You need a Client Authentication certificate installed on the client. The one I had looks like this in the user store:
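Before touching the UAG side it is worth confirming on the client that the certificate the browser will offer is actually usable. The following PowerShell is an added example, not part of the original post: it lists certificates in the current user's Personal store that carry the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2, the same OID the cert.inc constants later in the post match on), have a private key, and are within their validity period. The helper name Test-ClientAuthCert and the SAN column are my own; the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: run on the client to confirm the
# user's Personal store holds a certificate the browser can offer to the portal.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# True when the certificate has a private key, is currently valid, and lists the
# Client Authentication OID in its Enhanced Key Usage extension.
function Test-ClientAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = $Cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
    $now = Get-Date
    return ($Cert.HasPrivateKey -and
            $now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter -and
            ($ekus -contains $clientAuthOid))
}

$usable = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { Test-ClientAuthCert $_ }

if (-not $usable) {
    Write-Warning 'No usable Client Authentication certificate in Cert:\CurrentUser\My.'
} else {
    $usable | Select-Object Subject, Issuer, Thumbprint, NotAfter,
        @{ Name = 'SubjectAltName'; Expression = {
            # UAG is configured below to match on UserPrincipalName, so show the
            # Subject Alternative Name (OID 2.5.29.17) where a domain-issued
            # certificate carries the UPN.
            ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }) -join '; '
        } } | Format-List
}
```

If the list is empty, the portal will never show a certificate prompt for that user, however correctly the server side is configured.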
Here are the steps we need to take to configure client certificate authentication. In this scenario we need to copy four files from this location:
C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples
Files:
1. Repository_for_cert.inc
2. Site_secure_smartcard_cert.inc
3. Site_secure_login_for_cert.inc
4. Site_secure_validate_for_cert.inc
We need to paste them in this location:
C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate
Now comes the interesting part, where we need to make modifications to the files:
1. Repository_for_cert.inc
First we need to rename this file to the name of the repository that we are using on this portal, e.g. dc.nwtraders.com.inc where dc.nwtraders.com is set as the AD repository on the trunk.
Then open the file in Notepad or any text editor and search for "SubjectEMAIL". This needs to be changed to "UserPrincipalName", like this:
Then save the file.
2. Site_secure_smartcard_cert.inc
We need to rename this file to TrunkName1cert.inc, where the 1 means it is a secure trunk. So in our case it will be Portal1cert.inc.
Then we need to make a few changes to the file.
1) For Smart Card authentication, remove the comment from the lines below so that they look like this:
'Smart Card Logon cert.inc
Const ENHANCED_KEY_USAGE = "Enhanced Key Usage"
Const CERTIFICATE_SMARTCARD_LOGON = "Smart Card Logon"
Const SMART_CARD_ENHANCED_KEY_USAGE_OID = "1.3.6.1.4.1.311.20.2.2"
2) For Client Certificate authentication, remove the comment from the lines below so that they look like this:
'Client Certificate Logon cert.inc
Const CERTIFICATE_SMARTCARD_LOGON = "Client Authentication"
Const SMART_CARD_ENHANCED_KEY_USAGE_OID = "1.3.6.1.5.5.7.3.2"
In our case it is option 2, as we are using a client certificate, so we also need to comment out lines 4 and 5, which are for Smart Card authentication.
There is another change we need to make at the end of this file, like this:
Here we need to remove the comment character ' next to Subject_array(0)="Subject". After that, save the file.
3. Site_secure_login_for_cert.inc
We need to rename this file to TrunkName1login.inc; in our case it will be Portal1login.inc. Inside this file we DO NOT need to make any change.
4. Site_secure_validate_for_cert.inc
This one also needs to be renamed, to TrunkName1validate.inc, which in our case is Portal1validate.inc.
Inside the file we need to make one small change: add the name of the repository that is set on the portal, like this:
Session("repository1")="dc.nwtraders.com"
Here we set "dc.nwtraders.com" (the repository that I am using in my environment) as the value of Session("repository1").
So all four files will be placed in the inc\CustomUpdate location mentioned earlier:
After all this is done we just need to activate the configuration. Then, when you access the portal from the client, you will see the certificate prompt pop up:
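The copy, rename and edit steps above are easy to get subtly wrong by hand (a stray comment character, a file named for the wrong trunk). The script below is an added example, not part of the original post, that performs them for the client-certificate case (option 2) and warns when an expected line is not found, so a sample file that differs from the one described does not go unnoticed. It assumes the default UAG install path, a secure trunk named "Portal" and an AD repository named "dc.nwtraders.com" (the values used in the post), Windows PowerShell 3.0 or later, and an elevated session on the UAG server; the helper Edit-IncFile and the regular expressions are mine. Activation is still done from the UAG Management console afterwards.

```powershell
# Added example, not from the original post: automates the four-file setup for
# client certificate authentication on a UAG trunk.
$uagRoot    = 'C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite'
$samples    = Join-Path $uagRoot 'samples'
$custom     = Join-Path $uagRoot 'inc\CustomUpdate'
$trunkName  = 'Portal'            # assumption: trunk name ("1" suffix = secure trunk)
$repository = 'dc.nwtraders.com'  # assumption: AD repository set on the trunk

# Sample file -> target name in CustomUpdate, following the renaming rules above.
$fileMap = [ordered]@{
    'Repository_for_cert.inc'           = "$repository.inc"
    'Site_secure_smartcard_cert.inc'    = "${trunkName}1cert.inc"
    'Site_secure_login_for_cert.inc'    = "${trunkName}1login.inc"
    'Site_secure_validate_for_cert.inc' = "${trunkName}1validate.inc"
}

New-Item -ItemType Directory -Path $custom -Force | Out-Null
foreach ($entry in $fileMap.GetEnumerator()) {
    Copy-Item -Path (Join-Path $samples $entry.Key) -Destination (Join-Path $custom $entry.Value) -Force
}

# Applies regex replacements (multiline, case-insensitive) to one .inc file in
# place, keeping its ANSI encoding. A rule that changes nothing is reported
# unless marked Optional, because that usually means the sample file differs.
function Edit-IncFile {
    param([string]$Path, [hashtable[]]$Rules)
    $enc  = [System.Text.Encoding]::Default
    $opts = [System.Text.RegularExpressions.RegexOptions] 'Multiline, IgnoreCase'
    $text = [System.IO.File]::ReadAllText($Path, $enc)
    foreach ($rule in $Rules) {
        $before = $text
        $text = [regex]::Replace($text, $rule.Pattern, $rule.Replacement, $opts)
        if ($text -eq $before -and -not $rule.Optional) {
            Write-Warning "$Path : pattern '$($rule.Pattern)' changed nothing"
        }
    }
    [System.IO.File]::WriteAllText($Path, $text, $enc)
}

# 1. Repository file: match the certificate on UserPrincipalName, not SubjectEMAIL.
Edit-IncFile -Path (Join-Path $custom $fileMap['Repository_for_cert.inc']) -Rules @(
    @{ Pattern = 'SubjectEMAIL'; Replacement = 'UserPrincipalName' }
)

# 2. Cert file: uncomment the Client Authentication constants, make sure the
#    Smart Card constants (lines 4 and 5 in the post) are commented out, and
#    uncomment Subject_array(0)="Subject" near the end of the file.
Edit-IncFile -Path (Join-Path $custom $fileMap['Site_secure_smartcard_cert.inc']) -Rules @(
    @{ Pattern = '^([ \t]*)''[ \t]*(Const CERTIFICATE_SMARTCARD_LOGON[ \t]*=[ \t]*"Client Authentication")'
       Replacement = '$1$2' }
    @{ Pattern = '^([ \t]*)''[ \t]*(Const SMART_CARD_ENHANCED_KEY_USAGE_OID[ \t]*=[ \t]*"1\.3\.6\.1\.5\.5\.7\.3\.2")'
       Replacement = '$1$2' }
    @{ Pattern = '^([ \t]*)(Const CERTIFICATE_SMARTCARD_LOGON[ \t]*=[ \t]*"Smart Card Logon")'
       Replacement = '$1''$2'; Optional = $true }
    @{ Pattern = '^([ \t]*)(Const SMART_CARD_ENHANCED_KEY_USAGE_OID[ \t]*=[ \t]*"1\.3\.6\.1\.4\.1\.311\.20\.2\.2")'
       Replacement = '$1''$2'; Optional = $true }
    @{ Pattern = '^([ \t]*)''[ \t]*(Subject_array\(0\)[ \t]*=[ \t]*"Subject")'
       Replacement = '$1$2' }
)

# 3. Login file: no edits needed.

# 4. Validate file: point repository1 at the AD repository used on the trunk.
Edit-IncFile -Path (Join-Path $custom $fileMap['Site_secure_validate_for_cert.inc']) -Rules @(
    @{ Pattern = '(Session\("repository1"\)[ \t]*=[ \t]*)"[^"]*"'; Replacement = ('$1"' + $repository + '"') }
)

# Show what now sits in CustomUpdate so it can be compared with the post's list.
Get-ChildItem -Path $custom | Select-Object Name, Length, LastWriteTime
```

The two Smart Card rules are marked Optional because in a fresh sample those lines are already commented out; the other rules are expected to change something, and a warning from one of them means the sample file should be inspected before the configuration is activated.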
Note:
If you want to enable Kerberos constrained delegation on any application that belongs to this trunk, open the <Authentication_Server_Name>.inc file (in our case dc.nwtraders.com.inc) and make the following modification:
KCDAuthentication_on = true
We also need to add the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\URLFilter\KCDUseUPN
DWORD value 1
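The two KCD changes in the note live in different places (an .inc file and the registry), so a read-back check before activation is worth having. The script below is an added example, not part of the original post: it sets KCDAuthentication_on to true in the repository file, creates the KCDUseUPN DWORD value, and reads both back. It assumes the repository file is the dc.nwtraders.com.inc created in CustomUpdate earlier and already contains a KCDAuthentication_on line (the script only changes its value and does not add the line), and that the registry path is exactly the one given in the note; the variable names and regular expressions are mine.

```powershell
# Added example, not from the original post: apply and verify the KCD settings.
$repoFile = 'C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate\dc.nwtraders.com.inc'
$regPath  = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\URLFilter'
$regName  = 'KCDUseUPN'
$enc      = [System.Text.Encoding]::Default   # keep the ANSI encoding of the .inc file

# 1. KCDAuthentication_on = true in the repository file. The pattern also
#    accepts a leading ' so a commented-out line is enabled rather than duplicated.
$text    = [System.IO.File]::ReadAllText($repoFile, $enc)
$pattern = '(?im)^([ \t]*)''?[ \t]*(KCDAuthentication_on[ \t]*=[ \t]*)\w+'
if ($text -match $pattern) {
    [System.IO.File]::WriteAllText($repoFile, [regex]::Replace($text, $pattern, '$1$2true'), $enc)
} else {
    Write-Warning "No KCDAuthentication_on line found in $repoFile; add 'KCDAuthentication_on = true' by hand."
}

# 2. Registry value KCDUseUPN (DWORD) = 1 under the URLFilter key.
if (-not (Test-Path -Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null

# Read-back: both fields must be True before the configuration is activated.
$fileOk = [System.IO.File]::ReadAllText($repoFile, $enc) -match '(?im)^[ \t]*KCDAuthentication_on[ \t]*=[ \t]*true[ \t]*\r?$'
$regOk  = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName -eq 1
[pscustomobject]@{ RepositoryFile = $repoFile; KCDAuthentication_on = $fileOk; KCDUseUPN = $regOk }
```

Run it elevated on the UAG server; if KCDAuthentication_on reads back as False, the repository file did not contain the expected line and needs a manual edit before activating.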
http://technet.microsoft.com/en-us/library/ee861163.aspx
http://technet.microsoft.com/en-us/library/ff607438.aspx
http://technet.microsoft.com/en-us/library/ff607363.aspx
http://technet.microsoft.com/en-us/library/ff607406.aspx
http://technet.microsoft.com/en-us/library/ee809087.aspx
Author :
Junaid Jan
Security Support Escalation Engineer
MSD Security