How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organizations to build extranet sites and partner portals inexpensively and securely. Learn exactly what Claims Based Authentication is and how to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.
2. Welcome to SharePoint Saturday—The Conference
Thank you for being a part of the first SharePoint Saturday conference
• Please turn off all electronic devices or set them to vibrate.
• If you must take a phone call, please do so in the hall so as not to disturb others.
• Open wireless access is available at SSID: SPSTC2011
• Feel free to "tweet and blog" during the session
• Thanks to our Diamond and Platinum Sponsors:
3. About Brian Culver
– SharePoint Solutions Architect for Expert Point Solutions
– Based in Houston, TX
– Author
  • SharePoint 2010 Unleashed
  • Various White Papers
– Speaker and Blogger
4. Session Agenda
• Extranet Definition
• Common Extranet Scenarios
• Extranet Design Considerations & Challenges
• Claims Based Authentication and other Authentication Scenarios
• Mixed Mode vs. Multi-Authentication
5. Extranet - Definition
• A web application that is shared with external users, such as partners, vendors, and customers
• Common attributes of an extranet:
  • Shares a private network or secured network
  • Requires authenticated access, but the identity of the consumer is not always known
  • Has better security controls than an Internet web application, but is usually less secure than the Intranet web application
6. Common Extranet Scenarios
Employees
• Line of Business Applications
• Remote Collaboration
• Static Content or Publishing
Partners
• Isolate and segregate internal data.
• Authorize to use only sites and data that are necessary for their contributions.
• Restrict partners from viewing other partners' data.
Vendors & Customers
• Target Content
• Segment content
• Limit content access and search results based on audience.
7. Extranet Design Considerations & Challenges
• Network Topology and Access
• Identity Management
  – Seamless Single Sign-on Experience
• Content Security and Access
• Antivirus
  – Client
  – Server
• Rich Client Experience (Office Integration)
11. Security Terms
• Authentication is the mechanism whereby systems securely identify their users
  – Creates an identity for a security principal
  – Who am I?
• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
  – Determines what resources an identity has access to
  – What can I access?
12. SharePoint Authentication
• SharePoint does not authenticate users itself
  – Windows authentication via Windows Server and IIS (Kerberos/NTLM)
  – FBA via ASP.NET and its authentication providers (SQL, LDAP, etc.)
  – Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems
• SharePoint creates user profiles
  – The SPUser object represents the security principal
  – The User Profile List in each Site Collection tracks user profiles
13. SharePoint 2010 Security
• SharePoint 2010 changes authentication
  – Offers classic mode and claims-based authentication
  – Classic mode is the SharePoint 2007-style legacy mode
  – Claims-based authentication is the new security model
• What are the benefits?
  – Claims decouple SharePoint from the authentication provider
  – Allows SharePoint to support multiple authentication providers per URL
  – Identities can be passed without Kerberos delegation
  – Allows federation between organizations
  – ACLs can be configured with DLs, Audiences and OUs
15. Claims-Based Terminology
• Identity: security principal used to configure the security policy
• Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.)
• Security Token: serialized set of claims (assertions) about an authenticated user.
16. Claim-based Authentication
• Security Token Service (STS): builds, signs and issues security tokens. It can receive and submit tokens.
• Issuing Authority: identity management system(s) that "knows" the claims (AD, ASP.NET, LiveID, etc.)
• Identity Provider: trusted party that creates and submits claims
• Relying Party: application that makes authorization decisions based on received claims
19. Mixed Mode Authentication vs Multi-Authentication
Mixed Authentication
SharePoint Farm
  Web Application - Zone: Default - Windows Authentication
  Extended Web Application - Zone: Extranet - FBA Authentication
  Extended Web Application - Zone: Intranet - ...
  Extended Web Application - Zone: Internet - ...
  Extended Web Application - Zone: Custom - ...
Multi-Authentication
SharePoint Farm
  Web Application - Zone: Default - Windows Authentication, FBA Authentication, SAML Based Authentication
  Extended Web Application - Zone: Extranet - FBA Authentication
  Extended Web Application - Zone: Intranet - Windows Authentication
  Extended Web Application - Zone: Internet - ...
  Extended Web Application - Zone: Custom - ...
25. FBA Claims Configuration
1. Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
2. Enable Claims Authentication on the Web Application via Central Administration
3. Modify web.config for the FBA Web Application
4. Modify web.config for Central Administration
26. FBA Claims Configuration
5. Modify web.config for the Security Token Service
  – %programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken
  – Changes need to be made to the Security Token Service virtual directory on each server hosting CA or the claims-based web application
6. Configure the FBA Provider in Central Administration
7. Create a Web Application Policy to give the SQL Auth user(s) access to the site
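The web.config additions that steps 3 to 5 refer to, shown for the FBA web application as an added example (not from the slides). The provider names FBAMembershipProvider and FBARoleProvider, the connection string name and the server name SQLSERVER are assumptions; the aspnetdb database is the one created by aspnet_regsql.exe in step 1.

```xml
<!-- Fragment of web.config for the FBA claims web application (assumed names). -->
<configuration>
  <connectionStrings>
    <!-- Connect as the application pool identity with Integrated Security; the
         account only needs the aspnet_Membership_* / aspnet_Roles_* roles in aspnetdb. -->
    <add name="FBAConnectionString"
         connectionString="Server=SQLSERVER;Database=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- SharePoint 2010 claims installs its own providers "i" and "c" as the
         defaults. Leave them as defaults and register the SQL providers beside them. -->
    <membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="FBAMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBAConnectionString"
             applicationName="/"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="c" cacheRolesInCookie="false">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="FBARoleProvider"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBAConnectionString"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

For Central Administration (step 4) and the Security Token Service (step 5) the same connectionStrings entry and the two SQL provider entries are added, but the existing defaultProvider values in those files are left untouched; the STS web.config has no membership or roleManager sections of its own, so they are added under system.web with the providers only.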
36. Issues using Claims Authentication
• "Search Alerts only work with Windows Classic Authentication"
  – http://technet.microsoft.com/en-us/library/cc288475.aspx
• PerformancePoint Dashboard Designer doesn't work directly against a web application with multiple authentication providers
  – http://technet.microsoft.com/en-us/library/ee748637.aspx
37. Issues using Claims Authentication
• Some issues have been reported with InfoPath Forms Services, PowerPivot and PerformancePoint Services
• Project Server won't create new sites on a claims-based authentication web application, but I have not found a reference for it
41. Session Evaluation
Please complete and turn in your Session Evaluation Form so we can improve future events. The survey can be filled out at:
http://app.fluidsurveys.com/surveys/spstc2011-
and add the Session number to the URL
Presenter: Brian Culver
Session Name: SharePoint 2010 Extranets and Authentication: How will SharePoint Connect you to your Partners?
Session No.: Sat-S5A-101
42. Useful Links
• SharePoint 2010 FBA User Management
• SharePoint 2010 Forms Based Authentication Configuration Manager
  http://blogs.technet.com/b/speschka/archive/2010/07/28/sharepoint-2010-forms-based-authentication-configuration-manager.aspx
• SharePoint 2010: transparent login with mixed authentication
  http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
• Steve Peschka's articles on Forms Authentication
  » Forms Authentication in SharePoint Products and Technologies (Part 1): Introduction
  » Forms Authentication in SharePoint Products and Technologies (Part 2): Membership and Role Provider Samples
  » Forms Authentication in SharePoint Products and Technologies (Part 3): Forms Authentication vs. Windows Authentication