Because Jive for SharePoint uses impersonation, steps must be taken to restrict
impersonation requests so that only authorized requests are performed. The
configuration for these restrictions is discussed in:
There are two ways to restrict impersonation: by service account and by
originating IP address. Restricting by service account is recommended. Restricting by
originating IP address can also be done, but if load balancers are used in front of
SharePoint or Jive it is less useful without extra network configuration, because the
requests then appear to come from the load balancer's address rather than the real sender.
SharePoint Restriction Validation
- (Optional) Test with validation turned off.
  - Validate that no restrictions are set. Review the settings on Configuring the Farm For Jive and verify that:
    - Impersonation is allowed.
    - Valid Incoming IP Addresses for Impersonation is blank.
    - Valid Incoming Service Accounts for Impersonation is blank.
  - Test hitting the custom SharePoint web services.
    - Log into SharePoint as a regular user (not a service account). IE or Firefox are ideal browsers for this because the results are easier to see (Chrome does not show results very well).
    - Determine a user you want to impersonate (not the account used above).
    - Change the URL in your browser to the following, replacing <user> with the login of the user chosen in the step above (do not include the domain):
      - <site_url>/_layouts/jive/webs.svc/rest/getwebs/<user>
      - For example: http://sharepoint.mycompany.com/_layouts/jive/webs.svc/rest/getwebs/john.doe
    - You should see results in your browser showing a <webCollection> with more details. If this were to fail due to impersonation restrictions, you would see something like:
      - Invalid service account of '<domain>\<user>' for impersonation. Request denied.
      - Invalid user host address of '<ip address>' for impersonation. Request denied.
- Restrict the service account.
  - Update SharePoint configuration to restrict the service account.
    - Navigate to Configuring the Farm For Jive.
    - Add each SharePoint service account specified in Adding a SharePoint Location to the Valid Incoming Service Accounts field. Hit the check icon to validate that the user is found.
    - Save your changes.
    - Perform an IISRESET (on all web front ends).
  - Test hitting the SharePoint web services with service accounts restricted.
    - Perform all steps under Step 1.2: Test hitting the custom SharePoint web services above. This should fail.
    - Perform all steps under Step 1.2: Test hitting the custom SharePoint web services above, but log into SharePoint using one of the service accounts. This should succeed.
- (Optional) Restrict the incoming IP address.
  - Update SharePoint configuration to restrict the IP address.
    - Navigate to Configuring the Farm For Jive.
    - Add each Jive server IP address to the Valid Incoming IP Addresses for Impersonation field. Separate each IP address with a newline/return.
      Note: You may need to add both IPv4 and IPv6 addresses. If you have load balancers in front of SharePoint, this setting should be left blank unless you can set up your network such that Jive->SharePoint requests bypass the load balancers and go directly to a SharePoint server. Otherwise you would need to enter the load balancer IP address here, and that would defeat the purpose of this restriction.
    - Save your changes.
    - Perform an IISRESET (on all web front ends).
  - Test hitting the SharePoint web services with incoming IP addresses restricted.
    - Perform all steps under Step 1.2: Test hitting the custom SharePoint web services above, but log into SharePoint using one of the service accounts and make sure your browser is not running from a Jive server. This should fail.
    - Perform all steps under Step 1.2: Test hitting the custom SharePoint web services above, but log into SharePoint using one of the service accounts and make sure your browser is running from a Jive server. This should succeed.
Jive Restriction Validation
- (Optional) Test with validation turned off.
  - Validate that no restrictions are set. Review the settings on System Properties for SharePoint Integration and verify that:
    - The system property sharepoint.ip.restrictions is blank or non-existent.
    - The system property sharepoint.serviceaccount.restrictions is blank or non-existent.
  - Test hitting the custom Jive web services.
    - Log into Jive as a regular user (not a service account and not a Jive admin account). IE or Firefox are ideal browsers for this because the results are easier to see (Chrome does not show results very well).
    - Determine a user you want to impersonate (not the account used above).
    - Change the URL in your browser to the following, replacing <user> with the login of the user chosen in the step above (do not include the domain):
      - <jive_url>/rpc/rest/spintegration/places?username=<user>
      - For example: http://jive.mycompany.com/rpc/rest/spintegration/places?username=john.doe
    - You should see results in your browser showing a <places> with more details. If this were to fail due to impersonation restrictions, you would see something like:
      - User not authorized for this type of request. User was not found in 'sharepoint.serviceaccount.restrictions' and/or requesting IP was not found in 'sharepoint.ip.restrictions'.
- Restrict the service account.
  - Update Jive configuration to restrict the service account.
    - Review configuration settings on System Properties for SharePoint Integration.
    - Create (or update) a property called sharepoint.serviceaccount.restrictions to contain the Jive service account(s) specified in Manage Jive Installations. Separate multiple names with a comma. Do not include domain names.
    - Save your changes.
  - Test hitting the Jive web services with service accounts restricted.
    - Perform all steps under Step 1.2: Test hitting the custom Jive web services above. This should fail.
    - Perform all steps under Step 1.2: Test hitting the custom Jive web services above, but log into Jive using one of the service accounts. This should succeed.
- (Optional) Restrict the incoming IP address.
  - Update Jive configuration to restrict the IP address.
    - Review configuration settings on System Properties for SharePoint Integration.
    - Create (or update) a property called "sharepoint.ip.restrictions" to contain each SharePoint server IP address. Separate each IP address with a comma.
      Note: You may need to add both IPv4 and IPv6 addresses. If you have load balancers in front of Jive, this setting may not work as well and you may want to go without setting this property. If you can set up your network such that SharePoint->Jive requests bypass the load balancers and go directly to a Jive server, it should work fine. Otherwise it may require that you enter the load balancer IP address here, and that would defeat the purpose of this restriction.
    - Save your changes.
  - Test hitting the Jive web services with incoming IP addresses restricted.
    - Perform all steps under Step 1.2: Test hitting the custom Jive web services above, but log into Jive using one of the service accounts and make sure your browser is not running from a SharePoint server. This should fail.
    - Perform all steps under Step 1.2: Test hitting the custom Jive web services above, but log into Jive using one of the service accounts and make sure your browser is running from a SharePoint server. This should succeed.
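The allow/deny decisions that both validation sections above check by hand, as an added Python model of the two restriction checks (this is not Jive's or SharePoint's own code). It assumes that a blank or missing setting means unrestricted, that logins are compared without the domain, and that entries may be separated by commas or newlines; the sample accounts and addresses are constructed.

```python
import ipaddress
import re
from typing import Optional

JIVE_DENIED = ("User not authorized for this type of request. User was not found in "
               "'sharepoint.serviceaccount.restrictions' and/or requesting IP was not "
               "found in 'sharepoint.ip.restrictions'.")

def _entries(value: Optional[str]) -> set:
    """Split a restriction setting; blank or missing means 'no restriction'.
    Assumption: entries are separated by commas (Jive) or newlines (SharePoint)."""
    return {e.strip() for e in re.split(r"[,\n]", value or "") if e.strip()}

def _login(account: str) -> str:
    """Compare logins without the domain (DOMAIN\\user or user@domain), case-insensitively."""
    return account.rsplit("\\", 1)[-1].split("@", 1)[0].lower()

def _ips(entries: set) -> set:
    # Strict family match: an IPv6 caller never matches an IPv4 entry, which is why
    # the notes above say to list both the IPv4 and IPv6 address of each server.
    return {ipaddress.ip_address(e) for e in entries}

def sharepoint_check(valid_accounts: str, valid_ips: str, caller: str, caller_ip: str) -> Optional[str]:
    """Model of the farm-level check. Returns None when allowed, else the denial text."""
    accounts = {_login(a) for a in _entries(valid_accounts)}
    ips = _ips(_entries(valid_ips))
    if accounts and _login(caller) not in accounts:
        return f"Invalid service account of '{caller}' for impersonation. Request denied."
    if ips and ipaddress.ip_address(caller_ip) not in ips:
        return f"Invalid user host address of '{caller_ip}' for impersonation. Request denied."
    return None

def jive_check(props: dict, caller: str, caller_ip: str) -> Optional[str]:
    """Model of the Jive-side check driven by the two system properties."""
    accounts = {_login(a) for a in _entries(props.get("sharepoint.serviceaccount.restrictions"))}
    ips = _ips(_entries(props.get("sharepoint.ip.restrictions")))
    account_ok = not accounts or _login(caller) in accounts
    ip_ok = not ips or ipaddress.ip_address(caller_ip) in ips
    return None if account_ok and ip_ok else JIVE_DENIED

if __name__ == "__main__":
    # Constructed sample values walking the SharePoint test matrix from the section above.
    print(sharepoint_check("", "", "CORP\\jane.doe", "10.0.0.5"))               # None: unrestricted
    print(sharepoint_check("svc_jive", "", "CORP\\jane.doe", "10.0.0.5"))       # denied: regular user
    print(sharepoint_check("svc_jive", "10.0.0.5", "CORP\\svc_jive", "10.0.0.5"))  # None: allowed
```

Running the model against a load-balanced layout (every caller reported as the balancer's address) shows why the IP restriction adds nothing in that case: the address check passes for anyone the balancer forwards.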