Using Basic Authentication and Integrated Authentication at the same time
We would like to use Integrated Windows Authentication if a user accesses our SharePoint site from within our organization, and Basic Authentication (using SSL) when someone tries to authenticate from outside our organization.
Reading, it seems IE will try Windows Auth no matter what and ignore Basic Auth from outside our organization. This is undesirable because the user is required to enter the DOMAIN into the login box (users are notorious for calling our helpdesk about this). Basic Auth allows us to specify a default domain. Windows auth does not do this. Hence the desire to use Basic Auth for outside, Windows Auth for inside.
What is the solution to enabling Windows Auth inside the network, and Basic Auth outside our network? Do I need to set up two separate sites inside IIS (one for Windows auth, another for basic)? Would this require 2 different Host Names?
Is there a solution I am not thinking of here?
Thanks all.
Comments (3)
Assumption: you want to have all users, both internal and external, authenticate against the same Active Directory domain.
If the main goal is for external users to be able to log in without typing the domain name, you could use ISA server.
You can have internal users connect directly to your SharePoint server by pointing your internal DNS directly to your SharePoint server. Thus, Windows auth would work for them.
External users could then be pointed to your ISA server (via DNS), and ISA could be configured to show a login page for SharePoint where no domain name is required. (It's a web form that they are filling out, but the authentication happens against Active Directory.)
Getting ISA to work in this way is a little tricky, because you have to get the AAM settings in SharePoint just right. And if you're doing SSL or SQL Reporting Services, it's even more tricky. The main problem is that there are no meaningful error messages telling you what's wrong. But it is possible. :)
We have this set up, and it works great, but it was definitely a pain to get working right.
Windows auth uses a protocol to negotiate which authentication method will be used. I've been wrong before, but I don't think you can do both without using two separate virtual directories (which can point to the same physical directory, if you choose). The idea is that you configure a different auth mechanism for each.
In order to configure different authentication methods on a SharePoint site (assuming you are talking about at least SharePoint 2007) you will need to extend the web application which results in additional sites created in IIS. You will need different host names, one for internal and one for external.
Once extended, Alternate Access Mappings will need to be configured (this is done through Central Admin). Authentication providers can then be configured in the 'Authentication Providers' section in Central Admin. Basic authentication would then be configured for the external site (make sure to use SSL since Basic authentication sends login info in clear text) and the internal site would be configured for integrated Windows authentication. Here are a couple of resources worth noting:
http://technet.microsoft.com/en-us/library/cc262309%28office.12%29.aspx
http://go.microsoft.com/fwlink/?LinkID=79589
Hope that helps.
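An added example, not part of the original thread: once the web application is extended into two zones as the answers describe, this check classifies the `WWW-Authenticate` challenges each hostname returns and reports any zone that does not match the intended setup (Basic over SSL outside, Integrated Windows Authentication inside). The host names and header values are constructed samples, and the function names are hypothetical.

```python
import re

INTEGRATED = {"negotiate", "ntlm"}  # schemes behind Integrated Windows Authentication

def offered_schemes(header_values):
    """Lower-cased auth schemes named in a 401 response's WWW-Authenticate headers."""
    schemes = set()
    for value in header_values:
        # Blank out quoted strings first: a realm may itself contain commas.
        value = re.sub(r'"(?:\\.|[^"\\])*"', '""', value)
        for part in value.split(","):
            tokens = part.split()
            # A part starting with name=value is a parameter, not a new scheme.
            if tokens and "=" not in tokens[0]:
                schemes.add(tokens[0].lower())
    return schemes

def check_zone(zone, url, header_values):
    """Findings for one zone ('internal' or 'external'); an empty list means it matches."""
    schemes = offered_schemes(header_values)
    integrated = sorted(schemes & INTEGRATED)
    findings = []
    if zone == "external":
        if integrated:
            findings.append("external zone still offers " + ", ".join(integrated))
        if "basic" not in schemes:
            findings.append("external zone does not offer Basic")
        elif not url.lower().startswith("https://"):
            findings.append("Basic offered without SSL, so credentials travel in clear text")
    else:
        if not integrated:
            findings.append("internal zone does not offer Negotiate or NTLM")
        if "basic" in schemes:
            findings.append("internal zone also offers Basic")
    return findings

# Constructed sample data: hypothetical host names and the WWW-Authenticate values
# each returned on the 401 to an unauthenticated request.
SAMPLES = [
    ("internal", "http://portal.corp.example/", ["Negotiate", "NTLM"]),
    ("external", "https://portal.example.com/", ['Basic realm="portal.example.com"']),
    ("external", "http://portal.example.com/", ["Negotiate", "NTLM", 'Basic realm="portal, ext"']),
]

if __name__ == "__main__":
    for zone, url, headers in SAMPLES:
        print(zone, url, check_zone(zone, url, headers) or "OK")
```

The third sample is the case the question worries about: an external hostname that still advertises Negotiate/NTLM alongside Basic, here also without SSL.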