Configuring Citrix ADC for Single Sign-on to Claims-Based SharePoint 2010 Web Servers

Article ID: CTX200955

Description

This article describes how to configure Citrix ADC to perform Single Sign-on (SSO) to claims-based SharePoint 2010 web servers, so that users can edit Word documents inline from the web browser without adding the site to the browser's Trusted Sites zone.

Prerequisites

  • Citrix ADC version 10.1 or later

  • SharePoint 2010 web server with forms-based authentication configured for the claims-based web application, as described in:

Claims Walkthrough: Creating Forms-Based Authentication for Claims-Based SharePoint 2010 Web Applications Using ASP.NET SQL Membership and Role Providers

  • Citrix ADC Load Balancing service object or objects created for the real IP addresses of the SharePoint servers (service name sp and IP address 10.217.28.45 in the example below).

Instructions

The following steps describe the SSO flow from Citrix ADC AAA-TM (authentication, authorization and auditing for traffic management) to the SharePoint server, and the inline editing of Word documents from the web browser:

  1. A Content Switching (CS) virtual server fronts two Load Balancing (LB) virtual servers, each load balancing the same SharePoint service. One LB virtual server has authentication set to ON; the other has authentication set to OFF.

  2. The user's first request reaches the CS virtual server and is switched to the LB virtual server with authentication ON.

  3. That LB virtual server redirects the user to the authentication page, where the user submits logon credentials.

  4. The authentication virtual server redirects the user back to the LB virtual server, SSO to the SharePoint server is performed, and the user sees the SharePoint site.

  5. The user navigates to a folder, say "Shared documents", right-clicks a document and selects "EDIT".

  6. The client launches an Office mini-browser, which sends an OPTIONS request for that folder.

  7. This OPTIONS request carries no cookies, so it arrives as an unauthenticated request.

  8. This is where the responder on Citrix ADC comes in. A responder policy is bound to the LB virtual server with authentication OFF. The CS policy rule sends a request to that LB virtual server only when it is an OPTIONS request that carries no cookie and belongs to no authenticated session; every other request goes to the LB virtual server with authentication ON.

  9. The responder action makes Citrix ADC answer with an HTTP 403 carrying the SharePoint forms-authentication headers (X-Forms_Based_Auth_Required and X-Forms_Based_Auth_Return_Url) that point the mini-browser at the logon page.

  10. The mini-browser follows those headers to the Citrix ADC authentication page, and the user logs on a second time.

  11. After this logon the mini-browser returns to the LB virtual server with authentication ON, now with the proper cookie. A second SSO to the SharePoint server is performed and the document opens for inline editing.

Configuration

  1. LB virtual server and CS virtual server configuration

    add lb vserver lb_auth_ON HTTP 0.0.0.0 0 -AuthenticationHost auth.nsi-test.com -Authentication ON -authnVsName av1
    add lb vserver lb_auth_OFF HTTP 0.0.0.0 0
    add service sp 10.217.28.45 HTTP 600
    bind lb vserver lb_auth_ON sp
    bind lb vserver lb_auth_OFF sp
    
    add cs action act_auth_ON -targetLBVserver lb_auth_ON
    add cs action act_auth_OFF -targetLBVserver lb_auth_OFF
    add cs policy pol_auth_ON -rule "http.req.hostname.contains(\"nsi-test.com\")" -action act_auth_ON
    add cs policy pol_auth_OFF -rule "!(HTTP.REQ.COOKIE.exists)  && HTTP.REQ.METHOD.EQ(\"OPTIONS\") && !(http.req.user.name.length.gt(0))" -action act_auth_OFF
    add cs vserver cs1 HTTP 10.217.28.165 600 -cltTimeout 180 -Listenpolicy None
    bind cs vserver cs1 -policyName pol_auth_OFF -priority 10
    bind cs vserver cs1 -policyName pol_auth_ON -priority 20
  2. Configuration for SSO to SharePoint server

    add tm formSSOAction sp -actionURL "default.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252FSitePages%252FHome%252Easpx&Source=%2fSitePages%2fHome.aspx" -userField "ctl00$PlaceHolderMain$signInControl$UserName" -passwdField "ctl00$PlaceHolderMain$signInControl$password" -ssoSuccessRule "HTTP.RES.STATUS.EQ(\"302\")" -responsesize 10000 -submitMethod POST
    add tm trafficAction traf_sp -SSO ON -formSSOAction sp -persistentCookie ON
    add tm trafficPolicy traf_sp "http.req.url.contains(\"/_forms/default.aspx\")" traf_sp
    bind lb vserver lb_auth_ON -policyName traf_sp -priority 10 -gotoPriorityExpression END -type REQUEST

    As discussed in the Instructions section, the user must log on at /vpn/tmindex.html a second time, in the mini window that opens after clicking "Edit Document" (this second logon occurs even when SharePoint is accessed directly, without Citrix ADC). A second FormSSO profile performs SSO to the back end for this second logon.

    The traffic profile to facilitate this is as follows:

    add tm formSSOAction sp_second -actionURL "default.aspx?ReturnUrl=%2f_layouts%2fError.aspx" -userField "ctl00$PlaceHolderMain$signInControl$UserName" -passwdField "ctl00$PlaceHolderMain$signInControl$password" -ssoSuccessRule "HTTP.RES.SET_COOKIE.CONTAINS(\"FedAuth\")" -responsesize 10000
    add tm trafficAction traf_sp_second -SSO ON -formSSOAction sp_second
    add tm trafficPolicy traf_sp_second "http.req.url.contains(\"/_forms/default.aspx?ReturnUrl=/_layouts/Error.aspx\")" traf_sp_second
    bind lb vserver lb_auth_ON -policyName traf_sp_second -priority 1 -gotoPriorityExpression END -type REQUEST
  3. Responder policy configuration for enabling inline edit of Word documents

    add responder action sharepoint respondwith q{"HTTP/1.1 403 FORBIDDEN\r\nContent-Type: text/html; charset=utf-8\r\nServer: Microsoft-IIS/7.5\r\nSPRequestGuid: 81ad2c8b-7802-449d-9fbc-5f1b73c8683c\r\nX-SharePointHealthScore: 1\r\n"+"X-Forms_Based_Auth_Required: http://spnew.nsi-test.com:600/_login/default.aspx?ReturnUrl=/_layouts/Error.aspx\r\nX-Forms_Based_Auth_Return_Url: http://spnew.nsi-test.com:600/_layouts/Error.aspx\r\n"+"X-Powered-By: ASP.NET\r\nMicrosoftSharePointTeamServices: 14.0.0.4762\r\n"+"Content-Length: 13\r\n\r\n403 FORBIDDEN"}
    add responder policy sharepoint "!(HTTP.REQ.COOKIE.exists)  && HTTP.REQ.METHOD.EQ(\"OPTIONS\") && !(http.req.user.name.length.gt(0))" sharepoint
    bind lb vserver lb_auth_OFF -policyName sharepoint -priority 100 -gotoPriorityExpression END -type REQUEST

    Substitute the host and port in the X-Forms_Based_Auth_Required and X-Forms_Based_Auth_Return_Url header values (spnew.nsi-test.com:600 in the preceding configuration, shown in bold in the original article) with the FQDN of the TM virtual server that users access. If you change the body text, update the Content-Length header to match; the value 13 is the length of "403 FORBIDDEN".

    The responder policy rule can simply be "true", or the same expression as the CS policy rule. Because lb_auth_OFF performs no authentication, "true" is the safer choice: it guarantees that nothing switched to that virtual server is ever forwarded to the SharePoint service unauthenticated, whatever the CS rule happens to match.
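    The following Python script is an added illustration and is not part of this article or of any Citrix product: it models the decision path from the Instructions section (which LB virtual server a request is switched to) and checks the hand-written 403 from the responder action in the Configuration section. Request, route_request and check_forms_auth_403 are hypothetical helpers written here; the raw response bytes are constructed from the responder action above, and everything runs offline.

```python
"""Model of the CS routing and responder 403 in CTX200955 (added example, not Citrix code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    """Constructed stand-in for the request fields the article's policy expressions read."""
    method: str
    host: str
    cookies: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None  # http.req.user.name, set once AAA has authenticated the session


def is_unauthenticated_options(req: Request) -> bool:
    """Mirror of the pol_auth_OFF / responder rule from the article:
    !(HTTP.REQ.COOKIE.exists) && HTTP.REQ.METHOD.EQ("OPTIONS") && !(http.req.user.name.length.gt(0))"""
    return not req.cookies and req.method == "OPTIONS" and not req.user


def route_request(req: Request, site_domain: str = "nsi-test.com") -> str:
    """CS vserver cs1: pol_auth_OFF (priority 10) is evaluated before pol_auth_ON (priority 20)."""
    if is_unauthenticated_options(req):
        return "lb_auth_OFF"
    if site_domain in req.host:  # http.req.hostname.contains("nsi-test.com")
        return "lb_auth_ON"
    return "no-match"  # cs1 has no default LB vserver in the article's configuration


# Constructed copy of the bytes the responder action "sharepoint" emits.
ARTICLE_RESPONSE = (
    b"HTTP/1.1 403 FORBIDDEN\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"SPRequestGuid: 81ad2c8b-7802-449d-9fbc-5f1b73c8683c\r\n"
    b"X-SharePointHealthScore: 1\r\n"
    b"X-Forms_Based_Auth_Required: http://spnew.nsi-test.com:600/_login/default.aspx?ReturnUrl=/_layouts/Error.aspx\r\n"
    b"X-Forms_Based_Auth_Return_Url: http://spnew.nsi-test.com:600/_layouts/Error.aspx\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"MicrosoftSharePointTeamServices: 14.0.0.4762\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"403 FORBIDDEN"
)


def build_forms_auth_403(tm_fqdn: str) -> bytes:
    """Build the same kind of 403 with Content-Length computed instead of typed by hand."""
    body = b"403 FORBIDDEN"
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Forms_Based_Auth_Required",
         f"http://{tm_fqdn}/_login/default.aspx?ReturnUrl=/_layouts/Error.aspx"),
        ("X-Forms_Based_Auth_Return_Url", f"http://{tm_fqdn}/_layouts/Error.aspx"),
        ("MicrosoftSharePointTeamServices", "14.0.0.4762"),
        ("Content-Length", str(len(body))),
    ]
    head = "HTTP/1.1 403 FORBIDDEN\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
    return head.encode("ascii") + b"\r\n" + body


def check_forms_auth_403(raw: bytes, tm_fqdn: str) -> List[str]:
    """Return a list of problems with a responder 403; an empty list means it is well formed
    and its forms-auth headers point at the expected TM virtual server host."""
    problems: List[str] = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no blank line terminating the header block"]
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace")
    if not status.startswith("HTTP/1.1 403"):
        problems.append(f"status line is {status!r}, expected HTTP/1.1 403")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii", "replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = headers.get("content-length")
    if declared != str(len(body)):
        problems.append(f"Content-Length {declared} does not match body of {len(body)} bytes")
    for name in ("x-forms_based_auth_required", "x-forms_based_auth_return_url"):
        value = headers.get(name)
        if value is None:
            problems.append(f"missing {name} header")
            continue
        host = urlsplit(value).netloc
        if host != tm_fqdn:
            problems.append(f"{name} points at {host!r}, expected TM vserver {tm_fqdn!r}")
    return problems


if __name__ == "__main__":
    probe = Request("OPTIONS", "spnew.nsi-test.com:600")
    print("mini-browser OPTIONS probe goes to:", route_request(probe))
    print("article 403 problems:", check_forms_auth_403(ARTICLE_RESPONSE, "spnew.nsi-test.com:600"))
```

    The two mistakes the check is meant to catch are the ones that surface when the responder action is copied and edited by hand: a Content-Length that no longer matches the body, and forms-auth headers still pointing at the back-end server instead of the TM virtual server FQDN, either of which leaves the Office mini-browser stuck instead of opening the logon page.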

Notes

  • The configuration has been tested to be working with Internet Explorer and Firefox.

  • In Firefox, a popup asks whether to allow Microsoft Office to run. Allow it and choose to remember the setting for future sessions.

  • The user must log on at /vpn/tmindex.html a second time, in the mini window that opens after clicking "Edit Document" (this second logon occurs even when SharePoint is accessed directly, without Citrix ADC). Two logons in total are therefore required in this use case.