SharePoint - MOSS Basic Auth. with SSL extended with Integrated Auth.

Asked By Miguel

25-Jan-08 05:24 PM

Hi,

I have a MOSS site using Basic Auth with SSL. Reason why I have this so I
don't have to enter DOMAIN\USERNAME everytime. Now I only have to enter the
username & password. I extended and map this site to Integrated auth on a
different web app so that I will be able to make search work.
http://www.kevincornwell.com/blog/index.php/windows-sharepoint-services-wss-30-search-setup-notes/ .

Now my problem is when I open a site such as http://abc.web.com/marketing,
it prompts for login but never accepts it. I notice when I cancel the login
prompt, it doesn't opens the images located in marketing/_layouts/images. I
can go on other pages in marketing. I'm able to open sub-sites under
marketing site.

I checked the main site in IIS, the _layouts folder (basic); the extended
site _layouts folder (integrated). So they both look fine. I just don't know
what am I missing in my configuration. no error related to the issue on the
logs.

25-Jan-08 05:59 PM

Did you make certain that the extended web app with Windows Integrated
authentication is the *Default* zone?  I had that problem once and found
that I'd forgotten to make that extended web app the default.  Search only
searches the Default zone, at least in my experience.

That's why you should always do the alternate authentication thing on a zone
other than default.

If default isn't the problem, then I'm out of ideas. ; )

-callahan

25-Jan-08 11:26 PM

yes, extended site is in default zone of AAM and basic site is on intranet
zone.

26-Jan-08 12:24 AM

Hmm, is it possible to have the web app have the windows integrated
authentication, and use the extended web app for the alternate, forms based
authentication?  I had one situation, now that I am home and had time to
think about it, where that worked for me.

Using forms based authentication has not been a hot topic for me in my area
though, so maybe there are others whose clients or business use it more than
I?

-callahan

27-Jan-08 01:46 AM

Hi Miguel -

A couple of comments...

1. The blog article you referenced has some instructions that I'm not
comfortable recommending because it creates a schism between your AAM
settings, authentication settings, and IIS settings.  Sometimes such a
schism is necessary, but this doesn't appear to be one of those times.
2. It's unclear whether http://abc.web.com/marketing is currently associated
with a zone that is configured for Basic vs. NTLM, and if you followed the
advice of #1, the URL may not even match the zone.  That said, if it's
configured for Basic authentication, then the authentication prompts you are
seeing would be expected if you were pointing to the _layouts/images
directory off of a subpath (<img src="/marketing/_layouts/images/foo.gif"
/>) rather than directly off the root (<img src="/_layouts/images/foo.gif"
/>).  All links to content in the _layouts/images directory should point to
it off the root (/_layouts/images).  Did you put content in there that is
trying to reference an image from the subpath or was that content
auto-generated by SharePoint?

- Troy Starr [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

27-Jan-08 07:30 PM

https://abc.web.com/ (basic auth) is under the intranet zone and
http://servername:9000/ (integrated auth.) on default zone.

all contents in the _layouts/images are default images (auto-generated).

28-Jan-08 05:17 PM

Miguel,

I wonder.  Is there anyway you could put the integrated authentication on
port 80? Such as http://servername:80?  Since the first one is on a host
header on that port, you can afford to have servername on that port as well.

I am just throwing it out there, because having the integrated
authentication on the web app at servername:80, and forms based on the host
headered extended web app is what works for me.  So if you're still having
problems, that's what I would try.

I'm sorry we're not hitting the solution right away... sometimes these
things take time (or a reinstall, lol).

-callahan

28-Jan-08 05:31 PM

I am not using port 80. I currently have http://servername:3000 which has the
integrated and the main site with SSL is using only basic not FBA.

28-Jan-08 10:19 PM

Gotcha. I only brought it up because you might be able to test it to see if
that helps, and the fact that it worked for me.

And I apologize, for some reason I thought you were doing FBA...

I know this may be a silly question, but do you have the SSL site set up in
AAM as https instead of http? It's an easy error to make, and that could
cause problems. Also, another way to test is to set up both http and https
addresses in AAM for the web app, make sure SSL is allowed but not required.
Then try running a crawl and seeing if it works, and if any errors show up
in the logs. (just trying to make absolute sure that basic is the problem
with crawling the SSL site, before continuing to try to force the integrated
one to work)

Understand, I have not run into your issues as you've described them.  So at
this point I am just trying to offer suggestions. : )

-callahan

29-Jan-08 11:54 AM

What I noticed so far, the problems are the images under the
subsite/_layouts/images. I tried accessing any images(of the _layouts/images)
directly from the top level site
(http://abc.web.com/_layouts/images/attach.gif) and it opens fine. But
accessing from the subsites
(http://abc.web.com/marketing/_layouts/images/attach.gif) will just keep on
prompting for login.

29-Jan-08 01:42 PM

?!  That bites.  It makes no sense.  If the authentication issue is at the
web application level, and the top-level site works, then the lower level
sites should work as well...

Let me confirm though-- you have two problems, yes?  One is searching
content on the Basic site.  You extended a web app.  Did that help fix that
issue?

With the images issue-- the one where the subsite is having problems-- I
know it was autocreated, you mentioned that, but did you change any of the
permissions while trying to get search to work?  The reason I ask this is,
again, I've never had these issues, nor can I find anyone else with this
problem discussing it in the newsgroups.  So I am wondering if it was a
change made early on and forgotten. Like messing with the virtual
directories or something...

I'm sorry Miguel, but it's looking like you are having a problem that might
require more than a quick fix... and although I will try to help, even if
I've never seen that exact problem before, chances are good that others are
not responding because they haven't seen it before either and can offer no
advice. And if we, collectively, cannot help, there may be not much more we
can do here.

If you do get it fixed (you have a "Eureka" moment or you put in a call to
MS), please let us know how.  Just because it's new to everyone here now
doesn't mean it won't happen to someone else in the future.

Thanks,
-callahan

29-Jan-08 03:09 PM

(1) searching content on basic site: works fine
(2) did not touch any permissions on the _layouts/images folder, it's all
default permissions

I tried accessing the image directly works for both toplevel and subsites on
the INTEGRATED web app. (DEFAULT AAM)
http://scxssp02:30000/_layouts/images/attach.gif  and
http://scxssp02:30000/marketing/_layouts/images/attach.gif

but using the site name (basic auth with ssl, in CUSTOM AAM)
toplevel site:
http://abc.web.com/_layouts/images/attach.gif this opens fine;
subsites:
http://abc.web.com/marketing/_layouts/images/attach.gif which prompts for
credentials but never works

29-Jan-08 05:17 PM

I finally fixed it. The culprit is the authentication on the images virtual
directory under the layouts of the basic site. It shows anonymous access and
integrated.
SOLUTION:
1. In IIS, open the web application, expand the _layouts, right click on the
images virtual directory and select properties
2. Click on Directory Security tab and click Edit button under the
Authentication and access control.
3. Uncheck the enable anonymous access and integrated windows authentication.
4. Check the Basic Authentication.

Open the sites having the issue, no more authentication prompts.

29-Jan-08 07:21 PM

Woo hoo!!

Congrats on fixing it.  It's troubling though that authentication on the
directory under layouts was set with the wrong authentication, without human
intervention.  It
looks likely that it could easily be a problem for someone using Basic
authentication in the future.

I'm glad it worked out.
-callahan

29-Dec-09 05:19 AM

Many thanks for that hint, Miguel!