This is an update to the UAG Integration blog post we wrote back in June 2012.
As you will note below, there are some significant changes to how we now recommend configuring Forefront UAG. Most of them stem from the fact that our previous recommendation either did not work at all or prevented users from opening SharePoint documents directly in Office applications. We now recommend using the default SharePoint 2010 application type; the drawback is that you will have to modify the default UAG files in order to make UAG work with the custom Extradium 2010 sign-in form (/_layouts/exs/login.aspx).
- First of all, download Extradium for SharePoint 2010 (you might have to register if you haven’t done so already).
- Next, install Extradium 2010 in your SharePoint environment (by following the instructions in our Extradium 2010 Quick Start Guide).
- Navigate to the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\ADMIN\XtrashareAdmin folder and grab the Extradium_UAG.zip archive.
- Move and unzip Extradium_UAG.zip onto your UAG server. The structure of the unzipped folder follows the exact same structure as the UAG product, starting from the UAG installation folder (usually C:\Program Files\Microsoft Forefront Unified Access Gateway).
- Copy the Extradium.inc file from the von\InternalSite\inc\CustomUpdate folder to the corresponding UAG folder (C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate).
This file is responsible for authenticating the user on the UAG login screen and calls the Authentication.asmx web service.
- Edit the Extradium.inc file and, on line 22, replace the highlighted value with the URL of the SharePoint zone where FBA will be enabled: strSharePointFBAWebAppUrl = "https://extranet.company.com"
- Edit the FormLogin.xml file from the C:\Program Files\Microsoft Forefront Unified Access Gateway\von\Conf\WizardDefaults\FormLogin folder and identify the SharePoint14AAM section (we strongly recommend that you back up the FormLogin.xml file before updating it).
- Comment out the <PRIMARY_HOST_URL> tag and insert the following one instead:
- Next, before the closing </LOGIN_FORM> tag, insert the following 2 <CONTROL> tags:
- Save and close the FormLogin.xml file.
- Navigate to the C:\Program Files\Microsoft Forefront Unified Access Gateway\von\Conf folder, edit the FormLoginDataDefinitions.xml file and identify the FormLoginSubmitSP14AAM script section.
- Right below the following lines:
insert the following lines:
var submitbtn = document.getElementById('ctl00_PlaceHolderMain_ucLogin_loginControl_btnLogin');
- Save and close the FormLoginDataDefinitions.xml file.
Note: these two files (FormLogin.xml and FormLoginDataDefinitions.xml) are responsible for Single Sign-On. They work both with the Extradium sign-in page (/_layouts/exs/login.aspx) and with the default SharePoint forms sign-in page (/_forms/default.aspx). However, in a mixed authentication scenario (where both Windows and FBA authentication schemes are enabled on the same zone) and when the default sign-in page is used (not the Extradium one), the user will first have to select her authentication method (Windows or Forms). In that case only, once Forms is selected, the SSO script is triggered and the user is seamlessly redirected to the SharePoint site.
- Next, open the Forefront UAG Management console and select the trunk through which the SharePoint Extranet site will be available.
- In the Trunk Configuration section, press the Configure button:
- Select the Authentication tab and press the Add button:
- In the Authentication and Authorization Servers window, press the Add button:
- In the Add Authentication Server window, select Other and type Extradium in the Server name text box:
Note: the “Extradium” server name MUST match the name of the Extradium.inc file as mentioned in point #5 above, so if you want to pick another name (which will appear in the UAG login screen), you should rename the Extradium.inc file accordingly.
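Before activating the trunk, it is worth verifying that the hand edits above are consistent with each other: the authentication server name must match the .inc file name, the FBA URL must be set, and the two edited XML files must still parse. The following script is an added example (it is not part of the original post or of the Extradium product) that performs those checks read-only on the UAG server. The paths are the defaults named above; the backup file name FormLogin.xml.bak is an assumption of the script, as is the use of .NET file reads so that it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example, not code from the original post or the Extradium product:
# read-only sanity check of the UAG-side edits, to run before pressing Activate.

function New-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

function Test-WellFormedXml {
    # A hand-edited XML file that no longer parses is the most common way to break a trunk.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    try   { $null = [xml]([System.IO.File]::ReadAllText($Path)); return $true }
    catch { return $false }
}

function Test-ExtradiumUagConfig {
    param(
        [string]$UagRoot        = 'C:\Program Files\Microsoft Forefront Unified Access Gateway',
        [string]$AuthServerName = 'Extradium',                # must equal the .inc file name
        [string]$FbaWebAppUrl   = 'https://extranet.company.com'
    )

    $incPath = Join-Path $UagRoot ("von\InternalSite\inc\CustomUpdate\{0}.inc" -f $AuthServerName)
    $formXml = Join-Path $UagRoot 'von\Conf\WizardDefaults\FormLogin\FormLogin.xml'
    $dataXml = Join-Path $UagRoot 'von\Conf\FormLoginDataDefinitions.xml'
    $checks  = @()

    # 1. The server name typed in the UAG console must match the .inc file name.
    $checks += New-Check 'Auth server .inc file present' (Test-Path $incPath) $incPath

    # 2. strSharePointFBAWebAppUrl in the .inc must point at the FBA-enabled zone.
    $urlOk = $false
    if (Test-Path $incPath) {
        $inc     = [System.IO.File]::ReadAllText($incPath)
        $pattern = 'strSharePointFBAWebAppUrl\s*=\s*"' + [regex]::Escape($FbaWebAppUrl) + '"'
        $urlOk   = [regex]::Match($inc, $pattern).Success
    }
    $checks += New-Check 'strSharePointFBAWebAppUrl set' $urlOk $FbaWebAppUrl

    # 3. A backup of FormLogin.xml exists (assumed naming: FormLogin.xml.bak).
    $checks += New-Check 'FormLogin.xml backup present' (Test-Path "$formXml.bak") "$formXml.bak"

    # 4. Both edited XML files still parse.
    $checks += New-Check 'FormLogin.xml well-formed' (Test-WellFormedXml $formXml) $formXml
    $checks += New-Check 'FormLoginDataDefinitions.xml well-formed' (Test-WellFormedXml $dataXml) $dataXml

    # 5. The SSO edit (the btnLogin lookup) is present in FormLoginDataDefinitions.xml.
    $ssoOk = $false
    if (Test-Path $dataXml) {
        $data  = [System.IO.File]::ReadAllText($dataXml)
        $ssoOk = $data.Contains('ctl00_PlaceHolderMain_ucLogin_loginControl_btnLogin')
    }
    $checks += New-Check 'SSO submit-button lookup present' $ssoOk $dataXml

    return $checks
}

# Usage: run from an elevated PowerShell prompt on the UAG server.
$report = Test-ExtradiumUagConfig
$report | Format-Table Check, Passed, Detail -AutoSize
if ($report | Where-Object { -not $_.Passed }) {
    Write-Warning 'Fix the failed checks before activating the configuration.'
}
```

If you renamed the authentication server, pass the new name with -AuthServerName so that check 1 looks for the matching .inc file; a failure there is exactly the mismatch the note above warns about.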
- Press OK. In the Authentication and Authorization Servers window, select Extradium and press Select:
- Press Close and OK to close all the windows and go back to the main trunk screen.
- In the Applications section, press Add:
- Press Next and in the following window, select Microsoft SharePoint Server 2010 and press Next:
- In Step 2 – Configure Application, enter an application name (for instance, “SharePoint Extranet” – this is the name of the application that will appear on the UAG home page) and press Next.
- In Step 3 – Select EndPoint Policies, adjust the policies as shown below and press Next.
- In Step 4, select the option that matches your SharePoint farm deployment (in the next screens, we assume that we chose the first option – Configure an application server) and press Next.
- In Step 5 – Web Servers, enter in Addresses the internal URL of the SharePoint zone where Extradium FBA is enabled, its HTTP and HTTPS ports and, in Public host name, the public URL that external users will use:
To be accurate, Extradium FBA was activated on the (internal) https://sp2010.company.com url:
An https://clients.company.com Alternate Access Mapping was then added to the Extranet zone:
Last, but not least, a clients.company.com host name was manually added to the sp2010.company.com IIS site:
Note that this is necessary even if internal users may not be able to access the site via https://clients.company.com.
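The SharePoint and IIS side of this step can be scripted and verified rather than clicked through. The script below is an added example (it is not part of the original post) that uses the SharePoint 2010 and WebAdministration cmdlets to add the Extranet zone mapping and the IIS host header if they are missing, then lists what is in place. The URLs are the post's own example values, and the IIS site name sp2010.company.com is an assumption; run it in the SharePoint 2010 Management Shell on a farm server and adjust the parameters to your farm.

```powershell
# Added example, not code from the original post: script the AAM and IIS binding
# described in Step 5 and report the result. Values are assumptions; adjust them.
param(
    [string]$InternalUrl = 'https://sp2010.company.com',   # zone where Extradium FBA is enabled
    [string]$PublicUrl   = 'https://clients.company.com',  # what external users type; UAG's public host name
    [string]$IisSiteName = 'sp2010.company.com'            # IIS site backing that zone (assumed name)
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$publicHost = ([uri]$PublicUrl).Host
$wa = Get-SPWebApplication -Identity $InternalUrl

# 1. Alternate Access Mapping: the public URL belongs on the Extranet zone of the FBA web application.
$aam = Get-SPAlternateURL -WebApplication $wa | Where-Object { $_.IncomingUrl -eq $PublicUrl }
if (-not $aam) {
    New-SPAlternateURL -WebApplication $wa -Url $PublicUrl -Zone Extranet | Out-Null
    $aam = Get-SPAlternateURL -WebApplication $wa | Where-Object { $_.IncomingUrl -eq $PublicUrl }
}
if ($aam.Zone -ne 'Extranet') {
    Write-Warning "$PublicUrl is mapped to the $($aam.Zone) zone, not Extranet"
}

# 2. IIS host header: UAG forwards the request with Host: clients.company.com (the wizard is
#    told NOT to replace the host header), so the FBA site must answer for that name even
#    though internal users never browse to it.
$binding = Get-WebBinding -Name $IisSiteName -Protocol https |
           Where-Object { $_.bindingInformation -like "*:443:$publicHost" }
if (-not $binding) {
    New-WebBinding -Name $IisSiteName -Protocol https -Port 443 -HostHeader $publicHost -IPAddress '*'
}

# 3. Report what is configured so it can be compared with the UAG wizard entries.
Get-SPAlternateURL -WebApplication $wa | Format-Table Zone, IncomingUrl, PublicUrl -AutoSize
Get-WebBinding -Name $IisSiteName | Format-Table protocol, bindingInformation -AutoSize
```

On IIS 7.x, HTTPS bindings on the same IP address and port share one certificate, so the certificate already bound to port 443 on that site is the one presented for the new host header as well; check that it covers the public host name if UAG validates the back-end certificate.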
- Do NOT check the “Replace the host header with the following” check box and press Next.
- In Step 6 – Authentication, check Use SSO, press the Add button, select the Extradium Authentication Server, and press the Select button. In Select authentication method, select Both, check “Allow rich clients to bypass authentication trunk” and “Use Office Forms Based Authentication for Office clients applications” and press Next:
- You may see the following pop-up window appear. Don’t worry about it and just press Yes.
- In Step 7, adjust the application’s parameters to your liking (such as check “Open in a new window”) and press Next.
- In Step 8 – Authorization, leave Authorize all users checked and press Next.
- Press the Finish button.
- Back in the UAG Management Console, press the Activate button in the top navigation bar (as shown below):
This launches the activation wizard. Once the activation wizard has completed, you can test UAG again.
Note: you can monitor the actual update process in the Forefront TMG console under Monitoring > Configuration. In that screen, wait until the UAG server(s) are marked as synced before proceeding with your tests:
- Browse to the external URL of your SharePoint site (https://clients.company.com in my case). The UAG login page should now look like the following screenshot. Enter the credentials of an Extradium user (for instance, the admin user) and press the Log On button:
- The home page of UAG now displays the SharePoint Extranet application:
After selecting the SharePoint Extranet link, the following page should briefly appear (this is where the Single Sign On is happening):
- Last, the home page of the SharePoint Extranet should appear! (below is a screenshot when the portal is launched inside the UAG page).
You will also notice that users who open Office documents from the site should not have to authenticate again with Internet Explorer, but they might have to authenticate against ForeFront UAG when launching the Office documents from other browsers (such as FireFox):
Once again, to get those UAG scripts, you must download Extradium for SharePoint 2010, install it on a SharePoint server and grab the scripts from the Extradium_UAG.zip archive in the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\ADMIN\XtrashareAdmin folder.