How To: Expose a SharePoint Application to the Extranet And Use Forms-based Authentication
If you want to share information between users who are within the corporate domain and external users, you must extend the SharePoint Web application to create an extranet-facing access point. Extending an existing SharePoint Web application provides a separate Internet Information Services (IIS) Web site. This Web site exposes the same content to all users, even if they are within different security domains. For example, extending the Partner Portal Web application gives extranet partners access to the same collaboration areas, Contoso product catalog, and pricing information as intranet employees.
Extending the Web application
When organizations create extranet solutions, they often group external users into a different security domain than internal users. This separation makes it easier to manage different groups of users and to maintain security. SharePoint supports this approach through zones. Each zone can support a different authentication method. Companies often use forms-based authentication (FBA) with Internet-facing zones because it is straightforward to set up and does not require additional hardware. FBA relies upon the ASP.NET forms-based authentication framework. By using the ASP.NET 2.0 pluggable authentication provider model, SharePoint can support authentication for user identities that are stored in a Microsoft SQL Server database, in Active Directory (using Active Directory Application Mode, or ADAM), in an LDAP directory, or in any other source that implements an ASP.NET 2.0 membership provider.
The Partner Portal application uses the standard Microsoft SQL Server provider to store user credentials. Partners of Contoso authenticate to the extranet zone through FBA, while corporate users in the default zone rely upon their existing accounts, which are contained in the corporate Active Directory (AD) store. For more information on the Partner Portal application's security approach, see <insert internal link>. For more information on choosing and implementing authentication on SharePoint, see Plan Authentication Methods.
The following procedure is a brief overview of how to enable forms-based authentication. It includes references to more detailed procedures.
To enable forms-based authentication
Note: When you install the Contoso Web application, the installation script creates the extended Web site but appears to extend the application to the Intranet zone. This is misleading, but it is only a labeling issue. The SharePoint STSADM Extendvsinwebfarm command extends Web applications in the following order: Intranet zone, Internet zone, Custom zone, Extranet zone. To create the correct extranet label, every zone in between would have to be created, which significantly extends the installation time.
1. Extend the SharePoint Web application. See Create or extend Web applications for details. The Partner Portal application uses the default security settings: NTLM, Allow Anonymous set to No and Use Secure Sockets Layer (SSL) set to No. Set Zone to Extranet in the Load Balanced URL section.
2. Configure the application to use forms-based authentication. See Configure forms-based authentication on TechNet for details. Set the authentication provider under Application security for the Web application to
3. Edit the web.config file to register the authentication provider for the SharePoint Web application, the role provider for the SharePoint application and the membership provider (PeoplePicker) for the Central Administration site. For details on the web.config modifications, see Forms Authentication in SharePoint Products and Technologies on MSDN.
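A check for the web.config edits in step 3, as an added example that is not part of the original article or of the Partner Portal code: it verifies that the membership and role providers named in Central Administration are actually registered, that their connection strings exist, and that the password and cookie settings suit an extranet-facing zone. The sample file, the provider names `FbaMembers` and `FbaRoles`, and the connection-string names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config for the extended zone. All names are assumptions
# and the type attributes are shortened (a real file uses assembly-qualified names).
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="FbaSql" connectionString="Data Source=SQL01;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" requireSSL="false" />
    </authentication>
    <membership defaultProvider="FbaMembers">
      <providers>
        <add name="FbaMembers" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="FbaSql" passwordFormat="Clear" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="FbaRoles">
      <providers>
        <add name="FbaRoles" type="System.Web.Security.SqlRoleProvider" connectionStringName="MissingConn" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""

def audit_fba(xml_text, member_name, role_name):
    """Return findings for the FBA-related sections of a web.config."""
    root = ET.fromstring(xml_text)
    conns = {a.get("name") for a in root.findall("connectionStrings/add")}
    findings = []
    for section, expected in (("membership", member_name), ("roleManager", role_name)):
        adds = {a.get("name"): a for a in root.findall(f"system.web/{section}/providers/add")}
        if expected not in adds:  # name must match the one entered in Central Administration
            findings.append(f"{section}: provider '{expected}' is not registered")
            continue
        conn = adds[expected].get("connectionStringName")
        if conn not in conns:
            findings.append(f"{section}: connection string '{conn}' is not defined")
        # SqlMembershipProvider defaults to Hashed when the attribute is absent
        if section == "membership" and adds[expected].get("passwordFormat", "Hashed") != "Hashed":
            findings.append("membership: passwordFormat is not Hashed")
    forms = root.find("system.web/authentication[@mode='Forms']/forms")
    if forms is None:
        findings.append("authentication: no forms element under mode=Forms")
    elif forms.get("requireSSL", "false").lower() != "true":
        findings.append("forms: requireSSL is not true, so the login cookie can travel over plain HTTP")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_fba(SAMPLE, "FbaMembers", "FbaRoles")))
```

Setting `requireSSL` to true only works once the zone is served over SSL, which the default settings in step 1 do not enable.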
For more information about forms-based authentication and extending SharePoint Web applications, see the following articles on MSDN and TechNet.
Copyright (c) 2007 by Microsoft Corporation. All rights reserved.