SharePoint Saturday Houston: SharePoint 2010 Extranets & Claims Authentication
SharePoint 2010 Extranets & Authentication · SharePoint 2010 Security • SharePoint 2010 changes...
Transcript of SharePoint 2010 Extranets & Authentication · SharePoint 2010 Security • SharePoint 2010 changes...
www.expertpointsolutions.com
SharePoint 2010 Extranets & Authentication
About Brian Culver
• SharePoint Solutions Architect for Expert Point Solutions
• Based in Houston, TX
• Author • SharePoint 2010 Unleashed
• Various White Papers
• Speaker and Blogger
Session Agenda
• Extranet Definition
• Common Extranet Scenarios
• Extranet Design Considerations & Challenges
• Claims Based Authentication and other Authentication Scenarios
• Mixed Mode vs. Multi-Authentication
Extranet - Definition
• A web application that is shared with external users, such as partners,
vendors, and customers
• Common attributes for an extranet:
• Sharing a private network or secured network
• Requires authenticated access, but the identity of the consumer is
not always known
• Has better security controls than an Internet Web application but
usually less secure than the Intranet
• Web application
Common Extranet Scenarios
Line of Business Applications Collaboration Static Content or Publishing
Remote Employees
Isolate and segregate internal data.
Authorize to use only sites and data that are necessary for their contributions.
Restrict partners from viewing other partners’ data.
Partners
Target Content Segment content Limit content access and search results based on audience.
Vendors & Customers
Extranet Design Considerations & Challenges
• Network Topology and Access
• Identity Management
• Seamless Single Sign-on Experience
• Content Security and Access
• Antivirus
• Client
• Server
• Rich Client Experience (Office Integration)
Edge Firewall Topology
Back-to-Back Perimeter Topology
Split Back-to-Back Topology
Security Terms
• Authentication is the mechanism whereby systems may
securely identify their users
• Creates an identity for security principal
• Who am I?
• Authorization is the mechanism by which a system
determines what level of access a particular authenticated user
should have to secured resources controlled by the system.
• Determines what resources an identity has access to
• What can I access?
SharePoint Authentication
• SharePoint does not authenticate
• Windows authentication via Windows server and IIS
(Kerberos/NTLM)
• FBA via ASP. NET and authentication providers (SQL, LDAP, etc.)
• Web SSO via Active Directory Federation Services (ADFS) and
other Identity Management Systems
• SharePoint creates user profiles
• SPUser object represents security principal
• User Profile List in Site Collections track user profiles
SharePoint 2010 Security
• SharePoint 2010 changes authentication
• Uses classic mode and claims based authentication
• Classic mode is SharePoint 2007 style legacy mode
• Claims-based authentication is the new security model
• What are the benefits?
• Claims decouples SharePoint from the authentication provider
• Allows SharePoint to support multiple authentication providers per
URL
• Identities can be passed without Kerberos delegation
• Allows federation between organizations
• ACLs can be configured with
• DLs, Audiences and OUs
SharePoint 2013 Security
• SharePoint 2013 authentication:
• Still supports classic mode and claims based authentication
• Claims-based authentication is the default security model
• Supported Authentication modes:
• Windows claims–mode sign-in (default)
• SAML passive sign-in mode
• ASP.NET membership and role passive sign-in
• Windows classic–mode sign-in (deprecated in SP2013)
• Claims authentication is the way to go!
Identity Normalization
Claims-Based Terminology
• Identity: security principal used to
configure the security policy
• Claim (Assertion): attribute of an
identity (such as Login Name, AD Group,
etc.)
• Security Token: serialized set of
claims (assertions) about an
authenticated user.
Claim-based Authentication
• Security Token Service (STS):
builds, signs and issues security
tokens. It can receive and submit
tokens.
• Issuing Authority: identity
management system(s) that
“knows” the claims (AD, ASP.NET,
LiveID, etc.)
• Identity Provider: trusted party
that creates and submits claims
• Relying Party: application that
makes authorization decisions
based on received claims
Claim-based Authentication
Claim-based Authentication
Mixed Mode Authentication vs Multi-Authentication
Regular label-callout text
Multi-AuthenticationMixed Authentication
SharePoint
Farm
Web Application
Extended Web Application
Extended Web Application
Extended Web Application
Extended Web Application
Zone: Custom
Zone: Extranet
Zone: Intranet
Zone: Internet
Zone: DefaultWindows
Authentication
FBA
Authentication
...
...
...
SharePoint
Farm
Web Application
Extended Web Application
Extended Web Application
Extended Web Application
Extended Web Application
Zone: Custom
Zone: Extranet
Zone: Intranet
Zone: Internet
Zone: DefaultWindows Authentication
FBA Authentication
SAML Based Authentication
FBA Authentication
Windows Authentication
...
...
Auth Scenarios - Mixed Mode
s
Authentication Scenarios
Mixed Mode: When to Use It
•
•
•
•
•
•
•
•
Auth Scenarios - Multi Authentication
s
Authentication Scenarios
Multi Authentication: When to Use It
•
•
•
•
•
Authentication Scenarios
Multi Authentication & Mixed Mode
FBA Claims Configuration in SP2010
1. Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
2. Enable Claims Authentication on Web Application via Central Administration
3. Modify web.config for the FBA Web Application 4. Modify web.config for Central Administration
FBA Claims Configuration in SP2010
5. Modify web.config for Security Token Service
• %programfiles%\common files\Microsoft Shared\web server
extensions\14\WebServices\SecurityToken
• Changes need to be made to the Security Token Service
virtual directory on each server hosting CA or the claims-
based web application
6. Configure FBA Provider in Central Administration
7. Create Web Application Policy to give SQL Auth User(s)
access to site
Claims Configuration in SP2010
FBA Claims Configuration in SP2010
Web Application web.config <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> <providers> <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers></roleManager> <membership defaultProvider="i“> <providers> <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </membership> </system.web>
FBA Claims Configuration in SP2010
Central Admin Web.config <roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false"> <providers> <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </roleManager> <membership defaultProvider="SQL-MembershipProvider"> <providers> <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </membership>
FBA Claims Configuration in SP2010
Secure Store Web Service web.config <connectionStrings> <add name="SQLConnectionString" connectionString="Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=aspnetdb;Data Source=.\sharepoint" /> </connectionStrings> <system.web> <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false“> <providers> <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </roleManager> <membership defaultProvider="i"> <providers> <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </membership> </system.web>
Claims Configuration
Claims Configuration
Claims Configuration
Claims Configuration
Claims Configuration
Issues using Claims Authentication in SP2010
• "Search Alerts only work with Windows Classic Authentication“ • http://technet.microsoft.com/en-us/library/cc288475.aspx
• Performance Point Dashboard Designer doesn't work directly against a web application with multiple authentication providers
• http://technet.microsoft.com/en-us/library/ee748637.aspx
Issues using Claims Authentication
• Some issues have been reported with Infopath Forms Services,
PowerPivot and Performance Point Services
• Project Server won't create new sites on a claims-based
authentication web app but don't see a reference for it
Questions
? ?
?
?
Constructive Feedback Is Appreciated
Great information,
but would like to
have learned more
about [Insert Topic] Brian – Your
presentation
was …
Good
Demos!
Thanks!
Useful Links
• SharePoint 2010 FBA User Management
• SharePoint 2010 Forms Based Authentication Configuration Manager
http://blogs.technet.com/b/speschka/archive/2010/07/28/sharepoint-2010-forms-
based-authentication-configuration-manager.aspx
SharePoint 2010: transparent login with mixed authentication
http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-
authentication-automatic-login.aspx
Steve Peschka article’s on Forms Authentication
» Forms Authentication in SharePoint Products and Technologies (Part 1):
Introduction
» Forms Authentication in SharePoint Products and Technologies (Part 2):
Membership and Role Provider Samples
» Forms Authentication in SharePoint Products and Technologies (Part 3): Forms
Authentication vs. Windows Authentication