
WEB SSL VPN and Microsoft Sharepoint 2007

it
Level 1

Hi,

We're working with a Cisco ASA 5520 and IOS 8.2.

I would like to use Sharepoint with SSL VPN: how can I activate pass-through authentication, using the same ID and password used to access the Cisco SSL web portal in the Sharepoint session?

Thanks in advance for any kind of support on this matter.

Best Regards

Fausto


Todd Pula
Level 7

ASA 8.2 supports various forms of single sign-on (SSO).  Please see the docs below for additional details regarding auto sign-on and forms based authentication.

https://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1002989

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp1003053

Thx for the quick reply.

I have just seen these documents, but I cannot find the solution.

I need the same approach used in the document for Outlook Web Access... Using any of the methods explained, when I access my internal Sharepoint portal, the system still asks me for a username and password.

Which way does Cisco suggest using?

Thx in advance for any kind of suggestion for SSO with Cisco SSL VPN and Sharepoint...

Regards

Fausto

Fausto, it depends on what the application (i.e. Sharepoint) is expecting for authentication.

You must first determine what authentication Sharepoint is using. By default it uses NTLM, I believe. From a PC that has an HTTP-based sniffer tool (e.g. httpwatch, http-analyzer), connect directly to the Sharepoint server, log in and capture the exchange. You'll then verify which auth it is using.

1) If it uses NTLM, then you will use the auto-signon command feature set in group-policy. The auto-signon feature now supports macros/variables as parameters, just like we have always done with the post-forms SSO method specified in the bookmark for the URL/resource.

CSCsr21867 - Support for Domain insertion for auto-signon and non-forms based SSO. This was added after the 8.2.1.1 interim. I don't believe it is integrated in 8.0.4/8.0.5 yet.

2) If it is using POST, then you can use the same procedure as you would for a POST-forms-based OWA/Citrix, etc., as specified in the SSL VPN Deployment guide.

HTH,

Nelson

Nelson, thx for your clear reply.

I just used an HTTP traffic analyzer, but Sharepoint used a strange authentication (it seems to be cookie-based) that intercepts integrated authentication. I can't find any kind of entry where I can use Cisco macros/variables.

Regarding the auto-signon feature under group-policy, it relates only to the smart tunnel parameters... is that correct?

In the Cisco lab, has no one tested this functionality (as was done for Citrix Metaframe or OWA)? On my ASA I have installed the latest IOS version, 8.2(1)11.

Thx in advance for any help ....

Fausto

I am currently having issues with my Sharepoint server link as well. I don't mind my users being prompted for their creds, and they have access to the site after that, but whenever anyone tries to download a document for editing or viewing, such as an Excel spreadsheet, they are taken back to the SSL VPN login page INSIDE the document, so they are never able to view it, and setting that link as a smart tunnel DOES NOT WORK. I am running ASA 8.2.2 on ASA 5520s. Any help would be awesome.

We are having the same issue where, when you click to download a link, the end user gets asked for a login. Our workaround was to right-click on the link and open it in a new window, and it seems to work. Also, the documentation they have for single sign-on is most likely for the VPN portal. In our case, when end users log in they get directed to our Sharepoint intranet and they have to log in again. I wonder if this can be done when you are just redirecting directly to Sharepoint. We are using NTLM for authentication.

Nelson Rodrigues
Cisco Employee

Fausto,

First find out via an http analyzer what type of authentication the Sharepoint 2007 server is using (basic, NTLM, POST-Forms).

If it is basic or NTLM based, then you can use one of the modes of onboard SSO on the ASA, called auto-signon for Clientless SSL VPN (aka WebVPN).

By default auto-sign will take the username and password used for the WebVPN login and pass them through to the backend web services (OWA, Citrix, Sharepoint, Lotus, etc.).

1) Auto-sign is enabled in the group-policy. Use ASDM to enable this, pretty easy.

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/webvpn.html#wp1021966

2) Configure your Sharepoint bookmark and it should work.

3) Now if you are using POST-FORMS, then your bookmark has to be configured with all the right parameters. Again, to find out these parameters, you need to use an HTTP analyzer from a PC to the Sharepoint server directly (without the ASA in the picture). Once you have the parameters you can program the bookmark properly. See the macro/variable substitution area of the config guide: http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/webvpn.html#wp1347365

The ASA 8.x SSL VPN Deployment guide will also give you some nice details: https://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html

Cheers and BR,

Nelson
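
Added example (not part of the thread and not Cisco code): a small classifier for the first step both replies describe, deciding from a captured HTTP response whether the backend asks for basic, NTLM or POST-forms authentication, and listing the form fields a POST-forms bookmark would need. The sample captures, the `/login.aspx` action and the field names are constructed for illustration.

```python
from html.parser import HTMLParser

class LoginFormFinder(HTMLParser):
    """Collect POST forms and the names of their input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and (a.get("method") or "get").lower() == "post":
            self._cur = {"action": a.get("action") or "", "fields": [], "password": False}
        elif tag == "input" and self._cur is not None:
            if a.get("name"):
                self._cur["fields"].append(a["name"])
            if (a.get("type") or "").lower() == "password":
                self._cur["password"] = True
    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def classify_auth(raw_response):
    """Describe the authentication a captured raw HTTP response asks for."""
    head, _, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    if status == 401 and schemes:
        # A server may offer several schemes; prefer the ones auto-signon is said to cover.
        kind = "ntlm" if "ntlm" in schemes else "basic" if "basic" in schemes else "other"
        return {"type": kind, "schemes": schemes}
    finder = LoginFormFinder()
    finder.feed(body)
    for form in finder.forms:
        if form["password"]:  # a POST form with a password input is a login form
            return {"type": "post-form", "action": form["action"], "fields": form["fields"]}
    return {"type": "unknown"}

# Constructed sample captures (not taken from the thread).
NTLM_CAPTURE = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n"
FORM_CAPTURE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                '<form method="POST" action="/login.aspx"><input type="text" name="username">'
                '<input type="password" name="password">'
                '<input type="hidden" name="__VIEWSTATE" value="x"></form>')
print(classify_auth(NTLM_CAPTURE)["type"], classify_auth(FORM_CAPTURE)["type"])
```

Hidden fields such as the constructed `__VIEWSTATE` above show up in the `fields` list; they are part of what the login POST carries, so they belong in the set of parameters to review when building the bookmark.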
