IAG - Publish Intranet-SharePoint via Extranet-IAG ends with NTLM/Kerberos Issue and IAG Message "You are not authorized to access this application"

Question


  • Hello All,

    Requirement:
    Publish an Intranet-SharePoint with IAG SP2 for access over an internet URL!
    The authentication IAG>SharePoint MUST be Kerberos to use full SharePoint functionality!
    The authentication should be single sign-on (SSO), but if not possible, a second logon via HTML form on application start would be OK.

    Problem:
    I don't get the scenario running, not with SSO and not with a dedicated second logon :(
    If I'm connected with RDP to the IAG server I can open the SharePoint in IE with the internal URL - the SharePoint log shows a successful Kerberos logon!
    If I'm trying to access via internet/IAG with the external URL I get "You are not authorized to access this application" - the SharePoint log shows a failed NTLM logon!

    So why does IAG not use Kerberos for the SharePoint logon? IAG should have the credentials entered with the second form input and should so be able to use Kerberos!?
    Maybe I could force IAG to use SharePoint Kerberos via one more (hidden) registry key on the IAG server? :)
    Is the problem that IAG resides in a different domain than SharePoint?
    In this scenario Kerberos Constrained Delegation (KCD) is not the right app config, or? In my understanding KCD must only be used in an SSO and/or ADFS scenario?


    here is my configuration:

    Domain1: extranet.company.com (EXT)
    Domain2: intranet.int (INT)

    Server EXTIAG01 is domain member in EXT-Domain
    EXT-Domain trusts INT-Domain
    In the trunk I configured domain controller EXTDC01 of the EXT-Domain for authentication.

    I configured 3 applications in the trunk:
    1. SharePoint1 (server EXTWEB01 in EXT-Domain) -> AAM2007 template
    2. SharePoint2 (INTWEB01 in INT-Domain) -> AAM2007 template
    3. RDP to servers (in INT-Domain and EXT-Domain)

    HTTPS Trunk Configuration:
    Advanced Settings>Authentication Server: --> EXT-Domain


    Application Configuration of SharePoint1 (INT-Domain):

    1. Application Properties>Web Settings>Automatically Reply to Application-Specific Auth. Req.: --> NO
    --> does IAG use Kerberos in this scenario? to authenticate/pass through/single sign-on the user's trunk login?

    2. Application Properties>Web Settings>Select Authentication Servers --> INT-DOMAIN
    --> IAG should use Kerberos in this scenario? to authenticate to the published application when the user enters credentials separately

    3. Application Properties>Web Settings>Use Kerberos Constrained Delegation --> NO
    --> This scenario is needed only with ADFS and SSO, not needed when auth. via separate logon?

    4. Application Properties>Web Settings>Choose Authentication method --> tried "Both" and "HTML Form"


    Thanks so much for help!

    JJ

    Thursday, April 29, 2010 9:05 PM
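One check that fits the symptom described in the question (a Kerberos logon when testing locally, an NTLM failure when the request comes through IAG), added here as an example and not part of the thread: a PowerShell script run on the SharePoint web server that separates Kerberos from NTLM network logons in the Security log and looks up the HTTP SPN for the internal host name. The host name is a placeholder assumption; replace it with the host part of the internal URL that IAG forwards to.

```powershell
# Added example, not from the thread. Run in an elevated prompt on the SharePoint
# web server (Windows Server 2008 or later, where Get-WinEvent is available).
param(
    [string]$InternalHost = "intweb01.intranet.int",   # placeholder, adjust to your internal URL host
    [int]$Hours = 1
)

# 4624 = successful logon, 4625 = failed logon, both in the Security log
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Logon type 3 = network logon, which is what IIS records for HTTP authentication
    if ($d['LogonType'] -eq '3') {
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Result  = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
            User    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Package = $d['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
            Source  = $d['IpAddress']                   # expect the IAG server here
        }
    }
}

# Summary by result and package: traffic from the IAG server should show up as
# Kerberos successes, not NTLM failures, if delegation to SharePoint is working.
$rows | Group-Object Result, Package | Select-Object Count, Name | Format-Table -AutoSize
$rows | Sort-Object Time -Descending | Select-Object -First 20 Time, Result, Package, User, Source | Format-Table -AutoSize

# Kerberos requires an HTTP SPN that matches the host name the request arrives with.
# setspn -Q searches the forest for that SPN; if nothing is found, clients can only
# fall back to NTLM, which matches the failed NTLM logons seen in the question.
setspn -Q "HTTP/$InternalHost"
```

If the summary shows only NTLM attempts from the IAG address, compare the host name in the forwarded request with the SPNs that setspn reports before changing trunk settings.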

Answers

  • Problem solved! At least partially ;)

    I can now access via the internet with two logons, one for the Whale portal and one for the application!
    The reason was some strange behaviour of IAG while mapping the external HTTPS request to the internal HTTP request to SharePoint.
    After I installed a self-signed certificate on the SharePoint server to make SharePoint also available via HTTPS, the access works for "normal" SharePoint sites.

    But now is the next problem. Excel Services doesn't render if it is accessed via the INTERNET.
    So I created another post in the Excel Services forum:
    http://social.msdn.microsoft.com/Forums/en-US/sharepointexcel/thread/131e79e4-46c2-4c2f-890e-bc0e859bc8c4


    • Marked as answer by JJ78 Friday, April 30, 2010 4:16 PM
    Friday, April 30, 2010 4:16 PM

All replies

  • found an excellent article for the topic:
    http://blogs.technet.com/edgeaccessblog/archive/2009/01/08/intelligent-application-gateway-iag-2007-goes-into-data-center-with-service-pack-2-sp2-part-2.aspx

    according to this info in the article my scenario should be possible without KCD and credential re-type?

     "...When neither of the above options is possible to implement, you can still configure IAG authentication delegation.  User will be prompted for credentials when accessing the application, but only once through the session and these credentials can be reused to all applications that share same authentication server. For instance when you publish number of SharePoint servers that use same Active Directory, user will be prompted for credentials only when accessing first SharePoint server; when subsequently accessing other SharePoint servers, IAG will reuse provided credentials on behalf of the user and provide Single Sign-On experience."

    Thursday, April 29, 2010 9:40 PM