Monday, June 3, 2013

Converting a SharePoint 2010 NTLM Web Application to Claims--Soup to Nuts

  1. If you haven't already done so, apply an SSL certificate to the SharePoint site(s) that will be configured for Claims Based Authentication.  You can use a Self-Signed Certificate such as one that might be generated by SelfSSL7 or apply one from a Certificate Authority.
  2. Run the PowerShell script below to convert the application from NTLM to Claims Based Authentication; the function takes the URL of the web application to convert.
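     function Convert-NTLMToClaimsAuth
     {
          <#
          .SYNOPSIS
          Switches a SharePoint 2010 web application from classic (NTLM/Windows) authentication
          to claims-based authentication.
          .PARAMETER webAppUrl
          URL of the web application to convert (handed to Get-SPWebApplication).
          .OUTPUTS
          None. Throws if webAppUrl is empty or no web application matches it.
          .NOTES
          Only the UseClaimsAuthentication flag is flipped and saved here; existing user
          entries are not touched. In SharePoint 2010 the conversion is normally followed by
          migrating the existing accounts to claims identities (SPWebApplication.MigrateUsers)
          -- confirm that step for your environment before relying on the converted site.
          #>
          param([string]$webAppUrl)
          if ([string]::IsNullOrEmpty($webAppUrl)) { throw "webAppUrl must be supplied" }
          # Stop on a bad URL here instead of letting a null object fall through to the
          # property assignment below, which would fail with a far less useful error.
          $ConvertApp = Get-SPWebApplication $webAppUrl -ErrorAction Stop
          if ($null -eq $ConvertApp) { throw "No web application found for '$webAppUrl'" }
          $ConvertApp.UseClaimsAuthentication = $true
          $ConvertApp.Update()
     }#function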
    
  3. Run the PowerShell script to configure the TrustedIdentityTokenIssuer and specify the Claim Mappings
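     function Import-TokenSigningCert
     {
          <#
          .SYNOPSIS
          Loads the ADFS token-signing certificate from a .cer file and registers it as a
          SharePoint trusted root authority.
          .PARAMETER certFilePath
          Path to the exported (public key only) token-signing certificate.
          .PARAMETER expectedThumbprint
          Optional. When supplied, the loaded certificate's thumbprint must match it
          (string comparison, case-insensitive) or the function throws before anything is
          registered. Obtain the value from the ADFS administrator out of band: this
          certificate is the trust anchor for every SAML token the web application will accept.
          .OUTPUTS
          System.Security.Cryptography.X509Certificates.X509Certificate2 -- the loaded
          certificate and nothing else.
          #>
          param([string]$certFilePath, [string]$expectedThumbprint = "")
          if (-not (Test-Path -LiteralPath $certFilePath)) { throw "Certificate file not found: $certFilePath" }
          #Import the Token Signing Certificate
          $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFilePath)
          if ($expectedThumbprint -ne "" -and $cert.Thumbprint -ne $expectedThumbprint) {
               throw ("Token signing certificate thumbprint {0} does not match expected {1}" -f $cert.Thumbprint, $expectedThumbprint)
          }
          # Discard the cmdlet's output: anything left on the pipeline becomes part of this
          # function's return value, and callers cast the result straight to X509Certificate2.
          $null = New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
          return $cert
     }#function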
     function Add-ClaimTypeMapping
     {
          <#
          .SYNOPSIS
          Creates a SharePoint claim type mapping that passes the incoming claim through
          with the same type.
          .PARAMETER claimType
          Claim type URI as issued by the identity provider.
          .PARAMETER claimDisplayName
          Display name SharePoint shows for the claim.
          .OUTPUTS
          The mapping object produced by New-SPClaimTypeMapping.
          #>
          param ([string]$claimType, [string]$claimDisplayName)
          # -SameAsIncoming: the outgoing claim type is the incoming one, unmodified.
          New-SPClaimTypeMapping -IncomingClaimType $claimType `
               -IncomingClaimTypeDisplayName $claimDisplayName `
               -SameAsIncoming
     }#function
     function Add-TrustedIdP  
     {  
          <#
          .SYNOPSIS
          Placeholder wrapper for New-SPTrustedIdentityTokenIssuer. NOTE(review): this function is
          inert -- every statement in its body, including the issuer creation it was written to
          wrap, is commented out, so calling it creates no issuer and returns nothing. The issuer
          is created by the direct New-SPTrustedIdentityTokenIssuer call at script level instead.
          .PARAMETER IdPName
          Unused. Intended name of the issuer.
          .PARAMETER IdPDescription
          Unused. Intended description of the issuer.
          .PARAMETER realm
          Unused. Intended relying-party realm.
          .PARAMETER trustedCert
          Unused. Declared as [string], although the commented-out call would need a certificate
          object for -ImportTrustCertificate -- presumably a leftover, verify before reviving.
          .PARAMETER claimMappings
          Unused. Intended array of claim type mappings.
          .PARAMETER signInUrl
          Unused. Intended ADFS sign-in endpoint.
          .PARAMETER identifyingClaim
          Unused. Intended claim type used as the user identifier.
          .OUTPUTS
          None.
          #>
          param([string]$IdPName, [string]$IdPDescription, [string]$realm, [string]$trustedCert, [array]$claimMappings,  
          [string]$signInUrl, [string]$identifyingClaim)  
     #     Write-Host $claimMappings.Count  
     #     [string]$claimString = ""  
     #       
     #     for ($i=0; $i -lt $claimMappings.Count; $i++)  
     #     {  
     #          $claimString = [System.String]::Format("{0},", $claimMappings[$i])  
     #          Write-Host $claimString  
     #     }#for  
          #$ap = New-SPTrustedIdentityTokenIssuer -Name $IdPName -Description $IdPDescription -Realm $realm -ImportTrustCertificate $trustedCert -ClaimsMappings $claimMappings -SignInUrl $signInUrl -IdentifierClaim $identifyingClaim  
     }#function  
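     function Add-CustomClaimsProvider
     {
          <#
          .SYNOPSIS
          Binds a custom claims provider to an existing trusted identity token issuer.
          .PARAMETER spSolutionPath
          Path of the claims-provider .wsp. Currently unused: the solution add/install
          steps are commented out below and must be done beforehand.
          .PARAMETER spSolutionName
          Name of the solution package. Currently unused (see spSolutionPath).
          .PARAMETER trustedIdPName
          Name of the SPTrustedIdentityTokenIssuer to update.
          .PARAMETER claimProviderName
          Internal name of the claims provider to associate with the issuer.
          .OUTPUTS
          None. Throws if the issuer cannot be found.
          #>
          param([string]$spSolutionPath, [string]$spSolutionName, [string]$trustedIdPName, [string]$claimProviderName)
          #Remove-SPSolution -Identity $spSolutionName
     #     Add-SPSolution -LiteralPath $spSolutionPath
     #     Install-SPSolution -Identity $spSolutionName -GACDeployment
          #Update-SPSolution -LiteralPath $spSolutionPath
          # Fail on a wrong issuer name here rather than on a null $trust two lines later.
          $trust = Get-SPTrustedIdentityTokenIssuer $trustedIdPName -ErrorAction Stop
          if ($null -eq $trust) { throw "No trusted identity token issuer named '$trustedIdPName'" }
          $trust.ClaimProviderName = $claimProviderName
          $trust.Update()
     }#function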
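     Clear-Host
     #Import the Token Signing Certificate
     # This .cer is the public token-signing certificate exported from ADFS. It is the trust
     # anchor for every SAML token the web application will accept, so confirm its thumbprint
     # out of band (with the ADFS administrator) before running this script against a farm.
     $certFilePath = "C:\Scripts\ADFSTokenSigning.cer"
     if (-not (Test-Path -LiteralPath $certFilePath)) { throw "Certificate file not found: $certFilePath" }
     $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2] (Import-TokenSigningCert $certFilePath)
     #
     ##Add the Claim Type Mappings
     $emailAddrClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
     $roleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
     $upnClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
     $claimMap1 = Add-ClaimTypeMapping $emailAddrClaimType "EmailAddress"
     $claimMap2 = Add-ClaimTypeMapping $roleClaimType "Role"
     $claimMap3 = Add-ClaimTypeMapping $upnClaimType "UPN"
     # Build the mapping list once; the earlier commented-out two-entry version left
     # $claimMappings undefined while it was still being passed around.
     $claimMappings = @($claimMap1, $claimMap2, $claimMap3)
     $adfsServerUrl = "https://win2k12adfs.sharepoint.local/adfs/ls"
     $trustedIdPName = "SAML Provider"
     # The former Add-TrustedIdP call was dropped: that function's body is entirely commented
     # out, so it created nothing, and its realm ("urn:sp2010ent:sharepoint") differed from the
     # one actually registered below, which was a source of confusion.
     # -Realm is expected to match the relying-party identifier configured for this web
     # application in ADFS. The identifier claim (UPN here) is what SharePoint uses to tell users
     # apart, so ADFS must issue a unique UPN per account; two accounts sharing a UPN would map to
     # the same SharePoint identity.
     $ap = New-SPTrustedIdentityTokenIssuer -Name $trustedIdPName -Description "ADFS SAML Claims Provider" -Realm "urn:sp2010claims:sharepoint" -ImportTrustCertificate $cert -ClaimsMappings $claimMappings -SignInUrl $adfsServerUrl -IdentifierClaim $upnClaimType -ErrorAction Stop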
    
  4. Open up the Web Application in Central Administration and click on Authentication Providers
  5. Enable the Trusted Identity Provider that you just configured in PowerShell
  6. Open up User Policy for the Web Application
  7. Search for an Administrative user for your Web Application
  8. Grant the Administrative user Full Control on your Web Application
  9. Verify that you can log into the Web Application/Site Collection with the user you just configured in User Policy.
  10. If the login succeeds, you have converted an NTLM Web Application to a Claims-based Web Application using Claims Authentication!
