TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
Organizations planning for Extranet access to SharePoint 2010, or faced with providing access to an Intranet from multiple internal authentication platforms, often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. Isolating content from a security perspective while still providing a collaborative space for end users is complex, and if not done correctly it can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including Claims-based authentication, as well as advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management for SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers.
  • Review Extranet design options with SharePoint 2010
  • Understand the need for identity management across SharePoint farms
  • Examine real world deployment guidance and architecture for SharePoint environments using multiple authentication providers

Published in: Technology
Transcript

    • 1. 17-20 OCTOBER 2011
      DURBAN ICC
    • 2. Collaborating with Extranet Partners on SharePoint 2010
      OFC306
      Michael Noel – Convergent Computing
    • 3. Michael Noel
      Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed,” “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed,” “ISA Server 2006 Unleashed,” and many other titles.
      Partner at Convergent Computing (www.cco.com / +1 (510) 444-5700) – San Francisco Bay Area based infrastructure/security specialists for SharePoint, AD, Exchange, Security
    • 4. What we’ll cover
      Why an Extranet?
      SharePoint 2010 Extranets
      Extranet Architecture Options
      Claims-based Authentication
      Forefront Unified Access Gateway (UAG) for extranets
      Forefront Identity Manager for Identity Management in an Extranet
    • 5. Why an Extranet?
    • 6. Why an Extranet?
      Security Isolation
        Isolation of Data
        Less Exposure, Perimeter Network Scenarios
      Partner Collaboration
        Share SP Content with External Partners
        Control Partner Accounts
      Anonymous Customer Scenarios are not Extranets
    • 7. SharePoint 2010 Extranets
      Claims-based Authentication Support
        Multiple Authentication Providers
      Better Scalability (Services Architecture)
        Goodbye SSP!
        Server Groups
        Services Applications
      Multiple Authentication Types per Web Application
    • 8. Sample Extranet Architecture
    • 9. Design around Security Requirements (scenarios ordered from less security to more security)
      Scenario 1: Extranet and Internal Users in Single Farm
        1A: Single Web App / Single Site Collection
        1B: Single Web App / Separate Site Collections
        1C: Multiple Web Apps / Content DBs
        1D: Separate App Pool / Service App Group
      Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests
      Scenario 3: Extranet and Internal Users in Multiple Farms / One-Way Trust
      Scenario 4: Extranet and Internal Users in Separate Farms / Claims-based Auth for Internal Access to Extranet
      Scenario 5: Extranet and Internal Users in Separate Farms / No Access for Internal Accounts to Extranet
      Scenario 6: Separate Farms / AD FS Federation for Extranet Auth
    • 10. Extranet Scenario 1: Extranet and Internal Users in Single Farm
      1A: Single Web App / Single Site Collection
      1B: Single Web App / Separate Site Collections
      1C: Multiple Web Apps / Content DBs
      1D: Separate App Pool / Service App Group
    • 11. Extranet Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests
    • 12. Extranet Scenario 3: Extranet and Internal Users in Multiple Farms and Perimeter Network / One-Way Trust
    • 13. Extranet Scenario 4: Extranet and Internal Users in Separate Farms / Claims-based Auth Provider for Internal Auth to Extranet
    • 14. Extranet Scenario 5: Extranet and Internal Users in Separate Farms / No Access for Internal Accounts to Extranet
    • 15. Extranet Scenario 6: Separate Farms / AD FS Federation for Extranet Auth
    • 16. Extranet Notes
    • 17. One-Way Trust Scenarios
      People Picker needs to be configured to crawl the domain if it doesn’t trust the domain where the SharePoint farm is installed.
      Only with STSADM (rare exception when you can’t use PowerShell)
      Example Syntax:
        stsadm.exe -o setapppassword -password AnyPassw0rd
        stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://extranet.companyabc.com
        stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://spcaext.companyabc.com
      Syntax is critical
      Run against all web apps
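The slide warns that the property syntax is critical and that the setting must be applied to every web application. The following is an added example, not part of the deck: a small checker for the peoplepicker-searchadforests value format shown above (domain:<fqdn>[,<login>,<password>] entries separated by semicolons) that rejects malformed entries before anything is run and expands one validated value into the setproperty command for each web application. The sample value and URLs are taken from the slide; the password is a placeholder.

```python
import re

# One entry: domain:<fqdn> or forest:<fqdn>, optionally followed by ,<login>,<password>.
# Passwords containing ',' or ';' are not supported by this simple checker.
ENTRY = re.compile(r"^(domain|forest):([^,;]+)(?:,([^,;]+),([^,;]*))?$")

def parse_searchadforests(value):
    """Split a peoplepicker-searchadforests value into (kind, fqdn, login, password)
    tuples. login and password are None for a trusted domain that needs no
    credential (the extranetabc.com entry on the slide). Raises ValueError on
    any entry the format does not allow, so a typo never reaches the farm."""
    entries = []
    for raw in value.split(";"):
        m = ENTRY.match(raw.strip())
        if not m:
            raise ValueError(f"bad entry {raw!r}: expected domain:<fqdn>[,<login>,<password>]")
        kind, fqdn, login, password = m.groups()
        if "." not in fqdn:
            raise ValueError(f"{fqdn!r} is not a fully qualified domain name")
        if login is not None and "\\" not in login and "@" not in login:
            raise ValueError(f"login {login!r} must be DOMAIN\\user or user@domain")
        entries.append((kind, fqdn, login, password))
    return entries

def build_commands(value, web_app_urls):
    """Expand one validated value into a setproperty command per web application
    ('Run against all web apps' on the slide). Validation happens first so a
    broken value produces no commands at all."""
    parse_searchadforests(value)
    return [f'stsadm.exe -o setproperty -pn peoplepicker-searchadforests '
            f'-pv "{value}" -url {url}' for url in web_app_urls]

# Constructed sample mirroring the slide. The lookup account only needs read
# access to the untrusted forest; keep it least-privileged and rotate it like
# any other service credential, since it is stored in the farm configuration.
SAMPLE = "domain:companyabc.com,COMPANYABC\\svc_sppplpick,Password1;domain:extranetabc.com"
WEB_APPS = ["https://extranet.companyabc.com", "https://spcaext.companyabc.com"]

if __name__ == "__main__":
    for kind, fqdn, login, _ in parse_searchadforests(SAMPLE):
        print(f"{kind} {fqdn}: {'credential ' + login if login else 'trusted, no credential'}")
    print("\n".join(build_commands(SAMPLE, WEB_APPS)))
```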
    • 18. Design for Clientless Access to SharePoint
      Services Applications for Extranet Clients:
        Word Services
        Excel Services
        Visio Services
        Access Services
        InfoPath Forms Services
      Allows ‘Clientless’ access to SharePoint content for Extranet partners without Office
    • 19. Standard Requirements Apply to Extranets as well
      SharePoint-aware Antivirus
        e.g. Forefront Protection for SharePoint
      SharePoint-aware Backup and Restore
        e.g. System Center Data Protection Manager (DPM) 2010
      Rights Management?
        Active Directory Rights Management Services (AD RMS)
    • 20. Content Deployment with Extranets
    • 21. Claims-based Authentication
    • 22. Claims-Based Auth
      SharePoint doesn’t actually authenticate users; it relies on IIS or other providers
      SharePoint 2010 allows for Classic and Claims-based Auth scenarios
      Classic Authentication is similar to SharePoint 2007
      Claims-based Auth adds the following key benefits:
        Allows for Multiple Authentication Types per Web Application Zone
        Removes SharePoint from the Authentication Provider
        Allows for federation between organizations (AD FS, etc.) scenarios
        Does not require Kerberos Delegation
      Current limitations with Claims-based auth involve SQL Reporting Services, PowerPivot, PerformancePoint, and other SQL tools that require delegation. These appear to be fixed in SQL 2012.
      Remember the difference between Authentication and Authorization…
    • 23. Classic vs. Claims-based Auth
    • 24. Mixed-Mode vs. Multi-Authentication
    • 25. Example: Partner Environment with Multiple Auth Types on single W.A.
    • 26. Forefront Unified Access Gateway
    • 27. UAG Architecture
      (Diagram) Clients on the Internet (employees on managed machines, home/friend/kiosk machines, mobile devices, business partners/sub-contractors) reach UAG over HTTPS (443). UAG publishes the data center/corporate network applications: Exchange, CRM, SharePoint, IIS-based applications, IBM/SAP/Oracle, Terminal/Remote Desktop Services, non-web applications, Layer 3 VPN and DirectAccess, over HTTPS/HTTP to the back end. Authentication back ends: AD, AD FS, RADIUS, LDAP, NPS, ILM.
    • 28.
    • 29. What about TMG? (New ISA)
    • 30. Forefront Identity Manager
    • 31. Identity and Access Management
      (Forefront pillars) Secure Messaging, Secure Endpoint, Secure Collaboration, Information Protection, Identity and Access Management, Active Directory® Federation Services
    • 32. Manage SharePoint Identities
      Create Multiple Authentication Providers for SharePoint Farms
        AD DS Forests (Extranet forests)
        AD LDS Authentication Providers
        SQL Table (FBA) Authentication Sources
        LDAP Providers
        Etc…
      Keep those Authentication Providers Managed
    • 33. Identity Management: User provisioning for SharePoint and other Applications
      Policy-based identity lifecycle management system
    • 34. Built-in workflow for identity management
    • 35. Automatically synchronize all user information to different directories across the enterprise
    • 36. Automates the process of on-boarding users
      (Diagram) HR System → User Enrollment → FIM Workflow with Manager Approval → User provisioned on all allowed systems: Active Directory, Extranet Forest, Test Forest, FBA Table, LOB App, VPN
    • 37. Identity Management: User de-provisioning
      Automated user de-provisioning
    • 38. Built-in workflow for identity management
    • 39. Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
      (Diagram) HR System → FIM Workflow → User de-provisioned or disabled on all systems: Active Directory, Extranet Forest, Test Forest, FBA Table, LOB App, VPN
    • 40. Identity Synchronization and Consistency: Identity synchronization across multiple directories
      (Diagram) FIM aggregates identity data for one employee from four directories; an “Attribute Ownership” column marks which system is authoritative for FirstName, LastName, EmployeeID, Title, E-Mail and Telephone.
        Source       givenName  sn        title        mail                 employeeID  telephone
        HR System    Samantha   Dearing   -            -                    007         -
        Internal AD  Samara     Darling   Coordinator  -                    007         -
        Extranet AD  Sam        Dearing   Intern       someone@example.com  007         -
        LDAP         Sammy      Dearling  -            -                    008         555-0129
        FIM (result) Samantha   Dearing   Coordinator  someone@example.com  007         555-0129
    • 41. Identity Synchronization and Consistency: Identity consistency across multiple directories
      (Diagram) Identity Data Brokering (Convergence): FIM writes the aggregated record back to every directory, so HR System, Internal AD, Extranet AD and LDAP all end up with Samantha / Dearing / Coordinator / someone@example.com / 007 / 555-0129, correcting the incorrect or missing information each directory held.
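The provisioning, de-provisioning and synchronization slides (33 to 41) describe one flow: an HR record drives accounts in every connected system, attribute ownership decides which directory wins for each attribute, and a disabled HR record removes access everywhere at once. The following is an added model of that flow, not FIM code; the sample data is the employee-007 example from slide 40, and the ownership assignment (HR for name and ID, internal AD for title, extranet AD for e-mail, LDAP for telephone) is an assumption, since the deck shows the ownership column but not its exact values.

```python
# Authoritative system per attribute (assumed assignment; see lead-in).
OWNERSHIP = {
    "givenName": "HR", "sn": "HR", "employeeID": "HR",
    "title": "InternalAD",
    "mail": "ExtranetAD",
    "telephone": "LDAP",
}

# Constructed sample, values as drawn on slide 40.
SOURCES = {
    "HR":         {"givenName": "Samantha", "sn": "Dearing", "employeeID": "007"},
    "InternalAD": {"givenName": "Samara", "sn": "Darling", "title": "Coordinator",
                   "employeeID": "007"},
    "ExtranetAD": {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
                   "mail": "someone@example.com", "employeeID": "007"},
    "LDAP":       {"givenName": "Sammy", "sn": "Dearling", "employeeID": "008",
                   "telephone": "555-0129"},
}

def converge(sources, ownership=OWNERSHIP):
    """Aggregate one authoritative record: the owning system's value wins; an
    attribute the owner lacks falls back to the first non-empty copy anywhere."""
    merged = {}
    for attr in dict.fromkeys(a for s in sources.values() for a in s):
        owner = ownership.get(attr)
        value = sources.get(owner, {}).get(attr) if owner else None
        if value is None:
            value = next((s[attr] for s in sources.values() if s.get(attr)), None)
        merged[attr] = value
    return merged

def drift(sources, ownership=OWNERSHIP):
    """(system, attribute, stale value) for every copy that disagrees with the
    converged record: the 'Incorrect or Missing Information' slide 41 calls out."""
    record = converge(sources, ownership)
    return [(system, a, v) for system, attrs in sources.items()
            for a, v in attrs.items() if record[a] != v]

def sync(sources, hr_status, ownership=OWNERSHIP):
    """Desired state per connected system (everything except HR, the source of
    record). Active: each system receives the full converged record (brokering).
    Any other status: each system gets None, meaning disable or remove the
    account, so access is cut everywhere at once rather than lingering in one
    forgotten directory."""
    targets = [name for name in sources if name != "HR"]
    if hr_status != "active":
        return {t: None for t in targets}
    record = converge(sources, ownership)
    return {t: dict(record) for t in targets}

if __name__ == "__main__":
    print("converged:", converge(SOURCES))
    print("stale copies:", drift(SOURCES))
    print("after termination:", sync(SOURCES, "disabled"))
```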
    • 42. Customizable Identity Portal
      SharePoint-based Identity Portal for Management and Self Service
      How you extend it
        Add your own portal pages or web parts
        Build new custom solutions
        Expose new attributes to manage by extending the FIM schema
        Choose a SharePoint theme to customize look and feel
    • 43. Strong Authentication: Certificate Authority
      Streamline deployment by enrolling user and computer certificates without user intervention
    • 44. Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
    • 45. Can be used to automate certificate management for dual-factor auth approaches to SharePoint logins
      (Diagram: enrollment flow)
        1. User Enrollment and Authentication request sent by HR System
        2. FIM policy triggers request for FIM Certificate Management (CM) to issue certificate or SmartCard
        3. FIM CM requests certificate creation from Active Directory Certificate Services (AD CS)
        4. Certificate is issued to user and written to either machine or smart card
        5. User is validated using multi-factor authentication (User ID and Password plus SmartCard)
    • 46. FIM for Extranet Forest Mgmt
      Internal AD DS Forest / DMZ Extranet AD DS Forest
      FIM auto-provisions certain user accounts in the Extranet forest and keeps passwords in sync to allow internal users to access/collaborate with Partners
      FIM allows Self-Service Portal access for Extranet user accounts in the partner forest
      Two-factor Auth scenarios, to automate provisioning of user accounts AND certificates to systems
    • 47. FIM for Role Based Access Control
      FIM is central to an RBAC Strategy
      Can auto-add users to Groups based on RBAC criteria
      HR defines a user’s access based on their role
      FIM auto-adds that user to specific Role Groups in AD DS, which are tied to SharePoint Groups that have the rights that the role group requires.
      (Diagram: HR role → AD DS Role Group → SharePoint Group)
    • 48. Session Summary
      Understand the Extranet Design Options for 2010
      Keep Extranet Accounts out of local AD
      Determine how Identities will be Managed
      Use FIM for Identity Management, Self-Service, and Provisioning/Deprovisioning of Extranet Accounts
      Use UAG to secure inbound access to extranets/intranets
    • 49. http://microsoftvirtualacademy.com
      Submit your session evaluation for a chance to win!
      Sponsored by MVA
    • 50. Creating the future together
    • 51. Thanks for attending! Questions?
      Michael Noel
      Twitter: @MichaelTNoel
      www.cco.com
      Slides: slideshare.net/michaeltnoel