The type of authentication you use for a Web publishing rule (including rules that publish Microsoft SharePoint sites and Microsoft Exchange Web client access) is determined by the configuration of the Web listener used by the rule. Web listener properties include how the client credentials are received and how they are validated. Delegation of credentials is configured in each rule, rather than in the Web listener.
More information about authentication is provided in Authentication Concepts in ISA Server 2006.
Based on the authentication options you select, other options may or may not be available to you. For example:

- Your authentication selections for a Web listener also affect the authentication delegation options available to you in publishing rules.
- A publishing rule with a Web listener that uses a specific form of credential validation must use a user set that is consistent with that form of validation. For example, a publishing rule with a Web listener that uses LDAP credential validation must also use a user set that consists of LDAP users. It cannot include Active Directory users.
Important: When enabling single sign-on, be sure to provide a specific single sign-on domain. Providing a generic domain, such as .co.uk, will allow the Web browser to send the ISA Server single sign-on cookie to any Web site in that domain, creating a security risk.
The following table summarizes the valid combinations of authentication and delegation methods.
| Receipt of client credentials | Authentication provider | Delegation | Comments |
|---|---|---|---|
| Forms-based authentication; Basic | Active Directory; RADIUS (LDAP) | No delegation - allow end-to-end authentication; No delegation - do not allow end-to-end authentication; Basic; NTLM; Negotiate; Kerberos constrained delegation | Single sign-on is supported for forms-based authentication, but not for Basic. An additional client certificate can be required (two-factor authentication). |
| Digest; Integrated | Active Directory | No delegation - allow end-to-end authentication; No delegation - do not allow end-to-end authentication; Kerberos constrained delegation | |
| HTML form with one-time password | SecurID; RADIUS one-time password | No delegation - allow end-to-end authentication; No delegation - do not allow end-to-end authentication; Kerberos constrained delegation | Single sign-on is supported. |
| HTML form with collection of additional credentials | SecurID; RADIUS one-time password | No delegation - allow end-to-end authentication; No delegation - do not allow end-to-end authentication; Basic; NTLM; Negotiate; Kerberos constrained delegation | Single sign-on is supported. |
| Client certificate | Active Directory | No delegation - allow end-to-end authentication; No delegation - do not allow end-to-end authentication; Kerberos constrained delegation | |
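As an added example (not ISA Server code), the following linter encodes the constraints stated on this page: the valid listener/delegation combinations from the table, the requirement that a rule's user set match the listener's validation method, and the single sign-on domain caveat. The dictionary keys and the PUBLIC_SUFFIX_SAMPLE list are assumptions made for this example, not ISA Server configuration names.

```python
# Added example, not ISA Server code: a small linter for Web listener /
# publishing rule combinations. Field names are assumptions for this example.

NO_DELEGATION = {"no delegation (allow end-to-end)",
                 "no delegation (do not allow end-to-end)"}
KCD_ONLY = NO_DELEGATION | {"kerberos constrained delegation"}
FULL = KCD_ONLY | {"basic", "ntlm", "negotiate"}

# Valid delegation methods per way the listener receives credentials (table above).
ALLOWED_DELEGATION = {
    "forms-based": FULL,
    "basic": FULL,
    "digest": KCD_ONLY,
    "integrated": KCD_ONLY,
    "html form with one-time password": KCD_ONLY,
    "html form with additional credentials": FULL,
    "client certificate": KCD_ONLY,
}

# Constructed sample of generic (public) suffixes; a real check would consult
# the full Public Suffix List rather than this short set.
PUBLIC_SUFFIX_SAMPLE = {"com", "net", "org", "co.uk", "com.au"}


def sso_domain_is_generic(domain):
    """True when the SSO cookie domain would match every site under a public suffix."""
    name = domain.strip().lstrip(".").lower()
    return name == "" or "." not in name or name in PUBLIC_SUFFIX_SAMPLE


def lint_rule(listener, rule):
    """Return a list of findings for one listener/rule pair (empty means consistent)."""
    findings = []
    receipt = listener["credential_receipt"]
    if rule["delegation"] not in ALLOWED_DELEGATION.get(receipt, set()):
        findings.append(f"delegation '{rule['delegation']}' is not valid for {receipt}")
    # The user set must consist of users from the listener's validation source
    # (LDAP users for LDAP validation, and so on).
    if rule["user_set_type"] != listener["provider"]:
        findings.append(f"user set of {rule['user_set_type']} users does not match "
                        f"{listener['provider']} validation")
    if listener.get("sso_enabled"):
        if receipt == "basic":
            findings.append("single sign-on is not supported with Basic")
        if sso_domain_is_generic(listener.get("sso_domain", "")):
            findings.append(f"SSO domain '{listener.get('sso_domain')}' is generic; "
                            "the cookie would be sent to every site under it")
    return findings
```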