Walk-through for RSA SecurID Authentication for TMG 2010 Part 3: Configure TMG Authentication and Delegation


Configuring Authentication on the Listener

• On the Authentication tab of the Listener, select “HTML Form Authentication” from the drop down list and select “RSA SecurID” as the Authentication Validation Method.

• Check “Collect additional delegation credentials in the form” if you would like TMG to delegate Active Directory credentials to the published server. It should be noted that these “additional credentials” are not used to authenticate to TMG. TMG will simply pass along/delegate those additional credentials to the published server if:

1. The published server requires authentication

2. The Delegation Method of the Publishing rule matches the authentication type configured on the published server




• Configuring Delegation on the Publishing Rule

On the Authentication Delegation tab of the Publishing Rule, choose one of the following options:

1. No delegation, but the client may authenticate directly

User will receive the RSA Authentication form prompting them for their SecurID Username and Passcode.

NOTE: Even if you select “Collect additional delegation credentials in the form” in the Web Listener, those collected credentials will not be sent to the published web server if you choose “No delegation…”

2. Basic, NTLM or Negotiate (Kerberos/NTLM) Authentication

These Delegation options are only available when you have selected “Collect additional delegation credentials” on the Authentication tab of the Web Listener.

The user will receive a form prompting for both RSA SecurID and Active Directory credentials.

NOTE: If you select NTLM or Negotiate (Kerberos/NTLM) delegation, the published server must be configured to accept Integrated authentication.

3. RSA SecurID

User will receive a form prompting for only RSA SecurID credentials. Once the user has successfully authenticated to the RSA Authentication Manager, the TMG server will delegate these RSA credentials to the published server; therefore the published server should be configured to accept RSA credentials. For example, the published server is IIS with the RSA web agent installed. In this scenario, the IIS (with RSA web agent) is another Authentication Agent of the RSA Authentication Manager. The following Blog discusses RSA SecurID Delegation in ISA Server 2006. Most, if not all, of the same concepts apply to TMG 2010

Walk-through for RSA SecurID Delegation for ISA Server 2006





Richard Barker - Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team