STS Background: In SharePoint 2010, 2013, 2016, etc, the Security Token Service (STS) is a web service hosted under the “SharePoint Web Services” IIS site on HTTP port 32843 and HTTPS port 32844, in a virtual directory called SecurityTokenServiceApplication. In SharePoint 2010, it contains 2 web services: Securitytoken.svc and Windowstokencache.svc. In SharePoint 2013 and 2016, it contains
This post is similar to my previous post on Check Permissions, except here, we’ll be talking about Forms-Based Authentication (FBA). The way “Check Permissions” works varies by authentication method. For Windows or Trusted Provider auth, see my other posts: Windows-Claims Authentication: https://joshroark.com/sharepoint-troubleshooting-check-permissions-windows-auth/ Trusted Provider Authentication: https://joshroark.com/sharepoint-check-permissions-and-external-tokens-adfs-saml-auth/ With Forms-Based Authentication, all of the same
Consider the following scenario: You have a SharePoint 2016 site that has been enabled for anonymous access. You have some Microsoft Office (Word, Excel, PowerPoint, etc) documents in a library that anonymous users also have access to. A user clicks on a (for example) Word document to open it. They receive a credential prompt,
This post covers the scenario where users log in via a trusted provider / SAML-claims (like ADFS, Ping, Site Minder, etc) and intermittently, they are redirected to the login page to re-authenticate. There are a few pieces of information you need for a scenario like this (beyond the regular scoping): 1. Output of Get-SPSecurityTokenServiceConfig 2. A Fiddler trace
Update: 8/5/19 — Made an amendment to Fact #3. Facts: 1. The Claims to Windows Token Service (from here on denoted as “C2WTS”) is only used when SharePoint needs to get data from an external system that does not understand claims. Examples of features that can be configured to use C2WTS include, but are not
There are a couple of known issues with user profile pictures when your Mysite web application uses Trusted Provider (ADFS / SAML) authentication. Symptoms: There are two different known symptoms with the same cause and solution: #1 When running User Profile Synchronization, nothing is imported or exported. In the Forefront Identity Manager (FIM) client, we see
NTLM authentication is not great. It’s not the fastest. In most cases, that honor would go to Kerberos. It’s not the most secure. Again, Kerberos. It’s not all that flexible. For example, it doesn’t work well for extranets or anything cross-firewall. In those scenarios, Trusted Provider auth (SAML / WS-Fed) works well. See: AD FS.