After Microsoft Internet Security and Acceleration (ISA) Server 2006 has validated the credentials, it uses one of the following methods to delegate the authentication to servers that it is publishing:
- No delegation - do not allow end-to-end delegation: Credentials are not delegated, and the client is not allowed to authenticate to the published server directly. This is new in ISA Server 2006 and is the default delegation setting. It prevents plaintext credentials from being forwarded into the organization unintentionally, where an attacker on the internal network or on a compromised published server could capture them. To enable delegation you have to change the default. If the published server requires authentication, an ISA Server alert is triggered.
- No delegation - allow end-to-end delegation: ISA Server does not delegate, but passes the user's credentials to the destination server without any additional action. The client and the destination server then negotiate the authentication between themselves. This is typically used when the destination server requires some proprietary form of authentication.
- Basic: Credentials are forwarded in plaintext (an HTTP Basic Authorization header) to the server that requires them, so the connection from ISA Server to the published server should itself be protected, for example by SSL bridging.
- NTLM: ISA Server delegates the credentials using the NTLM challenge/response authentication protocol, so the password itself is not sent to the published server.
- Negotiate: ISA Server first attempts to obtain a Kerberos ticket for the client from the domain controller. If it receives the ticket, it uses the negotiate scheme to delegate the credentials using Kerberos; if it does not, it uses the negotiate scheme to delegate the credentials using NTLM.

For Basic, NTLM and Negotiate delegation: if authentication fails, ISA Server returns the server's failure notice to the client, and if the server requires a different type of credentials, an ISA Server alert is triggered.
Note
When a client provides SecurID credentials, you can use SecurID delegation. ISA Server passes the proprietary SecurID cookie to the published server. Note that ISA Server and the published server must have the same domain secret and cookie name.
ISA Server 2006 introduces the use of Kerberos constrained delegation, which is described in the article Kerberos Protocol Transition and Constrained Delegation at the Microsoft TechNet Web site (http://www.microsoft.com/). Without Kerberos constrained delegation, ISA Server can delegate credentials only when client credentials are received using Basic or forms-based authentication, because Basic, NTLM and Negotiate delegation all require ISA Server to hold the user's password, which it only has when the client supplied it in plaintext. With Kerberos constrained delegation, ISA Server uses protocol transition to obtain a Kerberos service ticket on the user's behalf, so it can accept other types of client credentials, such as client certificates or one-time passwords. The ISA Server computer account must be configured on the domain controller as trusted for delegation, constrained to the specific service principal name (SPN) of the published service, and the ISA Server computer must be a domain member. Note that constrained delegation on Windows Server 2003 works only within a single domain.
If authentication fails, ISA Server provides the server's failure notice to the client. If the server requires a different type of credentials, an ISA Server alert is triggered.
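The Active Directory side of that configuration, as an added example (this is not code from the original article or from Microsoft). The ISA Server computer account name (ISA01), the published server (OWA01) and its SPN (HTTP/owa.contoso.com) are assumptions. The cmdlets come from the ActiveDirectory module, which postdates ISA Server 2006, but they make the same changes an administrator made on the Delegation tab in Active Directory Users and Computers; run them on a domain-joined machine with the module installed and rights to modify both computer accounts.

```powershell
# Added example: constrained delegation with protocol transition for an
# ISA Server 2006 computer account. All names below are assumptions:
#   ISA01                 - ISA Server computer account (must be a domain member)
#   OWA01                 - published web server
#   HTTP/owa.contoso.com  - SPN of the published service, as clients request it
Import-Module ActiveDirectory

$isaAccount = 'ISA01'
$targetHost = 'OWA01'
$targetSpn  = 'HTTP/owa.contoso.com'

# 1. The SPN that ISA Server delegates to must be registered on the published
#    server's account, or ticket requests for it will fail. -S refuses to
#    create a duplicate SPN, which would break Kerberos for both hosts.
setspn -S $targetSpn $targetHost

# 2. Constrain delegation to exactly that SPN. msDS-AllowedToDelegateTo is
#    multivalued; -Add appends rather than overwriting existing entries.
Set-ADComputer -Identity $isaAccount -Add @{ 'msDS-AllowedToDelegateTo' = $targetSpn }

# 3. Enable protocol transition ("Use any authentication protocol" on the
#    Delegation tab). Without it the account may only delegate for clients that
#    authenticated to it with Kerberos; with it, forms, certificate and
#    one-time password logons can be turned into a service ticket for the user.
Get-ADComputer -Identity $isaAccount | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 4. Verify. TrustedForDelegation must remain False: that flag is unconstrained
#    delegation and would let the account impersonate any user to any service.
Get-ADComputer -Identity $isaAccount -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The verification step is the part worth keeping as a recurring check: an account with TrustedForDelegation set, or with msDS-AllowedToDelegateTo listing more SPNs than the services it actually publishes, has been given more impersonation rights than the publishing rule needs.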
Notes
Specific delegation methods are valid for different types of client credentials. The following table summarizes the valid combinations.
| Client credentials received by ISA Server | Authentication provider | Valid delegation methods | Comments |
|---|---|---|---|
| Forms-based authentication; Basic | Active Directory; RADIUS (LDAP) | No delegation - allow end-to-end delegation; No delegation - do not allow end-to-end delegation; Basic; NTLM; Negotiate; Kerberos constrained delegation | Single sign-on is supported for forms-based authentication, but not for Basic. An additional client certificate can be required (two-factor authentication). |
| Digest; Integrated | Active Directory | No delegation - allow end-to-end delegation; No delegation - do not allow end-to-end delegation; Kerberos constrained delegation | |
| HTML form with one-time password | SecurID; RADIUS one-time password | No delegation - allow end-to-end delegation; No delegation - do not allow end-to-end delegation; Kerberos constrained delegation | Single sign-on is supported. |
| HTML form with collection of additional credentials | SecurID; RADIUS one-time password | No delegation - allow end-to-end delegation; No delegation - do not allow end-to-end delegation; Basic; NTLM; Negotiate; Kerberos constrained delegation | Single sign-on is supported. |
| Client certificate | Active Directory | No delegation - allow end-to-end delegation; No delegation - do not allow end-to-end delegation; Kerberos constrained delegation | |
For more information about authentication in ISA Server, see Authentication Concepts in ISA Server 2006 at the Microsoft ISA Server TechCenter Web site (http://www.microsoft.com).