SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

SharePoint 2010 Extranets & Authentication

Description

How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organizations to build extranet sites and partner portals inexpensively and securely. Learn what exactly Claims Based Authentication is and how to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.

Transcript of SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Page 1: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

SharePoint 2010 Extranets & Authentication

Page 2: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Welcome to SharePoint Saturday—The Conference

• Please turn off all electronic devices or set them to vibrate.

• If you must take a phone call, please do so in the hall so as not to disturb others.

• Open wireless access is available at SSID: SPSTC2011

• Feel free to “tweet and blog” during the session

• Thanks to our Diamond and Platinum Sponsors:

Thank you for being a part of the first SharePoint Saturday conference

Page 3: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

About Brian Culver

– SharePoint Solutions Architect for Expert Point Solutions

– Based in Houston, TX

– Author
  • SharePoint 2010 Unleashed
  • Various White Papers

– Speaker and Blogger

Page 4: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Session Agenda

• Extranet Definition

• Common Extranet Scenarios

• Extranet Design Considerations & Challenges

• Claims Based Authentication and other Authentication Scenarios

• Mixed Mode vs. Multi-Authentication

Page 5: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Extranet - Definition

• A web application that is shared with external users, such as partners, vendors, and customers

• Common attributes for an extranet:
  – Shares a private network or secured network
  – Requires authenticated access, but the identity of the consumer is not always known
  – Has better security controls than an Internet web application but is usually less secure than the intranet

Page 6: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Common Extranet Scenarios

• Scenario types: Line of Business Applications, Collaboration, Static Content or Publishing

• Audiences: Remote Employees, Partners, Vendors & Customers

• Access requirements:
  – Isolate and segregate internal data.
  – Authorize users to use only the sites and data that are necessary for their contributions.
  – Restrict partners from viewing other partners’ data.
  – Target content: segment content and limit content access and search results based on audience.

Page 7: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Extranet Design Considerations & Challenges

• Network Topology and Access

• Identity Management – Seamless Single Sign-on Experience

• Content Security and Access

• Antivirus
  – Client
  – Server

• Rich Client Experience (Office Integration)

Page 8: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Edge Firewall Topology

Page 9: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Back-to-Back Perimeter Topology

Page 10: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Split Back-to-Back Topology

Page 11: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Security Terms

• Authentication is the mechanism whereby systems may securely identify their users
  – Creates an identity for a security principal
  – Who am I?

• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
  – Determines what resources an identity has access to
  – What can I access?

Page 12: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

SharePoint Authentication

• SharePoint does not authenticate
  – Windows authentication via Windows Server and IIS (Kerberos/NTLM)
  – FBA via ASP.NET and authentication providers (SQL, LDAP, etc.)
  – Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems

• SharePoint creates user profiles
  – The SPUser object represents the security principal
  – The hidden User Information List in each site collection tracks the users who have been granted access there

Page 13: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

SharePoint 2010 Security

• SharePoint 2010 changes authentication
  – Uses classic mode and claims-based authentication
  – Classic mode is the SharePoint 2007-style legacy mode
  – Claims-based authentication is the new security model

• What are the benefits?
  – Claims decouples SharePoint from the authentication provider
  – Allows SharePoint to support multiple authentication providers per URL
  – Identities can be passed without Kerberos delegation
  – Allows federation between organizations
  – ACLs can be configured with DLs, Audiences and OUs

Page 14: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Identity Normalization

Page 15: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Claims-Based Terminology

• Identity: security principal used to configure the security policy

• Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.)

• Security Token: serialized set of claims (assertions) about an authenticated user.

Page 16: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Claim-based Authentication

• Security Token Service (STS): builds, signs and issues security tokens. It can receive and submit tokens.

• Issuing Authority: identity management system(s) that “knows” the claims (AD, ASP.NET, LiveID, etc.)

• Identity Provider: trusted party that creates and submits claims

• Relying Party: application that makes authorization decisions based on received claims

Page 17: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Claim-based Authentication

Page 18: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Claim-based Authentication

Page 19: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Mixed Mode Authentication vs Multi-Authentication

[Diagram: two panels, "Mixed Authentication" and "Multi-Authentication". Each shows one SharePoint farm with a web application extended into the zones Default, Intranet, Internet, Extranet and Custom.]

Mixed Authentication (one provider per zone): the web application is extended once per zone, and each extended web application carries a single authentication method, for example
  Zone: Default – Windows Authentication
  Another zone – FBA Authentication
  ...

Multi-Authentication (several providers in one zone): a single claims-based web application accepts more than one provider at the same URL, for example
  Zone: Default – Windows Authentication, FBA Authentication, SAML Based Authentication
  Another zone – FBA Authentication, Windows Authentication
  ...

Page 20: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Auth Scenarios - Mixed Mode


Page 21: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Authentication Scenarios Mixed Mode: When to Use It

Page 22: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Auth Scenarios - Multi Authentication


Page 23: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Authentication Scenarios Multi Authentication: When to Use It

Page 24: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Authentication Scenarios Multi Authentication & Mixed Mode

Page 25: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

FBA Claims Configuration

1. Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe to create the ASP.NET membership and role database (aspnetdb) that the SQL providers point to

2. Enable Claims Based Authentication on the Web Application via Central Administration

3. Modify web.config for the FBA Web Application

4. Modify web.config for Central Administration

Page 26: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

FBA Claims Configuration

5. Modify web.config for the Security Token Service
   – %programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken
   – Changes need to be made to the Security Token Service virtual directory on each server hosting Central Administration or the claims-based web application

6. Configure the FBA Provider (membership and role provider names) in Central Administration

7. Create a Web Application Policy to give the SQL-authenticated user(s) access to the site
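The zone layout from page 19 (mixed mode vs. multi-authentication) and steps 2, 6 and 7 above, scripted in the SharePoint 2010 Management Shell. This is an added example, not code from the deck: the two URLs, the user name jdoe and the choice of Full Read for that user are assumptions, and the provider names match the web.config fragments on the following pages. Steps 1 and 3-5 (aspnet_regsql.exe and the three web.config edits) still have to be done first, because the FBA authentication provider registered here only refers to the ASP.NET providers by name.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values (not from the slides); provider names match the web.config pages
$webAppUrl    = "https://portal.contoso.com"
$extranetUrl  = "https://extranet.contoso.com"
$membership   = "SQL-MembershipProvider"
$roleProvider = "SQL-RoleManager"

$wa = Get-SPWebApplication $webAppUrl

# Step 2: switch the web application to claims. This is one-way in SharePoint 2010
# (a claims web app cannot go back to classic mode), so back up the content DB first.
if (-not $wa.UseClaimsAuthentication) {
    $wa.UseClaimsAuthentication = $true
    $wa.Update()
    $wa.MigrateUsers($true)      # rewrite existing DOMAIN\user principals to claims form (i:0#.w|domain\user)
    $wa.ProvisionGlobally()
}

# Step 6, multi-authentication: one zone, two providers at the same URL.
$windows = New-SPAuthenticationProvider                       # Windows (NTLM) claims provider
$fba     = New-SPAuthenticationProvider -ASPNETMembershipProvider $membership `
                                        -ASPNETRoleProviderName $roleProvider
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $fba

# Mixed-mode alternative from page 19: extend the same web app into the Extranet zone
# with FBA only, so partners on the extranet URL never get an NTLM prompt.
$wa = Get-SPWebApplication $webAppUrl
if (-not $wa.IisSettings.ContainsKey([Microsoft.SharePoint.Administration.SPUrlZone]::Extranet)) {
    New-SPWebApplicationExtension -Identity $wa -Name "Contoso Extranet" -Zone Extranet `
        -Url $extranetUrl -Port 443 -SecureSocketsLayer -AuthenticationProvider $fba
}

# Step 7: web application policy for one FBA user. Claims users are addressed by the
# encoded claim "i:0#.f|<membership provider>|<user name>" (provider name appears in lowercase).
$wa     = Get-SPWebApplication $webAppUrl
$claim  = New-SPClaimsPrincipal -Identity "i:0#.f|$($membership.ToLower())|jdoe" -IdentityType EncodedClaim
$policy = $wa.Policies.Add($claim.ToEncodedString(), "jdoe (FBA)")
$fullRead = $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
$policy.PolicyRoleBindings.Add($fullRead)
$wa.Update()

# Check: which providers each zone accepts, and who holds a web application policy
foreach ($zone in $wa.IisSettings.Keys) {
    $providers = ($wa.IisSettings[$zone].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join ", "
    "{0,-10} {1}" -f $zone, $providers
}
$wa.Policies | Format-Table UserName, DisplayName -AutoSize
```

Run it once per farm, as a farm administrator, from a server that hosts Central Administration. Two things to keep in mind: the claims switch cannot be reverted, and configuring two providers on one zone makes SharePoint show a sign-in selection page at that URL, which is exactly the difference the page 19 diagram draws against extending into a separate zone.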

Page 27: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Claims Configuration

Page 28: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

FBA Claims Configuration

Web Application web.config

<system.web>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </roleManager>
  <membership defaultProvider="i">
    <providers>
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </membership>
</system.web>

Page 29: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

FBA Claims Configuration

Central Admin Web.config

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">

<providers>

<add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</roleManager>

<membership defaultProvider="SQL-MembershipProvider">

<providers>

<add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</membership>

Page 30: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

FBA Claims Configuration

Security Token Service web.config (the file from step 5; this is the SharePoint STS, not the Secure Store Service)

<connectionStrings>
  <add name="SQLConnectionString" connectionString="Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=aspnetdb;Data Source=.\sharepoint" />
</connectionStrings>

<system.web>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </roleManager>
  <membership defaultProvider="i">
    <providers>
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </membership>
</system.web>
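A check over the three web.config files edited in steps 3-5, added here as an example and not part of the deck. The paths of the web application and Central Administration sites are assumptions (the CA port is hypothetical); the STS path is the one from step 5. It confirms that each file registers SQL-MembershipProvider and SQL-RoleManager against SQLConnectionString, that the web application's default membership provider is the SharePoint claims provider, and flags the membership settings a reviewer looks at first: reversible password storage, password retrieval, role caching in the cookie, and a SQL password embedded in the connection string.

```powershell
# Added example. Paths for the web application and Central Administration are assumed
# (port 2010 for CA is hypothetical); the STS path is the one named in step 5.
$configs = @{
    "Web application"        = "C:\inetpub\wwwroot\wss\VirtualDirectories\443\web.config"
    "Central Administration" = "C:\inetpub\wwwroot\wss\VirtualDirectories\2010\web.config"
    "Security Token Service" = Join-Path $env:ProgramFiles "Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"
}
$membershipName       = "SQL-MembershipProvider"
$roleName             = "SQL-RoleManager"
$claimsMembershipType = "Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider"

function Test-FbaWebConfig {
    param([string]$Label, [string]$Path, [switch]$RequireClaimsDefault)
    if (-not (Test-Path $Path)) { return "$Label : file not found: $Path" }
    [xml]$cfg = Get-Content -Path $Path
    $findings = @()

    # Connection string: must exist, and should rely on the app pool identity, not a stored password
    $cs = $cfg.SelectSingleNode("//connectionStrings/add[@name='SQLConnectionString']")
    if (-not $cs) { $findings += "SQLConnectionString not defined" }
    elseif ($cs.connectionString -match "(?i)password=") {
        $findings += "SQL password embedded in connection string (use Integrated Security and grant the app pool identity access to aspnetdb)"
    }

    # Membership provider: registered, hashed passwords, no retrieval
    $mem = $cfg.SelectSingleNode("//system.web/membership/providers/add[@name='$membershipName']")
    if (-not $mem) { $findings += "$membershipName not registered" }
    else {
        if ($mem.passwordFormat -and $mem.passwordFormat -ne "Hashed") { $findings += "passwordFormat=$($mem.passwordFormat) (passwords recoverable; expected Hashed)" }
        if ($mem.enablePasswordRetrieval -eq "true") { $findings += "enablePasswordRetrieval=true" }
        if ($mem.requiresUniqueEmail -ne "true")     { $findings += "requiresUniqueEmail is not true" }
    }

    # Role manager: enabled, SQL role provider registered, roles not cached client-side
    $rm = $cfg.SelectSingleNode("//system.web/roleManager")
    if (-not $rm -or $rm.enabled -ne "true") { $findings += "roleManager missing or disabled" }
    elseif ($rm.cacheRolesInCookie -eq "true") { $findings += "cacheRolesInCookie=true (role membership cached in the client cookie)" }
    if (-not $cfg.SelectSingleNode("//system.web/roleManager/providers/add[@name='$roleName']")) { $findings += "$roleName not registered" }

    # Web application only: the default membership provider must be SharePoint's claims provider
    if ($RequireClaimsDefault) {
        $default = $cfg.SelectSingleNode("//system.web/membership").defaultProvider
        $defNode = $cfg.SelectSingleNode("//system.web/membership/providers/add[@name='$default']")
        if (-not $defNode -or $defNode.type -notlike "$claimsMembershipType*") {
            $findings += "default membership provider '$default' is not $claimsMembershipType (claims sign-in will break)"
        }
    }

    if ($findings.Count -eq 0) { "$Label : OK" } else { "$Label :`n  - " + ($findings -join "`n  - ") }
}

Test-FbaWebConfig -Label "Web application"        -Path $configs["Web application"] -RequireClaimsDefault
Test-FbaWebConfig -Label "Central Administration" -Path $configs["Central Administration"]
Test-FbaWebConfig -Label "Security Token Service" -Path $configs["Security Token Service"]
```

Run it on every server that hosts Central Administration or the claims web application, since step 5 notes the STS file exists per server; a provider missing from any one STS copy shows up as users who can sign in on one front end but fail People Picker resolution on another.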

Page 31: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Claims Configuration

Page 32: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Claims Configuration

Page 33: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Claims Configuration

Page 34: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Claims Configuration

Page 35: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Claims Configuration

Page 37: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Issues using Claims Authentication

• Some issues have been reported with InfoPath Forms Services, PowerPivot and PerformancePoint Services

• Project Server is reported not to create new sites on a claims-based authentication web application, though no documented reference for this was found

Page 38: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication


Thanks to Our Other Sponsors!

Page 39: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Questions

Page 40: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Brian Culver, MCM

Twitter:

@spbrianculver

E-mail:

[email protected]

Blog:

spbrian.blogspot.com

Page 41: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication


Session Evaluation

Please complete and turn in your Session Evaluation Form so we can improve future events. The survey can be filled out at:

http://app.fluidsurveys.com/surveys/spstc2011-

and add the Session number to the URL

Presenter: Brian Culver

Session Name: SharePoint 2010 Extranets and Authentication: How will SharePoint Connect you to your Partners?

Session No.: Sat-S5A-101

Page 42: SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication

Useful Links

• SharePoint 2010 FBA User Management

• SharePoint 2010 Forms Based Authentication Configuration Manager
  http://blogs.technet.com/b/speschka/archive/2010/07/28/sharepoint-2010-forms-based-authentication-configuration-manager.aspx

• SharePoint 2010: transparent login with mixed authentication
  http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx

• Steve Peschka’s articles on Forms Authentication
  » Forms Authentication in SharePoint Products and Technologies (Part 1): Introduction
  » Forms Authentication in SharePoint Products and Technologies (Part 2): Membership and Role Provider Samples
  » Forms Authentication in SharePoint Products and Technologies (Part 3): Forms Authentication vs. Windows Authentication