Certificates on IAG 2007

1. Introduction


The use of Digital Certificates with IAG 2007 is essential for several IAG authentication and access scenarios as well as for providing encryption of sensitive data. There are two main scenarios when using certificates; it is common to have misunderstandings about which scenarios each type of certificates are used. The first article of this series will give you an overview of the different types and usages of each certificate when you are using IAG 2007.


2. When does IAG use Certificates?


The diagram below shows the various scenarios where IAG uses certificates for authentication and/or data encryption:


Figure 1 – IAG SSL Communication


This diagram shows the two parts of the communication when IAG 2007 is used to allow external access to internal resources. The main purpose here is to define which type of certificates are involved when each communication happening, therefore let’s see the following table:


Communication Channel

Certificate Type

Certificate Usability

Where the Certificate is Installed

Client to Server

Client Authentication

·         Client authentication

·         Endpoint Detection

Client workstation

Server to Client

Server Authentication

·         Regular Publishing Scenarios

·         Network Connector

·         IAG Portal

IAG Server

Server to Server

Server Authentication

·         Encrypted connection to protocol transaction, such as LDAPs and HTTPs

Application Server (Web Server) or in the Authenticator (Domain Controller for instance)


3. Client Certificate Authentication with IAG


The previous table summarizes the scenarios where a certificate is used, but how really IAG authenticates the user when using client certificate?  IAG certificate authentication works in four main phases:


1)      Certificate is checked in IIS against CRL to make sure it is not revoked

2)      Certificate validity is checked to make sure it’s not expired (cert.asp)

3)      Two pieces of data are collected from the cert the “username” and the “email address” (cert.asp)

4)      The directory service choose in the authentication repository is queried using the “username” and then if a match is found is that user is queried for the “email” parameter ([repositoryname].inc.)  The email parameter retrieved from the directory is compared to the value retrieved from the certificate([trunkname]1validate.inc).  If any of the 4 checks or subset of the checks fail or do not match the user is not authenticated.


It is important to remember that the IAG certificate authentication mechanisms are provided as samples.  These samples are intended to be re-written or modified to match the requirements each particular customer has.  Customer PKI schema vary so significantly customer to customer that it’s not possible to have a default configuration that knows how to deal with even most cases. 


There were some cases where the DN used as the Certificate SubjectCN, in this case our sample would properly pick up that object and use it for authentication.  However there are other cases the certificate does not contain DN or UPN but contains some other collection of objects we can use to write a custom ADSI query to AD to look up the user’s DN.  The framework provided is very flexible and customizable and is designed to allow as many cases as possible.


4. What comes next?


This post gives you an overview of how IAG uses certificate and starts to introduce client certificate mechanism. The coming articles will cover:

·         Certificate Authentication with and without Kerberos

·         Implementing Client Certificate Authentication

·         Understanding IAG’s “Certified Endpoint” feature

·         Understanding Endpoint Detection of Client Certificates


Stay tuned.




Yuri Diogenes

Security Support Engineer – ISA/IAG Team

Microsoft – Texas


Dan Herzog

Security Support Engineer – IAG Team

Microsoft – Washington



Comments (1)

  1. Anonymous says:

    Hi all. First of all let me say that the articles in the blog are really useful. Regarding the use of certificates, what about if the username cannot be retrieved from the certificate?. Let’s supose a situation where the CN in the certiticate doesn’t contain the username or UPN or so. Is it possible to match the user with other attributes? I am currently working on an scenario where the user certificate is imported into Active Directory as user Name Mappings.Is it feasible to query the active directory using the attribute altsecurityidentities? If so, where is that attribute to be included? Maybe customizing the xml file of the repository definition?

    Thanks in advance