We would like to use Integrated Windows Authentication if a user accesses our SharePoint site from within our organization, and Basic Authentication (using SSL) when someone tries to authenticate from outside our organization. Reading, it seems IE will try Windows Auth no matter what and ignore Basic Auth from outside our organization. This is undesirable because the user is required to enter the DOMAIN in the login box (users are notorious for calling our helpdesk about this). Basic Auth allows us to specify a default domain. Windows Auth does not do this. Hence the desire to use Basic Auth for outside, Windows Auth for inside.

What is the solution to enabling Windows Auth inside the network, and Basic Auth outside our network? Do I need to set up two separate sites inside IIS (one for Windows Auth, another for Basic)? Would this require 2 different host names?

Is there a solution I am not thinking of here?

Thanks all.

+1  A: 

Windows auth uses a protocol to negotiate which authentication method will be used. I've been wrong before, but I don't think you can do both without using two separate virtual directories (which can point to the same physical directory, if you choose). The idea is that you configure a different auth mechanism for each.

kbrimington
This would absolutely require 2 different domain names, correct? One for internal (internal.website.com) and external (external.website.com)? Is there any way to use a single domain name for both? Might be a silly question, as I cannot think of a way, except perhaps a 3rd IIS entry for redirect based upon whether Windows Auth fails or not?
Kolten
Only, perhaps, if you need to apply these authentication settings at the top level. It's a stretch, but you could consider rolling your own authentication module. That would be taking the security protocol into your own hands, though, which would be a bummer. On our network, we use Integrated Windows Auth, and our servers are trusted (via group policy) so that users do not have to manually provide credentials. Is this option not available to you?
kbrimington
+1  A: 

In order to configure different authentication methods on a SharePoint site (assuming you are talking about at least SharePoint 2007) you will need to extend the web application which results in additional sites created in IIS. You will need different host names, one for internal and one for external.

Once extended, Alternate Access Mappings will need to be configured (this is done through Central Admin). Authentication providers can then be configured in the 'Authentication Providers' section in Central Admin. Basic authentication would then be configured for the external site (make sure to use SSL since Basic authentication sends login info in clear text) and the internal site would be configured for integrated Windows authentication. Here are a couple of resources worth noting:

http://technet.microsoft.com/en-us/library/cc262309%28office.12%29.aspx
http://go.microsoft.com/fwlink/?LinkID=79589

Hope that helps.

rfair01
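The two-site layout described in this answer, expressed at the IIS level as an added example (this is not code from the thread or from SharePoint; on a SharePoint farm the same settings are normally applied per zone through Central Admin's Authentication Providers page, so treat this as a way to see or verify what that produces). Assumptions: IIS 7 or later with the WebAdministration module, Windows PowerShell 5.1 for the probe function, and hypothetical site names, host names and domain. The probe at the end matters for the question's IE observation: if one host name advertises both Negotiate/NTLM and Basic, IE chooses the Windows scheme, so each host name should advertise only the scheme you intended.

```powershell
# Added example, not from the original thread. Site names, host names and the
# domain 'CORP' are hypothetical. Requires IIS 7+ and the WebAdministration module.
Import-Module WebAdministration

$AuthSection = 'system.webServer/security/authentication'
# Commit to applicationHost.config <location> tags; the authentication sections
# are locked by default, so writing to a site's web.config would be refused.
$AppHost = 'MACHINE/WEBROOT/APPHOST'

function Set-InternalWindowsAuth {
    param([string]$SiteName)
    # Internal zone: Negotiate/NTLM only, anonymous and Basic switched off.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$AuthSection/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$AuthSection/basicAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$AuthSection/windowsAuthentication" -Name enabled -Value $true
}

function Set-ExternalBasicAuth {
    param([string]$SiteName, [string]$DefaultDomain)
    # External zone: Basic only, with the domain users would otherwise have to type.
    # Basic sends the password base64-encoded, not encrypted, so this site must be
    # reachable over HTTPS only (see Require-HttpsOnly).
    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$AuthSection/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$AuthSection/windowsAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$AuthSection/basicAuthentication" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$AuthSection/basicAuthentication" -Name defaultLogonDomain -Value $DefaultDomain
}

function Require-HttpsOnly {
    param([string]$SiteName)
    # Refuse plain HTTP so Basic credentials never cross the wire in the clear.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

function Get-AuthChallenge {
    # Request a page without credentials and report the schemes offered in
    # WWW-Authenticate. Run it from inside and from outside to confirm each
    # host name advertises exactly one scheme. Written for Windows PowerShell 5.1,
    # where a 401 surfaces as a WebException carrying the HttpWebResponse.
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return "$($resp.StatusCode): no challenge (anonymous access allowed?)"
    } catch [System.Net.WebException] {
        $r = $_.Exception.Response
        if ($null -eq $r) { throw }   # DNS/TLS/connection failure, not an HTTP reply
        $schemes = $r.Headers.GetValues('WWW-Authenticate')
        return "$([int]$r.StatusCode): $($schemes -join ', ')"
    }
}

# Usage with the hypothetical names:
Set-InternalWindowsAuth -SiteName 'SharePoint - internal.website.com'
Set-ExternalBasicAuth   -SiteName 'SharePoint - external.website.com' -DefaultDomain 'CORP'
Require-HttpsOnly       -SiteName 'SharePoint - external.website.com'
Get-AuthChallenge -Url 'https://external.website.com/'   # expect Basic only
Get-AuthChallenge -Url 'http://internal.website.com/'    # expect Negotiate, NTLM only
```

Two checks worth doing after this: confirm the external site has no HTTP binding left over (Require-HttpsOnly rejects plain HTTP, but removing the binding is cleaner), and re-run Get-AuthChallenge after any change in Central Admin, since SharePoint rewrites the IIS authentication settings for a zone when its provider is changed.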
+2  A: 

Assumption: you want to have all users, both internal and external, authenticate against the same Active Directory domain.

If the main goal is for external users to be able to login without typing the domain name, you could use ISA server.

You can have internal users connect directly to your SharePoint server by pointing your internal DNS directly to your SharePoint server. Thus, Windows auth would work for them.

External users could then be pointed to your ISA server (via DNS), and ISA could be configured to show a login page for SharePoint where no domain name is required. (It's a web form that they are filling out, but the authentication happens against Active Directory.)

Getting ISA to work in this way is a little tricky, because you have to get the AAM settings in SharePoint just right. And if you're doing SSL or SQL Reporting Services, it's even more tricky. The main problem is that there are no meaningful error messages telling you what's wrong. But it is possible. :)

We have this set up, and it works great, but it was definitely a pain to get working right.

Tim
Tim Larson
Instead of using ISA, could I not just 'roll my own' authentication page in ASP.NET? We have control of both external and internal DNS settings, so pointing it wouldn't be a problem. I am unsure of the benefit of using ISA here though (I have little experience with it) - what benefits is it offering me in this situation?
Kolten