Authentication in SharePoint 2010
SharePoint 2010 comes with a nice new feature that aims to solve this problem: Mixed Authentication. It allows for the configuration of multiple authentication providers (Windows authentication, forms authentication, trusted identity providers) on the same URL, without having to extend the web application. Both external and internal users would access the web site on https://intranet.company.com, for example. By default the user has to choose the authentication method upon logging in.
While this is very nice, and a great improvement over the previous version, the downside is that there is no longer transparent authentication in an intranet environment. With the correct browser settings it is possible to log on automatically when using Windows authentication.
In Internet Explorer this is configured in the security settings of the Local Intranet zone. These settings can also be pushed through Group Policy.
If the intranet zone is configured correctly, or “detected automatically”, all login attempts transparently use the Windows identity. With mixed authentication, however, each time a user tries to access the intranet, or tries to open a document stored on the intranet, he gets the same login popup.
In an intranet environment, this is simply unacceptable.
The solution for SharePoint 2010
Looking to improve on this situation, we found a great blog post by Bryan Porter. By using a custom login page and a custom PowerShell snap-in he was able to automatically choose the authentication provider based on the IP address of the user logging in.
The solution consists of two parts:
- A custom PowerShell snap-in that is used to manage the mappings between IP addresses and authentication providers. The mapping is stored in the Hierarchical Object Store, on the level of the Web Application.
- A custom sign-in page. When the custom sign-in page is loaded it first checks the IP address of the user. Then it checks whether the address is mapped to an authentication provider. If it is mapped, the user is redirected to the sign-in page of that provider. In other words, if a mapping is found, the “Select the credentials you want to use to logon to the SharePoint site” step of the sign-in process is automated.
We've added some features to Bryan's solution:
- Wildcard mapping. Authentication providers can now be mapped to a wildcard IP range, for example 192.168.0.*
- IPv6 support.
- Fixed the redirection so that “Sign in as a different user” works correctly.
After installation, the web application can be configured to automatically use Windows authentication for a certain range of IPs, and forms authentication for the others.
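As an added illustration of the IP check the custom sign-in page performs (my own sketch, not Bryan Porter's code or the solution described above), here is a C# resolver that handles the wildcard and IPv6 mappings listed above. The class name, the provider names and the shape of the mapping list are assumptions; the real solution reads its mappings from the Hierarchical Object Store.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Net;
using System.Net.Sockets;
// Hypothetical resolver for the custom sign-in page: maps the client address to a provider name.
public static class ProviderResolver
{
    // Split a pattern into 4 (IPv4) or 8 (IPv6) groups, keeping "*" and expanding "::" to zero groups.
    static string[] ExpandPattern(string pattern, bool v4)
    {
        if (v4) return pattern.Split('.');
        string[] halves = pattern.Split(new[] { "::" }, StringSplitOptions.None);
        string[] left = halves[0].Split(new[] { ':' }, StringSplitOptions.RemoveEmptyEntries);
        string[] right = halves.Length == 2 ? halves[1].Split(new[] { ':' }, StringSplitOptions.RemoveEmptyEntries) : new string[0];
        int pad = halves.Length == 2 ? 8 - left.Length - right.Length : 0;
        if (halves.Length > 2 || pad < 0) return new string[0];       // malformed pattern: never matches
        return left.Concat(Enumerable.Repeat("0", pad)).Concat(right).ToArray();
    }
    // True when the client matches e.g. "192.168.0.*", "10.*.*.*", "2001:db8::*" or an exact address.
    public static bool Matches(string pattern, IPAddress client)
    {
        bool v4 = client.AddressFamily == AddressFamily.InterNetwork;
        if ((pattern.IndexOf(':') < 0) != v4) return false;           // never match across address families
        string[] groups = ExpandPattern(pattern, v4);
        byte[] b = client.GetAddressBytes();
        int[] actual = v4 ? b.Select(x => (int)x).ToArray()
                          : Enumerable.Range(0, 8).Select(i => (b[2 * i] << 8) | b[2 * i + 1]).ToArray();
        if (groups.Length != actual.Length) return false;
        for (int i = 0; i < groups.Length; i++)
        {
            if (groups[i] == "*") continue;
            int value;
            if (!int.TryParse(groups[i], v4 ? NumberStyles.None : NumberStyles.AllowHexSpecifier,
                              CultureInfo.InvariantCulture, out value) || value != actual[i])
                return false;
        }
        return true;
    }
    // First matching mapping wins, so list exact addresses before wildcard ranges; null means no mapping.
    public static string Resolve(IEnumerable<KeyValuePair<string, string>> mappings, IPAddress client)
    {
        foreach (KeyValuePair<string, string> m in mappings)
            if (Matches(m.Key, client)) return m.Value;
        return null;
    }
}
```

Feed it the TCP peer address (Request.UserHostAddress in ASP.NET); a forwarded-for header is client-supplied, so only rely on it behind a proxy you trust. A null result means the page should fall through to the normal provider-selection step rather than silently pick a default.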