[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

This topic describes how to publish applications to users located on corporate networks by using Integrated Windows Authentication for Forefront Unified Access Gateway (UAG) session authentication. With Integrated Windows Authentication, you can choose among several single sign-on options for published applications: Kerberos constrained delegation, passthrough authentication, and Forefront UAG single sign-on.

For instructions on how to configure single sign-on using Kerberos constrained delegation, see Configuring single sign-on with Kerberos constrained delegation. The following sections describe the prerequisites for Integrated Windows Authentication, how to configure a trunk to use it, how to configure passthrough authentication, and how to configure single sign-on by credentials delegation.

Prerequisites

The following are the prerequisites for configuring Integrated Windows Authentication in Forefront UAG:

  • The Forefront UAG server must be a member of an Active Directory® domain.

  • Transparent authentication is available only for users who access the Forefront UAG site from a client computer that is either a member of the same Active Directory forest as the Forefront UAG server, or a member of a trusted forest. All other users are presented with a Web browser authentication prompt.

  • To enable transparent authentication in Windows Internet Explorer®, the public host name of the Forefront UAG trunk must be included in the browser's local intranet zone, or added to the browser's trusted sites zone. To enable transparent Integrated Windows authentication with other Web browsers, refer to the Web browser's documentation.

  • If the trunk publishes Microsoft Office SharePoint Server Products and Technologies with alternate access mapping, all the relevant host names and the public host name of the Forefront UAG trunk must be enabled for transparent authentication on the browser.

  • For Integrated Windows Authentication to work with Kerberos authentication, the public host name of the trunk must be registered as an additional Service Principal Name (SPN) of the Forefront UAG server's computer account by the Active Directory domain administrator, in the form HTTP/<public host name>. The SPN must be registered on exactly one account; a duplicate SPN in the forest causes Kerberos ticket requests for the trunk to fail. For more information, see Setspn Examples (http://go.microsoft.com/fwlink/?LinkId=133778).

  • If you use NTLM with Integrated Windows authentication, it is recommended that you configure the Forefront UAG server to use NTLM version 2 only and to disable NTLM version 1.
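The following script checks and applies the two prerequisites above (the trunk SPN and the NTLMv2-only setting) from the Forefront UAG server. It is an added example, not a script from the Forefront UAG product or documentation. The public host name portal.contoso.com and the computer account UAG01 are hypothetical values; run it as a domain administrator, because writing an SPN to a computer account requires that right.

```powershell
# Added example, not part of the Forefront UAG documentation.
# Hypothetical values: trunk public host name and UAG computer account.
$PublicHostName = 'portal.contoso.com'
$UagComputer    = 'UAG01'
$Spn            = "HTTP/$PublicHostName"

# 1. Kerberos requires an SPN to map to exactly one account. A stale copy
#    (for example, on a decommissioned server) makes the KDC encrypt the
#    service ticket for the wrong account, and the trunk silently falls
#    back to NTLM or fails. Query before adding.
$query = setspn -Q $Spn 2>&1
if ($query -match 'Existing SPN found') {
    Write-Host "SPN $Spn is already registered on:" -ForegroundColor Yellow
    $query | Where-Object { $_ -match '^CN=' }
} else {
    # -S performs a forest-wide duplicate check before adding (-A does not).
    $result = setspn -S $Spn $UagComputer 2>&1
    if (-not ($result -match 'Updated object')) {
        throw "setspn -S failed for ${Spn}: $result"
    }
}

# 2. Confirm the SPN is listed on the UAG computer account.
$listed = setspn -L $UagComputer
if (-not ($listed -match [regex]::Escape($Spn))) {
    throw "$Spn is not registered on $UagComputer"
}
Write-Host "$Spn is registered on $UagComputer"

# 3. Forest-wide duplicate scan. Any SPN printed under a 'Processing entry'
#    line is held by more than one account and must be cleaned up.
setspn -X

# 4. NTLM hardening. LmCompatibilityLevel 5 is the 'Network security: LAN
#    Manager authentication level' policy value 'Send NTLMv2 response only.
#    Refuse LM & NTLM'. On a member server it stops the server from ever
#    sending an NTLMv1 response (relevant when credentials are passed to
#    application servers); refusing NTLMv1 from clients is enforced by the
#    same setting on the domain controllers that validate the logons. If
#    Group Policy sets this value, change the GPO instead, or the next
#    policy refresh overwrites this registry write.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
              -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level -or $level -lt 5) {
    Write-Warning "LmCompatibilityLevel is '$level'; NTLMv1 is still allowed"
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    Write-Host 'LmCompatibilityLevel set to 5 (NTLMv2 only)'
} else {
    Write-Host "LmCompatibilityLevel is $level (NTLMv2 only)"
}
```

The SPN check uses the text that setspn prints ("Existing SPN found", "Updated object") rather than its exit code, which is not documented consistently across versions. Step 4 changes a system-wide security setting; confirm that no other application on the server still depends on NTLMv1 before applying it.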

Configuring a trunk with Integrated Windows Authentication

To configure a trunk with Integrated Windows Authentication

  1. In the Forefront UAG Management console, select the required trunk.

  2. On the Advanced Trunk Configuration dialog box, click the Authentication tab, and then click Use Integrated Windows authentication. Verify that one of the available protocols, NTLM or Kerberos, is selected, and then click OK. Note that the Active Directory authentication server configured for the trunk must point to the Active Directory forest to which the Forefront UAG server belongs.

    Selecting a protocol here enables it both inside the Negotiate wrapper and as a stand-alone authentication scheme. If you select Kerberos, the SPN prerequisite described earlier must be in place, or clients fall back to the browser authentication prompt.

  3. On the console toolbar, activate the configuration.

Configuring passthrough authentication

To configure passthrough authentication

  1. On the Forefront UAG server, click Start, and then click Run.

  2. Type the following, and then press ENTER:

    regedit

  3. In the Registry Editor, navigate to the following location:

    HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\

  4. Right-click the window, click New, and then click DWORD VALUE. Name the registry value:

    FullAuthPassthru

  5. Right-click FullAuthPassthru, and then click Modify. In Value data, type 1, and then click OK.

  6. In the Forefront UAG Management console, select the required trunk.

  7. On the trunk, double-click the required application. On the Web Settings tab, clear the Use single-sign on to send credentials to published applications check box, and then click OK.

  8. Repeat steps 6 and 7 for each application in the trunk for which you want to enable passthrough authentication.

  9. On the console toolbar, activate the configuration. All existing IIS connections are reset.

Note:
Passthrough authentication relays the client's own authentication exchange to the application server, so the protocol used at the trunk is the protocol the application server sees. If you want to use NTLM to authenticate to application servers, you must make sure that authentication to the trunk is also done with NTLM.
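The registry part of the passthrough procedure (steps 1 through 5) can be applied and verified with the following script instead of Registry Editor. It is an added example and not part of the Forefront UAG product or documentation; the key path and value name are the ones given in the procedure. The per-application change in the Management console and the configuration activation still have to be performed by hand.

```powershell
# Added example, not part of the Forefront UAG documentation.
# FullAuthPassthru is a server-wide switch: it applies to every trunk on
# this Forefront UAG server, not only to the applications you edit later.
$key  = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter'
$name = 'FullAuthPassthru'

# The key is created by the Forefront UAG installation. If it is missing,
# this is not a Forefront UAG server and creating the key by hand does
# nothing useful, so stop here.
if (-not (Test-Path $key)) {
    throw "Registry key $key not found; is Forefront UAG installed here?"
}

# Read the current value so the script is safe to run more than once.
$current = (Get-ItemProperty -Path $key -Name $name `
                -ErrorAction SilentlyContinue).$name
if ($current -eq 1) {
    Write-Host "$name is already 1; nothing to change"
} else {
    # -Force overwrites an existing entry, including one created with the
    # wrong type (for example a REG_SZ "1" typed in Registry Editor).
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force |
        Out-Null
    Write-Host "$name set to 1 (previous value: '$current')"
}

# The procedure specifies a DWORD value; check the type as well as the data.
$kind = (Get-Item $key).GetValueKind($name)
if ($kind -ne 'DWord') {
    throw "$name has type $kind; expected DWord"
}

Write-Host 'Registry change complete. Clear "Use single-sign on to send credentials'
Write-Host 'to published applications" on each application, then activate the'
Write-Host 'configuration in the Management console (existing IIS connections reset).'
```

Because the value is machine-wide, record the change in the server's change log; an administrator who later enables single sign-on on another trunk and wonders why credentials are no longer injected will otherwise have nothing to go on.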

Configuring single sign-on

The following procedure describes how to configure single sign-on to multiple applications by credentials delegation for trunks that use Integrated Windows Authentication. In this scenario, the authentication server that you select for application authentication must not be the same authentication server that is used for session authentication in this trunk.

If the Forefront UAG server and the application server are in the same forest and require the same credentials, configure an authentication server with the same settings as the server that is used for session authentication, and assign it a different name. Select this server for application authentication.

To configure single sign-on to multiple applications

  1. In the Forefront UAG Management console, select the required trunk.

  2. Double-click the required application, and on the Web Settings tab, verify that the Use single-sign on to send credentials to published applications check box is selected.

  3. Select the authentication server against which users will authenticate when accessing the application, select the authentication method, and then click OK.

  4. Repeat steps 2 and 3 of this procedure for each application on the trunk for which you want to enable single sign-on.

  5. On the console toolbar, activate the configuration.


Copyright © 2009 by Microsoft Corporation. All rights reserved.