
Setting up your SP 2013 Web App for MIM SP1 & Kerberos SSO


I confess: when it comes to getting a Microsoft product-based website working with Kerberos and Single Sign On (i.e. without authentication prompts from a domain-joined workstation or server), it feels somewhat of a ‘black art’ to me.

I’m generally OK with registering SPNs, SSL certificates, working with load-balancing IPs etc., but when it comes to the final Internet Explorer test and it fails and I see an NTLM-style auth prompt, it’s enough to send me into a deep rage (or depression, or both).

So, recently, I’ve had a chance to review the latest guidance on getting the Microsoft Identity Manager (MIM) SP1 Portal set up on Windows Server 2012 R2 and SharePoint Foundation 2013 SP1 for both of the following customer requirements:

SSL (port 443)
Single Sign On from domain-joined workstations / servers

The official MIM guidance is a good place to start if you’re building out a lab ( https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/prepare-server-sharepoint ). There’s a major flaw in this guidance, however: it’ll work, but you’ll still get your NTLM-style auth prompt if you configure the SharePoint Web Application initially under port 82 (as the guidance does, and as I did) and then, in the words of the article, “Initially, SSL will not be configured. Be sure to configure SSL or equivalent before enabling access to this portal.”

Unfortunately, the article doesn’t elaborate on how to configure Kerberos and SSL after the FIM Portal installation, and then get SSO working across it.

To further my understanding of the root cause, I built out two MIM servers in the same AD:

MIM server #1: FIM Portal installed onto the Web Application on port 82, with SSL configured post installation with SSL bindings in IIS Manager and a new ‘Intranet’ Alternate Access Mapping configured in SharePoint Central Administration.

MIM server #2: FIM Portal installed onto the Web Application built on port 443 (no Alternate Access Paths specified) and SSL bindings configured in IIS Manager.

After completion, I found MIM Server #1 was working with Kerberos and SSO under port 82, but each time I accessed it using the SSL URL I configured post installation, I would get the NTLM-style auth prompt regardless of the workstation or server used to access it.

With MIM server #2, I built the web application purely on port 443 using this command:

New-SPWebApplication -Name "MIM Portal" -ApplicationPool "MIMAppPool" -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod "Kerberos" -SecureSocketsLayer:$true -Port 443 -URL https://<snip>.mimportal.com.au



The key switches are:

-SecureSocketsLayer:$true -Port 443 -URL (with a URL starting with https://)

After running that SharePoint Web Application command, I then configured SSL in IIS Manager with a binding similar to this:


[Screenshot: IIS Manager site binding, type https, port 443, with the portal certificate selected]
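The whole build-out above (web application created directly on port 443 with an https:// URL, HTTP SPN registered, certificate attached to the IIS binding) as one script. This is an added example and not code from the original post: the account name CONTOSO\svc-mimsp, the MIM_CERT_THUMBPRINT environment variable, and the assumption that the IIS site name matches the web application name (the default) are mine; the FQDN is the one used later in the post. Run it elevated, on the SharePoint/MIM server, before installing the FIM Service and Portal.

```powershell
# Added example, not from the original post: create the MIM Portal web application
# on port 443 from the start, register the HTTP SPN and bind the SSL certificate.
# Assumptions (not in the post): CONTOSO\svc-mimsp as app pool account, the
# certificate thumbprint supplied via MIM_CERT_THUMBPRINT, IIS site name == web app name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
Import-Module WebAdministration -ErrorAction Stop

$fqdn           = 'mimportal.somewhere.com.au'   # portal FQDN used in the post
$webAppName     = 'MIM Portal'                   # SharePoint uses this as the IIS site name
$appPoolName    = 'MIMAppPool'
$appPoolAccount = 'CONTOSO\svc-mimsp'            # assumed app pool identity
$certThumbprint = $env:MIM_CERT_THUMBPRINT       # assumed: thumbprint of a cert issued to $fqdn
if (-not $certThumbprint) { throw 'Set MIM_CERT_THUMBPRINT to the thumbprint of the portal certificate' }

# 1. The app pool identity must be a SharePoint managed account.
$managedAccount = Get-SPManagedAccount -Identity $appPoolAccount -ErrorAction SilentlyContinue
if (-not $managedAccount) {
    $cred = Get-Credential -UserName $appPoolAccount -Message 'Password for the app pool account'
    $managedAccount = New-SPManagedAccount -Credential $cred
}

# 2. Kerberos needs HTTP/<fqdn> on the account that runs the app pool.
#    setspn -S refuses to add a duplicate SPN, so this is safe to re-run.
setspn -S "HTTP/$fqdn" $appPoolAccount | Out-Null
if (-not (setspn -L $appPoolAccount | Select-String -SimpleMatch "HTTP/$fqdn")) {
    throw "HTTP/$fqdn is not registered on $appPoolAccount (duplicate SPN on another account?)"
}

# 3. Build the web application on 443 from the start: SSL on, port 443, https URL.
#    These three switches are what differed between the two test servers.
$webApp = New-SPWebApplication -Name $webAppName `
    -ApplicationPool $appPoolName `
    -ApplicationPoolAccount $managedAccount `
    -AuthenticationMethod 'Kerberos' `
    -SecureSocketsLayer:$true `
    -Port 443 `
    -Url "https://$fqdn"

# 4. SharePoint creates an https binding on the IIS site but attaches no certificate.
$binding = Get-WebBinding -Name $webAppName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $webAppName -Protocol https -Port 443 -HostHeader $fqdn
    $binding = Get-WebBinding -Name $webAppName -Protocol https -Port 443
}
$binding.AddSslCertificate($certThumbprint, 'My')

# 5. Show the Windows authentication providers IIS will offer; Negotiate should be
#    listed ahead of NTLM so Kerberos is attempted first.
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$webAppName" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/providers' `
    -Name Collection | Select-Object -ExpandProperty value
```

Step 2 is the part most often done by hand; if the SPN already sits on a different account (a previous farm account, for example), setspn -S prints the duplicate and the throw stops you before you create a web application that can only ever fall back to NTLM.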

A crucial way to see if it’s configured properly is to test the MIM Portal FQDN you intend to use (without the /identitymanagement path) after you configure the SharePoint Web Application and bind the SSL certificate in IIS Manager, but BEFORE you install the FIM Service and Portal.

So in summary test this:

https://mimportal.somewhere.com.au

Verify it working with SSO, then install the FIM Portal to get this URL working:

https://mimportal.somewhere.com.au/identitymanagement

If it’s working correctly, the first test should appear as a generic ‘Team Site’ in your browser without an authentication prompt from a domain-joined workstation or server.
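The same pre-installation test, scripted, with one check the browser alone does not give you: whether the silent logon was actually Kerberos or an NTLM fallback. This is an added example and not from the original post; the FQDN default is the one used above, and klist and setspn are the standard Windows tools. Run it from any domain-joined workstation or server as a domain user.

```powershell
# Added example, not from the original post: probe https://<fqdn>/ the way the text
# recommends (bare FQDN, before the FIM Portal is installed) and report whether the
# logon was Kerberos. Assumed: the FQDN below, a domain user with a valid TGT.
param([string]$Fqdn = 'mimportal.somewhere.com.au')

function Test-MimPortalSso {
    param([Parameter(Mandatory)][string]$Fqdn)
    $url = "https://$Fqdn/"
    $result = [ordered]@{ Url = $url; Offered = @(); Status = $null; KerberosTicket = $false; Verdict = '' }

    # 1. Anonymous probe: the 401 challenge lists the providers the site offers.
    #    'Negotiate' must be present; 'NTLM' alone can never give Kerberos SSO.
    try {
        Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop | Out-Null
        $result.Verdict = 'Site answered anonymously; Windows authentication is not enforced'
        return [pscustomobject]$result
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -and $resp.StatusCode -eq 401) {
            $result.Offered = @($resp.Headers.GetValues('WWW-Authenticate'))
        } else { throw }
    }

    # 2. Ask the KDC directly for a service ticket for the SPN IIS will present.
    #    No ticket here means HTTP/<fqdn> is missing or registered on the wrong account.
    $spnOk = [bool](klist get "HTTP/$Fqdn" 2>&1 | Select-String -SimpleMatch "HTTP/$Fqdn")

    # 3. The real SSO request with the logged-on user's credentials (what IE does).
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials -ErrorAction Stop
    $result.Status = [int]$resp.StatusCode

    # 4. If Kerberos was used, the service ticket for HTTP/<fqdn> is now in the cache.
    #    A 200 without that ticket means the client silently fell back to NTLM.
    $result.KerberosTicket = [bool](klist | Select-String -SimpleMatch "HTTP/$Fqdn")

    $result.Verdict = switch ($true) {
        { -not ($result.Offered -contains 'Negotiate') }         { 'Negotiate not offered by IIS'; break }
        { -not $spnOk }                                          { "No service ticket for HTTP/$Fqdn (SPN problem)"; break }
        { $result.Status -eq 200 -and $result.KerberosTicket }   { 'Kerberos SSO working'; break }
        { $result.Status -eq 200 }                               { '200 but no Kerberos ticket: NTLM was used'; break }
        default                                                  { "Unexpected status $($result.Status)" }
    }
    [pscustomobject]$result
}

Test-MimPortalSso -Fqdn $Fqdn | Format-List
```

The verdict that matters for this post is the fourth one: a page that loads without a prompt can still be NTLM (the prompt only appears once NTLM is also refused), so checking the ticket cache after the request is the only client-side way to tell the two apart.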

The other item to take note of is that I’ve seen other guidance that this won’t work from a browser locally on the MIM server, something I haven’t seen in any of my tests. All test results I’ve seen are consistent whether using a browser from a domain-joined workstation, a remote domain-joined server, or the domain-joined MIM server itself. There’s no difference in results in terms of SSO in my opinion. Be sure to add the MIM portal to the ‘Intranet’ site zone as well for your testing.

Also, I never had to configure ‘Require Kerberos = True’ in the web.config, which used to be part of the guidance for FIM and previous versions of SharePoint. This might work as well, but it wouldn’t explain the port 82/443 difference on MIM Server #1 (i.e. why would it work on one port and not the other?).

I’ve seen other MIM expert peers configure their MIM sites using custom PowerShell installations of SharePoint Foundation to configure the MIM portal under port 80 (overriding the default behaviour of SharePoint Foundation 2013 taking over port 80 during its wizard-based installation). I’m sure that might be a valid strategy as well, and may also work with SSL, but I personally can’t attest to that working.

Good luck!

