Introduction
There is a lot of hype about claims based authentication, and unfortunately a lot of confusing jargon. Our goal in this post is to explain what claims based authentication means in plain English. This includes what it enables, and what it doesn’t enable. We are going to try our hardest not to use any technical terminology beyond the bare minimum.
ASPHostCentral.com, as the premier Sharepoint Foundation 2010 Hosting provider, proudly provides this article to any Sharepoint users and certainly we hope it can help you digest the new feature in Sharepoint 2010 Services. For those of you who are looking to host Sharepoint 2010, you can always start with ASPHostCentral.com as the cost is as low as $9.99/month only!
What is authentication?
Authentication is the process of determining if someone is who they claim to be. It answers the question “Who is this guy really?”
In the Microsoft world, authentication is usually performed by Active Directory. For example: I claim to be Tristan, and I prove this to Active Directory by providing my password. Other systems don’t trust me, they trust Active Directory. Active Directory gives systems a bit of data that says “yeah, I personally vouch for this guy. It really is Tristan.”
Now, if everyone used the same Active Directory installation in the same environment, then that’s all we would need. Claims based authentication is not needed in a simple environment like that.
But in the real world, things are different. We face three big challenges:
- Privacy regulations and other pieces of legislation are impacting what kind of information we are allowed to capture and store about users, so in some cases we can’t just demand that people give us all of their personal details.
- Businesses want to interoperate with other businesses, and government organisations want to provide more integrated services to citizens. However, different systems use different authentication systems (not everyone uses Active Directory, and even when they do, they have different instances), and businesses want to integrate in a secure, legally compliant manner.
What does claims based authentication do?
Claims based authentication is designed to address the two challenges mentioned above.
Claims based authentication addresses privacy and other compliance concerns by requesting less specific, less personal information about people, and by trusting other parties or systems to do the “proof of identity” check.
Imagine you have a “sell alcohol to public” ecommerce website, and you are in a country called Fantasyland, where there are only two laws. One of these laws says “alcohol may not be sold to people under 18”, and the other law says “people have a right to privacy and web sites aren’t allowed to track individual people”. (If the law was this simple in real life we wouldn’t need lawyers!)
We’ve got two competing concerns here. Firstly we need to ensure that a user is of legal age, while at the same time we’re not allowed to know who that user is! (Again, I blame the lawyers of Fantasyland).
It turns out that in Fantasyland, the Government has set up a web service that users log on to, which authenticates them based on their citizenId and citizenPassword. It is then able to tell other systems whether a user is above 18 or not, without revealing who that user is.
So we implement our “sell alcohol to public” website by building a claims-aware system. Instead of building the standard “username and password” login mechanisms, we simply ask the Government’s web service to tell us if the user browsing our site is over 18. The claim that our system uses is a “userIsOver18” claim, and the claim value is either yes or no. We simply don’t build any authentication system at all beyond a simple “if (userIsOver18) then...” statement.
By doing this, we address privacy concerns – we don’t know or keep personally identifiable information – while at the same time ensuring that we don’t sell alcohol to someone under 18.
Claims based authentication addresses integration of different systems by allowing communications using open standards, and by providing a platform for developing more specialised ‘identity connectors’ between systems.
What won’t it do for me?
Claims based authentication won’t address the lifecycle management of identity information. You’ll need a broader solution for that, but your solution may integrate with claims based authentication systems. How do you deal with new staff? How do you handle staff who are on long service leave? How do you handle fake accounts? Microsoft would like you to use their Identity Lifecycle Management application for this kind of thing.
We are going to be a little controversial here, and point out what we believe is the biggest limitation of claims based authentication. We believe that what enterprise customers really need is claims based authorization. Claims based authentication may let our system know that a user is a contractor from a partner company, but it alone won’t let me specify a rule that says “all of my company’s financial spreadsheets must not be seen by contractors”. Not only does claims based authentication not provide this capability, but neither do the role-based access controls provided by SharePoint. In fact SharePoint’s role-based access control model itself is too limited to address this. It still needs substantial improvements.
The way industry is addressing this is by producing “entitlement management” systems for specifying access control rules. Microsoft’s current solution, in my opinion, is strongly deficient in this regard. Yes, you can specify per-item permissions for each individual financial spreadsheet. But this imposes such a high maintenance overhead that it is unworkable in practice. In my opinion companies like Oracle are well ahead of Microsoft in this field, but by no means does anyone have a complete turn-key solution.
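The following is an added example, not code from the original post, showing both sides of the argument above in a small relying party: the Fantasyland “userIsOver18” check, where the site never sees a password and only trusts a yes/no claim from the Government's issuer, and the “contractors must not see financial spreadsheets” rule, which the claims infrastructure does not give you and the application has to encode itself. It uses System.Security.Claims (.NET 4.5 and later) rather than the Microsoft.IdentityModel namespaces of the WIF 1.0 / Geneva framework the post refers to; the claim type URIs, the issuer name and the sample claim values are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example, not code from the original post. Uses System.Security.Claims
// (.NET 4.5+) instead of the WIF 1.0 / Geneva namespaces; claim type URIs and
// the issuer name are constructed for illustration.
public static class FantasylandRelyingParty
{
    // Claim types are URIs by convention. Both of these are made up.
    public const string OverEighteenClaim = "http://fantasyland.example/claims/userIsOver18";
    public const string EmploymentClaim   = "http://fantasyland.example/claims/employmentType";

    // The one identity provider this site trusts. In production the trust is
    // anchored in the token signature being validated against the issuer's
    // certificate before any claim is read; here the issuer is simply passed in.
    public const string TrustedIssuer = "https://idp.fantasyland.example/";

    // Simulates what a token handler does after validating a token: turn the
    // claims it carried into a principal, recording who issued each claim.
    public static ClaimsPrincipal PrincipalFromToken(IDictionary<string, string> claims, string issuer)
    {
        var identity = new ClaimsIdentity(
            claims.Select(kv => new Claim(kv.Key, kv.Value, ClaimValueTypes.String, issuer)),
            "Federation");
        return new ClaimsPrincipal(identity);
    }

    // Authentication side: the site never handles a citizenId or password, only
    // the yes/no answer. A claim is only as good as its issuer, so the issuer is
    // checked before the value; a "yes" from anyone else is ignored.
    public static bool IsOverEighteen(ClaimsPrincipal user)
    {
        Claim c = user.FindFirst(OverEighteenClaim);
        return c != null
            && c.Issuer == TrustedIssuer
            && string.Equals(c.Value, "yes", StringComparison.OrdinalIgnoreCase);
    }

    // Authorization side: "financial spreadsheets must not be seen by contractors".
    // Nothing in the claims plumbing expresses this rule; the relying party must.
    // Deny by default: a financial document needs a trusted employmentType claim of
    // "employee", so contractors and users with no such claim are both refused.
    public static bool CanOpen(ClaimsPrincipal user, string documentCategory)
    {
        if (documentCategory != "financial")
            return true;
        return user.HasClaim(c => c.Type == EmploymentClaim
                                && c.Issuer == TrustedIssuer
                                && c.Value == "employee");
    }

    public static void Main()
    {
        var adult = PrincipalFromToken(
            new Dictionary<string, string> { { OverEighteenClaim, "yes" } }, TrustedIssuer);
        var minor = PrincipalFromToken(
            new Dictionary<string, string> { { OverEighteenClaim, "no" } }, TrustedIssuer);
        // Same claim value, but issued by a party the site does not trust.
        var untrusted = PrincipalFromToken(
            new Dictionary<string, string> { { OverEighteenClaim, "yes" } }, "https://untrusted.example/");

        Console.WriteLine("adult can buy:     {0}", IsOverEighteen(adult));
        Console.WriteLine("minor can buy:     {0}", IsOverEighteen(minor));
        Console.WriteLine("untrusted can buy: {0}", IsOverEighteen(untrusted));

        var contractor = PrincipalFromToken(
            new Dictionary<string, string> { { EmploymentClaim, "contractor" } }, TrustedIssuer);
        var employee = PrincipalFromToken(
            new Dictionary<string, string> { { EmploymentClaim, "employee" } }, TrustedIssuer);
        Console.WriteLine("contractor opens financial: {0}", CanOpen(contractor, "financial"));
        Console.WriteLine("employee opens financial:   {0}", CanOpen(employee, "financial"));
    }
}
```

The design point is the issuer check: the relying party keeps no personal data and asks no password, exactly as the post describes, but a claim value is meaningless until you know who vouched for it. The authorization rule in CanOpen is deliberately deny-by-default, so a user with no employment claim at all is treated like a contractor rather than like an employee.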
How is it implemented?
The claims-based authentication implementation has a number of components. In simplified terms, here’s how the pieces of technology fit together:
- From a developer’s point of view, the platform that Microsoft is providing is called the Windows Identity Foundation. This used to be called the Geneva framework. It provides a programming library suitable for building claims-aware applications. This library is also used by SharePoint 2010.
- Active Directory Federation Services implements services to create, accept, and transform tokens that contain claims.
- CardSpace provides a user interface for users to select which “identity card” they wish to use for a particular system.
It can be a little daunting if you're new to SharePoint and tasked with doing something you've never done before. Can it be done in SharePoint? Will doing it break your site or the entire installation? Is doing it so difficult it's not worth doing? Configuring anonymous access is one of those tasks because you're dealing with SharePoint (and ASP.NET indirectly), your site collection (and potentially your database indirectly), IIS, and occasionally the file system.
At the time of writing there are a number of sites and blog posts out there offering instructions on how to configure anonymous access. Some are extremely detailed--and depending on what you're trying to accomplish, unnecessarily so. Others are a bit vague. ASPHostCentral.com presents this article to any Sharepoint users and we certainly hope it can help the community, particularly to those who are using Sharepoint 2010 services. In case you are looking to host your Sharepoint 2010 site, you can always start from as low as $9.99/month only!
What you'll find below is a detailed step-by-step set of instructions for setting up anonymous access for a fully branded web site like http://www.westernaustralia.com/. The anonymous access site gives internet users the ability to browse the site without having to log in and another site allows content editors to post content updates using their domain accounts.
A bit of background information
In brief, the steps below involve 'extending an existing web application' (that's a SharePoint concept) by creating a sister web app from an existing web app. The extended web app will use the same content database as the original and will be configured to support anonymous access. The top-level site of the database will also be configured to support anonymous access. As a final option, I'll show you how to disable all other types of non-anonymous access.
The following tasks should be completed by a server administrator and assume you have already created a web application the normal way (it might be a good idea to ensure it's working before you begin...)
1. Extend an existing web application
- Open the Central Administration console and select the Application Management tab
- Select Create or extend Web application from the SharePoint Web Application Management section
- Select Extend an existing Web application on the next screen
- Select an existing web application to extend
- Modify the description and configure the port and, optionally, the host header
- Set Allow Anonymous to Yes
- Set the Load Balanced URL Zone to Internet (you may choose another zone here if you like but Internet generally means anonymous so it's the best option).
Once you've extended a web application, the new (i.e. extended) application seems to disappear from the Central Administration screens: it won't be listed as a web application and it doesn't appear as an option when selecting a web app. You will, however, get a new directory for the extended web app under inetpub\wwwroot\wss\virtualdirectories\ and a new IIS site; you can also remove the extended site from SharePoint if required.
2. Enable anonymous access on the site's corresponding site collection
Although the site collection will be shared by the existing web application and the anonymous web application, the following steps must be completed via the anonymous web application.
- Browse to the home page of the extended web application
- Select Site Settings --> Modify All Site Settings from the Site Actions drop-down menu
- Under Users and Permissions, select the Advanced permissions link
- Select Anonymous Access from the Settings menu
- Set Anonymous Access to Entire Web site
Sites inherit the permissions of their parent by default so if you have any problems with a specific site you can ensure it's set to inherit permission from here as well (browse to the site settings screen for the relevant site first).
If you can’t see the Anonymous Access menu item, either the web app hasn’t been configured for anonymous access (see above or below) or you’re accessing the site via the default zone instead of the internet zone—you must access the site via the internet zone (at the extended URL).
3. Test
- Browse to the anonymous site in Firefox (or turn off integrated windows authentication if you're using IE); the site should be rendered without the Site Actions menu and other SharePoint controls
- Browse to a SharePoint administration screen (eg. /_layouts/settings.aspx) and you should be prompted to supply login credentials
At this point your site is set up to allow anonymous access but will also prompt you to log in as an administrator if you hit any of the SharePoint screens. This may be desirable but alternatively you may want to lock down external access to your public site; if that's the case, read on...
4. Remove integrated authentication from the anonymous web application (optional)
- Open the Central Administration console and select the Application Management tab
- Select Authentication providers from the Application Security section
- Select the Internet zone (this is the zone specified when the anonymous application was extended).
- Deselect Integrated Windows authentication
- Set Enable Client Integration to No
5. Test
- Browse to the anonymous site in Firefox (restart any open browser windows if you receive a 401 error immediately after completing step 4). The home page should appear as it did previously.
- Browse to a SharePoint administration screen (eg. /_layouts/settings.aspx); you should receive a 401 UNAUTHORIZED HTTP error (which, in this case, is appropriate).
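As an added example (not code from the original post), here is the equivalent of steps 2 through 5 as a small console program against the SharePoint 2010 server object model. Configure() applies the zone and site collection settings of steps 2 and 4; AnonymousStatus() and Verify() repeat the checks of steps 3 and 5 without a browser, so they can be rerun after every troubleshooting change. It assumes it runs on a farm server under a farm administrator account, compiled against the SharePoint server assemblies; the URL is a placeholder for the extended (Internet zone) application, and step 1 (extending the web application) is still done in Central Administration as described above.

```csharp
using System;
using System.Net;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Added example, not code from the original post. Assumes a farm server, a farm
// administrator account and the SharePoint 2010 server assemblies. The URL is a
// placeholder for the extended (Internet zone) web application.
public static class AnonymousAccessCheck
{
    const string InternetUrl = "http://public.example.com"; // placeholder

    public static void Configure(string internetUrl)
    {
        using (SPSite site = new SPSite(internetUrl))
        {
            // Step 4: restrict the Internet zone to anonymous access only.
            SPWebApplication app = site.WebApplication;
            SPIisSettings zone = app.IisSettings[SPUrlZone.Internet];
            zone.AllowAnonymous = true;
            zone.UseWindowsIntegratedAuthentication = false;
            zone.EnableClientIntegration = false;
            app.Update();

            // Step 2: open the root web of the site collection to anonymous users
            // ("Entire Web site"). Child webs inherit unless they break inheritance.
            SPWeb root = site.RootWeb;
            root.AnonymousState = SPWeb.WebAnonymousState.On;
            root.Update();
        }
    }

    // HTTP status an unauthenticated client receives for a URL. Default credentials
    // are switched off explicitly so the check cannot pass only because the current
    // Windows identity was sent silently; that is the same reason the post says to
    // test in Firefox or with integrated authentication turned off in IE.
    public static int AnonymousStatus(string url)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.UseDefaultCredentials = false;
        request.Credentials = null;
        request.AllowAutoRedirect = false;
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            {
                return (int)response.StatusCode;
            }
        }
        catch (WebException ex)
        {
            using (HttpWebResponse error = ex.Response as HttpWebResponse)
            {
                if (error == null) throw; // DNS, connection or timeout failure, not an HTTP status
                return (int)error.StatusCode;
            }
        }
    }

    // Steps 3 and 5: the home page must be served anonymously and the administration
    // page must not. Any other combination points at one of the permission, web.config
    // or publishing problems listed under Troubleshooting.
    public static bool Verify(string internetUrl)
    {
        int home = AnonymousStatus(internetUrl + "/");
        int admin = AnonymousStatus(internetUrl + "/_layouts/settings.aspx");
        Console.WriteLine("GET /                       -> {0} (expected 200)", home);
        Console.WriteLine("GET /_layouts/settings.aspx -> {0} (expected 401)", admin);
        return home == 200 && admin == 401;
    }

    public static void Main()
    {
        Configure(InternetUrl);
        Environment.ExitCode = Verify(InternetUrl) ? 0 : 1;
    }
}
```

If Verify() still reports the old behaviour immediately after Configure(), reset IIS and run it again, as the troubleshooting list above suggests; SharePoint rewrites the extended site's web.config and file permissions when the authentication method changes, so a 401 on the home page at that point usually means the Troubleshooting item about web.config and /bin permissions applies.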
6. Troubleshooting
If you run into difficulties (mainly with 401s and 403s popping up where they shouldn't), these ideas may help:
- Make sure the page you're trying to access is published. It's easy to forget this simple step in all the excitement, but if a page (or image, etc.) doesn't have at least one published version MOSS won't serve it up.
- Reset IIS--it's quick and easy.
- Grant the Read & Execute permission to the Authenticated Users group on the anonymous site's web.config and /bin directory (both can be found below Inetpub\wwwroot\wss\VirtualDirectories); do the same again for the authenticated site. Permissions on these files are reset every time the authentication method is changed in SharePoint.
- Recognise that extending a web app creates a new site in IIS and a corresponding directory under wwwroot with its own web.config. Ensure the newly-created web.config in the extended site contains everything it needs to; ensure any virtual directories and applications are properly configured.
- Redeploy any solutions, features, etc. to make sure everything’s where it needs to be (custom private assemblies in particular).
- It's possible your custom code is doing something that requires elevated permissions. The Visual Studio debugger will help you locate the culprit. If you can't remove the offending code, you can wrap it using a delegate:
using Microsoft.SharePoint;
// Runs the delegate under the application pool identity instead of the (anonymous) caller.
// Create any SPSite/SPWeb objects inside the delegate; objects created outside it keep the caller's permissions.
SPSecurity.CodeToRunElevated elevatedAction =
new SPSecurity.CodeToRunElevated(delegate() { /* code that needs elevated permissions */ });
SPSecurity.RunWithElevatedPrivileges(elevatedAction);
- If necessary, remove the extended web application using the Central Administration console (also remove the IIS site) and start again.
Top Reasons to trust your SharePoint 2010 website to ASPHostCentral.com
What we think makes ASPHostCentral.com so compelling is how deeply integrated all the pieces are. We integrate and centralize everything--from the systems to the control panel software to the process of buying a domain name. For us, that means we can innovate literally everywhere. We've put the guys who develop the software and the admins who watch over the server right next to the 24-hour Fanatical Support team, so we all learn from each other:
- 24/7 Support - We never fall asleep: we run a service that operates 24/7, all year round. Even when everyone is on holiday over Easter or Christmas/New Year, we are behind our desks serving our customers.
- Excellent Uptime Rate - Our key strength in delivering the service to you is maintaining our server uptime rate. We are never happy to see your site go down and we truly understand that it hurts your online business. If your service is down, it is our pain too, and we will look for the right pill to kill the pain ASAP.
- High Performance and Reliable Servers - We never overload our servers with tons of clients. We always load balance our servers to make sure we can deliver an excellent service on high-performance, reliable hardware.
- Experts in SharePoint 2010 Hosting - Given the scale of our environment, we have recruited and developed some of the best talent in the hosting technology that you are using. Our team is strong because of the experience and talents of the individuals who make up ASPHostCentral.
- Daily Backup Service - We realise that your website is very important to your business and hence we never forget to create a daily backup. Your database and website are backed up every night to a permanent remote tape drive to ensure that they are always safe and secure. The backup is always ready and available anytime you need it.
- Easy Site Administration - With our powerful control panel, you can administer most of your site features easily without even needing to contact our Support Team. Additionally, you can also install more than 100 FREE applications directly via our Control Panel in 1 minute!
Happy hosting!
SharePoint Server has become a very popular enterprise application for enhancing collaboration. As the quantity and value of data stored on the SharePoint platform rises, backup and recovery becomes critical, and it proves to be a challenge for administrators.
ASPHostCentral.com, as the premier reliable and the most affordable Sharepoint 2010 hosting provider, proudly presents this article to anyone who is starting to use the Sharepoint 2010 service and hopefully, it can truly help the Sharepoint Community. In case you are looking to host your Sharepoint 2010 site, you can always start from as low as $9.99/month only!
SharePoint offers full farm backup options out of the box: first, the web-based Central Administration backup and restore; secondly, the command-line backup tool stsadm.exe; third, SharePoint Designer.
Unfortunately, these three options have some limitations: no true item-level restore (if a single item needs to be recovered, the entire site must be restored), front-end backups must be run manually, long restore times, frustrating command-line utilities, no backup directly to tape, no backup of custom solution files, no IIS backup, and no alternate access mappings backup.
Because of the intricate nature of SharePoint Server and its vital mission, companies investing in the platform should look for a reliable backup and recovery solution able to provide a complete range of protection. And since the out-of-the-box solution does not offer that level of protection, a third-party solution would be a good investment. This article presents the most notable third-party backup and recovery solutions available on the market. Did I miss anything? What is your choice for SharePoint backup and recovery?
Microsoft has listened to its customers and has delivered a complete solution with System Center Data Protection Manager (DPM).
Data Protection Manager (DPM)
System Center Data Protection Manager delivers unified data protection for Windows servers and clients as a best-of-breed backup & recovery solution from Microsoft, for Windows environments. DPM 2010 provides the best protection and most supportable restore scenarios from disk, tape and cloud — in a scalable, manageable and cost-effective way.
Key Benefits of Data Protection Manager (DPM):
- Recover site collections, individual sites, or an individual document in minutes
- Easy browse and restore of individual sites, documents, lists, ASPX pages, templates, contacts and entire SharePoint databases and systems
- Restore the entire configuration of SharePoint farm including the configuration database, administration content database, and the content databases
- Copy to a network folder or tape for archival purposes
- Restore a single content database to the SharePoint farm