This topic describes how to configure the SSL client certificate authentication scheme in Forefront Unified Access Gateway (UAG) to require a certificate that contains the user’s e-mail address in the certificate subject, in order to compare it with the mail attribute in Active Directory.

For this scenario, the certificate subject must include the user’s e-mail address.

Note:
This scenario works with the default Active Directory Certificate Services (AD CS) “User” certificate template, when the user’s e-mail address is configured in Active Directory Domain Services (AD DS).

To authenticate using a certificate with e-mail in the subject

  1. Copy the file site_secure_SmartCard_cert.inc from:

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples

    to the following custom folder:

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

  2. Rename the file as follows:

    <Trunk_Name>1cert.inc

    For example, for a trunk named UAGPortal, name the file UAGPortal1cert.inc.

  3. In the UAGPortal1cert.inc file, locate the line subject_array(0) = "SubjectEMAIL" and make sure it is not commented out (no leading apostrophe).

    The file should contain the following:

    'SubjectEMAIL
    subject_array(0) = "SubjectEMAIL"
    
    'Subject
    'subject_array(0) = "Subject"
    
    'SubjectCN
    'subject_array(0) = "SubjectCN"
    
  4. From the samples folder, copy the file repository_for_cert.inc to the CustomUpdate folder. Rename the file as follows:

    <Server_Name>.inc

    where <Server_Name> is the name of your LDAP authentication server. For example, if you named the server "ContosoAD", name the file ContosoAD.inc.

  5. In the ContosoAD.inc file, make sure that the Session Manager parameter is set to param_email.Name = "SubjectEMAIL".

  6. In the ContosoAD.inc file, make sure that the User Manager parameter is set to param_email.Name = "mail".
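The comparison that the configuration above sets up (SubjectEMAIL from the client certificate against the AD mail attribute) is shown below as an added, stand-alone example; it is not code from the UAG product or from this article. It assumes the certificate subject arrives as a comma-separated RDN string of the form IIS exposes in CERT_SUBJECT, and the sample subjects and mail values are constructed.

```python
"""Added example: extract the e-mail RDN from a client certificate subject
and compare it with the user's AD 'mail' attribute, rejecting the cases the
scheme must reject (no e-mail in the subject, empty mail attribute, mismatch).
Assumption: the subject is a comma-separated RDN string ("E=..., CN=..."),
with RFC 4514 backslash escapes."""

# RDN attribute types under which an e-mail address appears in a subject.
EMAIL_RDN_TYPES = {"E", "EMAIL", "EMAILADDRESS", "1.2.840.113549.1.9.1"}


def split_rdns(subject):
    """Split a subject string on unescaped commas; backslash escapes one char."""
    parts, cur, i = [], [], 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):
            cur.append(subject[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def subject_email(subject):
    """Return the e-mail from the subject (what UAG calls SubjectEMAIL), or None."""
    for rdn in split_rdns(subject):
        name, sep, value = rdn.partition("=")
        if sep and name.strip().upper() in EMAIL_RDN_TYPES:
            return value.strip() or None
    return None


def cert_matches_user(subject, ad_mail):
    """True only if both values are present and equal (case-insensitive)."""
    cert_mail = subject_email(subject)
    if cert_mail is None or not ad_mail:
        return False
    return cert_mail.casefold() == ad_mail.casefold()


if __name__ == "__main__":
    # Constructed sample data, shaped like a subject with the e-mail included.
    ok = "E=alice@contoso.com, CN=Alice Lee, CN=Users, DC=contoso, DC=com"
    no_mail = "CN=Bob Ray, CN=Users, DC=contoso, DC=com"
    print(cert_matches_user(ok, "Alice@Contoso.com"))    # True
    print(cert_matches_user(no_mail, "bob@contoso.com"))  # False: no E= in subject
    print(cert_matches_user(ok, ""))                      # False: mail attribute empty
```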