Hello Mahendra,
Thank you for the helpful article. Do you think it is possible to implement multi-domain SSO with IWA enabled? Because if you select one of the IIS servers to be the primary one, then how can it complete the IWA process without being aware of the other IIS server? Actually I have a requirement like this, and can't figure out how to implement it.
Thank you
Hi Ece,
Yes, I think IWA may be achieved in a multi-domain environment as well, though I have not tried this before.
Suppose you have 2 apps in 2 domains protected with 2 different authentication schemes. You will be specifying the Redirection URL in the authentication scheme used by the webgate designated as the secondary authentication server. This redirection URL will be the primary server URL. So, whether it is IWA or the normal OAM authentication mechanism, it should work the same way.
In your case, if you designate one IIS server as primary, you will specify this IIS server URL in the authentication scheme protecting the other domain URL, which you protect using the webgate (secondary authentication server). Does this answer your question?
Yes, actually we have implemented the solution in a similar way. After discovering that these two domains trust each other, it was possible to pick one IIS as primary and point to that IIS in the challenge redirect parameter. I couldn't really figure out how to do this without trusted domains. There was a problem with using two authentication schemes, because the URL to be protected is an EBS URL that was the same for both apps. And it's only possible to specify one URL in one auth scheme. Thanks a lot.
Hi Ece,
It is not mandatory to have 2 auth schemes for those 2 different protected resources.
If you use 1 auth scheme, you need to specify the primary IIS server URL in the redirection for the auth scheme. So it actually redirects every time; the secondary server (webgate) checks for the auth scheme with the access server.
Hi Mahendra,
I think I get the concept, but I couldn't think of it the first time. Now IWA authentication works fine with trusted domains. I'll keep that in mind for when no trust is available in a multi-domain environment.
Thank you..
Hi Mahendra,
With reference to your post, I am integrating SharePoint Server 2007, IIS 6.0, Windows 64-bit with the IWA authentication scheme.
And we encounter this issue.
Error: The following file(s) have been blocked by the administrator: /access/oblix/apps/webgate/bin/webgate.dll
Probable Solution: Go to the Policy Manager console and access the SharePoint policy domain. Go to Authorization rules and check that access is allowed to all users. If not, select Any One and try accessing the SPPS resource.
What else could be a possible issue?
@Kiat,
Do you have any policy which protects /access or / (with deny on the not-protected rule)?
You can view this information in your policy manager.
Hi Kiat,
If you have given authorization to a specific set of users/groups in the Authorization Rule of a policy domain, please check whether the same set of users are privileged to access your SharePoint site.
Mahendra.
Hi Mahendra,
Good day!
I am in the midst of setting up the OAM and SharePoint 2007 integration with Impersonation.
As per your post, you mentioned that “The Sharepoint portal website should have anonymous access checkbox enabled, but IWA checkbox disabled.”
In this case, which authentication method should we use in the Policy Domain?
My current setup is
– Trusted user is created with "act as part of OS" and bound in the webgate.
– On SharePoint Portal website (IIS), Anonymous Access is checked; IWA is unchecked.
– ImpersonationExtension.dll is added to the Home Directory of the SharePoint Portal website.
– In Policy Domain, the IWA authentication scheme is used, header IMPERSONATE is returned, Authorization: Everyone is allowed.
The outcome of the above setup is that when a user clicks on the SharePoint Portal website, an error is returned: "http://sharepoint.test.local/access/oblix/apps/webgate/bin/webgate.dll?status%3D500%20errmsg%3DErrInvalidSchemeMapping%20p1%3DIWA%2520Scheme%20p2%3DResource%253d%2F%2520RequesterIP%253d10.205.92.244%2520HostTarget%253dhttp%3A%2F%2Fsharepoint.test.local%2520Operation%253dGET"
It seems that there is an error mapping in the authentication scheme.
The IWA scheme works fine without Impersonation. When Impersonation comes in, things are not working.
Is there something wrong with my setup?
Thank you for your time & Best Regards,
Wingie
Hi Wingie,
I used Basic Over LDAP in my case in the policy domain. Please test the protected SharePoint website in Access Tester to find whether it is protected or not. If you are getting the expected results, then test it using Basic over LDAP. See if authentication is happening or not.
For good measure, use the IE HTTP Headers tool to read the headers and redirection URLs.
Please post me the output to dig further.
HTH
Dear Mahendra,
Greatly appreciate your prompt reply!!! 😀
I have tested with Basic Over LDAP and it does prompt for authentication. However, I noticed that if I use Basic Over LDAP (not form based), on and off it will prompt for Basic over LDAP throughout the process of loading the website until it is done loading.
FYI, I am currently testing with Microsoft Dynamics CRM; the SharePoint image is down at the moment.
What I am hoping to achieve is to simulate IWA authentication: when a user clicks on an internal URL it will not prompt users to input their user ID & password, but with Impersonation in place, as it will be a multi-domain environment. Is this possible?
I do understand that IWA will work w/o Impersonation by setting "UseIISBuiltinAuthentication=true" under Webgate "User Defined Parameters".
The redirected URL from the HTTP header is as below.
[/access/oblix/apps/webgate/bin/webgate.dll?status%3D500%20errmsg%3DErrInvalidSchemeMapping%20p1%3DIWA%2520Scheme%20p2%3DResource%253d%2Ftest%2Fpublic.asp%2520RequesterIP%253d192.168.32.166%2520HostTarget%253dhttp%3A%2F%2Fwww.mdcrm.test.local%2520Operation%253dGET]
This happened when [credential_mappings=”obMappingBase=,obMappingFilter=”(&(objectclass=inetOrgPerson)(uid=%REMOTE_USER%))”]
Thank you for your time; I much appreciate your kind assistance.
Best Regards,
Wingie
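The two webgate.dll error redirects quoted in this thread pack several fields into one query string that is percent-encoded twice (status and errmsg once, p1 and the Resource/RequesterIP/HostTarget/Operation pairs inside p2 twice). The following is an added example, not code from the original post or its comments: it decodes such a URL into its fields so that the scheme name, resource and host target can be read off directly. The sample URL is the one quoted above, embedded here as a constant.

```python
from urllib.parse import urlsplit, unquote

# Sample taken from the redirect URL quoted in this thread (embedded as a constant).
SAMPLE_URL = (
    "http://sharepoint.test.local/access/oblix/apps/webgate/bin/webgate.dll"
    "?status%3D500%20errmsg%3DErrInvalidSchemeMapping%20p1%3DIWA%2520Scheme%20"
    "p2%3DResource%253d%2F%2520RequesterIP%253d10.205.92.244%2520HostTarget%253d"
    "http%3A%2F%2Fsharepoint.test.local%2520Operation%253dGET"
)


def _split_pairs(blob):
    """Split 'k=v k2=v2 ...' (space separated) into a dict; values keep any remaining encoding."""
    pairs = {}
    for token in blob.split(" "):
        if not token:
            continue
        key, _, value = token.partition("=")
        pairs[key] = value
    return pairs


def parse_webgate_error(url):
    """Decode a webgate.dll status/errmsg redirect into a dict.

    Layer 1: the whole query string is one percent-encoded blob of
             'key=value' pairs separated by spaces.
    Layer 2: p1 and p2 are percent-encoded again; p2 holds its own
             space-separated 'Name=value' pairs (Resource, RequesterIP, ...).
    """
    outer = _split_pairs(unquote(urlsplit(url).query))
    result = {k: unquote(v) for k, v in outer.items()}
    if "p2" in outer:
        result["p2"] = _split_pairs(unquote(outer["p2"]))
    return result


def describe(url):
    """One-line troubleshooting summary of the decoded error."""
    info = parse_webgate_error(url)
    p2 = info.get("p2", {})
    return "%s %s: scheme=%r resource=%r host=%r op=%r from %s" % (
        info.get("status"), info.get("errmsg"), info.get("p1"),
        p2.get("Resource"), p2.get("HostTarget"), p2.get("Operation"),
        p2.get("RequesterIP"),
    )


if __name__ == "__main__":
    print(describe(SAMPLE_URL))
```

The same decoder handles the second redirect quoted below (a relative URL), since urlsplit only needs the query part.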
Hi Wingie,
A few observations:
1. The credential mapping plugin of the Basic Over LDAP scheme should take uid as userid instead of the REMOTE_USER header variable. It should be like this: (uid=%userid%).
2. May I know the reason why you are so specific about IWA authentication?
3. This is correct: "UseIISBuiltinAuthentication=true" under Webgate "User Defined Parameters".
4. While testing the SharePoint website, it should be up and running. I don't know about Dynamic SharePoint CRM.
5. Are SharePoint and the OAM access server in different domains? So, is it multi-domain SSO you are trying to achieve?
6. Multiple prompts of the LDAP window should not appear during the process of loading the website.
7. Please confirm if you are able to see the ObSSOCookie after authentication and authorization.
HTH
Mahendra.
Hi Mahendra,
Thanks for replying.
2. One of the reasons is that I am trying to achieve seamless access to protected intranet URLs without prompting the user for credentials. Hence IWA comes into the picture, and this works fine in a single domain.
What troubles me is that, for example, User-B.Clane logs on to a desktop & is authenticated to Domain B, and he needs to access intranet URLs hosted and authenticated in Domain A, but without being prompted for the user's credentials. There are 2 domains in this scenario and I am wondering how seamless authentication can be done, either through credential_mapping in Plugins or via the Authentication scheme.
Domain B will contain ID-B.Clane, and Domain A will contain ID-Clane, which refer to the same person.
Many thanks for your help.
Will try to figure out how the mapping can be done.
Best regards,
Wingie