Kerberos authentication has always been a challenge specially when deploying complex environments with many different components and authentication requirements. There are some good guides about how to deploy kerberos authentication and delegate constrained authentications in general but as my colleague and Sharepoint expert Thomas Balkeståhl already realized there are very few ones focusing specific products. Thomas has in a recent blog post about how to bring together kerberos and Sharepoint done some wonderful job in bringing real life experience into one of the best guides I found about kerberos and Sharepoint.
Enjoy reading the complete “The final Kerberos guide for SharePoint technicians”
It is pretty straight forward to configure SSL Client Certificate Authentication in UAG, just follow the steps in the online guide at http://technet.microsoft.com/en-us/library/ee861163.aspx and you should be able to run in almost no time except for an issue that occurs whenever your logon name and common name does not match!
An authentication error will occur with the error message in UAG telling that the user account does not have the expected cn, upn or email value that has been extracted from the users SSL authentication certificate at the time of logon. Looking at the certificate all values of cn, upn and email shows a 100% match of the same values on the user account!
Looking at the cert auth scripts in UAG we can see that UAG is using the value of the common name of the certificate subject as the user_name. The user_name is then used to obtain information from Active Directory regarding that user account. And this is where the error occurs, the matching for the username is simply wrong.
To correct this you can obtain the UPN value from the client certificate in the certificate validation script and use that value to obtain the user logon name by simply splitting at the @ sign.
Download the UAG customupdate-cert scripts and make sure to change the authserver01 key word to the name of your authentication repository.