UAG Cert AuthN using SubjectCN with bad data in the CN


Hopefully someone can shed some light on our situation: We are deploying UAG (yes, we will move to WAP down the road; this project was in the pipeline already!) using SSL for client AuthN. The problem is bad PKI directory data and the way the user certificates are cut. Unfortunately it's not an option to change this. We are using SubjectCN right now, although in the SAN field the RFC822 name is populated with the email address. But for now we went down the SubjectCN route.

Setup is like this:

SubjectCN = lastname firstname username

So we created the shadow accounts using that format for the CN and UPN attributes on the shadow accounts (CN = lastname firstname username and UPN = lastname firstname username@domain.ib).

When the users try to log into UAG it pulls the SubjectCN and then queries AD with that value against the sAMAccountName and/or UPN, which with the spaces is a no go, I'm guessing.

But for some users UAG rolls over to use the CSolver:CrackADUserName solver and changes the user name value to <domain>/lastname firstname username, which seems to work for some users but not all users.

This is driving us nuts!

    Friday, March 28, 2014 6:17 PM
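The lookup the post describes, as an added example that is not part of the original thread or of UAG's own code: parse the certificate Subject DN for its CN and build the sAMAccountName/userPrincipalName filter that a SubjectCN mapping implies, escaping the certificate-supplied value per RFC 4515 so it cannot change the filter's structure. The DN strings are constructed; the attribute names and the domain.ib suffix are the ones the post mentions.

```python
# Added example (not from the post): how a client certificate's Subject CN
# becomes an AD lookup, and why a CN taken from a certificate must be treated
# as untrusted input when it is placed into an LDAP filter.
_HEX = "0123456789abcdefABCDEF"
# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_filter_escape(value: str) -> str:
    return "".join(_FILTER_ESCAPE.get(ch, ch) for ch in value)

def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514 DN (e.g. 'CN=a\\, b,OU=x,DC=y') into {type: value}.
    Backslash escapes and \\XX hex pairs are honoured, so an escaped comma
    inside the CN does not split the RDN; the first value per type wins."""
    attrs, key, buf, i = {}, None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                buf.append(chr(int(pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == "=" and key is None:       # end of the attribute type
            key, buf = "".join(buf).strip().upper(), []
        elif ch == ",":                      # end of this RDN
            attrs.setdefault(key, "".join(buf))
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if key is not None:
        attrs.setdefault(key, "".join(buf))
    return attrs

def lookup_filter(attr_values) -> str:
    """OR together (attr=value) clauses, escaping every value first."""
    clauses = "".join(f"({a}={ldap_filter_escape(v)})" for a, v in attr_values)
    return f"(|{clauses})" if len(attr_values) > 1 else clauses

def subject_cn_filter(subject_dn: str, upn_suffix: str) -> str:
    """The AD query a SubjectCN -> sAMAccountName/UPN mapping implies."""
    cn = parse_dn(subject_dn)["CN"]
    return lookup_filter([("sAMAccountName", cn),
                          ("userPrincipalName", f"{cn}@{upn_suffix}")])
```

With the post's CN format the result is `(|(sAMAccountName=lastname firstname username)(userPrincipalName=lastname firstname username@domain.ib))`, which shows the space-containing value exactly as the directory will receive it.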