CAC Card Authentication Using KCD With CRM 2011 and TMG
CRM
- Allow website to use Kerberos
- Create an SPN for CRM
  setspn -a http/crm-2011.test.local Domain/User

AD
- Open TMG Computer Account in AD and allow delegation to the SPN you created earlier.

TMG
- Install DoD Root Certificates (http://iase.disa.mil/pki-pke/function_pages/tools.html)
- Install Tumbleweed on TMG Server ***** this is extremely important on gov sites that use this software. *****
- Import Tumbleweed client configuration file
- Disable HTTPS Inspection and NIS in TMG
- Publish DoD E-mail certs to the NT Auth Store
  certutil -dspublish -f <filename> NTAuthCA
- Make sure GPO for TMG machine is updated with the following:
  Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client - Auto-Enrollment
  Configuration Model should be enabled, and Renew expired certificates and Update certificates should both be checked.
- Create Listener
- Create Rule
- Under Authentication Delegation choose Negotiate (Kerbe
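
A read-only check of the SPN, delegation and NTAuth steps above, added here as an example and not part of the original post. It assumes the RSAT ActiveDirectory module is available, and TMG01 is a placeholder for the TMG computer account name.

```powershell
# Added example: read-only checks, nothing here changes AD or the cert stores.
Import-Module ActiveDirectory               # assumes RSAT AD module is installed

$Spn         = 'http/crm-2011.test.local'   # SPN from the setspn step above
$TmgComputer = 'TMG01'                      # placeholder TMG computer account name

# 1. The SPN must sit on exactly one account; a duplicate breaks ticket issuance.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
switch ($owners.Count) {
    0       { Write-Warning "SPN $Spn is not registered on any account." }
    1       { Write-Output  "SPN $Spn is registered on $($owners[0].DistinguishedName)" }
    default { Write-Warning "SPN $Spn is duplicated: $($owners.DistinguishedName -join ' | ')" }
}

# 2. The TMG computer account must list that SPN for constrained delegation.
$tmg = Get-ADComputer -Identity $TmgComputer -Properties `
    'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation
if (@($tmg.'msDS-AllowedToDelegateTo') -contains $Spn) {
    Write-Output "$TmgComputer may delegate to $Spn."
} else {
    Write-Warning "$TmgComputer is not allowed to delegate to $Spn."
}
# A CAC logon at the listener is a certificate logon, not Kerberos, so the
# account needs protocol transition ("Use any authentication protocol").
if (-not $tmg.TrustedToAuthForDelegation) {
    Write-Warning "$TmgComputer lacks protocol transition."
}
# Unconstrained delegation grants far more than this setup needs.
if ($tmg.TrustedForDelegation) {
    Write-Warning "$TmgComputer is trusted for unconstrained delegation; restrict it."
}

# 3. Run on the TMG server: list the NTAuth certificates this machine received
#    from AD, to confirm the ones published with certutil -dspublish arrived.
certutil -enterprise -store NTAuth
```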