ISA 2006 SP1 - SSL Client Certificate Authentication in Workgroup Environment
Posted by JoshODBrown on Server Fault
Published on 2011-02-25T19:18:35Z
isa-2006
We have an IIS6 website that was previously published using an ISA 2006 SP1 standard server publishing rule. In IIS we had required a client certificate be provided before the website could be accessed... this all worked fine and dandy.
Now we wish to use a web publishing rule on ISA 2006 SP1 for this same website. However, it seems the client certificate doesn't get processed now, so of course the user can't access the website.
I've read a few articles stating the CA for the certificate needs to be installed in the trusted root certificate authorities store on the ISA Server (I have done this), as well as installing the client certificate on the ISA Server (done as well). I have also verified that the ISA Server is able to access the CRL for our CA no problem...
In the listener properties for the web publishing rule, under Authentication, and Client Authentication Method, there is an option for SSL Client Certificate Authentication... I select this, but it appears the only Authentication Validation Method selectable is Windows (Active Directory)... there is no Active Directory in this environment. When I configure the rule with the defaults, I then try to hit my website and it prompts for my certificate, I choose it and hit OK... then I'm given the following error:
Error Code: 500 Internal Server Error. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
I check the event logs on the ISA Server and in Security Logs, I see Event ID 536, Failure Aud. The reason: The NetLogon component is not active. I think this is pretty obvious since there is no Active Directory available.
Is there a way to make this web publishing rule work using client certificates in this workgroup environment?
Any suggestions or links to helpful documents would be greatly appreciated!
© Server Fault or respective owner