Question

I have a problem with authentication in a multi-tenant environment. I have a couple of separate customers which all have their own SharePoint environment within our hosted environment. In the AD, I created separate OUs for each client. The subscriptions of each tenant are configured to map to those OUs. This works the way you would expect it to: the people picker only shows accounts from that single OU, other accounts are hidden from view.

But I noticed that this doesn't seem to apply for an "all users" claim. When I grant "All users" access to a site, an account from client A suddenly is able to log into a site of client B and vice versa. I think when logging in, SharePoint only checks if the username / password is correct and then issues a claim to the user. Since a user with a valid claim automatically belongs to "all users", it's granted access to the site. There seems to be no check there to see if the user actually belongs to the correct AD unit.

Now I'm wondering if this is a) expected behaviour b) a bug c) a configuration error on our side

A good solution would be to use a group instead of "all users", but that would require that the users being created from the admin site are also added to that group. And that's not something I want to bother the admins with, let alone myself.


Solution

I will go with a) expected behaviour

Claims Provider

Authenticated Users or All Users Claims

In SharePoint Server 2010, there are some specific built-in claims providers that enable implementation support for concepts like authenticated users. This is also known as an All Users claim. This scenario enables you to grant rights to all users from a given authentication provider.

The All Users claim is NT AUTHORITY\Authenticated Users, so you are giving access to all users that can authenticate against the domain.

Who are NT AUTHORITY\Authenticated Users?

The user "NT AUTHORITY\Authenticated Users" represents every domain user account that can successfully log on to the domain.

OTHER TIPS

You are confusing two different things, User Profiles and Authentication. User Profiles, which you set up using multi-tenancy, simply partition the users imported from the different OUs into the subscription created for that OU. This restricts the people picker and people search to those users for that particular tenant.

Authentication is a completely separate process and is handled using IIS or the ASP.NET pipeline, and if a user has been granted access to the site (All Users in this case), they will have access given the rights you provided.
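Both answers come down to the same point: an "All Users" grant is a claim that every authenticated domain account satisfies, and the tenant OU partition never enters into it. The following script is an added example, not code from either answer; it assumes an on-premises SharePoint farm run from the SharePoint Management Shell, a placeholder site collection URL, and that the "All Users" principal appears under one of the two claim encodings listed (All Authenticated Users, or the Windows-provider variant). It walks a tenant's site collection and lists every web where such a grant exists, which is what an admin would want to audit before replacing those grants with a per-tenant AD group.

```powershell
# Added example (not from the original answers). Assumes an on-premises SharePoint
# farm and the SharePoint PowerShell snap-in. It reports role assignments granted to
# the "everyone who can authenticate" claims, which are not scoped by tenant OU.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical tenant site collection URL; replace with a real one.
$siteUrl = "https://tenant-a.example.com/sites/portal"

# Claim-encoded identities that resolve to any authenticated account.
$allUsersClaims = @(
    "c:0(.s|true",                      # All Authenticated Users
    "c:0!.s|windows",                   # All Users (windows) from the Windows provider
    "NT AUTHORITY\Authenticated Users"  # classic-mode spelling of the same principal
)

function Get-AllUsersGrants {
    param([string]$Url)
    $site = Get-SPSite -Identity $Url
    try {
        foreach ($web in $site.AllWebs) {
            # Webs that inherit permissions repeat the parent's grants; skip them.
            if (-not $web.HasUniqueRoleAssignments) { $web.Dispose(); continue }
            foreach ($ra in $web.RoleAssignments) {
                $login = $ra.Member.LoginName
                if ($allUsersClaims -contains $login) {
                    $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                    [PSCustomObject]@{
                        Web       = $web.Url
                        Principal = $login
                        Roles     = $roles
                    }
                }
            }
            $web.Dispose()
        }
    } finally {
        $site.Dispose()
    }
}

# Every row is a grant usable by any domain account, including other tenants' users;
# replace it with a per-tenant AD group to keep tenant A out of tenant B's site.
Get-AllUsersGrants -Url $siteUrl | Format-Table -AutoSize
```

Lists with unique permissions are not walked here; the same check applies to each list's RoleAssignments collection.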

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange