How to: Expose a SharePoint Application to the Extranet and Use Forms-Based Authentication

If you want to share information between users who are within the corporate domain and external users, you must extend the SharePoint Web application to create an extranet-facing access point. Extending an existing SharePoint Web application provides a separate Internet Information Services (IIS) Web site. This Web site exposes the same content to all users, even if they are within different security domains. For example, extending the Partner Portal Web application provides access to the same collaboration areas, Contoso product catalog, and pricing information to extranet partners as to intranet employees.

Extending the Web application


When organizations create extranet solutions, they often group external users into a different security domain than internal users. This separation makes it easier to manage different groups of users and to maintain security. SharePoint supports this approach through zones. Each zone can support a different authentication method. Companies often use forms-based authentication (FBA) with Internet-facing zones because it is straightforward to set up and does not require additional hardware. FBA relies on the ASP.NET forms-based authentication framework. By using the ASP.NET 2.0 pluggable authentication provider model, SharePoint can support authentication for user identities that are stored in a Microsoft SQL Server database, in Active Directory (using Active Directory Application Mode, or ADAM), in an LDAP (Lightweight Directory Access Protocol) directory, or in any other source that implements an ASP.NET 2.0 membership provider.

The Partner Portal application uses the standard Microsoft SQL Server provider to store user credentials. Partners of Contoso authenticate to the extranet zone through FBA, while corporate users in the default zone rely on their existing accounts, which are contained in the corporate Active Directory store. For more information about the Partner Portal application's security approach, see Security Decisions. For more information about choosing and implementing authentication on SharePoint, see Plan authentication methods on TechNet.

The following procedure is a brief overview of how to enable forms-based authentication. It includes references to more detailed procedures.

To enable forms-based authentication

  1. Extend the SharePoint Web application. For information, see Create or extend Web applications on TechNet. The Partner Portal application uses the default security settings: NTLM, Allow Anonymous set to No, and Use Secure Sockets Layer (SSL) set to No. In the Load Balanced URL section, set Zone to Extranet.
  2. Configure the application to use forms-based authentication. For information, see Configure forms-based authentication on TechNet. Under Application security for the Web application, set the authentication provider to Forms.
  3. Edit the Web.config file to register the authentication provider for the SharePoint Web application, the role provider for the SharePoint application and the membership provider (PeoplePicker) for the Central Administration site. For information about the Web.config modifications, see Forms Authentication in SharePoint Products and Technologies on MSDN.
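
The fragment below is an added example, not taken from the Partner Portal source. It shows the kind of entries step 3 merges into the existing Web.config of the extended Web site when the standard SQL Server providers are used. The names PartnerFbaDb, PartnerMembership, PartnerRoles and SQLHOST, the aspnetdb catalog, and the password and lockout values are assumptions chosen for illustration.

```xml
<!-- Added example: Web.config of the extended (extranet zone) IIS Web site.
     PartnerFbaDb, PartnerMembership, PartnerRoles, SQLHOST and the numeric
     policy values are assumed placeholders, not the Partner Portal's. -->
<configuration>
  <connectionStrings>
    <!-- Integrated security keeps SQL credentials out of Web.config. -->
    <add name="PartnerFbaDb"
         connectionString="Data Source=SQLHOST;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- Membership provider: validates the partner's user name and password. -->
    <membership defaultProvider="PartnerMembership">
      <providers>
        <add name="PartnerMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="PartnerFbaDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Role provider: supplies role names usable in SharePoint permissions. -->
    <roleManager enabled="true" defaultProvider="PartnerRoles">
      <providers>
        <add name="PartnerRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="PartnerFbaDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
  <!-- Central Administration Web.config: register the same two provider
       entries, but keep AspNetWindowsTokenRoleProvider as the default role
       provider because that site still authenticates Windows accounts.
       In its SharePoint section, let the People Picker search the store:
         <PeoplePickerWildcards>
           <add key="PartnerMembership" value="%" />
         </PeoplePickerWildcards> -->
</configuration>
```

With Use SSL set to No as in step 1, the sign-in form posts the user name and password unencrypted, so the hashed password format protects credentials only where they are stored.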


When you install the Contoso Web application, the installation script creates the extended Web site, but it seems to extend the application to the Intranet zone. This is misleading, but it is only a labeling issue. The SharePoint STSADM Extendvsinwebfarm command extends Web applications in the following order: Intranet zone, Internet zone, Custom zone, Extranet zone. To create the correct extranet label, every zone in between would have to be created, which significantly extends the installation time.

More Information

For more information about forms-based authentication and extending SharePoint Web applications, see the following articles on MSDN and TechNet:
