A couple of days ago I wrote to you about how ISA 2006 SP1 will allow you to perform User Certificate authentication at the ISA firewall without requiring that you map the certificate to a user account in the Active Directory, and without the ISA firewall needing to be a member of the user domain. At the time I thought to myself "this is too good to be true", but I've seen the magic the ISA firewall team can perform, so I suppressed my incredulity and just gave thanks for such a great feature.
Well, when something seems too good to be true, it usually is. I was informed yesterday that there was a slight error in the SP1 document at https://blogs.technet.com/isablog/archive/2008/05/23/isa-server-2006-service-pack-1-features.aspx
It turns out that while you can use User Certificate authentication when the machine isn't a domain member and the certificates aren't mapped to user accounts in the Active Directory, User Certificate authentication must in that case be used together with Forms-based authentication (FBA). I've written about this in the past, where you can require both FBA and User Certificate authentication. But in order for the new ISA 2006 SP1 User Certificate feature to work without domain membership and certificate mapping, you also have to use FBA.
If you want to use only User Certificate authentication, then the ISA Firewall will still need to be a domain member and the certificates will need to be mapped to the user accounts in the Active Directory.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP — Microsoft Firewalls (ISA)