Share via

Web listener advanced authentication options

You can configure the following advanced authentication options in the properties of the Web listener:

  • Require all users to authenticate—This option forces clients to authenticate by using one of the selected authentication methods.
  • Require SSL client certificate—This option forces the client to present the proper Secure Sockets Layer (SSL) client certificate. If the proper certificate is not provided, Microsoft Forefront Threat Management Gateway will end the session. This option is available only when using HTML form authentication.
  • SSL client certificate time out (seconds)—This option applies when you require client certificate authentication. This security feature requires that the certificate be presented again after a time-out period that you configure. In a scenario where a user presents a certificate on a smart card, removes the smart card, and then forgets to end the session, Forefront TMG will request the certificate after the time-out period. If the certificate is not provided, Forefront TMG will end the session. If the smart card is present, or if the certificate is installed on the client computer, the request for the certificate after the time-out period will not be noticed by the user.
  • Allow client authentication over HTTP—Enabling this option results in clients sending their credentials in an unencrypted form to the Forefront TMG computer; therefore, we do not recommend this. However, in some scenarios where security concerns are not paramount, such as blogs, this setting may be desired.
  • Validate credentials for every HTTP request—This option causes Forefront TMG to validate the client credentials for every HTTP request. This is useful for enforcing immediate changes to the domain. For example, if the user is removed from the domain, the user's credentials will be denied at the next HTTP request.
  • Validate credentials every (seconds)—This option enables the caching of client credentials for a configurable period of time.
  • Domain name—The default Windows domain to which users authenticate is the Active Directory domain in which the Forefront TMG computer is active. Forefront TMG appends the default domain to the client's user name, if the client does not provide a domain name. If you want users to authenticate to a different domain (meaning that Forefront TMG will append a different domain to the client's name), specify it here.
  • RSA SecurID—If RSA SecurID is selected as the Authentication Validation Method on the Authentication tab of the Web listener, the RSA SecurID tab appears in the Advanced Authentication Options dialog box. On this tab, you can configure the Authentication Manager (formerly called RSA ACE/Server 5.0) Name Locking feature, the SecurID cookie name, and a domain secret.


The domain for single sign-on (SSO) is configured on the SSO tab of the Web listener properties.