This article describes how to configure Active Directory to use Kerberos Constrained Delegation with Forefront TMG.

As Alex already explained in a previous article, TMG secures backend servers as a proxy by reducing the attack surface. Primarily it reduces the number of ports that are accessible from the Internet and it allows only authenticated traffic to access backend servers running Outlook Web Access, Sharepoint and other Web Servers and applications.

Kerberos Constrained Delegation vs. Basic Delegation

TMG contains a mechanism that is called credential delegation, the simplest one being Basic delegation. Basic authentication is enabled on the TMG listener and the credentials that the user provides are simply forwarded to the published backend server, which also has to use Basic Authentication. If the Backend server is configured with Integrated Authentication, it will not work. Basic Delegation is simple and effective.

The alternative to Basic Delegation is Kerberos Constrained Delegation, where the TMG server impersonates the user account to the backend server with a Kerberos Token. Kerberos is a token based authentication protocol which is used by default for authentication in Windows networks since Windows 2000. It improves security significantly because it reduces that passwords are intercepted.

Requirements for Kerberos Constrained Delegation

  • For Kerberos Constrained Delegation to work with Forefront TMG you will need the following:
  • Windows Server 2003 domain controllers or higher
  • Domain set to Windows 2003 functional level
  • The backend Web application (OWA) must use Windows Integrated authentication and not Forms based or Basic authentication
  • The TMG, ISA2006 or ISA2004 SP2 Server must be allowed to delegate to the backend application server within Active Directory where both machines have to be domain members

Active Directory configuration

  1. Open Active Directory Users and Computers and find the TMG server object:
    Kerberos Constrained Delegation - TMG - Active Directory
  2. Right click the TMG object and select “Properties” from the dropdown menu
  3. Click on the “Delegation” tab
    Kerberos Constrained Delegation - Allow this computer
  4. Click on the Radio Button next to “Allow this computer to delegate to specified services only” and select “Use Any Authentication protocol”
  5. Click on “Add” and find the Server that is running the published application, which is a server named “Exchange” in our case
    Kerberos Constrained Delegation - Search published server
  6. Select the appropriate SPN or Service Principal Name. You should use http://exchange.domain.local. This applies only if the service on the backend server runs under Network Service, Local System or Local Service accounts
    Kerberos Contstrained Delegation - Add Services
  7. Click OK

Now remember, if your application runs under a different domain account, i.e. if you are publishing a web farm, a NLB site or the application pool Identity is different, you should first check whether the account already has an assigned SPN. The easiest way to do this, is by using the setspn tool. Launch the command prompt and type:

Setspn –L domain\account

This will return a list of all SPNs for this account. If the account does not have a SPN, you can add it, but you have to be careful because you will encounter problems if you add a SPN that is already assigned to a different username or machine as an account can have multiple SPNs, but a SPN can only be assigned to a single account. In the following example we will add the http/webfarm.domain.local SPN to the domain service account. You can do this this with the following command:

Setspn –A http/webfarm.domain.local domain\accountname

When you add a new SPN to a domain service account (domain\accountname) you then have to allow TMG to delegate credentials to that account. You have to go back to steps 5-7 in the previous paragraph to first search for the account and select the target SPN that you created (http/webfarm.domain.local).

Forefront TMG configuration

To create a listener and a publishing rule on the TMG you can follow Alex’s procedures. With one exception: At the Credential delegation tab on the Publishing rule where he selected “Basic Delegation” you have to select “Kerberos Constrained Delegation” in the publishing rule, and at the bottom you have to enter the SPN from the previous steps (http/exchange.domain.local or http/webfarm.domain.local). You must also make sure that the backend website is using Integrated Authentication. Right Click on the publishing rule and select “properties” and then click the “Authentication Delegation” tab.

Kerberos Constrained Delegation - TMG Listener -SPN configure

When you access the TMG protected page of Outlook Web Access, the user experience will be the same as before with Basic Delegation. However, in the background a Kerberos token will be passed from the TMG to the backend server instead of username and password. An authentication event in the security event log would look like the one below on your backend server.

Kerberos Constrained Delegation - Authentication Event log

In the Transited Services section you should see the FQDN of your TMG server.

In the next article I will show you how to use KCD with Two-factor Authentication, which will demonstrate the flexibility of this mechanism.


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account