If you publish multiple Web Applications through ISA Server you might have experienced that users are asked to re-validate when one published site is linking to another published site even thought the sites are using the same user repository to validate users.

Fortunately, there is an easy fix for that: ISA Server SSO

ISA SSO offers Single Sign-on between site in the same DNS domain, provided:

• the published sites share the same Web Listener
• the same port number and protocol is used
• the users must be validated in the same user repository using the same authentication method

This means that SSO between http://sales.contoso.com and http://marketing.contoso.com is possible but SSO between http://sales.contoso.com and http://sales.contoso.org is not.

ISA SSO is enabled on the SSO tab in the Web Listener.

More information:

• Authentication in ISA Server 2006
• Secure Application Publishing

Finally, we’ve arrived at the last part of the series where everything should come together!

Let the SharePoint publishing begin!

1. On the right pane, select the Tasks tab and click Publish SharePoint sites
2. Name the publishing rule and click Next
3. Select Publish a single Web site or load balancer and click Next 
4. Use SSL to connect to the published Web server or server farm and click Next 
5. Enter the Internal site name. The internal name is in this case the host header in the Extranet Web application that was extended to the Extranet zone: dmz.extranet.sharepointnotes.local
6. If the ISA server cannot resolve the internal site name (e.g. if it is not created as a A record in DNS), specify the computer name or IP address. Click Next
7. Accept requests for This domain name (type below), enter the Public name and click Next. The public name is the web site name, the clients will use to access the site. In this case extranet.sharepointnotes.local
8. Select the Web listener to use. If you haven’t one already, here’s how to create one:
   • Click New 
   • Name the listener and click Next
   • Select Require SSL secured connection with clients and click Next
   • Select the External network interface and click Select IP Addresses
   • Select Specified IP Addresses on the ISA Server computer in the selected network and select the IP Address that is used to server internal users coming from the Internet. Click Add and OK
   • Back on the Web Listener IP Addresses page click Next
   • Select Assign a certificate for each IP address and click Select Certificate 
   • Choose the certificate issued to extranet.sharepointnotes.local and click Select and then Next 
   • Use HTML Forms Authentication and let ISA validate using LDAP (Active Directory). Click Next
   • Do not enable SSO and click Next
   • Click Finish and OK to accept the warning
9. Make sure the newly created listener is selected and click Next 
10. Use Basic authentication and click Next 
11. Select SharePoint AAM is already configured and click Next
12. Remove All Authenticated users and click Add to add the User Set you created earlier. Click Next
13. Click Finish and Apply the changes
14. Right-click the new rule and select Properties
15. Select the To tab. Since we are forwarding requests from one URL to another, make sure the Forward the original host header option is not selected.
16. Select the Bridging tab
17. Since we are redirecting from SSL to HTTP, make sure the Redirect requests to HTTP port 80 is selected and that Redirect requests to SSL port is not selected
18. Click OK and Apply the changes

The rule is now created and out Extranet site is published and available for external users. Let’s test it:

1. To test external access, browse to https://extranet.sharepointnotes.local
2. Login using a administrative user in the format user@dmzad.local
3. Once the credentials are validated by ISA Server, the request is forwarded to MOSS and the user is presented with a new Sign In page. Log in again using the same credentials.
4. A good method to test access and especially Alternate Access Mappings is to create a new site:
   • From Site Actions select Create
   • In the Web Pages section select Sites and Workspaces
   • Enter a Title, URL name and select a site template. 
   • Leave other settings with their default values and click Create
5. Verify the new site was created and displayed correctly. If that isn’t the case it normally indicates that the Alternate Access Mappings is configured incorrectly. 

Done! I hope you enjoyed the series. If so, drop me a note Please also drop me a note, if you know how to avoid to enter crendetials twice (once on ISA and again on MOSS)!

The last thing we need before we can create the SharePoint Publishing rules, are two ISA User Sets. ISA Server user sets are used to segment internal and external users into groups that the ISA Server uses when granting or denying access.

It is assumed that the following groups are created and populated with appropriate users:

• External Extranet Users exists in the DMZ Active Directory
• Internal Extranet Users exists in the corporate domain

Creating a User Set for External users

1. In the ISA Server Management Console navigate to Array -> <instance> -> Firewall Policy
2. On the right pane select Toolbox and then Users. Select New to create a new user set
3. Name the set and click Next
4. Select Add -> LDAP
5. Select the LDAP server set from the drop-down box. If a server set is not available, create one as described part 6
6. In Specified group or user enter the External Extranet Users group created for External Access and click OK
7. Enter credentials to the LDAP Server and click OK
8. Verify the group is added to the list and click Next
9. Click Finish and Apply

Creating a User Set for Internal users

1. In the ISA Server Management Console navigate to Array -> <instance> -> Firewall Policy
2. On the right pane select Toolbox and then Users. Select New to create a new user set
3. Name the set and click Next
4. Select Add -> Windows users and groups
5. Click Locations…
6. Expand Entire Directory and select the corporate domain. Click OK
7. In the Enter the object names to select text box, enter Internal Extranet Users and click Check Names. Verify the group name is underlines and click OK
8. Verify the group is added to the list and click Next. Note the group name is listed as a GUID and not the actual user name. Click Next
9. Click Finish and Apply

OK, let’s turn our attention to the ISA Server configurations again. It’s time to configure the LDAP connectivity! 

Create Connectivity Verifier
To test and verify the LDAP connection to the Active Directory in the DMZ, a Connectivity verifier can be created:

1. In the ISA Server Management Console navigate to Array -> <Instance> -> Monitoring
2. Select the Connectivity Verifiers tab
3. On the right pane click Create New Connectivity Verifier
4. Name the Verifier and click Next
5. Enter the IP address or server name of the LDAP Server
6. In Group type used to categorize the connectivity verifier select Active Directory
7. Verify the Establish a TCP connection to port is set to LDAP and click Next
8. Click Finish and Apply

The connectivity is now being verified and the Result should evaluate to Good in a few seconds. The status is also being propagated to the Dashboard view

Add LDAP Server

1. In the ISA Server Management Console navigate to Array -> <Instance> -> Configuration -> General
2. Click Specify RADIUS and LDAP Servers
3. Select the LDAP Servers Tab
4. Click Add
5. Name the LDAP Set and click Add
6. Enter Server name, Server description and Time-out and click OK. The Server name must either be an IP address or a name that is resolvable in DNS
7. Enter the fully-qualified domain name (e.g. dmzad.local) and clear the option to Use Global Catalog
8. Enter the User name and Password of the user account that is used to lookup users in the DMZ Active Directory Domain
9. Click OK
10. Back on the Authentication Servers page, click New
11. Enter the Login expression and LDAP server set. The Login expression is the string that the users enters when they authenticate, is it usually in the form of a Active Directory login or an email address, for example:
         DMZAD\*
         *@dmzad.local
    Since we configured the MOSS LDAP connection the way we did, use *@dmzad.local
12. It is possible to create several login expressions for the same LDAP server set if you want to allow for more flexibility
13. Click OK
14. Click Close
15. Finally, Apply the changes

The next version of ISA Server is available online.

Overview:

Microsoft® Forefront™ codename “Stirling” is an integrated security system that delivers comprehensive, coordinated protection across endpoints, messaging and collaboration servers and the network edge that is easier to manage and control.

By delivering simplified management and providing critical visibility into threats, vulnerabilities, and configuration risks, Forefront codename “Stirling” helps reduce costs and achieve greater insight into the enterprise security state.

At release, “Stirling” will include:

• A central management console and dashboard for security configuration and enterprisewide visibility.
• The next-generation versions of Forefront products: the next generation of Forefront Client Security, Forefront Security for Exchange Server, Forefront Security for SharePoint and the Internet Security & Acceleration Server (to be renamed the Forefront Threat Management Gateway).
• Dynamic Response, an innovative Microsoft technology built into each component of “Stirling” that allows the entire system to share and use security information to dynamically respond to threats across multiple layers of the organization.

In part three we created an Alternate Access Mapping http://dmz.extranet.sharepointnotes.local/, and assigned them the public URL https://extranet.sharepointnotes.local.  This implies that our Extranet solution must support SSL from the client to the ISA Server, so let’s install the Stand-alone CA so we can issue some certificates:

1. The Cerficate Services are installed through Add/Remove Programs (Start -> Control Panel -> Add or Remove Programs)
2. Click Add/Remove Windows Components
3. Select Cerficate Services (remember to select both Certificate Services CA and Certificates Services Web Enrollment support)
4. Click Yes to continue and then Next
5. Select Stand-alone root CA and click Next
6. Enter the Common name for this CA and click Next 
7. Select where to place the Certificate Database files and click Next
8. Click Yes to stop the Internet Information Services 
9. If prompted, select Yes to enable ASP
10. Click Finish

Next, Let’s issue some certificates to extranet.sharepointnotes.local:

1. Point your browser to http://localhost/certsrv
2. Select Request a certificate
3. Submit an Advanced certificate request
4. Select Submit and submit an request to this CA
   • Name: the public name of the web site (extranet.sharepointnotes.local)
   • Type of Certificate Needed: Server Authentication Certificate
   • Mark keys as exportable
   • Store the certificate in the local computer store
   • Friendly Name: same as Name
5. Hit Submit
6. Select Yes to request a certificate
7. To issues the pending certificate, start Certification Authority (Start -> Administrative Tools -> Certification Authority)
8. Select Pending Requests
9. Right click the certificate and select All Tasks -> Issue
10. Point your browser once again to http://localhost/certsrv
11. Click View the status of a pending certificate request
12. Click the server certificate link
13. Select Install this certificate and Yes to confirm
14. The certificate is now installed in the Personal certificate store of the local computer

Export the certificate (skip this part if the certificates are already installed on the ISA Server):

1. Start a MMC console (Start -> Run -> mmc)
2. Add/Remove Snapp-in (File -> Add/Remove Snapp-in)
3. Click Add
4. Select Certificates and click Add
5. Select to manage the Computer account and click Next
6. Select to manage the Local computer and click Finish
7. Click Close and OK
8. Navigate to Personal Certificates (Console -> Certificates -> Personal -> Certificates)
9. Right click the certificate created above and select All Tasts -> Export
10. In the Certificates Export Wizard click Next
11. Export the private key and click Next
12. Make sure Include all certificates in the certification path if possible and Enable strong encryption is selected and click Next
13. Enter and confirm a Password and click Next
14. Select a path and file name and click Next
15. Click Finish and OK 
16. Copy the certificate file to the ISA Server

Import the certificate (skip this part if the certificates are already installed on the ISA Server)

1. On the ISA Server, perform steps 1 to 7 in the Export-section above
2. Navigate to Personal (Console -> Certificates -> Personal)
3. Right click Personal and select All Tasks -> Import
4. In the Certificates Export Wizard click Next 
5. Change the file type filter to All Files and browse to the location where the certificate is stored. Select the certificate and click Open and Next 
6. Enter the password if the certificate is password protected and click Next
7. Make sure the certificate is placed in the Personal certificate store and click Next
8. Click Finish and OK

In this post we will configure our Extranet Web Application to authenticate users in the Extranet Zone using LDAP.  However, not any LDAP server can be used since it must be supported by ISA Server 2006, so we are using a Active Directory in the DMZ.

The trick is to configure web.config files are the Central Administration IIS site as well as all IIS sites for that is part of the Extranet Web Application. When that is done, the Authentication Provider for the extended web application must be changed to use the new provider. Finally, we add some Site Collection Administrators and users.

Still with me? Good, let’s go!

Oh, BTW, the web.config for a SharePoint Web Application is normally located at this location:

     C:\Inetpub\wwwroot\wss\VirtualDirectories\xxx

where xxx is the directory for the Web Application. If the exact location is not known, use the Internet Information Services (IIS) Manager to locate it:

1. Start Internet Information Services (IIS) Manager(Start -> Administrative Tools -> Internet Information Services (IIS) Manager)
2. Navigate to <Server> -> Web Sites
3. Right-click the Web Application in question and select Properties
4. Select the Home Directory tab
5. The Local Path setting is the Web Application path

Step 1: Edit Web.config for Central Administration
Modifying the web.config for Central Administration is needed in order to add a Site Collection administrator or to add users in a Policy for Web Application.

1. Open Web.config for Central Administration
2. Between the </configSections> and <SharePoint>tags, create a LDAP connection string.
<connectionStrings>

  <add name=”ADConnectionString“

    connectionString=

      “LDAP://dmz.dmzad.local:389/CN=Users,DC=DMZAD,DC=local“/>

</connectionStrings>

3. Between <system.web> and <securityPolicy> tags add the following:
<membership defaultProvider=”LDAP“>
  <providers>
    <add
      name=”LDAP“
      connectionStringName=”ADConnectionString“
      connectionUsername=”DMZAD\administrator“
      connectionPassword=”password“
      enableSearchMethods=”true”
      attributeMapUsername=”userPrincipalName”
      type=”System.Web.Security.ActiveDirectoryMembershipProvider,
        System.Web, Version=2.0.0.0,
        Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a” />
  </providers>
</membership>
4. The settings in bold are provided as an example and are customizable. The settings must be changed to match the settings in your environment. Under normal circumstances these settings are the same as the ones used for the Extranet Web Application below.

Step 2: Edit Web.config for the Extranet Web Application
Modifying the web.config for Extranet Web Application is needed in order to add a Site Collection administrator or to add users in a Policy for Web Application. Modifying web.config for the extended web application (dmz.extranet.sharepointnotes.local) is necessary for authenticating external users. Modifying the web.config in the Default Zone will allow a site administrator in that zone to add users in the Extranet Zone.

1. Open Web.config for the (Extended) Extranet Web Application
2. Between the </configSections> and <SharePoint>tags, create a LDAP connection string.
<connectionStrings>

  <add name=”ADConnectionString“

    connectionString=

      “LDAP://dmz.dmzad.local:389/CN=Users,DC=DMZAD,DC=local“/>

</connectionStrings>

3. Between <system.web> and <securityPolicy> tags add the following:
<membership defaultProvider=”LDAP“>
  <providers>
    <add
      name=”LDAP“
      connectionStringName=”ADConnectionString“
      connectionUsername=”DMZAD\administrator“
      connectionPassword=”password“
      enableSearchMethods=”true”
      attributeMapUsername=”userPrincipalName”
      type=”System.Web.Security.ActiveDirectoryMembershipProvider,
        System.Web, Version=2.0.0.0,
        Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a” />
  </providers>
</membership>
4. Again, the settings in bold are provided as an example and are customizable. The settings must be changed to match the settings in your environment. Under normal circumstances these settings are the same as the ones used for Central Administration above.

Step 3: Change the Authentication Provider the Extranet Zone
Follow these instructions to chance the authentication provider:

1. Go to the Application Management section of Central Administration
2. In the Application Security section click Authentication Providers
3. Select the Extranet Web Application
4. Click the Extranet Zone
5. In the Authentication Type section select Forms
6. In the Membership Provider Name enter the same provider name that was used in step 1 and 2, for example LDAP
7. Click Save
8. Verify that the Membership Provider Name for the Extranet Zone has changed from Windows to the new name, for example LDAP

Step 4: Add Site Administrators
Follow these instructions to add LDAP user as a Site Administrator:

1. Go to the Application Management section of Central Administration
2. In the SharePoint Site Management section click Site collection administrators
3. In the Site Collection section select the Extranet Web Application
4. In the Secondary Site Collection Administrator add a user account from the DMZ Active Directory. Remember that the format is: *@dmzad.local
5.  Click OK

Site Collection administrators can also be added through the Site Settings interface:

1. Log on to http://extranet.sharepointnotes.local as a site administrator
2. Navigate to Site Actions -> Site Settings
3. In the Users and Permissions section click Site collection administrators
4. In the Site Collection Administrators section, add the user or group you want to add and select the Check Names-icon (or press CTRL+K). Verify that the user/group was found.

Step 5: Add Users to the Extranet Web Application
Follow these instructions to add users to the Extranet Web Application

1. Log on to http://extranet.sharepointnotes.local as a site administrator
2. Navigate to Site Actions -> Site Settings
3. In the Users and Permissions section click People and groups
4. Select the group that suite the user or groups of users you want to add
5. Select New -> Add users
6. In the Add Users section, add the user or group you want to add and select the Check Names-icon (or press CTRL+K). Verify that the user/group was found.
7. In the Give Permission section check the correct permission level is granted and click OK

This completes the configuration on the SharePoint site of thing. In the coming posts, we’ll install the Root CA, issue and install some certificates, create some ISA User Sets and finally publish the Extranet Web Application through ISA Server.

In part 2 of this series, we created and exended the Extranet Web Application. In this part we will configure the Alternate Access Mapping to be able to access the Web Application from multiple locations using the same URL.

1. Go to the Operations section of Central Administration
2. In the Global configuration section click Alternate access mappings
3. Click Add Internal URLs
4. Select the Extranet Web Application and the host header for the extended web application, in this case http://dmz.extranet.sharepointnotes.local
5. Assign the Internal URL to the Extranet zone and click Save

The Alternate Access Mappings should now be the following for the extranet.sharepointnotes.local Web Application:

I got this email today, stating that the External Collaboration Toolkit for SharePoint has been released. No big surprise, really, since it has been available on TechNet since February 28, but still good news:

I’m happy to announce that the External Collaboration Toolkit for SharePoint has been released and is now available on Microsoft TechNet at http://www.microsoft.com/collabkit. This accelerator helps you easily deploy a SharePoint-based external collaboration facility at your organization. Once this facility is in place, end users can quickly create a new collaboration site (using a SharePoint site collection) and add internal and external users to that site. Both these process can be workflow enabled so that an administrator must approve both site and user creation.

The toolkit runs on both MOSS 2007 and Windows SharePoint Services 3.0. It also leverages SQL Server 2005 and ADAM. All external users are created in the ADAM directory so they are segregated from your primary user store.

Thank you for your help during development of the External Collaboration Toolkit for SharePoint. If you have any questions, please let me know.

Bill Canning
Senior Program Manager
Solution Accelerators

I find it slightly odd that ADAM has been chosen as a user repository for an External solution since ISA Server 2006 does not support ADAM, not even when using LDAP. The people within Microsoft I have talked to about ISA/ADAM support cannot even confirm if ADAM is supported when the next version of ISA is released in Q1 2009.

Update: The previous post was a bit too complex. It has been modified a bit so now it should actually work  

Let’s create and extend the Extranet Web Application. Since we need to access it in three different ways, the web application will be extended so it covers two zones:

• Default Zone: extranet.sharepointntes.local. This zone is used for access by internal corporate users as well as services like search. Will use Windows authentication.
• Extranet Zone: dmz.extranet.sharepointnotes.local. This zone is used for external partners. Will use a DMZ AD for authentication

Step 1: Create the Extranet Web Application

1. In Central Administration navigate to Application Management 
2. In the SharePoint Web Application Management section select Create or extend Web application
3. Select Create a new Web application
4. In the IIS Web Site section opt to Create a new IIS web site and enter the required information, e.g:
   • Description: SharePoint Extranet – 80
   • Port: 80
   • Host Header: extranet.sharepointnotes.local
   • Path: use default
5. Keep the default selections for Security Configuration
6. In the Load Balanced URL change the URL to http://extranet.sharepointnotes.local (remove :80)
7. In the Application Pool section select to Create new application pool. Name the new application pool and enter user name and password.
8. In the Database Name and Authentication section, enter the Database server and  Database Name.Is is recommended not to accept the suggested database name, but rather to name your database something that is specific related to your Web Application, e.g WSS_Content_Extranet
9. Finally, select which Search Server that should be used if you have more than one
10. Click OK to create the Web Application.
11. Click Create Site Collection to create the site collection to be hosted by the new Web App. Use the template and quota settings that are applicable in your environment, This Web Application will be used to host an partner collaboration site, so the Collaboration Portal-template is used.
12. Once the Site Collection is created, test that it can be accessed using the Host Header name you specified when the Web Application was created

Step 2: Extend the Web Application to facilitate external access for partners

So far so good. Now we have the web application created and extended to use different zones. Next step is to use ISA Server 2006 to publish the Extranet for corporate users across the Internet.