If you’re running Windows SharePoint Services 3.0 or SharePoint Server 2007 and aren’t quite ready to migrate to SharePoint 2010 to leverage the Claims Authentication Provider, take heart: there’s still hope.
Back in May 2010, Microsoft released several documents and extensions to assist with configuring the SharePoint v3 (or v12, depending on how you look at it) platform to federate with AD FS 2.0, allowing for claims-based authentication federation.
Requirements
- Windows Server 2008
- Windows Server 2008 R2
- Windows Identity Foundation
- Microsoft Federation Extensions for SharePoint 3.0
So how do I do this, you ask? Microsoft used to have a document out on Connect for this, but it has now gone RTW (released to web). The documents are available here:
- Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 with AD FS 2.0
- Configuring SharePoint 2007 AAM applications with AD FS 2.0 (TechNet)
- Microsoft Federation Extensions for SharePoint 3.0 – Windows Identity Foundation (MSDN)
A couple of things to make note of…
- Don’t install AD FS 2.0 on the same server as SharePoint. This should be a no-brainer, similar to “do not use a basic install” of SharePoint on any server.
- To keep search and other capabilities operational, leave the default zone as Integrated/NTLM Auth. This allows your crawler to still operate in its regular fashion.
- The federation capability really should only be leveraged for extranet / internet situations, not for all zones of users. Sure, it’s great that claims auth with WSS v3 is there and supported, but let’s not get too zealous just yet 🙂
- Get comfy with editing your web.config if you aren’t already, so that you’re able to use the claims-based role and membership providers – if you’ve set this up for SharePoint 2010, it should seem like old hat to you. Better yet, work with your developers to craft a solution package that updates the web.config for you so that you’re not violating the laws of thermodynam… I mean good source control practices.
- Note that if you’re building this into a multi-server farm, the extension bits have to be installed on every server – yes, that’s right, it’s not a solution package and won’t copy across all the servers for you. That’s not to say that the web.config couldn’t be updated via a solution package, though, per the previous bullet.
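For the “update the web.config via a solution package” bullet, this is an added example of a web-application-scoped feature receiver (not code from the post or from the Federation Extensions) that registers a claims membership and role provider entry through SPWebConfigModification, so the change is tracked and reversible instead of hand-edited on each server. The provider names and the two assembly-qualified type names are placeholders to be taken from the Federation Extensions / WIF documentation linked above.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Feature receiver for a WebApplication-scoped feature. WSS 3.0 declares all
// four receiver methods abstract, so each must be overridden.
public class ClaimsProviderWebConfigReceiver : SPFeatureReceiver
{
    // Owner tag lets deactivation remove exactly the entries this feature added.
    private const string Owner = "ClaimsProviderWebConfigFeature";

    // PLACEHOLDER type names: replace with the membership/role provider types
    // shipped with the Federation Extensions for SharePoint 3.0 (see the MSDN link).
    private const string MembershipType = "[claims membership provider type, assembly-qualified]";
    private const string RoleType = "[claims role provider type, assembly-qualified]";

    public override void FeatureActivated(SPFeatureReceiverProperties properties)
    {
        SPWebApplication app = (SPWebApplication)properties.Feature.Parent;

        // Name is an XPath relative to Path; EnsureChildNode adds the node only if absent,
        // so activating twice does not create duplicate provider entries.
        app.WebConfigModifications.Add(Modification(
            "configuration/system.web/membership/providers",
            "add[@name='ClaimsMembership']",
            "<add name=\"ClaimsMembership\" type=\"" + MembershipType + "\" />"));
        app.WebConfigModifications.Add(Modification(
            "configuration/system.web/roleManager/providers",
            "add[@name='ClaimsRole']",
            "<add name=\"ClaimsRole\" type=\"" + RoleType + "\" />"));

        app.Update();
        // Pushes the change to the web.config on every front-end in the farm.
        app.WebService.ApplyWebConfigModifications();
    }

    public override void FeatureDeactivating(SPFeatureReceiverProperties properties)
    {
        SPWebApplication app = (SPWebApplication)properties.Feature.Parent;
        // Remove only the entries we own, leaving other modifications untouched.
        for (int i = app.WebConfigModifications.Count - 1; i >= 0; i--)
            if (app.WebConfigModifications[i].Owner == Owner)
                app.WebConfigModifications.RemoveAt(i);
        app.Update();
        app.WebService.ApplyWebConfigModifications();
    }

    public override void FeatureInstalled(SPFeatureReceiverProperties properties) { }
    public override void FeatureUninstalling(SPFeatureReceiverProperties properties) { }

    private static SPWebConfigModification Modification(string path, string name, string value)
    {
        SPWebConfigModification mod = new SPWebConfigModification(name, path);
        mod.Owner = Owner;
        mod.Sequence = 0;
        mod.Type = SPWebConfigModification.SPWebConfigModificationType.EnsureChildNode;
        mod.Value = value;
        return mod;
    }
}
```

Scope the feature to the extended (extranet) zone’s web application only, so the default Integrated/NTLM zone used by the crawler is left alone, as the earlier bullet recommends.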
Just think of the applications, though: you can keep your WSS v3 / MOSS 2007 farm operational and federate with the partner organizations that you’ve been looking to let into your system, while building a transition path to move to SharePoint 2010 using claims wholeheartedly.
Last thoughts… how cool is it that you can actually have a better client integration environment with these extensions, which wasn’t available with the AD FS v1 authentication provider on Windows Server 2003 R2.