Authenticating with UPN in the certificate SAN
Updated: February 1, 2011
Applies To: Unified Access Gateway
This topic describes how to configure the SSL client certificate authentication scheme in Forefront Unified Access Gateway (UAG) to require a certificate that contains the user principal name (UPN) in the certificate subject alternative name (SAN), in order to compare it with the SAM Account Name attribute in Active Directory.
For this scenario, the certificate SAN must contain the UPN in the form "username@upnsuffix"; for example, "scott@contoso.com".
Note
This scenario works with the default Active Directory Certificate Services (AD CS) “User” certificate template.
To authenticate using a certificate with UPN in the SAN
Copy the file site_secure_SmartCard_cert.inc from:
...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples
to the following custom folder:
...\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate
Rename the file as follows:
<Trunk_Name>1cert.inc
For example, for a trunk named UAGPortal, name the file UAGPortal1cert.inc.
From the samples folder, copy the file repository_for_cert.inc to the CustomUpdate folder. Rename the file, as follows:
<Server_Name>.inc
where <Server_Name> is the name of your LDAP authentication server. For example, if you named the server "ContosoAD", name the file ContosoAD.inc.
In the UAGPortal1cert.inc file, locate the line
subject_array(0) = "SubjectEMAIL"
and comment it out.
In the UAGPortal1cert.inc file, locate the line
'subject_array(0) = "Subject"
and remove the comment mark.
The file should now contain the following:
'SubjectEMAIL
'subject_array(0) = "SubjectEMAIL"
'Subject
subject_array(0) = "Subject"
'SubjectCN
'subject_array(0) = "SubjectCN"
In the ContosoAD.inc file, locate the line
param_email.Name = "SubjectEMAIL"
for the Session Manager object and change it to
param_email.Name = "CertificateUPN"
In the ContosoAD.inc file, locate the line
param_email.Name = "mail"
for the User Manager object and change it to
param_email.Name = "sAMAccountName"
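The mapping that the procedure above configures, shown as an added Python example that is not part of this topic or of UAG: it decodes the UPN otherName from a certificate SAN and derives the sAMAccountName to look up. The DER helpers, the sample SAN and the directory table are constructed here; the rule that the part before "@" is the sAMAccountName, accepted only for known UPN suffixes, is an assumption about the comparison, not something this topic states.

```python
# Added example, not UAG code: DER helpers, the sample SAN and the directory table are constructed.
UPN_OID = bytes.fromhex("2b060104018237140203")  # szOID_NT_PRINCIPAL_NAME, 1.3.6.1.4.1.311.20.2.3

def der(tag, body):  # minimal DER TLV encoder; the values built here are all < 128 bytes
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one TLV at pos -> (tag, body, position after it); handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_san(upn, dns=None):
    # Constructed SAN = SEQUENCE { [dNSName [2]], otherName [0] { OID, [0] EXPLICIT UTF8String } }
    other = der(0xA0, der(0x06, UPN_OID) + der(0xA0, der(0x0C, upn.encode())))
    return der(0x30, (der(0x82, dns.encode()) if dns else b"") + other)

def upn_from_san(san):
    """Return the UPN carried by an otherName entry, or None if the SAN has none."""
    tag, names, _ = read_tlv(san, 0)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE of GeneralName")
    pos = 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                               # only otherName [0] can carry a UPN
            continue
        oid_tag, oid, p = read_tlv(body, 0)
        if oid_tag != 0x06 or oid != UPN_OID:
            continue                                  # a different otherName type
        wrap_tag, wrapped, _ = read_tlv(body, p)      # [0] EXPLICIT wrapper
        inner_tag, inner, _ = read_tlv(wrapped, 0)
        if wrap_tag == 0xA0 and inner_tag == 0x0C:    # UTF8String
            return inner.decode("utf-8")
    return None

# Constructed stand-ins for Active Directory: sAMAccountName values and the forest's UPN suffixes.
ACCOUNTS = {"scott": "scott", "jdoe": "jdoe"}
UPN_SUFFIXES = {"contoso.com"}

def account_for_san(san):
    """Assumed rule: the part before '@' is looked up as sAMAccountName; the suffix must be known."""
    local, _, suffix = (upn_from_san(san) or "").rpartition("@")
    if suffix.lower() not in UPN_SUFFIXES:
        return None                                   # foreign or missing suffix: no local account
    return ACCOUNTS.get(local.lower())
```

A SAN without a UPN otherName, or one whose suffix is not one of the forest's UPN suffixes, yields no account, so a certificate from a CA that is trusted but issues for another namespace cannot be mapped onto a local sAMAccountName by its local part alone.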