Mac OS Clients fail to access SSL Websites after you enable HTTPS Inspection in Forefront TMG 2010

The concept of HTTPS Inspection (referred to HTTPSi later) was covered in a previous blog article by Yuri Diogenes, which also contains helpful formation about common issues that may occur. If you have missed it, you can find it here.

This current article is intended to explain the root cause of a specific issue and how to solve this.
The issue is: Mac OS clients are not able to use a certificate which is created by Microsoft Forefront TMG 2010 for HTTPSi when using the option “Use Forefront TMG to automatically generate a certificate”.

image

See the following TechNet Article which provides more information on this process: http://technet.microsoft.com/en-us/library/dd441053.aspx

When analyzing this issue, we found that the issue is connected to the fact that TMG uses Unicode and not ASCII to create these certificates. If you take a look at the details of the certificate, you can see that the Subject and Issuer fields for a Certification Authority created certificate are CERT_RDN_PRINTABLE_STRING (ASCII), whilst in the certificate generated by TMG the above fields are CERT_RDN_UNICODE_STRING.

TMG is only able to create a UNICODE certificate when issuing a self-signed certificate for HTTPSi. However, Microsoft completely sticks to the RFC 3280 by using UNICODE.
http://www.ietf.org/rfc/rfc3280.txt
Here is some more information on UTF-8 which is used:
http://en.wikipedia.org/wiki/UTF-8
http://msdn.microsoft.com/en-us/library/aa377501(VS.85).aspx

You can display this certificate’s details if you use the following syntax: ‘certutil –verify –v certname.cer’
Analyzing the output, you can see the following properties:

Issuer:

CN=Microsoft Forefront TMG HTTPS Inspection Certification Authority

[0,0]: CERT_RDN_UNICODE_STRING, Length = 128 (64/64 Characters)

2.5.4.3 Common Name (CN)="Microsoft Forefront TMG HTTPS Inspection Certi

fication Authority"

Subject:

CN=Microsoft Forefront TMG HTTPS Inspection Certification Authority

[0,0]: CERT_RDN_UNICODE_STRING, Length = 128 (64/64 Characters)

2.5.4.3 Common Name (CN)="Microsoft Forefront TMG HTTPS Inspection Certi

fication Authority"

If you compare this to a certificate issued by a Certification Authority, it looks like this:

[2,0]: CERT_RDN_PRINTABLE_STRING, Length = 13 (13/64 Characters)

2.5.4.3 Common Name (CN)="DCTMGNETZ1-CA"

Subject:

CN=A2-EE-DOM-1.TMGNETZ.LOCAL

[0,0]: CERT_RDN_PRINTABLE_STRING, Length = 25 (25/64 Characters)

2.5.4.3 Common Name (CN)="A2-EE-DOM-1.TMGNETZ.LOCAL"

Solution:
As described, TMG is 100% RFC compliant in this case. However, you are able to issue a certificate from a Windows Server 2003 or Windows Server 2008 (R2) Certification Authority which can be handled by Mac clients.

The following screenshots are intended to provide assistance on how to enroll for a Subordinate CA certificate using a Windows Server CA and how to install it in TMG 2010.

Connect to the Certification Authority and open the CA MMC.
First you will need to duplicate the existing template for a Subordinate CA and edit the properties before you are going to publish that new template.

image

image

image

image

image

image

image

image

image

image

image

Then you must grant the permissions to enroll. Open the Security tab and click on Add. Click on Object Types to be able to choose from computer accounts, too.

image

In this example I am granting the enroll permission to both the DC DCTMGNETZ1 and my TMG server A2-EE-DOM-1. If your TMG server does have connectivity to the CA, you can enroll for this certificate using the TMG server itself. If this is not the case, you could also create it on the CA first using this permission example.

image

Then please click on OK to save the template.
Now you will need to issue this certificate template before you enroll for a certificate

image

image

After you have clicked on OK, you are ready to enroll for this certificate. There are multiple ways to do this. One of them is to use the tool certreq.exe. Using certreq.exe to achieve this is pretty similar to the procedure described in the following two articles:
http://blogs.technet.com/b/pki/archive/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually.aspx

http://support.microsoft.com/kb/321051

Assuming you might be inexperienced in this area, I am going to show you how to do this using GUI tools.

Assuming TMG is a domain member and has connectivity to the CA, open a MMC on the TMG server by clicking on Start and then type MMC. In the new MMC window, click on File > Add/Remove Snap-in > Choose ‘Certificates’ from the available snap-ins > Add > Choose ‘Computer Account’ and click on Finish.

After you have expanded the list, right-click on Certificates (Local Computer)\Personal\Certificates and choose ‘Request New Certificate” as shown below.

image

After you have clicked through the first two screens, you will hit the list of certificate templates which you are eligible to enroll for. Navigate to the name of the created template and click on “Click here to configure settings”. This is necessary to enter required information manually, like the Common Name for example.

image

image

If you want to be able to archive the private key afterwards, you will need to switch to the ‘Private Key’ tab and check this option.

image

After you complete this wizard, you should receive a confirmation that the certificate has been enrolled.

image

Back in the MMC, right click on the new certificate and choose All Tasks > Export

image

In the new wizard, choose ‘Yes, export the private key’ and click on next > optionally choose one of the options and click on Next > type a password > Next > Choose a path and filename (e.g. c:\certificate.pfx) for the exported certificate.

Now we are ready to import this certificate into TMG for HTTPSi. Open the Forefront TMG MMC, navigate to Web Access Policy in the left pane > click on ‘Configure HTTPS Inspection’ in the tasks pane which will take you to the following screen. Choose ‘Import a certificate’.

image

Browse to the pfx file you exported before and enter the password you chose. This is it. After you have applied the configuration in TMG, you are ready. You can verify the installed certificate to double-check everything by clicking on ‘HTTPS Inspection Trusted Root CA Certificate Options’ and ‘View Certificate Details…’.

The next screen is intended to illustrate that the created custom template was used to issue to the certificate to the TMG Server.

Assuming that the CA is already trusted by your clients, you don’t need to add anything for your clients. Otherwise you would need to install/deploy the CA Server’s root certificate into the Trusted Root CA’s store of your HTTPSi clients. Coming back to the MAC clients, the following article might be helpful to you:
How to install a trusted root CA certificate and an intermediate CA certificate on a computer that is running Microsoft Entourage 2004 for Mac on a Mac OS X 10.3 or a Mac OS X 10.2 operating system
http://support.microsoft.com/kb/887413

I hope this article explains the background information for this issue and how to work around it for if you need to use Mac clients. I am looking forward to your comments.

Author:
Frank Hennemann
Microsoft CSS Forefront Security Edge Team

Reviewer:
Philipp Sand
Microsoft CSS Forefront Security Edge Team