Step 10: Configure a SharePoint document library for stronger authentication

Applies To: Active Directory Federation Services (AD FS) 2.0

In this step, we create a new SharePoint site that contains confidential information and require that users who access it authenticate with a smart card. To simulate smart-card authentication, we use a software-based X.509 certificate whose private key is protected by a PIN (1@234abcd). To implement this, we integrate a sample claims authorization library, built with Windows Identity Foundation, that handles requests for strong credentials. The library is built from the sample at https://go.microsoft.com/fwlink/?LinkId=179918.

To create a new SharePoint site

  1. Log on to CONTOSOSRV02 with domain administrator credentials.

  2. Browse to https://docs.contoso.com and authenticate as CONTOSO\Administrator with password “demo!23”.

  3. Click the Site Actions tab.

  4. Click the Create Site link.

  5. For site settings, enter the following values and leave the rest of the settings at their defaults:

    Title

    Confidential

    Description

    Contains confidential documents

    URL Name

    confidential

    Select a template

    Document Workspace

  6. Click the Create button.

  7. After creating the new site, close the browser.

Now we integrate the sample claims authorization library, located in C:\StepUpAuthentication, with SharePoint.

Note

If you are using the pre-created VMs, a sample DLL has already been built and placed in that folder.

  1. Open a Command Prompt window. On the Start menu, click Run, type cmd, and then click OK.

  2. At the command prompt, type cd "c:\Program Files\Microsoft.NET\SDK\v2.0 64bit\bin" and press ENTER.

  3. Type gacutil.exe /i c:\StepUpAuthentication\ClaimsAuthorization.dll /f and press ENTER. This installs the assembly into the GAC (/f forces the install even if an assembly with the same version is already present).

  4. Now we need to edit the web.config of docs.contoso.com SharePoint site. Type cd c:\inetpub\wwwroot\wss\VirtualDirectories\docs.contoso.com443 and press ENTER.

  5. Type notepad.exe web.config.

  6. Locate the <assemblies> element (under <configuration>/<system.web>/<compilation>). Add the following line:

    <add assembly="ClaimsAuthorization, Version=1.0.0.0, Culture=neutral, PublicKeyToken=400a0b56d39a55eb"/>

    The PublicKeyToken must match the key the DLL was actually signed with. If you rebuilt the sample with your own key pair, display the token with sn.exe -T c:\StepUpAuthentication\ClaimsAuthorization.dll (sn.exe is in the same SDK bin directory) and use that value here and in step 7.
    
  7. Locate the <httpModules> element (under <configuration>/<system.web>). Add the following two lines, in this order, after all existing <add> elements (immediately before the </httpModules> end tag). Both modules must run after the WIF federation and session modules that build the claims principal, which is why they go last, and ClaimsAuthorizationModule must be registered before StepUpAuthenticationModule.

    <add name="ClaimsAuthorizationModule" type="Microsoft.IdentityModel.Web.ClaimsAuthorizationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

    <add name="StepUpAuthenticationModule" type="ClaimsAuthorization.StepUpAuthenticationModule, ClaimsAuthorization, Version=1.0.0.0, Culture=neutral, PublicKeyToken=400a0b56d39a55eb"/>

    Now we author the policy that grants access to the Confidential site only to users who have authenticated with the X.509 certificate.

  8. In Notepad, locate the <service> element under <configuration>/<microsoft.identityModel>. Add the following lines immediately after the opening <service> tag.

    <claimsAuthorizationManager type="ClaimsAuthorization.CustomClaimsAuthorizationManager">
       <strongAuthenticationTypes>
          <authenticationType type="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"/>
          <authenticationType type="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient"/>
       </strongAuthenticationTypes>
       <authorization>
          <policy path="/confidential" >
             <allow claimType="*" strongAuthentication="true"/>
          </policy>
          <policy path="/" >
             <allow claimType="*"/>
          </policy>
       </authorization>
    </claimsAuthorizationManager>

    The <authenticationType> values are compared as strings against the authentication method claim that AD FS issues, so they must match that value exactly; AD FS 2.0 issues the Microsoft URI with the http scheme shown above. Note also that the root policy (path="/") accepts any authenticated user, so every additional path that holds confidential content needs its own <policy> entry with strongAuthentication="true"; otherwise password-only sign-in is enough to reach it.
  9. Save the changes to web.config. In the menu of Notepad, click File, then click Save. Close Notepad.
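The following PowerShell script is an added example, not part of the original walkthrough or of the sample library; it automates steps 1 through 9 above so the edits are repeatable and reviewable, rather than made by hand in Notepad. It assumes the lab paths used in this guide (the SDK bin directory, C:\StepUpAuthentication\ClaimsAuthorization.dll and the docs.contoso.com443 virtual directory), reads the assembly's real strong name instead of trusting a hard-coded PublicKeyToken, backs up web.config, adds each element only if it is not already present, and checks the resulting module order.

```powershell
# Added example: automate the GAC install and web.config edits for the step-up
# authentication sample. Paths below are this walkthrough's lab defaults (assumptions).
$ErrorActionPreference = 'Stop'
$sdkBin    = 'C:\Program Files\Microsoft.NET\SDK\v2.0 64bit\bin'
$assembly  = 'C:\StepUpAuthentication\ClaimsAuthorization.dll'
$webConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\docs.contoso.com443\web.config'

# 1. Install the assembly into the GAC (/f forces the install over an existing copy).
& (Join-Path $sdkBin 'gacutil.exe') /i $assembly /f
if ($LASTEXITCODE -ne 0) { throw "gacutil.exe failed with exit code $LASTEXITCODE" }

# 2. Take the strong name from the DLL itself so the PublicKeyToken is the one it
#    was actually signed with (it differs if you rebuilt the sample with your own key).
$strongName = [System.Reflection.AssemblyName]::GetAssemblyName($assembly).FullName
# e.g. "ClaimsAuthorization, Version=1.0.0.0, Culture=neutral, PublicKeyToken=400a0b56d39a55eb"

# 3. Back up web.config before changing it.
Copy-Item -Path $webConfig -Destination ("{0}.{1}.bak" -f $webConfig, (Get-Date -Format 'yyyyMMddHHmmss'))
[xml]$cfg = Get-Content -Path $webConfig -Raw

function Add-ConfigElement {
    # Append a child element with the given attributes to $Parent.
    param([System.Xml.XmlNode]$Parent, [string]$Name, [hashtable]$Attributes)
    $el = $cfg.CreateElement($Name)
    foreach ($k in $Attributes.Keys) { $el.SetAttribute($k, $Attributes[$k]) }
    [void]$Parent.AppendChild($el)
}

# 4. <compilation><assemblies>: register the assembly once.
$assemblies = $cfg.SelectSingleNode('/configuration/system.web/compilation/assemblies')
if (-not $assemblies.SelectSingleNode("add[starts-with(@assembly,'ClaimsAuthorization,')]")) {
    Add-ConfigElement $assemblies 'add' @{ assembly = $strongName }
}

# 5. <httpModules>: both modules go after the existing WIF modules, and
#    ClaimsAuthorizationModule must precede StepUpAuthenticationModule.
$modules = $cfg.SelectSingleNode('/configuration/system.web/httpModules')
$wanted = @(
    @{ name = 'ClaimsAuthorizationModule'
       type = 'Microsoft.IdentityModel.Web.ClaimsAuthorizationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' },
    @{ name = 'StepUpAuthenticationModule'
       type = "ClaimsAuthorization.StepUpAuthenticationModule, $strongName" }
)
foreach ($m in $wanted) {
    if (-not $modules.SelectSingleNode("add[@name='$($m.name)']")) {
        Add-ConfigElement $modules 'add' $m
    }
}

# 6. <microsoft.identityModel><service>: the step-up policy goes first in <service>.
#    Refuse to silently coexist with a different claimsAuthorizationManager.
$service  = $cfg.SelectSingleNode('/configuration/microsoft.identityModel/service')
$existing = $service.SelectSingleNode('claimsAuthorizationManager')
if ($existing -and $existing.GetAttribute('type') -ne 'ClaimsAuthorization.CustomClaimsAuthorizationManager') {
    throw "web.config already has <claimsAuthorizationManager type='$($existing.GetAttribute('type'))'>; remove it first."
}
if (-not $existing) {
    $policyXml = @'
<claimsAuthorizationManager type="ClaimsAuthorization.CustomClaimsAuthorizationManager">
  <strongAuthenticationTypes>
    <authenticationType type="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"/>
    <authenticationType type="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/tlsclient"/>
  </strongAuthenticationTypes>
  <authorization>
    <policy path="/confidential">
      <allow claimType="*" strongAuthentication="true"/>
    </policy>
    <policy path="/">
      <allow claimType="*"/>
    </policy>
  </authorization>
</claimsAuthorizationManager>
'@
    $fragment = $cfg.CreateDocumentFragment()
    $fragment.InnerXml = $policyXml
    [void]$service.PrependChild($fragment)
}

$cfg.Save($webConfig)   # saving web.config recycles the SharePoint application domain

# 7. Read the file back and verify the module order before trusting it.
[xml]$check = Get-Content -Path $webConfig -Raw
$names = @($check.SelectNodes('/configuration/system.web/httpModules/add') | ForEach-Object { $_.GetAttribute('name') })
$claimsIdx = [array]::IndexOf($names, 'ClaimsAuthorizationModule')
$stepUpIdx = [array]::IndexOf($names, 'StepUpAuthenticationModule')
if ($claimsIdx -lt 0 -or $stepUpIdx -lt 0 -or $claimsIdx -gt $stepUpIdx) {
    throw "httpModules order is wrong: $($names -join ', ')"
}
Write-Host "Step-up authentication configured; module order: $($names -join ', ')"
```

Run it from an elevated PowerShell prompt on CONTOSOSRV02. The script refuses to overwrite an unrelated claimsAuthorizationManager rather than merging two policies, because a second authorization manager silently replacing the first is exactly the kind of change that turns a "smart card required" site into a password-only one.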

To use the stronger authentication type to access the SharePoint site

  1. Log on to the FabrikamSrv02 computer as FABRIKAM\frankm with "demo!23" as the user's password.

  2. Browse to https://docs.contoso.com.

  3. Select Fabrikam from the drop-down list at the Contoso sign-in page and click the Continue to Sign In button.

  4. At the Fabrikam sign in page, type the user name as fabrikam\frankm and the password as demo!23, and then click Sign In.

  5. Once signed in to the site, click the Confidential link to open the Confidential site.

  6. Because the Confidential site requires smart-card authentication, the PIN prompt for the certificate's private key appears. Select the Grant permission option and type 1@234abcd as the certificate's PIN.

  7. You are now authenticated with the certificate (the simulated smart card) and have access to the Confidential site. Note that the root site was reachable with the password alone; only the /confidential path triggered the step-up.