Authentication Method in Sharepoint 2013
Hello ,
I have migrated a SharePoint 2010 site to SharePoint 2013 using the DB Attach method. The content DB was 100% mounted, with errors. I have ignored all the errors.
But when I open the SharePoint 2013 site, it throws an access denied error.
I just wanted to know, before upgrading the content DB, is it required to upgrade the service applications?
How can I upgrade the service applications?
Did you migrate your users from Classic mode to Claims mode?
Migrate from classic-mode to claims-based authentication in SharePoint 2013
You might also like to check the following thread, which has a similar issue.
Error:
Access Denied on an upgraded content database from 2010 to sharepoint 2013 - claims based auth misery
Amit
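As an added illustration of the classic-versus-claims check suggested above (example code, not from the thread or from Microsoft's article), the following SharePoint 2013 Management Shell script lists how each site collection administrator's login is stored and then runs the conversion. It assumes a placeholder web application URL and that the 2013 web application was created in classic mode, as the linked migration article requires.

```powershell
# Added example, not from the thread. Assumes the SharePoint 2013 Management Shell,
# farm administrator rights, and a placeholder web application URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url    = "http://intranet.contoso.local"   # placeholder, replace with your web application
$webApp = Get-SPWebApplication -Identity $url

# A classic-mode web application reports $false here; a claims-mode one reports $true.
Write-Output ("UseClaimsAuthentication: {0}" -f $webApp.UseClaimsAuthentication)

# In claims mode a Windows account is stored as 'i:0#.w|DOMAIN\user' (the ULS log in
# this thread shows the same '0#.w|' encoding). Accounts attached from a 2010
# classic-mode content database are still stored as plain 'DOMAIN\user', so they no
# longer match the signed-in claims identity and every request ends in Access Denied.
foreach ($site in $webApp.Sites) {
    foreach ($admin in $site.RootWeb.SiteAdministrators) {
        $form = if ($admin.LoginName -like "i:0#.w|*") { "claims" } else { "classic" }
        Write-Output ("{0}`t{1}`t{2}" -f $site.Url, $admin.LoginName, $form)
    }
    $site.Dispose()
}

# Convert the web application to claims and rewrite the existing user entries in that
# form. -RetainPermissions keeps each converted account's permissions. Back up the
# content database first and rehearse the conversion on a test farm.
Convert-SPWebApplication -Identity $url -To Claims -RetainPermissions
```

Re-run the listing after the conversion: every administrator should now show the claims form, and the Access Denied on the migrated site should be gone.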
Similar Messages
-
Getting Authentication Prompt in SharePoint 2013
Hi,
I randomly get authentication prompts in SharePoint 2013 when performing a search. Please assist me with what is causing this and how to resolve it.
I am using IE 8 (32 bit).
Please guide me on this.
Thanks in advance
Hi,
Try the URLs below; they might help you:
http://www.sharepointdiary.com/2012/04/sharepoint-keeps-asking-for-password.html
http://blogs.c5insight.com/Home/tabid/40/entryid/245/Tips-to-Avoid-Login-Prompts-in-SharePoint.aspx
Regards
PT -
Windows authentication failure on SharePoint 2013 zone
I am attempting to set up a Windows authentication zone in a SharePoint 2013 installation for use by the search crawler. The zone has been configured to use NTLM in order to eliminate Kerberos from the equation. The result of my attempts to access the Windows authentication zone is a 403 error. Central Administration is working on the same server, and of course is using Windows authentication.
I know about the issue of using Windows authentication to localhost, and have configured the BackConnectionHostNames entry in the registry. To prove that I can use Windows authentication using the intended host name for the SharePoint zone, I have set up a test IIS site that binds to the host name used by the zone, and successfully authenticated using Windows authentication.
From monitoring the ULS logs it's obvious that I'm actually successfully completing Windows authentication and getting a SharePoint claim, but from that point I'm being denied by SharePoint. I do know that my Windows credentials have site collection administrator privileges. The most interesting failure in the ULS log appears to be:
SPApplicationAuthenticationModule: Authorization header doesn't contain Bearer, can't try to perform application authentication.
Another odd thing is that after the ULS indicates I have failed authentication, I'm redirected to /_layouts/AccessDenied.aspx instead of the login page defined in web.config. I have tried many things, including enabling Kernel-mode authentication.
Below is an excerpt from my ULS logs:
SPApplicationAuthenticationModule: There is no Authorization header, can't try to perform application authentication.
Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0
[Forced due to logging gap, cached @ 12/01/2014 15:48:32.53, Original Level: Verbose] Value for isAnonymousAllowed is : {0}
[Forced due to logging gap, Original Level: Verbose] Value for checkAuthenticationCookie is : {0}
Claims Windows Sign-In: Sending 401 for request 'https://crawler.my.host/' because the user is not authenticated and resource requires authentication.
[Forced due to logging gap, cached @ 12/01/2014 15:48:32.56, Original Level: VerboseEx] Sending HTTP response {0} - {1}:{2}.
[Forced due to logging gap, Original Level: Verbose] SPRequestModule.PreSendRequestHeaders
Leaving Monitored Scope (Request (GET:https://crawler.my.host:443/)). Execution Time=5320.19544383434
Name=Timer Job SchedulingApproval
Leaving Monitored Scope (Timer Job SchedulingApproval). Execution Time=16.4101862108173
Name=Timer Job SchedulingApproval
Leaving Monitored Scope (Timer Job SchedulingApproval). Execution Time=14.9021733209109
Name=Timer Job SchedulingApproval
[Forced due to logging gap, cached @ 12/01/2014 15:48:32.95, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
[Forced due to logging gap, Original Level: VerboseEx] SPFederationAuthenticationModule.OnEndRequest: Start
SPFederationAuthenticationModule.OnEndRequest: User was being redirected to authenticate.
Leaving Monitored Scope (Timer Job SchedulingApproval). Execution Time=17.2175513927049
Claims Windows Sign-In: Sending 401 for request 'https://crawler.my.host/' because the user is not authenticated and resource requires authentication.
Name=Request (GET:https://crawler.my.host:443/)
Micro Trace Tags: 0 nasq
Leaving Monitored Scope (Request (GET:https://crawler.my.host:443/)). Execution Time=9.54646470431298
Name=Request (GET:https://crawler.my.host:443/)
SPTokenCache.ReadTokenXml: Successfully read token XML 'mydomain\myuser'.
Token Cache: Failed to get token from distributed cache for '0).w|s-0-0-0-0-0-0-1234'.(This is expected during the process warm up or if data cache Initialization is getting done by some other thread).
Token Cache: Reverting to local cache to get the token for '0).w|s-0-0-0-0-0-0-1234'.
Token Cache: Entry missing for user 'mydomain\myuser'.
Token Cache: Failed to get token from distributed cache for '0).w|s-0-0-0-0-0-0-1234'.(This is expected during the process warm up or if data cache Initialization is getting done by some other thread).
Token Cache: Reverting to local cache to get the token for '0).w|s-0-0-0-0-0-0-1234'.
Claims Windows Sign-In: User 'mydomain\myuser' for request url 'https://crawler.my.host/' does not have a cached SessionSecurityToken.
[Forced due to logging gap, cached @ 12/01/2014 15:48:33.24, Original Level: VerboseEx] We are in claims windows only mode for for request url '{0}'.
[Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
[Forced due to logging gap, cached @ 12/01/2014 15:48:33.71, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
SPSecurityContext: Added JsonWebSecurityTokenHandler to trust channel factory
SPSecurityContext: Replaced WSTrustRequestSerializer with SPTrust13RequestSerializer
SPSecurityContext: The SecurityTokenServiceBehavior is attached to the TrustChannel.
SecurityTokenServiceSendRequest: RemoteAddress: 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustChannelContract' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue'
MessageId: 'urn:uuid:f175f6ef-a93d-4efe-9173-1fba74b1eed2'
SecurityTokenServiceReceiveRequest: LocalAddress: 'http://servername:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId:
'urn:uuid:f175f6ef-a93d-4efe-9173-1fba74b1eed2'
Entering monitored scope (ExecuteSecurityTokenServiceOperationServer). Parent No
STS Call: Issuing new security token.
SPSecurityTokenServiceManager!EnsureSharePointLogonRequestClaims: Found primary sid claim. Value: 's-0-0-0-0-0-0-1234'.
Using claim provider 'System' for operation because it is default and it is visible.
Excluding claim provider 'AD' for operation because it is not default and .
Using claim provider 'AllUsers' for operation because it is default and it is visible.
Excluding claim provider 'Forms' for operation because it is not default and .
Using claim provider 'User Profile Claim Provider' for operation because it is default and it is visible.
STS Call Claims Windows: Setting cookie lifetime to: Microsoft.IdentityModel.Protocols.WSTrust.Lifetime
STS Call Claims Windows: Successfully requested sign-in claim identity for user 'mydomain\myuser'.
STS Call: Successfully issued new security token.
Leaving Monitored Scope (ExecuteSecurityTokenServiceOperationServer). Execution Time=13.187150880908
[Forced due to logging gap, cached @ 12/01/2014 15:48:34.87, Original Level: Verbose] The SecurityTokenServiceHeaderInfo including the correlation ID was added.
Leaving Monitored Scope (ExecuteSecurityTokenServiceOperationCaller:http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue). Execution Time=719.713539011243
[Forced due to logging gap, cached @ 12/01/2014 15:48:35.60, Original Level: Verbose] ____{0}={1}
Claims Windows Sign-In: Siginging in the the user 'mydomain\myuser' for request url 'https://crawler.my.host/'.
Updating X.509 certificate validation policy
[Forced due to logging gap, cached @ 12/01/2014 15:48:36.26, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
Adding X.509 certificate thumbprint '493E6806F4178EDD685BE5EA0AAF79ED30FB4A90' to root authority trust
SPLocalLoginProvider: Initializing and creating S2S Claim Mappings
SPLocalLoginProvider: Initialized S2S Claim Mappings.
[Forced due to logging gap, cached @ 12/01/2014 15:48:36.37, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
[Forced due to logging gap, Original Level: Verbose] Deserializing the type named {0} and with id {1}.
[Forced due to logging gap, cached @ 12/01/2014 15:48:37.17, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
[Forced due to logging gap, Original Level: Verbose] Deserializing the type named {0} and with id {1}.
[Forced due to logging gap, cached @ 12/01/2014 15:48:37.96, Original Level: Verbose] Completed deserializing the type named {0} and with id {1}.
[Forced due to logging gap, Original Level: VerboseEx] SPFederationAuthenticationModule.OnSessionSecurityTokenCreated: Start
[Forced due to logging gap, cached @ 12/01/2014 15:48:38.10, Original Level: VerboseEx] SPSam.SetPrincipalFromSessionToken: End
[Forced due to logging gap, Original Level: Verbose] Looking up {0} site {1} in the farm {2}
Token Cache: Failed to add token from distributed cache for '0).w|s-0-0-0-0-0-0-1234'.(This is expected during the process warm up or if data cache Initialization is getting done by some other thread).
Token Cache: Reverting to local cache to Add the token for '0).w|s-0-0-0-0-0-0-1234'.
Token Cache: Successfully added token to cache for '0).w|s-0-0-0-0-0-0-1234'.
SPTokenCache.ReadTokenXml: Successfully read token XML '0).w|s-0-0-0-0-0-0-1234,0#.w|mydomain\myuser,123456789012345,True,dpoRtB/hPcjVrEaJtqVWxhY8Pbfm++oHwWQ5TCB9jBlLx5n2Ky5OqGXM7ntfLB0kqIJNDUkeQrl4wL7xW2m4r0rV1TiOUf+e2mpHq8WOgN67puRViZbCxCkwmmxUpE/1OVNcDFXRCh26tvVFieK99LKZn8BJUtmP8RqxtwtwqBolNjCyZ3rfSSmtFyM3pdWjphdj312R9Lcp9/EhTpvvV1J2lFCig901ZGaPo7zOw3pFyXl1eDs+gF2Bcbc7/mMZw67/gEccsFaekBVH1TK0d9qqr6P/ISeEgzhlK4DChV94ntsw8m8Pb255yTL8WrbTykMFV3jC7R2MvqCmiKGK+g==,https://crawler.my.host/'.
Claims Windows Sign-In: Not writing a cookie for request 'https://crawler.my.host/'.
Claims Windows Sign-In: Successfully signed-in the the user 'mydomain\myuser' for request url 'https://crawler.my.host/'.
Updating header 'LOGON_USER' with value '0#.w|mydomain\myuser' for the request url 'https://crawler.my.host/'.
Leaving Monitored Scope (SPClaimsCounterScope). Execution Time=4957.74267399907
SPApplicationAuthenticationModule: Authorization header doesn't contain Bearer, can't try to perform application authentication.
Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|mydomain\myuser, ClaimsCount=27
Leaving Monitored Scope (PostAuthenticateRequestHandler). Execution Time=31.2877754016223
Micro Trace Tags: 0 nasq,69 air4a,1 air4b,22 air4a,0 air4b,1641 aeayb,732 b4ly,654 erv2,58 erv3,1814 air36,0 air37,42 b4ly,5 agb9s,39 b4ly
Leaving Monitored Scope (Request (GET:https://crawler.my.host:443/)). Execution Time=5101.04328902137
SPFederationAuthenticationModule.OnEndRequest: User was being redirected to authenticate.
[Forced due to logging gap, cached @ 12/01/2014 15:48:38.24, Original Level: Verbose] {0}
[Forced due to logging gap, Original Level: VerboseEx] SPRequestParameters: AppPrincipal={0}, UserName={1}, UserKye={2}, RoleCount={3}, Roles={4}
Site=/
[Forced due to logging gap, cached @ 12/01/2014 15:48:38.37, Original Level: Verbose] {0}
[Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
[Forced due to logging gap, cached @ 12/01/2014 15:48:38.40, Original Level: VerboseEx] No SPAggregateResourceTally associated with thread.
[Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
[Forced due to logging gap, cached @ 12/01/2014 15:48:38.48, Original Level: VerboseEx] No SPAggregateResourceTally associated with thread.
[Forced due to logging gap, Original Level: VerboseEx] Reverting to process identity
Access Denied for /. StackTrace: at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(HttpContext context) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnEndRequest(Object sender,
EventArgs eventArgs) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error) at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb) at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest
wr, HttpContext context) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr
rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags) at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr
nativeRequestContext, IntPtr moduleData, Int32 flags) at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
Leaving Monitored Scope (SPFederationAuthenticationModule.OnEndRequest). Execution Time=351.625416079418
Entering monitored scope (Request (GET:https://crawler.my.host:443/_layouts/AccessDenied.aspx?Source=https%3A%2F%2Fcrawler%2Emy%2Ehost)). Parent No
I'm extending an existing claims-based web application. The way I'm testing authentication is by attempting to log in to the Windows authentication zone using the browser and an account with site collection administrator privileges. I've also tried using the intended crawler service account, but that also fails authentication.
With regard to the default zone issue, I've already experimented with using both the default zone and another zone, but neither works.
BTW, I already have this working in a SharePoint 2013 development environment, and a similar configuration has been in a SharePoint 2010 production environment for over a year, which makes this a particularly maddening problem.
I have enabled Failed Request Tracing, and get a 401.1, 401.2, then a 403 (which says it was caused by the 401.2). I'm not sure of the significance, but the 403 trace shows the module for the 401.2 to be UrlAuthorizationModule, while the module for the 403 error is FederatedAuthentication.
Per my ULS trace included in my original post, it appears that I'm actually getting a SharePoint claim. -
Reset Authentication method to Exchange 2013 EAC and now I can't get in.
In trying to work through a list of issues related to the Exchange upgrade, I inadvertently locked myself out of the EAC by changing the authentication method. Is there any way to change it back?
Hi,
In my experience, ECP login failures have many possible causes. To narrow down the cause, we can confirm the following information and try the following troubleshooting:
1. Check the details of the OWA and ECP virtual directories:
Get-owavirtualdirectory |fl
Get-ecpvirtualdirectory |fl
2. Clear or restart the MSExchangeOWAAppPool
Thanks,
Angela Shi
TechNet Community Support -
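As an added example of the virtual-directory check in the answer above (not code from the thread), the following Exchange Management Shell script shows the current authentication settings on the front-end OWA and ECP virtual directories, restores the usual forms-based plus Basic combination on both, and recycles the application pool. The server name EX01 is a placeholder.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# affected Client Access server; EX01 is a placeholder name. It restores the usual
# front-end setting (forms-based plus Basic, no Integrated Windows) on both OWA and ECP.
$server = "EX01"
$props  = "Identity", "FormsAuthentication", "BasicAuthentication",
          "WindowsAuthentication", "DigestAuthentication"

# Show the current settings. Without -ShowMailboxVirtualDirectories only the
# "Default Web Site" (front-end) directories are returned, which is what we want:
# the "Exchange Back End" directories keep Windows authentication and must stay as they are.
Get-OwaVirtualDirectory -Server $server | Format-List $props
Get-EcpVirtualDirectory -Server $server | Format-List $props

# OWA and ECP on the same server must use matching authentication settings; a
# mismatch is one of the ways the EAC login ends up failing after a manual change.
Get-OwaVirtualDirectory -Server $server |
    Set-OwaVirtualDirectory -FormsAuthentication $true -BasicAuthentication $true `
                            -WindowsAuthentication $false -DigestAuthentication $false
Get-EcpVirtualDirectory -Server $server |
    Set-EcpVirtualDirectory -FormsAuthentication $true -BasicAuthentication $true `
                            -WindowsAuthentication $false -DigestAuthentication $false

# The change only takes effect once the OWA application pool is recycled.
Import-Module WebAdministration
Restart-WebAppPool -Name "MSExchangeOWAAppPool"

# Confirm the result before trying the EAC login again.
Get-EcpVirtualDirectory -Server $server | Format-List $props
```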
What is the best approach to setup intranet and internet sites in SharePoint 2013?
I am planning to set up internet and intranet websites for one of our clients. What is the best approach to setting up this kind of environment?
Some of the users (registered users) from the internet should be able to access information on the intranet site. I have created two web applications, one for the intranet and one for the internet. Is it the right way to go forward?
Thanks in advance! :)
LM
Hi Laemon,
Creating two separate web applications, one for the Internet site and the other for the Intranet, is the right thing to do.
1. Properly planning the creation of your web application, site collection and website is of the utmost importance to ensure you build your site in a professional and recommended way. Go through this article from TechNet; it will help you plan your site in SharePoint 2013.
https://technet.microsoft.com/en-us/library/cc263267.aspx
2. Planning and choosing the right authentication type is also a very important decision. I recommend you go through the article below if you have not already.
Plan for user authentication methods in SharePoint 2013
3. Plan licensing for your SharePoint 2013 Internet-facing website.
Licensing Internet Sites Built on SharePoint 2013
SharePoint 2013 licensing for Internet facing sites
4. To grant registered users access to the Intranet site (as you mentioned in the question): if you created both web applications in the same farm (same domain), then it is easy to grant access using site permissions, with Windows authentication enabled for both web applications. If the web applications are created in different domains and there is a two-way trust in place, and the SharePoint servers have the necessary port access to the remote domain's domain controller, then it is automatic. If it is a one-way trust, then you need to follow these directions:
http://technet.microsoft.com/en-us/library/cc263460(v=office.12).aspx
If there is no domain trust in place, then you either need to create one or look at alternative technologies, such as ADFS.
Please remember to upvote if it helps you or click 'Mark as Answer' if the reply answers your query. -
Sharepoint 2013 on premise external access
Hello,
We have a single SharePoint on-premises farm and we need to enable external access for users from different companies. How can we make this possible without an ADFS configuration?
The following links will help you get started:
Plan for user authentication methods in SharePoint 2013
Authentication overview for SharePoint 2013
Configuring Forms Based Authentication in SharePoint 2013
Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply. -
Hi
I configured forms-based authentication mode on a SharePoint 2013 site. When I try to log in with the Windows authentication prompt, it throws the following error:
The remote server returned an error: (500) Internal Server Error
[WebException: The remote server returned an error: (500) Internal Server Error.] System.Net.HttpWebRequest.GetResponse() +8548300 System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +111 [ProtocolException:
The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first
1024 bytes of the response were: '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
How to fix this issue?
Regards,
Siva
Did you create a new web application or modify an existing web application?
I would start by checking the ULS logs; maybe there is an incorrect setting within one of the web.config files, or a SQL permissions problem.
Also, as suggested above, check that the application pools are running.
This blog post is a great guide for setting up FBA; check it through to make sure you haven't missed any steps:
http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx -
Excel Services Refresh method not working in Sharepoint 2013
Hi,
In our application, we open an Excel Services workbook in SharePoint 2013. Using the session ID of the workbook, we call the Refresh and CalculateWorkbook methods in that order. After the CalculateWorkbook method, I see timestamps in LastUpdatedTime for each connection in the 'Connections' tab of the Excel workbook. When the Refresh method is called again after the CalculateWorkbook method, the LastUpdatedTime for the connections becomes blank.
When I use SharePoint 2010, the timestamp does not become blank after refresh.
I think this is why we see blank data on our reports. Can somebody tell me whether there is a problem with the Refresh method in SharePoint 2013? Or is somebody else facing problems with Excel Services in SharePoint 2013? Any pointers would help.
Thanks,
Pranava
Hi,
For your issue, verify whether the Excel files are rendered by Office Web Apps. When Office Web Apps is responsible for the rendering, the URL will look something like this:
https://server/_layouts/15/WopiFrame.aspx?sourcedoc=/Documents/excel.xlsx&….
And when Excel Calc is rendering the document, it should look like the following:
https://server/_layouts/15/xlviewer.aspx?id=/Documents/excel.xlsx&…
Here is an article about how to enable PDF previews with OWA:
http://www.wictorwilen.se/sharepoint-2013-enabling-pdf-previews-with-office-web-apps-2013-march-2013-update
Also, refer to this article on configuring Office Web Apps for SharePoint 2013:
https://technet.microsoft.com/en-us/library/ff431687.aspx
Best Regards,
Lisa Chen
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. -
Single Signon from SharePoint 2010 to SharePoint 2013 application
Hello all,
We have two SharePoint applications,
1. SharePoint 2010 application which uses Classic mode of authentication
2. SharePoint 2013 application which uses claim based authentication + Form Based Authentication.
We have provided a link for SharePoint 2013 application in SharePoint 2010 application.
Once a user logs into the SharePoint 2010 application and clicks the link to the SharePoint 2013 application, the user should not be prompted for credentials again and should be able to log in to the landing page.
How can we go about this? Any help is appreciated.
Thanks & Regards,
Sharath
Sharath Bharadwaj
Is this an intranet application, in which case you can add the sites to the trusted internet zone or intranet zone to allow your machine to automatically pass credentials?
That of course won't make the FBA work automatically; that isn't possible as far as I know. -
Hello,
I am having issues creating a report data source with "Windows authentication (integrated) or SharePoint user" in SharePoint 2013. I followed the steps mentioned in the link http://blogs.msdn.com/b/psssql/archive/2014/04/28/sharepoint-adventures-using-claims-with-reporting-services.aspx.
I am just stuck on the delegation piece here. I have an SSAS instance named "XXXXAPPV01\Multidimensional". First, what is the procedure to set the SPN for this instance? I need to add this service in the delegation tab so that the C2WTS service is configured correctly.
Put simply, I should be able to access my SSAS 2012 cube from SSRS 2012 with "Windows authentication (integrated) or SharePoint user" as the authentication method.
Palash
I used the command below to set the SPN for Analysis Services.
setspn -S MSOLAPSvc.3/XXXXAPPV01APPV01.xxxxdmo.local:Multidimensional xxxxdmo\svcMyService
After setting the SPN for this service account, I added this account (xxxxdmo\svcMyService) in the delegation tab of the domain account created earlier for the claims service (xxxxdmo\svcC2WTS). Now, in Service Type it shows MSOLAPSvc.3, in User or Computer it shows XXXXAPPV01APPV01.xxxxdmo.local and in Port it shows Multidimensional. This is in my svcC2WTS account's delegation tab. Still I am not able to connect the data source with "Windows authentication (integrated) or SharePoint User". I am getting the same error "Cannot convert claims identity to windows token".
I am not sure what I am missing in this configuration piece to get this working.
Palash -
Forms based authentication in sharepoint 2013 using custom membership provider
I am developing FBA for SP2013 using a custom membership provider, following this link:
http://benredl.wordpress.com/2012/10/03/creating-forms-based-authentication-and-user-profiles-in-sharepoint-2013-using-custom-membership-and-role-providers-and-a-custom-user-profile-synchronization-utility/
The feature I am trying to develop is that the user is created using a homegrown ASP.NET application which uses SQL Server, and then when that user goes to SP2013 he should be able to log in with the username and password created using the homegrown ASP.NET application.
My questions are the following:
If I follow the article in the link, should I be taking the assembly (DLL) and deploying it to the GAC, or will VS2013 automatically do it?
Do I have to implement the FindUserByEmail and FindUserByName methods?
If the connection string for an ASP.NET application is in the web.config file, where would the connection string for SQL Server go if this application is for SharePoint?
TIA
Hi TIA,
Try this; it contains the code for you and it is ready:
http://sharepoint2013fba.codeplex.com/
Kind Regards, John Naguib Technical Consultant/Architect MCITP, MCPD, MCTS, MCT, TOGAF 9 Foundation -
I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use claims-based auth with the certificate authentication method and ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
When I log into my site using Windows auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS; after selecting the ADFS method, my browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds returns me to the logon page with the error message “Authentication failed”.
I based my setup on the TechNet article
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
I validated that all my certificates are valid and able to retrieve the CRL.
I got event log ID 300:
The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
trustNamespace, AsyncCallback callback, Object state)
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
thx
Stef71
This is perfectly correct; in my case I was not adding the root properly. You must add the CA and the ADFS as well, which is twice; you can see my results below.
In my case it was:
PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
Certificate : [Subject]
CN=domain.AD0001CA, DC=domain, DC=com
[Issuer]
CN=domain.AD0001CA, DC=portal, DC=com
[Serial Number]
blablabla
[Not Before]
22/07/2014 11:32:05
[Not After]
22/07/2024 11:42:00
[Thumbprint]
blablabla
Name : domain.ad0001
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : domain.ad0001
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17164
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Certificate : [Subject]
CN=ADFS Signing - adfs.domain
[Issuer]
CN=ADFS Signing - adfs.domain
[Serial Number]
blablabla
[Not Before]
23/07/2014 07:14:03
[Not After]
23/07/2015 07:14:03
[Thumbprint]
blablabla
Name : Token Signing Cert
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : Token Signing Cert
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17184
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
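The stack trace above fails inside X509NTAuthChainTrustValidator, i.e. SharePoint could not build a chain for the token-signing certificate, and Stef71's fix was to register both the issuing CA and the AD FS signing certificate. The following script is an added example, not code from the thread: it builds the chain locally the way that validator does, warns when a certificate is close to expiry (the AD FS signing certificate in the post is valid for one year), and registers each certificate with New-SPTrustedRootAuthority only if that name is not already present. File paths and authority names are taken from the post; the 30-day threshold is an assumption.

```powershell
# Added example (not from the thread). Run in the SharePoint Management Shell.
# Paths and names mirror the post; adjust them for your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certs = @(
    @{ Name = 'domain.ad0001';      Path = 'C:\cer\SP2K10\ad0001.cer' }       # issuing CA
    @{ Name = 'Token Signing Cert'; Path = 'C:\cer\SP2K10\ADFS_Signing.cer' } # AD FS token-signing cert
)
$expiryWarnDays = 30   # assumption: warn when less than this remains

foreach ($entry in $certs) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($entry.Path)

    # Same check the X509NTAuthChainTrustValidator frame performs: build the chain on this box.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok     = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    Write-Host ("{0}: subject={1} issuer={2} chainOk={3} status=[{4}]" -f `
        $entry.Name, $cert.Subject, $cert.Issuer, $ok, $status)

    # Token-signing certs are short-lived; a rollover without re-registering breaks the trust.
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $expiryWarnDays) {
        Write-Warning ("{0} expires in {1} days ({2}); plan the trust rollover." -f `
            $entry.Name, $daysLeft, $cert.NotAfter)
    }

    # New-SPTrustedRootAuthority errors if the name exists, so look it up first and compare thumbprints.
    $existing = Get-SPTrustedRootAuthority -Identity $entry.Name -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.Certificate.Thumbprint -ne $cert.Thumbprint) {
            Write-Warning ("{0} is registered with thumbprint {1} but the file has {2}; remove and re-add to rotate." -f `
                $entry.Name, $existing.Certificate.Thumbprint, $cert.Thumbprint)
        } else {
            Write-Host ("{0} already registered with a matching thumbprint." -f $entry.Name)
        }
    } else {
        New-SPTrustedRootAuthority -Name $entry.Name -Certificate $cert | Out-Null
        Write-Host ("{0} registered (thumbprint {1})." -f $entry.Name, $cert.Thumbprint)
    }
}
```

A chain result of UntrustedRoot for the self-signed AD FS signing certificate is expected on a box that does not have it in its own store; what matters is that SharePoint's trusted-root list ends up holding the full chain, which is why the CA entry is registered as well.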
I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
Given below are the steps of installation and configuration.
Installation till basic authentication:
The installation has been done in a single server.
1. Installed SQL Server 2012 (Developer version). Selected only the following features:
- Database Engine Services
- Analysis Services
- Reporting Services – SharePoint
- Reporting Services Add-in for SharePoint Products
- Management Tools – Basic
- Management Tools – Complete
2. Installed SQL Server 2012 SP1.
3. Installed SQL Server 2012 SP2.
4. Installed SharePoint Foundation 2013.
5. Created web application (without Kerberos; we did not even create the SPNs).
The application pool has been configured to use the Reporting Services account since it is a single server installation. This account has been registered as a managed account.
6. Created Site Collection.
7. Verified that Reporting Services is not installed.
8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
9. Verified that Reporting Services is installed.
10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
12. Created a Site.
13. Created a Data Connection library with “Report Data Source” content type.
14. Created a Report Model library with “Report Builder Model” content type.
15. Created a Report library with “Report Builder Report” content type.
16. Uploaded an SMDL to the Report Model library.
17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
18. Able to create and save a report using Report Builder.
Hence, basic authentication is working and SSRS is able to connect to Oracle database.
Next we have to configure Kerberos settings between SharePoint and SQL Server.
Implementation of Kerberos authentication
1. In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config and added the Authentication Types of RSWindowsNegotiate and RSWindowsKerberos.
2. Set up the following SPNs.
a) SQL Server Database Engine service (sqlDbSrv2):
setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
b) Account: SharePoint Setup Admin account (spAdmin2)
setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
c) Account: SQL Server Reporting Service account (sqlRepSrv2)
setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
3. Configure the Web Application to use “Negotiate (Kerberos)”.
4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
The Event Viewer logged the login process for the SharePoint Administration account as Negotiate and not Kerberos.
5. Implemented Kerberos for Oracle database and client.
Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
6. Turn on Windows Firewall.
7. While testing the site's data connection using Kerberos settings, got the error
“Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
Note: The Data Connection for basic authentication still worked.
8. Created a Claims to Windows Token Service account (spC2WTS2).
9. Started the Claims to Windows Token Service.
10. Registered the Claims to Windows Token Service account as a Managed Account.
11. Changed the Claims To Windows Token Service to use the above managed account.
12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
Note: The Reporting Services service account is also a part of the WSS_WPG local group.
13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in the c2wtshost.exe.config file.
16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
Note: The Reporting Service account already had an HTTP SPN.
19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
20. Restarted the SharePoint server.
21. Tested the data connection with the Kerberos settings again.
Got the error
“ORA-12638: Credential retrieval failed”.
Can anyone tell me what is wrong with this setup?

http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
Problem4: ORA-12638: Credential retrieval failed
Solution: Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
Do check
http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/
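The procedure above touches four accounts, two of which (steps 2a and 2b) are set to "Trust this user for delegation to any service (Kerberos only)", which is unconstrained delegation, while the Reporting Services and C2WTS accounts get constrained delegation with protocol transition (steps 18 and 19). Before chasing the ORA-12638 error it is worth confirming exactly what AD holds for each account. The script below is an added example, not code from the thread: it reads the delegation bits and SPNs for the four accounts in the post, flags unconstrained delegation, checks that the intended target SPN is in msDS-AllowedToDelegateTo, and looks for duplicate SPNs, which make Kerberos fail quietly. The account names and HTTP/MSSQLSvc SPNs are the post's; the Oracle service SPN is an assumption and must be replaced with the real one.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$accounts       = 'sqlDbSrv2', 'spAdmin2', 'sqlRepSrv2', 'spC2WTS2'   # from the post
$expectedTarget = 'oracle/oradb.cer.demo.com'                         # ASSUMED Oracle Kerberos SPN

# userAccountControl bits (documented values)
$TRUSTED_FOR_DELEGATION         = 0x80000    # "any service (Kerberos only)"  = unconstrained
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol" = protocol transition

foreach ($sam in $accounts) {
    $u = Get-ADUser -Identity $sam -Properties servicePrincipalName, userAccountControl, 'msDS-AllowedToDelegateTo'
    $uac           = [int]$u.userAccountControl
    $unconstrained = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
    $protoTrans    = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    $targets       = @($u.'msDS-AllowedToDelegateTo')

    Write-Host ("== {0}" -f $sam)
    Write-Host ("   SPNs: {0}" -f (@($u.servicePrincipalName) -join ' '))

    if ($unconstrained) {
        # Any service ticket this account receives can be reused against any service in the forest.
        Write-Warning ("{0}: unconstrained delegation is enabled; prefer constrained delegation to {1}." -f $sam, $expectedTarget)
    }
    if ($targets.Count -gt 0) {
        Write-Host ("   Constrained to: {0}  (protocol transition: {1})" -f ($targets -join ', '), $protoTrans)
        if ($targets -notcontains $expectedTarget) {
            Write-Warning ("{0}: {1} is not in msDS-AllowedToDelegateTo." -f $sam, $expectedTarget)
        }
    }
    # C2WTS turns a claims identity into a Windows token for a user who never sent it a
    # Kerberos ticket, so it needs protocol transition (S4U2Self) before S4U2Proxy can work.
    if ($sam -eq 'spC2WTS2' -and -not $protoTrans) {
        Write-Warning "spC2WTS2: 'Use any authentication protocol' is not set; S4U2Proxy to the backend will fail."
    }
}

# A duplicate SPN makes the KDC encrypt tickets for whichever account it finds first;
# the service then reports KRB_AP_ERR_MODIFIED or the client silently falls back to NTLM.
foreach ($spn in 'HTTP/CER1110', 'HTTP/CER1110.cer.demo.com', 'MSSQLSvc/CER1110.cer.demo.com:1433') {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" | Select-Object -ExpandProperty Name)
    if ($owners.Count -gt 1) {
        Write-Warning ("Duplicate SPN {0} on: {1}" -f $spn, ($owners -join ', '))
    }
}
```

Note that browsers request a ticket for HTTP/hostname without the port, so the HTTP/CER1110:9999 SPNs on spAdmin2 in step 2b are not what Internet Explorer asks for; the ticket goes to whichever account holds HTTP/CER1110, which in the post is sqlRepSrv2.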
Publish Sharepoint 2013 via Web Application Proxy and Kerberos Authentication
This is similar to
http://social.technet.microsoft.com/Forums/windowsserver/en-US/66c23aae-8774-4257-b9f9-b796e69b0318/action?threadDisplayName=publishing-sharepoint-2010-using-web-application-proxy
However I have tried his resolution to no avail.
I am trying to publish a SharePoint 2013 website via web application proxy. SharePoint 2013 is using negotiate (Kerberos) as its authentication provider. When trying to browse to the site externally via the WAP I get an http error 500 internal server error.
In the web application proxy's event viewer I find the following two entries every time I try to browse the site.
event ID 13019
level: warning
Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: No credentials are available in the security package
(0x8009030e).
Details:
Transaction ID: {5672be45-a4b8-0005-58ff-7256b8a4cf01}
Session ID: {5672be45-a4b8-0000-3909-7356b8a4cf01}
Published Application Name: sharepoint
Published Application ID: ****
Published Application External URL: https://sharepoint.domain.com
Published Backend URL: https://sharepoint.domain.com
User: [email protected]
User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Client Request URL:
https://sharepoint.domain.com/home?authToken=****client-request-id=****
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: WIA
State Machine State: BackendRequestProcessing_Pending
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
And
event ID 12027
level: error
Web Application Proxy encountered an unexpected error while processing the request.
Error: No credentials are available in the security package
(0x8009030e).
Details:
Transaction ID: ****
Session ID: ****
Published Application Name: Sharepoint
Published Application ID: ****
Published Application External URL: https://sharepoint.domain.com/
Published Backend URL: https://sharepoint.domain.com/
User: [email protected]
User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Client Request URL:
https://gateway.dcsch.co.uk/home?authToken=****client-request-id=****
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: WIA
State Machine State: OuOfOrderFEHeadersWriting
Response Code to Client: 500
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
I have tried everything I have seen in many posts and the one linked above but cannot get this working. It does work fine internally.

And within the next 10 minutes I found this
http://technet.microsoft.com/en-us/library/dn308246.aspx#Kerberos
Needed to set up delegation to ANY service in the Web application proxy
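The 0x8009030e "No credentials are available in the security package" entries mean the proxy could not obtain a Kerberos ticket on the user's behalf: after AD FS pre-authentication WAP only holds a token, so it must use Kerberos constrained delegation with protocol transition from its own computer account to the backend SPN. The TechNet page linked above describes that setup. The script below is an added example, not from the thread, and shows the narrower configuration: the WAP computer account is allowed to delegate only to the SharePoint HTTP SPN, and the application is published with that SPN. WAP01, sp_apppool, the relying-party name and the certificate thumbprint are assumptions; the URLs are the ones in the event log.

```powershell
# Added example (not from the thread). Steps 1-2 run where the ActiveDirectory
# module is available; step 3 runs on the WAP server itself (must be domain-joined).
Import-Module ActiveDirectory

$wapComputer = 'WAP01'                        # ASSUMED proxy server name
$backendSpn  = 'HTTP/sharepoint.domain.com'   # must be on the SharePoint app-pool account
$appPoolAcct = 'sp_apppool'                   # ASSUMED app-pool service account

# 1. The backend SPN must exist exactly once, on the account the app pool runs as.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$backendSpn)")
if ($owners.Count -ne 1 -or $owners[0].Name -ne $appPoolAcct) {
    throw "Expected $backendSpn on $appPoolAcct exactly once, found: $(@($owners.Name) -join ', ')"
}

# 2. Constrained delegation + protocol transition on the WAP computer account.
#    WAP never sees the user's password or TGT, so it needs S4U2Self/S4U2Proxy
#    ("Use any authentication protocol"), scoped to this one SPN rather than "any service".
Set-ADComputer -Identity $wapComputer -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpn }
Set-ADAccountControl -Identity "$wapComputer$" -TrustedToAuthForDelegation $true

$c = Get-ADComputer -Identity $wapComputer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($c.TrustedForDelegation) {
    Write-Warning "$wapComputer has unconstrained delegation enabled; it is not needed for WAP."
}
Write-Host ("{0} may delegate to: {1}" -f $wapComputer, (@($c.'msDS-AllowedToDelegateTo') -join ', '))

# 3. Publish the application. BackendServerAuthenticationSPN is the SPN WAP requests a ticket for.
Add-WebApplicationProxyApplication `
    -Name 'sharepoint' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl 'https://sharepoint.domain.com/' `
    -BackendServerUrl 'https://sharepoint.domain.com/' `
    -ADFSRelyingPartyName 'SharePoint' `
    -ExternalCertificateThumbprint '0000000000000000000000000000000000000000' `
    -BackendServerAuthenticationSPN $backendSpn
```

Restart the proxy service after changing delegation so the new computer-account settings are picked up; the 13019 warning should stop once a ticket for the backend SPN can be obtained.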
Hi,
We have Sharepoint 2013 search center site which is claim based with NTLM authentication set. we have Sharepoint 2010 farm also running which are FBA authenticated.
While crawling Sharepoint 2010 sites having FBA authentication from SP 2013 search center having NTLM auth. it does not give proper result.
Can you please help me what can be done here?
Thanks,
Prashant
Hi Prashant,
According to your description, my understanding is that the search cannot work correctly when crawling the SharePoint site which is form-based authentication.
Per my knowledge, the crawl component requires NTLM to access content. At least one zone must be configured to use NTLM authentication. If NTLM authentication is not configured on the default zone, the crawl component can use a different zone that is configured to use NTLM authentication.
However, if crawling a non-default zone of the web application, URLs of results will always be relative to the non-default zone that was crawled for queries from any zone, and this can cause unexpected or problematic behavior.
I recommend to make sure that the default zone of the SharePoint 2010 web application to use NTLM authentication.
More references:
http://technet.microsoft.com/en-us/library/dn535606(v=office.15).aspx
http://technet.microsoft.com/en-us/library/cc262350.aspx#planzone
Best regards.
Thanks
Victoria Xia
TechNet Community Support
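The answer above turns on which zone of the SharePoint 2010 web application offers Windows (NTLM) authentication and whether that zone is the Default one. The script below is an added example, not from the thread: it lists the authentication providers of every zone of every web application and warns when the Default zone has no Windows provider, which is the situation the answer says produces result URLs relative to the crawled zone. It handles both claims web applications (providers per zone) and classic-mode ones (one authentication mode per zone); no names are assumed.

```powershell
# Added example (not from the thread). Run in the SharePoint Management Shell on the farm being crawled.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

foreach ($wa in Get-SPWebApplication) {
    Write-Host ("== {0} (claims={1})" -f $wa.DisplayName, $wa.UseClaimsAuthentication)
    $windowsZones = @()

    foreach ($zone in $wa.IisSettings.Keys) {
        $names = @()
        if ($wa.UseClaimsAuthentication) {
            foreach ($p in (Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone)) {
                if ($p -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider]) {
                    # DisableKerberos = $true is plain NTLM; otherwise Negotiate (Kerberos with NTLM fallback)
                    $names += if ($p.DisableKerberos) { 'Windows:NTLM' } else { 'Windows:Negotiate' }
                    $windowsZones += $zone
                } else {
                    $names += $p.DisplayName      # e.g. the FBA membership provider
                }
            }
        } else {
            # classic mode: a single authentication mode per zone
            $mode = $wa.IisSettings[$zone].AuthenticationMode
            $names += "Classic:$mode"
            if ($mode -eq 'Windows') { $windowsZones += $zone }
        }
        Write-Host ("   {0,-10} {1}  url={2}" -f $zone, ($names -join ' + '), $wa.GetResponseUri($zone))
    }

    if ($windowsZones.Count -eq 0) {
        Write-Warning ("{0}: no zone offers Windows authentication; the crawler cannot access it." -f $wa.DisplayName)
    } elseif ($windowsZones -notcontains 'Default') {
        Write-Warning ("{0}: Default zone has no Windows authentication; crawling {1} makes result URLs relative to that zone." -f `
            $wa.DisplayName, ($windowsZones -join '/'))
    }
}
```

Run it on the SharePoint 2010 farm that is being crawled, not on the 2013 search farm: the provider list that matters is the one the crawler will hit.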