One of the technologies used by Forefront Unified Access Gateway (UAG) to accomplish single sign-on functionality is Kerberos constrained delegation. Kerberos constrained delegation enables users to access a Forefront UAG site using strong authentication such as smart-card authentication, or one-time passwords. Users authenticate once only, and are not required to supply their credentials to log on to applications that require authentication. For more information about Kerberos constrained delegation technology, see Kerberos Protocol Transition and Constrained Delegation (http://go.microsoft.com/fwlink/?LinkId=122608).
The following procedures describe how to configure Kerberos constrained delegation:
- Requirements—Read this section before configuring Kerberos constrained delegation.
- How to raise domain and forest functional levels in Windows Server 2003—Provides information on how to set the domain to the Windows Server 2003 functional level.
- Configuring LDAP client certificate authentication in IAG, at Microsoft TechNet—Describes how to authenticate users with client certificates. When you reach step 7 in this procedure, open the file <Server_Name>.inc and make the following modification: KCDAuthentication_on = true
- Configuring Kerberos constrained delegation for an application—To complete this procedure, note the service principal name (SPN) of the application. Each instance of a service that uses Kerberos authentication must have an SPN defined for it, so that clients can identify that instance of the service on the network. For more information, see Service Principal Names (http://go.microsoft.com/fwlink/?LinkId=123632).
- Configuring Active Directory computer accounts for Kerberos constrained delegation—The application SPN must be registered in Active Directory Domain Services. This maps the SPN to the Windows account under which the service specified in the SPN is running. Instances of some services can automatically register their SPNs at startup. Only an Active Directory domain administrator can register SPNs in Active Directory Domain Services.
- Specifying how Kerberos performs backend authentication—You can specify whether authentication should be performed with a user name or UPN.
- Ensure application servers are configured for Kerberos authentication. For examples of application server configuration, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?LinkID=82876), and Configure Kerberos authentication (Office SharePoint Server) (http://go.microsoft.com/fwlink/?LinkID=109491).
Requirements
The following are the requirements for Kerberos constrained delegation:
- The Forefront UAG server must be part of a domain.
- You must define only one authentication server for the trunk to which the application belongs.
- All domain controllers in the internal network must be running Windows Server 2003.
- Users must be part of the same Active Directory forest as the Forefront UAG server and the application servers.
- Forefront UAG servers and application servers must be part of the same domain.
Configuring Kerberos constrained delegation for an application
1. On the Forefront UAG Management console, in the Applications group box, click the application, and then click Edit.
2. On the Application Properties page, click the Web Settings tab.
3. On the Web Settings tab, do the following:
   - Select Use single sign-on to send credentials to published applications.
   - Select Use Kerberos constrained delegation.
   - In the Application service principal name text box, type the SPN, and then click OK. You can set the SPN explicitly, or you can use the wildcard * (for example, owa/*).
   Note the following:
   - You must use the SPN explicitly if the SPN of this application was not defined in the default format SPNs (service name/hostname) in the application server. This might happen when an application is published as part of a load-balanced Web farm, and runs with an application account identity and not with a computer account identity.
   - If you choose to use a wildcard, the addresses for all the servers of this application (defined on the Web Servers tab) cannot be IP addresses and must be host names. The wildcard is translated to each of the host names defined on the Web Servers tab. If the SPN of the application in the application server is defined as a fully qualified domain name (FQDN), Forefront UAG translates it to two SPNs: host name and FQDN (for example, owa and owa.contoso.com). If the application's SPN in the application server is defined as a host name, Forefront UAG translates it to two SPNs: a hostname and an FQDN with the Forefront UAG Domain Name System domain.
4. Repeat Step 3 for all applications that you want to publish using Kerberos constrained delegation.
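The wildcard translation described in the note above, as an added example in Python (illustrating the rules stated on this page, not Forefront UAG's own code): it expands a wildcard SPN against the host names listed on the Web Servers tab, rejects IP addresses as the page requires, and assumes the UAG server's DNS domain is passed in as a parameter. Host names such as owa.contoso.com are constructed sample values.

```python
from __future__ import annotations
import ipaddress


def _is_ip_address(name: str) -> bool:
    """True when a Web Servers entry is an IP address instead of a host name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def expand_spn(spn: str, web_servers: list[str], uag_dns_domain: str) -> list[str]:
    """Return the SPNs that a wildcard entry resolves to for one published application.

    spn            -- value typed in 'Application service principal name', e.g. 'owa/*'
    web_servers    -- the server addresses listed on the application's Web Servers tab
    uag_dns_domain -- DNS domain of the Forefront UAG server (assumed to be supplied by the caller)
    """
    service, sep, host = spn.partition("/")
    if sep != "/" or host != "*":
        return [spn]  # explicit SPN: used exactly as typed
    if not service:
        raise ValueError(f"malformed SPN {spn!r}: no service class before '/'")
    result: list[str] = []
    seen: set[str] = set()
    for server in web_servers:
        if _is_ip_address(server):
            raise ValueError(f"wildcard SPN {spn!r} requires host names on the Web Servers tab, got {server!r}")
        if "." in server:
            # Entry is an FQDN: both the short host name and the FQDN are used.
            short, fqdn = server.split(".", 1)[0], server
        else:
            # Entry is a bare host name: the FQDN is formed with the UAG server's DNS domain.
            short, fqdn = server, f"{server}.{uag_dns_domain}"
        for candidate in (f"{service}/{short}", f"{service}/{fqdn}"):
            if candidate.lower() not in seen:  # SPN matching is case-insensitive in AD
                seen.add(candidate.lower())
                result.append(candidate)
    return result
```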
Configuring Active Directory computer accounts for Kerberos constrained delegation
To configure Active Directory computer accounts for Kerberos constrained delegation
1. To register the SPNs, create a file containing a list of SPNs. The SPNs in this file represent the applications for which Forefront UAG enables Kerberos constrained delegation. You can create this file as a simple text file, from where the Active Directory domain administrator must manually copy the information to Active Directory Domain Services, or you can create this file as a Lightweight Directory Access Protocol Data Interchange Format (LDIF) file, that the Active Directory domain administrator can import into Active Directory Domain Services by using the standard Windows utility ldifde. For more information, see Delegating authentication (http://go.microsoft.com/fwlink/?LinkId=138436). Create the file as follows:
   - In the Forefront UAG Management console, on the menu, click Admin, and then click Export to Active Directory.
   - On the Export to Active Directory dialog box, click either Export to Text File or Export to LDIF File.
   - Save the file, and then transfer it to the Active Directory domain administrator. It is recommended that the LDIF file is used soon after it is created, to ensure consistency in Active Directory Domain Services settings.
Note: If you use an LDIF file to configure delegation in Active Directory Domain Services, the LDIF file replaces the existing delegation information in Active Directory Domain Services with the information in the file, thus deleting any delegation settings that were configured manually. If any settings that were configured manually need to be preserved, when you transfer the LDIF file to the Active Directory domain administrator, inform them that they should note the existing settings before they import the LDIF file, and then manually re-apply the settings that were deleted.
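The replace behaviour of the LDIF import, as an added example in Python (not Forefront UAG's export code): it assumes the imported record is an LDIF modify of the msDS-AllowedToDelegateTo attribute on the UAG server's computer account, which is where Active Directory stores constrained-delegation targets, and the DN and SPNs are constructed sample values. manual_entries_lost lists the current targets that a plain replace would delete, so the administrator can carry them into the same record instead of re-applying them by hand afterwards.

```python
from __future__ import annotations

# Active Directory attribute that holds a computer account's constrained-delegation targets.
DELEGATION_ATTR = "msDS-AllowedToDelegateTo"


def manual_entries_lost(existing: list[str], spns: list[str]) -> list[str]:
    """Return the current delegation targets that are not in the new SPN list.

    These are the manually configured settings the import would delete (case-insensitive
    comparison, since SPNs are not case-sensitive in AD).
    """
    new = {s.lower() for s in spns}
    return [s for s in existing if s.lower() not in new]


def build_delegation_ldif(computer_dn: str, spns: list[str], preserve: list[str] | None = None) -> str:
    """Return an LDIF 'modify' record for ldifde that sets the delegation targets of computer_dn.

    The record uses 'replace:', so every value not listed is removed on import; values passed in
    `preserve` (for example, the result of manual_entries_lost) are written first so they survive.
    """
    merged: list[str] = []
    seen: set[str] = set()
    for spn in list(preserve or []) + list(spns):
        if spn.lower() not in seen:
            seen.add(spn.lower())
            merged.append(spn)
    if not merged:
        raise ValueError("refusing to emit an empty replace: it would clear every delegation target")
    lines = [f"dn: {computer_dn}", "changetype: modify", f"replace: {DELEGATION_ATTR}"]
    lines += [f"{DELEGATION_ATTR}: {spn}" for spn in merged]
    lines.append("-")  # terminates the modify operation in LDIF
    return "\n".join(lines) + "\n"
```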
Specifying how Kerberos performs backend authentication
1. On the Forefront UAG server, run Regedit.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter.
3. Modify or create the DWORD value KCDUseUPN as follows:
   - To perform Kerberos authentication using UPN, set the DWORD value to 1.
   - To perform Kerberos authentication using the format DOMAIN\UserName, set the DWORD value to 0. If no value is set, DOMAIN\UserName will be used.