Welcome to ISAserver.org

Authentication prompt when using integrated authentication

Authentication prompt when using integrated authentication - 26.Jun.2009 7:44:39 PM   
vkumar_72

 

Posts: 8
Joined: 2.Jun.2009
Status: offline
Hi,

I am having an issue with authentication pop ups internally as well as externally for sharepoint published on ISA 2006. The configuration I have done is:

1. ISA 2006 in DMZ with single NIC as a member of same domain as sharepoint servers.
2. sharepoint farm with 2 SP servers published.
3. Web Listener Authentication configured as Basic with Windows (Active Directory).
4. Authentication delegation configured as NTLM authentication.
5. IIS website for sharepoint configured as "Integrated Windows Authentication" checked on both the SP servers.
6. This is a separate domain for sharepoint extranet.
7. There is a trust with corporate domain for corporate user access.

Issue:

1. Internal Users get pop up for authentication even if they are on sharepoint domain or corporate domain.
2. After login if they try to access published documents like word docs they are prompted for authentication again.

Is there a way to avoid authentication pop up for internal users?

Please help me identify the issue and resolve it. Appreciate your help.

Thanks,
Vijay
Post #: 1
RE: Authentication prompt when using integrated authent... - 30.Jun.2009 10:33:07 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Make sure that the Web Listener is not configured to require authentication.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to vkumar_72)
Post #: 2
RE: Authentication prompt when using integrated authent... - 9.Sep.2009 7:02:47 AM   
bluwe

 

Posts: 10
Joined: 9.Sep.2009
Status: offline
We're having similar issues. Two ISA 2006 SP1 servers configured as an array and three MOSS servers configured as a farm. I've tried the suggestion to remove authentication from the web listener but it hasn't made any difference.

We are also seeing authentication prompts when users jump from one MOSS site to another on the same farm (all published by the same ISA array) and when they open pages that contain images from other sites. The funny thing is we have an ISA 2006 array (no service pack) where this works fine.

I have played around with Trusted Sites settings, etc but this has not made any difference. Plus all of our desktop estate can access these Sharepoint sites without any problems when they go via our old ISA 2006 array.

Has anyone got any suggestions?

Thanks in advance!

(in reply to tshinder)
Post #: 3
RE: Authentication prompt when using integrated authent... - 9.Sep.2009 7:59:19 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
The cross-site auth prompts should be solved by configuring SSO and using a single web listener for all three sites.

Auth prompts in Office apps can be cured by using persistent cookies.

If these don't help, can you provide more detail on your problems and current publishing configuration?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to bluwe)
Post #: 4
RE: Authentication prompt when using integrated authent... - 9.Sep.2009 8:14:05 AM   
bluwe

 

Posts: 10
Joined: 9.Sep.2009
Status: offline
Thanks for replying, Jason. I'm not sure if SSO would satisfy our requirements because these are internal users accessing the MOSS sites via ISA so they want to be able to open the sites without any authentication prompts. Admittedly I'm fairly new to ISA but I wasn't aware that you could configure SSO when using HTTP authentication...

Our configuration consists of two rules for each site with one rule listening on an Internal address using HTTP Integrated authentication, and a second rule listening on an External IP address configured with Forms authentication.

What's really puzzling me is that this works fine on our old ISA array and as far as I can tell the rules are configured identically.

Thanks Again!

(in reply to Jason Jones)
Post #: 5
RE: Authentication prompt when using integrated authent... - 9.Sep.2009 10:18:14 AM   
bluwe

 

Posts: 10
Joined: 9.Sep.2009
Status: offline
I've just had a play around with the authentication on the rule and I didn't realise that you could configure FBA with NTLM and it doesn't prompt. However, I do still seem to be having the same issue so I think I may need to go back and check my rule configuration...

(in reply to bluwe)
Post #: 6
RE: Authentication prompt when using integrated authent... - 9.Sep.2009 8:56:58 PM   
AnthonyP

 

Posts: 23
Joined: 5.Dec.2006
Status: offline
Having the same issue as well.

Currently have 1 rule that handles both internal and external users.  It uses KCD and SSL Client Certificate Auth on the listener.  This is working just fine.  However, internal users don't want to be prompted for a certificate anymore, so we need to create a new rule that listens only internally and changes the listener authentication to HTTP Integrated.

I copied the first rule, made the appropriate listener changes and users are getting prompted internally for username and password.  No combination of credentials is letting us through.  I've tried all authentication and delegation combinations (KCD, the 2 no delegation options, no authentication)... All no go.

I can, however, use the same rule and setup FBA and after putting in my credentials I can get right through.  This would be using KCD as well.

I've ensured that require all users to authenticate is unchecked and it's not a IE Trusted Sites or IE Integrated Auth issue.

Any ideas?

(in reply to bluwe)
Post #: 7
RE: Authentication prompt when using integrated authent... - 10.Sep.2009 2:44:54 AM   
bluwe

 

Posts: 10
Joined: 9.Sep.2009
Status: offline
Yes, it's very frustrating and there doesn't seem to be any consistency to the way the authentication prompts behave either. My previous post about FBA with NTLM not prompting seems to be from an inconsistency on the array because I'm not sure that's how it should behave.

We have our MOSS sites listed in Trusted Sites and it does seem to alleviate some of the problems so that might be worth trying.

Also, have you tried removing authentication all together from your internal rule? In testing I managed to get that to work on the array in our lab but I'm not sure if that will alleviate our "SSO" issues when users jump from one site to another and when I tried implementing the same change in the LIVE environment it didn't work in the same way as the lab and I was prompted for a username and password.

(in reply to AnthonyP)
Post #: 8
RE: Authentication prompt when using integrated authent... - 10.Sep.2009 3:51:27 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Maybe I am missing something here, but do you gain a lot of value by authenticating internal users at ISA? Surely it would be a lot more efficient to use a No Authentication web listener combined with No delegation, but client can authenticate for internal users?

You then have two rules (or more) defined using split DNS:

sharepoint.domain.com internally points to No auth web listener using an internal IP

sharepoint.domain.com externally points to the FBA web listener using an external IP (or SSL cert auth if preferred)

If you have multiple rules that use each listener, you should then be able to enable SSO across the rules.

To keep a consistent protocol, I would also use HTTPS both internally and externally (and confuse users less). The cert on the internal No Auth web listener could be issued from an internal CA to save public certs cost.

If you want to eliminate Office auth prompts, you can then enable persistent cookies on the external FBA web listener.

One last question, are you using Windows Vista clients with SharePoint, if so, you may be experiencing this: http://blog.msfirewall.org.uk/2008/07/problems-accessing-office-documents.html

Thoughts?

Cheers

JJ


(in reply to bluwe)
Post #: 9
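
The thread distinguishes listeners that challenge with Basic, let integrated authentication through, redirect to a forms logon, or deny with error 12202. As an added example (not from any poster), this Python script labels a captured HTTP response accordingly; the sample responses are constructed, the label names and `/logon-placeholder` path are hypothetical, and it assumes one challenge per `WWW-Authenticate` header.

```python
SILENT_SCHEMES = {"negotiate", "ntlm"}  # answered with the Windows logon token

def parse_response(raw):
    """Split a raw HTTP response into (status, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def offered_schemes(headers):
    """Schemes from every WWW-Authenticate header (assumes one per header)."""
    schemes = []
    for name, value in headers:
        if name == "www-authenticate" and value:
            schemes.append(value.split()[0].lower())
    return schemes

def classify(raw):
    """Label what the client experiences for this response."""
    status, headers, body = parse_response(raw)
    if status == 401:
        schemes = offered_schemes(headers)
        if any(s in SILENT_SCHEMES for s in schemes):
            return "integrated"        # silent if the browser allows automatic logon
        if "basic" in schemes:
            return "basic-prompt"      # browser asks the user for credentials
        return "unknown-challenge"
    if status == 403 and "12202" in body:
        return "denied-by-rule"        # the 12202 error quoted in the thread
    if status in (301, 302):
        return "redirect"              # e.g. to a forms logon page
    if 200 <= status < 300:
        return "no-challenge"
    return "other"

SAMPLES = {  # constructed responses, not captures from a real array
    "internal": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
                "WWW-Authenticate: NTLM\r\n\r\n",
    "basic": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="x"\r\n\r\n',
    "denied": "HTTP/1.1 403 Forbidden\r\n\r\n403 Forbidden. (12202)",
    "forms": "HTTP/1.1 302 Found\r\nLocation: /logon-placeholder\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```
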
RE: Authentication prompt when using integrated authent... - 10.Sep.2009 4:41:14 AM   
bluwe

 

Posts: 10
Joined: 9.Sep.2009
Status: offline
You're absolutely right, there is no added value by using ISA internally and in fact it just adds an extra layer of complexity and impacts on performance in my opinion. However, using ISA internally is a mandatory requirement for our customer and we have agreed to meet that requirement so I need to make it work.

Having done some more testing I am beginning to see that "No Authentication" on the listener could well be the solution to this. We have some discrepancies between our Lab environment and the LIVE environment which may have been causing the odd behaviour I saw yesterday, so it's back to the drawing board today to try and get all the sites working happily internally with "No Authentication" listeners.

Thanks for taking the time to reply, I really appreciate your help.

I'll let you know how it goes....

(in reply to Jason Jones)
Post #: 10
RE: Authentication prompt when using integrated authent... - 10.Sep.2009 5:59:12 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: bluwe

You're absolutely right, there is no added value by using ISA internally and in fact it just adds an extra layer of complexity and impacts on performance in my opinion. However, using ISA internally is a mandatory requirement for our customer and we have agreed to meet that requirement so I need to make it work.



No problem

Note that I didn't say "don't use ISA for internal users", I said "don't authenticate internal users with ISA", a subtle difference. ISA can add a lot of value, even for internal access; I'm just not sure pre-auth with ISA is necessary in that scenario.

Keep us posted on your findings...

Cheers

JJ 

< Message edited by Jason Jones -- 10.Sep.2009 6:00:36 AM >



(in reply to bluwe)
Post #: 11
RE: Authentication prompt when using integrated authent... - 10.Sep.2009 6:54:21 AM   
AnthonyP

 

Posts: 23
Joined: 5.Dec.2006
Status: offline
We're using ISA as the load balancer for the Web FE farm. 

I tried No Authentication as well, along with no delegation (but client can authenticate directly) but I get an immediate "403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)"


< Message edited by AnthonyP -- 10.Sep.2009 8:48:46 AM >

(in reply to Jason Jones)
Post #: 12
RE: Authentication prompt when using integrated authent... - 10.Sep.2009 12:43:51 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: AnthonyP

We're using ISA as the load balancer for the Web FE farm. 

I tried No Authentication as well, along with no delegation (but client can authenticate directly) but I get an immediate "403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)"



Did you change from All Authenticated Users to All Users?

Cheers

JJ


(in reply to AnthonyP)
Post #: 13
RE: Authentication prompt when using integrated authent... - 10.Sep.2009 1:51:11 PM   
AnthonyP

 

Posts: 23
Joined: 5.Dec.2006
Status: offline
quote:

ORIGINAL: Jason Jones

Did you change from All Authenticated Users to All Users?

Cheers

JJ


D'oh.  Of course not.  It's always the little things.  Thank you!!

-Anthony

(in reply to Jason Jones)
Post #: 14
RE: Authentication prompt when using integrated authent... - 10.Sep.2009 6:38:00 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
No problem, that one is easily forgotten!


(in reply to AnthonyP)
Post #: 15
RE: Authentication prompt when using integrated authent... - 17.Sep.2009 6:27:56 AM   
bluwe

 

Posts: 10
Joined: 9.Sep.2009
Status: offline
OK, time for an update and I have good and bad news....

The Good:

Removing authentication from the rules for our MOSS sites has completely resolved the authentication prompts issue....woohoo!!

The Bad:

Users are now reporting performance problems when accessing the MOSS sites...doh!!

My immediate reaction was to blame MOSS, however, when accessing the sites through the old array it is lightning fast. One subtle difference is that the old array is in the same domain as the MOSS servers so I am starting to think the performance problems are authentication related. Has anyone got any ideas? I think this problem is going to send me mental!

(in reply to Jason Jones)
Post #: 16
RE: Authentication prompt when using integrated authent... - 22.Sep.2009 1:56:02 PM   
bluwe

 

Posts: 10
Joined: 9.Sep.2009
Status: offline
Quick update, guys. All performance problems now resolved...hoorah! The issues turned out to be DNS related so it's onwards and upwards now.

Thanks to everyone who contributed, your thoughts were invaluable.

(in reply to bluwe)
Post #: 17
RE: Authentication prompt when using integrated authent... - 22.Sep.2009 2:57:15 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Cool


(in reply to bluwe)
Post #: 18
RE: Authentication prompt when using integrated authent... - 25.Sep.2009 12:05:53 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yay!

Thanks for the follow up!

Tom


(in reply to Jason Jones)
Post #: 19
RE: Authentication prompt when using integrated authent... - 7.Oct.2009 6:02:39 AM   
guyhorn

 

Posts: 3
Joined: 7.Oct.2009
Status: offline
Hello,
Jason Jones wrote: "Auth prompts in Office apps can be cured by using persistent cookies."

We have the same problem with the behavior of MS-office apps.

Situation:
1. SSO for internet users for OWA and Sharepoint internal site. Works good.
2. When a user tries to open a MS-office doc like .xls or .doc he gets the basic authentication prompt.

My questions:
1. How do persistent cookies help?
2. What's the risk?
3. Is there a drawback?

< Message edited by guyhorn -- 7.Oct.2009 6:05:29 AM >

(in reply to Jason Jones)
Post #: 20
