In order for the Threat Management Gateway (TMG) to impersonate a device user when authenticating on an EAS server, the TMG server must be given the appropriate permissions in the Active Directory (AD) server.

This step must be completed whether or not you are using a Secure Email Gateway (SEG). Instructions at the end of this topic direct you to the next step, with or without a SEG.

First, you must configure AD to enable the TMG for delegation.

  1. On the AD server, select Active Directory Users and Computers.
  2. In the left-hand pane, select the folder where the TMG server is located (e.g., Computers). The available TMG servers display in the right-hand pane as shown below.

  3. Right-click the TMG server name and select Properties. The Properties window for the TMG server displays.

  4. Click the Delegation tab.

  5. Select Trust this computer for delegation to specified services only.

  6. Select Use any authentication protocol.

  7. Click Add. The Add Services window displays.

    Next, you must enable the TMG to delegate HTTP EAS traffic to the EAS server.

  8. Click Users or Computers.

  9. The Select Users or Computers window displays. Enter the name of the EAS server.

  10. Click OK. The Add Services window displays.

  11. Under Available services, select http Service Type.

  12. Click OK.

  13. The Delegation tab now lists the http Service Type, with the name of your EAS server under the User or Computer column.

  14. Click OK.
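The same delegation settings can be applied and then verified from PowerShell with the ActiveDirectory module. This is an added example, not part of the original guide, and assumes a TMG computer account named TMG01 and an EAS server named EAS01 in the example.local domain. Selecting Use any authentication protocol enables protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION), so the verification at the end checks that the delegation list contains nothing beyond the http service on the EAS server.

```powershell
# Added example (not from the original guide): configure and verify constrained
# delegation for the TMG computer account. Names below are assumptions.
Import-Module ActiveDirectory

$TmgComputer = 'TMG01'                 # assumed TMG computer account name
$EasHost     = 'EAS01'                 # assumed EAS server host name
$EasFqdn     = 'EAS01.example.local'   # assumed EAS server FQDN

# The Delegation tab writes both the short-name and FQDN forms of the http service.
$AllowedTargets = @("http/$EasHost", "http/$EasFqdn")

# Steps 5 and 7-12: delegate only to the http service on the EAS server.
# The "specified services only" list is stored in msDS-AllowedToDelegateTo.
Set-ADComputer -Identity $TmgComputer -Add @{ 'msDS-AllowedToDelegateTo' = $AllowedTargets }

# Step 6: "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION
# in userAccountControl (protocol transition). Pipe the computer object so the
# account is resolved correctly for Set-ADAccountControl.
Get-ADComputer -Identity $TmgComputer | Set-ADAccountControl -TrustedToAuthForDelegation $true

# Verification: read both settings back and flag any target outside the EAS http service.
$tmg = Get-ADComputer -Identity $TmgComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation

"Protocol transition enabled : $($tmg.TrustedToAuthForDelegation)"
"Allowed delegation targets  :"
$tmg.'msDS-AllowedToDelegateTo' | ForEach-Object { "  $_" }

$unexpected = $tmg.'msDS-AllowedToDelegateTo' | Where-Object { $AllowedTargets -notcontains $_ }
if ($unexpected) {
    Write-Warning "Delegation targets beyond the EAS http service are present; review them: $($unexpected -join ', ')"
}
```

Run the script as a user with rights to modify the TMG computer object; the final warning fires only if the account is already trusted to delegate to services other than the EAS server.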

If you are not using a SEG, skip to Create a Service Principal Name (SPN) for the EAS Server. Otherwise, proceed to Enable Delegation from Active Directory when using a SEG.