
 Posts categorized as WSSv4

Sep 01
Published: September 01, 2010 23:09 PM by Paul Schaeflein

Have you ever noticed the security paradox in computers? Most people will agree that managing Active Directory or LDAP directories is an administrative task. Not necessarily the password resets and account creation (those tend to get pushed to the help desk), but the installation, configuration and general maintenance of these vital data stores is performed by the top-of-the-heap admin. (Rightly so!)

However, if the authentication provider is not one of these, say an ASP.NET Membership provider (FBA), then it usually falls to the developer to configure the solution. It seems short sighted to me that the person charged with monitoring the system would wash their hands of the technology used to secure it! But, I’m not here today to change this activity. No, I am writing about a wonderful little utility that developers and admins alike can use to get up to speed on the new claims-based identity world!

First, a little background. To set up claims authentication with SharePoint, you need to follow the directions on TechNet: Configure authentication using a SAML security token (SharePoint Server 2010). The big stumbling point for those just getting started is: where do I find a Security Token Service web application? The answer is either ADFS2 or the WIF SDK. Well, now you have a third, and much easier, option: SelfSTS.

SelfSTS is a security token service that is designed to issue tokens without a lot of configuration. For a full explanation, refer to Vittorio’s blog post. (If you are not subscribed to Vittorio’s blog, then you are not serious about claims auth!) To get SelfSTS working with SharePoint, there are a few little tweaks required outside of the steps laid out by TechNet and Vittorio. The steps below are copied and adjusted from the TechNet directions.

  1. Extract SelfSTS and run the executable from the bin\Release directory.
  2. Save the X509 certificate that SelfSTS is using:
    1. In the browser, navigate to the federation metadata page. (Be sure to start SelfSTS first; otherwise you will get a DNS error.) Hint: you can copy the URL of the page from the SelfSTS UI by clicking the "C" next to the link.
    2. In the metadata page, look for a tag named X509Certificate. Copy the inner text from any of these tags and paste it into Notepad.
    3. Save the file in Notepad. I put mine in the SelfSTS bin\Release folder with the name SelfSTS.cer.
  3. In the SharePoint Management Console (PowerShell), read the certificate into a variable:
     $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("path to cert file")
  4. Map the claim that SelfSTS provides to one that is understood by SharePoint:
     $map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
  5. The Realm setting is used by the STS to identify the source of the authentication request. In ADFS2, there is a user interface for mapping this identifier to the URL of the application. SelfSTS does not have such a UI; instead, it automatically redirects to the value provided as the realm. So this must be the URL of the SharePoint claim service:
     $realm = "http://[WebApplicationUrl]/_trust/"
  6. You will need to tell SharePoint the URL of the identity provider. This is the endpoint in SelfSTS. (I've listed the default value below.)
     $signinurl = "http://localhost:8000/STS/Issue/"
  7. Now the trusted login provider can be created as shown in the TechNet article:
     New-SPTrustedIdentityTokenIssuer -Name "SelfSTS" -Description "SelfSTS sample" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinUrl -IdentifierClaim $map1.InputClaimType
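The whole procedure (steps 2 through 7, plus the root-authority trust described further down) as one script for the SharePoint 2010 Management Shell. This is an added example, not code from the post or from SelfSTS; the metadata URL path, the local certificate path and the root-authority name are assumptions to replace with your own values.

```powershell
# Added example (not from the original post). Runs in the SharePoint 2010
# Management Shell (PowerShell 2.0), so it uses WebClient rather than
# Invoke-WebRequest. Values in square brackets are placeholders you fill in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$metadataUrl = "http://localhost:8000/[federation metadata path copied from the SelfSTS UI]"
$certPath    = "C:\SelfSTS\bin\Release\SelfSTS.cer"     # assumed local path
$realm       = "http://[WebApplicationUrl]/_trust/"      # must be the SharePoint /_trust/ URL
$signinUrl   = "http://localhost:8000/STS/Issue/"        # SelfSTS default from the post

# Step 2: fetch the federation metadata. SelfSTS must already be running.
try {
    [xml]$metadata = (New-Object System.Net.WebClient).DownloadString($metadataUrl)
} catch {
    throw "Could not read federation metadata from $metadataUrl. Is SelfSTS running?"
}
# Take the inner text of the first X509Certificate element, exactly as step 2.2 does by hand.
$b64 = ($metadata.GetElementsByTagName("X509Certificate") | Select-Object -First 1).InnerText
if (-not $b64) { throw "No X509Certificate element found in the metadata." }
Set-Content -Path $certPath -Value $b64

# Step 3: load the certificate; X509Certificate2 reads the bare base64 file as saved above.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
Write-Host "SelfSTS token-signing certificate thumbprint: $($cert.Thumbprint)"

# Step 4: map the e-mail claim SelfSTS issues onto the identifier claim SharePoint will use.
$map1 = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# Steps 5-7: register the issuer with the realm and sign-in URL set above.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "SelfSTS" -Description "SelfSTS sample" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 `
    -SignInUrl $signinUrl -IdentifierClaim $map1.InputClaimType

# The signing certificate must also be trusted by the farm (the post's follow-up step).
New-SPTrustedRootAuthority -Name "SelfSTS signing certificate" -Certificate $cert | Out-Null

# Check: this is the provider that appears under "Trusted Identity Provider".
Get-SPTrustedIdentityTokenIssuer -Identity "SelfSTS" | Select-Object Name, DefaultProviderRealm, ProviderUri
```

Compare the thumbprint printed by the script with the one shown in the SelfSTS UI before granting the SelfSTS account any permissions; a mismatch means you trusted a certificate from some other metadata document.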

Upon completion of these steps, the SelfSTS provider will be available for selection in the Trusted Identity Provider section when creating a new Web Application or modifying the Authentication Providers of an existing claims-based web application.

Before attempting to login to a site collection using SelfSTS, there are a few other items to address. The token signing certificate used by SelfSTS must be trusted by SharePoint. This is accomplished by the New-SPTrustedRootAuthority cmdlet in PowerShell, or via the Manage Trust link in the Security section of Central Administration. Also, be sure to grant permissions to the account provided by SelfSTS (or the all users account).

Again, the key differences when using SelfSTS are the Realm property, and that https is not required. (You are not leaving the box, so no need to incur that overhead.) Lastly, I want to point out that THIS IS FOR DEVELOPMENT PURPOSES ONLY. You should never use SelfSTS in production.

Update: Works fine under Windows 7.



Jul 08
Published: July 08, 2010 15:07 PM by Paul Schaeflein

When VS2010 first came out in betas, one common complaint was that closing a lot of windows (for instance, after a debug session where you stepped into many different code files) required more work. The close button was moved from the right side of the tab well onto each individual tab.

I’m elated to see that the Visual Studio 2010 Power Tools lets us put the close button back to where it was!

Visual Studio Options - Document Tab Well



Mar 08

Are you interested in using the new claims-based authorization (Windows Identity Foundation) in SharePoint? I want to hear from you!

I've created a single-question survey that should take only a minute or two. It is anonymous. (If you want to start a dialog, contact me through the blog or Twitter.)

Thanks in advance!



Mar 01
Published: March 01, 2010 13:03 PM by Paul Schaeflein

Do you have tough technical questions regarding SharePoint for which you're seeking answers? Do you want to tap into the deep knowledge of the talented Microsoft Most Valuable Professionals? The SharePoint MVPs are the same people you see in the technical community as authors, speakers, user group leaders and answerers in the MSDN forums. This is the first time we have brought these experts together as a collective group to answer your questions live. So please join us and bring on the questions! This chat will cover WSS, MOSS and the SharePoint 2010 beta. Topics include setup and administration, design, development and general questions.

Monday, March 15, 2010

9:00 – 10:00 A.M. Pacific Time

12:00 - 1:00 P.M. Eastern Time

16:00 - 17:00 GMT

Join the chat room on the day of the chat:

MSDN: msdn.microsoft.com/en-us/chats/default.aspx



Feb 15
Published: February 15, 2010 14:02 PM by Paul Schaeflein

I am excited to announce that I am hosting a SharePoint 2010 Community Launch event in conjunction with The Chicago Microsoft SharePoint Business Strategies Group.

We will have a short overview of SharePoint 2010 followed by a presentation on Enterprise Content Management by SharePoint MVP Ben Curry.

Come see the new Enterprise Content Management functionality in SharePoint Server 2010. Have you ever wanted to replicate a content type across many site collections with the click of a button? Have you wanted a centralized taxonomy that was easy to manage? Do you want to save time & money managing your information architecture? In SharePoint Server 2010, Enterprise Content Types and Metadata provide much more robust methods of data classification, retention, retrieval, and consumption. The agenda will include Content Type Syndication, Creating and Managing a Term Store, and integrating these solutions into sites, libraries, and Office 2010 applications.

Ben Curry (SharePoint MVP, CISSP, MCT, MCP, MCTS) is an enterprise architect specializing in knowledge management and collaboration technologies. As a Managing Consultant for Summit 7 Systems, Ben draws on his years of experience to manage the most demanding projects and system architectures while delivering powerful customized solutions based on the Microsoft Information Worker platforms. He has authored or co-authored 4 books on SharePoint Server, including SharePoint Server 2007 Best Practices and the forthcoming SharePoint Server 2010 Administrators' Pocket Consultant, both by Microsoft Press.

Registration is now open.



Dec 09

I battled with this task for much too long. My solution is posted on the forums: Load javascript client object model (ClientOM) (sp.js) from web part



Jul 13
Published: July 13, 2009 09:07 AM by Paul Schaeflein

A collection of “sneak peek” videos was posted by the product team. View them at http://sharepoint.microsoft.com/



Feb 22
Published: February 22, 2009 18:02 PM by Paul Schaeflein

Microsoft SVP S. Somasegar, the guy in charge of the entire developer division, posted an update on Visual Studio 2010 and its support for SharePoint. This is a very exciting release for people doing SharePoint development. I encourage you to read Soma’s post and view the Channel 9 videos he references.