Connecting SharePoint 2013/2016 and ADFS Server (Part 4)

by Robi 19. May 2017 15:22
In the previous articles about connecting SharePoint 2013/2016 and ADFS Server we mostly discussed the procedure for configuring the servers so that authentication against them succeeds. In this article I would like to highlight two problems that can arise when turning on trusted identity provider authentication:

- People picker
- Search

People picker

In this case the people picker is problematic because SharePoint cannot verify people with the help of ADFS and, further on, Active Directory. SharePoint uses claims rules to try to figure out what kind of object is trying to access it. In the screenshot you can clearly see that the people picker "successfully" recognizes an object, whatever we enter into the people field. In the people picker we can see that SharePoint recognized three different entries: UPN, Role and Email. The number of entries we see here depends on the configuration of the TrustedTokenIssuer:

    $ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS30" `
        -Description "ADFS 3.0 Federated Server" `
        -Realm $defaultRealm `
        -ImportTrustCertificate $signingCert `
        -ClaimsMappings $roleClaim, $EmailClaim, $upnClaimMap `
        -SignInUrl $signinurl `
        -IdentifierClaim $upnClaimMap.InputClaimType

In the claims mappings we can see that SharePoint gets data about the role claim, the UPN claim and the email claim. If we select one of the entries in the picker, SharePoint treats it as a completely legitimate entry, even though such an entry/object does not exist.

Solution

Luckily, solving this problem is simple: we install an extra solution on the server. Codeplex's website contains a lot of community solutions, including "LDAP/AD Claims Provider for SharePoint" (https://ldapcp.codeplex.com/). Installing this add-on on our server enables our TrustedIdentityTokenIssuer to recognize users from our Active Directory, even though authentication is still performed through ADFS.

After installing the WSP package on the SharePoint Server, it is important to register the claims provider with our TrustedIdentityTokenIssuer. Of course, we do it in PowerShell:

    $tp = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS30"
    $tp.ClaimProviderName = "LDAPCP"
    $tp.Update()

After configuring the TrustedTokenIssuer, the entries in the people picker change. In this case we see that when we enter "Robi", only entries that are successfully resolved in Active Directory are displayed. This add-in therefore solves the problem of displaying entries that are not part of Active Directory.

Search

In any SharePoint configuration that does not use Windows authentication in the default zone, or that uses multiple authentication methods, indexing can be problematic: search does not know how to authenticate properly to our SharePoint web page. In this case we need to use an extra web application setting, namely "Extend". When we extend a web application, it is very important that the default zone always keeps Windows authentication, while the other zones can use other methods. This is because of the way search works: if we don't do this and index content that is not on the default AAM, problems can arise when using search.

In our case I created a new instance of the web application, switched Windows authentication off and configured only "Trusted Identity Provider". When extending, a new website is created in IIS, which points to the same content database. After that we still need to change the default zone, which currently allows two methods of authentication: we turn off "Trusted Identity Provider" and leave only "Windows Authentication" turned on.

But let's not forget the ADFS Server configuration. The "Relying Party Trust" configuration contains the URL that the ADFS Server redirects us to after a successful authentication.

If the configuration was successful, we now have a fully functional SharePoint site that uses SAML authentication. From here on out you have a lot of options; you can use two-factor authentication or MFA. This concludes the series of articles about connecting SharePoint and ADFS Server. There are of course certain scenarios we haven't covered, but you can always contact me here: robi@kompas-xnet.si

Robi Vončina
SharePoint Server MVP
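The zone layout described above (a default zone that keeps Windows authentication for the crawler and an extended zone that offers only the ADFS trusted identity provider), as an added PowerShell example that is not part of the original post. The web application URL, the extended URL, the zone name and the realm are hypothetical values; the token issuer name ADFS30 is the one used in this series. The script also prints the providers of every zone afterwards, which is the check to run before letting search crawl the site.

```powershell
# Added example (not from the original post): extend a web application into a
# second zone that uses only the ADFS30 trusted identity provider, keep the
# default zone on Windows authentication for the crawler, and then list the
# authentication providers of every zone to check the result.
# Assumptions (hypothetical values): default-zone URL https://adfslogin.kompas-xnet.si,
# Extranet zone, extended URL https://adfs.kompas-xnet.si, realm urn:sharepoint:adfslogin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "https://adfslogin.kompas-xnet.si"   # existing (default zone) URL
$extendedUrl = "https://adfs.kompas-xnet.si"        # hypothetical URL for the new zone
$zone        = "Extranet"
$issuerName  = "ADFS30"
$realm       = "urn:sharepoint:adfslogin"

$webApp = Get-SPWebApplication -Identity $webAppUrl
$tp     = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName

# Authentication providers: Windows (NTLM) for the crawler, ADFS for users
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$adfs    = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $tp

# 1. Extend the web application: new IIS site, same content databases, ADFS only
$extUri   = New-Object System.Uri($extendedUrl)
$zoneEnum = [Microsoft.SharePoint.Administration.SPUrlZone]$zone
if (-not $webApp.IisSettings.ContainsKey($zoneEnum)) {
    New-SPWebApplicationExtension -Identity $webApp -Name "$($webApp.DisplayName) - $zone" `
        -Zone $zone -URL $extendedUrl -HostHeader $extUri.Host -Port 443 -SecureSocketsLayer `
        -AuthenticationProvider $adfs | Out-Null
}

# 2. Leave only Windows authentication on the default zone
Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $windows

# 3. Tell the token issuer which realm the new URL presents to ADFS; the same
#    value has to be an identifier of the relying party trust on the ADFS side
if (-not $tp.ProviderRealms.ContainsKey($extUri)) {
    $tp.ProviderRealms.Add($extUri, $realm)
    $tp.Update()
}

# 4. Check: one line per zone with its URL and authentication providers
$webApp = Get-SPWebApplication -Identity $webAppUrl
foreach ($z in $webApp.IisSettings.Keys) {
    $providers = Get-SPAuthenticationProvider -WebApplication $webApp -Zone $z |
        ForEach-Object { $_.DisplayName }
    "{0,-10} {1,-45} {2}" -f $z, $webApp.GetResponseUri($z).AbsoluteUri, ($providers -join ", ")
}
```

The final listing should show the Default zone with "Windows Authentication" only and the extended zone with the ADFS30 provider only; if the Default zone still lists both, the crawler will be prompted for a sign-in choice and indexing fails. The SSL certificate binding of the new IIS site still has to be done in IIS.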

Tags: SharePoint

Connecting SharePoint 2013/2016 and ADFS Server (Part 3)

by Robi 19. May 2017 15:22
Previously, I described what needs to be done on the ADFS Server to successfully authenticate SharePoint Server. In this article, I will describe the process of configuring SharePoint Server.

Establishing trust

To establish a trust between our ADFS Server and SharePoint Server, we must import the certificate that ADFS uses to sign authentication tokens into our SharePoint Server. If we use certificates from a public certificate authority, we usually don't need to import the root certificate. If it is a self-signed certificate, however, we also need to import the root certificate. The following script imports the certificates:

    $adfsLogon = "https://sts.kompas-xnet.si/adfs/ls/"
    $signCertPath = "C:\Users\sp13_farm_admin\Desktop\Certi\ADFS-TokenSigning.cer"
    $rootCertPath = "c:\temp\rootCert.cer"
    $webAppName = "adfslogin"

    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCertPath)
    New-SPTrustedRootAuthority -Name "Token Signing Cert Parent" -Certificate $root

    $signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signCertPath)

Mapping claims

When mapping claims, we need to take into account the configuration of our ADFS Server. It is important to check which claims the ADFS Server is going to send and specify them in our configuration. The only way to do this is, of course, with PowerShell:

    # Claim type mapping
    $roleClaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

    $EmailClaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email Address" -SameAsIncoming

    $upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

Creating a new trusted token issuer

For SharePoint to know that it can use another authentication method, we need to register the ADFS login. The script we will use builds on the variables from the previous commands:

    $defaultRealm = "urn:sharepoint:$webAppName"
    $signinurl = $adfsLogon
    $ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS30" `
        -Description "ADFS 3.0 Federated Server" `
        -Realm $defaultRealm `
        -ImportTrustCertificate $signingCert `
        -ClaimsMappings $roleClaim, $EmailClaim, $upnClaimMap `
        -SignInUrl $signinurl `
        -IdentifierClaim $upnClaimMap.InputClaimType

After running the command for creating a new trusted identity token issuer, we can check the new configuration in PowerShell:

    Get-SPTrustedIdentityTokenIssuer

Get-SPTrustedIdentityTokenIssuer returns the configuration of our authentication provider. We can see which claims will be used to identify a user; in our case these are UPN, Role and Email Address. On the screenshot we can see that we haven't registered any ProviderRealms, which means that we don't have any registered web applications that could use ADFS for authentication. In this case, every web application that has ADFS authentication turned on presents itself as urn:sharepoint:adfslogin. If we would like more precise control over our web applications, we can register each one of them separately. But be sure to create and configure the appropriate rules on the ADFS Server.

Registering a web application

To register a web application, we need to run a few lines of PowerShell. We must specify the address of our web application and how the web application identifies itself to the ADFS Server:

    # Add URL and REALM to token issuer
    $tp = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS30"
    $uri = New-Object System.Uri("https://adfslogin.kompas-xnet.si")
    $tp.ProviderRealms.Add($uri, "urn:sharepoint:adfslogin")
    $tp.Update()

After running these commands, we can run one of the previous commands again:

    Get-SPTrustedIdentityTokenIssuer

This time, the result also lists the registered ProviderRealm.

Configuring the authentication provider

In Central Administration we can now turn on ADFS authentication for our web application. First, we select the web application and click "Authentication Providers" on the ribbon. In this case the web application contains only the default zone; I will tell you more about what this means and what kind of restriction it represents in a future article. We select "Default", turn on "Trusted Identity Provider" and "ADFS30", and click OK to confirm.

Testing if it works

Because authentication is now possible in two different ways, we are given the option to authenticate with Windows or with our ADFS30. If we pick ADFS30, SharePoint redirects us to the ADFS Server, where we enter our credentials and authenticate. If we take a look at the URL we were redirected to, we notice that the realm is also passed as a parameter: "wtrealm=urn%3asharepoint%3aadfslogin". We have successfully authenticated to SharePoint using our ADFS Server. Sadly, this is not everything we must configure to make everything work and be user-friendly: we still need to fix the search settings and the people picker.

Robi Vončina
SharePoint Server MVP
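A check of the trust that the scripts above create, as an added PowerShell example that is not part of the original post. It reads the token issuer back, compares the token-signing certificate's chain with the farm's trusted root authorities, warns when the signing certificate is close to expiry (a rolled or expired ADFS signing certificate silently breaks every ADFS login), and lists the claim mappings and registered realms. The issuer name ADFS30 comes from the post; the 30-day warning threshold is an assumption.

```powershell
# Added example (not from the original post): inspect the SharePoint side of the
# ADFS trust created above. Assumptions: token issuer named ADFS30 (as in the
# post), 30-day expiry warning threshold (chosen here).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "ADFS30"
$warnDays   = 30

$tp      = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$signing = $tp.SigningCertificate

"Issuer         : {0}" -f $tp.Name
"Sign-in URL    : {0}" -f $tp.ProviderUri
"Identity claim : {0}" -f $tp.IdentityClaimTypeInformation.InputClaimType
"Claim provider : {0}" -f $tp.ClaimProviderName
"Signing cert   : {0} (thumbprint {1}, expires {2:d})" -f $signing.Subject, $signing.Thumbprint, $signing.NotAfter

# Expiry: SharePoint keeps the certificate it imported; when ADFS rolls its
# token-signing certificate (AutoCertificateRollover) it has to be re-imported here.
$daysLeft = ($signing.NotAfter - (Get-Date)).Days
if ($daysLeft -lt $warnDays) {
    Write-Warning ("Token-signing certificate expires in {0} day(s); re-import it from ADFS" -f $daysLeft)
}

# Chain: every certificate in the signing certificate's chain must be registered
# as a trusted root authority in the farm, otherwise token validation fails.
$trusted = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"
$null = $chain.Build($signing)
foreach ($element in $chain.ChainElements) {
    $mark = if ($trusted -contains $element.Certificate.Thumbprint) { "[trusted]" } else { "[MISSING]" }
    "{0} {1}" -f $mark, $element.Certificate.Subject
}

# Claim mappings and realms, as the people picker and ADFS will see them
"Claim mappings:"
$tp.ClaimTypeInformation | ForEach-Object { "  {0,-14} {1}" -f $_.DisplayName, $_.InputClaimType }
"Provider realms:"
if ($tp.ProviderRealms.Count -eq 0) {
    "  (none registered: every web application presents {0})" -f $tp.DefaultProviderRealm
}
$tp.ProviderRealms.GetEnumerator() | ForEach-Object { "  {0,-45} {1}" -f $_.Key, $_.Value }
```

Run it on a farm server after the trust is created and again whenever ADFS logins start failing; a "[MISSING]" chain element or an expiry warning points straight at the certificate import, while the realm list shows what SharePoint will send as wtrealm and therefore what the relying party trust on ADFS must accept.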

Tags: SharePoint

Script for creating SharePoint 2013 Search service application

by Robi 23. September 2015 12:07
Since a lot of people are asking me what the best way to create a search service application in SharePoint 2013 is, I decided to share the script I use to create one.

The following script is used for the following search infrastructure:

    Server name   Type                Components
    WFE 1         Web front end       Admin component, Query processing component, Index component
    WFE 2         Web front end       Admin component, Query processing component, Index component
    Index server  Application server  Crawl component, Content processing component, Admin component, Analytics component

You can of course modify the script as needed.

    Add-PSSnapin Microsoft.SharePoint.PowerShell -EA 0

    ## Change these per your environment ##
    $databaseServerName = "dbserver"

    ################ search servers in farm ################
    $wfe1 = "wfe-1"
    $wfe2 = "wfe-2"
    $searchServerName = "index-1"
    ##########################################################

    ################ Search information ################
    $saAppPoolName = "Search_AppPool"
    $appPoolUserName = ""   # Enter search service app pool account
    $IndexLocation = ""     # Enter location for search index, e.g. I:\Search
    $usageDatabaseName = "SP2013_SA_Usage"    # Modify database name as needed
    $searchDatabaseName = "SP2013_SA_Search"  # Modify database name as needed
    $contactEmail = ""      # Enter search contact email
    $defaultContentAccessAccount = ""   # Enter content access account
    $defaultContentAccessAccountPassword = ConvertTo-SecureString -AsPlainText -Force ''   # Enter content access account password
    $windowsService = Get-SPManagedAccount ""   # Enter managed account for search services account
    $windowsServicePassword = ConvertTo-SecureString -AsPlainText -Force ''   # Enter password for search services account

    ## Service Application Names ##
    ## Usage and Health is included, as it gets provisioned anyway and you may want to define its DB name ##
    ## Also, a stopped Usage Proxy causes the Search Application Topology not to find the Admin Service ##
    $searchSAName = "Search_SA"       # Modify Search service application name
    $usageSAName = "UsageHealth_SA"   # Modify Usage service application name
    ##########################################################

    #region Create folders
    # Create the folder for the search index (an existing folder is removed first)
    if (!(Test-Path $IndexLocation)) {
        New-Item -Path $IndexLocation -ItemType directory
    } else {
        Remove-Item $IndexLocation -Recurse
        New-Item -Path $IndexLocation -ItemType directory
    }
    #endregion

    #region Application pool
    # Application pool object
    $saAppPool = Get-SPServiceApplicationPool -Identity $saAppPoolName -EA 0
    if ($saAppPool -eq $null) {
        Write-Host "Creating Service Application Pool..."

        $appPoolAccount = Get-SPManagedAccount -Identity $appPoolUserName -EA 0
        if ($appPoolAccount -eq $null) {
            Write-Host "Please supply the password for the Service Account..."
            $appPoolCred = Get-Credential $appPoolUserName
            $appPoolAccount = New-SPManagedAccount -Credential $appPoolCred -EA 0
        }

        $appPoolAccount = Get-SPManagedAccount -Identity $appPoolUserName -EA 0

        if ($appPoolAccount -eq $null) {
            Write-Host "Cannot create or find the managed account $appPoolUserName, please ensure the account exists."
            Exit -1
        }

        New-SPServiceApplicationPool -Name $saAppPoolName -Account $appPoolAccount -EA 0 > $null
    }
    #endregion

    #region Usage service application
    Write-Host "Creating Usage Service and Proxy..."

    $serviceInstance = Get-SPUsageService
    New-SPUsageApplication -Name $usageSAName -DatabaseServer $databaseServerName -DatabaseName $usageDatabaseName -UsageService $serviceInstance > $null

    $usa = Get-SPServiceApplicationProxy | Where-Object {$_.TypeName -like "Usage*"}
    $usa.Provision()
    #endregion

    #region Start services and create search service application
    Write-Host "Creating Search Service and Proxy..."
    Write-Host " Starting Services..."

    Write-Host "Starting service on wfe1" -ForegroundColor Yellow
    Start-SPEnterpriseSearchServiceInstance $wfe1
    Start-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance $wfe1
    Write-Host "Service on wfe1 started" -ForegroundColor Green

    Write-Host "Starting service on wfe2" -ForegroundColor Yellow
    Start-SPEnterpriseSearchServiceInstance $wfe2
    Start-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance $wfe2
    Write-Host "Service on wfe2 started" -ForegroundColor Green

    Write-Host "Starting service on index server" -ForegroundColor Yellow
    Start-SPEnterpriseSearchServiceInstance $searchServerName
    Start-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance $searchServerName
    Write-Host "Service on index started" -ForegroundColor Green

    Write-Host " Creating Search Application..."
    $searchApp = New-SPEnterpriseSearchServiceApplication -Name $searchSAName -ApplicationPool $saAppPoolName -DatabaseServer $databaseServerName -DatabaseName $searchDatabaseName
    Write-Host "Search Service Application Created"
    #endregion

    #region Get initial topology and create clone
    $searchInstancewfe1 = Get-SPEnterpriseSearchServiceInstance $wfe1
    $searchInstancewfe2 = Get-SPEnterpriseSearchServiceInstance $wfe2
    $searchInstanceIndex = Get-SPEnterpriseSearchServiceInstance $searchServerName

    $ssa = Get-SPEnterpriseSearchServiceApplication -Identity $searchSAName

    Write-Host "Getting initial topology"
    # The active search topology of the search service application
    $InitialSearchTopology = $ssa | Get-SPEnterpriseSearchTopology -Active
    Write-Host $InitialSearchTopology

    # Clone the active topology; components are added to the clone, which is then activated
    $clone = $ssa.ActiveTopology.Clone()
    #endregion

    #region Modify default topology and activate
    ############################### Index Server ###############################
    Write-Host "Starting to configure indexing server" -ForegroundColor Yellow
    Write-Host "Creating Admin Component" -ForegroundColor Yellow
    New-SPEnterpriseSearchAdminComponent -SearchTopology $clone -SearchServiceInstance $searchInstanceIndex
    Write-Host -ForegroundColor Green "Admin Component Created"

    Write-Host "Creating Content Processing Component" -ForegroundColor Yellow
    New-SPEnterpriseSearchContentProcessingComponent -SearchTopology $clone -SearchServiceInstance $searchInstanceIndex
    Write-Host -ForegroundColor Green "Content Processing Component Created"

    Write-Host "Creating Analytics Processing Component" -ForegroundColor Yellow
    New-SPEnterpriseSearchAnalyticsProcessingComponent -SearchTopology $clone -SearchServiceInstance $searchInstanceIndex
    Write-Host -ForegroundColor Green "Analytics Processing Component Created"

    Write-Host "Creating Crawl Component" -ForegroundColor Yellow
    New-SPEnterpriseSearchCrawlComponent -SearchTopology $clone -SearchServiceInstance $searchInstanceIndex
    Write-Host -ForegroundColor Green "Crawl Component Created"
    Write-Host "Index server configured" -ForegroundColor Green
    #=============================== Index Server ===============================

    ############################### WFE1 ###############################
    Write-Host "Configuring WFE1" -ForegroundColor Yellow
    New-SPEnterpriseSearchAdminComponent -SearchTopology $clone -SearchServiceInstance $searchInstancewfe1
    Write-Host -ForegroundColor Green "Admin Component Created on WFE1"
    Write-Host "Creating Index Component on WFE1" -ForegroundColor Yellow
    New-SPEnterpriseSearchIndexComponent -SearchTopology $clone -SearchServiceInstance $searchInstancewfe1 -RootDirectory $IndexLocation
    Write-Host -ForegroundColor Green "Index Component on WFE1 Created"

    Write-Host "Creating Query Processing Component on WFE1" -ForegroundColor Yellow
    New-SPEnterpriseSearchQueryProcessingComponent -SearchTopology $clone -SearchServiceInstance $searchInstancewfe1
    Write-Host -ForegroundColor Green "Query Processing Component on WFE1 Created"
    Write-Host "Search components on WFE1 configured" -ForegroundColor Green
    #============================== WFE1 ==============================

    ############################### WFE2 ###############################
    Write-Host "Configuring WFE2" -ForegroundColor Yellow
    New-SPEnterpriseSearchAdminComponent -SearchTopology $clone -SearchServiceInstance $searchInstancewfe2
    Write-Host -ForegroundColor Green "Admin Component Created on WFE2"
    Write-Host "Creating Index Component on WFE2" -ForegroundColor Yellow
    New-SPEnterpriseSearchIndexComponent -SearchTopology $clone -SearchServiceInstance $searchInstancewfe2 -RootDirectory $IndexLocation
    Write-Host -ForegroundColor Green "Index Component on WFE2 Created"

    Write-Host "Creating Query Processing Component on WFE2" -ForegroundColor Yellow
    New-SPEnterpriseSearchQueryProcessingComponent -SearchTopology $clone -SearchServiceInstance $searchInstancewfe2
    Write-Host -ForegroundColor Green "Query Processing Component on WFE2 Created"
    Write-Host "Search components on WFE2 configured" -ForegroundColor Green
    #============================== WFE2 ==============================

    $clone.Activate()
    #endregion

    #region Set active admin component
    $ssa | Get-SPEnterpriseSearchAdministrationComponent | Set-SPEnterpriseSearchAdministrationComponent -SearchServiceInstance $searchInstanceIndex
    #endregion

    #region Create search service proxy
    Write-Host " Creating Proxy..."
    $searchAppProxy = New-SPEnterpriseSearchServiceApplicationProxy -Name "$searchSAName Proxy" -SearchApplication $searchSAName
    #endregion

    #region Set default content access account
    Write-Host " Setting default content access account..."
    Set-SPEnterpriseSearchServiceApplication -Identity $searchSAName -DefaultContentAccessAccountName $defaultContentAccessAccount -DefaultContentAccessAccountPassword $defaultContentAccessAccountPassword
    #endregion

    #region Set Windows services account
    Write-Host " Setting windows service account..."
    # The search service is farm-wide, so the service itself (not the service application) is the target
    Get-SPEnterpriseSearchService | Set-SPEnterpriseSearchService -ServiceAccount $windowsService.Username -ServicePassword $windowsServicePassword -ContactEmail $contactEmail
    #endregion

    Write-Host " Search Service Application Provisioned" -ForegroundColor Green

    #region Delete default inactive topology
    Write-Host "Getting inactive topology..."
    $inactive = Get-SPEnterpriseSearchTopology -SearchApplication $ssa | Where-Object {$_.State -eq "Inactive"}

    Write-Host "Removing inactive topology..."
    foreach ($topology in $inactive) {
        Remove-SPEnterpriseSearchTopology -Identity $topology -Confirm:$false
    }
    #endregion

    Write-Host -ForegroundColor Green "################ Search completed ################"

Attachment: 08. SearchServiceApplication(2).ps1 (10.76 kb)
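A post-provisioning check for the topology the script builds, as an added PowerShell example that is not part of the original post or its attachment. It lists which component the active topology places on which server, compares that with what the components actually report at runtime, and prints the content access account so that a privileged account used for crawling does not go unnoticed. The service application name Search_SA is taken from the script; everything else is standard SharePoint 2013 cmdlets.

```powershell
# Added example (not part of the original script): after the provisioning script
# has run, report the planned topology per server, flag any component that does
# not report Active, and show the crawl account. Assumes the service application
# name used in the script above (Search_SA).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$searchSAName = "Search_SA"
$ssa = Get-SPEnterpriseSearchServiceApplication -Identity $searchSAName

# Planned topology: which component lives on which server
$active = Get-SPEnterpriseSearchTopology -SearchApplication $ssa -Active
"Active topology {0} (state {1})" -f $active.TopologyId, $active.State
Get-SPEnterpriseSearchComponent -SearchTopology $active |
    Sort-Object ServerName, Name |
    ForEach-Object { "  {0,-12} {1}" -f $_.ServerName, $_.Name }

# Runtime status: what the components actually report (Active, Degraded, Failed, ...)
$status    = @(Get-SPEnterpriseSearchStatus -SearchApplication $ssa)
$notActive = @($status | Where-Object { $_.State -ne "Active" })
if ($notActive.Count -gt 0) {
    Write-Warning ("{0} of {1} search components are not Active:" -f $notActive.Count, $status.Count)
    $notActive | ForEach-Object { "  {0,-40} {1}" -f $_.Name, $_.State }
} else {
    "All {0} search components report Active." -f $status.Count
}

# Stale topologies left behind by the clone/activate step should be gone
$inactive = @(Get-SPEnterpriseSearchTopology -SearchApplication $ssa | Where-Object { $_.State -eq "Inactive" })
"Inactive topologies remaining: {0}" -f $inactive.Count

# Crawl account: should be a dedicated account with read access only, never a farm admin
"Default content access account: {0}" -f $ssa.DefaultGatheringAccount
```

Components usually take a few minutes after `$clone.Activate()` to move from Unknown to Active, so rerun the check until the counts settle; anything still Degraded or Failed afterwards is normally a service instance that was not started on that server or an index folder the search service account cannot write to.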

Tags: PowerShell | SharePoint | SharePoint 2013

Export – import alerts

by Robi 9. November 2013 18:23
In my previous blog post I explained how you can troubleshoot alerts. In this one I'm just going to post the scripts I used for exporting and importing all alerts in a site collection.

Here is the script for exporting all alerts in a site collection to a CSV file:

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    $site = Get-SPSite "http://2013portal"
    $alertResultsCollection = @()
    foreach ($web in $site.AllWebs) {
        foreach ($alert in $web.Alerts) {
            $alertURL = $web.Url + "/" + $alert.ListUrl
            $alertResult = New-Object PSObject
            $alertResult | Add-Member -Type NoteProperty -Name "WebUrl" -Value $web.Url
            $alertResult | Add-Member -Type NoteProperty -Name "ListURL" -Value $alertURL
            $alertResult | Add-Member -Type NoteProperty -Name "AlertTitle" -Value $alert.Title
            $alertResult | Add-Member -Type NoteProperty -Name "ListUrl" -Value $alert.ListUrl
            $alertResult | Add-Member -Type NoteProperty -Name "List" -Value $alert.List
            $alertResult | Add-Member -Type NoteProperty -Name "DeliveryChannel" -Value $alert.DeliveryChannels
            $alertResult | Add-Member -Type NoteProperty -Name "AlertType" -Value $alert.AlertType
            $alertResult | Add-Member -Type NoteProperty -Name "EventType" -Value $alert.EventType
            $alertResult | Add-Member -Type NoteProperty -Name "Frequency" -Value $alert.AlertFrequency
            $alertResult | Add-Member -Type NoteProperty -Name "AlertTime" -Value $alert.AlertTime
            $alertResult | Add-Member -Type NoteProperty -Name "SubscribedUser" -Value $alert.User
            $alertResultsCollection += $alertResult
        }
        $web.Dispose()
    }
    $site.Dispose()
    $alertResultsCollection

    # Export to CSV
    $alertResultsCollection | Export-Csv C:\Users\sp2013_farm_admin\Desktop\Alerts.csv -NoTypeInformation

And here is the script you can use to import all alerts into one site collection from the CSV file:

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    Import-Csv C:\Users\sp2013_farm_admin\Desktop\Alerts.csv | ForEach-Object {
        $webUrl = $_.WebUrl
        $listTitle = $_.List
        $alertTitle = $_.AlertTitle
        $subscribedUser = $_.SubscribedUser
        $alertType = $_.AlertType
        $deliveryChannel = $_.DeliveryChannel
        $eventType = $_.EventType
        $frequency = $_.Frequency

        $web = Get-SPWeb $webUrl
        $list = $web.Lists.TryGetList($listTitle)
        if ($list -eq $null) {
            # The list no longer exists in the target web; skip this alert instead of failing
            Write-Warning "List '$listTitle' not found in $webUrl, skipping alert '$alertTitle'"
            $web.Dispose()
            return
        }
        $user = $web.EnsureUser($subscribedUser)
        $newAlert = $user.Alerts.Add()
        $newAlert.Title = $alertTitle
        $newAlert.AlertType = [Microsoft.SharePoint.SPAlertType]::$alertType
        $newAlert.List = $list
        $newAlert.DeliveryChannels = [Microsoft.SharePoint.SPAlertDeliveryChannels]::$deliveryChannel
        $newAlert.EventType = [Microsoft.SharePoint.SPEventType]::$eventType
        $newAlert.AlertFrequency = [Microsoft.SharePoint.SPAlertFrequency]::$frequency
        if ($frequency -ne "Immediate") {
            # Daily and weekly alerts also carry the time at which they are sent
            $AlertTime = $_.AlertTime
            $newAlert.AlertTime = $AlertTime
        }
        $newAlert.Update()
        $web.Dispose()
    }

Hope it helps.

Robi Vončina

Tags: SharePoint | SharePoint 2010 | SharePoint 2013

Upgrade Video

by Robi 27. August 2013 10:34
For the Ukrainian SharePoint Conference I recorded this video to present at my session. I decided to make it public now, so please sit back, relax and enjoy it.

Upgrading to SharePoint 2013 Video

Tags: SharePoint | PowerShell | SharePoint 2013 | SharePoint 2010
