Tuesday, May 19, 2009

Microsoft Office Sharepoint Authentication Explained

In order for people to use a MOSS web application, the web application must validate the person’s identity. This process is known as authentication. MOSS is not a directory service and the actual authentication process is handled by IIS, not MOSS.

However, MOSS is responsible for authorization to MOSS sites and content after a user successfully authenticates. Authentication happens like this: A user points their browser at a MOSS site and IIS performs the user validation using the authentication method that is configured for the environment.

If the user authentication is successful, then MOSS renders the web pages based on the access level of the user. If authentication fails, the user is denied access to the MOSS site. Authentication methods determine which type of identity directory can be used and how users are authenticated by IIS. MOSS supports three methods of authentication: Windows, ASP.NET Forms, and Web Single Sign-On.

Windows Authentication is the most common authentication type used in MOSS intranet deployments because it uses Active Directory to validate users. When Windows Authentication is configured, IIS uses the Windows authentication protocol that is configured in IIS. NTLM, Kerberos, certificates, basic, and digest protocols are supported. When Windows authentication is configured, the security policies which are applied to the user accounts are configured within Active Directory. For example, account expiration policies, password complexity policies, and password history policies are all defined in Active Directory and not in MOSS. When a user attempts to authenticate to a MOSS web application using Windows authentication, IIS validates the user against NTFS and Active Directory, and once the validation occurs the user is authenticated and the access levels of that user are then applied by MOSS.

Anonymous access is considered to be a Windows authentication method because it associates unknown users with an anonymous user account (IUSR_MACHINENAME). Anonymous access is commonly used in internet Web sites and in situations where web site users will not have their own user accounts. Since exposing content to unknown users is risky, this configuration is disabled by default. In order to configure anonymous access to a MOSS web application, anonymous access must be enabled in IIS, enabled in the MOSS web application, and the anonymous user account must be provisioned throughout the MOSS Web application. Even when anonymous access is configured, there are still several limitations compared to a Windows user. By default, anonymous users are only allowed to read, and they are unable to edit, update, or delete content. Additionally, anonymous users are not able to utilize personalization features such as Microsoft Office integration, check-in/check-out and email alerts. The ASP.NET Forms authentication method is commonly used in situations where a custom authentication provider is required. In other words, where a custom LDAP, SQL Server, or other type of identity repository will be storing user account information. This is common in extranet environments, such as partner collaboration sites, where it is not practical to create Active Directory user accounts for users or a different type of directory is required.

The Web Single Sign-On authentication method is used in environments that have federated identity systems or single sign-on systems configured. In this type of environment, an independent identity management system integrates user identities across heterogeneous directories and provides the user validation for IIS. Some examples of identity management systems with single sign-on capability include Microsoft Identity Information Server with Active Directory Federation Services, Oracle Identity Management with Single Sign-On and Web Access Control, Sun Microsystems Java System Identity Manager, and Netegrity SiteMinder.

Large enterprises often implement federated identity models to ease the administration of user provisioning and de-provisioning for systems that span across companies. Single Sign-On systems are used to consolidate user accounts across heterogeneous systems, allowing the end user to authenticate to systems with one set of credentials, rather than to use a different set of credentials for each unique system. In MOSS, it is possible to configure web applications to use a combination of authentication methods. This provides a great deal of flexibility because it makes it possible to serve a web application to different user bases which have different identity requirements. For example, an organization may have a Project Collaboration Web site that is used by employees and partners.

For security and compliance reasons, it is necessary to store employee user accounts in Active Directory and partner user accounts in a SQL Server database. In this case, MOSS can be configured to use Windows authentication and ASP.NET Forms authentication. This is achieved by defining various zones and associated authentication methods to the zones. In the example above, an intranet zone would be configured with Windows authentication and an extranet zone would be configured with ASP.NET Forms authentication.

No comments: