• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
 

SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010

on

  • 1,642 views

Organizations planning for Extranet access to SharePoint 2010 or faced with providing access to an Intranet from multiple internal authentication platforms often find it challenging to properly ...

Organizations planning for Extranet access to SharePoint 2010 or faced with providing access to an Intranet from multiple internal authentication platforms often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. The complexity involved in understanding how to isolate content from a security perspective but still provide for a collaborative space for end users is complex, and if not done correctly can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including Claims-based authentication and also covering advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management to SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers. • Review Extranet design options with SharePoint 2010 • Understand the need for identity management across SharePoint farms • Examine real world deployment guidance and architecture for SharePoint environments using multiple authentication providers

Statistics

Views

Total Views
1,642
Views on SlideShare
1,642
Embed Views
0

Actions

Likes
0
Downloads
52
Comments
1

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

11 of 1 previous next

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • Vry helpful information...
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Opening slide please include
  • With automated user provisioning through Forefront Identity Manager, IT can automatically give and update rights to resources and business applications as per the user’s profile. It becomes easy to provision user identity to only those resources and applications which user is suppose to work and prevent from unauthorized use.organizations using Forefront Identity Manager can define policies that automatically create user accounts, mail boxes, and group memberships in real time so that new employees are productive immediately. When a user changes roles within an organization, Forefront Identity Manager automatically makes the necessary changes in heterogeneous target systems to add and remove access rights.For example, if a user moves from a role in sales to a role in marketing, Forefront Identity Manager can remove them from sales-specific groups and add them to marketing-specific groups to deliver appropriate access permissions to perform their job function.
  • With Forefront Identity Manager (FIM), organizations can define automatic policy enforcement for removing user accounts, mail boxes, and group memberships in real time, which minimizes the risk of information leakage from unauthorized access to resources and confidential information. With FIM, de-provisioning for users leaving the enterprise also becomes centralized and less complicated, which makes it easier to ensure complete de-provisioning to handle future compliance audits.For example, if a user leaves the organization, the HR system forwards a de-provisioning request to FIM. FIM follows approval workflow. With the manager’s approval, FIM automatically removes all rights, account information, mail boxes, and memberships from all relevant applications, groups, and different directories.
  • organizations can also use FIM to synchronize e-mail address lists that are maintained by heterogeneous e-mail systems, such as Microsoft Exchange Server 2000, Exchange Server 2007, and Lotus Notes. organizations that have multiple Active Directory Domain Services and Exchange forests can use FIM to build a single address book. This increases the value of identity integration by simplifying collaboration as well as increasing IT control.Note:FIM 2010 provides a simplified single sign on experience through its identity synchronization capabilities, delivering the ability to synchronize passwords across heterogeneous systems.The policy-based management system of FIM manages users’ identity lifecycle and protects corporate assets against misuse as users move between roles or leave the organization. http://www.microsoft.com/forefront/identitymanager/en/us/features.aspxhttp://download.microsoft.com/download/3/2/A/32A7B77A-7D3A-4D24-ACE7-5AA3A908B95E/Understanding%20FIM%202010.docx
  • Combining identity data across multiple directories and systems yields automated account reconciliation and consistency management for user accounts, credentials, and attributes. This means organizations with many different directories and other data repositories, such as an HR application, can use Forefront Identity Manager to synchronize user accounts across systems.
  • Active Directory Certificate Services (AD CS) provides an integrated public key infrastructure that enables the secure exchange of information. With strong security and easy administration across the Internet, extranets, intranets, and applications, AD CS provides customizable services for issuing and managing the certificates used in software security systems employing public key technologies.BenefitsIncrease access security with better security than username and password solutions, and verify the validity of certificates using the Online Certificate Status Protocol (OCSP).Reduce cost of ownership by taking advantage of Active Directory integration for enrollment, storage, and revocation processes.Simplify certificate management using a single information store that comes from full integration with Microsoft Management Console.Streamline deployment by enrolling user and computer certificates without user intervention.Client retrieves certificate policy from Active Directory.Client submits certificate request to Certificate Server based on policy.Certificate Server retrieves user information from Active Directory.Certificate Server returns signed digital certificate to the client.

SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010 SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010 Presentation Transcript

  • Platinum Sponsor Gold Sponsors
  • Michael NoelPLANNING EXTRANETS WITH SHAREPOINT 2010
  • MICHAEL NOEL• Author of SAMS Publishing titles ―SharePoint 2007 Unleashed,‖ the upcoming ―SharePoint 2010 Unleashed,‖ ―SharePoint 2003 Unleashed‖, ―Teach Yourself SharePoint 2003 in 10 Minutes,‖ ―Windows Server 2008 R2 Unleashed,‖ ―Exchange Server 2010 Unleashed‖, ―ISA Server 2006 Unleashed‖, and many other titles .• Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco, U.S.A. based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security
  • WHAT WE‘LL COVER• Why an Extranet?• SharePoint 2010 Extranets• Extranet Architecture Options• Claims-based Authentication• Forefront Unified Access Gateway (UAG) for extranets• Forefront Identity Manager for Identity Management in an Extranet
  • WHY AN EXTRANET?
  • WHY AN EXTRANET?• Security Isolation • Isolation of Data • Less Exposure, Perimeter Network Scenarios• Partner Collaboration • Share SP Content with External Partners • Control Partner Accounts Anonymous Customer Scenarios are not really Extranets
  • SHAREPOINT 2010 EXTRANETS• Claims-based Authentication Support• Multiple Authentication Providers• Better Scalability (Services Architecture) • Goodbye SSP! • Server Groups • Services Applications• Multiple Authentication Types per Web Application
  • SAMPLE EXTRANET ARCHITECTURE
  • DESIGN AROUND SECURITY REQUIREMENTS• Scenario 1: Extranet and Internal Users in Single Farm • 1A: Single Web App / Single Site Collection Less Secure • 1B: Single Web App / Separate Site Collections • 1C: Multiple Web Apps / Content DBs • 1D: Separate App Pool / Service App Group• Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests• Scenario 3: Extranet and Internal Users in Multiple Farms / One-Way Trust• Scenario 4: Extranet an Internal Users in Separate Farms / Claims- based Auth for Internal Access to Extranet More• Scenario 5: Extranet an Internal Users in Separate Farms / No Secure Access for Internal Accounts to Extranet• Scenario 6: Separate Farms / AD FS Federation for Extranet Auth
  • EXTRANET SCENARIO 1:EXTRANET AND INTERNAL USERS IN SINGLE FARM 1A: Single Web App / Single Site Collection 1B: Single Web App / Separate Site Collections 1C: Multiple Web Apps / Content DBs 1D: Separate App Pool / Service App Group
  • EXTRANET SCENARIO 2:EXTRANET AND INTERNAL USERS IN SINGLE FARM/ SEPARATE TRUSTED FORESTS
  • EXTRANET SCENARIO 3:EXTRANET AND INTERNAL USERS IN MULTIPLE FARMS ANDPERIMETER NETWORK / ONE-WAY TRUST
  • EXTRANET SCENARIO 4:EXTRANET AN INTERNAL USERS IN SEPARATE FARMS /CLAIMS-BASED AUTH PROVIDER FOR INTERNAL AUTH TOEXTRANET
  • EXTRANET SCENARIO 5:EXTRANET AN INTERNAL USERS IN SEPARATE FARMS / NOACCESS FOR INTERNAL ACCOUNTS TO EXTRANET
  • EXTRANET SCENARIO 6:SEPARATE FARMS / AD FS FEDERATION FOR EXTRANETAUTH
  • EXTRANET NOTES
  • ONE-WAY TRUST SCENARIOS• People Picker needs to be configured to crawl domain if it doesn‘t trust the domain where the SharePoint farm is installed.• Only with STSADM (Rare exception when you can‘t use PowerShell)• Example Syntax: • stsadm.exe -o setapppassword -password AnyPassw0rd • stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABCsvc_sppplpick,Password1;domain:extran etabc.com" -url https://extranet.companyabc.com • stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABCsvc_sppplpick,Password1;domain:extran etabc.com" -url https://spcaext.companyabc.com• Syntax is critical• Run against all web apps
  • DESIGN FOR CLIENTLESS ACCESS TO SHAREPOINT• Services Applications for Extranet Clients: • Word Services • Excel Services • Visio Services • Access Services • InfoPath Forms Services• Allows ‗Clientless‘ access to SharePoint content, for Extranet partners without Office
  • STANDARD REQUIREMENTS APPLY TO EXTRANETS AS WELL• SharePoint-aware Antivirus • i.e. Forefront Protection for SharePoint• SharePoint-aware Backup and Restore • i.e. System Center Data Protection Manager (DPM) 2010• Rights Management? • Active Directory Rights Management Services (AD RMS)
  • CONTENT DEPLOYMENT WITH EXTRANETS
  • CLAIMS-BASED AUTHENTICATION
  • CLAIMS-BASED AUTH• SharePoint doesn‘t actually Authenticate Users, it relies on IIS or other providers• SharePoint 2010 Allows for Classic and Claims-based Auth Scenarios• Classic Authentication is similar to SharePoint 2007• Claims based Auth adds the following key benefits: • Allows for Multiple Authentication Types per Web Application Zone • Removes SharePoint from the Authentication Provider • Allows for federation between organizations (AD FS, etc.) scenarios • Does not require Kerberos Delegation• Remember the difference between Authentication and Authorization…
  • CLASSIC VS. CLAIMS-BASED AUTH Classic-mode Claims-basedType authentication authenticationWindows NTLM Kerberos Yes Yes Anonymous Basic DigestForms-based authentication LDAP No Yes SQL database or other database Custom or third-party membership and role providersSAML token-based authentication AD FS 2.0 No Yes Third-party identity provider LDAP
  • MIXED-MODE VS. MULTI-AUTHENTICATION
  • EXAMPLE: PARTNER ENVIRONMENT WITHMULTIPLE AUTH TYPES ON SINGLE W.A.
  • FOREFRONT UNIFIED ACCESS GATEWAY 2010
  • UAG ARCHITECTURE Data Center / Corporate Network Exchange CRM Mobile SharePoint IIS based IBM, SAP, OracleHome / Friend / Kiosk Layer3 VPN Terminal / Remote Desktop HTTPS (443) Services Internet DirectAccess Non webBusiness Partners / AD, ADFS, Sub-Contractors RADIUS, LDAP…. NPS, ILM Employees Managed Machines
  • WHAT ABOUT TMG? (NEW ISA)Capability TMG 2010 UAG 2010Publish Web applications using HTTPS X XPublish internal mobile applications to roaming mobile devices X XLayer 3 firewall X X*Outbound scenarios support X X*Array support XGlobalization and administration console localization XWizards and predefined settings to publish SharePoint sites and Exchange X XWizards and predefined settings to publish various applications XActive Directory Federation Services (ADFS) support XRich authentication (for example, one-time password, forms-based, smart card) X XApplication protection (Web application firewall) Basic FullEndpoint health detection XInformation leakage prevention XGranular access policy XUnified Portal X
  • WHAT IS FOREFRONT IDENTITY MANAGER?
  • IDENTITY AND ACCESS MANAGEMENT Secure Messaging Secure Collaboration Secure Endpoint Information Protection Identity and Access Management Active Directory Federation Services ®
  • WHY FIM FOR SHAREPOINT?
  • MANAGE SHAREPOINT IDENTITIES• Create Multiple Authentication Providers for SharePoint Farms • AD DS Forests (Extranet forests) • AD LDS Authentication Providers • SQL Table (FBA) Authentication Sources • LDAP Providers • Etc…• Keep those Authentication Providers Managed
  • IDENTITY MANAGEMENTUSER PROVISIONING FOR SHAREPOINT AND OTHER APPLICATIONS • Policy-based identity lifecycle management system • Built-in workflow for identity management • Automatically synchronize all user information to different directories across the enterprise • Automates the process of on-boarding users Active Directory Extranet Forest Workflow User Enrollment Test Forest FIM HR System FBA Table Approval LOB User provisioned on all allowed systems App Manager VPN
  • IDENTITY MANAGEMENTUSER DE-PROVISIONING • Automated user de-provisioning • Built-in workflow for identity management • Real-time de-provisioning from all systems to prevent unauthorized access and information leakage Active Directory Extranet Forest Workflow User de-provisioned Test Forest FIM HR System FBA Table LOB User de-provisioned or disabled on all systems App VPN
  • IDENTITY SYNCHRONIZATION AND CONSISTENCYIDENTITY SYNCHRONIZATION ACROSS MULTIPLE DIRECTORIES Attribute HR givenName Samantha Ownership System sn Dearing FIM title mail FirstName employeeID 007 LastName telephone EmployeeID GivenName givenName Samantha sn Dearing title Coordinator Internal givenName Samara mail someone@example.com AD sn title Darling Coordinator employeeID 007 telephone 555-0129 mail Title employeeID 007 telephone Identity Extranet Data givenName Sam AD sn Dearing title Intern E-Mail mail employeeID someone@example.com 007 Aggregation telephone LDAP givenName Sammy sn Dearling title mail Telephone employeeID 008 telephone 555-0129
  • IDENTITY SYNCHRONIZATION AND CONSISTENCYIDENTITY CONSISTENCY ACROSS MULTIPLE DIRECTORIES Attribute HR givenName Samantha Ownership System sn Dearing FIM title mail FirstName employeeID 007 LastName telephone EmployeeID givenName Samantha Bob sn Dearing title Coordinator Internal givenName Samara mail someone@example.com someone@example.com AD sn title Darling Coordinator employeeID 007 telephone 555-0129 mail Title employeeID 007 telephone Identity Extranet Data givenName Sam AD sn title Dearing Intern E-Mail mail employeeID someone@example.com 007 Brokering telephone (Convergence) LDAP givenName Sammy sn Dearling title mail Telephone employeeID 007 telephone 555-0129
  • CUSTOMIZABLE IDENTITY PORTALSharePoint-based Identity Portalfor Management and Self Service How you extend it Add your own portal pages or web parts Build new custom solutions Expose new attributes to manage by extending FIM schema Choose SharePoint theme to customize look and feel
  • CUSTOMIZABLE IDENTITY PORTAL• Can be used to allow Extranet Partners to Perform Self- Service Management • Give control of Account Management to users/administrators of the extranet partner • Secure access to portal through VPN/Reverse Proxy • Portal in the DMZ• Can be used for Self-Service Password Reset (via domain-joined computer)
  • STRONG AUTHENTICATION—CERTIFICATE AUTHORITY • Streamline deployment by enrolling user and computer certificates without user intervention • Simplify certificate and SmartCard management using Forefront Identity Manager (FIM) • Can be used to automate Certificate management for dual factor auth approaches to SharePoint logins End User SmartCard User is validated using multi- FIM policy triggers request for factor authentication FIM CM to issue certificate or Certificate is issued to user and SmartCard written to either machine or smart card FIM CM End User SmartCard FIMHR System FIM Certificate Management (CM) requests certificate User ID and User Enrollment and AD CS creation from Authentication request sent by Password HR System Active Directory Certificate Services (AD CS)
  • REAL WORLD FIM USAGE SCENARIOS
  • FIM FOR EXTRANET FOREST MGMT• Internal AD DS Forest• DMZ Extranet AD DS Forest• FIM Auto-provisions certain user accounts in Extranet forest and keeps Passwords in Sync to allow Internal users to access/collaborate with Partners• FIM allows Self-Service Portal Access for Extranet user accounts in the partner forest• Two-factor Auth scenarios, to automate provisioning of user accounts AND certificates to systems
  • FIM FOR ROLE BASED ACCESS CONTROL• FIM is central to RBAC Strategy• Can auto-add users to Groups based on RBAC Criteria• HR Defines a user‘s access based on their role• FIM auto-adds that user to specific Role Groups in AD DS, which are tied to SharePoint Groups that have the rights that that role group requires. User1 Role SharePoint Group Group User2
  • SESSION SUMMARY• Understand the Extranet Design Options for 2010• Keep Extranet Accounts out of local AD• Determine how Identities will be Managed• Use FIM for Identity Management, Self-Service, and Provisioning/Deprovisioning of Extranet Accounts• Use UAG to secure inbound access to extranets/intranets
  • Thank you to our Sponsors Gold Sponsors Silver SponsorsBronze Sponsors
  • Michael Noel Twitter: @MichaelTNoel www.cco.comSlides: slideshare.net/michaeltnoel