@Peter - so the validation-with-cert solution I mentioned would not work for EAS or OA; it only works for browser-based clients. That approach does not require TMG to be domain joined, as the cert is only used for validation, and it is not the primary form of authentication (FBA is).
If you want to use a client certificate for authentication, which can be done for either OWA or EAS users (but not OA), and you want pre-authentication, then TMG needs to be domain joined, so it can do KCD to CAS. As to whether this works for users in an account forest, take a look at http://technet.microsoft.com/en-us/library/cc752953.aspx - as 'it depends'. TMG and CAS would need to be in the same domain/forest for KCD to work.
DJ Ball covered the steps to get cert auth for OWA working in his post at http://msexchangeteam.com/archive/2008/10/07/449942.aspx and I will be publishing another paper showing the steps for OWA with TMG and EAS cert auth too, just as soon as I can.
So, certificate authentication requires TMG to be in the same domain as CAS. The certificate validation option I mentioned will work even if TMG is in a workgroup.