Planning for backend authentication to published servers
Published: January 11, 2010
Updated: February 1, 2010
Applies To: Unified Access Gateway
Forefront Unified Access Gateway (UAG) allows you to delegate credentials, so that when a client authenticates during logon to a Forefront UAG site session, the credentials that are provided can be sent to backend servers that require authentication. This single sign-on (SSO) mechanism allows the user to log on to Forefront UAG with a single set of credentials that are then used to authenticate and gain access to any application for which the credentials are valid.
Forefront UAG can implement single sign-on by using session credentials to authenticate to published backend applications using the following methods:
Basic, NTLM, or HTTP forms authentication─Forefront UAG supports Basic, NTLM, and HTTP forms-based authentication. When a backend server requires Basic or NTLM authentication, it sends an HTTP 401 response to the Forefront UAG server. When a backend server requires HTTP forms-based authentication, Forefront UAG can be configured to provide the user credentials automatically.
Kerberos constrained delegation—Forefront UAG supports the use of Kerberos constrained delegation to authenticate users, after Forefront UAG has verified their identity by using a non-Kerberos authentication method.