SharePoint can support various authentication scenarios, and it has been used successfully for Internet, intranet, and extranet deployments. With the new features in SharePoint 2010, Microsoft has made substantial improvements to support these scenarios, including multi-authentication scenarios, mixed-mode authentication scenarios, alternate access mappings, and improvements for mobile access.
Configuring Mixed-Mode Authentication Scenarios
Mixed-mode authentication, illustrated in Figure 1, uses the same approach that SharePoint 2007 used for authenticating different types of users with different authentication providers. In mixed-mode authentication, the primary web application uses the default security zone with Windows authentication. To use more than one authentication provider, the primary web application must be extended into another zone, which creates a separate IIS application (IIS web site). Each IIS application requires a unique URL, and a different authentication provider can be configured for each one. SharePoint recognizes the extended IIS applications as zones of the primary web application, so all of them serve the same content (the same content databases); only the URL and the authentication path differ. A web application has at most five zones (Default, Intranet, Internet, Custom, and Extranet), which caps mixed mode at five providers per web application.
Note
An IIS application created for a SharePoint zone supports only a single scheme (HTTP or HTTPS), because each zone has exactly one public URL. Therefore, two IIS applications (two zones) are required to serve the same content over HTTP and over HTTPS individually.
Configuring Multiple Authentication Scenarios
Multi-authentication mode, illustrated in Figure 2, differs in that it allows multiple authentication types to be specified on a single zone of a web application and does not require the web application to be extended. Users reach one URL and choose the type of login they want to use. This mode is available only for web applications that use claims-based authentication; a classic-mode web application still accepts a single provider per zone.
Multiple Authentication Versus Mixed Authentication
Table 1
shows a comparison between multimode authentication and mixed-mode
authentication, and some of the common usage scenarios for each.
Table 1. Multimode Versus Mixed-Mode Authentication
| | Multi-Authentication Mode | Mixed-Mode Authentication |
|---|---|---|
| Advantages | Single URL with multiple authentication providers; open standard (more support for third-party authentication systems); support for complex | Automated authentication |
| Disadvantages | Single prompt for authentication type (users must pick a sign-in method) | Single URL per authentication provider |
| Common use scenarios | Single experience for different types of users; single URL experience; partner/collaboration sites; federation between two organizations | Different protocols on different channels: intranet (HTTP), extranet (HTTPS); isolation of authentication providers: Internet sites, publishing portal authored by employees and consumed by customers |
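The two configurations compared above, as an added PowerShell example that is not part of the original text. It assumes a claims-based web application at http://portal, a host name extranet.contoso.com, and an ASP.NET membership provider "FbaMembers" with role provider "FbaRoles" already registered in the relevant web.config files (that registration is not shown). Mixed mode is done by extending the web application into a second zone; multi-authentication mode binds two providers to the one Default zone.

```powershell
# Added example, not from the original text. Assumed names: http://portal,
# extranet.contoso.com, FbaMembers/FbaRoles providers.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Mixed mode: one provider per zone, one URL per zone ----------------
# Extend the Default-zone (Windows auth) web application into the Extranet
# zone as a second IIS site that serves the same content over HTTPS with
# forms-based authentication only.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider "FbaMembers" `
                                    -ASPNETRoleProviderName "FbaRoles"
New-SPWebApplicationExtension -Identity "http://portal" `
    -Name "Portal - Extranet" `
    -Zone "Extranet" `
    -URL "https://extranet.contoso.com" `
    -Port 443 `
    -HostHeader "extranet.contoso.com" `
    -SecureSocketsLayer `
    -AuthenticationProvider $fba

# --- Multi-authentication mode: several providers on ONE zone -----------
# Only valid for a claims-based web application. Users who hit
# http://portal get a sign-in selector for Windows or forms.
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity "http://portal" -Zone "Default" `
    -AuthenticationProvider $win, $fba

# Check: which providers are bound to each zone of the web application.
$wa = Get-SPWebApplication "http://portal"
foreach ($zone in $wa.IisSettings.Keys) {
    $names = ($wa.IisSettings[$zone].ClaimsAuthenticationProviders |
              ForEach-Object { $_.DisplayName }) -join ", "
    "{0,-10} {1}" -f $zone, $names
}
```

The check at the end is the quickest way to confirm which mode you actually ended up with: one provider listed under each of two zones is mixed mode, two providers under the Default zone is multi-authentication mode.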
Using Alternate Access Mappings in Extranet Deployments
Alternate access mappings (AAM) are rules used by SharePoint that describe how to map incoming web requests to the proper web application and site, and what public URLs to return in the content so that users can navigate the site correctly. Most commonly, AAMs are used with reverse-proxy publishing and load-balancing scenarios. A reverse proxy is a device that sits between the end user and the SharePoint server. An Internet request, typically made via HTTPS, is first received by the reverse proxy, which then forwards it to the SharePoint server as an HTTP request. This is referred to as off-box Secure Sockets Layer (SSL) termination: the TLS session ends at the proxy, and the hop from the proxy to SharePoint travels in clear text unless it is protected separately. AAMs translate the internal URL that SharePoint sees back to the correct public URL, so that links in the generated pages point to the external address and the user navigates the site seamlessly from outside. Without the mapping, SharePoint would emit internal http:// links that either fail or silently downgrade the client from HTTPS. Additional AAM scenarios include forwarding web requests to different port numbers.
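The off-box SSL termination case described above, as an added PowerShell example that is not part of the original text. It assumes SharePoint listens on http://sharepoint in the Default zone, and that the reverse proxy publishes the site as https://portal.contoso.com while forwarding to SharePoint over plain HTTP with the original host header preserved.

```powershell
# Added example, not from the original text. Assumed URLs: http://sharepoint
# (Default zone), https://portal.contoso.com (public), proxy forwards as
# http://portal.contoso.com.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Public URL as the browser sees it, assigned to the Internet zone.
New-SPAlternateURL -WebApplication "http://sharepoint" `
    -Url "https://portal.contoso.com" -Zone "Internet"

# Internal URL as the request arrives at SharePoint after the proxy has
# terminated SSL. -Internal maps it onto the same zone, so SharePoint
# rewrites links in the response back to the public https:// URL.
New-SPAlternateURL -WebApplication "http://sharepoint" `
    -Url "http://portal.contoso.com" -Zone "Internet" -Internal

# Check: every incoming URL and the public URL SharePoint will emit for it.
# The internal http:// entry must show the https:// address as PublicUrl.
Get-SPAlternateURL -WebApplication "http://sharepoint" |
    Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
```

If the proxy rewrites the host header to the internal server name instead, the internal mapping must use that name. Either way the proxy-to-SharePoint hop is unencrypted in this configuration, so it belongs on a network segment you trust, or on a proxy that bridges SSL to SharePoint rather than terminating it.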
Understanding Host-Named Site Collections
In SharePoint, host-named site collections provide a scalable hosting solution with distinct host names or URLs for accessing specific site collections. This allows a user to access a specific root-level site collection using a unique URL, a concept commonly referred to as a "vanity" URL. A single web application can support up to 100,000 host-named site collections. Host-named site collections are only available through the default security zone; users authenticated through other zones cannot access them.
In SharePoint 2010, host-named site collections support off-box SSL termination. With host-named site collections, the reverse proxy must pass the host name through unchanged and cannot change the port number (other than 80 for HTTP and 443 for SSL), because the host name is what SharePoint uses to locate the site collection. Administration of host-named site collections is available through Windows PowerShell commands.
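Creating and verifying a host-named site collection, as an added PowerShell example that is not part of the original text. It assumes a web application at http://sharepoint (Default zone), the vanity host name team1.contoso.com, and an owner account contoso\spadmin.

```powershell
# Added example, not from the original text. Assumed names: http://sharepoint,
# team1.contoso.com, contoso\spadmin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication "http://sharepoint"

# The -Url is the vanity host name; -HostHeaderWebApplication tells
# SharePoint which web application (and therefore which IIS site and
# content databases) will serve it.
New-SPSite -Url "http://team1.contoso.com" `
    -HostHeaderWebApplication $wa `
    -OwnerAlias "contoso\spadmin" `
    -Name "Team 1" `
    -Template "STS#0"

# Check: host-named site collections report HostHeaderIsSiteName = True,
# path-based ones report False.
Get-SPSite -WebApplication $wa -Limit All |
    Where-Object { $_.HostHeaderIsSiteName } |
    Select-Object Url, HostHeaderIsSiteName
```

Two things must be in place for the request to actually land: DNS for team1.contoso.com must resolve to the SharePoint front end (or to the reverse proxy in front of it), and the IIS web site for the Default zone must have a binding with an empty host header, since a binding restricted to the web application's own host name would reject the vanity name before SharePoint ever sees it.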
Examining Mobile Administration for SharePoint Extranets
Mobile administration has been very limited in previous versions of SharePoint. In SharePoint 2010, mobile administration has been improved by supporting common mobile interfaces, by making improvements to leverage mobile technologies such as SMS, and by improving support for accessing SharePoint websites across firewalls using SSL. Mobile views are enabled by default for most lists and libraries. Custom lists and libraries, and libraries that were created in a previous version of SharePoint (via upgrade), are not enabled by default. Some lists and libraries contain views for which a mobile view is not available, such as the datasheet view and the Gantt view.
In SharePoint 2010, users
can enable email and SMS alerts on changes made in SharePoint lists,
libraries, or items. For extranet SharePoint websites that are published
across the firewall using SSL, administrators must specify a
cross-firewall access zone. A cross-firewall access zone is used for
generating proper external client and mobile URLs for mobile alert
messages. This enables users to send an externally accessible URL from
SharePoint by clicking the E-Mail a Link button on the Library Tools or
List Tools on the Ribbon.
Note
To enable SMS alerts in the SharePoint farm, a mobile account for an SMS service must be configured. The mobile account can be configured via Central Administration or PowerShell. In Central Administration, to enable SMS with the same mobile account for the whole farm, click System Settings, and then under E-Mail and Text Messages (SMS), click Configure Mobile Account. To enable SMS with a specific mobile account per web application, under the Application Management section, click Manage Web Applications. On the Web Applications page, choose the web application to configure, and in General Settings on the Ribbon, click Mobile Account.
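The PowerShell side of the two settings above (the mobile account from the note, and the cross-firewall access zone from the preceding paragraph), as an added example that is not part of the original text. It assumes a web application at http://sharepoint whose Internet zone carries the externally reachable HTTPS URL, and an SMS provider endpoint https://sms.example.com/ with user contoso-sms (placeholder values). The property name ExternalUrlZone is the object-model setting I take to back the Central Administration "cross-firewall access zone" option; treat that name as an assumption and confirm it against your farm.

```powershell
# Added example, not from the original text. Assumed: http://sharepoint,
# https://sms.example.com/, user contoso-sms, and that the Internet zone
# holds the public HTTPS URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Farm-wide SMS account. Prompt for the password rather than embedding it in
# the script; it is sent to the provider, so it never belongs in source control.
$smsPassword = Read-Host -Prompt "SMS service password"
Set-SPMobileMessagingAccount -Identity sms `
    -ServiceUrl "https://sms.example.com/" `
    -UserId "contoso-sms" `
    -Password $smsPassword

# Per-web-application account instead of the farm default: add -WebApplication.
# Set-SPMobileMessagingAccount -Identity sms -WebApplication "http://sharepoint" `
#     -ServiceUrl "https://sms.example.com/" -UserId "contoso-sms" -Password $smsPassword

# Cross-firewall access zone: the zone whose public URL is used when
# SharePoint builds links for mobile alerts and E-Mail a Link.
# ExternalUrlZone is the assumed object-model property for this setting.
$wa = Get-SPWebApplication "http://sharepoint"
$wa.ExternalUrlZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Internet
$wa.Update()

# Check: the configured SMS account and the zone now used for external links.
Get-SPMobileMessagingAccount -AccountType sms
"Cross-firewall access zone: " + $wa.ExternalUrlZone
```

The zone you pick here must be the one whose public URL users can reach from outside; pointing it at a zone with an internal-only URL produces alert links that work on the LAN and fail for everyone the alerts were meant for.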