Making Claims based authentication work with multi-tenant environment in SP 2010

Posted Date: October 07, 2010    Category: SharePoint

Does anybody know of a guide or reference for setting up hosting in a multi-tenant environment where authentication happens in claims-based mode?

We have a setup where our clients are hosted on a single web application under different site collections. We use forms authentication, where a user of a particular site collection is authenticated using the respective database. We now want to use claims-based authentication and the out-of-the-box multi-tenancy of SP 2010. We can set up site collections and site groups, but how do we implement claims-based authentication in an env like this?


More Related Resource Links

Claims Tips: Learning About Claims-Based Authentication in SharePoint 2010

Use these five tips for guidance in solving problems related to using and configuring claims.

AutoLogin for authenticated user via LiveID in Sharepoint 2010 (Claims Based Authentication)

Hi, I'm working on integrating LiveID authentication in my SharePoint site. Live ID gives back a token of the user, with which I created a dummy profile using MembershipProvider.CreateUser. Now I have to auto-login the user with the profile I created; I mean I have to force login to my SharePoint site using the created dummy user details without asking the user to give a username and password. Any suggestion will be a great help for me to proceed. Thanks, Saravanan Michael

Configuring SharePoint Foundation 2010 with ADFS 2.0 in a multi-tenant environment using subscripti

Hi, I am trying to configure SharePoint Foundation 2010 and ADFS 2.0 in a multi-tenant environment, where I have one Web Application and two site collections, each one under one subscription. At this point it is still a very simple infrastructure with one single Domain, AD and ADFS. My problem starts with the configuration of ADFS 2.0 as Identity Provider in SharePoint. Since I have only one web application, the directory for the incoming token, "_trust", is placed at the root level of the application. Is there a way to change the location where this directory is created, so I can have a distinct one for each one of my site collections? Or in other words, is there a way to have one identity provider per site collection? Thank you in advance for any information on this. --MD.

SharePoint 2010 Claims Based Authentication - anonymous site is prompting for CBA auth when opening

Hi, I have CBA setup successfully on my sites.  One site is setup for anonymous access and I have disabled "client integration" on that web application. I have a list of MS Office documents on a wiki.  When I click on one I am asked to either save or open or cancel.  Saving works fine but when I choose open, it launches the associated MS Office app.  I am then prompted for a login from CBA.  I can click cancel and the logon screen appears again.  After clicking cancel the 2nd time the document appears in the MS Office app, Word in this case. My question is how do I prevent my users from being prompted for a CBA login when clicking on these files and opening them in the native app on their machine?      --TR

Claims Walkthrough: Creating Forms-Based Authentication for Claims-Based SharePoint 2010 Web Applicat

Learn how to create forms-based authentication for claims-based web applications by using a custom membership and role provider.

InfoPath 2010 does not work in claims authentication mode on SharePoint 2010


Hi everyone,

I created an InfoPath 2010 form published on a claims-based authentication site collection. This form has an external data source plugged into the _vti_bin/UserProfileService.asmx web service (within the same site collection). This data source is queried when the form opens. When I check this form with the InfoPath designer preview, everything works fine.

But once this form is published, an error "Error while trying to contact Web Service" occurs when opening a new form.

Here is an extract of the logs:

The following query failed: GetUserProfileByName (User: DOMAIN\username, Form Name: library, IP: , Connection Target: , Request: http://server/_layouts/FormServer.aspx?xsnLocation=http://server/library/forms/template.xsn?DefaultItemOpen=1&Source=http://server/page.aspx, Form ID: urn:schemas-microsoft-com:office:infopath:library:-myXSD-2010-01-12T23-08-28 Type: DataAdapterException, Exception Message: The remote server returned an error: (500) Internal Server Error.
Server was unable to process request. ---> Attempted to perform an unauthorized operation.
The remote server returned an error: (500) Internal Server Error.)

Here is an extract of my IIS log:

2010-11-25 13:45:30 fe80::b9ab:23d9:ff9e:bb23%11 POST /_vti_bin/userprofileservice.asmx - 50

Claims Tips 3: Learning About Claims-Based Authentication in SharePoint 2010

Learn five tips that are related to claims-based authentication in SharePoint 2010, including information about packaging, retrieving REST data, adding policy, managing trusted root authorities, and resolving logon page issues.

Video: Introduction to Claims-based Security in SharePoint 2010

Learn how claims-based identity provides a common way for applications to acquire identity information from users inside their organization, in other organizations, and on the Internet. (Length: 23:46)

Sample: SharePoint Claims-Based Authentication

Explore the code as you learn how to create a custom security token service (STS) and set up a trust relationship between a SharePoint 2010 farm and the custom STS.

SQL Server and MapPoint: Making MapPoint 2010 and SQL Server Spatial Work Together

While SQL Server is a good repository for geospatial data, it doesn't communicate with MapPoint as well as it could. So our geo-data experts show you how to read point and polygon objects from SQL Server and render them in MapPoint and how to write points and polygons back to SQL Server using Entity Framework 4.0 included with Visual Studio 2010.
Eric Frost, Richard Marsden
MSDN Magazine, September 2010

How well does SharePoint REALLY work and play with an RODC-based AD environment?

We are running into a host of interesting little problems getting SharePoint Foundation 2010 to work and play well in a DMZ where its only access to Active Directory is through a read-only domain controller (RODC).  Our SharePoint server is on the DMZ, along with an RODC, while our database server is on our internal network, along with our main AD domain controllers. The SharePoint Configuration Wizard simply WOULD NOT complete successfully until we set up a temporary firewall rule that granted the SharePoint full access to AD.  At that point, we could successfully run the SharePoint and SharePoint Farm configuration wizards, and create a site collection, identifying two domain users as site collection admins.  After we turned off the firewall rule, once again restricting the server to AD access via the RODC, we could create and access SharePoint sites just fine, so long as the users involved were the two identified as site collection administrators. However, when I tried to create a new SharePoint site group and identify a third domain user as the group owner, or add a new user to one of the existing SP site groups, or even just grant site-level permissions directly to a domain user (other than the two site collection admins), the user name would not resolve.  I suspect that the site admins resolve okay because SharePoint already has them cached in it

Sharepoint 2010 Multi-Tenancy Access Denied on Tenant Administration Site

Hi, I am currently implementing a SharePoint 2010 Multi-Tenancy solution. Multi-tenancy is the partitioning of service applications in 2010 to allow data to be separated between web applications or site collections. I am using multi-tenancy to separate data and user profiles between site collections hosted on a single web application. I have partitioned the User Profile Service Application and Proxy using Windows PowerShell. The partitioned Proxy Application is then associated with the single web application. I am also using the SharePoint Foundation Subscription Service Application to subscribe to different site collections within the web application. In this way data and user profiles can be separated. However, the tenant administration site, used to manage each collection, does not allow administrator access to manage the User Profile Service. I receive a standard SharePoint 'Access Denied' error message. No other errors or details are provided. I have tried assigning different accounts to the tenant administration site but the error still appears. The issue arises when I issue the following SPSite PowerShell cmdlet: NEW-SPSite -Owneralias DOMAIN\Username -Secondaryowneralias DOMAIN\Username. The attributes provided in the cmdlet above are used to assign tenant site administrators; however, the accounts cannot access the User Profile Service. Any ideas or recommendati

Should I use claims based authentication?

I'm about to set up a web application to host a public-facing website. Internal staff will authenticate to the site via Active Directory and we may have a need to allow external users to access "authenticated" parts of the site. To authenticate them we plan to use Windows Live ID. With that in mind: Is it better to set the web application up to use claims-based authentication from the start rather than having to change it later? Is there anything available as of yet to set up SharePoint 2010 to authenticate against Windows Live ID using claims-based authentication?

Migrate from Classic to Claims based authentication

So this is really an outside-the-normal question and I am hoping someone has some thoughts. I am going to be upgrading a MOSS 2007 farm to MSS2010. I have to move hardware so I will be using the content database attach method for upgrade. The site is currently extended to a second IIS Application to support both Windows and Forms based authentication. Since this is an intranet, unique security is used at the site level (and occasionally at the doc lib level). I want to take advantage of Claims Based Authentication (and use one URL, plus other benefits). I am well aware that the claims based token is not the same as the Windows token even though the NTLM user is really the same. Thus that is what presents the issue. I need to "migrate" all of my current NTLM-Classic users to claims based. My first thought is to read the users added to each site (actually role assignments), find all users that have the domain name at the beginning of the member name and add a new user (appending the i:0#.w| to the beginning of the loginname) to the site. This works beautifully and is successful. The problem arises in that the role assignments contain SharePoint groups (which we don't use much) and AD groups. The SharePoint groups are ok (yes, I have to migrate the users in them too, but no problem). The AD groups are added via SID when it is claims based. This presents the probl

How do I use PowerShell to configure Web.Config for forms-based authentication for a Claims Based we

This TechNet article does a great job describing how to Configure forms-based authentication for a claims-based Web application using PowerShell. However, it glosses over editing the web.config file by just saying "Find the <Configuration> <system.web> section and add the following entry:" Is it possible to edit the web.config file using PowerShell using the IIS PowerShell snapin or can I just edit the web.config file as an xml document? This succeeds in adding the element, but only with the name and type. It does not add the connectionStringName or the applicationName:

import-module webadministration
Add-WebConfiguration /system.web/membership/providers "IIS:\sites\[site name]" -value @{name="FBAMembershipProvider";`
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=, Culture= neutral, PublicKeyToken= b03f5f7f11d50a3a";`
connectionStringName="FBAconn";`
applicationName="/"}

Does anyone have any suggestions on a direction to go to add the membership providers and role providers in the web.config using PowerShell? This is very frustrating because I can do it manually, I can do it through the UI in IIS Manager, I can do it using appcmd, but no matter what I do, I can't get it to work using PowerShell.

SharePoint 2010 Claims Based Authentication site working but search is broken

Hi, I have SP 2010 successfully installed on a Windows 2008 R2 server with SQL Server 2008 R2. I created local machine accounts for the following: MACHINE\mssqlservice MACHINE\sp_admin MACHINE\sp_search MACHINE\sp_farms I have set up 2 sites with public facing internet access as well as local sites. I have CBA working properly on both sites from both public and private access. My problem is that when I go to search, I am constantly redirected to an error page. I have checked all SP services on the server and they are all running as MACHINE\mssqlservice. That account has proper access to all sites as well as all DBs. My search is crawling and I get one error from a long named PDF file in my site, which is OK. My question is, if my CBA is working fine and my search is crawling, why am I not getting a results page when I search from the sites? Here is the error I get: Error Internal server error exception: Troubleshoot issues with Microsoft SharePoint Foundation. Correlation ID: 5a03b730-42c2-48c9-a220-3b9d052481de Date and Time: 9/9/2010 4:45:07 PM I am kind of stuck at this point and am not sure how to proceed. Any help would be appreciated. --TR

Regarding Claims Based Authentication in sharepoint2010

Hey, I have a web application which is in classic mode. Now I want to extend the same application as claims mode? Can you please suggest me a proper process. Thanks in advance! Share Knowledge and Spread Love!