  1. #1

    Problems accessing web sites with certificates

    Thought I posted this yesterday but can't find it now so I'd guess I forgot to press submit - apologies if I've just managed to lose it :-)

    We have a couple of websites (eg http://elp.slc.co.uk/) which need a certificate in order for the user to logon.

    The site prompts for the certificate but then fails to load the next step (which is an https site) - it just gives the normal "server not found" type error (check DNS, check network connection etc).

    On the ISA 2004 server, the info below is logged. Has anyone else seen anything like this before and fixed it? This used to work, so obviously something has been changed on our ISA server, but there's nothing obviously wrong (and access to web sites like banks which don't use certificates is working fine).

    Failed Connection Attempt TCONWL16 09/04/2008 10:58:04
    Log type: Web Proxy (Forward)
    Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.
    Rule: Web Access Only
    Source: Internal ( 10.0.1.31:0)
    Destination: External ( 194.205.13.26:443)
    Request: www.tponline.co.uk:443
    Filter information: Req ID: 08ad9b13
    Protocol: SSL-tunnel
    User: anonymous
    Additional information
    Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
    Object source: Internet Processing time: 0
    Cache info: 0x0 MIME type:

  2. #2

    Was interested in this coz I once did lots of stuff with client certs and it rang some kind of bell. Then Google threw up this re. ISA:

    Unfortunately, all SSL tunnels will be logged as "failed" connections;
    typically with one of two result-codes:
    64 (The specified network name is no longer available)
    995 (The I/O operation has been aborted because of either a thread exit
    or an application request.)

    This is because ISA only knows two things about an SSL tunnel:
    1. the connections are (not) closed
    2. bits are (not) flowing through the tunnel
    Ding!

    I suppose there's the obvious stuff e.g. is the client cert valid (e.g. in date)? Is it possible to test it directly without traversing the ISA server?
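As an added illustration (not posted by anyone in the thread), a small Python script that parses ISA "Failed Connection Attempt" entries in the layout shown above and separates the 64/995 SSL-tunnel noise just described from statuses that genuinely need chasing; the second entry, its 192.0.2.10 destination and its 10061 status text are a constructed sample.

```python
import re

# Two ISA 2004 "Failed Connection Attempt" entries in the layout the thread shows.
# The first is the entry posted above; the second is a CONSTRUCTED sample of a real failure.
SAMPLE_LOG = """\
Failed Connection Attempt TCONWL16 09/04/2008 10:58:04
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.
Destination: External ( 194.205.13.26:443)
Request: www.tponline.co.uk:443
Protocol: SSL-tunnel

Failed Connection Attempt TCONWL16 09/04/2008 11:02:17
Status: 10061 No connection could be made because the target machine actively refused it.
Destination: External ( 192.0.2.10:443)
Request: example.invalid:443
Protocol: SSL-tunnel
"""

# Result codes ISA reports for every SSL tunnel once it closes, whether or not the
# tunnel actually worked (see the quoted explanation above): noise, not failure.
BENIGN_TUNNEL_CODES = {"64", "995"}

def parse_entries(text):
    """Split the log into entries; each becomes a dict of 'Field: value' pairs."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        fields = {"header": lines[0]}  # first line carries no field name
        for line in lines[1:]:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def status_code(entry):
    """Numeric part of the Status field, e.g. '995'."""
    return entry.get("Status", "").split(" ", 1)[0]

def triage(entry):
    """'expected-tunnel-close' is log noise for SSL tunnels; anything else merits a look."""
    if entry.get("Protocol") == "SSL-tunnel" and status_code(entry) in BENIGN_TUNNEL_CODES:
        return "expected-tunnel-close"
    return "investigate"

def triage_log(text):
    """Return (request, status code, verdict) for each entry in the log text."""
    return [(e.get("Request", ""), status_code(e), triage(e)) for e in parse_entries(text)]
```

Because 64/995 appear on working tunnels too, the useful signal in this log is a non-benign status (or no tunnel entry at all for the second-step https host), not the "Failed" label.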

  3. #3

    I found that :-)

    Certs are definitely valid (3 different users; 2 different sites) and I'm sure it's something to do with ISA. Trying to use squid at the moment instead but that's not yet working either!

    I'd guess we could do something to give them a direct web connection but it wouldn't be easy and I really don't want "odd" pockets of internet access for particular users going to particular sites!

    What I don't understand is what changes when you use a certificate to identify yourself compared to just using a username/password etc.

  4. #4

    Geoff
    You cannot intercept and proxy the SSL connections unless you use a trusted certificate (e.g. one you create and push out to your domain PCs) to create a new SSL connection between the client machine and your ISA server.

    The correct thing to do is to just let the connection through unmodified and put up with the warnings as Piqueaboo says.

  5. #5

    Sorry; probably being completely stupid here but what do you mean by "let the connection through unmodified"?

    As far as I know, we're not asking the ISA server to do anything to the data but obviously something must be happening otherwise the users would be able to get to the web sites they used to be able to get to!

    If you have a working rule, can you save the XML of it and post it?

  6. #6

    Do you have access to elp.slc.co.uk btw?
