Jan 25

MOSS 2007 + SSO + ISA 2006 + Office 2007 Clients Integration = ?

Tag: Systems | Joaquim Anguas @ 7:51 pm

MOSS 2007 provides tight integration with Office 2007 client applications, allowing you to do things like open or create files from MOSS 2007 document libraries and save them straight back to the library (keeping a local copy in case you want to work offline). ISA 2006 offers Single Sign On (SSO) so you can embed or link other sites of yours (like OWA) in your SharePoint sites. One expects (or at least users do) that these “star” features work out of the box when a server is installed in a standard scenario, right?

Not quite so…

If you have tried that, you already know that some hacking is required in order to get all that running.

I’ve been there… this is what you have to take into account to get the most out of your MOSS server:

Scenario

  • ISA 2006 as gateway / firewall / proxy, OWA as Exchange frontend, MOSS 2007, and Office 2007 client applications running on XP (there is a problem with Vista persistent cookies not being shared between applications; the bug is known and has been open since December 31st 2007, see here)
  • Access through https.
  • All servers belong to the AD domain (yes, ISA 2006 too) and there is a split DNS configuration running.
  • The MOSS 2007 application is already created.

Configuring MOSS 2007

Go to Central Administration, Application Management, Authentication Providers, select the Default Zone and set Authentication Type to Windows, Integrated Windows Authentication-NTLM and Enable Client Integration to Yes.

Go to Central Administration, Operations, Alternate Access Mappings, edit Public Zone URLs and add your MOSS external URL to the Extranet and Internet Zones.

Configuring ISA 2006

Export the certificates for OWA and SharePoint (with their private keys). Copy the exported certificate files to the ISA 2006 server, run MMC, add the Certificates snap-in for the Local Computer account and import both certificates into the Personal store.

On the ISA 2006 console, select the Firewall Policy and create a Web Listener from Toolbox, Network Objects, Web Listeners, New Web Listener. Select the external IP for SharePoint, choose one certificate per IP address and bind it to the corresponding certificate.

Once created, open the Listener and select HTML Form Authentication and Windows (Active Directory) on the Authentication tab. Select Allow users to change their password on the Forms tab. Select Advanced, enter a Cookie Name and select Use Persistent Cookies only on private computers. Select Enable Single Sign On on the SSO tab and enter your domain name. Add the external IP address for OWA on the Networks tab and bind it to the corresponding certificate on the Certificates tab.

Create a new SharePoint publishing rule from the Tasks tab. Select NTLM Authentication and set the listener to the one you just created; the Alternate Access Mapping was already configured in the MOSS step above. Once created, open the rule and select NTLM authentication on the Authentication Delegation tab.

Click OK and Apply.

IE

Open Tools, Internet Options, select Local Intranet on the Security tab, click Sites, Advanced, and add your SharePoint and OWA external names.

Client connection

When users open your SharePoint site, the ISA 2006 authentication form is displayed. They have to select “I am on a private computer”.

33 Responses to “MOSS 2007 + SSO + ISA 2006 + Office 2007 Clients Integration = ?”

  1. sacha says:

    how does one get my site working as it uses a different port

  2. Joaquim Anguas says:

    Hi Sacha,

    If it is the internal site (the one sitting in your LAN) that is running on a different port, you want to change settings for the ISA 2006 publishing rule:

    – Open ISA 2006 Server Management and navigate to the Firewall Policy of your ISA 2006 Server
    – Then open the properties for the corresponding sharepoint publishing rule and on the Bridging tab
    – Change the port on “Redirect requests…” to the appropriate value

    If it's the external site (the port seen from the WAN) you want to change, then you have to modify the listener accordingly:

    – Move to the Toolbox pane on the right, select Network Objects, navigate to Web Listeners and select properties right clicking on the one for your server
    – On the Connections tab you will see the ports you want to change

    Hope this helps,

    Joaquim

  3. dan says:

    i found your guide on google, thanks for making it, it was useful. i have one clarification question for you, if you have a moment. (ive never actually seen a working isa 2006 + moss 2007 setup myself, but i am attempting to configure one.) once the user browses to the isa website login screen, and then they login, what should they see next? in other words, how does it know if it should show them owa or sharepoint? i followed your steps and once i login i just get “page cannot be displayed” error. do i need to do something with external dns? thanks again.
    dan

  4. Joaquim Anguas says:

    Hello Dan,

    In fact ISA knows that you want to see owa or sharepoint because you entered the corresponding URL in your browser.

    You may get this error if you try to access your OWA server without entering the “Exchange/” directory. You should use http://owa.whatever.com/Exchange/ for example.

    I hope this helps.

    Joaquim

  5. dan says:

    joaquim,
    thanks for your reply. that makes sense and works!
    dan

  6. James Kryten says:

    Hi! I am thoroughly impressed with your knowledge of Isa Server. Your insights into this article about Isa Server were well worth the time to read it. I thank you for posting such awesome information. Signed James Kryten on this Day Wednesday.

  7. Ahmed Shaaban says:

    Hello Sir,
    thanks for your useful article. we have the following situation:
    – ISA 2006 in front of OWA & MOSS 2007 server
    – we have Active directory and NTLM for authentication
    – we need to do SSO for both
    – we need to have a https login page and then going back http when login successful.

    can we do that ?
    your fast response is highly appreciated.
    thanks again.
    Ahmed.

  8. Joaquim Anguas says:

    Hello Ahmed,

    Yes you can.
    The last change to go back to http after login can be achieved by creating a redirection rule.
    As for the rest, I think it is described already in my post.

    Let me know if you need any help.

    Regards,

    Joaquim Anguas

  9. Ahmed Shaaban says:

    Hello again :)
    I tried the following:
    i added a web publishing rule that denies https traffic and redirects to http traffic. but when this rule executes it doesn’t redirect the authentication cookie and i have to authenticate again after redirection.

    is this what you mean by redirection rule? and if yes how can i transfer the user credentials after login with https to http ?

    thanks again. your fast response is very appreciated.
    Ahmed.

  10. Ahmed Shaaban says:

    any update ?

  11. Joaquim Anguas says:

    Hello Ahmed,

    Sorry for my late answer.
    You want to perform authentication when in https because it is basic authentication?
    If you are using a more secure authentication method you could redirect first and then request credentials when in http.
    What happens is that the cookie generated in the first https phase belongs to a different site (https, not http) and it is discarded.

    I hope this helps.

    Regards,

    Joaquim Anguas
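
The two cookie behaviours that drive this thread (the post's “Use Persistent Cookies only on private computers” / “I am on a private computer” steps, needed so that Office clients can reuse the browser's ISA cookie, and Joaquim's explanation above of why a cookie issued on the https login page is dropped after a redirect to http) can be reproduced with a plain cookie jar. The example below is added here and is not code from the post or from ISA Server; the host name, cookie name and token are constructed, and it assumes the ISA form cookie carries the Secure attribute, which is the usual case for an https listener.

```python
# Added example (not from the post): why the ISA 2006 form-authentication cookie
# behaves as described in the post and in the comments.
#
# 1. A session cookie lives only in the browser process that received it; a
#    persistent cookie is written to the cookie store, where a separate process
#    (an Office 2007 client opening a document) can read it back.
# 2. A cookie flagged Secure is only sent over https, so a cookie issued on the
#    https login page is not presented on an http site after a redirect, and
#    the user is asked to authenticate again.
#
# Host, cookie name and token below are constructed for the example. Assumes the
# ISA form cookie carries the Secure attribute (usual for an https listener).
import os
import tempfile
import time
from http.cookiejar import Cookie, MozillaCookieJar
from urllib.request import Request

HOST = "portal.example.com"  # constructed; stands in for the MOSS external name


def make_cookie(name, value, persistent, secure=True):
    """Build a Netscape-style cookie for HOST the way a browser would store it."""
    expires = int(time.time()) + 3600 if persistent else None
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True, secure=secure, expires=expires,
        discard=not persistent, comment=None, comment_url=None, rest={},
    )


def cookie_names_sent(jar, url):
    """Return the cookie names a jar would put in the Cookie header for url."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies domain, path and Secure checks
    header = req.get_header("Cookie") or ""
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


def names_seen_by_new_process(jar, url):
    """Persist a browser jar to disk and read it back into a fresh jar, the way
    a second process (Word, Excel) sees the browser's cookie store."""
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "cookies.txt")
        jar.save(store)  # session cookies (discard=True) are not written
        office = MozillaCookieJar()
        office.load(store)
    return cookie_names_sent(office, url)


def login_over_https(use_persistent_cookie):
    """Simulate the ISA form login issuing its cookie on the https listener."""
    browser = MozillaCookieJar()
    browser.set_cookie(make_cookie("ISAFormCookie", "constructed-token",
                                   persistent=use_persistent_cookie))
    return browser


if __name__ == "__main__":
    doc = f"https://{HOST}/Docs/report.docx"
    for persistent in (False, True):
        jar = login_over_https(persistent)
        print(f"persistent={persistent}: browser sends {cookie_names_sent(jar, doc)}, "
              f"Office client sends {names_seen_by_new_process(jar, doc)}")
    # Same browser jar, but the request goes to the http site after a redirect.
    print("after redirect to http:", cookie_names_sent(login_over_https(True), f"http://{HOST}/"))
```

With a session cookie only the browser presents it; with a persistent cookie the second jar loaded from disk presents it too, which is the behaviour the Office clients rely on. The last line shows that the same jar sends nothing to `http://` because the cookie is marked Secure, which is why the https-to-http redirect in the comments forces a second login.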

  12. Omkar says:

    Hello Sir,
    Your Article is just Superb.
    I have created ISA 2006 Sharepoint Rule as per your article as well as Sharepoint settings.. Our Sharepoint
    Site is on port 80. MySites is on port 2002. When i try to access MySites
    I get an error Page Cannot Display.
    What should i do for this?

    Thanks & Regards,
    Omkar.Damle.

  13. Ahmed Shaaban says:

    So, is there any way to secure only the login page ?

    thanks for your cooperation.
    Ahmed.

  14. Joaquim Anguas says:

    Hello Ahmed,

    Sorry, I somehow missed your comment.

    No, not as far as I know.

    Regards,

    Joaquim Anguas

  15. Avis says:

    Hello,

    I have followed the post well (I think) and when I login to the ISA login screen from a computer on the internet, I get the following error:

    Error Code: 408. The operation timed out. The remote server did not respond within the set time allowed. The server might be unavailable at this time. Try again later or contact the server administrator. (12002)

    Any thoughts?

    Thank you!

  16. Sander says:

    Hi,

    we are in the process of creating an architectural diagram. The question that we face is this:
    is a single homed ISA server sufficient for SSO using MOSS 2007 + OWA?

    Thnx!

  17. Joaquim Anguas says:

    Hello Sander,

    SSO MOSS 2007 and OWA would work, I guess; I have never tried.

    But if you do not plan to perform the deployment for testing purposes inside a segregated network, I do not recommend the approach.

    See
    http://support.microsoft.com/kb/838364/en-us
    and
    http://technet.microsoft.com/en-us/library/cc302586.aspx

    I advise you to get a second network interface and plan a recommended scenario.

    See recommended scenarios here
    http://technet.microsoft.com/en-us/library/bb794774.aspx

    I hope this helps.

    Regards,

    Joaquim Anguas

  18. NL12143 says:

    Yes. Office 2007 – ISA 2006 – MOSS 2007 works fine. But only if using Windows XP. We are now in the Windows 7 era and then the “Open with Windows Explorer” and check-in (save) a doc does not work.

    Any progress on getting the integration to work for Windows 7 ?

    Has the problem with persistent cookies KB932118 been resolved ?

  19. Yeva says:

    Hi, I currently have a MOSS 2007 and ISA 2006. My MOSS has 2 URLs, one is for internal (http://portal)
    and the second one is for external (https://portal.domain.com).
    We want to only allow the external URL to be used in both intranet and internet.
    However, every time we try to access using the external URL in intranet, we will encounter the Microsoft
    authentication prompt.
    As we have already logged on to the domain via our system, having such prompt is confusing the users.
    Is it possible to remove such prompt for intranet but remain prompting for external access using
    firewall rules (ISA)?
    The MOSS server is on DMZ and IIS setting is basic authentication.
    The firewall authentication is FBA with AD.
    Any advice?
    Thank you

  20. Joaquim Anguas says:

    Hello Yeva,

    Notice that ISA is ONLY seen from the outside network.

    So I guess your problem may come from the way you have authentication configured at the server itself and/or at your clients.

    My guess is that you may not have IE configured to pass authentication. Set the site inside the Intranet Zone at the security settings and allow IE to pass authentication for this zone (I believe it's set by default, but just make sure).

    I hope this helps.

    Regards,

    Joaquim Anguas

  21. Joaquim Anguas says:

    Hello NL12143,

    Sorry, I was trying to get my hands on a W7 system to try what you point out.
    I’ll let you know as soon as I can test it.

    Best regards,

    Joaquim Anguas

  22. Marc says:

    Hello,

    I configured MOSS and ISA 2006 like this for a portal it works well for:
    – main web application (80)
    – web application for mysites (83)
    – exchange web service (88 on another server)

    But it does not work when I add a new office document, or update an existing office document of a document library.
    I get the windows authentication pop up each time I open an office document. If I check “Save the password”, the login and password are saved but the pop up still appears each time.

    Can you help me?

  23. Marc says:

    Do I need another rule for Office applications Web Service? (I have seen an IIS web site called Office Web Services)

  24. Joaquim Anguas says:

    Hello Marc,

    Can you please try to perform the same operation from the internal network?
    I just want to discard ISA intervention in the problem…

    Let me know,

    Joaquim Anguas

  25. Marc says:

    Hi thanks for your answer, I tried with the internal network:
    I don’t have any connection pop up, it logs me with my windows session account on sharepoint, and when I open a document, I am already logged with my account.

  26. Joaquim Anguas says:

    Hello Marc,

    This may indicate the problem comes from an ISA / cookies issue.
    Can you please clear your cookies and retry the operation (now from the outside network) and make sure the cookie is created? You can browse the cookies in your browser at Tools -> Internet Options -> Browse History – Configuration -> See files.

    Let me know,

    Joaquim Anguas

  27. Marc says:

    Yes I have a cookie created after the deleting operation:
    cookie:login@url/

  28. Joaquim Anguas says:
  29. Marc says:

    Hi, this answer sounds very good to me, I’ll test it on monday (when I am back to my office)

    Thanks for your help, I’ll give you a feedback after my test.

  30. Marc says:

    Hi,
    The persistent cookies were the solution to my problem thanks!

    I have another question: you wrote “Open Tools, Internet Options, select Local Intranet on the Security tab, click on Sites, Advanced and Add your sharepoint and owa external names.”

    But even without my domain name in the “Local Intranet” (for sharepoint and owa), it works with “private computer” checked. Do we really need to add the sharepoint site and owa to the local intranet list?

  31. InfoPath Web Forms + SSO | KB :-) says:

    […] MOSS 2007 + SSO + ISA 2006 + Office 2007 Clients Integration = ? […]

  32. Computer Tech Support & repair says:

    Do you mind if I quote a few of your articles as long as I
    provide credit and sources back to your webpage?
    My blog site is in the exact same area of interest as yours and my users would
    really benefit from a lot of the information you provide here.
    Please let me know if this alright with you. Appreciate it!

  33. Joaquim Anguas says:

    Sure!
    Go ahead.

    Regards,

    Joaquim Anguas