[isapros] Re: SCCM and ISA - Worth a shot!

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 1 Feb 2008 15:44:09 -0800

Still stuck on that Enterprise CA thing, areya?
It doesn't need to be a MS Ent CA.
KB http://support.microsoft.com/kb/281245 discusses how to use certificates 
issued by a 3rd-party CA.

KCD for cross-forest users is problematic when the "KCD pair" (the KCD 
client/server pair) and the user account are separated by more than one "domain 
hop".  If you think that sounds weird, wait for the details.

Imagine:
RootDom1        RootDom2
(KCD_Pair1)     (User3)
 (User1)           |
    |              |
ChildDom1       ChildDom2
 (User2)        (KCD_Pair2)
                (User4)

With logon specified using certificates, NBDomainName\account or 
account@NBDomainName, KCD_Pair1 can successfully perform KCD for the users in 
RootDom1 and its children as well as users in RootDom2, but not for users in 
ChildDom2.  Likewise, KCD_Pair2 can perform KCD for users in any domain in 
RootDom2, but not for users in any domain of RootDom1.

With logon specified as either FQDN\account or account@FQDN, KCD functions for 
all relevant cases.  As it turns out, this is an issue with Windows and this 
behavior is identical in WS03 and WS08.

One workaround that was smoke-tested in my repro bed and MSIT was:

Requirements:
1. ISA 2006 Supportability pack: 
http://www.microsoft.com/downloads/details.aspx?FamilyID=6f629eac-d8c6-4437-9d20-b47b02db413a
2. ISA 2006 Rollup http://support.microsoft.com/kb/942639/, which contains 
http://support.microsoft.com/kb/942637/
3. Bi-Directional, Transitive Forest Trust

Actions:
4. Edit ms-DS-SPNSuffixes attribute in 
CN=Partitions,CN=Configuration,DC=<RootDC>, add NBDomain names for all domains 
in the local domain tree
    ..repeat (4) for each tree in the trusted forest
5. Edit the Name Suffix Routing list in the trusting forest and enable all 
*.NBDomain suffixes as well as all *.FQDN suffixes for all trusted domains
    ..repeat (5) for each forest which trusts the forest modified in (4)
6. If using certificate auth, ensure that all trusted forest CA certificates 
are included in the:
    a. Trusting forest NTAuth store: http://support.microsoft.com/kb/281245
    b. ISA Server Local machine Trusted Roots store

..repeat (1) through (6) as necessary for remaining ISA arrays, AD forests and 
Domain trees

There may be simpler methods (one suggested by WinSE, but not tested yet), but 
this one has been demonstrated to work for a two-level domain tree.  There were 
not enough resources to test beyond that, but the folks in Windows assured us 
that the child domain level was not relevant to the issue (I tend to believe 
them on this).

Jim
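
As an added example (not from Jim's post and not Microsoft's code), a PowerShell check for action 4 above: it enumerates the crossRef objects under CN=Partitions via ADSI, collects the NetBIOS name of every domain in the local forest, and reports which of them are missing from msDS-SPNSuffixes; -Fix appends the missing ones. It assumes it runs on a domain-joined WS03/WS08 box as a member of Enterprise Admins (required to write the Partitions container) and covers the local forest only, so it is re-run per trusted forest.

```powershell
# Added example (not from the thread): audit msDS-SPNSuffixes on
# CN=Partitions,CN=Configuration against the NetBIOS names of all domains
# in the local forest (step 4 above). ADSI only, so no AD module needed.
# Read-only unless -Fix is supplied.
param([switch]$Fix)

$rootDse    = [ADSI]"LDAP://RootDSE"
$configNc   = $rootDse.configurationNamingContext.Value
$partitions = [ADSI]("LDAP://CN=Partitions," + $configNc)

# Every domain NC has a crossRef whose systemFlags has bit 0x2
# (FLAG_CR_NTDS_DOMAIN) set; schema/config/application NCs do not.
$domainNb = @()
foreach ($cr in $partitions.Children) {
    if ($cr.SchemaClassName -ne "crossRef") { continue }
    $flags = [int]$cr.Properties["systemFlags"].Value
    if (($flags -band 2) -eq 0) { continue }
    $domainNb += [string]$cr.Properties["nETBIOSName"].Value
}

# Current multi-valued attribute content (empty array if never set)
$current = @($partitions.Properties["msDS-SPNSuffixes"] | ForEach-Object { [string]$_ })
$missing = @($domainNb | Where-Object { $current -notcontains $_ })

"Domains in forest : " + ($domainNb -join ", ")
"msDS-SPNSuffixes  : " + ($current -join ", ")
if ($missing.Count -eq 0) { "All NetBIOS domain names are present."; return }
"Missing suffixes  : " + ($missing -join ", ")

if ($Fix) {
    foreach ($nb in $missing) {
        # ADS_PROPERTY_APPEND (3) adds a value without disturbing existing ones
        $partitions.PutEx(3, "msDS-SPNSuffixes", @($nb))
    }
    $partitions.SetInfo()
    "Appended missing suffixes; repeat for each tree in the trusted forest."
}
```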

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Friday, February 01, 2008 2:23 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SCCM and ISA - Worth a shot!

And not just "a" user account, but "THE" user account from the domain
where the Enterprise Root Cert lives...  I found that out the hard way
(as you know so well ;)

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, February 01, 2008 2:12 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> It depends on how the client cert (clientcertclientcertclientcert [for
> Tom <g>]) is constructed.
> By default, ISA doesn't really care how the cert is built as long as it
> can trust the CA.  The problem comes in with using the certificate for
> user authentication.  When ISA receives a certificate in response to
> "you better show some ID, boy!", ISA passes this to a Windows API
> called AcquireCredentialsHandle.  This API expects to resolve the
> certificate to a user account and if it can't, cert auth will fail.
>
> Jim
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Friday, February 01, 2008 9:02 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> Really?? Kinda surprised at that and surely there is quite a lot ISA
> can add rather than dumbing it down to L3 with server publishing???
>
> The bit that is really annoying is that some of the SCCM guides
> recommend SSL bridging as opposed to SSL tunnelling, so it implies it
> should be possible and is best practice - trouble is, there are no docs
> that tell you how to get it working!!! Here are some examples:
>
> http://technet.microsoft.com/en-us/library/bb680995.aspx
>
> http://www.microsoft.com/technet/community/chats/trans/sms/07_0724_tn_sccm.mspx
>
> Prabhu Padhi [MSFT] (Expert):
> Q: Can I do SSL-Bridging at the edge firewall to route the IBCM clients
> to my intranet MP/DP (they are shared)?
> A: As long as your firewall supports SSL bridging, we will work fine.
>
> Cheers
>
> JJ
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> Sent: 01 February 2008 16:41
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
>
>
> Hi Jason,
>
> my reasoning, whenever client certs are involved, use server
> publishing. Nothing ISA can do to enhance the security.
>
> HTH,
>
> Stefaan
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: vrijdag 1 februari 2008 16:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
>
>
> Hi All,
>
> Any more thoughts on this?
>
> From what I now understand, the SCCM client is using a client auth cert
> to authenticate to the IIS instance running on the SCCM management
> point (mutual cert auth).
>
> We are getting close to SCCM deployments where customers want IBCM,
> but the only ISA Server solution I can get working is to use SSL
> tunnelling (server publishing). I have tried various web publishing
> configurations and none of them seem to work - I have tried the
> following:
>
> * Simple web publishing, ISA listener with no authentication
>   and "allow client to authenticate" defined in the delegation tab -
>   assumed this would just use pass-through auth to the IIS website to
>   allow for this to do the client auth.
>
> * Pre-auth web publishing, ISA listener using client cert auth
>   and then KCD to delegate to IIS.
>
> Do we think that one of these should work, or is web publishing for
> SCCM IBCM fundamentally flawed?
>
> Anyone actually got it working??? I know SCCM is quite new, but are we
> just too ahead of the curve here?
>
> Cheers
>
> JJ
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: 19 October 2007 08:50
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
>
>
> Hi t,
>
> I was hoping to do the former and then use KCD, but from what I gather
> SCCM is using computer based certs - I believe this makes things
> harder? Not really come across this scenario before...I currently
> have it working in the lab using server publishing, but I cannot bear
> the thought of doing this for customers...
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: 18 October 2007 22:15
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
>
>
> While I've not used SCCM, I've done a good bit of work with different
> certificate-based authentication models.  Are you considering using a
> web-listener configured for SSL Client Certificate Authentication, or
> just web-publishing to a back-end web server where it will do its own
> certificate-to-user mapping?
>
> t
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Thursday, October 18, 2007 1:11 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
>
>
> Did this Q get hidden within Amy's posts or is it a big fat "don't
> know"? :-)
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: 17 October 2007 00:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] SCCM and ISA - Worth a shot!
>
>
>
> Hi,
>
> Has anyone used ISA with System Centre Configuration Manager (SCCM)
> yet? Specifically when using Native mode (e.g. full-on PKI mode).
>
> The initial documentation is a little patchy and seems to contradict
> itself between using Web Publishing and Server Publishing when using
> Internet based clients that cannot back into the CM server. The SCCM
> documentation talks about lots of perimeter and internet-facing
> scenarios, but I want to try and use an ISA based model in a similar
> way to protecting Exchange or SharePoint. A quote from Jim comes to
> mind "..we don't need no stinking DMZs"
>
> Ideally I want to use Web Publishing, but all communications in SCCM
> utilise client certificate based authentication.
>
> Am I right in thinking I can use ISA Web publishing combined with KCD
> to secure access from CM clients to the CM server?
>
> Answers that tell me that I have to use Server Publishing will make me
> cry, so please be sensitive
>
> Thanks in advance...
>
> Cheers
>
> JJ
>
> ________________________________
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual to whom it is addressed.
> If you have received this email in error, or if you believe this email
> is unsolicited and wish to be removed from any future mailings, please
> contact our Support Desk immediately on 01202 360360 or email
> helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise stated it is
> valid for 7 days and offered subject to Silversands Professional
> Services Terms and Conditions, a copy of which is available on request.
> Any pricing information, design information or information concerning
> specific Silversands' staff contained in this email is considered
> confidential or of commercial interest and exempt from the Freedom of
> Information Act 2000.
>
> Any view or opinions presented are solely those of the author and do
> not necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.
>
>