We have installed SharePoint Server 2010 and Project Server 2010 without AD. We're a disconnected bunch and thought we'd take it for a spin since being part of BizSpark. But now I'm seeing an issue with editing user account info like email address. Can anyone give me some hints on how life might be like without AD or how to supplement what we might be missing by running the system without AD. Many posts note it is supported but little has notes on what you might be missing.
Thanks in advance.
What you need is to check out the User Profile Service Application area.
Go to SharePoint Central Administration
Go to Manage Service Applications
Select User Profile Service Application
This area is the home of the accounts that are in SharePoint, as well as all the information about the users and how it is displayed on their "My Site"/profile page areas.
If you select Manage User Profiles, this is the area where you can override information from Active Directory about users that are in sharepoint. If you connect to AD, you'll see a little database icon next to the fields that indicates it is synchronized. Even if you use AD, these field can be individually overriden with new information. If you don't have AD, then these will all need to be populated manually by you.
If you go to Manage User Properties you will find all the options to show which fields are editable and which fields are not on a user's profile. This includes, but is not limited to:
Email
Display Name
Homepage/Url
Department
Manager
If you have AD, you'll rarely visit this service admin page, because everything will just work. If you don't, then you'll need to check out this area to change the information about the people that are using your SharePoint instance.
Hope that helps!
Related
I have a React Application that uses Microsoft AD to authenticate users.
As a first step, and according to Microsoft Documentation, we need to register the application with the Microsoft identity platform.
This is inline with Microsoft Identity Platform Documentation, in this diagram we can see that for ALL types of applications (SPA, Web App, etc), we always need to configure an application in AzureAD:
This process is "cumbersome", and i'm trying to remove it by having the application installed automatically.
Several third-parties do this, such as Zapier, SpecFlow, etc.
Basically, they have a process where:
User logs in on Zapier
User is redirected to Azure AD sign-in page
User is authenticated and authorized
AzureAD shows the Consent Page
User consents
Application is installed on user's AzureAD
I've been reading and searching in Microsoft's Documentation, and i cannot find a single document that shows or even mentions this type of flow.
BUT, i know that this is possible, as there are several third parties that are doing exactly this, as Zapier, for example.
Can anyone point me in the right direction, there must exist some Microsoft document that explains how this process is done!
Apologies if this should be a comment, not an answer. I do not have enough SO reputation to write comments.
Zapier is published to the Azure Active Directory application gallery (1c76d9b0-0826-4b19-8706-29572657af1e). You can do this as well:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/v2-howto-app-gallery-listing
If an application already exists in the gallery, it does not need to be "registered" in the user's tenant, as the registration definition is defined in the gallery.
Once an app is in the gallery, users can use it only if their tenant's administrators allow this, per the settings on this page:
Enterprise applications | User settings
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/UserSettings
From the user's end, there are other governance controls that may impact the user's ability to use your app, but I think "register your app in the gallery" is probably what you're asking for.
We used to be able to have social accounts request access packages by signing in at myaccess.microsoft.com. Now, we get an error that says you can not sign in with a personal account. Why is this the case since it remains possible to create a domain like gmail.com or outlook.com as a connected organization in Entitlement Management?
Also, after landing on the myaccess portal and expanding an access package that a user has been approved for to view its resources, it used to be able for example, to open a SharePoint site or an application directly from this view by simply clicking on the resource or clicking an open Now that ability has been removing leaving us to have to send links tot he resource to users. This degrades experience substantially. Can we have this ability returned?
Please check the type of personal account in your portal, and if guest, you cannot log in myaccess.onmicrosoft.com , if created in the portal or of type member, it is accessible.
This is the relevant doc.
Sign in to the My Access portal.
Be sure you use your organizational (work or school) account. If
you're unsure, check with your project or business manager.
I invited my personal account (user type) to test if I login directly myaccess.onmicrosoft.com.And the following screenshots do report errors.
I need to set up a new SSRS site but I'm not sure if adding Users in the Site Settings as System User is required. I've added the Users to Roles on each folder and the Home folder. Is that enough?
The last few SSRS sites I've used only had BuiltIn\Administrators listed on the Site Settings Security page and Users were given Content Manager roles on the Home folder and sub-folders inherited that. And that worked.
But, most of the guides I see online start by telling you to add each User as a System User in the Site Settings and THEN to add them into Roles in the Home folder. So, I'm confused.
Thanks.
It is not required to add all users/groups to the System User role. However, if you do not add users/groups to that role, they will not be able to view shared schedules. In other words, if the users set up subscriptions, they will not be able to pick an existing shared schedule; they will only be able to create a report-specific schedule.
Here is a link to the Microsoft Docs article on that role (link is for SQL Server 2017):
https://learn.microsoft.com/en-us/sql/reporting-services/security/role-definitions-predefined-roles?view=sql-server-2017#bkmk_systemuser
I'd appreciate if anyone could provide a clear description on SSRS user access configuration.
I've installed latest SSRS and its database on a single server, set the web portal and everything works fine, except I cannot grant access to a specific user group for a specific folder. Till now all the users have access to everything.
I've been struggling with this for several weeks and still couldn't find any tutorial.
Based on documentation Reporting Services provides an authentication subsystem and role-based authorization model. Authentication and authorization models vary depending on whether the report server runs in native mode or SharePoint mode. Here is detailed explanation called Secure Reports and Resources related to native mode and this one talks about Set Permissions for Report Server Operations in a SharePoint Web Application. Also this youtube tutorial and this one was helpful to get me started.
You have probably added the user group to a role using the Site Settings / Security page, or added them to the Home folder / Manage / Security page. A typical user group should not appear in either list.
Instead, navigate to the "specific folder" / Manage / Security page, click Customize security (if required) and then assign the user group to a role (typically Browser).
Here's the full doco on those tasks:
https://learn.microsoft.com/en-us/sql/reporting-services/security/grant-user-access-to-a-report-server?view=sql-server-2017
We are planning to create two sharepoint web applications using SharePoint 2010 Enterprise Edition.
All Users that have access to web app 1, should also be able to access web app 2.
This authentication shall be powered by server 2003 active directory.
--> do I need to use claims based authentication?
If so --> can I use Windows Based Authentication with NTLM for that?
The only thing I really want is that users navigating from web app 1 to web app 2 (and vice versa) do not have to authenticate twice.
I do NOT want to configure Kerberos if it is not absolutely necessare though...
Can you give me any hints?
Thanks!
EDIT:
ok - I'll try to be more precise:
In our SharePoint 2010 environment, we've got two web applications running
http(s)://humanresources.domain.com
http(s)://sales.domain.com
Both are running on the same IIS and have host headers configured (with wildcard domain certificate for HTTPS).
Both apps provide a link to the other web application (sales -> humanresources and humanresources -> sales)
Now whenever someone logged in to sales navigates to humaresources, I do not want that that person needs to login again. Therefore I thought I would need claims based authentication???...
Please enlight my brain! :D
EDIT 2:
Thank you for your answers!
#Panagiotis Kanavos - yes we have Users accessing the site from outside our environment: 1) Users which have an AD accound and are working on their laptops outside of our building (e.g.: they have been all day at a customer and are working at home for the remaining hours) 2) We plan to have users without an AD Accound --> Forms Based Authentication: (e.g.: customers accessing our TFS 2010 project protals to get an overview of the project). As far as I know, if you want FBA and WIN-Auth you need to configure Claims Based Authentication...
However configuring a Web Application with Claims Based Authentication did not work. I chose "Enable Windows Authentication" together with "Integrated Windows authentication -> NTLM" as we do not have Kerberos configured (and I'd love to leave it like that ;-)).
However the Users could not login to that application sometimes, and five minutes afterwards it worked. Additionally, when I added permissions to an AD user, SharePoint seemed to save the Token instead of the Group-/Account Id:
e.g.: Instead of MyDomain\user1 it saved something like "0|=MyDomain\user1" and for groups it even only saved weird character strings "022-12.3"
Could it be the case, that my 2003 windows AD does not support that?
IF you are using Active Directory and running both sites within your domain you should not be challenged when users go to either site. It just becomes an implementation issue about who has access to what, either via AD Groups or SharePoint groups.
Claims based authentication is a bit of a different animal. You need to have a security token which contains a number of "claims" about the user, for example UserA is a member of HR and UserB is a member of Sales. Based on these claims you can then have your site/application respond correspondingly. Claims based auth is relatively new for SharePoint and Microsoft and is a bit of steeper learning curve. It may make more sense if you have a mixed mode environment, with both AD and Forms Based Users getting access. However with your described heterogeneous environment it doesn't seem like it's needed.
More info on SharePoint 2010 Authentication is available here.
John
The easiest solution is to create an AD group with the users of both sites and add the group as a user to the Members Sharepoint group of each site. This way users will not have to login at all since Sharepoint will detect the identity of the logged-in user automatically.
Why are you asking about login, claims, and why are you using certificates? None of this is necessary in an intranet scenario where the farm and users are in the same domain or if the farm's domain trusts the user's domain. Do you have users accessing the site from outside your domain?