SharePoint 2013 in a hybrid world

Presentation Transcript

  • SharePoint 2013 in a hybrid world, #spsbe20, Jethro SEGHERS
  • Thanks to our sponsors: Platinum, Gold, Silver
  • ABOUT ME
    • Jethro SEGHERS
    • Office 365 MVP
    • @jseghers
    • http://www.j-solutions.be/blog
  • AGENDA
    • What is hybrid within Office 365
    • Why hybrid
    • Different setups
    • Analysis of the building blocks
    • Different steps
    • See the results
    • Resources
    • Q&A
  • ON PREMISE vs OFFICE 365
  • ON PREMISE + OFFICE 365
  • OFFICE 365 IS ATTRACTIVE
    1. It saves me a lot of €€€€€
    2. I always have the latest and greatest collaboration, email and UC tools
    3. Allows me to focus on my core business, not IT
    4. Microsoft can run SP more reliably and efficiently than I can
    5. I can easily scale up/down according to demand
    6. I can more easily work with customers, partners outside of my company
  • But ... MY BUSINESS IS ON PREMISE
    1. I have existing investments (customized SP deployments w/ lots of data and settings, custom solutions, LOB systems, etc.)
    2. I can't do everything in the Cloud that I can do on premise
    3. I want to protect my sensitive data by keeping it close
  • WHY HYBRID
    • Migration
    • Business driven
  • WHY HYBRID - MIGRATION
    • Early adopter: move all data to the cloud ASAP.
    • Risk averse: get a trial on SPO, evaluate risks, numbers (ROI).
    • Typical: freeze on-premise site creation; start with new content first.
  • WHY HYBRID - MIGRATION
    • Same Sign On
    • 1 URL to enter SP & SPO
    • Use Hybrid Search
    • Use Hybrid BCS
  • WHY HYBRID - BUSINESS DRIVEN
    • Keep sensitive data on premise (whatever "sensitive" may mean)
    • Capacity flexibility
    • Intranet / extranet
    • Collaboration with external partners
    • Typically defined in your information structure & governance plan
    • Geo location
    • ...
  • DIFFERENT SETUPS: ONE-WAY OUTBOUND
  • DIFFERENT SETUPS: ONE-WAY INBOUND
  • DIFFERENT SETUPS: TWO-WAY
  • DIFFERENT SETUPS: TWO-WAY DETAIL
  • FROM THEORY TO IMPLEMENTATION
    • Reason for going hybrid
    • Choosing which setup
    • Configuring all components
    • Supporting authentication
    • Securing traffic
  • INGREDIENTS
    • An operational on-premises AD DS domain in a single forest
    • An on-premises server for AD FS 2.0
    • An on-premises server for the Windows Azure Directory Synchronization tool
    • Windows Azure PowerShell cmdlets
    • Internet domain & DNS access
    • Operational SharePoint 2013 farm
    • An X.509 wildcard or SAN certificate
    • Office 365 Enterprise subscription with 15.0.0.4420 as the minimum build number
    • A supported on-premises reverse proxy device (only for inbound & bidirectional communication)
  • ENVIRONMENT CONFIGURATION: non-SharePoint tasks
    • Reverse proxy and certificate auth
    • Identity provider
    • MSOL tools
    • DirSync
    (Diagram components: UAG, ADFS servers, SharePoint servers, Office 365, DirSync and tools servers, MSOL tools)
  • REVERSE PROXY AND AUTH
    • When using hybrid features, Office 365 sends requests from sites in the cloud to your on-premise farm
    • You need to establish a reverse proxy for these calls to be channeled through, to secure the process
    • Those requests can be authenticated at the reverse proxy before they are forwarded to SharePoint
    • SharePoint supports using a certificate for authenticating to the reverse proxy server when sending a request
  • REVERSE PROXY REQUIREMENTS
    • 2 network cards: one connected to the Internet and the other to the internal company network
    • Route inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headers
    • Support SSL termination
    • UAG, F5, ...
  • IDENTITY PROVIDER: in order to have a single sign-on experience, you need a federated identity provider like ADFS
    • 2 or more load-balanced ADFS servers
    • An SSL certificate for the ADFS site
    • A proxy device, like the ADFS proxy server
    • All users must have a UPN of a registered domain (i.e. ".local" or similar suffixes will not work)
    • Service account: Logon as Batch Job & Logon as a Service
  • MSOL TOOLS
    • Microsoft Online Sign In Assistant
    • Windows Azure Active Directory PowerShell cmdlets (in portal)
    • You need to run this on the SharePoint server to configure the trust with ACS
    • You need to run this for SSO (usually run on its own server)
  • SSO: connect ADFS to Office 365
    Either:
    1. Connect-MSOLService
    2. New-MSOLFederatedDomain
    3. Update DNS
    Or:
    1. Add the domain via the Office 365 portal
    2. Update DNS
    3. Connect-MSOLService
    4. Convert-MSOLDomainToFederated
    !!! USE SMARTLINKS !!!
    !!! Run this on your primary ADFS server !!!
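The two SSO paths on this slide written out as one PowerShell session, added here as an example; it is not from the presentation. It assumes the Windows Azure Active Directory (MSOnline) cmdlets are installed on the primary ADFS server, and the domain name is a placeholder.

```powershell
# Added example (not from the presentation): federating a domain with the on-premises
# AD FS farm using the Windows Azure AD (MSOnline) cmdlets, run on the primary ADFS server.
Import-Module MSOnline

$domain = "contoso.com"   # placeholder: the Internet domain you own and control DNS for

# Prompts for a Global Administrator account of the Office 365 tenant.
$cred = Get-Credential -Message "Office 365 Global Administrator"
Connect-MsolService -Credential $cred

# Path A (first option on the slide): the domain is created in the tenant as federated.
# On the first run the cmdlet reports the DNS verification record to add; add it
# ("Update DNS") and run the same cmdlet again to finish.
#   New-MsolFederatedDomain -DomainName $domain

# Path B (second option on the slide): the domain was already added and verified in the
# portal, so it is currently "Managed" and gets converted in place.
$state = (Get-MsolDomain -DomainName $domain).Authentication
if ($state -eq "Managed") {
    Convert-MsolDomainToFederated -DomainName $domain
}

# Verify: the issuer URI and sign-on endpoints now point at your ADFS farm, and a token
# signing certificate is registered for the domain. Anything else here means the trust
# in Office 365 does not match what ADFS will present to users.
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri, SigningCertificate
```

Convert-MsolDomainToFederated only works on a domain that is already verified, which is why path B puts "Update DNS" before it; path A folds verification into the two runs of New-MsolFederatedDomain.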
  • DIRSYNC
    • Do not run it on an AD
    • Single forest (at this time)
    • Service account: svc_dirsync (Enterprise Admin on AD, Global Administrator on Office 365)
    • Install DirSync and let the wizard run
    • Syncs users, groups & contacts
    !!! It doesn't give your users licenses !!!
  • RECAP
  • SHAREPOINT 2013 CONFIG
    1. New STS token signing certificate
    2. Configuration of a trust between SP on premise & ACS
    3. Configure Secure Store
    4. Configure UPA
    5. Try it!
  • STS TOKEN SIGNING CERTIFICATE: you need to replace the default token signing certificate for the SharePoint STS because Access Control Service (ACS) will not trust it. Replace it with:
    • A certificate issued by a public certificate authority
    • A self-signed certificate that you create in IIS Manager
    • NOT: a domain-issued certificate
    Use Set-SPSecurityTokenServiceConfig with the ImportSigningCertificate flag.
  • TRUST BETWEEN SP & ACS: now you need to create an OAuth trust for applications to exchange data between O365 and on-prem. Using MSOL PowerShell (on prem):
    • Create an AppPrincipal using New-MsolServicePrincipalCredential
    • Create a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxy
    • Complete the trust using New-SPTrustedSecurityTokenIssuer
  • CONFIGURE SECURE STORE: the Secure Store Service is used to create an application that stores the certificate used to authenticate with the UAG HTTPS trunk.
    • In Office 365 create a new Secure Store Service target application
    • Save the Target Application ID name because you will use it when configuring a result source
    • In the credentials field configure it as a Certificate Password
    • Click the Set button for the credentials
    • Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fields blank
  • CONFIGURE UPA: it's critically important that you:
    • Have a UPA up and running
    • Have it populated with current data from Active Directory
    We use the UPA on the local farm to determine what rights a user has: what claims they have, what groups they belong to, etc. With a hybrid solution, anything that you grant rights to needs to be in the profile system. E.g., if you augment claims on premise and use a custom claims provider to grant rights to content using those claims, an Office 365 user would not see that data because those custom claims are not added when you log in to Office 365.
  • RECAP: NECESSARY STEPS
    • Install & configure all necessary tools
    • Replace STS certificate
    • Upload certificate to Office 365
    • Add hostname of server to SP principal object of Office 365
    • Register SPO S2S principal object to on premise
    • Set SP authentication realm to context ID of Office 365 tenant
    • Configure on-premise ACS proxy and set up trust with ACS
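The recap steps above (STS certificate, upload to Office 365, principal hostname, S2S registration, realm, ACS proxy and trust) as one SharePoint 2013 Management Shell session, added here as an example and not taken from the presentation. It assumes the MSOnline cmdlets and the Sign In Assistant are installed on the SharePoint server; the certificate paths, host name and site URL are placeholders, the SharePoint Online application principal ID and the ACS metadata endpoint URL are the well-known values used for this trust, and the Register-SPAppPrincipal step is this example's reading of "Register SPO S2S principal object to on premise".

```powershell
# Added example (not from the presentation): the "necessary steps" slide as one script,
# run in the SharePoint 2013 Management Shell on an on-premises SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

$pfxPath  = "C:\certs\sts.pfx"            # placeholder: new STS signing cert with private key
$cerPath  = "C:\certs\sts.cer"            # placeholder: public part of the same certificate
$spHost   = "sharepoint.contoso.com"      # placeholder: on-premises SharePoint host name
$siteUrl  = "https://$spHost"             # placeholder: a site collection on that farm
$spoAppId = "00000003-0000-0ff1-ce00-000000000000"   # well-known SharePoint Online app principal ID

# 1. Replace the STS token signing certificate (public CA or self-signed, not domain-issued).
#    The password is read as a SecureString so it never sits in the script; PersistKeySet
#    keeps the private key in the store after the import.
$pfxPass = Read-Host -AsSecureString "Password for $pfxPath"
$flags   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"Exportable,PersistKeySet"
$stsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $pfxPass, $flags
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCert
iisreset
Restart-Service SPTimerV4

# 2. Upload the public certificate to the SharePoint Online principal in Office 365,
#    so ACS can verify tokens signed by the new STS certificate.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import($cerPath)
$credValue = [Convert]::ToBase64String($cer.GetRawCertData())
Connect-MsolService -Credential (Get-Credential -Message "Office 365 Global Administrator")
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric -Usage Verify -Value $credValue

# 3. Add the on-premises host name to the SharePoint principal's service principal names.
$msp  = Get-MsolServicePrincipal -AppPrincipalId $spoAppId
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoAppId/$spHost")
Set-MsolServicePrincipal -AppPrincipalId $spoAppId -ServicePrincipalNames $spns

# 4. Register the SPO principal on premises and set the authentication realm to the
#    tenant's context ID (the ObjectId of the tenant).
$contextId        = (Get-MsolCompanyInformation).ObjectId
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/$contextId/metadata/json/1"
$site = Get-SPSite $siteUrl
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier "$spoAppId@$contextId" -DisplayName "SharePoint Online"
Set-SPAuthenticationRealm -Realm $contextId

# 5. Configure the on-premises ACS proxy and complete the trust with ACS.
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"

# Verify: the realm must equal the tenant context ID, and "ACS" must appear as a trusted issuer.
Get-SPAuthenticationRealm
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, IsSelfIssuer, MetadataEndPoint, RegisteredIssuerName
```

The order matters: the realm must be set before the trusted issuer is created, because the issuer registration records the realm it was created under, and a certificate uploaded in step 2 that does not match the one imported in step 1 leaves ACS rejecting every token the on-premises STS signs.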
  • CREATE A RESULT SOURCE: create a new result source and use Remote SharePoint as the protocol.
    If you are on-prem and getting results from Office 365:
    • Use the URL of your Office 365 for the Remote Service URL
    • Use Default Authentication for credentials
    If you are Office 365 and getting results from on-prem:
    • Use the HTTPS URL of the UAG HTTPS trunk for the Remote Service URL
    • Use SSO Id for credentials and enter the name of the SSO application definition you created to store the UAG certificate
  • CREATE A RESULT SOURCE
  • CREATE A QUERY RULE: this is where you can do a "live" test to see if everything is working.
    • Create a new query rule
    • Remove the default condition
    • Click on Add Result Block
    • Select your result source
    • Click on the Test tab and then click the "Show more" link
    • Type some query terms in the "{subjectTerms}:" edit box
    • Click the "Test query" button
    If you have configured everything correctly (voila!) you will see search results from the remote farm.
  • SEE THE RESULTS: results from the cloud, results from on prem
  • RESOURCES
    • OnRamp: https://onramp.office365.com/onramp/
    • HYBRID: http://technet.microsoft.com/en-us/library/jj838715.aspx
    • Try to find the WORD documents ...
  • THANK YOU
    Jethro SEGHERS
    Jethro.seghers@j-solutions.be
    http://www.j-solutions.be/blog
    @jseghers
  • TROUBLESHOOT TIPS: if you aren't getting data back between the two environments, here are some things that you can do to narrow down the issue:
    • In your on-prem farm turn up the ULS logging
    • Go into Central Admin, Monitoring, Configure diagnostic logging; expand SharePoint Foundation and select: App Auth, Application Authentication, Authentication Authorization, Claims Authentication
    • Change the "least critical" dropdowns to Verbose and save changes
    • Monitor the ULS logs each time you execute a query
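The same diagnostic-logging steps done from the SharePoint 2013 Management Shell instead of Central Admin, with the log events for one query pulled out afterwards, added here as an example that is not part of the presentation. It assumes the four category names on the slide match the names in the farm's diagnostic logging configuration.

```powershell
# Added example (not from the presentation): raise ULS logging for the authentication
# categories named on the slide, run one hybrid query, and collect what was logged.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# "Area:Category" identities, as listed under SharePoint Foundation on the slide.
$categories = @(
    "SharePoint Foundation:App Auth",
    "SharePoint Foundation:Application Authentication",
    "SharePoint Foundation:Authentication Authorization",
    "SharePoint Foundation:Claims Authentication"
)

# Raise only these categories to Verbose; the rest of the farm keeps its current levels.
Set-SPLogLevel -Identity $categories -TraceSeverity Verbose

# Bracket a single query so the log window is small enough to read.
$start = Get-Date
Read-Host "Execute the hybrid query in the search center, then press Enter"
$end = Get-Date

# Pull the events from that window for the raised categories only. The Correlation value
# lets you tie the on-premises entries to the failing request seen at the reverse proxy.
Get-SPLogEvent -StartTime $start -EndTime $end |
    Where-Object { $categories -contains "$($_.Area):$($_.Category)" } |
    Select-Object Timestamp, Category, Level, Correlation, Message |
    Format-Table -AutoSize -Wrap

# Verbose logging costs disk and CPU; reset these categories to the farm default when done.
Clear-SPLogLevel -Identity $categories
```

Leaving Verbose on after the test fills the ULS logs quickly and makes the next problem harder to find, so the reset at the end is part of the procedure rather than an afterthought.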
  • TROUBLESHOOT TIPS (cont.): use Fiddler as a reverse proxy on your SharePoint server; this requires:
    • Installing Fiddler on the SharePoint server
    • Writing a Fiddler script rule as described in Option #2 here: http://www.fiddler2.com/Fiddler/help/reverseproxy.asp
    • Looking at the TextView of the response. Here's an example of an error that you can see in there:
  • TROUBLESHOOTING TIPS (cont.)
    • Be aware of latency in queries across the cloud and on-premises
    • When a query is executed, ALL results must come back before the result is shown to the user
    • Latencies can run 1200 to 1500 milliseconds
    • Because of this you may want to put some thought into when you want to fire a query at a remote source
    • If you duplicate every single query you could introduce significant load on a farm
    • Where you want results back ASAP you wouldn't want remote queries to fire
    • You can also create a dedicated page that only queries the remote source
    • In short: you can mix and match with query rules to decide what works best