TMG contains a mechanism called credential delegation, the simplest form being Basic delegation. Basic authentication is enabled on the TMG listener, and the credentials that the user provides are simply forwarded to the published backend server, which also has to use Basic authentication. If the backend server is configured with Integrated authentication, it will not work. Basic delegation is simple and effective.

The alternative to Basic delegation is Kerberos Constrained Delegation, where the TMG server impersonates the user account to the backend server with a Kerberos token. Kerberos is a token-based authentication protocol that has been used by default for authentication in Windows networks since Windows 2000. It improves security significantly because it reduces the risk that passwords are intercepted.

Requirements for Kerberos Constrained Delegation

For Kerberos Constrained Delegation to work with Forefront TMG you will need the following:

- Windows Server 2003 domain controllers or higher.
- Domain set to Windows 2003 functional level.
- The backend Web application (OWA) must use Windows Integrated authentication and not Forms-based or Basic authentication.

This applies only if the service on the backend server runs under the Network Service, Local System or Local Service accounts.

Now remember, if your application runs under a different domain account, i.e. if you are publishing a web farm or an NLB site, or the application pool identity is different, you should first check whether the account already has an assigned SPN. The easiest way to do this is by using the setspn tool. This will return a list of all SPNs for this account.
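
The setspn check described above, as an added example that is not part of the original article: the PowerShell below parses the listing printed by `setspn -L <account>` and reports whether the `http/` SPNs for the published host are present on that account. The account name, host names and sample output are constructed placeholders, and the `http` service class is an assumption based on the published application being a web site.

```powershell
# Added example: check a service account's SPN listing for the HTTP SPNs
# that delegation to a published web site relies on.

function Get-SpnFromSetspnOutput {
    param([string[]]$Lines)
    # `setspn -L` prints one header line, then one indented SPN per line.
    $Lines |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }
}

function Test-HttpSpn {
    param(
        [string[]]$RegisteredSpns,
        [string[]]$PublishedNames   # names the backend site is reached by
    )
    foreach ($name in $PublishedNames) {
        $spn = "http/$name"
        [pscustomobject]@{
            Spn        = $spn
            # -contains is case-insensitive, matching how SPNs are compared
            Registered = [bool]($RegisteredSpns -contains $spn)
        }
    }
}

# Constructed sample of what `setspn -L CONTOSO\svc-owa` could print.
$sample = @(
    'Registered ServicePrincipalNames for CN=svc-owa,OU=Service Accounts,DC=contoso,DC=example:'
    '        http/owa.contoso.example'
)

$spns = Get-SpnFromSetspnOutput -Lines $sample
Test-HttpSpn -RegisteredSpns $spns -PublishedNames 'owa.contoso.example', 'owa'

# Against a live domain, feed the real listing instead of $sample
# (account name is a placeholder):
#   $spns = Get-SpnFromSetspnOutput -Lines (setspn -L 'CONTOSO\svc-owa')
```

With the sample listing, the FQDN SPN is reported as registered and the short-name SPN as missing, which is the situation to resolve before configuring delegation on the TMG publishing rule.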