
Authenticating with e-mail in the certificate subject

Published: April 8, 2010

Updated: February 1, 2011

Applies To: Unified Access Gateway

This topic describes how to configure the SSL client certificate authentication scheme in Forefront Unified Access Gateway (UAG) so that it requires a client certificate whose subject contains the user's e-mail address, and compares that address with the mail attribute of the user's account in Active Directory.

For this scenario, the certificate subject must include the user's e-mail address; the scheme reads the address from the subject field and nowhere else.

This scenario works with the default Active Directory Certificate Services (AD CS) "User" certificate template, provided that the user's e-mail address is configured in Active Directory Domain Services (AD DS). The template builds the certificate subject from that attribute, so the address in the certificate is the same value that UAG later compares against.

  1. Copy the file site_secure_SmartCard_cert.inc from:

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples

    to the following custom folder:

    ...\ Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

  2. Rename the file as follows:

    <Trunk_Name>1cert.inc

    where <Trunk_Name> is the name of the trunk. For example, for a trunk named UAGPortal, name the file UAGPortal1cert.inc.

  3. In the UAGPortal1cert.inc file, locate the line subject_array(0) = "SubjectEMAIL" and make sure it is not commented out. The .inc files are VBScript, so a leading apostrophe (') disables a line; exactly one of the three subject_array(0) assignments should be active, and it should be the SubjectEMAIL one.

    The file should contain the following:

    subject_array(0) = "SubjectEMAIL"
    'subject_array(0) = "Subject"
    'subject_array(0) = "SubjectCN"
  4. From the samples folder, copy the file repository_for_cert.inc to the CustomUpdate folder. Rename the file as follows:

    <Server_Name>.inc

    where <Server_Name> is the name of your LDAP authentication server as it is defined in UAG. For example, if you named the server ContosoAD, name the file ContosoAD.inc.

  5. In the ContosoAD.inc file, make sure that param_email.Name = "SubjectEMAIL" for the Session Manager parameter. This names the value that UAG takes from the certificate subject.

  6. In the ContosoAD.inc file, make sure that param_email.Name = "mail" for the User Manager parameter. This names the Active Directory attribute that the value from the certificate is compared with; the two must match, so the mail attribute must be populated for every user who is expected to authenticate with a certificate.
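
The following PowerShell script is an added example and is not part of the original page or of UAG itself. It performs steps 1 to 6 for one trunk and one LDAP server: it copies and renames the two sample files, then checks that the trunk file has exactly one active subject_array(0) assignment and that it is "SubjectEMAIL", and that the repository file carries param_email.Name = "SubjectEMAIL" and param_email.Name = "mail". It also includes a helper that reads the E= component of an exported certificate's subject, which is the field this scheme uses. The install root, the trunk name UAGPortal, the server name ContosoAD and the certificate path are assumptions; adjust them to your deployment.

```powershell
# Added example, not from the original page or from UAG: applies steps 1 to 6
# for one trunk and one LDAP server, then verifies the two custom files.
param(
    [string]$TrunkName  = 'UAGPortal',   # assumed trunk name
    [string]$ServerName = 'ContosoAD',   # assumed LDAP authentication server name
    [string]$UagRoot    = 'C:\Program Files\Microsoft Forefront Unified Access Gateway'  # assumed default install path
)

$samples = Join-Path $UagRoot 'von\InternalSite\samples'
$custom  = Join-Path $UagRoot 'von\InternalSite\inc\CustomUpdate'
$certInc = Join-Path $custom ('{0}1cert.inc' -f $TrunkName)   # <Trunk_Name>1cert.inc
$repoInc = Join-Path $custom ('{0}.inc' -f $ServerName)       # <Server_Name>.inc

# Steps 1, 2 and 4: copy the two sample files into CustomUpdate under their new names.
New-Item -ItemType Directory -Path $custom -Force | Out-Null
Copy-Item -Path (Join-Path $samples 'site_secure_SmartCard_cert.inc') -Destination $certInc
Copy-Item -Path (Join-Path $samples 'repository_for_cert.inc')        -Destination $repoInc

function Get-ActiveSubjectField {
    # The .inc files are VBScript, so a leading apostrophe comments a line out.
    # Returns the value of every subject_array(0) assignment that is NOT commented out.
    param([string]$Path)
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match '^\s*subject_array\(0\)\s*=\s*"([^"]+)"') { $Matches[1] }
    }
}

function Test-EmailSubjectConfig {
    # Steps 3, 5 and 6 as checks: exactly one active subject field, and it is
    # SubjectEMAIL; the repository file carries SubjectEMAIL (Session Manager)
    # and mail (User Manager) as the two param_email.Name values.
    param([string]$CertInc, [string]$RepoInc)
    $ok = $true
    $active = @(Get-ActiveSubjectField -Path $CertInc)
    if ($active.Count -ne 1 -or $active[0] -ne 'SubjectEMAIL') {
        Write-Warning ('{0}: expected one active subject_array(0) = "SubjectEMAIL", found: {1}' -f $CertInc, ($active -join ', '))
        $ok = $false
    }
    $repo = Get-Content -Path $RepoInc -Raw
    foreach ($expected in 'SubjectEMAIL', 'mail') {
        if ($repo -notmatch ('(?m)^\s*param_email\.Name\s*=\s*"{0}"' -f $expected)) {
            Write-Warning ('{0}: no active line param_email.Name = "{1}"' -f $RepoInc, $expected)
            $ok = $false
        }
    }
    return $ok
}

function Get-SubjectEmail {
    # The scheme reads the e-mail from the certificate subject (the E= RDN), not
    # from the Subject Alternative Name, so inspect only the subject string.
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    if ($cert.Subject -match '(?:^|,\s*)E=([^,]+)') { return $Matches[1].Trim() }
    return $null
}

if (Test-EmailSubjectConfig -CertInc $certInc -RepoInc $repoInc) {
    Write-Output ('Trunk {0}: certificate subject e-mail will be compared with the AD mail attribute via {1}' -f $TrunkName, $ServerName)
}

# Optional: confirm that an exported user certificate really carries E= in its subject.
# Get-SubjectEmail -CerPath 'C:\temp\user.cer'   # assumed path to an exported certificate
```

Run the script on the UAG server with the trunk and server names used in your configuration. If Get-SubjectEmail returns nothing for a user's certificate, that user's template did not place the e-mail address in the subject, and the scheme cannot match the account even when the mail attribute is populated.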

© 2015 Microsoft