Home
About UsOur CustomersContact Us 24/7MVP Expert Zone
WRTU
Forefront EDGE | TMG | UAG | IAG | DAForefront Endpoint | FEP | FCSForefront Server | FPE | FPSP | FSOCS | FSMMCIdentity and Access Management | IAM | IDM | FIMGeneral ForefrontMicrosoft Security
Articles
Intelligent Application Gateway | IAG 2007Forefront Unified Access Gateway | UAG 2010Forefront Threat Management Gateway | TMG 2010Forefront UAG DirectAccess | DAForefront Endpoint Protection | FEP 2010Forefront Client Security | FCSForefront Protection for Exchange | FPEForefront Protection for SharePoint | FPSPForefront Security for OCS | FSOCSForefront Server Security Management Console FPMCSForefront Identity Manager | FIM 2010Active Directory SecurityActive Directory Rights Management Services AD RMSActive Directory Federation Services | AD FSActive Directory Certificate Services | AD CS PKI
Videos
Intelligent Application Gateway | IAG 2007Forefront Unified Access Gateway | UAG 2010Forefront Threat Management Gateway | TMG 2010Forefront UAG DirectAccess | DAForefront Endpoint Protection | FEP 2010Forefront Client Security | FCSForefront Protection for Exchange | FPEForefront Protection for SharePoint | FPSPForefront Security for OCS | FSOCSForefront Server Security Management Console FPMSCActive Directory SecurityActive Directory Rights Management Services AD RMSActive Directory Federation Services | AD FSActive Directory Certificate Services | AD CS PKI
Forums
General for all Forums | AnnouncementsIntelligent Application Gateway | IAG 2007Forefront Unified Access Gateway | UAG 2010Forefront Threat Management Gateway | TMG 2010Forefront UAG DirectAccess | DAForefront Client Security | FCSForefront Endpoint Protection | FEP 2010Forefront Online Protection for Exchange | FOPEForefront Protection for Exchange | FPEForefront Protection for SharePoint | FPSPForefront Security for OCS | FSOCSForefront Identity Manage | FIM 2010Active Direcroty SecurityActive Direcroty Rights Management Services AD RMSActive Directory Federation Services | AD FS | WIFActive Directory Certificate Services | AD CS PKI
TechNet Forums
Services
DesignImplementationProject ManagementCustom Development and Customization
Online Training
Online Store
Shopping Cart
Online Support
Online Support and Debugging Tools
ForefrontSecurity TV
       
Article View
How to configure transparent (Kerberos) Integrated Windows Authentication (IWA) in IAG as Internal Authentication Gateway
Created by forefrontforums on 10/13/2010 9:30:46 PM

Before you begin

Microsoft released a new feature in IAG SP2 that will allow you to use IAG as internal transparent authentication, authorization, network and application gateway to protect your internal assets!

The following technical article describes how to configure Integrated Windows Authentication (IWA) - Kerberos Authentication (NTLM will be covered in a different article)

Important to know!

  1. Only logged-in users to a domain members computers will be able to enter the IAG portal internally without entering its credentials
  2. When using Kerberos authentication (IWA) there are only 4 events for each session, which means that Kerberos traffic is 33% cheaper than NTLM traffic

Prerequisites

Installing ADSIEDIT on your Domain Controller

  1. Download ADSIEDIT

    http://www.computerperformance.co.uk/ScriptsGuy/adsi.zip

  2. Register the adsiedit DLL

    regsvr32 %path%\adsiedit.dll

Configuration Procedures

Configuration Procedures on the IAG side

  1. Please pay attention! You must use the same public hostname that you configure in IAG Trunk all the way,through the entire process. To be able to create Kerberos ticket, you must register servicePrincipalName (SPN) Attribute in Active Directory that is identical to the URL that the user will enter in the browser
  2. We will use internal.iagserver.org as our internal URL / SPN

  3. In the Trunk configuration, please choose "Advanced Trunk Configuration"

  4. Go to the "Authentication" tab
  5. Under the "Use Integrated Windows authentication" choose "Enable Kerberos protocol"

  6. Press "Ok" and move to the next phase

Configuration Procedures on the Domain Controller side

  1. On the Domain Controller machine, open adsiedit.msc (You need to install it - read the Prerequisites section)
  2. Find the IAG computer account, in our environment the computer name is IAGSP2 (see the print screen below)
  3. Right click on the computer account, choose "Properties"

  4. On the "Attribute Editor" tab find the "servicePrincipalName" (SPN) Attribute

  5. Double Click on the SPN Attribute will open a window with all of its current values
  6. Add http/internal.iagserver.org - the SPN MUST be identical to the public hostname you configured on the IAG Trunk and the hostname in the URL
  7. Press "Add", validate that your SPN is in the list and click "Ok"

Configuration Procedures on the Client side - Manually

  1. You will need to add the internal URL which you configured on the IAG Trunk to the Local Intranet zone on your clients IE so the IE will be able to send the Kerberos ticket to the IAG
  2. For this demo I will explain how to do it manually and also via Group Policy for the entire organization
  3. navigate to Tools->Internet Options

  4. Choose the "Security" tab
  5. Choose "Local intranet" and click on "Sites"

  6. In the following windows, choose "Advanced"

  7. In the following windows please write the internal URL - the same hostname you configured in the IAG Trunk and in the SPN Attribute
  8. click on "Add" and then click on "Close"

  9. Now you will be able to access the internal IAG portal without entering your credentials again!

Configuration Procedures on the Client side - via Group Policy Configuration

  1. To add the internal URL to the Intranet Zone via Group Policy for the entire organization follow these phases
  2. Open the Domain Group Policy Object Editor
  3. Navigate to User Configuration->Windows Settings->Internet Explorer Maintenance->Security

  4. Duble Click on "Security Zone and Content Ratings"
  5. Choose "Import the current security zones and privacy settings"

  6. If this is the first time you configure it, the following notification will appear, read it and click on "Continue" to continue to the next phase

  7. Choose "Modify Settings"

  8. Navigate to the "Security" tab
  9. click on "Sites"

  10. In the following windows please write the internal URL -the same hostname you configured in the IAG Trunk and in the SPN Attribute
  11. click on "Add" and then click on "Close"

  12. On the Domain Controller, open cmd and perform gpupdate /force, validate that you see event 1704 SceCli

  13. Now you will be able to access the internal IAG portal without entering your credentials again!

Under the hood

Kerberos authentication via HTTP is assembled from 4 events:

  1. The user enters the URL, the IE perform HTTP Request
  2. The IAG Response with HTTP 401 Unauthorized message with the WWW-Authenticate header that contains the Authentication method = Negotiate (see the Response print screen below)
  3. The IE inserts the Kerberos ticket into the Request to the same Header WWW-Authenticate: Negotiate (see the Request print screen below)
  4. The IAG sends back HTTP 200 if the token is authorized

It's important to say that the Kerberos ticket value is longer than NTLM challenge/response value

Response Header

Request Header

If you have any issues with the following configuration please go to our Technical Forums in the following link: http://Forums.ForefrontSecurity.ORG

powered by metaPost

print
rating
 Comments