
Microsoft small business knowledge base

Article ID: 953684 - Last Review: September 11, 2011 - Revision: 2.0

INTRODUCTION

Before Microsoft Internet Security and Acceleration Server (ISA) 2006 Service Pack 1 (SP1), you could only require a client certificate when the Web listener was configured to use forms-based authentication of domain users by using the Active Directory directory service (FBA with AD). This authentication method uses the following process:
  • The client provides a client certificate.
  • ISA Server verifies that the certificate is valid, that it has not expired, and that it was issued by a trusted certification authority.
  • ISA Server checks the certificate against the ISA Server client certificate restrictions.
  • ISA Server sends the authentication form to the client. The user enters his or her credentials and posts them.
  • ISA Server verifies the user credentials.
  • ISA Server maps the client certificate to an Active Directory user and verifies that it is the same user by using the credentials.
In ISA Server 2006 SP1, you can require a client certificate when the Web listener is configured to use forms-based authentication with other authentication validation methods, such as LDAP (Active Directory), RADIUS, RADIUS OTP, or SecurID. When you use authentication methods other than forms-based authentication with Active Directory, ISA Server performs the same process, except that it does not try to map the client certificate to a user. This means that the ISA Server computer does not have to be a member of a domain. Or, if the computer is a domain member, it means that the client certificates do not have to be mapped to user accounts in Active Directory.

This article describes the default behavior in ISA Server 2006 SP1 when you use forms-based authentication of domain users with Active Directory. Additionally, this article describes how to change this default behavior.

MORE INFORMATION

When you perform forms-based authentication with Active Directory, ISA Server tries to map the client certificate to a user in Active Directory. By design, this is two-factor authentication behavior: the user's client certificate must be mapped to the same user account whose credentials are provided on the form.

ISA Server 2006 SP1 also adds a feature that lets you disable certificate mapping to Active Directory when you use forms-based authentication. However, when you use forms-based authentication with Active Directory to validate client credentials, the default behavior is still to map the certificate to a user.

After you apply ISA Server 2006 Service Pack 1, follow these steps to disable certificate mapping to Active Directory:
  1. Start Notepad.
  2. Paste the following script into a new document.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "DisableCertMappingForFBAwithAD"
    Const SE_VPS_VALUE = true
    
    Sub SetValue()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and its vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If
    
        ' Only write and save when the stored value differs from the requested one.
        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
    
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
  3. On the File menu, click Save As, and then save the file as DisableCertMappingForFBAwithAD.vbs.
  4. At a command prompt, type the following command, and then press ENTER:
    cscript DisableCertMappingForFBAwithAD.vbs
To return to the default behavior in ISA Server 2006 Service Pack 1 and to re-enable client certificate mapping to Active Directory when you use forms-based authentication, follow these steps:
  1. Start Notepad, and then open the DisableCertMappingForFBAwithAD.vbs script.
  2. Locate the following line of code in the script.
    Const SE_VPS_VALUE = true
    
  3. Change the code to the following.
    Const SE_VPS_VALUE = false
    
  4. On the File menu, click Save.
  5. At a command prompt, type the following command, and then press ENTER:
    cscript DisableCertMappingForFBAwithAD.vbs
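To confirm which state the array is in after running either of the procedures above, the following PowerShell script reads the same vendor parameter without changing anything. It is an added example, not part of this article or of ISA Server; it assumes the FPC.Root COM objects used by the article's script are registered on the computer where it runs, and that PowerShell can read the parameterized Value property as $vendorSet.Value($name).

```powershell
# Added example (not from the KB article): read-only check of the
# DisableCertMappingForFBAwithAD vendor parameter on an ISA Server 2006 SP1
# array, using the same FPC.Root COM object and GUID as the article's script.
# Assumptions: the ISA Server administration COM objects are registered on
# this computer, and PowerShell exposes the parameterized Value property as
# $vendorSet.Value($name). Nothing is written or saved.

$SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
$SE_VPS_NAME = "DisableCertMappingForFBAwithAD"

try {
    # -ErrorAction Stop turns a failed COM instantiation into a catchable error.
    $root = New-Object -ComObject "FPC.Root" -ErrorAction Stop
    $isaArray = $root.GetContainingArray()
    $vendorSets = $isaArray.VendorParametersSets
} catch {
    Write-Error "Could not load the ISA Server configuration: $($_.Exception.Message)"
    exit 1
}

# Item() throws when the set does not exist; treat that as 'not configured'.
try {
    $vendorSet = $vendorSets.Item($SE_VPS_GUID)
} catch {
    $vendorSet = $null
}

if ($null -eq $vendorSet) {
    Write-Output "Vendor parameter set $SE_VPS_GUID not present: default behavior (certificate mapping to Active Directory is ENABLED)."
    exit 0
}

# Reading a parameter that was never set also throws; treat as 'not set'.
try {
    $value = $vendorSet.Value($SE_VPS_NAME)
} catch {
    $value = $null
}

switch ("$value") {
    "True"  { Write-Output "$SE_VPS_NAME = True: certificate mapping to Active Directory is DISABLED." }
    "False" { Write-Output "$SE_VPS_NAME = False: certificate mapping to Active Directory is ENABLED (default)." }
    default { Write-Output "$SE_VPS_NAME is not set: default behavior (certificate mapping ENABLED)." }
}
```

Run it from an elevated PowerShell prompt on the ISA Server computer after the cscript step; because it never calls Save, it is safe to run repeatedly, for example as a post-change check or a periodic configuration audit.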

REFERENCES

For more information about how to obtain ISA Server 2006 SP1, click the following article number to view the article in the Microsoft Knowledge Base:
954258  (http://support.microsoft.com/kb/954258/ ) How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack

For more information about ISA Server 2006 SP1 features, visit the following Microsoft Web site:
http://download.microsoft.com/download/6/6/6/6662d14d-52c3-445d-b9d1-6e373171f769/SP1_Feature_Doc_RTM.doc (http://download.microsoft.com/download/6/6/6/6662d14d-52c3-445d-b9d1-6e373171f769/SP1_Feature_Doc_RTM.doc)

APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
Keywords: 
kbhowto kbtshoot kbexpertiseinter kbsurveynew kbprb KB953684