Configuring Active Directory authentication
Updated: February 1, 2011
Applies To: Unified Access Gateway
This topic describes how to configure Active Directory authentication on Forefront Unified Access Gateway (UAG).
When using Active Directory authentication, open these destination ports to your corporate domain controllers:
LDAP ports: 389, 636 (TCP)
Global catalog ports: 3268, 3269 (TCP)
RPC services: 1025-5000 (TCP)
RPC portmapper listener: 135 (TCP)
RPC in NT 4.0: 139 (TCP)
Kerberos exchanges: 88 (TCP, UDP)
RPC services can be configured using a fixed port. For more information, see Restricting Active Directory replication traffic and client RPC traffic to a specific port (http://go.microsoft.com/fwlink/?LinkId=179664). Only Registry key 1 from this Microsoft Knowledge Base article needs to be modified on the domain controller used by Forefront UAG.
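The port list above is easy to verify from the Forefront UAG server before you start the procedure. The following pre-flight checker is an added example and not part of this topic or of Forefront UAG; it probes each documented TCP port on a domain controller and reports the ones that are closed, treating the RPC range as "not probed" unless you tell it the fixed RPC port you configured on the DC (Kerberos also uses UDP 88, which a TCP probe does not cover). The host name and fixed port in the usage line are placeholders.

```python
import socket
import sys

# Destination TCP ports the topic lists for Active Directory authentication
# (port numbers taken from the page; the checker is an added example).
REQUIRED_TCP_PORTS = {
    "LDAP": (389, 636),
    "Global catalog": (3268, 3269),
    "RPC portmapper listener": (135,),
    "RPC in NT 4.0": (139,),
    "Kerberos": (88,),  # Kerberos also uses UDP 88, which this TCP probe does not cover
}
RPC_DYNAMIC_RANGE = (1025, 5000)  # RPC services, unless pinned to a fixed port on the DC


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_domain_controller(host, rpc_fixed_port=None, probe=tcp_port_open):
    """Probe every documented port on one domain controller.

    Returns a dict {(service, port): reachable} in documentation order. When the
    DC has been configured with a fixed RPC port (registry key 1 of the KB
    article the topic cites), only that port is probed; otherwise the
    1025-5000 range is recorded as None ("not probed") rather than scanning
    thousands of ports. `probe` is injectable so the logic can be exercised
    without a network.
    """
    results = {}
    for service, ports in REQUIRED_TCP_PORTS.items():
        for port in ports:
            results[(service, port)] = probe(host, port)
    if rpc_fixed_port is not None:
        results[("RPC services (fixed port)", rpc_fixed_port)] = probe(host, rpc_fixed_port)
    else:
        results[("RPC services (dynamic range)", RPC_DYNAMIC_RANGE)] = None
    return results


def unreachable(results):
    """Return the (service, port) keys that were probed and found closed."""
    return [key for key, ok in results.items() if ok is False]


def main(argv):
    # Placeholder usage: check_dc_ports.py dc01.contoso.local 49152
    if len(argv) < 2:
        print("usage: check_dc_ports.py <dc-host-or-ip> [fixed-rpc-port]")
        return 2
    host = argv[1]
    fixed = int(argv[2]) if len(argv) > 2 else None
    results = check_domain_controller(host, fixed)
    for (service, port), ok in results.items():
        state = "not probed" if ok is None else ("open" if ok else "CLOSED")
        print(f"{service:<28} {str(port):<14} {state}")
    return 1 if unreachable(results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the Forefront UAG server itself, because the Forefront TMG system policy rules described later in this topic apply to traffic leaving that server; a closed result for 636 or 3269 is also the first thing to check when the SSL/TLS option in the connection settings fails.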
If users need to be able to change their password while authenticating against the Active Directory authentication server, make sure that the server is configured to allow this.
To configure Active Directory authentication
In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers.
On the Authentication and Authorization Servers dialog box, click Add.
In the Server type list, click Active Directory, and on the Add Authentication Server dialog box, configure the server settings.
In Server name, enter the name of the server or repository. This name is used when you select the server or repository during the configuration of Forefront UAG. It is also displayed to end users when they are prompted to select a server during authentication.
In the Connection settings area, select to either define specific domain controllers or to use any available domain controller in the Active Directory forest to which Forefront UAG belongs:
Define domain controllers—Select this option to specify the Active Directory domain controllers to use for authentication, click Define, and then on the Domain Controllers dialog box, enter the Primary domain controller and Secondary domain controller settings:
IP address/host—IP address or host name of the Active Directory domain controller.
It is recommended that the domain controller you select is a domain controller that serves as the global catalog.
Forefront TMG includes system policy rules that allow access from the server running Forefront UAG to domain controllers in the internal network. Ensure that the system policy rules allow traffic to the domain controller (global catalog) that you are using for authentication, as follows:
In the Forefront TMG Management console, click the Firewall Policy node.
On the Tasks tab, click Edit System Policy.
In System Policy Editor, in the Configuration Groups tree, click the Authentication Servers group.
Right-click the first rule (Allow Access to directory services for authentication purposes), and then click Edit.
On the To tab, ensure that the destination includes the network in which the domain controller is located, or click Add to specifically add the domain controller. Click Close, and then click OK.
If you enter an IP address, users will not be able to change their password when using the site. To enable users to change their password, enter a Fully Qualified Domain Name (FQDN) in this field; for example, activedirectory.contoso.com.
If you select to use an HTTPS port by selecting the Connect to the domain controller using SSL/TLS check box, you must define the domain controller by using the FQDN that is defined in the LDAP server certificate. The Active Directory FQDN of the domain controller appears in the server certificate, in one of the following locations:
The Common Name (CN) in the Subject field.
DNS entry in the Subject Alternative Name extension.
Port—Port number of the Active Directory domain controller.
If the port is an HTTPS port, select the Connect to the domain controller using SSL/TLS check box.
If the authentication server uses a secure port, Forefront UAG uses a secure connection, even if you haven’t configured a secure port.
Use local Active Directory forest authentication—By selecting this option, you do not need to specify an Active Directory domain controller; instead, any available domain controller in the forest to which Forefront UAG belongs will be used. It is recommended to use this option if the Forefront UAG server is domain-joined in a forest and you want to authenticate users from that forest.
In the Search settings area, select how to search for the groups and users that are used for authentication and authorization, as follows:
Next to the Base DN list, click Browse (...), and on the Search Root (Base DN) dialog box, select the search root under which to search for groups and users. You can select the search root in two ways:
From the drop-down list, select one of the search roots.
In Base DN, enter a custom value for the search root.
To include subfolders in the search you define in Base DN, select the Include subfolders check box.
Level of nested groups—Defines whether to search for the user in additional groups to which the user belongs, and the number of nested groups in which to search:
Using the default value, which is 0, the search includes only the groups to which the user belongs directly. For example, if the user John is a member of group QA, the search includes the group QA, but not any of the groups to which QA belongs.
If you enter a value other than 0 in this field, it defines the number of nested groups included in the search. In the above example, if you enter 1, and QA is a member of the R&D group, the search includes both the QA group and the R&D group.
If you leave this field empty, the number of nested groups is unlimited. The search includes all the groups to which the user belongs, both directly and indirectly.
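The three cases for Level of nested groups (0, a positive number, empty) are easier to reason about as a bounded walk up the group-membership graph. The following is an added example, not code from this topic or from Forefront UAG: it models the page's John/QA/R&D scenario with a constructed directory snapshot (the extra groups Engineering and All Staff are invented to give the walk more depth) and resolves the set of groups an authorization check would consider at each level. A visited set stops the walk if groups are nested in a circle.

```python
# Constructed directory snapshot: each group maps to the groups it is a member of
# (what an LDAP memberOf lookup on the group object would return). Names are
# illustrative only; QA and R&D come from the page, the rest are invented.
GROUP_MEMBER_OF = {
    "QA": ["R&D"],
    "R&D": ["Engineering"],
    "Engineering": ["All Staff"],
    "All Staff": [],
}
USER_MEMBER_OF = {"John": ["QA"]}


def resolve_groups(user, level, user_member_of=USER_MEMBER_OF, group_member_of=GROUP_MEMBER_OF):
    """Return the set of groups the search considers for `user`.

    level == 0     -> direct groups only (the page's default)
    level == n > 0 -> direct groups plus n levels of parent groups
    level is None  -> unlimited (the field left empty on the page)
    """
    if level is not None and level < 0:
        raise ValueError("level must be 0, a positive integer, or None")
    direct = set(user_member_of.get(user, []))
    found = set(direct)       # every group seen so far; also guards against circular nesting
    frontier = set(direct)    # groups whose parents are expanded in the next round
    depth = 0
    while frontier and (level is None or depth < level):
        next_frontier = set()
        for group in frontier:
            for parent in group_member_of.get(group, []):
                if parent not in found:
                    found.add(parent)
                    next_frontier.add(parent)
        frontier = next_frontier
        depth += 1
    return found


def user_in_group(user, group, level, **directory):
    """True if `group` is reachable for `user` within the configured nesting level."""
    return group in resolve_groups(user, level, **directory)


if __name__ == "__main__":
    for lvl in (0, 1, 2, None):
        print(f"level={lvl!s:<4} -> {sorted(resolve_groups('John', lvl))}")
```

The practical consequence for authorization rules: a rule granting access to R&D matches John only when the level is at least 1 or the field is empty, so changing this value after publishing applications can silently widen or narrow who passes authorization.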
In the Server access area, enter credentials to access the Active Directory server and perform Server Access functions, such as retrieving the users/groups lists, retrieving user information, and changing passwords, as follows:
User (domain\user)—Enter a user name that is used to access the Active Directory server. The user you assign here must have read permissions (or higher) on this server. Make sure that you enter the domain and the user name.
Password—Enter the password of the user you defined in User (domain\user).
In the Default domain name area, in Domain, enter a default domain name to be used when users log on.
You must enter a default domain name to use this repository when authenticating users to published applications with single sign-on (SSO).
On the Add Authentication Server dialog box, click OK, and then on the Authentication and Authorization Servers dialog box, click Close.