TMG provides 3 general methods of authenticating users and they are:
HTTP authentication:
Basic authentication - The user enters a username and password which the TMG server validates against the specified authentication server.
Digest and WDigest authentication - Has the same features as the Basic authentication but provides a more secure way of transmitting the authentication credentials.
Integrated windows authentication - Uses the NTLM, Kerberos, and Negotiate authentication mechanisms. These are more secure forms of authentication because the user name and password are hashed before being sent across the network.
Forms-based authentication:
Password form - Prompts the user to enter a username and a password.
Passcode form - Prompts the user to enter a username and a passcode.
Passcode and Password form - Prompts the user to enter a username/password combination and a username/passcode combination.
Client certificate authentication
When users make a request for published resources, the client certificate sent to Forefront TMG is passed to a domain controller, which determines the mapping between certificates and accounts. The certificate must be matched to a user account.
Note: Client certificate authentication is not supported for authenticating outbound Web requests.