Friday, February 24, 2012 8:57 AM
Next situation:
I have a web application (SharePoint) on port 443 which requires an SSL certificate (on a smart card) for auth. On IIS, client certificate auth and mapping are installed and enabled. When I try to enter https://IIS it asks for my certificate, I give it, and I get onto the site.
On TMG I publish the SharePoint web site with the following settings:
To: IIS; send original host header disabled; "request from original client" checked
Authentication delegation method: No delegation, but client may authenticate directly (because I don't need auth on TMG, but want auth on IIS through TMG)
Listener: Post certificate for external name; authentication settings: No authentication (no auth on TMG) (always try to authenticate with SSL)
In this situation TMG shows me error 403.7 5 - client certificate required... but it didn't ask me for one.
If I set "client certificate required" on the TMG listener, TMG asks for the certificate and authenticates, but IIS gives me 403.7 5 again without requesting a certificate.
What's wrong with the settings? I tried many variants of the settings, and none of them got IIS to request a certificate from me through TMG.
Friday, February 24, 2012 9:32 AM (Moderator)
Friday, February 24, 2012 10:23 AM
Without auth on TMG but auth using client certificate on IIS
Friday, February 24, 2012 12:41 PM (Moderator)
I would recommend that you do the client cert auth on TMG, and then delegate using KCD.
If not, you will need to use server publishing on HTTPS to achieve what you need... with web publishing, TMG becomes the client and cannot satisfy the requirement to present a certificate (unless you give the firewall service a certificate). TMG cannot act as a "man in the middle" for that SSL scenario.
- Proposed As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator) Monday, February 27, 2012 1:38 AM
- Marked As Answer by Roman Levchenko Wednesday, February 29, 2012 10:29 AM
Monday, February 27, 2012 5:30 AM
Yep, I published the server with protocol publishing and that works (because web publishing isn't working either). But for me it's not so good, because the entire load falls on IIS. Kerberos was not implemented on SharePoint, and rebuilding the web application is not a good idea for me. And the biggest mystery for me: why doesn't TMG pass the IIS requests to me?
Monday, February 27, 2012 4:27 PM (Moderator)
...because it can't... when you are using web publishing, TMG becomes the client to the IIS server and has no way to pass the certificate prompt request back to the external client. The only options available are to use server publishing, so that TMG does not become the client and simply port forwards the request, or alternatively you can assign the firewall service a specific client certificate. However, this would then provide IIS with a single identity, not the individual external user's identity.
- Edited by Jason Jones [MSFT] (Microsoft Employee, Moderator) Monday, February 27, 2012 4:28 PM
Wednesday, February 29, 2012 10:28 AM
Thanks for the answer.
> has no way to pass the certificate prompt request back to the external client
Open rhetorical question with no answer: why?...