SharePoint 2010 - two web applications - single sign on --> do I need claims based auth.?

Question

Hi! We are planning to create two sharepoint web applications using SharePoint 2010 Enterprise Edition. All Users that have access to web app 1, should also be able to access web app 2. This authentication shall be powered by server 2003 active directory.

--> do I need to use claims based authentication? If so --> can I use Windows Based Authentication with NTLM for that?

The only thing I really want is that users navigating from web app 1 to web app 2 (and vice versa) do not have to authenticate twice.

I do NOT want to configure Kerberos if it is not absolutely necessare though...

Can you give me any hints? Thanks!

Answer 1

ok - I'll try to be more precise:

In our SharePoint 2010 environment, we've got two web applications running

http(s)://humanresources.domain.com http(s)://sales.domain.com Both are running on the same IIS and have host headers configured (with wildcard domain certificate for HTTPS).

Both apps provide a link to the other web application (sales -> humanresources and humanresources -> sales)

Now whenever someone logged in to sales navigates to humaresources, I do not want that that person needs to login again. Therefore I thought I would need claims based authentication???...

Please enlight my brain! :D

Answer 2

IF you are using Active Directory and running both sites within your domain you should not be challenged when users go to either site. It just becomes an implementation issue about who has access to what, either via AD Groups or SharePoint groups.

Claims based authentication is a bit of a different animal. You need to have a security token which contains a number of "claims" about the user, for example UserA is a member of HR and UserB is a member of Sales. Based on these claims you can then have your site/application respond correspondingly. Claims based auth is relatively new for SharePoint and Microsoft and is a bit of steeper learning curve. It may make more sense if you have a mixed mode environment, with both AD and Forms Based Users getting access. However with your described heterogeneous environment it doesn't seem like it's needed.

More info on SharePoint 2010 Authentication is available here.

John

Answer 3

The easiest solution is to create an AD group with the users of both sites and add the group as a user to the Members Sharepoint group of each site. This way users will not have to login at all since Sharepoint will detect the identity of the logged-in user automatically. Why are you asking about login, claims, and why are you using certificates? None of this is necessary in an intranet scenario where the farm and users are in the same domain or if the farm's domain trusts the user's domain. Do you have users accessing the site from outside your domain?

Answer 4

hank you for your answers! @Panagiotis Kanavos - yes we have Users accessing the site from outside our environment: 1) Users which have an AD accound and are working on their laptops outside of our building (e.g.: they have been all day at a customer and are working at home for the remaining hours) 2) We plan to have users without an AD Accound --> Forms Based Authentication: (e.g.: customers accessing our TFS 2010 project protals to get an overview of the project). As far as I know, if you want FBA and WIN-Auth you need to configure Claims Based Authentication... However configuring a Web Application with Claims Based Authentication did not work. I chose "Enable Windows Authentication" together with "Integrated Windows authentication -> NTLM" as we do not have Kerberos configured (and I'd love to leave it like that ;-)). However the Users could not login to that application sometimes, and five minutes afterwards it worked. Additionally, when I added permissions to an AD user, SharePoint seemed to save the Token instead of the Group-/Account Id: e.g.: Instead of MyDomain\user1 it saved something like "0|=MyDomain\user1" and for groups it even only saved weird character strings "022-12.3" Could it be the case, that my 2003 windows AD does not support that?

Answer 5

Hey there!!

Hope you all are doing good!! I've similar requirement where user LogsIn Application A (SP-2010) and gets authenticated by CBA (Claims based authentication) and we need to implement SSS/SSO in SP2010 so that user can access other applications say B (SP2010) and C (SP2007)?

It would be really great if you could share some pointers on the same.