This post will discuss an issue that has cropped up a few times when clients try to access an SSL application on a backend server published through Forefront UAG.
A client that is trying to access an SSL application on a backend server (e.g. Exchange) that is published through the Forefront UAG portal gets an error, specifically:
“An unknown error occurred while processing the certificate. Contact the site administrator”.
This has nothing to do with the UAG certificates themselves but is most likely caused by an invalid certificate on the backend server. By default, Forefront UAG validates both the certificate and the revocation list of each SSL backend server during the TLS handshake. If the certificate or the CRL is not valid, users are denied access to that backend server. This is also the case if the CRL distribution point is unavailable for any reason.
An easy way to identify if this is indeed the case is to open Internet Explorer on the Forefront UAG computer, and then try to access the backend server directly. If you get a certificate error at this stage, you have identified the problem as a certificate issue on the backend server.
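To reproduce from the UAG host the chain and CRL validation described above without relying on the browser, here is an added PowerShell diagnostic that is not part of the original post; the backend host name and port are assumptions.

```powershell
# Added diagnostic (not from the original post): perform the same checks that
# Forefront UAG applies to a published backend server's TLS certificate,
# i.e. chain validation plus an online CRL check, from the UAG computer.
param(
    [string]$BackendHost = "exchange.corp.example",  # assumed backend FQDN; must match the certificate
    [int]$Port = 443
)

# Accept any certificate at handshake time; the chain is inspected explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$tcp = New-Object System.Net.Sockets.TcpClient($BackendHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($BackendHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Close()
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# Build the chain the way a strict validator does: full chain, online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode   = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag   = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

if ($chain.Build($cert)) {
    "Chain and CRL checks passed: UAG should accept this backend certificate."
} else {
    "Chain validation FAILED; UAG will deny access for these reasons:"
    foreach ($s in $chain.ChainStatus) {
        "  $($s.Status): $($s.StatusInformation.Trim())"
    }
    # RevocationStatusUnknown / OfflineRevocation mean the CRL distribution point
    # could not be reached, which UAG treats the same as an invalid certificate.
}

# Name mismatch is reported separately from chain building.
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $BackendHost) {
    "Warning: certificate name '$dnsName' does not match $BackendHost (check the SAN list too)."
}
```

Run it on the Forefront UAG computer itself, since that is where the CRL distribution point has to be reachable.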
The best practice is to fix the certificate on the backend server, making sure to use a valid certificate. If you cannot (or don't want to) fix the certificate for some reason, another option is available: Disable the registry key(s) controlling the validation and/or the CRL checks that Forefront UAG performs.
Note that disabling the validation and/or the CRL check is not recommended (the validation check that Forefront UAG performs is there for a reason after all), but is offered as an alternative workaround to be used at your own discretion.
So, to disable the(se) checks in the Registry Editor:
Authors: Meir Feinberg, Technical Writer, Forefront Edge; David Bahat, SDET, Forefront Edge
Revised on 1 Nov 2011 by Ben Ari, UAG Support
Nice article, but I know my SSL certificate is valid + I performed your recommended registry changes and still have the same error.
Please contact firstname.lastname@example.org
This was a workaround and not an identification of root cause.
We found a duplicate certificate in the mmc/certificate component that was removed quite some time ago.
Once we removed the certificate and set the registry keys back, all worked.
Same here, I've disabled the certificates through registry, but I still get the error. When trying from UAG machine with IE, no certificate error (I've entered the IP with corresponding hostname from certificate to hosts file).