Friday, March 26, 2010

Ping + Kerberos + SharePoint

Ping Basics: IdP, SP, adapters
http://www.pingidentity.com/tech-answers/integration/

Ping + Citrix Docs:
http://www.pingidentity.com/support-and-downloads/product-documentation/citrix-integration-kit/2-0/loader.cfm?csModule=security/getfile&pageid=5900

Ping + SharePoint
http://www.pingidentity.com/support-and-downloads/product-documentation/iis-integration-kit/2-2/loader.cfm?csModule=security/getfile&pageid=5917

Use Impersonation and Delegation
http://msdn.microsoft.com/en-us/library/ms998351.aspx

Delegation of authentication

In Windows, a server can be marked as “trusted for delegation.” This means a server can authenticate to services as if it were a user. The services cannot tell that the request is being made by a server rather than directly by a user.

There are two types of delegation:

Unconstrained delegation: If you select the Trust this computer for delegation to any service (Kerberos Only) check box, the server can access any other service as the user as long as the user authenticated to it using Kerberos.
Note: This setting does not work with ADFS deployments.

Constrained delegation: If you select the Trust this computer to specified services only check box, the server can access only certain services as the user.
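To review which accounts carry either setting, the two delegation types can be read back from directory attributes. The following is an added example, not code from the original post or from the linked vendor documentation: it classifies accounts from an exported `userAccountControl` value and `msDS-AllowedToDelegateTo` list, and goes slightly beyond the text by also reporting the "use any authentication protocol" variant of constrained delegation. The input layout, host names, SPNs and severity labels are assumptions constructed for the example.

```python
# Added example. Flag values are the documented userAccountControl bits.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained: any service, Kerberos only
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + "use any authentication protocol"
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account


def classify(uac, allowed_spns):
    """Map one account's attributes to (delegation kind, target services)."""
    if uac & TRUSTED_FOR_DELEGATION:
        return ("unconstrained", ["*"])          # may act as the user to any service
    if allowed_spns:
        kind = "constrained"
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            kind += "+protocol-transition"
        return (kind, sorted(allowed_spns))      # limited to the listed SPNs
    return ("none", [])


def audit(accounts):
    """Return findings sorted so unconstrained non-DC accounts come first."""
    rank = {"high": 0, "review": 1, "info": 2}   # labels are this example's own
    findings = []
    for a in accounts:
        uac = a["userAccountControl"]
        kind, targets = classify(uac, a.get("msDS-AllowedToDelegateTo", []))
        if kind == "none":
            continue
        if uac & SERVER_TRUST_ACCOUNT:
            severity = "info"                    # DCs carry this flag by default
        else:
            severity = "high" if kind == "unconstrained" else "review"
        findings.append({"name": a["sAMAccountName"], "kind": kind,
                         "targets": targets, "severity": severity})
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["name"]))


# Constructed sample export (hypothetical host names and SPNs).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "SPWFE01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.example.test:1433"]},
    {"sAMAccountName": "APP01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "GW01$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["HTTP/spwfe01.example.test"]},
    {"sAMAccountName": "WKS042$", "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['severity']:<7}{f['name']:<10}{f['kind']:<32}{', '.join(f['targets'])}")
```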

http://support.citrix.com/article/ctx110784
Setting up Citrix with Ping requires Kerberos and is similar to the setup for SharePoint front-end servers and SQL Server.

Kerberos Issues:
http://support.microsoft.com/kb/907272