2. About Presenters Ameet Phadnis MCTS President, e Tek Global Inc. e-Mail:aaphadnis@etekglobalinc.com LinkedIn: www.linkedin.com/in/aaphadnis Ambar Nirgudkar MCSD Sr. SharePoint Consultant, e Tek Global Inc. e-Mail: ambar.nirgudkar@etekglobalinc.com LinkedIn: http://www.linkedin.com/in/ambarnirgudkar 8/10/2010
3. About e Tek Global Inc.
Microsoft Gold Partner; Microsoft Certified SharePoint Deployment Planning Services provider.
SharePoint 2010 services provided: intranet, extranet and Internet sites, feature development, and migration of sites from 2007 to 2010.
Upcoming add-ons for SharePoint: AD password reset; AD user management and profile management; news ticker and news display; site map; authentication, registration and login; user profiles.
4. Agenda
- Overview
- Authentication methods
- Authentication for SharePoint web applications
- Setting up FBA in 8 steps
- LDAP with FBA
- SecurityToken web configuration
- Central Administration web configuration
- User policies and security
- SQL authentication with FBA
- Question and answer
- Useful links
5. Overview
SharePoint is logically divided into three tiers: the front-end web server, the application tier and the back-end database tier. Access to each tier requires authentication, and each tier therefore needs an authentication provider. For a web application, SharePoint 2010 supports two modes: classic-mode authentication and claims-based authentication.
6. Authentication Methods
Classic-mode authentication: Windows only (the standard IIS Windows authentication methods).
Claims-based authentication: Windows, forms-based authentication, and SAML token-based authentication (Security Assertion Markup Language).
7. Authentication Methods - Classic Windows Authentication
- Anonymous
- Basic
- Digest
- Client certificates
- NTLM
- Negotiate (Kerberos or NTLM)
8. Authentication Methods - Forms-based
- Lightweight Directory Access Protocol (LDAP)
- SQL database or other database
- Custom or third-party membership or role providers
9. Forms-based (Contd.)
Forms-based authentication is built on the ASP.NET membership and role provider model. For non-Windows or external identity stores you must register the membership provider in the web application's web.config file; a role manager (role provider) can be registered alongside it. SharePoint 2010 uses the ASP.NET role manager interface to obtain group (role) information for the current user.
10. Forms-based (Contd.)
To manage membership users and roles from Central Administration, the same membership provider must also be registered in Central Administration's web.config file.
11. Forms-based (Contd.) - Watch out
The membership provider name and the role provider name must be identical in the Central Administration web.config and in the web application's web.config. If they differ, SharePoint falls back to the default provider specified in machine.config instead of yours, so lookups and logons go against the wrong store.
12. Custom Authentication Provider Requirements
The membership provider and role provider of a custom identity management system (ASP.NET provider classes) must implement the following methods, which SharePoint 2010 calls when it resolves users and roles, for example from the People Picker:
Membership provider: GetUser(String), GetUserNameByEmail, FindUsersByName and FindUsersByEmail.
Role manager: RoleExists, GetRolesForUser and GetAllRoles.
13. Setting up FBA in 8 Steps
- Create a new web application.
- Under Authentication, select Claims Based Authentication.
- Under IIS Web Site, provide a suitable name for the new IIS web site.
- Under Claims Authentication Types, check Enable Forms Based Authentication (FBA).
- Enter the ASP.NET Membership Provider Name.
- Enter the ASP.NET Role Manager Name.
14. Setting up FBA in 8 Steps - Contd.
- Under Application Pool, provide a name for the application pool and select its security account.
- Under Database Name and Authentication, enter the database server name, the database name and the database authentication information, then click OK.
- Create a site collection for the new web application.
THE SITE IS READY
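The same steps run from the SharePoint 2010 Management Shell, added here as an example that is not part of the original deck. The host name, the managed account, the database server and the display names are assumptions; the provider names are the ones the later web.config slides use.

```powershell
# Added example, not from the slides: create the claims-based web application,
# its Windows + forms authentication providers and a root site collection.
# URL, accounts, database server and display names below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url                = "https://fba.etekglobalinc.local"   # assumed host name
$membershipProvider = "LdapMember"   # must equal the <membership> provider name in web.config
$roleProvider       = "LdapRole"     # must equal the <roleManager> provider name in web.config
$appPoolAccount     = "ETEKGLOBALINC\svc_spfba"           # assumed managed account
$dbServer           = "ETEKSPS2010\POWERPIVOT"

# Two providers on one zone: Windows (NTLM) keeps farm, crawl and admin accounts
# working; forms is what external users see on the login page.
$windowsAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$formsAuth   = New-SPAuthenticationProvider -ASPNETMembershipProvider $membershipProvider `
                                            -ASPNETRoleProviderName  $roleProvider

# -AuthenticationProvider puts the web application into claims mode; FBA is not
# available in classic mode. Port 443 with SSL because the login form posts the
# password in the request body (binding the certificate in IIS is a separate step).
$wa = New-SPWebApplication -Name "FBA Extranet" `
        -Url $url -Port 443 -SecureSocketsLayer `
        -ApplicationPool "FBAExtranetAppPool" `
        -ApplicationPoolAccount (Get-SPManagedAccount $appPoolAccount) `
        -DatabaseServer $dbServer -DatabaseName "WSS_Content_FBAExtranet" `
        -AuthenticationProvider $windowsAuth, $formsAuth

# Root site collection; the owner is a Windows account so somebody can log in
# before any forms user exists in the directory or database.
New-SPSite -Url $url -Name "FBA Extranet" -Template "STS#0" `
           -OwnerAlias "ETEKGLOBALINC\spadmin" | Out-Null

# Verify: claims mode is on, and the forms provider carries the names that the
# web.config entries on the following slides must match exactly.
$wa = Get-SPWebApplication $url
"Claims mode: $($wa.UseClaimsAuthentication)"
$settings = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
$fba = $settings.FormsClaimsAuthenticationProvider
"Membership provider: $($fba.MembershipProvider)   Role provider: $($fba.RoleProvider)"
```

Until the provider entries exist in the web application and SecurityToken web.config files, a forms logon against this web application fails even though the login page is served.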
15. Setting up FBA in 8 Steps - DEMO: creating the claims-based web site.
16. LDAP with FBA
Open the web application's web.config file and add the following LDAP membership provider inside the existing <membership><providers> element. Leave defaultProvider="i" as it is: SharePoint's own claims membership provider must stay the default, your provider is selected by name. The sample below talks to the directory on port 389 without SSL, which is acceptable only in a lab; against a directory that offers LDAPS set useSSL="true" and port="636", otherwise the queries and their results cross the network unprotected.
<add name="LdapMember"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     userObjectClass="person"
     userFilter="(ObjectClass=person)"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn,displayName" />
17. LDAP Authentication Attributes
- name: name of your LDAP membership provider (referenced by the web application's forms authentication settings).
- server: name of the computer hosting the LDAP service.
- port: port the LDAP service listens on (389 for plain LDAP, 636 for LDAPS).
- useSSL: whether SSL is used to communicate with the LDAP store; "false" means plain LDAP.
- userDNAttribute: attribute holding the user's distinguished name.
- userNameAttribute: attribute holding the user name that is typed into the login form.
- userContainer: full distinguished name of the container under which users are searched.
- userObjectClass: object class of a user object.
- userFilter: a standard LDAP filter applied to every user query.
- scope: search scope of the query (for example Subtree).
- otherRequiredUserAttributes: additional attributes to return with each user.
18. LDAP with FBA
In the same web.config, add the following LDAP role provider inside the existing <roleManager><providers> element, leaving defaultProvider="c" (SharePoint's claims role provider) in place:
<add name="LdapRole"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     groupContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(ObjectClass=group)"
     userFilter="(ObjectClass=person)"
     scope="Subtree" />
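Before committing the two provider entries above, it is worth issuing the same two queries yourself: the user lookup the membership provider performs (userContainer, userFilter, userNameAttribute, scope, otherRequiredUserAttributes) and the group lookup the role provider performs (groupContainer, groupFilter, groupMemberAttribute, groupNameAttribute). The script below is an added example, not code from the deck; it uses System.DirectoryServices.Protocols over LDAPS, and the server, container, read-only service account and test user are assumptions.

```powershell
# Added example, not from the slides: reproduce the LDAP membership and role
# provider lookups over LDAPS. Server, container, bind account and test user
# are assumptions; the filters and attributes mirror the web.config entries.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = "System.DirectoryServices.Protocols"

$server      = "etekglobalinc.local"
$port        = 636                       # LDAPS; 389 with useSSL="false" puts queries and results on the wire in clear
$container   = "DC=ETEKGLOBALINC,DC=LOCAL"
$bindAccount = "ETEKGLOBALINC\svc_ldapreader"   # assumed read-only service account
$testUser    = "jdoe"                            # value matched against userNameAttribute

# RFC 4515 escaping: a value that came from a login form must not change the filter's shape.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

$cred = (Get-Credential -Credential $bindAccount).GetNetworkCredential()
$identifier = New-Object -TypeName "$ns.LdapDirectoryIdentifier" -ArgumentList $server, $port
# Simple bind carries the password inside the bind request, which is why this only runs over TLS.
$conn = New-Object -TypeName "$ns.LdapConnection" `
                   -ArgumentList $identifier, $cred, ([System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = $true   # server certificate is checked against the machine's trusted roots
$conn.SessionOptions.ProtocolVersion   = 3
$conn.Bind()   # LdapException here means bad credentials or an untrusted certificate; do not "fix" it by dropping to 389

$scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree

# Membership provider query: userFilter AND userNameAttribute=<login name>, under userContainer,
# returning userDNAttribute plus otherRequiredUserAttributes.
$userFilter = "(&(ObjectClass=person)(sAMAccountName=" + (ConvertTo-LdapFilterValue $testUser) + "))"
$userAttrs  = [string[]]("distinguishedName", "sn", "givenName", "cn", "displayName")
$req  = New-Object -TypeName "$ns.SearchRequest" -ArgumentList $container, $userFilter, $scope, $userAttrs
$resp = $conn.SendRequest($req)
if ($resp.Entries.Count -ne 1) {
    throw "Expected exactly one entry for '$testUser', got $($resp.Entries.Count): the provider would reject this logon."
}
$user   = $resp.Entries[0]
$userDn = $user.DistinguishedName
"User DN: $userDn"
foreach ($a in "sn", "givenName", "cn", "displayName") {
    $val = if ($user.Attributes.Contains($a)) { $user.Attributes[$a].GetValues([string])[0] } else { "<missing>" }
    "  $a = $val"
}

# Role provider query (what GetRolesForUser returns): groupFilter AND groupMemberAttribute=<user DN>,
# under groupContainer, returning groupNameAttribute. This lists direct membership only.
$groupFilter = "(&(ObjectClass=group)(member=" + (ConvertTo-LdapFilterValue $userDn) + "))"
$req   = New-Object -TypeName "$ns.SearchRequest" -ArgumentList $container, $groupFilter, $scope, ([string[]]("cn", "sAMAccountName"))
$roles = @()
foreach ($g in $conn.SendRequest($req).Entries) { $roles += $g.Attributes["cn"].GetValues([string])[0] }
"Roles for $testUser ($($roles.Count)): " + ($roles -join ", ")
$conn.Dispose()
```

If the user query returns zero entries, check userContainer and userNameAttribute; if it returns more than one, the filter is too loose and the provider cannot decide whom to log in. A bind failure over 636 is a certificate or account problem to solve on the directory side, not a reason to switch the web.config to useSSL="false".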
19. LDAP with FBA - DEMO: People Picker for site permissions.
20. SecurityToken Web Configuration
For a logon to succeed, the same membership and role providers must also be registered in the web.config of the SecurityTokenServiceApplication, because it is the security token service that validates the forms credentials through the membership provider and issues the claims token. The path to that web.config is C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken. Enter the following for the membership provider:
<add name="LdapMember"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     userObjectClass="person"
     userFilter="(ObjectClass=person)"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn" />
21. SecurityToken Web Configuration
Enter the following for the role provider (the name must match the web application's role provider entry exactly):
<add name="LdapRole"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="etekglobalinc.local"
     port="389"
     useSSL="false"
     groupContainer="DC=ETEKGLOBALINC,DC=LOCAL"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(ObjectClass=group)"
     userFilter="(ObjectClass=person)"
     scope="Subtree" />
23. Central Administration Web Configuration
If administrators need to manage the web application's forms users from Central Administration (for example in the People Picker when setting a user policy), the membership provider and role provider must be added to Central Administration's web.config as well. Copy the same membership provider and role provider entries, with identical names, into that file.
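The "watch out" rule (identical provider names in every web.config) is easy to break when the entries are pasted three times by hand. The script below is an added example, not from the deck: it reads the web application, SecurityToken and Central Administration web.config files, lists the non-SharePoint providers and warns about mismatched names, a changed defaultProvider and LDAP without SSL. The web application directory name and the Central Administration port in the paths are assumptions; the SecurityToken path is the SharePoint 2010 default.

```powershell
# Added example, not from the slides: cross-check membership/role provider
# entries across the three web.config files. The web application directory
# and the Central Administration port (2010) are assumptions.
$configs = @{
    "WebApp" = "C:\inetpub\wwwroot\wss\VirtualDirectories\fba.etekglobalinc.local443\web.config"
    "STS"    = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"
    "CA"     = "C:\inetpub\wwwroot\wss\VirtualDirectories\2010\web.config"
}

# Return one record per <add> under <membership> and <roleManager> in a web.config.
function Get-ProviderEntries([string]$Path, [string]$Label) {
    [xml]$xml = Get-Content -Path $Path
    foreach ($kind in "membership", "roleManager") {
        $section = $xml.configuration.'system.web'.$kind
        if ($section -eq $null) { continue }
        foreach ($add in @($section.providers.add)) {
            if ($add -eq $null) { continue }
            New-Object PSObject -Property @{
                File    = $Label
                Kind    = $kind
                Name    = $add.name
                Type    = ($add.type -split ",")[0].Trim()
                Port    = $add.port
                UseSSL  = $add.useSSL
                Default = $section.defaultProvider
            }
        }
    }
}

$all = @()
foreach ($label in $configs.Keys) {
    if (-not (Test-Path $configs[$label])) { Write-Warning "$label web.config not found: $($configs[$label])"; continue }
    $all += Get-ProviderEntries -Path $configs[$label] -Label $label
}

# SharePoint's own claims providers ("i" and "c") are expected everywhere; report the rest.
$custom = $all | Where-Object { $_.Type -notlike "Microsoft.SharePoint.Administration.Claims.*" }
$custom | Sort-Object Name, File | Format-Table File, Kind, Name, Type, Port, UseSSL -AutoSize

# A provider present in the web application but absent from the STS is the classic
# "login page accepts the password, logon still fails" symptom. Names are compared
# exactly: "LDAPRole" and "LdapRole" count as two providers.
foreach ($name in ($custom | Select-Object -ExpandProperty Name -Unique)) {
    $files = $custom | Where-Object { $_.Name -ceq $name } | Select-Object -ExpandProperty File
    foreach ($f in "WebApp", "STS", "CA") {
        if ($files -notcontains $f) { Write-Warning "provider '$name' is missing from the $f web.config" }
    }
}

# The web application must keep SharePoint's claims providers as the defaults.
$all | Where-Object { $_.File -eq "WebApp" -and $_.Kind -eq "membership" -and $_.Default -ne "i" } |
    ForEach-Object { Write-Warning "WebApp membership defaultProvider is '$($_.Default)'; it must stay 'i'" }
$all | Where-Object { $_.File -eq "WebApp" -and $_.Kind -eq "roleManager" -and $_.Default -ne "c" } |
    ForEach-Object { Write-Warning "WebApp roleManager defaultProvider is '$($_.Default)'; it must stay 'c'" }

# LDAP providers without SSL send directory traffic in clear.
$custom | Where-Object { $_.UseSSL -eq "false" } |
    ForEach-Object { Write-Warning "$($_.File): provider '$($_.Name)' uses LDAP on port $($_.Port) without SSL" }
```

Run it on every front-end server: web.config edits made by hand live on the server where they were made and are not copied to servers added to the farm later.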
24. User Policies and Security
Web application user policies, set in Central Administration, should be used sparingly. A policy applies to every site collection in the web application for the selected zone and is evaluated before any site-level permission: a Full Control policy bypasses every restriction set inside a site, and a Deny policy wins over any grant made inside a site. They are meant for accounts that need the same access everywhere, such as a search crawl account with Full Read. The permissions that can be assigned in a policy are Full Control, Full Read, Deny Write and Deny All. Customized permission policies can be added through Permission Policy.
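Because a policy overrides site permissions, every existing policy in a farm should be known and justified. The script below is an added example, not from the deck: it lists all web application user policies, flags the Full Control and Deny ones, and then shows how a Deny Write policy is added for one forms user. The web application URL, the provider name and the user name are assumptions.

```powershell
# Added example, not from the slides: audit web application user policies,
# then add a Deny Write policy for a forms user. URL, provider and user are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$roleType = [Microsoft.SharePoint.Administration.SPPolicyRoleType]

# 1. Audit: a policy is evaluated before any site-level permission, so each one needs a reason.
"{0,-40} {1,-45} {2,-25} {3}" -f "Web application", "Policy user", "Roles", "Flag"
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    foreach ($policy in $wa.Policies) {
        $types = @($policy.PolicyRoleBindings | ForEach-Object { $_.Type })
        $names = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
        $flag  = ""
        if ($types -contains $roleType::FullControl) { $flag = "FULL CONTROL on every site" }
        if ($types -contains $roleType::DenyWrite -or $types -contains $roleType::DenyAll) {
            $flag = "DENY (beats any site-level grant)"
        }
        "{0,-40} {1,-45} {2,-25} {3}" -f $wa.DisplayName, $policy.UserName, $names, $flag
    }
}

# 2. Add a Deny Write policy for a forms user. Forms identities are encoded claims of
#    the form "i:0#.f|<membership provider name in lower case>|<user name>".
$wa     = Get-SPWebApplication "https://fba.etekglobalinc.local"
$claim  = New-SPClaimsPrincipal -Identity "i:0#.f|ldapmember|jdoe" -IdentityType EncodedClaim
$policy = $wa.Policies.Add($claim.ToEncodedString(), "jdoe (read-only during investigation)")
$policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole($roleType::DenyWrite))
$wa.Update()
```

The Deny Write policy takes effect on every site collection of the web application at once, regardless of what site owners have granted the user, which is exactly why it belongs in a change record rather than being applied ad hoc.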
25. User Policies and Security - DEMO: Central Administration web.config changes and user policies.
26. Making SQL Authentication Work with FBA
Follow the same steps as for LDAP: add the providers to the web application, SecurityToken and (if needed) Central Administration web.config files. The SQL membership provider and SQL role provider entries are shown below. passwordFormat must be "Hashed" (the provider's default): "Clear" stores every user's password in plaintext in the aspnet_Membership table, where anyone with read access to the database, including backups, can take it.
Membership provider:
<add name="SQLMembership"
     type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     applicationName="/"
     connectionStringName="ApplicationServices"
     enablePasswordReset="false"
     enablePasswordRetrieval="false"
     passwordFormat="Hashed"
     requiresQuestionAndAnswer="false"
     requiresUniqueEmail="false" />
27. Making SQL Authentication Work with FBA
Role provider:
<add name="SQLRoles"
     type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     applicationName="/"
     connectionStringName="ApplicationServices" />
28. SQL Authentication with FBA
Add the connection string to the web application, SecurityToken and (if needed) Central Administration web.config files; it can go just before the closing </configuration> tag. A SQL login and password in the connection string sit in plaintext in every one of those files, so prefer Integrated Security with the application pool and service accounts granted access to the database, and encrypt the <connectionStrings> section at rest in any case.
<connectionStrings>
  <add name="ApplicationServices"
       connectionString="Data Source=ETEKSPS2010\POWERPIVOT;Initial Catalog=aspnetdb;User ID=<UserName>;Password=<Password>;" />
</connectionStrings>
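Provisioning the membership database so that no SQL password has to appear in any web.config, as an added example that is not part of the original deck. It creates aspnetdb with the ASP.NET tool, grants the SharePoint accounts the built-in aspnetdb roles through Windows authentication, and encrypts the connectionStrings section of each web.config with DPAPI. The SQL instance, the account names and the web application directory are assumptions; the .NET 2.0 tool paths apply to SharePoint 2010, which runs on the .NET 3.5 / CLR 2.0 runtime.

```powershell
# Added example, not from the slides: create aspnetdb, grant access by Windows
# account instead of a SQL login, and encrypt connectionStrings in each web.config.
# Instance, accounts and the web application directory are assumptions.
$sqlInstance = "ETEKSPS2010\POWERPIVOT"
$dbName      = "aspnetdb"
$accounts    = "ETEKGLOBALINC\svc_spfba",   # web application pool account (assumed)
               "ETEKGLOBALINC\svc_spfarm"   # farm account: SecurityTokenServiceApplication runs as it (assumed name)
$fx          = "$env:windir\Microsoft.NET\Framework64\v2.0.50727"   # CLR 2.0 tools used by SharePoint 2010
$webConfigDirs = "C:\inetpub\wwwroot\wss\VirtualDirectories\fba.etekglobalinc.local443",
                 "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken"

# 1. Membership (m) and role (r) schema, created with the caller's Windows credentials (-E).
& "$fx\aspnet_regsql.exe" -S $sqlInstance -E -d $dbName -A mr

# 2. Windows logins for the service accounts, mapped to the aspnetdb roles the
#    providers need. No SQL login, so nothing to put in a connection string.
$tsql = "USE [$dbName];`r`n"
foreach ($acct in $accounts) {
    $tsql += @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$acct')
    CREATE LOGIN [$acct] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$acct')
    CREATE USER [$acct] FOR LOGIN [$acct];
EXEC sp_addrolemember N'aspnet_Membership_FullAccess', N'$acct';
EXEC sp_addrolemember N'aspnet_Roles_FullAccess', N'$acct';

"@
}
$script = Join-Path $env:TEMP "aspnetdb-grants.sql"
$tsql | Set-Content -Path $script
& sqlcmd.exe -S $sqlInstance -E -i $script
Remove-Item $script

# 3. The connection string to use in each web.config instead of User ID/Password:
#    <add name="ApplicationServices"
#         connectionString="Data Source=ETEKSPS2010\POWERPIVOT;Initial Catalog=aspnetdb;Integrated Security=SSPI;" />
#    The web application pool then connects as svc_spfba and the STS as the farm account.

# 4. Encrypt the <connectionStrings> section in place. DPAPI machine scope means the
#    section can only be decrypted on the server that encrypted it, so repeat this on
#    every front-end; ASP.NET decrypts transparently at run time.
foreach ($dir in $webConfigDirs) {
    & "$fx\aspnet_regiis.exe" -pef "connectionStrings" $dir -prov "DataProtectionConfigurationProvider"
}
```

After step 4 the web.config shows an <EncryptedData> element in place of the connection string; `aspnet_regiis.exe -pdf "connectionStrings" <dir>` reverses it when the value has to be edited.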
31. Useful Links
Examples of web.config for LDAP authentication (written for Office SharePoint Server 2007, office.12): http://technet.microsoft.com/en-us/library/cc197251(office.12).aspx
Speaker notes
Anonymous: Lets users reach the public areas of a web site without providing any credentials.
Basic: Requires an existing Windows account. The browser sends the user name and password with the request, Base64-encoded but not encrypted, so over an unsecured HTTP connection anyone on the network path can read them. If Basic authentication is chosen, Secure Sockets Layer encryption must be enabled for the site.
Digest: Provides the same functionality as Basic authentication with somewhat better protection of the password. The password itself is never sent; the client sends an MD5 digest computed over the user name, password, realm and a server-supplied nonce, from which the original values cannot be read directly. A captured digest can still be attacked offline by guessing the password, and Digest protects nothing else in the session, so SSL is still advisable.
Client certificates: Supports authentication with public key certificates exchanged during the Secure Sockets Layer (SSL) handshake over HTTP. Client certificates are issued by a Certificate Authority (CA) and must conform to the organisation's Public Key Infrastructure (PKI).
NTLM: A challenge-response protocol in which the password is never sent over the network; the client returns a response computed from the password and a server challenge. It is used where Kerberos is unavailable: servers that are not members of an Active Directory domain, or client computers that do not support Kerberos authentication. Kerberos is preferred wherever it can be used.
Negotiate (Kerberos or NTLM): Lets the client and server select between Kerberos and NTLM. Negotiate attempts Kerberos first and falls back to NTLM when Kerberos is not supported in the environment or when the calling application does not provide enough information (for example a service principal name) to complete Kerberos authentication.