Configuring SiteMinder Single Sign On for Microsoft® SharePoint® 2007 Using Forms-based Authentication
CA SiteMinder® Web Access Manager
This documentation and any related computer software help programs (hereinafter referred to as the
“Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at
any time.
This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in
part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA
and protected by the copyright laws of the United States and international treaties.
Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for
their own internal use, and may make one copy of the related software as reasonably required for back-up and
disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy.
Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for
the Product are permitted to have access to such copies.
The right to print copies of the Documentation and to make a copy of the related software is limited to the period
during which the applicable license for the Product remains in full force and effect. Should the license terminate for
any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the
Documentation have been returned to CA or destroyed.
EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY
APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS
OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT
LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY
ADVISED OF SUCH LOSS OR DAMAGE.
The use of any product referenced in the Documentation is governed by the end user’s applicable license
agreement.
The manufacturer of this Documentation is CA.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the
restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section
252.227-7014(b)(3), as applicable, or their successors.
Microsoft® SharePoint® is a registered trademark of Microsoft Corporation. Microsoft product screen shots reprinted
with permission from Microsoft Corporation. Microsoft and Windows are registered trademarks of Microsoft
Corporation in the United States and other countries. All trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
Copyright © 2009 CA. All rights reserved.
CA Product References
This document references the following CA products:
■ CA SiteMinder® Web Access Manager
Contact CA
Contact Technical Support
For your convenience, CA provides one site where you can access the
information you need for your Home Office, Small Business, and Enterprise CA
products. At http://ca.com/support, you can access the following:
■ Online and telephone contact information for technical assistance and
customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product
Provide Feedback
If you have comments or questions about CA product documentation, you can
send a message to [email protected].
If you would like to provide feedback about CA product documentation,
complete our short customer survey, which is also available on the CA support
website, found at http://ca.com/support.
Contents 5
Contents
Chapter 1: SiteMinder and Microsoft SharePoint 9
Documents Replaced by this Version ............................................................ 9
Purpose and Audience ......................................................................... 10
Microsoft Internet Information Services (IIS) ................................................... 10
Microsoft SharePoint 2007 ..................................................................... 11
Use Case Diagram ............................................................................ 12
Chapter 2: Prerequisites and Limitations 13
Microsoft Prerequisites ........................................................................ 13
SiteMinder Prerequisites ....................................................................... 14
SiteMinder and SharePoint Limitations ......................................................... 14
Chapter 3: Configure Your SiteMinder Policy Server 15
How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources ................... 15
Open the r6.x SP5 Policy Server User Interface ............................................. 16
Create a Host Configuration Object for your SharePoint Resources (r6.x SP5) ................. 17
Create a Web Agent Object for your SharePoint Resources (r6.x SP5) ........................ 18
Create an Agent Configuration Object for your SharePoint Resources (r6.x SP5) ............... 19
Create a User Directory Entry for your LDAP Directory Server Instance ....................... 21
Create a Domain for your SharePoint Resources (r6.x SP5) .................................. 22
Select a New Port Number for your IIS Default Web Site (r6.x SP5) .......................... 22
Create an Authentication Scheme for your SharePoint Resources (r6.x SP5) .................. 23
Create Realms for your SharePoint Resources (r6.x SP5) .................................... 23
Create a Rule Under your SharePoint Realm (r6.x SP5) ...................................... 26
Create a Policy for your SharePoint Resources (r6.x SP5) .................................... 27
Test Your Policy with the SiteMinder Test Tool (r6.x SP5) .................................... 27
How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources ............... 28
Open the r12 SP1 Administrative UI ........................................................ 29
Create a Host Configuration Object for your SharePoint Resources (r12 SP1) .................. 30
Create a Web Agent Object for your SharePoint Resources (r12 SP1) ......................... 31
Create an Agent Configuration Object for your SharePoint Resources (r12 SP1) ............... 32
Select a New Port Number for your IIS Default Web Site (r12 SP1) ........................... 34
Create an Authentication Scheme for your SharePoint Resources (r12 SP1) ................... 35
Create a User Directory Object for your Directory Server Instance (r12 SP1) .................. 36
Create an Application to protect your SharePoint Resources (r12 SP1) ........................ 37
Leave the SharePoint Virtual Directories Unprotected (r12 SP1) .............................. 38
6 Configuring SiteMinder Single Sign On for Microsoft® SharePoint® 2007 Using Forms-based Authentication
Add Resources to your Application (r12 SP1) ................................................ 40
Add Roles to your Application (r12 SP1) .................................................... 41
Create a Policy for your Application (r12 SP1) ............................................... 42
Chapter 4: Configure SharePoint 2007 43
How to Create a SharePoint 2007 Test Site ..................................................... 43
Create a New SharePoint Site .............................................................. 44
Add the New SharePoint Site to a Site Collection ............................................ 45
Create a Document Library ................................................................ 46
How to Configure Your SharePoint Forms Based Authentication .................................. 47
Back Up Your Existing web.config Files ..................................................... 48
Add the Membership Provider to the SharePoint Central Configuration Web Site ............... 49
Add the Membership Provider and Authentication Method to Each SharePoint Web Site you want to protect ........................................................... 51
How to Encrypt the Sensitive Information in your web.config Files ............................ 53
Enable SharePoint FBA .................................................................... 54
Add Users to Your SharePoint Web Site ..................................................... 55
Update the Site Collection Administrator Account to Use FBA ................................. 56
Test Your SharePoint FBA .................................................................. 57
Chapter 5: Configure SiteMinder Web Agent and Related SharePoint Web Sites 59
How to Add SiteMinder to your SharePoint Environment ......................................... 59
Install the SiteMinder Web Agent for IIS .................................................... 60
How to Install the SiteMinder DLL to the Global Assembly Cache ............................. 61
Add the SiteMinder .ASPX Files to the SharePoint Web Site .................................. 62
Use a Fully-Qualified Domain Name in your SharePoint Sites ................................. 63
How to Configure an IIS Web Agent to Protect SharePoint Resources ............................. 64
Assign Read Permissions to Samples and Error Files Directories .............................. 65
Allow IIS to Execute the Agent ISAPI and CGI Extensions .................................... 66
Change the Port Number of the Default IIS Web Site ........................................ 67
Gather Web Agent Information ............................................................. 68
Run the Agent Configuration Wizard ........................................................ 70
Increase the Agent's Size Limit for Uploaded Files ........................................... 71
Put the Agent Filter and Extension before Other Third-Party Filters ........................... 72
Add the ISAPI Extension to the Protected SharePoint Web Sites .............................. 74
How to Configure your SharePoint Web Sites for SiteMinder ..................................... 75
Use the SiteMinder Signout Page ........................................................... 76
Back Up your Existing web.config Files ..................................................... 77
Change the Form Type and Add the HTTP Module to Each SharePoint Web Site you want to protect with SiteMinder .................................................... 78
Start the Web Agent ...................................................................... 79
Chapter 6: Test your SiteMinder and SharePoint Implementation 81
Access a Protected SharePoint Site Using SiteMinder ............................................ 81
Modify a Document Stored on SharePoint ...................................................... 82
Access a Protected SharePoint Site as another User ............................................. 83
SiteMinder Logs .............................................................................. 83
Appendix A: Troubleshooting 85
Disable the SiteMinder Authentication .......................................................... 85
Appendix B: Platform Support 87
Locate the Platform Support Matrix ............................................................ 87
Chapter 1: SiteMinder and Microsoft SharePoint
This section contains the following topics:
Documents Replaced by this Version (see page 9)
Purpose and Audience (see page 10)
Microsoft Internet Information Services (IIS) (see page 10)
Microsoft SharePoint 2007 (see page 11)
Use Case Diagram (see page 12)
Documents Replaced by this Version
The content of this document supersedes the existing content in the following
publications:
CA SiteMinder Web Access Manager Microsoft® SharePoint® 2007
Integration Guide
First, Second, and Third Editions
CA SiteMinder Policy Server Policy Design Guide, r6.x SP5 CR 15
(DIDs: H00486-2E, H00486-1E)
Appendix A: Protecting SharePoint 2007 Resources
CA SiteMinder Web Agent Guide, r6.x SP5 CR15 (DIDs: H00501-2E,
H00501-1E)
Appendix D: Protecting SharePoint 2007 Resources
Purpose and Audience
This guide describes an example of how you can integrate SharePoint with CA
SiteMinder to accomplish the following:
■ Use SiteMinder to authenticate and authorize your users instead of
SharePoint
■ Use an existing LDAP Directory server with CA SiteMinder
■ Replace the SharePoint forms-based authentication (FBA) mechanism with
CA SiteMinder
This guide is intended for IT personnel who are familiar with the enterprise
network, as well as access management concepts and technologies.
This guide assumes familiarity with the following:
■ Web Servers
■ Directory Servers
■ SharePoint
■ Basic architecture of CA SiteMinder components
Microsoft Internet Information Services (IIS)
Microsoft IIS is a web server that runs on several Windows operating
environments. Only one instance of IIS can run on a single computer, but
many virtual web sites can exist within an IIS instance.
Note: For more information about creating virtual web sites on IIS, go to the
Microsoft Support web site, and then search for "virtual web site IIS".
Microsoft SharePoint 2007
Microsoft SharePoint 2007 runs on top of a Microsoft IIS instance. The
SharePoint 2007 Server makes the following changes to the IIS instance when
it is installed:
■ Disables the IIS Default Web Site on port 80, and adds a SharePoint - 80 web site in its place
■ Creates virtual web sites for the following:
– Office Server Web Services
– SharePoint Central Administration
– A single SharePoint web site for the user who installed the SharePoint
Server 2007
Note: The phrase "web application" has special meaning in the Microsoft
documentation; it defines a SharePoint web application as a web site and its
related database instance, which stores the content for the web site, on the
SharePoint server. This SiteMinder guide uses the term web site to indicate a
SharePoint resource unless otherwise indicated.
Use Case Diagram
The following illustration shows a use case where partners authenticate using a
SiteMinder form, and internal employees authenticate using SiteMinder or
Windows authentication methods:
Chapter 2: Prerequisites and Limitations
This section contains the following topics:
Microsoft Prerequisites (see page 13)
SiteMinder Prerequisites (see page 14)
SiteMinder and SharePoint Limitations (see page 14)
Microsoft Prerequisites
To protect your SharePoint 2007 resources with SiteMinder you need the
following Microsoft components:
■ Microsoft IIS 6.0
■ Microsoft SharePoint 2007 SP1
■ Microsoft .NET 2.0
■ Microsoft .NET 2.0 SDK (for installing the SiteMinder file into the Global
Assembly Cache)
■ Microsoft .NET 3.0
More information:
How to Install the SiteMinder DLL to the Global Assembly Cache (see page 61)
SiteMinder Prerequisites
To protect your SharePoint 2007 resources with SiteMinder you need to install
the appropriate components for your SiteMinder version shown in the following
list:
SiteMinder r6.x SP5
Requires a r6.x SP5 Policy Server (at least CR 14) with one of the following
Web Agents:
■ SiteMinder Web Agent, 6.x SP5 (at least) CR22 (32-bit only)
■ SiteMinder Web Agent, 6.x SP5 (at least) CR23 (32-bit or 64-bit)
SiteMinder r12 SP1
Requires the following components:
■ SiteMinder Web Agent, r12 SP1 (at least) CR2
■ SiteMinder Policy Server, r12 SP1 (at least) CR2
■ SiteMinder Web Access Manager Administrative Interface, r12 SP1 (at
least) CR2
More information:
Locate the Platform Support Matrix (see page 87)
SiteMinder and SharePoint Limitations
This document shows how to integrate SiteMinder with SharePoint 2007 using
the forms-based authentication (FBA) feature of SharePoint. Understand and
accept the following limitations caused by FBA before you start your
integration:
■ The welcome message in SharePoint displays the login id of the user, not
the full name of the user.
■ SharePoint features that rely on an identity provided by a Microsoft
Windows operating system are not supported (for example, Excel
Services).
■ User profiles that were supported while SharePoint was configured for
Windows authentication will not be available after SharePoint is configured
for FBA authentication. No migration utility exists. As a result, this
documentation is intended for deployments that are not using an Active
Directory user store.
■ The SharePoint People Picker does not support wildcard searches or
searches for Groups.
Chapter 3: Configure Your SiteMinder Policy Server
This section contains the following topics:
How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources (see page 15)
How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources (see page 28)
How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources
To configure a SiteMinder r6.x SP5 Policy to protect resources on a SharePoint
web site, use the following process:
1. Log in to the Policy Server User Interface (see page 16).
2. Create a Host Configuration object (see page 17).
3. Create a Web Agent (see page 18).
4. Create an Agent Configuration object (see page 19).
5. Create a user directory (see page 21).
6. Create a Domain for the SharePoint web site (see page 22).
7. Select a new port number for your IIS default web site (see page 22).
8. Create an authentication scheme (see page 23).
9. Create realms under the domain (see page 23).
10. Create rules under the realm (see page 26).
11. Create a policy under the domain (see page 27).
Open the r6.x SP5 Policy Server User Interface
The Policy Server User Interface lets you create and manage Policy Server
objects.
To open the Policy Server User Interface
1. Open your web browser.
2. Enter the following URL in the Address bar:
http://policy_server_host_name.domain:non_default_port_number/siteminder
Note: The policy_server_host_name is the name of the machine on
which the Policy Server is installed. You must use a fully-qualified domain
name, such as example.com, in the URL. If the Policy Server does not use
the default HTTP port (80), you must specify a port number.
Your browser displays the Policy Server start page.
3. Click Administer Policy Server.
A status bar appears while the Policy Server User Interface loads. The
SiteMinder Administration Login window opens.
4. Enter your user name and password in the appropriate fields.
If you are accessing the Policy Server for the first time, use the default
super user administrator account, which you created during Policy Server
installation.
5. Click Login.
The Policy Server User Interface opens.
The contents of this window depend on the privileges of the administrator
account you use to login to the Policy Server.
Note: For more information on the Policy Server User Interface, see the
SiteMinder Policy Design guide.
Create a Host Configuration Object for your SharePoint Resources (r6.x SP5)
The Web Agent uses a Host Configuration object to connect with the Policy
Server. You will need the name of a Host Configuration object that is stored on
the Policy Server to configure a SiteMinder web agent on a web server that
protects your resources.
To create a host configuration object
1. In the System tab, click Host Conf objects.
The Host Conf Object list appears.
2. Right-click the DefaultHostSettings object, and then select Duplicate
configuration object.
The Host Configuration Object Properties dialog appears with the object's
name selected.
3. Enter a distinctive name, and (optional) description.
4. In the Configuration Values list, double-click #Policy Server.
The Edit Parameter dialog appears.
5. Click the *Parameter Name field, and then remove the # symbol.
6. In the *Value field, select the following text:
<IPAddress>
7. Replace selected text with the IP address, or DNS name, of your Policy
Server.
8. Click OK.
The Edit Parameter dialog closes. The IP address you entered appears in
the list.
9. Click OK.
The Host Configuration Object Properties dialog closes and the new Host
Configuration object appears in the list.
Create a Web Agent Object for your SharePoint Resources (r6.x SP5)
The Web Agent runs on the web server to protect resources, but each web
agent must be associated with a Web Agent object on the Policy Server. You
will need the name of this Web Agent object when you configure a SiteMinder
web agent on a web server.
To create a web agent
1. In the System tab, right-click Agents, and then select Create Agent.
The Agent dialog appears.
2. Enter a distinctive name, and (optional) description.
Note: Web Agent names have the following limits:
■ Agent names must contain 7-bit ASCII characters in the range of
32-127, including one or more printable characters.
■ Agent names must not contain the ampersand (&) and asterisk (*)
characters.
■ Agent names are not case-sensitive. For example, you cannot create
one Agent named MyAgent and another Agent named myagent.
3. Click OK.
The dialog closes and the new Agent appears in the list.
Create an Agent Configuration Object for your SharePoint Resources (r6.x SP5)
An Agent Configuration Object lets you specify parameter settings on the
Policy Server that control how one or more web agents operate. You will need
the name of an Agent Configuration Object stored on the Policy Server to
configure a SiteMinder web agent on your web server.
This Agent Configuration object must also contain certain parameters and
settings to protect resources on a SharePoint web site with SiteMinder.
To create an Agent Configuration object
1. In the System tab, click Agent Conf Objects.
The Agent Conf Object list appears.
2. Right-click the IISDefaultSettings Agent Configuration object, and then
click Duplicate Configuration Object.
The Agent Configuration Object properties dialog appears with the object's
name selected.
3. Enter a distinctive name, and (optional) description.
4. Scroll down the configuration values list, and then double-click the
following parameter:
BadUrlChars
Note: The list is sorted by special characters (such as those starting with
#), numbers, uppercase letters and lowercase letters respectively.
The Edit Parameter dialog appears.
5. Remove any characters from this list that are found in the URLs of any
resources you want to protect. For example, if the URL of a protected
resource contains <>, delete <, and >, from the list.
Note: BadUrlChars lists the character sequences the agent rejects in a
requested URL; this is how it blocks malformed requests such as directory
traversal sequences or embedded markup. Each entry you delete is a check
the agent no longer performs, so delete only the entries that legitimate
SharePoint URLs actually trip and keep the rest.
6. Click OK.
7. Double-click the following parameter:
LogOffUri
The Edit Parameter dialog appears.
8. Uncomment the parameter name (by removing the #), click the Value field
and then type the following:
/_siteminder/redirector.aspx
9. Click OK.
10. Double-click the following parameter:
IgnoreExt
The Edit Parameter dialog appears.
11. Remove the extensions of any image files used in your protected resources
from the list, and then click OK. For example, if you use .png files, remove
the .png extension from the list of values.
Note: The agent does not evaluate requests for resources whose extension
appears in IgnoreExt; it serves them without authentication or
authorization. Removing an extension brings files of that type back under
the protection of the realm that covers them.
12. Double-click the following parameter:
DefaultAgentName
The Edit Parameter dialog appears.
13. Uncomment the parameter name (by removing the #), click the *Value
field and then enter a default agent name. This name must match the
name of the web agent you previously created with the Policy Server User
Interface for your SharePoint implementation (see page 18).
14. Click OK.
The Edit parameter dialog closes.
15. Click Add, and then type the following in the Parameter Name field:
autoauthorizeoptions
16. Click the *Value field, and then type the following:
Yes
Note: With AutoAuthorizeOptions set to Yes, the agent authorizes requests
that use the HTTP OPTIONS method without checking them against your
policy. An OPTIONS response only reports the methods a resource supports,
but this traffic bypasses SiteMinder authorization, so account for it when
you review agent logs.
17. Click OK to Close the Edit parameter dialog, and then click OK again to
close the Agent Configuration Object dialog.
The Agent Configuration dialog closes and the new Web Agent
Configuration object is saved.
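The following helper is an added example for Steps 4 through 6 of the procedure above; it is not part of CA's documentation or product code. It takes a BadUrlChars value and the URLs your SharePoint site actually serves, reports the minimal set of entries those URLs trip, and then shows which hostile paths the trimmed list still catches and which now pass. The BadUrlChars value, the site URLs and the hostile paths are all constructed samples (the value is not a quote of the product default), and the matching rules are a simplified model of the agent check: an entry is either a literal substring or a %xx-%yy range of percent-encoded byte values, applied to the path before any ? character.

```python
import re

# Constructed sample of a BadUrlChars value, comma-separated as in the ACO.
# It is NOT the product default; read the real list from your own object.
SAMPLE_BAD_URL_CHARS = "//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25,<,>"

# Constructed URLs that the SharePoint site legitimately serves.
SITE_URLS = [
    "/Shared%20Documents/Forms/AllItems.aspx",
    "/Shared%20Documents/Sales%2050%25.xlsx",   # file name contains a literal '%'
    "/_layouts/userdisp.aspx?ID=1",
]

# Constructed hostile paths a reviewer expects the trimmed list to keep catching.
HOSTILE_URLS = [
    "/docs/../../boot.ini",                  # directory traversal
    "/docs//hidden/secret.docx",             # double slash
    "/Lists/<svg%20onload=alert(1)>.aspx",   # markup in the path
    "/docs/%252e%252e/boot.ini",             # double-encoded traversal; only %25 catches it
]

_RANGE = re.compile(r"^%([0-9a-fA-F]{2})-%([0-9a-fA-F]{2})$")
_PCT = re.compile(r"%([0-9a-fA-F]{2})")


def parse_bad_url_chars(value):
    """Split the comma-separated ACO value into its entries."""
    return [e for e in value.split(",") if e]


def entry_hits(entry, url):
    """Simplified model of one BadUrlChars entry: a literal substring, or a
    %xx-%yy range of percent-encoded byte values. Only the path before '?'
    is examined (the query string is the job of other agent parameters)."""
    path = url.split("?", 1)[0]
    m = _RANGE.match(entry)
    if m:
        lo, hi = int(m.group(1), 16), int(m.group(2), 16)
        return any(lo <= int(h, 16) <= hi for h in _PCT.findall(path))
    return entry in path


def entries_to_remove(bad_value, site_urls):
    """Entries that at least one legitimate URL trips: the minimal set to drop."""
    return [e for e in parse_bad_url_chars(bad_value)
            if any(entry_hits(e, u) for u in site_urls)]


def trimmed_value(bad_value, site_urls):
    """The BadUrlChars value with only the tripping entries removed."""
    drop = set(entries_to_remove(bad_value, site_urls))
    return ",".join(e for e in parse_bad_url_chars(bad_value) if e not in drop)


def blocked_by(bad_value, url):
    """Entries of bad_value that would reject this URL (empty list: it passes)."""
    return [e for e in parse_bad_url_chars(bad_value) if entry_hits(e, url)]


def coverage_report(bad_value, site_urls, hostile_urls):
    """For each hostile URL, the entries that still catch it after trimming."""
    new_value = trimmed_value(bad_value, site_urls)
    return {u: blocked_by(new_value, u) for u in hostile_urls}


if __name__ == "__main__":
    print("remove:", entries_to_remove(SAMPLE_BAD_URL_CHARS, SITE_URLS))
    for url, hits in coverage_report(SAMPLE_BAD_URL_CHARS, SITE_URLS, HOSTILE_URLS).items():
        print(("BLOCKED " if hits else "PASSES  ") + url, hits)
```

With the sample data, only %25 is tripped (by the file name containing a literal percent sign), and removing it is what lets the double-encoded traversal path through while the other three hostile paths are still caught. Run the report against the real URLs of your site and the real value of your object before you edit it, so that each removal is a deliberate trade.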
Create a User Directory Entry for your LDAP Directory Server Instance
For SiteMinder to protect resources on SharePoint, you must add information
about your user directory server instance to the SiteMinder Policy Server. You
will also need this information when you add the LDAP Provider to the
web.config files of your SharePoint server.
To create a user directory entry for your directory server instance
1. In the system tab, right-click User Directories, and select Create User
Directory.
The User Directory Properties dialog appears.
2. Enter a distinctive name, and (optional) description.
3. Make sure LDAP: appears in the Namespace drop-down list.
4. Click the Server field, and then type the fully-qualified domain name of
your Directory server.
5. In the LDAP Search section, click the Root field, and then type the
following:
dc=your_domain_name,dc=your_domain_extension
Example: dc=example,dc=com
6. In the DN LDAP User Lookup section, click the Start field, and then type
the following:
uid=
7. Click the End field and type the following:
,dc=your_domain_name,dc=your_domain_extension
Example: ,dc=example,dc=com
Note: The Policy Server forms the lookup DN by joining Start, the login
name the user enters, and End (for example, uid=jdoe,dc=example,dc=com),
so the End value must begin with the comma that separates the uid RDN
from the rest of the DN. The resulting DN must lie under the search Root
you entered in Step 5.
8. Click the Credentials and Connection tab, and then do the following:
a. Select the Require credentials check box.
b. Enter the name of an authorized user for the directory. Use the
following example as a guide:
cn=Directory Manager
c. Enter the password for the authorized user and confirm it.
d. Make sure the Run in Authenticated Users Context check box is clear.
9. Click the User Attributes tab, click the Universal ID (R) field, and then
enter the following:
uid
10. Click OK.
The User Directory Properties dialog closes and the user directory entry is
saved.
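The following helper is an added example for Steps 5 through 7 above, not code from CA. It forms the lookup DN the way those fields describe (Start, then the login name, then End), escapes the login name under the RFC 4514 rules so that names containing commas or other DN metacharacters still produce a syntactically valid DN, and checks that the resulting DN lies under the search Root. The Start, End and Root values are the constructed examples from the steps; the sample logins are made up.

```python
# Constructed values matching the example in Steps 5 through 7 above.
SEARCH_ROOT = "dc=example,dc=com"
LOOKUP_START = "uid="
LOOKUP_END = ",dc=example,dc=com"

# Characters that must be backslash-escaped inside a DN attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules):
    special characters anywhere, a leading space or '#', a trailing space,
    and NUL as \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def lookup_dn(login, start=LOOKUP_START, end=LOOKUP_END):
    """The DN the Policy Server would look up: Start + login + End."""
    return start + escape_rdn_value(login) + end


def _normalize(dn):
    # Lower-case and strip whitespace around RDNs so the suffix check is not
    # fooled by case or spacing differences between the two fields.
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under_root(dn, root=SEARCH_ROOT):
    """True when dn is the root itself or an entry beneath it."""
    d, r = _normalize(dn), _normalize(root)
    return d == r or d.endswith("," + r)


def check_directory_settings(start, end, root, sample_logins):
    """Per login: the DN that would be formed and whether it lies under root.
    A False flags a Start/End/Root combination that can never find the user
    (for example, an End value that lacks its leading comma)."""
    report = {}
    for login in sample_logins:
        dn = lookup_dn(login, start, end)
        report[login] = (dn, dn_under_root(dn, root))
    return report


if __name__ == "__main__":
    for login, (dn, ok) in check_directory_settings(
            LOOKUP_START, LOOKUP_END, SEARCH_ROOT, ["jdoe", "smith, john"]).items():
        print(("OK      " if ok else "MISMATCH") + " " + login + " -> " + dn)
```

Run the check with the exact strings you typed into the three fields; an End value typed without its leading comma, for example, produces uid=jdoedc=example,dc=com, which the check reports as not under the root.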
Create a Domain for your SharePoint Resources (r6.x SP5)
The SharePoint resources you want to protect with SiteMinder must be placed
in a separate domain on the SiteMinder Policy Server.
To create a domain for your SharePoint resources
1. Click the Domains tab.
A list of domains appears.
2. Right-click Domains, and select Create Domain.
The Domain Properties dialog appears.
3. Enter a distinctive name, and (optional) description.
4. Click the drop-down list, select the LDAP Directory server instance from
the list, and then click Add.
The LDAP Directory server instance appears in the User Directories field.
5. Click OK.
The Domain Properties dialog closes and the domain is saved.
Select a New Port Number for your IIS Default Web Site (r6.x SP5)
When a user requests a protected SharePoint web site, the SiteMinder Web
Agent redirects the user to the default IIS web site and displays a login form
(FCC). After the user's credentials are received and verified, the SiteMinder
Web Agent redirects the user back to the protected SharePoint web site they
originally requested.
Since the SharePoint server takes over the default IIS port (80), and disables
any existing web sites already running on that port, you may find it helpful to
re-activate the Default IIS Web site on a different port. This lets you separate
your SiteMinder IIS traffic from your SharePoint traffic and may help with
logging or troubleshooting.
You must also specify this updated port number in the SiteMinder
Authentication scheme you create to protect your SharePoint resources.
More information:
Change the Port Number of the Default IIS Web Site (see page 67)
Create an Authentication Scheme for your SharePoint Resources (r6.x SP5)
You need to create a separate SiteMinder authentication scheme for your
SharePoint resources. This authentication scheme replaces the SharePoint FBA
with a SiteMinder FCC.
To create an authentication scheme for your SharePoint resources
1. In the System tab, right-click Authentication Schemes, and select Create
Authentication Scheme.
The Authentication Scheme dialog appears.
2. Enter a distinctive name, and (optional) description.
3. Click the Authentication Scheme Type drop-down list, and select HTML
Form Template.
4. Click the Web Server Name field, and then type the fully-qualified domain
name and the updated port number of your IIS Default Web site, as shown
in the following example:
iis_web_server_name.example.com:5500
Note: Ensure the *Target field contains the following URL:
/siteminderagent/forms/login.fcc
5. Click OK.
The Authentication Scheme Dialog closes and your authentication scheme
is saved.
More information:
Select a New Port Number for your IIS Default Web Site (r6.x SP5) (see page
22)
Create Realms for your SharePoint Resources (r6.x SP5)
You must create several realms in SiteMinder for each SharePoint web site you
want to protect. The root, or top-level, realm protects the SharePoint resource.
You must also create several sub-realms inside the top level realm that leave
certain sub-folders of each SharePoint resource unprotected, as shown in the
following illustration:
To create realms for your SharePoint resources
1. Click the Domains tab, and then expand the domain of your SharePoint
resources.
A list of domain objects appears.
2. Right-click Realms and select Create Realm.
The Realm Properties dialog appears, showing the Resource tab.
3. Enter a distinctive name, and (optional) description.
4. Do the following:
■ Click Lookup, click the name of the Web Agent that will protect your
SharePoint resources, and then click OK.
■ Click the Authentication Scheme drop-down list, and select the
Authentication scheme for your SharePoint resources.
■ Under Default Resource Protection, make sure the Protected radio
button is selected.
■ Click Apply.
The resource settings are saved.
5. Click the Session tab, and then make sure that the No Persistent Session
radio button is selected.
6. Click OK.
The root (top-level) realm is created, and it appears in the list.
7. Right-click the root realm in the list, and select Create Realm Under Realm.
The Realm Properties dialog appears, showing the Resource tab.
8. Enter a distinctive name, and (optional) description.
9. Do the following:
■ Click the Resource filter field, and type the following:
_vti_bin
■ Click the Authentication Scheme drop-down list, and select the
Authentication scheme for your SharePoint resources.
■ Under Default Resource Protection, click the Unprotected radio button.
■ Click Apply.
The resource settings for the sub-realm are saved.
10. Click the Session tab, and then make sure that the No Persistent Session
radio button is selected.
11. Click OK.
The sub-realm is created, and it appears in the list.
12. Repeat Steps 7 and 8, and then do the following:
■ Click the Resource filter field, and type the following:
_vti_inf
■ Click the Authentication Scheme drop-down list, and select the
Authentication scheme for your SharePoint resources.
■ Under Default Resource Protection, click the Unprotected radio button.
■ Click Apply.
The resource settings for the sub-realm are saved.
13. Click the Session tab, and then make sure that the No Persistent Session
radio button is selected.
14. Click OK.
The sub-realm is created, and it appears in the list.
15. Repeat Steps 7 and 8, and then do the following:
■ Click the Resource filter field, and type the following:
_layouts
■ Click the Authentication Scheme drop-down list, and select the
Authentication scheme for your SharePoint resources.
■ Under Default Resource Protection, click the Unprotected radio button.
■ Click Apply.
The resource settings for the sub-realm are saved.
16. Click the Session tab, and then make sure that the No Persistent Session
radio button is selected.
17. Click OK.
The sub-realm is created, and it appears in the list. All of the realms and
sub-realms for your SharePoint integration are created.
Create a Rule Under your SharePoint Realm (r6.x SP5)
Your top-level SharePoint realm needs a rule which fires when a user requests
access to a protected SharePoint resource.
To create a rule under your SharePoint realm
1. Click the Domains tab, and expand the following items:
■ Your SharePoint domain.
■ The realms under that domain.
2. Right-click the top-level SharePoint realm, and select Create Rule Under
Realm.
The Rule Properties dialog appears.
3. Enter a distinctive name, and (optional) description.
4. In the Action field, Control-click Post and Put.
All three web agent actions, Get, Post and Put are selected.
5. Verify the following:
■ The Resource field contains an asterisk (*).
■ The Allow Access radio button is selected.
■ The Enabled check box is selected.
6. Click OK.
The Rule Properties Dialog closes and the new rule appears in the list.
Create a Policy for your SharePoint Resources (r6.x SP5)
You need a SiteMinder policy associated with your SharePoint domain that
defines relationships between the users, the SharePoint resources and access
rights in your organization.
To create a policy for your SharePoint resources
1. Click the Domains tab, and then expand your SharePoint domain.
A list of objects appears.
2. Right-click Policies, and select Create Policy.
The Policy Properties dialog appears showing the Users tab.
3. Enter a distinctive name, and (optional) description.
4. Click Add/Remove.
The Users/Groups dialog appears.
5. Move the groups, users (or any combination of either) that you want to
add from the Available Members list to the Current Members list, and then
click OK.
The users or groups are added to the policy.
6. Click the Rules tab, and then click Add/Remove Rules.
The Available Rules dialog appears.
7. Move your SharePoint rule from the Available Members list to the Current
Members list, and then click OK.
The rule is added to the policy.
8. Click OK.
The Policy Properties dialog closes and the policy is saved.
Test Your Policy with the SiteMinder Test Tool (r6.x SP5)
The SiteMinder test tool imitates the behavior of a SiteMinder Web Agent so
you can test your policies after creating them. This helps you make sure that
your resources are properly protected. This tool is included in your SiteMinder
Policy Server installation.
Note: For more information, see the CA SiteMinder Policy Design guide.
How to Configure a SiteMinder r12 SP1 Application to Protect
SharePoint Resources
To configure a SiteMinder Application to protect resources on a SharePoint web
site, use the following process:
1. Open the Administrative UI (see page 29).
2. Create a Host Configuration object (see page 30).
3. Create a Web Agent object (see page 31).
4. Create an Agent Configuration object (see page 32).
5. Select a new port number for your IIS default web site (see page 34).
6. Create an Authentication scheme (see page 35).
7. Create a User Directory object (see page 36).
8. Create an Application (see page 37).
9. Leave the SharePoint Virtual sub-directories unprotected (see page 38).
10. Add Resources (see page 40).
11. Add Roles (see page 41).
12. Create a Policy (see page 42).
Open the r12 SP1 Administrative UI
The browser-based CA SiteMinder Web Access Manager Administrative User
Interface primarily enables management of Policy Server objects, but also
provides some system management functionality.
To access the Administrative UI
1. Do one of the following:
■ From the computer hosting the Administrative UI, click Start,
Programs, CA, IAM Suite, siteminderWAM, SiteMinder Administrative
User Interface
■ Open the following URL in your browser:
http://host_name.domain:port_number/iam/siteminder
The host_name is the name of the computer on which the Administrative
UI runs. You must use a fully-qualified domain name. If the Administrative
UI is not using the default HTTP port (80), you must add the port number
as shown in the following example:
http://maincomputer.example.com:8080/iam/siteminder
The login page for the Administrative UI appears.
2. Enter a valid user name and password in the appropriate fields.
If you are accessing the Policy Server for the first time, use the default
super user administrator account, which you created during Policy Server
installation.
3. Click Log In.
The Administrative UI opens.
The contents of the window depend on the privileges of the administrator
account you used to login. You will only see the items to which your
account has access.
Create a Host Configuration Object for your SharePoint Resources (r12 SP1)
The Web Agent uses a Host Configuration object to connect with the Policy
Server. You will need the name of a Host Configuration object that is stored on
the Policy Server to configure a SiteMinder web agent on a web server that
protects your resources.
To create a host configuration object
1. Click Infrastructure, Hosts, Host Configuration, Create Host Configuration.
The Create Host Configuration: Host Configuration Search pane appears.
2. Click Create a copy of an object of type Host Configuration, and then click
OK.
The Create Host Configuration: Name pane appears.
3. Enter a distinctive name, and (optional) description.
4. Click Add, and then click the Host field.
5. Enter the IP Address of your Policy Server in the Host field.
6. Change any of the other configuration settings you want, and then click
Submit.
The Create Host Configuration task is submitted for processing.
Create a Web Agent Object for your SharePoint Resources (r12 SP1)
The Web Agent runs on the web server to protect resources, but each web
agent must be associated with a Web Agent object on the Policy Server. You
will need the name of this Web Agent object when you configure a SiteMinder
web agent on a web server.
To create a web agent object for your SharePoint resources
1. Click Infrastructure, Agent, Create Agent.
The Create Agent pane appears, and the Create a new object of type Agent
button is selected.
2. Click OK.
The Create Agent: pane appears.
3. Enter a distinctive name, and (optional) description.
Note: Web Agent names have the following limits:
■ Agent names must contain 7-bit ASCII characters in the range of
32-127, including one or more printable characters.
■ Agent names must not contain the ampersand (&) and asterisk (*)
characters.
■ Agent names are not case-sensitive. For example, you cannot
create one Agent named MyAgent and another Agent named
myagent.
4. Click Submit.
The Create Agent task is submitted for processing.
Create an Agent Configuration Object for your SharePoint Resources (r12 SP1)
An Agent Configuration Object lets you specify parameter settings on the
Policy Server that control how one or more web agents operate. You will need
the name of an Agent Configuration Object stored on the Policy Server to
configure a SiteMinder web agent on your web server.
This Agent Configuration object must also contain certain parameters and
settings to protect resources on a SharePoint web site with SiteMinder.
To create an Agent Configuration object for your SharePoint resources
1. Click Infrastructure, Agent Configuration, Create Agent Configuration.
The Create Agent Configuration: Agent Configuration Search pane appears.
2. Click Create a copy of an object of type Agent Configuration radio button.
3. Click IISDefaultSettings, and then click OK.
The Create Agent Configuration: Name pane appears.
4. Enter a distinctive name, and (optional) description.
5. In the Parameters list, locate the #DefaultAgentName parameter and then
click the Edit arrow (on the left).
The Edit Parameter pane appears.
6. Do the following:
a. Activate the parameter by removing the comment symbol (#) from the
Name field.
b. Click the Value field and type the name of the Web Agent object you
previously created in the Administrative UI for your SharePoint
implementation.
Note: Web Agent names have the following limits:
■ Agent names must contain 7-bit ASCII characters in the range of
32-127, including one or more printable characters.
■ Agent names must not contain the ampersand (&) and asterisk (*)
characters.
■ Agent names are not case-sensitive. For example, you cannot
create one Agent named MyAgent and another Agent named
myagent.
c. Click OK.
The Edit Parameter pane closes and your changes are applied.
7. In the Parameters list, locate the #LogoffUri parameter and then click the
Edit arrow.
The Edit Parameter pane appears.
8. Do the following:
a. Activate the parameter by removing the comment symbol (#) from the
Name field.
b. Click the Value field and type the following:
/_siteminder/redirector.aspx
c. Click OK.
The Edit Parameter pane closes and your changes are applied.
9. In the parameters list, locate the BadURLChars parameter and click the
Edit arrow.
The Edit Parameter pane appears.
10. Do the following:
a. Click the Value field and then remove only the characters that appear
in the URLs of resources you want to protect. For example, if the URL of
a protected resource contains the < and > characters, then delete < and >
from the list. Leave every other entry in place: the Web Agent rejects any
request whose URL contains a listed character, so each entry you remove is
a check the agent no longer performs.
b. Click OK.
The Edit Parameter pane closes and your changes are applied.
11. In the parameters list, locate the IgnoreExt parameter and click the Edit
arrow.
The Edit Parameter pane appears.
12. Do the following:
a. Click the Value field and then remove the extensions of any image file
types used in your protected resources from the list. For example, if
you use .png files, then delete .png from the list.
b. Click OK.
The Edit Parameter pane closes and your changes are applied.
13. Click Add.
The Create Parameter pane appears.
14. Click the Name field, and then type the following:
autoauthorizeoptions
15. Click the Value field and then type the following:
yes
16. Click OK.
The Create Parameter pane closes.
17. Click Submit.
The Create Agent Configuration Object task is submitted for processing.
Select a New Port Number for your IIS Default Web Site (r12 SP1)
When a user requests a protected SharePoint web site, the SiteMinder Web
Agent redirects the user to the default IIS web site and displays a login form
(FCC). After the user's credentials are received and verified, the SiteMinder
Web Agent redirects the user back to the protected SharePoint web site they
originally requested.
Since the SharePoint server takes over the default IIS port (80), and disables
any existing web sites already running on that port, you may find it helpful to
re-activate the Default IIS Web site on a different port. This lets you separate
your SiteMinder IIS traffic from your SharePoint traffic and may help with
logging or troubleshooting.
You must also specify this updated port number in the SiteMinder
Authentication scheme you create to protect your SharePoint resources.
More information:
Change the Port Number of the Default IIS Web Site (see page 67)
Create an Authentication Scheme for your SharePoint Resources (r12 SP1)
You need to create a separate SiteMinder authentication scheme for your
SharePoint resources. This authentication scheme replaces the SharePoint FBA
with a SiteMinder FCC.
To create an authentication scheme for your SharePoint resources
1. Click Infrastructure, Authentication, Authentication Scheme, Create New
Authentication Scheme.
The Create Authentication Scheme pane appears.
2. Make sure the Create a new object of type Authentication Scheme radio
button is selected, and then click OK.
The Create Authentication Scheme: pane appears.
3. Enter a distinctive name, and (optional) description.
4. Click the Authentication Scheme Type: drop-down list, and then select
HTML Form Template.
The Scheme Setup and Advanced group boxes appear.
5. Click the Web Server name field and type the fully-qualified domain name
of your IIS Default Web site, as shown in the following example:
iis_web_server_name.example.com
6. Click the Port field, and then enter the port number of your IIS default
Web site.
7. Click Submit.
The Create Authentication Scheme task is submitted for processing.
Create a User Directory Object for your Directory Server Instance (r12 SP1)
For SiteMinder to protect resources on SharePoint, you must add information
about your user directory server instance to the SiteMinder Policy Server. You
will also need this information when you add the LDAP Provider to the
web.config files of your SharePoint server.
To create a user directory object for your directory server instance
1. Click Infrastructure, Directory, User Directory, Create User Directory.
The Create User Directory: pane appears.
2. Enter a distinctive name, and (optional) description.
3. Click the Server field, and then enter the fully-qualified domain name of
your directory server, for example a name of the form
directory_server_name.example.com.
4. Make sure all of the following check boxes are clear:
■ Use authenticated user's security context
■ Secure Connection
Note: With Secure Connection clear, the Policy Server binds to the directory
over plain LDAP, so the credentials you enter in the next step cross the
network unencrypted. Select Secure Connection instead if your directory
accepts LDAP over SSL.
5. Select the Require Credentials check box, and then complete the following
fields:
■ Username
■ Password
■ Confirm Password
6. Click the Root field, and then type the following:
dc=your_domain_name,dc=your_domain_extension
Example: dc=example,dc=com
7. In the DN LDAP User Lookup section, click the Start field, and then type
the following:
uid=
8. Click the End field and type the following:
,dc=your_domain_name,dc=your_domain_extension
9. Click the Universal ID (R) field, and then type the following:
uid
10. Click Submit.
The Create User Directory task is submitted for processing.
Create an Application to protect your SharePoint Resources (r12 SP1)
To protect your SharePoint resources with SiteMinder, you need to create a
SiteMinder Application using the Administrative UI.
To create an application to protect your SharePoint resources
1. Click Policies, Applications, Application, Create Application.
The Create Application: pane appears.
2. Enter a distinctive name, and (optional) description.
3. Make sure that Web Agent appears in the Agent Type drop-down list.
4. Click the ellipsis button next to the Agent field.
The Select Agent or Agent Group pane appears.
5. Click the button next to the Web Agent Object you created for your
SharePoint resources, and then click OK.
The Create Application: Name pane reappears showing the name of your
Web Agent object.
6. Click the Authentication Scheme drop-down list and select the
authentication scheme for your SharePoint resources.
7. In the User Directories Group Box, click Add/Remove.
The Choose user directories dialog appears.
8. In the Available Members list, click the name of your SharePoint directory,
and then click the right arrow.
Your SharePoint user directory object appears in the Selected Members
list.
9. Click OK.
The Create Application: Name pane reappears showing the name of your
Directory object.
10. Click Submit.
The Create Application task is submitted for processing.
Leave the SharePoint Virtual Directories Unprotected (r12 SP1)
Each SharePoint web site contains several virtual directories that must remain
unprotected by SiteMinder. For example, if you are protecting a SharePoint
web site in the following location of your IIS server:
C:\Inetpub\wwwroot\wss\VirtualDirectories\10855
Then you must leave all of the following virtual subdirectories unprotected:
■ _vti_bin
■ _vti_inf
■ _layouts
To leave the SharePoint virtual directories unprotected
1. Open the Application you created to protect your SharePoint resources by
doing the following:
a. Click Policies, Applications, Application, Modify Application.
The Modify Application pane appears.
b. Click the button next to your SharePoint application, and then click
Select.
The Modify Application: Name pane appears.
2. Add components for the virtual directories by doing the following:
a. In the components section, click Create.
The Create Component dialog appears.
b. Click the Name field and then enter a distinctive name.
c. Click the Browse button next to the Agent field, and then select the
name of the Web Agent you created to protect your SharePoint
resources.
The Agent name appears in the field.
d. Click the Resource Filter field, and then type the following:
_vti_bin
e. Click the Unprotected radio button, and then click the Authentication
Scheme drop-down list and select the Authentication Scheme you
created for your SharePoint resources.
f. Click OK.
The virtual directory you created appears in the components list.
g. Repeat Steps a through c.
h. Click the Resource Filter field, and then type the following:
_vti_inf
i. Repeat steps e and f.
j. Repeat Steps a through c.
k. Click the Resource Filter field, and then type the following:
_layouts
l. Repeat steps e and f.
The list of components appears. Your settings should match those
shown in the Resource Filter and Default Resource Protection columns
in the following illustration:
Note: The sort order of the items may be different. It does not affect their
operation.
3. Click Submit.
The Modify Application task is submitted for processing and unprotected
settings for the virtual directories are saved.
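The realm layout built in Create Realms for your SharePoint Resources (r6.x SP5) and the component layout built in the procedure above produce the same result: one protected root and three unprotected prefixes. The script below is an added example, not code from the CA guide or from the Web Agent. It models how a request is classified: first the BadURLChars screen, then the most specific resource filter that is a string prefix of the request path, which is how the Policy Server matches realms and application components. The host sharepoint.example.com, the sample request list and the BadURLChars value are constructed for this example, and the function names are mine.

```python
"""Which SharePoint request paths end up behind the SiteMinder login form.

Added example, not code from the CA guide. Models the BadURLChars screen the
Web Agent applies to every request and the protected-root / unprotected
sub-realm layout the procedures build. Resource filters are matched by plain
string prefix, most specific filter wins. Sample URLs and the BadURLChars
value are constructed; substitute your own.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Realm:
    name: str
    resource_filter: str   # prefix under the agent root "/"
    protected: bool


# The layout the procedures above build (r6.x realms or r12 components).
SHAREPOINT_REALMS = (
    Realm("sharepoint-root", "/", True),
    Realm("vti_bin", "/_vti_bin", False),
    Realm("vti_inf", "/_vti_inf", False),
    Realm("layouts", "/_layouts", False),
)

# Constructed BadURLChars value in the parameter's own comma-separated form;
# %xx-%yy entries are ranges of URL-encoded bytes.
SAMPLE_BAD_URL_CHARS = "//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25"

_RANGE = re.compile(r"%([0-9a-fA-F]{2})-%([0-9a-fA-F]{2})")
_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")


def parse_bad_url_chars(value):
    """Split a BadURLChars value into literal substrings and byte ranges."""
    literals, ranges = [], []
    for token in filter(None, (t.strip() for t in value.split(","))):
        m = _RANGE.fullmatch(token)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
        else:
            literals.append(token)
    return literals, ranges


def bad_url_hit(request_uri, bad):
    """Return the offending entry if the request URI contains anything BadURLChars names."""
    literals, ranges = bad
    for literal in literals:
        if literal in request_uri:
            return literal
    for m in _ESCAPE.finditer(request_uri):
        code = int(m.group(1), 16)
        if any(lo <= code <= hi for lo, hi in ranges):
            return m.group(0)
    return None


def most_specific_realm(path, realms=SHAREPOINT_REALMS):
    """Longest resource filter that is a string prefix of the path."""
    matches = [r for r in realms if path.startswith(r.resource_filter)]
    return max(matches, key=lambda r: len(r.resource_filter), default=None)


def decide(url, realms=SHAREPOINT_REALMS, bad_url_chars=SAMPLE_BAD_URL_CHARS):
    """'blocked' (agent rejects the URL), 'protected' (FCC login required) or 'unprotected'."""
    parts = urlsplit(url)
    # The agent screens the request URI (path and query), not the scheme or host.
    request_uri = parts.path + (f"?{parts.query}" if parts.query else "")
    if bad_url_hit(request_uri, parse_bad_url_chars(bad_url_chars)):
        return "blocked"
    realm = most_specific_realm(parts.path or "/", realms)
    return "protected" if realm is not None and realm.protected else "unprotected"


# Constructed sample requests against an assumed SharePoint host.
SAMPLE_REQUESTS = (
    "http://sharepoint.example.com/default.aspx",
    "http://sharepoint.example.com/Shared%20Documents/Forms/AllItems.aspx",
    "http://sharepoint.example.com/_layouts/login.aspx",
    "http://sharepoint.example.com/_vti_bin/lists.asmx",
    "http://sharepoint.example.com/_vti_inf.html",
    "http://sharepoint.example.com/_layouts/../default.aspx",
)


def audit(urls=SAMPLE_REQUESTS):
    """Classify each sample request."""
    return {url: decide(url) for url in urls}


if __name__ == "__main__":
    for url, verdict in audit().items():
        print(f"{verdict:11} {url}")
```

Two results are worth noticing. /_vti_inf.html is a file at the site root, not a directory, and it is left unprotected only because filters match by prefix; the same prefix rule means a filter of _vti_bin also covers a path such as /_vti_bin_extra/, so confirm the paths you care about with the SiteMinder Test Tool rather than assuming a directory boundary. Removing entries from BadURLChars moves requests from blocked to protected or unprotected, which is why the Agent Configuration step says to remove only the characters your protected URLs need.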
Add Resources to your Application (r12 SP1)
To protect your SharePoint resources with SiteMinder, you must define
application resources which specify the protected items and which actions the
SiteMinder web agent will intercept.
To add resources to your application
1. Open the Application you created to protect your SharePoint resources by
doing the following:
a. Click Policies, Applications, Application, Modify Application.
The Modify Application pane appears.
b. Click the button next to your SharePoint application, and then click
Select.
The Modify Application: Name pane appears.
2. Add Resources to the application by doing the following:
a. Click the Resource tab, and then click Create.
The Create Application Resource: pane appears.
b. Enter a distinctive name for the resource.
c. Click the Resource field and enter the following:
*
The effective resource displays /*
d. Under the Action group box, make sure that the Web Agent Actions
radio button is selected, and then click the following actions:
■ Get
■ Post
■ Put
e. Click OK.
The Create Application Resource: pane closes, and the Modify
Application: Name pane appears.
3. Click Submit.
The Modify Application task is submitted for processing.
Add Roles to your Application (r12 SP1)
To protect your SharePoint resources with SiteMinder, the SiteMinder
application you create must define application roles that define who can access
the protected directory.
To add roles to your application
1. Open the Application you created to protect your SharePoint resources by
doing the following:
a. Click Policies, Applications, Application, Modify Application.
The Modify Application pane appears.
b. Click the button next to your SharePoint application, and then click
Select.
The Modify Application: Name pane appears.
2. Add a Role to your Application by doing the following:
a. Click the Roles Tab, and then click Create.
The Create Role tab appears.
b. Make sure the Create a new object of type Role radio button is
selected, and then click OK.
The Create Role: pane appears.
c. Enter a distinctive name, and (optional) description.
d. Click the Expression field, and then type the following:
(TRUE)
Note: This expression places every user who authenticates against the
application's user directory in the role. Use a narrower expression if
only some of those users should reach the SharePoint site.
e. Click OK.
The Modify Application: Name pane appears.
3. Click Submit.
The Modify Application task is submitted for processing.
Create a Policy for your Application (r12 SP1)
The last step in configuring a SiteMinder r12 SP1 Policy to protect your
SharePoint resources involves creating a policy which combines access rights
to the resources and roles.
To create a policy for your application
1. Open the Application you created to protect your SharePoint resources by
doing the following:
a. Click Policies, Applications, Application, Modify Application.
The Modify Application pane appears.
b. Click the button next to your SharePoint application, and then click
Select.
The Modify Application: Name pane appears.
2. Click the Policies tab.
The Policies group box appears.
3. Verify the following:
■ The Select a context root drop-down list shows the root level (/).
■ The Name radio button is selected.
4. Locate the table that shows your SharePoint resources and roles, and then
select the check box to grant access to the resources, as shown in the
following illustration:
5. Click Submit.
The Modify Application task is submitted for processing.
Chapter 4: Configure SharePoint 2007
This section contains the following topics:
How to Create a SharePoint 2007 Test Site (see page 43)
How to Configure Your SharePoint Forms Based Authentication (see page 47)
How to Create a SharePoint 2007 Test Site
Creating a SharePoint test site will help you learn more about how SharePoint
works and give you a chance to test your SharePoint and SiteMinder
implementation in a staging environment before making changes on your
production systems. To create a SharePoint test environment, use the
following process:
1. Create a new SharePoint site (see page 44).
2. Add the new SharePoint site to a site collection (see page 45).
3. On your new SharePoint site, create a document library (see page 46).
Create a New SharePoint Site
Creating a new SharePoint site gives you a fixed reference point you can use
as a guide as you prepare for your SiteMinder integration.
To create a new SharePoint site
1. From your SharePoint host computer, click Start, Programs, Microsoft
Office Server, SharePoint 3.0 Central Administration.
The Central Administration home page appears.
2. Click the Application Management tab, and then click Create or extend
Web application.
The Create or Extend Web Application page appears.
3. Click Create a new Web application.
The Create New Web Application page appears.
4. Select the options you want for the new site. Note the port number for
future reference (if you are using different ports to distinguish your sites),
and then click OK.
The progress indicator appears. When your changes are saved, the
Application Created page appears.
5. Follow any additional instructions on the screen to finish creating your new
SharePoint site.
The new SharePoint site is created.
Add the New SharePoint Site to a Site Collection
After the new SharePoint site is created, you must add it to a Site Collection.
To add the new SharePoint site to a site collection
1. Do either of the following:
■ From the Application Created screen, click the Create Site Collection
link.
■ Open the SharePoint Central Administration site, click the Application
Management tab, and then click Create Site Collection.
The Create Site Collection page appears.
2. Make sure the URL for your new site appears in the drop-down list, as
shown in the following example:
3. Complete the form to create your site collection, and then click OK.
The progress indicator appears. When your changes are saved, the
Top-Level Site Successfully Created page appears.
Create a Document Library
A document library lets you test the version-control and change
management features of the documents hosted on your SharePoint site.
SiteMinder can control access to these SharePoint resources as well.
To create a document library
1. Open your new SharePoint site in a browser.
The Home page for your site appears.
2. Click the Site Actions, drop-down list, and then select Create.
The Create page appears.
3. Under the Libraries column, click Document Library.
The New page appears.
4. Complete the form, and then click Create.
The page of your document library appears. The list of documents is
empty.
5. Add documents to the library by clicking New or Upload and following
the instructions on the screen.
Your document library is created.
How to Configure Your SharePoint Forms Based
Authentication
If you want to use SiteMinder Forms-based authentication (FCC) with
SharePoint, we recommend configuring your SharePoint forms-based
authentication (FBA) first. This helps you verify that the SharePoint
authentication works correctly before making the additional configuration
changes that SiteMinder requires.
If your SharePoint FBA is not already configured, use the following process:
1. Save copies of the current web.config files for all of the following
SharePoint web sites under a different name (see page 48):
■ The SharePoint Central Configuration site
■ Each SharePoint web site you want to protect with SiteMinder
2. Add the following setting to the SharePoint Central Configuration web site
(see page 49):
■ Membership provider
3. Add the following settings to each SharePoint web site you want to protect
(see page 51):
■ Membership provider
■ Authentication method
4. (Optional) Encrypt the sensitive information in the web.config files (see
page 53).
5. Use the SharePoint Central Configuration web site to do the following:
a. Change the authentication provider of each SharePoint site you want to
protect (see page 54).
b. Add users to each SharePoint site you want to protect (see page 55).
c. Update the site administrator accounts to use FBA (see page 56).
6. Test your SharePoint FBA configuration (see page 57).
Back Up Your Existing web.config Files
To configure SharePoint to operate with SiteMinder you need to modify the
web.config file of your SharePoint Central Administration web site, and the
web.config file of any SharePoint site you want to protect. Since a single IIS
server may contain many virtual SharePoint sites, identifying the correct files
to modify is critical.
To locate and backup the existing web.config files
1. Open the IIS 6.0 Manager on your web server.
2. In the left pane, expand the web server, and then expand Web Sites.
A list of web sites appears.
3. Right-click the SharePoint Central Administration site, and then select
Open.
Windows Explorer opens the directory for the Central Administration web
site.
4. Open the web.config file and save a copy of the original using a different
name.
5. Close the Windows Explorer window.
6. Go back to the IIS Manager window, and right-click the folder of a
SharePoint site you want to protect, and then select Open.
Windows Explorer opens the directory for the SharePoint web site.
7. Open the web.config file and save a copy of the original using a different
name.
We recommend using a name that will help you remember the point at
which you changed the file. For example, if you are saving a copy of your
FBA web.config file before adding the SiteMinder information, you might
want to name the backup copy of the file fba_web.config.
8. Close the Windows Explorer window.
9. Repeat Steps 6 through 8 for each SharePoint site you want to protect.
All of the existing web.config files have been backed up.
Add the Membership Provider to the SharePoint Central Configuration Web Site
To integrate Microsoft SharePoint with SiteMinder, you must update the
web.config file of the central SharePoint web site with the following
information:
Membership Provider
Defines the following information in the web.config file:
■ Default Membership Provider Name
■ Membership Provider Name and Type
■ Directory Attributes
■ User Name and password of account authorized to connect to the
directory. (We recommend binding with an account for better
security, but you can omit these attributes if you want to bind
anonymously to the directory)
Example:
<membership defaultProvider="LdapMembership">
<providers>
<add name="LdapMembership"
type="Microsoft.Office.Server.Security.LDAPMembershipProvider,
Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral,
PublicKeyToken=71E9BCE111E9429C"
server="directory_server_name_or_IP_address"
port="directory_server_instance_port_number" useSSL="false"
userDNAttribute="entryDN" userNameAttribute="cn"
userContainer="dc=server_domain,dc=domain_extension"
userObjectClass="Inetorgperson"
userFilter="(ObjectClass=Inetorgperson)" scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn"
connectionUsername="cn=user_name"
connectionPassword="password" />
</providers>
</membership>
To edit the web.config file of the SharePoint central administration
web site
1. Open a copy of the original web.config file with an XML editor.
Important! Do not use Notepad, WordPad, or any other text editor with
line-length limitations to edit the XML file. A text editor designed for
writing programming source code will generally not have such line-length
limitations. For more information, see the documentation or online help for
your editor.
2. Locate the following tags:
<system.web>
<securityPolicy>
3. Insert the following sections between the tags, and then replace the
variables shown with your values:
<membership defaultProvider="LdapMembership">
<providers>
<add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider,
Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="directory_server_name_or_IP_address" port="directory_server_instance_port_number"
useSSL="false" userDNAttribute="entryDN" userNameAttribute="cn"
userContainer="dc=server_domain,dc=domain_extension" userObjectClass="Inetorgperson"
userFilter="(ObjectClass=Inetorgperson)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn"
connectionUsername="cn=user_name" connectionPassword="password" />
</providers>
</membership>
4. Save the web.config file and close the XML editor.
The SharePoint Central Administration server contains a membership
provider.
Add the Membership Provider and Authentication Method to Each SharePoint
Web Site you want to protect
To integrate Microsoft SharePoint with SiteMinder, you must update the
web.config file of each SharePoint web site that you want to protect with
SiteMinder using the following information:
Membership Provider
Defines the following information in the web.config file:
■ Default Membership Provider Name
■ Membership Provider Name and Type
■ Directory Attributes
■ User Name and password of account authorized to connect to the
directory. (We recommend binding with an account for better
security, but you can omit these attributes if you want to bind
anonymously to the directory)
Example:
<membership defaultProvider="LdapMembership">
<providers>
<add name="LdapMembership"
type="Microsoft.Office.Server.Security.LDAPMembershipProvider,
Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral,
PublicKeyToken=71E9BCE111E9429C"
server="directory_server_name_or_IP_address"
port="directory_server_instance_port_number" useSSL="false"
userDNAttribute="entryDN" userNameAttribute="cn"
userContainer="dc=server_domain,dc=domain_extension"
userObjectClass="Inetorgperson"
userFilter="(ObjectClass=Inetorgperson)" scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn"
connectionUsername="cn=user_name"
connectionPassword="password" />
</providers>
</membership>
Authentication Mode
Defines the following information in the web.config file:
■ Which type of authentication is used by SharePoint.
■ Any parameters required to use the specified type of
authentication. For example, if Forms authentication is used, this
section must contain the URL of the form where the user enters
credentials.
Default: "Windows"
Example (FBA): <forms loginUrl="/_layouts/login.aspx" />
Example (SiteMinder): <forms loginUrl="/_siteminder/siteminderlogin.aspx" />
To edit the web.config file of each SharePoint web site you want to
protect
1. Open the web.config file with an XML editor.
Important! Do not use Notepad, WordPad, or any other text editor with
line-length limitations to edit the XML file. A text editor designed for
writing programming source code will generally not have such line-length
limitations. For more information, see the documentation or online help for
your editor.
2. Locate the following tags:
<system.web>
<securityPolicy>
3. Insert the following sections between the tags, and then replace the
placeholder variables shown with your values:
<membership defaultProvider="LdapMembership">
<providers>
<add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider,
Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="directory_server_name_or_IP_address" port="directory_server_instance_port_number"
useSSL="false" userDNAttribute="entryDN" userNameAttribute="cn"
userContainer="dc=server_domain,dc=domain_extension" userObjectClass="Inetorgperson"
userFilter="(ObjectClass=Inetorgperson)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn"
connectionUsername="cn=user_name" connectionPassword="password" />
</providers>
</membership>
4. Locate the following tag:
<authentication mode="Windows" />
5. In the previous line do the following:
■ Replace the word "Windows" with the word "Forms".
■ Delete the closing slash and the extra white space.
6. Add the FBA lines shown in the following example:
<forms loginUrl="/_layouts/login.aspx" />
</authentication>
The authentication section should match the following example:
<authentication mode="Forms">
<forms loginUrl="/_layouts/login.aspx" />
</authentication>
7. Save the web.config file.
The membership provider and forms authentication settings are added.
Repeat Steps 1 through 7 for each SharePoint web site you want to protect
with SiteMinder.
How to Encrypt the Sensitive Information in your web.config Files
The web.config files for your SharePoint Central Administration site and any
sites you want to protect with the Microsoft FBA or CA SiteMinder may contain
sensitive information that you want to protect, such as the following:
■ Directory server URLs
■ User names
■ Passwords
For more information about encrypting the sensitive areas of your web.config
file, go to the Microsoft Developer Network web site and search for one of the
following phrases:
■ Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
■ Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
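The following script is an added example, not code from CA or Microsoft, covering both the web.config editing procedures above (Central Administration and each protected site) and this encryption section. It parses a web.config and reports what an administrator would want to catch before enabling FBA: template placeholders that were never replaced, a bind account whose connectionPassword still sits in clear text in a membership section that has not been protected with DPAPI or RSA (a protected section carries a configProtectionProvider attribute and an EncryptedData child in place of its original attributes), bind credentials used with useSSL="false", an authentication mode that is not Forms or that lacks a <forms loginUrl> element, and a provider name that differs from the name you will enter in Central Administration. All web.config fragments in it are constructed for the example; the host names, DN and password in them are not real values.

```python
"""Sanity checks for the FBA/SiteMinder sections of a SharePoint web.config.
Added example; the sample configurations below are constructed, not real."""
import xml.etree.ElementTree as ET

# Placeholder values from the documentation's template. Any of them surviving
# in a deployed file means the provider cannot bind to the directory.
PLACEHOLDERS = {
    "directory_server_name_or_IP_address",
    "directory_server_instance_port_number",
    "dc=server_domain,dc=domain_extension",
    "cn=user_name",
    "password",
}


def check_web_config(xml_text, expected_provider=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    system_web = ET.fromstring(xml_text).find("system.web")
    if system_web is None:
        return ["no <system.web> section found"]

    membership = system_web.find("membership")
    if membership is None:
        findings.append("no <membership> section found")
    elif membership.get("configProtectionProvider") is None:
        # Unprotected section: provider attributes are readable, so inspect them.
        # (A DPAPI/RSA-protected section is opaque here and is left alone.)
        providers = membership.findall("providers/add")
        names = [p.get("name") for p in providers]
        if membership.get("defaultProvider") not in names:
            findings.append("defaultProvider does not name a defined provider")
        if expected_provider is not None and expected_provider not in names:
            findings.append(f"provider {expected_provider!r} is not defined in web.config")
        for prov in providers:
            for attr, value in prov.attrib.items():
                if value in PLACEHOLDERS:
                    findings.append(f"placeholder not replaced: {attr}={value!r}")
            if prov.get("connectionPassword") is not None:
                findings.append("connectionPassword stored in clear text; encrypt the membership section")
                if prov.get("useSSL", "false").lower() != "true":
                    findings.append('bind credentials used with useSSL="false"')

    auth = system_web.find("authentication")
    if auth is None or auth.get("mode") != "Forms":
        findings.append("authentication mode is not Forms")
    else:
        forms = auth.find("forms")
        if forms is None or not forms.get("loginUrl"):
            findings.append("Forms authentication has no <forms loginUrl=...> element")
    return findings


# Provider type string as given in the documentation's template.
PROVIDER_TYPE = ("Microsoft.Office.Server.Security.LDAPMembershipProvider, "
                 "Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, "
                 "PublicKeyToken=71E9BCE111E9429C")


def _config(membership_xml, auth_xml):
    """Wrap constructed fragments in a minimal web.config skeleton."""
    return (f"<configuration><system.web>{membership_xml}{auth_xml}"
            "<securityPolicy/></system.web></configuration>")


# 1. Template pasted in but never filled out; authentication still Windows.
TEMPLATE = _config(f'''<membership defaultProvider="LdapMembership"><providers>
    <add name="LdapMembership" type="{PROVIDER_TYPE}"
         server="directory_server_name_or_IP_address" port="389" useSSL="false"
         userDNAttribute="entryDN" userNameAttribute="cn"
         userContainer="dc=server_domain,dc=domain_extension"
         userObjectClass="Inetorgperson" userFilter="(ObjectClass=Inetorgperson)"
         scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn"
         connectionUsername="cn=user_name" connectionPassword="password" />
  </providers></membership>''', '<authentication mode="Windows" />')

# 2. Filled out (constructed values) and switched to Forms, but not yet encrypted.
FILLED = _config(f'''<membership defaultProvider="LdapMembership"><providers>
    <add name="LdapMembership" type="{PROVIDER_TYPE}"
         server="ldap.example.com" port="636" useSSL="true"
         userDNAttribute="entryDN" userNameAttribute="cn"
         userContainer="dc=example,dc=com" userObjectClass="Inetorgperson"
         userFilter="(ObjectClass=Inetorgperson)" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn"
         connectionUsername="cn=svc_sharepoint,dc=example,dc=com"
         connectionPassword="EXAMPLE-NOT-A-REAL-PASSWORD" />
  </providers></membership>''',
  '<authentication mode="Forms"><forms loginUrl="/_layouts/login.aspx" /></authentication>')

# 3. The same section after RSA protection (ciphertext omitted in this sample).
PROTECTED = _config(
    '<membership configProtectionProvider="RsaProtectedConfigurationProvider">'
    '<EncryptedData>...</EncryptedData></membership>',
    '<authentication mode="Forms"><forms loginUrl="/_siteminder/siteminderlogin.aspx" /></authentication>')

if __name__ == "__main__":
    for label, cfg in (("template", TEMPLATE), ("filled", FILLED), ("protected", PROTECTED)):
        print(label, check_web_config(cfg, expected_provider="LdapMembership"))
```

Run it against the real file with `check_web_config(open(path).read(), expected_provider=name)`, where name is the Membership Provider Name you enter on the Edit Authentication page; the constructed samples show the three states a file passes through: the raw template, the filled-in but still clear-text file, and the encrypted section that the script no longer needs to inspect.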
Enable SharePoint FBA
After the web.config files for both the SharePoint Central Administration site
and the other web sites you want to protect have been modified, you need to
enable the SharePoint FBA authentication.
To enable SharePoint FBA
1. Click Start, Programs, Microsoft Office Server, SharePoint 3.0 Central
Administration.
The SharePoint Central Administration home page appears.
2. Click the Application Management Tab.
The Application Management page appears.
3. In the Application Security section, click the Authentication Providers link.
The Authentication Providers Page appears.
4. Make sure the SharePoint web site that you want to protect with FBA
appears in the pull-down menu in the upper-right corner of the screen, as
shown in the following illustration:
5. Click the Zone of your web site in the left column.
The Edit authentication page appears.
6. Do the following:
■ In the Authentication Type section, click the Forms button.
■ In the Membership Provider Name field, type the name of your
membership provider (this must match the name defined in your
SharePoint web.config files).
■ In the Client Integration section, click the Yes button.
7. Click Save.
The Authentication Providers page appears.
Add Users to Your SharePoint Web Site
After SharePoint FBA is enabled, you need to add users to your SharePoint web
site.
To add users to your SharePoint web site
1. Click the Application Management tab.
The Application Management screen appears.
2. Under the Application Security section, click Policy for Web Application.
The Policy for Web Application screen appears.
3. Click Add Users.
The Add Users screen appears.
4. Make sure the SharePoint web site to which you want to add users appears
in the pull-down menu in the upper-right corner of the screen, as shown in
the following illustration:
5. (Optional) Select the Zone from the drop-down list.
6. Click Next.
7. In the Users field, do any of the following:
■ Type the name of a user.
■ Use the Check Names button to verify user names.
■ Use the Browse button to locate users.
Important! You must enter the User ID (uid) when adding or
searching for users (searches using wildcards are also allowed).
Searches using other attributes may not return results.
8. Select the check boxes of the permissions you want.
9. Click Finish.
Users are added to your SharePoint web site.
Update the Site Collection Administrator Account to Use FBA
The original Windows accounts that have site-collection-administrator
privileges need to be authorized to use FBA.
To update the site collection administrator accounts to use FBA
1. Click the Application Management tab.
The application management page appears.
2. In the SharePoint Site Management section, click Site Collection
Administrators.
The Site Collection Administrators page appears.
3. Make sure the site collection that contains the resources you want to
protect with FBA appears in the drop-down list, as shown in the following
illustration:
4. Click the Primary Site Collection Administrator field, and then enter the
name of the person you want to designate as an administrator, as shown
in the following example:
Site Collection Administrator
Specifies a user who can create, maintain, or remove content from a
group of resources hosted on a SharePoint web site. If you are using
SharePoint FBA, this user must exist in the directory of the
membership provider, and the user name must have the following
format:
membership_provider_name:user_name
Example: LDAPMembershipProvider:user01
Important! You must enter the User ID (uid) when adding or
searching for users (searches using wildcards are also allowed).
Searches using other attributes may not return results.
5. (Optional) Click the Secondary Site Collection Administrator Field, and
enter the name of a person you want, as shown in Step 4.
6. Click OK.
The Site Collection Administrators page closes and the Application
Management page appears. The Administrators have been added.
Test Your SharePoint FBA
You should test your SharePoint FBA configuration by making sure the Site
Collection Administrators can access their respective site collections.
To test your SharePoint FBA
1. Open a web browser.
2. Enter the URL of the protected site collection.
The Sign In form appears.
3. Type the user name and password in the fields on the form, and then
click Sign In.
The Home page of the site collection appears.
Note: The Welcome message shown in the upper right after you sign into
SharePoint displays your User ID.
Chapter 5: Configure SiteMinder Web
Agent and Related SharePoint Web Sites
This section contains the following topics:
How to Add SiteMinder to your SharePoint Environment (see page 59)
How to Configure an IIS Web Agent to Protect SharePoint Resources (see page
64)
How to Configure your SharePoint Web Sites for SiteMinder (see page 75)
How to Add SiteMinder to your SharePoint Environment
To replace the SharePoint FBA with the CA SiteMinder FCC authentication
scheme, use the following process:
1. Install the SiteMinder Web Agent for IIS on the web server.
2. Add the SiteMinder .ASPX Files to the SharePoint web site.
3. Install the SiteMinder DLL file in the Global Assembly Cache.
4. Use a fully-qualified domain name in your SharePoint web sites.
Install the SiteMinder Web Agent for IIS
The SiteMinder Web Agent for IIS must be installed on the computer that runs
IIS and SharePoint 2007.
To install the SiteMinder Web Agent for IIS
1. Download and extract the following file from the support site:
smwa-version-crnumber-winarchitecture.zip
Example: smwa-6qmr5-cr021-win32.zip
2. Double-click the .exe file.
The installation wizard starts.
3. Use the wizard to install the SiteMinder web Agent.
Note: The following directories are the default locations for the Windows
operating system:
■ (r6.x SP5): C:\Program Files\netegrity\webagent\
■ (r12 SP1): C:\Program Files\CA\webagent\
After installing the software, the wizard prompts you to restart your
system.
4. Click the radio button you want, and then click Done.
The wizard closes, and the web agent is installed. If you chose to restart
your system in Step 4, then your computer restarts automatically.
How to Install the SiteMinder DLL to the Global Assembly Cache
The SiteMinder Web Agent software contains a DLL file specifically for
SharePoint integration. The SiteMinder installer places this file in the following
location:
web_agent_home\sharepoint\SiteminderNET.dll
Note: The default value of the web_agent_home variable is either of
the following directories:
■ (r6.x SP5): C:\Program Files\netegrity\webagent
■ (r12 SP1): C:\Program Files\CA\webagent
This DLL file must be installed in the Global Assembly Cache of the computer
that hosts your Web Server.
To install the DLL file, use one of the following methods:
■ Drag and drop the DLL file from its installed location to the Global
Assembly Cache
Note: The Global Assembly Cache is located in the following directory:
C:\WINDOWS\assembly
■ Use the gacutil.exe tool (which is included with the .NET Framework SDK
2.0).
Note: For more information, see your Microsoft documentation, or go to
http://support.microsoft.com/
More information:
Microsoft Prerequisites (see page 13)
Add the SiteMinder .ASPX Files to the SharePoint Web Site
SiteMinder uses several .aspx files when it protects Microsoft SharePoint web
sites. These files need to be installed in a virtual directory for each SharePoint
web site you want to protect.
To add the SiteMinder .ASPX files to the SharePoint web site
1. Click Start, Programs, Administrative Tools, Internet Information Services
(IIS) Manager.
The IIS Manager opens.
2. Expand the IIS Web Server in the left column.
3. Expand the Web Sites folder in the left column.
4. Right-click the SharePoint web site instance you want to protect, and then
select New, Virtual Directory.
The Virtual Directory Creation Wizard starts. Do the following steps:
a. Click Next.
The Virtual Directory Alias screen appears.
b. In the Alias field, type the following, and then click Next.
_siteminder
c. Click the Browse button and navigate to the following directory:
web_agent_home\sharepoint
Note: The default value of the web_agent_home variable is either of
the following directories:
■ (r6.x SP5): C:\Program Files\netegrity\webagent
■ (r12 SP1): C:\Program Files\CA\webagent
d. Click OK.
The path to the directory appears in the dialog.
e. Click Next.
f. Select the Run Scripts (such as ASP) check box, and then click Next.
g. Click Finish.
The wizard closes and the new directory appears in the IIS Manager.
5. Repeat Step 4 for each SharePoint web site you want to protect with
SiteMinder.
Use a Fully-Qualified Domain Name in your SharePoint Sites
The SharePoint sites must use a fully-qualified domain name to integrate with
the SiteMinder web agent.
To set your SharePoint site to use a fully-qualified domain name
1. Click Start, Programs, Microsoft Office Server, SharePoint 3.0 Central
Administration.
The Central Administration page appears.
2. Click the Operations tab.
A list of tasks appears.
3. In the Global Configuration section, click Alternate Access Mappings.
A list of web sites appears.
4. Locate your SharePoint site. Examine the URL listed in the Public URL for
Zone column on the right and verify that it uses a fully-qualified domain
name.
Note: my_web_site.example.com is an example of a fully-qualified domain
name.
5. If the URL in Step 3 does not use a fully-qualified domain name, do the
following:
a. Click the Alternate Access Mapping Collection drop-down list, and then
select Change Alternate Access Mapping Collection.
A list of Alternate Access Mapping Collections appears.
b. Click the link for your SharePoint site.
The Alternate Access Mappings screen shows only those sites in your
collection.
c. Make sure the name of the SharePoint site you want to protect appears
in the drop-down list, as shown in the following example:
d. Click Edit Public URLs.
The Edit Public Zone URLs screen appears.
e. Edit the URLs to include a fully-qualified domain name.
f. Click Save.
The URL shown in the Public URL for Zone column appears with a
fully-qualified domain name.
6. Repeat Steps 2 through 5 for each SharePoint web site you want to
protect.
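The Alternate Access Mapping procedure above asks you to verify by eye that each Public URL for Zone uses a fully-qualified domain name. The following script is an added example, not code from CA or Microsoft, that applies the same test to a list of URLs so the check can be repeated across many web applications. A host is accepted as fully-qualified when it has at least two DNS labels (for example my_web_site.example.com) and is not a bare IP address; single-label NetBIOS-style names are rejected. The URL list in it is constructed for the example.

```python
"""Flag SharePoint public zone URLs whose host is not a fully-qualified domain name.
Added example; the sample URL list below is constructed, not taken from a real farm."""
import ipaddress
from urllib.parse import urlsplit


def is_fqdn(host):
    """True if host looks like a fully-qualified DNS name (two or more labels, not an IP)."""
    if not host:
        return False
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is not a domain name
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return False  # single-label host such as "sharepoint"
    return all(label and len(label) <= 63 for label in labels)


def hostname_of(url):
    """Extract the host part of a URL, ignoring scheme, port and path."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""


def non_fqdn_urls(urls):
    """Return the URLs whose host is not a fully-qualified domain name."""
    return [u for u in urls if not is_fqdn(hostname_of(u))]


# Constructed sample, in the shape of the "Public URL for Zone" column.
SAMPLE_PUBLIC_URLS = [
    "http://sharepoint",                     # single-label host: flagged
    "http://sharepoint:8080",                # port does not make it qualified: flagged
    "http://192.168.1.100",                  # IP literal: flagged
    "https://my_web_site.example.com",       # fully-qualified: accepted
    "http://portal.corp.example.com:80/",    # fully-qualified with port and path: accepted
]

if __name__ == "__main__":
    for url in non_fqdn_urls(SAMPLE_PUBLIC_URLS):
        print("not fully-qualified:", url)
```

Feed it the Public URL for Zone values copied from the Alternate Access Mappings page; every URL it prints is one that Step 5 above tells you to edit.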
How to Configure an IIS Web Agent to Protect SharePoint
Resources
Before you can use the Web Agent on an IIS 6.0 web server to protect your
SharePoint web sites, you must complete these prerequisites using the
following process:
1. Assign read permissions to samples and error files directories (see
page 65).
2. Allow IIS to execute Web Agent ISAPI and CGI extensions (see page 66).
3. Change the port number of the Default IIS web site (see page 67).
4. Gather the Web Agent information (see page 68).
5. Run the IIS Web Agent Configuration Wizard (see page 70).
6. (Optional) Increase the Web Agent's size limit for uploaded files (see
page 71).
7. Put the Agent filter and extension before other third-party filters (see
page 72).
8. Add the ISAPI filter to each SharePoint web site you want to protect (see
page 74).
Assign Read Permissions to Samples and Error Files Directories
The Network Service account must have Read permissions to any directory
where the Web Agent reads forms credential collector (FCC) files and to any
directory where the Web Agent reads Web Agent custom error files.
To Assign Read Permissions to the Samples and Error Files Directories
1. Open Windows Explorer and go to the appropriate directory:
■ samples: web_agent_home/samples
■ custom error file: the location of your custom error files. There is no
default location.
2. Right-click the directory and select Sharing and Security.
3. Select the Security tab.
4. Click Add.
The Select Users, Computers, or Groups dialog box opens.
5. Do the following:
a. Accept the defaults for the Select this object type and From this
Location fields.
b. In the Enter the object names to select field, enter Network Service
and click OK.
You return to the Properties dialog box for the directory.
6. In the Permissions for Network Service scroll-box, allow Read permissions.
7. Click OK to finish.
Repeat this procedure for each directory.
Allow IIS to Execute the Agent ISAPI and CGI Extensions
You must add certain ISAPI and CGI extensions to the IIS 6.0 web server and
grant the server permission to execute them before configuring the SiteMinder
Web Agent. These extensions execute the Web Agent ISAPI and CGI
scripts and other files.
To add the extensions and permissions
1. Open the Internet Information Services (IIS) Manager, and then expand
the web server you are configuring for the Agent.
2. Double-click Web Service Extensions.
The Web Service Extensions pane appears.
3. To add the ISAPI Web Agent extension, do the following:
a. Click the Add a new Web service extension link.
The New Web Service Extension dialog box opens.
b. In the Extension name field, enter ISAPI6WebAgentDLL, and then click
Add.
The Add File dialog box opens.
c. Click the Browse button, and then navigate to the ISAPI6WebAgent.dll
file in the web_agent_home/bin directory. If the proper file does not
appear, click the Files of type drop-down list and select either ISAPI dll
files (for the .dll files) or CGI exe files (for .exe files).
Note: The default value of the web_agent_home variable is either of
the following directories:
■ (r6.x SP5): C:\Program Files\netegrity\webagent
■ (r12 SP1): C:\Program Files\CA\webagent
d. Click Open.
The path to the file appears in the Add File dialog box.
e. Click OK.
You return to the New Web Service Extension dialog box.
f. Select the Set extension status to allowed check box.
g. Click OK.
The New Web Service Extension dialog box closes.
4. Repeat Step 3 and add each of the following Web Agent files. Even though
both files use the same name, you must add a separate extension for each
because they are in different directories.
■ web_agent_home/pw/smpwservicescgi.exe (suggested extension
name: Password Services CGI)
■ web_agent_home/pw_default/smpwservicescgi.exe (suggested
extension name: PW Default CGI)
Change the Port Number of the Default IIS Web Site
We recommend changing the port number of the default IIS web site.
To change the port number for the default IIS web site
1. Open the IIS Manager.
2. Expand the web server, and then expand Web Sites.
A list of web sites appears.
3. Right-click the default web site (at the top of the list), and select
Properties.
The Properties dialog appears.
4. Click the Web Site tab.
5. In the TCP port field, enter the number of an available port that you want
to use, and then click OK.
The Properties dialog closes and the changes are saved.
6. Start the default web site.
7. Verify the change by opening a browser window and accessing a web page
on the new port.
The port number for the default IIS web site is changed.
More information:
Select a New Port Number for your IIS Default Web Site (r6.x SP5) (see page
22)
Select a New Port Number for your IIS Default Web Site (r12 SP1) (see page
34)
Gather Web Agent Information
To configure a SiteMinder Web Agent, you need to collect information about
the following items on your SiteMinder Policy Server:
Admin User Name
Specifies the name of an administrator who is allowed to register the
host with the Policy Server. Before a trusted host can be registered,
this administrator must be defined in the Policy Server, and have
permission to register trusted hosts.
Default: siteminder
Admin Password
Specifies the password for the administrator who can register trusted
Hosts with the Policy Server.
Enable Shared Secret Rollover
Specifies if the shared secret that encrypts the communication
between the trusted host and the Policy Server will be changed
periodically.
The Key Rollover feature must already be enabled at the Policy Server.
To change this setting at a later time, you must do the following:
■ Re-register the trusted host with the Policy Server
■ Use the Policy Management API to change the setting.
Trusted Host Name
Specifies any unique name that represents your trusted host on the
Policy Server. This name does not have to match the name of physical
system you are registering.
Example: mytrustedhost
Limits: Must differ from any other existing trusted host name or
existing Web Agent name.
Host Configuration Object
Specifies the name of an object that contains connection settings used
between the trusted host and the Policy Server. This object must be
defined in the Policy Server before you can configure a Web Agent.
Default: DefaultHostSettings
Policy Server IP Address
Specifies the host name or IP address of the Policy Server with which
you are registering your trusted host. Specify a port number only if
you want to use a non-default port.
Example: 192.168.1.100:non_default_port_number
Agent Configuration Object
Specifies the name of an Agent Configuration object on the Policy
Server that contains the parameter settings that you want your web
agent to use.
Default: AgentObj
Example: IISDefaultSettings
Agent Registration Worksheet
You can print a copy of this worksheet and use it to gather the information
that you need to register the system hosting your web server and web agent as
a trusted host with the SiteMinder Policy Server:
Information Needed                 Your Value
Admin User Name
Admin Password
Shared Secret Rollover? (yes/no)
Trusted Host Name
Host Configuration Object
Policy Server IP Address
Agent Configuration Object
Run the Agent Configuration Wizard
The Agent Configuration wizard does the following:
■ Registers the system that hosts the SiteMinder Web Agent and the
associated web server as a trusted host with the Policy Server.
■ Creates files on the web server that the Web Agent uses to start and
connect to the Policy Server.
Note: You only register a system as a trusted host once, not each time you
install and configure a Web Agent. If the Web Agent Configuration Wizard
detects that a trusted host has been registered on that system previously, a
warning appears.
To run the agent configuration wizard
1. Click Start, Programs, SiteMinder, Web Agent Configuration Wizard.
The Web Agent Configuration Wizard starts.
2. Do one of the following:
■ If you have not registered the system as a trusted host before, click
Yes, and then click Next. Complete the wizard using the information you
gathered on the Registration Worksheet.
■ If the system has previously been registered as a trusted host, click
No, click Next, and complete the wizard.
3. Restart your web server.
The Web Agent is configured.
Increase the Agent's Size Limit for Uploaded Files
The Web Agent installed on an IIS 6.0 web server has a size limit of 2.5 MB for
uploading files. If you want to increase this size limit, you can add a new key
to the Windows registry on your web server.
To upload files that are larger than this limit
1. Open the registry editor.
Note: For more information, see your Microsoft documentation, or go to
http://support.microsoft.com/
2. Navigate to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\netegrity\SiteMinder Web Agent\Microsoft IIS
3. Create a new DWORD registry key in the previous location using the
following name:
MaxRequestAllowed
4. Set this value of the key to the number of bytes that corresponds to the
size limit you want.
The value of this key overrides the default limit. If the value of this key is
less than or equal to 0, then the default of 2.5 MB (2,500,000 B) is used.
This key accepts decimal values from 0 to 4294967295.
Note: The IIS 6.0 web server has its own size limit. Changing the Web
Agent’s limit will not affect the IIS 6.0 limit. If you want to change the IIS
6.0 server’s limit, see the Microsoft IIS 6.0 documentation or online help.
5. Close the registry editor.
The size limit is changed.
Put the Agent Filter and Extension before Other Third-Party Filters
The IIS 6.0 Web Agent consists of an ISAPI filter and an ISAPI extension. The
majority of Web Agent processing occurs in the extension.
When the Web Agent is installed on an IIS 6.0 Web Server with other
third-party software, such as WebSphere or ServletExec, the Agent has the
following restrictions:
■ The Web Agent filter and Web Agent extension must be configured to run
before other third-party filters installed on the web server.
■ The Web Agent must be configured as the first wildcard application map if
it is going to protect applications running as or spawned by an ISAPI
extension.
■ The IIS 6.0 web server does not enforce how third-party filters and
extensions behave. IIS 6.0 processes ISAPI filters before calling ISAPI
extensions, including the Web Agent extension. Therefore, the SiteMinder
Web Agent for IIS 6.0 is unable to authenticate or authorize access to
applications implemented as pure ISAPI filters. This limitation impacts Web
Agent integration with other third-party offerings for the IIS 6.0 web
server, if those offerings are implemented as ISAPI filters that process
and/or redirect the request before ISAPI extensions are called.
When you install the Web Agent on an IIS 6.0 web server, the Agent’s filter is
automatically placed at the top of the ISAPI filters list. However, if you install
any other third-party plugins after installing the Web Agent, those filters may
take precedence.
After you install and configure an IIS 6.0 Web Agent, you must ensure that the
siteminderagent ISAPI filter and extension are listed before any third-party
filter or extension. This enables the Web Agent to process requests before any
third-party software does.
To put the agent filter and extension before other third-party filters
1. Check the ISAPI filter by doing the following steps:
a. Open the IIS Manager.
b. Select Web Sites then right-click and select Properties.
c. Select the ISAPI Filters tab.
d. Check the list of filters and ensure that siteminderagent is the first
entry in the list. If it is not, use the Move Up button to place it at the
top of the list.
e. Click OK.
f. Exit the IIS Manager.
2. Check the ISAPI extensions by doing the following steps:
a. Open the IIS Manager, and then expand the web server.
b. Right-click the Default Web Site folder, and select Properties.
c. Click the Home Directory tab, and then click Configuration.
d. The following file should be at the top of the Wildcard application maps
(order of implementation) field:
web_agent_home\bin\ISAPI6WebAgent.dll
Note: The default value of the web_agent_home variable is either of
the following directories:
■ (r6.x SP5): C:\Program Files\netegrity\webagent
■ (r12 SP1): C:\Program Files\CA\webagent
Add the ISAPI Extension to the Protected SharePoint Web Sites
You must add the SiteMinder ISAPI extension to each of the SharePoint web
sites that you want to protect with SiteMinder.
To add the ISAPI extension to each protected web site
1. Open the IIS Manager.
2. In the left pane, expand the web server, then expand the Web Sites folder.
A list of web sites appears.
3. Right-click a web site you want to protect with SiteMinder, and then select
Properties.
The Properties dialog for the web site appears.
4. Click the Home Directory tab, and then click Configuration.
The Application Configuration dialog appears. Check the Wildcard
Application Maps (order of implementation) list. The following file should
appear first in the list:
web_agent_home\bin\ISAPI6WebAgent.dll
Note: The default value of the web_agent_home variable is either of
the following directories:
■ (r6.x SP5): C:\Program Files\netegrity\webagent
■ (r12 SP1): C:\Program Files\CA\webagent
5. If the previous file does not appear in the list, do the following:
a. Click Insert.
The Add/Edit Application Extension Mapping dialog appears.
b. Click Browse, and then locate the following file:
web_agent_home\bin\ISAPI6WebAgent.dll
Note: The default value of the web_agent_home variable is either of
the following directories:
■ (r6.x SP5): C:\Program Files\netegrity\webagent
■ (r12 SP1): C:\Program Files\CA\webagent
c. Click Open.
The file appears in the Executable: field.
d. Clear the Verify that file exists check box.
e. Click OK, and then use the Move Up or Move Down buttons to make
sure the ISAPI6WebAgent file appears at the top of the list.
f. Click OK.
The Inheritance Overrides dialog appears.
g. Click Select All, and then click OK.
The Inheritance Overrides dialog closes, and the Properties dialog
appears.
h. Click OK.
The Properties dialog appears.
6. Click OK.
The Properties dialog closes and the ISAPI extension is added to the web
site.
7. Repeat Steps 3 through 6 for each SharePoint web site you want to
protect.
8. Restart the IIS web server.
How to Configure your SharePoint Web Sites for SiteMinder
Your existing SharePoint web sites can be converted from Microsoft FBA to use
SiteMinder FCC by configuring them with the following process:
1. Use the SiteMinder signout page (see page 76).
2. Back up your existing web.config files (see page 77).
3. Change the Form type and add the HTTP module to the web.config file of
each SharePoint web site you want to protect with SiteMinder (see
page 78).
4. Start your SiteMinder Web Agent (see page 79).
Use the SiteMinder Signout Page
The SiteMinder Web Agent also comes with a sample signout page that
appears when a user logs out of a SharePoint web site. You can customize this
page to meet the needs of your organization. This page enhances security by
reminding users that they must close their browser to log out. To use this
page, you must manually copy it from its installed location, to the proper
location on your web server.
To use the SiteMinder signout page
1. On your web server, open the following directory:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS\
2. Locate the following file:
signout.aspx
3. Make a backup copy of the previous file by renaming it. We recommend
using a name that will help you remember the point at which you changed
the file. For example, you may want to name the backup copy
original_signout.aspx.
4. Locate the SiteMinder signout page in the following directory:
web_agent_home\sharepoint
Note: The default value of the web_agent_home variable is C:\Program
Files\netegrity\webagent
5. Copy the SiteMinder signout page to the directory shown in Step 1.
6. (Optional) Modify the SiteMinder signout page according to your needs. For
example, you may want to add a graphic of your organization's logo or
customize the text that is displayed.
7. Restart the IIS web server.
The SiteMinder signout page will be used.
Back Up your Existing web.config Files
To configure SharePoint to operate with SiteMinder you need to modify the
web.config file of your SharePoint Central Administration web site, and the
web.config file of any SharePoint site you want to protect. Since a single IIS
server may contain many virtual SharePoint sites, identifying the correct files
to modify is critical.
To locate and back up the existing web.config files
1. Open the IIS 6.0 Manager on your web server.
2. In the left pane, expand the web server, and then expand Web Sites.
A list of web sites appears.
3. Right-click the SharePoint Central Administration site, and then select
Open.
Windows Explorer opens the directory for the Central Administration web
site.
4. Open the web.config file and save a copy of the original using a different
name.
5. Close the Windows Explorer window.
6. Go back to the IIS Manager window, and right-click the folder of a
SharePoint site you want to protect, and then select Open.
Windows Explorer opens the directory for the SharePoint web site.
7. Open the web.config file and save a copy of the original using a different
name.
We recommend using a name that will help you remember the point at
which you changed the file. For example, if you are saving a copy of your
FBA web.config file before adding the SiteMinder information, you might
want to name the backup copy of the file fba_web.config.
8. Close the Windows Explorer window.
9. Repeat Steps 6 through 8 for each SharePoint site you want to protect.
All of the existing web.config files have been backed up.
Change the Form Type and Add the HTTP Module to Each SharePoint Web Site
you want to protect with SiteMinder
To switch the authentication method from SharePoint FBA to SiteMinder FCC,
you need to make the following changes to the web.config file of each
SharePoint web site that you want to protect with SiteMinder:
■ Change the loginUrl attribute of the forms authentication element to specify the
SiteMinder FCC.
■ Add the following information:
HTTP Modules
Specifies the properties of the SiteminderNET.DLL file in the web.config
file of each SharePoint web site protected by SiteMinder. This DLL file
must be installed in the Global Assembly Cache of the computer
hosting the SiteMinder web agent for IIS.
Note: The Global Assembly Cache is located in the following directory:
C:\WINDOWS\assembly
To add the SiteMinder HTTP module to each SharePoint site
1. Stop the IIS Admin Service.
2. Open the web.config file for the web site with an XML editor.
Important! Do not use Notepad, Wordpad, (or any other text editor with
line-length limitations) to edit the XML file. A text editor designed for
writing programming source code will not generally have such line-length
limitations. For more information, see the documentation or online help for
your respective editor.
3. Locate the following line:
<forms loginUrl="/_layouts/login.aspx" />
4. Change the previous line to match the following line:
<forms loginUrl="/_siteminder/siteminderlogin.aspx" />
5. Locate the following section:
<httpModules>
<clear />
6. After the <clear /> tag, add the following section:
<add name="SessionMgmtModule" type="SiteminderNET.SessionMgmtModule, SiteminderNET,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=d898b5619cf7eff3" />
7. Save your changes, and close your XML editor.
8. Repeat Steps 1 through 7 for each SharePoint web site you want to protect
with SiteMinder.
9. Start the IIS Admin Service.
The web sites are reconfigured for SiteMinder.
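As an added example that is not part of the CA documentation, the following Python script checks a SharePoint web.config against the target state of Steps 3 through 6 (loginUrl pointing at the FCC, SessionMgmtModule registered immediately after the clear tag) and applies those edits to a constructed sample; the sample web.config, including its SPRequest module entry, is constructed for illustration and is not a real SharePoint file.

```python
"""Added example (not CA's code): audit and apply this chapter's web.config changes."""
import xml.etree.ElementTree as ET

SM_LOGIN_URL = "/_siteminder/siteminderlogin.aspx"  # SiteMinder FCC, from the chapter
SM_MODULE_NAME = "SessionMgmtModule"
SM_MODULE_TYPE = ("SiteminderNET.SessionMgmtModule, SiteminderNET, Version=1.0.0.0, "
                  "Culture=neutral, PublicKeyToken=d898b5619cf7eff3")
# Constructed sample: a SharePoint FBA web.config trimmed to the elements this chapter edits.
FBA_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
    </authentication>
    <httpModules>
      <clear />
      <add name="SPRequest" type="Microsoft.SharePoint.ApplicationRuntime.SPRequestModule" />
    </httpModules>
  </system.web>
</configuration>"""

def audit_web_config(xml_text):
    """Return deviations from the chapter's target state; an empty list means configured."""
    root = ET.fromstring(xml_text)
    problems = []
    forms = root.find("./system.web/authentication/forms")
    if forms is None or forms.get("loginUrl") != SM_LOGIN_URL:
        problems.append("forms loginUrl does not point at the SiteMinder FCC")
    modules = root.find("./system.web/httpModules")
    entries = list(modules) if modules is not None else []
    if not entries or entries[0].tag != "clear":
        problems.append("httpModules does not begin with <clear />")
    sm = [e for e in entries if e.tag == "add" and e.get("name") == SM_MODULE_NAME]
    if not sm:
        problems.append("SessionMgmtModule is not registered")
    elif " ".join((sm[0].get("type") or "").split()) != SM_MODULE_TYPE:  # tolerate wrapped value
        problems.append("SessionMgmtModule type or PublicKeyToken differs from the documented value")
    return problems

def configure_for_siteminder(xml_text):
    """Steps 3 to 6: point loginUrl at the FCC and register the module right after <clear />.
    Idempotent. ElementTree drops XML comments, so use the output as a reference diff."""
    root = ET.fromstring(xml_text)
    forms = root.find("./system.web/authentication/forms")
    modules = root.find("./system.web/httpModules")
    if forms is None or modules is None:
        raise ValueError("no <forms> or <httpModules> element: not a SharePoint FBA web.config?")
    forms.set("loginUrl", SM_LOGIN_URL)
    entries = list(modules)
    if not any(e.tag == "add" and e.get("name") == SM_MODULE_NAME for e in entries):
        clear_idx = next((i for i, e in enumerate(entries) if e.tag == "clear"), None)
        if clear_idx is None:
            raise ValueError("httpModules has no <clear /> to insert after")
        module = ET.Element("add", {"name": SM_MODULE_NAME, "type": SM_MODULE_TYPE})
        module.tail = entries[clear_idx].tail  # reuse the indentation of the line it follows
        modules.insert(clear_idx + 1, module)
    return ET.tostring(root, encoding="unicode")
```

Running audit_web_config over each protected site's web.config after the edits gives a quick check that no site was skipped in Step 8.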
Start the Web Agent
After configuring your Web Agent parameters, you must enable the Web Agent
to protect the resources on the web server.
Note: No resources are protected until you define policies using either of the
following:
■ (r6.x SP5) Policy Server User Interface
■ (r12 SP1) Administrative UI
To start the web agent
1. Open the following file with a text editor:
web_agent_home\bin\IIS\WebAgent.conf
Note: The default value of the web_agent_home variable is either of
the following directories:
■ (r6.x SP5): C:\Program Files\netegrity\webagent
■ (r12 SP1): C:\Program Files\CA\webagent
2. Locate the EnableWebAgent parameter, and then change its value to yes.
3. Save and close the WebAgent.conf file.
4. Restart the IIS web server.
The web agent starts and the resources on the web server are protected.
Stop the Web Agent
You may stop a web agent at any time.
To stop the web agent
1. Open the following file with a text editor:
web_agent_home\bin\IIS\WebAgent.conf
Note: The default value of the web_agent_home variable is either of
the following directories:
■ (r6.x SP5): C:\Program Files\netegrity\webagent
■ (r12 SP1): C:\Program Files\CA\webagent
2. Locate the EnableWebAgent parameter, and then change its value to no.
3. Save and close the WebAgent.conf file.
4. Restart the IIS web server.
The web agent stops.
More information:
Disable the SiteMinder Authentication (see page 85)
Chapter 6: Test your SiteMinder and
SharePoint Implementation
This section contains the following topics:
Access a Protected SharePoint Site Using SiteMinder (see page 81)
Modify a Document Stored on SharePoint (see page 82)
Access a Protected SharePoint Site as another User (see page 83)
SiteMinder Logs (see page 83)
Access a Protected SharePoint Site Using SiteMinder
You can test your SiteMinder implementation by trying to access a protected
resource on your SharePoint server.
To access a protected SharePoint resource using SiteMinder
1. Open a browser and enter the URL of a protected SharePoint web site for
which you are the Site Collection administrator.
The SiteMinder authentication form should appear.
2. Enter your credentials, and then click Login.
The home page for the SharePoint site collection should appear.
Note: The Welcome message shown in the upper right after you sign into
SharePoint displays your User ID.
Modify a Document Stored on SharePoint
You can verify that SiteMinder protects the documents stored on your
SharePoint sites by opening and modifying a protected document. If
SiteMinder is functioning properly, you will not be challenged for your
credentials when doing any of the following:
■ Checking out the document.
■ Opening or modifying the document.
■ Checking in the document.
To modify a document stored on SharePoint
1. Log in to your protected SharePoint site.
The home page for your SharePoint site collection appears.
Note: The Welcome message shown in the upper right after you sign into
SharePoint displays your User ID.
2. Click the link (on the left) of your document library.
The contents of your document library appear.
3. Click the document name to display a drop-down list, and then select
Check Out.
A check-out icon appears next to your document.
4. Modify the document, then click Upload, Upload Document.
The Upload document page appears.
5. Select the modified document using the Browse button, and then click OK.
A confirmation page appears.
6. Click Check In.
Your modified document is placed on the SharePoint web site.
Access a Protected SharePoint Site as another User
You can verify that SiteMinder allows you to log in to a resource as another
user.
To access a protected SharePoint site as another user
1. Log in to your protected SharePoint site.
The home page for your SharePoint site collection appears.
Note: The Welcome message shown in the upper right after you sign into
SharePoint displays your User ID.
2. Click the drop-down list next to the Welcome message, and then select
Sign in as Different User.
The SiteMinder login screen should appear.
SiteMinder Logs
To aid in diagnosing problems, you can enable logs for the following SiteMinder
components:
■ Policy Server
Note: For more information, see the CA SiteMinder Policy Server
Management Guide.
■ Web Agent
Note: For more information, see the CA SiteMinder Web Agent
Configuration Guide.
Appendix A: Troubleshooting
This section contains the following topics:
Disable the SiteMinder Authentication (see page 85)
Disable the SiteMinder Authentication
Symptom:
I'm having a problem and I want to disable SiteMinder so I can check my
SharePoint configuration.
Solution:
Do the following:
1. Stop the SiteMinder web agent.
2. In the web.config file of a protected resource, change the value of the
loginUrl attribute to the following:
loginUrl="/_layouts/login.aspx"
3. Restart your IIS web server.
The SiteMinder authentication scheme is disabled and your SharePoint
resources are authenticated using SharePoint FBA instead.
More information:
Stop the Web Agent (see page 80)
Appendix B: Platform Support
This section contains the following topics:
Locate the Platform Support Matrix (see page 87)
Locate the Platform Support Matrix
The SiteMinder Platform Support Matrix contains the latest information about
supported platforms. CA maintains the Platform Support Matrix at
http://www.ca.com/support.
To locate the support matrix on the Support site
1. Click Technical Support.
2. Click Support By Product or Solution.
3. Select CA SiteMinder Web Access Manager from the Select a Product or
Solution Page list.
4. Click Platform Support Matrices in the Product Status group box.
More information:
SiteMinder Prerequisites (see page 14)