
SCA Passing Client Certificate to Back End Server Problem

nalcomis75
Level 1

We are trying to pass a client certificate from the SCA to a back end IIS server so that the IIS server can authenticate the user against Windows AD. When we enable the Add Client Certificate Info option in the "Add HTTP Headers to backend HTTP Stream" section, the IIS server returns an HTTP 400 "Bad Request" response. What options do we need to set to have the SCA successfully pass a client certificate to the back end IIS server?

6 Replies

Gilles Dufour
Cisco Employee

Is the backend clear text?

If so, capture a sniffer trace to see the header after doing client certificate insertion.

Unless there is a bug I don't see why it fails.

It surely works for me.

Gilles.

Gilles,

Attached are my configs and packet captures, both in front and behind the CSS. There are 4 total attachments. 3 in this post and 1 in the next thread (due to your 3 attachment limit). The packet captures are in Ethereal format.

What version software are you running on your SCA? A bug sounds very possible. I recently upgraded to the latest version. I never tried it with the older. Thanks.

-Erik

My final attachment. Note: I changed the backend port from 5150 to standard port 80 to simplify trouble-shooting. Thanks.

I don't see anything wrong in the info sent by the CSS/SCA.

Looks like the server says "invalid header" but I can't find which one is invalid.

Looks like a Microsoft bug to me.

Do you have an Apache server somewhere to test with?

What you can also try is extract the clear text header and try to send it using a script to the IIS server.

Remove one header line at a time and see which one the IIS server is complaining about.

I can do this myself but it may take a few days for me to find the time.

Gilles.
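
The header-by-header replay suggested in the reply above, sketched as an added example that is not part of the original thread or Cisco's tooling. The request bytes, the `X-Example-*` header names and the address `192.0.2.10` are constructed placeholders; substitute the clear-text request taken from your own capture.

```python
import socket

# Constructed sample request. The X-Example-* names are placeholders, not the
# headers the SCA really inserts; paste the request from your own capture.
CAPTURED = (
    b"GET / HTTP/1.1\r\n"
    b"Host: iis.example.test\r\n"
    b"X-Example-Cert-Subject: CN=Test User,\r\n"
    b"\tO=Example\r\n"                      # folded continuation line
    b"X-Example-Cert-Serial: 01:02\r\n"
    b"Connection: close\r\n\r\n"
)

def split_headers(raw):
    """Return (request_line, [header blocks], body); folded lines stay with their header."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    blocks = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and blocks:
            blocks[-1] += b"\r\n" + line
        else:
            blocks.append(line)
    return lines[0], blocks, body

def variants(raw, keep=(b"host", b"connection")):
    """Yield (removed header name, request bytes) with exactly one header dropped."""
    request_line, blocks, body = split_headers(raw)
    for i, block in enumerate(blocks):
        name = block.split(b":", 1)[0].strip()
        if name.lower() in keep:          # HTTP/1.1 needs Host; keep the close too
            continue
        rest = blocks[:i] + blocks[i + 1:]
        yield name.decode("latin-1"), b"\r\n".join([request_line] + rest) + b"\r\n\r\n" + body

def send_raw(host, port, raw, timeout=5.0):
    """Send the bytes unmodified over TCP and return the status code of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        reply = sock.recv(4096)
    return int(reply.split(b" ", 2)[1])

def find_suspects(raw, send):
    """Return (baseline status, headers whose removal changes that status)."""
    baseline = send(raw)
    return baseline, [name for name, req in variants(raw) if send(req) != baseline]

if __name__ == "__main__":
    # Hypothetical test address; point it at the clear-text back-end port.
    print(find_suspects(CAPTURED, lambda r: send_raw("192.0.2.10", 80, r)))
```

A header is reported when the server's status differs from the baseline once that header is removed, so with a baseline of 400 the reported names are the ones to inspect byte by byte in the capture.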

Gilles,

Have you guys tested this config on Win2k3 with IIS 6.0?

Gilles,

What version IIS have you seen this work with? Thanks.

-Erik
