Before Microsoft Internet Security and Acceleration Server (ISA) 2006 Service Pack 1 (SP1), you could only require a client certificate when the Web listener was configured to use forms-based authentication of domain users by using the Active Directory directory service (FBA with AD). This authentication method uses the following process:
- The client provides a client certificate.
- ISA Server verifies that the certificate is valid, that it has not expired, and that it was issued by a trusted certification authority.
- ISA Server checks the certificate against the ISA Server client certificate restrictions.
- ISA Server sends the authentication form to the client. The user enters his or her credentials and posts them.
- ISA Server verifies the user credentials.
- ISA Server maps the client certificate to an Active Directory user and verifies that it is the same user by using the credentials.
In ISA Server 2006 SP1, you can require a client certificate when the Web listener is configured to use forms-based authentication with other authentication validation methods, such as LDAP (Active Directory), RADIUS, RADIUS OTP, or SecurID. When you use authentication methods other than forms-based authentication with Active Directory, ISA Server performs the same process, except that it does not try to map the client certificate to a user. This means that the ISA Server computer does not have to be a member of a domain. Or, if the computer is a domain member, it means that the client certificates do not have to be mapped to user accounts in Active Directory.
This article describes the default behavior in ISA Server 2006 SP1 when you use forms-based authentication of domain users with Active Directory. Additionally, this article describes how to change this default behavior.
When you perform forms-based authentication with Active Directory, ISA Server tries to map the client certificate to a user in Active Directory. By design, this is two-factor authentication: the certificate that the client presents must map to the same Active Directory user account as the credentials that the user enters in the form.
ISA Server 2006 SP1 also adds a feature that lets you disable certificate mapping to Active Directory when you use forms-based authentication. However, when you use forms-based authentication with Active Directory to validate client credentials, the default behavior is still to map the certificate to a user. Note what disabling the mapping means: ISA Server still verifies that the certificate is valid, not expired, issued by a trusted certification authority, and allowed by the client certificate restrictions, but it no longer checks that the certificate belongs to the account whose credentials were posted. Any certificate that passes those checks, combined with any valid set of credentials, is then accepted.
After you apply ISA Server 2006 Service Pack 1, follow these steps to disable certificate mapping to Active Directory:
- Start Notepad.
- Paste the following script into a new document.
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "DisableCertMappingForFBAwithAD"
Const SE_VPS_VALUE = true

Sub SetValue()
    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and its vendor parameter sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    ' Look up the vendor parameter set; Item fails if it does not exist yet.
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    If Err.Number <> 0 Then
        Err.Clear
        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    ' Only write and save when the stored value differs from SE_VPS_VALUE.
    If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError
            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If
End Sub

Sub CheckError()
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
End Sub

SetValue
- On the File menu, click Save As, and then save the file as DisableCertMappingForFBAwithAD.vbs.
- At a command prompt, type the following command, and then press ENTER:
cscript DisableCertMappingForFBAwithAD.vbs
To return to the default behavior in ISA Server 2006 Service Pack 1 and to enable client certificate mapping to Active Directory again when you use forms-based authentication, follow these steps:
- Start Notepad, and then open the DisableCertMappingForFBAwithAD.vbs script.
- Locate the following line of code in the script.
Const SE_VPS_VALUE = true
- Change the code to the following.
Const SE_VPS_VALUE = false
- On the File menu, click Save.
- At a command prompt, type the following command, and then press ENTER:
cscript DisableCertMappingForFBAwithAD.vbs
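The two procedures above (disable, then re-enable by editing the constant) can be handled by one script that first reports the current state and only writes when a change is needed. The following PowerShell script is an added example, not part of this article or of the ISA Server product; it uses the same FPC.Root COM object, vendor parameter set GUID, parameter name and Save arguments as the VBScript above. It assumes an elevated PowerShell session on the ISA Server 2006 SP1 computer (or a computer with the ISA Server management components installed), and it assumes that PowerShell must go through IDispatch (Type.InvokeMember with SetProperty) to assign a parameterized COM property such as FPCVendorParametersSet.Value(name), which is the usual workaround because plain assignment syntax is not supported for such properties. The file name Set-CertMapping.ps1 is only a suggestion.

```powershell
<#
  Added example (not from KB 953684). Shows, disables, or re-enables the
  DisableCertMappingForFBAwithAD vendor parameter on the local ISA Server
  2006 SP1 array.

  Usage:  .\Set-CertMapping.ps1                  # report current state only
          .\Set-CertMapping.ps1 -Action Disable  # same effect as the article's VBScript
          .\Set-CertMapping.ps1 -Action Enable   # back to the default behavior
#>
param(
    [ValidateSet('Show', 'Disable', 'Enable')]
    [string]$Action = 'Show'
)

# Same GUID and parameter name as the article's script.
$SE_VPS_GUID = '{143F5698-103B-12D4-FF34-1F34767DEabc}'
$SE_VPS_NAME = 'DisableCertMappingForFBAwithAD'

$root       = New-Object -ComObject 'FPC.Root'
$array      = $root.GetContainingArray()
$vendorSets = $array.VendorParametersSets

# Item() raises an error when the vendor parameter set has never been created,
# which simply means the default (certificate mapping enabled) is in force.
try   { $vendorSet = $vendorSets.Item($SE_VPS_GUID) }
catch { $vendorSet = $null }

$current = $false
if ($null -ne $vendorSet) {
    # The set may exist without this particular value; treat that as $false.
    try   { $current = [bool]$vendorSet.Value($SE_VPS_NAME) }
    catch { $current = $false }
}

$stateText = if ($current) { 'DISABLED' } else { 'ENABLED (default)' }
Write-Host "$SE_VPS_NAME = $current; certificate mapping to Active Directory is $stateText."

if ($Action -eq 'Show') { return }

# Disable -> parameter true; Enable -> parameter false.
$desired = ($Action -eq 'Disable')
if ($current -eq $desired) {
    Write-Host 'No change required.'
    return
}

if ($null -eq $vendorSet) {
    $vendorSet = $vendorSets.Add($SE_VPS_GUID)
}

# Assumption: PowerShell cannot assign to a parameterized COM property with
# plain syntax ($vendorSet.Value($name) = $x), so set it through IDispatch.
$vendorSet.GetType().InvokeMember(
    'Value',
    [System.Reflection.BindingFlags]::SetProperty,
    $null,
    $vendorSet,
    @($SE_VPS_NAME, $desired)
) | Out-Null

# Same Save arguments as the article's script.
$vendorSets.Save($false, $true)

# Read back from the stored configuration to confirm the write took effect.
$check = [bool]$vendorSets.Item($SE_VPS_GUID).Value($SE_VPS_NAME)
if ($check -ne $desired) {
    throw "Write-back verification failed: $SE_VPS_NAME is $check, expected $desired."
}
$newState = if ($desired) { 'DISABLED' } else { 'ENABLED' }
Write-Host "$SE_VPS_NAME set to $desired and saved; certificate mapping is now $newState."
```

Run it with no arguments first to confirm what the array currently does before changing anything; the read-back after Save is there so that a failed write does not leave you believing mapping is off when it is still on (or the reverse).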
For more information about how to obtain ISA Server 2006 SP1, click the following article number to view the article in the Microsoft Knowledge Base:
954258 How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack (http://support.microsoft.com/kb/954258/)
For more information about ISA Server 2006 SP1 features, visit the following Microsoft Web site:
Article ID: 953684 - Last Review: September 11, 2011 - Revision: 2.0
APPLIES TO
- Microsoft Internet Security and Acceleration Server 2006 Service Pack 1