Connector for Microsoft SharePoint - Authentication

Integration module Consume data Connector for Microsoft SharePoint Microsoft SharePoint menu/ New data source or Edit an existing connection

1. Activate Windows authentication

Activate this setting for the basic or Kerberos authentication.

1.1 Integrated Windows authentication

The option Windows integrated authentication provides you with the ability to use Single Sign On. Based on Kerberos tickets, the Kerberos authentication provides the Intrexx users with Single Sign On access to the SharePoint server. To ensure successful authentication with Kerberos, please take note of the following foundational requirements:
  1. The Intrexx portal needs to operate with integrated authentication.
  2. The users from your Active Directory must be added or imported accordingly. Please make sure that at least one user is a member of the Administrators group so that you can continue to administrate the system.
  3. The server, where Intrexx is installed, requires the group rule "Delegation" in the Active Directory ("Trust this computer for delegation to any service (Kerberos only)").
  4. All clients and servers must be members of the same domain.
  5. The Intrexx portal and the SharePoint server muss belong to the local intranet zone from the perspective of the client (browser). The SPNEGO authentication must be activated in the browsers. In Internet Explorer for example, the option "Automatic log-on with current username and password" must be selected in the security settings of the used zone. Additionally, the option "Enable Integrated Windows Authentication" must be activated in the advanced settings. When using Google Chrome, the hostnames of the Intrexx SharePoint servers need to be added to a white list in the registry. You can find more information about this here: https://dev.chromium.org/administrators/policy-list-3#AuthNegotiateDelegateWhitelist With Firefox, you need to add the servers to the white list in the Firefox configuration (about:config) under the keys:
    network.negotiate-auth.trusted-uris
    and
    network.negotiate-auth.delegation-uris
  6. To provide Kerberos tickets, the Intrexx Kerberos Token Provider Service must be installed in the Internet Information Server that is used to communicate with Intrexx. Click here for more information.

1.1.1. Intrexx Token Service - Service Principal Name / SharePoint Service Principal Name / Token service URI

You need to specify a so-called Service Principal Name (SPN) for the authentication to be successful. The SPN contains information about the service for which a Kerberos ticket should be created. This ticket is needed for the Internet Information Server of the Intrexx Portal Server. The SPN is usually compiled as follows:
http/<Computer-DNS-Name>@<KERBEROS_REALM>
Computer-DNS-Name: Fully qualified hostname (e.g. mycomputer.mycompany.com)
KERBEROS_REALM: The domain is usually entered in capitals. (e.g. MYCOMPANY.COM)
The SPN from the example above would look like this:
http/mycomputer.mycompany.com@MYCOMPANY.COM

1.2 Basic authentication

If the user cannot be authenticated, the basic authentication can be activated automatically. With the Basic authentication, the username and password of a SharePoint user are requested in Intrexx and sent as the header in the HTTP request to SharePoint. This is the simplest login method and should only be used in connection with HTTPS because otherwise, credentials are transferred without being encrypted.

2. Forms-based authentication

The forms-based authentication allows users to log in using a SharePoint login form. With this option, a login form will be shown in Intrexx to the user when they access the SharePoint data for the first time. Intrexx then carries out the authentication using the SharePoint Web service (or /_vti_bin/authenticate.asmx) in the background.

3. OAuth2 authentication (ADFS/Azure AD)

Click here for more information.

4. Trusted identity provider

This option can be used to perform an authentication using an SAML-conforming identity provider. Intrexx currently only supports Microsoft Active Directory Federation Services (ADFS) as an identity provider. The following prerequisites apply when using ADFS as authentication:

4.1. Active Directory Federation Services URL

In this field, the URL for the ADFS server's login page is specified, as it is sent from the SharePoint server to the client browser via redirect. This could look something like this:

https://logon.spdev.net/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp2013adfs&wctx=http%3a%2f%2fsp2013adfs.spdev.net%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F

The URL contains the three essential parameters "wa", "wtrealm" and "wctx". The required values for these parameters can be taken from your SharePoint ADFS configuration. Please note that the URL character string is already encoded in such a way that it conforms to URL.

Intrexx sends the user login details to this URL and, if the login was successful, is redirected to the SharePoint server to complete the authentication and authorization. When using basic authentication, the username and password are sent directly to ADFS. With Kerberos, a ticket will first of all be requested for ADFS using the Intrexx Kerberos Provider Service, this ticket will then be sent to ADFS. Additionally, the Service Principal Name of the ADFS server will be needed for Kerberos. Windows integrated authentication must also be activated and the SPN of the Intrexx Kerberos Token Service must be specified.

4.2 Assigning users for the authentication methods

If more than one authentication method is activated, the first available method will be selected according to the following order of priority:
  1. Basic authentication
  2. Windows integrated authentication
  3. Forms-based authentication
  4. ADFS authentication
In principle, the basic authentication and/or forms-based authentication need to be activated to access data using the Portal Manager when creating applications. So that you can specify at the user/group level which Intrexx user should use which SharePoint authentication method for logging in, the methods to be used can be defined in a user-specific schema attribute in the Intrexx User Schema Manager. To do that, create a new attribute with the string type and with a length of 50 in the Schema Manager for users and/or groups. The name can be chosen freely. The SharePoint authentication method for a user or group can now be entered as this attribute. The list below shows which name should be entered for each method:

Name Method
HTTP_BASIC Windows basic authentication
KERBEROS_INTREXX Windows integrated authentication
SHAREPOINT_FORMS_BASED Forms-based authentication
SHAREPOINT_FEDAUTH_SAML Trusted identity provider

Make sure you are precise when entering the name. Intrexx ascertains the method to be used from the user attribute during runtime when accessing the SharePoint data groups for the first time. If this is not available or specified, Intrexx will search for the attribute in the user groups. If it cannot be found there either, Intrexx will proceed with the order of priority listed above. The connector must also be informed as to what the user or group attribute is called.