Wednesday, April 25, 2012

STS process

1. Install WIF 4.0.
2. Install the WIF SDK.
3. Create a claims-aware test page project targeting .NET Framework 4.0 (it may need to be switched to 3.5 afterwards).
4. Create the STS (security token service) project targeting .NET Framework 4.0 (it may need to be switched to 3.5 afterwards).
5. Register the "Add STS Reference" add-in: "C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\devenv" /ResetAddin Microsoft.IdentityModel.Tools.VS.VSAddin.FederationAddin
6. Create a tool (Register STS1) to register a trusted login provider, delete a trusted login provider, and update a trusted login provider to tie it to a customized claim provider. The default claim provider is unable to resolve or find any unknown user id.
7. Create a new SharePoint project to build a customized claim provider, and deploy the project to the SharePoint site.

An error may occur at the deployment step 'Recycle IIS Application Pool': <nativehr>0x80070005</nativehr><nativestack></nativestack>Access denied.

Solution: the problem here is that Visual Studio is trying to access the site specified in the project's Site URL property using the currently logged-on Windows account. As the site has been configured for claims-based authentication only, this causes the access denied error to be thrown.
A quick fix for the development environment is to explicitly add your user account to the Web Application. Doing this will allow the Visual Studio process to recycle the application pool and deploy the solution package.
To do this, bring up the Central Administration site and navigate to the Manage Web Applications page (/_admin/WebApplicationList.aspx). Click on the web application that hosts the site you are trying to deploy to and then click the User Policy ribbon item.
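The same User Policy fix done from PowerShell instead of Central Administration, as an added example that is not part of the original post. The web application URL and the account name are assumed; on a claims-based web application the policy must be added under the encoded claims form of the Windows account.

```powershell
# Added example (not from the original post): grant the account that runs
# Visual Studio a web-application policy so deployment can recycle the app pool.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://comutolydvs11"   # assumed: web application that hosts the site
$account   = "CONTOSO\devuser"       # assumed: Windows account Visual Studio runs as

$wa = Get-SPWebApplication $webAppUrl

# Claims-based web applications store policies under the encoded claim
# (i:0#.w|domain\user), not the plain DOMAIN\user string.
$claimsAccount = (New-SPClaimsPrincipal -Identity $account `
    -IdentityType WindowsSamAccountName).ToEncodedString()

if ($wa.Policies | Where-Object { $_.UserName -eq $claimsAccount }) {
    Write-Host "Policy already exists for $claimsAccount"
} else {
    $policy = $wa.Policies.Add($claimsAccount, $account)
    $role = $wa.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    $policy.PolicyRoleBindings.Add($role)
    $wa.Update()
    Write-Host "Granted Full Control policy to $claimsAccount on $webAppUrl"
}

# This is a development-only workaround; remove the policy when finished:
# $wa.Policies.Remove($claimsAccount); $wa.Update()
```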

8. Create a certificate (optional).
    In the Certificates snap-in, under the Personal store, if the self-signed certificate shows as untrusted, copy it to the Trusted Root Certification Authorities store. In the snap-in, right-click the certificate and choose All Tasks -> Manage Private Keys. Add Read permission for machine\IIS_IUSRS (built-in).
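A check for step 8, added here and not part of the original post: locate the STS certificate in the machine Personal store, warn if it has expired, and list who can read its private key file so that IIS_IUSRS ends up with Read only. The thumbprint is a placeholder, and the script assumes a CSP (RSA) key as created by makecert or IIS.

```powershell
# Added example (not from the original post): inspect the STS signing
# certificate and the ACL on its private key file.
$thumbprint = "PLACEHOLDER_THUMBPRINT"   # assumed: replace with the real thumbprint

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

# An expired self-signed certificate fails token validation later with little diagnostics.
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)" }

# CSP private keys are stored as files under MachineKeys; the file name is the
# unique key container name (assumes an RSA CSP key, not a CNG key).
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"

$acl = Get-Acl $keyPath
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# The app pool identity only needs Read; flag any write bits granted to IIS_IUSRS.
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
$acl.Access |
    Where-Object { $_.IdentityReference -like "*IIS_IUSRS" -and
                   (($_.FileSystemRights -band $writeBits) -ne 0) } |
    ForEach-Object { Write-Warning "IIS_IUSRS has $($_.FileSystemRights) on the key; Read is enough" }
```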

9. This step is easy to miss.

10. Update the people picker by running the button7_Click event in the tool.

You can use PowerShell to register a token issuer (trusted login provider) and a claim provider.

Run PowerShell:
Add-PSSnapin Microsoft.SharePoint.Powershell
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\StudentFiles\STSTestCertPub.cer")
$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$map1.AddKnownClaimValue("user1@wingtip.com")     # $map1.RemoveKnownClaimValue("user1@wingtip.com") (only if you want to remove)
$map1.AddKnownClaimValue("user2@wingtip.com")
$map1.AddKnownClaimValue("user3@wingtip.com")
$realm = "http://comutolydvs11:42412"
$signinurl = "http://localhost:5977/WingtipTST/login.aspx"
New-SPTrustedIdentityTokenIssuer -Name "STSTestCert2" -Description "STSTestCert2" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

New-SPClaimProvider -Name "MyClaimProvider" -Type "MyClaimProvider.Providers.CustomProvider" -Scope (Get-SPWebApplication http://test)




11. Some useful commands

To remove a claim provider from SharePoint:
Get-SPClaimProvider -Identity "WingtipClaimProvider"
Remove-SPClaimProvider -Identity "WingtipClaimProvider"

To remove features, first list them.
By name,
Get-SPFeature | Sort -Property DisplayName
By feature ID,
Get-SPFeature | Sort -Property Id
By feature display name alphabetically and grouped by scope,
Get-SPFeature | Sort -Property Scope,DisplayName | FT -GroupBy Scope DisplayName,Id
And to write this to a file to allow for viewing in Notepad, Excel etc.,
Get-SPFeature | Sort -Property Scope,DisplayName | FT -GroupBy Scope DisplayName,Id > c:\AllInstalledFeatures.txt

List all activated site-scoped features
Especially in the case of hidden features it's sometimes necessary to track down whether a feature is active on a site collection. Here's a quick way of seeing which features are activated for an SPSite:
Get-SPFeature -Site http://sitecollectionurl/ | Sort DisplayName | FT DisplayName,Id
List all activated web-scoped features
And only slightly modified from the Get-Help Get-SPFeature -examples text, here is a command to list all web-activated features for a site collection:
Get-SPSite http://sitecollectionurl/ | Get-SPWeb -Limit ALL | %{ Get-SPFeature -Web $_ } | Sort DisplayName -Unique | FT DisplayName,Id


Uninstall-SPFeature FeatureFolderName
Features are located in
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\FEATURES
 
 
=============================================================================================================================================
Install claim provider

# register the dll in the GAC
gacutil /i SecureAccessWAClaimProvider.dll

# install the feature: copy the whole feature folder (with subfolders) under TEMPLATE\FEATURES
xcopy SecureAccessWAClaimProvider_SecureAccessWAClaimProviderFeature "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\FEATURES\SecureAccessWAClaimProvider_SecureAccessWAClaimProviderFeature" /E /I
Install-SPFeature -Path SecureAccessWAClaimProvider_SecureAccessWAClaimProviderFeature
# register the claim provider with the trusted login provider
$cp = Get-SPTrustedIdentityTokenIssuer "SecureAccessWA"
$cp.ClaimProviderName = "SecureAccessWAClaimProvider"
$cp.Update()
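An audit script for both registration steps on this page (the New-SPTrustedIdentityTokenIssuer script in step 10 and the claim provider binding just above), added here and not part of the original post. It uses the issuer and provider names from the page and assumes the farm snap-in is available; it prints what the farm will trust (signing certificate, sign-in URL, realm, claim mappings) and warns when the custom claim provider is missing, disabled, or not bound to the issuer.

```powershell
# Added example (not from the original post): verify what was registered.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName   = "SecureAccessWA"               # from the page; use "STSTestCert2" for the step 10 script
$providerName = "SecureAccessWAClaimProvider"  # from the page

$issuer = Get-SPTrustedIdentityTokenIssuer $issuerName
if (-not $issuer) { throw "Trusted identity token issuer '$issuerName' is not registered" }

# Tokens from the STS are accepted only if signed by exactly this certificate.
$sig = $issuer.SigningCertificate
"Issuer:       {0}" -f $issuer.Name
"Sign-in URL:  {0}" -f $issuer.ProviderUri
"Realm:        {0}" -f $issuer.DefaultProviderRealm
"Cert subject: {0}" -f $sig.Subject
"Thumbprint:   {0}" -f $sig.Thumbprint
"Expires:      {0}" -f $sig.NotAfter
if ($sig.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate expires within 30 days"
}

# The identity claim and the mappings incoming claims are filtered through.
"Identity claim: {0}" -f $issuer.IdentityClaimTypeInformation.InputClaimType
$issuer.ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, MappedClaimType |
    Format-Table -AutoSize

# The custom provider must be installed, enabled and bound to this issuer;
# otherwise the people picker falls back to the default provider, which
# cannot resolve unknown user ids (see step 6).
$provider = Get-SPClaimProvider -Identity $providerName -ErrorAction SilentlyContinue
if (-not $provider) {
    Write-Warning "Claim provider '$providerName' is not installed"
} elseif (-not $provider.IsEnabled) {
    Write-Warning "Claim provider '$providerName' is installed but disabled"
}

if ($issuer.ClaimProviderName -ne $providerName) {
    Write-Warning ("Issuer is bound to '{0}', expected '{1}'" -f `
        $issuer.ClaimProviderName, $providerName)
}
```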