ISA Server 2006 provides the following new authentication features:
· Single sign on (SSO), in which a user authenticates once with ISA Server and can access any number of servers that are behind ISA Server, without reauthenticating.
· Two-factor authentication using forms-based authentication and a client certificate.
· Forms-based authentication support for publishing any Web server.
· Customizable forms for forms-based authentication and forms for mobile clients, and use of per-user-agent authentication schemes.
· Fallback from forms-based authentication to Basic authentication, for non-browser clients.
· Delegation of credentials by using NTLM or Kerberos authentication.
· Kerberos constrained delegation.
· Credentials caching.
· Password management, in which ISA Server can check the status of the user’s account and report it to the user. This feature can also be configured to enable users to change their passwords.
· Secure Sockets Layer (SSL) client certificate constraints.
· Ability to assign a different digital certificate to each IP address on a network adapter.
· A new type of forms-based authentication: User name passcode/password, where the passcode is used for ISA Server authentication and the password is used for authentication delegation.
· Support for Active Directory® directory service authentication using the Lightweight Directory Access Protocol (LDAP), allowing Active Directory authentication when ISA Server is in a workgroup, or in a forest other than the one that contains the accounts of the user. ISA Server also supports multi-forest configurations, in which the user can be authenticated on a different set of LDAP servers.
· One-time password support for Remote Authentication Dial-In User Service (RADIUS). In ISA Server 2004, this support was provided for RSA SecurID only.
· Default blocking of authentication delegation.
These features are described in more detail in Authentication in ISA Server 2006.
ISA Server User Education