Plan for authentication in Project Server 2010
Applies to: Project Server 2010
Topic Last Modified: 2011-10-21
In this article:
Claims authentication and token issuance
This article describes planning for security in a Microsoft Project Server 2010 Enterprise Project Management (EPM) Solution. This material is useful for Project Management Organizations (PMOs) and system administrators who are responsible for planning the deployment of a Project Server 2010 EPM Solution.
The Project Server 2010 security model is largely inherited from the Microsoft SharePoint Server security model, by which users and groups (security principals) are granted permission to access security objects. The Project Server 2010 security model allows you to control and manage access to projects, resources, and reports stored in the Project Server 2010 content database; Project Web App pages; and features that are available in Project Server 2010 and Project Web App. In addition, the security architecture enables you to manage many users and projects easily by assigning permissions to groups of users and unique categories. This reduces the number of times that you need to update permissions in Project Web App.
Users can connect to Project Server in several ways:
Project Web App client
Microsoft Project Professional 2010 client
Microsoft Outlook 2010 though Exchange Server integration
When accessing Project Server 2010 by any one of these methods, a user can be authenticated to Project Server 2010 though either Windows authentication, Claims authentication, or forms-based authentication.
Claims authentication and token issuance
Claims authentication is an authentication mechanism provided in Project Server 2010 by SharePoint Server 2010 that uses a security token that contains a set of identity assertions about an authenticated user. These assertions are attributes that are associated with a user’s identity and can include a user name, a role, an employee ID, and various other custom attributes that can be used to determine authorization and permission levels for access to Project Server 2010 resources and data. Assertions are made up of a list of types and values. A type can be an employee name, for example, and a value can be a text string. Security tokens are issued and managed by a Security Token Service (STS). An STS encapsulates a collection of assertions, based on attributes specified by a policy, into a security token that can be used to authenticate and authorize a user.
The Security Token Service (STS) is a Web service that responds to authentication requests by issuing security tokens made up of identity claims that are based on user account information in attribute stores. An attribute store can be contained within Active Directory Domain Services, a SQL Server database, or an LDAP store. The content of each security token is determined by the attribute type requirements of the authentication requests that are agreed upon for an STS and the Project Server farm. An agreed-upon collection of claims and claim rules is known as a policy. Policies are available in a policy store and are accessed by an STS, based on the requirements of the calling Web application.
Changing the authentication mode in IIS to certificate authentication is unsupported and results in a failure for any calls to projectserver.svc. For more information, see Configure Client Certificate Authentication (SharePoint Server 2010).
Forms-based authentication is a term that is used to encapsulate any authentication model whereby a user enters a user name and password on a form that is then posted to an authentication server to process and verify the information. Project Server 2010 uses SharePoint Server 2010 for the extensions necessary to take advantage of ASP.NET in forms-based authentication. One important difference in Project Server 2010 from Microsoft Office Project Server 2007 is that forms-based authentication in Project Server 2010 uses the claims authentication infrastructure and requires that a claims mode Web application be set up in the SharePoint Central Administration Web site. There are two authentication store options available when using forms-based authentication with Project Server 2010:
SQL Server-based forms authentication requires creating an authentication store in SQL Server.
AD-LDAP–based forms authentication uses the Active Directory directory service as an authentication store and requires no additional configuration.