Authenticating to Sharepoint through APM

Verify that you have the proper host header entries in AAM (Alternate Access Mappings, Default Zone), and see if that helps.

You can have multiple entries in the Default Zone. What is happening is that SharePoint is accepting Windows Integrated and assuming you are on the LAN and redirecting you to the Default zone.

Hi Michael J,

Even though I'm not actually on the LAN would I still check the default zone...? I'll speak to our sharepoint guy.

Thanks for a such a quick response.

Yep. AAM is generally the issue.

An example where this comes in to play is when using SSL termination at the BIG-IP, as the header contains https://sharepointsite, but sharepoint AAM is not configured with a default zone mapping for https but for http. SharePoint will constantly redirect to http because it senses Windows Integrated. Simple fix is to just have AAM entries for:

https://sharepointsite & http://sharepointsite

Okay, so is there something specific I'll need to do in AAM? The reason I ask is because I perhaps dont actually want Windows Integrated to be used when accessing through the portal... on the local LAN its perfectly fine and works when browsing direct to sharepoint, as users are logged onto domain joined machines with their domain credentials. The portal is there for remote access for our users wherever they maybe... they may not necessarily be using their corporate laptops and the usernames they have logged into their machines willl be different to their domain usernames (they could be using home computers, personal laptops etc that arent even a member of our AD).. so we dont want to pass these credentials.

The credentials we want to pass are the credentials used to authenticate against the Portal... these credentials will be the users domain username and password that I want to seamlessly pass to sharepoint.

I dont think I'm explaining very well. Regardless I will check AAM as soon as I can find someone in our sharepoint team.

Specifically, add Host header mappings for all host headers used to access SharePoint.

Windows Integrated will be used by SharePoint regardless of where the users are accessing from. From External systems they will get a prompt. From Internal systems with the URL mapped to Local Intranet sites, they wont.

How can I configure it as such, so it will be take the username and password I typed into my Portal login page to access sharepoint, rather than it ask me to login again?

You can configure Single-Sign-On (SSO) fro Sharepoint to help you to login seamlessly

http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-guide-11-3-0/3.html

How can I configure it as such, so it will be take the username and password I typed into my Portal login page to access sharepoint, rather than it ask me to login again?

You can configure Single-Sign-On (SSO) fro Sharepoint to help you to login seamlessly

http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-guide-11-3-0/3.html

Okay, let me back to you. I'm hoping they dont even get a prompt from external systems (as thats whats happening now)... The only prompt they should get from external systems is the F5 Login Page for the Portal.

Internally, we access sharepoint direct, no need to go through APM.

Correct. If your SSO is configured properly, then updating the AAM will solve your problem.

Just another thing some of these issues might be the rewrite technology some of it does not agree with SharePoint (especially the if SP 2010 and Silverlight). URL sometimes become a problem if you want to send them to other users or bookmark.