Share via


About delegation of credentials

In Web publishing scenarios, Microsoft Forefront Threat Management Gateway can validate the client's credentials and then forward or delegate the credentials to the published server for authentication. The following authentication delegation options are available:

  • No delegation, and client cannot authenticate directly
  • No delegation, but client may authenticate directly
  • Basic authentication
  • NTLM authentication
  • Negotiate (Kerberos/NTLM)
  • RSA SecurID
  • Kerberos constrained delegation

Note

The delegation methods available vary according to the type of publishing rule you create and the type of authentication used by the Web listener.

No delegation, and client cannot authenticate directly

No credentials are passed to the published server. If the published server requires authentication, a Forefront TMG alert is triggered.

No delegation, but client may authenticate directly

Forefront TMG passes the user's credentials to the published server without performing any additional action. The client and the published server then negotiate the authentication. This is typically used in a scenario where the published server requires some proprietary form of authentication.

Note

When this option is selected in a Web publishing rule and the Web listener is configured to apply no authentication and not to require all users to authenticate, Forefront TMG blocks HTTP requests for the published Web site and returns error 403 (Forbidden), even if the Web site does not require authentication.

Basic authentication

In Basic authentication, credentials are forwarded in plaintext to the published server that requires credentials. If authentication fails, Forefront TMG prompts the user for authentication according to the authentication type configured on the Web listener. If the published server requires a different type of credentials, a Forefront TMG alert is triggered.

NTLM authentication

In NTLM delegation, Forefront TMG delegates the credentials by using the NTLM challenge/response authentication protocol. If authentication fails, Forefront TMG provides the Web server's failure notice to the client. If the published server requires a different type of credentials, a Forefront TMG alert is triggered.

Negotiate (Kerberos/NTLM)

When you select Negotiate as a delegation method, Forefront TMG first attempts to obtain a Kerberos ticket for the client from the domain controller. If Forefront TMG does not receive the Kerberos ticket, it uses the negotiate scheme to delegate the credentials by using NTLM. If Forefront TMG receives the Kerberos ticket, it uses the negotiate scheme to delegate the credentials by using Kerberos. If authentication fails, Forefront TMG provides the Web server's failure notice to the client. If the published server requires a different type of credentials, a Forefront TMG alert is triggered.

Note

The default service principal name used to obtain the ticket is http/internalsitename. In the case of a server farm, the service principal name is the name of the farm. The default service principal name can be changed in Forefront TMG Management on the Authentication Delegation tab of the rule.

RSA SecurID

When a client provides SecurID credentials, you can use SecurID delegation. Forefront TMG passes the proprietary SecurID cookie to the published server. Note that Forefront TMG and the published server must have the same domain secret and cookie name.

Kerberos constrained delegation

With the other types of delegation, Forefront TMG can delegate credentials only when client credentials are received by using Basic or forms-based authentication. With Kerberos constrained delegation, Forefront TMG can accept other types of client credentials, such as client certificates. Forefront TMG must be enabled on the domain controller in order to use Kerberos constrained delegation (constrained to a specific service principal name).

If authentication fails, Forefront TMG provides the Web server's failure notice to the client. If the published server requires a different type of credentials, a Forefront TMG alert is triggered.

Note

Use of Kerberos constrained delegation requires that you configure Active Directory to recognize Forefront TMG as trusted for delegation.
The default service principal name used to obtain the ticket is http/internalsitename. In the case of a server farm, the service principal name is the name of the farm. The default service principal name can be changed in Forefront TMG Management on the Authentication Delegation tab of the rule.

Valid combinations of client credentials and delegation methods

Specific delegation methods are valid for different types of client credentials. The following table summarizes the valid combinations.

Receipt of client credentials Authentication provider Delegation Comments

Forms-based authentication

Basic

Active Directory

LDAP (Active Directory)

RADIUS

No delegation, but client may authenticate directly

No delegation, and client cannot authenticate directly

Basic

NTLM

Negotiate

Kerberos constrained delegation

Single sign-on is supported for forms-based authentication, but not for Basic authentication.

An additional client certificate can be required (two-factor authentication).

Digest

Integrated

Active Directory

No delegation - allow end-to-end delegation

No delegation - do not allow end-to-end delegation

Kerberos constrained delegation

None

HTML form with one-time password

SecurID

RADIUS one-time password

No delegation, but client may authenticate directly

No delegation, and client cannot authenticate directly

Kerberos constrained delegation

Single sign-on is supported.

HTML form with collection of additional credentials

SecurID

RADIUS one-time password

No delegation, but client may authenticate directly

No delegation, and client cannot authenticate directly

Basic

NTLM

Negotiate

Kerberos constrained delegation

Single sign-on is supported.

Client certificate

Active Directory

No delegation, but client may authenticate directly

No delegation, and client cannot authenticate directly

Kerberos constrained delegation

none

For more information about authentication in Forefront TMG, see

Overview of client authentication.