Configuring SSL client certificate authentication

Published: January 11, 2010

Updated: February 1, 2011

Applies To: Unified Access Gateway

In Forefront Unified Access Gateway (UAG), there are several scenarios that use SSL client certificate authentication. For each trunk in Forefront UAG, you can configure a simple client certificate or a smart card certificate.

You can configure a single trunk to use only one of the certificate methods.

The following topics describe the scenarios that you can implement:

For each of these scenarios, you must configure the authentication scheme on Forefront UAG, as described in the following procedure.

Before you configure any of the client certificate or smart card scenarios, copy the required files to their new location and rename them for your implementation.

To configure the SSL client certificate authentication scheme

  1. In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers, and ensure that you have defined an LDAP server that will be used for this scheme. LDAP servers include Active Directory, Netscape LDAP Server, Notes Directory, and Novell Directory.

  2. Copy the file or from:

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples

    to the following custom folder (if it does not exist, create it):

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

    You can configure each Forefront UAG trunk to use either a client certificate (by using the file or a smart card certificate (by using the file

  3. Rename the file as follows:


    For example, for a trunk named UAGPortal, name the file

    The digit 1, which is part of the file name, indicates that this is an HTTPS trunk.

    By default, this file checks the user's e-mail address to verify the certificate. You can edit the file to change this functionality or add other functions, if required.

    This file <Trunk_Name> must set the number of parameters that are checked.

    For example, in the default settings, where one parameter (e-mail) is checked, this file sets the following:

    Dim subject_array(0) = "SubjectEMAIL"

    If you edit the file, make sure that you change this function accordingly.

  4. From the samples folder you accessed in step 2, copy the file to the CustomUpdate folder. Rename the file as follows:


  5. From the samples folder, copy the file to the CustomUpdate folder. Rename the file as follows:


  6. In the <Trunk_Name> file, enter the name of the LDAP authentication server, in the line:

    Session("repository1") = ""

    For example, if you named the server "ContosoAD", this line should read:

    Session("repository1") = "ContosoAD"

  7. From the samples folder, copy the file to the CustomUpdate folder. Rename the file as follows:


    where <Authentication_Server_Name> is the name of your LDAP authentication server. For example, if you named the server "ContosoAD", name the file

    If you want to enable Kerberos constrained delegation on any application that belongs to this trunk, open this <Authentication_Server_Name>.inc file, and make the following modification:

    KCDAuthentication_on = true