Thursday, April 27, 2006

PKI and sponsorship with SharePoint

We've been working on some interesting solutions with PKI (public key infrastructure) and SharePoint sites. I can't go into a lot of detail now, but in a nutshell the system:
  • Accepts the user's PKI identity certificate

  • Checks the status of the user's account

  • Logs the user into Active Directory without requiring a password

  • Forwards the user to the SharePoint site

  • The user can access and contribute within the site as a regular SharePoint user

We also included some nifty certificate type checking, and certain users are required to fill out a sponsorship form and be approved before they are allowed to access the site.

I'll try to put some details of how we accomplished this up at some point. Suffice it to say, it was a long road and many people helped along the way.

Has anyone out there integrated PKI with SharePoint? I'm pretty sure we're not the only ones doing it, so I'm curious how others have accomplished this.

17 comments:

  1. Hello Joel, we're in Brazil starting this integration process and we're looking for some references on the internet... If you could help us I'd appreciate it very much... Huges (sharepoint@netzenos.com.br)

  2. Hi Carlos,

    Unfortunately, I don't know of any online resources that document this exactly! However, this article touches on some of the things you can do if you are using an SSO to integrate PKI:
    http://www.theserverside.net/tt/articles/showarticle.tss?id=ImplementingSSO

    Check out the SharePoint community page, where there may be some more info: http://www.microsoft.com/sharepoint/community.mspx

    There is access to newsgroups there, which are a great place to ask questions. Someone may have more detail readily available.

    Joel

  3. Hey Joel,

    I am trying to get WSS 3.0 to not use the default AD username/pwd check, but instead use an X.509 certificate stored on a dongle or in the Windows cert store to access the SharePoint environment.
    The AD username is stored in the certificate as the DN.

    Do you have any hints or tips, other than what you wrote to Carlos already, on the configuration of WSS3?

    Thanks in advance (mike22april at hotmail.com)

  4. Hi Mike,

    Unfortunately, I haven't dealt with that yet with WSS V3.

    My only suggestion is to check out the SharePoint community page and the newsgroups.

    Joel

  5. In response to anonymous, I would say that the workaround would be to go the route of an alternative security provider module that you'd have to write and work through the ASP.NET 2.0 framework.

  6. Did you ever get this solution finished? If so, where can I find details about this? cjnolen@gmail.com

  7. Hi Anonymous,

    We are about to rework this solution for MOSS. We want to forgo Active Directory and LDAP and use an ASP.NET Membership Provider instead.

    If I can, I will post some high level info once we get going. In theory it should be "simple," but we all know that probably isn't the case.

    Joel

  8. Hi Joel,

    We are also trying to implement a CAC card solution. Do you have any documentation about how you did that?

    Thanks

    VR

  9. It depends on how you need to integrate smart cards/PKI/CAC. Do you use Active Directory or another means of authentication?

  10. Hi Joel,

    I am trying to authenticate against the Active Directory. We have a separate LDAP where the user is authenticated against their CAC card. Once they are authenticated, the users are redirected to our website. All the information I get from the authentication is their username. How can I authenticate the user against our Active Directory?

  11. Hi Venkat,

    I assume you're using WSS 3.0 or MOSS 2007, correct?

    Why not use the LDAP as your directory in SharePoint? You could create a membership provider to use that user store instead of AD.

    Alternately, if you still need to use AD for some reason, you could use a custom SharePoint login page, HTTP module, or ISAPI filter to do the login.

    Joel

  12. Hi,

    Yes, I am using MOSS 2007. If I use LDAP as my directory in SharePoint, can the users access the site without authentication?

    I am trying to use a custom HTTP module and an ISAPI filter. Can you point me in the right direction?

    Thanks

  13. I am using MOSS 2007. All I am trying to achieve is to automatically log the user in to the SP site with just the username. Our plan is to use the same password for all the users in AD.

    If I use the LDAP as my directory in SharePoint, can I achieve that?

    Thanks

  14. Hi Venkat,

    If you set up SharePoint to use your LDAP as a membership provider, in theory you could have users log in without a username and password using their LDAP account. If:

    You use an HTTP module, ISAPI, or a custom ASP.NET login page through the SharePoint membership provider. That would read the PKI/CAC information, pass it through the membership provider to log the user on, and redirect them to SharePoint. Depending on how you write the code, you can forgo asking the user for any username or password. (Just make sure you trust the PKI information you are receiving.)

    Using the ASP.NET Forms Based Authentication in SharePoint, you can get this required login info to pass through the membership provider and grant the user a logon session in SharePoint.

    Joel

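The flow the post outlines (accept the certificate, check the account status, log the user on without a password, forward them to the site) and the HTTP-module route Joel describes in comment 14, as an added example that is neither the post's code nor any project's code. It is a hypothetical ASP.NET 2.0 HTTP module in C#: the class name, the `/_certlogon` path, the root-CA thumbprint placeholder and the assumption that the account name travels as a UPN (with the subject CN as fallback) are all mine, and the "sponsorship approved" state is assumed to map to the membership provider's `IsApproved` flag. The point it makes concrete is Joel's caveat about trusting the PKI information: the certificate is taken only from the TLS handshake IIS performed, it must chain to a pinned root with revocation checked, and the account must still be in good standing.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Security;

// Hypothetical ASP.NET 2.0 HTTP module (added example, not the post's code). On a
// dedicated logon URL it verifies the client certificate IIS negotiated over TLS,
// checks the account through the membership provider, issues a Forms
// Authentication session and redirects the user into the site.
public class CertificateLogonModule : IHttpModule
{
    // Hypothetical logon URL that IIS is configured to require a client
    // certificate for; other URLs are left to the normal FBA flow.
    private const string LogonPath = "/_certlogon";

    // Thumbprint of the root CA trusted for logon (placeholder from your own PKI).
    private const string TrustedRootThumbprint = "<THUMBPRINT-OF-TRUSTED-ROOT-CA>";

    // Enhanced key usage OID for TLS client authentication.
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!string.Equals(ctx.Request.Path, LogonPath, StringComparison.OrdinalIgnoreCase))
            return;

        // Take the certificate only from the TLS handshake IIS performed, never
        // from a request header, which any client could fabricate.
        HttpClientCertificate cc = ctx.Request.ClientCertificate;
        if (!cc.IsPresent || !cc.IsValid) { Deny(ctx); return; }

        X509Certificate2 cert = new X509Certificate2(cc.Certificate);
        string userName = GetTrustedUserName(cert);
        if (userName == null) { Deny(ctx); return; }

        // Account status check: unknown, not yet approved (sponsorship pending)
        // or locked-out accounts are refused even with a valid certificate.
        MembershipUser user = Membership.GetUser(userName, false);
        if (user == null || !user.IsApproved || user.IsLockedOut) { Deny(ctx); return; }

        // Grant the session without a password prompt, then forward the user.
        FormsAuthentication.SetAuthCookie(userName, false);
        ctx.Response.Redirect(SafeReturnUrl(ctx), true);
    }

    // Returns the account name the certificate binds, or null when the
    // certificate must not be trusted for logon.
    private static string GetTrustedUserName(X509Certificate2 cert)
    {
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter) return null;

        // Chain to a trusted root, check revocation for every certificate in
        // the chain and require the client-authentication key usage.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEku));
        if (!chain.Build(cert)) return null;

        // "Certificate type" check: the chain must end at the pinned root, so a
        // certificate from any other CA in the machine store is not enough.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, TrustedRootThumbprint, StringComparison.OrdinalIgnoreCase))
            return null;

        // Assumption: the account name is carried as a UPN in the subject
        // alternative name, with the subject CN as fallback.
        string upn = cert.GetNameInfo(X509NameType.UpnName, false);
        if (!string.IsNullOrEmpty(upn)) return upn;
        string cn = cert.GetNameInfo(X509NameType.SimpleName, false);
        return string.IsNullOrEmpty(cn) ? null : cn;
    }

    // Redirect only to a path inside this site so the logon URL cannot be
    // used to bounce users to another host.
    private static string SafeReturnUrl(HttpContext ctx)
    {
        string url = ctx.Request.QueryString["ReturnUrl"];
        if (string.IsNullOrEmpty(url) || !url.StartsWith("/") || url.StartsWith("//") || url.StartsWith("/\\"))
            return FormsAuthentication.DefaultUrl;
        return url;
    }

    private static void Deny(HttpContext ctx)
    {
        ctx.Response.StatusCode = 403;
        ctx.Response.End();
    }
}
```

To try it, the module is registered under `<httpModules>` in the web application's web.config, the site runs with Forms Based Authentication against the chosen membership provider, and IIS is set to require (not merely accept) client certificates on the logon path so that `IsPresent` and `IsValid` reflect a real TLS negotiation. Revocation checking is set to online mode on purpose: a certificate whose status cannot be determined fails `Build` and is refused rather than waved through.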
  15. Joel,

    If we use FBA can we still use Excel Services and Forms Services?
