Internet Facing SharePoint 2010 Site with Windows Live ID–Part 1

In this series of posts I will talk about how to allow Windows Live users to log in to an internet-facing SharePoint 2010 site. Most of the information can be found online, but I am collecting it here as a series so that whoever wants to implement the integration can find it easily.

This first part of the series covers how to register the site with Windows Live ID and configure it to use Windows Live ID as an authentication provider.

Registering with Windows Live ID

To use Windows Live ID authentication, the site must first be registered using the Microsoft Service Manager web application at http://msm.live.com. The steps below register the website for Windows Live ID authentication.

1. In your browser, browse to http://msm.live.com.

2. Log in to the website using an already registered Windows Live ID. This Windows Live ID will be the main ID used to manage the Windows Live ID registration.

3. In the left menu, click Register Your Site.

4. A page will open where you need to enter the name of the site and the DNS Name.

5. Choose Windows Live ID.

6. Click Submit.

7. On the confirmation page, click Yes.

8. A screen confirming the registration will appear.

9. Click the Go to Manage your Site link.

10. In the drop-down list, select the site that was just registered and then click Modify Editable Site Properties.

11. On the next screen, check the Show advanced properties check box to enable more options.

12. Enter the values in the fields that appear on the screen (replace the values below with your own domain):
Domain Name: contoso.com
DNS Name: urn:contososharepoint:int
Default Return URL: https://contoso.com/_trust/default.aspx
Expire Cookie URL: https://contoso.com/wlid/expirecookie.aspx

13. Scroll down until you see Override Authentication Policy. Select MBI_FED_SSL from the drop-down.

14. Scroll back to the top of the page and click the Submit button.

15. On the next screen, note down all the information shown, and then click the Yes button.


Certificates

Claims-based authentication uses certificates for signing and encryption, so the identity provider (IP) certificate must be trusted on the SharePoint servers. The following steps must be done on all WFEs in the farm.

1. To get the IP certificate, browse to the federation metadata URL:
https://nexus.passport-int.com/federationmetadata2/2007-06/federationmetadata.xml

2. Select and copy the text from the first X509Certificate node.

3. Make sure to select only the inner text, excluding the <X509Certificate></X509Certificate> tags.

4. Open Notepad, paste the text and save the file as LiveID-INT.cer. We now have the certificate in a file and need to import it into the correct locations on the SharePoint servers.

5. On the WFE server, press Windows Key + R, type mmc.exe and press Enter to open the management console.

6. Add the Certificates snap-in to the console. When prompted, choose Computer account and then Local computer.

7. Expand the tree until you reach SharePoint > Certificates. Right-click the node and select All Tasks > Import...

8. In the import wizard, locate the LiveID-INT.cer file we just created and then click Next > Next > Finish.

9. Repeat the same procedure to import the certificate into the Trusted Root Certification Authorities and Trusted People stores.

10. These procedures should be done on all WFE servers.
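The whole Certificates section can be scripted so it is done identically on every WFE. This is an added example, not code from the original post; it assumes the metadata URL and file name used above, runs in an elevated PowerShell 2.0 session on the WFE, and uses the internal store names (Root is the Trusted Root Certification Authorities store).

```powershell
# Added example (not from the original post): fetch the Live ID INT federation
# metadata, extract the first X509Certificate element, save it as LiveID-INT.cer
# and import it into the three LocalMachine stores named in the post.
$metadataUrl = 'https://nexus.passport-int.com/federationmetadata2/2007-06/federationmetadata.xml'
$cerPath     = 'C:\Temp\LiveID-INT.cer'

# Download to a temp file and load it as XML (WebClient works on PowerShell 2.0
# and XmlDocument.Load copes with a byte-order mark, unlike a [xml] cast of a string).
$tmpXml = Join-Path $env:TEMP 'federationmetadata.xml'
$client = New-Object System.Net.WebClient
$client.DownloadFile($metadataUrl, $tmpXml)
$metadata = New-Object System.Xml.XmlDocument
$metadata.Load($tmpXml)

# First X509Certificate element regardless of namespace: the node the post says to copy.
$node = $metadata.SelectSingleNode("//*[local-name()='X509Certificate']")
if ($node -eq $null) { throw "No X509Certificate element found in $metadataUrl" }
$base64 = $node.InnerText -replace '\s', ''

# Write a Base64 .cer with PEM headers, 64 characters per line.
$lines = @()
for ($i = 0; $i -lt $base64.Length; $i += 64) {
    $lines += $base64.Substring($i, [Math]::Min(64, $base64.Length - $i))
}
$null = New-Item -ItemType Directory -Path (Split-Path $cerPath) -Force
$pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
Set-Content -Path $cerPath -Value $pem -Encoding ASCII

# Load it back and show what is about to be trusted before importing it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"

# Import into SharePoint, Trusted Root Certification Authorities and Trusted People.
foreach ($storeName in 'SharePoint', 'Root', 'TrustedPeople') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $storeName, 'LocalMachine'
    $store.Open('ReadWrite')
    if ($store.Certificates.Contains($cert)) {
        "Already present in LocalMachine\$storeName"
    } else {
        $store.Add($cert)
        "Imported into LocalMachine\$storeName"
    }
    $store.Close()
}
```

The thumbprint printed here is the one to expect under Central Administration > Security > Manage Trust after the next section. Run the script on every WFE, and again whenever Live ID rotates its signing certificate, because tokens signed with a key the farm does not trust are rejected.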

 

Create the STS Provider in SharePoint 2010

We need to create a Trusted Identity Token Issuer in SharePoint which will be configured to be used as the login provider for our Web Application.

1. On one of the SharePoint servers, open a PowerShell console.

2. Execute the PowerShell script below.

# Load the SharePoint snap-in so the SP* cmdlets are available
asnp Microsoft.SharePoint.PowerShell
# Realm: the DNS Name entered in Microsoft Service Manager
$realm = "urn:contososharepoint:int"
# Certificate file created in the Certificates section
$certfile = "C:\Temp\LiveID-INT.cer"
$rootcert = Get-PfxCertificate $certfile
# Trust the Live ID INT signing certificate in the farm
New-SPTrustedRootAuthority "Live ID INT Root Authority" -Certificate $rootcert
# Pass the incoming e-mail address claim through unchanged
$emailclaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming
# Map the incoming nameidentifier claim to the local UPN claim type
$upnclaim = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
# Create the trusted identity token issuer; nameidentifier is the claim that identifies the user
$authp = New-SPTrustedIdentityTokenIssuer -Name "LiveID INT" -Description "LiveID INT" -Realm $realm -ImportTrustCertificate $rootcert -ClaimsMappings $emailclaim,$upnclaim -SignInUrl "https://login.live-int.com/login.srf" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

3. After running the script, verify that the script executed correctly by going to Central Administration > Security > Manage Trust.
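The same check can be done from PowerShell, which also catches the mistakes that Manage Trust does not show at a glance (a realm that does not match the registered DNS Name, or a signing certificate that differs from the trusted root). This is an added example, not part of the original post; it assumes the names, realm and sign-in URL used in the script above.

```powershell
# Added example (not from the original post): verify the trust created by the
# script above. Assumes the names "LiveID INT" and "Live ID INT Root Authority".
asnp Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$expectedRealm   = 'urn:contososharepoint:int'
$expectedSignIn  = 'https://login.live-int.com/login.srf'
$expectedIdClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity 'LiveID INT'
$root   = Get-SPTrustedRootAuthority -Identity 'Live ID INT Root Authority'

$problems = @()
# The issuer must sign with the same certificate that was trusted as a root authority.
if ($issuer.SigningCertificate.Thumbprint -ne $root.Certificate.Thumbprint) {
    $problems += 'Signing certificate differs from the trusted root authority certificate'
}
# The realm must be the DNS Name registered in Microsoft Service Manager,
# otherwise Live ID will not issue tokens for this site.
if ($issuer.DefaultProviderRealm -ne $expectedRealm) {
    $problems += "Realm is '$($issuer.DefaultProviderRealm)', expected '$expectedRealm'"
}
if ($issuer.ProviderUri.AbsoluteUri -ne $expectedSignIn) {
    $problems += "Sign-in URL is '$($issuer.ProviderUri)', expected '$expectedSignIn'"
}
# nameidentifier must be the identity claim, as passed to -IdentifierClaim.
if ($issuer.IdentityClaimTypeInformation.InputClaimType -ne $expectedIdClaim) {
    $problems += 'Identity claim is not the nameidentifier claim'
}
# Warn early if the Live ID signing certificate is close to expiry.
if ($issuer.SigningCertificate.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Signing certificate expires on $($issuer.SigningCertificate.NotAfter)"
}

# Show the claim mappings so the e-mail and UPN mappings can be eyeballed.
$issuer.ClaimTypeInformation | Format-Table InputClaimType, MappedClaimType, DisplayName -AutoSize
if ($problems.Count -eq 0) { 'Trusted identity token issuer looks correct' } else { $problems }
```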


Create the Web Application

1. From Central Administration, go to Application Management > Manage Web Applications.

2. Click Create a new Web Application.

3. On the Create New Web Application page, choose Claims Based Authentication from the Authentication providers list.

4. Choose Create a new IIS web site. Use the following values to fill in the IIS Web Site fields (replace them with values that correspond to your website):
Name: Contoso Public Portal
Port: 443
Host Header: contoso.com

5. Under Security Configuration, select Yes under Use Secure Sockets Layer (SSL).

6. Under Claims Authentication Types, check the Trusted Identity provider check box.

7. Check the LiveID INT check box in the list.

8. Click the Create Web Application button.

After following the above steps, your web application will be ready to authenticate against Windows Live ID.
