Export (0) Print
Expand All
2 out of 4 rated this helpful - Rate this topic

Configuring SSL client certificate authentication

Published: January 11, 2010

Updated: February 1, 2011

Applies To: Unified Access Gateway

In Forefront Unified Access Gateway (UAG), there are several scenarios that use SSL client certification authentication. For each trunk in Forefront UAG, you can configure a simple client certificate or a smart card certificate.

noteNote:
You can configure a single trunk to use only one of the certificate methods.

The following topics describe the scenarios that you can implement:

noteNote:
For each of these scenarios, you must configure the authentication scheme on Forefront UAG, as described in the following procedure.

Before you configure any of the client certificate or smart card scenarios, copy the required files to their new location and rename them for your implementation.

To configure the SSL client certificate authentication scheme

  1. In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers, and ensure that you have defined an LDAP server that will be used for this scheme. LDAP servers include Active Directory, Netscape LDAP Server, Notes Directory, and Novell Directory.

  2. Copy the file site_secure_cert.inc or site_secure_SmartCard_cert.inc from:

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples

    to the following custom folder (if it does not exist, create it):

    ...\ Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

    noteNote:
    You can configure each Forefront UAG trunk to use either a client certificate (by using the file site_secure_cert.inc) or a smart card certificate (by using the file site_secure_SmartCard_cert.inc).

  3. Rename the file as follows:

    <Trunk_Name>1cert.inc

    For example, for a trunk named UAGPortal, name the file UAGPortal1cert.inc.

    TipTip:
    The digit 1, which is part of the file name, indicates that this is an HTTPS trunk.

    By default, this file checks the user's e-mail address to verify the certificate. You can edit the file to change this functionality or add other functions, if required.

    ImportantImportant:
    This file <Trunk_Name>1cert.inc must set the number of parameters that are checked.

    For example, in the default settings, where one parameter (e-mail) is checked, this file sets the following:

    Dim subject_array(0) = “SubjectEMAIL”

    If you edit the file, make sure that you change this function accordingly.

  4. From the samples folder you accessed in step 2, copy the file site_secure_login_for_cert.inc to the CustomUpdate folder. Rename the file as follows:

    <Trunk_Name>1login.inc

  5. From the samples folder, copy the file site_secure_validate_for_cert.inc to the CustomUpdate folder. Rename the file as follows:

    <Trunk_Name>1validate.inc

  6. In the <Trunk_Name>1validate.inc file, enter the name of the LDAP authentication server, in the line:

    Session("repository1") = ""

    For example, if you named the server "ContosoAD", this line should read: Session("repository1") = "ContosoAD"

  7. From the samples folder, copy the file repository_for_cert.inc to the CustomUpdate folder. Rename the file as follows:

    <Authentication_Server_Name>.inc

    where <Authentication_Server_Name> is the name of your LDAP authentication server. For example, if you named the server "ContosoAD", name the file ContosoAD.inc.

    noteNote:
    If you want to enable Kerberos constrained delegation on any application that belongs to this trunk, open this <Authentication_Server_Name>.inc file, and make the following modification:

    KCDAuthentication_on = true

 
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.