In Forefront Unified Access Gateway (UAG), there are several scenarios that use SSL client certificate authentication. For each trunk in Forefront UAG, you can configure either a simple client certificate or a smart card certificate.

You need a Client Authentication certificate installed on the client. The one which I had looks like this in the user's certificate store:

On UAG I have created a portal:


Here are the steps needed to configure client certificate authentication in this scenario. First, copy four files from this location:

C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples

Files:

1. Repository_for_cert.inc

2. Site_secure_smartcard_cert.inc

3. Site_secure_login_for_cert.inc

4. Site_secure_validate_for_cert.inc

Paste them into this location:

C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

Now comes the interesting part: the modifications we need to make to each file.

1. Repository_for_cert.inc

First, rename this file to the name of the repository used on this portal, e.g. dc.nwtraders.com.inc, where dc.nwtraders.com is the AD repository configured on the trunk.


Then open the file in Notepad or any text editor and search for "SubjectEMAIL".

Here we need to change "SubjectEMAIL" to "CertificateUPN", like this:



In the same file we need to make one more change: look for "mail".


This needs to be changed to "UserPrincipalName", like this:

Then save the file.

2. Site_secure_smartcard_cert.inc

Rename the file to TrunkName1cert.inc, where the 1 indicates that it is a secure trunk. So in our case it will be Portal1cert.inc.

Then we need to make a few changes to the file.


In the sample file, lines 4 and 5 are not commented (they have no ' in front of them) and lines 8 and 9 are commented. We need to comment out lines 4 and 5 and uncomment lines 8 and 9, so that the file looks like this:



1) For smart card authentication, remove the comment from the lines below so that they look like this:

'Smart Card Logon cert.inc
Const ENHANCED_KEY_USAGE = "Enhanced Key Usage"
Const CERTIFICATE_SMARTCARD_LOGON = "Smart Card Logon"
Const SMART_CARD_ENHANCED_KEY_USAGE_OID = "1.3.6.1.4.1.311.20.2.2"

2) For client certificate authentication, remove the comment from the lines below so that they look like this:

'Client Certificate Logon cert.inc
Const CERTIFICATE_SMARTCARD_LOGON = "Client Authentication"
Const SMART_CARD_ENHANCED_KEY_USAGE_OID = "1.3.6.1.5.5.7.3.2"

In our case it is option 2, as we are using a client certificate, so we comment out lines 4 and 5, which are for smart card authentication.

There is one more change to make at the end of this file, like this:

Here we need to remove the comment character ' in front of Subject_array(0)="Subject".

After that, save the file.

3. Site_secure_login_for_cert.inc

Rename this file to TrunkName1login.inc. In our case it will be Portal1login.inc. No changes are needed inside this file.

4. Site_secure_validate_for_cert.inc

This one also needs to be renamed, to TrunkName1Validate.inc, which in our case is Portal1validate.inc. Inside the file we need to make a small change, like this:


In this file we need to add the name of the repository configured on the portal, like this:

Here we set "dc.nwtraders.com" (it's the repository that I am using in my environment) as the value of the session variable: Session("repository1") = "dc.nwtraders.com"

All four files now sit in the CustomUpdate location mentioned earlier:


After all this is done, activate the configuration. When you access the portal from the client, you will see the certificate selection prompt:

Select the certificate and click OK, and you will be able to access the portal successfully :)
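The modified files depend on two properties of the client certificate: the Enhanced Key Usage OID that Portal1cert.inc checks, and a UPN in the certificate that maps to the userPrincipalName attribute in the repository. The following PowerShell check is an added example, not part of the original post; it inspects the certificates in the user's Personal store for both properties, using the OIDs from Portal1cert.inc above, and the expected UPN value is an assumed placeholder.

```powershell
# Added example: verify that a client certificate satisfies what the modified
# Portal1cert.inc and dc.nwtraders.com.inc expect (EKU OID and a UPN in the SAN).
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'       # Client Authentication (option 2)
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon (option 1)
$ExpectedUpn       = 'user1@nwtraders.com'     # assumption: the account's userPrincipalName

function Test-UagClientCert {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory = $true)] [string] $Upn,
        [switch] $SmartCard   # check for the smart card OID instead of Client Authentication
    )
    $requiredOid = if ($SmartCard) { $SmartCardLogonOid } else { $ClientAuthOid }
    $now = Get-Date
    $result = [ordered]@{
        Thumbprint    = $Cert.Thumbprint
        HasEku        = $false
        CertUpn       = $null
        UpnMatches    = $false
        HasPrivateKey = $Cert.HasPrivateKey                     # needed to answer the TLS challenge
        InValidity    = ($Cert.NotBefore -le $now) -and ($now -le $Cert.NotAfter)
    }
    # Enhanced Key Usage extension (OID 2.5.29.37): the .inc file matches on this OID
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $result.HasEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $requiredOid })
    }
    # The UPN lives in the Subject Alternative Name; GetNameInfo extracts it directly
    $certUpn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    if ($certUpn) {
        $result.CertUpn    = $certUpn
        $result.UpnMatches = ($certUpn -ieq $Upn)   # CertificateUPN -> UserPrincipalName mapping
    }
    [pscustomobject]$result
}

# Check every certificate in the current user's Personal store on the client
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-UagClientCert -Cert $_ -Upn $ExpectedUpn } |
    Format-Table -AutoSize
```

A certificate that shows HasEku, UpnMatches, HasPrivateKey and InValidity all True is the one the prompt should offer and UAG should map to the repository account; if none does, the problem is on the certificate side rather than in the .inc files.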


Note:

If you want to enable Kerberos constrained delegation (KCD) for any application that belongs to this trunk, open the <Authentication_Server_Name>.inc file (in our case dc.nwtraders.com.inc) and make the following modification:

KCDAuthentication_on = true

We also need to add the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\URLFilter\KCDUseUPN

DWORD value: 1

Useful links:

http://technet.microsoft.com/en-us/library/ee861163.aspx

http://technet.microsoft.com/en-us/library/ff607438.aspx

http://technet.microsoft.com/en-us/library/ff607363.aspx

http://technet.microsoft.com/en-us/library/ff607406.aspx

http://technet.microsoft.com/en-us/library/ee809087.aspx

 

Author:

Junaid Jan

Security Support Escalation Engineer

MSD Security