Exchange 2013 & TMG

There's a statement in the article below that Exchange 2013 "out of the box" works just fine behind TMG when TMG is configured for delegated auth using NTLM. It explains that FBA and Windows Integrated auth are both enabled for OWA/ECP.

http://blogs.technet.com/b/exchange/archive/2015/02/11/configuring-multiple-owa-ecp-virtual-directories-on-the-exchange-2013-client-access-server-role.aspx

Can anybody confirm that this is still the case? I'm experiencing a double prompt with TMG and Exchange 2013 (CU8) forms. I notice that Windows Integrated is disabled, and if I enable it, FBA is automatically disabled (just like in 2010).

May 24th, 2015 7:35pm

Hi,

According to your description, I understand that you are facing a double prompt with TMG and Exchange 2013 (CU8) forms with delegated authentication using NTLM.
If I misunderstand your concern, please do not hesitate to let me know.

If you want to use NTLM, we need to add NTLM to the authentication methods enabled on the CAS for OAB and EWS.
Please run the commands below to double-check the authentication methods for the secondary virtual directory:
Get-OwaVirtualDirectory | FL Identity,*Auth*,*SSL*
Get-EcpVirtualDirectory | FL Identity,*Auth*,*SSL*

Also, please check the authentication for the listener in the TMG configuration; it should be the same as the value for the Internet-facing Exchange CAS servers.
More details about Publishing Exchange Server 2013 using TMG, for your reference: http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx
Meanwhile, please refer to Publishing Exchange Server 2010 with Forefront UAG and TMG: http://blogs.technet.com/b/exchange/archive/2010/07/16/publishing-exchange-server-2010-with-forefront-uag-and-tmg.aspx

Thanks

May 24th, 2015 10:45pm
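The check above, carried a step further as an added example that is not part of the original thread or of the linked articles: it reports the Basic/Forms/Windows flags on every OWA and ECP virtual directory on a CAS, flags the FBA-only state that produces a second prompt behind an NTLM-delegating TMG listener, and shows the two ways out that the thread discusses (switch the default vdirs to Windows auth, or build a second IIS website with its own OWA/ECP vdirs for TMG and leave the default ones on FBA). The server name "CAS01", the website name "OWA-NTLM", its port and path are illustrative assumptions; the cmdlets and parameters are the standard Exchange 2013 and IIS WebAdministration ones. Run it in the Exchange Management Shell.

```powershell
# Added example (not from the thread): audit OWA/ECP auth on an Exchange 2013 CAS
# and apply one of the two fixes discussed. "CAS01" and "OWA-NTLM" are assumptions.

function Get-OwaEcpAuthReport {
    param([string]$Server = $env:COMPUTERNAME)

    # OWA and ECP must agree on FBA, so report both directory types side by side.
    $vdirs = @(Get-OwaVirtualDirectory -Server $Server) +
             @(Get-EcpVirtualDirectory -Server $Server)

    foreach ($v in $vdirs) {
        $note = if ($v.FormsAuthentication -and $v.WindowsAuthentication) {
                    'FBA and WIA both on (what the blog post describes)'
                } elseif ($v.FormsAuthentication) {
                    'FBA only: NTLM delegation from TMG will produce a second prompt'
                } elseif ($v.WindowsAuthentication) {
                    'WIA on, FBA off: fine for NTLM delegation, no forms logon'
                } else {
                    'Basic only'
                }
        [pscustomobject]@{
            Identity = $v.Identity
            Basic    = $v.BasicAuthentication
            Forms    = $v.FormsAuthentication
            Windows  = $v.WindowsAuthentication
            Note     = $note
        }
    }
}

# Option A: let TMG do the forms logon and delegate with NTLM, so the default
# vdirs need Windows auth. Per the thread, enabling WIA turns FBA off.
function Set-OwaEcpWindowsAuth {
    param([string]$Server = $env:COMPUTERNAME,
          [string]$WebSite = 'Default Web Site')

    foreach ($vd in 'owa', 'ecp') {
        $id = "$Server\$vd ($WebSite)"
        $cmd = if ($vd -eq 'owa') { 'Set-OwaVirtualDirectory' } else { 'Set-EcpVirtualDirectory' }
        & $cmd -Identity $id -WindowsAuthentication $true -FormsAuthentication $false
    }
    # IIS picks the change up after an app-pool recycle; iisreset is the blunt tool.
    iisreset /noforce | Out-Null
}

# Option B: keep FBA on the default website for browser users and publish a
# second website (port 8443 here, an assumption) with WIA-only OWA/ECP vdirs
# for TMG. Binding a certificate to the new site is left to the admin.
function New-OwaEcpNtlmSite {
    param([string]$Server   = $env:COMPUTERNAME,
          [string]$SiteName = 'OWA-NTLM',
          [int]   $Port     = 8443,
          [string]$Path     = 'C:\inetpub\OWA-NTLM')

    Import-Module WebAdministration
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    New-WebSite -Name $SiteName -Port $Port -PhysicalPath $Path | Out-Null

    New-OwaVirtualDirectory -Server $Server -WebSiteName $SiteName -Role ClientAccess | Out-Null
    New-EcpVirtualDirectory -Server $Server -WebSiteName $SiteName -Role ClientAccess | Out-Null

    Set-OwaVirtualDirectory -Identity "$Server\owa ($SiteName)" -WindowsAuthentication $true -FormsAuthentication $false
    Set-EcpVirtualDirectory -Identity "$Server\ecp ($SiteName)" -WindowsAuthentication $true -FormsAuthentication $false
    iisreset /noforce | Out-Null
}

# Usage: audit first, then pick one option.
Get-OwaEcpAuthReport -Server 'CAS01' | Format-Table -AutoSize
# Set-OwaEcpWindowsAuth -Server 'CAS01'
# New-OwaEcpNtlmSite -Server 'CAS01' -SiteName 'OWA-NTLM' -Port 8443
```

Whichever option is chosen, the TMG listener's delegation setting has to match what the published vdir accepts: NTLM delegation against an FBA-only vdir is exactly the double-prompt case, and a second website needs its own TLS binding and a rule that points at that port.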

Thanks Allen,

Only Basic and FBA are enabled. If I enable Windows Integrated then it works correctly, however FBA is automatically disabled. This statement in the article suggests they are both enabled by default and "it just works".

"Exchange 2013 ships with Integrated Windows auth enabled on the OWA and ECP virtual directories as well as Forms based auth. So, if you choose NTLM delegation, or KCD, from TMG/UAG to Exchange, it just works."

So just wondering if anyone else has tried it. The alternative is to create an additional virtual directory for OWA/ECP, as mentioned in the article, or to stop TMG from doing any delegated auth.

May 24th, 2015 11:39pm

Hi,

For Exchange 2013, it only supports Basic or NTLM delegation. Therefore, we need to choose between using NTLM to delegate and using FBA without delegation.
Please refer to Publishing Exchange Server 2013 using TMG: http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx

Thanks

May 25th, 2015 11:09pm
