I need to find out how I can allow our Sharepoint portal to support both windows authentication and form based authentication. The objective is to allow those users in our Active directory to sign into the portal using their active directory credentials, and at the same time we want to allow those users who don't belong to our active directory to register an account online and be able to access our sharepoint portal after their account is approved by an admin.
You need to enable the Dual Authentication for the SharePoint Site. Here one of the class article in the subject
Also you need to deploy the controls for enabling the user to register and create login refer this
Related
I needed to have Custom OU (long story, but to integrating a legacy app with Azure AD that uses LDAP to look for users in specific OU's).
So I added the Custom OU using Active Directory remote administrative Tools following the advice here Microsft document
I have added the custom OU's added users into them, so far so good.
Only issue is I can't login with any users added through the VM. When I try to login to Azure I get this error (This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin.)
Any Ideas why this is the case, is this by design?
or maybe I am not entering something that is required. (Although the domain and all the details match the user is added to domain users group)
when you add custom OUs in azure ad Domain services ( AAD DS ) there are limitations to objects added to those custom OUs, such as.. exactly what you mentioned. those users are not available in azure ad. Only to the AAD DS connected devices. it's like a local domain user.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/create-ou#custom-ou-considerations-and-limitations
User accounts, groups, service accounts, and computer objects that you
create under custom OUs aren't available in your Azure AD tenant.
These objects don't show up using the Microsoft Graph API or in the
Azure AD UI; they're only available in your managed domain.
I am currently developing a WebApi 2 service which is hosted in Azure. I now need to add Authentication and ideally Authorization to this service. I was expecting to be able to do this with Azure Active Directory but have a number of questions
Will my users have to login via the standard Azure sign in portal?
Will my users be forced to use specific email domains (ie microsoft) when creating an account?
Will I be able to programatically add a user into the directory along with Authorization info (aka rights management)?
Will I programatically be able to modify a users details such as forgotton password etc
Sorry for the general question, but I am stuck trying to find out if I am looking at the right technology to be able to meet these requirements. If not, would really appreciate any suggestions on what to use instead.
Will my users have to login via the standard Azure sign in portal?
Yes, but the branding of the portal can be changed in the basic and premium editions of Azure AD.
Will my users be forced to use specific email domains (ie microsoft) when creating an account?
No, you can register your own domain and associate it with a directory. Or you can sync on-premise accounts to an Azure AD directory and use those email addresses.
Will I be able to programatically add a user into the directory along with Authorization info (aka rights management)?
Yes, using the Graph API you can create and manage users. You can also assign them roles or make them part of a security group.
Will I programatically be able to modify a users details such as forgotton password etc
Yes, using the Graph API.
I'm customizing an ACS home realm discovery page and want to accommodate users who have either a "microsoft account" (aka LiveID/Passport) or a Office365/Azure Active Directory account.
In this situation, it's possible for the following workflow to happen (as far as I understand it)
User logs in using ACS custom page
User selects "Microsoft Account"
User types in their company / corporate ID
The HRD process at http://portal.microsoftonline.com redirects them to their ADFS server
Their ADFS server redirects them to their company.
Once sign-in passes (or fails) the login would cascade back to the ACS page.
What is the most efficient way (for the end user) to integrate Azure ACS, with Azure Active Directory / Office 365, with a custom HRD page that I create?
Or more plainly, is there a JSON web service that I can query to determine if a given domain or account exists within the "Microsoft Account/LiveID" world, and also check AzureAD for the same thing.
You cannot treat "microsoft accounts" (Windows Live ID / Outlook.com / hotmail / xbox /etc) the same as WAAD accounts when using ACS. When you set up your identity providers in ACS you will need to enable a Windows Live IDP and one IDP for each WAAD instance you are going to allow users to authenticate with. One thing that is not clear to me from your question is if you are needing for you users to be able to authenticate against a single WAAD tenant or from multiple. If one then you only need to configure one WAAD tenant in ACS. If you need to allow users to authenticate against multiple WAAD tenants then you will need to set up and IDP for each in ACS. For example if your web app is a SAAS application with users from companies "Contoso" and "Northwind" and you want them to be able to authenticate against their company's on-premise active directory then you will need two WAAD tenants setup. Each WAAD tenant will need to have federation configured with their given on-premise active directory. Each WAAD tenant in turn would need to be configured in ACS as an IDP. You could name those IDPs distinctly in ACS something like "Contoso WAAD" and "Northwind WAAD". Then in your custom implementation of the HRD page you can either just list all the IDPs and let the user choose, or if you want to be fancier you could parse the JSON results from the ACS endpoint that lists IDP and present them to the user (or just redirect them) based on some other selection they had made.
I've imported a bunch of users into my Active Directory with some custom fields. Then I did a profile import from Active Directory to Sharepoint with all the custom fields and regular fields. After this, I needed each user to be in a site collection with a MySite set up for them. I did that by writing some code that ensured the user existed and then checked the profile attribute "personalspace" to see if a MySite had been created. Everything worked great until some of the users needed to login from outside the network.
I'd like to get rid of the windows authentication pop-up that a user would get if they hit from outside the network (or haven't added the site to their trusted zone in IE). I've extended my web application to create an internet zone. Then I edited the web.config of the internet site to do active directory forms authentication, along with editing the Central Administrator's web.config so that it can see the data source. This is all well and good, the user can login through a nice interface. The only problem is that now the user is detached from their user profile. Essentially Sharepoint views a windows authentication user and a forms authenticated user as two separate users.
Is there a way to link the profiles? Do I have to write a custom membership provider to log a user in and then link them up to their windows account? Is there a way to log a user in from the internet web app and then spoof their windows credentials and pass it to the intranet? Do I need to recreate all the user profiles based on the forms authentication data source?
Is this what are you looking for .. http://grounding.co.za/blogs/brett/archive/2008/01/09/setting-up-dual-authentication-on-windows-sharepoint-services-3-0-forms-and-ntlm.aspx ?
See ya
I've been trying to accomplish the same thing, with exactly the same problem - the "forms-authenticated-me" is not the same as the "windows-authenticated-me" to sharepoint, and I can't see how to map the two.
After a lot of frustrating efforts, I think I've finally realized it's not possible. In retrospect, this isn't too surprising.
here's an excerpt from http://msdn.microsoft.com/en-us/library/bb975136.aspx (my emphasis added)...
Deciding to Use Forms Authentication
Some organizations want to use Windows
users and groups in SharePoint
Products and Technologies, but enter
credentials via forms authentication.
Before using forms authentication,
determine why to use forms
authentication in the first place:
What is the business driver? If user
accounts are stored in a location
other than an Active Directory domain
controller, or if Active Directory is
not available in a particular
environment, using forms
authentication with a membership
provider is a good choice. But if you
want to force logon only via forms
authentication, but still use Windows
and all of the integrated features it
provides, you should consider an
alternative such as publishing the
SharePoint site with Microsoft
Internet Security and Acceleration
(ISA) Server 2006. ISA Server 2006
allows users to log on by using a
forms authentication Web form, but
treats them like Windows users after
authentication. This implementation
provides a more consistent and
compelling experience for end users.
You can set up the Forms Authentication to use the Active Directory Forms Authentication provider. You'll get the best of both worlds.
The login prompt will be the Forms Authentication prompt that you want, but the profile and login info will come from Active Directory.
Follow these instructions to configure the provider:
How To: Use Forms Authentication with Active Directory
I want to use MOSS 2007's single sign-on feature, but read that the server needs to be in an Active Directory environment. This I understand, but does this mean all my users HAVE TO be Active Directory users? Can I not use MOSS2007 Single Sign-on if my users are authenticated using Forms Authentication (using a custom membership provider?).
You can, but you'd have to write your own SSO provider. The default one only works with Windows identities.
Edit: There's a walkthrough on MSDN for creating them, if you want to go that way.
when i connect SP server with CS server using SSO, does the roles and user permissions for SP users transfered with the user, so if i created new sp user with read role, then i accessed cs server, i will find that a role created for that user in the cs with read permissions?