Presentation from SharePoint Saturday Virginia Beach

A big thank you to the organizers, sponsors, and attendees of SharePoint Saturday Virginia Beach! The event was well put-on, and it is a great location, with a great layout! I cannot believe it took me 4 years to get down there, I wish I had gone much sooner!

I am looking forward to the next #SPSVB, but in the meantime, you can find my presentation from my session, Planning and Configuring Extranets in SharePoint 2010 below… please leave any questions you have in the comments!



Secure Your SharePoint Extranet!

Or any extranet really… I presented tonight at the Baltimore SharePoint Users Group on Planning and Configuring Extranets in SharePoint 2010, and had the idea to make a quick post like this.

If you are opening your organization’s virtual doors to the outside world, please, please, PLEASE, only open up port 443, and use a Secure Sockets Layer certificate, a/k/a an SSL certificate, to secure it.

Even if you do not have anything resembling a budget – you can still be secure. GoDaddy offers SSL certificates for as little as $12.99 – just use this link.

Why? Well… take this scenario. Say you are connecting to your extranet from a café, and they do not have a secure WiFi setup, and you can just connect and browse. I bet you that somewhere in there, there is some pimply kid with his Macbook his parents bought him, in his Misfits T-Shirt, sniffing the unsecured WEP network, and watching you log into your Forms Based Authentication extranet, over an unencrypted port 80. Not only does he see the URL you are visiting and your username and password, he can also see everything you do. Confidential documents, payroll information – you name it. And there you go, your company’s data has been breached.

Now, if you take the extra time, and spend a few dollars – this would not have happened. SSL encrypts the connection from the end user’s browser, all the way to the server, so all the pimply faced hacker would see is just gobbledygook.

So a login session may just look like this (encrypted using SSL):

OIHP(@Q*YPR*Y@*(Y@C*(YR(*@YUP&@G&*T(*@&^$&@()&*CNHUSHLKSJLSHGLRWCTBLSUGL*r(*n^N(*#9693r562095876209387652097cUYTOIWESOFIY#3tyiuGi IWOLIWJdILW#T&@RLIU@HDIWUYR(Q*&#@yrOiu32H  lu hr*#@y*ry b@r*hsdiu wOIU8H9WQ83H RL iuliug # iqq&*g(iU3RG qiu

That looks a lot better than this (unencrypted – not using SSL):


While I do not have specific details, certificate providers (GoDaddy, Network Solutions, GeoTrust, Thawte, etc.) can also insure your SSL certificates, in case a data breach does take place. Look around, find what is right for you. And secure your extranet. Not tomorrow, but NOW. Pay for some security: it is better to pay money up front and be secure than to be involved in lawsuits and corporate losses, all over a yearly fee of up to a couple of hundred dollars. Protect your company, protect yourself, and protect your clients.

Resources and Slides from Granite State SharePoint Users Group Meeting

I had the pleasure of presenting my Planning and Configuring Extranets in SharePoint 2010 session at the Granite State SharePoint Users Group this past Thursday evening.

After a pleasant drive up to Nashua, I was met with a good sized crowd, and had fun presenting, as well as interacting with the crowd.

I would like to thank the #NHSPUG for allowing me to come up and present – and hope I get a chance to do it again soon!

Below is my deck from the session. Please feel free to contact me directly, or, via the comments below with any questions on the material!


Slides and Resources from SharePoint Saturday New Hampshire

SharePoint Saturday New Hampshire was a great event! A job well done by the organizers. This was the first SharePoint Saturday New Hampshire, and there seemed to be a great turnout, and the location worked out well. Saw a lot of familiar faces, as well as was able to meet a bunch of great new people. This was also my first official event as a Jornata employee, even though today is officially my first day 🙂

This next part of this post is special for those who attended my session, it’s our little inside joke.

My session was very well attended, and I got nothing but great remarks.

Thank you all again for attending, and for the standing ovation – really, you didn’t have to. But thank you none-the-less. Below you will find my slides from the event.

And if you missed my session, or just want to see it again, come see me in a couple weeks at the Granite State SharePoint Users Group, where I will be presenting the same session, on October 13th.

And if you’re in the Baltimore area, I will be presenting this at the Baltimore SharePoint Users Group on October 20th.

Without further ado – here is my slide deck from the event.

In the slide deck is also the updated URL for access to the demonstration environment (

Recap and Resources from SharePoint Saturday NYC

I have to hand it to the organizers of the event, Becky Isserman (@MossLover), Jason Gallicchio (@PrincetonSUG), Greg Hurlman (@ghurlman), and Tasha Scott (@TashasEv) as well as their volunteers, for putting together one of the best organized SharePoint Saturdays I have been to. Great job! Lots of great sessions, sponsors, and speakers made this quite the memorable event! I was able to connect with old friends, and meet plenty of new ones.

The organizers also did something very special and unique with the speaker, volunteer, and organizer shirts – each of them either had a patch for the NYPD, NY Port Authority, or FDNY, remembering the attacks on the World Trade Center, as in just over a month from now, will be the 10th anniversary of that tragic day, in which thousands of lives were lost. This shirt will be definitely one of the conference shirts that I will be holding on to. There were lots of conversations about that day – the people we knew, where we were, and what we were doing… and how it has affected our lives since.

I had a great time giving my session (once I caught my breath after literally running around right up until the starting bell, searching for a power adapter, as mine would not work!), and had a lot of great questions from the crowd! With that, here are my slides from the event, with one important update – the CloudShare link no longer works… found the expiration notice in my junk mail folder the day after the environment was removed 😦 I will work on getting a new one up and running within the next couple of weeks – then the link should be functional again.



Thank you all for attending, if you were able to make it. Someone was even there due to my extranets blog post series (Part 1, Part 2, Part 3), so I know at least one person is reading this!

If you’re in the DC area this week, be sure to catch my session at SharePoint Saturday – The Conference!

“Sign me in automatically” in Forms Authentication


Now this is not just limited to SharePoint, but, since my main focus is SharePoint, this is where I come across this issue the most. When you log in with SharePoint via Forms Based Authentication, there is that little “Sign me in automatically” checkbox below the FBA login form. If you check this, you may realize that a few hours later, when you go to log back into the site, it does not seem to actually remember you at all. That is because by default, it will only remember you for 30 minutes. We can change this quite easily however… This option is controlled within your web application configuration file (web.config) on the server.

If you open this file directly and search for <authentication mode="Forms"> under <system.web>, you will see, by default, this:

<authentication mode="Forms">
  <forms loginUrl="/_login/default.aspx" />
</authentication>

You can also look in IIS, under the Configuration Editor feature in the Management section of the web application.



If we expand system.web, and click on authentication


Now, the two options we want to look at in here are timeout, and sliding expiration…


The definitions for both of these settings are below, taken from MSDN.

When the SlidingExpiration is set to true, the time interval during which the authentication cookie is valid is reset to the expiration Timeout property value. This happens if the user browses after half of the timeout has expired. For example, if you set an expiration of 20 minutes by using sliding expiration, a user can visit the site at 2:00 PM and receive a cookie that is set to expire at 2:20 PM. The expiration is only updated if the user visits the site after 2:10 PM. If the user visits the site at 2:09 PM, the cookie is not updated because half of the expiration time has not passed. If the user then waits 12 minutes, visiting the site at 2:21 PM, the cookie will be expired. (from:

The amount of time in minutes after which the authentication expires. The default value is 30 minutes. (from:

I suggest setting this to something much higher. If your users will generally log in once a month, setting this to a couple of months will ensure they are remembered, and with sliding expiration configured, if they log in during the 3rd month, the system will reset the time on that cookie, remembering them for another 3 months from that date. For sites whose users log in less often, setting this to a year is a decent bet that they will be remembered for some time. A year in minutes would be: 525600

Hopefully this helps in your configuration of FBA for SharePoint, as well as other FBA applications.
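The timeout and sliding-expiration behaviour described above, as an added PowerShell example that is not part of the original post: it sets both attributes on a constructed web.config fragment and replays the half-timeout rule from the MSDN definition. The function names, the sample fragment and the decision to also set requireSSL (so a long-lived cookie is only ever sent over port 443) are assumptions of this example.

```powershell
# Constructed sample: the default <forms> element shown above, wrapped so it parses.
$configText = @'
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_login/default.aspx" />
    </authentication>
  </system.web>
</configuration>
'@

# Hypothetical helper: set the cookie lifetime attributes on the <forms> element.
function Set-FormsCookieLifetime {
    param(
        [Parameter(Mandatory=$true)] [xml] $Config,
        [Parameter(Mandatory=$true)] [int] $TimeoutMinutes,
        [bool] $SlidingExpiration = $true
    )
    $xpath = '/configuration/system.web/authentication[@mode="Forms"]/forms'
    $forms = $Config.SelectSingleNode($xpath)
    if ($null -eq $forms) { throw 'No <forms> element under <authentication mode="Forms">.' }
    $forms.SetAttribute('timeout', [string]$TimeoutMinutes)
    $forms.SetAttribute('slidingExpiration', $SlidingExpiration.ToString().ToLowerInvariant())
    # Assumption of this example: a cookie that lives for months should never
    # travel over port 80, so mark it Secure with requireSSL.
    $forms.SetAttribute('requireSSL', 'true')
    return $forms.OuterXml
}

# Hypothetical helper: apply the MSDN rule to a single visit.
# The cookie is renewed only when more than half of the timeout has elapsed.
function Test-FormsTicket {
    param(
        [Parameter(Mandatory=$true)] [datetime] $Issued,
        [Parameter(Mandatory=$true)] [int] $TimeoutMinutes,
        [Parameter(Mandatory=$true)] [datetime] $Visit,
        [bool] $SlidingExpiration = $true
    )
    $expires = $Issued.AddMinutes($TimeoutMinutes)
    if ($Visit -gt $expires) { return 'Expired' }
    $elapsed = ($Visit - $Issued).TotalMinutes
    if ($SlidingExpiration -and $elapsed -gt ($TimeoutMinutes / 2)) { return 'Renewed' }
    return 'Unchanged'
}

# Rewrite the sample fragment with a one-year sliding timeout.
$config = [xml]$configText
Set-FormsCookieLifetime -Config $config -TimeoutMinutes 525600

# The MSDN example: 20-minute timeout, cookie issued at 2:00 PM.
$issued = [datetime]'2011-01-01T14:00:00'
foreach ($minutes in 9, 11, 21) {
    $state = Test-FormsTicket -Issued $issued -TimeoutMinutes 20 -Visit ($issued.AddMinutes($minutes))
    '{0,3} minutes after sign-in: {1}' -f $minutes, $state
}

# The same rule with the one-year value suggested above.
foreach ($days in 30, 200, 366) {
    $state = Test-FormsTicket -Issued $issued -TimeoutMinutes 525600 -Visit ($issued.AddDays($days))
    '{0,3} days after sign-in: {1}' -f $days, $state
}
```

On a server, load the real file with `[xml](Get-Content <path to web.config>)`, take a backup copy, and call `$config.Save(<path>)` once the output looks right.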

Planning and Configuring Extranets in SharePoint 2010-Part 3 “The Environment”

I know quite a few people have been waiting for this post. In this post we’ll cover the environment itself, which I have made mention of in Part 1 of this series, and went through more of the configuration in Part 2. I even made mention of it during my session at SharePoint Saturday Boston on the same subject. I have been extremely busy over the past two weeks with work, and finally had a chance today to put the finishing touches and testing on the environment, and it is now ready for release.

I would like to thank the folks over at CloudShare for making this possible. If you are not familiar with them – well, they say it better than I can

“CloudShare makes it easy to build, manage and share any business application instantly and on-demand, in the cloud. Used by individual business and IT professionals, developers, consultants, teams and enterprises, CloudShare offers complete and easy cloud solutions for development and testing, migration, training, demos and proofs of concept. Its latest product, CloudShare ProPlus, enables users to quickly build SharePoint environments and access preconfigured production-grade SharePoint farms – no physical servers, installs, recoding or software licensing of any kind.“

So, what they have allowed me to do, is build up a demonstration environment, using CloudShare ProPlus, and using the SharePoint and Office 2010 Information Worker Virtual Image from Microsoft as a base (actual environment setup took about 5 minutes to do – and then it was just a simple matter of configuration). Then, after taking a snapshot of that environment, I can now share that environment out. Each and every person that uses the link will have their very own copy to use. Using the link provided below you will be required to register for CloudShare Pro Plus, as a 14-day trial account, in which you can play around with the image as much as you want. If you like what you see, you can keep that going, even dumping this environment and creating your own, for just $49/month. You can then share out your environments with others if you’d like. This is really one of the best cloud SaaS solutions I’ve seen on the market to date.

So, with that – have at it!


If you have any questions or comments, please let me know in the comments below.

More posts to come within this series as well!

Finally into the Office 365 Beta Program

It seems that Microsoft has done another massive push into the Office 365 Beta program. So, yesterday, after months of waiting, I was finally able to get in. I will most likely not be using this blog to market the benefits (you can find those here: Top benefits), but rather, share my observations.

One neat thing which I did not expect… the Developer Dashboard is part of O365!


I thought that was a pretty cool inclusion they did for this. After all, this is a hosted version of SharePoint, and they are using FBA to connect to what I can assume is an LDAP database to host accounts.


Anyhow, more information and observations to come… hopefully some interesting stuff.

At the very least, I now have a * subdomain… That’s just cool.

Planning and Configuring Extranets in SharePoint 2010–Part 2

In Part 1 of this series, we walked through creating the actual databases for managing our FBA users, as well as the general scope of this blog series. Today, we are going to focus on the configuration of SharePoint [insert crowd roar here]. Ok, ok, I know you are excited, this however, is the hardest part IMHO, so, please pay attention, and try to color inside the lines to the best of your ability while we are following this exercise.


Membership and Role Providers

First, let us do a quick definition of what these are.

Membership Providers are the authentication sources for applications. A provider can be a number of back ends (LDAP, SQL, 3rd party application, or a custom membership provider). In our specific case here, we are using SQL, specifically, the ASP.NET Membership Database. If you look at the tables we created in Part 1, you can see how this provider stores a username, password, and other information about the user. Just like active directory, it can hold information about a user, and also be used for authentication.

Role Managers are similar to membership providers, however, these are more like groups in Active Directory. A person in the membership provider can belong to a number of different roles, or groups. We will be configuring these as well.

So, hopefully the brief introduction to these terms above is enough to make sense, so we can move onto our next bit.

At this point, they do not need to have a name. We can name them whatever we’d like to. So, we will use:

  • Membership Provider: SQL-MembershipProvider
  • Role Manager: SQL-RoleManager


Extending our Web Application with Claims Based Authentication

Now that we have our database up and running, we need to extend our web application in SharePoint 2010, so that we can create an FBA-Only authentication portal, for our partners at Contoso to access.

To do so, we need to enable Claims Based Authentication on our site. Because the site is already created, we need to make our existing site “Claims aware”.

Note: a great blog on configuring Claims Based Authentication can be found here. I’ve relied heavily on that article in the past, so you will see a lot of the same information in this article as you will see in my reference above. This is not a swipe of that article, it is more of a homage 🙂


Extending the Web Application and Enabling Claims Authentication

To do so, go into Central Administration.

In Central Administration, go to Application Management > Manage web applications, and click on the site you would like to extend. In this example, I will be using the Intranet site within the SharePoint 2010 Information Worker demo image. Click on that site


And then click on Extend up in the Ribbon.


Now, time to configure the extended site. Give it a name, port, etc. (If you give it a DNS name, make sure you add in a DNS entry!)



Then select the Extranet zone. This doesn’t do anything but classify the extended web application, and allow us to modify the authentication methods used. Then click OK.

Now, once we have done that, keep the web application selected in the list, click on Authentication Providers in the Ribbon, and then click on Extranet.


You will notice that we cannot change the authentication type from Windows to Forms.


Don’t worry, we have a fix for that. To convert the web application from Classic Authentication to Claims Based Authentication, open up the SharePoint 2010 Administration Console (PowerShell – as an administrator)


# Convert the extended web application from Classic to Claims Based Authentication
$webApp = Get-SPWebApplication http://extranet
$webApp.UseClaimsAuthentication = $true
$webApp.Update()

This will enable Claims authentication on our web application.

Now if we click on Authentication Providers on the ribbon again, you can see that they now show up as Claims Based Authentication


Click on the Extranet again, and you will now see that we can change the authentication type for this web application. If you want both AD users and FBA users to access the same portal with their respective accounts, go ahead and check both Enable Windows Authentication as well as Enable Forms Based Authentication. Remember how I listed the Membership Provider and the Role Manager at the beginning of this article? Now is when I make use of those.


Note:  If you want to create a custom login page, you can specify that option from here (right below the Claims Authentication Types section). Maybe in an addendum to this article down the road I will write a quick post on how to do that. It’s easy, but, this article is more IT Pro/Admin focused, so we’ll skip that for now 🙂

Now go to the bottom and click on Save.  SharePoint will deal with the configuration of this web application.


Extranet Web Application Configuration

Our next item of concern is the configuration for the extranet. We need to re-configure the web.config settings for this extended web application. To do so, open the web.config file for the extranet web application, in my example, it is located at (C:\inetpub\wwwroot\wss\VirtualDirectories\extranet80\web.config)

Search for </SharePoint>, which should appear right before <system.web>, and insert the following code, after </SharePoint>, and before <system.web>.

<connectionStrings>
  <add name="SQLConnectionString" connectionString="data source=DEMO2010A;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>

Replace the data source and Initial Catalog values above (the two highlighted bits in the original post) with your SQL server name and FBA database name respectively (see Part 1 for creating this database).

Once that is complete, locate the end of the </system.web>, mentioned above, where we just put the connectionStrings information. It will be right above </system.webServer>. There are many other system.web declarations within this file, so be sure to use the right one. You should see tags in the XML for membership and roleManager there.

We will leave these AS-IS! No need to modify those lines. Now, we need to add the following code within the <providers> and </providers> tags within the <membership> element, as directed in the image below


<!-- enablePasswordRetrieval must be "false" when passwordFormat is "Hashed":
     SqlMembershipProvider refuses to initialize with both set, because hashed
     passwords cannot be retrieved. -->
<add connectionStringName="SQLConnectionString"
     passwordAttemptWindow="5"
     enablePasswordRetrieval="false"
     enablePasswordReset="true"
     requiresQuestionAndAnswer="true"
     applicationName="/"
     requiresUniqueEmail="true"
     passwordFormat="Hashed"
     description="Stores and Retrieves membership data from SQL Server"
     name="SQL-MembershipProvider"
     type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Make sure that the connectionStringName and name attributes match the connection string we used above, as well as the membership provider name we used in SharePoint respectively.

Next, the piece of xml we are going to use will fit in between the <providers> and </providers> tags within the <roleManager> element, as directed in the image below


<add connectionStringName="SQLConnectionString"
     applicationName="/"
     description="Stores and retrieves roles from SQL Server"
     name="SQL-RoleManager"
     type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Again, make sure that the connectionStringName and name attributes match the connection string we used above, as well as the role manager name we used in SharePoint respectively.

Then save the web.config file.

Central Administration Web Application Configuration

We now need to modify the Central Administration web.config file as well. In our example here, our Central Admin web.config file is located at: C:\inetpub\wwwroot\wss\VirtualDirectories\44535\web.config

We will be editing in the same places within the config file that we did for our extranet web application above, but with just a few slight changes.

So, first, locate the closing </SharePoint> tag, and the opening <system.web>. Just as we did above, we are going to paste in our connection strings here.

<connectionStrings>
  <add name="SQLConnectionString" connectionString="data source=DEMO2010A;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>

And next, as you may have guessed, just before we close out the </system.web> tag in this web.config, we need to put in our membership provider and role information. This is slightly different from the one we used for the extranet web.config above, notice the default membership provider. Don’t change this – leave this as-is. It is NOT a typo.

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
<membership defaultProvider="SQL-MembershipProvider">
  <providers>
    <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>


Security Token Web Service Application Configuration

Last, but certainly not least, we must also update the web.config for the SecurityToken service.

Within your SharePoint Root folder, under WebServices\SecurityToken (generally found at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken), you will find another web.config file. Just before the closing </configuration> tag, add in the following… again, tailored to your configuration which we have specified above.

<connectionStrings>
    <add name="SQL-ConnectionString" connectionString="data source=DEMO2010A;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>
<system.web>
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
        <providers>
            <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
            <add connectionStringName="SQL-ConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
    </roleManager>
    <membership defaultProvider="i">
        <providers>
            <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
            <add connectionStringName="SQL-ConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
    </membership>
</system.web>

Once you do that, it would be healthy to restart IIS as well (just humor me on this one, while not required, as changes to the web.config will cause the application pools to recycle, I’ve seen issues where a reset to IIS has been known to do good).

And lastly, once you visit your site, you should get one of these nice choice boxes:



You should be configured, and ready to roll!
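The three web.config files above only work together if the provider names and connection string names line up, and this walkthrough uses SQLConnectionString in two files and SQL-ConnectionString in the third. The following added PowerShell check is not part of the original post; Test-FbaConfig and the trimmed sample configs are constructed for this example, with mistakes planted in them so each check has something to report.

```powershell
# Constructed, trimmed stand-ins for two of the web.config files edited above.
# On a server, load each real file instead: [xml](Get-Content <path to web.config>)
$samples = @{
    'Extranet' = @'
<configuration>
  <connectionStrings>
    <add name="SQLConnectionString" connectionString="data source=DEMO2010A;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
  </connectionStrings>
  <system.web>
    <membership><providers>
      <add name="SQL-MembershipProvider" connectionStringName="SQLConnectionString"
           passwordFormat="Hashed" enablePasswordRetrieval="true"
           type="System.Web.Security.SqlMembershipProvider, System.Web" />
    </providers></membership>
    <roleManager><providers>
      <add name="SQL-RoleManager" connectionStringName="SQLConnectionString"
           type="System.Web.Security.SqlRoleProvider, System.Web" />
    </providers></roleManager>
  </system.web>
</configuration>
'@
    'SecurityToken' = @'
<configuration>
  <connectionStrings>
    <add name="SQL-ConnectionString" connectionString="data source=DEMO2010A;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
  </connectionStrings>
  <system.web>
    <membership><providers>
      <add name="SQL-MembershipProvider" connectionStringName="SQLConnectionString"
           passwordFormat="Hashed" enablePasswordRetrieval="false"
           type="System.Web.Security.SqlMembershipProvider, System.Web" />
    </providers></membership>
    <roleManager><providers>
      <add name="SQL-RoleProvider" connectionStringName="SQL-ConnectionString"
           type="System.Web.Security.SqlRoleProvider, System.Web" />
    </providers></roleManager>
  </system.web>
</configuration>
'@
}

# Hypothetical helper: report SQL provider entries that cannot work as configured.
function Test-FbaConfig {
    param(
        [Parameter(Mandatory=$true)] [string] $Label,
        [Parameter(Mandatory=$true)] [xml] $Config,
        [string] $MembershipName = 'SQL-MembershipProvider',
        [string] $RoleName = 'SQL-RoleManager'
    )
    $issues = @()
    $connNames = @($Config.SelectNodes('/configuration/connectionStrings/add') |
        ForEach-Object { $_.GetAttribute('name') })
    $sections = @(
        @{ Section = 'membership';  Type = 'System.Web.Security.SqlMembershipProvider*'; Name = $MembershipName },
        @{ Section = 'roleManager'; Type = 'System.Web.Security.SqlRoleProvider*';       Name = $RoleName }
    )
    foreach ($s in $sections) {
        $xpath = '/configuration/system.web/{0}/providers/add' -f $s.Section
        $sql = @($Config.SelectNodes($xpath) | Where-Object { $_.GetAttribute('type') -like $s.Type })
        # The name must match what was typed into Central Administration.
        if (@($sql | Where-Object { $_.GetAttribute('name') -eq $s.Name }).Count -eq 0) {
            $issues += "{0}: no SQL provider named '{1}'" -f $s.Section, $s.Name
        }
        foreach ($p in $sql) {
            # The connection string must be defined in the same file.
            $conn = $p.GetAttribute('connectionStringName')
            if ($connNames -notcontains $conn) {
                $issues += "{0}: connectionStringName '{1}' is not defined in this file" -f $s.Section, $conn
            }
            # SqlMembershipProvider refuses to initialize with this combination.
            if ($p.GetAttribute('passwordFormat') -eq 'Hashed' -and $p.GetAttribute('enablePasswordRetrieval') -eq 'true') {
                $issues += "{0}: enablePasswordRetrieval=true cannot be combined with passwordFormat=Hashed" -f $s.Section
            }
        }
    }
    foreach ($issue in $issues) {
        New-Object PSObject -Property @{ File = $Label; Issue = $issue }
    }
}

$report = foreach ($label in $samples.Keys) {
    Test-FbaConfig -Label $label -Config ([xml]$samples[$label])
}
$report | Sort-Object File, Issue | Format-Table File, Issue -AutoSize -Wrap
```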

Now stay tuned for Part 3… get access to this test environment!

Planning and Configuring Extranets in SharePoint 2010–Part 1

For my SharePoint Saturday Boston session on April 9th, I will be delivering a presentation on Planning and Configuring Extranets in SharePoint 2010. As I am building up my virtual environment for this presentation, I thought I would also write a blog series on the subject. The abstract for the session is below, and, if you can make it to SharePoint Saturday Boston, I hope you’ll come and see the presentation.

Most companies, large or small, require contact and collaboration with external entities, whether they are vendors, clients, or contractors. SharePoint gives us the ability to open up portals for collaboration with these external entities – this session will show you how to accomplish this using SharePoint 2010.

We will review what is required to make SharePoint “open” to the external world, discuss scenarios regarding security and privacy, as well as walk through configuring Forms Based Authentication, Claims Based Authentication, as well as using Business Connectivity Services in SharePoint 2010, to authenticate, and manage our external users.

Once completing this session, you should have a firm grasp on how to configure an extranet environment using SharePoint 2010, as well as what should be considered during the planning of your extranet scenarios.

At the conclusion of this series, as well as after the presentation at SPS Boston, I will include my slide deck here, as well as links to the actual virtual environment I am creating for this via cloudshare, as well as follow-up answers to questions asked during the session. I am using this to build up the shareable version of my presentation, because, it doesn’t use any local resources, I can access it from anywhere, and, I can share it with an unlimited amount of people, and I can update it from time to time.

So, let’s get started. To give some background on what we are going to be accomplishing here as our end game – we are going to configure the SharePoint 2010 Information Worker image with FBA, using the ASP.NET membership database as our backend. As well as using some built-in and home-grown tools to manage those users.

So now, really this time, let’s get started… oh wait, before I do, notice the two images that start off this blog post? Get it? An “extra net”, hah! Wow, did I strike a funny bone on that one.

Ok, I am seriously serious about moving forward on this. Let’s go.

Creating the ASP.NET Membership Database

So, first, we will need to be able to authenticate users. In the imaginary (but none-the-less exciting!) extranet planning that took place for Contoso, we decided we did not want our external users, our partners, to have Active Directory accounts. Sure, we can secure AD users, and create a sub-domain to support them, but, just in case, we want to make sure that with the username and password they are given, they cannot access any other resource at all, no matter what, within our organization. Even if they came into our office and plopped down onto a computer connected to our internal network, and started typing away. A SQL-based authentication source will guarantee that.

To do this, we are going to follow this resource here ( to create our authentication database (pay no attention to the fact that the content is outdated – it is not for our purposes!). If we visit that link, and scroll down to Using the SQLMemberShipProvider, and look at Step 2, we have the commands needed to configure our ASP.NET Membership Database.

aspnet_regsql.exe -E -S localhost -A -all

If you do not have aspnet_regsql.exe in your path, it can be found in C:\Windows\Microsoft.NET\<FRAMEWORK VERSION>\<versionNumber>\aspnet_regsql.exe


This will create all of the tables needed (we might need roles, web part personalization, etc., so that is why I chose the “All” option). Information on all of the above options can be found at the Creating the Application Services Database for SQL Server link from TechNet.

Once that completes, if you check SQL, you should have a new database named aspnetdb, as well as the tables.


And time to leave you hanging until Part 2… until then, stay tuned for more extranet fun in SharePoint 2010!
