Claims Based Authentication with SharePoint 2010

Architecture

Overview
The claims-based identity model for Microsoft SharePoint Foundation 2010 and Microsoft SharePoint Server 2010 is built upon Windows Identity Foundation (WIF), formerly code-named "Geneva" Framework Beta. Claims-based identity is an identity model in SharePoint Foundation 2010 and SharePoint Server 2010 that includes features such as authentication across users of Windows-based systems and systems that are not Windows-based, multiple authentication types, stronger real-time authentication, a wider set of principal types, and delegation of user identity between applications.

When you build claims-aware applications, the user presents an identity to your application as a set of claims. One claim could be the user’s name, another might be an e-mail address. The idea is that an external identity system is configured to give your application all the information it needs about the user with each request, along with cryptographic assurance that the identity data you receive comes from a trusted source. Under this model, single sign-on is much easier to achieve.

Figure 1: Issuers, security tokens, and applications

Figure 2: ADFS functions

Steps

1. Create a local server instance with W2K8 R2, Sql Server and set it up as a domain controller
2. Install ADFS 2.0 RC
3. Open the command prompt and browse to the ADFS installation folder
   cd "%programfiles%\Active Directory Federation Services 2.0"
4. Configure ADFS with your database instance (instead of the default internal database). From the command prompt, type the following and fill in your details:
   

   FsConfigWizard.exe -sqlhost: -sqlinstance: -servacct: -servpass: [-dropdb]

   
   

   Parameter	Description
   -sqlhost	Sets the <SqlHostName> value.
   <SqlHostName>	Specifies the name of the computer that is running an instance of SQL Server for use with AD FS 2.0. For example, if the local computer is to be specified, type localhost here.
   -sqlinstance	Sets the <SqlInstName> value.
   <SqlInstName>	Specifies the name of the SQL Server database instance to be used as the database. For example, to specify that a default Structured Query Language (SQL) instance that AD FS 2.0 Setup creates is to be used, type SQLEXPRESS here.
   -servacct	Sets the <SvcAcctName> value.
   <SvcAcctName>	Specifies the name of the Active Directory service account to use for running the AD FS 2.0 service. For example, to specify that the Network Service account for the Contoso domain be used, type CONTOSO\NetworkService here.
   -servpass	Sets the <SvcAcctPwd> value.
   <SvcAcctPwd>	Specifies the password text for the account set using the -servacct parameter.
   -dropdb	(Optional.) If this parameter is specified, it deletes or overwrites any existing database if one is found to exist. If this parameter is omitted, and an existing AD FS 2.0 database is located it will be used. If no parameter is specified and no existing database is located, the database will be created as needed. To create the database, AD FS 2.0 uses the hosted SQL Server instance that is set using the -sqlhost and -sqlinstance parameters.

5. Create a claims-enabled SharePoint web application.
Click “Create new Web Application” in Central Administration and select the “Claims Based Authentication” radio-button in the Authentication section. Create the base site collection after this.

6. (Optional) Create and deploy the claims checker webpart.
You can download the WSP from here.
You can download the sourcecode from here.

7. Launch ADFS 2 and validate the certificate, which should be the same certificate bound to the default web site. Make any changes necessary to ensure the Service Communications certificate and SSL binding in IIS is fully operational.

8. As a test, you should be able to browse to https://<servername>/FederationMetadata/2007-06/federationmetadata.xml

9. Now, export your Token-Signing Certificate to the c:\ drive. The quickest way to do this is to right-click the certificate in the ADFS 2.0 Management Console and select “View Certificate…”. Then, navigate to the Details tab and click the button labeled Copy to File… This will launch the Certificate Export Wizard. Follow the wizard to export the certificate as a DER encoded binary X.509 (.CER) file. For simplicity, I recommend saving the certificate to the C:\ drive. You will need this file in the following PowerShell script.

10. Add ADFS 2.0 as a Federated Identity Provider in SharePoint
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\[YOUR_STS_SIGNING_CERT].cer")
$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$realm = "urn:" + $env:ComputerName + ":adfs"
$signinurl = "https://[YOUR_SERVER_NAME]/adfs/ls/"
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" -Description "ADFS 2.0 Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType


Configure Role Powershell Script

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\[YOUR_STS_SIGNING_CERT].cer")
$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$realm = "urn:" + $env:ComputerName + ":adfs"
$signinurl = "https://[YOUR_SERVER_NAME]/adfs/ls/"
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" -Description "ADFS 2.0 Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType 

HINT: You can copy and paste the above PowerShell commands into a text file. Save the text file with the .ps1 extension and you will be able to execute the file from within PowerShell. Be sure to launch “SharePoint 2010 Management Shell” as this will load all the SharePoint related extensions.

11. You should now be able add the Federated Identity Provider in Central Administration. Navigate to Web Applications Management, highlight the web application, and click the Authentication Providers button in the ribbon. You should now see your new provider in the Federated Identity Provider section of the Edit Authentication window

12. At this point, if you browse to your claims-enabled SharePoint site you’ll find a new screen where you need to specify what Identity Provider to use for access. This happens because we have both our Federated Identity Provider and Windows Authentication enabled for this zone. It should be noted that this screen can be customized with logic to automatically determine the correct provider based on the client IP address (for example). For now, we need to stick with Windows Authentication because ADFS 2.0 isn’t configured yet to work with SharePoint.

13. There appear to be issues getting claims-enabled web applications that have both a custom Federated Identity Provider and standard Windows Authentication provider enabled. Therefore delete and create the web application again.

14. Download SSL Diagnostics Version 1.1 and generate


References
ADFS 2 - http://www.microsoft.com/downloads/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b&displaylang=en
Claims Based Authentication Guide on CodePlex - http://claimsid.codeplex.com/
Geneva WhitePapers - http://www.microsoft.com/downloads/details.aspx?FamilyID=9ca5c685-3172-4d8f-81cb-1a59bdc9f7e3&displaylang=en
http://msdn.microsoft.com/en-us/library/ee536164(v=office.14).aspx
http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=33
http://lindstrom.nullsession.com/?p=236
http://technet.microsoft.com/en-us/library/dd727952(WS.10).aspx

Step by Step Instructions on Video

Source: http://blogs.southworks.net/mwoloski - double click for full-screen view.

SharePoint 2010 RC Installation

** Update **
There is a full guide for this on MSDN at http://msdn.microsoft.com/en-us/library/ee554869.aspx

Preparing to install SharePoint 2010 RC
Notes: This guide is for installing SharePoint RC on a single DEV machine
which is a Domain controller, database server and a web server. Installing SharePoint RC on a domain controller is not supported via the GUI so the workaround way is depicted.

• Install Windows Server 2008 R2
• Install ADDS (Active Directory Domain Services)[Optional]
• Install ADFS (Active Directory Federation Services) [Optional]

Active Directory Domain Services

• 
• 
• 
• 
• 
• 

Active Directory Federation Services

• 
• 
• 
• 
• 
• 
• 

Install Sql Server 2008
- Install Sql Server 2008 SP1
- Install the cumulative update 2 package
http://support.microsoft.com/kb/970315/


Installing SharePoint 2010 RC
Issues with Installation on Server with Domain Controller
The best way to install SharePoint 2010 RC on a domain controller is by using an scripted installation.

• Extract the installation file by executing
  

  <<installation filename>>

  /extract
• Open a Windows Explorer and create a file called config.xml.
• Open the config.xml file and paste in the part below
• Change the into your own product key and the install folder
• Save the file
• Start a command prompt and browse to the folder
• Run "setup /config config.xml"

SharePoint 2010 RC is now being installed as a Complete installation!

Config.xml

<configuration>
<package id="sts">
<setting id="LAUNCHEDFROMSETUPSTS" value="Yes">
</package>
<package id="spswfe">
<setting id="SETUPCALLED" value="1">
<setting id="OFFICESERVERPREMIUM" value="1">
</package>
<logging path="%temp%" template="SharePoint Server Setup(*).log" type="verbose">
<pidkey value="[[PID KEY&]]">
<setting id="SERVERROLE" value="APPLICATION">
<setting id="USINGUIINSTALLMODE" value="0">
<setting id="SETUP_REBOOT" value="Never">
<setting id="SETUPTYPE" value="CLEAN_INSTALL">
<installlocation value="C:\Program Files\Microsoft SharePoint">
<display accepteula="Yes" completionnotice="Yes" level="Basic">
</configuration>

Authentication in SharePoint 2010

SharePoint 2010 supports 3 types of authentication methods:

Authentication Method	Description	Examples
Claims	Claims authentication for SharePoint Server 2010 is built on the Windows Identity Foundation, which is a set of .NET Framework classes that are used to implement claims-based identity.	N/A
Windows	The standard IIS Windows authentication methods are supported	Anonymous Basic Digest Certificates Kerberos (Integrated Windows) NTLM (Integrated Windows)
Forms-based	SharePoint Server 2010 adds support for identity management systems that are not based on Windows by integrating with forms-based authentication. Forms-based authentication enables SharePoint Server 2010 to work with identity management systems that implement the MembershipProvider interface. You do not need to rewrite the security administration pages or manage shadow Active Directory directory service accounts.	Lightweight Directory Access Protocol (LDAP) SQL database or other database Other forms-based authentication solutions

SharePoint 2010 now supports claims-based authentication or classic mode authentication when you create a Web application.

Claims-based authentication


The claims-based authentication model for SharePoint Server 2010 is built on the Windows Identity Foundation (WIF). Claims-based authentication in SharePoint Server 2010 enables authentication across Windows-based systems and systems that are not Windows-based. Claims-based authentication supports delegation of user identity between applications. Using claims-based authentication, you can implement multiple forms of authentication on a single zone.

Classic-mode authentication

Classic-mode authentication refers to the Integrated Windows authentication model supported in Windows SharePoint Services 3.0. In classic-mode authentication, no claims augmentation is performed and the new claims authentication features are not supported. Using classic-mode authentication, you can implement all of the previously supported forms of authentication with a limit of one form of authentication for each zone.


The following diagram illustrates a Windows SharePoint Services server farm that is configured to host sites for multiple companies.

Connect to identity management systems that are external or not based on Windows


To use forms-based authentication to authenticate users against an identity management system that is not based on Windows or that is external, you must register the membership provider in the Web.config file. In addition to registering a membership provider, you can register a role manager. SharePoint Server 2010 uses the standard ASP.NET role manager interface to gather group information about the current user. Each ASP.NET role is treated like a domain group by the authorization process in SharePoint Server 2010. You register role managers in the Web.config file the same way you register membership providers for authentication.
If you want to manage membership user or roles from the Central Administration site, you can register the membership provider and the role manager in the Web.config file for the Central Administration site in addition to registering these in the Web.config file for the Web application that hosts the content.
Ensure that the membership provider name and role manager name that you registered in the Web.config file is the same as the name that you entered in Central Administration. If you do not enter the role manager in the Web.config file, the default provider specified in the machine.config file might be used instead.

For example, the following string in a Web.config file specifies a SQL membership provider:
<membership defaultprovider="AspNetSqlMembershipProvider">

Integrating with forms-based authentication places additional requirements on the authentication provider. In addition to registering the various elements in the Web.config file, the membership provider, role manager, and HTTP module must be programmed to interact with SharePoint Server 2010 and ASP.NET methods, as indicated in the following table.

Category	Description
Membership provider	To work with SharePoint Server 2010, the membership provider must implement the following methods: GetUser (String): SharePoint Server 2010 calls this method to resolve user names during invitations and to get the user's display name. GetUserNameByEmail: SharePoint Server 2010 calls this method to resolve user names in invitations. FindUsersByName and FindUsersByEmail: SharePoint Server 2010 calls these methods to populate the user picker control on the Add Users page. If the membership provider does not return any users, the picker will not function and administrators will need to type the user name or e-mail address in the Add User text box.
Role manager	The role manager must implement the following methods: RoleExists: SharePoint Server 2010 calls this method during invitations to verify that a role name exists. GetRolesForUser: SharePoint Server 2010 calls this method at access check to gather the roles for the current user. GetAllRoles: SharePoint Server 2010 calls this method to populate the group and role picker. If the role provider does not return any groups or roles, the SharePoint Server 2010 picker will not function and the administrator will need to type the name of the role in the Add User text box.

Enabling anonymous access

You can enable anonymous access for a Web application in addition to configuring a more secure authentication method. With this configuration, administrators of sites within the Web application can choose to allow anonymous access. If anonymous users want to gain access to secured resources and capabilities, they can click a logon button to submit their credentials.
Using different authentication methods to access a site

You can configure Web applications in SharePoint Server 2010 to be accessed by up to five different authentication methods or identity management systems. The following figure illustrates a partner application that is configured to be accessed by users from two different identity management systems. Internal employees are authenticated by using one of the standard Windows authentication methods. Employees of the partner company are authenticated against their own company's identity management system.



To configure a Web application to be accessed by two or more different authentication systems, you must configure additional zones for the Web application. Zones represent different logical paths of gaining access to the same physical application. With a typical partner application, employees of a partner company access the application through the Internet, while internal employees access the application directly through the intranet.

To create a new zone, extend the Web application. On the Extend Web Application to Another IIS Web Site page, in the Load Balanced URL section, specify the URL and zone type. The zone type is simply a category name applied to the zone and does not affect the configuration of the zone.

After extending the Web application, you can configure a separate authentication method for the new zone. The default zone is the zone used by internal employees. The Internet zone is configured for partner access and uses forms-based authentication to authenticate partner employees against the partner identity management system.

Editing TFS Templates

If the out-of-box TFS templates are not sufficient for your needs, it is possible to extend it by creating custom columns and laying them out in your forms.

Here is a list of steps to follow:

To Export an Existing Template

"C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\witadmin" exportwitd /collection:[Address to TFS url] /p:"[Project Name]" /f:[Filepath]\template.xml /n:[Template name for ex:
[User Story]


To Import Your Template into TFS

"C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\witadmin" importwitd /collection:[Address to TFS url] /p:"[Project Name]" /f:[Filepath]\Template.xml
To Validate Your Template
"C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\witadmin" importwitd /collection:[Address to TFS url] /p:"[Project Name]" /f:[Filepath]\Template.xml /v


Delete a Field

witadmin deletefield /collection:[Address to TFS url] /n:[Name of field to delete]


Overview of Template Structure