User login required accessing SharePoint 2010 inside network with SSL - sharepoint-2010

We have a SharePoint 2010 site and are using the same URL to access it from inside and outside the network.
Our issue is that we don't want users inside our network to get asked for credentials when accessing the site.
If, for example, the URL we wanted to use was https://sp.domain.com, how would we set this up?

You can do this via Alternate Access Mappings. Have two zones for your SharePoint site: Intranet and Extranet. In AAM settings:
Intranet: http://sp.domain.com
Extranet: http://extranet.domain.com
You did not specify which authentication scheme you are using for the outside network. If it's forms authentication, you can set Windows for 1 and Forms authentication for 2.
However, if it's AD only for both, you will have to have sp.domain.com configured as Intranet URL and extranet.domain.com as Internet URL on each client computer. This can be done using group policy.
Your proxy server will have to do the work of transferring the sp.domain.com from external network to extranet.domain.com internally.
Good to read:
http://sharepoint.microsoft.com/blog/Pages/BlogPost.aspx?pID=804
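An added example, not part of the original answer: a read-only check, run from the SharePoint 2010 Management Shell, that lists each zone the web application is extended to, the incoming URLs mapped to it, and which authentication methods are enabled there, so you can confirm the Intranet/Extranet split described above. The function name `Get-ZoneAuthReport` is hypothetical, and the URL is the one used in the answer.

```powershell
# Added example (not from the original post). Read-only: changes nothing in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ZoneAuthReport {
    # Hypothetical helper name; takes any URL of the web application.
    param([Parameter(Mandatory = $true)][string]$WebApplicationUrl)

    $webApp = Get-SPWebApplication -Identity $WebApplicationUrl -ErrorAction Stop

    # IisSettings holds one entry per zone the web application is extended to
    # (Default, Intranet, Internet, Custom, Extranet).
    foreach ($zone in $webApp.IisSettings.Keys) {
        $iis = $webApp.IisSettings[$zone]

        # Incoming URLs registered in Alternate Access Mappings for this zone.
        $urls = @(Get-SPAlternateURL -WebApplication $webApp -Zone $zone |
                  ForEach-Object { $_.IncomingUrl })

        New-Object PSObject -Property @{
            Zone          = $zone
            Urls          = $urls -join ', '
            ClaimsMode    = $iis.UseClaimsAuthentication
            # Classic-mode Windows authentication on the zone's IIS site
            WindowsIis    = $iis.UseWindowsIntegratedAuthentication
            # Claims-mode providers enabled for the zone
            WindowsClaims = $iis.UseWindowsClaimsAuthenticationProvider
            FormsClaims   = $iis.UseFormsClaimsAuthenticationProvider
            Anonymous     = $iis.AllowAnonymous
            # The question asks for SSL; flag zones still answering on plain HTTP.
            PlainHttp     = [bool]($urls | Where-Object { $_ -like 'http://*' })
        }
    }
}

# Usage with the URL from the answer above.
Get-ZoneAuthReport -WebApplicationUrl 'http://sp.domain.com' |
    Format-Table Zone, Urls, ClaimsMode, WindowsIis, WindowsClaims,
                 FormsClaims, Anonymous, PlainHttp -AutoSize
```

A zone intended for internal single sign-on should show a Windows method and no forms provider; an externally published zone that shows `Anonymous` or `PlainHttp` as True deserves a second look.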

Related

Disable authentication for an app cloudflare

I have a server and I made a tunnel with Cloudflare to be able to access it from outside, creating an application in Cloudflare Zero Trust, and I am trying to disable all the policies so that it allows me to access the application without authentication.
But nothing works, whenever I try to enter my linkstream.domain.org application, it asks me for authentication via email.
The reason is that this application allows me to play streams so I don't want it to have authentication to access.
I've searched and configured everything, but I can't remove this authentication from Cloudflare:
Cloudflare Access is a product that can be used to add authentication to an application. If you want your application to be public (i.e. no authentication), I'd recommend not adding it to Access at all. You can set up a Cloudflare Tunnel without adding any Access application, for example to expose a webserver to the public.
I'd recommend looking also at the Allow policies.

SharePoint Client Side Object Model - Cannot Contact Site at the Specified URL - Mixed Authentication

Our SharePoint environment uses Claims Based Authentication - using FBA for external users and AD for internal users.
I have not been able to connect using default credentials or Windows authentication to a test SharePoint site using the SharePoint Client Side Object Model (CSOM). I am able to connect using an FBA user but require connecting using default credentials (assuming this is the app pool id tied to the SharePoint application) or at least an AD account.
The message I get when executing ClientContext.ExecuteQuery is - Cannot Contact Site at the Specified URL. I have researched this extensively and have tried numerous suggestions including the following:
Using an event handler tied to the clientContext.ExecutingWebRequest which adds to the WebRequest headers. Solution found here https://social.technet.microsoft.com/Forums/office/en-US/16cd0e26-8f3b-4ef2-bac4-c2c59849ab96/authentication-in-clientcontext-in-sharepoint-2010?forum=sharepointdevelopmentprevious.
Using System.Net.CredentialCache.DefaultCredentials
Using System.Net.NetworkCredential passing in AD account
Thanks for any ideas or suggestions.
Tom
I should have mentioned that we are using SharePoint 2010 and that I'm trying to retrieve and update user profile properties. As I was beginning to code a solution to do this (using my FBA connected ClientContext), I read that in SharePoint 2010, you can only update user properties using the UserGroup web service. I get an Access Denied when trying to connect via the web service. I believe the ClientContext sits on top of the web services so the scenario/issue is the same. Again, any thoughts or suggestions are greatly appreciated.
Well, after much research, it seems that there is a solution. Adding a header to the request programmatically is the first step. The only issue is that in addition to adding the header, you must add an additional Windows authentication zone to SharePoint. I do not want to add another zone to our production environment.
Since the program I'm putting together accesses SharePoint and non-SharePoint databases, I would like to run it on a non-SharePoint server so I will most likely use an FBA account that is specifically created for this purpose.
In case anyone is interested, here is another link explaining how to add the header to the web request. You will receive an error - Object Moved without adding an additional zone. Here is a link which describes adding a zone.

Always error authenticating through ADFS 2.0

I've managed to set up two virtual machines on my local Windows 7 laptop. Both of them are Windows Server 2008 R2. One acts as Active Directory Domain Controller and also as Active Directory Federation Services, and the other as the web app server. This second one is where I've set up my claims-aware ASP.NET MVC web application, and I also plan to set up ThinkTecture Identity Server later as my way to authenticate against custom username and password outside AD.
I've successfully implemented the installation and configuration needed for connecting our ASP.NET MVC apps through ADFS. They include:
Configure first server as Domain Controller and add domain account store (add user as testing -> this user belongs to Domain Users Group).
Configure first server also as Active Directory Federation Services.
Configure relying party trust identifier from federation metadata generated from FedUtil.exe in second server.
Configure group claim mapping and assign Domain Users to this group.
Configure web apps server to be claims aware agent.
The one that's always troubled me is that every time I access my apps, it successfully prompts a login dialog box. Once I enter my AD account and password, it always gives me the following error message: "There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: c558ed55-b203-42cc-b6bd-3d66bddb96cd".
Any idea from you guys how to get this to work? Any suggestions and ideas will be highly appreciated.
Have you looked in the event log?
Open Event Viewer > Go to Applications and Services Logs > AD FS 2.0
You'll see a list of errors which should give you some more guidance.
If you see the ADFS login screen, you can get to ADFS so I suspect it's something to do with your RP configuration.
Just to check - you are using ADFS 2.0 which you downloaded?

Sharepoint 2010 site accessibility from intranet and internet, how?

I want to create a SharePoint 2010 site on a SharePoint 2010 server. I want to make it available on the intranet as well as the internet. What exactly do I need to do? Do I need to configure mixed mode authentication? How?
Look at Alternate Access Mappings:
How Do I: Configure an Alternate Access Mapping in SharePoint 2010?
Server Name Mapping and Alternate Access Mapping (AAM)
Making a SharePoint 2010 site externally available
Regarding authentication, you can use Classic Mode Authentication for externally available sites, but all users will need an Active Directory account. Otherwise, you might want to use a web application with Claims Based Authentication that uses a mix of Windows Authentication and Forms Based Authentication.
Note that externally available sites that require authentication are technically extranet sites. An internet site usually means that anonymous access is allowed (at least in part). In the case of SharePoint internet sites, special licensing might be required.

SP2010 mixed authentication, windows and forms, both against AD

I want to have a mixed mode SharePoint 2010 install where intranet users are authenticated via Windows Authentication, and extranet users are authenticated via forms authentication.
There is an existing solution here, http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx, but I have one unusual difference. In most cases, the Windows authentication goes against an AD server and the forms authentication goes against an ASP.NET membership database. In my case, they're both going against AD servers. The users who use forms authentication are stored on an extranet AD server, and the users who use Windows authentication are stored on an intranet AD server. The extranet AD server has pass-through authentication set up with the intranet AD server, so SharePoint is always directly connected to the extranet AD server.
Is there a better approach to automatic mixed mode authentication in this case?
You are already doing things correctly. When you have internal users on an external farm, SharePoint will look for an available AD server and send the user in question to AD for verification. With the one-way trust, AD knows to check the trusted domain for the user in question if it does not exist in its own domain. The whole point of the trust is to avoid calls through the network to your internal domain directly. So technically the users are being authenticated to the domains as you described. If it's not working, I would bet your trust is not correctly configured.