Single sign-on in SharePoint Workspace 2010

Hello everyone! With the Office 2010 release near, I'm starting a series of articles on what has changed in the product since Microsoft Office Groove 2007. This article is about single sign-on authentication: first some general information, and then what you should know if you administer managed Groove accounts.

SharePoint Workspace 2010 supports single sign-on authentication. Groove 2007 and earlier Groove products required a password at startup, and you either had to type that password every time or configure Groove to remember it, at the risk of forgetting it yourself. Now SharePoint Workspace links your SharePoint Workspace account to your Windows login, and once you are logged in to Windows you can start SharePoint Workspace without being prompted for a password.

A brief note on security

So, what is the effect on security? Surprisingly positive! I'm not going to cover that in detail, as Paul Cannon and Leon Alexandrou have a great post on it here: https://blogs.msdn.com/sharepoint_workspace_development_team/archive/2010/02/18/sharepoint-workspace-and-single-sign-on.aspx. One point they don't cover is the rise of malware that harvests passwords as the user types them. Every separate application password prompt is one more opportunity for a keylogger to capture a credential, so as that sort of malware has become more common, the risk carried by individual application authentication prompts has increased, and removing the prompt removes that exposure. Also, be aware that your account still has a password internally; it just happens to be a very long one that SharePoint Workspace generates and that is only available after you have logged in to Windows as yourself. If someone took all the Groove data files off your computer and moved them to all the right places on their own computer, they would not gain access to the data by installing Groove over it. The flip side is that the account is now exactly as well protected as your Windows logon: anyone who can log on to your computer as you, or run code in your session, can start SharePoint Workspace without being asked for anything. A strong Windows password, locking the screen when you step away, and not sharing Windows accounts matter more with single sign-on, not less. See the linked post for more information.

Behavior at first launch

Obviously, with single sign-on, there's not a lot to see. If SharePoint Workspace 2010 is a new installation, then the first time you start SharePoint Workspace you are prompted to create or install an account, as before, but the account creation process is a little shorter because you are not prompted to set a password. When the account is created, SharePoint Workspace generates an internal password that is accessible through your Windows account once you have logged in to Windows, and it uses that password behind the scenes each time you start SharePoint Workspace.

If you are upgrading from Groove 2007, this is a little different. The first time you start SharePoint Workspace, you will be prompted for your Groove 2007 account password. If you do not remember it, you will be prompted to reset your password. Once you have provided the password, or the reset has completed successfully, SharePoint Workspace converts your account to use single sign-on.

Importing your account

If you subsequently import your account on another computer, SharePoint Workspace will display a password prompt. If you upgraded from Groove 2007 and remember your 2007 password, you can enter it here. Otherwise, click Reset Password and follow the instructions in the confirmation email you receive. Again, your account on this computer will be linked to the current Windows account.

Single sign-on with domain management

In an unmanaged environment, single sign-on links the SharePoint Workspace account to the active user's local Windows account. However, it is possible for an administrator to configure Groove Manager and Active Directory so that a SharePoint Workspace account is linked to the active user's domain account instead.

Configuration

Configuring the servers

Here are the basic steps administrators must take to integrate single sign-on with domain accounts.

  1. Install Groove Server Manager 2010. In Directory Configuration, opt to connect to an Active Directory server, and provide the name of the Active Directory Forest.
  2. Configure Active Directory for integration with SharePoint Workspace provisioning by adding the schema extension for use in the Active Directory Users and Computers (ADUC) tool. (For details, see https://technet.microsoft.com/en-us/library/ee681773(office.14).aspx.)
  3. Enable automatic account configuration by creating a Group Policy Object (GPO) that assigns domain members to the Groove Manager. (For details, see https://technet.microsoft.com/en-us/library/ee681783(office.14).aspx.) 

After you have completed this configuration, users who meet the desktop requirements in the next section and who install SharePoint Workspace will get SharePoint Workspace accounts linked to their domain accounts instead of to local Windows accounts.

Requirements on the desktop

To benefit from the above configuration, the following conditions must be met on the computer that will run SharePoint Workspace:

  • The computer is joined to a domain that is in the Active Directory Forest that the Groove Manager is integrated with.
  • The person who will use SharePoint Workspace logs in to the computer using a domain account that has the GPO designating a Groove Manager.
  • The person who will use SharePoint Workspace is the person who starts SharePoint Workspace for the first time. (If SharePoint Workspace is installed by someone other than the person who will use it, the installer must not start the application after the installation completes.)

When the user launches SharePoint Workspace for the first time, SharePoint Workspace will contact the assigned Groove Manager and fetch the user's account.
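Before that first launch it is worth confirming the three desktop conditions above, because once the application has been started under the wrong account the link is already made. The following PowerShell script is an added example, not part of the original post or of the product; run it in the logon session of the person who will use SharePoint Workspace. It checks that the computer is joined to a domain in the expected forest, that the interactive user is a domain account rather than a local one, and that the Groove Manager assignment GPO appears in the user's applied policies. The forest name and GPO display name are parameters you supply; the values in the usage comment are placeholders, and the script only uses the standard .NET Active Directory classes and gpresult.exe, not anything specific to Groove Manager.

```powershell
# Added example (not from the original post): pre-flight check of the desktop
# requirements for domain-linked single sign-on. Run as the person who will use
# SharePoint Workspace, BEFORE SharePoint Workspace is started for the first time.
#
# Usage (placeholder values):
#   .\Test-GrooveSsoReadiness.ps1 -ExpectedForest corp.example.com -GrooveManagerGpoName "Groove Manager Assignment"
param(
    # Forest name that was entered in Groove Server Manager's Directory Configuration
    [Parameter(Mandatory = $true)] [string] $ExpectedForest,
    # Display name of the GPO you created to assign domain members to the Groove Manager
    [Parameter(Mandatory = $true)] [string] $GrooveManagerGpoName
)

$ok = $true

# 1. Is this computer joined to a domain, and is that domain in the expected forest?
#    GetComputerDomain() throws if the machine is not domain-joined.
try {
    $computerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $forest = $computerDomain.Forest.Name
    if ($forest -ieq $ExpectedForest) {
        Write-Host "OK   computer is joined to $($computerDomain.Name) in forest $forest"
    } else {
        Write-Host "FAIL computer domain $($computerDomain.Name) is in forest $forest, not $ExpectedForest"
        $ok = $false
    }
} catch {
    Write-Host "FAIL computer is not joined to an Active Directory domain ($($_.Exception.Message))"
    $ok = $false
}

# 2. Is the interactive user a domain account rather than a local account?
#    A local account's name is prefixed with the computer name (COMPUTER\user).
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$accountDomain = ($identity.Name -split '\\')[0]
if ($accountDomain -ieq $env:COMPUTERNAME) {
    Write-Host "FAIL $($identity.Name) is a local account; log on with a domain account instead"
    $ok = $false
} else {
    Write-Host "OK   logged on as domain account $($identity.Name)"
}

# 3. Has the Groove Manager GPO actually been applied to this user?
#    gpresult /scope:user /r lists the user's "Applied Group Policy Objects" by display name.
$gpresult = & gpresult.exe /scope:user /r 2>&1 | Out-String
if ($gpresult -match [regex]::Escape($GrooveManagerGpoName)) {
    Write-Host "OK   GPO '$GrooveManagerGpoName' is applied to this user"
} else {
    Write-Host "FAIL GPO '$GrooveManagerGpoName' is not in this user's applied GPOs (try 'gpupdate /force', log off and on, then re-run)"
    $ok = $false
}

if ($ok) {
    Write-Host "All desktop requirements met; start SharePoint Workspace now, as this user."
    exit 0
} else {
    exit 1
}
```

The third requirement, that the intended user is the first person to start the application, cannot be verified after the fact by a script; it is enforced by procedure, which is why the check is meant to run immediately before that first launch and why anyone installing on the user's behalf must decline to start the application when setup finishes.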