Authentication issue between sharepoint and distant resource with ISA Server

ooyeah -> Authentication issue between sharepoint and distant resource with ISA Server (31.Aug.2009 8:11:19 AM)

Hi,

I'm facing an issue that I have not managed to resolve.
My configuration is the following:
- 2 ISA Servers, load balanced
- 2 SharePoint web servers in NLB
- 1 Reporting Server

All of them are part of the same domain.

The SharePoint site is published through ISA Server and is accessible without issue via the web publishing rule.

One of my SharePoint pages needs to access a shared folder which is located on the reporting server. This page will check the content of this folder (PDF files) and will dynamically create links to download these files. Let's call this page the PDF page.

When I browse my SharePoint site without ISA Server there is no issue, everything is working perfectly.

But when I try to browse my SharePoint site via the ISA web publishing rule, this specific page is not working.

The fact is, when I open a connection to the SharePoint site using the ISA rule, I can see that I'm authenticated on my SharePoint server with Kerberos (and that's what I want). Then I click on my PDF link; the page is displayed but the links are not built. So I checked the security event log of my reporting server and I have the following events:


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 8/31/2009
Time: 7:44:59 AM
User: IIT\PRP1WBS1$
Computer: PRP1RPC1
Description:
Successful Network Logon:
User Name: PRP1WBS1$
Domain: IIT
Logon ID: (0x0,0x207A654)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {bd0536c5-fb76-58f9-9833-a24132ffb1fd}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.104.19.182
Source Port: 0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 8/31/2009
Time: 7:44:59 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: PRP1RPC1
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x207A65F)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PRP1WBS1
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.104.19.182
Source Port: 0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Whereas when I browse my SharePoint site without the ISA rule, I get the following events:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 8/31/2009
Time: 8:03:30 AM
User: IIT\PRP1WBS2$
Computer: PRP1RPC1
Description:
Successful Network Logon:
User Name: PRP1WBS2$
Domain: IIT
Logon ID: (0x0,0x2162793)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {fd3e148f-7466-bdc2-8176-859a4743e278}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.104.19.183
Source Port: 0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: 8/31/2009
Time: 8:03:30 AM
User: IIT\jeremief
Computer: PRP1RPC1
Description:
Special privileges assigned to new logon:
User Name: jeremief
Domain: IIT
Logon ID: (0x0,0x21627A1)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 8/31/2009
Time: 8:03:30 AM
User: IIT\jeremief
Computer: PRP1RPC1
Description:
Successful Network Logon:
User Name: jeremief
Domain: IIT
Logon ID: (0x0,0x21627A1)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {7fff673a-f630-5509-1d65-a3da78ab4070}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.104.19.183
Source Port: 0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I have tried many configurations on my ISA rule's authentication delegation tab (Negotiate and KCD) and I have the same result in both cases. I have certainly forgotten something when I set up my rules, but I don't know what.

Is there maybe someone that can help me?

Thanks a lot




ooyeah -> RE: Authentication issue between sharepoint and distant resource with ISA Server (31.Aug.2009 8:19:01 AM)

I forgot to mention that I'm using Windows Integrated Authentication.




ooyeah -> RE: Authentication issue between sharepoint and distant resource with ISA Server (31.Aug.2009 1:40:18 PM)

Hi,

I finally found the solution: I just updated the delegation for my SharePoint sites' application pool service account (added the service type cifs for the reporting server).
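
Added example (not part of the original thread): a small Python check that reads Event ID 540 records exported from the back-end server's Security log and reports, per front-end source address, whether the end user's Kerberos identity arrived or only the machine account followed by an anonymous NTLM logon, which is the pattern shown in the thread when delegation for cifs was missing. The sample records are constructed from the events quoted above, cut down to four fields; the function names and status labels are assumptions of this example.

```python
import re
# Constructed sample: Event ID 540 records from the thread, cut down to four fields.
SAMPLE = """\
Event ID: 540
User Name: PRP1WBS1$
Authentication Package: Kerberos
Source Network Address: 10.104.19.182

Event ID: 540
User Name:
Authentication Package: NTLM
Source Network Address: 10.104.19.182

Event ID: 540
User Name: PRP1WBS2$
Authentication Package: Kerberos
Source Network Address: 10.104.19.183

Event ID: 540
User Name: jeremief
Authentication Package: Kerberos
Source Network Address: 10.104.19.183
"""

def parse_events(text):
    """Split exported event text on blank lines; keep Event ID 540 records."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return [ev for ev in events if ev.get("Event ID") == "540"]

def classify(ev):
    """Label one logon: anonymous NTLM, machine account, or a named user."""
    user, pkg = ev.get("User Name", ""), ev.get("Authentication Package", "")
    if not user and pkg == "NTLM":
        return "anonymous_ntlm"
    if user.endswith("$"):
        return "machine"
    return "user_kerberos" if pkg == "Kerberos" else "user_other"

def delegation_status(text):
    """Per source address: did the end user's identity reach this server?"""
    seen = {}
    for ev in parse_events(text):
        seen.setdefault(ev.get("Source Network Address", "?"), set()).add(classify(ev))
    return {src: "delegated" if "user_kerberos" in kinds else
            "double-hop failure" if "anonymous_ntlm" in kinds else "inconclusive"
            for src, kinds in seen.items()}
```

Calling `delegation_status(SAMPLE)` flags 10.104.19.182 as a double-hop failure and 10.104.19.183 as delegated; Event ID 576 records in the same export are ignored by the parser.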



