We have some integration code to enable SSO to SharePoint through an ISAPI extension. It worked fine with SharePoint 2007, but with SharePoint 2010, SSO stops working unless SharePoint's anonymous access is enabled.
The key component of the integration code is an ISAPI extension installed on IIS. This extension uses the user attributes available on the incoming request to get a Kerberos ticket (through S4U2proxy) and impersonate the user through HSE_REQ_EXEC_UNICODE_URL.
With anonymous authentication enabled in IIS and our ISAPI extension first on the handler mapping list, we found that we also had to enable SharePoint's anonymous access by following the steps listed in
; otherwise, users would get prompted for username/password before our ISAPI extension was even invoked. Note that we didn't need to enable anonymous access for SharePoint 2007.
So the questions are:
1. Is enabling anonymous access the right thing to do? Any security implications?
2. Why does anonymous access need to be enabled for SP 2010 but not SP 2007?
3. In general, how SharePo