12-22-2009 06:27 AM
Hi,
We're working with a Cisco ASA 5520 and IOS 8.2.
I would like to use Sharepoint with SSL VPN: how can I activate passthrough authentication, using the same ID and password used to access the Cisco SSL web portal in the Sharepoint session?
Thanks in advance for any kind of support on this matter.
Best Regards
Fausto
12-22-2009 02:29 PM
ASA 8.2 supports various forms of single sign-on (SSO). Please see the docs below for additional details regarding auto sign-on and forms based authentication.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp1003053
12-23-2009 03:14 AM
Thx for the quick reply.
I have just seen these documents, but I cannot find the solution.
I need the same way used in the document with Outlook Web Access. Using any of the ways explained, when accessing my internal Sharepoint portal, the system still requires me to enter a username and password.
Which is the way that Cisco suggests using?
Thx in advance for any kind of suggestion for SSO with Cisco SSL VPN and Sharepoint.
Regards
Fausto
12-23-2009 11:18 AM
Fausto, it depends on what the application (i.e. Sharepoint) is expecting for authentication.
You must first determine what authentication Sharepoint is using. By default it uses NTLM, I believe. From a PC that has an HTTP-based sniffer tool (i.e. httpwatch, http-analyzer), connect directly to the Sharepoint server, log in and capture the exchange. You'll then verify which auth it is using.
1) If it uses NTLM, then you will use the auto-signon command feature set in the group-policy. The auto-signon feature now supports macros/variables as parameters, just like we have always done with the post-forms SSO method specified in the bookmark for the URL/resource.
2) If it is using POST, then you can use the same procedure as you would for a POST-forms-based OWA/Citrix, etc., as specified in the SSL VPN Deployment guide.
HTH,
Nelson
12-28-2009 02:39 AM
Nelson, thx for your clear reply.
I just used an HTTP traffic analyzer, but Sharepoint used a strange authentication (it seems to be based on a cookie) that intercepts integrated authentication. I can't find any kind of entry where I can use Cisco macros/variables.
Regarding the auto-signon feature under group-policy, it relates only to the smart tunnel parameters... is that correct?
Has no one in the Cisco lab tested this functionality (as was done for Citrix Metaframe or OWA)? On my ASA I have installed the latest IOS version, 8.2(1)11.
Thx in advance for any help.
Fausto
03-09-2010 05:05 PM
I am currently having issues with my Sharepoint server link as well. I don't mind my users being prompted for their creds, and they have access to the site after that, but whenever anyone tries to download a document for editing or viewing, such as an Excel spreadsheet, they are taken back to the SSL VPN login page INSIDE the document, so they are never able to view it, and setting that link as a smart tunnel DOES NOT WORK. I am running ASA 8.2.2 on ASA 5520s. Any help would be awesome.
07-01-2010 11:17 AM
We are having the same issue where, when you click to download a link, the end user gets asked for a login. Our workaround was to right-click on the link and open it in a new window, and it seems to work. Also, the documentation they have for single sign-on is most likely for the VPN portal. In our case, when end users log in they get directed to our Sharepoint intranet and they have to log in again. I wonder if this can be done when you are just redirecting directly to Sharepoint. We are using NTLM for authentication.
07-01-2010 12:10 PM
Fausto,
First find out via an HTTP analyzer what type of authentication the Sharepoint 2007 server is using (basic, NTLM, POST-forms).
If it is basic or NTLM based, then you can use one of the modes of onboard SSO on the ASA, called auto-signon for Clientless SSL VPN (a.k.a. WebVPN).
By default auto-signon will take the username and password used for the WebVPN login and pass them through to the backend web services (OWA, Citrix, Sharepoint, Lotus, etc.).
1) Auto-signon is enabled in the group-policy. Use ASDM to enable this, pretty easy.
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/webvpn.html#wp1021966
2) Configure your Sharepoint bookmark and it should work.
3) Now if you are using POST-forms, then your bookmark has to be configured with all the right parameters. Again, to find out these parameters, you need to use an HTTP analyzer from a PC to the Sharepoint server directly (without the ASA in the picture). Once you have the parameters you can program the bookmark properly. See the macro/variable substitution area of the config guide: http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/webvpn.html#wp1347365
The ASA 8.x SSL VPN Deployment guide will also give you some nice details: https://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html
Cheers and BR,
Nelson
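The check described in both of Nelson's replies (capture the backend's response, then decide between auto-signon and a POST-forms bookmark) can be scripted. The sketch below is an added example, not part of the thread and not Cisco code; the sample captures, form field names and the `classify` helper are constructed for illustration.

```python
from html.parser import HTMLParser

class FormFinder(HTMLParser):
    """Collect every <form> with its action, method and input (name, type) pairs."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": (a.get("method") or "get").lower(),
                               "fields": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].append((a.get("name"), (a.get("type") or "text").lower()))

def classify(raw: str) -> dict:
    """Classify one captured HTTP response from the backend server (hypothetical helper)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    # A server may offer several schemes, one WWW-Authenticate header each.
    schemes = [v.split()[0].lower() for k, _, v in (l.partition(":") for l in lines[1:])
               if k.strip().lower() == "www-authenticate" and v.strip()]
    if status == 401 and schemes:
        # The thread names basic and NTLM as the cases auto-signon covers.
        ok = bool({"basic", "ntlm"} & set(schemes))
        return {"schemes": schemes, "asa": "auto-signon" if ok else "undetermined", "form": None}
    finder = FormFinder()
    finder.feed(body)
    for form in finder.forms:
        if form["method"] == "post" and any(t == "password" for _, t in form["fields"]):
            # The action and field names are what the bookmark's POST parameters need.
            return {"schemes": ["post-form"], "asa": "post-form bookmark", "form": form}
    return {"schemes": schemes, "asa": "undetermined", "form": None}

# Constructed sample captures (not taken from a real server).
NTLM_SAMPLE = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
               "WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n")
FORM_SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               '<form method="POST" action="/login.aspx">'
               '<input type="text" name="username"><input type="password" name="password">'
               '<input type="hidden" name="token" value="x"></form>')

if __name__ == "__main__":
    for name, raw in (("ntlm", NTLM_SAMPLE), ("form", FORM_SAMPLE)):
        print(name, classify(raw))
```

Hidden inputs in the form result matter as much as the username and password fields, since a POST-forms bookmark has to send every parameter the login page expects.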
07-28-2010 11:15 AM
Did you find an answer for this?
Try the link below
http://cisconetworkadmin.blogspot.com/2010/07/single-sign-on-with-cisco-ssl-vpn-and.html