Thursday, April 11, 2013

How do I know which Claims were retrieved?

Many people know that I do a lot of work with Claims in SharePoint. Claims based authentication was introduced in SharePoint 2010 for the purpose of both authentication and authorization. SharePoint 2013 has only strengthened its use of claims by making Claims Based Authentication the default authentication mechanism and relegating Classic Mode Authentication to being configurable only through PowerShell.

For a while, I've been a big proponent of using claims based authentication/authorization in general, and I tend to specialize in using claims for various security related purposes within SharePoint. When working on enforcing security policies in SharePoint, you often get into a situation where you need to figure out why a particular policy is not doing what you expected it to do. Sometimes it's simply because the correct claim types or claim values were not retrieved. As well, sometimes you need to figure out why your claims based authentication is not working the way you expected. Again, this can simply be because the claim values returned were not configured correctly for the user that is logging in.

The question is - when you're logged into SharePoint, how do you know which claims were retrieved? 

To answer this, there is a free tool available from Microsoft that has been indispensable in helping with this kind of analysis. The tool was created by Steve Peschka of Microsoft, so big shout out to him for writing it and making it freely available. It's called the "SharePoint Claims Web Part". A few people have been asking me about it recently. It's a pretty simple process, but I thought a blog post that goes into detail about where you get it and how you configure it would be useful.


First of all, the web part must be downloaded from here.

Install to the GAC

Next step is to install the included DLL to the GAC:

1. Copy “SharePointClaims.dll” to each SharePoint web front end server in the farm (e.g. c:\SharePointClaims\).

2. Open a command window (make sure you do this as an administrator) and navigate to the location where the file has been copied.

3. Run the command: gacutil -if SharePointClaims.dll

Configure the Web Part

Next we must configure the web part to appear where we want it to appear. I typically display it on the home page of the site collection I'm logging into so that it's the first thing I see. Here are the steps to do that:

1. On each SharePoint web front end server, navigate to the physical directory where the web application is located (e.g. “C:\inetpub\wwwroot\wss\VirtualDirectories\443”) and open the web.config file.

2. Add the following SafeControl entry to the web application's web.config file on all web front ends you are using:
<SafeControl Assembly="SharePointClaims, Version=, Culture=neutral, PublicKeyToken=d01fae4d46160aca" Namespace="SharePointClaims" TypeName="ClaimWP" Safe="True" AllowRemoteDesigner="True" SafeAgainstScript="False" />

3. Issue an IISRESET using the command window.

4. Log in to the SharePoint site using a Site Collection Administrator account and go to Site Settings.


5. Select Web Parts under Galleries.

6. In “Library Tools” select “Upload a Document”.

7. Browse for the location of the file “SharePointClaims.webpart”.

8. Accept the default settings.

9. Navigate to the SharePoint page in which you want to view the claims retrieved. Again, I usually add the web part to the Home site collection page, so it's the first thing I see after logging in. However, if you are deploying this to a production farm, you may want to add it to a site page that end users typically do not see.

10. Click Site Settings, then Edit Page, then the Insert Tab, and then the Web Part button in the ribbon. Now click Add a Web Part.

11. Select “Miscellaneous” on the left panel, select “SharePoint Claims Web Part” in the middle panel and click “Add”.

12. The web part will appear. On the Page tab, click “Stop Editing” to return to the normal view.

The web part will now appear as follows, and you can see all of the claims that were returned from any claims provider (trusted identity provider or custom claim provider) that SharePoint is configured with.
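For readers who want to see what a web part like this does internally, here is an added example (my own illustration, not Steve Peschka's SharePointClaims code; the namespace and class name are assumed) of a minimal SharePoint 2013 web part that enumerates the claims on the current request's ClaimsIdentity and renders them. It uses the .NET 4.5 System.Security.Claims model that SharePoint 2013 runs on; SharePoint 2010 exposes the same information through Microsoft.IdentityModel.Claims.IClaimsIdentity instead.

```csharp
using System.Security.Claims;   // claims model used by SharePoint 2013 (.NET 4.5)
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;

namespace ClaimsInspector   // assumed namespace, not the SharePointClaims assembly
{
    // Minimal web part that lists every claim SharePoint attached to the
    // current request. Register it with a SafeControl entry like the one
    // shown above, pointing at this assembly, namespace and type name.
    public class ClaimsListWebPart : WebPart
    {
        protected override void CreateChildControls()
        {
            base.CreateChildControls();

            // Under claims-based authentication the request user is a ClaimsIdentity
            // carrying the claims returned by the trusted identity provider plus any
            // claims added by custom claim providers. In classic mode it is not.
            var identity = HttpContext.Current.User.Identity as ClaimsIdentity;
            if (identity == null)
            {
                Controls.Add(new LiteralControl(
                    "<p>No claims identity on this request; is the web application in classic mode?</p>"));
                return;
            }

            var html = new StringBuilder();
            html.Append("<table><tr><th>Claim type</th><th>Value</th>")
                .Append("<th>Value type</th><th>Issuer</th><th>Original issuer</th></tr>");

            foreach (Claim claim in identity.Claims)
            {
                // Claim values originate outside SharePoint (IdP tokens, claim
                // providers), so treat them as untrusted input and HTML-encode
                // every cell; output encoding is the web part's own responsibility.
                html.Append("<tr>");
                foreach (string cell in new[] { claim.Type, claim.Value, claim.ValueType, claim.Issuer, claim.OriginalIssuer })
                {
                    html.Append("<td>").Append(HttpUtility.HtmlEncode(cell ?? "")).Append("</td>");
                }
                html.Append("</tr>");
            }
            html.Append("</table>");

            Controls.Add(new LiteralControl(html.ToString()));
        }
    }
}
```

Comparing the Issuer and Original issuer columns is a quick way to tell which claims came straight from the identity provider and which were added by a custom claim provider during augmentation.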
Hopefully this is helpful.