SharePoint 2010 authentications

Post on 22-Apr-2015

This presentation explains about SharePoint 2010 Authentication with LDAP and SQL Server

Transcript of SharePoint 2010 authentications

SharePoint Authentications

Ameet Phadnis, President

Ambar Nirgudkar, SharePoint Consultant

About Presenters

Ameet Phadnis, MCTS
◦ President, e Tek Global Inc.
◦ e-Mail: aaphadnis@etekglobalinc.com
◦ LinkedIn: www.linkedin.com/in/aaphadnis

Ambar Nirgudkar, MCSD
◦ Sr. SharePoint Consultant, e Tek Global Inc.
◦ e-Mail: ambar.nirgudkar@etekglobalinc.com
◦ LinkedIn: http://www.linkedin.com/in/ambarnirgudkar

04/11/2023

About e Tek Global Inc.

Microsoft Gold Partners.

Microsoft Certified SharePoint Deployment Planning Services Provider.

SharePoint 2010 services provided –
◦ Intranet, Extranet, Internet Sites and Features Development.
◦ Migrating sites from 2007 to 2010.

Upcoming Add-ons for SharePoint
◦ AD Password Reset
◦ AD Users Management and Profiles Management.
◦ News Ticker and News Display.
◦ Site Map
◦ Authentication registration and Login.
◦ User Profiles.

Agenda

◦ Overview
◦ Authentication Methods
◦ Authentication for SharePoint Web applications.
◦ Setting up FBA in 8 Steps.
◦ LDAP with FBA
◦ SecurityToken Web Configuration
◦ Central Administration Web Configuration.
◦ User Policies and Security.
◦ SQL Authentication with FBA.
◦ Question and Answer
◦ Useful Links

Overview

SharePoint is logically divided into three tiers:
◦ Front-end Web Server
◦ The application tier
◦ Back-end database tier.

Authentication is required for access to any of the above tiers.

To access each tier we need authentication providers.

SharePoint 2010 supports –
◦ Classic-mode authentication.
◦ Claims-based authentication.

Authentication Methods

Classic-mode Authentication Method –
◦ Windows: Standard IIS Windows Authentication methods.

Claims-based Authentication Methods –
◦ Windows
◦ Forms-based authentication
◦ SAML token-based authentication (Security Assertion Markup Language)

Authentication Methods- Classic

Windows Authentication
◦ Anonymous
◦ Basic
◦ Digest
◦ Client-Certificates
◦ NTLM
◦ Negotiate (Kerberos or NTLM)

Authentication Methods – Forms-based

◦ Lightweight Directory Access Protocol (LDAP)
◦ SQL Database or other database.
◦ Custom or third-party membership or role providers.

Forms-based (Contd.)

The Identity Management System is based on ASP.NET membership and role provider authentication.

For non-Windows or external systems you must register the membership provider in the Web.Config file.

You can also register a role manager in addition to the membership provider.

SharePoint 2010 uses the ASP.NET role manager interface to gather group information about the current user.

Forms-based (Contd.)

For managing membership users and roles in Central Administration, we need to register the membership provider in Central Administration's Web.Config file as well.

Forms-based (Contd.) – Watch out

The Membership provider name and Role provider name must be the same in the Central Admin config file as in the Web application's config file. If they differ, the default provider specified in machine.config is used instead.

Custom Authentication Provider Requirements

The HTTP module must be programmed to interact with SharePoint 2010 and ASP.NET methods for the following:

Membership Provider –
◦ GetUser(String)
◦ GetUserNameByEmail
◦ FindUsersByName and FindUsersByEmail

Role Manager –
◦ RoleExists
◦ GetRolesByUser
◦ GetAllRoles

Setting up FBA in 8 Steps

Create a new Web Application.

Select Claims Based Authentication under Authentication.

Under Create a new IIS web site, provide a suitable Name.

Under Claims Authentication Types:
◦ Check Forms Based Authentication (FBA).
◦ Enter an appropriate name for ASP.NET Membership Provider Name.
◦ Enter an appropriate name for ASP.NET Role Manager Name.

Setting up FBA in 8 Steps – Contd.

Under Application Pool Category:
◦ Provide a Name for the Application Pool.
◦ Select the Security account for the application pool.

Under the Database Name and Authentication Category:
◦ Enter the Database Server Name.
◦ Enter the Database Name.
◦ Enter the Database authentication information as appropriate.

Click OK. Create a Site Collection for the above Web Application.

THE SITE IS READY

Setting up FBA in 8 Steps

DEMO for creating a Claims-based Website.

LDAP with FBA

Open the Web Application Web.Config file and enter the following LDAP Authentication provider information:

<add name="LdapMember"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     userObjectClass="person"
     userFilter="(ObjectClass=person)"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn,displayName" />

LDAP Authentication Attributes

name: Name for your LDAP membership provider.
server: Name of the computer hosting the LDAP service.
port: Port that LDAP is listening on.
useSSL: Whether SSL is used to communicate with the LDAP data store (false in the example above, so it is not used).
userDNAttribute: Attribute holding the user's distinguished name.
userNameAttribute: Attribute of the user name object.
userContainer: Full distinguished name of the container for users.
userObjectClass: Class of the user object.
userFilter: A standard LDAP query filter that selects the user objects.
scope: Search scope of the selection.
otherRequiredUserAttributes: Other attributes to return.
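The attributes above compose into one LDAP search per login. The Python model below is an added example, not part of the presentation: it shows how userContainer, userFilter, userNameAttribute and scope combine into the base DN, filter and search scope a provider sends, and why the login name must be escaped per RFC 4515 before it goes into the filter (an unescaped "*" turns an equality match into a wildcard, and an unescaped ")" changes the filter's structure). The provider's real internal query is not on the slides, so the composition is an assumption about the standard approach. The url field also makes visible that useSSL="false" on port 389 means the simple bind carrying the user's password crosses the network unencrypted; ldaps on 636, or LDAP signing, is the fix.

```python
"""Model of how LdapMembershipProvider attributes compose into one LDAP search.
Added example; the provider's real query is not shown on the slides, so the
composition below is an assumption about the standard approach."""

# Attribute values copied from the LdapMember entry on the slide.
LDAP_MEMBER = {
    "server": "etekglobalinc.local",
    "port": "389",
    "useSSL": "false",
    "userDNAttribute": "distinguishedName",
    "userNameAttribute": "sAMAccountName",
    "userContainer": "DC=ETEKGLOBALINC,DC=LOCAL",
    "userFilter": "(ObjectClass=person)",
    "scope": "Subtree",
    "otherRequiredUserAttributes": "sn,givenname,cn,displayName",
}

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a login name so it is matched literally, never as a wildcard
    or as extra filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(provider: dict, username: str) -> dict:
    """Compose the search that resolves a login name to a user entry."""
    use_ssl = provider["useSSL"].lower() == "true"
    name_match = f"({provider['userNameAttribute']}={escape_filter_value(username)})"
    return {
        # Connection target; ldap:// (not ldaps://) means a cleartext simple bind.
        "url": f"{'ldaps' if use_ssl else 'ldap'}://{provider['server']}:{provider['port']}",
        "base_dn": provider["userContainer"],
        "scope": provider["scope"],
        # userFilter restricts the object class; the login name is AND-ed in.
        "filter": f"(&{provider['userFilter']}{name_match})",
        # The DN attribute plus every attribute the provider was told to return.
        "attributes": [provider["userDNAttribute"]]
        + provider["otherRequiredUserAttributes"].split(","),
    }


if __name__ == "__main__":
    # Constructed login names, including two that need escaping.
    for name in ("jsmith", "smith (contractor)", "*"):
        print(name, "->", build_user_search(LDAP_MEMBER, name)["filter"])
```

Running the block prints the composed filter for a plain login name and for two constructed names containing filter metacharacters; the escaped forms are what a correctly written provider sends, and the point of the model is that the user-supplied part of the filter is never inserted raw.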

LDAP with FBA

Enter the following LDAP Role provider information:

<add name="LdapRole"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     groupContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(ObjectClass=group)"
     userFilter="(ObjectClass=person)"
     scope="Subtree" />

LDAP with FBA

DEMO for the People Picker for Site Permissions.

SecurityToken Web Configuration

For a successful login we also need to enter the Membership and Role Provider in the SecurityToken Web.Config.

The path to the SecurityToken Web.Config is C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken

Enter the following for the Membership Provider:

<add name="LdapMember"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     userObjectClass="person"
     userFilter="(ObjectClass=person)"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn" />

SecurityToken Web Configuration

Enter the following for the Role Provider:

<add name="LDAPRole"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     groupContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(ObjectClass=group)"
     userFilter="(ObjectClass=person)"
     scope="Subtree" />

SecurityToken Web Configuration

DEMO for the SecurityToken Web.Config changes and Login with FBA.

Central Administration Web Configuration.

If a user needs to work on Web Application administration from Central Administration, then the Membership Provider and Role Provider need to be added to Central Administration's Web.Config file as well.

Copy the same Membership Provider and Role Provider information to the Central Administration Web.Config file.
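The same provider names must appear in the Web application, SecurityToken and Central Administration Web.Config files (the "Watch out" slide above explains what happens when they differ: the machine.config default silently takes over). The script below is an added example rather than anything from the presentation: it parses copies of the three files and reports any membership or role provider name that is missing from one of them. The three XML fragments are constructed stand-ins in which the Central Administration file is missing the role provider. The comparison is an exact string match, so it would also report the case difference between the LdapRole entry in the Web application snippet and the LDAPRole entry in the SecurityToken snippet earlier on this page; registering one identical name everywhere removes that doubt.

```python
"""Cross-file check that the FBA membership and role provider names registered
in the Web application, SecurityToken and Central Administration Web.Config
files agree. Added example; the three configs are constructed stand-ins."""

import xml.etree.ElementTree as ET

# Constructed fragments (only the provider sections matter for this check).
WEB_APP_CONFIG = """<configuration><system.web>
  <membership><providers>
    <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server" />
  </providers></membership>
  <roleManager enabled="true"><providers>
    <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server" />
  </providers></roleManager>
</system.web></configuration>"""

SECURITY_TOKEN_CONFIG = WEB_APP_CONFIG  # the slides copy the same entries here

# Constructed mistake: the role provider was never copied to Central Admin.
CENTRAL_ADMIN_CONFIG = """<configuration><system.web>
  <membership><providers>
    <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server" />
  </providers></membership>
  <roleManager enabled="true"><providers /></roleManager>
</system.web></configuration>"""

SAMPLE_CONFIGS = {
    "WebApplication": WEB_APP_CONFIG,
    "SecurityToken": SECURITY_TOKEN_CONFIG,
    "CentralAdmin": CENTRAL_ADMIN_CONFIG,
}


def provider_names(config_xml: str) -> dict:
    """Return {'membership': set(names), 'roleManager': set(names)}."""
    root = ET.fromstring(config_xml)
    names = {}
    for section in ("membership", "roleManager"):
        found = set()
        for node in root.iter(section):
            for add in node.iter("add"):
                if add.get("name"):
                    found.add(add.get("name"))
        names[section] = found
    return names


def check_consistency(configs: dict) -> list:
    """configs maps a file label to its XML text. Returns one finding per
    provider name that is absent from at least one file; exact string match,
    so a case difference counts as a different name."""
    parsed = {label: provider_names(xml) for label, xml in configs.items()}
    findings = []
    for section in ("membership", "roleManager"):
        every_name = set().union(*(p[section] for p in parsed.values()))
        for name in sorted(every_name):
            missing = [label for label, p in parsed.items() if name not in p[section]]
            if missing:
                findings.append(
                    f"{section} provider '{name}' not registered in: {', '.join(missing)}"
                )
    return findings


if __name__ == "__main__":
    for line in check_consistency(SAMPLE_CONFIGS) or ["all provider names agree"]:
        print(line)
```

To use it on a farm, read the three real files into the dictionary in place of the constructed strings; an empty result means every provider name registered anywhere is registered everywhere, which is the condition the slides require.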

User Policies and Security

User Policy under Central Administration should be used rarely.

These should be used for the overall site permissions.

Permissions that can be assigned for users are –
◦ Full Control.
◦ Full Read
◦ Deny Write
◦ Deny All.

Customized Permission Policies can be added through Permission Policy.

User Policies and Security

DEMO for the Central Administration Web.Config changes and User Policies.

Making SQL Authentication Work with FBA.

Follow the same steps as for the LDAP Authentication changes in the web.config file. Following are the SQL Authentication Membership provider and Role provider web.config changes.

Membership Provider:

<add name="SQLMembership"
     type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     applicationName="/"
     connectionStringName="ApplicationServices"
     enablePasswordReset="false"
     enablePasswordRetrieval="false"
     passwordFormat="Clear"
     requiresQuestionAndAnswer="false"
     requiresUniqueEmail="false" />

Making SQL Authentication Work with FBA.

Role Provider:

<add name="SQLRoles"
     type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     applicationName="/"
     connectionStringName="ApplicationServices" />

SQL Authentication with FBA.

Add the connection string entries to the Web Application, SecurityToken and (if needed) Central Administration Web.Config files. You can add the connectionStrings section just before the closing configuration tag.

<connectionStrings>
  <add connectionString="Data Source=ETEKSPS2010\POWERPIVOT;Initial Catalog=aspnetdb;User ID=<UserName>;Password=<Password>;"
       name="ApplicationServices" />
</connectionStrings>
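Three values in these snippets deserve a second look before they go into production: passwordFormat="Clear" stores membership passwords unhashed in the aspnetdb tables, the connection string carries the SQL login's password in plain text in every Web.Config it is copied into, and the LDAP providers earlier on the page use useSSL="false" on port 389. The audit below is an added example, not from the presentation; it parses a constructed Web.Config assembled from the slide values (credentials replaced by placeholders) and reports each of those settings. The remediation strings it prints name the standard ASP.NET mechanisms (passwordFormat="Hashed", Integrated Security=SSPI, and aspnet_regiis -pef to encrypt the connectionStrings section); whether the farm's service accounts allow integrated security is a deployment decision the slides do not cover.

```python
"""Audit of the settings in the slide snippets that weaken an FBA deployment.
Added example; SAMPLE_CONFIG is constructed from the slide values with the
SQL credentials replaced by placeholders."""

import xml.etree.ElementTree as ET

SAMPLE_CONFIG = r"""<configuration>
  <connectionStrings>
    <add name="ApplicationServices"
         connectionString="Data Source=ETEKSPS2010\POWERPIVOT;Initial Catalog=aspnetdb;User ID=PLACEHOLDER_USER;Password=PLACEHOLDER_PASSWORD;" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="LdapMember"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server"
             server="etekglobalinc.local" port="389" useSSL="false" />
        <add name="SQLMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web"
             connectionStringName="ApplicationServices"
             enablePasswordRetrieval="false" passwordFormat="Clear" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def connection_string_keys(conn: str) -> set:
    """Lower-cased keyword names from a 'k=v;k=v' connection string."""
    return {kv.split("=", 1)[0].strip().lower() for kv in conn.split(";") if "=" in kv}


def audit_fba_config(config_xml: str) -> list:
    """Return one finding per weak setting, in document order."""
    findings = []
    for add in ET.fromstring(config_xml).iter("add"):
        name = add.get("name", "?")
        kind = add.get("type", "")
        conn = add.get("connectionString")
        # A SQL login password sitting in Web.Config is readable by anyone
        # who can read the file (and by every copy made of it).
        if conn is not None and connection_string_keys(conn) & {"password", "pwd"}:
            findings.append(
                f"{name}: connection string embeds a SQL password in plain text; "
                "use Integrated Security=SSPI or encrypt the section "
                "(aspnet_regiis -pef connectionStrings)"
            )
        # LDAP simple bind without SSL sends the login password unencrypted.
        if "LdapMembershipProvider" in kind or "LdapRoleProvider" in kind:
            if add.get("useSSL", "false").lower() != "true":
                findings.append(
                    f"{name}: useSSL is not true; binds (and the user's password) go to "
                    f"{add.get('server')}:{add.get('port')} unencrypted"
                )
        # SqlMembershipProvider defaults to Hashed; Clear stores passwords as typed.
        if "SqlMembershipProvider" in kind:
            fmt = add.get("passwordFormat", "Hashed")
            if fmt.lower() != "hashed":
                findings.append(
                    f"{name}: passwordFormat={fmt}; stored passwords are recoverable, use Hashed"
                )
            if add.get("enablePasswordRetrieval", "false").lower() == "true":
                findings.append(f"{name}: enablePasswordRetrieval=true exposes stored passwords")
    return findings


if __name__ == "__main__":
    for line in audit_fba_config(SAMPLE_CONFIG) or ["no weak settings found"]:
        print(line)
```

Run over the constructed config it reports all three settings; run over the same config with useSSL="true" on port 636, passwordFormat="Hashed" and an integrated-security connection string it reports nothing, which is the state to aim for in each of the three Web.Config files the slides have you edit.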

SQL Authentication with FBA.

DEMO for SQL Authentication.

Question and Answer

????

Useful Links

Examples of Web.Config for LDAP Authentication - http://technet.microsoft.com/en-us/library/cc197251(office.12).aspx
