Module 5 Configuring Authentication
Transcript of Module 5 Configuring Authentication
Module Overview
• Lesson 1: Understanding Classic SharePoint Authentication Providers
• Lesson 2: Understanding Federated Authentication
Lesson 1: Understanding Classic SharePoint Authentication Providers
• Identity and Authentication in SharePoint
• Configure Classic-Mode Authentication
• Integrated Windows Authentication
• Configure Kerberos Authentication
• Additional Windows Authentication Methods
• Secure Store Service
Identity and Authentication in SharePoint
• SharePoint is a three-tier, distributed application
    Front-end Web server
    Application server
    Back-end database server
• Authentication can be (and by default, is) required at each tier
• Authentication types, providers, and methods

    Types         Provider   Methods
    Classic       Windows    Anonymous, Basic, Digest, Certificates, NTLM, Negotiate (Kerberos or NTLM)
    Claims-based  Windows    Anonymous, Basic, Digest, Certificates, NTLM, Negotiate (Kerberos or NTLM)
    Claims-based  FBA        LDAP, SQL database, Other DB, Custom
    Claims-based  SAML       ADFS 2.0, Windows Live ID, Third Party
Configure Classic-Mode Authentication
• Create a New Web Application
    From the Web Applications Management page
• Edit Authentication
    From the Authentication Providers page
Integrated Windows Authentication
• NTLM
    Out of box default. Cannot authenticate the user to other tiers and services.
• Kerberos
    More secure. More scalable. Supports delegation. Improves authentication performance. Can authenticate the user to other tiers and services. Extra steps to configure.
• Negotiate (Kerberos or NTLM)
    Client selects the authentication method. Kerberos is used unless it is not supported. Falls back to NTLM.
Configure Kerberos Authentication
• Configure service principal names (SPNs)
    Represent the service class, name, and port of a service or web application
    A property of the computer or user account in Active Directory
    Must exist so that the client can obtain a Kerberos session ticket
• Needed for every service and Web application using Kerberos
• Configure by using ADSI Edit or SetSPN.exe

    Service or App               Pool Account   SPN
    http://intranet.contoso.com  SP_Service     HTTP/intranet.contoso.com
                                                HTTP/intranet
    http://sp2010-wfe1:9999      SP_Farm        HTTP/sp2010-wfe1.contoso.com:9999
                                                HTTP/sp2010-wfe1:9999
    SQL Server                   SVC_SQL        MSSQLSvc/sqlserver01.contoso.com:1433
                                                MSSQLSvc/sqlserver01:1433
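One way to register the SPNs from the table above with SetSPN.exe and then verify them, as an added example that is not part of the course deck. It assumes the domain name CONTOSO (the slide only shows contoso.com hosts), that it runs from an elevated PowerShell prompt on a domain-joined machine, and that the account running it may modify the three service accounts.

```powershell
# Added example: register and verify the Kerberos SPNs listed on the slide.
# The CONTOSO domain name is an assumption; change it to match your forest.
$ErrorActionPreference = 'Stop'
$domain = 'CONTOSO'

# One entry per service: the account that runs it and the SPNs clients will request.
# Both the FQDN and the short-name form are registered, as on the slide.
$spnMap = @{
    'SP_Service' = @('HTTP/intranet.contoso.com', 'HTTP/intranet')
    'SP_Farm'    = @('HTTP/sp2010-wfe1.contoso.com:9999', 'HTTP/sp2010-wfe1:9999')
    'SVC_SQL'    = @('MSSQLSvc/sqlserver01.contoso.com:1433', 'MSSQLSvc/sqlserver01:1433')
}

foreach ($account in $spnMap.Keys) {
    foreach ($spn in $spnMap[$account]) {
        # -S searches the forest for an existing copy of the SPN before adding it.
        # A duplicate SPN breaks Kerberos for that service; clients then fall back to NTLM,
        # which is exactly the silent downgrade the Negotiate slide warns about.
        $output = & setspn.exe -S $spn "$domain\$account" 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not register ${spn} on ${account}: $output"
        } else {
            Write-Host "Registered ${spn} -> ${domain}\${account}"
        }
    }
}

# Verification step 1: list what is actually registered on each account.
foreach ($account in $spnMap.Keys) {
    Write-Host "`nSPNs on ${domain}\${account}:"
    & setspn.exe -L "$domain\$account"
}

# Verification step 2: forest-wide duplicate scan; it should report no duplicates.
& setspn.exe -X -F
```

Run the duplicate scan again whenever a web application is renamed or moved to another application pool account, since a stale SPN left on the old account is the usual cause of Kerberos failing and Negotiate quietly falling back to NTLM.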
Additional Windows Authentication Methods
• Anonymous access
    Enables anonymous authentication but not permissions
    Grant anonymous access permissions at the site, list, or library
• Basic
    Plaintext password. Use SSL.
• Digest
    Configure in IIS
• Client certificates
    Configure in IIS
Secure Store Service
• Replacement for Microsoft Single Sign On
• Simply stores usernames and passwords
    NOT a Windows\Web Single Sign On solution
• Several Service Applications support it
    Business Connectivity Services
    Excel Services
    PerformancePoint
• Maps users to credentials for named applications
• Seamless integration with the Security Token Service
    An Application ID value in the authentication request forces a lookup in the Secure Store Service
Lesson 2: Understanding Federated Authentication
• Overview of Federated Identity
• Active Directory Federated Services (ADFS)
• Claims Authentication Process and Normalization
• Forms-Based Authentication Changes
• Claims to Windows Token Service
Overview of Federated Identity
• Federated Identity is the hosting of credentials somewhere else (claims providers)
    LiveID
    OpenID
    Facebook
• Integration with one or many is accomplished easily with Federation Gateways
    ADFS
    Azure ACS
Active Directory Federated Services (ADFS)
• ADFS is a service that allows for the creation of federated relationships between organizations for Web application authentication
    Users sign in with the username and password from their own AD; don't create a new one!
    Password resets and maintenance are the responsibility of the foreign system
• Allows you to trust other authentication mechanisms and retrieve "claims" about the users in those systems
• Implemented using WS-* standards
• You can define authorization rules based on the claims provided by external authentication systems
Claims Authentication Process and Normalization
• Identity validation process
• Federated sign-in process
• SharePoint identity normalization
Forms-Based Authentication Changes
• Forms-based authentication used to create an ASP.NET Generic Identity
• It now creates a Claims Identity
• Done through an STS provider
    SecurityToken.svc
    Implements SPSecurityTokenServiceHostFactory
• Multi-mode authentication
    No longer requires you to "Extend" your Web applications. You can have multiple authentication types for a single Web application.
Claims to Windows Token Service
• Since SharePoint is using Claims Identities, you need something to translate them to Windows Identities
    Claims to Windows Token Service (C2WTS)
    When making a request for a Windows-authenticated resource, your claim is turned into a Windows token
• Example
    A user, through a Web Part, wants to access BCS data, which connects to a Windows-authenticated Web service
    The Claims Identity won't work here!
Lab A: Configuring Custom Authentication
• Exercise 1: Creating and Configuring an ASP.NET Membership Database
• Exercise 2: Creating a Web Application that Uses Claims-Based Authentication
Logon information
Estimated time: 30 minutes
Scenario
• Your organizational IT policy states that only employees shall have an Active Directory account. Because of this policy, custom authentication databases must be used to authenticate outside vendors. IT has set up an ASP.NET membership database to authenticate all outside vendors. You have been tasked with setting up SharePoint to use this database for authentication.
Lab Review
• Why must you remove the <clear/> elements from the Web.config file?
• If you are familiar with the configuration of forms-based authentication on Microsoft Office SharePoint Server 2007, what is different about the number and type of Web applications required to support forms-based authentication in SharePoint Server 2010 in the client extranet scenario presented in this lab?
Lab B: Configuring Secure Store
• Exercise 1: Creating User Accounts for Access to External Data
• Exercise 2: Configuring Secure Store Services
• Exercise 3: Configuring Secure Store Unattended Accounts
Logon information
Estimated time: 20 minutes
Scenario
• Organizational IT policy states that under no circumstances should credentials be stored in an unencrypted manner in applications. However, information workers have started using the new intranet portal site and would also like to start using SharePoint Designer 2010 to add Business Connectivity Services applications to pages. Because of the policy, they will not be allowed to embed the credentials in the ASP.NET pages. You have been tasked with configuring Secure Store to facilitate the authentication for these information workers.
Module Review and Takeaways
• Review Questions