This topic describes how to configure the SSL client certificate authentication scheme in Forefront Unified Access Gateway (UAG) to require a certificate that contains the user’s e-mail address in the certificate subject, in order to compare it with the mail attribute in Active Directory.

For this scenario, the certificate subject must include the user’s e-mail address.

This scenario works with the default Active Directory Certificate Services (AD CS) “User” certificate template, provided the user’s e-mail address is configured in Active Directory Domain Services (AD DS).

To authenticate using a certificate with e-mail in the subject

  1. Copy the file from:

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples

    to the following custom folder:

    ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

  2. Rename the file as follows:


    For example, for a trunk named UAGPortal, name the file

  3. In the file, locate the line subject_array(0) = "SubjectEMAIL" and make sure it is not commented out (it must have no leading apostrophe, unlike the two alternative lines).

    The file should contain the following:

    subject_array(0) = "SubjectEMAIL"
    'subject_array(0) = "Subject"
    'subject_array(0) = "SubjectCN"
  4. From the samples folder, copy the file to the CustomUpdate folder. Rename the file as follows:


    where <Server_Name> is the name of your LDAP authentication server. For example, if you named the server "ContosoAD", name the file

  5. In the file, make sure that param_email.Name = "SubjectEMAIL" for the Session Manager parameter.

  6. In the file, make sure that param_email.Name = "mail" for the User Manager parameter.
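The two parameters above define a mapping: the value of the E= component of the certificate subject is looked up against the mail attribute of the directory. The following Python illustration of that mapping is added here and is not UAG's sample script (which is VBScript); it assumes a case-insensitive comparison and requires exactly one matching account, and the directory records are constructed sample data.

```python
import re
from typing import Optional

# Labels under which the e-mail RDN appears in a subject DN string.
EMAIL_LABELS = ("E", "EMAIL", "EMAILADDRESS", "1.2.840.113549.1.9.1")

def subject_email(subject_dn: str) -> Optional[str]:
    """Return the e-mail RDN value from a subject DN string, or None.

    Corresponds to the 'SubjectEMAIL' field: only the subject is consulted,
    not the Subject Alternative Name extension. Backslash-escaped commas
    (RFC 2253 style) inside a value are not treated as separators.
    """
    rdns = re.split(r"(?<!\\),\s*", subject_dn)
    for rdn in rdns:
        label, sep, value = rdn.partition("=")
        if sep and label.strip().upper() in EMAIL_LABELS:
            return value.replace("\\,", ",").strip()
    return None

def resolve_user(email: str, directory: list) -> Optional[str]:
    """Map a certificate e-mail to exactly one account via the 'mail' attribute.

    Assumption: mail is compared case-insensitively. Returns None when there
    is no match or more than one, so an ambiguous mapping never resolves to
    whichever account happens to be listed first.
    """
    hits = [u["sAMAccountName"] for u in directory
            if u.get("mail", "").lower() == email.lower()]
    return hits[0] if len(hits) == 1 else None

def authenticate(subject_dn: str, directory: list) -> Optional[str]:
    """Full path: certificate subject -> e-mail -> single directory account."""
    email = subject_email(subject_dn)
    if not email:
        return None
    return resolve_user(email, directory)

# Constructed sample directory standing in for the AD DS 'mail' attribute.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "alice", "mail": "Alice@contoso.com"},
    {"sAMAccountName": "bob", "mail": "bob@contoso.com"},
    {"sAMAccountName": "bob2", "mail": "bob@contoso.com"},  # duplicate mail
    {"sAMAccountName": "carol"},                             # no mail set
]
```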