ISA2006 / TMG2010 authentication providers

  • Question

  • Am I right in thinking that ISA 2006 and TMG2010 can only authenticate users from AD? I need to allow external users to access our SharePoint farm, which is currently published via ISA 2006, but ideally without having to add their accounts to the internal AD. I know with SharePoint FBA you can use either SQL or AD LDS to authenticate against. However, authentication directly against SharePoint would not be allowed and as far as I can see ISA FBA will only work with AD. Does that change with TMG2010? Failing that, is it possible for either ISA or TMG to authenticate against a separate non-trusted domain, or can it only authenticate against a domain in its own forest?

    Monday, September 27, 2010 7:27 PM

All replies

  • You have to use Active Directory, but TMG (and ISA) support the use of LDAP which can be configured to address domain controllers in non-trusted domains or even separate forests.

    This should help: http://technet.microsoft.com/en-us/library/dd440987.aspx

    Cheers

    JJ

     


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Daryl T Tuesday, September 28, 2010 9:52 AM
    Monday, September 27, 2010 8:56 PM
  • Thanks for clarifying that Jason. I'm not sure how I'll get SharePoint to recognise the separate domain without enabling forms on the web front end, which I don't think works with the ISA publishing rule authentication delegation. But that is probably for a different forum.

    Cheers,

    Daryl

    Tuesday, September 28, 2010 9:55 AM
  • I think SharePoint will require that its joined domain will have a trust to the associated user domain in order to validate the credentials presented by UAG.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, September 28, 2010 11:43 AM
  • Interesting scenario. So if you use ISA FBA, the delegation won't work, but if you use the SharePoint FBA, you can't get single sign-on.

    If you configure both FBAs but forget about delegation and SSO for the moment, can you get it working? In other words, both forms are shown so the user has to log in TWICE in a row. But other than that, does it work?

    If so, then I may have a solution. You can keep both FBAs running and delegate the credentials from the ISA form to the SharePoint form using FlexForm. Weird situations like this are exactly what it's designed for :) As long as the same username and password will work in both forms, FlexForm should work.

    Saturday, October 2, 2010 1:11 AM