Integrate Active Directory with Share Point 2007

  • Tuesday, November 03, 2009 12:28 PM  Ramandeep Baweja
    Hi, I am new to SharePoint, so I want to find out how I can integrate Active Directory with SharePoint 2007. I want to have a web application that Active Directory users can log in to. How can I do this end to end? I created a new Import connection through SSP -> User Profiles and Properties and did a full import. So users are synched in; what's the next step? Thanks, Raman

Answers

  • Tuesday, November 03, 2009 12:52 PM  Brian Bedard
    If you've already set up User Profiles and it worked, all that's left for that is to pull in the properties you want to track in your User Profiles. If you're happy with the defaults, then you're done there.

    SharePoint handles all the authorization for you. As long as your users all have client CALs (a Windows OS on Active Directory), authentication is taken care of. Out of the box, the Active Directory authentication provider is on. To control what users can do in SharePoint, you have to add them to SharePoint security groups. Four objects can be secured in SharePoint: SPSite, SPWeb, SPItem, SPList. These are called securable objects, and almost everything you see in SharePoint derives from one of these. Security in SharePoint is controlled at the item level, not the field level. SharePoint security groups use your authentication provider transparently. They can use AD users and groups and SharePoint user profiles.

    When you create a list that uses the People and Group field, it generates a People Editor control on forms. This ties directly into your authentication provider. This People Editor control is everywhere you need to add users. You can see it on the People and Groups New Form.

    Bottom line, when you installed SharePoint it detected active directory and set itself up to use that by default.

    Now if you have other systems you are connecting to SharePoint, you need to make some choices. If you want to continue to use AD, you'll probably need to set up Kerberos to allow the web application (SharePoint services) to impersonate the end user to these other systems; it can't do that with default NTLM. Kerberos can be messy and hard to set up properly. People sometimes take a different path: they use a Single Sign-On (SSO) provider. This service stores credentials, mapped to individuals or groups, for external systems. So instead of delegating and impersonating, the web app just logs in as a different user (a user the external system recognizes). This problem with delegation is called the double hop issue. There are other ways around the access denied errors, but they are less secure and leave no audit trails.

    Hopefully this helps and we didn't scare you off from using SharePoint.  It's a wonderful product with many, many capabilities. 
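The group-membership and securable-object model Brian describes, as an added example that is not part of his reply or of the product documentation: a C# console program against the WSS 3.0 / MOSS 2007 server object model (Microsoft.SharePoint.dll; it has to run on a farm server, as an account with rights on the site collection). The site URL http://portal.contoso.com, the account CONTOSO\raman, the group and list names and the item id are assumed values, not taken from the thread.

```csharp
// Added example, not code from the original thread. Grants a domain account
// access through the SharePoint 2007 object model: first coarse-grained via a
// SharePoint group, then fine-grained on one SPListItem (a securable object).
using System;
using Microsoft.SharePoint;

class GrantAccessExample
{
    static void Main()
    {
        const string siteUrl   = "http://portal.contoso.com"; // assumed web application
        const string login     = @"CONTOSO\raman";            // assumed AD account
        const string groupName = "Portal Members";            // assumed SharePoint group
        const string listName  = "Shared Documents";          // assumed document library
        const int    itemId    = 1;                           // assumed item id

        // Run as the application pool identity so the sample is not blocked by
        // the caller's own permissions. Restrict who may run such code in production.
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(siteUrl))
            using (SPWeb web = site.OpenWeb())
            {
                // EnsureUser resolves the login name against the web application's
                // authentication provider (Active Directory by default) and adds the
                // account to the site collection's user list if it is not there yet.
                // This is the same resolution the People Editor performs; a profile
                // import alone does not make an account resolvable here.
                SPUser user = web.EnsureUser(login);

                // 1. Coarse-grained: membership of a SharePoint group that already
                //    holds a role (e.g. Contribute) on the SPWeb.
                SPGroup group = web.SiteGroups[groupName];
                group.AddUser(user);

                // 2. Fine-grained: SPListItem is a securable object, so inheritance
                //    can be broken and a role assigned to this one item. Permissions
                //    apply to the whole item, never to individual fields.
                SPList list = web.Lists[listName];
                SPListItem item = list.GetItemById(itemId);
                if (!item.HasUniqueRoleAssignments)
                {
                    // true: start from a copy of the parent's role assignments.
                    item.BreakRoleInheritance(true);
                }
                SPRoleAssignment assignment = new SPRoleAssignment(user);
                assignment.RoleDefinitionBindings.Add(web.RoleDefinitions["Read"]);
                item.RoleAssignments.Add(assignment);

                // Verify the effective permission instead of trusting the edit.
                bool canRead = web.DoesUserHavePermissions(login, SPBasePermissions.ViewListItems);
                Console.WriteLine("{0} can view items on {1}: {2}", login, web.Url, canRead);
            }
        });
    }
}
```

The check at the end is the one worth keeping: after any permission change, confirm the effective permission for the account rather than assuming the group or role assignment took effect. Note that EnsureUser, like the People Editor, only succeeds for accounts the web front-end can resolve through its own domain or a trusted one; accounts that merely appear in imported user profiles are not granted access and are not resolvable by themselves (for accounts in a one-way trusted forest the picker additionally needs the stsadm peoplepicker-searchadforests property configured).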

All Replies

  • Wednesday, November 04, 2009 5:15 AM  Ramandeep Baweja

    Hi Brian,
    Thanks for a quick reply.

    My system on which SharePoint was installed did not have the Active Directory. It is some other system that I am trying to connect.
    It appeared to me as the logical way that I synch the users to SharePoint by configuring the connection, and then maybe I can give these users rights to access the web application or site. But the People Editor is not able to locate these users who are visible in User Profiles. Looks like this was not the way to go about it.

    A few questions:
    a. What use or purpose are these users visible in the User Profile for?
    b. For configuring the different Active Directory, you suggested two options. Where can I find the documentation for them?
    c. There is an option in Web Application Management for providing the default Authentication Provider for the Web App. How can that be used? Will it help to solve my purpose?

    Thanks,
    Raman