This post shows the steps which leads towards the configuration of Live Authentication in SharePoint 2010.
Before going in depth I want to tell some key points when configuring Live Authentication in SharePoint 2010. Actually WLID provides two zones “INT” and “PROD”. The “INT” zone is for testing purpose and the “PROD” zone is for production and you can use your actual hotmail or live accounts to authenticate users in SharePoint. One cannot directly submit their site to PROD until and unless they first submit their site in “INT”.
Creating a Test account
First of all create a test account in account services database.
1. Go to https://accountservices.msn-int.com
2. Sign up a new account
3. Choose “Yes, use my e-mail address” in the Signup window and press continue
4. Fill the form and specify an email address which contains @hotmail-int.com in the end. for e.g. email@example.com
5. After creating account we need to see the unique id of the newly created account.
6. Click on credentials and note the UniqueId, save it somewhere we need to use it while specifying the site collection administrator for sharepoint site.
Registering a Site at Microsoft Services Manager
1. Navigate to http://msm.live.com
2. Enter your hotmail or live account id and sign in
3. Click on “Register your Site” link
4. Specify the name of your site for e.g. “Ovais Live Site”
5. Specify the DNS name of your site for e.g. “ovais.live”
6. Select the checkbox named “Windows Live Id”
7. Click on submit
8. Now after done submitting click on the “Manage your site” link
9. In the Manage your site page click on “Modify Editable Site properties”
10. Click on “Show Advanced Properties”
11. Configure the domain name in my case i have specified ovais.live.com
12. Specify DNS in my case i have specified urn:ovaislivesite:int
13. Specify the domain name in the default return url to https://ovais.live.com/_trust/default.aspx. Make sure it should match with the domain name.
14. Specify the domain name in the Expire cookie URL to https://ovais.live.com/wlid/expirecookie.aspx. Make sure it should match with the domain name.
15. Select “Override Authentication Policy” to MBI_FED_SSL
16. Click on Submit.
Creating and Importing a Certificate provided by Nexus Passport INT
1. Navigate to the https://nexus.passport-int.com/federationmetadata2/2007-06/federationmetadata.xml
2. Copy the inner text of X509Certificate node and paste it in a notepad.
3. Save the file with .cer as file extension
4. Run MMC.
5. Add Certificates Snap In
6. Import the newly created certificate in three places.
– SharePoint > Certificates
– Trusted People > Certificates
– Trusted Root Certification Authority > Certificates
Create STS Provider
Open Microsoft Shell Management and execute scripts as defined below. Note: the $realm should match with the DNS name you have specified while creating your site at msm.live.com. The $certfile should map to the path where the certificate is stored which was created in the previous section.
1. asnp microsoft.sharepoint.powershell
2. $realm = “urn:ovaislivesite:int”
3. $certfile = “C:\Live.cer”
4. $rootcert = Get-PfxCertificate $certfile
5. New-SPTrustedRootAuthority “Live ID INT Root Authority” -Certificate $rootcert
6. $emailclaim = New-SPClaimTypeMapping
7. $upnclaim = New-SPClaimTypeMapping
8. $authp = New-SPTrustedIdentityTokenIssuer -Name “LiveID INT”
-Description “LiveID INT” -Realm $realm -ImportTrustCertificate $certfile
-ClaimsMappings $emailclaim,$upnclaim -SignInUrl “https://login.live-int.com/login.srf”
Create Web Application in SharePoint
1. Open Central Management and click on Application Management
2. Click on New in the top panel
3. Select Claim Based in the Authentication
4. Select Allow Anonymous to No and SSL to Yes as shown below.
5. Click OK to finish creating a web application.
6. Now create a site collection. Click on the Create Site Collection under Application Management tab in Central Administration
7. Specify any title and select any template
8. In the Site collection administrator specify the live account address, the format should be firstname.lastname@example.org.
Add Certificate to Web Application
1. Open IIS
2. Open Server Certificates
3. Click on “Create Self Signed Certificate”
4. Specify certificate name in my case i had specified “ovais.live.com”
5. Add this certificate in the newly created web application and also add https binding to 443.
4. Check by accessing https://ovais.live.com
8. Press Sign In
9. It will show the SharePoint site as shown below.