We have to HNSC https://division1.corp.com https://division2.corp.com on the same SPWebApplication using Claims and Forms Authentication. When logging in to https://division1.corp.com we should have access to https://division2.corp, but we get the logon dialog box again. The UserInformationList are synchronized between this HNSC. By looking at the cookie, they are different.
How shall we solve this?
SharePoint 2010 out of the box does not provide a way to share authentication between its own web applications. This is primarily because each application authenticates users independently and the cookies that it issues are marked with the HTTP Only flag. This means the cookie cannot be accessed by other applications on different DNS names (even if they are part of the same SharePoint farm).
The most common resolution to this is to set up an external federated trusted identity provider (such as ADFS) and have each of your web applications trust it. Then you can configure your federated identity provider to authenticate against your forms provider.
Here's some more detailed info about how the authentication structure in SharePoint works and how you can develop against it: http://msdn.microsoft.com/en-us/library/gg430136.aspx
is it possible to configure federated trust without using ADFS. This article "Claims-Based Single Sign-On for Microsoft SharePoint 2010" link walks you through an example of integrating two web applications into a sso environment for intranet and extranet web users. The article describes how to configure a New-SPTrustedIdentityTokenIssuer where you can add ProviderRealms to SPTrustedIdentityTokenIssuer. In our scenario we set -SignInUrl https://division.corp.com/_layouts/fba/fbalogin.aspx. But I cant find out how to configure the section federatedAuthentication.
Related
I need help in authorization using ADFS claims, I have done with ADFS configuration on my windows server 2012 R2.
i have no idea what to do next.
My requirement is :
I have 2 sites which share resources I need if the user sign-in using one site then if he/she goes to the second site then the user needs to enter the credentials again but I want to skip this step
You need to configure both applications as Relying Parties in ADFS.
Both applications need to have a client side stack supporting either WS-Fed (WIF) or SAML 2.0.
If you used ADFS 2016, you could also use OpenID Connect.
That gives you SSO across both applications.
I am wondering if anyone has faced a similar issue. We are working on enterprise client portal that would be sitting on the internet. We also would like to add managements/client services portal that would be sitting on the local network and would use the same core libraries. For the external clients we would like to use forms authentication and for the internal application we would like to use windows authentication. Right now we are leaning to use sql membership provider on the external site and active directory membership provider on the internal site. We are working with mvc 4 so we use claims principal throughout the app.
The questions are:
1. Is there a way to combine users so we can enforce username uniqueness using existing providers?
2. We are considering using user email as the key. Is this a security issue. Can I get user email from AD membership provider?
I have looked into simplemembership provider. I thought that I could utilize webpages_OAuthMembership table to store "LDAP" users. But there is no oauth provider for that so I would have to write our own.
On another hand it seems that simplemembership is just a temporary solution until ASPNET.Identity come out in Nov.
Do you have any suggestions?
Have you looked into Windows Identity Federation (WIF), ASP.NET Identity, MVC5?
All your cases can be implemented using above.
how can I let non-domain users username/password login my sharepoint site (is on internet)? I am using Sharepoint 2010 foundation. can I authentic them via Active Directory?
If you want to continue to use Active Directory, you will need to give an AD account to these users. Otherwise, SharePoint also supports Forms Based Authentication and SAML token-based authentication.
Note that these authentication methods are not mutually exclusive. You can use any combination of authentication methods supported by the authentication mode of the Web Application (SAML token-based authentication is only supported when your Web Application is in Claims Based mode).
For more information, see Plan authentication methods.
You can use Form Base Authentication.
Reference: http://blog.morg.nl/2011/08/step-by-step-forms-based-authentication-fba-on-sharepoint-2010/
I have a custom Windows App (needs to be windows as it runs on a users machine and interfaces with TWAIN devices) which needs to communicate to a Claims Based Authenticated site.
What is the best way to achieve this? Each user already has an account on the site which I want to use to authenticate with on the windows app.
Note: the site is actually a CRM2011 IF Deployment.
CRM 2011 setup
Cloud Hosted
Claims Based Authentication for IFD users
Windows (AD) Based Authentication for services (i.e. running on the same box) and workflows
STS setup is out of our control
Is CRM 2011 already configured to use a STS such as ADFS?
If so, you just need to add your app. to the STS as a Relying Party.
There's a white paper.
Also, this gives a good overview of configuring ADFS and WIF in general.
I've imported a bunch of users into my Active Directory with some custom fields. Then I did a profile import from Active Directory to Sharepoint with all the custom fields and regular fields. After this, I needed each user to be in a site collection with a MySite set up for them. I did that by writing some code that ensured the user existed and then checked the profile attribute "personalspace" to see if a MySite had been created. Everything worked great until some of the users needed to login from outside the network.
I'd like to get rid of the windows authentication pop-up that a user would get if they hit from outside the network (or haven't added the site to their trusted zone in IE). I've extended my web application to create an internet zone. Then I edited the web.config of the internet site to do active directory forms authentication, along with editing the Central Administrator's web.config so that it can see the data source. This is all well and good, the user can login through a nice interface. The only problem is that now the user is detached from their user profile. Essentially Sharepoint views a windows authentication user and a forms authenticated user as two separate users.
Is there a way to link the profiles? Do I have to write a custom membership provider to log a user in and then link them up to their windows account? Is there a way to log a user in from the internet web app and then spoof their windows credentials and pass it to the intranet? Do I need to recreate all the user profiles based on the forms authentication data source?
Is this what are you looking for .. http://grounding.co.za/blogs/brett/archive/2008/01/09/setting-up-dual-authentication-on-windows-sharepoint-services-3-0-forms-and-ntlm.aspx ?
See ya
I've been trying to accomplish the same thing, with exactly the same problem - the "forms-authenticated-me" is not the same as the "windows-authenticated-me" to sharepoint, and I can't see how to map the two.
After a lot of frustrating efforts, I think I've finally realized it's not possible. In retrospect, this isn't too surprising.
here's an excerpt from http://msdn.microsoft.com/en-us/library/bb975136.aspx (my emphasis added)...
Deciding to Use Forms Authentication
Some organizations want to use Windows
users and groups in SharePoint
Products and Technologies, but enter
credentials via forms authentication.
Before using forms authentication,
determine why to use forms
authentication in the first place:
What is the business driver? If user
accounts are stored in a location
other than an Active Directory domain
controller, or if Active Directory is
not available in a particular
environment, using forms
authentication with a membership
provider is a good choice. But if you
want to force logon only via forms
authentication, but still use Windows
and all of the integrated features it
provides, you should consider an
alternative such as publishing the
SharePoint site with Microsoft
Internet Security and Acceleration
(ISA) Server 2006. ISA Server 2006
allows users to log on by using a
forms authentication Web form, but
treats them like Windows users after
authentication. This implementation
provides a more consistent and
compelling experience for end users.
You can set up the Forms Authentication to use the Active Directory Forms Authentication provider. You'll get the best of both worlds.
The login prompt will be the Forms Authentication prompt that you want, but the profile and login info will come from Active Directory.
Follow these instructions to configure the provider:
How To: Use Forms Authentication with Active Directory