I stumbled upon the above blog post which talks about implementing the custom authentication using Forms based authentication to authenticate users through SiteMinder. I have read couple of other blogs about the same topic but this blog is unique, it explains well in layman terms. However, this blog didn’t mention the technical implementations in detail and didn’t mention anything about providing multiple authentication providers. But it sure will help me for my case where I have to implement dual authentication i.e clients are authenticated through SiteMinder and the internal employees through Active Directory.
Below two blog posts are an excellent help if anyone is looking for implementing more than one authentication mechanism.
Let me clarify why would someone look for implementing multiple authentication: Usually companies and corporations have their user or employee accounts in Windows Active Directory. When Sharepoint/MOSS is installed by default it has the support to authenticate the users in the active directory. Thus, when a web application is extended the default zone which would be the intranet zone authenticates users against the Active Directory. The same application could be extended to an extranet zone still using the Activation Directory. But lets say a company want to provide the sharepoint site to its clients or partners who are not in their employee active directory. The company might have all of its clients/partners in a separate directory or data store like SQL Server or ther LDAP implementations like SiteMinder. So the webapplication should be able to authenticate users both from its employee active directory and the partners or clients who are in a separate directory.
Assuming that all of the users in a SQL Server, the same web application can be extended to internet zone and provide a form based authentication to authenticate users in the SQL Server. If the company wants to have anonymous access i.e anyone can see the default content on the site, the same internet zone properties can be changed to allow anonymous access. Thus a company can have:
- Internet Website which can be accessed by anyone (Limited access)
- Internet/Extranet access for the clients or partners using the form based authentication
- Intranet/Extranet for the employees of the company who could use their Active Directory Credentials.
I would like to add a point which the above 2 blogs didn’t mention but is crucial for the setup to work properly.
The Identity(User Account) of the Application Pool associated to the web application must be given access to both the site related database and the Membership database in SQL Server. Unless this is done, the form based authentication fails even though you are giving the correct user credentials.
On the Internet zone even after enabling the Forms base authentication, opening the site might ask for the windows credentials and then open up the sign in page. If this happens, Enable Anonymous access either through Central Administration or using IIS.
IIS 6.0 Authentication Model: An important part of many distributed applications is the ability to identify someone, known as a principal or client, and to control the client’s access to resources. Authentication is the act of validating a client’s identity. Generally, clients must present some form of evidence, known as credentials, proving who they are for authentication. Typically, credentials include a username/password pair.
SharePoint Portal 2003 is built upon IIS 6.0. Lets first take a look at the authentication model of IIS.
IIS provides a variety of authentication schemes:
Anonymous (enabled by default):
Anonymous authentication allows a user to access web and FTP sites without having to provide a username and password. When a client user accesses a web or FTP site, IIS uses the Internet Guest Account to authenticate that user.
The Internet Guest Account is created when IIS is installed, and it is named IUSR_<Computername>, where <Computername> is the name of the host machine. Having an account to use for anonymous access allows you to configure which resources all anonymous users can access on your server. The anonymous account is also added to the Guests group when IIS is installed, so any restrictions or permissions applied to that group also apply to the account.
When a server uses Basic Authentication, the Web browser (or the FrontPage client) prompts the user for a name and password. The user name and password are then transmitted across HTTP, in clear text. Using this user name and password, IIS authenticates the corresponding Windows NT user.
To use Basic authentication, a user account must be defined on either the local machine or on a trusted domain controller. The account-based access control is all done through the NT File System (NTFS) permissions on the file system.
Integrated Windows authentication:
Integrated Windows authentication is the most secure method of authentication, but it is available only with Internet Explorer. In Integrated Windows authentication, the user’s browser proves itself to the server using a cryptographic exchange during the authentication process.
Integrated Windows authentication supports both the Kerberos v5 and the NTLM (NT LAN Manager) protocols for authentication through the Negotiate package.
Like Basic Authentication, Digest Access Authentication is based on a simple challenge-response method. The Digest scheme challenges using a nonce value (a server-specified data string which may be uniquely generated each time a 401 error is made.). A valid response contains a checksum of the user name, the password, the given nonce value, the HTTP method, and the requested URL. In this way, the password is never sent as easily decoded text, which is Basic Authentication’s biggest weakness.
.NET Passport Authentication:
IIS 6 can use Microsoft’s .NET Passport to authenticate users requesting resources from a web site or a web site virtual directory. The benefit that this solution offers is that the credentials are stored and managed on another server that you are not responsible for building or maintaining. Users can authenticate using the .NET Passport service and then be allowed access to the web site hosted on your WS03 server.
This is an extract from here. I will soon post on sharepoint authentication model and integration with SiteMinder LDAP.