• No results found

Single sign-on for ASP.Net and SharePoint

N/A
N/A
Protected

Academic year: 2021

Share "Single sign-on for ASP.Net and SharePoint"

Copied!
11
0
0

Loading.... (view fulltext now)

Full text

(1)

Single sign-on for ASP.Net and SharePoint

Author: Abhinav Maheshwari, 3Pillar Labs

Introduction

In most organizations using Microsoft platform, there are more than one ASP.Net applications for internal or external purposes. With the growing popularity of SharePoint, many organizations also have one or more SharePoint sites for

collaboration. So single sign-on becomes an obvious requirement, i.e. the users should be able to access all the systems using the same credentials. Usually a single sign-on solution in such an environment will need to satisfy the following conditions:

a) Works across different browsers

b) Uses known and proven security mechanisms c) Ease of implementation and maintenance

d) Minimal modification in the source code of applications

Fortunately Microsoft provides several solutions to solve this problem. Two of the approaches are outlined in this paper. First approach leverages forms authentication using a common machine key across all ASP.Net applications and SharePoint. Second approach uses the Active Directory Federation Services (ADFS 2.0) to ensure that all applications use a central token service to do the claim based security.

Since Active Directory is a user credentials store, we have used it as an example throughout this paper, though the approach can be easily modified to include your custom authentication solution.

Forms authentication using same machine key

The usual flow for forms authentication is as follows. The web browser displays the Login.aspx page to the user. When the user is authenticated (say using Active Directory), a forms authentication cookie is sent to the browser. This cookie is included by the browser for all subsequent requests.

As we know, ASP.Net uses <machineKey> element in the web.config file to configure the keys to use for encryption and decryption of Forms authentication cookie data and

(2)

view-state data and for verification of out-of-process session state identification. This leads us to the following approach.

http://aspnet1.fabrikam.com http://sharepoint1.fabrikam.com Active Directory 1: GE T /de fault.a spx 2. Lo gin.as px 3: PO ST us ernam e/pas sword 4: A uthen ticate 6. Co okie 7: G ET /defa ult.aspx Cookie 5: Create encrypted cookie 8: Decrypt cookie, validate 9. d efau lt.aspx

If in each of our web applications, we set the same machineKey, those applications can read Forms authentication cookies set by other applications. So after the users have been authenticated and a cookie saved on its computer, the other applications with the same <machineKey>, can accept this cookie as a valid authentication ticket. So there would be no need to re-login in other applications with the same <machineKey> in their web.config file, provided the following conditions are met:

a) applications are authenticating the same users

b) applications are hosted on the same domain so that browser sends the cookies c) cookies are valid for all the subdomains in the entire domain

The flow is as follows:

Step 1-3 The user browses to app1.fabrikam.com. This site opens up an authentication form where the user enters the credentials.

Step 4-6 The user is authenticated by app1.fabrikam.com using Active Directory membership provider. Forms authentication cookie containing the username is generated and sent back to the browser. This cookie is valid for all sub-domains

(3)

authentication cookie from the previous step to this application as well.

Step 8-9 The application is able to decrypt the forms authentication cookie because it has the same machine key. Since the username is valid, the application allows the user to view the default page without displaying the login page.

Similar configuration with a SharePoint web application will result in the user being able to login to SharePoint without providing the credentials again.

Implementation of same machine key approach

Prerequisites

 Active Directory installed on your domain

 ASP.Net application should be hosted on a sub-domain, for example, aspnet1.fabrikam.com

 SharePoint installation should be hosted on the sub-domain, for example, sharepoint1.fabrikam.com

Let us first take up the configuration of a simple ASP.Net application using same machine key approach.

1. Configure the application to use forms authentication. This is necessary because this approach relies on cookie based authentication.

<system.web>

<authenticationmode="Forms">

<formsloginUrl="~/Login.aspx"timeout="2880"domain=".fabrikam.com"/> </authentication>

</system.web>

2. Add the Active Directory connecting string. This element is placed outside the system.web element. The connection string should be similar to the following, but you may need to figure out the exact string for your organization.

<connectionStrings> <!--Change this-->

<addname="ADConnectionString"

connectionString="LDAP://192.168.0.1/OU=Engineering,DC=fabrikam"/> </connectionStrings>

3. Add a membership provider to authenticate against your active directory. Make sure that you provide a username and password which has permissions to access

(4)

the Active Directory users. In our case, it was the domain administrator username and password. Another important point is that you need to check the correct version of the membership provider present in your installation of .Net framework.

<membershipdefaultProvider="MyADMembershipProvider"> <providers>

<!--Change this-->

<addname="MyADMembershipProvider"

type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

connectionStringName="ADConnectionString" connectionUsername="domain-admin" connectionPassword="domain-admin-password" connectionProtection="None"/> </providers> </membership>

4. Configure the value of machine key manually inside the system.web element. This would be same across all ASP.Net applications that use single sign on.

<machineKey

validationKey="282487E295028E59B8F411ACB689CCD6F39DDD21E6055A3EE480424315994760ADF21B58 0D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141"

decryptionKey="8B6697227CBCA902B1A0925D40FAA00B353F2DF4359D2099"validation="SHA1"/> 5. Verify that you are able to login to the application using your Active Directory

credentials. You may need to provide the username in the username@domain format.

Now we apply the same approach to a SharePoint hosted on another sub-domain. The approach remains essentially the same, but the configuration required in case of

SharePoint has many more steps.

1. The very first step is to create a web application AND create that with claims authentication mode. Once we select the authentication mode to be claims, Windows Authentication is also plugged in as one of the provider. Check the “Enable Windows Authentication” check box if you’d like Windows Authentication ALSO enabled for this web application.

(5)
(6)

You can choose the other values as you’d normally would and create the new web application. Once the web application is created, we’ll first configure this web

application for claims authentication using Active Directory Membership Provider and then create a site collection.

There are 3 web.config files we need to edit for enabling claims: a) The config file of the Central Administration site.

b) The config file of the Web Application.

c) The config file of the STS (Security Token Service) Application. This is important because it is this service that will ensure claims tokens are being passed correctly between the provider (in our case Active Directory) and the consumer (Central Administration site and our Web Application). STS Application manages all of these interactions for us.

2. Open the web.config file of your SharePoint 2010 Central Administration site and add the following entries. The entries would be same as those added for the ASP.Net application.

<connectionStrings> <!--Change this-->

<addname="ADConnectionString"connectionString="LDAP://192.168.0.1/DC=fabrikam"/> </connectionStrings>

3. Also add the membership provider just like the ASP.Net application. <membershipdefaultProvider="MyADMembershipProvider">

<providers> <clear/>

<!--Change this-->

<addname="MyADMembershipProvider"

type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

connectionStringName="ADConnectionString" connectionUsername="domain-admin" connectionPassword="domain-admin-password" connectionProtection="None" enableSearchMethods="true" attributeMapUsername="userPrincipalName" /> </providers> </membership>

(7)

4. The next step is to configure the web application. Open the web.config file of the web application you just created and add the following entries for connection string. The entries would be same as those added for the ASP.Net application. <connectionStrings>

<!--Change this-->

<addname="ADConnectionString"connectionString="LDAP://192.168.0.1/DC=fabrikam"/> </connectionStrings>

5. Search for the membership provider and add the Active Directory membership provider similar to what we did for the Central Administration. The difference in this case is that the SharePoint provider is already plugged in and it will continue being the default provider.

6. Configure the domain in the forms authentication <authenticationmode="Forms">

<formsloginUrl="~/Account/Login.aspx"timeout="2880"domain=".fabrikam.com"/> </authentication>

7. Configure the machine key in the config file <machineKey

validationKey="282487E295028E59B8F411ACB689CCD6F39DDD21E6055A3EE480424315994760ADF21 B580D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141"

decryptionKey="8B6697227CBCA902B1A0925D40FAA00B353F2DF4359D2099"validation="SHA1"/> 8. The next thing to do is to get your provider entry in the STS application’s

(8)

SharePoint 2010 box and find the STS application (shown in Image7). Now right-click to Explore and open the web.config file.

9. Add the following entries for connection string in the config file. The entries would be same as those added for the ASP.Net application.

<connectionStrings> <!--Change this-->

<addname="ADConnectionString"connectionString="LDAP://192.168.0.1/DC=fabrikam"/> </connectionStrings>

10. Add a system.web element if not already present in the file and add the ASP.Net membership provider just like the previous steps.

<membershipdefaultProvider="MyADMembershipProvider"> <providers>

<clear/>

<!--Change this-->

<addname="MyADMembershipProvider"

type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

connectionStringName="ADConnectionString" connectionUsername="domain-admin" connectionPassword="domain-admin-password" connectionProtection="None" enableSearchMethods="true" attributeMapUsername="userPrincipalName" /> </providers> </membership>

(9)

11. Restart IIS using the IIS Management Console.

12. First, go to the Web Applications Management page in Central Administration site, click the web application you want to enable Form based Authentication claims on and choose Authentication Providers from the ribbon. From the

Authentication Providers dialog, choose Default. Scroll a bit down to find Identity Providers section. Check Enable ASP.NET Membership and Role Provider (NOTE: You can also do this at the time of creating this web application) and type in the name of your provider). The name “MyADMembershipProvider” has been used in the examples.

13. Now, hit User Policy ribbon option in the Web Applications Management page having selected your web application. Hit Add Users in the Policy for Web Application dialog. Hit Next in Add Users dialog. Use the Browse button in the Choose Users people picker control. Notice the Select People and Groups dialog that comes up is changed. Choose the section Forms Auth search for a user to add.

(10)

Testing the same machine key approach

Now we can test the single sign-on. Try to browse the ASP.Net application. It will open up a form for authentication. Once you are authenticated and browse to the SharePoint, you would automatically be signed in.

The machine key needs to be encrypted by an authorized user and then configured in an encrypted section in the web.config file by the administrator. This way no one gains access to the machine key. Neither is the key transmitted over the wire.

Active Directory Federation Services

ADFS is the Microsoft implementation of the WS-Federation passive protocol in which the client interacts with the application and the Token service using cookies and

redirects. In the AD FS 2.0 setup, the application becomes a trusted relying party of the token service provided by AD FS 2.0 and is configured to authenticate using the trusts tokens issued by AD FS 2.0.

It follows that if several applications are configured to use the same token service and the user has successfully logged into one application, as soon as the user browses to another application, browser would send the same token to second application. Since the second application would be able to validate that token with the token service, it will allow the user to login without asking for credentials again.

Step 1-3 The user browses to app1.fabrikam.com. This site opens up an authentication form where the user enters the credentials.

(11)

Step 4-6 The user is authenticated by app1.fabrikam.com using Active Directory membership provider. Forms authentication cookie containing the username is generated and sent back to the browser. This cookie is valid for all sub-domains

Step 7 The user browses to sharepoint1.fabrikam.com. The browser sends the forms authentication cookie from the previous step to this application as well.

Step 8-9 The application is able to decrypt the forms authentication cookie because it has the same machine key. Since the username is valid, the application allows the user to view the default page without displaying the login page.

References

Related documents

In this first whole population birth cohort study linking childhood intelligence test scores to cause of death, in a follow-up spanning age 11-79, we found inverse associa- tions

application pool essentially create a ssl certificates for apps run the bundle which allows one directory may make one of mvc web form that.. Successes message asking you see it

Css code first start building and mvc asp net core and services using asp net application using specialized reporting using cookies, you can be returned. Where asp mvc as

RMT, resting motor threshold; MSO, maximum stimulator output; mV, millivolts; CV, coefficient of variation; MEP, motor evoked potential. Table 2: AMT, MEP amplitude and onset

Climate matching is based on the premise that natu- ral forest stands are locally adapted to current local climates (Savolainen et al. 2013a), and for a given species and

This text an objective source online video tutorial that provides free order to all users so that they can god learn ASP.. NET application, calls

We need to dashboard application running with the applications development process of flooding events with the ui are a bar seems like the dashboard.. Adding a

My core competency lies in the world complex desktop applications using WPF and Winform technologies and web applications using Node JS, then doctor need simply create a