Step 09: Configuring Basic SharePoint Authentication and Permissions

SharePoint users on a LAN (local area network) or WAN (wide area network) cannot access or use SharePoint site resources until they are given permission to do so.

This can be accomplished in many different ways; if you only have a few users, you can simply add them one by one. But since we are running Active Directory (AD) in our example, we will use it to authenticate users to sites. When users log on to the domain with their user names and passwords, they are authenticated automatically to the SharePoint site because they belong to the users or groups of that domain, and they do not have to enter their credentials repeatedly.

Here’s how to accomplish that:

  • To begin, open the SharePoint administration site from the Start Menu by selecting Start > Programs > Microsoft Office Server > SharePoint 3.0 Central Administration.
  • With the Central Administration page open, click on the Application Management tab, then under Application Security click on the link for Policy for Web application.
  • You should now be at the Policy for Web Application page. The goal here is to create a permissions policy for an individual user or a group of users, so that the policy can be applied to one or many Active Directory zones, depending on what you want to do. On the right side of the window, make sure the correct Web Application is selected (in this example, http://gsa.tfplocal.net/) and then click Add Users, on the left.
  • Once the Add Users page displays, select Default if you do not want to apply this policy to all zones. Then click Next.
  • A brief pause to explain what we are doing at this juncture: for this example, we want to give access to any user who is able to authenticate either from a local area network or a wide area network (for example, from a remote office location with a VPN setup). For this to work, we have to give access to network authenticated users. SharePoint comes with a built-in account called “NT AUTHORITY\authenticated users”, which covers any user logged on to any domain controller in any of our LANs or VPNs. As such, this is probably an ideal solution if you have an open policy in terms of permissions, but you may want to restrict permissions more tightly, and SharePoint comes with a range of permissions and stricter policies to achieve your security goal. It’s your network and it’s your call how you want to proceed.

    Getting back to the example, on the next screen, in the Users text box, type in “domain users” and then test it against Active Directory by clicking on the small user icon underneath the text box, to the right. In this example, we add the “NT AUTHORITY\authenticated users” account and check the box for Full Control – Has full control, effectively giving users permission to contribute, add, update and delete site content. Without that control, users will not be able to write or do more than view and read content. Again, it all depends on what kind of policy you want to apply, and you may want to select one of the other options to deliberately restrict what users can do with content.
  • Make sure you select the correct web application (in this example, http://gsa.tfplocal.net). In the Users box, type in exactly the account “NT AUTHORITY\authenticated users”. (Be careful: this is case sensitive, the first part is all upper case, there is a space between “NT” and “AUTHORITY”, and there is a space between “authenticated” and “users”.) As you did before, test this built-in account against Active Directory by clicking on the small user icon on the right, under the text field. Be sure you have selected your permissions setting, and then click the Finish button.
  • At the Policy for Web Application page, we can now see the newly added account.

Now you can be authenticated as a user to the SharePoint site not only from your local area network but from anywhere in your virtual private network, provided you have added the SharePoint site to the Internet Explorer security zone.
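
To review the result of the steps above, the following added example (not part of the original walkthrough) reads the web application policies through the SharePoint object model and flags entries that give domain-wide principals access, with Full Control rated highest. The watch list, the severity labels, and the `TFPLOCAL` account names in the sample data are assumptions made for illustration.

```powershell
# Added example, not from the original page. Assumes PowerShell 2.0 or later, run as a
# farm administrator on the SharePoint server. -Sample uses constructed data instead.
param([string]$Url = 'http://gsa.tfplocal.net/', [switch]$Sample)

# Assumed watch list: principals that match every account able to log on to the domain.
$Broad = '^NT AUTHORITY\\authenticated users$', '^Everyone$', '\\domain users$'

function Get-WebAppPolicy([string]$WebAppUrl) {
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')
    $wa = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$WebAppUrl)
    if (-not $wa) { throw "No web application found at $WebAppUrl" }
    # Policies holds the entries applied to all zones; ZonePolicies() the per-zone ones.
    $sets = @{ '(All zones)' = $wa.Policies }
    foreach ($z in $wa.IisSettings.Keys) {   # zones this web application is extended to
        $sets["$z"] = $wa.ZonePolicies($z)
    }
    foreach ($zone in $sets.Keys) {
        foreach ($p in $sets[$zone]) {
            New-Object PSObject -Property @{
                Zone  = $zone
                User  = $p.UserName
                Roles = @($p.PolicyRoleBindings | ForEach-Object { $_.Name })
            }
        }
    }
}

function Find-BroadPolicy($Entries) {
    foreach ($e in $Entries) {
        if (-not ($Broad | Where-Object { $e.User -match $_ })) { continue }
        # Write access for every authenticated account is the case to look at first.
        $sev = if ($e.Roles -contains 'Full Control') { 'HIGH' } else { 'REVIEW' }
        New-Object PSObject -Property @{
            Severity = $sev; Zone = $e.Zone; User = $e.User; Roles = $e.Roles -join ', '
        }
    }
}

$entries = if ($Sample) {
    # Constructed entries: the policy from this walkthrough plus two for contrast.
    New-Object PSObject -Property @{ Zone = 'Default'; User = 'NT AUTHORITY\authenticated users'; Roles = @('Full Control') }
    New-Object PSObject -Property @{ Zone = 'Default'; User = 'TFPLOCAL\domain users'; Roles = @('Full Read') }
    New-Object PSObject -Property @{ Zone = 'Default'; User = 'TFPLOCAL\spadmin'; Roles = @('Full Control') }
} else { Get-WebAppPolicy $Url }

Find-BroadPolicy $entries | Select-Object Severity, Zone, User, Roles | Format-Table -AutoSize
```

With `-Sample`, the first entry is reported as HIGH, the second as REVIEW, and the named administrator account is not listed. Role names are matched as they appear in an English-language Central Administration.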
