SharePoint 2013 in a hybrid world
Published in: Technology
Transcript of "SharePoint 2013 in a hybrid world"

    1. SharePoint 2013 in a hybrid world
       #spsbe20
       Jethro SEGHERS
    2. Thanks to our Sponsors: Platinum, Gold, Silver
    3. ABOUT ME
       • Jethro SEGHERS
       • Office 365 MVP
       • @jseghers
       • http://www.j-solutions.be/blog
    4. AGENDA
       • What is hybrid within Office 365
       • Why hybrid
       • Different setups
       • Analysis of the building blocks
       • Different steps
       • See the results
       • Resources
       • Q&A
    5. ON PREMISE vs OFFICE 365
    6. ON PREMISE + OFFICE 365
    7. OFFICE 365 IS ATTRACTIVE
       1. It saves me a lot of €€€€€
       2. I always have the latest and greatest collaboration, email and UC tools
       3. Allows me to focus on my core business, not IT
       4. Microsoft can run SP more reliably and efficiently than I can
       5. I can easily scale up/down according to demand
       6. I can more easily work with customers and partners outside of my company
    8. But …. MY BUSINESS IS ON PREMISE
       1. I have existing investments (customized SP deployments with lots of data and settings, custom solutions, LOB systems, etc.)
       2. I can’t do everything in the Cloud that I can do on premise
       3. I want to protect my sensitive data by keeping it close
    9. WHY HYBRID
       • Migration
       • Business driven
    10. WHY HYBRID - MIGRATION
       • Early adopter: move all data to the cloud ASAP.
       • Risk averse: get a trial on SPO, evaluate risks, numbers (ROI)
       • Typical: freeze on-premise site creation; start with new content first.
    11. WHY HYBRID - MIGRATION
       • Same sign-on
       • 1 URL to enter SP & SPO
       • Use hybrid search
       • Use hybrid BCS
    12. WHY HYBRID - BUSINESS DRIVEN
       • Keep sensitive data on premise (whatever "sensitive" may mean)
       • Capacity flexibility
       • Intranet – extranet
       • Collaboration with external partners
       • Typically defined in your information structure & governance plan
       • Geo location
       • …
    13. DIFFERENT SETUPS: ONE-WAY OUTBOUND
    14. DIFFERENT SETUPS: ONE-WAY INBOUND
    15. DIFFERENT SETUPS: TWO-WAY
    16. DIFFERENT SETUPS: TWO-WAY DETAIL
    17. FROM THEORY TO IMPLEMENTATION
       • Reason for going hybrid
       • Choosing which setup
       • Configuring all components
       • Supporting authentication
       • Securing traffic
    18. INGREDIENTS
       • An operational on-premises AD DS domain in a single forest
       • An on-premises server for AD FS 2.0
       • An on-premises server for the Windows Azure Directory Synchronization tool
       • Windows Azure PowerShell cmdlets
       • Internet domain & DNS access
       • Operational SharePoint 2013 farm
       • An X.509 wildcard or SAN certificate
       • Office 365 Enterprise subscription with 15.0.0.4420 as the minimum build number
       • A supported on-premises reverse proxy device (only for inbound & bidirectional communication)
    19. ENVIRONMENT CONFIGURATION: NON-SharePoint tasks
       • Reverse proxy and certificate auth
       • Identity provider
       • MSOL tools
       • Dirsync
       (Diagram: UAG, ADFS servers, SharePoint servers, Office 365, Dirsync and Tools servers, MSOL tools. The same diagram is repeated on slides 20 to 25.)
    20. Reverse Proxy and Auth
       • When using hybrid features, Office 365 sends requests from sites in the cloud to your on-premise farm
       • You need to establish a reverse proxy for these calls to be channeled through, to secure the process
       • Those requests can be authenticated at the reverse proxy before they are forwarded to SharePoint
       • SharePoint supports using a certificate for authenticating to the reverse proxy server when sending a request
    21. Reverse Proxy Requirements
       • 2 network cards: one connected to the Internet and the other to the internal company network
       • Route inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headers
       • Support SSL termination
       • UAG, F5, …
    22. Identity Provider
       In order to have a single sign-on experience, you need a federated identity provider like ADFS:
       • 2 or more load-balanced ADFS servers
       • An SSL certificate for the ADFS site
       • A proxy device, like the ADFS proxy server
       • All users must have a UPN of a registered domain (i.e. ".local" or similar suffixes will not work)
       • Service account: Logon as Batch Job & Logon as a Service
    23. MSOL TOOLS
       • Microsoft Online Sign In Assistant
       • Windows Azure Active Directory PowerShell cmdlets (in portal)
       • You need to run this on the SharePoint server to configure the trust with ACS
       • You need to run this for SSO (usually run on its own server)
    24. SSO: Connect ADFS to Office 365
       1. Connect-MSOLService
       2. New-MSOLFederatedDomain
       3. Update DNS
       OR
       1. Add domain via Office 365 portal
       2. Update DNS
       3. Connect-MSOLService
       4. Convert-MSOLDomainToFederated
       !!! USE SMARTLINKS !!!
       !!! Run this on your primary ADFS server !!!
    25. DirSync
       • Do not run it on an AD; single forest (at this time)
       • Service accounts: svc_dirsync: Enterprise Admin on AD, Global Administrator on Office 365
       • Install DirSync and let the wizard run
       • Syncs users, groups & contacts
       !!! It doesn’t give your users licenses !!!
    26. RECAP
    27. SharePoint 2013 Config
       1. New STS token signing certificate
       2. Configuration of a trust between SP on premise & ACS
       3. Configure Secure Store
       4. Configure UPA
       5. Try it!
    28. STS Token Signing Certificate
       You need to replace the default token signing certificate for the SharePoint STS because Access Control Service (ACS) will not trust it. Replace it with:
       • A certificate issued by a public certificate authority
       • A self-signed certificate that you create in IIS Manager
       • NOT: a domain-issued certificate
       Use Set-SPSecurityTokenServiceConfig with the ImportSigningCertificate flag.
    29. Trust Between SP & ACS
       Now you need to create an OAuth trust for applications to exchange data between O365 and on-prem. Using MSOL PowerShell (on prem):
       • Create an AppPrincipal using New-MsolServicePrincipalCredential
       • Create a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxy
       • Complete the trust using New-SPTrustedSecurityTokenIssuer
    30. Configure Secure Store
       The Secure Store Service is used to create an application that stores the certificate used to authenticate with the UAG HTTPS trunk.
       • In Office 365 create a new Secure Store Service target application
       • Save the Target Application ID name because you will use it when configuring a result source
       • In the credentials field configure it as a Certificate Password
       • Click the Set button for the credentials
       • Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fields blank
    31. Configure UPA
       It’s critically important that you:
       • Have a UPA up and running
       • Have it populated with current data from Active Directory
       We use the UPA on the local farm to determine what rights a user has: what claims they have, what groups they belong to, etc. With a hybrid solution, anything that you grant rights to needs to be in the profile system. E.g., if you augment claims on premise and use a custom claims provider to grant rights to content using those claims, an Office 365 user would not see that data because those custom claims are not added when you log in to Office 365.
    32. RECAP: Necessary Steps
       • Install & configure all necessary tools
       • Replace STS certificate
       • Upload certificate to Office 365
       • Add hostname of server to SP principal object of Office 365
       • Register SPO S2S principal object to on premise
       • Set SP authentication realm to context ID of Office 365 tenant
       • Configure on-premise ACS proxy and set up trust with ACS
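The recap steps above (together with the STS certificate and ACS trust slides) written out as one PowerShell session on the on-premises SharePoint server. This is an added example, not the speaker's script: every path, hostname and password in angle brackets is a placeholder, the SharePoint Online app principal id is the well-known one for that service, and the SharePoint snap-in and MSOnline module are assumed to be installed as slide 23 requires.

```powershell
# Added example (not from the deck): recap steps as a PowerShell run-through.
# Replace every <placeholder> with your own values before running.
Add-PSSnapin Microsoft.SharePoint.PowerShell
Import-Module MSOnline
Import-Module MSOnlineExtended   # older module versions keep the service-principal cmdlets here

$pfxPath   = "<C:\certs\sts-signing.pfx>"   # public-CA or IIS self-signed cert, NOT domain-issued
$pfxPass   = "<pfx password>"
$cerPath   = "<C:\certs\sts-signing.cer>"   # public half of the same certificate
$hostName  = "<sp.contoso.com>"             # name Office 365 reaches through the reverse proxy
$siteUrl   = "<https://sp.contoso.com>"     # an on-premises site collection in that web app
$spcn      = "00000003-0000-0ff1-ce00-000000000000"  # well-known SharePoint Online app principal id

# 1. Replace the STS token signing certificate (slide 28), then trust it farm-wide
$stsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pfxPath, $pfxPass, 20
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCert
certutil -addstore -enterprise -f root $cerPath
Restart-Service SPTimerV4; iisreset

# 2. Upload the public certificate to the SharePoint Online principal
Connect-MsolService
$cerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$b64 = [System.Convert]::ToBase64String($cerCert.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spcn -Type asymmetric -Usage Verify -Value $b64

# 3. Add the on-premises hostname to the SPO principal's SPNs
$spo  = Get-MsolServicePrincipal -AppPrincipalId $spcn
$spns = $spo.ServicePrincipalNames
$spns.Add("$spcn/$hostName")
Set-MsolServicePrincipal -ObjectId $spo.ObjectId -ServicePrincipalNames $spns

# 4. Register the SPO principal on premises and set the realm to the tenant context id
$contextId = (Get-MsolCompanyInformation).ObjectId
$site = Get-SPSite $siteUrl
Register-SPAppPrincipal -site $site.RootWeb -nameIdentifier "$spcn@$contextId" -displayName "SharePoint Online"
Set-SPAuthenticationRealm -realm $contextId

# 5. ACS proxy and trusted token issuer (slide 29)
$metadata = "https://accounts.accesscontrol.windows.net/$contextId/metadata/json/1"
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadata -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadata -IsTrustBroker:$true -Name "ACS"

# Sanity check: the farm realm must now equal the tenant context id
Get-SPAuthenticationRealm
```

Run step 1 on every SharePoint server in the farm; steps 2 to 5 are run once.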
    33. Create a Result Source
       Create a new result source and use Remote SharePoint as the protocol.
       If you are on-prem and getting results from Office 365:
       • Use the URL of your Office 365 for the Remote Service URL
       • Use Default Authentication for credentials
       If you are Office 365 and getting results from on-prem:
       • Use the HTTPS URL of the UAG HTTPS trunk for the Remote Service URL
       • Use SSO Id for credentials and enter the name of the SSO application definition you created to store the UAG certificate
    34. Create a Result Source (screenshot)
    35. Create a Query Rule
       This is where you can do a "live" test to see if everything is working:
       • Create a new query rule
       • Remove the default condition
       • Click on Add Result Block
       • Select your result source
       • Click on the Test tab and then click the "Show more" link
       • Type some query terms in the "{subjectTerms}:" edit box
       • Click the "Test query" button
       If you have configured everything correctly – voilà! – you will see search results from the remote farm.
    36. See the Results: results from the cloud, results from on prem
    37. RESOURCES
       OnRamp: https://onramp.office365.com/onramp/
       HYBRID: http://technet.microsoft.com/en-us/library/jj838715.aspx
       Try to find the WORD documents ….
    38. THANK YOU
       Jethro SEGHERS
       Jethro.seghers@j-solutions.be
       http://www.j-solutions.be/blog
       @jseghers
    39. Troubleshooting Tips
       If you aren’t getting data back between the two environments, here are some things that you can do to narrow down the issue. In your on-prem farm turn up the ULS logging: go into Central Admin, Monitoring, Configure diagnostic logging; expand SharePoint Foundation and select:
       • App Auth
       • Application Authentication
       • Authentication Authorization
       • Claims Authentication
       Change the "least critical" dropdowns to Verbose and save changes. Monitor the ULS logs each time you execute a query.
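The same diagnostic logging step done from PowerShell on a farm server, so the level change and the log read-back are repeatable and the levels are put back afterwards. Added example, not from the deck; it assumes the SharePoint snap-in is available and that the four categories carry the names shown on the slide.

```powershell
# Added example (not from the deck): raise the four ULS categories from the
# slide to Verbose, run a hybrid query, read back just those entries, reset.
Add-PSSnapin Microsoft.SharePoint.PowerShell

# Identity takes "Area:Category"; these are the four categories on the slide
$categories = @(
  "SharePoint Foundation:App Auth",
  "SharePoint Foundation:Application Authentication",
  "SharePoint Foundation:Authentication Authorization",
  "SharePoint Foundation:Claims Authentication"
)

# Equivalent of Central Admin > Monitoring > Configure diagnostic logging, "least critical" = Verbose
Set-SPLogLevel -TraceSeverity Verbose -EventSeverity Verbose -Identity $categories
$started = Get-Date

# Execute the query now (query rule Test tab or a search page against the remote source)
Read-Host "Run the hybrid query, then press Enter"

# Only entries written since the level was raised, only for the chosen categories
Get-SPLogEvent -StartTime $started |
  Where-Object { $categories -contains ("{0}:{1}" -f $_.Area, $_.Category) } |
  Select-Object Timestamp, Category, Level, Correlation, Message |
  Format-Table -AutoSize -Wrap

# Put the levels back: Verbose fills the ULS logs quickly on a busy farm
Clear-SPLogLevel -Identity $categories
```

The Correlation column groups every trace line of one request, so failures at the reverse proxy, STS or ACS hop can be followed end to end.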
    40. Troubleshooting Tips (cont.)
       Use Fiddler as a reverse proxy on your SharePoint server; this requires:
       • Installing Fiddler on the SharePoint server
       • Writing a Fiddler script rule as described in Option #2 here: http://www.fiddler2.com/Fiddler/help/reverseproxy.asp
       Look at the TextView of the response. Here’s an example of an error that you can see in there:
    41. Troubleshooting Tips (cont.)
       Be aware of latency in queries across the cloud and on-premises. When a query is executed, ALL results must come back before the result is shown to the user; latencies can run 1200 to 1500 milliseconds. Because of this you may want to put some thought into when you want to fire a query at a remote source:
       • If you duplicate every single query you could introduce significant load on a farm
       • Where you want results back ASAP you wouldn’t want remote queries to fire
       • You can also create a dedicated page that only queries the remote source
       In short, you can mix and match with query rules to decide what works best.