Microsoft SharePoint Server and Authentication modes on the ProxySG


Article ID: 168247


Products

ProxySG Software - SGOS

Issue/Introduction

Depending on the authentication mode used for a SharePoint deployment on the ProxySG, it will be necessary to change the authentication mode to resolve the error "file is read only".

Cause

This is related to how the Microsoft SharePoint Server is deployed (HTTP or HTTPS) and it’s advisable to review the Microsoft Support website in the first instance.

Resolution

From a proxy perspective, we can do the following:

1.  Disable Authentication to the SharePoint Server.

2.  If the SharePoint Server has been set up for NTLM authentication: NTLM authentication is designed to take place between the client and server (a point-to-point protocol) with no intermediary terminating device, such as a proxy. If the SharePoint Server supports both NTLM and BASIC authentication, then the browser can still successfully authenticate while proxied by using BASIC authentication.

3.  If your particular authentication mode does not work or you get the error mentioned above, it will be necessary to authenticate the user with a different mode in order for authentication to work properly. To address the problem, use the “Proxy-ip” authentication mode instead of the “proxy” authentication mode. NOTE: This example does not bypass authentication.

• Proxy: The ProxySG uses an explicit proxy challenge. No surrogate credentials are used. This is the typical mode for an authenticating explicit proxy. In some situations proxy challenges do not work; origin challenges are then issued.

• Proxy-IP: The ProxySG uses an explicit proxy challenge and the client's IP address as a surrogate credential. Proxy-IP could possibly specify an insecure forward proxy.

Please see ProxySG Authentication Modes explained for a list of the authentication modes available for use.

This example assumes that you already have policy in place to authenticate users.  It also assumes that the authentication mode used is “proxy”.  The following steps will help you create a second authentication object that uses a different authentication mode than the one currently configured.  In this example, any SharePoint traffic will be authenticated using the “proxy-ip” mode instead of the “proxy” mode.

A.)  Open the Management Console on the ProxySG (https://<ip.address.of.proxysg>:8082/)
B.)  Click on the Configuration tab > Policy > Visual Policy Manager > Launch
C.)  Click on the Web Authentication Layer.  Add a new rule above the current authentication rule that is causing problems.
D.)  In the Destination column, right click and select Set... > New... > Destination Host/Port... and complete the “host” details.  Click on the "Add" button and then click OK.
E.)  Right click in the Action column, select Set... > New... > Authenticate..., give it a meaningful name (ShareAuth), select your realm, and change your mode to “Proxy-ip”.  Click on the OK button twice.  Install policy.  NOTE:  You may not be using proxy-ip and proxy.  Select the appropriate authentication mode as needed for your environment.  Please see 000012964 for a list of the authentication modes available for use.
F.)  Test and make sure the problem is resolved.

NOTE:  The Web Access layer does not need any new rules because the request is still being authenticated.  It is just using a different mode of authentication.
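
The rule built in steps A to F, written by hand as CPL. This is an added example and not part of the original article or output copied from the VPM. The realm name `corp_realm` and the host `sharepoint.example.com` are placeholders for your own values.

```cpl
; Added example: hand-written CPL equivalent of the Web Authentication
; Layer after steps A-F. "corp_realm" and "sharepoint.example.com" are
; placeholders, not values from the article.
<Proxy>
    ; New rule (steps C-E). Rules in a layer are evaluated top-down and
    ; the first match is used, so this must sit above the general rule.
    ; The host condition keeps proxy-ip, which uses the client's IP
    ; address as a surrogate credential, limited to SharePoint traffic.
    url.host=sharepoint.example.com authenticate(corp_realm) authenticate.mode(proxy-ip)

    ; Existing rule, unchanged: all other traffic keeps the explicit
    ; proxy challenge with no surrogate credential.
    authenticate(corp_realm) authenticate.mode(proxy)
```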