
UAG SSL Client Certificate Authentication Problems…

June 17th, 2011

It is pretty straightforward to configure SSL client certificate authentication in UAG: just follow the steps in the online guide at http://technet.microsoft.com/en-us/library/ee861163.aspx and you should be up and running in almost no time, except for an issue that occurs whenever your logon name and common name do not match!

An authentication error occurs, with the error message in UAG stating that the user account does not have the expected cn, upn or email value that was extracted from the user's SSL authentication certificate at logon. Looking at the certificate, all values of cn, upn and email show a 100% match with the same values on the user account!

Looking at the cert auth scripts in UAG, we can see that UAG uses the common name of the certificate subject as the user_name. The user_name is then used to obtain information from Active Directory about that user account. This is where the error occurs: the matching of the username is simply wrong, because the subject CN is not necessarily the account's logon name.

To correct this, you can obtain the UPN value from the client certificate in the certificate validation script and use it to derive the user logon name by simply splitting at the @ sign.

Download the UAG customupdate-cert scripts and make sure to change the authserver01 keyword to the name of your authentication repository.
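To make the difference concrete, here is an added Python example; it is not code from the post or from UAG. It parses a constructed subjectAltName extension, pulls the UPN out of the Microsoft otherName entry (OID 1.3.6.1.4.1.311.20.2.3) and derives the logon name by splitting at the @ sign, then contrasts that with the CN-based user_name. The subject CN "John Doe", the UPN and the account name "jdoe" are assumed sample values.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft UPN otherName OID (szOID_NT_PRINCIPAL_NAME)

def der(tag, payload):
    """Wrap payload in a short-form DER TLV (payload < 128 bytes, enough here)."""
    if len(payload) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(payload)]) + payload

def oid_payload(dotted):
    """DER content octets of an OBJECT IDENTIFIER given in dotted form."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:            # base-128 with continuation bits
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return bytes(out)

def tlvs(data):
    """Yield (tag, payload) for each short-form DER TLV in data."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        if length & 0x80:
            raise ValueError("long-form length not supported")
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length

def upn_from_san(san_der):
    """Return the UPN from the subjectAltName otherName, or None if absent."""
    tag, general_names = next(tlvs(san_der))
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    for gn_tag, gn in tlvs(general_names):
        if gn_tag != 0xA0:           # [0] otherName; rfc822Name ([1]) etc. are skipped
            continue
        (oid_tag, oid), (val_tag, val) = list(tlvs(gn))
        if oid_tag == 0x06 and oid == oid_payload(UPN_OID) and val_tag == 0xA0:
            str_tag, text = next(tlvs(val))
            if str_tag == 0x0C:      # UTF8String
                return text.decode("utf-8")
    return None

def logon_name_from_cert(subject_cn, san_der, use_upn=True):
    """use_upn=False is the original UAG behaviour (CN as user_name); True is the fix."""
    if not use_upn:
        return subject_cn
    upn = upn_from_san(san_der)
    if upn is None or "@" not in upn:
        raise ValueError("certificate carries no usable UPN")
    return upn.split("@", 1)[0]

def build_san(upn, email):
    """Constructed test input: a SAN with a UPN otherName and an rfc822Name."""
    other_name = der(0xA0, der(0x06, oid_payload(UPN_OID)) + der(0xA0, der(0x0C, upn.encode())))
    return der(0x30, other_name + der(0x81, email.encode("ascii")))

if __name__ == "__main__":
    san = build_san("jdoe@example.com", "jdoe@example.com")   # constructed sample cert data
    for use_upn in (False, True):
        name = logon_name_from_cert("John Doe", san, use_upn)
        print(f"use_upn={use_upn}: user_name={name!r}, matches AD account 'jdoe': {name == 'jdoe'}")
```

Running it shows the CN-based user_name "John Doe" never matches the account while the UPN local part "jdoe" does, which is exactly the mismatch behind the UAG error.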

/Hasain

  1. Nadasback
    July 21st, 2011 at 21:09 | #1

    Can you please explain exactly how to accomplish this. I have a requirement to allow access to the portal by CAC authentication only. However, I cannot get client certificates to work on the UAG portal. My error is…

    Error code is The user [1111111111] information [CertificateUPN] is not [1111111111@xxx]

  2. Hasain
    July 24th, 2011 at 08:57 | #2

    I have attached the complete custom scripts to the post above.

  3. Nadasback
    July 26th, 2011 at 16:54 | #3

    Thanks for the files but I still get the error below. Is there something I’m missing?

    User 1111111111 with source IP address 10.xx.xx.xx failed to log into trunk mainportal (secure=1) using authentication server xxxxxxx.lcl with session ID 69B8860C-A2D7-42DE-A328-94CCF6D2A35E. Error code is The user [1111111111] information [CertificateUPN] is not session:[1111111111@mil] user:[].

  4. Aahz
    October 19th, 2011 at 14:37 | #4

    Hasain, thanks a lot!
    Guided by the sample files you provided, I’ve successfully set up UAG for smartcard A&A with ‘SubjectCN’ (not ‘Subject’, as stated in the Technet article) and UPN, then split the UPN in the repository inc. Freakin’ error messages like “Parameter ‘X’ is not parameter ‘X’” are gone.
