About publishing applications to users located on corporate networks with IAG SP2
Updated: February 10, 2010
Applies To: Intelligent Application Gateway (IAG)
You can publish applications to users located on corporate networks with IAG by using Integrated Windows authentication. Integrated Windows authentication uses the NTLM, Kerberos, and Negotiate authentication mechanisms. For your security, these forms of authentication hash the user name and password before sending them across the network. When you enable NTLM, Kerberos, or Negotiate authentication, the user's browser proves its knowledge of the password through a cryptographic exchange with your Web server, involving hashing. For more information about Integrated Windows authentication, see Integrated Windows Authentication (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=136281&clcid=0x409).
When you enable Integrated Windows authentication in IAG, IAG functions not only as the gateway from the Internet into the organization but also as a gateway from within the corporate network to the more secure data center within that network. In this scenario, internal users who are logged on to the Active Directory domain are not prompted for their credentials, thus making for transparent authentication and a smooth user experience.
The following are the requirements for working with Integrated Windows authentication in IAG:
The IAG server must be a member of an Active Directory domain.
Transparent authentication is available only for users who log on to the Active Directory domain from a client computer that is either a member of the same Active Directory forest as the IAG server or a member of a trusted forest. All other users are presented with a Web browser authentication prompt.
To enable transparent authentication in Windows Internet Explorer, the public host name of the IAG trunk must be one of the following:
Included in the browser's local intranet zone.
Added to the browser's trusted sites zone.
Note: If this trunk also publishes SharePoint Products and Technologies with alternate access mapping, all the relevant host names need to be enabled for transparent authentication on the browser as well.
For Integrated Windows authentication to work with Kerberos authentication, the public host name of the trunk must be defined as an additional Service Principal Name (SPN) of the IAG server by the Active Directory domain administrator. For more information, see Setspn Examples (http://go.microsoft.com/fwlink/?LinkId=133778&clcid=0x409).
Note: If this trunk also publishes SharePoint Products and Technologies with alternate access mapping, all the relevant host names need to be defined as additional SPNs of the IAG server as well.
The following are the limitations of working with Integrated Windows authentication in IAG:
You cannot use Integrated Windows authentication with Web mail trunks. Only portal and basic trunks are supported.
HTTPS redirect is not supported for trunks configured with Integrated Windows authentication.
Integrated Windows authentication is not supported for users who access IAG with Microsoft Office applications outside of an existing IAG session. In this case, users are presented with a Basic authentication prompt.
The following are our security recommendations:
It is recommended that Integrated Windows authentication be used only to publish applications to users located inside the corporate network, and not to Internet users.
If you use NTLM authentication with Integrated Windows authentication, it is recommended that you configure the IAG server to use NTLM version 2 and disable NTLM version 1.
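The three settings this page calls for (the additional SPN for Kerberos in the requirements above, the NTLM version 2 recommendation, and the browser zone entry for transparent authentication) as one PowerShell script. This is an added example, not part of the IAG documentation; portal.contoso.com, IAGSRV01 and the zone entry for contoso.com are placeholders you replace with your own trunk host name and IAG server computer account.

```powershell
# Added example (not from the IAG documentation). Placeholders:
#   portal.contoso.com  - public host name of the IAG trunk
#   IAGSRV01            - computer account of the IAG server
# Step 1 needs a domain administrator; step 2 runs on the IAG server;
# step 3 runs on the client (normally pushed by Group Policy instead).

$TrunkHost = 'portal.contoso.com'   # placeholder trunk public host name
$IagServer = 'IAGSRV01'             # placeholder IAG server account

# 1. Kerberos: register the trunk's public host name as an additional HTTP
#    SPN of the IAG server. "setspn -S" refuses to create a duplicate SPN
#    (older setspn versions only have -A, which does not check). A missing
#    or duplicate SPN makes Kerberos fail and the browser silently falls
#    back to NTLM, so list the SPNs afterwards to confirm the entry.
& setspn -S "HTTP/$TrunkHost" $IagServer
& setspn -L $IagServer

# 2. NTLM: on the IAG server, send only NTLMv2 and refuse LM and NTLMv1
#    responses. LmCompatibilityLevel 5 = "Send NTLMv2 response only.
#    Refuse LM & NTLM", which implements the recommendation above.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value 5 -Type DWord
(Get-ItemProperty -Path $LsaKey).LmCompatibilityLevel   # should now read 5

# 3. Client: put the trunk host name in Internet Explorer's Local intranet
#    zone so the browser authenticates without prompting. The value is the
#    zone number: 1 = Local intranet, 2 = Trusted sites. Only the public
#    host name of the trunk (and any SharePoint alternate access mapping
#    host names) should be added; the zone grants automatic logon.
$ZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneKey   = Join-Path $ZoneMap 'contoso.com\portal'   # placeholder: contoso.com / portal
New-Item -Path $ZoneKey -Force | Out-Null
Set-ItemProperty -Path $ZoneKey -Name 'https' -Value 1 -Type DWord
Get-ItemProperty -Path $ZoneKey | Select-Object https   # should show https : 1
```

Per-user registry edits like step 3 are fine for testing one client; for the whole corporate network use the Group Policy Site to Zone Assignment List so the entry is consistent and cannot be dropped by users.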
Authenticating to application servers
IAG can publish applications and authenticate users in order to verify their identity before allowing them to access a published application (for more information, see Preparing for authentication to application servers in IAG).
When working with Integrated Windows authentication, there are two options for authenticating to application servers for performing single sign-on:
Kerberos constrained delegation—When IAG uses Integrated Windows authentication to authenticate users, it does not have the user's password. Given this limitation, it is recommended that you use Kerberos constrained delegation to seamlessly authenticate to the application servers. For more information, see Configuring Kerberos constrained delegation with IAG SP2.
Authentication pass-through—For more information, see Publishing applications to users located on corporate networks with IAG SP2.
You can also configure credentials delegation. In this case, users are prompted for their domain credentials, after which they are passed to the application. For more information, see Preparing for authentication to application servers in IAG.