In addition to configuring delegation rights on the TMG server, the service account that is attached to the TMG Application Pool must also be given delegation permissions.

This step must be completed whether or not you are using a Secure Email Gateway (SEG). Instructions at the end of this topic direct you to the next step, with or without a SEG.

First, you must configure the local security policy for TMG to act as part of the operating system.

  1. On the TMG server, open a command prompt by selecting Start > Run.
  2. Type cmd and then select OK.
  3. In the command prompt, type secpol.msc and then select OK. A Local Security Policy window displays.
  4. In the left-hand pane, select Security Settings > Local Policies > User Rights Assignments.
  5. In the right-hand pane, under Policy, select Act as part of the operating system. A dialog window appears.

    [Screenshot: Certs_TMG_SEG_KERB_33]

  6. Click Add User or Group.

  7. Type the name of the Service Account attached to the Application Pool. The name must be the same as the name associated with the TMG (i.e., Network Service).

  8. Click OK. The Local Security Policy window displays.

    Next, you must configure the local security policy for TMG to impersonate a client after authentication.

  9. In the right-hand pane, under Policy, double-click Impersonate a client after authentication. A Properties dialog box appears.

    [Screenshot: Certs_TMG_SEG_KERB_36]

  10. The Service Account attached to the Application Pool must have the same name as the account associated with the TMG (i.e., Network Service). Verify that this name appears in the list. If it does not, do the following:

    1. Click Add User or Group.

    2. Add the name of the Service Account.

  11. Select the Service Account in the list (i.e., Network Service).

  12. Click OK.

    [Screenshot: Certs_TMG_SEG_KERB_37]
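The two rights granted above ("Act as part of the operating system", SeTcbPrivilege, and "Impersonate a client after authentication", SeImpersonatePrivilege) are assigned through the Local Security Policy GUI in the steps, but on a server that is rebuilt or drifts over time it is useful to be able to confirm from a script that the application-pool identity still holds them and that nothing else has been granted SeTcbPrivilege, which by itself is equivalent to full control of the machine. The following PowerShell is an added example, not part of the original TMG guide: it exports the current user-rights assignments with secedit.exe, reports whether the given account holds each right, and with -Grant appends the account to the existing holders. It assumes it is run from an elevated prompt on the TMG server and that the service account is NETWORK SERVICE unless you pass another name.

```powershell
# Added example (not from the original TMG guide): verify, and optionally grant,
# the two user rights the TMG application-pool service account needs.
# Assumptions: run elevated on the TMG server; secedit.exe is present (ships with Windows).
param(
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE',  # app-pool service account (assumed default)
    [switch]$Grant                                       # without -Grant the script only reports
)

$rights = @{
    'SeTcbPrivilege'         = 'Act as part of the operating system'
    'SeImpersonatePrivilege' = 'Impersonate a client after authentication'
}

# secedit stores right holders as *SID entries, so resolve the account name to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value

# Export only the USER_RIGHTS area of the effective local policy.
$export = Join-Path $env:TEMP 'userrights-export.inf'
& secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
$lines = Get-Content $export

$missing = @()
foreach ($priv in $rights.Keys) {
    # Lines look like:  SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
    $line = $lines | Where-Object { $_ -match "^$priv\s*=" }
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Trim() -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') } |
                   Where-Object { $_ }
    }
    if ($holders -contains $sid) {
        Write-Host ("OK      {0} holds '{1}'" -f $Account, $rights[$priv])
    } else {
        Write-Host ("MISSING {0} lacks '{1}'" -f $Account, $rights[$priv])
        $missing += [pscustomobject]@{ Privilege = $priv; Holders = $holders }
    }
    # SeTcbPrivilege should be held by as few identities as possible; list them for review.
    if ($priv -eq 'SeTcbPrivilege' -and $holders.Count -gt 0) {
        Write-Host ("        current holders of SeTcbPrivilege: {0}" -f ($holders -join ', '))
    }
}

if ($Grant -and $missing.Count -gt 0) {
    # Build a minimal security template that appends our SID to the existing holders,
    # so no other account loses a right it already had.
    $template = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"',
                  'Revision=1', '[Privilege Rights]')
    foreach ($m in $missing) {
        $newHolders = (@($m.Holders) + $sid | ForEach-Object { "*$_" }) -join ','
        $template += "$($m.Privilege) = $newHolders"
    }
    $inf = Join-Path $env:TEMP 'userrights-grant.inf'
    $template | Set-Content -Path $inf -Encoding Unicode
    $db = Join-Path $env:TEMP 'userrights-grant.sdb'
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Write-Host 'Applied. Re-run without -Grant to confirm; restart the application pool so its token picks up the new rights.'
}
```

Run it once without -Grant after completing the steps above to confirm both lines report OK; the list of SeTcbPrivilege holders it prints should contain only the application-pool identity and whatever your baseline already requires.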

If you are not using a SEG, skip to Configure IIS for Certificate Authentication with TMG. Otherwise, proceed to Create a Service Principal Name (SPN) for the SEG.