SharePoint Authentication using SQL

  • Question

  • Hello,
    I'm trying to configure my new UAG box to allow external users (not in our AD) to connect to our SharePoint 2010 server. I've been following the instructions I found at http://microsoft-iag.blogspot.com/2010/10/uagenable-sso-by-passing-user.html.

    We have a SQL Server and a SharePoint server both inside the firewall, and our UAG box has one NIC on our internal network, and one on the Internet.

    The SQL database that stores the user IDs and passwords is on the SQL Server inside the firewall. The authentication method in von/InternalSite/Inc/CustomUpdate calls the SQL Server inside the firewall to authenticate the user.

    To get this to work I had to open up port 1433 on the TMG that came with UAG. This concerns me, as a lot of corporate data is stored on that server.

    I considered moving the aspnet DB to the UAG server, but then if that machine got breached, someone would have access to all the user IDs stored in that database.

    The other option I see is to use WinHTTP authentication, so that UAG would call some web page to authenticate the user against the database. I could then close down port 1433, and no data would be stored on the UAG.

    I'm new to UAG and don't know if this is a good approach and would appreciate any feedback. Also, does anyone know of any good documentation on how to create a WinHTTP authentication server?

    Thanks

    Monday, October 10, 2011 5:51 PM

All replies

  • Hi Rgover,

    If the database is too sensitive, then you may deploy some custom code to authenticate through a "fetched cookie" from the internal SharePoint site. In this case UAG will use your provided credentials to log on (on behalf of the user) to the SharePoint site. If UAG gets a valid cookie, then UAG would know the authentication is valid. Afterwards, UAG could also pass the cookie to your client to allow SSO to the backend application...

    Unfortunately you need some coding experience for this task, since it requires either some custom "repository.inc" or "postpostvalidate.inc" code to get it up and running. The user "BingDude" posted his SiteMinder customization a while ago in this forum. If you have some ASP experience, then you could use his code as a good starting point. I guess it won't require that many changes...

    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/62b9cd27-8760-4e2d-a12b-0efb8da3cc5a

    BTW: Using the built-in WinHTTP repository type will only allow you to authenticate to "HTTP-Authentication" (e.g. BASIC) backend applications, but it's not designed to work with "Forms" based logon applications.

    -Kai


    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    • Edited by Kai Wilke Tuesday, October 11, 2011 6:11 AM
    Tuesday, October 11, 2011 6:08 AM
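The question proposes an authentication web page so the edge box never opens port 1433 and stores no credentials, and the reply notes that the built-in WinHTTP repository only speaks HTTP authentication such as BASIC. The following is an added example, not code from either poster, UAG or Microsoft: a minimal HTTP Basic verification endpoint in Python's standard library that stands in for such an internal authentication page. The user store, user names and passwords are constructed for the demo, and the store holds only salts and PBKDF2 hashes so a compromise of the endpoint host does not leak plaintext passwords; the exact request shape a UAG WinHTTP repository sends is not assumed beyond a GET with an Authorization header. `probe` plays the role of the edge box and returns the HTTP status it got back.

```python
import base64
import hashlib
import hmac
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, pbkdf2_sha256_digest); a fresh random salt when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed stand-in for the aspnet user table: salt + hash only, no plaintext.
USER_STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}


def verify_credentials(username, password):
    """Constant-time comparison; unknown users still pay the hash cost."""
    record = USER_STORE.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # equalise timing for unknown users
        return False
    salt, expected = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


class AuthHandler(BaseHTTPRequestHandler):
    """Answers 200 for valid Basic credentials, 401 with a challenge otherwise."""

    def do_GET(self):
        creds = parse_basic_auth(self.headers.get("Authorization"))
        if creds and verify_credentials(*creds):
            status, body = 200, b"OK"
        else:
            status, body = 401, b"Unauthorized"
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="sharepoint-external"')
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # do not echo request lines (and never Authorization headers) to stderr


def start_server():
    """Bind the endpoint on an ephemeral loopback port and serve it in the background."""
    server = HTTPServer(("127.0.0.1", 0), AuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, username, password):
    """Act as the edge box: one Basic-auth request, returning the HTTP status code."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = Request(f"http://127.0.0.1:{port}/auth", headers={"Authorization": f"Basic {token}"})
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print(probe(port, "alice", "correct horse battery staple"))  # 200
    print(probe(port, "alice", "wrong"))  # 401
    srv.shutdown()
```

In a real deployment the endpoint would sit inside the firewall next to the SQL Server, be reachable from the UAG only over TLS on its single HTTP port, and consult the database itself; the point shown here is that the edge box exchanges only a Basic-auth request and a status code, so neither port 1433 nor the credential table needs to be exposed to it.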