SSL Client Certificate Authentication allows users to authenticate to TMG using smart cards. This post explains how to configure TMG and Active Directory for certificate authentication.

In my previous article I explained the use of one-time passwords with Forefront Threat Management Gateway (TMG). Today, I will discuss an alternative to this method that leverages smart cards and Public Key Infrastructure (PKI). I will describe how to use certificates that are published on the TMG.

For this to work, you don't have to deploy an Enterprise Certification Authority. You can use any certificate issued by a public or private CA. Two things are required for this:

  1. The CA that issued the user certificate has to be added to the Certificate trust list (CTL) on the TMG Listener
  2. The user certificate has to be mapped to the user’s Active Directory credentials

First, locate the Listener from our previous articles.


Figure: TMG Web Listener

Next, click the Toolbox tab, and then Network Objects.

Now, right-click the listener that you created before and select the "Authentication" tab.

Figure: SSL Client Certificate Authentication

Select "SSL Client Certificate Authentication" from the dropdown menu. You can only choose "Windows Active Directory" to validate the credentials.

Click on "Advanced", and then select the Client Certificate Trust list. You have two options here:

Figure: SSL Client Certificate Authentication - Advanced Authentication Options

You can either allow certificates from all issuers that are trusted on the TMG, or select only specific trusted certificates. I suggest accepting certificates only from those CAs that your users will actually use. If you want to accept certificates from a public CA that is not in the Trust List, you must also add the CA Root certificate to the TMG.

You can map a certificate to a user account using Active Directory, but first you need the user’s exported public key. Open Active Directory Users and Computers, select "View" and click on "Advanced Features".

Figure: SSL Client Certificate Authentication - Active Directory Advanced Features

Now, navigate to the user account, right-click the user name and select "Name Mappings".

Figure: SSL Client Certificate Authentication - Name Mappings

Click "Add" and point to the CER file that contains the user's public key. This user can now be authenticated on the TMG Listener.

Figure: SSL Client Certificate Authentication - Security Identity Mapping
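The Name Mappings dialog writes the issuer and subject of the CER file into the user's altSecurityIdentities attribute. The following PowerShell does the same mapping from the command line and, going a step beyond the dialog, can bind the account to the certificate's issuer and serial number instead of its subject, so a second certificate with the same subject from another trusted CA does not match. This is an added example, not code from the original post; the account name "jdoe", the path .\jdoe.cer and the function names are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original post): map a user's certificate to an AD
# account from PowerShell instead of the ADUC "Name Mappings" dialog.
# Assumptions: the ActiveDirectory module is installed; "jdoe" and .\jdoe.cer are
# placeholders for the real sAMAccountName and the user's exported public key.
Import-Module ActiveDirectory

# Name Mappings stores the issuer and subject DNs in altSecurityIdentities in
# reverse RDN order, comma-separated and without spaces, e.g.
#   X509:<I>DC=com,DC=example,CN=Example CA<S>DC=com,DC=example,CN=Users,CN=jdoe
function ConvertTo-ReversedDn {
    param([string]$Dn)
    # X509Certificate2 returns "CN=jdoe, DC=example, DC=com"; AD wants the reverse.
    # Simple split: RDNs that contain an escaped comma are not handled here.
    $parts = @($Dn -split ',\s*')
    [array]::Reverse($parts)
    return ($parts -join ',')
}

function New-CertMapping {
    param([string]$CerPath, [switch]$BySerial)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $issuer = ConvertTo-ReversedDn $cert.Issuer
    if ($BySerial) {
        # Issuer + serial number binds the mapping to this one certificate.
        # GetSerialNumber() already returns the bytes in reversed (little-endian)
        # order, which is the byte order the <SR> form expects.
        $serial = ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''
        return "X509:<I>$issuer<SR>$serial"
    }
    # Issuer + subject: the form the ADUC dialog produces
    return "X509:<I>$issuer<S>$(ConvertTo-ReversedDn $cert.Subject)"
}

function Add-CertMapping {
    param([string]$SamAccountName, [string]$CerPath, [switch]$BySerial)
    $mapping = New-CertMapping -CerPath $CerPath -BySerial:$BySerial
    # altSecurityIdentities is multi-valued; -Add keeps any existing mappings
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    # Read back the attribute so the change can be verified
    (Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
}

# Usage: Add-CertMapping -SamAccountName 'jdoe' -CerPath '.\jdoe.cer' -BySerial
```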

Do not confuse this method with smart card authentication on workstations; you will still require specific certificates for smart card logins. I strongly recommend that you allow only user certificates that are stored on smart cards. As far as I know, this can't be enforced on the TMG.

When a user accesses Outlook Web Access (OWA), he will be asked to provide a certificate and a smart card PIN. Once he has authenticated successfully to the TMG, he will be automatically logged on to OWA.


© 4sysops 2006 - 2023
