Office Integration with MOSS and ADFS

Previously, Office integration with SharePoint secured by forms-based authentication was not possible. The new ability of the Office client applications in Office 2007 SP2 to perform a forms login helps to solve this problem. You will need to install this post-SP2 fix on your client machines to gain this functionality. What is needed in conjunction with it is a means to send an authentication prompt to the Office client if the login cookie doesn't exist or has expired. The Identity Management team at Microsoft, in conjunction with the Microsoft Office team, has developed an HttpModule for SharePoint that does just that. The HttpModule is available as a source code sample download from this blog.

You will need to compile the source to a DLL and then install it to the GAC on the SharePoint front end servers.

To compile, you will need Microsoft Visual C# 2008 edition.

You can download Microsoft Visual C# 2008 Express edition from

a. Extract the code sample locally, for example to c:\Patch

b. Open Microsoft Visual C# 2008

c. From the menu options select File / Open Project and browse to the file c:\Patch\retail\AdfsHttpModule.sln

d. Next, select Build from the menu options

e. When prompted for a password, type “password”

f. The default location of the built DLL is c:\Patch\release\release\bin

To install the compiled DLL to the GAC, use the GACUTIL application. GACUTIL can be obtained by installing the .NET Framework 2.0 SDK.

The command to install it would be:

GACUTIL /i adfsfba.dll

Next, make the following changes to SharePoint:

1. Go to Central Administration, click the Application Management tab, and click the Authentication Providers link.

2. In the Web Applications drop-down list, select the Web application that contains a forms authentication zone, and then click the link for the zone that is configured to use forms authentication.

3. On the Settings page for the zone, select the Enable anonymous access check box, and then set Enable Client Integration? to Yes.


Selecting the Enable anonymous access check box does not, by itself, grant anonymous access to any content in the Web application. However, it is needed to enable the Office client applications to gather enough information about the site to display the logon window.

4. Edit the web.config file as follows on each front end Web server in the farm for the zone that is secured with ADFS:

a. Add the entry for the HttpModule code sample after the ADFS module. You should see an existing entry such as the following.



<add name="Identity Federation Services Application Authentication Module"
     type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />


b. Add the following entry immediately after the existing entry.



name="ADFS Module for Office Forms Based Auth"




c. Add the usettp element in the websso section, as follows.



<usettp enabled="false"/>


After you complete these steps, you can use the Office client in a nearly seamless, integrated experience with SharePoint Server. The authentication prompts for an ADFS-secured site can be further reduced by adding the site for the account logon service (FS-A) to the Local Intranet Zone in Internet Explorer.
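
The web.config edits in step 4 have to be repeated by hand on each front end Web server, so a post-change check for drift is useful. The following Python check is an added example, not part of the original post or of the HttpModule sample; it assumes the module entries are add elements under httpModules and that usettp sits directly inside websso. The server names (WFE1 to WFE3), the sample configs and the type placeholders are constructed.

```python
import xml.etree.ElementTree as ET

ADFS_MODULE = "Identity Federation Services Application Authentication Module"
OFFICE_MODULE = "ADFS Module for Office Forms Based Auth"

def check_web_config(xml_text):
    """Return a list of problems found in one front end's web.config (empty = OK)."""
    problems = []
    root = ET.fromstring(xml_text)

    # Steps 4a/4b: the Office module entry must come immediately after the ADFS entry.
    names = [add.get("name") for mods in root.iter("httpModules")
             for add in mods.findall("add")]
    if ADFS_MODULE not in names:
        problems.append("ADFS module entry not found")
    elif OFFICE_MODULE not in names:
        problems.append("Office FBA module entry not found")
    elif names.index(OFFICE_MODULE) != names.index(ADFS_MODULE) + 1:
        problems.append("Office FBA module is not immediately after the ADFS module")

    # Step 4c: <usettp enabled="false"/> must be present in the websso section.
    websso = next(root.iter("websso"), None)
    usettp = websso.find("usettp") if websso is not None else None
    if websso is None:
        problems.append("websso section not found")
    elif usettp is None:
        problems.append("usettp element missing from websso")
    elif usettp.get("enabled", "").lower() != "false":
        problems.append('usettp is not enabled="false"')
    return problems

def check_farm(configs):
    """Map each front end name to its problems, keeping only servers that have any."""
    results = {name: check_web_config(text) for name, text in configs.items()}
    return {name: probs for name, probs in results.items() if probs}

# Constructed sample input: trimmed web.config files; type values are placeholders.
def _sample(modules, websso_body):
    adds = "".join('<add name="%s" type="PLACEHOLDER"/>' % m for m in modules)
    return ("<configuration><system.web><httpModules>%s</httpModules>"
            "<websso>%s</websso></system.web></configuration>" % (adds, websso_body))

SAMPLE_FARM = {
    "WFE1": _sample([ADFS_MODULE, OFFICE_MODULE], '<usettp enabled="false"/>'),
    "WFE2": _sample([OFFICE_MODULE, ADFS_MODULE], '<usettp enabled="false"/>'),
    "WFE3": _sample([ADFS_MODULE, OFFICE_MODULE], ""),
}

if __name__ == "__main__":
    for server, probs in sorted(check_farm(SAMPLE_FARM).items()):
        print(server, "->", "; ".join(probs))
```

To use it against a real farm, read each front end's web.config into the dictionary passed to check_farm in place of the constructed samples.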