Extend a Web application that uses Windows-claims authentication (SharePoint Server 2010)


Applies to: SharePoint Server 2010

This article describes how to extend a Web application that uses Windows-claims authentication.

Tip

If you want to use Windows-classic authentication instead, see Extend a Web application that uses Windows-classic authentication (SharePoint Server 2010).

Before you perform these procedures, confirm the following:

  • Your system is running Microsoft SharePoint Server 2010.

  • You already have a Web application to extend.

  • You have read Plan authentication methods (SharePoint Server 2010) and know which authentication method to use.

  • You have read about zones, anonymous access, and permissions. For more information, see Logical architecture components (SharePoint Server 2010).

  • If you have User Account Control (UAC) turned on in Windows, and you use Windows PowerShell to extend a Web application, you must right-click the SharePoint 2010 Management Shell and select Run as administrator.

You can extend a Web application that uses Windows-claims authentication by using Central Administration or Windows PowerShell. Use one of the following procedures to extend a Web application. You typically use Central Administration to extend a Web application. If you want to automate the task of extending a Web application, which is common in enterprises, use Windows PowerShell. After the procedure is complete, you will have two separate IIS Web sites that expose the same content to users.

To extend a Web application that uses Windows-claims authentication by using Central Administration

  1. Verify that you have the following administrative credentials:

    • To create a Web application, you must be a member of the Farm Administrators SharePoint group and a member of the local Administrators group on the computer running Central Administration.
  2. On the Central Administration Home page, in the Application Management section, click Manage web applications.

  3. On the ribbon, click Extend.

  4. On the Extend Web Application to Another IIS Web Site page, in the IIS Web Site section, you can configure the settings for your extended Web application by selecting one of the following two options:

    • Click Use an existing web site, and then select the Web site on which to extend your existing Web application.

    • Click Create a new IIS web site, and then type the name of the Web site in the Name box.

  5. In the IIS Web Site section, in the Port box, type the port number you want to use to access the Web application. If you are creating a new Web site, this field is populated with a suggested port number. If you are using an existing Web site, this field is populated with the current port number.

    Note

    The default port number for HTTP access is 80, and the default port number for HTTPS access is 443. If you want users to access the Web application without typing in a port number, they should use the appropriate default port number.

  6. Optional: In the IIS Web Site section, in the Host Header box, type the host name (for example, www.contoso.com) that you want to use to access the Web application.

    Note

    In general, this field is not set unless you want to configure two or more IIS Web sites to use port 80 on the same server and DNS has been configured to point multiple server names to the same server.

  7. In the IIS Web Site section, in the Path box, type the path to the site directory on the server. If you are creating a new Web site, this field is populated with a suggested path. If you are using an existing Web site, this field is populated with the current path of that Web site.

  8. In the Security Configuration section, choose whether to allow anonymous access and whether to use Secure Sockets Layer (SSL).

    1. Under Allow Anonymous, click Yes or No. If you choose to allow anonymous access, this enables anonymous access to the Web site by using the computer-specific anonymous access account (that is, IIS_IUSRS).

      Note

      If you want users to be able to access any site content anonymously, you must enable anonymous access for the entire Web application zone before you enable anonymous access at the SharePoint site level; later, site owners can configure how anonymous access is used within their sites. If you do not enable anonymous access at the Web application level, you cannot enable anonymous access later, at the site level. For more information, see Choose security groups (SharePoint Server 2010).

    2. Under Use Secure Sockets Layer (SSL), click Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing an SSL certificate. For more information about setting up SSL, see How to Setup SSL on IIS 7.0 (https://go.microsoft.com/fwlink/p/?LinkId=187887).

  9. In the Claims Authentication Types section, select the authentication that you want to use for the Web application.

    1. If you want to enable Windows authentication, select Enable Windows Authentication and, in the drop-down menu, select Negotiate (Kerberos) or NTLM. For more information, see Plan for Kerberos authentication (SharePoint Server 2010).

      If you do not want to use Integrated Windows authentication, clear Integrated Windows authentication.

      If you want users' credentials to be sent over a network in a nonencrypted form, select Basic authentication (password is sent in clear text).

      Note

      You can select basic authentication or integrated Windows authentication, or both. If you select both, SharePoint Server 2010 will offer both authentication types to the client Web browser. The client Web browser then determines which type of authentication to use. If you only select basic authentication, ensure that SSL is enabled; otherwise, the credentials can be intercepted by a malicious user.

    2. If you want to enable forms-based authentication, select Enable Forms Based Authentication (FBA), and then enter the membership provider name and the role manager name in the boxes.

      For more information, see Configure forms-based authentication for a claims-based Web application (SharePoint Server 2010).

      Note

      If you select this option, ensure that SSL is enabled; otherwise, the credentials can be intercepted by a malicious user.

    3. If you have set up Trusted Identity Provider authentication in Windows PowerShell, the Trusted Identity provider check box is selected.

      For more information, see Configure authentication using a SAML security token (SharePoint Server 2010).

    You can use one or more claims authentication types. For more information, see Plan authentication methods (SharePoint Server 2010).

  10. In the Sign In Page URL section, choose one of the following options to sign into SharePoint Server 2010.

    • Select Default Sign In Page URL if you want users to be redirected to a default sign-in Web site for claims-based authentication.

    • Select Custom Sign In page URL and then type the sign-in URL if you want users to be redirected to a custom sign-in Web site for claims-based authentication.

  11. In the Public URL section, type the URL for the domain name for all sites that users will access in this Web application. This URL will be used in all links shown on pages within the Web application. The default URL is the current server name and port.

  12. In the Public URL section, select the zone to use for the Web application in the drop-down menu.

    Note

    You can create up to five zones within a Web application.

  13. Click OK to extend the existing Web application.

To extend an existing Web application that uses Windows-claims authentication by using Windows PowerShell

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin. You also need to be local Administrator on the computer that is running Windows PowerShell.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. To change the authentication from Windows-claims authentication to forms-based authentication, at the Windows PowerShell command prompt, type the following command:

    $ap = New-SPAuthenticationProvider -ASPNETRoleProviderName <RoleProviderName> -ASPNETMembershipProvider <MembershipProviderName>

    To extend a Web application to the same port, but with a different host header, at the Windows PowerShell command prompt, type the following command:

    Get-SPWebApplication -Identity http://sitename | New-SPWebApplicationExtension -Name <Name> -HostHeader <HostHeader> -Zone <Zone> -URL <URL> -Port <Port> -AuthenticationProvider $ap

    Where:

    • <RoleProviderName> is the name of the role provider.

    • <MembershipProviderName> is the name of the membership provider.

    • <Identity> is the Web application that you want to extend.

    • <Name> is the name of the new IIS Web site in the Web application.

    • <HostHeader> is the hostname assigned to this zone of the Web application.

    • <Zone> is the zone with which this new extension is to be associated.

    • <URL> is the public URL for this Web application zone.

    • <Port> is the port on which this zone of the Web application can be accessed.

    Example

    $ap = New-SPAuthenticationProvider -ASPNETRoleProviderName roleprovidername -ASPNETMembershipProvider membershipprovidername
    Get-SPWebApplication -Identity http://sitename | New-SPWebApplicationExtension -Name IntranetSite -HostHeader www.contoso.com -Zone Intranet -URL http://intranet.sitename.com -Port 9876 -AuthenticationProvider $ap

For more information, see New-SPWebApplicationExtension.
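The following script is an added example and is not part of the original article or of the product documentation: it carries the two commands above through as one run, checks that the Web application is actually in claims mode, enforces the article's note that a forms-based zone must be published over SSL, and then reads the new zone back to confirm the result. The Web application URL, site name, host header, port, zone and provider names are assumed values.

```powershell
# Added example, not taken from the article: extend an existing Windows-claims
# Web application with a forms-based (FBA) zone and verify the result.
# Run from an elevated SharePoint 2010 Management Shell (see the UAC note above).
# All values below are assumptions; replace them with your own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl  = "http://sitename"                 # existing Web application to extend
$siteName   = "IntranetSite"                    # name of the new IIS Web site
$hostHeader = "intranet.sitename.com"           # host header for the new zone
$zone       = "Intranet"                        # zone for the extension
$publicUrl  = "https://intranet.sitename.com"   # public URL users will see
$port       = 443
$membership = "membershipprovidername"          # ASP.NET membership provider name
$roleProv   = "roleprovidername"                # ASP.NET role provider name

$webApp = Get-SPWebApplication -Identity $webAppUrl
if ($null -eq $webApp) { throw "Web application '$webAppUrl' was not found." }

# This procedure applies only to claims-mode Web applications.
if (-not $webApp.UseClaimsAuthentication) {
    throw "'$webAppUrl' uses Windows-classic authentication; use the classic-mode procedure instead."
}

# The article notes that FBA credentials must be protected by SSL, so do not
# publish the new zone over plain HTTP.
if ($publicUrl -notlike "https://*") {
    throw "Public URL '$publicUrl' is not HTTPS; an FBA zone requires SSL."
}

# Build the FBA provider and extend the Web application into the new zone.
$ap = New-SPAuthenticationProvider -ASPNETMembershipProvider $membership -ASPNETRoleProviderName $roleProv
$webApp | New-SPWebApplicationExtension -Name $siteName -HostHeader $hostHeader -Zone $zone `
    -URL $publicUrl -Port $port -SecureSocketsLayer -AuthenticationProvider $ap

# Re-read the Web application and confirm the zone exists, has SSL turned on,
# and carries the expected claims authentication provider.
$webApp  = Get-SPWebApplication -Identity $webAppUrl
$zoneKey = [Microsoft.SharePoint.Administration.SPUrlZone]$zone
$iis     = $webApp.IisSettings[$zoneKey]
if ($null -eq $iis) { throw "Zone '$zone' was not created." }
if (-not $iis.UseSecureSocketsLayer) { throw "Zone '$zone' was created without SSL." }
"Zone {0}: SSL={1}, anonymous={2}" -f $zone, $iis.UseSecureSocketsLayer, $iis.AllowAnonymous
$iis.ClaimsAuthenticationProviders | Select-Object DisplayName, ClaimProviderName
```

The final two lines print the zone's SSL and anonymous-access settings and the attached providers, which is the same information the Central Administration page shows after step 13.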

Note

After you have extended an existing Web application that uses Windows-claims authentication to a Web application that uses forms-based authentication, you must perform additional configuration. For more information about forms-based authentication, see Configure forms-based authentication for a claims-based Web application (SharePoint Server 2010).

Note

We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.

See Also

Concepts

Create claims-based web applications in SharePoint 2010
Extend a Web application that uses Windows-classic authentication (SharePoint Server 2010)