TMG pre-authentication for SharePoint site against multiple AD domains in trust relationship

Hi All,

We have deployed TMG in our client environment for publishing their in-house SharePoint application on the internet.

There are two domains in their environment, say DOMAIN1 and DOMAIN2; both domains are in a bidirectional trust relationship. The SharePoint application is hosted in DOMAIN1.

We have deployed TMG in a single network adapter topology with NO AUTHENTICATION configured at the web listener, so authentication was handled at the SharePoint level. With this configuration, all users from DOMAIN1 and DOMAIN2 were able to access the SharePoint site on the internet.

Now the client wants to set up pre-authentication at TMG, so that authentication is done at the TMG level.

For this, we have modified the publishing rule configurations as:

  1. In the web listener Authentication tab, changed the authentication mechanism from NO AUTHENTICATION to HTML FORM AUTHENTICATION with LDAP.
  2. In the LDAP validation configuration, created two LDAP SETS for the two domains.
  3. In the AUTHENTICATION DELEGATION tab, delegated the authentication with NTLM authentication.

The problem is that after the pre-authentication configuration, users from DOMAIN1 (on which the application is hosted) are able to log in to the SharePoint site on the internet and the username is visible in TMG live logging, but users from DOMAIN2 are unable to log in to the site, getting access denied (red) entries in TMG live logging, and the username is displayed as anonymous user.

I am wondering why the users from DOMAIN2 are unable to log in with the pre-authentication configuration when they were able to log in with the NO AUTHENTICATION configuration.
Can anybody help me identify the cause of this? Or please tell me if there is any limitation at the TMG level that prevents it from authenticating users from the trusted domains of the host domain (on which the application is hosted).

Quick response will be really helpful.

Thanks,

Sanjog

July 7th, 2013 3:32pm

Hi Sanjog,

Can you reach Domain2 from TMG over LDAPS (636)? Check it. Run ldp.exe > connect domain2, port 636, SSL.

Check this as well http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx

July 9th, 2013 4:05am

Hi Sanjog,

It looks like something is wrong with the cert from Domain2. Have you put a cert from Domain2 into the TMG local computer store > Trusted Root?

July 11th, 2013 2:19pm
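The two checks suggested above (LDAPS reachability with ldp.exe, and whether TMG trusts the Domain2 certificate) as an added diagnostic script, not code posted in the thread: for each DC it tests TCP 389 and 636, then performs a TLS handshake on 636 and reports the certificate subject, its DNS names, and whether the TMG machine's own store trusts the chain. The DC hostnames are placeholders; it assumes PowerShell 3.0 or later on the TMG host.

```powershell
# Added diagnostic, not from the thread: run from the TMG host against each DC.
# Hostnames are placeholders; requires PowerShell 3.0 or later.
param(
    [string[]]$DomainControllers = @('dc1.domain1.example', 'dc1.domain2.example')
)

function Test-LdapsEndpoint {
    param([Parameter(Mandatory)][string]$Server)

    $r = [ordered]@{ Server = $Server; Tcp389 = $false; Tcp636 = $false
                     Subject = $null; DnsNames = $null; ChainOk = $false
                     ChainStatus = $null; Error = $null }

    # Step 1: plain TCP reachability (what telnet on 389/636 proves, and no more).
    foreach ($port in 389, 636) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try     { $tcp.Connect($Server, $port); $r["Tcp$port"] = $true }
        catch   { $r.Error = "TCP $port: $($_.Exception.Message)" }
        finally { $tcp.Close() }
    }
    if (-not $r.Tcp636) { return [pscustomobject]$r }

    # Step 2: TLS handshake on 636. Accept any cert during the handshake so it can be
    # inspected, then evaluate trust separately against the machine's own store, which
    # is the check an ldp.exe SSL bind (and TMG LDAPS validation) has to pass.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust question only; CRL reachability is separate
        $r.Subject     = $cert.Subject
        $r.DnsNames    = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
        $r.ChainOk     = $chain.Build($cert)
        $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    catch   { $r.Error = "TLS on 636: $($_.Exception.Message)" }
    finally { $ssl.Dispose(); $tcp.Close() }
    [pscustomobject]$r
}

# A DC whose FQDN is not among DnsNames, or whose ChainOk is False, fails the SSL bind
# even though TCP 636 is open, which is consistent with "Cannot open connection" in ldp.exe.
$DomainControllers | ForEach-Object { Test-LdapsEndpoint -Server $_ } | Format-List
```

Run it once per DC in each LDAP set; a DC that passes TCP but shows ChainOk False or a missing DnsNames match points at the certificate rather than the network.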

Hi Vasily,

Thanks for the reply.

Following the link provided, I tried to test connectivity on ports 389 and 636 to the DOMAIN2 DC using the ldp.exe tool, and I got the error: "Cannot open connection". Then I tried to test connectivity to the DOMAIN1 DC (to which I am able to connect and authenticate users); the strange thing is that it is also not connecting and gives me the same "Cannot open connection" error.

I have checked the prerequisites again:

  1. LDAP ports are open between the TMG server and the DCs. Able to telnet on port 389 and port 636.
  2. DOMAIN1 DC and DOMAIN2 DC are up and running, reachable over PING.

I analyzed the Event Viewer logs and found that whenever a user from DOMAIN2 tries to access the SharePoint site on the internet, it generates the errors below in Event Viewer:


Have you seen this issue earlier? Please suggest how to rectify it.

Is there any limitation at the TMG level that prevents authenticating users from a trusted domain of the host domain where the SharePoint site is hosted?

For a quick configuration check, can you please suggest the pre-authentication configuration for authenticating users against multiple trusted domains? We might be missing some basic configuration steps.

Thanks,

Sanjog

July 11th, 2013 4:01pm
