Authentication Methods
You can configure which authentication method to use, and you can configure different authentication methods for incoming and outgoing Web requests.
Forefront TMG supports the following built-in Windows authentication methods:
- Basic authentication.
- Digest authentication.
- Advanced Digest authentication.
- Integrated authentication.
- Secure Sockets Layer (SSL) certificates.
Forefront TMG also provides predefined authentication schemes, each defined by an FPCAuthenticationScheme object. The following authentication schemes are supplied with Forefront TMG:
- FBA with AD. A predefined authentication scheme that enables forms-based authentication using Active Directory.
- FBA with LDAP. A predefined authentication scheme that enables forms-based authentication of domain users using an LDAP server.
- FBA with RADIUS. A predefined authentication scheme that enables forms-based authentication using a RADIUS server.
- FBA with RADIUS OTP. A predefined authentication scheme that enables forms-based authentication using a RADIUS server in a one-time password (OTP) solution.
- LDAP. A predefined authentication scheme for authenticating domain users at workgroup Forefront TMG computers using the LDAP protocol.
- RADIUS. A predefined authentication scheme for authenticating users using the RADIUS protocol.
- SecurID. A predefined authentication scheme that enables forms-based (cookie) authentication using RSA SecurID.
Forefront TMG also supports third-party authentication schemes that are registered with Web filters. For more information about third-party authentication schemes, see the reference page for the FPCAuthenticationScheme object.
Microsoft Internet Explorer 7, Internet Explorer 6, and Internet Explorer 5 support all the authentication methods. Other Web browsers may support only Basic authentication. Be sure that the client Web browsers can use at least one of the authentication methods that you specify in the incoming Web request properties and outgoing Web request properties. Otherwise, the client will not be able to access the requested object.
The authentication method used for a Web request is determined by the properties (FPCWebListenerProperties) of the applicable Web listener and by the UseDigestSSP property of the FPCWebProxy object. A Web listener can be configured to authenticate Web requests with any of the built-in Windows authentication methods supported by Forefront TMG, or with any combination of these methods. Alternatively, a Web listener for incoming Web requests can be configured to use an authentication scheme defined by an FPCAuthenticationScheme object. Basic authentication can be combined with the LDAP or RADIUS authentication schemes. However, the Web listener for outgoing Web requests sent from a network can be configured to use only the built-in Windows authentication methods or the RADIUS authentication scheme.
Build date: 7/12/2010