<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/"><channel><title>SSO</title><link>http://blogs.interknowlogy.com/jeffschroeder/category/147.aspx</link><description>SSO</description><dc:language>en-US</dc:language><generator>.Text Version 0.95.2004.111</generator><item><dc:creator>Jeff Schroeder</dc:creator><title>Using Forms Authentication for SharePoint 2007</title><link>http://blogs.interknowlogy.com/jeffschroeder/archive/2007/02/08/11331.aspx</link><pubDate>Thu, 08 Feb 2007 12:40:00 GMT</pubDate><guid>http://blogs.interknowlogy.com/jeffschroeder/archive/2007/02/08/11331.aspx</guid><description>&lt;p&gt;&lt;font face="c" size="2"&gt;Recently I presented on Forms Authentication for SharePoint 2007 at a local event, &lt;/font&gt;&lt;a title="Southern California Code Camp" href="http://socalcodecamp.com" target="_blank"&gt;&lt;font face="c" size="2"&gt;Southern California Code Camp&lt;/font&gt;&lt;/a&gt;&lt;font face="c" size="2"&gt;, and at a local user group, &lt;/font&gt;&lt;a title="San Diego .Net Developers User Group" href="http://sddotnetdg.org" target="_blank"&gt;&lt;font face="c" size="2"&gt;San Diego .Net Developers User Group&lt;/font&gt;&lt;/a&gt;&lt;font face="c" size="2"&gt;.  Code Camp is a free, community-based event held twice a year at two locations, Cal State Fullerton (January) and UC San Diego (June); click on the link above to check out the Code Camp Web page for more info and sign up to receive information about the next event.  The San Diego .Net Developers User Group is a free local user group that meets once a month, on the first Tuesday; click on their link above and check out a meeting.  
Links to my presentation and the web.config files shown in the presentation are below, followed by some additional information on Authentication.&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;a title="Forms Authentication Presentation Materials" HREF="/downloads/jeffschroeder/FormsAuthenticationForSharePoint2007/FormsAuthPresentation.zip" target="_blank"&gt;&lt;font face="c" size="2"&gt;Download: Forms Authentication Presentation Materials&lt;/font&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font face="c" size="2"&gt;What is Authentication?&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;"Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity." (Quoted from &lt;/font&gt;&lt;a title="MSDN - ASP.Net Authentication" href="http://msdn2.microsoft.com/en-us/library/eeyk640h.aspx" target="_blank"&gt;&lt;font face="c" size="2"&gt;MSDN&lt;/font&gt;&lt;/a&gt;&lt;font face="c" size="2"&gt;)&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font face="c" size="2"&gt;What is Authorization?&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;"Authorization determines whether an identity should be granted access to a specific resource." 
(Quoted from &lt;/font&gt;&lt;a title="MSDN - ASP.Net Authorization" href="http://msdn2.microsoft.com/en-us/library/wce3kxhd.aspx" target="_blank"&gt;&lt;font face="c" size="2"&gt;MSDN&lt;/font&gt;&lt;/a&gt;&lt;font face="c" size="2"&gt;)&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;  &lt;/font&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;What Authentication Types are Supported by SharePoint?&lt;/strong&gt; &lt;/font&gt;&lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;In SharePoint 2003, only Active Directory authentication was supported.  New to SharePoint 2007 is the extensible ASP.Net 2.0 Provider Model.  This allows a range of standard authentication types and the ability to create a custom provider.  Listed below are the methods available to authenticate to SharePoint 2007.  Another change from SharePoint 2003 to SharePoint 2007 is Zones. &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;  &lt;/font&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;Windows (Integrated)&lt;/strong&gt; &lt;/font&gt;&lt;/font&gt; &lt;ul&gt; &lt;li&gt;&lt;font face="c" size="2"&gt;NTLM (Local Users or Active Directory) &lt;/font&gt;&lt;/li&gt; &lt;li&gt;&lt;font face="c" size="2"&gt;Kerberos (Requires Active Directory) &lt;/font&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;strong&gt;&lt;font face="c" size="2"&gt;Forms&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;font face="c" size="2"&gt;SQL Membership Provider &lt;/font&gt;&lt;/li&gt; &lt;li&gt;&lt;font face="c" size="2"&gt;Lightweight Directory Access Protocol (LDAP) Provider &lt;/font&gt;&lt;/li&gt; &lt;li&gt;&lt;font face="c" size="2"&gt;Active Directory Provider &lt;/font&gt;&lt;/li&gt; &lt;li&gt;&lt;font face="c" size="2"&gt;Active Directory Application Mode (ADAM) &lt;/font&gt;&lt;/li&gt; &lt;li&gt;&lt;font face="c" size="2"&gt;Custom Provider&lt;/font&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;strong&gt;&lt;font face="c" size="2"&gt;Single Sign-On (SSO)&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;ul&gt; 
&lt;li&gt;&lt;font face="c" size="2"&gt;Active Directory Federation Services (ADFS) &lt;/font&gt; &lt;li&gt;&lt;font face="c" size="2"&gt;Other Identity Management Systems (3rd party)&lt;/font&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;Here is a brief summary of each authentication type listed above.&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="c" size="2"&gt;Windows(Integrated)&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;NTLM&lt;/strong&gt; - Is a challenge-response authentication protocol, which allows a client to prove its identity without sending a password to the server by creating a shared context between the two involved parties, and using a shared session key.  This method is used with Active Directory or local accounts.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;Kerberos&lt;/strong&gt; - Requires a trusted third-party(Active Directory) in order to mediate between two entities that want to authenticate to one another, such as a User and a Resource.  This is done through a ticketing system known as a Key Distribution Center(KDC) which in this case is Active Directory.  By the way, Kerberos communications are encrypted using symmetric cryptography.  Kerberos has some another advantage over NTLM, delegation, it can perform a double-hop which means Entity A can forward(&lt;em&gt;delegate&lt;/em&gt;) a &lt;em&gt;ticket&lt;/em&gt; to Entity B which can then use Entity A's &lt;em&gt;ticket&lt;/em&gt; to authenticate to Entity C.  
Kerberos also scales better for large environments because an Entity doesn't need to request authentication from another Entity to prove its identity; it just needs to send its &lt;em&gt;ticket&lt;/em&gt; to that Entity.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;Forms&lt;/strong&gt; - Uses an authentication ticket created when the user logs on to a site.  The ticket can be contained in a cookie or passed in a query string.  After the initial authentication process, each time a request is received the authentication cookie is retrieved, decrypted and validated against its key.  The user credentials are stored in one of the user stores listed above, or a custom provider can be created to use another type.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;em&gt;&lt;strong&gt;SQL Membership&lt;/strong&gt;&lt;/em&gt; - Accesses user credentials from a SQL Membership Database.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;&lt;em&gt;Lightweight Directory Access Protocol (LDAP)&lt;/em&gt;&lt;/strong&gt; - Accesses user credentials from a non-Microsoft or legacy user store.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;&lt;em&gt;Active Directory&lt;/em&gt;&lt;/strong&gt; - Accesses user credentials from a Microsoft Active Directory user store.  
Can be used to access Active Directory in a different domain or in a hosting scenario.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;&lt;em&gt;Active Directory Application Mode (ADAM)&lt;/em&gt;&lt;/strong&gt; - Accesses user credentials from an application-specific, lightweight version of Active Directory.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;&lt;em&gt;Custom&lt;/em&gt;&lt;/strong&gt; - Accesses user credentials from a custom-defined user store that is not supported by a method above or has specialized features.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;Single Sign-On (SSO)&lt;/strong&gt; - Provides access to resources across domains without the need to provide a credential every time.  The simple answer is that you log in to your domain and, through defined trusts, you can be granted access to various resources outside of your own domain.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;&lt;em&gt;Active Directory Federation Services (ADFS)&lt;/em&gt;&lt;/strong&gt; - Enables secure Single Sign-On between domains to allow Entities from one Domain to access Entities in another Domain.  This can allow Company A to grant access to a resource on its Domain to Company B by creating a Trust Relationship between the companies and allowing specific Entities access to specific resources.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font size="2"&gt;&lt;font face="c"&gt;&lt;strong&gt;&lt;em&gt;Other Identity Management Systems (3rd Party)&lt;/em&gt;&lt;/strong&gt; - Same concept as ADFS, but a 3rd-party solution with a custom SSO module.  
This would provide support for systems such as those made by Novell, RSA Security, IBM, Sun Microsystems, SAP and Computer Associates.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;font face="c" size="2"&gt;What is a Zone?&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;A Zone serves several purposes, which include Load Balancing and Authentication boundaries.  SharePoint&amp;#8217;s authentication model is specified at the Web Application level, which is associated with an IIS web site.  Site Collections and sub-sites are expressed as part of the application tier and have no physical presence on the file system.  If you choose to implement multiple authentication providers, you can extend the Web Application into additional Zones.  Zones allow the site to implement additional authentication providers for the same Web Application.  The Zones available are Default, Intranet, Internet, Extranet and Custom; the default Zone is Default.  A Web Application can use any single Zone or extend to any combination of them.  When extending a Web Application to a new Zone, a new physical IIS web site is created.&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;An important thing to note about Zones and Authentication is that the Default Zone needs to use NTLM in order for the Search Index service to crawl content within a Site Collection.  A Policy also needs to be created on the Web Application to allow the Index account to read all content in that Web Application.&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;We know the ways to authenticate to SharePoint 2007, so what do all these terms mean?  Below are some links on planning your authentication for SharePoint and information about the different types of authentication.  
&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;Plan authentication methods for SharePoint 2007 &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;&lt;a href="http://technet2.microsoft.com/Office/en-us/library/40117fda-70a0-4e3d-8cd3-0def768da16c1033.mspx?mfr=true" target="_blank"&gt;http://technet2.microsoft.com/Office/en-us/library/40117fda-70a0-4e3d-8cd3-0def768da16c1033.mspx?mfr=true&lt;/a&gt;&lt;/font&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;Plan for user accounts and authentication - Authentication Samples &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;&lt;a href="http://technet2.microsoft.com/Office/en-us/library/23b837d1-15d9-4621-aa0b-9ce3f1c7153e1033.mspx" target="_blank"&gt;http://technet2.microsoft.com/Office/en-us/library/23b837d1-15d9-4621-aa0b-9ce3f1c7153e1033.mspx&lt;/a&gt;&lt;/font&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;About Microsoft NTLM Authentication &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;&lt;a href="http://msdn2.microsoft.com/en-us/library/aa378749.aspx" target="_blank"&gt;http://msdn2.microsoft.com/en-us/library/aa378749.aspx&lt;/a&gt;&lt;/font&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;About Microsoft Kerberos Authentication&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;&lt;a href="http://msdn2.microsoft.com/en-us/library/aa378747.aspx" target="_blank"&gt;http://msdn2.microsoft.com/en-us/library/aa378747.aspx&lt;/a&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;Understanding LDAP (Light Weight Directory Access Protocol)&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;&lt;a 
href="http://search.technet.microsoft.com/search/Redirect.aspx?title=Understanding+LDAP+(Light+Weight+Directory+Access+Protocol)&amp;url=http://www.microsoft.com/technet/community/events/network/tnq40004.mspx" target="_blank"&gt;http://search.technet.microsoft.com/search/Redirect.aspx?title=Understanding+LDAP+(Light+Weight+Directory+Access+Protocol)&amp;url=http://www.microsoft.com/technet/community/events/network/tnq40004.mspx&lt;/a&gt;&lt;/font&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;LDAP Query Basics &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;&lt;a href="http://search.technet.microsoft.com/search/Redirect.aspx?title=LDAP+Query+Basics&amp;url=http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/ldapquery.mspx" target="_blank"&gt;http://search.technet.microsoft.com/search/Redirect.aspx?title=LDAP+Query+Basics&amp;url=http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/ldapquery.mspx&lt;/a&gt;&lt;/font&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;Blog: Jeff Schroeder - Setting up ADFS for a Web Application (maybe even SharePoint 2007...) 
&lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;&lt;a title="http://blogs.interknowlogy.com/jeffschroeder/archive/2006/10/19/7053.aspx" HREF="/jeffschroeder/archive/2006/10/19/7053.aspx" target="_blank"&gt;http://blogs.interknowlogy.com/jeffschroeder/archive/2006/10/19/7053.aspx&lt;/a&gt;&lt;/font&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;Identity &amp; Access Management: Create Custom Directories with ADAM &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;&lt;a href="http://search.technet.microsoft.com/search/Redirect.aspx?title=Identity+%26+Access+Management%3a+Create+Custom+Directories+with+ADAM+...+&amp;url=http://www.microsoft.com/technet/technetmag/issues/2006/07/CustomDir/default.aspx" target="_blank"&gt;http://search.technet.microsoft.com/search/Redirect.aspx?title=Identity+%26+Access+Management%3a+Create+Custom+Directories+with+ADAM+...+&amp;url=http://www.microsoft.com/technet/technetmag/issues/2006/07/CustomDir/default.aspx&lt;/a&gt;&lt;/font&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;ASP.NET 2.0 Provider Model: Introduction to the Provider Model &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;&lt;a href="http://msdn2.microsoft.com/en-us/library/aa479030.aspx" target="_blank"&gt;http://msdn2.microsoft.com/en-us/library/aa479030.aspx&lt;/a&gt;&lt;/font&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;ASP.Net 2.0 Provider Toolkit Samples &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt;&lt;a href="http://download.microsoft.com/download/a/b/3/ab3c284b-dc9a-473d-b7e3-33bacfcc8e98/ProviderToolkitSamples.msi" target="_blank"&gt;http://download.microsoft.com/download/a/b/3/ab3c284b-dc9a-473d-b7e3-33bacfcc8e98/ProviderToolkitSamples.msi&lt;/a&gt;&lt;/font&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt; &lt;p&gt;&lt;font face="c" size="2"&gt; &lt;/font&gt;&lt;/p&gt;&lt;img src 
="http://blogs.interknowlogy.com/jeffschroeder/aggbug/11331.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>Jeff Schroeder</dc:creator><title>Setting up ADFS for a Web Application (maybe even SharePoint 2007...)</title><link>http://blogs.interknowlogy.com/jeffschroeder/archive/2006/10/19/7053.aspx</link><pubDate>Thu, 19 Oct 2006 14:39:00 GMT</pubDate><guid>http://blogs.interknowlogy.com/jeffschroeder/archive/2006/10/19/7053.aspx</guid><description>&lt;p&gt;&lt;/p&gt; &lt;p&gt;I ran across an article in MSDN Magazine yesterday afternoon that sounds like something to try in SharePoint 2007.  The scenario in the article talked about using ADFS for a Web Application to allow for Single Sign-On and better user management.  I can think of some projects this could apply to.  Has anyone tried this yet?  I going to setup a test environment and see if I can get SharePoint 2007 to work with this. &lt;p&gt;The problem this could potentially solve is Host A has a Web Application and they have multiple partners(Client B, C, D, E, etc..) who want to use their Web Application and they want to authenticate from their home domain.  This means no additional logins, no extra user accounts, and a trust relationship between the domains of Host A and Clients B, C, D, E, etc.  A simplified example is shown in this picture below. 
&lt;p&gt;&lt;A href="http://blogs.interknowlogy.com/downloads/jeffschroeder/SettingupADFSforaWebApplicationmaybeeve_CD4C/ADFSDiagram1.gif"&gt;&lt;img height="137" src="/downloads/jeffschroeder/SettingupADFSforaWebApplicationmaybeeve_CD4C/ADFSDiagram.gif" width="240"&gt;&lt;/a&gt;  &lt;p&gt;  &lt;p&gt;&lt;b&gt;Single Sign-On&lt;/b&gt; - &lt;b&gt;A Developer's Introduction To Active Directory Federation Services&lt;/b&gt; &lt;p&gt;&lt;a href="http://msdn.microsoft.com/msdnmag/issues/06/11/SingleSignOn/default.aspx"&gt;http://msdn.microsoft.com/msdnmag/issues/06/11/SingleSignOn/default.aspx&lt;/a&gt; &lt;p&gt;&lt;b&gt;Identity &amp; Access Management&lt;/b&gt; - Simplify Single Sign-on Using ADFS &lt;p&gt;&lt;a href="http://www.microsoft.com/technet/technetmag/issues/2006/07/Simplify/"&gt;http://www.microsoft.com/technet/technetmag/issues/2006/07/Simplify/&lt;/a&gt; &lt;p&gt;&lt;b&gt;Setting Up ADFS&lt;/b&gt; - Constructing a Lab Environment with Virtual PC &lt;p&gt;&lt;a href="http://pluralsight.com/wiki/default.aspx/Keith/SettingUpADFS.html"&gt;http://pluralsight.com/wiki/default.aspx/Keith/SettingUpADFS.html&lt;/a&gt; &lt;p&gt;  &lt;p&gt;Look for an update to this one later...&lt;/p&gt;</description></item></channel></rss>