About authentication options
The type of authentication used in a Web publishing rule (including rules that publish Microsoft SharePoint sites and Microsoft Exchange Web client access) is specified in the configuration of the Web listener used by the rule. Web listener properties include how the client credentials are received and how they are validated. Delegation of credentials is configured in the rule itself rather than in the Web listener. For more information about delegating credentials, see About delegation of credentials.
For more information about authentication, see Overview of client authentication.
The authentication options that you select determine which other options are available. The following are examples:
- Single sign-on is available only if you select HTML Form Authentication.
- RADIUS one-time password (OTP) authentication is available only if you select HTML Form Authentication.
- Validation of credentials with Active Directory over LDAP is available only if you select HTTP Authentication with Basic authentication or HTML Form Authentication.
A publishing rule with a Web listener that uses a specific method of credentials validation must use a user set that is consistent with that validation method. For example, a publishing rule with a Web listener that uses LDAP credential validation must also use a user set that consists of LDAP users. It cannot include Active Directory users.
Important
When enabling single sign-on, be sure to provide a specific single sign-on domain. Providing a generic domain, such as .contoso.com, allows the Web browser to send the Microsoft Forefront Threat Management Gateway single sign-on cookie to any Web site in that domain, creating a security risk.
Valid combinations of client credentials and delegation methods
The authentication method that you select in a Web listener also affects the authentication delegation options that are available to you in publishing rules. The following table summarizes the valid combinations of authentication and delegation methods.
Receipt of client credentials | Authentication provider | Delegation | Comments |
---|---|---|---|
Forms-based authentication; Basic | Active Directory; LDAP (Active Directory); RADIUS | No delegation, but client may authenticate directly; No delegation, and client cannot authenticate directly; Basic; NTLM; Negotiate; Kerberos constrained delegation | Single sign-on is supported for forms-based authentication, but not for Basic authentication. An additional client certificate can be required (two-factor authentication). |
Digest; Integrated | Active Directory | No delegation, but client may authenticate directly; No delegation, and client cannot authenticate directly; Kerberos constrained delegation | |
HTML form with one-time password | RSA SecurID; RADIUS OTP | No delegation, but client may authenticate directly; No delegation, and client cannot authenticate directly; Kerberos constrained delegation | Single sign-on is supported. |
HTML form with collection of additional credentials | RSA SecurID; RADIUS OTP | No delegation, but client may authenticate directly; No delegation, and client cannot authenticate directly; Basic; NTLM; Negotiate; Kerberos constrained delegation | Single sign-on is supported. |
Client certificate | Active Directory | No delegation, but client may authenticate directly; No delegation, and client cannot authenticate directly; Kerberos constrained delegation | |