How To: Expose a SharePoint Application to the Extranet And Use Forms-based Authentication

If you want to share information between users who are within the corporate domain and external users, you must extend the SharePoint Web application to create an extranet-facing access point. Extending an existing SharePoint Web application provides a separate Internet Information Services (IIS) Web site. This Web site exposes the same content to all users, even if they are within different security domains. For example, extending the Partner Portal Web application provides access to the same collaboration areas, Contoso product catalog and pricing information to extranet partners as to intranet employees.

Figure: Extending the Web application

When organizations create extranet solutions, they often group external users into a different security domain than internal users. This separation makes it easier to manage different groups of users and to maintain security. SharePoint supports this approach through zones. Each zone can support a different authentication method. Companies often use forms-based authentication (FBA) with Internet-facing zones because it is straightforward to set up and does not require additional hardware. FBA relies upon the ASP.NET forms-based authentication framework. By using the ASP.NET 2.0 pluggable authentication provider model, SharePoint can support authentication for user identities that are stored in a Microsoft SQL Server database, in Active Directory (using Active Directory Application Mode, or ADAM), in an LDAP directory, or in any other source that implements an ASP.NET 2.0 membership provider.

The Partner Portal application uses the standard Microsoft SQL Server provider to store user credentials. Partners of Contoso authenticate to the extranet zone through FBA, while corporate users in the default zone rely upon their existing accounts, which are contained in the corporate Active Directory (AD) store. For more information on the Partner Portal application's security approach, see <insert internal link>. For more information on choosing and implementing authentication on SharePoint, see Plan Authentication Methods on TechNet.

The following procedure is a brief overview of how to enable forms-based authentication. It includes references to more detailed procedures.

To enable forms-based authentication

  1. Extend the SharePoint Web application. See Create or extend Web applications for details. The Partner Portal application uses the default security settings: NTLM, Allow Anonymous set to No and Use Secure Sockets Layer (SSL) set to No. Set Zone to Extranet in the Load Balanced URL section.
  2. Configure the application to use forms-based authentication. See Configure forms-based authentication on TechNet for details. Set the authentication provider under Application security for the Web application to Forms.
  3. Edit the web.config file to register the authentication provider for the SharePoint Web application, the role provider for the SharePoint application and the membership provider (PeoplePicker) for the Central Administration site. For details on the web.config modifications, see Forms Authentication in SharePoint Products and Technologies on MSDN.

Note: When you install the Contoso Web application, the installation script creates the extended Web site but seems to extend the application to the Intranet zone. This is misleading but it is only a labeling issue. The SharePoint STSADM Extendvsinwebfarm command extends Web applications in the following order: Intranet zone, Internet zone, Custom zone, Extranet zone. In order to create the correct extranet label, every zone in between would have to be created, which significantly extends the installation time.
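
For step 3, the provider registration in the extranet zone's web.config looks roughly like the fragment below. This is an added example, not taken from the Partner Portal source; the provider names, connection string name, server and database names, applicationName and password-policy values are assumptions.

```xml
<!-- Added example: elements to merge into the web.config of the extranet
     (FBA) zone's IIS site. All names and policy values are assumptions. -->
<configuration>
  <connectionStrings>
    <!-- Integrated Security keeps a SQL password out of web.config; the
         application pool account needs access to the membership database. -->
    <add name="FbaSqlConnection"
         connectionString="Data Source=SQLSERVER01;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- Membership provider: validates partner credentials against SQL Server.
         Hashed storage with retrieval disabled means passwords cannot be
         read back from the database; lockout limits online guessing. -->
    <membership defaultProvider="FbaMembers">
      <providers>
        <add name="FbaMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaSqlConnection"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Role provider: resolves SQL-stored roles that SharePoint permissions
         can be granted to. applicationName must match the membership entry. -->
    <roleManager enabled="true" defaultProvider="FbaRoles">
      <providers>
        <add name="FbaRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaSqlConnection"
             applicationName="/" />
      </providers>
    </roleManager>
    <!-- With Use SSL set to No (the settings in step 1), the login form posts
         credentials over plain HTTP. On a zone that has an HTTPS binding,
         requireSSL="true" on the <forms> element keeps the authentication
         cookie off unencrypted connections. -->
  </system.web>
</configuration>
```

The Central Administration web.config registers the same two providers, but its roleManager defaultProvider stays AspNetWindowsTokenRoleProvider because that site still authenticates with Windows accounts.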

More Information

For more information about forms-based authentication and extending SharePoint Web applications, see the following articles on MSDN and TechNet.


Copyright (c) 2007 by Microsoft Corporation. All rights reserved.

Last edited Jul 9, 2009 at 2:33 PM by ckeyser, version 4
