Hi mate

You can use an AD/LDAP provider to do FBA with internal staff as you
describe. The other factor that affects the decision to use FBA is the
client integration. This posts hints at some of the issues you can face.
http://planetmoss.blogspot.com/2009/02/using-ldap-authentication-with.html

Client integration is disabled by default when you use forms-based
authentication because it does not natively support FBA. There are
workarounds for varying levels of client integration functionality there is
no MS support for them.

Now when you stick to native authentication and a user's browser is
configured for the internet zone, you get a generic login/password dialogue
box that is not as 'nice' as a FBA login page which can be branded. But ISA
may have some smarts here. ISA (if my memory serves me correctly), can
present an FBA style login to the user, and then pass those credentials to
the SharePoint server as NTLM credentials. This *may* get around the
application integration issue. (If I am wrong someone please correct me -
it's been a while).

Regards

Paul Culmsee
www.cleverworkarounds.com


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
[email protected]
Sent: Wednesday, 8 April 2009 11:17 AM
To: [email protected]
Cc: [email protected]
Subject: RE: Preparing MOSS for internet access

Hi Paul,

That makes perfect sense, forms authentication for external party access,
cant believe i am not seeing that picture until now! I was confused what's
all the fuss with that because that means the internal staff will have to
remember 2 passwords instead of 1 but of course we can use AD as provider
instead of SQL but there is no difference with browser prompting for
credentials, or is there?

what's the issue with browser prompting for password compared to forms
authentication that is using AD as provider?

The ISA is not really in the picture, but it was mentioned by them before
however i doubt they will approve that.

Many thanks for your help,

Christian



                                                                           
             "Paul Culmsee"                                                
             <paul.culm...@sev                                             
             ensigma.com.au>                                            To 
             Sent by:                  <[email protected]>                 
             [email protected]                                          cc 
                                                                           
                                                                   Subject 
             04/08/2009 11:08          RE: Preparing MOSS for internet     
             AM                        access                              
                                                                           
                                                                           
             Please respond to                                             
             [email protected]                                             
                                                                           
                                                                           




Hi

Client certificates = good thing. Reduce the surface for exploitation. I
assume you already have a decent PKI infrastructure set-up because that is
a
project in itself.

FBA I use in general when the logins are not internal staff members. So
this
tends to fall into the group of 'client extranet' as opposed to 'staff
extranet'. Integrated auth is obviously an issue with the way that the
browser prompts for credentials, but this can be mitigated by using ISA
Server to publish the site. You never mentioned ISA server - is that in the
picture?

Regards

Paul

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
[email protected]
Sent: Wednesday, 8 April 2009 10:37 AM
To: [email protected]
Cc: [email protected]
Subject: Preparing MOSS for internet access

Hi guys

I am wondering what would be the best practice, from architecture and
development point of view to have moss exposed on the internet. I have a
site that have been configured with 2 zones, one is default and the other
one is extranet.

The public facing website will not allow any login activity as it will
automatically redirect the authenticate.aspx page to https (extranet) site
and will require client certificate to access. Extranet will be used by our
staff to update the contents of the public site.

 We are currently thinking to use forms authentication for extranet site
but was wondering what does forms authentication have over integrated
windows in term of security. What is the best practice out there and the
most secure way or what did you actually do for your public facing MOSS
projects to secure logins/authentication? I would love to hear everyone's
experience :)

Regards,

Christian



=====================================================================

Disclaimer:

This message is intended only for the use of the person to whom it is
expressly addressed and may contain information that is confidential and
legally privileged. If you are not the intended recipient, you are hereby
notified that any use, reliance on, reference to, review, disclosure or
copying of the message and the information it contains for any purpose is
prohibited. If you have received this message in error, please notify the
sender by reply e-mail of the misdelivery and delete all its contents.

Opinions, conclusions and other information in this message that do not
relate to the official business of the Company shall be understood as
neither given nor endorsed by it.

----------------------------------------------------------------------------

----
Support procedure: http://www.codify.com/lists/support
List address: [email protected]
Subscribe: [email protected]
Unsubscribe: [email protected]
List FAQ: http://www.codify.com/lists/ozmoss
Other lists you might want to join: http://www.codify.com/lists

----------------------------------------------------------------------------
----

Support procedure: http://www.codify.com/lists/support
List address: [email protected]
Subscribe: [email protected]
Unsubscribe: [email protected]
List FAQ: http://www.codify.com/lists/ozmoss
Other lists you might want to join: http://www.codify.com/lists




=====================================================================

Disclaimer:

This message is intended only for the use of the person to whom it is
expressly addressed and may contain information that is confidential and
legally privileged. If you are not the intended recipient, you are hereby
notified that any use, reliance on, reference to, review, disclosure or
copying of the message and the information it contains for any purpose is
prohibited. If you have received this message in error, please notify the
sender by reply e-mail of the misdelivery and delete all its contents.

Opinions, conclusions and other information in this message that do not
relate to the official business of the Company shall be understood as
neither given nor endorsed by it.

----------------------------------------------------------------------------
----
Support procedure: http://www.codify.com/lists/support
List address: [email protected]
Subscribe: [email protected]
Unsubscribe: [email protected]
List FAQ: http://www.codify.com/lists/ozmoss
Other lists you might want to join: http://www.codify.com/lists

--------------------------------------------------------------------------------
Support procedure: http://www.codify.com/lists/support
List address: [email protected]
Subscribe: [email protected]
Unsubscribe: [email protected]
List FAQ: http://www.codify.com/lists/ozmoss
Other lists you might want to join: http://www.codify.com/lists

Reply via email to