ISA 2004 SSL Bridging and Client Certificate Authentication
AspectIT
2009-10-20 10:46:05 UTC
Hi Guys and Gals

This is the setup.

Windows SBS2003 Premium SP2 with ISA 2004 SP2 two Nics

Internal Card 10.0.0.1
External Card 10.0.10.1 – Connected to Router (All ports added to Rules on
router)

This is what we are trying to achieve:

We are trying to set up PDAs to communicate with a website on the SBS Server
which uses SSL secure channel communications over an alternative SSL port of
2121. Along with this is the need to use client certificates; the SSL certs
are from a 3rd party, and the server has their root CA installed and the
certificate for the secure communications installed in the ISA computer store
and on the website itself.

We have setup a Secure Web publishing rule using Bridging HTTPS to HTTPS
using port 2121 and created a new listener to listen on SSL port 2121, HTTP
disabled, and added the Server certificate for the SSL communications onto
the listener, and without the client certificates authentication we have the
secure communications working fine no problems.

The problem we're having is with client certificate authentication. We have
enabled the website on IIS6 on the SBS box to require client certificates and
added a trust list using the root CA from the 3rd party; they have also given
us a PFX cert with public key to import on remote users' devices and also for
anywhere else needed, such as the ISA rules.

We have added the client certificate to the Personal store of the Microsoft
Firewall service so it appears in the Bridging tab in ISA 2004, and we have
selected "Use a certificate to authenticate to the SSL Web Server" and
selected the client cert which is on the remote users' devices and which they
will be prompted to use. Then we proceeded to edit the listener, take off
Integrated auth, add SSL Certificate Only, and select Always Authenticate.

Basically ISA doesn't seem to be forwarding the client certificates to the
website in the way it should and is giving a 401 error to the end user in IE.
On inspection of the IIS logs, the website is receiving a 403.7 error,
which is "Client certificate required". The user gets the client certificate
prompt when connecting but then gets this error:

Error Code: 401 Unauthorized. The server requires authorization to fulfill
the request. Access to the Web server is denied. Contact the server
administrator. (12209)

Looking at the ISA logs we get the following:

User:


Denied Connection LTE-SBS01 20/10/2009 11:07:04
Log type: Web Proxy (Reverse)
Status: 12229 The server requires authorization to fulfill the request.
Access to the Web server is denied. Contact the server administrator.
Rule:
Source: ( X.X.X.X:0)
Destination: ( 10.0.10.1:2121)
Request: GET http://pda.XXXXXX.com/
Filter information: Req ID: 1ea71f6f
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0;
Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR
3.5.30729; AskTB5.5)
Object source: Processing time: 63
Cache info: 0x0 MIME type:


We have tried the website internally and the client certificates worked as
they should, proving it isn't the certificates; it looks like ISA isn't
forwarding the client certificates on. Also, the ISA logs say the
destination is 10.0.10.1, which is the external card; shouldn't this be
10.0.0.1, which is the internal card?

Can you help, if you need any more info regarding the setup please let me
know.

Thanks
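A diagnostic for the two-hop setup described in the post above, added here as an example (it is not code from the thread). It opens a TLS session to a port, optionally offering the user's client certificate, sends one GET, and reports whether the server actually requested and accepted the certificate during the handshake (SslStream.IsMutuallyAuthenticated) and what HTTP status line came back. Run against the ISA listener from outside and against the IIS site from the LAN, it shows which hop is rejecting the certificate. The host name is the masked one from the post; the port is the listener port; the PFX path, password and the hosts-file entry for the internal test are assumptions.

```powershell
function Test-ClientCertHop {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [string]$Path = "/",
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCert = $null
    )

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Two-argument constructor: no custom validation callback, so the server
    # certificate is validated normally (chain and name) rather than blindly trusted.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
    if ($ClientCert -ne $null) { [void]$certs.Add($ClientCert) }

    $result = New-Object PSObject -Property @{
        Target                = "$HostName`:$Port"
        ClientCertOffered     = ($ClientCert -ne $null)
        MutuallyAuthenticated = $false
        ServerCert            = $null
        Status                = $null
    }
    try {
        # SslStream only sends a client certificate if the server's handshake
        # requests one and the offered certificate chains to a CA the server
        # named; IsMutuallyAuthenticated records whether that actually happened.
        $ssl.AuthenticateAsClient($HostName, $certs,
            [System.Security.Authentication.SslProtocols]::Tls, $false)
        $result.MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated
        $result.ServerCert            = $ssl.RemoteCertificate.Subject

        $request = "GET $Path HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()

        $reader = New-Object System.IO.StreamReader($ssl)
        $result.Status = $reader.ReadLine()   # e.g. "HTTP/1.1 401 Unauthorized"
    }
    catch {
        # A handshake failure (listener rejected the certificate, chain problem)
        # lands here instead of producing an HTTP status.
        $result.Status = "TLS/HTTP error: " + $_.Exception.Message
    }
    finally {
        $ssl.Close()
        $tcp.Close()
    }
    return $result
}

# Assumed inputs: the PFX handed out by the third-party CA and its password.
$clientPfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\pda-client.pfx", "pfx-password")

@(
    (Test-ClientCertHop -HostName "pda.XXXXXX.com" -Port 2121)                        # ISA listener, no cert
    (Test-ClientCertHop -HostName "pda.XXXXXX.com" -Port 2121 -ClientCert $clientPfx)  # ISA listener, with cert
) | Format-Table Target, ClientCertOffered, MutuallyAuthenticated, Status -AutoSize
```

Reading the output: on the external hop, MutuallyAuthenticated = False with a certificate offered means the listener's handshake never asked for a certificate from a CA it trusts (or rejected the one offered); True followed by a 401 means the listener accepted the certificate and the failure is in what the publishing rule does with it afterwards. Repeating the two calls from a LAN host with a hosts-file entry mapping pda.XXXXXX.com to 10.0.0.1 (so the name matches the site's certificate) should give 403 without the certificate and 200 with it; that is what "works internally" corresponds to.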
michan318
2010-01-14 11:49:13 UTC
Your issue is that ISA can't forward client certificates to the web server,
so you need to uncheck Client Certificate Required on the IIS side and just
leave it at Integrated Windows Authentication. This is by design, to ensure
the integrity of the certificates. So instead what you need to do is employ
Kerberos Constrained Delegation (KCD). You'll find many articles on both
Microsoft and www.isaserver.org about setting this up. KCD will enable you
to pass the user's credential from the ISA server to the internal web server
using Kerberos, which should log the user on to the web server using the
credential passed to the ISA server via the client certificate initially
provided by the user.

Miguel
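The directory-side half of the constrained delegation the reply recommends, added here as an example (not from the thread, and not Microsoft's own script). Two caveats a practitioner should weigh before following that advice: the publishing-rule side (authentication delegation by KCD) is an ISA Server 2006 feature, and ISA 2004 web publishing rules only forward Basic credentials, so this path implies an upgrade; and because the user authenticates to ISA with a certificate rather than with Kerberos, the ISA computer account needs protocol transition ("Use any authentication protocol", the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl) so it can obtain a service ticket on the user's behalf, and the certificate must map to a domain account (by default AD maps on the UPN in the certificate's Subject Alternative Name). The computer name, DNs and SPN below are assumptions; the script uses ADSI and setspn (Support Tools) so it runs on Windows Server 2003 without the ActiveDirectory module.

```powershell
# Added example: grant the ISA server's computer account constrained delegation,
# with protocol transition, to the HTTP service of the published site.
$IsaComputerDn = "LDAP://CN=LTE-SBS01,OU=Domain Controllers,DC=example,DC=local"  # assumed DN
$WebServerName = "LTE-SBS01"             # account that owns the site's SPN (assumed)
$TargetSpn     = "http/pda.XXXXXX.com"   # service the user is delegated to (assumed)

# IADs PutEx control code and the userAccountControl bit for
# "use any authentication protocol" (protocol transition / S4U2Self).
$ADS_PROPERTY_APPEND            = 3
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# 1. The target SPN must already be registered on the account the IIS site runs
#    under (the web server's computer account for Network Service); without it
#    the KDC cannot issue the S4U2Proxy ticket and delegation fails silently at IIS.
$registered = & setspn -L $WebServerName
if (-not ($registered -match [regex]::Escape($TargetSpn))) {
    throw "SPN $TargetSpn is not registered on $WebServerName; register it first (setspn -A)."
}

# 2. Allow the ISA account to delegate to that SPN only (constrained), and set
#    protocol transition so a certificate-authenticated user can be delegated.
$isa = [ADSI]$IsaComputerDn
$uac = [int]$isa.userAccountControl.Value
if (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -eq 0) {
    $isa.Put("userAccountControl", ($uac -bor $TRUSTED_TO_AUTH_FOR_DELEGATION))
}
$allowed = @($isa.psbase.Properties["msDS-AllowedToDelegateTo"])
if ($allowed -notcontains $TargetSpn) {
    $isa.PutEx($ADS_PROPERTY_APPEND, "msDS-AllowedToDelegateTo", @($TargetSpn))
}
$isa.SetInfo()

# 3. Read back: the account should now list the SPN under msDS-AllowedToDelegateTo
#    and have the 0x1000000 bit set. Constrained means only this SPN; never use
#    "trust for delegation to any service" for a reverse proxy.
$isa.psbase.RefreshCache()
"Allowed to delegate to: " + (@($isa.psbase.Properties["msDS-AllowedToDelegateTo"]) -join ", ")
"Protocol transition:    " + ((([int]$isa.userAccountControl.Value) -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
```

On the IIS side this pairs with the reply's advice: the site must accept Integrated Windows Authentication (Kerberos) rather than require a client certificate, since the backend will see the proxy's Kerberos ticket for the user, not the user's certificate. A write to userAccountControl on a domain controller's computer account is a high-privilege change; review it the same way you would any delegation grant.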