Kerberos authentication on an NLB array
Forefront TMG Service Pack 2 enables you to allow users to authenticate to a Forefront TMG array with Network Load Balancing (NLB) enabled using the Kerberos version 5 protocol. To configure Forefront TMG to allow users to authenticate in this manner, you must configure a domain account for the Forefront TMG Firewall service, and configure the service principle name (SPN) to be mapped to the configured account. The SPN is the DNS name by which clients know the array.
To help protect your domain, we recommend the following:
- The domain account that you use for the Firewall service is not a member of any local or domain groups. However, an account must be a member of at least one primary group, define a new placeholder group and use that as the primary group. Make sure that the placeholder group does not have any permission on any domain resource.
- The domain account has no user rights on any domain computer.
- The domain account is used only for the Firewall service and not for any other purpose within the domain.
The default account for the Forefront TMG Firewall service is the Network Service account; however, you cannot use the Network Service account for Kerberos authentication when clients know the array by a single DNS name.
If you use Kerberos constrained delegation as the authentication delegation method, you must configure it for the domain account that you configure for the Firewall service in Active Directory Domain Services (AD DS). If the Firewall service uses the Network Service account, you must configure Kerberos constrained delegation for the Forefront TMG computer object in AD DS. For more information, see Kerberos Constrained Delegation in ISA Server 2006 (http://go.microsoft.com/fwlink/?LinkId=215159).
Configuring a domain account for the firewall service
In the Forefront TMG Management console in the left pane, right-click the array node, and then click Properties.
On the <array_name> properties dialog box, click the Credentials tab.
In the Firewall Service Account area, click Use "NT AUTHORITY\NETWORK SERVICE" account to use the default account, or click Use this account to use a different account, and then do the following:
Click Set Account.
On the Set Account dialog box, enter the user name, and password of the account, and then click OK.
On the <array_name> properties dialog box, click OK.
Configuring the SPN
Register the SPN in the Kerberos database using the Setspn.exe utility:
setSPN -U -A http/<array_name> <account_name>
array_name is the DNS name of the NLB array of Forefront TMG servers, for example: FW-A.contoso.com.
account_name is the user name of the account under which the Forefront TMG Firewall service runs, for example: fwsrv_user.