How to Configure Remote File Access Single Sign On (SSO) with Kerberos Constrained Delegation (KCD) Before SP1 - PART 1
Created by forefrontsupport on 10/13/2010 9:39:10 PM

Before you begin

If you don't have any prior experience with the Kerberos protocol (RFC 1510 - http://www.ietf.org/rfc/rfc1510.txt), please read this Wikipedia article first: Kerberos (Protocol) - http://en.wikipedia.org/wiki/Kerberos_protocol

If you already have knowledge of Kerberos Constrained Delegation (KCD), you can move forward to the next section.

If not, please read the upcoming short and exhaustive paper: What is Kerberos Constrained Delegation (KCD), how it works, and why it's good for me

Please watch the video before implementing File Access SSO (in the Screencasts section)

Important to know!

Microsoft IAG server is the only SSL VPN product on the market today that provides secure access to internal file shares with Smart Card or OTP authentication, and also performs:

  1. FULL Single-Sign-On (SSO)
  2. FULL Audit trail of the end user to the back-end servers (IIS, SQL, AD etc ...)
  3. Granular Access Controls per user/group

Prerequisites

  1. Microsoft Windows Server 2003 must run in Native mode for the domain in which Kerberos Constrained Delegation (KCD) is configured
  2. You must raise each domain controller's domain level to Windows Server 2003 Domain Functional Level
  3. You must configure KCD on your IAG server

Configuration Procedures

The following How-To document describes the procedures you need to perform to configure Single Sign On (SSO) for remote File Access.

The following procedures must be implemented before you configure KCD on your IAG machine:

  1. Configure the Domain Controller
  2. Add File Access application to the portal
  3. Configure the IIS server on the IAG server
  4. Configure the ISA Server Publishing Rule

Configure the Domain Controller

  1. Go to your Domain Controller and open "Active Directory Users and Computers" (start->run->dsa.msc)
  2. Double-click the IAG computer account, navigate to the Delegation tab, add the computer account whose shares you want to use, and choose the "cifs" service type

  3. Press Ok
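The Delegation tab step above, done from the command line as an added PowerShell example (not from the original article or the IAG product): it assumes the ActiveDirectory module (RSAT) is installed and uses the placeholder names IAGSRV01, FILESRV01 and corp.example.

```powershell
# Added example, not part of the original article. Placeholder names:
#   IAGSRV01     - the IAG server's computer account
#   FILESRV01    - the file server whose shares will be published
#   corp.example - the domain's DNS name
# The Delegation tab in dsa.msc writes the msDS-AllowedToDelegateTo attribute
# on the IAG computer account; this script sets the same attribute, then
# reads the account back so the result can be checked before continuing.
Import-Module ActiveDirectory

$iagComputer  = 'IAGSRV01'
$fileServer   = 'FILESRV01'
$domainSuffix = 'corp.example'

# Both short and FQDN forms, matching what the GUI adds for the cifs service.
$cifsSpns = @(
    "cifs/$fileServer",
    "cifs/$fileServer.$domainSuffix"
)

# Constrained delegation: IAG may delegate to these services only.
Set-ADComputer -Identity $iagComputer -Add @{ 'msDS-AllowedToDelegateTo' = $cifsSpns }

# Verification: the allowed-to-delegate list and the delegation mode.
$acct = Get-ADComputer -Identity $iagComputer `
    -Properties 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'

Write-Host "Delegation targets for $iagComputer:"
$acct.'msDS-AllowedToDelegateTo' | ForEach-Object { Write-Host "  $_" }

# TrustedForDelegation = $true would mean UNconstrained delegation, which is
# not what the procedure intends; it should be $false here.
Write-Host "Unconstrained delegation (should be False): $($acct.TrustedForDelegation)"

# TrustedToAuthForDelegation reflects the "Use any authentication protocol"
# option on the Delegation tab (protocol transition). A Smart Card / OTP
# front end never presents a Kerberos ticket to IAG, so IAG must request one
# on the user's behalf, which is what that option permits.
Write-Host "Protocol transition enabled: $($acct.TrustedToAuthForDelegation)"

# The cifs service resolves through the file server's HOST SPN; confirm the
# target account actually registers it, or delegation will fail silently.
$target = Get-ADComputer -Identity $fileServer -Properties servicePrincipalName
$hostSpns = $target.servicePrincipalName | Where-Object { $_ -like 'HOST/*' }
Write-Host "HOST SPNs on $fileServer`: $($hostSpns -join ', ')"
```

Run it as a domain administrator on a machine with RSAT; each Set-ADComputer call appends to the list, so re-running does not remove entries.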

Add File Access application to the portal

  1. Open the IAG Configuration manager
  2. Choose the relevant Trunk
  3. On the Applications section click "Add"

  4. Choose "File Access" in the "Built-in Services" section
  5. Press "Finish"

  6. Choose "Admin" in the tool bar
  7. Choose "File Access"

  8. You will see a message warning that you are about to open NetBIOS from the ISA Server to the back-end network
  9. Press Ok

  10. The File Access administration window will open
  11. Enter domain credentials in the syntax Domain\User

  12. Choose the relevant Domain (if you have more than one domain)
  13. Press Apply

  14. Move forward to the "Servers" section
  15. Choose the relevant server
  16. Press Apply

Please continue reading part 2 of this document to finish the configuration procedures

If you have any issues with File Access and KCD please go to our Technical Forums in the following link: http://Forums.ForefrontSecurity.ORG
