This topic describes how to configure the SSL client certificate authentication scheme in Forefront Unified Access Gateway (UAG) to require a certificate that contains the common name (CN) in the subject, in order to compare it with the CN attribute in Active Directory.
The following lists the supported user names and certificates for this scenario:
- The certificate subject must include the CN of the user.
- The CN should be the same as the user name. For example, if the certificate subject includes “CN=Scott, CN=users, DC=contoso, DC=com”, the certificate can be authenticated. If the certificate subject includes “CN=Scott Bishop, CN=users, DC=contoso, DC=com”, it cannot be authenticated.
Note: This behavior is not the default when using Active Directory Domain Services (AD DS). By default, AD DS constructs the CN as “FirstName LastName”, which Forefront UAG cannot use to authenticate the user with a certificate. To overcome this limitation, you can do one of the following:
- After creating a user, rename the user from “FirstName LastName” to “username”.
- Include the user principal name (UPN) in the subject alternative name (SAN) of the certificate, and refer to the scenario with UPN. See Authenticating with UPN in the certificate SAN.
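As an added example (not from the Forefront UAG documentation or product code), the following Python models the matching rule described above: the leftmost CN of the certificate subject is compared, as an exact string, against the cn attribute of the directory users, so “Scott” authenticates while “Scott Bishop” does not. The directory contents and the assumption that the leftmost CN is the one compared are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Split a subject DN on commas that are not escaped with a backslash (RFC 4514 style).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Return the subject's RDNs, left to right, as (attribute, value) pairs."""
    rdns = []
    for rdn in _RDN_SPLIT.split(subject):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def subject_cn(subject: str) -> Optional[str]:
    """The leftmost CN in the subject; assumed here to be what UAG's SubjectCN lookup reads."""
    for attr, value in parse_subject(subject):
        if attr == "CN":
            return value
    return None


# Constructed stand-in for the cn attribute of the users in the directory:
# "Scott" was renamed to his user name; "Mary Jones" keeps the default "FirstName LastName" cn.
AD_USER_CNS = ["Scott", "Mary Jones"]


def can_authenticate(subject: str, user_cns: List[str] = AD_USER_CNS) -> bool:
    """True when the certificate's CN exactly equals one user's cn (AD compares cn case-insensitively)."""
    cn = subject_cn(subject)
    return cn is not None and any(cn.casefold() == ad_cn.casefold() for ad_cn in user_cns)


def explain(subject: str, user_cns: List[str] = AD_USER_CNS) -> str:
    """Tell an administrator why a certificate would or would not authenticate."""
    cn = subject_cn(subject)
    if cn is None:
        return "no CN in subject: UAG has nothing to look up"
    if can_authenticate(subject, user_cns):
        return f"CN '{cn}' matches an AD cn: authenticates"
    return f"CN '{cn}' matches no AD cn: rename the user or use the UPN-in-SAN scenario"


if __name__ == "__main__":
    for s in ("CN=Scott, CN=users, DC=contoso, DC=com",
              "CN=Scott Bishop, CN=users, DC=contoso, DC=com",
              "CN=mjones, CN=users, DC=contoso, DC=com"):
        print(s, "->", explain(s))
```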
The following procedure describes how to use the SubjectCN from a smart card certificate to authenticate users instead of the SubjectEMAIL.
Note: This procedure describes the changes that you must make to the site_secure_smartcard_cert.inc and repository_for_cert.inc files.
To authenticate using a certificate with CN in the subject
- Copy the file site_secure_SmartCard_cert.inc from:
...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples
to the following custom folder:
...\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate
- Rename the file as follows: <Trunk_Name>1cert.inc
For example, for a trunk named UAGPortal, name the file UAGPortal1cert.inc.
- In the UAGPortal1cert.inc file, locate the line
subject_array(0) = "SubjectEMAIL"
and comment it out.
- In the UAGPortal1cert.inc file, locate the line
'subject_array(0) = "SubjectCN"
and remove the comment mark. The file should now contain the following:
'SubjectEMAIL
'subject_array(0) = "SubjectEMAIL"
'Subject
'subject_array(0) = "Subject"
'SubjectCN
subject_array(0) = "SubjectCN"
- From the samples folder, copy the file repository_for_cert.inc to the CustomUpdate folder. Rename the file as follows: <Server_Name>.inc
where <Server_Name> is the name of your LDAP authentication server. For example, if you named the server "ContosoAD", name the file ContosoAD.inc.
- In the ContosoAD.inc file, locate the line
param_email.Name = "SubjectEMAIL"
for the Session Manager object and change it to
param_email.Name = "SubjectCN"
- In the ContosoAD.inc file, locate the line
param_email.Name = "mail"
for the User Manager object and change it to
param_email.Name = "<Common Name>"
where <Common Name> is the field used within your Active Directory deployment to represent the common name for users.
Note: The default value for the <Common Name> field in an Active Directory deployment is the cn attribute.