ARB Security Solutions - SharePoint Security Integrators

SharePoint And ADFS: SecurityTokenException – The issuer of the token is not a trusted issuer

adam — Mon, 05 Mar 2012 17:54:19 +0000

This is a pretty common ADFS error, and there are all sorts of reasons that it could happen.

The stack trace will be this:

CODE:

Microsoft.SharePoint.IdentityModel.SPTrustedIssuerNameRegistry.GetIssuerName(SecurityToken securityToken)
at Microsoft.SharePoint.IdentityModel.SPPassiveIssuerNameRegistry.GetIssuerName(SecurityToken securityToken)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

At the end of the day though, don't sit around and fiddle with the SharePoint trusted authorities and yada yada yada, it boils down to a certificate problem. Basically the one that was specified as the signing certificate, when exported during the ADFS setup, is either malformed (the certificate chain is incomplete) or plainwrong wrong when the trusted issuer was being built up in SharePoint ala powershell. So to get around the error follow two pretty basic steps.

Verify the appropriate certificate chain is present on the SharePoint server in both the trusted root authorities as well as in the SharePoint folder within the Certificate MMC snap-in. Never ever, ever delete the self issued ones that SharePoint provisioned within that folder. You will cause a Micheal Bay-spolosion. To verify the chain, just popup open the certificate details within some interface (like, the MMC :) ) doesn't really matter what and verify that the chain is trusted and existent.
Next, verify that you actually used the right certificate when specifying the certificate path when building the System.Security.Cryptography.X509Certificates.X509Certificate2 object to pass into your SPTrustedIdentityTokenIssuer. This is pretty easy to mess up when troubleshooting if you are swapping certs all over the place.

Both of these are in place, then that error will go away. Not that another won't popup :)

ADFS Not Resolving Active Directory Security Groups In SharePoint

adam — Mon, 05 Mar 2012 16:20:35 +0000

I ran into this issue really recently working at a client with a new, pretty basic ADFS environment that was acting as the identity provider, through an ADFS proxy server relay. I couldn't wrap my head around why it wasn't working, the groups themselves were resolving correctly, and even showing up in the identity data sources in the people picker. However, members of the AD securitygroup, (NOT the SharePoint group) were still being denied access to the SharePoint site.

To fix this issue follow these steps:

Open the federation server box.
Open the ADFS management console.
Edit the claim rules for the relaying party trust
Select the tab Issuance Transform Rules
Edit the Send LDAP Attributes as Claims

This should have:
Claim Rule Name : Pass-through LDAP Claims
Attribute Store : Active Directory
Set: Token Groups unqualified names (Don't Use: Token Groups - Qualified by domain name) | Outgoing ClaimType: Role
Set: User-Principal-Name | Outgoing Claim Type : UPN

Open the SharePoint management shell, run the following PowerShell script to create the issuer. If you have an issuer already made, remove it or execute the coordinating update commands. Make sure you replace the $certPath, $realm, and any of the string literals within $ap.

PLAIN TEXT

CODE:

$certPath = “your certification path”
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$certPath")
$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -IncomingClaimTypeDisplayName "Login" –SameAsIncoming
$map3 = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" –SameAsIncoming
$map4 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "Account ID" –SameAsIncoming
$realm = "urn:" + $env:ComputerName + ":adfs"
$signinurl = "https://yoursigninurl"
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description “ADFS 2.0” -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1, $map2, $map3, $map4 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

If you are curious about the way to update, rather than create a new issuer, you can use the following. In the above, you may or may not need all those assertion mappings depending on how your trusted relay issuance rule setup:

PLAIN TEXT

CODE:

$issuer = Get-SPTrustedIdentityTokenIssuer
$issuer.ClaimTypes.Add("http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
$map=New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" –SameAsIncoming
$issuer.AddClaimTypeInformation($map)
$issuer.Update()

Now you HAVE to apply KB hotfix 2536591 located here: http://support.microsoft.com/kb/2536591/en-us

Boom! Groups will work.

How To Wire A SharePoint List To A Telerik RadScheduler

adam — Thu, 23 Feb 2012 21:07:33 +0000

Wiring a List of SPListItems to a Telerik RadScheduler is pretty easy. The important thing to remember when working with a RadScheduler is that it expects a list of Appointment objects, how you hydrate an Appointment object is pretty much up to you. Were it gets kinda weird is when you have the collection, the RadScheduler.Provider expects a SchedulerProviderBase super class. Either way it’s not too bad.

So let’s assume I am building the RadScheduler object in something like CreateChildControls like so:

PLAIN TEXT

C#:

RadScheduler theScheduler = new RadScheduler();
theScheduler.TimelineView.UserSelectable = true;
theScheduler.OverflowBehavior = OverflowBehavior.Expand;
theScheduler.SelectedView = SchedulerViewType.MonthView;

In the above I am missing the RadScheduler.Provider property, so gotta populate that. In this example, I am converting the SPList to a dataset, but you could iterate the items and return the values accordingly taking into account type casting. So I end up in a dataset format with something like this:

PLAIN TEXT

C#:

tempCollection.AddRange(from DataRow row in masterTable.Rows
select new Appointment
{
Start = DateTime.Parse(row[startFieldName].ToString()), End = DateTime.Parse(row[endFieldName].ToString()), ID = Guid.NewGuid(), Subject = StripTagsRegex(row[subjectFieldName].ToString()), RecurrenceState = state
});
public static string StripTagsRegex(string source)
{
return Regex.Replace(source, "", string.Empty);
}

You could easily just do the SPListItems:

PLAIN TEXT

C#:

tempCollection.AddRange(from SPListItem row in list.Items
select new Appointment
{
Start = DateTime.Parse(row[startFieldName].ToString()), End = DateTime.Parse(row[endFieldName].ToString()), ID = Guid.NewGuid(), Subject = StripTagsRegex(row[subjectFieldName].ToString()), RecurrenceState = state
});

Once you have the collection of Appointments, you have to make the SchedulerProviderBase superclass. This looks like this:

PLAIN TEXT

C#:

public class ListSchedulerProvider : SchedulerProviderBase
{
private readonly List _listItemCollection;
public ListSchedulerProvider(List collection)
{
_listItemCollection = new List();
_listItemCollection = collection;
}
public override IEnumerable GetAppointments(RadScheduler owner)
{
return _listItemCollection;
}
public override IDictionary> GetResources(ISchedulerInfo schedulerInfo)
{
return new Dictionary>();
}
}

Then coordinate this class with scheduler Provider property:

PLAIN TEXT

C#:

RadScheduler.Provider = new ListSchedulerProvider(“Your Typed Appointment Collection”);

ADFS Timeouts – Keep Above 10 Minutes When Testing

adam — Thu, 23 Feb 2012 16:49:14 +0000

I ran into this issue very recently when helping with an ADFS environment setup that was using a federation proxy to an internal federation service farm. The timeout desire was to be 15 minutes, after a user would have to re-authenticate to the ADFS box. To expedite the testing, we were attempting to set short intervals of timeouts, 1-2 minutes…up to 5, however nothing was timing out fumbling the proof of concept. Over around 8 minutes was timing out though. Furthermore, there was never a concrete timeout; there was always some level of skew.

This behavior seemed erratic. The problem is ADFS has a Cache Scavenge interval, which is the process for purging out-of-date cache records from the client cache. If your timeouts are configured in a pretty orthodox way, for example a ten minute timeout:

On the SharePoint box:

PLAIN TEXT

CODE:

$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan –minutes 1)
$sts.Update()
Iisreset

And on the ADFS box:

PLAIN TEXT

CODE:

Set-ADFSRelyingPartyTrust -TargetName “Relying Party Common Name” -TokenLifeTime 10

But you have your TokenLifeTime set to a ridiculously low value (it always has to be above the LoginTokenCacheExpirationWindow btw) such as two, resulting in a difference of a one minute timeout; the Cache Scavenge will never fire. Thus the issued ticket will be considered valid.

Take away is always just test with something like 10 minutes and deal with the wait time for verification.

Adding A ProgressBar Column To A RadGrid In A SharePoint WebPart

adam — Thu, 16 Feb 2012 17:54:05 +0000

I really thought there would be a tutorial on this on the Telerik website but I couldn’t find anything relevant. In this post, I am going to show you how to add a progress bar column to a RadGrid or RadGridView. So, my goal is to have something like this:

I am just setting the value in a master/detail view in a straight forward TextBox. I am not using AJAX or anything so some of the wiring to maintain values is simply to deal with PostBacks. Just looks like this:

Firstly, I am going to use the one from CodeProject, which is used in a lot of apps, for example the SnapStream project. You can view the SVN version here:

http://source.snapstream.com/repos/WebAdministration/controls/ProgressBar.cs

Blah Blah blah here is the code.

The ITemplate to wire up to the custom column:

PLAIN TEXT

C#:

public void InstantiateIn(Control container)
{
UpdatePanel panel = new UpdatePanel();
ProgressBar bar = new ProgressBar();
bar.ID = "bar";
bar.ForeColor = Color.Black;
bar.Width = Unit.Pixel(150);
bar.FillImageUrl = string.Format("{0}/Supporting%20Images/bg.gif", SharePointHelpers.SiteUrl);
bar.BarImageUrl = string.Format("{0}/Supporting%20Images/indicator.gif", SharePointHelpers.SiteUrl);
bar.Visible = true;
bar.Enabled = true;
panel.ContentTemplateContainer.Controls.Add(bar);
container.Controls.Add(panel);
}
}

The template column to add to the grid:

PLAIN TEXT

C#:

var x = new GridTemplateColumn();
x.AllowFiltering = false;
x.HeaderText = "Percentage Complete";
x.ItemTemplate = new ProgressBarTemplate();
grid.MasterTableView.Columns.Add(x);

Wire up the data bound event:

PLAIN TEXT

C#:

public static void grid_ItemDataBound(object sender, GridItemEventArgs e)
{
var nestedItem = e.Item as GridNestedViewItem;
if (nestedItem != null)
{
Panel panel = (Panel) nestedItem.FindControl("InnerContainer");
TextBox tbPercentage = (TextBox) panel.FindControlRecursive("tbPercentage");
tbPercentage.Text = DataBinder.Eval(e.Item.DataItem, "Percentage") != null
? DataBinder.Eval(e.Item.DataItem, "Percentage").ToString() : "[None]";
TextBox tb = (TextBox) nestedItem.FindControlRecursive("tbPercentage");
GridDataItem parentItem = nestedItem.ParentItem;
ProgressBar bar = (ProgressBar) parentItem.FindControlRecursive("bar");
string x = tb.Text;
bar.Percentage = Convert.ToInt32(x);
}
}

Wire up this prerender event to the grid:

PLAIN TEXT

C#:

public void grid_PreRender(object sender, EventArgs e)
{
foreach (GridDataItem y in _grid.Items)
{
if (y.ChildItem != null)
{
GridNestedViewItem nestedItem = y.ChildItem;
TextBox tb = (TextBox) nestedItem.FindControlRecursive("tbPercentage");
ProgressBar bar = (ProgressBar) y.FindControlRecursive("bar");
string x = tb.Text;
bar.Percentage = Convert.ToInt32(x);
}
}
}

Wire up the item created event:

PLAIN TEXT

C#:

public static void grid_ItemCreated(object sender, GridItemEventArgs e)
{
var item = e.Item as GridDataItem;
if (item != null)
{
if (item.ChildItem != null)
{
GridNestedViewItem nestedItem = item.ChildItem;
TextBox tb = (TextBox) nestedItem.FindControlRecursive("tbPercentage");
ProgressBar bar = (ProgressBar) item.FindControlRecursive("bar");
string x = tb.Text;
bar.Percentage = Convert.ToInt32(x);
}
}
}

Like I said depending on the technology you are using you might not need like half of those events.