SharePoint Framework

SharePoint Framework and Microsoft Graph access – convenient but be VERY careful

SharePoint Framework (SPFx) is a fantastic development model on top of (modern) SharePoint, for user interface extensibility, and it has evolved tremendously over the last year since it became generally available. The framework is based on JavaScript extensibility in a controlled manner, compared to the older JavaScript injection mechanisms we used to extend (classic) SharePoint, that comes with a lot of power. Using SharePoint Framework our JavaScript has access to the whole DOM in the browser, meaning that we can do essentially what we want with the user interface – however, of course, we shouldn’t; only certain parts of the DOM are allowed/supported for modification. These areas are the custom client-side Web Parts we build (that squared box) or specific placeholders (currently only two of them; top and bottom). For me that’s fine (although there’s a need for some more placeholders), but if you want to destroy the UX it is all up to you.

SharePoint 2013

SharePoint 2013: How to refresh the Request Digest value in JavaScript

Introduction

SharePoint 2013 (and previous versions) uses a client-side “token” to validate posts back to SharePoint to prevent attacks where the user might be tricked into posting data back to the server. This token is known by many names: form digest, message digest or request digest. The token is unique to a user and a site and is only valid for a (configurable) limited time. When building Apps or customizations on top of SharePoint, especially using patterns such as Single Page Applications (SPA) or using frameworks such as knockout.js, it is very common to see errors because the token has been invalidated, which happens because you have not reloaded the page and the token has timed out. The purpose of this article is to show you how you can refresh this form digest using JavaScript.

WAC Server

Office Web Apps 2013: Securing your WAC farm

With this new wave of SharePoint, the Office Web Apps Server (WAC – I don’t like the OWA acronym, that’s something else in my opinion) is its own server product, implementing the WOPI client protocol, which allows a client to retrieve documents from SharePoint on behalf of the user. Documents will flow from the WOPI servers (SharePoint, Lync, Exchange etc.) to the Office Web Apps Server – this means that potentially confidential information will be transferred from the SharePoint environment and stored/cached on another server. This could result in unnecessary information leakage and compromise the enterprise security.

Security

Visual guide to Azure Access Controls Services authentication with SharePoint 2010 - Index Post

This post serves as an index for all the articles in the Visual guide to Azure Access Controls Services authentication with SharePoint 2010. This series is a set [not yet determined amount] of articles where I show you how to leverage the Azure Access Controls Services (ACS) in combination with SharePoint 2010 to make it easier for you to use identity providers such as Google ID, Windows Live ID, Facebook AuthN etc.

Security

Visual guide to Azure Access Controls Services authentication with SharePoint 2010 - part 4 - multiple web applications

Back with another promised post in the Visual guide to Azure Access Controls Services authentication with SharePoint 2010. This time I’m going to show you how to work with multiple web applications. We’re going to use the stuff we configured in part 1 (basic setup) and part 3 (Facebook setup), and hopefully we’re avoiding the problems discussed in part 2 (common problems).

Scenario

In this article I would like to show you how to use Azure ACS and SharePoint 2010 when we have multiple Web Applications in SharePoint. The sample will assume the same web application as used in the previous posts, but now with a dedicated My Site Host Web Application (called http://my). If we just enable the same Trusted Identity Provider to the “My” Web Application, the user will be redirected to the Azure ACS log in page, but when he/she is redirected back it will redirect back to the other web application (called http://sp2010 in the previous posts), because that’s the web application we configured in the Return URL in Azure ACS.

Security

Visual guide to Azure Access Control Services authentication with SharePoint 2010 - part 3 - Facebook

Welcome back to a third post in the Visual Guide to Azure Access Control Services authentication with SharePoint 2010. In the first part I showed you how to do the basic configuration of Azure ACS and SharePoint 2010 and log in using a Google Id. The second part discussed the most common problems I’ve seen so far. In this post we’ll continue extending the ACS Relying Party to support another Identity Provider - namely Facebook! Depending on what type of site/community you’re trying to build with your SharePoint 2010 site it might be of interest to use Facebook login (they have like a gazillion users or something). The Facebook AuthN parts are a bit different from the other OOB IPs in Azure ACS - but not complicated at all, so let’s get started…

Security

Visual guide to Azure Access Control Services authentication with SharePoint 2010 - part 2 - common problems

This is the second part of the Visual guide to Azure Access Control Services authentication with SharePoint 2010. I hope you’ve read part 1 which showed you how to configure SharePoint 2010 to use Windows Azure Access Control Services, ACS, as the federated Identity Provider, IP. In this post I’ll go through the most common errors that you might stumble upon (most likely due to the fact that you didn’t follow part 1 thoroughly). These errors are also applicable to other providers such as ADFS.

Security

Suddenly getting Access Denied on your SharePoint 2010 User Profile Sync

Last week I stumbled upon a really interesting new and shiny User Profile Synchronization issue - one of these things that just make your day! We had to manually initialize a full synchronization, after doing some updates to one of the user profile properties, and the user profile synchronization just would not start… Everything looked fine (on the surface) and we tried the incremental sync, which also looked like it was starting but nothing happened. The sync service was up and running and the FIM services were started, but the MIISClient showed no activity. We took a look at the timer jobs, which are responsible for kicking off the synchronizations, and saw that they all failed with the error message Access Denied.

SharePoint

Fix the SharePoint DCOM 10016 error on Windows Server 2008 R2

If you have been installing SharePoint you have probably also seen and fixed the DCOM 10016 error. This error occurs in the event log when the SharePoint service accounts don’t have the necessary permissions (Local Activation to the IIS WAMREG admin service). Your farm will still function, but your event log will be cluttered. On a Windows Server 2003 or Windows Server 2008 machine you would just fire up the dcomcnfg utility (with elevated privileges) and enable Local Activation for your domain account.

Security

In defense of User Account Control

Everybody has something to say about Windows Vista, good and bad. Most often I hear complaints, especially about the User Account Control. Today the Swedish IDG website had an article about the 10 most annoying things with Vista and how to solve them, and of course one of them was about the poor UAC. I must say, and I have been using Vista since before RTM, that I only found the UAC annoying during the first few days, when installing the machine. Since then I barely notice it – and if I do, I know why and I can feel safer using my machine.

SharePoint

SharePoint, Vista and Office 2007 security problems solved

For the last year I have had really annoying security troubles when working with documents in SharePoint (2003 or 2007, WSS or MOSS) on my Windows Vista machine with Office 2007. Every time I have opened up a document for editing the Office applications have asked me to log in to access the document. I have been able to press Cancel three times, but then the document is opened up in read-only mode. The problem has not occurred on any Windows XP installations. I have seen this problem on several computers with Vista. There have been several reported workarounds, of which none has worked for me.

Microsoft

What is the Digital Locker?

When using BitLocker or encrypting your file system with EFS on Windows Vista, you will be using certificates and/or passwords. If these certificates or passwords are lost, it is very likely that you will lose the information and data on the disks that are protected. The certificates can of course be backed up on removable media or similar. But storing this kind of crucial information in a remote location is of course the best way and you should do that. You can store it in any kind of web storage such as SkyDrive, but the best way is to use a service called the Digital Locker by Microsoft.

Security

Removing cached NTLM passwords in Internet Explorer

I recently ran into a problem where I had by mistake checked the Remember password checkbox in Internet Explorer 7 (RC) when visiting an NTLM-based website, and then I wanted to go back to using my currently logged-on user to access this website. There is no way to clear these usernames and passwords using the standard ways in Internet Explorer. First of all I tried to turn off the Automatic logon only in Intranet Zone and entering a new but faulty password for the user and checking the remember password checkbox. This cleared the old password, but after resetting the automatic logon Internet Explorer always asked for my password for that site, and I didn’t want to enter my current logon information and save the password (this would only ask me for a new password whenever I change it).

Security

Never set Windows Update to automatic!

Yesterday I wrote about our new server, which is now up and running nicely hosting a number of Virtual Servers. This morning none of them was up and a few sites and applications were down. This was because the server had Windows Update set to Automatic, which is recommended by the OS, and that had led to the server rebooting. I’ve seen it before so this time I found the resolution quickly, but the last time it caused me a headache!

Business

Internet Explorer Anti-Phishing feature

I have been using Microsoft Internet Explorer 7 beta for a while and I have noticed that some sites are reported as suspicious phishing websites. The address bar turns yellow and a big popup informs you about it. A few days ago the popup appeared on one of my blog entries. The popup includes a link to a site in which you may inform Microsoft that you are the owner of the site and the site is not a phishing site. I gave it a try and reported the site not to be a phishing site and that I am the owner. Within 24 hours I received a response from Microsoft that they had reviewed my request and a few hours later the warning was gone. Phew! I think it all worked very smoothly and I think it is a great feature of IE7. If you would like more information on the IE anti-phishing filter, read about it here.