External users receive a 500 Internal Server Error with the URL denied by ISA Server 2006 when you publish OWA using CAC/Client Certificate Authentication

Introduction

Consider a scenario where an ISA administrator configures ISA Server 2006 to publish OWA with Smart Card/Client Certificate Authentication on the Web Listener and Kerberos Constrained Delegation (KCD) to the Exchange server. When external users try to access OWA, they enter their PIN to authenticate and then receive a 500 Internal Server Error, with the URL being denied by the ISA Server.

Troubleshooting

The first step in troubleshooting such an issue is to verify whether one of the authentication and/or delegation methods is failing. In our case, we changed the authentication on the Listener of the publishing rule to Forms-Based Authentication (FBA) while keeping Kerberos Constrained Delegation. External users were now able to log in to OWA, which shows that delegation to Exchange works and that the issue is specific to Smart Card/Client Certificate Authentication.

To find the reason for the failure, we plugged a Smart Card reader into the ISA Server and ran certutil -scinfo against the domain. The output contained the following error:

A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)

We checked the Trusted Root CA store on the local computer and found that all the appropriate Root CA certificates were installed. Further investigation revealed that the Enterprise NTAuth registry key was not populated on the ISA Server, and that the Enterprise NTAuth store on the ISA Server was empty. We then checked the Enterprise NTAuth store on the Domain Controller, and it was populated with all the Root CA certificates. Windows uses the NTAuth store to decide which CAs are trusted to issue certificates for domain authentication, so a certificate chain can validate successfully against the Trusted Root store and still be rejected for smart card logon, which is exactly what the "not trusted by the policy provider" error indicates. These certificates therefore needed to be present in the NTAuth store of the ISA Server.


Note: To view the Enterprise NTAuth store, you need to have the Windows Server 2003 Resource Kit installed. Refer to KB295663 for more information on how to import third-party certification authority (CA) certificates into the Enterprise NTAuth store.

Resolution

The following steps were performed to export the Root CA certificates from the local Trusted Root store and import them into the NTAuth store:

  1. On the ISA Server, open the Certificates MMC snap-in for the Local Computer account.
  2. Export the Root CA certificates used for Smart Card certificate issuance to .cer files.
  3. Run the following command on the ISA Server, once per exported certificate, to import the certificates into the NTAuth store:

Certutil -AddStore -Enterprise NTAuth CaCertificate.cer

This populates the local Enterprise NTAuth store with the required certificates, and external users can now access OWA with CAC and KCD. Note that this command only updates the NTAuth store on the ISA Server itself; if the CA certificate is also missing from the NTAuthCertificates object in Active Directory, KB295663 describes publishing it there with certutil -dspublish -f CaCertificate.cer NTAuthCA, so that domain members pick it up through normal Group Policy processing.
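The following PowerShell script is an added example and is not part of the original article or the ISA Server product. It automates the three resolution steps above on the ISA Server: it reads the current contents of the Enterprise NTAuth store with certutil, finds the CA certificates in the local Trusted Root and Intermediate CA stores whose Subject matches a pattern you supply, exports only the ones that are missing from NTAuth, imports them with certutil -addstore, and then re-runs the certutil -scinfo check that exposed the problem. The subject pattern, export directory and CA name are assumptions; replace them with the CAs that issue your smart card certificates.

```powershell
# Added example, not from the original article. Run elevated on the ISA Server.
# Assumptions (hypothetical): the smart card issuing chain is the "Contoso" CA
# hierarchy, and C:\NTAuthImport is a scratch folder for exported .cer files.
$CaSubjectPattern = 'CN=Contoso'           # regex matched against cert Subject
$ExportDir        = 'C:\NTAuthImport'

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. Read the current Enterprise NTAuth store. The Cert: drive does not expose
#    this store, so parse the SHA1 hashes that "certutil -store" prints.
$ntAuthDump   = certutil -enterprise -store NTAuth 2>&1 | Out-String
$ntAuthThumbs = [regex]::Matches($ntAuthDump, 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') |
    ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpper() }

Write-Host ("NTAuth store currently holds {0} certificate(s)." -f $ntAuthThumbs.Count)

# 2. Candidate CA certificates from the machine's Root and Intermediate CA stores.
$candidates = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -match $CaSubjectPattern }

if (-not $candidates) {
    Write-Warning "No CA certificates matching '$CaSubjectPattern' found in LocalMachine\Root or \CA."
    return
}

# 3. Export and import only the certificates that NTAuth is missing (idempotent).
foreach ($cert in $candidates) {
    if ($ntAuthThumbs -contains $cert.Thumbprint.ToUpper()) {
        Write-Host ("Already in NTAuth: {0}" -f $cert.Subject)
        continue
    }

    # Export as DER (.cer); this is what the Certificates MMC export wizard produces
    # by default and what certutil -addstore expects.
    $cerFile = Join-Path $ExportDir ("{0}.cer" -f $cert.Thumbprint)
    [IO.File]::WriteAllBytes($cerFile, $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))

    Write-Host ("Importing into NTAuth: {0}" -f $cert.Subject)
    certutil -enterprise -addstore NTAuth $cerFile
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("certutil -addstore failed for {0} (exit code {1})" -f $cert.Subject, $LASTEXITCODE)
    }
}

# 4. Verify: list the store again, then repeat the smart card check from the
#    troubleshooting section. -scinfo needs a reader with a card inserted and
#    should no longer report 0x800b0112 for the smart card certificate chain.
certutil -enterprise -store NTAuth
certutil -scinfo
```

The script deliberately uses certutil for the NTAuth store rather than a PowerShell certificate provider path, because the Enterprise NTAuth store is not reachable through the Cert: drive; matching on the SHA1 hash printed by certutil -store is what makes a second run a no-op. If you prefer the Active Directory route from KB295663, replace the -addstore call with certutil -dspublish -f $cerFile NTAuthCA and let Group Policy refresh the local store.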

Authors
Mohit Kumar
Sr Support Escalation Engineer
Microsoft CSS Forefront TMG Team

Niladri Dasgupta
Support Engineer
Microsoft CSS Forefront TMG Team

Technical Reviewer
Yuri Diogenes
Sr Support Escalation Engineer
Microsoft CSS Forefront TMG Team