Authentication Issues while Using LDAPS authentication on ISA (Internet Security and Acceleration Server) 2006

 

Introduction :

It is a very common scenario where we use LDAP authentication for publishing web sites on ISA. We have seen some issues with LDAPS authentication when there are some Certificates on the ISA server which have both Client and Server Authentication Enabled in the “Enhanced Key Usage” section under “Details” Tab.

Scenario:

We had a web site published on ISA 2006 server. We were using LDAPS authentication for that Web Site on ISA in the listener.

We had different LDAP server sets configured on the web listener for different domains.

LDAPS authentication was working fine for all domains except for one child domain.

Troubleshooting:

We took ISA Data Packager and here is what we saw there:

Description: The LDAP server DC.domain.com did not respond. If the server is physically reachable and a secure (SSL) connection is required, this event may be caused by failure of the SSL handshake. This event may also occur when the credentials used to connect to the LDAP server to verify the status and change the password of an account are rejected by the server.

It was strange because we were able to connect to the DCs from ISA over port 636 using LDP.exe and we were also BIND to the DC as well.

We checked the network captures for the same communication and found the following:

A Server certificate being sent by the DC in SERVER HELLO…

Subject: US,WA,CONTOSO Inc.,DC.CONTOSO.com

But then we also saw the following Web Server certificate going back in reply from the ISA servers:

Subject: OWA.CONTOSO.com,Messaging,CONTOSO Inc.,WA,US

As mentioned in the Introduction section, we have seen some issues on Windows when the SSL Web Server certificates have both 'CLIENT' and 'SERVER' Authentication enabled. In the above situation, the certificate was ‘sent’ by the ISA server because it had Client Authentication enabled. However, this certificate was invalid for Client Authentication to the child domain in question. So, we went to all the Web Server certificates on all the ISA servers and disabled 'CLIENT' authentication on them. Then we restarted the ISA Firewall service on all the ISA servers.

NOTE:  The “Client Authentication” usage is typically not required on the SSL certificates used by ISA 2006 Web Listeners.  Please make sure you only disable “Client Authentication” on installed certificates that do not require the “Client Authentication” usage.  For example, do not disable the “Client Authentication” usage on the ISA server’s Computer Certificates.

For more information on this behavior and how to configure and install certificates for LDAPS authentication, please refer to the articles below:

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

http://support.microsoft.com/kb/938703

With the above changes, we were now able to perform LDAPS authentication to the child domain in question.

Conclusion:

If you experience similar issues (i.e. authentication failing or slow authentication) while using LDAP server sets for authentication, check the Web Server certificates used by the ISA Web Listeners and make sure they only have “Server Authentication” enabled under the “Enhanced Key Usage” Section in the “Details” tab of the Certificate.

Author :

Nitin Singh

Security Support Escalation Engineer

Microsoft CSS Forefront Security Edge Team

Technical Reviewers:

Richard Barker

Sr. Security Support Escalation Engineer

Microsoft CSS Forefront Security Edge Team