Archive for November, 2010

Writing your own Trusted Identity provider for SP2010 (3)

November 16, 2010

This is part three of a multi-part blog post on “writing your own Trusted Identity Provider / Claim Provider for SP2010“. In the first post I covered:

In the second post I covered:

In this post I will:

  • Create a Trust between your Trusted Identity Provider (STS) and SharePoint 2010
  • Create or configure your SP2010 WebApplication to use the Trusted Identity Provider

To create a Trust between your new STS and SharePoint you need to run a few PowerShell steps.
First we have some variables to set:

$invocation = (Get-Variable MyInvocation -Scope 0).Value
$rootPath = Split-Path $invocation.MyCommand.Path

$spClaimTypesCsv = Join-Path $rootPath "claim-types.csv"

# identity provider certificate
$idpSigningCertificatePath = Join-Path $rootPath "idp-certificate.crt"
# identity provider ca certificate
$idpSigningCertificateAuthority = Join-Path $rootPath "idp-certificate-ca.crt"

# identity provider url and name
$idpPassivEndpoint = ""
$idpName = "Verbondsleden"
$idpDisplayName = "Verbondsleden"

# sharepoint webapplication we are going to use to log in to with this identity provider
$spRealm = ""
# name of the SPClaimProvider in SharePoint we registered earlier
$claimProvider = "VerbondsledenClaimsProvider"
# login/username Claim Type
$userIdentityClaimType = ""

Next we start with the creation of a trust:

"Loading signing certificate for {0} from {1}" -f $idpName, $idpSigningCertificatePath
$idpSigningCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($idpSigningCertificatePath)
echo $idpSigningCertificate

"Trusting the IdP certificate directly {0}" -f $idpSigningCertificatePath
$rootCert = Get-PfxCertificate $idpSigningCertificatePath
# remove a previous registration with the same name, if any, so the new certificate replaces it
Remove-SPTrustedRootAuthority $idpName -ErrorAction SilentlyContinue -Confirm:$false

# Register the new identity provider certificate as a trusted root authority
New-SPTrustedRootAuthority $idpName -Certificate $rootCert

This adds a Trust, and you can view it in Central Administration:

Now we create an SPTrustedIdentityTokenIssuer:

# remove if it already exists
$sts = Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq $idpName }
if(-not ($sts -eq $null)) {
	"SPTrustedIdentityTokenIssuer {0} already exists, attempting to remove" -f $idpName
    Remove-SPTrustedIdentityTokenIssuer -Identity $idpName -Confirm:$false
}

# the ClaimTypes the Identity Provider provides, this is not needed because we have a SPClaimProvider
# (read from claim-types.csv, which has the columns ClaimType, Name and Description)
[array] $claimTypeMappings = @()
$spClaimType = Import-Csv $spClaimTypesCsv
foreach ($claimType in $spClaimType) {
	"Adding claim type {0} ({1})" -f $claimType.ClaimType, $claimType.Description
	$claimTypeMapping = New-SPClaimTypeMapping $claimType.ClaimType -IncomingClaimTypeDisplayName $claimType.Name -SameAsIncoming
    if(-not (($claimTypeMapping -eq $null) -or ($claimTypeMapping.InputClaimType -eq $null))) {
        $claimTypeMappings += $claimTypeMapping
    }
}

"Creating SPTrustedIdentityTokenIssuer {0}" -f $idpName
$sts = New-SPTrustedIdentityTokenIssuer -Name $idpName -Description $idpDisplayName -Realm $spRealm -ImportTrustCertificate $idpSigningCertificate -ClaimsMappings $claimTypeMappings -SignInUrl $idpPassivEndpoint -IdentifierClaim $userIdentityClaimType
echo $sts

if($claimProvider -eq "") {
	"Default claim provider selected for {0}" -f $idpName
} else {
	"Setting claim provider for {0} to {1}" -f $idpName, $claimProvider
	Set-SPTrustedIdentityTokenIssuer -Identity $idpName -ClaimProvider $claimProvider
}

And now we can trust our own STS in our Claims Based WebApplication:

Of course there is also a wizard for this: SPFedUtil.
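Before binding the web application to the new provider it is worth checking that what the script above registered is consistent. The following is an added example, not code from the original post: it verifies that the token issuer and the trusted root authority carry the same certificate, that the certificate is currently valid, and that sign-in goes over https, and only then binds the provider to the web application. The function names, the $webAppUrl placeholder and the choice to keep Windows authentication next to the trusted provider are my assumptions; $idpName and $claimProvider are the variables from the post.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2010
# Management Shell and the $idpName / $claimProvider variables set earlier.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-TrustedIdp {
    param([string]$Name, [string]$ExpectedClaimProvider)
    $issuer = Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq $Name }
    if ($issuer -eq $null) { throw "No SPTrustedIdentityTokenIssuer named '$Name'" }
    $root = Get-SPTrustedRootAuthority | Where-Object { $_.Name -eq $Name }
    if ($root -eq $null) { throw "No SPTrustedRootAuthority named '$Name'" }

    # The certificate used to validate tokens must be the one registered as root authority,
    # otherwise every token from the STS fails signature validation.
    $cert = $issuer.SigningCertificate
    if ($cert.Thumbprint -ne $root.Certificate.Thumbprint) {
        throw "Signing certificate thumbprint differs from the trusted root authority"
    }
    # An expired or not-yet-valid certificate is rejected at login time, not at registration.
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        throw ("Signing certificate not valid at {0} (valid {1} to {2})" -f $now, $cert.NotBefore, $cert.NotAfter)
    }
    # The passive sign-in endpoint should be https; the SAML token travels through the browser.
    if ($issuer.ProviderUri.Scheme -ne "https") {
        Write-Warning ("Sign-in URL {0} does not use https" -f $issuer.ProviderUri)
    }
    # Confirm our own SPClaimProvider is wired up, otherwise the people picker uses the default.
    if ($ExpectedClaimProvider -ne "" -and $issuer.ClaimProviderName -ne $ExpectedClaimProvider) {
        Write-Warning ("Claim provider is '{0}', expected '{1}'" -f $issuer.ClaimProviderName, $ExpectedClaimProvider)
    }
    return $issuer
}

function Set-WebAppTrustedIdp {
    param([string]$WebAppUrl, [string]$Name, [string]$ExpectedClaimProvider)
    $issuer = Test-TrustedIdp -Name $Name -ExpectedClaimProvider $ExpectedClaimProvider
    $webApp = Get-SPWebApplication -Identity $WebAppUrl
    # Set-SPWebApplication replaces the provider list of the zone, so pass Windows
    # authentication as well; otherwise farm administrators lose their way in.
    $windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
    $trusted = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
    Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $windows, $trusted
}

$webAppUrl = "https://sp2010.example.local"   # placeholder: your claims-based web application
Set-WebAppTrustedIdp -WebAppUrl $webAppUrl -Name $idpName -ExpectedClaimProvider $claimProvider
```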

So there you have it: when you browse your Claims Based WebApplication you will now get this screen:

Choose your STS, log in with proper credentials, and you will be redirected to your SharePoint WebApplication:

Small bonus tip: add an identity claim to a Site collection group

# $url is the site collection url; fill in the identity value of the user you want to add
$usr = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer "Verbondsleden" -Identity ""
New-SPUser $usr.ToEncodedString() -Web $url
Set-SPUser -Identity $usr.ToEncodedString() -Web $url -Group "Groupname"

# done

Small bonus tip 2: add an AD group to a Site collection group with Claims based authentication:

# resolve the AD group to its SID, because the claim for a Windows group is SID based
$grp1 = (New-Object System.Security.Principal.NTAccount("TEST", "domain users")).Translate([System.Security.Principal.SecurityIdentifier]).Value
$memberclaims = New-SPClaimsPrincipal -Identity $grp1 -IdentityType WindowsSecurityGroupSid
New-SPUser $memberclaims.ToEncodedString() -Web $url
Set-SPUser -Identity $memberclaims.ToEncodedString() -Web $url -Group "Groupname"

# done

Enterprise Search query giving FaultException when using an ORDER BY

November 12, 2010

I ran into this on a project when using the “FullTextSqlQuery” object to query the Enterprise Search Service of SharePoint 2010.
I had a query that included an ORDER BY clause on a Managed Property of my own instead of the usual RANK.

string query = "SELECT Title, ItemContentType, Projectnaam, Projectnummer, Projectomschrijving, Projectstatus, Projectlocatie, DeelprojectVan, Thema,Opdrachtgever,Projectlogo, Path, Rank, Write FROM SCOPE() ";
query += "WHERE  ( (\"SCOPE\" = '";
query+= allSites;
query+= "') and ";
query += "((ItemContentType='Project Homepage') OR (ItemContentType='Bouw Homepage')) ";
query += ") ";
query += "ORDER BY Projectnaam";

I kept getting an exception: “System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]”

The problem was that my Managed Property could not be used as an ORDER BY property.

The solution is easy, either in PowerShell or in Central Admin:
go to your Search Service Application, click through to the Managed Property you want to ORDER BY and check this box:

The text actually says you need to disable the checkbox for ORDER BY to work, but it kind of works the other way around.
In PowerShell:

$searchapp = Get-SPEnterpriseSearchServiceApplication "$searchAppName"
$prop = Get-SPEnterpriseSearchMetadataManagedProperty -SearchApplication $searchapp $fieldName
$prop.MaxCharactersInPropertyStoreIndex = 0x40
# persist the change to the managed property
$prop.Update()