To configure single sign-on

  1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.

  2. In the Tasks pane, click the applicable Web publishing rule.

  3. On the Tasks tab, click Edit Selected Rule.

  4. On the Listener tab, click Properties.

  5. On the Authentication tab, verify that Method clients use to authenticate to Forefront TMG is set to HTML Form Authentication.

  6. On the SSO tab, select Enable Single Sign On.

  7. Under Specify the Single Sign On domains for this Web listener, perform the following steps for the Web sites for which you want to allow single sign-on (SSO).

    1. Click Add.

    2. Type the SSO domain for two or more Web sites.

  8. Click OK.

  9. In the details pane, click Apply, and then click OK.

  • With SSO, users can click a link on a Web page supplied by one Web site and move safely to another Web site without having to supply their credentials again.

  • The SSO domain for a set of Web sites is the DNS suffix of the host names of the Web sites. For example, the SSO domain for and is

  • Single sign-on is available for Web sites that are published by rules that use the same Web listener. The Web listener must be configured to use HTML forms-based authentication, and SSO must be enabled for it.

  • Single sign-on between different applications requires persistent cookies, which are disabled by default. For example, persistent cookies allow users to navigate to Word documents from links provided by a Microsoft Office SharePoint Server site without being prompted for credentials. As a security best practice, we recommend that you use persistent cookies only on private computers.
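The "DNS suffix" rule in the notes above is easy to get wrong when typing SSO domains by hand. The following added example (not part of this page or of Forefront TMG) models that rule: it derives the common DNS suffix from a constructed set of published host names, refuses a suffix that is only a single label such as "com", and checks host membership on whole labels so that a look-alike host does not fall inside the domain. Function names and the rejection threshold are assumptions for illustration.

```python
"""Derive and validate an SSO domain from published host names.

Models the page's definition (the SSO domain is the DNS suffix shared by
the host names). Illustrative only; assumption: this is not how Forefront
TMG itself computes or stores the setting.
"""

def _labels(host):
    # Normalise: lower-case, drop a trailing dot, split into DNS labels.
    return host.strip().lower().rstrip(".").split(".")

def sso_domain(hostnames, min_labels=2):
    """Return the longest DNS suffix common to all host names, or None.

    A suffix with fewer than `min_labels` labels (e.g. just "com") is
    rejected: a cookie scoped that broadly would reach unrelated sites.
    """
    if len(hostnames) < 2:
        return None
    reversed_labels = [list(reversed(_labels(h))) for h in hostnames]
    common = []
    for position in zip(*reversed_labels):
        if len(set(position)) != 1:
            break
        common.append(position[0])
    if len(common) < min_labels:
        return None
    return ".".join(reversed(common))

def in_sso_domain(host, domain):
    """True if `host` lies inside `domain`, matched on whole labels.

    A plain endswith() would let "evilcontoso.com" pass for "contoso.com".
    """
    h = ".".join(_labels(host))
    d = ".".join(_labels(domain))
    return h == d or h.endswith("." + d)

if __name__ == "__main__":
    # Constructed sample: three sites published through one Web listener.
    sites = ["mail.contoso.com", "portal.contoso.com", "docs.contoso.com"]
    domain = sso_domain(sites)
    print("SSO domain:", domain)
    for host in ["docs.contoso.com", "evilcontoso.com", "www.fabrikam.com"]:
        print(f"{host:20} in SSO domain: {in_sso_domain(host, domain)}")
```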

Copyright © 2009 by Microsoft Corporation. All rights reserved.