Andrew Connell [MVP MOSS]

Office SharePoint Server (MOSS) 2007 has an added capability to host content-centric Internet-facing sites. These sites, called Publishing Sites, are part of the Web Content Management (WCM) piece of the Enterprise Content Management (ECM) strategy within MOSS 2007. Businesses can now use SharePoint not only for collaboration, but also to host their corporate Internet-facing content-centric Web sites.

One of the common, if not the most common, implementations of an Internet-facing content-centric Web site is to have the content owners & authors (typically corporate employees who log in to the corporate Active Directory) use their corporate credentials to authenticate against the site using Windows Authentication. The Web site also needs to be available to anonymous users who browse the site from the Internet without a login. However, at times companies would like a way to require some users to authenticate in order to reach restricted areas of the site. Because these Internet users won't have accounts in the corporate Active Directory, presenting them with the typical login dialog pop-up box is not ideal or preferred... instead companies prefer to use Forms Authentication, where users can log in using an easy-to-remember username & password.

Thankfully Windows SharePoint Services (WSS) v3, which MOSS 2007 is built on top of, fully supports this type of authentication mechanism. It involves creating two entry paths into the site, called Alternate Access Mappings (AAM), which utilize the ASP.NET 2.0 pluggable authentication provider model to support various authentication mechanisms.

I've written an article (link below) that describes how you can create and configure a MOSS 2007 Publishing Site that will satisfy the following requirements:

  • Allow content owners/authors to authenticate on the site using their corporate Active Directory credentials in order to manage the Web site's content.
  • Allow unauthenticated, anonymous users to browse the unrestricted areas of the Web site.
  • Require anonymous users to log in through a friendly Web-based form in order to consume restricted content.

While the article explains how to do it for a MOSS 2007 Publishing Site, this technique will work for any site based on WSS v3. It walks you through the steps of:

  • Setting up and configuring a data store to keep the Internet user's credentials
  • Creating two Web applications, one for each authentication mechanism
  • Configuring the Web applications to communicate with the data store
  • Enabling Forms Authentication on one Web application
  • Enabling anonymous access
  • Configuring a section of the site for authenticated users only

» HOWTO: Configuring a Office SharePoint Server 2007 Publishing Site with Dual Authentication Providers and Anonymous Access

posted on Saturday, October 21, 2006 1:47 PM

Feedback

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 10/23/2006 3:56 AM Emmanuel Desigaud
Good article as usual! Might be very useful in the next month for the migration :)

Thanks Andrew !

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 10/31/2006 6:01 PM Craig Porter
Hi Andrew,
Fantastic document, very clearly set out and easy to follow. Any chance of an update to deal with SQL remotely located ?!?




# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 11/1/2006 12:16 AM AC [MVP MCMS]
Craig - I don't see how anything would be different by changing the location of the SQL Server. I simply used a SQL install on the same server as that's a simplistic development environment. As long as your SharePoint installation can connect to your remote SQL, it should work.

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 11/9/2006 7:11 AM Alex V. Burov
Thanks a lot.

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 11/10/2006 10:10 AM Alex V. Burov
Thanks a lot, Andrew.

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 12/28/2006 4:41 PM William Rust
Andrew, Great article. We are actually using this configuration and it is working great. The only thing we are still having problems with is the "mysite" link. It is still available and working on the Windows authentication site but the link is not even available on the Forms authentication site. Is there any way to get the SSP running the mysite to work with both authentication providers...?

Thanks in advance.

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 12/29/2006 12:38 AM AC [MVP MCMS]
William - Many people are asking this question... including me. I haven't heard of a single instance where someone has been able to get MySites to work with something other than Windows Auth & AD. However, I (along with many others) am trying to track down ~if~ MySites will work with any auth provider and if not, ~why~... what's the critical thing AD provides?

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 12/29/2006 9:32 AM William Rust
Thanks Andrew. I may try to open a ticket with Microsoft to see if they have anything that will help.

Thanks again...

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 2/18/2007 11:14 PM Gilles Urena
Andrew,

Great post. It saved me a few headaches.

Here is something that was a little bit overlooked and took me a while to figure out:
It is especially important in a Web farm environment as domain service accounts are likely to be used for application pools (instead of local network service account).

After the local SQL ASPNet database is created (e.g. the database that will store all user accounts), the application pool identity account used for the "Internet" web application should be added as a "dbo" user (make sure a SQL login is created!). This will ensure the "Sign In" page can actually connect to the AspNet database.

Users can always check the Application log to check for any errors.

Thanks again for a great post!


# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 2/19/2007 4:15 PM Rob
Andrew,

Thanks a bunch for this.

Question: How do you manage the SQL Membership database if you don't want to install VS 2005 on your server? I tried wiring up the Web App Administration app in IIS and it doesn't work. I followed these instructions (more or less) https://blogs.msdn.com/rahulso/archive/2006/03/09/how-to-use-web-site-administration-tool-without-installing-vs-2005.aspx but to no avail. I get an error.

Do you know of another way to manage users in this database?

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 2/21/2007 8:12 AM AC [MVP MOSS]
Rob-
I suspect you've got something wrong if using the Web App Admin app in IIS or the instructions on the MSDN blog didn't work. I think there are some free utilities out there on sites such as GotDotNet.com and Codeproject.com.

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 9/5/2007 3:50 PM Les
Question for you. We are trying to show one piece of content to authenticated users and a different content to anonymous users. Situation in point: Trying to have a FAQ section shown for anonymous users that is just a list of items. However, if you are authenticated, this list should be a Help Desk item, where the user can submit a question to the Help Desk. Would like the two to be interchangeable, meaning anonymous never sees the Help Desk and authenticated never sees the FAQ. It's targeted content based on whether you are authenticated or not. Problem is I cannot figure out how to 'hide' the FAQ from the authenticated users. Any help would be much appreciated.

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 12/27/2007 11:59 AM Yehiel
If I have Publishing web under Publishing site, anonymous works great for father (site) and still brings auth dialog for son (web). For other templates, like Team, it works without issues.

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 1/1/2008 6:43 AM Yehiel
Breaking the inheritance and explicit defining of anonymous access on son site doesn't help.

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 1/13/2008 4:30 AM Yehiel
Deactivating the lockdown mode and then creating a new subsite also doesn't help.



# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 6/26/2008 4:23 AM Herold van der Vegt
I just extended the original website and enabled anonymous access in 1 site and disabled it for the other.

The web application has 2 authentication providers.
The first one for the Internet (with anonymous access) and a second one for maintenance (without anonymous access).
It seems to work (in our test environment).

Am I missing something?
Why do I have to use a different membership provider?
Or is this just a necessity when internet users have the ability to create their own accounts (using forms authentication)?

# re: HOWTO: Configure a MOSS 2007 Publishing Site with Dual Authentication Providers and Anonymous Access 6/27/2008 12:12 PM oyunlar
Thanks Andrew. Thanks

Copyright © 2003 - 2010 Andrew Connell
This work is licensed under a Creative Commons License