Configuring SSL client certificate authentication
Published: January 11, 2010
Updated: February 1, 2011
Applies To: Unified Access Gateway
In Forefront Unified Access Gateway (UAG), there are several scenarios that use SSL client certification authentication. For each trunk in Forefront UAG, you can configure a simple client certificate or a smart card certificate.
|You can configure a single trunk to use only one of the certificate methods.|
The following topics describe the scenarios that you can implement:
Authenticating with e-mail in the certificate subject
Authenticating with CN in the certificate subject
Authenticating with UPN in the certificate SAN
|For each of these scenarios, you must configure the authentication scheme on Forefront UAG, as described in the following procedure.|
Before you configure any of the client certificate or smart card scenarios, copy the required files to their new location and rename them for your implementation.
To configure the SSL client certificate authentication scheme
In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers, and ensure that you have defined an LDAP server that will be used for this scheme. LDAP servers include Active Directory, Netscape LDAP Server, Notes Directory, and Novell Directory.
Copy the file site_secure_cert.inc or site_secure_SmartCard_cert.inc from:
...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples
to the following custom folder (if it does not exist, create it):
...\ Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate
Note: You can configure each Forefront UAG trunk to use either a client certificate (by using the file site_secure_cert.inc) or a smart card certificate (by using the file site_secure_SmartCard_cert.inc).
Rename the file as follows:
For example, for a trunk named UAGPortal, name the file UAGPortal1cert.inc.
Tip: The digit
1, which is part of the file name, indicates that this is an HTTPS trunk.
By default, this file checks the user's e-mail address to verify the certificate. You can edit the file to change this functionality or add other functions, if required.
Important: This file <Trunk_Name>1cert.inc must set the number of parameters that are checked. For example, in the default settings, where one parameter (e-mail) is checked, this file sets the following:
Dim subject_array(0) = “SubjectEMAIL”If you edit the file, make sure that you change this function accordingly.
From the samples folder you accessed in step 2, copy the file site_secure_login_for_cert.inc to the CustomUpdate folder. Rename the file as follows:
From the samples folder, copy the file site_secure_validate_for_cert.inc to the CustomUpdate folder. Rename the file as follows:
In the <Trunk_Name>1validate.inc file, enter the name of the LDAP authentication server, in the line:
Session("repository1") = ""
For example, if you named the server "ContosoAD", this line should read:
Session("repository1") = "ContosoAD"
From the samples folder, copy the file repository_for_cert.inc to the CustomUpdate folder. Rename the file as follows:
where <Authentication_Server_Name> is the name of your LDAP authentication server. For example, if you named the server "ContosoAD", name the file ContosoAD.inc.
Note: If you want to enable Kerberos constrained delegation on any application that belongs to this trunk, open this <Authentication_Server_Name>.inc file, and make the following modification:
KCDAuthentication_on = true