7/31/2019 Microsoft Office Share Point Server 2007 Advanced Authentication - HOL412
1/22
Hands-on Lab Overview
1. Introduction
HOL412: Microsoft Office SharePoint Server 2007 Advanced Authentication
2. Technologies Highlighted
Microsoft Office SharePoint Server 2007
3. Audience
ITPro 400 level
4. Scenario
Learn more about the available authentication methods and protocols, including forms-based authentication, Kerberos, SharePoint Single
Sign-on, and configuration of additional ASP.NET authentication providers.
5. Purpose of Hands-on Lab
The objective of this lab is to provide a walkthrough of authentication methods and capabilities in Microsoft Windows SharePoint
Services 3.0 and Microsoft Office SharePoint Server 2007.
Authentication Provider Overview
Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 can utilize ASP.NET membership providers for
authentication and user management purposes. This functionality allows administrators to easily configure their deployments to use non-Windows authentication. In addition to membership providers, role providers can also be defined. Roles allow users to be grouped and can be used in the same manner as Windows domain groups within SharePoint Products and Technologies.
SqlMembershipProvider and SqlRoleProvider can be used to manage user and role data from a SQL Server. ActiveDirectoryMembershipProvider and ActiveDirectoryRoleProvider are used in conjunction with Windows Active Directory.
LDAPMembershipProvider and LDAPRoleProvider can be used with any Lightweight Directory Access Protocol (LDAP) source, including Active Directory. The LDAP providers allow for a more precise definition of LDAP groups than the Active Directory providers allow.
The LDAP providers are defined in the Microsoft.Office.Server assembly, so they are only available with Office SharePoint Server 2007.
The SQL and Active Directory providers are defined in the .NET Framework and can be used in both Windows SharePoint Services 3.0 and Office SharePoint Server 2007.
In addition to these and other pre-defined membership and role providers, you can create your own custom membership and role providers
using the .NET 2.0 membership framework API.
For more information about membership providers, visit http://msdn2.microsoft.com/en-us/library/tw292whz.aspx.
Hands-on Lab
Discussion Points Actions taken
Exercise 1 Configuring SharePoint to use Kerberos Authentication
Windows Integrated Security (a.k.a. NTLM) user credentials are not automatically passed between servers upon request. As a result, the first
request between servers (i.e. a SharePoint front-end server to an Excel
Services server) fails. The requesting server will then resend the request with
user credentials. This results in a double hop for every request.
Kerberos protocol automatically sends user credentials with requests, thereby
avoiding the double hop and improving performance. When a user is
authenticated using Kerberos, the server sends a ticket to the user machine.
This ticket is then included with each subsequent request to the server.
Each client and server must be configured as trusted in Active Directory for
Kerberos to work properly.
In addition to performance benefits, Kerberos authentication or anonymous
access must be used in order for RSS Viewer Web Parts pulling from
SharePoint lists or libraries to work correctly.
For more information about using Kerberos in SharePoint, see
http://support.microsoft.com/kb/832769
After the server finishes warming up, we first verify that the RSS Viewer Web
Part does not work with NTLM authentication. We then add a Service Principal
Name (SPN) for the application pool (litwareinc\administrator) user with the setspn.exe command line utility.
In a production environment, the server farm's services (i.e. Excel Services,
Search, etc.) may be running under different domain accounts. In this
scenario, the SPN will need to be set on each additional domain account.
For more information about configuring SPNs consult this web-site:
http://msdn2.microsoft.com/en-us/library/ms942980.aspx
Login using the following credentials:
o Username: administrator
o Password: pass@word1
o Log on to: LITWAREINC
Wait for the Warmup Script to complete and the popup window to close.
In Internet Explorer, navigate to the site: http://auth.litwareinc.com
o Notice the RSS Viewer web part is showing the error The RSS
webpart does not support authenticated feeds.
Open a command prompt by using Start -> Command Prompt
Switch directories to c:\Program Files\Support Tools by typing the following
o cd \Program Files\Support Tools
Add a Service Principal Name for the administrator user (which the app pool
is running as) for the auth.litwareinc.com web application.
o setspn -A http/auth.litwareinc.com administrator
o The usage for this command is
setspn -A [protocol]/[fully qualified domain name] [username]
We will now set the delegation trust for the administrator account. As with
adding SPNs, this step would need to be repeated for each service account used
within the farm.
Note: If this SharePoint farm deployment consisted of multiple servers, we would need to configure each server in the farm as trusted by doing the
following:
Open Active Directory Users and Computers using Start ->
Administrative Tools -> Active Directory Users and Computers
Select Computers in the left tree
Right click the name of the front-end IIS server in the computers list and
select Properties
Click the Delegation tab
Select Trust this computer for delegation to any service (Kerberos
only)
Click OK to close the Properties dialog
Repeat this process for each server in the farm (i.e. front-end IIS server,
SQL server, etc.)
Open Active Directory Users and Computers using Start ->
Administrative Tools -> Active Directory Users and Computers
Select Users in the left tree
Right click Administrator in the users list and select Properties
Click the Delegation tab
Select Trust this user for delegation to any service (Kerberos only)
Click OK to close the Properties dialog
Configure the auth.litwareinc.com web application to use Kerberos
authentication within SharePoint Central Administration.
Open SharePoint Central Administration using Start -> SharePoint 3.0
Central Administration
Click on Application Management in the Quick Launch bar
Under Application Security click Authentication providers
If the Web Application is not set to http://auth.litwareinc.com, click on the name
of the currently selected web application and select Change Web Application
In the Select Web Application window, click the auth.litwareinc.com link on
the left side
After the Web Application dialog closes, click on the Default link in the Zone
column
On the Edit Authentication page, in the IIS Authentication Settings section
select Negotiate (Kerberos)
Click the OK button in the prompt
Click the OK button to save settings
Validate that our changes to http://auth.litwareinc.com worked. In Internet Explorer, navigate to the http://auth.litwareinc.com site.
The RSS Viewer web part is now working properly.
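As an added check that is not part of the lab, the following Python script classifies the SPN state of each web application from the output of setspn -L for the farm's application pool accounts: the SPN the lab registers must exist exactly once, on the account the pool runs as. The output shape, the accounts other than litwareinc\administrator and the extra SPNs are constructed assumptions.

```python
"""Sanity-check the SPNs behind SharePoint web applications before the zone
is switched to Negotiate (Kerberos). The lab registers HTTP/auth.litwareinc.com
on the application pool account with setspn -A; a missing SPN, or the same
SPN registered on two accounts, means the KDC cannot issue a service ticket,
so the browser falls back to NTLM (or fails) and the double hop returns.
"""
from urllib.parse import urlparse

# Constructed sample in the shape of `setspn -L <account>` output, one entry
# per account a farm application pool runs as. Only litwareinc\administrator
# comes from the lab; the other accounts and the extra SPN are assumptions
# chosen so that each outcome below is exercised.
SETSPN_OUTPUT = {
    "administrator": (
        "Registered ServicePrincipalNames for "
        "CN=Administrator,CN=Users,DC=litwareinc,DC=com:\n"
        "        HTTP/auth.litwareinc.com\n"
        "        HTTP/excel.litwareinc.com\n"  # stale entry: also on svc_excel
    ),
    "svc_excel": (
        "Registered ServicePrincipalNames for "
        "CN=svc_excel,CN=Users,DC=litwareinc,DC=com:\n"
        "        HTTP/excel.litwareinc.com\n"
    ),
    "svc_search": (
        "Registered ServicePrincipalNames for "
        "CN=svc_search,CN=Users,DC=litwareinc,DC=com:\n"
    ),
}


def parse_setspn(output):
    """Return the SPNs listed by setspn -L, lower-cased (SPNs are case-insensitive)."""
    return [line.strip().lower() for line in output.splitlines()
            if line.startswith((" ", "\t")) and "/" in line]


def expected_spn(url):
    """SPN a browser asks for when it opens a web application URL.

    The service class is HTTP for both http and https, and Internet
    Explorer does not put the port into the SPN by default.
    """
    return "http/" + urlparse(url).hostname.lower()


def index_spns(outputs):
    """Map each SPN to every account it is registered on."""
    index = {}
    for account, text in outputs.items():
        for spn in parse_setspn(text):
            index.setdefault(spn, []).append(account)
    return index


def check_web_app(url, app_pool_account, index):
    """Classify the SPN state for one web application: OK, MISSING,
    DUPLICATE or WRONG_ACCOUNT, with a human-readable explanation."""
    spn = expected_spn(url)
    owners = index.get(spn, [])
    if not owners:
        host = urlparse(url).hostname
        return ("MISSING", f"run: setspn -A HTTP/{host} {app_pool_account}")
    if len(owners) > 1:
        return ("DUPLICATE", f"{spn} is registered on {', '.join(owners)}; remove the stale one")
    if owners[0].lower() != app_pool_account.lower():
        return ("WRONG_ACCOUNT", f"{spn} is on {owners[0]} but the pool runs as {app_pool_account}")
    return ("OK", f"{spn} is registered once, on {owners[0]}")


if __name__ == "__main__":
    spn_index = index_spns(SETSPN_OUTPUT)
    for url, account in [("http://auth.litwareinc.com", "administrator"),
                         ("http://excel.litwareinc.com", "svc_excel"),
                         ("http://search.litwareinc.com", "svc_search")]:
        status, detail = check_web_app(url, account, spn_index)
        print(f"{status:14} {url}: {detail}")
```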
Exercise 2 Forms Based Authentication
In the first portion of this exercise we will configure the auth.litwareinc.com web
application to use SQL membership and role providers. Afterwards we will
configure the same web application to use LDAP membership and role
providers.
First we will configure a web application to use forms-based authentication with
a SQL provider.
Creating a SQL membership provider database is out of the scope of this lab
and will not be detailed. The SQL membership provider database used in this
lab was created using the aspnetdb database which can be created using the
aspnet_regsql command-line utility (http://msdn2.microsoft.com/en-
us/library/ms229862(vs.80).aspx). After the aspnetdb is created, you will need
to add users to the database (http://msdn2.microsoft.com/en-
us/library/879kf95c(VS.80).aspx).
Membership and role providers must be added to a web application by manually
editing the web application's web.config file.
Note: While reading through the web.config node explanations in this
document, remember that SharePoint web application configurations work the
same as ASP.NET web application configurations in that configurations
defined in machine.config are automatically inherited into all web applications.
Start Visual Studio 2005 using Start -> Microsoft Visual Studio 2005
Open the Open File dialog by using File -> Open -> File
Navigate to C:\Inetpub\wwwroot\wss\VirtualDirectories\auth.litwareinc.com80
Select web.config and click the Open button
Add the connectionStrings node
o Hit CTRL+F, type
o Move the cursor to the end of the line and hit Enter
o Right click on the new line and select Insert Snippet
o Double click AdvAuth
o Double click SQL connectionStrings Node
connectionStrings node - The connectionStrings node specifies the database
connection strings available for a web application.
o add node - The inner add node adds a connection string to the
available connection strings.
name attribute - The name attribute is used to reference
a connection string throughout the web application.
connectionString attribute - The connectionString
attribute specifies the actual connection string for
connecting to the database. This example points to the
aspnetdb database within the MOSS SQL server and uses a
trusted connection.
Add the membership node
o After the connectionStrings closing tag, there is the system.web opening tag.
Move your cursor to the end of the line with the opening system.web tag and
hit Enter
o Right click on the new line and select Insert Snippet
o Double click AdvAuth
o Double click SQL membership Node (auth.litwareinc.com)
The membership node should now be the last node in the system.web node
membership node - The membership node defines all of the membership
providers available in the web application.
o defaultProvider attribute - The default membership provider for
the web application in case there are multiple defined.
o providers node - Contains the membership providers available
for this web application.
remove node - removes providers from the web
application. Providers must be removed before they are
added to ensure that they are not added multiple times.
name attribute - the name of the membership
provider to remove. In this example, the
AspNetSqlMembershipProvider is removed,
the same provider that is added with the next node.
add node - adds a provider to the web application.
name attribute - the name attribute is used to
reference the provider throughout the
application.
connectionStringName attribute - sets what
connection string the membership provider will
use. The value of AspNetSqlProvider points to
the connection string added earlier.
type attribute - the full class name of the .NET
membership provider.
For more information about the membership node and its child nodes consult
this website: http://msdn2.microsoft.com/en-us/library/1b9hw62f.aspx
Add the roleManager node
o Move the cursor after and hit Enter
o Right click on the new line and select Insert Snippet
o Double click AdvAuth
o Double click SQL roleManager Node (auth.litwareinc.com)
The roleManager node should now be the last node in the system.web node
roleManager node - The roleManager node defines all of the role providers
available in the web application.
o defaultProvider attribute - The default role provider for the web
application in case there are multiple defined.
o providers node - Contains the role providers available for this web application.
remove node - removes providers from the web
application. Providers must be removed before they are
added to ensure that they are not added multiple times.
name attribute - the name of the role
provider to remove. In this example, the
AspNetSqlRoleProvider is removed, the same
provider that is added with the next node.
add node - adds a provider to the web application.
name attribute - the name attribute is used to
reference the provider throughout the
application.
connectionStringName attribute - sets what
connection string the role provider will
use. The value of AspNetSqlProvider points to
the connection string added earlier.
type attribute - the full class name of the .NET
role provider.
For more information about the roleManager node and its child nodes consult
this website: http://msdn2.microsoft.com/en-us/library/ms164660.aspx
Save the file by using File | Save
Modify the web.config of the SharePoint Central Administration web application
so that it can use the SQL membership provider to resolve users within the
administration user interface.
In Visual Studio 2005 open the Open File dialog by using File -> Open File
Navigate to C:\Inetpub\wwwroot\wss\VirtualDirectories\27708
Select web.config and click the OK button
Add the connectionStrings node
o Hit CTRL+F, type
o Move the cursor to the end of the line and hit Enter
o Right click on the new line and select Insert Snippet
o Double click AdvAuth
o Double click SQL connectionStrings Node
Replace the membership node
o There is already an existing membership node defining another
membership provider for the Central Administration web
application, so we will replace the existing node with a new one
containing both the existing one and the SQL membership
provider.
o Hit CTRL+F, type
o Select the entire membership node
o Hit the Delete button
o Right click on the new line where the membership node was and
select Insert Snippet
o Double click AdvAuth
o Double click SQL membership Node (Central Administration)
You will notice that no defaultProvider attribute exists in this membership
node. We want to be able to resolve user names for the SQL membership
provider but we still want to retain the Windows membership provider for the
Central Administration web application. Defining no defaultProvider attribute
will default the web application to the Windows membership provider. A
remove node specifies to remove the membership provider with the name
corresponding to the name attribute. It is important that you declare these to
prevent duplication of membership providers and avoid errors. The Partners
membership provider will be discussed later in this exercise.
Replace the roleManager node
o Move the cursor after the new membership node; there is an
existing roleManager node
o Select the entire roleManager node
o Right click on the new line where the roleManager node was and
select Insert Snippet
o Double click AdvAuth
o Double click SQL roleManager Node (Central Administration)
The roleManager node follows the same logic as the membership node. We
want to resolve roles for the SQL role provider, but we want to retain the
Windows roles in the Central Administration web application. Again, defining
no defaultProvider attribute will default the web application to the Windows
role provider. The PartnerRoles role provider will be discussed later in this
exercise.
Save the file by using File | Save
Configure auth.litwareinc.com with forms-based authentication using the SQL
providers we defined in the web.config.
Open the SharePoint Central Administration web site in Internet Explorer
using Start -> SharePoint 3.0 Central Administration
Click the Application Management tab in the top navigation area
Under Application Security, click Authentication providers
If the Web Application is not set to http://auth.litwareinc.com, click on the
name of the currently selected web application and select Change Web
Application
In the Select Web Application window, click the auth.litwareinc.com link on
the left side
After the Web Application dialog closes, click on the Default link in the Zone
column
On the Edit Authentication page, enter the following
o Authentication Type: Forms
o Membership provider name: AspNetSqlMembershipProvider
This value corresponds to the name attribute defined in
the SQL membership node in the web.config of
auth.litwareinc.com and Central Administration.
o Role manager name: AspNetSqlRoleProvider
This value corresponds to the name attribute defined in
the SQL roleManager node in the web.config of
auth.litwareinc.com and Central Administration.
Click the Save button
A user from the SQL membership provider must be set as the primary site
collection administrator, so that the site can be accessed.
Click the Application Management tab in the top navigation area
Under SharePoint Site Management, click the Site collection administrators
link
If Site Collection is not set to http://auth.litwareinc.com
o Click on the site collection currently selected and select Change
Site Collection
o Click on the name of the currently selected web application and select Change Web Application
o In the Select Web Application window, click on the
auth.litwareinc.com link in the left column
o After the Select Web Application window closes, click OK to
close the Select Site Collection window
After the Site Collection Administrator page refreshes with the values of
auth.litwareinc.com, you will notice that LITWAREINC\administrator can no
longer be resolved. It is no longer valid since the membership provider of
the web application has been changed and the domain username is not
recognized.
In the Primary site collection administrator textbox click on
LITWAREINC\administrator and select Remove
In the Primary site collection administrator textbox, type sqladministrator
Click the Check Names button (image with person and check mark) to resolve the name; after the name is resolved it will be underlined. When
SharePoint resolves these names it looks for an exact match for the entered
username within the web application's available providers. When it does
resolve them it actually stores the username as provider name + : + user
name in case the web application has multiple providers. So in this example,
it would be AspNetSqlMembershipProvider:sqladministrator.
Click the OK button
Reset IIS using Start -> Run, and typing iisreset
Log in to the site: in Internet Explorer, go to the address http://auth.litwareinc.com
Fill out the Sign In page as follows
o User name sqladministrator
o Password pass@word1
Click Sign In
After you are authorized and redirected to the default page of site, notice the
ProtocolError message in the RSS Viewer web part now that the web
application no longer uses Kerberos authentication.
A role can be used in much the same manner as a domain group within
SharePoint. Adding a role to a site will add all the members of the role to the
site.
We will now add the group Suppliers to the site and then log in as sql_brianc, a
member of the Suppliers group.
In the Quick Launch bar, click People and Groups
Click on the New menu and select Add Users
In the Users/Groups text area, type Suppliers and click the Check Names
button
After the name is resolved, leave the rest of the input controls with their
default values, and click the OK button to add the group and close the page
Click on the Welcome sqladministrator menu and select Sign in as
Different User
After the page refreshes to the Sign In page, enter the following values
o User name: sql_brianc
o Password: pass@word1
Click Sign In
When we opened the web.config of the Central Administration web application
earlier, there were existing membership and roleManager nodes which were
retained when we edited the file. Partners and PartnerRoles are LDAP
membership and role providers. Since we retained these definitions earlier we
will not have to edit the Central Administration's web.config this time.
We will now modify the web.config of auth.litwareinc.com to include the LDAP
providers.
In Visual Studio 2005 open
C:\Inetpub\wwwroot\wss\VirtualDirectories\auth.litwareinc.com80\web.config.
We are going to replace the existing membership and roleManager node and
not retain the SQL providers we added earlier as they are no longer needed.
We will not add or modify a connectionString for the LDAP providers because
they do not require a connection to SQL. The connectionStrings node added
earlier can be deleted from the file, but leaving it will not affect the web application.
Replace the membership node
o There is an existing membership node defining the SQL
membership provider for the auth.litwareinc.com web
application, so we will replace the existing node with a new one
containing the LDAP membership provider.
o Hit CTRL+F, type
o Select the entire membership node
o Hit the Delete button
o Right click on the new line where the membership node was and
select Insert Snippet
o Double click AdvAuth
o Double click LDAP membership Node (auth.litwareinc.com)
The child add node of the membership node has several attributes that differ
from the ones used for the SQL provider earlier and are needed for the LDAP
provider.
o server attribute - name of the LDAP server
o port attribute - port number that LDAP is running on; the default
is 389
o useSSL attribute - whether to use SSL when accessing the
LDAP server
o userDNAttribute attribute - the distinguished name property of
the user object class
o userNameAttribute attribute - the username property of the user
object class
o userContainer attribute - LDAP path to search for users
o userObjectClass attribute - the type of LDAP class that
describes a user
o userFilter attribute - LDAP filter that is used to remove results
from a user query
o scope attribute - the starting point of an LDAP query. There are
three options.
Base - searches the specified base DN only.
One - searches entries one level below the specified base
DN. Does not include the base DN.
Subtree - searches all entries of the specified base DN
and all levels below.
o otherRequiredUserAttributes attribute - any other non-specified
essential LDAP attributes
Replace the roleManager node
o Move the cursor after the new membership node; there is an
existing roleManager node
o Select the entire roleManager node
o Right click on the new line where the roleManager node was and
select Insert Snippet
o Double click AdvAuth
o Double click LDAP roleManager Node (auth.litwareinc.com)
The child add node of the roleManager node also contains attributes that are
unique to the LDAP role provider.
o groupContainer attribute - LDAP path to search for groups
o groupNameAttribute attribute - the group name property of the
group object class
o groupMemberAttribute attribute - value which specifies the
property of the group object that lists all of the members in a group
o userNameAttribute attribute - the username property of the
group object class
o dnAttribute attribute - the distinguished name property of the
group object class
o groupFilter attribute - LDAP filter that is used to remove results
from a group query
Save the file by using File | Save
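An added validator, not part of the lab or its AdvAuth snippets, that applies the rules from both the SQL membership/roleManager section and the LDAP attribute lists above to a constructed web.config excerpt: remove before add, a defined defaultProvider, a resolvable connectionStringName, and the LDAP attributes present. The SQL server name, LDAP host and container DN in the sample are assumptions, as is the set of providers machine.config supplies.

```python
"""Validate membership/roleManager wiring in a SharePoint web.config against
the rules the lab states. useSSL="false" is reported as well, because a simple
LDAP bind then sends the user's password to the directory in clear text."""
import xml.etree.ElementTree as ET

# Providers machine.config already gives every ASP.NET 2.0 application (assumed).
INHERITED = {"AspNetSqlMembershipProvider", "AspNetSqlRoleProvider",
             "AspNetWindowsTokenRoleProvider"}
LDAP_USER_ATTRS = ("server", "port", "useSSL", "userDNAttribute", "userNameAttribute",
                   "userContainer", "userObjectClass", "userFilter", "scope")
LDAP_GROUP_ATTRS = ("server", "port", "useSSL", "groupContainer", "groupNameAttribute",
                    "groupMemberAttribute", "userNameAttribute", "dnAttribute", "groupFilter")

# Constructed web.config excerpt: the type strings are the real .NET and MOSS
# classes; SQL server, LDAP host and container DN are assumptions. It contains
# two deliberate mistakes for the checker to report.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="AspNetSqlProvider"
         connectionString="server=moss;database=aspnetdb;Trusted_Connection=true" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="Partners">
      <providers>
        <remove name="AspNetSqlMembershipProvider" />
        <add name="AspNetSqlMembershipProvider" connectionStringName="AspNetSqlProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="Partners" server="ldap.litwareinc.com" port="389" useSSL="false" scope="Subtree"
             userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userObjectClass="person"
             userContainer="OU=Partners,DC=litwareinc,DC=com" userFilter="(ObjectClass=person)"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <add name="AspNetSqlRoleProvider" connectionStringName="AspNetSqlProvider"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""


def check_provider(node, section, conn_names, findings):
    """Checks keyed off the provider's .NET type."""
    name, typ = node.get("name"), node.get("type", "")
    if ".Sql" in typ:
        if node.get("connectionStringName") not in conn_names:
            findings.append(f"{section}: {name} references an undefined connection string")
    elif ".LDAP" in typ:
        required = LDAP_USER_ATTRS if "Membership" in typ else LDAP_GROUP_ATTRS
        missing = [a for a in required if node.get(a) is None]
        if missing:
            findings.append(f"{section}: {name} is missing {', '.join(missing)}")
        if node.get("useSSL", "false").lower() != "true":
            findings.append(f"{section}: {name} binds to the LDAP server without SSL")


def check_section(root, section, conn_names, findings):
    """Apply the remove-before-add and defaultProvider rules to one section."""
    elem = root.find(f"system.web/{section}")
    if elem is None:
        return
    removed, added = set(), set()
    for node in elem.findall("providers/*"):
        name = node.get("name")
        if node.tag == "remove":
            removed.add(name)
        elif node.tag == "add":
            if name in added or (name in INHERITED and name not in removed):
                findings.append(f"{section}: {name} is added without a preceding remove")
            added.add(name)
            check_provider(node, section, conn_names, findings)
    default = elem.get("defaultProvider")
    if default and default not in added:
        findings.append(f"{section}: defaultProvider {default} is not defined")


def validate(web_config_xml):
    """Return the list of findings; an empty list means the wiring is consistent."""
    root = ET.fromstring(web_config_xml)
    conn_names = {n.get("name") for n in root.findall("connectionStrings/add")}
    findings = []
    for section in ("membership", "roleManager"):
        check_section(root, section, conn_names, findings)
    return findings


if __name__ == "__main__":
    print("\n".join(validate(SAMPLE_WEB_CONFIG)) or "no findings")
```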
We will change the authentication providers of auth.litwareinc.com in Central
Administration.
Open up Central Administration by using Start | SharePoint 3.0 Central
Administration
Click the Application Management tab in the top navigation area
Under Application Security, click Authentication Providers
Change the Web Application to auth.litwareinc.com if it is not already set
Click the Default link in the Zone column
Enter the following values
o Membership provider name: Partners
o Role manager name: PartnerRoles
o Leave the default values in the rest of the form's controls
Click the OK button
We will now set the administrator for the root site collection of
auth.litwareinc.com to a user of the LDAP directory that is specified in the Partners
membership provider.
Click the Application Management tab in the top navigation area
Under SharePoint Site Management, click Site collection administrators
Change the site collection to http://auth.litwareinc.com
In the Primary site collection administrator textbox, right click on
aspnetsqlmembershipprovider:sqladministrator and select Remove
In the Primary site collection administrator textbox, type Administrator and
click the Check Names button
Click OK button
Reset IIS using Start -> Run, and typing iisreset
Now log in as the Administrator user of the Partners membership provider.
In Internet Explorer navigate to http://auth.litwareinc.com
On the Sign In page, enter the following
o User name: Administrator
o Password: pass@word1
Click on the People and Groups link in the Quick Launch bar
On the People and Groups page, notice that the Suppliers group is still a
member of the site; you must manually remove any site members that were
added using an old membership provider.
Conclusion
I. Conclusion
In this lab, you learned how to configure Kerberos authentication on a SharePoint web application. You also learned how to configure a web application to use forms authentication using two different types of authentication providers, SqlMembershipProvider and
LDAPMembershipProvider, and their corresponding role providers.