About single sign-on

Single sign-on (SSO) enables users to authenticate once to Microsoft Forefront Threat Management Gateway and then, without reauthenticating, access all of the Web sites with the same domain suffix that Forefront TMG publishes on a specific Web listener. Web sites can include Microsoft Outlook Web Access and SharePoint sites, as well as standard Internet Information Services (IIS) Web sites.

A typical example of SSO is a user who logs on to Outlook Web Access by providing credentials on a form. In one of the e-mail messages that the user receives, there is a link to a document that is stored on a SharePoint server. The user clicks the link, and the document opens without an additional request for authentication. This example relies on the use of persistent cookies.

Security notes

  • As long as a user's browser process is still running, that user is logged on. For example, a user logs on to Outlook Web Access. From the Microsoft Internet Explorer menu, the user opens a new browser window and then navigates to another site. Closing the Outlook Web Access window does not end the session, and the user is still logged on.
  • When enabling SSO, be sure to provide a restrictive SSO domain. Providing an inclusive domain, such as .co.uk, allows the Web browser to send the Forefront TMG SSO cookie to any Web site in that domain, creating a possible security risk.
  • In a scenario where you create a Web listener that uses forms-based authentication with RSA SecurID validation and you enable Collect additional delegation credentials in the form, Forefront TMG does not verify whether a user enters the same or a different name for the additional credentials.


There is no support for SSO between different Web listeners. SSO is supported for published Web sites whose host names have the same DNS suffix after the first dot. For example, you can configure SSO when publishing mail.fabrikam.com and team.fabrikam.com by specifying .fabrikam.com as the SSO domain. However, you cannot configure SSO for mail.fabrikam.com and mail.contoso.com. In addition, a DNS suffix specified as an SSO domain must consist of at least two segments separated by an embedded dot. For example, .fabrikam.com and .portal.fabrikam.com are valid SSO domains, but .com is not a valid SSO domain.