Delegation of credentials

After Microsoft Internet Security and Acceleration (ISA) Server 2006 has validated the credentials, it uses one of the following methods to delegate the authentication to servers that it is publishing:

No delegation - do not allow end-to-end delegation

Credentials are not delegated. This is a new feature in ISA Server 2006, and is the default delegation setting. This is intended to prevent the unintentional delegation of plaintext credentials into the organization, where they might be found by a malicious user. To enable delegation you have to change the default.

If the server requires delegation, an ISA Server alert is triggered.

No delegation - allow end-to-end delegation

The user's credentials are passed to the destination server without any additional action on the part of ISA Server. The client and the destination server then negotiate the authentication. This is typically used in a scenario where the destination server requires some proprietary form of authentication.

Basic

In Basic delegation, credentials are forwarded in plaintext to the server that requires credentials. If authentication fails, ISA Server provides the server's failure notice to the client. If the server requires a different type of credentials, an ISA Server alert is triggered.

NTLM

In NTLM delegation, ISA Server delegates the credentials using the NTLM challenge/response authentication protocol. If authentication fails, ISA Server provides the server's failure notice to the client. If the server requires a different type of credentials, an ISA Server alert is triggered.

NTLM or Kerberos

When you select Negotiate as a delegation method, ISA Server first attempts to obtain a Kerberos ticket for the client from the domain controller. If ISA Server does not receive the Kerberos ticket, it uses the negotiate scheme to delegate the credentials using NTLM. If ISA Server receives the Kerberos ticket, it uses the negotiate scheme to delegate the credentials using Kerberos. If authentication fails, ISA Server provides the server's failure notice to the client. If the server requires a different type of credentials, an ISA Server alert is triggered.

SecurID

When a client provides SecurID credentials, you can use SecurID delegation. ISA Server passes the proprietary SecurID cookie to the published server. Note that ISA Server and the published server must have the same domain secret and cookie name.

Kerberos constrained delegation

ISA Server 2006 introduces the use of Kerberos constrained delegation, which is described in the article Kerberos Protocol Transition and Constrained Delegation at the Microsoft TechNet Web site (http://www.microsoft.com/). Without Kerberos constrained delegation, ISA Server can delegate credentials only when client credentials are received using Basic or forms-based authentication. With Kerberos constrained delegation, ISA Server can accept other types of client credentials, such as client certificates. The ISA Server computer account must be enabled for Kerberos constrained delegation in Active Directory on the domain controller, constrained to a specific service principal name.

If authentication fails, ISA Server provides the server's failure notice to the client. If the server requires a different type of credentials, an ISA Server alert is triggered.
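The following is an added example, not part of the ISA Server documentation, showing how the Active Directory side of Kerberos constrained delegation is configured and verified with the ActiveDirectory PowerShell module (a tool newer than ISA Server 2006). The computer account name ISA01, the published server's SPN http/intranet.contoso.com, and the domain name are assumptions. It constrains the ISA computer account to one SPN, turns on protocol transition (required because the client authenticates to ISA Server with a form, Basic, or a certificate rather than a Kerberos ticket), checks that unconstrained delegation is off, and reports what is set.

```powershell
# Added example: configure and verify Kerberos constrained delegation for an
# ISA Server computer account. Not from the ISA Server documentation.
# Assumed names: computer account ISA01, published SPN http/intranet.contoso.com.
# Requires the ActiveDirectory module (RSAT) and rights to modify the object.

Import-Module ActiveDirectory

$IsaAccount = 'ISA01$'                      # sAMAccountName of the ISA computer (assumed)
$TargetSpn  = 'http/intranet.contoso.com'   # SPN of the published web server (assumed)

# 1. Constrain delegation to exactly one service. msDS-AllowedToDelegateTo lists the
#    SPNs this account may obtain service tickets for on behalf of users; the KDC
#    refuses S4U2Proxy requests for any SPN not in the list.
Set-ADComputer -Identity $IsaAccount -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }

# 2. Enable protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION). ISA Server never
#    receives a Kerberos ticket from the client, so it must be allowed to request
#    one for the user itself (S4U2Self) before delegating it (S4U2Proxy).
Set-ADAccountControl -Identity $IsaAccount -TrustedToAuthForDelegation $true

# 3. Make sure unconstrained delegation (TRUSTED_FOR_DELEGATION) is off. If it were
#    on, the account could impersonate users to any service, not just $TargetSpn.
Set-ADAccountControl -Identity $IsaAccount -TrustedForDelegation $false

# 4. Read the result back and report it.
$Computer = Get-ADComputer -Identity $IsaAccount `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation

[pscustomobject]@{
    Account                   = $Computer.SamAccountName
    AllowedToDelegateTo       = ($Computer.'msDS-AllowedToDelegateTo' -join ', ')
    UnconstrainedDelegation   = $Computer.TrustedForDelegation
    ProtocolTransitionEnabled = $Computer.TrustedToAuthForDelegation
}

# 5. Periodic audit: which computer accounts may delegate to the published server,
#    and which accounts in the domain still have unconstrained delegation.
Get-ADComputer -LDAPFilter "(msDS-AllowedToDelegateTo=$TargetSpn)" -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, @{ n = 'DelegatesTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 524288 = 0x80000 = TRUSTED_FOR_DELEGATION; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule.
Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
    Select-Object Name
```

Run this on a domain-joined management host as an account that can modify the ISA computer object. Step 5 is the check worth scheduling: the delegation list should contain only the SPNs of servers ISA Server actually publishes, and the unconstrained-delegation query should not return the ISA computer at all.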

Notes

Valid combinations of client credentials and delegation methods

Specific delegation methods are valid for different types of client credentials. The following table summarizes the valid combinations.

Row 1
Receipt of client credentials: Forms-based authentication; Basic
Authentication provider: Active Directory; RADIUS (LDAP)
Delegation: No delegation - allow end-to-end delegation; No delegation - do not allow end-to-end delegation; Basic; NTLM; Negotiate; Kerberos constrained delegation
Comments: Single sign-on is supported for forms-based authentication, but not for Basic. An additional client certificate can be required (two-factor authentication).

Row 2
Receipt of client credentials: Digest; Integrated
Authentication provider: Active Directory
Delegation: No delegation - allow end-to-end delegation; No delegation - do not allow end-to-end delegation; Kerberos constrained delegation
Comments: (none)

Row 3
Receipt of client credentials: HTML form with one-time password
Authentication provider: SecurID; RADIUS one-time password
Delegation: No delegation - allow end-to-end delegation; No delegation - do not allow end-to-end delegation; Kerberos constrained delegation
Comments: Single sign-on is supported.

Row 4
Receipt of client credentials: HTML form with collection of additional credentials
Authentication provider: SecurID; RADIUS one-time password
Delegation: No delegation - allow end-to-end delegation; No delegation - do not allow end-to-end delegation; Basic; NTLM; Negotiate; Kerberos constrained delegation
Comments: Single sign-on is supported.

Row 5
Receipt of client credentials: Client certificate
Authentication provider: Active Directory
Delegation: No delegation - allow end-to-end delegation; No delegation - do not allow end-to-end delegation; Kerberos constrained delegation
Comments: (none)

For more information about authentication in ISA Server, see Authentication Concepts in ISA Server 2006 at the Microsoft ISA Server TechCenter Web site (http://www.microsoft.com).
