Whenever a SEG is inserted between the TMG and EAS servers, you must also enable delegation rights and permissions on the SEG. To do so, work through all the steps below, then follow Configure Service Account Delegation Rights on TMG, replacing all references to TMG with SEG.

When you are finished, you should have completed the following:

  • Configure Service Account Delegation Rights on TMG by...
    • Configuring Local Security Policy for TMG to Act as Part of OS,
    • Configuring Local Security Policy for TMG to Impersonate a Client after Authentication.
  • Verify the Identity of the SEG
  • Configure Service Account Delegation Rights on SEG by...
    • Configuring Local Security Policy for SEG to Act as Part of OS,
    • Configuring Local Security Policy for SEG to Impersonate a Client after Authentication.

To verify which service account needs to be enabled with delegation rights, open IIS on the SEG server and follow this procedure. If you already know the SEG service account, proceed with replacing all references to TMG with SEG.

  1. Launch Internet Information Services (IIS) Manager by selecting Start > Run.
  2. Type inetmgr and select OK. The IIS Manager window appears.
  3. In the left-hand Connections pane, select the SEG server.
  4. Click the Application Pools folder.
  5. In the right-hand Application Pools pane, locate the SecureEmailGateway.
  6. Under the Identity column, verify that the identity of the SecureEmailGateway is Network Service.
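
The identity check above can also be scripted, together with a check of the two Local Security Policy rights listed earlier. This PowerShell is an added example, not part of the original guide; it assumes the pool is named SecureEmailGateway as shown in IIS Manager, that the WebAdministration module is installed, and that it runs in an elevated session on the SEG server.

```powershell
# Added example (not from the original guide). Run elevated on the SEG server.
Import-Module WebAdministration

$poolName = 'SecureEmailGateway'   # assumed: pool name as shown in IIS Manager
$pool     = Get-Item "IIS:\AppPools\$poolName" -ErrorAction Stop
$idType   = [string]$pool.processModel.identityType

# Map the pool's identity type to the Windows account it runs as.
$account = switch ($idType) {
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
    default                   { $pool.processModel.userName }   # SpecificUser
}
$nt  = New-Object System.Security.Principal.NTAccount($account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the user-rights assignments from the local security policy.
$cfg = Join-Path $env:TEMP 'seg-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The two rights from the checklist, keyed by their privilege constants.
$needed = [ordered]@{
    SeTcbPrivilege         = 'Act as part of the operating system'
    SeImpersonatePrivilege = 'Impersonate a client after authentication'
}

$report = foreach ($priv in $needed.Keys) {
    # A right that nobody holds has no line in the export at all.
    $line    = Get-Content $cfg | Where-Object { $_ -match "^$priv\s*=" }
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    # Direct assignment only: rights granted through a group are not expanded.
    [pscustomobject]@{
        Account = $account
        Right   = $needed[$priv]
        Granted = ($holders -contains $sid) -or ($holders -contains $account)
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

"Pool '$poolName' identity type: $idType"
$report | Format-Table -AutoSize
```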


Next, you must Configure IIS for Certificate Authentication with SEG.