Sharepoint 2010-ISA2006 AD users cannot authenticate against site published by reverse proxy

Question: Sharepoint 2010-ISA2006 AD users cannot authenticate against site published by reverse proxy

  • Friday, 9 December 2011 19:16

    We are using ISA2006 to publish our sharepoint site. All the servers are in the perimeter network but split into 2 zones and there is a firewall in between. ISA2006, sharepoint WFEs/Apps are in DMZ1 while Domain controller and SQL server are in DMZ2.

    I'm able to login to the site through the original URL but when I tried to access it through the public URL provided by the reverse proxy the AD login credentials wouldn't go through. It just refreshes the login window and errors out after 3 attempts.

    Any idea what may have caused this? Are any ports needed to be open between the reverse proxy and the domain controller?

    Thanks a lot.


    Little fish 920

All Replies

  • Friday, 9 December 2011 19:52

    I am assuming you are wanting to authenticate straight against the SharePoint server rather than having ISA authenticate you first. If so, in your publishing rule, ensure Delegation Authentication is set to "No delegation, but client may authenticate directly." However, this is not the most secure method for setting up this rule.


    This article can help you set up your configuration in a more secure manner where you authenticate on the ISA server:

    http://www.isaserver.org/tutorials/how-to-publish-microsoft-sharepoint-service-isa-server-2006.html



    JD Wade
    Senior SharePoint Consultant, MCTS
    Horizons Consulting, Inc.
    Blog: http://wadingthrough.com
    Twitter: http://twitter.com/jdwade
  • Saturday, 10 December 2011 21:18

    Which authentication method do you use in your SharePoint site? Does the ISA server require authentication as well in reverse proxy mode?
    Stefan Goßner
    Senior Escalation Engineer - Microsoft CSS
    This post is provided "AS IS" with no warranties and confers no rights.
  • Saturday, 10 December 2011 23:11

    Thanks for your reply Stefan. The SharePoint uses NTLM, and the ISA server is set to use http basic in the firewall policy and NTLM for the listener for SharePoint.
    Little fish 920
  • Saturday, 10 December 2011 23:16

    The problem might be that both the ISA server and the web server require auth. In reverse proxy mode the browser does not know about the proxy and expects only one instance to request authentication.

    Can you disable authentication on ISA for the listener and test if it works with this setup?


    Stefan Goßner
    Senior Escalation Engineer - Microsoft CSS
    This post is provided "AS IS" with no warranties and confers no rights.
  • Wednesday, 14 December 2011 01:04

    Hi JD,

    I changed the delegation authentication of the publishing rule to "No delegation, but client may authenticate directly." and kept "Https, basic" for the listener. Now when I enter the login credentials it still refreshes the login window and won't let me through.

    One thing is we have 2 ADs both in DMZ, AD1 is in the same environment as the Sharepoint servers. The users from this zone can log in through the original URL but not the public URL no matter whether NTLM or No Authentication is used for the delegation authentication of the publishing rule. And the users from AD2 which is DMZ2 (AD2 trusts AD1) are able to login with NTLM but not No Authentication.

    The sharepoint farm uses NTLM for user authentication.

    Please let me know what you think.

    Thanks very much


    Little fish 920
  • Wednesday, 14 December 2011 04:16

    How has the public URL been mapped to the original URL?

    • Have you extended the original site to internet Zone and provided your public URL as its URL?
    • Have you added the public URL to the internal site bindings in IIS directly and not provided it in Alternate Access Mappings for the internal site?

    If it's the first option, then the error is something else.
    If it is the second option, provide Alternate Access Mappings for the internal site.


    Arvit
  • Wednesday, 14 December 2011 17:51

    Approach 1 is how I did it. I also edited the binding but it did not make any difference.

    The fact that AD2 users are able to authenticate makes me think that the mapping is set up correctly. But maybe there is something wrong with the authentication or ports? Should any ports be opened between the ISA server and the domain controller?


    Little fish 920
  • Thursday, 15 December 2011 07:06

    Hi,


    From your narration, the SharePoint uses NTLM, and the ISA server is set to use http basic in the firewall policy and NTLM for the listener for SharePoint.

    I suggest that you select HTML form authentication and Windows (Active Directory) as the authentication provider when creating the publishing rule, then test again.

    For the detailed steps, see

    http://www.isaserver.org/tutorials/How-to-Publish-Microsoft-Sharepoint-Service-ISA-Server-2006.html


    Thanks,

    Rock Wang

  • Thursday, 15 December 2011 17:15

    Thanks for your reply Rock.

    I tried HTML form authentication: AD before, and ended up in the same place. It just refreshes the login page and won't let me through :(


    Little fish 920
  • Tuesday, 24 April 2012 11:38

    Be sure Kerberos is working for the SharePoint site first.

    In ISA create a Web Listener: pick your inbound network and assign a certificate to the web listener (must use https). Set Authentication to 'HTML Form Authentication' and Validation Method to Windows (Active Directory).

    Publish the SharePoint Site using this listener; in the 'To' section uncheck Forward and select Request appear to come from ISA/TMG; in the 'Authentication' section select Negotiate (Kerberos/NTLM); and enter the SPN below (this was added to get Kerberos working internally); we do SSL Termination so redirect to HTTP (80). Now the tricky part requires Link Translation:

    http%253A%252F%252Finternalname%253A12345%252F → https%253A%252F%252Fmy%252Edomain%252Ecom%252F

    http%3A%2F%2Finternalname%3A12345%2F → https%3A%2F%2Fmy%2Edomain%2Ecom%2F

    http:\u002f\u002finternalname:12345 → https:\u002f\u002fmy.domain.com

    http\u00253A\u00252F\u00252Finternalname\u00253A12345\u00252F → https\u00253A\u00252F\u00252Fmy\u00252Edomain\u00252Ecom\u00252F

    https:\/\/my.domain.com → https:\/\/my.domain.com
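    As an added illustration (not from this thread and not ISA's own code) of what that Link Translation table does: the snippet builds the internal-to-public mapping for each encoding listed above and applies it to a constructed SharePoint response fragment. It assumes the internal name and port and the public hostname quoted in the post, with no trailing slash on the base URLs so that paths after them are rewritten as well.

```python
import re

# Constructed values from the thread: the internal SharePoint URL (with its
# non-standard port) and the public name clients use through ISA.
INTERNAL = "http://internalname:12345"
PUBLIC = "https://my.domain.com"

def pct_encode(s: str) -> str:
    """Percent-encode every character except letters and digits, so ':' -> %3A,
    '/' -> %2F and '.' -> %2E, matching the forms quoted in the thread."""
    return "".join(c if c.isalnum() else "%%%02X" % ord(c) for c in s)

# Each transform is one way a URL can be embedded in a SharePoint response:
# raw HTML, percent-encoded query values, double-encoded (an encoded URL passed
# through another encoding), JavaScript "\u002f" slashes, "\u0025"-escaped
# percent signs, and JSON "\/" slashes.
ENCODINGS = [
    lambda u: u,
    pct_encode,
    lambda u: pct_encode(pct_encode(u)),
    lambda u: u.replace("/", "\\u002f"),
    lambda u: pct_encode(u).replace("%", "\\u0025"),
    lambda u: u.replace("/", "\\/"),
]

def link_translation_table(internal: str, public: str) -> dict:
    """Build the internal->public mapping for every encoding, as the
    Link Translation dictionary on the publishing rule holds it."""
    return {enc(internal): enc(public) for enc in ENCODINGS}

def translate(body: str, table: dict) -> str:
    """Rewrite a response body. Longest patterns are tried first so a
    double-encoded form is never half-rewritten by a shorter variant."""
    keys = sorted(table, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(k) for k in keys))
    return pattern.sub(lambda m: table[m.group(0)], body)

# Constructed sample body mixing the encodings a SharePoint page emits.
SAMPLE = (
    '<a href="http://internalname:12345/Pages/Default.aspx">home</a>\n'
    '<a href="/_layouts/Authenticate.aspx?Source=http%3A%2F%2Finternalname%3A12345%2F">login</a>\n'
    'var ctx = "http:\\u002f\\u002finternalname:12345";\n'
    'redirect=http%253A%252F%252Finternalname%253A12345%252Fsites\n'
)

def translated_sample() -> str:
    return translate(SAMPLE, link_translation_table(INTERNAL, PUBLIC))
```

    Without the encoded entries, only the first link in the sample would be rewritten and the others would still point clients at the unreachable internal name, which shows up as exactly the kind of login loop described in this thread.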

  • Monday, 30 April 2012 12:55

    Hi Littlefish920,

    Did you ever manage to resolve this issue? I am experiencing the same issue - users can't seem to authenticate unless they are a member of the local admin group on the sharepoint server? I am using NTLM authentication and created an alternate access mappings domain through https port 443.

    Thanks.

  • Tuesday, 1 May 2012 16:19

    Yes I managed to resolve it. In my experience it can be caused by 2 things: 1. Required ports are not opened properly. 2. Some access/deny rules on the reverse proxy are blocking the authentication.

    Little fish 920