
Monday 12 September 2011

CBA for Development

Problem: Claims Based Authentication (CBA) requires swapping certificates with each machine that will use CBA on a development domain; if you have 20 dev machines you will need to swap certs between ADFS and all 20 developer machines.

Note: This post assumes all dev machines are on a single domain; several of the approaches will also work on a standalone machine. If ADFS is present on the local dev domain, use it for CBA in your development environment.

Initial Hypothesis:
If your VMs are all on the same domain you can always use classic mode authentication and test CBA on a build server. This does not make the dev environment mimic the test, QA and production servers that are using claims for authentication.
Resolution: You could set up your own STS server/service (feeding off SQL or LDAP) or use the WIF toolkit to create a claims service.
Or use the SelfSTS tool to generate claims that SharePoint can consume.

More info:
Setting up and testing your own STS Service
http://msdn.microsoft.com/en-us/library/ff955607.aspx
http://blogs.msdn.com/b/sharepointdev/archive/2011/09/12/claims-architecture-for-sharepoint-2010-developers.aspx
http://archive.msdn.microsoft.com/SelfSTS/
A simple Channel 9 video explaining CBA & WIF

Tuesday 20 July 2010

SharePoint 2010 membership provider/Claims based authentication

What is Claims based authentication?
Claims based authentication allows SharePoint to communicate with external membership providers over open communication standards to authenticate a user. The membership provider determines if the user is valid. A token saying the user is either valid or invalid is returned. More info
Authorisation is handled by SharePoint, or the logic can be applied by external membership providers.
Forms Based Authentication (FBA) works with your membership provider to give users access from a provider such as an LDAP provider like Active Directory (AD).
You can also set up Windows Authentication in the "Identity Provider", where you use either NTLM or Kerberos, as well as other ASP.NET providers.
The SecurityTokenService (STS) application ensures claims tokens are passed correctly between the provider and SharePoint (our SPSite). STS allows multiple providers to be plugged into our site. STS is set up in the web.config. More info.
Tip: Sign-in URL - when setting up FBA, you can use a custom page to add business logic; for instance, I assign rights/permissions when a user comes from a trusted 3rd party. More info.
Tip: FBA doesn't have to use claims based authentication, as in MOSS. If you have AD but need to provide Internet access then claims based adds no value. More info.
NTLM vs Kerberos: NTLM stands for NT LAN Manager, Microsoft's challenge-response authentication protocol. Kerberos is an open standard authentication protocol; it is more secure in that it is encrypted and tokens are used to validate the parties in the communication process. Kerberos requires ADFS. Kerberos is therefore more secure, however you do need to have a network that supports Kerberos for it to work. Kerberos is more chatty and introduces more points of failure. NTLM is more efficient. The usage scenario, such as Internet access, determines the protocol. I tend to lean towards Kerberos in larger SharePoint implementations if the network supports it. Internet scenarios don't expose ADFS to the Internet, so Kerberos is not an option there.

More Info:
Setting up SQL claims based FBA

Updated: 2014-02-27
Setting up ADFS2.0
Configure an Authentication Provider for a Web App to use ADFS

http://www.sharepointpals.com/post/Creating-an-ADFS20-TrustedIdentityTokenIssuer-using-PowerShell-in-SharePoint-2013
http://www.sharepointpals.com/post/How-to-Add-more-than-One-SharePoint-2013-WebApplication-to-a-SPTrustedIdentityTokenIssuer-on-ADFS-using-PowerShell
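As an added example (not code from these posts or the linked articles), here is the PowerShell a developer would run to register a local SelfSTS as the trusted identity token issuer described above, which is the dev-environment resolution the first post suggests. The SelfSTS issue URL, the exported certificate path, the realm and the web application URL are assumptions for your own farm.

```powershell
# Added example: register a local developer STS (e.g. SelfSTS) as a SharePoint
# trusted identity token issuer. Assumed values: SelfSTS issues tokens at the
# URL below, its public signing cert is exported to C:\certs\SelfSTS.cer, and
# the dev web application is http://sp-dev. Replace all of them for your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$stsName   = "SelfSTS Dev"
$certPath  = "C:\certs\SelfSTS.cer"              # public signing cert only, never the .pfx
$signInUrl = "https://localhost:8000/STS/Issue"  # SelfSTS issue endpoint (assumed)
$realm     = "urn:sharepoint:dev"                # must match the realm SelfSTS issues tokens for (assumed)
$webAppUrl = "http://sp-dev"

# SharePoint validates every incoming token signature against this certificate,
# so it must be a dev-only key: whoever holds its private key can mint a token
# for any user. Refuse to import anything that carries the private key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.HasPrivateKey) { throw "Import the public certificate only; the private key stays on the STS." }
New-SPTrustedRootAuthority -Name "$stsName Signing" -Certificate $cert | Out-Null

# Map incoming claim types to SharePoint claims; e-mail is the identifier claim
# (the value that uniquely identifies the user inside SharePoint).
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleClaim  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailClaim -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleClaim  -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name $stsName -Description "Local SelfSTS, development only" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap,$roleMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType

# Attach the issuer to the web application alongside Windows auth so the
# existing Windows sign-in on the dev box keeps working.
$winAp   = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$claimAp = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $winAp,$claimAp

# Verify: the issuer is registered, points at the STS URL and is bound to the
# signing certificate you exported (check the thumbprint matches).
Get-SPTrustedIdentityTokenIssuer -Identity $stsName | Select-Object Name, ProviderUri, SigningCertificate
```

Because each developer machine trusts only its own local SelfSTS certificate, nothing has to be exchanged with ADFS; the trade-off is that the issuer must never be left configured on a farm that is reachable from test or production.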