Sunday, 13 December 2009

ISA 2006, Forms, SharePoint 2007 Extranet and Client Integration

Anyone who has worked on SharePoint 2007 extranet project with ISA 2006 used as reverse proxy and to publish SharePoint Farm, knows about Client integration challenges…

When users try to edit a document, they are challenged and required to authenticate and even after a successful authentication, it is not possible to check the document back in to SharePoint.

This is because despite the existing session, office client initiate another session and ISA treats this as a new session.

The short answer to this problem is to configure a Persistent cookie on ISA web listener (Under Forms –> Advance)

clip_image001

BUT there are several security issues that are highlighted by MS and need to be considered:

  • A malicious attacker who obtains a persistent cookie may be able to perform a brute force attack to obtain user credentials from the cookie.
  • On a public computer, if the user does not log off, the session cookie can be used by the next user to access published sites. This threat can be mitigated by not enabling persistent cookies for public computers.
  • Spyware may be able to access the cookie.

The important point to consider here is that the client needs to be making the decision between Security and User experience / functionality

In a recent project I spent some times to identify few factors that the client needed to take into consideration when making this decision:

 

This is a public or shared computer

This is a private computer

Persistent cookie file on logout

Deleted

Not Deleted but user is required to authenticate (Domain name and user name are saved)

Persistent cookie file when user closes the browser

Not Deleted - Session is available before cookie timeout

Not Deleted - Session is available before cookie timeout

Temporary Internet Files

Enabling persistent cookie has no effect

Enabling persistent cookie has no effect

Temporary Draft Files

Enabling persistent cookie has no effect

Enabling persistent cookie has no effect

Ability to open documents on SharePoint within session time (browser closed)

Yes

Yes

FAQ:
Q) Is the cookie hashed e.g. using Hashed MACs (HMACs)?
A) Yes

Q) Are server tokens erased after session end?
A) Yes

Q) Is the cookie transmitted via SSL?
A) It is highly recommended

Q) Are Temporary Internet files deleted when session ends?
A) No, But this is not caused by the persistent cookie

Q) Are copy of the draft documents deleted if the user fail to check in / overwrite checkout?
A) No, But this is not caused by the persistent cookie

Q) are there any extra consideration when accessing the site though Kiosk Stations when using persistent cookies?
A) Yes the followings should be considered:

  • Do not select “This is a private computer”.
  • Perform logoff on published applications.

Additional consideration when accessing the site though Kiosk Stations (regardless of the usage of the persistent cookies):

  • Delete cookies after you finish using published applications.
  • Delete temporary Internet files.
  • Delete temporary files that Office created when working with Microsoft Office SharePoint® Portal Server.
  • Delete any files that were manually downloaded to the kiosk.
  • Close all browser windows.
  • Log off from Windows, if possible.

No comments: