Plan for security when deploying an EPM/Office SharePoint Server 2007 extranet environment
Updated: February 25, 2010
This article describes how to plan for security in an Enterprise Project Management (EPM)/ Microsoft Office SharePoint Server 2007 extranet environment. For an overview of this chapter about how to plan for EPM extranets, see Plan an EPM/Office SharePoint Server 2007 extranet environment.
The Microsoft Office SharePoint Server 2007 environment is designed as an intranet environment to support internal user access plus partners and remote employees who may access the environment through an extranet configuration. Microsoft Office SharePoint Server 2007 will use an existing Active Directory for both the authentication of users and the authorization of content. Forms-based authentication (FBA) will be used to authenticate non-employees such as partners. Both methods are described in more detail here.
Authentication involves validating a user's identity. After a user's identity is validated, the authorization process determines which sites, content, and other features the user can access.
Microsoft Office SharePoint Server 2007 provides a flexible and extensible authentication system that supports identity management systems both based on and not based on the Microsoft Windows operating system. By integrating with ASP.NET pluggable authentication, Office SharePoint Server 2007, and in turn Office Project Server 2007, supports various forms-based authentication schemes.
In the Microsoft Office SharePoint Server 2007 and EPM Coexistence model, Kerberos authentication is better than NTLM due to its performance and security. Kerberos authentication offers the benefits of constrained delegation, mutual authentication of the communicating parties, and protection of the application message in transit by using data encryption. The Kerberos protocol is based on ticketing. In this scheme, a user must first provide a valid user name and password to an authentication server. Then, the authentication server grants the user a ticket. The ticket can be used on the network to request other network resources. To use this scheme, both the client and server must have a trusted connection to the domain Key Distribution Center (KDC). Additionally, both the client and server must be compatible with the Active Directory service. The following diagram describes how a user is authenticated to a service by using Kerberos authentication.
For configuring Microsoft Office SharePoint Server 2007 to use Kerberos authentication, the following configuration is needed:
SharePoint Web Applications must be configured to use Negotiate (Kerberos) authentication as their Authentication Provider in their security configuration.
Service Principal Names (SPNs) are needed for the Microsoft Office SharePoint Server 2007 service (application pool) domain accounts for the Web application URLs, port numbers and protocols.
All instances of Office SharePoint Server and service accounts must be configured as “trusted for delegation”.
The Microsoft Support Knowledge Base (KB) article 832769 describes how to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication.
For the complete benefit of Kerberos authentication, end-to-end in the Microsoft Office SharePoint Server 2007 deployment, we also recommend configuring SQL Server services to use Kerberos authentication as described in KB article 319723.
SPNs are created in the following form:
setspn -A service/hostname:port domain\account
For SharePoint Web applications:
service = HTTP or HTTPS because SharePoint is a Web application and serves requests over HTTP, or over HTTPS if SSL is enabled.
hostname = the friendly name of the SharePoint Web application as configured in DNS
port = IIS port number of the SharePoint Web application if not on port 80
domain\account = domain account which runs the SharePoint Web application.
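As an added example (not part of this article), the following Python helper builds SPN strings from SharePoint Web application URLs in the form described above, emits the matching setspn commands, and flags any SPN that would end up registered to two different accounts (a duplicate SPN causes Kerberos authentication to the Web application to fail). The account names and URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample input: each application pool account and the
# Web application URLs it serves. One URL is deliberately repeated
# under a second account to show the duplicate check.
WEB_APPS = {
    r"CONTOSO\spAppPool": [
        "http://portal.contoso.com",
        "https://extranet.contoso.com",
        "http://intranet.contoso.com:8080",
    ],
    r"CONTOSO\pwaAppPool": [
        "http://pwa.contoso.com",
        "http://portal.contoso.com",
    ],
}


def spn_for_url(url):
    """Return service/hostname[:port] for a Web application URL.
    The port is appended only when the URL names a port other than 80,
    following the rule given for SharePoint Web applications."""
    parts = urlsplit(url)
    service = "HTTPS" if parts.scheme == "https" else "HTTP"
    spn = f"{service}/{parts.hostname}"
    if parts.port is not None and parts.port != 80:
        spn += f":{parts.port}"
    return spn


def setspn_commands(web_apps):
    """One 'setspn -A <SPN> <domain\\account>' line per Web application."""
    return [f"setspn -A {spn_for_url(url)} {account}"
            for account, urls in web_apps.items() for url in urls]


def duplicate_spns(web_apps):
    """Map each SPN that would be registered to more than one account
    to the set of accounts claiming it; an empty dict means no conflicts."""
    owners = {}
    for account, urls in web_apps.items():
        for url in urls:
            owners.setdefault(spn_for_url(url), set()).add(account)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}


if __name__ == "__main__":
    for line in setspn_commands(WEB_APPS):
        print(line)
    for spn, accts in duplicate_spns(WEB_APPS).items():
        print(f"CONFLICT: {spn} claimed by {sorted(accts)}")
```

Resolve every reported conflict before running the generated commands; setspn -A does not check for duplicates across accounts.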