Pluggable Authentication Provider

SharePoint 2007

Specifies a pluggable authentication module used by ASP.NET 2.0 and the current version of SharePoint Products and Technologies to replace a built-in authentication provider.

Real World Example

A portal site is planned for external partner access, but partners will not have Active Directory domain controller accounts. The portal development team decides to create a pluggable forms authentication module that will provide a feature-rich authentication provider to access both the Active Directory domain controller and a separate authentication database. The pluggable authentication provider is installed on the SharePoint Web application that is exposed to the external partners.

Technical Details

An authentication provider is an HTTP module that provides authentication services to an ASP.NET application.

Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 support the following types of authentication:

  • Windows: All Internet Information Services (IIS) and Windows authentication integration options, including Basic, Digest, Certificates, Windows NT LAN Manager (NTLM), and Kerberos. Windows authentication allows IIS to perform the authentication for SharePoint Products and Technologies.

  • ASP.NET Forms: An identity management system not based on Windows that uses the pluggable ASP.NET forms authentication system. This mode allows SharePoint Products and Technologies to work with a variety of identity management systems, including externally defined groups or roles such as Lightweight Directory Access Protocol (LDAP) and lightweight database identity management systems. Forms authentication allows ASP.NET to perform the authentication for SharePoint Products and Technologies, often involving redirection to a logon page.

  • Delegated: A system for delegating end-user credentials from a trusted system to Windows SharePoint Services. This allows trusted services to pass user identities to Windows SharePoint Services for authorization, conveying who the current user is without requiring that SharePoint Products and Technologies have that user's credentials. ADFS is a form of delegated authentication in SharePoint Products and Technologies.

More detailed technical information on ASP.NET 2.0 authentication and pluggable forms authentication can be found in the ASP.NET SDK and in the books Developing More-Secure Microsoft ASP.NET 2.0 Applications (Baier, 2006) and Programming Microsoft ASP.NET 2.0 Core Reference (Esposito, 2006).

Support Details

A custom authentication provider is used as a core component of the security system, so it has a higher than normal requirement for security testing and review. This becomes even more important if it is used to expose the SharePoint content to the Internet because of the larger potential threat base.

Custom authentication providers can increase the support burden on a SharePoint environment because their authentication is nonstandard, which makes it harder to debug issues that might not at first appear to be authentication-related.

Only one authentication provider can be enabled on a given Web application instance within IIS. To enable a site to be accessed by using two different authentication provider types (for example, both Windows and forms), one instance of the Web application must be set up to use the first authentication method in one zone, and another instance extended from the first must be set up with a different zone and authentication method.

Additionally, the identifier used to uniquely identify users for site user profile and access management depends on the authentication provider used. A user who can be authenticated by, for example, both Windows and ADFS authentication would have two distinct user profiles and could have differing site group membership and access rights.

Addition and configuration of any providers other than Windows authentication providers normally requires modifications to the web.config file and potentially additions of new DLLs.
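The following web.config fragment is an added illustration, not configuration from this page or from any Microsoft product, of what such a modification looks like for the extranet zone in the Real World Example above: forms authentication is enabled, a custom membership and role provider are registered, and the People Picker is told to search that provider. The provider names, the Contoso.Partners assembly, the PartnerDb connection string and the public key token are assumptions.

```xml
<!-- Added example for the web.config of the partner-facing (extended) zone.
     Provider, assembly and connection-string names are assumptions; merge the
     elements into the existing file rather than replacing it. -->
<configuration>
  <connectionStrings>
    <!-- Constructed value; the app pool identity authenticates to SQL, so no password is stored here. -->
    <add name="PartnerDb"
         connectionString="Data Source=SQL01;Initial Catalog=PartnerAuth;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- Forms authentication replaces Windows authentication for this zone only. -->
    <authentication mode="Forms">
      <!-- Encrypted and signed ticket, sent only over HTTPS, short idle timeout. -->
      <forms loginUrl="/_layouts/login.aspx" protection="All" requireSSL="true" timeout="30" />
    </authentication>
    <!-- The pluggable provider that validates partner credentials (the DLL added to the bin or GAC). -->
    <membership defaultProvider="PartnerMembershipProvider">
      <providers>
        <add name="PartnerMembershipProvider"
             type="Contoso.Partners.PartnerMembershipProvider, Contoso.Partners, Version=1.0.0.0, Culture=neutral, PublicKeyToken=REPLACE_WITH_TOKEN"
             connectionStringName="PartnerDb" />
      </providers>
    </membership>
    <!-- Roles from the separate authentication database, usable in SharePoint groups. -->
    <roleManager enabled="true" defaultProvider="PartnerRoleProvider">
      <providers>
        <add name="PartnerRoleProvider"
             type="Contoso.Partners.PartnerRoleProvider, Contoso.Partners, Version=1.0.0.0, Culture=neutral, PublicKeyToken=REPLACE_WITH_TOKEN"
             connectionStringName="PartnerDb" />
      </providers>
    </roleManager>
  </system.web>
  <SharePoint>
    <!-- Lets the People Picker resolve partner accounts through the custom provider. -->
    <PeoplePickerWildcards>
      <clear />
      <add key="PartnerMembershipProvider" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>
</configuration>
```

The same provider entries must also be added to the Central Administration web.config so that administrators can resolve partner accounts when granting access, and the zone must be switched to forms authentication with these provider names in Central Administration.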
