Prepare to crawl host-named sites that use forms authentication

Applies To: Windows SharePoint Services 3.0


Topic Last Modified: 2008-09-19

In this article:

  • Solution prerequisites

  • High-level solution overview

  • Deploy the solution

When configuring a Web application to use host-named sites, Web hosters typically use forms authentication for the default zone. The index component of the search server, sometimes called the crawler, cannot crawl host-named Web sites that are deployed in the usual way for the following reasons:

  • The crawler cannot authenticate using forms authentication.

  • Host-named sites do not enable the index component of the search server to authenticate by using another zone in the polling order.

For more information about how polling order works with non-host-named sites, see the “Authentication requirements for crawling content” section in Plan authentication methods (Windows SharePoint Services).

This article describes how to create a solution in Windows SharePoint Services 3.0 so the crawler can crawl your host-named sites. The components of the solution are to:

  • Create two zones for your Web application.

  • Direct requests from end-users to the default zone, which is configured for forms authentication.

  • Direct requests from intranet users and the crawler directly to the Intranet zone, which you configure for NTLM authentication.

Solution prerequisites

The procedures included in this solution require the following types of administrators:

  • Domain Name System (DNS) administrator

  • Server administrator

  • Farm administrator

Other requirements include:

  • Two DNS servers: one Internet-facing DNS server and one intranet-facing DNS server.

  • Two static IP addresses: one from the Internet-facing DNS server and a different static IP address from the intranet-facing DNS server. These two IP addresses must be associated with the same site name.

This solution assumes the following:

  • A server administrator will either configure separate network interface cards (NICs) on all front-end Web servers in the server farm with both static IP addresses or will add both static IP addresses to one NIC.

  • The search server that you will use for your Web application is running.

  • You do not have another Web application using port 80.

    Note

    Although it is possible to implement this solution by using a different port (as long as both zones use the same port), port 80 is typically used so end-users don’t see a port number in the URL of their host-named site.

  • You have already implemented forms authentication in your environment. Note that forms authentication can be implemented using several different authentication providers. The authentication provider you use with your implementation of forms authentication determines where user accounts are stored.

High-level solution overview

The following figure shows a high-level overview of this solution.

[Figure: Host-named sites with forms authentication]

This solution requires two DNS servers. Each DNS server maps the same host name to a different static IP address. This is typically referred to as a split DNS environment. The Internet-facing DNS server resolves the URL of the host-named site to the default zone of your Web application. This is the zone end-users use to access the site using forms authentication. The intranet-facing DNS server resolves this same URL to an IP address that is mapped to the Intranet zone of your Web application. This is the zone intranet users and the crawler use to access the site using NTLM authentication.

This mapping is possible because when a new zone is created by extending the Web application, Windows SharePoint Services 3.0 creates an Internet Information Services (IIS) Web site for that zone. A server administrator can use IIS Manager to map a static IP address directly to an IIS Web site, which is associated with a particular zone of a particular Web application.

High-level steps

The following list describes the high-level steps for this solution.

  1. The farm administrator uses the Central Administration Web site to create a Web application on port 80 without a host header assigned to it.

  2. The farm administrator configures the default zone of this Web application to use forms authentication.

  3. The server administrator adds a custom XML element to the appropriate Web.config files to specify the name of the authentication provider used with forms authentication.

  4. The server administrator creates a file named stsadm.exe.config to enable the Stsadm command-line utility to determine how to find the authentication provider you want to use with forms authentication.

  5. The farm administrator extends the Web application, specifies the host header name, and then specifies NTLM authentication on the Intranet zone.

  6. The DNS administrator maps the site name to the static IP addresses in DNS.

  7. The server administrator uses IIS Manager to do the following:

    • Map the static IP address from the Internet-facing DNS server to the IIS Web site associated with the default zone (that is, the zone using forms authentication) of your Web application.

    • Map the static IP address from the intranet-facing DNS server to the IIS Web site associated with the Intranet zone (that is, the zone using NTLM authentication) of your Web application, and remove the IIS host header that was assigned to this site in step 5.

  8. The server administrator creates a host header-based site collection by using the Stsadm command-line utility.

    Note

    You must use the Stsadm command-line utility to specify the URL you want for your host header-based site collection.

  9. The farm administrator can grant permissions to the Web application and the site collection administrator can grant permissions to the site collection.

Deploy the solution

Use the following procedures in the order listed to deploy the solution described earlier in this article.

Create a Web application

  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

  2. On the top link bar of the Central Administration home page, click Application Management.

  3. On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.

  4. On the Create or Extend Web Application page, in the Adding a SharePoint Web Application section, click Create a new Web application.

  5. On the Create New Web Application page, in the IIS Web Site section, configure the following settings for your new Web application.

    1. Accept the default setting, Create a new IIS web site, and then type a name for the Web site in the Description box.

    2. In the Port box, type 80.

    3. Ensure that the Host Header box is blank.

  6. In the Application Pool section, select Use existing application pool, or accept the default setting, Create new application pool. If you are creating a new application pool, specify the security account to use for the new application pool.

  7. In the Search Server section, select the search server that you want to use to index this Web application from the Select Windows SharePoint Services search server list.

  8. Click OK.

Perform the following procedure on all front-end Web servers in the server farm.

Restart IIS

  1. Click Start and then click Run.

  2. In the Run dialog box, in the Open box, type cmd, and then click OK.

  3. In the command window, type the following command, and then press ENTER:

    iisreset /noforce

  4. Close the command prompt window.

Perform the following procedure to configure the Web application to use forms authentication.

Configure the default zone to use forms authentication

  1. On the Central Administration home page, click Application Management.

  2. On the Application Management page, in the Application Security section, click Authentication providers.

  3. On the Authentication Providers page, in the Zone column, click Default.

  4. On the Edit Authentication page, in the Authentication Type section, select Forms.

  5. In the Membership Provider Name section, in the Membership provider name box, type the name of your membership provider.

  6. Optionally, in the Role Manager Name section, in the Role manager name box, type the name of your role manager.

  7. Click Save.

Add configuration settings to the applicable Web.config files

The server administrator must add an XML element to the Web.config file for the default zone of the Web application created earlier in this article and to the Web.config file for the Central Administration site. This XML element must specify the name of the authentication provider and optionally other information about the authentication provider your organization uses with forms authentication.

Note that the contents of this XML element (and even the name of the element itself) will differ from one organization to another. For more information about constructing this required XML element, see Authentication samples (Windows SharePoint Services).

After you have constructed the required XML element, you must add it to the appropriate Web.config files on the appropriate servers in your server farm. On each server in the farm running the Windows SharePoint Services Web Application service, add the required XML element to the Web.config file of the IIS Web site associated with the default zone for your Web application. On each server in your server farm running the Central Administration service, add the required XML element to the Web.config file of the Central Administration site.

Note

Farm administrators can use the Services on Server page in Central Administration to determine which servers are running these services.

Add the custom XML element to servers running the Windows SharePoint Services Web Application service

  1. Log on to a server in your server farm that is running the Windows SharePoint Services Web Application service.

  2. Click Start, and then click Run. In the Run dialog box, type inetmgr, and then click OK.

  3. In IIS Manager, in the console tree, expand the local computer node, and then expand Web Sites.

  4. Right-click the Web site associated with the default zone of the Web application you created earlier, and then click Explore.

  5. In the Name column, right-click web.config, select Open, and then open the file using an ASCII text editor, such as Notepad.

  6. Insert your custom XML element named <connectionStrings> immediately after the </configSections> element.

  7. If you are inserting the optional <membership> or <roleManager> elements, you must insert them inside the <system.web> element.

  8. Save and close the Web.config file.

  9. Repeat steps 1 through 7 on any additional server in your farm running the Windows SharePoint Services Web Application service.

You must be a member of the Administrators group to perform the following procedure.

Add the custom XML element to servers running the Central Administration service

  1. Log on to a server in your server farm that is running the Central Administration service.

  2. Click Start, and then click Run. In the Run dialog box, type inetmgr, and then click OK.

  3. In IIS Manager, in the console tree, expand the local computer node, and then expand Web Sites.

  4. Right-click the Central administration Web site, and then click Explore. This site is named SharePoint Central Administration v3, by default.

  5. In the Name column, right-click web.config, click Open, and then open the file using an ASCII text editor, such as Notepad.

  6. Insert your custom XML element named <connectionStrings> immediately after the </configSections> element.

  7. If you are using custom <membership> or <roleManager> elements, you must insert them inside the <system.web> element.

  8. Save and close the Web.config file.

  9. Repeat steps 1 through 7 on any additional server in your farm running the Central Administration service.

Use the following procedure to create a file named stsadm.exe.config. This file must contain the same XML element that you added to the Web.config files. This file enables the Stsadm command-line utility to determine how to find the authentication provider you want to use.

Create the stsadm.exe.config file

  1. Open an ASCII text editor, such as Notepad, and add the following text:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <configuration>
      <system.web>
      </system.web>
    </configuration>

  2. Insert the same custom XML element named <connectionStrings> that you added to your Web.config files in the preceding step after the <configuration> tag.

  3. If you are using custom <membership> or <roleManager> elements, you must insert them inside the <system.web> element.

  4. Save the file and name it stsadm.exe.config.

  5. You must ensure that the text editor you are using does not add the .txt extension to the filename. If this occurs, remove the .txt extension before proceeding to the next step.

  6. Copy the stsadm.exe.config file to the following folder on each server in the farm from which a farm administrator might use the stsadm.exe utility:

    systemdrive:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN

    We recommend that you copy this file to each server in the server farm.
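The following is an added, complete example of the stsadm.exe.config file that the procedure above describes; it is not a file from the original article, and the same <connectionStrings>, <membership> and <roleManager> elements are what you would add to the two Web.config files in the preceding procedures. It assumes the standard ASP.NET SqlMembershipProvider and SqlRoleProvider (user accounts in a database created with aspnet_regsql); the connection-string name FbaMembershipDb, the provider names FbaSqlMembers and FbaSqlRoles, and the SQL Server and database names are placeholders you replace with your own.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
  <!-- Placed immediately after the <configuration> tag, as the procedure requires.
       FbaMembershipDb, SQLSERVER_PLACEHOLDER and aspnetdb are placeholders for this
       example. Integrated Security is used so that no SQL password is stored in
       this file; the file still names your account database, so restrict its NTFS
       permissions to administrators. -->
  <connectionStrings>
    <add name="FbaMembershipDb"
         connectionString="Data Source=SQLSERVER_PLACEHOLDER;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- The provider name (FbaSqlMembers here) must be exactly the name you typed
         in the Membership provider name box in Central Administration, and it is
         the ProviderName part of the -ownerlogin value passed to stsadm. -->
    <membership>
      <providers>
        <add name="FbaSqlMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Optional role provider; its name (FbaSqlRoles here) is what you typed in
         the Role manager name box. Omit this element if you did not use one. -->
    <roleManager enabled="true">
      <providers>
        <add name="FbaSqlRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

Two settings in this example are deliberate: passwordFormat="Hashed" with enablePasswordRetrieval="false" keeps the stored credentials non-recoverable, and applicationName="/" makes the Web application, Central Administration and stsadm.exe all look up the same set of users, which is what allows the -ownerlogin account to resolve from the command line. If stsadm reports that the owner cannot be found, the first things to check are that the provider name matches in all three places and that the file is named exactly stsadm.exe.config in the BIN folder.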

Extend the Web application

Use the following procedure to extend the Web application to create a new zone that uses NTLM authentication.

Extend the Web application

  1. On the Central Administration home page, click Application Management.

  2. On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.

  3. On the Create or Extend Web Application page, in the Adding a SharePoint Web Application section, click Extend an existing Web application.

  4. On the Extend Web Application to Another IIS Web Site page, in the Web Application section, on the Web Application menu, click Change Web Application.

  5. On the Select Web Application page, select the Web application you want to extend from the list.

  6. In the IIS Web Site section, do the following:

    1. In the Description box, type a description for the new site.

    2. In the Port box, type 80.

    3. In the Host Header box, type a host header name.

  7. In the Security Configuration section, ensure that NTLM is selected.

  8. In the Load Balanced URL section, select the zone you want to use (in this example, Intranet).

    Note

    The intranet-facing DNS server must be able to resolve this load-balanced URL to the static IP address that you assign to the Web site that you configure to use NTLM authentication.

  9. Click OK.

Perform the following procedure on all front-end Web servers in the server farm.

Restart IIS

  1. Click Start, and then click Run.

  2. In the Run dialog box, in the Open box, type cmd, and then click OK.

  3. At the command prompt, type the following and then press ENTER.

    iisreset /noforce

  4. Close the command prompt window.

Map site names to static IP addresses in DNS

Host-named sites enable farm administrators to choose the name they want to use in the URL for their sites. Note that the name (that is, the URL) must be a unique name on the domain. The administrator for the Internet-facing DNS must map the site name chosen by the farm administrator to the appropriate static IP address. In a later step, the server administrator maps this static IP address to the IIS Web site that is configured to use the default zone used by the Web application.

Likewise, the administrator for the intranet-facing DNS must map this same site name to a different static IP address. In a later step, the server administrator will map this static IP address to the IIS Web site that is configured to use the Intranet zone used by the Web application. Additionally, this DNS administrator must also map the host header name that the farm administrator used when extending the Web application to this static IP address. Even though this host name is removed in a later procedure, this host name is used by the crawler to access the Web application on the Intranet zone.

The following procedure must be done by a server administrator on each front-end Web server in the server farm.

Map the static IP addresses to the Web sites

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, expand the local computer node, expand Web Sites, right-click the Web site you configured for forms authentication and then click Properties.

  3. In the Properties dialog box, on the Web Site tab, in the Web site identification section, select the IP address that you want to map to the customer-facing Web site from the IP address list.

  4. Click OK to close the Properties dialog box.

  5. In the console tree, right-click the Web site you configured for NTLM authentication and then click Properties.

  6. In the Properties dialog box, on the Web Site tab, in the Web site identification section, click Advanced.

  7. In the Advanced Web Site Identification dialog box, in the Multiple identities for this Web site section, select the row containing the host header name you configured for the Web site that is using NTLM authentication and then click Edit.

  8. In the Add/Edit Web Site Identification dialog box, select the IP address you want to map to the Web site that is using NTLM authentication from the IP address list.

  9. In the Host Header value box, make a note of the host header name. This is the host header name you assigned to the site that you configured for NTLM authentication. You will need to use this name in the next procedure.

  10. In the Host Header value box, delete the host header name and then click OK.

  11. Click OK to close the Advanced Web Site Identification dialog box.

  12. Click OK to close the Properties dialog box.

  13. Close IIS Manager.

Use the following procedure to create a site collection for your Web application. You must be a server administrator to perform the following steps.

Create a site collection for the Web application

  1. Click Start and then click Run.

  2. In the Run dialog box, in the Open box, type cmd, and then click OK.

  3. Browse to the following folder:

    systemdrive:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN

    where systemdrive is the drive on which Windows SharePoint Services 3.0 is installed.

  4. In the command window, type the following command, and then press ENTER:

    stsadm.exe -o createsite -url http://<HostNamedSiteAddress> -ownerlogin <ProviderName:UserName> -owneremail <username@example.com> -hostheaderwebapplicationurl http://<WebApplicationUrl>

The following table describes the variables used in step 4 of the previous procedure.

Variable
    Description

HostNamedSiteAddress
    URL chosen by the farm administrator for users to access the top-level site of the site collection. The DNS administrator maps this name to the IP address used to access the Default zone of your Web application.

ProviderName:UserName
    Primary owner of the host header based site collection.

username@example.com
    E-mail address of the site collection owner.

WebApplicationUrl
    URL on the default zone of the Web application. You can find this address on the Web Application List page in Central Administration.

Grant user permissions

Before users can access the sites on the Web application you have created, you must grant those users the appropriate permissions to your sites. If you want to manage security at the Web application level, a farm administrator can create a policy to grant permissions to the Web application. Alternatively, if you want to manage permissions at the site collection level and at lower levels, site collection administrators can add users to the appropriate SharePoint groups.

For information about using a policy to grant users permissions, see "Manage permissions through policy" in the Help system. For more information about managing permissions at the site collection and lower levels, see Plan site and content security (Windows SharePoint Services).
