Windows SharePoint Authentication

  • Question

  • Hi all,

    Just beginning with WSS 3.0 and I have a question, please.

    Which is the best way to configure a WSS site for external access via authentication?
    I don't want to implement a recommended extranet scenario.

    My current users are authenticated via an internal Windows domain, and I want a couple of partners to have access to this site, but I don't want to create new users in my AD for these external users.

    So one option is to create another domain and make a trust between the two domains, right?

    Is there any other way? I don't want to use SQL-based users because they are hard to manage for the helpdesk team. What about SSO and Federation Services?

    What is the best way to proceed, in your opinion?

    My regards and thanks for your time :)

     

    Sunday, March 8, 2009 10:16 PM

All replies

  • I feel in this case Web SSO using Federation Services is the right option.
    http://technet.microsoft.com/en-us/library/cc262696.aspx
    Sundar Narasiman
    Monday, March 9, 2009 4:07 AM
  • Hi all,

    I am planning a Windows SharePoint 3 infrastructure and I have some questions about authentication.

    I have a WSS3 server joined to domainA. I have a site http://portal/test with a separate web application pool (separate IIS site). I use integrated authentication on the IIS site and NTLM configured on the WSS portal with the default zone.
    Users on domainA can authenticate fine to this site.

    I want to install a second, separate forest-domain in order to create some users and grant them access to the site http://portal/test

    My implementation path is the following, with some questions.

    Install the new forest-domain with the name domainB and create a one-way trust between the forests.
    Usually the resource forest must trust the other, right? The trust path is not my problem for now.

    Which is the next step?

    Should I extend the site http://portal/test (extend web application pool) in order to give access to users on domainB? Is this necessary? I think we extend the site only when we use different authentication modes, right? I plan to use NTLM authentication for both domains; is this necessary when we plan an extranet scenario? If yes, which zone should I use? The next after default?

    The web.config file: is it something I must consider for NTLM authentication in multi-domain environments, or is it something we modify only with form authentication?

    I think the next step is to add users from domainB to the visitors group on the portal site.

    Is something missing from this plan?

    Sorry for the long post, these are my first steps with WSS3 and I am getting into deep waters.

    Thank you for your time!
    Regards,


    • Merged by Mike Walsh FIN Thursday, March 19, 2009 9:30 AM Seems to be extended version of slightly earlier post.
    Wednesday, March 11, 2009 5:23 PM
  • Domain A will need to Trust Domain B

    See this http://technet.microsoft.com/en-us/library/bb727050.aspx  for more info on Domain Trusts

    As you say, you will need to add Domain B to any sites you wish them to have access to.

    You shouldn't need to modify the web.config to get any of this to work.
    .NET Developer, Brisbane, Australia, http://httpcode.com
    Wednesday, March 11, 2009 10:24 PM
  • Thanks for your response, I made this work on my test site.

    But I am trying to work something out: I have a problem implementing this on my production site. On the test site I created, it works fine. The only difference is that on the production site the application pool's service is a domain account and not a system service.

    Note that I use Kerberos authentication, and it needs advanced configuration when no system service is used for the application pool.

    I tried the setspn command so that the account and the server are enabled for delegation, but it still does not work.

    Any ideas?

    Tuesday, March 17, 2009 7:40 AM
  • Thanks for your response, I made this work on my test site.

    But I am trying to work something out: I have a problem implementing this on my production site. On the test site I created, it works fine. The only difference is that on the production site the application pool's service is a domain account and not a system service.

    Note that I use Kerberos authentication, and it needs advanced configuration when no system service is used for the application pool.

    I tried the setspn command so that the account and the server are enabled for delegation, but it still does not work.

    Any ideas?

    Thanks

    Tuesday, March 17, 2009 7:41 AM
  • Here (after my merge) you see what happens when you post two different threads on the same question instead of following up with a new post in your original thread - i.e. you are forced to write a similar post to both threads ...

    Next time please add the extra detail to your *existing* thread.
    WSS FAQ sites: WSS 2.0: http://wssv2faq.mindsharp.com WSS 3.0 and MOSS 2007: http://wssv3faq.mindsharp.com
    Total list of WSS 3.0 and MOSS 2007 Books (including foreign language titles) http://wss.asaris.de/sites/walsh/Lists/WSSv3%20FAQ/V%20Books.aspx
    Thursday, March 19, 2009 9:32 AM
  • Thank you, and sorry for the inconvenience.
    Thursday, March 19, 2009 9:36 AM
  • Hi all again,

    I changed the application pool account to network and also changed the Kerberos authentication on SharePoint to NTLM in order to isolate these parameters in my problem.

    I have two identical sites on my Windows SharePoint server with the same permissions assigned, but I still cannot authenticate users from the other forest on my production site. The test site works fine with cross-forest authentication!!!

    I have checked everything, at least I believe so.

    I started to investigate the logging and monitoring on IIS and Windows SharePoint Services when the user tries to log in to my production site and gets the "You are not authorized to view this page" "HTTP Error 403 - Forbidden", and compared the logs with those of a successfully logged-in user.

    The only difference was in sc-status 302, but I think it is now related to my problem.

    Log investigation on WSS is more complex and too long. Is there something I must pay attention to in the logs?

    Generally speaking, any ideas why I cannot authenticate the external users on the production site?

    I even checked the SQL permissions on the DB, but still nothing.

    Thanks for your time once again.

    Thursday, March 19, 2009 4:28 PM
  • I found the following error in the SharePoint log:

    PermissionMask check failed. asking for 0x00040000, have 0x00000000

    I think it's related to my case; I captured this at the time the user tried to log on to the page.

    But I did not find any info on the web.

    Does anybody have an idea?

    Thanks!!
    Thursday, March 19, 2009 7:35 PM
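
Added example (not part of the thread): a Python sketch that pulls `PermissionMask check failed` entries out of SharePoint log lines and names the permission bits that were requested but not held. It assumes the masks follow the `Microsoft.SharePoint.SPBasePermissions` bit layout, of which only a subset is listed; the timestamps, process name and every sample message except the one quoted in the last post are constructed.

```python
import re

# Subset of Microsoft.SharePoint.SPBasePermissions (low 32 bits).
# Assumption: the masks in the log message use this enum's bit layout.
SP_BASE_PERMISSIONS = {
    0x00000001: "ViewListItems",
    0x00000020: "OpenItems",
    0x00001000: "ViewFormPages",
    0x00010000: "Open",
    0x00020000: "ViewPages",
    0x00040000: "AddAndCustomizePages",
    0x08000000: "BrowseUserInfo",
}

MASK_RE = re.compile(
    r"PermissionMask check failed\. asking for 0x([0-9A-Fa-f]+), have 0x([0-9A-Fa-f]+)"
)

def decode(mask):
    """Name every set bit; bits outside the subset above are shown as hex."""
    names, bit = [], 1
    while bit <= mask:
        if mask & bit:
            names.append(SP_BASE_PERMISSIONS.get(bit, f"0x{bit:08X}"))
        bit <<= 1
    return names

def failed_checks(lines):
    """Return one record per failed check with the bits that were missing."""
    records = []
    for line in lines:
        m = MASK_RE.search(line)
        if not m:
            continue
        asked, have = int(m.group(1), 16), int(m.group(2), 16)
        records.append({
            "asked": decode(asked),
            "missing": decode(asked & ~have),
            # have == 0: no permission bits at all were held in this check
            "no_rights": have == 0,
        })
    return records

# Constructed sample: only the first message text comes from the thread.
SAMPLE = [
    "03/19/2009 19:31:02 w3wp.exe PermissionMask check failed. asking for 0x00040000, have 0x00000000",
    "03/19/2009 19:31:05 w3wp.exe PermissionMask check failed. asking for 0x00030000, have 0x00010000",
    "03/19/2009 19:31:07 w3wp.exe Site request completed",
]

if __name__ == "__main__":
    for rec in failed_checks(SAMPLE):
        print(rec)
```

A record with `no_rights` set means the identity was resolved but held none of the listed rights, which separates an authorization gap from a failed logon when comparing a working and a failing site.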