Your network contains an internal network and a perimeter network. The internal network
contains an Active Directory forest named contoso.com. The forest contains a Microsoft
Exchange Server 2010 organization. All of the domain controllers in contoso.com run
Windows Server 2012.
The perimeter network contains an Active Directory forest named litware.com.
You deploy Microsoft Forefront Unified Access Gateway (UAG) to litware.com. All of the
domain controllers in litware.com run Windows Server 2012.
Some users connect from outside the network to use Outlook Web App.
You need to ensure that external users can authenticate by using client certificates.
What should you do?
More than one answer choice may achieve the goal. Select the BEST answer.
A.
To the perimeter network, add an Exchange server that has the Client Access server role
installed.
B.
Deploy UAG to contoso.com.
C.
Enable Kerberos delegation in litware.com.
D.
Enable Kerberos constrained delegation in litware.com.
Correct: D
Forefront TMG provides support for Kerberos constrained delegation (often abbreviated as KCD) to enable published Web servers to authenticate users by Kerberos after Forefront TMG verifies their identity by using a non-Kerberos authentication method. When used in this way, Kerberos constrained delegation eliminates the need for requiring users to provide credentials twice. For example, because it is unrealistic to perform Kerberos authentication over the Internet, SSL certificates might be used for authenticating users at the Forefront TMG computer. After Forefront TMG verifies the user's identity, Forefront TMG cannot pass the SSL client certificate provided by the user to a published server, but it can impersonate the user and obtain a Kerberos service ticket for authenticating the user (client) to a published Web server.
Source: https://technet.microsoft.com/en-us/library/cc995228.aspx
Kerberos constrained delegation provides a way for Forefront TMG to impersonate a user sending a Web request and to authenticate to specific services running on specific, published Web servers, including Exchange Outlook Web Access servers, when Forefront TMG knows only the user name after it verifies the identity of the user.
This has nothing to do with Microsoft TMG. But it has everything to do with cross-forest Kerberos Constrained Delegation, which is possible starting with Windows Server 2012: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f47b10c6-f546-49b4-9bff-4ef534297675/crossforest-kerberos-authentication-delegation-of-client-credentials?forum=winserverDS
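The cross-forest delegation the explanation refers to is resource-based KCD, introduced with Windows Server 2012: the allow-list lives on the back-end resource's object in contoso.com (msDS-AllowedToActOnBehalfOfOtherIdentity) rather than on the front-end's object in litware.com (msDS-AllowedToDelegateTo), which is why a principal from another forest can be listed. The PowerShell below is an added example, not part of the original question or answer. It assumes a forest trust between litware.com and contoso.com, the RSAT ActiveDirectory module, rights to modify the resource object, and the hypothetical names UAG01 (the UAG server's computer account in litware.com), CAS01 (the Exchange 2010 Client Access server in contoso.com) and the SPN http/cas01.contoso.com.

```powershell
# Added example (not from the original page). Assumed names:
#   UAG01  - the UAG server's computer account in litware.com (perimeter forest)
#   CAS01  - the Exchange 2010 Client Access server's computer account in contoso.com
#   http/cas01.contoso.com - the SPN UAG requests a service ticket for on the user's behalf
# Assumes a forest trust between the two forests and the ActiveDirectory module (RSAT).

Import-Module ActiveDirectory

$uagForest = 'litware.com'
$resForest = 'contoso.com'

# 1. The front-end (UAG) identity in the perimeter forest.
$uag = Get-ADComputer -Identity 'UAG01' -Server $uagForest

# 2. The user authenticates to UAG with a client certificate, not Kerberos, so UAG has to
#    perform protocol transition (S4U2Self) to get a ticket for that user. The classic way
#    to permit that is the "use any authentication protocol" flag on the UAG account.
#    This is a high-value privilege for the perimeter-forest account; grant it only here.
Set-ADComputer -Identity $uag -TrustedToAuthForDelegation $true -Server $uagForest

# 3. The back-end resource in the internal forest. The SPN UAG will ask for must already
#    be registered on CAS01, otherwise the S4U2Proxy request fails.
$cas = Get-ADComputer -Identity 'CAS01' -Server $resForest -Properties ServicePrincipalNames
$spn = "http/cas01.$resForest"
if ($cas.ServicePrincipalNames -notcontains $spn) {
    throw "SPN $spn is not registered on $($cas.Name); register it (setspn -S) first."
}

# 4. Resource-based KCD: allow UAG01 (litware.com) to obtain service tickets to CAS01 on
#    behalf of users. Because the list is scoped to this one resource, a compromised UAG
#    can only impersonate users towards CAS01, not towards arbitrary internal services.
Set-ADComputer -Identity $cas -PrincipalsAllowedToDelegateToAccount $uag -Server $resForest

# 5. Verify. The contoso.com DC resolves the stored SID back to the litware.com account
#    only when the trust works; an unresolved SID here means the trust or name lookup is broken.
$check = Get-ADComputer -Identity 'CAS01' -Server $resForest `
    -Properties PrincipalsAllowedToDelegateToAccount
$check.PrincipalsAllowedToDelegateToAccount | Format-List Name, DistinguishedName
```

Answer A (a CAS in the perimeter network) would put a mailbox-facing Exchange role in the DMZ, and answer B (UAG in contoso.com) moves the reverse proxy inside the perimeter; neither is needed once step 4 lets the existing litware.com UAG delegate across the trust. Note that classic KCD (answer C, unconstrained delegation, or KCD configured on the UAG object with msDS-AllowedToDelegateTo) does not cross a forest boundary, which is why the resource-side configuration is the one that matters here.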