Federated SharePoint: ADFS is not for everyone
Active Directory Federation Services (ADFS) and hosted Microsoft Office SharePoint Server 2007 (MOSS) do not play nicely together. ADFS currently breaks several core MOSS 2007 functions, and it is extremely complex (and expensive) to configure in a SharePoint environment.
This topic is fresh in my mind right now because we have a very large client who wants to use ADFS to tie their legacy systems together with their Fpweb.net hosted SharePoint Server. In the past we avoided ADFS work with SharePoint like the bubonic plague, since we knew its complexities, its insanely expensive cost, and its insatiable hunger for more FTEs to keep it running. In other words, ADFS + SharePoint are a serious six-figure pain in the Kanye West. It's simply not what most clients are looking for in an economic downturn.
One-Way Active Directory Trust via secure VPN
Enter our knight in shining armor: a one-way Active Directory trust over a secure site-to-site VPN, used to integrate the client's Active Directory with Fpweb.net's hosting network. The trust runs in one direction only: the hosting domain (where SharePoint lives) trusts the client's domain, and not the reverse. Client users log on to SharePoint with their existing accounts, authenticated by their own domain controllers, so no client passwords are copied into the hosting forest and hosting-network accounts gain no rights inside the client's network. The only traffic that has to cross the tunnel is the domain-controller traffic the trust itself needs (DNS, Kerberos, LDAP, RPC and SMB between the two sets of DCs), and the VPN keeps all of it off the public Internet instead of opening those ports at the firewall. The solution works very well for our Enterprise WSS and MOSS clients. It is simple, secure and economical.
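As an added illustration (not a script from the original post or from Fpweb.net), here is what setting up that one-way trust looks like from the hosting side with the standard Windows tools of the period (dnscmd, netdom, nltest and MOSS 2007's stsadm), including the two hardening switches and the People Picker fix that a one-way trust requires. The domain names, service account, DC addresses, encryption key and site URL are placeholders; run steps 1 to 4 on a domain controller in the hosting domain and step 5 on each SharePoint web front end.

```powershell
# Added example, not from the original post. Names and addresses below are
# placeholders. Steps 1-4 run on a hosting-domain DC; step 5 on each MOSS 2007
# web front end.

$HostingDomain = 'hosting.example.net'   # trusting side: where SharePoint lives
$ClientDomain  = 'corp.client.example'   # trusted side: where the users live
$HostingAdmin  = 'HOSTING\trustadmin'    # Domain Admin in the hosting domain
$ClientAdmin   = 'CLIENT\trustadmin'     # Domain Admin in the client domain
$ClientDCs     = '10.20.0.10', '10.20.0.11'   # client DCs reachable through the VPN

# 1. Name resolution across the tunnel comes first: each side needs a conditional
#    forwarder (or stub zone) for the other domain, pointing at DCs on the far
#    side of the VPN. The client does the mirror image for $HostingDomain.
dnscmd /ZoneAdd $ClientDomain /Forwarder $ClientDCs

# 2. Create the trust. netdom creates a ONE-WAY trust unless /TwoWay is given:
#    the first argument is the trusting domain, /Domain: the trusted one, so the
#    hosting domain trusts the client domain. /PasswordD:* and /PasswordO:*
#    prompt for the passwords instead of leaving them in the shell history.
netdom trust $HostingDomain /Domain:$ClientDomain /Add `
    /UserD:$ClientAdmin /PasswordD:* /UserO:$HostingAdmin /PasswordO:*

# 3. Tighten it. SID filtering (quarantine) is on by default for external trusts
#    on Server 2003 and later, but set it explicitly: it stops a compromised
#    client DC from injecting hosting-domain SIDs through SIDHistory. Selective
#    authentication limits client users to the hosting-domain computers they
#    have been granted "Allowed to Authenticate" on, i.e. the SharePoint servers,
#    rather than every machine in the hosting domain.
netdom trust $HostingDomain /Domain:$ClientDomain /Quarantine:Yes `
    /UserO:$HostingAdmin /PasswordO:*
netdom trust $HostingDomain /Domain:$ClientDomain /SelectiveAuth:Yes `
    /UserO:$HostingAdmin /PasswordO:*

# 4. Verify the trust and the secure channel to the client's DCs. If sc_verify
#    fails here, the VPN is not passing the DC-to-DC ports, not the trust.
netdom trust $HostingDomain /Domain:$ClientDomain /Verify `
    /UserO:$HostingAdmin /PasswordO:*
nltest /domain_trusts /all_trusts
nltest /sc_verify:$ClientDomain

# 5. On each MOSS 2007 front end. Because the trust is one-way, the SharePoint
#    application pool identity is NOT trusted by the client domain and cannot
#    run LDAP queries there, so the People Picker finds no client users. Give it
#    a low-privilege client-domain account to query with. setapppassword must be
#    run with the same key on every server in the farm first; it is the key
#    used to encrypt the credentials stored by the setproperty call.
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'
& $stsadm -o setapppassword -password 'FarmWideEncryptionKey'
& $stsadm -o setproperty -pn peoplepicker-searchadforests `
    -pv "domain:$ClientDomain,CLIENT\svc_peoplepicker,ServiceAccountPassword" `
    -url http://intranet.hosting.example.net
```

The People Picker account only needs to read the directory, so make it an ordinary domain user on the client side, and after step 3 remember to grant "Allowed to Authenticate" on the SharePoint server computer objects to the client group that should reach the site; with selective authentication on, nobody from the trusted domain gets in until that is done.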
For those of you who are still chasing the golden fleece of ADFS and SharePoint: Here are a few of the more significant documented issues:
- Using Office 2003 clients to open and save documents on a SharePoint server is not a supported scenario when SharePoint is running under ADFS authentication.
- Even if the file opens successfully, problems occur when the ADFS authentication cookie times out. If the user tries to save the document after the cookie has expired, errors during the redirects needed to re-authenticate the user can make it impossible to save the document back to the server. In that case the user has to save the document locally and upload it again through the browser.
- To avoid these problems, we suggest turning off client integration (the Office 2003 open and edit features) for the SharePoint web application and reverting to file download and upload through the browser instead.
- Web Folders (for example, My Network Places), which rely on the WebDAV redirector, will no longer work as expected. Web folders are typically created to get a file-explorer view of a site or document library so files can be copied and moved easily. Using this feature when SharePoint is working with ADFS is not supported.
- If you are not using ADFS, however, give this excellent Fpweb.net blog post about using Network Drives for SharePoint a quick read.
- SharePoint Alternate Access Mappings (AAM) are not supported with ADFS Web SSO. Alternate Access Mappings allow multiple URLs to correspond to the same Internet Information Services (IIS) virtual server, or Web site. You can read more about this on the SharePoint Team Blog.
If you really want to dive further into the issue of ADFS and SharePoint, be my guest. If you make it all the way through this TechNet article without having an aneurysm, please forward your resume to jobs@fpweb.net… Seriously. And if you're looking for a good laugh, and a good intro to ADFS, check out this post we ran a while back on The Lighter Side of ADFS.
That's all for now; we are still gearing up for SPC09, so be sure to stop by booth #420 for free daily Samsung netbook giveaways… or lively ADFS + SharePoint discussions.

Is it as painful and expensive even with ADFS v2?
How do you overcome the security barriers that are often associated with trusts, and can you get SharePoint to work seamlessly without opening rafts of ports between the trusted and trusting networks?