SharePoint Framework

SharePoint Framework and Microsoft Graph access – convenient but be VERY careful

SharePoint Framework (SPFx) is a fantastic development model on top of (modern) SharePoint, for user interface extensibility, and it has evolved tremendously over the last year since it became generally available. The framework is based on JavaScript extensibility in a controlled manner, compared to the older JavaScript injection mechanisms we used to extend (classic) SharePoint, that comes with a lot of power. Using SharePoint Framework, our JavaScript has access to the whole DOM in the browser, meaning that we can do essentially what we want with the user interface – however, of course, we shouldn’t; only certain parts of the DOM are allowed/supported for modification.

SharePoint 2013

SharePoint 2013: How to refresh the Request Digest value in JavaScript

Introduction: SharePoint 2013 (and previous versions) uses a client side “token” to validate posts back to SharePoint to prevent attacks where the user might be tricked into posting data back to the server. This token is known by many names; form digest or message digest or request digest. The token is unique to a user and a site and is only valid for a (configurable) limited time. When building Apps or customizations on top of SharePoint, especially using patterns such as Single Page Applications (SPA) or using frameworks such as knockout.

WAC Server

Office Web Apps 2013: Securing your WAC farm

With this new wave of SharePoint, the Office Web Apps Server (WAC – I don’t like the OWA acronym, that’s something else in my opinion) is its own server product, implementing the WOPI client protocol, which allows a client to retrieve documents from SharePoint on behalf of the user. Documents will flow from the WOPI servers (SharePoint, Lync, Exchange etc.) to the Office Web Apps Server – this means that potentially confidential information will be transferred from the SharePoint environment and stored/cached on another server.

Security

Visual guide to Azure Access Controls Services authentication with SharePoint 2010 - Index Post

This post serves as an index for all the articles in the Visual guide to Azure Access Controls Services authentication with SharePoint 2010. This series is a set [not yet determined amount] of articles where I show you how to leverage the Azure Access Controls Services (ACS) in combination with SharePoint 2010 to make it easier for you to use identity providers such as Google ID, Windows Live ID, Facebook AuthN etc.

Security

Visual guide to Azure Access Controls Services authentication with SharePoint 2010 - part 4 - multiple web applications

Back with another promised post in the Visual guide to Azure Access Controls Services authentication with SharePoint 2010. This time I’m going to show you how to work with multiple web applications. We’re going to use the stuff we configured in part 1 (basic setup) and part 3 (Facebook setup), and hopefully we’re avoiding the problems discussed in part 2 (common problems). Scenario: In this article I would like to show you how to use Azure ACS and SharePoint 2010 when we have multiple Web Applications in SharePoint.

Security

Visual guide to Azure Access Control Services authentication with SharePoint 2010 - part 3 - Facebook

Welcome back to a third post in the Visual Guide to Azure Access Control Services authentication with SharePoint 2010. In the first part I showed you how to do the basic configuration of Azure ACS and SharePoint 2010 and log in using a Google Id. The second part discussed the most common problems I’ve seen so far. In this post we’ll continue extending the ACS Relying Party to support another Identity Provider - namely Facebook!

Security

Visual guide to Azure Access Control Services authentication with SharePoint 2010 - part 2 - common problems

This is the second part of the Visual guide to Azure Access Control Services authentication with SharePoint 2010. I hope you’ve read part 1 which showed you how to configure SharePoint 2010 to use Windows Azure Access Control Services, ACS, as the federated Identity Provider, IP. In this post I’ll go through the most common errors that you might stumble upon (most likely due to the fact that you didn’t follow part 1 thoroughly).

Security

Suddenly getting Access Denied on your SharePoint 2010 User Profile Sync

Last week I stumbled upon a really interesting new and shiny User Profile Synchronization issue - one of these things that just make your day! We had to manually initialize a full synchronization, after doing some updates to one of the user profile properties, and the user profile synchronization would not just start… Everything looked fine (on the surface) and we tried the incremental sync, which also looked like it was starting but nothing happened.

SharePoint

Fix the SharePoint DCOM 10016 error on Windows Server 2008 R2

If you have been installing SharePoint you have probably also seen and fixed the DCOM 10016 error. This error occurs in the event log when the SharePoint service accounts don’t have the necessary permissions (Local Activation to the IIS WAMREG admin service). Your farm will still function, but your event log will be cluttered. On a Windows Server 2003 or Windows Server 2008 machine you would just fire up the dcomcnfg utility (with elevated privileges) and enable Local Activation for your domain account.

Security

In defense of User Account Control

Everybody has something to say about Windows Vista, good and bad. Most often I hear complaints and especially on the User Account Control. Today the Swedish IDG website had an article about the 10 most annoying things with Vista and how to solve them, and of course one of them was about the poor UAC. I must say, and I have been using Vista since before RTM, and only found the UAC annoying during the first few days, when installing the machine.

SharePoint

SharePoint, Vista and Office 2007 security problems solved

For the last year I have had really annoying security troubles when working with documents in SharePoint (2003 or 2007, WSS or MOSS) on my Windows Vista machine with Office 2007. Every time I have opened up a document for editing the Office applications have asked me to log in to access the document. I have been able to press Cancel three times, but then the document is opened up in read-only mode.

Microsoft

What is the Digital Locker?

When using BitLocker or encrypting your file system with EFS on Windows Vista, you will be using certificates and/or passwords. If these certificates or passwords are lost, it is very likely that you lose the information and data on the disks that are protected. The certificates can of course be backed up on removable media or similar. But storing this kind of crucial information on a remote location is of course the best way and you should do that.

Security

Removing cached NTLM passwords in Internet Explorer

I recently ran into a problem where I had by mistake checked the Remember password checkbox in Internet Explorer 7 (RC) when visiting an NTLM-based website, then I wanted to get back to use my currently logged on user to access this website. There is no way to clear these usernames and passwords using the standard ways in Internet Explorer. First of all I tried to turn off the Automatic logon only in Intranet Zone and entering a new but faulty password for the user and checking the remember password checkbox.

Security

Never set Windows Update to automatic!

Yesterday I wrote about our new server which is now up and running nicely hosting a number of Virtual Server; this morning none of them were up and a few sites and applications were down. This was because the server had Windows Update set to Automatic, which is recommended by the OS - which had led to the server rebooting. I’ve seen it before so this time I found the resolution quickly, but the last time it caused me a headache!