About delegation of credentials
In Web publishing scenarios, Microsoft Forefront Threat Management Gateway can validate the client's credentials and then forward or delegate the credentials to the published server for authentication. The following authentication delegation options are available:
- No delegation, and client cannot authenticate directly
- No delegation, but client may authenticate directly
- Basic authentication
- NTLM authentication
- Negotiate (Kerberos/NTLM)
- RSA SecurID
- Kerberos constrained delegation
Note
The delegation methods available vary according to the type of publishing rule you create and the type of authentication used by the Web listener.
No delegation, and client cannot authenticate directly
No credentials are passed to the published server. If the published server requires authentication, a Forefront TMG alert is triggered.
No delegation, but client may authenticate directly
Forefront TMG passes the user's credentials to the published server without performing any additional action. The client and the published server then negotiate the authentication. This is typically used in a scenario where the published server requires some proprietary form of authentication.
Note
When this option is selected in a Web publishing rule and the Web listener is configured to apply no authentication and not to require all users to authenticate, Forefront TMG blocks HTTP requests for the published Web site and returns error 403 (Forbidden), even if the Web site does not require authentication.
Basic authentication
In Basic authentication, credentials are forwarded in plaintext to the published server that requires credentials. If authentication fails, Forefront TMG prompts the user for authentication according to the authentication type configured on the Web listener. If the published server requires a different type of credentials, a Forefront TMG alert is triggered.
NTLM authentication
In NTLM delegation, Forefront TMG delegates the credentials by using the NTLM challenge/response authentication protocol. If authentication fails, Forefront TMG provides the Web server's failure notice to the client. If the published server requires a different type of credentials, a Forefront TMG alert is triggered.
Negotiate (Kerberos/NTLM)
When you select Negotiate as a delegation method, Forefront TMG first attempts to obtain a Kerberos ticket for the client from the domain controller. If Forefront TMG does not receive the Kerberos ticket, it uses the negotiate scheme to delegate the credentials by using NTLM. If Forefront TMG receives the Kerberos ticket, it uses the negotiate scheme to delegate the credentials by using Kerberos. If authentication fails, Forefront TMG provides the Web server's failure notice to the client. If the published server requires a different type of credentials, a Forefront TMG alert is triggered.
Note
The default service principal name used to obtain the ticket is http/internalsitename. In the case of a server farm, the service principal name is the name of the farm. The default service principal name can be changed in Forefront TMG Management on the Authentication Delegation tab of the rule.
RSA SecurID
When a client provides SecurID credentials, you can use SecurID delegation. Forefront TMG passes the proprietary SecurID cookie to the published server. Note that Forefront TMG and the published server must have the same domain secret and cookie name.
Kerberos constrained delegation
With the other types of delegation, Forefront TMG can delegate credentials only when client credentials are received by using Basic or forms-based authentication. With Kerberos constrained delegation, Forefront TMG can also accept other types of client credentials, such as client certificates. To use Kerberos constrained delegation, the Forefront TMG computer account must be enabled for delegation on the domain controller, constrained to a specific service principal name.
If authentication fails, Forefront TMG provides the Web server's failure notice to the client. If the published server requires a different type of credentials, a Forefront TMG alert is triggered.
Note
Use of Kerberos constrained delegation requires that you configure Active Directory to recognize Forefront TMG as trusted for delegation.
The default service principal name used to obtain the ticket is http/internalsitename. In the case of a server farm, the service principal name is the name of the farm. The default service principal name can be changed in Forefront TMG Management on the Authentication Delegation tab of the rule.
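The two notes above describe the Active Directory prerequisites for Kerberos constrained delegation (a registered service principal name and a Forefront TMG computer account trusted for delegation to that name) without showing how an administrator verifies them. The following PowerShell script is an added example, not part of the Forefront TMG documentation; it assumes the ActiveDirectory module (RSAT) is installed where it runs, that the Forefront TMG computer account is named TMG01, and that the rule uses the default service principal name http/internalsitename.

```powershell
# Added example (not from the Forefront TMG documentation): check the Active
# Directory prerequisites for Kerberos constrained delegation from Forefront TMG.
# Assumptions: TMG computer account 'TMG01' (hypothetical name), the page's default
# SPN 'http/internalsitename', and the ActiveDirectory module available locally.
Import-Module ActiveDirectory

$tmgAccount = 'TMG01'                  # assumed name of the Forefront TMG computer account
$targetSpn  = 'http/internalsitename'  # default SPN from the page; adjust to the rule's setting

# 1. The SPN must be registered on exactly one account. A missing SPN means no
#    Kerberos ticket can be obtained; a duplicate SPN makes ticket requests fail.
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$targetSpn)" -Properties servicePrincipalName)
switch ($spnOwners.Count) {
    0       { Write-Warning "SPN $targetSpn is not registered on any account." }
    1       { Write-Output  "SPN $targetSpn is registered on $($spnOwners[0].DistinguishedName)." }
    default { Write-Warning "SPN $targetSpn is registered on $($spnOwners.Count) accounts (duplicate SPN)." }
}

# 2. The TMG computer account must be trusted for delegation, constrained to that SPN.
#    msDS-AllowedToDelegateTo holds the list of SPNs the account may delegate to.
$tmg = Get-ADComputer -Identity $tmgAccount -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
$allowed = @($tmg.'msDS-AllowedToDelegateTo')
if ($allowed -contains $targetSpn) {
    Write-Output "$tmgAccount is constrained to delegate to $targetSpn."
} else {
    Write-Warning "$tmgAccount is not constrained to $targetSpn. Current list: $($allowed -join ', ')"
}

# 3. TMG accepts client credentials that are not Kerberos (forms, certificates) and
#    then requests a ticket on the client's behalf, so the account also needs
#    protocol transition ("Use any authentication protocol") enabled.
if ($tmg.TrustedToAuthForDelegation) {
    Write-Output "$tmgAccount is enabled for protocol transition."
} else {
    Write-Warning "$tmgAccount is not enabled for protocol transition (TrustedToAuthForDelegation is false)."
}
```

Run the script from an account with read access to the directory after configuring the rule's Authentication Delegation tab. Each of the three checks maps to a distinct failure mode: the first explains a Negotiate rule silently falling back to NTLM or raising an alert, the second and third explain a Kerberos constrained delegation rule that never produces a usable ticket. Keep the delegation list constrained to the SPNs the rule actually needs rather than granting unconstrained delegation to the TMG account.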
Valid combinations of client credentials and delegation methods
Specific delegation methods are valid for different types of client credentials. The following table summarizes the valid combinations.
Receipt of client credentials | Authentication provider | Delegation | Comments |
---|---|---|---|
Forms-based authentication; Basic | Active Directory; LDAP (Active Directory); RADIUS | No delegation, but client may authenticate directly; No delegation, and client cannot authenticate directly; Basic; NTLM; Negotiate; Kerberos constrained delegation | Single sign-on is supported for forms-based authentication, but not for Basic authentication. An additional client certificate can be required (two-factor authentication). |
Digest; Integrated | Active Directory | No delegation - allow end-to-end delegation; No delegation - do not allow end-to-end delegation; Kerberos constrained delegation | None |
HTML form with one-time password | SecurID; RADIUS one-time password | No delegation, but client may authenticate directly; No delegation, and client cannot authenticate directly; Kerberos constrained delegation | Single sign-on is supported. |
HTML form with collection of additional credentials | SecurID; RADIUS one-time password | No delegation, but client may authenticate directly; No delegation, and client cannot authenticate directly; Basic; NTLM; Negotiate; Kerberos constrained delegation | Single sign-on is supported. |
Client certificate | Active Directory | No delegation, but client may authenticate directly; No delegation, and client cannot authenticate directly; Kerberos constrained delegation | None |
For more information about authentication in Forefront TMG, see