
This has me beat...

We have Microsoft Dynamics with a SharePoint Business Portal interface using SharePoint Services 3.0. I'm trying to configure the SharePoint interface to accept basic auth, so that reverse proxying works. I've found a couple of places that need changes, both in SharePoint and IIS, but whenever I switch it over, certain pieces of Business Portal start to error out - things like the project communicator and expense reports section. Basically, it looks like anything that appears in an IFRAME doesn't work.

While we don't use these pieces yet, we will, so this is basically a showstopper for me.

So far I've tried:

  • just changing IIS from integrated to basic
  • changing IIS and the SharePoint config for the site to basic
  • configuring the reverse proxy to present authentication the way that IIS expects with integrated auth enabled (i.e. <domain>\<user>)

I'm hesitant to try bringing up another duplicate site (a best practice I read in a SharePoint book) to support both integrated and basic, but I don't fully understand how SharePoint works, and I'm loath to break it again. Additionally, since I can't make the one we have work the way I want, I'm skeptical I'll be able to do so for an additional site.

Anyone have any magic that might help me out of this?

Edited to include the error below:
Error:

Connector:Unspecified HTTP error. HRESULT=0x800A1518 - Client:An unanticipated error occurred during the processing of this request. HRESULT=0x800A1518 - Client:Sending the Soap message failed or no recognizable response was received HRESULT=0x800A1518 - Client:Unspecified client error. HRESULT=0x800A1518

faultcode=Client

faultstring=Connector:Unspecified HTTP error.

faultactor=

detail=Connector:Unspecified HTTP error. HRESULT=0x800A1518 - Client:An unanticipated error occurred during the processing of this request. HRESULT=0x800A1518 - Client:Sending the Soap message failed or no recognizable response was received HRESULT=0x800A1518 - Client:Unspecified client error. HRESULT=0x800A1518

Devnull

1 Answer


You probably need to enable Kerberos and delegation.

The second link talks about delegation, which is what you will use to send the user's login token from SharePoint to MS Dynamics.

You can also take a look at Ken Schaefer's IIS (Internet Information Services) and Kerberos FAQ. These articles are excellent.

Christopher_G_Lewis
  • I'm very hesitant to do that. When users access the page now, with Windows Integrated auth enabled, but do so externally via HTTP auth, the site works normally. Based on this I strongly suspect there's a way to handle the problem without involving the complexity of Kerberos. – Devnull Sep 18 '09 at 20:03
  • Well, yes, Basic authentication always works with delegation since you're passing a plain text password to the server. Because the IIS server has the password, it can then log in to Dynamics as the user with that plain text password. With WIA, the server doesn't have the password, so the second hop doesn't work. Google "double hop authentication" and you'll realize that this is one of the key strengths of Kerberos. – Christopher_G_Lewis Sep 23 '09 at 22:13
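
The double-hop behaviour described in the last comment, as an added example that is not part of the original thread: a toy challenge-response model showing that a front end holding the password can answer the back end's fresh challenge, while one holding only the browser's proof cannot. The HMAC scheme, the sample account and all function names are assumptions made for illustration; this is not real NTLM, IIS or Dynamics code.

```python
import hashlib
import hmac
import os

# Constructed sample account; stand-in for the domain's account database.
ACCOUNTS = {"CONTOSO\\alice": "correct horse"}

def key_from_password(password):
    # Simplified stand-in for a password-derived key (not the real NTLM derivation).
    return hashlib.sha256(password.encode()).digest()

def respond(key, challenge):
    # Proof of knowing the key, bound to one specific challenge.
    return hmac.new(key, challenge, hashlib.sha256).digest()

def verify(user, challenge, response):
    # What any server (via the domain) does to check a challenge-response login.
    if user not in ACCOUNTS:
        return False
    expected = respond(key_from_password(ACCOUNTS[user]), challenge)
    return hmac.compare_digest(expected, response)

def front_end_basic(user, password):
    """Basic auth: the front end receives the password itself."""
    key = key_from_password(password)
    c1 = os.urandom(16)
    first_hop = verify(user, c1, respond(key, c1))
    # Second hop: the back end issues its own fresh challenge; the front end
    # can answer it because it holds the password.
    c2 = os.urandom(16)
    second_hop = first_hop and verify(user, c2, respond(key, c2))
    return first_hop, second_hop

def front_end_integrated(user, browser):
    """Integrated auth: the front end only sees the browser's answer to c1."""
    c1 = os.urandom(16)
    proof = browser(c1)
    first_hop = verify(user, c1, proof)
    # Second hop: the back end's challenge c2 differs from c1, and the front
    # end has no key, so the only thing it could send is the old proof.
    c2 = os.urandom(16)
    second_hop = first_hop and verify(user, c2, proof)
    return first_hop, second_hop

def make_browser(password):
    # The browser keeps the password and answers challenges locally.
    key = key_from_password(password)
    return lambda challenge: respond(key, challenge)
```

Each function returns a pair `(first_hop_ok, second_hop_ok)`; with the correct password the basic path yields `(True, True)` and the integrated path `(True, False)`.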