[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

One of the technologies used by Forefront Unified Access Gateway (UAG) to accomplish single sign-on functionality is Kerberos constrained delegation. With Kerberos constrained delegation, users can authenticate to a Forefront UAG site using strong authentication such as smart-card authentication or one-time passwords, and Forefront UAG then obtains Kerberos service tickets for the published applications on their behalf (protocol transition). Users authenticate once only, and are not required to supply their credentials again to log on to applications that require authentication. For more information about Kerberos constrained delegation technology, see Kerberos Protocol Transition and Constrained Delegation (http://go.microsoft.com/fwlink/?LinkId=122608).

The following procedures describe how to configure Kerberos constrained delegation:

  1. Requirements—Read this section before configuring Kerberos constrained delegation.

  2. How to raise domain and forest functional levels in Windows Server 2003—Provides information on how to set the domain to the Windows Server 2003 functional level.

  3. Configuring LDAP client certificate authentication in IAG, at Microsoft TechNet—Describes how to authenticate users with client certificates. When you reach step 7 in this procedure, open the file: <Server_Name>.inc, and make the following modification: KCDAuthentication_on = true

  4. Configuring Kerberos constrained delegation for an application—To complete this procedure, note the service principal name (SPN) of the application. Each instance of a service that uses Kerberos authentication must have an SPN defined for it, so that clients can identify that instance of the service on the network. For more information, see Service Principal Names (http://go.microsoft.com/fwlink/?LinkId=123632).

  5. Configuring Active Directory computer accounts for Kerberos constrained delegation—The application SPN must be registered in Active Directory Domain Services. This maps the SPN to the Windows account under which the service specified in the SPN is running (the computer account, or a domain service account if the application pool runs under one). Instances of some services can automatically register their SPNs at startup. By default, only an Active Directory domain administrator, or an account that has been delegated write access to the servicePrincipalName attribute, can register SPNs for another account in Active Directory Domain Services.

  6. Specifying how Kerberos performs backend authentication—You can specify whether authentication should be performed with a user name or UPN.

  7. Ensure application servers are configured for Kerberos authentication. For examples of application server configuration, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkID=82876), and Configure Kerberos authentication (Office SharePoint Server) (http://go.microsoft.com/fwlink/?LinkID=109491).

Requirements

The following are the requirements for Kerberos constrained delegation:

  • The Forefront UAG server must be part of a domain.

  • You must define only one authentication server for the trunk to which the application belongs.

  • All domain controllers in the internal network must be running Windows Server 2003, and the domain must be at the Windows Server 2003 functional level; constrained delegation is not available at lower functional levels.

  • Users must be part of the same Active Directory forest as the Forefront UAG server and the application servers.

  • Forefront UAG servers and application servers must be part of the same domain.

Configuring Kerberos constrained delegation for an application

To configure Kerberos constrained delegation for an application
  1. On the Forefront UAG Management console, in the Applications group box, click the application, and then click Edit.

  2. On the Application Properties page, click the Web Settings tab.

  3. On the Web Settings tab, do the following:

    1. Select Use single sign-on to send credentials to published applications.

    2. Select Use Kerberos constrained delegation.

    3. In the Application service principal name text box, type the SPN, and then click OK. You can set the SPN explicitly, or you can use the wildcard * (for example, owa/*).

      Note the following:

      • You must specify the SPN explicitly if the application's SPN on the application server is not registered in the default format (service class/host name, for example http/owa.contoso.com). This is typically the case when an application is published as part of a load-balanced Web farm and runs under a domain service account rather than the computer account; the SPN is then registered on that service account, and the delegation must target that SPN.

      • If you use a wildcard, the addresses of all servers for this application (defined on the Web Servers tab) must be host names, not IP addresses. The wildcard is translated to each of the host names defined on the Web Servers tab, and each host name yields two SPNs. If the host name is specified as a fully qualified domain name (FQDN), Forefront UAG translates it to the short host name and the FQDN (for example, owa and owa.contoso.com). If the host name is specified as a short host name, Forefront UAG translates it to that host name and an FQDN built from the host name and the DNS domain of the Forefront UAG server.

  4. Repeat Step 3 for all applications that you want to publish using Kerberos constrained delegation.
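The following PowerShell function is an added example and is not part of the Forefront UAG documentation. It reproduces the wildcard translation rule described in step 3 so that you can list the SPNs Forefront UAG will request, and have them registered, before publishing the application. Applying the rule to each entry on the Web Servers tab is an assumption drawn from the text; the server names used in the calls are constructed.

```powershell
# Added example (not from the Forefront UAG documentation). Reproduces the wildcard
# translation rule for "Application service principal name" so that the SPNs Forefront
# UAG will request can be listed and registered before the application is published.
# Applying the rule per Web Servers tab entry is an assumption drawn from the text;
# server names below are constructed.
function Expand-UagSpn {
    param(
        [Parameter(Mandatory)][string]$Spn,            # as typed in the text box, e.g. http/* or http/owa.contoso.com
        [Parameter(Mandatory)][string[]]$WebServers,   # entries from the Web Servers tab
        [Parameter(Mandatory)][string]$UagDnsDomain    # DNS domain of the Forefront UAG server
    )
    if ($Spn -notmatch '^(?<class>[^/\s]+)/(?<host>[^/\s]+)$') {
        throw "SPN must be in the form serviceclass/host: '$Spn'"
    }
    $class = $Matches['class']
    if ($Matches['host'] -ne '*') {
        return ,@($Spn)                                # explicit SPN: used exactly as typed
    }
    $spns = foreach ($server in $WebServers) {
        # A wildcard only works with host names: an IP address cannot be turned into an SPN.
        if ($server -match '^\d{1,3}(\.\d{1,3}){3}$') {
            throw "Web server '$server' is an IP address; use a host name with a wildcard SPN"
        }
        if ($server.Contains('.')) {
            $short = $server.Split('.')[0]; $fqdn = $server              # FQDN entry
        } else {
            $short = $server; $fqdn = "$server.$UagDnsDomain"            # short-name entry
        }
        "$class/$short"
        "$class/$fqdn"
    }
    return $spns | Select-Object -Unique
}

# Two farm members, one entered as an FQDN and one as a short name:
Expand-UagSpn -Spn 'http/*' -WebServers 'owa1.contoso.com', 'owa2' -UagDnsDomain 'contoso.com'

# An explicit SPN for an application pool running under a domain service account
# is returned as typed, regardless of how the web servers are addressed:
Expand-UagSpn -Spn 'http/owa.contoso.com' -WebServers '10.0.0.5' -UagDnsDomain 'contoso.com'
```

Compare the output against `setspn -L <account>` for the computer or service account that runs the application: every SPN the function lists must be registered there, or the KDC will not issue Forefront UAG a service ticket for it.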

Configuring Active Directory computer accounts for Kerberos constrained delegation

To configure Active Directory computer accounts for Kerberos constrained delegation
  1. To register the SPNs, create a file containing a list of SPNs. The SPNs in this file represent the applications for which Forefront UAG enables Kerberos constrained delegation. You can create this file as a simple text file, from which the Active Directory domain administrator manually copies the information into Active Directory Domain Services, or as an LDAP Data Interchange Format (LDIF) file, which the Active Directory domain administrator can import into Active Directory Domain Services by using the standard Windows utility ldifde. For more information, see Delegating authentication (http://go.microsoft.com/fwlink/?LinkId=138436). Create the file as follows:

    1. In the Forefront UAG Management console, on the menu, click Admin, and then click Export to Active Directory.

    2. On the Export to Active Directory dialog box, click either Export to Text File or Export to LDIF File.

    3. Save the file, and then transfer it to the Active Directory domain administrator. It is recommended that the LDIF file is used soon after it is created, to ensure consistency in Active Directory Domain Services settings.

Note:
If you use an LDIF file to configure delegation in Active Directory Domain Services, the LDIF file replaces the existing delegation information in Active Directory Domain Services with the information in the file, thus deleting any delegation settings that were configured manually. If any settings that were configured manually need to be preserved, when you transfer the LDIF file to the Active Directory domain administrator, inform them that they should note the existing settings before they import the LDIF file, and then manually re-apply the settings that were deleted.
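The following PowerShell script is an added example and is not part of the Forefront UAG documentation or of the file that the Export to Active Directory command produces. It does, on the domain administrator's side, what the exported LDIF asks for: it checks that each SPN is registered on exactly one account, saves the current delegation list of the Forefront UAG computer account, writes an LDIF record that sets msDS-AllowedToDelegateTo, imports it with ldifde, and enables protocol transition. It goes beyond the note above by merging the existing entries into the file rather than relying on the administrator to re-apply them by hand. It assumes the ActiveDirectory PowerShell module and domain-administrator rights; the server name UAG01, the domain contoso.com and the SPN list are constructed placeholders.

```powershell
# Added example (not from the Forefront UAG documentation). Checks the SPNs, backs up the
# UAG computer account's current msDS-AllowedToDelegateTo values, writes an LDIF record
# that sets the attribute to the merged list, imports it, and enables protocol transition.
# Assumes the ActiveDirectory module (RSAT) and domain-admin rights; UAG01, contoso.com
# and the SPN list are constructed placeholders.
Import-Module ActiveDirectory

$UagComputer = 'UAG01'
$Spns = @('http/owa1', 'http/owa1.contoso.com', 'http/owa2', 'http/owa2.contoso.com')
$DomainController = 'dc01.contoso.com'

$uag = Get-ADComputer -Identity $UagComputer -Properties msDS-AllowedToDelegateTo

# 1. Each target SPN must exist on exactly one principal. An unregistered SPN gets no
#    service ticket; a duplicate SPN makes the KDC pick an arbitrary account's key,
#    which shows up as intermittent authentication failures on the application.
foreach ($spn in $Spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered on any account" }
        1       { Write-Host ("{0,-28} -> {1}" -f $spn, $owners[0].DistinguishedName) }
        default { Write-Warning "$spn is registered on $($owners.Count) accounts (duplicate SPN)" }
    }
}

# 2. "replace:" in LDIF overwrites the whole attribute, so keep a copy of today's
#    delegation list and merge it into the new one instead of losing it.
$existing = @($uag.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
$existing | Set-Content -Path ".\$UagComputer-delegation-backup.txt"
$merged = @($existing + $Spns | Sort-Object -Unique)

# 3. Build the LDIF change record for the computer account.
$ldif = @(
    "dn: $($uag.DistinguishedName)"
    'changetype: modify'
    'replace: msDS-AllowedToDelegateTo'
)
$ldif += $merged | ForEach-Object { "msDS-AllowedToDelegateTo: $_" }
$ldif += '-'
$ldif += ''                                    # blank line terminates the record
$ldif | Set-Content -Path ".\$UagComputer-kcd.ldf" -Encoding ASCII
Get-Content -Path ".\$UagComputer-kcd.ldf"     # review before importing

# 4. Import against a writable domain controller, then allow protocol transition
#    ("use any authentication protocol"): users authenticate to Forefront UAG with
#    certificates or one-time passwords, not Kerberos, so the UAG computer account
#    must be trusted to obtain tickets on their behalf.
ldifde -i -f ".\$UagComputer-kcd.ldf" -s $DomainController
Set-ADAccountControl -Identity $uag -TrustedToAuthForDelegation $true

# Confirm what the directory now holds for the account.
Get-ADComputer -Identity $UagComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
```

Run the script from an account with rights to modify the Forefront UAG computer object. The backup file written in step 2 is what the note above asks the administrator to record; keeping it next to the imported .ldf makes a later rollback a matter of re-importing the old values.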

Specifying how Kerberos performs backend authentication

To specify how backend authentication is performed
  1. On the Forefront UAG server, run Regedit.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter.

  3. Modify or create the DWORD value KCDUseUPN as follows:

    • To perform Kerberos authentication using the user principal name (UPN, in the form user@domain), set the DWORD value to 1.

    • To perform Kerberos authentication using the format DOMAIN\UserName, set the DWORD value to 0. If the value does not exist, DOMAIN\UserName is used.