There is a never-ending source of learning in EBS, and I wanted to document a solution we rendered for Michael Hensley around Single Sign On with TMG and EBS to deliver SharePoint without multiple prompts. Before Available Technology resolved the issues, every time a SharePoint page was loaded from the outside world through the Remote Web Workplace, the user was prompted several times for various reasons.
The first was because of unsecured content being presented through the https page. This caused a warning to fire for each bit of content that was coming from an http source.
The second was related to portal issues with TMG rules and the need to enable SSO in the SharePoint rule.
Issue 1: Security warnings for http content through https page.
The first issue was related to a couple of logos which had been added to the internal SharePoint site, known as Companyweb, which referenced the public website for the organization. Although the native SharePoint tools had been used to reference these image resources, the images remained references to the public website resources. Every time the page was loaded internally or externally, the page would go out to the Internet and retrieve the logo. Because the SharePoint site is used internally through *http*://companyweb/SharePoint, the issue was not noticed there. It was only in the context of remote secure access, which uses *https*://, that the extra warning prompts were raised.
The solution was to add the logos to the Company Logos section of Companyweb and then reference those links as the image sources. In straight SharePoint talk, add the logos to the SharePoint site. The first benefit was that the security warnings stopped, which reduced the prompts by two per page load. The secondary benefit was a reduction in bandwidth consumption from their internal use of SharePoint, which was referencing public websites. With 150 users using SharePoint extensively all day, that is a big factor, with every page load adding 10-50KB to their Internet usage. If the majority of users are external, however, the solution might be to use an https:// reference to the external site.
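To find such references before users see the warnings, a saved copy of the page can be scanned for content the browser will fetch over plain http. The following is an added example, not part of the original post; the host www.example.com, the file names and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute whose URL the browser fetches while rendering the page.
# <a href> is left out on purpose: a hyperlink is navigation, not content.
FETCHED = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
           "source": "src", "link": "href", "object": "data"}

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHED.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and not {"stylesheet", "icon"} & set(rel):
            return  # e.g. rel="canonical" is never fetched
        url = (attrs.get(attr) or "").strip()
        # Relative and //host URLs inherit the page's scheme, so only an
        # explicit http:// reference is insecure on an https:// page.
        if urlsplit(url).scheme == "http":
            self.findings.append((self.getpos()[0], tag, url))

def find_insecure_subresources(html):
    """Return (line, tag, url) for each subresource loaded over http."""
    finder = _Finder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; host and file names are placeholders.
SAMPLE_PAGE = """\
<html><body>
<img src="http://www.example.com/images/logo-left.png" alt="logo">
<img src="http://www.example.com/images/logo-right.png" alt="logo">
<img src="/Company%20Logos/logo-left.png" alt="local copy">
<img src="https://www.example.com/images/banner.png" alt="https copy">
<a href="http://www.example.com/">Public site</a>
</body></html>
"""
if __name__ == "__main__":
    for line, tag, url in find_insecure_subresources(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```

Only the two logos with explicit http:// sources are reported; the locally hosted copy, the https:// image and the ordinary hyperlink are not.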
Issue 2: Configuring the TMG SharePoint rule for SSO
From the TMG interface on the security server, we selected the SharePoint Rule.
- From the properties, we selected the Listener tab
- and the External Listener from the dropdown.
- Then we selected the Properties button.
From the External Web Listener Properties, we:
- Selected the SSO tab
- Checked the Enable Single Sign On check box
- Clicked the Add button
- Added the FQDN for the domain, including the prefix period ( . )
As a result, non-domain-joined computers can authenticate through the TMG interface when connecting to the SharePoint internal website and are only prompted for credentials once.
The net result was that we reduced all prompting to a single log on to TMG.