Authentication and Authorization in SharePoint 2007/2010: Food for Thought

Authentication and Authorization in Share Point

Authentication is the process of challenging and approving a user's identity, while authorization comes after authentication, where user-based permissions, rights, and privileges are taken into account. Microsoft SharePoint Services 3.0, MOSS, and SharePoint Foundation support security for user access at the web site, list, library, folder, and item levels. This security is managed through a role-based mechanism: each user is able to perform specific operations at each level based on his/her role, and this is enforced by the authorization process once the user has been successfully authenticated by the underlying authentication mechanism.

Available Options

In SharePoint Services 3.0, MOSS, and SharePoint Foundation, authentication is achieved mainly through the following methods:

1. Windows-based authentication, including Active Directory authentication (both the Kerberos and NTLM protocols), anonymous, and basic authentication. The authentication itself is done by the underlying IIS.

2. Forms-based authentication, which is implemented by the ASP.NET authentication provider model. SharePoint provides an LDAP membership provider which can talk to Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Services (AD LDS). Forms-based authentication can also use the SQL Server provider included with ASP.NET. Forms authentication allows ASP.NET to perform the authentication for SharePoint Foundation, but in SharePoint Foundation, ASP.NET forms are supported only under claims authentication: a forms provider must be registered within a web application that is configured for claims.

3. Claims-based authentication (SharePoint Foundation 2010). This new way of authenticating supports both Windows-based and non-Windows-based users, stronger real-time authentication, and delegation of user identity between multiple applications. Claims-based authentication addresses the integration of different systems by allowing communication using open standards, and by providing a platform for developing more specialized 'identity connectors' between systems.

The above are brief descriptions of the available options for authentication in SharePoint. To keep things simple and traceable I am omitting details, because each of the mentioned options could be the subject of a detailed discussion on its own.

How does Windows Authentication work in SharePoint?

Now, let's have a look at how authentication generally works in SharePoint.
1. A client anonymously generates a request using his/her browser that initiates a connection to a SharePoint front-end server, which is handled by IIS with .NET through an HTTP GET request.
2. If the zone is configured for anonymous access (such as for Internet scenarios), IIS continues to process the request. Otherwise, IIS returns error 401.2 and requests authentication from the client browser.
3. The client browser receives the request and, depending on the zone and associated options, authenticates the client. A common method is by prompting for a username/password, and then passing an auth token back to SharePoint via IIS.
4. IIS is waiting for a response in the HTTP conversation and accepts the auth token, and then either authorizes or denies access. At this point, IIS passes the request to SharePoint through .NET.
5. If the requested page has a Web Part that needs to access the back-end SQL databases, SharePoint authenticates with the SQL Server and accesses the databases. The nature of the SQL authentication varies with the configuration options. For example, you can configure SQL Server authentication or Integrated Windows authentication using NTLM or Kerberos.

NTLM mode of Authentication

More specifically, if the NTLM mode of authentication is configured, then steps 3 and 4 are as follows:
3.1 IIS rejects the anonymous request with a 401.2 error and sends back a request to authenticate with NTLM.
3.2 The client browser receives the request, creates the authentication token that includes the domain and computer name, and then sends the authentication token to IIS.
3.3 IIS accepts the details and sends an NTLM challenge to the client.
3.4 The client responds with the response to the challenge (auth token again), encrypted with the password of the user.
4.1 At this point, IIS needs to talk to the domain controller. It sends the client's user name, challenge, and challenge response.
4.2 The domain controller retrieves the password hash for the user and compares it to the challenge response, which was encrypted using the user's credentials. If there is a match, the domain controller returns a successful authentication to IIS, and IIS can talk to the client browser.
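The three roles in steps 3.1 to 4.2 (browser, IIS, domain controller), as an added model that is not part of the original post and not the real NTLM message format: a keyed SHA-256 MAC stands in for the challenge response, and the names DomainController, IisFrontEnd and run_exchange are assumptions. It shows why the password never crosses the wire, why IIS must forward the response to the DC, and why a fresh challenge per conversation defeats replaying a captured response.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of the NTLM exchange in steps 3.1-4.2 above. It is not
# the real NTLM message format or hash: a keyed SHA-256 MAC stands in for the challenge
# response. DomainController, IisFrontEnd and run_exchange are names assumed here.


def password_hash(password: str) -> bytes:
    # What the domain controller stores; the cleartext password is never needed there.
    return hashlib.sha256(password.encode("utf-8")).digest()


def client_response(password: str, challenge: bytes) -> bytes:
    # Step 3.4: the client proves knowledge of the password by keying a MAC over the
    # challenge with the password-derived secret. The password itself stays on the client.
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


class DomainController:
    def __init__(self, accounts: dict):
        self._hashes = {user: password_hash(pw) for user, pw in accounts.items()}

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        # Step 4.2: recompute the expected response from the stored hash and compare
        # in constant time, so a wrong response leaks nothing through timing.
        stored = self._hashes.get(user)
        if stored is None:
            return False
        expected = hmac.new(stored, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class IisFrontEnd:
    def __init__(self, dc: DomainController):
        self.dc = dc
        self._outstanding = {}        # conversation id -> challenge issued in step 3.3

    def challenge(self, conversation_id: str) -> bytes:
        # Step 3.3: a fresh random challenge per conversation; a response captured
        # earlier is useless against a new challenge.
        c = os.urandom(16)
        self._outstanding[conversation_id] = c
        return c

    def authenticate(self, conversation_id: str, user: str, response: bytes) -> bool:
        # Step 4.1: IIS itself cannot check the response; it forwards user name,
        # challenge and response to the DC. Each challenge is consumed exactly once.
        c = self._outstanding.pop(conversation_id, None)
        return c is not None and self.dc.verify(user, c, response)


def run_exchange(iis: IisFrontEnd, user: str, password_on_client: str,
                 conversation_id: str = "conv-1") -> bool:
    # Drives steps 3.3-4.2 for one browser conversation and returns IIS's decision.
    chal = iis.challenge(conversation_id)
    resp = client_response(password_on_client, chal)
    return iis.authenticate(conversation_id, user, resp)
```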

Kerberos mode of Authentication

In the case where Kerberos mode of authentication is configured (Kerberos uses a ticket system that authenticates once and then authorizes through delegation), steps 3 and 4 are as follows:

3.1 The client contacts the KDC (Key Distribution Center) on the domain controller and requests a ticket for the SPN (service principal name) based on what the browser client sent as the hostname.
3.2 If the KDC locates a matching SPN, it encrypts the ticket and returns it.
3.3 The browser client creates the authenticator and sends it with the service ticket to the IIS server, which in turn decrypts the ticket, determines the identity, and checks the permissions (access control list) on the requested resource to see if access is permitted.
4 If access is permitted, IIS, through the Web Application service, contacts the SQL Server, and the service requests a ticket for the SQL Server from the KDC.
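Steps 3.1 to 3.3 as an added model that is not part of the original post and is not a KRB5 implementation: Kerberos encryption is stood in for by a JSON body plus an HMAC tag under the relevant key, and Kdc, IisService and access_site are assumed names. The point it makes is that the KDC only issues a ticket for a registered SPN, and that IIS validates the ticket with its own long-term key without a round trip to the domain controller.

```python
import hashlib
import hmac
import json
import os

# Constructed model of Kerberos steps 3.1-3.3 above; it is not a KRB5 implementation.
# Kerberos encryption is stood in for by a JSON body plus an HMAC tag under the relevant
# key, which is enough to show who can read or forge a ticket. Kdc, IisService and
# access_site are names assumed for this example.


def seal(key: bytes, payload: dict) -> bytes:
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    return body + b"|" + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    body, _, tag = blob.rpartition(b"|")
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(body)


class Kdc:
    """KDC on the domain controller: knows each service's long-term key by its SPN."""

    def __init__(self, service_keys: dict):
        self.service_keys = service_keys          # e.g. {"HTTP/portal.corp.example": key}

    def request_ticket(self, client: str, spn: str, now: int):
        key = self.service_keys.get(spn)
        if key is None:                           # 3.2: no matching SPN, no ticket
            return None
        session = os.urandom(16)
        ticket = seal(key, {"client": client, "spn": spn,
                            "session": session.hex(), "expires": now + 600})
        return ticket, session                    # client gets the ticket and session key


class IisService:
    """The SharePoint front end: holds only its own key and the ACL of the resource."""

    def __init__(self, spn: str, key: bytes, acl: set):
        self.spn, self.key, self.acl = spn, key, acl

    def accept(self, ticket: bytes, authenticator: bytes, now: int):
        # 3.3: decrypt the ticket with the local key (no round trip to the DC), then
        # check that the authenticator was made with the session key carried inside it.
        try:
            t = unseal(self.key, ticket)
            a = unseal(bytes.fromhex(t["session"]), authenticator)
        except ValueError:
            return False, None
        if t["spn"] != self.spn or now > t["expires"]:
            return False, None
        if a["client"] != t["client"] or abs(now - a["ts"]) > 300:
            return False, None
        return t["client"] in self.acl, t["client"]   # identity known; now the ACL decides


def access_site(client: str, spn: str, kdc: Kdc, service: IisService, now: int) -> str:
    issued = kdc.request_ticket(client, spn, now)  # 3.1: ticket for the SPN from the hostname
    if issued is None:
        return "no-ticket"
    ticket, session = issued
    authenticator = seal(session, {"client": client, "ts": now})
    allowed, _who = service.accept(ticket, authenticator, now)
    return "allowed" if allowed else "denied"
```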

Generally, Windows-based authentication mode is selected whenever your application is running on Windows where Active Directory is already configured; this is the easiest way of authenticating in SharePoint.

Anonymous Access

Anonymous access is a way of allowing unregistered users to interact with SharePoint sites. For internal deployments and intranet sites, anonymous access is always discouraged. The scenario in which anonymous authentication should be considered is on public-facing websites, so that people can browse sites without having to create accounts. Anonymous access does not provide item-level control, prevents document authoring, and does not provide access to remote interfaces.

Form Based Authentication in SharePoint

The forms-based authentication option is generally selected when an environment does not use Active Directory, or needs to support external access. Forms-based authentication builds on top of the ASP.NET 2.0 membership concepts, where there is a Membership Provider, which defines interfaces for identifying and authenticating individual users, and a Role Manager, which defines interfaces for grouping individual users into logical groups or roles.
Authentication and authorization are done by redirecting to custom pages developed in ASP.NET using login controls and/or custom controls; after obtaining the user's credentials, a user identity object is created, which is used to authorize users based on their roles against a custom database (SQL) or Active Directory users.

General Practices

For internal sites, one should disable anonymous authentication, as it may prevent compliance with the business's accountability requirements and policies. Windows authentication with the Kerberos protocol is preferred wherever possible, as it offers better integration and ease of use.

References
msdn.microsoft.com
Microsoft development kit for SharePoint


Implementation of Lazy Probabilistic Broadcasting.

The original algorithm is available here.

The proposed algorithm is as follows:

Algorithm: Lazy Probabilistic Broadcast (data dissemination)

Implements:
    ProbabilisticBroadcast (pb).

Uses:
    FairLossPointToPointLinks (flp2p);
    UnreliableBroadcast (un).

upon event ⟨ Init ⟩ do
    for all pi ∈ Π do
        delivered[pi] := 0;
    lsn := 0;
    pending := stored := ∅;

procedure deliver-pending (s) is
    while exists [Data, s, x, snx] ∈ pending such that snx = delivered[s]+1 do
        delivered[s] := delivered[s]+1;
        pending := pending \ {[Data, s, x, snx]};
        trigger ⟨ pbDeliver | s, x ⟩;

procedure gossip (msg) is
    forall t ∈ pick-targets (fanout) do
        trigger ⟨ flp2pSend | t, msg ⟩;

upon event ⟨ pbBroadcast | m ⟩ do
    lsn := lsn+1;
    trigger ⟨ unBroadcast | [Data, self, m, lsn] ⟩;

upon event ⟨ unDeliver | pi, [Data, sm, m, snm] ⟩ do
    if (random() > store-threshold) then
        stored := stored ∪ { [Data, sm, m, snm] };
    if (snm = delivered[sm]+1) then
        delivered[sm] := delivered[sm]+1;
        trigger ⟨ pbDeliver | sm, m ⟩;
    else if (snm > delivered[sm]+1) then
        pending := pending ∪ { [Data, sm, m, snm] };
        forall seqnb ∈ [delivered[sm]+1, snm−1] do
            gossip ([Request, self, sm, seqnb, maxrounds−1]);
        startTimer (TimeDelay, sm, snm);
    end if

Algorithm: Lazy Probabilistic Broadcast (recovery)

upon event ⟨ flp2pDeliver | pj, [Request, pi, sm, snm, r] ⟩ do
    if ([Data, sm, m, snm] ∈ stored) then
        trigger ⟨ flp2pSend | pi, [Data, sm, m, snm] ⟩;
    else if (r > 0) then
        gossip ([Request, pi, sm, snm, r−1]);

upon event ⟨ flp2pDeliver | pj, [Data, sm, m, snm] ⟩ do
    if (snm = delivered[sm]+1) then
        delivered[sm] := delivered[sm]+1;
        trigger ⟨ pbDeliver | sm, m ⟩;
        deliver-pending (sm);
    else if (snm > delivered[sm]+1) then
        pending := pending ∪ { [Data, sm, m, snm] };

upon event ⟨ Timeout | s, sn ⟩ do
    forall seqnb ∈ [delivered[s]+1, sn] do
        if exists [Data, s, x, seqnb] ∈ pending then
            delivered[s] := seqnb;
            pending := pending \ {[Data, s, x, seqnb]};
            trigger ⟨ pbDeliver | s, x ⟩;
        else
            { message seqnb from s is lost }
        end if
end Algorithm

There are certain places where we changed the algorithm to increase the probability that a message is broadcast to every node; these are as follows:

a) There is a problem in the "unDeliver" event, where we start and trigger our timer: it should start the timer for the current node, not for the missed node as depicted in the algorithm.

b) There is a new timer event in our proposed algorithm that takes care of all missed messages from the last received sequence number up to the current one.

c) In "flp2pDeliver", we should only add to our pending list those sequence numbers which are greater than Delivered[Sn]+1, not all of them.
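A runnable version of the handlers above with changes (a), (b) and (c) applied, added here as an example and not taken from the original post. One process is driven by hand: flp2pSend, startTimer and pbDeliver are recorded in lists instead of being sent. LazyPbProcess and its method names are assumptions; it goes one step beyond the pseudocode in that an in-order unDeliver also flushes pending successors, and a timeout advances delivered[s] past a lost number so later messages from that sender are not blocked.

```python
import random
from collections import defaultdict


class LazyPbProcess:
    """One process running the handlers above; network calls are recorded, not sent."""

    def __init__(self, pid, peers, fanout=2, max_rounds=2, store_threshold=0.0, seed=1):
        self.pid = pid
        self.peers = [p for p in peers if p != pid]     # pick-targets draws from these
        self.fanout, self.max_rounds = fanout, max_rounds
        self.store_threshold = store_threshold
        self.rng = random.Random(seed)                  # seeded so runs are repeatable
        self.delivered = defaultdict(int)               # delivered[s] := 0 for every s
        self.pending, self.stored = set(), set()
        self.pb_delivered = []                          # (sender, payload), pbDeliver order
        self.lost = []                                  # (sender, seqnb) given up by a timer
        self.sent = []                                  # (target, msg) given to flp2pSend
        self.timers = []                                # (sender, sn) given to startTimer

    def _find(self, bag, s, sn):
        return next((d for d in bag if d[1] == s and d[3] == sn), None)

    def _deliver_pending(self, s):
        # Flush pending messages from s while the next expected number is present.
        while (d := self._find(self.pending, s, self.delivered[s] + 1)) is not None:
            self.delivered[s] += 1
            self.pending.discard(d)
            self.pb_delivered.append((s, d[2]))

    def _gossip(self, msg):
        for t in self.rng.sample(self.peers, min(self.fanout, len(self.peers))):
            self.sent.append((t, msg))

    # data dissemination: unDeliver of [Data, sm, m, snm]
    def on_un_deliver(self, data):
        _, sm, m, snm = data
        if self.rng.random() > self.store_threshold:    # keep a copy to serve Requests
            self.stored.add(data)
        if snm == self.delivered[sm] + 1:
            self.delivered[sm] = snm
            self.pb_delivered.append((sm, m))
            self._deliver_pending(sm)                   # added: flush recovered successors
        elif snm > self.delivered[sm] + 1:
            self.pending.add(data)
            for seqnb in range(self.delivered[sm] + 1, snm):      # ask peers for the gap
                self._gossip(("Request", self.pid, sm, seqnb, self.max_rounds - 1))
            self.timers.append((sm, snm))               # changes (a)/(b): one timer up to snm

    # recovery: flp2pDeliver of a Request or a Data message from pj
    def on_flp2p_deliver(self, pj, msg):
        if msg[0] == "Request":
            _, pi, sm, snm, r = msg
            d = self._find(self.stored, sm, snm)
            if d is not None:
                self.sent.append((pi, d))               # answer the requester directly
            elif r > 0:
                self._gossip(("Request", pi, sm, snm, r - 1))
            return
        _, sm, m, snm = msg
        if snm == self.delivered[sm] + 1:
            self.delivered[sm] = snm
            self.pb_delivered.append((sm, m))
            self._deliver_pending(sm)
        elif snm > self.delivered[sm] + 1:              # change (c): ignore old duplicates
            self.pending.add(msg)

    def on_timeout(self, s, sn):
        # Change (b): walk every number up to sn; deliver what arrived, skip what did not.
        # Advancing delivered[s] past a lost number keeps later messages from s unblocked.
        for seqnb in range(self.delivered[s] + 1, sn + 1):
            d = self._find(self.pending, s, seqnb)
            self.delivered[s] = seqnb
            if d is not None:
                self.pending.discard(d)
                self.pb_delivered.append((s, d[2]))
            else:
                self.lost.append((s, seqnb))


def gap_then_recovery():
    """p1 sees m1 then m3 from p2 (m2 missing); the recovered m2 unblocks m3."""
    p1 = LazyPbProcess("p1", ["p1", "p2", "p3", "p4"])
    p1.on_un_deliver(("Data", "p2", "m1", 1))
    p1.on_un_deliver(("Data", "p2", "m3", 3))           # gap: Requests go out, timer starts
    p1.on_flp2p_deliver("p3", ("Data", "p2", "m2", 2))  # a peer served the Request
    return p1
```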

As our "Lazy Probabilistic Broadcast (LPB)" uses the unreliable broadcast abstraction to transmit messages to the nearby nodes (processes) in the topology, successful transmission depends on the structure of the topology. Furthermore, LPB uses fair-loss point-to-point links, which also affect the transmission of messages.

The unreliable broadcast algorithm we use for LPB just broadcasts a message to all nodes in the network, regardless of whether the message successfully reaches all nodes or not. For successful transmission it is therefore required that the topology be fully connected; otherwise, even if there is no link loss, messages will not arrive at all nodes in the network, because some nodes may not be directly connected to the sender or broadcaster.

Proposed Improvements

One way of implementing this algorithm is just like "Eager Reliable Broadcast", so that every node that delivers a message broadcasts it to the other nodes connected to it; we may assume that the flp2pDeliver event also broadcasts the message to all other nodes directly connected to the node. This solution is just like the "Flooding Algorithm", where

  1. Each node acts as both a transmitter and a receiver.
  2. Each node tries to forward every message to every one of its neighbors except the source node.

[Ref: Flooding Algorithm]

There are certain problems with this technique, the most critical being the waste of network resources and message redundancy, so one step ahead could be to use the improved version of the Flooding Algorithm, the "Selective Flooding Algorithm", where messages are forwarded only in the most likely direction of the recipient.

Note: While looking for a solution for reliable broadcasting I have seen somewhere that a "spanning tree" is a solution for successfully transmitting messages over nodes, and I guess it would also work fine in our case if we used it in our LPB approach. [Advice comment]

Microsoft Second Shot is going to Expire

Get a second chance to pass your Microsoft Certification exam — free offer!

In the real world, you might need more than one chance at certification. With Second Shot, if you do not pass any IT professional, developer, or project manager certification exam on your first try, you can retake the exam without an additional cost.

Offer ends on June 30, 2009

Register for Second Shot and take advantage of our Career Assist Package—which means you can get any Microsoft E-Learning collection for just US$35.

Sign up for the Second Shot offer today

You have until June 30, 2009, to register, obtain an exam voucher, complete your first exam, retake your exam (if you did not pass on your first attempt), and complete any Microsoft E-Learning collections that you purchased.

When you register for this offer, you receive one free retake for each paid exam that you take and do not pass.

Register for Second Shot and obtain your US$35 Microsoft E-Learning collection

1. Register for Second Shot.
2. On the Thank You page that you receive, click the link to the Prometric Web site. You will receive a Second Shot voucher number and an e-learning promotion code.

Use your Second Shot voucher

Go to the Prometric Web site, call center, or test center. Use your Second Shot voucher number and schedule and pay for your initial exam.


Take your exam.

If you do not pass, return to the Prometric Web site or visit the call center or test center and use the same voucher number for your free retake exam.


Note: You must wait one day after taking your initial exam before you can register for your retake exam. This time is required to enter test results into the system.

Which exams qualify for this Second Shot offer?
Any Microsoft Learning IT professional, developer, or Microsoft Dynamics exam qualifies for this offer.

Royal Institute of Information and Technology

Hi,

I have received an admission letter from KTH, The Royal Institute of Information and Technology, Kista, Stockholm. I have been admitted to "Software Engineering of Distributed Systems", and I'm planning to go there this August. I have applied for a Sweden visa, in fact a Schengen States visa. I'm from Lahore, Pakistan, and am looking for some prospective students at KTH this year for shared accommodation; right now we are two students, both enrolled at KTH.

Those interested should contact me at their earliest. You can get my contact information here.

Good luck to all of you.

Regards,
Usman Afzal
+92 321 405 9065

C# 3.0 Language Features

While talking about the .NET Framework, there are lots of new things in every version, but I normally keep an eye on the most used features from the perspective of reusability and ease of coding.

While exploring, I came across some really usable features of .NET 3.0 & 3.5, and for the discussion here I will be covering automatic properties, object initializers, extension methods, and automatic type casting.

Automatic Properties

Normally, in every sort of project, and specifically in every class, most of the time is eaten up by writing the class members and their setters and getters (properties or indexers). Many third-party tools like Visual Assist build on the power of .NET extensibility (I will be writing some useful tips about it soon) and make the developer's life easier by providing IntelliSense to a greater extent, but what if I told you about something built into the .NET Framework that costs no extra money for any third-party add-in? Following is one of my code snippets that I will use to explain the power and reusability of automatic properties.
I'm omitting any required using statements to make it simpler and shorter.

namespace MyBlogApplication
{
    public class PersonClass
    {
        // Person class's properties, each backed by an explicit private field
        private String _name;
        public System.String Name
        {
            get { return _name; }
            set { _name = value; }
        }

        private String _address;
        public System.String Address
        {
            get { return _address; }
            set { _address = value; }
        }

        private String _personId;
        public System.String PersonId
        {
            get { return _personId; }
            set { _personId = value; }
        }
    }
}

Although the above code may be generated using the refactoring tools of .NET, it still requires me to write the class members and then expose them as public properties, and of course it requires more lines of code than the one I wrote in C# 3.0 (.NET 3.5) as below:

namespace MyBlogApplication
{
    public class PersonClass
    {
        // Person class's properties: the compiler generates the backing fields
        public String Name { get; set; }
        public String Address { get; set; }
        public String PersonId { get; set; }
    }
}

What I did was just write "prop" (this snippet is also available in .NET 2.0) and press Tab twice, which produces the above snippet; now all I need to do is give my property a name, and the compiler automatically generates the data member and handles storing and retrieving the value.

It's not rocket science, but imagine if you have more than 20 properties per class and for each one you have to create and manipulate data members; it's a hell of a coding job, but the above technique reduces and manages your code with beauty.

In the above code, you may make your properties read-only or write-only as follows:

// Person class's properties
public String Name { get; set; }
public String Address { private get; set; }   // write-only from outside the class
public String PersonId { get; private set; }  // read-only from outside the class (a getter-only auto-property needs C# 6)

Happy Coding with .Net 3.5 🙂

Understanding the differences between SharePoint Portal Server and the Windows SharePoint Services

This is not a fresh post; I found it while googling on this topic, and I'm just putting it here to give it proper and more easily searched tags. You will find the original link below.

Lately, Microsoft has been placing a much heavier emphasis on its SharePoint line of products. SharePoint will eventually take over the public folder functionality currently found in Exchange Server and Microsoft is also pushing to make SharePoint the file server technology of choice. Unfortunately, many of the people that I have talked to say that they find SharePoint to be confusing. What makes SharePoint even more confusing though is that it comes in two different flavors; the Windows SharePoint Services and SharePoint Portal Server. In this article, I will discuss the differences and the similarities of these two products.
Costs

If you are shopping for SharePoint products, the first difference that you are likely to notice between the two versions of SharePoint is the cost. SharePoint Portal Server tends to be a bit pricey. The retail price of SharePoint Portal Server with five client access licenses is $5,619. This price is the tip of the iceberg though. You must also figure in the cost of a Windows Server 2003 license, the Windows Server client access licenses, and the cost of the hardware that SharePoint will run on. SharePoint Portal Server also requires SQL Server. The software comes with MSDE (Microsoft Database Engine), which is a watered down version of SQL Server, but most organizations will have to use a full blown SQL Server deployment.

Furthermore, if you need additional SharePoint client access licenses, those licenses cost $71 per device or user. Since SharePoint is a Web based technology, it is conceivable that some organizations may make a SharePoint site available to external users or non employees over the Internet. In order to do so, you must purchase an external connector license. An external connector license sells for $30,000 per server.

As you can see, SharePoint Portal Server can be very pricey to deploy. In contrast though, the Windows SharePoint Services are free! Actually, they aren’t completely free. You still need a Windows Server 2003 license and the Windows Server client access licenses. Even so, Microsoft offers the Windows SharePoint Services as a downloadable feature pack for Windows Server 2003.

To put it into perspective, both SharePoint products require you to buy a Windows Server 2003 license and the necessary Windows Server client access licenses. After doing so though, you could deploy the Windows SharePoint Services at no additional cost, whereas deploying SharePoint Portal Server will cost you thousands of additional dollars in software licenses.
Windows SharePoint Services

Since the Windows SharePoint Services are so much less expensive than SharePoint Portal Server, I will talk about it first. As I mentioned earlier, the Windows SharePoint Services are downloadable as a free feature pack for Windows Server 2003. You can download the Windows SharePoint Services at Microsoft’s Web site.

The Windows SharePoint Services are primarily focused around workgroup level collaboration. The idea is that the Windows SharePoint Services can be easily deployed in a matter of minutes. Once the Windows SharePoint Services are up and running, it is simple to set up a workspace for a small group of users, with minimal effort. This allows a group of users to share a small collection of documents among themselves.

Even though small seems to be the operative word here, don’t be fooled. The Windows SharePoint Services can be scaled to support thousands of users and multiple terabytes of data. In fact, SharePoint Portal Server (an enterprise class product) is built on top of the Windows SharePoint Services.

The truth is that even though the Windows SharePoint Services are free, the Windows SharePoint Services are no slouch by any stretch of the imagination. While it’s true that SharePoint Portal Server offers features and capabilities that the Windows SharePoint Services don’t offer, the Windows SharePoint Services is a very powerful application.

When you install the Windows SharePoint Services, there is next to no configuration that has to be done. I have to admit that when I installed the Windows SharePoint Services on my test server, I didn’t take notes regarding the installation process, but I honestly can’t remember having to do anything other than accepting an end user license agreement. Once the installation was complete, Windows opened Internet Explorer and displayed the Windows SharePoint Services Web site, shown in Figure A.

Figure A: This is what the Windows SharePoint Services Web site looks like.

As I mentioned earlier, SharePoint Portal Server costs thousands of dollars while the Windows SharePoint Services are free. In order to understand what you are really getting for your money if you decide to invest in SharePoint Portal Server, you need to have a good idea of what you can and can’t do with the Windows SharePoint Services. Unfortunately, there is no way that I can talk about all of the Windows SharePoint Service features in a single article, but I will give you a brief tour so that you can see how SharePoint Portal Server differs.

If you look at Figure A, you will see that the Home page contains a list of announcements, events, and links. Each of these sections is made up of a separate Web part. A Web part is nothing more than a block of HTML or ASP code. In a SharePoint environment, multiple Web parts can be joined together to create a Web page like the one that you see in Figure A. In fact, you will notice in Figure A that there is a Modify Shared Page link directly above the Windows SharePoint Services logo. You can use this link to add additional Web Parts, remove unwanted Web Parts, or to rearrange the position of the Web parts on the screen.

What this means is that the SharePoint Web site is completely customizable. The reason why this is important is because the default Web site is usually only used in the smallest organizations. As you will recall, earlier, I mentioned that the Windows SharePoint Services were designed to allow small groups of users to share small groups of documents.

If a user were to click the Create link, they would be able to create a dedicated Web site for the group or the project that they are working with. The fact that SharePoint sites are nothing more than a collection of pre-defined Web parts means that when users create dedicated Web sites, they can custom tailor the new site to fit their specific needs. Furthermore, they can accomplish this without having to do any coding.

That being the case, you might be wondering what users can use these Web sites for. Well, if you go back to Figure A, you can get a bit of a preview. If you look in the menu bar on the left portion of the screen, you will see links for shared documents, contacts, tasks, discussions, and surveys. There is actually a lot more that users can do with the Windows SharePoint Services, but I don’t really have the space to talk about everything, so let’s pretend that these were the only options available.

To see how these particular Web parts are useful, imagine that you are working as a part of a team that’s assigned to develop a new product for your company. In such a case, you could start out by creating a contacts list containing contact information for everyone on the team. You could then go on to add contact information for parts suppliers and other non-employees that you might interact with as a part of the project.

You could then use the task list to assign tasks related to the project to various members of the team. The Discussion area is basically a message board that can be used to discuss specific issues related to the project. You could use the Pictures library to store blueprints or design ideas, while the document library can be used to store text documents.

The document library is one of the key pieces of SharePoint and is worth discussing for a moment. The idea behind the document library is that users can check documents in and out of the library. Essentially, what this means is that a user can check out a document, make changes, and check the document back in. This prevents users from making simultaneous, possibly contradictory changes to a document, but it does something else too. The document library allows you to retain multiple versions of documents. This way you can see who has made changes to a document and when. If necessary, you can even revert to a previous version of the document.

Another thing that the document library does is that it allows users to be alerted to changes. Users can be alerted immediately if a new document is added to the library or if an existing document is modified. If users don’t want to be bothered by constant change notifications, they can receive a daily or a weekly change summary message.

In case you are wondering, the Windows SharePoint Services does have built in user management. You can easily specify which users are allowed to create Web sites. When a user does create a site, they can decide who can access the site, and what level of access various users should receive to the document library and to other areas of the site.
SharePoint Portal Server

It’s impossible for me to talk about all of the capabilities of the Windows SharePoint Services because the application is so intricate. Hopefully by now though, you have a pretty good idea of what the Windows SharePoint Services are and what they are used for. Now, I want to move on and talk about SharePoint Portal Server. As I mentioned earlier, SharePoint Portal Server was built on top of the Windows SharePoint Services. This means that anything that the Windows SharePoint Services can do, SharePoint Portal Server can also do.

The main difference between the two applications is their focus and intended usage. As I have said numerous times in this article, the Windows SharePoint Service’s primary focus is to create workspaces that small groups of users can use to collaborate on projects by sharing a small collection of documents and other data. Certainly, SharePoint Portal Server can be used for this as well, but why spend thousands to do something that you can do for free with the Windows SharePoint Services?

The main purpose for SharePoint Portal Server is to act as an enterprise level portal. One of the areas where this is the most obvious is in SharePoint Portal Server’s ability to manage documents. SharePoint Portal Server’s document library is very similar to the one found in the Windows SharePoint Services. The main difference is that SharePoint Portal Server is designed to index huge numbers of documents that exist across multiple locations.

For example, you could start out by indexing all of the documents that exist on your company's file servers. You don't have to stop there though. You could also index the public folders on your Exchange Servers. If there are Web sites that your company frequently references, you could even index pages on those sites. It doesn't even matter if the Web page is secured by SSL. SharePoint can use the HTTPS protocol to index secure Web content.

The point is that large companies typically have huge amounts of information on file, and that information often exists in many different formats (Microsoft Office documents, PDF files, public folders, HTML, text files, etc.). What SharePoint Portal Server does is to make it possible for users to use a single search engine to search for information regardless of where the information is located and what format the information is in.

SharePoint Portal Server also differs from the Windows SharePoint Services in its ability to search document indexes. SharePoint Portal Server offers some very rich search capabilities. For example, users can search for specific key words and tell the search engine that they only want to search for items that have been added since their last search. The results of the search can then be arranged by document author, site, date, and category. SharePoint Portal Server also offers hierarchical search scopes that allow users to perform searches from within specific topics, categories, or content sources.
Similar names, but different

As you can see, there are many similarities between the Windows SharePoint Services and SharePoint Portal Server. Where the two products really differ is in that SharePoint Portal Server allows you to index the contents of huge numbers of documents, in a variety of formats, both inside and outside of your company. SharePoint Portal Server also offers advanced query tools that make it easier to locate specific content within a vast store of indexed content.

Original Link: Understanding the differences between SharePoint Portal Server and the Windows SharePoint Services