Presentation transcript: “Welcome to SharePoint Saturday—The Conference”
Slide 1: Welcome to SharePoint Saturday—The Conference
Real World Claims in ADFS and SharePoint 2010 (Sat-S2C-104)
Architect – Level 500
Thomas “Doc” Carpe, Liquid Mercury Solutions (Colossus Consulting)
Slide 2: Welcome to SharePoint Saturday—The Conference
Thank you for being a part of the first SharePoint Saturday conference
Please turn off all electronic devices or set them to vibrate.
If you must take a phone call, please do so in the hall so as not to disturb others.
Open wireless access is available at SSID: SPSTC2011
Feel free to “tweet and blog” during the session
Thanks to our Diamond and Platinum Sponsors:
Slide 3: Introduction
About Me
  15 years with MS products: Commerce Server, Site Server, Office Web Services, CMS, BizTalk, and SharePoint
  MCPD SharePoint 2010, MCTS MOSS 2007
  @thomascarpe on Twitter
My Company
  Est. 2005, Baltimore, MD
  MS Gold Partner (since 2010)
  SharePoint specialists, dev focus
  10 staff, 6 technical, growing
Slide 4: What do I mean by “Real World Claims”?
Claims Based Authentication
  I’m not talking about just a development box
  Practical application, not just theory
  Refers to promises made, not just the technical definition
Slide 5: Goals
Deepen your awareness and understanding
  What’s possible?
  What to beware?
Whatever it may seem, I don’t want to scare you away from ADFS or Claims Based Auth.
  Despite obstacles, there is much to be gained
  What are the opportunities?
Let’s Share and Have Some Fun!
Slide 6: What I’m Not Covering
Ground well covered elsewhere
  What’s Claims, what’s it for?
  How to configure ADFS and SharePoint
  I have 120+ pages of walkthroughs and docs(!)
  If you want details, buy my book… read my blog
  Pure AD to AD federation
Things too complicated for just an hour
  We’re not gonna develop code “live” here today
  Configuring ADFS for Office 365 or Azure
  ADFS farm configuration
Slide 7: SP+ADFS: Major Pain Points
Setup is complex and prone to human error
  Even a simple ADFS / SharePoint setup is 60+ manual steps
  Many assumptions that the underlying infrastructure is correct
  Client requirements drive every install to be unique
Tools are not very well developed
  Some community tools, all very new
  Code solutions and PowerShell exist, with errors, caveats and limits
  The best code would combine the good parts from several sources
Slide 8: SP+ADFS: Major Pain Points
Many configuration patterns are still unproven
  So far, [mostly] only adopted by very large organizations
  Has yet to catch on in the mainstream
  Less variety + less testing = less support
Troubleshooting is difficult
  One symptom can have myriad causes
  Error messages aren't very informative
Even when you get it working, you’re not done
  Functional shortcomings
  Business challenges
Slide 9: Common PROBLEMS & APPROACHES
Real World Claims in ADFS and SharePoint 2010
Slide 10: The Essential Checklist
Checked that SharePoint is SP1 with the June CU Refresh? Previous versions of SharePoint had various issues.
Certificates in ADFS with incorrect/unsupported settings? Just because it let you add them in ADFS does not make them valid. Restart the ADFS service and check the event log for event 133.
All your certificates in good order – not expired? If you don't have good PKI, ADFS and claims aren't going to work.
Slide 11: The Essential Checklist
Does the ADFS service account have access to the private keys? Restart the ADFS service and check the event log. This one also causes event 133. Check the ACLs using Certificate Manager.
Accounted for all AAMs – even in extended web apps? Each one represents a possible Relying Party – or at least a realm identifier – that’s needed.
Does every Provider Realm identifier and URL – including the default realm identifier – have a corresponding RP in ADFS with a matching realm identifier and endpoint URL? This is fertile ground for typos or just plain missing entries. Map them out and be certain.
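The AAM-to-realm-to-RP mapping the checklist asks you to draw out can be produced rather than done by hand. The script below is an added example, not from the talk or from Liquid Mercury; it takes an export of the ADFS relying party trusts (made on the ADFS server, path assumed) and, in the SharePoint 2010 Management Shell, reports for every AAM which realm SharePoint will send, whether an RP with exactly that identifier exists, and whether that RP's WS-Federation endpoint is the AAM's /_trust/ URL with its trailing slash.

```powershell
# Added example, not from the talk. Cross-checks every AAM of every claims web app against the
# trusted identity provider's realms and an export of the ADFS relying party trusts.
# Step 1 (ADFS server, once; export path is an assumption):
#   Add-PSSnapin Microsoft.Adfs.PowerShell
#   Get-ADFSRelyingPartyTrust | Select-Object Name, Identifier, WSFedEndpoint | Export-Clixml C:\temp\rp.xml
# Step 2 (SharePoint 2010 Management Shell): run this script with that file.
param(
    [Parameter(Mandatory = $true)][string]$RpExport,    # path of rp.xml from step 1 (assumed)
    [Parameter(Mandatory = $true)][string]$IssuerName   # name of the SPTrustedIdentityTokenIssuer (assumed)
)
$rps    = Import-Clixml $RpExport
$issuer = Get-SPTrustedIdentityTokenIssuer $IssuerName
$report = New-Object System.Collections.ArrayList

# Every AAM (default and extended zones alike) is a URL SharePoint may send users back to.
$aams = Get-SPWebApplication | Where-Object { $_.UseClaimsAuthentication } |
        ForEach-Object { Get-SPAlternateURL -WebApplication $_ }

foreach ($aam in $aams) {
    $url    = $aam.PublicUrl.TrimEnd('/')
    # Realm SharePoint puts in wtrealm: the ProviderRealms entry for this URL, else the default realm
    $realm  = $issuer.DefaultProviderRealm
    $source = 'DefaultProviderRealm'
    foreach ($entry in $issuer.ProviderRealms.GetEnumerator()) {
        if ($entry.Key.AbsoluteUri.TrimEnd('/') -ieq $url) { $realm = $entry.Value; $source = 'ProviderRealms' }
    }
    # ADFS needs an RP whose identifier list contains exactly this realm (a typo here means no match) ...
    $rp = $rps | Where-Object { $_.Identifier -contains $realm } | Select-Object -First 1
    if (-not $rp) { $status = 'MISSING: no RP in ADFS with this realm identifier' }
    else {
        # ... and whose WS-Federation endpoint is this URL's /_trust/, trailing slash included
        $endpoint = [string]$rp.WSFedEndpoint
        if     ($endpoint -ieq "$url/_trust/") { $status = 'OK' }
        elseif ($endpoint -ieq "$url/_trust")  { $status = 'ENDPOINT MISSING TRAILING / (expect HTTP 405)' }
        else                                   { $status = "ENDPOINT MISMATCH: $endpoint" }
    }
    [void]$report.Add((New-Object PSObject -Property @{
        Zone = $aam.UrlZone; Url = $url; Realm = $realm; RealmSource = $source
        RelyingParty = $(if ($rp) { $rp.Name } else { '' }); Status = $status }))
}
$report | Format-Table Zone, Url, Realm, RealmSource, RelyingParty, Status -AutoSize
```

An ENDPOINT MISMATCH row is not always wrong (one RP can serve several AAMs only if they share a realm), but every MISSING row and every missing trailing slash needs fixing before the login will work.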
Slide 12: Famous Last Words…
“Klaatu Barada Nnn.. Necktie, Neckturn, Nickel. It's an "N" word, it's definitely an "N" word! Klaatu... Barada... N*cough*rrmmffnnmm”
“Well maybe I didn't say every single tiny little syllable, but yeah, I said them. Basically.”
– Bruce Campbell as Ash
Slide 13: Trouble on the Road Ahead?
When the user logs in, does the DNS name for SharePoint match the DNS name of the RP endpoint URL exactly? Some (though not all) configurations where the RP returns the user to a different URL than they left from can result in cookie looping or other problems.
Do your ADFS and SharePoint live in different DNS domains? Done properly this shouldn’t be a problem, but complex configurations like this often lead to issues.
Slide 14: Trouble on the Road Ahead?
Is Kerberos working on the ADFS web site? Chances are that if Kerberos isn’t working, ADFS will give you issues – if not now, then eventually.
Load balancer in front of SharePoint or ADFS? A load balanced configuration increases the chances that the user will return to a different SharePoint machine than they left, or that when one machine goes down they’ll be redirected to another one. Improper load balancer configuration can cause intermittent authentication problems, and absolutely makes troubleshooting anything an order of magnitude more difficult.
Slide 15: Specific Configuration Issues / Solutions
For “TrustedMissingIdentityClaimSource”:
  Does the RP pass through all 3 required claims?
  If you have an IdP besides AD, is ADFS configured to pass the 3 claims *out* of it as well?
  Is the Trusted ID Provider in SharePoint configured to accept them by the same names?
For “The root of the certificate chain is not a trusted root authority”:
  Did you add the whole chain of authority as Trusted Root Authority in SharePoint?
  Can you confirm that the cert used by SharePoint’s Trusted Identity Provider is one of the ones you added to the Trusted Root Authority collection?
Slide 16: Specific Configuration Issues / Solutions
For error ID4014:
  Does the RP’s encryption setting match the settings in the SharePoint web application’s configuration file?
For errors ID1024 & ID1039:
  Did you give the SharePoint application pool rights to *SharePoint’s* token encryption certificate private key?
  If you’re sure you did, you may need to give IIS_IUSRS rights to the “C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys” folder – or hack ACLs for certificates.
Slide 17: Custom WIF Provider Code Problems
Wrong .NET Framework version (WIF should usually be 4.0)
CryptographicException
  Incorrect “Load User Profile” application pool setting (should be true)
  Insufficient file system ACLs; use auditing or filemon
Failure to provide all required claims
  Optional claim that’s actually required by SharePoint, where the provider does not give you an
  Roles when the user is not in any groups; set a default
  Calling a claim by the wrong schema URL
Malformed or incorrect response URL
  HTTP 503: Failed to translate/map the Issuer URI
  HTTP 405: Missing a solidus (/) at the end
Slide 18: Gotcha #1 – Incompatible Certificate Requests
Limited configuration choices
  Only use the “MS DH SChannel” and “MS RSA SChannel” crypto providers
  SHA-1 and SHA-256 hashes supported – not SHA-384 or SHA-512
  Private keys must be exportable
On a Windows Certificate Authority
  Best to use only Windows 2003 Server compatible templates
  Specific Windows Server 2008 templates *may* work; too much chance they won’t
Best Practice: Test certs ASAP by restarting the ADFS service
  Any issues will produce event 133 right away
  Rush ahead without testing at your own risk!
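The certificate questions on the checklist (expired? can the ADFS service account read the private key?), the ID1024/ID1039 private-key rights for the SharePoint application pool, and the provider/hash/exportability limits in this gotcha can all be checked on one certificate with the script below. It is an added example, not from the talk or from Liquid Mercury; the thumbprint and the identities to check are inputs you supply, and it assumes the key is a CryptoAPI (CSP) key, which is what the two SChannel providers produce.

```powershell
# Added example, not from the talk. Audits one certificate in LocalMachine\My against the requirements
# above (not expired, SHA-1/SHA-256 only, SChannel CSP, exportable) and reports who can read its private
# key file. Run elevated on the ADFS or SharePoint server that holds the key.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,   # thumbprint of the cert to audit (assumed input)
    [string[]]$RequiredReaders = @()                     # e.g. 'CONTOSO\svc-adfs' or an app pool identity (assumed)
)
$findings = New-Object System.Collections.ArrayList
$cert = Get-Item "Cert:\LocalMachine\My\$($Thumbprint -replace '\s','')" -ErrorAction Stop

$now = Get-Date
if ($cert.NotAfter -lt $now)  { [void]$findings.Add("Expired on $($cert.NotAfter)") }
if ($cert.NotBefore -gt $now) { [void]$findings.Add("Not valid before $($cert.NotBefore)") }

# ADFS 2.0 accepts SHA-1 and SHA-256 signatures, not SHA-384/SHA-512
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -match 'sha(384|512)') { [void]$findings.Add("Unsupported signature hash: $sigAlg") }

if (-not $cert.HasPrivateKey) { [void]$findings.Add('No private key on this machine') }
else {
    try {
        # .PrivateKey works only for CryptoAPI (CSP) keys; a CNG/KSP key throws here, which is a
        # finding in itself because the SChannel providers named above are CSPs.
        $csp = $cert.PrivateKey.CspKeyContainerInfo
        $ok  = 'Microsoft RSA SChannel Cryptographic Provider', 'Microsoft DH SChannel Cryptographic Provider'
        if ($ok -notcontains $csp.ProviderName) { [void]$findings.Add("Unsupported CSP: $($csp.ProviderName)") }
        if (-not $csp.Exportable)               { [void]$findings.Add('Private key is not exportable') }

        # Machine keys are files under ProgramData\Microsoft\Crypto (RSA or DSS folder) named after the
        # key container's unique name, so their ACLs can be read with Get-Acl like any other file.
        $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $csp.UniqueKeyContainerName -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $keyFile) { [void]$findings.Add("Key file $($csp.UniqueKeyContainerName) not found") }
        else {
            $read = [System.Security.AccessControl.FileSystemRights]::Read
            $acl  = Get-Acl $keyFile.FullName
            foreach ($who in $RequiredReaders) {
                # Direct ACEs only: access inherited through group membership is not resolved here
                $ace = $acl.Access | Where-Object { $_.IdentityReference.Value -ieq $who -and
                        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $read) -eq $read) }
                if (-not $ace) { [void]$findings.Add("$who has no Allow/Read ACE on $($keyFile.FullName)") }
            }
        }
    } catch [System.Security.Cryptography.CryptographicException] {
        [void]$findings.Add("Private key is not a usable CSP key (CNG key, or caller lacks access): $($_.Exception.Message)")
    }
}
New-Object PSObject -Property @{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; Findings = $findings.ToArray() }
```

An empty Findings list means the certificate passes every check the slides name; restarting the ADFS service and watching for event 133 remains the final word.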
Slide 19: Gotcha #2 – The Dreaded Cookie Looping Issue = Can't Log In
Lots of causes, few are easy to rule out
Things you *can* check
  SharePoint is old – needs SP1 + June CU Refresh
  The AAM URL that matches your RP realm identifier is not your Public URL for that zone
  RP realm identifiers missing or wrong in either SP or ADFS
  Ensure TokenLifetime in ADFS >= LogonTokenCacheExpirationWindow in the SharePoint STS
  There’s an underscore in the SharePoint URL (O Rly? Yea Rly.)
Slide 20: Gotcha #2 – The Dreaded Cookie Looping Issue (cont.)
Things that are more difficult to prove
  SSO and cookie handler settings: should the domain attribute be added to ADFS or SP?
  Improperly configured NLB on multi-server ADFS and/or SharePoint
  DNS or IP address shifts happening behind the scenes
  Are we returning to a different SharePoint server than the one that sent us to ADFS?
Spooky behaviors
  When the user adds/drops VPN, switches from NIC to Wi-Fi, or switches from internal to public IPs – even on single server configurations
  When ADFS and SharePoint live in different DNS domains
  And more...
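The TokenLifetime versus LogonTokenCacheExpirationWindow item from the previous slide is one of the few loop causes that can be tested mechanically. The script below is an added example, not from the talk or from Liquid Mercury; it reads the same kind of relying party export used for the realm check (made on the ADFS server, path assumed, this time including TokenLifetime), compares each RP's effective lifetime with the SharePoint STS window, and returns the remediation commands for any RP at risk without running them.

```powershell
# Added example, not from the talk. Flags relying parties whose ADFS token lifetime is not longer than
# SharePoint's LogonTokenCacheExpirationWindow, the combination that sends users back to ADFS in a loop.
# Export on the ADFS server first (path is an assumption):
#   Add-PSSnapin Microsoft.Adfs.PowerShell
#   Get-ADFSRelyingPartyTrust | Select-Object Name, TokenLifetime | Export-Clixml C:\temp\rp.xml
# Then run this in the SharePoint 2010 Management Shell.
param([Parameter(Mandatory = $true)][string]$RpExport)

# TimeSpan; 10 minutes out of the box
$window = (Get-SPSecurityTokenServiceConfig).LogonTokenCacheExpirationWindow

foreach ($rp in Import-Clixml $RpExport) {
    # ADFS 2.0 stores 0 for "use the default", and that default is 60 minutes (assumption stated here)
    $minutes  = if ($rp.TokenLifetime -gt 0) { $rp.TokenLifetime } else { 60 }
    $lifetime = New-TimeSpan -Minutes $minutes
    # SharePoint treats a token as expired once its remaining validity is less than the window, and the
    # token has already aged by the time SharePoint checks it, so equality is not enough in practice.
    $atRisk = $lifetime -le $window
    New-Object PSObject -Property @{
        RelyingParty  = $rp.Name
        TokenLifetime = $lifetime
        StsWindow     = $window
        Status        = $(if ($atRisk) { 'LOOP RISK' } else { 'OK' })
        Remediation   = $(if ($atRisk) {
            "Set-SPSecurityTokenServiceConfig -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 1); " +
            "on ADFS: Set-ADFSRelyingPartyTrust -TargetName '$($rp.Name)' -TokenLifetime 10"
        } else { '' })
    }
}
```

The suggested values (a 1 minute window and a 10 minute token) are one commonly used pairing, not the only valid one; what matters is that the token outlives the window with room to spare.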
Slide 21: Gotcha #3 – Performance Anxiety
“Your SharePoint’s not slow! It’s taking a much needed repose.”
Slide 22: Gotcha #3 – Performance Anxiety
ADFS and SharePoint are both IIS applications that can fall asleep for various reasons
  To keep everything awake you have to hit every ADFS server and every SharePoint WFE
  Some solutions don’t yet support claims based web sites
Delays caused by the Certificate Authority
  Long chain of authority
  Certificate Revocation Lists
  Unusual or new configuration: CA Web Services, load balanced CA farms
  Multiple firewalls
Slide 23: Gotcha #3 – Performance Anxiety (cont.)
3rd party claim provider delays
In-House Custom Queries
  AD might be fast, but what about that custom PeopleSoft query to Oracle that your junior programmer wrote?
  If you're hitting a service on your network, performance may vary widely depending on server loads and overall network traffic
Is it “The Cloud” – or just “The Fog”?
  There's lots of “stuff” between you and the cloud. (Air? Angry Birds?) When using a service over the Internet, don’t expect it to be consistently fast.
  There may be obstacles between your users and the claim provider that don't exist between you and the claim provider.
Slide 24: Real World Claims in ADFS and SharePoint 2010
EVEN IF YOU WIN, YOU LOSE!
Slide 25: Shortcomings that Annoy Users
Can't log out
Can’t switch users
It makes adding new users a pain
Double realm selector = annoying
Some SharePoint features aren’t claims compatible
  WebDAV (Explorer View)
  A variety of third party products
  Others?
Slide 26: Shortcomings that Annoy Admins & Security Folks
Headaches migrating existing users
Some tools aren’t claims compatible
  Certain PowerShell commands
  Third-party management products
Reliance on cookies
  Replay based attacks force using SSL
  Shoulder surfing attacks – did I mention you can’t log out?
Session based cookies just suck
  They break the Office client
  Thanks to ADFS cookies, they do no good anyway
Slide 27: Shortcomings that Annoy Developers
Some ID providers don't provide all 3 required claims
  Google doesn't (generally) give an
  Many require you to code your own default group
Lots of old non-claims-aware web service code
Singin’ the Custom Claim Picker blues
  Hard to learn / implement
  Laaaaaaaaaag
  “Exceptional circumstances”
Slide 28: “When Life Gives You Lemons…
…don't make lemonade. Make life take the lemons back! Get mad! I don't want your damn lemons, what am I supposed to do with these? Demand to see life's manager! Make life rue the day it thought it could give Cave Johnson lemons! Do you know who I am? I'm the man who's gonna burn your house down! With the lemons! I'm gonna get my engineers to invent a combustible lemon that burns your house down!”
– Cave Johnson
Slide 29: So if it’s So Bad, Why Use It?
Using ADFS / STS with SharePoint does resolve some long standing challenges.
  For users, fewer accounts just makes the world a better place
  Can shift user account management [costs] onto others
  ADFS as a broker means less code, less reliance on PowerShell
  It also means less [re]configuration of SharePoint
  ADFS Proxy is more secure for extranet / public facing web sites
  Sometimes the easiest / only way to integrate with a user DB
  Others I haven’t even thought of…
Slide 30: Why Use It (cont.)
Many of the problems I described have been partially or fully resolved.
  Migrating users – we’ve got a PowerShell for that!
  Can’t log out of SharePoint? We fixed that too!
  Proper architecture preserves access for non-claims-aware applications and tools
Too many realm pickers: multiple solutions
  Have only 1 realm in ADFS + WinAuth, or move entirely to ADFS (no WinAuth) = get by with only 1 realm picker
  Use a custom solution to dynamically pick the realm
Slide 31: Why Use It (cont.)
Development of custom claims pickers
  Pickers greatly simplify adding users to SharePoint
  Standard sources can be used by many clients and ruggedized: AD/LDAP, ASP.net SQL, PeopleSoft
  Truly custom pickers should receive the strongest possible reliability and performance testing
Many security concerns have been mitigated
  SSL is not as expensive as it used to be
  Ability to delete cookies by logging out: user training
  Limit risks through proper network & server configuration
Slide 32: Why Use It (cont.)
New capabilities are emerging rapidly:
Liquid Mercury Code Solutions
  Log out, Realm auto-select, and Self-service cookie delete
  Open ID Secure Token Service – Log in to SharePoint with Google
  Self registration – new user profile page (in progress)
  Standard claims pickers (in progress)
Open Source Projects on Codeplex
  Federation Metadata Editor
  thinktecture StarterSTS and IdentityServer
  Claims Based Identity & Access Control Guide
  Tools / Web Parts for FBA user management
And more arriving every day!
Slide 33: THANKS FOR COMING!
If you liked my presentation, visit our web site at to read the multi-part companion blog series or follow
Real World Claims in SharePoint 2010
QUESTIONS… …or DEMO???
Slide 34: Thanks to Our Other Sponsors!
Slide 35: Session Evaluation
Please complete and turn in your Session Evaluation Form so we can improve future events. Survey can be filled out at:
Presenter: Thomas Carpe
Session Name: Real World Claims
Session No.: Sat-S2C-104