SharePoint Workspace and Single Sign-on

For those of you who are new to SharePoint Workspace – welcome and thank you for exploring the product. You can comfortably proceed on to other parts of the web without reading the rest of this blog entry.  However, for those of you keen on a little history lesson or come from our Groove customer base – please read on to learn about changes to our sign-in process.

One of the early design goals for Groove has always been around security. Picture the time – it was the late nineties and the founders saw how much trouble there was to have easy and secure collaboration with others inside or outside your organization. When I joined the company as a field sales engineer in mid-2002, I was stunned that the first part of the training was security – it was unique. Many other products I had worked with saw security as a bolt-on for later releases.

That being said, there is a price to pay for stringent security in any product. And unfortunately, casual users always seem to pay that price first. Enterprises often struggled with the basic operational aspects of password management, account resets, and other security measures in Groove. Those who really wanted these features loved us; and the larger majority suffered through this aspect of our product or sometimes (gasp) abandoned us for simpler (even if less secure) technologies.

Advance the clock forward 12 years to now and the world has changed a lot since the very early days of Groove. OS security has improved greatly. Two of these aspects that are keen to SharePoint Workspace security are the login process and disk encryption. I’ll set aside data encryption - my colleague Drew Harris plans to cover that topic in a future blog.

The SharePoint Workspace engineering team looked at the login process and decided that we could solve a real pain for a large majority of our customer base while simplifying the product as well. This brings us to describe one of the changes you will first see when you use SharePoint Workspace: you will not have to login.

I’ll rely upon Leon Alexandrou to walk us through what that means to you and to your IT team that supports SharePoint Workspace.

SharePoint Workspace 2010 now has a single sign-on experience where logging onto your Windows OS account will also automatically log you onto your SharePoint Workspace 2010 account. Our implementation uses the Windows Data Protection (DPAPI) to maintain secure access to your account while using your Windows logon for protection. It supports password or smartcard logon, and works whether your PC is Active Directory domain joined or in a Workgroup.

Behind the scenes with single sign-on, SharePoint Workspace 2010 has a master key that is used to encrypt the account. The account master key is secured using the master key password. The master key password is a large, machine-generated random string, unknown to the user. The master key password is then separately encrypted via DPAPI based on the user’s Windows logon. When the user successfully logs onto Windows, the master key password is then accessible and may then be used to decrypt the account master key, and subsequently unlock the user’s SharePoint Workspace 2010 account.

For IT Pros who have had to manage Groove in the past, this should come as good news. Gone are the days of password resets just because a user changed his hardware or did not use his account for an extended period.

And for enterprises operating managed systems, there is a Groove Server 2010 Manager policy available that can restrict managed accounts to a list a of specified Active Directory domain(s). This can restrict the users’ managed accounts to Active Directory domains the enterprise manages.

While single sign-on is the general user experience for all SharePoint Workspace 2010 users, there are occasions where the user account may need to be recovered. In such cases the user may be one time prompted for an account recovery password. Occasions when this may happen include: on upgrade from Office Groove 2007, after adding to the SharePoint Workspace 2010 account to new PC or upon a user’s Windows logon credential reset.

We recognize this is a change for our Groove customers and that is why we wanted to cover it here. We believe based upon our conversation with customers that most of them will enjoy this new approach while removing a barrier to daily usage of our product.

Paul Cannon
Leon Alexandrou