As requirements for a customer project, we need to migrate a SharePoint 2007 (MOSS 2007) from ADAM Authentication to ADSF 2.0 Authentication.
MOSS is configured to use Form Based Authentication (FBA) using ootb LDAP Authentication Provider.
Now, in order to use ADFS to authenticate MOSS users what we need is to install and configure "Microsoft Federation Extensions For SharePoint 3.0".
The setup install an assembly in GAC that is Microsoft.IdentityModel.SharePoint12.dll.
An utility is also provided in order to configure a specific zone of our Sharepoint Web Application.
This utility change the web.config of Central Administration and the web.config of our Web Application, adding information about this new Authentication Provider.
The name attribute is configured as "SharePointClaimsMembershipProvider".
This is the interessed session:
<membership defaultProvider="SharePointClaimsMembershipProvider">
<providers>
<add name="SharePointClaimsMembershipProvider" type="Microsoft.IdentityModel.SharePoint12.SharePointClaimsMembershipProvider, Microsoft.IdentityModel.SharePoint12, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</providers>
</membership>
So the point: in our environment users where configured using a different name as Authentication Provider and we do not want to migrate every users defined in the SharePoint web application. Simply change name attribute of the autnetication provider in both web.config and in the specific session of Central Administration and ... voilĂ ... Web App is broken.
The message is "Cannot Find Default Provider".
But my web.config is configured as follow:
<membership defaultProvider="externalusers">
<providers>
<add name="externalusers" type="Microsoft.IdentityModel.SharePoint12.SharePointClaimsMembershipProvider, Microsoft.IdentityModel.SharePoint12, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</providers>
</membership>
And for me the (only) provider is correctly defined.
So, where is the trick?
I've done rev-eng of the assembly and what I've found is that the Init Method of the class simply call the .base method of MembershipProvider base class using a constant.
This costant is "SharePointClaimsMembershipProvider". So this is the reason of the failure. The init method of the class ignore the name attribute we've defined in web.config and it use the above constant.
To be able to use our own membership provider name you need to change the init method of the Microsoft class to use the name that the .net framework use to inizialize the provider. So I've changed the method in this way.
public override void Initialize(string name, NameValueCollection config)
{
//base.Initialize("SharePointClaimsMembershipProvider", config);
base.Initialize(name, config);
}
There's also another method you need to change. It's "FindUsersByEmail" that also use the constant "SharePointClaimsMembershipProvider".
I've recompiled everything using a different signature file and changing the assembly version.
Finally I was able to use "default" .net framework behaviour whit ADFS and MOSS 2007 ;) and this save me from migrate every users ACL in Sharepoint.
Tuesday, July 30, 2013
HowTo List or Export Installed Windows Updates
In order to retrieve or export installed Windows Updates you need to execute this command using normal Command Prompt (with Admin privilege):
wmic qfe get /format:HTABLE >D:\Temp\InstalledUpdates.htm
All available export format are:
CSV; HFORM; HTABLE; LIST; MOF; RAWXML
Use the one you prefer.
The output should be something like this:
wmic qfe get /format:HTABLE >D:\Temp\InstalledUpdates.htm
All available export format are:
CSV; HFORM; HTABLE; LIST; MOF; RAWXML
Use the one you prefer.
The output should be something like this:
Thursday, July 25, 2013
HowTo Get Query String Parameters using Jscript Function
A simple function that give you ability to retrieve query string parameters client side using javascript.
function getQueryStringParameter( name )
{
name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
var regexS = "[\\?&]"+name+"=([^&#]*)";
var regex = new RegExp( regexS );
var results = regex.exec( window.location.href );
if( results == null )
return "";
else
return results[1];
}
So, in order to retrieve a parameter, just type:
var paramValue = getQueryStringParameter('parameterName');
function getQueryStringParameter( name )
{
name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
var regexS = "[\\?&]"+name+"=([^&#]*)";
var regex = new RegExp( regexS );
var results = regex.exec( window.location.href );
if( results == null )
return "";
else
return results[1];
}
So, in order to retrieve a parameter, just type:
var paramValue = getQueryStringParameter('parameterName');
Wednesday, July 24, 2013
HowTo Change FEDAUTH cookie to be In-Memory Session in SharePoint and Set Lifetime of STS
If you are implementing a Claims SharePoint WebApplication with Form Login and you want to force login after a specific period of time, what you need is to change behavior of Security Token Service (STS).
Changing attributes of <forms> tag inside webapp web.config does not affect because SharePoint manage FEDAUTH cookie internally, based on STS configuration.
By default, SharePoint store this authentication cookie on disk. So the behavior is that when a user close browser after authentication and re-open the same web app, no credential are required. This is due to default UseSessionCookies property value of STS that is $false.
To change this use following PS script:
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
iisreset
This store FEDAUTH cookie in memory.
In order to control timespan for each session you can change STS property in this way.
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.CookieLifetime = (New-TimeSpan -Minutes 5)
$sts.FormsTokenLifetime = (New-TimeSpan -Minutes 5)
$sts.ServiceTokenLifetime = (New-TimeSpan -Minutes 5)
$sts.Update()
iisreset
Changing attributes of <forms> tag inside webapp web.config does not affect because SharePoint manage FEDAUTH cookie internally, based on STS configuration.
By default, SharePoint store this authentication cookie on disk. So the behavior is that when a user close browser after authentication and re-open the same web app, no credential are required. This is due to default UseSessionCookies property value of STS that is $false.
To change this use following PS script:
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
iisreset
This store FEDAUTH cookie in memory.
In order to control timespan for each session you can change STS property in this way.
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.CookieLifetime = (New-TimeSpan -Minutes 5)
$sts.FormsTokenLifetime = (New-TimeSpan -Minutes 5)
$sts.ServiceTokenLifetime = (New-TimeSpan -Minutes 5)
$sts.Update()
iisreset
Monday, July 22, 2013
Create Self Service Certificate for Quality/Test Environment
In order to be able to create a Root Certification Authority and some kind of Child Certificate for test and development environment, you can use Makecert.exe.
These command create:
1- Root CA
makecert -n "CN=My Certificate Root" -a sha1 -r -sv My.pvk MyCA.cer -ss Root -sr localMachine
2 - SSL Binding for IIS
makecert -pe -n "CN=WIN2012VS" -sr LocalMachine -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.1 -iv My.pvk -ic MySSL.cer
3 - Client Cert for IIS Client Authentication
makecert -pe -n "CN=My User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.2 -iv My.pvk -ic MyUser.cer
You can then export pfx of generated Client Cert in order to be able to distribute both Root CA and Client Certificate used for authentication. To do this, use standard Windows Certificate Snap In of MMC.
More info about all available command and switch of Makecert.exe utility please read this article.
Certificate Creation Tool (MSDN)
These command create:
1- Root CA
makecert -n "CN=My Certificate Root" -a sha1 -r -sv My.pvk MyCA.cer -ss Root -sr localMachine
2 - SSL Binding for IIS
makecert -pe -n "CN=WIN2012VS" -sr LocalMachine -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.1 -iv My.pvk -ic MySSL.cer
3 - Client Cert for IIS Client Authentication
makecert -pe -n "CN=My User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.2 -iv My.pvk -ic MyUser.cer
You can then export pfx of generated Client Cert in order to be able to distribute both Root CA and Client Certificate used for authentication. To do this, use standard Windows Certificate Snap In of MMC.
More info about all available command and switch of Makecert.exe utility please read this article.
Certificate Creation Tool (MSDN)
Monday, July 8, 2013
How to Get SharePoint Farm Build Version with PowerShell
This is just a reminder for a PowerShell script that give you exactly Build Version of your SharePoint Farm.
This commandlet is valid for both 2010 and 2013 version of SharePoint.
It return non the level of installed SharePoint build, but the actual running SharePoint version.
This depends to the fact you have run SharePoint Configuration Wizard after a patch installation or not.
Review Database Status using the link in Central Administration:
http://sharepointCAUrl:port/_admin/DatabaseStatus.aspx
The command is (Open SharePoint Management Shell as Farm Admin):
(Get-spfarm).buildversion
The Output should be like this:
Major Minor Build Revision
----- ----- ----- --------
14 0 6134 5000
This commandlet is valid for both 2010 and 2013 version of SharePoint.
It return non the level of installed SharePoint build, but the actual running SharePoint version.
This depends to the fact you have run SharePoint Configuration Wizard after a patch installation or not.
Review Database Status using the link in Central Administration:
http://sharepointCAUrl:port/_admin/DatabaseStatus.aspx
The command is (Open SharePoint Management Shell as Farm Admin):
(Get-spfarm).buildversion
The Output should be like this:
Major Minor Build Revision
----- ----- ----- --------
14 0 6134 5000
Subscribe to:
Posts (Atom)