This article describes how to configure Active Directory to use Kerberos Constrained Delegation with Forefront TMG.
As Alex already explained in a previous article, TMG acts as a proxy that secures backend servers by reducing the attack surface. Primarily, it reduces the number of ports that are accessible from the Internet, and it allows only authenticated traffic to reach backend servers running Outlook Web Access, SharePoint, and other web servers and applications.
Kerberos Constrained Delegation vs. Basic Delegation
TMG contains a mechanism called credential delegation, the simplest form being Basic delegation. Basic authentication is enabled on the TMG listener, and the credentials that the user provides are simply forwarded to the published backend server, which also has to use Basic authentication. If the backend server is configured with Integrated Authentication, Basic delegation will not work. Basic delegation is simple and effective.
Author: Simon Simcic
Copyright © 2006-2011, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0
How to use Kerberos Constrained Delegation with Forefront TMG