[isapros] Re: SSL Client Certificate Authentication with non-web clients
- From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
- To: <isapros@xxxxxxxxxxxxx>
- Date: Thu, 23 Aug 2007 13:25:23 -0700
"sense" of course (had to beat Tom to it).
t
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Thursday, August 23, 2007 1:23 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SSL Client Certificate Authentication with non-
> web clients
>
> I'm hitting the listener as an anonymous user, yes. But, I'm providing
> the cert as authentication. If I don't "require authentication" in the
> "SSL Client Certificate Authentication" properties, it never asks the
> client to provide a cert. And just to ensure that the browser isn't
> "automatically" sending anything, I've deleted the client cert and
> removed the domain CA cert from root certs on the client box -- with
> "require authentication" cleared, but requiring SSL Client Cert Auth,
> the client, the client can still connect to the server without
> presenting a certificate (which doesn't make any since to me) and there
> is no fallback auth specified.
>
> Thoughts?
>
> t
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> > Sent: Thursday, August 23, 2007 1:15 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SSL Client Certificate Authentication with
> non-
> > web clients
> >
> > Are you still logging on as an anonymous user? Since you're
> > configuring the listener to use a client cert and require
> > authentication, shouldn't you be authenticating against the ISA
> server?
> >
> > Cordially yours,
> > Jerry G. Young II
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Application Engineer
> > Platform Engineering & Architecture
> > NTT America, an NTT Communications Company
> > =====================================
> > 22451 Shaw Rd.
> > Sterling, VA 20166
> > Office: 571-434-1319
> > Fax: 703-333-6749
> > Email: g.young@xxxxxxxx
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > "The truth is that there is nothing noble in being superior to
> somebody
> > else.
> > The only real nobility is in being superior to your former self."
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Thursday, August 23, 2007 4:10 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SSL Client Certificate Authentication with
> non-
> > web clients
> >
> > OK... Help me out with this one-- forget about RDP, etc. I'm just
> > trying to get an SLL Listener to require an SSL Client Certificate
> for
> > authentication, and am having some issues- i'm sure it's something
> > easy,
> > but I'm missing it.
> >
> > Start from the basics without requiring auth on the listener:
> > 1) Create SSL listener with proper cert
> > 2) publish to internal site
> > 3) got to https://www.domain.com and it works fine (either bridged to
> > 443 or redirected to 80) as anonymous user.
> > 4) at this point, everything works just fine...
> >
> > Now, I tell the listener to require a client-side cert for
> > authentication- in this case, it is a cert that must be signed by my
> > own
> > domain CA. The ISA box is NOT on that domain.
> > 1) install CA cert in trusted root certificates on ISA box. It
> works,
> > and is valid.
> > 2) install User cert created by the CA on client box with path to
> root
> > cert. Move CA cert to trusted root certs. User cert is valid, cert
> > path is valid.
> > 3) Configure listener to use client cert, and to require
> > authentication.
> > If I don't require, the client does not have to present a cert. I
> > further tell ISA to only accept certs trusted by the domain CA (it
> > shows
> > up in the list, of course). Note that behavior does not change if I
> > select "all CA's"
> > 4) Configure the system policy on ISA for CRL lookups
> > 5) Verify the ISA box can get to the CRL path specified in the cert
> > 6) from the client, go to https://www.domain.com and it asks for a
> > cert.
> > The cert is available, and i present it: but I always get:
> >
> > Error Code: 401 Unauthorized. The server requires authorization to
> > fulfill the request. Access to the Web server is denied. Contact the
> > server administrator. (12209)
> >
> > Removing the SCCA returns things to normal. I've even tried
> publishing
> > to different back end servers... same thing.
> >
> > What could be the problem?
> > t
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Thursday, August 23, 2007 11:26 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SSL Client Certificate Authentication with
> > non-
> > > web clients
> > >
> > > The point of using a browser on not is not relevant.
> > > It's the client application's responsibility to handle the return
> > from
> > > SCHannel that says "pick a cert of type 'X'". Supposedly, the v6
> RDP
> > > client knows how to prompt for smartcard certs, but I haven't
> > > personally
> > > tested this. Word on the streets is that "soft-certs" should also
> > > work,
> > > but again; I haven't personally tested this.
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thor (Hammer of God)
> > > Sent: Thursday, August 23, 2007 7:26 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] SSL Client Certificate Authentication with non-
> web
> > > clients
> > >
> > > So, in an earlier thread, we discussed using certificates to
> control
> > > what clients could connect to a published RDP server. As we saw,
> > this
> > > is not possible in Vista/2003 implementations. However, we see
> that
> > in
> > > TSGateway, one uses an SSL listener (with public names to /rpc) to
> > > publish access to TSGateway functionality via RDP over RPC/HTTP.
> The
> > > TSGateway configuration allows you to specify smart-card logon, but
> > in
> > > the absence of that, the recommendation was made to use "SSL Client
> > > Certificate Authentication" restrictions at the SSL listener
> itself.
> > >
> > >
> > >
> > > However, I don't see how this will work. As I see it, the only way
> > to
> > > use SCCA on a web listener is for the client to be a browser -
> that's
> > > how the user is given the option of choosing which cert to present
> to
> > > the server. In the case of an RDP client (MSTSC.exe) connecting to
> a
> > > TSGateway published via an SCCA web listener, it won't work as
> there
> > is
> > > no way to present a cert.
> > >
> > >
> > >
> > > So, we really can't use SCCA as it relates to RDP, correct? Or is
> > > there
> > > some secret squirrel configuration I don't know about?
> > >
> > >
> > >
> > > t
> > >
> > >
> > >
> > > -----------------------------
> > >
> > > vinni, viddi, vinni denuo
> > >
> > >
> > >
> > >
> > > All mail to and from this domain is GFI-scanned.
> > >
> >
> >
> >
> >
> > =================================
> >
> > This email message is intended for the use of the person to whom it
> has
> > been sent, and may contain information that is confidential or
> legally
> > protected. If you are not the intended recipient or have received
> this
> > message in error, you are not authorized to copy, distribute, or
> > otherwise use this message or its attachments. Please notify the
> sender
> > immediately by return e-mail and permanently delete this message and
> > any attachments. NTT America makes no warranty that this email is
> error
> > or virus free. Thank you.
Other related posts:
