Welcome to ISAserver.org
Single log-on for published SharePoint site
Single log-on for published SharePoint site - 1.Dec.2005 8:33:03 PM
senad
Posts: 31
Joined: 27.Nov.2001
From: Brighton, MA
Status: offline
Guys,

Does anybody know how to get around the issue with a published SharePoint site (ISA basic auth --> SPS basic auth, over SSL) forcing users to authenticate again every time they attempt to open an MS Office document stored in a SharePoint library? The ISA 2004 Enterprise servers and the SharePoint (SPS) server are members of the same domain.

Thanks,
Senad
RE: Single log-on for published SharePoint site - 2.Dec.2005 4:09:57 PM
senad
Posts: 31
Joined: 27.Nov.2001
From: Brighton, MA
Status: offline
Hi Jason,

Thank you for replying. Yes, my setup looks more or less the same as the one recommended in the MS guide for ISA and SharePoint (SSL to SSL, with basic authentication forwarding). I am not using any link translation rules. I did not make any changes to HTTP filter properties (the 'verify normalization' rule is disabled, as it should be).

I believe the problem is in IE design; every new browser executable has to re-authenticate, because Internet Explorer does not share cookies/credentials across sessions. This means whether you click to open a new iexplore.exe or you use Office (which uses a new Internet Explorer instance in the background), your credentials cannot be carried forward. Therefore, every time you attempt to open a document stored in a SharePoint library, you get prompted for user name and password.

This makes sense considering the fact that in the case of a SharePoint publishing rule (if I am correct) the ISA server is not doing authentication itself, only passing it to the SharePoint server; therefore credentials cannot be cached and repeated by the ISA. I was hoping that there may be a way to get around this issue that I don't know about.

Senad
< Message edited by senad -- 2.Dec.2005 6:31:38 PM >
RE: Single log-on for published SharePoint site - 2.Dec.2005 6:41:51 PM
Jason Jones
Posts: 2247
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Ah - I see...

Have you looked at FlexAuth from Collective Software? http://www.collectivesoftware.com/Products#FlexAuth

This may allow you to create a realm to reduce the need to log in to multiple sessions - may do what you need, but if the problem lies within IE then I guess not...

BTW - if you are doing delegated basic auth (tick box on users part of the pubs rule) then ISA will indeed be authenticating the request and then forwarding it on to SPS, assuming the rule is configured for "All Authenticated Users" and not "All Users".

I will double check a similar setup and see if I get the same results...

Cheers
JJ
< Message edited by Jasonjo -- 2.Dec.2005 6:45:27 PM >
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Single log-on for published SharePoint site - 2.Dec.2005 9:08:18 PM
senad
Posts: 31
Joined: 27.Nov.2001
From: Brighton, MA
Status: offline
Nice suggestion but I am ahead of you already. :) I looked into FlexAuth myself and unfortunately it does not resolve this particular problem. I exchanged emails with Collective Software and they confirmed my suspicion about IE and its inability to carry credentials across multiple sessions.

Thank you for bringing up the ISA basic authentication forwarding. I was under the impression that SharePoint doesn't like it. I could swear I remember references in the documentation warning against using it and I looked them up, but couldn't find any. I just made the change in the publishing rule and it is working just fine. I prefer this setup much better; I don't like letting any traffic through before authenticating users at the ISA first.

Unfortunately, the change makes no difference. Opening MS Office documents still requires re-entering the credentials. I think this is known behaviour, but I still wanted to see if somebody else came up with the solution.

Thanks,
Senad
RE: Single log-on for published SharePoint site - 7.Dec.2005 2:07:15 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Senad,

I publish my own SharePoint server and don't recall having to log in again when I'm at remote locations. It's been a while, but I'd think that I'd be irritated enough with it to remember. This is a single SharePoint Portal Server install though. If you're publishing multiple servers, then you'll need to reauth.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Single log-on for published SharePoint site - 8.Dec.2005 1:18:42 AM
Jason Jones
Posts: 2247
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Tom/Senad,

Those were my initial thoughts too, as we have customers using SharePoint behind ISA (and us) and I am sure they would have complained by now if this was occurring.

When I get time (geez I'm busy!!!) I will double check our setup to be 100% if I get the same things... so I am correct, can you explain exactly when you get the issue??

Cheers
JJ
RE: Single log-on for published SharePoint site - 16.Dec.2005 7:06:58 PM
senad
Posts: 31
Joined: 27.Nov.2001
From: Brighton, MA
Status: offline
Hi Jason / Tom,

Sorry for taking this long to respond back, I was swamped lately. I am surprised you are not experiencing this problem; I was under the impression it is to be expected when publishing a SharePoint portal out of domain. I am using the following configuration:

- Two SPS servers in NLB and pointing to the same SharePoint database. The servers are members of the domain and have access to the domain controller. The portal site is configured to use SSL and basic authentication only.
- The portal site is published through ISA, using SSL -> SSL forwarding, basic authentication, forward user credentials, certificate from internal Cert authority.

It makes no difference if I force the authentication at the ISA or not. Btw, ISA does not add anything to the problem. I am seeing the same authentication issue if I attempt to access the portal from the internal network, as long as I use basic authentication. I was just hoping that I may be able to resolve the problem through ISA credential caching.

Now about the problem ... every time I attempt to open a document (Word, Excel) that is stored in a SharePoint document library, it opens in a new IE window and I am required to re-enter credentials in order to access and open the document. My understanding is that a new IE process is being used and because every new browser executable has to re-authenticate (Internet Explorer does not share cookies/credentials across sessions), when an Office document is accessed (which uses a new Internet Explorer instance in the background), your credentials cannot be carried forward.

I found an (MS KB) article that describes the problem. According to Microsoft there is no way around it (aside from switching to Integrated authentication that obviously does not do anything for sites used externally). http://support.microsoft.com/default.aspx?scid=kb;en-us;871155

Best,
Senad