Accessing all the Sharepoint content through UAG seemed fine with just AAM setup on the Sharepoint side except when we attempted to open up Infopath forms. We had issues with the GetUserProfile() service not working and/or other Web services connections for populating the other drop downs in the Infopath forms failing. We were greeted with an error that said "Some rules were not applied" and "An error occured accessing a data source" or event id 5566.
Environment:
This setup included 2 load balanced UAG 2010 SP1 Update 1 boxes with a Cisco ACE NLB, 4 Sharepoint 2007 FE Farm servers, and 2 backend Web Services IIS boxes.
Solution:
The solution ended up requiring us to implement Kerberos authentication because we were faced with the "double hop" issue (See http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx ). To successfully implement Kerberos required a lot of changes to our environment. I'll describe below in more detail what was done.
- Create Sharepoint Alternate Access Mappings
Navigate to Sharepoint Central Administration->Operations->Alternate Access Mappings. Create AAMs that map a new dummy url to the public facing URL that is set for Sharepoint 2007 in UAG. Place the AAM in the internet zone and make sure that the Public URL for the zone is set to HTTPS.
- Extend Web Application
Next, extend the web application (Application Management > Create or Extend Web Application > Extend Web Application to Another IIS Web Site ). Make sure that Negotiate (Kerberos) is configured as the authentication provider and allow anonymous is set to No. Map the Zone to Internet.
- Add Host Entries on Sharepoint Front End hosts
Next add an entry to the hosts file that points the dummy URL to loopback IP address (127.0.0.1). Apply this to every Sharepoint Front end server.
- Add IIS Host Header Binding
In IIS add a host header binding for the dummy URL, to the original web application (the one on port 80). For example if your real site name is partners.company.com and your dummy url is partnersuag.company.com, make sure to add the host header binding to the partners.company.com site in IIS.
- Install SSL Cert on IIS SSL Binding
Install an SSL certificate on the newly created SSL web application in IIS. Validate that the certificate is correctly installed and not showing any errors from the Certificates MMC or via IIS view certificate dialog screen.Validate the root cert is in the Trusted Root Authorities certificate store. We ran in to an issue where even though the certificate showed no errors, we received errors in Sharepoint about trouble making an SSL connection and this was because the certificates whole chain was in the Personal store instead of placing the root certs in the Trusted Root Auth store.
- UAG Web Servers Config
Make sure to check the replace host header in the Web Servers tab for the application and apply the “bogus” url in the text box. We matched the internal URL and the public URL in our configuration.
- UAG Authentication Configuration
Check use Kerberos Constrained Delegation for single sign on and type in http/*
- Validate SPNs in environment
· Validate SPNs for Sharepoint Service Account for IIS Front End Application Pool
o Make sure every SP FE server has a corresponding HTTP/<FQDN> and HTTP/<Netbios name> via Setspn -L sharepointsvcaccount
o If missing an SPN add via setspn –A HTTP/<FQDN> sharepointsvcaccount
o Also add setspn –A HTTP/<netbios name> sharepointsvcaccount
· Validate SPNS for Service Account for Web services IIS Application Pool
o Make sure every IIS box in the pool has a corresponding HTTP/<FQDN> and HTTP/<Netbios name> via Setspn -L svc-account
o If missing an SPN add via setspn –A HTTP/<FQDN> svc-account
o Also add setspn –A HTTP/<netbios name> svc-account
- Set Delegation for UAG computer account(s)
Add the delegation in AD Users and Computers to the UAG computer accounts, go to the Delegation tab and click add and type in Sharepoint svc account and IIS Web Farm service account and make sure to add all related SPNs that show up to the delegation. Reboot UAG servers.
- Set Delegation to Sharepoint Farm Service Account
Delegation should be set by adding the next service hop in the path for authentication, in this case add the Web Service IIS Farm svc account so that Sharepoint can impersonate users coming from UAG to the web services. Allow time for replication.
- Set Delegation to IIS Web Services Farm Service Account
Set the Delegation to Trust this computer for delegation to any service ( Kerberos only ). Allow time for replication.
- Set Delegation for Sharepoint/Web Service Front End IIS Computers
Validate that all corresponding Sharepoint Front End boxes and Web Services Farm IIS boxes have the following delegation set: "Trust this computer for delegation to any service ( Kerberos only )"
- Set Component Services to Delegate on all Sharepoint Front End
Go to Start -> Administrative Tools -> Component Services,Open the Computers node and right click on My Computer and select Properties. Set the Default Impersonation Level to Delegate.
- Add Registry Key to support Kerberos in Server 2003
Add a DWORD 32bit to HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize and set the value to 1
No comments:
Post a Comment