000017374 - Configuring SharePoint 2010 for SecurID protection with SSO

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000017374
Applies ToMicrosoft Sharepoint 2010
Single Sign-On (SSO)

Microsoft Windows 2008 R2 Server
IssueConfiguring SharePoint 2010 for SecurID protection with SSO
If the RSA agent documentation is followed, SSO functions but SharePoint content is forbidden.
CauseOur documentation instructs the admin to change the SharePoint Application Pool to run as LocalSystem.  This will break any content that needs to be accessed as a network based user.
ResolutionA code fix was written and included in the RSA Authentication Agent for IIS version 7.1.3.
In addition to this code fix the SharePoint site must be changed from Classic Windows authentication to "Claims Based" authentication.  This newer authentication type is actually the default for SharePoint Server 2013.
There are articles online on how to run a command to change your site from Classic to Claims however it has a note that it is irreversible and warns that some sites may not be compatible.  For this reason a procedure was documented by RSA to clone your site to claims and make the clone be your default.  This procedure below is also included in the 7.1.3 release notes as an Addenda.  The below instructions are step by step, they may appear to be lengthy, however they are relatively fast to accomplish.
Configuring a New SharePoint Server 2010 Site to Use Claims Based Authentication:
In order for SharePoint Server 2010 to work with the single sign-on feature of RSA Authentication Agent for Web,
SharePoint must be configured to use claims-based authentication. SharePoint Server 2013 uses claims based
authentication by default, but SharePoint Server 2010 does not. Changing an existing SharePoint site to use claims
based authentication, however, is irreversable. Therefore, RSA recommends creating a new, alternate SharePoint site
configured to use claims based authentication, while preserving the original site and configuration as a fallback.
The following procedures provide an example of how to configure a new Sharepoint 2010 site to use claims based
Create Backup
Create a backup of your existing SharePoint site.
1. On the Central Administration home page, click Backup and Restore.
2. Under ?Granular Backup,? click Perform a site collection backup.
3. On the right hand side, make sure the Site collection is for the application that currently has your data.
4. Populate the file name, for example:
5. Click Start Backup.
The following output appears:
Current Job
Status No operation in progress.
Previous Job
Status Succeeded
Completed 3/14/2014 9:12 AM
Duration (hh:mm:ss) 0:00:02
Recovery Step To recover the data, use the PowerShell restore command Restore-SPSite. For more details, type
Restore-SPSite -? at the PowerShell command prompt.
Create Alternate Site:
Create a new SharePoint site that uses claims based authentication.
1. On the Central Administration home page, below "Application Management,? click Manage web applications.
2. In the uppper left toolbar click New.
3. Change the default Authentication from Classic Mode Authentication to Claims Based Authentication.
RSA Authentication Agent 7.1.3 for Web for IIS 7.0, 7.5, and 8.0 Web Server
April 2014 9
4. Select Create a new IIS web site. Complete settings as follows:
? Name: For examplle, use Sharepoint - New.
? Port: Specify an unused port such as 8080 (this will be changed later to 80/443 after site is tested).
? Host Header: Leave this blank.
? Path: Specify a location that has space similar to the original you are replicating.
? Make sure the "Application Pool" section has the user you want for running the pool?either Network
Service, or a domain user that is used on the original SharePoint site.
? Leave the defaults for all other settings.
5. Scroll to the bottom and click OK.
Populate Alternate Site:
Now that you have a new site, create a empty collection that you will overwrite with your backup.
1. On the Central Administration home page, click Application Management.
2. Under the ?Site Collections,? click Create site collections.
Important: Make sure the "Web application" on the right is the site:8080.
3. Specify any Title.
4. Select a primary and secondary collection administrator.
5. Click OK.
6. Test the site to make sure you can log in with the primary or secondary collection administrator, prior to
restoring the backup.
Restore SharePoint Data to Alternate Site:
Now restore the backup to this newly created IIS / SharePoint instance.
1. Click Start > All Programs > Microsoft SharePoint 2010 Products > SharePoint 2010 Management Shell.
2. Run the command Restore-SPSite -Identity http://<spssite> -Path <path to the .bak file> -Force. For
Restore-SPSite -Identity http://sharepoint.rsa.com:8080 -Path c:\temp\sharepoint80.bak -Force
If you do not know your SPSite, you can query it by running the following command:
Bind Original SharePoint URL to New Site:
Once you are confident that the site is working on port 8080, change the alternate access mapping for your original
1. On the Central Administration home page, under ?System Settings,? click Configure alternate access
2. Change the Default URLs to an invalid entry. For example, change http://sharepoint.rsa.com to
3. Change the Alternate Site that was created to http://sharepoint.rsa.com.
Change the port bindings in IIS Manager as follows:
a. Highlight the default site (typically Sharepoint - 80).
b. Click Bindings in the far right pane.
c. Change the ports 80 and 443 to invalid ports such as 1080 and 1443.
d. Highlight the Sharepoint - New instance on the left.
e. Click Bindings in the far right pane.
10 April 2014
RSA Authentication Agent 7.1.3 for Web for IIS 7.0, 7.5, and 8.0 Web Server
f. Change the port from 8080 to 80.
g. If using SSL, also add 443 and select the appropriate certificate.
If you encounter issues after performing this procedure, you can revert just the bindings and alternate access
mappings to revert to using the original site.

Legacy Article IDa65379