Configuring Kerberos constrained delegation with IAG SP1
Applies To: Intelligent Application Gateway (IAG)
This topic describes how to enable Kerberos constrained delegation in the Intelligent Application Gateway (IAG) 2007 with Service Pack 1. This setting enables users to access both the IAG site and the applications that are enabled through it by using client certificate authentication, such as smart card authentication. When this feature is enabled, users authenticate to the site by using a client certificate. They are not required to supply their credentials to log on to applications that require users' authentication.
To configure Kerberos constrained delegation with IAG SP1, do the following:
Check the requirements and known issues listed in the "Requirements" and "Known Issues" sections below.
Read the information in IAG_Before You Begin.
Configure KCD according to the instructions in Configuring Kerberos constrained delegation with IAG SP1.
In some cases you might want to revert a configuration prior to configuring Kerberos constrained delegation in SP1. To do this, see Undoing IAG SP1 Kerberos constrained delegation settings before configuring Kerberos in IAG SP2.
Note
You must have administrative privileges in the domain controller and in the local computer to perform the procedures described in this section.
Requirements
The following are the requirements for Kerberos constrained delegation:
Microsoft .NET Framework version 2.0 must be installed on the same computer that the IAG is installed on.
Microsoft Windows Server® 2003 R2, Service Pack 2 (SP2) must be installed.
An Active Directory repository is used for authentication.
The IAG server must be a domain member.
This feature is applicable only for HTTPS Connections trunks.
The IAG trunk for which you are enabling this feature must be fully configured and active prior to the configuration of this feature:
All the applications for which you want to enable Kerberos constrained delegation are configured in the trunk.
The trunk is activated.
Known issues
The following are known issues:
Disabling or deleting a trunk that is configured for Kerberos constrained delegation can only be performed on a trunk for which the configuration of Kerberos constrained delegation was removed.
When adding a SharePoint® 2007 application to a trunk configured for Kerberos constrained delegation, the Web server address can only be a host name and not an IP.
You can only configure one SharePoint product in the portal, either Microsoft Office SharePoint Server 2007 or Microsoft Office SharePoint Portal Server 2003.
Microsoft Office 2007 integration with SharePoint Products and Technologies is not supported.
Microsoft Office SharePoint Portal Server 2003 and Microsoft Office SharePoint Server 2007 do not support Kerberos constrained delegation by default. To enable Kerberos constrained delegation authentication, follow the instructions in KB article 832769.
The Web monitor built-in service application does not work with trunks configured to Kerberos constrained delegation.
HTTPS trunks that are the target of HTTP redirect trunks cannot be configured to Kerberos constrained delegation.