BlogPost

The official blog of the Microsoft SharePoint Product Group

2010

August 16

What every SharePoint administrator needs to know about Alternate Access Mappings (Part 3 of 3)

System Account on 8/16/2010 11:02 AM

Category: Deployment IT Pros Administration Extranet

In Part 1 of my blog series on Alternate Access Mappings, I gave a brief introduction to the feature and an example of how it can be used. In Part 2, I described some of the common AAM-related problems people run into when deploying SharePoint and how to avoid them. For the final article in our series, I'll discuss how AAM integrates with some other features in SharePoint.

Authentication Providers

As I mentioned in Part 1 of this blog series, AAM allows you to expose a web application in as many as 5 different AAM zones, with a different IIS Web site backing each zone. (As an aside, some people accidentally refer to this as having up to 5 different web applications sharing the same content database(s). In reality, there is just one web application.) Not only do these zones allow you to use multiple URLs to access the same web application, they allow you to use multiple authentication providers to access the same web application as well.

When extending a web application into a zone, SharePoint only offers you the choice of using Windows authentication provided by Internet Information Services. Once the web application has been extended into the zone, you can modify that zone to use a different type of authentication. To do this, browse to the SharePoint 3.0 Central Administration site and click Application Management --> Authentication providers. Next, select your web application from the Web Application selector on the right side of the page. Finally, select the zone that you wish to modify. Now you change your authentication settings for that zone.

The power of this feature is that it allows you to configure completely independent authentication settings to access the very same content. For example, you might configure some content to be anonymously accessible while other content requires credentials. You could configure one zone to have anonymous access enabled and all other forms of authentication disabled, guaranteeing that only the anonymous content will be accessible. At the same time, another zone can have anonymous access disabled while NTLM authentication is enabled, guaranteeing that only authenticated access will be allowed. Plus, you can even have different types of accounts to access the same content - one zone can be configured to use Windows Active Directory (AD) accounts while another zone can be configured to use non-AD accounts via ASP.NET Forms authentication.

Web Application Policies

Web application policies allow administrators to grant or deny access to accounts and security groups for all sites exposed through a zone. This can be useful for a variety of scenarios.

For example, the SharePoint search crawler must go through the same authorization infrastructure as everyone else - it can only crawl content that it has access to. However, users would still like search to crawl restricted content so that authorized users can find that content in search results. The search service uses a "Full Read" policy on the web applications to give its crawler permission to read all content on that web application. That way, it can crawl and index all existing and future content, even content that the site administrator hasn't explicitly given it access to.

Another example would be help desk personnel who need administrative access to SharePoint sites so that they can assist users. To do this, you can create a web application policy that grants the help desk staff accounts "Full Control" permission so that they have full administrative access to all current and future sites on the web application.

Because policies are tied to both web applications and their zones, you can ensure that the policy you've applied to one zone doesn't affect other zones. This can be useful if you have content exposed both on the corporate network and to the Internet. For example, suppose you've given a help desk staff account Full Control permission over a web application's zone that has been assigned to the corporate network. If someone were to try and use that account to access the site over the Internet, that Full Control policy wouldn't apply because it would recognize that the URL is in a different zone. Therefore, the account wouldn't automatically be given administrative access to the site.

External Resource Mappings

On the Alternate Access Mappings page, you may have noticed a button on the toolbar called "Map to External Resource." It allows you to extend the AAM functionality to content that is not hosted within the SharePoint farm. When you click on this button, you will be asked to create an entry for an external resource, which you could conceptually think of as another web application. Once you have an external resource, you can assign different URLs and zones to it in the same way that you do for SharePoint web applications. This feature isn't utilized in Windows SharePoint Services 3.0, but third party products that build on top of WSS can make use of it.

For example, Office SharePoint Server 2007's search technology is able to crawl content external to the SharePoint farm such as file shares and Web sites. If that content is available at different URLs on different networks, then you would want search to return search results using the appropriate URLs for the user's current network. By using AAM's external resource mapping technology, search can remap the external URLs in its search results to match the user's zone.

I hope you've found this series on AAM helpful. As always, feel free to ask any questions via the blog comments.

Troy Starr

27 Comment(s)

Comments

re: What every SharePoint administrator needs to know about Alternate Access Mappings (Part 3 of 3)

Hi Bob,
Could you please post the revised screencast URL as the below one seems to be expired or similar.
Thanks
VC

Commented by <empty> on 6/16/2010 9:09:52 AM

System Account

on 6/16/2010 9:09 AM

Useful Sharepoint Links

Useful Links · MOSS Video Demos (Total 14 Modules) · Before You Begin with SharePoint Server 2007 · MOSS

Commented by <empty> on 6/16/2009 10:46:21 AM

System Account

on 6/16/2009 10:46 AM

Understanding extranet setup for MOSS 2007

Links: Design extranet farm topology (Office SharePoint Server) Downloadable book: Planning an Extranet

Commented by <empty> on 3/4/2009 12:08:53 PM

System Account

on 3/4/2009 12:08 PM

MOSS Form Based Authentications

MOSS Form Based Authentications Part 1 - http://msdn2.microsoft.com/en-us/library/bb975136.aspx Part 2 - http://msdn2.microsoft.com/en-us/library/bb975135.aspx Part 3 - http://msdn2.microsoft.com/en-us/library/bb977430.aspx MOSS Alternate Access Mappings

Commented by <empty> on 5/21/2008 12:36:20 AM

System Account

on 5/21/2008 12:36 AM

re: Creating a document library with AAM faile

Hello Matthew,
I have exactly the same problem.
I'm publishing sharepoint with an https url on the default ssl port (443).
I have an internal url like:
http://server1:8002
and public url like:
https://portal.domain.com
When i try to create a new doc. library through the reverse proxy, sharepoint sends me to a link made by http + public url + internal url port (8002):
http://portal.domain.com:8002
So IE cannot find the page.
Was you able to solve it?
Commented by <empty> on 4/27/2008 5:28:11 AM

System Account

on 4/27/2008 5:28 AM

Microsoft SharePoint Products and Technologies Team Blog : What every SharePoint administrator needs to know about Alternate Access Mappings

A series of three posts regarding configuring and understanding one of the top reasons that SharePoint

Commented by <empty> on 4/9/2008 9:15:07 AM

System Account

on 4/9/2008 9:15 AM

re: What every SharePoint administrator needs to know about Alternate Access Mappings (Part 3 of 3)

I read part 1, 2, & 3 and they are all a well of great information. Thanks. However I have a question. I think it may be considered an asymmetrical path conditiona but I need to confirm it.
My internal site url is: http://MyPortal.
The external url that i can use is https://www.mycompany.com/myportal.
Is this allowed if yes what is the right combination of checkboxes??
Right now when i try to access the external url i get the default web site.
Thank you, Alex
Commented by <empty> on 4/2/2008 9:57:44 PM

System Account

on 4/2/2008 9:57 PM

No search results for one AAM

I have a single WSS site that has Default and Intranet AAMs. After installing KB941422, only the default one gives search results. I have deleted and recreated the search index to no avail.
Commented by <empty> on 3/6/2008 1:02:13 PM

System Account

on 3/6/2008 1:02 PM

re: What every SharePoint administrator needs to know about Alternate Access Mappings (Part 3 of 3)

Nice tutorial helped me for one part of my task. I have to PUT somehow a web site on a different server than Sharepoint and i did that via the page viewer web part. On the intranet side it works but when i access from internet like https://www.contoso.com it is not displayed, and i can see it is searching for the intranet dns of the web server where the web site is published. I also would like to implement OWA site into the sharepoint as a user clicks on a menu link and the actual OWA is opened as iframe or with the web page viewer. This works when i am using the intranet computer but from internet doesn't show. I don't know what do i have to do to enable this, i guess it is connected with the Map to External Resource options in AAM. Any help?
Regards,
Commented by <empty> on 3/4/2008 9:16:03 AM

System Account

on 3/4/2008 9:16 AM

re: What every SharePoint administrator needs to know about Alternate Access Mappings (Part 3 of 3)

Hi:
I am attempting to get AAM working and have attempted to follow all of the posts and comments here (excellent by the way) and stillno cigar.
Here is what I have:
server 1 = s1.mydomain.local (internal)
server 2 = s2.mydomian.local WSS 3
URL is static ip like 16.16.16.16
I can run everything fine locally in the lan.
Set a rule up in the Firewall to map port 447 to the internal ip of the S2 server (WSS).
Extended the web application and left the port at 80 and use the s2.mydomian.local for the host header and the 16.16.16.16 for the public url.
AAM has these entries:
Internal zone public
http://s2   default http://s2
http://s2.mydomain.local extranet
   https://16.16.16.15
https://16.16.16.16  extranet https://16.16.116.16
When I type the following in https://16.16.16.16:447
I get the Internet Explorer cannot display the page error.
Any ideas on what might be wrong?
Thanks
Commented by <empty> on 2/5/2008 4:28:57 PM

System Account

on 2/5/2008 4:28 PM

1 - 10

View in Web Browser

/blog/_layouts/VisioWebAccess/VisioWebAccess.aspx?listguid={ListId}&itemid={ItemId}&DefaultItemOpen=1

0x0

0x1

FileType

vdw

255

Compliance Details

javascript:commonShowModalDialog('{SiteUrl}/_layouts/itemexpiration.aspx?ID={ItemId}&List={ListId}', 'center:1;dialogHeight:500px;dialogWidth:500px;resizable:yes;status:no;location:no;menubar:no;help:no', function GotoPageAfterClose(pageid){if(pageid == 'hold') {STSNavigate(unescape(decodeURI('{SiteUrl}'))+'/_layouts/hold.aspx?ID={ItemId}&List={ListId}'); return false;} if(pageid == 'audit') {STSNavigate(unescape(decodeURI('{SiteUrl}'))+'/_layouts/Reporting.aspx?Category=Auditing&backtype=item&ID={ItemId}&List={ListId}'); return false;} if(pageid == 'config') {STSNavigate(unescape(decodeURI('{SiteUrl}'))+'/_layouts/expirationconfig.aspx?ID={ItemId}&List={ListId}'); return false;}}, null); return false;

0x0

0x1

ContentType

0x01

898

Edit in Browser

/_layouts/images/icxddoc.gif

/blog/_layouts/formserver.aspx?XsnLocation={ItemUrl}&OpenIn=Browser&Source={Source}

0x0

0x1

FileType

xsn

255

Edit in Browser

/_layouts/images/icxddoc.gif

/blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser&Source={Source}

0x0

0x1

ProgId

InfoPath.Document

255

Edit in Browser

/_layouts/images/icxddoc.gif

/blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser&Source={Source}

0x0

0x1

ProgId

InfoPath.Document.2

255

Edit in Browser

/_layouts/images/icxddoc.gif

/blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser&Source={Source}

0x0

0x1

ProgId

InfoPath.Document.3

255

Edit in Browser

/_layouts/images/icxddoc.gif

/blog/_layouts/formserver.aspx?XmlLocation={ItemUrl}&OpenIn=Browser&Source={Source}

0x0

0x1

ProgId

InfoPath.Document.4

255

View in Browser

/blog/_layouts/xlviewer.aspx?id={ItemUrl}&DefaultItemOpen=1

0x0

0x1

FileType

xlsx

255

View in Browser

/blog/_layouts/xlviewer.aspx?id={ItemUrl}&DefaultItemOpen=1

0x0

0x1

FileType

xlsm

255

View in Browser

/blog/_layouts/xlviewer.aspx?id={ItemUrl}&DefaultItemOpen=1

0x0

0x1

FileType

xlsb

255

View in Browser

/blog/_layouts/xlviewer.aspx?id={ItemUrl}&DefaultItemOpen=1

0x0

0x1

FileType

ods

255

Add Comment

Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Title

Body *

Captcha

Please verify the text shown in the image

‭(Hidden)‬ Content Editor

Comments

re: What every SharePoint administrator needs to know about Alternate Access Mappings (Part 3 of 3)

Useful Sharepoint Links

Understanding extranet setup for MOSS 2007

MOSS Form Based Authentications

re: Creating a document library with AAM faile

Microsoft SharePoint Products and Technologies Team Blog : What every SharePoint administrator needs to know about Alternate Access Mappings

re: What every SharePoint administrator needs to know about Alternate Access Mappings (Part 3 of 3)

No search results for one AAM

re: What every SharePoint administrator needs to know about Alternate Access Mappings (Part 3 of 3)

re: What every SharePoint administrator needs to know about Alternate Access Mappings (Part 3 of 3)

Add Comment

Title

Body *

Captcha

Commented By

Migrated Source URL

Commentator Name

Commentator Email

Attachments