SharePoint Security And Authentication Part 2 – User Management

Managing user identity information properly is important for any organization deploying SharePoint. SharePoint Server 2010 processes user credentials and identifiers in a few well-defined ways, and understanding them also helps you decide which authentication method best fits your purposes. User identity information is handled in several ways, by category:

  • Binary IDs SharePoint Server 2010 creates a unique binary ID for each user from the provider name and the user name.
  • Cache The identity of an authenticated user is stored for a period of time so that the user does not have to be authenticated again on every request. An encrypted cookie carries the user's authentication ticket for the duration of the session; it holds the ticket, not the user's password.
  • Role membership A user can belong to several roles or groups. That information is used during authorization to determine which actions the user is allowed to perform. SharePoint Server 2010 treats ASP.NET roles and Active Directory groups the same way.

SharePoint Server 2010 provides most of the tooling and API hooks needed to handle and manage user accounts. The way you choose to manage accounts can influence your choice of authentication method. Although a user authenticates through a particular zone, the account can still be managed from any zone, provided the right permissions have been granted. All of these elements of user account management apply to SharePoint Server 2010 regardless of the authentication method you select.

You can add new users from any zone for any authentication method you have configured, but the membership provider and role manager must first be registered in the web application's web.config file. SharePoint Server 2010 resolves the user name against these sources, in order:

  • UserInfoList table If the user has already been added to another site in the site collection, the user is found here.
  • Authentication provider for the current zone The membership provider configured for the zone the request came in on is where SharePoint Server 2010 checks first.
  • All other authentication providers If SharePoint Server 2010 does not find the user through the current zone's membership provider, it checks the membership providers configured for all of the other zones.

When an account is marked as deleted in the SharePoint Server 2010 database it is treated as deleted, but its record is not removed. The diagram below illustrates the resolution flow:

SharePoint Security Membership Provider

Several user account tasks behave differently in SharePoint Server 2010 depending on the type of authentication the provider has in place, so it is important to understand how each task changes with the authentication method. They include:

  • Adding new users The user identity is validated against the zone's authentication provider (AD DS for Windows authentication, the registered membership provider otherwise). SharePoint Server 2010 calls the membership provider and the role manager to verify that both the user and the roles exist.
  • Changing logon names Such updates should be recognized immediately by SharePoint Server 2010. However, for this to happen you must delete the old account name and then add the new one.
  • Logging on A user does not have to log on to SharePoint sites manually when Kerberos or NTLM is used and the browser is configured for automatic logon. When an explicit logon is required, the user enters a user name and password, which is the standard form for SharePoint Server 2010. Once the logon information is validated, an authentication cookie is issued.

Next we will be talking about claims-based authentication. For a refresher, there are about 20 claims articles already written for your review on the site.


TFS Proxy Server Unexpected Shutdowns

TFS proxy servers are essential for my current client's TFS environment because they let the geographically dispersed SharePoint development teams get better network performance by caching copies of version-control files. Since this particular environment is geo-distributed, a proxy is a necessary architectural requirement in order to maintain appropriate developer efficiency.

Recently, a strange issue occurred in my client's geo-distributed environment where the proxy servers would repeatedly shut down. The exact error you may run into is:

"The VSTF Proxy Server stopped at [server]. The application is being shutdown for the following reason: HostingEnvironment. For more information …"

This can happen for a variety of reasons, so the first thing to do is enable proxy server tracing to get more relevant error information: open the web.config in the VersionControlProxy folder, set traceDirectoryName to a storage location you will find again, and change traceWriter to true. For this particular error, one of the traced errors can be:

Detailed Message: TF53002: Unable to obtain registration data for application VersionControl.
TF30055: Visual Studio could not find or read the Team Foundation Server server name in the configuration file. Contact your Team Foundation Server administrator. (type VstfNotConfiguredException)

If you get this error, the TfsNameUrl appSetting is not configured in the proxy server's web.config file. Locate the element:
[xml]

<!-- inside <appSettings>; the value shown is a placeholder for your TFS application-tier URL -->
<add key="TfsNameUrl" value="http://YOUR-TFS-APP-TIER:8080/tfs" />

[/xml]

and set its value to the URL of your Team Foundation Server application tier. Afterwards, check the IIS application pool settings for the proxy: a shutdown reason of HostingEnvironment is ASP.NET reporting that the hosting environment tore down the application domain, which is commonly the result of an application pool recycle, so make sure the recycle interval and the memory limit are not set so aggressively that the proxy is recycled while developers are using it. After that, you should be good to go!


Return IIS Settings For A SP Zone

There was a question in the SharePoint development newsgroups about how to retrieve specific IIS settings for an arbitrary SharePoint zone. Within the SharePoint object model this is feasible using the GetIisSettingsWithFallback method of SPWebApplication. This method is helpful when, for example, you want to retrieve a file that exists at the root of your SharePoint web application. Let's write a small example method that lets us get at the web.config file for an arbitrary zone, which we will specify using the SPUrlZone enumeration. SPUrlZone contains the member values for all of the zones that exist in a SharePoint instance: Default, Intranet, Internet, Custom and Extranet. In this case, let's start with something simple, namely the Default member. Begin by declaring a local string variable, initially empty, and pass an SPWebApplication object in as the method parameter so that we can call the required methods on it.

[csharp]

private void UsingGetIisSettingsWithFallback(SPWebApplication myWebApplication)
{
    // Will hold the full path to the zone's web.config.
    string webConfigPath = string.Empty;
}

[/csharp]

Now that we have a string variable to hold the value, we can call GetIisSettingsWithFallback with the Default zone, take the physical path from the returned IIS settings, and build the full path to the file.
[csharp]

private void UsingGetIisSettingsWithFallback(SPWebApplication myWebApplication)
{
    string webConfigPath = string.Empty;
    // GetIisSettingsWithFallback returns the Default zone's settings if the requested zone does not exist.
    webConfigPath = myWebApplication.GetIisSettingsWithFallback(SPUrlZone.Default).GetPath().FullName + @"\web.config";
}

[/csharp]

And that's it! To take it a step further, declare an XmlDocument and load the file into it with XmlDocument.Load. Since the point was to target an arbitrary zone, the final version takes the SPUrlZone as a parameter instead of hard-coding Default and returns the loaded document. This is read-only: if you want to change a SharePoint web.config, do it through SPWebConfigModification (added to the web application's WebConfigModifications collection and applied with ApplyWebConfigModifications) rather than editing the file on disk, so the change is applied consistently on every front-end server in the farm.

[csharp]

using System.IO;
using System.Xml;
using Microsoft.SharePoint.Administration;

private XmlDocument LoadWebConfigForZone(SPWebApplication myWebApplication, SPUrlZone zone)
{
    // Resolve the IIS settings for the requested zone (falling back to Default when the
    // web application is not extended to that zone) and build the web.config path.
    string webConfigPath = Path.Combine(
        myWebApplication.GetIisSettingsWithFallback(zone).GetPath().FullName,
        "web.config");

    XmlDocument myDocument = new XmlDocument();
    myDocument.Load(webConfigPath);
    return myDocument;
}

[/csharp]

That gives you the zone's web.config as an XmlDocument, which really lets you start with the fun stuff!
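Once the zone's web.config is loaded, the obvious thing to do with it is verify the point made in the user management post above: the membership provider and role manager must be registered in that web.config before users can be added. The following is an added example, not code from either post. It is plain .NET (no SharePoint assembly), so it runs offline against a constructed sample web.config embedded in the block; in a farm you would hand AuditFile() the per-zone path resolved as shown above. The provider names "FbaMembers" and "FbaRoles", the connection string name "FbaConnection" and the weak settings in the sample are assumptions made for the example; the claims provider entries "i" and "c" are what SharePoint Server 2010 itself puts in a claims-mode web application's web.config.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

// Added example (not from the original posts): audit a SharePoint 2010 web.config to
// confirm the membership provider and role manager are registered and safely configured.
static class WebConfigAudit
{
    // Constructed sample, not copied from any real farm. "FbaMembers", "FbaRoles" and
    // "FbaConnection" are assumed names; the clear-text/retrievable password settings
    // are deliberately weak so the audit has something to report.
    const string SampleWebConfig = @"<?xml version=""1.0""?>
<configuration>
  <system.web>
    <membership defaultProvider=""i"">
      <providers>
        <add name=""i"" type=""Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"" />
        <add name=""FbaMembers"" type=""System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""
             connectionStringName=""FbaConnection"" applicationName=""/""
             passwordFormat=""Clear"" enablePasswordRetrieval=""true"" />
      </providers>
    </membership>
    <roleManager enabled=""true"" defaultProvider=""c"">
      <providers>
        <add name=""c"" type=""Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"" />
        <add name=""FbaRoles"" type=""System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""
             connectionStringName=""FbaConnection"" applicationName=""/"" />
      </providers>
    </roleManager>
  </system.web>
</configuration>";

    // Null-safe attribute read (keeps the code on C# 3 / .NET 3.5, which SharePoint 2010 targets).
    static string Attr(XmlNode node, string name)
    {
        if (node == null || node.Attributes == null) return null;
        XmlAttribute a = node.Attributes[name];
        return a == null ? null : a.Value;
    }

    // Returns one line per finding; an empty list means the registration looks sound.
    public static List<string> Audit(XmlDocument doc)
    {
        List<string> findings = new List<string>();
        XmlNode membership = doc.SelectSingleNode("/configuration/system.web/membership");
        XmlNode roleManager = doc.SelectSingleNode("/configuration/system.web/roleManager");

        if (membership == null)
            findings.Add("no <membership> element: no membership provider is registered");
        else if (Attr(membership, "defaultProvider") != "i")
            findings.Add("membership defaultProvider is not SharePoint's claims provider 'i'");

        if (roleManager == null)
            findings.Add("no <roleManager> element: no role manager is registered");
        else
        {
            if (Attr(roleManager, "enabled") != "true")
                findings.Add("<roleManager> is present but not enabled, so role membership is never evaluated");
            if (Attr(roleManager, "defaultProvider") != "c")
                findings.Add("roleManager defaultProvider is not SharePoint's claims provider 'c'");
        }

        // Every registered membership provider: stored passwords must not be recoverable.
        foreach (XmlNode add in doc.SelectNodes("/configuration/system.web/membership/providers/add"))
        {
            string name = Attr(add, "name") ?? "(unnamed)";
            if (string.Equals(Attr(add, "passwordFormat"), "Clear", StringComparison.OrdinalIgnoreCase))
                findings.Add("membership provider '" + name + "' stores passwords in clear text (passwordFormat=Clear)");
            if (string.Equals(Attr(add, "enablePasswordRetrieval"), "true", StringComparison.OrdinalIgnoreCase))
                findings.Add("membership provider '" + name + "' allows password retrieval");
        }
        return findings;
    }

    // For a real zone, pass the web.config path built from GetIisSettingsWithFallback(zone).
    public static List<string> AuditFile(string webConfigPath)
    {
        XmlDocument doc = new XmlDocument();
        doc.Load(webConfigPath);
        return Audit(doc);
    }

    static void Main()
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(SampleWebConfig);
        foreach (string finding in Audit(doc))
            Console.WriteLine("FINDING: " + finding);
    }
}
```

Two caveats a practitioner should carry with this check. First, the defaultProvider values must stay at SharePoint's own claims providers ("i" and "c"); the SQL providers are referenced by name when you configure forms-based authentication for the web application in Central Administration, not by making them the default. Second, for claims-based forms authentication in SharePoint Server 2010 the same provider entries must also be registered in the web.config of the Central Administration site and of the SecurityTokenServiceApplication, otherwise the People Picker cannot resolve users through the lookup order described in the first post, so run the audit against all three files, not only the zone you extended.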
