Forefront Unified Access Gateway (UAG) allows you to delegate credentials, so that when a client authenticates during logon to a Forefront UAG site session, the credentials that are provided can be sent to backend servers that require authentication. This single sign-on (SSO) mechanism allows the user to log on to Forefront UAG with a single set of credentials that are then used to authenticate and gain access to any application for which the credentials are valid.
Forefront UAG can implement single sign-on by using session credentials to authenticate to published backend applications using the following methods:
- Basic, NTLM, or HTTP
forms authentication─Forefront UAG supports Basic, NTLM, and
HTTP forms-based authentication. When a backend server requires
Basic or NTLM authentication, it sends an HTTP 401 response to the
Forefront UAG server. When a backend server requires HTTP
forms-based authentication, Forefront UAG can be configured to
provide the user credentials automatically.
- Kerberos constrained
delegation—Forefront UAG supports the use of Kerberos
constrained delegation to authenticate users, after Forefront UAG
has verified their identity by using a non-Kerberos authentication