MOSS 2007 + SSO + ISA 2006 + Office 2007 Clients Integration = ?


MOSS 2007 provides tight integration with Office 2007 client applications: you can open or create files from MOSS 2007 document libraries and save them straight back to the library (keeping a local copy in case you want to work offline). ISA 2006 offers Single Sign On (SSO), so you can embed or link other sites of yours (like OWA) on your SharePoint sites. One expects (or at least users do) that these “star” features work out of the box when a server is installed in a standard scenario, right?

Not quite so…

If you have tried it, you already know that some hacking is required to get all of that running.

I’ve been there… this is what you have to take into account to get the most out of your MOSS server:

Scenario

  • ISA 2006 as gateway / firewall / proxy, OWA as Exchange frontend, MOSS 2007, Office 2007 client applications running on XP (there is a problem on Vista with persistent cookies not being shared between applications; the bug is known and has been open since December 31st 2007, see here)
  • Access through https.
  • All servers belong to the AD domain (yes, ISA 2006 too) and there is a split DNS configuration running.
  • The MOSS 2007 application is already created.

Configuring MOSS 2007

Go to Central Administration, Application Management, Authentication Providers, select the Default Zone and set Authentication Type to Windows, Integrated Windows Authentication - NTLM, and Enable Client Integration to Yes.

Go to Central Administration, Operations, Alternate Access Mappings, edit Public Zone URLs and add your MOSS external URL to the Extranet and Internet Zones.
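The Alternate Access Mapping step can also be done from the command line with stsadm.exe, the MOSS 2007 / WSS 3.0 administration tool. The following PowerShell script is an added example, not code from the original post; the internal and external URLs are assumptions and the stsadm operations (addzoneurl, enumzoneurls) are the documented WSS 3.0 ones. It also lists the resulting zone URLs so you can check that the external https name really is mapped to both zones before publishing through ISA.

```powershell
# Added example (not from the original post): register the external URL as the
# public URL of the Extranet and Internet zones with stsadm.exe, the command-line
# equivalent of Central Administration > Operations > Alternate Access Mappings.
$stsadm      = "$env:CommonProgramFiles\Microsoft Shared\web server extensions\12\BIN\stsadm.exe"
$internalUrl = 'http://moss'                      # default zone URL of the web application (assumed)
$externalUrl = 'https://sharepoint.example.com'   # name published by ISA 2006 (assumed)

if (-not (Test-Path $stsadm)) { throw "stsadm.exe not found at $stsadm" }

foreach ($zone in 'Extranet', 'Internet') {
    & $stsadm -o addzoneurl -url $internalUrl -urlzone $zone -zonemappedurl $externalUrl
    if ($LASTEXITCODE -ne 0) { throw "addzoneurl failed for zone $zone" }
}

# Verify: the external https name must show up under Extranet and Internet.
# If it does not, links and Office client requests that arrive through ISA are
# rewritten to the internal name, which the clients cannot reach from outside.
& $stsadm -o enumzoneurls -url $internalUrl
```

Run it on the MOSS server as a farm administrator; stsadm.exe is not on the PATH by default, which is why the script uses the full path under the 12 hive.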

Configuring ISA 2006

Export the certificates for OWA and SharePoint (with the private key). Copy the exported certificate files to the ISA 2006 server, run MMC, add the Certificates snap-in for the Local Computer account and import both certificates into the Personal store.

On the ISA 2006 console, select the Firewall Policy and create a Web Listener from Toolbox, Network Objects, Web Listeners, New Web Listener. Select the external IP address for SharePoint, choose the option to assign one certificate per IP address, and bind the address to the corresponding certificate.

Once created, open the Listener and select HTML Form Authentication and Windows (Active Directory) on the Authentication tab. Select Allow users to change their password on the Forms tab. Click Advanced, enter a Cookie Name and select Use Persistent Cookies only on private computers. Select Enable Single Sign On on the SSO tab and enter your domain name. Add the external IP address for OWA on the Networks tab and bind it to the corresponding certificate on the Certificates tab.

Create a new SharePoint publishing rule from the Tasks tab. Select NTLM Authentication, set the listener to the one you just created, and confirm that Alternate Access Mapping is already configured. Once created, open the rule and select NTLM authentication on the Authentication Delegation tab.

Click OK and Apply.

IE

Open Tools, Internet Options, select Local Intranet on the Security tab, click Sites, Advanced, and add your SharePoint and OWA external names.
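The Sites, Advanced dialog writes its entries to the ZoneMap keys under the user's Internet Settings registry hive, so the same change can be scripted for a list of hosts instead of clicked through per machine. The following PowerShell script is an added example, not code from the original post; the host names are assumptions. It keeps the mapping to https only, which matches the scenario above, and reads the value back so you can check which zone a host ended up in. Local Intranet is the zone in which IE (and the Office clients that reuse its settings) answers an NTLM challenge with the logged-on user's credentials automatically, so only the names you publish yourself belong there.

```powershell
# Added example (not from the original post): add published host names to the
# Local Intranet zone by writing the ZoneMap keys that the Internet Options
# dialog uses, restricted to the https scheme.
$LocalIntranetZone = 1   # 0 My Computer, 1 Local Intranet, 2 Trusted, 3 Internet, 4 Restricted
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# ZoneMap stores host.domain.tld as Domains\domain.tld\host
function Get-ZoneMapKey {
    param([Parameter(Mandatory=$true)][string]$HostName)
    $parts = $HostName.Split('.')
    if ($parts.Count -lt 3) { throw "Expected a fully qualified host name, got '$HostName'" }
    $domain = $parts[1..($parts.Count - 1)] -join '.'
    return Join-Path (Join-Path $zoneMap $domain) $parts[0]
}

function Add-IntranetSite {
    param([Parameter(Mandatory=$true)][string]$HostName)
    $key = Get-ZoneMapKey -HostName $HostName
    New-Item -Path $key -Force | Out-Null
    # The value name is the scheme; its data is the zone number. Only https is
    # mapped, so a plain http request to the same name stays in the Internet zone.
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value $LocalIntranetZone -Force | Out-Null
}

function Get-SiteZone {
    param([Parameter(Mandatory=$true)][string]$HostName)
    $key = Get-ZoneMapKey -HostName $HostName
    if (Test-Path $key) { return (Get-ItemProperty -Path $key).https }
    return $null
}

# Host names below are assumptions; use the external names published on ISA.
foreach ($h in 'sharepoint.example.com', 'owa.example.com') {
    Add-IntranetSite -HostName $h
    '{0,-28} https zone = {1}' -f $h, (Get-SiteZone -HostName $h)
}
```

Run it in the context of the user whose IE settings you want to change (the keys live under HKCU); if the names already appear in the Sites, Advanced dialog, Get-SiteZone returns 1 for them.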

Client connection

When users open your SharePoint site, the ISA 2006 authentication form is displayed. They have to select I am on a private computer, because that is the option for which the listener issues the persistent cookie that the Office client applications reuse.

Ref: http://www.anguas.com/?p=40