Claims authentication against Windows Live ID for SharePoint 2010

The SharePoint engineering team at Fpweb.net is always striving to discover new frontiers, to declare that the impossible is… well, possible. Recently, we put our heads together to find a way to use both Live ID and OpenID as authentication methods for SharePoint Server 2010.

With the addition of the new claims-based authentication framework in SharePoint 2010, SharePoint is more loosely coupled to the authentication layer than ever. You’ve probably seen presentations or webinars where it was mentioned that you can use claims authentication against authentication providers such as Live ID and OpenID. However, documentation on configuring Live ID authentication is relatively hard to come by.

Recently, Chris Schwab and I were working with an Fpweb.net customer that needed to use Live ID as an external authentication source for their internet-facing hosted SharePoint 2010 Server farm.  They wanted to “outsource” the user account repository and password management for their site to Windows Live ID. While this lessened the burden of user account administration, they still needed to give the Windows Live users SharePoint permissions. Below is a step-by-step guide on how to set up claims authentication using Windows Live ID for SharePoint 2010.

Configure the Windows Live ID security token service

  1. Log in to the Microsoft Services Manager for Windows Live with your Live account.
  2. Click Register Your Site.
    You’ll notice that you are redirected to https://msm.live-int.com.
  3. You are redirected to the “int” version of Live.com because your site has not been reviewed by Microsoft and has not been given the “Prod” indication (meaning your site is compliant).
  4. Below is a screenshot of the Microsoft Services Manager after clicking the “Register Your Site” link.

(Screenshot: Configure the Windows Live ID Security Token Service)

How to fill out the fields shown in the screenshot above:

  1. Name:
    1. Enter in a useful description for your site.
  2. DNS Name:
    1. Enter a value for the DNS name of your site. This must be unique and must match the realm setting you give on the SharePoint server (I’ll give more detail on this later). For now it can be urn:whateveryouwant.
  3. Policy:
    1. Select Windows Live ID for the policy group.
    2. Click Submit and then Yes on the confirmation page.
  4. Default Return Url:
    1. https://yourdomain/_trust/default.aspx
  5. Override Authentication Policy (advanced settings):
    1. MBI_FED_SSL

Note: You will have to build your site authentication against Live-Int.com at first. Then, you’ll have to submit it to Microsoft for a compliance review. You will not be sent back real email addresses from the Live ID STS, only the PUID of the user. Once the user is authenticated to your site, they will need to enter their email/name if you need this information.

Retrieve and install the x509 certificate on the web servers

  1. Download this -int version of the x509 cert.
  2. Open it, and locate the <KeyDescriptor use="signing" wsu:Id="stscer"> node.
    1. Copy the contents within the <X509Certificate> node.
  3. Create a new text file in notepad, and paste the contents into it.
    1. Save as C:\LiveIDPublic.cer
    2. NOTE: from here-on, we will refer to this file as the “x509 cert”
  4. Import the new certificate using Start > Run > MMC
  5. You should see the screenshot shown below. From the File Menu, Choose:
    1. Add/Remove Snap-in > Certificates > Computer Account > Next > Local Computer > OK
  6. Import the x509 cert to all 3 places shown below:
    1. SharePoint
    2. Trusted People
    3. Trusted Root Certification Authorities

(Screenshot: Retrieve and install the x509 certificate on the web servers)
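The copy-and-paste in steps 1 to 3 above is easy to get wrong (a stray character or the wrong KeyDescriptor node) and tells you nothing about the key you are about to trust. As an added example that is not part of the original post, the PowerShell function below pulls the signing certificate out of the downloaded federation metadata, writes it to the same C:\LiveIDPublic.cer path the post uses, and loads it back to show the subject, thumbprint and expiry. The function name and the metadata path are assumptions; it writes the base64 with PEM header lines, which X509Certificate2 and Get-PfxCertificate load exactly as they load the bare base64 the post pastes.

```powershell
# Added example, not from the original post. Extracts the STS signing certificate
# from the Live ID federation metadata XML and saves it as a .cer file.
# Assumed names: Export-StsSigningCert, -MetadataPath, -OutFile, -KeyId.
function Export-StsSigningCert {
    param(
        [Parameter(Mandatory = $true)] [string] $MetadataPath,  # downloaded federation metadata XML
        [string] $OutFile = "C:\LiveIDPublic.cer",              # same path the post uses
        [string] $KeyId   = "stscer"                            # wsu:Id of the signing KeyDescriptor
    )

    # local-name() sidesteps the metadata's namespaces (SAML metadata, xmldsig, wsu);
    # @*[local-name()='Id'] matches the wsu:Id attribute without binding the prefix.
    $xpath = "//*[local-name()='KeyDescriptor'][@use='signing'][@*[local-name()='Id']='$KeyId']" +
             "//*[local-name()='X509Certificate']"
    $match = Select-Xml -Path $MetadataPath -XPath $xpath | Select-Object -First 1
    if (-not $match) { throw "No signing KeyDescriptor with Id '$KeyId' found in $MetadataPath" }

    # Strip whitespace from the base64 blob and wrap it at 64 columns between PEM markers.
    $b64 = $match.Node.InnerText -replace '\s', ''
    $wrapped = @()
    for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $wrapped += $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $pem = @("-----BEGIN CERTIFICATE-----") + $wrapped + @("-----END CERTIFICATE-----")
    Set-Content -Path $OutFile -Value $pem -Encoding Ascii

    # Load it back: this proves the file is usable by New-SPTrustedRootAuthority and
    # shows exactly which key the farm is about to trust for token signatures.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile)
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Signing certificate expired on $($cert.NotAfter); download fresh metadata."
    }
    New-Object PSObject -Property @{
        File       = $OutFile
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}

# Usage (the metadata path is an assumption):
# Export-StsSigningCert -MetadataPath "C:\Downloads\FederationMetadata.xml"
```

Record the thumbprint it prints; it is what you compare against after importing into the SharePoint, Trusted People and Trusted Root Certification Authorities stores, and again when the certificate is rotated.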

Configure a SharePoint 2010 claims provider using PowerShell

Add-PsSnapin Microsoft.SharePoint.PowerShell
# Realm must match, character for character, the DNS Name you registered in MSM
$realm = "urn:andyliveid:dev"
# The x509 cert saved in the previous section
$certloc = "C:\LiveIDPublic.cer"
$rootcert = Get-PfxCertificate $certloc
New-SPTrustedRootAuthority "Production OpenID Token Signing Cert" -Certificate $rootcert | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
# Claim mappings: pass the email claim through unchanged, map nameidentifier to UPN
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$user = "[email protected]" #your unique live PUID
# Keep the sign-in URL in a quoted string with a plain ASCII hyphen in "live-int";
# a pasted em dash or an unquoted URL makes New-SPTrustedIdentityTokenIssuer throw UriFormatException
$signinurl = "https://login.live-int.com/login.srf"
$apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress"
$cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $apSAML -Identity $user.ToLower()
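Most of the failures people hit with this script come down to three things: a realm that differs from the MSM DNS name (including case), a sign-in URL that is not a valid https URI because of a pasted dash or quote, and a signing certificate that is missing from one of the three certificate stores. As an added example that is not part of the original post, this PowerShell function reads the issuer back with Get-SPTrustedIdentityTokenIssuer and checks each of those points, returning a list of problems (empty when everything is consistent). The function name and its parameter defaults are assumptions; the cmdlets and the SPTrustedLoginProvider properties it reads (DefaultProviderRealm, ProviderUri, SigningCertificate) are the SharePoint 2010 ones.

```powershell
# Added example, not from the original post. Pre-flight check of the trusted
# identity token issuer created by the script above.
# Assumed names: Test-LiveIdTrustConfig and its parameters.
function Test-LiveIdTrustConfig {
    param(
        [string] $IssuerName    = "LiveIDInt",
        [string] $ExpectedRealm = "urn:andyliveid:dev",   # the DNS Name registered in MSM
        [string] $CertPath      = "C:\LiveIDPublic.cer"
    )
    if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
    }
    $problems = @()

    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName -ErrorAction SilentlyContinue
    if (-not $issuer) { return @("Trusted identity token issuer '$IssuerName' does not exist") }

    # 1. Realm: must equal the MSM DNS Name, compared case-sensitively, and be all lower case.
    $realm = $issuer.DefaultProviderRealm
    if ($realm -cne $realm.ToLowerInvariant()) { $problems += "Realm '$realm' is not all lower case" }
    if ($realm -cne $ExpectedRealm) { $problems += "Realm '$realm' does not match expected '$ExpectedRealm'" }

    # 2. Sign-in URL: absolute https URI made of printable ASCII only
    #    (a smart dash or curly quote from copy-paste fails this check).
    $url = [string]$issuer.ProviderUri
    if ($url -match '[^\x20-\x7E]') { $problems += "Sign-in URL contains non-ASCII characters: $url" }
    $uri = $null
    if (-not [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne "https") {
        $problems += "Sign-in URL is not a valid https URI: $url"
    }

    # 3. Signing certificate: the issuer's cert is the one in the file, it is not
    #    expired, and it is present in all three LocalMachine stores the post names.
    $fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    if ($issuer.SigningCertificate.Thumbprint -ne $fileCert.Thumbprint) {
        $problems += "Issuer signing cert $($issuer.SigningCertificate.Thumbprint) differs from $CertPath ($($fileCert.Thumbprint))"
    }
    if ($fileCert.NotAfter -lt (Get-Date)) { $problems += "Signing cert expired on $($fileCert.NotAfter)" }
    foreach ($storeName in "SharePoint", "TrustedPeople", "Root") {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "LocalMachine")
        $store.Open("ReadOnly")
        $found = $store.Certificates.Find("FindByThumbprint", $fileCert.Thumbprint, $false)
        $store.Close()
        if ($found.Count -eq 0) { $problems += "Cert $($fileCert.Thumbprint) is not in LocalMachine\$storeName" }
    }

    if ($problems.Count -eq 0) { Write-Host "Trust configuration for '$IssuerName' looks consistent" }
    $problems   # empty array when every check passed
}

# Usage: run on each web front end after the script above
# Test-LiveIdTrustConfig -IssuerName "LiveIDInt" -ExpectedRealm "urn:andyliveid:dev"
```

Run it on every web server in the farm, since the certificate stores are per machine while the issuer object is farm-wide; a certificate present on one front end and missing on another produces the intermittent sign-in loop described in the comments.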

Set your web app to use claims / Windows NTLM authentication

  1. Open SharePoint 2010 Central Administration > Application Management > Manage Web Applications > select your web application > Authentication Providers > Default Zone
  2. Select “Enable Windows Authentication”, “Trusted Identity Provider” and “LiveID”

Test your SharePoint 2010 site login with Live ID credentials

  1. Open the Fiddler 2 app so that it starts logging HTTP requests and responses. This is useful for seeing what URLs SharePoint redirects you to and what the Live ID STS is sending back.
  2. Browse to your site on the server. You should see an authentication method drop down with Live ID and Windows as options.

If everything is set up correctly you’ll be routed to the Live-Int login page and NOT see a red error. You’ll be able to log in and get redirected back to your SharePoint site, where you see access denied for user [email protected]. This is because you haven’t given your Live ID account SharePoint permissions.

After you pass the Microsoft compliance review

This section provides an educated guess on what you’ll need to do in order to configure your SharePoint 2010 server to use the Prod live.com STS vs. INT.

(our Fpweb.net SharePoint 2010 team was able to skip this part since we were working hand-in-hand with Microsoft to get this authentication method working).

We assume that essentially, you’ll repeat all of the above steps but remove the “-int” from your Claims provider. You’ll also need to get the prod x509 certificate and use that to copy/paste when creating your cert on the web servers.

Update: 7/18/2011: Chris Schwab has written a helpful post about which Fpweb.net SharePoint Hosting Plans can utilize LiveID authentication!

August 16th, 2010

87 Comments

  1. Subhash August 2, 2011 at 2:05 am

    Hi, I followed the steps to configure Windows Live authentication for the INT environment, but when I try to log in with my INT Zone credentials I am redirected to the logout page. Any help? Thanks in advance.

  2. Mallikharjuna Mulagundla September 27, 2011 at 11:57 pm

    I have followed the same steps mentioned above and enabled Live ID authentication on SharePoint 2010. My issue is that it's not signing out completely. On the sign-in page, it asks me to choose “Live Id” or “Windows Authentication” from the dropdown. I logged in successfully using Live ID into the site. Once I click Sign-out, it redirects to the sign-in page (starting page) but does not sign out properly. When I again choose LiveID from the dropdown, it does not ask for credentials; it takes the previous login credentials. Am I missing anything?

  3. Marlene Fidelis October 30, 2011 at 2:04 am

    Good morning, gentlemen. I am very upset with you. I am already 57 years old and you blocked my account and my MSN. To unblock it, I have to provide my credit card number, the expiry date, the last 4 digits and the name as it appears on my card, because otherwise I will not get my account back. What is this? I think it is a matter for the police, my having to hand over my card number or else not get my account unblocked. I know my rights. Look, I want my account unblocked, otherwise I will file a police report, and you can be sure I am not going to enter my credit card number. Now it is up to you. Marlene Fidelis

  4. Doug November 18, 2011 at 2:26 pm

    I fixed the dash problem, but am getting a slightly different error now:

    PS C:\Users\spsqladmin> New-SPTrustedRootAuthority "Production OpenID Token Signing Cert " -Certificate $rootcert
    PS C:\Users\spsqladmin> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
    PS C:\Users\spsqladmin> $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" -SameAsIncoming
    PS C:\Users\spsqladmin> $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    PS C:\Users\spsqladmin> $user = "[email protected]" #your unique live PUID
    PS C:\Users\spsqladmin> $emailclaim = New-SPClaimTypeMapping -IncomingClaimType http://schemas.xmlsoap.org/claims/EmailAddress -incomingClaimTypeDisplayName http://schemas.xmlsoap.org/claims/EmailAddress -SameAsIncoming
    PS C:\Users\spsqladmin> $signinurl = "https://login.live-int.com/login.srf"
    PS C:\Users\spsqladmin> $apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress"

    New-SPTrustedIdentityTokenIssuer : Exception of type ‘System.ArgumentException’ was thrown.
    Parameter name: newObj
    At line:1 char:43
    + $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrus
    tCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claim
    s/EmailAddress"
    + CategoryInfo : InvalidData: (Microsoft.Share…dentityProvider:SPCmdletNewSPIdentityProvider) [New-SPTr
    ustedIdentityTokenIssuer], ArgumentException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

  5. Oscar Bautista January 4, 2012 at 5:24 pm

    Hi. Thank you for the informative post. I have configured as instructed. I think I am very close. When I visit my site I am redirected to select the authentication type. I select Windows Live and am then redirected here:

    https://login.live-int.com/login.srf?wa=wsignin1.0&wtrealm=urn%3amydomain%3aint&wctx=https%3a%2f%2fmydomain.local%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F

    When I enter my credentials, it appears as though something is happening because the login.live page flickers and I see something going on (processing/posting back), but I am not redirected back to my local sharepoint site.

    Curious if you can help point me in the right direction?

    Thanks so much…

  6. Sergey February 12, 2012 at 6:57 pm

    As for me, live-int.com doesn't redirect me anywhere… Did you solve this issue?

  7. Kanwal Khipple August 18, 2010 at 10:11 am

    This is definitely a functionality I’m considering for SharePoint Buzz. Will fpweb be implementing / allowing this for their customers?

  8. Erucy August 19, 2010 at 5:30 am

    How can I get the PUID of my Live ID?
    I’ve tried to use my Live ID as $user; when I log in, it redirects to the Live login page, but throws an “email or password is not correct” error when I click “login”.
    I found there was a hotfix on June 29th which mentioned the PUID problem. Do I need to patch it?

  9. Andy Milsark August 19, 2010 at 11:30 am

    We currently allow claims authentication to Live ID and we have customers that already have or are implementing it now. We may offer consulting services on this in the future.

  10. Andy Milsark August 19, 2010 at 11:31 am

    @Erucy
    @Erucy, this sounds like you are just typing in the wrong credentials for live. Keep in mind that there is a live-int.com and live.com domains. You’ll need to create an account in the live-int realm for testing until your site has been approved for prod by MS.

  11. Kevin Korb August 19, 2010 at 12:11 pm

    Great post Andy

    I’m half way there but am getting an error when creating the TrustedIdentityTokenIssuer

    it appears that it doesn’t like the signonurl
    New-SPTrustedIdentityTokenIssuer : https://login.live-int.com/login.srf
    At line:1 char:43
    + $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrus
    tCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl https://login.live-int.com/login.srf -IdentifierClaim "http:
    //schemas.xmlsoap.org/claims/EmailAddress"
    + CategoryInfo : InvalidArgument: (https://login.live-int.com/login.srf:String) [New-SPTrustedIdentityTok
    enIssuer], UriFormatException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

    Any Ideas ?

  12. Kevin Korb August 19, 2010 at 12:22 pm

    Sorry

    I had to create a variable to store the URL and reference it on the New-SPTrustedIdentityTokenIssuer command.

    Getting this now from the live logon page

    The Windows Live Network is unavailable from this site for one of the following reasons:

  13. Andy Milsark August 19, 2010 at 12:26 pm

    @Kevin Korb
    We saw that error too. Double check that the Realm in your powershell config matches the DNS name on the msm site. Also I would use fiddler to examine the http posts and requests.

  14. Kevin Korb August 19, 2010 at 5:22 pm

    Thanks Andy

    Is the realm supposed to be a FQDN? I currently have mine set to orbits.net. Does it need to resolve as orbits.net.live-int.com, or is it just used to match up the Live ID sites?

  15. Erucy August 20, 2010 at 1:29 am

    @Andy Milsark
    Thanks, Andy. Great post, but it seems the signup page of live-int is blocked from China… 🙁
    I’ll try it later, sigh.

  16. Tony Krijnen August 22, 2010 at 4:31 am

    When I want to register my site and use URN:Anythingyouwant (URN:Tonydaniel in my case) after step 3 (Policy) I get the following errors when I continue and click Yes:

    Error
    – Validation failed for DefaultImageURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
    – Validation failed for RootURL: This field cannot contain any leading or trailing spaces, must contain fewer than 513 characters, and must start and end with an alphanumeric character. This field can include only alphanumeric characters, ‘.’, and ‘-‘.
    – Validation failed for DefaultReturnURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
    – Validation failed for ExpireCookieURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
    – DefaultReturnURL does not contain the domain name.
    – ExpireCookieURL does not contain the domain name.

    Seems I need to setup something before I submit this? I don’t get to the part “Default Return Url”. Any thoughts?

  17. Tony Krijnen August 22, 2010 at 4:34 am

    I guess I misunderstood this URN: thing. When I entered the FQDN (www.tonydaniel.ms) it went through ok, sorry!

  18. Kevin Korb August 23, 2010 at 11:30 am

    Sorry to keep bugging everyone. I’m still struggling to get the authentication working with Live ID. Everything seems to be set up fine. I can grant permissions on SharePoint to Live ID users. The Live ID logon page comes up with no errors. After entering the username and password, it just goes out to la la land.

    Fiddler shows a connection time out

    HTTPS connection failed. System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 65.55.70.91:443 at Fiddler.ServerChatter.CreateConnectedSocket(IPAddress[] arrDestIPs, Int32 iPort, Session _oSession) at Fiddler.Session._handleHTTPSConnect()

    I think its something to do with my return URL. I have not built a custom logon page and we are also using host header webapp. Here is what I have it set to. (XXX is replaced with a valid host name)

    https://xxxx.orbits.net/_trust/default.aspx

    Any ideas? Anyone else get this working?

  19. Andy Milsark August 23, 2010 at 1:55 pm

    @Kevin Korb
    Does it seem like it’s in an infinite loop after you type in the credentials to live and click sign in? I saw something like that as well. Did you import the x509 cert into all the folders i specified in the article?

  20. Kevin Korb August 23, 2010 at 2:04 pm

    Yes I did import the cert. No infinite loop, I did have that previously. It just appears to time out

  21. Andy Milsark August 23, 2010 at 2:22 pm

    @Kevin Korb
    Anything in the application or security event logs?

  22. Kevin Korb August 23, 2010 at 3:46 pm

    @Andy Milsark

    nope blank

  23. Krishna August 23, 2010 at 9:25 pm

    @Andy Milsark
    I am facing the same issue. I get a redirected to the Windows Live Login page – where it shows the name of my site. However, it says:

    The Windows Live Network is unavailable from this site for one of the following reasons…

    I’ve checked the DNS name, domain name on the msm site and the realm I used to setup the SPTrustedIdentityTokenIssuer – they are all the same.

    The only thing in my case is that I’m not using https for my site, and the port is 4200 (not the standard 80). 4200 however is openly accessible from the internet.

    Any ideas?

  24. Kevin Korb August 24, 2010 at 8:34 am

    @Krishna
    Krishna

    We are offloading SSL on our load balancer. I’m going to reconfigure everything and bypass the load balancer. I’ll post the results. I still think it has something to do with the default return URL. What do you have yours set to? Mine is https://VALID External FQDN/_trust/Default.aspx

  25. Andy Milsark August 24, 2010 at 9:56 am

    @Krishna
    I believe you have to be using an SSL secured site on port 442. Not 100% sure though. I’m hoping Microsoft releases some documentation about the msm side of things soon.

  26. Kevin Korb August 24, 2010 at 10:02 am

    @Andy Milsark
    442 on what the Signon URL ? That might make sense why I’m receiving all the connection timeouts

  27. Andy Milsark August 24, 2010 at 1:00 pm

    @Kevin Korb
    I believe for your whole Sharepoint site including the return URL.

  28. Andy Milsark August 24, 2010 at 1:59 pm

    @Kevin Korb
    Yeah, we are not doing SSL termination at the load balancer. Our return url is https://domain.com/_trust/default.aspx

  29. Andy Milsark August 26, 2010 at 2:39 pm

    @Andy Milsark
    Sorry @Kevin Korb, I meant port 443, the standard https port

  30. Andy Milsark August 26, 2010 at 2:41 pm

    @Tony Krijnen
    I believe the realm/dns has to be the same and all lower case

  31. Fugle August 27, 2010 at 1:09 pm

    @Andy Milsark
    I have tried to register account via live-int.com but can only create account within “@hotmail-int.com”. Can I create an account like [email protected] and change the powershell script to $user = “[email protected]” ?

  32. Fugle August 27, 2010 at 3:47 pm

    Somebody able to register account ?
    When I try to sign-up new account via https://accountservices.passport-int.net I get error message:
    ————-
    We’re unable to complete your request
    Windows Live ID is experiencing some technical difficulties while creating your account. To start using Windows Live today, get support now, click here ,choose Windows Live ID and copy paste the code below into the form.

    LEFKPK~OIURMRQTQU[[U]
    —————

  33. Fugle August 27, 2010 at 6:49 pm

    I went one step further and tried to run the PowerShell script. I have followed the tips from Kevin regarding putting signinurl in a variable but still get an error.
    Here is my ps script:
    ————————–
    Add-PsSnapin Microsoft.SharePoint.PowerShell
    $realm = "site.domain.org"
    $certloc = "C:UtilLiveID-Authx509certificateLiveIDPublic.cer"
    $rootcert = Get-PfxCertificate $certloc
    New-SPTrustedRootAuthority "Production OpenID Token Signing Cert" -Certificate $rootcert | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
    $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" –SameAsIncoming
    $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    $user = "[email protected]" #your unique live PUID
    $signinurl = "https://login.live—int.com/login.srf"
    $apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress"
    $cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $apSAML -Identity $user.tolower()
    ————————–

    Error message:
    ————————–
    New-SPTrustedIdentityTokenIssuer : https://login.live—int.com/login.srf
    At line:11 char:43
    + $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2
    -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress"
    + CategoryInfo : InvalidArgument: (https://login.live—int.com/login.srf:String) [New-SPTrustedIdentityTokenIssuer], UriFormatException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

    ————————–

  34. Fugle August 27, 2010 at 6:52 pm

    I tried to run the PowerShell script with a live.com account but still get an error. I have tried to follow the tips regarding putting the URL in a variable.

    My PS script:
    ———————
    Add-PsSnapin Microsoft.SharePoint.PowerShell
    $realm = "site.domain.org"
    $certloc = "C:UtilLiveID-Authx509certificateLiveIDPublic.cer"
    $rootcert = Get-PfxCertificate $certloc
    New-SPTrustedRootAuthority "Production OpenID Token Signing Cert" -Certificate $rootcert | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
    $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress" -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress" –SameAsIncoming
    $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    $user = "[email protected]" #your unique live PUID
    $signinurl = "https://login.live—int.com/login.srf"
    $apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress"
    $cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $apSAML -Identity $user.tolower()
    ———————

    Error message:
    ———————
    New-SPTrustedIdentityTokenIssuer : https://login.live—int.com/login.srf
    At line:6 char:43
    + $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2
    -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress"
    + CategoryInfo : InvalidArgument: (https://login.live—int.com/login.srf:String) [New-SPTrustedIdentityTokenIssuer], UriFormatException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider
    ———————

  35. Fugle August 27, 2010 at 6:54 pm

    Test

  36. Fugle August 27, 2010 at 6:56 pm

    Error message when running ps script:

    New-SPTrustedIdentityTokenIssuer : https://login.live—int.com/login.srf
    At line:11 char:43
    + $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2
    -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress"
    + CategoryInfo : InvalidArgument: (https://login.live—int.com/login.srf:String) [New-SPTrustedIdentityTokenIssuer], UriFormatException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

    My PS Script:
    Add-PsSnapin Microsoft.SharePoint.PowerShell
    $realm = "site.domain.org"
    $certloc = "C:UtilLiveID-Authx509certificateLiveIDPublic.cer"
    $rootcert = Get-PfxCertificate $certloc
    New-SPTrustedRootAuthority "Production OpenID Token Signing Cert" -Certificate $rootcert | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
    $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress&quot; -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress&quot; –SameAsIncoming
    $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier&quot; -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn&quot;
    $user = "[email protected]" #your unique live PUID
    $signinurl = "https://login.live—int.com/login.srf&quot;
    $apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress&quot;
    $cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $apSAML -Identity $user.tolower()

  37. Ashkan August 28, 2010 at 1:30 am

    Great post.

    I almost have it working. After I sign in using my test Hotmail account and it redirects back to the SharePoint site I get the following error:

    Request information:
    Request URL: https://my.dummy.org:443/_trust/default.aspx
    Request path: /_trust/default.aspx
    User host address: fe80::109d:8609:e5ab:30fc
    InvalidOperationException
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name: DUMMY\svc-sp-managed

    Thread information:
    Thread ID: 19
    Thread account name: DUMMY\svc-sp-managed
    Is impersonating: False
    Stack trace: at System.Uri.GetLeftPart(UriPartial part)
    at Microsoft.SharePoint.Administration.SPAlternateUrl.Canonicalize(Uri uri)
    at Microsoft.SharePoint.Administration.SPWebApplication.Lookup(SPFarm farm, Uri requestUri, Boolean fallbackToHttpContext, SPAlternateUrl& alternateUrl, SPSiteLookupInfo& hostHeaderSiteInfo, Boolean& lookupRequiredContext)
    at Microsoft.SharePoint.Administration.SPWebApplication.Lookup(Uri requestUri, Boolean fallbackToHttpContext)
    at Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.RetrieveWebApplicationIdAndZoneFromUri(Uri context, Guid& webAppId, SPUrlZone& zone)
    at Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateSingleAudienceCondition(Uri audienceUri, Guid requestWebAppId, SPUrlZone requestZone, IEnumerable`1 trustedLoginProviderNames)
    at Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateAudienceConditions(SamlConditions conditions)
    at Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction)
    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
    at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
    at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
    at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    Your help is greatly appreciated.
    Ashkan

  38. Ashkan August 28, 2010 at 1:33 am

    @Ashkan

    Forgot to mention that I have the latest CU updates for June installed.

  39. Erucy August 30, 2010 at 4:13 am

    @Ashkan
    I’ve met the same error. But it appears after I choose “LiveID” from the login page…It doesn’t jump to the login page at all!

  40. Carlos Morales August 30, 2010 at 9:40 am

    Hi Andy,

    When I first configured Live ID with SharePoint 2007 a long time ago, I registered my sites at msm.live.com (not INT). It looks like in the past few months Microsoft moved some of these accounts around, and I can’t access my site registration details through msm.live.com; however, I still can through live.azure.com. This allows me to configure the return URL and grab the App ID and Secret Key (not sure if they are used in your guide, but they were for SP 2007). However, there’s no DNS Name or “Override Authentication Policy” I can set. Do you know if I can still use these registrations with SP 2010? I’d hate to register a site with INT, because my sites are already approved in the production domain. By the way, when I tried to register a site with msm.live-int.com, after clicking Submit and Yes, it displayed a lot of errors in red; I am not sure where they came from. I noticed that in the registration screen you can optionally enter an Application ID and a Secret Key, however I am not sure how this will make things different…

  41. Ashkan August 30, 2010 at 8:05 pm

    @Erucy

    That’s weird. When do you get the exception? For me the exception happens when after a successful login and posts back to my site.

    Do you have the cumulative updates for June installed? I wonder if the CU is causing the error since the CU contains updates for the SP IdentityModel assembly.

  43. Carlos Morales September 1, 2010 at 12:13 am - Reply

    Hi Everybody,

    When I go to the MSM site and fill out the details, click Submit, and the click Yes, I get the following errors:

    Validation failed for DefaultImageURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
    Validation failed for RootURL: This field cannot contain any leading or trailing spaces, must contain fewer than 513 characters, and must start and end with an alphanumeric character. This field can include only alphanumeric characters, ‘.’, and ‘-‘.
    Validation failed for DefaultReturnURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
    Validation failed for ExpireCookieURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
    DefaultReturnURL does not contain the domain name.
    ExpireCookieURL does not contain the domain name.

    Any ideas?

    Thanks!

  44. Carlos Morales September 1, 2010 at 12:18 am - Reply

    Please disregard my last message.. Tony was right… the “urn:something:dev” doesn’t work. When I added my site domain name, it went through just fine. 🙂

  45. Steve Paplanus September 2, 2010 at 6:45 pm - Reply

    We have followed your instructions and have gotten this to work. Now that we can add users by the PUID, is there any way we can map the [email protected] to a friendly name (or email) that is associated with the user on the SharePoint side? If you have more than a couple of PUIDs, it can get confusing quickly when a site owner is setting permissions (which PUID = which person). Also, the user who logs in under Live ID seems to have the PUID at the top right hand corner of the SharePoint site, which may cause some users to panic.

  46. Andy Milsark September 3, 2010 at 10:10 am - Reply

    @Steve Paplanus
    Excellent! If you have any ideas on some of the issues people are running into here, please share them. I do not think MS Live will send you back the user’s email address (at least not in the INT version). I think you will have to figure out a programmatic registration to replace the user’s display name. From what I’ve heard this is similar to what was done in SP 2007.

  47. Carlos Morales September 5, 2010 at 10:32 am - Reply

    Kevin Korb: Great Post Andy
    I’m half way there but am getting an error when creating the TrustedIdentityTokenIssuer;
    it appears that it doesn’t like the signonurl:
    New-SPTrustedIdentityTokenIssuer : https://login.live-int.com/login.srf
    At line:1 char:43
    + $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name “LiveIDInt” -Description “LiveIDInt” -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl https://login.live-int.com/login.srf -IdentifierClaim “http://schemas.xmlsoap.org/claims/EmailAddress”
    + CategoryInfo : InvalidArgument: (https://login.live-int.com/login.srf:String) [New-SPTrustedIdentityTokenIssuer], UriFormatException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider
    Any Ideas ?

    Hi Kevin,

    I am getting the error you got even after creating the new variable.. I am executing this:
    $signinurl = “https://login.live—int.com/login.srf”
    $apSAML = New-SPTrustedIdentityTokenIssuer -Name “LiveIDInt” -Description “LiveIDInt” -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim “http://schemas.xmlsoap.org/claims/EmailAddress”

    And the error is:

    New-SPTrustedIdentityTokenIssuer : https://login.live-int.com/login.srf
    At line:1 char:43
    + $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrus
    tCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claim
    s/EmailAddress"
    + CategoryInfo : InvalidArgument: (https://login.live-int.com/login.srf:String) [New-SPTrustedIdentityTok
    enIssuer], UriFormatException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

    Any ideas?

  49. Aaron Boswell September 5, 2010 at 11:00 am - Reply

    For some who may be having problems with the New-SPTrustedIdentityTokenIssuer statement. If you copy and paste the powershell script from this site, the dash “-” in the SignInUrl parameter is not the valid style for a dash and you will get an invalid parameter error. Just type over the dash with the normal minus sign and it should work.

  51. Carlos Morales September 6, 2010 at 11:29 am - Reply

    Ok Guys, I am getting a step further at a time.. However I still need some help. I could successfully complete the configuration described in this article using the INT site, however our goal is to be on production, right? :). Based on that, I decided to give this a try using the Production settings, to see if I could successfully configure my site to redirect to the Live.com production environment as I had it when I was using SP 2007.

    My sites are registered in the live.com production environment through Azure Live Services. After repeating the configuration of this article using the production servers and settings, I made some strides but I am not there yet.. when I go to my site now, this is the URL I see generated by SharePoint (I am replacing my domain with SERVER for this post):

    http://SERVER/_login/default.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F&Source=%2F

    Here I can select Windows Authentication or “Windows Live ID” (the STS I configured). Once I select the “Windows Live ID” option from the menu, I get redirected to this site:

    https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=SERVER&wctx=http%3a%2f%2fSERVER%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F

    And this page error is displayed:

    “This displays an error: We’re unable to complete your request
    Windows Live ID is experiencing technical difficulties. Please try again later.”

    After doing some extra testing, I noticed, that if I manually add my site’s APPID (coming from Azure Live Services) to the url’s querystring the Sign in page takes me to once I select Windows Live from the menu (notice 1st parameter in the querystring):

    https://login.live.com/login.srf?appid=XXXXXXXXXXXXXXXX&wa=wsignin1.0&wtrealm=SERVER&wctx=http%3a%2f%2fSERVER%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F

    The authentication process works just great! I get redirected to the production login.live.com site, I enter my credentials, and I get redirected back to my site as expected.

    Now, my question is: Is there a way to modify the PowerShell script above to have Sharepoint pass the appid as part of the querystring when selecting “Windows Live” from the Sign in page menu?

    I think that will solve this issue.. Any thoughts guys?

  54. Amit September 9, 2010 at 12:20 am - Reply

    After signing in, I am receiving this exception on https:///_trust/default.aspx page. This happens in both Live ID INT and PROD environments.

    [InvalidOperationException: This operation is not supported for a relative URI.]
    System.Uri.GetLeftPart(UriPartial part) +7154343
    Microsoft.SharePoint.Administration.SPAlternateUrl.Canonicalize(Uri uri) +25
    Microsoft.SharePoint.Administration.SPWebApplication.Lookup(SPFarm farm, Uri requestUri, Boolean fallbackToHttpContext, SPAlternateUrl& alternateUrl, SPSiteLookupInfo& hostHeaderSiteInfo, Boolean& lookupRequiredContext) +182
    Microsoft.SharePoint.Administration.SPWebApplication.Lookup(Uri requestUri, Boolean fallbackToHttpContext) +205
    Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.RetrieveWebApplicationIdAndZoneFromUri(Uri context, Guid& webAppId, SPUrlZone& zone) +124
    Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateSingleAudienceCondition(Uri audienceUri, Guid requestWebAppId, SPUrlZone requestZone, IEnumerable`1 trustedLoginProviderNames) +130
    Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateAudienceConditions(SamlConditions conditions) +385
    Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction) +28
    Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +393
    Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +118
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +461
    Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1099510
    System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
    ——————————————————————————–
    Version Information: Microsoft .NET Framework Version:2.0.50727.4952; ASP.NET Version:2.0.50727.4927

  55. Amit September 9, 2010 at 12:23 am - Reply

    The URL is https://REALM/_trust/default.aspx
    I do NOT have any SP 2010 CU installed. Any pointers?

  56. Amit September 9, 2010 at 1:32 am - Reply

    Did anyone get it fully working?

  57. Amit September 10, 2010 at 4:21 pm - Reply

    @Amit

    If that helps anyone, the DNS Name on MSM site registration must be in “urn::” format and realm of SharePoint 2010 trusted identity token issuer must match the registered DNS Name on MSM. Return URL is not affected by DNS name.
    For example,
    Domain Name: mydomain.com
    DNS Name: urn:subdomain:Geneva
    Return URL: https://subdomain.part.anotherpart.mydomain.com/_trust/default.aspx

    This resolves the Microsoft.SharePoint.Administration.SPAlternateUrl.Canonicalize(Uri uri) error I was seeing earlier.

  58. Kevin September 13, 2010 at 10:36 am - Reply

    @Amit:

    My main issue is when I attempt to log into my site (portal.dev.com), I am redirected to the Windows Live login screen, but receive the error “The Windows Live Network is unavailable from this site for one of the following reasons…”

    I initially used the FQDN name (portal.dev.com) of my SharePoint site as the DNS name for MSM, but after reading your comments, I attempted to use “urn:portal:kjmtest”

    When I submit that request, I receive a number of errors, such as illegal leading/trailing spaces, bad http formats, etc. How did you actually register a site with MSM if the “urn:abc:def” format is not accepted?

    Also: I believe I understand that whatever the DNS entry is in MSM, it has to match the “$realm” in the PowerShell commands. If you’ve already set up the membership provider, can you simply re-run the PowerShell commands to change the realm of the membership provider? Or is there some delete process you would need to go through?

  59. madnik7 September 17, 2010 at 6:26 pm - Reply

    Hi andy
    Here is another solution that supports both OpenID and Windows Live ID together; in this solution the Security Token Service (STS) is installed on the same machine. It has some benefits, such as granting permission just by e-mail, and e-mail verification too, which is a great feature to prevent our mail server from sending spam to unwanted e-mail addresses. It is installed as a security token service and doesn’t need an ADFS 2.0 server.
    Another benefit is that you can add Live users with the SharePoint People Picker, and you can also give access to a user just by a valid e-mail.
    Check it here: http://www.shetabtech.com/english/SharePointLiveAuth

  60. Ben October 22, 2010 at 9:04 am - Reply

    @Carlos Morales
    The dash is an “em dash”
    “https://login.live—int.com/login.srf”
    should be
    “https://login.live-int.com/login.srf”

    – instead of —
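
For the copy-and-paste dash problem Aaron Boswell and Ben describe above, and the realm/DNS Name match Amit describes in comment 57, here is an added PowerShell pre-flight check to run before New-SPTrustedIdentityTokenIssuer; it is not code from the post or from Fpweb.net. The function names and the sample values are constructed for illustration.

```powershell
# Added example, not code from the post or from Fpweb.net: a pre-flight check
# for the values handed to New-SPTrustedIdentityTokenIssuer. Function names
# and the sample values below are constructed for illustration.

function Test-LiveIdSignInUrl {
    # Returns a list of problems found in the -SignInUrl value (empty = clean).
    param([Parameter(Mandatory = $true)][string]$Url)

    $problems = @()

    # A hyphen pasted from a web page often arrives as U+2013/U+2014 (en/em
    # dash). Report every non-ASCII character with its code point so the
    # offending character can be located in the pasted command.
    $badChars = $Url.ToCharArray() | Where-Object { [int]$_ -gt 0x7F } | Select-Object -Unique
    foreach ($c in $badChars) {
        $problems += ('Non-ASCII character U+{0:X4} ("{1}") in URL' -f [int]$c, $c)
    }

    # The cmdlet needs an absolute https URI; a host name containing a dash
    # look-alike is what produced the UriFormatException quoted above.
    $parsed = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$parsed)) {
        $problems += 'URL does not parse as an absolute URI'
    } elseif ($parsed.Scheme -ne 'https') {
        $problems += ("Scheme is '{0}', expected https" -f $parsed.Scheme)
    }

    return ,$problems
}

function Repair-LiveIdSignInUrl {
    # Replaces dash look-alikes (hyphen, non-breaking hyphen, figure dash,
    # en dash, em dash, horizontal bar: U+2010..U+2015) with an ASCII '-'.
    param([Parameter(Mandatory = $true)][string]$Url)
    return ($Url -replace '[\u2010-\u2015]', '-')
}

function Test-LiveIdRealm {
    # Returns $null when -Realm equals the DNS Name registered at MSM, else a
    # message. Per Amit's comment the two must match exactly, so the comparison
    # is ordinal (case and every character significant).
    param(
        [Parameter(Mandatory = $true)][string]$Realm,
        [Parameter(Mandatory = $true)][string]$RegisteredDnsName
    )
    if ([string]::CompareOrdinal($Realm, $RegisteredDnsName) -ne 0) {
        return ("Realm '{0}' does not match registered DNS Name '{1}'" -f $Realm, $RegisteredDnsName)
    }
    return $null
}

# --- Constructed sample run --------------------------------------------------
# The first URL carries the em dash (U+2014) seen in the pasted command above.
$pastedUrl = 'https://login.live' + [char]0x2014 + 'int.com/login.srf'
$fixedUrl  = Repair-LiveIdSignInUrl -Url $pastedUrl

Write-Host 'Problems with the pasted URL:'
@(Test-LiveIdSignInUrl -Url $pastedUrl) | ForEach-Object { Write-Host "  $_" }
Write-Host ('Problems with the repaired URL ({0}): {1}' -f $fixedUrl, @(Test-LiveIdSignInUrl -Url $fixedUrl).Count)

# Realm check with the urn-style DNS Name from the comment above; the first
# candidate is a plausible wrong guess (the site URL), the second is correct.
$dnsName = 'urn:subdomain:Geneva'
foreach ($candidate in @('https://subdomain.part.anotherpart.mydomain.com', $dnsName)) {
    $msg = Test-LiveIdRealm -Realm $candidate -RegisteredDnsName $dnsName
    if ($msg) { Write-Host $msg } else { Write-Host "Realm '$candidate' matches the registered DNS Name." }
}

# Only run the real cmdlet (the post's own command, with $cert, $map1 and $map2
# already defined as in the post) once both checks are clean.
$urlClean   = (@(Test-LiveIdSignInUrl -Url $fixedUrl).Count -eq 0)
$realmClean = ($null -eq (Test-LiveIdRealm -Realm $dnsName -RegisteredDnsName $dnsName))
if ($urlClean -and $realmClean) {
    Write-Host 'Pre-flight checks passed; run New-SPTrustedIdentityTokenIssuer with -Realm $dnsName -SignInUrl $fixedUrl.'
    # New-SPTrustedIdentityTokenIssuer -Name "LiveIDInt" -Description "LiveIDInt" -Realm $dnsName `
    #     -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $fixedUrl `
    #     -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress"
}
```

The non-ASCII scan is the useful part: it names the exact code point, which a plain UriFormatException does not, so the same check works for a quote or space smuggled into -Realm or -IdentifierClaim by the same copy-and-paste route.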

  61. Akalpita December 8, 2010 at 1:50 am - Reply

    I get ‘The file type is not recognizable. Select another file.’ when I try to import the X509 certificate. Please help me with this.

  62. Joe January 6, 2011 at 9:36 pm - Reply

    Two questions:
    1. What is the purpose of ‘Manage Certificates’ in the Microsoft Site Manager site?
    2. Can this be set up by only using ‘e-mail’ claims and not UPN?
    3. If we are using certificates in step 1, should I care about using the x509 cert you described above?
    4. If we are using certificates in step 1 and not using UPN claims, should I care about having the [email protected] user?

    Thanks in advance for your help. I am looking to setup Sharepoint in a slightly different way than described above and can’t seem to make it work.

  63. Andy Milsark January 7, 2011 at 1:44 am - Reply

    @Joe
    Hi Joe! Thanks for reading!

    Wictor Wilen did a follow up and in depth walk through of setting up Live ID in his post here http://www.wictorwilen.se/Post/Visual-guide-to-Windows-Live-ID-authentication-with-SharePoint-2010-part-1.aspx
    If you are not an internal Microsoft entity, you will not have access to Live ID users’ email addresses, only their UPN. You will have to capture the email address after they register for your site.

    You need to properly configure the x509 certificate to communicate with the Live services. Your SharePoint site itself is required to use an SSL certificate in order to use Live services. These certificates are separate.

  64. Andy Milsark January 7, 2011 at 1:46 am - Reply

    @Akalpita
    My guess is that you did not copy the correct nodes of xml to your .cer file before the import.

  65. Andy Milsark January 7, 2011 at 1:49 am - Reply

    @madnik7
    That is a very neat solution, not free however 🙂

  66. Louis Hernandez January 7, 2011 at 2:31 pm - Reply

    I have Live Authentication working. Thank you for all the helpful information. My question is with regard to the cryptic names. Is there any way to display their real live ID?? Adding and maintaining users is a nightmare because I never really know who is who. All you get is the [email protected] ID.
    Any suggestions??
    Lou

  67. Nilesh Teli January 13, 2011 at 12:18 am - Reply

    Hi Lou,

    Did it work in the INT environment? We are using the INT environment but facing an issue. We get to see the Login screen and once we provide valid credentials it goes into a loop. We have even tried to debug it using Fiddler but without success. The last URL we get from Fiddler is ‘http://account.live-int.com:443’

    Any help will be appreciated.

    Thanks in advance.

    Nilesh

  68. Andy Milsark January 13, 2011 at 7:58 am - Reply

    @Nilesh Teli
    I have seen this loop before. Your URL indicated.. shouldn’t that be https://account.live-int.com ?

  69. Nilesh Teli January 19, 2011 at 3:56 am - Reply

    Thanks Andy. URL is not an issue. We are using https://account.live-int.com.
    One quick question: does http://www.live-int.com work for you through the browser? We are not able to sign in using a valid hotmail-int account. Can you confirm from your end that this ‘live-int’ environment is working fine at your end?
    Thanks

  70. Andy Milsark January 19, 2011 at 7:29 am - Reply

    @Nilesh Teli
    When I browse to http://www.live-int.com it redirects me to https://login.live-int.com and I am able to login.

  71. Nilesh January 29, 2011 at 1:08 am - Reply

    @Andy,

    After getting authenticated from Live ID we need to capture the email id and name of the user and associate it with the UID returned from Live ID. Do we need to implement a custom claims provider for this? If yes, can you please help me with the steps? We intend to have the flow as follows:
    1. User authenticates with Live Id and gets redirected to our site (this is already implemented and working fine)
    2. We need to extract PUID of the user from token and direct him to the form to capture additional details i.e. name ,email id etc.
    3. We store this info in a custom DB along with the PUID mapping
    4. We intend to show Name of user instead of PUID on our site. Also people picker should allow us to select from our DB than Live Id

    Any suggestions.
    Thanks in advance

  72. Sam February 8, 2011 at 12:42 pm - Reply

    Is anyone else having trouble with the live-int.com sites? The login.live-int.com page seems to work, but the account pages don’t seem to work nor does the redirect from sharepoint. It seems the server times out.

    Thanks,
    Sam

  73. stephanus February 21, 2011 at 7:09 am - Reply

    Hi Sam,

    Same here, on firefox the message I get is "The server at account.live-int.com is taking too long to respond."

    Any idea why?
