SharePoint 2016, 2013 and 2010 support the concept of "multi-mode authentication" for a web application. What this means is that a given SharePoint web application, such as an extranet web application, can be connected to multiple authentication providers so that user accounts from multiple account directories can access the web application. Examples of authentication providers that SharePoint can use are Active Directory, LDAP, the ASP.NET SQL Membership Provider, and any Trusted Identity Providers (TIPs), such as ADFS.
Microsoft provides a nice diagram that depicts this capability:

By using the multi-mode authentication feature, you can have a single URL that both internal and external users navigate to. This simplifies the user experience and provides for easier maintenance of your extranet.
An example of these Central Administration settings for an extranet web application is shown here:
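The same per-zone settings can be read back from the SharePoint Management Shell. The script below is an added example, not part of the original article or of ExCM; it assumes a SharePoint 2016 or 2013 server, a farm administrator account, and a claims-based web application, and the function name `Get-ZoneAuthReport` and the URL `https://extranet.example.com` are placeholders.

```powershell
# Added example: list the authentication providers configured on each zone of a
# multi-mode web application and flag password-based logins over plain HTTP.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ZoneAuthReport {
    param([Parameter(Mandatory = $true)][string]$WebApplicationUrl)

    $wa = Get-SPWebApplication -Identity $WebApplicationUrl -ErrorAction Stop
    if (-not $wa.UseClaimsAuthentication) {
        throw "Web application '$WebApplicationUrl' is in classic mode; multi-mode authentication requires claims."
    }

    # IisSettings has one entry per zone the web application is extended to.
    foreach ($zone in $wa.IisSettings.Keys) {
        $zoneUrl = $wa.GetResponseUri($zone)
        foreach ($p in Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone) {
            $kind = $p.GetType().Name
            $sendsPassword = $false
            $detail = switch ($kind) {
                'SPWindowsAuthenticationProvider' {
                    $sendsPassword = $p.UseBasicAuthentication
                    "Integrated=$($p.UseWindowsIntegratedAuthentication); " +
                    "Basic=$($p.UseBasicAuthentication); KerberosDisabled=$($p.DisableKerberos)"
                }
                'SPFormsAuthenticationProvider' {
                    # Forms login (the SQL-backed extranet directory) posts the password.
                    $sendsPassword = $true
                    "Membership=$($p.MembershipProvider); Role=$($p.RoleProvider)"
                }
                'SPTrustedAuthenticationProvider' { "TrustedIssuer=$($p.LoginProviderName)" }
                default { '' }
            }
            $finding = ''
            if ($sendsPassword -and $zoneUrl.Scheme -ne 'https') {
                $finding = 'Passwords cross the network unencrypted; bind this zone to HTTPS'
            }
            [pscustomobject]@{
                Zone = $zone; Url = $zoneUrl.AbsoluteUri; Provider = $kind
                Detail = $detail; Finding = $finding
            }
        }
    }
}

# Placeholder URL: replace with your extranet web application.
Get-ZoneAuthReport -WebApplicationUrl 'https://extranet.example.com' |
    Format-Table -AutoSize -Wrap
```

A zone that lists both a Windows provider and a forms provider is the multi-mode configuration described above; any row with a non-empty `Finding` should be fixed before external users are invited.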

With the type of extranet web application configuration described above, certain parts of the end-user experience will differ for external users vs. internal users. Those differences are described in the sections below:
In an ExCM 2016 or 2013-based extranet site, you add internal users' Active Directory accounts to the site by using the standard SharePoint "Share" feature or the "People and Groups" feature.
For example, in the XYZ Corp extranet site, to add the internal user named Brenda Mason to the site and give her "Edit" permissions you use the Share button and start typing her name, and then the People Picker search feature queries Active Directory to find her account:

After selecting her account in the results list, you click the Share button, and Brenda then has access to the site with "Edit" permissions. If you left the check box under "Show Options" checked, she will receive an automatic email from SharePoint telling her that she now has access to this site.
Behind the scenes, the "Share" feature has added Brenda's Active Directory account to the SharePoint Members group for the site. By default, the Members group is granted Edit permissions to the site:

So, the process of adding an internal user, who uses an Active Directory account, to an extranet site is exactly the same as you would use to add the same user to an intranet-only site.
With an ExCM-based extranet, your external user accounts will be stored and maintained in a SQL Server database (commonly referred to as your Extranet Directory), rather than Active Directory. For a new external user, an account record in the SQL database must be created before you can give the external user permissions to an extranet site - just as a new Active Directory record needs to be created for a new employee who will need to access various SharePoint sites and services on your network.
With ExCM, external user account records can be created in any of three different ways:
1. Through the "Invite Users" and "Registration" features (the preferred approach in most extranet scenarios)
2. Through the administrative "Add Extranet User" feature
3. Through the "Anonymous Registration" feature
Approach #1 is the easiest and most commonly used method for adding a new extranet user account and granting that new user permissions to an extranet site.
You begin by selecting the "Invite Users" menu item from the Site Actions menu:

This will cause the New Invitation dialog to display and you can type the email address of the external user that you would like to invite to register and join the site:

If you have administrative permissions to the site, you can also specify the SharePoint Group or Extranet Role that the invited user(s) should be automatically added to upon successful registration:


When you click Save on the New Invitation dialog, the dialog closes and an invitation email is immediately sent to the external user:

Ben can click on the Register link in the email to access the Registration page and register for an account:

Assuming Ben's registration is successful, he will see a success confirmation page and will receive a confirmation email:


At this point, as a result of Ben's successful registration, three additional things have happened behind the scenes in SharePoint:



Using ExCM, both internal and external users will see a custom, forms-based login page when they first try to access an extranet site. This custom login page looks like this when it is used as it comes out-of-the-box with ExCM:

Internal users can simply click on the link labeled "Sign in using Windows Authentication" to use their Active Directory user name and password to log in to the extranet site:

If the URL to the site has been configured as a Trusted Site in Internet Explorer security settings, the user will automatically be logged into the site using the stored Windows credentials from when they logged into their PC.
If the URL to the site has not been configured as a Trusted Site in IE settings, the user will receive a standard Windows Challenge/Response pop-up login box.
External users log in using the same form as shown above, but use the User Name and Password fields on the form to enter their credentials. The entered credentials are checked against the SQL database to verify that the user name and password combination is valid. User names for external users are always the email address of the external user.
Here is an example of Ben Johnson, an external user, logging in using his appropriate credentials:

©2019 PremierPoint Solutions. All Rights Reserved.