SharePoint 2010 authentications


Description

This presentation explains SharePoint 2010 authentication with LDAP and SQL Server.

Transcript of SharePoint 2010 authentications

Page 1: SharePoint 2010 authentications

SharePoint Authentications

Ameet Phadnis, President

Ambar Nirgudkar, SharePoint Consultant

Page 2: SharePoint 2010 authentications

About Presenters

Ameet Phadnis, MCTS
◦ President, e Tek Global Inc.
◦ e-Mail: [email protected]
◦ LinkedIn: www.linkedin.com/in/aaphadnis

Ambar Nirgudkar, MCSD
◦ Sr. SharePoint Consultant, e Tek Global Inc.
◦ e-Mail: [email protected]
◦ LinkedIn: http://www.linkedin.com/in/ambarnirgudkar

04/11/2023

Page 3: SharePoint 2010 authentications

About e Tek Global Inc.

Microsoft Gold Partners.

Microsoft Certified SharePoint Deployment Planning Services Provider.

SharePoint 2010 services provided –
◦ Intranet, Extranet, Internet Sites and Features Development.
◦ Migrating sites from 2007 to 2010.

Upcoming Add-ons for SharePoint –
◦ AD Password Reset
◦ AD Users Management and Profiles Management.
◦ News Ticker and News Display.
◦ Site Map
◦ Authentication registration and Login.
◦ User Profiles.


Page 4: SharePoint 2010 authentications

Agenda

◦ Overview
◦ Authentication Methods
◦ Authentication for SharePoint Web applications.
◦ Setting up FBA in 8 Steps.
◦ LDAP with FBA
◦ SecurityToken Web Configuration
◦ Central Administration Web Configuration.
◦ User Policies and Security.
◦ SQL Authentication with FBA.
◦ Question and Answer
◦ Useful Links


Page 5: SharePoint 2010 authentications

Overview

SharePoint is logically divided into three tiers:
◦ Front-end Web Server
◦ The application tier
◦ Back-end database tier.

Authentication is required for access to any of the above tiers.

To access each tier we need authentication providers.

SharePoint 2010 supports –
◦ Classic-mode authentication.
◦ Claims-based authentication.


Page 6: SharePoint 2010 authentications

Authentication Methods

Classic-mode Authentication Method –
◦ Windows: Standard IIS Windows Authentication methods.

Claims-based Authentication Methods –
◦ Windows
◦ Forms-based authentication
◦ SAML token-based authentication (Security Assertion Markup Language)


Page 7: SharePoint 2010 authentications

Authentication Methods- Classic

Windows Authentication
◦ Anonymous
◦ Basic
◦ Digest
◦ Client-Certificates
◦ NTLM
◦ Negotiate (Kerberos or NTLM)


Page 8: SharePoint 2010 authentications

Authentication Methods – Forms-based

◦ Lightweight Directory Access Protocol (LDAP)
◦ SQL Database or other database.
◦ Custom or third-party membership or role providers.


Page 9: SharePoint 2010 authentications

Forms-based (Contd.)

The identity management system is based on ASP.NET membership and role provider authentication.

For non-Windows or external systems you must register the membership provider in the Web.Config file.

A role manager can also be registered in addition to the membership provider.

SharePoint 2010 uses the ASP.NET role manager interface to gather group information about the current user.


Page 10: SharePoint 2010 authentications

Forms-based (Contd.)

To manage membership users and roles in Central Administration, we need to register the membership provider in Central Administration’s Web.Config file as well.


Page 11: SharePoint 2010 authentications

Forms-based (Contd.) – Watch out

The membership provider name and role provider name must be the same in the Central Administration Web.Config file as in the web application’s Web.Config file. If they differ, the default provider specified in machine.config is used instead.
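The mismatch described in this watch-out is easy to introduce by hand-editing three separate Web.Config files, and nothing in Central Administration warns about it. The following script is an added example for this transcript, not code from the presentation: it parses constructed Web.Config fragments (the hostname ldap.example.local and the helper names are mine) and reports any membership or role provider that the web application registers but the SecurityToken service or Central Administration does not register under the same name and type.

```python
"""Cross-check FBA provider registrations across the three web.config files.

Added example for this transcript, not code from the presentation: it parses
constructed web.config fragments (below) and reports any membership or role
provider that the web application registers but the SecurityToken service or
Central Administration does not register under the same name and type.
"""
import xml.etree.ElementTree as ET

# Provider types as registered on the slides (real SharePoint 2010 / ASP.NET types).
LDAP_MEMBER_TYPE = ("Microsoft.Office.Server.Security.LdapMembershipProvider, "
                    "Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, "
                    "PublicKeyToken=71e9bce111e9429c")
LDAP_ROLE_TYPE = ("Microsoft.Office.Server.Security.LdapRoleProvider, "
                  "Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, "
                  "PublicKeyToken=71e9bce111e9429c")
SQL_ROLE_TYPE = ("System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, "
                 "Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")


def config(member_name, member_type, role_name, role_type):
    """Build a minimal web.config fragment (constructed sample) with one provider per section."""
    return f"""<configuration><system.web>
  <membership><providers>
    <add name="{member_name}" type="{member_type}" server="ldap.example.local" port="636" useSSL="true" />
  </providers></membership>
  <roleManager enabled="true"><providers>
    <add name="{role_name}" type="{role_type}" server="ldap.example.local" port="636" useSSL="true" />
  </providers></roleManager>
</system.web></configuration>"""


# Constructed samples: the web application is the reference; the SecurityToken copy differs
# only in letter case; Central Administration has a misspelt membership name and a wrong role type.
WEB_APP_CONFIG = config("LdapMember", LDAP_MEMBER_TYPE, "LdapRole", LDAP_ROLE_TYPE)
SECURITY_TOKEN_CONFIG = config("LdapMember", LDAP_MEMBER_TYPE, "LDAPRole", LDAP_ROLE_TYPE)
CENTRAL_ADMIN_CONFIG = config("LdapMembership", LDAP_MEMBER_TYPE, "LdapRole", SQL_ROLE_TYPE)


def registered_providers(config_xml, section):
    """Return {provider name: type} for <add> entries under system.web/<section>/providers."""
    root = ET.fromstring(config_xml)
    return {add.get("name"): add.get("type")
            for add in root.findall("./system.web/" + section + "/providers/add")}


def normalise_type(type_name):
    """Ignore whitespace differences inside the assembly-qualified type name."""
    return "".join(type_name.split())


def check_provider_consistency(web_app_xml, other_configs):
    """Compare providers registered in the web application against each other config
    ({label: xml}). Names are compared case-insensitively, as ASP.NET's provider
    collection lookup ignores case; types must match. Returns a list of findings;
    an empty list means every provider is consistently registered."""
    findings = []
    for section, label in (("membership", "membership provider"), ("roleManager", "role provider")):
        expected = registered_providers(web_app_xml, section)
        for cfg_label, cfg_xml in other_configs.items():
            actual = {name.lower(): type_name
                      for name, type_name in registered_providers(cfg_xml, section).items()}
            for name, type_name in expected.items():
                found = actual.get(name.lower())
                if found is None:
                    findings.append(f"{cfg_label}: {label} '{name}' is not registered; "
                                    "the machine.config default provider would be used instead")
                elif normalise_type(found) != normalise_type(type_name):
                    findings.append(f"{cfg_label}: {label} '{name}' is registered with a different type")
    return findings


if __name__ == "__main__":
    for finding in check_provider_consistency(
            WEB_APP_CONFIG,
            {"SecurityToken": SECURITY_TOKEN_CONFIG, "Central Administration": CENTRAL_ADMIN_CONFIG}):
        print(finding)
```

The SecurityToken sample deliberately mirrors the slides, where the role provider is registered as LdapRole in the web application and LDAPRole in the SecurityToken config: that passes, because the comparison ignores case, while the Central Administration sample produces two findings. Run it against the real files (the three paths are given later in the deck) after every edit, since a silent fallback to the machine.config default is exactly the failure the slide warns about.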


Page 12: SharePoint 2010 authentications

Custom Authentication Provider Requirements

The HTTP module must be programmed to interact with SharePoint 2010 and ASP.NET methods for the following:

Membership Provider –
◦ GetUser(String)
◦ GetUserNameByEmail
◦ FindUsersByName and FindUsersByEmail

Role Manager –
◦ RoleExists
◦ GetRolesByUser
◦ GetAllRoles


Page 13: SharePoint 2010 authentications

Setting up FBA in 8 Steps

Create a new Web Application.

Select Claims Based Authentication under Authentication.

Under Create a new IIS web site, provide a suitable Name.

Under Claims Authentication Types:
◦ Check Forms Based Authentication (FBA).
◦ Enter an appropriate name for ASP.NET Membership Provider Name.
◦ Enter an appropriate name for ASP.NET Role Manager Name.


Page 14: SharePoint 2010 authentications

Setting up FBA in 8 Steps – Contd.

Under Application Pool Category:
◦ Provide a Name for the Application Pool.
◦ Select the Security account for the application pool.

Under the Database Name and Authentication Category:
◦ Enter the Database Server Name.
◦ Enter the Database Name.
◦ Enter the Database authentication information as appropriate.

Click OK. Create a Site Collection for the above Web Application.

THE SITE IS READY


Page 15: SharePoint 2010 authentications

Setting up FBA in 8 Steps

DEMO for creating a Claims-based Website.


Page 16: SharePoint 2010 authentications

LDAP with FBA

Open the Web Application Web.Config file and enter the following LDAP authentication (membership) provider information:

<add name="LdapMember"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     userObjectClass="person"
     userFilter="(ObjectClass=person)"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn,displayName" />


Page 17: SharePoint 2010 authentications

LDAP Authentication Attributes

name: Name for your LDAP membership provider.
server: Name of the computer hosting the LDAP service.
port: Port that LDAP is listening on.
useSSL: Specifies whether SSL is used to communicate with the LDAP data store (false in the example above).
userDNAttribute: Attribute holding the user’s distinguished name.
userNameAttribute: Attribute holding the user name.
userContainer: The full distinguished name of the container for users.
userObjectClass: Class of the user object.
userFilter: A standard LDAP query filter used to select users.
scope: Sets the search scope of the selection.
otherRequiredUserAttributes: Other attributes to return.


Page 18: SharePoint 2010 authentications

LDAP with FBA

Enter the following LDAP Role provider information:

<add name="LdapRole"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     groupContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(ObjectClass=group)"
     userFilter="(ObjectClass=person)"
     scope="Subtree" />
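The attribute tables on the previous slides say what each setting is, but not how the settings combine at login time. The script below is an added example for this transcript, not the provider’s own code: it reads the LdapMember and LdapRole entries exactly as the slides give them and models the two directory searches a provider configured this way would issue, the user lookup (userContainer, scope, userFilter and userNameAttribute) and the group lookup (groupContainer, groupFilter and groupMemberAttribute). Treating the filter as an AND of the configured filter and an escaped name-equality term is my assumption about the provider, and the RFC 4515 escaping is what keeps a typed login name from altering the filter’s structure; the function names are mine.

```python
"""Model of the directory searches implied by the LdapMember / LdapRole entries.

Added example for this transcript, not the LdapMembershipProvider's own code.
Assumption: a provider configured with these attributes searches userContainer
for (&(userFilter)(userNameAttribute=<login>)) and groupContainer for
(&(groupFilter)(groupMemberAttribute=<user DN>)), with the supplied value
escaped per RFC 4515 so it is matched literally.
"""
import xml.etree.ElementTree as ET

# The two <add> elements as registered on the slides.
LDAP_MEMBER_XML = '''<add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="etekglobalinc.local" port="389" useSSL="false"
  userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
  userContainer="DC=ETEKGLOBALINC,DC=LOCAL" userObjectClass="person"
  userFilter="(ObjectClass=person)" scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn,displayName" />'''

LDAP_ROLE_XML = '''<add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="etekglobalinc.local" port="389" useSSL="false"
  groupContainer="DC=ETEKGLOBALINC,DC=LOCAL" groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member"
  userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
  groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />'''

LDAP_MEMBER = ET.fromstring(LDAP_MEMBER_XML).attrib
LDAP_ROLE = ET.fromstring(LDAP_ROLE_XML).attrib


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515: backslash, *, (, ) and NUL become \\xx."""
    return "".join(("\\%02x" % ord(ch)) if ch in "\\*()\x00" else ch for ch in value)


def user_search(provider, user_name):
    """The search a provider configured like LdapMember would issue to find a login name."""
    filter_ = "(&%s(%s=%s))" % (provider["userFilter"], provider["userNameAttribute"],
                                escape_filter_value(user_name))
    attributes = [provider["userDNAttribute"], provider["userNameAttribute"]]
    attributes += [a for a in provider.get("otherRequiredUserAttributes", "").split(",") if a]
    return {"base": provider["userContainer"], "scope": provider["scope"],
            "filter": filter_, "attributes": attributes}


def group_search(provider, user_dn):
    """The search a provider configured like LdapRole would issue to list a user's groups."""
    filter_ = "(&%s(%s=%s))" % (provider["groupFilter"], provider["groupMemberAttribute"],
                                escape_filter_value(user_dn))
    return {"base": provider["groupContainer"], "scope": provider["scope"],
            "filter": filter_, "attributes": [provider["groupNameAttribute"]]}


if __name__ == "__main__":
    # Constructed login name and DN; no directory is contacted.
    print(user_search(LDAP_MEMBER, "jdoe"))
    print(group_search(LDAP_ROLE, "CN=J Doe,OU=Users,DC=ETEKGLOBALINC,DC=LOCAL"))
    # A name containing filter metacharacters is escaped, so it stays a literal value.
    print(user_search(LDAP_MEMBER, "j*doe")["filter"])
```

Two things follow from the model: with scope="Subtree" and userContainer set to the domain root, every person object in the domain is a candidate login, so narrow userContainer or userFilter if only one OU should be able to sign in; and because the group lookup matches the member attribute against the user’s full DN, the DN returned by userDNAttribute must be exactly what the group objects store.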


Page 19: SharePoint 2010 authentications

LDAP with FBA

DEMO for People Picker for Site Permissions.


Page 20: SharePoint 2010 authentications

SecurityToken Web Configuration

For login to succeed, the Membership and Role Providers must also be entered in the SecurityToken Web.Config.

The path to the SecurityToken Web.Config is C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken

Enter the following for the Membership Provider:

<add name="LdapMember"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     userObjectClass="person"
     userFilter="(ObjectClass=person)"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn" />


Page 21: SharePoint 2010 authentications

SecurityToken Web Configuration

Enter the following for the Role Provider:

<add name="LDAPRole"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     groupContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(ObjectClass=group)"
     userFilter="(ObjectClass=person)"
     scope="Subtree" />


Page 22: SharePoint 2010 authentications

SecurityToken Web Configuration

DEMO for SecurityToken Web.Config changes and Login with FBA.


Page 23: SharePoint 2010 authentications

Central Administration Web Configuration.

If a user needs to administer the Web Application from Central Administration, then the Membership Provider and Role Provider must also be added to Central Administration’s Web.Config file.

Copy the same Membership Provider and Role Provider information to the Central Administration Web.Config file.


Page 24: SharePoint 2010 authentications

User Policies and Security

User Policy under Central Administration should be used rarely.

These should be used for the overall site permissions.

Permissions that can be assigned for users are –
◦ Full Control.
◦ Full Read
◦ Deny Write
◦ Deny All.

Customized Permission Policies can be added through Permission Policy.


Page 25: SharePoint 2010 authentications

User Policies and Security

DEMO for Central Administration Web.Config changes and User Policies.


Page 26: SharePoint 2010 authentications

Making SQL Authentication Work with FBA.

Follow the same steps as for the LDAP authentication changes in the web.config file. The following are the SQL authentication Membership Provider and Role Provider web.config changes.

Membership Provider:

<add name="SQLMembership"
     type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     applicationName="/"
     connectionStringName="ApplicationServices"
     enablePasswordReset="false"
     enablePasswordRetrieval="false"
     passwordFormat="Clear"
     requiresQuestionAndAnswer="false"
     requiresUniqueEmail="false" />


Page 27: SharePoint 2010 authentications

Making SQL Authentication Work with FBA.

Role Provider:

<add name="SQLRoles"
     type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     applicationName="/"
     connectionStringName="ApplicationServices" />


Page 28: SharePoint 2010 authentications

SQL Authentication with FBA.

Add the connection string entries to the Web Application, SecurityToken and (if needed) Central Administration Web.Config files. The connectionStrings element can be added just before the closing configuration tag.

<connectionStrings>
  <add connectionString="Data Source=ETEKSPS2010\POWERPIVOT;Initial Catalog=aspnetdb;User ID=<UserName>;Password=<Password>;"
       name="ApplicationServices" />
</connectionStrings>
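Three of the values carried through the LDAP and SQL slides are worth flagging before a deck like this goes into production: useSSL="false" on port 389 (the LDAP bind credentials and every query cross the network in clear text), passwordFormat="Clear" (SqlMembershipProvider then stores user passwords unhashed in aspnetdb) and a SQL login password written into the connection string of a Web.Config that is copied to three places. The script below is an added example for this transcript, not code from the presentation: SAMPLE_CONFIG is a constructed fragment that combines the slides’ settings (the hostnames SQLHOST\INSTANCE and ldap.example.local, the login fbauser and the function names are mine), audit_fba_config lists the weak settings, and harden_fba_config produces one reasonable corrected copy.

```python
"""Audit the FBA provider and connection-string settings for weak values and
produce a hardened copy.

Added example for this transcript, not code from the presentation. SAMPLE_CONFIG
is a constructed web.config fragment combining the slides' settings; hostnames,
login name and password below are placeholders.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ApplicationServices"
         connectionString="Data Source=SQLHOST\\INSTANCE;Initial Catalog=aspnetdb;User ID=fbauser;Password=example-only;" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="SQLMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             applicationName="/" connectionStringName="ApplicationServices"
             enablePasswordReset="false" enablePasswordRetrieval="false"
             passwordFormat="Clear" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" />
        <add name="LdapMember"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="ldap.example.local" port="389" useSSL="false"
             userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
             userContainer="DC=EXAMPLE,DC=LOCAL" userObjectClass="person"
             userFilter="(ObjectClass=person)" scope="Subtree" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Connection-string keys that carry a SQL login rather than Windows authentication.
CREDENTIAL_KEYS = re.compile(r"^\s*(user id|uid|password|pwd)\s*=", re.IGNORECASE)


def audit_fba_config(config_xml):
    """Return (entry name, problem) pairs for every weak setting found in <add> entries."""
    findings = []
    for add in ET.fromstring(config_xml).iter("add"):
        name = add.get("name")
        if add.get("useSSL", "").lower() == "false":
            findings.append((name, "useSSL=false: LDAP bind credentials and queries are sent in clear text"))
        if add.get("passwordFormat", "").lower() == "clear":
            findings.append((name, "passwordFormat=Clear: passwords are stored unhashed in aspnetdb"))
        if add.get("enablePasswordRetrieval", "").lower() == "true":
            findings.append((name, "enablePasswordRetrieval=true: stored passwords can be read back"))
        if any(CREDENTIAL_KEYS.match(part) for part in add.get("connectionString", "").split(";")):
            findings.append((name, "connection string embeds a SQL login and password in web.config"))
    return findings


def harden_fba_config(config_xml):
    """Return a copy of the config with the weak settings replaced: LDAPS on 636,
    hashed password storage, and Windows (integrated) authentication to SQL Server."""
    root = ET.fromstring(config_xml)
    for add in root.iter("add"):
        if add.get("useSSL", "").lower() == "false":
            add.set("useSSL", "true")
            if add.get("port") == "389":
                add.set("port", "636")  # default LDAPS port; assumes the directory listens there
        if add.get("passwordFormat", "").lower() == "clear":
            add.set("passwordFormat", "Hashed")
        if add.get("enablePasswordRetrieval", "").lower() == "true":
            add.set("enablePasswordRetrieval", "false")
        conn = add.get("connectionString")
        if conn and any(CREDENTIAL_KEYS.match(p) for p in conn.split(";")):
            kept = [p for p in conn.split(";") if p.strip() and not CREDENTIAL_KEYS.match(p)]
            add.set("connectionString", ";".join(kept) + ";Integrated Security=SSPI;")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, problem in audit_fba_config(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
    print(harden_fba_config(SAMPLE_CONFIG))
```

Two caveats on the hardened output. Switching to Integrated Security=SSPI means each process that loads the provider (the web application’s pool, the SecurityToken service and, if configured, Central Administration) connects as its own application pool account, so each of those accounts needs a login on the aspnetdb database; the alternative is to keep the SQL login and encrypt the connectionStrings section with aspnet_regiis -pe so the password is not stored in plain text. Changing passwordFormat only affects passwords stored after the change; rows already written in Clear format stay that way until those users set a new password.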


Page 29: SharePoint 2010 authentications

SQL Authentication with FBA.

DEMO for SQL Authentication.


Page 30: SharePoint 2010 authentications

Question and Answer

????


Page 31: SharePoint 2010 authentications

Useful Links

Examples of Web.Config for LDAP Authentication - http://technet.microsoft.com/en-us/library/cc197251(office.12).aspx
