Tuesday, August 26, 2014

Installing and Configuring ADFS Integration with SharePoint 2013 - Step by Step Guide

Introduction:
Active Directory Federation Services (ADFS) extends enterprise identity beyond the corporate firewall: it lets trusted partner organizations share identities. A common business requirement is that users in one organization need to reach a secured application or website in another organization. Without ADFS we would end up re-creating logins for the partner company's users in our own AD, which leaves us maintaining and managing two separate identities for each of those users. ADFS solves this by federating identities and establishing single sign-on. SharePoint 2013 supports ADFS natively, so the integration is seamless.

Generally, in the SharePoint world, ADFS is used in these three scenarios:
  1. Domains that are not part of your AD forest (such as acquired companies with network connectivity in place but no trusts established): a user in one organization accesses an application in another, so you can collaborate across organizational boundaries without duplicating user logins. For example, your company runs an internal SharePoint site and your partner or acquired company wants to use the same site.
  2. Extranet setups for partners/customers: accessing the SharePoint application via the Internet, which extends the first scenario to remote users outside the organization. The external domain remains responsible for validating the credentials it is given and passing the resulting claims on to SharePoint.
  3. Office 365/Cloud: you run a SharePoint farm in the cloud or in Office 365 and want to give your company's users access without re-creating their identities in the cloud.
How the ADFS - SharePoint authentication process works?
  • The user browses to the SharePoint site URL and, if more than one provider is enabled on the zone, picks the ADFS provider from the sign-in page.
  • SharePoint redirects the browser to the configured ADFS sign-in URL (/adfs/ls) with a WS-Federation sign-in request (wa=wsignin1.0, wtrealm=<realm of the web application>), and ADFS prompts the user for credentials (or uses integrated Windows authentication inside the domain).
  • ADFS validates the user name and password against its identity provider, Active Directory, and builds the claims defined in the relying party's claim rules.
  • ADFS issues a SAML token signed with its token-signing certificate and returns it to the browser in an auto-submitting form, which POSTs the token to the web application's /_trust/ endpoint.
  • The SharePoint Security Token Service validates the signature against the token-signing certificate imported into the farm, checks that the token was issued for the expected realm, and extracts the claims.
  • SharePoint issues its own FedAuth session cookie, performs authorization against the site's permissions, and connects the user to the web application.

There are Three steps involved in integrating ADFS with SharePoint 2013:
  1. Install ADFS Server
  2. Create a trusted relying party for SharePoint 2013 in ADFS
  3. Configure SharePoint 2013 to trust ADFS

Prerequisites:
There are certain prerequisites to be addressed before configuring ADFS with SharePoint 2013.
  1. Certificates: Obtain an SSL certificate for your SharePoint 2013 web application, plus at least two certificates for ADFS: one for ADFS service communication (SSL) and one for ADFS token signing, both with 2048-bit keys. The token-signing certificate is not used for SSL; its only job is to let SharePoint verify the signature on every token ADFS issues.
  2. Default Web Site in IIS: On the ADFS server, make sure the Default Web Site is running in IIS and is SSL-enabled with the ADFS communication certificate.
  3. SharePoint Web Application requirements: The web application must be SSL-enabled and its authentication mode must be "Claims Based" (the default in SharePoint 2013). The Security Token Service must be up and running.
  4. DNS Entries: Make sure DNS entries (or at least hosts file entries) exist for both the SharePoint and ADFS servers so that the two can resolve and reach each other. The names must match the subject names on the certificates, or SSL validation fails.
  5. Service account: Have a dedicated service account for the ADFS service, used for nothing else. Make it a local administrator on the ADFS server and register the SPN for the federation service name on it: setspn -a host/adfs.crescent.com crescent\AdfsSvc
Here is our environment setup:
In production environments, ADFS is deployed as a separate farm with an ADFS Proxy server in the perimeter network for external users. For evaluation purposes, I'm using the configuration below:
  • ADFS Server - ADFS.Crescent.com
  • SharePoint Farm - Web Application: Intranet.Crescent.com  
  • Certificates 
    • Intranet.Crescent.com - SharePoint web application certificate
    • ADFS.Crescent.com - Certificate for ADFS server to communicate securely.
    • TokenSigning.Crescent.com - ADFS Token signing certificate.

 

Step 1: Install ADFS Server Instance

In Windows Server 2008 R2, ADFS 2.0 was a separate download; Windows Server 2012 ships the AD FS role, so all you have to do is add it with the "Add roles and features" wizard. ADFS can be installed as a stand-alone federation server or as a federation server farm with multiple servers. A stand-alone server always uses the Windows Internal Database; a farm can use either the Windows Internal Database or SQL Server. A stand-alone server cannot later be joined to a farm, so use it only for evaluation.
Although it's possible to run ADFS on the same box as SharePoint, Microsoft doesn't recommend it.

Lets begin installing ADFS Server role.
  1. Log in to your proposed ADFS server. Make sure it's already joined to the AD domain. Open Server Manager.
  2. Click on "Add roles and features" link from Dashboard section of the Server Manager.
  3. You'll be presented with "Add Roles and Features Wizard" . Click "Next" to start
  4. Choose "Role-based or feature-based installation" on installation Type and click "Next"
  5. Select the appropriate Server in server selection
  6. Check "Active Directory Federation Services" Server Roles and click "Next"
  7. In Features page, Make sure ".Net Framework 3.5" is already installed. if not, Select that check box.
  8. Click "Next" on AD FS page
  9. Choose "Federation Service" under Role Services section
  10. Click on "Install" button to start installing ADFS Server role.
  11. Wait for the installation to complete. Click on "Close" button to exit from the wizard.
Configure ADFS Server:
  1.  Go to Server Manager, Click on "AD FS" tab. There will be a notification at the top saying "Configuration required for Federation service". Click on "More" link, that pops up a message.
  2. Click on "Run the AD FS Management snap-in" link to run Post-deployment configuration wizard.
  3. This opens the AD FS Management snap-in. Click the "AD FS Federation Server Configuration Wizard" link to start configuring ADFS.
  4. Choose "Create a new Federation Service" on the welcome screen.
  5. Select the deployment type "Stand-alone Federation Server" (evaluation only; production deployments use a farm).
  6. Choose the SSL certificate for ADFS communication (ADFS.Crescent.com in this setup). The federation service name is taken from this certificate's subject.
  7. Click "Next" on the summary page
  8. Wait for the AD FS configuration to complete.
Verify ADFS installation:
Try the URLs below. The first shows the IdP-initiated sign-in page; the second returns the federation metadata XML, which lists the federation service's endpoints and its token-signing certificate (the same certificate SharePoint will later be told to trust).
  • https://YourADFS-Server.com/adfs/ls/IdpInitiatedSignon.aspx
  • https://<<servername>>/FederationMetadata/2007-06/federationmetadata.xml

 

Step 2: Create trusted relying party in ADFS 

Now, the next step is to add a new trusted relying party (in our case, our SharePoint site URL). We have to set up ADFS to accept our SharePoint web sites as relying parties so that SharePoint can consume claims from the ADFS server.

Configure ADFS for SharePoint 2013:
Lets Add SharePoint Web Application URL as a Trusted Relying Party:
  1. Go to Server Manager, Click on "AD FS Management" from tools menu.
  2. From the AD FS snap-in, click the "Required: Add a trusted relying party" link. You can also click "Add Relying Party Trust" to get the same wizard.
  3. Click "Start" button to initiate relying party trust wizard.
  4. In "Select Data Source" tab, choose "Enter data about the relying party manually" and click "Next"
  5. Give a display name to the relying party.
  6. Choose profile as "AD FS Profile"
  7. The "Configure Certificate" step asks for an optional token encryption certificate. This guide does not use token encryption, so skip it by pressing "Next".
  8. Here is an important step: Configure URL! Select "Enable support for the WS-Federation Passive protocol" check-box. Enter the relying party WS-Federation passive protocol URL by appending : /_trust/ with your SharePoint web application. In my case, My web application is: https://intranet.crescent.com. So, I'm entering:  https://intranet.crescent.com/_trust/
  9. Configure identifiers: Enter the relying party trust identifier. This is the value SharePoint sends as wtrealm, so it must exactly match the realm configured on the SharePoint side later. The convention is urn:<web-app>:<domain>; enter "urn:intranet:crescent" and click the "Add" button.
  10. For issuance authorization rules, choose "Permit all users to access this relying party" and click Next. This only decides who ADFS will issue a token to; SharePoint still enforces its own site permissions. You can tighten it later with an issuance authorization rule that permits or denies based on a claim (for example a group membership).
  11. Click "Next" on the summary page.
  12. Enable "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" check box, and click on "Close" button.
Edit Claims Rule:
SharePoint claims-based authentication identifies users by a set of claims, such as User Principal Name and e-mail address, so ADFS must be told which AD attributes to send.
  1. Click on "Add Rules" button in Edit Claim Rules window.
  2. Choose the Claim rule template as: "Send LDAP Attributes as Claims"
  3. Give a name to your claim rule, choose the attribute store "Active Directory", and map the AD attributes to be sent to SharePoint via ADFS. I've mapped "E-Mail-Addresses" to "E-Mail Address" and "User-Principal-Name" to "UPN". Click "Finish" once done.
Repeat the relying party wizard (and the claim rules) for each of your web applications, using a distinct identifier for each.

Change the Token Signing Certificate in ADFS Server
The "ADFS communication certificate" and the "ADFS token signing certificate" must be different certificates. By default ADFS generates self-signed token-signing certificates and rolls them over automatically. SharePoint does not read ADFS metadata; it pins the certificate you import, so an automatic rollover would silently break every ADFS login until the new certificate is re-imported. To add your own token-signing certificate, first disable automatic certificate rollover.
Open PowerShell on the federation server and run the following command:
Set-ADFSProperties -AutoCertificateRollover $false
Now, from the ADFS console: Service >> Certificates >> Add Token-Signing Certificate >> choose the "TokenSigning.crescent.com" certificate from the list >> then right-click it and choose "Set as Primary". Note the certificate's expiry date: when it is renewed, the SharePoint side must be updated as well.

Remember, you must export this ADFS token-signing certificate (public key only) to all SharePoint servers to establish trust.

Private Key Permissions:
The ADFS service account needs at least "Read" permission on the private key of the token-signing certificate; otherwise ADFS cannot sign tokens. From the Certificates snap-in (Local Computer), browse to Personal >> Certificates, right-click your token-signing certificate > All Tasks > Manage Private Keys >> grant "Read" (not Full Control) to the service account.

Export this ADFS token signing certificate to all SharePoint server(s)

The ADFS token-signing certificate must be exported from the ADFS server (public key only) and used when creating the trust in SharePoint. Here is how:
  1. From the ADFS console, expand the "Certificates" folder, right-click your ADFS token-signing certificate and choose "View Certificate".
  2. Under the "Details" tab, click the "Copy to File" button.
  3. In the "Export Private Key" section, choose "No, do not export the private key". The private key stays on the ADFS server.
  4. Click "Next". Choose the export file format "DER encoded binary X.509 (.CER)".
  5. Save the file (for example C:\ADFS.TokenSigning.cer) and copy it to the SharePoint server(s).
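The same certificate change and export, scripted, as an added example (not code from the original post). It assumes the ADFS PowerShell cmdlets are available (snap-in on AD FS 2.x, module on later versions), that the TokenSigning.crescent.com certificate is already in the federation server's LocalMachine\My store, and the export path C:\ADFS.TokenSigning.cer used later on the SharePoint side.

```powershell
# Added example: switch ADFS to a manually managed token-signing certificate
# and export its public part for SharePoint. Run on the federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$subject    = "CN=TokenSigning.crescent.com"   # assumption: subject of the token-signing cert
$exportPath = "C:\ADFS.TokenSigning.cer"       # assumption: path used on the SharePoint side

# 1. Stop ADFS from generating and rolling its own self-signed signing certificates.
#    SharePoint pins the certificate you import, so a rollover would break logins.
Set-ADFSProperties -AutoCertificateRollover $false

# 2. Locate the certificate (with private key) and register it as primary token-signing cert.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject } |
        Select-Object -First 1
if (-not $cert)               { throw "Certificate '$subject' not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate '$subject' has no private key; ADFS cannot sign with it" }

Add-ADFSCertificate -CertificateType Token-Signing -Thumbprint $cert.Thumbprint
Set-ADFSCertificate -CertificateType Token-Signing -Thumbprint $cert.Thumbprint -IsPrimary

# 3. Export the PUBLIC part only (DER-encoded .cer). The private key never leaves ADFS.
$primary = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $primary.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $der)

# 4. Print what to compare against on the SharePoint side (thumbprint and expiry).
Get-ADFSCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = "NotAfter"; e = { $_.Certificate.NotAfter } }
```

The private-key "Read" permission for the service account still has to be granted as described above; the script only fails fast if the private key is missing altogether.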

 

Step 3: Configure SharePoint 2013 to Trust ADFS

As a final step, Lets create a trusted identity token issuer pointing to ADFS as the claims provider, using PowerShell

Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

#Register the token-signing certificate exported from ADFS (public key only) to establish trust between SharePoint and ADFS
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\ADFS.TokenSigning.cer")
New-SPTrustedRootAuthority -Name "ADFS Token Signing Certificate" -Certificate $cert

#Map the incoming claim types to SharePoint claim types (same names as issued by ADFS)
$EmailMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$UPNMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

#Realm: must match the relying party identifier entered in ADFS
$realm = "urn:intranet:crescent"

#Sign-in URL: the WS-Federation passive endpoint of the ADFS server
$signInURL = "https://adfs.crescent.com/adfs/ls"

#Create the trusted identity token issuer; e-mail is the identifier claim
$TrustedIdentity = New-SPTrustedIdentityTokenIssuer -Name "Crescent.com" -Description "ADFS Trusted users from Crescent.com Domain" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $EmailMap,$UPNMap -SignInUrl $signInURL -IdentifierClaim $EmailMap.InputClaimType
The New-SPTrustedRootAuthority lines register the certificate in SharePoint's own certificate store; SharePoint does not consult the Windows certificate store for this trust. If the token-signing certificate was issued by a CA, register the root and any intermediate CA certificates the same way, or SharePoint fails the chain check and rejects every token. You can see them under the "Manage Trust" link in the Security section of Central Administration.

Realm - the identifier that tells ADFS which relying party configuration to load for the request; SharePoint sends it as the wtrealm parameter. It follows the convention urn:yourwebapp:yourdomain. Technically it can be any string, but it must match the relying party identifier entered in ADFS exactly, and it must be unique per web application.

IdentifierClaim - the claim SharePoint uses as the unique ID of a user. Here, users who sign in via ADFS are identified by their e-mail address, and when granting access to SharePoint sites you use that e-mail as the user name. Make sure the mapped claim exists in the source: if e-mail is the identifier claim, the AD mail attribute must contain a value (not null) for every user, and it must be unique, because SharePoint treats whoever presents that value in a validly signed token as that user. If an e-mail address is ever reassigned to a different person, the new person inherits the old one's SharePoint permissions.
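A check worth running after the trust is created, and again whenever ADFS certificates change, as an added example (not code from the original post): compare the token-signing certificate SharePoint pinned with the signing certificates ADFS currently advertises in its federation metadata (the same metadata URL used to verify the ADFS installation earlier). It assumes the issuer name "Crescent.com" and ADFS host adfs.crescent.com from this walkthrough, and it runs on a SharePoint server.

```powershell
# Added example: does SharePoint trust the certificate ADFS is actually signing with?
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName  = "Crescent.com"                                                             # assumption
$metadataUrl = "https://adfs.crescent.com/FederationMetadata/2007-06/federationmetadata.xml"  # assumption

# Signing certificates published by ADFS. More than one appears while a rollover is in progress.
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$sts = $metadata.EntityDescriptor.RoleDescriptor |
       Where-Object { $_.type -like "*SecurityTokenServiceType" }
$adfsThumbprints = foreach ($kd in ($sts.KeyDescriptor | Where-Object { $_.use -eq "signing" })) {
    $raw = [Convert]::FromBase64String($kd.KeyInfo.X509Data.X509Certificate)
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)).Thumbprint
}

# Certificate SharePoint uses to validate tokens from this issuer.
$issuer       = Get-SPTrustedIdentityTokenIssuer $issuerName
$spThumbprint = $issuer.SigningCertificate.Thumbprint

"ADFS advertises : $($adfsThumbprints -join ', ')"
"SharePoint trusts: $spThumbprint (expires $($issuer.SigningCertificate.NotAfter))"

if ($adfsThumbprints -contains $spThumbprint) {
    "OK: SharePoint's pinned token-signing certificate matches ADFS."
} else {
    Write-Warning ("Mismatch: ADFS tokens will be rejected until the current token-signing certificate " +
                   "is imported with Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate " +
                   "and registered with New-SPTrustedRootAuthority.")
}
```

If Invoke-WebRequest itself fails with an SSL error, the SharePoint server does not trust the ADFS communication certificate; that has to be fixed in the Windows certificate store before users' browsers (and the SharePoint STS) will trust ADFS either.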

SharePoint 2013 ADFS with multiple web applications 
So you have established a trusted identity provider for your primary web application. Other web applications, for example My Sites, must be added to the same trusted identity provider, each with its own realm and a matching relying party trust in ADFS, with this PowerShell code:
Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

$TrustedIdentityProvider = Get-SPTrustedIdentityTokenIssuer "Crescent.com"

#Map the web application URL to the realm (relying party identifier) registered for it in ADFS
$uri = New-Object System.Uri("https://mysites.crescent.com/")
$TrustedIdentityProvider.ProviderRealms.Add($uri, "urn:mysite:crescent")

$TrustedIdentityProvider.Update()

Configure SharePoint Web Application:
The next step is to enable the ADFS trusted identity provider on the web application.
  • Go to Central Administration > Application Management > Manage Web Applications and select the web application.
  • Click the "Authentication Providers" button on the ribbon.
  • Click the "Default" zone link in the list.
  • Under "Claims Authentication Types", check "Trusted Identity provider" and pick the provider we just created (Crescent.com).
  • Click "OK" to save your changes.

Grant ADFS users Permission to the SharePoint web application
When you grant permissions to an ADFS user in SharePoint, add the user by its IdentifierClaim value, not by Windows login. With e-mail as the identifier, add user@crescent.com on the SharePoint side; at the ADFS prompt the user still signs in with the Domain\userName format. If you skip this step, users coming from ADFS get "Access denied".
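Granting that access from PowerShell, as an added example (not code from the original post): it first checks that the AD attribute behind the identifier claim is populated and unique, then builds the claims principal for the trusted issuer and adds it to a site group. It assumes the issuer "Crescent.com", the site https://intranet.crescent.com, a sample user jdoe@crescent.com, an existing SharePoint group "Intranet Visitors", and the ActiveDirectory module being available on the SharePoint server.

```powershell
# Added example: grant an ADFS user access by identifier claim (e-mail), with sanity checks.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory -ErrorAction Stop

$issuerName = "Crescent.com"                   # assumption: issuer created above
$siteUrl    = "https://intranet.crescent.com"  # assumption
$userUpn    = "jdoe@crescent.com"              # assumption: sample user
$groupName  = "Intranet Visitors"              # assumption: existing SharePoint group

# 1. The identifier claim value must exist and be unique, or the user cannot be matched safely.
$adUser = Get-ADUser -Filter { UserPrincipalName -eq $userUpn } -Properties mail
if (-not $adUser)      { throw "No AD account with UPN $userUpn" }
if (-not $adUser.mail) { throw "$userUpn has an empty 'mail' attribute; ADFS will send no e-mail claim" }
$mail  = $adUser.mail
$dupes = @(Get-ADUser -Filter { mail -eq $mail })
if ($dupes.Count -gt 1) { throw "mail value $mail is shared by $($dupes.Count) accounts; identifier claim is ambiguous" }

# 2. Build the claims principal. ToEncodedString() gives the stored login name,
#    e.g. i:05.t|Crescent.com|jdoe@crescent.com ('5' = e-mail claim, 't' = trusted provider).
$issuer    = Get-SPTrustedIdentityTokenIssuer $issuerName
$principal = New-SPClaimsPrincipal -ClaimValue $mail `
                -ClaimType $issuer.IdentityClaimTypeInformation.MappedClaimType `
                -TrustedIdentityTokenIssuer $issuer
$encoded = $principal.ToEncodedString()

# 3. Add the user to the site and put it in a permission group (least privilege: Visitors here).
New-SPUser -UserAlias $encoded -Web $siteUrl -Group $groupName -DisplayName $adUser.Name | Out-Null
"Granted $encoded access to $siteUrl via group '$groupName'"
```

The encoded login name is what you will see in site permissions and in ULS logs for ADFS users; granting by Windows account (crescent\jdoe) creates a different, unrelated principal and is why users end up with "Access denied".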

When users hit the SharePoint URL, they are presented with the default sign-in page, where they choose the ADFS provider.
Troubleshooting?
Errors? The event logs are the best place to start: the AD FS Admin log on the federation server shows why a token was not issued, and the Application log plus the ULS logs on the SharePoint server show why a token was rejected (typically an untrusted or stale signing certificate, a realm mismatch, or a missing identifier claim).

You might also like:
SharePoint Usage Reports
Usage reports, collaboration and audit for SharePoint.
Five Challenges in SharePoint Security
...And How to Solve Them. Free White Paper
*Sponsored


Tuesday, July 15, 2014

How to Integrate Twitter with SharePoint to Get Twitter Feeds

Although there are Twitter-SharePoint web parts on CodePlex, you can integrate Twitter with SharePoint using the out-of-the-box Script Editor or Content Editor web parts in a few steps.

Simply follow these steps to add Twitter feeds to SharePoint.

Step 1: Go to https://www.twitter.com and Log-in to your Twitter account.(You need to have a twitter account!)

Step 2: Navigate to Settings >> Widgets (https://twitter.com/settings/widgets)

Step 3: In the widgets tab, Click on "Create New" button

Step 4:  Under "User Timeline" tab, Click on “Create Widget” button to generate Twitter embed code. You can further customize look and feel by following developer API references.

Step 5: Wait for the “Your Widget has been created.” Message from twitter. Now Copy the twitter embed code to clipboard

Here is my twitter widget script generated:
<a class="twitter-timeline"  href="https://twitter.com/SharePointDiary"  data-widget-id="489002092749549570">Tweets by @SharePointDiary</a>
    <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+"://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>

Step 6: Navigate to your SharePoint site. Add a Content Editor web part wherever required (Edit Page >> Add Web Part). Paste the code copied from Twitter into the Content Editor's "Source Editor", save and close. This will display Twitter feeds in SharePoint sites.

Here is the end Result of Twitter SharePoint integration:


The above method works on SharePoint 2007, SharePoint 2010 and even SharePoint 2013. Compared with showing a Twitter RSS feed through XML web parts and XSL, I consider it relatively simple. Keep in mind that the embed code loads script from platform.twitter.com into your page, where it runs with the same access to the page and the user's session as your own scripts; anyone who can put script on a page can do the same, so treat page-editing rights as a privilege and embed only on pages where that trust is acceptable.





Thursday, July 10, 2014

Download All Document Versions using Web Services - PowerShell

Requirement:
Extract and download every version of a document stored in a SharePoint library. PowerShell can do it from the client side using the Versions.asmx web service. Here is the PowerShell script that downloads each version to a local folder.
# ******* Variables Section ******************
#Define these variables
$WebURL       = "http://sharepoint.crescent.com/sites/Operations/"
$FilePath     = "http://sharepoint.crescent.com/sites/Operations/docs/designDoc.docx"
$TargetFolder = "C:\Downloads"
# *********************************************

#Web Service URL (Versions.asmx lists every version of a file)
$WebServiceURL = $WebURL + "_vti_bin/Versions.asmx"
$WebService = New-WebServiceProxy -Uri $WebServiceURL -UseDefaultCredential
$WebService.Url = $WebServiceURL

#Get file name from file path
$FileName = $FilePath.Substring($FilePath.LastIndexOf("/") + 1)

#Create the target folder if it doesn't exist
if (!(Test-Path -Path $TargetFolder)) {
    New-Item $TargetFolder -ItemType Directory | Out-Null
}

#Call web service method "GetVersions" to retrieve the versions collection
#Each <result> carries version (the current version is prefixed "@", e.g. "@3.0") and url
$FileVersions = $WebService.GetVersions($FilePath).Result

#One client for all downloads; Windows credentials are sent to the SharePoint host only
$webclient = New-Object System.Net.WebClient
$webclient.UseDefaultCredentials = $true

foreach ($File in $FileVersions) {
    #Frame the file name: E.g. 1.0_Filename.ext
    $VersionLabel    = $File.version.TrimStart("@")
    $VersionFileName = Join-Path $TargetFolder "$($VersionLabel)_$($FileName)"
    Write-Host "Downloading $($File.url) -> $VersionFileName"
    $webclient.DownloadFile($File.url, $VersionFileName)
    Write-Host "Downloaded version: $VersionLabel"
}




Expand-Collapse All Groups in SharePoint 2013 List Views using jQuery

SharePoint doesn't have the ability to expand/collapse all groups in grouped list views. With jQuery, however, we can add Expand All / Collapse All buttons to SharePoint 2013 grouped list views. Just edit the grouped view page (Settings gear >> Edit Page), add a "Script Editor" web part and place the code below in it. The script references jQuery from code.jquery.com; for a production site, upload a current jQuery build to your Site Assets library and reference it from there over https, so an https site shows no mixed-content warning and the page does not fetch script from a third party on every view.

jQuery for Expand-Collapse all items in grouped views in SharePoint 2013:
<script type="text/javascript" src="https://code.jquery.com/jquery-1.2.6.min.js"></script>

<script type="text/javascript">
    // Trigger the click handlers SharePoint attached to each group's expand/collapse icon
    function expandAll() {
        $("img.ms-commentexpand-icon").click();
        return false;   // stay on the page instead of following href="#"
    }

    function collapseAll() {
        $("img.ms-commentcollapse-icon").click();
        return false;
    }

    var expandButton = '<a href="#" onclick="return expandAll();">&nbsp;' +
        '<img title="expand all groups" style="border:none;" alt="expand all" src="/_layouts/images/collapseplus.gif"></a>';

    var collapseButton = '<a href="#" onclick="return collapseAll();">&nbsp;' +
        '<img title="collapse all groups" style="border:none;" alt="collapse all" src="/_layouts/images/collapseminus.gif"></a>';

    // Place both buttons in the view's pivot control bar once the page has loaded
    $(document).ready(function () {
        $(".ms-pivotControl-container").append(expandButton).append(collapseButton);
    });
</script>
and here is the result:
Thanks to: https://www.nothingbutsharepoint.com/sites/eusp/pages/jquery-for-everyone-expandcollapse-all-groups.aspx for the idea!



Tuesday, July 8, 2014

How to Change Logo in SharePoint 2013

As a branding initiative, the first thing people do to customize a SharePoint site is change the logo to their company logo. Here is how to change the logo in SharePoint 2013:
  1. Navigate to the Site Settings Page by clicking "Site Settings" link from settings gear.
  2. Under the "Look and Feel" section, click on "Title, description, and icon" link. 
  3. Select the logo either from your computer ( When insert from computer, the logo will be upload to "Site Assets" library.) or from any SharePoint library.
  4. Optionally, enter a logo description. Click OK to apply your new logo. Alternatively, copy the logo file to each WFE so that the logo is served from the file system rather than from a SharePoint library in one site collection.
Here is the result of changing the SharePoint 2013 logo URL:
Tips: Keep the logo background transparent so that it can match on any color theme!
That's all!

FAQS on SharePoint Logo:


SharePoint 2010 logo change
The same procedure applies to SharePoint 2010 also to set site logo.

SharePoint 2013 change site logo programmatically
You can set the SiteLogoUrl property of the SPWeb object to change the site logo programmatically in SharePoint. Here is how (site is an SPSite instance; call Update() or the change is not saved):
site.RootWeb.SiteLogoUrl = "Logo-URL"; // such as "/_layouts/15/images/CustomLogo.png" or "/sites/operations/siteassets/CustomLogo.png"
site.RootWeb.Update();                 // persist the change
We set the root web's logo property so that all sub sites that inherit the site logo pick it up.

SharePoint 2010/2013 change logo for all sites
Out-of-the-box there is no shortcut, but these tricks will do. The SharePoint 2013 default site logo URL is "/_layouts/15/images/siteIcon.png"; for SharePoint 2010 it is "/_layouts/images/siteIcon.png". The "images" folder is a virtual directory mapped to "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\IMAGES" (14 for SharePoint 2010) on each SharePoint web front end server.
So the trick is: take a backup of "SiteIcon.png" and replace it with your logo under the same name, on every front end. Be aware that a cumulative update or service pack can overwrite files in the hive, so keep the backup and re-check after patching. A much cleaner approach is to set the logo using PowerShell.


Set SharePoint 2010 Logo URL using PowerShell
Let's change the logo for all sites in the entire farm, which includes all sub-sites of all web applications (Update() is required, or nothing is saved):
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Get-SPWebApplication | Get-SPSite -Limit All | Get-SPWeb -Limit All | ForEach-Object { Write-Host "Changing Logo for: $($_.Url)"; $_.SiteLogoUrl = "/_layouts/images/your-logo.png"; $_.Update() }
Read more at: SharePoint 2013 Change Site Logo Programmatically with PowerShell

SharePoint 2010 add logo to feature:
You can pack and deploy your custom logo as part of SharePoint solution package.

I changed the logo, but still see the old logo: this is usually the browser cache. Try Ctrl+F5. Quick fix: change the logo image file name in the 12/14/15 hive and run the PowerShell code above to apply the new logo image.

Getting repeated authentication prompts after changing the logo: your logo file in the 15 hive or in the library is not inheriting permissions, so the browser is challenged for credentials when it fetches the image. Go to the properties of the file and restore inherited permissions. The same happens when the logo is stored in a SharePoint library: make sure users have at least Read access and that the file is checked in, published and approved (if content approval is enabled).

Web part Pages doesn't display New Logo:
Well, its a known issue and find the solution at: Fix Custom SharePoint 2010 Logo Missing in Web Part Pages

SharePoint 2010 logo not displaying
The SharePoint site logo is not displayed and a red X appears in its place. This happens when the site logo path is not valid. Right-click the broken logo image, copy the URL of the image, and verify that the logo path is correct.

Make SharePoint 2010 logo link root site
By default, on clicking the site logo, it takes us to the root of the current site. Its possible to change the logo hyperlink. Here is how: Make SharePoint Site Logo Link Point to Root Site Collection

SharePoint 2010 master page logo
You can also change the logo at the SharePoint 2013 master page level. Locate the <SharePoint:SiteLogoImage> control and change its LogoImageUrl attribute.

SharePoint 2013 hide logo
To hide the logo on SharePoint sites, use this style (.s4-titlelogo is the SharePoint 2010 class, .ms-siteicon-img the SharePoint 2013 one):
.s4-titlelogo > a > img, .ms-siteicon-img {
visibility: hidden;
}
To remove a custom logo, simply clear the logo URL already set.

SharePoint logo size
The default size of the SharePoint 2013 logo is 180x64 pixels; smaller logos are shown at their own size, larger ones are scaled down to fit that box by the SharePoint 2013 CSS. To show a larger logo, resize the image with Photoshop or any other image tool and override the size in CSS. To set the logo width and height in CSS, use these styles (.s4-titlelogo is the SharePoint 2010 class, .ms-siteicon-img the SharePoint 2013 one):
.s4-titlelogo > img, .s4-titlelogo > a > img, .ms-siteicon-img { width: 150px; height: 150px; max-width: none; max-height: none; }

