A guide to Alternate Access Mappings Basics in SharePoint 2013

December 3, 2012 Leave a comment Go to comments

LabCenter-stamp-v2

Alternate Access Mapping Basics in SharePoint 2013

(This post is in its entirety valid for SharePoint 2010 as well)

Explains how you should look at Alternate Access Mappings – left to right.
Alternate Access Mappings is something that most SharePoint engineers or administrators struggles with. More often than not, you get it right in the end but we are not really sure why it works or if it really works the way we want it to.
This, is my attempt to make it easy to understand.

IMG_0430smallframed

Note: This is part 1 in a series, the next part will show how to configure DNS and a simple scenario adding a new NetBIOS name as URL to a Web Application.
Note: For the complete guide, with DNS steps and 4 different scenarios including https, download the free Whitepaper from TechNet: The final guide to Alternate Access Mappings

In order to make AAMs simpler to understand, look at it a bit differently, start with this simple table:

Left area            Internal URL’s
Right area          Public URL’s with a zone
Middle area        Zones, is what connects Internal URL’s to Public URL’s, many to one.

Internal URL redirects or transforms to a Public URL, from left, to right. The URL on the left, is what you enter in the address field in your browser, the Public URL on the right is what you will see once there, this goes for visible and invisible links as well.
Internal URL format: Protocol + URL (+non default port)

Public URL is the address of the Web Application for one of the five zones available. The ‘Default’ must be filled out and has some special properties/uses, the other four are optional. You can only have five Public URL’s per Web Application.
This is the URL that the browser will be redirected to in the end.
Public URL format: Protocol + URL (+non default port)

Zone is a label representing a Public URL, the zone is used to ‘connect’ an Internal URL to a Public URL. The zone names has no relation what so ever with the four Internet Explorer security zones (Internet, Local Intranet, Trusted sites and Restricted sites) and could just as easily been named 1,2,3,4 and 5. A zone can also represent an authentication provider.
Zones: Default, Intranet, Internet, Custom, Extranet

Example:

AAMTable1

Note: Based on the Zone selected for every Internal URL, they will be connected to a Public URL.

From left – to right…
The zones might as well be represented by numbers:

AAMTable2

Note: Try to always use the most used URL as   the default Public URL. This is what will be used by other services, like   crawl and in certain other links.

Translated to SharePoint GUI, this same setup would look like this:

AAM1

AAM2

Note: Filtered on this Web Applications   Alternate Access Mapping Collection only.
Same Alternate Access Mappings as in the Example table above.

You will see that if you click on any of the ‘Internal URLs’ that you can select zone, and with the zone, the Public URL it will be connected to:

AAM3
In addition to the actual Alternate Access Mapping in SharePoint Central Administration, you also have to add a Binding in IIS, contrary to what many believe, except for the initial hostheader when you create the web application, SharePoint does not do that for you, so you have to do it manually.
The example above would show up in IIS Bindings like this:

AAM4

As you can see, in IIS 8.0 and Windows Server 2012, the https binding does show up as a hostname, in IIS 7.5 and Windows Server 2008 R2, the hostname is determined by the name configured in certificate used when adding that binding and hidden in this view.

That’s it! When you have configured your AAM’s and Bindings correctly, given that you have name resolution and IP addresses in order and connectivity from the client to the server(s) and all other aspects in order, you can now start to use the URL’s you want.


_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

About these ads
  1. February 13, 2013 at 15:27 | #1

    Awesome, thanks clearing the muddy waters!

    • February 13, 2013 at 15:50 | #2

      Thanks for the feedback Jason.
      // Thomas

      • anil
        September 6, 2013 at 15:34 | #3

        dear sir , i installed sharepoint 2013 foundation, everything is working fine , but i have public ip , when i tried to open website from any other place , its asking for username and password , after giving that , its getting ünable to connect”, some one said mapping , i dont know how to map , please guide me step by step , much awaiting for your reply

      • September 6, 2013 at 17:15 | #4

        Hi Anil.
        Just wrote a long detailed answer and it got lost…
        I’ll try again.
        Ok, in order to get any Web application access and authentication to work, you need a few things. You need a DNS entry or use the iP address.
        http://www.mysharepoint.com/ alt. http:192.168.1.70
        The URL you use to access the web application from the Internet has to also have an Alternate Access Mapping and a IIS binding.
        The AAM entry has to be a Public URL and can easiest be added to the current Web Apllication ‘collection’ in Alternate Access Mapping as the Internet zone Public URL.
        Also, add the same URL or the IP as a binding in IIS.
        How you do that is described pretty good in step 4 and 5 in my Kerberos guide: http://wp.me/p1EuNv-lq
        If you also have the URL(or the domain part *.mysharepoint.com) added to your IE ‘Local Intranet’ zone, then you will also be logged on automatically with the current Windows credentials.

        I really hope that helps you? Please let me know how it goes.

        Best regards
        // Thomas

  2. John Doe
    April 3, 2013 at 14:33 | #5

    Very good article. I especially like the mentioning of the Site Bindings part since there always seems to be confusion about this.

  3. Jason
    May 14, 2013 at 04:53 | #7

    Great article. Though I am having trouble authenticating on my second default url. Any idea?

    • May 14, 2013 at 05:44 | #8

      Hi Jason.
      Second default meaning the second internal URL to the default zone?

      Are you on the server? If so, check my latest post on the loopbackcheck.
      Are the URL added as trusted or local intranet in your browser? (IE)

      Regards
      // Thomas

  4. July 28, 2013 at 12:14 | #9

    Hi Thomas
    Perfect job. Well done.
    I lost so much time to install our SharePoint 2013 and finally a reinstall from scratch including the SharePoint wizzard and your final guide made me able to achieve a fully equipped SSL secured internal and external sp website.
    Thank you very much!
    Werner

  5. Colin
    September 23, 2013 at 07:51 | #11

    Hi Thomas,

    Great article.
    Just a question, is it possible under Internal URL, have two address url the same, but each one belonging to a different zone and going to different Public URL, eg

    http://portal.com Default http://portal.com
    http://portal.com Extranet https://portal-ext.com

    So that when staff within the organisation enters http://portal.com they will go to http://portal.com. But for external partners, they still enter the same url http://portal.com, but they will be redirect to https://portal-ext.com.

    Thanks

    • September 25, 2013 at 15:46 | #12

      Hi.
      No, that’s the Quick answer to that one.
      If you try, what you will see is this: ‘The IncomingUrl is already present in the collection.’

      Imagine if you could, how will anyone or anything, know when to send the user to default and when to send it to Extranet? The users have entered the same url…
      What you could do, is use UAG(not sold anymore) or any other Product, to route extranet users coming in on the same adress outside the copnetwork, to one and internal users to one.
      You could then separate with exopended web app or just a different zone and public URL.

      Sorry, but its not that easy.
      Keep in mind this, the next link a user will click on, will take them to the public URL. Would that work in your suggestion? No, click two would not even reach the same web app.

      Hope that helps
      Regards
      // Thomas

    • September 25, 2013 at 15:48 | #13

      Or in simpler terms, Think of giving two people the same phonenumber…not good right?
      (except if one had the number internally only, and one externally, then got connected to a different number Before reaching the internal…make any sense?

      // Thomas

  6. Colin
    September 27, 2013 at 05:28 | #14

    Thanks Thomas, point taken.

  7. K. Sakolegi
    October 5, 2013 at 03:13 | #15

    Sharepoint engineers? LOL

  8. shobani
    February 4, 2014 at 18:54 | #17

    Thanks Thomas for the great post, I have one question..

    I have two websites in my SP farm with different URL domains, the following public URLs for example:
    - http://toys.com
    - http://parks.com

    The internal employees edit the website through: http://edit.toys.com

    I am having 1 WebApplication with 2 Host-Named SiteCollections,

    My question, is the following AAM correct?
    Internal -> Zone -> Public URL for Zone
    For Toys SiteCollection:
    -http://toys.com -> Default -> http://toys.com
    -https://edit.toys.com -> Internet -> http://edit.toys.com
    For Parks:
    -http://parks.com -> Default -> http://parks.com
    -https://edit.parks.com -> Internet -> https://edit.parks.com

    Thanks in advance :)

  9. April 23, 2014 at 05:48 | #20

    Hi.
    I would say no. You would want a separate web app or a site collection.
    Either choice allows you to use a extranet FQDN (extranet.domain.com), using a site collection would require Host Named Site Collections. Look that up.
    The only alternative, is to use a managed path like /sites/

    Regards
    // thomas

  1. February 22, 2013 at 18:10 | #1
  2. February 20, 2014 at 19:36 | #2

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 182 other followers

%d bloggers like this: