Can UAG be used to eliminate the double hop MS Office SharePoint issue

  • Question

  • I have a large client that has been using TMG to publish SharePoint 2010 sites using Windows NTLM - of course we get double hop prompts when we use Office applications to upload and download documents from SharePoint when access is through TMG. This occurs with client machines unless those client machines are VPN’d in. When using VPN, clients can log in without additional Office app prompts as we configured the SharePoint farm using Kerberos.

    We are looking for an interim solution to resolve the double hop issue for external users, whether domain joined or not. (This is because we have partners and internal users accessing resources from non-domain joined machines externally.) Kerberos works fine for the VPN users, no double hops, but obviously that fails when coming in from the internet as Kerberos communication ports are often blocked.

    At this time we would rather not migrate to a full claims model but implement a proxy solution using Windows authentication. Can a UAG configuration do this for us without using a full claims provider model? I am less confident using TMG to tackle this issue given input from blog users, but it is a possibility.

    Wednesday, October 24, 2012 8:06 PM


All replies

  • Have you considered using persistent cookies with TMG to provide access to SharePoint with SSO?
    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, October 24, 2012 10:52 PM
  • Thanks for the response. Yes, I read that article, and that approach is being considered; it does, however, have some security risks, and it describes using TMG rather than UAG.

    "The only way to maintain direct-edit functionality and also not be prompted by the Office application is to implement a proxy/firewall server by using Forms Based Authentication with persistent cookies (such as an ISA server or a Forefront Threat Management Gateway)"

    I was hoping for something more specific to UAG. Does UAG have the same problem when using Windows authentication? And would you still need to use an FBA design to eliminate the multiple prompts?

    Thursday, October 25, 2012 8:03 PM
  • Yes, UAG works in a similar way with a persistent cookie, but UAG has the ability to remove the cookie upon browser close (or various other conditions) using the Attachment Wiper, unlike TMG...

    UAG also includes support for MSOFBA and rich client trunk bypass authentication, which are both relevant for SharePoint: http://technet.microsoft.com/en-us/library/ee406224.aspx
    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, October 25, 2012 11:18 PM