Architecture Identity Management

Federation Extensions for SharePoint 3.0

If you’re running Windows SharePoint Services 3.0 or SharePoint Server 2007 and not quite ready to migrate to SharePoint 2010 to leverage the Claims Authentication Provider, take heart, there’s still hope.

Back in May 2010, Microsoft released several documents and extensions to assist with configuring the SharePoint v3 (or v12 depending on how you look at it) platform to federate with AD FS 2.0 – allowing for claims authentication federation.


So how do you do this, you ask? Microsoft used to have a document out on Connect for this, but it has now gone RTW (release to web). The document is available here:

A couple of things to make note of…

  • Don’t install AD FS 2.0 on the same server as SharePoint. This should be a no-brainer, similar to “do not use a basic install” of SharePoint on any server.
  • To keep search and other capabilities operational, leave the default zone as Integrated/NTLM Auth. This allows your crawler to still operate in its regular fashion.
  • The federation capability really should only be leveraged for extranet / internet situations and not for all user zones. Sure, it’s great that claims auth with WSS v3 is there and supported, but let’s not get too zealous just yet 🙂
  • Get comfy with editing your web.config if you aren’t already, so that you’re able to use the claims-based role and membership providers – if you’ve set this up for SharePoint 2010, then it should seem like old hat to you. Better yet, work with your developers to craft a solution package that updates the web.config for you so that you’re not violating the laws of thermodynam… I mean, good source control practices.
  • Note that if you’re building this into a multi-server farm, the extension bits have to be installed on every server – yes, that’s right, it’s not a solution package and won’t copy itself across all the servers for you. That’s not to say that the web.config couldn’t be updated via a solution package, though, per the previous bullet.

Just think of the applications, though: you can keep your WSS v3 / MOSS 2007 farm operational and federate with the partner organizations you’ve been looking to let into your system, while building a transition path to move to SharePoint 2010 using Claims wholeheartedly.

Last thoughts… how cool is it that you can actually have a better client integration environment with these extensions than was available with the ADFS v1 authentication provider in Windows Server 2003 R2?

Identity Management

I’ll take a Claim to that…the SQL…

So you’re thinking that you might be interested in going down the path of Claims Authentication with SharePoint 2010 – I mean, it’s hip and new and a fun thing to do right?

In reality there are a lot of great things about claims, and it opens doors for federating with other applications across the web that could not otherwise be done.

If you’re interested in Claims, I definitely recommend Microsoft’s book, “A Guide to Claims-Based Identity and Access Control”.

But let’s say you’re already going down the path of Claims, but you’re done with Active Directory and looking to just use SQL Server? Not a problem, Microsoft has a handy document to help walk you through the configuration and setup, titled “Claims Walkthrough: Creating Forms-Based Authentication for Claims-Based Web Applications Using ASP.NET SQL Membership and Role Providers”.

Definitely a handy guide for digging deep into how to configure SQL for CBA and developing your solution to meet your needs.
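As an added example (not code from either post or from Microsoft’s walkthrough), here is the “let a solution package update web.config for you” idea from the first post’s bullets applied to the SQL membership and role providers this walkthrough covers: a feature receiver that registers them through SharePoint’s SPWebConfigModification API, so the change is recorded in the farm and pushed to every front end rather than hand-edited per server. It assumes a SharePoint 2010 claims web application whose web.config already has membership and roleManager provider sections; the provider names, connection string name and the SQL01 server name are made up.

```csharp
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Hypothetical web-application-scoped feature receiver. It registers an ASP.NET
// SqlMembershipProvider and SqlRoleProvider via SPWebConfigModification so the
// change is tracked by the farm and applied on every web front end.
public class FbaProvidersFeatureReceiver : SPFeatureReceiver
{
    private const string Owner = "FbaProvidersFeature";   // tag used to find and remove our entries
    private const string ConnName = "FbaDb";              // assumed connectionStrings entry name
    private const string SystemWeb = "System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a";

    public override void FeatureActivated(SPFeatureReceiverProperties properties)
    {
        SPWebApplication webApp = (SPWebApplication)properties.Feature.Parent;
        // Integrated security: no SQL password lands in web.config. SQL01 is a constructed server name.
        webApp.WebConfigModifications.Add(Mod("configuration/connectionStrings", "add[@name='" + ConnName + "']",
            "<add name='" + ConnName + "' connectionString='Data Source=SQL01;Initial Catalog=FbaDb;Integrated Security=SSPI' />"));
        webApp.WebConfigModifications.Add(Mod("configuration/system.web/membership/providers", "add[@name='SqlMembers']",
            "<add name='SqlMembers' type='System.Web.Security.SqlMembershipProvider, " + SystemWeb + "' connectionStringName='" + ConnName + "' applicationName='/' />"));
        webApp.WebConfigModifications.Add(Mod("configuration/system.web/roleManager/providers", "add[@name='SqlRoles']",
            "<add name='SqlRoles' type='System.Web.Security.SqlRoleProvider, " + SystemWeb + "' connectionStringName='" + ConnName + "' applicationName='/' />"));
        webApp.Update();
        webApp.WebService.ApplyWebConfigModifications();   // propagates to all web front ends in the farm
    }

    public override void FeatureDeactivating(SPFeatureReceiverProperties properties)
    {
        SPWebApplication webApp = (SPWebApplication)properties.Feature.Parent;
        // Remove only the entries this feature owns; modifications from other owners stay.
        for (int i = webApp.WebConfigModifications.Count - 1; i >= 0; i--)
        {
            if (webApp.WebConfigModifications[i].Owner == Owner)
                webApp.WebConfigModifications.RemoveAt(i);
        }
        webApp.Update();
        webApp.WebService.ApplyWebConfigModifications();
    }

    // EnsureChildNode adds the node under Path only when the XPath in Name has no match, so re-activation is safe.
    private static SPWebConfigModification Mod(string path, string name, string value)
    {
        SPWebConfigModification m = new SPWebConfigModification(name, path);
        m.Owner = Owner;
        m.Sequence = 0;
        m.Type = SPWebConfigModification.SPWebConfigModificationType.EnsureChildNode;
        m.Value = value;
        return m;
    }
}
```

SharePoint’s own claims providers stay as the defaultProvider; the SQL providers are only added alongside them and then referenced from the web application’s authentication provider settings, as the walkthrough describes.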