About authentication servers

This topic provides an overview of authentication servers that can be used to validate client credentials in Microsoft Forefront Threat Management Gateway.

Windows Active Directory

In Windows Active Directory validation, the credentials entered by the client are passed to a domain controller, which checks the credentials against the Active Directory list of users. The client must use one of the following formats when entering the credentials recognized by the domain controller:

  • Security Accounts Manager (SAM) account name (domain\username)
  • User principal name (username@domain.com)
  • Distinguished name

Active Directory validation can take place only when Forefront TMG is a domain member (either the same domain as the domain controller or in a trusted domain).

Active Directory can be used to validate client credentials for outbound Web requests and inbound requests for published Web servers.

LDAP Server

This validation method is similar to Windows Active Directory validation. In this method, Forefront TMG connects to an LDAP server over an LDAP protocol. (LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported.) Note that every domain controller is an LDAP server. The LDAP server has a store of the Active Directory users' credentials. Because each domain controller is only able to authenticate the users in its domain, Forefront TMG, by default, queries the global catalog for a forest in order to validate user credentials.

The client must use one of the following formats when entering the credentials recognized by Active Directory:

  • SAM account name (domain\username)
  • User principal name (username@domain.com)
  • Distinguished name

LDAP can be used to validate client credentials only for inbound requests for published Web servers.


RADIUS is an industry standard authentication protocol used by Microsoft Forefront Threat Management Gateway to authenticate client requests. When Forefront TMG acts as a RADIUS client, it sends user credentials to a RADIUS server. The RADIUS server authenticates the RADIUS client request and sends back a RADIUS message response. In Forefront TMG console, you configure RADIUS servers to be used for authentication and you configure a shared secret. You configure the same shared secret on the RADIUS server.

RADIUS authentication can be used for outbound Web proxy requests and incoming requests for published Web servers.

RADIUS one-time password

Forefront TMG can use a RADIUS one-time password in order to validate credentials for incoming requests to published Web servers. One-time password mechanisms typically consist of portable devices (physical tokens) and a server. The server and the devices each produce a new passcode at a given frequency. The passcodes are specific to each device. (No two devices share the same passcode.) The server that validates the passcodes is installed on a RADIUS server and can be associated with the existing list of RADIUS users. Note the following information about passcodes:

  • Each passcode can only be used once.
  • On the form provided by Forefront TMG, the user enters the user name and passcode provided by the portable device. Forefront TMG sends the user name and passcode to the RADIUS server for validation.
  • Because the passcode cannot be used a second time, Forefront TMG does not revalidate the credentials for each request. Rather, Forefront TMG issues a cookie to the client that allows continued communication without reauthenticating.
  • Some RADIUS servers block the logon of a user who has failed to log on a specified number of times. If a malicious user intentionally attempts to log on that many times by using a legitimate user name and wrong passcodes, that user is locked out of the system until you reset access for that user. We recommend that you disable the lockout feature on the RADIUS one-time password server in order to prevent this from occurring. The Forefront TMG **HTTP requests per minute, per IP address **setting (which you can configure on the Flood Mitigation properties of Forefront TMG) mitigates brute force password-guessing attacks, so you can disable the RADIUS lockout feature safely.


RSA SecurID is based on technology from RSA Security Inc. Forefront TMG can also use SecurID to validate credentials for incoming requests for published Web resources. SecurID requires that a remote user must provide the following information in order to gain access to protected resources:

  • Personal identification number (PIN)
  • Physical token that produces a time-limited one-time password

Neither the PIN nor the token-generated one-time password grant access in isolation from each other. Both are required.

When a user attempts to access Web pages controlled by a rule using SecurID authentication, the Forefront TMG server, on behalf of the server running Internet Information Services (IIS)that Forefront TMG secures, checks for a cookie. This cookie will be present only if the user has authenticated recently and it is not persistent. If the user's cookie is missing, the user is prompted for a user name and passcode for SecurID. The passcode consists of a combination of the user's PIN and tokencode. The RSA ACE/Agent on the Forefront TMG server passes these credentials to the RSA ACE/Server computer for validation. If the RSA ACE/Server successfully validates the credentials, a cookie is delivered to the user's browser for subsequent activity during the session, and the user is granted access to the content. Note the following information:

  • For SecurID delegation, Forefront TMG generates cookies that are compatible with RSA Authentication Agent 5.0. When you use SecurID delegation, you must configure the authentication agent computer to trust those cookies. To do so, in the authentication agent computer registry, add the following string value:Agent50CompatibleCookies under HKLM\Software\SDTI\RSAAgent
  • If Forefront TMG is configured with multiple network adapters and you create a Web listener with RSA SecurID authentication enabled, you should explicitly configure the network adapter address through which Forefront TMG connects to the RSA ACE/Server for authentication purposes. Otherwise, Forefront TMG may fail to perform SecurID authentication. Specify the IP address in the following registry key as a string value: **HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\AceClient\**PrimaryInterfaceIP
  • We recommend that you use SSL to encrypt the communication between the client and Forefront TMG.
  • For additional information about RSA ACE/Server installation, configuration, and authentication concepts, see the documentation available at the RSA Web site (https://www.rsasecurity.com).