Planning for backend authentication to published servers
Updated: February 1, 2010
Applies To: Unified Access Gateway
Forefront Unified Access Gateway (UAG) allows you to delegate credentials, so that when a client authenticates during logon to a Forefront UAG site session, the credentials that are provided can be sent to backend servers that require authentication. This single sign-on (SSO) mechanism allows the user to log on to Forefront UAG with a single set of credentials that are then used to authenticate and gain access to any application for which the credentials are valid.
Forefront UAG can implement single sign-on by using session credentials to authenticate to published backend applications using the following methods:
Basic, NTLM, or HTTP forms authentication—Forefront UAG supports Basic, NTLM, and HTTP forms-based authentication. When a backend server requires Basic or NTLM authentication, it sends an HTTP 401 response to the Forefront UAG server. When a backend server requires HTTP forms-based authentication, Forefront UAG can be configured to provide the user credentials automatically.
Kerberos constrained delegation—Forefront UAG supports the use of Kerberos constrained delegation to authenticate users, after Forefront UAG has verified their identity by using a non-Kerberos authentication method.
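The HTTP 401 challenge described above for Basic and NTLM, as an added Python example that is not Forefront UAG code: it reads the WWW-Authenticate values from a backend's 401 response, picks a scheme, and builds the Basic Authorization header defined in RFC 7617. The function names, the sample headers, and the choice to prefer NTLM over Basic (Basic carries the password in reversible base64) are assumptions of this example.

```python
import base64
import re

# Schemes the page names for 401-based delegation; the order is this example's assumption.
DELEGABLE = ("ntlm", "basic")
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')


def offered_schemes(www_authenticate_values):
    """Return the lowercase schemes offered across all WWW-Authenticate header values."""
    schemes = []
    for value in www_authenticate_values:
        # Blank out quoted strings first so a comma inside realm="..." is not a separator.
        for part in _QUOTED.sub('""', value).split(","):
            token = part.strip().split(" ", 1)[0]
            # Parts such as charset="" are parameters of the previous challenge, not schemes.
            if token and "=" not in token:
                schemes.append(token.lower())
    return schemes


def select_scheme(status, www_authenticate_values):
    """Pick the scheme to delegate with, or None when the response is not a usable 401."""
    if status != 401:
        return None
    offered = offered_schemes(www_authenticate_values)
    return next((s for s in DELEGABLE if s in offered), None)


def basic_authorization(username, password):
    """Build the Authorization header value for Basic (RFC 7617)."""
    if ":" in username:
        # The user-id cannot contain a colon: it is the user/password separator.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed backend response headers, for illustration only.
    challenge = ['Basic realm="Intranet, HR", charset="UTF-8"', "NTLM"]
    print(offered_schemes(challenge))
    print(select_scheme(401, challenge))
    print(select_scheme(401, ['Basic realm="Intranet"']))
```

NTLM is only identified here, because it completes over a multi-message handshake rather than a single header.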