Forms Based Authentication with External ADDS

Hello SharePoint Administrators!

Tired of Searching for Form-based Authentication (FBA) with external ADDS? Look no further!

As a SharePoint Administrator, you are likely to face a lot of issues while configuring FBA. You might get a lot of information over the internet for configuring and troubleshooting the FBA with SQL as well as ADFS, but you are unlikely to gather any information about External ADDS. Considering all the hardships that I faced during my project, I thought of sharing my knowledge about FBA with external ADDS.

Before we proceed any further, let’s quickly recap what FBA is and when can it be used.

FBA in SharePoint

Form Based Authentication (FBA) provides us a mechanism to use our own authentication method using a web form. A large number of organizations use FBA as a way of extending a site for non-Active Directory (AD) users.

FBA is a claims-based identity management system based on ASP.NET membership and role provider authentication. It can be used in different scenarios where credentials are stored in an authentication provider, such as:

• Active Directory Domain Service (ADDS)
• SQL Server database
• Lightweight Directory Access Protocol (LDAP)
• Data store such as Novell eDirectory
• Novell Directory Services (NDS), or Sun ONE

How I Conquered My Rome

In my case, the SharePoint site was supposed to be accessible for both internal as well as external users. External users were not supposed to have access to any internal resource and could access the site only through custom login procedure.

Here’s how I implemented it:

• We had an External AD (Domain B) and an internal AD (Domain A).
• The internal domain users were using Windows Authentication. For External domain users, we needed to configure Form Based Authentication.
• As external users would have access to the Internal farm Extended Web application only (no other resources should be available), SQL with FBA was not appropriate for the above requirement.

Farm Design

• Two Zones (Default, Internet)
• Default Zone – Windows Authentication Internal ADDS
• Internet Zone – FBA with External ADDS.
• 3-tier Architecture.

Figure: Farm Design

Farm Components

• Application Server/Internal web front end (WFE) server
  
  Role: Acts as an application server to run and manage multiple service applications. In the current farm structure, Application Server was also configured as internal Web Front End.
• External web front end server
  
  Role: Handles web page requests from External users.
• SQL Server
  Role: Stores content and configuration databases for all the sites and service application.
• Internal ADDS(Domain A)
  
  Role: Active Directory for the internal users.
• External ADDS(Domain B)
  
  Role: Active Directory for the External users.

As you can see in the above diagram, all the farm components except External ADDS were in Domain A which was created on Internal ADDS.

Now we needed to configure the Web application for FBA authentication.

• Using Central Administration, we created a web application with windows authentication enabled in default zone.
• As the next step, I needed to extend the web application to the internet zone. Once the Web application was extended, I then needed to change the authentication provider for the Internet Zone from Windows to Forms Based Authentication.

Since the site was ready for external users, we proceeded with the FBA configuration!

Configuration of the FBA

Enable FBA from Central Administration

As the first step, I enabled the FBA through the following 5-step process:

• Go to central administration and select your application
• Click on Authentication link, you will see two zones: Default and Internet
• In order to enable FBA, click on Internet zone and click the checkbox next to it
• Once the FBA is enabled, you need to add the membership Provider name and Role manager name as shown in the following figure

I have used MembershipP for membership provider and RolesP for roles provider. You can provide the names as per your choice.

Note*: Please make a note of the provider names given by you as we would be using these names in the Connection string for external ADDS.

Figure: Farm Design

Great! You have successfully enabled FBA on the internet zone! Now you need to check the accessibility of Domain B from External WFE.

To check this,

1. Go to the external WFE and open the command prompt
2. Try to ping the external ADDS
3. If you get a reply from Domain B, you are just a few steps away from completing the configuration!

Note*: In this configuration, we are going to make some changes in the web.config file of our web application on Application server and Web front end server.

A recommended practice is to take a backup of the original web.config file before making any changes in it so that they can be reverted, if needed.

Changes to Web.config File on the WFE Server

Follow the steps listed below to make changes in the web.config file on the WFE Server. You need to be very careful with the following changes, as even a single comma or space in the web.config can create problems.

Step 1

• On Web Front End Server, Open IIS site - > Right Click on the extended Web application and Click on Explore
• Open the web.config file of our web application and search for <membership> tag
• Add membership provider and role manager connection strings as shown below:

• Now, search the PeoplePickerWildCards tag and add the below entry so that People Picker is able to find other domain users

• Save and close the web.config file

Step 2

• Open the web.config file of Security Token Service application
• Add membership provider and roles manager connection string as shown below:

Done! We have completed the web.config changes on WFE Server.

Changes to Web.config File on Application Server

Follow the steps listed below to make changes in web.config file on Application Server.

• Go to application server and open the web.config file of Central Administration application
• Add membership provider and roles manager in the web.config file

• Now, search the <PeoplePickerWildCards> tag and add the entry as shown below:

Note : The provider’s connection string should match as shown in the image above

The configurations are now complete.

Now cross your fingers and start the testing ☺

Testing

• Go to the WFE server and browse your web application
• For multiple authentication, a dropdown is displayed to select the authentication type for login as shown below:

• Select Forms authentication and enter Domain B user’s credentials

You might get a message that the Site is not shared with you, which means that the Domain B\user has been successfully authenticated but the user does not have the permissions to access the site.

In this case, the Site Administrator can add the external users (Domain B\user) to the site by using Central Administration.

• Go to Central Administration and select your web application
• Click on User Policy from the top ribbon and Add the Users

And…we are done! I hope next time you need FBA, you won’t need to tear out your hair in despair! ☺



Written by Shrikant Mane,  SharePoint Champion at Eternus Solutions

Read More »

What Nobody Tells You About Outsourcing

“We have outsourced before and did not like the quality of the deliverables, hence we will no longer outsource!”

“Any outsourced work item almost takes twice the number of hours otherwise taken by my in-house team. Cost-effective Outsourcing is a myth.”

These are common statements I hear when I initiate a conversation with my overseas prospects. Over the years, I have realized that there are a lot of myths about Outsourcing. A lot of people who could otherwise benefit a great deal from outsourcing refrain from it, only because of a lack of knowledge around outsourcing.

Outsourcing is a piece of Cake!

Suppose you went to a bakery and bought a chocolate cake which did not quite turn out to taste like you expected it to. Would you stop buying cake altogether or would you search for a different bakery?

Often, companies refrain from outsourcing because of a past bad experience with their service provider. Well, outsourcing is a tad different from a cake and one bad experience doesn’t make outsourcing a taboo!

Having said that, I wouldn’t agree with those either, who say everyone should outsource. So the pertinent question is…

Who should outsource?

Let’s go back to my example. You have to throw a birthday party, make arrangements for guests, put the decorations on, buy gifts… you know the routine. Now with so many things going on, you obviously won’t have the time to bake a cake or even if you do plan on baking it yourself, you would have to hunt for the right ingredients to go in it. Solution? Voila! A Bakery! Not only do you get the options in the flavours and sizes but also you save a lot of time, energy and money by just buying the cake off a bakery.

Similarly, companies who are in a completely different business line, cannot look to hire resources for their IT needs and then keep them on bench. That would not only cost them a lot but their focus would waver time and again to manage the operational cost of those needs. Whereas, in an outsource/offshore company, one can find a pool of resources having expertise on various technologies. Talk about going to a one-stop shop to get all your needs sorted! Doesn’t that sound wonderful?

When should IT Companies outsource?

I explained who should ideally outsource their work. But that does not imply that IT companies themselves cannot outsource to get the work done. I am sure most of us have faced at least one of the following situations:

• When you don't have a particular skill required to get the job done:
  How many times have we faced this? I bet a lot! Sometimes a project comes in with requirements that fit your expertise, except for maybe one teeny tiny part that is out of your expertise and therefore you are forced to let go of that project with a heavy heart.
• When projects are coming in but you are understaffed:
  Similar to the previous situation, if you don’t have the resources to work, you again end up letting go of the project. Doesn’t situations like these make you wish you had more resources or skills sets available on hand? Of course it does, BUT let’s not forget, YOU would be the one paying for the infrastructure and salary cost for them, and if they are on bench, well, you are staring at huge overheads.
  
  Often business owners face a situation where they are at crossroads to decide whether to hire a new resource or outsource. Because humans are hard wired to play it safe, most of us would go with the former option and hire someone. And as I quote Mark Zuckerberg “The biggest risk is not taking any risk. In a world that’s changing really quickly, the only strategy that’s guaranteed to fail is not taking risks”, the ball is in your court!

Why should you Outsource?

IT or non-IT, all organizations are set to reap some serious benefits if they choose to outsource.

• Focus on Your Core Business: Once you have a trusted, dedicated outsourcing team managing your IT needs, all you need to do is to get a daily or a weekly update from them. This would ensure you spend your time and energy focussing on your core business, therefore positively impacting your top line.
  
• Technology Expertise: Thanks to the rapid speed with which technology keeps changing, in-house expertise is often insufficient for your growing and ever-changing needs. A good outsourcing vendor will always have expertise in Cross platform integrations, expertise on diverse frameworks and APIs, ensuring your needs are fulfilled.
  
• Business Understanding: Good outsourcing companies have a clear vertical focus, ensuring that they have skilled SMEs who understand your business needs and guide you through the correct processes and operations.
  
• One-stop shop: Why hunt all over the place for resources with experience in different technologies and spend resources on hiring and managing them, when you can just send the requirements to a company with all these expertise under one roof?
  
• Delivery Quality focus: There’s a beautiful quote by Jim Rohn which says, “One customer well taken care of could be more valuable than $10,000 worth of advertising”. If an outsourcing company has to compete in today’s world, it has to focus on the quality of services delivered. And if a company has retained clients over the years, that itself speaks enough about the quality of work they provide.
  
• Global Delivery Centre (GDC) and Savings on Infrastructure cost: Many companies are offering this as one of the engagement models for their clients where it is a win-win for both the parties. If you are looking to open a GDC, why not save a huge chunk of budget on the infrastructure cost and partner with an outsourcing vendor instead who can serve as your GDC?
  
• Pay for what you use, therefore save on infrastructure & operations cost: One of the perks of using Outsourcing as a service is that you only pay for the hours of service that you utilize and it gives you the flexibility of scaling the team as per your needs. Add the factor that you do not spend on the infrastructure and it’s a win-win deal you’ve got yourself!
  
• Cost benefits: You can save money by not outsourcing at all, but when you’ve got to accomplish something, outsourcing makes for a worthwhile investment. Efficient and quality delivery services reduces costs, improve your company’s effectiveness and boost your bottom line.
  
•  24X7 Support: Engage with a quality outsourcing partner and ensure that your systems are take care of round the clock. You never have to lose your sleep over the maintenance and upkeep of your systems anymore!

If done in the right way and with the right partner, outsourcing can and will work wonders for the growth of your organisation.






Written by Sahebkour Kung, Account Manager at Eternus Solutions

Read More »

Analyzing Salesforce data with Google Analytics: Part 2

In our quest of tracking the most popular Accounts based on page views, we had configured our Google Analytics account in the previous post. In this post, I will take you through the configurations required in your Salesforce org.

Creation of Home Page Custom Link

The first step in configuration of your Salesforce org is the creation of a Home Page Custom Link that will load our Google Analytics resource for tracking every page. This is a simple 7-step process:

1. Go to Setup | Customize | Home | Custom Links
2. Click on the New button
3. Label it as Google Analytics
4. Change the Behavior to Execute JavaScript
5. Change the Content Source to OnClick JavaScript
6. Copy the relative path URL of the JavaScript file that we added in the static resource
   
   We need to use {!REQUIRESCRIPT()} function, as using this function will load the script automatically upon page load, without even  needing to click on the Custom Link. The final URL will look somewhat like:
   {!REQUIRESCRIPT("/resource/1428508522000/GoogleAnalytics")}
   
   
   
   
   
7. Click on Save

Creation of the Home Page Component

Once you have created the Home Page Custom Link, you will need to create a Home Page Component in your Salesforce org, through a simple 8-step process listed below:

1. Go to Setup | Customize | Home | Home Page Components
2. Click on New button
3. Click on Next button if the Overview page is loaded
4. Name the new custom component as Google_Analytics
5. Select Type as Links
   
   
   
6. Click on Next button
7. Choose your Google_Analytics custom link from the left section list of options and move it to the right under the Custom Links to show tab in this new home page component, as shown below
   
   
   
8. Click on Save

Add Home Page Component to the Home Page Layout

As the next step, you need to add this home page component to a Home Page Layout and assign it to the users that you need to track.

1. Go to Setup | Customize | Home | Home Page Layouts
2. Click on Edit on the action column (see the screenshot below) next to the layout in which you want to add the Google Analytics tracking
   
   
   
   
   
3. Check the Google Analytics checkbox under “Select Narrow Components to Show“section.
   
   
   
4. Click on Next
5. You will be redirected to the Order the components step, where you need to add your home page component into the Narrow(Left) Column section
   
   
   
6. Click on Save

Show Custom Sidebar Components on All Pages

As the final step of configuring your Salesforce org, you need to show your Custom Sidebar Component on all the pages, through a simple 3-step process listed below.

1. Go to Setup | Customize | User Interface
2. Ensure the sidebar option Show Custom Sidebar Components on All Pages is checked
   
   
   
3. You can check your custom sidebar components on all the pages. It should look similar to the screenshot shown below:
   
   
   
   
   

Good News..!!! We are almost done…!!! Let’s see what we have got.

1. Click on any tab of your Salesforce site and check under the Real time section of Google Analytics by clicking on the overview link.  Google will show the tab or page you clicked most recently. You can also see the Active page URL on the “Top Active Pages” section.
   
   
   
   
   
2. You can also see the all site content like numbers of visits, unique page views, bounce rate, page title, and average time on page etc. on the Behavior section of Google Analytics.
   
   
   
   
   

In my next step, I will show how Google Analytics can be used for tracking your most popular Accounts based on page views, so that the key insights help your Sales reps take strategic action. Till then, stay tuned.


Analyzing Salesforce data with Google Analytics:  Part 1, Part 3, Part 4

Written by Arun Kumar Bharati,  Salesforce Developer at Eternus Solutions

Read More »