
Thursday, 9 November 2017

How to Configure SharePoint 2013 Extended Web Application to Trust ADFS using PowerShell

Export this ADFS token signing certificate to all SharePoint server(s)

The ADFS token signing certificate must be exported from the ADFS server and used when creating the trust in SharePoint. Here is how:

   a. From the ADFS console, expand the "Certificates" folder, right-click your ADFS token signing certificate and choose "View Certificate".
   b. Under the "Details" tab, click the "Copy to File" button.
   c. In the Export Private Key section, choose "No, do not export the private key".
   d. Click "Next" and choose the export file format "DER Encoded binary X.509 (.CER)".
   e. This exports the certificate (public key only) from ADFS.

Configure SharePoint 2013 to Trust ADFS

Let's create a trusted identity token issuer pointing to ADFS as the claims provider, using PowerShell:

#Load the token signing certificate exported from the ADFS server; it is imported into the
#trusted identity token issuer created below (-ImportTrustCertificate) to establish the trust
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("F:\Raja\externalADFS.cer")

#Map the claim types ADFS sends to the claim types SharePoint will use (same name on both sides)
$emailMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

$RoleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

#Realm: the relying party identifier ADFS uses to find this web application's configuration
$realm = "urn:portal.world.com"

#Sign-in URL is the passive sign-in endpoint of the ADFS server instance
$signInURL = "https://external.world.com/adfs/ls/"

#Create the new trusted identity token issuer; the e-mail claim identifies the user in SharePoint
$ap1 = New-SPTrustedIdentityTokenIssuer -Name "ISS Portal Claims" -Description "ISS with Claims Authentication using ADFS 3.0 on Sharepoint 2013" -Realm $realm -ImportTrustCertificate $Cert -ClaimsMappings $upnClaimMap,$emailMap,$RoleClaimMap -SignInUrl $signInURL -IdentifierClaim $emailMap.InputClaimType

iisreset


The first lines of the script above load the ADFS token signing certificate and register it in the SharePoint certificate store. You may have to do this for the root certificate authority as well. The registered certificates are listed under the "Manage Trust" link in the Security section of Central Administration.

Realm - an identifier that helps ADFS load the respective configuration for a particular relying party. It follows the convention urn:yourwebapp:yourdomain (technically it can be anything; it just has to uniquely distinguish between multiple web applications).

IdentifierClaim - the unique ID that identifies users in SharePoint. So, when users log in via ADFS, they will be identified by e-mail address in this case. Also, when granting ADFS users access to SharePoint sites, we'll have to use this identifier as the user name. Make sure that the mapped claim exists in the source: e.g. if e-mail is mapped as the identifier claim, it must exist in AD. In other words, the e-mail field must contain a value; it shouldn't be null!

SharePoint 2013 ADFS with multiple web applications

So, you have established the trusted identity provider for your primary web application and for all other web applications as well, say for example My Sites. Now you'll have to add each of them to the trusted identity provider with this PowerShell code:

#Load the existing trusted identity token issuer
$ap = Get-SPTrustedIdentityTokenIssuer "ADFS Portal Claims"
#Register the web application URL with the realm ADFS should use for it
$uri = New-Object System.Uri("https://portal.world.com")
$ap.ProviderRealms.Add($uri, "urn:portal.world.com")
$ap.Update()

Register ADFS on a newly created extended web application

$ap = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS Portal Claims"
Write-host "Creating Extended Extranet WebApplication" -foregroundcolor "magenta"
Get-SPWebApplication -Identity http://test.portal.world.local | New-SPWebApplicationExtension -Name "test.portal.issworld.com - https" -SecureSocketsLayer -Path "C:\inetpub\wwwroot\wss\VirtualDirectories\test.portal.world.com443" -HostHeader "test.portal.world.com" -Zone "Intranet" -URL "https://test.portal.world.com" -Port 443 -SignInRedirectURL "/_trust/default.aspx"  -AuthenticationProvider $ap
Write-host "Extended Extranet WebApplication Created" -foregroundcolor "magenta"
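The script below is an added check, not part of the original posts, that verifies the trust built above: the certificate imported into the issuer and its Manage Trust entry, the realm registered with ProviderRealms.Add for a zone URL, and whether the extended zone actually uses the issuer. The issuer name "ADFS Portal Claims", the .cer path, the URLs and the zone are assumed defaults taken from the posts.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Checks the trust built in the posts above. The issuer name, .cer path, URLs and zone are
# assumed defaults taken from the posts; pass your own values when calling the function.
function Test-SPAdfsTrust {
    param (
        [string]$IssuerName = "ADFS Portal Claims",
        [string]$CerPath    = "F:\Raja\externalADFS.cer",
        [string]$WebAppUrl  = "http://test.portal.world.local",   # web application identity
        [string]$ZoneUrl    = "https://test.portal.world.com",    # URL of the extended zone
        [string]$Zone       = "Intranet"
    )
    $ap       = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $problems = @()
    # 1. SharePoint verifies the token signature with the certificate stored in the issuer.
    #    ADFS rolls its token signing certificate over automatically, so the stored copy goes
    #    stale unless the trust is updated; compare it with a fresh export and watch the expiry.
    if ($ap.SigningCertificate.Thumbprint -ne $exported.Thumbprint) {
        $problems += "issuer holds $($ap.SigningCertificate.Thumbprint), export is $($exported.Thumbprint)"
    }
    if ($exported.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "token signing certificate expires $($exported.NotAfter)"
    }
    # 2. The signing certificate (or its issuing CA) must also be under Manage Trust
    #    (registered with New-SPTrustedRootAuthority) or chain validation fails.
    $roots = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
    if ($roots -notcontains $exported.Thumbprint) {
        $problems += "no Manage Trust entry for $($exported.Thumbprint)"
    }
    # 3. The realm SharePoint sends ADFS for this zone URL: the entry added with
    #    ProviderRealms.Add, or the issuer default when the URL has none.
    $uri   = New-Object System.Uri($ZoneUrl)
    $realm = if ($ap.ProviderRealms.ContainsKey($uri)) { $ap.ProviderRealms[$uri] } else { $ap.DefaultProviderRealm }
    # 4. The zone created with New-SPWebApplicationExtension must list the issuer as a provider
    #    (compared by display name).
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    if (-not (Get-SPAuthenticationProvider -WebApplication $wa -Zone $Zone |
              Where-Object { $_.DisplayName -eq $ap.DisplayName })) {
        $problems += "zone $Zone of $WebAppUrl does not use issuer $IssuerName"
    }
    New-Object PSObject -Property @{
        IdentifierClaim = $ap.IdentifierClaim
        ClaimMappings   = ($ap.ClaimTypeInformation | ForEach-Object { "$($_.DisplayName)=$($_.InputClaimType)" }) -join "; "
        Realm           = $realm
        Problems        = $problems
    }
}

Test-SPAdfsTrust | Format-List
```

Run it in the SharePoint 2013 Management Shell on a farm server after each token signing certificate rollover on the ADFS side; an empty Problems list means the trust matches the exported certificate.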

What is ADFS and how does the ADFS - SharePoint authentication process work?

Active Directory Federation Services is the solution for extending enterprise identity beyond the corporate firewall. It simplifies sharing identities between trusted partners across organizations. It's a common requirement in a typical business scenario: users in one organization want to access a secured application/website from another organization. Without ADFS, we'd end up re-creating user logins for the partner company in our AD. But that introduces the problem of maintaining and managing two separate identities for the partner company's users. This is where ADFS comes into the picture. It solves the problem by federating identities and establishing single sign-on capability. SharePoint 2013 - ADFS integration is seamless as it's natively supported.

Generally, in the SharePoint world, ADFS is used in these three scenarios:

     a. Domains which are not part of your AD forest (such as acquired companies without trusts established, but with network connectivity between them in place): a user in one organization accesses an application in another organization, so that you can collaborate across organizational boundaries without duplicating user logins. Say, for example, your company is running an internal SharePoint site/application and your partner company/acquired company wants to make use of the same.

     b. Extranet setups for partners/customers - accessing the SharePoint application via the Internet, which extends the first scenario to include remote Internet access for users who are outside the organization. The external domain is still responsible for validating the provided credentials and passing the result on to SharePoint.

     c. Office 365/Cloud - you are running a SharePoint farm either in the cloud or in Office 365 and want to provide access to the users of your company without re-creating their identities in the cloud.

How does the ADFS - SharePoint authentication process work?

   1. The user types the SharePoint site URL and picks the relevant authentication provider from the sign-in page.
   2. SharePoint redirects to the ADFS server configured for that provider, and the user is prompted for credentials.
   3. ADFS handles the authentication by verifying the provided user name and password against the identity provider, AD.
   4. ADFS creates a token, signs it and puts it in a cookie, then redirects back to SharePoint with that cookie.
   5. The SharePoint STS validates the token and extracts the claims from it.
   6. SharePoint performs authorization and connects the user to the web application.

Wednesday, 8 November 2017

How to get SharePoint Farm Content Inventory report using PowerShell Script

Today, in this article we are going to see how to get a SharePoint farm content inventory report using a PowerShell script.

This script is comprised of several functions that will collectively inventory content within a SharePoint 2007, 2010, or 2013 farm and generate CSV files that detail the web apps, site collections, webs, lists, and content types. The script will also output groups, unique permissions at various scopes, workflow associations, etc.

Note that the destination folder should not be your system drive and needs to have enough free space on the disk to accommodate the CSV files (I've seen some large environments generate 2GB of logs). Also, if you wish to clear prior logs, you can include the -ClearPriorLogs switch.

How to run the below PowerShell script

  1. Copy and paste the entire script into the 'SharePoint 2013 Management Shell'.
  2. Run this command: Run-FullInventory -LogFilePrefix "SP2013SP1_SPFarmInventoryReport" -DestinationFolder "C:\temp\InventoryReport"

Click here to download PowerShell Script


Friday, 3 November 2017

How to find out how many documents are in the document libraries on a particular SharePoint site

Today, in this article we are going to see how to find out how many documents are in your document libraries on a particular SharePoint site. You can use this script to point to a particular site, or even the root site, and get that information quickly and easily.

1. Download the script and save as Get-SPDocumentCount.ps1
2. Edit the file and change the PARAM section and change $RootSite to the root URL of your SharePoint site.
3. Edit $ReportPath to where you want the script to save your report and save the file.

** IMPORTANT **
Script must be run on your SharePoint server.


Script:

Param (
    [Parameter(Mandatory=$true)]
    [string]$Site,                                          # URL prefix of the site (or root site) to count
    [string]$RootSite = "https://test.portal/lobalcr/eam",  # root of the site collection to enumerate
    [string]$ReportPath = "c:\reports"                      # folder that receives SPListReport.csv
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

[Microsoft.SharePoint.SPSecurity]::RunWithElevatedPrivileges({
    # Every web under the root site whose URL starts with $Site
    $Webs = Get-SPWeb -Site $RootSite -Filter { $_.Template -like "*" } -Limit ALL | Where-Object { $_.URL -like "$Site*" }
    $Result = @()
    ForEach ($Web in $Webs)
    {
        ForEach ($List in $Web.Lists)
        {
            $Result += New-Object PSObject -Property @{
                'Library Title' = $List.Title
                Count           = $List.ItemCount   # count kept by the list; avoids loading every item
                'Site Title'    = $Web.Title
                URL             = $Web.URL
                'Library Type'  = $List.BaseType    # DocumentLibrary, GenericList, ...
            }
        }
        $Web.Dispose()
    }
    $Result | Select-Object 'Site Title',URL,'Library Type','Library Title',Count |
        Export-Csv "$ReportPath\SPListReport.csv" -NoTypeInformation
})

Thursday, 2 November 2017

How to add a user with full control rights on multiple SharePoint site collections from an imported .csv file using a PowerShell script

Today, in this article we are going to see how to add a user with full control rights on multiple SharePoint site collections from an imported .csv file using a PowerShell script.

1. Adding ADFS account users to site collection

[Microsoft.SharePoint.SPSecurity]::RunWithElevatedPrivileges({
# CSV with one "Site" column holding the site collection URLs
$csv = Import-Csv C:\SiteCollectionUrls.csv
# Encoded claim login of the ADFS user (i:05.t = trusted provider, e-mail identifier claim)
foreach ($site in $csv) { Set-SPUser -Identity 'i:05.t|adfs claims|user@email.com' -Web $site.Site -AddPermissionLevel "Full Control" }
})

2. Adding windows account users to site collection

[Microsoft.SharePoint.SPSecurity]::RunWithElevatedPrivileges({
$csv = Import-Csv C:\SiteCollectionUrls.csv
# Encoded claim login of the Windows user (i:0#.w = Windows account name)
foreach ($site in $csv) { Set-SPUser -Identity 'i:0#.w|domain\userid' -Web $site.Site -AddPermissionLevel "Contribute" }
})
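As an added example (not code from the original post), the function below does the same job as the two scripts above but generates the encoded login from the trusted identity token issuer or the Windows identity type instead of hand-typing the i:05.t|... and i:0#.w|... strings, and reports the outcome per site collection. It assumes a CSV with a "Site" column as above and the issuer name "ADFS Portal Claims" from the earlier post.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Grants a permission level on every site collection listed in a CSV with a "Site" column.
# The encoded login is generated rather than typed; the issuer name passed in is assumed.
function Grant-SPPermissionFromCsv {
    param (
        [Parameter(Mandatory=$true)][string]$CsvPath,
        [Parameter(Mandatory=$true)][string]$UserValue,   # user@email.com or DOMAIN\userid
        [string]$IssuerName,                              # omit for a Windows account
        [string]$PermissionLevel = "Read"
    )
    if ($IssuerName) {
        # The claim type character ('5' for e-mail, 'e' for UPN) comes from the issuer's
        # IdentifierClaim, so the login stays correct if the identifier claim is ever changed.
        $issuer  = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
        $encoded = (New-SPClaimsPrincipal -Identity $UserValue -TrustedIdentityTokenIssuer $issuer).ToEncodedString()
    } else {
        $encoded = (New-SPClaimsPrincipal -Identity $UserValue -IdentityType WindowsSamAccountName).ToEncodedString()
    }
    foreach ($row in Import-Csv -Path $CsvPath) {
        $site = $null; $status = "OK"
        try {
            $site = Get-SPSite -Identity $row.Site -ErrorAction Stop
            $web  = $site.RootWeb
            # Set-SPUser only modifies users already in the site; EnsureUser adds the login first.
            # For a trusted provider EnsureUser cannot check that the account exists in ADFS/AD,
            # so a mistyped e-mail would be granted the permission level: double-check $UserValue.
            $user = $web.EnsureUser($encoded)
            Set-SPUser -Identity $user -Web $web -AddPermissionLevel $PermissionLevel
        } catch {
            $status = "FAILED: $($_.Exception.Message)"
        } finally {
            if ($site) { $site.Dispose() }
        }
        New-Object PSObject -Property @{ Site = $row.Site; Login = $encoded; Level = $PermissionLevel; Status = $status }
    }
}

# Same two operations as the scripts above, with a result line per site collection
Grant-SPPermissionFromCsv -CsvPath "C:\SiteCollectionUrls.csv" -UserValue "user@email.com" -IssuerName "ADFS Portal Claims" -PermissionLevel "Full Control" | Format-Table
Grant-SPPermissionFromCsv -CsvPath "C:\SiteCollectionUrls.csv" -UserValue "domain\userid" -PermissionLevel "Contribute" | Format-Table
```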

Hope it helps you.