Part 2 - Setting up your environment
13 Create a claims-aware SharePoint web application
Now that SharePoint is set up to trust AD FS, it’s time to create a SharePoint Web Application for publishing your SharePoint content. This web application should be claims-aware, so that it can handle incoming claims from SURFconext tokens. In case you have an existing SharePoint web application that you would like to make claims-aware, consult the following information from Microsoft on how to convert your web application to claims-integrated mode:
http://technet.microsoft.com/en-us/library/gg251985.aspx
In order to configure your new web application, perform the following steps:
1) Navigate to the SharePoint 2010 Central Administration site: on the Windows Start Menu, click on SharePoint 2010 Central Administration.
2) In the Application Management list, click on Manage web applications.
3) Create a new web application by clicking New on the Ribbon.
4) Fill in the following settings in the Create New Web Application form:
1. In the Authentication section, select the Claims Based Authentication radio button. Classic Mode Authentication is the traditional authentication mode – from SharePoint 2007 – which doesn’t support claims authentication.
2. In the IIS Web Site section, select Create a new IIS web site and give it a suitable name, e.g. sharepoint.myinstitute.nl.
Note: You can also leave the Name textbox as-is. If you do so, SharePoint will adjust the textbox automatically to generate a standardized name depending on the values you provide further on.
3. In the Port textbox, type 443, which is the default port for https traffic. Provide a host header that your website will listen to, e.g. sharepoint.myinstitute.nl. Also provide a suitable Path where your IIS Web Site will be created: the default path that is supplied by SharePoint is perfectly fine for the purpose of this guide.
4. Decide whether you would like to allow anonymous access to your web application. When you allow anonymous access, you can allow access to part of your web application to users without logging in. In this guide we choose not to allow anonymous access: in the Security Configuration section, under Allow Anonymous, select the No radio button.
5. In order to make the SharePoint portal available via https only, under Use Secure Sockets Layer (SSL), select Yes.
Note: SSL is required for secure communication between your client’s web browser and AD FS and SharePoint. You therefore must enable SSL in the Security Configuration section and also install an SSL certificate on the IIS server (see below) with a common name that matches the host header you provided above. Note also that you must register the host header that you provided above in DNS as a CNAME or A and/or AAAA record that points to the SharePoint server.
6. In the Claims Authentication Types section, which appears after you switched from Classic Mode Authentication to Claims Based Authentication above, leave the Enable Windows Authentication and Integrated Windows authentication checkboxes checked. In addition, check the Trusted Identity provider checkbox and select the sts.myinstitute.nl trusted identity provider that you added to SharePoint via the script above.
Note that by selecting two authentication types, you enable a selector screen in SharePoint where a user can select which authentication type he wishes to use. This is fine for now, as it will allow you later on to log in to the SharePoint site with your computer administrator account and to configure access rights for SURFconext users. In a production setup, you might decide later on to remove the Windows Authentication option to get rid of the selection screen. You can then decide to set up multiple zones for your web application and configure Windows Authentication on a separate zone for administrative access and to allow for search crawling. All this is out of scope for this guide, however. For background information, see:
http://technet.microsoft.com/en-us/library/cc288475.aspx
7. In the Sign In Page URL section, leave the Default Sign In Page radio button selected. This will configure this web application to use the default sign in page you configured when setting up the trusted identity provider.
8. In the Public URL section, leave the default URL as provided. This setting would allow you to configure a different external URL for your SharePoint site, for example when using a hardware load balancer or reverse proxy server in front of your set-up.
9. In the Application Pool section, leave the Create new application pool radio button selected. Also, there is no need to change the default Application pool name unless you prefer a different name for your reference. Switch the security account for your application pool from Configurable to Predefined and choose Network Service from the dropdown box.
Note: In a production environment, you should consider creating a separate service account user in your user store (Active Directory in a multiple server farm or the local SAM for a single server installation) and configuring that user as the security account for your application pool. For background information, see http://technet.microsoft.com/en-us/library/cc263445.aspx
10. In the remaining sections, leave all the default values. Press the OK button to create the web application.
11. After a while, you should get a dialog box confirming that the web application has been created. After reading the confirmation details, close the dialog box to finish the creation of the web application.
Now that you have created the web application, you need to create a site collection with the initial content at the root of the web application. Use the following steps to create a site collection:
1. In SharePoint 2010 Central Administration, navigate to Application Management using the left navigation pane.
2. Under the Site Collections section in the center pane, click Create site collections.
3. Make sure you select the right web application for which to create a site collection. Click the Web Application selection box, and from the pop-up list of web applications, select the web application you just created in the steps above.
4. In the Title and Description section, type a suitable Title and Description in the corresponding textboxes.
5. In the Web Site Address section, leave the / selected in the URL dropdown box.
6. In the Template Selection section, choose a suitable template for your site collection.
Note: The templates that are presented here depend on the version of SharePoint you have installed. In this guide, Windows SharePoint Foundation is installed. Therefore, only basic site templates are available.
7. In the Primary Site Collection Administrator section, type administrator to make your own administrator account site collection administrator. Leave the Secondary Site Collection Administrator section blank for now.
8. In the Quota Template section, leave the No Quota radio button selected.
9. Click OK to create the site collection.
Note: You will probably get a warning now that your administrator account could not be resolved. The reason for this is that there are multiple accounts that resolve to “administrator”, since there are multiple authentication providers configured. To resolve the conflict, click on “administrator” in the textbox and choose the local server administrator account from the pop-up list. The local server administrator account can be recognized by the server name followed by a backslash before the administrator part of the account name. Click on OK again to start the creation of the site collection.
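The two procedures above (creating the claims-aware web application and the root site collection) can also be scripted. The following is an added example, not part of the SURFconext guide, written for the SharePoint 2010 Management Shell on the SharePoint server. The host header and the trusted identity provider name are the guide's example values; the managed service account name, the site template and the site title are assumptions. It follows the production note by using a dedicated managed account for the application pool instead of Network Service, and it ends with the check a practitioner wants: that the web application is in claims mode and lists both authentication providers.

```powershell
# Added example (not from the guide): PowerShell equivalent of the Central Administration steps.
# Run in the SharePoint 2010 Management Shell. Values marked "assumed" are not from the guide.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$hostHeader = "sharepoint.myinstitute.nl"          # guide's example host header
$webAppUrl  = "https://$hostHeader"
$stsName    = "sts.myinstitute.nl"                 # trusted identity provider added earlier in the guide

# Claims Based Authentication with two providers (step 6): Windows (NTLM) and the AD FS trusted issuer.
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trustedIssuer   = Get-SPTrustedIdentityTokenIssuer -Identity $stsName
$trustedProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $trustedIssuer

# Application pool (step 9, production note): a dedicated service account that has already been
# registered as a managed account with New-SPManagedAccount. Account name is assumed.
$appPoolAccount = Get-SPManagedAccount -Identity "MYINSTITUTE\sp_webapp"

# Steps 2-5 and 9: new IIS site, port 443, host header, SSL on. -AllowAnonymousAccess is
# deliberately omitted so anonymous access stays off, as chosen in step 4.
$webApp = New-SPWebApplication `
    -Name "SharePoint - $hostHeader" `
    -Url $webAppUrl `
    -Port 443 `
    -HostHeader $hostHeader `
    -SecureSocketsLayer `
    -ApplicationPool "SharePoint - $hostHeader" `
    -ApplicationPoolAccount $appPoolAccount `
    -AuthenticationProvider $windowsProvider, $trustedProvider

# Root site collection. In a claims web application the owner is given in claims-encoded form;
# "i:0#.w|" is the prefix for a Windows account, here the local server administrator, which is
# the account the Note above tells you to pick when "administrator" is ambiguous.
$owner = "i:0#.w|$env:COMPUTERNAME\administrator"
New-SPSite -Url $webAppUrl -OwnerAlias $owner -Template "STS#0" `
    -Name "SURFconext portal" -Description "Claims-aware SharePoint web application"   # assumed title

# Check: the web application must be in claims mode and its Default zone must list both providers.
$settings = $webApp.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
"UseClaimsAuthentication: " + $webApp.UseClaimsAuthentication
$settings.ClaimsAuthenticationProviders | Select-Object DisplayName
```

If the check does not show the trusted identity provider, the web application was created in classic mode or without the second provider, and users arriving with a SURFconext token will not be able to sign in; the template STS#0 (Team Site) is one of the basic templates available in SharePoint Foundation.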
Now that you have created a site collection at the root of the web application, there is one thing left to do before your installation is complete: you must create and configure an SSL certificate on the web application you just created.
In order to create the SSL certificate, follow the steps that you followed before in paragraph 9.2, step 2 to create a server certificate for AD FS. This time, use your SharePoint web application host header as common name for the certificate.
After you have created the certificate, you need to add it to the web site bindings. The following steps guide you through this process:
1. On the Start menu, click Internet Information Services (IIS) Manager to start the IIS management console.
2. In the Connections pane on the left, open the local IIS server node followed by the Sites node within. Then click on your web site node (e.g. sharepoint.myinstitute.nl) to select the web site SharePoint created for your web application.
3. In the Actions menu on the right, click Bindings....
4. In the Site Bindings dialog box, choose the default binding that is present already and press Edit….
5. In the Edit Site Binding dialog box, configure the bindings for your web site. In particular, choose the correct SSL certificate so that your site serves SSL correctly.
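The IIS Manager steps above can also be done from an elevated PowerShell prompt with the WebAdministration module. The following is an added example, not part of the SURFconext guide; it assumes the IIS site name that SharePoint generated, picks the certificate in the local machine store whose common name matches the host header (the match the earlier Note requires), binds it to port 443 and then verifies the binding. The IIS site name is an assumption; the host header is the guide's example value.

```powershell
# Added example (not from the guide): bind the SSL certificate to the SharePoint web site.
# Run elevated on the SharePoint server (Windows Server 2008 R2 / IIS 7.5).
Import-Module WebAdministration

$siteName   = "SharePoint - sharepoint.myinstitute.nl"   # assumed: IIS site name chosen in step 2
$hostHeader = "sharepoint.myinstitute.nl"                # guide's example host header

# Select the newest unexpired certificate whose CN matches the host header.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$hostHeader" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with CN=$hostHeader in LocalMachine\My" }

# Make sure the site has an https binding on 443 for the host header (Site Bindings dialog).
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostHeader
}

# IIS 7.5 associates the certificate with IP:port, not with the host header, so one certificate
# serves every https site on 0.0.0.0:443. Replace any existing association.
$sslBinding = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item $sslBinding -Value $cert | Out-Null

# Checks: the https binding is present and the bound thumbprint is the one we selected.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
"Certificate bound correctly: " + ((Get-Item $sslBinding).Thumbprint -eq $cert.Thumbprint)
```

After this, browsing to https://sharepoint.myinstitute.nl should present the certificate without a name mismatch warning; a warning at this point usually means the CN does not match the host header or the DNS record from the earlier Note is missing.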
After configuring the web site bindings correctly, you have completed the set-up of SURFconext for SharePoint!