Microsoft Office Share Point Server 2007 Advanced Authentication - HOL412

  • 7/31/2019 Microsoft Office Share Point Server 2007 Advanced Authentication - HOL412

    Hands-on Lab Overview

    1. Introduction

    HOL412: Microsoft Office SharePoint Server 2007 Advanced Authentication

    2. Technologies Highlighted

    Microsoft Office SharePoint Server 2007

    3. Audience

    ITPro 400 level

    4. Scenario

    Learn more about the available authentication methods and protocols, including Form-based authentication, Kerberos, SharePoint Single Sign-on, and configuration of additional ASP.NET authentication providers.

    5. Purpose of Hands-on Lab

    The objective of this lab is to provide a walkthrough of authentication methods and capabilities in Microsoft Windows SharePoint

    Services 3.0 and Microsoft Office SharePoint Server 2007.

    Authentication Provider Overview

    Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 can utilize ASP.NET membership providers for authentication and user management purposes. This functionality allows administrators to easily configure their deployments to use non-Windows authentication. In addition to membership providers, role providers can also be defined. Roles allow users to be grouped and can be used in the same manner as Windows domain groups within SharePoint Products and Technologies.

    SqlMembershipProvider and SqlRoleProvider can be used to manage user and role data from a SQL server. ActiveDirectoryMembershipProvider and ActiveDirectoryRoleProvider are used in conjunction with Windows Active Directory.

    LDAPMembershipProvider and LDAPRoleProvider can be used with any Lightweight Directory Access Protocol (LDAP) source including Active Directory. The LDAP providers allow for a more precise definition of LDAP groups than the Active Directory providers allow.

    The LDAP providers are defined in the Microsoft.Office.Server assembly, so they are only available with Office SharePoint Server 2007.

    The SQL and Active Directory providers are defined in the .NET framework and can be used in both Windows SharePoint Services 3.0 and Office SharePoint Server 2007.

    In addition to these and other pre-defined membership and role providers, you can create your own custom membership and role providers

    using the .NET 2.0 membership framework API.

    For more information about membership providers, visit http://msdn2.microsoft.com/en-us/library/tw292whz.aspx.

    Hands-on Lab

    Discussion Points Actions taken

    Exercise 1 Configuring SharePoint to use Kerberos Authentication

    Windows Integrated Security (a.k.a. NTLM) user credentials are not automatically passed between servers upon request. As a result, the first request between servers (i.e. a SharePoint front-end server to an Excel Services server) fails. The requesting server will then resend the request with user credentials. This results in a double hop for every request.

    Kerberos protocol automatically sends user credentials with requests, thereby

    avoiding the double hop and improving performance. When a user is

    authenticated using Kerberos, the server sends a ticket to the user machine.

    This ticket is then included with each subsequent request to the server.

    Each client and server must be configured as trusted in Active Directory for

    Kerberos to work properly.

    In addition to performance benefits, Kerberos authentication or anonymous

    access must be used in order for RSS Viewer Web Parts pulling from

    SharePoint lists or libraries to work correctly.

    For more information about using Kerberos in SharePoint, see

    http://support.microsoft.com/kb/832769

    After the server finishes warming up, we first verify that the RSS Viewer Web Part does not work with NTLM authentication. We then add a Service Principal Name (SPN) for the application pool (litwareinc\administrator) user with the setspn.exe command line utility.

    In a production environment, the server farm's services (i.e. Excel Services, Search, etc.) may be running under different domain accounts. In this scenario, the SPN will need to be set on each additional domain account.

    For more information about configuring SPNs consult this web-site:

    http://msdn2.microsoft.com/en-us/library/ms942980.aspx

    Login using the following credentials:

    o Username: administrator

    o Password: pass@word1

    o Log on to: LITWAREINC

    Wait for the Warmup Script to complete and the popup window to close.

    In Internet Explorer, navigate to the site: http://auth.litwareinc.com

    o Notice the RSS Viewer web part is showing the error "The RSS webpart does not support authenticated feeds."

    Open a command prompt by using Start -> Command Prompt

    Switch directories to c:\Program Files\Support Tools by typing the following

    o cd \Program Files\Support Tools

    Add a Service Principal Name for the administrator user (which the app pool

    is running as) for the auth.litwareinc.com web application.

    o setspn -A http/auth.litwareinc.com administrator

    o The usage for this command is

    setspn -A [protocol]/[fully qualified domain name] [username]

    We will now set the delegation trust for the administrator account. As with adding SPNs, this step would need to be repeated for each service account used within the farm.

    Note: If this SharePoint farm deployment consisted of multiple servers, we would need to configure each server in the farm as trusted by doing the following:

    Open Active Directory Users and Computers using Start ->

    Administrative Tools -> Active Directory Users and Computers

    Select Computers in the left tree

    Right click the name of the front-end IIS server in the computers list and

    select Properties

    Click the Delegation tab

    Select Trust this computer for delegation to any service (Kerberos

    only)

    Click OK to close the Properties dialog

    Repeat this process for each server in the farm (i.e. front-end IIS server,

    SQL server, etc.)

    Open Active Directory Users and Computers using Start ->

    Administrative Tools -> Active Directory Users and Computers

    Select Users in the left tree

    Right click Administrator in the users list and select Properties

    Click the Delegation tab

    Select Trust this user for delegation to any service (Kerberos only)

    Click OK to close the Properties dialog

    Configure the auth.litwareinc.com web application to use Kerberos

    authentication within SharePoint Central Administration.

    Open SharePoint Central Administration using Start -> SharePoint 3.0

    Central Administration

    Click on Application Management in the Quick Launch bar

    Under Application Security click Authentication providers

    If the Web Application is not set to http://auth.litwareinc.com, click on the name of the currently selected web application and select Change Web Application

    In the Select Web Application window, click the auth.litwareinc.com link on

    the left side

    After the Web Application dialog closes, click on the Default link in the Zone

    column

    On the Edit Authentication page, in the IIS Authentication Settings section select Negotiate (Kerberos)

    Click the OK button in the prompt

    Click the OK button to save settings

    Validate that our changes to http://auth.litwareinc.com worked.

    In Internet Explorer, navigate to the http://auth.litwareinc.com site.

    The RSS Viewer web part is now working properly.

    Exercise 2 Forms Based Authentication

    In the first portion of this exercise we will configure the auth.litwareinc.com web application to use SQL membership and role providers. Afterwards we will configure the same web application to use LDAP membership and role providers.

    First we will configure a web application to use forms-based authentication with

    a SQL provider.

    Creating a SQL membership provider database is out of the scope of this lab and will not be detailed. The SQL membership provider database used in this lab was created using the aspnetdb database which can be created using the aspnet_regsql command-line utility (http://msdn2.microsoft.com/en-us/library/ms229862(vs.80).aspx). After the aspnetdb is created, you will need to add users to the database (http://msdn2.microsoft.com/en-us/library/879kf95c(VS.80).aspx).

    Membership and role providers must be added to a web application by manually editing the web application's web.config file.

    Note: While reading through the web.config node explanations in this

    document, remember that SharePoint web application configurations work the

    same as ASP.NET web application configurations in that configurations

    defined in machine.config are automatically inherited into all web applications.

    Start Visual Studio 2005 using Start -> Microsoft Visual Studio 2005

    Open the Open File dialog by using File -> Open -> File

    Navigate to C:\Inetpub\wwwroot\wss\VirtualDirectories\auth.litwareinc.com80

    Select web.config and click the Open button

    Add the connectionStrings node

    o Hit CTRL+F, type

    o Move the cursor to the end of the line and hit Enter

    o Right click on the new line and select Insert Snippet

    o Double click AdvAuth

    o Double click SQL connectionStrings Node

    connectionStrings node - The connectionStrings node specifies the database connection strings available for a web application.

    o add node - The inner add node adds a connection string to the available connection strings.

        name attribute - The name attribute is used to reference a connection string throughout the web application.

        connectionString attribute - The connectionString attribute specifies the actual connection string for connecting to the database. This example points to the aspnetdb database within the MOSS SQL server and is trusted.

    Add the membership node

    o After the connectionStrings closing tag (</connectionStrings>), there is the system.web opening tag (<system.web>). Move your cursor to the end of the line with the opening system.web tag and hit Enter

    o Right click on the new line and select Insert Snippet

    o Double click AdvAuth

    o Double click SQL membership Node (auth.litwareinc.com)

    The membership node should now be the last node in the system.web node

    membership node - The membership node defines all of the membership providers available in the web application.

    o defaultProvider attribute - The default membership provider for the web application in case there are multiple defined.

    o providers node - Contains the membership providers available for this web application.

        remove node - removes providers from the web application. Providers must be removed before they are added to ensure that they are not added multiple times.

            name attribute - the name of the membership provider to remove. In this example, the AspNetSqlMembershipProvider is removed, the same provider that is added with the next node.

        add node - adds a provider to the web application.

            name attribute - the name attribute is used to reference the provider throughout the application.

            connectionStringName attribute - sets what connection string the membership provider will use. The value of AspNetSqlProvider points to the connection string added earlier.

            type attribute - the full class name of the .NET membership provider.

    For more information about the membership node and its child nodes consult this website: http://msdn2.microsoft.com/en-us/library/1b9hw62f.aspx.

    Add the roleManager node

    o Move the cursor after and hit Enter

    o Right click on the new line and select Insert Snippet

    o Double click AdvAuth

    o Double click SQL roleManager Node (auth.litwareinc.com)

    The roleManager node should now be the last node in the system.web node

    roleManager node - The roleManager node defines all of the role providers available in the web application.

    o defaultProvider attribute - The default role provider for the web application in case there are multiple defined.

    o providers node - Contains the role providers available for this web application.

        remove node - removes providers from the web application. Providers must be removed before they are added to ensure that they are not added multiple times.

            name attribute - the name of the role provider to remove. In this example, the AspNetSqlRoleProvider is removed, the same provider that is added with the next node.

        add node - adds a provider to the web application.

            name attribute - the name attribute is used to reference the provider throughout the application.

            connectionStringName attribute - sets what connection string the role provider will use. The value of AspNetSqlProvider points to the connection string added earlier.

            type attribute - the full class name of the .NET role provider.

    For more information about the roleManager node and its child nodes consult this website: http://msdn2.microsoft.com/en-us/library/ms164660.aspx.

    Save the file by using File | Save

    Modify the web.config of the SharePoint Central Administration web application

    so that it can use the SQL membership provider to resolve users within the

    administration user interface.

    In Visual Studio 2005 open the Open File dialog by using File -> Open File

    Navigate to C:\Inetpub\wwwroot\wss\VirtualDirectories\27708

    Select web.config and click the OK button

    Add the connectionStrings node

    o Hit CTRL+F, type

    o Move the cursor to the end of the line and hit Enter

    o Right click on the new line and select Insert Snippet

    o Double click AdvAuth

    o Double click SQL connectionStrings Node

    Replace the membership node

    o There is already an existing membership node defining another membership provider for the Central Administration web application, so we will replace the existing node with a new one containing both the existing one and the SQL membership provider.

    o Hit CTRL+F, type

    o Select entire membership node

    o Hit the Delete button

    o Right click on the new line where the member node was and select Insert Snippet

    o Double click AdvAuth

    o Double click SQL membership Node (Central Administration)

    You will notice that no defaultProvider attribute exists in this membership node. We want to be able to resolve usernames for the SQL membership provider but we still want to retain the Windows membership provider for the Central Administration web application. Defining no defaultProvider attribute will default the web application to the Windows membership provider. A remove node specifies to remove the membership provider with the name corresponding to the name attribute. It is important that you declare these to prevent duplication of membership providers and avoid errors. The Partners membership provider will be discussed later in this exercise.

    Replace the roleManager node

    o Move the cursor after the new membership node; there is an existing roleManager node

    o Select the entire roleManager node

    o Right click on the new line where the member node was and

    select Insert Snippet

    o Double click AdvAuth

    o Double click SQL roleManager Node (Central Administration)

    The roleManager node follows the same logic as the membership node. We

    want to resolve roles for the SQL role provider, but we want to retain the

    Windows roles in the Central Administration web application. Again, defining

    no defaultProvider attribute will default the web application to the Windows

    role provider. The PartnerRoles role provider will be discussed later in this

    exercise.

    Save the file by using File | Save

    Configure auth.litwareinc.com with forms-based authentication using the SQL

    providers we defined in the web.config.

    Open the SharePoint Central Administration web site in Internet Explorer

    using Start -> SharePoint 3.0 Central Administration

    Click the Application Management tab in the top navigation area

    Under Application Security, click Authentication providers

    If the Web Application is not set to http://auth.litwareinc.com, click on the name of the currently selected web application and select Change Web Application

    In the Select Web Application window, click the auth.litwareinc.com link on

    the left side

    After the Web Application dialog closes, click on the Default link in the Zone

    column

    On the Edit Authentication page, enter the following

    o Authentication Type: Forms

    o Membership provider name: AspNetSqlMembershipProvider

    This value corresponds to the name attribute defined in

    the SQL membership node in the web.config of

    auth.litwareinc.com and Central Administration.

    o Role manager name: AspNetSqlRoleProvider

    This value corresponds to the name attribute defined in

    the SQL roleManager node in the web.config of

    auth.litwareinc.com and Central Administration.

    Click Save button

    A user from the SQL membership provider must be set as the primary site administrator, so that the site can be accessed.

    Click the Application Management tab in the top navigation area

    Under SharePoint Site Management, click the Site collection administrators link

    If Site collection is not set to http://auth.litwareinc.com

    o Click on the site collection currently selected and select Change Site Collection

    o Click on the name of the currently selected web application and select Change Web Application

    o In the Select Web Application window, click on the

    auth.litwareinc.com link in the left column

    o After the Select Web Application window closes, click OK to close the Select Site Collection window

    After the Site Collection Administrator page refreshes with the values of auth.litwareinc.com, you will notice that LITWAREINC\administrator can no longer be resolved. It is no longer valid since the membership provider of the web application has been changed and the domain username is not recognized.

    In the Primary site collection administrator textbox click on

    LITWAREINC\administrator and select Remove

    In the Primary site collection administrator textbox, type sqladministrator

    Click the Check Names button (image with person and check mark) to resolve the name. After the name is resolved it will be underlined. When SharePoint resolves these names it looks for an exact match for the entered username within the web application's available providers. When it does resolve them it actually stores the username as provider name + ":" + user name in case the web application has multiple providers. So in this example, it would be AspNetSqlMembershipProvider:sqladministrator.

    Click OK button

    Reset IIS using Start -> Run, and typing iisreset

    Log in to the site

    In Internet Explorer, go to the address http://auth.litwareinc.com

    Fill out the Sign In page as follows

    o User name: sqladministrator

    o Password: pass@word1

    Click Sign In

    After you are authorized and redirected to the default page of the site, notice the ProtocolError message in the RSS Viewer web part now that the web application no longer uses Kerberos authentication.

    A role can be used in much the same manner as a domain group within

    SharePoint. Adding a role to a site will add all the members of the role to the

    site.

    We will now add the group Suppliers to the site and then log in as sql_brianc, a member of the Suppliers group.

    In the Quick Launch bar, click People and Groups

    Click on the New menu and select Add Users

    In the Users/Groups text area, type Suppliers and click the Check Names

    button

    After the name is resolved, leave the rest of the input controls with their

    default values, and click the OK button to add the group and close the page

    Click on the Welcome sqladministrator menu and select Sign in as Different User

    After the page refreshes to the Sign In page, enter the following values

    o User name: sql_brianc

    o Password: pass@word1

    Click Sign In

    When we opened the web.config of the Central Administration web application earlier, there were existing membership and roleManager nodes which were retained when we edited the file. Partners and PartnerRoles are LDAP membership and role providers. Since we retained these definitions earlier we will not have to edit Central Administration's web.config this time.

    We will now modify the web.config of auth.litwareinc.com to include the LDAP

    providers.

    In Visual Studio 2005 open C:\Inetpub\wwwroot\wss\VirtualDirectories\auth.litwareinc.com80\web.config.

    We are going to replace the existing membership and roleManager nodes and not retain the SQL providers we added earlier as they are no longer needed. We will not add or modify a connectionString for the LDAP providers because they do not require a connection to SQL. The connectionStrings node added earlier can be deleted from the file but leaving it will not affect the web application.

    Replace the membership node

    o There is already an existing membership node defining another membership provider for the Central Administration web application, so we will replace the existing node with a new one containing both the existing one and the SQL membership provider.

    o Hit CTRL+F, type

    o Select entire membership node

    o Hit the Delete button

    o Right click on the new line where the member node was and select Insert Snippet

    o Double click AdvAuth

    o Double click LDAP membership Node (auth.litwareinc.com)

    The child add node of the membership node has several attributes that differ from those used for the SQL provider earlier and are needed for the LDAP provider.

    o server attribute - name of the LDAP server

    o port attribute - port number that LDAP is running on, the default is 389

    o useSSL attribute - whether to use SSL (https) when accessing the LDAP server

    o userDNAttribute attribute - the distinguished name property of the user object class

    o userNameAttribute attribute - the username property of the user object class

    o userContainer attribute - LDAP path to search for users

    o userObjectClass attribute - the type of LDAP class that describes a user

    o userFilter attribute - LDAP filter that is used to remove results from a user query

    o scope attribute - the starting point of an LDAP query. There are three options.

        Base - searches the specified base DN only.

        One - searches entries one level below the specified base DN. Does not include base DN.

        Subtree - searches all entries of the specified base DN and all levels below

    o otherRequiredUserAttributes attribute - any other non specified essential LDAP attributes

    Replace the roleManager node

    o Move the cursor after the new membership node; there is an existing roleManager node

    o Select the entire roleManager node

    o Right click on the new line where the member node was and

    select Insert Snippet

    o Double click AdvAuth

    o Double click LDAP roleManager Node (auth.litwareinc.com)

    The child add node of the roleManager node also contains attributes that are unique to the LDAP role provider.

    o groupContainer attribute - LDAP path to search for groups

    o groupNameAttribute attribute - the group name property of the group object class

    o groupMemberAttribute attribute - value which specifies the property of the group object that lists all of the members in a group

    o userNameAttribute attribute - the username property of the group object class

    o dnAttribute attribute - the distinguished name property of the group object class

    o groupFilter attribute - LDAP filter that is used to remove results from a group query

    Save the file by using File | Save
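
    The connectionStrings, membership and roleManager nodes described above for the SQL and LDAP providers, shown as an added example (not the lab's AdvAuth snippets, which this page does not reproduce) together with a small Python check. It flags an add node with no preceding remove, a connectionStringName that is not defined in the file, and an LDAP provider with useSSL off. The host names, containers, attribute values and assembly-qualified type strings in the sample are assumptions, not values from the lab.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the Central Administration web.config the lab
# describes (SQL and LDAP providers side by side, no defaultProvider). Provider and
# connection-string names are the lab's; hosts, containers and type strings are
# assumptions. Deliberate defects: "Partners" has no <remove> and binds without
# SSL, and the role provider's connectionStringName is misspelled.
SAMPLE_WEB_CONFIG = """
<configuration>
  <connectionStrings>
    <add name="AspNetSqlProvider"
         connectionString="server=SQL-PLACEHOLDER;database=aspnetdb;Trusted_Connection=True" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <remove name="AspNetSqlMembershipProvider" />
        <add name="AspNetSqlMembershipProvider" connectionStringName="AspNetSqlProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="Partners" server="dc.example.test" port="389" useSSL="false"
             userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
             userContainer="CN=Users,DC=example,DC=test" userObjectClass="person"
             userFilter="(ObjectClass=person)" scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <remove name="AspNetSqlRoleProvider" />
        <add name="AspNetSqlRoleProvider" connectionStringName="AspNetSqlProvidr"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <remove name="PartnerRoles" />
        <add name="PartnerRoles" server="dc.example.test" port="636" useSSL="true"
             groupContainer="CN=Users,DC=example,DC=test" groupNameAttribute="cn"
             groupMemberAttribute="member" userNameAttribute="sAMAccountName"
             dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree"
             type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
"""


def audit(config_xml):
    """Return (section, name, issue) tuples for one web.config document."""
    root = ET.fromstring(config_xml)
    conn_strings = {a.get("name"): a.get("connectionString", "")
                    for a in root.findall("./connectionStrings/add")}
    findings = []
    # The lab's connection string is trusted (integrated security); a SQL login
    # embedded here would be readable by anyone who can read web.config.
    for name, value in conn_strings.items():
        lowered = value.lower().replace(" ", "")
        if "password=" in lowered or "pwd=" in lowered:
            findings.append(("connectionStrings", name, "embedded-password"))
    for section in ("membership", "roleManager"):
        node = root.find("./system.web/" + section)
        if node is None:
            continue
        removed, added = set(), []
        for child in node.findall("./providers/*"):  # document order matters
            name = child.get("name")
            if child.tag == "remove":
                removed.add(name)
                continue
            if child.tag != "add":
                continue
            added.append(name)
            # "Providers must be removed before they are added."
            if name not in removed:
                findings.append((section, name, "missing-remove"))
            ref = child.get("connectionStringName")
            if ref is not None and ref not in conn_strings:
                findings.append((section, name, "unknown-connection-string"))
            # An absent useSSL is treated as "not enabled" (assumption).
            is_ldap = ".LDAP" in child.get("type", "")
            if is_ldap and child.get("useSSL", "").lower() != "true":
                findings.append((section, name, "ldap-no-ssl"))
        default = node.get("defaultProvider")
        if default is not None and default not in added:
            findings.append((section, default, "unknown-default-provider"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_CONFIG):
        print(finding)
```

    Names inherited from machine.config are not visible to this check, so an unknown-connection-string or unknown-default-provider finding may refer to something defined there.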

    We will change the authentication providers of auth.litwareinc.com in Central

    Administration.

    Open up Central Administration by using Start | SharePoint 3.0 Central

    Administration

    Click the Application Management tab in the top navigation area

    Under Application Security, click Authentication Providers

    Change the Web Application to auth.litwareinc.com if it is not already set

    Click the Default link in the Zone column

    Enter the following values

    o Membership provider name: Partners

    o Role manager name: PartnerRoles

    o Leave the default values in the rest of the forms controls

    Click OK button

    We will now set the administrator for the root site collection of auth.litwareinc.com to a user of the LDAP directory that is specified by the Partners membership provider.

    Click the Application Management tab in the top navigation area

    Under SharePoint Site Management, click Site collection administrators

    Change the site collection to http://auth.litwareinc.com

    In the Primary site collection administrator textbox, right click on aspnetsqlmembershipprovider:sqladministrator and select Remove

    In the Primary site collection administrator textbox, type Administrator and click the Check Names button

    Click OK button

    Reset IIS using Start -> Run, and typing iisreset

    Now log in as the Administrator user of the Partners membership provider.

    In Internet Explorer navigate to http://auth.litwareinc.com

    On the Sign In page, enter the following

    o User name: Administrator

    o Password: pass@word1

    Click on the People and Groups link in the Quick Launch bar

    On the People and Groups page, notice that the Suppliers group is still a member of the site. You must manually remove any site members that were added using an old membership provider.

    Conclusion

    I. Conclusion

    In this lab, you learned how to configure Kerberos authentication on a SharePoint web application. You also learned how to configure a web application to use form authentication using two different types of authentication providers, SqlMembershipProvider and LDAPMembershipProvider, and their corresponding role providers.
