Back in November when testing TMG and AD FS 2.0, I messed around with TMG delegation and AD FS 2.0 with little success. A couple of months on and a bit of time away from the problem seems to have helped!
With no AD FS proxy functionality in TMG at present, TMG cannot act as an in-line authentication proxy for claims-aware applications such as SharePoint 2010 (UAG SP1 can). TMG can, however, supplant the AD FS proxy for logon purposes, in a roundabout way. In this post I illustrate how.
It’s done by setting up two web listeners within TMG, so I’m kind of cheating. Yes, there’s always a downside 😉
As per standard TMG fare, each listener should have its own public IP address and an appropriate certificate for the domain in question. In my test setup, I used the same wildcard certificate for both. Each listener should be configured thus:
- A listener using FBA with Active Directory should be configured. This will perform the AD FS proxy function.
- A listener with no authentication configured. This is used for reverse proxy of traffic to claims-aware web applications.
In addition, at least two web publishing rules are required:
- The first is for the AD FS server(s), sts.mydomain.com.
- The second is for the claims-aware web application(s) that need to be published. In this example, it’s SharePoint 2010 Teamsites at teams.mydomain.com.
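The listener and rule layout above, scripted against the TMG administration COM object model (ProgID `FPC.Root`) from PowerShell on the array member. This is an added example, not the author's script nor anything from the TMG product: the host names, internal server names, IP addresses and listener/rule names are placeholders, and the property names, method signatures and enumeration values are taken from the ISA Server 2006/TMG SDK object model from memory, so check them against the SDK before use. Certificate assignment and credentials delegation on the AD FS rule are left to the console, as in the post.

```powershell
# Added example (not the post author's script): builds the two-listener, two-rule
# layout through the TMG administration COM object model. Run elevated on the
# TMG array member. ASSUMPTIONS: every name and address below is a placeholder,
# and the property/method names and enum values follow the ISA 2006/TMG SDK as
# remembered; confirm them in the SDK documentation before running.

$stsPublicName = "sts.mydomain.com"              # AD FS public name (from the post)
$appPublicName = "teams.mydomain.com"            # SharePoint public name (from the post)
$stsListenerIp = "203.0.113.10"                  # placeholder public IP, AD FS proxy listener
$appListenerIp = "203.0.113.11"                  # placeholder public IP, reverse proxy listener
$adfsInternal  = "adfs01.corp.mydomain.local"    # placeholder internal AD FS server
$spInternal    = "sp01.corp.mydomain.local"      # placeholder internal SharePoint front end

$fpc       = New-Object -ComObject "FPC.Root"
$array     = $fpc.GetContainingArray()
$listeners = $array.RuleElements.WebListeners
$rules     = $array.ArrayPolicy.PolicyRules

# Listener 1: HTTPS on its own public IP with forms-based authentication. This
# is the listener that stands in for the AD FS proxy.
$stsListener = $listeners.Add("ADFS-Proxy-Listener")
$stsListener.Properties.SSLPort = 443
$stsListener.Properties.TCPPort = 0               # no plain HTTP on this listener
# Assumed signature: Add(NetworkName, IPSelectionMethod, IPAddress);
# 2 is assumed to be fpcSpecificIpAddresses.
$stsListener.IPsOnNetworks.Add("External", 2, $stsListenerIp)
# Scheme name is an assumption; the AD validation method for the form is
# selected in the listener properties in the console.
$stsListener.Properties.AuthenticationSchemes.Add("HTML Form Authentication")

# Listener 2: HTTPS on a second public IP with no authentication at all. The
# claims-aware applications behind it redirect the browser to the STS themselves.
$appListener = $listeners.Add("Claims-Apps-Listener")
$appListener.Properties.SSLPort = 443
$appListener.Properties.TCPPort = 0
$appListener.IPsOnNetworks.Add("External", 2, $appListenerIp)
# Deliberately no AuthenticationSchemes entry: this listener is anonymous.

# Rule 1: publish AD FS behind the authenticating listener. Credentials
# delegation from TMG to AD FS is set on this rule in the console.
$stsRule = $rules.AddWebPublishingRule("Publish AD FS (sts)")
$stsRule.Action = 0                               # assumed: fpcPolicyRuleActionPermit
$stsRule.WebPublishingProperties.PublishedServer = $adfsInternal
$stsRule.WebPublishingProperties.PublicNames.Add($stsPublicName)
$stsRule.WebPublishingProperties.SetWebListener("ADFS-Proxy-Listener")

# Rule 2: publish the claims-aware application behind the anonymous listener.
$appRule = $rules.AddWebPublishingRule("Publish SharePoint Teamsites")
$appRule.Action = 0
$appRule.WebPublishingProperties.PublishedServer = $spInternal
$appRule.WebPublishingProperties.PublicNames.Add($appPublicName)
$appRule.WebPublishingProperties.SetWebListener("Claims-Apps-Listener")

# Commit the new listeners and rules to the array configuration.
$array.Save()
```

The point the script makes explicit is the one the post turns on: the AD FS public name and the application public name are bound to different listeners, so the forms-based logon is only ever presented for sts.mydomain.com, while teams.mydomain.com passes through untouched and lets the claims-aware application drive the redirect to the STS.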
When configured correctly (oxymoron; see the footnote at the end), TMG works in a proxy capacity for the AD FS service. One possible use case that springs to mind is mixing authentication schemes: a different scheme on the web listener than the username/password used for the federated logon, e.g. SecurID on the TMG instance and then delegation to the back-end AD user account.
In short, the key to this process working is using a separate listener for the TMG “AD FS Proxy”, independent of the reverse proxy listener used for the claims-aware web applications.
Footnote
As usual, this is a test sandpit. Don’t use it in a production environment until you’ve battered it senseless with the testing stick. I’ve tried this with various authentication schemes so far and it works. Will continue testing… if I break it meanwhile, I’ll post an update. Enjoy!