<div>
What kind of certificates are you using enterprise? You say you kerberos enabled, what does mean for you? Just saying to which spn you will authenticating is not enough.. You also have to allow isa (the machine that has isa installed or computers account) to delegate credentials to that spn using any authentication protocol in activedirectory directory. Are you delegating credentials to a web site that has integrated authentication enabled? Does isa map the certificate to auser correctly? 
</div>


What kind of certificates are you using enterprise? You say you kerberos enabled, what does mean for you? Just saying to which spn you will authenticating is not enough.. You also have to allow isa (the machine that has isa installed or computers account) to delegate credentials to that spn using any authentication protocol in activedirectory directory. Are you delegating credentials to a web site that has integrated authentication enabled? Does isa map the certificate to auser correctly?

<div>
this is for a government agency; we typically delegate kerberos to the spn via url method using http. the back end is using integrated authentication; i would think the mapping is working correctly; we have tons of other apps and web servers that are authenticating with the same domain and working ok.
</div>


this is for a government agency; we typically delegate kerberos to the spn via url method using http. the back end is using integrated authentication; i would think the mapping is working correctly; we have tons of other apps and web servers that are authenticating with the same domain and working ok.

<div>
had to manually set the spn
</div>


<div>
<div class="content wysiwyg-content">
Hello,<br />
<br />
I have a back end web server that is smart card enabled; when I bypass ISA and authenticate with the server directly, I can login ok using a smart card.<br />
<br />
When I throw ISA into the mix, the smart card credentials do not get passed and I cannot login.<br />
<br />
Any thoughts? I have kerberos delegation set from ISA to the backend.<br />
<br />
Thanks<br />

</div>
</div>


Hello,

I have a back end web server that is smart card enabled; when I bypass ISA and authenticate with the server directly, I can login ok using a smart card.

When I throw ISA into the mix, the smart card credentials do not get passed and I cannot login.

Any thoughts? I have kerberos delegation set from ISA to the backend.

Thanks


ISA 2006 and smart card authentication

Microsoft Forefront, formerly known as Internet Security and Acceleration Server (ISA Server), is a network router, firewall, antivirus program, VPN server and web cache that runs on Windows servers. It includes identity management and protection systems, and discontinued systems for threat management and network protection, along with protection for Sharepoint and Exchange. The scope of discussions includes forward and reverse proxy, application and service publishing, virtual private networks (VPNs), outbound access rules, SSL certificates and network routing within either a single node or an highly-available array pairing.