@Peter - Interesting question - so there are a couple of thoughts I have.
Firstly, if you are using a resource forest, you still use the Exchange resource forest to publish/authenticate the user - the Exchange servers in that forest go chase down the user object in the other forest to make sure it has the permissions necessary to access the mailbox. As to whether TMG needs to be in one domain or the other, I would put it in the Exchange forest, or don't put it in the domain, and just use LDAP to the Exchange forest DCs.
On the question of using certificate + user/password - that's an interesting scenario - what you can do is require a certificate to validate the user (not authenticate) before they get to see the Forms Based auth page - if you want to do that, go to the FBA listener on TMG, to the Authentication tab, then click the Advanced button - put a check in Require SSL client certificate.
When you do that, the user will be prompted for a user certificate, and if they provide one from a trusted CA (you can scope that down in the additional settings available in Advanced Auth Options) then they get to see the FBA page. If they can't provide one, they won't get to see FBA at all. It's not authenticating the user, it's more like validating the user. Does that answer the question?