Configuring SSL client certificate authentication

Updated: February 1, 2011

Applies To: Unified Access Gateway

In Forefront Unified Access Gateway (UAG), there are several scenarios that use SSL client certificate authentication. For each trunk in Forefront UAG, you can configure either a simple client certificate or a smart card certificate.

Note

You can configure a single trunk to use only one of the certificate methods.

The following topics describe the scenarios that you can implement:

Note

For each of these scenarios, you must configure the authentication scheme on Forefront UAG, as described in the following procedure.

Configuring the SSL client certificate authentication scheme

Before you configure any of the client certificate or smart card scenarios, copy the required files to their new location and rename them for your implementation.

To configure the SSL client certificate authentication scheme

  1. In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers, and ensure that you have defined an LDAP server that will be used for this scheme. LDAP servers include Active Directory, Netscape LDAP Server, Notes Directory, and Novell Directory.

  2. Copy the file site_secure_cert.inc or site_secure_SmartCard_cert.inc from:

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples

    to the following custom folder (if it does not exist, create it):

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

    Note

    You can configure each Forefront UAG trunk to use either a client certificate (by using the file site_secure_cert.inc) or a smart card certificate (by using the file site_secure_SmartCard_cert.inc).

  3. Rename the file as follows:

    <Trunk_Name>1cert.inc

    For example, for a trunk named UAGPortal, name the file UAGPortal1cert.inc.

    Tip

    The digit 1, which is part of the file name, indicates that this is an HTTPS trunk.

    By default, this file checks the user's e-mail address to verify the certificate. You can edit the file to change this functionality or add other functions, if required.

    Important

    The <Trunk_Name>1cert.inc file must declare the number of certificate parameters that are checked.

    For example, in the default settings, where one parameter (e-mail) is checked, this file sets the following:

    Dim subject_array(0) = "SubjectEMAIL"

    If you edit the file to check more or different parameters, make sure that you change this declaration accordingly.

  4. From the samples folder you accessed in step 2, copy the file site_secure_login_for_cert.inc to the CustomUpdate folder. Rename the file as follows:

    <Trunk_Name>1login.inc

  5. From the samples folder, copy the file site_secure_validate_for_cert.inc to the CustomUpdate folder. Rename the file as follows:

    <Trunk_Name>1validate.inc

  6. In the <Trunk_Name>1validate.inc file, enter the name of the LDAP authentication server, in the line:

    Session("repository1") = ""

    For example, if you named the server "ContosoAD", this line should read: Session("repository1") = "ContosoAD"

  7. From the samples folder, copy the file repository_for_cert.inc to the CustomUpdate folder. Rename the file as follows:

    <Authentication_Server_Name>.inc

    where <Authentication_Server_Name> is the name of your LDAP authentication server. For example, if you named the server "ContosoAD", name the file ContosoAD.inc.

    Note

    If you want to enable Kerberos constrained delegation on any application that belongs to this trunk, open this <Authentication_Server_Name>.inc file, and make the following modification:

    KCDAuthentication_on = true
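The following PowerShell script is an added example, not part of the Forefront UAG documentation or product; it carries out steps 2 to 7 of the procedure above for one HTTPS trunk, so that the copy, rename and edit work is repeatable across trunks and servers. It makes two assumptions that you should check against your own installation: $UagRoot defaults to the Program Files install folder (the page elides the path with "..."), and the sample files contain the Session("repository1") = "" line and, for Kerberos constrained delegation, a KCDAuthentication_on assignment, as the page describes. The script refuses to overwrite an existing file in CustomUpdate so that earlier customizations (for example an edited subject_array) are not lost.

```powershell
<#
  Added example for the procedure "To configure the SSL client certificate
  authentication scheme". Not UAG product code. Assumptions are marked below.
  Usage:  .\Set-UagCertTrunk.ps1 -TrunkName UAGPortal -RepositoryName ContosoAD
          .\Set-UagCertTrunk.ps1 -TrunkName UAGPortal -RepositoryName ContosoAD -Method SmartCard -EnableKcd
#>
param(
    [Parameter(Mandatory=$true)] [string] $TrunkName,        # trunk name, e.g. UAGPortal
    [Parameter(Mandatory=$true)] [string] $RepositoryName,   # LDAP server defined in step 1, e.g. ContosoAD
    [ValidateSet('Certificate','SmartCard')] [string] $Method = 'Certificate',  # one method per trunk
    [switch] $EnableKcd,
    # ASSUMPTION: default install folder; the page shows only "...\Microsoft Forefront Unified Access Gateway"
    [string] $UagRoot = (Join-Path $env:ProgramFiles 'Microsoft Forefront Unified Access Gateway')
)

$ErrorActionPreference = 'Stop'
$samples = Join-Path $UagRoot 'von\InternalSite\samples'
$custom  = Join-Path $UagRoot 'von\InternalSite\inc\CustomUpdate'

if (-not (Test-Path $samples)) { throw "Samples folder not found: $samples" }
# Step 2: create the CustomUpdate folder if it does not exist.
if (-not (Test-Path $custom)) { New-Item -ItemType Directory -Path $custom | Out-Null }

# Steps 2 and 3: a trunk uses either the client certificate or the smart card sample, never both.
if ($Method -eq 'SmartCard') { $certSample = 'site_secure_SmartCard_cert.inc' }
else                         { $certSample = 'site_secure_cert.inc' }

# Sample file -> destination name. The "1" marks an HTTPS trunk (steps 3, 4, 5 and 7).
$copies = @{
    $certSample                         = "${TrunkName}1cert.inc"
    'site_secure_login_for_cert.inc'    = "${TrunkName}1login.inc"
    'site_secure_validate_for_cert.inc' = "${TrunkName}1validate.inc"
    'repository_for_cert.inc'           = "${RepositoryName}.inc"
}

foreach ($src in $copies.Keys) {
    $dest = Join-Path $custom $copies[$src]
    # Do not clobber an existing customization (e.g. an edited subject_array in 1cert.inc).
    if (Test-Path $dest) { throw "Refusing to overwrite existing file: $dest" }
    Copy-Item -Path (Join-Path $samples $src) -Destination $dest
}

# Step 6: point <Trunk_Name>1validate.inc at the LDAP repository from step 1.
$validate    = Join-Path $custom "${TrunkName}1validate.inc"
$repoPattern = 'Session\("repository1"\)\s*=\s*""'
$lines = Get-Content -Path $validate
if (-not ($lines -match $repoPattern)) {
    throw "Expected line Session(""repository1"") = """" not found in $validate"
}
$lines = $lines -replace $repoPattern, "Session(""repository1"") = ""$RepositoryName"""
Set-Content -Path $validate -Value $lines

# Step 7 note: enable Kerberos constrained delegation in <Authentication_Server_Name>.inc.
if ($EnableKcd) {
    $repoFile   = Join-Path $custom "${RepositoryName}.inc"
    $kcdPattern = '^\s*KCDAuthentication_on\s*=\s*\w+'   # ASSUMPTION: the sample carries this assignment
    $repoLines  = Get-Content -Path $repoFile
    if ($repoLines -match $kcdPattern) {
        $repoLines = $repoLines -replace $kcdPattern, 'KCDAuthentication_on = true'
    } else {
        $repoLines += 'KCDAuthentication_on = true'      # fall back to appending the setting
    }
    Set-Content -Path $repoFile -Value $repoLines
}

# Post-check: show the files produced and the repository line as the page says it should read.
Get-ChildItem -Path $custom | Where-Object { $_.Name -like "${TrunkName}1*.inc" -or $_.Name -eq "${RepositoryName}.inc" } |
    Select-Object Name, Length
Select-String -Path $validate -Pattern 'repository1' | ForEach-Object { $_.Line }
```

Run the script once per trunk. The post-check output should list the three <Trunk_Name>1*.inc files plus <Authentication_Server_Name>.inc, and the final line should read Session("repository1") = "ContosoAD" (with your server name); if it still shows an empty string, the validate file was not edited and the trunk will fail to resolve its LDAP repository.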