This project is read-only.

How To: Expose a SharePoint Application to the Extranet And Use Forms-based Authentication

If you want to share information between users within the corporate domain and external users you must extend the SharePoint Web Application to create the extranet facing access. Extending an existing SharePoint Web application provides a separate Internet Information Services (IIS) Web site that exposes the same content to users who are within different security domains. For example, extending the Partner Portal Web application provides access to the same collaboration areas, Contoso product catalog and pricing information to extranet partners and intranet employees.
Figure xx illustrates the extended Contoso Web application.
FBA Zones.png
Figure xx
The extended Contoso Web application

When organizations create extranet solutions, they often group external users into a different security domain than internal users for better maintainability and security separation. . SharePoint supports this approach through a concept called zones. Each zone can support a different authentication method. Companies often use forms-based authentication (FBA) with internet facing zones because it is straightforward to set up and does not require additional hardware. FBA relies upon the ASP.NET forms-based authentication framework. By using the ASP.NET 2.0 pluggable authentication provider model, SharePoint supports authentication for user identities that are stored in a Microsoft SQL Server database, in Active Directory (using Active Directory Application Mode, or ADAM), in an LDAP directory, or in any other source that implements an ASP.NET 2.0 membership provider.
The Partner Portal application uses the standard Microsoft SQL Server provider to store user credentials. Partners of Contoso authenticate to the extranet zone through FBA, while corporate users in the default zone rely upon their existing accounts, which are contained in the corporate Active Directory (AD) store. For more information on the Partner Portal application's security approach, see <insert internal link>. For more information on choosing and implementing authentication on SharePoint, see Plan Authentication Methods in the SharePoint on TechNet.
Follow these steps to enable forms-based authentication. The values for the various settings are those used by the Partner Portal application.
  1. Extend the SharePoint Web application. See Cannot resolve macro, invalid parameter 'input'.for details. The Partner Portal application uses the default security settings. These are NTLM, Allow Anonymous set to No and Use Secure Sockets Layer (SSL) set to No. Set Zone to Extranet in the Load Balanced URL section.
  2. Configure the application to use forms-based authentication. See Configure forms-based authentication in the product documentation. Set the authentication provider under Application security for the web application to Forms.
  3. Edit the application’s web.config file to register the authentication provider for the SharePoint Web application, the role provider for the SharePoint application and the membership provider (PeoplePicker) for the Central Administration site. For details on the web.config modifications see Forms Authentication in SharePoint Products and Technologies.
When you install the Contoso Web application, the script creates the extended Web site but seems to extend the application to the Intranet zone. This is misleading but it is only a labeling issue. The SharePoint STSADM Extendvsinwebfarm command extends Web applications in the following order: Intranet zone, Internet zone, Custom zone, Extranet zone. In order to create the correct extranet label, every zone in between would have to be created, which significantly extends the installation time.

More Information

For more information about forms-based authentication, see the following articles by Steve Peschka.

Last edited May 28, 2009 at 7:41 PM by ckeyser, version 3


No comments yet.