You can select that Forefront TMG will not require authentication. If you do so, you are not able to configure a delegation method on rules that use this Web listener.

You can use forms-based authentication in Forefront TMG for publishing any Web server. Three types of forms-based authentication are available in Forefront TMG:

• Password form—The user enters a user name and password on the form. This is the type of credentials needed for AD DS, LDAP, and RADIUS credential validation.
  
  
• Passcode form—The user enters a user name and passcode on the form. This is the type of credentials needed for SecurID and RADIUS one-time password validation.
  
  
• Passcode/Password form—The user enters a user name and passcode and a user name and password. The user name and passcode are used for authentication to Forefront TMG by applying SecurID or RADIUS one-time password authentication methods. The user name and password are used for delegation.
  
  

Fallback to Basic authentication

Forms for mobile clients

Password management in forms-based authentication

When you use forms-based authentication, Forefront TMG enables you to warn users about passwords that are about to expire (in a number of days that you configure) and to allow users to change their passwords. You can use these two functionalities separately or in combination. For example, you can warn users that their passwords are about to expire but not allow them to change their passwords. Or you can allow them to change passwords but not provide a warning about passwords that are about to expire.

When you allow users to change their passwords, that option is available on the logon form. When you configure Forefront TMG to warn users about passwords that are about to expire, users receive a separate warning page on which they can choose whether to change their passwords. For instructions about how to configure the change password feature, see Configuring the change password feature.

Note:

The HTML forms for forms-based authentication can be fully customized. When you configure Forefront TMG to require authentication, when a publishing rule applies to a specific user set or All Authenticated Users, or a Web listener is configured to Require all users to authenticate, Forefront TMG validates the credentials before forwarding the request. By default, the language setting of the client's browser determines the language of the form that Forefront TMG provides. Forefront TMG provides forms in 26 languages. Forefront TMG can also be configured to serve forms in a specific language regardless of the browser's language. The following security issues should be noted: When you configure a time-out for forms-based authentication, we recommend that the time-out be shorter than that imposed by the published server. If the published server times out before Forefront TMG, the user may mistakenly think that the session ended. This could allow attackers to use the session, which remains open until actively closed by the user or timed out by Forefront TMG as configured on the form setting. You should ensure that your Web application is designed to resist session riding attacks (also known as cross-site-posting, cross-site-request-forgery, or luring attacks) before publishing it by using Forefront TMG. This is particularly important for Web servers published through Forefront TMG, because clients must use the same trust level for all of the Web sites they access through the publishing Forefront TMG firewall. In a forms-based authentication scenario where a client certificate is required and the user declines to provide a certificate, the user is able to access the logon form. The logon is then denied by Forefront TMG because of the lack of a client certificate. Forms customization involves modification of the Strings.txt file. If you provide the Strings.txt file to a third party for modification, validate that non-text additions have not been made to the file, because these may provide a means of attack on your networks.

Forefront TMG supports the following types of HTTP authentication:

• Basic authentication—Using Basic authentication, the requesting client is prompted for credentials. Forefront TMG validates the credentials and, in passing the request to the Web server, uses the credentials in order to authenticate to the Web server in accordance with the configured delegation method. The Web server must be configured to use the authentication scheme that matches the delegation method used by Forefront TMG. For more information about Basic authentication, see About authentication methods.
  
  
• Digest and WDigest authentication—Using Digest or WDigest authentication, the client makes a request. Forefront TMG denies the request and asks the client for authentication information. The credentials are sent to a domain controller for validation. For more information, see About authentication methods.
  
  
• Integrated Windows authentication (NTLM)—Uses the NTLM, Kerberos, and Negotiate authentication mechanisms. The current Windows information on the client computer is used for authentication. If the authentication exchange fails, the browser prompts until the user enters valid credentials or closes the prompt dialog box. For more information about this authentication method, see About authentication methods.
  
  

In the client certificate scenario, the client provides a certificate, and Forefront TMG authenticates the client on the basis of that certificate. This might be a certificate that is embedded in a smart card or a certificate that is used by a mobile device so that it can connect to Microsoft ActiveSync.

Delegation of client credentials is configured on the publishing rule. In the Publishing Rule wizard, configure this on the Authentication Delegation page. In the publishing rule properties, the authentication settings are on the Authentication Delegation tab.

In this option, Forefront TMG does not delegate credentials. This is intended to prevent the unintentional delegation of credentials into the organization, where they might be sniffed. This is the default setting in some Forefront TMG publishing wizards, so you must change the default if you want to delegate the credentials.

When you select the delegation method No Delegation, but client may authenticate directly, Forefront TMG passes the user's credentials to the destination server without any additional action on the part of Forefront TMG. The client and the destination server then negotiate the authentication.

In Basic delegation, Forefront TMG forwards credentials in plaintext to the server that requires credentials. If authentication fails, Forefront TMG prompts the user for authentication according to the authentication type configured on the Web listener. If the server requires a different type of credentials, Forefront TMG triggers an alert.

In NTLM delegation, Forefront TMG delegates the credentials by using the NTLM challenge/response authentication protocol. If authentication fails, Forefront TMG replaces the delegation with the authentication type used by the Web listener. If the server requires a different type of credentials, Forefront TMG triggers an alert.

When you select Negotiate as a delegation method, Forefront TMG first attempts to obtain a Kerberos ticket for the client from the domain controller. If Forefront TMG does not receive the Kerberos ticket, it uses the negotiate scheme to delegate the credentials by using NTLM. If Forefront TMG receives the Kerberos ticket, it uses the negotiate scheme to delegate the credentials by using Kerberos. If authentication fails, Forefront TMG provides the server's failure notice to the client. If the server requires a different type of credentials, Forefront TMG triggers an alert.

The default service principal name (SPN) used to obtain the ticket is http/internalsitename. In the case of a server farm, the SPN is the name of the farm. You can chance the default SPN in Forefront TMG Management on the Authentication Delegation tab of the rule.

Note:
In Microsoft Exchange Server 2003, Internet Information Services (IIS) runs under the Network Service account. Forefront TMG uses the wildcard SPN HTTP\* and replaces the asterisk with the host name of the published site.

When a client provides SecurID credentials, you can use SecurID authentication delegation. Forefront TMG passes the proprietary SecurID cookie to the published server. Note that Forefront TMG and the published server must have the same domain secret and cookie name.

Beginning with ISA Server 2006, Kerberos constrained delegation is supported. For more information about Kerberos constrained delegation, see Kerberos Protocol Transition and Constrained Delegation (http://go.microsoft.com/fwlink/?LinkID=56785&clcid=0x409).

Without Kerberos constrained delegation, Forefront TMG can delegate credentials only when client credentials are received using Basic or forms-based authentication. With Kerberos constrained delegation, Forefront TMG can accept other types of client credentials, such as client certificates. Forefront TMG must be enabled on the domain controller in order to use Kerberos constrained delegation (constrained to a specific service principal name).

If authentication fails, Forefront TMG provides the server's failure notice to the client. If the server requires a different type of credentials, Forefront TMG triggers an alert.

Note:

Use of Kerberos constrained delegation requires that you configure AD DS to recognize Forefront TMG as trusted for delegation. The default SPN used to obtain the ticket is http/internalsitename. In the case of a server farm, the SPN is the name of the farm. You can change the default SPN in Forefront TMG Management on the Authentication Delegation tab of the rule. To use Kerberos constrained delegation, your domain must run in the Windows Server 2003 or higher domain functional level. Kerberos authentication depends upon UDP packets. These are commonly fragmented. If your Forefront TMG computer is in a domain and you enable the blocking of IP fragments, Kerberos authentication fails. For example, if the computer uses Kerberos for authentication during user logon, logon fails. In scenarios where Kerberos authentication is used, we recommend that you do not enable the blocking of packets containing IP fragments. SharePoint Portal Server 2003 disables Kerberos by default, so NTLM/Kerberos (Negotiate) and Kerberos constrained delegation do not work with SharePoint publishing. To enable Kerberos, follow the instructions in How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkId=160327). In Microsoft Exchange Server 2003, IIS runs under the Network Service account, and Forefront TMG uses the wildcard SPN HTTP\* and replaces the asterisk with the host name of the published site.