Hello everybody,
I'd like to publish an internal website over Forefront TMG and would like to authenticate the users (iPhone clients) via SSL certificates.
So far the internal webserver is configured to accept anonymous connections. The TMG is configured to request client certificates. So far so good. This setting works. The client (iPhone) is asked for the certificate. The user selects it and is successfully authenticated. Then the internal (anonymous) site is being displayed.
The problem now is that I need to find out the username of the connected user on the internal server (IIS). For this I disabled anonymous authentication and only enabled basic authentication. I am using an ASP site to display the current user.
When I now connect to the internal server via internal LAN, I have to enter my credentials and the site is displayed, showing my username.
From the external side, I have a problem. I set delegation to "Kerberos constrained delegation" with SPN "http/VM_WEB" (VM_WEB is the internal webserver name). In Active Directory, in the computer account of the TMG, I already set "allow delegation" for http and computer name VM_WEB.
When I now connect from outside, I select the certificate and then get the error "401. Not authorized due to invalid credentials. Your entered credentials do not allow you to show the current file or folder".
Is it possible to authenticate only via user certificates and pass the username to the internal webserver, so I can read the username for further actions (ASP, PHP)?
Thanks in advance