.Net Http module

Cas.net is an HTTP module that allows any ASP.NET application to authenticate against a CAS server. We use this module as an authentication provider for Windows SharePoint Services. I think that it should work for MOSS 2007 and OWA too.

The authentication mechanism is transparent to the application, which in return gets a standard .NET user object. So in the application, the user login is available through the User.Identity.Name property.

In this version, the call to the CAS server is made only on the first request. Afterwards, authentication relies on the standard .NET authentication mechanism.
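The server-side check behind that first request, as an added example (not code from casModule.dll): it builds the call to the configured validateUrl and accepts a user name only from an unambiguous success response, failing closed otherwise. It assumes the CAS 2.0 serviceValidate XML format and .NET 4 or later; CasTicketCheck, its members, app.example and the sample responses are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

// Added illustration; CasTicketCheck and its members are hypothetical names.
public static class CasTicketCheck
{
    static readonly XNamespace Cas = "http://www.yale.edu/tp/cas";

    // URL of the back-channel validation call (validateUrl comes from appSettings).
    public static string BuildValidateUrl(string validateUrl, string serviceUrl, string ticket)
    {
        if (!validateUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("validateUrl must use https");
        return validateUrl + "?service=" + Uri.EscapeDataString(serviceUrl)
                           + "&ticket=" + Uri.EscapeDataString(ticket);
    }

    // Returns the user name only for a clean authenticationSuccess; null otherwise.
    public static string ParseUser(string responseXml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(responseXml), settings))
            {
                XElement root = XDocument.Load(reader).Root;
                if (root == null || root.Name != Cas + "serviceResponse") return null;
                XElement ok = root.Element(Cas + "authenticationSuccess");
                if (ok == null || root.Element(Cas + "authenticationFailure") != null) return null;
                string user = ((string)ok.Element(Cas + "user") ?? "").Trim();
                return user.Length > 0 ? user : null;
            }
        }
        catch (XmlException) { return null; } // malformed body or DTD present: fail closed
    }

    public static void Main()
    {
        // Constructed sample responses in the CAS 2.0 format.
        string good = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                    + "<cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>"
                    + "</cas:serviceResponse>";
        string bad = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                   + "<cas:authenticationFailure code='INVALID_TICKET'>not recognized</cas:authenticationFailure>"
                   + "</cas:serviceResponse>";
        Console.WriteLine(BuildValidateUrl("https://cas.server/serviceValidate", "https://app.example/", "ST-constructed"));
        Console.WriteLine(ParseUser(good) ?? "(rejected)");
        Console.WriteLine(ParseUser(bad) ?? "(rejected)");
    }
}
```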

Installation

The module is a DLL that can be downloaded from https://sourcesup.cru.fr/projects/cas4net, and the installation is quite simple.

asp.net application

Just drop casModule.dll in the BIN folder of the application's root directory and add the following to the web.config file in the root directory:

  <appSettings>
    <add key="loginUrl" value="https://cas.server/login" />
    <add key="validateUrl" value="https://cas.server/serviceValidate" />
    <add key="logoutUrl" value="https://cas.server/logout" />
  </appSettings>

to indicate CAS urls and

  <system.web>
    ...
    <httpModules>
      <add name="CasModule" type="Upmc.CasModule.CasModule, CasModule"/>
    </httpModules>
    ...
  </system.web>

an httpModules tag to declare the module.

Last, you have to disable any default authentication in asp.net by turning the authentication mode to None in the <system.web> section

  <authentication mode="None">
  </authentication>
  <authorization>
    <allow users="*"/>
  </authorization>

As every request is intercepted by the module, only authenticated users gain access to the application. Of course, you also have to deal with authorization; here every authenticated user is allowed to use the application.

For IIS 7, the configuration file is slightly different for the module part, so it is better to use the new IIS Manager UI to get the job done. Add the module in the modules configuration, add the application settings in the application settings, and disable all authentication modules except anonymous.

Windows Sharepoint Services 3

As Windows SharePoint Services version 3 (WSS 3) is based on the .NET framework, this module can be used as an authentication provider. This should also be true for Microsoft Office SharePoint Server 2007 (MOSS 2007), but I have not tried it yet.

The installation is as easy as for a standard ASP.NET application, but the configuration is a little more intricate because of the security configuration.

1. Copy casModule.dll into the bin folder of the SharePoint site collection, then do the following in the web.config file.

2. Add CAS server location in the appSettings tag

  <appSettings>
    <add key="loginUrl" value="https://cas.server/login" />
    <add key="validateUrl" value="https://cas.server/serviceValidate" />
    <add key="logoutUrl" value="https://cas.server/logout" />
  </appSettings>

3. Declare the module

  <system.web>
    ...
    <httpModules>
      <clear />
      <add name="SPRequest" type="Microsoft.SharePoint.ApplicationRuntime.SPRequestModule,
          Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
      <add name="CasModule" type="Upmc.CasModule.CasModule, CasModule" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
      <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
      <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
      <!-- <add name="Session" type="System.Web.SessionState.SessionStateModule"/> -->
    </httpModules>
    ...
  </system.web>

4. Modify the security policy to enable the module
The policy file to modify depends on the SharePoint trust level declared in this tag

  <trust level="WSS_Medium" originUrl="" />

and the location of the policy file is declared in

    <securityPolicy>
      <trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
      <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
    </securityPolicy>

In the security policy file, add the following inside the first CodeGroup tag. It grants FullTrust to casModule.dll in the application's bin folder.

  <CodeGroup
    class="UnionCodeGroup"
    version="1"
    PermissionSetName="FullTrust">
    <IMembershipCondition
      class="UrlMembershipCondition"
      version="1"
      Url="$AppDirUrl$/bin/casModule.dll"
    />
  </CodeGroup>

5. As the last step, modify the site collection configuration to enable SSO and add a membership provider through the SharePoint administration site.

To be done

Some more work and testing should be done in order to:

  • have a nice 500 error if the CAS server is down on validation.
  • add an optional sliding time to live for authentication check
  • handle CAS logout protocol

I am also planning to rapidly test this module in an IIS 7 authentication pipeline. I have no idea yet how to handle the user id in the application.

And of course, any other feedback from you is welcome.

And for French speakers, you can read my article on techHeadBrothers.com

Jean Marie