First, let’s look at intranet users and make a valid assumption that we are working with a Microsoft-based architecture using Active Directory (AD) as the directory services model. Next, partners need to be able to access the MOSS 2007 server, but let’s assume the client doesn’t want to allocate each of them an AD account on its domain, even if that account were locked down. Architecturally, the most obvious solution is Forms Based Authentication (FBA) using a role and membership provider to allocate and authenticate credentials. Finally, let’s give internet users anonymous access to the server.
Of course, we will have planned the security groups that restrict the access accorded to each type of user (intranet, extranet, internet), and we will have strict governance over how and when access is granted between these groups, to have a foolproof solution. So an internet user may have access to published pages but not to the collaborative working areas of the site. Extranet users may only have access to general partner sites and to the dedicated partner sites to which they have been explicitly granted access. Intranet users will have access to general staff areas and any site explicitly granted to them.
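
As an added illustration (not taken from this post or the linked articles), here is a web.config fragment for the FBA side of the scenario, assuming the extranet users reach the web application through their own zone while intranet users stay on Windows authentication. The provider names, connection string name, server and database are placeholders.

```xml
<!-- Added example: web.config fragment for the extranet (FBA) zone only.
     ExtranetMembers, ExtranetRoles, ExtranetUsersDb, SQLSERVER_PLACEHOLDER
     and aspnetdb are placeholder names, not values from this post. -->
<configuration>
  <connectionStrings>
    <!-- Integrated security: the application pool account is granted rights
         on the membership database, so no SQL password sits in this file -->
    <add name="ExtranetUsersDb"
         connectionString="Data Source=SQLSERVER_PLACEHOLDER;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- A forms ticket is a bearer credential: send the cookie over SSL only
         (requireSSL defaults to false), encrypt and validate it, expire it -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx"
             requireSSL="true"
             protection="All"
             timeout="20"
             slidingExpiration="true" />
    </authentication>
    <membership defaultProvider="ExtranetMembers">
      <providers>
        <!-- Store salted hashes, never retrievable passwords, and lock the
             account after 5 failed attempts within a 10 minute window -->
        <add name="ExtranetMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ExtranetUsersDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Roles from this provider are what the partner site permissions are
         granted to, instead of AD groups -->
    <roleManager enabled="true" defaultProvider="ExtranetRoles">
      <providers>
        <add name="ExtranetRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ExtranetUsersDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The same membership and role provider entries also have to be registered in the Central Administration web.config so that FBA users and roles can be resolved when permissions are assigned.
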
There will be many scenarios similar to the one I mentioned above, and the above solution can be one of the answers to this situation. But I still believe this may not be the optimal solution in every case, and hence one needs to know the different authentication methods available. Many articles and blogs have explained each of these methods in detail, so I will not repeat that here; instead, I link to good articles explaining each of these techniques. The methods that exist are:
- NTLM/Kerberos through AD
- Forms Based Authentication (FBA)
- Anonymous Access
- ADAM (Active Directory Application Mode): everybody has his or her own perspective, and one could treat the ADAM method as the one using ASP.NET 2.0 forms-based authentication against a different membership database (AD) for the extranet. That is perfectly fine, but I thought I would mention it separately as it is a unique method.
Reference Links
- http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-multiple-authentication-providers-for-sharepoint-2007.aspx
- https://blogs.pointbridge.com/Blogs/morse_matt/Pages/Post.aspx?_ID=2
- http://www.andrewconnell.com/blog/articles/HowToConfigPublishingSiteWithDualAuthProvidersAndAnonAccess.aspx
- http://www.sharepointu.com/andynoon/archive/2007/07/04/defining-multiple-authentication-providers-to-a-single-moss-2007-web-application.aspx
Since this article is about authentication, I thought I would add the SSO piece here as well, so that users need not go anywhere else to search for it. Here are links to two good articles that solve this mystery:
- http://jcapka.blogspot.com/2009/04/multiple-authentication-providers-and.html
- http://technet.microsoft.com/en-us/library/cc262932.aspx