TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010

Organizations planning for Extranet access to SharePoint 2010, or faced with providing access to an Intranet from multiple internal authentication platforms, often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. Understanding how to isolate content from a security perspective while still providing a collaborative space for end users is complex, and if not done correctly it can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real-world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including Claims-based authentication, as well as advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management for SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers.
  • Review Extranet design options with SharePoint 2010
  • Understand the need for identity management across SharePoint farms
  • Examine real-world deployment guidance and architecture for SharePoint environments using multiple authentication providers

  • We value your feedback – please submit your session evaluation to stand in line to win a Leatherman Kick Multi Tool sponsored by Microsoft Virtual Academy

Presentation Transcript

  • 17-20 OCTOBER 2011
    DURBAN ICC
  • Collaborating with Extranet Partners on SharePoint 2010
    OFC306
    Michael Noel – Convergent Computing
  • Michael Noel
    Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed,” “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed,” “ISA Server 2006 Unleashed,” and many other titles.
    Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security
  • What we’ll cover
    Why an Extranet?
    SharePoint 2010 Extranets
    Extranet Architecture Options
    Claims-based Authentication
    Forefront Unified Access Gateway (UAG) for extranets
    Forefront Identity Manager for Identity Management in an Extranet
  • Why an Extranet?
  • Why an Extranet?
    Security Isolation
    Isolation of Data
    Less Exposure, Perimeter Network Scenarios
    Partner Collaboration
    Share SP Content with External Partners
    Control Partner Accounts
    Anonymous Customer Scenarios are not Extranets
  • SharePoint 2010 Extranets
    Claims-based Authentication Support
    Multiple Authentication Providers
    Better Scalability (Services Architecture)
    Goodbye SSP!
    Server Groups
    Services Applications
    Multiple Authentication Types per Web Application
  • Sample Extranet Architecture
  • Design around Security Requirements
    (Diagram: the scenarios below are arranged on a scale from less security to more security)
    Scenario 1: Extranet and Internal Users in Single Farm
    1A: Single Web App / Single Site Collection
    1B: Single Web App / Separate Site Collections
    1C: Multiple Web Apps / Content DBs
    1D: Separate App Pool / Service App Group
    Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests
    Scenario 3: Extranet and Internal Users in Multiple Farms / One-Way Trust
    Scenario 4: Extranet and Internal Users in Separate Farms / Claims-based Auth for Internal Access to Extranet
    Scenario 5: Extranet and Internal Users in Separate Farms / No Access for Internal Accounts to Extranet
    Scenario 6: Separate Farms / AD FS Federation for Extranet Auth
  • Extranet Scenario 1: Extranet and Internal Users in Single Farm
    1A: Single Web App / Single Site Collection
    1B: Single Web App / Separate Site Collections
    1C: Multiple Web Apps / Content DBs
    1D: Separate App Pool / Service App Group
  • Extranet Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests
  • Extranet Scenario 3: Extranet and Internal Users in Multiple Farms and Perimeter Network / One-Way Trust
  • Extranet Scenario 4: Extranet and Internal Users in Separate Farms / Claims-based Auth Provider for Internal Auth to Extranet
  • Extranet Scenario 5: Extranet and Internal Users in Separate Farms / No Access for Internal Accounts to Extranet
  • Extranet Scenario 6: Separate Farms / AD FS Federation for Extranet Auth
  • Extranet Notes
  • One-Way Trust Scenarios
    People Picker needs to be configured to crawl the domain if it doesn’t trust the domain where the SharePoint farm is installed.
    Only with STSADM (rare exception when you can’t use PowerShell)
    setapppassword sets the key used to encrypt the stored People Picker credentials and must be run on every front-end web server in the farm; setproperty then registers the forests to search, supplying a dedicated low-privilege service account (DOMAIN\account form) for the forest that does not trust the farm’s domain.
    Example Syntax:
    stsadm.exe -o setapppassword -password AnyPassw0rd
    stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://extranet.companyabc.com
    stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://spcaext.companyabc.com
    Syntax is critical
    Run against all web apps
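    As an added example (not code from the slides or from the presenter), the same configuration driven from PowerShell so that the "run against all web apps" step is a loop rather than a hand-repeated command. It assumes a SharePoint 2010 Management Shell on a farm server, the slide's forest names and service account name, and prompts for the passwords instead of embedding them in the command line and shell history; the stsadm path is the standard SharePoint 2010 location.

```powershell
# Added example: apply the People Picker one-way-trust settings to every web application.
# Assumptions: elevated SharePoint 2010 Management Shell on a farm server; the forest
# names and the COMPANYABC\svc_sppplpick account are taken from the slide and are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Standard stsadm location for SharePoint 2010 (the "14" hive).
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe'

# Key used to encrypt the stored People Picker credentials. Prompted rather than hard-coded;
# repeat this step on every front-end web server in the farm with the same value.
$appPassword = Read-Host 'App password for People Picker credential encryption'
& $stsadm -o setapppassword -password $appPassword

# Forest list: "domain:<dns>,<DOMAIN\account>,<password>" for the forest that does not trust
# the farm's domain, plain "domain:<dns>" for the forest SharePoint itself lives in.
$svcPassword = Read-Host 'Password for COMPANYABC\svc_sppplpick'
$forests = "domain:companyabc.com,COMPANYABC\svc_sppplpick,$svcPassword;domain:extranetabc.com"

# Apply to every web application in the farm (the slide's "run against all web apps").
foreach ($wa in Get-SPWebApplication) {
    $url = $wa.Url.TrimEnd('/')
    Write-Host "Setting peoplepicker-searchadforests on $url"
    & $stsadm -o setproperty -pn peoplepicker-searchadforests -pv $forests -url $url
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "stsadm returned exit code $LASTEXITCODE for $url; check the syntax before continuing"
    }
}

# Read back what was stored so a typo in the forest list is caught now rather than when
# a partner tries to resolve an account; stsadm does not echo the service account password.
foreach ($wa in Get-SPWebApplication) {
    Write-Host "Configured forests for $($wa.Url):"
    & $stsadm -o getproperty -pn peoplepicker-searchadforests -url $wa.Url
}
```

    The verification loop at the end is the check worth keeping: the slide's warning that "syntax is critical" is because a malformed forest string fails silently at lookup time, so confirm the stored value on each web application immediately after setting it.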
  • Design for Clientless Access to SharePoint
    Services Applications for Extranet Clients:
    Word Services
    Excel Services
    Visio Services
    Access Services
    InfoPath Forms Services
    Allows ‘Clientless’ access to SharePoint content, for Extranet partners without Office
  • Standard Requirements Apply to Extranets as well
    SharePoint-aware Antivirus
    i.e. Forefront Protection for SharePoint
    SharePoint-aware Backup and Restore
    i.e. System Center Data Protection Manager (DPM) 2010
    Rights Management?
    Active Directory Rights Management Services (AD RMS)
  • Content Deployment with Extranets
  • Claims-based Authentication
  • Claims-Based Auth
    SharePoint doesn’t actually authenticate users; it relies on IIS or other providers
    SharePoint 2010 allows for Classic and Claims-based Auth scenarios
    Classic Authentication is similar to SharePoint 2007
    Claims-based Auth adds the following key benefits:
    Allows for Multiple Authentication Types per Web Application Zone
    Removes SharePoint from the Authentication Provider
    Allows for federation between organizations (AD FS, etc.) scenarios
    Does not require Kerberos Delegation
    Current limitations with Claims-based auth involve SQL Reporting Services, PowerPivot, PerformancePoint, and other SQL tools that require delegation. These appear to be fixed in SQL 2012.
    Remember the difference between Authentication and Authorization…
  • Classic vs. Claims-based Auth
  • Mixed-Mode vs. Multi-Authentication
  • Example: Partner Environment with Multiple Auth Types on single W.A.
  • Forefront Unified Access Gateway
  • UAG Architecture
    (Diagram: UAG sits between the Internet and the data center / corporate network. Published applications: Exchange, CRM, SharePoint and other IIS-based apps, IBM / SAP / Oracle, Terminal / Remote Desktop Services and non-web applications. Access paths: HTTPS / HTTP on 443, Layer 3 VPN and DirectAccess. Clients: mobile devices, home / friend / kiosk machines, business partners / sub-contractors, and employees on managed machines. Authentication back ends: AD, AD FS, RADIUS, LDAP, NPS, ILM.)
  • What about TMG? (New ISA)
  • Forefront Identity Manager
  • Identity and Access Management
    Secure Messaging
    Secure Endpoint
    Secure Collaboration
    Information Protection
    Identity and Access Management
    Active Directory® Federation Services
  • Manage SharePoint Identities
    Create Multiple Authentication Providers for SharePoint Farms
    AD DS Forests (Extranet forests)
    AD LDS Authentication Providers
    SQL Table (FBA) Authentication Sources
    LDAP Providers
    Etc…
    Keep those Authentication Providers Managed
  • Identity Management: User provisioning for SharePoint and other Applications
    • Policy-based identity lifecycle management system
    • Built-in workflow for identity management
    • Automatically synchronize all user information to different directories across the enterprise
    • Automates the process of on-boarding users
    (Diagram: user enrollment originates in the HR system; a FIM workflow with manager approval then provisions the user on all allowed systems: Active Directory, Extranet Forest, Test Forest, FBA Table, LOB App and VPN.)
  • Identity Management: User de-provisioning
    • Automated user de-provisioning
    • Built-in workflow for identity management
    • Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
    (Diagram: the de-provisioning event originates in the HR system; the FIM workflow then de-provisions or disables the user on all systems: Active Directory, Extranet Forest, Test Forest, FBA Table, LOB App and VPN.)
  • Identity Synchronization and Consistency: Identity synchronization across multiple directories
    (Diagram: identity data aggregation. Each directory holds its own, partly inconsistent, copy of the same person, and FIM aggregates the attributes from the source that owns each one. Values shown on the slide before convergence:)
    HR System: givenName Samantha, sn Dearing, employeeID 007 (owner of FirstName, LastName, EmployeeID)
    Internal AD: givenName Samara, sn Darling, title Coordinator, employeeID 007 (owner of Title)
    Extranet AD: givenName Sam, sn Dearing, title Intern, mail someone@example.com, employeeID 007 (owner of E-Mail)
    LDAP: givenName Sammy, sn Dearling, employeeID 008, telephone 555-0129 (owner of Telephone)
    FIM (aggregated): givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129
  • Identity Synchronization and Consistency: Identity consistency across multiple directories
    (Diagram: identity data brokering (convergence). FIM writes the owning source’s value of each attribute back to the other directories, replacing incorrect or missing information such as a stale givenName of Bob or a wrong employeeID of 008. After convergence the HR System, Internal AD, Extranet AD and LDAP all show: givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129.)
  • Customizable Identity Portal
    SharePoint-based Identity Portal for Management and Self Service
    How you extend it
    Add your own portal pages or web parts
    Build new custom solutions
    Expose new attributes to manage by extending FIM schema
    Choose SharePoint theme to customize look and feel
  • Strong Authentication—Certificate Authority
    • Streamline deployment by enrolling user and computer certificates without user intervention
    • Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
    • Can be used to automate Certificate management for dual factor auth approaches to SharePoint logins
    Flow shown on the slide:
    1. User enrollment and authentication request is sent by the HR System
    2. User is validated using multi-factor authentication (user ID and password plus smart card)
    3. FIM policy triggers a request for FIM Certificate Management (CM) to issue a certificate or smart card
    4. FIM CM requests certificate creation from Active Directory Certificate Services (AD CS)
    5. Certificate is issued to the user and written to either the machine or the smart card
  • FIM for Extranet Forest Mgmt
    Internal AD DS Forest
    DMZ Extranet AD DS Forest
    FIM Auto-provisions certain user accounts in Extranet forest and keeps Passwords in Sync to allow Internal users to access/collaborate with Partners
    FIM allows Self-Service Portal Access for Extranet user accounts in the partner forest
    Two-factor Auth scenarios, to automate provisioning of user accounts AND certificates to systems
  • FIM for Role Based Access Control
    FIM is central to RBAC Strategy
    Can auto-add users to Groups based on RBAC Criteria
    HR defines a user’s access based on their role
    FIM auto-adds that user to specific Role Groups in AD DS, which are tied to SharePoint Groups that hold the rights that role requires
  • Session Summary
    Understand the Extranet Design Options for 2010
    Keep Extranet Accounts out of local AD
    Determine how Identities will be Managed
    Use FIM for Identity Management, Self-Service, and Provisioning/Deprovisioning of Extranet Accounts
    Use UAG to secure inbound access to extranets/intranets
  • http://microsoftvirtualacademy.com
    Submit your session evaluation for a chance to win!
    Sponsored by MVA
  • Creating the future together
  • Thanks for attending! Questions?
    Michael Noel
    Twitter: @MichaelTNoel
    www.cco.com
    Slides: slideshare.net/michaeltnoel