Installing AD FS Windows Token Based Web Agents with Microsoft Office SharePoint Server 2007

References: http://blogs.technet.com/b/adfs/archive/2008/05/13/using-adfs-with-constrained-delegation.aspx

When using the Windows Token-Based Web Agent for AD FS, the server hosting SharePoint must be able to delegate a user's account to any line-of-business (LOB) database when BDC web parts are used. Without the following steps, the user will be able to authenticate to SharePoint, but any BDC web parts that talk to another server will fail. The failure can be seen in the ULS logs under the Business Data category and should indicate that the logon to the LOB system was attempted with an anonymous account.

Note: These steps assume that SharePoint has already been installed and configured.

Prerequisites

·   A SharePoint web application that is set up to use Windows Authentication and Kerberos

·   An Active Directory domain account to be used for the AD FS Web Agent Authentication Service that will be installed on the SharePoint web front-end servers

·   An Active Directory domain account that is used as the application pool account for the SharePoint web application that is set to use Kerberos (if this already exists, skip this item)

·   Two SPNs for the Active Directory account running Microsoft SQL Server

    o   MSSQLSvc/fqdn.of.sqlserver:1433

    o   MSSQLSvc/shortnameofsqlserver:1433

Setup accounts needed

1.  Log onto a domain controller in the environment.

2.  If the account that is running Microsoft SQL Server already has SPNs set for MSSQLSvc, skip to step 4.

3.  Open an elevated command prompt and type the following:

    a.  Setspn -a MSSQLSvc/fqdn.of.sqlserver:1433 domain\sqlaccount

    b.  Setspn -a MSSQLSvc/shortnameofsqlserver:1433 domain\sqlaccount

4.  Create an Active Directory domain user to run the AD FS Web Agent Authentication Service. This account does not need to be a member of any group except Domain Users.

5.  Open an elevated command prompt and type the following:

    a.  Setspn -a HTTP/test domain\accountforadfsservice (this is only done so that the Delegation tab appears for the account; the tab is shown only for accounts that have at least one SPN)

    b.  Make sure that Advanced Features is checked inside Active Directory Users and Computers

    c.  Right click on the AD FS service user account and select Properties.

    d.  Locate and click on the Delegation tab.

    e.  Click the radio button for Trust user for specified services only.

    f.  Click the radio button for Use any authentication protocol.

    g.  Click the Add button

    h.  Click the Users or Computers button

    i.  Enter the account running the SQL Server service that SharePoint uses

    j.  Select MSSQLSvc/fqdn.of.sqlserver:1433

    k.  Click the OK button.

    l.  Click OK to close the user account properties.

6.  If the SharePoint web application is already configured to use Kerberos, skip to step 9.

7.  Open an elevated command prompt and type the following:

    a.  Setspn -a HTTP/<fully qualified SharePoint URL> domain\<account used for web application pool> (e.g. setspn -a HTTP/sp.microsoft.mil ms\mossapppool)

8.  Open up Active Directory Users and Computers

    a.  Make sure that Advanced Features is checked inside Active Directory Users and Computers

    b.  Right click on the application pool account and select Properties.

    c.  Locate and click on the Delegation tab.

    d.  Click the radio button for Trust user for specified services only.

    e.  Click the radio button for Use any authentication protocol.

    f.  Click the Add button

    g.  Click the Users or Computers button

    h.  Enter the account used to run the application pool (e.g. mossapppool)

    i.  Select HTTP/<fully qualified SharePoint URL>

    j.  Click the OK button.

    k.  Click the Add button

    l.  Click the Users or Computers button

    m.  Enter the account running the SQL Server service that SharePoint uses

    n.  Select MSSQLSvc/fqdn.of.sqlserver:1433

    o.  Click the OK button.

    p.  Click OK to close the user account properties.

    q.  Do not perform step 9.

9.  On the domain controller, open up Active Directory Users and Computers

    a.  Right click on the application pool account and select Properties.

    b.  Locate and click on the Delegation tab.

    c.  Click the Add button

    d.  Click the Users or Computers button

    e.  Enter the account running the SQL Server service that SharePoint uses

    f.  Select MSSQLSvc/fqdn.of.sqlserver:1433

    g.  Click the OK button.

    h.  Click OK to close the user account properties.
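The SPN registration and delegation settings in steps 1 through 9 can be applied and, more importantly, audited from PowerShell instead of the Delegation tab. The script below is an added example written for this page; it is not from the referenced article or from Microsoft. All account names and host names in it are placeholders, and it assumes the ActiveDirectory RSAT module is available on the domain controller. The "Use any authentication protocol" radio button sets the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition), which lets the service obtain Kerberos tickets on behalf of any user without that user's credentials, so the audit at the end confirms that each account's msDS-AllowedToDelegateTo list contains only the SPNs the steps call for and that unconstrained delegation is never enabled. It uses setspn -S rather than the article's setspn -a because -S refuses to register a duplicate SPN; duplicate SPNs break Kerberos and cause a silent fallback to NTLM, which surfaces as the anonymous LOB logon described at the top of the page.

```powershell
# Added example, not from the original article. Placeholder names; replace with your own.
# Requires the ActiveDirectory module (RSAT) and rights to modify the accounts.
Import-Module ActiveDirectory

$SqlAccount     = 'DOMAIN\sqlaccount'        # account running the SQL Server service
$SqlFqdn        = 'sql01.corp.example'       # placeholder FQDN of the SQL Server
$SqlShort       = 'sql01'                    # placeholder short name of the SQL Server
$AdfsSvcAccount = 'DOMAIN\adfswebagentsvc'   # AD FS Web Agent Authentication Service account
$AppPoolAccount = 'DOMAIN\mossapppool'       # SharePoint web application pool account
$SharePointUrl  = 'sp.corp.example'          # placeholder FQDN of the SharePoint site

# ${var}: is needed because "$var:1433" would be parsed as a scope qualifier.
$SqlSpns = @("MSSQLSvc/${SqlFqdn}:1433", "MSSQLSvc/${SqlShort}:1433")

function Register-Spn {
    param([string]$Spn, [string]$Account)
    # setspn -S checks the forest for an existing copy of the SPN before adding it.
    & setspn.exe -S $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for $Spn on $Account (exit $LASTEXITCODE)" }
}

function Set-ConstrainedDelegation {
    param([string]$Account, [string[]]$TargetSpns)
    $sam = $Account.Split('\')[-1]
    # Delegation tab: "Trust this user for delegation to specified services only"
    # is the msDS-AllowedToDelegateTo list; "Use any authentication protocol" is the
    # TRUSTED_TO_AUTH_FOR_DELEGATION flag. -Replace makes the list exactly $TargetSpns.
    Set-ADUser -Identity $sam -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }
    Set-ADAccountControl -Identity $sam -TrustedToAuthForDelegation $true
}

function Get-DelegationReport {
    param([string[]]$Accounts)
    foreach ($acct in $Accounts) {
        $sam = $acct.Split('\')[-1]
        $u = Get-ADUser -Identity $sam -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl
        [pscustomobject]@{
            Account            = $acct
            SPNs               = @($u.servicePrincipalName)
            DelegateTo         = @($u.'msDS-AllowedToDelegateTo')
            # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION ("Use any authentication protocol")
            ProtocolTransition = [bool]($u.userAccountControl -band 0x1000000)
            # 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained); this must always be False
            Unconstrained      = [bool]($u.userAccountControl -band 0x80000)
        }
    }
}

# Steps 3a and 3b: SPNs for the SQL Server service account
foreach ($spn in $SqlSpns) { Register-Spn -Spn $spn -Account $SqlAccount }

# Step 5a: any SPN so the Delegation tab appears; steps 5e-5l: delegate only to SQL
Register-Spn -Spn 'HTTP/test' -Account $AdfsSvcAccount
Set-ConstrainedDelegation -Account $AdfsSvcAccount -TargetSpns @("MSSQLSvc/${SqlFqdn}:1433")

# Step 7a: web application SPN; steps 8d-8p: delegate to the site's HTTP SPN and to SQL
Register-Spn -Spn "HTTP/$SharePointUrl" -Account $AppPoolAccount
Set-ConstrainedDelegation -Account $AppPoolAccount -TargetSpns @("HTTP/$SharePointUrl", "MSSQLSvc/${SqlFqdn}:1433")

# Audit: each account should list exactly the SPNs above, with Unconstrained = False.
Get-DelegationReport -Accounts $AdfsSvcAccount, $AppPoolAccount | Format-List
```

The report section is worth keeping as a standalone check: run Get-DelegationReport periodically and alert if DelegateTo grows beyond the SPNs these steps require or if Unconstrained ever becomes True for either account.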

Install and Configure AD FS Web Agents for Windows Server 2008 R2

1.  Open up Server Manager on the server that hosts SharePoint

2.  Click on Roles on the left hand side.

3.  Underneath Roles Summary, click Add Roles

4.  Click Next

5.  Select the Active Directory Federation Services checkbox.

6.  Click Next and Next again.

7.  Choose Windows Token-based Agent and select Next.

8.  Enter the FQDN of the federation server in the environment.

9.  Click Install.

10. Once the installation has completed, open up IIS Manager.

11. Expand Sites and locate the SharePoint web application web site.

12. Click on this web site and double click on the Authentication icon on the right side of the screen.

13. Right click on AD FS Windows Token-Based Agent and select Enable.

14. Once enabled, right click on AD FS Windows Token-Based Agent and choose Edit

15. Enter the Return URL to match the URL of the SharePoint site and leave the other settings as they are.

16. Click OK.

User right assignments on the SharePoint server

1.  Log onto the server that is running Microsoft Office SharePoint Server

2.  Go to Start | Administrative Tools | Local Security Policy

3.  Expand Local Policies

4.  Expand User Rights Assignment

5.  Add the application pool account to the following rights:

    a.  Log on as a service (should already be set)

    b.  Generate security audit events

6.  Add the AD FS Web Agent service account to the following rights:

    a.  Act as part of the operating system

    b.  Log on as a service

    c.  Generate security audit events

7.  Add the account created for the AD FS Web Agent Authentication Service to the local Administrators group.

8.  Add the account created for the AD FS Web Agent Authentication Service and the application pool account to the IIS_IUSRS group.
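Because "Act as part of the operating system" (SeTcbPrivilege) is the most powerful user right on the box, it is worth being able to prove from a script, rather than by clicking through Local Security Policy, which accounts hold it and the other rights assigned in steps 5 and 6. The following is an added example written for this page, not code from the referenced article or from Microsoft. It exports the local policy with secedit, parses the [Privilege Rights] section, resolves the placeholder account names to SIDs, and reports whether each expected right is granted. The account names are assumptions; run it in an elevated PowerShell session on the SharePoint server.

```powershell
# Added example, not from the original article. Placeholder account names; replace them.
$AppPoolAccount = 'DOMAIN\mossapppool'       # placeholder: SharePoint application pool account
$AdfsSvcAccount = 'DOMAIN\adfswebagentsvc'   # placeholder: AD FS Web Agent Authentication Service account

# Privilege constants as they appear in the secedit export, with the Local Security
# Policy display names from steps 5 and 6.
$Expected = @{
    $AppPoolAccount = @('SeServiceLogonRight',  # Log on as a service
                        'SeAuditPrivilege')     # Generate security audits
    $AdfsSvcAccount = @('SeTcbPrivilege',       # Act as part of the operating system
                        'SeServiceLogonRight',
                        'SeAuditPrivilege')
}

function Get-AccountSid([string]$Account) {
    # Translate DOMAIN\name to its SID; the export lists SIDs, not names, for domain accounts.
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRightsAssignments {
    # secedit writes an .inf file whose [Privilege Rights] section has lines such as
    #   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
    # Entries prefixed with * are SIDs; unprefixed entries are account names.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
                $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
            }
        }
        return $rights
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-ExpectedRights {
    param([hashtable]$Expected, [hashtable]$Rights)
    foreach ($account in $Expected.Keys) {
        $sid = Get-AccountSid $account
        foreach ($priv in $Expected[$account]) {
            $holders = @($Rights[$priv])
            [pscustomobject]@{
                Account = $account
                Right   = $priv
                Granted = ($holders -contains $sid) -or ($holders -contains $account)
                # Every holder of the right, so unexpected accounts on SeTcbPrivilege stand out
                Holders = ($holders -join ',')
            }
        }
    }
}

$results = Test-ExpectedRights -Expected $Expected -Rights (Get-UserRightsAssignments)
$results | Format-Table -AutoSize
# Non-zero exit if any expected right is missing, so the check can gate a deployment.
if ($results | Where-Object { -not $_.Granted }) { exit 1 }
```

The Holders column is the defensive half of the check: for SeTcbPrivilege it should list only the AD FS Web Agent service account. The local group memberships from steps 7 and 8 are not part of the secedit export and need to be verified separately.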

Configuring ADFS Web Agent Authentication Service

1.  Click Start | Administrative Tools | Services

2.  Locate the AD FS Web Agent Authentication Service

3.  Right click on the service and select Properties

4.  Click the Log On tab

5.  Enter the domain\username of the account created for the AD FS Web Agent Authentication Service.

6.  Enter the password for the account and click OK.

7.  Restart the service and open up the Event Viewer

8.  Click on the Application log and verify that there is an Information level event for the AD FS Web Agent Authentication Service stating that it has successfully retrieved information from the AD FS server.

Update Images Web.config file for SharePoint

1.  Log onto the server running SharePoint.

2.  Open IIS Manager from Start | Administrative Tools | Internet Information Services (IIS) Manager.

3.  Expand Sites and expand the web site for the SharePoint web application

4.  Expand the Layouts folder and click on Images

5.  Double click the Authentication icon on the right.

6.  Right click on AD FS Windows Token-Based Agent and choose Disable.

7.  Restart IIS to commit the authentication changes.