ISA / MOSS 2007 Authentication Issues (Extranet)
Hi All,

This is either an issue I need help with or a serious limitation to ISA / MOSS 2007 / Windows authentication. Read on.

We are directing extranet traffic to SharePoint through MS ISA Server with Forms Based Authentication (FBA) using their AD credentials. Users log in using the ISA's HTML-based form with persistent cookies. The ISA server is accepting HTTPS (SSL) requests using a wildcard certificate. Then the ISA makes an HTTP (port 80) request to the SharePoint server.

The first time users access the site they are prompted to enter a username and password on the ISA HTML form. After doing so they are also prompted to log in again with a Windows Integrated Authentication popup. After the user enters their credentials and checks the "Remember my password" checkbox they can access the site. Users were instructed to add the site to Internet Explorer's Trusted Sites. At this point users can navigate the site, open PDFs, add content etc. Great!

But when users try to open any MS Office documents they are prompted by the Windows Integrated Authentication popup again. To avoid this, we changed the Internet Explorer setting [Tools/Internet Options/Security/Trusted Sites/Custom Level/User Authentication/Logon] to "Automatic logon with current username and password". Now users are not required to further authenticate in order to use MS Office documents.

However, we have discovered a problem. User A (Andrew) logs onto the computer and then logs into SharePoint. When he is finished Andrew logs out of SharePoint but leaves the computer running. User B (Beverley) sits at the computer and opens SharePoint. She is prompted to log on by the ISA FBA. She does so and is authenticated. PROBLEM: when SharePoint opens, Beverley is in fact logged into SharePoint as Andrew.

If we go to Start/Settings/Control Panel/User Accounts/Advanced/Manage Passwords we notice that a record exists for the SharePoint site. Click Properties and we find Andrew's Active Directory account is stored as the automatic logon for this site. We realize this is because we selected "Remember my password" and set "Automatic logon with current username and password" in the browser.

So, as we are reading it right now, we are faced with the following:

a) Do not use "Automatic logon with current username and password" and force users to enter a username and password every time they touch an Office document. Not acceptable.
b) We turn on "Automatic logon with current username and password" and risk users on shared computers accessing each other's content. Not acceptable.
c) We are totally missing something and one of you fine folks is going to point it out to us and save the day.

We like option C ;) Any help is appreciated. Thanks.
October 3rd, 2008 8:49pm

Did you try to clear the cache in your browser before the second user tries to log on?!

Visual C# MVP | My SharePoint blog
October 4th, 2008 5:51pm

Hi Michael,

Thanks for the reply. Yes, we did, and it did resolve the issue. However, advising the client to always clear the cache is going to be cumbersome. My question is whether or not we could tie in a control to the SharePoint log-out which clears the cache? Is that perhaps something that could be doable? Or is there another way we can force ISA to clear a browser cache when logging out of the Forms Based Authentication? Technically, when a user clicks the Log-out feature in SharePoint, shouldn't that release the cached credentials? Otherwise, it shouldn't be called log-out.
October 4th, 2008 9:52pm
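The check and cleanup discussed in the two posts above (the stored "Remember my password" entry from the first post, and a log-out hook that clears it from the second), as an added example that is not part of the thread. This is PowerShell run on the shared workstation, not anything ISA or SharePoint does themselves. It assumes cmdkey.exe is available (shipped with Windows Server 2003 and Vista onward; on XP it comes from the resource kit), that the extranet host name is sharepoint.example.com (an assumed placeholder), and that the entry IE saved is addressed by the text after "target=" in the cmdkey listing.

```powershell
# Added example (not from the thread): list and remove the credential that
# Internet Explorer stored for the SharePoint host when the user ticked
# "Remember my password", then clear IE cookies and cache so the next user on
# a shared workstation gets a clean FBA logon instead of the previous user's
# Windows credential.
# Assumptions: cmdkey.exe is present; the host name below is a placeholder.

param(
    [string]$SharePointHost = 'sharepoint.example.com'   # assumed host name
)

function Get-StoredCredentialTargets {
    param([string]$HostName)
    # cmdkey /list prints one "Target: ..." line per stored credential, e.g.
    #   Target: Domain:target=sharepoint.example.com
    #   Target: LegacyGeneric:target=sharepoint.example.com
    $targets = @()
    foreach ($line in (& cmdkey.exe /list 2>&1)) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            $target = $Matches[1]
            if ($target -like "*$HostName*") { $targets += $target }
        }
    }
    return $targets
}

function Remove-StoredCredentialTargets {
    param([string]$HostName)
    $removed = @()
    foreach ($target in Get-StoredCredentialTargets -HostName $HostName) {
        # cmdkey addresses the entry by the part after "target=" (assumption;
        # the delete result is echoed so a failure is visible).
        $name = ($target -split 'target=', 2)[-1]
        $result = & cmdkey.exe /delete:$name 2>&1
        Write-Host "cmdkey /delete:$name -> $result"
        $removed += $name
    }
    return $removed
}

function Clear-IeBrowsingData {
    # ClearMyTracksByProcess flags (IE7 and later): 1 history, 2 cookies,
    # 8 temporary files, 16 form data, 32 passwords, 255 everything.
    # 10 = cookies + temporary files: drops the persistent FBA cookie and the
    # cached pages without wiping unrelated form data.
    & RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 10
}

# Usage: run at the end of a shared-workstation session (for example from a
# "log out of SharePoint" shortcut or a logoff script), then verify nothing
# is left for the host.
$before = Get-StoredCredentialTargets -HostName $SharePointHost
Write-Host "Stored credentials for ${SharePointHost}: $($before.Count)"
Remove-StoredCredentialTargets -HostName $SharePointHost | Out-Null
Clear-IeBrowsingData
$after = Get-StoredCredentialTargets -HostName $SharePointHost
if ($after.Count -eq 0) {
    Write-Host "OK: no stored credential left for $SharePointHost"
} else {
    Write-Warning "Still stored: $($after -join ', ') (try the full target string with /delete)"
}
```

Two caveats a practitioner should keep in mind. First, the stored credential lives in the Windows profile of whoever is logged on to the workstation, so the cross-user leak only exists because Andrew and Beverley share one Windows logon; separate Windows accounts isolate the store per user. Second, a client-side script only cleans up after the fact. The option that avoids the second prompt altogether is to have ISA delegate the credential it already collected on the FBA form to SharePoint (ISA 2006 authentication delegation on the web publishing rule), so the browser never needs "Remember my password" or "Automatic logon" in the first place.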

I'm not completely sure if you can set clearing the cache on the SharePoint side. But I think the best way is to check ISA or set up a group policy for the Windows boxes. I'd start with ISA, but I'm not very good with it. Try to google and ask in ISA groups. I'm pretty sure you can solve it with ISA settings.

Visual C# MVP | My SharePoint blog
October 5th, 2008 12:56am

Well, the problem with group policies is that this site is completely external, so users are not on the network when accessing the SharePoint site. Any other ideas that may be SharePoint based? I'll look into the capabilities of the ISA server.
October 6th, 2008 2:44pm

Have you tried to toss in an IAG (Internet Access Gateway) to prevent cookies and cache from being saved on the remote computer? I can't recall if ISA Server can perform this task or not.

BP
October 6th, 2008 4:36pm

Just spoke to MSFT Premier Support. They advised this is a functionality oversight for SP and how it interacts with the OS, which is doing the .NET password cache. I guess there is no way around it.
October 9th, 2008 4:06pm

Did you ever find a solution? We are facing the same problem as you are, (a) and (b).
March 31st, 2010 5:11pm
