UAG + SharePoint 2010 + Office 2010 = authentication problems

  • Question

  • Hi!

    We have a SharePoint solution on the web, published through UAG 2010 SP1, and we receive authentication dialogs each time we try to open an Office document. We have tried to add the site to Local Intranet and to Trusted Sites, but it still asks for authentication.

    The users are not part of the domain that the SharePoint server is a member of. Is there a way around this?

    Best Regards

    Carl

    Wednesday, March 23, 2011 1:41 PM

Answers

  • Alright, we have now received a working solution from Microsoft support. You need to create custom rules to achieve compatibility with WebDAV in SharePoint 2010.

    1)     Open the UAG Console, highlight the trunk where you are publishing SharePoint and navigate to the “Advanced Trunk Configuration”.

    2)     Navigate to the “URL Inspection” tab and add “PROPFIND” (in uppercase) and, if not present, GET, POST, HEAD, MOVE, COPY, PUT, DELETE, PROPFIND, OPTIONS, LOCK, UNLOCK, MKCOL, PROPPATCH, GETLIB to the list of predefined and custom methods.

    3)     Navigate to the “URL Set” tab.

    4)     Click “Add Primary” and enter the following details:

       a.     Name = GENERAL_Rule1
       b.     Action = Accept
       c.     URL = /.*
       d.     Parameters = Ignore
       e.     Note = this can be anything you wish, to allow you to remember why this was configured
       f.     Methods = “GET, POST, HEAD, MOVE, COPY, PUT, DELETE, PROPFIND, OPTIONS, LOCK, UNLOCK, MKCOL, PROPPATCH, GETLIB” (you will need to hold the CTRL key to make multiple selections here).

    5)     Ensure that the newly created rule appears at the bottom of the URL Set list.

    6)     Click OK and activate the configuration. Again, allow a couple of minutes for this to be replicated.

    7)     Finally, test and confirm that you can now access the document.

    We still have an open case with Microsoft and we are going to make changes to this rule so that we don’t allow anything that’s unnecessary. I’ll let you know the final configuration as soon as we are finished.

    Regards

    Carl

    • Marked as answer by Carl Hagstrom Thursday, June 9, 2011 8:49 PM
    Thursday, June 9, 2011 8:49 PM
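To make the effect of the rule above concrete, here is an added example that is not from the thread and not Microsoft's code: a small Python model of a UAG URL Set that evaluates the requests an Office client sends when opening a library document. Everything except the method list and the GENERAL_Rule1 definition is an assumption: the first-match, top-to-bottom evaluation with reject-on-no-match, the anchored-regex URL matching, the baseline "Browser_Rule", the request sequence, and the narrower library-scoped variant shown as one way to reduce the rule's scope.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# The method list from the accepted answer. UAG compares the method as
# entered (the answer stresses "PROPFIND" in uppercase), so no case folding.
WEBDAV_METHODS: Tuple[str, ...] = (
    "GET", "POST", "HEAD", "MOVE", "COPY", "PUT", "DELETE", "PROPFIND",
    "OPTIONS", "LOCK", "UNLOCK", "MKCOL", "PROPPATCH", "GETLIB",
)


@dataclass(frozen=True)
class UrlRule:
    """One entry of a UAG URL Set (simplified model; an assumption)."""
    name: str
    url: str                      # regular expression matched against the whole path
    methods: Tuple[str, ...]
    action: str = "Accept"        # "Accept" or "Reject"

    def matches(self, method: str, path: str) -> bool:
        return method in self.methods and re.fullmatch(self.url, path) is not None


def evaluate(rules: Sequence[UrlRule], method: str, path: str) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) for one request.

    Assumed semantics: rules are checked top to bottom, the first rule whose
    URL pattern and method both match decides, and a request that matches no
    rule is rejected by the trunk.
    """
    for rule in rules:
        if rule.matches(method, path):
            return rule.action, rule.name
    return "Reject", None


def blocked_requests(rules: Sequence[UrlRule],
                     requests: Sequence[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """The subset of requests the trunk would reject under the given rule set."""
    return [(m, p) for m, p in requests if evaluate(rules, m, p)[0] != "Accept"]


# Constructed stand-in for the trunk's existing rules: browser methods only.
BASELINE_RULES = [
    UrlRule("Browser_Rule", r"/.*", ("GET", "POST", "HEAD")),
]

# GENERAL_Rule1 as the support engineer specified it.
GENERAL_RULE = UrlRule("GENERAL_Rule1", r"/.*", WEBDAV_METHODS)

# Illustrative narrower variant (an assumption, not Carl's final rule):
# WebDAV methods only below a document library path.
LIBRARY_RULE = UrlRule("WebDAV_Libraries", r"/sites/[^/]+/Shared Documents/.*", WEBDAV_METHODS)

# Constructed approximation of what an Office client sends when a user opens a
# document from a published library (not a real capture).
OFFICE_OPEN_SEQUENCE = [
    ("OPTIONS", "/sites/finance/Shared Documents/"),
    ("PROPFIND", "/sites/finance/Shared Documents/"),
    ("PROPFIND", "/sites/finance/Shared Documents/budget.xlsx"),
    ("GET", "/sites/finance/Shared Documents/budget.xlsx"),
    ("LOCK", "/sites/finance/Shared Documents/budget.xlsx"),
]


if __name__ == "__main__":
    for label, rules in (("baseline", BASELINE_RULES),
                         ("with GENERAL_Rule1", BASELINE_RULES + [GENERAL_RULE]),
                         ("with library-scoped rule", BASELINE_RULES + [LIBRARY_RULE])):
        print(label, "blocks:", blocked_requests(rules, OFFICE_OPEN_SEQUENCE))
    # A lowercase entry does not match: the mistake the answer warns about.
    print(evaluate([UrlRule("lower", r"/.*", ("propfind",))], "PROPFIND", "/x"))
```

Under the baseline rules every non-browser method in the sequence is rejected, which is what the client experiences as repeated credential prompts; appending GENERAL_Rule1 lets all of them through, and the library-scoped variant still lets the Office sequence through while rejecting, for example, a PROPFIND against /_layouts/settings.aspx.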
  • Hi!

     

    We have registered a support case with Microsoft.

     

    Microsoft Support Case: 111032456656734.

     

    Hopefully they will find a solution. Matis, I have not tried your solutions yet but I will give you points if your solution is correct =)

     

    Thanks for the help guys!

    /Carl

    • Marked as answer by Erez Benari Wednesday, May 4, 2011 11:48 PM
    Friday, March 25, 2011 12:51 PM

All replies

  • Are you using the Allow rich clients to bypass trunk authentication option as discussed here: http://technet.microsoft.com/en-us/library/dd903064.aspx#MSOFBA

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, March 23, 2011 11:44 PM
    Moderator
  • Yes, that box is ticked, but I don't have form-based authentication ticked. When I try FBA I still have to authenticate.
    Thursday, March 24, 2011 8:38 AM
  • The public names are definitely added to Trusted Sites?

    Also, maybe have a look at these:

    http://support.microsoft.com/kb/932118

    http://support.microsoft.com/kb/943280/en-us

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, March 24, 2011 8:57 AM
    Moderator
  • Yes, I have tried all of those solutions. Still no cigar.

     

    Thursday, March 24, 2011 12:47 PM
  • Running out of ideas :)

    "After installing SP1 on a UAG server that publishes SharePoint Server, clients might experience issues when syncing with Office applications."

    Source: http://technet.microsoft.com/en-us/library/gg315322.aspx

    "In some circumstances, requests for files in SharePoint 2010 published via Forefront UAG use the WebDAV user agent. This might result in the endpoint users being prompted multiple times for credentials before the requested file is opened. This affects only sessions initiated by Office client applications."

    Source: http://technet.microsoft.com/en-us/library/dd772157.aspx

    I have successfully used the combination you describe, so it may be a SharePoint issue. What authentication is SharePoint using, and how is UAG configured to provide SSO to SharePoint?

    Given all of that, you may need to log an MS support call for better investigation...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, March 24, 2011 1:57 PM
    Moderator
  • Which security provider is used for the external users?

    Have you checked that the URL in the UAG trunk is listed in Alternate Access Mappings in the web application? A note from IAG: if you call a site from the internet via https, the address in the IAG trunk should ALSO be https to the web application, NOT http, and vice versa.

    To better understand your issue: when calling an Office document on SharePoint, this is done by Microsoft Office Protocol Discovery. It is by design that when you open an Office document on a SharePoint server with authentication enabled, it will prompt you for credentials; therefore it is important to have the correct IE security settings:

    IE 7: Local Intranet - be sure to check "automatic logon with current username and password"

    IE 8: Now it is possible to do the same in "Trusted Sites", but you do have to change the Security Level to allow "automatic logon......"

    The reason for that is that Office is not able to cache your credentials as IE is - of course, if it is a domain member device, no problem.

    An OLD trick that still works on 2010 to get Single Sign On with XP, IE7 and SharePoint 2007 if NOT using IAG/UAG is to put the domain, username and password in the Credential Manager, located in the Control Panel; you can do it with a script. This workaround "imitates" that the client device is a member of the domain.

    But I would advise you to take a look in the TMG logs on the UAG to see if the MSO discovery protocol is being denied; one of the symptoms of that protocol being denied is countless logon prompts.

    You could also monitor the process on the client machine with procmon, http://technet.microsoft.com/en-us/sysinternals/bb896645; this would also give you valuable info.

    As regards Jason Jones pointing at SharePoint maybe having an issue, this is NOT correct; the issue is with Office Protocol Discovery:

    You may be prompted for authentication when you open Office files. This behavior occurs if the Web server requires authentication to process an OPTIONS call to the URI of the folder. Changes to the server configuration can typically be made to avoid this problem by giving anonymous users browse permissions to the folder. Browse permissions are also known as list permissions. The prompt for authentication is expected if the server requires authentication.

    http://support.microsoft.com/kb/838028

    And of course, if you don't need Office Client Integration on the web application you could disable it; then you have a SharePoint without the integration but no logon prompts, and the Office document would be handled as pdf, txt etc.


    Friday, March 25, 2011 12:58 AM
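The advice above, to check the TMG logs on the UAG for the Office discovery protocol being denied, can be turned into a small check. The following is an added example, not code from the thread or from Microsoft. The log line layout is a constructed simplification (timestamp, client IP, method, URL, HTTP status, proxy result, user agent), not the real TMG/UAG log schema, so LINE_RE has to be adapted to the fields of a real export; the user-agent prefixes are an assumption about what Office 2010 and the Windows WebDAV redirector send. It separates requests the proxy itself denied from a 401 that was allowed through, since the latter is the back-end SharePoint challenge that KB 838028 says is expected.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Methods Office/WebDAV clients use that a browser never does.
WEBDAV_METHODS = {"PROPFIND", "OPTIONS", "LOCK", "UNLOCK", "MKCOL",
                  "PROPPATCH", "MOVE", "COPY", "GETLIB"}

# User-agent prefixes presented by Office and the Windows WebDAV redirector
# (assumed; verify against your own client versions).
OFFICE_AGENT_PREFIXES = ("Microsoft Office Protocol Discovery",
                         "Microsoft-WebDAV-MiniRedir",
                         "Microsoft Office")

# Constructed sample lines in a simplified layout; NOT the real TMG/UAG schema.
SAMPLE_LOG = """\
2011-03-24T12:47:01Z 203.0.113.10 GET /sites/finance/default.aspx 200 Allowed "Mozilla/4.0 (compatible; MSIE 8.0)"
2011-03-24T12:47:03Z 203.0.113.10 OPTIONS /sites/finance/Shared%20Documents/ 403 Denied "Microsoft Office Protocol Discovery"
2011-03-24T12:47:03Z 203.0.113.10 PROPFIND /sites/finance/Shared%20Documents/ 403 Denied "Microsoft Office Protocol Discovery"
2011-03-24T12:47:05Z 203.0.113.10 PROPFIND /sites/finance/Shared%20Documents/ 403 Denied "Microsoft-WebDAV-MiniRedir/6.1.7601"
2011-03-24T12:47:06Z 203.0.113.10 GET /sites/finance/Shared%20Documents/budget.xlsx 200 Allowed "Microsoft Office/14.0"
2011-03-24T12:49:10Z 198.51.100.7 OPTIONS /sites/hr/Shared%20Documents/ 401 Allowed "Microsoft Office Protocol Discovery"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<result>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_office_client(user_agent: str) -> bool:
    return user_agent.startswith(OFFICE_AGENT_PREFIXES)


def find_webdav_denials(log_text: str) -> List[Dict[str, str]]:
    """Requests the proxy itself denied that came from Office/WebDAV clients or
    used WebDAV methods. A 401 the proxy allowed through is the SharePoint
    authentication challenge, not a proxy denial, and is left out."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["result"] != "Denied":
            continue
        if rec["method"] in WEBDAV_METHODS or is_office_client(rec["ua"]):
            hits.append(rec)
    return hits


def prompt_loop_clients(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Clients with at least `threshold` denied WebDAV/Office requests, the
    pattern behind repeated logon prompts."""
    counts = Counter(rec["ip"] for rec in find_webdav_denials(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rec in find_webdav_denials(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["method"], rec["url"], rec["ua"])
    print("clients likely seeing prompt loops:", prompt_loop_clients(SAMPLE_LOG))
```

Run against the sample, the three 403 Denied lines from 203.0.113.10 are reported and that client is flagged, while the allowed 401 from 198.51.100.7 is not, because that one is the server asking for credentials rather than the trunk blocking the method.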
    My comment about a SharePoint issue was related to AAM configuration errors, not authentication...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, March 25, 2011 1:38 AM
    Moderator
  • Yes, please make a follow-up post. I have never had problems with missing SSO when using IAG/UAG, so it's good to be prepared if it should happen.

    Jason, I am not a native English speaker, so if I sound rude this is not by design, just by mistake.

     

    Friday, March 25, 2011 1:20 PM
  • Jason, I am not a native English speaker, so if I sound rude this is not by design, just by mistake.

     


    No problem, I don't mind being wrong :)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, March 25, 2011 1:22 PM
    Moderator
  • Hi..Have you found a resolution from Microsoft on this issue? We have a similar thing going on.

     

    Thanks

     

    Patrick

    Wednesday, April 20, 2011 3:03 AM
  • I'm running into the same issue. Did you ever resolve this ?
    Tuesday, May 10, 2011 9:17 PM
  • Hi,

    We are still having the same issue. The Microsoft technician has not been able to solve this problem. We are going to have to implement another solution. Does anyone know of a rock-solid reverse proxy for SharePoint 2010 which doesn't have any problems with Office?

    Tuesday, May 31, 2011 5:35 PM
  • Carl,

    Seems to be working well for me so far.

    I have Office 2010 64bit with SharePoint 2010 Multi-Tenanted (Hostname based site collections, not AAM) so I have had a bit of hacking to do already but this might just sort out the last little integration piece.

    I would be very interested in seeing if you manage to reduce the scope while still covering off all document libraries.

    Thanks,

    Michael Kovalik

    Friday, May 31, 2013 4:57 AM
    Hello Michael,

    Can you tell us please what has been done? Carl's instructions do not help me.

    Monday, July 1, 2013 5:01 PM