Windows SharePoint Services and SharePoint Portal Server 2003 Support boundaries for Active Directory Federation Services (912492)



The information in this article applies to:

  • Microsoft Office SharePoint Portal Server 2003
  • Microsoft Windows SharePoint Services
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Standard x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition

SUMMARY

Active Directory Federation Services (ADFS) enables web single sign-on, federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries. The ADFS functionality becomes available in Windows Server 2003 R2.

INTRODUCTION

The purpose of this article is to describe supported configurations, known limitations, and recommendations for improving the user experience when you deploy Microsoft Windows SharePoint Services and Microsoft Office SharePoint Portal Server 2003 with ADFS.

MORE INFORMATION

SharePoint and ADFS integration is dependent on the ADFS ability to seamlessly convert the ADFS authentication token to a Windows authentication token on the server. SharePoint server side functionality is mostly compatible with ADFS authentication. Limitations on the supported features for SharePoint and ADFS integration are driven by client side incompatibilities.

ADFS is a web-based authentication mechanism which relies on a system of client-side redirects in order to authenticate the end-user. This works well when the client is a Web browser such as Microsoft Internet Explorer. However, not all client programs support redirects.

When the user is authenticated, client-side redirects are used to obtain an ADFS authentication token, which is saved in a session cookie to authenticate subsequent requests using the same client program. Since session cookies are not shared between programs running in separate processes, Microsoft Office or other programs cannot access the cookie issued for a browser. This requires re-authenticating the user, for which the necessary redirects are not guaranteed to work in non-browser programs. Even if initial authentication succeeds, the resultant authentication cookie has an associated timeout. Thus periodic re-authentication is required, which is not guaranteed to work for all programs.

Several significant ADFS and SharePoint integration problems come from attempting to use client programs that do not work with redirects. For example, the use of SharePoint with Microsoft Office Outlook 2003, Microsoft Office FrontPage 2003, Microsoft Office Word 2003, or the Windows shell commands are either outright broken or have a sub-par experience.

The remainder of this article addresses what is supported and not supported, and how to best mitigate end-user problems that result from the known issues in this configuration.

Supported features

Any feature which operates exclusively in the Web browser will work and is fully supported. This includes the following:
  • Site navigation
  • List and document viewing
  • List item editing (including list editing by using the Edit in datasheet control)
  • Search (supported for large farm deployments, but it is not functional for single server evaluation installation)
  • File download
  • File upload
This support is dependent on the ADFS ability to seamlessly convert the ADFS authentication token to a Windows authentication token on the SharePoint server.

For more information about integrating SharePoint with ADFS, consult the ADFS Step-by-Step Guide available from the following Microsoft Web site:

Unsupported features

The following features are not supported when SharePoint is integrated with ADFS:
  • Using Office 2003 (or comparable) clients to open and save documents on a SharePoint server is not a supported scenario, when SharePoint is running under ADFS authentication. Even if the file is opened successfully, problems may occur if the ADFS cookie times out. If the user attempts to save the document after the cookie has expired, errors during the redirects required to re-authenticate the user may make it impossible to save the document back to the server. In this case, the user could save the document locally, and then upload it back to the server using a browser. To avoid problems, we suggest that you turn off the Office 2003 open features in SharePoint, and revert to file download and file upload by using the Web browser.
  • The SharePoint Office integration features which rely on SOAP Web services running outside of the browser will not work with ADFS and are not supported. These features include Outlook synchronization such as Linking to Outlook from a Contacts list or an Events list, Export to Spreadsheet, creating a new list by Importing Spreadsheet, Export to Access, and Editing in FrontPage.
  • Windows shell commands to map a drive to a site or document library or perform other operations is not supported.
  • Web Folders (such as by using Network Places) which rely on the DAV redirector, will no longer work as expected. Web folders are typically created in order to have a file explorer view of a site or document library to easily copy and move files. Using this feature when SharePoint is working with ADFS is not supported.
  • Independently federating the SharePoint content site and SharePoint Central Admin sites.
  • SharePoint Web Parts that utilize the SharePoint Portal Server single sign on (SSO) feature to access program data is unsupported.
  • Due to limitations in how ADFS handles SOAP requests, programmatic access to SharePoint data and functionality via Web Services through ADFS is not supported except when the request comes from within the content of a browser session such as from an ActiveX control.
  • SharePoint Portal Services Alternate Access Mappings are not supported with ADFS Web SSO. Alternate Access Mappings allow multiple URLs that correspond to the same Internet Information Services (IIS) virtual server, or Web site.

    You may want to deploy a SharePoint Portal Sever site that is accessible both internally (inside the intranet) and externally (from outside the corporate firewall), but not expose the same URL to clients in the different DNS "zones". The Internal URL is similar to https://myteam, but the external URL is similar to http://partners.extranet.company.com/myteam. ADFS does NOT support this feature; for security reasons it enforces a unique Return URL for a given site or program for added security.

    For more information about ADFS and the Return URL, visit the following Microsoft Web site:

Removing feature functionality that is not supported

To reduce end-user confusion, you can remove some feature functionality that is not supported. Removing the feature from the user interface will help prevent end-users from using a feature that will either be broken or have a sub par experience.

Disabling the Edit in Office Application and New Document controls

To turn off the Edit in Office Application control and the New Document control, you have to edit the Docicon.xml file on each front-end Web server. The Docicon.xml file is located in the following folder:

drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\Template\Xml

To edit the Docicon.xml file, open it in notepad and then locate the following section
    </ByProgID>
    <ByExtension>
        <Mapping Key="doc" Value="icdoc.gif" EditText="Microsoft Office Word" OpenControl="SharePoint.OpenDocuments"/>
To change this file so that it is not possible to use the Context Menu to Edit the document in Word, you have to modify the parameter as seen below. For example, after modifying the entry for Word documents, it would appear as follows:
    </ByProgID>
    <ByExtension>
        <Mapping Key="doc" Value="icdoc.gif"/>
The result of this change is that the Edit in Microsoft Office Word control will no longer appear on the context menu drop-down for the document. You will need to repeat this procedure for each Office file extension mapping.

After this change, if the user clicks New Document, the user will receive the following message: 'New Document' requires a Windows SharePoint Services-compatible application and Microsoft Internet Explorer 5.0 or greater. To add a document to this document library, click the 'Upload Document' button.More information about editing Docicon.xml is available in the Windows SharePoint Services SDK at the following Microsoft Web site: Client computers that have Office applications installed may receive error messages. These messages may be received when the client computers open a document that is stored in a document library that is located on a Shared Services SharePoint site. To remove these error messages, open the Htmltransinfo.xml file on the Web server computer, and then remove the ProgId mapping. To do this, follow these steps:
  1. In Microsoft Windows Explorer, find the Htmltransinfo.xml file. This file is located in the following folder on the Web server:

    driveletter:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\Template\Xml

  2. Right-click Htmltransinfo.xml, and then click Edit.
  3. Change the file to set ProgId to empty. For example, ProgId = "".
The following code is an example of how the Htmltransinfo.xml file looks before you set ProgID to empty.

Note The following lines may have been wrapped for easier readability on the Web.
<HtmlTrInfo> <Mapping Extension="xls" AcceptHeader="application/vnd.ms-excel" HandlerUrl="HtmlTranslate.aspx" 
ProgId="SharePoint.OpenDocuments.2"/> <Mapping Extension="doc" AcceptHeader="application/msword" HandlerUrl="HtmlTranslate.aspx" 
ProgId=""/> <Mapping Extension="ppt" AcceptHeader="application/vnd.ms-powerpoint" HandlerUrl="HtmlTranslate.aspx" 
ProgId="SharePoint.OpenDocuments.2"/> <Mapping Extension="pps" 
AcceptHeader="application/vnd.ms-powerpoint" HandlerUrl="HtmlTranslate.aspx" 
ProgId=""/> <Mapping Extension="one" AcceptHeader="" HandlerUrl="" 
ProgId="SharePoint.OpenDocuments.2"/> </HtmlTrInfo> 

The following is an example of how the Htmltransinfo.xml file looks after you set ProgId to empty.

Note The following lines may have been wrapped for easier readability on the Web.
<HtmlTrInfo> <Mapping Extension="xls" AcceptHeader="application/vnd.ms-excel" HandlerUrl="HtmlTranslate.aspx" 
ProgId=""/> <Mapping Extension="doc" AcceptHeader="application/msword" HandlerUrl="HtmlTranslate.aspx" 
ProgId=""/> <Mapping Extension="ppt" AcceptHeader="application/vnd.ms-powerpoint" HandlerUrl="HtmlTranslate.aspx" 
ProgId=""/> <Mapping Extension="pps" AcceptHeader="application/vnd.ms-powerpoint" HandlerUrl="HtmlTranslate.aspx" 
ProgId=""/> <Mapping Extension="one" AcceptHeader="" HandlerUrl="" 
ProgId=""/> </HtmlTrInfo>

Removing other Client-Integration Functionality

To remove or hide the client-integration functionality, you can follow the steps below.

Note These steps are intended to be implemented before deploying portal or Windows SharePoint Services sites, and should be performed on custom site definitions whenever possible.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

898631 Supported and unsupported scenarios for working with custom site definitions and custom area definitions in Windows SharePoint Services and in SharePoint Portal Server 2003



Note Attempting to implement these same changes on site definitions that have already been deployed will pose additional, and in some cases, unsupported challenges that are outside of the scope of this article.
  1. Implement a custom .js file. Refer to the Customizing the Shortcut Menu for List Items topic in the SharePoint Products and Technologies SDK as a guide: Create a new .js file named Custom_ows.js as the article indicates, and reference it in the corresponding Onet.xml file for the site definition files that you will be customizing. It is not necessary to implement the custom Check Out & Save command that is described in the article.
  2. Edit the custom .js file to remove or modify client-integration functionality. The following code snippet, which represents the entirety of the custom .js code needed for this step, can be added to the newly-created Custom_ows.js file, as-is:
    //begin code to modify client-integration
    	
    //disables "Export to Spreadsheet" functionality and returns friendly error to user 
    function ExportList(using)
    {
        var L_ExportListSpreadsheet_Text = "This feature has been disabled on your server.";
        alert(L_ExportListSpreadsheet_Text);
    }
    	
    //removes "Link to Outlook" link
    function GetStssyncAppName(strDefault)
    {
        return false;
    }
    
    //end code to modify client-integration
    
    After steps 1 and 2 have been completed, the "Export to Spreadsheet" and the "Link to Outlook" functionality will be modified or removed from any newly-created sites based on the site definition that references the custom .js file.
  3. Optionally, remove "Import Contacts" links from the "Contacts" list definitions.

    Note The "Import Contacts" link cannot be removed or disabled by editing the custom .js file, and requires manual editing of every contacts-based list definition (where Type=105, or custom list definitions based on the same) on the server to remove the link. Additionally, the supportability guidelines that are outlined in KB article 898631 for editing site and list definitions require that changes to Schema.xml files only be made within custom site definitions. Because of this, and because this is a fairly intensive task, administrators are advised to consider educating users about the status of this functionality rather than implementing a system-wide change to every contacts-based list definition.

    To remove the "Import Contacts" link, open the corresponding Schema.xml file for editing. The Schema.xml file is located in the list definition folder within the respective site definition's Lists folder, such as

    C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\Template\1033\Custom_sts\Lists\Contacts

    Within the Schema.xml file, find the section of code that is relative to the "Import Contacts" link, by searching for the string ImportFromAddressBook within the file. Remove the contents of the "CDATA" block that contains the "Import Contacts" link. For example, in the default contacts list definition, the following example code represents the state of the list definition before removing the contents of the CDATA section
    </SCRIPT>]]></HTML><HTML><![CDATA[
        <TD class=ms-separator>|</TD>
           <TD class="ms-toolbar"> <table cellpadding=1 cellspacing=0 border=0> <tr> <td class="ms-toolbar" nowrap> <a tabindex=2 ID=diidIOImportFromAddressBook class="ms-toolbar" title=]]></HTML><HTML>"Import from Address Book"</HTML><HTML><![CDATA[ ACCESSKEY=I href="javaScript:ImportFromAddressBook()" target=_self> <img src="/_layouts/images/impitem.gif" ID="tbbuttonstart1" alt=]]></HTML><HTML>"Import from Address Book"</HTML><HTML><![CDATA[ border=0 width=16 height=16></a></td> <td nowrap> <a tabindex=2 ID=diidIOImportFromAddressBook class="ms-toolbar" ACCESSKEY=I href="javaScript:ImportFromAddressBook()" target=_self>
                <LocID ID="L_ImportFromAddressBook">]]></HTML><HTML>Import Contacts</HTML><HTML><![CDATA[</LocID>
           </a> </td> </tr> </table> </TD>
    ]]></HTML>
    
    After removing the relevant code, the same code would look like the following example code:
    </SCRIPT>]]></HTML><HTML><![CDATA[
    ]]></HTML>
    
    Again, this change would need to be made for every contacts-based list definition system-wide.
In your deployment, you may find other unexpected issues when using ADFS with SharePoint. To determine if the problem is an Office or SharePoint specific issue, you will need to test on a separate server using the standard Windows Integrated Authentication. If it reproduces with standard Windows Authentication without ADFS integration, then the problem is a core Office or SharePoint problem and can be reported to Office or SharePoint product support services for assistance working around the issue or requesting a hotfix.

If the problem is unique to ADFS authentication, it is possible the problem could exist in the configuration of ADFS, an Internet Explorer issue with redirects, or possibly a non-supported scenario. Product Support Services ADFS support team can help investigate these issues. However, if the problem is a limitation in Office or SharePoint compatibility with ADFS style authentication, the Office or SharePoint product teams are not able to provide fixes to improve the ADFS integration experience. If there is a work around or other specific guidance that can be provided, this article will be amended to include the additional information.

Modification Type:MinorLast Reviewed:2/10/2006
Keywords:kbConfiguration kbtshoot kbExpertiseInter kbinfo KB912492 kbAudKnowledgeWorker