UAG - Client Certificate Authentication - AD Name Mapping

  • Question

  • Hi guys,

    I would like to publish a web app and use client certificate authentication. All users' certificates are mapped to user accounts in Active Directory (name mapping - subject to altSecurityIdentities). Certificates were issued from a number of public CAs, so there are no "connections" between samAccountName or UPN and fields in the certificate.

    I've followed steps described in article http://technet.microsoft.com/en-us/library/ee861163.aspx (Configuring LDAP client certificate authentication) but no luck...

    Regards,
    Miro

    Thursday, February 11, 2010 11:48 AM

Answers

  • Hi Amigos. Any update on this? I guess you both have a different problem. Joe, try to follow the step-by-step in TechNet http://technet.microsoft.com/en-us/library/ee861163.aspx. It does work (at least you will be requested a user certificate, providing it is correctly installed in the client's certificate store, is valid, not revoked and issued by a CA trusted by UAG). If the previous is valid, then the certificate field "common name" must match either the samAccountName or UPN of a user in AD. UAG will query AD using this. If this object is found, then (by default) UAG will try to match the "SubjectEmail" field in the certificate with the "mail" attribute in AD for that user. The authentication will succeed if both values are the same. And now let's go with Miro. If you are customizing the sample scripts for matching the "altSecurityIdentities" instead of the "mail" attribute, there is still something left, which is that the first query to AD doesn't return a valid object unless the "common name" can match a sAMAccountName or a UPN. I guess the parameter used for this query is automatically inserted into the g_cookie when the certificate is presented [this is the piece of code in <trunk>1validate.inc that makes me think that assumption: Session("user_name1") = GetSessionParam(g_cookie,CERTIFICATE_USER_PARAM)]. I am going to test a change in this script to use something different for setting the "user_name1" variable (like a fixed value that will always make a match) and I will come back to you as soon as I have found out something more.

    Regards
    // Raúl - I love this game
    • Marked as answer by Erez Benari Monday, March 1, 2010 9:20 PM
    Monday, March 1, 2010 3:06 PM
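The two matching paths described in the answer above, as an added Python model (not UAG's own 1validate.inc code): the default CN-to-sAMAccountName/UPN lookup followed by the SubjectEmail/mail check, and the explicit altSecurityIdentities match in the X509:<I>issuer<S>subject form. The directory entries and certificates are constructed; real values must use the exact issuer/subject string that AD records for the certificate.

```python
# Added illustration, not UAG's script code: models why a public-CA certificate
# fails the default CN lookup and passes an explicit altSecurityIdentities match.

def _norm(s):
    """Case-fold and drop all whitespace so DN-style strings compare reliably."""
    return "".join(s.split()).casefold()

def find_user_by_cn(cert_cn, users):
    """Step 1 of the default UAG mapping: CN must equal sAMAccountName or UPN."""
    for u in users:
        if _norm(cert_cn) in (_norm(u["sAMAccountName"]), _norm(u["userPrincipalName"])):
            return u
    return None

def authenticate_default(cert, users):
    """Default mapping: CN lookup, then SubjectEmail must equal the 'mail' attribute."""
    user = find_user_by_cn(cert["cn"], users)
    if user is None or _norm(cert["email"]) != _norm(user["mail"]):
        return None  # public-CA certificates stop here: CN is not an account name
    return user["sAMAccountName"]

def authenticate_altsecid(cert, users):
    """Explicit mapping: X509:<I>issuer<S>subject must appear in altSecurityIdentities."""
    wanted = _norm("X509:<I>" + cert["issuer"] + "<S>" + cert["subject"])
    for u in users:
        if any(_norm(ident) == wanted for ident in u.get("altSecurityIdentities", [])):
            return u["sAMAccountName"]
    return None

# Constructed sample directory (not real accounts).
USERS = [
    {"sAMAccountName": "miro", "userPrincipalName": "miro@corp.example",
     "mail": "miro@corp.example",
     "altSecurityIdentities": [
         "X509:<I>O=Public CA,CN=Public CA Issuing<S>O=Public CA,CN=Miroslav Example"]},
    {"sAMAccountName": "joe", "userPrincipalName": "joe@corp.example",
     "mail": "joe@corp.example", "altSecurityIdentities": []},
]

# Constructed certificates: one from a public CA (CN is a person's name, not an
# account), one from an internal CA whose CN equals the sAMAccountName.
CERT_PUBLIC_CA = {"cn": "Miroslav Example", "email": "miro@corp.example",
                  "issuer": "O=Public CA, CN=Public CA Issuing",
                  "subject": "O=Public CA, CN=Miroslav Example"}
CERT_INTERNAL = {"cn": "joe", "email": "joe@corp.example",
                 "issuer": "CN=Corp CA", "subject": "CN=joe"}

if __name__ == "__main__":
    print("default :", authenticate_default(CERT_PUBLIC_CA, USERS))   # None
    print("altSecId:", authenticate_altsecid(CERT_PUBLIC_CA, USERS))  # miro
```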

All replies

  • Miro,

    I have this exact same task to use the AD altSecurityIdentities and would be very interested in your experience getting this working. Have you been able to be prompted for certificates after the "Configuring LDAP client certificate authentication" TechNet article? I have an open post and have not been able to get the UAG trunk to prompt for any client certificate for authentication and I am still being presented with a FBA page.

    -Joe
    Thursday, February 11, 2010 5:14 PM
  • Hello,

    Any update on this. I'm facing the same issue.

    Regards,

    Daniel

    Tuesday, May 15, 2012 7:57 AM
  • still waiting... shame, isn't it...

    Regards

    Miro

    Monday, June 18, 2012 9:33 AM
  • Indeed still waiting.......

    Daniel

    Wednesday, September 5, 2012 10:16 AM
  • Was there ever a fix to the original post from MiroK?
    Wednesday, June 5, 2013 6:01 AM