AF010234232 Planning an Extranet Environment for Windows SharePoint Services


  • 7/27/2019 AF010234232 Planning an Extranet Environment for Windows SharePoint Services


Planning an Extranet Environment for Windows SharePoint Services

Microsoft Corporation

Published: April 2009

Author: Microsoft Office System and Servers Team ([email protected])

Abstract

This guide provides planning recommendations for deploying Windows SharePoint Services 3.0 in an extranet environment. It discusses the extranet topologies that are supported and details the hardening requirements for servers within an extranet environment. The audiences for this guide include information architects, IT generalists, and program managers who are planning to make Windows SharePoint Services 3.0 sites accessible from the Internet.

The content in this book is a copy of selected content in the Windows SharePoint Services technical library (http://go.microsoft.com/fwlink/?LinkId=81199) as of the publication date. For the most current content, see the technical library on the Web.


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer, OneNote, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

Planning an Extranet Environment for Windows SharePoint Services
  Abstract
  Contents
  Getting Help

Plan for redundancy
  About redundancy
  Define server redundancy requirements
  Plan for a limited server deployment
  Plan for a minimum level of server redundancy
    Four-server farm
    Five-server farm
    Three-server farm
  Choosing a baseline server farm topology
  Plan front-end Web server redundancy
  Plan search server redundancy
  Plan database server redundancy
  Select a baseline topology

Design extranet farm topology
  About extranet environments
  Planning for extranet environments
  Edge firewall topology
  Back-to-back perimeter topology
  Split back-to-back topology

Plan authentication methods
  About authentication
  Supported authentication methods
  Configure authentication
  Plan authentication for crawling content
    Planning zones for your authentication design
  Choose methods of authentication allowed in your environment
  Worksheet

Plan authentication settings for Web applications
  Plan authentication settings
    Authentication type
    Anonymous access
    Client integration
    Settings for ASP.NET forms authentication and Web SSO
  Plan authentication exclusions
  Worksheet

Plan security hardening for extranet environments
  Network topology
  Domain trust relationships
  Communication with server-farm roles
  Communication with infrastructure server roles
  Active Directory communication between network domains

Plan security hardening for server roles within a server farm
  About security hardening
  Application server recommendations
  Secure communication with the Microsoft SQL Server database
    Blocking the standard SQL Server ports
    Configuring SQL Server database instances to listen on a nonstandard port
    Configuring SQL client aliases
    Hardening steps
  File and Printer Sharing service requirements
  Service requirements for e-mail integration
  Windows SharePoint Services services
  Accounts and groups
  Web.config file
  Secure snapshot additions

Plan security for an external secure collaboration environment
  Protect back-end servers
  Secure client-server communication
  Secure the Central Administration site
  Secure design checklist
  Plan security hardening for server roles
  Plan secure configurations for Windows SharePoint Services features

Plan security for an external anonymous access environment
  Protect back-end servers
  Configure anonymous access
  Secure the Central Administration site
  Disable incoming e-mail
  Secure design checklist
  Plan security hardening for server roles
  Plan secure configurations for Windows SharePoint Services features

Getting Help

Every effort has been made to ensure the accuracy of this book. This content is also available online in the Office System TechNet Library, so if you run into problems you can check for updates at:

http://technet.microsoft.com/office

If you do not find your answer in our online content, you can send an e-mail message to the Microsoft Office System and Servers content team at:

[email protected]

If your question is about Microsoft Office products, and not about the content of this book, please search the Microsoft Help and Support Center or the Microsoft Knowledge Base at:

http://support.microsoft.com


Plan for redundancy

In this article:

  About redundancy
  Define server redundancy requirements
  Plan for a limited server deployment
  Plan for a minimum level of server redundancy
  Choosing a baseline server farm topology
  Plan Web server redundancy
  Plan search server redundancy
  Plan database server redundancy
  Select a baseline topology

This article describes the options for scaling out redundant server roles included in a Windows SharePoint Services 3.0 farm. After reading this article, you will be able to identify and record the redundancy options that are appropriate for the environment.

For more information about availability, see Plan for availability (http://technet.microsoft.com/en-us/library/cc748832.aspx).

About redundancy

The term redundancy is often misinterpreted to be synonymous with availability. While these concepts are related, they are not the same. Redundancy refers to the use of multiple servers in a load-balanced environment for any of several purposes, such as to improve farm performance, to scale out to accommodate additional users, and to improve availability.

Availability is a more specialized concept that refers to a multiple-server environment that is designed to accept connections and operate normally even when one or more of the servers in the farm are not operational. Therefore, availability implies redundancy, and additionally implies a failover mechanism and several other possible characteristics. A redundant system, however, might not be highly available.

This article describes how to implement redundant servers in a Windows SharePoint Services 3.0 farm.

Define server redundancy requirements

Windows SharePoint Services 3.0 supports scalable server farms for capacity, performance and availability. Typically, capacity is the first consideration in determining the number of server computers to start with. After factoring in performance, availability also plays a role in determining both the number of servers and the size or capacity of the server computers in a server farm.


By the end of this section, you will be able to decide if you need to build expandable capacity into the server deployment topology by deploying redundant servers (three or more servers), or if it makes sense for the organization to plan for a limited server deployment that has no redundant servers.

Plan for a limited server deployment

If you do not need to build additional capacity and performance into the server deployment, the starting point for the server topology is one or two servers. For a limited-use purpose, you can deploy a single server.

Limited-use purposes include the following:

  Installing Windows SharePoint Services 3.0 for evaluation purposes.
  Deploying Windows SharePoint Services 3.0 for a limited purpose (such as for a single department) or for a limited number of users.

The recommended starting point for most Windows SharePoint Services 3.0 deployments is at least two server computers:

  Server 1: Front-end Web server and search server computer
  Server 2: Dedicated SQL Server computer

If you have determined that you do not require server redundancy in the environment, you can now go to the following article to complete the next planning step: Plan for performance and capacity (http://technet.microsoft.com/en-us/library/cc288124.aspx). The completion of this


This topology optimizes the performance of the front-end Web server computers by offloading search to a dedicated server computer.

Three-server farm

There is another alternative for deploying fewer servers. With a three-server farm, you must choose which of the server roles to make redundant: either the Web server role or the database server role.

By adding the third server to the Web tier, you achieve redundancy of the Web server role. The search role can be installed on either Web server. While availability is limited, this topology increases the overall performance of the small farm. Use this topology when performance is more important than data redundancy.


By adding a third server to the database tier, you can help ensure availability of critical data. Plan to use this small-farm topology when availability of your data is critical but temporary loss of user access is acceptable.

Choosing a baseline server farm topology

Each of the server farm topologies described earlier in this article represents a baseline starting point for designing the deployment. The starting point that best suits the organization depends on the server roles for which you require redundancy.

The rest of this article describes the redundancy options for each of the server roles. By the time you are finished with this article, you will be able to identify the baseline topology that can deliver the redundancy that the organization requires. This is the topology that you will use as a baseline when you start planning for capacity and performance.

Plan front-end Web server redundancy

Use this section to:

  Determine if the organization requires redundancy built into the Web tier.
  Plan which Web server load balancing technology to implement.

Most organizations require redundancy at the Web tier. There are a small number of scenarios in which a three-server farm with one server running the Web server role makes sense.

The next step is to plan which load balancing technology to implement. Windows SharePoint Services 3.0 supports two methods of load balancing:

  Software, such as Network Load Balancing (NLB) services in the Microsoft Windows Server 2003 operating system. NLB runs on the front-end Web servers, and uses TCP/IP to route requests. Because NLB (and other software load balancing solutions) runs on the front-end Web servers, it uses the front-end Web system resources, and thereby reduces the resources you can use for serving Web pages. However, the impact on system resources is not great, and a software solution can handle up to 32 front-end Web servers. For more


The database server role affects the availability of your solution more than any other role. If a Web server or an application server fails, these roles can quickly be restored or redeployed. However, if a database server fails, your solution depends on restoring the database server. This can potentially include rebuilding the database server and then restoring data from the backup media. In this case, you can potentially lose any new or changed data dating back to the last backup job, depending on how SQL Server 2005 is configured. Additionally, the solution will be completely unavailable for the time it takes to restore the database server role.

Select a baseline topology

After you identify the redundancy requirements for the individual server roles, review the baseline server topologies and choose the topology that is most appropriate for the environment.


Design extranet farm topology

In this article:

  About extranet environments
  Planning for extranet environments
  Edge firewall topology
  Back-to-back perimeter topology
  Split back-to-back topology

This article can be used with the following model: Extranet Topologies for SharePoint Products and Technologies (http://go.microsoft.com/fwlink/?LinkID=73153&clcid=0x409).

About extranet environments

An extranet environment is a private network that is securely extended to share part of an organization's information or processes with remote employees, external partners, or customers. By using an extranet, you can share any type of content that is hosted by Windows SharePoint Services 3.0, including documents, lists, libraries, calendars, blogs, and wikis.

The following table describes the benefits that the extranet provides for each group.

Remote employees
  Remote employees can access corporate information and electronic resources anywhere, anytime, and any place, without requiring a virtual private network (VPN). Remote employees include:
    Traveling sales employees.
    Employees working from home offices or customer sites.
    Geographically dispersed virtual teams.

External partners
  External partners can participate in business processes and collaborate with employees of your organization. You can use an extranet to help enhance the security of data in the following ways:
    Apply appropriate security and user-interface components to isolate partners and to segregate internal data.
    Authorize partners to use only sites and data that are necessary for their contributions.
    Restrict partners from viewing other partners' data.
  You can optimize processes and sites for partner collaboration in the following ways:
    Enable employees of your organization and partner employees to view, change, add, and delete content to promote successful results for both companies.
    Configure alerts to notify users when content changes or to start a workflow.

Customers
  Makes sites available to customers:
    Provide anonymous access to information about your business.
    Allow clients to log on and participate in a workflow.

Windows SharePoint Services 3.0 provides flexible options for configuring extranet access to sites. You can provide Internet-facing access to a subset of sites on a server farm or make all content on a server farm accessible from the Internet. You can host extranet content inside your corporate network and make it available through an edge firewall, or you can isolate the server farm inside a perimeter network.

Planning for extranet environments

The rest of this article discusses specific extranet topologies that have been tested with Windows SharePoint Services 3.0. The topologies that are discussed in this article can help you to understand the options that are available with Windows SharePoint Services 3.0, including requirements and tradeoffs.

The following sections highlight additional planning activities for an extranet environment.


Plan network edge technology

In each topology, the network edge technology illustrated is one or both of the following products from the Microsoft Forefront Edge suite of products: Microsoft Internet Security and Acceleration (ISA) Server and Intelligent Application Gateway (IAG) 2007. For more information about these Microsoft Forefront Edge products, see the following resources:

  ISA Server home page (http://go.microsoft.com/fwlink/?LinkId=86495&clcid=0x409)
  Network Concepts in ISA Server 2006 (http://go.microsoft.com/fwlink/?LinkId=86497&clcid=0x409)
  Intelligent Application Gateway home page (http://technet.microsoft.com/en-us/library/cc287908.aspx)
  Intelligent Application Gateway 2007 technical library (http://technet.microsoft.com/en-us/library/cc303240.aspx)

Note:

You can substitute a different network edge technology.

IAG Server provides these additional features:

  Information leakage prevention: No residues are left on the client computer, and all cache, temporary files, and cookies are deleted.
  Endpoint, health-based authorization: Administrators can define an access policy that is based not only on the identity of the user and the information that is exposed but also on the condition of the client computer.
  Access SharePoint sites from Outlook Web Access: Users can access SharePoint sites from links sent in e-mail through Outlook Web Access. IAG provides the link translation for links that refer to internal URLs.
  Unified portal: Upon logon, IAG presents to each user the list of SharePoint sites and other applications that are available and authorized for that user.

The following table summarizes the difference between the servers.

Capability                                                       ISA 2006   IAG 2007
Publish Web applications using HTTPS                             X          X
Publish internal mobile applications to roaming mobile devices   X          X
Layer 3 firewall                                                 X          X*
Outbound scenarios support                                       X          X*
Array support                                                    X
Globalization and administration                                 X


The following table summarizes these authentication options and indicates whether a trust relationship is required.

Scenario
  Description

Windows authentication
  If the perimeter domain trusts the corporate network domain, you can authenticate both internal and remote employees by using their corporate domain credentials.

Forms authentication and Web SSO
  You can use forms authentication and Web SSO to authenticate both internal employees and remote employees against an internal Active Directory environment. For example, you can use Web SSO to connect to Active Directory Federation Services (ADFS). Using forms authentication or Web SSO does not require a trust relationship between domains. However, several features of Windows SharePoint Services 3.0 might not be available, depending on the authentication provider. For more information about features that might be affected when forms authentication or Web SSO is used, see Plan authentication settings for Web applications.

For more information about configuring a one-way trust relationship in an extranet environment, see Plan security hardening for extranet environments.
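The no-trust option in the table above (forms authentication against the internal Active Directory) takes the following shape in the extranet Web application's web.config. This is a constructed example added here, not configuration from the guide; the domain corp.example.com, the service account, and the connection and provider names are placeholders.

```xml
<configuration>
  <!-- Constructed example: the LDAP path and bind account are placeholders -->
  <connectionStrings>
    <add name="CorpAdConnection"
         connectionString="LDAP://dc1.corp.example.com/DC=corp,DC=example,DC=com" />
  </connectionStrings>
  <system.web>
    <!-- Windows SharePoint Services 3.0 sign-in page for a forms-authenticated zone;
         the Web server's own domain is not involved in validating these users -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
    </authentication>
    <membership defaultProvider="CorpAdMembership">
      <providers>
        <!-- The provider binds to the corporate domain with explicit credentials,
             so the perimeter domain does not need to trust corp. The perimeter
             Web servers still need LDAP connectivity to the corporate domain
             controller through the inner firewall. -->
        <add name="CorpAdMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="CorpAdConnection"
             connectionUsername="CORP\svc-extranet-ldap"
             connectionPassword="PLACEHOLDER-move-to-protected-configuration"
             connectionProtection="Secure"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The bind password should not stay in clear text: encrypt the membership section with ASP.NET protected configuration (aspnet_regiis -pe) and grant the bind account only the directory read rights it needs. The same provider must also be registered in the Central Administration web.config so that People Picker can resolve accounts from the corporate domain.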

Plan for availability

The extranet topologies described in this article are intended to illustrate:

  Where a server farm is located within an overall network.
  Where each of the server roles is located within an extranet environment.

This article is not intended to help you plan which server roles you need to deploy or how many servers for each role you need to deploy to achieve redundancy. After you determine how many server farms are required for your environment, use the following article to plan the topology for each server farm: Plan for redundancy.


Back-to-back perimeter topology

A back-to-back perimeter topology isolates the server farm in a separate perimeter network, as shown in the following illustration.

This topology has the following characteristics:

  All hardware and data reside in the perimeter network.
  The server farm roles and network infrastructure servers can be separated across multiple layers. Combining the network layers can reduce the complexity and cost.
  Each layer can be separated by additional routers or firewalls to ensure that only requests from specific layers are allowed.
  Requests from the internal network can be directed through the internal-facing ISA server or routed through the public interface of the perimeter network.

Advantages

  Content is isolated to a single farm on the extranet, simplifying sharing and maintenance of content across the intranet and the extranet.
  External user access is isolated to the perimeter network.
  If the extranet is compromised, damage is potentially limited to the affected layer or to the perimeter network.
  By using a separate Active Directory infrastructure, external user accounts can be created without affecting the internal corporate directory.

Disadvantages

  Requires additional network infrastructure and configuration.


    Split back-to-back topologyThis topology splits the farm between the perimeter and corporate networks. The computersrunning Microsoft SQL Server database software are hosted inside the corporate network. Webservers are located in the perimeter network. Search servers can be hosted in either theperimeter network or the corporate network.

In the preceding illustration:

- The search server is hosted inside the perimeter network. This option is illustrated by the blue server inside the dashed line.
- Search servers can optionally be deployed inside the corporate network, with the database servers. This option is illustrated by the gray server inside the dashed line. If you deploy search servers inside the corporate network with the database servers, you must also have an Active Directory environment to support these servers (illustrated as gray servers inside the corporate network).

If the server farm is split between the perimeter network and the corporate network with the database servers located inside the corporate network, a domain trust relationship is required if Windows accounts are used to access SQL Server. In this scenario, the perimeter domain must trust the corporate domain. If SQL authentication is used, a domain trust relationship is not required. For more information about configuring accounts for this topology, see "Domain trust relationships" in the following article: Plan security hardening for extranet environments.

To optimize search performance and crawling, place the search server role inside the corporate network with the database servers. You can also add the Web server role to a search server inside the corporate network and configure this Web server for dedicated use by the search role for content crawling. If you place Web servers in the perimeter network and the search role inside the corporate network, you must configure a one-way trust relationship in which the perimeter network domain trusts the corporate network domain. This one-way trust relationship is required in this scenario to support inter-server communication within the farm, regardless of whether you are using Windows authentication or SQL authentication to access SQL Server.

Advantages

Advantages of the split back-to-back topology include the following:

- Computers running SQL Server are not hosted inside the perimeter network.
- Farm components both within the corporate network and the perimeter network can share the same databases.
- With a separate Active Directory infrastructure, external user accounts can be created without affecting the internal corporate directory.

Disadvantages

- Complexity of the solution is greatly increased.
- Intruders who compromise perimeter network resources might gain access to farm content stored in the corporate network by using the server farm accounts.
- Inter-farm communication is typically split across two domains.


    Plan authentication methods

In this article:

- About authentication
- Supported authentication methods
- Configure authentication
- Plan authentication for crawling content
- Planning zones for your authentication design
- Choose methods of authentication allowed in your environment
- Worksheet

This article describes the authentication methods that are supported by Windows SharePoint Services 3.0. After reading this article, you will be able to:

- Understand how authentication is implemented in Windows SharePoint Services 3.0.
- Identify the authentication methods that are appropriate for your environment.

About authentication

Authentication is the process of validating a user's identity. After a user's identity is validated, the authorization process determines which sites, content, and other features the user can access.

In Windows SharePoint Services 3.0, the authentication process is managed by Internet Information Services (IIS). After IIS performs authentication of users, the security features in Windows SharePoint Services 3.0 perform the authorization process.

For more information about implementing Windows SharePoint Services 3.0 authorization, see Plan site and content security (http://technet.microsoft.com/en-us/library/cc288189.aspx).

Planning for authentication is important not only to protect your solution by validating users' identities, but also to secure user credentials over the network.

Supported authentication methods

Windows SharePoint Services 3.0 provides a flexible and extensible authentication system, which supports authentication for identity management systems that are based or are not based on the Microsoft Windows operating system. By integrating with ASP.NET pluggable authentication, Windows SharePoint Services 3.0 supports a variety of forms-based authentication schemes. Authentication support in Windows SharePoint Services 3.0 enables a variety of authentication scenarios, including:

- Using standard Windows authentication methods.
- Using a simple database of user names and passwords.
- Connecting directly to an organization's identity management system.


    Authentication of system accounts

ASP.NET forms authentication and Web SSO can be used to authenticate only user accounts. The process accounts used to connect to Microsoft SQL Server database software and run the Web farm must be Windows accounts, even when using alternative methods of authentication to authenticate users.

Windows SharePoint Services 3.0 supports SQL Server authentication and local computer process accounts for farms that are not running Active Directory. For example, you can implement local accounts by using identical user names and passwords across all servers within a farm.

Configure authentication

Although configuring Windows authentication is a straightforward process, configuring authentication to use ASP.NET forms or Web SSO requires more planning. This section provides a summary of how authentication is configured in Windows SharePoint Services 3.0. This information will help you understand how to put together an authentication strategy for your solution and determine who in your organization needs to be involved in planning for authentication.


    Configure authentication for SharePoint Web applications

Authentication in Windows SharePoint Services 3.0 is configured at the SharePoint Web application level. The following diagram illustrates a Windows SharePoint Services server farm that is configured to host sites for multiple companies. Authentication is configured separately for each company.

When you initially create or extend a Web application, you are presented with a limited number of authentication options (Kerberos, NTLM, and anonymous). If you are using one of these methods, you can configure authentication when you create or extend the Web application.


The following illustration shows the limited authentication choices that are available when you initially create or extend a Web application:

However, if you are using different authentication settings, select the default authentication options, and then configure authentication after the Web application is created or extended. (To do so, in Central Administration, on the Application Management page, in the Application Security section, select Authentication providers, and then click the zone to open the Edit Authentication page.) The settings that are configured on this page depend on the type of authentication that is selected: Windows, forms, or Web SSO.


    The following illustration shows the Edit Authentication page:

Depending on the authentication choices that you select in Central Administration, additional configuration might be necessary. The following table summarizes the configuration steps based on the authentication method. This table also indicates if specialized roles in addition to SharePoint Administrator are needed.

Authentication method: Anonymous
Additional configuration: None
Specialized roles: None

Authentication method: Basic
Additional configuration: None
Specialized roles: None

Authentication method: Digest
Additional configuration: Configure digest authentication directly in IIS.
Specialized roles: None

Authentication method: Certificates
Additional configuration:
1. Select Windows authentication in Central Administration.
2. Configure IIS for certificate authentication.
3. Enable Secure Sockets Layer (SSL).
4. Obtain and configure certificates from a certification authority (CA).
Specialized roles: Windows Server 2003 administrator, to obtain and configure certificates

Authentication method: NTLM (Integrated Windows)
Additional configuration: None
Specialized roles: None

Authentication method: Kerberos (Integrated Windows)
Additional configuration:
1. Configure the Web application to use Kerberos authentication.
2. Configure a Service Principal Name (SPN) for the domain user account that is used for the application pool identity (application pool process account).
3. Register the SPN for the domain user account in Active Directory.
Specialized roles: IIS administrator

Authentication method: Forms
Additional configuration:
1. Register the membership provider in the Web.config file for the SharePoint Web application.
2. Register the role manager in the Web.config file for the SharePoint Web application (optional).
3. Register the membership provider in the Web.config file for the Central Administration site.
Specialized roles: ASP.NET developer; administrator of the identity management system you are connecting to

Authentication method: Web SSO
Additional configuration: In addition to the configuration steps required for ASP.NET forms authentication, register an HTTP module for the Web SSO provider.
Specialized roles: ASP.NET developer; administrator of the identity management system you are connecting to

    Connect to identity management systems that are external or not based on Windows

To use ASP.NET forms or Web SSO to authenticate users against an identity management system that is not based on Windows or that is external, you must register the membership provider in the Web.config file. In addition to registering a membership provider, you can register a role manager as well. Windows SharePoint Services 3.0 uses the standard ASP.NET role manager interface to gather group information about the current user. Each ASP.NET role is treated like a domain group by the authorization process in Windows SharePoint Services 3.0. You register role managers in the Web.config file the same way you register membership providers for authentication.

If you want to manage membership users or roles from the Central Administration site, you can optionally register the membership provider and the role manager in the Web.config file for the Central Administration site (in addition to registering these in the Web.config file for the Web application that hosts the content).

Ensure that the membership provider name and role manager name that you registered in the Web.config file are the same as the names that you entered in the Central Administration Authentication.aspx page. If you do not enter the role manager in the Web.config file, the default provider specified in the machine.config file might be used instead.

    For example, the following string in a Web.config file specifies a SQL membership provider:

For additional information about using ASP.NET forms authentication to connect to a SQL Server authentication provider, see Authentication samples (http://technet.microsoft.com/en-us/library/cc288259.aspx).
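As an added example (not the guide's own configuration string), the following Python script parses a constructed Web.config fragment that registers a SQL membership provider and a SQL role provider, and checks that the provider names entered on the Edit Authentication page are actually registered, so that the machine.config default is not silently used. The provider names, connection string and server name are assumptions; the element names and the SqlMembershipProvider and SqlRoleProvider types are the standard ASP.NET 2.0 ones.

```python
"""Verify that the providers a forms-authenticated zone names are registered in Web.config."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed Web.config fragment for a SharePoint Web application whose zone
# authenticates against a SQL Server membership database (names are made up).
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="PartnerDb"
         connectionString="Server=sql01;Database=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="PartnerMembers">
      <providers>
        <add name="PartnerMembers"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="PartnerDb"
             passwordFormat="Hashed" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="PartnerRoles">
      <providers>
        <add name="PartnerRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="PartnerDb" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
"""


def _descend(element: Optional[ET.Element], *tags: str) -> Optional[ET.Element]:
    """Walk down child elements by tag name (system.web contains a dot, so avoid XPath)."""
    for tag in tags:
        if element is None:
            return None
        element = next((child for child in element if child.tag == tag), None)
    return element


def registered_providers(config_xml: str, section: str) -> Dict[str, Dict[str, str]]:
    """Return name -> attributes for each <add> under system.web/<section>/providers."""
    providers = _descend(ET.fromstring(config_xml), "system.web", section, "providers")
    if providers is None:
        return {}
    return {add.get("name", ""): dict(add.attrib) for add in providers if add.tag == "add"}


def check_zone_providers(config_xml: str, membership_name: str,
                         role_manager_name: str = "") -> List[str]:
    """Findings for the provider names typed on the Edit Authentication page.

    membership_name and role_manager_name are the values an administrator entered
    in Central Administration; they must match Web.config exactly.
    """
    findings: List[str] = []
    root = ET.fromstring(config_xml)
    cs_section = _descend(root, "connectionStrings")
    known_cs = {a.get("name") for a in (cs_section if cs_section is not None else [])
                if a.tag == "add"}

    members = registered_providers(config_xml, "membership")
    if membership_name not in members:
        findings.append(f"membership provider '{membership_name}' is not registered in Web.config")
    else:
        cs = members[membership_name].get("connectionStringName")
        if cs and cs not in known_cs:
            findings.append(f"membership provider '{membership_name}' uses unknown connection string '{cs}'")

    if role_manager_name:
        rm = _descend(root, "system.web", "roleManager")
        if rm is None or rm.get("enabled", "false").lower() != "true":
            findings.append("roleManager is not enabled in Web.config")
        if role_manager_name not in registered_providers(config_xml, "roleManager"):
            findings.append(f"role manager '{role_manager_name}' is not registered in Web.config; "
                            "the machine.config default provider might be used instead")
    return findings


if __name__ == "__main__":
    # Names as an administrator might have typed them on Authentication.aspx (constructed).
    for finding in check_zone_providers(SAMPLE_WEB_CONFIG, "PartnerMembers", "LdapRoles"):
        print(finding)
```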

Finally, if you are using Web SSO to connect to an external identity management system, you must also register an HTTP module for the Web SSO. An HTTP module is an assembly that is called on every request made to your application. HTTP modules are called as part of the ASP.NET request pipeline. For more information, see Introduction to HTTP Modules (http://go.microsoft.com/fwlink/?LinkId=77954&clcid=0x409).


Integrating with ASP.NET forms authentication places additional requirements on the authentication provider. In addition to registering the various elements in the Web.config file, the membership provider, role manager, and HTTP module must be programmed to interact with Windows SharePoint Services 3.0 and ASP.NET methods, as indicated in the following table:

Category: Membership provider
Description: To work with Windows SharePoint Services 3.0, the membership provider must implement the following methods:
- GetUser(String): Windows SharePoint Services 3.0 calls this method to resolve user names during invitations and to get the user's display name.
- GetUserNameByEmail: Windows SharePoint Services 3.0 calls this method to resolve user names in invitations.
- FindUsersByName, FindUsersByEmail: Windows SharePoint Services 3.0 calls these methods to populate the user picker control on the Add Users page. If the membership provider does not return any users, the picker will not function and administrators will need to type the user name or e-mail address in the Add User text box.

Category: Role manager
Description: The role manager must implement the following methods:
- RoleExists: Windows SharePoint Services 3.0 calls this method during invitations to verify that a role name exists.
- GetRolesForUser: Windows SharePoint Services 3.0 calls this method at access check to gather the roles for the current user.
- GetAllRoles: Windows SharePoint Services 3.0 calls this method to populate the group and role picker. If the role provider does not return any groups or roles, the Windows SharePoint Services 3.0 picker will not function and the administrator will need to type the name of the role in the Add User text box.


    Using different authentication methods to access a site

You can configure Web applications in Windows SharePoint Services 3.0 to be accessed by up to five different authentication methods or identity management systems. The following figure illustrates a partner application that is configured to be accessed by users from two different identity management systems. Internal employees are authenticated by using one of the standard Windows authentication methods. Employees of the partner company are authenticated against their own company's identity management system.

To configure a Web application to be accessed by two or more different authentication systems, you must configure additional zones for the Web application. Zones represent different logical paths of gaining access to the same physical application. With a typical partner application, employees of a partner company access the application through the Internet, while internal employees access the application directly through the intranet.

To create a new zone, extend the Web application. On the Extend Web Application to Another IIS Web Site page, in the Load Balanced URL section, specify the URL and zone type. The zone type is simply a category name applied to the zone and does not affect the configuration of the zone.


After extending the Web application, you can configure a separate authentication method for the new zone. The following figure shows the Authentication Providers page for a Web application that is configured by using two different zones. The default zone is the zone used by internal employees. The Internet zone is configured for partner access and uses ASP.NET forms to authenticate partner employees against the partner identity management system.

Plan authentication for crawling content

To perform successful crawls of content in a Web application, you must understand the authentication requirements of the index component of the search server (also known as the crawler). This section describes how to configure authentication for Web applications to ensure that the content in those Web applications can be successfully crawled.

When a farm administrator creates a Web application by using all default settings, the default zone for that Web application is configured to use NTLM. The farm administrator can change the authentication method for the default zone to any authentication method supported by Windows SharePoint Services 3.0.

The farm administrator can also extend a Web application one or more times to enable additional zones. Up to five zones can be associated with a particular Web application, and each zone can be configured to use any authentication method supported by Windows SharePoint Services 3.0.

    Order in which the crawler accesses zones

When planning the zones for a Web application, consider the polling order in which the crawler accesses zones when attempting to authenticate. The polling order is important, because if the crawler encounters a zone configured to use basic, digest, or Kerberos authentication, authentication fails and the crawler does not attempt to access the next zone in the polling order. If this occurs, the crawler will not crawl content on that Web application.

Tip:

Ensure that a zone configured for NTLM is earlier in the polling order than a zone configured for basic, digest, or Kerberos authentication.


The crawler polls the zones in the following order:

1. Default zone
2. Intranet zone
3. Internet zone
4. Custom zone
5. Extranet zone

The following figure shows the decisions that are made by the authentication system when the crawler attempts to authenticate:


In addition to properly configuring the authentication method, you must ensure that the crawler is authorized to crawl content within the Web application. To do this, you must ensure that the credentials used for the content access account have the Full Read permission level or higher on the Web application that you want to crawl. Farm administrators can use the Policy for Web Application page in Central Administration to create a policy that gives the content access account the Full Read permission level on a particular Web application.

    Crawling host-named site collections

The process and rules illustrated in the previous figure do not apply to host-named site collections. This is because host-named site collections are available only through the default zone. If you do not configure the default zone to use NTLM when deploying host-named site collections, you must configure an alternate method for the index component to access content.

For more information about crawling host-named site collections that are not configured for NTLM authentication, see the following articles:

- Prepare to crawl host-named sites that use forms authentication
- Prepare to crawl host-named sites that use basic authentication

Planning zones for your authentication design

If you plan to implement more than one authentication method for a Web application by using zones, use the following guidelines:

- Use the default zone to implement your most secure authentication settings. If a request cannot be associated with a specific zone, the authentication settings and other security policies of the default zone are applied. The default zone is the zone that is created when you initially create a Web application. Typically, the most secure authentication settings are designed for end-user access. Consequently, the default zone will likely be the zone that is accessed by end users.
- Use the minimum number of zones that is required by the application. Each zone is associated with a new IIS site and domain for accessing the Web application. Only add new access points when these are required.
- If you want content within the Web application to be included in search results, ensure that at least one zone is configured to use NTLM authentication. NTLM authentication is required by the index component to crawl content. Do not create a dedicated zone for the index component unless necessary.
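The crawler polling order from "Plan authentication for crawling content" and the zone guidelines above can be checked before a Web application is extended. The following Python example is added here and is not code from the original guide: it models the crawler's zone polling for a planned zone design and reports the findings a reviewer would raise (no NTLM zone reachable, a blocking zone polled first, host-named site collections on a non-NTLM default zone, no Full Read policy). The polling order, the NTLM success rule and the basic/digest/Kerberos stop rule come from the text; treating anonymous, forms and Web SSO zones as "skipped, try the next zone" is an assumption.

```python
"""Zone polling check for crawling a Windows SharePoint Services 3.0 Web application."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Order in which the index component polls the zones of a Web application (from the guide).
POLLING_ORDER = ["Default", "Intranet", "Internet", "Custom", "Extranet"]
CRAWLABLE = {"NTLM"}                        # the crawler authenticates here
BLOCKING = {"Basic", "Digest", "Kerberos"}  # authentication fails and polling stops


@dataclass
class WebApplication:
    name: str
    zones: Dict[str, str] = field(default_factory=dict)  # zone name -> authentication method
    host_named_site_collections: bool = False
    content_access_has_full_read: bool = False           # Policy for Web Application granted?


def crawl_zone(app: WebApplication) -> Tuple[Optional[str], str]:
    """Return (zone the crawler authenticates through, reason when it cannot)."""
    for zone in POLLING_ORDER:
        method = app.zones.get(zone)
        if method is None:
            continue  # the Web application was not extended into this zone
        if method in CRAWLABLE:
            return zone, ""
        if method in BLOCKING:
            return None, f"{zone} zone uses {method}: crawler fails and stops polling"
        # Assumption: anonymous, forms and Web SSO zones are skipped and polling continues.
    return None, "no zone is configured for NTLM"


def review(app: WebApplication) -> List[str]:
    """Planning findings for the zone design, in the order a reviewer would raise them."""
    findings: List[str] = []
    unknown = sorted(set(app.zones) - set(POLLING_ORDER))
    if unknown:
        findings.append(f"unknown zone name(s): {', '.join(unknown)}")
    if "Default" not in app.zones:
        findings.append("no default zone: it is created with the Web application and cannot be absent")
    zone, reason = crawl_zone(app)
    if zone is None:
        findings.append(f"content will not be crawled: {reason}")
    else:
        if app.host_named_site_collections and app.zones.get("Default") not in CRAWLABLE:
            findings.append("host-named site collections are reachable only through the default zone, "
                            "which is not NTLM; configure an alternate access method for the index component")
        if not app.content_access_has_full_read:
            findings.append("content access account lacks a Full Read policy on the Web application")
    return findings


if __name__ == "__main__":
    # Constructed planning input: Kerberos on the default zone shadows the NTLM extranet zone.
    sample = WebApplication("partner-extranet", {"Default": "Kerberos", "Extranet": "NTLM"})
    for finding in review(sample) or ["no findings"]:
        print(finding)
```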


    Choose methods of authentication allowed in your environment

In addition to understanding how authentication is configured, planning for authentication includes:

- Considering the security context or environment of your Web application in Windows SharePoint Services 3.0.
- Evaluating the recommendations and tradeoffs for each method.
- Understanding how user credentials and related identity data are cached and consumed by Windows SharePoint Services 3.0.
- Understanding how user accounts are managed.
- Ensuring that authentication methods are compatible with browsers that are used by your users.

Worksheet action

Use the Authentication methods worksheet (http://go.microsoft.com/fwlink/?LinkId=77970&clcid=0x409) to identify which authentication methods you are willing to support in your environment and to record your decisions and recommendations for each. This worksheet will be used when planning authentication methods for individual Web applications in Windows SharePoint Services 3.0.

    Recommendations for specific security environments

Your choice of authentication methods will primarily be driven by the security context of your application. The following table provides recommendations based on the most common security environments:

Environment: Internal intranet
Considerations: At a minimum, protect user credentials from plain view. Integrate with the user management system that is implemented in your environment. If Active Directory is implemented, use the Windows authentication methods built into IIS.

Environment: External secure collaboration
Considerations: Configure a separate zone for each partner company that connects to the site. Use Web SSO to authenticate against each partner's own identity management system. This eliminates the need to create accounts in your own identity management system and also ensures that contributor identities continue to be maintained and validated by partner employers. If a contributor is no longer employed by a partner company, the contributor cannot continue to gain access to your partner application.

Environment: External anonymous
Considerations: Enable anonymous access (no authentication) and allow Read-Only permissions for users who connect from the Internet. If you want to provide targeted or role-based content, you can use ASP.NET forms authentication to register users by using a simple database of user names and roles. Use the registration process to identify users by role (such as doctor, patient, or pharmacist). When users log on, your site can present content that is specific to the user role. In this scenario, authentication is not used to validate credentials or to limit who can access the content; the authentication process simply provides a method of targeting content.

    Recommendations and tradeoffs for authentication methods

Understanding the advantages, recommendations, and tradeoffs for each specific authentication method can help you to determine which methods to use in your environment. The following table highlights the recommendations and tradeoffs for each authentication method. For more information about each of the Windows authentication methods supported by IIS, see IIS Authentication (http://go.microsoft.com/fwlink/?LinkId=78066&clcid=0x409).

Authentication method: Windows
Advantages and recommendations:
- Authenticate by using your existing Active Directory accounts.
- Simplify user management.
- Take advantage of Active Directory groups when configuring Windows SharePoint Services 3.0 authorization.
- Avoid writing custom code.
Tradeoffs:
- Each of the methods has its own associated pros and cons.
- Some IIS authentication protocols are not supported by all Web browsers.

Authentication method: ASP.NET forms
Advantages and recommendations:
- Set up Windows SharePoint Services 3.0 in an environment that does not use Active Directory (does not require Windows accounts).
- Authenticate against two or more different identity management systems when creating partner applications.
- Implement a custom authentication scheme using arbitrary criteria.
- Authenticate users coming from the Internet.
Tradeoffs:
- Requires customization of the Web.config file.
- Subject to replay attacks for the lifetime of the cookie, unless using SSL/Transport Layer Security (TLS).

Authentication method: Web SSO
Advantages and recommendations:
- Implement Windows SharePoint Services 3.0 in an environment that uses federated authentication to secure digital identities across organizations and security environments.
- Implement Windows SharePoint Services 3.0 in an environment that provides SSO to services running on disparate platforms, including environments that do not use Active Directory.
- Take advantage of AD FS.
- Authenticate against two or more different identity management systems when creating partner applications.
Tradeoffs:
- Requires an existing federated authentication system.
- Requires customization of the Web.config file.
- AD FS requires SSL. Other SSO systems might have other requirements.


    Management of user accounts

Understanding how Windows SharePoint Services 3.0 handles typical user account management tasks can also influence which authentication method you choose. Generally, users who are members of an authentication provider in one zone can manage accounts across all zones as long as they are granted permissions. The information in the following list applies regardless of which authentication method is implemented:

- Adding and inviting new users: You can add or invite a new user from any zone and all authentication methods that are configured if the membership provider and role manager are registered in the current Web.config file. When you add a new user, Windows SharePoint Services 3.0 resolves the user name against the following sources in the following order:
  1. The UserInfoList table stored by Windows SharePoint Services 3.0. User information will be in this list if users have already been added to another site.
  2. The authentication provider that is configured for the current zone. For example, if a user is a member of the authentication provider that is configured for the default zone, Windows SharePoint Services 3.0 first checks this associated membership provider.
  3. All other authentication providers.
- Deleting users: User accounts are marked as deleted in the Windows SharePoint Services 3.0 database. However, the user record is not removed.

Some user account management behaviors within Windows SharePoint Services 3.0 differ, depending on the authentication provider. The following table highlights several common user account tasks that differ depending on the authentication method that is implemented:

Task: Adding and inviting new users
Windows authenticated accounts: Windows SharePoint Services 3.0 validates user identities by using Active Directory.
ASP.NET forms-authenticated and Web SSO-authenticated accounts: Windows SharePoint Services 3.0 calls the membership provider and the role manager to verify that the user and roles exist.

Task: Changes to logon names
Windows authenticated accounts: Updated user names are automatically recognized by Windows SharePoint Services 3.0. New entries are not added to the UserInfoList table.
ASP.NET forms-authenticated and Web SSO-authenticated accounts: You must delete the old account name and then add the new account name. Permissions cannot be migrated.

Task: Logging on
Windows authenticated accounts: If Integrated Windows authentication (Kerberos or NTLM) is used and the browser is configured to automatically log on, users do not need to manually log on to SharePoint sites. By default, Internet Explorer is configured to automatically log on to intranet sites. If a logon is required (for example, sites that require a different set of credentials), users are prompted only for a user name and password. However, if basic authentication is used, or the user is using a browser that is not configured to automatically log on, users might be prompted for logon credentials when they access a SharePoint site.
ASP.NET forms-authenticated and Web SSO-authenticated accounts: Windows SharePoint Services 3.0 provides a standard logon page for use with forms authentication. This page includes the following fields: user name, password, sign in automatically (to persist the cookie). You can create your own logon page to add additional logon controls (for example, create a new account, or reset password).

    Browser support

Not all browsers work with each of the authentication methods that are supported. Before selecting authentication methods to allow in your environment, determine which browsers you need to support. Then, determine which authentication methods are supported by the browsers. Internet Explorer works with each of the supported authentication methods. Additional browsers that are supported by Windows SharePoint Services 3.0 include:

- Netscape 8.0
- Netscape 7.2
- Mozilla 1.7.12
- Firefox 1.5
- Safari 2.02


Worksheet

Use the following worksheet to record which authentication methods are appropriate for your environment: Authentication methods worksheet (http://go.microsoft.com/fwlink/?LinkId=77970&clcid=0x409)

    The following table represents an example of a completed worksheet:

Authentication method / Allow / Don't allow / Notes and recommendations

Anonymous x
Basic x
Digest x
Certificates x
NTLM (Integrated Windows) x "Use NTLM for all department sites except finance."
Kerberos (Integrated Windows) x "Use Kerberos authentication for sites with a high security service level agreement."
ASP.NET forms x "Use forms authentication to allow partner company access to sites hosted in the partner extranet. We currently allow authentication against the following identity management systems: Active Directory, LDAP. Work with Sidney Higa to develop authentication settings for use with forms authentication."


    Plan authentication settings for Web applications

    In this article:

        Plan authentication settings
        Plan authentication exclusions
        Worksheet

    This article discusses the authentication configuration settings that need to be planned for individual Web applications in Windows SharePoint Services 3.0. Use this article with the Web application authentication settings worksheet (http://go.microsoft.com/fwlink/?LinkID=73334&clcid=0x409). Complete a separate worksheet for each of the following elements that are a part of your solution design in Windows SharePoint Services 3.0:

        New or extended Web applications in Windows SharePoint Services 3.0.
        Additional zones within a Web application (other than the default zone). Include zones that are created for the search account.

    Use completed worksheets with Deploy and configure SharePoint sites [Windows SharePoint Services].

    Plan authentication settings

    This section discusses each of the settings on the Edit Authentication page of the SharePoint Central Administration Web site. To get to this page, on the Application Management page, in the Application Security section, click Authentication providers. Click the zone that you want to modify authentication settings for. The Edit Authentication page opens.

    Depending on the authentication options you choose, you might be able to specify your authentication settings directly when you create or extend the Web application in Windows SharePoint Services 3.0. However, not all options are available when you initially create or extend a Web application. If you cannot configure authentication when you create or extend the Web application, you can accept the default authentication settings initially and then edit the settings on the Edit Authentication page.

    Authentication type

    Select the method that you want to use. If you are planning to allow anonymous access instead of implementing an authentication method listed in this section, select Windows authentication.

    If you select Windows, specify the Windows authentication method in the IIS Authentication Settings section of the Edit Authentication page. If you select Forms or Web single sign on, the options on the Edit Authentication page change to allow you to enter the membership provider name and the role manager name.


    Client integration

    You can disable client integration, which removes features that start client applications. This is the optimal configuration for some scenarios, such as publishing read-only content to the Web for anonymous access. Additionally, if you select ASP.NET forms authentication or Web Single Sign-On (SSO) authentication, client integration is set to No by default.

    Notes: Client integration is disabled by default when you use forms-based authentication. This is because client integration does not natively support forms-based authentication. You might be able to use many client integration features with forms-based authentication, and there are workarounds available to implement varying levels of client integration functionality with forms-based authentication. However, if published workarounds are inadequate, or if you find unexpected issues using workarounds, we do not provide support and there are no product changes to address these issues. If you plan to use client integration with forms-based authentication, you must fully test any available solutions or workarounds to determine if the performance and functionality are acceptable in your environment. Product Support can provide commercially reasonable support to help you troubleshoot published workarounds.

    Expected behaviors when client integration is disabled

    When client integration is disabled, sites behave in the following ways:

        Links that start client applications are not visible.
        Documents are opened in the browser. Documents cannot be opened by client applications.
        Users cannot edit documents on the site directly from the client applications. However, users can download the document, edit the document locally, and then upload the document.

    The following table lists specific menu commands and features that are not available when client integration is disabled.

    Category             Command or feature that is unavailable
    Toolbars             New document
                         Work in Microsoft Office Outlook
                         Open in Windows Explorer
                         Export to spreadsheet
                         Open with Database Program
    Editing documents    Edit in Microsoft Office applications such as Word and Excel
    Views                Explorer view
                         Create an Access view
    Picture libraries    Upload multiple
                         Edit picture
                         Download
                         Send to
    Slide libraries      Publish slide
                         Send to Microsoft Office PowerPoint
    Other                Discuss
                         Connect to Office Outlook

    Behaviors of specific authentication methods

    In addition to the deployment scenario (such as publishing read-only content), the choice of authentication method might determine how to configure client integration. Some authentication methods behave differently with client applications. In some cases, the behavior depends on whether client browsers are configured to use persistent cookies or session cookies.


    The following table summarizes the potential behaviors of client integration when used with specific authentication methods.

    Authentication method: Basic
    Behavior: Users are prompted to enter their credentials each time they access a document. Other features might also require that they enter their credentials again.

    Authentication method: ASP.NET forms and Web SSO
    Behavior: If the following conditions are true, a persistent cookie is created:

        The authentication provider supports persistent cookies.
        The user clicks Sign me in automatically when they log in.

    The persistent cookie is shared by all applications that use the same cookie store and the user can open documents in the client applications. The persistent cookie is created with a default time-out value of 30 minutes. This value can be changed by adding or updating the timeout attribute of the forms node in the Web.config file. For example:

    When the cookie expires, client integration stops working. If users are in a browser, they will be prompted to re-enter credentials.

    If the authentication provider does not support persistent cookies or the user did not click Sign me in automatically when they logged in, a session cookie is used. A session cookie is only accessible by the browser. The user will not be able to open documents directly in the client applications.

    If the authentication provider does not provide support for persistent cookies or if persistent cookies are not allowed in your environment, turn off client integration. For example, Active Directory Federation Services (AD FS) does not provide support for persistent cookies.

    Authentication method: Anonymous
    Behavior: When opening a document, users are repeatedly prompted for their credentials. If they click Cancel in the authentication dialog box 10 times, the site might open the document by using the client application. Because of this poor experience, it is recommended that client integration be turned off for anonymous access scenarios.


    Using the Windows Vista operating system with Internet Explorer 7

    In Windows Vista, Internet Explorer 7 includes an additional security feature called protected mode. By default, protected mode is enabled for the Internet, Intranet, and Restricted Sites zones. Because this feature places persistent cookies in a location that prevents sharing across applications, client integration does not work as intended. To configure Internet Explorer 7 to work with client integration, do one of the following:

        Disable protected mode.
        If protected mode is enabled, add SharePoint sites to the Trusted sites zone in Internet Explorer.

    For information about disabling protected mode, see "Configuring Protected Mode" in Understanding and Working in Protected Mode Internet Explorer (http://go.microsoft.com/fwlink/?LinkId=78098&clcid=0x409).

    Testing client integration settings

    If you are uncertain about how to configure the client integration setting, test the results in a test environment before deploying sites into production. If this setting is changed after it is applied, sites and client applications might behave unusually.

    Worksheet action

    On the Web application authentication settings worksheet (http://go.microsoft.com/fwlink/?LinkID=73334&clcid=0x409), in the Enable Client Integration section, select Yes or No.


    Settings for ASP.NET forms authentication and Web SSO

    If you are implementing ASP.NET forms authentication or Web SSO, you must develop the configuration settings to insert into the applicable Web.config files. See Authentication samples (http://technet.microsoft.com/en-us/library/cc288259.aspx) to review examples of properly configured strings for several common scenarios.

    Worksheet action

    On the Web application authentication settings worksheet (http://go.microsoft.com/fwlink/?LinkID=73334&clcid=0x409), enter the following two types of information:

        Name: The name of the membership provider, role manager, and HTTP module (if applicable). These names appear in the Central Administration site.
        Web.config configuration: Paste the appropriate configuration strings into the worksheet. These strings can be copied from the worksheet into the Web.config files when the Web application is deployed.

    Ensure that the MembershipProvider name and RoleManager name that you registered in the Web.config file are the same as the names that you entered on the Central Administration authentication.aspx page. If you do not enter the role manager in the Web.config file, the default provider specified in the machine.config file might be used instead.

    For example, the following string in a Web.config file specifies a SQL membership provider:

    For more information about requirements for membership providers and role managers, see"Connect to identity management systems that are not based on Windows or that are external" inPlan authentication methods .

    Plan authentication exclusions

    If you are implementing ASP.NET forms authentication or Web SSO, you need to plan for authentication exclusions. If you are implementing Windows authentication, you do not need to read this section.

    When you create or extend a Web application or when you add a zone to a Web application, IIS creates a new Web site. Authentication settings that are registered in the Web.config file for this Web application are inherited by virtual directories below the Web site. Virtual directories that are added below a Web application in Windows SharePoint Services 3.0 are not managed by Windows SharePoint Services 3.0 and are considered to be excluded virtual directories.


    If you are implementing ASP.NET forms authentication or Web SSO and you plan to add virtual directories below these Web sites, you need to decide whether you want these excluded virtual directories to inherit the ASP.NET forms authentication or Web SSO settings.

    Worksheet action

    On the Web application authentication settings worksheet (http://go.microsoft.com/fwlink/?LinkID=73334&clcid=0x409), indicate whether excluded virtual directories will be added in IIS beneath the Web site that corresponds to this Web application in Windows SharePoint Services 3.0. If excluded virtual directories will be added, indicate whether authentication settings should be inherited.

    Use the following procedure to configure IIS so authentication settings are not inherited.

    Configure IIS so authentication settings are not inherited

    1. Add a new IIS virtual directory beneath the IIS Web site that corresponds to the applicable Web application or zone in Windows SharePoint Services 3.0.

    2. In IIS Manager, right-click the new virtual directory, and then click Properties .

    3. Click the Virtual Directory tab.

    4. Click Create (this makes the virtual directory an application).

    5. Click Configuration .

    6. Select the wildcard application maps, and then click Remove .

    7. Click Yes , and then click OK .

    8. Create a new Web.config file at the root of the new virtual directory file system path, and add the following entries:

    Worksheet

    Use the following worksheet to plan and record configuration settings for each of your Web applications in Windows SharePoint Services 3.0.

    Web application authentication settings worksheet (http://go.microsoft.com/fwlink/?LinkID=73334&clcid=0x409)
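    The checks this article asks you to make by hand, written out as an added example (this is not code from the Windows SharePoint Services documentation). It parses a constructed Web.config for a forms-authentication zone and confirms that the membership provider and role manager names match what was entered on the Central Administration authentication.aspx page, that a roleManager entry exists so the machine.config default is not used silently, reads the forms timeout that governs the persistent cookie described under client integration, and verifies that an excluded virtual directory's Web.config overrides the inherited forms settings. The provider names, the connection string, the login URL and the choice to revert the excluded directory to Windows authentication are assumptions of the example.

```python
"""Pre-deployment checks for the forms-authentication Web.config settings.
Added example, not code from the Windows SharePoint Services documentation.
Provider names, the connection string and the login URL are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample: the forms-authentication fragments of a zone's Web.config.
# "PartnerMembership" and "PartnerRoles" are the names assumed to have been
# entered on the Central Administration Edit Authentication page.
FORMS_ZONE_WEBCONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="PartnerMembershipDb"
         connectionString="Server=SQL01;Database=PartnerMembers;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" timeout="60" />
    </authentication>
    <membership defaultProvider="PartnerMembership">
      <providers>
        <add name="PartnerMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="PartnerMembershipDb"
             applicationName="/" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="PartnerRoles">
      <providers>
        <add name="PartnerRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="PartnerMembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
"""

# Constructed sample: a Web.config placed at the root of an excluded virtual
# directory so that it does not inherit the zone's forms authentication.
# Reverting the directory to Windows authentication is an assumption.
EXCLUDED_VDIR_WEBCONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
</configuration>
"""


def provider_names(root, section):
    """Provider names registered under <system.web>/<section>/<providers>."""
    node = root.find("system.web/" + section)
    if node is None:
        return []
    return [p.get("name") for p in node.findall("providers/add")]


def check_forms_zone(webconfig_xml, membership_name, rolemanager_name):
    """Compare a zone's Web.config with the names entered in Central Administration.
    Returns a list of problems; an empty list means the settings agree."""
    root = ET.fromstring(webconfig_xml)
    problems = []
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        problems.append("authentication mode is not Forms")
    if membership_name not in provider_names(root, "membership"):
        problems.append("membership provider %r is not registered" % membership_name)
    role_manager = root.find("system.web/roleManager")
    if role_manager is None or role_manager.get("enabled", "false").lower() != "true":
        # Without a roleManager entry the default provider from machine.config may be used.
        problems.append("roleManager is missing or not enabled")
    elif rolemanager_name not in provider_names(root, "roleManager"):
        problems.append("role provider %r is not registered" % rolemanager_name)
    return problems


def forms_timeout_minutes(webconfig_xml):
    """Lifetime of the forms ticket, and so of the persistent cookie, in minutes.
    ASP.NET uses 30 when the timeout attribute is absent."""
    forms = ET.fromstring(webconfig_xml).find("system.web/authentication/forms")
    if forms is None or forms.get("timeout") is None:
        return 30
    return int(forms.get("timeout"))


def excluded_vdir_uses_windows_auth(webconfig_xml):
    """True when the excluded directory overrides the inherited forms settings."""
    auth = ET.fromstring(webconfig_xml).find("system.web/authentication")
    return auth is not None and auth.get("mode") == "Windows"


if __name__ == "__main__":
    print(check_forms_zone(FORMS_ZONE_WEBCONFIG, "PartnerMembership", "PartnerRoles"))
    print(forms_timeout_minutes(FORMS_ZONE_WEBCONFIG))
    print(excluded_vdir_uses_windows_auth(EXCLUDED_VDIR_WEBCONFIG))
```

    To use it against a deployment, read the real Web.config files from disk in place of the embedded samples; the names passed to check_forms_zone must be the exact strings typed on the authentication.aspx page, because Central Administration looks the providers up by name.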


    Plan security hardening for extranet environments

    In this article:

        Network topology
        Domain trust relationships
        Communication with server-farm roles
        Communication with infrastructure server roles
        Active Directory communication between network domains

    This article details the hardening requirements for an extranet environment in which a Windows SharePoint Services 3.0 server farm is placed inside a perimeter network and sites are available from the Internet or from the corporate network.

    Network topology

    The hardening guidance in this article can be applied to many different extranet configurations. The following figure shows an example implementation of a back-to-back perimeter network topology that illustrates the server and client roles across an extranet environment.

    The purpose of the figure is to articulate each of the possible roles and their relationship to the overall environment. The Central Administration site can be installed to either a Web server or to the Search server (pictured). The routers illustrated can be exchanged for firewalls.


    Domain trust relationships

    The requirement for a domain trust relationship depends on how the server farm is configured. This section discusses two possible configurations.

    Server farm resides in the perimeter network

    The perimeter network requires its own Active Directory directory service infrastructure and domain. Typically, the perimeter domain and the corporate domain are not configured to trust each other. However, to authenticate intranet users and remote employees who are using their domain credentials (Windows authentication), you must configure a one-way trust relationship in which the perimeter domain trusts the corporate domain. Forms authentication and Web SSO do not require a domain trust relationship.

    Server farm is split between the perimeter network and the corporate network

    If the server farm is split between the perimeter network and the corporate network with the database servers residing inside the corporate network, a domain trust relationship is required if Windows accounts are used. In this scenario, the perimeter network must trust the corporate network. If SQL authentication is used, a domain trust relationship is not required. The following table summarizes the differences between these two approaches.

    Description

        Windows authentication: Corporate domain accounts are used for all Windows SharePoint Services 3.0 service and administration accounts, including application pool accounts. A one-way trust relationship, in which the perimeter network trusts the corporate network, is required.

        SQL authentication: Windows SharePoint Services 3.0 accounts are configured in the following ways:
            SQL authentication is used for every database that is created.
            All other administration and service accounts are created as domain accounts in the perimeter network.
            Web servers and search servers are joined to the perimeter network.
        A trust relationship is not required but can be configured to support client authentication against an internal domain controller.
        Note: If search servers reside in the corporate domain, a one-way trust relationship, in which the perimeter network trusts the corporate network, is required.

    Setup

        Windows authentication: Setup includes the following:
            Windows SharePoint Services 3.0 administration and service accounts are created in the corporate domain.
            Web servers and application servers are joined to the perimeter network.
            A trust relationship is established in which the perimeter domain trusts the corporate domain.

        SQL authentication: Setup includes the following:
            All database accounts must be created as SQL login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio. These accounts must be created before the creation of any Windows SharePoint Services 3.0 databases, including the configuration database and the SharePoint_AdminContent database.
            You must use the Psconfig command-line tool to create the configuration database and the AdminContent database. You cannot use the SharePoint Products and Technologies Configuration Wizard to create these databases. In addition to using the -user and -password parameters to specify the server farm account, you must use the -dbuser and -dbpassword parameters to specify SQL authentication accounts.
            You can create additional content databases in Central Administration by selecting the SQL authentication option. However, you must first create the SQL login accounts in SQL Server 2000 Enterprise Manager or SQL Server 2005 Management Studio.
            Secure all communication with the database servers using SSL.
            Ensure that ports used for communication with SQL Server remain open between the perimeter network and the corporate network.

    Additional information

        Windows authentication: The one-way trust relationship allows the Web servers and application servers that are joined to the extranet domain to resolve accounts that are in the corporate domain.

        SQL authentication:
            SQL login accounts are encrypted in the registry of the Web servers and application servers.
            The server farm account is not used to access the configuration database and the SharePoint_AdminContent database. The corresponding SQL login accounts are used instead.

    The information in the preceding table assumes the following:

        Both the Web servers and the application servers reside in the perimeter network.
        All accounts are created with the least privileges necessary, including the following recommendations:
            Separate accounts are created for all administrative and service accounts.
            No account is a member of the Administrators group on any computer, including the server computer that hosts SQL Server.

    For more information about Windows SharePoint Services 3.0 accounts, see Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc288210.aspx).

    For more information about creating databases by using the Psconfig command-line tool, see Command-line reference for the SharePoint Products and Technologies Configuration Wizard (http://technet.microsoft.com/en-us/library/cc288944.aspx).


    Communication with server-farm roles

    When configuring an extranet environment, it is important to understand how the various server roles communicate within the server farm.

    Communication between server roles

    The following figure illustrates the communication channels within a server farm. The table that follows the figure describes the ports and protocols that are represented in the figure. The arrows indicate which server role initiates communication. For example, the Web server initiates communication with the database server. The database server does not initiate communication with the Web server. This is important to know when configuring inbound and outbound communication on a router or firewall.

    Callout   Ports and protocols

    1   Client access (including Information Rights Management (IRM) and search queries), one or more of the following:
            TCP port 80
            TCP/SSL port 443
            Custom ports

    2   File and printer sharing service, either of the following:
            Direct-hosted server message block (SMB) (TCP/UDP 445). Recommended.
            NetBIOS over TCP/IP (TCP/UDP ports 137, 138, 139). Disable if not used.

    3   Search crawling. Depending on how authentication is configured, SharePoint sites might be extended with an additional zone or Internet Information Services (IIS) site to ensure that the index component can access content. This configuration can result in custom ports.
            TCP port 80
            TCP/Secure Sockets Layer (SSL) port 443
            Custom ports

    4   Database communication:
            TCP/SSL port 1433 (default) for the default instance (customizable)
            TCP/SSL random port for named instances (customizable)
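    An added example (not from the documentation) of turning the table above into firewall planning input: each channel is recorded with the role that opens the connection, so the code can list which channels cross a network boundary and in which direction for a given placement of roles. The split-farm placement from the domain trust section (database server inside the corporate network) is used as the sample input. The endpoints of callout 2 (Web server to search server) are an assumption, since the figure is not reproduced on this page, and named-instance random ports are not modeled.

```python
"""Which farm communication channels cross a network boundary, and in which direction.
Added example, not code from the Windows SharePoint Services documentation.
The endpoints of callout 2 are an assumption; the figure is not reproduced here."""

# (initiating role, target role, callout, ports to allow inbound at the target)
FLOWS = [
    ("client", "web", "1 client access", ["TCP 80", "TCP 443"]),
    ("web", "search", "2 file and printer sharing (direct-hosted SMB)", ["TCP 445", "UDP 445"]),
    ("search", "web", "3 search crawling", ["TCP 80", "TCP 443"]),
    ("web", "database", "4 database communication (default instance)", ["TCP 1433"]),
]


def crossing_flows(placement):
    """Channels whose initiator and target sit in different networks.
    placement maps a role to its network, e.g. {"web": "perimeter", ...}.
    Each returned rule is inbound toward the target, because only the
    initiator opens connections (the database server never calls the Web server)."""
    rules = []
    for initiator, target, callout, ports in FLOWS:
        if placement[initiator] != placement[target]:
            rules.append({
                "callout": callout,
                "from_network": placement[initiator],
                "to_network": placement[target],
                "initiator": initiator,
                "target": target,
                "ports": ports,
            })
    return rules


def initiators_toward(role):
    """Roles that must be allowed to open connections to `role`; any other
    inbound traffic to that role can be dropped at the firewall."""
    return sorted({initiator for initiator, target, _, _ in FLOWS if target == role})


def describe(placement):
    """One human-readable line per boundary-crossing rule."""
    return ["%s: allow %s from %s (%s) to %s (%s)" % (
                r["callout"], ", ".join(r["ports"]), r["initiator"], r["from_network"],
                r["target"], r["to_network"])
            for r in crossing_flows(placement)]


if __name__ == "__main__":
    # Constructed placement: the split farm, with the database server inside the corporate network.
    split_farm = {"client": "internet", "web": "perimeter", "search": "perimeter", "database": "corporate"}
    for line in describe(split_farm):
        print(line)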

    Communication between administrator workstations and Central Administration

    The Central Administration site can be installed on any Web server or the search server. Configuration changes that are made through the Central Administration site are communicated to the configuration database. Other server roles in the farm pick up configuration changes that are registered in the configuration database during their polling cycles. Consequently, the Central Administration site does not introduce any new communication requirements to other server roles in the server farm. However, depending on