EPiServer Connect for SharePoint - Security and Delegation
| Product version: | EPiServer Connect for SharePoint version 2.2 and 2.2 SP1 |
| --- | --- |
| Document version: | 1.0 |
| Document last saved: | 09-04-2010 |
Introduction
This tech note describes the steps required to enable delegation between the EPiServer CMS Virtual Path Provider for Microsoft SharePoint and the Microsoft SharePoint server. The purpose of delegation is to let EPiServer CMS users access the SharePoint server libraries with their SharePoint credentials. See the Microsoft tech note about delegation in Windows Server 2003 and protocol transition.
Prerequisites
The following conditions must be met to enable delegation:
- Make sure that the Microsoft SharePoint server and the EPiServer CMS server belong to the same Windows domain.
- Raise the domain functional level to Windows Server 2003 in the following way.
  Note! This operation is irreversible.
  - Log on to the PDC of the forest root domain with a user account that is a member of the Enterprise Administrators group.
  - To open Active Directory Domains and Trusts, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.
  - In the console tree, right-click Active Directory Domains and Trusts and click Raise Forest Functional Level.
  - Under Select an available forest functional level, click Windows Server 2003, and then click Raise.
Solution for Server Configuration
There are two solutions for configuring delegation between the EPiServer CMS and Microsoft SharePoint servers. Which one to use depends on the account that runs the EPiServer CMS Web application pool. For both solutions you also have to complete the post-solution actions (see below).
Solution 1
The procedure outlined below assumes that you are running the EPiServer CMS Web application under the Network Service (machine) account.
- Create an SPN for your EPiServer CMS Web server. Kerberos requires an SPN to support mutual authentication. For instructions on how to create an SPN for the domain account, see 1a) and 1b) below:
  a) Install the Windows Server 2003 Support Tools included on the Windows Server 2003 CD.
  b) From a command prompt, run the setspn tool twice from the C:\Program Files\Support Tools directory as below:
     setspn -A HTTP/EPiServerWebServerName:Port EPiServerWebServerName
     setspn -A HTTP/EPiServerWebServerName.FullyQualifiedDomainName:Port EPiServerWebServerName
  Note that only a single SPN can be associated with any HTTP service (DNS) name, so you cannot create SPNs for different service accounts mapped to the same HTTP server unless they are on different ports. The SPN can include a port number, as in the example below.
  Example: If the domain name is TESTDOMAIN.EP.SE and the EPiServer CMS Web site is installed on a server named CMSSERVER on port 17000, the setspn commands should be as below:
     setspn -A HTTP/CMSSERVER:17000 CMSSERVER
     setspn -A HTTP/CMSSERVER.TESTDOMAIN.EP.SE:17000 CMSSERVER
- Log on to the domain controller server.
- Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
- In the left pane of the MMC snap-in, click the Computers node.
- In the right pane, double-click your EPiServer CMS Web server computer to display the Properties dialog box.
  Note that if the Properties dialog box does not have a Delegation tab and there is a single check box called Trust computer for delegation on the General tab, your domain is operating as a Windows 2000 mixed domain. You must raise the domain functional level to Windows Server 2003 as described in the Prerequisites section of this document.
- On the Delegation tab of the Properties window for the EPiServer CMS Web server computer, Do not trust this computer for delegation is selected by default. Select Trust this computer for delegation to specified services only, and specify which services can be accessed in the bottom pane of the window.
- Beneath Trust this computer for delegation to specified services only, select Use any authentication protocol.
- Click the Add button. This displays the Add Services dialog box.
- Click the Users or Computers button.
- In the Select Users or Computers dialog, type the name of your Microsoft SharePoint server computer if the Microsoft SharePoint application pool runs as System or Network Service. If the Microsoft SharePoint application pool runs under a custom domain account, enter that account name instead. Then click the OK button.
- You will see all the service principal names configured for the selected user or computer account. To restrict access to Microsoft SharePoint, select the http service, and then click the OK button.
- Click OK and then restart IIS (for example with the iisreset command).
Solution 2
This procedure assumes that you are running your EPiServer CMS Web application under a custom domain account.
- Create an SPN for your custom domain account. Kerberos requires an SPN to support mutual authentication. To create an SPN for the domain account, see 1a) and 1b) below:
  a) Install the Windows Server 2003 Support Tools from the Windows Server 2003 CD.
  b) From a command prompt, run the setspn tool twice from the C:\Program Files\Support Tools directory as below:
     setspn -A HTTP/EPiServerWebServerName:Port domain\customAccountName
     setspn -A HTTP/EPiServerWebServerName.FullyQualifiedDomainName:Port domain\customAccountName
  Note that only a single SPN can be associated with any HTTP service (DNS) name, which means you cannot create SPNs for different service accounts mapped to the same HTTP server unless they are on different ports. The SPN can include a port number.
  Example: If the domain is named TESTDOMAIN.EP.SE, the EPiServer CMS site is installed on a server named CMSSERVER on port 17000, and the CMS application pool runs under the custom account TESTDOMAIN\EPiApp, the setspn commands should be as below:
     setspn -A HTTP/CMSSERVER:17000 TESTDOMAIN\EPiApp
     setspn -A HTTP/CMSSERVER.TESTDOMAIN.EP.SE:17000 TESTDOMAIN\EPiApp
- Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
- In the left pane of the MMC snap-in, click the Users node.
- In the right pane, double-click the user account you are using to run the ASP.NET application. This displays the user account properties.
  Note that if the Properties dialog box for your account does not have a Delegation tab, a service principal name (SPN) does not exist for the user. Create an SPN as explained in step 1 above.
- On the Delegation tab of the Properties window for your account, Do not trust this user for delegation is selected by default. To use constrained delegation, select Trust this user for delegation to specified services only. You can then specify precisely which service or services can be accessed in the bottom pane.
- Beneath Trust this user for delegation to specified services only, select Use any authentication protocol.
- Click the Add button. This displays the Add Services dialog.
- Click the Users or Computers button.
- In the Select Users or Computers dialog, type the name of your Microsoft SharePoint server computer (or, if the Microsoft SharePoint application pool runs under a custom domain account, that account name, as in Solution 1), and then click OK.
- You will now see all the available services on your Microsoft SharePoint server. To restrict access to the Microsoft SharePoint Web application, select the http service, and then click OK.
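The following script is an added example and not part of the original tech note: it reads the application pool account's servicePrincipalName, msDS-AllowedToDelegateTo and userAccountControl attributes from Active Directory and reports whether the SPN and constrained delegation settings from Solution 1 or Solution 2 are in place, whether the SPN is duplicated on another account, and whether the delegation target list contains anything beyond the SharePoint http service. The server names, port and account names are constructed values (CMSSERVER, 17000, TESTDOMAIN.EP.SE, SPSERVER, EPiApp); run it with Windows PowerShell on a domain-joined machine.

```powershell
# Added example, not from the EPiServer tech note: checks the SPN and constrained
# delegation settings from Solution 1 / Solution 2 directly in Active Directory.
# All names below are constructed values; adjust them to your environment.
param(
    [string]$CmsHost        = 'CMSSERVER',
    [int]   $CmsPort        = 17000,
    [string]$DnsSuffix      = 'TESTDOMAIN.EP.SE',
    # Account running the CMS application pool: the computer account
    # ('CMSSERVER$', Solution 1) or the custom domain user ('EPiApp', Solution 2).
    [string]$PoolAccount    = 'CMSSERVER$',
    [string]$SharePointHost = 'SPSERVER'     # assumed SharePoint server name
)

# userAccountControl flags: "Use any authentication protocol" (protocol transition)
# sets TRUSTED_TO_AUTH_FOR_DELEGATION; TRUSTED_FOR_DELEGATION means unconstrained.
$TRUSTED_FOR_DELEGATION         = 0x80000
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
$expectedSpns = @("HTTP/${CmsHost}:$CmsPort", "HTTP/$CmsHost.${DnsSuffix}:$CmsPort")

$searcher = [ADSISearcher]"(sAMAccountName=$PoolAccount)"
$searcher.PropertiesToLoad.AddRange([string[]]@(
    'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl'))
$acct = $searcher.FindOne()
if (-not $acct) { throw "Account '$PoolAccount' not found in the domain" }
$spns      = @($acct.Properties['serviceprincipalname'])
$allowedTo = @($acct.Properties['msds-allowedtodelegateto'])
$uac       = [int]$acct.Properties['useraccountcontrol'][0]

# 1. Both SPNs from the setspn commands must be on this account and on no other
#    account: a duplicate SPN makes Kerberos fail, the client falls back to NTLM
#    and delegation silently stops working.
foreach ($spn in $expectedSpns) {
    if ($spns -contains $spn) { "OK   SPN registered: $spn" } else { "FAIL SPN missing: $spn" }
    $dups = ([ADSISearcher]"(&(servicePrincipalName=$spn)(!(sAMAccountName=$PoolAccount)))").FindAll()
    foreach ($d in $dups) { "FAIL SPN $spn is also registered on: $($d.Properties['samaccountname'][0])" }
}

# 2. Delegation must be constrained, with protocol transition, never "any service".
if ($uac -band $TRUSTED_FOR_DELEGATION) { 'FAIL unconstrained delegation (any service) is enabled' }
if (-not ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) { "FAIL 'Use any authentication protocol' is not selected" }

# 3. msDS-AllowedToDelegateTo should list only the SharePoint http service.
$targetPattern = '^http/' + [regex]::Escape($SharePointHost) + '(\.|$)'
$spTargets = @($allowedTo | Where-Object { $_ -match $targetPattern })
if ($spTargets.Count -eq 0) { "FAIL no http/$SharePointHost entry in msDS-AllowedToDelegateTo" }
else { "OK   delegation target(s): $($spTargets -join ', ')" }
foreach ($t in $allowedTo | Where-Object { $_ -and $_ -notmatch $targetPattern }) {
    "WARN extra delegation target (review): $t"
}
```

A FAIL on the duplicate-SPN check is the usual reason the GUI steps above appear to succeed while users are still prompted or denied, so run this before restarting IIS.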
Required Post Solution Actions
After performing either of the solutions you also need to grant the account used to run the EPiServer CMS Web application pool the right to act as part of the operating system. This is done in Local Security Policy – User Rights Assignment – Act as part of the operating system: click the Add User or Group button and select the user account used to run the EPiServer CMS Web application pool.
Note that this places your process within the trusted computing base (TCB) of the Web server, which makes the Web server process very highly privileged. Where possible, you should avoid this approach because of the security risk: an attacker who manages to inject code and compromise your Web application will have unrestricted capabilities on the local computer.
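Because the right granted above puts the application pool account in the server's TCB, it is worth checking periodically that no other account holds it. The script below is an added example, not part of the original tech note: it exports the local user rights assignment with secedit and lists every holder of SeTcbPrivilege (the policy name behind Act as part of the operating system), resolving SIDs to account names where possible.

```powershell
# Added example, not from the EPiServer tech note: lists every account that holds
# "Act as part of the operating system" (SeTcbPrivilege) on this Web server, so the
# grant made above can be reviewed and limited to the CMS application pool account.
# Run from an elevated Windows PowerShell prompt on the EPiServer CMS Web server.
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -like 'SeTcbPrivilege*' }
Remove-Item $inf -Force
if (-not $line) { 'SeTcbPrivilege: no accounts assigned'; return }

# Exported format: SeTcbPrivilege = *S-1-5-21-...,*S-1-5-20  (SIDs are prefixed with *)
$holders = (($line -split '=', 2)[1]).Trim() -split ','
foreach ($h in $holders) {
    $h = $h.Trim()
    if ($h.StartsWith('*')) {
        # Translate the SID into DOMAIN\account for readability; keep the raw SID
        # if it cannot be resolved (for example an account that has been deleted).
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($h.Substring(1))
            $h = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
    }
    "SeTcbPrivilege held by: $h"
}
```

Any holder other than the application pool account (and the built-in entries present before the change) should be investigated, since an unresolvable SID here often means an orphaned grant.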
Microsoft SharePoint configuration
To enable delegation in Microsoft SharePoint you need to check the Web application settings under Central Administration – Application Management – Authentication Providers – Default. See below for further instructions.
- Select the Windows authentication type for the Web application (this is the default authentication type for Microsoft SharePoint).
- Select Integrated Windows authentication and Negotiate (Kerberos) in the IIS Authentication Settings.
- Restart IIS after the changes have been made.
EPiServer Connect for Microsoft SharePoint 2.2 VPP configuration
Finally, to enable delegation in the Virtual Path Provider for SharePoint you need to add two attributes to the VPP configuration section in the web.config file: useImpersonation="true" and wssDomainName="YourDomainName".
<add showInFileManager="true"
     name="SharePointFiles"
     virtualName="SharePoint"
     virtualPath="~/SharePoint/"
     bypassAccessCheck="false"
     type="EPiServer.SharePointWssProvider.SharePointWssProvider,EPiServer.VirtualPathWssProvider"
     wssSiteUrl="http://vm-kerbwss/"
     wssLogin="Admin"
     wssPassword="password"
     wssDomainName="kerberosiev.ep.se"
     useImpersonation="true"
     useCache="True"
     cacheExpirationTime="60"
     cachedFilesTempFolder="C:\Temp" />