Configuring single sign-on with Kerberos constrained delegation
Updated: February 1, 2011
Applies To: Unified Access Gateway
One of the technologies used by Forefront Unified Access Gateway (UAG) to accomplish single sign-on functionality is Kerberos constrained delegation. Kerberos constrained delegation enables users to access a Forefront UAG site, using strong authentication such as smart-card authentication or one-time passwords. Users authenticate once only, and are not required to supply their credentials to log on to applications that require authentication. For more information about Kerberos constrained delegation technology, see Kerberos Protocol Transition and Constrained Delegation (https://go.microsoft.com/fwlink/?LinkId=122608).
Prerequisites
The following are the requirements for Kerberos constrained delegation:
The Forefront UAG server must be part of a domain.
You must define only one authentication server for the trunk to which the application belongs.
All domain controllers in the internal network must be running Windows Server 2003.
Users must be part of the same Active Directory forest as the Forefront UAG server and the application servers.
Forefront UAG servers and application servers must be part of the same domain.
The following procedures describe:
How to raise domain and forest functional levels in Windows Server 2003—How to set the domain to the Windows Server 2003 functional level.
Configuring SSL client certificate authentication—How to authenticate users with client certificates. When you reach step 7 in this procedure, open the file: <Server_Name>.inc, and make the following modification:
KCDAuthentication_on = true
Configuring Kerberos constrained delegation for an application—To complete this procedure, note the service principal name (SPN) of the application. Each instance of a service that uses Kerberos authentication must have an SPN defined for it, so that clients can identify that instance of the service on the network. For more information, see Service Principal Names (https://go.microsoft.com/fwlink/?LinkId=123632).
Configuring Active Directory computer accounts for Kerberos constrained delegation—The application SPN must be registered in Active Directory Domain Services. This maps the SPN to the Windows account under which the service specified in the SPN is running. Instances of some services can automatically register their SPNs at startup. Only an Active Directory domain administrator can register SPNs in Active Directory Domain Services.
Specifying how Kerberos performs backend authentication─You can specify whether authentication should be performed with a user name or SPN.
Ensure application servers are configured for Kerberos authentication. For examples of application server configuration, see How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (https://go.microsoft.com/fwlink/?LinkID=82876), and Configure Kerberos authentication (Office SharePoint Server) (https://go.microsoft.com/fwlink/?LinkID=109491).
Configuring Kerberos constrained delegation for an application
To configure Kerberos constrained delegation for an application
In the Forefront UAG Management console, in the Applications group box, click the application, and then click Edit.
On the Application Properties dialog box, click the Authentication tab.
On the Authentication tab, do the following:
Select Use single sign-on to send credentials to published applications.
Click Use Kerberos constrained delegation for single sign-on.
In the Application SPN box, type the SPN, and then click OK. You can set the SPN explicitly, or you can use the wildcard * (for example, owa/*).
Note the following:
You must use the SPN explicitly if the SPN of this application was not defined in the default format SPNs (service name/hostname) in the application server. This might happen when an application is published as part of a load-balanced Web farm, and runs with an application account identity and not with a computer account identity.
If you choose to use a wildcard, the addresses for all the servers of this application (defined on the Web Servers tab) cannot be IP addresses, but must be host names. The wildcard is translated to each of the host names defined on the Web Servers tab. If the SPN of the application in the application server is defined as a fully qualified domain name (FQDN), Forefront UAG translates it to two SPNs: host name and FQDN (for example, owa and owa.contoso.com). If the application's SPN in the application server is defined as a host name, Forefront UAG translates it to two SPNs: a hostname and an FQDN with the Forefront UAG Domain Name System domain.
Repeat Step 3 for all applications that you want to publish using Kerberos constrained delegation.
Note
Note that the File Access application does not support use of Kerberos constrained delegation (KCD) to provide single sign-on (SSO) functionality.
Configuring Active Directory computer accounts for Kerberos constrained delegation
To configure Active Directory computer accounts for Kerberos constrained delegation
To register the SPNs, create a file containing a list of SPNs. The SPNs in this file represent the applications for which Forefront UAG enables Kerberos constrained delegation. You can create this file as a simple text file, from where the Active Directory domain administrator must manually copy the information to Active Directory Domain Services, or you can create this file as a Lightweight Directory Access Protocol Data Interchange Format (LDIF) file, that the Active Directory domain administrator can import into Active Directory Domain Services by using the standard Windows utility ldifde. For more information, see Delegating authentication (https://go.microsoft.com/fwlink/?LinkId=138436).
Create the file as follows:
In the Forefront UAG Management console, on the menu, click Admin, and then click Export KCD Settings to Active Directory.
On the Active Directory Delegation dialog box, click either Export settings to a text file or Export settings to an LDIF file.
Save the file, and then transfer it to the Active Directory domain administrator. It is recommended that the LDIF file is used soon after it is created, to ensure consistency in Active Directory Domain Services settings.
Note
If you use an LDIF file to configure delegation in Active Directory Domain Services, the LDIF file replaces the existing delegation information in Active Directory Domain Services with the information in the file, thus deleting any delegation settings that were configured manually. If any settings that were configured manually need to be preserved, when you transfer the LDIF file to the Active Directory domain administrator, advise them to note the existing settings before they import the LDIF file, and then manually re-apply the settings that were deleted.
Specifying how Kerberos performs backend authentication
To specify how backend authentication is performed
On the Forefront UAG server, run Regedit.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter.
Modify or create the DWORD value KCDUseUPN as follows:
To perform Kerberos authentication using UPN, set the DWORD value to 1.
To perform Kerberos authentication using the format DOMAIN\UserName, set the DWORD value to 0. If no value is set, DOMAIN\UserName will be used.