UAG client certificate check and forward

  • Question

  • Here is my situation. I have a web server that uses client certificate authentication. Now the idea is to publish this web site through UAG so it would be more secure.

    The idea is that UAG checks the client certificate (CRL, Trusted Publisher) --> UAG forwards information from the certificate to the internal web server. The authentication is done by the web server with some proprietary auth. mechanisms, so I can't do authentication on UAG.

    Basically UAG should do only the certificate check and forward all the traffic to the internal web server. The internal web server shouldn't be aware of the UAG in the middle.

    Is this possible and how to achieve it?

    Tuesday, February 7, 2012 5:10 PM

All replies

  • Hi Amig@. It's not feasible to use certificate authentication in the internal web server because UAG can't authenticate on behalf of the user, as the certificates cannot be delegated (UAG doesn't have the user's certificate private key to negotiate the schannel with the internal server).



    // Raúl - I love this game

    Tuesday, February 7, 2012 8:55 PM
  • Maybe I didn't explain correctly, as I don't know exactly how the web server works. As I understand the developers, they only check the parameters of the user certificate, compare them to the database to see if the certificate is/was registered in the database, and then do third-party authentication with a password (the certificate is used to pair to the username in the database).

    Private key is not stored at the web server. Users only register/authorize their certificate in the database for use with the web service.

    Could I get/read information from certificate and then forward it to internal web server?

    Something like this link:


    Tuesday, February 7, 2012 10:41 PM
  • Hi again. I still think there is no way to request the user certificate through a reverse proxy. An option could be to define in UAG a custom authentication repository that implements the logic that your application has inside. Another option is to deploy a custom routine in UAG that retrieves the fields from the certificate and forwards them to the internal server inside HTTP headers (similar to the one in the blog you referenced).


    // Raúl - I love this game

    Thursday, February 9, 2012 10:30 AM
  • If I find a way I will let you know. If somebody has another idea or script it would be helpful :)


    Thursday, February 9, 2012 4:37 PM
  • Hi,

    I managed to get the CERT_SUBJECT server variable to my internal web server, as required by the application (changes in bold code below). That was my goal and it works :)

    But the problem is that I needed to modify the cert.asp file in UAG. As that is not supported, I would like to know if anyone has a way to include this changed code in some kind of include file, like done in this case



    dim url
    dim cSubject
    ' DetectionDOSFix - Storing include files in application and not in session
    if Application(g_site_name&g_secure&CERT_INC) <> FILE_NOT_EXIST then
     ' the include file must declare subject_array as an array
     include Application(g_site_name&g_secure&CERT_INC)

     if IsClientCertificateValid () then
      MEDIUM_TRACE "The client certificate is valid"
      subject_array_value = GetClientCertificateSubject (subject_array)
      i = 0
      ' Look up the CERT_SUBJECT server variable and keep its value
      For Each name In Request.ServerVariables
       if name = "CERT_SUBJECT" then
        cSubject = Request.ServerVariables(name)
        exit for
       end if
      Next

      ' Store the subject in the session under each name from subject_array
      for each s in subject_array_value
       HEAVY_TRACE "Add to the session the parameter [" & subject_array(i) & "]"
       SetSessionParamWithType g_cookie,subject_array(i),cSubject,CERTIFICATE_PARAM_TYPE
       i = i + 1
      Next
     Else
      LIGHT_TRACE "ERROR: The client certificate is not valid"
     End if
     url = "/InternalSite/Validate.asp"
    end if


    Friday, March 30, 2012 2:35 PM
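
Added example, not part of the thread and not UAG or application code: when a proxy forwards certificate fields in HTTP headers, as suggested in the replies above, the internal server has to confirm that the header really came from the proxy before using it for the database lookup. The header name, the proxy address and the comma-separated subject format are assumptions made for this sketch.

```python
import ipaddress

SUBJECT_HEADER = "x-client-cert-subject"                 # hypothetical header name
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # constructed proxy address


class UntrustedCertHeader(Exception):
    """The forwarded subject is missing, ambiguous or from the wrong peer."""


def parse_subject(dn):
    """Split 'C=SI, O=Example, CN=Jane Doe' into {attribute: [values]}.

    Assumes comma-separated attribute=value pairs. A value that itself
    contains a comma fails the check below and is rejected, not guessed at.
    """
    fields = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key.strip() or not value.strip():
            raise UntrustedCertHeader("malformed subject")
        fields.setdefault(key.strip().upper(), []).append(value.strip())
    return fields


def forwarded_subject(peer_ip, headers):
    """Return the parsed subject, accepting the header only from the proxy.

    headers is a list of (name, value) pairs so repeated headers stay visible.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Connection did not pass through the proxy, so nothing validated
        # a certificate and the header is just client-supplied text.
        raise UntrustedCertHeader("request did not come from the proxy")
    values = [v for n, v in headers if n.lower() == SUBJECT_HEADER]
    if len(values) != 1:
        # Absent, or a second copy arrived alongside the proxy's own.
        raise UntrustedCertHeader("expected exactly one subject header")
    subject = parse_subject(values[0])
    if len(subject.get("CN", [])) != 1:
        raise UntrustedCertHeader("expected exactly one CN")
    return subject
```

The proxy side needs the matching rule: drop any incoming header with this name before setting its own, so the internal server only ever sees the value taken from the validated certificate.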