The Customer Requirement
Northamptonshire and Cambridgeshire County Councils have established a shared services partnership to provide common back-office services in an effort to reduce costs. To facilitate this working partnership, a collaboration solution was required that enabled employees from both organisations (and future partners) to work together securely. Having already built an internal collaboration solution using SharePoint for NCC, we advised them it would be relatively simple and cost effective to extend their SharePoint farm to an extranet topology.
NCC had been trialling an extranet SharePoint site, but initial access and authentication provided by Active Directory proved extremely difficult to implement and maintain for those LGSS members outside of NCC. The User Experience had been reported as poor, with login times being lengthy and often failing completely.
We diagnosed the problem as being with latency between the SharePoint servers in the extranet and the Active Directory servers inside the corporate network. Instead of Active Directory for authentication, we instead proposed using a SQL Server based membership provider, together with forms-based authentication for logins.
Forms-based authentication allows standard HTML pages to be used to capture user credentials, which can then be processed by SharePoint using any asp.net compatible membership provider. The membership provider can effectively use any membership store to be used for credentials. We chose SQL server as an existing provider and administration solution had already been developed and implemented on the NCC’s internet – for school logins. By re-purposing this existing solution, existing in-house knowledge could be used by the support staff.
Forms based authentication has a number of advantages over Active Directory logins when it comes to extranet deployments, many of which reduce helpdesk calls:
Email addresses are used as the username, ensuring uniqueness across multiple organisations, and making them easy to remember for users.
- Features such as password reminders via security questions, and password resets via email, were built into the solution.
Active Directory does not need to be populated with external accounts, which would otherwise cause management, licensing and security headaches.
Accounts can be self-created on demand by users, approved in a defined process by site managers, and security managed in groups at site level (using role-based security).
Other pertinent information can be captured at registration time, to populate user profiles for example. In this case, further security information was also captured so that a user’s password could be reset on their behalf by the helpdesk if required.