Using Windows Live ID for SharePoint Authentication

I recently got an email from Yaroslav Pentsarskyy who has a blog at https://www.sharemuch.com/.  He contacted me with feedback that the Canadian IT Pro blog, and other blogs that the Canadian Audience Team contributes to, like the Canadian Developers Blog, do not have all that much SharePoint content.  He asked why and also wanted to know if he could help.  My first reaction to this was “Yup, he’s right. Not that much SharePoint content”.  My second was, I think I’ll take him up on his offer.  Here is the first in what will hopefully be a series of contributing posts from Yaroslav to the Canadian IT Pro Blog. 

BTW, if you like the post or think we should have more SharePoint content (or content on other technologies), leave a comment or email me through the email link on the top left or at damirb@microsoft.com.  Your feedback allows us to add content that makes the blog a better resource for you.

------------------------------------------------------------------------------------

Authentication and credentials management is not a trivial thing anywhere, least of all in SharePoint. You have to ask yourself the following:

  • How do I handle new user registrations?
  • What about resetting passwords?
  • How do I handle the “forgot password” scenario?
  • How do I ensure password complexity requirements?
  • How should I handle password expiration?
  • Should authentication be going through an encrypted connection (SSL)?
  • Should user login be an email address, or just a name?

That’s a lot of questions, and if you maintain a public site, all of the questions above are very relevant.  This is true not only for security purposes but also from a usability perspective, since you don’t want to confuse users with unusual workflows and scenarios.

If you have a customer service or support portal implemented as a SharePoint solution, you might want to consider Live ID authentication to address all of the challenges above.  Many people now have one or more Live IDs for their email and other online services’ access.  Microsoft widely uses Live ID in many scenarios. People have learned to trust the Live ID user interface and are familiar with its basic workflow.

There are a few implementations of Live ID/SharePoint integration out there. Some of them are commercial.  In this article I wanted to share a free community toolkit from CodePlex (developed by Lawrence Liu) which takes care of Live ID/SharePoint integration: https://www.codeplex.com/CKS/Release/ProjectReleases.aspx?ReleaseId=7746

The integration module is implemented as a SharePoint solution, therefore allowing for quick deployment and management.

Here are the steps:

  1. Download the Community Toolkit from https://www.codeplex.com/CKS/Release/ProjectReleases.aspx?ReleaseId=7746
  2. We’ll place CKS.MembershipProvider.WindowsLiveAuthentication.wsp into c:\LiveId
  3. Execute: "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\bin\stsadm.exe" -o addsolution -filename C:\LiveId\CKS.MembershipProvider.WindowsLiveAuthentication.wsp
  4. Execute: "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\bin\stsadm.exe" -o deploysolution -name CKS.MembershipProvider.WindowsLiveAuthentication.wsp -immediate -allowgacdeployment (deploysolution takes the solution name as stored in the solution store, not the file path)
  5. Execute: "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\bin\stsadm.exe" -o execadmsvcjobs

This will take care of installing the solution to your farm.

Next, you’ll register your public site with the Live ID Authentication server using the steps below:

  1. Open https://msm.live.com/app/default.aspx and click on “Register an Application”.
  2. You’ll be required to sign in and fill out a few registration steps.
  3. Take note of the Application ID provided, since you will need it during the next few steps.

Next we’ll configure SharePoint to use LiveID as a membership provider, following the steps below:

  1. Go to Central Administration and click on the Application Management tab.
  2. Open the Authentication Providers link.
  3. Pick the Web Application and Zone you’d like LiveID authentication to be enabled on.
  4. Ensure Authentication Type is set to Forms.
  5. Enter a Membership provider name of LiveID and a Role manager name of LiveRoles.
  6. Click Save.

Finally, we need to ensure SharePoint knows how to communicate with the LiveID web service for its authentication needs.

In a command prompt we execute the following:

"C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\bin\stsadm.exe" -o addwindowsliveauth -appid <application id> -appkey <application secret key> -appmode <http/https> -profsite <URL of site that contains the profile list> -proflist <user profile list name> -locked <URL to send locked users to> -url <URL of the Web Application>

This needs to be executed for both URLs (the selected web application and Central Administration).  The Central Administration part is important for this configuration, since that is how a site collection administrator (an administrator Live ID) can be assigned.
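As an added example (not from the post or the CKS toolkit), here is a PowerShell script that runs the deployment and provider-registration steps above end to end, stopping at the first stsadm error and registering the provider for both URLs; the application ID, the URLs, the list name and the locked-page address are placeholders, and the application secret key is prompted for rather than stored in the script.

```powershell
# Added example, not part of the original post or the toolkit.
# Assumes the 12-hive path and package location used in the post; every
# value marked "placeholder" must be replaced with your own.
$stsadm   = "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\bin\stsadm.exe"
$wsp      = "C:\LiveId\CKS.MembershipProvider.WindowsLiveAuthentication.wsp"
$appId    = "<application id>"                        # placeholder: from the msm.live.com registration
$appKey   = Read-Host "Live ID application secret key" # prompted so the secret never sits in this file
$profSite = "https://portal.example.com"              # placeholder: site that holds the profile list
$profList = "LiveIdUsers"                             # placeholder: list that receives new registrations
$locked   = "https://portal.example.com/locked.aspx"  # placeholder: page for locked-out users
# Both URLs from the post: the public web application and Central Administration (placeholders).
$urls     = @("https://portal.example.com", "http://ca-server:12345")

# Runs stsadm with the given arguments and throws on a non-zero exit code,
# so a failed step is not silently followed by the next one.
function Invoke-Stsadm {
    param([string[]]$Arguments)
    & $stsadm $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "stsadm failed (exit $LASTEXITCODE): $($Arguments -join ' ')"
    }
}

if (-not (Test-Path $wsp)) { throw "Solution package not found: $wsp" }

# Steps 3-5 of the post: add the package to the solution store, deploy it, run the admin jobs.
# deploysolution takes the solution name (file name only), not the full path.
Invoke-Stsadm @("-o", "addsolution", "-filename", $wsp)
Invoke-Stsadm @("-o", "deploysolution", "-name", (Split-Path $wsp -Leaf),
                "-immediate", "-allowgacdeployment")
Invoke-Stsadm @("-o", "execadmsvcjobs")

# Register the Live ID provider once per URL. -appmode https is the value to use
# when the site is served over SSL, which the post recommends for authentication.
foreach ($url in $urls) {
    Invoke-Stsadm @("-o", "addwindowsliveauth",
                    "-appid", $appId, "-appkey", $appKey, "-appmode", "https",
                    "-profsite", $profSite, "-proflist", $profList,
                    "-locked", $locked, "-url", $url)
}
```

Note that stsadm still receives the secret key as a command-line argument, so run the script from an administrator session on the farm server rather than from a shared or logged shell.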

As you can see from the last command prompt statement, “-proflist” defines the name of the list where new users will be added as they register. Once new users exist in this list, you can manage their IDs and other information using the default user management and permissions interface.

Hopefully this was helpful. If any more details are required, either ping me at www.sharemuch.com or check with the Toolkit developer at https://www.codeplex.com/CKS/Release/ProjectReleases.aspx?ReleaseId=7746

Cheers!

Yaroslav Pentsarskyy