Sharepoint Services 3.0: Permission for login from internet

    Question

  • hi,

      I want to share my SharePoint Services on the internet for our customers. I want to add a restriction for internal users so that they can't log in to SharePoint from the internet. They have to log in to a terminal server via VPN, and then they can log in to SharePoint. Is it possible to set up permissions like this for a user group?

    Kuba

    Thursday, March 15, 2012 11:27 AM

Answers

  • Give your internal users one URL and your external users another. You then need to set up the appropriate Alternate Access Mappings as well as define the network routing to satisfy all of your requirements.

    http://technet.microsoft.com/en-us/library/cc263208(v=office.12).aspx

    Hope this helps,

    Dan


    http://wssguy.com/blogs/dan

    Thursday, March 15, 2012 12:43 PM
  • Dan is correct in setting up the Alternate Access mapping, but I don't think that will solve the issue of denying your internal users from logging in using the external address. 

    Two things I can think of to get around that

    • Use a separate authentication store for the external customers. Then extend your web application and configure the external zone to use this auth store. Your internal users won't be able to log in. You could set up FBA to use a different AD or a .NET membership provider. Check out my blog for details on both: http://davidlozzi.com/tag/fba/. One thing I have not tried is to set up FBA with AD and point it to a specific OU in AD, which you could load with your customers.
    • Set up the alternate access mapping, and on login, redirect the user. If they're an internal user (determined by membership in a group or a user profile property), redirect them to a static page explaining how they can access the site.

    Let me know if you need further explanation.


    @DavidLozzi
    DavidLozzi.com
    About.me

    Thursday, March 15, 2012 12:51 PM
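
The separate-store option above, sketched as a web.config fragment for the web application extended into the external zone. This is an added example, not configuration posted by anyone in the thread. It assumes the standard ASP.NET 2.0 ActiveDirectoryMembershipProvider, whose LDAP connection string can name a container so that lookups are scoped to it; the host, OU, domain, provider name and service account are hypothetical placeholders. The zone itself is switched to Forms, with the same provider name, on the Authentication Providers page in Central Administration.

```xml
<!-- Fragment to merge into the existing web.config of the EXTENDED (external zone)
     web application. Constructed example: all names below are placeholders.
     The Default zone's web.config stays on Windows authentication for internal users. -->
<configuration>
  <connectionStrings>
    <!-- The OU in the LDAP path scopes the provider to accounts under OU=Customers.
         Internal staff accounts that live elsewhere in the directory are not found,
         so they cannot authenticate against this zone. -->
    <add name="CustomerOU"
         connectionString="LDAP://dc01.example.local/OU=Customers,DC=example,DC=local" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="CustomerADProvider">
      <providers>
        <!-- Use a low-privilege, read-only bind account and keep the real password
             out of source control; PLACEHOLDER is not a usable value. -->
        <add name="CustomerADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="CustomerOU"
             connectionUsername="EXAMPLE\svc-ldap-read"
             connectionPassword="PLACEHOLDER"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="true" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The same provider entry also has to be present in the Central Administration web.config so that customer accounts can be resolved when granting them site permissions. Verify the result by attempting a login on the external URL with an internal account outside the OU and confirming it is rejected.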
  • I always try to solve problems with a mix of dev and policy. Need to balance. David is correct in saying that it will not "solve" the problem of internal users logging in to the external site, but, a strictly enforced policy can certainly help. (perhaps a nice threatening message on your custom login page) :) Unless of course you have infinite budget and time to write all the custom code/providers/controls/handlers/modules you want, then go for it.

    Hope this helps,

    Dan


    http://wssguy.com/blogs/dan

    Thursday, March 15, 2012 2:24 PM
