Follow me on Twitter @AntonioMaio2

Tuesday, September 4, 2012

Configuring Site Collection Admin in a SharePoint 2010 Claims Enabled Web App

The other day I was working with one of my claims enabled SharePoint 2010 web applications and I was logged in as what I thought was a site collection admin. But I noticed that some of the features that I should have access to on the site settings page for the root site were not available - features like configuring SharePoint auditing and audit trimming.

I double checked I was logged in as an administrative user account. -CHECK. 

I double checked that I was accessing the correct web application URL -CHECK.

I double checked that I was accessing the root web site settings page, and that I was in fact missing links that a site collection administrator should be able to access.  -CHECK

I logged into SharePoint Central Admin and double checked that my administrative user account was configured as the site collection admin.  My user account was set as the Primary Site Collection administrator. -CHECK.

So, what was the issue?  In an attempt to resolve the issue, I reviewed the SharePoint authentication configuration for my web app. 

For my claims enabled web application I was logging in through ADFS 2.0 (Active Directory Federation Services) as a trusted identity provider and retrieving a SAML token. When configuring a SAML trusted identity provider you need to choose an "identifier claim" - that is, 1 claim which uniquely identifies every user in the domain. I often choose the email address claim because an email address must be globally unique. You must configure ADFS2 to return the email address attribute when a user logs in. As well, you must configure your SharePoint 2010 trusted identity provider with your chosen identifier claim when registering the provider through PowerShell - this PowerShell configuration often looks like this:

$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
# Define other variables... cert, realm, signinurl...
# Adds the STS to SharePoint
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20 Provider" -Description "SharePoint secured by ADFS20" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map -SignInUrl $signinurl -IdentifierClaim $map.InputClaimType

In the past, I have run into issues logging into SharePoint when configured as such if the email address attribute is not populated in AD (Active Directory).

So, I double checked that my administrator user account had a valid email address and it did.  -CHECK

I checked the Central Admin site collection administrator configuration again, and found that I had configured my Primary Site Collection admin with the AD username 'SPDEMO\administrator' which normally would work fine in a non-claims enabled web app.  So, I decided to try changing it to the identifier claim:  administrator@spdemo.titus.local.

I logged in again and found the same thing was happening.  I would navigate to the site settings page for the root site and would only see links that a site owner would see, and not links that a site collection admin should see.

So, I returned to the Central Admin site collection administrator configuration page, reset my Primary Site Collection administrator to 'administrator' and set my Secondary Site Collection Administrator to the identifier claim: administrator@spdemo.titus.local. As in the following:



Voila!  When I logged back into my claims enabled web application as the same user, I was now in fact a site collection administrator.  I could now navigate to the Site Settings page in my root site and I could see the links that should be available to a site collection admin:



So, it turns out that in a claims enabled web application a site collection administrator needs to have both their AD domain\username and their identifier claim set as the site collection administrator identity.

 -Antonio
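
The same configuration can be applied and checked from the SharePoint 2010 Management Shell instead of Central Admin. This is an added example, not code from the original post: the site URL is a placeholder, the provider name and accounts are the ones quoted above, and it assumes both accounts can be resolved by the web application.

```powershell
# Added example: set both identities as site collection administrators, then verify.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "https://<your-claims-web-app>/"      # placeholder: root site collection URL
$issuerName = "ADFS20 Provider"                     # trusted provider name registered in the post
$windowsId  = "SPDEMO\administrator"                # AD domain\username from the post
$samlId     = "administrator@spdemo.titus.local"    # identifier claim (email address) from the post

$issuer = Get-SPTrustedIdentityTokenIssuer $issuerName

# Build each identity as a claims principal and take its encoded login name,
# which is the form SharePoint stores for users of a claims enabled web app.
$winLogin  = (New-SPClaimsPrincipal -Identity $windowsId -IdentityType WindowsSamAccountName).ToEncodedString()
$samlLogin = (New-SPClaimsPrincipal -Identity $samlId -TrustedIdentityTokenIssuer $issuer).ToEncodedString()

# Primary admin = Windows identity, secondary admin = SAML identifier claim.
Set-SPSite -Identity $siteUrl -OwnerAlias $winLogin -SecondaryOwnerAlias $samlLogin

# Verify: list the site collection administrators and warn if either identity is missing.
$site = Get-SPSite $siteUrl
try {
    $admins = @($site.RootWeb.SiteAdministrators | ForEach-Object { $_.LoginName })
    $admins | ForEach-Object { "Site collection admin: $_" }

    foreach ($expected in @($winLogin, $samlLogin)) {
        if ($admins -notcontains $expected) {
            Write-Warning "Missing site collection admin entry: $expected"
        }
    }
}
finally {
    $site.Dispose()   # SPSite objects must be disposed explicitly
}
```

The verification half can be run on its own as a periodic audit, since it also shows every other account that holds site collection admin rights.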


51 comments:

  1. Only if they (the site collection admin) log into both zones, which isn't typical in a non-SharePoint Administrator role. Actually, even a SharePoint administrator has limited needs to log in to the zone used by application users. Other than testing purposes, and I would say use an account (test account or other) that doesn't have the privileges a typical admin account would on the server or SharePoint farm. Using administrative accounts can mask errors that less privileged users would see. Plus, using IDP logins when you are only doing admin work just introduces other variables that aren't necessary. When possible, only log in to the Windows auth zone.
