This topic describes how to publish applications to users located on corporate networks by using Integrated Windows Authentication for Forefront Unified Access Gateway (UAG) session authentication. Using Integrated Windows Authentication, you can use a number of options for single sign-on to published applications, including Kerberos constrained delegation, passthrough authentication, and Forefront UAG single sign-on.
For instructions on how to configure single sign-on using Kerberos constrained delegation, see Configuring single sign-on with Kerberos constrained delegation. The following sections describe:
- Prerequisites—The prerequisites for configuring Integrated Windows Authentication.
- Configuring a trunk with Integrated Windows Authentication—How to configure a trunk with Integrated Windows Authentication.
- Configuring passthrough authentication—How to configure passthrough authentication with Integrated Windows Authentication.
- Configuring single sign-on—How to configure single sign-on with Integrated Windows Authentication.
Prerequisites
The following are the prerequisites for configuring Integrated Windows Authentication in Forefront UAG:
- The Forefront UAG server must be a member of an Active Directory® domain.
- Transparent authentication is available only for users who access the Forefront UAG site from a client computer that is either a member of the same Active Directory forest as the Forefront UAG server or a member of a trusted forest. All other users are presented with a Web browser authentication prompt.
- To enable transparent authentication in Windows Internet Explorer®, the public host name of the Forefront UAG trunk must be included in the browser's local intranet zone or added to the browser's trusted sites zone. To enable transparent Integrated Windows Authentication with other Web browsers, refer to the Web browser's documentation.
- If the trunk publishes Microsoft Office SharePoint Server Products and Technologies with alternate access mapping, all the relevant host names and the public host name of the Forefront UAG trunk must be enabled for transparent authentication in the browser.
- For Integrated Windows Authentication to work with Kerberos authentication, the public host name of the trunk must be defined as an additional Service Principal Name (SPN) of the Forefront UAG server by the Active Directory domain administrator. For more information, see Setspn Examples (http://go.microsoft.com/fwlink/?LinkId=133778).
- If you use NTLM authentication with Integrated Windows Authentication, it is recommended that you use NTLM version 2 on the Forefront UAG server and disable NTLM version 1.
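As an added example that is not part of the original Forefront UAG documentation, the following Windows PowerShell script checks the domain-membership, SPN and NTLM prerequisites above on the Forefront UAG server itself. The trunk public host name is a placeholder, and the NTLM check inspects the LSA LmCompatibilityLevel setting, which is the Windows setting that governs NTLMv1 versus NTLMv2 but is not named on this page.

```powershell
# Added example (not from the Forefront UAG documentation): check the Integrated
# Windows Authentication prerequisites on the Forefront UAG server.
# Replace the placeholder with the public host name of your trunk.
$TrunkPublicHostName = 'portal.example.test'   # placeholder, not a real trunk name

# Prerequisite: the Forefront UAG server must be a member of an Active Directory domain.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Output "OK: server is a member of domain $($cs.Domain)."
} else {
    Write-Warning 'Server is not domain-joined; Integrated Windows Authentication is not available.'
}

# Prerequisite: for Kerberos, the trunk public host name must be registered as an
# HTTP SPN on the UAG computer account. setspn -L lists the SPNs held by an account.
$expectedSpn = "HTTP/$TrunkPublicHostName"
$spnList = & setspn -L $env:COMPUTERNAME 2>&1
if ($spnList -match [regex]::Escape($expectedSpn)) {
    Write-Output "OK: $expectedSpn is registered on the $env:COMPUTERNAME computer account."
} else {
    # Without the SPN, browsers cannot obtain a Kerberos ticket for the trunk and
    # fall back to NTLM (if enabled) or prompt for credentials.
    Write-Warning "$expectedSpn is not registered; the domain administrator must add it (see Setspn Examples)."
}

# Recommendation: use NTLMv2 and disable NTLMv1. The LSA LmCompatibilityLevel value
# controls this: 3 sends NTLMv2 only, 4 also refuses LM, 5 refuses LM and NTLMv1
# responses from clients; values 0-2 still send NTLMv1 or LM.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = $lsa.LmCompatibilityLevel
if ($level -eq $null) {
    Write-Warning 'LmCompatibilityLevel is not set explicitly; the OS default applies. Set it to 5 (Group Policy: Network security: LAN Manager authentication level) to refuse NTLMv1.'
} elseif ($level -ge 5) {
    Write-Output "OK: LmCompatibilityLevel is $level (NTLMv2 only; LM and NTLMv1 refused)."
} else {
    Write-Warning "LmCompatibilityLevel is $level; the server still accepts NTLMv1 from clients. Raise it to 5."
}
```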
Configuring a trunk with Integrated Windows Authentication
To configure a trunk with Integrated Windows Authentication
1. In the Forefront UAG Management console, select the required trunk.
2. On the Advanced Trunk Configuration dialog box, click the Authentication tab, and then click Use Integrated Windows authentication. Verify that one of the available protocols, NTLM or Kerberos, is selected, and then click OK. Note that the Active Directory authentication server configured for the trunk must point to the Active Directory forest to which the Forefront UAG server belongs. The selection of a protocol here enables its use both within the Negotiate wrapper and on its own.
3. On the console toolbar, activate the configuration.
Configuring passthrough authentication
To configure passthrough authentication
1. On the Forefront UAG server, click Start, and then click Run.
2. Type the following, and then press ENTER:
   regedit
3. In the Registry Editor, navigate to the following location:
   HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\
4. Right-click the window, click New, and then click DWORD Value. Name the registry value:
   FullAuthPassthru
5. Right-click FullAuthPassthru, and then click Modify. In Value data, type 1, and then click OK.
6. In the Forefront UAG Management console, select the required trunk.
7. On the trunk, double-click the required application. On the Web Settings tab, clear the Use single sign-on to send credentials to published applications check box, and then click OK.
8. Repeat steps 6 and 7 for each application in the trunk for which you want to enable passthrough authentication.
9. On the console toolbar, activate the configuration. All existing IIS connections are reset.
Note: If you want to use NTLM to authenticate to application servers, then you must make sure that the authentication to the trunk is done with NTLM.
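As an added example that is not part of the original documentation, the registry part of this procedure (steps 1 through 5) can be done from an elevated Windows PowerShell prompt on the Forefront UAG server; the application settings and activation (steps 6 through 9) remain work in the Forefront UAG Management console.

```powershell
# Added example (not from the Forefront UAG documentation): create the
# FullAuthPassthru REG_DWORD value that enables passthrough authentication.
# Run from an elevated prompt on the Forefront UAG server.
$keyPath   = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter'
$valueName = 'FullAuthPassthru'

# The documented procedure navigates to an existing UrlFilter key, so stop if it is
# missing rather than silently creating a key that the UAG URL filter never reads.
if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key $keyPath not found. Is this a Forefront UAG server?"
}

# Create the value if it is absent, correct it if it is present with another value,
# and leave it alone if it is already 1, so the script can be re-run safely.
$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($existing -eq $null) {
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 | Out-Null
    Write-Output "Created $valueName = 1 (REG_DWORD)."
} elseif ($existing.$valueName -ne 1) {
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 1
    Write-Output "Changed $valueName from $($existing.$valueName) to 1."
} else {
    Write-Output "$valueName is already 1; nothing to do."
}

# Read the value back. A REG_DWORD comes back as a 32-bit integer; a REG_SZ "1"
# created by mistake would come back as a string and is rejected here.
$check = Get-ItemProperty -Path $keyPath -Name $valueName
if (($check.$valueName -is [int]) -and ($check.$valueName -eq 1)) {
    Write-Output 'Verified REG_DWORD FullAuthPassthru = 1. Now clear the single sign-on check box on each application and activate the configuration in the Management console.'
} else {
    Write-Warning "$valueName did not read back as REG_DWORD 1; inspect the key in regedit."
}
```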
Configuring single sign-on
The following procedure describes how to configure single sign-on to multiple applications by credentials delegation for trunks that use Integrated Windows Authentication. In this scenario, the Forefront UAG server that you select for application authentication must not be the same server that is used for session authentication in this trunk.
If the Forefront UAG server and the application server are in the same forest and require the same credentials, configure an authentication server with the same settings as the server that is used for session authentication, and assign it a different name. Select this server for application authentication.
To configure single sign-on to multiple applications
1. In the Forefront UAG Management console, select the required trunk.
2. Double-click the required application, and on the Web Settings tab, verify that the Use single sign-on to send credentials to published applications check box is selected.
3. Select the authentication server against which users will authenticate when accessing the application, select the authentication method, and then click OK.
4. Repeat steps 1 through 3 of this procedure for each application on the trunk for which you want to enable single sign-on.
5. On the console toolbar, activate the configuration.
Copyright © 2009 by Microsoft Corporation. All rights reserved.