CA SiteMinder Web Access Manager. Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

Transcription

1 CA SiteMinder Web Access Manager Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

2 This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user s informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the Product are permitted to have access to such copies. The right to print copies of the Documentation and to make a copy of the related software is limited to the period during which the applicable license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user s responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE. The use of any product referenced in the Documentation is governed by the end user s applicable license agreement. The manufacturer of this Documentation is CA. Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections , , and (c)(1) - (2) and DFARS Section (b)(3), as applicable, or their successors. Microsoft SharePoint is a registered trademark of Microsoft Corporation. Microsoft product screen shots reprinted with permission from Microsoft Corporation. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. Copyright 2009 CA. All rights reserved.

3 CA Product References This document references the following CA products: CA SiteMinder Web Access Manager Contact CA Contact Technical Support For your convenience, CA provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise CA products. At you can access the following: Online and telephone contact information for technical assistance and customer services Information about user communities and forums Product and documentation downloads CA Support policies and guidelines Other helpful resources appropriate for your product Provide Feedback If you have comments or questions about CA product documentation, you can send a message to techpubs@ca.com. If you would like to provide feedback about CA product documentation, complete our short customer survey, which is also available on the CA support website, found at

4

5 Contents Chapter 1: SiteMinder and Microsoft SharePoint 9 Documents Replaced by this Version... 9 Purpose and Audience Microsoft Internet Information Services (IIS) Microsoft SharePoint Use Case Diagram Chapter 2: Prerequisites and Limitations 13 Microsoft Prerequisites SiteMinder Prerequisites SiteMinder and SharePoint Limitations Chapter 3: Configure Your SiteMinder Policy Server 15 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources Open the r6.x SP5 Policy Server User Interface Create a Host Configuration Object for your SharePoint Resources (r6.x SP5) Create a Web Agent Object for your SharePoint Resources (r6.x SP5) Create an Agent Configuration Object for your SharePoint Resources (r6.x SP5) Create a User Directory Entry for your LDAP Directory Server Instance Create a Domain for your SharePoint Resources (r6.x SP5) Select a New Port Number for your IIS Default Web Site (r6.x SP5) Create an Authentication Scheme for your SharePoint Resources (r6.x SP5) Create Realms for your SharePoint Resources (r6.x SP5) Create a Rule Under your SharePoint Realm (r6.x SP5) Create a Policy for your SharePoint Resources (r6.x SP5) Test Your Policy with the SiteMinder Test Tool (r6.x SP5) How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Open the r12 SP1 Administrative UI Create a Host Configuration Object for your SharePoint Resources (r12 SP1) Create a Web Agent Object for your SharePoint Resources (r12 SP1) Create an Agent Configuration Object for your SharePoint Resources (r12 SP1) Select a New Port Number for your IIS Default Web Site (r12 SP1) Create an Authentication Scheme for your SharePoint Resources (r12 SP1) Create a User Directory Object for your Directory Server Instance (r12 SP1) Create an Application to protect your SharePoint Resources (r12 SP1) Leave the SharePoint Virtual Directories Unprotected (r12 SP1) Contents 5

6 Add Resources to your Application (r12 SP1) Add Roles to your Application (r12 SP1) Create a Policy for your Application (r12 SP1) Chapter 4: Configure SharePoint How to Create a SharePoint 2007 Test Site Create a New SharePoint Site Add the New SharePoint Site to a Site Collection Create a Document Library How to Configure Your SharePoint Forms Based Authentication Back Up Your Existing web.config Files Add the Membership Provider to the SharePoint Central Configuration Web Site Add the Membership Provider and Authentication Method to Each SharePoint Web Site you want to protect How to Encrypt the Sensitive Information in your web.config Files Enable SharePoint FBA Add Users to Your SharePoint Web Site Update the Site Collection Administrator Account to Use FBA Test Your SharePoint FBA Chapter 5: Configure SiteMinder Web Agent and Related SharePoint Web Sites 59 How to Add SiteMinder to your SharePoint Environment Install the SiteMinder Web Agent for IIS How to Install the SiteMinder DLL to the Global Assembly Cache Add the SiteMinder.ASPX Files to the SharePoint Web Site Use a Fully-Qualified Domain Name in your SharePoint Sites How to Configure an IIS Web Agent to Protect SharePoint Resources Assign Read Permissions to Samples and Error Files Directories Allow IIS to Execute the Agent ISAPI and CGI Extensions Change the Port Number of the Default IIS Web Site Gather Web Agent Information Run the Agent Configuration Wizard Increase the Agent's Size Limit for Uploaded Files Put the Agent Filter and Extension before Other Third-Party Filters Add the ISAPI Extension to the Protected SharePoint Web Sites How to Configure your SharePoint Web Sites for SiteMinder Use the SiteMinder Signout Page Back Up your Existing web.config Files Change the Form Type and Add the HTTP Module to Each SharePoint Web Site you want to protect with SiteMinder Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

7 Start the Web Agent Chapter 6: Test your SiteMinder and SharePoint Implementation 81 Access a Protected SharePoint Site Using SiteMinder Modify a Document Stored on SharePoint Access a Protected SharePoint Site as another User SiteMinder Logs Appendix A: Troubleshooting 85 Disable the SiteMinder Authentication Appendix B: Platform Support 87 Locate the Platform Support Matrix Contents 7

8

9 Chapter 1: SiteMinder and Microsoft SharePoint This section contains the following topics: Documents Replaced by this Version (see page 9) Purpose and Audience (see page 10) Microsoft Internet Information Services (IIS) (see page 10) Microsoft SharePoint 2007 (see page 11) Use Case Diagram (see page 12) Documents Replaced by this Version The content of this document supersedes the existing content in the following publications: CA SiteMinder Web Access Manager Microsoft SharePoint 2007 Integration Guide First, Second, and Third Editions CA SiteMinder Policy Server Policy Design Guide, r6.x SP5 CR 15 (DIDs: H E, H E) Appendix A: Protecting SharePoint 2007 Resources CA SiteMinder Web Agent Guide, r6.x SP5 CR15 (DIDs: H E, H E) Appendix D: Protecting SharePoint 2007 Resources Chapter 1: SiteMinder and Microsoft SharePoint 9

10 Purpose and Audience Purpose and Audience This guide describes an example of how you can integrate SharePoint with CA SiteMinder to accomplish the following: Use SiteMinder to authenticate and authorize your users instead of SharePoint Use an existing LDAP Directory server with CA SiteMinder Replace the SharePoint forms-based authentication (FBA) mechanism with CA SiteMinder This guide is intended for IT personnel who are familiar with the enterprise network, as well as access management concepts and technologies. This guide assumes familiarity with the following: Web Servers Directory Servers SharePoint Basic architecture of CA SiteMinder components Microsoft Internet Information Services (IIS) Microsoft IIS is a web server that runs on several Windows operating environments. Only one instance of IIS can run on a single computer, but many virtual web sites can exist within an IIS instance. Note: For more information about creating virtual web sites on IIS, go to the Microsoft Support web site, and then search for "virtual web site IIS". 10 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

11 Microsoft SharePoint 2007 Microsoft SharePoint 2007 Microsoft SharePoint 2007 runs on top of a Microsoft IIS instance. The SharePoint 2007 Server makes the following changes to the IIS instance when it is installed: Disables the IIS Default Web Site on port 80, and adds a Share Point -80 web site in its place Creates virtual web sites for the following: Office Server Web Services SharePoint Central Administration A single SharePoint web site for the user who installed the SharePoint Server 2007 Note: The phrase "web application" has special meaning in the Microsoft documentation; it defines a SharePoint web application as a web site and its related database instance, which stores the content for the web site, on the SharePoint server. This SiteMinder guide uses the term web site to indicate a SharePoint resource unless otherwise indicated. Chapter 1: SiteMinder and Microsoft SharePoint 11

12 Use Case Diagram Use Case Diagram The following illustration shows a use case where partners authenticate using a SiteMinder form, and internal employees authenticate using SiteMinder or Windows authentication methods: 12 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

13 Chapter 2: Prerequisites and Limitations This section contains the following topics: Microsoft Prerequisites (see page 13) SiteMinder Prerequisites (see page 14) SiteMinder and SharePoint Limitations (see page 14) Microsoft Prerequisites To protect your SharePoint 2007 resources with SiteMinder you need the following Microsoft components: Microsoft IIS 6.0 Microsoft SharePoint 2007 SP1 Microsoft.NET 2.0 Microsoft.NET 2.0 SDK (for installing the SiteMinder file into the Global Assembly Cache) Microsoft.NET 3.0 More information: How to Install the SiteMinder DLL to the Global Assembly Cache (see page 61) Chapter 2: Prerequisites and Limitations 13

14 SiteMinder Prerequisites SiteMinder Prerequisites To protect your SharePoint 2007 resources with SiteMinder you need to install the appropriate components for your SiteMinder version shown in the following list: SiteMinder r6.x SP5 Requires a r6.x SP5 Policy Server (at least CR 14) with one of the following Web Agents: SiteMinder Web Agent, 6.x SP5 (at least) CR22 (32-bit only) SiteMinder Web Agent, 6.x SP5 (at least) CR23 (32-bit or 64-bit) SiteMinder r12 SP1 Requires the following components: SiteMinder Web Agent, r12 SP1 (at least) CR2 SiteMinder Policy Server, r12 SP1 (at least) CR2 SiteMinder Web Access Manager Administrative Interface, r12 SP1 (at least) CR2 More information: Locate the Platform Support Matrix (see page 87) SiteMinder and SharePoint Limitations This document shows how to integrate SiteMinder with SharePoint 2007 using the forms-based authentication (FBA) feature of SharePoint. Understand and accept the following limitations caused by FBA before you start your integration: The welcome message in SharePoint displays the login id of the user, not the full name of the user. SharePoint features that rely on an identity provided by a Microsoft Windows operating system are not supported (for example, Excel Services). User profiles that were supported while SharePoint was configured for Windows authentication will not be available after SharePoint is configured for FBA authentication. No migration utility exists. As a result, this documentation is intended for deployments that are not using an Active Directory user store. The SharePoint People Picker does not support wildcard searches or searches for Groups. 14 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

15 Chapter 3: Configure Your SiteMinder Policy Server This section contains the following topics: How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources (see page 15) How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources (see page 28) How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources To configure a SiteMinder r6.x SP5 Policy to protect resources on a SharePoint web site, use the following process: 1. Login to the Policy Server User Interface (see page 16). 2. Create a Host Configuration object (see page 17). 3. Create a Web Agent (see page 18). 4. Create an Agent Configuration object (see page 19). 5. Create a user directory (see page 21). 6. Create a Domain for the SharePoint web site (see page 22). 7. Select a new port number for your IIS default web site (see page 22). 8. Create an authentication scheme (see page 23). 9. Create realms under the domain (see page 23). 10. Create rules under the realm (see page 26). 11. Create a policy under the domain (see page 27). Chapter 3: Configure Your SiteMinder Policy Server 15

16 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources Open the r6.x SP5 Policy Server User Interface The Policy Server User Interface lets you create and manage Policy Server objects. To open the Policy Server User Interface 1. Open your web browser. 2. Enter the following URL in the Address bar: Note: The policy_server_host_name is the name of the machine on which the Policy Server is installed. You must use a fully-qualified domain name, such as example.com, in the URL. If the Policy Server does not use the default HTTP port (80), you must specify a port number. Your browser displays the Policy Server start page. 3. Click Administer Policy Server. A status bar appears while the Policy Server User Interface loads. The SiteMinder Administration Login window opens. 4. Enter your user name and password in the appropriate fields. If you are accessing the Policy Server for the first time, use the default super user administrator account, which you created during Policy Server installation. 5. Click Login. The Policy Server User Interface opens. The contents of this window depend on the privileges of the administrator account you use to login to the Policy Server. Note: For more information on the Policy Server User Interface, see the SiteMinder Policy Design guide. 16 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

17 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources Create a Host Configuration Object for your SharePoint Resources (r6.x SP5) The Web Agent uses a Host Configuration object to connect with the Policy Server. You will need the name of a Host Configuration object that is stored on the Policy Server to configure a SiteMinder web agent on a web server that protects your resources. To create a host configuration object 1. In the System tab, click Host Conf objects. The Host Conf Object list appears. 2. Right-click the DefaultHostSettings object, and then select Duplicate configuration object. The Host Configuration Object Properties dialog appears with the object's name selected. 3. Enter a distinctive name, and (optional) description. 4. In the Configuration Values list, double-click #Policy Server. The Edit Parameter dialog appears. 5. Click the *Parameter Name field, and then remove the # symbol. 6. In the *Value field, select the following text: <IPAddress> 7. Replace selected text with the IP address, or DNS name, of your Policy Server. 8. Click OK. The Edit Parameter dialog closes. The IP address you entered appears in the list. 9. Click OK. The Host Configuration Object Properties dialog closes and the new Host Configuration object appears in the list. Chapter 3: Configure Your SiteMinder Policy Server 17

18 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources Create a Web Agent Object for your SharePoint Resources (r6.x SP5) The Web Agent runs on the web server to protect resources, but each web agent must be associated with a Web Agent object on the Policy Server. You will need the name of this Web Agent object when you configure a SiteMinder web agent on a web server. To create a web agent 1. In the System tab, right-click Agents, and then select Create Agent. The Agent dialog appears. 2. Enter a distinctive name, and (optional) description. Note: Web Agent names have the following limits: Agent names must contain 7-bit ASCII characters in the range of , including one or more printable characters. Agent names must not contain the ampersand (&) and asterisk (*) characters. Agent names are not case-sensitive. For example, you cannot create one Agent named MyAgent and another Agent named myagent. 3. Click OK. The dialog closes and the new Agent appears in the list. 18 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

19 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources Create an Agent Configuration Object for your SharePoint Resources (r6.x SP5) An Agent Configuration Object lets you specify parameter settings on the Policy Server that control how one or more web agents operate. You will need the name of an Agent Configuration Object stored on the Policy Server to configure a SiteMinder web agent on your web server. This Agent Configuration object must also contain certain parameters and settings to protect resources on a SharePoint web site with SiteMinder. To create an Agent Configuration object 1. In the System tab, click Agent Conf Objects. The Agent Conf Object list appears. 2. Right-click the IISDefaultSettings Agent Configuration object, and then click Duplicate Configuration Object. The Agent Configuration Object properties dialog appears with the object's name selected. 3. Enter a distinctive name, and (optional) description. 4. Scroll down the configuration values list, and then double-click the following parameter: BadUrlChars Note: The list is sorted by special characters (such as those starting with #), numbers, uppercase letters and lowercase letters respectively. The Edit Parameter dialog appears. 5. Remove any characters from this list that are found in the URLs of any resources you want to protect. For example, if the URL of a protected resource contains <>, delete <, and >, from the list. 6. Click OK. 7. Double-click the following parameter: LogOffUri The Edit Parameter dialog appears. 8. Uncomment the parameter name (by removing the #), click the Value field and then type the following: /_siteminder/redirector.aspx Chapter 3: Configure Your SiteMinder Policy Server 19

20 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources 9. Click OK. 10. Double-click the following parameter: IgnoreExt The Edit Parameter dialog appears. 11. Remove the extensions of any image files used in your protected resources from the list, and then click OK. For example, if you use.png files, remove the.png extension from the list of values. 12. Double-click the following parameter: DefaultAgentName The Edit Parameter dialog appears. 13. Uncomment the parameter name (by removing the #), click the *Value field and then enter a default agent name. This name must match the name of the web agent you previously created with the Policy Server User Interface for your SharePoint implementation (see page 18). 14. Click OK. The Edit parameter dialog closes. 15. Click Add, and then type the following in the Parameter Name field: autoauthorizeoptions 16. Click the *Value field, and then type the following: Yes 17. Click OK to Close the Edit parameter dialog, and then click OK again to close the Agent Configuration Object dialog. The Agent Configuration dialog closes and the new Web Agent Configuration object is saved. 20 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

21 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources Create a User Directory Entry for your LDAP Directory Server Instance For SiteMinder to protect resources on SharePoint, you must add information about your user directory server instance to the SiteMinder Policy Server. You will also need this information when you add the LDAP Provider to the web.config files of your SharePoint server. To create a user directory entry for your directory server instance 1. In the system tab, right-click User Directories, and select Create User Directory. The User Directory Properties dialog appears. 2. Enter a distinctive name, and (optional) description. 3. Make sure LDAP: appears in the Namespace drop-down list. 4. Click the Server field, and then type the fully-qualified domain name of your Directory server. 5. In the LDAP Search section, click the Root field, and then type the following: dc=your_domain_name,dc=your_domain_extension Example: dc=example,dc=com 6. In the DN LDAP User Lookup section, click the Start field, and then type the following: uid= 7. Click the End field and type the following: dc=your_domain_name,dc=your_domain_extension Example: dc=example,dc=com 8. Click the Credentials and Connection tab, and then do the following: a. Select the Require credentials check box. b. Enter the name of an authorized user for the directory. Use the following example as a guide: cn=directory Mangager c. Enter the password for the authorized user and confirm it. d. Make sure the Run in Authenticated Users Context check box is clear. 9. Click the User Attributes tab, click the Universal ID (R) field, and then enter the following: uid 10. Click OK. The User Directory Properties dialog closes and the user directory entry is saved. Chapter 3: Configure Your SiteMinder Policy Server 21

22 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources Create a Domain for your SharePoint Resources (r6.x SP5) The SharePoint resources you want to protect with SiteMinder must be placed in a separate domain on the SiteMinder Policy Server. To create a domain for your SharePoint resources 1. Click the Domains tab. A list of domains appears. 2. Right-click Domains, and select Create Domain. The Domain Properties dialog appears. 3. Enter a distinctive name, and (optional) description. 4. Click the drop-down list, select the LDAP Directory server instance from the list, and then click Add. The LDAP Directory server instance appears in the User Directories field. 5. Click OK. The Domain Properties dialog closes and the domain is saved. Select a New Port Number for your IIS Default Web Site (r6.x SP5) When a user requests a protected SharePoint web site, the SiteMinder Web Agent redirects the user to the default IIS web site and displays a login form (FCC). After the user's credentials are received and verified, the SiteMinder Web Agent redirects the user back to the protected SharePoint web site they originally requested. Since the SharePoint server takes over the default IIS port (80), and disables any existing web sites already running on that port, you may find it helpful to re-activate the Default IIS Web site on a different port. This lets you separate your SiteMinder IIS traffic from your SharePoint traffic and may help with logging or troubleshooting. You must also specify this updated port number in the SiteMinder Authentication scheme you create to protect your SharePoint resources. More information: Change the Port Number of the Default IIS Web Site (see page 67) 22 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

23 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources Create an Authentication Scheme for your SharePoint Resources (r6.x SP5) You need to create a separate SiteMinder authentication scheme for your SharePoint resources. This authentication scheme replaces the SharePoint FBA with a SiteMinder FCC. To create an authentication scheme for your SharePoint resources 1. In the System tab, right-click Authentication Schemes, and select Create Authentication Scheme. The Authentication Scheme dialog appears. 2. Enter a distinctive name, and (optional) description. 3. Click the Authentication Scheme Type drop-down list, and select HTML Form Template. 4. Click the Web Server Name field, and then type the fully-qualified domain name and the updated port number of your IIS Default Web site, as shown in the following example: iis_web_server_name.example.com:5500 Note: Ensure the *Target field contains the following URL: /siteminderagent/forms/login.fcc 5. Click OK. The Authentication Scheme Dialog closes and your authentication scheme is saved. More information: Select a New Port Number for your IIS Default Web Site (r6.x SP5) (see page 22) Create Realms for your SharePoint Resources (r6.x SP5) You must create several realms in SiteMinder for each SharePoint web site you want to protect. The root, or top-level, realm protects the SharePoint resource. You must also create several sub-realms inside the top level realm that leave certain sub-folders of each SharePoint resource unprotected, as shown in the following illustration: Chapter 3: Configure Your SiteMinder Policy Server 23

24 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources To create realms for your SharePoint resources 1. Click the Domains tab, and then expand the domain of your SharePoint resources. A list of domain objects appears. 2. Right-click Realms and select Create Realm. The Realm Properties dialog appears, showing the Resource tab. 3. Enter a distinctive name, and (optional) description. 4. Do the following: Click Lookup, click the name of the Web Agent that will protect your SharePoint resources, and then click OK. Click the Authentication Scheme drop-down list, and select the Authentication scheme for your SharePoint resources. Under Default Resource Protection, make sure the Protected radio button is selected. Click Apply. The resource settings are saved. 5. Click the Session tab, and then make sure that the No Persistent Session radio button is selected. 6. Click OK. The root (top-level) realm is created, and it appears in the list. 7. Right-click the root realm in the list, and select Create Realm Under Realm. The Realm Properties dialog appears, showing the Resource tab. 8. Enter a distinctive name, and (optional) description. 9. Do the following: Click the Resource filter field, and type the following: _vti_bin Click the Authentication Scheme drop-down list, and select the Authentication scheme for your SharePoint resources. Under Default Resource Protection, click the Unprotected radio button. Click Apply. The resource settings for the sub-realm are saved. 10. Click the Session tab, and then make sure that the No Persistent Session radio button is selected. 11. Click OK. The sub-realm is created, and it appears in the list. 12. Repeat Steps 7 and 8, and then do the following: 24 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

25 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources Click the Resource filter field, and type the following: _vti_inf Click the Authentication Scheme drop-down list, and select the Authentication scheme for your SharePoint resources. Under Default Resource Protection, click the Unprotected radio button. Click Apply. The resource settings for the sub-realm are saved. 13. Click the Session tab, and then make sure that the No Persistent Session radio button is selected. 14. Click OK. The sub-realm is created, and it appears in the list. 15. Repeat Steps 7 and 8, and then do the following: Click the Resource filter field, and type the following: _layouts Click the Authentication Scheme drop-down list, and select the Authentication scheme for your SharePoint resources. Under Default Resource Protection, click the Unprotected radio button. Click Apply. The resource settings for the sub-realm are saved. 16. Click the Session tab, and then make sure that the No Persistent Session radio button is selected. 17. Click OK. The sub-realm is created, and it appears in the list. All of the realms and sub-realms for your SharePoint integration are created. Chapter 3: Configure Your SiteMinder Policy Server 25

26 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources Create a Rule Under your SharePoint Realm (r6.x SP5) Your top-level SharePoint realm needs a rule which fires when a user requests access to a protected SharePoint resource. To create a rule under your SharePoint realm 1. Click the Domains tab, and expand the following items: Your SharePoint domain. The realms under that domain. 2. Right-click the top-level SharePoint realm, and select Create Rule Under Realm. The Rule Properties dialog appears. 3. Enter a distinctive name, and (optional) description. 4. In the Action field, Control-click Post and Put. All three web agent actions, Get, Post and Put are selected. 5. Verify the following: The Resource field contains an asterisk (*). The Allow Access radio button is selected. The Enabled check box is selected. 6. Click OK. The Rule Properties Dialog closes and the new rule appears in the list. 26 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

27 How to Configure a SiteMinder r6.x SP5 Policy to Protect SharePoint Resources Create a Policy for your SharePoint Resources (r6.x SP5) You need a SiteMinder policy associated with your SharePoint domain that defines relationships between the users, the SharePoint resources and access rights in your organization. To create a policy for your SharePoint resources 1. Click the Domains tab, and then expand your SharePoint domain. A list of objects appears. 2. Right-click Policies, and select Create Policy. The Policy Properties dialog appears showing the Users tab. 3. Enter a distinctive name, and (optional) description. 4. Click Add/Remove. The Users/Groups dialog appears. 5. Move the groups, users (or any combination of either) that you want to add from the Available Members list to the Current Members list, and then click OK. The users or groups are added to the policy. 6. Click the Rules tab, and then click Add/Remove Rules. The Available Rules dialog appears. 7. Move your SharePoint rule from the Available Members list to the Current Members list, and then click OK. The rule is added to the policy. 8. Click OK. The Policy Properties dialog closes and the policy is saved. Test Your Policy with the SiteMinder Test Tool (r6.x SP5) The SiteMinder test tool imitates the behavior of a SiteMinder Web Agent so you can test your policies after creating them. This helps you make sure that your resources are properly protected. This tool is included in your SiteMinder Policy Server installation. Note: For more information, see the CA SiteMinder Policy Design guide. Chapter 3: Configure Your SiteMinder Policy Server 27

28 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources To configure a SiteMinder Application to protect resources on a SharePoint web site, use the following process: 1. Open the Administrative UI (see page 29). 2. Create a Host Configuration object (see page 30). 3. Create a Web Agent object (see page 31). 4. Create an Agent Configuration object (see page 32). 5. Select a new port number for your IIS default web site (see page 34). 6. Create an Authentication scheme (see page 35). 7. Create a User Directory object (see page 36). 8. Create an Application (see page 37). 9. Leave the SharePoint Virtual sub-directories unprotected (see page 38). 10. Add Resources (see page 40). 11. Add Roles (see page 41). 12. Create a Policy (see page 42). 28 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

29 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Open the r12 SP1 Administrative UI The browser-based CA SiteMinder Web Access Manager Administrative User Interface primarily enables management of Policy Server objects, but also provides some system management functionality. To access the Administrative UI 1. Do one of the following: From the computer hosting the Administrative UI, click Start, Programs, CA, IAM Suite, siteminderwam, SiteMinder Administrative User Interface Open the following URL in your browser: The host_name is the name of the computer on which the Administrative UI runs. You must use a fully-qualified domain name. If the Administrative UI is not using the default HTTP port (80), you must add the port number as shown in the following example: The login page for the Administrative UI appears. 2. Enter a valid user name and password in the appropriate fields. If you are accessing the Policy Server for the first time, use the default super user administrator account, which you created during Policy Server installation. 3. Click Log In. The Administrative UI opens. The contents of the window depend on the privileges of the administrator account you used to login. You will only see the items to which your account has access. Chapter 3: Configure Your SiteMinder Policy Server 29

30 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Create a Host Configuration Object for your SharePoint Resources (r12 SP1) The Web Agent uses a Host Configuration object to connect with the Policy Server. You will need the name of a Host Configuration object that is stored on the Policy Server to configure a SiteMinder web agent on a web server that protects your resources. To create a host configuration object 1. Click Infrastructure, Hosts, Host Configuration, Create Host Configuration. The Create Host Configuration: Host Configuration Search pane appears. 2. Click Create a copy of an object of type Host Configuration, and then click OK. Create Host Configuration: Name pane appears. 3. Enter a distinctive name, and (optional) description. 4. Click Add, and then click the Host field. 5. Enter the IP Address of your Policy Server in the Host field. 6. Change any of the other configuration settings you want, and then click Submit. The Create Host Configuration task is submitted for processing. 30 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

31 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Create a Web Agent Object for your SharePoint Resources (r12 SP1) The Web Agent runs on the web server to protect resources, but each web agent must be associated with a Web Agent object on the Policy Server. You will need the name of this Web Agent object when you configure a SiteMinder web agent on a web server. To create a web agent object for your SharePoint resources 1. Click Infrastructure, Agent, Create Agent. The Create Agent pane appears, and the Create a new object of type Agent button is selected. 2. Click OK. The Create Agent: pane appears. 3. Enter a distinctive name, and (optional) description. Note: Web Agent names have the following limits: Agent names must contain 7-bit ASCII characters in the range of , including one or more printable characters. Agent names must not contain the ampersand (&) and asterisk (*) characters. Agent names are not case-sensitive. For example, you cannot create one Agent named MyAgent and another Agent named myagent. 4. Click Submit. The Create Agent task is submitted for processing. Chapter 3: Configure Your SiteMinder Policy Server 31

32 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Create an Agent Configuration Object for your SharePoint Resources (r12 SP1) An Agent Configuration Object lets you specify parameter settings on the Policy Server that control how one or more web agents operate. You will need the name of an Agent Configuration Object stored on the Policy Server to configure a SiteMinder web agent on your web server. This Agent Configuration object must also contain certain parameters and settings to protect resources on a SharePoint web site with SiteMinder. To create an Agent Configuration object for your SharePoint resources 1. Click Infrastructure, Agent Configuration, Create Agent Configuration. Create Agent Configuration: Agent Configuration Search Screen pane appears. 2. Click Create a copy of an object of type Agent Configuration radio button. 3. Click IISDefaultSettings, and then click OK. The Create Agent Configuration: Name pane appears. 4. Enter a distinctive name, and (optional) description. 5. In the Parameters list, locate the #DefaultAgentName parameter and then click the Edit arrow (on the left). The Edit Parameter pane appears. 6. Do the following: a. Activate the parameter by removing the comment symbol (#) from the Name field. b. Click the Value field and type the name of the Agent Object you previously created with the Policy Server User Interface for your SharePoint implementation. Note: Web Agent names have the following limits: Agent names must contain 7-bit ASCII characters in the range of , including one or more printable characters. Agent names must not contain the ampersand (&) and asterisk (*) characters. Agent names are not case-sensitive. For example, you cannot create one Agent named MyAgent and another Agent named myagent. c. Click OK. The Edit Parameter pane closes and your changes are applied. 7. In the Parameters list, locate the #LogoffUri parameter and then click the Edit arrow. The Edit Parameter pane appears. 32 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

33 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources 8. Do the following: a. Activate the parameter by removing the comment symbol (#) from the Name field. b. Click the Value field and type the following: /_siteminder/redirector.aspx c. Click OK. The Edit Parameter pane closes and your changes are applied. 9. In the parameters list, locate the BadURLChars parameter and click the Edit arrow. The Edit Parameter pane appears. 10. Do the following: a. Click the Value field and then remove any characters from the list that are found in the URLs of any resources you want to protect. For example, if the URL of a protected resource contains the < and > characters, then delete <, >, from the list. b. Click OK. The Edit Parameter pane closes and your changes are applied. 11. In the parameters list, locate the IgnoreExt parameter and click the Edit arrow. The Edit Parameter pane appears. 12. Do the following: a. Click the Value field and then remove the extensions of any image file types used in your protected resources from the list. For example, if you use.png files, then delete.png from the list. b. Click OK. The Edit Parameter pane closes and your changes are applied. 13. Click Add. The Create Parameter pane appears. 14. Click the Name field, and then type the following: autoauthorizeoptions 15. Click the Value field and then type the following: yes 16. Click OK. The Create Parameter pane closes. 17. Click Submit. The Create Agent Configuration Object task is submitted for processing. Chapter 3: Configure Your SiteMinder Policy Server 33

34 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Select a New Port Number for your IIS Default Web Site (r12 SP1) When a user requests a protected SharePoint web site, the SiteMinder Web Agent redirects the user to the default IIS web site and displays a login form (FCC). After the user's credentials are received and verified, the SiteMinder Web Agent redirects the user back to the protected SharePoint web site they originally requested. Since the SharePoint server takes over the default IIS port (80), and disables any existing web sites already running on that port, you may find it helpful to re-activate the Default IIS Web site on a different port. This lets you separate your SiteMinder IIS traffic from your SharePoint traffic and may help with logging or troubleshooting. You must also specify this updated port number in the SiteMinder Authentication scheme you create to protect your SharePoint resources. More information: Change the Port Number of the Default IIS Web Site (see page 67) 34 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

35 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Create an Authentication Scheme for your SharePoint Resources (r12 SP1) You need to create a separate SiteMinder authentication scheme for your SharePoint resources. This authentication scheme replaces the SharePoint FBA with a SiteMinder FCC. To create an authentication scheme for your SharePoint resources 1. Click Infrastructure, Authentication, Authentication Scheme, Create New Authentication Scheme. The Create Authentication Scheme pane appears. 2. Make sure the Create a new object of type Authentication Scheme radio button is selected, and then click OK. The Crete Authentication Scheme: pane appears. 3. Enter a distinctive name, and (optional) description. 4. Click the Authentication Scheme Type: drop-down list, and then select HTML Form Template. The Scheme Setup and Advanced group boxes appear. 5. Click the Web Server name field and type the fully-qualified domain name of your IIS Default Web site, as shown in the following example: iis_web_server_name.example.com 6. Click the Port field, and then enter the port number of your IIS default Web site. 7. Click Submit. The Create Authentication Scheme task is submitted for processing. Chapter 3: Configure Your SiteMinder Policy Server 35

36 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Create a User Directory Object for your Directory Server Instance (r12 SP1) For SiteMinder to protect resources on SharePoint, you must add information about your user directory server instance to the SiteMinder Policy Server. You will also need this information when you add the LDAP Provider to the web.config files of your SharePoint server. To create a user directory object for your directory server instance 1. Click Infrastructure, Directory, User Directory, Create User Directory. The Create User Directory: pane appears. 2. Enter a distinctive name, and (optional) description. 3. Click the Server field, and then enter the fully-qualified domain name of your directory server. For example, my_directory_server@example.com is a fully-qualified domain name. 4. Make sure all of the following check boxes are clear: Use authenticated user's security context Secure Connection 5. Select the Require Credentials check box, and then complete the following fields: Username Password Confirm Password 6. Click the Root field, and then type the following: dc=your_domain_name,dc=your_domain_extension Example: dc=example,dc=com 7. In the DN LDAP User Lookup section, click the Start field, and then type the following: uid= 8. Click the End field and type the following:,dc=your_domain_name,dc=your_domain_extension 9. Click the Universal ID (R) field, and then type the following: uid 10. Click Submit. The Create User Directory task is submitted for processing. 36 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

37 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Create an Application to protect your SharePoint Resources (r12 SP1) To protect your SharePoint resources with SiteMinder, you need to create a SiteMinder Application using the Administrative UI. To create an application to protect your SharePoint resources 1. Click Policies, Applications, Application, Create Application. The Create Application: pane appears. 2. Enter a distinctive name, and (optional) description. 3. Make sure that Web Agent appears in the Agent Type drop-down list. 4. Click the ellipsis button next to the Agent field. The Select Agent or Agent Group pane appears. 5. Click the button next to the Web Agent Object you created for your SharePoint resources, and then click OK. The Create Application: Name pane reappears showing the name of your Web Agent object. 6. Click the Authentication Scheme drop-down list and select the authentication scheme for your SharePoint resources. 7. In the User Directories Group Box, click Add/Remove. The Choose user directories dialog appears. 8. In the Available Members list, click the name of your SharePoint directory, and then click the right arrow. Your SharePoint user directory object appears in the Selected Members list. 9. Click OK. The Create Application: Name pane reappears showing the name of your Directory object. 10. Click Submit. The Create Application task is submitted for processing. Chapter 3: Configure Your SiteMinder Policy Server 37

38 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Leave the SharePoint Virtual Directories Unprotected (r12 SP1) Each SharePoint web site contains several virtual directories that must remain unprotected by SiteMinder. For example, if you are protecting a SharePoint web site in the following location of your IIS server: C:\Inetpub\wwwroot\wss\VirtualDirectories\10855 Then you must leave all of the following virtual subdirectories unprotected: _vti_bin _vti_inf _layouts To leave the SharePoint virtual directories unprotected 1. Open the Application you created to protect your SharePoint resources by doing the following: a. Click Policies, Applications, Application, Modify Application. The Modify Application pane appears. b. Click the button next to your SharePoint application, and then click Select. The Modify Application: Name pane appears. 2. Add components for the virtual directories by doing the following: a. In the components section, click Create. The Create Component dialog appears. b. Click the Name field and then enter a distinctive name. c. Click the Browse button next to the Agent field, and then select the name of the Web Agent you created to protect your SharePoint resources. The Agent name appears in the field. d. Click the Resource Filter field, and then type the following: _vti_bin e. Click the Unprotected radio button, and then click the Authentication Scheme drop-down list and select the Authentication Scheme you created for your SharePoint resources. f. Click OK. The virtual directory you created appears in the components list. g. Repeat Steps a through c. h. Click the Resource Filter field, and then type the following: _vti_inf 38 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

39 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources i. Repeat steps e and f. j. Repeat Steps a through c. k. Click the Resource Filter field, and then type the following: _layouts l. Repeat steps e and f. The list of components appears. Your settings should match those shown in the Resource Filter and Default Resource Protection columns in the following illustration: Note: The sort order of the items may be different. It does not affect their operation. 3. Click Submit. The Modify Application task is submitted for processing and unprotected settings for the virtual directories are saved. Chapter 3: Configure Your SiteMinder Policy Server 39

40 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Add Resources to your Application (r12 SP1) To protect your SharePoint resources with SiteMinder, you must define application resources which specify the protected items and which actions the SiteMinder web agent will intercept. To add resources to your application 1. Open the Application you created to protect your SharePoint resources by doing the following: a. Click Policies, Applications, Application, Modify Application. The Modify Application pane appears. b. Click the button next to your SharePoint application, and then click Select. The Modify Application: Name pane appears. 2. Add Resources to the application by doing the following: a. Click the Resource tab, and then click Create. The Create Application Resource: pane appears. b. Enter a distinctive name for the resource. c. Click the Resource field and enter the following: * The effective resource displays /* d. Under the Action group box, make sure that the Web Agent Actions radio button is selected, and then click the following actions: Get Post Put e. Click OK. The Create Application Resource: pane closes, and the Modify Application: Name pane appears. 3. Click Submit. 4. The Modify Application task is submitted for processing. 40 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

41 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Add Roles to your Application (r12 SP1) To protect your SharePoint resources with SiteMinder, the SiteMinder application you create must define application roles that define who can access the protected directory. To add roles to your application 1. Open the Application you created to protect your SharePoint resources by doing the following: a. Click Policies, Applications, Application, Modify Application. The Modify Application pane appears. b. Click the button next to your SharePoint application, and then click Select. The Modify Application: Name pane appears. 2. Add a Role to your Application by doing the following: a. Click the Roles Tab, and then click Create. The Create Role tab appears. b. Make sure the Create a new object of type Role radio button is selected, and then click OK. The Create Role: pane appears. c. Enter a distinctive name, and (optional) description. d. Click the Expression field, and then type the following: (TRUE) e. Click OK. The Modify Application: Name pane appears. 3. Click Submit. The Modify Application task is submitted for processing. Chapter 3: Configure Your SiteMinder Policy Server 41

42 How to Configure a SiteMinder r12 SP1 Application to Protect SharePoint Resources Create a Policy for your Application (r12 SP1) The last step in configuring a SiteMinder r12 SP1 Policy to protect your SharePoint resources involves creating a policy which combines access rights to the resources and roles. To create a policy for your application 1. Open the Application you created to protect your SharePoint resources by doing the following: a. Click Policies, Applications, Application, Modify Application. The Modify Application pane appears. b. Click the button next to your SharePoint application, and then click Select. The Modify Application: Name pane appears. 2. Click the Policies tab. The Policies group box appears. 3. Verify the following: The Select a context root drop-down list shows the root level (/). The Name radio button is selected. 4. Locate the table that shows your SharePoint resources and roles, and then select the check box to grant access to the resources, as shown in the following illustration: 5. Click Submit. The Modify Application task is submitted for processing. 42 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

43 Chapter 4: Configure SharePoint 2007 This section contains the following topics: How to Create a SharePoint 2007 Test Site (see page 43) How to Configure Your SharePoint Forms Based Authentication (see page 47) How to Create a SharePoint 2007 Test Site Creating a SharePoint test site will help you learn more about how SharePoint works and give you a chance to test your SharePoint and SiteMinder implementation in a staging environment before making changes on your production systems. To create a SharePoint test environment, use the following process: 1. Create a new SharePoint site (see page 44). 2. Add the new SharePoint site to a site collection (see page 45). 3. On your new SharePoint site, create a document library (see page 46). Chapter 4: Configure SharePoint

44 How to Create a SharePoint 2007 Test Site Create a New SharePoint Site Creating a new SharePoint site gives you a fixed reference point you can use as a guide as you prepare for your SiteMinder integration. To create a new SharePoint site 1. From your SharePoint host computer, click Start, Programs, Microsoft Office Server, SharePoint 3.0 Central Administration. The Central Administration home page appears. 2. Click the Application Management tab, and then click Create or extend Web application. The Create or Extend Web Application page appears. 3. Click Create a new Web application. The Create New Web Application page appears. 4. Select the options you want for the new site. Note the port number for future reference (if you are using different ports to distinguish your sites), and then click OK. The progress indicator appears. When your changes are saved, the Application Created page appears. 5. Follow any additional instructions on the screen to finish creating your new SharePoint site. The new SharePoint site is created. 44 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

45 How to Create a SharePoint 2007 Test Site Add the New SharePoint Site to a Site Collection After the new SharePoint site is created, you must add it to a Site Collection. To add the new SharePoint site to a site collection 1. Do either of the following: From the Application Created screen, click the Create Site Collection link. Open the SharePoint Central Administration site, click the Application Management tab, and then click Create Site Collection. The Create Site Collection page appears. 2. Make sure the URL for your new site appears in the drop-down list, as shown in the following example: 3. Complete the form to create your site collection, and then click OK. The progress indicator appears. When your changes are saved, the Top-Level Site Successfully Created page appears. Chapter 4: Configure SharePoint

46 How to Create a SharePoint 2007 Test Site Create a Document Library A document collection lets you test the version-control and change management features of the documents hosted on your SharePoint site. SiteMinder can control access to these SharePoint resources as well. To create a document library 1. Open your new SharePoint site in a browser. The Home page for your site appears. 2. Click the Site Actions, drop-down list, and then select Create. The Create page appears. 3. Under the Libraries column, click Document Library. The New Page Appears. 4. Complete the form, and then click Create. The page of your document library appears. The list of documents is empty. 5. Add documents to the collection by clicking New or Upload and following the instructions on the screen. Your document library is created. 46 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

47 How to Configure Your SharePoint Forms Based Authentication How to Configure Your SharePoint Forms Based Authentication If you want to use SiteMinder Forms-based authentication (FCC) with SharePoint, we recommend configuring your SharePoint forms-based authentication (FBA) first. This helps you verify that the SharePoint authentication works correctly before making the additional configuration changes that SiteMinder requires. If your SharePoint FBA is not already configured, use the following process: 1. Save copies of the current web.config files for all of the following SharePoint web sites under a different name (see page 48): The SharePoint Central Configuration site Each SharePoint web site you want to protect with SiteMinder 2. Add the following setting to the SharePoint Central Configuration web site (see page 49): Membership provider 3. Add the following settings to each SharePoint web site you want to protect (see page 51): Membership provider Authentication method 4. (Optional) Encrypt the sensitive information in the web.config files (see page 53). 5. Use the SharePoint Central Configuration web site to do the following: a. Change the authentication provider of each SharePoint site you want to protect (see page 54). b. Add users to each SharePoint site you want to protect (see page 55). c. Update the site administrator accounts to use FBA (see page 56). 6. Test your SharePoint FBA configuration (see page 57). Chapter 4: Configure SharePoint

48 How to Configure Your SharePoint Forms Based Authentication Back Up Your Existing web.config Files To configure SharePoint to operate with SiteMinder you need to modify the web.config file of your SharePoint Central Administration web site, and the web.config file of any SharePoint site you want to protect. Since a single IIS server may contain many virtual SharePoint sites, identifying the correct files to modify is critical. To locate and backup the existing web.config files 1. Open the IIS 6.0 Manager on your web server. 2. In the left pane, expand the web server, and then expand Web Sites. A list of web sites appears. 3. Right-click the SharePoint Central Administration site, and then select Open. Windows Explorer opens the directory for the Central Administration web site. 4. Open the web.config file and save a copy of the original using a different name. 5. Close the Windows Explorer window. 6. Go back to the IIS Manager window, and right-click the folder of a SharePoint site you want to protect, and then select Open. Windows Explorer opens the directory for the SharePoint web site. 7. Open the web.config file and save a copy of the original using a different name. We recommend using a name that will help you remember the point at which you changed the file. For example, if you are saving a copy of your FBA web.config file before adding the SiteMinder information, you might want to name the backup copy of the file fba_web.config. 8. Close the Windows Explorer window. 9. Repeat Steps 6 through 8 for each SharePoint site you want to protect. All of the existing web.config files have been backed up. 48 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

49 How to Configure Your SharePoint Forms Based Authentication Add the Membership Provider to the SharePoint Central Configuration Web Site To integrate Microsoft SharePoint with SiteMinder, you must update the web.config file of the central SharePoint web site with the following information: Membership Provider Defines the following information in the web.config file: Default Membership Provider Name Membership Provider Name and Type Directory Attributes User Name and password of account authorized to connect to the directory. (We recommend binding with an account for better security, but you can omit these attributes if you want to bind anonymously to the directory) Example: <membership defaultprovider="ldapmembership"> <providers> <add name="ldapmembership" type="microsoft.office.server.security.ldapmembershipprovider, Microsoft.Office.Server, Version= , Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="directory_server_name_or_ip_address" port="directory_server_instance_port_number" usessl="false" userdnattribute="entrydn" usernameattribute="cn" usercontainer="dc=server_domain,dc=domain_extension" userobjectclass="inetorgperson" userfilter="(objectclass=inetorgperson)" scope="subtree" otherrequireduserattributes="sn,givenname,cn" connectionusername="cn=user_name" connectionpassword="password" /> </providers> </membership> Chapter 4: Configure SharePoint

50 How to Configure Your SharePoint Forms Based Authentication To edit the web.config file of the SharePoint central administration web site 1. Open a copy of the original web.config file with an XML editor. Important! Do not use Notepad, Wordpad, (or any other text editor with line-length limitations) to edit the XML file. A text editor designed for writing programming source code will not generally have such line-length limitations. For more information, see the documentation or online help for your respective editor. 2. Locate the following tags: <system.web> <securitypolicy> 3. Insert the following sections between the tags, and then replace the variables shown with your values: <membership defaultprovider="ldapmembership"> <providers> <add name="ldapmembership" type="microsoft.office.server.security.ldapmembershipprovider, Microsoft.Office.Server, Version= , Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="directory_server_name_or_ip_address" port="directory_server_instance_port_number" usessl="false" userdnattribute="entrydn" usernameattribute="cn" usercontainer="dc=server_domain,dc=domain_extension" userobjectclass="inetorgperson" userfilter="(objectclass=inetorgperson)" scope="subtree" otherrequireduserattributes="sn,givenname,cn" connectionusername="cn=user_name" connectionpassword="password" /> </providers> </membership> 4. Save the web.config file and close the XML editor. The SharePoint Central Administration server contains a membership provider. 50 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

51 How to Configure Your SharePoint Forms Based Authentication Add the Membership Provider and Authentication Method to Each SharePoint Web Site you want to protect To integrate Microsoft SharePoint with SiteMinder, you must update the Web.Config file of each SharePoint web site that you want to protect using SiteMinder with the following information: Membership Provider Defines the following information in the web.config file: Default Membership Provider Name Membership Provider Name and Type Directory Attributes User Name and password of account authorized to connect to the directory. (We recommend binding with an account for better security, but you can omit these attributes if you want to bind anonymously to the directory) Example: <membership defaultprovider="ldapmembership"> <providers> <add name="ldapmembership" type="microsoft.office.server.security.ldapmembershipprovider, Microsoft.Office.Server, Version= , Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="directory_server_name_or_ip_address" port="directory_server_instance_port_number" usessl="false" userdnattribute="entrydn" usernameattribute="cn" usercontainer="dc=server_domain,dc=domain_extension" userobjectclass="inetorgperson" userfilter="(objectclass=inetorgperson)" scope="subtree" otherrequireduserattributes="sn,givenname,cn" connectionusername="cn=user_name" connectionpassword="password" /> </providers> </membership> Chapter 4: Configure SharePoint

52 How to Configure Your SharePoint Forms Based Authentication Authentication Mode Defines the following information in the web.config file: Which type of authentication is used by SharePoint. Any parameters required to use the specified type of authentication. For example, if Forms authentication is used, this section must contain the URL of the form where the user enters credentials. Default: "Windows" Example (FBA): <forms loginurl="/_layouts/login.aspx" /> Example (SiteMinder): <forms loginurl="/_siteminder/siteminderlogin.aspx" /> To edit the web.config file of each SharePoint web site you want to protect 1. Open the web.config file with an XML editor. Important! Do not use Notepad, Wordpad, (or any other text editor with line-length limitations) to edit the XML file. A text editor designed for writing programming source code will not generally have such line-length limitations. For more information, see the documentation or online help for your respective editor. 2. Locate the following tags: <system.web> <securitypolicy> 3. Insert the following sections between the tags, and then replace the variables shown (italicized) with your values: <membership defaultprovider="ldapmembership"> <providers> <add name="ldapmembership" type="microsoft.office.server.security.ldapmembershipprovider, Microsoft.Office.Server, Version= , Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="directory_server_name_or_ip_address" port="directory_server_instance_port_number" usessl="false" userdnattribute="entrydn" usernameattribute="cn" usercontainer="dc=server_domain,dc=domain_extension" userobjectclass="inetorgperson" userfilter="(objectclass=inetorgperson)" scope="subtree" otherrequireduserattributes="sn,givenname,cn" connectionusername="cn=user_name" connectionpassword="password" /> </providers> </membership> 4. Locate the following tag: <authentication mode="windows" /> 5. In the previous line do the following: Replace the word "Windows" with the word "Forms". Delete the closing slash and the extra white space. 52 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

53 How to Configure Your SharePoint Forms Based Authentication 6. Add the FBA lines shown in the following example: <forms loginurl="/_layouts/login.aspx" /> </authentication> The authentication section should match the following example: <authentication mode="forms"> <forms loginurl="/_layouts/login.aspx" /> </authentication> 7. Save the web.config file. The membership providers, and forms authentication settings are added. Repeat Steps 1 through 7 for each SharePoint web site you want to protect with SiteMinder. How to Encrypt the Sensitive Information in your web.config Files The web.config files for your SharePoint Central Administration site and any sites you want to protect with the Microsoft FBA or CA SiteMinder may contain sensitive information that you want to protect, such as the following: Directory server URLs User names Passwords For more information about encrypting the sensitive areas of your web.config file, go to the Microsoft Developer Network web site and search for one of the following phrases: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI Encrypt Configuration Sections in ASP.NET 2.0 Using RSA Chapter 4: Configure SharePoint

54 How to Configure Your SharePoint Forms Based Authentication Enable SharePoint FBA After the web.config files for both the SharePoint Central Administration site and the other web sites you want to protect have been modified, you need to enable the SharePoint FBA authentication. To enable SharePoint FBA 1. Click Start, Programs, Microsoft Office Server, SharePoint 3.0 Central Administration. The SharePoint Central Administration home page appears. 2. Click the Application Management Tab. The Application Management page appears. 3. In the Application Security section, click the Authentication Providers link. The Authentication Providers Page appears. 4. Make sure the SharePoint web site that you want to protect with FBA appears in the pull-down menu in the upper-right corner of the screen, as shown in the following illustration: 5. Click the Zone of your web site in the left column. The Edit authentication page appears. 6. Do the following: In the Authentication Type section, click the Forms button. In the Membership Provider Name field, type the name of your membership provider (this must match the name defined in your SharePont web.config files). In the Client Integration section, click the Yes button. 7. Click Save. The Authentication Providers page appears. 54 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

55 How to Configure Your SharePoint Forms Based Authentication Add Users to Your SharePoint Web Site After SharePoint FBA is enabled, you need to add users to your SharePoint web site. To add users to your SharePoint web site 1. Click the Application Management tab. The Application Management screen appears. 2. Under the Application Security section, click Policy for Web Application. The Policy for Web Application screen appears. 3. Click Add Users. The Add Users screen appears. 4. Make sure the SharePoint web site to which you want to add users appears in the pull-down menu in the upper-right corner of the screen, as shown in the following illustration: 5. (Optional) Select the Zone from the drop-down list. 6. Click Next. 7. In the Users field, do any of the following: Type the name of a user. Use the Check Names button to verify user names. Use the Browse button to locate users. Important! You must enter the User ID (uid) when adding or searching for users (searches using wildcards are also allowed). Searches using other attributes may not return results. 8. Select the check boxes of the permissions you want. 9. Click Finish. Users are added to your SharePoint web site. Chapter 4: Configure SharePoint

56 How to Configure Your SharePoint Forms Based Authentication Update the Site Collection Administrator Account to Use FBA The original Windows accounts that have site-collection-administrator privileges need to be authorized to use FBA. To update the site collection administrator accounts to use FBA 1. Click the Application Management tab. The application management page appears. 2. In the SharePoint Site Management section, click Site Collection Administrators. The Site Collection Administrators page appears. 3. Make sure the site collection that contains the resources you want to protect with FBA appears in the drop-down list, as shown in the following illustration: 4. Click the Primary Site Collection Administrator field, and then enter the name of the person you want to designate as an administrator, as shown in the following example: Site Collection Administrator Specifies a user who can create, maintain, or remove content from group of resources hosted on a SharePoint web site. If you are using SharePoint FBA, this user must exist in the directory of the membership provider, and the user name must have the following format: membership_provider_name:user_name Example: LDAPMembershipProvider:user01 Important! You must enter the User ID (uid) when adding or searching for users (searches using wildcards are also allowed). Searches using other attributes may not return results. 5. (Optional) Click the Secondary Site Collection Administrator Field, and enter the name of a person you want, as shown in Step Click OK. The Site Collection Administrators page closes and the Application Management page appears. The Administrators have been added. 56 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

57 How to Configure Your SharePoint Forms Based Authentication Test Your SharePoint FBA You should test your SharePoint FBA configuration by making sure the Site Collection Administrators can access their respective site collections. To test your SharePoint FBA 1. Open a web browser. 2. Enter the URL of the protected site collection. The Sign In form appears. 3. Type their user name and password of the fields on the form, and then click Sign In. The Home page of the site collection appears. Note: The Welcome message shown in the upper right after you sign into SharePoint displays your User ID. Chapter 4: Configure SharePoint

58

59 Chapter 5: Configure SiteMinder Web Agent and Related SharePoint Web Sites This section contains the following topics: How to Add SiteMinder to your SharePoint Environment (see page 59) How to Configure an IIS Web Agent to Protect SharePoint Resources (see page 64) How to Configure your SharePoint Web Sites for SiteMinder (see page 75) How to Add SiteMinder to your SharePoint Environment To replace the SharePoint FBA with the CA SiteMinder FCC authentication scheme, use the following process: 1. Install the SiteMinder Web Agent for IIS on the web server. 2. Add the SiteMinder.ASPX Files to the SharePoint web site. 3. Install the SiteMinder DLL file in the Global Assembly Cache. 4. Use a fully qualified-domain name in any SharePoint web sites. Chapter 5: Configure SiteMinder Web Agent and Related SharePoint Web Sites 59

60 How to Add SiteMinder to your SharePoint Environment Install the SiteMinder Web Agent for IIS The SiteMinder Web Agent for IIS must be installed on the computer that runs IIS and SharePoint To install the SiteMinder Web Agent for IIS 1. Download and extract the following file from the support site: smwa-version-crnumber-winarchitecture.zip Example: smwa-6qmr5-cr021-win32.zip 2. Double-click the.exe file. The installation wizard starts. 3. Use the wizard to install the SiteMinder web Agent. Note: The following directories are the default locations for the Windows operating system: (r6.x SP5): C:\Program Files\netegrity\webagent\ (r12 SP1): C:\Program Files\CA\webagent\ After installing the software, the wizard prompts you to restart your system. 4. Click the radio button you want, and then click Done. The wizard closes, and the web agent is installed. If you chose to restart your system in Step 4, then your computer restarts automatically. 60 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

61 How to Add SiteMinder to your SharePoint Environment How to Install the SiteMinder DLL to the Global Assembly Cache The SiteMinder Web Agent software contains a DLL file specifically for SharePoint integration. The SiteMinder installer places this file in the following location: web_agent_home\sharepoint\sitemindernet.dll Note: The default value of the web_agent_home variable is either of the following directories: (r6.x SP5): C:\Program Files\netegrity\webagent (r12 SP1): C:\Program Files\CA\webagent This DLL file must be installed in the Global Assembly Cache of the computer that hosts your Web Server. To install the DLL file, use one of the following methods: Drag and drop the DLL file from its installed location to the Global Assembly Cache Note: The Global Assembly Cache is located in the following directory: C:\WINDOWS\assembly Use the gacutil.exe tool (which is included with the.net Framework SDK 2.0). Note: For more information, see your Microsoft documentation, or go to More information: Microsoft Prerequisites (see page 13) Chapter 5: Configure SiteMinder Web Agent and Related SharePoint Web Sites 61

62 How to Add SiteMinder to your SharePoint Environment Add the SiteMinder.ASPX Files to the SharePoint Web Site SiteMinder uses several.aspx files when it protects Microsoft SharePoint web sites. These files need to be installed in a virtual directory for each SharePoint web site you want to protect. To add the SiteMinder.ASPX files to the SharePoint web site 1. Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager. The IIS Manager opens. 2. Expand the IIS Web Server in the left column. 3. Expand the Web Sites folder in the left column. 4. Right-click the SharePoint web site instance you want to protect, and then select New, Virtual Directory. The Virtual Directory Creation Wizard starts. Do the following steps: a. Click Next. The Virtual Directory Alias screen appears. b. In the Alias field, type the following, and then click Next. _siteminder c. Click the Browse button and navigate to the following directory: web_agent_home\sharepoint Note: The default value of the web_agent_home variable is either of the following directories: (r6.x SP5): C:\Program Files\netegrity\webagent (r12 SP1): C:\Program Files\CA\webagent d. Click OK. The path to the directory appears in the dialog. e. Click Next. f. Select the Run Scripts (such as ASP) check box, and then click Next. g. Click Finish. The wizard closes and the new directory appears in the IIS Manager. 5. Repeat Step 4 for each SharePoint web site you want to protect with SiteMinder. 62 Configuring SiteMinder Single Sign On for Microsoft SharePoint 2007 Using Forms-based Authentication

63 How to Add SiteMinder to your SharePoint Environment Use a Fully-Qualified Domain Name in your SharePoint Sites The SharePoint sites must use a fully-qualified domain name to integrate with the SiteMinder web agent. To set your SharePoint site to use a fully-qualified domain name 1. Click Start, Programs, Microsoft Office Server, SharePoint 3.0 Central Administration. The Central Administration page appears. 2. Click the Operations tab. A list of tasks appears. 3. In the Global Configuration section, click Alternate Access Mappings. A list of web sites appears. 4. Locate your SharePoint site. Examine the URL listed in the Public URL for Zone column on the right and verify that it uses a fully-qualified domain name. Note: my_web_site.example.com is an example of a fully-qualified domain name. 5. If the URL in Step 3 does not use a fully-qualified domain name, do the following: a. Click the Alternate Access Mapping Collection drop-down list, and then select Change Alternate Access Mapping Collection. A list of Alternate Access Mapping Collections appears. b. Click the link for your SharePoint site. The Alternate Access Mappings screen shows only those sites in your collection. c. Make sure the name of the SharePoint site you want to protect appears in the drop-down list, as shown in the following example: Chapter 5: Configure SiteMinder Web Agent and Related SharePoint Web Sites 63