UAG and Smartcard

  • Question

  • Good Morning,

    I have some basic question as I am really new to UAG.

    I have set up a server, installed UAG, added applications and it seems to be okay when using user authentication from AD. Now I want to use a smartcard to log into the Trunk. I followed the ee861163 article but I never see the smartcard in action. Do I need to configure the trunk authentication to anonymous or AD?

    Another point is about the gateway server. I published a RemoteApp to an application that requires a smartcard logon. The RemoteApp is working fine from the LAN. When I publish the same app to the UAG, I just see an error "cookie rejected by the remote desktop gateway". But if I use another application like OWA, I can run the application and log in using my smartcard. It seems that I need to enable KCD for the RemoteApp but I do not find any documents.

    Any help is welcome.

    Best regards

    Jean-CLaude

    Friday, May 27, 2011 8:12 AM

All replies

  • Good Morning,

    I am working on this issue and went a bit further. I finally understood the ee861163 article and now I have a correct setup.

    I have tried several ways to authenticate the user using the CN but all I have is the error message

    address 80.201.236.103 failed to log into trunk newsslcert (secure=1) using authentication server AficCert with session ID 20557D7D-D4F6-445D-A6D7-88D6D5973B91. Error code is Did not get user name.

    How can I debug this? Is there any way to increase logging and check what certificate is used to authenticate?

    Any help is really welcome.

    Best regards

    Jean-Claude

    Tuesday, June 14, 2011 7:12 AM
  • How can I debug this? Is there any way to increase logging and check what certificate is used to authenticate?

    Any help is really welcome.

    Best regards

    Jean-Claude


    Hi Jean-Claude,

    Since you're asking for a way to check what certificate is used to authenticate, do you mean that, on the browser side, you are not asked to select which certificate to use? If not, then this is a browser setting. For IE, open Internet Options -> Security tab -> Custom level. Then, in the Security Settings window, scroll down to locate this setting: Don't prompt for client certificate selection when only one certificate exists and make sure it is disabled.

    You can use the UAG tracing mechanism. In order to do that, go to the UAG Tracing Symbols download page, and get the tracing symbols (TMF files) and the instruction document. Read the instruction document to understand how to use UAG tracing, note the section To configure additional Forefront UAG settings for specific components and then turn on tracing for the INTERNAL_SITE component. The UAG authentication scripts, ASP and INC files, run within the context of the Internal Site, so this is why this is the component you need to trace to troubleshoot your authentication.

    Regards,


    -Ran
    Tuesday, June 14, 2011 1:43 PM
  • Hello Ran,

    Thanks for your answer.

    I have checked my IE9, the custom level is set to disable on all three zones. I have also added my UAG's IP address in the trusted zone but no luck. Still no popup at the client. Maybe a problem with the certificate. I am using a Government Certificate from an eID.

    On the server side, I have installed the TMF, modified the trace.inc to include the internal site then tried to check for an error in this log. I cannot find something useless, I can see that it detects correctly the client PC, enumerating the correct settings in the ASP but always got the same message "did not get the user name" in the web monitor.

    If you have any guidance, it will be great.

    Rgds

    Jean-Claude

    Wednesday, June 15, 2011 9:32 AM
  • Hi Jean-Claude,

    The fact that you're not getting any prompt in IE does not look too good to me.

    In the traces, do you see any entries that end with " at line 0, file "cert.asp" "? If yes, can you paste some here?

    Regards,


    -Ran
    Thursday, June 16, 2011 10:56 AM
  • Hello,

    To keep you informed about the issue: the popup will only appear on your desktop computer if you have the full chain of certificates registered on your UAG server. Once this is done (add your certificate to root and/or CA if needed), you will see the popup.

    I am then able to get the client certificate and using it to logon into the UAG.

    Badly, there is still an issue with the validation

    [0]d40.1044 06/16/2011-11:31:44.373 [whlcomtrace Validate.asp@0] Info:[207] @ [0] @ [3] @ [Validate.asp] @ [0] @ [The user [Jean-Claude Sente (Authentication)] have the full name []]
    [0]d40.1044 06/16/2011-11:31:44.374 [whlcomtrace Validate.asp@0] Info:[207] @ [0] @ [3] @ [Validate.asp] @ [0] @ [AuthenticateRepositoryUser return success [-1] error_code [-1] handle [0]]
    [0]d40.1044 06/16/2011-11:31:44.374 [whlcomtrace Validate.asp@0] Info:[207] @ [0] @ [3] @ [Validate.asp] @ [0] @ [ClearCredentials]
    [0]d40.1044 06/16/2011-11:31:44.374 [whlcomtrace Validate.asp@0] ERROR:[207] @ [0] @ [1] @ [Validate.asp] @ [0] @ [ERROR: Failed to authenticate the credentials of [Newdebug]]
    [0]b90.970 06/16/2011-11:31:44.375 [monitormgrcore whale::monitormgr::EventLog::Report EventLog.cpp@109] Info:Reporting EventLog event [14], of type [2], with [7] parameters

    The trunk definition, in the authentication tab, contains the two repositories adsecure and newdebug.

    It seems that authentication only takes place in newdebug. How can I use adsecure to validate a user?

    Rgds

    Jean-Claude

    Thursday, June 16, 2011 11:15 AM
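Ran's advice to trace the INTERNAL_SITE component produces lines like the ones quoted in the post above, mixed in with Web Monitor entries of the kind quoted earlier in the thread. As an added example (written for this page, not code from the thread, from UAG or from Microsoft), here is a small Python parser that picks the authentication failures out of such a mixed log and records which repository or authentication server each failure names. The line shapes are assumed from the samples in this thread only, not from any UAG format documentation; the sample input is those same quoted lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed shape of an Internal Site trace line, inferred from the samples in this thread:
#   [n]pid.tid MM/DD/YYYY-HH:MM:SS.mmm [whlcomtrace Script.asp@N] LEVEL:[n] @ [n] @ [n] @ [Script.asp] @ [n] @ [message]
TRACE_RE = re.compile(
    r"^\[\d+\](?P<pidtid>[0-9a-fA-F]+\.[0-9a-fA-F]+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"\[whlcomtrace (?P<script>\S+)@\d+\]\s+"
    r"(?P<level>[A-Za-z]+):\[\d+\] @ \[\d+\] @ \[\d+\] @ \[[^\]]+\] @ \[\d+\] @ \[(?P<message>.*)\]$"
)

# Trace message that names the repository UAG tried, and failed, to authenticate against.
CRED_FAIL_RE = re.compile(r"Failed to authenticate the credentials of \[(?P<repo>[^\]]+)\]")

# Assumed shape of the Web Monitor line quoted earlier in the thread.
MONITOR_RE = re.compile(
    r"^address (?P<client>\S+) failed to log into trunk (?P<trunk>\S+) \(secure=(?P<secure>[01])\) "
    r"using authentication server (?P<repo>\S+) with session ID (?P<session>\S+)\. "
    r"Error code is (?P<reason>.+?)\.?$"
)


@dataclass
class AuthFailure:
    source: str                  # "monitor" (Web Monitor) or "trace" (Internal Site trace)
    repository: str              # repository / authentication server named by the failure
    reason: str
    timestamp: Optional[str] = None
    trunk: Optional[str] = None
    client: Optional[str] = None


def find_auth_failures(lines: Iterable[str]) -> List[AuthFailure]:
    """Return every authentication failure found in a mixed UAG log, in order."""
    failures: List[AuthFailure] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = MONITOR_RE.match(line)
        if m:
            failures.append(AuthFailure("monitor", m["repo"], m["reason"],
                                        trunk=m["trunk"], client=m["client"]))
            continue
        t = TRACE_RE.match(line)
        if t and t["level"].upper() == "ERROR":
            c = CRED_FAIL_RE.search(t["message"])
            if c:
                failures.append(AuthFailure("trace", c["repo"],
                                            "Failed to authenticate the credentials",
                                            timestamp=t["ts"]))
        # Info lines and lines from other components (e.g. monitormgrcore) are skipped.
    return failures


def repositories_in_failures(failures: List[AuthFailure]) -> Dict[str, int]:
    """Count failures per repository: a quick way to see which repository the trunk actually used."""
    return dict(Counter(f.repository for f in failures))


# Sample input: the log lines quoted in this thread (Web Monitor line, then the trace excerpt).
SAMPLE_LOG = """\
address 80.201.236.103 failed to log into trunk newsslcert (secure=1) using authentication server AficCert with session ID 20557D7D-D4F6-445D-A6D7-88D6D5973B91. Error code is Did not get user name.
[0]d40.1044 06/16/2011-11:31:44.373 [whlcomtrace Validate.asp@0] Info:[207] @ [0] @ [3] @ [Validate.asp] @ [0] @ [The user [Jean-Claude Sente (Authentication)] have the full name []]
[0]d40.1044 06/16/2011-11:31:44.374 [whlcomtrace Validate.asp@0] Info:[207] @ [0] @ [3] @ [Validate.asp] @ [0] @ [AuthenticateRepositoryUser return success [-1] error_code [-1] handle [0]]
[0]d40.1044 06/16/2011-11:31:44.374 [whlcomtrace Validate.asp@0] Info:[207] @ [0] @ [3] @ [Validate.asp] @ [0] @ [ClearCredentials]
[0]d40.1044 06/16/2011-11:31:44.374 [whlcomtrace Validate.asp@0] ERROR:[207] @ [0] @ [1] @ [Validate.asp] @ [0] @ [ERROR: Failed to authenticate the credentials of [Newdebug]]
[0]b90.970 06/16/2011-11:31:44.375 [monitormgrcore whale::monitormgr::EventLog::Report EventLog.cpp@109] Info:Reporting EventLog event [14], of type [2], with [7] parameters
"""

if __name__ == "__main__":
    found = find_auth_failures(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.source:8} repo={f.repository:10} reason={f.reason!r} trunk={f.trunk} ts={f.timestamp}")
    print("failures per repository:", repositories_in_failures(found))
```

Run against the sample, the parser reports one Web Monitor failure against AficCert on trunk newsslcert and one trace failure against Newdebug, which matches the observation in the post that only newdebug is ever consulted. Anything the regexes do not recognise is ignored rather than guessed at, so a real trace with more components simply yields fewer matches.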
  • Hi,

    See my posting earlier today in this thread: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/115f71ce-4d31-4455-be22-6eff85285e0b . Your trunk cannot combine certificate-based authentication with form-based authentication. So you should only have one repository in the trunk configuration.

    Also, make sure that, as mentioned in this article Configuring SSL client certificate authentication, you have copied the sample file repository_for_cert.inc to the correct folder and renamed it according to your repository name (for example adsecure.inc).

    Regards,


    -Ran
    Thursday, June 16, 2011 12:29 PM