SharePoint - NTLM Authentication Using Local Active Directory Plus Remote LDAP

I have SharePoint WSS 3.0 on a Windows 2003 Server Authenticating against the Active Directory on my Windows 2003 Domain Server using NTLM.  This works just fine.  

However, my corporate office has users that need to access SharePoint as well.  Those users are on a separate network and I must manually enter them with new credentials in my Active Directory if they want to access SharePoint.  If they leave the company, I must get notified and remove them from the system.  The management in Active Directory of these users is very time consuming.

I can access the corporate users through LDAP.  Can I use this to provide them access to SharePoint instead of entering them manually into my Active Directory?  If so, how?
Asked by: jmdyas
1 Solution
 
ufarooq commented:
Most of the time, people who are not part of your organization are ones you want to keep in a separate repository. In most cases you use AD, and LDAP can be used for external people, partners and anyone who is not an AD member. You are using LDAP for your organization. You can use this to authenticate users from a different network, or better, configure another zone for them and set up authentication like FBA using a database. This is not the only solution. I am just trying to give you an idea of how you can allow people to use your site and not make them a part of your AD or LDAP.
 
jmdyas (Author) commented:
ufarooq:  Currently I have separate OUs in Active Directory for each external organization, including our corporate users, so that I keep the users organized and separated.

Yes, your solution of dual authentication - one using NTLM (Active Directory for Internal Users) and one using LDAP (corporate users) is another approach I can take.  However, I do not know how to go about setting this up.  Don't I lose Microsoft Office functionality if those users authenticate using FBA?
 
ufarooq commented:
To my information, in the case of people who are not part of your organization or company, having separate OUs for them is not really considered very good from a security point of view. FBA is the best in this case.

You point out exactly the right issue with FBA. In MOSS 2007 it was the case that you lose client integration with forms-based authentication. You can still get some if you enable it.
I recently tested it with SharePoint 2010, and once you enable client integration on the external site it works much better.
By default client integration is turned off; you will have to turn it on to make FBA work with MS Office.
I am not saying it will work 100% like NTLM, but again it is for people who are not part of the organization, and it depends how many they are and how many of them need this feature. Some functionality comes back after enabling it.
Let me know.
 
jmdyas (Author) commented:
Thank you for the background.  

The use of OUs is just for organizational purposes.  I have a specific security group for them and have locked down their access rights (no access to any network resources, no dial-in access, remote access, etc.), and they are part of a specific SharePoint security group.

I agree about switching to FBA - you convinced me.  So how do we go about incorporating FBA for the external users that I can pull from LDAP while maintaining NTLM authentication for those in Active Directory?  Any ideas?  Anyone?
 
ufarooq commented:
If you want to use a different URL for them:
Extending your existing web app to a new zone (extranet, maybe) and configuring it to use an FBA membership provider to authenticate from LDAP can be one solution.
If you want all users to use one URL (LDAP and AD users):
You can set up dual authentication on one zone (2010 only). For example: one URL, one web app zone, two authentication methods.
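For readers who want to see what "configuring it to use an FBA membership provider to authenticate from LDAP" looks like in practice, here is an added example of the web.config fragment for the extended zone. It is not code from this thread or from Microsoft's documentation verbatim; the host name, OU paths and provider names are placeholders, and the disabled-account filter in userFilter is my addition (it uses the standard LDAP bit-AND matching rule so that accounts the corporate office has disabled cannot log in, which addresses the leaver problem raised in the question). The provider classes live in Microsoft.Office.Server.dll, which ships with MOSS 2007 (version 12.0.0.0) and SharePoint 2010 (version 14.0.0.0); a bare WSS 3.0 install does not include them, so on WSS alone you would need a third-party or custom membership provider.

```xml
<!-- Added example (not from the thread). Goes in the web.config of the
     extended (extranet) zone and of Central Administration; on SharePoint 2010
     also in the SecurityTokenServiceApplication web.config.
     PLACEHOLDERS: ldap.corp.example, OU=CorpUsers/OU=CorpGroups, DC=corp,DC=example -->
<configuration>
  <system.web>
    <!-- Membership provider: validates the corporate user's password against LDAP.
         Port 636 + useSSL="true" keeps the bind (and the user's password) off the
         wire in cleartext; port 389 with useSSL="false" would send it in the clear. -->
    <membership defaultProvider="LdapMembers">
      <providers>
        <add name="LdapMembers"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="ldap.corp.example"
             port="636"
             useSSL="true"
             userDNAttribute="distinguishedName"
             userNameAttribute="sAMAccountName"
             userContainer="OU=CorpUsers,DC=corp,DC=example"
             userObjectClass="person"
             userFilter="(&amp;(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>

    <!-- Role provider: exposes corporate LDAP groups so SharePoint permissions can be
         granted to a group rather than to individual external users. -->
    <roleManager enabled="true" defaultProvider="LdapRoles">
      <providers>
        <add name="LdapRoles"
             type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="ldap.corp.example"
             port="636"
             useSSL="true"
             groupContainer="OU=CorpGroups,DC=corp,DC=example"
             groupNameAttribute="cn"
             groupNameAlternateSearchAttribute="samAccountName"
             groupMemberAttribute="member"
             userNameAttribute="sAMAccountName"
             dnAttribute="distinguishedName"
             useDNAttribute="true"
             scope="Subtree" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

Two operational points worth checking before going live: the provider binds to the directory as the web application's application pool identity, so that account needs read access to the user and group containers (and nothing more); and with userFilter restricted to enabled accounts, verify the leaver scenario by disabling a test account at the corporate office and confirming the login is refused at the extranet zone.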