This presentation explains about SharePoint 2010 Authentication with LDAP and SQL Server

1. SharePoint Authentications Ameet Phadnis President Ambar Nirgudkar SharePoint Consultant

2. About Presenters Ameet Phadnis MCTS President, e Tek Global Inc. e-Mail:aaphadnis@etekglobalinc.com LinkedIn: www.linkedin.com/in/aaphadnis Ambar Nirgudkar MCSD Sr. SharePoint Consultant, e Tek Global Inc. e-Mail: ambar.nirgudkar@etekglobalinc.com LinkedIn: http://www.linkedin.com/in/ambarnirgudkar 8/10/2010

3. About e Tek Global Inc. Microsoft Gold Partners. Microsoft Certified SharePoint Deployment Planning Services Provider. SharePoint 2010 services provided – Intranet, Extranet, Internet Sites and Features Development. Migrating sites from 2007 to 2010. Upcoming Add-ons for SharePoint AD Password Reset AD Users Management and Profiles Management. News Ticker and News Display. Site Map Authentication registration and Login. User Profiles. 8/10/2010

4. Agenda Overview Authentication Methods Authentication for SharePoint Web applications. Setting up FBA in 8 Steps. LDAP with FBA SecurityToken Web Configuration Central Administration Web Configuration. User Policies and Security. SQL Authentication with FBA. Question and Answer Useful Links 8/10/2010

5. Overview SharePoint is logically divided into three tiers: Front-end Web Server The application tier Back-end database tier. Authentication is required for access to any of the above tiers. To access each tiers we need Authentication providers. SharePoint 2010 supports – Classic-mode authentication. Claims-based authentication. 8/10/2010

6. Authentication Methods Classic-mode Authentication Method – Windows: Standard IIS Windows Authentication methods. Claims-based Authentication Methods – Windows Forms-based authentication SAML token-based authentication (Security Assertion Markup Language) 8/10/2010

7. Authentication Methods- Classic Windows Authentication Anonymous Basic Digest Client-Certificates NTLM Negotiate (Kerberos or NTLM) 8/10/2010

8. Authentication Methods – Forms-based Lightweight Directory Access Protocol (LDAP) SQL Database or other database. Custom or third-party membership or role providers. 8/10/2010

9. Forms-based (Contd.) Identity Management System is based on ASP.NET membership and role provider authentication. For non-windows or external systems you must register the membership provider in Web.Config file. Also can register a role manager in addition to membership provider. SharePoint 2010 uses ASP.NET role manager interface to gather group information about the current user. 8/10/2010

10. Forms-based (Contd.) For managing membership users and roles in Central administration, we need to register the membership provider in Central Administration’s Web.Config file. 8/10/2010

11. Forms-based (Contd.) – Watch out The Membership provider name and Role provider name needs to be the same name on Central Admin config file as Web application’s config file. If different, then the default provider specified in machine.config is used instead. 8/10/2010

12. Custom Authentication Provider Requirements HTTP Module must be programmed to interact with SharePoint 2010 and ASP.NET methods for the following Membership Provider – GetUser(String) GetUserNameByEmail FindUsersByName and FindUsersByEmail Role Manager – RoleExists GetRolesByUser GetAllRoles 8/10/2010

13. Setting up FBA in 8 Steps Create new Web Application Select Claims Based Authentication under Authentication Provide suitable name to Create a new IIS web site Name. Under Claims Authentication Types Check Forms Based Authentication (FBA). Enter appropriate Name for ASP.NET Membership Provider Name Enter appropriate name for ASP.NET Role Manager Name. 8/10/2010

14. Setting up FBA in 8 Steps – Contd. Under Application Pool Category: Provide Name for Application Pool. Select the Security account for the application pool. Under the Database Name and Authentication Category Enter the Database Server Name. Enter the Database Name. Enter the Database authentication information as appropriate. Click Ok. Create Site Collection for the above Web Application. THE SITE IS READY 8/10/2010

15. Setting up FBA in 8 Steps DEMO For Creating Claims based Website. 8/10/2010

16. LDAP with FBA Open the Web Application Web.Config File. Enter the following LDAP Authentication provider information. <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="etekglobalinc.local" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=ETEKGLOBALINC,DC=LOCAL" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn,displayName" /> 8/10/2010

17. LDAP Authentication Attributes Name: Name for your LDAP Membership. Server: Name of the Computer hosting LDAP Service. Port: Port that LDAP is listening on. UseSSL: Specifies that SSL is not being used to communicate to the LDAP data store. userDNAttribute: Attribute for the Users Distinguished Name. userNameAttribute: Attribute of the user name object. userContainer: Defines the full distinguished name of the container for users. userObjectClass: Class of the user object. userFilter: The userFilter is a standard filter for LDAP Queries. Scope: Sets the search scope of the selection. otherRequiredUserAttributes: Other attributes to return. 8/10/2010

18. LDAP with FBA Enter the following LDAP Role provider information. <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="etekglobalinc.local" port="389" useSSL="false" groupContainer="DC=ETEKGLOBALINC,DC=LOCAL" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" /> 8/10/2010

19. LDAP with FBA DEMO For People Picker for Site Permissions. 8/10/2010

20. SecurityToken Web Configuration In order for successful login we need to enter the Membership and Role Provider in SecurityToken Web.Config. The path to the SecurityToken Web.Config is C:rogram Filesommon Filesicrosoft Sharedeb Server Extensions4ebServicesecurityToken Enter the following for MembershipProvider <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="etekglobalinc.local" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=ETEKGLOBALINC,DC=LOCAL" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" /> 8/10/2010

21. SecurityToken Web Configuration Enter the following for Role Provider <add name="LDAPRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="etekglobalinc.local" port="389" useSSL="false" groupContainer="DC=ETEKGLOBALINC,DC=LOCAL" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" /> 8/10/2010

22. SecurityToken Web Configuration Demo For SecurityToken Web.Config changes and Login with FBA 8/10/2010

23. Central Administration Web Configuration. If User needs to work on Web Application administration from Central Administration then the Membership Provider and Role Provider needs to be added to the Web.Config file. Copy the same Membership Provider and Role Provider information to the Central Administration Web.Config file. 8/10/2010

24. User Policies and Security User Policy under Central Administration should be used rarely. These should be used for the overall site permissions. Permissions that can be assigned for users are – Full Control. Full Read Deny Write Deny All. Customized Permission Policies can be added through Permission Policy. 8/10/2010

25. User Policies and Security Demo For Central Administration Web.Config changes and User Policies 8/10/2010

26. Making SQL Authentication Work with FBA. Follow the same steps as LDAP Authentication changes in web.config file. Following are the SQL Authentication Membership provider and Role Membership provider web.config changes Membership Provider <add name="SQLMembership" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="ApplicationServices" enablePasswordReset="false" enablePasswordRetrieval="false" passwordFormat="Clear" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" /> 8/10/2010

27. Making SQL Authentication Work with FBA. Role Provider <add name="SQLRoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="ApplicationServices" /> 8/10/2010

28. SQL Authentication with FBA. Make the Connection String entries to the Web Application, SecurityToken, Central Administration (if needed) Web.Config files. You can add the Connectionstring before the end Configuration tag. <connectionStrings> <add connectionString="Data Source=ETEKSPS2010OWERPIVOT;Initial Catalog=aspnetdb;User ID=<UserName>;Password=<Password>;" name="ApplicationServices" /> </connectionStrings> 8/10/2010

29. SQL Authentication with FBA. Demo For SQL Authentication 8/10/2010

30. Question and Answer ???? 8/10/2010

31. Useful Links Examples of Web.Config for LDAP Authentication - http://technet.microsoft.com/en-us/library/cc197251(office.12).aspx 8/10/2010