EPiServer 7 Connect for SharePoint – Security and Delegation

This document describes steps needed to enable delegation between EPiServer CMS Virtual Path Provider for Microsoft SharePoint and Microsoft SharePoint Server. The main purpose of delegation is to enable access for EPiServer CMS users to the SharePoint server libraries with SharePoint credentials. For information about delegation in Windows Server 2003 and protocol transition, see the Microsoft tech note.

Prerequisites

The following conditions must be met to enable delegation:

  • Make sure that Microsoft SharePoint server and EPiServer CMS server belong to the same Windows domain.
  • DNS is properly configured, so both EPiServer CMS server and Microsoft SharePoint server can be resolved by name.

Configuring the Servers

There are two solutions to configure delegation between EPiServer CMS and Microsoft SharePoint servers. Which to use depends on what account you use to run EPiServer CMS web application pool. For both solutions you have to complete by Setting Account Permissions.

Solution 1

This procedure assumes that you are running your EPiServer CMS web application under the Network Service machine account.

  1. Create a SPN for your EPiServer CMS server as follows (as Kerberos requires an SPN to support mutual authentication) :
    a) Make sure you have setspn.exe tool on your domain controller server. If you don't have it, your can install the Windows Server 2003 Tools from the Windows Server 2003 CD. More information about setspn tool is available in Microsoft TechNet article.
    b) From a command prompt, run the setspn command twice from the C:\Program Files\Support Tools directory as shown here:
    setspn -A HTTP/EPiServerWebServerName:Port EPiServerWebServerName
    setspn -A HTTP/EPiServerWebServerName.FullyQualifiedDomainName:Port EPiServerWebServerName
    
    Note!   EPiServerWebServerName is the server name where the EPiServer website is installed.
    Note!   You can only have a single SPN associated with any HTTP service (DNS) name, which means you cannot create SPN for different service accounts mapped to the same HTTP server unless they are on different ports. The SPN can include a port number.
    Example: If you have domain named TESTDOMAIN.EP.SE, EPiServer CMS site installed on server with the name CMSSERVER on port 17000, the setspn commands will look as follows:
    setspn -A HTTP/CMSSERVER:17000 CMSSERVER
    setspn -A HTTP/CMSSERVER.TESTDOMAIN.EP.SE:17000 CMSSERVER
  2. Login to your domain controller server.
  3. Start the Microsoft Management Console (MMC) > Active Directory Users and Computers snap-in.
  4. Click the Computers node on the left.
  5. Double-click your EPiServer CMS web server computer to the right to display the properties.
    Note!  If Properties does not have a Delegation tab and there is a single checkbox called Trust Computer for Delegation on the General tab, your domain is operating as a Windows 2000 mixed domain. You must raise the domain functional level to Windows Server 2003 as described in Prerequisites in this document.
  6. On the Delegation tab of the Properties window for the EPiServer CMS Web server computer, select Trust this computer for delegation to specified services only. Specify which services that can be accessed in the bottom pane.
  7. Beneath Trust this computer for delegation to specified services only, select Use any authentication protocol.
  8. Click Add.
  9. In Add Services, click the Users or computers button.
  10. In the Select Users or Computers dialog, type the name of your Microsoft SharePoint server computer if you are running Microsoft SharePoint application pool as System or Network Service. Alternatively, if you are running Microsoft SharePoint application pool by using a custom domain account, enter that account name instead and click OK.
  11. You will see all the service principal names configured for the selected user or computer account. To restrict access to Microsoft SharePoint, select the http service, and then click OK.
  12. Click OK and restart IIS by using the iisreset command.

    EPiServer CMS server delegation tab  

Solution 2

This procedure assumes that you are running your EPiServer CMS Web application under a custom domain account.

  1. Create an SPN for your custom domain account as follows (as Kerberos requires an SPN to support mutual authentication) :
    a) Make sure you have setspn.exe tool on your domain controller server. If you don't have it, you can install the Windows Server 2003 Tools from the Windows Server 2003 CD. More information about setspn tool is available in Microsoft TechNet article.
    b) From a command prompt, run the setspn command twice from the C:\Program Files\Support Tools directory as shown here.
    setspn -A HTTP/EPiServerWebServerName:Port domain\customAccountName
    setspn -A HTTP/EPiServerWebServerName.FullyQualifiedDomainName:Port domain\customAccountName
    Note!   EPiServerWebServerName is the server name where the EPiServer website is installed.
    Note!   You can only have a single SPN associated with any HTTP service (DNS) name, which means you cannot create SPNs for different service accounts mapped to the same HTTP server unless they are on different ports. The SPN can include a port number.
    Example: If you have domain named TESTDOMAIN.EP.SE, EPiServer CMS site installed on server with the name CMSSERVER on port 17000 and CMS application pool is running under custom account TESTDOMAIN\EPiAPP, the setspn commands will look as follows:
    setspn -A HTTP/CMSSERVER:17000 TESTDOMAIN\EPiApp
    setspn -A HTTP/CMSSERVER.TESTDOMAIN.EP.SE:17000 TESTDOMAIN\EPiApp
  2. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
  3. In the left pane of the MMC snap in, click the Users node.
  4. In the right pane, double-click the user account you are using to run the ASP.NET application. This displays the user account properties.
    Note!   If the Properties dialog box for your account does not have a Delegation tab, this indicates that a service principal name (SPN) does not exist for the user. Create an SPN as explained in step 1, above.
  5. On the Delegation tab of the Properties window for your account, select Trust this user for delegation to specified services only > Use any authentication protocol. Specify which services that can be accessed in the bottom pane.
  6. Click Add.
  7. In Add Services, click the Users or computers button.
  8. In the Select Users or Computers dialog, type the name of your database server and click OK.
  9. You will now see all the available services on your Microsoft SharePoint server. To restrict access to Microsoft SharePoint Web application, select the http service and click OK.

    Account delegation tab  

Setting Account Permissions

Grant your account used to run EPiServer CMS web application pool permissions to act as a part of operating system on the EPiServer web server. Go to Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment > Act as part of the operating system policy, click Add User or Group button and select user account used to run EPiServer CMS web application pool.

Note!   This places your process within the trusted computing base (TCB) of the web server, which makes your web server process very highly privileged. Where possible, you should avoid this approach because an attacker who manages to inject code and compromise your web application will have unrestricted capabilities on the local computer.

Configuring Microsoft SharePoint

To enable delegation in Microsoft SharePoint, you need check web application settings on Central Administration > Security > Specify authentication providers > Default in the following way:

  1. Check Enable Windows Authentication (default for Microsoft SharePoint).
  2. In Claims Authentication Types, select Integrated Windows Authentication > Negotiate (Kerberos).

    Configure SharePoint authentication providers
    Microsoft SharePoint authentication settings
  3. Restart IIS.

Configuring Virtual Path Provider for Microsoft SharePoint

To enable delegation usage in virtual path provider for SharePoint, add the following attributes in VPP configuration section in web.config:

  • bypassAccessCheck="True"
  • useImpersonation=”True”
  • wssDomainName = “YourDomainName”
<add showInFileManager="true"
         name="SharePointFiles"
         virtualName="SharePoint"
         virtualPath="~/SharePoint/"
         bypassAccessCheck="True"
         type="EPiServer.SharePointWssProvider.SharePointWssProvider,EPiServer.VirtualPathWssProvider"
         wssSiteUrl="http://[SharePointSiteUrl]/"
         wssLogin="Admin"
         wssPassword="[password]"
         wssDomainName="[testdomain.ep.se]"
         useImpersonation="True"
         useCache="True"
         cacheExpirationTime="60"
         cachedFilesTempFolder="C:\Temp" />

Important: SharePoint server is responsible for checking user access permissions when bypassAccessCheck="True" in delegation mode. It is highly NOT recommended to set bypassAccessCheck option to True if delegation is disabled.

Document last saved: February 27, 2013