CHAPTER 9 Claims-Based Authentication

(Table residue: the authentication methods listed here for SharePoint Server 2010 are Digest, Certificate, NTLM, Kerberos and Claims-Based.)

CBA lets SharePoint Server 2010 authenticate users through Windows Integrated security and through non-Windows identity systems. The key concept is that the web application does not authenticate users itself: it trusts an identity provider that it has been configured to use, and it accepts the claims that provider places in a security token. Any provider that implements the relevant Internet security standards can be used; these are WS-Security, WS-SecurityPolicy, WS-Trust and WS-Federation. Companies therefore have the flexibility to choose their provider, and as long as it complies with these standards SharePoint will support it. CBA supports three different authentication providers out of the box:

Windows Authentication: This includes all the same authentication methods that CMA supports, as listed above.

Forms-Based Authentication (FBA): These methods include LDAP, database or custom membership, and role providers. Note that FBA is only available when you use claims-based authentication.

SAML Token-Based Authentication: These include ADFS 2.0, Windows Live ID, and third-party providers.

CREATING CLAIMS-BASED WEB APPLICATIONS

The following instructions walk you through creating a claims-enabled web application. You will also configure the application to allow anonymous access. Finally, you will add FBA to the application so that you have a dual authentication configuration.

Configuring CBA with Windows Authentication

Begin by configuring CBA with Windows Authentication:

1. Create a new web application using CBA. The process for creating a new web application was discussed in detail in Chapter 4, so it is not repeated here; only the changes specific to enabling CBA are discussed. You must first enable CBA in the Authentication section of the Create New Web Application page in Central Administration. The default is classic mode, so you need to select claims mode. Notice that the Claims Based Authentication option has been selected, as shown in Figure 9-1.

FIGURE 9-1

2. Scroll down to the Claims Authentication Types section and review the options. This section and the Sign In Page URL section are shown in Figure 9-2. Keep the default settings, which are Windows Authentication enabled and NTLM. Note that you can have the web application use a single URL for both Windows Authentication and Forms-Based Authentication by enabling the checkboxes for both methods. This is only possible with CBA; without CBA, you would have to create two different zones.

3. CBA may require users to log in, so they may need to be redirected to a page where they enter their credentials. Do not change the default setting, which is the Default Sign In Page option. Note the option to enter the URL of a custom sign-in page, also shown in Figure 9-2.

FIGURE 9-2

4. Ensure that all the other settings are configured according to your requirements. When finished, click OK. Once the web application has been created, the Application Created page is displayed, as shown in Figure 9-3.

FIGURE 9-3

5. Verify the authentication settings for the web application by browsing to the Web Applications Management page, selecting your claims-enabled web application, and clicking the Authentication Providers button in the Ribbon. The Authentication Providers dialog, shown in Figure 9-4, should be displayed.

FIGURE 9-4

6. Create a new site collection within this new web application using your own preferences. You will be directed to the Top-Level Site Successfully Created page once the process is complete. Browse to your new site collection's top-level site. This completes the process.
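The same result from the SharePoint 2010 Management Shell, as an added example that is not part of the book's text: it creates the claims-based web application with Windows authentication (NTLM), checks the authentication settings as step 5 does, and creates the top-level site collection of step 6. The URL, host header, application pool name, managed account and owner alias are assumptions; replace them with your own values.

```powershell
# Added example (not from the book). Run in the SharePoint 2010 Management Shell
# as a farm administrator. All names and accounts below are assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url        = "http://claims.contoso.local"   # assumed URL, also used as the host header
$appPool    = "SharePoint - Claims"           # assumed application pool name
$poolAcct   = "CONTOSO\sp_apppool"            # assumed managed account (already registered in the farm)
$ownerAlias = "CONTOSO\sp_admin"              # assumed site collection owner

# Step 2 defaults: Windows Authentication with NTLM (-DisableKerberos selects NTLM).
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos

# Step 1: passing -AuthenticationProvider creates the web application in claims mode
# rather than classic mode. The default sign-in page is used, as in step 3.
$wa = New-SPWebApplication -Name "Claims Web Application" `
    -Url $url -Port 80 -HostHeader ([Uri]$url).Host `
    -ApplicationPool $appPool `
    -ApplicationPoolAccount (Get-SPManagedAccount $poolAcct) `
    -AuthenticationProvider $windows

# Step 5: verify the authentication settings instead of reading them off the dialog.
if (-not $wa.UseClaimsAuthentication) {
    throw "$($wa.DisplayName) was created in classic mode; expected claims mode."
}
Get-SPAuthenticationProvider -WebApplication $wa -Zone Default |
    Format-List DisplayName, UseWindowsIntegratedAuthentication, DisableKerberos

# Step 6: create the site collection at the root of the new web application.
New-SPSite -Url $url -Name "Claims Root Site" -OwnerAlias $ownerAlias -Template "STS#0" | Out-Null
Write-Host "Browse to $url and sign in with a Windows account."
```

The check on UseClaimsAuthentication is the scripted form of step 5: a web application created without -AuthenticationProvider comes up in classic mode, and the difference is not obvious from the rest of the output.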
If you used a host header for your web application, you may need to create a DNS entry for it, and you may need to run ipconfig /flushdns on the client after creating the entry.

Configuring Anonymous Access

You can configure your CBA web application to allow anonymous access using the following steps. These steps are similar to those used for SharePoint 2007:

1. Under Application Management in Central Administration, select Manage web applications.

2. Select the web application to be enabled and click the Authentication Providers button on the Ribbon.

3. Click the Default link in the Authentication Providers dialog. This displays the Edit Authentication dialog, shown in Figure 9-5.

FIGURE 9-5

4. Enable anonymous access by selecting the Enable anonymous access checkbox in the Anonymous Access section. Click Save, then close the Authentication Providers dialog.

5. Return to the Web Applications Management page. With your web application selected, click the Anonymous Policy button in the Ribbon. This opens the Anonymous Access Restrictions dialog, shown in Figure 9-6. In the Zones drop-down box, select (All Zones), and in the Permissions section select None - No Policy. These should be the default settings. Note that with no policy the web application imposes no restriction of its own on anonymous users; what they can do is then decided entirely by the site permissions granted in steps 6 through 8. If anonymous users must never be able to change content, Deny Write - Has no write access enforces that at the web application level regardless of site permissions.

FIGURE 9-6

6. Browse to the site collection you created previously in the claims-enabled web application. From the Site Settings page, click the Site Permissions link in the Users and Permissions section. The Permissions page is shown in Figure 9-7.

FIGURE 9-7

7. Click the Anonymous Access button in the Ribbon to display the Anonymous Access dialog, shown in Figure 9-8.

8. Select the Entire Web site option or the Lists and Libraries option, depending on what you wish to make available. For this exercise, select Entire Web site. When finished, click OK.
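The anonymous access configuration above, as an added PowerShell example rather than the book's own steps: it allows anonymous access on the web application's Default zone (steps 1 through 4), leaves the anonymous policy at None - No Policy while listing whatever policies are in place (step 5), and then turns anonymous access on for the entire web site (steps 6 through 8). The URL is an assumption.

```powershell
# Added example (not from the book). Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url  = "http://claims.contoso.local"   # assumed web application and root site URL
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# Steps 1-4: enable anonymous access on the Default zone (the Edit Authentication dialog).
$wa  = Get-SPWebApplication $url
$iis = $wa.IisSettings[$zone]
if (-not $iis.AllowAnonymous) {
    $iis.AllowAnonymous = $true
    $wa.Update()
    $wa.ProvisionGlobally()   # writes the change to IIS on every web front end
}

# Step 5: the anonymous policy stays at "None - No Policy", so no policy is added here.
# List the zone policies so the absence of an anonymous restriction is visible.
"Zone policies for $zone zone:"
$wa.ZonePolicies($zone) |
    Format-Table UserName, @{ Name = "Roles"; Expression = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", " } } -AutoSize

# Steps 6-8: turn anonymous access on for the entire web site at the site level.
$web = Get-SPWeb $url
try {
    $web.AnonymousState = [Microsoft.SharePoint.SPWeb+WebAnonymousState]::On   # "Entire Web site"
    $web.Update()
    "Anonymous state of {0}: {1}" -f $web.Url, $web.AnonymousState
}
finally {
    $web.Dispose()
}
```

Setting AnonymousState to On is the scripted equivalent of choosing Entire Web site; choosing Lists and Libraries instead corresponds to Enabled, after which individual lists must be opened to anonymous users one by one.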
You should see Anonymous Users added to the list of users and groups on the Permissions page, as shown in Figure 9-9. This completes the configuration.

FIGURE 9-8

FIGURE 9-9

Converting to CBA from CMA

You can convert a web application configured for CMA to CBA, but only with PowerShell; there is no option for this in Central Administration. The conversion is one way: once the web application uses CBA, you cannot return it to CMA, so back up the web application and its content databases first. The following commands, run in the SharePoint 2010 Management Shell, complete the conversion:

$ConvertApp = Get-SPWebApplication "http://<web application name>"
$ConvertApp.UseClaimsAuthentication = $true   # a Boolean, not the string "True"
$ConvertApp.Update()
$ConvertApp.MigrateUsers($true)               # rewrite existing Windows accounts in the content databases as claims identities
$ConvertApp.ProvisionGlobally()               # apply the new authentication settings to IIS on every web front end

After the conversion, user identities are stored in claims format (for example i:0#.w|contoso\user rather than contoso\user). The MigrateUsers call rewrites the existing accounts in that format; without it, users who already had permissions in the web application no longer match their entries and lose access.

Configuring Forms-Based Authentication

Using the following instructions, you will enable FBA for your existing claims-enabled website so that both Windows Integrated authentication and FBA are in use.

Enable FBA

Follow these steps to enable FBA:

1. Navigate to the Web Applications Management page, select your claims-enabled web application and click the Authentication Providers button in the Ribbon.

2. Click the Default link in the Authentication Providers dialog. Scroll down in the Edit Authentication dialog until you reach the Claims Authentication Types section. Enable FBA and enter names for the ASP.NET membership provider and the role manager. You can choose your own names or use SQLMembershipProvider and SQLRoleManager. Click Save when you are done and close the Authentication Providers dialog. Remember the names you chose, because you will need to refer to them in the web.config file, and keep in mind that they are case sensitive.

Install and Configure the SQL Server Database

The next step is to create and configure a SQL Server database that will be used for FBA:

1. Open Windows Explorer and navigate to C:\Windows\Microsoft.NET\Framework64\v2.0.50727. Locate aspnet_regsql.exe and run it. This opens the ASP.NET SQL Server Setup Wizard, shown in Figure 9-10.
Click the Next button.

FIGURE 9-10
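The FBA setup above, as an added PowerShell example that is not the book's own code and that goes beyond the wizard step shown here: it creates the ASP.NET membership and role database unattended with the same aspnet_regsql.exe the wizard runs, and then enables FBA next to Windows authentication on the Default zone with the provider names from step 2 of "Enable FBA". The server, database and web application names are assumptions; the web.config entries the book refers to are still required and are not part of this example.

```powershell
# Added example (not from the book). Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url        = "http://claims.contoso.local"   # assumed claims-enabled web application
$sqlServer  = "SQL01"                          # assumed SQL Server instance
$fbaDb      = "FbaAspNetDb"                    # assumed database name
$membership = "SQLMembershipProvider"          # must match web.config exactly; case sensitive
$roleMgr    = "SQLRoleManager"                 # must match web.config exactly; case sensitive

# Unattended equivalent of the ASP.NET SQL Server Setup Wizard:
#   -S server, -E Windows authentication, -d database, -A mr = add membership and role features.
$regsql = Join-Path $env:windir "Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
& $regsql -S $sqlServer -E -d $fbaDb -A mr
if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql.exe failed with exit code $LASTEXITCODE" }

# Step 2 of "Enable FBA": keep Windows (NTLM) and add FBA with the chosen provider names.
$wa      = Get-SPWebApplication $url
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
$forms   = New-SPAuthenticationProvider -ASPNETMembershipProvider $membership `
                                        -ASPNETRoleProviderName $roleMgr

# Both providers on one zone: a single URL serves Windows and forms users, which only CBA allows.
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $forms

# Read the providers back; the forms provider should report the names given above.
Get-SPAuthenticationProvider -WebApplication $wa -Zone Default |
    Format-List DisplayName, MembershipProvider, RoleProvider
```

Two points a practitioner will want before users sign in: the web application's application pool account needs rights on the new database (aspnet_regsql.exe creates the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess database roles for this), and the forms sign-in page posts the password in the request body, so the zone that serves it should be on SSL.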