Publish IIS site with TMG pre-authentication

We wanted to enable forms-based authentication against Active Directory, handled by Forefront Threat Management Gateway (TMG), for a SharePoint site and a standard IIS site. We had already created the publishing rule with no authentication, and the default IIS site came back without a login screen. TMG did not show its login screen until we changed the firewall rule so that it applies to All Authenticated Users instead of All Users.

The set-up is straightforward and only requires a small adjustment to a standard firewall rule. I will show step by step how I set up TMG pre-authentication for a basic site; the same steps apply to SharePoint.

I created a basic IIS site with the ‘Add Website…’ wizard.

I then went to our TMG server and created a new rule: click on ‘Publish Web Sites’, fill in a name for the rule and click on ‘Next >’. Set the rule action to Allow and click on ‘Next >’. Choose ‘Publish a single Web site or load balancer’ and click on ‘Next >’. Our site is served over HTTPS, so keep SSL selected for the connection to the published server and click on ‘Next >’. Fill in the internal site name, plus an IP address if TMG cannot resolve that name, and click on ‘Next >’. Accept the defaults on the next page and click on ‘Next >’. Fill in the public name details and click on ‘Next >’.

On the web listener page click on ‘New…’ to create a listener. Fill in a name for the listener and click on ‘Next >’. Select HTTPS and click on ‘Next >’. Select the network(s) the listener should accept connections on, according to your situation, and click on ‘Next >’. Select the certificate and click on ‘Next >’. Select ‘HTML Form Authentication’, leave the validation method at Windows (Active Directory), and click on ‘Next >’. Fill in your domain name for single sign-on and click on ‘Next >’, then click on ‘Finish’.

Back in the publishing rule wizard, with the new listener selected, click on ‘Next >’. Select ‘NTLM authentication’ as the delegation method and click on ‘Next >’.

Make sure ‘All Authenticated Users’ has been added to the rule's user set. You will see ‘All Users’ instead if you skipped the steps above and created the rule with a web listener that uses no authentication. Change it to ‘All Authenticated Users’ (on an existing rule this is the Users tab of the rule properties); otherwise the rule never requires credentials and TMG never shows its login screen. Click on ‘Finish’ and apply the configuration.

Note that NTLM delegation only works if the published IIS site itself accepts Windows authentication: TMG authenticates the user on its form and then answers the IIS NTLM challenge on the user's behalf, so Windows Authentication must be enabled on the site in IIS.

Navigate to your site and you will now see the login screen from TMG.
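To confirm that the rule really enforces pre-authentication, and that the backend is ready for NTLM delegation, here is an added PowerShell check (my example, not from the original post). It assumes a placeholder public name https://intranet.example.com/, the TMG behaviour that an HTML Form Authentication listener answers an anonymous browser request with a redirect to /CookieAuth.dll?GetLogon, and, for the second function, the WebAdministration module on the IIS server with the site name as given in the ‘Add Website…’ wizard.

```powershell
# Added verification script; not part of the original post.
# Run Test-TmgPreAuth from a client outside TMG, Test-BackendWindowsAuth on the IIS server.

function Test-TmgPreAuth {
    param([Parameter(Mandatory)][string]$Url)   # e.g. 'https://intranet.example.com/' (placeholder)

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect    = $false          # we want to see the redirect itself, not follow it
    $req.UseDefaultCredentials = $false         # anonymous, like a first browser visit
    $req.UserAgent            = 'Mozilla/5.0'   # TMG serves the HTML form to browser user agents
    $req.Timeout              = 10000

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # HttpWebRequest throws on 4xx/5xx; the response is still attached to the exception
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()

    # With forms-based pre-authentication TMG redirects anonymous requests to its logon form
    $preAuth = ($status -eq 302 -and $location -match 'CookieAuth\.dll\?GetLogon')

    [pscustomobject]@{
        Url      = $Url
        Status   = $status
        Location = $location
        PreAuth  = $preAuth
        Verdict  = if ($preAuth) { 'TMG login form is presented before the site' }
                   elseif ($status -eq 200) { 'Content served without TMG login: rule probably still applies to All Users' }
                   else { 'Unexpected response; check listener and rule' }
    }
}

function Test-BackendWindowsAuth {
    # NTLM delegation needs Windows Authentication on the published IIS site.
    param([Parameter(Mandatory)][string]$SiteName)   # name used in the 'Add Website...' wizard
    Import-Module WebAdministration
    $base = 'system.webServer/security/authentication'
    $win  = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter "$base/windowsAuthentication"   -Name enabled
    $anon = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter "$base/anonymousAuthentication" -Name enabled
    [pscustomobject]@{
        Site        = $SiteName
        WindowsAuth = [bool]$win.Value    # must be $true for NTLM delegation
        Anonymous   = [bool]$anon.Value   # if $true, IIS never challenges and delegation is moot
    }
}

Test-TmgPreAuth -Url 'https://intranet.example.com/'
```

A 200 from the first function means the request reached IIS without TMG asking for credentials, which is exactly the symptom described above when the rule still applies to All Users. The second function reports the backend setting that the NTLM delegation step depends on.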

The Specified user or domain group was not found

I got this error today when someone wanted to create a document set in SharePoint 2013. This small post shows a possible solution to this issue.

Scenario

A user wants to create a document set in a standard document library but faces the below error.

The specified user or domain group was not found

I went looking in the ULS logs and found a good lead. These entries stood out:

  • UserAgent not available, file operations may not be optimized.
  • Application error when access /_layouts/15/NewDocSet.aspx, Error=Some or all identity references could not be translated.
  • Unable to write SPDistributedCache call usage entry.


Solution

Because of the message “Unable to write SPDistributedCache call usage entry” I looked at the object cache accounts (SuperUser and SuperReader) of the web application and noticed that the super accounts were not set up correctly. The “Some or all identity references could not be translated” entry fits this: it is the error Windows raises when an account name cannot be resolved to a SID, which is consistent with a cache account pointing at a non-existent or mis-typed account.


I was able to create the document set after fixing the cache accounts.
You can set the cache accounts using the PowerShell script located at http://www.sharepointfire.com/2014/03/set-sharepoint-cache-accounts-with-powershell/
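As an added example (my code, not the script linked above), here is a PowerShell audit-and-fix for the object cache accounts. It assumes the SharePoint Management Shell snap-in on a SharePoint 2013 server, claims-based web applications (where the accounts must be stored in claims format, i:0#.w|DOMAIN\user), and placeholder account names CONTOSO\spsuperuser and CONTOSO\spsuperreader.

```powershell
# Added example; not the script from the original post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-CacheAccountStatus {
    # Reports, per web application, which super accounts are configured and whether
    # each one has a matching web application policy (Full Control / Full Read).
    foreach ($wa in Get-SPWebApplication) {
        foreach ($key in 'portalsuperuseraccount', 'portalsuperreaderaccount') {
            $account = $wa.Properties[$key]
            $policy  = if ($account) { $wa.Policies | Where-Object { $_.UserName -eq $account } }
            [pscustomobject]@{
                WebApplication = $wa.DisplayName
                Property       = $key
                Account        = $account
                ClaimsFormat   = [bool]($account -and $account.StartsWith('i:0#.w|'))
                HasPolicy      = [bool]$policy
                PolicyRoles    = if ($policy) { ($policy.PolicyRoleBindings | ForEach-Object Name) -join ', ' }
            }
        }
    }
}

function Add-CachePolicy {
    # Ensures a web application policy exists for the account with the given special role.
    param($WebApplication, [string]$Account, [string]$DisplayName,
          [Microsoft.SharePoint.Administration.SPPolicyRoleType]$RoleType)
    $policy = $WebApplication.Policies | Where-Object { $_.UserName -eq $Account }
    if (-not $policy) {
        $policy = $WebApplication.Policies.Add($Account, $DisplayName)
        $policy.PolicyRoleBindings.Add($WebApplication.PolicyRoles.GetSpecialRole($RoleType))
    }
}

function Set-CacheAccounts {
    param(
        [Parameter(Mandatory)][string]$WebApplicationUrl,
        [Parameter(Mandatory)][string]$SuperUser,     # e.g. 'CONTOSO\spsuperuser' (placeholder)
        [Parameter(Mandatory)][string]$SuperReader    # e.g. 'CONTOSO\spsuperreader' (placeholder)
    )
    $wa = Get-SPWebApplication $WebApplicationUrl

    # Claims web applications need the claims-encoded form of the account name
    $encode = {
        param($name)
        if ($wa.UseClaimsAuthentication) {
            (New-SPClaimsPrincipal -Identity $name -IdentityType WindowsSamAccountName).ToEncodedString()
        } else { $name }
    }
    $user   = & $encode $SuperUser
    $reader = & $encode $SuperReader

    # Super user needs Full Control, super reader needs Full Read on the web application
    Add-CachePolicy $wa $user   'Portal Super User'   ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    Add-CachePolicy $wa $reader 'Portal Super Reader' ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)

    $wa.Properties['portalsuperuseraccount']   = $user
    $wa.Properties['portalsuperreaderaccount'] = $reader
    $wa.Update()
    # Run iisreset on the web front ends afterwards so the object cache picks up the new accounts.
}

Get-CacheAccountStatus | Format-Table -AutoSize
# Set-CacheAccounts -WebApplicationUrl 'http://sharepoint' -SuperUser 'CONTOSO\spsuperuser' -SuperReader 'CONTOSO\spsuperreader'
```

Run Get-CacheAccountStatus first: an account that is empty, not in claims format on a claims web application, or without a policy is the mis-configuration the post describes, and Set-CacheAccounts corrects all three in one go.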