Question

I'm planning a SharePoint2010 application where most of our users are on an intranet and authenticated through Active Directory, but where ~20% of the users are external to the organization. We are planning to let the external users connect through the internet. These users are only loosely affiliated with the organization, and I need some way for site owners (which may not have AD administrator privileges or even knowledge of what AD is!) to easily be able to create and delete accounts for these external users to be able to contribute or edit content.

So the question is, is there some sort of SharePoint web interface for (1) managing Active Directory users or (2) managing users through some external authentication provider? I'm also a bit green on setting up different authentication providers. Have any of you done this before, or is there maybe something obvious that I'm overlooking?

@Edit: Thanks for all your responses, my conclusion for this scenario is to use either a Bamboo solutions web part or write some custom code to work against the existing Active Directory. The problem with using a separate authentication provider is it's a lot of extra work; it seems that this functionality was intended to enable integration with authentication infrastructure that's already in place rather than to build something from scratch. As webdes03 said, setting up a separate AD is a quick and elegant option if there are a lot of external users.


Solution

I've planned something similar, which we are testing now. We have SP deployed in its own network space with a dedicated AD deployment with a one-way trust back to the production AD. External users are added to the SharePoint AD while internal users are authenticated via the production AD.

With this setup you only need one authentication provider, you can use native or claims with NTLM or Kerberos.

In addition you can then surface management interfaces into SharePoint for working with the external user accounts.

Bamboo has a collection of features that can assist with your administration needs as well. http://store.bamboosolutions.com/sharepoint-user-registration-solution-accelerator.aspx

OTHER TIPS

All of the responses previous to mine are good, but another (so far unmentioned) option is to utilize a separate AD for your external environment. I previously worked on a large-scale global environment that was configured this way. Granted, it was more than just SharePoint; our external AD was used for all non-badged users including contractors, vendors, customers, etc. and was used by multiple platforms and LOB systems in addition to SharePoint.

It may be overkill for what you're doing (there aren't any user numbers in your post), but it is another option. You'd need a trust in place between the external domain and the internal domain, but once it's all configured you'd have the option of authenticating with credentials from either AD environment.

You can mix authentication providers within a single SharePoint Web application. You could use Windows authentication for your intranet users and claims-based or forms-based authentication for your external users.

Here's a resource that describes claims-based authentication for SharePoint 2010: http://msdn.microsoft.com/en-us/SP2010DevTrainingCourse_IntroductiontoClaimsbasedSecurity

As Rob said, you can have dual authentication providers. You can enable Windows authentication for your internal AD users, and you can also set up forms authentication for external users, if you didn't want to mix external users in your AD.

You can set up a database with the basic aspnet_membership tables, and that will be your forms authentication provider. You should be able to do a Google search to find a community tool, or perhaps implement Visual Studio's built-in tool for managing aspnet_membership tables/users, etc.

Edit: cerebraldisorder linked you to the type of tool I described above.
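The dual-provider setup described in the two answers above (Windows authentication for internal AD users plus forms-based authentication for external users on one SharePoint 2010 claims web application), as an added example that is not part of the original thread. The web application name, URL, service account, provider names and database names are assumptions.

```powershell
# Added example (not from the original thread): one SharePoint 2010 claims web
# application that accepts both Windows (internal AD) and forms-based (external) logins.
# Names, URL, service account and database values are assumptions for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Windows authentication for intranet users (add -DisableKerberos to force NTLM).
$windowsAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# 2. Forms-based authentication for external users, backed by ASP.NET membership and
#    role providers. These names must match the providers registered in web.config.
$formsAuth = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider "ExternalMembership" `
    -ASPNETRoleProviderName  "ExternalRoles"

# 3. One web application, one zone, both providers. SSL is not optional here: the forms
#    login posts credentials in the clear and the resulting claims cookie must not be
#    exposed on the wire.
$appPoolAccount = Get-SPManagedAccount "CONTOSO\sp_extranet"   # assumed managed account
New-SPWebApplication -Name "Extranet" `
    -Url "https://extranet.contoso.com" -Port 443 -SecureSocketsLayer `
    -ApplicationPool "ExtranetAppPool" -ApplicationPoolAccount $appPoolAccount `
    -AuthenticationProvider $windowsAuth, $formsAuth

# 4. The provider definitions still have to be added by hand to the web.config of the
#    new web application, of Central Administration, and of the SecurityTokenService
#    application (in the web application's own web.config the <membership> element
#    keeps defaultProvider="i", SharePoint's claims provider, so do not overwrite it).
#    Fragment to register, with the settings a defender wants set explicitly:
$providerFragment = @"
<connectionStrings>
  <add name="ExternalUsersDb"
       connectionString="Server=SQL01;Database=ExternalUsers;Integrated Security=SSPI" />
</connectionStrings>
<membership>
  <providers>
    <add name="ExternalMembership"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ExternalUsersDb" applicationName="/"
         passwordFormat="Hashed" minRequiredPasswordLength="12"
         maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" />
  </providers>
</membership>
<roleManager>
  <providers>
    <add name="ExternalRoles"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ExternalUsersDb" applicationName="/" />
  </providers>
</roleManager>
"@
Write-Output $providerFragment
```

The aspnet_membership schema itself is created with aspnet_regsql.exe against the ExternalUsers database before the first external login; the passwordFormat="Hashed" and lockout settings are what keep the store usable if its contents are ever exposed.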

If you decide to leverage forms-based authentication via the new claims mechanism, you could then manage these forms-based logins with this 'Forms Based Authentication (FBA) User Management Tool' from CodePlex:

http://fbamanagementtool.codeplex.com/

If you need to provide the external users the ability to reset/change their passwords, and other functionality, you may need to roll your own extensions to SP 2010 using ASP.NET web forms that interface with the same Forms database/tables as the claims/forms provider.

Licensed under: CC-BY-SA with attribution