Share via


About authentication options

The type of authentication used in a Web publishing rule (including rules that publish Microsoft SharePoint sites and Microsoft Exchange Web client access) is specified in the configuration of the Web listener used by the rule. Web listener properties include how the client credentials are received and how they are validated. Delegation of credentials is configured in the rule itself rather than in the Web listener. For more information about delegating credentials, see About delegation of credentials.

For more information about authentication, see Overview of client authentication.

Based on the authentication options that you select, other options may or may not be available to you. The following options are examples:

  • Single sign-on is available only if you select HTML Form Authentication.
  • RADIUS one-time password (OTP) authentication is available only if you select HTML Form Authentication.
  • Validation of credentials with Active Directory over LDAP is available only if you select HTTP Authentication with Basic authentication or HTML Form Authentication.

A publishing rule with a Web listener that uses a specific method of credentials validation must use a user set that is consistent with that validation method. For example, a publishing rule with a Web listener that uses LDAP credential validation must also use a user set that consists of LDAP users. It cannot include Active Directory users.

Important

When enabling single sign-on, be sure to provide a specific single sign-on domain. Providing a generic domain, such as .condoso.com, allows the Web browser to send the Microsoft Forefront Threat Management Gateway single sign-on cookie to any Web site in that domain, creating a security risk.

Valid combinations of client credentials and delegation methods

The authentication method that you select in a Web listener also affects the authentication delegation options that are available to you in publishing rules. The following table summarizes the valid combinations of authentication and delegation methods.

Receipt of client credentials Authentication provider Delegation Comments

Forms-based authentication

Basic

Active Directory

LDAP (Active Directory)

RADIUS

No delegation, but client may authenticate directly

No delegation, and client cannot authenticate directly

Basic

NTLM

Negotiate

Kerberos constrained delegation

Single sign-on is supported for forms-based authentication, but not for Basic authentication.

An additional client certificate can be required (two-factor authentication).

Digest

Integrated

Active Directory

No delegation, but client may authenticate directly

No delegation, and client cannot authenticate directly

Kerberos constrained delegation

HTML form with one-time password

RSA SecurID

RADIUS OTP

No delegation, but client may authenticate directly

No delegation, and client cannot authenticate directly

Kerberos constrained delegation

Single sign-on is supported.

HTML form with collection of additional credentials

RSA SecurID

RADIUS OTP

No delegation, but client may authenticate directly

No delegation, and client cannot authenticate directly

Basic

NTLM

Negotiate

Kerberos constrained delegation

Single sign-on is supported.

Client certificate

Active Directory

No delegation, but client may authenticate directly

No delegation, and client cannot authenticate directly

Kerberos constrained delegation