.NET Tutorials, Forums, Interview Questions And Answers

Claims won't take Kerberos

Posted Date: September 03, 2010    Points: 0    Category: SharePoint

So, we want to use Claims authentication and Kerberos when creating web applications in SharePoint 2010. Now this is easy to set up in central admin, but we struggle doing it using PowerShell:

    New-SPWebApplication -Name Testing123 -ApplicationPool SharePointApplicationAppPool -AuthenticationProvider (New-SPAuthenticationProvider) -AuthenticationMethod Kerberos

results in CLAIMS using NTLM. It seems like -AuthenticationProvider (New-SPAuthenticationProvider) is forcing NTLM, and -AuthenticationMethod Kerberos is not taken into consideration. And the New-SPAuthenticationProvider does not have an -AuthenticationMethod parameter, so how can we get Claims with Kerberos? Any tips appreciated!


More Related Resource Links

Claims-Based Apps: Claims-Based Authorization with WIF


Over the past few years, federated security models and claims-based access control have become increasingly popular. Platform tools in this area have also come a long way. Windows Identity Foundation (WIF) is a rich identity model framework designed for building claims-based applications and services and for supporting active and passive federated security scenarios.

Michele Leroux Bustamante

MSDN Magazine November 2009

Geneva Framework: A Better Approach For Building Claims-Based WCF Services


Here we introduce Microsoft Code Name "Geneva," the new framework for building claims-based applications and services, and federated security scenarios.

Michele Leroux Bustamante

MSDN Magazine December 2008

Security Briefs: Exploring Claims-Based Identity


Keith Brown introduces you to the new identity model in the Microsoft .NET Framework 3.0.

Keith Brown

MSDN Magazine September 2007

Security Briefs: Exploring S4U Kerberos Extensions in Windows Server 2003


Building Web sites that provide services external to the corporate firewall is tricky. Usually it's not desirable to grant corporate domain accounts to external clients, and from a purely practical standpoint Kerberos does not work well over the Internet due to the typical configuration of client-side firewalls.

Keith Brown

MSDN Magazine April 2003

Kerberos between MOSS 2007 and SSAS 2005


I realize this is probably going to be one of those vague questions that I am not going to get much help on here, but I thought I'd give this a shot before we go the MS Incident route on Monday.

We have tried to set up Kerberos between MOSS 2007 and SSAS 2005 to no avail.  We have been through the knowledge base articles outlining the setup multiple times with all the experts on MOSS and Security here where I work.  We've used other materials we have on Kerberos here.  But the end result is that the double hop is not happening.  We are trying to connect three ways: Excel Services, SSRS 2005 in integrated mode, and SharePoint KPI's (using Analysis Services).  In every case the connection is not happening.

Other details are that the SSRS integrated mode seems to be set up right because I do get a report (albeit all it has is a connection error message).  Excel Services works fine if I use the unattended service account, but when I switch the odc file to windows (should cause Kerberos to kick in) it fails.  When I try to add a kpi to the kpi list it can't retrieve a list of kpi's from SSAS.

In all cases I am the user trying to perform these operations, and I have total access to the cube -- I'm the developer.  I have no problems connecting to the cube directly through excel, so the security at that end passes t

Walkthrough: Writing a Claims Provider in SharePoint 2010

By using claims authentication, you can assign rights based on claims without knowing who a user is, or how they are authenticated. You have to know only the attributes of the user.

Sample: SharePoint 2010 Claims Provider

Download a code sample that shows how to write a claims provider in SharePoint 2010 to augment claims and provide name resolution.

Video: Introduction to Claims-based Security in SharePoint 2010

Learn how claims-based identity provides a common way for applications to acquire identity information from users inside their organization, in other organizations, and on the Internet. (Length: 23:46)

Trying to Configure Kerberos

Hello, I'm trying to configure Kerberos on a test environment. I have a Win2003 DC, a Win08 SQL 2008 machine, and a Win2003 client machine to test connectivity, with SSMS and ProClarity. Currently I have added the SPNs for MSSQLSVC and MSOLAP, and I'm trying to test connection using SSMS.

From the client machine, I tried connecting to each server (DB Engine and OLAP), and checked the security log on the SQL machine to see the authentication method being used. The DB Engine connection seems to be working fine, having Kerberos all the time, yet every time I connect to OLAP, I have two event entries, first one with NTLM, and then one with Kerberos. What does that mean? Is Kerberos not properly configured, or is that normal behavior with SSAS?

The Detailed Authentication Information for the events with NTLM, and the event with Kerberos are as follows:

    Logon Process: NTLMsp
    Authentication Package: NTLM
    Transited service: -
    Package Name (NTLM only): NTLM V1
    Key Length: 128
    --------------------------------------------
    Detailed Authentication Information
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Transited service: -
    Package Name (NTLM only): -
    Key Length: 0
    --------------------------------------------

The SPNs added on the DC machine for the user used as service account for SSAS are as follows:

    MSOLAPSVC.4/BISQL08
    MSOLAPSVC.4/BISQL08.BIDC.com

Thanks,

Kerberos issue with SQL Reporting Services 2005 on Server 2003 R2

Hi Guys,

apologies if this is the incorrect forum, so moderators, feel free to move it to SQL/IIS/SharePoint as appropriate... [Windows Server Security moderator pushed me this direction]

I have a test environment that I'm trying to get SQL Reporting Services 2005 SP3 working in integrated mode with SharePoint 2007 SP2.

The environment is all in VMWare, running Server 2003 R2 x86 and is laid out like this:

SERVER A:
AD/DNS/DHCP

SERVER B:
SQL 2005 SP3 CU8

SERVER C:
SharePoint 2007 SP2 Dec 09 CU
- Central admin on port 9000
- SSP on port 9001
- MySite on port 81
- Main Content on port 80
SQL Reporting Services 2005 SP3 CU8
- Reporting Service website on port 82

SERVER D:
SharePoint 2007 SP2 Dec 09 CU
- Central admin on port 9000
- SSP on port 9001
- MySite on port 81
- Main Content on port 80
SQL Reporting Services 2005 SP3 CU8
- Reporting Service website on port 82

Through the use of DNS and (SharePoint) Alternate Access Names, SERVER D is used to deliver the Main Content in SharePoint and the Reporting Service website.  SERVER C is used to deliver the Central Admin, SSP and MySite.

I've set up SPN's for the SharePoint App Pools, using the following:

[main content]
    setspn -S HTTP/SERVERA DOMAIN\AppPoolUserA
    setspn -S HTTP/SERVERA.FQDN DOMAIN\AppPoolUserA
    setspn -S HTTP/SERVERB DOMAIN\AppPoolUserA
    setspn -S HTTP/SERVERB.FQDN DOMAIN\AppPoolUserA
[repor

Table-Layout attribute and MSDN claims re capabilities

I am developing a CompositeDataBoundControl that is basically a 'table' inside a 'div', in order to limit the size of the Control and use the scrolling capabilities of the 'div' tag ('RenderBeginTag("div"). So essentially the control is;

    <div style="overflow:auto;width:400px;height:300px;">
    <table style="table-layout:fixed;">

My problem/question has to do with the capabilities claimed by MSDN of the CSS Attribute 'Table-Layout'. See; http://msdn.microsoft.com/en-us/library/ms531161(v=VS.85).aspx

One of the essential goals of my Control is to limit the width and height of 'Cells' (<td>'s) in the table and let the content be clipped.  MSDN says one can do this by setting the 'width' property of each Cell in the first row of the table. I have no problem with this and it works just fine.

My problem is that MSDN also claims that one can set the height property of each row and that any wrapping of text is 'clipped' and the row height is maintained. See Remarks section; "If the row height is specified, wrapped text is clipped when it exceeds the set height".  I can't make this happen. Any time whitespace occurs in the cell content, and the content exceeds the cell width, the content is wrapped to a new line and the row/cell height is adjusted automatically to fit all the content. In other words it appears that MSD

Claims Tips: Learning About Claims-Based Authentication in SharePoint 2010

Use these five tips for guidance in solving problems related to using and configuring claims.

Claims Walkthrough: Creating Trusted Login Providers (SAML Sign-in) for SharePoint 2010

Learn how to create a custom security token service (STS) and set up a trust relationship between a SharePoint 2010 farm and the custom STS.

Sample: SharePoint Claims-Based Authentication

Explore the code as you learn how to create a custom security token service (STS) and set up a trust relationship between a SharePoint 2010 farm and the custom STS.

automatic logon using claims based FBA??

I have been using an IHttpModule that performs automatic logon on a forms based authentication using a custom membership provider. This has worked well using any .net asp.net application including SharePoint 2007. The IHttpModule listens for the AuthorizeRequest event of the application and if the user isn't logged in it uses the FormsAuthentication.SetAuthCookie(principal.Identity.Name, persistentCookie); to perform the "login".

When I tried this on SharePoint 2010 using a claims based FBA, adding my custom membership provider as documented, I ran into some problems. First, the identity name that needed to be set in the SetAuthCookie was not the normal username, it seemed to be on a syntax like 0#.f|membershipProviderName|UserName. If I used this instead (replacing membershipProviderName and UserName with the actual ones), the login seemed to work (it felt like a hack though and perhaps there is some better way to do this?)

After a bit of testing the site most things seemed to work (a plain SharePoint 2010 site), but when I clicked on a list link (like calendar, events or announcements) I was given a server error as below.

Has anyone any ideas?

/Dan

Server Error in '/' Application. <nativehr>0x8107058a</nativehr><nativestack></nativestack>Operation is not valid due to the current state of the object. Description: An unhandle

Can not init SPSite for claims based authenticated site

Hi, trying to write a simple console application I was not able to init a claims based authenticated site with API nor with the Managed Client OM. Opening a site with only windows authentication is working. Running on a Windows Server 2008 R2 and SP 2010 server and logged in as the built-in Administrator account. Administrator is Site Collection Admin.

    static void Main(string[] args)
    {
        ClientContext context = new ClientContext("http://mypc:300");
        Web web = context.Web;
        context.Load(web);
        context.ExecuteQuery();
        ...
    }

throws "The remote server returned an error: (403) Forbidden.". Setting credentials for the context is also not working.

Or same problem with

    static void Main(string[] args)
    {
        using (SPSite spSite = new SPSite("http://mypc:300"))
        {
            ...

throwing FileNotFound-Error. Any idea?

Greetings
Peter