How To: Expose a SharePoint Application to the Extranet And Use Forms-based Authentication
If you want to share information between users within the corporate domain and external users, you must extend the SharePoint Web application to create the extranet-facing access. Extending an existing SharePoint Web application provides a separate Internet Information Services (IIS) Web site that exposes the same content to users who are within different security domains. For example, extending the Partner Portal Web application gives extranet partners and intranet employees access to the same collaboration areas, Contoso product catalog, and pricing information.
Figure xx illustrates the extended Contoso Web application.
The extended Contoso Web application
When organizations create extranet solutions, they often group external users into a different security domain than internal users for better maintainability and security separation. SharePoint supports this approach through a concept called zones. Each zone can support a different authentication method. Companies often use forms-based authentication (FBA) with Internet-facing zones because it is straightforward to set up and does not require additional hardware. FBA relies upon the ASP.NET forms-based authentication framework. By using the ASP.NET 2.0 pluggable authentication provider model, SharePoint supports authentication for user identities that are stored in a Microsoft SQL Server database, in Active Directory (using Active Directory Application Mode, or ADAM), in an LDAP directory, or in any other source that implements an ASP.NET 2.0 membership provider.
The Partner Portal application uses the standard Microsoft SQL Server provider to store user credentials. Partners of Contoso authenticate to the extranet zone through FBA, while corporate users in the default zone rely upon their existing accounts, which are
contained in the corporate Active Directory (AD) store. For more information on the Partner Portal application's security approach, see <insert internal link>. For more information on choosing and implementing authentication on SharePoint, see
Plan Authentication Methods in the SharePoint on TechNet.
Follow these steps to enable forms-based authentication. The values for the various settings are those used by the Partner Portal application.
- Extend the SharePoint Web application.
The Partner Portal application uses the default security settings. These are NTLM, Allow Anonymous set to
No and Use Secure Sockets Layer (SSL) set to No. Set Zone to Extranet in the Load Balanced URL section.
- Configure the application to use forms-based authentication. See
Configure forms-based authentication in the product documentation. Set the authentication provider under Application security for the web application to
- Edit the application’s web.config file to register the authentication provider for the SharePoint Web application, the role provider for the SharePoint application and the membership provider (PeoplePicker) for the Central Administration site. For details
on the web.config modifications see
Forms Authentication in SharePoint Products and Technologies.
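The web.config entries that the last step above refers to, as an added example rather than the Partner Portal's own configuration: it registers the standard SQL Server membership and role providers for the extranet zone and sets the credential-handling attributes worth checking in review (hashed storage, no password retrieval, account lockout). The provider names, connection string name, server and database names, and password-policy values are assumptions.

```xml
<!-- Added example: constructed fragment for the extranet zone's web.config.
     PartnerMembers, PartnerRoles, PartnerFbaDb, the server name and the
     database name are placeholders, not values from the Partner Portal. -->
<configuration>
  <SharePoint>
    <!-- Lets the People Picker run wildcard searches against the FBA provider -->
    <PeoplePickerWildcards>
      <add key="PartnerMembers" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>
  <connectionStrings>
    <!-- Integrated security keeps SQL credentials out of the config file -->
    <add name="PartnerFbaDb"
         connectionString="Data Source=SQLSERVER_PLACEHOLDER;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="PartnerMembers">
      <providers>
        <!-- Hashed storage, no retrieval, lockout after repeated failures -->
        <add name="PartnerMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="PartnerFbaDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="PartnerRoles">
      <providers>
        <add name="PartnerRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="PartnerFbaDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

In the Central Administration web.config, register the same providers but leave the role manager's default provider as `AspNetWindowsTokenRoleProvider`, because Central Administration itself still uses Windows authentication. With Use Secure Sockets Layer (SSL) set to No as in the steps above, the FBA login form posts the password unencrypted, so a zone carrying real partner credentials needs SSL on the zone or in front of it.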
When you install the Contoso Web application, the script creates the extended Web site but seems to extend the application to the Intranet zone. This is misleading but it is only a labeling issue. The SharePoint STSADM
command extends Web applications in the following order: Intranet zone, Internet zone, Custom zone, Extranet zone. In order to create the correct extranet label, every
zone in between would have to be created, which significantly extends the installation time.
For more information about forms-based authentication, see the following articles by Steve Peschka.