Forefront Unified Access Gateway (UAG) controls access to internal applications and resources that are published via Forefront UAG, by using client authentication.
Client authentication requires that you configure frontend authentication to verify the credentials of clients that connect to Forefront UAG portal and site sessions. If backend published servers require authentication, you must also set up authentication mechanisms for verifying client credentials on the backend servers. In addition, Forefront UAG supports single sign-on, which allows you to pass credentials supplied during session sign-on to the backend servers.
- You can implement frontend authentication to make sure that remote clients authenticate before establishing sessions to Forefront UAG sites and the portal.
- In addition, you can require client authentication to published backend servers as follows:
  - Use passthrough authentication so that clients authenticate on backend servers only.
  - Implement single sign-on so that clients need only specify credentials once, by passing session credentials to backend servers using basic authentication (HTTP 401), an HTML form, Kerberos constrained delegation, or Active Directory Federation Services (ADFS).
The following infrastructure design is required for client authentication:
- Authentication servers, to verify client credentials during frontend and backend authentication. For more information, see the Access control for publishing planning guide.
- If you want to implement single sign-on using Kerberos constrained delegation, a Kerberos infrastructure must be configured. For more information, see Configuring single sign-on with Kerberos constrained delegation.
- If you want to use Active Directory Federation Services (ADFS), an ADFS server must be deployed. For more information, see Deploying federation with AD FS.
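As an added example that is not part of the Forefront UAG documentation, the following PowerShell check verifies the Kerberos constrained delegation prerequisite named above: the UAG server's Active Directory computer account must be allowed to delegate to the published backend server's SPN, with protocol transition enabled because clients authenticate to UAG with a non-Kerberos frontend method. It assumes the ActiveDirectory PowerShell module and uses a constructed UAG server name (`UAG01`) and backend SPN (`http/app.corp.example`).

```powershell
# Added example, not code from the Forefront UAG product or its documentation.
# Checks that a UAG server's computer account is set up for Kerberos
# constrained delegation (KCD) to the SPN of a published backend server.
# The server name and SPN below are constructed, hypothetical values.
Import-Module ActiveDirectory

$UagServer  = 'UAG01'                  # hypothetical UAG array member
$BackendSpn = 'http/app.corp.example'  # hypothetical SPN of the published backend

$acct = Get-ADComputer -Identity $UagServer `
    -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation

# Constrained delegation targets live in the msDS-AllowedToDelegateTo attribute.
$targets = @($acct.'msDS-AllowedToDelegateTo')
$hasSpn  = $targets -contains $BackendSpn   # SPN comparison is case-insensitive

# Frontend authentication to UAG is forms/basic/etc., not Kerberos, so the
# account must also be trusted for protocol transition ("use any protocol").
$transition = [bool]$acct.TrustedToAuthForDelegation

if ($hasSpn -and $transition) {
    Write-Output "OK: $UagServer may delegate to $BackendSpn with protocol transition."
} else {
    if (-not $hasSpn) {
        Write-Warning "$UagServer is not allowed to delegate to $BackendSpn. Current list: $($targets -join ', ')"
    }
    if (-not $transition) {
        Write-Warning "$UagServer is not trusted to authenticate for delegation (protocol transition is off)."
    }
}

# KCD also needs the backend SPN to be registered on some account in AD;
# an unregistered SPN is a common reason single sign-on to the backend fails.
$spnOwner = Get-ADObject -LDAPFilter "(servicePrincipalName=$BackendSpn)" -Properties servicePrincipalName
if (-not $spnOwner) {
    Write-Warning "No account in Active Directory holds the SPN $BackendSpn."
} else {
    Write-Output "SPN $BackendSpn is registered on $($spnOwner.DistinguishedName)."
}
```

Run it from a domain-joined management host with rights to read the computer object; in a UAG array, repeat the check for every array member.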