Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2012-09-16) Claims Based Authorizations For Sharepoint Through ADFS (Part 3)

Posted by Jorge on 2012-09-16


For the previous part click on the following link: Claims Based Authorizations For Sharepoint Through ADFS (Part 2)

The federation related part of SharePoint is done! Let’s now create the Web Application/Site. First I’m going to collect the credentials of the AD user account that will be used by the application as the application pool account, then I’m going to create a managed account in SP2010 based upon that AD user account, which by the way must be enabled, and finally I will specify the URL and port for the Web Application/Site.

# Define The Application Pool Account
$account1 = $ENV:USERDOMAIN + "\SVC_R1_WebAppClaims1"
Write-Host $account1
Start-Sleep -s 10
$cred1 = Get-Credential
New-SPManagedAccount -Credential $cred1

# Define The Web Application URL
$webappurl1 = "https://app-claims.adcorp.lab"
$port1 = "446"

The output of all that can be seen in the picture below.

Figure 1a: Defining And Creating A Managed Account Within Sharepoint 2010

Figure 1b: Defining And Creating A Managed Account Within Sharepoint 2010 And Defining The URL And Port Of The Web Application

Now let’s go crazy and create a SharePoint 2010 web application and the site collection.

# Create The Web Application - Claims Based
# $AuthNProvider1 is the trusted identity token issuer (ADFS) created in Part 2
$webapp1 = New-SPWebApplication -Name "Claims Based Web Application" -SecureSocketsLayer -ApplicationPool "Sharepoint App Claims Based" -ApplicationPoolAccount $account1 -Url $webappurl1 -Port $port1 -AuthenticationProvider $AuthNProvider1 -DatabaseName "SharePoint_WebAppClaimsBased"
$webapp1

# Create The Claim Object For The Site Collection Administrator (UPN of the current user, issued by ADFS)
$claim1 = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $AuthNProvider1 -Identity "$ENV:USERNAME@$ENV:USERDNSDOMAIN"
$claim1

# Create The Site Collection, with the claims identity (encoded) as owner
$site1 = New-SPSite -Identity "$($webappurl1):$port1" -Name "Claims Based Web Site" -OwnerAlias $claim1.ToEncodedString() -Template "STS#0"
$site1

The output of all that can be seen in the picture below.

Figure 2: Creating The Web Application And The Site Collection Within Sharepoint 2010

Now let’s configure the correct SPN on the AD user account used within the Application Pool for the previously created Web Application.

Figure 3: Configuring The SPN On The AD User Account Used Within The Application Pool
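The SPN step above done from PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is available; the account and host name are the ones used in this post, and it checks for a duplicate SPN before registering anything, since a duplicate silently breaks Kerberos for both principals.

```powershell
# Added example (not from the original post): register the Kerberos SPN for the
# web application on its application pool account, checking for duplicates first.
# Assumes the RSAT ActiveDirectory module; names below come from this post.
Import-Module ActiveDirectory

$appPoolAccount = "SVC_R1_WebAppClaims1"     # sAMAccountName of the application pool account
$hostName       = "app-claims.adcorp.lab"    # host part of $webappurl1
# Some clients put the non-default port into the SPN they request, so register both forms.
$spns           = @("HTTP/$hostName", "HTTP/${hostName}:446")

foreach ($spn in $spns) {
    # Look the SPN up forest-wide before adding it: a duplicate on another
    # principal makes the KDC hand out tickets that neither side can decrypt.
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($owners) {
        $names = ($owners | ForEach-Object { $_.Name }) -join ", "
        Write-Warning "$spn is already registered on: $names (not adding it again)"
        continue
    }
    Set-ADUser -Identity $appPoolAccount -ServicePrincipalNames @{ Add = $spn }
    Write-Host "Registered $spn on $appPoolAccount"
}

# Show what AD now holds for the account.
(Get-ADUser -Identity $appPoolAccount -Properties servicePrincipalName).servicePrincipalName
```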

Before starting to go crazy and throw claims against SP2010 we still need to configure other stuff. To see which claims SP2010 has accepted/used I want to deploy a webpart into SP2010 for my Claims Based Web Application. The webpart I’m using is based upon the following blog post: How To Create a Claims Viewer Web Part for SharePoint 2010.

However, at this point ADFS is still not configured, so I cannot authenticate against the SP 2010 Web Application using claims to deploy the webpart. Because of that I’m going to reconfigure the web application to temporarily accept Windows Based Authentication leveraging the Kerberos protocol.

So, start the Sharepoint 2010 Central Administration Web Site and

  • Click on “Central Administration” –> “Manage Web Applications”
  • Click on the Web Application with name “Claims Based Web Application”
  • Click on “Authentication Providers”
  • Click on the “Default Zone”
  • Scroll to the “Claims Authentication Types” section
  • Check “Enable Windows Authentication”
  • Check “Integrated Windows Authentication”
  • Select “Negotiate (Kerberos)”
  • Uncheck “ADCORP ADFS v2 STS”
  • Uncheck “Trusted Identity Provider”
  • Scroll down and click SAVE and close the remaining window

Figure 4: Temporarily Reconfiguring The Sharepoint 2010 Claims Based Web Application To Accept Windows Based Authentication

To be able to log on to the Web Application it is also important to temporarily change the site collection administrator to a Windows AD account instead of the configured claims ID.

So, if not already started, start the Sharepoint 2010 Central Administration Web Site and

  • Click on “Application Management” –> “Change site collection administrators”
  • You will see an error specifying: “This page contains one or more errors. Fix the following before continuing: No exact match was found. Click the item(s) that did not resolve for more options”
  • Make sure the site collection specifies: “https://app-claims.adcorp.lab:446/”
  • Remove any value specified in the Primary Site Collection Administrators and click on the address book icon to the right of that field
  • Enter ADM.ROOT in the FIND field and click on the search button
  • Select the Active Directory node, then click on the user that was found and then click OK
  • Click OK
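Both temporary changes (the Default zone switched to Windows/Kerberos authentication, and the primary site collection administrator switched to a Windows account) scripted in the SharePoint 2010 Management Shell, as an added example that is not the post’s own code. It assumes the URL and provider name from this post and that the Windows administrator account is ADCORP\ADM.ROOT; it also shows how to check which providers the zone currently accepts and how to put the claims configuration back afterwards, so the temporary Windows-only state is not left behind by accident.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell; the URL and the trusted provider name come from this post,
# the Windows account name is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = "https://app-claims.adcorp.lab:446"
$trustedName  = "ADCORP ADFS v2 STS"
$windowsAdmin = "ADCORP\ADM.ROOT"

function Show-DefaultZoneProviders {
    # Lists the claims authentication providers the Default zone accepts right now,
    # which is the PowerShell view of the "Authentication Providers" page above.
    $webApp = Get-SPWebApplication $webAppUrl
    $zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $webApp.IisSettings[$zone].ClaimsAuthenticationProviders |
        Select-Object DisplayName, UseWindowsIntegratedAuthentication, DisableKerberos
}

function Enable-TemporaryWindowsAuth {
    # Windows integrated auth with Negotiate (Kerberos): leaving out -DisableKerberos keeps Kerberos on.
    $windowsOnly = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
    # Replaces the provider list of the zone, which drops the trusted (ADFS) provider.
    Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $windowsOnly
    # Windows account as primary site collection administrator.
    Set-SPSite -Identity $webAppUrl -OwnerAlias $windowsAdmin
}

function Restore-ClaimsAuth {
    # Once the web part is deployed: trusted provider back on the zone, claims identity back as owner.
    $trusted = Get-SPTrustedIdentityTokenIssuer $trustedName
    Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $trusted
    $claim = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $trusted -Identity "$ENV:USERNAME@$ENV:USERDNSDOMAIN"
    Set-SPSite -Identity $webAppUrl -OwnerAlias $claim.ToEncodedString()
}

Enable-TemporaryWindowsAuth
Show-DefaultZoneProviders      # expect only the Windows provider with Kerberos enabled
# Restore-ClaimsAuth           # run this after the web part has been deployed
```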

Figure 5: Temporarily Reconfiguring The Primary Site Collection Administrator To Be A Windows Based Account/ID

For the next part click on the following link: Claims Based Authorizations For Sharepoint Through ADFS (Part 4)

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

