Whoa-- typing WAY too fast... (trust relationship) "certificate authority somehow" "3rd party certificate authorities" jeeze

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Friday, February 01, 2008 4:21 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
>
> To be sure, that KB is standard "how to trust a cert" stuff - easy.
>
> But for ISA to use a "client certificate" at the listener, it must be able to contact (or delegated by a trust relations) the issuing certificate authority someone (as you have outlined below). That don't fly with 3rd party certs. Tried it. No workie... How do you map the "Verisign" client certificate to an AD user account in your scenarios?
>
> t
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, February 01, 2008 3:44 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Still stuck on that Enterprise CA thing, areya?
> > It doesn't need to be a MS Ent CA.
> > KB http://support.microsoft.com/kb/281245 discusses how to use certificates issued by a 3rd-party CA.
> >
> > KCD for cross-forest users is problematic when the "KCD pair" (the KCD client/server pair) and the user account are separated by more than one "domain hop". If you think that sounds weird, wait for the details.
> >
> > Imagine:
> >
> >   RootDom1          RootDom2
> >   (KCD_Pair1)       (User3)
> >   (User1)              |
> >      |                 |
> >   ChildDom1         ChildDom2
> >   (User2)           (KCD_Pair2)
> >                     (User4)
> >
> > With logon specified using certificates, NBDomainName\account or account@NBDomainName, KCD_Pair1 can successfully perform KCD for the users in RootDom1 and its children as well as users in RootDom2, but not for users in ChildDom2. Likewise, KCD_Pair2 can perform KCD for users in any domain in RootDom2, but not for users in any domain of RootDom1.
> >
> > With logon specified as either FQDN\account or account@FQDN, KCD functions for all relevant cases. As it turns out, this is an issue with Windows and this behavior is identical in WS03 and WS08.
> >
> > One workaround that was smoke-tested in my repro bed and MSIT was:
> >
> > Requirements:
> > 1. ISA 2006 Supportability pack: http://www.microsoft.com/downloads/details.aspx?FamilyID=6f629eac-d8c6-4437-9d20-b47b02db413a
> > 2. ISA 2006 Rollup http://support.microsoft.com/kb/942639/, which contains http://support.microsoft.com/kb/942637/
> > 3. Bi-Directional, Transitive Forest Trust
> >
> > Actions:
> > 4. Edit ms-DS-SPNSuffixes attribute in CN=Partitions,CN=Configuration,DC=<RootDC>, add NBDomain names for all domains in the local domain tree
> >    ..repeat (4) for each tree in the trusted forest
> > 5. Edit the Name Suffix Routing list in the trusting forest and enable all *.NBDomain suffixes as well as all *.FQDN suffixes for all trusted domains
> >    ..repeat (5) for each forest which trusts the forest modified in (4)
> > 6. If using certificate auth, ensure that all trusted forest CA certificates are included in the:
> >    a. Trusting forest NTAuth store: http://support.microsoft.com/kb/281245
> >    b. ISA Server Local machine Trusted Roots store
> >
> > ..repeat (1) through (6) as necessary for remaining ISA arrays, AD forests and Domain trees
> >
> > There may be simpler methods (one suggested by WinSE, but not tested yet), but this one has been demonstrated to work for a two-level domain tree. There were not enough resources to test beyond that, but the folks in Windows assured us that the child domain level was not relevant to the issue (I tend to believe them on this).
> >
> > Jim
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Friday, February 01, 2008 2:23 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > And not just "a" user account, but "THE" user account from the domain where the Enterprise Root Cert lives... I found that out the hard way (as you know so well ;)
> >
> > t
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Friday, February 01, 2008 2:12 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > It depends on how the client cert (clientcertclientcertclientcert [for Tom <g>]) is constructed.
> > > By default, ISA doesn't really care how the cert is built as long as it can trust the CA. The problem comes in with using the certificate for user authentication. When ISA receives a certificate in response to "you better show some ID, boy!", ISA passes this to a Windows API called AcquireCredentialsHandle. This API expects to resolve the certificate to a user account and if it can't, cert auth will fail.
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Friday, February 01, 2008 9:02 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > Really?? Kinda surprised at that and surely there is quite a lot ISA can add rather than dumbing it down to L3 with server publishing???
> > >
> > > The bit that is really annoying is that some of the SCCM guides recommend SSL bridging as opposed to SSL tunnelling, so it implies it should be possible and is best practice - trouble is, there are no docs that tell you how to get it working!!! Here are some examples:
> > >
> > > http://technet.microsoft.com/en-us/library/bb680995.aspx
> > >
> > > http://www.microsoft.com/technet/community/chats/trans/sms/07_0724_tn_sccm.mspx
> > >
> > > Prabhu Padhi [MSFT] (Expert):
> > > Q: Can I do SSL-Bridging at the edge firewall to route the IBCM clients to my intranet MP/DP (they are shared)?
> > > A: As long as your firewall supports SSL bridging, we will work fine.
> > >
> > > Cheers
> > >
> > > JJ
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> > > Sent: 01 February 2008 16:41
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > Hi Jason,
> > >
> > > my reasoning, whenever client certs are involved, use server publishing. Nothing ISA can do to enhance the security.
> > >
> > > HTH,
> > >
> > > Stefaan
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Friday 1 February 2008 16:49
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > Hi All,
> > >
> > > Any more thoughts on this?
> > >
> > > From what I now understand, the SCCM client is using a client auth cert to authenticate to the IIS instance running on the SCCM management point (mutual cert auth).
> > >
> > > We are getting close to SCCM deployments where customers want IBCM, but the only ISA Server solution I can get working is to use SSL tunnelling (server publishing). I have tried various web publishing configurations and none of them seem to work - I have tried the following:
> > >
> > > * Simple web publishing, ISA listener with no authentication and "allow client to authenticate" defined in the delegation tab - assumed this would just use pass-through auth to the IIS website to allow for this to do the client auth.
> > >
> > > * Pre-auth web publishing, ISA listener using client cert auth and then KCD to delegate to IIS.
> > >
> > > Do we think that one of these should work, or is web publishing for SCCM IBCM fundamentally flawed?
> > >
> > > Anyone actually got it working??? I know SCCM is quite new, but are we just too ahead of the curve here?
> > >
> > > Cheers
> > >
> > > JJ
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: 19 October 2007 08:50
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > Hi t,
> > >
> > > I was hoping to do the former and then use KCD, but from what I gather SCCM is using computer based certs - I believe this makes things harder? Not really come across this scenario before... I currently have it working in the lab using server publishing, but I cannot bear the thought of doing this for customers...
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: 18 October 2007 22:15
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > While I've not used SCCM, I've done a good bit of work with different certificate-based authentication models. Are you considering using a web-listener configured for SSL Client Certificate Authentication, or just web-publishing to a back-end web server where it will do its own certificate-to-user mapping?
> > >
> > > t
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Thursday, October 18, 2007 1:11 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > Did this Q get hidden within Amy's posts or is it a big fat "don't know"? :)
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: 17 October 2007 00:49
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] SCCM and ISA - Worth a shot!
> > >
> > > Hi,
> > >
> > > Has anyone used ISA with System Centre Configuration Manager (SCCM) yet? Specifically when using Native mode (e.g. full-on PKI mode).
> > >
> > > The initial documentation is a little patchy and seems to contradict itself between using Web Publishing and Server Publishing when using Internet based clients that cannot back into the CM server. The SCCM documentation talks about lots of perimeter and internet-facing scenarios, but I want to try and use an ISA based model in a similar way to protecting Exchange or SharePoint. A quote from Jim comes to mind "..we don't need no stinking DMZs"
> > >
> > > Ideally I want to use Web Publishing, but all communications in SCCM utilise client certificate based authentication.
> > >
> > > Am I right in thinking I can use ISA Web publishing combined with KCD to secure access from CM clients to the CM server?
> > >
> > > Answers that tell me that I have to use Server Publishing will make me cry, so please be sensitive
> > >
> > > Thanks in advance...
> > >
> > > Cheers
> > >
> > > JJ
> > >
> > > ________________________________
> > >
> > > This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
> > >
> > > If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000.
> > >
> > > Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands
> > >
> > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. Company Registration Number : 2141393.
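An added example, not from the thread and not Microsoft's own tooling, that implements step (4) of Jim's workaround for the whole local forest (all trees at once, so the "repeat (4) for each tree" is folded in) and prints the NTAuth store for step (6a). It assumes the ActiveDirectory PowerShell module, a domain-joined host, and an account allowed to write the Configuration partition; the function names are invented and the run is a dry run unless -Apply is given.

```powershell
# Added example (not from the thread): step (4) of the KCD workaround,
# adding the NetBIOS names of every domain in the local forest to the
# msDS-SPNSuffixes attribute of CN=Partitions in the Configuration NC,
# plus a listing of the NTAuth store for step (6a). Assumes the
# ActiveDirectory module; hypothetical function names; dry run by default.
Import-Module ActiveDirectory

function Sync-SpnSuffixes {
    [CmdletBinding()]
    param([switch]$Apply)

    # CN=Partitions lives under the forest's Configuration naming context.
    $partitions = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"
    $obj = Get-ADObject -Identity $partitions -Properties 'msDS-SPNSuffixes'
    $current = @($obj.'msDS-SPNSuffixes')

    # NetBIOS (NBDomain) names of all domains in the local forest, every tree.
    $wanted = foreach ($dns in (Get-ADForest).Domains) {
        (Get-ADDomain -Identity $dns).NetBIOSName
    }
    $missing = @($wanted | Where-Object { $current -notcontains $_ })

    Write-Host "Present : $($current -join ', ')"
    Write-Host "Missing : $($missing -join ', ')"
    if ($missing.Count -eq 0) { return }

    # Only append what is missing; existing suffixes are left untouched.
    if ($Apply) {
        Set-ADObject -Identity $partitions -Add @{ 'msDS-SPNSuffixes' = $missing }
    } else {
        Set-ADObject -Identity $partitions -Add @{ 'msDS-SPNSuffixes' = $missing } -WhatIf
    }
}

function Show-NTAuthStore {
    # Step (6a): trusted-forest CA certificates must be present in the
    # enterprise NTAuth store (KB 281245); this prints its contents.
    certutil -enterprise -store NTAuth
}

Sync-SpnSuffixes          # dry run; re-run with -Apply to write the attribute
Show-NTAuthStore
```

Step (5), the Name Suffix Routing list, is a trust property and is not covered here; it is edited in Active Directory Domains and Trusts.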