Consider a scenario where an external client is trying to authenticate through an OWA publishing rule on ISA Server 2006 using Forms Based Authentication (FBA). In this scenario ISA Server 2006 was in a workgroup and FBA was using the LDAPS authentication method. Problem: authentication doesn't go through; the user stays in the same FBA window without any error message.
To narrow down the problem, the following article was followed:
2. Don’t Forget the CRL
While the core reasons why this scenario fails are covered in the above article, there are two other things to validate:
· Is ISA Server allowing access to the CRL (Certificate Revocation List)?
· Is the CRL reachable from ISA Server?
In this case the first option was true: the system policy that allows CRL download was enabled. You can check that by opening the ISA Server 2006 System Policy and reviewing the option shown below:
Figure 1 – CRL Download System Policy
How to check the second option? You can use the command line utility certutil to test it from the ISA Server itself; you just need the Root CA certificate file (.CER) available. Here are the command and the result for this scenario:
This result is very clear: ISA Server is unable to access the CRL and therefore it can't authenticate the user. For this particular scenario (the real one, not my lab), the issue was resolved after opening port 80 between ISA Server and the Root CA. Yes, ISA Server was running in sandwich mode, in between two other firewalls (Root CA → Hardware Firewall → ISA Server → Hardware Firewall → Internet). Not an ISA issue, once again.
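To make the second check repeatable, here is an added PowerShell script (not the command or output from the screenshot above) that reads the CRL Distribution Point URLs out of a certificate file, tries to download each one from the host it runs on, and then calls certutil for the chain-level view. It assumes the certificate sits at C:\Temp\RootCA.cer, which is a placeholder path.

```powershell
# Added example, not the post's own command: list the CRL Distribution Points in
# a certificate file and try to fetch each HTTP one from this host. Run it on the
# ISA Server itself, since that is the host whose access to the CRL is in question.
# Assumption: the certificate path below is a placeholder; replace it.
param([string]$CertPath = 'C:\Temp\RootCA.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# OID 2.5.29.31 is the CRL Distribution Points extension. A self-signed root
# issued without it simply has no CRL to fetch, which is reported and not an error.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Host "No CRL Distribution Point extension in $($cert.Subject); nothing to fetch."
    exit 0
}

# Format($true) renders the extension as multi-line text; pull out the URL= entries.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -notmatch '^http://') {
        # LDAP CDPs need a domain member; a workgroup ISA box cannot use them anyway.
        Write-Host "SKIP  $url (only HTTP distribution points are tested here)"
        continue
    }
    try {
        # WebClient exists on the old PowerShell versions found on ISA 2006 hosts.
        $bytes = (New-Object System.Net.WebClient).DownloadData($url)
        # A DER-encoded CRL starts with an ASN.1 SEQUENCE tag (0x30); anything else
        # is usually an error page or a captive proxy answering on port 80.
        if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
            Write-Host "OK    $url ($($bytes.Length) bytes)"
        } else {
            Write-Host "WARN  $url returned $($bytes.Length) bytes that do not look like a DER CRL"
        }
    } catch {
        # A blocked port 80 between ISA and the CA shows up here as a connect failure.
        Write-Host "FAIL  $url : $($_.Exception.Message)"
    }
}

# Cross-check with certutil, which builds the chain and reports CRL retrieval per URL.
certutil -verify -urlfetch $CertPath
```

A FAIL line for the HTTP distribution point, with the System Policy rule enabled, points at the network path between ISA and the CA rather than at ISA itself.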
When the scenario involves LDAPS authentication and SSL publishing, the number of variants is quite large. On top of that, if your topology uses ISA Server in sandwich mode and your security policy is so tight that ISA can't even check a CRL, things can get worse. This is a scenario born to fail, due to the lack of planning before putting it into production. Remember, planning is a key factor in any type of deployment, and when the topology needs to be as complex as this, be realistic: give yourself a couple of weeks to build a pilot environment that reflects the production one. Test it, write down the results, work on the errors, write down the results, resolve the problems, write down the results, test it, test it again, and make sure that you cover at least what you plan to publish. Look around ISA, not only at it, because every day my statistics that 3 out of every 5 cases are not an ISA issue just keep growing.