Previously, Office Integration with SharePoint secured by forms based authentication was not possible. The new ability of the Office client applications in Office 2007 SP2 to perform a forms login helps to solve this problem. You will need to install this post SP2 fix to your client machines to gain this functionality. What is needed in conjunction with it, is means to send an authentication prompt to the Office client if the login cookie doesn’t exist or has expired. The Identity Management team at Microsoft, in conjunction with the Microsoft Office team, have developed an HttpModule for SharePoint that does just that. The HttpModule is available as a source code sample download from this blog.
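As an added illustration of the mechanism described above (not the code in the downloadable AdfsHttpModule sample), here is the shape such a module takes in C#. It assumes the Office client follows the forms-login handshake that uses the X-FORMS_BASED_AUTH_* headers, and the cookie name and logon page path are placeholders:

```csharp
// Added illustration, not the downloadable AdfsHttpModule sample: a minimal IHttpModule
// that challenges Office clients with a forms-login prompt when no ADFS session exists.
// Assumptions: the Office client follows the forms-login handshake that uses the
// X-FORMS_BASED_AUTH_* headers; cookie and login-page names below are placeholders.
using System;
using System.Web;
public class OfficeFormsAuthChallengeModule : IHttpModule
{
    // Placeholder: name of the ADFS web agent's session cookie in your farm.
    private const string SsoCookieName = "ADFS_SSO_COOKIE_PLACEHOLDER";
    // Placeholder: the forms logon page for this zone.
    private const string LoginPath = "/_layouts/login.aspx";
    public void Init(HttpApplication app)
    {
        // Registered after the ADFS module in web.config, so by this event the ADFS
        // module has already tried to authenticate the request from its cookie.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    private void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;
        // Office 2007 SP2 and later advertise that they can show a forms-login dialog.
        bool officeClient = string.Equals(req.Headers["X-FORMS_BASED_AUTH_ACCEPTED"], "t",
                                          StringComparison.OrdinalIgnoreCase);
        bool hasSession = req.Cookies[SsoCookieName] != null
                          || (ctx.User != null && ctx.User.Identity.IsAuthenticated);
        if (!officeClient || hasSession)
            return; // browsers and already-authenticated requests pass through untouched

        // Build both URLs from this request's own authority so the challenge can never
        // become an open redirect to a host of the caller's choosing.
        string host = req.Url.GetLeftPart(UriPartial.Authority);
        string returnUrl = host + req.RawUrl;
        string loginUrl = host + LoginPath + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);

        // 403 plus these headers tells the Office client to open its login window at
        // loginUrl and to retry returnUrl once the SSO cookie has been issued.
        HttpResponse resp = ctx.Response;
        resp.Clear();
        resp.StatusCode = 403;
        resp.AppendHeader("X-FORMS_BASED_AUTH_REQUIRED", loginUrl);
        resp.AppendHeader("X-FORMS_BASED_AUTH_RETURN_URL", returnUrl);
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

Ordinary browser requests never see the 403, because they do not send the X-FORMS_BASED_AUTH_ACCEPTED header and therefore still reach the normal ADFS redirect.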
You will need to compile the source to a DLL and then install it to the GAC on the SharePoint front end servers.
To compile it, you will need Microsoft Visual C# 2008.
You can download Microsoft Visual C# 2008 Express edition from http://www.microsoft.com/express/download/#webInstall
a. Extract the code sample locally, for example to c:\Patch
b. Open Microsoft Visual C# 2008
c. From the menu, select File / Open Project and browse to the file c:\Patch\retail\AdfsHttpModule.sln
d. Next, select Build from the menu
e. When prompted for a password, type "password"
f. By default, the built DLL is placed in c:\Patch\release\release\bin
To install the compiled DLL into the GAC, use the GACUTIL tool, which is included in the .NET Framework 2.0 SDK.
The command to install it is:
GACUTIL /i adfsfba.dll
Next - make the following changes to SharePoint:
1. Go to Central Administration, click the Application Management tab, and click the Authentication Providers link.
2. In the Web Applications drop-down list, select the Web application that contains a forms authentication zone, and then click the link for the zone that is configured to use forms authentication.
3. On the Settings page for the zone, select the Enable anonymous access check box, and then set Enable Client Integration? to Yes.
Selecting the Enable anonymous access check box does not, by itself, grant anonymous access to any content in the Web application. However, it is needed to enable the Office client applications to gather enough information about the site to display the logon window.
4. Edit the web.config file as follows on each front end Web server in the farm for the zone that is secured with ADFS:
a. Add the entry for the HttpModule code sample after the ADFS module entry. You should see an existing httpModules entry such as the following:
    name="Identity Federation Services Application Authentication Module"
    Version=126.96.36.199, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null"
b. Add the following entry immediately after the existing entry:
    name="ADFS Module for Office Forms Based Auth"
c. Add the usettp element in the websso section, as follows.
After you complete these steps, you can use the Office client in a nearly seamless, integrated experience with SharePoint Server. The authentication prompts for an ADFS-secured site can be further reduced by adding the site for the account logon service (FS-A) to the Local Intranet Zone in Internet Explorer.
Great blog post. At the end you allude to reducing auth prompts, "The authentication prompts for an ADFS-secured site can be further reduced". Does this involve some Integrated Windows Authentication site being used? I assume directing the Office User Agent to a Forms based site would always require a Forms authentication to occur. We have a use case in which we want to enable the ADFS WebAgent on SharePoint, but we want to continue supporting pass through authentication in the Office client.
Jim, can this be modified to use LDAP authentication? I would think that your solution could be used for more than just ADFS, since both are forms based authentication and the hard part is making the Office DLL work across untrusted domains. Trying to analyze the XML code, which is where I would need to make the modification.
Hi, I'm currently working on integrating word 2010 with an adfs-ssl enabled sharepoint 2010 site collection (as a blogging tool). Also, I'll need to integrate Word 2007 soon.
When I click "Launch blog program to post" in my site, SP launches Word 2010 and correctly imports the site's URL. But when I click OK, Word says that it "cannot register my account" (and that's pretty much it, since it does not offer any further details).
One of my managers pointed me to your article, and I would like to know if the solution you proposed works on the SP-Word2010 combo, or if there's another solution.
I supposed Word 2010 - SP 2010 integration should work out of the box (even with ADFS2.0), but it's not happening for me. Can you give me some pointers on why this could be happening?
I understand the code is provided as is, but I wanted to see if you could shed some light on a problem we're having when using this module with custom HTTP modules. Our custom modules are bound to run on PreRequestHeaderExecute. Whether we have all these modules merged into one (including this ADFS module) or separate, the ADFS module's behavior is not constant. Sometimes files open in Office, other times the login form comes in as text.
Does this stop prompts when using Explorer view?
Hi thanks for sharing this useful information that really increased my technical knowledge about this type of issue.