
A Client Request Authenticated with a User Certificate Fails even though the Certificate is Valid

Problem:
A client request (authenticated with a user certificate) for a published Web resource fails, even though the user certificate is valid. This may occur when you publish a Web server over Secure Sockets Layer (SSL) allowing access to authenticated users only. When a client presents a user certificate for authentication, the certificate cannot be validated and the user certificate authentication attempt fails.

This occurs in the following scenario:

  • The ISA Firewall Network in which the certification authority (CA) that generated the user certificate is located has the Require All Users to Authenticate setting enabled.
  • The user certificate includes a certificate revocation list (CRL) distribution point, which points to an HTTP location for the CRL.

Cause:
During the client authentication process, the ISA Firewall tries to retrieve the CRL named in the certificate's CRL distribution point. That retrieval is a transparent Web Proxy request from the ISA Firewall's Local Host network to the network in which the issuing CA resides, and it fails because that network requires all users to authenticate. The request originates from the ISA Firewall itself rather than from a logged-on user, so there are no credentials to present, and the firewall cannot reach the CA that hosts the CRL. Without a CRL the firewall cannot determine the certificate's revocation status, and it fails the authentication exactly as if the certificate had been revoked.

Solution:
Possible workarounds include the following:

The preferred workaround (it preserves the authentication requirement for user traffic) is as follows:

  • Disable the setting Require All Users to Authenticate on the network on which the CRL distribution point is located.
  • Create a new access rule, placed above the HTTP access rules in the rule order, that allows access from the Local Host network to the network that hosts the CRL distribution point. Do not require authentication on this rule, and keep it as narrow as the CA layout allows: HTTP only, with the CDP host (not the whole network) as the destination.
  • Modify all HTTP access rules to allow access to authenticated users only. This can be All Authenticated Users, or individual users or security groups.

The other alternative is to disable the Require All Users to Authenticate setting on the network in which the CA is located, and ensure that the rules allowing access from the Local Host network to the Internal network do not require authentication. Note that disabling Require All Users to Authenticate on the CA network removes the network-level authentication requirement; authentication is then enforced only where the individual access rules that control traffic to that network require it. This has no security impact provided every access rule that carries user traffic to the network is set to require authentication: user connections continue to be authenticated by those rules, and only the ISA Firewall's own CRL retrieval from the Local Host network passes unauthenticated.
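Before and after applying either workaround, the quickest way to confirm the diagnosis above is to reproduce the firewall's own CRL fetch: an anonymous HTTP request for the URL in the certificate's CRL Distribution Point, sent from the ISA Firewall host so that it leaves through the Local Host network. The script below is an added example, not code from the original post or from ISA Server; it assumes the user certificate has been exported to .\user.cer (any path works) and that the CDP inside it points to an HTTP location, as the scenario states. It uses System.Net.WebClient rather than Invoke-WebRequest so that it also runs under the older PowerShell versions found on an ISA 2004 host, and it finishes with certutil -verify -urlfetch, which exercises CryptoAPI's own retrieval path.

```powershell
# Added example, not part of the original article or of ISA Server.
# Probe, from the ISA Firewall host, whether the CRL named in a user certificate's
# CRL Distribution Point can be fetched anonymously, the way the Web Proxy filter fetches it.
# Assumption: the exported user certificate lives at .\user.cer (hypothetical path).
param([string]$CertPath = '.\user.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host ("Subject: {0}`nIssuer:  {1}`nValid:   {2} .. {3}" -f `
    $cert.Subject, $cert.Issuer, $cert.NotBefore, $cert.NotAfter)

# OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it as text,
# with one "URL=http://..." line per distribution point; only HTTP(S) points are probed here,
# which matches the scenario (an LDAP CDP would take a different path and is left alone).
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning 'No CRL Distribution Point in this certificate; revocation cannot be checked by CRL at all.'
    return
}
$urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
    ForEach-Object { $_.Groups[1].Value }

# No Credentials are set on the client on purpose: the firewall's Local Host request has no
# logged-on user behind it, so an anonymous fetch is the faithful reproduction.
$wc = New-Object System.Net.WebClient
foreach ($url in $urls) {
    try {
        $der = $wc.DownloadData($url)
        # A DER-encoded CRL is an ASN.1 SEQUENCE, so its first byte is 0x30. Anything else
        # (an HTML logon or error page returned with HTTP 200) is not a CRL.
        if ($der.Length -gt 0 -and $der[0] -eq 0x30) {
            $tmp = Join-Path $env:TEMP 'cdp-probe.crl'
            [IO.File]::WriteAllBytes($tmp, $der)
            Write-Host ("OK   {0} returned {1} bytes of DER; CRL details:" -f $url, $der.Length)
            certutil -dump $tmp | Select-String 'Issuer|ThisUpdate|NextUpdate'
        } else {
            Write-Warning ("{0} answered 200 but the body is not a DER CRL (first byte 0x{1:X2})" -f $url, $der[0])
        }
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 407) {
            # The failure this article describes: the Web Proxy demands a user logon before it
            # will forward the request, and the firewall has no credentials to offer.
            Write-Warning ("FAIL {0} : 407 Proxy Authentication Required; authentication is enforced on the path to the CDP" -f $url)
        } elseif ($resp) {
            Write-Warning ("FAIL {0} : HTTP {1}" -f $url, [int]$resp.StatusCode)
        } else {
            # No HTTP reply at all: name resolution, TCP connect, or a rule that denies the traffic outright.
            Write-Warning ("FAIL {0} : {1}" -f $url, $_.Exception.Message)
        }
    }
}

# Cross-check with CryptoAPI's own retrieval, which is what the certificate validation on the
# ISA host ultimately relies on: every CDP and AIA URL in the chain is fetched and reported.
certutil -verify -urlfetch $CertPath
```

Run it on the ISA Server itself; run from a workstation the request would leave from a different network and prove nothing about the Local Host rules. A 407 from the CDP URL confirms the cause described above; after the unauthenticated Local Host rule is in place, the same probe should return the DER CRL and certutil should report the CDP URL as verified.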

For more information on troubleshooting problems related to the ISA Firewall's Web Proxy filter, see: http://www.microsoft.com/technet/isa/2004/plan/ts_…

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — ISA Firewalls
