How to change the default behavior for client certificate mapping when you use forms-based authentication with Active Directory in ISA Server 2006 Service Pack 1

This article has been archived. It is offered "as is" and will no longer be updated.
INTRODUCTION
Before Microsoft Internet Security and Acceleration Server (ISA) 2006 Service Pack 1 (SP1), you could only require a client certificate when the Web listener was configured to use forms-based authentication of domain users by using the Active Directory directory service (FBA with AD). This authentication method uses the following process:
  • The client provides a client certificate.
  • ISA Server verifies that the certificate is valid, that it has not expired, and that it was issued by a trusted certification authority.
  • ISA Server checks the certificate against the ISA Server client certificate restrictions.
  • ISA Server sends the authentication form to the client. The user enters his or her credentials and posts them.
  • ISA Server verifies the user credentials.
  • ISA Server maps the client certificate to an Active Directory user and verifies that it is the same user by using the credentials.
In ISA Server 2006 SP1, you can require a client certificate when the Web listener is configured to use forms-based authentication with other authentication validation methods, such as LDAP (Active Directory), RADIUS, RADIUS OTP, or SecurID. When you use authentication methods other than forms-based authentication with Active Directory, ISA Server performs the same process, except that it does not try to map the client certificate to a user. This means that the ISA Server computer does not have to be a member of a domain. Or, if the computer is a domain member, it means that the client certificates do not have to be mapped to user accounts in Active Directory.

This article describes the default behavior in ISA Server 2006 SP1 when you use forms-based authentication of domain users with Active Directory. Additionally, this article describes how to change this default behavior.
MORE INFORMATION
When you perform forms-based authentication with Active Directory, ISA Server tries to map the client certificate to a user in Active Directory. By design, this is two-factor authentication behavior: the user's client certificate must map to the same user account as the credentials that the user provides.

ISA Server 2006 SP1 also adds a feature that lets you disable certificate mapping to Active Directory when you use forms-based authentication. However, when you use forms-based authentication with Active Directory to validate client credentials, the default behavior is still to map the certificate to a user.

After you apply ISA Server 2006 Service Pack 1, follow these steps to disable certificate mapping to Active Directory:
  1. Start Notepad.
  2. Paste the following script into a new document.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "DisableCertMappingForFBAwithAD"
    Const SE_VPS_VALUE = true

    Sub SetValue()
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object

        ' Get references to the array object
        ' and the vendor parameter sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )

        If Err.Number <> 0 Then
            Err.Clear
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If

        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
            If Err.Number <> 0 Then
                CheckError
            Else
                ' Persist the change; report success only if Save raised no error.
                VendorSets.Save false, true
                If Err.Number <> 0 Then
                    CheckError
                Else
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    End Sub

    Sub CheckError()
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    End Sub

    SetValue
  3. On the File menu, click Save As, and then save the file as DisableCertMappingForFBAwithAD.vbs.
  4. At a command prompt, type the following command, and then press ENTER:
    cscript DisableCertMappingForFBAwithAD.vbs
To return to the default behavior in ISA Server 2006 Service Pack 1 and to re-enable client certificate mapping to Active Directory when you use forms-based authentication, follow these steps:
  1. Start Notepad, and then open the DisableCertMappingForFBAwithAD.vbs script.
  2. Locate the following line of code in the script.
    Const SE_VPS_VALUE = true
  3. Change the code to the following.
    Const SE_VPS_VALUE = false
  4. On the File menu, click Save.
  5. At a command prompt, type the following command, and then press ENTER:
    cscript DisableCertMappingForFBAwithAD.vbs
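The two procedures above (disable the mapping, then re-enable it by editing the constant) can be combined into one script that first reports the current value of the setting and, if a value is given on the command line, changes it. This is an added example, not the script from the KB article; it assumes the same FPC.Root COM objects, GUID and parameter name that the article's script uses, and it assumes (labelled in the code) that reading a parameter name that was never stored either raises a COM error or returns Empty.

```vbscript
' Added example (not the KB script): report, and optionally set, the
' DisableCertMappingForFBAwithAD vendor parameter on this ISA Server computer.
' Usage: cscript CertMappingSetting.vbs [true|false]   (no argument = report only)
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "DisableCertMappingForFBAwithAD"
Dim root, fpcArray, vendorSets, vendorSet, current, wanted
Set root = CreateObject("FPC.Root")
Set fpcArray = root.GetContainingArray
Set vendorSets = fpcArray.VendorParametersSets
Set vendorSet = Nothing

On Error Resume Next
Set vendorSet = vendorSets.Item(SE_VPS_GUID)
If Err.Number <> 0 Then
    ' The set was never created, so the setting is at its default (mapping enabled).
    Err.Clear
    current = False
    WScript.Echo "Vendor parameter set not present; certificate mapping is enabled."
Else
    current = vendorSet.Value(SE_VPS_NAME)
    ' Assumption: a name that was never stored raises an error or returns Empty.
    If Err.Number <> 0 Or IsEmpty(current) Then
        Err.Clear
        current = False
    End If
    WScript.Echo SE_VPS_NAME & " is currently " & CStr(current)
End If
If WScript.Arguments.Count = 0 Then WScript.Quit 0
Select Case LCase(WScript.Arguments(0))
    Case "true":  wanted = True
    Case "false": wanted = False
    Case Else
        WScript.Echo "Argument must be true or false."
        WScript.Quit 1
End Select
If CBool(current) = wanted Then
    WScript.Echo "No change needed."
    WScript.Quit 0
End If

' Create the set on first use, store the value and persist it, as the KB script does.
If vendorSet Is Nothing Then Set vendorSet = vendorSets.Add(SE_VPS_GUID)
vendorSet.Value(SE_VPS_NAME) = wanted
vendorSets.Save False, True
If Err.Number <> 0 Then
    WScript.Echo "Update failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
WScript.Echo SE_VPS_NAME & " set to " & CStr(wanted) & " and saved."
```

Run it with no argument after either procedure to confirm that the stored value matches what you intended before you test a client certificate logon.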
REFERENCES
For more information about how to obtain ISA Server 2006 SP1, click the following article number to view the article in the Microsoft Knowledge Base:
954258 How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack

For more information about ISA Server 2006 SP1 features, visit the following Microsoft Web site:
Properties

Article ID: 953684 - Last Review: 01/15/2015 17:55:20 - Revision: 2.0

  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1