We have a website that we want to publish using TMG 2010 SP2 RU1.
We would like to use FBA, protected by a certificate. The goal is that users only get access to the FBA when they have a correct client certificate. After that, LDAP authentication is used. To be clear: it is not the intention to use the client certificate to authenticate the user to AD.
To accomplish this I have done the following:
- Working installation of TMG, not domain joined
- Installed an Enterprise Sub CA which deploys user certificates to users
- Deployed a user certificate to the user with which I am trying to access the webpage
- Installed the Root and Sub CA certificates on the TMG server, so it will trust the client certificates
- Created an HTTP location for the CRL which is accessible for the TMG servers
- The TMG listener is configured with: Require SSL client certificate
When I access the site, I get an error:
"Error Code: 403 Forbidden. The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator. (12213)"
The following error is logged in TMG: "12313 The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator"
As far as I understand, IE should come up with a popup to select the user certificate to authenticate with. But it does not.
To fix the problem I used this URL:
http://blogs.technet.com/b/isablog/archive/2013/03/06/clients-are-not-prompted-to-choose-a-certificate-when-authenticating-to-isa-tmg.aspx : I added the regkey, but no effect.
I also followed the next post, but without luck. I have the same scenario as in this thread:
Any help would be much appreciated.
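The steps listed above (trusting the Root and Sub CA on the TMG host, publishing an HTTP CRL, issuing user certificates) are exactly the preconditions a "Require SSL client certificate" listener needs before it can accept a client certificate, so a server-side check of those preconditions is a useful first diagnostic. The script below is an added example written for this thread, not code from the original post or from Microsoft; it assumes the user's certificate has been exported (public part only) to a .cer file and is run on the TMG server with PowerShell 2.0 or later. It builds the chain with online revocation checking, confirms the chain's root is in the machine's Trusted Root store, checks that the certificate carries the Client Authentication EKU, and fetches every HTTP CRL distribution point named in the certificate from the TMG host itself.

```powershell
# Added diagnostic (not part of the original post). Run on the TMG server.
# Assumption: $CertPath points at the user's certificate exported as a .cer file.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject: $($cert.Subject)"
"Issuer:  $($cert.Issuer)"

# 1. Build the chain the way the listener would, with online CRL checking for every element.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built = $chain.Build($cert)
"Chain builds with online revocation checking: $built"
foreach ($element in $chain.ChainElements) {
    "  $($element.Certificate.Subject)"
    foreach ($status in $element.ChainElementStatus) {
        "    $($status.Status): $($status.StatusInformation.Trim())"
    }
}

# 2. Confirm the chain's root is in LocalMachine\Root, i.e. the TMG host really trusts the issuing CA.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootTrusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
"Root '$($root.Subject)' present in LocalMachine\Root: $([bool]$rootTrusted)"

# 3. A client certificate must carry the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2)
#    or the browser will not offer it for the TLS client-certificate prompt.
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $false
if ($ekuExt) {
    $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
}
"Client Authentication EKU present: $hasClientAuth"

# 4. Fetch each HTTP CRL distribution point (extension OID 2.5.29.31) from this host, so a CRL
#    that is published but unreachable from the TMG server shows up explicitly.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdpExt) {
    $urls = [regex]::Matches($cdpExt.Format($true), 'http://[^\s]+') | ForEach-Object { $_.Value }
    $web = New-Object System.Net.WebClient
    foreach ($url in $urls) {
        try {
            $bytes = $web.DownloadData($url)
            "CRL $url reachable ($($bytes.Length) bytes)"
        } catch {
            "CRL $url NOT reachable: $($_.Exception.Message)"
        }
    }
} else {
    "No CRL distribution point extension in the certificate"
}
```

Usage: `.\Check-ClientCert.ps1 -CertPath C:\temp\user.cer`. If step 1 reports a status such as RevocationStatusUnknown or OfflineRevocation, or step 4 cannot download the CRL, the listener will reject the certificate even though the browser presented it; if step 2 or 3 fails, the certificate will not be offered or accepted in the first place. All four checks passing narrows the problem to the TLS handshake itself (for example, the trusted-issuer list the server sends, which the TechNet post linked above covers).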