Thursday, December 20, 2012

Microsoft SharePoint Server 2010 using Forefront TMG

SharePoint Server 2010 supports a number of authentication mechanisms:
Windows authentication
  • NTLM
  • Kerberos
  • Anonymous
  • Basic
  • Digest
Forms based authentication
  • LDAP
  • Microsoft SQL Server database
  • Third party application and role provider
Forms-based authentication for Microsoft SharePoint Server 2010 is configured primarily at the SharePoint Server itself; it is not the Forms-based (HTML form) authentication provided by Microsoft Forefront TMG. If you want to learn more about how to enable SharePoint Server 2010 for FBA, read the following article.
SAML token-based authentication
SAML (Security Assertion Markup Language) is an open standard based on XML for exchanging authentication and authorization data between different domains (realms).
  • ADFS 2.0
  • LDAP
  • Third party Identity provider
Using SAML-based authentication with SharePoint Server 2010 and Microsoft Forefront TMG is outside the scope of this article. If you want to use ADFS 2.0 based claims authentication, you should have a look at Microsoft Forefront UAG, which comes with a lot of enhancements for publishing Microsoft SharePoint 2010. Forefront UAG has integrated support for publishing internal resources based on ADFS 2.0.
To configure the different SharePoint authentication options we must use the SharePoint 2010 Central Administration Website and edit the Authentication settings for a Web Application.

Figure 1: SharePoint 2010 – Authentication options based on Windows
When you create a new Web Application you can choose between Claims Based Authentication and Classic Mode Authentication (Windows NTLM, Kerberos or Digest, for example), as you can see in the following screenshot.

Figure 2: SharePoint 2010 – Claims based Authentication
If we go for Claims Based Authentication we are able to select different authentication providers, such as Forms Based Authentication (FBA) or third-party Trust Providers, provided they have been registered and configured at the SharePoint Server 2010.

Figure 3: SharePoint 2010 – Enable Forms based Authentication

Creating the SharePoint publishing rule in Forefront TMG

Start the Forefront TMG Management console and create a new SharePoint Site Publishing Rule.
Give the SharePoint publishing rule a name like “Sharepoint publish”. We will publish a single Web site or load balancer.
The wizard uses non-secured (HTTP) connections to the published Web server or server farm. We will change this in the second article to a secure HTTPS connection between the TMG Server and the published SharePoint server.
Enter the Internal site name of the SharePoint Server. We will use the internal DNS FQDN (Fully Qualified Domain Name) of the SharePoint Server.
In the public name details we will accept requests for the external DNS domain name from the Internet.
Create a new Web Listener. I will only give you the high-level steps for creating the Web listener:

  • Require SSL secured connections with clients
  • Listener External
  • Select certificate
  • HTML Form Authentication with Windows (Active Directory)
  • No SSO
We will use NTLM authentication as the wizard suggests.

SharePoint AAM configuration

Alternate Access Mapping (AAM) is used in SharePoint Server 2010 on its own or in combination with Forefront TMG. AAM in Microsoft SharePoint Server 2010 maps web requests from the Internet to the correct web applications and web sites of the internal SharePoint Server 2010.
If SharePoint AAM (Alternate Access Mapping) has not been configured at the SharePoint Server, or if you are not sure, select the second radio button.

Figure 4: AAM configuration options
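If you do configure AAM at the SharePoint Server (the case covered by the wizard's first option), the mapping can be created from the SharePoint 2010 Management Shell. The following is an added example and not part of the original article; the internal web application URL, the public name and the zone are assumptions and must be replaced with the values used in your TMG rule.

```powershell
# Added example (not from the original article): create an Alternate Access Mapping
# so that SharePoint generates links with the public name used in the TMG rule.
# Assumed names: internal web application http://sp01.corp.example.com (the
# "Internal site name" in TMG) and public name https://sharepoint.example.com.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$internalUrl = "http://sp01.corp.example.com"    # Internal site name in the TMG rule
$publicUrl   = "https://sharepoint.example.com"  # Public name in the TMG rule

# Map the public URL to the Internet zone of the internal web application.
# Requests that TMG forwards with this host name are then answered with links
# that point back to the public name instead of the internal FQDN.
New-SPAlternateURL -WebApplication $internalUrl -Url $publicUrl -Zone Internet

# Verify: the Internet zone should now list the public URL next to the default zone.
Get-SPAlternateURL -WebApplication $internalUrl |
    Format-Table Zone, IncomingUrl, PublicUrl -AutoSize
```

Run the shell as a farm administrator. If the mapping is missing, links inside SharePoint pages still carry the internal FQDN, which is why the wizard offers the second option that lets TMG translate the links instead.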
We will remove the “Authenticated Users” setting from the wizard and use a newly created user set in Forefront TMG, filled with an Active Directory user group that should be able to access the SharePoint Server over the Internet.
When the SharePoint publishing wizard is completed and the configuration change has been applied to the Forefront TMG storage, we should be able to test the connection using the Test button or by trying to access the SharePoint Server from the Internet.

SSL on the SharePoint Server

As the last step in our first article we will enable the SharePoint Server 2010 to listen for HTTPS requests.
First, we have to request a new certificate from an internal Certification Authority (CA) or create a self-signed certificate. In our environment we will request a certificate from an internal Enterprise Certification Authority. We will use the certificate request wizard of the Internet Information Services (IIS) Manager, but it is also possible to request the certificate using the Certificates snap-in.
The CN (Common Name) of the certificate must match the Internal Site Name in the TMG publishing rule – in this case the internal DNS FQDN.
After the certificate has been issued from the CA, we must change the bindings of the SharePoint Website in the Internet Information Services (IIS) Manager so that IIS listens on Port 443 in addition to port 80 as shown in the following screenshot.

Figure 5: Certificate for HTTPS bindings on the IIS
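The same binding change can be made with the IIS WebAdministration module, which also lets you check that the certificate's CN really matches the internal site name before TMG tries the bridged HTTPS connection. This is an added example, not code from the original article; the site name "SharePoint - 80" and the FQDN sp01.corp.example.com are assumptions.

```powershell
# Added example (not from the original article): add an HTTPS binding on port 443
# to the SharePoint web site and attach the certificate whose subject CN equals the
# internal site name used in the TMG publishing rule. Port 80 stays in place.
# Assumed names: IIS site "SharePoint - 80" and FQDN sp01.corp.example.com.
Import-Module WebAdministration

$siteName     = "SharePoint - 80"        # Name of the SharePoint site in IIS Manager
$internalFqdn = "sp01.corp.example.com"  # Must equal the Internal site name in TMG

# Select a certificate from the computer store whose CN is the internal FQDN, that
# has a private key and is not expired. Stop if none matches: a name mismatch is
# rejected by TMG when it validates the server certificate of the bridged connection.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -match "CN=$([regex]::Escape($internalFqdn))(,|$)" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with CN=$internalFqdn in LocalMachine\My" }

# Add the 443 binding next to the existing port 80 binding.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress "*"
}

# Associate the certificate with the binding (0.0.0.0!443 = all addresses, port 443).
$sslPath = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item $sslPath | Out-Null

# Verify the result: both bindings and the thumbprint now attached to port 443.
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation -AutoSize
Get-Item $sslPath | Format-List IPAddress, Port, Thumbprint
```

Run it in an elevated PowerShell session on the SharePoint Server. If the certificate was issued to a different name than the internal site name, fix the TMG rule or request a new certificate rather than disabling certificate validation on the bridge.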


In this first article we had a look into the different authentication options of Microsoft SharePoint Server 2010 and Microsoft Forefront TMG and how the options work together. We also started with publishing Microsoft SharePoint Server 2010 with the default SharePoint publishing rule wizard in Forefront TMG. In the second article we will talk about other Forefront TMG publishing options for Microsoft SharePoint Server like Kerberos Constrained Delegation (KCD), SSL Client certificate authentication and redirecting the authentication directly to the Microsoft SharePoint Server.

Change the authentication settings on the Forefront TMG Server to the following:

  • KCD (Kerberos Constrained Delegation)
  • SSL Client Certificate Authentication
  • No Delegation / authentication at the TMG Server

Before we start with the different authentication options let us change the HTTPS-to-HTTP bridging of Forefront TMG to SharePoint HTTPS-to-HTTPS bridging. In the first article we requested a certificate from our internal Certification Authority for SharePoint so now we can change the Bridging on Forefront TMG as shown in the following screenshot.

Figure 1: Change HTTP to HTTPS redirection

Kerberos Constrained Delegation

Kerberos Constrained Delegation (KCD) builds on the Kerberos protocol, introduced with Windows 2000 domain environments for authenticating users, services and computers. If a published Web server such as SharePoint needs to authenticate a user who sends a request to it, and the Forefront TMG computer cannot delegate authentication to the published Web server (by passing the user's credentials to it or by impersonating the user), the published Web server will ask the user for credentials a second time. ISA Server 2006 introduced support for Kerberos constrained delegation so that published Web servers can authenticate users with Kerberos after their identity has been verified by the ISA Server using a non-Kerberos authentication method. Used in this way, Kerberos constrained delegation eliminates the need to prompt users for credentials twice.

To get Kerberos Constrained Delegation to work, we must change the Authentication Delegation method to Kerberos Constrained Delegation in the Forefront TMG Management console for the SharePoint publishing rule. The Service Principal Name (SPN) is host/InternalDNSFQDN of the SharePoint Server.

Figure 2: Using KCD
Next, we must change the Client Authentication Method to HTTP-authentication with Integrated Authentication.

Figure 3: Integrated HTTP authentication
To get KCD (Kerberos Constrained Delegation) working, the SharePoint Server must trust the Forefront TMG Server for Kerberos delegation. Open the Active Directory Users and Computers console, make sure that the “Advanced Features” view is activated, navigate to the Forefront TMG computer account, select the Delegation tab and specify the SharePoint Server for the service type HOST.

Figure 4: The Sharepoint Server trusts Forefront TMG for delegation
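The Delegation tab writes the msDS-AllowedToDelegateTo attribute of the TMG computer account; the same change can be scripted and verified with the Active Directory module. The following is an added example, not from the original article; the account name TMG01 and the FQDN sp01.corp.example.com are assumptions. It goes one step beyond the screenshot by also enabling protocol transition ("Use any authentication protocol"), which TMG needs because the client is verified at TMG by a non-Kerberos method.

```powershell
# Added example (not from the original article): trust the Forefront TMG computer
# account for constrained delegation to the HOST service of the SharePoint Server,
# the scripted equivalent of the Delegation tab in AD Users and Computers.
# Assumed names: TMG computer account TMG01, SharePoint FQDN sp01.corp.example.com.
Import-Module ActiveDirectory

$tmgComputer    = "TMG01"
$sharePointFqdn = "sp01.corp.example.com"
$sharePointHost = ($sharePointFqdn -split '\.')[0]

# SPNs TMG may obtain service tickets for: host/FQDN as the article states, plus the
# short name so both forms of the internal site name resolve to the same service.
$targetSpns = @("host/$sharePointFqdn", "host/$sharePointHost")

# Check that the SPNs exist on the SharePoint computer account. Delegation to an
# SPN that no account holds does not fail here; it fails later at logon time.
$spAccount = Get-ADComputer -Identity $sharePointHost -Properties servicePrincipalName
foreach ($spn in $targetSpns) {
    if ($spAccount.servicePrincipalName -notcontains $spn) {
        Write-Warning "SPN $spn is not registered on $sharePointHost"
    }
}

# Add only the SPNs that are not already in the delegation list (adding an existing
# value to the multi-valued attribute is rejected by the directory).
$tmgAccount = Get-ADComputer -Identity $tmgComputer -Properties msDS-AllowedToDelegateTo
$newSpns = @($targetSpns | Where-Object { $tmgAccount.'msDS-AllowedToDelegateTo' -notcontains $_ })
if ($newSpns.Count -gt 0) {
    Set-ADComputer -Identity $tmgComputer -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$newSpns }
}

# "Trust this computer for delegation to specified services only" together with
# "Use any authentication protocol" (protocol transition). This is the constrained
# form: TMG can act on behalf of users only towards the SPNs listed above.
Set-ADComputer -Identity $tmgComputer -TrustedToAuthForDelegation $true

# Verify the resulting delegation configuration.
Get-ADComputer -Identity $tmgComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Run this with an account that may write the TMG computer object. Keep the delegation list limited to the SharePoint SPNs; unconstrained delegation ("Trust this computer for delegation to any service") is not required for this scenario and would let the TMG account impersonate users to every service in the domain.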

SSL Client Certificate authentication

Now, we want to change the authentication between the Forefront TMG Server and the client to SSL Client Certificate Authentication. First, we need to change the allowed Client Authentication Method to SSL Client Certificate Authentication. If the client is not able to authenticate with the SSL client certificate, you can use different fallback authentication methods like Basic, Digest and Integrated.

Figure 5: SSL Client Certificate Authentication
Next, the client that must access the SharePoint Server from the Internet needs a user certificate installed in the certificate store of the user account. There are several ways to enroll the certificate on the client. If you have a large number of clients you can use certificate auto-enrollment with Active Directory and Group Policies; if you only have a few clients, you can request the certificate manually. Start an empty MMC, add the Certificates snap-in for the current user account and request a user certificate based on the certificate templates provided by your internal Certification Authority (CA).

Figure 6: Request a certificate for SSL client certificate authentication
After the user account has received the correct certificate we are able to test the connection. Open the SharePoint website published by Forefront TMG and instead of entering the correct username and password, you now only have to select the issued certificate.
Note that this is not two-factor authentication. Using certificate authentication on its own is secure only when access is given to known clients.

Figure 7: Test access to the Sharepoint Server with a client certificate
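Before the test, it is worth confirming on the client that the user actually holds a certificate TMG will accept: one with the Client Authentication enhanced key usage, a private key, and a chain that validates to the internal CA. This is an added example, not from the original article; the CA subject name "Corp Issuing CA" is an assumption.

```powershell
# Added example (not from the original article): list the certificates in the
# current user's store that can be offered for SSL client certificate authentication
# and validate their chain, so a missing intermediate or a revoked certificate shows
# up here rather than as a TLS handshake failure at the TMG listener.
# Assumed name: the internal CA's subject "CN=Corp Issuing CA".
$issuerName    = "CN=Corp Issuing CA"
$clientAuthOid = "1.3.6.1.5.5.7.3.2"   # Enhanced Key Usage: Client Authentication

$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.Issuer -like "$issuerName*" -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}

if (-not $candidates) {
    Write-Warning "No client authentication certificate from $issuerName in CurrentUser\My"
}

foreach ($c in $candidates) {
    # Build the chain with online revocation checking, as TMG does when it
    # validates the client certificate against the CA it trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid = $chain.Build($c)
    [pscustomobject]@{
        Subject     = $c.Subject
        Expires     = $c.NotAfter
        Thumbprint  = $c.Thumbprint
        ChainValid  = $valid
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

A certificate that shows ChainValid = False with a RevocationStatusUnknown status usually means the client cannot reach the CRL distribution point of the internal CA from the Internet; either publish the CRL externally or the listener will reject the certificate.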

Enforce authentication only at the SharePoint Server

For some reasons it might be necessary to let only the SharePoint Server authenticate the client requests from the Internet. You can do this by changing the client authentication method in the SharePoint listener on Forefront TMG to “No Authentication”.

Figure 8: NO authentication at Forefront TMG
In addition we must change the Authentication Delegation to “No delegation, but client may authenticate directly” in the SharePoint publishing rule at the Forefront TMG console as shown in the following screenshot.

Figure 9: Let SharePoint Server 2010 do the authentication
Now, every authentication request will be forwarded to the Microsoft SharePoint Server 2010 without any pre-authentication on the Forefront TMG Server.


In this second article about Microsoft SharePoint 2010 publishing, we configured the different authentication options in Microsoft Forefront TMG working together with Microsoft SharePoint Server 2010. We talked about other Forefront TMG publishing options for Microsoft SharePoint Server 2010 like Kerberos Constrained Delegation (KCD), SSL Client certificate authentication and redirecting the authentication directly to the Microsoft SharePoint Server.

