SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How will SharePoint 2013 connect you to your partners?

How will SharePoint 2013 allow organizations to collaborate and share knowledge with clients and partners? SharePoint lets organizations build extranet sites and partner portals inexpensively and securely. Learn about the Product Catalog site template and how you can use it. Learn about the new improvements in SharePoint 2013 regarding extranets. Learn how SharePoint 2013 can help your organization open its doors to its clients and partners securely.

Transcript of "SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How will SharePoint 2013 connect you to your partners?"

Slide 1: www.expertpointsolutions.com
SharePoint 2013 Extranets & Authentication

Slide 2: About Brian Culver
• SharePoint Solutions Architect for Expert Point Solutions
• Based in Houston, TX
• Author
  • Upcoming: SharePoint 2013 Workflows
  • SharePoint 2010 Unleashed
  • Various white papers
• Speaker and blogger

Slide 3: Working on it…

Slide 4: Session Agenda
• Extranet Definition
• Extranet Design Considerations & Challenges
• Common Extranet Scenarios and Topologies
• SharePoint Authentication
• Mixed Mode vs. Multi-Authentication
• Extranet Portal Structures
• Mobile and Device Channels

Slide 5: Extranet - Definition
• A web application that is shared with external users, such as partners, vendors, and customers
• Common attributes of an extranet:
  • Shares a private or secured network
  • Requires authenticated access, but the identity of the consumer is not always known
  • Has better security controls than an Internet web application, but is usually less secure than the intranet
  • Web application

Slide 6: Extranet – Why?
• Better collaboration
• Higher ROI
• Employee access 24/7
• Targeting content
• Selling products and services
• Better support
• Improved efficiency
• Improved communication
• Unite workforce experience
• …

Slide 7: Extranet Design Considerations & Challenges
• Network topology and access
  • On-premises scenarios
  • Hybrid scenarios
• Identity management (AD, FBA, ADFS)
• Seamless single sign-on experience
• Content security and access
• Antivirus - client vs. server
• Mobile device experience
• Licensing

Slide 8: Common Extranet Scenarios

Slide 9: Edge Firewall Topology (diagram): the whole farm stays on the corporate network; a single firewall or reverse proxy at the network edge publishes it to external users.

Slide 10: Back-to-Back Perimeter Topology (diagram): the whole farm, including SQL Server, sits in a perimeter network between an outer and an inner firewall.

Slide 11: Split Back-to-Back Topology (diagram): the farm is split across the inner firewall, with the web servers in the perimeter network and the database servers (and optionally the application servers) on the corporate network.

Slide 12: Hybrid Extranets
• Using Office 365 – SaaS/PaaS
  – Avoids firewall and topology hassles
  – Allows "Sharing" with external users
  – 50 free external users; with Enterprise accounts, 500 free external users
• Azure infrastructure – IaaS
  – Build dedicated farms on the Microsoft cloud
  – Scale out by adding servers
  – Federate with the corporate domain
• For more info: http://technet.microsoft.com/en-us/library/jj151794.aspx

Slide 13: Security Terms
• Authentication is the mechanism by which a system securely identifies its users
  • Creates an identity for a security principal
  • "Who am I?"
• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to the secured resources the system controls
  • Determines what resources an identity has access to
  • "What can I access?"

Slide 14: SharePoint Authentication
• SharePoint does not authenticate users itself; it relies on:
  • Windows authentication via Windows Server and IIS (Kerberos/NTLM)
  • FBA via ASP.NET membership and role providers (SQL, LDAP, etc.)
  • Web SSO via Active Directory Federation Services (ADFS) and other identity management systems
• SharePoint creates user profiles
  • The SPUser object represents the security principal
  • The User Information List in each site collection tracks the users known to that site collection

Slide 15: SharePoint 2010 Security
• SharePoint 2010 changes authentication
  • Uses classic mode and claims-based authentication
  • Classic mode is the SharePoint 2007-style legacy mode
  • Claims-based authentication is the new security model
• What are the benefits?
  • Claims decouple SharePoint from the authentication provider
  • Allows SharePoint to support multiple authentication providers per URL
  • Identities can be passed without Kerberos delegation
  • Allows federation between organizations
  • ACLs can be configured with DLs, audiences and OUs

Slide 16: SharePoint 2013 Security
• SharePoint 2013 authentication:
  • Still supports classic mode and claims-based authentication
  • Claims-based authentication is the default security model
• Supported authentication modes:
  • Windows claims-mode sign-in (default)
  • SAML passive sign-in mode
  • ASP.NET membership and role passive sign-in
  • Windows classic-mode sign-in (deprecated in SP2013)
• Claims authentication is basically the only way to go!

Slide 17: Identity Normalization (diagram): whichever provider authenticated the user, SharePoint turns the result into one claims identity and encodes it into a login name of the form i:0#.w|domain\user (Windows) or i:0#.f|provider|user (FBA).

Slide 18: Claims-Based Terminology
• Identity: security principal used to configure the security policy
• Claim (assertion): attribute of an identity (such as login name, AD group, etc.)
• Security token: serialized set of claims (assertions) about an authenticated user

Slide 19: Claim-based Authentication
• Security Token Service (STS): builds, signs and issues security tokens. It can receive and submit tokens.
• Issuing authority: identity management system(s) that "knows" the claims (AD, ASP.NET, LiveID, etc.)
• Identity provider: trusted party that creates and submits claims
• Relying party: application that makes authorization decisions based on received claims

Slide 20: Claim-based Authentication (diagram)

Slide 21: Claim-based Authentication (diagram)
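Added example, my own rather than the deck's: a PowerShell decoder and encoder for the encoded-claim login names that identity normalization produces (i:0#.w|domain\user for a Windows user, i:0#.f|provider|user for FBA, i:05.t|issuer|email for SAML). The provider, issuer and account names in the sample set are made up, and the character tables cover only the built-in claim types and issuer types named in the comments.

```powershell
# Added example (not from the deck): decode and build SharePoint 2013 encoded claims, the
# normalized login names that claims authentication produces for every provider type.
# Layout: [0] 'i' identity claim or 'c' other claim   [1] ':'   [2] '0' (reserved)
#         [3] claim type char   [4] value type char   [5] original issuer char   [6] '|'
#         then <value>, or <provider name>|<value> for issuers that carry a provider name.
# Only the built-in characters I am sure of are tabled; SharePoint assigns farm-specific
# characters to other claim types, which the decoder reports as "unknown".
$ClaimTypeChars = @{
    '!' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider'
    '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
    '+' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
    '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
    '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
}
$ValueTypeChars = @{ '.' = 'http://www.w3.org/2001/XMLSchema#string' }
$IssuerChars = @{   # issuer char -> display name, and whether a provider-name segment follows '|'
    'w' = @{ Name = 'Windows';                    HasProvider = $false }
    's' = @{ Name = 'SharePoint STS';             HasProvider = $false }
    'f' = @{ Name = 'Forms (ASP.NET membership)'; HasProvider = $true }
    't' = @{ Name = 'Trusted identity provider';  HasProvider = $true }
    'c' = @{ Name = 'Custom claim provider';      HasProvider = $true }
}

function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory)][string]$Encoded)
    if ($Encoded.Length -lt 8 -or $Encoded.Substring(1, 2) -ne ':0' -or $Encoded.Substring(6, 1) -ne '|') {
        throw "Not a SharePoint encoded claim: '$Encoded'"
    }
    $kindChar   = $Encoded.Substring(0, 1)
    $typeChar   = $Encoded.Substring(3, 1)
    $valueChar  = $Encoded.Substring(4, 1)
    $issuerChar = $Encoded.Substring(5, 1)
    $payload    = $Encoded.Substring(7)
    if ($kindChar -cne 'i' -and $kindChar -cne 'c') { throw "Unknown claim kind '$kindChar' in '$Encoded'" }
    if (-not $IssuerChars.ContainsKey($issuerChar)) { throw "Unknown issuer '$issuerChar' in '$Encoded'" }
    $issuer   = $IssuerChars[$issuerChar]
    $provider = $null
    $value    = $payload
    if ($issuer.HasProvider) {
        $split = $payload.IndexOf('|')          # first '|' only; the value itself may contain '|'
        if ($split -lt 1) { throw "Issuer '$issuerChar' needs '<provider>|<value>' in '$Encoded'" }
        $provider = $payload.Substring(0, $split)
        $value    = $payload.Substring($split + 1)
    }
    $kind      = if ($kindChar -ceq 'i') { 'Identity' } else { 'Claim' }
    $claimType = if ($ClaimTypeChars.ContainsKey($typeChar)) { $ClaimTypeChars[$typeChar] } else { "unknown ($typeChar)" }
    $valueType = if ($ValueTypeChars.ContainsKey($valueChar)) { $ValueTypeChars[$valueChar] } else { "unknown ($valueChar)" }
    [pscustomobject]@{ Encoded = $Encoded; Kind = $kind; ClaimType = $claimType; ValueType = $valueType
                       Issuer = $issuer.Name; Provider = $provider; Value = $value }
}

function ConvertTo-SPEncodedClaim {
    param([ValidateSet('Identity', 'Claim')][string]$Kind = 'Identity',
          [Parameter(Mandatory)][ValidateLength(1, 1)][string]$TypeChar,
          [Parameter(Mandatory)][ValidateSet('w', 's', 'f', 't', 'c')][string]$IssuerChar,
          [string]$Provider,
          [Parameter(Mandatory)][string]$Value)
    $IssuerChar = $IssuerChar.ToLowerInvariant()
    $issuer = $IssuerChars[$IssuerChar]
    if ($issuer.HasProvider -and [string]::IsNullOrEmpty($Provider)) { throw "Issuer '$IssuerChar' needs a provider name" }
    if (-not $issuer.HasProvider -and $Provider) { throw "Issuer '$IssuerChar' does not carry a provider name" }
    $kindChar = if ($Kind -eq 'Identity') { 'i' } else { 'c' }
    $payload  = if ($issuer.HasProvider) { "$Provider|$Value" } else { $Value }
    return ($kindChar + ':0' + $TypeChar + '.' + $IssuerChar + '|' + $payload)   # '.' = string value type
}

# Constructed sample principals (provider, issuer and account names are made up).
$Samples = @(
    'i:0#.w|contoso\bculver'                                # Windows claims user
    'i:0#.f|fbamembershipprovider|bculver'                  # FBA user, same person
    'i:05.t|adfs|bculver@contoso.com'                       # SAML user keyed by e-mail, same person
    'c:0+.w|s-1-5-21-1004336348-1177238915-682003330-1105'  # AD group by SID (made-up SID)
    'c:0-.f|fbaroleprovider|partner-admins'                 # FBA role
    'c:0!.s|windows'                                        # "All Users (windows)"
)
function Show-SampleClaims { $Samples | ForEach-Object { ConvertFrom-SPEncodedClaim $_ } }
Show-SampleClaims | Format-Table Kind, Issuer, Provider, Value, ClaimType -AutoSize
ConvertTo-SPEncodedClaim -TypeChar '#' -IssuerChar 'f' -Provider 'fbamembershipprovider' -Value 'bculver'
# The three "bculver" strings above are three different principals to SharePoint: a permission
# granted to the Windows identity does nothing for the FBA or SAML sign-in of the same person.
```

That last point is the one to plan for in a mixed or multi-authentication extranet: the same human arriving through AD, FBA and ADFS is three distinct SharePoint users, and permissions, web application policies and site ownership have to be granted to the encoded string of the identity the person will actually sign in with.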
Slide 22: Mixed Mode Authentication vs Multi-Authentication (diagram)
Both halves of the diagram show one SharePoint farm with one web application extended into the five zones (Default, Intranet, Internet, Extranet, Custom).
• Mixed authentication: each zone has its own URL and exactly one authentication method, for example Windows authentication on one zone and FBA authentication on another.
• Multi-authentication: a single zone (one URL) offers several methods at once, for example Windows, FBA and SAML-based authentication side by side.

Slide 23: Auth Scenarios - Multi Authentication (diagram)

Slide 24: Authentication Scenarios - Mixed Mode: When to Use It (bullets empty in the transcript)

Slide 25: Authentication Scenarios - Multi Authentication: When to Use It (bullets empty in the transcript)

Slide 26: FBA Claims Configuration
1. Run C:\Windows\Microsoft.NET\Framework\v2.0.x\aspnet_regsql.exe or C:\Windows\Microsoft.NET\Framework\v4.0.x\aspnet_regsql.exe
2. Enable claims authentication on the web application via Central Administration
3. Modify web.config for the FBA web application
4. Modify web.config for Central Administration

Slide 27: FBA Claims Configuration (continued)
5. Modify web.config for the Security Token Service
   • %programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken (SharePoint 2010)
   • %programfiles%\common files\Microsoft Shared\web server extensions\15\WebServices\SecurityToken (SharePoint 2013)
   • The change must be made to the Security Token Service virtual directory on every server hosting Central Administration or the claims-based web application
6. Configure the FBA provider in Central Administration
7. Create a web application policy to give the SQL (FBA) user(s) access to the site
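Added example, my own rather than the deck's: steps 1 and 3 to 7 scripted in the SharePoint 2013 Management Shell. Everything named in it is assumed (SQL Server SQL01, database FBADB, providers fbamembershipprovider and fbaroleprovider, web application https://extranet.contoso.com, first FBA user bculver). It writes the same membership and role provider entries into the three web.config files, registers the provider on the Default zone next to whatever is already there, and adds the step 7 policy. Two things the slides leave implicit: the web.config edits are per server, so run the script on every web and application server; and a web application policy applies to every site collection in the web application, so give it to one bootstrap account only.

```powershell
# Added example: FBA steps 1 and 3-7 scripted. Server, database, provider and user names are
# assumed. Steps 3-5 edit web.config files that exist on EVERY server, so run this on each one.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SqlServer          = 'SQL01'                          # assumed
$FbaDatabase        = 'FBADB'                          # assumed
$MembershipProvider = 'fbamembershipprovider'          # assumed; must be identical in all three web.configs
$RoleProvider       = 'fbaroleprovider'                # assumed
$WebAppUrl          = 'https://extranet.contoso.com'   # assumed claims-mode web application
$FirstFbaUser       = 'bculver'                        # assumed; the one account the policy grants
$ConnectionString   = "Server=$SqlServer;Database=$FbaDatabase;Integrated Security=SSPI"
$SystemWeb          = 'System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'

# Step 1: create the ASP.NET membership/role schema (.NET 4 folder of a default install).
# With integrated security the STS, Central Administration and web application app-pool
# accounts all need rights on this database (the aspnet_Membership_* / aspnet_Roles_* roles).
& (Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe') -S $SqlServer -E -A all -d $FbaDatabase

function Get-OrAddChild([System.Xml.XmlElement]$Parent, [string]$Name) {
    $child = $Parent.SelectSingleNode($Name)
    if ($null -eq $child) { $child = $Parent.AppendChild($Parent.OwnerDocument.CreateElement($Name)) }
    return $child
}
function Add-NamedEntry([System.Xml.XmlElement]$Parent, [System.Collections.IDictionary]$Attributes) {
    if ($Parent.SelectSingleNode("add[@name='$($Attributes['name'])']")) { return }   # already present
    $add = $Parent.AppendChild($Parent.OwnerDocument.CreateElement('add'))
    foreach ($key in $Attributes.Keys) { $add.SetAttribute($key, $Attributes[$key]) }
}
function Add-FbaProviders([string]$ConfigPath) {
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.pre-fba.bak" -Force   # keep a way back
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)
    $root = $xml.DocumentElement
    Add-NamedEntry (Get-OrAddChild $root 'connectionStrings') ([ordered]@{
        name = $FbaDatabase; connectionString = $ConnectionString })
    $systemWeb = Get-OrAddChild $root 'system.web'
    # Leave defaultProvider alone: a claims web application keeps SharePoint's own providers
    # ("i" for membership, "c" for roles) as defaults; ours are only listed next to them.
    Add-NamedEntry (Get-OrAddChild (Get-OrAddChild $systemWeb 'membership') 'providers') ([ordered]@{
        name                       = $MembershipProvider
        type                       = "System.Web.Security.SqlMembershipProvider, $SystemWeb"
        connectionStringName       = $FbaDatabase
        applicationName            = '/'
        passwordFormat             = 'Hashed'   # never 'Clear'
        minRequiredPasswordLength  = '12'
        maxInvalidPasswordAttempts = '5'        # lock the account after 5 failures ...
        passwordAttemptWindow      = '15'       # ... inside 15 minutes
        requiresQuestionAndAnswer  = 'false' })
    $roleManager = Get-OrAddChild $systemWeb 'roleManager'
    $roleManager.SetAttribute('enabled', 'true')
    Add-NamedEntry (Get-OrAddChild $roleManager 'providers') ([ordered]@{
        name                 = $RoleProvider
        type                 = "System.Web.Security.SqlRoleProvider, $SystemWeb"
        connectionStringName = $FbaDatabase
        applicationName      = '/' })
    $xml.Save($ConfigPath)
}

# Steps 3-5: the web application (Default zone here; each extended zone has its own web.config),
# Central Administration, and the Security Token Service.
$wa   = Get-SPWebApplication $WebAppUrl
$ca   = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$configs = @(
    (Join-Path $wa.GetIisSettingsWithFallback($zone).Path.FullName 'web.config')
    (Join-Path $ca.GetIisSettingsWithFallback($zone).Path.FullName 'web.config')
    (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\15\WebServices\SecurityToken\web.config')
)
foreach ($path in $configs) { Add-FbaProviders $path }

# Step 6: register the FBA provider on the zone alongside the providers already there.
$fba      = New-SPAuthenticationProvider -ASPNETMembershipProvider $MembershipProvider -ASPNETRoleProviderName $RoleProvider
$existing = @(Get-SPAuthenticationProvider -WebApplication $wa -Zone Default)
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider ($existing + $fba)

# Step 7: a web application policy applies to EVERY site collection in the web application and
# is managed outside the site permission pages, so grant it to one bootstrap account only and
# give all other FBA users access through ordinary site permissions.
$policy = $wa.Policies.Add("i:0#.f|$MembershipProvider|$FirstFbaUser", 'FBA bootstrap administrator')
$policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl))
$wa.Update()
```

After the script, sign in as the bootstrap account, grant the remaining FBA users and roles in the site's own permission pages, and consider replacing the FullControl policy with FullRead or removing it once a site collection administrator exists.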
Slides 28-32: FBA Claims Configuration (screenshots)

Slide 33: Sample Extranet Portal Structures

Scenario | Includes | Key design elements
--- | --- | ---
Corporate Portal with Path-based Sites | Most common types of sites deployed within an organization. | Path-based site collections; claims-based authentication; multiple authentication providers and authentication types implemented in a single zone
Extranet Portal with Host-named Sites | Most common types of sites deployed within an organization. | Host-named site collections; claims-based authentication; multiple authentication providers and authentication types implemented in a single zone
Extranet with Dedicated Zones for Authentication | Only the partner web site. Provides an alternate configuration for partner collaboration. | Host-named site collections; claims-based authentication; a different zone for each authentication method

Slide 34: Extranet Portal - Corporate Portal with Path-based Site Collections
• Traditional path-based site collections
• Dedicated web applications
• Single top-level site collection per web application
• Provides the additional isolation of multiple web applications with separate application pools

Slide 35: Extranet Portal - Corporate Portal with Host-named Site Collections
• Host-named site collections
• All sites deployed in a single web application
• Highly scalable and provides more flexibility in managing URLs
• 2013 recommended approach

Slide 36: Extranet Portal - Extranet with Dedicated Zones for Authentication
• Many top-level project sites with vanity URLs, using a host-named site for each project site (instead of organizing project sites underneath a top-level site collection)
• Additional isolation between domain URLs, which might be desired in a partner collaboration solution
• Additional cost of managing a greater number of host names, including managing SSL certificates
• If SAML authentication is used, additional configuration is required
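Added example, my own rather than the deck's, covering both the two authentication layouts of slide 22 and the host-named site collection layout of slides 34 to 36: provisioning with the SharePoint 2013 Management Shell. All host names, the managed account, the owner, the partner names and the FBA provider names are assumed, and the provider names must already exist in the web.config files. For the host-named sites, DNS and an IIS binding for each partner host name still have to point at the farm; that, plus the wildcard or SAN certificate the extra host names need, is the cost slide 36 mentions.

```powershell
# Added example: mixed mode vs multi-authentication web applications, plus host-named site
# collections. Host names, accounts, provider and partner names are all assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$PoolAccount = Get-SPManagedAccount 'CONTOSO\sp_extranet'   # assumed managed account
$Owner       = 'CONTOSO\sp_admin'                           # assumed site collection owner
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication   # NTLM/Kerberos, as claims
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider 'fbamembershipprovider' -ASPNETRoleProviderName 'fbaroleprovider'

function New-ExtranetWebApplication {
    param([Parameter(Mandatory)][ValidateSet('Mixed', 'Multi')][string]$Mode,
          [Parameter(Mandatory)][string]$InternalHost,   # Default zone URL (Windows users)
          [string]$PartnerHost)                          # Extranet zone URL (Mixed mode only)
    # Without -AuthenticationProvider, New-SPWebApplication creates a CLASSIC-mode web
    # application in 2013 (deprecated); always pass the providers explicitly.
    $defaultProviders = if ($Mode -eq 'Multi') { @($win, $fba) } else { @($win) }
    $wa = New-SPWebApplication -Name "Extranet ($Mode)" -ApplicationPool "Extranet $Mode" -ApplicationPoolAccount $PoolAccount `
            -HostHeader $InternalHost -Url "https://$InternalHost" -Port 443 -SecureSocketsLayer `
            -AuthenticationProvider $defaultProviders -DatabaseName "WSS_Content_Extranet_$Mode"
    if ($Mode -eq 'Mixed') {
        # Mixed: partners get their own zone and URL with FBA only. Default keeps Windows, which the
        # search crawler (NTLM against the Default zone) and the intranet users rely on.
        New-SPWebApplicationExtension -Identity $wa -Name "Extranet ($Mode) partners" -Zone Extranet `
            -HostHeader $PartnerHost -Url "https://$PartnerHost" -Port 443 -SecureSocketsLayer `
            -AuthenticationProvider $fba | Out-Null
    }
    # Multi: both providers answer on the one URL; users choose Windows or Forms on the sign-in page.
    return $wa
}

# Host-named site collections (slides 34-36): one web application, a vanity host per partner.
# A root path-based site collection must exist before host-named sites are created. DNS and an
# IIS binding (or a web application created without a host header) must deliver each partner
# host name to this IIS site; the certificate on it then needs to cover every such name.
function New-PartnerSites([Microsoft.SharePoint.Administration.SPWebApplication]$WebApp, [string[]]$Partners) {
    if (-not (Get-SPSite $WebApp.Url -ErrorAction SilentlyContinue)) {
        New-SPSite -Url $WebApp.Url -OwnerAlias $Owner -Template 'STS#0' -Name 'Root' | Out-Null
    }
    foreach 
($p in $Partners) {
        New-SPSite -Url "https://$p.partners.contoso.com" -HostHeaderWebApplication $WebApp `
            -OwnerAlias $Owner -Template 'STS#0' -Name "$p partner portal"
    }
}

# Which authentication methods each zone actually exposes: the check to run after provisioning.
function Get-ZoneAuthSummary([Microsoft.SharePoint.Administration.SPWebApplication]$WebApp) {
    $zones = Get-SPAlternateURL -WebApplication $WebApp | Select-Object -ExpandProperty Zone -Unique
    foreach ($zone in $zones) {
        $names = (Get-SPAuthenticationProvider -WebApplication $WebApp -Zone $zone | ForEach-Object { $_.DisplayName }) -join ', '
        [pscustomobject]@{ WebApplication = $WebApp.DisplayName; Zone = $zone; Providers = $names }
    }
}

$mixed = New-ExtranetWebApplication -Mode Mixed -InternalHost 'intranet.contoso.com' -PartnerHost 'partners.contoso.com'
$multi = New-ExtranetWebApplication -Mode Multi -InternalHost 'portal.contoso.com'
New-PartnerSites -WebApp $multi -Partners 'fabrikam', 'tailspin' | Select-Object Url, HostHeaderIsSiteName
$mixed, $multi | ForEach-Object { Get-ZoneAuthSummary $_ } | Format-Table -AutoSize
```

The summary at the end is the check worth keeping: in the mixed web application every zone should list exactly one provider, and in the multi-authentication one the Default zone should list both. A zone that unexpectedly carries Windows authentication on a partner-facing URL is the usual misconfiguration, because it invites NTLM password guessing against internal accounts from the Internet.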
Slide 37: Mobile Browser Experience
SharePoint Server 2013 offers improvements to the mobile browser experience with the introduction of a new contemporary view. Depending on the mobile browser, users have one of the following browsing options:
• Contemporary view: an optimized mobile browser experience that renders in HTML5. This view is available to Mobile Internet Explorer 9.0 or later for Windows Phone 7.5, Safari 4.0 or later for iPhone iOS 5.0, and the Android browser for Android 4.0 or later.
• Classic view: renders in HTML or similar markup languages (CHTML, WML, and so on) and provides backward compatibility for mobile browsers that cannot render the new contemporary view. The classic experience in SharePoint Server 2013 is identical to the mobile browser experience of SharePoint Server 2010.
• Full-screen UI: the ability to have a full desktop view of a SharePoint site on a smartphone device.

Slide 38: Mobile Views
• Contemporary view - the default view (HTML5) on select site templates (Team Site, Blank Site, Document Workspace, Document Center, and Project Site)
• Classic view - for devices that cannot render the contemporary view
• Full-screen UI - an option within the contemporary view
• Learn more: http://technet.microsoft.com/en-us/library/jj673030.aspx

Slide 39: Device Channels
• For smartphone and tablet devices; can only be used with a publishing site
• With device channels, you can render a single publishing site in multiple ways by using different designs that target different devices based on their user agent string (the user agent is chosen by the client, so a channel is a presentation choice, not an access control)
• The site and content can be mapped to different master pages and style sheets for a specific device or group of devices
• You can easily show different content to different device channels by using the same page and page layout

Slide 40: Licensing in SP2013
• Much simpler to license
• Regular SharePoint Server license
• SharePoint for Internet Sites (FIS) is gone
• A CAL is needed for intranet users
• No CALs are needed for extranet (external) users
• "External users" means users that are not either your or your affiliates' employees, or your or your affiliates' onsite contractors or onsite agents

Slide 41: Questions?

Slide 42: Constructive Feedback Is Appreciated (sample callouts: "Great information, but would like to have learned more about [Insert Topic]"; "Brian – Your presentation was …"; "Good demos!"; "Thanks!")

Slide 43: Useful Links
• SharePoint 2013 design samples: Corporate portal and extranet sites
  http://technet.microsoft.com/en-us/library/cc261995.aspx
• Architecture design for SharePoint 2013 IT pros
  http://technet.microsoft.com/en-us/sharepoint/fp123594.aspx
• Technical diagrams for SharePoint 2013
  http://technet.microsoft.com/en-us/library/cc263199.aspx
• Plan for mobile devices in SharePoint 2013
  http://technet.microsoft.com/en-us/library/gg610510

Slide 44: Useful Links (continued)
• SharePoint 2013 FBA Pack
  http://sharepoint2013fba.codeplex.com/
• SharePoint 2010 FBA Pack
  http://sharepoint2010fba.codeplex.com/
• SharePoint 2010 Claims FBA Examples with OpenID
  http://sp2010claimsfbaexs.codeplex.com/
• Community Kit for SharePoint
  http://cks.codeplex.com/