
How to set up client side certificate authentication using an enterprise CA for a TS gateway via Forefront TMG 2010?

To date I have executed the following:

  • I have a Terminal Services Gateway configured and working in house.
  • I set up a basic unauthenticated publishing rule to test that the certificates, etc. are good.
  • I updated this rule according to this technet article.

At varying points I have also tried enabling / disabling the client certificates on my IIS instance, the 'require SSL client certificate' and 'require all users to authenticate' options in TMG, and a couple of options in the client certificate trust list.

There have been several additional pages I've looked over as well - 2 and 3 and 4 among many others.

EDIT - I'm specifically interested in any listener, IIS or RADIUS specific parts of the configuration but a summary of the whole would probably be beneficial to the community at large.

TristanK
Tim Brigham

1 Answer


TMG can convert a client certificate associated with a Windows user account into an authenticated (i.e. NTLM or Kerb) connection with the TSG internally.

But the TSG won't see the client certificate; client certificates work for a single hop, that's all.

So functionally, you treat TSG like any other website:

  • make TMG a domain member (and ensure it trusts the issuing CA; that's "natural" for a domain member with an Ent Issuing CA installed in the forest so shouldn't require work)
  • ensure the client certificates issued to client users are associated with that user in AD
  • disable client certificate authentication at the website level (i.e. the TSG) and use Integrated Auth
  • configure TMG to accept client certificates and forward integrated creds to the website (TSG)

Any of the Exchange (/activesync) client certificate authentication guides using ISA or TMG can be used as a template for this.

TristanK
  • Thanks Tristan. Additionally there is a bug in the mstsc executable at current that stops CRL lookups, thus requiring an enterprise edition certificate server with an OCSP server in place. – Tim Brigham Jan 05 '12 at 15:47
  • Do you have any more details on that? – TristanK Jan 06 '12 at 00:21
  • I ran across a couple of vague references (mostly on Experts Exchange) and one halfway decent description. I tested it out by adding a bogus OCSP entry to a test certificate - without it I don't see any firewall traffic or IIS logs generated. The execution dies on the client box. – Tim Brigham Jan 06 '12 at 03:40
  • So the client otherwise doesn't look up the CRL specified on the server certificate? Weird. (or is this the client cert we're discussing?) – TristanK Jan 06 '12 at 04:55
  • The client does not look up the server cert. I tried generating them independently to see if the problem exists in the reverse direction. It does not (or at least this error pops up first). – Tim Brigham Jan 06 '12 at 12:50
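The "ensure the client certificates issued to client users are associated with that user in AD" step in the answer above is the one TMG depends on when it turns a client certificate into an integrated-auth connection to the TSG. The following is an added example, not code from the post or from TMG, showing how to build and set that mapping explicitly; it assumes the ActiveDirectory module is available, that the user's certificate has been exported to `.\alice.cer`, and that `alice` is a placeholder account name.

```powershell
# Added example. Builds the altSecurityIdentities value that ties one client
# certificate (issuer + subject) to one AD user, then writes and reads it back.
# Assumptions: ActiveDirectory module present; '.\alice.cer' and 'alice' are
# placeholders for the exported user certificate and the sAMAccountName.
Import-Module ActiveDirectory

function Get-X509MappingString {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # altSecurityIdentities expects each name with RDNs in reverse order
    # (DC=com,DC=contoso,CN=...) and no spaces after the commas, so take the
    # one-RDN-per-line form, reverse it and rejoin it.
    $reverseDn = {
        param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$dn)
        $rdns = @($dn.Format($true).Split("`n") | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        [array]::Reverse($rdns)
        $rdns -join ','
    }

    $issuer  = & $reverseDn $cert.IssuerName
    $subject = & $reverseDn $cert.SubjectName
    # Issuer + subject form: the mapping only matches a cert from this CA with
    # this subject, unlike the subject-only 'X509:<S>...' form, which matches
    # that subject from any CA the domain trusts.
    "X509:<I>$issuer<S>$subject"
}

$mapping = Get-X509MappingString -CertPath '.\alice.cer'
Set-ADUser -Identity 'alice' -Add @{ altSecurityIdentities = $mapping }

# Read the attribute back and confirm exactly the pair you intended is present.
(Get-ADUser -Identity 'alice' -Properties altSecurityIdentities).altSecurityIdentities
```

If the cert carries the user's UPN in its subject alternative name, AD can map it without this attribute, but the explicit mapping is the one to check first when TMG accepts the certificate and the TSG still returns an authentication error.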