Claims-Based Identity in SharePoint 2010
DESCRIPTION
An overview of Claims-Based Identity in SharePoint 2010 with a discussion of issues encountered during a migration from MOSS and recommendations for new implementations. Presented by Danny Jessee at the SUGDC meeting during SPSTCDC on August 11, 2011.
TRANSCRIPT
[Slide 1]
All It “Claims” to Be?
A real-world perspective on Claims-Based Identity in SharePoint 2010
Danny Jessee
SharePoint User Group of Washington, DC – August 11, 2011
[Slide 2]
Who Am I?
SharePoint Evangelist at Circinus
▪ Northern Virginia-based SDVOSB
Senior developer on SharePoint deployments for government and DoD customers since 2004
▪ I get involved with administration when I have to…
MCTS – SharePoint 2010 Application Development
CloudShare Honorary MVP for 2011
Twitter: @dannyjessee
Blog: http://dannyjessee.com/blog
[Slide 3]
Agenda
Features of a Secure Application
SharePoint 2010 Authentication Options
Claims Terminology/Technology Overview
Demos
▪ SharePoint 2010 Web Application with FBA
▪ Adding Azure ACS-based Trusted Identity Providers
“Gotchas”
▪ General issues for all Claims implementations
▪ Migration issues from MOSS to SharePoint 2010
▪ Claims Behaving Badly
Recommendations
[Slide 4]
Features of a Secure Application
Authentication is the process of validating a user’s identity
▪ SharePoint never performs authentication itself; IIS/Windows, the ASP.NET Membership provider, or a trusted identity provider (STS) does it and SharePoint consumes the result
▪ If the login prompt keeps appearing, think authentication issue!
[Slide 5]
Features of a Secure Application
Authorization is the process of determining the resources, features, etc. to which a user has access
▪ SPUser object – the security principal SharePoint makes authorization decisions about
▪ If you see “Access Denied” errors, think authorization issue!
[Slide 6]
Authentication Options in SharePoint 2010
The single biggest decision of your life!
TechNet guidance: “For new implementations of SharePoint Server 2010, you should consider claims-based authentication.”
[Slide 7]
Authentication Options in SharePoint 2010
Claims Based Authentication (Tokens)
▪ Windows Authentication: NTLM/Kerberos, Basic
▪ Forms-Based Authentication (ASP.NET Membership provider and Role manager)
▪ Trusted Identity providers
▪ Custom sign-in page
Classic Mode Authentication (“Old School”)
▪ Windows Authentication (NTLM/Kerberos) only
Both map authenticated users to SPUser objects (security principals)
[Slide 8]
Claims-Based Identity Concepts
What is a claim? A piece of information describing a user
▪ Name
▪ Email Address
▪ Role/Group membership
▪ Age
▪ Hire Date
Whose claims do I trust, and which claims affect authorization decisions I make?
[Slide 9]
Claims-Based Identity Terminology
Token
▪ Serialized set of claims about an authenticated user, digitally signed by the token’s issuer
Identity Provider-Security Token Service (IP-STS)
▪ Validates user credentials
▪ Builds, signs, and issues tokens containing claims
Relying party (RP)
▪ An application that makes authorization decisions based on claims (SharePoint 2010)
[Slide 10]
The Claims Paradigm
Decoupling of authentication logic from authorization and personalization logic
▪ Applications no longer need to determine who the user is; they receive claims identifying the user
▪ Great for developers who rarely want to work with identity!
Provides a common way for applications to acquire the identity information they need about users
[Slide 11]
The Claims Paradigm
1. “I’d like to access the budget document.”
2. “Not until you can prove to me that you are in the Finance group.”
3. “Here is my user ID and password.”
4. “Hi, Danny. I see you are in the Finance group. Here is a token you can use.”
5. “I’d like to access the budget document, and here’s proof I have access to it!”
(Diagram: SharePoint 2010 is the relying party in steps 1, 2 and 5; the IP-STS handles steps 3 and 4.)
[Slide 12]
Claims-Based Identity Technologies
WS-Trust, WS-Federation, SAML
▪ Requesting/receiving tokens
▪ XML representation of claims
These emerging technologies have been around for a while
▪ Their use in Claims-Based Identity represents a new approach for handling identity in applications
Great potential in corporate environments
▪ Active Directory Federation Services, external LDAP, etc.
Great potential as we move to the cloud
▪ Azure ACS: Facebook, Google, Windows Live ID, etc.
[Slide 13]
Almost Demo Time!
[Slide 14]
Claims Viewer Web Part
Visual Web Part code-behind (source: http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32):

```csharp
using System.Web.UI.WebControls;
using Microsoft.IdentityModel.Claims;   // Windows Identity Foundation (WIF) 3.5: IClaimsPrincipal, IClaimsIdentity

// In the web part's Page_Load: list every claim in the current user's token in a GridView.
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
if (claimsPrincipal == null)
    return;   // Classic Mode web application: the user is not a claims principal, nothing to show
IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
GridView1.DataSource = claimsIdentity.Claims;   // each Claim exposes ClaimType, Value, ValueType, Issuer, OriginalIssuer
Page.DataBind();
```
[Slide 15]
FBA in SharePoint 2010
Similar to FBA setup for MOSS, with some exceptions:
▪ Authentication provider does not need to be mapped to a separate zone
▪ One additional Web.config to modify: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken
▪ Add entries for connection string, Membership provider, Role manager
▪ Same modifications for Central Admin and web app
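The three web.config edits on slide 15 are usually made by hand, and a typo in one of the three files is a classic cause of “FBA works in Central Admin but not on the web app”. The script below is an added example, not code from the slides or from Microsoft: it applies the connection string, Membership provider and Role manager entries to a web.config by editing the XML, so the same change lands identically in the STS, Central Admin and web application files. Assumed, and not in the original: the provider names FBAMembershipProvider and FBARoleProvider, the connection string name FBADB, a SQL Server named SQL01 hosting an aspnetdb database, and the IIS virtual directory paths.

```powershell
# Added example (not from the slides). Run from an elevated SharePoint 2010 Management Shell
# on each web front end; the STS web.config path is the one slide 15 names.
$connName     = 'FBADB'                                                              # assumed
$connString   = 'Data Source=SQL01;Initial Catalog=aspnetdb;Integrated Security=True'  # assumed; no SQL password on disk
$memberName   = 'FBAMembershipProvider'                                              # assumed
$roleName     = 'FBARoleProvider'                                                    # assumed
$systemWebAsm = 'System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'   # .NET 3.5 ASP.NET providers

function Add-FbaProvidersToWebConfig {
    param([Parameter(Mandatory=$true)][string]$Path)

    Copy-Item -LiteralPath $Path -Destination "$Path.bak.$(Get-Date -Format yyyyMMddHHmmss)"
    $cfg = New-Object System.Xml.XmlDocument
    $cfg.PreserveWhitespace = $true
    $cfg.Load($Path)
    $root = $cfg.DocumentElement    # <configuration>

    # Return child element $name of $parent, creating it when absent.
    function Get-OrAddChild([System.Xml.XmlElement]$parent, [string]$name) {
        $child = $parent.SelectSingleNode($name)
        if ($child -eq $null) { $child = $parent.AppendChild($cfg.CreateElement($name)) }
        return $child
    }
    # Append <add name="..." .../> unless an entry with that name already exists, so re-runs are harmless.
    function Add-ProviderEntry([System.Xml.XmlElement]$parent, [hashtable]$attrs) {
        if ($parent.SelectSingleNode("add[@name='$($attrs['name'])']") -ne $null) { return }
        $add = $cfg.CreateElement('add')
        foreach ($k in $attrs.Keys) { $add.SetAttribute($k, $attrs[$k]) }
        [void]$parent.AppendChild($add)
    }

    Add-ProviderEntry (Get-OrAddChild $root 'connectionStrings') @{ name = $connName; connectionString = $connString }

    $sysWeb     = Get-OrAddChild $root 'system.web'
    $membership = Get-OrAddChild $sysWeb 'membership'
    Add-ProviderEntry (Get-OrAddChild $membership 'providers') @{
        name                 = $memberName
        type                 = "System.Web.Security.SqlMembershipProvider, $systemWebAsm"
        connectionStringName = $connName
        applicationName      = '/'
    }

    $roleMgr = Get-OrAddChild $sysWeb 'roleManager'
    $roleMgr.SetAttribute('enabled', 'true')
    Add-ProviderEntry (Get-OrAddChild $roleMgr 'providers') @{
        name                 = $roleName
        type                 = "System.Web.Security.SqlRoleProvider, $systemWebAsm"
        connectionStringName = $connName
        applicationName      = '/'
    }

    # defaultProvider is deliberately left alone: in a claims web application it must stay
    # "i" (membership) and "c" (roleManager), the SPClaimsAuth providers SharePoint installs.
    $cfg.Save($Path)
    Write-Host "Updated $Path (backup written alongside)"
}

# The three web.config files slide 15 lists. The STS path is from the slide; the IIS paths are assumed.
Add-FbaProvidersToWebConfig -Path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config'
# Add-FbaProvidersToWebConfig -Path 'C:\inetpub\wwwroot\wss\VirtualDirectories\<central admin port>\web.config'
# Add-FbaProvidersToWebConfig -Path 'C:\inetpub\wwwroot\wss\VirtualDirectories\<web app port>\web.config'
```

Two checks worth doing afterwards: the provider names you type into Central Admin (Authentication Providers > zone > Forms Based Authentication) must match `$memberName` and `$roleName` exactly, and the STS application pool identity must be able to reach the membership database under the Integrated Security connection string used here.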
[Slide 16]
Sign-In Page
Allows users to choose how to authenticate when multiple providers are configured (Mixed Authentication)
Custom code opportunity: http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
[Slide 17]
Demo #1: New SharePoint 2010 Web Application with Claims/FBA
[Slide 18]
Adding Facebook Support
http://www.7388.info/index.php/article/studio/2011-07-29/20983.html
Create an account on AppFabric Labs: https://portal.appfabriclabs.com/Default.aspx
Use the Facebook Developer application to create your own new application
[Slide 19]
Adding Facebook Support
Note the App ID and App Secret values
Assign a “Privacy Policy” URL
Grant Permissions to generate Access Token
Choose “Web” in left navigation, enter values for Site URL and Site Domain
▪ Based on your AppFabric Labs account
[Slide 20]
Adding Facebook Support
Generate a self-signed certificate (this becomes the token signing certificate of the ACS namespace):

```cmd
C:\Program Files\Microsoft Office Servers\14.0\Tools>MakeCert.exe -r -pe -n "CN=com-dannyjessee.accesscontrol.appfabriclabs.com" -sky exchange -ss my
```

(-r self-signed, -pe exportable private key, -n subject name, -sky exchange key usage, -ss my = the current user’s Personal certificate store)
Development only! Do not do in production!
[Slide 21]
Adding Facebook Support
Upload Token Signing Certificate (into the ACS namespace; SharePoint must later be configured to trust this same certificate)
[Slide 22]
Adding Facebook Support
From Azure ACS, choose Add Identity Provider, then choose Facebook application
Enter Application ID, Application secret, and Application permissions
[Slide 23]
Adding Facebook Support
Configure Relying Party Application settings
[Slide 24]
Adding Facebook Support
Configure Rule Groups
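Slides 18 to 24 cover only the ACS and Facebook side of the trust. The other half, which the demo does in Central Admin and PowerShell, is registering the ACS namespace in SharePoint as a Trusted Identity Provider. The script below is an added example, not code from the slides: it trusts the token signing certificate from slide 20 (exported without its private key as a .cer), maps the claims ACS passes through, and creates the token issuer. Assumed, and not in the original: the .cer path C:\certs\acs-signing.cer, an ACS namespace named contoso-acs on appfabriclabs.com, the realm urn:sharepoint:extranet configured on the ACS Relying Party Application, and e-mail address as the identifier claim.

```powershell
# Added example (not from the slides). Run in the SharePoint 2010 Management Shell on a farm server.
$certPath  = 'C:\certs\acs-signing.cer'      # assumed; public key only, the private key stays in ACS
$acsNs     = 'contoso-acs'                   # assumed ACS namespace
$signInUrl = "https://$acsNs.accesscontrol.appfabriclabs.com/v2/wsfederation"
$realm     = 'urn:sharepoint:extranet'       # assumed; must equal the Realm of the RP application in ACS

# 1. Trust the certificate ACS signs tokens with. SharePoint checks every SAML token signature
#    against it; a mismatched or expired certificate surfaces as a sign-in failure in the ULS logs.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name 'ACS Token Signing' -Certificate $cert

# 2. Map the incoming claim types. ACS passes the Facebook claims through unchanged unless a
#    rule group (slide 24) rewrites them; e-mail is used as the identifier claim here (assumption).
$emailClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$roleClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailClaim -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$nameMap  = New-SPClaimTypeMapping -IncomingClaimType $nameClaim  -IncomingClaimTypeDisplayName 'Name'         -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleClaim  -IncomingClaimTypeDisplayName 'Role'         -SameAsIncoming

# 3. Create the token issuer. The identifier claim becomes the user's login, encoded as
#    i:05.t|<issuer>|<email> (5 is the claim type code for e-mail address, t = trusted provider).
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Azure ACS' `
    -Description 'Facebook, Google and Windows Live ID via Azure ACS' `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $nameMap, $roleMap `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# 4. Verify what the farm now trusts before enabling the provider on a web application zone
#    (Central Admin > Manage web applications > Authentication Providers > Trusted Identity Provider).
Get-SPTrustedIdentityTokenIssuer 'Azure ACS' | Select-Object Name, ProviderRealms, IdentityClaimTypeInformation
Get-SPTrustedRootAuthority 'ACS Token Signing' |
    Select-Object Name, @{n='Thumbprint'; e={$_.Certificate.Thumbprint}}, @{n='NotAfter'; e={$_.Certificate.NotAfter}}
```

Two caveats follow from the slide 20 warning. The MakeCert certificate has a short default validity and no revocation story; once it expires every ACS user is locked out of SharePoint until both sides are updated, so in production use a CA-issued certificate and track its NotAfter date. And the e-mail claim only arrives if the Facebook application was granted the e-mail permission on slide 19; if it is missing, SharePoint cannot build the identity claim and the sign-in fails after a successful Facebook login.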
[Slide 25]
Demo #2: Adding Azure ACS Trusted Identity Providers
[Slides 26–28]
Adding Facebook Support
In case the Internet didn’t work:
[Slide 29]
Claims “Gotchas”
[Slide 30]
Claims “Gotchas”
General issues for all Claims implementations
▪ Search crawler requires NTLM in the zone it uses
▪ “People picker” is more of a Claims “expression editor”: custom code opportunity (Custom Claims Provider)
▪ User Profiles: LDAP or BCS connection to the authentication store
▪ Office client integration (2007 SP2+, 2010): IE 8+, site in Trusted Sites
[Slide 31]
Real-Life Testimonial
“After migrating to Claims in SharePoint 2010, most of our users were able to log in some of the time.”
—A less-than-thrilled system administrator
[Slide 32]
Claims “Gotchas”
Migration from MOSS to SharePoint 2010
Migrate FBA users (the web application must already have been switched to Claims, as in Steve Peschka’s post in the references; `$WebAppName` is the web application name or URL):

```powershell
$wa = Get-SPWebApplication $WebAppName
$wa.MigrateUsers($true)   # rewrite existing SPUser accounts into the claims-encoded format
```

Portalsuperuser and Portalsuperreader properties need to be updated to reflect the Claims-encoded format:

```powershell
$wa.Properties["portalsuperuseraccount"]   = "i:0#.w|domain\apppool"
$wa.Properties["portalsuperreaderaccount"] = "i:0#.w|domain\apppool"
$wa.Update()
```

(domain\apppool is a placeholder; use two dedicated accounts, one with a Full Control and one with a Full Read user policy on the web application, rather than the application pool identity.)
Must migrate all providers from MOSS to 2010, i.e., NTLM and FBA if both existed prior to migration
[Slide 33]
Claims Behaving Badly
“Funky” display of usernames
▪ i:0#.w|SHRPNT\Administrator
▪ i:0#.f|CustomMembershipProvider|username
▪ i:0#.t|selfsts|[email protected]
▪ i: Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider (Web.config)
▪ w, f, t: Windows, Forms, Trusted Identity Provider
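The encoded names on slide 33 follow a fixed layout, and reading it is what tells you which provider an account came from before you fix it (slide 34) or type it into a web application property (slide 32). The functions below are an added example, not code from the slides or from SharePoint: plain string handling, so they run in any PowerShell with no farm connection. Only the codes this deck and the SharePoint claims documentation make certain are mapped: claim types # (logon name), 5 (e-mail address) and - (role), issuer types w, f, t and s plus the m, r and c codes used by provider-issued claims; anything else is reported as unmapped rather than guessed.

```powershell
# Added example (not from the slides): decode and build SharePoint 2010 claims-encoded names.
$claimTypeCodes = @{
    '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
    '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
}
$issuerCodes = @{
    'w' = 'Windows'
    'f' = 'Forms (ASP.NET Membership/Role provider)'
    't' = 'Trusted Identity Provider (SAML)'
    's' = 'SharePoint local STS'
    'm' = 'Membership provider'
    'r' = 'Role provider'
    'c' = 'Claim provider'
}
# Issuer types whose encoding carries an "original issuer" segment (the provider name) before the value.
$issuersWithOriginalIssuer = 'f', 't', 'm', 'r', 'c'

function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory=$true)][string]$Encoded)

    # Layout: <i|c>:0<claim type><value type><issuer type>|[<original issuer>|]<value>
    #   i = identity claim (the login), c = any other claim (role, group, all authenticated users)
    #   0 = reserved in SharePoint 2010; '.' as value type = string
    if (-not ($Encoded -match '^([ic]):0(.)(.)([a-z])\|(.*)$')) {
        throw "Not a SharePoint claims-encoded string: $Encoded"
    }
    $kind, $type, $valueType, $issuer, $rest = $Matches[1], $Matches[2], $Matches[3], $Matches[4], $Matches[5]

    $originalIssuer = $null
    $value = $rest
    if ($issuersWithOriginalIssuer -contains $issuer) {
        $sep = $rest.IndexOf('|')
        if ($sep -lt 0) { throw "Issuer type '$issuer' requires an original issuer segment: $Encoded" }
        $originalIssuer = $rest.Substring(0, $sep)
        $value          = $rest.Substring($sep + 1)
    }

    $claimType  = if ($claimTypeCodes.ContainsKey($type))  { $claimTypeCodes[$type] } else { "(unmapped claim type code '$type')" }
    $issuerName = if ($issuerCodes.ContainsKey($issuer))   { $issuerCodes[$issuer] }   else { "(unmapped issuer type code '$issuer')" }
    $valueKind  = if ($valueType -eq '.') { 'string' } else { "(value type code '$valueType')" }

    New-Object PSObject -Property @{
        Encoded        = $Encoded
        IsIdentity     = ($kind -eq 'i')
        ClaimType      = $claimType
        ValueType      = $valueKind
        Issuer         = $issuerName
        OriginalIssuer = $originalIssuer     # provider name for f/t/m/r/c, $null for Windows and the local STS
        Value          = $value
    }
}

function ConvertTo-SPEncodedWindowsLogon {
    # Builds i:0#.w|DOMAIN\user, the form slide 32 needs for portalsuperuseraccount/portalsuperreaderaccount.
    # On a farm server the supported equivalent is
    #   (New-SPClaimsPrincipal -Identity $SamAccountName -IdentityType WindowsSamAccountName).ToEncodedString()
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    if (-not ($SamAccountName -match '^[^\\|]+\\[^\\|]+$')) { throw "Expected DOMAIN\user, got: $SamAccountName" }
    return "i:0#.w|$SamAccountName"
}

# Constructed sample input: the three names from slide 33 (e-mail address made up) plus an FBA role claim.
$samples = 'i:0#.w|SHRPNT\Administrator',
           'i:0#.f|CustomMembershipProvider|username',
           'i:05.t|selfsts|jdoe@contoso.com',
           'c:0-.f|CustomRoleProvider|Finance'
$samples | ForEach-Object { ConvertFrom-SPEncodedClaim $_ } |
    Format-Table IsIdentity, Issuer, OriginalIssuer, Value -AutoSize

ConvertTo-SPEncodedWindowsLogon 'SHRPNT\spSuperUser'   # assumed account name
```

The decoded OriginalIssuer is the practical payoff: an FBA login keeps its provider name inside the encoded string, so two Membership providers with the same username never collide, and it tells you which provider’s store to query when a display name needs fixing as on slide 34.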
[Slide 34]
Claims Behaving Badly
Set the DisplayName property of the SPUser:

```powershell
$user = Get-SPUser -Web http://abc.shrpnt.loc -Identity "i:0#.f|CustomMembershipProvider|username"
$user.DisplayName = "John Doe"
$user.Update()
```
[Slide 35]
Claims Behaving Badly
Session expiration issues with SAML Claims
▪ Users can come back to the page hours later without having to log in again
▪ SharePoint creates a FedAuth cookie (written to disk) that is not a Session cookie by default

```powershell
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true   # FedAuth becomes an in-memory session cookie instead of a persistent one
$sts.Update()
```

Set/update the TokenLifetime property (minutes) on the relying party trust; this runs on the ADFS server, not in the SharePoint shell:

```powershell
Set-ADFSRelyingPartyTrust -TargetName "SPS 2010 ADFS" -TokenLifetime 5
```
[Slide 36]
Claims Behaving Badly
Continuous redirection to/from login page
▪ This can happen when the TokenLifetime is less than the LogonTokenCacheExpirationWindow
▪ Default LogonTokenCacheExpirationWindow in SharePoint 2010 STS is 10 minutes

```powershell
$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 4)   # must stay below the ADFS TokenLifetime
$sts.Update()
```
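Slides 35 and 36 interact: shortening the ADFS TokenLifetime to 5 minutes while the SharePoint STS still uses its 10-minute LogonTokenCacheExpirationWindow is exactly the combination that produces the redirect loop. The function below is an added example, not code from the slides or from SharePoint. It models the rule the two slides describe, as I read them and Steve Peschka’s posts in the references: a request is sent back to the identity provider when the token’s remaining validity is less than LogonTokenCacheExpirationWindow, so a freshly issued token whose whole lifetime is shorter than the window is expired on arrival. Pure computation with a constructed timestamp, so it runs in any PowerShell; the real STS also weighs the FedAuth cookie lifetime, which this model leaves out.

```powershell
# Added example (not from the slides): check a TokenLifetime / LogonTokenCacheExpirationWindow pair
# and simulate what the browser experiences. The rule modelled is my reading of slides 35-36.
function Test-SPSamlSessionSettings {
    param(
        [Parameter(Mandatory=$true)][int]$TokenLifetimeMinutes,                  # ADFS: Set-ADFSRelyingPartyTrust -TokenLifetime
        [Parameter(Mandatory=$true)][timespan]$LogonTokenCacheExpirationWindow,  # SharePoint: (Get-SPSecurityTokenServiceConfig).LogonTokenCacheExpirationWindow
        [int]$MaxHops = 5                                                         # STS round trips to simulate before giving up
    )
    $lifetime = New-TimeSpan -Minutes $TokenLifetimeMinutes
    $usable   = $lifetime - $LogonTokenCacheExpirationWindow   # time a token is honoured before SharePoint wants a new one

    # Constructed timeline: the browser arrives with a freshly issued token at 09:00 and re-checks every minute.
    $now      = [datetime]'2011-08-11T09:00:00'
    $issuedAt = $now
    $t        = $now
    $hops     = 0
    $events   = @()
    while ($hops -le $MaxHops -and $t -le $now.AddMinutes($TokenLifetimeMinutes + 1)) {
        $expires   = $issuedAt + $lifetime
        $remaining = $expires - $t
        if ($remaining -lt $LogonTokenCacheExpirationWindow) {
            $hops++
            $events += "{0:HH:mm} token has {1:N0} min left (< window): redirect to STS, new token issued" -f $t, $remaining.TotalMinutes
            $issuedAt = $t                                  # identity provider issues a new token immediately...
            if ($usable -le [timespan]::Zero) { continue }  # ...which is already inside the window: the loop of slide 36
        } else {
            $events += "{0:HH:mm} token has {1:N0} min left: request served" -f $t, $remaining.TotalMinutes
        }
        $t = $t.AddMinutes(1)
    }

    if ($usable -le [timespan]::Zero) {
        $verdict = 'REDIRECT LOOP: a freshly issued token is already inside the expiration window; make TokenLifetime larger than LogonTokenCacheExpirationWindow'
    } else {
        $verdict = "OK: each token is honoured for about $($usable.TotalMinutes) minute(s) before SharePoint sends the browser back to the identity provider"
    }
    New-Object PSObject -Property @{
        TokenLifetimeMinutes = $TokenLifetimeMinutes
        WindowMinutes        = $LogonTokenCacheExpirationWindow.TotalMinutes
        UsableMinutes        = [math]::Max(0, $usable.TotalMinutes)
        Verdict              = $verdict
        Timeline             = $events
    }
}

# Slide 35's ADFS value against the SharePoint default window: the loop.
$bad  = Test-SPSamlSessionSettings -TokenLifetimeMinutes 5 -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 10)
# Slide 36's fix: window lowered to 4 minutes.
$good = Test-SPSamlSessionSettings -TokenLifetimeMinutes 5 -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 4)
$bad.Verdict
$good.Verdict
$good.Timeline

# On a farm server, feed in the live value instead of a constant:
# Test-SPSamlSessionSettings -TokenLifetimeMinutes 5 -LogonTokenCacheExpirationWindow (Get-SPSecurityTokenServiceConfig).LogonTokenCacheExpirationWindow
```

The `$good` timeline shows the cost of the slide’s numbers: with a 5-minute token and a 4-minute window, each token is honoured for roughly a minute before SharePoint redirects to ADFS again. That is silent when ADFS authenticates the browser with integrated Windows authentication, but with a forms login it is a prompt every minute or two, so pick the two values together and keep a comfortable gap between them.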
[Slide 37]
Claims Behaving Badly
Go to the login page, enter valid credentials, press the “Log In” button, and… get redirected back to the login page (once)
▪ Check the ULS logs!
▪ Could be token expiration timeout
▪ Could be something else
[Slide 38]
Claims Behaving Badly

```text
SPSecurityTokenService.Issue() failed: System.Runtime.InteropServices.COMException (0x800703FA): Retrieving the COM class factory for component with CLSID {BDEADF26-C265-11D0-BCED-00A0C90AB50F} failed due to the following error: 800703FA.
```

0x800703FA is Win32 error 1018, ERROR_KEY_DELETED (“Illegal operation attempted on a registry key that has been marked for deletion”): the STS application pool’s user profile hive was unloaded at logoff. Fix with GPEdit: Computer Configuration > Administrative Templates > System > User Profiles
▪ “Do not forcefully unload the users registry at user logoff” > set to “Enabled”
[Slide 39]
Claims Recommendations
[Slide 40]
Claims Recommendations
Stick with Classic Mode Authentication if you are deploying SharePoint into a “simple” Active Directory environment
▪ Particularly if strict security controls are in place that are beyond your control
▪ Especially if you are only migrating from Windows authentication in MOSS
▪ Once you go to Claims, you can’t go back!
[Slide 41]
Claims Recommendations
If you must use Claims for your Extranet, try to minimize the number of zones/host headers used
▪ Default zone should be most secure
Have a good “troubleshooter’s toolbox”
▪ ULS Log Viewer
▪ Fiddler
▪ Claims Viewer web part
[Slide 42]
Thanks for your time!
See me perform at “SharePoint Got Talent” tomorrow night at 8:30!
[Slide 43]
References & Credits
Shane Young – my hero! http://sharepoint911.com
Plan Authentication Methods (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/cc262350.aspx
A Guide to Claims-Based Identity and Access Control (Microsoft Patterns and Practices) http://claimsid.codeplex.com/
[Slide 44]
References & Credits (cont.)
Steve Peschka http://blogs.technet.com/b/speschka/archive/2010/06/12/migrating-a-web-application-from-windows-classic-to-windows-claims-in-sharepoint-2010.aspx
http://msdn.microsoft.com/en-us/library/hh147183.aspx
Project Server Blog (GREAT tips for migrating to Claims here!!!) http://nearbaseline.com.au/blog/tag/claims/
[Slide 45]
References & Credits (cont.)
Azure ACS Integration http://blogs.objectsharp.com/cs/blogs/steve/archive/2011/04/21/windows-azure-access-control-services-federation-with-facebook.aspx
http://www.7388.info/index.php/article/studio/2011-07-29/20983.html
Robert Bogue http://www.sharepointshepherd.com
[Slide 46]
References & Credits (cont.)
SelfSTS and Vittorio Bertocci http://archive.msdn.microsoft.com/SelfSTS
http://blogs.msdn.com/b/vbertocci/archive/2010/08/23/selfsts-when-you-need-a-saml-token-now-right-now.aspx
Paul Schaeflein http://www.schaeflein.net/blog/Lists/Posts/Post.aspx?ID=4
[Slide 47]
References & Credits (cont.)
Claims Viewer web part http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32
Fiddler http://www.fiddler2.com/fiddler2/
SharePoint ULS Log Viewers http://sharepointlogviewer.codeplex.com/
http://ulsviewer.codeplex.com/
[Slide 48]
References & Credits (cont.)
Transparent Login with Mixed Authentication http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx