Plan for user authentication in an EPM/Office SharePoint Server 2007 extranet environment

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2010-02-23

This article describes how to plan for user authentication in an Enterprise Project Management (EPM)/Microsoft Office SharePoint Server 2007 extranet environment. For an overview of this chapter about how to plan for EPM extranets, see Plan an EPM/Office SharePoint Server 2007 extranet environment.

Plan for user authentication

Authentication is the process of validating a user's identity. After a user's identity is validated, the authorization process determines which sites, content, and other features the user can access. In an EPM-focused Microsoft Office SharePoint Server 2007 extranet farm, you must implement appropriate authentication mechanisms for all shared Office Project Server 2007 and Microsoft Office SharePoint Server 2007 components.

In Microsoft Office SharePoint Server 2007, the authentication process is managed by Internet Information Services (IIS). After IIS performs authentication of users, the security features in Office SharePoint Server 2007 perform the authorization process.

Microsoft Office SharePoint Server 2007 provides a flexible and extensible authentication system, which supports authentication for identity management systems whether or not they are based on the Microsoft Windows operating system. By integrating with ASP.NET pluggable authentication, Microsoft Office SharePoint Server 2007 supports various forms-based authentication schemes. Authentication support in Microsoft Office SharePoint Server 2007 enables various authentication scenarios, including the following:

  • Using standard Windows authentication methods.

  • Using a simple database of user names and passwords.

  • Connecting directly to an organization's identity management system.

  • Using two or more methods of authentication for accessing partner applications (for example, connecting to your partner company's identity management system for authenticating partner employees while you are using Windows authentication methods to authenticate your internal employees).

  • Participating in federated identity management systems.

The Office Project Server 2007 security model is based on the Windows security model, by which users and groups (security principals) are granted permission to access security objects. Office Project Server 2007 supports both Windows and Forms authentication. Windows authentication uses the standard Windows SharePoint Services authentication component for Microsoft Single Sign-On (SSO). A successful logon to Office Project Server 2007, for example, can also authenticate the user for Microsoft Office SharePoint Server 2007 and related applications.

Forms authentication resembles the Office Project Server 2007 authentication mechanism provided in Office Project Server 2003 in that a user enters a user name and password. The main difference is that the forms-based authentication users and their passwords are stored in membership stores instead of in the Office Project Server database.
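The following web.config fragment is an added example, not taken from the original article or from Microsoft's documentation. It shows a forms authentication membership store configured through the ASP.NET 2.0 SqlMembershipProvider, with the weaker settings noted in comments beside the hardened ones. The provider name, connection string name, server and database names, login page path, and the numeric thresholds are assumptions chosen for illustration.

```xml
<!-- Added example: web.config fragment for the extranet zone Web application.
     ExtranetMembers, ExtranetMembershipDb, SQLSERVER_PLACEHOLDER and aspnetdb
     are constructed placeholder names, not values from the article. -->
<configuration>
  <connectionStrings>
    <!-- Integrated security keeps SQL credentials out of the file. -->
    <add name="ExtranetMembershipDb"
         connectionString="Data Source=SQLSERVER_PLACEHOLDER;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL="true" marks the ticket cookie Secure so it is never sent
           over plain HTTP; protection="All" encrypts and validates the ticket.
           Weak variant to avoid: requireSSL="false" protection="None". -->
      <forms loginUrl="/_layouts/login.aspx"
             requireSSL="true"
             protection="All"
             timeout="30"
             slidingExpiration="true" />
    </authentication>
    <membership defaultProvider="ExtranetMembers">
      <providers>
        <!-- Weak variant to avoid: passwordFormat="Clear" with
             enablePasswordRetrieval="true", which stores recoverable
             passwords in the membership database. -->
        <add name="ExtranetMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ExtranetMembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With maxInvalidPasswordAttempts and passwordAttemptWindow set as above, an account is locked after five failed logons within ten minutes, which limits password guessing against the Internet-facing logon page.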

For additional details about planning the authentication methods that are available for Office Project Server 2007 and Office SharePoint Server 2007 applications, see:

Plan Project Server 2007 authentication method

Plan authentication methods (Office SharePoint Server)

The SSO feature in Microsoft Office SharePoint Server 2007 maps user credentials to back-end data systems. By using SSO, you can access data from server computers and services that are external to Microsoft Office SharePoint Server 2007. From within Microsoft Office SharePoint Server 2007 Web Parts, you can view, create, and configure this data.

SSO requires Windows credentials for user accounts. In environments where Web SSO is used to authenticate user accounts, SSO can be used only if the current thread that is invoking SSO application programming interfaces (APIs) has a Windows identity associated with it.

For additional details about SSO, see Plan for single sign-on.