Share via


SSL client certificate authentication

Updated: April 8, 2010

Applies To: Unified Access Gateway

Secure Sockets Layer (SSL) client certificate authentication schemes require end users to authenticate by supplying a client certificate, which is installed on their device or on a smart card. No login information, such as user name and password, is required for the authentication process. You can only use client certificate authentication for Forefront Unified Access Gateway (UAG) sites published over an HTTPS connection.

The SSL client certificate authentication scheme supported by Forefront UAG operates with one or two authentication servers. Authentication servers keep information about users in directories, including authentication and authorization information, such as user properties and access rights. Before end users can access Forefront UAG using an SSL client certificate, Forefront UAG performs the following steps to verify the end user’s identity:

  1. Verifies that the client certificate is valid, using Internet Information Services (IIS) 7.0.

  2. Maps the certificate to the user account in Active Directory Domain Services (AD DS) or any other LDAP server.

  3. Verifies that the certificate belongs to this user account.

Because IIS validates the certificate, IIS prevents access to the portal if the certificate is not valid.

Each registered user in the authentication server is assigned a Distinguished Name (DN), which includes a hierarchical address; for example, organization\organizational_unit\username.

When the SSL client certificate scheme operates with two authentication servers, if the primary server fails, the User Manager accesses the alternate server.

Mapping certificates to Active Directory users

To authenticate end users by using their certificate, Forefront UAG maps the certificate to the Active Directory user, and then verifies that certain fields in the certificate match the Active Directory user attributes.

  1. To map the certificate, Forefront UAG requires a username that it can match to an Active Directory username. Forefront UAG constructs the username from information in the certificate, using one of the following:

    • The common name (CN); for example, “CN=username”.

    • The user principal name (UPN); for example, username@contoso.com.

  2. After mapping the user, Forefront UAG compares the value of a certificate field to the corresponding Active Directory attribute. If the field comparison is successful, the user is authenticated.

SSL client certificate authentication flow

The following figure illustrates the authentication process for users when the SSL client certificate authentication scheme is implemented with one authentication server. This flow uses an LDAP server for authentication.

SSL client certificate authentication flow

26bd513b-625b-4eda-b2bd-9aafc0cf6cd8