Question: ISA 2006 SP1 and External AD Domain

  • Wednesday, March 11, 2009 3:32 PM, kgosnell

    I am currently working on building a MOSS Extranet site to be utilized by 2 separate AD domains utilizing a 1-way trust.  I am using ISA 2006 SP1 to publish the SharePoint site utilizing Kerberos Constrained Delegation and Forms Based Auth.

    Domain B Trusts Domain A.

    The MOSS server, ISA server are in "Domain B".  When I go to the website portal.company.com I get the correct ISA FBA page and I am able to authenticate using a user in Domain B.  When I try to auth via the ISA Page with a Domain A User I get:

    Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).

    Now when I try to hit the SharePoint site directly, hostname.company.com, I am able to log into the site using both Domain A and Domain B user accounts.

    The configuration of the ISA Server is:

    ISA 2006 SP1 Enterprise, running a 1-server array.  DB is located on the ISA server as well.
    ISA Server is a member of Domain B.
    Network Config is Edge Firewall.
    ISA will only be used for MOSS site publishing.
    Access to the site is via HTTP.  I have no SSL certificate installed at this point.

    So my question is, what am I missing that doesn't allow Domain A members to sign into the SharePoint site?

    Do I need to have SSL enabled for Kerberos Authentication between the 2 domains?

    I am out of ideas.  Any help would be appreciated.


All Replies

  • Monday, March 16, 2009 12:24 PM, Jason Jones [Silversands] (MVP)
    Is ISA able to communicate with domain controllers in Domain B?

    This article may help: http://blog.msfirewall.org.uk/2008/06/using-isa-server-2006-to-protect-active.html

    Cheers

    JJ
    Jason Jones | MVP Forefront | Silversands Ltd
  • Friday, March 27, 2009 3:25 PM, kgosnell
    Jason,

    Thanks for the link. I believe this will help get me a little further down this path.  Although, after implementing this I am now not able to bring up the ISA Forms based Authentication page.  :(  I am going to try to fix that and post back whether I made it any further on getting this functioning properly.

  • Friday, March 27, 2009 5:01 PM, kgosnell
    Ok I got the Forms Based Authentication page to work again.  I am still receiving the same error and I am getting:

    Description: ISA Server failed to delegate credentials using Kerberos constrained delegation to the Web site published by the rule ext-web01.extranet.lab. Check that the SPN: HTTP/ext-web01.extranet.lab configured in ISA Server matches the SPN in Active Directory.

    The only thing I can think of right now that is causing an issue is that under the Authentication Delegation tab I have the SPN set as HTTP/ext-web01.extranet.lab; I have also seen this referenced as HTTP/* for a server farm.  Can I assume that "farm" is referencing the MOSS site/farm?

    If there is a MOSS Server farm, and you enter http/*, what does the SPN need to look like in AD?  Let me know if you need more detail.
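    The 12202 / "failed to delegate credentials" message above is the point where ISA's configured SPN and AD's view of the world have to agree. The following PowerShell is an added check, not code from the thread or from Microsoft: it looks up which account holds the SPN ISA is configured with and whether the ISA computer account is permitted to delegate to it. The ISA computer name `ISA01` and the use of the ActiveDirectory module are assumptions.

```powershell
# Added example: verify the KCD prerequisites behind the ISA 12202 error.
# Assumes the ActiveDirectory PowerShell module and a DC reachable from this host.
Import-Module ActiveDirectory

$Spn         = 'HTTP/ext-web01.extranet.lab'   # SPN entered on the ISA Authentication Delegation tab
$IsaComputer = 'ISA01'                         # assumed name of the ISA server's computer account

# 1. Exactly one account must hold the SPN. Zero means Kerberos cannot issue a
#    service ticket; two or more means the KDC returns KDC_ERR_S_PRINCIPAL_UNKNOWN
#    style failures, and ISA reports them as a delegation error.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { Write-Warning "No account in AD holds $Spn. Register it on the MOSS app pool identity (or the web server's computer account if the pool runs as Network Service)." }
    1       { Write-Host "$Spn is held by $($holders[0].ObjectClass) '$($holders[0].Name)'" }
    default { Write-Warning "Duplicate SPN: $Spn is held by $($holders.Count) accounts: $($holders.Name -join ', ')" }
}

# 2. The ISA computer account must be constrained to delegate to that exact SPN
#    ("Trust this computer for delegation to specified services only").
$isa = Get-ADComputer -Identity $IsaComputer -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
$allowed = @($isa.'msDS-AllowedToDelegateTo')
if ($allowed -contains $Spn) {
    Write-Host "$IsaComputer is allowed to delegate to $Spn"
} else {
    Write-Warning "$IsaComputer is NOT allowed to delegate to $Spn. Currently allowed: $($allowed -join ', ')"
}

# 3. Forms-based auth on the listener means ISA never sees a Kerberos ticket from
#    the browser, so it must use protocol transition (S4U2Self). That requires
#    "Use any authentication protocol" on the delegation tab, which sets this flag.
if (-not $isa.TrustedToAuthForDelegation) {
    Write-Warning "$IsaComputer lacks 'Use any authentication protocol'; FBA-to-KCD will fail without protocol transition."
}
```

    Run it as a user who can read the AD objects in Domain B; each warning maps to one of the conditions the ISA error text asks you to check.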
  • Saturday, April 18, 2009 10:05 PM, Mylo
    Are you running MOSS on Windows Server 2003 or Windows Server 2008? I'm not committing to too much information at this point as there's lots that can go wrong here, particularly with MOSS and Kerberos, AAMs and particularly with Win2k8 and Kernel-Mode Auth :-)

    I've not tried doing KCD within a single forest (across a trust), but I've got a similar approach working using FBA (LDAP) to an external forest and then creating shadow accounts in an internal forest (with the ISA server being a member of the internal forest). I know that ISA 2006 SP1 supports the intra-forest (domain trust) configuration and I know JJ has described it on his blog (as per above), including the various firewall permutations. Is Kerberos definitely working internally, or is Negotiate falling back to NTLM?

    If you're on Win2k8, I'm assuming you've set an SPN for the application pool in MOSS?
    http://www.harbar.net/archive/2008/05/18/Using-Kerberos-with-SharePoint-on-Windows-Server-2008.aspx

    On Win2k3 (ironically) it should be a little bit easier, as there's no playing around (for MOSS) with applicationhost.config.

    Cheers,
    Mylo
  • Saturday, June 06, 2009 6:49 PM, Keith Alabaster (MVP, Moderator)
    Kgosnell,

    Do you have any further updates? I am sure there will be a number of people interested in how this went...

    Thanks,
    Keith
  • Tuesday, June 09, 2009 6:12 PM, Mylo
    Jason/Keith,

    I'm curious to know what your take is on this configuration.

    I've set up a separate Active Directory forest (e.g. an Extranet forest) and tested access configurations so far with Smart Card/LDAP and RADIUS listeners on ISA Server 2006 SP1. This forest is being used as an authentication forest for third-party access, which then relies on Kerberos Constrained Delegation to provide access to published resources in a separate Intranet forest. I've so far tested this with OWA 2007 / Windows Mobile clients and MOSS 2007 and it seems to work fine. There's no trust in this scenario, and the key is to generate "shadow" accounts for the respective users with the same user ID as the account that has been generated in the Authentication Forest. As far as the constrained delegation is concerned, provided authentication takes place correctly on the ISA listener and the shadow "account" exists, and the appropriate constrained delegation has been defined between the resource and ISA Server for the given service (in our case HTTP), then the user account is trusted for delegation in the Intranet forest.  Conceivably the same configuration can be used with protocol transition to provide access to CIFS or similar protocols, assuming this can be exposed through an HTTP interface.

    Have you guys tried/tested this configuration?

    Regards,
    Mylo
  • Tuesday, June 09, 2009 6:16 PM, Mylo
    *hic* Remove Smart Card from the above... that assumes the user is a user in the Intranet domain... this is a Forms-Based auth scenario... no smart card... LDAP/RADIUS only... sorry 'bout that.

    Regards,
    Mylo
  • Friday, June 12, 2009 5:15 PM, Keith Alabaster (MVP, Moderator)
    I don't really want to carry a new thread inside an old question, but no, it is not a configuration I have tried.

    We have our SharePoint FEs (mossfis pair) in the DMZ with its own forest. The internal forest has a one-way trust with the DMZ forest so we can administrate/control it from inside.
    We also have a MOSS server inside. The external MOSS systems act as the portal and, depending on the log-on credentials (self-service, internal user, external client etc.), the portal either presents apps/services or passes them through to the internal systems through IAG/ISA. Internal users have SecurID hard tokens, but we have not had to use KCD.

    Keith