We would like to use Integrated Windows Authentication if a user accesses our SharePoint site from within our organization, and Basic Authentication (using SSL) when someone tries to authenticate from outside our organization.
Reading, it seems IE will try Windows Auth no matter what and ignore Basic Auth from outside our organization. This is undesirable because the user is required to enter the DOMAIN into the login box (users are notorious for calling our helpdesk about this). Basic Auth allows us to specify a default domain. Windows Auth does not do this. Hence the desire to use Basic Auth for outside, Windows Auth for inside.
What is the solution to enabling Windows Auth inside the network, and Basic Auth outside our network? Do I need to set up two separate sites inside IIS (one for Windows Auth, another for Basic)? Would this require 2 different Host Names?
Is there a solution I am not thinking of here?
Thanks all.
Assumption: you want to have all users, both internal and external, authenticate against the same Active Directory domain.
If the main goal is for external users to be able to log in without typing the domain name, you could use ISA Server.
You can have internal users connect directly to your SharePoint server by pointing your internal DNS directly to your SharePoint server. Thus, Windows auth would work for them.
External users could then be pointed to your ISA server (via DNS), and ISA could be configured to show a login page for SharePoint where no domain name is required. (It’s a web form that they are filling out, but the authentication happens against Active Directory).
Getting ISA to work in this way is a little tricky, because you have to get the AAM settings in SharePoint just right. And if you’re doing SSL or SQL Reporting Services, it’s even more tricky. The main problem is that there are no meaningful error messages telling you what’s wrong. But it is possible. 🙂
We have this set up, and it works great, but it was definitely a pain to get working right.
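An added example, not part of the original posts: once the inside/outside split discussed above is in place, this check reads the `WWW-Authenticate` challenges each endpoint returns and flags Basic offered without SSL or Windows auth exposed externally. The zone labels, hostnames and header values are constructed assumptions, not values from the thread.

```python
import re

WINDOWS_SCHEMES = {"negotiate", "ntlm"}  # Integrated Windows Authentication
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
_SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9_-]*)(?=\s+[^=\s]|$)')

def offered_schemes(www_authenticate_values):
    """Collect lowercase scheme names from WWW-Authenticate header values."""
    schemes = set()
    for value in www_authenticate_values:
        # One header may hold several challenges; split on commas outside quotes.
        for part in _COMMA_OUTSIDE_QUOTES.split(value):
            m = _SCHEME.match(part.strip())
            if m:  # parts like realm="x" are parameters, not schemes
                schemes.add(m.group(1).lower())
    return schemes

def audit(zone, url, www_authenticate_values):
    """Return findings for one endpoint; zone is 'internal' or 'external' (assumed labels)."""
    schemes = offered_schemes(www_authenticate_values)
    findings = []
    if "basic" in schemes and not url.lower().startswith("https://"):
        findings.append("Basic offered without SSL: password is only base64-encoded")
    if zone == "internal" and not schemes & WINDOWS_SCHEMES:
        findings.append("internal endpoint does not offer Negotiate/NTLM")
    if zone == "external" and schemes & WINDOWS_SCHEMES:
        findings.append("external endpoint offers Windows auth, so users may be asked for DOMAIN\\user")
    return findings

# Constructed sample responses (hypothetical hostnames, not from the thread).
SAMPLES = [
    ("internal", "http://sharepoint.corp.example/", ["Negotiate", "NTLM"]),
    ("external", "https://portal.example.com/", ['Basic realm="portal.example.com"']),
    ("external", "http://portal.example.com/", ['NTLM, Basic realm="a, b"']),
]

def run_samples():
    return [(zone, url, audit(zone, url, hdrs)) for zone, url, hdrs in SAMPLES]

if __name__ == "__main__":
    for zone, url, findings in run_samples():
        print(zone, url, findings or "OK")
```

An external endpoint fronted by a forms login page returns no `WWW-Authenticate` challenge at all, which this check treats as clean.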