December 02, 2008 12:00 AM

Protect SharePoint with ISA Server 2006

Easy load balancing and authentication for your SharePoint farms
Windows IT Pro
InstantDoc ID #100941

Forms-Based Authentication
Forms-based authentication uses HTML forms to authenticate users, and ISA Server 2006 supports forms-based authentication to published SharePoint servers. ISA Server 2006 provides three sets of forms: HTML for standard browsers, and Compact HTML (cHTML) and Extensible HTML (XHTML) for mobile browsers. ISA Server serves up the appropriate form based on the User-Agent header sent by the client. In addition, ISA Server 2006 supports three types of forms-based authentication:

  • Password—The user enters the username and password. This type supports AD, LDAP, and Remote Authentication Dial-In User Service (RADIUS) authentication.
  • Passcode—The user enters a username and passcode (i.e., a single-use password such as those generated by security token devices). This authentication type supports SecurID and RADIUS one-time password authentication.
  • Passcode/Password—The user enters a username with passcode and a username with password. The username/passcode combination is used to authenticate to ISA Server using SecurID or RADIUS, and the username/password combination is used for delegation.

The forms used for SharePoint are stored in the \CookieAuthTemplates\ISA folder. This folder contains three subfolders, one each for HTML, cHTML, and XHTML forms. You can customize these forms to brand them or add functionality. For example, you might add disclaimers or notifications to the logon form.

The forms contain input tags, form tags, and placeholders, and you must leave these elements intact for the forms to work. However, you can modify the logon_style.css file to change page and form background color, font style and color, and other visual characteristics of the form. You can also modify the strings.txt file to change the text that ISA Server displays in the forms, as well as to add new text to the file. To add new text, you must add a new, unique placeholder in the form’s .htm file, then add a corresponding entry in the strings.txt file with the same placeholder. ISA Server replaces the placeholder with the text when it displays the form.

You can also change or add graphics for the forms. For example, you might want to include your company logo on the logon form or even use a graphic as the background for the form. The graphics that ISA Server uses by default are stored in the same folder as the .htm files. Changing the graphics is as simple as replacing those graphics files with your own files. You can add additional graphics by modifying the .htm files.

In addition to modifying the existing form sets, you can create a custom form set, enabling you to use the standard set for some web listeners and a custom set for other web listeners. To create a custom set, first create a new folder in the CookieAuthTemplates folder to contain the custom form set. Copy all of the files from the appropriate default form folder (such as HTML) to the new folder. Then modify the forms in the new folder to create your custom set.
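A pre-deployment check for the customization rules above, as an added example that is not from the article or from Microsoft: it compares a customized form with the default it was copied from and reports removed or altered form and input tags, removed placeholders, and new placeholders that have no strings.txt entry. The `@@NAME` placeholder syntax, the `NAME="text"` strings.txt layout, and the sample markup are assumptions made for illustration.

```python
import re

# Assumptions (not from the article): placeholders are written @@NAME in the
# .htm files and strings.txt holds NAME="text" lines. Adjust both patterns to
# match the files in your CookieAuthTemplates folder.
PLACEHOLDER = re.compile(r"@@(\w+)")
STRING_KEY = re.compile(r"^\s*(\w+)\s*=", re.M)
TAG = re.compile(r"<(form|input)\b[^>]*>", re.I)
ATTR = re.compile(r'\b(name|action|method|type)\s*=\s*"([^"]*)"', re.I)

def structural_tags(html):
    """Reduce each form/input tag to the attributes the logon post depends on."""
    tags = set()
    for m in TAG.finditer(html):
        attrs = tuple(sorted((k.lower(), v) for k, v in ATTR.findall(m.group(0))))
        tags.add((m.group(1).lower(), attrs))
    return tags

def check_form(default_html, custom_html, custom_strings):
    """Compare a customized form with the default it was copied from."""
    findings = []
    d_tags, c_tags = structural_tags(default_html), structural_tags(custom_html)
    findings += [("tag-missing-or-altered", t) for t in sorted(d_tags - c_tags)]
    findings += [("tag-added", t) for t in sorted(c_tags - d_tags)]
    d_ph = set(PLACEHOLDER.findall(default_html))
    c_ph = set(PLACEHOLDER.findall(custom_html))
    findings += [("placeholder-removed", p) for p in sorted(d_ph - c_ph)]
    # New placeholders are new text, so each needs a strings.txt entry.
    keys = set(STRING_KEY.findall(custom_strings))
    findings += [("placeholder-without-string", p) for p in sorted(c_ph - d_ph - keys)]
    return findings

# Constructed sample data, not the real ISA Server form markup.
DEFAULT_FORM = '''<form action="/logon" method="post">
@@L_UserName_Text <input type="text" name="username">
@@L_Password_Text <input type="password" name="password">
<input type="hidden" name="curl" value="@@ORIGURL">
</form>'''
GOOD_CUSTOM = DEFAULT_FORM.replace("</form>", "<p>@@L_Disclaimer_Text</p>\n</form>")
GOOD_STRINGS = 'L_UserName_Text="User name:"\nL_Disclaimer_Text="Authorized use only."\n'
# A careless edit: hidden input dropped, new placeholder never defined.
BAD_CUSTOM = GOOD_CUSTOM.replace(
    '<input type="hidden" name="curl" value="@@ORIGURL">\n', ""
).replace("@@L_Disclaimer_Text", "@@L_Notice_Text")

if __name__ == "__main__":
    for finding in check_form(DEFAULT_FORM, BAD_CUSTOM, GOOD_STRINGS):
        print(finding)
```

Running the same comparison against the copy on every array member also catches a server whose custom form set has drifted from the others.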

To use the new form set, create a web listener, then open the property sheet for the web listener and click the Forms tab. Select the option to use customized HTML forms, and specify your custom form set directory. If you’re using an ISA Server array, the custom set’s folder must exist on all servers in the array.

While you’re on the Forms tab of the web listener’s property sheet, note that you can set a couple of other options for forms-based authentication. If you enable the option to let users change their passwords, ISA Server offers that option when users log on. You can also have ISA Server notify users when their password is scheduled to expire within a time period that you specify. After you’ve modified the forms files as needed, restart the Firewall service for the changes to take effect.

Note that ISA Server forms-based authentication as described here is different from forms-based authentication provided as an optional authentication provider for SharePoint. The latter provides a mechanism to store user credentials in a SQL Server database instead of AD, and present a form requesting those credentials from the user during logon to SharePoint.

Performance, Reliability, and User Happiness
Understanding how ISA Server can function as a front end for SharePoint helps you provide a stable, robust load-balancing solution for SharePoint, which ultimately makes it easier to add and remove servers from a farm when necessary. For example, choosing the right monitoring option helps ensure that ISA Server can recognize failures when they occur and adjust to them accordingly. While the capability to customize ISA Server’s authentication forms might not have an impact on performance or reliability, it can improve branding and user experience. After all, like it or not, it’s all about keeping your users happy.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.