Disabled account can still log in with certificate-based authentication

  • Question

  • Hi,

    it seems that disabling an AD account (W2K8 in my case) does not prevent users from logging in with certificates. Is this by design? Putting the certificate onto the CRL is another possibility of course, but this normally takes a while, and disabling the account would be the better solution (if an employee is leaving the company, for example).

    Best regards

    Thomas

    Monday, February 14, 2011 7:59 AM

Answers

  • Hi Thomas,

    Certificate-based authentication in UAG checks the client certificate and indeed does not verify whether the account is locked or not. Here are the main stages of the client certificate authentication:

    1. Regular SSL handshake and certificate validation takes place between the browser on the client machine and IIS running on the UAG server
    2. Once IIS accepts the certificate presented by the browser, it executes some UAG ASP code
    3. Within this ASP code, UAG performs an extra validation of the certificate validity as far as dates
    4. Then UAG extracts one or several fields from the certificate and compares them with fields from the user’s AD account (for example, the email address or UPN). This, by the way, is usually the main customization area of the UAG certificate-based authentication. If the compared fields do match, the authentication is considered successful.

    Regards,


    -Ran
    • Marked as answer by Thomas Wendler Wednesday, February 16, 2011 4:40 PM
    Tuesday, February 15, 2011 2:55 PM

All replies

  • I don't think that is by design. Are you sure that the user is disabled on the domain that is used for authentication on UAG?
    Monday, February 14, 2011 9:56 AM
  • Hi,

    it seems that disabling an AD account (W2K8 in my case) does not prevent users from logging in with certificates. Is this by design? Putting the certificate onto the CRL is another possibility of course, but this normally takes a while, and disabling the account would be the better solution (if an employee is leaving the company, for example).

    Best regards

    Thomas


    Is this for DirectAccess?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team. Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, February 14, 2011 1:28 PM
  • Hi,

    yes, I am sure. The user is disabled and cannot log onto his workstation when he has LAN connectivity.

    @Tom: the scenario is the UAG portal, not DirectAccess.

    Best regards

    Thomas

    Monday, February 14, 2011 1:35 PM
  • Hi Ran,

    I understand. However, if the user is disabled he can still log in (at least in my test environment). I don't think this is correct.

    Best regards

    Thomas

    Tuesday, February 15, 2011 8:13 PM
  • Hi Thomas,

    In my previous reply I was trying to answer your question at the beginning of this thread, where you asked "Is this by design?"

    Whether the behavior UAG employs for certificate-based authentication makes sense, that is another question, I guess. :)

    Regards,


    -Ran
    Wednesday, February 16, 2011 7:43 AM
  • Hi Ran,

    Well, that's really a good question. I would prefer it, as otherwise it would be necessary to have a very current CRL or to delete the user. Just changing the mail attribute seems to also do the trick.

    Best regards

    Thomas

    Wednesday, February 16, 2011 4:48 PM
  • Hello Thomas

    I got the same requirement as you: if the user is disabled, he/she should immediately be disallowed from using any resources (without any workarounds). We solved this by modifying the AD repository INC file.

    Include the userAccountControl AD attribute in the AD params retrieval and then perform bitwise operations for "user disabled" or "user locked out". It's advised that you modify the error message as well.

    Kind regards, Grega


    Grega

    Friday, March 2, 2012 9:19 AM
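The following is an added illustration, not part of the thread and not UAG's own ASP code: it models stages 3 and 4 of the certificate logon flow Ran describes (validity-period check, then matching a certificate field such as the e-mail address against the AD account) and the userAccountControl bit test Grega added. The directory records, the certificate dictionaries and the fixed clock are constructed sample data; the attribute names are the standard AD ones, and the flag values are the documented userAccountControl bits. Running the same disabled account through the flow with and without the account-state check shows both the behaviour Thomas observed and the fix.

```python
"""Model of UAG-style certificate logon: validity check, attribute match,
and (optionally) a userAccountControl check for disabled/locked accounts.
Illustrative code written for this thread, not UAG's ASP/INC code."""
from datetime import datetime, timezone

# Standard AD userAccountControl bit flags
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010

UTC = timezone.utc
NOW = datetime(2011, 2, 15, 12, 0, tzinfo=UTC)  # constructed fixed clock

# Constructed sample directory: the attributes UAG would pull from AD
DIRECTORY = {
    "CN=Alice,OU=Staff,DC=example,DC=test": {
        "mail": "alice@example.test",
        "userPrincipalName": "alice@example.test",
        "userAccountControl": NORMAL_ACCOUNT,                   # enabled
    },
    "CN=Bob,OU=Staff,DC=example,DC=test": {
        "mail": "bob@example.test",
        "userPrincipalName": "bob@example.test",
        "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,  # leaver, disabled
    },
}


def make_cert(email, not_before, not_after):
    """Constructed stand-in for the fields read from a client certificate."""
    return {"email": email, "not_before": not_before, "not_after": not_after}


# Constructed client certificates, both still within their validity period
ALICE_CERT = make_cert("alice@example.test",
                       datetime(2011, 1, 1, tzinfo=UTC), datetime(2012, 1, 1, tzinfo=UTC))
BOB_CERT = make_cert("bob@example.test",
                     datetime(2011, 1, 1, tzinfo=UTC), datetime(2012, 1, 1, tzinfo=UTC))
EXPIRED_CERT = make_cert("alice@example.test",
                         datetime(2009, 1, 1, tzinfo=UTC), datetime(2010, 1, 1, tzinfo=UTC))


def cert_dates_valid(cert, now):
    """Stage 3: UAG's extra check of the certificate validity period."""
    return cert["not_before"] <= now <= cert["not_after"]


def find_account(directory, attr, value):
    """Stage 4: locate the AD account whose attribute equals the cert field."""
    for dn, rec in directory.items():
        if rec.get(attr, "").lower() == value.lower():
            return dn, rec
    return None, None


def account_state_ok(uac):
    """Grega's addition: bitwise test of userAccountControl."""
    if uac & ACCOUNTDISABLE:
        return False, "account disabled"
    if uac & LOCKOUT:
        return False, "account locked out"
    return True, "ok"


def authenticate(cert, directory, now, enforce_account_state, match_attr="mail"):
    """Return (success, reason). With enforce_account_state=False this is the
    original behaviour from the thread: a disabled account still logs in."""
    if not cert_dates_valid(cert, now):
        return False, "certificate expired or not yet valid"
    dn, rec = find_account(directory, match_attr, cert["email"])
    if rec is None:
        return False, "no matching account"
    if enforce_account_state:
        ok, reason = account_state_ok(rec["userAccountControl"])
        if not ok:
            return False, reason
    return True, "authenticated as " + dn


if __name__ == "__main__":
    for label, enforce in (("original flow", False), ("with account-state check", True)):
        print(label)
        for cert in (ALICE_CERT, BOB_CERT, EXPIRED_CERT):
            print("  ", cert["email"], authenticate(cert, DIRECTORY, NOW, enforce))
```

Two points worth noting when carrying this over to a real directory. Thomas's observation that changing the mail attribute also blocks the user falls out of stage 4 directly: the match simply fails, so the example returns "no matching account" for a record whose mail value no longer equals the certificate field. And although the LOCKOUT flag (0x10) is a defined userAccountControl bit, AD does not maintain it in the stored userAccountControl attribute; the lockout state is exposed through lockoutTime or the constructed msDS-User-Account-Control-Computed attribute, so a lockout check has to read one of those rather than the raw attribute Grega's reply names for the disabled case.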