

SharePoint - NTLM Authentication Using Local Active Directory Plus Remote LDAP

Posted on 2011-05-10
Medium Priority
Last Modified: 2012-05-11
I have SharePoint WSS 3.0 on a Windows 2003 server, authenticating against the Active Directory on my Windows 2003 domain server using NTLM.  This works just fine.

However, my corporate office has users that need to access SharePoint as well.  Those users are on a separate network, and I must manually enter them with new credentials in my Active Directory if they want to access SharePoint.  If they leave the company, I must get notified and remove them from the system.  The management in Active Directory of these users is very time consuming.

I can access the corporate users through LDAP.  Can I use this to provide them access to SharePoint instead of entering them manually into my Active Directory?  If so, how?
Question by:jmdyas

Expert Comment

ID: 35730149
Most of the time, people who are not part of your organization you want to keep in a separate repository. In most cases you use AD, and LDAP can be used for external people, partners and anyone who is not an AD member. You are using LDAP for your organization. You can use this to authenticate users from a different network, or better, configure another zone for them and set up authentication like FBA using a database. This is not the only solution. I am just trying to give you an idea of how you can allow people to use your site and not make them a part of your AD or LDAP.

Author Comment

ID: 35730593
ufarooq:  Currently I have separate OUs in Active Directory for each external organization, including our corporate users, so that I keep the users organized and separated.

Yes, your solution of dual authentication - one using NTLM (Active Directory for Internal Users) and one using LDAP (corporate users) is another approach I can take.  However, I do not know how to go about setting this up.  Don't I lose Microsoft Office functionality if those users authenticate using FBA?

Expert Comment

ID: 35733661
To my information, in the case of people who are not part of your organization or company, having separate OUs for them is not really considered very good from a security point of view. FBA is the best in this case.

You point out exactly the right issue with FBA. In MOSS 2007 it was the case that you lose client integration with forms-based authentication. You can still get some if you enable it.
I recently tested it with SharePoint 2010, and once you enable client integration on the external site it works much better.
By default client integration is turned off; you will have to turn it on to make FBA work with MS Office.
I am not saying it will work 100% like NTLM, but again it's for people who are not part of the organization, and it depends how many they are and how many of them need this feature. Some functionalities come back after enabling it.
Let me know.

Author Comment

ID: 35738566
Thank you for the background.  

The use of OUs is just for organizational purposes.  I have a specific security group for them and have locked down their access rights (no access to any network resources, no dial-in access, remote access, etc.), and they are part of a specific SharePoint security group.

I agree about switching to FBA - you convinced me.  So how do we go about incorporating FBA for the external users that I can pull from LDAP while maintaining NTLM authentication for those in Active Directory?  Any ideas?  Anyone?

Accepted Solution

ufarooq earned 2000 total points
ID: 35738698
If you want to use a different URL for them:
Extending your existing web app to a new zone (extranet, maybe) and configuring it to use an FBA membership provider to authenticate from LDAP can be one solution.
If you want all users to use one URL (LDAP and AD users):
You can set up dual authentication on one zone (2010 only). For example: one URL, one web app zone, two authentication methods.
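As an added illustration of the first option in this answer (extend the web app to a new zone and point that zone's FBA at LDAP), not part of the original thread, here is a web.config fragment for the extended zone on SharePoint 2010 using the built-in LdapMembershipProvider and LdapRoleProvider. The server, port and container values are placeholders for the corporate directory and must be replaced; the provider names are assumed and only need to match what you register on the zone.

```xml
<!-- Added example for the extranet zone's web.config (SharePoint 2010). -->
<!-- Placeholders: ldap.corp.example is the corporate LDAP host; the DC= -->
<!-- components are the corporate directory's base DN. -->
<system.web>
  <membership defaultProvider="LdapMembers">
    <providers>
      <add name="LdapMembers"
           type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="ldap.corp.example"
           port="636"
           useSSL="true"
           userDNAttribute="distinguishedName"
           userNameAttribute="sAMAccountName"
           userContainer="OU=Users,DC=corp,DC=example"
           userObjectClass="person"
           userFilter="(ObjectClass=person)"
           scope="Subtree"
           otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="LdapRoles">
    <providers>
      <add name="LdapRoles"
           type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="ldap.corp.example"
           port="636"
           useSSL="true"
           groupContainer="OU=Groups,DC=corp,DC=example"
           groupNameAttribute="cn"
           groupNameAlternateSearchAttribute="samAccountName"
           groupMemberAttribute="member"
           userNameAttribute="sAMAccountName"
           dnAttribute="distinguishedName"
           groupFilter="(ObjectClass=group)"
           userFilter="(ObjectClass=person)"
           scope="Subtree" />
    </providers>
  </roleManager>
</system.web>
```

The same two provider entries also have to be present in the Central Administration and SecurityTokenService web.config files for user picker resolution to work; the internal zone keeps its NTLM settings untouched, so AD users are unaffected.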
