SharePoint 2010 Extranets & Authentication · SharePoint 2010 Security • SharePoint 2010 changes...

Transcript of SharePoint 2010 Extranets & Authentication

Page 1:

www.expertpointsolutions.com

SharePoint 2010 Extranets & Authentication

Page 2:

About Brian Culver

• SharePoint Solutions Architect for Expert Point Solutions

• Based in Houston, TX

• Author
  • SharePoint 2010 Unleashed
  • Various White Papers

• Speaker and Blogger

Page 3:

Session Agenda

• Extranet Definition

• Common Extranet Scenarios

• Extranet Design Considerations & Challenges

• Claims Based Authentication and other Authentication Scenarios

• Mixed Mode vs. Multi-Authentication

Page 4:

Extranet - Definition

• A web application that is shared with external users, such as partners, vendors, and customers

• Common attributes for an extranet:
  • Sharing a private network or secured network
  • Requires authenticated access, but the identity of the consumer is not always known
  • Has better security controls than an Internet Web application but usually less secure than the Intranet

• Web application

Page 5:

Common Extranet Scenarios

[Diagram: scenario types Line of Business Applications, Collaboration, and Static Content or Publishing, mapped to the audiences below]

• Remote Employees: isolate and segregate internal data.

• Partners: authorize to use only sites and data that are necessary for their contributions; restrict partners from viewing other partners’ data.

• Vendors & Customers: target content, segment content, and limit content access and search results based on audience.

Page 6:

Extranet Design Considerations & Challenges

• Network Topology and Access

• Identity Management

• Seamless Single Sign-on Experience

• Content Security and Access

• Antivirus
  • Client
  • Server

• Rich Client Experience (Office Integration)

Page 7:

Edge Firewall Topology

Page 8:

Back-to-Back Perimeter Topology

Page 9:

Split Back-to-Back Topology

Page 10:

Security Terms

• Authentication is the mechanism whereby systems may securely identify their users
  • Creates an identity for a security principal
  • Who am I?

• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
  • Determines what resources an identity has access to
  • What can I access?

Page 11:

SharePoint Authentication

• SharePoint does not authenticate
  • Windows authentication via Windows Server and IIS (Kerberos/NTLM)
  • FBA via ASP.NET and authentication providers (SQL, LDAP, etc.)
  • Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems

• SharePoint creates user profiles
  • SPUser object represents the security principal
  • The User Profile List in each Site Collection tracks user profiles

Page 12:

SharePoint 2010 Security

• SharePoint 2010 changes authentication
  • Uses classic mode and claims based authentication
  • Classic mode is SharePoint 2007 style legacy mode
  • Claims-based authentication is the new security model

• What are the benefits?
  • Claims decouple SharePoint from the authentication provider
  • Allows SharePoint to support multiple authentication providers per URL
  • Identities can be passed without Kerberos delegation
  • Allows federation between organizations
  • ACLs can be configured with DLs, Audiences and OUs

Page 13:

SharePoint 2013 Security

• SharePoint 2013 authentication:

• Still supports classic mode and claims based authentication

• Claims-based authentication is the default security model

• Supported Authentication modes:

• Windows claims–mode sign-in (default)

• SAML passive sign-in mode

• ASP.NET membership and role passive sign-in

• Windows classic–mode sign-in (deprecated in SP2013)

• Claims authentication is the way to go!

Page 14:

Identity Normalization

Page 15:

Claims-Based Terminology

• Identity: security principal used to configure the security policy

• Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.)

• Security Token: serialized set of claims (assertions) about an authenticated user.

Page 16:

Claim-based Authentication

• Security Token Service (STS): builds, signs and issues security tokens. It can receive and submit tokens.

• Issuing Authority: identity management system(s) that “knows” the claims (AD, ASP.NET, LiveID, etc.)

• Identity Provider: trusted party that creates and submits claims

• Relying Party: application that makes authorization decisions based on received claims
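Under claims mode the normalized identity that the STS hands SharePoint is visible in every SPUser login name as an encoded claim string, and the issuer letter inside it (w for Windows, f for forms, t for a trusted SAML issuer) records which of the providers compared on these slides authenticated the user. The decoder below is an added example, not code from the deck; its claim-type and issuer tables cover the common SharePoint 2010 encodings, and the sample strings are constructed.

```python
"""Decode SharePoint 2010 encoded claim strings such as "i:0#.w|contoso\\alice".

Layout (0-based): [0] 'i' identity claim / 'c' other claim, [1] ':', [2] '0' reserved,
[3] claim type, [4] claim value type, [5] original issuer type, [6] '|', then for
issuers that carry a name (forms, trusted, membership, role, claim provider) the
provider name followed by a second '|', and finally the claim value.
"""
from dataclasses import dataclass
from typing import Optional

CLAIM_TYPES = {"#": "userlogonname", "5": "emailaddress", "+": "groupsid",
               "-": "role", "!": "identityprovider"}
ISSUER_TYPES = {"w": "windows", "s": "sharepoint-sts", "t": "trusted-saml",
                "f": "forms", "m": "membership", "r": "role", "c": "claimprovider"}
NAMED_ISSUERS = "tfmrc"  # these embed the provider name before a second '|'


@dataclass(frozen=True)
class DecodedClaim:
    is_identity: bool
    claim_type: str
    value_type: str
    issuer_type: str
    issuer_name: Optional[str]
    value: str


def decode_claim(encoded: str) -> DecodedClaim:
    """Parse one encoded claim; raises ValueError on anything malformed."""
    if len(encoded) < 8 or encoded[0] not in "ic" or encoded[1:3] != ":0" or encoded[6] != "|":
        raise ValueError(f"not an encoded claim: {encoded!r}")
    issuer_char, rest = encoded[5], encoded[7:]
    if issuer_char not in ISSUER_TYPES:
        raise ValueError(f"unknown issuer type {issuer_char!r} in {encoded!r}")
    issuer_name = None
    if issuer_char in NAMED_ISSUERS:
        issuer_name, sep, rest = rest.partition("|")
        if not sep or not issuer_name:
            raise ValueError(f"issuer name missing in {encoded!r}")
    if not rest:
        raise ValueError(f"claim value missing in {encoded!r}")
    return DecodedClaim(
        is_identity=encoded[0] == "i",
        claim_type=CLAIM_TYPES.get(encoded[3], f"other({encoded[3]})"),
        value_type="string" if encoded[4] == "." else f"other({encoded[4]})",
        issuer_type=ISSUER_TYPES[issuer_char],
        issuer_name=issuer_name,
        value=rest,
    )


def describe(encoded: str) -> str:
    """One-line summary, handy when reading web application policies or audit logs."""
    c = decode_claim(encoded)
    via = c.issuer_type + (f" provider '{c.issuer_name}'" if c.issuer_name else "")
    return f"{'identity' if c.is_identity else 'claim'} {c.claim_type}={c.value!r} issued via {via}"


# Constructed samples: the same person reaching a multi-authentication web
# application through Windows and through FBA yields two distinct principals.
SAMPLES = [
    "i:0#.w|contoso\\alice",                # Windows user
    "i:0#.f|sql-membershipprovider|alice",  # FBA user via the slides' membership provider
    "i:05.t|adfs|alice@contoso.com",        # SAML user, e-mail claim from a trusted issuer
    "c:0+.w|s-1-5-21-1-2-3-513",            # AD group SID
    "c:0-.f|sql-rolemanager|partners",      # FBA role
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(describe(s))
```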

Page 17:

Claim-based Authentication

Page 18:

Claim-based Authentication

Page 19:

Mixed Mode Authentication vs Multi-Authentication

[Diagram: two SharePoint farm layouts side by side]

Mixed Authentication: one Web Application is extended into several Extended Web Applications, one per zone (Default, Intranet, Internet, Extranet, Custom), and each zone is served by a single authentication method (Windows Authentication on the Default zone, FBA Authentication on another zone, ...).

Multi-Authentication: one Web Application whose Default zone is served by several authentication methods at once (Windows Authentication, FBA Authentication, SAML Based Authentication); the other zones (Intranet, Internet, Extranet, Custom) can still be extended with their own methods (FBA Authentication, Windows Authentication, ...).

Page 20:

Auth Scenarios - Mixed Mode

Page 21:

Authentication Scenarios

Mixed Mode: When to Use It

Page 22:

Auth Scenarios - Multi Authentication

Page 23:

Authentication Scenarios

Multi Authentication: When to Use It

Page 24:

Authentication Scenarios

Multi Authentication & Mixed Mode

Page 25:

FBA Claims Configuration in SP2010

1. Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe

2. Enable Claims Authentication on Web Application via Central Administration

3. Modify web.config for the FBA Web Application

4. Modify web.config for Central Administration

Page 26:

FBA Claims Configuration in SP2010

5. Modify web.config for Security Token Service
  • %programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken
  • Changes need to be made to the Security Token Service virtual directory on each server hosting CA or the claims-based web application

6. Configure FBA Provider in Central Administration

7. Create Web Application Policy to give SQL Auth User(s) access to site

Page 27:

Claims Configuration in SP2010

Page 28:

FBA Claims Configuration in SP2010

Web Application web.config:

<system.web>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <!-- SharePoint claims role provider is the default; the SQL provider is reached through it -->
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </roleManager>
  <membership defaultProvider="i">
    <providers>
      <!-- SharePoint claims membership provider is the default; the SQL provider holds the accounts -->
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </membership>
</system.web>

Page 29:

FBA Claims Configuration in SP2010

Central Admin web.config:

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
<membership defaultProvider="SQL-MembershipProvider">
  <providers>
    <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>

Page 30:

FBA Claims Configuration in SP2010

Secure Store Web Service web.config:

<connectionStrings>
  <add name="SQLConnectionString" connectionString="Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=aspnetdb;Data Source=.\sharepoint" />
</connectionStrings>
<system.web>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </roleManager>
  <membership defaultProvider="i">
    <providers>
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </membership>
</system.web>
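The three web.config fragments above differ in one important way: the web application and the token service default to the SPClaimsAuth providers ("i" and "c"), while Central Administration defaults to the SQL providers directly, and all of them store passwords hashed with retrieval disabled. The linter below is an added example, not part of the deck; it checks those values in a config file read as text, and its sample XML is constructed from the slide fragments with the assembly version strings trimmed.

```python
"""Lint the <membership> and <roleManager> sections of the web.config files an
FBA claims setup touches (web application, Security Token Service, Central
Administration) for the settings shown on slides 28 to 30. Added example, not
part of the deck; the sample XML below is constructed from the slide fragments."""
import xml.etree.ElementTree as ET

CLAIMS_TYPE = "Microsoft.SharePoint.Administration.Claims.SPClaimsAuth"


def check_fba_config(xml_text, kind):
    """kind is 'webapp', 'sts' or 'centraladmin'; returns a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in ("membership", "roleManager"):
        sec = root.find(f".//{section}")
        if sec is None:
            findings.append(f"{section}: section missing")
            continue
        providers = {p.get("name"): p for p in sec.findall("providers/add")}
        default = providers.get(sec.get("defaultProvider"))
        claims_default = default is not None and default.get("type", "").startswith(CLAIMS_TYPE)
        # Web application and STS route lookups through the SPClaimsAuth shim providers
        # ("i"/"c"); Central Administration talks to the SQL providers directly (slide 29).
        if kind in ("webapp", "sts") and not claims_default:
            findings.append(f"{section}: defaultProvider must be the SPClaimsAuth provider")
        if kind == "centraladmin" and claims_default:
            findings.append(f"{section}: Central Administration must not default to the claims provider")
        if section != "membership":
            continue
        for name, p in providers.items():
            if "SqlMembershipProvider" not in p.get("type", ""):
                continue
            # Hashed storage, no password retrieval and a lockout window are the slide's values
            if p.get("passwordFormat") != "Hashed":
                findings.append(f"{name}: passwordFormat is {p.get('passwordFormat')}, expected Hashed")
            if p.get("enablePasswordRetrieval", "false").lower() != "false":
                findings.append(f"{name}: enablePasswordRetrieval must be false")
            if p.get("passwordAttemptWindow") is None:
                findings.append(f"{name}: passwordAttemptWindow not set")
    return findings


def sample_config(kind, password_format="Hashed", retrieval="false"):
    """Constructed web.config fragment in the shape of slides 28 to 30."""
    claims = kind != "centraladmin"
    role_default = "c" if claims else "AspNetWindowsTokenRoleProvider"
    member_default = "i" if claims else "SQL-MembershipProvider"
    return f"""<configuration><system.web>
  <roleManager defaultProvider="{role_default}" enabled="true" cacheRolesInCookie="false"><providers>
    <add name="c" type="{CLAIMS_TYPE}RoleProvider, Microsoft.SharePoint" />
    <add name="SQL-RoleManager" connectionStringName="SQLConnectionString" applicationName="/"
         type="System.Web.Security.SqlRoleProvider, System.Web" />
  </providers></roleManager>
  <membership defaultProvider="{member_default}"><providers>
    <add name="i" type="{CLAIMS_TYPE}MembershipProvider, Microsoft.SharePoint" />
    <add name="SQL-MembershipProvider" connectionStringName="SQLConnectionString" applicationName="/"
         passwordFormat="{password_format}" enablePasswordRetrieval="{retrieval}" passwordAttemptWindow="5"
         type="System.Web.Security.SqlMembershipProvider, System.Web" />
  </providers></membership>
</system.web></configuration>"""
```

Run it against the real files by passing each one's text and its kind; an empty list means the file matches the slide's layout.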

Page 31:

Claims Configuration

Page 32:

Claims Configuration

Page 33:

Claims Configuration

Page 34:

Claims Configuration

Page 35:

Claims Configuration

Page 36:

Issues using Claims Authentication in SP2010

• "Search Alerts only work with Windows Classic Authentication"
  • http://technet.microsoft.com/en-us/library/cc288475.aspx

• PerformancePoint Dashboard Designer doesn't work directly against a web application with multiple authentication providers
  • http://technet.microsoft.com/en-us/library/ee748637.aspx

Page 37:

Issues using Claims Authentication

• Some issues have been reported with InfoPath Forms Services, PowerPivot and PerformancePoint Services

• Project Server won't create new sites on a claims-based authentication web app, but no reference for this has been found

Page 38:

Questions

Page 39:

Constructive Feedback Is Appreciated

[Callouts]
• "Great information, but would like to have learned more about [Insert Topic]"
• "Brian – Your presentation was …"
• "Good Demos!"
• "Thanks!"

Page 40:

Useful Links

• SharePoint 2010 FBA User Management

• SharePoint 2010 Forms Based Authentication Configuration Manager
  http://blogs.technet.com/b/speschka/archive/2010/07/28/sharepoint-2010-forms-based-authentication-configuration-manager.aspx

• SharePoint 2010: transparent login with mixed authentication
  http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx

• Steve Peschka's articles on Forms Authentication
  » Forms Authentication in SharePoint Products and Technologies (Part 1): Introduction
  » Forms Authentication in SharePoint Products and Technologies (Part 2): Membership and Role Provider Samples
  » Forms Authentication in SharePoint Products and Technologies (Part 3): Forms Authentication vs. Windows Authentication