SSO to SharePoint through ISAPI extension

  • Question

  • Greetings,
     
    We have some integration code to enable SSO to SharePoint through ISAPI extension. It worked fine with SharePoint 2007, but with SharePoint 2010, SSO stops working unless SharePoint's anonymous access is enabled.

    The key component of the Integration code is an ISAPI extension installed on IIS. This extension uses the user attributes available on the incoming request to get a Kerberos ticket (through S4U2proxy) and impersonate the user through HSE_REQ_EXEC_UNICODE_URL support function.
     
    With anonymous authentication enabled in IIS and our ISAPI extension first on the handler mapping list, we found that we also had to enable SharePoint's anonymous access by following the steps listed in http://blog.drisgill.com/2009/11/sp2010-branding-tip-9-turn-on-anonymous.html; otherwise, users would get prompted for username/password, before our ISAPI extension was even invoked. Note that we didn't need to enable anonymous access for SharePoint 2007.
     
    So the questions are:
    1. Is enabling anonymous access the right thing to do? Any security implications?
    2. Why does anonymous access need to be enabled for SP 2010 but not SP 2007?
    3. In general, how does SharePoint 2010's authentication affect IIS's authentication? Why can the anonymous access setting in SharePoint 2010 prevent our ISAPI extension from being invoked? Conceptually, the ISAPI extension should get the request before SharePoint, shouldn't it?
     
    SharePoint is new to me. Any explanation will be greatly appreciated.
     
    Thanks,
    Yang
    Friday, October 8, 2010 9:52 PM

Answers

  • This is a good start point:

    http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/

    Enabling anonymous isn't really viable. You are building an authentication module, basically. You can't do that and pass any form of security review if it requires anonymous access!!

    Fundamentally, building an "SSO" solution in this manner is an outdated approach, given we have support for claims-based authentication in SharePoint 2010.

    hth


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007
    • Marked as answer by Yang Yu Monday, October 11, 2010 5:52 AM
    Friday, October 8, 2010 11:23 PM
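As an added illustration of the integrated-pipeline approach Spence points to (this is not code from the thread, from SharePoint, or from the original ISAPI extension), here is a minimal managed module that authenticates at the AuthenticateRequest stage and fails closed instead of depending on anonymous access. The header name X-SSO-Upn and the trusted front-end agent that injects it are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Illustrative IIS7 integrated-pipeline module (not code from the thread).
// ASSUMPTION: a trusted front-end SSO agent injects the already-verified UPN
// in the hypothetical "X-SSO-Upn" header, and nothing else can reach IIS with
// that header set (e.g. only the agent's address may connect). Without that
// guarantee the header is attacker-controlled and must not be trusted.
public class SsoAuthModule : IHttpModule
{
    private const string UpnHeader = "X-SSO-Upn";   // hypothetical header name

    public void Init(HttpApplication app)
    {
        // AuthenticateRequest is the pipeline stage where the built-in
        // Windows/Basic/Anonymous modules run. Hooking it replaces the
        // "ISAPI extension first in the handler list" trick of the old model.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string upn = ctx.Request.Headers[UpnHeader];

        if (string.IsNullOrEmpty(upn))
        {
            // Fail closed: no trusted assertion means no identity, never an
            // anonymous pass-through. A 401 makes the denial visible.
            ctx.Response.StatusCode = 401;
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        // The string constructor performs an S4U2self logon for the UPN, the
        // managed counterpart of the S4U call in the ISAPI extension. The
        // resulting token is identification-level only unless the app pool
        // account has the delegation rights the S4U2proxy setup already needs.
        WindowsIdentity identity = new WindowsIdentity(upn);
        ctx.User = new WindowsPrincipal(identity);
    }

    public void Dispose() { }
}
```

The module is registered in web.config under system.webServer/modules (`<add name="SsoAuthModule" type="SsoAuthModule" />`) and only runs when the application pool is in Integrated mode.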

All replies

  • SharePoint 2010 uses the new Integrated pipeline in IIS7 and above. You really shouldn't be using ISAPI extensions with this pipeline, as this approach is considered deprecated.


    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007
    • Proposed as answer by V284 Saturday, October 9, 2010 3:36 AM
    Friday, October 8, 2010 10:46 PM
  • Hi Spencer,

    Thank you very much for the quick response. Could you point me to any resource that can give me a better understanding of this new Integrated pipeline in IIS7? Also, do you think enabling anonymous access is a viable solution before we move away from this deprecated approach?

    Cheers,

    Yang

    Friday, October 8, 2010 10:59 PM
  • Hi Spencer,

    Thanks a lot for the link. One thing about anonymous access that confuses me is this MS link. It says that "Indicate whether anonymous access is allowed. If you selected Forms or Web single sign-on in the Authentication Type section, select the Enable anonymous access check box." It sounds like enabling anonymous access is necessary for some SSO workflow. Maybe it's totally unrelated to the problem in discussion, but I'm really curious to know why enabling anonymous access is necessary there.

    Cheers,

    Yang

    Friday, October 8, 2010 11:45 PM
  • Yeah, it is unrelated to the external-to-SharePoint "SSO" thing. And it's not correct either! :) You don't need to enable anonymous for FBA or external Web SSO. It's just the most common scenario, i.e. anonymous and FBA, for example.
    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007
    Friday, October 8, 2010 11:49 PM
  • Hi Spencer,

    Thank you very much for the information. Your help is greatly appreciated. Have a great weekend!

    Yang

    Friday, October 8, 2010 11:56 PM