As mentioned previously, whenever a SEG is inserted between the TMG and EAS servers, you must first create a Service Principal Name (SPN) for the EAS server.

Then create an SPN on the SEG by repeating all the steps in Create a Service Principal Name (SPN) for the EAS Server, replacing every reference to the EAS server with the SEG. The SEG also needs a domain account that has write access to Active Directory.

The final result after using either the command line or ADSIedit should be:

  • You created an SPN for the EAS server.
  • You created an SPN for the SEG.
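
To confirm that result before moving on, the following PowerShell check (an added example, not part of the original documentation) looks up each SPN in the current domain and reports whether it is registered on exactly one account. The `http/` service class and both host names are assumed placeholders; substitute the SPN strings you actually registered.

```powershell
# Added example. Run from a domain-joined host as a user who can read AD.
# Assumed placeholder SPNs (not from the original page):
$ExpectedSpns = @(
    'http/eas.example.com',   # SPN created for the EAS server
    'http/seg.example.com'    # SPN created for the SEG
)

function Get-SpnOwner {
    # Returns the distinguished name of every object holding the given SPN.
    param([Parameter(Mandatory)][string]$Spn)

    # Escape LDAP filter metacharacters (RFC 4515) so the SPN is matched literally.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'

    # The default search root is the current domain; other domains in the
    # forest are not searched by this check.
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $searcher.FindAll() | ForEach-Object {
        [string]$_.Properties['distinguishedname'][0]
    }
}

$results = foreach ($spn in $ExpectedSpns) {
    $owners = @(Get-SpnOwner -Spn $spn)
    $status = switch ($owners.Count) {
        0       { 'MISSING' }     # SPN was never created, or was mistyped
        1       { 'OK' }          # registered on exactly one account
        default { 'DUPLICATE' }   # Kerberos ticket requests for this SPN fail
    }
    [pscustomobject]@{
        SPN          = $spn
        Status       = $status
        RegisteredOn = $owners -join '; '
    }
}

$results | Format-Table -AutoSize -Wrap

if ($results | Where-Object Status -ne 'OK') {
    Write-Warning 'Fix missing or duplicate SPNs before configuring delegation.'
}
```

For each SPN reported as `OK`, check that the `RegisteredOn` value is the account you intended, since an SPN attached to the wrong account is still registered exactly once.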

Next, you must Configure Service Account Delegation Rights on TMG.