Configuring Authentication

You configure authentication for Web sites based on Microsoft Windows SharePoint Services by configuring authentication methods in Internet Information Services (IIS) (Internet Information Services (IIS): Software services from Microsoft that support Web site creation, configuration, and management, along with other Internet functions.). Windows SharePoint Services uses the authentication method you specify for a virtual server (virtual server: A virtual computer that resides on an HTTP server but appears to the user as a separate HTTP server. Several virtual servers can reside on one computer. Each virtual server can have its own domain name and IP address.) in IIS to control authentication for all top-level Web sites (top-level Web site: The default, top-level site provided by a Web server or virtual server. To gain access to the top-level Web site, you supply the URL of the server without specifying a page name or subsite.) and subsites (subsite: A complete Web site stored in a named subdirectory of the top-level Web site. Each subsite can have administration, authoring, and browsing permissions that are independent from the top-level Web site and other subsites.) of that virtual server. Windows SharePoint Services works with the following authentication methods in IIS:

  • Anonymous authentication
  • Basic authentication
  • Integrated Windows authentication
  • Certificates authentication (SSL)

You can change authentication methods for virtual servers hosting Web sites based on Windows SharePoint Services, and you can change the authentication method used for the SharePoint Central Administration site. You can also enable Secure Sockets Layer (SSL) security in IIS to help protect your sites or the administration port (administration port: The Internet Information Services (IIS) virtual server and port used for SharePoint Central Administration.) for your server.

Changing Authentication Methods

Each virtual server can use a different authentication method in Internet Information Services (IIS). You can even enable multiple authentication methods if you are using the same Web site content in more than one environment. For example, if you have a Web site that is primarily for internal use within your organization, you would most likely choose Integrated Windows authentication. If, however, your use of the site changes, and you must allow your organization's members to access the site externally through a firewall (firewall: A security system that uses a proxy server outside of an organization's network to protect the network against external threats, such as malicious users or corrupt files.), you might also want to enable Basic authentication.

 Note   Basic authentication is less secure than Integrated Windows authentication. For this scenario it is recommended that you use Basic authentication with SSL to help make your environment more secure.

When you change authentication methods in IIS, you do not need to change any settings in Windows SharePoint Services. For example, if you decide to use Integrated Windows authentication instead of Basic authentication, you make the change only in IIS.

Change authentication methods
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Click the plus sign (+) next to the server name that contains the virtual server you want to change.
  3. Click the plus sign (+) next to Web sites.
  4. Right-click the virtual server, and then click Properties.
  5. On the Directory Security tab, under Authentication and access control, click Edit.
  6. Select the check boxes for the authentication methods you want to enable, and clear the check boxes for the authentication methods you want to disable.
  7. Click OK to close the Authentication Methods dialog box.
  8. Click OK again to close the Properties dialog box.

 Note   For more information about IIS authentication methods, see the topic About Authentication in IIS 6.0 Help.

Enabling Secure Sockets Layer (SSL)

To enable SSL for a virtual server hosting Web sites based on Windows SharePoint Services, you can simply turn on SSL in IIS. If you want to use SSL for the SharePoint Central Administration virtual server, you must also use the setadminport command-line operation to enable SSL in Windows SharePoint Services.

Enabling SSL in IIS

You can enable SSL for a virtual server by using Internet Information Services (IIS) Manager. Note that you must have a certificate before you can enable SSL. For more information about SSL certificates, see the topics About Certificates and Setting Up SSL on Your Server in IIS 6.0 Help.

Enable SSL in IIS
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Click the plus sign (+) next to the server name that contains the virtual server you want to change.
  3. Click the plus sign (+) next to Web sites.
  4. Right-click the virtual server, and then click Properties.
  5. On the Directory Security tab, under Secure communications, click Edit.
  6. In the Secure Communications dialog box, select the Require secure channel (SSL) check box, and then click OK.
  7. Click OK again to close the Properties dialog box.
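
An added example (not part of the original Microsoft topic): a small Python audit that decodes the IIS 6.0 metabase properties AuthFlags and AccessSSLFlags for each virtual server and reports the case the Note under Changing Authentication Methods warns about, Basic authentication without Require secure channel (SSL). The site names and flag values are constructed samples; reading the real values from the metabase (for example with adsutil.vbs) is assumed to happen separately.

```python
# Added example: audit IIS 6.0 virtual servers for Basic authentication without SSL.
# Bit values are the IIS 6.0 metabase constants for AuthFlags and AccessSSLFlags.
AUTH_BITS = [
    (0x01, "Anonymous"),
    (0x02, "Basic"),
    (0x04, "Integrated Windows"),
    (0x10, "Digest"),
    (0x40, ".NET Passport"),
]
ACCESS_SSL = 0x008               # "Require secure channel (SSL)" check box
ACCESS_SSL_REQUIRE_CERT = 0x040  # client certificate required
ACCESS_SSL_128 = 0x100           # 128-bit encryption required


def decode_auth(auth_flags):
    """Return the names of the authentication methods enabled in AuthFlags."""
    return [name for bit, name in AUTH_BITS if auth_flags & bit]


def audit_site(name, auth_flags, ssl_flags):
    """Decode one virtual server's flags and list its findings."""
    methods = decode_auth(auth_flags)
    require_ssl = bool(ssl_flags & ACCESS_SSL)
    findings = []
    if "Basic" in methods and not require_ssl:
        findings.append("Basic authentication is enabled but SSL is not required")
    if ssl_flags & ACCESS_SSL_REQUIRE_CERT and not require_ssl:
        findings.append("Client certificates are required but SSL is not required")
    return {"site": name, "methods": methods,
            "require_ssl": require_ssl, "findings": findings}


# Constructed sample data: (virtual server name, AuthFlags, AccessSSLFlags).
SAMPLE_SITES = [
    ("Intranet", 0x04, 0x000),
    ("Extranet", 0x06, 0x000),
    ("Extranet-SSL", 0x06, ACCESS_SSL | ACCESS_SSL_128),
]

if __name__ == "__main__":
    for site in SAMPLE_SITES:
        result = audit_site(*site)
        status = "; ".join(result["findings"]) or "OK"
        print(f'{result["site"]}: {", ".join(result["methods"])} -> {status}')
```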

Enabling SSL for the SharePoint Central Administration Pages

After you have enabled SSL for the SharePoint Central Administration virtual server in IIS, you must use the command line to configure Windows SharePoint Services to use SSL. Perform the following steps to configure Windows SharePoint Services to use SSL for the Central Administration pages.

Enable SSL for the SharePoint Central Administration pages
  1. If you have a server farm (server farm: A centralized grouping of network servers maintained by an enterprise or, often, an Internet service provider (ISP). A server farm provides a network with load balancing, scalability, and fault tolerance.), you must set all of the servers in your server farm to use the same administration port by using syntax similar to the following:
stsadm.exe -o setadminport -p 443

Replace the port number in the example syntax with the port number you want to use for remote administration. Run this command on each Web front-end server in your server farm. Note that this step is for server farms only; you do not need to change the administration port if you are running Windows SharePoint Services on a single server.

  2. Configure the administration pages to use SSL by using syntax similar to the following:
stsadm.exe -o setadminport -ssl

If you have a server farm, you must run this command on each Web front-end server in your server farm.

 Note   If you want a more secure administration port, it is recommended that you also use your firewall or the IIS IP and domain restrictions feature to restrict access to the administration port. With either the firewall or IP and domain restrictions, you can specify that requests from unauthorized IP addresses or network domain names (network domain name: A group of users in a network who share a common set of shared resources, such as server disk drives and printers. A large network may have several domains based upon the needs of each set of users.) be ignored. For more information about configuring IP and domain restrictions in IIS, see the IIS Help system. For more information about configuring your firewall to reject unauthorized requests, see the documentation for your firewall.

Related Topics

For more information about authentication methods or SSL, see "Windows SharePoint Services Security Model" in the Windows SharePoint Services Administrator's Guide.

For more information about using command-line operations such as setadminport, see Command-Line Operations.

 
 
Applies to:
Deployment Center 2003