Configuring UAG 2010 for Client Certificate AuthN

  • Question

  • I have installed UAG 2010 Trial in a W2K8 Hyper-V VM. I have successfully configured a trunk for AD authentication to a back end Citrix architecture and it is fully functional and used Kerberos Constrained Delegation (KCD) to properly authenticate me to the Citrix Web Interface server. I am now attempting to change the authentication from AD FBA to Client Certificate Authentication (Protocol Transition/KCD). I have followed the instructions from MS Technet article Configuring LDAP Client Certificate Authentication: http://technet.microsoft.com/en-us/library/ee861163.aspx. When I add the include files to the ...\von\InternalSite\inc\CustomUpdate folder I see no change in authentication behavior. I was expecting to see a pop-up prompt for my certificate. I still see the same FBA AD login page and it still authenticates me into the trunk without a problem. What have I missed that will "turn on" the certificate prompt I am expecting for authentication?
    Wednesday, February 10, 2010 11:08 PM

Answers

  • Joe,

    If your trunk is named IDETrunk1 then your custom files should be named IDETrunk11<file_name>.inc
    Note the two consecutive '1'. As I said before, the file name should be composed of the trunk_name, then the digit '1', then the file name.

    So, for example, your custom Login.inc file, placed in the "...\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate" folder, should be named IDETrunk11Login.inc

    -Ran
    • Marked as answer by Erez Benari Thursday, February 11, 2010 11:02 PM
    Thursday, February 11, 2010 5:51 PM
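An added check, not from this thread or from UAG itself, that applies Ran's naming rule (trunk name, then the digit '1', then the file name) to a CustomUpdate directory listing and flags exactly the off-by-one Joe hit when the trunk name itself ends in a digit. The listings below are constructed to mirror the two states in the thread, and the function names are mine; the repository file (IDEDC01.inc) is named after the repository, not the trunk, so it is left out of the check.

```python
import os
from typing import Dict, Iterable, List

# Base names of the sample files that the TechNet procedure copies into
# ...\von\InternalSite\inc\CustomUpdate and renames per trunk.
TRUNK_SUFFIXES = ("cert.inc", "login.inc", "validate.inc")


def expected_names(trunk: str) -> List[str]:
    """UAG looks for <trunk_name> + '1' + <file>.inc, so a trunk named
    IDETrunk1 needs IDETrunk11login.inc (two consecutive '1's)."""
    return [f"{trunk}1{suffix}" for suffix in TRUNK_SUFFIXES]


def check_customupdate(trunk: str, listing: Iterable[str]) -> Dict[str, List[str]]:
    """Compare a CustomUpdate listing with the names UAG expects.
    Windows file names are case-insensitive (Login.inc vs login.inc), so the
    comparison is done in lower case. Returns the expected names, the ones
    that are missing, and 'near misses': files that start with the trunk name
    but go straight to the file name without the mandatory '1'."""
    present = {name.lower(): name for name in listing}
    wanted = expected_names(trunk)
    wanted_lower = {w.lower() for w in wanted}
    missing = [w for w in wanted if w.lower() not in present]
    near_miss = []
    for lower, original in present.items():
        if lower.startswith(trunk.lower()) and lower not in wanted_lower:
            rest = lower[len(trunk):]
            if rest in TRUNK_SUFFIXES:  # trunk name followed directly by the file name
                near_miss.append(original)
    return {"expected": wanted, "missing": missing, "near_miss": near_miss}


def check_customupdate_dir(trunk: str, path: str) -> Dict[str, List[str]]:
    """Same check against a real CustomUpdate folder on the UAG server."""
    return check_customupdate(trunk, os.listdir(path))


# Constructed listing reproducing the first attempt in the thread (no extra '1').
WRONG_LISTING = ["IDETrunk1cert.inc", "IDETrunk1login.inc", "IDETrunk1validate.inc", "IDEDC01.inc"]
# Constructed listing after the correction.
FIXED_LISTING = ["IDETrunk11cert.inc", "IDETrunk11Login.inc", "IDETrunk11validate.inc", "IDEDC01.inc"]

if __name__ == "__main__":
    for listing in (WRONG_LISTING, FIXED_LISTING):
        print(check_customupdate("IDETrunk1", listing))
```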

All replies

  • IIS restart?
    Jason Jones | Forefront MVP | Silversands Ltd
    Wednesday, February 10, 2010 11:58 PM
  • Thanks for the reply Jason. IIS Reset produced no change in behavior. I also did a UAG activation for good measure. Any other suggestions?
    Thursday, February 11, 2010 12:34 AM
  • Are you sure you followed correctly *all* the instructions in the TechNet article?
    If you're getting the regular UAG FBA, it means that there is something wrong with your custom Login.inc file. Here is what you should do with that file:

    From the samples folder you accessed in step 2, copy the file site_secure_login_for_cert.inc to the CustomUpdate folder. Rename the file as follows:

    <Trunk_Name>1login.inc

    Note that you need to rename the file as follows: your trunk name, then the digit ‘1’, then Login.inc. For example: MyTrunk1Login.inc

    -Ran

    Thursday, February 11, 2010 9:56 AM
  • I executed steps 1 - 7 initially in the TechNet article with the expectation that I would at least be prompted for a client certificate when accessing the trunk URL from a client workstation. I am sure that the include filenames are named correctly. My trunk is named: IDETrunk1. These files were copied from the "C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples" folder to the "C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate" folder:

    site_secure_cert.inc              --> IDETrunk1cert.inc
    site_secure_login_for_cert.inc    --> IDETrunk1login.inc
    site_secure_validate_for_cert.inc --> IDETrunk1validate.inc
    repository_for_cert.inc           --> IDEDC01.inc

    This line was changed in IDETrunk1validate.inc:
    Session("repository1") = ""           --> Session("repository1") = "IDEDC01"

    This line was changed in IDEDC01.inc:
    KCDAuthentication_on = false --> KCDAuthentication_on = true

    Once I can at least be prompted for a certificate, I was expecting to execute the 2nd section of the TechNet article to change the scheme to customize what cert attributes are pulled for authentication. I am sure it is some small item I have missed. Thoughts?

    -Joe
    Thursday, February 11, 2010 5:00 PM
  • Ran,

    Well, that did it. It's functional now. I can't believe I missed that, it's so obvious. ;-) Thanks a bunch for the assistance.

    -Joe
    Thursday, February 11, 2010 6:05 PM