#SPSVB Authentication, Authorization and Identity… it’s more than meets the eye Dan Usher

SharePoint Saturday Events - Authentication, Authorization and Identity - More Than Meets the eye


Page 1: SharePoint Saturday Events - Authentication, Authorization and Identity - More Than Meets the eye

Authentication, Authorization and Identity… it's more than meets the eye

Dan Usher

Page 2: Welcome to SharePoint Saturday Virginia Beach, Jan 11, 2014

Gold Sponsors / Platinum Sponsors / Silver Sponsors

Schedule:
• 7:30 - 8:30 - Registration (Lobby), Breakfast (Sponsor Hall)
• 8:30 - 8:45 - Welcome
• 9:00 - 10:15 - 1st Sessions
• 10:30 - 11:45 - 2nd Sessions
• 11:45 - 12:30 - Lunch (Sponsor Hall)
• 12:30 - 1:45 - 3rd Sessions
• 2:00 - 3:15 - 4th Sessions
• 3:30 - 4:45 - 5th Sessions
• 5:00 - 5:30 - Closing & Giveaways

Page 3: Who am I?

Dan Usher, @binarybrewery, Booz Allen Hamilton Incorporated, Lead [email protected]


Page 5: Housekeeping

• Phones silenced, phasers set to stun
• Ask questions
• Please remember to turn in your filled-out bingo cards and event evaluations for prizes
• Follow SharePoint Events Virginia Beach on Twitter @spsevents and hashtag #spsvb

Page 6: Things to Cover

• Security in General
• Security with SharePoint
• Authentication vs. Authorization
• Claims Authentication / Authorization
• Available Options: Membership & Role Providers, Identity Provider, Cloud Based Services
• Art of Authorization
• Things to Remember

Page 7: What won't be covered

• NTLM: multi-hop issues, multi-prompt issues
• Kerberos: 2010? There's a docx for that - http://go.spdan.com/kerberos2010; 2013? There's TechNet for that - http://go.spdan.com/kerberos2013
• CredSSP: for connecting to a VM, not SharePoint directly… for when you can't use Kerberos delegation; Multi-Hop Support in WinRM - http://go.spdan.com/multihopwinrm; Rosebud module not in Windows XP / Office 2007

Page 8: Security

Page 9: Spoiler Alert!!!

• Planning is required…
• It's not the end-all, be-all…
• It can require integration with other systems…
• Sometimes security is like quantum mechanics… http://xkcd.com/1240/

Page 10: Security in General

Dictionary Definition:

• Freedom from danger, risk, etc.; safety.
• Freedom from care, anxiety, or doubt; well-founded confidence.
• Something that secures or makes safe; protection; defense.
• Freedom from financial cares or from want: The insurance policy gave the family security.
• Precautions taken to guard against crime, attack, sabotage, espionage

Page 11: Security Concerns in today's world

• Cyber Security
• Identity Theft
• Phishing
• Information Assurance
• Privacy Controls (PII, HealthIT, etc.)

Page 12: Identification – What is?

Dictionary Definition:

• The action or process of identifying someone or something or the fact of being identified: "tagged with a number for identification".
• A means of proving a person's identity, esp. in the form of official papers: "I asked to see his identification".

Page 13: Identification – Types of…

• Hardware token (TPM)
• Authentication token
• USB token
• Cryptographic token
• Client certificate
• Machine certificate
• Virtual token
• Conference badge / name tag
• Driver's license

Page 14: How do we protect Identity?

• Strong Passwords
• Web of Trust
• Multi-Factor Authentication
• Biometrics

(Slide graphic of sample leetspeak passwords such as 3L33tH@x0r; the rest of the graphic's text did not survive extraction.)

Page 15: Authentication – What is?

Dictionary Definition:

• To establish as genuine.
• To establish the authorship or origin of conclusively or unquestionably, chiefly by the techniques of scholarship: to authenticate a painting.
• To make authoritative or valid.

Sometimes we call it AuthN.

Page 16: Authorization – What is?

Dictionary Definition:

• The act of authorizing.
• Permission or power granted by an authority; sanction.
• To give authority or official power to.
• To give authority for; formally sanction (an act or proceeding).
• To establish by authority or usage.

Sometimes we call it AuthZ.

Page 17: Security with SharePoint

Page 18: Security with SharePoint

• How does security come into play with SharePoint? Same questions as in the security section before: How, Who, When, What and often Why
• Content-specific security
• Role-based as well as individual security
• Collaboration security: cross-team, cross-organizational, cross-company
• Specific permission sets for types of access and functionality

Page 19: AuthN – Types of…

• Windows: NTLM / Kerberos, Basic, Anonymous, Digest, Client Certificate
• Forms-based Authentication: Lightweight Directory Access Protocol (LDAP), Microsoft SQL Server, ASP.NET Membership and Role Providers

Page 20: AuthN – Still More Types of…

• SAML Token-based Authentication: Active Directory Federation Services (AD FS), 3rd party identity provider, Lightweight Directory Access Protocol (LDAP), third party tools
• Identity translations: Forms to Kerberos, SAML to Kerberos

Page 21: Authentication vs. Authorization

• Misunderstood terminology among users, IT and developers
• AuthN = verification of a claim: "I am Dan…"
• AuthZ = verification of permission: "Dan has access to…"
• Authentication precedes authorization
• Correct ID shown to the bank teller: you are asking to be authenticated on the account; once accepted, you become authorized on the account

Page 22: AuthN vs. AuthZ (continued)

• Exception to the rule: anonymous access can leave comments on a blog site; anonymous users are already authorized but not authenticated
• Too often we focus on authentication and not authorization
• We expect our users, clients etc. to just inherently know what they are to do
• We often forget that authentication can be broken, but authorization is slightly more complicated

Page 23: Authentication – Claim Terminology

• Identity: info about a person or object (AD, Google, Windows Live, Facebook etc.)
• Claim: attributes of the identity (user ID, email, age etc.)
• Token: binary representation of the identity; a set of claims and the signature over them
• Relying Party (aka RP): uses the token
• Security Token Service (STS): issuer of tokens for users

Page 24: Authentication – Claims

• SharePoint 2010 introduced Claims Authentication
• What is this? http://go.spdan.com/cba

Page 25: Authentication - Claims

Why introduce Claims Authentication?
• Standards based: WS-Federation 1.1 / WS-Trust 1.4 / SAML 1.1 token AuthN
• Single Sign-On
• Federation: already many providers (Live, Google, Facebook etc.)
• Microsoft standard approach: fed up with custom coding everything, every time
• Gets around (some) Office integration problems
• Easy to configure with little effort

Page 26: Authentication - Claims

• AD FS - it's what gives you Single Sign-On with Office 365 through WAAD
• Windows Server 2012 - it's what gives you Dynamic Access Control
• SharePoint 2013 - it's your default web application authentication mechanism
• SharePoint 2010 - it requires a bit of work to get service applications working… even just simple IWA claims

Page 27: What about Claims in Windows?

• Similar but different…
• Used for Dynamic Access Control, File Classification rules, attribute-based policies
• Requires Windows Server 2012
• Not in SharePoint 2010 or 2013
• Titus SharePoint Security

Page 28: What does Claims encoding look like?

http://go.spdan.com/claimsencoding
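The slide points to a write-up rather than showing the format. As an added example (not from the deck and not SharePoint's own code), the Python below decodes the compact claim strings that SharePoint 2010/2013 store as login names once a web application runs in claims mode. The sample strings are constructed, and only the claim-type codes commonly met in practice are mapped; anything else is reported as unmapped rather than guessed.

```python
"""Decode the claim strings SharePoint stores as login names in claims mode.

Illustrative Python, not SharePoint code. The layout is
    <i|c>:0<claim type><value type><issuer>|[<provider>|]<value>
  i / c        identity claim (the login identity) or any other claim (group, role, ...)
  0            reserved
  claim type   one character standing in for the full claim-type URI
  value type   one character standing in for the value-type URI ('.' = string)
  issuer       w = Windows, f = forms (ASP.NET membership provider),
               t = trusted (SAML) issuer, s = SharePoint's own STS
Forms and trusted issuers put the provider / issuer name between the two pipes.
"""
from dataclasses import dataclass
from typing import Optional

# Only the claim-type codes commonly met in practice are mapped; anything else is
# reported as unmapped rather than guessed.
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "+": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
    "!": "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider",
    "(": "http://schemas.microsoft.com/sharepoint/2009/08/claims/isauthenticated",
}
VALUE_TYPES = {".": "http://www.w3.org/2001/XMLSchema#string"}
ISSUER_TYPES = {"w": "windows", "f": "forms", "t": "trusted", "s": "sharepoint-sts"}


@dataclass(frozen=True)
class DecodedClaim:
    is_identity: bool
    claim_type: str
    value_type: str
    issuer_type: str
    provider: Optional[str]   # membership provider or trusted issuer name, else None
    value: str


def decode_claim(encoded: str) -> DecodedClaim:
    """Split an encoded claim into its parts; raise ValueError on anything malformed."""
    head, sep, tail = encoded.partition("|")
    if not sep or len(head) != 6 or head[0] not in "ic" or head[1:3] != ":0":
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    claim_code, value_code, issuer_code = head[3], head[4], head[5]
    if issuer_code not in ISSUER_TYPES:
        raise ValueError(f"unknown issuer code {issuer_code!r} in {encoded!r}")
    provider: Optional[str] = None
    value = tail
    if issuer_code in "ft":
        # forms and trusted issuers: "<provider>|<value>"
        provider, sep2, value = tail.partition("|")
        if not sep2 or not provider:
            raise ValueError(f"missing provider name in {encoded!r}")
    if not value:
        raise ValueError(f"missing claim value in {encoded!r}")
    return DecodedClaim(
        is_identity=head[0] == "i",
        claim_type=CLAIM_TYPES.get(claim_code, f"unmapped({claim_code})"),
        value_type=VALUE_TYPES.get(value_code, f"unmapped({value_code})"),
        issuer_type=ISSUER_TYPES[issuer_code],
        provider=provider,
        value=value,
    )


def describe(encoded: str) -> str:
    """One-line, human-readable rendering of an encoded claim."""
    c = decode_claim(encoded)
    kind = "identity" if c.is_identity else "claim"
    source = c.issuer_type if c.provider is None else f"{c.issuer_type}:{c.provider}"
    return f"{kind} {c.claim_type.rsplit('/', 1)[-1]}={c.value} from {source}"


# Constructed samples (not real accounts): Windows, forms, SAML identity, role, group, STS claims.
SAMPLES = [
    "i:0#.w|contoso\\dusher",
    "i:0#.f|fbamembers|contractor01",
    "i:05.t|adfs|dan@contoso.com",
    "c:0-.t|adfs|Managers",
    "c:0+.w|S-1-5-21-1-2-3-513",
    "c:0(.s|true",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:32} -> {describe(sample)}")
```

The reason the format matters for authorization: once a web application is converted to claims, every SPUser login name and every ACL entry is one of these strings, so a Windows user (`i:0#.w|…`) and the same person arriving through AD FS (`i:05.t|adfs|…`) are two different principals unless you map them.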

Page 29: Basics of SharePoint Classic AuthN

• Out of the box IIS basics
• Authentication is handled by IIS and ASP.NET
• Checks the user against Active Directory, local machine accounts, or another auth provider
• Passes the verification to IIS to proceed

Source: http://go.spdan.com/iisauth (ASP.NET Authentication)

Page 30: Basics of SharePoint Claims AuthN

1. Resource Requested
2. AuthN Request / Redirect
3. AuthN Request
4. Security Token
5. Security Token Request
6. Service Token
7. Resource Request w/ Service Token
8. Resource Sent

Actors: Identity Provider Security Token Service (aka IP-STS); SharePoint 2010 (aka RP)
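The eight steps above, played out in Python as an added illustration (not SharePoint's or AD FS's code). The security token is JSON signed with HMAC-SHA256 in place of an X.509-signed SAML 1.1 token, so "SharePoint trusts the issuer's certificate" is modelled as a registry of issuer name to verification key; the users, keys and realm are constructed for the example. What it adds beyond the diagram is what the SP-STS has to check at step 5 before it mints a service token: the issuer is registered, the signature verifies, the audience is this realm, and the token has not expired.

```python
"""Claims login between a browser, an IP-STS and SharePoint as relying party.

Illustrative Python, not SharePoint's or AD FS's code. The security token is
JSON signed with HMAC-SHA256 in place of an X.509-signed SAML 1.1 token, so
"SharePoint trusts the issuer's certificate" is modelled as a registry of
issuer name -> verification key. Users, keys and realm are constructed.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

Token = Dict[str, str]   # {"body": canonical JSON, "sig": hex HMAC over body}


def sign_token(key: bytes, payload: Dict) -> Token:
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def verify_token(key: bytes, token: Token) -> Optional[Dict]:
    """Return the payload if the signature checks out under `key`, else None."""
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(token["body"]) if hmac.compare_digest(expected, token["sig"]) else None


class IdentityProviderSTS:
    """IP-STS (e.g. AD FS): checks credentials and issues a security token for a realm (steps 3-4)."""

    def __init__(self, name: str, signing_key: bytes, users: Dict[str, Dict]):
        self.name, self.signing_key, self.users = name, signing_key, users

    def authenticate(self, username: str, password: str, realm: str, now: float) -> Optional[Token]:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
            return None
        claims = {"emailaddress": user["email"], "role": user["roles"]}
        return sign_token(self.signing_key, {"iss": self.name, "aud": realm, "exp": now + 600, "claims": claims})


class SharePointRP:
    """Relying party plus its own STS. Only issuers registered here are accepted
    (the equivalent of a trusted identity token issuer and its root certificate)."""

    def __init__(self, realm: str, trusted_issuers: Dict[str, bytes], session_key: bytes):
        self.realm, self.trusted_issuers, self.session_key = realm, trusted_issuers, session_key

    def exchange(self, security_token: Token, now: float) -> Optional[Token]:
        """Steps 5-6: validate the IP-STS token, then mint a service (session) token."""
        issuer = json.loads(security_token["body"]).get("iss")   # read the name first, trust nothing yet
        key = self.trusted_issuers.get(issuer)
        if key is None:
            return None                                           # unknown issuer
        payload = verify_token(key, security_token)
        if payload is None or payload["aud"] != self.realm or payload["exp"] <= now:
            return None                                           # forged, for another realm, or expired
        subject = f"i:05.t|{issuer}|{payload['claims']['emailaddress']}"   # SharePoint-style encoded identity
        return sign_token(self.session_key,
                          {"sub": subject, "aud": self.realm, "exp": now + 3600, "claims": payload["claims"]})

    def get(self, url: str, service_token: Optional[Token], now: float) -> Dict:
        """Steps 1-2 (no session: redirect) and 7-8 (valid session: resource)."""
        if service_token is None:
            return {"status": 302, "location": "ip-sts"}
        session = verify_token(self.session_key, service_token)
        if session is None or session["aud"] != self.realm or session["exp"] <= now:
            return {"status": 401}
        return {"status": 200, "url": url, "subject": session["sub"], "roles": session["claims"]["role"]}


def login_flow(rp: SharePointRP, sts: IdentityProviderSTS, username: str, password: str, now: float) -> List[str]:
    """Drive the eight steps from the slide; the returned trace shows where a bad login stops."""
    trace = ["1 resource requested"]
    if rp.get("/sites/hr", None, now)["status"] != 302:
        return trace + ["unexpected: resource served without authentication"]
    trace += ["2 redirected to IP-STS", "3 authn request to IP-STS"]
    security_token = sts.authenticate(username, password, rp.realm, now)
    if security_token is None:
        return trace + ["IP-STS refused credentials"]
    trace += ["4 security token issued", "5 security token presented to SP-STS"]
    service_token = rp.exchange(security_token, now)
    if service_token is None:
        return trace + ["SP-STS rejected security token"]
    trace += ["6 service token issued", "7 resource requested with service token"]
    response = rp.get("/sites/hr", service_token, now)
    return trace + [f"8 resource sent: {response['status']} as {response.get('subject')}"]


# Constructed environment: one trusted issuer, one issuer SharePoint was never told about.
ADFS_KEY, ROGUE_KEY = b"adfs-demo-signing-key", b"rogue-demo-signing-key"
ADFS = IdentityProviderSTS("adfs", ADFS_KEY,
                           {"dusher": {"password": "correct horse", "email": "dan@contoso.com", "roles": ["Managers"]}})
ROGUE = IdentityProviderSTS("evil-sts", ROGUE_KEY,
                            {"dusher": {"password": "anything", "email": "dan@contoso.com", "roles": ["Farm Admins"]}})
SHAREPOINT = SharePointRP("urn:sharepoint:intranet", {"adfs": ADFS_KEY}, session_key=b"sp-sts-demo-session-key")

if __name__ == "__main__":
    for line in login_flow(SHAREPOINT, ADFS, "dusher", "correct horse", time.time()):
        print(line)
```

Running it with the rogue STS instead of `ADFS` stops the trace at step 5: the token is well formed and signed, but the relying party never registered that issuer, which is exactly the trust that `New-SPTrustedIdentityTokenIssuer` and the root certificate establish on a real farm.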

Page 31: Side Story

Page 32: A SharePoint Consultant enters a bar…

• NTLM - hand over your ID every time you want a drink
• Kerberos - hand over your ID the first time at the door, and it's passed transparently in the background for you
• Claims - look to the bartender, who points you to the bartender he trusts; that one takes your ID and gives you a token that you hand back to the first bartender
• Anonymous Access - equivalent of an open bar at a wedding, no one really asks…

Page 33: AuthN - Membership & Role Providers

• Classic .NET approach
• Support local authentication store
• Support remote authentication stores: web services, remote database calls
• No inherent Single Sign-On: custom code to achieve this, namely cookie based
• Full support for base .NET providers
• Membership Provider – user accounts and authentication
• Role Provider – equivalent of groups, the authorization element

Page 34: AuthN - Membership & Role Providers

• Specific configuration needed for each web application, for Central Administration and for the Security Token Service web application
• Extensive "web.config" entries needed
• Custom components in SharePoint will be needed: Welcome Control, Login Control etc.

Page 35: AuthN – Custom Identity Provider

• No need for Membership and Role Provider; can still be used – NOTE: Membership User approach
• Single Sign-On built in – the web application needs to be set to require authentication, not anonymous
• Centrally managed; the entry point for all authentication
• Support local authentication store
• Support remote authentication stores: web services, remote database calls

Page 36: AuthN – Custom Identity Provider

• Utilizes Windows Identity Foundation (WIF)
• Can use .NET 3.5 / 4.0
• PowerShell configuration to implement
• Requires a trusted certificate for communication
• Custom components in SharePoint will be needed: Welcome Control, Login Control etc.

Page 37: AuthN - Proxy Server

• Microsoft ISA or Threat Management Gateway
• Microsoft Unified Access Gateway
• Microsoft Remote Access role, Web Application Proxy (2012 R2) with a non-claims relying party: Kerberos Constrained Delegation
• Cisco, F5 BIG-IP, Juniper or some other hardware appliance

Page 38: AuthN - DirectAccess

• Windows Server 2008 R2 or 2012; vastly simplified in 2012
• Requires the machine to be domain joined
• Requires a client (machine) certificate in 2008 R2; a machine certificate is optional in 2012
• It's like you're already on your network… because you are… through IPv6
• Available for other operating systems (Mac OS X, Unix, Linux) through 3rd party solutions (e.g. Centrify)

Page 39: Windows Azure Active Directory

• Also known as WAAD
• Incorporates the former Azure Access Control Service (ACS)
• Microsoft AD FS-type cloud based service
• Central point for offloading authentication
• Supports SAML 1.1 / SAML 2.0
• Supports Facebook, Google, Windows Live ID, Yahoo, custom IdP, OpenID
• Support for 3rd party integration
• Claim mapping through configuration
• Directory created in Azure as tenantname.onmicrosoft.com
• Runs in the background of Office 365

Page 40: Identity Providers

• Deployment into a separate web site, e.g. https://sts.domain.com
• Use SSL for all communication
• Ensure SharePoint 2010/2013 trusts the certificate being used by the provider
• Create a User class – methods to get values from the backend into claims
• Create a Claim Types class
• Create custom login methods and validation

Page 41: AuthZ

• SharePoint does this after authentication: Is the user a member of the group? Is the user account added to the ACL of the object? Does the user have the required attribute?
• SharePoint only understands what it is told, e.g. just because a user logged in does not mean they are authorized
• Best approach to authorize: Active Directory groups, roles from the Membership and Role Provider, claims associated with the user
• SharePoint default: "DENY"

Page 42: SharePoint AuthZ

(Slide diagram; stages as listed: Anonymous; Authentication; Is In Site Group?; Does user have claim attribute?; Web Application / Site Collection; Secured Site / Site Collection / Content; Content Repository; Content)
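Pages 41 and 42 together, plus the anonymous-comments exception from page 22, as an added Python example (illustrative, not SharePoint's permission engine): securable objects inherit role assignments from their parent unless they break inheritance, an ACL entry matches a subject by user identity, site-group membership, All Authenticated Users, or a role/group claim, anonymous rights are a separate setting, and whatever matches nothing ends in the default DENY. The permission levels, site groups, objects and subjects are constructed for the example.

```python
"""Authorization after authentication, SharePoint style: group / ACL / claim matching
with inheritance down the object tree and DENY when nothing matches.

Illustrative Python, not SharePoint's permission engine. Permission levels, site
groups and subjects below are constructed for the example; subjects are sets of
encoded claims as SharePoint would store them, and None stands for anonymous.
"""
from typing import Dict, Optional, Set

ALL_AUTHENTICATED = "c:0(.s|true"   # the 'All Authenticated Users' principal in claims encoding

PERMISSION_LEVELS: Dict[str, Set[str]] = {
    "Full Control": {"ViewListItems", "AddListItems", "EditListItems", "DeleteListItems", "ManagePermissions"},
    "Contribute": {"ViewListItems", "AddListItems", "EditListItems", "DeleteListItems"},
    "Read": {"ViewListItems"},
}


class SecurableObject:
    """A web, list/library or item. role_assignments=None means 'inherit from parent';
    anonymous_rights=None likewise inherits, an empty set switches anonymous access off here."""

    def __init__(self, name: str, parent: Optional["SecurableObject"] = None,
                 role_assignments: Optional[Dict[str, str]] = None,
                 anonymous_rights: Optional[Set[str]] = None):
        if parent is None and role_assignments is None:
            raise ValueError("a root object must carry its own role assignments")
        self.name, self.parent = name, parent
        self.role_assignments = role_assignments      # principal -> permission level name
        self.anonymous_rights = anonymous_rights

    def effective_role_assignments(self) -> Dict[str, str]:
        node = self
        while node.role_assignments is None:
            node = node.parent
        return node.role_assignments

    def effective_anonymous_rights(self) -> Set[str]:
        node = self
        while node.anonymous_rights is None and node.parent is not None:
            node = node.parent
        return set(node.anonymous_rights or ())


def principal_matches(principal: str, subject: Set[str], site_groups: Dict[str, Set[str]]) -> bool:
    """Is `subject` (its identity plus group/role claims) covered by this ACL entry?"""
    if principal == ALL_AUTHENTICATED or principal in subject:
        return True
    members = site_groups.get(principal, set())     # SharePoint site group: users, AD groups, role claims
    return ALL_AUTHENTICATED in members or any(m in subject for m in members)


def effective_rights(obj: SecurableObject, subject: Optional[Set[str]],
                     site_groups: Dict[str, Set[str]]) -> Set[str]:
    """Union of rights from every matching ACL entry; nothing matched -> empty set (default DENY)."""
    if subject is None:
        return obj.effective_anonymous_rights()
    rights: Set[str] = set()
    for principal, level in obj.effective_role_assignments().items():
        if principal_matches(principal, subject, site_groups):
            rights |= PERMISSION_LEVELS.get(level, set())
    return rights


def is_authorized(obj: SecurableObject, subject: Optional[Set[str]], right: str,
                  site_groups: Dict[str, Set[str]]) -> bool:
    return right in effective_rights(obj, subject, site_groups)


# Constructed site: a blog web, its comments list, and an HR library that breaks inheritance.
SITE_GROUPS = {
    "Intranet Members": {ALL_AUTHENTICATED},
    "HR Owners": {"i:0#.w|contoso\\hradmin"},
}
BLOG = SecurableObject("Blog", role_assignments={"Intranet Members": "Contribute", "HR Owners": "Full Control"},
                       anonymous_rights={"ViewListItems"})
COMMENTS = SecurableObject("Blog/Comments", parent=BLOG, anonymous_rights={"ViewListItems", "AddListItems"})
HR_DOCS = SecurableObject("Blog/HR Documents", parent=BLOG,
                          role_assignments={"HR Owners": "Contribute", "c:0-.t|adfs|Managers": "Read"},
                          anonymous_rights=set())
HANDBOOK = SecurableObject("Blog/HR Documents/handbook.docx", parent=HR_DOCS)

DAN = {"i:05.t|adfs|dan@contoso.com", "c:0-.t|adfs|Managers"}     # SAML user with a role claim
HR_ADMIN = {"i:0#.w|contoso\\hradmin"}                               # Windows user in a site group
CONTRACTOR = {"i:0#.f|fbamembers|contractor01"}                      # forms user with no HR rights

if __name__ == "__main__":
    for who, subject in [("anonymous", None), ("dan", DAN), ("hradmin", HR_ADMIN), ("contractor", CONTRACTOR)]:
        for obj in (COMMENTS, HR_DOCS, HANDBOOK):
            print(f"{who:10} {obj.name:34} {sorted(effective_rights(obj, subject, SITE_GROUPS)) or 'DENY'}")
```

Two things the printout makes visible: the anonymous visitor can add a comment without ever authenticating (page 22's exception), and the authenticated contractor gets DENY on the HR library even though login succeeded, because nothing there names them (page 41's "just because a user logged in does not mean they are authorized").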

Page 43: Expect the Unexpected

Page 44: Real World

Page 45: What do I do where?

• Inside the network… stick with Claims Integrated Windows AuthN
• Outside the network… Unified Access Gateway, TMG or WS2012 WAP with KCD; your favorite reverse proxy appliance (Cisco, BIG-IP, Juniper, etc.); AD FS with client certificate AuthN; AD FS with a partner organization
• In the cloud… Windows Azure Active Directory with a connector

Page 46: Security in the Real World

• Expect the unexpected: people will find a way to circumvent your security
• Give users minimal permission: starting with less is good; add functionality through permission as needed
• Be prepared to secure at all levels: Web Application, Site Collection, Site, List or Library, Item
• Use roles from the provider: Active Directory groups, Membership and Role Provider roles, claims

Page 47: Questions
