Can UAG authenticate external user accounts (customers) hosted within a domain on the DMZ for access to SharePoint web servers on the internal network?

  • Question

  • Hi,

    Can UAG authenticate external user accounts (customers) hosted within a domain on the DMZ for access to SharePoint web servers on the internal network?

    The user accounts are in AD in a domain in the DMZ but I want them to access SharePoint web servers in the internal corporate network behind...

    I do not want the internal/corporate network to have to trust the domain in the DMZ...

    Thanks.


    • Edited by xyz2012 Friday, November 30, 2012 10:23 AM
    Friday, November 30, 2012 10:20 AM

All replies

  • UAG can authenticate the users in the DMZ forest, but when it attempts to delegate the credentials to SharePoint, this will fail. Even if you disabled SSO, users would still need some form of credentials to authenticate against SharePoint.

    Have you considered a SharePoint instance in the DMZ?


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, December 5, 2012 5:25 PM
    Moderator
  • Thanks Jason for your reply...

    Yes I have pondered a SharePoint IIS server in the DMZ...I will need to have some in the DMZ in any event for Internet sites...

    Can I have extranet sites on SharePoint IIS servers on the internal domain if I have 2 trusts:

    1. 1 way domain wide authentication trust and

    2. 1 way selective authentication trust

    Would that allow me to have the extranet servers in the internal domain?

    Thanks,

    Wednesday, December 12, 2012 10:01 AM
  • I've done it with one-way forest trusts, but not personally used selective auth.

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Wednesday, December 12, 2012 1:10 PM
    Moderator
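    As an added example (not code from anyone in this thread), here is a PowerShell check, run from the internal domain with the RSAT ActiveDirectory module, that flags a trust which is two-way or lacks selective authentication, the two properties the one-way/selective design above depends on; dmz.example.local is an assumed placeholder for the DMZ domain name.

```powershell
# Added example, not part of the thread: audit trusts as seen from the
# internal (resource) domain and flag any that do not match the one-way,
# selective-authentication design discussed above.
# Assumes the RSAT ActiveDirectory module; the DMZ domain name is a placeholder.

Import-Module ActiveDirectory

$dmzDomain = 'dmz.example.local'   # assumption: replace with the real DMZ domain

$report = foreach ($trust in Get-ADTrust -Filter *) {
    $issues = @()

    # Seen from the internal domain, a one-way trust that lets DMZ accounts reach
    # internal resources is Outbound. BiDirectional means the DMZ domain also
    # trusts the internal one, which the original poster wanted to avoid.
    if ($trust.Direction -eq 'BiDirectional') { $issues += 'two-way trust' }

    # Selective authentication limits DMZ users to the servers explicitly granted
    # the "Allowed to Authenticate" right (e.g. the extranet SharePoint servers);
    # domain-wide authentication lets them authenticate to any server.
    if (-not $trust.SelectiveAuthentication) { $issues += 'domain-wide authentication' }

    [pscustomobject]@{
        Target          = $trust.Target
        Direction       = $trust.Direction
        ForestTransitive = $trust.ForestTransitive
        Selective       = $trust.SelectiveAuthentication
        IsDmzTrust      = ($trust.Target -eq $dmzDomain)
        Issues          = ($issues -join '; ')
    }
}

$report | Format-Table -AutoSize

# Exit non-zero when the DMZ trust is missing or has findings, so the script
# can run as a scheduled configuration check.
$dmz = $report | Where-Object IsDmzTrust
if (-not $dmz) { Write-Warning "No trust to $dmzDomain found"; exit 1 }
if ($dmz.Issues) { Write-Warning "DMZ trust findings: $($dmz.Issues)"; exit 1 }
```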
  • As far as I know it should be possible. UAG can do RADIUS or LDAP pre-authentication against an internal domain, and after authentication forward your credentials with Basic Authentication to the SharePoint Servers. UAG is also designed to operate in a DMZ. As Jason mentions there is no SSO. You have to use FBA (Forms-Based Authentication).


    Boudewijn Plomp, BPMi Infrastructure & Security

    Wednesday, December 12, 2012 3:38 PM
  • Thanks BP - so if you want UAG SSO and your extranet SharePoint web servers are in the internal domain you must use FBA...is that right?

    ALSO - I read earlier today that if the Active Directory domain controller in the DMZ is read only then extranet servers can be on the internal domain and only 1 trust is needed!

    Have either of you/anyone else ever done this?

    Thanks!

    Wednesday, December 12, 2012 5:32 PM
  • No, SSO is not possible. Not even if your UAG is in the same domain. That's just the way UAG has been designed. Correct me if I'm wrong.

    Boudewijn Plomp, BPMi Infrastructure & Security

    Wednesday, December 12, 2012 6:06 PM
  • This can be accomplished using ADFS 2.0...doing it now and it works like a charm
    Thursday, December 13, 2012 10:30 PM
  • This can be accomplished using ADFS 2.0...doing it now and it works like a charm
    Thursday, December 13, 2012 10:31 PM
  • This can be accomplished using ADFS 2.0...doing it now and it works like a charm
    Thursday, December 13, 2012 10:31 PM
  • This can be accomplished using ADFS 2.0...doing it now and it works like a charm
    Thursday, December 13, 2012 10:31 PM
  • So convinced, you had to say it four times??!! ;)

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, December 13, 2012 11:31 PM
    Moderator
  • Can it be done using AD only though?
    Friday, December 14, 2012 12:08 PM
  • @ Jason J - lol :)
    Friday, December 14, 2012 12:08 PM