Channel: Forefront TMG and ISA Server forum

SharePoint 2010 reverse-published through TMG - 403 Forbidden when switching user after successfully authenticating

Hi - hoping someone out there has seen this issue and can help.

We're in the process of migrating to TMG 2010 in a single-network-adapter config to reverse-publish SharePoint 2010 sites. We're presently using ISA 2006 in a dual-NIC configuration (one NIC internal, one connected to the Internet).

TMG is taking the request, offloading the SSL and sending it to port 80 (we've also tried using TMG as an SSL pass-through and having SSL terminate on the SharePoint web front-end). We're using LDAP-AD validation for our HTTP Basic auth.

Clients can authenticate successfully and all SharePoint functionality is there, but when a user chooses "Sign In As A Different User", instead of being presented with an auth prompt, a "403 Forbidden - The server denied the specified Uniform Resource Locator (URL)" results.

Here is the GET from a Fiddler trace of the page when the 403 is generated (I've changed the URLs, IPs and usernames to generic ones):

GET /_layouts/accessdenied.aspx?loginasanotheruser=true&Source=https%3A%2F%2Fsharepoint%2Esite%2Ecom%2FSitePages%2FHome%2Easpx HTTP/1.1

The referer:

Referer: https://sharepoint.site.com/_layouts/closeConnection.aspx?loginasanotheruser=true&Source=https%3A%2F%2Fsharepoint%2Esite%2Ecom%2FSitePages%2FHome%2Easpx

TMG logs show first a "12210 An Internet Server API (ISAPI) filter has finished handling the request":

Failed Connection Attempt TMGSERVER 6/20/2013 8:20:54 AM 
Log type: Web Proxy (Reverse) 
Status: 12210 An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator.  
Rule: sharepoint.site.com 
Source: Internal (ip coming from internet) 
Destination: Local Host (ip of sharepoint web server:80) 
Request: GET http://sharepoint.site.com/_layouts/blank.htm 
Filter information: Req ID: 0e5cbf7c; Compression: client=Yes, server=Yes, compress rate=0% decompress rate=0% 
Protocol: https 
User: (LDAP)xxxxx
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x4000008 (Request includes the AUTHORIZATION header. Response includes the WWW-AUTHENTICATE header.)
Processing time: 94 MIME type: 

Then further down the logs:

Denied Connection TMGSERVER 6/20/2013 8:31:43 AM 
Log type: Web Proxy (Reverse) 
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).  
Rule: sharepoint.site.com 
Source: Internal (ip coming from internet) 
Destination: Local Host (ip of sharepoint web server:80) 
Request: GET http://sharepoint.site.com/_layouts/accessdenied.aspx?loginasanotheruser=true&Source=https%3A%2F%2Fsharepoint%2Esite%2Ecom%2FSitePages%2FHome%2Easpx 
Filter information: Req ID: 0e5cc098; Compression: client=Yes, server=Yes, compress rate=0% decompress rate=0% 
Protocol: https 
User: (LDAP) xxxxx
Additional information
Client agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x6020008 (Request includes the AUTHORIZATION header. Response includes the CACHE-CONTROL: PRIVATE header. Response includes the SET-COOKIE header. Response includes the WWW-AUTHENTICATE header.)
Processing time: 94 MIME type: 

I've tried re-publishing the rule, doing various link translations, and the Path is set to /* to include everything after the host header. Tried using different listeners/recreating the listener. We've even built TMG with a 2-NIC setup to match as closely as possible the current ISA 2006 setup. Always the same behavior. ISA works fine, TMG behaves as outlined above.

I think I've run out of things to check; I've probably combed through every setting on each server and made sure they're identical.

Hopefully someone has seen/experienced this and has some things I can try. Let me know if I need to supply more information about our environment/config.

Many thanks!

Tom
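The two TMG log entries quoted in the post are in the "Field: value" block format that the TMG log viewer copies out. The following script is an added triage helper, not code from the post or from Microsoft; it assumes only that format, and the embedded sample log is constructed to mirror the two entries above (generic host, masked user). It parses each entry, splits the status line into its numeric code and message, decodes the request URL and its query string, and then reports (a) which entries are 12202 denials for a request carrying loginasanotheruser=true, i.e. the SharePoint "Sign in as Different User" flow, and (b) which entries show the SSL-offload bridging the post describes (Protocol: https while the forwarded request is http://...:80). Running this over a fuller log export makes it easy to see every step of that flow side by side instead of scrolling through the viewer.

```python
"""Triage helper for TMG reverse-proxy log excerpts (added example, not part of the post)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the two entries quoted in the post.
SAMPLE_LOG = """\
Failed Connection Attempt TMGSERVER 6/20/2013 8:20:54 AM
Log type: Web Proxy (Reverse)
Status: 12210 An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator.
Rule: sharepoint.site.com
Request: GET http://sharepoint.site.com/_layouts/blank.htm
Protocol: https
User: (LDAP)xxxxx
Additional information
Cache info: 0x4000008 (Request includes the AUTHORIZATION header. Response includes the WWW-AUTHENTICATE header.)

Denied Connection TMGSERVER 6/20/2013 8:31:43 AM
Log type: Web Proxy (Reverse)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: sharepoint.site.com
Request: GET http://sharepoint.site.com/_layouts/accessdenied.aspx?loginasanotheruser=true&Source=https%3A%2F%2Fsharepoint%2Esite%2Ecom%2FSitePages%2FHome%2Easpx
Protocol: https
User: (LDAP) xxxxx
Additional information
"""

# First line of each entry: "<action> <server> <date time>"
HEADER_RE = re.compile(
    r"^(Failed Connection Attempt|Denied Connection|Allowed Connection)\s+(\S+)\s+(.+)$"
)
# "Status: <code> <message>"
STATUS_RE = re.compile(r"^(\d+)\s*(.*)$")


def parse_entries(text):
    """Split blank-line-separated log entries into dicts with decoded fields."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        entry = {"action": None, "server": None, "time": None}
        m = HEADER_RE.match(lines[0])
        if m:
            entry["action"], entry["server"], entry["time"] = m.groups()
            lines = lines[1:]
        for ln in lines:
            # Split on the first colon only; URLs and times contain more colons.
            key, sep, value = ln.partition(":")
            if not sep:
                continue  # e.g. the bare "Additional information" separator line
            entry[key.strip().lower()] = value.strip()

        sm = STATUS_RE.match(entry.get("status", ""))
        entry["status_code"] = int(sm.group(1)) if sm else None
        entry["status_text"] = sm.group(2) if sm else ""

        method, _, url = entry.get("request", "").partition(" ")
        parts = urlsplit(url)
        entry["method"] = method or None
        entry["scheme"] = parts.scheme
        entry["path"] = parts.path
        # parse_qs percent-decodes values, so Source comes back as a plain URL.
        entry["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
        # TMG terminated SSL and forwarded the request in clear text to the backend.
        entry["ssl_offloaded"] = (
            entry.get("protocol", "").lower() == "https" and parts.scheme == "http"
        )
        entries.append(entry)
    return entries


def find_login_as_other_denials(entries):
    """Entries where TMG returned 12202 for a 'Sign in as Different User' request."""
    return [
        e for e in entries
        if e["status_code"] == 12202
        and e["query"].get("loginasanotheruser", "").lower() == "true"
    ]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for e in parsed:
        print(e["time"], e["status_code"], e["method"], e["path"],
              "ssl-offloaded" if e["ssl_offloaded"] else "")
    for e in find_login_as_other_denials(parsed):
        print("denied login-as-other request:", e["path"], "Source=", e["query"].get("Source"))
```

The parser keys every field by its lower-cased name, so a complete export with extra fields (Destination, Filter information, Client agent) is handled the same way; the only structural assumption is that entries are separated by a blank line and start with the action/server/timestamp header.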

