Forefront Unified Access Gateway (UAG) can use Kerberos constrained delegation (KCD) to provide single sign-on (SSO) functionality. KCD allows end users to access both the Forefront UAG site and the applications that are enabled through it, by using client-certificate authentication, such as, smart-card authentication, Active Directory Federation Services (AD FS), or one-time passwords. When using KCD, end users authenticate to the site only once, and are not required to supply their credentials to log on to applications that require user authentication, and are not required to provide their domain password.

For more information about KCD technology, see Kerberos Protocol Transition and Constrained Delegation (

System requirements

The following are the requirements for using KCD in your Forefront UAG deployment:

  • The Forefront UAG server must be part of a domain.

  • You must define at least one authentication server for the trunk to which the application belongs.

  • All domain controllers in the internal network must be computers running Windows Server 2008 or Windows Server 2003.

  • Users must be part of the same Active Directory forest as the Forefront UAG server and the application servers.

  • Forefront UAG and the application servers must be part of the same domain.