
Thread: IIS Authentication

  1. #1
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718

    IIS Authentication

    We recently set up a server to host a SharePoint site so that a few select users can access files from home. After talking with a couple IT guys that manage our portal, we were recommended to use SharePoint. Our current LAN exists within a portal, and we were told if we set up SharePoint on our end, that they would set up security and access through the portal on their end. Now, here's my dilemma. We set up IIS 6 using SharePoint. Everything is working fine, but I now have the question of authentication.
    From what I've read, Digest Authentication is barely better than Basic (plain text) authentication. Integrated Authentication is more ideal for Intranets (and won't work with what we're looking to do). So, .NET Passport or Certificate Authentication is basically what I'm considering. I've read about both and really can't figure out which way to go. I'm leaning towards using Certificates but from what I've read, it's a pain in the ass to set up.
    Any ideas and/or suggestions would be greatly appreciated.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Integrated authentication will work. The only thing is that your clients will get prompted for a login. This happens to me when I go to SharePoint sites using the Mozilla browser, which is very much like what you are doing when you have users in another domain, or another network, browse to your SharePoint sites that are in a different domain/network.

  3. #3
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    mohaughn,
    Yeah, I was working with Integrated Authentication when I ran into a slight problem. What I did was this: I rebooted the system and logged on to the local machine instead of the domain. Now, I was able to access the SharePoint site fine (once I logged in via the SharePoint prompt) but the problem was when I attempted to access files on the server via SharePoint links.
    I couldn't access any files on the server because I wasn't logged into the domain itself. It's almost as if I was logging into the SharePoint site but not the domain. Once I connected to the server manually, I was able to get files via SharePoint. It's like I have to log on twice (once to SharePoint and once to the domain). I'm a bit annoyed at this point with this whole authentication bit, but thanks for the help anyways.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  4. #4
    Certificates are good but yes they *can* be a pain to set up.
    Would you look to issue your own certificates or would you use a certificate provider such as Verisign?
    There are advantages and disadvantages to both. Setting up your own, you don't have to purchase the certificates but you do have to configure certificate services (I am running with the Microsoft example here because that's what I have used) and all the pains that it brings. I have been heavily involved in setting up Microsoft Certificate Services in my organisation and it was quite painful initially but eventually we got there.
    How many users would you need to issue certificates to?
    If there are not that many, my advice is to go with Verisign (or similar - Verisign is what I have used in the past) as they can issue you an appropriate certificate and often the trust chain for these certificates is already built in to Windows machines (you don't have to set up and distribute the trust chain). If however you think you may need to issue quite a few certificates then go with setting it up yourself. I have included some links below I found handy when setting up the Microsoft CA in my organisation.

    http://technet2.microsoft.com/window...es/pubkey.mspx
    http://technet2.microsoft.com/Window....mspx?mfr=true

  5. #5
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Certificates are good, if you have the right PKI setup on your domain. I have just finished setting up SharePoint, LCS and Exchange as hosted services and internally for some of our customers.

    It depends how you want to play it, I used an internal CA for everything except for the external IM presence for LCS as Microsoft will only accept a third party certificate for this.

    Have a root CA, which can be 2003 Enterprise or 2003 Standard and have an Issuing subordinate CA which HAS to be either 2003 Enterprise or 2003 Datacentre - you need version 2 certificates to customize your own templates and 2003 Standard does not support this.

    If your users connecting to the portal already trust the root CA then all is well and they will accept the certificate; if they do not trust your CA you will need to export the root CA path to them unless you use SSH instead of TLS.

    Name the certificates with the FQDN of the server and give it a SAN (subject alternate name) of any other domain specific names it may have, i.e. internal DNS names.

    The SharePoint authentications should be LDAP and authenticate the user to the domain once they access it, but only for SharePoint and not for the rest of the domain, unless they are using a VPN solution of some kind and have authenticated to a DC already.

    Can't really think of any other point I can add to help you further but as it is all still fresh in my mind, if you have any specific questions I will be happy to answer them if I can

    How big is it going to be? I tend to go with SharePoint services instead of the SharePoint portal if it meets the requirements, due to it being very easy to install and configure.
    Last edited by Nokia; November 17th, 2006 at 09:50 PM.

  6. #6
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Nokia,
    Ok, well a couple things. I'm a little new to setting up certificates so you'll have to forgive me if I didn't totally follow everything you said, although I did understand most of it.
    Also, I have SharePoint setup but, I'm annoyed by a few factors. Basically, I can upload the server files to the SharePoint workspace but, once the work is done on those files, I wasn't able to upload them back onto the server. There's always the "save as" option but my users are not that patient (to navigate where the file needs to be saved on the server).
    This whole SharePoint and CA/Certificates bit is a little overwhelming for me right now, so bear with me. Another tool I found to be very helpful was the IIS 6 toolkit which included a nice little program called SelfSSL. I created my own certificate and managed to get it to work...but I'm a long ways away from understanding all this stuff.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Don't dismiss basic or digest authentication too quickly...

    Both will do just fine IF you use them inside an SSL connection...


    Ammo
    Credit travels up, blame travels down -- The Boss

  8. #8
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Ok, a couple more questions.
    Let's say I have SharePoint on a server, within a LAN. This LAN sits within a portal. Now, the guys over at the portal administration say they'll open up a port that will connect to my server. I trust they'll take care of security on their end.
    Now, a user logs into the portal and then connects to our SharePoint. This user is at home grabbing files from our server and uploading them to the SharePoint workspace...blah blah blah.

    Ok, enough about the setup. I need to know how to secure this as best as possible. I used SelfSSL to create my own server certificate. This allows me to use SSL. The client connects and uses the server certificate to verify the server. It's nothing fancy, I just wanted to use SSL.
    Do I use my home-made certificate + SSL and Digest Authentication? Is this enough security? Sensitive files are going across the internet via SSL (I know this is encrypted). Is there any way I can verify the client connecting (besides a certificate)? We're only going to have two laptops set up to use SharePoint so I don't need to verify many clients.

    Also, unrelated security question. Can I set up File Replication to work with the SharePoint shares?

    Sigh. A lot of questions. Sorry guys. I'm just a bit overwhelmed right now.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  9. #9
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Careful with the self-signed certificate; make sure users validate the certificate hash when they first log on and that they then install the certificate if valid. And of course, never continue on SSL with an invalid certificate...
    Credit travels up, blame travels down -- The Boss
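
The check described in the last reply (compare the self-signed certificate's hash with a value the administrator supplied out of band before installing it), as an added example that is not part of the original thread. The function names are hypothetical and the sample bytes are constructed stand-ins for a certificate's DER encoding.

```python
import hashlib
import hmac
import ssl

# Length of the hex digest -> hash algorithm the fingerprint was made with.
ALGORITHMS = {40: "sha1", 64: "sha256"}

def normalize(fingerprint: str) -> str:
    """Drop separators ("AB:CD", "ab cd") and invisible characters that come
    along when a thumbprint is pasted from a certificate dialog; lowercase."""
    return "".join(c for c in fingerprint
                   if c.isprintable() and c not in ": -").lower()

def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Hex digest over the certificate's DER encoding."""
    return hashlib.new(algorithm, der).hexdigest()

def matches_pin(der: bytes, expected: str) -> bool:
    """True only if the presented certificate hashes to the expected value."""
    want = normalize(expected)
    algorithm = ALGORITHMS.get(len(want))
    if algorithm is None or any(c not in "0123456789abcdef" for c in want):
        raise ValueError("expected value is not a SHA-1 or SHA-256 hex digest")
    # Constant-time comparison; the algorithm is inferred from the pin length.
    return hmac.compare_digest(fingerprint(der, algorithm), want)

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's certificate WITHOUT validating it (needs network).
    The result is untrusted until matches_pin() says otherwise."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

# Constructed stand-ins for DER bytes, so the example runs offline.
SAMPLE_DER = b"constructed stand-in for the server certificate (DER)"
OTHER_DER = b"constructed stand-in for a different certificate (DER)"

def demo():
    # The administrator reads out the fingerprint in the colon-separated,
    # upper-case form many certificate viewers display.
    digest = fingerprint(SAMPLE_DER).upper()
    pin = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return matches_pin(SAMPLE_DER, pin), matches_pin(OTHER_DER, pin)

if __name__ == "__main__":
    print(demo())
```

The expected fingerprint has to reach the user over a channel other than the connection being checked, for example read out by the administrator at the server console.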
