Archive

Posts Tagged ‘Windows Claims’

SharePoint 2010: Adding SAML Claim permission for All Authenticated Users using PowerShell.

February 1, 2017 Leave a comment

I recently had to convert one of my SharePoint 2010 Web Applications from using Windows Claims/NTLM to use SAML Claims, removing the need for NTLM authentication by using a Claims Provider (ADFS) for authentication. When doing so permissions on the SALM Claims Web Application broke because it was still leveraging the Windows Claims Permissions. Since the NTLM permission was removed at the Web Application level, and to meet the DISA STIG requirement Anonymous Access permissions were also removed; this in return restricted access to users who used to have “read” rights to the Portal. To fix this problem I had to grant the “read” permissions for the SAML Claims ‘All Authenticated Users’ to all Site Collections / Sites so these users can once again gain access. Below is how I accomplished this using PowerShell.

————————————————————————–

$webApp = Get-SPWebApplication "[WEB APPLICATION URL]"
$sts = Get-SPTrustedIdentityTokenIssuer "[CLAIMS PROVIDER TOKEN ISSUER NAME]"

$PermLevels = @{}

"URL `t" + "userName `t" + "userLogin `t" + "userEmail `t" + "permissionLevel `t" + "SAMLClaim" >> User_Permissions_AllAuthenticatedUsers.csv

foreach ($web in $webApp | Get-SPSite -Limit All | Get-SPWeb -Limit All)
{

	foreach ($role in $web.Roles)
	{
		$permmask = $role.PermissionMask
		$permname = $role.Name
		$PermLevels.Add("$permmask", "$permname")
		trap [Exception] {continue}
	}
	foreach ($perm in $web.Permissions)
	{
		$permmaskcurrent = $perm.PermissionMask
		$level = $PermLevels.Get_Item("$permmaskcurrent")

		if ($perm.Member.Name -like "*All Authenticated Users*")
		{
				#CLAIM PRINCIPAL FOR ROLE
				$claimPrincipal = New-SPClaimsPrincipal -ClaimValue $perm.Member.Name -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -TrustedIdentityTokenIssuer $sts
				
				
				$newUser = New-SPUser -UserAlias $claimPrincipal.ToEncodedString() -Web $web

				$account = $web.EnsureUser($newUser)
			
				if ($level -eq "Limited Access")
				{
					$level = "Read"
					$role = $web.RoleDefinitions[$level]
					$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
					$assignment.RoleDefinitionBindings.Add($role)
					$web.RoleAssignments.Add($assignment)
				}
				else
				{
					$role = $web.RoleDefinitions[$level]
					$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
					$assignment.RoleDefinitionBindings.Add($role)
					$web.RoleAssignments.Add($assignment)
				}
				
				$web.Url + "`t" + $perm.Member.Name + "`t" + $perm.Member.UserLogin + "`t" + $perm.Member.Email + "`t" + $level + "`t" + $account >> User_Permissions_AllAuthenticatedUsers.csv

		}
	}
}

————————————————————————–

The above script loops through all the Site Collections and Sites to search for the Windows Claim for ‘All Authenticated Users’ once it finds an instance where the ‘All Authenticated Users’ permissions is used it adds the SAML Claim for ‘All Authenticated Users’

This script does not clean up/remove the old Windows Claims permission for the ‘All Authenticated Users’ I did that just incase the Web Application needs to be extended to once again support Windows Claims/NTLM authentication.

I will later blog about how to add the ‘All Authenticated Users’ SAML Claim to Groups, and also how to add indivdual SAML Claim permissions to users by granting their SAML Token for email.

Hopefully this is helpful for those that are struggling to reprovision their Windows Claims permissions to SAML Claims.