From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010

SESSION CODE: OSP311


Rick Taylor

Senior Technical Architect

Perficient, Inc.

Who Am I?
  • Who am I???
  • Who am I ??????????

The Guardian of Lost Souls

Rick Taylor

The Powerful

Slick Rick – if you’re nasty

The Pleasurable

The Indestructible

  • Former Engineer with Platform Architecture Group in SharePoint Online
  • Contributing author on Microsoft Office SharePoint Server 2007 Administrator’s Guide
  • Connect w/ Rick on
    • Facebook
    • LinkedIn
    • Twitter
    • Spaces
    • TechNet
  • Overview of Identities and Claims
    • What is Claims-based Identity?
      • A primer
  • Problem Spaces and Examples
    • Why is it important?
      • What does it do for me?
      • Why do I need it?
  • Upgrade Scenarios
  • Support Statements
  • Claim
    • An assertion
      • Username
      • Email Address
      • Date of Birth
  • Security Token Service (STS)
    • A service that accepts requests and issues security tokens that contain claims
  • Identity Provider (IDP)
    • An issuer of a token
  • Relying Party (RP)
    • An application that uses Claims (Claims Aware)
Claims Primer
  • What is Identity?
    • Set of attributes to describe a user such as name, e-mail, age, group membership, etc.
    • Traverses the network as an array of bytes – referred to as a token
    • In a Claims-based scenario, the array of bytes carries Claims
  • What is a Claim?
    • An attribute (and its value) that some authority claims to have about the user
What is a Token?

[Figure: a token carrying several claims, e.g. CLAIM = Email Address, CLAIM = Role, CLAIM = Given Name]

  • Claims carry pieces of information about the user
  • Tokens are issued by Security Token Service (STS) software
  • Identity providers can include Directory Services, Windows Live Id, etc.
Claims Primer - continued
  • What is the difference between a “claim” and an “attribute?”
    • Both Facebook & eHarmony have the age attribute
    • Facebook claims that I am 45, while eHarmony claims I am 29.
    • Authorization decisions may depend on the age attribute, so your app needs to decide which “claim” it will trust.
  • Trust depends on the scenario, not on technical capability
  • Applications can determine which Claims are required and which providers to trust
  • Provides multiple authentication scenarios on a single, unique namespace, i.e.
  • Enable automatic and secure identity delegation within SharePoint
  • Seamless integration with external systems, i.e. Web Service calls
Problem Space
  • Sign-in
    • Retrieving identities, i.e. who are they
  • Services
    • Passing identities across boundaries, i.e. machines, Line of Business applications, etc.
Scenarios
  • Sign-in to SharePoint with both Windows and LDAP directory Identity
  • Easily configure Intranet and Extranet users for Collaboration
  • Integrate with other customer identity systems (eg. ADFS, etc.)
  • Use Office Applications with non-Windows Authentication
Normalizing Identities



[Diagram: Normalizing identities. An NT Token (Windows Identity), a SAML 1.1+ identity (ADFS, etc.) and an ASP.Net FBA identity (SQL, LDAP, Custom …) are each issued as a SAML Token and become a Claims Based Identity]


Forms-based Authentication in SharePoint Server 2010

Rick Taylor

Senior Technical Architect


demo…well…sorta..but not really

Claim Providers
  • Augmentation of Claims
    • Used to add application specific claims
    • SharePoint will authorize over these claims
  • Search and Resolve Claims
    • Provides a way to enumerate and select claims
    • SharePoint will present the claims in the User Experience
Office Applications
  • Office Client applications now support non-Integrated Windows Authentication
  • Office 2007 with Service Pack 2 on
    • Windows XP with Internet Explorer 8
    • Windows Vista with Service Pack 2 or optionally with Internet Explorer 8
    • Windows 7
  • Office 2010 on
    • Windows XP with Internet Explorer 8
    • Windows Vista with Service Pack 2 or optionally with Internet Explorer 8
    • Windows 7
Changes to Forms-based Authentication
  • Forms-based Authentication users become Claims Identities
    • Claims identities are created as opposed to ASP.Net Generic identities
    • The Security Token Service calls the membership provider to validate the user and issues a Claims token
    • ValidateUser() must be implemented by membership providers
    • Roles are converted to Claims and captured in the SAML token
Services Scenarios
  • Surface additional information about a person or object without challenge (Intranet-specific scenario)
  • Surface inventory information through an Enterprise portal (Extranet or Intranet-specific scenario)
  • Deploy secure SharePoint environments for user identity delegation
Code Snippet for Claims Viewer Web part

using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using Microsoft.IdentityModel.Claims;

namespace ClaimsViewerTest.VisualWebPart1
{
    public partial class VisualWebPart1UserControl : UserControl
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // In a claims-based web application Page.User is a WIF IClaimsPrincipal
            IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
            if (claimsPrincipal == null)
            {
                return; // classic-mode authentication: there are no claims to show
            }
            IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;

            // Bind the user's claim collection (ClaimType, Value, Issuer, ...) to the grid
            GridView1.DataSource = claimsIdentity.Claims;
            GridView1.DataBind();
        }
    }
}


# Register ADFS 2.0 as a trusted identity token issuer for SharePoint
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\[name_of_cert].cer")

# Map the incoming e-mail claim and pass it through unchanged.
# The slide omits the -IncomingClaimType value; the standard WS-Federation e-mail claim type URI is assumed here.
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$realm = "urn:" + $env:ComputerName + ":adfs"
$signinurl = "https://[YOUR_SERVER_NAME]/adfs/ls/"

# The mapped e-mail claim is used as the identifier claim (the slide's trailing -IdentifierClaim lost its value)
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" -Description "ADFS 2.0 Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

Upgrade Scenarios
  • Integrated Windows will not require rework
  • Forms-based Authentication and WebSSO scenarios will need Claims conversion
Upgrade issues
  • When you upgrade from MOSS to SharePoint 2010:
  • Error:
    • “Forms Based Authentication on classic Web application has been deprecated.”
  • Fix:
    • Step 1

$w = Get-SPWebApplication "http://webappurl/"
$w.UseClaimsAuthentication = $true
$w.Update()
$w.ProvisionGlobally()

Upgrade Issues - Continued
  • Step 2
    • Remove the element from the Membership and Role provider sections in the web.config of the {SharePoint Root}\WebServices\Root
      • (Only occurs in upgrade, not clean)
Upgrade Issues - Continued
  • Naming Convention Change
    • Before: aspnetsqlmembershipprovider:username
    • After: i:0#.f|aspnetsqlmembershipprovider|username
    • Use PowerShell to change the names of all the users
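As an added example, not a script from the presentation, the following Windows PowerShell renames every legacy FBA login of the pattern above to its claims-encoded form with Move-SPUser. The web application URL and the provider name aspnetsqlmembershipprovider are taken from the slides; the script assumes it runs on a SharePoint 2010 server where the SharePoint snap-in is available.

```powershell
# Load the SharePoint 2010 cmdlets when run from a plain PowerShell console
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = "http://webappurl/"            # placeholder URL from the upgrade slide
$providerName = "aspnetsqlmembershipprovider"  # membership provider name from the slide
$legacyPrefix = $providerName + ":"            # classic FBA login: provider:username
# Claims form: i = identity claim, 0 = reserved, # = claim type key, . = value type key,
# f = forms membership provider, then provider and user name separated by '|'
$claimsPrefix = "i:0#.f|" + $providerName + "|"

$webApp = Get-SPWebApplication $webAppUrl
foreach ($site in $webApp.Sites) {
    try {
        # Snapshot the collection: Move-SPUser changes it while we iterate
        $users = @($site.RootWeb.SiteUsers)
        foreach ($user in $users) {
            if (-not $user.LoginName.StartsWith($legacyPrefix, [StringComparison]::OrdinalIgnoreCase)) {
                continue
            }
            $newLogin = $claimsPrefix + $user.LoginName.Substring($legacyPrefix.Length)
            Write-Host ("{0}: {1} -> {2}" -f $site.Url, $user.LoginName, $newLogin)
            # -IgnoreSID: forms users have no Windows SID for Move-SPUser to match on
            Move-SPUser -Identity $user -NewAlias $newLogin -IgnoreSID -Confirm:$false
        }
    }
    finally {
        $site.Dispose()
    }
}
```

Run it once per upgraded web application after UseClaimsAuthentication has been switched on; users that already carry the i:0#.f| prefix are left untouched.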
Upgrade Issues
  • Any custom applications, web parts or utilities that used the SSO service in 2007 may require a rewrite or update to the code to reflect these changes to the Secure Store Service
    • Microsoft.Office.SecureStoreService.Server assembly, found here: C:\Program Files (x86)\MSECache\oserver2010\Global\Search\
Other “Gotchas”

Receive Error – “Root of Certificate Chain is Not Trusted Root Authority”

  • Must export the ADFS Token Signing Certificate
  • Must add the ADFS Token Signing Certificate Root Authority to List of Root Authorities in SharePoint
  • WS-Federation 1.1
  • WS-Trust 1.4
  • SAML Token 1.1
  • SharePoint 2010 provides new ways to think about identity
    • Forms-based Authentication has changed from Office SharePoint Server 2007
  • Office client support is available to non-Windows scenarios
Additional Resources
  • Participate
    • Twitter > #SPIdentity
    • Download SharePoint Server 2010 Beta
  • Recommended Reading
    • Read more on Claims-based Authentication in the SharePoint Server 2010 IT Professional Evaluation Guide
    • Read the article Plan Authentication Methods (SharePoint Server 2010) on TechNet
    • Read the article Configure Forms-based Authentication for a Claims-based Web Application on TechNet (This article also provides some good upgrade material.)
    • Read the article Configure the Security Token Service on TechNet
    • Read about SharePoint and Claims-based Identity on MSDN
    • Download and read A Guide to Claims-Based Identity and Access Control
    • Download and read Claims-Based Identity for Windows
Even MORE Resources!
  • Read Setting up a lab environment with ADFS on TechNet
  • Go to the ADFS Resource Center on TechNet
Related Content
  • Breakout Sessions – See Conference Guide for full list of OSP Track Sessions
  • Interactive Sessions – OSP Track has 10 Interactive Sessions – OSP01-INT – OSP10-INT
  • Hands-on Labs – OSP01-HOL – OSP20-HOL
  • Product Demo Stations – Yellow Section, OSP
    • Office 2010, SharePoint 2010, Project Server 2010, Visio 2010 have kiosks and demos
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.


  • Understanding the Encoded Id
  • Sample Windows PowerShell Scripts
Frequently Asked Questions
  • Does SharePoint Server 2010 support OpenId?
    • SharePoint Server 2010 does not support the OpenId protocol out of the box, but nothing prevents you from writing an identity provider that accepts OpenId 2.0, converts it into a SAML token and provides that token to SharePoint.
  • Does SharePoint Server 2010 support CardSpace?
    • CardSpace is a method to select an identity on the client side. For example, when the IP-STS interacts with the client it expects a card for authentication, which in turn initiates CardSpace; this happens outside of SharePoint, at the IP-STS level, and as a result it could be used with SharePoint.
Encoded Id
  • Example: i:0#.w|contoso\rickt287
    • i = Identity Claim; all other claims use “c” instead of “i”
    • : = Colon (separator)
    • 0 = Reserved to support future Claims
    • #/? = Claim Type Encoded Value. The out-of-the-box claim types have a hard-coded encoded value, which gives parity across farms.
      • E.g. Key: ? Value:
      • Key: # Value:
    • ./0 = Claim Value Type. The out-of-the-box claim value types have a hard-coded encoded value, which gives parity across farms.
      • E.g. Key: . Value: urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
      • Key: 0 Value:
    • w/m/r/t/p/s = Original Issuer Type: w = windows, m = membership, r = role, t = trusted STS, p = personal card, s = local STS claim
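As an added example, not code from the presentation, this Windows PowerShell function splits an encoded id into the fields listed above. It assumes the layout on the slide, treats the issuer letter f as the forms membership provider (as the naming-convention example earlier in the deck uses it), and expects provider-backed issuers (f, m, r, t) to carry a provider name before the value.

```powershell
function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory = $true)][string] $EncodedId)

    # Slide layout: <i|c> ':' '0' <claim type key> <value type key> <issuer key> '|' <issuer-specific part>
    if ($EncodedId.Length -lt 8 -or (('i', 'c') -notcontains $EncodedId[0]) -or
        $EncodedId[1] -ne ':' -or $EncodedId[2] -ne '0' -or $EncodedId[6] -ne '|') {
        throw "Not a SharePoint encoded claim id: '$EncodedId'"
    }

    # Original issuer types from the slide, plus 'f' (forms) as used in the naming-convention example
    $issuerTypes = @{
        'w' = 'windows'; 'm' = 'membership'; 'r' = 'role'; 't' = 'trusted STS'
        'p' = 'personal card'; 's' = 'local STS claim'; 'f' = 'forms membership provider'
    }
    $issuerKey = [string]$EncodedId[5]
    if (-not $issuerTypes.ContainsKey($issuerKey)) {
        throw "Unknown original issuer type key '$issuerKey' in '$EncodedId'"
    }

    # Windows issuers keep the whole tail (domain\user); provider-backed issuers use '<provider>|<value>'
    $tail = $EncodedId.Substring(7)
    $provider = $null
    $value = $tail
    if (('f', 'm', 'r', 't') -contains $issuerKey) {
        $sep = $tail.IndexOf('|')
        if ($sep -lt 1 -or $sep -eq $tail.Length - 1) {
            throw "Expected '<provider>|<value>' after issuer key '$issuerKey' in '$EncodedId'"
        }
        $provider = $tail.Substring(0, $sep)
        $value = $tail.Substring($sep + 1)
    }

    New-Object PSObject -Property @{
        IsIdentityClaim = ($EncodedId[0] -eq 'i')  # 'c' marks every other claim
        ClaimTypeKey    = [string]$EncodedId[3]    # '#' or '?' in the slide's table
        ValueTypeKey    = [string]$EncodedId[4]    # '.' or '0' in the slide's table
        IssuerType      = $issuerTypes[$issuerKey]
        Provider        = $provider
        Value           = $value
    }
}

# Both forms that appear in this deck: a Windows identity and a forms (FBA) identity
ConvertFrom-SPEncodedClaim 'i:0#.w|contoso\rickt287'
ConvertFrom-SPEncodedClaim 'i:0#.f|aspnetsqlmembershipprovider|username'
```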
Windows PowerShell Sample 1

Create a SPAuthenticationProvider as ASP.NET Membership Provider and Web Application

$provider = New-SPAuthenticationProvider -ASPNETMembershipProvider "LdapMember" -ASPNETRoleProviderName "LdapRole"

# The -Url value is missing from the slide; "http://[YOUR_WEB_APP_URL]" is a placeholder
$webApp = New-SPWebApplication -Name "Claims" -ApplicationPool "Claims Application Pool" -ApplicationPoolAccount "CONTOSO\administrator" -Url "http://[YOUR_WEB_APP_URL]" -Port 80 -AuthenticationProvider $provider


Windows PowerShell Sample 2

Create a new SPClaimsPrincipal and Site Collection

$principal = New-SPClaimsPrincipal -Identity "membership:SiteOwner" -IdentityType FormsUser

$site = New-SPSite http://servername:port -OwnerAlias $principal.ToEncodedString() -Template "STS#0"