IIS through ISA doesn't ask for a certificate

    Question

  • Next situation:

    I have a web application (from SharePoint) on port 443 which requires an SSL certificate (on a smart card) for auth. On IIS, client certificate auth and mapping are installed and enabled. When I try to enter https://IIS it asks for my certificate, I give it, and I get onto the site.

    On TMG I publish the SharePoint web site with the following settings:

    To: IIS, disable send original header, check request from original client

    Authentication Delegation method: No delegation, but client may authenticate directly (because I don't need auth on TMG, but want auth on IIS through TMG)

    Listener: Post certificate for external name, authentication settings - No authentication (no auth on TMG) (always try to auth with SSL)

    In this situation TMG shows me error 403.7 5 - client certificate required... But it didn't ask me for it....

    If I mark "client certificate required" on the TMG listener, TMG asks for the certificate and authenticates, but IIS gives me 403.7 5 again without requesting a certificate.

    What's wrong with the settings? I tried many variants of settings, and none gives me a certificate request from IIS through TMG.
    Friday, February 24, 2012 8:57 AM

All replies

  • Have you considered using client certificate auth on TMG and then using KCD to IIS?

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, February 24, 2012 9:32 AM
    Moderator
  • Without auth on TMG but auth using client certificate on IIS
    Friday, February 24, 2012 10:23 AM
  • I would recommend that you do the client cert auth on TMG, and then delegate using KCD.

    If not, you will need to use server publishing on HTTPS to achieve what you need...with web publishing, TMG becomes the client and cannot satisfy the requirement to present a certificate (unless you give the firewall service a certificate). TMG cannot act as a "man in the middle" for that SSL scenario.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, February 24, 2012 12:41 PM
    Moderator
  • Yep, I publish the server like a protocol publisher - that works (because web publishing isn't working either). But for me it's not so good because the entire load falls on IIS. On SharePoint Kerberos was not implemented, and rebuilding the web application is not a good idea for me.. And the biggest mystery for me - why doesn't TMG pass the IIS requests to me...
    Monday, February 27, 2012 5:30 AM
  • ...because it can't...when you are using web publishing, TMG becomes the client to the IIS server and has no way to pass the certificate prompt request back to the external client. The only options available are to use server publishing, so that TMG does not become the client and simply port forwards the request, or alternatively you can assign the firewall service a specific client certificate. However, this would then provide IIS with a single identity, not the individual external user's identity.


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Monday, February 27, 2012 4:27 PM
    Moderator
  • Thanks for the answer.

    >has no way to pass the certificate prompt request back to the external client

    An open rhetorical question with no answer: Why?...

    Wednesday, February 29, 2012 10:28 AM