SharePoint24x7 It's all about SharePoint.

9 Jul 2014

Article – Anonymous Crawl Configuration in SharePoint 2013

Posted by Joy

SharePoint 2013 introduces a new way to tell the Search crawler how to authenticate when it crawls public-facing sites that allow Anonymous access. The crawler normally makes every request under a user account (the default content access account). One of the bottlenecks of SharePoint 2010 Search was crawling public-facing sites with Anonymous authentication: SharePoint 2010 still required a user account for crawling content from those sites, even when they were configured for Anonymous authentication. SharePoint 2013 resolves this with a new crawl rule authentication option, Anonymous access, which removes the need to supply a user account and attempt authentication when crawling public-facing web sites that allow anonymous access.

The following authentication options can be set on a SharePoint 2013 crawl rule to control which credentials, if any, the crawler presents when it fetches content:

  • Default Crawl Account
  • Specific Account
  • Client Certificate
  • Form credentials
  • Cookie
  • Anonymous

The following steps show how to configure the SharePoint crawler to use the new Anonymous option to crawl a public-facing web site:

Task 1 – Configure public-facing web site Content Source

  • Open SharePoint 2013 Central Administration web site
  • Navigate to Manage service applications from Application Management group
  • Select Search Service Application instance and navigate to Search Administration page
  • Select Content Sources from the left hand side Search Administration links
  • Select New Content Source from the Manage Content Sources page
  • Enter a Name for the Content Source and select the Web Sites option for Content Source Type.
  • Enter the web site URL in the Start Address field and click OK.

 

Task 2 – Create a Crawl Rule to use Anonymous option

  • Select Crawl Rules from the left hand side Search Administration links.
  • Select New Crawl Rule from the Manage Crawl Rules page.
  • Enter the Path (the start address of the content source followed by /*, so that the rule covers only that site) and select the Include all items in this path option in the Crawl Configuration section.
  • Select the Anonymous access option in the Specify Authentication section. URLs that match no crawl rule are still fetched with the default content access account, so scope the path to the public site only and do not rely on a catch-all rule.

 

Task 3 – Crawl content

  • Select Content Sources from the left hand side Search Administration links
  • From the context menu of the content source you just added, select Start Full Crawl to start crawling the content. When the crawl has finished, open the crawl log for the content source and confirm that the pages were indexed without access errors.
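The same three tasks can be scripted with the SharePoint 2013 Search cmdlets. The script below is an added example and is not part of the original post; it assumes the Search Service Application is named "Search Service Application" and that http://www.contoso.com is the public-facing site that allows anonymous access.

```powershell
# Added example (not from the original post): Tasks 1-3 scripted.
# Assumptions: Search Service Application name and the site URL below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssa  = Get-SPEnterpriseSearchServiceApplication -Identity "Search Service Application"
$site = "http://www.contoso.com"

# Task 1: a content source of type Web whose start address is the public site.
$cs = New-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa `
        -Name "Contoso public site" -Type Web -StartAddresses $site

# Task 2: an inclusion crawl rule for that path with anonymous authentication.
# Keep the path scoped to the public host: URLs without a matching rule are
# fetched with the default content access account, so a broad rule (or none)
# would offer that account's credentials to the external host.
$rule = New-SPEnterpriseSearchCrawlRule -SearchApplication $ssa `
          -Path "$site/*" -Type InclusionRule -AuthenticationType AnonymousAccess

# Check before crawling: the stored rule really is anonymous.
Get-SPEnterpriseSearchCrawlRule -SearchApplication $ssa |
    Where-Object { $_.Path -eq "$site/*" } |
    Select-Object Path, Type, AuthenticationType

# Task 3: full crawl, then wait until the content source is Idle again.
$cs.StartFullCrawl()
do {
    Start-Sleep -Seconds 15
    $cs = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity $cs.Name
} while ($cs.CrawlStatus -ne "Idle")
"Full crawl of {0} finished (rule: {1})" -f $cs.Name, $rule.Path
```

Run it from the SharePoint 2013 Management Shell as a farm administrator who is also an administrator of the Search Service Application. The crawl rule must exist before the first crawl starts, otherwise the first pass is made with the default content access account.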
17 Jul 2013

Article – Authentication Improvements in SharePoint 2013

Posted by Joy

Authentication is the process that verifies the identity of a user accessing a web application; it tells the web application "who you are". The authentication method is chosen when a new web application is created. In SharePoint 2010, Windows Classic-mode authentication was the recommended option when creating a new web application, and Claims-based authentication was not recommended because some features, such as the People Picker and SQL Server Reporting Services, were not claims aware in SharePoint 2010.

In SharePoint 2013, Windows Classic-mode authentication is deprecated and no longer recommended; Claims-based authentication is the recommended choice when creating a new web application. It is also the only option you will see in Central Administration when creating a new web application. A Classic-mode web application can still be created with Windows PowerShell, but keep in mind that this is NOT recommended.

The following Claims-based authentication modes are available in SharePoint 2013:

  • Windows claims
  • Security Assertion Markup Language (SAML)-based claims
  • Forms-based authentication claims

SharePoint 2013 also extends Claims-based authentication with OAuth 2.0 (Open Authorization 2.0), an industry-standard protocol for redirection-based, time-limited authorization; SharePoint 2013 uses it for app authentication and for server-to-server authentication between SharePoint and other services.

The following are the key improvements in the claims infrastructure in SharePoint 2013:

  • Easier migration to Windows claims – when upgrading from SharePoint 2010 to SharePoint 2013, the Convert-SPWebApplication Windows PowerShell cmdlet converts a web application from Classic mode to Windows claims, including the identities stored in its content databases.
  • Logon tokens are cached in the Distributed Cache Service rather than in the memory of each web front end, so a user's token is available to every server in the farm.
  • Better logging support – authentication-related events are logged in much more detail in the ULS logs, which makes troubleshooting authentication problems much easier.
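The migration point above in practice: the script below, an added example that is not part of the original post, finds web applications that still use the deprecated Classic mode and converts one of them. It assumes http://intranet.contoso.com is a Classic-mode web application attached to a SharePoint 2013 farm (for example after a database-attach upgrade).

```powershell
# Added example (not from the original post). Assumption: the URL below is a
# Classic-mode web application on a SharePoint 2013 farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Inventory first: UseClaimsAuthentication is $false for deprecated Classic mode.
Get-SPWebApplication |
    Where-Object { -not $_.UseClaimsAuthentication } |
    Select-Object DisplayName, Url, UseClaimsAuthentication

$url = "http://intranet.contoso.com"

# Conversion rewrites every Windows account stored in the content databases into
# its claims form (CONTOSO\jdoe becomes i:0#.w|contoso\jdoe). -RetainPermissions
# keeps the existing permission assignments on those identities. The conversion
# is one-way, so back up the content databases before running it.
Convert-SPWebApplication -Identity $url -To Claims -RetainPermissions -Force

# Check: the flag is now set and the Default zone carries a claims provider.
$wa = Get-SPWebApplication -Identity $url
$wa.UseClaimsAuthentication
$wa.GetIisSettingsWithFallback("Default").ClaimsAuthenticationProviders |
    Select-Object DisplayName
```

Later builds of SharePoint 2013 also require a -From Legacy parameter alongside -To Claims; check Get-Help Convert-SPWebApplication on the farm before running it.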
10 Oct 2011

Article – Configuring Forms-based Authentication in SharePoint 2010

Posted by Joy

Configuring forms-based authentication has always been challenging in SharePoint products and technologies, since the early releases. With SharePoint 2010 it became simpler, but it is still a little confusing to many developers and administrators. This post walks through how to configure forms-based authentication (FBA) in SharePoint 2010 using a SQL Server based user store.

Note: Authentication in SharePoint is configured at the Web Application level; the web application is the boundary for authentication settings. Before creating a new web application in Central Administration (CA), decide which type of authentication you plan to use for it. Changing the authentication mode later is more difficult and error prone than you might expect.

Note: To configure forms-based authentication, the web application must use the claims-based authentication mode. In SharePoint 2010, forms-based authentication is implemented on top of claims-based authentication, and using classic-mode authentication for forms-based authentication is not supported by Microsoft.

Configuring form-based authentication has several phases:

  1. Provisioning and configuring a custom user store
  2. Populating the user store with users and roles
  3. Creating a new Web Application
  4. Configuring STS, CA & FBA Web Application
  5. Test to see whether FBA works

Phase 1: Provisioning and configuring a user store

Task 1: Provisioning and configuring a custom user store

This walkthrough uses the aspnet_regsql.exe tool that ships with the .NET Framework (it is on the path in the Visual Studio Command Prompt) to create a very simple user store for all the user and role information.

  1. Fire up Visual Studio Command Prompt (2010) by navigating to Start -> All Programs -> Microsoft Visual Studio 2010 -> Visual Studio Tools -> Visual Studio Command Prompt (2010).
  2. Enter aspnet_regsql and wait until it starts ASP.NET SQL Server Setup Wizard.
  3. Click Next in the Welcome to the ASP.NET SQL Server Setup Wizard page.
  4. Select Configure SQL Server for application services option from the Select a Setup Option page.
  5. In the Select the Server and Database page, enter name of the SQL Server for the Server: field. Select the appropriate authentication mode for the database server (In my case Windows authentication). And if you want to specify a database name, replace <default> with the name of your choice for the Database: field. Leaving Database: field with <default> will always create a database named aspnetdb. Click Next after you enter all the details.
  6. Click Next in the Confirm Your Settings page to start the configuration.
  7. After few seconds, you will get the “The database has been created or modified.” page. Click Finish to quit the wizard.
  8. Exit the Visual Studio Command Prompt (2010).

Task 2: Verify the existence of custom user store

  1. Fire up Microsoft SQL Server Management Studio by navigating to Start -> All Programs -> Microsoft SQL Server 2008 R2 -> SQL Server Management Studio.
  2. Connect to the correct SQL Server using Connect to Server dialog box.
  3. Expand Databases folder and verify the existence of the database aspnetdb.

Task 3: Configuring database access to CA and AppPool user accounts

For CA, the Security Token Service and the FBA web application to reach the custom user store (the aspnetdb database), the SharePoint farm account and the application pool account need access to it. The connection string used later (Integrated Security=True) connects as the identity of the calling process: Central Administration and the Security Token Service run under the farm account, and the FBA web application runs under its own application pool account. In my environment these are two accounts named SP_Farm and SP_AppPool, which run the SharePoint farm and the application pools respectively. Find out which service accounts you configured as the SharePoint farm account and the application pool account when you set up SharePoint, and then grant them access to the database as follows:

  1. Expand the Databases folder in SQL Server Management Studio.
  2. Expand the aspnetdb database.
  3. Expand the Security folder and then the Users folder.
  4. Right-click the Users folder and select New User…
  5. In the Database User – New dialog box, enter the name of the farm account in the User name: field and its SQL Server login in the Login name: field.
  6. From the Database role membership: list select the following database roles:
    1. aspnet_Membership_FullAccess
    2. aspnet_Personalization_FullAccess
    3. aspnet_Profile_FullAccess
    4. aspnet_Roles_FullAccess
    5. aspnet_WebEvent_FullAccess
    Note: SharePoint only exercises the SqlMembershipProvider and the SqlRoleProvider, so aspnet_Membership_FullAccess and aspnet_Roles_FullAccess are the two roles that are strictly required; the other three can be left out if you want the grant to be minimal.
  7. Select OK to add the user to the database.
  8. Repeat steps 4 through 7 for the SharePoint AppPool service account as well.
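The same grants as a repeatable script, so that they can be re-applied if the user store is ever rebuilt. This is an added example, not part of the original post; it assumes the SQL Server instance is SQL01, the database is aspnetdb, sqlcmd.exe is on the path, and the accounts are CONTOSO\SP_Farm and CONTOSO\SP_AppPool as in the walkthrough.

```powershell
# Added example (not from the original post). Assumptions: instance, database,
# account names and sqlcmd.exe availability as stated in the lead-in.
$sqlInstance = "SQL01"
$database    = "aspnetdb"
$accounts    = @("CONTOSO\SP_Farm", "CONTOSO\SP_AppPool")

# Least privilege: SharePoint only drives the SqlMembershipProvider and the
# SqlRoleProvider, so only the roles those two providers need are granted.
# (The wizard's Personalization, Profile and WebEvent roles are not required.)
$roles = @("aspnet_Membership_FullAccess", "aspnet_Roles_FullAccess")

$tsql = "USE [$database];`n"
foreach ($acct in $accounts) {
    # Idempotent: create the server login and the database user only when missing.
    $tsql += @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$acct')
    CREATE LOGIN [$acct] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$acct')
    CREATE USER [$acct] FOR LOGIN [$acct];

"@
    # sp_addrolemember rather than ALTER ROLE ... ADD MEMBER, because the
    # walkthrough targets SQL Server 2008 R2, which predates ALTER ROLE ADD MEMBER.
    foreach ($role in $roles) {
        $tsql += "EXEC sp_addrolemember N'$role', N'$acct';`n"
    }
}

$script = Join-Path $env:TEMP "grant-aspnetdb-access.sql"
Set-Content -Path $script -Value $tsql -Encoding ASCII
& sqlcmd.exe -S $sqlInstance -E -b -i $script     # -E Windows auth, -b stop on error
if ($LASTEXITCODE -ne 0) { throw "grant script failed; see sqlcmd output above" }

# Check: list every aspnet_* role membership the database now holds.
$verify = "SELECT m.name AS member_name, r.name AS role_name " +
          "FROM sys.database_role_members drm " +
          "JOIN sys.database_principals r ON r.principal_id = drm.role_principal_id " +
          "JOIN sys.database_principals m ON m.principal_id = drm.member_principal_id " +
          "WHERE r.name LIKE 'aspnet[_]%' ORDER BY m.name, r.name;"
& sqlcmd.exe -S $sqlInstance -E -d $database -Q $verify
```

Run it as a login that is sysadmin (or at least has ALTER ANY LOGIN and db_owner on aspnetdb). The verification query should list exactly the two accounts with the two roles each; anything more is an over-grant worth removing.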

Phase 2: Populating the user store with users and roles

Next we need to add some sample users and roles to the new user store through the membership and role providers. The easiest way to do this is an ASP.NET Web Site project in Visual Studio and its Web Site Administration Tool.

Task 1: Creating Users and Roles in custom user store

  1. Fire up Microsoft Visual Studio 2010 by navigating to Start -> All Programs -> Microsoft Visual Studio 2010 -> Microsoft Visual Studio 2010.
  2. Select File -> New -> Web Site…
  3. Select the language of your choice. Select ASP.NET Web Site project template. Provide a project name and click OK.
  4. Double-click web.config from the Solution Explorer and replace <connectionStrings /> with the following:
    <connectionStrings>
        <clear/>
        <add name="LocalSqlServer" connectionString="Data Source=(local);Initial Catalog=aspnetdb;Integrated Security=True"/>
    </connectionStrings>
  5. Adjust the connection string (the Data Source, and the Initial Catalog if you changed the database name) so that it points to the user store you just created.
  6. Save web.config file.
  7. Select the ASP.NET Configuration option from the Solution Explorer to open the ASP.NET Web Site Administration Tool.
  8. Go to the Provider tab and click the “Select a single provider for all site management data” link. Click the “Test” link next to “AspNetSqlProvider” and make sure you receive the message “Successfully established a connection to the database.”
  9. Navigate to Security tab. Click “Select authentication type” link from Users section. Change the selection to “From the internet” and click Done.
  10. Select “Enable roles” link from the Roles section to enable role management.
  11. Select “Create user” link from Users section to create required number of users in the user store.
  12. Select “Create or Manage roles” link from Roles section to create roles. Enter Admins for the New role name: field and click Add Role. Add another role named Users following same steps.
  13. Select Manage for the Admins role, search for the Admin user and make sure that user is a member of the Admins role. Repeat the same steps to make the Sam and Joy users members of the Users role.

Use steps 11 through 13 to set up whatever users and roles your own environment requires.

Phase 3: Creating a new Web Application

After the custom user store is set up with the required users and roles, we can wire it to a web application.

Task 1: Creating a Web Application to support FBA

  1. Fire up the SharePoint 2010 Central Administration site.
  2. Select Manage web applications from the Application Management section.
  3. Click New in the Contribute group of the ribbon to create a new web application.
  4. In the Create New Web Application dialog, select Claims Based Authentication as the option for Authentication. Provide a meaningful Name and a valid Port in the IIS Web Site section.
  5. Move down to the Claims Authentication Types section. Leave Enable Windows Authentication (NTLM) selected, select Enable Forms Based Authentication (FBA) as well, and provide the following Membership and Role provider names (these are the default providers registered in machine.config):
    1. ASP.NET Membership provider name: AspNetSqlMembershipProvider
    2. ASP.NET Role manager name: AspNetSqlRoleProvider
  6. Go down to the Sign In Page URL section; if you wish, you can configure a custom sign-in page instead of the built-in one. I will use the built-in sign-in page for this demo.
  7. Leave the rest of the fields as they are and click OK to create the new web application.
  8. After a few seconds or minutes, you will get the Application Created dialog box confirming that the web application was created. Click the link “Create Site Collection” to create a new Site Collection in this web application.
  9. Give a Title and Description in the Title and Description section.
  10. Select the Team Site template from the Template Selection section.
  11. Specify the farm administrator account as the Primary Site Collection Administrator so that you can always log in using Windows Authentication. I provided my farm administrator account CONTOSO\Administrator.
  12. Click OK to create the Site Collection.
  13. Click OK to navigate away from the Top-Level Site Successfully Created dialog box.
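Phase 3 as a script, for farms where web applications are created from Windows PowerShell rather than Central Administration. This is an added example, not part of the original post; it assumes, matching the walkthrough, port 8080 on the host teamserver, a registered managed account CONTOSO\SP_AppPool for the application pool, CONTOSO\Administrator as the farm administrator, and a content database named WSS_Content_FBA8080.

```powershell
# Added example (not from the original post). Assumptions: host, port, managed
# account, owner and database name as stated in the lead-in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Two claims providers on the same zone: Windows (NTLM) so an administrator can
# always get in, plus FBA. The provider names are the machine.config defaults and
# must match the <add name="..."> entries registered in the web.config files later.
$windows = New-SPAuthenticationProvider
$fba     = New-SPAuthenticationProvider `
             -ASPNETMembershipProvider "AspNetSqlMembershipProvider" `
             -ASPNETRoleProviderName   "AspNetSqlRoleProvider"

$url = "http://teamserver:8080"
$wa  = New-SPWebApplication -Name "FBA Web Site - 8080" -Port 8080 -Url $url `
         -ApplicationPool "FBA Web Site - 8080" `
         -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\SP_AppPool") `
         -AuthenticationProvider $windows, $fba `
         -DatabaseName "WSS_Content_FBA8080"

# Team Site owned by a Windows identity, written in its claims form. If the FBA
# store is misconfigured, this owner can still sign in with Windows authentication.
New-SPSite -Url $url -Name "FBA Team Site" -Template "STS#0" `
    -OwnerAlias "i:0#.w|contoso\administrator" | Out-Null

# Check: both providers are attached to the Default zone before moving on.
$wa.GetIisSettingsWithFallback("Default").ClaimsAuthenticationProviders |
    Select-Object DisplayName
```

The check should list two providers, Windows Authentication and Forms Authentication. Creating the web application only records the provider names; the providers themselves are wired up in Phase 4.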

Task 2: Verify that the new Site Collection can be accessed using Windows Authentication

Before proceeding, let’s make sure that we can log in to the new site collection using Windows Authentication, since both authentication types were enabled when the web application was created.

  1. Enter the URL of the new Site Collection. In my case, http://teamserver:8080
  2. You will be taken to the default sign in page.
  3. Select Windows Authentication from the drop down and make sure you get access to the new site collection we just created.

Phase 4: Configuring Security Token Service, CA & FBA Web Application

The membership and role providers must also be registered with the Security Token Service (STS), because with claims-based authentication in SharePoint 2010 it is the STS, not the web application, that validates the forms credentials and issues the token. The STS runs on every server in the farm, so the edit in Task 1 has to be repeated on each server.

Task 1: Configuring STS

  1. Fire up the IIS Manager by navigating to Start -> Administrative Tools -> Internet Information Services (IIS) Manager.
  2. Expand the IIS Server and expand the Sites folder.
  3. Expand SharePoint Web Services Web Site.
  4. Right-click SecurityTokenServiceApplication web site and select Explore.
  5. Open the web.config file.
  6. Go to the end of the file, locate the closing </system.net> element, and add the following configuration elements immediately after it:
    <system.web>
        <membership>
            <providers>
                <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
            </providers>
        </membership>
        <roleManager>
            <providers>
                <add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
            </providers>
        </roleManager>
    </system.web>
    <connectionStrings>
        <clear/>
        <add name="LocalSqlServer" connectionString="Data Source=(local);Initial Catalog=aspnetdb;Integrated Security=True"/>
    </connectionStrings>
  7. Save the changes to web.config file.

Task 2: Configuring FBA Web Application

  1. Fire up the IIS Manager by navigating to Start -> Administrative Tools -> Internet Information Services (IIS) Manager.
  2. Expand the IIS Server and expand the Sites folder.
  3. Right-click FBA enabled web application you created earlier in Phase 3 and select Explore. In my example, FBA Web Site – 8080.
  4. Open the web.config file.
  5. Locate the <membership defaultProvider="i"> element and, inside its <providers> </providers> element, add the following after the existing content. Leave defaultProvider="i" as it is: that is SharePoint's claims membership provider, and the SQL provider is added alongside it, not in its place.
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
  6. Just underneath the membership provider, locate the <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> element and, inside its <providers> </providers> element, add the following after the existing content (again, leave defaultProvider="c" untouched):
    <add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
  7. Finally, locate the </system.web> element and just underneath that, add the following:
    <connectionStrings>
        <clear/>
        <add name="LocalSqlServer" connectionString="Data Source=(local);Initial Catalog=aspnetdb;Integrated Security=True"/>
    </connectionStrings>
  8. Save the changes to the web.config file.

Task 3: Configure CA – Optional

This step is only needed if you want Central Administration to resolve forms-based users, for example to name a forms user as a site collection administrator or to pick one from the People Picker in CA. The same two providers are registered in the CA web.config:

  1. Fire up the IIS Manager by navigating to Start -> Administrative Tools -> Internet Information Services (IIS) Manager.
  2. Expand the IIS Server and expand the Sites folder.
  3. Right-click SharePoint Central Administration v4 site and select Explore.
  4. Open the web.config file.
  5. Search for <roleManager></roleManager> and <membership></membership> elements and you will typically see a set of empty elements for the same. Replace those empty elements with the following:
    <membership>
        <providers>
            <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
        </providers>
    </membership>
    <roleManager>
        <providers>
            <add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
        </providers>
    </roleManager>
  6. And just underneath the </system.web> element, enter the following:
    <connectionStrings>
        <clear/>
        <add name="LocalSqlServer" connectionString="Data Source=(local);Initial Catalog=aspnetdb;Integrated Security=True"/>
    </connectionStrings>
  7. Save the changes to web.config file.
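The Phase 4 edits applied by a script, so that they can be run identically on every server in the farm and re-run after a server is rebuilt. This is an added example, not part of the original post; it assumes the SharePoint 2010 STS lives under the 14 hive path below, that the FBA web application is the one at http://teamserver:8080, and that the user store is on (local) as in the walkthrough.

```powershell
# Added example (not from the original post). Assumptions: STS path, web
# application URL and connection string as stated in the lead-in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$connStr = "Data Source=(local);Initial Catalog=aspnetdb;Integrated Security=True"
$sqlType = "System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

function Add-FbaProviders {
    param([Parameter(Mandatory=$true)][string] $WebConfigPath,
          [Parameter(Mandatory=$true)][string] $ConnectionString)

    # Always keep a rollback copy next to the file.
    Copy-Item $WebConfigPath ("{0}.{1:yyyyMMdd-HHmmss}.bak" -f $WebConfigPath, (Get-Date))

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($WebConfigPath)
    $cfg = $xml.DocumentElement                       # <configuration>

    # Child element by name, created when absent (the STS web.config has no
    # <system.web> section at all; the web application's already has one).
    function Get-OrAddChild([System.Xml.XmlElement] $Parent, [string] $Name) {
        $child = $Parent.SelectSingleNode($Name)
        if ($child -eq $null) { $child = $Parent.AppendChild($xml.CreateElement($Name)) }
        return $child
    }
    function Add-Provider([System.Xml.XmlElement] $Providers, [hashtable] $Attributes) {
        if ($Providers.SelectSingleNode("add[@name='$($Attributes.name)']") -ne $null) { return }
        $add = $xml.CreateElement("add")
        foreach ($k in $Attributes.Keys) { $add.SetAttribute($k, $Attributes[$k]) }
        [void]$Providers.AppendChild($add)
    }

    $sysWeb = Get-OrAddChild $cfg "system.web"
    # Only <providers> is touched. defaultProvider on <membership> ("i") and on
    # <roleManager> ("c") must stay as SharePoint wrote them: those are the claims
    # providers, and the SQL providers go beside them, not in their place.
    Add-Provider (Get-OrAddChild (Get-OrAddChild $sysWeb "membership") "providers") @{
        name = "AspNetSqlMembershipProvider"
        type = "System.Web.Security.SqlMembershipProvider, $sqlType"
        connectionStringName = "LocalSqlServer"; applicationName = "/"
        enablePasswordRetrieval = "false"; enablePasswordReset = "true"
        requiresQuestionAndAnswer = "true"; requiresUniqueEmail = "false"
        passwordFormat = "Hashed"          # salted hash at rest; never "Clear"
        maxInvalidPasswordAttempts = "5"; passwordAttemptWindow = "10"
        minRequiredPasswordLength = "7"; minRequiredNonalphanumericCharacters = "1"
        passwordStrengthRegularExpression = ""
    }
    Add-Provider (Get-OrAddChild (Get-OrAddChild $sysWeb "roleManager") "providers") @{
        name = "AspNetSqlRoleProvider"
        type = "System.Web.Security.SqlRoleProvider, $sqlType"
        connectionStringName = "LocalSqlServer"; applicationName = "/"
    }

    # machine.config already defines LocalSqlServer (a local SQL Express file
    # database). <clear/> first, then re-add the name, so this file's value wins.
    $cs = $cfg.SelectSingleNode("connectionStrings")
    if ($cs -eq $null) {
        $cs = $cfg.AppendChild($xml.CreateElement("connectionStrings"))
        [void]$cs.AppendChild($xml.CreateElement("clear"))
    }
    $entry = $cs.SelectSingleNode("add[@name='LocalSqlServer']")
    if ($entry -eq $null) {
        $entry = $cs.AppendChild($xml.CreateElement("add"))
        $entry.SetAttribute("name", "LocalSqlServer")
    }
    $entry.SetAttribute("connectionString", $ConnectionString)
    $xml.Save($WebConfigPath)
}

$sts = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"
$app = Join-Path (Get-SPWebApplication "http://teamserver:8080").GetIisSettingsWithFallback("Default").Path.FullName "web.config"

foreach ($path in @($sts, $app)) { Add-FbaProviders -WebConfigPath $path -ConnectionString $connStr }

# Check: each file now names both providers and carries the farm's connection string.
foreach ($path in @($sts, $app)) {
    [xml]$x = Get-Content $path
    "{0}`n  membership: {1}`n  roles: {2}`n  LocalSqlServer: {3}" -f $path,
        ($x.SelectSingleNode("//membership/providers/add[@name='AspNetSqlMembershipProvider']") -ne $null),
        ($x.SelectSingleNode("//roleManager/providers/add[@name='AspNetSqlRoleProvider']") -ne $null),
        $x.SelectSingleNode("/configuration/connectionStrings/add[@name='LocalSqlServer']").connectionString
}
```

Run it elevated on every server in the farm; the web application path is read from SharePoint rather than guessed from the site name. The CA web.config from Task 3 can be added to the same list. Web.config edits made this way are not tracked by SharePoint, so they must be repeated when a server is added or a web application is re-provisioned.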

Phase 5: Test to see whether FBA works

Before testing FBA, we need to make sure that Windows Authentication still works after the web.config edits, and then grant one of the forms-based user accounts access to the site.

Task 1: Verify that the new Site Collection can be accessed using Windows Authentication

  1. Enter the URL of the new Site Collection. In my case, http://teamserver:8080
  2. You will be taken to the default sign in page.
  3. Select Windows Authentication from the drop down and make sure you get access to the new site collection we just created.

Task 2: Grant access to forms-based users

  1. While you are logged in as Administrator using Windows Authentication, select Site Actions -> Site Permissions.
  2. Select Grant Permissions from the Grant group in the ribbon.
  3. In the Grant Permissions dialog box, select the Browse button.
  4. In the Select People and Groups – Webpage Dialog, enter the forms-based user name in the Find field and click the Search button. I’m searching for the Joy user I created earlier in Phase 2.
  5. The Joy user appears under the User: Forms Auth category; the People Picker resolved the name through the membership provider registered in the web application’s web.config in Phase 4. Select the user, click the Add -> button and click OK.
  6. Select the Contribute group from the Grant Permission dialog box and click OK.
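The same grant from Windows PowerShell, which also shows how SharePoint stores forms principals as encoded claims. This is an added example, not part of the original post; it assumes the site collection at http://teamserver:8080, the provider names from Phase 3, and the user Joy and role Users created in Phase 2.

```powershell
# Added example (not from the original post). Assumptions: site URL, provider
# names, user and role as stated in the lead-in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Forms principals are stored as encoded claims: "i:0#.f|" marks a forms identity
# claim and "c:0-.f|" a forms role claim; the next segment is the provider name
# in lower case; the last is the user or role name as the provider knows it.
$userClaim = "i:0#.f|aspnetsqlmembershipprovider|joy"
$roleClaim = "c:0-.f|aspnetsqlroleprovider|users"

$web = Get-SPWeb "http://teamserver:8080"
try {
    $contribute = $web.RoleDefinitions["Contribute"]
    foreach ($claim in @($userClaim, $roleClaim)) {
        # EnsureUser resolves the claim through the membership/role provider and
        # throws when the provider does not know the name, so a typo in the
        # provider or user name fails here instead of at the user's first sign-in.
        $principal  = $web.EnsureUser($claim)
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($principal)
        $assignment.RoleDefinitionBindings.Add($contribute)
        $web.RoleAssignments.Add($assignment)
    }

    # Check: the forms principals and the permission levels they now hold.
    $web.RoleAssignments |
        Where-Object { $_.Member.LoginName -like "*.f|*" } |
        ForEach-Object {
            "{0} -> {1}" -f $_.Member.LoginName,
                (($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", ")
        }
}
finally {
    $web.Dispose()
}
```

Granting the role claim rather than individual users means membership is managed in the user store: anyone the role provider places in the Users role gets Contribute without a further SharePoint change, and removing them from the role revokes it.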

Task 3: Test to see whether we can login using FBA

  1. Open a new browser window and enter the URL of the new Site Collection. In my case, http://teamserver:8080
  2. You will be taken to the default sign in page.
  3. Select Forms Authentication from the drop down and it will take you to a sign in page in which you can enter user name and password.
  4. Enter user name and password for the forms user and click Sign In button.
  5. You are now logged in as Joy, who is a forms-based user.

Closing Note: Configuring forms-based authentication is a bit difficult the first time, but once you have done it a few times you will not run into issues.