Archive for December, 2015

SharePoint 2010: Get List of All Relative and Absolute URLs in a Web Application using PowerShell

December 23, 2015

In the process of configuring SharePoint 2010 to use ADFS authentication I needed to extend the Web Application so that our external, federated partners can access the portal with ADFS claims in a different zone, while our internal, non-federated users can still access the portal using Windows authentication with Kerberos. When doing this you have to make sure there are no absolute URLs in the navigation: a link hard-coded to the internal zone's hostname takes a federated user out of the ADFS zone and breaks the user experience. Below is a PowerShell script I wrote to search a Web Application for relative and absolute URLs so clean-up can be performed before switching over to ADFS.

#LOAD THE SHAREPOINT SNAP-IN IF THE SCRIPT IS NOT RUN FROM THE SHAREPOINT 2010 MANAGEMENT SHELL
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#GET WEB APPLICATION
$webApp = Get-SPWebApplication https://portal.com

#URL SEARCH STRING FOR ABSOLUTE URL (USE STRAIGHT QUOTES; CURLY QUOTES ARE NOT VALID POWERSHELL)
$searchURL = "*http*"

#CREATE .CSV FILE WITH HEADINGS FOR HYPERLINKS (TAB SEPARATED)
"siteURL`t" + "Heading`t" + "hyperlink`t" + "Path" >> HYPERLINKS.csv

#FOREACH LOOP - LOOPS THROUGH ALL WEBS AND SUBSITES OF WEB APPLICATION
foreach ($web in ($webApp | Get-SPSite -Limit All | Get-SPWeb -Limit All))
{
    #GLOBAL NAVIGATION ONLY EXISTS ON PUBLISHING WEBS, SO SKIP THE PUBLISHING PART ON OTHER WEBS
    if ([Microsoft.SharePoint.Publishing.PublishingWeb]::IsPublishingWeb($web))
    {
        #GET PUBLISHING WEB FOR THE CURRENT WEB
        $pubWeb = [Microsoft.SharePoint.Publishing.PublishingWeb]::GetPublishingWeb($web)
        #GET GLOBAL NAVIGATION NODES
        $nav = $pubWeb.Navigation.GlobalNavigationNodes

        #FOREACH LOOP - LOOPS THROUGH ALL GLOBAL NAVIGATION HEADINGS.
        foreach ($qlHeading in $nav)
        {
            #GET GLOBAL NAVIGATION HEADING CHILDREN.
            $qlLibraries = $qlHeading.Children

            #FOREACH LOOP - LOOPS THROUGH ALL CHILDREN (LINKS) IN GLOBAL NAVIGATION HEADINGS.
            foreach ($lib in $qlLibraries)
            {
                #IF STATEMENT TO CHECK IF HYPERLINK IS NOT NULL.
                if ($lib.Url -ne $null)
                {
                    write-host $qlHeading.Title
                    write-host $lib.Url
                    #IF HYPERLINK MATCHES THE $searchURL STRING STORE "AbsoluteURL" IN $path, OTHERWISE "RelativeURL".
                    if ($lib.Url -like $searchURL)
                    {
                        $path = "AbsoluteURL"
                    }
                    else
                    {
                        $path = "RelativeURL"
                    }
                    #WRITE GLOBAL NAVIGATION NODE RESULTS TO HYPERLINKS.csv FILE.
                    $web.Url + "`t" + $qlHeading.Title + "`t" + $lib.Url + "`t" + $path >> HYPERLINKS.csv
                }
            }
        }
    }

    #GET QUICK LAUNCH NAVIGATION NODES (AVAILABLE ON EVERY WEB, PUBLISHING OR NOT)
    $nodes = $web.Navigation.QuickLaunch

    #FOREACH LOOP - LOOPS THROUGH ALL QUICK LAUNCH NAVIGATION NODES
    foreach ($node in $nodes)
    {
        write-host $node.Title
        write-host $node.Url
        #IF HYPERLINK MATCHES THE $searchURL STRING STORE "AbsoluteURL" IN $path, OTHERWISE "RelativeURL".
        if ($node.Url -like $searchURL)
        {
            $path = "AbsoluteURL"
        }
        else
        {
            $path = "RelativeURL"
        }
        #WRITE QUICK LAUNCH NAVIGATION NODE RESULTS TO HYPERLINKS.csv FILE (NODE TITLE GOES IN THE Heading COLUMN).
        $web.Url + "`t" + $node.Title + "`t" + $node.Url + "`t" + $path >> HYPERLINKS.csv
    }

    #RELEASE THE SPWeb OBJECT SO THE LOOP DOES NOT LEAK SERVER MEMORY
    $web.Dispose()
}
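The script above treats every link that merely contains "http" as absolute, so a relative link such as "Pages/httpguide.aspx" is flagged too, and it does not distinguish links to other systems from links hard-coded to our own hostname, which are the ones that break when a federated user arrives through the extended zone. The function below is an added example written for this post, not code from the original script: it classifies a link with System.Uri and compares the host against the hostnames the web application answers on. The host names and the sample links are constructed placeholders.

```powershell
# Added example (not part of the original post): classify a navigation link relative
# to the hostnames a web application serves, so the audit can separate links that
# will break for users of another zone from links that are harmless.
# The host list and the four sample links below are constructed for the demo.

function Get-LinkClass
{
    param(
        [string]   $Url,        # link as stored in SharePoint navigation
        [string[]] $OwnHosts    # hostnames served by this web application (all zones)
    )

    $uri = $null
    # TryCreate with UriKind.Absolute succeeds only for a full URL with scheme and host;
    # the scheme check keeps file paths and other non-web URIs out of the absolute bucket.
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri) -or
        -not (@("http", "https") -contains $uri.Scheme))
    {
        return "RelativeURL"    # "/sites/hr/Pages/default.aspx" or "Pages/default.aspx": safe across zones
    }

    if ($OwnHosts -contains $uri.Host)
    {
        # Hard-coded to one of our own zone hostnames: a user signed in through a
        # different zone (for example the ADFS zone) is sent to the other zone's URL
        # and challenged for that zone's authentication again.
        return "AbsoluteURL-OwnZone"
    }

    return "AbsoluteURL-External"   # points at another system; the zone change does not affect it
}

# Hostnames this web application answers on; "portal.com" and "partners.portal.com" are placeholders.
$ownHosts = @("portal.com", "partners.portal.com")

# Constructed sample links as they might come out of the navigation audit.
$sampleLinks = @(
    "/sites/hr/Pages/default.aspx",
    "https://portal.com/sites/hr/Pages/default.aspx",
    "https://intranet.example.org/policies",
    "Pages/httpguide.aspx"
)

foreach ($link in $sampleLinks)
{
    "{0}`t{1}" -f (Get-LinkClass -Url $link -OwnHosts $ownHosts), $link
}
```

Run inside the script's web loop, Get-LinkClass can replace the -like test so that only the "AbsoluteURL-OwnZone" rows need fixing before the ADFS zone goes live; the external absolute links can stay as they are.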

Configure SharePoint 2010 with Active Directory Federation Services (ADFS)

December 11, 2015

In my SharePoint environment I had a requirement to configure SharePoint 2010 to federate with external partners using Active Directory Federation Services (ADFS). For those not familiar with ADFS, it allows federation between multiple customers / partners and eliminates the hassle of continuously providing credentials when accessing shared files / locations. It passes a claims token that is trusted on both sides, and that token provides the access, which eliminates the need for Windows Authentication or PKI CAC Auth.

In this blog I will explain how to set up and configure SharePoint 2010 to work with ADFS. I will not explain how to configure the ADFS server; I assume the ADFS server has already been configured and is ready for use.

SharePoint 2010 Configuration

  1. First you will need to obtain a CER copy of the Root Certificate(s) from the hosted Central Administration Server.
    1. Log onto the Central Administration Server.
    2. Bring up the Certificate Store | Click Start | Run
    3. Type MMC and Enter
    4. Press Ctrl + M
    5. Select Certificate | Add | Computer Account | Next
    6. Select Local Computer | Finish
    7. Click Ok
    8. Expand Certificates | Expand Trusted Root Certification Authorities
    9. Select the Root CA.  (In my case I selected NSS Root CA 1)
    10. Right click the Root CA and choose All Tasks | Export
    11. Click Next
    12. Select No, do not export the private key | Next
    13. Select the format you want to use | DER Encoded Binary X.509 (.CER) | Next
    14. Choose a file name and location to export the certificate to | Next | Finish
  2. Import Root Certificate into SharePoint 2010 Certificate Store
    1. On the SharePoint Central Administration Server open up SharePoint 2010 Management Shell
    2. Type the following command and press enter:
      1. $rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<Path to certificate file>")
    3. Add the root certificate to SharePoint Trusted Root Authority Store, type the following command:
      1. New-SPTrustedRootAuthority -Name "<Identifying Name>" -Certificate $rootCert  (in my case I used "NSS Root CA 1" as the <Identifying Name>)
  3. Create SharePoint Trusted Identity Token Issuer.
    *This step is important as it defines which claims issued by ADFS SharePoint will accept.  You would likely have discussions with your external partners on what claims they would like to pass through with ADFS.  Once there is an agreement between both or all parties then you can proceed with creating the mappings*
    **In my case we agreed to pass E-Mail, Role, UPN, and Name as claims to SharePoint**

    1. Type the following to add E-Mail, Role, UPN, and Name as accepted claims to SharePoint:
      1. $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "role" -SameAsIncoming
      2. $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
      3. $map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
        **Since Name is a reserved word in SharePoint you have to map "Name" to a unique local claim type**
      4. $map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "Name" -LocalClaimType "http://schemas.<mappedclaimtype>/identity/claims/name"
    2. Locate the token-signing certificate that is used in ADFS 3.0
      1. Log into the ADFS Server | Open ADFS 3.0 Management | Select Certificates under Service | Export the token-signing certificate
      2. Copy the exported ADFS token-signing certificate to a location on the SharePoint 2010 Central Administration Server
      3. Type the following to add the ADFS token-signing certificate
        1. $tokenCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<location of token-signing certificate>")
    3. Create SharePoint Trusted Claim Issuer:
      1. Type the following:
        1. New-SPTrustedIdentityTokenIssuer -Name "NAME OF ADFS TOKEN ISSUER" -Description "ADFS 3.0" -Realm "urn:eusharepoint:<name of portal>" -SignInUrl "https://<URL OF FEDERATION LOGIN SCREEN>/adfs/ls" -ImportTrustCertificate $tokenCert -ClaimMappings $map1, $map2, $map3, $map4 -IdentifierClaim $map4.InputClaimType
  4. Update SharePoint Web Application to use Trusted Claims Identifier
    1. Browse to Central Administration | Application Management | Select Web Application | Select Authentication Providers from Ribbon | Select Default Zone
    2. Scroll down to the "Claims Authentication Types" section.  The option to select the Trusted Identity Provider is now available.
      1. Select the Trusted Identity Provider checkbox | Select the "<NAME OF ADFS TOKEN ISSUER>" checkbox
      2. Click Save

After completing the 4 steps above the configuration for ADFS federation is complete.

When you now browse to your portal site you will see the sign-in page with a dropdown offering either Windows Authentication or ADFS Authentication. If ADFS Authentication is selected the user is redirected to the ADFS federation login screen, authenticates to their own domain, and is redirected back to the portal with their claims token. If the federated user's claims have been granted permission in SharePoint they will have access; if not they will be denied access.
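Once the four steps are done it is worth checking what SharePoint actually trusts, because a wrong sign-in URL, a missing claim mapping or an expired certificate all show up only as failed logins for the federated partner. The script below is an added example written for this post, not part of the original; it reads the configuration back with the same SharePoint cmdlets used above. The issuer name is the post's own placeholder and the 30-day expiry warning threshold is an assumption.

```powershell
# Added example (not part of the original post): read back the ADFS trust configuration
# created in steps 2 and 3 and flag the conditions that break federated sign-in.
# "<NAME OF ADFS TOKEN ISSUER>" is the placeholder from the post; $warnDays is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "<NAME OF ADFS TOKEN ISSUER>"
$warnDays   = 30

# 1. Every root authority SharePoint trusts: name, subject, expiry, thumbprint. SharePoint
#    validates the ADFS token-signing certificate against these, so an expired or missing
#    root means every ADFS token is rejected.
"--- Trusted root authorities ---"
foreach ($root in Get-SPTrustedRootAuthority)
{
    $cert = $root.Certificate
    "{0}`t{1}`texpires {2:yyyy-MM-dd}`tthumbprint {3}" -f $root.Name, $cert.Subject, $cert.NotAfter, $cert.Thumbprint
}

# 2. The token issuer: where users are redirected, which realm is sent, which claim identifies
#    the user, and which incoming claims are accepted (anything not listed is dropped).
$issuer = Get-SPTrustedIdentityTokenIssuer $issuerName
"--- Trusted identity token issuer: " + $issuer.Name + " ---"
"Sign-in URL   : " + $issuer.ProviderUri
"Realm         : " + $issuer.DefaultProviderRealm
"Identity claim: " + $issuer.IdentityClaimTypeInformation.InputClaimType
foreach ($ct in $issuer.ClaimTypeInformation)
{
    "Accepted claim: {0} -> {1}" -f $ct.InputClaimType, $ct.MappedClaimType
}

# 3. The ADFS token-signing certificate SharePoint accepts. If ADFS rolls its token-signing
#    certificate (automatic certificate rollover is on by default), the new certificate must be
#    re-imported here or tokens fail signature validation.
$signing  = $issuer.SigningCertificate
$daysLeft = ($signing.NotAfter - (Get-Date)).Days
"Signing cert  : {0}, thumbprint {1}, expires in {2} days" -f $signing.Subject, $signing.Thumbprint, $daysLeft
if ($daysLeft -lt $warnDays)
{
    Write-Warning "Token-signing certificate expires within $warnDays days; plan a re-import."
}

# 4. The sign-in URL must be HTTPS: the claims token is posted back through the user's browser,
#    and a plain HTTP redirect would expose it on the wire.
if ($issuer.ProviderUri.Scheme -ne "https")
{
    Write-Warning "Sign-in URL is not HTTPS: " + $issuer.ProviderUri
}
```

Compare the thumbprint printed in section 3 with the one shown for the token-signing certificate in ADFS 3.0 Management; if they differ, the $tokenCert import in step 3 picked up the wrong file.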

Rollback Steps

If you want to remove the ADFS federation from SharePoint:

  1. Browse to Central Administration | Application Management | Select Web Application | Select Authentication Providers from Ribbon | Select Default Zone
  2. Scroll down to the "Claims Authentication Types" section.
    1. Deselect the "<NAME OF ADFS TOKEN ISSUER>" checkbox | Deselect the Trusted Identity Provider checkbox
    2. Click Save
  3. Log into Central Administration Server
    1. Bring up SharePoint 2010 Management Shell
      1. Type: Remove-SPTrustedIdentityTokenIssuer "<NAME OF ADFS TOKEN ISSUER>"