Month: March 2014

SharePoint with Azure Access Control Service

This article describes how to set up Azure Access Control Service (ACS) as an identity provider for SharePoint. Windows Live ID is used as the test identity provider behind ACS.

ACS is placed as the first federator behind the consuming application (SharePoint), as in the architecture below.

(Figure: IdentityFederation, the identity federation architecture diagram)

Prerequisites:
1: Administrative access to the Azure ACS namespace. (https://manage.windowsazure.com/)
2: Outbound access from the SharePoint servers to the Azure ACS URL. (Internet browsing available)
3: Access from the client to the public URL of the SharePoint solution. (SharePoint exposed to the internet)

Installation SharePoint with Azure Access Control Service
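The SharePoint side of this trust, as an added example that is not the original post's code or the linked guide: it verifies the ACS token-signing certificate before importing it, registers ACS as a trusted identity token issuer and enables it on a web application. The ACS namespace, realm, web application URL, certificate path and thumbprint are assumed values, and the custom claim type URI is hypothetical: Live ID only supplies a name identifier, so the example assumes an ACS rule group re-emits it under that claim type.

```powershell
# Added example (not from the original post): register Azure ACS as a
# SPTrustedIdentityTokenIssuer. Run in the SharePoint Management Shell as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$acsNamespace = "contoso-acs"                                     # assumption
$acsSignInUrl = "https://$acsNamespace.accesscontrol.windows.net/v2/wsfederation"
$realm        = "urn:sharepoint:contoso"                          # assumption: must equal the relying party realm configured in ACS
$signingCer   = "C:\certs\acs-signing.cer"                        # assumption: ACS token-signing certificate, public part only
$expectedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"  # assumption: thumbprint as shown in the ACS portal

# Hypothetical claim type that an ACS rule group emits for the Live ID name identifier.
$idClaimType  = "http://schemas.contoso.com/claims/liveid"
$idpClaimType = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"

# 1. Verify the signing certificate before trusting it. Whatever you import here can
#    mint tokens for every user of the web application.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCer)
if ($cert.Thumbprint -ne $expectedThumbprint) {
    throw "ACS signing certificate thumbprint mismatch: got $($cert.Thumbprint)"
}
if ($cert.HasPrivateKey) { throw "Refusing to import a signing certificate that carries a private key" }

# 2. Make the farm trust the ACS token-signing certificate.
New-SPTrustedRootAuthority -Name "Azure ACS Token Signing" -Certificate $cert | Out-Null

# 3. Map the incoming claims. SharePoint needs exactly one identifier claim.
$idMapping  = New-SPClaimTypeMapping -IncomingClaimType $idClaimType `
                  -IncomingClaimTypeDisplayName "Live ID" -SameAsIncoming
$idpMapping = New-SPClaimTypeMapping -IncomingClaimType $idpClaimType `
                  -IncomingClaimTypeDisplayName "Identity Provider" -SameAsIncoming

# 4. Create the token issuer: this is the consumer's half of the relying-party trust.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Azure ACS" -Description "Azure Access Control Service" `
              -Realm $realm -SignInUrl $acsSignInUrl -ImportTrustCertificate $cert `
              -ClaimsMappings $idMapping, $idpMapping -IdentifierClaim $idClaimType

# 5. Enable it on the web application next to Windows authentication, so farm admins keep a way in.
$webApp  = Get-SPWebApplication "https://sharepoint.contoso.com"   # assumption
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$acs     = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webApp -AuthenticationProvider $windows, $acs -Zone Default

# Sanity check: the realm here is what ACS must put in the token audience.
Get-SPTrustedIdentityTokenIssuer | Select-Object Name, DefaultProviderRealm, ProviderUri | Format-Table -AutoSize
```

In ACS the matching half is a relying party application whose realm equals `$realm`, whose return URL is the web application's `/_trust/` endpoint, and whose rule group passes the claims named above; if the realm differs on either side, SharePoint rejects the token as issued for another audience.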


Identity Federation Infrastructure – Overview

The below should give a simple overview of the infrastructure of identity federation. The approach is generic, although my experience is mostly within the Microsoft portfolio of identity federation products. The description is from an infrastructure perspective and does not cover solution-specific elements such as the claim specification.

Illustrated
(Figure: IdentityFederation, the identity federation architecture diagram)
Directory Services: Active Directory, eDirectory, Red Hat Directory Server
Consumer: SharePoint, CRM
Federator: Active Directory Federation Services, Azure Access Control Service, Novell Access Manager

Explained
A federator (identity provider) can federate its own organization's identities either to another federator or directly to a consumer.
The relying party trust is created on the federator that provides the identities, and it points at the party that consumes them: either the consumer itself or the next federator in the chain.
A federator can federate identities from one or more organizations to the same consumer.

Installation SharePoint 2013 with Web Application Proxy and ADFS – Kerberos

Installation of SharePoint 2013 with Web Application Proxy and ADFS – Kerberos
I had some issues trying to piece together all the parts of the puzzle in order to get Web Application Proxy, ADFS and Kerberos to work together with a SharePoint 2013 web application hosting a Business Intelligence site. The linked guide should outline the most relevant points required; the rest should be read from the references.

Link to doc:
Installation SharePoint 2013 with Web Application Proxy and ADFS – Kerberos guide (Location on Google Drive)

References
Step 3: Publish Applications using AD FS Preauthentication
http://technet.microsoft.com/en-us/library/dn383640.aspx

SharePoint and the Web Application Proxy Role
http://thesharepointfarm.com/2014/02/sharepoint-and-the-web-application-proxy-role/

Understanding the AD FS 2.0 Proxy
http://blogs.technet.com/b/askds/archive/2012/01/05/understanding-the-ad-fs-2-0-proxy.aspx

Certificates – Simple explanation

I’ve encountered quite a few people not quite sure how certificates work. I posted a rather simplified explanation on the matter on TechNet and just wanted to add it here.

Trusts and Certificates
A certificate is one link in a certificate chain: the server (leaf) certificate, zero or more intermediate CA certificates, and a root CA certificate. Whenever you browse to an https (SSL/TLS) site, the server sends you its certificate, normally together with the intermediate certificate(s).
For a certificate to be trusted, the chain must end in a root CA that is in your trust store (Trusted Root Certification Authorities), and every intermediate in between must be available, either sent by the server or already installed, and valid. If you open a certificate and look at the Certification Path tab, you will see this full chain.

When you buy a certificate from a public provider, that provider's root certificate is already in the computer's Trusted Root Certification Authorities store, because Windows ships and updates these roots automatically.
This means your computer already trusts the issuer of the certificate, and therefore your certificate is trusted too; the same holds for any other Windows computer. One common pitfall: if the server does not send the intermediate certificate, clients that do not already have it will report an incomplete chain even though the root is trusted.

With a self-signed certificate, the issuer is the certificate itself, and no one has it in Trusted Root Certification Authorities by default. Why should I trust you as a certificate provider anyway? 🙂

Names and certificates
When a certificate is created, it is bound to one or more host names. A name is either explicit: ‘jesper.contoso.com’, or a wildcard: ‘*.contoso.com’.
The difference is that jesper.contoso.com only works for jesper.contoso.com, while *.contoso.com works for james.contoso.com, john.contoso.com or jesper.contoso.com. A wildcard covers exactly one label, though: *.contoso.com covers neither contoso.com itself nor a.jesper.contoso.com.

The certificate name says nothing about the path after the host name. ‘jesper.contoso.com/rum’ is exactly the same as ‘jesper.contoso.com/whisky’ in certificate terms.
A certificate can contain multiple names in the SAN (Subject Alternative Name) extension, which is also where browsers look when matching the host name. But that’s another story, which is not relevant right now.

Keys and Certificates
Not every application needs the private key. An application in the Microsoft universe will usually ask for either a .cer (without the private key) or a .pfx (with the private key).
The .cer is the public part: every client that connects to your site receives it, it can be saved from the browser's certificate view, and it never contains the private key. A .pfx is obtained on the server itself by exporting the certificate including the private key; protect it with a strong password and treat it as a secret, because whoever holds it can impersonate the site. If you cannot export with the private key, either the certificate has no private key on that machine or the key was not marked as exportable when it was created or imported.
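The chain, name and key points above in one runnable script, as an added example that is not part of the original post: it builds the chain for a certificate the way the Certification Path tab does, exports the same certificate as .cer and .pfx to show which one carries the key, and applies the single-label wildcard rule. It assumes Windows 8 / Server 2012 or later for New-SelfSignedCertificate, Export-Certificate and Export-PfxCertificate; the host names and file paths are illustrative.

```powershell
# Added example (not from the original post): certificate chain, export and name matching.

function Test-CertificateChain {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline demo: skip CRL/OCSP lookups. Leave revocation checking on in production.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)
    [PSCustomObject]@{
        Subject  = $Certificate.Subject
        Trusted  = $trusted
        # leaf -> intermediate(s) -> root, the same order as the Certification Path tab
        Path     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
        # e.g. UntrustedRoot for a self-signed certificate, PartialChain for a missing intermediate
        Problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

function Test-CertificateHostName {
    param([string]$CertificateName, [string]$HostName)
    if ($CertificateName.StartsWith('*.')) {
        # A wildcard covers exactly one label: *.contoso.com matches jesper.contoso.com,
        # but neither contoso.com nor a.jesper.contoso.com.
        $suffix = $CertificateName.Substring(1)                        # ".contoso.com"
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $leftLabel = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($leftLabel.Length -gt 0) -and (-not $leftLabel.Contains('.'))
    }
    return [string]::Equals($CertificateName, $HostName, [StringComparison]::OrdinalIgnoreCase)
}

# 1. A self-signed certificate: nobody has its issuer in Trusted Root Certification Authorities.
$self = New-SelfSignedCertificate -DnsName 'jesper.contoso.com' -CertStoreLocation 'Cert:\CurrentUser\My'
Test-CertificateChain $self | Format-List          # Trusted: False, Problems: UntrustedRoot

# 2. .cer versus .pfx: the .cer can be handed to anyone, the .pfx carries the private key.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-Certificate    -Cert $self -FilePath "$env:TEMP\jesper.cer" | Out-Null
Export-PfxCertificate -Cert $self -FilePath "$env:TEMP\jesper.pfx" -Password $pfxPassword | Out-Null
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$env:TEMP\jesper.cer")
"cer has private key: $($public.HasPrivateKey); store copy has private key: $($self.HasPrivateKey)"   # False / True

# 3. Name matching
Test-CertificateHostName '*.contoso.com' 'jesper.contoso.com'      # True
Test-CertificateHostName '*.contoso.com' 'contoso.com'             # False
Test-CertificateHostName '*.contoso.com' 'a.jesper.contoso.com'    # False
Test-CertificateHostName 'jesper.contoso.com' 'JESPER.contoso.com' # True, host names are case-insensitive

# Clean up the test certificate; delete the exported .pfx as well once you are done.
Remove-Item "Cert:\CurrentUser\My\$($self.Thumbprint)"
```

To see a complete trusted path, run Test-CertificateChain against a certificate from Cert:\LocalMachine\My that was issued by a public provider; Problems comes back empty and Path shows the leaf, the intermediate and the root.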

Original post:
http://social.technet.microsoft.com/Forums/en-US/ed9206e9-f5fc-4d85-94c8-bf07c4e08a0d/ssl-certificate-question-minor-issue?forum=winserverTS

PerformancePoint – Designer – SharePoint 2013 – Cumulative Update October 2013

Just a heads-up: if you are planning to use the PerformancePoint Designer ClickOnce application, do not apply Cumulative Update October 2013 to your SharePoint 2013 farm. The files in that update have been signed with an individual Microsoft employee's certificate rather than the Microsoft Corporation code-signing certificate, which causes the ClickOnce installation to fail.

Files are located in:
\15\TEMPLATE\LAYOUTS\ppsma\1033\DesignerInstall

You can open the manifest file(Designer.exe.manifest) using Notepad and have a look at it. It should look like:
<publisherIdentity name="CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"

However after update it will look like:
<publisherIdentity name="CN=REDMOND\brenwil"

You can replace the files with those from a previous version, as long as all hash values recorded in the manifest match the files you put back; ClickOnce verifies every file against the digests in the signed manifest, so a mismatched file fails the install just as the bad signature does.

Note: Applying SP1 does not resolve the above.
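A script that performs both checks the post relies on, as an added example and not part of the original post: it reads Designer.exe.manifest, reports who signed it, and recomputes the digest of every file the manifest references. It assumes the default SharePoint 2013 hive path and the ClickOnce manifest layout (dependentAssembly and file elements carrying an XML-DSig hash of the raw file bytes); adjust the path if your farm lives elsewhere. Get-FileHash is not used so the script also runs on PowerShell 3.

```powershell
# Added example (not from the original post): verify the publisher and the file digests
# of a ClickOnce application manifest.
$installDir   = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\ppsma\1033\DesignerInstall'  # assumption: default 15 hive
$manifestPath = Join-Path $installDir 'Designer.exe.manifest'
$nsDsig       = 'http://www.w3.org/2000/09/xmldsig#'

[xml]$manifest = Get-Content -Path $manifestPath -Raw

# 1. Who signed it? ClickOnce refuses or prompts on a publisher that is not a proper
#    code-signing identity, which is what the CN=REDMOND\... manifest triggers.
$pubNode   = $manifest.assembly.publisherIdentity
$publisher = if ($pubNode) { $pubNode.GetAttribute('name') } else { '<unsigned>' }
if ($publisher -notlike 'CN=Microsoft Corporation,*') {
    Write-Warning "Manifest publisher is '$publisher', not Microsoft Corporation"
}

# 2. Every referenced file carries a size and a digest of its raw bytes
#    (HashTransforms.Identity); recompute and compare.
function Test-ClickOnceManifestHashes {
    param([xml]$Manifest, [string]$BaseDir)
    $results = @()
    $nodes = @($Manifest.GetElementsByTagName('dependentAssembly')) + @($Manifest.GetElementsByTagName('file'))
    foreach ($node in $nodes) {
        $relPath = $node.GetAttribute('codebase')
        if (-not $relPath) { $relPath = $node.GetAttribute('name') }
        if (-not $relPath) { continue }                    # e.g. the application's own identity block
        $digestValue = $node.GetElementsByTagName('DigestValue', $nsDsig)
        if ($digestValue.Count -eq 0) { continue }          # unhashed reference (prerequisite)
        $method    = $node.GetElementsByTagName('DigestMethod', $nsDsig)
        $algorithm = if ($method.Count -gt 0 -and $method[0].GetAttribute('Algorithm') -like '*sha256') { 'SHA256' } else { 'SHA1' }
        $file      = Join-Path $BaseDir $relPath
        $expected  = $digestValue[0].InnerText.Trim()
        $actual    = if (Test-Path $file) {
            $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($algorithm)
            [Convert]::ToBase64String($hasher.ComputeHash([IO.File]::ReadAllBytes($file)))
        } else { '<missing>' }
        $results += [PSCustomObject]@{
            File      = $relPath
            Algorithm = $algorithm
            Match     = ($expected -eq $actual)
            Expected  = $expected
            Actual    = $actual
        }
    }
    return $results
}

$check = Test-ClickOnceManifestHashes -Manifest $manifest -BaseDir $installDir
$check | Format-Table File, Algorithm, Match -AutoSize
if ($check | Where-Object { -not $_.Match }) {
    Write-Warning 'One or more files do not match the manifest digests; the ClickOnce install will fail'
}
```

Run it before and after swapping files back from an earlier build: a clean run shows a Microsoft Corporation publisher and Match = True on every row. Because the manifest itself is signed, the only files you can substitute without re-signing are ones whose digests already appear in it.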

Warmup Script – SharePoint

Got tired of implementing huge warmup scripts, so I decided to put together the simplest form. It requests the root URL of every site collection in the farm, which loads the application pool of each web application after an IIS reset or recycle.

$ie.Visible = $true should only be used while developing the script. Set it to $false or omit the line; either way Internet Explorer runs as a background process without showing its window. Run the script as an account that has read access to the sites, since IE will authenticate with that account's Windows credentials.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$sites = Get-SPSite -Limit All
foreach ($site in $sites)
	{
	$ie = New-Object -ComObject "InternetExplorer.Application"
	$ie.Visible = $false              # $true only while developing, to watch the requests
	$ie.Navigate($site.Url)
	# wait for the page to load (ReadyState 4 = complete); give up after 60 s so one dead site cannot hang the run
	$deadline = (Get-Date).AddSeconds(60)
	while ($ie.ReadyState -ne 4 -and (Get-Date) -lt $deadline)
		{
		Start-Sleep -Milliseconds 100
		}
	$ie.Quit()
	[void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($ie)
	$site.Dispose()                   # SPSite holds unmanaged resources; release each one
	}

Edit 27-July-2016: Changed from single site to all SP sites.