One of the technologies that Forefront Unified Access Gateway (UAG) uses to provide single sign-on is Kerberos constrained delegation. With Kerberos constrained delegation (combined with protocol transition), users can authenticate to a Forefront UAG site with strong authentication such as smart cards or one-time passwords, and Forefront UAG then obtains Kerberos service tickets on their behalf for the published applications. Users authenticate once only, and are not prompted again for credentials by applications that require authentication. For more information about Kerberos constrained delegation technology, see Kerberos Protocol Transition and Constrained Delegation (http://go.microsoft.com/fwlink/?LinkId=122608).
Prerequisites
The following are the requirements for Kerberos constrained delegation:
- The Forefront UAG server must be part of a domain.
- You must define only one authentication server for the trunk to which the application belongs.
- All domain controllers in the internal network must be running Windows Server 2003.
- Users must be part of the same Active Directory forest as the Forefront UAG server and the application servers.
- Forefront UAG servers and application servers must be part of the same domain.
The following procedures describe:
- How to raise domain and forest functional levels in Windows Server 2003—How to set the domain to the Windows Server 2003 functional level.
- Configuring SSL client certificate authentication—How to authenticate users with client certificates. When you reach step 7 in that procedure, open the file <Server_Name>.inc and add the following setting:
KCDAuthentication_on = true
- Configuring Kerberos constrained delegation for an application—To complete this procedure, note the service principal name (SPN) of the application. Each instance of a service that uses Kerberos authentication must have an SPN defined for it, so that clients can identify that instance of the service on the network. For more information, see Service Principal Names (http://go.microsoft.com/fwlink/?LinkId=123632).
- Configuring Active Directory computer accounts for Kerberos constrained delegation—The application SPN must be registered in Active Directory Domain Services. This maps the SPN to the Windows account under which the service specified in the SPN runs. Instances of some services register their SPNs automatically at startup. Only an Active Directory domain administrator can register SPNs in Active Directory Domain Services.
- Specifying how Kerberos performs backend authentication—You can specify whether Forefront UAG requests the Kerberos ticket for the user by user principal name (UPN) or by DOMAIN\UserName.
- Ensure that application servers are configured for Kerberos authentication. For examples of application server configuration, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkID=82876), and Configure Kerberos authentication (Office SharePoint Server) (http://go.microsoft.com/fwlink/?LinkID=109491).
Configuring Kerberos constrained delegation for an application
To configure Kerberos constrained delegation for an application
1. In the Forefront UAG Management console, in the Applications group box, click the application, and then click Edit.
2. On the Application Properties dialog box, click the Authentication tab.
3. On the Authentication tab, do the following:
- Select Use single sign-on to send credentials to published applications.
- Click Use Kerberos constrained delegation for single sign-on.
- In the Application SPN box, type the SPN, and then click OK. You can set the SPN explicitly, or you can use the wildcard * (for example, owa/*).
Note the following:
- You must specify the SPN explicitly if the application's SPN is not defined on the application server in the default format (service name/host name). This can happen when an application is published as part of a load-balanced Web farm and runs under an application account identity rather than the computer account identity.
- If you use a wildcard, the addresses of all the servers for this application (defined on the Web Servers tab) must be host names, not IP addresses. The wildcard is translated to each of the host names defined on the Web Servers tab. If the application's SPN on the application server is defined as a fully qualified domain name (FQDN), Forefront UAG translates it to two SPNs: host name and FQDN (for example, owa and owa.contoso.com). If the application's SPN on the application server is defined as a host name, Forefront UAG translates it to two SPNs: the host name and an FQDN formed with the DNS domain of the Forefront UAG server.
4. Repeat step 3 for all applications that you want to publish using Kerberos constrained delegation.
Note: The File Access application does not support the use of Kerberos constrained delegation (KCD) to provide single sign-on (SSO).
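The wildcard rules in the notes above decide which SPNs must already exist in Active Directory before single sign-on will work. The following PowerShell function is an added example, not Forefront UAG code, that applies those rules to the entries on the Web Servers tab so that you can check each resulting SPN with setspn before you enable KCD. It assumes that the form of each entry on the Web Servers tab (bare host name or FQDN) decides the translation, and the host names, the DNS domain contoso.com and the owa service class are constructed sample input.

```powershell
# Added example (not Forefront UAG code): expand a wildcard application SPN the way
# the notes above describe, rejecting IP addresses, which cannot be translated.
# Assumptions: entries come from the Web Servers tab; 'contoso.com' is the DNS
# domain of the Forefront UAG server (both hypothetical values).

function Expand-UagWildcardSpn {
    param(
        [Parameter(Mandatory)] [string]   $Spn,          # e.g. 'owa/*' or an explicit SPN
        [Parameter(Mandatory)] [string[]] $WebServers,   # entries from the Web Servers tab
        [Parameter(Mandatory)] [string]   $UagDnsDomain  # DNS domain of the UAG server
    )

    # An explicit SPN is used exactly as typed; no translation takes place.
    if (-not $Spn.EndsWith('/*')) { return $Spn }

    $serviceClass = $Spn.Substring(0, $Spn.IndexOf('/'))
    $result = New-Object System.Collections.Generic.List[string]

    foreach ($server in $WebServers) {
        # Wildcard SPNs require host names on the Web Servers tab, never IP addresses.
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($server, [ref]$ip)) {
            throw "Web server '$server' is an IP address; wildcard SPNs require host names."
        }
        if ($server -match '\.') {
            # FQDN entry -> short host name plus the FQDN itself
            $shortName = $server.Split('.')[0]
            $fqdn      = $server
        } else {
            # Bare host name -> host name plus an FQDN in the UAG server's DNS domain
            $shortName = $server
            $fqdn      = "$server.$UagDnsDomain"
        }
        foreach ($name in @($shortName, $fqdn)) {
            $candidate = "$serviceClass/$name"
            if (-not $result.Contains($candidate)) { $result.Add($candidate) }
        }
    }
    return $result.ToArray()
}

# Constructed sample input: two members of a load-balanced OWA farm, one entered
# as an FQDN and one as a bare host name.
$spns = Expand-UagWildcardSpn -Spn 'owa/*' -WebServers 'owa1.contoso.com', 'owa2' -UagDnsDomain 'contoso.com'
$spns

# Confirm that every translated SPN is registered before enabling KCD; an SPN that
# resolves to no account (or to two) means the service ticket request will fail.
foreach ($s in $spns) { setspn -Q $s }
```

setspn -Q is the duplicate-aware query switch in the setspn that ships with Windows Server 2008 and later; on an older support-tools setspn, use setspn -L against the expected account instead.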
Configuring Active Directory computer accounts for Kerberos constrained delegation
To configure Active Directory computer accounts for Kerberos constrained delegation
-
To register the SPNs, create a file containing a list of SPNs. The SPNs in this file represent the applications for which Forefront UAG enables Kerberos constrained delegation. You can create this file as a simple text file, from where the Active Directory domain administrator must manually copy the information to Active Directory Domain Services, or you can create this file as a Lightweight Directory Access Protocol Data Interchange Format (LDIF) file, that the Active Directory domain administrator can import into Active Directory Domain Services by using the standard Windows utility ldifde. For more information, see Delegating authentication (http://go.microsoft.com/fwlink/?LinkId=138436).
Create the file as follows:
- In the Forefront UAG Management console, on the menu, click Admin, and then click Export KCD Settings to Active Directory.
- On the Active Directory Delegation dialog box, click either Export settings to a text file or Export settings to an LDIF file.
- Save the file, and then transfer it to the Active Directory domain administrator. It is recommended that the LDIF file is used soon after it is created, to ensure consistency in Active Directory Domain Services settings.
Note: If you use an LDIF file to configure delegation in Active Directory Domain Services, the import replaces the existing delegation information for the account with the information in the file, thus deleting any delegation settings that were configured manually. If any manually configured settings need to be preserved, advise the Active Directory domain administrator, when you transfer the LDIF file, to note the existing settings before importing the LDIF file and then to re-apply manually the settings that were deleted.
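The following PowerShell script is an added example, not Forefront UAG code or the exported file itself, of what the Active Directory domain administrator runs on receiving the exported settings. It records the delegation entries that exist before the import, registers the application SPNs, imports an LDIF file of the kind the note above warns about (a modify operation with replace), and then restores any manually configured entries the import removed. It also enables protocol transition on the Forefront UAG computer account, which is required when users sign in to Forefront UAG with smart cards or one-time passwords rather than a password that can be delegated. The computer account UAG01, the service account CONTOSO\svc_owa, the domain contoso.com and the SPNs are hypothetical; the script needs the ActiveDirectory module (RSAT) plus setspn and ldifde.

```powershell
# Added example (not Forefront UAG code): apply exported KCD settings on the AD side
# without losing manually configured delegation entries.
# Hypothetical names: UAG computer account UAG01, service account CONTOSO\svc_owa,
# domain contoso.com, SPNs owa/owa1 and owa/owa1.contoso.com.

Import-Module ActiveDirectory

$uagAccount = 'UAG01'
$appSpns    = 'owa/owa1', 'owa/owa1.contoso.com'
$appAccount = 'CONTOSO\svc_owa'

# 1. Note the existing delegation settings before anything is imported.
$uag      = Get-ADComputer -Identity $uagAccount -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
$existing = @($uag.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
Set-Content -Path "$env:TEMP\$uagAccount-delegation-before.txt" -Value $existing

# 2. Map each SPN to the account the service runs as. setspn -S refuses to create
#    a duplicate SPN, which would otherwise break Kerberos for both accounts.
foreach ($spn in $appSpns) { setspn -S $spn $appAccount }

# 3. Import the LDIF with ldifde. The here-string stands in for the exported file
#    (constructed example); its 'replace' operation overwrites the whole attribute,
#    which is why manually configured entries disappear.
$ldif = @"
dn: $($uag.DistinguishedName)
changetype: modify
replace: msDS-AllowedToDelegateTo
msDS-AllowedToDelegateTo: owa/owa1
msDS-AllowedToDelegateTo: owa/owa1.contoso.com
-
"@
$ldifPath = "$env:TEMP\uag-kcd.ldf"
Set-Content -Path $ldifPath -Value $ldif
ldifde -i -f $ldifPath

# 4. Re-apply any previously configured entries that the import removed.
$after   = @((Get-ADComputer -Identity $uagAccount -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo')
$missing = @($existing | Where-Object { $after -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-ADComputer -Identity $uagAccount -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
}

# 5. Protocol transition: users authenticate to UAG with smart cards or OTP, so the
#    UAG computer account must be trusted to use any authentication protocol
#    (TRUSTED_TO_AUTH_FOR_DELEGATION in userAccountControl) to request tickets for them.
if (-not $uag.TrustedToAuthForDelegation) {
    Set-ADAccountControl -Identity $uag -TrustedToAuthForDelegation $true
}

# 6. Verify the final state of the account.
Get-ADComputer -Identity $uagAccount -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

Keep the before-import file with the change record: if a later export from Forefront UAG is imported without this merge step, the same entries will be lost again, and the only symptom is that single sign-on to the affected application silently falls back to prompting the user.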
Specifying how Kerberos performs backend authentication
To specify how backend authentication is performed
1. On the Forefront UAG server, run Regedit.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter.
3. Modify or create the DWORD value KCDUseUPN as follows:
- To perform Kerberos authentication using the UPN, set the DWORD value to 1.
- To perform Kerberos authentication using the format DOMAIN\UserName, set the DWORD value to 0. If no value is set, DOMAIN\UserName is used.
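The following PowerShell functions are an added example, not Forefront UAG code, that set the KCDUseUPN value described above and read it back, treating an absent value as DOMAIN\UserName as the procedure states. The function names are invented for this example; the registry path and value name are the ones given in the procedure.

```powershell
# Added example (not Forefront UAG code): set and verify the KCDUseUPN registry
# value. Run on the Forefront UAG server in an elevated PowerShell session.
$kcdKey = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter'

function Get-UagKcdBackendFormat {
    # Returns 'UPN' or 'DOMAIN\UserName'. A missing value means DOMAIN\UserName.
    $item = Get-ItemProperty -Path $kcdKey -Name KCDUseUPN -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.KCDUseUPN -eq 1) { 'UPN' } else { 'DOMAIN\UserName' }
}

function Set-UagKcdBackendFormat {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('UPN', 'DOMAIN\UserName')]
        [string] $Format
    )
    if (-not (Test-Path $kcdKey)) {
        throw "Registry key $kcdKey not found; run this on the Forefront UAG server."
    }
    $value = if ($Format -eq 'UPN') { 1 } else { 0 }
    # -Force creates the value if it is absent and overwrites it otherwise, always as REG_DWORD.
    New-ItemProperty -Path $kcdKey -Name KCDUseUPN -PropertyType DWord -Value $value -Force | Out-Null
    # Read back so the caller sees the setting that is actually in effect.
    Get-UagKcdBackendFormat
}

# Example usage: switch backend authentication to UPN and confirm the change.
Set-UagKcdBackendFormat -Format 'UPN'
```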