Why Can't I Access The Portal

Speaker notes

Step by step of how a user authenticates to a SharePoint site, mentioning the .NET virtual path provider and the content database tables with the associated GUIDs, which are derived from the user’s AD SID and SAMAccountName.

Authentication with integrated authentication against AD.

How is your browser set up for passing credentials? IE 6 vs. IE 7 (and 8), Firefox.

The diagram on the slide shows ASP.NET authentication. Also see http://go.spdan.com/iisauth for NTLM/Kerberos and http://go.spdan.com/formsauth for Forms Based Authentication.

Where delegation matters (the double hop): RSS feeds that require cross-site authentication will fail, and delegated credentials are needed to be able to utilize Excel Calculation Services.

It’s so simple, isn’t it? For an individual to access a site that requires certificate authentication, the user first registers with a registration authority (RA); commercial providers such as Verisign, Thawte and Entrust run the RA and certificate authority (CA) functions together. Once the individual has been verified, the CA issues the individual a certificate. In the process of issuing that certificate, the CA publishes the certificate’s status to the validation authority (VA), that is, to its CRL and OCSP responder. When the user connects to the site requiring a certificate, they present their certificate and prove possession of the matching private key (not merely the public key); the site validates the certificate chain and checks its revocation status with the VA, and only then allows the individual access.

Smart card auth with middleware: the card’s certificate is passed to IIS, the UPN in the certificate is mapped to the UPN of the user object in AD, and the user is authenticated. IIS passes the identity to the virtual path provider and SharePoint, and we’re on our way.
    Client certificate required through IIS
    Kerberos token through AD / Windows networking infrastructure
    Client certificate required through ISA
Reference: http://go.spdan.com/SmartCardConcepts

You’re not stove-piped to a single system. How many different user names and passwords do you have within your organization? They probably vary from system to system in what is required: how long the username can be, whether it’s just your e-mail address, what the password complexity is. Call it SSO if you like; it isn’t really, but at the same time all your accounts are linked to one common identity.

All you need is a token with a common identity. It’s linked to your account in the Windows domain through the user principal name, which is a property of the smart card certificate and happens to be the same as your user account’s UPN.

It’s similar to federated identity, but different. It’s merely an identifier. There still has to be a user account on the system linked to it and then integrated with the other systems that want to make use of it. It’s similar to OpenID, Facebook Connect, Google OpenSocial or Microsoft Hailstorm in that it’s a single identity you carry with you everywhere.

A PIN or a passphrase: something short and sweet, but it requires that the token actually be there. No longer do you have to remember whether it’s case sensitive or whether it changed last week or the day before. So what about the PIN being compromised? Typically there’s a policy around this: a few wrong PIN entries and the card is physically locked, so it can’t be used anywhere else.

A reader is required. You’ve already required that the token be present; now you’re also requiring additional standards-based hardware before anyone can authenticate. If some low-lying scum steals your card and thinks they’re going to cash in on it, more than likely they won’t have a card reader, so they won’t necessarily get into your identity; the card locks after a few bad PINs, and all is well.

A trusted certificate: on that card there’s a little more than meets the eye. More than likely, to associate the card with a particular organization, the certificate on the card chains to the organization’s certificate authority, establishing a community of trust.

Rather intensive work for the server to handle certificates.
Requires Active Directory.
OCSP = Online Certificate Status Protocol
CRL = Certificate Revocation List


Why Can't I Access The Portal - Presentation Transcript

  1. Why can’t I access the portal?
    SharePoint Authentication 101
    Dan Usher
    25 July 2009
  2. Agenda
    Introductions
    A brief primer on A&A history
    Approaches to Authentication with SharePoint
    Extending into the Extranet
    What works best and where?
    Pain Points
    Worst Practices to Avoid
    Conclusions
  3. Who am I?
    Dan Usher
    Booz Allen Hamilton, Associate
    SharePoint Architect & Implementation Engineer
    MCP, Security+, MCTS
  4. Introductions
    What environments have I worked in?
    What have I seen?
    What is this talk about?
    Who are you all? 
  5. A very brief primer on A&A
    Identification (n) - claiming an identity: the process of stating who someone or something claims to be
    Authentication (n) - proving that claim: validating the authenticity of someone or something
    Authorization (n) - deciding what an authenticated identity is permitted to do
    What’s the confusion?
  6. Basics of SharePoint Authentication
    Out of the box IIS basics
    Authentication is handled by IIS and ASP.NET
    IIS checks the user against Active Directory, local machine accounts, or another auth provider
    The verified identity is then passed on to ASP.NET and SharePoint for authorization
    Source: http://go.spdan.com/iisauth
    ASP.NET Authentication
  7. Approaches to Auth with SharePoint
    Integrated Windows Authentication
    Forms Based Authentication
    Custom Membership Provider
    ADFS and Geneva
    Third Party SSO/RSO
    Smart Card
  8. Integrated Windows Authentication
    NTLM
    Challenge-response
    Default SharePoint authentication scheme
    Kerberos (Negotiate)
    Symmetric key cryptography, ticket based
    Requires a little more configuration:
    Server delegation
    Account delegation
    Service Principal Names (SPNs)
  9. SharePint Anyone?
  10. Two SharePoint Consultants enter a bar…
    NTLM - hand your ID every time you want a drink
    Kerberos - hand your ID the first time at the door and it’s passed transparently in the background for you
    Anonymous Access - equivalent of an open bar at a wedding, no one really asks…
  11. So what’s this mean to my end user?
    Performance
    Caching
    Large Environments
    Security
    Client-Server || Server-Client
    Delegation
    RSS Feeds
    Excel Calculation Services
    Double Hops
    Smartcards
  12. Forms Based Authentication
    MOSS
    LDAP V3 Membership Provider
    SQL Membership Provider
    ASP.net v2 Membership Providers
    Smartcard and SQL Hybrid
  13. How does FBA affect me?
    Client Integration
    Content Crawling
    SP2 + Hotfixes
    http://go.spdan.com/fba-issues
  14. Active Directory Federation Services (ADFS)
    Provides for Web-SSO
    Allows for federation between Forests / Domains
    Requires a policy file between Web-SSO servers
    Disables Client Integration by default
  15. Thoughts on ADFS and Client Integration
    SharePoint becomes an island
    Bring in users from other organizations
    FBA Updates
    Requires hotfixes on the server
    Requires an additional HTTP handler
    Requires hotfixes on XP, or SP2 on Vista
  16. Geneva and Claims Based Authentication
    Geneva Framework -> Windows Identity Foundation
    Geneva Server -> Active Directory Federation Services
    Windows CardSpace "Geneva" -> Windows CardSpace
    Utilizes WS-* (WS-Federation, WS-Trust) and SAML 2.0 protocols
    Provides for security token service (STS)
  17. Geneva and End Users
    Beta is available from Connect
    Will solve client integration issues
    Will allow for greater federation
  18. Third Party SSO/RSO
    CA SiteMinder
    Tivoli
    Ping Federate
    Version 3 Enhanced Authentication
  19. SmartCard Authentication
    Simplicity…
    Source: http://go.spdan.com/pki
  20. Smart Card Authentication and IIS
  21. So why SmartCards?
    Simplicity… to the end user
    Provides a tamper-resistant physical token for secure key storage
    Enables portability of credentials and private information, similar to other federated identity…
    …like OpenID, Facebook Connect, Google OpenSocial, Microsoft Hailstorm
    A PIN is used
    …Security
  22. User Experience Pitfalls of SmartCard Auth
    OCSP or CRL checking can cause authentication to fail if the OCSP responder or CRL distribution point is not reachable
    Depending on the number of requests, CRL checking can add server load
    Puts the server in the DMZ and increases the attack surface; a tool such as wfetch will show your SharePoint version in the response headers
    User’s account must be linked to the UPN in their smart card certificate
    User selecting a certificate that does not contain a UPN
  23. Extending into the Extranet
    ISA Server 2006
    Intelligent Application Gateway
    Separate Domains and Trusts
    User Experience Complexity Increases
  24. Microsoft External Collaboration Toolkit for SharePoint
    http://go.spdan.com/setc
    Planning Guide
    Deployment and Operations Guide
    Information Materials
    Solutions Accelerator
    AD & ADAM
  25. Microsoft ISA Server 2006
    Soon to be Forefront Threat Management Gateway
    Integrated network edge security gateway to defend against:
    Web based threats
    Securely Publish Content for Remote Access
    Securely Connect Branch Offices
    Provides:
    Kerberos Constrained Delegation
    URL Masking of web servers
    Smart Card Authentication
    SSL Termination
  26. Microsoft Intelligent Application Gateway
    Soon to be Forefront Unified Application Gateway
    Remote Access Gateway that provides secure access to applications
    Provides:
    SSL VPN access capabilities
    Clientless, browser-based access similar to a regular VPN
    Web Application firewall
    Endpoint Security
    Compliance Checking
    Persistent User Caching
    Smartcard Authentication
    ISA 2006 Capabilities
  27. Third Party Extranet Applications
    Epok Edition for Microsoft SharePoint
    SharePoint Solutions - Extranet Collaboration Manager
    Version 3 Enhanced Authentication
  28. What works best and where?
    NTLM
    Authentication to a server by IP address (no SPN to match, so Kerberos is not attempted)
    Authentication to a server in a different forest or domain with no trust path
    No Active Directory exists
    Limited firewall ports (clients cannot reach a KDC)
    Kerberos
    Authentication within a network boundary
    Server clocks are closely synchronized (within the 5 minute skew tolerance)
    Authentication to servers within a single forest or domain
  29. But I still can’t get in, what gives?
  30. SharePoint Policy Issues
    Web Application Policy set to deny all
    Web Application All Authenticated Users Removed
    SharePoint Groups removed
  31. Account Issues
    SmartCard Enabled Accounts
    Account aging
    Smart Card UPN does not match User Account UPN
    Smart Card Choosing the wrong certificate
    Local User Groups and Accounts Used
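The smart card failure modes listed on slides 22 and 31 (certificate without a UPN, UPN on the card not matching the account, disabled account, unreachable CRL or OCSP responder) can all be checked from the user's workstation before anyone opens a ticket. The script below is an added example and is not from the deck or from the presenter; it assumes a domain-joined Windows client with the RSAT ActiveDirectory module, a PowerShell version that exposes EnhancedKeyUsageList on certificate objects, and smart card middleware that propagates the card certificate into the CurrentUser\My store on insertion. The placeholder account names and OIDs it looks for are standard Microsoft values, not anything taken from the slides.

```powershell
# Added example, not part of the slides. Checks the smart card failure modes
# from slides 22 and 31, from the user's own workstation:
#   1. Does the chosen certificate carry a UPN in its Subject Alternative Name?
#   2. Does that UPN map to an enabled AD account's userPrincipalName?
#   3. Can the chain be built with online revocation checking (CRL/OCSP reachable)?
# Assumptions: domain-joined client, RSAT ActiveDirectory module, card certificate
# present in CurrentUser\My (Windows propagates it there on card insertion).

Import-Module ActiveDirectory

$SanOid         = '2.5.29.17'               # Subject Alternative Name extension
$SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon EKU

function Get-CertificateUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $san) { return $null }
    # Format($false) renders the SAN on one line, e.g.
    # "Other Name:Principal Name=jdoe@contoso.com, RFC822 Name=jdoe@contoso.com"
    $text = $san.Format($false)
    if ($text -match 'Principal Name=([^,\s]+)') { return $Matches[1] }
    return $null
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'       # fetch CRL / query OCSP, as IIS will
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Valid  = $ok
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Pick the card certificate a browser would offer for client authentication.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogon } |
    Select-Object -First 1
if (-not $cert) { Write-Warning 'No Smart Card Logon certificate in CurrentUser\My; is the card inserted?'; return }

$certUpn = Get-CertificateUpn $cert
if (-not $certUpn) {
    Write-Warning "Certificate $($cert.Thumbprint) has no UPN in its SAN; IIS cannot map it to an account (wrong certificate chosen)"
    return
}

$user = Get-ADUser -Filter "UserPrincipalName -eq '$certUpn'" -Properties Enabled, SmartcardLogonRequired
if (-not $user) {
    Write-Warning "No AD account has userPrincipalName '$certUpn'; the UPN suffix on the card does not match the account"
} elseif (-not $user.Enabled) {
    Write-Warning "Account $($user.SamAccountName) is disabled (account aging?)"
} else {
    "OK: $certUpn maps to $($user.SamAccountName) (SmartcardLogonRequired=$($user.SmartcardLogonRequired))"
}

$chainResult = Test-CertificateChain $cert
if ($chainResult.Valid) { "OK: chain builds with online revocation checking" }
else { Write-Warning "Chain failed: $($chainResult.Status); RevocationStatusUnknown or OfflineRevocation means the CRL or OCSP responder was unreachable" }
```

Run it as the affected user with the card inserted. A chain status of RevocationStatusUnknown or OfflineRevocation is the client-side view of the slide 22 pitfall: the certificate is fine, but the server cannot confirm it has not been revoked, so IIS rejects it.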
  32. Infrastructure
    Group Policy and effects on service accounts
    Active Directory Offline
    Server clock more than 5 minutes off the domain (Kerberos time skew tolerance)
    Domains and Database Migrations
    SharePoint Groups Inheritance
    Domains, Trusts, Root Suffixes…
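Slides 8, 28 and 32 between them name the three prerequisites that most often push a SharePoint web application from Kerberos back to NTLM, or break it outright: the HTTP SPN registered on the application pool account (and registered exactly once), clock skew within the 5 minute Kerberos tolerance, and a client that actually receives a service ticket. The script below is an added example and is not from the deck or from the presenter. The hostname, application pool account and domain controller are placeholders; it assumes a domain-joined client with the RSAT ActiveDirectory module and a Windows version whose klist.exe supports "klist get".

```powershell
# Added example, not part of the slides. Checks the Kerberos prerequisites from
# slides 8, 28 and 32 for one SharePoint web application: the HTTP SPN on the
# application pool account, clock skew against the domain (5 minute default
# tolerance), and whether this client obtains a service ticket.
# Assumptions: placeholder hostname, app pool account and DC; domain-joined
# client with RSAT ActiveDirectory; w32tm and klist ship with Windows.
param(
    [string]$Hostname    = 'portal.contoso.com',
    [string]$AppPoolAcct = 'svc-spweb',         # sAMAccountName of the app pool identity
    [string]$Dc          = 'dc01.contoso.com'
)

Import-Module ActiveDirectory
$spn = "HTTP/$Hostname"

function Test-SpnRegistration {
    param([string]$Spn, [string]$ExpectedAccount)
    # servicePrincipalName is multi-valued; -eq matches any value on the object.
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName)
    switch ($holders.Count) {
        0       { "FAIL: $Spn is not registered; browsers fall back to NTLM (or fail if NTLM is disabled)" }
        1       { if ($holders[0].sAMAccountName -eq $ExpectedAccount) { "OK: $Spn is registered on $ExpectedAccount" }
                  else { "FAIL: $Spn is on $($holders[0].sAMAccountName), not the app pool account $ExpectedAccount" } }
        default { "FAIL: $Spn is registered on $($holders.Count) accounts (duplicate SPN); tickets get encrypted with the wrong key" }
    }
}

function Get-ClockSkewSeconds {
    param([string]$Dc)
    # /dataonly prints one line per sample, e.g. "12:34:56, +00.0123456s"
    $m = w32tm /stripchart "/computer:$Dc" /samples:1 /dataonly |
         Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -First 1
    if (-not $m) { return $null }
    [double]$m.Matches[0].Groups[1].Value
}

function Test-KerberosTicket {
    param([string]$Spn)
    # "klist get" requests a ticket for the SPN and prints the resulting cache entry.
    $out = klist get $Spn 2>&1 | Out-String
    return [bool]($out -match "Server:\s+$([regex]::Escape($Spn))")
}

Test-SpnRegistration -Spn $spn -ExpectedAccount $AppPoolAcct

$skew = Get-ClockSkewSeconds -Dc $Dc
if ($null -eq $skew)                { "WARN: could not measure clock skew against $Dc" }
elseif ([math]::Abs($skew) -gt 300) { "FAIL: clock skew of ${skew}s against $Dc exceeds the 5 minute Kerberos tolerance" }
else                                { "OK: clock skew ${skew}s" }

if (Test-KerberosTicket -Spn $spn) { "OK: obtained a Kerberos service ticket for $spn" }
else { "FAIL: no ticket for $spn; check the SPN, the trust path to the server's domain, and that the browser sends Negotiate" }
```

The SPN check is the one worth running first: a missing or duplicate HTTP SPN produces exactly the symptom on slide 29, a portal that works for some users or some hostnames and not others, because the browser silently negotiates down to NTLM wherever the Kerberos ticket request fails.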
  33. Development and Branding
    Branding Issues
    User Permissions (IIS_WPG)
    Reference files in other sites
    Master page tokens
    Development Issues
    Impersonation / Elevated Privileges
    Web Services
  34. Avoiding Catastrophe
    Documentation, documentation, documentation…
    Staging and Testing Procedures for new features, solutions, etc.
    Configuration Management Policies and Procedures
    Tools installed (SPAdminToolkit, etc.)
    Planned Service Accounts
  35. Conclusions
    It’s not always that SharePoint is down
    Sometimes SharePoint is misconfigured
    More often than not, it’s user awareness and site configuration
  36. Questions?
  37. Follow me on Twitter – twitter.com/usher
    Follow my blog – http://www.sharepointdan.com
    IM?
    gTalk danusher79
    Live danusher@live.com
    E-mail: dan@spdan.com
    And that’s a wrap…
