Holiday Question #2, from Mathieu:
In Belgium we have an electronic identity card (eid); it contains a certificate for signing and authentication in Windows. After some investigation I found some documents on the Microsoft website on how I could implement client certificate authentication with the eID on my IIS web application. (ASP.NET) This works very well! (on my intranet) But when I would like to test the same application behind my ISA firewall, it does not work. The user does not get the prompt from Internet Explorer to select an installed certificate and use this for my website. How can I change my ISA server so that Internet Explorer will be asked to send a certificate and that the certificate given will be read by my IIS server? For now I use ISA 2000, but I will upgrade if it's working in 2004. But I cannot find any documentation about that subject.
Good question, but the answer won't be quite so good.
For ISA 2004:
So, short version: in this type of scenario, ISA Server is effectively acting as a Man In The Middle (MITM), and the use of client certificates prevents it from working (I don't know enough to claim that it's how it'll always work, but for now, that's my assumption).
You end up with two options:
As I'm still on holiday, I'm short an ISA 2000 box to muck around with, so I can't confirm whether the second option exists for that version, but the Server Publishing option definitely* works for both: ISA just sets up a TCP session between client and server, and gets out of the way.
* - as definitely as I can remember without actually being able to look it up. So a "probably definitely", but I wanted to sound confident*.