Saturday, June 02, 2012

Implementing SharePoint Extranet Collaboration Manager 2010 (ExCM) Advanced Features – Part 1 – Authentication Provider Mapping

By Matthew McBride

Overview of Authentication Provider Mapping
SharePoint Extranet Collaboration Manager 2010 (ExCM) can streamline the experience for users located inside your corporate network by implementing a feature called Authentication Provider Mapping (APM).  APM maps a client IP address, or a range of addresses, to a specific authentication provider.  When APM is enabled and configured, it uses the source address of each request for the ExCM sign-in page to decide whether the request is coming from inside your network or from an external user.  This is achieved by specifying the range of IP addresses belonging to your internal network and then specifying the authentication provider that is to be used for that range (Windows in this case).

By default, all requests to your ExCM site are sent to ExCM's custom sign-in page (assuming you have configured it within Central Administration).  Notice the “Sign in using Windows Authentication” link near the bottom:


This link can be useful if your corporate users want to access the ExCM site externally, but it is redundant for those users when they are inside the network, since they have already logged on to their workstations with the same credentials.  However, by configuring APM and a couple of settings within Internet Explorer (IE), your internal users will bypass this page and be sent straight to the top-level site without providing any further information:

Configuring Authentication Provider Mapping

The first thing we need to do to configure APM is to enable the PowerShell service provided as part of ExCM 2010.  This service exposes configuration options that are not available in the normal user interface (UI).  To enable the service, open the SharePoint Management Shell and type the following command:

Next, we need to add a mapping.  Note that a mapping can cover a single IP address or an entire subnet, and you can break a larger range into smaller subnets by using masks.  In this example, we will add the entire 192.168.0.0/24 subnet (192.168.0.*).  To create a new mapping, type the following:

Then we need to specify the subnet and the authentication provider to be used (Windows authentication against Active Directory, in this case):

We can verify the mapping by typing this command:

With APM configured, we also need to ensure that IE is set up to pass the user's Windows credentials to the site automatically.  To do this, we first add the ExCM site to the “Trusted Sites” list:

Then we need to ensure that the “Automatic logon with current user name and password” setting is enabled for the Trusted Sites Zone security level:

With those settings in place, your internal users will never be presented with the ExCM Sign In page when accessing the site.  They will simply be sent directly to the top-level page.
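To verify (or apply) the two browser settings above without clicking through the IE dialogs, here is an added PowerShell example that is not part of the original post.  It reads and writes the registry locations Internet Explorer uses for the current user: the Trusted Sites list lives under HKCU\...\Internet Settings\ZoneMap\Domains, and the Trusted Sites zone's logon action is the DWORD value 1A00 under HKCU\...\Internet Settings\Zones\2, where 0 means “Automatic logon with current user name and password”.  The host name extranet.contoso.com is a placeholder.  Group Policy copies of these keys (under the Policies hives), if present, take precedence over the per-user values and are not checked here.

```powershell
# Added example: not code from the original post or from ExCM.
# Inspects and sets the two per-user IE settings APM relies on.
# 'extranet.contoso.com' is a placeholder host name.

$zoneRoot    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$trustedZone = "$zoneRoot\Zones\2"   # zone 2 = Trusted sites
$logonValue  = '1A00'                # URL action "Logon"
$autoLogonWithCurrentUser = 0        # 0x10000 = prompt, 0x20000 = intranet only, 0x30000 = anonymous

function Add-IETrustedSite {
    param([string]$Hostname, [string]$Scheme = 'https')
    # IE stores a host as Domains\<domain.tld>\<subdomain>; a bare domain has no subkey.
    $labels = $Hostname.Split('.')
    if ($labels.Length -gt 2) {
        $domain = $labels[-2..-1] -join '.'
        $sub    = $labels[0..($labels.Length - 3)] -join '.'
        $key = "$zoneRoot\ZoneMap\Domains\$domain\$sub"
    } else {
        $key = "$zoneRoot\ZoneMap\Domains\$Hostname"
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # A DWORD named after the scheme whose data is the zone number (2 = Trusted sites).
    New-ItemProperty -Path $key -Name $Scheme -Value 2 -PropertyType DWord -Force | Out-Null
}

function Get-IETrustedZoneLogon {
    # Returns the raw 1A00 value, or $null if it has never been set for this user.
    $item = Get-ItemProperty -Path $trustedZone -Name $logonValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$logonValue
}

function Set-IETrustedZoneAutoLogon {
    # Select "Automatic logon with current user name and password" for Trusted sites.
    Set-ItemProperty -Path $trustedZone -Name $logonValue -Value $autoLogonWithCurrentUser -Type DWord
}

# Usage, run as the user whose browser profile should be changed:
Add-IETrustedSite -Hostname 'extranet.contoso.com' -Scheme 'https'
Set-IETrustedZoneAutoLogon
Get-IETrustedZoneLogon   # 0 means automatic logon with the current credentials
```

Run this as the user whose IE profile matters, since both settings are per-user.  Checking the 1A00 value rather than assuming a default is worthwhile because the Trusted Sites zone's logon action can be changed by policy or by a previous administrator, and if it is not 0 the user will be prompted for Windows credentials instead of being signed in silently.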

Additional Considerations and Summary
There are a couple of things to keep in mind before and when you implement APM.  First, it is NOT recommended to use APM during your ExCM testing phase.  Doing so will make it difficult to test Forms Based Authentication user credentials, because internal testers will be mapped to Windows authentication and never see the sign-in page.  Second, if you have a device inside your network performing any type of reverse proxying that replaces the source IP address of the original request with its own (such as an F5), requests that pass through it will appear to come from the device's address, so you would need to add the address or range of addresses the device uses to the mapping.  Keep in mind that this maps everything behind that device to Windows authentication, so it is only appropriate if the device forwards internal clients exclusively.
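The following added PowerShell example, which is not ExCM's code and does not use ExCM's PowerShell service or cmdlets, illustrates the decision APM makes for a request: match the client address against a list of mapped ranges (a whole /24 and a smaller subnet split out by mask, as the configuration section describes) and fall back to the forms sign-in page when nothing matches.  It also shows the reverse-proxy caveat: when the direct peer is a known internal proxy, the original client address is taken from the X-Forwarded-For header, but the header is ignored from any other peer, because an external client can set it to anything.  The mapping table, the proxy address and all client addresses are constructed values.

```powershell
# Added illustration of the APM decision (not ExCM's own code or cmdlets).
# $ApmMappings, $TrustedProxies and the addresses below are constructed values.

function ConvertTo-IPv4Int {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    # Dotted quad -> number; int64 avoids signed-overflow questions.
    return [int64]$bytes[0] * 16777216 + [int64]$bytes[1] * 65536 +
           [int64]$bytes[2] * 256 + [int64]$bytes[3]
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    if (-not $prefix) { $prefix = 32 }     # a bare address is a single-host mapping
    $prefix = [int]$prefix
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in $Cidr" }
    # Network mask with the top $prefix bits of 32 set (a /24 gives 255.255.255.0).
    $mask = [int64]4294967295 - ([int64][math]::Pow(2, 32 - $prefix) - 1)
    return ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)
}

# Mappings in the shape the post describes: a range and the provider used for it.
$ApmMappings = @(
    [pscustomobject]@{ Range = '192.168.0.0/24'; Provider = 'Windows' }   # the post's example subnet
    [pscustomobject]@{ Range = '10.10.5.0/28';   Provider = 'Windows' }   # a smaller subnet split out by mask
)
# Internal reverse proxy whose X-Forwarded-For header we are willing to believe.
$TrustedProxies = @('10.0.0.7')

function Resolve-AuthProvider {
    param(
        [string]$RemoteAddress,        # the peer the web server sees (REMOTE_ADDR)
        [string]$XForwardedFor = ''    # X-Forwarded-For header, if the request carried one
    )
    $clientIp = $RemoteAddress
    # Only honour X-Forwarded-For when the direct peer is a proxy we control.
    if ($XForwardedFor -and ($TrustedProxies -contains $RemoteAddress)) {
        # Proxies append to the header; the left-most entry is the original client.
        $clientIp = ($XForwardedFor -split ',')[0].Trim()
    }
    foreach ($m in $ApmMappings) {
        if (Test-IPv4InCidr -Address $clientIp -Cidr $m.Range) { return $m.Provider }
    }
    return 'Forms'   # no mapping matched: send the user to the ExCM sign-in page
}

# Usage: direct internal client, external client, internal client behind the
# trusted proxy, and an external client spoofing the header from an untrusted peer.
Resolve-AuthProvider -RemoteAddress '192.168.0.42'
Resolve-AuthProvider -RemoteAddress '203.0.113.9'
Resolve-AuthProvider -RemoteAddress '10.0.0.7'    -XForwardedFor '192.168.0.42'
Resolve-AuthProvider -RemoteAddress '203.0.113.9' -XForwardedFor '192.168.0.42'
```

The last two calls are the point of the reverse-proxy caveat.  Trusting the forwarded address only from a listed proxy keeps an external client from placing itself in an internal range by adding a header, whereas simply mapping the proxy's own address to Windows authentication, as the paragraph above describes, is only safe when that device never carries external traffic.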

In summary, Authentication Provider Mapping can greatly streamline the experience for your internal users when accessing a SharePoint Extranet Collaboration Manager 2010 (ExCM) site inside your corporate network.  When APM is configured, these users will be sent directly to the top level site without having to provide any further credentials.