Question : TMG/ISA 2006 - Kerberos Authentication Issues

We have a large MOSS 2007 installation with numerous portals. These portals have webparts that access data on other servers, such as files servers and print servers.

Currently we use ISA 2006 to publish all MOSS sites using a HTTPS SSO listener with form based authentication. This works correctly, allowing the users login to be passed from ISA -> IIS -> File Server/print server.

However, I can't get TMG to work in the same way. If I publish the site through TMG, the user successfully authenticates with the MOSS/IIS servers, but the IIS servers fail to impersonate the user and authenticate correctly with the file server. The file server and print server security logs show the IIS servers are trying to connect with 'NT AUTHORITY\ANONYMOUS LOGON'

TMG is running on Windows Server 2008 R2 Enterprise.  MOSS 2007 is running on a farm of Server 2003 R2 x86 servers and the file and printer servers are 2008 R2.

Answer : TMG/ISA 2006 - Kerberos Authentication Issues

OK - suggested resolution from the MS team is as follows:

Go to the user/service account that you have set to run the IIS app pool and delegate it for any auth protocol with the SPN cifs/(file server).

Keith