How to publish server that uses Client Certificate mapping RRS feed

  • Question

  •  Hello All,

    I'm trying to publish on TMG an internal HTTPS server configured as follow:
        1. Non standard HTTPS port (e.g. 1234)
        2. Server authenticate client using mapping of Client certificates to User accounts.

    I configured TMG to listen connection on standard HTTPS port 443 (Listener properties / Connections) and set Listener Authentication to "No Authentication". Then I created publishing rule with 
        1. Authentication delegation: No delegation, but client may authenticate directly
        2. Binding: Redirect requests to SSL port: 1234
        3. Link translation (local mapping) https://externalname.domain.com/
            to https://internalname.domain.com:1234/ and vice versa

    In my understanding, all https requests (for external side) shall be now redirected to internal HTTPS server, port 1234 and the internal server (and not TMG) shall identify client using the client certificate. 

    However, when I'm trying to connect to external site, the IE displays an error 403 (Access is denied) and log of failed requests on internal server shows:
    ModuleName IIS Web Core
    Notification 1
    HttpStatus 403
    HttpReason Forbidden
    HttpSubStatus 7
    ErrorCode 2147942405
    Notification BEGIN_REQUEST
    ErrorCode Access is denied. (0x80070005)

    What's wrong with my setup? 
    Thank you in advance for any hint.

    Tuesday, November 18, 2008 5:07 PM


  • Hi,

    The problem is that TMG can't pass the client certificate on to the internal server.
    In web publishing, TMG consumes the client certificate and create a separate connection to the internal web server.
    Since the connection is between TMG and the web server, TMG can't use the client certificate for the session (only the owner of the client certificate can use it). Therefore the web server rejects the connection with access denied.

    You can resolve this by using server publishing instead of web publishing. By using server publishing, TMG will not create a separate connection but pass the traffic from the client to the server as is. This will allow the client to authenticate directly to the server. However it also means TMG will not be able to provide any of its features: link translation, added protection, etc.

    Another possible solution is to use client certificate authentication with TMG itself, and choose to delegate the authentication to the internal server using Integrated authentication. Although the web server will not get the client certificate, but you will get the added security and features of TMG while authenticating the client with the server.
    Wednesday, December 31, 2008 9:15 AM