SharePoint - NTLM Authentication Using Local Active Directory Plus Remote LDAP

Posted on 2011-05-10
Last Modified: 2012-05-11
I have SharePoint WSS 3.0 on a Windows 2003 Server authenticating against the Active Directory on my Windows 2003 Domain Server using NTLM.  This works just fine.

However, my corporate office has users that need to access SharePoint as well.  Those users are on a separate network and I must manually enter them with new credentials in my Active Directory if they want to access SharePoint.  If they leave the company, I must get notified and remove them from the system.  The management in Active Directory of these users is very time consuming.

I can access the corporate users through LDAP.  Can I use this to provide them access to SharePoint instead of entering them manually into my Active Directory?  If so, how?
Question by: jmdyas

    Expert Comment

    Most of the time, people who are not a part of your organization are kept in a separate repository. In most cases you use AD, and LDAP can be used for external people, partners and anyone who is not an AD member. You are using LDAP for your organization. You can use this to authenticate users from a different network, or better, configure another zone for them and set up authentication like FBA using a database. This is not the only solution. I am just trying to give you an idea of how you can allow people to use your site without making them a part of your AD or LDAP.

    Author Comment

    ufarooq:  Currently I have separate OUs in Active Directory for each external organization, including our corporate users, so that I keep the users organized and separated.

    Yes, your solution of dual authentication - one using NTLM (Active Directory for Internal Users) and one using LDAP (corporate users) is another approach I can take.  However, I do not know how to go about setting this up.  Don't I lose Microsoft Office functionality if those users authenticate using FBA?

    Expert Comment

    To my information, in the case of people who are not part of your organization or company, having separate OUs for them is not really considered very good from a security point of view. FBA is the best in this case.

    You point out exactly the right issue with FBA. In MOSS 2007 it was the case that you lose client integration with forms-based authentication. You can still get some of it if you enable it.
    I recently tested it with SharePoint 2010, and once you enable client integration on the external site it works much better.
    By default client integration is turned off; you will have to turn it on to make FBA work like MS Office.
    I am not saying it will work 100% like NTLM, but again it's for people who are not part of the organization, and it depends how many they are and how many of them need this feature. And some functionality comes back after enabling it.
    Let me know.

    Author Comment

    Thank you for the background.  

    The use of OUs is just for organizational purposes.  I have a specific security group for them and have locked down their access rights (no access to any network resources, no dial-in access, remote access, etc.), and they are part of a specific SharePoint security group.

    I agree about switching to FBA - you convinced me.  So how do we go about incorporating FBA for the external users that I can pull from LDAP while maintaining NTLM authentication for those in Active Directory?  Any ideas?  Anyone?

    Accepted Solution

    If you want to use a different URL for them:
    Extending your existing web app to a new zone (extranet, maybe) and configuring it to use FBA membership to authenticate from LDAP can be one solution.
    If you want all users to use one URL (LDAP and AD users):
    You can set up dual authentication on one zone (2010 only). For example, one URL, one web app zone, two authentication methods.
