[isapros] Re: SCCM and ISA - Worth a shot!

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 1 Feb 2008 16:22:45 -0800

Whoa-- typing WAY too fast... 
(trust relationship)
"certificate authority somehow"
"3rd party certificate authorities"

jeeze

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Friday, February 01, 2008 4:21 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> 
> To be sure, that KB is standard "how to trust a cert" stuff - easy.
> 
> But for ISA to use a "client certificate" at the listener, it must be
> able to contact (or delegated by a trust relations) the issuing
> certificate authority someone (as you have outlined below).  That don't
> fly with 3rd party certs.  Tried it.  No workie... How do you map the
> "Verisign" client certificate to an AD user account in your scenarios?
> 
> t
> 
> 
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Friday, February 01, 2008 3:44 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > Still stuck on that Enterprise CA thing, areya?
> > It doesn't need to be a MS Ent CA.
> > KB http://support.microsoft.com/kb/281245 discusses how to use
> > certificates issued by a 3rd-party CA.
> >
> > KCD for cross-forest users is problematic when the "KCD pair" (the KCD
> > client/server pair) and the user account are separated by more than one
> > "domain hop".  If you think that sounds weird, wait for the details.
> >
> > Imagine:
> > RootDom1        RootDom2
> > (KCD_Pair1)     (User3)
> >  (User1)           |
> >     |              |
> > ChildDom1       ChildDom2
> >  (User2)        (KCD_Pair2)
> >                 (User4)
> >
> > With logon specified using certificates, NBDomainName\account or
> > account@NBDomainName, KCD_Pair1 can successfully perform KCD for the users
> > in RootDom1 and its children as well as users in RootDom2, but not for
> > users in ChildDom2.  Likewise, KCD_Pair2 can perform KCD for users in
> > any domain in RootDom2, but not for users in any domain of RootDom1.
> >
> > With logon specified as either FQDN\account or account@FQDN, KCD
> > functions for all relevant cases.  As it turns out, this is an issue
> > with Windows and this behavior is identical in WS03 and WS08.
> >
> > One workaround that was smoke-tested in my repro bed and MSIT was:
> >
> > Requirements:
> > 1. ISA 2006 Supportability pack:
> > http://www.microsoft.com/downloads/details.aspx?FamilyID=6f629eac-d8c6-4437-9d20-b47b02db413a
> > 2. ISA 2006 Rollup http://support.microsoft.com/kb/942639/, which
> > contains http://support.microsoft.com/kb/942637/
> > 3. Bi-Directional, Transitive Forest Trust
> >
> > Actions:
> > 4. Edit ms-DS-SPNSuffixes attribute in
> > CN=Partitions,CN=Configuration,DC=<RootDC>, add NBDomain names for all
> > domains in the local domain tree
> >     ..repeat (4) for each tree in the trusted forest
> > 5. Edit the Name Suffix Routing list in the trusting forest and enable
> > all *.NBDomain suffixes as well as all *.FQDN suffixes for all trusted
> > domains
> >     ..repeat (5) for each forest which trusts the forest modified in (4)
> > 6. If using certificate auth, ensure that all trusted forest CA
> > certificates are included in the:
> >     a. Trusting forest NTAuth store:
> > http://support.microsoft.com/kb/281245
> >     b. ISA Server Local machine Trusted Roots store
> >
> > ..repeat (1) through (6) as necessary for remaining ISA arrays, AD
> > forests and Domain trees
> >
> > There may be simpler methods (one suggested by WinSE, but not tested
> > yet), but this one has been demonstrated to work for a two-level domain
> > tree.  There were not enough resources to test beyond that, but the
> > folks in Windows assured us that the child domain level was not
> > relevant to the issue (I tend to believe them on this).
> >
> > Jim
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Friday, February 01, 2008 2:23 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> >
> > And not just "a" user account, but "THE" user account from the domain
> > where the Enterprise Root Cert lives...  I found that out the hard way
> > (as you know so well ;)
> >
> > t
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Friday, February 01, 2008 2:12 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > It depends on how the client cert (clientcertclientcertclientcert [for
> > > Tom <g>]) is constructed.
> > > By default, ISA doesn't really care how the cert is built as long as it
> > > can trust the CA.  The problem comes in with using the certificate for
> > > user authentication.  When ISA receives a certificate in response to
> > > "you better show some ID, boy!", ISA passes this to a Windows API
> > > called AcquireCredentialsHandle.  This API expects to resolve the
> > > certificate to a user account and if it can't, cert auth will fail.
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Friday, February 01, 2008 9:02 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > Really?? Kinda surprised at that and surely there is quite a lot ISA
> > > can add rather than dumbing it down to L3 with server publishing???
> > >
> > > The bit that is really annoying is that some of the SCCM guides
> > > recommend SSL bridging as opposed to SSL tunnelling, so it implies it
> > > should be possible and is best practice - trouble is, there are no docs
> > > that tell you how to get it working!!! Here are some examples:
> > >
> > > http://technet.microsoft.com/en-us/library/bb680995.aspx
> > >
> > > http://www.microsoft.com/technet/community/chats/trans/sms/07_0724_tn_sccm.mspx
> > >
> > > Prabhu Padhi [MSFT] (Expert):
> > > Q: Can I do SSL-Bridging at the edge firewall to route the IBCM clients
> > > to my intranet MP/DP (they are shared)?
> > > A: As long as your firewall supports SSL bridging, we will work fine.
> > >
> > > Cheers
> > >
> > > JJ
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
> > > Sent: 01 February 2008 16:41
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > >
> > > Hi Jason,
> > >
> > > My reasoning: whenever client certs are involved, use server
> > > publishing. Nothing ISA can do to enhance the security.
> > >
> > > HTH,
> > >
> > > Stefaan
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Friday 1 February 2008 16:49
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > Hi All,
> > >
> > > Any more thoughts on this?
> > >
> > > From what I now understand, the SCCM client is using a client auth cert
> > > to authenticate to the IIS instance running on the SCCM management
> > > point (mutual cert auth).
> > >
> > > We are getting close to SCCM deployments where customers want IBCM,
> > > but the only ISA Server solution I can get working is to use SSL
> > > tunnelling (server publishing). I have tried various web publishing
> > > configurations and none of them seem to work - I have tried the
> > > following:
> > >
> > > * Simple web publishing, ISA listener with no authentication
> > >   and "allow client to authenticate" defined in the delegation tab -
> > >   assumed this would just use pass-through auth to the IIS website to
> > >   allow for this to do the client auth.
> > >
> > > * Pre-auth web publishing, ISA listener using client cert auth
> > >   and then KCD to delegate to IIS.
> > >
> > > Do we think that one of these should work, or is web publishing for
> > > SCCM IBCM fundamentally flawed?
> > >
> > > Anyone actually got it working??? I know SCCM is quite new, but are we
> > > just too ahead of the curve here?
> > >
> > > Cheers
> > >
> > > JJ
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: 19 October 2007 08:50
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > Hi t,
> > >
> > > I was hoping to do the former and then use KCD, but from what I gather
> > > SCCM is using computer based certs - I believe this makes things
> > > harder? Not really come across this scenario before... I currently
> > > have it working in the lab using server publishing, but I cannot bear
> > > the thought of doing this for customers...
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > Sent: 18 October 2007 22:15
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > While I've not used SCCM, I've done a good bit of work with different
> > > certificate-based authentication models.  Are you considering using a
> > > web-listener configured for SSL Client Certificate Authentication, or
> > > just web-publishing to a back-end web server where it will do its own
> > > certificate-to-user mapping?
> > >
> > > t
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Thursday, October 18, 2007 1:11 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SCCM and ISA - Worth a shot!
> > >
> > > Did this Q get hidden within Amy's posts or is it a big fat "don't
> > > know"? :-)
> > >
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: 17 October 2007 00:49
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] SCCM and ISA - Worth a shot!
> > >
> > > Hi,
> > >
> > > Has anyone used ISA with System Centre Configuration Manager (SCCM)
> > > yet? Specifically when using Native mode (e.g. full-on PKI mode).
> > >
> > > The initial documentation is a little patchy and seems to contradict
> > > itself between using Web Publishing and Server Publishing when using
> > > Internet based clients that cannot back into the CM server. The SCCM
> > > documentation talks about lots of perimeter and internet-facing
> > > scenarios, but I want to try and use an ISA based model in a similar
> > > way to protecting Exchange or SharePoint. A quote from Jim comes to
> > > mind "..we don't need no stinking DMZs"
> > >
> > > Ideally I want to use Web Publishing, but all communications in SCCM
> > > utilise client certificate based authentication.
> > >
> > > Am I right in thinking I can use ISA Web publishing combined with KCD
> > > to secure access from CM clients to the CM server?
> > >
> > > Answers that tell me that I have to use Server Publishing will make me
> > > cry, so please be sensitive
> > >
> > > Thanks in advance...
> > >
> > > Cheers
> > >
> > > JJ
> > >
> > > ________________________________
> > >
> > > This email and any files transmitted with it are confidential and
> > > intended solely for the use of the individual to whom it is addressed.
> > > If you have received this email in error, or if you believe this email
> > > is unsolicited and wish to be removed from any future mailings, please
> > > contact our Support Desk immediately on 01202 360360 or email
> > > helpdesk@xxxxxxxxxxxxxxxxx
> > >
> > > If this email contains a quotation then unless otherwise stated it is
> > > valid for 7 days and offered subject to Silversands Professional
> > > Services Terms and Conditions, a copy of which is available on request.
> > > Any pricing information, design information or information concerning
> > > specific Silversands' staff contained in this email is considered
> > > confidential or of commercial interest and exempt from the Freedom of
> > > Information Act 2000.
> > >
> > > Any view or opinions presented are solely those of the author and do
> > > not necessarily represent those of Silversands
> > >
> > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> > > Company Registration Number : 2141393.
> > >
> >
> >
> >
> 
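Steps 4 and 6a of the cross-forest KCD workaround Jim Harrison describes above (populating ms-DS-SPNSuffixes on the Partitions container and checking the NTAuth store) can be audited rather than eyeballed. The script below is an added example, not code posted by anyone in this thread; it assumes a domain-joined host whose caller can read the Configuration naming context, and uses the attribute's LDAP display name, msDS-SPNSuffixes, plus the nETBIOSName/dnsRoot attributes that domain crossRef objects carry.

```powershell
# Added example (not from the thread): read-only audit of steps 4 and 6a.
# Assumes: domain-joined host, read access to the Configuration NC.
# No AD module required; plain ADSI / System.DirectoryServices is used.

$rootDse    = [ADSI]"LDAP://RootDSE"
$configNc   = [string]$rootDse.Properties["configurationNamingContext"].Value
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"

# Step 4: what is currently listed in msDS-SPNSuffixes (ms-DS-SPNSuffixes
# in the thread) on CN=Partitions,CN=Configuration,... of this forest.
$spnSuffixes = @($partitions.Properties["msDS-SPNSuffixes"] |
                 ForEach-Object { "$_" })

# Every domain in the forest has a crossRef child with a NetBIOS name;
# each of those names should appear in msDS-SPNSuffixes per step 4.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.Filter = "(&(objectClass=crossRef)(nETBIOSName=*))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("nETBIOSName", "dnsRoot"))

$report = foreach ($r in $searcher.FindAll()) {
    $nb  = [string]$r.Properties["netbiosname"][0]
    $dns = [string]$r.Properties["dnsroot"][0]
    [pscustomobject]@{
        NetBIOSName   = $nb
        DnsRoot       = $dns
        InSpnSuffixes = ($spnSuffixes -contains $nb)   # case-insensitive
    }
}
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.InSpnSuffixes })
if ($missing.Count -gt 0) {
    Write-Warning ("Step 4 gap - NetBIOS names absent from msDS-SPNSuffixes: " +
                   ($missing.NetBIOSName -join ", "))
}

# Step 6a: list the CA certificates in this forest's NTAuth store so the
# issuing CA of every trusted forest can be confirmed present (KB 281245).
certutil -store -enterprise NTAuth
```

Run it once per forest involved in the trust; names reported as missing are the ones step 4 tells you to add, and the NTAuth listing is what step 6a asks you to compare against the trusted forests' CA certificates.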

