Plan for users, zones, and authentication in an EPM/Office SharePoint Server 2007 extranet environment

Project 2007

Updated: February 25, 2010

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2016-11-14

This article describes a model about how to plan for users, zones and authentication in an Enterprise Project Management (EPM)/ Microsoft Office SharePoint Server 2007 extranet environment. For an overview of this chapter about how to plan for EPM extranets, see Plan an EPM/Office SharePoint Server 2007 extranet environment.

The model shows four classes of users, each assigned to a different zone. Within each Web application, you can create up to five zones using one of the available zone names: Default, Intranet, Custom, or Extranet. A farm that hosts more than one Web application can support user requests from more than five network zones (up to five zones per Web application). However, the model shows only five zones.

The model shows users from different network zones or, for administrators, users who have greatly different permissions requirements. The model demonstrates how authentication is applied across the users. The following table lists how users are authenticated for each zone.

Table 1. Users and authentication for each zone

Zone Users Authentication



Kerberos (Integrated Windows)


Internal employees

NTLM (Integrated Windows)


Remote employees

NTLM (Integrated Windows) or forms-based authentication with Lightweight Directory Access Protocol (LDAP).


Partner employees

Forms authentication

In the model, not all users are given access to all areas of the farm.

The Custom zone is used for secure administrative access to sites. This approach provides the opportunity to do the following:

  • Implement an independent set of URLs and policies. For example, administrators can use URLs associated with the Custom zone to perform administrative tasks according to the policies of the zone. Administrators can use the intranet URLs for all other tasks according to the policies that are configured for the applications that compose the intranet. This approach separates the two contexts and ensures that policy permissions do not conflict.

  • Implement a more secure method of authentication for administrators. This provides better security for the overall solution.

  • Authenticate against a different provider in scenarios where support for sites is provided by an external vendor.

The model assumes that administrators are employees of Fabrikam and have internal access to the network. The model incorporates Integrated Windows authentication for administrators (that is, either Kerberos authentication or NTLM).

The Intranet zone is used for internal employee access. Integrated Windows authentication is used.

The Default zone is used for remote employee access. The design goals in the model are as follows:

  • Authenticate against the internal Active Directory service environment.

  • Simplify permissions management by using Windows authentication for both internal employees and remote employees. This goal is important because if users connect to sites through two authentication providers, Office SharePoint Server 2007 creates two accounts for each user, and each account must have permissions.

The model presents two options for authenticating remote employees. The first option (Integrated Windows authentication using NTLM) achieves both design goals. The second option (forms-based authentication) satisfies the first goal but not the second. Consequently, the first option is the preferred method.

The following table summarizes the differences between these two approaches.

Table 2. Two options for authenticating remote employees

This authentication method Integrated Windows authentication using NTLM Forms authentication using an LDAP provider

How it works

This method relies on ISA Server to authenticate users and then to send the user credentials to Office SharePoint Server 2007. ISA Server uses forms-based authentication to authenticate users against the Active Directory environment. ISA then forwards the Windows credentials to Office SharePoint Server 2007. For more information, see Authentication in ISA Server 2006 (

Because the zone is the Default zone, NTLM authentication is used to satisfy a requirement of the index component. For more information, see "Configuration requirements of the Default zone" later in this article.

Office SharePoint Server 2007 uses forms-based authentication with an LDAP provider to authenticate remote employees against the internal Active Directory environment.

If this method is chosen, ensure that the index component can authenticate through another zone. For more information, see "Configuration requirements of the Default zone" later in this article.


Office SharePoint Server 2007 does not create different accounts for users who work both internally and remotely. This greatly simplifies permissions management.

Does not require a proxy server to authenticate users and forward credentials.


Requires additional coordination with and configuration of ISA Server 2006 or another proxy server product.

If users connect to Office SharePoint Server 2007 both internally and remotely, two user accounts are created in Office SharePoint Server 2007. Consequently, both accounts require permissions to sites and documents. Employees can potentially create two My Sites. Employees have to manage permissions for their own sites and documents for both user accounts if they plan to work from both the internal network and remotely.

Partner employees access the network through the Extranet zone and are authenticated by using forms-based authentication. This requires a separate directory and provider, such as a SQL Server database and provider, to store partner accounts in the extranet. The advantages of this approach are that you can manage partner accounts separately, and you do not have to add partner accounts to the internal employee directory.

Or, you can use Web single sign-on (SSO) to authenticate against a partner's own directory. However, this approach requires a separate zone for each partner directory.

Because the model assumes that Fabrikam is working with partners from several different companies within the same partner application, forms-based authentication is used. The directory and provider are not specified.

The Internet zone is used for customer access. This zone is configured to enable anonymous access with read-only permissions.

When you design zones, several key decisions are important to the success of the deployment. These decisions include design and configuration decisions for the following zones:

  • The Default zone.

  • Zones for external access.

The following sections describe the decisions that are incorporate into the model.

The zone that involves the greatest consideration is the Default zone. Office SharePoint Server 2007 puts the following requirements on how the Default zone is configured:

  • When a user request cannot be associated with a zone, the authentication and policies of the Default zone are applied. Consequently, the Default zone must be the most secure zone.

  • The index component requires access to content through at least one zone to crawl content. By default, the index component uses NTLM authentication. The SSP administrator can configure crawl rules to use either Basic authentication or a client certificate when crawling a particular range of URLs. Consequently, in order to crawl content, at least one of the zones must be configured to use NTLM authentication, Basic authentication, or certificates. Also, the crawler will poll zones in the following order until it encounters a zone that it can authenticate through: default zone, intranet zone, Internet zone, custom zone, extranet zone. However, if the crawler first encounters a zone that is configured to use Kerberos authentication, the crawler will not authenticate and will not attempt to access the next zone. Therefore, ensure that the configuration of zones using Kerberos authentication does not prevent the index component from crawling content. For more information about authentication requirements related to crawling content, see Plan authentication methods [Office SharePoint Server].

  • Administrative e-mail is sent with links from the Default zone. These include e-mail to owners of sites that are approaching quota limits. Consequently, users who receive these kinds of e-mails and alerts must be able to access links through the Default zone. This is especially important for site owners.

  • Host-named site collections are available only through the Default zone. All users who are intended to access host-named site collections must have access through the Default zone.

In the model, the Default zone is used for remote employee access for the following reasons:

  • Employees can access links in administrative e-mail regardless of where they are located.

  • Internal server names and URLs are protected from being exposed when the zone associated with a user request cannot be determined. Because the Default zone is already configured for remote employees, URLs do not expose sensitive data when this zone is applied.

In an extranet environment, the design of zones is very important for the following two reasons:

  • User requests can be initiated from several different networks. In the model, users begin requests from the internal network, the extranet, and partner companies.

  • Users consume content across multiple Web applications. In the model, the intranet is composed of three Web applications. Additionally, internal and remote employees can potentially contribute to and administer content across all of the Web applications: intranet, Partner Web.

In an extranet environment, ensure that the following design principles are followed:

  • Configure zones across multiple Web applications to mirror one another. The configuration of authentication and the intended users should be the same. However, the policies associated with zones can differ across Web applications. For example, ensure that the intranet zone is used for the same employees across all Web applications. In other words, do not configure the Intranet zone for internal employees in one Web application and remote employees in another.

  • Configure alternate access mappings appropriately and accurately for each zone and each resource.

In the model, the Default zone for each Web application is configured identically for remote employee access. Additionally, the Intranet zone is configured identically across all Web applications for internal employee access. The Extranet zone is configured for only one Web application.

Alternate access mappings are automatically created when you create the zone. However, Office SharePoint Server 2007 can be configured to crawl content in external resources, such as a file share. Links to these external resources must be created manually for each zone by using alternate access mappings. For example, a file share can be exposed to internal users by using an internal URL (file://). The same file share can be exposed as an FTP link to external users (ftp://). This ensures that these resources are available to users according to the context of their zone. When users receive links to these resources in search results, the links can be accessed.

If zones across Web applications do not mirror one another and links to external resources are not appropriate, the risks include the following:

  • Server names, Domain Name System (DNS) names, and IP addresses can potentially be exposed outside the internal network.

  • Users might be unable to access Web sites and other resources.