Authenticating with CN in the certificate subject

Published: April 8, 2010

Updated: February 1, 2011

Applies To: Unified Access Gateway

This topic describes how to configure the SSL client certificate authentication scheme in Forefront Unified Access Gateway (UAG) to require a certificate that contains the common name (CN) in the subject, in order to compare it with the CN attribute in Active Directory.

The following lists the supported user names and certificates for this scenario:

  • The certificate subject must include the CN of the user.

  • The CN should be the same as the user name. For example, if the certificate subject includes “CN=Scott, CN=users, DC=contoso, DC=com”, the certificate can be authenticated. If the certificate subject includes “CN=Scott Bishop, CN=users, DC=contoso, DC=com”, it cannot be authenticated.

    This behavior is not the default when using Active Directory Domain Services (AD DS). By default, AD DS constructs the CN as “FirstName LastName”, which Forefront UAG cannot use to authenticate the user with a certificate. To overcome this limitation, you can do one of the following:

    • After creating a user, rename the user from “FirstName LastName” to “username”.

    • Include the user principal name (UPN) in the subject alternative name (SAN) of the certificate, and refer to the scenario with UPN. See Authenticating with UPN in the certificate SAN.

The following procedure describes how to use the SubjectCN from a smart card certificate to authenticate users instead of the SubjectEMAIL.

This procedure describes the changes that you must make to the and files.

  1. Copy the file from:

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples

    to the following custom folder:

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

  2. Rename the file as follows:


    For example, for a trunk named UAGPortal, name the file

  3. In the file, locate the line subject_array(0) = "SubjectEMAIL" and comment it out.

  4. In the file, locate the line 'subject_array(0) = "SubjectCN" and remove the comment mark (the leading apostrophe).

    The file should now contain the following:

    'subject_array(0) = "SubjectEMAIL"
    'subject_array(0) = "Subject"
    subject_array(0) = "SubjectCN"

  5. From the samples folder, copy the file to the CustomUpdate folder. Rename the file as follows:


    where <Server_Name> is the name of your LDAP authentication server. For example, if you named the server "ContosoAD", name the file

  6. In the file, locate the line param_email.Name = "SubjectEMAIL" for the Session Manager object and change it to param_email.Name = "SubjectCN".

  7. In the file, locate the line param_email.Name = "mail" for the User Manager object and change it to param_email.Name = "<Common Name>",

    where <Common Name> is the field used within your Active Directory deployment to represent the common name for users.

    The default value for the <Common Name> field in an Active Directory deployment is the cn attribute.
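The matching rule from the list at the top of this topic (the leaf CN of the certificate subject must equal the user name) and the cn lookup configured in steps 6 and 7 can be checked ahead of deployment. The following is an added Python model of that check, not Forefront UAG code; the AD user entries are constructed, the leftmost CN is taken as the leaf, and comparison is treated as case-insensitive (an assumption about AD string attributes).

```python
"""Model of the UAG SubjectCN matching rule: the leaf CN of the client
certificate subject is looked up against the AD cn attribute and then used
as the user name, so it must also equal the account name. Added example,
not UAG code; the directory entries below are constructed."""

import re

# Constructed stand-in for the AD DS user objects UAG would query over LDAP.
AD_USERS = [
    {"cn": "Scott", "sAMAccountName": "Scott"},    # renamed per workaround 1
    {"cn": "Jane Doe", "sAMAccountName": "jdoe"},  # default "FirstName LastName" CN
]


def parse_dn(dn):
    """Split an RFC 4514 string DN into (type, value) pairs, honouring
    backslash escapes so 'CN=Bishop\\, Scott' stays a single RDN."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value)))
    return pairs


def subject_cn(subject):
    """Return the leftmost (leaf) CN of the subject, or None if absent (assumption)."""
    return next((v for a, v in parse_dn(subject) if a == "CN"), None)


def uag_cn_auth(subject, users=AD_USERS):
    """Return (authenticated, reason) for a certificate subject string.
    Case-insensitive matching is an assumption about AD string attributes."""
    cn = subject_cn(subject)
    if cn is None:
        return False, "no CN in subject"
    # Step 1: the User Manager lookup configured via param_email.Name = "cn".
    user = next((u for u in users if u["cn"].lower() == cn.lower()), None)
    if user is None:
        return False, "no AD user with cn=%s" % cn
    # Step 2: the topic's rule that the CN must be the same as the user name.
    if user["sAMAccountName"].lower() != cn.lower():
        return False, "cn does not equal the user name (rename the user or use UPN in SAN)"
    return True, "authenticated as %s" % user["sAMAccountName"]


if __name__ == "__main__":
    for s in ("CN=Scott, CN=users, DC=contoso, DC=com",
              "CN=Scott Bishop, CN=users, DC=contoso, DC=com",
              "CN=Jane Doe, CN=users, DC=contoso, DC=com"):
        print(s, "->", uag_cn_auth(s))
```

The "Jane Doe" case shows why the topic's first workaround is a rename: the LDAP lookup by cn succeeds, but the CN is still not the user name.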