SharePoint 2010 Tips, part 37 (potx)

CHAPTER 9 Claims-Based Authentication
Digest
Certificate
NTLM
Kerberos

Claims-Based
SharePoint Server 2010 CBA enables authentication using Windows Integrated security and
non-Windows systems. A key concept with CBA in SharePoint 2010 is that authentication is based
on an identity provider. Applications trust this provider because they are configured to utilize the
provider. The beauty of the system is that any provider that meets specific Internet security standards
can be used. These standards include WS-Security, WS-SecurityPolicy, WS-Trust and WS-Federation.
Therefore companies have the flexibility to choose their provider, and as long as it’s compliant with
these standards it will be supported by SharePoint. CBA supports three different authentication
providers out of the box:
Windows Authentication — This includes all the same authentication methods that CMA
supports, as listed above.
Forms-Based Authentication (FBA) — These methods include LDAP, database or custom
membership, and role providers. Note that FBA is only available when you use claims-based
authentication.
SAML Token-Based Authentication — These include ADFS 2.0, Windows Live ID, and
third-party providers.
CREATING CLAIMS-BASED WEB APPLICATIONS
The following instructions walk you through the process of creating a claims-enabled web
application. You will also configure the application to allow anonymous access. Finally, you will add FBA
to the application so that you have a dual authentication configuration.
Configuring CBA with Windows Authentication
Begin by configuring CBA with Windows Authentication:

1. Create a new web application using CBA. The process for creating a new web application was
discussed in detail in Chapter 4, so it isn’t repeated here. Only the changes specific to enabling
CBA are discussed. You must first enable CBA in the Authentication section of the Create
New Web Application web page in Central Administration. The default is classic mode, so you
will need to select claims mode. Notice that the Claims-Based Authentication option has been
selected, as shown in Figure 9-1.
FIGURE 91
2. Scroll down to the Claims Authentication Types section and review the options. This section
and the Sign In Page URL section are shown in Figure 9-2. Keep the default settings, which
are Windows Authentication enabled and NTLM. Note that you can enable the web
application to use a single URL for both Windows Authentication and Forms-Based Authentication
by enabling the checkbox for both methods. This is only possible with CBA. Without CBA,
you would have to create two different zones.

3. CBA may require users to log in; therefore, they may need to be redirected to a web page to
enter their credentials. Do not change the default settings, which should be to use the Default
Sign In Page option. Note the option to enter the URL of a custom sign in page, as shown in
Figure 9-2.

FIGURE 92
4. Ensure that all the other settings are configured according to your specific interests. When
finished, click OK. Once the web application has been created, the Application Created web
page will be displayed, as shown in Figure 9-3.
FIGURE 93
5. Verify the Authentication settings for the web application by browsing to the Web Applications
Management web page, clicking your specific claims-enabled web application, and then
clicking the Authentication Providers button in the Ribbon. The Authentication Providers dialog,
shown in Figure 9-4, should be displayed.
FIGURE 94
6. Create a new site collection within this new web application using your own preferences.
You will be directed to the Top-Level Site Successfully Created web page once the process is
complete. Browse to your new site collection’s top-level site. This completes the process.
You may need to create a new DNS entry if you used host headers for your web application,
and you may need to issue the command ipconfig /flushdns after creating the DNS entry.
Configuring Anonymous Access
You can configure your CBA web application to allow anonymous access using the following steps.
These steps are similar to those used for SharePoint 2007:

1. Under Application Management in Central Administration, select Manage web applications.

2. Select the specific web application to be enabled and click the Authentication Providers
button on the Ribbon.

3. Click the Default link in the Authentication Providers dialog. This should display the Edit
Authentication dialog, shown in Figure 9-5.
FIGURE 95
4. Enable anonymous access by clicking inside the Enable anonymous access checkbox in the
Anonymous Access section. Click the Save button. Close the Authentication Providers dialog.

5. Return to the Web Applications Management page. With your web application selected,
click the Anonymous Policy button in the Ribbon. This will take you to the Anonymous
Access Restrictions dialog, shown in Figure 9-6. In the Zones drop-down box, select (All
Zones); and in the Permissions section, select None - No Policy. These should be the default
conditions.
FIGURE 96
6. Browse to the site collection you created previously in the claims-enabled web application.
From the Site Settings page, click the Site Permissions link in the Users and Permissions section.
The Permissions page is shown in Figure 9-7.
FIGURE 97
7. Click the Anonymous Access button in the Ribbon to display the Anonymous Access dialog,
shown in Figure 9-8.

8. Select the Entire Web site option or the Lists and Libraries option, depending on what you
wish to provide access to. For this exercise, select Entire Web site. When finished, click OK.
You should see Anonymous Users added to the list of users and groups on the Permissions
page, as shown in Figure 9-9. This completes the configuration.
FIGURE 98
FIGURE 99
Converting to CBA from CMA
You can convert a web application that has been configured to use CMA to use CBA, but only by
using PowerShell. Once you convert the web application to use CBA, you cannot return to CMA.
The following PowerShell commands will complete this conversion:
$ConvertApp = Get-SPWebApplication "http://<web application name>"
$ConvertApp.UseClaimsAuthentication = $true
$ConvertApp.Update()
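Because the conversion cannot be reversed, a practitioner will want a guard around those three lines: confirm the target web application, refuse to run if it is already claims-enabled, dry-run by default, and verify the flag after the update. The script below is an added example written for this page, not code from the book; it assumes the SharePoint 2010 Management Shell snap-in and farm administrator rights, the web application URL is a placeholder, and the -Proceed switch name is this example's own convention.

```powershell
# Added example (not from the book): guarded, one-way conversion of a web
# application from classic-mode (CMA) to claims-based authentication (CBA).
# Assumes the Microsoft.SharePoint.PowerShell snap-in and farm-admin rights.
param(
    [string]$WebAppUrl = "http://<web application name>",   # placeholder, replace it
    [switch]$Proceed                                        # without it, dry run only
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$wa = Get-SPWebApplication -Identity $WebAppUrl -ErrorAction Stop

# 1. An application that already uses claims has nothing to convert, and the
#    property only ever moves in one direction, so stop here.
if ($wa.UseClaimsAuthentication) {
    Write-Host "$($wa.Url) already uses claims-based authentication; nothing to do."
    return
}

# 2. Show exactly what is about to change so the operator can confirm the target.
Write-Host "Web application : $($wa.DisplayName) ($($wa.Url))"
Write-Host "Current mode    : classic-mode (Windows) authentication"
Write-Host "Target mode     : claims-based authentication (cannot be reverted)"

if (-not $Proceed) {
    Write-Warning "Dry run only. Re-run with -Proceed to perform the conversion."
    return
}

# 3. The conversion itself, as the chapter shows it.
$wa.UseClaimsAuthentication = $true
$wa.Update()

# 4. Existing permission entries still hold classic Windows accounts. MigrateUsers
#    rewrites them as claims identities and ProvisionGlobally re-provisions IIS on
#    every server; both are SPWebApplication methods in SharePoint 2010.
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()

# 5. Read the object back rather than trusting the in-memory copy.
$check = Get-SPWebApplication -Identity $WebAppUrl
if ($check.UseClaimsAuthentication) {
    Write-Host "Conversion verified: $($check.Url) now uses claims-based authentication."
} else {
    Write-Error "Conversion did not persist for $($check.Url); check the ULS logs."
}
```

Run it once without -Proceed to see the target, then again with -Proceed. Microsoft's documented migration also re-grants a full-control user policy to the administrator's claims identity before calling MigrateUsers, so that the account doing the conversion cannot lock itself out; add that step for any application with custom user policies.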
Configuring Forms-Based Authentication
Using the following instructions, you will enable FBA for your existing claims-enabled website so
that both Windows Integrated and FBA are being used.
Enable FBA
Follow these steps to enable FBA:

1. Navigate to the Web Applications Management page, select your claims-enabled web
application and click on the Authentication Providers button in the Ribbon.

2. Click the Default link in the Authentication Providers dialog window. Scroll down in the Edit
Authentication dialog until you reach the Claims Authentication Types section. Enable FBA
and add names for the ASP.NET membership provider and the role manager. You can choose
your own names or use SQLMembershipProvider and SQLRoleManager. Click Save when
you are done and close the Authentication Providers dialog. Remember the names that you
have chosen because you will need to refer to them in the web.config file. Also, keep in mind
that these names are case sensitive.
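A mismatch in case between the names entered in Central Administration and the provider names declared in web.config is easy to miss and simply results in failed FBA logins. The following script, an added example for this page rather than code from the book, compares the two case-sensitively. It assumes the stock ASP.NET layout of <membership> and <roleManager> sections with <providers><add name="..."/> children, takes the web.config path as an argument, and defaults the expected names to the ones the chapter suggests.

```powershell
# Added example (not from the book): check that the FBA provider names configured
# in Central Administration exist, with identical case, in a web.config file.
param(
    [Parameter(Mandatory = $true)]
    [string]$WebConfigPath,                               # path to the web.config to inspect
    [string]$MembershipProvider = "SQLMembershipProvider", # names from the chapter's suggestion
    [string]$RoleProvider       = "SQLRoleManager"
)

function Get-ProviderNames {
    # Returns the 'name' attribute of every <add .../> under <Section><providers>.
    # Assumes the standard ASP.NET configuration layout for membership/roleManager.
    param([xml]$Config, [string]$Section)
    $nodes = $Config.SelectNodes("//$Section/providers/add")
    foreach ($n in $nodes) { $n.GetAttribute("name") }
}

function Test-ProviderName {
    # -ccontains is case-sensitive; the default -contains would accept
    # 'sqlmembershipprovider' and hide exactly the mismatch the chapter warns about.
    param([string[]]$Declared, [string]$Expected, [string]$Kind)
    if ($Declared -ccontains $Expected) {
        Write-Host "OK       $Kind provider '$Expected' is declared."
        return $true
    }
    $nearMiss = @($Declared | Where-Object { $_ -ieq $Expected })
    if ($nearMiss.Count -gt 0) {
        Write-Warning ("$Kind provider '$Expected' only matches '$($nearMiss -join ', ')' when case " +
                       "is ignored; SharePoint compares case-sensitively, so FBA logins will fail.")
    } else {
        Write-Warning ("$Kind provider '$Expected' is not declared in $WebConfigPath. " +
                       "Declared names: $($Declared -join ', ')")
    }
    return $false
}

# [xml] cast of Get-Content output works on the PowerShell 2.0 that ships with
# SharePoint 2010, unlike Get-Content -Raw.
[xml]$cfg = Get-Content -Path $WebConfigPath

$membershipOk = Test-ProviderName (Get-ProviderNames $cfg "membership")  $MembershipProvider "Membership"
$roleOk       = Test-ProviderName (Get-ProviderNames $cfg "roleManager") $RoleProvider       "Role"

if ($membershipOk -and $roleOk) { exit 0 } else { exit 1 }
```

SharePoint 2010 FBA needs the same provider entries in the web application's web.config, the Central Administration web.config and the Security Token Service web.config, so run the check against each of the three; a non-zero exit code flags the file that needs correcting.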

Install and Configure the SQL Server Database
The next step is to create and configure a SQL Server database that will be used for FBA:

1. Open Windows Explorer and navigate to C:\Windows\Microsoft.NET\Framework64\v2.0.50727.
Locate the aspnet_regsql.exe application and execute it. This will open the
ASP.NET SQL Server Setup wizard, shown in Figure 9-10. Click the Next button.
FIGURE 910