Hi mate You can use an AD/LDAP provider to do FBA with internal staff as you describe. The other factor that affects the decision to use FBA is the client integration. This posts hints at some of the issues you can face. http://planetmoss.blogspot.com/2009/02/using-ldap-authentication-with.html
Client integration is disabled by default when you use forms-based authentication because it does not natively support FBA. There are workarounds for varying levels of client integration functionality there is no MS support for them. Now when you stick to native authentication and a user's browser is configured for the internet zone, you get a generic login/password dialogue box that is not as 'nice' as a FBA login page which can be branded. But ISA may have some smarts here. ISA (if my memory serves me correctly), can present an FBA style login to the user, and then pass those credentials to the SharePoint server as NTLM credentials. This *may* get around the application integration issue. (If I am wrong someone please correct me - it's been a while). Regards Paul Culmsee www.cleverworkarounds.com -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of [email protected] Sent: Wednesday, 8 April 2009 11:17 AM To: [email protected] Cc: [email protected] Subject: RE: Preparing MOSS for internet access Hi Paul, That makes perfect sense, forms authentication for external party access, cant believe i am not seeing that picture until now! I was confused what's all the fuss with that because that means the internal staff will have to remember 2 passwords instead of 1 but of course we can use AD as provider instead of SQL but there is no difference with browser prompting for credentials, or is there? what's the issue with browser prompting for password compared to forms authentication that is using AD as provider? The ISA is not really in the picture, but it was mentioned by them before however i doubt they will approve that. Many thanks for your help, Christian "Paul Culmsee" <paul.culm...@sev ensigma.com.au> To Sent by: <[email protected]> [email protected] cc Subject 04/08/2009 11:08 RE: Preparing MOSS for internet AM access Please respond to [email protected] Hi Client certificates = good thing. Reduce the surface for exploitation. I assume you already have a decent PKI infrastructure set-up because that is a project in itself. FBA I use in general when the logins are not internal staff members. So this tends to fall into the group of 'client extranet' as opposed to 'staff extranet'. Integrated auth is obviously an issue with the way that the browser prompts for credentials, but this can be mitigated by using ISA Server to publish the site. You never mentioned ISA server - is that in the picture? Regards Paul -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of [email protected] Sent: Wednesday, 8 April 2009 10:37 AM To: [email protected] Cc: [email protected] Subject: Preparing MOSS for internet access Hi guys I am wondering what would be the best practice, from architecture and development point of view to have moss exposed on the internet. I have a site that have been configured with 2 zones, one is default and the other one is extranet. The public facing website will not allow any login activity as it will automatically redirect the authenticate.aspx page to https (extranet) site and will require client certificate to access. Extranet will be used by our staff to update the contents of the public site. We are currently thinking to use forms authentication for extranet site but was wondering what does forms authentication have over integrated windows in term of security. What is the best practice out there and the most secure way or what did you actually do for your public facing MOSS projects to secure logins/authentication? I would love to hear everyone's experience :) Regards, Christian ===================================================================== Disclaimer: This message is intended only for the use of the person to whom it is expressly addressed and may contain information that is confidential and legally privileged. If you are not the intended recipient, you are hereby notified that any use, reliance on, reference to, review, disclosure or copying of the message and the information it contains for any purpose is prohibited. If you have received this message in error, please notify the sender by reply e-mail of the misdelivery and delete all its contents. Opinions, conclusions and other information in this message that do not relate to the official business of the Company shall be understood as neither given nor endorsed by it. ---------------------------------------------------------------------------- ---- Support procedure: http://www.codify.com/lists/support List address: [email protected] Subscribe: [email protected] Unsubscribe: [email protected] List FAQ: http://www.codify.com/lists/ozmoss Other lists you might want to join: http://www.codify.com/lists ---------------------------------------------------------------------------- ---- Support procedure: http://www.codify.com/lists/support List address: [email protected] Subscribe: [email protected] Unsubscribe: [email protected] List FAQ: http://www.codify.com/lists/ozmoss Other lists you might want to join: http://www.codify.com/lists ===================================================================== Disclaimer: This message is intended only for the use of the person to whom it is expressly addressed and may contain information that is confidential and legally privileged. If you are not the intended recipient, you are hereby notified that any use, reliance on, reference to, review, disclosure or copying of the message and the information it contains for any purpose is prohibited. If you have received this message in error, please notify the sender by reply e-mail of the misdelivery and delete all its contents. Opinions, conclusions and other information in this message that do not relate to the official business of the Company shall be understood as neither given nor endorsed by it. ---------------------------------------------------------------------------- ---- Support procedure: http://www.codify.com/lists/support List address: [email protected] Subscribe: [email protected] Unsubscribe: [email protected] List FAQ: http://www.codify.com/lists/ozmoss Other lists you might want to join: http://www.codify.com/lists -------------------------------------------------------------------------------- Support procedure: http://www.codify.com/lists/support List address: [email protected] Subscribe: [email protected] Unsubscribe: [email protected] List FAQ: http://www.codify.com/lists/ozmoss Other lists you might want to join: http://www.codify.com/lists
