IAG 2007 and SharePoint ECTS – UPN logon format not supported

Posted on 01/08/2008 by ee61re

The External Collaboration Toolkit for SharePoint (ECTS) is something I’m using at the moment to provide Extranet capabilities for a SharePoint 2007 farm.

ECTS uses an Active Directory Application Mode (ADAM) instance to store credentials for external users, and it registers those users by taking their email address as their user name, e.g. joe@bloggs.com.

I am using an Intelligent Application Gateway (IAG) appliance to publish the extranet site to the Internet, but I was having some problems getting the authentication to work for the external users.

On the IAG, I created an authentication repository for ADAM, and it seemed to work fine, plus I could connect using LDP.exe from the IAG to ADAM.

However, when an external user was authenticating, the IAG was logging a failure to authenticate, with the phrase ‘Missing Credentials’ involved.

A PSS call later, it transpires that IAG does not currently support UPN logons, without a lot of customisation.  Out of the box, it is only designed to handle domain\username type of logons.

Waiting to hear back about the nature of the customisation required, but in the meantime, I’ve configured IAG to not authenticate, but instead just perform the session validation, then display the normal SharePoint logon form.  Not as secure as I wanted, but it works.

This entry was posted in IAG, SharePoint and tagged , , , , . Bookmark the permalink.

3 Responses to IAG 2007 and SharePoint ECTS – UPN logon format not supported

  1. Dave says:
    01/10/2008 at 15:45

    Not sure if you solved this but I just deployed IAG with ECTS successfully.

    The trick was to set the of the ADAM repository type in your RepositoryType.xml on the IAG to the same value as the ADAM SharePoint membership provider in your web.config file. In my case I used ‘cn’, and it works perfect.

    Dave

    Reply
  2. ee61re says:
    01/10/2008 at 15:54

    Dave – can you please confirm the exact steps and changes you made, so I can test on our environment? Are you using peoples SMTP addresses as their ECTS logins?

    Thanks

    Rob

    Reply
  3. Dave says:
    07/10/2008 at 14:41

    Hi Rob,

    I installed ECTS as per the documentation and test/validated the installation. I created an external user and approved it. I then created the custom ADAM Repository on the IAG as per: http://www.ssl-vpn.de/wiki/(X(1)S(abexdgetfrzhga55u3fbcg55))/How%20to%20interface%20with%20ADAM.ashx

    I then changed the LoginNameAttr to cn which is what ECTS also uses. That did the trick: Matching the 2 attributes used for the login name. Drop me an e-mail if you need any more details.

    Dave

    Reply

Leave a comment