Configuring single sign-on with Kerberos constrained delegation to non-claims-aware applications
Updated: July 31, 2012
Applies To: Unified Access Gateway
When you publish applications through Forefront Unified Access Gateway (UAG) that support the Kerberos version 5 protocol, and you use claims-based trunk authentication, Forefront UAG can provide single sign-on (SSO) to the published application using Kerberos constrained delegation. In this topology, Forefront UAG requests a Kerberos ticket on behalf of the user and uses it to authenticate to the published application.
In this topology, you must define claim transformation rules on the federation server that take the incoming claims from the partner user and modify them such that the partner user signs in to the published application that supports Kerberos with the credentials of the shadow user that you define.
Important
When you define the rules, take care that they do not allow partner users to sign in with elevated security privileges within your organization.
Prerequisites
Make sure that the claims that you want to send to Forefront UAG are published in the federation metadata.
Claim rule recommendations
When configuring claim transformation rules, use the following recommendations. For information about the claim rule language, see The Role of the Claim Rule Language (https://go.microsoft.com/fwlink/?LinkId=199144).
Do not transform (using the Transform an Incoming Claim, Pass Through or Filter an Incoming Claim, or Send Claims Using a Custom Rule templates) any claim types from the partner federation server into the shadow user claim type. Additionally, all of the claim types of the shadow users should be based on information that is only available within your organization. For example, in the following custom transformation rule, the incoming claim is reissued by your AD FS 2.0 server, which could reduce the security of your deployment.
c: [type = "https://www.contoso.com/uag/kcd/shadowuser"] => issue(claim = c);
Do not transform (using the Transform an Incoming Claim, Pass Through or Filter an Incoming Claim, or Send Claims Using a Custom Rule templates) any claim values from the partner user into the shadow user claim value. For example, in the following custom transformation rule, your AD FS 2.0 server issues a claim that contains the claim value provided by the partner user, which could reduce the security of your deployment.
c: [type = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] => issue(type = "https://www.contoso.com/uag/kcd/shadowuser", value = c.value);
Make sure that the claim type and value that you are using for Kerberos constrained delegation are output by the claim rules that you configure.
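The following added example (not part of the original topic and not Microsoft code) is a text-level check that flags the two rule patterns described above in an exported rule set before it is deployed. Assumptions: the shadow user claim type is the URI used in this topic's examples, the function name lint_rules and the account name partner_shadow are hypothetical, and conditions may be written with either = or ==.

```python
import re

# Assumption: the claim type selected for KCD in Forefront UAG (URI from this topic's examples).
SHADOW_TYPE = "https://www.contoso.com/uag/kcd/shadowuser"

RULE = re.compile(r"(?P<cond>[^;]*?)=>\s*(?:issue|add)\s*\((?P<body>[^;]*)\)\s*;", re.S)
COND = re.compile(r"(\w+)\s*:\s*\[([^\]]*)\]")            # e.g.  c: [type = "..."]
TYPE_EQ = re.compile(r'\btype\s*==?\s*"([^"]*)"', re.I)   # accepts "=" or "=="

# Constructed sample: the two rules from this topic, then a rule with a fixed, internal value.
SAMPLE = r'''
c: [type = "https://www.contoso.com/uag/kcd/shadowuser"] => issue(claim = c);
c: [type = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"] => issue(type = "https://www.contoso.com/uag/kcd/shadowuser", value = c.value);
=> issue(type = "https://www.contoso.com/uag/kcd/shadowuser", value = "partner_shadow");
'''


def lint_rules(text, shadow_type=SHADOW_TYPE):
    """Return (rule_number, finding) pairs for rules that let partner data reach the shadow user claim."""
    findings = []
    for number, rule in enumerate(RULE.finditer(text), start=1):
        body = rule.group("body")
        # Map each condition variable to the incoming claim type it is pinned to (None = any type).
        bound = {}
        for var, cond in COND.findall(rule.group("cond")):
            m = TYPE_EQ.search(cond)
            bound[var] = m.group(1) if m else None
        # Recommendation 1: an incoming claim is reissued as-is and may carry the shadow type.
        copied = re.search(r"\bclaim\s*=\s*(\w+)", body)
        if copied and bound.get(copied.group(1)) in (None, shadow_type):
            findings.append((number, "incoming claim reissued; may carry the shadow user claim type"))
        # Recommendation 2: the shadow claim is issued with a value copied from an incoming claim.
        out_type = TYPE_EQ.search(body)
        copies_value = re.search(r"\bvalue\s*=\s*\w+\.value\b", body, re.I)
        if out_type and out_type.group(1) == shadow_type and copies_value:
            findings.append((number, "shadow user claim value copied from an incoming claim"))
    return findings


if __name__ == "__main__":
    for number, finding in lint_rules(SAMPLE):
        print(f"rule {number}: {finding}")
```

The check is conservative: a pass-through rule whose condition does not pin the incoming claim to a specific type is also flagged, because it could reissue a shadow user claim sent by the partner.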
To configure SSO with Kerberos constrained delegation
Configure Forefront UAG and Active Directory Domain Services (AD DS) as described in Configuring single sign-on with Kerberos constrained delegation.
Define a shadow user or set of users in AD DS that will be used as the partner employee accounts when partner employees log on to the Forefront UAG trunk and access non-claims-aware applications.
On your AD FS 2.0 server (the resource federation server), configure claim transformation rules to provide values for the shadow user name.
When you configure Kerberos constrained delegation on Forefront UAG, you select a claim type whose value will be used as the user name when performing Kerberos constrained delegation. The claim type value is the shadow user name value, which is stored in AD DS.
For information about creating claim transformation rules, see When to Use a Transform Claim Rule (https://go.microsoft.com/fwlink/?LinkId=198271) and Create a Rule to Transform an Incoming Claim (https://go.microsoft.com/fwlink/?LinkId=198272).
In the Forefront UAG Management console, in the Applications area, click the published application, and then click Edit.
On the Application Properties dialog box, click the Authentication tab.
On the Authentication tab, make sure that the Use SSO check box is selected, and then click Use Kerberos constrained delegation for single sign-on.
In the Application SPN box, enter the application service principal name (SPN). Make sure that the Use the value from this claim type as the shadow account user name for KCD when using federated authentication check box is selected.
In the drop-down list, select the claim type for the shadow account user name.
The drop-down list shows the friendly name for each claim type instead of the full URI.
Note
Forefront UAG supports only English characters in the claim type.
On the Application Properties dialog box, click OK.
Activate the configuration.