Kerberos Constrained Delegation in ISA Server 2006

Публикация web-сайтов через ISA с использованием KDC

Configuring Exchange Server for Kerberos constrained delegation

In this scenario, to use Kerberos constrained delegation, the virtual directory used for Outlook Web Access on all the Exchange servers in your deployment (the /Exchange virtual directory in this solution) must be configured to accept Kerberos authentication, and Kerberos constrained delegation must be enabled on your Exchange servers. If your deployment includes both Exchange front-end and back-end servers, your Exchange front-end servers must be configured as front-end servers that support Kerberos constrained delegation.

Configuring the /Exchange virtual directory to accept Kerberos authentication

In the solution described in this section, the /Exchange virtual directory is used for Outlook Web Access on the Exchange server. To enable Kerberos constrained delegation from ISA Server, this virtual directory must be configured to accept Kerberos authentication. This is accomplished by setting the authentication method allowed on the /Exchange virtual directory to Integrated authentication. With Integrated authentication, users are authenticated by using either the Kerberos V5 authentication protocol, the NTLM authentication protocol, or a challenge/response authentication protocol.

To set the authentication method for the /Exchange virtual directory on an Exchange server

1. Open System Manager for Exchange Server.
2. If administrative groups are displayed, expand the Administrative Groups node, and expand Administrative_Group_Name.
3. Expand Servers, and then expand Exchange_Server_Name.
4. Expand Protocols, expand HTTP, expand Exchange Virtual Server, right-click Exchange, and then click Properties.
5. On the Access tab, click Authentication.
6. Select the Integrated Windows Authentication check box and verify that the Basic Authentication check box is cleared.
7. Click OK, and then click OK again.
8. Repeat this procedure on each Exchange server in your deployment.

Enabling Kerberos constrained delegation on Exchange servers

Kerberos constrained delegation must be enabled on the Exchange servers in your deployment.

To enable Kerberos constrained delegation on Exchange servers

1. In System Manager, locate the administrative group that contains the Exchange servers on which you want to enable Kerberos constrained delegation.
2. Right-click Administrative_Group_Name, and then click Properties.
3. Select the Enable Kerberos Constrained Delegation check box, and then click Modify.
4. Type the credentials for the account under which the KCD Service runs.
5. Click Apply, and then click OK.

Configuring an Exchange front-end server to support Kerberos constrained delegation

If your deployment includes both Exchange front-end and back-end servers, each of your Exchange front-end servers must be configured as a front-end server that supports Kerberos constrained delegation.

To configure an Exchange front-end server as a front-end server that supports Kerberos constrained delegation

1. In System Manager, right-click the applicable server, and then click Properties.
2. On the General tab, verify that the This is a front-end server check box is selected to confirm that you are configuring a front-end server.
3. On the KCD-FE tab, click This server is a KCD-FE server for the organization.
4. Click Apply, click OK, and then restart the Exchange System Attendant service.
5. Repeat these steps on each front-end server that you want to enable as a front-end server that supports Kerberos constrained delegation.

After completing the preceding three procedures, restart Microsoft Internet Information Services (IIS) on all your Exchange servers to propagate the changes in the authentication mechanisms. To do this, type iisreset at a command prompt, and then press ENTER.

Requiring secure communications to the Web site

After an SSL server certificate is installed on the Exchange server, you need to require the Web site to accept communications only over a secure (SSL) channel.

Perform the following procedure to require an SSL channel for communication to the Web site.

To enable secure communications

1. Open IIS Manager.
2. Expand the local computer, and then expand the Web Sites folder.
3. Right-click the Web site where the Exchange front-end services have been installed, by default, the Default Web Site, and click Properties.
4. On the Directory Security tab, under Secure communications, click Edit.
5. Select Require secure channel (SSL) on the Secure Communication page, and then click OK. Click OK again to close the Web site properties dialog box.

Deployments with Exchange front-end and back-end servers

If your deployment includes Exchange servers that are configured as front-end and back-end servers, ISA Server can forward Web requests to an Exchange front-end server using Kerberos constrained delegation after authenticating the user just as it does to the Exchange servers in the preceding sections, and ISA Server computers can be configured for this by following the steps for configuring Exchange servers in the preceding sections. In addition, the /Exchange virtual directory on Exchange back-end servers can be configured to accept Kerberos authentication by performing the same steps that are performed for an Exchange front-end server. However, these steps do not configure Exchange front-end servers to be trusted for delegation or allow Exchange back-end servers to trust the Kerberos service tickets sent by an Exchange front-end server. This is accomplished by performing the following steps.

To configure Active Directory to recognize an Exchange front-end server as trusted for delegation and to allow an Exchange back-end server to trust Kerberos service tickets sent by the Exchange front-end server

1. In the Active Directory Users and Computers console tree, expand the Domain_Name node and click Computers.
2. In the details pane, double-click the name of an Exchange front-end server.
3. On the Delegation tab, select Trust this computer for delegation to specified services only, and then select Use any authentication protocol.
4. Click Add.
5. In the Add Services dialog box, click Users or Computers.
6. In the Select Users or Computers dialog box, enter the NetBIOS name of the Exchange back-end servers that serve the selected Exchange front-end server. Click Check Names after you type each name, and then click OK.
7. In the Add Services dialog box, find http in the list of available services. Select the entry for an Exchange back-end server (or hold down the CTRL key and select the entries for all the Exchange back-end servers that serve the selected front-end server) and click OK.
8. On the Delegation tab, verify that http appears under Service Type and that the names of the Exchange back-end servers appear under User or Computer, and then click OK.
9. Repeat this procedure for each Exchange front-end server in your deployment.

The computers specified in the list of SPNs created by this procedure must contain only back-end servers. The Exchange System Attendant service automatically maintains this list and ensures that it includes all the back-end servers in the domain after installation of the software update described in the Microsoft Knowledge Base article 920209, "Description of the new feature in Exchange Server 2003 that supports Smart Card authentication to Outlook Web Access."

Источник: http://technet.microsoft.com/en-au/library/bb794858.aspx