Publishing Microsoft SharePoint 2010 with Forefront TMG and different authentication options (Part 1)

by Marc Grote [Published on 31 Jan. 2012 / Last Updated on 20 May 2013]

This two part article series will explain how to use the different authentication options to securely publish Microsoft SharePoint Server 2010 using Forefront TMG.

If you would like to read the next part in this article series please go to Publishing Microsoft SharePoint 2010 with Forefront TMG and different authentication options (Part 2).

Let's begin

The first article will start with an overview about the authentication options in Microsoft SharePoint Server 2010 and Microsoft Forefront TMG. I will show you how to set the different authentication options in Microsoft SharePoint Server 2010 and will start with the Standard publishing wizard of Forefront TMG.

SharePoint Server 2010 comes with a lot of supported authentication mechanisms. The supported authentication mechanisms are:

Windows authentication

  • NTLM
  • Kerberos
  • Anonymous
  • Basic
  • Digest

Forms based authentication

  • LDAP
  • Microsoft SQL Server database
  • Third party application and role provider

Forms-based authentication for Microsoft SharePoint Server 2010 is configured on the SharePoint Server itself. It is not the Forms-based authentication provided by Microsoft Forefront TMG. If you want to learn more about how to enable SharePoint Server 2010 for FBA, read the following article.

SAML token-based authentication

SAML (Security Assertion Markup Language) is an open, XML-based standard for exchanging authentication and authorization data between different domains/realms.

  • ADFS 2.0
  • LDAP
  • Third party Identity provider

Using SAML based authentication with SharePoint Server 2010 and Microsoft Forefront TMG is out of the scope of this article. If you want to use ADFS 2.0 based claims authentication you should have a look into Microsoft Forefront UAG which comes with a lot of enhancements for publishing Microsoft SharePoint 2010. Forefront UAG comes with integrated support for publishing internal resources based on ADFS 2.0.



To configure the different SharePoint authentication options we must use the SharePoint 2010 Central Administration Website and edit the Authentication settings for a Web Application.


Figure 1: SharePoint 2010 – Authentication options based on Windows

If you create a new Web Application you are able to distinguish between Claims Based Authentication and Classic Mode Authentication (Windows NTLM, Kerberos, Digest for example) as you can see in the following screenshot.


Figure 2: SharePoint 2010 – Claims based Authentication

If we go for Claims Based Authentication we are able to select different authentication providers like Forms Based Authentication (FBA) or Third Party Trust Providers, provided they have been registered and configured on the SharePoint Server 2010.


Figure 3: SharePoint 2010 – Enable Forms based Authentication

Creating the SharePoint publishing rule in Forefront TMG

Start the Forefront TMG Management console and create a new SharePoint Site Publishing Rule.

Give the SharePoint publishing rule a name like “Sharepoint publish”. We will publish a single Web site or load balancer.

The wizard uses non-secured (HTTP) connections to connect to the published Web server or server farm. We will change this in article two to a secure HTTPS connection between the TMG Server and the published SharePoint Server.

Enter the Internal site name of the SharePoint Server. We will use the internal DNS FQDN (Fully Qualified Domain Name) of the SharePoint Server.

In the public name details we will accept requests for the external DNS domain name from the Internet.

Create a new Web Listener. I will only give you the high-level steps for creating the Web Listener:

  • Require SSL secured connections with clients
  • Listener External
  • Select certificate
  • HTML Form Authentication with Windows (Active Directory)
  • No SSO

We will use NTLM authentication as the wizard suggests.

SharePoint AAM configuration

Alternate Access Mapping (AAM) is a SharePoint Server 2010 feature that is also relevant when publishing with Forefront TMG. AAM in Microsoft SharePoint Server 2010 is used to map web requests arriving from the Internet (with the public host name) to the correct web applications and web sites of the internal SharePoint Server 2010.

If SharePoint AAM (Alternate Access Mapping) has not been configured at the Sharepoint Server or if you are not sure, select the second radio button.


Figure 4: AAM configuration options
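If AAM is configured on the SharePoint side, the public name that the TMG listener accepts must be mapped to the internal web application. The following is an added example (not code from the original article) using the SharePoint 2010 PowerShell snap-in; the internal FQDN "sharepoint.intern.local" and the public name "sharepoint.example.com" are placeholders.

```powershell
# Added example (not from the original article): configure SharePoint 2010
# Alternate Access Mappings with the SharePoint PowerShell snap-in so that
# requests TMG forwards for the public name map back to the internal web app.
# Assumed values: "sharepoint.intern.local" (Internal Site Name in the TMG rule)
# and "sharepoint.example.com" (public name) are placeholders for your own names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$internalUrl = "http://sharepoint.intern.local"     # Internal Site Name in the TMG rule
$publicUrl   = "https://sharepoint.example.com"     # public name the TMG listener accepts

# The web application is addressed by its Default zone URL.
$webApp = Get-SPWebApplication -Identity $internalUrl

# Add the public URL to the Internet zone so SharePoint renders links with the
# name that browsers on the Internet actually use (via the TMG listener).
$existing = Get-SPAlternateURL -WebApplication $webApp |
    Where-Object { $_.IncomingUrl -eq $publicUrl }

if (-not $existing) {
    New-SPAlternateURL -Url $publicUrl -WebApplication $webApp -Zone Internet | Out-Null
}

# Verify: every zone of the web application and its mapped URL.
Get-SPAlternateURL -WebApplication $webApp |
    Select-Object Zone, IncomingUrl, PublicUrl |
    Format-Table -AutoSize
```

Run this in the SharePoint 2010 Management Shell on a farm server; the public URL must match the public name entered in the TMG publishing rule.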

We will remove the “Authenticated Users” setting from the wizard and use a newly created user set in Forefront TMG, filled with an Active Directory user group that should be able to access the SharePoint Server over the Internet.

When the SharePoint publishing wizard is completed and the TMG configuration change has been applied to the Forefront TMG storage we should be able to test the connection using the Test Button or by trying to access the SharePoint Server from the Internet.

SSL on the SharePoint Server

As the last step in our first article we will enable the Sharepoint Server 2010 to listen on HTTPS requests.

First, we have to request a new certificate from an internal Certification Authority (CA) or create a self-signed certificate. In our environment we will request a certificate from an internal Enterprise Certification Authority. We will use the certificate request wizard of the Internet Information Services (IIS) Manager, but it is also possible to request the certificate using the Certificates snap-in.

Attention:
The CN (Common Name) of the certificate must match the Internal Site Name in the TMG publishing rule – in this case the internal DNS FQDN.

After the certificate has been issued from the CA, we must change the bindings of the SharePoint Website in the Internet Information Services (IIS) Manager so that IIS listens on port 443 in addition to port 80, as shown in the following screenshot.


Figure 5: Certificate for HTTPS bindings on the IIS
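The CN check from the note above and the port 443 binding can also be done from PowerShell on the SharePoint Server. This is an added example (not code from the original article) using the IIS WebAdministration module; "sharepoint.intern.local" is a placeholder internal FQDN and "SharePoint - 80" a placeholder IIS site name.

```powershell
# Added example (not from the original article): check that the certificate's
# CN matches the Internal Site Name used in the TMG rule and add an HTTPS
# binding on port 443 to the SharePoint web site in IIS, next to port 80.
# Assumed names: "sharepoint.intern.local" is a placeholder FQDN and
# "SharePoint - 80" a placeholder IIS site name.
Import-Module WebAdministration

$internalFqdn = "sharepoint.intern.local"
$siteName     = "SharePoint - 80"

# Find a server certificate in the machine store whose Subject CN is the FQDN
# (TMG compares the CN with the Internal Site Name of the publishing rule).
$cnPattern = '^CN={0}(,|$)' -f [regex]::Escape($internalFqdn)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $cnPattern -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with CN=$internalFqdn and a private key found; the TMG bridging check would fail."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) has expired."
}

# Add the HTTPS binding if the site does not already have one on 443.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress "*"
}

# Associate the certificate with 0.0.0.0:443 via the IIS SslBindings provider.
if (-not (Test-Path IIS:\SslBindings\0.0.0.0!443)) {
    New-Item IIS:\SslBindings\0.0.0.0!443 -Value $cert | Out-Null
}

# Verify: the site now listens on both 80 and 443.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
```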

Conclusion

In this first article we had a look into the different authentication options of Microsoft SharePoint Server 2010 and Microsoft Forefront TMG and how the options work together. We also started with publishing Microsoft SharePoint Server 2010 with the default SharePoint publishing rule wizard in Forefront TMG. In the second article we will talk about other Forefront TMG publishing options for Microsoft SharePoint Server like Kerberos Constrained Delegation (KCD), SSL Client certificate authentication and redirecting the authentication directly to the Microsoft SharePoint Server.

Related links

If you would like to read the next part in this article series please go to Publishing Microsoft SharePoint 2010 with Forefront TMG and different authentication options (Part 2).

The Author — Marc Grote


Marc Grote is an MCSA/MCSE Messaging & Security, MCSE Private Cloud and Server Virtualization, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance Consultant and IT Trainer in the north of Germany near Hanover. He specializes in System Center, TMG/UAG Server, Exchange, Security for Windows Server 2012 R2 and Windows Server 2012 R2 designs, migrations and implementations. His efforts earned him recognition as a Microsoft MVP for ISA Server from 2004 until 2014. Since 2014 he has been awarded as an MVP for Hyper-V.
