SharePoint 2010中 - 两个Web应用程序 - 单点登录 - >我需要根据要求身份验证? [英] SharePoint 2010 - two web applications - single sign on --> do I need claims based auth.?
问题描述
我们正在计划创建使用SharePoint 2010企业版两个SharePoint Web应用程序。 所有用户可以访问Web应用程序1,也应该能够访问Web应用程序2。 该认证由Server 2003活动目录进行供电。
We are planning to create two sharepoint web applications using SharePoint 2010 Enterprise Edition. All Users that have access to web app 1, should also be able to access web app 2. This authentication shall be powered by server 2003 active directory.
- >我需要使用基于声明的身份验证? 如果是这样 - >我可以使用基于Windows的身份验证使用NTLM为
--> do I need to use claims based authentication? If so --> can I use Windows Based Authentication with NTLM for that?
我唯一真正想要的是用户从Web应用程序1导航到Web应用程序2(反之亦然)不必进行身份验证的两倍。
The only thing I really want is that users navigating from web app 1 to web app 2 (and vice versa) do not have to authenticate twice.
我不希望到配置Kerberos,如果它不是绝对necessare虽然...
I do NOT want to configure Kerberos if it is not absolutely necessare though...
你能不能给我任何提示? 谢谢!
Can you give me any hints? Thanks!
编辑:
确定 - 我会尝试更precise:
ok - I'll try to be more precise:
在我们的SharePoint 2010环境中,我们已经有了运行的两个Web应用程序
In our SharePoint 2010 environment, we've got two web applications running
HTTP(S)://humanresources.domain.com HTTP(S)://sales.domain.com 两者都是在同一个IIS运行,并且配置了主机头(带通配符域证书的HTTPS)。
http(s)://humanresources.domain.com http(s)://sales.domain.com Both are running on the same IIS and have host headers configured (with wildcard domain certificate for HTTPS).
这两个应用程序提供一个链接到其他Web应用程序(销售 - > humanresources和humanresources - >销售)
Both apps provide a link to the other web application (sales -> humanresources and humanresources -> sales)
现在,每当有人登录到销售导航到humaresources,我不希望这样的人需要重新登录。因此,我以为我会需要基于声明的身份验证??? ...
Now whenever someone logged in to sales navigates to humaresources, I do not want that that person needs to login again. Therefore I thought I would need claims based authentication???...
请微启我的大脑! :D
Please enlight my brain! :D
编辑2:
感谢您的解答!
@Panagiotis Kanavos - 是的,我们有用户访问我们的环境以外的部位:1)用户具有一个AD accound,并正在研究他们的笔记本电脑我们的建筑外(如:他们整天在客户和有在家里,其余时间工作)2)我们计划让用户无需AD Accound - >基于表单的身份验证:(例如:客户访问我们的TFS 2010项目protals拿到项目的概述)。据我所知,如果你想FBA和WIN-验证,你需要配置基于声明的身份验证...
@Panagiotis Kanavos - yes we have Users accessing the site from outside our environment: 1) Users which have an AD accound and are working on their laptops outside of our building (e.g.: they have been all day at a customer and are working at home for the remaining hours) 2) We plan to have users without an AD Accound --> Forms Based Authentication: (e.g.: customers accessing our TFS 2010 project protals to get an overview of the project). As far as I know, if you want FBA and WIN-Auth you need to configure Claims Based Authentication...
不过配置有基于声明的身份验证的Web应用程序无法正常工作。我选择了启用Windows身份验证以及集成Windows身份验证 - > NTLM因为我们没有配置的Kerberos。(我很想把它像什么; - ))
However configuring a Web Application with Claims Based Authentication did not work. I chose "Enable Windows Authentication" together with "Integrated Windows authentication -> NTLM" as we do not have Kerberos configured (and I'd love to leave it like that ;-)).
然而,用户无法登录到该应用程序有时,五分钟以后,它的工作。此外,当我添加权限到AD用户的SharePoint似乎保存令牌,而不是集团 - /帐户ID: 例如:与其MYDOMAIN \ USER1它保存的东西,如0 | = MYDOMAIN \ user1和团体甚至只保存怪异的字符串022-12.3
However the Users could not login to that application sometimes, and five minutes afterwards it worked. Additionally, when I added permissions to an AD user, SharePoint seemed to save the Token instead of the Group-/Account Id: e.g.: Instead of MyDomain\user1 it saved something like "0|=MyDomain\user1" and for groups it even only saved weird character strings "022-12.3"
难道是情况下,我在2003年的Windows AD不支持?
Could it be the case, that my 2003 windows AD does not support that?
推荐答案
如果您正在使用Active Directory和运行域中的这两个网站时,用户会被定位到网站,你不应该被质疑。它只是变得关于谁访问了什么一个执行问题,可以通过广告组或SharePoint组。
IF you are using Active Directory and running both sites within your domain you should not be challenged when users go to either site. It just becomes an implementation issue about who has access to what, either via AD Groups or SharePoint groups.
基于声明的身份验证是有点不同的动物。你需要有一个包含一些索赔有关用户的安全令牌,例如用户A是人力资源的成员,用户B是销售中的一员。根据这些要求,你就可以有你的网站/应用程序相应地作出反应。索赔基于身份验证是相对较新的SharePoint和微软有点陡峭的学习曲线。它可能会更有意义,如果你有一个混合模式的环境中,既AD和基于表单的用户获得访问权限。然而,随着你的描述的异构环境中,它似乎并不像它的需要。
Claims based authentication is a bit of a different animal. You need to have a security token which contains a number of "claims" about the user, for example UserA is a member of HR and UserB is a member of Sales. Based on these claims you can then have your site/application respond correspondingly. Claims based auth is relatively new for SharePoint and Microsoft and is a bit of steeper learning curve. It may make more sense if you have a mixed mode environment, with both AD and Forms Based Users getting access. However with your described heterogeneous environment it doesn't seem like it's needed.
在SharePoint 2010的更多信息认证是href="http://technet.microsoft.com/en-us/library/cc262350.aspx" rel="nofollow">此处提供
More info on SharePoint 2010 Authentication is available here.
约翰·
这篇关于SharePoint 2010中 - 两个Web应用程序 - 单点登录 - >我需要根据要求身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
