Using Forms Authentication for SharePoint 2007

What is Authentication?
"Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity." (Quoted from MSDN)
What is Authorization?
"Authorization determines whether an identity should be granted access to a specific resource." (Quoted from MSDN)
What Authentication Types are Supported by SharePoint?
In SharePoint 2003, only Active Directory authentication was supported.  New to SharePoint 2007 is the extensible ASP.NET 2.0 provider model, which allows a range of standard authentication types as well as the ability to create a custom provider.  Listed below are the methods available to authenticate to SharePoint 2007.  Another change from SharePoint 2003 to SharePoint 2007 is Zones.
Windows (Integrated)
  • NTLM (Local Users or Active Directory)
  • Kerberos (Requires Active Directory)
Forms
  • SQL Membership Provider
  • Lightweight Directory Access Protocol (LDAP) Provider
  • Active Directory Provider
  • Active Directory Application Mode (ADAM)
  • Custom Provider
Single Sign-On (SSO)
  • Active Directory Federation Services (ADFS)
  • Other Identity Management Systems (3rd party)
Here is a brief summary of each authentication type listed above.
Windows (Integrated)
NTLM - Is a challenge-response authentication protocol, which allows a client to prove its identity without sending a password to the server by creating a shared context between the two involved parties, and using a shared session key.  This method is used with Active Directory or local accounts.
Kerberos - Requires a trusted third party (Active Directory) to mediate between two entities that want to authenticate to one another, such as a user and a resource.  This is done through a ticketing system known as the Key Distribution Center (KDC), which in this case is Active Directory.  Kerberos communications are encrypted using symmetric cryptography.  Kerberos has another advantage over NTLM, delegation: it can perform a double hop, which means Entity A can forward (delegate) a ticket to Entity B, which can then use Entity A's ticket to authenticate to Entity C.  Kerberos also scales better for large environments because an entity doesn't need to ask another entity to verify its identity; it just presents its ticket to the entity it wants to access.
Forms - Uses an authentication ticket created when the user logs on to a site.  The ticket can be contained in a cookie or passed in a query string.  After the initial authentication, each time a request is received the authentication cookie is retrieved, decrypted and validated against the key that issued it.  The user credentials are stored in one of the user stores listed above, or a custom provider can be created to use another type of store.
SQL Membership - Accesses user credentials from a SQL Membership Database.
Lightweight Directory Access Protocol(LDAP) - Accesses user credentials from a non-Microsoft or Legacy user store.
Active Directory - Accesses user credentials from a Microsoft Active Directory user store.  Can be used to access Active Directory in a different domain or in a hosting scenario.
Active Directory Application Mode (ADAM) - Accesses user credentials from an application-specific, lightweight version of Active Directory.
Custom - Accesses user credentials from a custom defined user store that is not supported by a method above or has specialized features.
Single Sign-On (SSO) - Provides access to resources across domains without the need to provide a credential every time.  The simple answer is you login to your domain and through defined trusts you can be granted access to various resources outside of your own domain.
Active Directory Federation Services(ADFS) - Enables secure Single Sign-On between domains to allow Entities from one Domain to access Entities in another Domain.  This can allow Company A to grant access to a resource on its Domain to Company B by creating a Trust Relationship between the companies and allow specific Entities access to specific resources.
Other Identity Management Systems (3rd Party) - Same concept as ADFS but a 3rd-party solution with a custom SSO module.  This would provide support for systems such as those made by Novell, RSA Security, IBM, Sun Microsystems, SAP and Computer Associates.

What is a Zone?
A zone serves several purposes which include Load Balancing and Authentication boundaries.  SharePoint’s authentication model is specified at the Web Application level, which is associated with an IIS web site.  Site Collections and sub-sites are expressed as part of the application tier and have no physical presence on the file system.  If you choose to implement multiple authentication providers, you can extend the Web Application by extending additional Zones.  Zones allow the site to implement additional authentication providers for the same Web Application.  Zones available are Default, Intranet, Internet, Extranet and Custom; the default Zone is Default. A Web Application can use any single Zone or extend to any combination of them.  When extending a Web Application to a new Zone, a new physical IIS web site is created.
An important thing to note about Zones and Authentication is that the Default Zone needs to use NTLM in order for the Search Index service to crawl content within a Site Collection.  A Policy also needs to be created for the Web Application to allow the account for the Index to read all content for the Web Application.
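The following web.config fragment is an added example, not from the original post, of what the Forms ticket and SQL Membership provider described above look like when configured on the extended (Forms) zone's IIS web site; the Default zone stays on NTLM as noted above.  The connection string name, server, database and provider names are assumed placeholders.

```xml
<!-- Constructed example: web.config of the extended (Forms) zone's IIS web site -->
<configuration>
  <connectionStrings>
    <!-- Assumed name/server; points at a membership database created with aspnet_regsql -->
    <add name="FbaMembershipDb"
         connectionString="Server=SQL01;Database=FbaMembership;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- Forms ticket: encrypted and signed (protection=All), cookie only over HTTPS,
         fixed 30-minute lifetime, and never carried in the query string (UseCookies) -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="false"
             cookieless="UseCookies" />
    </authentication>
    <!-- SQL Membership provider: passwords stored hashed, so retrieval is impossible;
         lockout after 5 bad attempts within a 10-minute window -->
    <membership defaultProvider="FbaSqlMembership">
      <providers>
        <add name="FbaSqlMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Role provider from the same database, used for SharePoint group membership -->
    <roleManager enabled="true" defaultProvider="FbaSqlRoles">
      <providers>
        <add name="FbaSqlRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The same membership and role provider entries also have to be added to the Central Administration web.config so the People Picker can resolve Forms users when granting permissions, and the provider names chosen here are what you select when setting the zone's authentication provider in Central Administration.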

We know the ways to authenticate to SharePoint 2007, so what do all these terms mean?  Below are some links on planning your authentication for SharePoint and information about the different types of authentication. 

Plan authentication methods for SharePoint 2007
Plan for user accounts and authentication - Authentication Samples
About Microsoft NTLM Authentication
About Microsoft Kerberos Authentication
Understanding LDAP (Light Weight Directory Access Protocol)
LDAP Query Basics
Blog: Jeff Schroeder - Setting up ADFS for a Web Application (maybe even SharePoint 2007...)
Identity & Access Management: Create Custom Directories with ADAM
ASP.NET 2.0 Provider Model: Introduction to the Provider Model
