Your network contains an internal network and a perimeter network. The internal network contains an
Active Directory forest named contoso.com. The forest contains a Microsoft Exchange Server 2010
organization. All of the domain controllers in contoso.com run Windows Server 2012.
The perimeter network contains an Active Directory forest named litware.com.
You deploy Microsoft Forefront Unified Access Gateway (UAG) to litware.com. All of the domain
controllers in litware.com run Windows Server 2012.
Some users connect from outside the network to use Outlook Web App.
You need to ensure that external users can authenticate by using client certificates.
What should you do?
More than one answer choice may achieve the goal. Select the BEST answer.
A.
To the perimeter network, add an Exchange server that has the Client Access server role installed.
B.
Deploy UAG to contoso.com.
C.
Enable Kerberos delegation in litware.com.
D.
Enable Kerberos constrained delegation in litware.com.
Explanation:
Forefront TMG provides support for Kerberos constrained delegation (often abbreviated as KCD) to
enable published Web servers to authenticate users by Kerberos afterForefront TMG verifies their
identity by using a non-Kerberos authentication method. When used in this way, Kerberos constrained
delegation eliminates the need for requiring users to provide credentials twice.
About Kerberos constrained delegation
https://technet.microsoft.com/en-us/library/cc995228.aspx