Pass through authentication or by passing the authentication on the ISA server is used in certain cases or situations where admins want to go only with the authentication on the published server. To elaborate on that I would once again take the example of my OWA publishing post(please refer to it in case you have not or if you are not familiar with it) In my OWA publishing post what i am using is FBA(form based authentication) on the listener and in my publishing rule I have mentioned users have to be all authenticated users and authentication delegation that i am using in that is Basic authentication. Now let me explain what that means again so that you would know that by using these attributes what you have asked ISA to do. You told ISA to present a user with FBA page when he wants to access OWA and then get him authenticated using windows active directory method(domain controller of the domain) for more explanation on that please refer to my post about authentication with ISA server. Once user is authenticated forward the credentials to the CAS server in basic authentication format where CAS server would get the user authenticated from domain controller and then after authentication provide him access to his inbox.
When we want to by pass ISA server authentication and want only our CAS server to authenticate the user. Then we can do this by configuring listener with No authentication as shown below
and in the webpublishing rule under the users tab you have following
and authentication delegation in the publishing rule as shown below
After having set the rule and the listener as show above we have configured ISA not to authenticate the user and let the CAS server authenticate the user.This is how you would configure Pass through authentication on the ISA server.
I have seen admins going for it in scenarios where they want to present the form from there CAS server to the user and dont want ISA server form to be presented to the user.
some back ground on this....
I would like to mention a important point here that if you have configured your CAS server with FBA and you are also configuring ISA server's OWA publishing rule's listener to use FBA then this combination would not work. In such situations recommendation is to use basic authentication on CAS server and keep FBA on the ISA server. But in such situation our external users would get FBA page while accessing OWA but internal network users would get basic authentication prompt for OWA access within internal network. There are two options or solutions in this situation
a. configure ISA server OWA publishing rule's listener to listen on internal NIC for OWA requests and point all internal machines(configure DNS name resolution on the internal DNS server) to ISA server's internal NIC for OWA access (considering you have two NICs on ISA one internal and other External. For single NIC ISA server all that would be required is on internal DNS server point OWA to ISA server's NIC).
b. Keep Form based authentication on the CAS server and configure pass through authentication on the ISA server. But doing that you have only single point authentication not two point.
I happened to remember another example where we can use it and that is with websites on which we dont want to use any authenticationi.e. neither from web server norISA server.
So its a matter of choice ,whichever way you want to go.