Authenicating with Sharepoint team service 3.0

Dear Zephyr_hex,

Are all these only apply to Sharepoint server 2007 but not Sharepoint team service 3.0 ?

Sharepoint uses Windows Authentication by default which is VERY secure.  The background services should be configured to use domain service accounts.  Form Based Authentication is actually less secure unless you use SSL (which slows the site) and many features don't work with it.

If your client computers are on the same domain as the Sharepoint server use the default Windows Authentication.  It's secure and fast.

authentication in sharepoint 2007 is the same as WSS 3.0  (what you're calling sharepoint team services 3.0).

WSS 3.0 is the core of sharepoint 2007.  sharepoint 2007 adds extra functionality... but the authentication methods are not different.

tedbilly,

Right now the point is the user account is stored locally on the sharepoint team service server, which is in the DMZ, I don't think it is secure enought!

I can't see it prompt the domain when logging in.

Sorry, I disagree.  Sharepoint only stores the user SID.  I don't see the security risk you seem to be concerned about.  Sharepoint doesn't store any user credentials.  The SID has to be generated using the on the fly NTLM authentication process which is already encrypted.

Note: With Windows Authentication if the client system is in the same domain as the Sharepoint server, IE will sign in using NTLM automatically without a prompt.  This is also true if the site is marked as 'Trusted' with the 'Automatically Login' option selected.

Dear Tedbily,

This sharepoint service will use local login acount and we don't user domain login.

the user will be internet users.

How about that? How can you verify that that login is very secure, how many bits of encrption it use?

if your users are internet and not intranet users, then FBA with SSL is probably the way to go

If you want to use 'Form Based Authentication' here is a starting point: http://www.codeplex.com/fba

As zephyr_hex recommended use SSL for the log in page.

Do not use SQL accounts for the Sharepoint services and be sure to use a local login account.

tedbilly,

The main objective is do not use local login account in that local Sharepoint team service account.

But as far as I konw, the FBA comes from Sharepoint team server 3.0 doesnt' works, I tried that, the same login account and password used in Windows Authenication doesn't work. So that only way is to use www.codeplex.com/fba?

for intranet user, I agree to use domain login of course as it is NTLM, but the main point is it is not released to public and it is already very secured.

Yeah, SSL of course, for any kinds of internet based login page !

the one in http://www.codeplex.com/fba apply for shareteam service 3.0 also?

Well I've been told it will work but to be honest I've never tried it.

tedbilly,

Yeah, that one still in beta and in WSP format, I will try it and I am wondering !

But if you try to setup sharepoint team service for external staff need to login from internet/from home, what authenication method will you use?

that codeplex, someone tell me this also, I am afraid that it is some kind of application back door from security point of view.

IMHO I'd never expose a corporate website that staff can use to the internet.  Our remote staff use secure VPN and/or RDP.

tedbilly,

VPN is good. This might not a company's web site but a workspace for staff to work from home! We also need  antivirus tools for anything upload to this workspace also.

Your case is VPNed to it and then open the intranet web site, right? so the end to end connection is encrypted, right?

tedbilly,

Do you know if I have to use the codeplex to work, do I need to create a separate database to store user login name ? using http://technet.microsoft.com/en-us/library/cc262350.aspx#section2 ?

Yes VPN can be encrypted and yes once the VPN connection is established they simply use the intranet like they would if they were at work.

If use use secure VPN you can simply use the default Windows Authentication without any extra work.

If you use 'Forms Based Authentication' and a SQL authentication provider then yes you'd need a SQL database to store the logins.  However, I'd avoid this if you can.  Windows Authentication is a better choice for Sharepoint because all features are supported in Sharepoint with it.

Dear tedbilly,

OK, you mean don't use FBA as long as it is really needed, but for internet user, FBA with SSL is necessary, right?

Then what I am thinking is how/where to store to userID, How to intergrate the FBA with the DB created by using http://technet.microsoft.com/en-us/library/cc262350.aspx#section2?

Based on your requirements I feel that 'Form Based Authentication' isn't a good choice.  I'd use Windows Authentication with secure VPN.  FBA has many problems with Sharepoint.

Even if your staff work from home to access a corporate website on the internet I would still use Windows Authentication with SSL because it's more secure.

Tedbiliy,

For your comment: "Even if your staff work from home to access a corporate website on the internet I would still use Windows Authentication with SSL because it's more secure.", this is for FBA, right?

What is the problme you found out for FBA? the white paper say this also but it just say problem, it didnt' sya what problem it is.

if our staff don't have VPN, then your suggestion doesn't works, right?

Many features won't work with FBA.  Specifically the client integration.

Read the following from http://msdn.microsoft.com/en-us/library/bb975136.aspx#MOSS2007FBAPart1_Intro

Important:

When you use forms authentication, client integration is disabled by default because client integration does not natively support forms authentication. You might be able to use many client integration features with forms authentication, and there are workarounds available to implement varying levels of client integration functionality with forms authentication. Specifically, starting in the Office 2007 Cumulative Update for April 2009 (Microsoft Help and Support), Microsoft Office Word, Microsoft Office Excel, Microsoft Office PowerPoint, and Microsoft Office SharePoint Designer all have native support for forms authentication, as described in Forms Authentication in SharePoint Products and Technologies (Part 3): Forms Authentication vs. Windows Authentication. If you plan to use client integration with forms authentication, you must fully test any available solutions or workarounds to determine whether the performance and functionality are acceptable in your environment. Microsoft Customer Support can provide commercially reasonable support to help you troubleshoot published workarounds.
Deciding to Use Forms Authentication

Some organizations want to use Windows users and groups in SharePoint Products and Technologies, but enter credentials via forms authentication. Before using forms authentication, determine why to use forms authentication in the first place: What is the business driver? If user accounts are stored in a location other than an Active Directory domain controller, or if Active Directory is not available in a particular environment, using forms authentication with a membership provider is a good choice. But if you want to force logon only via forms authentication, but still use Windows and all of the integrated features it provides, you should consider an alternative such as publishing the SharePoint site with Microsoft Internet Security and Acceleration (ISA) Server 2006. ISA Server 2006 allows users to log on by using a forms authentication Web form, but treats them like Windows users after authentication. This implementation provides a more consistent and compelling experience for end users.

tedbilly,

As we said before, to use FBA for internet user only solution, we have to use SSL with this, am I right?

I dont' think we have to use ISA 2006 and I have read that link before, it doens't tells a lot and make me confuse.

Tedbilly,

Thanks for this.