Security Issue when using certificate based authentication in conjunction with Mobile Portal RSS feed

Answers

  • Hi Thomas,

    I'm not sure I understand what the security risk is here. Can you describe a real scenario where this could cause a concern (considering the fact that the user agent detection of the client type is a convenience and not supposed to be a security mechanism, since the user agent can be easily spoofed)?

    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Tuesday, May 10, 2011 10:36 PM
    Tuesday, May 10, 2011 10:36 PM

All replies

  • Hi Ben,

    Well, the problem is that someone could log in to the normal UAG Portal with username/password instead of a user certificate (as configured). Therefore he could bypass 2FA and theoretically do a brute force, or log in when he knows the password for a user. This, in my opinion, is definitely a security problem, as nobody should be able to authenticate without a certificate (this was implemented, therefore I expect UAG/IIS to behave as it was configured).

    Best regards

    Thomas

    Wednesday, May 11, 2011 8:05 PM
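As an added example (not code from the thread or from UAG) modelling the issue both posts above describe: User-Agent detection selects the portal, and if the certificate requirement hangs off that selection a spoofed header reaches a password-only path; the hardened form checks both factors regardless of portal, and a small log check flags password-only successes for review. The Request fields, UA markers and log format are constructed assumptions.

```python
# Added example, not code from the thread or from UAG: models the issue Thomas
# describes so the enforcement point is explicit. Request fields, the
# user-agent markers and the log lines are all constructed assumptions.
from dataclasses import dataclass

MOBILE_UA_MARKERS = ("Windows Phone", "iPhone", "Android")  # constructed


@dataclass
class Request:
    user_agent: str
    has_client_cert: bool      # TLS client certificate presented and valid
    has_valid_password: bool   # username/password accepted


def select_portal(req: Request) -> str:
    """Convenience routing only: the header is under the client's control."""
    return "mobile" if any(m in req.user_agent for m in MOBILE_UA_MARKERS) else "full"


def weak_authenticate(req: Request) -> bool:
    """Pattern from the thread: the cert requirement is tied to the portal chosen
    by User-Agent, so the mobile path never performs the certificate check."""
    if select_portal(req) == "full":
        return req.has_client_cert and req.has_valid_password
    return req.has_valid_password


def hardened_authenticate(req: Request) -> bool:
    """Fix: both factors are a property of the published resource and are
    checked regardless of which portal the User-Agent selects."""
    return req.has_client_cert and req.has_valid_password


def password_only_logins(log_lines):
    """Detection: return users whose successful login carried no client cert.
    Constructed log format: 'user=<u> portal=<p> cert=<yes|no> result=<ok|fail>'."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("result") == "ok" and fields.get("cert") == "no":
            hits.append(fields["user"])
    return hits


SAMPLE_LOG = [  # constructed sample records
    "user=alice portal=full cert=yes result=ok",
    "user=bob portal=mobile cert=no result=ok",
    "user=carol portal=mobile cert=no result=fail",
]

if __name__ == "__main__":
    spoofed = Request("Mozilla/5.0 (iPhone)", has_client_cert=False, has_valid_password=True)
    print("weak:", weak_authenticate(spoofed), "hardened:", hardened_authenticate(spoofed))
    print("password-only successes:", password_only_logins(SAMPLE_LOG))
```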