SharePoint 2013 Role claims augmentation

Say you have ADFS configured (or any trusted provider for that matter) in your web application and you use ADFS roles to grant permissions to the sites in it. When users log in everything works correctly but then an admin wants to check the permissions of a certain user. And then… why does SharePoint say…


SharePoint 2013 Automatically update the ADFS token signing certificate – Revisited

In my last post I wrote about a PowerShell script that can be used to automatically update the token signing certificate in the ADFS trusted providers. This project aims to solve this problem by creating a custom timer job that will download the ADFS federation metadata and check if the primary token signing certificate has changed….


SharePoint 2013 Automatically update the ADFS token signing certificate – Updated

The problem: One of the caveats when using ADFS as authentication provider in SharePoint is that out-of-the-box there is no way to automatically update the ADFS token signing certificate when it is changed on the ADFS server. Many times, the ADFS admins leave the ADFS certificate auto rollover enabled. This means that ADFS will automatically…
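The check that both of the posts above describe (download the federation metadata, compare the primary token signing certificate with the one SharePoint trusts, and import it if it changed), written out as an added example. This is not the original timer job from the posts; the issuer name "ADFS", the metadata URL and the trusted root authority name are assumptions, and it assumes AD FS lists the primary token signing certificate first in the metadata.

```powershell
# Added example (not the post's timer job code). Assumed names: the trusted identity
# token issuer is "ADFS"; the metadata URL is the standard AD FS location on a
# hypothetical host. Run in the SharePoint Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName  = "ADFS"
$metadataUrl = "https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"

# Download and parse the federation metadata document.
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# All token-signing certificates are advertised as KeyDescriptor use="signing"
# elements (they repeat across the STS and SAML role descriptors, so dedupe).
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$nodes = $metadata.SelectNodes(
    "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)

$certs = @()
$seen  = @{}
foreach ($node in $nodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    if (-not $seen.ContainsKey($cert.Thumbprint)) {
        $seen[$cert.Thumbprint] = $true
        $certs += $cert
    }
}
if ($certs.Count -eq 0) { throw "No token-signing certificate found in $metadataUrl" }

# Assumption: during auto rollover AD FS lists the primary certificate first and
# the new secondary one after it.
$primary = $certs[0]

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
if ($issuer.SigningCertificate.Thumbprint -eq $primary.Thumbprint) {
    Write-Host "Token-signing certificate unchanged: $($primary.Thumbprint)"
    return
}

Write-Host "Primary token-signing certificate changed:" `
    "$($issuer.SigningCertificate.Thumbprint) -> $($primary.Thumbprint)"

# SharePoint validates the chain against its own trusted root authority store,
# so register the new certificate there before switching the issuer to it.
$rootName = "$issuerName token signing $($primary.Thumbprint)"   # assumed naming
if (-not (Get-SPTrustedRootAuthority -Identity $rootName -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name $rootName -Certificate $primary | Out-Null
}

# Replace the certificate SharePoint uses to validate the AD FS token signature.
Set-SPTrustedIdentityTokenIssuer -Identity $issuer -ImportTrustCertificate $primary
Write-Host "Issuer $issuerName now trusts $($primary.Thumbprint)"
```

Until the issuer is updated, every token signed with the new certificate fails signature validation, so this script is only useful when it runs on a schedule shorter than the AD FS rollover window; the old SPTrustedRootAuthority entry for the previous certificate can be removed once no token signed with it is still valid.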


SharePoint 2013 Grant permissions via custom ADFS claims

In the times of classic authentication, you could only grant permissions to users by grouping them into Active Directory groups or by granting permissions directly to users. With claims authentication we can now virtually use any claim that the users have to grant permissions. The high-level view of this process would be: Identify which…
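What granting permissions on a custom claim looks like in PowerShell, as an added example that is not code from the post. The issuer name "ADFS", the claim type http://schemas.contoso.com/claims/department, the value "Finance" and the site URL are assumptions; AD FS must already issue that claim in the token (an issuance transform rule on the relying party trust), otherwise the mapping matches nothing.

```powershell
# Added example (not the post's code). Assumed names: issuer "ADFS", a custom
# "department" claim type, claim value "Finance", site http://intranet.contoso.com.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "ADFS"
$claimType  = "http://schemas.contoso.com/claims/department"
$claimValue = "Finance"
$webUrl     = "http://intranet.contoso.com"

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName

# 1. SharePoint only keeps claims that are mapped on the issuer, so map the custom
#    claim type (kept as-is, not renamed) if it is not mapped yet.
$mapped = $issuer.ClaimTypeInformation | Where-Object { $_.InputClaimType -eq $claimType }
if (-not $mapped) {
    $mapping = New-SPClaimTypeMapping -IncomingClaimType $claimType `
        -IncomingClaimTypeDisplayName "Department" -SameAsIncoming
    Add-SPClaimTypeMapping -Identity $mapping -TrustedIdentityTokenIssuer $issuer
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName   # reload after the change
}

# 2. Build the claims principal "department = Finance" for this provider. Its encoded
#    form (c:0...|ADFS|Finance) is the string SharePoint stores in the ACL.
$principal = New-SPClaimsPrincipal -ClaimValue $claimValue -ClaimType $claimType `
    -TrustedIdentityTokenIssuer $issuer
$encoded = $principal.ToEncodedString()

# 3. Grant the "Read" permission level on the site to whoever presents that claim.
$web = Get-SPWeb $webUrl
try {
    $user = $web.EnsureUser($encoded)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
    $web.RoleAssignments.Add($assignment)
    Write-Host "Granted Read on $webUrl to $claimType=$claimValue ($encoded)"
}
finally {
    $web.Dispose()
}
```

The grant is evaluated at request time against the claims in the user's SharePoint token, so a user who loses the claim in AD FS loses the permission at the next login without any change on the SharePoint side.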


SharePoint 2010 and 2013 FedAuth cookie encryption

The issue: If you are using SharePoint with AD FS, you may know how these two products interact. The following summarizes the login process: when the user is not logged in, SharePoint will redirect the user to the AD FS login page. The user enters his credentials. AD FS validates the credentials and creates…


SharePoint 2013 authentication lifetime settings

When SharePoint 2013 authenticates a user, the Security Token Service creates a security token with the user's identity and several other claims. This token is then added to the Distributed Logon Token Cache so that it can be checked later to confirm that the user is authenticated. When built, the token gets a lifetime…
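The settings involved, as an added example that is not code from the post: it reads the SharePoint STS lifetimes and checks them against the AD FS relying party token lifetime, since SharePoint considers a logon token expired LogonTokenCacheExpirationWindow before its real expiry and sends the user back to AD FS when the two are not consistent. The relying party trust name "SharePoint" and the AD FS host name are assumptions.

```powershell
# Added example (not the post's code). Assumed: relying party trust "SharePoint",
# AD FS server adfs.contoso.com reachable via PowerShell remoting.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Returns $true when the AD FS token lifetime leaves room for the SharePoint
# expiration window; 0 in AD FS means the default of 60 minutes.
function Test-SPLogonTokenLifetime {
    param(
        [TimeSpan]$CacheExpirationWindow,
        [int]$AdfsTokenLifetimeMinutes
    )
    $minutes = if ($AdfsTokenLifetimeMinutes -eq 0) { 60 } else { $AdfsTokenLifetimeMinutes }
    return ([TimeSpan]::FromMinutes($minutes) -gt $CacheExpirationWindow)
}

$sts = Get-SPSecurityTokenServiceConfig
"FormsTokenLifetime              : $($sts.FormsTokenLifetime)"
"WindowsTokenLifetime            : $($sts.WindowsTokenLifetime)"
"LogonTokenCacheExpirationWindow : $($sts.LogonTokenCacheExpirationWindow)"

# Read the lifetime AD FS stamps into SAML tokens issued to SharePoint (in minutes).
$rp = Invoke-Command -ComputerName "adfs.contoso.com" -ScriptBlock {
    Get-AdfsRelyingPartyTrust -Name "SharePoint"
}
"AD FS TokenLifetime (minutes)   : $($rp.TokenLifetime)"

if (-not (Test-SPLogonTokenLifetime -CacheExpirationWindow $sts.LogonTokenCacheExpirationWindow `
        -AdfsTokenLifetimeMinutes $rp.TokenLifetime)) {
    Write-Warning "LogonTokenCacheExpirationWindow is not shorter than the AD FS token lifetime: users will be redirected to AD FS in a loop."
    # Fix on the SharePoint side (applies to all web applications of the farm):
    #   $sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes 1
    #   $sts.Update()
    # or on the AD FS side:
    #   Set-AdfsRelyingPartyTrust -TargetName "SharePoint" -TokenLifetime 20
}
```

The STS settings are farm-wide, so shortening LogonTokenCacheExpirationWindow changes the re-authentication behaviour of every web application, not only the one federated with AD FS.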


SharePoint 2013 Apps and AAM

After the installation of the March 2013 PU, new options to assign Alternate Access Mappings for Apps were made available. The update allowed SharePoint admins to add alternate URLs for SharePoint-hosted Apps. This new feature can only be managed via PowerShell: New-SPWebApplicationAppDomain, Get-SPWebApplicationAppDomain and Remove-SPWebApplicationAppDomain. How does it work? Let's suppose you already have a…