Configuring single sign-on with Kerberos constrained delegation

Published: January 11, 2010

Updated: February 1, 2011

Applies To: Unified Access Gateway

One of the technologies used by Forefront Unified Access Gateway (UAG) to accomplish single sign-on functionality is Kerberos constrained delegation. Kerberos constrained delegation enables users to access a Forefront UAG site, using strong authentication such as smart-card authentication or one-time passwords. Users authenticate once only, and are not required to supply their credentials to log on to applications that require authentication. For more information about Kerberos constrained delegation technology, see Kerberos Protocol Transition and Constrained Delegation (

The following are the requirements for Kerberos constrained delegation:

  • The Forefront UAG server must be part of a domain.

  • You must define only one authentication server for the trunk to which the application belongs.

  • All domain controllers in the internal network must be running Windows Server 2003.

  • Users must be part of the same Active Directory forest as the Forefront UAG server and the application servers.

  • Forefront UAG servers and application servers must be part of the same domain.

The following procedures describe:

To configure Kerberos constrained delegation for an application

  1. In the Forefront UAG Management console, in the Applications group box, click the application, and then click Edit.

  2. On the Application Properties dialog box, click the Authentication tab.

  3. On the Authentication tab, do the following:

    1. Select Use single sign-on to send credentials to published applications.

    2. Click Use Kerberos constrained delegation for single sign-on.

    3. In the Application SPN box, type the SPN, and then click OK. You can set the SPN explicitly, or you can use the wildcard * (for example, owa/*).

      Note the following:

      • You must use the SPN explicitly if the SPN of this application was not defined in the default format SPNs (service name/hostname) in the application server. This might happen when an application is published as part of a load-balanced Web farm, and runs with an application account identity and not with a computer account identity.

      • If you choose to use a wildcard, the addresses for all the servers of this application (defined on the Web Servers tab) cannot be IP addresses, but must be host names. The wildcard is translated to each of the host names defined on the Web Servers tab. If the SPN of the application in the application server is defined as a fully qualified domain name (FQDN), Forefront UAG translates it to two SPNs: host name and FQDN (for example, owa and If the application's SPN in the application server is defined as a host name, Forefront UAG translates it to two SPNs: a hostname and an FQDN with the Forefront UAG Domain Name System domain.

  4. Repeat Step 3 for all applications that you want to publish using Kerberos constrained delegation.

    Note that the File Access application does not support use of Kerberos constrained delegation (KCD) to provide single sign-on (SSO) functionality.
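The wildcard rule above (one service prefix expanded to a host-name SPN and an FQDN SPN for every server on the Web Servers tab) is easy to get wrong when a server is listed by IP address or when an SPN is missing or registered twice in the directory. The following PowerShell is an added example, not code from the Forefront UAG product or its documentation: it reproduces the expansion as the text describes it and then checks each resulting SPN against Active Directory. The server names and DNS domain are constructed placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not Forefront UAG code): expand a wildcard SPN the way the
# text describes and check that each SPN is registered on exactly one account.
# Assumes the ActiveDirectory module; host names and domain are placeholders.
Import-Module ActiveDirectory

function Expand-WildcardSpn {
    param(
        [Parameter(Mandatory)] [string]   $WildcardSpn,    # e.g. 'owa/*'
        [Parameter(Mandatory)] [string[]] $WebServerHost,  # entries from the Web Servers tab
        [Parameter(Mandatory)] [string]   $DnsDomain       # DNS domain of the UAG server
    )
    if ($WildcardSpn -match '^([^/]+)/\*$') {
        $service = $Matches[1]
    } else {
        return ,$WildcardSpn          # explicit SPN: passed through unchanged
    }
    foreach ($h in $WebServerHost) {
        if ($h -match '^\d{1,3}(\.\d{1,3}){3}$') {
            throw "Web server '$h' is an IP address; a wildcard SPN requires host names."
        }
        $short = ($h -split '\.')[0]
        $fqdn  = if ($h -like '*.*') { $h } else { "$h.$DnsDomain" }
        "$service/$short"             # host-name form
        "$service/$fqdn"              # FQDN form
    }
}

function Test-SpnRegistration {
    param([Parameter(Mandatory)] [string[]] $Spn)
    foreach ($s in $Spn) {
        # Every account (computer or service account) holding this SPN.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$s)")
        $status = if ($owners.Count -eq 0) { 'MISSING' }
                  elseif ($owners.Count -eq 1) { 'OK' }
                  else { 'DUPLICATE' }   # duplicate SPNs break Kerberos for this service
        [pscustomobject]@{
            SPN    = $s
            Status = $status
            Owners = ($owners.DistinguishedName -join '; ')
        }
    }
}

# Constructed sample input: one short name, one FQDN, as they might appear on the tab.
$spns = Expand-WildcardSpn -WildcardSpn 'owa/*' `
                           -WebServerHost 'mail01', 'mail02.corp.example' `
                           -DnsDomain 'corp.example'
$spns | Test-SpnRegistration | Format-Table -AutoSize
```

A MISSING result means the SPN must be set explicitly on the account the application runs under (the load-balanced farm case the text mentions); a DUPLICATE result must be resolved before single sign-on will work, because the KDC cannot choose between two accounts holding the same SPN.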

To configure Active Directory computer accounts for Kerberos constrained delegation

  • To register the SPNs, create a file containing a list of SPNs. The SPNs in this file represent the applications for which Forefront UAG enables Kerberos constrained delegation. You can create this file as a simple text file, from which the Active Directory domain administrator must manually copy the information to Active Directory Domain Services, or you can create it as a Lightweight Directory Access Protocol Data Interchange Format (LDIF) file that the Active Directory domain administrator can import into Active Directory Domain Services by using the standard Windows utility ldifde. For more information, see Delegating authentication (

    Create the file as follows:

    1. In the Forefront UAG Management console, on the menu, click Admin, and then click Export KCD Settings to Active Directory.

    2. On the Active Directory Delegation dialog box, click either Export settings to a text file or Export settings to an LDIF file.

    3. Save the file, and then transfer it to the Active Directory domain administrator. It is recommended that the LDIF file be used soon after it is created, to ensure consistency with the Active Directory Domain Services settings.

If you use an LDIF file to configure delegation in Active Directory Domain Services, the LDIF file replaces the existing delegation information in Active Directory Domain Services with the information in the file, thus deleting any delegation settings that were configured manually. If any settings that were configured manually need to be preserved, when you transfer the LDIF file to the Active Directory domain administrator, advise them to note the existing settings before they import the LDIF file, and then manually re-apply the settings that were deleted.
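Because the LDIF import replaces the delegation list rather than merging into it, the domain administrator needs a record of the current list before importing and a way to see what the import removed. The following PowerShell is an added example, not a Forefront UAG tool: it saves the current constrained-delegation targets of the UAG server's computer account (the msDS-AllowedToDelegateTo attribute, which is where Active Directory stores them), runs ldifde on the exported file, and lists the entries that were added or removed. The computer name and file paths are constructed placeholders; the LDIF file is assumed to be the one exported from the Forefront UAG Management console.

```powershell
# Added example (not Forefront UAG code): back up the delegation list, import
# the UAG-exported LDIF with ldifde, and report what changed.
# Assumes the ActiveDirectory module and domain-administrator rights.
# Computer name and paths are constructed placeholders.
Import-Module ActiveDirectory

# Constrained-delegation targets are stored on the delegating account, i.e.
# the Forefront UAG server's computer account, in this attribute.
$attr = 'msDS-AllowedToDelegateTo'

function Get-DelegationList {
    param([Parameter(Mandatory)] [string] $ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties $attr
    @($c.$attr | Sort-Object)
}

function Import-UagKcdLdif {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # e.g. 'UAG01' (placeholder)
        [Parameter(Mandatory)] [string] $LdifPath,       # file exported from the UAG console
        [Parameter(Mandatory)] [string] $BackupPath      # where the pre-import list is saved
    )
    $before = Get-DelegationList -ComputerName $ComputerName
    $before | Set-Content -Path $BackupPath
    Write-Host "Saved $($before.Count) existing delegation entries to $BackupPath"

    # ldifde: -i import mode, -f input file.
    & ldifde.exe -i -f $LdifPath
    if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

    $after = Get-DelegationList -ComputerName $ComputerName

    # Entries present only in the backup were dropped by the import; as the text
    # warns, any that were configured manually must be re-applied by hand.
    foreach ($spn in ($before | Where-Object { $_ -notin $after })) {
        [pscustomobject]@{ Change = 'REMOVED'; SPN = $spn }
    }
    foreach ($spn in ($after | Where-Object { $_ -notin $before })) {
        [pscustomobject]@{ Change = 'ADDED'; SPN = $spn }
    }
}

# Example invocation with constructed paths:
# Import-UagKcdLdif -ComputerName 'UAG01' `
#                   -LdifPath   'C:\kcd\uag-kcd.ldf' `
#                   -BackupPath 'C:\kcd\delegation-before.txt'
```

Keeping the backup file with the change record gives the administrator both the list to restore from and the evidence of what the import changed, which is what the recommendation to note existing settings before the import is asking for.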

To specify how backend authentication is performed

  1. On the Forefront UAG server, run Regedit.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter.

  3. Modify or create the DWORD value KCDUseUPN as follows:

    1. To perform Kerberos authentication using UPN, set the DWORD value to 1.

    2. To perform Kerberos authentication using the format DOMAIN\UserName, set the DWORD value to 0. If no value is set, DOMAIN\UserName will be used.
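The registry step above is simple to set but easy to misread afterwards, because an absent value and a value of 0 mean the same thing. The following PowerShell is an added example, not part of the Forefront UAG product: it reads KCDUseUPN from the key named in the procedure, reports the effective format with a missing value treated as DOMAIN\UserName exactly as the text states, and sets the value as a DWORD. The function names are this example's own; run it in an elevated PowerShell session on the Forefront UAG server.

```powershell
# Added example (not Forefront UAG code): read and set KCDUseUPN and report
# the effective user-name format for backend Kerberos authentication.
# Key and value name are the ones given in the procedure; function names are
# this example's own. Run elevated on the Forefront UAG server.
$kcdKey  = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter'
$kcdName = 'KCDUseUPN'

function Get-KcdUserNameFormat {
    $value = (Get-ItemProperty -Path $kcdKey -Name $kcdName -ErrorAction SilentlyContinue).$kcdName
    if ($null -eq $value) { $value = 0 }      # no value set: DOMAIN\UserName is used
    switch ($value) {
        1       { 'UPN' }
        0       { 'DOMAIN\UserName' }
        default { "value $value is not one of the documented settings (0 or 1)" }
    }
}

function Set-KcdUserNameFormat {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('UPN', 'DomainUserName')]
        [string] $Format
    )
    $value = if ($Format -eq 'UPN') { 1 } else { 0 }
    if (-not (Test-Path $kcdKey)) { New-Item -Path $kcdKey -Force | Out-Null }
    # Creates the DWORD if it is missing, otherwise overwrites it in place.
    New-ItemProperty -Path $kcdKey -Name $kcdName -PropertyType DWord -Value $value -Force | Out-Null
    Get-KcdUserNameFormat     # read back so the caller sees the effective setting
}

"Current backend authentication format: $(Get-KcdUserNameFormat)"
# To switch to UPN:
# Set-KcdUserNameFormat -Format UPN
```

Reading the value back through the same function used for reporting avoids the common mistake of creating the value as a string (REG_SZ) rather than a DWORD, which the read-back would show as a non-numeric value rather than UPN or DOMAIN\UserName.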