1.2. Using the Web Application Ribbon
In SharePoint 2010, you manage
Web applications by going to the Web Application page and using the Web
Application Ribbon, as shown in Figure 2.
The sections that follow will show how to create, delete, and configure
Web applications using the options you can select on this Ribbon.
1.3. Creating a Web Application
To create a new Web
application, select the New option on the left side of the Ribbon. This
opens the Create New Web Application page shown in Figure 3.
The first thing you must do when creating a new Web application is to select the authentication method. SharePoint 2010 introduces a new type of authentication called claims-based authentication, which can be used instead of the classic-mode authentication that is used in earlier versions of SharePoint.
The claims-based authentication model for SharePoint 2010 is built on the Windows Identity Foundation (WIF).
Claims-based authentication in SharePoint 2010 enables authentication
across Windows-based systems and systems that are not Windows-based by
supporting delegation of user identity between applications. Using claims-based authentication, you can implement multiple forms of authentication on a single zone.
The other authentication option available on the Create New Web Application page, classic-mode
authentication, refers to the Integrated Windows authentication model
supported in previous versions of SharePoint, such as Windows SharePoint
Services 3.0. In classic-mode authentication, no claims augmentation is
performed, and there is no support provided for the new claims
authentication features. Using classic-mode authentication allows you to
implement all of the previously supported forms of authentication with a
limit of one form of authentication for each zone.
When you create a Web
application, it will automatically be allocated a random port number, a
description field, and a folder location in the default local path. The
default path is C:\Inetpub\wwwroot\wss\VirtualDirectories\portnumber.
By default, the application is not assigned a host header name. Therefore, if you want to use a fully qualified domain name such as http://portal.contoso.com to access your Web application, you must specify it in the Host Header text box on the Create New Web Application page shown in Figure 6-14. You must also ensure that your users can resolve this host header URL; normally, this is achieved by adding a DNS entry that points the name to the Web server.
Note:
Name your Web application
descriptions and paths with a consistent logical naming convention to
identify them easily in the folder structure and in IIS. For example,
instead of using SharePoint (9845) as the description, use Corporate
Portal (9845) and specify the same name for the path and the host
header. In addition, name your databases the same way that you name your
Web application names so that you have naming consistency across your
implementation. In this example, you could name the first database
Corporate_Portal_9845_1, then name the second database
Corporate_Portal_9845_2, and so forth. You should also name the folder
for the Web application files with the same name. Scroll to the end of
the path name in the Path text box (refer to Figure 6-14) and replace the default name of the folder with the Web application name.
Scrolling down the Create New Web Application page displays the Security Configurations section as shown in Figure 4.
There are two authentication providers available for a Web application—Kerberos and NTLM. Web applications use these security mechanisms when they communicate with other servers and applications in the network, such as when they communicate with the Microsoft SQL server hosting the databases. By default, the authentication provider is set to NTLM for maximum compatibility with mixed domain models and user account permissions. Figure 6-15 shows the Security Configuration section on the Create New Web Application page.
Kerberos is more secure than NTLM, but it requires a service principal name (SPN) for the domain account that SharePoint is using. This SPN must be added by a member of the domain administrators group, and it enables the SharePoint account to use Kerberos authentication.
When you choose NTLM, it does not matter which domain account you use, because the application pool will run as long as that account has the required permissions on the SQL server and the Web server. The required SQL Server permissions for a Web application account are as follows.
Database Creator Role
Security Administrator
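As an added example (not from the book), the following PowerShell function checks from a farm server whether the Web application account already holds the two SQL Server roles listed above before you create the Web application. The SQL server name and the account name are placeholders, and the script assumes the account running it can connect to the master database.

```powershell
# Added example: preflight check of the SQL Server roles the Web application
# account needs. IS_SRVROLEMEMBER returns 1 if the login is a member, 0 if
# not, and NULL if the login does not exist on the server.
function Test-SPWebAppSqlRoles {
    param(
        [string]$SqlServer = "SQL01",             # placeholder SQL server
        [string]$Account   = "CONTOSO\spWebApp"   # placeholder app pool account
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlServer;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # Database Creator Role = dbcreator, Security Administrator = securityadmin
        $cmd.CommandText = @"
SELECT IS_SRVROLEMEMBER('dbcreator', @acct)     AS dbcreator,
       IS_SRVROLEMEMBER('securityadmin', @acct) AS securityadmin
"@
        [void]$cmd.Parameters.AddWithValue("@acct", $Account)
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        # A NULL (DBNull) result also counts as "missing"
        $result = @{
            Account       = $Account
            dbcreator     = ($reader["dbcreator"] -eq 1)
            securityadmin = ($reader["securityadmin"] -eq 1)
        }
        $reader.Close()
        return New-Object PSObject -Property $result
    } finally {
        $conn.Close()
    }
}

$roles = Test-SPWebAppSqlRoles -SqlServer "SQL01" -Account "CONTOSO\spWebApp"
$roles
if (-not ($roles.dbcreator -and $roles.securityadmin)) {
    Write-Warning "Grant the missing role(s) in SQL Server before creating the Web application."
}
```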
Anonymous access can also be enabled on a Web application,
which would enable users to gain access to the sites hosted on the Web
application without authenticating. If you choose to do this, however,
you also must enable anonymous access on the site itself—enabling it on
the Web application only gets the users past IIS authentication.
Enabling anonymous access is a useful configuration for Internet-facing sites, such as a company website. For added security, you can also enable SSL on the Web application. You can use a certificate from either your internal certificate authority or a public certificate authority such as Verisign. However, you must install the SSL certificate on every server through which users access your Web application; otherwise, their access attempts will fail.
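The Create New Web Application procedure above, as an added PowerShell example that is not from the book: it applies the naming convention from the Note, chooses between NTLM and Kerberos for the claims-based Windows provider, and enables SSL and anonymous access on the Web application. The port, host header, SQL server, managed account and paths are placeholders, and the script assumes the SharePoint 2010 PowerShell snap-in is available on the server.

```powershell
# Added example: PowerShell equivalent of the Create New Web Application page.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$port        = 9845                                  # placeholder port
$name        = "Corporate Portal ($port)"             # description per the Note
$hostHeader  = "portal.contoso.com"                  # must be resolvable by users (DNS)
$path        = "C:\Inetpub\wwwroot\wss\VirtualDirectories\Corporate_Portal_$port"
$dbName      = "Corporate_Portal_${port}_1"            # first content database
$dbServer    = "SQL01"                               # placeholder SQL server
$poolAccount = "CONTOSO\spWebApp"                    # placeholder managed account
$useKerberos = $false                                # $true needs an SPN registered by a domain admin

# Claims-based authentication using Windows. Omitting -DisableKerberos
# selects Kerberos, which requires an SPN such as HTTP/$hostHeader for
# the application pool account.
if ($useKerberos) {
    $provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
} else {
    $provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
}

$webApp = New-SPWebApplication -Name $name `
    -Port $port `
    -HostHeader $hostHeader `
    -Url "https://$hostHeader" `
    -Path $path `
    -ApplicationPool "Corporate_Portal_$port" `
    -ApplicationPoolAccount (Get-SPManagedAccount $poolAccount) `
    -DatabaseServer $dbServer `
    -DatabaseName $dbName `
    -AuthenticationProvider $provider `
    -SecureSocketsLayer `
    -AllowAnonymousAccess

# -AllowAnonymousAccess only gets users past IIS authentication; anonymous
# access must still be enabled on the site itself. -SecureSocketsLayer
# requires the certificate to be bound in IIS on every front-end server.
$webApp | Select-Object DisplayName, Url, UseClaimsAuthentication
```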