Cajun MCSE MS technology down on the bayou

In the last few months, we moved our Active Directory to Windows 2008 R2. We also recently deployed ISA 2006 as a front end for all of our internet-facing web services, including SharePoint, Team Foundation Web Services, and a few others.


To allow employees to change their passwords externally, or after an expiration, through ISA, we implemented LDAPS pre-authentication. We have ISA deployed in the single-NIC configuration, where it lives in the perimeter network (DMZ), since we already use a Cisco ASA 5520 as our primary firewall. In my opinion, this is the most secure way to deploy ISA for web publishing (reverse proxy) purposes, but that's another conversation.


One of the stumbling blocks in getting this to work was the new Certificate Authority in Windows 2008 R2. In 2008 R2, Microsoft released quite a few new cryptographic providers; however, many of these new providers are not backwards compatible with Windows 2003 or with Windows XP before SP3. Our ISA 2006 server runs on Windows 2003, since it is deployed on older hardware that is not 64-bit capable.


The solution was to uninstall the Certificate Authority from the domain controller and then reinstall it, making sure to pick the older Microsoft Strong Cryptographic Provider and SHA-1 as the hash algorithm. Once this was done, a server certificate was automatically issued to my domain controller. I was also able to export the Root CA certificate, bring it over to ISA, and import it into my Trusted Certificate Authorities store without getting the invalid certificate signature error I had been getting before. Now, with ISA trusting my Certificate Authority, I was able to authenticate, change passwords, or warn of impending password expirations on the FBA (forms-based authentication) screen.
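The error described above comes down to one property of the CA's own certificate: the signature algorithm. A host running the older CryptoAPI (Windows 2003, XP before SP3) cannot validate a SHA-2 signature, so the root certificate is rejected as soon as it is imported, long before any LDAPS or FBA traffic is involved. The following PowerShell is an added example, not code from the original post, that checks this before the certificate is carried over to the relying host, confirms on the CA which provider and hash it was installed with, and then performs the import and a chain-build check on the ISA side. The file path is an assumption; the certutil registry value names (CA\CSP\Provider, CA\CSP\HashAlgorithm) are the standard Certificate Services configuration values.

```powershell
# Added example (not from the original post). Run the first two sections
# anywhere the exported root certificate is available; the certutil lines
# on the CA itself; the import/chain section on the host that must trust
# the CA (the ISA server in the post). $caCertPath is an assumed location.
$caCertPath = 'C:\temp\RootCA.cer'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertPath

# --- 1. Will a legacy CryptoAPI host be able to validate this signature? ---
# sha1RSA = 1.2.840.113549.1.1.5, md5RSA = 1.2.840.113549.1.1.4 are the
# algorithms pre-SP3 XP / Windows 2003 understand; sha256RSA (.1.1.11),
# sha384RSA (.1.1.12) and sha512RSA (.1.1.13) are not.
$legacyAlgs = @('1.2.840.113549.1.1.5', '1.2.840.113549.1.1.4')
$sigOid     = $cert.SignatureAlgorithm.Value
$legacyOk   = $legacyAlgs -contains $sigOid

"Subject            : $($cert.Subject)"
"Issuer             : $($cert.Issuer)"
"Signature algorithm: $($cert.SignatureAlgorithm.FriendlyName) ($sigOid)"
"Public key         : $($cert.PublicKey.Oid.FriendlyName), $($cert.PublicKey.Key.KeySize) bits"
"Valid              : $($cert.NotBefore) to $($cert.NotAfter)"

if (-not $legacyOk) {
    Write-Warning ("Signed with {0}: Windows 2003 and XP before SP3 will report an invalid " +
                   "certificate signature. Either reissue the CA with a legacy provider and SHA-1, " +
                   "as the post describes, or update the relying host.") -f $cert.SignatureAlgorithm.FriendlyName
}

# --- 2. On the CA: confirm the provider and hash it was installed with ---
# These read the Certificate Services configuration in the registry and are
# the quickest way to see whether the reinstall actually picked the legacy
# provider (Microsoft Strong Cryptographic Provider) and SHA-1.
# certutil -getreg CA\CSP\Provider
# certutil -getreg CA\CSP\HashAlgorithm        # 0x8004 = CALG_SHA1

# --- 3. On the relying host: import into Trusted Root and prove the chain builds ---
# Equivalent to the MMC import in the post, but scriptable and followed by a
# verification step so a bad signature shows up immediately.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# A self-signed root has no CRL to check; revocation checking would only add noise here.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    "Chain builds: this host now trusts $($cert.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

The same check applies to every certificate the CA issues, not just its root: the server certificate the domain controller received for LDAPS carries the CA's signing hash too, which is why the CA had to be reinstalled rather than the root simply re-exported. One caveat worth stating plainly: reinstalling with SHA-1 is a compatibility workaround for the 2003-era host, and SHA-1 signatures have since been deprecated for TLS by Microsoft and the major browsers, so a CA stood up this way should be reissued with SHA-2 once the last legacy relying host is gone.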

Posted on Saturday, February 27, 2010 9:45 AM in Windows 2008 Server, Windows Networking


Comments on this post: Windows 2008 R2, ISA 2006, and LDAPS Pre-Authentication

No comments posted yet.


Copyright © Ryan Roussel | Powered by: GeeksWithBlogs.net