OTP Server Integration Module for Microsoft SharePoint 2010, Version 1.0.1
Table of Contents

1 Overview
  1.1 Integration Overview
    1.1.1 Deciding to use Forms Authentication
    1.1.2 Nordic Edge OTP Integration Module for SharePoint
2 Requirements
  2.1 Minimum Requirements
    2.1.1 SharePoint
    2.1.2 Nordic Edge One Time Password Server
    2.1.2 Integration Module Files
3 Prerequisites SharePoint 2010
  3.1 Create a New Web Application
  3.2 Create a New Site Collection
4 Installing the Integration Module
  4.1 Copy files to the SharePoint Website
  4.2 Register DLL Files into the Global Assembly Cache
5 Configuration
  5.1 Edit web.config Files
  5.2 Setting the Login Token Expiration Correctly for SharePoint 2010 SAML Claims Users
6 Restarting the IIS Web Server
  6.1 Restarting IIS
7 Configure SharePoint Permissions
  7.1 Granting Permissions to Users and Groups (Roles) - Via Central Configuration
  7.2 Granting Permissions to Users and Groups (Roles) - Via My Site
8 Testing the Web Application
  8.1 Running SharePoint with the Nordic Edge OTP Integration Module
9 Appendix
  9.1 Troubleshooting
    9.1.1 Troubleshooting & Support
10 Document History
1 Overview

Nordic Edge One Time Password Server adds an extra security layer to protect your applications. When the user id and password have been successfully verified, a One-Time Password is sent to the user's mailbox or to the user's mobile phone via SMS (Short Message Service). This One-Time Password is then verified, and only after that is the user authenticated to the application.

1.1 Integration Overview

The SharePoint 2010 integration module for Nordic Edge One Time Password Server enables strong authentication for SharePoint 2010. The FormsAuthentication class that was used in the integration module for SharePoint 2007 is no longer used, because in SharePoint 2010 FBA users are actually claims users. The integration module therefore uses the SharePoint claims classes to work through the FBA login process.
1. The user enters the login page and types in username/password.
2. The integration module logs on to AD with username/password via the OTP Server.
3. On a successful username/password authentication, the Nordic Edge SharePoint integration module requests an OTP from the OTP Server.
4. The user enters the OTP. If it is valid, the Nordic Edge Membership/Role provider determines the SharePoint permissions of the current user (groups in AD that correspond to permission groups in SharePoint).
5. The user is logged in to the system with the appropriate permissions.

1.1.1 Deciding to use Forms Authentication

This section is part of a Microsoft document: http://msdn.microsoft.com/en-us/library/bb975136.aspx

Some organizations want to use Windows users and groups in SharePoint Products and Technologies, but enter credentials via forms authentication. Before using forms authentication, determine why to use forms authentication in the first place: What is the business driver? If user accounts are stored in a location other than an Active Directory domain controller, or if Active Directory is not available in a particular environment, using forms authentication with a membership provider is a good choice. But if you want to force logon only via forms authentication, but still use Windows and all of the integrated features it provides, you should consider an alternative such as publishing the SharePoint site with Microsoft Internet Security and Acceleration (ISA) Server 2006 and later versions. ISA Server 2006 and later versions allow users to log on by using a forms authentication Web form, but treat them like Windows users after authentication. This implementation provides a more consistent and compelling experience for end users.

Important: When you use forms authentication, client integration is disabled by default because client integration does not natively support forms authentication. You might be able to use many client integration features with forms authentication, and there are workarounds available to implement varying levels of client integration functionality with forms authentication. However, if published workarounds are inadequate, or if you find unexpected issues when you use workarounds, Microsoft does not provide support and there are no product changes to address these issues. If you plan to use client integration with forms authentication, you must fully test any available solutions or workarounds to determine whether the performance and functionality are acceptable in your environment. Microsoft Customer Support can provide commercially reasonable support to help you troubleshoot published workarounds.

1.1.2 Nordic Edge OTP Integration Module for SharePoint

Two custom aspx pages are required to use the Nordic Edge AD Membership Provider. The pages are called CustomLogin.aspx and OTPLogin.aspx and are accessed and handled by the Nordic Edge AD Membership Provider. The provider itself consists of three DLL files that remain on the server.
The Nordic Edge Membership Provider includes a Role Provider which supports Microsoft Active Directory. Follow these steps to complete the installation:

1. Copy files to the Web site
2. Register DLL files into the Global Assembly Cache
3. Configure the Nordic Edge AD Membership Provider in the web.config file(s)
4. Restart IIS
5. Grant permissions to users/roles
2 Requirements

2.1 Minimum Requirements

This section describes the installation of the Nordic Edge SharePoint 2010 integration module. The integration module requires a Microsoft directory, either Active Directory or Active Directory Lightweight Directory Services (AD-LDS).

2.1.1 SharePoint

SharePoint 2010.

2.1.2 Nordic Edge One Time Password Server

OTP Server 2.0 or later. (OTP Server 3.0 is required if the setting nativeclientname is used for the Membership Provider.) The OTP Server must be configured before the integration module can be used. See the OTP Server Administration Manual for more information on how to configure this.

2.1.2 Integration Module Files

Download OTP_Server_SharePoint_2010_ADMembershipProvider_1.0.zip
3 Prerequisites SharePoint 2010

This chapter is just a brief description of how to create a new SharePoint web application configured for Claims authentication. There are plenty of good blogs on the net describing this.

3.1 Create a New Web Application

1. Start the Central Administration web site.
2. Click on Manage web applications, then click on the New button in the ribbon to create a new web application.
3. In the Create New Web Application dialog, select the following settings (keep the default settings for the other ones):
   - Authentication: Claims Based Authentication
   - Claims Authentication Types: check the Enable Windows Authentication box, or you won't be able to crawl the site
   - Check the Enable Form Based Authentication checkbox (it is checked by default)
   - In the ASP.NET Membership provider name edit box, type NordicEdgeMembershipProvider
   - In the ASP.NET Role manager name edit box, type NordicEdgeRoleProvider

When you're all done, click the OK button to create the new web application. Next step: create a new site collection.

3.2 Create a New Site Collection

When the web application is created, create a new Site Collection in it. In Central Administration:

1. Application Management > Site Collections > Create site collection
2. Select your web application
3. Enter Title, Description and specify the Primary Site Collection Administrator
4. Press OK
4 Installing the Integration Module

This chapter describes what is required for the installation. These are the steps you have to go through:

1. Copy files to the web site
2. Register DLL files into the Global Assembly Cache
3. Configure the Nordic Edge Membership Provider in the web.config file
4. Restart IIS
5. Grant permissions to users/roles

4.1 Copy files to the SharePoint Website

Unzip OTP_Server_SharePoint_2010_ADMembershipProvider_1.0.zip to a temporary directory. Copy the included MySite\NE_SharePoint_2010\IDENTITYMODEL directory to your SharePoint file structure (merge with the existing IDENTITYMODEL directory), probably C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\IDENTITYMODEL, or copy the files to the right place according to the table below. Copy the MySite\bin directory to the SharePoint web site root directory (see the Explorer figure below).

Files required for the SharePoint integration:

Files                                                        Destination Folder
CustomLogin.aspx, OTPLogin.aspx                              C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\IDENTITYMODEL\LOGIN
(from the folder \NE_SharePoint_2010\IDENTITYMODEL\LOGIN)
ne_images (folder containing a css file and some images)     C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\IDENTITYMODEL\LOGIN\images\ne_images
NordicEdge.OTP.ADMembershipProvider.dll                      ..\bin
NordicEdge.OTP.STFormsAuthentication.dll                     ..\bin
NordicEdgeOTP.dll                                            ..\bin

Figure: SharePoint file structure (contents of the \NE_SharePoint_2010 folder: Central Administration_web.config_Example.txt, Central Adminstration_web.config_Configuration.txt, IDENTITYMODEL folder path.txt, MySite_web.config_Configuration.txt, MySite_web.config_Example.txt, SecurityToken_web.config_Configuration.txt, SecurityToken_web.config_Example.txt)
4.2 Register DLL Files into the Global Assembly Cache

The DLL files are signed with Strong Names, so they have to be added to the GAC (.NET Global Assembly Cache). Register the following DLL files in the GAC:

- NordicEdge.OTP.ADMembershipProvider.dll
- NordicEdge.OTP.STFormsAuthentication.dll
- NordicEdgeOTP.dll

This can be done in Explorer by dragging and dropping the DLL files into the assembly folder at c:\%windir%\assembly.
5 Configuration

5.1 Edit web.config Files

Edit the following web.config files:

- Central Administration
- Security Token
- Your SharePoint Site (My Site)

NOTE: There are files called ~\NE_SharePoint_2010\[site]_web.config_configuration.txt from which you can copy and paste the desired settings into your web.config file. In the same folder you will find configured web.config sample files called [site]_web.config_example.txt which might be useful as examples.

Before you make any changes: make copies of the current web.config files.

Please follow the instructions in:

1. SecurityToken_web.config_Configuration.txt
2. CentralAdministration_web.config_Configuration.txt
3. MySite_web.config_Configuration.txt

5.2 Setting the Login Token Expiration Correctly for SharePoint 2010 SAML Claims Users

Read Steve Peschka's blog about login token expiration: http://blogs.technet.com/b/speschka/archive/2010/08/09/setting-the-login-token-expiration-correctly-for-sharepoint-2010-saml-claims-users.aspx
6 Restarting the IIS Web Server

Before you can use the Web Interface, you have to restart IIS.

6.1 Restarting IIS

Open a command prompt and type iisreset to restart Internet Information Services.

Figure 10: Restarting IIS
7 Configure SharePoint Permissions

Before you can use the Nordic Edge OTP integration, permissions have to be granted to users/roles. This is done either from the SharePoint Central Administration Web Site OR from the site that is enabled with OTP two-factor authentication.

7.1 Granting Permissions to Users and Groups (Roles) - Via Central Configuration

1. Open your browser and navigate to SharePoint 2010 Central Administration
2. Click Application Management > Manage web applications
3. Select your SharePoint site
4. Click User Policy
5. Click Add Users
6. Select the Default zone and click Next >
7. Click the address book button (Browse) to open the People Picker dialog box.
8. You can use the picker to grant individual permissions to users or groups/roles. Type the username (or just the first letters of the user name, email address or full name) in the Find box, select Forms Auth in the lower left pane and then click the search button. The search should find the user named username, which has the account name NordicEdgeMembershipProvider:username. If the user dbowie is added to the membership database, the account is named dbowie (i:0#.f|nordicedgemembershipprovider|dbowie).
   NOTE: When you're searching for Roles (AD groups) you have to write the complete AD group name. If you don't, the AD group won't show up.
   - Pick the role which is found by the NordicEdgeRoleProvider.
   Figure: Roles in the People Picker.
   - Click OK to close the People Picker dialog box.
   - Grant permissions to the user/group and click OK to save your changes.
   Figure: Configure permissions to create My Sites
9. The group/role SharePointUsers will be named sharepointusers (c:0-.f|nordicedgeroleprovider|sharepointusers) in the permissions list.
Figure: Permissions

7.2 Granting Permissions to Users and Groups (Roles) - Via My Site

If you have already enabled the authentication mechanism and there are no users or groups (roles) in the membership database defined by the Nordic Edge Membership Provider, you have to log on to the system and grant permissions to at least an administrator. This can be done by editing the <authentication> tag in the web.config of your SharePoint site: change "Forms" to "Windows" and log on to the site.

    <authentication mode="Windows">
      <forms loginUrl="_login/customlogin.aspx" timeout="30" />
    </authentication>

After the permissions have been granted, change "Windows" back to "Forms".

1. Open your browser and navigate to the SSP Web site.
2. Under Site Actions, click Site Permissions
3. Click Grant Permissions
4. Click the address book button to open the People Picker dialog box.
5. You can use the picker to grant individual users the right to create My Sites. Type the username (or just the first letters of the user name, email address or full name) in the Find box, select Forms Auth in the lower left pane and then click the search button. The search should find the user named username, which has the account name NordicEdgeMembershipProvider:username. If the user dbowie is added to the membership database, the account is named dbowie (i:0#.f|nordicedgemembershipprovider|dbowie).
   NOTE: When you're searching for Roles (AD groups) you have to write the complete AD group name. If you don't, the AD group won't show up. Pick the role which is found by the NordicEdgeRoleProvider.
   Figure: Roles in the People Picker.
6. Click OK to close the People Picker dialog box.
7. Grant permissions to the user/group and click OK to save your changes.
   Figure: Configure permissions to create My Sites
8. The group/role SharePointUsers will be named sharepointusers (c:0-.f|nordicedgeroleprovider|sharepointusers) in the permissions list.
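The account names shown in 7.1 and 7.2 follow the SharePoint 2010 claims encoding (i:0#.f|provider|user for forms users, c:0-.f|provider|role for roles). The following added example, not part of this manual or the Nordic Edge module, builds and parses such names so an administrator can check a User Policy entry against the provider names configured in web.config; it assumes, as the manual's examples do, that provider and role names appear lower-cased.

```python
"""Encode and decode SharePoint 2010 claims-encoded account names."""
from dataclasses import dataclass

# Claim-type and issuer-type codes of the SharePoint 2010 claims encoding;
# only the codes needed for the manual's examples are listed.
CLAIM_TYPES = {"#": "user logon name", "-": "role"}
ISSUER_TYPES = {"f": "forms authentication"}


@dataclass(frozen=True)
class EncodedClaim:
    identity: bool    # True for 'i:' (identity claim), False for 'c:' (other claim)
    claim_type: str   # '#' = logon name, '-' = role
    issuer_type: str  # 'f' = forms authentication (membership/role provider)
    issuer: str       # provider name as registered in web.config, lower-cased
    value: str        # user name or role name


def encode_user(provider: str, user: str) -> str:
    """Identity claim for an FBA user, e.g. i:0#.f|nordicedgemembershipprovider|dbowie.
    The provider name is lower-cased; the user value is kept as given (assumption:
    the manual's example 'dbowie' is already lower case)."""
    return f"i:0#.f|{provider.lower()}|{user}"


def encode_role(provider: str, role: str) -> str:
    """Role claim, e.g. c:0-.f|nordicedgeroleprovider|sharepointusers; both the
    provider and the role name appear lower-cased in the permissions list."""
    return f"c:0-.f|{provider.lower()}|{role.lower()}"


def parse_claim(encoded: str) -> EncodedClaim:
    """Split an encoded account name into its parts; ValueError on anything else.
    Six-character head: [i|c] ':' '0' <claim type> '.' <issuer type>."""
    head, sep, rest = encoded.partition("|")
    if not sep or len(head) != 6 or head[0] not in "ic" or head[1:3] != ":0" or head[4] != ".":
        raise ValueError(f"not a claims-encoded account name: {encoded!r}")
    if head[3] not in CLAIM_TYPES or head[5] not in ISSUER_TYPES:
        raise ValueError(f"unsupported claim or issuer type in {encoded!r}")
    issuer, sep, value = rest.partition("|")
    if not sep or not issuer or not value:
        raise ValueError(f"missing provider or value in {encoded!r}")
    return EncodedClaim(head[0] == "i", head[3], head[5], issuer, value)


def describe(encoded: str) -> str:
    """Readable form of an entry, e.g. for checking a User Policy list by eye."""
    c = parse_claim(encoded)
    return f"{CLAIM_TYPES[c.claim_type]} '{c.value}' from {ISSUER_TYPES[c.issuer_type]} provider '{c.issuer}'"


if __name__ == "__main__":
    print(describe(encode_user("NordicEdgeMembershipProvider", "dbowie")))
    print(describe(encode_role("NordicEdgeRoleProvider", "SharePointUsers")))
```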
8 Testing the Web Application

8.1 Running SharePoint with the Nordic Edge OTP Integration Module

Enter the SharePoint URL: http://server:portnr/sitepages/home.aspx

Figure 1: The Login page.

After entering user name and password, the user is authenticated and receives the OTP.

Figure 2: The user is asked for the OTP

After entering the received OTP, the Nordic Edge OTP Server validates it. If it is valid, the user is authenticated to SharePoint.

Figure 3: The SharePoint web site
9 Appendix

9.1 Troubleshooting

9.1.1 Troubleshooting & Support

For troubleshooting and support, please go to http://support.nordicedge.se or send an email to support@nordicedge.se

10 Document History

Revision  Date        Description
0.1       2011-02-07  Initial version
1.0       2011-02-09  Approved
1.0       2011-09-07  Release version
1.0       2011-09-13  Rewritten 7. Granting Permissions to User and Groups (Roles)
1.0.1     2012-11-01  Added support for AD-LDS