SharePoint 2010 Extranets & Authentication
www.expertpointsolutions.com
About Brian Culver
• SharePoint Solutions Architect for Expert Point Solutions
• Based in Houston, TX
• Author
  • SharePoint 2010 Unleashed
  • Various White Papers
• Speaker and Blogger
Session Agenda
• Extranet Definition
• Common Extranet Scenarios
• Extranet Design Considerations & Challenges
• Claims Based Authentication and other Authentication Scenarios
• Mixed Mode vs. Multi-Authentication
Extranet - Definition
• A web application that is shared with external users, such as partners, vendors, and customers
• Common attributes for an extranet:
  • Sharing a private network or secured network
  • Requires authenticated access, but the identity of the consumer is not always known
  • Has better security controls than an Internet Web application but usually less secure than the Intranet
Common Extranet Scenarios
Scenario types (columns): Line of Business Applications, Collaboration, Static Content or Publishing
• Remote Employees
• Partners
  • Isolate and segregate internal data.
  • Authorize to use only sites and data that are necessary for their contributions.
  • Restrict partners from viewing other partners' data.
• Vendors & Customers
  • Target content
  • Segment content
  • Limit content access and search results based on audience.
Extranet Design Considerations & Challenges
• Network Topology and Access
• Identity Management
• Seamless Single Sign-on Experience
• Content Security and Access
• Antivirus
  • Client
  • Server
• Rich Client Experience (Office Integration)
Edge Firewall Topology
Back-to-Back Perimeter Topology
Split Back-to-Back Topology
Security Terms
• Authentication is the mechanism whereby systems may securely identify their users
  • Creates an identity for the security principal
  • Who am I?
• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system
  • Determines what resources an identity has access to
  • What can I access?
SharePoint Authentication
• SharePoint does not authenticate
  • Windows authentication via Windows Server and IIS (Kerberos/NTLM)
  • FBA via ASP.NET and authentication providers (SQL, LDAP, etc.)
  • Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems
• SharePoint creates user profiles
  • The SPUser object represents the security principal
  • The User Profile List in each Site Collection tracks user profiles
SharePoint 2010 Security
• SharePoint 2010 changes authentication
  • Uses classic mode and claims based authentication
  • Classic mode is SharePoint 2007 style legacy mode
  • Claims-based authentication is the new security model
• What are the benefits?
  • Claims decouples SharePoint from the authentication provider
  • Allows SharePoint to support multiple authentication providers per URL
  • Identities can be passed without Kerberos delegation
  • Allows federation between organizations
  • ACLs can be configured with DLs, Audiences and OUs
SharePoint 2013 Security
• SharePoint 2013 authentication:
• Still supports classic mode and claims based authentication
• Claims-based authentication is the default security model
• Supported Authentication modes:
• Windows claims–mode sign-in (default)
• SAML passive sign-in mode
• ASP.NET membership and role passive sign-in
• Windows classic–mode sign-in (deprecated in SP2013)
• Claims authentication is the way to go!
Identity Normalization
Claims-Based Terminology
• Identity: security principal used to configure the security policy
• Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.)
• Security Token: serialized set of claims (assertions) about an authenticated user
Claim-based Authentication
• Security Token Service (STS): builds, signs and issues security tokens. It can receive and submit tokens.
• Issuing Authority: identity management system(s) that "knows" the claims (AD, ASP.NET, LiveID, etc.)
• Identity Provider: trusted party that creates and submits claims
• Relying Party: application that makes authorization decisions based on received claims
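The roles just defined, as an added example that is not part of the presentation: an STS signs a claim set on behalf of an issuing authority, and the relying party accepts it on signature, issuer and expiry alone, then authorizes from the claims without calling back to the directory. The HMAC shared key, the issuer name and the claim values are constructed stand-ins; a real STS signs with its certificate.

```python
"""Claims-based authentication reduced to its trust boundaries (added example)."""
import hashlib
import hmac
import json
import time

# Constructed stand-in for the STS signing key. A real STS signs with an X.509
# certificate and the relying party validates against the issuer's public key.
STS_KEY = b"constructed-demo-signing-key"


def sts_issue(issuing_authority, claims, key=STS_KEY, ttl=600, now=None):
    """STS side: take the claims the issuing authority vouched for, build a
    security token (a serialized claim set), sign it and hand it out."""
    body = {"iss": issuing_authority, "exp": (now or time.time()) + ttl, "claims": claims}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, raw.encode(), hashlib.sha256).hexdigest()
    return raw + "." + sig


def rp_validate(token, trusted_issuers, key=STS_KEY, now=None):
    """Relying party side: accept the claim set only if the signature checks,
    the issuer is one this application federates with and the token is unexpired.
    Returns the claims dict, or None when the token must be rejected."""
    raw, _, sig = token.rpartition(".")  # the hex signature never contains a dot
    expected = hmac.new(key, raw.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered claims, or a token not signed by our STS
    body = json.loads(raw)
    if body["iss"] not in trusted_issuers:
        return None  # claims from a provider this web application does not trust
    if body["exp"] < (now or time.time()):
        return None  # stale token; the user has to re-authenticate
    return body["claims"]


def authorize(claims, required_role):
    """Authorization is decided from the claims alone: no Kerberos delegation,
    no call back to AD or to the SQL membership database."""
    return claims is not None and required_role in claims.get("roles", [])


if __name__ == "__main__":
    # Constructed claim set in the shape the slides describe (login name, role).
    claims = {"logonname": "partner.user", "roles": ["Partner Contributors"]}
    token = sts_issue("SQL-MembershipProvider", claims)
    accepted = rp_validate(token, trusted_issuers={"SQL-MembershipProvider"})
    print("may contribute:", authorize(accepted, "Partner Contributors"))
```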
Mixed Mode Authentication vs Multi-Authentication
[Diagram: Mixed Authentication. One SharePoint Farm with one Web Application (Zone: Default, Windows Authentication) extended into Extended Web Applications, one per zone (Zone: Intranet, Zone: Internet, Zone: Extranet, Zone: Custom), each zone carrying a single provider such as FBA Authentication.]
[Diagram: Multi-Authentication. One SharePoint Farm with one Web Application whose Zone: Default carries Windows Authentication, FBA Authentication and SAML Based Authentication together, plus Extended Web Applications in the other zones with FBA Authentication or Windows Authentication.]
Auth Scenarios - Mixed Mode
Authentication Scenarios
Mixed Mode: When to Use It
Auth Scenarios - Multi Authentication
Authentication Scenarios
Multi Authentication: When to Use It
Authentication Scenarios
Multi Authentication & Mixed Mode
FBA Claims Configuration in SP2010
1. Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
2. Enable Claims Authentication on Web Application via Central Administration
3. Modify web.config for the FBA Web Application
4. Modify web.config for Central Administration
FBA Claims Configuration in SP2010
5. Modify web.config for Security Token Service
  • %programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken
  • Changes need to be made to the Security Token Service virtual directory on each server hosting CA or the claims-based web application
6. Configure FBA Provider in Central Administration
7. Create Web Application Policy to give SQL Auth User(s) access to site
Claims Configuration in SP2010
FBA Claims Configuration in SP2010
Web Application web.config

```xml
<system.web>
  <!-- SharePoint's claims wrappers ("c" and "i") must be the default providers;
       the SQL providers are registered beside them and resolved through the wrappers. -->
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <add name="c"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" applicationName="/"
           description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager"
           type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </roleManager>
  <membership defaultProvider="i">
    <providers>
      <add name="i"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <!-- Passwords stored hashed, never retrievable, with lockout after 5 attempts -->
      <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5"
           enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true"
           applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed"
           description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider"
           type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </membership>
</system.web>
```
FBA Claims Configuration in SP2010
Central Admin Web.config

```xml
<!-- Central Administration uses the SQL providers directly as its defaults -->
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add connectionStringName="SQLConnectionString" applicationName="/"
         description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
<membership defaultProvider="SQL-MembershipProvider">
  <providers>
    <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5"
         enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true"
         applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed"
         description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>
```
FBA Claims Configuration in SP2010
Secure Store Web Service web.config

```xml
<connectionStrings>
  <!-- Integrated security: the application pool identity, not a SQL login, reaches aspnetdb -->
  <add name="SQLConnectionString"
       connectionString="Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=aspnetdb;Data Source=.\sharepoint" />
</connectionStrings>
<system.web>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <add name="c"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" applicationName="/"
           description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager"
           type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </roleManager>
  <membership defaultProvider="i">
    <providers>
      <add name="i"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5"
           enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true"
           applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed"
           description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider"
           type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </membership>
</system.web>
```
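Steps 3 to 5 edit three web.config files by hand, which is where claims FBA setups usually go wrong. As an added example (not from the presentation), this audit parses a web.config and checks that the provider wiring matches the slides: on the web application and STS the SharePoint claims wrappers are the defaults with the SQL providers registered beside them, on Central Administration the SQL membership provider is the default, and the SqlMembershipProvider keeps hashed, non-retrievable passwords. The embedded sample is constructed from the slide's own snippet with the assembly strings trimmed.

```python
"""Audit the provider wiring of a SharePoint 2010 FBA web.config (added example)."""
import xml.etree.ElementTree as ET

# SharePoint's claims wrappers; on a claims web application they must be the defaults.
SP_WRAPPERS = {
    "membership": "Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider",
    "roleManager": "Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider",
}
SQL_TYPES = {"membership": "System.Web.Security.SqlMembershipProvider", "roleManager": "System.Web.Security.SqlRoleProvider"}

# Constructed sample, trimmed from the slide's web application web.config.
SAMPLE_WEBAPP_CONFIG = """<system.web>
 <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
   <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0" />
   <add name="SQL-RoleManager" connectionStringName="SQLConnectionString" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0" />
  </providers>
 </roleManager>
 <membership defaultProvider="i">
  <providers>
   <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0" />
   <add name="SQL-MembershipProvider" connectionStringName="SQLConnectionString" passwordFormat="Hashed" enablePasswordRetrieval="false" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0" />
  </providers>
 </membership>
</system.web>"""


def audit_web_config(xml_text, central_admin=False):
    """Return findings; [] means the file is wired the way the slides lay it out.
    central_admin=False (web application, STS): the claims wrappers are the defaults
    with the SQL providers registered beside them. central_admin=True: the SQL
    membership provider itself is the default, as in the Central Admin slide."""
    root = ET.fromstring(xml_text)
    findings = []
    for section, sql_type in SQL_TYPES.items():
        node = root.find(f".//{section}")
        if node is None:
            findings.append(f"missing <{section}> section")
            continue
        providers = {p.get("name"): p.attrib for p in node.iter("add")}
        default = node.get("defaultProvider")
        sql = [n for n, a in providers.items() if a.get("type", "").startswith(sql_type)]
        if not sql:
            findings.append(f"{section}: no {sql_type.rsplit('.', 1)[1]} registered")
        if central_admin:
            if section == "membership" and default not in sql:
                findings.append(f"CA {section} defaultProvider {default!r} is not the SQL provider")
        elif not providers.get(default, {}).get("type", "").startswith(SP_WRAPPERS[section]):
            findings.append(f"{section} defaultProvider {default!r} is not the SharePoint claims wrapper")
        for name in (sql if section == "membership" else []):  # credential-handling settings
            if providers[name].get("passwordFormat") != "Hashed":
                findings.append(f"{name}: passwordFormat must be Hashed")
            if providers[name].get("enablePasswordRetrieval", "false").lower() != "false":
                findings.append(f"{name}: enablePasswordRetrieval must stay false")
    return findings
```

Run it against each of the three files after the manual edits; a non-empty list is a misconfiguration to fix before users are granted access in step 7.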
Claims Configuration
Issues using Claims Authentication in SP2010
• "Search Alerts only work with Windows Classic Authentication"
  • http://technet.microsoft.com/en-us/library/cc288475.aspx
• Performance Point Dashboard Designer doesn't work directly against a web application with multiple authentication providers
• http://technet.microsoft.com/en-us/library/ee748637.aspx
Issues using Claims Authentication
• Some issues have been reported with InfoPath Forms Services, PowerPivot and PerformancePoint Services
• Project Server won't create new sites on a claims-based authentication web application, but I don't see a reference for it
Questions
Constructive Feedback Is Appreciated
Useful Links
• SharePoint 2010 FBA User Management
• SharePoint 2010 Forms Based Authentication Configuration Manager
  http://blogs.technet.com/b/speschka/archive/2010/07/28/sharepoint-2010-forms-based-authentication-configuration-manager.aspx
• SharePoint 2010: transparent login with mixed authentication
  http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
• Steve Peschka's articles on Forms Authentication
  » Forms Authentication in SharePoint Products and Technologies (Part 1): Introduction
  » Forms Authentication in SharePoint Products and Technologies (Part 2): Membership and Role Provider Samples
  » Forms Authentication in SharePoint Products and Technologies (Part 3): Forms Authentication vs. Windows Authentication