
Configuring SiteMinder Single Sign On for Microsoft ® SharePoint ® 2007 Using Forms-based Authentication CA SiteMinder ® Web Access Manager


Page 1: CA SiteMinder Web Access Manager · Web Access Manager CA ... Change the Form Type and Add the HTTP Module to Each SharePoint ... Replace the SharePoint forms-based authentication

Configuring SiteMinder Single Sign On for Microsoft® SharePoint® 2007 Using Forms-based Authentication

CA SiteMinder® Web Access Manager


This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the Product are permitted to have access to such copies.

The right to print copies of the Documentation and to make a copy of the related software is limited to the period during which the applicable license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of any product referenced in the Documentation is governed by the end user’s applicable license agreement.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Microsoft® SharePoint® is a registered trademark of Microsoft Corporation. Microsoft product screen shots reprinted with permission from Microsoft Corporation. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Copyright © 2009 CA. All rights reserved.


CA Product References

This document references the following CA products:

■ CA SiteMinder® Web Access Manager

Contact CA

Contact Technical Support

For your convenience, CA provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise CA products. At http://ca.com/support, you can access the following:

■ Online and telephone contact information for technical assistance and customer services

■ Information about user communities and forums

■ Product and documentation downloads

■ CA Support policies and guidelines

■ Other helpful resources appropriate for your product

Provide Feedback

If you have comments or questions about CA product documentation, you can send a message to [email protected].

If you would like to provide feedback about CA product documentation, complete our short customer survey, which is also available on the CA support website, found at http://ca.com/support.


Contents 5

Contents

Chapter 1: SiteMinder and Microsoft SharePoint 9

Documents Replaced by this Version ............................................................ 9

Purpose and Audience ......................................................................... 10

Microsoft Internet Information Services (IIS) ................................................... 10

Microsoft SharePoint 2007 ..................................................................... 11

Use Case Diagram ............................................................................ 12

Chapter 2: Prerequisites and Limitations 13

Microsoft Prerequisites ........................................................................ 13

SiteMinder Prerequisites ....................................................................... 14

SiteMinder and SharePoint Limitations ......................................................... 14

Chapter 3: Configure Your SiteMinder Policy Server 15

How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources ................... 15

Open the r6.x SP5 Policy Server User Interface ............................................. 16

Create a Host Configuration Object for your SharePoint Resources (r6.x SP5) ................. 17

Create a Web Agent Object for your SharePoint Resources (r6.x SP5) ........................ 18

Create an Agent Configuration Object for your SharePoint Resources (r6.x SP5) ............... 19

Create a User Directory Entry for your LDAP Directory Server Instance ....................... 21

Create a Domain for your SharePoint Resources (r6.x SP5) .................................. 22

Select a New Port Number for your IIS Default Web Site (r6.x SP5) .......................... 22

Create an Authentication Scheme for your SharePoint Resources (r6.x SP5) .................. 23

Create Realms for your SharePoint Resources (r6.x SP5) .................................... 23

Create a Rule Under your SharePoint Realm (r6.x SP5) ...................................... 26

Create a Policy for your SharePoint Resources (r6.x SP5) .................................... 27

Test Your Policy with the SiteMinder Test Tool (r6.x SP5) .................................... 27

How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources ............... 28

Open the r12 SP1 Administrative UI ........................................................ 29

Create a Host Configuration Object for your SharePoint Resources (r12 SP1) .................. 30

Create a Web Agent Object for your SharePoint Resources (r12 SP1) ......................... 31

Create an Agent Configuration Object for your SharePoint Resources (r12 SP1) ............... 32

Select a New Port Number for your IIS Default Web Site (r12 SP1) ........................... 34

Create an Authentication Scheme for your SharePoint Resources (r12 SP1) ................... 35

Create a User Directory Object for your Directory Server Instance (r12 SP1) .................. 36

Create an Application to protect your SharePoint Resources (r12 SP1) ........................ 37

Leave the SharePoint Virtual Directories Unprotected (r12 SP1) .............................. 38


6 Configuring SiteMinder Single Sign On for Microsoft® SharePoint® 2007 Using Forms-based Authentication

Add Resources to your Application (r12 SP1) ................................................ 40

Add Roles to your Application (r12 SP1) .................................................... 41

Create a Policy for your Application (r12 SP1) ............................................... 42

Chapter 4: Configure SharePoint 2007 43

How to Create a SharePoint 2007 Test Site ..................................................... 43

Create a New SharePoint Site .............................................................. 44

Add the New SharePoint Site to a Site Collection ............................................ 45

Create a Document Library ................................................................ 46

How to Configure Your SharePoint Forms Based Authentication .................................. 47

Back Up Your Existing web.config Files ..................................................... 48

Add the Membership Provider to the SharePoint Central Configuration Web Site ............... 49

Add the Membership Provider and Authentication Method to Each SharePoint Web Site you want to protect ........................................................... 51

How to Encrypt the Sensitive Information in your web.config Files ............................ 53

Enable SharePoint FBA .................................................................... 54

Add Users to Your SharePoint Web Site ..................................................... 55

Update the Site Collection Administrator Account to Use FBA ................................. 56

Test Your SharePoint FBA .................................................................. 57

Chapter 5: Configure SiteMinder Web Agent and Related SharePoint Web Sites 59

How to Add SiteMinder to your SharePoint Environment ......................................... 59

Install the SiteMinder Web Agent for IIS .................................................... 60

How to Install the SiteMinder DLL to the Global Assembly Cache ............................. 61

Add the SiteMinder .ASPX Files to the SharePoint Web Site .................................. 62

Use a Fully-Qualified Domain Name in your SharePoint Sites ................................. 63

How to Configure an IIS Web Agent to Protect SharePoint Resources ............................. 64

Assign Read Permissions to Samples and Error Files Directories .............................. 65

Allow IIS to Execute the Agent ISAPI and CGI Extensions .................................... 66

Change the Port Number of the Default IIS Web Site ........................................ 67

Gather Web Agent Information ............................................................. 68

Run the Agent Configuration Wizard ........................................................ 70

Increase the Agent's Size Limit for Uploaded Files ........................................... 71

Put the Agent Filter and Extension before Other Third-Party Filters ........................... 72

Add the ISAPI Extension to the Protected SharePoint Web Sites .............................. 74

How to Configure your SharePoint Web Sites for SiteMinder ..................................... 75

Use the SiteMinder Signout Page ........................................................... 76

Back Up your Existing web.config Files ..................................................... 77

Change the Form Type and Add the HTTP Module to Each SharePoint Web Site you want to protect with SiteMinder .................................................... 78


Start the Web Agent ...................................................................... 79

Chapter 6: Test your SiteMinder and SharePoint Implementation 81

Access a Protected SharePoint Site Using SiteMinder ............................................ 81

Modify a Document Stored on SharePoint ...................................................... 82

Access a Protected SharePoint Site as another User ............................................. 83

SiteMinder Logs .............................................................................. 83

Appendix A: Troubleshooting 85

Disable the SiteMinder Authentication .......................................................... 85

Appendix B: Platform Support 87

Locate the Platform Support Matrix ............................................................ 87

Chapter 1: SiteMinder and Microsoft SharePoint

This section contains the following topics:

Documents Replaced by this Version (see page 9)

Purpose and Audience (see page 10)

Microsoft Internet Information Services (IIS) (see page 10)

Microsoft SharePoint 2007 (see page 11)

Use Case Diagram (see page 12)

Documents Replaced by this Version

The content of this document supersedes the existing content in the following publications:

CA SiteMinder Web Access Manager Microsoft® SharePoint® 2007 Integration Guide, First, Second, and Third Editions

CA SiteMinder Policy Server Policy Design Guide, r6.x SP5 CR 15 (DIDs: H00486-2E, H00486-1E), Appendix A: Protecting SharePoint 2007 Resources

CA SiteMinder Web Agent Guide, r6.x SP5 CR15 (DIDs: H00501-2E, H00501-1E), Appendix D: Protecting SharePoint 2007 Resources


Purpose and Audience

This guide describes an example of how you can integrate SharePoint with CA SiteMinder to accomplish the following:

■ Use SiteMinder to authenticate and authorize your users instead of SharePoint

■ Use an existing LDAP Directory server with CA SiteMinder

■ Replace the SharePoint forms-based authentication (FBA) mechanism with CA SiteMinder

This guide is intended for IT personnel who are familiar with the enterprise network, as well as access management concepts and technologies.

This guide assumes familiarity with the following:

■ Web Servers

■ Directory Servers

■ SharePoint

■ Basic architecture of CA SiteMinder components

Microsoft Internet Information Services (IIS)

Microsoft IIS is a web server that runs on several Windows operating environments. Only one instance of IIS can run on a single computer, but many virtual web sites can exist within an IIS instance.

Note: For more information about creating virtual web sites on IIS, go to the Microsoft Support web site, and then search for "virtual web site IIS".


Microsoft SharePoint 2007

Microsoft SharePoint 2007 runs on top of a Microsoft IIS instance. The SharePoint 2007 Server makes the following changes to the IIS instance when it is installed:

■ Disables the IIS Default Web Site on port 80, and adds a SharePoint - 80 web site in its place

■ Creates virtual web sites for the following:

– Office Server Web Services

– SharePoint Central Administration

– A single SharePoint web site for the user who installed the SharePoint Server 2007

Note: The phrase "web application" has special meaning in the Microsoft documentation; it defines a SharePoint web application as a web site and its related database instance, which stores the content for the web site, on the SharePoint server. This SiteMinder guide uses the term web site to indicate a SharePoint resource unless otherwise indicated.


Use Case Diagram

The following illustration shows a use case where partners authenticate using a SiteMinder form, and internal employees authenticate using SiteMinder or Windows authentication methods:


Chapter 2: Prerequisites and Limitations

This section contains the following topics:

Microsoft Prerequisites (see page 13)

SiteMinder Prerequisites (see page 14)

SiteMinder and SharePoint Limitations (see page 14)

Microsoft Prerequisites

To protect your SharePoint 2007 resources with SiteMinder you need the following Microsoft components:

■ Microsoft IIS 6.0

■ Microsoft SharePoint 2007 SP1

■ Microsoft .NET 2.0

■ Microsoft .NET 2.0 SDK (for installing the SiteMinder file into the Global Assembly Cache)

■ Microsoft .NET 3.0

More information:

How to Install the SiteMinder DLL to the Global Assembly Cache (see page 61)


SiteMinder Prerequisites

To protect your SharePoint 2007 resources with SiteMinder you need to install the appropriate components for your SiteMinder version shown in the following list:

SiteMinder r6.x SP5

Requires a r6.x SP5 Policy Server (at least CR 14) with one of the following Web Agents:

■ SiteMinder Web Agent, 6.x SP5 (at least) CR22 (32-bit only)

■ SiteMinder Web Agent, 6.x SP5 (at least) CR23 (32-bit or 64-bit)

SiteMinder r12 SP1

Requires the following components:

■ SiteMinder Web Agent, r12 SP1 (at least) CR2

■ SiteMinder Policy Server, r12 SP1 (at least) CR2

■ SiteMinder Web Access Manager Administrative Interface, r12 SP1 (at least) CR2

More information:

Locate the Platform Support Matrix (see page 87)

SiteMinder and SharePoint Limitations

This document shows how to integrate SiteMinder with SharePoint 2007 using the forms-based authentication (FBA) feature of SharePoint. Understand and accept the following limitations caused by FBA before you start your integration:

■ The welcome message in SharePoint displays the login id of the user, not the full name of the user.

■ SharePoint features that rely on an identity provided by a Microsoft Windows operating system are not supported (for example, Excel Services).

■ User profiles that were supported while SharePoint was configured for Windows authentication will not be available after SharePoint is configured for FBA authentication. No migration utility exists. As a result, this documentation is intended for deployments that are not using an Active Directory user store.

■ The SharePoint People Picker does not support wildcard searches or searches for Groups.

Chapter 3: Configure Your SiteMinder Policy Server

This section contains the following topics:

How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources (see page 15)

How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources (see page 28)

How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources

To configure a SiteMinder r6.x SP5 Policy to protect resources on a SharePoint web site, use the following process:

1. Login to the Policy Server User Interface (see page 16).

2. Create a Host Configuration object (see page 17).

3. Create a Web Agent (see page 18).

4. Create an Agent Configuration object (see page 19).

5. Create a user directory (see page 21).

6. Create a Domain for the SharePoint web site (see page 22).

7. Select a new port number for your IIS default web site (see page 22).

8. Create an authentication scheme (see page 23).

9. Create realms under the domain (see page 23).

10. Create rules under the realm (see page 26).

11. Create a policy under the domain (see page 27).


Open the r6.x SP5 Policy Server User Interface

The Policy Server User Interface lets you create and manage Policy Server objects.

To open the Policy Server User Interface

1. Open your web browser.

2. Enter the following URL in the Address bar:

http://policy_server_host_name.domain:non_default_port_number/siteminder

Note: The policy_server_host_name is the name of the machine on which the Policy Server is installed. Use the fully-qualified domain name of that host in the URL, for example policyserver.example.com rather than the short host name. If the Policy Server does not use the default HTTP port (80), you must specify a port number.

Your browser displays the Policy Server start page.

3. Click Administer Policy Server.

A status bar appears while the Policy Server User Interface loads. The SiteMinder Administration Login window opens.

4. Enter your user name and password in the appropriate fields.

If you are accessing the Policy Server for the first time, use the default super user administrator account, which you created during Policy Server installation.

5. Click Login.

The Policy Server User Interface opens.

The contents of this window depend on the privileges of the administrator account you use to login to the Policy Server.

Note: For more information on the Policy Server User Interface, see the SiteMinder Policy Design guide.


Create a Host Configuration Object for your SharePoint Resources (r6.x SP5)

The Web Agent uses a Host Configuration object to connect with the Policy Server. You will need the name of a Host Configuration object that is stored on the Policy Server to configure a SiteMinder web agent on a web server that protects your resources.

To create a host configuration object

1. In the System tab, click Host Conf objects.

The Host Conf Object list appears.

2. Right-click the DefaultHostSettings object, and then select Duplicate configuration object.

The Host Configuration Object Properties dialog appears with the object's name selected.

3. Enter a distinctive name, and (optional) description.

4. In the Configuration Values list, double-click #Policy Server.

The Edit Parameter dialog appears.

5. Click the *Parameter Name field, and then remove the # symbol.

6. In the *Value field, select the following text:

<IPAddress>

7. Replace the selected text with the IP address, or DNS name, of your Policy Server.

8. Click OK.

The Edit Parameter dialog closes. The IP address you entered appears in the list.

9. Click OK.

The Host Configuration Object Properties dialog closes and the new Host Configuration object appears in the list.


Create a Web Agent Object for your SharePoint Resources (r6.x SP5)

The Web Agent runs on the web server to protect resources, but each web agent must be associated with a Web Agent object on the Policy Server. You will need the name of this Web Agent object when you configure a SiteMinder web agent on a web server.

To create a web agent

1. In the System tab, right-click Agents, and then select Create Agent.

The Agent dialog appears.

2. Enter a distinctive name, and (optional) description.

Note: Web Agent names have the following limits:

■ Agent names must contain 7-bit ASCII characters in the range of 32-127, including one or more printable characters.

■ Agent names must not contain the ampersand (&) and asterisk (*) characters.

■ Agent names are not case-sensitive. For example, you cannot create one Agent named MyAgent and another Agent named myagent.

3. Click OK.

The dialog closes and the new Agent appears in the list.


Create an Agent Configuration Object for your SharePoint Resources (r6.x SP5)

An Agent Configuration Object lets you specify parameter settings on the Policy Server that control how one or more web agents operate. You will need the name of an Agent Configuration Object stored on the Policy Server to configure a SiteMinder web agent on your web server.

This Agent Configuration object must also contain certain parameters and settings to protect resources on a SharePoint web site with SiteMinder.

To create an Agent Configuration object

1. In the System tab, click Agent Conf Objects.

The Agent Conf Object list appears.

2. Right-click the IISDefaultSettings Agent Configuration object, and then click Duplicate Configuration Object.

The Agent Configuration Object properties dialog appears with the object's name selected.

3. Enter a distinctive name, and (optional) description.

4. Scroll down the configuration values list, and then double-click the following parameter:

BadUrlChars

Note: The list is sorted by special characters (such as those starting with #), numbers, uppercase letters and lowercase letters respectively.

The Edit Parameter dialog appears.

5. Remove any characters from this list that are found in the URLs of any resources you want to protect. For example, if the URL of a protected resource contains <>, delete <, and >, from the list. The agent rejects any request whose URL contains an entry on this list, so every entry you remove widens what the agent passes through to SharePoint; remove only the entries your SharePoint URLs actually require, and leave the rest (such as the directory-traversal sequences) in place.

6. Click OK.

7. Double-click the following parameter:

LogOffUri

The Edit Parameter dialog appears.

8. Uncomment the parameter name (by removing the #), click the Value field and then type the following:

/_siteminder/redirector.aspx


9. Click OK.

10. Double-click the following parameter:

IgnoreExt

The Edit Parameter dialog appears.

11. Remove the extensions of any image files used in your protected resources from the list, and then click OK. For example, if you use .png files, remove the .png extension from the list of values. Requests for extensions on this list bypass the agent and reach SharePoint without a SiteMinder identity, which is why images stored in protected SharePoint libraries must not be ignored.

12. Double-click the following parameter:

DefaultAgentName

The Edit Parameter dialog appears.

13. Uncomment the parameter name (by removing the #), click the *Value field and then enter a default agent name. This name must match the name of the web agent you previously created with the Policy Server User Interface for your SharePoint implementation (see page 18).

14. Click OK.

The Edit parameter dialog closes.

15. Click Add, and then type the following in the Parameter Name field:

autoauthorizeoptions

16. Click the *Value field, and then type the following:

Yes

Note: This parameter makes the agent authorize HTTP OPTIONS requests without challenging them. Office and other WebDAV clients send OPTIONS requests before they open or save SharePoint documents, and a login-form redirect in response to such a request breaks those clients.

17. Click OK to close the Edit Parameter dialog, and then click OK again to close the Agent Configuration Object dialog.

The Agent Configuration dialog closes and the new Web Agent Configuration object is saved.
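The following Python script is an added illustration of what steps 5 through 16 change; it is not CA's code and does not reproduce the Web Agent's implementation. It models BadUrlChars as a list of literal substrings plus %xx-%yy ranges of percent-encoded bytes that cause a request URI to be rejected, models IgnoreExt as a list of path extensions the agent passes through unprotected, and checks the finished object for the values the procedure requires. The starting parameter values, the agent name sharepoint-agent, and the sample request URIs are all constructed for the example rather than copied from a product default or a real site.

```python
"""Model of how the Agent Configuration Object values set in this procedure
affect request handling.  Added example; not CA's code, and the filtering
logic approximates the Web Agent's behaviour rather than reproducing it."""
import re
from urllib.parse import urlsplit

# Constructed starting values in the style of the IISDefaultSettings object
# (assumption: these are illustrative, not copied from any product default).
ACO_BEFORE = {
    "BadUrlChars": "//,./,/.,/*,*.,~,\\,%00-%1f,%7f-%ff,%25,<,>",
    "IgnoreExt": ".class,.gif,.jpg,.jpeg,.png,.fcc,.scc,.sfcc,.ccc,.ntc",
}

RANGE_RE = re.compile(r"^%([0-9a-f]{2})-%([0-9a-f]{2})$", re.I)
ENCODED_RE = re.compile(r"%([0-9a-f]{2})", re.I)


def parse_bad_url_chars(value):
    """Split BadUrlChars into literal substrings and %xx-%yy byte ranges."""
    literals, ranges = [], []
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        m = RANGE_RE.match(token)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
        else:
            literals.append(token.lower())
    return literals, ranges


def bad_url_reason(request_uri, bad_url_chars):
    """Return the token that makes the agent reject the request URI
    (path plus query), or None when the URI passes the filter."""
    literals, ranges = parse_bad_url_chars(bad_url_chars)
    lowered = request_uri.lower()
    for lit in literals:
        if lit in lowered:
            return lit
    for enc in ENCODED_RE.finditer(request_uri):
        value = int(enc.group(1), 16)
        for lo, hi in ranges:
            if lo <= value <= hi:
                return f"%{lo:02x}-%{hi:02x}"
    return None


def is_ignored(request_uri, ignore_ext):
    """True when the path's extension is on IgnoreExt, i.e. the agent
    lets the request through without authenticating it."""
    path = urlsplit(request_uri).path.lower()
    return any(path.endswith(ext.strip().lower())
               for ext in ignore_ext.split(",") if ext.strip())


def remove_tokens(value, tokens):
    """Drop the given comma-separated entries (procedure steps 5 and 11)."""
    return ",".join(t for t in value.split(",") if t.strip() not in tokens)


def check_aco(aco, agent_name):
    """Findings a reviewer would raise against the finished object."""
    findings = []
    if aco.get("LogOffUri") != "/_siteminder/redirector.aspx":
        findings.append("LogOffUri must point at the SiteMinder redirector page")
    # Agent names are not case-sensitive, so compare them that way.
    if aco.get("DefaultAgentName", "").lower() != agent_name.lower():
        findings.append("DefaultAgentName does not match the Web Agent object")
    if aco.get("AutoAuthorizeOptions", "").lower() != "yes":
        findings.append("AutoAuthorizeOptions is not Yes")
    return findings


# The object as it looks after steps 5 through 16, with a hypothetical
# agent name standing in for the one you created (assumption).
AGENT_NAME = "sharepoint-agent"
ACO_AFTER = dict(
    ACO_BEFORE,
    BadUrlChars=remove_tokens(ACO_BEFORE["BadUrlChars"], {"<", ">"}),
    IgnoreExt=remove_tokens(ACO_BEFORE["IgnoreExt"], {".png"}),
    LogOffUri="/_siteminder/redirector.aspx",
    DefaultAgentName="SharePoint-Agent",
    AutoAuthorizeOptions="Yes",
)

# Constructed request URIs in the shape SharePoint produces.
SAMPLE_URIS = [
    "/sites/test/Shared%20Documents/Plan.docx",
    "/_layouts/viewlsts.aspx?BaseType=<0>",
    "/_layouts/images/logo.png",
    "/sites/test/../_layouts/settings.aspx",
    "/_vti_bin/lists.asmx?x=%00",
]

if __name__ == "__main__":
    print("findings before:", check_aco(ACO_BEFORE, AGENT_NAME))
    print("findings after: ", check_aco(ACO_AFTER, AGENT_NAME))
    for uri in SAMPLE_URIS:
        print(f"{uri:45} reject={bad_url_reason(uri, ACO_AFTER['BadUrlChars'])!s:8} "
              f"ignored={is_ignored(uri, ACO_AFTER['IgnoreExt'])}")
```

Running the script shows the trade-off the procedure makes: after < and > are removed, the SharePoint list URL passes, while the traversal sequence and the encoded NUL byte are still rejected because their entries were left on the list; removing .png from IgnoreExt means the image request is now handled by the agent instead of bypassing it.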


Create a User Directory Entry for your LDAP Directory Server Instance

For SiteMinder to protect resources on SharePoint, you must add information about your user directory server instance to the SiteMinder Policy Server. You will also need this information when you add the LDAP Provider to the web.config files of your SharePoint server.

To create a user directory entry for your directory server instance

1. In the System tab, right-click User Directories, and select Create User Directory.

The User Directory Properties dialog appears.

2. Enter a distinctive name, and (optional) description.

3. Make sure LDAP: appears in the Namespace drop-down list.

4. Click the Server field, and then type the fully-qualified domain name of your Directory server.

5. In the LDAP Search section, click the Root field, and then type the following:

dc=your_domain_name,dc=your_domain_extension

Example: dc=example,dc=com

6. In the DN LDAP User Lookup section, click the Start field, and then type the following:

uid=

7. Click the End field and type the following, including the leading comma:

,dc=your_domain_name,dc=your_domain_extension

Example: ,dc=example,dc=com

The Policy Server builds the user DN as Start, then the login name the user enters, then End, so with these values a login of jdoe is looked up as uid=jdoe,dc=example,dc=com. Without the leading comma the resulting DN is malformed and lookups fail.

8. Click the Credentials and Connection tab, and then do the following:

a. Select the Require credentials check box.

b. Enter the name of an authorized user for the directory. Use the following example as a guide:

cn=Directory Manager

Note: cn=Directory Manager is the root account of many LDAP directory servers. For anything beyond a test setup, bind with a dedicated account that has read access only to the user entries and attributes SiteMinder needs.

c. Enter the password for the authorized user and confirm it.

d. Make sure the Run in Authenticated Users Context check box is clear.

9. Click the User Attributes tab, click the Universal ID (R) field, and then enter the following:

uid

10. Click OK.

The User Directory Properties dialog closes and the user directory entry is saved.


Create a Domain for your SharePoint Resources (r6.x SP5)

The SharePoint resources you want to protect with SiteMinder must be placed

in a separate domain on the SiteMinder Policy Server.

To create a domain for your SharePoint resources

1. Click the Domains tab.

A list of domains appears.

2. Right-click Domains, and select Create Domain.

The Domain Properties dialog appears.

3. Enter a distinctive name, and (optional) description.

4. Click the drop-down list, select the LDAP Directory server instance from

the list, and then click Add.

The LDAP Directory server instance appears in the User Directories field.

5. Click OK.

The Domain Properties dialog closes and the domain is saved.

Select a New Port Number for your IIS Default Web Site (r6.x SP5)

When a user requests a protected SharePoint web site, the SiteMinder Web

Agent redirects the user to the default IIS web site and displays a login form

(FCC). After the user's credentials are received and verified, the SiteMinder

Web Agent redirects the user back to the protected SharePoint web site they

originally requested.

Since the SharePoint server takes over the default IIS port (80), and disables

any existing web sites already running on that port, you may find it helpful to

re-activate the Default IIS Web site on a different port. This lets you separate

your SiteMinder IIS traffic from your SharePoint traffic and may help with

logging or troubleshooting.

You must also specify this updated port number in the SiteMinder

Authentication scheme you create to protect your SharePoint resources.

More information:

Change the Port Number of the Default IIS Web Site (see page 67)


Create an Authentication Scheme for your SharePoint Resources (r6.x SP5)

You need to create a separate SiteMinder authentication scheme for your

SharePoint resources. This authentication scheme replaces the SharePoint FBA

with a SiteMinder FCC.

To create an authentication scheme for your SharePoint resources

1. In the System tab, right-click Authentication Schemes, and select Create

Authentication Scheme.

The Authentication Scheme dialog appears.

2. Enter a distinctive name, and (optional) description.

3. Click the Authentication Scheme Type drop-down list, and select HTML

Form Template.

4. Click the Web Server Name field, and then type the fully-qualified domain

name and the updated port number of your IIS Default Web site, as shown

in the following example:

iis_web_server_name.example.com:5500

Note: Ensure the *Target field contains the following URL:

/siteminderagent/forms/login.fcc

5. Click OK.

The Authentication Scheme Dialog closes and your authentication scheme

is saved.

More information:

Select a New Port Number for your IIS Default Web Site (r6.x SP5) (see page 22)

Create Realms for your SharePoint Resources (r6.x SP5)

You must create several realms in SiteMinder for each SharePoint web site you

want to protect. The root, or top-level, realm protects the SharePoint resource.

You must also create several sub-realms inside the top level realm that leave

certain sub-folders of each SharePoint resource unprotected, as shown in the

following illustration:


To create realms for your SharePoint resources

1. Click the Domains tab, and then expand the domain of your SharePoint

resources.

A list of domain objects appears.

2. Right-click Realms and select Create Realm.

The Realm Properties dialog appears, showing the Resource tab.

3. Enter a distinctive name, and (optional) description.

4. Do the following:

■ Click Lookup, click the name of the Web Agent that will protect your

SharePoint resources, and then click OK.

■ Click the Authentication Scheme drop-down list, and select the

Authentication scheme for your SharePoint resources.

■ Under Default Resource Protection, make sure the Protected radio

button is selected.

■ Click Apply.

The resource settings are saved.

5. Click the Session tab, and then make sure that the No Persistent Session

radio button is selected.

6. Click OK.

The root (top-level) realm is created, and it appears in the list.

7. Right-click the root realm in the list, and select Create Realm Under Realm.

The Realm Properties dialog appears, showing the Resource tab.

8. Enter a distinctive name, and (optional) description.

9. Do the following:

■ Click the Resource filter field, and type the following:

_vti_bin

■ Click the Authentication Scheme drop-down list, and select the

Authentication scheme for your SharePoint resources.

■ Under Default Resource Protection, click the Unprotected radio button.

■ Click Apply.

The resource settings for the sub-realm are saved.

10. Click the Session tab, and then make sure that the No Persistent Session

radio button is selected.

11. Click OK.

The sub-realm is created, and it appears in the list.

12. Repeat Steps 7 and 8, and then do the following:


■ Click the Resource filter field, and type the following:

_vti_inf

■ Click the Authentication Scheme drop-down list, and select the

Authentication scheme for your SharePoint resources.

■ Under Default Resource Protection, click the Unprotected radio button.

■ Click Apply.

The resource settings for the sub-realm are saved.

13. Click the Session tab, and then make sure that the No Persistent Session

radio button is selected.

14. Click OK.

The sub-realm is created, and it appears in the list.

15. Repeat Steps 7 and 8, and then do the following:

■ Click the Resource filter field, and type the following:

_layouts

■ Click the Authentication Scheme drop-down list, and select the

Authentication scheme for your SharePoint resources.

■ Under Default Resource Protection, click the Unprotected radio button.

■ Click Apply.

The resource settings for the sub-realm are saved.

16. Click the Session tab, and then make sure that the No Persistent Session

radio button is selected.

17. Click OK.

The sub-realm is created, and it appears in the list. All of the realms and

sub-realms for your SharePoint integration are created.


Create a Rule Under your SharePoint Realm (r6.x SP5)

Your top-level SharePoint realm needs a rule which fires when a user requests

access to a protected SharePoint resource.

To create a rule under your SharePoint realm

1. Click the Domains tab, and expand the following items:

■ Your SharePoint domain.

■ The realms under that domain.

2. Right-click the top-level SharePoint realm, and select Create Rule Under

Realm.

The Rule Properties dialog appears.

3. Enter a distinctive name, and (optional) description.

4. In the Action field, Control-click Post and Put.

All three web agent actions (Get, Post, and Put) are selected.

5. Verify the following:

■ The Resource field contains an asterisk (*).

■ The Allow Access radio button is selected.

■ The Enabled check box is selected.

6. Click OK.

The Rule Properties Dialog closes and the new rule appears in the list.


Create a Policy for your SharePoint Resources (r6.x SP5)

You need a SiteMinder policy associated with your SharePoint domain that

defines relationships between the users, the SharePoint resources and access

rights in your organization.

To create a policy for your SharePoint resources

1. Click the Domains tab, and then expand your SharePoint domain.

A list of objects appears.

2. Right-click Policies, and select Create Policy.

The Policy Properties dialog appears showing the Users tab.

3. Enter a distinctive name, and (optional) description.

4. Click Add/Remove.

The Users/Groups dialog appears.

5. Move the groups, users (or any combination of either) that you want to

add from the Available Members list to the Current Members list, and then

click OK.

The users or groups are added to the policy.

6. Click the Rules tab, and then click Add/Remove Rules.

The Available Rules dialog appears.

7. Move your SharePoint rule from the Available Members list to the Current

Members list, and then click OK.

The rule is added to the policy.

8. Click OK.

The Policy Properties dialog closes and the policy is saved.

Test Your Policy with the SiteMinder Test Tool (r6.x SP5)

The SiteMinder test tool imitates the behavior of a SiteMinder Web Agent so

you can test your policies after creating them. This helps you make sure that

your resources are properly protected. This tool is included in your SiteMinder

Policy Server installation.

Note: For more information, see the CA SiteMinder Policy Design guide.

How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources

To configure a SiteMinder Application to protect resources on a SharePoint web

site, use the following process:

1. Open the Administrative UI (see page 29).

2. Create a Host Configuration object (see page 30).

3. Create a Web Agent object (see page 31).

4. Create an Agent Configuration object (see page 32).

5. Select a new port number for your IIS default web site (see page 34).

6. Create an Authentication scheme (see page 35).

7. Create a User Directory object (see page 36).

8. Create an Application (see page 37).

9. Leave the SharePoint Virtual sub-directories unprotected (see page 38).

10. Add Resources (see page 40).

11. Add Roles (see page 41).

12. Create a Policy (see page 42).


Open the r12 SP1 Administrative UI

The browser-based CA SiteMinder Web Access Manager Administrative User

Interface primarily enables management of Policy Server objects, but also

provides some system management functionality.

To access the Administrative UI

1. Do one of the following:

■ From the computer hosting the Administrative UI, click Start,

Programs, CA, IAM Suite, siteminderWAM, SiteMinder Administrative

User Interface

■ Open the following URL in your browser:

http://host_name.domain:port_number/iam/siteminder

The host_name is the name of the computer on which the Administrative

UI runs. You must use a fully-qualified domain name. If the Administrative

UI is not using the default HTTP port (80), you must add the port number

as shown in the following example:

http://maincomputer.example.com:8080/iam/siteminder

The login page for the Administrative UI appears.

2. Enter a valid user name and password in the appropriate fields.

If you are accessing the Policy Server for the first time, use the default

super user administrator account, which you created during Policy Server

installation.

3. Click Log In.

The Administrative UI opens.

The contents of the window depend on the privileges of the administrator

account you used to log in. You will only see the items to which your

account has access.


Create a Host Configuration Object for your SharePoint Resources (r12 SP1)

The Web Agent uses a Host Configuration object to connect with the Policy

Server. You will need the name of a Host Configuration object that is stored on

the Policy Server to configure a SiteMinder web agent on a web server that

protects your resources.

To create a host configuration object

1. Click Infrastructure, Hosts, Host Configuration, Create Host Configuration.

The Create Host Configuration: Host Configuration Search pane appears.

2. Click Create a copy of an object of type Host Configuration, and then click

OK.

The Create Host Configuration: Name pane appears.

3. Enter a distinctive name, and (optional) description.

4. Click Add, and then click the Host field.

5. Enter the IP Address of your Policy Server in the Host field.

6. Change any of the other configuration settings you want, and then click

Submit.

The Create Host Configuration task is submitted for processing.


Create a Web Agent Object for your SharePoint Resources (r12 SP1)

The Web Agent runs on the web server to protect resources, but each web

agent must be associated with a Web Agent object on the Policy Server. You

will need the name of this Web Agent object when you configure a SiteMinder

web agent on a web server.

To create a web agent object for your SharePoint resources

1. Click Infrastructure, Agent, Create Agent.

The Create Agent pane appears, and the Create a new object of type Agent

button is selected.

2. Click OK.

The Create Agent: pane appears.

3. Enter a distinctive name, and (optional) description.

Note: Web Agent names have the following limits:

■ Agent names must contain 7-bit ASCII characters in the range of

32-127, including one or more printable characters.

■ Agent names must not contain the ampersand (&) and asterisk (*)

characters.

■ Agent names are not case-sensitive. For example, you cannot

create one Agent named MyAgent and another Agent named

myagent.

4. Click Submit.

The Create Agent task is submitted for processing.


Create an Agent Configuration Object for your SharePoint Resources (r12 SP1)

An Agent Configuration Object lets you specify parameter settings on the

Policy Server that control how one or more web agents operate. You will need

the name of an Agent Configuration Object stored on the Policy Server to

configure a SiteMinder web agent on your web server.

This Agent Configuration object must also contain certain parameters and

settings to protect resources on a SharePoint web site with SiteMinder.

To create an Agent Configuration object for your SharePoint resources

1. Click Infrastructure, Agent Configuration, Create Agent Configuration.

The Create Agent Configuration: Agent Configuration Search Screen pane

appears.

2. Click the Create a copy of an object of type Agent Configuration radio button.

3. Click IISDefaultSettings, and then click OK.

The Create Agent Configuration: Name pane appears.

4. Enter a distinctive name, and (optional) description.

5. In the Parameters list, locate the #DefaultAgentName parameter and then

click the Edit arrow (on the left).

The Edit Parameter pane appears.

6. Do the following:

a. Activate the parameter by removing the comment symbol (#) from the

Name field.

b. Click the Value field and type the name of the Web Agent object you

previously created with the Administrative UI for your SharePoint

implementation.

Note: Web Agent names have the following limits:

■ Agent names must contain 7-bit ASCII characters in the range of

32-127, including one or more printable characters.

■ Agent names must not contain the ampersand (&) and asterisk (*)

characters.

■ Agent names are not case-sensitive. For example, you cannot

create one Agent named MyAgent and another Agent named

myagent.

c. Click OK.

The Edit Parameter pane closes and your changes are applied.

7. In the Parameters list, locate the #LogoffUri parameter and then click the

Edit arrow.

The Edit Parameter pane appears.


8. Do the following:

a. Activate the parameter by removing the comment symbol (#) from the

Name field.

b. Click the Value field and type the following:

/_siteminder/redirector.aspx

c. Click OK.

The Edit Parameter pane closes and your changes are applied.

9. In the parameters list, locate the BadURLChars parameter and click the

Edit arrow.

The Edit Parameter pane appears.

10. Do the following:

a. Click the Value field and then remove from the list any characters that

appear in the URLs of the resources you want to protect. For

example, if the URL of a protected resource contains the < and >

characters, then delete < and > from the list.

b. Click OK.

The Edit Parameter pane closes and your changes are applied.

11. In the parameters list, locate the IgnoreExt parameter and click the Edit

arrow.

The Edit Parameter pane appears.

12. Do the following:

a. Click the Value field and then remove the extensions of any image file

types used in your protected resources from the list. For example, if

you use .png files, then delete .png from the list.

b. Click OK.

The Edit Parameter pane closes and your changes are applied.

13. Click Add.

The Create Parameter pane appears.

14. Click the Name field, and then type the following:

autoauthorizeoptions

15. Click the Value field and then type the following:

yes

16. Click OK.

The Create Parameter pane closes.

17. Click Submit.

The Create Agent Configuration Object task is submitted for processing.


Select a New Port Number for your IIS Default Web Site (r12 SP1)

When a user requests a protected SharePoint web site, the SiteMinder Web

Agent redirects the user to the default IIS web site and displays a login form

(FCC). After the user's credentials are received and verified, the SiteMinder

Web Agent redirects the user back to the protected SharePoint web site they

originally requested.

Since the SharePoint server takes over the default IIS port (80), and disables

any existing web sites already running on that port, you may find it helpful to

re-activate the Default IIS Web site on a different port. This lets you separate

your SiteMinder IIS traffic from your SharePoint traffic and may help with

logging or troubleshooting.

You must also specify this updated port number in the SiteMinder

Authentication scheme you create to protect your SharePoint resources.

More information:

Change the Port Number of the Default IIS Web Site (see page 67)


Create an Authentication Scheme for your SharePoint Resources (r12 SP1)

You need to create a separate SiteMinder authentication scheme for your

SharePoint resources. This authentication scheme replaces the SharePoint FBA

with a SiteMinder FCC.

To create an authentication scheme for your SharePoint resources

1. Click Infrastructure, Authentication, Authentication Scheme, Create New

Authentication Scheme.

The Create Authentication Scheme pane appears.

2. Make sure the Create a new object of type Authentication Scheme radio

button is selected, and then click OK.

The Create Authentication Scheme: pane appears.

3. Enter a distinctive name, and (optional) description.

4. Click the Authentication Scheme Type: drop-down list, and then select

HTML Form Template.

The Scheme Setup and Advanced group boxes appear.

5. Click the Web Server name field and type the fully-qualified domain name

of your IIS Default Web site, as shown in the following example:

iis_web_server_name.example.com

6. Click the Port field, and then enter the port number of your IIS default

Web site.

7. Click Submit.

The Create Authentication Scheme task is submitted for processing.


Create a User Directory Object for your Directory Server Instance (r12 SP1)

For SiteMinder to protect resources on SharePoint, you must add information

about your user directory server instance to the SiteMinder Policy Server. You

will also need this information when you add the LDAP Provider to the

web.config files of your SharePoint server.

To create a user directory object for your directory server instance

1. Click Infrastructure, Directory, User Directory, Create User Directory.

The Create User Directory: pane appears.

2. Enter a distinctive name, and (optional) description.

3. Click the Server field, and then enter the fully-qualified domain name of

your directory server. For example, directory_server_name.example.com is

a fully-qualified domain name, where directory_server_name is the host name of your directory server.

4. Make sure all of the following check boxes are clear:

■ Use authenticated user's security context

■ Secure Connection

5. Select the Require Credentials check box, and then complete the following

fields:

■ Username

■ Password

■ Confirm Password

6. Click the Root field, and then type the following:

dc=your_domain_name,dc=your_domain_extension

Example: dc=example,dc=com

7. In the DN LDAP User Lookup section, click the Start field, and then type

the following:

uid=

8. Click the End field and type the following:

,dc=your_domain_name,dc=your_domain_extension

9. Click the Universal ID (R) field, and then type the following:

uid

10. Click Submit.

The Create User Directory task is submitted for processing.
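The DN LDAP User Lookup fields described above (in both the r6.x SP5 and r12 SP1 procedures) are simply concatenated around the name the user types into the login form: Start + user name + End. The following added example (not SiteMinder or CA code) shows that concatenation, checks that the two configured fragments have the shape the procedure calls for, and escapes the user-supplied value per RFC 4514 so it cannot change the structure of the resulting DN.

```python
"""Build a SiteMinder-style LDAP user-lookup DN from the Start and End fields.

Added example; it models the documented Start/username/End concatenation and
is not code from SiteMinder or from this guide.
"""

# Characters that RFC 4514 requires to be escaped inside an attribute value.
_DN_SPECIALS = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a single attribute value for safe inclusion in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        elif ch == "#" and i == 0:
            out.append("\\23")   # a leading '#' would start a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\20")   # leading/trailing spaces are significant in a DN
        else:
            out.append(ch)
    return "".join(out)


def check_fragments(start: str, end: str) -> list:
    """Return configuration problems with the Start/End fields (empty if sound)."""
    problems = []
    if not start.endswith("="):
        problems.append("Start must end with '=' (for example 'uid=')")
    # Without the leading comma the user name runs straight into the first
    # RDN of the suffix ('uid=jdoedc=example,dc=com'), which is not a valid DN.
    if not end.startswith(","):
        problems.append("End must begin with ',' (for example ',dc=example,dc=com')")
    return problems


def build_lookup_dn(start: str, end: str, username: str) -> str:
    """Concatenate Start + username + End as the Policy Server does for a DN lookup."""
    problems = check_fragments(start, end)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{start}{escape_dn_value(username)}{end}"


if __name__ == "__main__":
    # Values from the procedure: Start 'uid=', End ',dc=example,dc=com'.
    print(build_lookup_dn("uid=", ",dc=example,dc=com", "jdoe"))
    print(build_lookup_dn("uid=", ",dc=example,dc=com", "a,dc=other"))
```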


Create an Application to protect your SharePoint Resources (r12 SP1)

To protect your SharePoint resources with SiteMinder, you need to create a

SiteMinder Application using the Administrative UI.

To create an application to protect your SharePoint resources

1. Click Policies, Applications, Application, Create Application.

The Create Application: pane appears.

2. Enter a distinctive name, and (optional) description.

3. Make sure that Web Agent appears in the Agent Type drop-down list.

4. Click the ellipsis button next to the Agent field.

The Select Agent or Agent Group pane appears.

5. Click the button next to the Web Agent Object you created for your

SharePoint resources, and then click OK.

The Create Application: Name pane reappears showing the name of your

Web Agent object.

6. Click the Authentication Scheme drop-down list and select the

authentication scheme for your SharePoint resources.

7. In the User Directories Group Box, click Add/Remove.

The Choose user directories dialog appears.

8. In the Available Members list, click the name of your SharePoint directory,

and then click the right arrow.

Your SharePoint user directory object appears in the Selected Members

list.

9. Click OK.

The Create Application: Name pane reappears showing the name of your

Directory object.

10. Click Submit.

The Create Application task is submitted for processing.


Leave the SharePoint Virtual Directories Unprotected (r12 SP1)

Each SharePoint web site contains several virtual directories that must remain

unprotected by SiteMinder. For example, if you are protecting a SharePoint

web site in the following location of your IIS server:

C:\Inetpub\wwwroot\wss\VirtualDirectories\10855

Then you must leave all of the following virtual subdirectories unprotected:

■ _vti_bin

■ _vti_inf

■ _layouts

To leave the SharePoint virtual directories unprotected

1. Open the Application you created to protect your SharePoint resources by

doing the following:

a. Click Policies, Applications, Application, Modify Application.

The Modify Application pane appears.

b. Click the button next to your SharePoint application, and then click

Select.

The Modify Application: Name pane appears.

2. Add components for the virtual directories by doing the following:

a. In the components section, click Create.

The Create Component dialog appears.

b. Click the Name field and then enter a distinctive name.

c. Click the Browse button next to the Agent field, and then select the

name of the Web Agent you created to protect your SharePoint

resources.

The Agent name appears in the field.

d. Click the Resource Filter field, and then type the following:

_vti_bin

e. Click the Unprotected radio button, and then click the Authentication

Scheme drop-down list and select the Authentication Scheme you

created for your SharePoint resources.

f. Click OK.

The virtual directory you created appears in the components list.

g. Repeat Steps a through c.

h. Click the Resource Filter field, and then type the following:

_vti_inf


i. Repeat steps e and f.

j. Repeat Steps a through c.

k. Click the Resource Filter field, and then type the following:

_layouts

l. Repeat steps e and f.

The list of components appears. Your settings should match those

shown in the Resource Filter and Default Resource Protection columns

in the following illustration:

Note: The sort order of the items may be different. It does not affect their

operation.

3. Click Submit.

The Modify Application task is submitted for processing and unprotected

settings for the virtual directories are saved.


Add Resources to your Application (r12 SP1)

To protect your SharePoint resources with SiteMinder, you must define

application resources which specify the protected items and which actions the

SiteMinder web agent will intercept.

To add resources to your application

1. Open the Application you created to protect your SharePoint resources by

doing the following:

a. Click Policies, Applications, Application, Modify Application.

The Modify Application pane appears.

b. Click the button next to your SharePoint application, and then click

Select.

The Modify Application: Name pane appears.

2. Add Resources to the application by doing the following:

a. Click the Resource tab, and then click Create.

The Create Application Resource: pane appears.

b. Enter a distinctive name for the resource.

c. Click the Resource field and enter the following:

*

The Effective Resource field displays /*.

d. Under the Action group box, make sure that the Web Agent Actions

radio button is selected, and then click the following actions:

■ Get

■ Post

■ Put

e. Click OK.

The Create Application Resource: pane closes, and the Modify

Application: Name pane appears.

3. Click Submit.

The Modify Application task is submitted for processing.


Add Roles to your Application (r12 SP1)

To protect your SharePoint resources with SiteMinder, the SiteMinder

application you create must contain application roles that specify who can access

the protected directory.

To add roles to your application

1. Open the Application you created to protect your SharePoint resources by

doing the following:

a. Click Policies, Applications, Application, Modify Application.

The Modify Application pane appears.

b. Click the button next to your SharePoint application, and then click

Select.

The Modify Application: Name pane appears.

2. Add a Role to your Application by doing the following:

a. Click the Roles Tab, and then click Create.

The Create Role tab appears.

b. Make sure the Create a new object of type Role radio button is

selected, and then click OK.

The Create Role: pane appears.

c. Enter a distinctive name, and (optional) description.

d. Click the Expression field, and then type the following:

(TRUE)

e. Click OK.

The Modify Application: Name pane appears.

3. Click Submit.

The Modify Application task is submitted for processing.


Create a Policy for your Application (r12 SP1)

The last step in configuring a SiteMinder r12 SP1 Policy to protect your SharePoint resources involves creating a policy which combines access rights to the resources and roles.

To create a policy for your application

1. Open the Application you created to protect your SharePoint resources by doing the following:

   a. Click Policies, Applications, Application, Modify Application.

      The Modify Application pane appears.

   b. Click the button next to your SharePoint application, and then click Select.

      The Modify Application: Name pane appears.

2. Click the Policies tab.

   The Policies group box appears.

3. Verify the following:

   ■ The Select a context root drop-down list shows the root level (/).
   ■ The Name radio button is selected.

4. Locate the table that shows your SharePoint resources and roles, and then select the check box to grant access to the resources, as shown in the following illustration:

5. Click Submit.

   The Modify Application task is submitted for processing.


Chapter 4: Configure SharePoint 2007

This section contains the following topics:

How to Create a SharePoint 2007 Test Site (see page 43)
How to Configure Your SharePoint Forms Based Authentication (see page 47)

How to Create a SharePoint 2007 Test Site

Creating a SharePoint test site will help you learn more about how SharePoint works and give you a chance to test your SharePoint and SiteMinder implementation in a staging environment before making changes on your production systems. To create a SharePoint test environment, use the following process:

1. Create a new SharePoint site (see page 44).

2. Add the new SharePoint site to a site collection (see page 45).

3. On your new SharePoint site, create a document library (see page 46).


Create a New SharePoint Site

Creating a new SharePoint site gives you a fixed reference point you can use as a guide as you prepare for your SiteMinder integration.

To create a new SharePoint site

1. From your SharePoint host computer, click Start, Programs, Microsoft Office Server, SharePoint 3.0 Central Administration.

   The Central Administration home page appears.

2. Click the Application Management tab, and then click Create or extend Web application.

   The Create or Extend Web Application page appears.

3. Click Create a new Web application.

   The Create New Web Application page appears.

4. Select the options you want for the new site. Note the port number for future reference (if you are using different ports to distinguish your sites), and then click OK.

   The progress indicator appears. When your changes are saved, the Application Created page appears.

5. Follow any additional instructions on the screen to finish creating your new SharePoint site.

   The new SharePoint site is created.


Add the New SharePoint Site to a Site Collection

After the new SharePoint site is created, you must add it to a Site Collection.

To add the new SharePoint site to a site collection

1. Do either of the following:

   ■ From the Application Created screen, click the Create Site Collection link.
   ■ Open the SharePoint Central Administration site, click the Application Management tab, and then click Create Site Collection.

   The Create Site Collection page appears.

2. Make sure the URL for your new site appears in the drop-down list, as shown in the following example:

3. Complete the form to create your site collection, and then click OK.

   The progress indicator appears. When your changes are saved, the Top-Level Site Successfully Created page appears.


Create a Document Library

A document library lets you test the version-control and change management features of the documents hosted on your SharePoint site. SiteMinder can control access to these SharePoint resources as well.

To create a document library

1. Open your new SharePoint site in a browser.

   The Home page for your site appears.

2. Click the Site Actions drop-down list, and then select Create.

   The Create page appears.

3. Under the Libraries column, click Document Library.

   The New page appears.

4. Complete the form, and then click Create.

   The page of your document library appears. The list of documents is empty.

5. Add documents to the library by clicking New or Upload and following the instructions on the screen.

   Your document library is created.


How to Configure Your SharePoint Forms Based Authentication

If you want to use SiteMinder Forms-based authentication (FCC) with SharePoint, we recommend configuring your SharePoint forms-based authentication (FBA) first. This helps you verify that the SharePoint authentication works correctly before making the additional configuration changes that SiteMinder requires.

If your SharePoint FBA is not already configured, use the following process:

1. Save copies of the current web.config files for all of the following SharePoint web sites under a different name (see page 48):

   ■ The SharePoint Central Configuration site
   ■ Each SharePoint web site you want to protect with SiteMinder

2. Add the following setting to the SharePoint Central Configuration web site (see page 49):

   ■ Membership provider

3. Add the following settings to each SharePoint web site you want to protect (see page 51):

   ■ Membership provider
   ■ Authentication method

4. (Optional) Encrypt the sensitive information in the web.config files (see page 53).

5. Use the SharePoint Central Configuration web site to do the following:

   a. Change the authentication provider of each SharePoint site you want to protect (see page 54).

   b. Add users to each SharePoint site you want to protect (see page 55).

   c. Update the site administrator accounts to use FBA (see page 56).

6. Test your SharePoint FBA configuration (see page 57).


Back Up Your Existing web.config Files

To configure SharePoint to operate with SiteMinder you need to modify the web.config file of your SharePoint Central Administration web site, and the web.config file of any SharePoint site you want to protect. Since a single IIS server may contain many virtual SharePoint sites, identifying the correct files to modify is critical.

To locate and back up the existing web.config files

1. Open the IIS 6.0 Manager on your web server.

2. In the left pane, expand the web server, and then expand Web Sites.

   A list of web sites appears.

3. Right-click the SharePoint Central Administration site, and then select Open.

   Windows Explorer opens the directory for the Central Administration web site.

4. Open the web.config file and save a copy of the original using a different name.

5. Close the Windows Explorer window.

6. Go back to the IIS Manager window, right-click the folder of a SharePoint site you want to protect, and then select Open.

   Windows Explorer opens the directory for the SharePoint web site.

7. Open the web.config file and save a copy of the original using a different name.

   We recommend using a name that will help you remember the point at which you changed the file. For example, if you are saving a copy of your FBA web.config file before adding the SiteMinder information, you might want to name the backup copy of the file fba_web.config.

8. Close the Windows Explorer window.

9. Repeat Steps 6 through 8 for each SharePoint site you want to protect.

   All of the existing web.config files have been backed up.


Add the Membership Provider to the SharePoint Central Configuration Web Site

To integrate Microsoft SharePoint with SiteMinder, you must update the web.config file of the central SharePoint web site with the following information:

Membership Provider

   Defines the following information in the web.config file:

   ■ Default Membership Provider Name
   ■ Membership Provider Name and Type
   ■ Directory Attributes
   ■ User Name and password of account authorized to connect to the directory. (We recommend binding with an account for better security, but you can omit these attributes if you want to bind anonymously to the directory)

   Example:

   <membership defaultProvider="LdapMembership">
     <providers>
       <add name="LdapMembership"
            type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
            server="directory_server_name_or_IP_address"
            port="directory_server_instance_port_number" useSSL="false"
            userDNAttribute="entryDN" userNameAttribute="cn"
            userContainer="dc=server_domain,dc=domain_extension"
            userObjectClass="Inetorgperson"
            userFilter="(ObjectClass=Inetorgperson)" scope="Subtree"
            otherRequiredUserAttributes="sn,givenname,cn"
            connectionUsername="cn=user_name"
            connectionPassword="password" />
     </providers>
   </membership>


To edit the web.config file of the SharePoint central administration web site

1. Open a copy of the original web.config file with an XML editor.

   Important! Do not use Notepad, Wordpad, (or any other text editor with line-length limitations) to edit the XML file. A text editor designed for writing programming source code will not generally have such line-length limitations. For more information, see the documentation or online help for your respective editor.

2. Locate the following tags:

   <system.web>
   <securityPolicy>

3. Insert the following sections between the tags, and then replace the variables shown with your values:

   <membership defaultProvider="LdapMembership">
     <providers>
       <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
            server="directory_server_name_or_IP_address" port="directory_server_instance_port_number"
            useSSL="false" userDNAttribute="entryDN" userNameAttribute="cn"
            userContainer="dc=server_domain,dc=domain_extension" userObjectClass="Inetorgperson"
            userFilter="(ObjectClass=Inetorgperson)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn"
            connectionUsername="cn=user_name" connectionPassword="password" />
     </providers>
   </membership>

4. Save the web.config file and close the XML editor.

   The SharePoint Central Administration server contains a membership provider.


Add the Membership Provider and Authentication Method to Each SharePoint Web Site you want to protect

To integrate Microsoft SharePoint with SiteMinder, you must update the web.config file of each SharePoint web site that you want to protect using SiteMinder with the following information:

Membership Provider

   Defines the following information in the web.config file:

   ■ Default Membership Provider Name
   ■ Membership Provider Name and Type
   ■ Directory Attributes
   ■ User Name and password of account authorized to connect to the directory. (We recommend binding with an account for better security, but you can omit these attributes if you want to bind anonymously to the directory)

   Example:

   <membership defaultProvider="LdapMembership">
     <providers>
       <add name="LdapMembership"
            type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
            server="directory_server_name_or_IP_address"
            port="directory_server_instance_port_number" useSSL="false"
            userDNAttribute="entryDN" userNameAttribute="cn"
            userContainer="dc=server_domain,dc=domain_extension"
            userObjectClass="Inetorgperson"
            userFilter="(ObjectClass=Inetorgperson)" scope="Subtree"
            otherRequiredUserAttributes="sn,givenname,cn"
            connectionUsername="cn=user_name"
            connectionPassword="password" />
     </providers>
   </membership>


Authentication Mode

   Defines the following information in the web.config file:

   ■ Which type of authentication is used by SharePoint.
   ■ Any parameters required to use the specified type of authentication. For example, if Forms authentication is used, this section must contain the URL of the form where the user enters credentials.

   Default: "Windows"

   Example (FBA): <forms loginUrl="/_layouts/login.aspx" />

   Example (SiteMinder): <forms loginUrl="/_siteminder/siteminderlogin.aspx" />

To edit the web.config file of each SharePoint web site you want to protect

1. Open the web.config file with an XML editor.

   Important! Do not use Notepad, Wordpad, (or any other text editor with line-length limitations) to edit the XML file. A text editor designed for writing programming source code will not generally have such line-length limitations. For more information, see the documentation or online help for your respective editor.

2. Locate the following tags:

   <system.web>
   <securityPolicy>

3. Insert the following sections between the tags, and then replace the variables shown (italicized) with your values:

   <membership defaultProvider="LdapMembership">
     <providers>
       <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
            server="directory_server_name_or_IP_address" port="directory_server_instance_port_number"
            useSSL="false" userDNAttribute="entryDN" userNameAttribute="cn"
            userContainer="dc=server_domain,dc=domain_extension" userObjectClass="Inetorgperson"
            userFilter="(ObjectClass=Inetorgperson)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn"
            connectionUsername="cn=user_name" connectionPassword="password" />
     </providers>
   </membership>

4. Locate the following tag:

   <authentication mode="Windows" />

5. In the previous line do the following:

   ■ Replace the word "Windows" with the word "Forms".
   ■ Delete the closing slash and the extra white space.


6. Add the FBA lines shown in the following example:

   <forms loginUrl="/_layouts/login.aspx" />
   </authentication>

   The authentication section should match the following example:

   <authentication mode="Forms">
     <forms loginUrl="/_layouts/login.aspx" />
   </authentication>

7. Save the web.config file.

   The membership provider and forms authentication settings are added.

Repeat Steps 1 through 7 for each SharePoint web site you want to protect with SiteMinder.
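The web.config edits from Steps 3 through 6, applied and then checked with Python's ElementTree. This is an added example, not code from the CA guide: the sample web.config fragment, the ldap.example.com server and the service-account DN are constructed for illustration, and the checks for unreplaced placeholder values and for a bind password configured with useSSL="false" are additions that the guide does not describe.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the part of a SharePoint 2007 web.config that the
# procedure above edits; it is not a file from the guide.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <securityPolicy>
      <trustLevel name="WSS_Minimal" policyFile="config\\wss_minimaltrust.config" />
    </securityPolicy>
    <authentication mode="Windows" />
    <httpModules />
  </system.web>
</configuration>
"""

# Provider type string exactly as shown in the guide's example.
LDAP_PROVIDER_TYPE = ("Microsoft.Office.Server.Security.LDAPMembershipProvider, "
                      "Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, "
                      "PublicKeyToken=71E9BCE111E9429C")

# The guide's variable placeholders; any of them left in a deployed file is a bug.
PLACEHOLDERS = {"directory_server_name_or_IP_address", "cn=user_name", "password",
                "directory_server_instance_port_number", "dc=server_domain,dc=domain_extension"}

def parse_web_config(xml_text):
    """Parse a web.config string into an element tree root."""
    return ET.fromstring(xml_text)

def add_membership_provider(root, name, server, port, user_container,
                            bind_dn=None, bind_password=None, use_ssl=False):
    """Step 3: insert <membership> as the first child of <system.web>, i.e.
    between the <system.web> and <securityPolicy> tags."""
    system_web = root.find("system.web")
    if system_web is None:
        raise ValueError("web.config has no <system.web> section")
    if system_web.find("membership") is not None:
        raise ValueError("a <membership> section is already present")
    membership = ET.Element("membership", defaultProvider=name)
    providers = ET.SubElement(membership, "providers")
    attrs = {"name": name, "type": LDAP_PROVIDER_TYPE, "server": server,
             "port": str(port), "useSSL": "true" if use_ssl else "false",
             "userDNAttribute": "entryDN", "userNameAttribute": "cn",
             "userContainer": user_container, "userObjectClass": "Inetorgperson",
             "userFilter": "(ObjectClass=Inetorgperson)", "scope": "Subtree",
             "otherRequiredUserAttributes": "sn,givenname,cn"}
    if bind_dn is not None:  # omit both attributes to bind anonymously
        attrs["connectionUsername"] = bind_dn
        attrs["connectionPassword"] = bind_password or ""
    ET.SubElement(providers, "add", attrs)
    system_web.insert(0, membership)
    return membership

def set_forms_authentication(root, login_url="/_layouts/login.aspx"):
    """Steps 4 to 6: <authentication mode="Windows" /> becomes a Forms element
    that contains <forms loginUrl="..." />."""
    auth = root.find("system.web/authentication")
    if auth is None:
        raise ValueError("web.config has no <authentication> element")
    auth.set("mode", "Forms")
    for child in list(auth):
        auth.remove(child)
    ET.SubElement(auth, "forms", loginUrl=login_url)
    return auth

def check_fba_config(root, provider_name_in_central_admin):
    """Return the problems to fix before enabling FBA in Central Administration;
    an empty list means the file is consistent with what will be entered there."""
    problems = []
    auth = root.find("system.web/authentication")
    forms = auth.find("forms") if auth is not None else None
    if auth is None or auth.get("mode") != "Forms":
        problems.append("authentication mode is not Forms")
    elif forms is None or not forms.get("loginUrl"):
        problems.append("<forms> element with a loginUrl is missing")
    membership = root.find("system.web/membership")
    if membership is None:
        return problems + ["<membership> section is missing"]
    providers = membership.findall("providers/add")
    names = [p.get("name") for p in providers]
    if membership.get("defaultProvider") not in names:
        problems.append("defaultProvider does not name a defined provider")
    if provider_name_in_central_admin not in names:
        problems.append("Membership Provider Name entered in Central Administration "
                        "does not match web.config")
    for p in providers:
        left = sorted(v for v in p.attrib.values() if v in PLACEHOLDERS)
        if left:
            problems.append("placeholder values not replaced: " + ", ".join(left))
        if p.get("useSSL") == "false" and p.get("connectionPassword"):
            problems.append('bind password would cross the network in clear text (useSSL="false")')
    return problems

def configure_fba(xml_text, provider_name, **provider_args):
    """Apply both edits to a web.config string and return the root element."""
    root = parse_web_config(xml_text)
    add_membership_provider(root, provider_name, **provider_args)
    set_forms_authentication(root)
    return root
```

Serialize the result with ET.tostring(root, encoding="unicode") and compare it against the backup copy before deploying; the Membership Provider Name you later type in Central Administration must equal the name attribute checked here.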

How to Encrypt the Sensitive Information in your web.config Files

The web.config files for your SharePoint Central Administration site and any sites you want to protect with the Microsoft FBA or CA SiteMinder may contain sensitive information that you want to protect, such as the following:

■ Directory server URLs
■ User names
■ Passwords

For more information about encrypting the sensitive areas of your web.config file, go to the Microsoft Developer Network web site and search for one of the following phrases:

■ Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
■ Encrypt Configuration Sections in ASP.NET 2.0 Using RSA


Enable SharePoint FBA

After the web.config files for both the SharePoint Central Administration site and the other web sites you want to protect have been modified, you need to enable the SharePoint FBA authentication.

To enable SharePoint FBA

1. Click Start, Programs, Microsoft Office Server, SharePoint 3.0 Central Administration.

   The SharePoint Central Administration home page appears.

2. Click the Application Management tab.

   The Application Management page appears.

3. In the Application Security section, click the Authentication Providers link.

   The Authentication Providers page appears.

4. Make sure the SharePoint web site that you want to protect with FBA appears in the pull-down menu in the upper-right corner of the screen, as shown in the following illustration:

5. Click the Zone of your web site in the left column.

   The Edit authentication page appears.

6. Do the following:

   ■ In the Authentication Type section, click the Forms button.
   ■ In the Membership Provider Name field, type the name of your membership provider (this must match the name defined in your SharePoint web.config files).
   ■ In the Client Integration section, click the Yes button.

7. Click Save.

   The Authentication Providers page appears.


Add Users to Your SharePoint Web Site

After SharePoint FBA is enabled, you need to add users to your SharePoint web site.

To add users to your SharePoint web site

1. Click the Application Management tab.

   The Application Management screen appears.

2. Under the Application Security section, click Policy for Web Application.

   The Policy for Web Application screen appears.

3. Click Add Users.

   The Add Users screen appears.

4. Make sure the SharePoint web site to which you want to add users appears in the pull-down menu in the upper-right corner of the screen, as shown in the following illustration:

5. (Optional) Select the Zone from the drop-down list.

6. Click Next.

7. In the Users field, do any of the following:

   ■ Type the name of a user.
   ■ Use the Check Names button to verify user names.
   ■ Use the Browse button to locate users.

   Important! You must enter the User ID (uid) when adding or searching for users (searches using wildcards are also allowed). Searches using other attributes may not return results.

8. Select the check boxes of the permissions you want.

9. Click Finish.

   Users are added to your SharePoint web site.


Update the Site Collection Administrator Account to Use FBA

The original Windows accounts that have site-collection-administrator privileges need to be authorized to use FBA.

To update the site collection administrator accounts to use FBA

1. Click the Application Management tab.

   The Application Management page appears.

2. In the SharePoint Site Management section, click Site Collection Administrators.

   The Site Collection Administrators page appears.

3. Make sure the site collection that contains the resources you want to protect with FBA appears in the drop-down list, as shown in the following illustration:

4. Click the Primary Site Collection Administrator field, and then enter the name of the person you want to designate as an administrator, as shown in the following example:

   Site Collection Administrator

      Specifies a user who can create, maintain, or remove content from a group of resources hosted on a SharePoint web site. If you are using SharePoint FBA, this user must exist in the directory of the membership provider, and the user name must have the following format:

      membership_provider_name:user_name

      Example: LDAPMembershipProvider:user01

   Important! You must enter the User ID (uid) when adding or searching for users (searches using wildcards are also allowed). Searches using other attributes may not return results.

5. (Optional) Click the Secondary Site Collection Administrator field, and enter the name of a person you want, as shown in Step 4.

6. Click OK.

   The Site Collection Administrators page closes and the Application Management page appears. The administrators have been added.


Test Your SharePoint FBA

You should test your SharePoint FBA configuration by making sure the Site Collection Administrators can access their respective site collections.

To test your SharePoint FBA

1. Open a web browser.

2. Enter the URL of the protected site collection.

   The Sign In form appears.

3. Type the user name and password in the fields on the form, and then click Sign In.

   The Home page of the site collection appears.

   Note: The Welcome message shown in the upper right after you sign into SharePoint displays your User ID.


Chapter 5: Configure SiteMinder Web Agent and Related SharePoint Web Sites

This section contains the following topics:

How to Add SiteMinder to your SharePoint Environment (see page 59)
How to Configure an IIS Web Agent to Protect SharePoint Resources (see page 64)
How to Configure your SharePoint Web Sites for SiteMinder (see page 75)

How to Add SiteMinder to your SharePoint Environment

To replace the SharePoint FBA with the CA SiteMinder FCC authentication scheme, use the following process:

1. Install the SiteMinder Web Agent for IIS on the web server.

2. Add the SiteMinder .ASPX Files to the SharePoint web site.

3. Install the SiteMinder DLL file in the Global Assembly Cache.

4. Use a fully-qualified domain name in any SharePoint web sites.


Install the SiteMinder Web Agent for IIS

The SiteMinder Web Agent for IIS must be installed on the computer that runs IIS and SharePoint 2007.

To install the SiteMinder Web Agent for IIS

1. Download and extract the following file from the support site:

   smwa-version-crnumber-winarchitecture.zip

   Example: smwa-6qmr5-cr021-win32.zip

2. Double-click the .exe file.

   The installation wizard starts.

3. Use the wizard to install the SiteMinder Web Agent.

   Note: The following directories are the default locations for the Windows operating system:

   ■ (r6.x SP5): C:\Program Files\netegrity\webagent\
   ■ (r12 SP1): C:\Program Files\CA\webagent\

   After installing the software, the wizard prompts you to restart your system.

4. Click the radio button you want, and then click Done.

   The wizard closes, and the web agent is installed. If you chose to restart your system in Step 4, then your computer restarts automatically.


How to Install the SiteMinder DLL to the Global Assembly Cache

The SiteMinder Web Agent software contains a DLL file specifically for SharePoint integration. The SiteMinder installer places this file in the following location:

   web_agent_home\sharepoint\SiteminderNET.dll

   Note: The default value of the web_agent_home variable is either of the following directories:

   ■ (r6.x SP5): C:\Program Files\netegrity\webagent
   ■ (r12 SP1): C:\Program Files\CA\webagent

This DLL file must be installed in the Global Assembly Cache of the computer that hosts your Web Server.

To install the DLL file, use one of the following methods:

■ Drag and drop the DLL file from its installed location to the Global Assembly Cache.

   Note: The Global Assembly Cache is located in the following directory:

   C:\WINDOWS\assembly

■ Use the gacutil.exe tool (which is included with the .NET Framework SDK 2.0).

   Note: For more information, see your Microsoft documentation, or go to http://support.microsoft.com/

More information:

Microsoft Prerequisites (see page 13)


Add the SiteMinder .ASPX Files to the SharePoint Web Site

SiteMinder uses several .aspx files when it protects Microsoft SharePoint web sites. These files need to be installed in a virtual directory for each SharePoint web site you want to protect.

To add the SiteMinder .ASPX files to the SharePoint web site

1. Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.

   The IIS Manager opens.

2. Expand the IIS Web Server in the left column.

3. Expand the Web Sites folder in the left column.

4. Right-click the SharePoint web site instance you want to protect, and then select New, Virtual Directory.

   The Virtual Directory Creation Wizard starts. Do the following steps:

   a. Click Next.

      The Virtual Directory Alias screen appears.

   b. In the Alias field, type the following, and then click Next.

      _siteminder

   c. Click the Browse button and navigate to the following directory:

      web_agent_home\sharepoint

      Note: The default value of the web_agent_home variable is either of the following directories:

      ■ (r6.x SP5): C:\Program Files\netegrity\webagent
      ■ (r12 SP1): C:\Program Files\CA\webagent

   d. Click OK.

      The path to the directory appears in the dialog.

   e. Click Next.

   f. Select the Run Scripts (such as ASP) check box, and then click Next.

   g. Click Finish.

      The wizard closes and the new directory appears in the IIS Manager.

5. Repeat Step 4 for each SharePoint web site you want to protect with SiteMinder.


Use a Fully-Qualified Domain Name in your SharePoint Sites

The SharePoint sites must use a fully-qualified domain name to integrate with the SiteMinder web agent.

To set your SharePoint site to use a fully-qualified domain name

1. Click Start, Programs, Microsoft Office Server, SharePoint 3.0 Central Administration.

   The Central Administration page appears.

2. Click the Operations tab.

   A list of tasks appears.

3. In the Global Configuration section, click Alternate Access Mappings.

   A list of web sites appears.

4. Locate your SharePoint site. Examine the URL listed in the Public URL for Zone column on the right and verify that it uses a fully-qualified domain name.

   Note: my_web_site.example.com is an example of a fully-qualified domain name.

5. If the URL in Step 4 does not use a fully-qualified domain name, do the following:

   a. Click the Alternate Access Mapping Collection drop-down list, and then select Change Alternate Access Mapping Collection.

      A list of Alternate Access Mapping Collections appears.

   b. Click the link for your SharePoint site.

      The Alternate Access Mappings screen shows only those sites in your collection.

   c. Make sure the name of the SharePoint site you want to protect appears in the drop-down list, as shown in the following example:


d. Click Edit Public URLs.

The Edit Public Zone URLs screen appears.

e. Edit the URLs to include a fully-qualified domain name.

f. Click Save.

The URL shown in the Public URL for Zone column appears with a fully-qualified domain name.

6. Repeat Steps 2 through 5 for each SharePoint web site you want to protect.

How to Configure an IIS Web Agent to Protect SharePoint Resources

Before you can use the Web Agent on an IIS 6.0 web server to protect your SharePoint web sites, you must complete these prerequisites using the following process:

1. Assign read permissions to samples and error files directories (see page 65).

2. Allow IIS to execute Web Agent ISAPI and CGI extensions (see page 66).

3. Change the port number of the Default IIS web site (see page 67).

4. Gather the Web Agent information (see page 68).

5. Run the IIS Web Agent Configuration Wizard (see page 70).

6. (Optional) Increase the Web Agent's size limit for uploaded files (see page 71).

7. Put the Agent filter and extension before other third-party filters (see page 72).

8. Add the ISAPI filter to each SharePoint web site you want to protect (see page 74).


Assign Read Permissions to Samples and Error Files Directories

The Network Service account must have Read permissions to any directory where the Web Agent reads forms credential collector (FCC) files and to any directory where the Web Agent reads Web Agent custom error files.

To Assign Read Permissions to the Samples and Error Files Directories

1. Open Windows Explorer and go to the appropriate directory:

■ samples: web_agent_home/samples

■ custom error file: the location of your custom error files. There is no default location.

2. Right-click the directory and select Sharing and Security.

3. Select the Security tab.

4. Click Add.

The Select Users, Computers, or Groups dialog box opens.

5. Do one of the following:

a. Accept the defaults for the Select this object type and From this Location fields.

b. In the Enter the object names to select field, enter Network Service and click OK.

You return to the Properties dialog box for the directory.

6. In the Permissions for Network Service scroll-box, allow Read permissions.

7. Click OK to finish.

Repeat this procedure for each directory.


Allow IIS to Execute the Agent ISAPI and CGI Extensions

You must add certain ISAPI and CGI extensions to the IIS 6.0 web server and grant the server permission to execute them before configuring the SiteMinder Web Agent. These extensions will execute the Web Agent ISAPI and CGI scripts and other files.

To add the extensions and permissions

1. Open the Internet Information Services (IIS) Manager, and then expand the web server you are configuring for the Agent.

2. Double-click Web Service Extensions.

The Web Service Extensions pane appears.

3. To add the ISAPI Web Agent extension, do the following:

a. Click the Add a new Web service extension link.

The New Web Service Extension dialog box opens.

b. In the Extension name field, enter ISAPI6WebAgentDLL, and then click Add.

The Add File dialog box opens.

c. Click the Browse button, and then navigate to the ISAPI6WebAgent.dll file in the web_agent_home/bin directory. If the proper file does not appear, click the Files of type drop-down list and select either ISAPI dll files (for the .dll files) or CGI exe files (for .exe files).

Note: The default value of the web_agent_home variable is either of the following directories:

■ (r6.x SP5): C:\Program Files\netegrity\webagent

■ (r12 SP1): C:\Program Files\CA\webagent

d. Click Open.

The path to the file appears in the Add File dialog box.

e. Click OK.

You return to the New Web Service Extension dialog box.

f. Select the Set extension status to allowed check box.

g. Click OK.

The New Web Service Extension dialog box closes.

4. Repeat Step 3 and add each of the following Web Agent files. Even though both files use the same name, you must add a separate extension for each because they are in different directories.

■ web_agent_home/pw/smpwservicescgi.exe (suggested extension name: Password Services CGI)


■ web_agent_home/pw_default/smpwservicescgi.exe (suggested extension name: PW Default CGI)

Change the Port Number of the Default IIS Web Site

We recommend changing the port number of the default IIS web site.

To change the port number for the default IIS web site

1. Open the IIS Manager.

2. Expand the web server, and then expand Web Sites.

A list of web sites appears.

3. Right-click the default web site (at the top of the list), and select Properties.

The Properties dialog appears.

4. Click the Web Site tab.

5. In the TCP port field, enter the number of an available port that you want to use, and then click OK.

The Properties dialog closes and the changes are saved.

6. Start the default web site.

7. Verify the change by opening a browser window and accessing a web page on the new port.

The port number for the default IIS web site is changed.

More information:

Select a New Port Number for your IIS Default Web Site (r6.x SP5) (see page 22)

Select a New Port Number for your IIS Default Web Site (r12 SP1) (see page 34)


Gather Web Agent Information

To configure a SiteMinder Web Agent, you need to collect information about the following items on your SiteMinder Policy Server:

Admin User Name

Specifies the name of an administrator who is allowed to register the host with the Policy Server. Before a trusted host can be registered, this administrator must be defined in the Policy Server, and have permission to register trusted hosts.

Default: siteminder

Admin Password

Specifies the password for the administrator who can register trusted hosts with the Policy Server.

Enable Shared Secret Rollover

Specifies if the shared secret that encrypts the communication between the trusted host and the Policy Server will be changed periodically.

The Key Rollover feature must already be enabled at the Policy Server. To change this setting at a later time, you must do the following:

■ Re-register the trusted host with the Policy Server

■ Use the Policy Management API to change the setting.

Trusted Host Name

Specifies any unique name that represents your trusted host on the Policy Server. This name does not have to match the name of the physical system you are registering.

Example: mytrustedhost

Limits: Must differ from any other existing trusted host name or existing Web Agent name.

Host Configuration Object

Specifies the name of an object that contains connection settings used between the trusted host and the Policy Server. This object must be defined in the Policy Server before you can configure a Web Agent.

Default: DefaultHostSettings


Policy Server IP Address

Specifies the host name or IP address of the Policy Server with which you are registering your trusted host. Specify a port number only if you want to use a non-default port.

Example: 192.168.1.100:non_default_port_number

Agent Configuration Object

Specifies the name of an Agent Configuration object on the Policy Server that contains the parameter settings that you want your web agent to use.

Default: AgentObj

Example: IISDefaultSettings

Agent Registration Worksheet

You can print a copy of this worksheet and use it to gather the information that you need to register the system hosting your web server and web agent as a trusted host with the SiteMinder Policy Server. Record your value next to each item:

■ Admin User Name:

■ Admin Password:

■ Shared Secret Rollover? (yes/no):

■ Trusted Host Name:

■ Host Configuration Object:

■ Policy Server IP Address:

■ Agent Configuration Object:


Run the Agent Configuration Wizard

The Agent Configuration wizard does the following:

■ Registers the system that hosts the SiteMinder Web Agent and the associated web server as a trusted host with the Policy Server.

■ Creates files on the web server that the Web Agent uses to start and connect to the Policy Server.

Note: You only register a system as a trusted host once, not each time you install and configure a Web Agent. If the Web Agent Configuration Wizard detects that a trusted host has been registered on that system previously, a warning appears.

To run the agent configuration wizard

1. Click Start, Programs, SiteMinder, Web Agent Configuration Wizard.

The Web Agent Configuration Wizard starts.

2. Do one of the following:

■ If you have not registered the system as a trusted host before, click Yes, click Next. Complete the wizard using information you gathered on the Registration Worksheet.

■ If the system has previously been registered as a trusted host, click No, click Next, and complete the wizard.

3. Restart your web server.

The Web Agent is configured.


Increase the Agent's Size Limit for Uploaded Files

The Web Agent installed on an IIS 6.0 web server has a size limit of 2.5 MB for uploading files. If you want to increase this size limit, you can add a new key to the Windows registry on your web server.

To upload files that are larger than this limit

1. Open the registry editor.

Note: For more information, see your Microsoft documentation, or go to http://support.microsoft.com/

2. Navigate to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\netegrity\SiteMinder Web Agent\Microsoft IIS

3. Create a new DWORD registry key in the previous location using the following name:

MaxRequestAllowed

4. Set the value of this key to the number of bytes that corresponds to the size limit you want.

The value of this key overrides the default limit. If the value of this key is less than or equal to 0, then the default of 2.5 MB (2,500,000 B) is used. This key accepts decimal values from 0 to 4294967295.

Note: The IIS 6.0 web server has its own size limit. Changing the Web Agent's limit will not affect the IIS 6.0 limit. If you want to change the IIS 6.0 server's limit, see the Microsoft IIS 6.0 documentation or online help.

5. Close the registry editor.

The size limit is changed.


Put the Agent Filter and Extension before Other Third-Party Filters

The IIS 6.0 Web Agent consists of an ISAPI filter and an ISAPI extension. The majority of Web Agent processing occurs in the extension.

When the Web Agent is installed on an IIS 6.0 Web Server with other third-party software, such as WebSphere or ServletExec, the Agent has the following restrictions:

■ The Web Agent filter and Web Agent extension must be configured to run before other third-party filters installed on the web server.

■ The Web Agent must be configured as the first wildcard application map if it is going to protect applications running as or spawned by an ISAPI extension.

■ The IIS 6.0 web server does not enforce how third-party filters and extensions behave. IIS 6.0 processes ISAPI filters before calling ISAPI extensions, including the Web Agent extension. Therefore, the SiteMinder Web Agent for IIS 6.0 is unable to authenticate or authorize access to applications implemented as pure ISAPI filters. This limitation impacts Web Agent integration with other third-party offerings for the IIS 6.0 web server, if those offerings are implemented as ISAPI filters that process and/or redirect the request before ISAPI extensions are called.

When you install the Web Agent on an IIS 6.0 web server, the Agent's filter is automatically placed at the top of the ISAPI filters list. However, if you install any other third-party plugins after installing the Web Agent, those filters may take precedence.

After you install and configure an IIS 6.0 Web Agent, you must ensure that the siteminderagent ISAPI filter and extension are listed before any third-party filter or extension. This enables the Web Agent to process requests before any third-party software does.

To put the agent filter and extension before other third-party filters

1. Check the ISAPI filter by doing the following steps:

a. Open the IIS Manager.

b. Select Web Sites, then right-click and select Properties.

c. Select the ISAPI Filters tab.

d. Check the list of filters and ensure that siteminderagent is the first entry in the list. If it is not, use the Move Up button to place it at the top of the list.

e. Click OK.

f. Exit the IIS Manager.

2. Check the ISAPI extensions by doing the following steps:


a. Open the IIS Manager, and then expand the web server.

b. Right-click the Default Web Site folder, and select Properties.

c. Click the Home Directory tab, and then click Configuration.

d. The following file should be at the top of the Wildcard application maps (order of implementation) field:

web_agent_home\bin\ISAPI6WebAgent.dll

Note: The default value of the web_agent_home variable is either of the following directories:

■ (r6.x SP5): C:\Program Files\netegrity\webagent

■ (r12 SP1): C:\Program Files\CA\webagent


Add the ISAPI Extension to the Protected SharePoint Web Sites

You must add the SiteMinder ISAPI extension to each of the SharePoint web sites that you want to protect with SiteMinder.

To add the ISAPI extension to each protected web site

1. Open the IIS Manager.

2. In the left pane, expand the web server, then expand the Web Sites folder.

A list of web sites appears.

3. Right-click a web site you want to protect with SiteMinder and select Properties.

The Properties dialog for the web site appears.

4. Click the Home Directory tab, and then click Configuration.

The Application Configuration dialog appears. Check the Wildcard Application Maps (order of implementation) list. The following file should appear first in the list:

web_agent_home\bin\ISAPI6WebAgent.dll

Note: The default value of the web_agent_home variable is either of the following directories:

■ (r6.x SP5): C:\Program Files\netegrity\webagent

■ (r12 SP1): C:\Program Files\CA\webagent

5. If the previous file does not appear in the list, do the following:

a. Click Insert.

The Add/Edit Application Extension Mapping dialog appears.

b. Click Browse, and then locate the following file:

web_agent_home\bin\ISAPI6WebAgent.dll

Note: The default value of the web_agent_home variable is either of the following directories:

■ (r6.x SP5): C:\Program Files\netegrity\webagent

■ (r12 SP1): C:\Program Files\CA\webagent

c. Click Open.

The file appears in the Executable: field.

d. Clear the Verify that file exists check box.

e. Click OK, and then use the Move Up or Move Down buttons to make sure the ISAPI6WebAgent file appears at the top of the list.

f. Click OK.

The Inheritance Overrides dialog appears.


g. Click Select All, and then click OK.

The Inheritance Overrides dialog closes, and the Properties dialog appears.

h. Click OK.

The Properties dialog appears.

6. Click OK.

The Properties dialog closes and the ISAPI extension is added to the web site.

7. Repeat Steps 3 through 6 for each SharePoint web site you want to protect.

8. Restart the IIS web server.

How to Configure your SharePoint Web Sites for SiteMinder

Your existing SharePoint web sites can be converted from Microsoft FBA to use SiteMinder FCC by configuring them with the following process:

1. Use the SiteMinder sign out page (see page 76).

2. Back up your existing web.config files (see page 77).

3. Change the Form type and add the HTTP module to the web.config file of each SharePoint web site you want to protect with SiteMinder (see page 78).

4. Start your SiteMinder Web Agent (see page 79).


Use the SiteMinder Signout Page

The SiteMinder Web Agent also comes with a sample signout page that appears when a user logs out of a SharePoint web site. You can customize this page to meet the needs of your organization. This page enhances security by reminding users that they must close their browser to log out. To use this page, you must manually copy it from its installed location to the proper location on your web server.

To use the SiteMinder signout page

1. On your web server, open the following directory:

C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS\

2. Locate the following file:

signout.aspx

3. Make a backup copy of the previous file by renaming it. We recommend using a name that will help you remember the point at which you changed the file. For example, you may want to name the backup copy original_signout.aspx.

4. Locate the SiteMinder signout page in the following directory:

web_agent_home\sharepoint

Note: The default value of the web_agent_home variable is C:\Program Files\netegrity\webagent

5. Copy the SiteMinder signout page to the directory shown in Step 1.

6. (Optional) Modify the SiteMinder signout page according to your needs. For example, you may want to add a graphic of your organization's logo or customize the text that is displayed.

7. Restart the IIS web server.

The SiteMinder signout page will be used.


Back Up your Existing web.config Files

To configure SharePoint to operate with SiteMinder you need to modify the web.config file of your SharePoint Central Administration web site, and the web.config file of any SharePoint site you want to protect. Since a single IIS server may contain many virtual SharePoint sites, identifying the correct files to modify is critical.

To locate and back up the existing web.config files

1. Open the IIS 6.0 Manager on your web server.

2. In the left pane, expand the web server, and then expand Web Sites.

A list of web sites appears.

3. Right-click the SharePoint Central Administration site, and then select Open.

Windows Explorer opens the directory for the Central Administration web site.

4. Open the web.config file and save a copy of the original using a different name.

5. Close the Windows Explorer window.

6. Go back to the IIS Manager window, right-click the folder of a SharePoint site you want to protect, and then select Open.

Windows Explorer opens the directory for the SharePoint web site.

7. Open the web.config file and save a copy of the original using a different name.

We recommend using a name that will help you remember the point at which you changed the file. For example, if you are saving a copy of your FBA web.config file before adding the SiteMinder information, you might want to name the backup copy of the file fba_web.config.

8. Close the Windows Explorer window.

9. Repeat Steps 6 through 8 for each SharePoint site you want to protect.

All of the existing web.config files have been backed up.


Change the Form Type and Add the HTTP Module to Each SharePoint Web Site you want to protect with SiteMinder

To switch the authentication method from SharePoint FBA to SiteMinder FCC, you need to make the following changes to the web.config file of each SharePoint web site that you want to protect with SiteMinder:

■ Change the loginURL attribute of the authentication mode to specify the SiteMinder FCC.

■ Add the following information:

HTTP Modules

Specifies the properties of the SiteminderNET.DLL file in the web.config file of each SharePoint web site protected by SiteMinder. This DLL file must be installed in the Global Assembly Cache of the computer hosting the SiteMinder web agent for IIS.

Note: The Global Assembly Cache is located in the following directory:

C:\WINDOWS\assembly

To add the SiteMinder HTTP module to each SharePoint site

1. Stop the IIS Admin Service.

2. Open the web.config file for the web site with an XML editor.

Important! Do not use Notepad, Wordpad, or any other text editor with line-length limitations to edit the XML file. A text editor designed for writing programming source code will not generally have such line-length limitations. For more information, see the documentation or online help for your respective editor.

3. Locate the following line:

<forms loginUrl="/_layouts/login.aspx" />

4. Change the previous line to match the following line:

<forms loginUrl="/_siteminder/siteminderlogin.aspx" />

5. Locate the following section:

<httpModules>
<clear />

6. After the <clear /> tag, add the following section (a single element, shown wrapped here):

<add name="SessionMgmtModule" type="SiteminderNET.SessionMgmtModule, SiteminderNET, Version=1.0.0.0, Culture=neutral, PublicKeyToken=d898b5619cf7eff3" />

7. Save your changes, and close your XML editor.


8. Repeat Steps 1 through 7 for each SharePoint web site you want to protect with SiteMinder.

9. Start the IIS Admin Service.

The web sites are reconfigured for SiteMinder.
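The web.config edits in Steps 3 through 6, applied by a script instead of by hand, as an added example that is not part of the CA guide. It works on a constructed, trimmed web.config (a real SharePoint file is far larger), places the module directly after the <clear /> tag, is safe to re-run on an already converted file, and includes the loginUrl rollback described in Appendix A; element and attribute values are the ones quoted in the steps above.

```python
"""Added example (not CA code): apply and undo the SiteMinder web.config
changes for a SharePoint 2007 FBA site using only the standard library."""
import xml.etree.ElementTree as ET

SHAREPOINT_LOGIN = "/_layouts/login.aspx"               # SharePoint FBA default
SITEMINDER_LOGIN = "/_siteminder/siteminderlogin.aspx"  # SiteMinder FCC page
MODULE_NAME = "SessionMgmtModule"
MODULE_TYPE = ("SiteminderNET.SessionMgmtModule, SiteminderNET, "
               "Version=1.0.0.0, Culture=neutral, PublicKeyToken=d898b5619cf7eff3")
XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed sample: the two sections of an FBA web.config that the guide edits.
SAMPLE_WEB_CONFIG = XML_DECL + """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
    </authentication>
    <httpModules>
      <clear />
      <add name="SPRequest" type="Microsoft.SharePoint.ApplicationRuntime.SPRequestModule, Microsoft.SharePoint" />
    </httpModules>
  </system.web>
</configuration>
"""


def _forms_element(root):
    """Return the <forms> element under <authentication>; fail if the site is not FBA."""
    for auth in root.iter("authentication"):
        forms = auth.find("forms")
        if forms is not None:
            return forms
    raise ValueError("no <authentication><forms> element: is this an FBA web.config?")


def _http_modules(root):
    modules = next(root.iter("httpModules"), None)
    if modules is None:
        raise ValueError("web.config has no <httpModules> section")
    return modules


def login_url(xml_text):
    """Current loginUrl attribute; use it to verify a file before and after editing."""
    return _forms_element(ET.fromstring(xml_text)).get("loginUrl")


def module_index(xml_text):
    """Position of the SiteminderNET module inside <httpModules>, or -1 if absent.
    The guide requires it directly after <clear />, i.e. index 1."""
    modules = _http_modules(ET.fromstring(xml_text))
    for i, child in enumerate(list(modules)):
        if child.tag == "add" and child.get("name") == MODULE_NAME:
            return i
    return -1


def configure_for_siteminder(xml_text):
    """Point <forms loginUrl> at the FCC and register SessionMgmtModule right
    after <clear />. Running it twice leaves the file unchanged."""
    root = ET.fromstring(xml_text)
    _forms_element(root).set("loginUrl", SITEMINDER_LOGIN)
    modules = _http_modules(root)
    children = list(modules)
    if not any(c.tag == "add" and c.get("name") == MODULE_NAME for c in children):
        position = 0  # fallback: first child when there is no <clear />
        for i, child in enumerate(children):
            if child.tag == "clear":
                position = i + 1
                break
        new = ET.Element("add", {"name": MODULE_NAME, "type": MODULE_TYPE})
        # Reuse the neighbouring whitespace so the file stays readable.
        new.tail = children[position - 1].tail if position else modules.text
        modules.insert(position, new)
    return XML_DECL + ET.tostring(root, encoding="unicode")


def disable_siteminder(xml_text):
    """Appendix A rollback: restore the SharePoint login page. The module entry
    stays, as in the guide; stop the Web Agent before using the result."""
    root = ET.fromstring(xml_text)
    _forms_element(root).set("loginUrl", SHAREPOINT_LOGIN)
    return XML_DECL + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(configure_for_siteminder(SAMPLE_WEB_CONFIG))
```

Comments inside the XML are not preserved by ElementTree, so keep the backup made in the previous section and diff the result before restarting IIS.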

Start the Web Agent

After configuring your Web Agent parameters, you must enable the Web Agent to protect the resources on the web server.

Note: No resources are protected until you define policies using either of the following:

■ (r6.x SP5) Policy Server User Interface

■ (r12 SP1) Administrative UI

To start the web agent

1. Open the following file with a text editor:

web_agent_home\bin\IIS\WebAgent.conf

Note: The default value of the web_agent_home variable is either of the following directories:

■ (r6.x SP5): C:\Program Files\netegrity\webagent

■ (r12 SP1): C:\Program Files\CA\webagent

2. Locate the EnableWebAgent parameter, and then change its value to yes.

3. Save and close the WebAgent.conf file.

4. Restart the IIS web server.

The web agent starts and the resources on the web server are protected.


Stop the Web Agent

You may stop a web agent at any time.

To stop the web agent

1. Open the following file with a text editor:

web_agent_home\bin\IIS\WebAgent.conf

Note: The default value of the web_agent_home variable is either of the following directories:

■ (r6.x SP5): C:\Program Files\netegrity\webagent

■ (r12 SP1): C:\Program Files\CA\webagent

2. Locate the EnableWebAgent parameter, and then change its value to no.

3. Save and close the WebAgent.conf file.

4. Restart the IIS web server.

The web agent stops.

More information:

Disable the SiteMinder Authentication (see page 85)


Chapter 6: Test your SiteMinder and SharePoint Implementation

This section contains the following topics:

Access a Protected SharePoint Site Using SiteMinder (see page 81)

Modify a Document Stored on SharePoint (see page 82)

Access a Protected SharePoint Site as another User (see page 83)

SiteMinder Logs (see page 83)

Access a Protected SharePoint Site Using SiteMinder

You can test your SiteMinder implementation by trying to access a protected resource on your SharePoint server.

To access a protected SharePoint resource using SiteMinder

1. Open a browser and enter the URL of a protected SharePoint web site for which you are the Site Collection administrator.

The SiteMinder authentication form should appear.

2. Enter your credentials, and then click Login.

The home page for the SharePoint site collection should appear.

Note: The Welcome message shown in the upper right after you sign into SharePoint displays your User ID.


Modify a Document Stored on SharePoint

You can verify that SiteMinder protects the documents stored on your SharePoint sites by opening and modifying a protected document. If SiteMinder is functioning properly, you will not be challenged for your credentials when doing any of the following:

■ Checking out the document.

■ Opening or modifying the document.

■ Checking in the document.

To modify a document stored on SharePoint

1. Log in to your protected SharePoint site.

The home page for your SharePoint site collection appears.

Note: The Welcome message shown in the upper right after you sign into SharePoint displays your User ID.

2. Click the link (on the left) of your document library.

The contents of your document library appear.

3. Click the document name to display a drop-down list, and then select Check Out.

A check-out icon appears next to your document.

4. Modify the document, then click Upload, Upload Document.

The Upload document page appears.

5. Select the modified document using the Browse button, and then click OK.

A confirmation page appears.

6. Click Check In.

Your modified document is placed on the SharePoint web site.


Access a Protected SharePoint Site as another User

You can verify that SiteMinder allows you to log in to a resource as another user.

To access a protected SharePoint site as another user

1. Log in to your protected SharePoint site.

The home page for your SharePoint site collection appears.

Note: The Welcome message shown in the upper right after you sign into SharePoint displays your User ID.

2. Click the drop-down list next to the Welcome message, and then select Sign in as Different User.

The SiteMinder login screen should appear.

SiteMinder Logs

To aid in diagnosing problems, you can enable logs for the following SiteMinder components:

■ Policy Server

Note: For more information, see the CA SiteMinder Policy Server Management Guide.

■ Web Agent

Note: For more information, see the CA SiteMinder Web Agent Configuration Guide.


Appendix A: Troubleshooting

This section contains the following topics:

Disable the SiteMinder Authentication (see page 85)

Disable the SiteMinder Authentication

Symptom:

I'm having a problem and I want to disable SiteMinder so I can check my SharePoint configuration.

Solution:

Do the following:

1. Stop the SiteMinder web agent.

2. In the web.config file of a protected resource, change the value of the loginUrl attribute to the following:

loginUrl="/_layouts/login.aspx"

3. Restart your IIS web server.

The SiteMinder authentication scheme is disabled and your SharePoint resources are authenticated using SharePoint FBA instead.

More information:

Stop the Web Agent (see page 80)
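As an added example (not part of the guide or of CA's own tooling), a small Python helper that performs step 2 of the solution above: it reads the current loginUrl from the forms element so the SiteMinder value can be recorded and restored later, then points the attribute back at /_layouts/login.aspx. The web.config excerpt and the SiteMinder login page value inside it are constructed placeholders, not values from this guide.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Value from the troubleshooting step above: SharePoint's own FBA login page.
SHAREPOINT_FBA_LOGIN = "/_layouts/login.aspx"

# Constructed sample web.config excerpt (not from the guide). The SiteMinder
# login page value is a placeholder; a real deployment has its own value here.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/SITEMINDER_LOGIN_PLACEHOLDER.aspx" timeout="30" />
    </authentication>
  </system.web>
</configuration>
"""

def _forms_element(root: ET.Element) -> ET.Element:
    """Return the <forms> element under <authentication mode="Forms">, or raise."""
    for auth in root.iter("authentication"):
        if auth.get("mode") != "Forms":
            raise ValueError("site is not using Forms authentication; nothing to change")
        forms = auth.find("forms")
        if forms is None:
            raise ValueError("<forms> element missing under <authentication>")
        return forms
    raise ValueError("<authentication> element not found in web.config")

def get_login_url(config_xml: str) -> Optional[str]:
    """Current loginUrl, so the SiteMinder value is recorded before it is replaced."""
    return _forms_element(ET.fromstring(config_xml)).get("loginUrl")

def disable_siteminder_login(config_xml: str) -> str:
    """Return the web.config text with loginUrl pointed back at SharePoint FBA."""
    root = ET.fromstring(config_xml)
    _forms_element(root).set("loginUrl", SHAREPOINT_FBA_LOGIN)
    return ET.tostring(root, encoding="unicode")

def disable_siteminder_login_file(path: str) -> Optional[str]:
    """Edit a web.config file in place; returns the previous loginUrl for later restore."""
    tree = ET.parse(path)
    forms = _forms_element(tree.getroot())
    previous = forms.get("loginUrl")
    forms.set("loginUrl", SHAREPOINT_FBA_LOGIN)
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return previous
```

ElementTree does not preserve XML comments when it rewrites the file, so keep a backup copy of web.config before running the file-based variant; until step 1 and step 3 are also done, the SiteMinder web agent still fronts the site regardless of this attribute.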


Appendix B: Platform Support

This section contains the following topics:

Locate the Platform Support Matrix (see page 87)

Locate the Platform Support Matrix

The SiteMinder Platform Support Matrix contains the latest information about supported platforms. CA maintains the Platform Support Matrix at http://www.ca.com/support.

To locate the support matrix on the Support site

1. Click Technical Support.

2. Click Support By Product or Solution.

3. Select CA SiteMinder Web Access Manager from the Select a Product or Solution Page list.

4. Click Platform Support Matrices in the Product Status group box.

More information:

SiteMinder Prerequisites (see page 14)