Public-facing on-premises SharePoint with NTLM authentication

I've been searching for authentication best practices for public-facing SharePoint sites, but I haven't found any useful resources on the issue that is troubling me.
Assume I set up a web application with Classic NTLM authentication. On that web application I enable Anonymous access. This means that users inside the organization's network will be able to authenticate (actually use SSO) using the organization's DC. They will be able to access and administer all content. All other anonymous users will be able to see published content only, i.e. content which is permitted to anonymous users.
My question is: Is this kind of setup a security issue, because if a potential attacker hacks a WFE then he has direct access to the DC?
Is FBA maybe a better solution for public-facing sites? Or maybe use NTLM, but create a separate domain with a one-way trust to the organization's domain?

There are many variations you can take with this - and really you need to consider more than just your content. For true separation:
I would have a dedicated DC to manage service accounts.
I would break up my DMZ behind firewall contexts with a reverse proxy publishing SharePoint at the edge.
proxy/firewall -- SP Server -- Firewall -- SQL/DC
For true separation you don't want to share any underlying infrastructure with internal either, although in reality logical separation is usually enough.
Now you have to deal with internal user authentication and how to handle that. The first thing is I would have at minimum two webs available: your primary for editing and the extended version for public access.
While a one-way trust would work, you still expose user info out to the public, which you may not want. With this configuration you could configure the people picker to only select from a particular OU to minimize this.
Another option, however, is to look at using ADFS between your domains and create the trust there. You would have to configure the farm for claims auth to make this work, but this would eliminate the possibility of probing all the users in AD or the OU you expose.
With the ADFS method, when you update documents your user name is still tagged to content; however, if you don't populate the user profiles this will be the only information available about any internal user.
You may even want to go a step further and, when you extend the public site, use forms authentication but don't provide any users. Then there is no authenticated access from the public URL. And with ADFS/reverse proxy you may even be able to configure some pre-authentication for your internal users before they can even reach the internal SharePoint pages.
I would strongly consider moving to SharePoint 2013 and looking at cross-site publishing (2010 and below have content publishing, but stay away from that: when it works it's great, but when it doesn't it's a PITA to get back in sync). With cross-site publishing you have an editing site and the publishing site pulls from the Search index, and the permissions are completely separate.
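The two-zone layout the answer describes (the existing NTLM web application kept for internal editors, an extended Internet zone with anonymous access for the public, and a people picker limited to a single OU so the public zone cannot be used to enumerate the directory) can be scripted from the SharePoint management shell. The following is an added example and is not code from the thread; the intranet URL, public host name and OU distinguished name are placeholders you would replace with your own.

```powershell
# Added example (not from the original thread). Assumed placeholders:
#   $intranetUrl - existing Default-zone web application (classic NTLM)
#   $publicHost  - host name the reverse proxy publishes at the edge
#   $editorsOu   - the one OU that internal editors live in
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$intranetUrl = "http://intranet.corp.example"
$publicHost  = "www.example.com"
$editorsOu   = "OU=SharePointEditors,DC=corp,DC=example"

# 1. Extend the existing web application into the Internet zone. The public
#    URL allows anonymous access; editors keep using the Default-zone URL,
#    so the two zones can later be given different authentication providers
#    (for example forms auth with no users on the Internet zone).
New-SPWebApplicationExtension -Identity $intranetUrl `
    -Name "Public site (Internet zone)" `
    -Zone Internet `
    -Url "https://$publicHost" `
    -Port 443 `
    -HostHeader $publicHost `
    -SecureSocketsLayer `
    -AllowAnonymousAccess

# 2. Limit the people picker for the site collection to one OU, so that
#    the picker cannot browse the whole directory from any zone.
Set-SPSite -Identity $intranetUrl -UserAccountDirectoryPath $editorsOu

# 3. Verify: both zones are present with the expected URLs, and the OU
#    restriction is recorded on the site collection.
Get-SPAlternateURL -WebApplication $intranetUrl |
    Format-Table Zone, IncomingUrl, PublicUrl -AutoSize
(Get-SPSite $intranetUrl).UserAccountDirectoryPath
```

Enabling anonymous access on the extended zone only permits it at the web application level; the content that anonymous visitors may see is still granted per site through the site permissions, which is what keeps the public view limited to published pages. The reverse proxy in front of the Internet zone should be the only path from the outside to the WFE, matching the "proxy/firewall -- SP Server -- Firewall -- SQL/DC" layout above.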

Similar Messages

  • Grant read permission on List for Anonymous user for public facing site in Sharepoint 2013 Online

    I have a public facing SP site (SP Online 2013 with Office 365). There are certain app parts added to it which read data from a custom list created on that site. By default anonymous users do not have read permissions on the list. I want users to see the list data without logging in. I tried modifying the settings for anonymous users; however, I am unable to do it, as the "anonymous user" permissions cannot be checked by me.
    How do I provide read permissions to anonymous users?
    Thanks in advance

    Once you make the website online, anonymous users get read access to the list.
    You can add the list view web part and show the details to anonymous users. In the link below I have added the announcements list view web part to a page.
    https://velegandla-public.sharepoint.com/Pages/Page.aspx
    My Blog- http://www.sharepoint-journey.com|
    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful

  • How to open an external link with NTLM authentication

    Hi,
    My customer needs to open a link with parameters and go directly to a specific page. The problem is the application uses NTLM to get the session first. After the silent login, the parameter value is lost. Here is what the link looks like:
    f?p=200:1:0::::P1_ID:602:
    After authentication, it gets session and becomes:
    f?p=200:1:24365643544345
    Can anybody help me with this?
    Edited by: user8991541 on Apr 20, 2011 5:57 AM

    A UDL is technically a text file, so you could open it with "Read Characters from file", put the result string into a string control, edit it and save it back using the "Write Characters to File".
    UDLs however have their own configuration dialog embedded in the Windows OS. You can use this dialog in your LabVIEW application. The attached VI shows how to create a new UDL. You can edit an existing UDL by switching the method node to PromptEdit and wiring in an open ADO connection reference.
    Attachments:
    ConfigureDatabaseConnection.vi ‏26 KB

  • Public IP address requirerement for a Public facing SharePoint 2013 website.

    I am planning to implement a public facing website on SharePoint 2013 platform. Following are the proposed server setup.
    2 x Web Front End (WFE) hosting SharePoint 2013 (Load Balanced)
    2 x  Search and Application server hosting SharePoint 2013 (Load Balanced)
    2 x Application Server (non-SharePoint with separate .NET web applications linked through SharePoint site)
    2 x SQL 2012 Servers (Clustered with two instances for SharePoint and .NET applications)
    I understand that SQL servers will not require a public IP. What about other servers? Also, there is no tight integration between the Application (# 3) and SharePoint servers. It is just a hyperlink provided on the WFE website. In this scenario, do we need public IPs for # 2 and 3?
    Thanks in advance!
    LM

    Hi,
    In your scenario, if your Application servers run apps that need to be accessed from the Internet, these need to be published as well. Your Search And Application hosting SharePoint 2013 (SharePoint app servers) don't need to be connected to the internet.
    So all in all, make sure you publish your WFE's (using your load-balancer IP) and your Application (Non-SharePoint, through load-balancer).
    The best way to do this is using a reverse proxy to publish your SharePoint and application servers. This means you only need 1 public IP address in this scenario.
    If you need more guidance, let us know.
    Nico Martens
    SharePoint/Office365/Azure Consultant

  • WWSAPI - Cannot connect to web service via SSL and HTTP proxy authentication with NTLM, errorCode 0x803d0016, HTTP status 407

    Hi,
    I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and a proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode 0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
    In Wireshark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP response returns status 407 and the connection is closed. Comparing this to Internet Explorer, the connection is not closed and a second request with NTLMSSP_AUTH is sent.
    Why doesn't it make the complete NTLM handshake? Why wasn't the NTLMSSP_AUTH sent directly?
    I based my code on the HttpCalculatorWithKerberosOverSslClientExample.
    Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
    WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
    Any idea?
    Thanks

  • Setting up an external content type without having to change it to NTLM authentication?

    Referring to: https://www.kenplaysviola.com/content/sharepoint2010-business-connectivity-path-unavailable
    and tested to be true. However, I have a site on which I am not using NTLM. Is there a way around this?

    Hi,
    Based on your description, my understanding is that you can't set up an external content type with a Basic authentication web application.
    What errors have you got?
    I have done a test in my SharePoint, when I opened Basic authentication site with SharePoint Designer, I got an error
    ”Access to this web server is disabled by default because it is controlled by basic authentication and doesn't use SSL…”.
    But I could create an External List in the Basic authentication site successfully. I set up an external content type in an NTLM authentication site. Then I created an External List in the Basic authentication site which referred to the existing external content type, and it worked fine.
    So if you don't want to change your web application to NTLM authentication, try to create another web application with NTLM authentication, then create a site collection and create an external content type, and last create an External List in the Basic authentication site referring to the existing external content type in the NTLM authentication site.
    Also, here is a blog about "Access denied by Business Data Connectivity" you can take a look at:
    http://blogs.msdn.com/b/ericwhite/archive/2010/06/11/access-denied-by-business-data-connectivity.aspx
    Best Regards,
    Lisa Chen

  • Safari on Mavericks with NTLM Proxy

    Hello,
    We use a Bluecoat proxy in our company with NTLM authentication.
    I log in to the Mac (10.9.2) with my AD account.
    The proxy is configured with hostname and port.
    Surfing in Firefox and Chrome works without a problem.
    If I sniff the traffic for these two browsers I can see that
    both browsers use NTLMSSP for authentication to the proxy.
    If I try to use Safari it does not work.
    If I want to open a website the behaviour is always the same.
    The blue bar in the address field stops at a specific point, but then nothing happens.
    Even after half an hour I do not get an error message or the website.
    There is just nothing happening anymore.
    Does anybody have an idea what the problem could be?
    Thanks

    I have this same issue, and I have posted requesting insight on it here as well. But this has been to no avail.
    It seems the proxy breaks only on networked accounts.
    If you use a local account the proxy (in my experience) works fine if set up normally as you would.
    -----TEMPORARY WORKAROUND-----
    This is just something that I have tried that has worked for me, it may not work for you or anyone else.
    Our proxy is a windows server set up with TMG2010 and a web proxy address that is different from the DNS name of the server machine.
    Normally we enter into the web proxy address which is something like: proxy.mydomain.com
    I had the idea to try entering the local network name of the proxy as the proxy server in the network settings, then set up the user name and password boxes as I normally would as well. This actually worked.
    Although I am not sure what to take from WHY it works. DNS has no issues, so it seems to me the authentication through HTTP/HTTPS has broken.
    I have also read something elsewhere explaining it more in-depth than I feel is necessary here, but I will link you: http://apple.stackexchange.com/questions/118150/safari-7-cant-connect-to-intranet-using-http-authentication
    I have found the location to toggle the authentication on our TMG2010 server so now I'm just waiting until closing time to test.
    ---EDIT---
    I just realized that most people tackling these issues look at what could be the problem on the MAC OS X side/Client Side….maybe the web server/proxy could use a good update to support more authentication control/methods/error handling…but then again that is what happens when you have two big brands with different architecture and software competing for floor space.

  • WLS 10.3.3 - Web service - NTLM authentication

    Hi,
    We have generated a web service proxy based on a WSDL file for a .NET web service secured with NTLM authentication.
    Running the code that connects to the web service from a Java class main method works fine, but when running the same code from a web application deployed on WebLogic Server (we have tried both integrated and standalone) we get the following error: com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized.
    Is there something that we should set in weblogic?
    Regards,
    Delia

    Delia,
    We had exactly the same issue and it took ages to resolve! Oracle didn't have a solution so I knuckled down and eventually worked out a solution...
    When running your JAR under WLS you may have noticed that the exception looks like this:
    java.io.FileNotFoundException: Response: '401: Unauthorized' for url: 'http://your.domain.here/default.aspx'
    at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:474)
    Notice that it is not using java.net.HttpURLConnection as you might have expected (and your Java code explicitly imports!); rather it employs weblogic.net.http.HttpURLConnection, and there lies the rub.
    As it turns out, it is easy to have your code force the use of the handler you desire.
    Instead of:
    HttpURLConnection http = (HttpURLConnection) new URL(yourURL).openConnection();
    Use:
    URL url = new URL(null, yourURL, new sun.net.www.protocol.http.Handler());
    HttpURLConnection http = (HttpURLConnection) url.openConnection();
    Regards,
    Jerome

  • Anyconnect - NTLM authentication on internal website

    Hi..
    I'm setting up a portal on the ASA, and I need the users to access an internal site with NTLM authentication.
    They all share the same password, but we need it to be single sign-on.
    I can't get it working with the post codes.
    I have looked with Live HTTP Headers in Firefox, but no help.
    Any hints?
    Best regards
    Tue

    Hi Jesper,
    The ~HTTP_REMOTE_USER was set by the NTLM PAS module. PAS is a proprietary add-on for ITS 6.20 provided by SAP to allow external authentication via PAS modules. With NetWeaver 2004 the integrated ITS no longer has anything to do with authentication. This is done by the Web AS. Web AS does not support PAS but provides a similar technique called JAAS (Java Authentication and Authorization Service), which, unlike SAP PAS, is an industry standard. SAP Note 858138 points to SAP documentation, TechEd sessions and e-learning. I would suggest that you use this note as a starting point. I assume there is an NTLM JAAS module available but have no further information about it. Maybe this module passes the user ID to the called service.
    Best regards,
    Klaus

  • Sharepoint 2013 Public Facing Website With Managed Metadata Navigation on Office365 E3 Trial Online

    Warning: I am a complete novice in SharePoint.
    I have subscribed to the Office 365 online trial Enterprise edition to learn SharePoint.
    I have created a public facing website.
    Through the site collection settings -> Navigation I created a new metadata group named "navigation" and chose it for the global and current menu (I switched on the publishing service).
    Under Term Management I added two sub-terms (for the navigation group) with links to Documents and home.aspx.
    The team site immediately showed the global menu with only two options (Home and Documents) as needed.
    Unfortunately the public facing site did not show any such options and instead showed a different menu (the default one).
    I tried to add the navigation snippet to the master page and it showed the same default menu.
    The public site has no navigation option in Site Settings either.
    QUESTION: How can I get managed navigation in the public facing site? Is it possible, or is it not allowed?

    Hi,
    According to your post, my understanding is that you want to use Managed Metadata Navigation in the public website.
    Per my experience, we cannot use managed metadata navigation in the public website; it is only available for the internal site collections.
    For more information:
    http://community.office365.com/en-us/forums/154/t/166500.aspx
    You can refer to the following article to learn about the public website and internal site collections on Office 365.
    http://blogs.sharepoint911.com/blogs/jennifer/Lists/Posts/Post.aspx?ID=76
    As this is the forum for SharePoint Server, I'm not sure whether it supports managed metadata navigation now.
    I recommend you post your question to the forum for SharePoint Online:
    http://community.office365.com/en-us/forums/154.aspx
    More experts will assist you, and then you will get more information relating to SharePoint Online.
    Thank you for your understanding and support.
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support

  • Create public facing web site of SharePoint intranet portal with Public IP Address

    Hi,
    I did the steps below to create a public facing URL and to access it from outside the domain network (Internet).
    1. Got a public IP address.
    2. Extended the existing web application (default zone - intranet) with the zone set to Internet and the host header test.contoso.com.
    3. Went to IIS and edited the binding of the Internet site. Provided the public IP address in the 'IP Address' textbox and gave the host name as test.contoso.com.
    Above are the 3 steps used to get access to http://test.contoso.com from the Internet. But I am unable to access it and do not see any relevant message.
    Please help me and provide me the steps to achieve this.

    Did you actually register the contoso.com address on the Internet? And is it associated with the public IP address? To access SharePoint from the Internet you are going to use http://test.contoso.com. The Internet DNS servers need to be able to resolve that to your public IP in order to find the SharePoint server.
    Second, did you bind your external IP address to one of the network cards on your SharePoint server? Or is your firewall or other gateway device forwarding traffic to the SharePoint server at that address?
    Another problem you may have is whether that Internet IP address is even reachable on your internal network from the Internet. Most companies have firewalls in place to keep external users from accessing addresses inside the network.
    It sounds like you've done all the SharePoint configuration correctly, but you also need to make sure that TCP/IP is correctly configured.
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

  • OneDrive for Business iPad App with on-premise SharePoint 2013

    I don't know if this has more to do with OneDrive for Business or SharePoint 2013 itself.
    Basically we are trying to log into OneDrive for Business on the iPad app but it says "Sorry, this app doesn't support this type of authentication"
    We are using Claims Based Authentication with our On-premise SharePoint 2013 environment, which according to this table is a supported method: h**p://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/use-the-onedrive-for-business-app-on-an-iphone-or-ipad-HA104005688.aspx#_Supported__authentication
    We have tried different combinations of the username and url. Windows username, DOMAIN\username, email address, username@domain, etc. nothing seems to work.
    Any ideas on how to fix this?

    According to the Office blog, it does support SharePoint on-prem with the following authentication (NTLM & FBA):
    Introducing OneDrive for Business for iOS v1.2
    Q. Does this announcement apply to customers who have deployed SharePoint 2013 on-premises?
    A. Yes. The OneDrive for Business for iOS v1.2 app does support some SharePoint on-premises configurations (NTLM & FBA). We are committed to providing customers access to their OneDrive for Business in SharePoint 2013 on-premises. We also recently introduced new capabilities in SharePoint 2013 SP1 to more seamlessly connect on-premises investments to OneDrive for Business in Office 365. More information to be shared at SharePoint Conference 2014 (March 3-6 in Las Vegas); we will link to the relevant information once it has been posted next week.
    Please remember to mark your question as answered & vote helpful if this solves/helps your problem. Thanks -WS MCITP (SharePoint 2010, 2013) Blog: http://wscheema.com/blog

  • Sharepoint 2010 - Not able to access Sharepoint 2010 Public facing site on mobile browsers

    Hi All,
    Earlier, I posted a similar question in the forum, but did not get an appropriate response. Posting it again with some more information.
    We are not able to access the SharePoint public facing site on mobile browsers like Chrome, IE, Safari (however the site is working fine on the Firefox mobile browser and on PCs/laptops as well).
    Following is the error we are getting:
     "Cannot set custom attribute on mobile controls in this page. Custom attributes specified are Access Key=0."
    I checked in the event logs; the following was the exception:
    Exception captured in Exception HttpModule: System.Web.HttpException: Server cannot append header after HTTP headers have been sent.
       at System.Web.HttpResponse.set_RedirectLocation(String value)
       at Microsoft.SharePoint.Utilities.SPMobileUtility.Redirect(String url, SPRedirectFlags flags, HttpContext context, String queryStrings)
       at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.HandleMobilePageRequest(HttpContext context)
       at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.PostResolveRequestCacheHandler(Object oSender, EventArgs ea)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Also, there was Microsoft OS security patching on our farm servers, after which the error started. The following were the patches that were installed:
    1. MS14-005  KB2916036  Security Update for Windows Server 2008 R2 x64 Edition (KB2916036)
    2. MS14-009  KB2898857  Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2898857)
    3. MS14-009  KB2901112  Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2901112)
    4. MS14-009  KB2911501  Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2911501)
    5. MS14-011  KB2909210  Security Update for Windows Server 2008 R2 x64 Edition (KB2909210)
    6. MS14-012  KB2925418  Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 R2 x64 Edition (KB2925418)
    7. MS14-015  KB2930275  Security Update for Windows Server 2008 R2 x64 Edition (KB2930275)
    8. MS14-016  KB2923392  Security Update for Windows Server 2008 R2 x64 Edition (KB2923392)
    Has anyone of you ever faced a similar issue (site not opening on mobile browsers) after installing these patches on farm servers?
    Any help would be much appreciated.
    Thanks
    Saquib Khan

    We have found the below error in ULS as well as in the event viewer:
    Exception captured in Exception HttpModule: System.Web.HttpException: Server cannot append header after HTTP headers have been sent.
     at System.Web.HttpResponse.set_RedirectLocation(String value)
     at Microsoft.SharePoint.Utilities.SPMobileUtility.Redirect(String url, SPRedirectFlags flags, HttpContext context, String queryStrings)
     at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.HandleMobilePageRequest(HttpContext context)
     at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.PostResolveRequestCacheHandler(Object oSender, EventArgs ea)
     at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
     at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Saquib Khan

  • SharePoint 2013 public facing site - need to mask url in search results

    Hi, we have an SP2013 public facing site. Can we mask the display URL in search results? Actually we are pointing two URLs (ex: A & B) to the same web application. Search results were crawled based on the A URL, so when people search while browsing the 'B' URL, the search results give URLs from the 'A' site. Please let me know if anyone has a possible solution.
    Can we have more than one URL for the Internet zone in AAM? I browsed blogs and most of them say it is not possible.
    Thanks,
    JB

    Please don't create multiple questions for same issue, below one is the duplicate thread
    http://social.msdn.microsoft.com/Forums/sharepoint/en-US/25a31628-1a96-4d6d-a792-3493af5bdd83/unable-to-find-manage-site-feature-in-sharepoint-2013-public-facing-site?forum=sharepointgeneral
    My Blog- http://www.sharepoint-journey.com|
    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful

  • SharePoint public facing site does not open in sharepoint designer after giving http redirect in IIS

    I have a public facing SharePoint site.
    We set up an HTTP redirect in IIS, due to which I am unable to open the site in SharePoint Designer; it gives the error message "site not found in webserver".
    If I revert the settings (remove the HTTP redirect link) I'm able to open the site in Designer. Please let me know how I can resolve the issue of opening the site in SharePoint Designer after the HTTP redirect setting is done in IIS.

    Looks like an AAM issue. What URL of the site are you trying to open with Designer, and what are your AAM settings?
    Ronald Bruinsma - Independent SharePoint Consultant - iDocs.info - The Netherlands

    Ronald, I got the same issue; here is my info:
    SharePoint site: http://<servername>/sites/mycompany
    AAM (internal URL / zone / public URL):
    <ServerIP> / Default / http://servername
    <Servername> / Default / http://servername
    http://contoso.mycompany.com / Extranet / http://contoso.mycompany.com
    In IIS, web app 80, HTTP redirect:
    "Redirect requests to this destination" is checked: http://contoso.mycompany.com/sites/mycompany
    Can you help me? Thanks
