Channel: Forefront TMG and ISA Server forum

Forefront TMG Client certificate authentication - forwarding of client certificate

We would like to set up a Forefront TMG listener with client certificate authentication, which will pass on information from the client certificate to the web farm for application side validation.

While the authentication part of the listener works, i.e. only users presenting a certificate from the configured CA will be able to establish an HTTPS connection, the application on the web farm is not able to determine which certificate was used to authenticate against TMG.

It appears to be possible to pass on user identity information to the web server by using Kerberos/delegation in conjunction with Active Directory. However, since the smart card based certificates issued within the organization do not contain information which can be directly mapped to an Active Directory account (requires custom processing of certificate attributes), this seems not to be an option.

The authentication part should be completely handled by the web application based on the public key presented by the user. This works well if a single web server which accepts client certificates is transparently published through TMG. In that case, client certificate information is made available by IIS.

Since the SSL connection is terminated on TMG, it would be necessary to provide certificate information from the SSL layer within the HTTP header. Can this be achieved through configuration options or by adding custom logic on the firewall?

Similar to this post which refers to UAG: http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/09/how-to-configure-uag-to-send-request-headers-to-published-web-applications.aspx
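The scheme the post describes (TLS terminated on TMG, the client certificate relayed to the web farm in a request header, validation done by the application) leaves the backend with two jobs: accept that header only from the firewall, and verify the relayed certificate itself against the accepted CA before trusting anything in it. The Go program below is an added example, not code from the original post and not a TMG feature; the header name X-Client-Cert, the proxy address 10.0.0.1, the subject CN and the throwaway CA are assumptions constructed for the demo. Whether TMG can be configured to set such a header is the question the post asks and is not answered here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// CertHeader is an ASSUMED header name for the base64-encoded DER client
// certificate; the post does not say which header, if any, TMG would set.
const CertHeader = "X-Client-Cert"

// Validator: accepted CA roots and the address of the TLS-terminating proxy.
type Validator struct {
	Roots *x509.CertPool
	Proxy string
}

// ValidateForwardedCert accepts the header only from the proxy, parses the
// certificate and verifies its chain and clientAuth usage against the roots.
func (v *Validator) ValidateForwardedCert(r *http.Request) (*x509.Certificate, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || host != v.Proxy {
		return nil, errors.New("certificate header accepted only from the TLS-terminating proxy")
	}
	raw := r.Header.Get(CertHeader)
	if raw == "" {
		return nil, errors.New("no client certificate forwarded")
	}
	der, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("certificate header is not base64: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("certificate header is not DER: %w", err)
	}
	opts := x509.VerifyOptions{Roots: v.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate not issued by an accepted CA: %w", err)
	}
	return cert, nil
}

// must panics on fixture-construction errors; acceptable for a constructed test PKI.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewTestPKI builds a CONSTRUCTED throwaway CA plus a client certificate with
// the given subject CN; returns the root pool and the client certificate DER.
func NewTestPKI(cn string) (*x509.CertPool, []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert := must(x509.ParseCertificate(
		must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, leafDER
}

func main() {
	pool, leaf := NewTestPKI("smartcard-holder-0001") // constructed subject
	v := &Validator{Roots: pool, Proxy: "10.0.0.1"}    // hypothetical TMG address
	req := httptest.NewRequest("GET", "/app", nil)
	req.RemoteAddr = "10.0.0.1:40000" // as if relayed by the proxy
	req.Header.Set(CertHeader, base64.StdEncoding.EncodeToString(leaf))
	cert, err := v.ValidateForwardedCert(req)
	if err != nil {
		panic(err)
	}
	fmt.Println("authenticated subject:", cert.Subject.CommonName)
}
```

The source-address check is the minimum: a relayed header is only as trustworthy as the guarantee that nobody but the firewall can reach the web farm and set it, so the backend should also be unreachable except through the proxy (or use a separate proxy-to-backend TLS with client authentication). Mapping the verified certificate's attributes to an application account, the custom processing the post mentions, happens only after Verify succeeds.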

