Public-facing on-premises SharePoint with NTLM authentication
I've been searching for authentication best practices for a public-facing SharePoint site, but I didn't find any useful resources on the issue that is troubling me.
Assume I set up a web application with Classic NTLM authentication. On that web application I enable Anonymous access. This means that users inside the organization's network will be able to authenticate (actually use SSO) using the organization's DC. They will be able to access and administer all content. All other anonymous users will be able to see published content only, i.e. content which is permitted to anonymous users.
My question is: is this kind of setup a security issue, because if a potential attacker hacks a WFE then he has direct access to the DC?
Is FBA maybe a better solution for public-facing sites? Or maybe use NTLM, but create a separate domain with a one-way trust to the organization's domain?
There are many variations you can take with this - and really you need to consider more than just your content. For true separation:
I would have a dedicated DC to manage service accounts.
I would break up my DMZ behind firewall contexts with a reverse proxy publishing SharePoint at the edge.
proxy/firewall -- SP Server -- Firewall -- SQL/DC
For true separation you don't want to share any underlying infrastructure with internal either, although in reality logical separation is usually enough.
Now you have to deal with internal user authentication and how to handle that. The first thing is I would have at minimum two webs available: your primary for editing and the extended version for public access.
While a one-way trust would work, you still do expose user info out to the public, which you may not want. With this configuration you could configure the people picker to only select from a particular OU to minimize this.
Another option, however, is to look at using ADFS between your domains and create the trust there. You would have to configure the farm for claims auth to make this work, but this would eliminate the possibility of probing all the users in AD or the OU you expose.
With the ADFS method, when you update documents your user name is still tagged to content; however, if you don't populate the user profiles this will be the only information available about any internal user.
You may even want to go a step further and, when you extend the public site, use forms authentication but don't provide any users. Then there is no authenticated access from the public URL. And with ADFS/Reverse Proxy you may even be able to configure some pre-authentication for your internal users before they can even reach the internal SharePoint pages.
I would strongly consider moving to SharePoint 2013 and looking at cross-site publishing (2010 and below have content publishing, but stay away from that: when it works it's great, but when it doesn't it's a PITA to get back in sync). With cross-site publishing you have an editing site and the publishing site pulls from the Search index, and the permissions are completely separate.
Similar Messages
-
Grant read permission on List for Anonymous user for public facing site in Sharepoint 2013 Online
I have a public facing SP site (SP Online 2013 with Office 365). There are certain app parts added to it which read data from a custom list created on that site. By default anonymous users do not have read permissions on the list. I want users to see the list data without logging in. I tried modifying the settings for anonymous users, however I am unable to do it as the "anonymous user" permissions cannot be checked by me.
How do I provide read permissions to anonymous users?
Thanks in advance
Once you make the website online, anonymous users get read access to the list.
You can add the list view web part and show the details to anonymous users. In the below link I have added the announcement list view web part to a page.
https://velegandla-public.sharepoint.com/Pages/Page.aspx
My Blog- http://www.sharepoint-journey.com|
If a post answers your question, please click Mark As Answer on that post and Vote as Helpful -
How to open an external link with NTLM authentication
Hi,
My customer needs to open a link with parameters and go directly to a specific page. The problem is the application uses NTLM to get the session first. After the silent login, the parameter value is lost. Here is what the link looks like:
f?p=200:1:0::::P1_ID:602:
After authentication, it gets session and becomes:
f?p=200:1:24365643544345
Can anybody help me with this?
Edited by: user8991541 on Apr 20, 2011 5:57 AM
A UDL is technically a text file, so you could open it with "Read Characters from File", put the result string into a string control, edit it and save it back using "Write Characters to File".
UDLs however have their own configuration dialog embedded in the Windows OS. You can use this dialog in your LabVIEW application. The attached VI shows how to create a new UDL. You can edit an existing UDL by switching the method node to PromptEdit and wiring in an open ADO connection reference.
Attachments:
ConfigureDatabaseConnection.vi 26 KB -
Public IP address requirement for a public facing SharePoint 2013 website.
I am planning to implement a public facing website on SharePoint 2013 platform. Following are the proposed server setup.
2 x Web Front End (WFE) hosting SharePoint 2013 (Load Balanced)
2 x Search and Application server hosting SharePoint 2013 (Load Balanced)
2 x Application Server (non-SharePoint with separate .NET web applications linked through SharePoint site)
2 x SQL 2012 Servers (Clustered with two instances for SharePoint and .NET applications)
I understand that SQL servers will not require a public IP. What about the other servers? Also, there is no tight integration between the Application servers (#3) and the SharePoint servers. It is just a hyperlink provided on the WFE website. In this scenario, do we need public IPs for #2 and #3?
Thanks in advance!
LM
Hi,
In your scenario, if your Application servers run apps that need to be accessed from the Internet, these need to be published as well. Your Search and Application servers hosting SharePoint 2013 (SharePoint app servers) don't need to be connected to the Internet.
So all in all, make sure you publish your WFEs (using your load-balancer IP) and your Application servers (non-SharePoint, through the load-balancer).
The best way to do this is using a reverse proxy to publish your SharePoint and application servers. This means you only need 1 public IP address in this scenario.
If you need more guidance, let us know.
Nico Martens
SharePoint/Office365/Azure Consultant -
Hi,
I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and a proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode 0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
In Wireshark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP response returns status 407 and the connection is closed. Comparing this to Internet Explorer: the connection is not closed and a second request with NTLMSSP_AUTH is sent.
Why doesn't it make the complete NTLM handshake? Why wasn't the NTLMSSP_AUTH sent directly?
I based my code on the HttpCalculatorWithKerberosOverSslClientExample.
Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM and WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
Any idea?
Thanks -
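The proxy handshake the post describes (NEGOTIATE, then a 407 that should carry the CHALLENGE, then AUTH) is easier to reason about with a tool that reads the captured headers. The following is an added example, not part of the original post and not WWSAPI code: a small Python parser that pulls the NTLMSSP message type, the negotiate flags and (for a CHALLENGE) the 8-byte server challenge out of Proxy-Authorization / Proxy-Authenticate header values, plus a checker that classifies a request/response sequence as complete or stalled. The message builders, the flag values used and both exchanges are constructed for the example; the Type 3 message is a zeroed header stub that a parser recognises as NTLMSSP_AUTH, deliberately not a valid response to any challenge.

```python
import base64
import struct

# Every NTLMSSP message starts with this 8-byte signature, followed by a
# little-endian 32-bit message type (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTH).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NTLMSSP_NEGOTIATE", 2: "NTLMSSP_CHALLENGE", 3: "NTLMSSP_AUTH"}

# A few NEGOTIATE flag bits from MS-NLMP, used only to build the sample messages.
FLAG_UNICODE = 0x00000001
FLAG_NTLM = 0x00000200
FLAG_EXTENDED_SESSION_SECURITY = 0x00080000
FLAG_128 = 0x20000000
SAMPLE_FLAGS = FLAG_UNICODE | FLAG_NTLM | FLAG_EXTENDED_SESSION_SECURITY | FLAG_128

# Constructed sample server challenge; not taken from any real capture.
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")


def build_negotiate(flags):
    """Type 1: signature, type, flags, then empty DomainName and Workstation fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + b"\x00" * 16


def build_challenge(server_challenge, flags):
    """Type 2: signature, type, empty TargetName field, flags, 8-byte challenge,
    8 reserved bytes, then an empty TargetInfo field."""
    assert len(server_challenge) == 8
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + b"\x00" * 8
            + struct.pack("<I", flags) + server_challenge + b"\x00" * 16)


def build_authenticate_stub(flags):
    """Type 3 header with all six field descriptors zeroed (48 bytes) and the
    flags at offset 60. Recognisable as NTLMSSP_AUTH, never a valid response."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", 3) + b"\x00" * 48 + struct.pack("<I", flags)


def ntlm_header(raw):
    """Encode a message the way it travels in Proxy-Authorization / Proxy-Authenticate."""
    return "NTLM " + base64.b64encode(raw).decode("ascii")


def parse_ntlm_token(header_value):
    """Decode an 'NTLM [<base64>]' header value.
    Returns None for a non-NTLM scheme; type 0 for the bare 'NTLM' offer a proxy
    sends on its first 407; otherwise the message type, flags and, for a
    CHALLENGE, the server challenge."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    if not token:
        return {"type": 0, "flags": None, "challenge": None}
    raw = base64.b64decode(token)
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("header does not carry an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    flags_offset = {1: 12, 2: 20, 3: 60}.get(msg_type)   # per-type NegotiateFlags position
    flags = None
    if flags_offset is not None and len(raw) >= flags_offset + 4:
        flags = struct.unpack_from("<I", raw, flags_offset)[0]
    challenge = raw[24:32] if msg_type == 2 and len(raw) >= 32 else None
    return {"type": msg_type, "flags": flags, "challenge": challenge}


def handshake_summary(exchange):
    """exchange: list of (sender, status, ntlm_header_value_or_None) in wire order.
    Returns the NTLMSSP message names seen and a verdict on the handshake."""
    seen = []
    for _sender, _status, header in exchange:
        if header is None:
            continue
        parsed = parse_ntlm_token(header)
        if parsed and parsed["type"] in MESSAGE_NAMES:
            seen.append(MESSAGE_NAMES[parsed["type"]])
    final_status = exchange[-1][1]
    if seen == list(MESSAGE_NAMES.values()) and final_status not in (None, 407):
        verdict = "complete"
    elif seen == ["NTLMSSP_NEGOTIATE"]:
        verdict = "stalled after NEGOTIATE: no CHALLENGE token came back"
    else:
        verdict = "incomplete"
    return seen, verdict


# Constructed exchanges (not captures): a healthy proxy handshake, and the
# NEGOTIATE-then-407-then-close pattern described in the post.
COMPLETE_EXCHANGE = [
    ("client", None, None),                                   # CONNECT with no credentials
    ("proxy", 407, "NTLM"),                                   # Proxy-Authenticate: NTLM
    ("client", None, ntlm_header(build_negotiate(SAMPLE_FLAGS))),
    ("proxy", 407, ntlm_header(build_challenge(SAMPLE_CHALLENGE, SAMPLE_FLAGS))),
    ("client", None, ntlm_header(build_authenticate_stub(SAMPLE_FLAGS))),
    ("proxy", 200, None),                                     # tunnel established
]
STALLED_EXCHANGE = [
    ("client", None, ntlm_header(build_negotiate(SAMPLE_FLAGS))),
    ("proxy", 407, "NTLM"),                                   # then the proxy closes the socket
]

if __name__ == "__main__":
    for name, exchange in (("complete", COMPLETE_EXCHANGE), ("stalled", STALLED_EXCHANGE)):
        print(name, handshake_summary(exchange))
```

Feeding the header values from a Wireshark capture into `handshake_summary` shows at a glance whether the proxy ever returned a CHALLENGE token; a 407 that carries only a bare `NTLM` before the socket closes means the client never had anything to compute an AUTH message from, which is the stalled case in the post.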
Setting up an external content type without having to change it to NTLM authentication?
Referring to: https://www.kenplaysviola.com/content/sharepoint2010-business-connectivity-path-unavailable
and tested to be true. However, I have a site where I am not using NTLM. Is there a way around this?
Hi,
Based on your description, my understanding is that you can't set up an external content type with a Basic authentication web application.
What errors have you got?
I have done a test in my SharePoint. When I opened a Basic authentication site with SharePoint Designer, I got an error: "Access to this web server is disabled by default because it is controlled by basic authentication and doesn't use SSL...".
But I could create an External List in the Basic authentication site successfully. I set up an external content type with an NTLM authentication site. Then I created an External List in the Basic authentication site which referred to the existing external content type, and it worked fine.
So if you don't want to change your web application to NTLM authentication, try to create another web application with NTLM authentication, then create a site collection and create an external content type, and last create an External List in the Basic authentication site referring to the existing external content type in the NTLM authentication site.
Also, here is a blog about Access denied by Business Data Connectivity; you can take a look at:
http://blogs.msdn.com/b/ericwhite/archive/2010/06/11/access-denied-by-business-data-connectivity.aspx
Best Regards,
Lisa Chen -
Safari on Mavericks with NTLM Proxy
Hello,
we use a Bluecoat Proxy in our company with NTLM authentication.
I log in to the Mac (10.9.2) with my AD account.
The proxy is configured with hostname and port.
Surfing in Firefox and Chrome works without a problem.
If I sniff the traffic for these two browsers I can see that both browsers use NTLMSSP for authentication to the proxy.
If I try to use Safari it does not work.
If I want to open a website the behaviour is always the same.
The blue bar in the address field stops at a specific point but then nothing happens.
Even after half an hour I do not get an error message or the website.
There is just nothing happening anymore.
Has anybody an idea what the problem could be?
Thanks
I have this same issue, and I have posted requesting insight on it here as well. But this has been to no avail.
It seems the proxy breaks only on networked accounts.
If you use a local account the proxy (in my experience) works fine if set up normally as you would.
-----TEMPORARY WORKAROUND-----
This is just something that I have tried that has worked for me, it may not work for you or anyone else.
Our proxy is a Windows server set up with TMG 2010 and a web proxy address that is different from the DNS name of the server machine.
Normally we enter the web proxy address, which is something like: proxy.mydomain.com
I had the idea to try entering the local network name of the proxy as the proxy server in the network settings, then set up the user name and password boxes as I normally would as well. This actually worked.
Although I am not sure what to take from WHY it works. DNS has no issues, so it seems to me the authentication through HTTP/HTTPS has broken.
I have also read something elsewhere explaining it more in-depth than I feel necessary here, but I will link you: http://apple.stackexchange.com/questions/118150/safari-7-cant-connect-to-intranet-using-http-authentication
I have found the location to toggle the authentication on our TMG 2010 server, so now I'm just waiting until closing time to test.
---EDIT---
I just realized that most people tackling these issues look at what could be the problem on the Mac OS X side/client side... maybe the web server/proxy could use a good update to support more authentication control/methods/error handling... but then again that is what happens when you have two big brands with different architecture and software competing for floor space. -
WLS 10.3.3 - Web service - NTLM authentication
Hi,
We have generated a web service proxy based on a wsdl file for a .NET web service secured with NTLM authentication.
Running the code that connects to the web service from a java class main method works fine, but when running the same code from a web application deployed on weblogic server (we have tried both integrated and standalone) we get the following error: com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized.
Is there something that we should set in weblogic?
Regards,
Delia
Delia,
We had exactly the same issue and it took ages to resolve! Oracle didn't have a solution so I knuckled down and eventually worked out a solution...
When running your JAR under WLS you may have noticed that the exception looks like this:
java.io.FileNotFoundException: Response: '401: Unauthorized' for url: 'http://your.domain.here/default.aspx'
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:474)
Notice that it is not using the java.net.HttpURLConnection as you might have expected (and your Java code explicitly imports!), rather it employs weblogic.net.http.HttpURLConnection and there lies the rub.
As it turns out, it is easy to have your code force the use of the handler you desire.
Instead of:
HttpURLConnection http = (HttpURLConnection) new URL(yourURL).openConnection();
Use:
// Pass the JDK's own HTTP protocol handler explicitly, so WebLogic's weblogic.net.http.HttpURLConnection is not substituted at runtime
URL url = new URL(null, yourURL, new sun.net.www.protocol.http.Handler());
HttpURLConnection http = (HttpURLConnection) url.openConnection();
Regards,
Jerome -
Anyconnect - NTLM authentication on internal website
Hi..
I'm setting up a portal on the ASA - and I need the users to access an internal site with NTLM authentication.
They all share the same password - but we need it to be single sign on.
I can't get it working with the post codes..
I have looking with live http headers in Firefox - but no help.
Any hints???
Best regards
Tue
Hi Jesper,
the ~HTTP_REMOTE_USER was set by the NTLM PAS module. PAS is a proprietary add-on for ITS 6.20 provided by SAP to allow external authentication via PAS modules. With NetWeaver 2004 the integrated ITS no longer has anything to do with authentication. This is done by the Web AS. The Web AS does not support PAS but provides a similar technique called JAAS (Java Authentication and Authorization Service), which, unlike SAP PAS, is an industry standard. SAP Note 858138 points to SAP documentation, TechEd sessions and e-learning. I would suggest that you use this note as a starting point. I assume there is an NTLM JAAS module available but have no further information about it. Maybe this module passes the user ID to the called service.
Best regards,
Klaus -
Sharepoint 2013 Public Facing Website With Managed Metadata Navigation on Office365 E3 Trial Online
Warning: I am a complete novice in sharepoint
I have subscribed to office365 online trial Enterprise edition to learn sharepoint
I have created a Public facing Website
Through the site-collection setting -> navigation created a new metadata group named navigation and chose it for global and current menu(I switched on the publishing service)
Under the term Management I added two sub terms(for navigation group) with links to document and home.aspx
The team site immediately showed the global menu with only two options(home and document) as needed
Unfortunately the public facing site did not show any such options and instead showed a different menu(default one)
I tried to add the navigation snippet to the master page and it showed the same default menu.
The public site has no navigation option in Site setting either
QUESTION: How can I get managed navigation in the public facing site? Is it possible, or is it not allowed?
Hi,
According to your post, my understanding is that you want to use Managed Metadata Navigation in the Public Website.
Per my experience, we cannot use managed metadata navigation in the public website; it is only available for the internal site collections.
For more information:
http://community.office365.com/en-us/forums/154/t/166500.aspx
You can refer to the following article to know the public website and internal site collections on Office 365.
http://blogs.sharepoint911.com/blogs/jennifer/Lists/Posts/Post.aspx?ID=76
As this is the forum for SharePoint Server, I'm not sure whether it supports managed metadata navigation now.
I recommend you can post your question to the forum for SharePoint Online:
http://community.office365.com/en-us/forums/154.aspx.
More experts will assist you, then you will get more information relation to SharePoint Online.
Thank you for your understanding and support.
Thanks & Regards,
Jason
Jason Guo
TechNet Community Support -
Create public facing web site of SharePoint intranet portal with Public IP Address
Hi,
I did below steps to create public facing URL and to access outside domain network (Internet).
1. Got a public IP Address.
2. Created an extending web application to existing Web Application (default zone - intranet) and Zone selected to Internet and host header given test.contoso.com.
3. Went to IIS and edit binding of Internet site. Provided public IP Address in 'IP Address' textbox and given host name as test.contoso.com.
Above are the 3 steps used to get access to http://test.contoso.com on the Internet. But I am unable to access it and have not seen any relevant message.
Please help me and provide me steps to achieve this.
Did you actually register the contoso.com address on the Internet? And is it associated with the public IP address? To access SharePoint from the Internet you are going to use http://test.contoso.com. The Internet DNS servers need to be able to resolve that to your public IP in order to find the SharePoint server.
Second, did you bind your external IP address to one of the network cards on your SharePoint server? Or is your firewall or other gateway device forwarding traffic to the SharePoint server at that address?
Another problem you may have is whether that Internet IP address is even reachable on your internal network from the Internet. Most companies have firewalls in place to keep external users from accessing addresses inside your network.
It sounds like you've done all the SharePoint configuration correctly, but you also need to make sure that TCP/IP is correctly configured.
Paul Stork SharePoint Server MVP
Principal Architect: Blue Chip Consulting Group
Blog: http://dontpapanic.com/blog
Twitter: Follow @pstork
Please remember to mark your question as "answered" if this solves your problem. -
OneDrive for Business iPad App with on-premise SharePoint 2013
I don't know if this has more to do with OneDrive for Business or SharePoint 2013 itself.
Basically we are trying to log into OneDrive for Business on the iPad app but it says "Sorry, this app doesn't support this type of authentication"
We are using Claims Based Authentication with our On-premise SharePoint 2013 environment, which according to this table is a supported method: h**p://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/use-the-onedrive-for-business-app-on-an-iphone-or-ipad-HA104005688.aspx#_Supported__authentication
We have tried different combinations of the username and url. Windows username, DOMAIN\username, email address, username@domain, etc. nothing seems to work.
Any ideas on how to fix this?
According to the Office blog, it does support SharePoint on-prem with the following authentication (NTLM & FBA):
Introducing OneDrive for Business for iOS v1.2
Q. Does this announcement apply to customers who have deployed SharePoint 2013 on-premises?
A. Yes. The OneDrive for Business for iOS v1.2 app does support some SharePoint on-premises configurations (NTLM & FBA). We are committed to providing customers access to their OneDrive for Business in SharePoint 2013 on-premises. We also recently introduced new capabilities in SharePoint 2013 SP1 to more seamlessly connect on-premises investments to OneDrive for Business in Office 365. More information to be shared at SharePoint Conference 2014 (March 3-6 in Las Vegas); we will link to the relevant information once it has been posted next week.
Please remember to mark your question as answered & Vote helpful, if this solves/helps your problem.
Thanks -WS MCITP (SharePoint 2010, 2013) Blog: http://wscheema.com/blog -
Sharepoint 2010 - Not able to access Sharepoint 2010 Public facing site on mobile browsers
Hi All,
Earlier, I posted a similar question in the forum, but did not get an appropriate response. Posting it again with some more information.
We are not able to access the SharePoint public facing site on mobile browsers like Chrome, IE, Safari (however the site is working fine on the Firefox mobile browser and on PCs/laptops as well).
Following is the error we are getting:
"Cannot set custom attribute on mobile controls in this page. Custom attributes specified are Access Key=0."
I checked in the event logs; following was the exception:
Exception captured in Exception HttpModule: System.Web.HttpException: Server cannot append header after HTTP headers have been sent.
at System.Web.HttpResponse.set_RedirectLocation(String value)
at Microsoft.SharePoint.Utilities.SPMobileUtility.Redirect(String url, SPRedirectFlags flags, HttpContext context, String queryStrings)
at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.HandleMobilePageRequest(HttpContext context)
at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.PostResolveRequestCacheHandler(Object oSender, EventArgs ea)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Also, there was Microsoft OS security patching on our farm servers, after which the error started appearing. The following patches were installed:
1. MS14-005 KB2916036 Security Update for Windows Server 2008 R2 x64 Edition (KB2916036)
2. MS14-009 KB2898857 Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2898857)
3. MS14-009 KB2901112 Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2901112)
4. MS14-009 KB2911501 Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2911501)
5. MS14-011 KB2909210 Security Update for Windows Server 2008 R2 x64 Edition (KB2909210)
6. MS14-012 KB2925418 Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 R2 x64 Edition (KB2925418)
7. MS14-015 KB2930275 Security Update for Windows Server 2008 R2 x64 Edition (KB2930275)
8. MS14-016 KB2923392 Security Update for Windows Server 2008 R2 x64 Edition (KB2923392)
Has anyone of you ever faced a similar issue (site not opening on mobile browsers) after installing these patches on farm servers?
Any help would be much appreciated.
Thanks
Saquib Khan
We have found the below error in ULS as well as in the event viewer:
Exception captured in Exception HttpModule: System.Web.HttpException: Server cannot append header after HTTP headers have been sent.
at System.Web.HttpResponse.set_RedirectLocation(String value)
at Microsoft.SharePoint.Utilities.SPMobileUtility.Redirect(String url, SPRedirectFlags flags, HttpContext context, String queryStrings)
at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.HandleMobilePageRequest(HttpContext context)
at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.PostResolveRequestCacheHandler(Object oSender, EventArgs ea)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Saquib Khan -
SharePoint 2013 public facing site - need to mask url in search results
Hi, we have an SP2013 public facing site. Can we mask the display URL in search results? Actually we are pointing two URLs (ex: A & B) to the same web application. Search results are already crawled based on the A URL, so when people search while browsing the 'B' URL, the search results give the URL with the 'A' site. Please let me know if anyone has a possible solution.
Can we have more than one url for internet zone in AAM? i browsed in blogs most of them say it is not possible.
Thanks,
JB
JB
Please don't create multiple questions for the same issue; the below one is the duplicate thread:
http://social.msdn.microsoft.com/Forums/sharepoint/en-US/25a31628-1a96-4d6d-a792-3493af5bdd83/unable-to-find-manage-site-feature-in-sharepoint-2013-public-facing-site?forum=sharepointgeneral
My Blog- http://www.sharepoint-journey.com|
If a post answers your question, please click Mark As Answer on that post and Vote as Helpful -
SharePoint public facing site does not open in sharepoint designer after giving http redirect in IIS
I have a public facing sharepoint site
We configured an HTTP redirect in IIS, due to which I am unable to open the site in SharePoint Designer; it gives the error message "site not found in webserver".
If I revert the settings (remove the HTTP redirect link) I am able to open the site in Designer. Please let me know how I can resolve the issue of opening the site in SharePoint Designer after the HTTP redirect setting is done in IIS.
Looks like an AAM issue. What URL of the site are you trying to open with Designer and what are your AAM settings?
Ronald Bruinsma - Independent SharePoint Consultant - iDocs.info - The Netherlands
Ronald, I got the same issue. Here is my info:
SharePoint site: http://<servername>/sites/mycompany
AAM settings (Internal URL / Zone / Public URL):
<ServerIP>                      Default    http://servername
<Servername>                    Default    http://servername
http://contoso.mycompany.com    Extranet   http://contoso.mycompany.com
In IIS web app 80, HTTP redirect:
"Redirect requests to this destination" is checked: http://contoso.mycompany.com/sites/mycompany
Can you help me? Thanks
can you help me? thanks