Share point 2013 in a hybrid world

1,775 views
1,549 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,775
On SlideShare
0
From Embeds
0
Number of Embeds
449
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Share point 2013 in a hybrid world

  1. 1. SharePoint 2013 in a Hybrid World.
  2. 2. Jethro SEGHERS Cloud Solution Architect J-Solutions – Flexamit - Microsoft http://blog.j-solutions.be @jseghers
  3. 3. AGENDA • What is hybrid within Office 365 • Why hybrid • Different setups • Analysis of the building blocks • Different Steps • See The Results • Resources • Q&A
  4. 4. ON PREMISE vs OFFICE 365
  5. 5. ON PREMISE + OFFICE 365
  6. 6. OFFICE 365 IS ATTRACTIVE 1. It saves me a lot of €€€€€ 2. I always have the latest and greatest collaboration, email and UC tools 3. Allows me to focus on my core business, not IT 4. Microsoft can run SP more reliably and efficiently than I can 5. I can easily scale up/down according to demand 6. I can more easily work with customers, partners outside of my company
  7. 7. But …. MY BUSINESS IS ON PREMISE 1. I have existing investments (customized SP deployments w/lots of data and settings, custom solutions, LOB systems, etc) 2. I can’t do everything in the Cloud that I can do on premise 3. I want to protect my sensitive data by keeping it close
  8. 8. WHY HYBRID • Migration • Business Driven
  9. 9. WHY HYBRID - MIGRATION • Early Adopter: Move all data to the cloud ASAP. • Risk Averse: Get a trial on SPO, Evaluate Risks, Numbers (ROI) • Typical: Freeze on Premise Site Creation; start with new content first.
  10. 10. WHY HYBRID - MIGRATION • Same Sign On • 1 URL to enter SP & SPO • Use Hybrid Search • Use Hybrid BCS
  11. 11. WHY HYBRID - BUSINESS DRIVEN • Keep Sensitive Data on Premise -whatever sensitive may mean- • Capacity Flexibility • Intranet – Extranet • Collaboration with External Partners • Typically defined in your Information structure & governance plan. • Geo Location • …
  12. 12. DIFFERENT SETUPS ONE-WAY OUTBOUND
  13. 13. DIFFERENT SETUPS ONE-WAY INBOUND
  14. 14. DIFFERENT SETUPS TWO-WAY
  15. 15. DIFFERENT SETUPS TWO-WAY DETAIL
  16. 16. FROM THEORY TO IMPLEMENTATION • Reason of going Hybrid • Choosing which Setup • Configuring all Components • Supporting Authentication • Securing traffic
  17. 17. INGREDIENTS • An operational on-premises AD DS domain in a single forest • An on-premises server for AD FS 2.0. • An on-premises server for the Windows Azure Directory Synchronization tool. • Windows Azure PowerShell Cmdlets • Internet Domain & DNS access • Operation SharePoint 2013 Farm • An X.509 wildcard or SAN certificate. • Office 365 Enterprise Subscription with 15.0.0.4420 as the minimum build number • A supported on-premises reverse proxy device (only for inbound & bidirectional communication).
  18. 18. ENVIRONMENT CONFIGURATION • NON SharePoint Tasks Reverse Proxy and Certificate Auth Identity Provider MSOL Tools Dirsync UAG ADFS Servers SharePoint Servers Office 365 Dirsync and Tools Servers MSOL Tools
  19. 19. Reverse Proxy and Auth • When using hybrid features Office 365 sends requests from sites in the cloud to your on- premise farm • You need to establish a reverse proxy for these calls to be channeled through to secure the process • Those requests can be authenticated at the reverse proxy before they are forwarded to SharePoint • SharePoint supports using a certificate for authenticating to the reverse proxy server when sending a request UAG ADFS Servers SharePoint Servers Office 365 Dirsync and Tools Servers
  20. 20. Reverse Proxy Requirements • 2 network cards - one connected to the Internet and the other to the internal company network • Route inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headers • Support SSL termination • UAG, F5, … UAG ADFS Servers SharePoint Servers Office 365 Dirsync and Tools Servers
  21. 21. Identity Provider • In order to have a single-sign on experience, you need a federated identity provider like ADFS • 2 or more load balanced ADFS servers • An SSL certificate for the ADFS site • A proxy device, like the ADFS proxy server • All users must have a UPN of a registered domain (i.e. “.local” or similar suffixes will not work) • Service Account: Logon as Batch Job & Logon as a Service UAG ADFS Servers SharePoint Servers Office 365 Dirsync and Tools Servers
  22. 22. MSOL TOOLS • Microsoft Online Sign In Assistant • Windows Azure Active Directory PowerShell Cmdlets (in portal) • You need to run this on SharePoint Server to configure trust with ACS • You need to run this for SSO (usually run on own server) UAG ADFS Servers SharePoint Servers Office 365 Dirsync and Tools Servers
  23. 23. SSO • Connect ADFS to Office 365 1. Connect-MSOLService 2. New-MSOLFederatedDomain 3. Update DNS • OR 1. Add Domain via Office 365 Portal 2. Update DNS 3. Connect-MSOLService 4. Convert-MSOLDomainToFederated • !!! USE SMARTLINKS !!! • !!! Run this on your Primary ADFS Server !!! UAG ADFS Servers SharePoint Servers Office 365 Dirsync and Tools Servers
  24. 24. DirSync • Do Not Run it on an AD – Single Forest (at this time) • Service accounts: svc_dirsync: Enterprise Admin on AD • Global Administrator on Office 365 • Install DirSync and let the Wizard Run • Syncs Users, Groups & Contacts • !!! It doesn’t give your Users Licenses !!! UAG ADFS Servers SharePoint Servers Office 365 Dirsync and Tools Servers
  25. 25. ReCAP
  26. 26. SharePoint 2013 Config 1. New STS Token Signing Certificate 2. Configuration of a Trust between SP on Premise & ACS 3. Configure Secure Store 4. Configure UPA 5. Try it !
  27. 27. STS Token Signing Certificate • You need to replace the default token signing certificate for the SharePoint STS because Access Control Service (ACS) will not trust it • Replace it with • A certificate issued by a public certificate authority • A self signed certificate that you create in IIS Manager • NOT: Domain-issued certificate • Set-SPSecurityTokenServiceConfig with the ImportSigningCertificate flag.
  28. 28. Trust Between SP & ACS • Now you need to create an OAuth trust for applications to exchange data between o365 and on-prem • Using MSOL PowerShell (on prem): • Create an AppPrincipal using New-MsolServicePrincipalCredential • Create a proxy to ACS using New- SPAzureAccessControlServiceApplicationProxy • Complete the trust using New-SPTrustedSecurityTokenIssuer
  29. 29. Configure Secure Store • The Secure Store Service is used to create an application that stores the certificate used to authenticate with the UAG HTTPS trunk • In Office 365 create a new Secure Store Service target application • Save the Target Application ID name because you will use that configuring a result source • In the credentials field configure it as a Certificate Password • Click the Set button for the Credentials • Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fields blank
  30. 30. Configure UPA • It’s critically important that you: • Have a UPA up and running • Have it populated with current data from Active Directory • We use the UPA on the local farm to determine what rights a user has – what claims they have, what groups they belong to, etc. • With a hybrid solution, anything that you grant rights to needs to be in the profile system • E.g., if you augment claims on premise and use a custom claims provider to grant rights to content using those claims, an office 365 user would not see that data because those custom claims are not added when you login to office 365
  31. 31. RECAP Necessary Steps • Install & Configure all necessary tools • Replace STS Certificate • Upload Certificate to Office 365 • Add Hostname of server to SP Principal object of Office 365 • Register SPO S2S Principal Object to On Premise • Set SP Authentication Realm to Context ID of Office 365 Tenant • Configure On Premise ACS Proxy and setup Trust with ACS.
  32. 32. Create A Result Source • Create a new result source and: • Use Remote SharePoint as the Protocol • If you are on-prem and getting results from Office 365: • Use the Url of your office 365 for the Remote Service Url • Use Default Authentication for credentials • If you are office 365 and getting results from on-prem : • Use the HTTPS Url of the UAG HTTPS trunk for the Remote Service Url • Use SSO id for credentials and enter the name of the SSO application definition you created to store the UAG certificate
  33. 33. Create A Result Source
  34. 34. Create A Result Source
  35. 35. Create A Result Source
  36. 36. Create A Query Rule • This is where you can do a “live” test to see if everything is working • Create a new query rule • Remove the default Condition • Click on Add Result Block • Select your result source • Click on the Test tab and then • Click the “Show more” link • Type some query terms in the “{subjectTerms}:” edit box • Click the “Test query” button • If you have configured everything correctly – Voila! – you will see search results from the remote farm
  37. 37. See the Results Results from the Cloud Results from On Prem
  38. 38. RESOURCES • OnRamp • https://onramp.office365.com/onramp/ • HYBRID • http://technet.microsoft.com/en-us/library/jj838715.aspx • Try To Find the WORD Documents ….
  39. 39. TroubleshootTips • If you aren’t getting data back between the two environments here are some things that you can do to narrow down the issue: • In your on prem farm turn up the ULS logging • Go into Central Admin, Monitoring, Configure diagnostic logging; expand SharePoint Foundation and select: • App Auth • Application Authentication • Authentication Authorization • Claims Authentication • Change the “least critical” dropdowns to Verbose and save changes • Monitor the ULS logs each time you execute a query
  40. 40. Troubleshoot Tips (cont.) • Use Fiddler as a reverse proxy on your SharePoint server; this requires • Installing Fiddler on the SharePoint server • Write a Fiddler script rule as described in Option #2 here: http://www.fiddler2.com/Fiddler/help/reverseproxy.asp • Look at the TextView of the Response. Here’s an example of an error that you can see in there:
  41. 41. Troubleshooting Tips (cont.) • Be aware of latency in queries across the cloud and on- premises • When a query is executed, ALL results must come back before the result is shown to the user • Latencies can run 1200 to 1500 milliseconds • Because of this you may want to put some thought into when you want to fire a query at a remote source • If you duplicate every single query you could introduce significant load on a farm • Where you want results back ASAP then you wouldn’t want remote queries to fire • You can also create a dedicated page that only queries the remote source • In short – you can mix and match with query rules to decide what works best
  42. 42. Q&A

×