24 Sep 2011

Authentication and Authorization in SharePoint

 

Supported authentication methods:

Windows Authentication
Provides support for NTLM, Kerberos, Anonymous, Basic, and Digest authentication.

Forms-Based Authentication (FBA)
Providers exist for LDAP and SQL Server, and you can develop custom providers of your own. FBA is based on the standard forms authentication provided by Microsoft ASP.NET.

SAML token-based Authentication
Uses an external identity provider that supports SAML 1.1 and the WS-Federation Passive profile, such as Active Directory Federation Services 2.0 (AD FS 2.0), LDAP, or a custom third-party identity provider.

About Authentication Types

NTLM-integrated authentication is easier to configure, but it is more limited in capabilities.

NTLM is based on the user's password hash; the front-end server never holds the user's password.

Kerberos-integrated authentication uses a ticketing infrastructure that is not based on the user's password. Clients obtain tickets from a Key Distribution Center (KDC).

Authentication mode:


Classic mode

Supports only Windows Authentication.

Single-server deployment: users come from the local users' repository of the server.

Farm deployment: users come from the Active Directory repository.

Supported Windows Authentication methods: NTLM, Kerberos, Anonymous, Basic, and Digest.

 

Claims-based mode

Supports all three available authentication methods.

Introduced with SharePoint 2010.

With the new claims-based mode you can enable multiple authentication methods within the same zone.

The Sign In page is where end users select the authentication method when multiple authentication methods are enabled.

It employs the concept of claims identity, representing each user's identity as tokens made of claims.

Claims are issued by a Claim Provider and packaged into a Security Token, which is emitted by a Security Token Service (STS), also known as an Identity Provider.

Claim:

    • ClaimType: a URI that uniquely identifies the type of the claim
    • ClaimValue: the actual content of the claim
    • ClaimValueType: the data type of the ClaimValue

 

 

The authentication engine of SharePoint normalizes all users' identities into SPUser instances, converting every identity into a set of claims.

Figure: functional schema of the identity normalization process managed by SharePoint 2010.

 

Windows Authentication

Under claims-based authentication mode, Windows identities are converted to a set of claims representing the current user.

User ID of the current user. For Windows Authentication, it takes the value "0#.w|[Username]", where the string "0#.w|" is a fixed prefix and [Username] is the user name of the user. The "w" stands for Windows Authentication.

Extracting claims from the current user's identity (SharePoint 2010 uses the Windows Identity Foundation types from Microsoft.IdentityModel.Claims):

using System;
using System.Web;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;

// Inside a web part or control; under claims-based mode the current
// principal's identity is a ClaimsIdentity, otherwise the cast yields null.
ClaimsIdentity ci = this.Page.User.Identity as ClaimsIdentity;
if (ci != null) {
    this.Controls.Add(new LiteralControl("<h2>Claims</h2>"));
    foreach (Claim c in ci.Claims) {
        // Claim values come from the identity provider: HTML-encode them before rendering
        this.Controls.Add(new LiteralControl(
            String.Format(
                "<div>ClaimType: {0} - ClaimValue: {1} - ClaimValueType: {2}</div>",
                HttpUtility.HtmlEncode(c.ClaimType),
                HttpUtility.HtmlEncode(c.Value),
                HttpUtility.HtmlEncode(c.ValueType))));
    }
}



 


Forms-Based Authentication


Capability to authenticate your users against an external repository of users, which by default can be an LDAP directory or a Microsoft SQL Server database.

By default FBA uses the standard SQL Membership Provider of ASP.NET.
You can also develop custom membership providers.

UserID: "0#.f|[MembershipProvider]|[Username]", where the string "0#.f|" is a fixed prefix, [MembershipProvider] is the name of the configured Membership Provider, and [Username] is the username of the user. The "f" stands for FBA.
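The two user ID shapes described above, for Windows Authentication and for FBA, as an added example that is not part of the original post or of SharePoint's own API. The parser below accepts exactly the formats as this page describes them, and SamePrincipal makes the security-relevant point explicit: the same username arriving through two different providers is two distinct identities. The provider name is the page's sample value; the user names are constructed.

```csharp
using System;

// Parses the claims-encoded user IDs this page describes:
//   "0#.w|DOMAIN\user"          Windows Authentication
//   "0#.f|ProviderName|user"    Forms-Based Authentication
// Hypothetical helper written for this page; not part of SharePoint's API.
public enum IdentityKind { Windows, Forms }

public sealed class EncodedUserId
{
    public IdentityKind Kind { get; private set; }
    public string Provider { get; private set; }   // null for Windows identities
    public string UserName { get; private set; }

    // Returns null when the string matches neither documented shape.
    public static EncodedUserId TryParse(string encoded)
    {
        if (string.IsNullOrEmpty(encoded)) return null;
        string[] parts = encoded.Split('|');
        if (parts.Length == 2 && parts[0] == "0#.w" && parts[1].Length > 0)
            return new EncodedUserId { Kind = IdentityKind.Windows, UserName = parts[1] };
        if (parts.Length == 3 && parts[0] == "0#.f" && parts[1].Length > 0 && parts[2].Length > 0)
            return new EncodedUserId { Kind = IdentityKind.Forms, Provider = parts[1], UserName = parts[2] };
        return null;
    }

    // Two encoded IDs name the same principal only when kind, provider and user
    // name all match: "jdoe" from Windows and "jdoe" from an FBA provider are
    // different SPUser instances and must never be treated as one.
    public bool SamePrincipal(EncodedUserId other)
    {
        return other != null && Kind == other.Kind
            && string.Equals(Provider, other.Provider, StringComparison.OrdinalIgnoreCase)
            && string.Equals(UserName, other.UserName, StringComparison.OrdinalIgnoreCase);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values; the provider name is the one from the web.config on this page.
        string[] samples = { @"0#.w|CONTOSO\jdoe", "0#.f|FBASQLMembershipProvider|jdoe", "jdoe", "0#.f|jdoe" };
        foreach (string s in samples)
        {
            EncodedUserId id = EncodedUserId.TryParse(s);
            Console.WriteLine(id == null
                ? s + " -> not a claims-encoded user ID"
                : string.Format("{0} -> {1} user={2} provider={3}", s, id.Kind, id.UserName, id.Provider ?? "(none)"));
        }
    }
}
```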


Configuring the SQL Server Database:

You can invoke ASPNET_REGSQL.EXE from the Visual Studio Command Prompt and have it create the SQL Server database (tables, views and stored procedures) used by the ASP.NET membership and role providers.


Web.config of the sample site for configuring FBA:

<configuration>
  <connectionStrings>
    <add name="FBASP2010"
         connectionString="server=SP2010DEV\SQLEXPRESS;database=FBA_ClaimsSP2010;integrated security=SSPI;"/>
  </connectionStrings>
  <system.web>
    <membership defaultProvider="FBASQLMembershipProvider">
      <providers>
        <add connectionStringName="FBASP2010" applicationName="/"
             passwordAttemptWindow="5" enablePasswordRetrieval="false"
             enablePasswordReset="false" requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true" passwordFormat="Hashed"
             name="FBASQLMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="FBASQLRoleManager">
      <providers>
        <add connectionStringName="FBASP2010" applicationName="/"
             name="FBASQLRoleManager"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
    <authentication mode="Forms" />
    <authorization>
      <deny users="?"/>
    </authorization>
    <!-- Configuration omitted for the sake of brevity -->
  </system.web>
</configuration>



 



Configuring SharePoint web.config Files


The web.config is located in the C:\inetpub\wwwroot\wss\VirtualDirectories folder of every front-end server.


Step 1: add the connection string.

<connectionStrings>
  <add name="FBASP2010"
       connectionString="server=SP2010DEV;database=FBA_ClaimsSP2010;integrated security=SSPI;"/>
</connectionStrings>

Step 2: register the SQL membership and role providers next to the SharePoint claims providers ("i" and "c"), which stay as the default providers.

<membership defaultProvider="i">
  <providers>
    <add name="i"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add connectionStringName="FBASP2010" applicationName="/"
         passwordAttemptWindow="5" enablePasswordRetrieval="false"
         enablePasswordReset="false" requiresQuestionAndAnswer="true"
         requiresUniqueEmail="true" passwordFormat="Hashed"
         name="FBASQLMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add name="c"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add connectionStringName="FBASP2010" applicationName="/"
         name="FBASQLRoleManager"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>



 


The following web.config files need to be configured:

  1. web.config of the target web application
    Location: C:\inetpub\wwwroot\wss\VirtualDirectories

  2. web.config of the SharePoint Central Administration web application
    Location: C:\inetpub\wwwroot\wss\VirtualDirectories

  3. web.config of the internal Security Token Service (STS) of SharePoint
    Location: SharePoint14_Root\WebServices\SecurityToken folder
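The same provider entries have to land in all three files, and a missed or duplicated entry in any of them breaks FBA. As an added example (not from this post or from SharePoint itself), a small C# helper that applies the Step 1 connection string and the Step 2 SQL provider entries to one web.config without duplicating what is already there; run it once per file listed above. It assumes the page's sample values (FBASP2010, FBASQLMembershipProvider, FBASQLRoleManager) and leaves any existing defaultProvider="i" / "c" attributes untouched.

```csharp
using System.Xml;

// Adds the FBA connection string and the SQL membership/role provider entries
// to one SharePoint web.config without duplicating entries already present.
// Hypothetical helper for this page; the values are the page's sample values.
public static class FbaWebConfig
{
    const string ConnName = "FBASP2010";
    const string ConnString = @"server=SP2010DEV;database=FBA_ClaimsSP2010;integrated security=SSPI;";
    const string MembershipType = "System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a";
    const string RoleType = "System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a";

    // Returns how many elements were added; 0 means the file was already configured.
    public static int Apply(string webConfigPath)
    {
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;
        doc.Load(webConfigPath);
        XmlElement root = doc.DocumentElement;
        int added = 0;
        if (AddOnce(Ensure(root, "connectionStrings"), "name", ConnName, "connectionString", ConnString)) added++;
        XmlElement web = Ensure(root, "system.web");
        if (AddOnce(Ensure(Ensure(web, "membership"), "providers"),
                    "name", "FBASQLMembershipProvider", "type", MembershipType,
                    "connectionStringName", ConnName, "applicationName", "/",
                    "passwordAttemptWindow", "5", "enablePasswordRetrieval", "false", "enablePasswordReset", "false",
                    "requiresQuestionAndAnswer", "true", "requiresUniqueEmail", "true", "passwordFormat", "Hashed")) added++;
        if (AddOnce(Ensure(Ensure(web, "roleManager"), "providers"),
                    "name", "FBASQLRoleManager", "type", RoleType,
                    "connectionStringName", ConnName, "applicationName", "/")) added++;
        if (added > 0) doc.Save(webConfigPath);   // take a backup of the file before running this
        return added;
    }

    // Returns the direct child element with this name, creating it if missing.
    static XmlElement Ensure(XmlElement parent, string name)
    {
        XmlElement child = parent.SelectSingleNode(name) as XmlElement;
        if (child == null) { child = parent.OwnerDocument.CreateElement(name); parent.AppendChild(child); }
        return child;
    }

    // Appends <add name="..." .../> unless an <add> with that name is already there.
    // attrs is a flat list: "name", value, attr1, value1, ...
    static bool AddOnce(XmlElement parent, params string[] attrs)
    {
        if (parent.SelectSingleNode("add[@name='" + attrs[1] + "']") != null) return false;
        XmlElement e = parent.OwnerDocument.CreateElement("add");
        for (int i = 0; i < attrs.Length; i += 2) e.SetAttribute(attrs[i], attrs[i + 1]);
        parent.AppendChild(e);
        return true;
    }
}
```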

Configuring SQL Server Permissions

Grant the Windows identities configured for the following application pools:

  1. SharePoint Central Administration Application Pool

  2. Security Token Service Application Pool

  3. Target Web Application Application Pool

membership in the following database roles of the FBA database:

  1. aspnet_Membership_FullAccess

  2. aspnet_Roles_FullAccess

Configure the FBA providers through the SharePoint Central Administration interface:

Application Management -> Manage Web Applications -> choose the FBA target web application -> on the Ribbon, click the Authentication Providers command.

Figure: Edit Authentication configuration page of the SharePoint Central Administration.


Enabling FBA Users or Roles

Notice that if you now try to browse for users or roles, you will be able to browse both Windows and FBA users within the same browsing window.

Figure: Select People And Groups dialog with multiple authentication providers configured.
