Thursday, April 27, 2006

PKI and sponsorship with SharePoint

We've been working on some interesting solutions with PKI (public key infrastructure) and SharePoint sites. I can't go into a lot of detail now, but in a nutshell the system:
  • Accepts the user's PKI identity certificate

  • Checks the status of the user's account

  • Logs the user into Active Directory without requiring a password

  • Forwards the user to the SharePoint site

  • Lets the user access and contribute to the site as a regular SharePoint user

We also included some nifty certificate type checking, and certain users are required to fill out a sponsorship form and get approved before they are allowed to access the site.
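The logon flow above, sketched in Go as an added example. This is not the author's ASP.NET/SharePoint code: the CA, the user certificates, the account names, the in-memory directory standing in for Active Directory, and the site and sponsorship URLs are all constructed for the demonstration. It shows the steps in order (trusted issuer, certificate type via the client-authentication EKU, subject-to-account mapping, account status, sponsorship gate, redirect) and that no password is ever consulted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Account is a constructed stand-in for a directory record (AD or LDAP): Enabled is
// the account-status check, Sponsored the approved-sponsorship gate from the post.
type Account struct{ Enabled, Sponsored bool }

// Directory is constructed sample data keyed by account name, not a real directory.
var Directory = map[string]Account{
	"jsmith": {Enabled: true, Sponsored: true},
	"bjones": {Enabled: false, Sponsored: true},
	"guest1": {Enabled: true, Sponsored: false},
}

// Decision is the outcome of one logon attempt; Redirect is "" when access is denied.
type Decision struct{ User, Redirect, Reason string }

const SitePath, SponsorshipPath = "/sites/team", "/sponsorship/apply" // assumed URLs

// Authenticate follows the post's flow: verify the client certificate chains to a
// trusted CA and is the right type (client-auth EKU), map the subject CN to an
// account, check the account, and decide where to send the user. No password is
// involved, so the trust placed in the issuing CA carries the whole logon.
func Authenticate(cert *x509.Certificate, roots *x509.CertPool) Decision {
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		// Untrusted issuer, expiry and wrong type (e.g. an email-signing cert) all fail here.
		return Decision{Reason: "certificate rejected: " + err.Error()}
	}
	user := cert.Subject.CommonName
	acct, ok := Directory[user]
	switch {
	case !ok:
		return Decision{User: user, Reason: "no account for certificate subject"}
	case !acct.Enabled:
		return Decision{User: user, Reason: "account disabled"}
	case !acct.Sponsored:
		return Decision{User: user, Redirect: SponsorshipPath, Reason: "sponsorship required"}
	}
	return Decision{User: user, Redirect: SitePath}
}

// NewCA builds a throwaway CA for the example; returns its cert, key and a trust pool.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, key, pool
}

// Issue signs a user certificate with the given subject CN and extended key usages.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  eku,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	ca, caKey, roots := NewCA("Example Root CA")
	otherCA, otherKey, _ := NewCA("Untrusted CA")
	for _, c := range []*x509.Certificate{
		Issue(ca, caKey, "jsmith", x509.ExtKeyUsageClientAuth),         // valid identity cert
		Issue(ca, caKey, "jsmith", x509.ExtKeyUsageEmailProtection),    // wrong certificate type
		Issue(ca, caKey, "guest1", x509.ExtKeyUsageClientAuth),         // not yet sponsored
		Issue(otherCA, otherKey, "jsmith", x509.ExtKeyUsageClientAuth), // untrusted issuer
	} {
		fmt.Printf("%+v\n", Authenticate(c, roots))
	}
}
```

Two caveats a practitioner would add before using this shape for real: the certificate must be the one presented in the TLS handshake (taken from the server's connection state, never from a header the client can set), and `Verify` does no revocation checking, so a CRL or OCSP lookup belongs in the same step, before the directory is consulted.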

I'll try to put some details of how we accomplished this up at some point. Suffice it to say, it was a long road and many people helped along the way.

Has anyone out there integrated PKI with SharePoint? I'm pretty sure we're not the only ones doing it, so I'm curious how others have accomplished this.

17 comments:

Anonymous said...

Hello Joel, we're in Brazil starting this integration process and we're looking for some references on the internet... If you could help us, I would appreciate it very much... Hugs (sharepoint@netzenos.com.br)

Joelsef said...

Hi Carlos,

Unfortunately, I don't know of any online resources that document this exactly! However, this article touches on some of the things you can do if you are using an SSO to integrate PKI:
http://www.theserverside.net/tt/articles/showarticle.tss?id=ImplementingSSO

Check out the SharePoint community page, where there may be some more info: http://www.microsoft.com/sharepoint/community.mspx

There is access to newsgroups there, which are a great place to ask questions. Someone may have more detail readily available.

Joel

Anonymous said...

Hey Joel,

I am trying to get WSS3.0 to not use the default AD username/pwd check, but instead use an X.509 certificate stored on a dongle or in the Windows cert store to access the SharePoint environment.
The AD username is stored in the certificate as the DN.

Do you have any hints or tips, other than what you wrote to Carlos already, on the configuration of WSS3?

Thanks in advance (mike22april at hotmail.com)

Joelsef said...

Hi Mike,

Unfortunately, I haven't dealt with that yet with WSS V3.

My only suggestion is to check out the SharePoint community page and the newsgroups.

Joel

@binarybrewery said...

In response to anonymous, I would say that the workaround would be to go the route of an alternative security provider module that you'd have to write and work through the ASP.NET 2.0 framework.

Anonymous said...

Did you ever get this solution finished? If so, where can I find details about this? cjnolen@gmail.com

Joelsef said...

Hi Anonymous,

We are about to rework this solution for MOSS. We want to forgo Active Directory and LDAP and use an ASP.NET Membership Provider instead.

If I can, I will post some high level info once we get going. In theory it should be "simple," but we all know that probably isn't the case.

Joel

Joelsef said...

BTW, have you seen these articles?

http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-multiple-authentication-providers-for-sharepoint-2007.aspx

http://blah.winsmarts.com/2006/05/19/sharepoint-2007--enabling-custom-authentication-using-a-custom-membership-provider.aspx

http://www.developer.com/net/asp/article.php/3622481

We are going to use that as a basis for building our PKI-enabled solution.

Venkat said...

Hi Joel,

We are also trying to implement a CAC card solution. Do you have any documentation about how you did that?

Thanks

VR

Joelsef said...

It depends on how you need to integrate smart cards/PKI/CAC. Do you use Active Directory or another means of authentication?

Venkat said...

Hi Joel,

I am trying to authenticate against the Active Directory. We have a separate LDAP where the user is authenticated against their CAC card. Once they are authenticated, the users are redirected to our website. All the information I get from the authentication is their username. How can I authenticate the user against our Active Directory?

Joelsef said...

Hi Venkat,

I assume you're using WSS 3.0 or MOSS 2007, correct?

Why not use the LDAP as your directory in SharePoint? You could create a membership provider to use that user store instead of AD.

Alternately, if you still need to use AD for some reason, you could use a custom SharePoint login page, HTTP module, or ISAPI filter to do the login.

Joel

Venkat said...

Hi,

Yes, I am using MOSS 2007. If I use LDAP as my directory in SharePoint, can the users access the site without authentication?

I am trying to use a custom HTTP module and an ISAPI filter. Can you point me in the right direction?

Thanks

Venkat said...

I am using MOSS 2007. All I am trying to achieve is to automatically log the user in to the SP site with just the username. Our plan is to use the same password for all the users in AD.

If I use the LDAP as my directory in SharePoint, can I achieve that?

Thanks

Joelsef said...

Hi Venkat,

If you set up SharePoint to use your LDAP as a membership provider, in theory you could have users log in without a username and password using their LDAP account. If:

You use an HTTP module, ISAPI, or a custom ASP.NET login page through the SharePoint membership provider. That would read the PKI/CAC information, pass it through the membership provider to log the user on, and redirect them to SharePoint. Depending on how you write the code, you can forgo asking the user for any username or password. (Just make sure you trust the PKI information you are receiving.)

Using the ASP.NET Forms Based Authentication in SharePoint, you can get this required login info to pass through the membership provider and grant the user a logon session in SharePoint.

Joel

Venkat said...

Joel,

If we use FBA can we still use Excel Services and Forms Services?

Joelsef said...

Moving the discussion to a newer post here:
http://joelsef.blogspot.com/2009/01/custom-pkicac-authentication-and.html