MOSS Forum

Ask Question   UnAnswered
Home » Forum » MOSS       RSS Feeds

ISA \ MOSS 2007 Authentication Issues (Extranet)

  Asked By: Shonda    Date: Jan 02    Category: MOSS    Views: 1984

We are directing extranet traffic to SharePoint through MS ISA server
with Forms Based Authentication (FBA) using their AD credentials.
Users log in using the ISAs HTML based form with persistent cookies.
The ISA server is accepting https (ssl) requests using a wildcard
certificate. Then the ISA makes an http (port 80) request to the
SharePoint server.

The first time users access the site they are prompted to enter a
username and password on the ISA HTML form. After doing so they are
also prompted to login again with a Windows Integrated Authentication
popup. After the user enters their credentials and checks "Remember
my password" checkbox they can access the site.

Users were instructed to add the site to Internet Explorer's Trusted

At this point users can navigate the site, open PDFs, add content
etc…. Great!

But… when users try to open any MS Office documents they are prompted
by the Windows Integrated Authentication popup again.

To avoid this, we changed the Internet Explorer setting
[Tools/Internet Options/Security/Trusted Sites/Custom Level/User
Authentication/ Logon] to "Automatic logon with current username and
password" Now users are not required to further authenticate in order
to use MS Office documents.

However… We have discovered a problem. User A (Andrew) logs onto the
computer and then logs into SharePoint. When he is finished Andrew
logs out of SharePoint but leaves the computer running. User B
(Beverley) sits at the computer and opens SharePoint. She is prompted
to logon by the ISA FBA. She does so and is authenticated. PROBLEM…
when SharePoint opens, Beverley is in fact logged into SharePoint as

If we go to Start/Settings/Control Panel/User
Accounts/Advanced/Manage Passwords we notice that a record exists for
the SharePoint site. Click properties and we find Andrew's Active
Directory account is stored as the automatic logon for this site. We
realize this is because we selected "Remember my password" and
set "Automatic logon with current username and password" in the

So, as we are reading it right now, we are faced with the following:
a) Do not use "Automatic logon with current username and
password" and force users to enter a username and password every time
they touch an office document. Not acceptable.

b) We turn on "Automatic logon with current username and
password" and risk users on shared computers accessing each other's
content. Not acceptable.

c) We are totally missing something and one of you fine folks is
going to point it out to us and save the day.

We like option C.



1 Answer Found

Answer #1    Answered By: Candy Walter     Answered On: Jan 02

I haven't used ISA, but I have some experience setting up
forms authentication  for extranet  - enough to know that it can be a
real nightmare.

We use dual access modes to give us essentially two sites; one on the
internal network that users are logged into automatically through
their Windows logon (AD). The "external site" uses forms
authentication to authenticate against AD accounts. Also have an
application firewall in place.

I know this is different from your ISA setup; the only point I can
offer is that the "Remember me" checkbox is not intended to be used
on a shared computer. (Users who login to windows separately should
be fine their cookies would be separate, though I haven't tested this)
I don't think any setup that *requires* this is a good design.

Also, the fact that users must authenticate both through forms and
through windows sounds very odd to me. Again, I have no experience
with ISA but I suspect something is wrong. What is the point of using
forms auth at all if users must authenticate via windows? What is the
benefit why not dump forms auth all together?

Didn't find what you were looking for? Find more on ISA \ MOSS 2007 Authentication Issues (Extranet) Or get search suggestion and latest updates.