Windows Thread, Problems accessing web sites with certificates in Technical; Thought I posted this yesterday but can't find it now so I'd guess I forgot to press submit - apologies ...
9th April 2008, 01:00 PM #1
Problems accessing web sites with certificates
Thought I posted this yesterday but can't find it now so I'd guess I forgot to press submit - apologies if I've just managed to lose it :-)
We have a couple of websites (eg http://elp.slc.co.uk/) which need a certificate in order for the user to logon.
The site prompts for the certificate but then fails to load the next step (which is an https site) - it just gives the normal "server not found" type error (check DNS, check network connection etc).
On the ISA 2004 server, the info below is logged. Has anyone else seen anything like this before and fixed it? This used to work so obviously something has been changed on our ISA server but there's nothing obviously wrong (and access to web sites like banks which don't use certificates are working fine)
Failed Connection Attempt TCONWL16 09/04/2008 10:58:04
Log type: Web Proxy (Forward)
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.
Rule: Web Access Only
Source: Internal ( 10.0.1.31:0)
Destination: External ( 126.96.36.199:443)
Filter information: Req ID: 08ad9b13
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Object source: Internet Processing time: 0
Cache info: 0x0 MIME type:
IDG Tech News
9th April 2008, 11:15 PM #2
Was interested in this coz I once did lots of stuff with client certs and it rang some kind of bell. Then Google threw up this re. ISA:
Unfortunately, all SSL tunnels will be logged as "failed" connections;
typically with one of two result-codes:
64 (The specified network name is no longer available)
995 (The I/O operation has been aborted because of either a thread exit
or an application request.)
This is because ISA only knows two things about an SSL tunnel:
1. the connections are (not) closed
2. bits are (not) not flowing through the tunnel
I suppose there's the obvious stuff e.g. is the client cert valid (e.g. in date)? Is it possible to test it directly without traversing the ISA server?
10th April 2008, 09:46 AM #3
I found that :-)
Certs are definitely valid (3 different users; 2 different sites) and I'm sure it's something to do with ISA. Trying to use squid at the moment instead but that's not yet working either!
I'd guess we could do something to give them a direct web connection but it wouldn't be easy and I really don't want "odd" pockets of internet access for particular users going to particular sites!
What I don't understand is what changes when you use a certificate to identify yourself compared to just using a username/password etc.
10th April 2008, 10:07 AM #4
You cannot intercept and proxy the SSL connections unless you use a trusted certificate (eg, one you create and push out to your domain pcs) to create a new SSL connection between the client machine and your ISA server.
The correct thing to do is to just let the connection through unmodified and put up with the warnings as Piqueaboo says.
10th April 2008, 08:15 PM #5
Sorry; probably being completely stupid here but what do you mean by "let the connection through unmodified"?
As far as I know, we're not asking the ISA server to do anything to the data but obviously something must be happening otherwise the users would be able to get to the web sites they used to be able to get to!
If you have a working rule, can you save the XML of it and post it?
2nd May 2010, 10:33 PM #6
- Rep Power
Do you have access to elp.slc.co.uk btw?
By Grommit in forum Network and Classroom Management
Last Post: 8th February 2008, 09:53 AM
By PEO in forum General Chat
Last Post: 4th January 2008, 10:14 PM
By Dos_Box in forum Windows
Last Post: 11th November 2007, 10:22 PM
By Dos_Box in forum Wireless Networks
Last Post: 3rd January 2007, 04:33 PM
Last Post: 20th April 2006, 09:18 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)