CaseStudy for SSO between SharePoint and .Net Web App

INTRODUCTION

This CaseStudy will helps to implement singe-sign on between multiple asp.net web applications & share point web application based on form authentication.

This is been divided into three parts

Login Page Implementation
Web Applications

Open the Deployment Folder TechInvo.SSO

Creating the Virtual Directory of the Web Application

Go to Start -> Run -> Type inetmgr and Click Ok

Expand the Web Sites where you will find in the Left Navigation.

Right click on the Default Web Site , Go to New -> Virtual Directory

You will get the Virtual Directory Creation Wizard. Click on Next button.

Type the Alias Name as TechInvo.SSOWebApplication and Click on Next button

Now you have to give the Path of the Application Existing. Use Browse Button to go to the Deployment Folder and in that upto TechInvo.SSO\TechInvo.SSOWebApplication\

Now Check all the boxes and Click on Next

You will prompted by a Popup say Yes.

Now you will get the Successfully Completed Wizard as below, say Finish.

Now you will observe the Application in the IIS Manager

Open the Web.Config file of this Application

Logging Configuration Section

Add the below one in the Config Sections Tag

Logging Application Block

Add the below lines immediate after the Config Sections tag end

<loggingConfiguration name="Logging Application Block" tracingEnabled="false"

defaultCategory="General" logWarningsWhenNoCategoriesMatch="false">

<add source="Enterprise Library Logging" formatter="Text Formatter"

log="Application" machineName="SSP" listenerDataType="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.FormattedEventLogTraceListenerData, Microsoft.Practices.EnterpriseLibrary.Logging, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"

traceOutputOptions="None" filter="All" type="Microsoft.Practices.EnterpriseLibrary.Logging.TraceListeners.FormattedEventLogTraceListener, Microsoft.Practices.EnterpriseLibrary.Logging, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"

name="Formatted EventLog TraceListener" />

<add fileName="c:\Test\rolling.log" footer="----------------------------------------"

formatter="Text Formatter" header="----------------------------------------"

rollFileExistsBehavior="Overwrite" rollInterval="None" rollSizeKB="500"

timeStampPattern="yyyy-MM-dd" listenerDataType="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.RollingFlatFileTraceListenerData, Microsoft.Practices.EnterpriseLibrary.Logging, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"

traceOutputOptions="None" filter="All" type="Microsoft.Practices.EnterpriseLibrary.Logging.TraceListeners.RollingFlatFileTraceListener, Microsoft.Practices.EnterpriseLibrary.Logging, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"

name="Rolling Flat File Trace Listener" />

</listeners>

<add template="Timestamp: {timestamp}
Message: {message}
Category: {category}
Priority: {priority}
EventId: {eventid}
Severity: {severity}
Title:{title}
Machine: {machine}
Application Domain: {appDomain}
Process Id: {processId}
Process Name: {processName}
Win32 Thread Id: {win32ThreadId}
Thread Name: {threadName}
Extended Properties: {dictionary({key} - {value}
)}"

type="Microsoft.Practices.EnterpriseLibrary.Logging.Formatters.TextFormatter, Microsoft.Practices.EnterpriseLibrary.Logging, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"

name="Text Formatter" />

</formatters>

</listeners>

</add>

</listeners>

</add>

</categorySources>

</listeners>

</errors>

</specialSources>

</loggingConfiguration>

appSettings Tag

Find the appSettings tag in the file and add the below lines in the appSettings Tag,

Change the DefaultURL value accordingly to the Environment

connectionStrings Tag

Find the “connectionStrings” tag and add the below lines in the “connectionStrings”

If the Users are in the Separate Organizational Unit, add as below

If the Users are in the Users Folder, add as below

srvssp.com is the domain name of the machine, LocalSqlServer is the name of the connection string that should be maintained acroos different tags in web.config like membership provider & role manager. Do the same for all the web applications.

Authentication Tag

Find the “authentication” tag and replace that tag with below lines

</authentication>

Authorization Tag

Find the “authorization” tag and replace that tag with below lines

</authorization>

Machine Key Tag

Add the machineKey tag, after the end of “httpModules” tag and before the end of “System.web” tag. [Take from SharePoint Web Application, where we are going to integrate with SSO]

Membership Tag

Add the “membership” tag after the “machinekey” tag

</providers>

</membership>

Change the Application Name, ConnectionUsername and ConnectionPassword accordingly to the Environment

roleManager Tag

Add the “roleManager” tag below the “membership” tag

</providers>

</roleManager>

Web Applications

Here we have the two sub parts as ASP.NET Web Applications and SharePoint Web Application

ASP.NET Web Application IMPLEMENTATION

Open the Respective ASP.NET Application

Open the Web.Config file of this Application

Logging Section Tag

Add the below one in the Config Sections Tag

Logging Application Block

Add the below lines immediate after the Config Sections tag end

<loggingConfiguration name="Logging Application Block" tracingEnabled="true"

defaultCategory="General" logWarningsWhenNoCategoriesMatch="true">

<add source="Enterprise Library Logging" formatter="Text Formatter"

log="Application" machineName="" listenerDataType="Microsoft.Practices.EnterpriseLibrary.Logging.Configuration.FormattedEventLogTraceListenerData, Microsoft.Practices.EnterpriseLibrary.Logging, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"

name="Formatted EventLog TraceListener" />

<add fileName="c:\TechInvoLog\TechInvo.log" footer="----------------------------------------"

formatter="Text Formatter" header="----------------------------------------"

rollFileExistsBehavior="Overwrite" rollInterval="None" rollSizeKB="500"

name="Rolling Flat File Trace Listener" />

</listeners>

type="Microsoft.Practices.EnterpriseLibrary.Logging.Formatters.TextFormatter, Microsoft.Practices.EnterpriseLibrary.Logging, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"

name="Text Formatter" />

</formatters>

</listeners>

</add>

</listeners>

</add>

</categorySources>

</listeners>

</errors>

</specialSources>

</loggingConfiguration>

appSettings Tag

Find the appSettings tag in the file and add the below lines in the appSettings Tag,

</appSettings>

Change the GroupName as the value accordingly to the Active Directory Role Name

connectionString Tag

Find the “connectionStrings” tag and add the below lines in the “connectionStrings”

If the Users are in the Separate Organizational Unit, add as below

If the Users are in the Users Folder, add as below

authentication Tag

Find the “authentication” tag and replace that tag with below lines

</authentication>

authorization Tag

Find the “authorization” tag and replace that tag with below lines

</authorization>

machineKey Tag

Add the machineKey tag, after the end of “httpModules” tag and before the end of “System.web” tag. [Take from SSO Web Application, where we are going to integrate]

membership Tag

Add the “membership” tag after the “machinekey” tag

</providers>

</membership>

Change the Application Name, ConnectionUsername and ConnectionPassword accordingly to the Environment

roleManager Tag

Add the “roleManager” tag below the “membership” tag

</providers>

</roleManager>

Change the groupsToUse value accordingly to the application using.

LOGOUT FUNCTIONALITY

The below will explains the Log Out functionality implemented in Forms Authentication.

LOGOUT IMPLEMENTATION

Open the respective .aspx Page and add the ASP Button as follows

<asp:Button runat="server" ID="btnLogOut" Text="Log Out"

onclick="btnLogOut_Click"></asp:Button>

Open the Code behind Page .aspx.cs file and add the below lines

protected void btnLogOut_Click(object sender, EventArgs e)

{

FormsAuthentication.SignOut();

FormsAuthentication.RedirectToLoginPage();

}

The RedirectToLoginPage redirect the user to the page that is given in LoginURL of the Forms tag in web.config.

Role Check

The following steps explain the Role Check functionality implemented in Forms Authentication.

Add Reference ADRoleProvider.dll

Get the ADRoleProvider.dll from the TechInvo.Roles/bin/debug folder

Add Global.asax to the Web Application
Add the below Code to Global.asax.cs

protected void Application_AuthorizeRequest(object sender, EventArgs e)

{

string UserName = System.Threading.Thread.CurrentPrincipal.Identity.Name;

if (!String.IsNullOrEmpty(UserName))

{

UserName = UserName.Split('@')[0];

bool test = Roles.IsUserInRole(UserName, ConfigurationManager.AppSettings["GroupName"]);

if (!test)

{

Response.Redirect(ConfigurationManager.AppSettings["AccessDeniedPage"]);

}

SharePoint Web Application IMPLEMENTATION

Open the SharePoint Web Application

Find the respective application in C:\Inetpub\wwwroot\wss\VirtualDirectories\[Port Number/Name]

Open the Web.Config file of this Application

Logging Section Tag

Add the below one in the Config Sections Tag

For reference

Logging Application Block Tag

Add the below lines immediate after the Config Sections tag end

<loggingConfiguration name="Logging Application Block" tracingEnabled="true"

defaultCategory="General" logWarningsWhenNoCategoriesMatch="true">

<add source="Enterprise Library Logging" formatter="Text Formatter"

name="Formatted EventLog TraceListener" />

<add fileName="c:\WebPart\TechInvoSystems.log" footer="----------------------------------------"

formatter="Text Formatter" header="----------------------------------------"

rollFileExistsBehavior="Overwrite" rollInterval="None" rollSizeKB="500"

name="Rolling Flat File Trace Listener" />

</listeners>

type="Microsoft.Practices.EnterpriseLibrary.Logging.Formatters.TextFormatter, Microsoft.Practices.EnterpriseLibrary.Logging, Version=4.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"

name="Text Formatter" />

</formatters>

</listeners>

</add>

</listeners>

</add>

</categorySources>

</listeners>

</errors>

</specialSources>

</loggingConfiguration>

appSettings Tag

Find the appSettings tag in the file and add the below lines in the appSettings Tag,

</appSettings>

Change the GroupName as the value accordingly to the Active Directory Role Name

connection Strings Tag

Find the “connectionStrings” tag and add the below lines in the “connectionStrings”

If the Users are in the Separate Organizational Unit, add as below

If the Users are in the Users Folder, add as below

authentication Tag

Find the “authentication” tag and replace that tag with below lines

</authentication>

authorization Tag

Find the “authorization” tag and replace that tag with below lines

</authorization>

membership Tag

Add the “membership” tag after the “machinekey” tag

</providers>

</membership>

Change the Application Name, ConnectionUsername and ConnectionPassword accordingly to the Environment

roleManager Tag

Add the “roleManager” tag below the “membership” tag

<add name="DemoRoleProvider" connectionStringName="LocalSqlServer" applicationName="/"

type="System.Web.Security.SqlRoleProvider,System.Web, Version=2.0.0.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />

<add applicationName="/" name="ActiveDirRP" type="TechInvo.Roles.ADRoleProvider, ADRoleProvider"

activeDirectoryConnectionString="LocalSqlServer" groupMode="Additive"

groupsToUse="TechInvo,OMSApp,PricingTool" />

</providers>

</roleManager>

Change the groupsToUse value accordingly to the Active Directory.

Encrypting the Membership and Rolemanager Tags

Configuration files such as the web.config file are often used to hold sensitive information, including user names, passwords, database connection strings, and encryption keys. If we do not protect this information, our application is vulnerable to attackers or malicious users obtaining sensitive information such as account user names and passwords, database names and server names.

Encrypting and decrypting data incurs performance overhead. To keep this overhead to a minimum, encrypt only the sections of your configuration file that store sensitive data.`

The Aspnet_regiis.exe utility tool is located in the following directory:

%WinDir%\Microsoft.NET\Framework\<versionNumber>

The -pe switch specifies the configuration section to encrypt.
The -pef switch specifies the configuration section to encrypt and allows you to supply the physical directory path for your configuration file.
The -app switch specifies your Web application's virtual path. If it is a nested application, you need to specify the nested path from the root directory; for example, "/test/aspnet/MachineDPAPI".
The -prov switch specifies the provider name.

If the command is successful, you will see the following output:

Encrypting configuration section...

Succeeded!

Note The DPAPI machine key is stored at the following location:

%windir%\system32\Microsoft\Protect\S-1-5-18

1. Use the aspnet_regiis tool for Encrypting the Membership and Rolemanager tags.

To find aspnet_regiis navigate to the following folder C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727, here you will find the aspnet_regiis.exe tool.

Open the Command Prompt and go to the above folder by typing the below command line.

cd C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727

Now type the below command

aspnet_regiis –pef “system.web/membership” “Web.config file path”

For Eg:- aspnet_regiis –pef “system.web/membership” “C:\Deliverable_25_03_2010\TechInvo.SSO\TechInvo.SSOWebApplication”

Change the Folder name to locate exactly the web.config file

Follow the same procedure for all the other Asp.Net Web applications and SharePoint Web Application where changing the Folder Path respective to the environment.

For Encrypting the roleManager tag

Use the same tool and type as below

aspnet_regiis –pef “system.web/roleManager” “Web.config file path”

For Eg:- aspnet_regiis –pef “system.web/roleManager” “C:\Deliverable_25_03_2010\TechInvo.SSO\TechInvo.SSOWebApplication”

Change the Folder name to locate exactly the web.config file

Follow the same procedure for all the other Asp.Net Web applications and SharePoint Web Application where changing the Folder Path respective to the environment.

If need for Decrypting the Tags Please do as below

Use the same aspnet_regiis tool and change the –pef to –pdf and the respective tag needed according to the requirement.

aspnet_regiis –pdf “system.web/roleManager” “Web.config file path”

For Eg:- aspnet_regiis –pdf “system.web/roleManager” “C:\Deliverable_25_03_2010\TechInvo.SSO\TechInvo.SSOWebApplication”

Follow the same procedure for all the other Asp.Net Web applications and SharePoint Web Application where changing the Folder Path respective to the environment.

Troubleshooting Points:-

Scenario:-

Not able to login with credentials created using ASP.NET application. [SQL membership Provider]

Event Type: Information

Event Source: ASP.NET 2.0.50727.0

Event Category: Web Event

Event ID: 1315

Date: 2/25/2010

Time: 6:36:45 PM

User: N/A

Computer: SSP

Description:

Event code: 4006

Event message: Membership credential verification failed.

Event time: 2/25/2010 6:36:45 PM

Event time (UTC): 2/25/2010 1:06:45 PM

Event ID: 49ac92e0e53d4803a5e6ce7ae7c67e39

Event sequence: 9

Event occurrence: 4

Event detail code: 0

Application information:

Application domain: /LM/W3SVC/1657492262/Root-1-129115762208906250

Trust level: WSS_Minimal

Application Virtual Path: /

Application Path: C:\Inetpub\wwwroot\wss\VirtualDirectories\3377\

Machine name: SSP

Process information:

Process ID: 4084

Process name: w3wp.exe

Account name: NT AUTHORITY\NETWORK SERVICE

Request information:

Request URL: http://ssp:3377/_layouts/login.aspx?ReturnUrl=/

Request path: /_layouts/login.aspx

User host address: 192.168.2.17

User:

Is authenticated: False

Authentication Type:

Thread account name: SRVSSP\IUSR_SSP

Name to authenticate: mossuser1

Custom event details:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Error:-

Might be the connection string in the Membership tag is different from the Connection string tag which have the details of Active Directory
Might be different names of the providers in web.config and in Authentication providers of Central Administration
If we are using LDAP
- Might the mail id is not configured with domain name.

Action:-

Has to maintain the same key name for connection string across the web.config file
Has to maintain the same name of the Provider Names in all the areas.
If we are using LDAP,
- Open the User Profile in Active Directory, configure the mail to domain name for eg. mossadmin1@srvssp.com
- Use the domain name in the web.config as domainname.com.
- Give application name as /applicationname.
- In membership provider tag the definition & name should be the same as the name in active directory.

Scenario:-

Wrong Credentials. Please retype the UserName and Password

Event Type: Failure Audit

Event Source: MSSQLSERVER

Event Category: (4)

Event ID: 18456

Date: 2/24/2010

Time: 4:43:31 PM

User: NT AUTHORITY\NETWORK SERVICE

Computer: SSP

Description:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Error:-

Might be the password incorrect

Action:- Has to give the passowrd correctly.

Scenario:- Appending the URL extracted from Active Directory to the exisiting URL, means http://srvssp.com/TechInvo/www.google.com

Error:- In the HomePage Attribute of the Active Directory might be given as www.google.com

Action:- The HomePage Attribute should has to give as http://www.google.com

Scenario:-

ASP.NET site with link to a SharePoint site, Both SharePoint and the ASP.NET application are running in the same domain. When a user starts ASP.NET application, they are presented with a logon dialog (windows authentication). When they click the link to the SharePoint, they are presented with the same dialog again.

Error:- :

May be the Machine Key tag is different in applications
Connection String may be different

Action:-

Has to maintain the same Machine Key, taken from forms authentication sharepoint site
Has to keep same name of Connection String

Scenario:- ASP.NET application and SharePoint site cannot share their credentials directly.

Error:- As you have enabled the Integrated Windows Authentication (IWA), I suggest you to check your IE configurations to enable automatically logon:

Action:-

Disable or uninstall Internet Explorer Enhanced Security.
Add the SharePoint site to your Intranet zone in IE.
Check automatically logon only in Intranet Zone or automatically logon with current user name and password in Internet properties > Security > Local Intranet > Security Setting.

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

CaseStudy for SSO between SharePoint and .Net Web App