Client authentication infrastructure design

Updated: June 1, 2010

Applies To: Unified Access Gateway

Forefront Unified Access Gateway (UAG) controls access to internal applications and resources that are published via Forefront UAG, by using client authentication.

Client authentication requires that you configure frontend authentication to verify the credentials of clients that connect to Forefront UAG portal and site sessions. If backend published servers require authentication, you must also set up authentication mechanisms for verifying client credentials on the backend servers. In addition, Forefront UAG supports single sign-on, which allows you to pass credentials supplied during session sign-on to the backend servers.

  1. You can implement frontend authentication to make sure that remote clients authenticate before establishing sessions to Forefront UAG sites and portal.

  2. In addition, you can require client authentication to published backend servers as follows:

    1. Use pass-through authentication so that clients authenticate on backend servers only.

    2. You can implement single sign-on so that clients need only specify credentials once by passing session credentials to backend servers using basic authentication (HTTP 401), an HTML form, Kerberos constrained delegation, or Active Directory Federation Services (AD FS).
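The following is an added illustration of the frontend/backend split described above; it is not Forefront UAG code or any Microsoft sample. It models a gateway that verifies credentials against a constructed frontend user directory, keeps a session, and then builds the backend request in either of two of the modes listed: pass-through (the gateway forwards only what the client itself sent, so the backend issues its own HTTP 401 challenge) or single sign-on with basic authentication (the gateway replays the credentials captured at session sign-on). The user directory, the session store, and the function names are assumptions made for the example.

```python
"""Model of gateway frontend authentication plus two backend modes
(pass-through and basic-auth single sign-on). Added example, not
Forefront UAG code; all names and data below are constructed."""
import base64
import hashlib
import hmac
import secrets

# Constructed frontend directory: username -> PBKDF2 digest of the password.
_SALT = b"constructed-salt"  # fixed so the example is deterministic


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


FRONTEND_USERS = {"alice": _digest("correct horse")}

# Session store: session id -> credentials captured at frontend sign-on.
SESSIONS: dict = {}


def frontend_login(username: str, password: str):
    """Verify credentials at the gateway; return a session id or None on failure."""
    stored = FRONTEND_USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _digest(password)):
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "password": password}
    return sid


def backend_request(sid: str, client_headers: dict, mode: str) -> dict:
    """Build the headers the gateway sends to a published backend server.

    "passthrough": forward the client's own Authorization header (if any), so
                   the backend challenges the client directly with HTTP 401.
    "sso_basic":   replace it with a Basic header built from the session
                   credentials, so the client is not prompted a second time.
    """
    session = SESSIONS.get(sid)
    if session is None:
        # No frontend session: the request must never reach a backend server.
        raise PermissionError("frontend authentication required")
    headers = {k: v for k, v in client_headers.items() if k.lower() != "authorization"}
    if mode == "passthrough":
        if "Authorization" in client_headers:
            headers["Authorization"] = client_headers["Authorization"]
    elif mode == "sso_basic":
        raw = f"{session['user']}:{session['password']}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    else:
        raise ValueError(f"unknown mode: {mode}")
    return headers


def decode_basic(header: str):
    """Parse a Basic Authorization header back into (user, password) for inspection."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password
```

The design point the model makes visible is where the credential lives: in pass-through mode the gateway only relays whatever the client presents, while in basic-auth single sign-on the gateway must retain the reusable password for the life of the session and inject it on every backend request. Kerberos constrained delegation, the third option in the list above, avoids holding the password by letting the gateway obtain service tickets on the user's behalf instead.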

The following infrastructure design is required for client authentication:

  1. Authentication servers, to verify client credentials during frontend and backend authentication. For more information, see the Access control for publishing planning guide.

  2. If you want to implement single sign-on using Kerberos constrained delegation, a Kerberos infrastructure must be configured. For more information, see Configuring single sign-on with Kerberos constrained delegation.

  3. If you want to use Active Directory Federation Services (AD FS), an AD FS server must be deployed. For more information, see Deploying federation with AD FS.