SharePoint 2010 automatic sign-in with mixed authentication

SharePoint 2010 comes with claims-based authentication and the option to have multiple authentication providers for the same URL. Unfortunately, this setup breaks transparent authentication in an intranet environment. This project aims to solve this issue.

Features

Instead of the "Select your credentials" prompt, you get automatic selection of the right authentication provider based on IP address mapping.
When using Windows Authentication for an intranet environment, this brings back transparent authentication based on the Windows credentials.

  • Transparent sign-in with Windows Authentication, when using multiple authentication providers. No more '
  • Support for IPv6
  • Map IP addresses to an authentication provider
  • Wildcard mapping
  • Configuration through PowerShell


The solution consists of two parts

  • A custom PowerShell snap-in that is used to manage the mappings between IP addresses and authentication providers. The mapping is stored in the Hierarchical Object Store, on the level of the Web Application.
  • A custom sign-in page. When the custom sign-in page is loaded, it first checks the IP address of the user. Then it checks whether the address is mapped to an authentication provider. If it is mapped, the user is redirected to the sign-in page of that provider. In other words, if the mapping is found, the “Select the credentials you want to use to logon to the SharePoint site” step of the sign-in process is automated.
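
The lookup described above, sketched as an added example (not the project's own code). The trailing "*" wildcard syntax, the provider names and the class name ProviderResolver are assumptions; the address string is whatever the sign-in page reads as the client address. The result only chooses which provider's sign-in page to redirect to; the provider still authenticates the user.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Added illustration; wildcard syntax (trailing "*") and provider names are assumptions.
public static class ProviderResolver
{
    // Canonical text form: dotted quad for IPv4 (including IPv4-mapped IPv6),
    // eight fully expanded lowercase hex groups for IPv6.
    public static string Canonical(IPAddress ip)
    {
        byte[] b = ip.GetAddressBytes();
        if (b.Length == 16 && b.Take(10).All(x => x == 0) && b[10] == 0xFF && b[11] == 0xFF)
            b = b.Skip(12).ToArray();               // ::ffff:a.b.c.d -> a.b.c.d
        if (b.Length == 4)
            return string.Join(".", b.Select(x => x.ToString()).ToArray());
        var groups = new string[8];
        for (int i = 0; i < 8; i++)
            groups[i] = ((b[2 * i] << 8) | b[2 * i + 1]).ToString("x4");
        return string.Join(":", groups);
    }

    // Returns the mapped provider name, or null so the caller shows the
    // standard provider selection page. The longest matching pattern wins.
    public static string Resolve(string remoteAddr, IDictionary<string, string> map)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddr, out ip)) return null;   // unparsable: no automatic choice
        string addr = Canonical(ip);
        string best = null;
        foreach (string pattern in map.Keys)
        {
            bool hit = pattern.EndsWith("*")
                ? addr.StartsWith(pattern.TrimEnd('*'), StringComparison.Ordinal) : addr == pattern;
            if (hit && (best == null || pattern.Length > best.Length)) best = pattern;
        }
        return best == null ? null : map[best];
    }

    public static void Main()
    {
        var map = new Dictionary<string, string> {   // constructed sample mapping
            { "10.1.*", "Windows Authentication" },
            { "fd00:0000:0000:0001:*", "Windows Authentication" },
            { "192.0.2.7", "Forms" } };
        foreach (var a in new[] { "10.1.4.20", "::ffff:10.1.4.20", "fd00:0:0:1::9", "10.10.4.20", "203.0.113.5" })
            Console.WriteLine("{0} -> {1}", a, Resolve(a, map) ?? "(selection page)");
    }
}
```

Ending a wildcard on a separator ("10.1.*" rather than "10.1*") keeps 10.10.x.x out of the 10.1.x.x mapping, and matching on the canonical form means an IPv4-mapped or compressed IPv6 spelling of an address resolves the same way as its plain form.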

Additional information

More information can be found in an in-depth blog post about the project on our website.

Background

SharePoint 2010 comes with a nice new feature that aims to solve this problem: Mixed Authentication. It allows for the configuration of multiple authentication providers (Windows authentication, forms authentication, trusted identity providers) together using the same URL, without having to extend the web application. Both external and internal users would access the web site on https://intranet.company.com for example.
By default, the user has to choose the authentication method upon logging in.

While this is very nice, and a great improvement over the previous version, the downside is that there is no more transparent authentication in an intranet environment.
With the correct browser settings, it is possible to log on automatically when using Windows authentication.

In Internet Explorer it can be configured in the security settings of the Local Intranet zone. These settings can also be pushed through group policies.

If the intranet is configured correctly, or “detected automatically”, all login attempts will transparently use the Windows identity.
With mixed authentication, however, each time a user tries to access the intranet, and each time he tries to open a document stored on the intranet, he gets the same login popup.

In an intranet environment, this is simply unacceptable.

Special thanks

This project is based on a sample project created by Bryan Porter. Full credits to him for developing this great solution. We had to extend it relatively little to make it work in a live environment. The original sample and the blog post about it can be found here


Who are we?


Orbit One is a software development agency located in Ghent, Belgium.
We specialize in internet facing websites, intranet and extranet applications.
We use technologies such as ASP.Net, SharePoint, Umbraco and Microsoft Dynamics CRM.
http://www.orbitone.com

Last edited Jun 30 at 11:39 AM by OrbitOne, version 24