Tuesday, October 28, 2014

Set Cache Super Reader and Super User Accounts for SharePoint with Claims and ADFS as Identity Provider

This is the script I've used to set up the Cache Super User and Cache Super Reader accounts for a web application whose authentication settings use Claims with ADFS as the identity provider (IDP).
These two accounts are very important for a SharePoint web application: if they are not set up correctly, every user accessing the web application will most likely get an Access Denied error.
Both accounts must also be added to the web application's user policy ("Policy for Web Application"), the super user with Full Control and the super reader with Full Read.

Here's the script. Be careful: the claims principals and the encoded super user / super reader strings must match your IDP configuration. In my case windowsaccountname (samAccountName) was used as the identity claim (name identifier).

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Web application URL and trusted identity provider name: replace the placeholders with your own values
$webappurl = "https://portal.example.local"
$mgr = Get-SPClaimProviderManager
$tp = Get-SPTrustedIdentityTokenIssuer -Identity "IDPName"

# Super user: build the claims principal for the trusted IDP and encode it the way SharePoint stores it
$superuser = "NewSPCacheSUser"
$superuserclaim = New-SPClaimsPrincipal -ClaimValue $superuser -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -TrustedIdentityTokenIssuer $tp
$superuserclaimstring = $mgr.EncodeClaim($superuserclaim)

# Super reader: same claim type (windowsaccountname), issued by the trusted IDP
$readuser = "NewSPCacheSReader"
$readuserclaim = New-SPClaimsPrincipal -ClaimValue $readuser -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -TrustedIdentityTokenIssuer $tp
$readuserclaimstring = $mgr.EncodeClaim($readuserclaim)

$webApp = Get-SPWebApplication $webappurl

# Web application policy: super user gets Full Control
$policy = $webApp.Policies.Add($superuserclaimstring, $superuser)
$policyRole = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
$policy.PolicyRoleBindings.Add($policyRole)
$webApp.Update()

# Web application policy: super reader gets Full Read
$policy = $webApp.Policies.Add($readuserclaimstring, $readuser)
$policyRole = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
$policy.PolicyRoleBindings.Add($policyRole)
$webApp.Update()

# Store the encoded claim strings (not the plain account names) as the cache accounts
$webApp.Properties["portalsuperuseraccount"] = $superuserclaimstring
$webApp.Properties["portalsuperreaderaccount"] = $readuserclaimstring
$webApp.Update()
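Because a mismatch between the stored cache account strings and the web application policies is what produces the Access Denied for everyone, here is an added verification script (not part of the original post) that checks both properties are encoded claims, decodes them back to the IDP-issued claim, and confirms a matching policy with the expected role exists. The web application URL is a placeholder you must replace.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webappurl = "https://portal.example.local"   # placeholder: your web application URL
$webApp = Get-SPWebApplication $webappurl
$mgr = Get-SPClaimProviderManager

function Test-CacheAccount {
    param(
        [string]$PropertyName,
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]$ExpectedRole
    )
    $encoded = $webApp.Properties[$PropertyName]
    if ([string]::IsNullOrEmpty($encoded)) {
        Write-Warning "$PropertyName is not set"
        return $false
    }
    # Encoded identity claims start with "i:0"; a plain DOMAIN\user value here means
    # the property was filled with a Windows account instead of an encoded claim.
    if (-not $encoded.StartsWith("i:0")) {
        Write-Warning "$PropertyName ('$encoded') is not an encoded claim string"
        return $false
    }
    # Decode so you can eyeball value and issuer against the IDP configuration
    $claim = $mgr.DecodeClaim($encoded)
    Write-Host ("{0}: value={1} issuer={2}" -f $PropertyName, $claim.Value, $claim.OriginalIssuer)

    # The policy entry must use exactly the same encoded string
    $policy = $webApp.Policies | Where-Object { $_.UserName -eq $encoded }
    if ($null -eq $policy) {
        Write-Warning "No web application policy found for $encoded"
        return $false
    }
    $role = $policy.PolicyRoleBindings | Where-Object { $_.Type -eq $ExpectedRole }
    if ($null -eq $role) {
        Write-Warning "Policy for $encoded does not grant $ExpectedRole"
        return $false
    }
    return $true
}

$superOk  = Test-CacheAccount "portalsuperuseraccount"   ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
$readerOk = Test-CacheAccount "portalsuperreaderaccount" ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
if ($superOk -and $readerOk) { "Cache accounts and web application policies are consistent" }
else { "Fix the warnings above before users start getting Access Denied" }
```

Run it in the SharePoint Management Shell on a farm server after the configuration script above; the decoded issuer should be your trusted IDP, not a Windows or forms provider.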