The document discusses authentication approaches in SharePoint, including integrated Windows authentication, forms-based authentication, Active Directory Federation Services, and smart card authentication. It compares the different approaches in terms of user experience, performance, and extending authentication to external users. The document also covers common issues that can prevent access such as misconfigurations of SharePoint policies, accounts, and infrastructure as well as development and branding problems. It emphasizes the importance of documentation, testing, and configuration management to avoid access issues.

1. Why can’t I access the portal?SharePoint Authentication 101 Dan Usher 25 July 2009

2. Agenda Introductions A brief primer on A&A history Approaches to Authentication with SharePoint Extending into the Extranet What works best and where? Pain Points Worst Practices to Avoid Conclusions

3. Who am I? Dan Usher Booz Allen Hamilton, Associate SharePoint Architect & Implementation Engineer MCP, Security+, MCTS

4. Introductions What environments have I worked in? What have I seen? What is this talk about? Who are you all? 

5. A very brief primer on A&A Identification (n) - process of establishing who someone or something claims to be Authentication (n) - certification, validating the authenticity of something or someone Authorization (n) - a document giving an official instruction or command What’s the confusion?

6. Basics of SharePoint Authentication Out of the box IIS basics Authentication is handled by IIS and ASP.NET Checks user against Active Directory, Local Machine accounts, or other auth provider Passes verification to IIS to proceed Source: http://go.spdan.com/iisauth ASP.NET Authentication

7. Approaches to Auth with SharePoint Integrated Windows Authentication Forms Based Authentication Custom Membership Provider ADFS and Geneva Third Party SSO/RSO Smart Card

8. Integrated Windows Authentication NTLM Challenge Response Default SharePoint authentication schema Kerberos (Negotiate) Symmetric key cryptography Requires a little more configuration Server Delegation Account Delegation Security Principle Names

9. SharePint Anyone?

10. Two SharePoint Consultants enter a bar… NTLM - hand your ID every time you want a drink Kerberos - hand your ID the first time at the door and it’s passed transparently in the background for you Anonymous Access - equivalent of an open bar at a wedding, no one really asks…

11. So what’s this mean to my end user? Performance Caching Large Environments Security Client-Server || Server-Client Delegation RSS Feeds Excel Calculation Services Double Hops Smartcards

12. Forms Based Authentication MOSS LDAP V3 Membership Provider SQL Membership Provider ASP.net v2 Membership Providers Smartcard and SQL Hybrid

13. How’s FBA Effect me? Client Integration Content Crawling SP2 + Hotfixes http://go.spdan.com/fba-issues

14. Active Directory Federated Services Provides for Web-SSO Allows for federation between Forests / Domains Requires a policy file between Web-SSO servers Disables Client Integration by default

15. Thoughts on ADFS and Client Integration SharePoint becomes an island Bring in users from other organizations FBA Updates Requires hotfixes on the server Requires an additional HTTP handler Requires hotfixes on XP, or SP2 on Vista

16. Geneva and Claims Based Authentication Geneva Framework -> Windows Identity Foundation Geneva Server -> Active Directory Federation Services Windows Cardspace Geneva -> Windows Cardspace Utilizes WS-* and SAML 2.0 protocols Provides for security token service (STS)

17. Geneva and End Users Beta is available from Connect Will solve client integration issues Will allow for greater federation

18. Third Party SSO/RSO CA SiteMinder Tivoli Ping Federate Version 3 Enhanced Authentication

19. SmartCard Authentication Simplicity… Source: http://go.spdan.com/pki

20. Smart Card Authentication and IIS

21. So why SmartCards? Simplicity… to the end user Provides a secure tamper resistant storage physical token Enables portability of credentials and private information similar to other Federated Identity… …like OpenID, Facebook Connect, Google OpenSocial, Microsoft Hailstorm A PIN is used …Security

22. User Experience Pitfalls of SmartCard Auth OCSP or CRL checking could cause authentication to fail if CRL is not available Depending on number of requests, CRL checking could cause server load Puts server in DMZ, increases attack surface area – wfetch will show your SharePoint Version User’s account must be linked to their SmartCard user principal name User selecting certificate that does not contain UPN

23. Extending into the Extranet ISA Server 2006 Intelligent Application Gateway Separate Domains and Trusts User Experience Complexity Increases

24. Microsoft External Collaboration Toolkit for SharePoint http://go.spdan.com/setc Planning Guide Deployment and Operations Guide Information Materials Solutions Accelerator AD & ADAM

25. Microsoft ISA Server 2006 Soon to be Forefront Threat Management Gateway Integrated network edge security gateway to defend against: Web based threats Securely Publish Content for Remote Access Securely Connect Branch Offices Provides: Constrained Kerberos Delegation URL Masking of web servers Smart Card Authentication SSL Termination

26. Microsoft Intelligent Application Gateway Soon to be Forefront Unified Application Gateway Remote Access Gateway that provides secure access to applications Provides: SSL VPN access capabilities Similar to a regular VPN without a client Web Application firewall Endpoint Security Compliance Checking Persistent User Caching Smartcard Authentication ISA 2006 Capabilities

27. Third Party Extranet Applications Epok Edition for Microsoft SharePoint SharePoint Solutions - Extranet Collaboration Manager Version 3 Enhanced Authentication

28. What works best and where? NTLM Authentication via IP Address Authentication to server within a different Forest or domain No Active Directory exists Limited Firewall Ports Kerberos Authentication within a network boundary Timing of servers is closely coupled Authentication to servers within a single Forest or domain

29. But I still can’t get in, what gives?

30. SharePoint Policy Issues Web Application Policy set to deny all Web Application All Authenticated Users Removed SharePoint Groups removed

31. Account Issues SmartCard Enabled Accounts Account aging Smart Card UPN does not match User Account UPN Smart Card Choosing the wrong certificate Local User Groups and Accounts Used

32. Infrastructure Group Policy and effects on service accounts Active Directory Offline Server time > 5 minutes difference Domains and Database Migrations SharePoint Groups Inheritance Domains, Trusts, Root Suffixes…

33. Development and Branding Branding Issues User Permissions (IIS_WPG) Reference files in other sites Master page tokens Development Issues Impersonation / Elevated Privileges Web Services

34. Avoiding Catastrophe Documentation, documentation, documentation… Staging and Testing Procedures for new features, solutions, etc. Configuration Management Policies and Procedures Tools installed (SPAdminToolkit, etc.) Planned Service Accounts

35. Conclusions It’s not always that SharePoint is down Sometimes SharePoint is misconfigured More often than not, it’s user awareness and site configuration

36. Questions?

37. Follow me on Twitter – twitter.com/usher Follow my blog – http://www.sharepointdan.com IM? gTalk danusher79 Live danusher@live.com E-mail: dan@spdan.com And that’s a wrap…