Extranet Access Management

Chapter 1: Introduction to the Extranet Access Management Paper

Published: May 11, 2004 | Updated: June 26, 2006

Executive Summary

This paper introduces several techniques for managing secure Web access while addressing business-to-employee (B2E), business-to-customer (B2C), and business-to-business (B2B) extranet requirements. The paper also includes prescriptive implementation details for B2E Web single sign on (Web SSO) using certificates and B2C Web SSO using Microsoft® Passport.

For the purposes of this paper, extranet is defined as follows according to the entry for the term in the Microsoft Computer Dictionary, Fifth Edition:

Extranet — An extension of a corporate intranet using World Wide Web (WWW) technology to facilitate communication with the corporation’s suppliers and customers. An extranet allows customers and suppliers to gain limited access to a company’s intranet in order to enhance the speed and efficiency of their business relationship.

This paper is part of the Microsoft Identity and Access Management Series.

Business Challenge

As demand for access to business resources continues to increase, organizations require internal applications and information to be accessible in a secure fashion to an increasing number of employees, customers, and partners. The challenge of managing extranets that provide such access increases with the levels of access granted. At the same time, the requirements for controlling the levels of access granted to users grow more complex.

In addition to securing sessions over the Web, organizations need a robust authentication and access control mechanism that allows users to gain easy entry to business resources they need to do their work. However, these same organizations need to restrict user access to proprietary business resources without imposing complex and costly management requirements that call for separate entitlement and authentication services.

Many organizations also need to apply a common security model that includes authentication, Web SSO, authorization, and personalization for both existing and planned applications. In addition, many organizations today have multiple applications for employees, partners, and customers. Forcing any of these users to repeatedly log on to access multiple applications within a single browser session creates frustration and a less-enjoyable user experience.

The Business Benefits

In order to realize your return on the investment made in extranet applications, it is essential that users have a secure, seamless, and transparent experience when browsing to multiple applications within a single browser session. This capability protects extranet assets while encouraging additional partners, customers, and employees to participate in automated processes that will either save money or increase revenue for your organization.

This user experience can be provided by consolidating application identity stores and standardizing authentication and authorization, using platform services that require less management while improving security. The business benefits that an organization might achieve with a well thought-out extranet strategy include:

Reduced administration costs. Identity life-cycle management costs can be shifted to other services or partners, or reduced through automated synchronization processes.

Increased revenue. Customers are attracted and retained by an efficient and secure way of interacting with the organization's business processes.

Improved business processes. Allowing employees, partners and customers to collaborate securely in near real-time can increase the chance of "closing the deal."

Improved security for critical business information. A secure and manageable extranet infrastructure, combined with an application development platform that leverages that infrastructure, makes critical business information more accessible while ensuring that only the individuals who should have access do have access.

Who Should Read This Paper

The intended audience for this paper includes architects, IT professionals and managers, technical decision makers, and consultants involved in identity and access management efforts.

Reader Prerequisites

This paper assumes the reader has a moderate knowledge of identity and access management concepts and technologies, as described in the "Fundamental Concepts" paper in this series. Optional additional reading on related topics can be found in the "Intranet Access Management" paper in this series.

To implement the solutions in this paper, readers should have an understanding of the infrastructure described and implemented in the "Platform and Infrastructure" paper in this series, plus the following areas and technologies:

Familiarity with configuring Microsoft Internet Information Services (IIS) 6.0.

A basic knowledge of certificate services and public key infrastructure (PKI).

Feedback

Please direct questions and comments about this guide to secwish@microsoft.com.

Paper Overview

This paper includes seven chapters. It focuses on the following issues and concepts that are essential to an effective external-facing access management strategy:

Web SSO.

Strong authentication over the Internet.

Roles-based authorization.

Securing data sent over the Internet.

Employee access management with extranet directory services.

Partner access management with extranet directory services.

Customer access management with extranet directory services.  

Chapter 1: Introduction

This chapter provides an executive summary, defines the recommended audience for the paper, and provides reader prerequisites and an overview of the chapters in the paper.

Chapter 2: Approaches to Extranet Access Management

This chapter builds on the information provided in the "Fundamental Concepts" paper. There are many approaches to developing an extranet with strong authentication, SSO services, roles-based authorization, and personalization to meet the needs of your organization. The chapter discusses how you can apply these approaches to extranet scenarios.

Chapter 3: Issues and Requirements

This chapter defines the background, issues, and requirements for the B2E and B2C scenarios for Contoso Pharmaceuticals, a fictitious company.

Chapter 4: Designing the Solution

This chapter focuses on identifying and highlighting key elements that address the initial requirements for a sound design. The Contoso requirements for the B2E and B2C extranet access scenarios are used to specify the solution architecture.

Chapter 5: Implementing the Solution

This chapter focuses on implementing the B2C and B2E solutions for Contoso. The chapter includes step-by-step instructions to configure the Contoso extranet to support both B2E and B2C applications.

Chapter 6: Testing the Solution

This chapter provides guidance on how to troubleshoot and validate the Contoso solution scenarios implemented in the previous chapter.

Chapter 7: Operational Considerations

The final chapter of the paper provides an overview of some core operational procedures required for day-to-day management of the extranet access management solutions.

Solution Scenarios

In addition to a general discussion of extranet access management approaches, this paper also provides detailed prescriptive guidance for implementing an extranet identity and access management solution for organizations operating B2E and B2C scenarios. The prescriptive guidance builds on the Contoso Pharmaceuticals scenario introduced in the "Platform and Infrastructure" paper in this series.

The scenarios in this paper have been developed by Microsoft to illustrate the typical challenges organizations face in providing extranet access management and SSO services. The guidance includes information about how Microsoft technologies can address them. Chapters 3 through 7 of this paper focus entirely on these two solution scenarios.

Business to Employee Extranet Access

B2E extranet scenarios are driven by the requirements for a mobile workforce to access data and applications while not connected to the internal network.

This scenario is designed to provide you with the information you need to implement secure and scalable extranet access based on X.509 certificates and the following Microsoft products and technologies:

The Microsoft Active Directory® directory service.

Microsoft Certificate Services for public key infrastructure (PKI).

IIS 6.0.

Microsoft Authorization Manager for role-based access control.  

Business to Customer Extranet Access

Contoso has aggressive plans to provide Web applications in its extranet that will provide important information and services for specific customers beyond those on the company's Internet site. Chief among these planned applications is an over-the-counter (OTC) drug trial feedback application that will provide Contoso with a very efficient way of gathering critical customer feedback about upcoming products.

The application must improve customer satisfaction through a better user experience, while also improving administration processes and reducing the customer support costs associated with public access to Contoso's data and applications. This scenario will demonstrate the use of:

Self registration for new accounts in Active Directory.

Passport Services for customer authentication and SSO.

Active Directory and Microsoft Windows Authorization Manager for role-based access control.  

Web SSO through Passport Services meets the organizational challenge of reducing support costs for customer remote access to your environment.

Note: For a B2B solution scenario that implements Forms-based authentication using sample code, see the "Developing Identity-Aware ASP.NET Applications" paper in this series.
