Your network contains an internal network and a perimeter network. The internal network
contains an Active Directory forest named contoso.com. The forest contains a Microsoft
Exchange Server 2010 organization. All of the domain controllers in contoso.com run
Windows Server 2012.
The perimeter network contains an Active Directory forest named litware.com.
You deploy Microsoft Forefront Unified Access Gateway (UAG) to litware.com. All of the
domain controllers in litware.com run Windows Server 2012.
Some users connect from outside the network to use Outlook Web App.
You need to ensure that external users can authenticate by using client certificates.
What should you do?
More than one answer choice may achieve the goal. Select the BEST answer.
A.
To the perimeter network, add an Exchange server that has the Client Access server role
installed.
B.
Deploy UAG to contoso.com.
C.
Enable Kerberos delegation in litware.com.
D.
Enable Kerberos constrained delegation in litware.com.
Correct answer: D
Forefront TMG provides support for Kerberos constrained delegation (often abbreviated as KCD) to enable published Web servers to authenticate users by Kerberos afterForefront TMG verifies their identity by using a non-Kerberos authentication method. When used in this way, Kerberos constrained delegation eliminates the need for requiring users to provide credentials twice.