Share via


Office Integration with MOSS and ADFS

Previously, Office Integration with SharePoint secured by forms based authentication was not possible. The new ability of the Office client applications in Office 2007 SP2 to perform a forms login helps to solve this problem. You will need to install this post SP2 fix to your client machines to gain this functionality. What is needed in conjunction with it, is means to send an authentication prompt to the Office client if the login cookie doesn’t exist or has expired. The Identity Management team at Microsoft, in conjunction with the Microsoft Office team, have developed an HttpModule for SharePoint that does just that. The HttpModule is available as a source code sample download from this blog.

You will need to compile the source to a DLL and then install it to the GAC on the SharePoint front end servers.

To compile you will need Microsoft Visual C# 2008 edition .

You can download Microsoft Visual C# 2008 Express edition from https://www.microsoft.com/express/download/#webInstall

a. Extract the code sample locally for example c:\Patch

b. Open Microsoft Visual C# 2008

c. From the menu options select File / Open Project and browse to the file c:\Patch\retail\AdfsHttpModule.sln

d. Next, select build from the menu options

e. When prompted for password type “password”

f. The default location of the built DLL c:\Patch\release\release\bin

To install the compiled DLL to the GAC use the GACUTIL application. GACUTIL can be obtained by installing the .NET Framework 2.0 SDK

The command to install it would be:

“GACUTIL /i adfsfba.dll”

Next - make the following changes to SharePoint:

1. Go to Central Administration, click the Application Management tab, and click the Authentication Providers link.

2. In the Web Applications drop–down list, select the Web application that contains a forms authentication zone, and then click the link for the zone that is configured to use forms authentication.

3. On the Settings page for the zone, select the Enable anonymous access check box, and then set Enable Client Integration? to Yes.

Note:

Selecting the Enable anonymous access check box does not, by itself, grant anonymous access to any content in the Web application. However, it is needed to enable the Office client applications to gather enough information about the site to display the logon window.

4. Edit the web.config file as follows on each front end Web server in the farm for the zone that is secured with ADFS:

a. Add the entry for the HttpModule code sample after the ADFS module. You should see an existing entry such as the following.

Xml

<add

name="Identity Federation Services Application Authentication Module"

type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn,

Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null"

/>

b. Add the following entry immediately after the existing entry.

Xml

<add

name="ADFS Module for Office Forms Based Auth"

type="ADFSFBA.ADFSFBAHttpModule,ADFSFBA,Version=1.0.0.0,

Culture=neutral,PublicKeyToken=083ff59054782422,Custom=null"

/>

c. Add the usettp element in the websso section, as follows.

Xml

<websso>

<usettp enabled="false"/>

</websso>

After you complete these steps, you can use the Office client in a nearly seamless, integrated experience with SharePoint Server. The authentication prompts for an ADFS-secured site can be further reduced by adding the site for the account logon service (FS-A) to the Local Intranet Zone in Internet Explorer.

 

 

release.zip

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    PingBack from http://microsoft-sharepoint.simplynetdev.com/office-2007-integration-mit-moss-und-adfs/

  • Anonymous
    January 01, 2003
    Jim, Can this be modified to use LDAP authentication? I would think that your solution could be used for more than just ADFS since both are a forms based authentication and the hard part is making the Office dll working across untrusted domains. trying to analyzie the XML code which is where I would need to make the Modification

  • Anonymous
    January 01, 2003
    Great blog post.  At the end you allude to reducing auth prompts, "The authentication prompts for an ADFS-secured site can be further reduced".  Does this involve some Integrated Windows Authentiation site being used?  I assume directing the Office User Agent to a Forms based site would always require a Forms authentication to occur.  We have a use case in which we want to enable the ADFS WebAgent on Sharepoint, but we want to continue supporting pass through authentication in the Office client.

  • Anonymous
    January 01, 2003
    thanks

  • Anonymous
    July 26, 2010
    Hi, I understand the code is provided as is but I wanted to see if you could shed some light on a problem we're having when using this module with custom http modules. Our custom modules are bound to run on PreRequestHeaderExecute. Whether we have these all these module merged into 1 (included this ADFS module) or separate, the ADFS module's behavior is not constant. Sometimes files open in Office, other times the login form comes in as text. Any ideas?

  • Anonymous
    December 04, 2011
    The comment has been removed

  • Anonymous
    October 15, 2012
    Hi thanks for sharing this useful information that really increased my technical knowledge about this type of issue. www.mytechbay.com

  • Anonymous
    December 12, 2014
    Some time ago, a customer requested a clear statement from Microsoft Support regarding
    “Office