Solved

Configuring an extranet/intranet SharePoint site behind ISA with Forms-Based Authentication and SSL

Posted on 2008-06-11
Last Modified: 2012-06-21
I am working on a very specific configuration for a SharePoint site, so my question will also be very specific. Here's the requirement: I am trying to create a SharePoint site with the front and several sub pages available publicly on the internet. Then, I need users to click Sign-In and authenticate with their Active Directory IDs (which are already created). Upon login, they will have various levels of access to private team sites AND the ability to manage content of the private and public areas.

Here's the issue: the server sits behind an ISA firewall, which listens for traffic on port 80 and converts traffic to SSL (https). Internally, it communicates with the SharePoint server in regular http because there are no security threats within the network. I want users from the internet to hit the site on http://. Then, I want ISA to redirect the connection to https:// and display the public-facing SharePoint site with no login. This, I have gotten to work. ***However, when they click sign in, instead of the Windows login dialog popping up, I want them to be redirected to ISA's web-based form and use their Active Directory logins to authenticate.*** I also tried to set up SharePoint's web-based forms by modifying the web.config file, but this failed with an ambiguous error that I could not trace.

What is the best configuration to use in SharePoint, IIS, and ISA to create this experience?

Thank you!

Versions:
Windows Server 2003 SP2
MOSS 2007
ISA 2006
Question by: gmoncada

5 Comments

Accepted Solution
by: cj_1969 (earned 500 total points)
ID: 21769034
My understanding of what you want is a web form that authenticates a user against AD ... is this correct?
If so, then I believe you are going to have to create that code yourself; this is not an "out of the box" configuration. You can either use Windows Integrated authentication ... which pops up the little dialog window and prompts for authentication, OR you can use forms-based authentication, in which case you have to write the code that tells it where and how to authenticate the credentials that are entered.

Check out these links ...
http://support.microsoft.com/kb/326340
http://msdn.microsoft.com/en-us/library/aa480476.aspx
http://msdn.microsoft.com/en-us/library/ms998360.aspx

Or try this search and see what else applies ...
http://www.google.com/search?hl=en&q=forms+based+authentication+to+AD

Author Comment
by: gmoncada
ID: 21772681
Hi, thanks for the response. I've made some progress based on the resources but haven't gotten it to work fully yet. Yes, you are correct that I want to use FBA against AD. I followed the steps outlined in the article you posted:

http://msdn.microsoft.com/en-us/library/ms998360.aspx

to use Visual Studio to create a custom login. I was successful in this -- able to log in and even create new Active Directory accounts. Knowing my connection string in web.config was correct, I set SharePoint's settings and copied the information into the SharePoint site's web.config (and the Central Admin web.config) as outlined here:

http://blogs.msdn.com/solutions/archive/2007/08/27/forms-based-authentication-fba-in-wss-3-0-moss-2007.aspx

Here's what happens now:

1) On the Central Admin site: The web form comes up as soon as I hit the URL. When I log in with invalid credentials, an invalid password error message comes up. With valid credentials, the page simply reloads, displaying the login form, but with no error message. So the connection string to AD is working, but not forwarding properly. Then, if I manually change the URL to the root again, I get "Error: Access denied. You are currently logged in as (my user name)".

So, why is the page not redirected into the SharePoint site upon successful login, and why is access denied? If I am using the Windows login pop-up, I am allowed right in.

2) On the actual SharePoint site, the form simply reloads with no error message whether valid or invalid credentials are provided. After login and reload, hitting the site root manually simply redirects to the login page.

What can I do to properly authenticate and redirect?

Author Comment
by: gmoncada
ID: 21772987
Another note I forgot to mention... the login form being used is SharePoint's, not the custom one I developed. So the web.config provides:

   <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
   </authentication>

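For reference, a complete web.config fragment for FBA against AD using the ActiveDirectoryMembershipProvider that the linked MSDN article describes, added here as an illustration rather than the poster's actual configuration; the domain, OU, domain controller and service-account names are assumed placeholders.

```xml
<configuration>
  <connectionStrings>
    <!-- Assumed placeholder values: point this at your own domain controller and user OU.
         The provider binds to this LDAP path to validate credentials and look up accounts. -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc01.example.local/OU=Users,DC=example,DC=local" />
  </connectionStrings>

  <system.web>
    <!-- Same forms setting as in the post above: SharePoint's built-in login page handles the form. -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
    </authentication>

    <!-- The provider name chosen here must match the membership provider name entered for
         this zone in Central Administration, otherwise SharePoint cannot resolve the user. -->
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="EXAMPLE\svc_sp_fba"
             connectionPassword="PLACEHOLDER-change-me"
             connectionProtection="Secure"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The bind account (connectionUsername) only needs read access to the directory, and because its password sits in web.config the membership and connectionStrings sections should be encrypted in place with aspnet_regiis -pe rather than left in clear text. The same provider block must also exist in the Central Administration web.config so the People Picker can find and grant site permissions to the FBA identity (written as ADMembershipProvider:username); an "Access denied" for a user who is already logged in means the credentials were accepted but that identity has not been given any permissions on the site.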

Author Closing Comment
by: gmoncada
ID: 31466407
Thanks for your help. In the end I am using a workaround with two separate sites and authentication providers. Although I've gotten ISA to authenticate against AD with a web form, it won't pass the login information through to SharePoint, so a second HTTP authentication form is generated by SharePoint after the user clears ISA. Not ideal, but close. Still working on it. Thanks for your help.

Expert Comment
by: cj_1969
ID: 21802573
To get forms authentication working from IIS to SharePoint using the network credentials, you will need to set up Kerberos authentication.
To make this work you will need to configure the IIS server in AD for delegate authority and then make sure that SharePoint is enabled for Kerberos authentication ... most likely this means having to set an SPN for the SharePoint services.

Check out this page; it might help ... http://www.sharepointjoel.com/Lists/Posts/Post.aspx?ID=2