Sanity check, authentication methods [Project 2007, PWA]

Doug_F

I'm just starting into this and want to make sure I understand what I think
I'm seeing.

Setup:
We have a Project 2007 server sitting in our DMZ. We have employees hitting
the server with Project 2007 and authenticating against AD. They may also
access PWA via a browser, also AD. All good there.

We want to provide clients/customers/collaborators access from the web and
for now we'll consider this PWA access only. We may eventually want them to
come in via the rich Project 2007 client but that's futures.

Options - this is what I want to make sure I understand:
"Outsiders" (users hitting the server from the web side) can authenticate
against:
A) Our AD if we add them as valid AD users.
B) Any LDAP store we set up on the server (ADAM for instance)
C) A SQL data store.

We can implement multiple authentication methods:
A) Employees authenticate via AD
B) Non-employees authenticate via LDAP or SQL

You could set up all three methods and have different users authenticate
against AD, LDAP, or SQL as you wish. On the other hand, why would you do
this? I think you'd pick two of the three.

If that's all correct, does anybody have particular feelings about which non
AD method is easiest to set up and maintain? Any advantages/disadvantages to
either method?

TIA.

Doug
 
James Fraser

> You could set up all three methods and have different users authenticate
> against AD, LDAP, or SQL as you wish. On the other hand, why would you do
> this? I think you'd pick two of the three.

Yes, I doubt there are very many setups using all three. Both LDAP and
SQL are handled through "Forms Authentication," which is provided by
SharePoint. I haven't set up LDAP, only SQL db based. From what I saw,
there was no decent interface for adding users, and the setup was a
little tricky. Not too bad, but not less than a couple of hours.

> If that's all correct, does anybody have particular feelings about which non
> AD method is easiest to set up and maintain? Any advantages/disadvantages to
> either method?

If you go with a forms authentication method, plan on some development
to get a decent user add interface, at least for the SQL db user
store. LDAP would avoid this, I suppose, as you will already have that
interface in your LDAP structure.

If you are not sure about which method, it is definitely worth the
time to set these up in a test/virtual environment before getting very
far with either.

If you want the easy solution, go with AD for all users.


James Fraser
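
As an added illustration (not part of the original thread, and not James's actual setup), this is a web.config fragment defining the kind of SQL-backed membership store that forms authentication uses, with settings suited to outside users reaching a DMZ-facing server. The provider name, connection string name, server name and database name are assumed placeholders.

```xml
<!-- Added example. ExtranetSqlMembers, ExtranetUsersDb, SQLHOST and aspnetdb
     are placeholder names, not values from the thread. -->
<connectionStrings>
  <!-- Integrated security keeps a SQL password out of the config file -->
  <add name="ExtranetUsersDb"
       connectionString="Data Source=SQLHOST;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
</connectionStrings>

<system.web>
  <membership>
    <providers>
      <add name="ExtranetSqlMembers"
           type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ExtranetUsersDb"
           applicationName="/"

           passwordFormat="Hashed"
           enablePasswordRetrieval="false"

           enablePasswordReset="true"
           requiresQuestionAndAnswer="false"
           requiresUniqueEmail="true"

           minRequiredPasswordLength="12"
           minRequiredNonalphanumericCharacters="1"

           maxInvalidPasswordAttempts="5"
           passwordAttemptWindow="10" />
      <!-- passwordFormat: "Hashed" stores salted hashes; "Clear" and
           "Encrypted" leave passwords recoverable from the user database.
           enablePasswordRetrieval must be false when the format is Hashed.
           maxInvalidPasswordAttempts / passwordAttemptWindow: lock the
           account after 5 failures within 10 minutes. -->
    </providers>
  </membership>
</system.web>
```

With this provider, accounts are created through the ASP.NET membership API, which is why a separate user-add interface has to be built for the SQL store.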
 
Doug_F

James,

Thanks. I'll need to talk to our IT folks and see how they feel about
adding non-employees to the AD. If they'll go for that option, we may be
done!

Doug
 
