We have been running WSS 3.0 for our intranet. We are going to be moving our internet site to WSS 3.0. The vast majority of people will access the new internet site anonymously. My question is in regards to the few people who will need to authenticate so that they can access intranet material from the internet.
We are going to host the intranet and internet sites on the same server. WSS 3.0 has already been installed, updated, and configured for our intranet. What would be the best way to set up the internet site collection so that it can be accessed anonymously but also so that when a user authenticates they can access intranet content as well? Currently the only way to access the intranet is to be on the companies domain with credentials that have access to it. What we would like to do, if possible, is use the login form that is built into WSS to make access to intranet content available opposed to setting up a sub domain.
You may use SharePoint alternte mapping feature as described in this article.
Configuring Multiple Authentication Mechanisms with Alternate Access Mappings in Windows SharePoint Services 3.0
I'm assuming that your Internet site collection and intranet site collection are not the same site collection with what I'm about to write. I am assuming, however, that they are housed in the same web application. If that's the case (and I understand enough of the specifics), here's how you'd carry out what you're trying to do:
Establish a Web application to house your site collections. You've already taken care of this (since you have your site collections available to you internally). In setting up a Web application, it (by default) is exposed at a URL (or server:port) through the Default zone mapping. For our purposes here, we'll assume that this is the URL through which you want to access the site internally (on your Intranet).
In order to expose your site collections via the Internet, you're going to want to extend the Web Application housing them. This is done through Central Admininstration > Application Management > Create or Extend Web Application. In extending the Web Application, you're creating another IIS site with (ideally) a publicly-accessible URL that can be exposed to the Internet. You'll be asked to pick a zone as part of the process; given your needs, I'd go with "Internet."
At this point, the Internet zone (you just extended) is still setup to use Windows authentication and Active Directory as it's membership provider. Though you probably want to keep AD as a membership provider (based on what you've stated), you'll probably want to look at enabling Forms-Based Authentication (FBA) on your Internet zone. Microsoft has a video on that here: http://technet.microsoft.com/en-us/windowsserver/sharepoint/dd355701.aspx. Note: you won't want to use the SQL membership provider if you intend to continue using Active Directory accounts. Instead, you'll have to wire-in the Active Directory Membership Provider for FBA. Some info on that can be found here: http://blogs.msdn.com/solutions/archive/2007/08/27/forms-based-authentication-fba-in-wss-3-0-moss-2007.aspx.
At this point, your Default zone site should use NTLM and an intranet-available URL. Your Internet zone site should use FBA and have an Internet-available URL. You'll need to enable anonymous access on your public site collection for the Internet zone. This is done through a combination of Central Administration changes and changes from within the site collection itself (http://www.mindsharpblogs.com/ben/archive/2007/02/11/1557.aspx). Important point: when going into the site collection to enable anonymous access, be sure to go through the Internet URL; don't go through the default zone (i.e., the intranet zone).
With all of these things in-place and your site collections (or more specifically, the IIS site servicing the Internet zone Web application) wired-up to the outside world, you should be good to go.
I made a number of assumptions as I wrote this, so you may (obviously) need to adjust. Setting up anonymous access isn't overly hard, but there are a lot of steps to it. If you hit hiccups along the way, don't be afraid to search for answers. Many folks have done it successfully ... but more often than not, there are challenges along the way.
Good luck!
You can also create a web application for your intranet use, so user's who are in the domain get access through an internal URL authenticated, and then extend that web application for the extranet application for anonymous users....
Related
I am currently trying to decide on a Sharepoint Farm Topology.
Currently (in terms of our needs), I think a simple three tier topology will work.
i.e.
Web Front-End Server
Application Server
Database server
To start with our primary aim will be to use SharePoint as a Intranet. However, on our roadmap we would like to extend some elements of this - as an Extranet with some coustomers.
Should we go with an Extranet option in the future, so do we just (in simple terms) create a new web application in Sharepoint 2013 on the existing web front end, sort out a host header and SSL and a means to manage permissions.
Or could we create a new front-end server, which is only houses a new web application (the Extranet) - but still uses the same Application and Database server (as it will be potentially sharing the some of the same content databases)?
I am primarily a C# Web Developer - which is typically how I view most things. As I am learning - in the world of SharePoint nothing is simple!
If the extranet users need access to the same content, you can stick with option 1 and and Extend the existing Webapplication for Extranet.
Having an issue with users of one domain from viewing a website being hosting on another domain. Both domains are internal, domain1.local & domain2.local.
The website hostname is webapp.domain1.local. It is being hosted on a server webserver.domain2.local. When i view the site off the "Default Web Site" as a sub-webapp, it renders correctly when a user, domain2\user, is accessing the "Default Web Site" it renders correctly. But if the same user were to access the webapp web site, with hostname webapp.domain.local, there is an access denied.
Default Web Site:
Hostname: localhost default for IIS 7.
webapp Web Site:
Hostname: webapp.domain1.local
Both IIS 7 websites having a webapplication named webapp.
According to our Network Administrator, there is an existing passthrough communication handle but seems to be quirky on what gets passed through.
Background
Over the last 5-7 years the company has been absorbing other smaller companies and during this time absorbed a company as big as them and hence the two domains. We are currently in the process of migrating to domain1.local but its taking time cause of the sheer size of domain2.local.
Its hard to say without Event Viewer and/or IIS logs from the troublesome server (in either direction) however it looks to me like passthrough is probably doing what it should and denying access because the users are not allowed to authenticate.
I would say your looking at setting up cross domain authentication in its entity e.g. file shares from one domain to another how does that work? If the problem is more wide spread then really your looking at setting up a domain trust relationship between Domain1 and Domain2 (http://technet.microsoft.com/en-gb/library/cc739693(v=ws.10).aspx) either this or allow anonymous access to the website but its not exactly secure :)
Any questions let me know.
Charles
I have a requirement, that the SharePoint portal of our company should be made accessible from internet, as in
once URL is entered in the browser, it should ask for credentials- once entered, should display the homepage of the portal.
Provided it should be accessible from the current intranet also.
It is in windows authentication mode currently.
Disclaimer: This question would be more appropriate in a forum like SuperUser or Sharepoint StackExchange. I am not a system administrator so my answer will lack detail and probably wont be optimal.
The only thing you need to provide is access from an external interface to your network. So something that routes requests from outside of your network to your sharepoint instance.
This is usually achieved through a reverse proxy and proper configuration of DNS. You can setup a reverse proxy by different means, if your organisation uses the Microsoft Stack then I suggest setting up IIS as a reverse proxy to your Sharepoint Instance. There are multiple tutorials on how to do this on the web.
http://sahelp.sharepointforall.com/FAQ/bconfigure_IIS.html
You then need to add an entry to your organisation DNS hosting something like sharepoint.organisation.com that points to your external interface (public IP) where the reverse proxy is sitting.
You will then need to add an Alternate Access Mapping to your Sharepoint WebApplication so Sharepoint can route the requests that the proxy sends to the appropriate Webapplication.
http://blog.blksthl.com/2012/12/03/a-guide-to-alternate-access-mappings-basics-in-sharepoint-2013/
If you are using basic authentication make sure you enable SSL. this can be done in several ways but a possible and easy (but not the most secure) is to enable SSL just externally and then use a normal unencrypted channel on the inside of your network, this is probably the easiest setup but again not very secure as people inside the newtork can snoop comms between the proxy and the sharepoint instance.
I was wondering whether or not Windows Azure is a viable option, now that they offer 10 free websites, for hosting a simple website with a database and domain name etc.. or is more traditional web hosting still the better option?
The database won't be that big, so the $5 for the 100MB database option will be plenty. I guess a few dollar's would be needed for traffic too?
Custom domain names can only be used in Shared or Reserved modes which are not free.
The free websites would be under [yourSubdomain].azurewebsites.net
So, it depends whether having your own domain matters to you and, if so, whether you are willing to pay for the website.
Notwithstanding this, Azure websites is a perfectly good cloud solution offering quick deployment of numerous CMS systems including WordPress, Joomla, etc.
I think it is a viable option. However, to get your own domain name you must change the website from free to shared or reserved mode. Heres description and link how to do this!
"When you create a web site, Windows Azure provides a friendly
subdomain on the azurewebsites.net domain so your users can access
your web site using a URL like http://.azurewebsites.net.
However, if you configure your web sites for shared or reserved mode,
you can map your web site to your own domain name."
http://www.windowsazure.com/en-us/develop/net/common-tasks/custom-dns-web-site/
I've got a little server plugging along, with IIS and some other stuff. Is it possible to allow a second user access to the IIS Manager, with the ability to create and edit sites, but keep the two accounts' sites separate?
I'm not worried about security between the two accounts, just separating the two account's sites for neatness and so that one user doesn't accidentally change something tied to the other account. At the moment I have two users part of the administrators group, and if I open IIS Manager with either one they both show all the sites.
A similar question has already been asked: how to create hidden web site on IIS
Can you please expand the answer of that thread?
Update 1
Connecting to sites remotely would allow the other sites to appear hidden as you would only see the connecting site. See: How to use Internet Information Services (IIS) 7 Manager to connect remotely to your website.
Update 0
As for hiding sites and other features, check out: What is administration.config for IIS?
One little known feature of IIS7 is that it's UI is entirely extensible! This means that anyone can write a C# assembly and get it displayed through the IIS Manager UI. The possibilities here are endless, anything from someone writing a new certificate management system, a website provisioning system, etc.
I haven't found documentation stating that the actual sites can be hidden but it sounds like it should be possible.
An Overview of Feature Delegation in IIS 7.0 may also provide the ability to hide sites.
Other links:
How do I hide 'non-delegated' features in IIS 7?
Based on your description, Microsoft's documentation on Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) might prove helpful. For instance:
Allow an IIS Manager User Account to Connect to a Site or an Application (IIS 7)
Note: For IIS Manager users to connect to sites and applications for which you grant permission, you must configure the management service to accept connections from users who have IIS Manager credentials. For more information about how to configure the management service, see Configuring the Management Service in IIS 7.
Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) - Emphasis added.
Use the IIS Manager Permissions feature to allow users to connect to sites and applications in IIS Manager. Remove a user account when you no longer want the user to configure delegated features in a site or an application.
Permitted users can configure delegated features in any sites or applications for which you grant them permission. Users can be either IIS Manager users, which are credentials created in IIS Manager by using the IIS Manager Users feature, or Windows users and groups on the local computer or on the domain to which the computer belongs.