I have a very strange problem with the Forefront TMG 2010 Single Sign On feature.
SSO settings:
- I'm publishing two websites (https://site1.domain.com and https://site2.domain.com) by using the same web listener with SSO enabled for *.domain.com
- SSO is working like a charm for Windows 8.1 clients
The issue when accessing sites from Windows 7 clients:
- On the first access to any of the sites (e.g. site1), I get the TMG forms login form, as expected.
- I log in, then visit a few pages of the same site (e.g. site1), and everything works as expected. I'm logged in, and I can surf.
- The problem arises when I try to open the other site (e.g. site2). I get the TMG forms login form again! And even worse, as soon as the new TMG login form opens, I'm logged off from the first site as well. So not only must I log in separately to both sites, I can't be logged in to both sites at the same time, because as soon as I log in to one site, the session with the other site is terminated!
- The interesting thing is that the behavior is the same in any browser. I've tried IE, Chrome and Mozilla, and the problem is the same.
When an external client tries to open the second site, TMG logs one interesting message:
- Req ID: 0ae9f57b; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ;FBA cookie: exists=yes, valid=no, updated=no, logged off=no, client type=private, user activity=yes
It looks like TMG finds that the cookie is not valid and deletes it, thereby terminating the existing session with all sites.
My setup:
- An array of two TMG 2010 SP2 RU4 servers, on Windows Server 2008 R2, with all updates installed.
- The published websites (site1.domain.com and site2.domain.com) reside on two different servers (srv1 and srv2)
- The websites are published over https using an SSL certificate obtained from the local PKI. All clients and servers have the PKI CA in their "Trusted Root Certificates" store. No client or server reports any certificate issue. The websites are "green" in the address bar.
I'm really confused by this behavior. Especially because the same third-party browser (Chrome) can be used with SSO without any problem when installed on Windows 8.1, but not when installed on Windows 7!?!?
Any help would be appreciated...
Thanks!
Fat Dragon
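When chasing a problem like the one described in the post above, the TMG "FBA cookie" log entry is the most useful evidence, and it is worth pulling the `exists`/`valid`/`logged off` fields out of many such lines rather than reading them one at a time. The following is an added example (not code from the original post or from TMG) that parses lines of the shape quoted above and flags requests where a forms-auth cookie was presented but rejected as invalid. The sample log text is constructed for the example (the first line is the post's line verbatim, the other two are made up for contrast), and the classification rules are my assumption about how to read the fields, not documented TMG semantics:

```python
import re

# Constructed sample log text in the shape of the TMG entry quoted in the post.
# Line 1 is the post's line verbatim; lines 2 and 3 are made up for contrast.
SAMPLE_LOG = """\
Req ID: 0ae9f57b; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ;FBA cookie: exists=yes, valid=no, updated=no, logged off=no, client type=private, user activity=yes
Req ID: 1b2c3d4e; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ;FBA cookie: exists=yes, valid=yes, updated=yes, logged off=no, client type=private, user activity=yes
Req ID: 5f6a7b8c; Compression: client=No, server=No, compress rate=0% decompress rate=0% ;FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=public, user activity=no
"""

_REQ_ID = re.compile(r"Req ID:\s*([0-9a-fA-F]+)")
_FBA = re.compile(r"FBA cookie:\s*(.*)$")


def parse_fba_line(line):
    """Parse one TMG log line into {'req_id': str, 'fba': {field: value}}.

    Returns None when the line carries no 'FBA cookie:' section. Field names
    may contain spaces ('logged off', 'client type'), so each comma-separated
    item is split on its first '=' and the key is kept whole.
    """
    m_id = _REQ_ID.search(line)
    m_fba = _FBA.search(line)
    if not (m_id and m_fba):
        return None
    fields = {}
    for item in m_fba.group(1).split(","):
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip().lower()
    return {"req_id": m_id.group(1), "fba": fields}


def classify(rec):
    """Assumed reading of the FBA fields (not documented TMG semantics):
    no cookie sent -> 'no-cookie'; cookie accepted -> 'valid';
    explicit logoff -> 'logged-off'; cookie present but invalid -> 'rejected'.
    """
    fba = rec["fba"]
    if fba.get("exists") == "no":
        return "no-cookie"
    if fba.get("valid") == "yes":
        return "valid"
    if fba.get("logged off") == "yes":
        return "logged-off"
    return "rejected"


def rejected_requests(log_text):
    """Return the Req IDs whose FBA cookie was presented but rejected."""
    out = []
    for line in log_text.splitlines():
        rec = parse_fba_line(line)
        if rec and classify(rec) == "rejected":
            out.append(rec["req_id"])
    return out


if __name__ == "__main__":
    for req_id in rejected_requests(SAMPLE_LOG):
        print("cookie rejected on request", req_id)
```

Run against an exported TMG log, this turns the single line quoted in the post into a list of every request where an existing SSO cookie was judged invalid, which makes it easy to correlate the rejections with client OS, listener and host header.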