IAG, KCD and Integrated Authentication
I wonder if I am the only person in the world trying this. Let's find out!
Here's the scenario. Fred is logged into a domain computer. I want him to fire up the URL for the IAG portal, which silently authenticates him via integrated authentication. Then Fred clicks on the link for OWA which again he is silently authenticated for. There's no SSL VPN or any client endpoint checking stuff going on.
All very easy, just make use of the "power" of Kerberos Constrained Delegation, which IAG 2007 SP1 apparently supports.
I've set up KCD and now have it error free, but when I try the scenario above, Fred gets prompted for a username and password (not by the IAG UI but the usual username/password popup), and when Fred clicks on the OWA link, I get a 500 server error.
Any ideas anyone?
- Moved by Keith Alabaster (MVP, Moderator), Tuesday, June 16, 2009 6:05 PM. New Forum (From: Forefront Edge Security - General)
All Replies
Can you explain what exactly you did?
How did you set it up?
Hi, forgot about this post.
I got this working. Combination of schoolboy errors and unexpected settings.
Firstly, to get integrated auth working, the IAG needed to be in the intranet zone of the client machine.
Secondly, the applications listed in the portal need to have a valid certificate and SPN set up properly, or the portal will not display.
- Marked As Answer by Nathan Bigman (MSFT), Sunday, January 18, 2009 10:11 AM
- Hi,
This functionality with IAG 2007 Service Pack 2 can be done out of the box without requiring any configuration in ISA or any complicated settings. Once IAG 2007 SP2 is installed, configure an IAG trunk, open the Advanced Configuration, select the "Authentication" tab and select the "Use Integrated Web Authentication" radio button. The use of this function is described in the Integrated Windows Authentication document on TechNet: http://technet.microsoft.com/en-us/library/dd282928.aspx
Regards,
Dan
- Proposed As Answer by djh-msft, Wednesday, June 17, 2009 2:36 AM
- Hi Chaplic,
Microsoft's guide talks about publishing applications to internal users and corporate domain users. Were you able to use IWA also for users who have a domain computer and account but are accessing the portal from the internet? Did you use your IWA portal for internal or external users?
- Teemu Kirjavainen

