Hello! I need to publish a UAG portal with "SSL client certificate authentication" (client certificates are mapped in Active Directory) and form-based authentication (Login.asp).

    Question

  • 1. I create two authentication servers with identical settings and different names, REP1 and REP2.
    2. Select REP1 on the Authentication tab in the properties of the trunk (for certificate authentication: copy the cert, login, validate and repository files to von\InternalSite\inc\CustomUpdate\, as described in the manual).
    3. Select REP2 on the Authentication tab (use SSO) in the properties of the default application 'Portal' (with authorization for 'All users') to add credentials on the fly via Login.asp.

    When I go to the portal URL, a window appears requesting a certificate. I insert the smart card and enter the PIN. (On the Session Monitor I see my authenticated session.)
    After that there is a "log on" form requesting user name, password and "Authenticate using" (REP2).
    I enter a valid login and password, press Enter and receive this error message:

    "Application and Network Access Portal
    You cannot access this site because the user cannot be added.
    Try to access this site again in a few minutes.
    If the problem persists contact the site administrator.
    Navigate back and follow another link, or type in a different URL"

    Am I doing something wrong, or how can I troubleshoot this error?

    Wednesday, April 03, 2013 1:35 PM

All replies

  • Hi Amig@. There is an alternative approach to what you are trying to do that is called "certified endpoints". The approach is a bit different because the order is the opposite one. The users are authenticated first in the FBA and, if authenticated successfully, they are requested to present a user certificate. In this case, the certificate is not used for authentication, but for access control. The users having certificates will comply with the "certified endpoint" policy. To restrict the access, just assign this policy to the Portal application. Using certified endpoints means putting a checkmark in a box, the one that says "use certified endpoints" in the Session tab of the trunk's properties.

    Hope it helps


    // Raúl - I love this game

    • Marked as answer by G.Gleb Friday, April 05, 2013 11:18 AM
    Thursday, April 04, 2013 9:16 AM

  • Thank you for the interesting solution.
    One more question, about using "verify user name with endpoint certificate". When I choose this option, I receive an error after entering the PIN: "Your device does not meet access policy requirements for this application". Without this option, or when I use certificate authentication, I can connect to the portal with no errors.
    Which field in the certificate does UAG compare with the login? Maybe you know which file it is in and how to customize this procedure?

    Thursday, April 04, 2013 6:43 PM
  • Hi again. Yes, the "name matching" function compares the name in the Subject Common Name of the certificate with the one used as the username in the authentication form. This comparison is done inside cert.asp with a function called IsUserNameMatching(). You can redefine this function in your custom cert.inc, changing the fields used for the comparison. If you are using the cert.inc for smart cards you can access other fields of the certificate, like the Subject Alternative Name. If the SAN contains a UPN you can easily extract the username portion with a text function and compare it to the username. Take a look here as well, http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/7903db0a-ccb1-4e21-bf5f-2a33c297f109, because we had a similar discussion some time ago.

    Hope it helps

    Please, remember to mark the posts as answers if they finally help you to solve your issue

    Have a nice weekend


    // Raúl - I love this game

    • Marked as answer by G.Gleb Friday, April 05, 2013 11:18 AM
    Friday, April 05, 2013 8:18 AM
  • Hello!

    I've customized UAG authentication with the certified endpoints method, and now users are authenticated first in the FBA and, if authenticated successfully, they are requested to present a user certificate. The check mark "verify user name with endpoint certificate" is also used, with a customized "name matching" function in cert.asp, so now the user email in the client certificate is compared against the login name presented in the UAG authentication form.

    The last goal is to restrict the user certificate issuer to a certain one, so that I only trust certificates issued by the correct Certification Authority. What UAG customization can achieve such a goal?

    Monday, April 08, 2013 9:11 AM
  • Hi. Your progress is certainly notable :)

    Again, you can approach that in different ways. You could use operating system features like a CTL, trusted CAs and the purposes in them, or use UAG code. Inside your customization code you can easily extract the Issuer of the certificate and match it against your allowed one. You can make this comparison part of the IsUserNameMatching function or a separate check.


    // Raúl - I love this game

    Monday, April 08, 2013 9:18 AM
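A stand-alone model of the check discussed in the two replies above (the SAN-UPN or CN name match from the earlier reply, plus the issuer comparison from this one), added here as an example; it is not UAG's own cert.inc/cert.asp code, which is classic-ASP VBScript. The field names (subject_cn, san_upn, issuer), the function names, the allow-list and the sample certificates are assumptions standing in for whatever the customization reads from the client certificate; UAG's real IsUserNameMatching() signature is not shown in the thread, so this models the logic rather than offering a drop-in override.

```python
"""
Model of a customized UAG "verify user name with endpoint certificate" check.

Added example, not UAG code. It reproduces the decision the thread describes:
  1. the certificate issuer must be on an allow-list (the in-code alternative
     to a CTL), and
  2. the account name in the certificate (SAN UPN preferred, CN as fallback,
     which is UAG's default comparison) must equal the login typed into the
     form (accepted as 'user', 'DOMAIN\\user' or 'user@domain').
All field names, function names and sample data below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class ClientCert:
    """The certificate fields the check needs (assumed names, not UAG's)."""
    subject_cn: str
    issuer: str                     # issuer DN, e.g. "CN=Corp Issuing CA 01, O=Corp, C=US"
    san_upn: Optional[str] = None   # UPN from the SAN otherName, if the CA put one there


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Split an RFC 2253-style DN into lowercased, whitespace-collapsed
    'attr=value' parts, keeping their order. Assumes values contain no
    escaped commas (true for typical AD CS issuer names)."""
    return tuple(re.sub(r"\s+", " ", part.strip()).lower() for part in dn.split(","))


def login_to_sam(login: str) -> str:
    """Reduce 'DOMAIN\\user', 'user@corp.example' or 'user' to the bare,
    lowercased account name, which is what the form login is compared on."""
    login = login.strip()
    if "\\" in login:
        login = login.rsplit("\\", 1)[1]
    elif "@" in login:
        login = login.split("@", 1)[0]
    return login.lower()


def cert_account_name(cert: ClientCert) -> Tuple[str, str]:
    """Return (account_name, source). Prefer the SAN UPN, as the thread
    suggests, because the CN of a smart-card certificate is often a display
    name rather than the login; fall back to the CN otherwise."""
    if cert.san_upn and "@" in cert.san_upn:
        return cert.san_upn.split("@", 1)[0].lower(), "san_upn"
    return cert.subject_cn.strip().lower(), "subject_cn"


def is_user_name_matching(cert: ClientCert, login: str,
                          allowed_issuers: Iterable[str],
                          require_upn: bool = False) -> Tuple[bool, str]:
    """Model of a customized IsUserNameMatching(): issuer allow-list first,
    then the name comparison. Returns (ok, reason) so the page can log why
    access was refused instead of only failing the endpoint policy."""
    allowed = {normalize_dn(i) for i in allowed_issuers}
    if normalize_dn(cert.issuer) not in allowed:
        return False, f"issuer not allowed: {cert.issuer}"
    name, source = cert_account_name(cert)
    if require_upn and source != "san_upn":
        return False, "certificate has no UPN in SAN"
    if name != login_to_sam(login):
        return False, f"{source} '{name}' does not match login '{login}'"
    return True, f"matched on {source}"


# Constructed sample data (assumed issuer name and fictitious users).
CORP_CA = "CN=Corp Issuing CA 01, O=Corp, C=US"
ALLOWED_ISSUERS = [CORP_CA]
SAMPLES = {
    # smart-card cert: CN is a display name, login is only in the SAN UPN
    "smartcard": ClientCert("Jane Doe", CORP_CA, "j.doe@corp.example"),
    # older cert with the login in the CN and no SAN UPN
    "cn_only": ClientCert("j.doe", CORP_CA),
    # same CN and CA name, but issued by a CA under a different organisation
    "rogue_ca": ClientCert("j.doe", "CN=Corp Issuing CA 01, O=Contoso, C=US",
                           "j.doe@corp.example"),
}


def demo() -> dict:
    """Run the check over the samples; the smart-card cert matched on CN alone
    would fail, which is the situation the default CN comparison produces."""
    return {
        "smartcard_domain_login": is_user_name_matching(SAMPLES["smartcard"], r"CORP\J.Doe", ALLOWED_ISSUERS),
        "smartcard_cn_compare": SAMPLES["smartcard"].subject_cn.lower() == login_to_sam(r"CORP\J.Doe"),
        "cn_only": is_user_name_matching(SAMPLES["cn_only"], "j.doe", ALLOWED_ISSUERS),
        "cn_only_upn_required": is_user_name_matching(SAMPLES["cn_only"], "j.doe", ALLOWED_ISSUERS, require_upn=True),
        "rogue_ca": is_user_name_matching(SAMPLES["rogue_ca"], "j.doe", ALLOWED_ISSUERS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```

Two caveats a deployment should keep in mind. Matching the issuer by its DN string, as above, only identifies the CA by name, and any CA can be given any name; pin the issuer's thumbprint or validate the chain to a trusted root (which is what the CTL approach mentioned later in the thread does at the TLS layer) rather than trusting the string alone. And comparing only the user portion of the UPN, as the thread suggests, ignores the UPN suffix, so a certificate for j.doe in another UPN domain would also match; check the suffix too if more than one domain can issue certificates to your users.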
  • Thank you, RMoros.

    I achieved this goal with the CTL functionality.
    http://social.technet.microsoft.com/wiki/contents/articles/1896.how-to-create-a-certificate-trust-list-in-w2k8-r2-for-use-with-unified-access-gateway.aspx
    http://rethinker.net/vIISual.net/Configuration/IIS7-CTLs.htm
    (I used makeCTL.exe successfully without installing any patches or additional software on my Windows 2008 R2 EN server.)

    Now only clients with certificates issued by certain CAs (those listed in the CTL) can connect to my UAG portal successfully.

    • Marked as answer by G.Gleb Thursday, April 11, 2013 12:10 PM
    Wednesday, April 10, 2013 9:46 AM
  • Glad to help :)

    I personally prefer the cert.inc customization, as this way the restriction is included inside the configuration of UAG itself. Furthermore, in an array it is replicated to all nodes and saves you from making changes outside of UAG.


    // Raúl - I love this game

    Wednesday, April 10, 2013 10:41 AM