A Client Request Authenticated with a User Certificate Fails even though the Certificate is Valid
A client request (authenticated with a user certificate) for a published Web resource fails, even though the user certificate is valid. This may occur when you publish a Web server over Secure Sockets Layer (SSL) allowing access to authenticated users only. When a client presents a user certificate for authentication, the certificate cannot be validated and the user certificate authentication attempt fails.
This occurs in the following scenario:
- The ISA Firewall Network in which the certification authority (CA) that generated the user certificate is located has the Require All Users to Authenticate setting enabled.
- The user certificate includes a certificate revocation list (CRL) distribution point, which points to an HTTP location for the CRL.
During the client authentication process, the ISA Firewall tries to retrieve the CRL. This request is a transparent Web Proxy request from the ISA Firewall's Local Host network to the network in which the CA that issued the client certificate resides, which fails because authentication is required on the CA network. Because the ISA Firewall does not have a logged on user account, it cannot authenticate, which prevents it from connecting to the CA housing the CRL. Without a valid CRL, the user certificate is assumed to be revoked.
Possible workarounds include the following:
- The preferred workaround method (to preserve authentication settings) is as follows:
- Disable the setting Require All Users to Authenticate on the network on which the CRL distribution point is located.
- Create a new rule (place it in rule ordering above HTTP access rules), to allow access from the Local Host network to the required network. Do not require authentication on this rule.
- Modify all HTTP access rules to allow access to authenticated users only. This can be all authenticated users or individual users or security groups.
The other alternative is to disable the Require All Users to Authenticate setting on the network in which the CA is located, and ensure that rules allowing access from the Local Host network to the Internal network do not require authentication. Note that disabling Require All Users to Authenticate on the CA network turns off authentication, unless user authentication is configured for specific access rules that control traffic to the network. This is not a problem and has no security implications. All connections will continue to require authentication.
For more information on troubleshooting problems related to the ISA Firewall's Web Proxy filter, check out: http://www.microsoft.com/technet/isa/2004/plan/ts_...