Publishing SharePoint site that is claims (ADFS) aware

  • Question

  • All,

    I am trying to publish a SharePoint site that uses our AD FS 2.0 server for authentication, for use by an external company.  I know how to do this in ISA 2006, I'd just publish two separate sites and call it a day.

    In UAG though, how do I go about accomplishing this?  I noticed there is an ADFS trunk now, but can't seem to find much in the way of how it works in relation to publishing a claims-aware application or website, for example.  It also seems kind of confusing because when you set up the ADFS trunk it also wants what kind of authentication server it should use for authentication -- that seems kind of redundant since ADFS is doing authentication.  Very strange.

    What is also confusing is that when I want to publish the SharePoint site through UAG, it wants to know which authentication server it should use.  Technically speaking, I want it to use the ADFS server since that is what ADFS does for us.  Yet, it forces me to select the authentication servers on our domain.

    Anyway, should I just use TMG that comes with UAG to do what I need and bypass the trunk stuff?

    Thanks!

    Wednesday, August 4, 2010 12:13 AM

Answers

  • Hi Sam

    The current UAG version does not support authentication using AD FS v2.

     

    There are two options to publish a claims-aware SharePoint site:

     

    1.     You can use AD FS v1. This would require using the AD FS trunk you saw in the UAG Management console. See http://technet.microsoft.com/en-us/library/dd857271.aspx for more information.

     

    2.     Another option is to publish both the SharePoint application and the AD FS v2 server through the same UAG portal trunk. In this case you would publish the AD FS v2 server as an Other Web Application (application specific name), and the SharePoint site using the normal SharePoint application template. Make sure to remove authentication from this trunk (after you create the trunk using the wizard, click on the Configure Trunk Settings button, which opens the Advanced Trunk Configuration, access the Authentication tab and remove the “Require users to authenticate” option). Also make sure that on your SharePoint Application Properties window -> Authentication tab, you have not selected the “use single sign-on” option.

    As for your last question regarding using TMG - this is not a supported configuration of TMG running on a UAG server, as described here: http://technet.microsoft.com/en-us/library/ee522953.aspx.

     

    -Ran

    • Proposed as answer by Ran [MSFT] Thursday, August 5, 2010 8:42 AM
    • Marked as answer by SamEvans Thursday, August 5, 2010 3:42 PM
    Wednesday, August 4, 2010 10:48 AM
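    Once the trunk no longer authenticates users itself (option 2 above), UAG is out of the authentication path entirely and the claims hand-off between the published SharePoint site and the published AD FS v2 server is the only thing protecting the application. The check a practitioner would want after publishing both is that an unauthenticated request to the external SharePoint URL redirects to the externally published AD FS endpoint with a proper WS-Federation sign-in request, rather than to an internal hostname the external company cannot reach. The script below is an added example and not part of the original thread or of UAG; the hostnames sts.example.com and portal.example.com, the realm urn:sharepoint:extranet and the captured redirect are constructed assumptions for illustration.

```python
"""Validate a WS-Federation passive sign-in redirect from a published SharePoint site.

Added example, not from the original thread. Hostnames, realm and the
sample redirect below are constructed for illustration.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample: what an unauthenticated GET to the published SharePoint
# site should answer once UAG's own trunk authentication has been removed.
SAMPLE_STATUS = 302
SAMPLE_LOCATION = (
    "https://sts.example.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=urn:sharepoint:extranet"
    "&wctx=https://portal.example.com/_layouts/Authenticate.aspx"
    "&wreply=https://portal.example.com/_trust/"
)


def check_wsfed_redirect(status, location, expected_sts_host,
                         expected_realm, expected_app_host):
    """Return a list of problems with the sign-in redirect; empty means it looks right.

    status, location      -- HTTP status code and Location header of the response
    expected_sts_host     -- the AD FS hostname as published externally
    expected_realm        -- the wtrealm SharePoint is configured to send
    expected_app_host     -- the SharePoint hostname as published externally
    """
    problems = []
    if status not in (301, 302, 303, 307):
        problems.append(f"expected a redirect, got {status}")
        return problems

    u = urlsplit(location)
    q = parse_qs(u.query)

    # The sign-in request must go over TLS to the externally published STS,
    # not to an internal AD FS name that only resolves on the corporate network.
    if u.scheme != "https":
        problems.append("sign-in redirect is not HTTPS")
    if u.hostname != expected_sts_host:
        problems.append(f"redirect goes to {u.hostname}, not the published AD FS host")

    # WS-Federation passive sign-in parameters.
    if q.get("wa") != ["wsignin1.0"]:
        problems.append("wa is not wsignin1.0")
    if q.get("wtrealm") != [expected_realm]:
        problems.append(f"wtrealm is {q.get('wtrealm')}, expected {expected_realm}")

    # If a wreply is present it decides where the token is posted back; it must
    # be the published SharePoint host, or the external user lands on a dead URL.
    wreply = q.get("wreply", [None])[0]
    if wreply is not None:
        r = urlsplit(wreply)
        if r.scheme != "https" or r.hostname != expected_app_host:
            problems.append(f"wreply points at {wreply}, not the published SharePoint host")
    return problems


if __name__ == "__main__":
    issues = check_wsfed_redirect(SAMPLE_STATUS, SAMPLE_LOCATION,
                                  "sts.example.com", "urn:sharepoint:extranet",
                                  "portal.example.com")
    print("OK" if not issues else "\n".join(issues))
```

    To run this against the live trunk, fetch the published SharePoint URL with a client that does not follow redirects (for example urllib.request with a handler whose redirect_request returns None) and pass the status and Location header in place of the constructed sample. A redirect that lands on an internal hostname, or a wreply on the internal SharePoint name, means the AD FS or SharePoint publishing rule is handing out internal URLs and external users will never complete sign-in.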

All replies

  • Thanks, Ran.

    What we ended up doing was standing up a separate TMG instance and are publishing the SP and ADFS v2 through it.  I eventually ran into the link describing using TMG on UAG for anything other than UAG as a no-no, so that was what really drove us to a separate TMG installation.

    Thursday, August 5, 2010 3:43 PM