UAG SSL client certificate, User validation error

  • Question

  • I have followed the technet article to set up SSL Client Certificate for UAG (http://technet.microsoft.com/en-us/library/ee861163.aspx). When I connect to my https portal it gives me the following error:

    User validation error

    The user cannot be authenticated.

    I have tried each of the three options that were discussed in the technet article. The results were the same, User validation error.

    I do have a valid user cert that was issued from my internal CA. The UAG server does have the Root CA in the Trusted Root.

    Thank you in advance for your assistance.


    Wednesday, January 2, 2013 9:02 PM

Answers

  • Thank you for your assistance. MS support gave me the hot fix and also did some changes to the files. It is working now since I have the right name for the server.inc.
    Monday, January 28, 2013 12:41 AM

All replies

  • Hi Amig@. Can you check the properties of the user certificate? Specifically the Subject Name and the Subject Alternative Name. Sometimes when using Windows CA the built-in templates use the Distinguished Name for composing the Common Name of the certificate. The DN is not a valid property to locate the user in the AD. You should include the samAccountName instead of the DN in the SubjectName (alternatively you can develop your own customization in cert.inc to extract the right name from the certificate. Take a look here http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/69ad0f78-c4a6-43a0-ac3b-829f48aec089/ and here http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/7903db0a-ccb1-4e21-bf5f-2a33c297f109/)

    Regards


    // Raúl - I love this game



    • Edited by RMoros Friday, January 4, 2013 12:26 PM
    Friday, January 4, 2013 12:20 PM
  • Thank you for your response.

    Subject shows

    E = (this displays my email address)

    CN= lastname, firstname

    Subject alternative name

    other name:

     Principle Name=firstname.lastname@domainname.local

    RFC822 Name= (My email address)

    I have looked on my Windows CA and did not see a way to set a template to include samAccountName.

    I have done some of the suggestions from the links and the results were the same, Validation Error. I do not understand why this is so difficult to accomplish.

    Monday, January 7, 2013 6:16 PM
  • Hi Amig@. Your scenario seems the same as the one corrected with the code in the posts I previously mentioned. To be sure that the code is getting applied you could "hardcode" the username to be the UPN included in the certificate's SubjectAlternativeName (PrincipalName). If this works then we would have to review the extraction of the SAN from the certificate and activate the tracing.

    Regards


    // Raúl - I love this game

    Tuesday, January 8, 2013 8:03 AM
  • Which file and code will I change for the "hardcode"? Sorry, I am having a hard time wrapping my mind around it.

    Tuesday, January 8, 2013 1:40 PM
  • Forget about the previous one

    Did you try this?

    http://technet.microsoft.com/en-us/library/ff607438.aspx

    That should work


    • Edited by RMoros Tuesday, January 8, 2013 4:06 PM
    Tuesday, January 8, 2013 3:57 PM
  • Yes, I have tried it a little while ago with the settings as mentioned in the link. The results were the same:
    User validation error

    The user cannot be authenticated.

    This is so frustrating. :(



    Tuesday, January 8, 2013 4:27 PM
  • Hi Amig@. Sometimes it takes a little faith :D

    First, I would like to share with you the way certificate authentication works (surely you already know it, but just to recap). (Referring to the third case of the article in Technet) UAG will extract two values from the certificate: 1) PrincipalName from the Subject Alternative Name 2) Email from the SubjectName. Then it will remove the "domain" portion of the Principalname and will query AD trying to locate a user whose samAccountName matches the "user" portion of the Principalname. If the query can locate a user, his mail attribute will be retrieved from AD and compared to the one extracted from the certificate. If both match then the authentication succeeds. Can you check the EventLog in Web Monitor to see what email or username is UAG trying to match?


    // Raúl - I love this game

    Tuesday, January 8, 2013 8:45 PM
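The three-step check Raúl describes (UPN from the SAN, email from the Subject, sAMAccountName lookup, then a mail-attribute comparison), written out as an added Python illustration; this is not UAG's own cert.inc code, and the directory contents and account names are constructed stand-ins. It also escapes the certificate-derived value before it goes into an LDAP filter, which the thread does not cover but any lookup built from certificate data should do.

```python
# Constructed stand-in for Active Directory: sAMAccountName -> attributes.
AD_USERS = {
    "jdoe": {"mail": "john.doe@domainname.local"},
    "firstname.lastname": {"mail": "firstname.lastname@domainname.local"},
}


def ldap_filter_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value,
    so a crafted certificate field cannot alter the lookup filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(upn_user: str) -> str:
    """The lookup UAG is described as performing: match on sAMAccountName."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(upn_user)


def validate_certificate_user(san_upn, subject_email, directory=AD_USERS):
    """Return (ok, detail) for the 'third case' flow described in the thread.

    san_upn       -- PrincipalName taken from the Subject Alternative Name
    subject_email -- E= value taken from the certificate Subject
    """
    # Step 1: the SAN must carry a UPN; without one there is nothing to match.
    if not san_upn or "@" not in san_upn:
        return False, "no PrincipalName in SAN"
    # Step 2: strip the domain portion, keep the user portion.
    user_part, _domain = san_upn.rsplit("@", 1)
    # Step 3: locate a user whose sAMAccountName equals the user portion.
    user = directory.get(user_part)
    if user is None:
        return False, "no match for %s" % build_filter(user_part)
    # Step 4: the account's mail attribute must equal the certificate's E= value.
    if not subject_email or user.get("mail", "").lower() != subject_email.lower():
        return False, "mail attribute does not match certificate E= value"
    return True, user_part
```

With the poster's certificate layout (PrincipalName=firstname.lastname@domainname.local), the lookup only succeeds if an account actually has sAMAccountName "firstname.lastname"; a UPN whose user portion differs from the sAMAccountName fails at step 3, which is the kind of mismatch the Web Monitor event log helps confirm.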
  • I have looked into the log and here is what it stated. I have removed the IP address.

    Severity: Warning

    Event ID: 108

    Type: Unable to Retrieve Information from LDAP server.

    Description:

    Information from the LDAP server at IP address xxx.xxx.xxx.xxx cannot be retrieved.
    The error code is Invalid DN Syntax.



    Tuesday, January 8, 2013 9:02 PM
  • Hi Amig@. That sounds to me like another bug http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/bf0c9206-e53f-4c06-bf3c-1f9b7b07ed8d

    Could you please configure the trunk to authenticate using username/password and see if it works?


    // Raúl - I love this game

    Saturday, January 12, 2013 12:55 PM