Visual guide to Windows Live ID authentication with SharePoint 2010 - part 1

Tags: LiveID, SharePoint 2010

UPDATE 2012-02-01: A new and better approach to this is detailed in a new Visual Guide - Visual guide to Azure Access Control Services authentication with SharePoint 2010.

Using Windows Live ID as the login provider for SharePoint is a really big deal. It makes scenarios such as public facing web sites and extranets much easier; for instance, there is no need to maintain passwords and users to the same degree. SharePoint 2007 has no native support for this, so I built a custom Live ID login provider (available at http://spwla.codeplex.com), but SharePoint 2010 has native support for claims based access. And that is what's on the menu for tonight...

This post, and the subsequent ones, will show you how to enable Windows Live ID on a SharePoint 2010 farm (SPF or SPS). I will take a visual approach using a lot of screenshots. It has not been an easy path since there is no official guidance on this subject (at the time of this writing), so I'm going to point out a couple of steps where you can fail miserably while setting it up. Big thanks to Paul Schaeflein who also walked the hard path and took some hits to get this to work! Although there are a couple of blog posts out there on this issue, some of them are very sparse on the details (why?) and some even contain faulty instructions. Just to be safe on this: the instructions work on my machines and I've been able to reproduce these steps a number of times. If you have any suggestions or comments, just leave them here and I'll try to (get someone to) answer them...

So what are we waiting for, let's get the party started. I have to warn you - if you don't like certificates - stop reading!

Background

While I will explain more in detail as we move along, I think it is important to have a little heads up on claims based access and Windows Live ID. First of all, (passive) claims based access is based on the simple scenario where a client/user (the subject) tries to access a site (also called the Relying Party, RP). The RP has delegated the login procedure to one or more trusted parties called Identity Providers (IP). In our case SharePoint is the RP, Live ID is the IP and you of course are the subject. When the subject tries to access the RP, the subject is redirected to the IP, where the actual logon takes place. By attaching cookies to the response and redirecting the user back to the RP with a set of (encrypted) claims, the IP lets the RP finally authenticate the user. For a better understanding I recommend you to read A guide to Claims-based Identity and Access Control.

A little bit of claims

Windows Live ID (WLID) will take care of the login and send back a unique ID to the SharePoint site. This unique ID is the only claim WLID will give you. (Unfortunately you cannot get the e-mail address or the name of the user.) SharePoint will first verify the validity of the encrypted security token (containing the claims) before actually starting the AuthN and AuthZ process, using the unique ID as the username in SharePoint. You will later see how we give access to these unique IDs.

Another important thing to keep in mind is that WLID has two "zones": INT and PROD. The PROD zone is what you normally use when logging in to Hotmail etc. The INT zone is used for development and testing and has a completely different account database, so you need accounts in the INT zone to continue; more about this in a little bit. You cannot skip the INT zone: you have to register your site there first before applying for approval in the PROD zone.

The steps provided here are only for the INT environment. For PROD it is basically the same, and the post is long enough as it is...

Registering the site

MSM

Before even starting to configure the SharePoint site we need to register our site for use with Windows Live ID. This is done using the Microsoft Service Manager web application located at http://msm.live.com/. You log in to this service using your normal (PROD) Windows Live ID account.

In the left menu click on Register Your Site (1). This will bring up the Register Your Site page where you should enter the name of your site, use a descriptive name (2) and the DNS Name of your site (3). The DNS Name is important! Here you must specify a DNS Name, which we will later change into a URI, or rather URN. Write something random such as wictor.live.

The DNS Name will be used as a SAML Audience when the security token is sent back and it will be verified by SharePoint. According to the SAML specification the audience must be a URI (a URN or URL). If you use a URL then WLID will for some reason remove the protocol from the audience when sending it back to the RP and SharePoint will throw an exception ([InvalidOperationException: This operation is not supported for a relative URI.] System.Uri.GetLeftPart(UriPartial part)). This might change in the future.

Finally you have to specify that you will use Windows Live ID (4). Click Submit to continue.

MSM Config

You will get a confirmation screen. Click Yes to confirm and proceed to the next step

MSM Confirmation

After a few seconds you will be presented with the results. If anything goes wrong you need to go back and edit your registration accordingly - but it shouldn't if you followed these steps.

Congrats!

Click on the Go to Manage Your Site link. In the drop-down (1) select the site that you just registered and then click on the Modify Editable Site Properties link (2).

Manage your site

The next screen allows you to edit the properties of the site. First of all check the Show advanced properties check box to enable more options.

Advanced stuff ahead...

First we need to rename the Domain name (1) and set our real domain name to use. Then we need to replace the dummy DNS name (2) with a URN, in this case I use urn:wictorslivesite:int. Remember not to specify a URL, it just won't work as of now. The third thing to edit is the Default Return Url (3); this must be an HTTPS URL pointing to the /_trust/default.aspx page, for instance https://extranet.corp.local/_trust/default.aspx. This is the URL that the IP will post the results back to. Finally we have to edit the Expire Cookie URL (4). Just fix the URL and never mind the actual page (you can implement such a page later if you feel like it).

Options, options, options...

Then scroll down a bit on the page until you reach Override Authentication Policy, this step is crucial. Select MBI_FED_SSL in the drop-down. And when you're done click Submit (at the top of the page).

MBI_FED_SSL

Verify and confirm your changes by clicking Yes on the next screen. Take a screenshot and/or notes of all these changes.

Confirmation again

That's it. Your site is now configured. Actually you can configure a bunch of more features here - but stick to these as of now...

Wohoooo

Let's move on to the SharePoint Server.

Certificates

Claims based authentication uses certificates for encryption and signing, and you have to trust the certificate of the IP on your SharePoint servers. The following steps must be done on all WFEs in the farm.

To get the IP certificate; browse to federation metadata URL: https://nexus.passport-int.com/federationmetadata2/2007-06/federationmetadata.xml (this is for the INT zone). Then copy the inner text from the first X509Certificate node. Open up the Notepad application and paste the text and then save the file as LiveID-INT.cer. Make sure that you only get the inner text of the element.

XML en masse

Now you have the certificate in a file and you need to import it to the correct locations on the SharePoint Server(s). It is actually required to be stored locally on three different locations. Open mmc.exe and add the Certificates snap-in. When you select to add it you must first select to use the Computer Account to manage the accounts for and select to use the Local computer as computer to manage.

Expand the tree until you reach SharePoint > Certificates then right-click on the node and Select All Tasks > Import...

Certificates

In the import wizard that appears locate the LiveID-INT.cer file you just created and then click Next > Next > Finish. That's the first one.

Repeat this procedure for the Trusted Root Certification Authority and Trusted People. Don't worry if you don't have a Certificates sub-node. It will be created when you import the certificate.

Even more certificates

Now we're one step closer and it is time to get dirty with some PowerShell. You could of course have done the certificate import using PowerShell as well, but I leave that for another crafty blogger to show how... Just remember to do this on all WFEs!
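Since the certificate steps above are manual, here is an added PowerShell equivalent (my own example, not code from the original post). It downloads the INT federation metadata, extracts the first X509Certificate element, shows the thumbprint and expiry so you can inspect the certificate before trusting it, saves LiveID-INT.cer and imports it into the same three LocalMachine stores the guide uses. It assumes an elevated PowerShell on each WFE with outbound HTTPS access to nexus.passport-int.com; the .NET store API is used because PowerShell 2.0 has no Import-Certificate cmdlet.

```powershell
# Added example (not from the original post): automate the certificate steps of the guide.
$metadataUrl = "https://nexus.passport-int.com/federationmetadata2/2007-06/federationmetadata.xml"
$cerPath     = "C:\Temp\LiveID-INT.cer"

# Download the federation metadata and parse it as XML.
$client = New-Object System.Net.WebClient
[xml]$metadata = $client.DownloadString($metadataUrl)

# Take the inner text of the first X509Certificate node, whatever namespace prefix it carries.
$node = $metadata.SelectSingleNode("//*[local-name()='X509Certificate']")
if ($node -eq $null) { throw "No X509Certificate element found in $metadataUrl" }
$base64 = $node.InnerText -replace "\s", ""     # drop whitespace/newlines around the base64

# Decode to DER and load it as a certificate object so it can be inspected before trusting it.
$der  = [Convert]::FromBase64String($base64)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
"Subject    : " + $cert.Subject
"Thumbprint : " + $cert.Thumbprint
"Expires    : " + $cert.NotAfter
if ($cert.NotAfter -lt (Get-Date)) { throw "Metadata certificate has expired; not importing it" }

# Write a PEM-style .cer: the same base64 the guide pastes into Notepad, with headers added.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, "InsertLineBreaks") +
       "`r`n-----END CERTIFICATE-----`r`n"
New-Item -ItemType Directory -Path (Split-Path $cerPath) -Force | Out-Null
Set-Content -Path $cerPath -Value $pem -Encoding Ascii

# Import into SharePoint, Trusted Root Certification Authorities and Trusted People
# (LocalMachine). "SharePoint" is the custom store shown in the MMC snap-in; the import is
# skipped when the thumbprint is already present so the script can be re-run safely.
foreach ($storeName in "SharePoint", "Root", "TrustedPeople") {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "LocalMachine")
    $store.Open("ReadWrite")
    $present = $store.Certificates.Find("FindByThumbprint", $cert.Thumbprint, $false)
    if ($present.Count -eq 0) { $store.Add($cert); "Imported into $storeName" }
    else { "Already present in $storeName" }
    $store.Close()
}
```

Compare the printed thumbprint with the one shown under Central Administration > Security > Manage Trust after the next step; they must match.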

Create the STS provider

To create the Trusted Identity Token Issuer, that we will use to configure as the login provider for the Web Applications, we fire up PowerShell. This step will not be that "visual" as the previous ones, since none of these commands can be run using the standard SharePoint user interface. I guess it's just a matter of time until someone makes a neat add-on with these simple commands...

I'll give you the script first and then explain all the involved steps:

1: asnp microsoft.sharepoint.powershell
2: $realm = "urn:wictorslivesite:int"
3: $certfile = "C:\Temp\LiveID-INT.cer"
4: $rootcert = Get-PfxCertificate $certfile
5: New-SPTrustedRootAuthority "Live ID INT Root Authority" -Certificate $rootcert
6: $emailclaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming
7: $upnclaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
8: $authp = New-SPTrustedIdentityTokenIssuer -Name "LiveID INT" -Description "LiveID INT" -Realm $realm -ImportTrustCertificate $certfile -ClaimsMappings $emailclaim,$upnclaim -SignInUrl "https://login.live-int.com/login.srf" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

The first line just loads the SharePoint PowerShell snap-in (1); asnp is an alias for Add-PSSnapin and saves you a couple of keystrokes. Then we set three local variables: realm corresponds to the DNS Name (that is, the URN), certfile points to the location where you saved the LiveID-INT.cer file and rootcert is the certificate loaded as an object.

Make sure not to make any typos in the claims URN's - been there, done that!

Then we add the certificate as a SharePoint trusted root authority, using the New-SPTrustedRootAuthority cmdlet. You can verify that it is correctly imported by going to Central Administration > Security > Manage Trust:

Trusts in SharePoint

Then we need to create two claim mappings: one for e-mail (line 6) and one for the identifier (line 7). The claim mappings define how the incoming claims are mapped to the SharePoint tokens. These two mappings are then passed to the New-SPTrustedIdentityTokenIssuer cmdlet (line 8) and here is where the magic happens. This cmdlet creates a new trusted identity provider with a name and description; we instruct it which claim mappings to use and which claim is the identifier claim. We also specify the URL for the WLID (INT zone) login page.

Once these commands are executed, we are ready to head on over to the UI and create a Web Application. By all means, if you prefer to do the rest using PowerShell, feel free to do it.

If you are fiddling back and forwards using different registered Live ID services, you can switch the Realm using the DefaultProviderRealm property of the Trusted Identity Provider object (authp). Don't forget to call Update() on the object... You can only have one provider for each service, even if the realms differ.
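Because a single typo in a claim URI or a realm that differs from the MSM DNS Name (even in case) only shows up as a failed login later, here is an added check script of my own (not from the original post) that reads the "LiveID INT" issuer back and compares it with the values the guide uses; the commented lines at the end show the realm switch via DefaultProviderRealm and Update(). It assumes the SharePoint 2010 Management Shell on a farm server and the LiveID-INT.cer path from the script above.

```powershell
# Added example (not from the original post): verify the trusted identity token issuer.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName    = "LiveID INT"
$expectedRealm = "urn:wictorslivesite:int"   # must equal the DNS Name in MSM, case-sensitive
$nameIdClaim   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$emailClaim    = "http://schemas.xmlsoap.org/claims/EmailAddress"
$cerPath       = "C:\Temp\LiveID-INT.cer"

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction SilentlyContinue
if ($issuer -eq $null) { throw "Trusted identity token issuer '$issuerName' not found" }

$problems = @()

# 1. Realm: a mismatch here is what produces "We're unable to complete your request" at login.
if ($issuer.DefaultProviderRealm -cne $expectedRealm) {
    $problems += "Realm is '$($issuer.DefaultProviderRealm)', expected '$expectedRealm'"
}
# A URL would have its scheme stripped by WLID and then fail SAML audience validation.
if ($expectedRealm -match '^https?://') { $problems += "Realm is a URL; use a URN instead" }

# 2. Identifier claim and claim mappings: mistyped claim URIs are the most common failure.
if ($issuer.IdentifierClaim -cne $nameIdClaim) {
    $problems += "IdentifierClaim is '$($issuer.IdentifierClaim)', expected '$nameIdClaim'"
}
$incoming = @($issuer.ClaimTypeInformation | ForEach-Object { $_.InputClaimType })
foreach ($claim in $nameIdClaim, $emailClaim) {
    if ($incoming -cnotcontains $claim) { $problems += "No claim mapping for '$claim'" }
}

# 3. Sign-in URL must point at the INT zone while the site is registered there.
if ($issuer.ProviderUri.Host -ne "login.live-int.com") {
    $problems += "Sign-in URL is $($issuer.ProviderUri); expected the login.live-int.com endpoint"
}

# 4. Signing certificate: must be the one taken from the federation metadata,
#    and the same certificate must be registered as a SharePoint trusted root authority.
$fileCert = Get-PfxCertificate $cerPath
if ($issuer.SigningCertificate.Thumbprint -ne $fileCert.Thumbprint) {
    $problems += "Issuer signing certificate thumbprint differs from $cerPath"
}
$rootAuthority = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $fileCert.Thumbprint }
if ($rootAuthority -eq $null) { $problems += "Certificate is not a SharePoint trusted root authority" }

if ($problems.Count -eq 0) { "Issuer '$issuerName' is consistent with the MSM registration values" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }

# Switching to another registered MSM site (one issuer per IP, only the realm changes):
# $issuer.DefaultProviderRealm = "urn:anothersite:int"   # hypothetical second registration
# $issuer.Update()
```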

Create the Web Application

Fire up Central Administration and go to Application Management > Manage web applications. Click New to create a new Web Application.

First of all you need to select to use Claims Based Authentication. Then enter a Name for your web application, use the port 443 (SSL) and (in this case) configure the host header to match the domain name that you entered while registering the WLID service. Just standard stuff so far.

Create the web application

Under Security Configuration make sure that you select Use Secure Sockets Layer (SSL).

SSL settings

Under Claims Authentication Types leave Windows Authentication enabled if you like, but make sure to check the Trusted Identity Provider checkbox and then check the LiveID INT provider, the one we created using PowerShell.

Providers...

Once done click OK to create the Web Application.

We're almost there just a few steps more...

Create the Site Collection

Once the Web Application is created you can directly click on the Create Site Collection link. Enter name and description for the site, and also specify which template to use.

Now it is time to give some permissions to this site collection. Assume that we did not select any Windows Authentication when creating the Web Application, then we can only add Live ID users, right?

If you don't have a WLID account in the INT domain it is time to get one now. Open up a new browser window. Go to https://accountservices.passport-int.net/ and sign up for a new account or sign in using one of your existing INT accounts. (Stability of the INT domains is not 100% :-) When you have signed up or logged in, click on Credentials and then View your unique ID.

Credentials

You will now see a screen with your unique ID; write it down, copy it or remember it...

Magic number

Close the browser and return to the Central Administration where you started creating a Site Collection. Now paste or write this unique ID and append @live.com in the Primary Site Collection Administrator. But, make sure to convert all characters to lowercase, otherwise you will not be able to log in later:

Magic number becomes an admin

Then click OK to create the Site Collection.

Final configurations

Before browsing to the site we need to make some final adjustments in IIS. To be precise, we will add a certificate to the site. You can use a certificate that you have acquired for your site or, when testing, just use a self-signed one, which I will show you here.

To create a Self-Signed certificate start the IIS Manager and select the server. In the Features View double-click the Server Certificates module.

Ouch, more certificates

Then click Create Self-Signed Certificate in the Actions bar to the right and follow the instructions. Mostly next-next-finish.

I'll make one myself

The final configuration is to use this certificate on the Web Application. Choose the Web Application you created in SharePoint in the IIS Manager (1), then click on Bindings (2), select to edit the only binding you have (3) and choose the SSL certificate you just created in the drop-down (4). Click OK and close everything down.

Advanced stuff

That's it! Let's see how it behaves...

Taking it for a test drive

Now open up a web browser and go to the web application you have created using the domain name you specified when creating it, make sure to use https. You should see the standard warning in the browser that the certificate is not valid (add it as trusted if you want to skip this warning in the future), otherwise just click the continue link.

Bump, we just hit a certificate again...

If you have several authentication providers you will see the new SharePoint 2010 Sign In screen with a drop-down where you can choose the authentication provider you would like to use to log in with. If you only have one, in this case the WLID, you will be redirected to the WLID Log In screen - the same will happen if you select LiveID in the drop-down.

Signing in...

If you get an error stating We're unable to complete your request, like below, you most certainly have not used the correct Realm when creating the trusted identity provider using PowerShell. Make sure that the Realm and the DNS Name in the Live ID Service Manager are exactly the same, case sensitive and all.

Ooops, you made a mistake!

The Windows Live ID sign in screen should look as expected, just the same as logging in to other Live ID services. Enter your INT username and password (remember this is still the INT zone).

We're getting there

If you remembered your username and password correctly you will very soon see the beautiful SharePoint 2010 scenery:

Ahhh. So beautiful!

Note that your username and display name will be exactly the same as the unique id you have for that user. How to fix this is scheduled for a later post :)

Next steps

So, there you have it. It's a handful of steps to complete and you have to make sure not to mistype anything. I will continue this series with some more info that could be of great use when setting this up - hopefully not as long as this one though...

89 Comments

  • Carlos Morales said

    Hi Wictor, your article is great... I was looking for something like this for months already. I was trying to get this integration working with a url I found before yours (http: // blog.fpweb.net/claims-authentication-windows-live-id-for-sharepoint-2010/). I could successfully complete the configuration described in this article using the INT site, however our goal is to be on production, right? . Based on that, I decided to give this a try using the Production settings, to see if I could successfully configure my site to redirect to the Live.com production environment as I had it when I was using SP 2007. My sites are registered in the live.com production environment through Azure Live Services. After repeating the configuration of this article using the production servers and settings, I made some strides but I am not there yet.. when I go to my site now, this is the url I see generated by sharepoint (I am replacing my domain with SERVER for this post): - http: // SERVER/_login/default.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F&Source=%2F Here I can select Windows Authentication or "Windows Live ID" (the STS I configured). Once I select the "Windows Live ID" option from the menu, I get redirected to this site: -https: // login.live.com/login.srf?wa=wsignin1.0&wtrealm=SERVER&wctx=http%3a%2f%2fSERVER%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F And this page error is displayed: "This displays an error: We're unable to complete your request Windows Live ID is experiencing technical difficulties. Please try again later." After doing some extra testing, I noticed that if I manually add my site's APPID (coming from Azure Live Services) to the url's querystring that the Sign in page takes me once I select Windows Live from the menu (notice 1st parameter in the querystring): https: // login.live.com/login.srf?appid=XXXXXXXXXXXXXXXX&wa=wsignin1.0&wtrealm=SERVER&wctx=http%3a%2f%2fSERVER%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F The authentication process works just great! I get redirected to the production login.live.com site, I enter my credentials, and I get redirected back to my site as expected (As configured on live.azure.com). Now, my question is: Is there a way to modify the PowerShell script above to have Sharepoint pass the appid as part of the querystring when selecting "Windows Live" from the Sign in page menu? Unless I am not right, I don't think I need to create a site registration in the INT domain if I have a live.azure.com registration active. Another thing I am not sure how to do, is to set the MBI_FED_SSL setting you configure in your post. When I try to go to msm.live.com, my site is not registered... but through live.azure.com it is (And that's the same registration I had working when I used your SPWLA code from codeplex when I had this configured for 2007). Any thoughts on how to get this appid in the url to get this whole piece working with my current production site registrations? Thanks in advance!

  • Steve Paplanus said

    I wish I had this guide before I began, and it took me about 3 weeks to figure it out on my own. I have started on what you marked as your next step, to fix the username/display name. Hopefully you will post something about that soon, since I have been working on this for two days, and haven't gotten to far.

  • Sergey said

    Hi, After signing and redirect https://mydomain.local/_trust/default.aspx I have error : <configuration> <system.web> <customerrors mode="RemoteOnly"></customerrors> </system.web> </configuration>

  • Sergey said

    Hi, After signing and redirect https://mydomain.local/_trust/default.aspx I have error. Server Error in '/' Application Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed Details: To enable the details of this specific error message to be viewable on the local server machine, please create a <customerrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customerrors> tag should then have its "mode" attribute set to "RemoteOnly". To enable the details to be viewable on remote machines, please set "mode" to "Off". </customerrors></customerrors>

  • Wictor said

    You seen the YSOD because you have not enabled full error details in the web.config. My guess is that you have used a URL instead of a URN in the DNS Name and Realm of the MSM application. Read the guide thoroughly and you should succeed.

  • Steve Paplansu said

    I wanted to check to see if you had this issue: I have a LiveID user account that is logging in successfully. The user goes to a list, and then clicks on Alert Me. They go through the wizard, and teh email address is xxxx@live.id (the PUID), and they hit finish. The result is an error page with : "You do not have an e-mail address. Alert has been created successfully but you will not receive notifications until valid e-mail or mobile address has been provided in your profile. " Do you get this error message or suggestions on how to fix this?

  • Sergey said

    When I input login and password and click OK, I see error: ID4222: marker SamlSecurityToken rejected because not satisfied SamlAssertion.NotBefore. NotBefore: "17.09.2010 5:11:39" Current time: "17.09.2010 5:03:24" Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction) +1357808 Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction) +49 Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +393 Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +118 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +461 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1099462 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171 What's wrong?

  • Trackback said

    I'm back with the second part of the Visual guide to Windows Live ID authentication with SharePoint 2010 series. Part 1 was a huge success and has received a lot of feedback and hits - I hope many of ...

  • MArco said

    Great job here Wictor. This article is very useful. I'm in doubt about how I can give permission for all users in LiveID-INT without put each userID inside of the Sharepoint Site?

  • loogares said

    I was looking for that for loong ago, thanks a lot. After doing all the steps and choose LIVE ID to sign on , i get redirected to Windows Live where i can read the following message: The Windows Live Network is unavailable from this site for one of the following reasons: This site may be experiencing a problem The site may not be a member of the Windows Live Network You can: You can sign in or sign up at other sites on the Windows Live Network, or try again later at this site. Does anyone have any idea/suggestion? Thanks a lot

  • Sergey said

    Hi,I create and registered new site. After I configured and tested this site. And after I can Submit Site Properties to Production. Past 7 days, but My site is status - Compliance Pending. What's wrong? How get Prod site?

  • Braveson said

    Hi Wictor,I have configured my application but while browsing the site i get following error " Internet Explorer cannot display the webpage ". It is same when there is no internet connectivity and you try to access a site.

  • Kosich said

    Hi! Thanks for these great posts! ...but I got a problem: I've added certificates and executed your PowerShell script. (btw: script's line 8 has cmdlet "New-SPTrustedIdentityTokenIssuer", but then you give a description for cmdlet "New-SPTrustedIdentityProvider" which is absent in the script). So it seems to me that I'm doing everything right, but when I'm trying to create a new web application (claims based, ssl), there are no trusted identity providers although I can see it at "Central Administration > Security > Manage Trust" page. Have you got any idea? Thanks...

  • Kosich said

    added this to the script #-------------- $user = "xxxxxxxxxxx@live.com" $cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $authp -Identity $user.tolower() #-------------- now almost everything works fine, except that i get "The site may not be a member of the Windows Live Network" message when trying to login via liveid. Should i double check the site properties at msm.live.com, or i should just wait?

  • Trackback said

    Here is the third part of my Visual guide to Windows Live ID authentication in SharePoint 2010. This part takes off just where we ended the last part. If you haven't read part 1 and part 2 then make s...

  • Jay said

    Hi Wictor, I have walked through everything and all seems good until I actually try and login. I can get the signin page I can select windows auth and use credentials and everything loads fine. When I select the LiveID option instead I get sent to the live id login page as expected put in username and password and then the page times out and gives the Internet Explorer cannot display the webpage error. What could I be doing wrong?

  • Jay said

    Hi, I'm receiving an exception in the 8th command of powershell commands as following: New-SPTrustedIdentityTokenIssuer : Exception of type 'System.ArgumentException' was thrown. Parameter name: claimType At line:1 char:42 + $authp = New-SPTrustedIdentityTokenIssuer <<<< -name "liveid int" -description "liveid int" -realm $realm -importtrustcertificate $certfile -claimsmappings $emailclaim,$upnclaim -signinurl "https://login.live-int.com/login.srf" -identifierclaim $emailclaim.inputclaimtype + categoryinfo : invaliddata:(microsoft.share...dentityprovider:spcmdletnewspidentityprovider) [new-sptrustedidentitytokenissuer], argumentexception + fullyqualifiederrorid :microsoft.sharepoint.powershell.spcmdletnewspidentityprovider any solutions ????

  • Wictor said

    Need to get more info, but make sure that you have no typos in the claim identifiers (the claim URI's). Also how did you type in the cmd? Looks like you didnt specify the -IdentifierClaim parameter as in my sample...

  • Trackback said

    The time has come for me to do my summary post of 2010. This is my fifth summary post (2006, 2007, 2008 and 2009). This year has been truly amazing. Working in the SharePoint world has been so interes...

  • Louis said

    I have Live Authentication working. Thank you for all the helpful information. My question is with regard to the cryptic names. Is there any way to display their real live ID?? Adding and maintaining users is a nightmare because I never really know who is who. All you get is the 9812709817234@live ID. Any suggestions?? Lou

  • Carlos said

    Excellent Post Wictor, I made it work yesterday. I only had problems with the TMG server. I was getting "The remote server has been paused or is in the process of being started" every time when accessing the site's home page. I found out that in TMG when you have a server farm configured, if you choose 'Send an HTTP/HTTPS GET request' on the 'Connectivity Verification' tab, you have to fill out the site's URL in the Host Header field.

  • JT said

    I think I have everything working properly. I am trying to do this in production, when I select Live ID Int (I changed the url to the https://login.live.com, it redirects to the site, but says: The Windows Live Network is unavailable from this site for one of the following reasons: This site may be experiencing a problem The site may not be a member of the Windows Live Network You can: You can sign in or sign up at other sites on the Windows Live Network, or try again later at this site. I am sure I have something wrong in the MSM behind the scenes, but I'm not sure what. You can see for yourself at: https://www2.sharepointadvice.net Thanks for any assistance you can provide.

  • Mike said

    Thank you for this informative article! Everything seems to be going well, but when I try to create the provider in PS, I get the following error. I have not been able to find any further info on the error. Any light you can shed on this would be much appreciated!
    New-SPTrustedIdentityTokenIssuer : Exception of type 'System.ArgumentException' was thrown.
    Parameter name: newObj
    At line:1 char:42
    + $authp = New-SPTrustedIdentityTokenIssuer <<<< -name "liveidint" -description "liveid int" -realm $realm -importtrustcertificate $certfile -claimsmappings $emailclaim,$upnclaim -signinurl "https://login.live-int.com/login.srf" -identifierclaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    + CategoryInfo : InvalidData: (microsoft.share...dentityprovider:spcmdletnewspidentityprovider) [New-SPTrustedIdentityTokenIssuer], ArgumentException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

  • Evgeniy said

    Wictor, I have got a question for you. How can I change the $realm in SharePoint? I have configured everything as you have recommended here except for the realm. Instead of typing urn:mydomainasdf:int, I typed domain.com during registration on MSM.live.com. After that, I typed $realm="domain.com" in PowerShell. And in the end, during authentication through Live ID I get the message: "We're unable to complete your request. Windows Live ID is experiencing technical difficulties. Please try again later." I have changed the DNS value (urn:mydomain:int) on the MSM web site and tried to set $realm="urn:mydomain:int" on SharePoint. But I still receive the same error. In the address bar on the page with this error I can see the old value of the realm. Evgepr@narod.ru

  • cory said

    The site is down or something. I found it at https://msm.live.com/app/ but when I click "register an application" I get a server error. Did the site move?

  • Steve said

    Great post Wictor. I have it working to the point where I can login with a Live ID and it does a post back to the _trust virtual directory with the token but it fails signature verification. I've installed the certificate to the trusted root authority in SharePoint as well as every other certificate location in Windows to no avail. I also confirmed the cert has the public key and the SKI matches up. Any suggestions would be appreciated.
    [SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 2, Clause[0] = X509SubjectKeyIdentifierClause(SKI = 0x55B27221C18BD008C1E3F5A6E03A9466EC7AB949), Clause[1] = KeyNameIdentifierClause(KeyName = 'Window Live ID') ) '. Ensure that the SecurityTokenResolver is populated with the required key.]
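    An added check for the ID4037 case above (example code, not from the original post): it reads the Subject Key Identifier from the .cer file and from the certificates SharePoint itself trusts, so you can see whether the SKI quoted in the exception is known to the farm at all. The file path is a placeholder; the SKI is the one from the exception.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders: adjust the path; the SKI is the value quoted in the ID4037 exception above.
$certfile     = "C:\TEMP\LiveID-INT.cer"
$skiFromError = "55B27221C18BD008C1E3F5A6E03A9466EC7AB949"

# Subject Key Identifier (extension OID 2.5.29.14) as an upper-case hex string, or $null.
function Get-CertSki {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert)
    if ($cert -eq $null) { return $null }
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.14" }
    if ($ext -eq $null) { return $null }
    return $ext.SubjectKeyIdentifier.ToUpperInvariant()
}

$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certfile)
$known = @{}   # SKI -> where the farm knows the certificate from

Write-Host ("Certificate file {0}: SKI {1}" -f $certfile, (Get-CertSki $fileCert))

# Farm-level certificate trust store: this is what token signatures are resolved against,
# not the Windows certificate stores of the individual servers.
foreach ($ra in Get-SPTrustedRootAuthority) {
    $ski = Get-CertSki $ra.Certificate
    Write-Host ("Trusted root authority '{0}': SKI {1}" -f $ra.Name, $ski)
    if ($ski) { $known[$ski] = "trusted root authority '" + $ra.Name + "'" }
}

# Signing certificate recorded on each trusted identity token issuer.
foreach ($issuer in Get-SPTrustedIdentityTokenIssuer) {
    $ski = Get-CertSki $issuer.SigningCertificate
    Write-Host ("Token issuer '{0}': signing cert SKI {1}" -f $issuer.Name, $ski)
    if ($ski) { $known[$ski] = "token issuer '" + $issuer.Name + "'" }
}

$wanted = $skiFromError.ToUpperInvariant()
if ($known.ContainsKey($wanted)) {
    Write-Host ("The key from the error is known to the farm via " + $known[$wanted])
} else {
    Write-Host "No trusted certificate has that SKI: the token was signed with a certificate the"
    Write-Host "farm does not trust (for example the production cert while the INT cert is imported)."
    Write-Host "Import the matching certificate with New-SPTrustedRootAuthority; do not loosen validation."
}
```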

  • Ganesh.M said

    For some reason, the registration etc. of the WLID site works properly only in IE and not in Google Chrome. If you face any problems while registering your site using Google Chrome, try using IE instead; it solved my problem.

  • Capa said

    Hi, the following line (8) does not work for me:
    $authp = New-SPTrustedIdentityTokenIssuer -Name "LiveID INT" -Description "LiveID INT" -Realm $realm -ImportTrustCertificate $certfile -ClaimsMappings $emailclaim,$upnclaim -SignInUrl "https://login.live-int.com/login.srf" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    Result:
    New-SPTrustedIdentityTokenIssuer : Exception of type 'System.ArgumentException' was thrown.
    Parameter name: newProvider
    At line:1 char:42
    + $authp = New-SPTrustedIdentityTokenIssuer <<<< -name "liveid int" -description "liveid ttrustcertificate $certfile -claimsmappings $emailclaim,$upnclaim -signinurl "https://logi -identifierclaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    + CategoryInfo : InvalidData: (microsoft.share...dentityprovider:spcmdletnewspide ustedidentitytokenissuer], ArgumentException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider
    Does somebody know about this?

  • Anurag Chauhan said

    Hi, I have followed all the instructions given by you, but am stuck at one point. Please check this: /WindowsLiveWriter/VisualguidetoWindowsLiveIDintegrationwit_86C9/SNAGHTML458d426.png. I am not able to see the item "SharePoint" in the tree menu of mmc.exe. Please help. Regards, anurag.chauhan@hotmail.com

  • Mateusz said

    Thanks for the great guide, I managed to work it out. I was wondering why not use the 2007 forms-based approach? Wouldn't it be faster (no need to wait for compliance) with the same user experience? What are the pros and cons of claims-based versus forms-based authentication?

  • Mateusz said

    For those who got an error: "The site may not be a member of the Windows Live Network" - I had this error when I forgot to change http to https in default return url and expire cookie url, hope this helps.

  • Mateusz said

    For those who had an ArgumentException on the New-SPTrustedIdentityTokenIssuer command: try to remove the existing Token Issuers. First, run Get-SPTrusted....Issuer and see what the name of the token is. Then, run Remove-SPTrusted...Issuer "Name". Hope this helps :)

  • Hariom Sharma said

    Hi, thanks for giving us such a breather in this direction. I need to know whether anybody has faced any issue logging into the Windows Live site using live-int credentials. I am trying to log into the site using live-int creds but it brings me back to the same login page with no failure information. Can you please suggest what is going wrong there?

  • Doug Brown said

    At line 8:
    $authp = New-SPTrustedIdentityTokenIssuer -Name "LiveID INT" -Description "LiveID INT" -Realm $realm -ImportTrustCertificate $certfile -ClaimsMappings $emailclaim,$upnclaim -SignInUrl "https://login.live-int.com/login.srf" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    I am getting the error:
    New-SPTrustedIdentityTokenIssuer : Exception of type 'System.ArgumentException' was thrown.
    Parameter name: newProvider
    At line:1 char:42
    + $authp = New-SPTrustedIdentityTokenIssuer <<<< -name "liveid int" -description "liveid int" -realm $realm -importtrustcertificate $certfile -claimsmappings $emailclaim,$upnclaim -signinurl "https://login.live-int.com/login.srf" -identifierclaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    + CategoryInfo : InvalidData: (microsoft.share...dentityprovider:spcmdletnewspidentityprovider) [New-SPTrustedIdentityTokenIssuer], ArgumentException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider
    I also tried entering the parameters for line 8 manually. I enter all of them as claimsmappings[0] and PS prompts me for claimsmappings[1].

  • Oscar Bautista said

    Hi. Thank you for the informative post. I have configured as instructed. I think I am very close. When I visit my site I am redirected to select the authentication type. I select Windows Live and am then redirected here: https://login.live-int.com/login.srf?wa=wsignin1.0&wtrealm=urn%3amydomain%3aint&wctx=https%3a%2f%2fmydomain.local%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F When I enter my credentials, it appears as though something is happening because the login.live page flickers and I see something going on (processing/posting back), but I am not redirected back to my local SharePoint site. Curious if you can help point me in the right direction? Thanks so much...

  • bob said

    I am getting error as shown below: The Windows Live Network is unavailable from this site for one of the following reasons: 1. This site may be experiencing a problem 2. The site may not be a member of the Windows Live Network

  • Saurabh Kumar Singh said

    Hi, I am trying to accomplish SharePoint 2010 claims-based authentication with Windows Live ID. As per different articles, I have tried to set up authentication with a Live-INT ID, but I am not able to sign up with Live-INT.com. I have faced many problems signing up a new user in Live-INT.com. So now I am looking for steps to integrate a SharePoint 2010 site directly with Windows Live ID in a development environment, because the Live-INT environment doesn't work. Please help me with it. Thanks, Saurabh Kumar Singh saurabhsinghmca@gmail.com

  • wictor said

    @Huy - thanks a lot
    [You should take a look at this series instead, which are far easier to set up.](http://www.wictorwilen.se/Post/Visual-guide-to-Azure-Access-Controls-Services-authentication-with-SharePoint-2010-Index-Post.aspx)
    /WW

  • Gino said

    I am trying to integrate the Live Authentication for a SharePoint 2010. Your process flow is great. Unfortunately, I am getting stuck in executing the PS.
    Your PS instructions request to apply the following changes:
    1.0 $realm
    1.1 Placing the urn name between “urn:” and “:int”
    1.2 I am using the name of my URL (I am assuming is my DNS name)
    2.0 $certfile
    2.1 I placed the Certfile file in the same location that you indicated in the PS which is C:\TEMP\LiveID-INT.cer
    3.0 $rootcert
    3.1 You said that this “is the certificate loaded in as an object”
    3.2 I assumed that this is just a description statement and we just leave the variable without changes.
    No other changes were done to the PS.
    I open a SharePoint 2010 Management Shell window at the SharePoint server computer. I position on the location of the Add-PSSnapin file. I typed the name of the snap-in and hit enter. The system responds by displaying “name (0):” and waits for an input.
    I believe I am not executing the PS correctly. Can you advise me on step on how to execute the PS?
    Thanks, Gino

  • Gino said

    Oops... Never mind about the PS execution. It seems that I would have to execute each of those statements one at a time from the cmd line.
    Let me know if the rest of the parameters that I defined in my previous email require any correction.
    Cheers,
    Gino

  • Gino said

    Never mind about the PS execution. It seems that I would have to execute each of those statements one at a time from the cmd line.
    Let me know if the rest of the parameters that I defined in my previous email require any correction.
    Cheers,
    Gino

  • Gino said

    After executing the last command from PS:

    PS C:\> $authp =
    New-SPTrustedIdentityTokenIssuer -Name "LiveID INT"
    -Description "LiveID INT"
    -Realm $realm -ImportTrustCertificate $certfile
    -ClaimsMappings $emailclaim,$upnclaim
    -SignInUrl https://login.live-int.com/login.srf

    I received this message:
    cmdlet New-SPTrustedIdentityTokenIssuer at command pipeline position 1
    Supply values for the following parameters:

    Would kindly advise me what I need to establish in correcting this situation.
    Thanks,
    Gino

  • Gino said

    Ok, I fixed the problem.
    Make sure not to make any typos in the claims' URNs; been there, done that!
    I am on the last step of the integration "Certificate binding to 443 Ports."
    If we are using the SSL port with other certificates, what should we do when we need to bind the WindowsLive SSL certificate with port 443?
    If I bind it, it will cause problems with the other 443 bindings that use other certificates.
    I am reaching out for anyone who can help to determine a solution other than setting it up in a separate dedicated SharePoint box.
    Best to ALL!
    Gino
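    Pulling together the ArgumentException Mateusz worked around, the parameter prompt in Gino's earlier comment and the claim URN typos in this one, here is an added re-runnable version of the issuer setup (example code, not the post's own script). Assumptions: realm, certificate path and issuer name are placeholders, and the two mappings shown (email kept as-is, nameidentifier exposed as UPN) are one workable choice, not necessarily the post's exact ones.

```powershell
# Added example, not the post's own script. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders: the realm must equal the value registered for the application at msm.live.com.
$issuerName = "LiveID INT"
$realm      = "urn:mydomain:int"
$signInUrl  = "https://login.live-int.com/login.srf"
$certfile   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\TEMP\LiveID-INT.cer")

# Claim type URIs are written once, so a typo cannot creep into the mappings or the identifier claim.
$emailType  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$nameIdType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$upnType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$incomingTypes = @($emailType, $nameIdType)   # what the Live ID token carries (assumed)

# Sanity checks before touching the farm: the identifier claim must be an incoming type of one
# of the mappings, and every URI must be a well-formed claim type.
if ($incomingTypes -notcontains $nameIdType) {
    throw "IdentifierClaim '$nameIdType' is not the incoming type of any claims mapping."
}
foreach ($t in ($incomingTypes + $upnType)) {
    if ($t -notmatch '^http://schemas\.xmlsoap\.org/ws/2005/05/identity/claims/[a-z]+$') {
        throw "Suspicious claim type URI: $t"
    }
}

# Assumed mappings: email kept as-is, the Live ID nameidentifier exposed to SharePoint as UPN.
$emailclaim = New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$upnclaim   = New-SPClaimTypeMapping -IncomingClaimType $nameIdType -IncomingClaimTypeDisplayName "UPN" -LocalClaimType $upnType

# An issuer of the same name already in the farm makes the cmdlet throw ArgumentException, so drop it
# first. SharePoint refuses to remove an issuer a web application still uses, which is the right
# place to stop and look instead of forcing it.
$existing = Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq $issuerName }
if ($existing) {
    Write-Host "Removing existing issuer '$issuerName'"
    Remove-SPTrustedIdentityTokenIssuer -Identity $existing -Confirm:$false
}

# Every mandatory parameter is supplied; leaving out -IdentifierClaim is what made the shell prompt
# for values in the earlier comment.
$authp = New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description $issuerName `
    -Realm $realm -ImportTrustCertificate $certfile -ClaimsMappings $emailclaim,$upnclaim `
    -SignInUrl $signInUrl -IdentifierClaim $nameIdType

Write-Host ("Created issuer '{0}' for realm {1}, signing cert thumbprint {2}" -f `
    $authp.Name, $realm, $authp.SigningCertificate.Thumbprint)
```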

  • Sameer Maske said

    Hi Wictor,

    I have followed the same steps as you mentioned in this post and enabled Live ID Authentication on SharePoint 2010. On the Sign-in page, it is asking to choose "Live ID" or "Windows Authentication" from a dropdown. I logged in successfully using Live ID into the site. Once I click on Sign-out, it is redirecting to the Sign-in page (starting page) but not signing out properly. When I again choose Live ID from the dropdown, it is not asking for the credentials; it is automatically taking the previous login credentials. Am I missing anything? Could someone help me?

    Thanks,

  • Rahul said

    Dear Wictor,

    I am not able to sign in/sign up for https://login.live-int.com. Can you please try signing up with a new user or signing in with an existing user and let me know if it's working?

    I have seen a couple of other forums facing the same issue but none of them have any solution for this. It would be great if you can help us.

    Thanks
    Rahul

  • gopi said

    The Web application at https://localhost/ could not be found. Verify that you have typed the URL correctly. If the URL should be serving existing content, the system administrator may need to add a new request URL mapping to the intended application.

About Wictor...

Wictor Wilén is a Director and SharePoint Architect working at Connecta AB. Wictor has achieved the Microsoft Certified Architect (MCA) - SharePoint 2010, Microsoft Certified Solutions Master (MCSM) - SharePoint  and Microsoft Certified Master (MCM) - SharePoint 2010 certifications. He has also been awarded Microsoft Most Valuable Professional (MVP) for four consecutive years.
