Authentication Options

The type of authentication you use for a Web publishing rule (including rules that publish Microsoft SharePoint sites and Microsoft Exchange Web client access) is determined by the configuration of the Web listener used by the rule. Web listener properties include how the client credentials are received and how they are validated. Delegation of credentials is configured in each rule, rather than in the Web listener.

More information about authentication is provided in Authentication Concepts in ISA Server 2006.

Based on the authentication options you select, other options may or may not be available to you. For example:

Your authentication selections for a Web listener will also affect the authentication delegation options available to you in publishing rules.

A publishing rule with a Web listener that uses a specific form of credential validation must use a user set that is consistent with that form of validation. For example, a publishing rule with a Web listener that uses LDAP credential validation must also use a user set that consists of LDAP users. It cannot include Active Directory users.

Important

When enabling single sign-on, be sure to provide a specific single sign-on domain. Providing a generic domain, such as .co.uk, will allow the Web browser to send the ISA Server single sign-on cookie to any Web site in that domain, creating a security risk.
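As an added illustration (not part of the ISA Server documentation), the Python below applies the cookie domain-matching rule a browser uses to decide which sites receive a cookie, and flags a single sign-on domain that is a shared public suffix such as .co.uk; the host names and the suffix list are constructed for the example.

```python
from typing import List

# Illustrative subset of registry-controlled suffixes (constructed, incomplete;
# a real check would use the full Public Suffix List).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk", "co.jp"}


def normalize(domain: str) -> str:
    """Lower-case and strip a leading dot, as browsers do for a Domain= attribute."""
    return domain.strip().lower().lstrip(".")


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the domain or ends with '.' + domain."""
    host = normalize(host)
    cookie_domain = normalize(cookie_domain)
    if not cookie_domain:
        return False
    return host == cookie_domain or host.endswith("." + cookie_domain)


def is_generic_sso_domain(cookie_domain: str) -> bool:
    """True when the domain is a public suffix or a parent of one, i.e. shared
    by unrelated organisations, so a cookie scoped to it leaks to all of them."""
    d = normalize(cookie_domain)
    if not d:
        return True
    return d in PUBLIC_SUFFIXES or any(s.endswith("." + d) for s in PUBLIC_SUFFIXES)


def audit_sso_domain(sso_domain: str, published_hosts: List[str]) -> List[str]:
    """Return findings for a configured single sign-on domain.

    The domain must not be a shared public suffix (the cookie would reach
    unrelated sites), and every published host must fall inside the domain
    (otherwise the browser never sends the cookie to it and SSO fails)."""
    findings = []
    if is_generic_sso_domain(sso_domain):
        findings.append(f"'{sso_domain}' is a public suffix; cookie would reach unrelated sites")
    for host in published_hosts:
        if not domain_matches(host, sso_domain):
            findings.append(f"{host} is outside '{sso_domain}'; SSO cookie would not be sent to it")
    return findings


if __name__ == "__main__":
    # Constructed host names for a published Exchange and SharePoint site.
    hosts = ["mail.contoso.co.uk", "sharepoint.contoso.co.uk"]
    print(audit_sso_domain(".co.uk", hosts))          # generic domain: one finding
    print(audit_sso_domain("contoso.co.uk", hosts))   # specific domain: no findings
```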

Valid combinations of client credentials and delegation methods

The following table summarizes the valid combinations of authentication and delegation methods.

| Receipt of client credentials | Authentication provider | Delegation | Comments |
|---|---|---|---|
| Forms-based authentication; Basic | Active Directory; RADIUS (LDAP) | No delegation - allow end-to-end authentication; No delegation - do not allow end-to-end authentication; Basic; NTLM; Negotiate; Kerberos constrained delegation | Single sign-on is supported for forms-based authentication, but not for Basic. An additional client certificate can be required (two-factor authentication). |
| Digest; Integrated | Active Directory | No delegation - allow end-to-end authentication; No delegation - do not allow end-to-end authentication; Kerberos constrained delegation | |
| HTML form with one-time password | SecurID; RADIUS one-time password | No delegation - allow end-to-end authentication; No delegation - do not allow end-to-end authentication; Kerberos constrained delegation | Single sign-on is supported. |
| HTML form with collection of additional credentials | SecurID; RADIUS one-time password | No delegation - allow end-to-end authentication; No delegation - do not allow end-to-end authentication; Basic; NTLM; Negotiate; Kerberos constrained delegation | Single sign-on is supported. |
| Client certificate | Active Directory | No delegation - allow end-to-end authentication; No delegation - do not allow end-to-end authentication; Kerberos constrained delegation | |


