Right click on the listener that you created before and select the “Authentication” tab.
SSL Client Certificate Authentication
Select “SSL Client Certificate Authentication” from the dropdown menu. You can only choose “Windows Active Directory” to validate the credentials.
Click on “Advanced”, and then select the Client Certificate Trust list. You have two options.
You can either allow certificates from all issuers that are trusted on the TMG, or select only specific trusted certificates. I suggest accepting certificates only from those CAs that your users will actually use. If you want to accept certificates from a public CA that is not in the Trust List, you must also add the CA Root certificate to the TMG.
You can map a certificate to a user account using Active Directory, but first you need the user’s exported public key. Open Active Directory Users and Computers, select “View” and click on “Advanced Features”.
SSL Client Certificate Authentication – Active Directory Advanced Features
Now, navigate to the user account, right click the user name and select “Name Mappings”.
SSL Client Certificate Authentication – Name Mappings
Click “Add” and point to the CER file that contains the user’s public key. This user can now be authenticated on the TMG Listener.
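The following PowerShell is an added example, not part of the original article: it checks a CER file before you add it under Name Mappings, then lists every account that already has a certificate mapping (Name Mappings are stored in the user's altSecurityIdentities attribute). The file path and issuer name are placeholders, and it assumes the ActiveDirectory (RSAT) module is installed on the workstation where you run it.

```powershell
# Added example. Assumptions: the CER path and issuer DN below are placeholders,
# and the ActiveDirectory (RSAT) module is available on the admin workstation.
param(
    [string]$CerPath = 'C:\Temp\user.cer',
    [string[]]$AllowedIssuers = @('CN=Example Issuing CA, DC=example, DC=local')
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-MappingCandidate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$Issuers
    )
    $problems = @()
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    # Mirror the listener's trust list: only CAs your users actually use.
    if ($Issuers -notcontains $Cert.Issuer) {
        $problems += "issuer not in allow list: $($Cert.Issuer)"
    }
    # No EKU extension means "any purpose"; if one is present it should
    # include Client Authentication for TLS client-certificate logon.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) {
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($oids -notcontains $ClientAuthOid) { $problems += 'EKU lacks Client Authentication' }
    }
    return ,$problems
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$issues = Test-MappingCandidate -Cert $cert -Issuers $AllowedIssuers
if ($issues.Count -eq 0) {
    "OK to map: $($cert.Subject) (thumbprint $($cert.Thumbprint))"
} else {
    "Do not map $($cert.Subject):"; $issues | ForEach-Object { "  - $_" }
}

# Review which accounts already carry a certificate mapping.
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities |
    Select-Object SamAccountName, Enabled,
        @{ Name = 'Mappings'; Expression = { $_.altSecurityIdentities -join '; ' } }
```

Running the last query periodically shows any mapping that was added outside your normal process, since a mapped certificate can authenticate as that user on the listener.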
Do not confuse this method with smart card authentication on workstations; you will still require specific certificates for smart card logins. I strongly recommend that you allow only user certificates that are stored on smart cards. As far as I know, this can’t be enforced on the TMG.
When a user accesses Outlook Web Access (OWA), he will be asked to provide a certificate and a smart card PIN. Once he has authenticated successfully to the TMG, he will be automatically logged on to OWA.