Publishing applications to users located on corporate networks with IAG SP2
Updated: February 10, 2010
Applies To: Intelligent Application Gateway (IAG)
You can publish applications to users that are located on your corporate network with Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2) by configuring Integrated Windows authentication on a trunk.
Note: Before you start the configuration process, be sure to read the requirements and limitations that are described in About publishing applications to users located on corporate networks with IAG SP2.
Configuring a trunk with Integrated Windows authentication
To configure a trunk with Integrated Windows authentication
Create a new trunk as described in the procedure in Publishing applications in an IAG portal or Publishing a single Web application directly with IAG or select an existing trunk.
Note: You can only use Integrated Windows authentication with portal and basic trunks; you cannot use it with Web mail trunks.
Note: The authentication server that you select during trunk configuration must be an Active Directory authentication server that points to the Active Directory forest to which IAG belongs.
On the Configuration console, in the navigation tree, click the trunk that you created or selected in step 1 of this procedure, and then, next to Advanced Trunk Configuration, click the Configure button.
On the Advanced Trunk Configuration dialog box, click the Authentication tab. In the Authenticate user on session login group box, click Use Integrated Windows authentication. You must select at least one of the following protocols:
Enable NTLM protocol
Enable Kerberos protocol
On the Configuration console, on the toolbar, click the Activate Configuration icon, and then on the Activate Configuration dialog box, click Activate.
When the configuration is activated, the message "IAG configuration activated successfully" appears.
Authenticating to application servers for single sign-on
When working with Integrated Windows authentication, there are two options for authenticating to application servers for single sign-on:
Kerberos constrained delegation
Authentication pass-through
Using Integrated Windows authentication with Kerberos constrained delegation
When IAG uses Integrated Windows authentication to authenticate users, it does not have the user's password. Given this limitation, it is recommended to use Kerberos constrained delegation to seamlessly authenticate to the application servers. For more information, see Configuring Kerberos constrained delegation with IAG SP2.
Using Integrated Windows authentication with authentication pass-through
Note: If you want to use NTLM to authenticate to application servers, then you must make sure that the authentication to the trunk is done with NTLM.
To configure authentication pass-through
Follow the standard configuration procedure (for more information, see Preparing for authentication to application servers in IAG).
Note: Do not select Automatically reply to application-specific authentication requests.
In HTTPS trunks, IAG manipulates the authentication request of the application server. As a result, the user is presented with a credentials prompt. To eliminate the credentials prompt, perform the following procedure.
To eliminate the credentials prompt
On the IAG computer, click Start, and then click Run.
Type regedit, and then press ENTER.
In the Registry Editor, open the following registry key:
Right-click in the right pane, click New, and then click DWORD Value. Name the new value FullAuthPassthru.
Right-click FullAuthPassthru, and then click Modify. In the Value data box, type 1, and then click OK.
On the IAG computer, at a command prompt, type iisreset, and then press ENTER.
All existing IIS connections are reset.
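The registry change and IIS restart from the procedure above can also be scripted, which is useful when several IAG computers need the same setting or when you want to verify the value before resetting IIS. The following PowerShell script is an added example and is not part of the IAG documentation or product. It assumes that the registry key named in the procedure is passed in the $KeyPath parameter (for example as an HKLM: provider path); the key itself is not reproduced here, so take it from the procedure. The value name FullAuthPassthru and the data 1 are the ones the procedure uses.

```powershell
# Added example, not IAG product code: set FullAuthPassthru = 1 (DWORD) under the
# registry key from the procedure above, verify it, and then restart IIS.
# Assumption: $KeyPath is the registry key named in the procedure, written as a
# PowerShell registry provider path (HKLM:\...). Supply it on the command line.
param(
    [Parameter(Mandatory = $true)]
    [string]$KeyPath
)

$valueName = 'FullAuthPassthru'
$wanted    = 1

# Refuse to create the key: a typo here would silently put the value somewhere
# IAG never reads, and the credentials prompt would remain.
if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key '$KeyPath' does not exist; check the path from the procedure."
}

$current = Get-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction SilentlyContinue

if ($null -eq $current) {
    # Value is missing: create it as a DWORD, as the manual procedure does.
    New-ItemProperty -Path $KeyPath -Name $valueName -Value $wanted -PropertyType DWord | Out-Null
    Write-Host "Created $valueName = $wanted under $KeyPath"
}
elseif ($current.$valueName -ne $wanted) {
    # Value exists with other data (for example 0): change the data only.
    Set-ItemProperty -Path $KeyPath -Name $valueName -Value $wanted
    Write-Host "Changed $valueName to $wanted under $KeyPath"
}
else {
    Write-Host "$valueName is already $wanted under $KeyPath; nothing to change"
}

# Read the value back before touching IIS so a failed write is caught here.
$actual = (Get-ItemProperty -Path $KeyPath -Name $valueName).$valueName
if ($actual -ne $wanted) {
    throw "Verification failed: $valueName is '$actual', expected $wanted"
}

# As the procedure notes, this resets all existing IIS connections, so run it
# in a maintenance window.
iisreset
```

Run the script from an elevated PowerShell prompt on the IAG computer and pass the registry key from the procedure as -KeyPath. The script is idempotent: running it again when the value is already 1 changes nothing in the registry but still restarts IIS, so remove or guard the final iisreset if you only want to audit the setting.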
Authentication to application servers without single sign-on
If the application server does not use the same authentication server as the trunk, follow the standard configuration procedure (for more information, see Preparing for authentication to application servers in IAG). The user will need to provide credentials through a form login when accessing the application for the first time.