
How to use Kerberos Constrained Delegation with Forefront TMG


#1 Michael Pietroforte


Posted 13 July 2011 - 09:30 PM

This article describes how to configure Active Directory to use Kerberos Constrained Delegation with Forefront TMG.

As Alex already explained in a previous article, TMG secures backend servers as a proxy by reducing the attack surface. Primarily, it reduces the number of ports that are accessible from the Internet, and it allows only authenticated traffic to reach backend servers running Outlook Web Access, SharePoint, and other web servers and applications.

Kerberos Constrained Delegation vs. Basic Delegation
TMG contains a mechanism called credential delegation, the simplest form being Basic delegation. Basic authentication is enabled on the TMG listener, and the credentials that the user provides are simply forwarded to the published backend server, which also has to use Basic authentication. If the backend server is configured with Integrated authentication, it will not work. Basic delegation is simple and effective.

… read more of How to use Kerberos Constrained Delegation with Forefront TMG

Author: Simon Simcic
Copyright © 2006-2011, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0
