How to deploy SharePoint 2010 to external users?


A presentation about all the different aspects to be aware of when deploying SharePoint 2010 as an extranet platform, as well as the available options for network topologies and authentication methods.

Published in: Technology

Comments:
  • Are those glasses of beer on slide 20? Now I'm thirsty...
  • Awesome presentation!
  • Slide note: Authentication = the mechanism whereby systems may securely identify their users. Authorization = the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
  • How to deploy SharePoint 2010 to external users?

    1. How to deploy SharePoint to Extranet Users?
       Raphael Londner, Silicon Valley SharePoint User Group, 02/10/2011
    2. Who am I? (© RL Soft 2011)
       SharePoint, .NET, SQL Server, AD… since 2001
       Founder of RL Soft
       @rlondner
    3. Agenda
       • Definition and Scenarios
       • Extranet Network Topologies
       • Identity Management in SharePoint
       • Claims-Based Authentication
       • SharePoint 2010 Authentication Options
       • XtraShare for SharePoint Highlight
    4. Agenda (section divider, same list as slide 3)
    5. Extranet - Definition
       A web application shared with external users, such as partners, vendors, customers, community users, industry peers…
       Typical attributes of an extranet:
       • Requires authenticated access, but the identity of the user is not always known
       • Has stronger security controls than an Internet web site but is usually less secure than an intranet
    6. Common Extranet Scenarios
       Audiences: Remote Employees, Partners, Community Sites
       Application types: Line of Business Applications, Collaboration, Static Content or Publishing
       Typical requirements:
       • Isolate and segregate data
       • Authorize users to only access sites and data that are necessary for their contributions
       • Restrict partners from viewing other partners’ data
       • Foster a community of users with shared interests
       • Allow users to register
       • Self-service tools (password reminder, profile update…)
       • Delegate user administration
    7. Extranet Design Considerations
       • Network Topologies
       • Identity Management
    8. Agenda (section divider, same list as slide 3)
    9. Edge Firewall Topology
       Pros: least amount of hardware, software and configuration; single point of data
       Cons: single firewall between the corporate network and the Internet
   10. Back-to-back Perimeter
       Pros: isolated extranet farm; external user access isolated to the perimeter network
       Cons: additional network infrastructure, hardware, software licenses…
   11. Split-to-back Perimeter
       Pros: single SQL Server store; app servers (only) in the corporate network
       Cons: increased complexity (domain trusts…)
   12. Agenda (section divider, same list as slide 3)
   13. Terminology
       Authentication: creates an identity for a security principal (“Who am I?”)
       Authorization: determines which resources a user has access to (“What can I access?”)
       SharePoint does not authenticate but does authorize
       SharePoint creates user profiles (SPUser), stored in the User Information List at the site collection level
   14. SharePoint 2001
       Windows Server 2000 / IIS 5.0; ASP 3.0
       Windows Authentication (Active Directory)
   15. SharePoint 2003
       Windows Server 2003 / IIS 6.0; ASP.NET 1.1 (2.0 w/ SP1)
       Windows Authentication (Active Directory)
   16. SharePoint 2007
       Windows Server 2003/2008; IIS 6.0/7.0; ASP.NET 2.0
       Windows Authentication (Active Directory)
       Forms-Based Authentication (FBA): allows users to connect through a web form
       • ASP.NET 2.0 Membership Provider/Role Manager
       • Can authenticate users against “any” user store: Web SSO (ADFS), LDAP, SQL…
       One authentication method per SharePoint Zone
   17. SharePoint 2010
       Windows Server 2008/2008 R2; IIS 7.0/7.5; ASP.NET 3.5
       Windows Authentication (AD)
       Claims-Based Authentication (CBA):
       • Windows Identity Foundation (WIF)
       • Multiple authentication methods per SharePoint Zone (URL)
       • Standards-based (WS-Trust, SAML)
       • Automatic, secure identity delegation
   18. Agenda (section divider, same list as slide 3)
   19. What is Claims-Based Authentication? Your Applications Are Prisoners!
       (diagram: Login.aspx and Page1.aspx tied to credential stores, credential types / APIs and user attribute stores)
   20. Identity in Real Life
       (diagram: externalizes authentication; the application gets user info from the document)
   21. Claims Can Set Your Applications Free
       (diagram: the Identity Provider's STS issues a Security Token carrying Claims to the Relying Party)
   22. CLAIMS DEMO (yes, you can click on the link, it’s a YouTube video)
   23. CBA Terminology
       • Identity: security principal used to configure the security policy
       • Claim (Assertion): attribute of an identity (such as Login Name, First Name, Gender, Age, etc.)
       • Issuer: trusted party that creates claims
       • Security Token: serialized set of claims (assertions) about an authenticated user
       • Issuing Authority: issues security tokens knowing the claims desired by the target application (AD, ASP.NET, LiveID, etc.)
       • Security Token Service (STS): builds, signs and issues security tokens
       • Relying Party: application that makes authorization decisions based on claims
   24. SharePoint 2007 – Identity Flow vs. SharePoint 2010 – Identity Flow
       (diagram; 2007: authentication methods Windows integrated, ASP.NET (FBA) and SAML Web SSO reach the SharePoint Web Application as a Windows Identity or through Membership & Role Providers, access control is roles protected, plus anonymous access; 2010: authentication methods Windows, ASP.NET (FBA) and WebSSO go through WIF and the SharePoint STS (SP-STS) to produce a Claims Based Identity, and the claims-aware, claims-protected SharePoint Web Application, SharePoint Service Applications (Services Application Framework, trusted sub-systems) and Content Database sit behind it)
   25. Externalizing Authentication - Overview
       (diagram: Jill Frank, the SharePoint Web Applications and the SharePoint-STS of Fabrikam Enterprise Farm-A, with a trust between the web applications and the STS)
       1. Attempt access
       2. Redirect to STS for auth
          2.1 Authenticate user (Windows claims)
          2.2 Augment claims
       3. Post token {SP-Token}
          3.1 Extract claims and construct IClaimsPrincipal
   26. Externalizing Authentication – In Detail
       (diagram, steps 1 to 8 between Browser/Client, IIS ASP.NET, the Web Application and the SharePoint-STS Security Token Service; components: WS-Federation Authentication Module, WS-Federation Passive Serializer, Windows Authentication Module, Session Authentication Module, Cookie Management; step 8: cookie)
   27. Claims-Based Authentication Process (diagram)
   28. Agenda (section divider, same list as slide 3)
   29. Sign-In Methods
       Sign-in methods supported in SP 2010:
       • Classic: NT Token → Windows Identity → SPUser
       • Claims: NT Token → Windows Identity; SAML 1.1 (ADFS, Custom, etc.) → SAML Token; ASP.NET (FBA: SQL, LDAP, Custom…) → Claims Based Identity → SPUser
   30. Mixed-Mode Authentication
       Pros: automated authentication
       Cons: single URL per authentication provider
   31. Mixed-Mode Scenario
       (diagram: http://contoso with an Intranet Zone using Windows claims for Employees and an Extranet Zone using FBA claims for Remote Employees)
   32. Mixed-Mode: When to use it
       • Different protocols on different channels: Intranet (HTTP), Extranet (HTTPS)
       • Isolation of authentication providers: dedicate the Extranet to partners only
       • Internet Sites: Publishing Portal authored by employees, consumed by customers
   33. Multi-Mode Authentication
       Pros: single URL
       Cons: single prompt for authentication type
   34. Multi-Mode Scenario
       (diagram: one Intranet Zone offering FBA claims, Windows claims and SAML claims to Employees, Vendors and Partners)
   35. Multi-Mode: When to use it
       • Single experience for different classes of users
       • Single URL experience
       • Partner collaboration sites
       • Federation between two organizations
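The Mixed-Mode and Multi-Mode layouts from the slides above, built with the SharePoint 2010 cmdlets; this is an added example, not code from the presentation. Every name, URL, managed account and certificate path is a placeholder, and the FBA provider names assume "SQLmembership"/"SQLrolemanager" entries already exist in the web application, Central Administration and SecurityTokenServiceApplication web.config files.

```powershell
# Added example (not from the presentation). All names, URLs, accounts and paths
# are placeholders; the FBA provider names assume the SqlMembershipProvider /
# SqlRoleProvider entries are already registered in the three web.config files.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appPoolAccount = Get-SPManagedAccount "CONTOSO\spapppool"

# Windows claims for employees.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# FBA claims backed by the ASP.NET SQL membership/role providers.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider "SQLmembership" `
                                    -ASPNETRoleProviderName "SQLrolemanager"

# SAML claims from a partner's ADFS: trust its token-signing certificate and use
# the e-mail address claim as the identifier that becomes the SPUser login name.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    "C:\certs\partner-adfs-token-signing.cer"
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Partner ADFS" -Description "Partner federation" `
    -Realm "urn:sharepoint:contoso-collab" -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailClaim -SignInUrl "https://adfs.partner.example/adfs/ls/" `
    -IdentifierClaim $emailClaim.InputClaimType
$saml = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer

# Mixed-mode: one authentication method per zone, so one URL per method.
# The Default zone stays HTTP with Windows claims for employees on the LAN ...
$portal = New-SPWebApplication -Name "Contoso Portal" -Url "http://contoso" -Port 80 `
    -ApplicationPool "ContosoPortalAppPool" -ApplicationPoolAccount $appPoolAccount `
    -AuthenticationProvider $windows
# ... and the same content is extended into the Extranet zone over HTTPS with FBA.
New-SPWebApplicationExtension -Identity $portal -Name "Contoso Extranet" -Zone Extranet `
    -Url "https://extranet.contoso.com" -Port 443 -HostHeader "extranet.contoso.com" `
    -SecureSocketsLayer -AuthenticationProvider $fba

# Multi-mode: several methods on one zone and one URL. SharePoint then shows a
# sign-in page asking which method to use, the single prompt the slides list as a con.
New-SPWebApplication -Name "Contoso Collaboration" -Url "https://collab.contoso.com" -Port 443 `
    -HostHeader "collab.contoso.com" -SecureSocketsLayer `
    -ApplicationPool "ContosoCollabAppPool" -ApplicationPoolAccount $appPoolAccount `
    -AuthenticationProvider $windows, $fba, $saml
```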
   36. ASP.NET Providers
       Microsoft provides several OOTB providers: Active Directory, LDAP, ASP.NET SQL Database, ADFS (WebSSO)
       You can write your own too!
       Added in web.config files:
         <system.web>
           <membership>
             <providers>
               <add … />
             </providers>
           </membership>
         </system.web>
   37. Active Directory Membership Provider
         <add name="ADMembershipProvider"
              type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="ADConnection"
              connectionUsername="domainaccount" connectionPassword="password"
              attributeMapUsername="SAMAccountName" />
         <connectionStrings>
           <add connectionString="LDAP://DomainController.local/DC=DomainController,DC=local" name="ADConnection" />
         </connectionStrings>
       Note: no role provider seems to be available…
   38. LDAP Membership Provider/Role Manager
         <add name="LDAPmembership"
              type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
              server="" port="389" useSSL="false"
              userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
              userContainer="OU=UserAccounts,DC=redmond,DC=corp,DC=microsoft,DC=com"
              userObjectClass="person" userFilter="(&amp;(ObjectClass=person))"
              scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
         <add name="LDAProlemanager"
              type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
              server="" port="389" useSSL="false"
              groupContainer="DC=redmond,DC=corp,DC=microsoft,DC=com"
              groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName"
              groupMemberAttribute="member" userNameAttribute="sAMAccountName"
              dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=group))"
              userFilter="(&amp;(ObjectClass=person))" scope="Subtree" />
       Note: only available with MOSS 2007 or SP Server 2010 (not WSS 3.0/SP Foundation 2010)
   39. ASP.NET DB Membership Provider
         <add name="SQLmembership"
              type="System.Web.Security.SqlMembershipProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="FBAConnectionStr"
              enablePasswordRetrieval="false" enablePasswordReset="true"
              requiresQuestionAndAnswer="true" passwordAttemptWindow="10"
              applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" />
         <add name="SQLrolemanager"
              type="System.Web.Security.SqlRoleProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="FBAConnectionStr" applicationName="/" />
         <connectionStrings>
           <add name="FBAConnectionStr" connectionString="server=yourserver;database=aspnetdb;Trusted_Connection=True" providerName="" />
         </connectionStrings>
   40. ADFS Membership Provider
         <add name="SingleSignOnMembershipProvider2"
              type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
              fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
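An added PowerShell check, not part of the presentation, that reads a web.config and flags the provider settings shown in the slides above that weaken an extranet: plain LDAP on port 389, a clear-text connectionPassword, a non-hashed or retrievable SQL password store, and SQL credentials embedded in a connection string. The web.config path is a placeholder.

```powershell
# Added example (not from the presentation): review <membership> providers and
# <connectionStrings> in a SharePoint web.config. The path is a placeholder.
param([string]$WebConfigPath = "C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config")

[xml]$config = Get-Content -Path $WebConfigPath
$systemWeb = $config.configuration.'system.web'
$findings  = New-Object System.Collections.Generic.List[string]

foreach ($p in @($systemWeb.membership.providers.add)) {
    if ($null -eq $p) { continue }
    $tag = "membership provider '$($p.name)'"

    # LDAP provider: bind credentials and user passwords cross the wire in clear text
    # unless the connection is LDAPS (the slides' sample uses port 389, useSSL="false").
    if ($p.type -like '*LdapMembershipProvider*' -and $p.useSSL -ne 'true') {
        $findings.Add("$tag talks plain LDAP on port $($p.port); set useSSL='true' and port 636")
    }

    # AD provider: the service-account password is a literal in the file.
    if ($p.type -like '*ActiveDirectoryMembershipProvider*' -and $p.connectionPassword) {
        $findings.Add("$tag stores connectionPassword in clear text; encrypt the section with aspnet_regiis -pe")
    }

    if ($p.type -like '*SqlMembershipProvider*') {
        # Hashed (the ASP.NET default) is the only format that keeps stored passwords
        # non-recoverable; Clear and Encrypted can both be turned back into plaintext.
        if ($p.passwordFormat -and $p.passwordFormat -ne 'Hashed') {
            $findings.Add("$tag uses passwordFormat='$($p.passwordFormat)'; use Hashed")
        }
        if ($p.enablePasswordRetrieval -eq 'true') {
            $findings.Add("$tag allows password retrieval; set enablePasswordRetrieval='false'")
        }
        # Account lockout (one of the extranet challenges the slides list): the provider
        # defaults to 5 attempts per window; a large override leaves guessing unchecked.
        if ($p.maxInvalidPasswordAttempts -and [int]$p.maxInvalidPasswordAttempts -gt 10) {
            $findings.Add("$tag allows $($p.maxInvalidPasswordAttempts) invalid attempts before lockout")
        }
    }
}

# Connection strings: an embedded SQL password is another clear-text secret in the
# file; the slides' sample uses Trusted_Connection=True instead.
foreach ($cs in @($config.configuration.connectionStrings.add)) {
    if ($null -ne $cs -and $cs.connectionString -match '(?i)(password|pwd)\s*=') {
        $findings.Add("connection string '$($cs.name)' embeds a SQL password; use Trusted_Connection=True")
    }
}

if ($findings.Count -eq 0) { "No weak provider settings found in $WebConfigPath" }
else { $findings | ForEach-Object { "WARN: $_" } }
```

Run it once per web.config that carries the providers (the web application, Central Administration and the SecurityTokenServiceApplication), since the slides note that all three must be kept in step.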
   41. Challenges in extranet scenarios
       • Graceful, branded login page
       • Ability to delegate user management to business users or external users
       • Self-service capability: password reminder, password reset, profile management
       • Registration forms: activation links, Captcha, etc…
       • Automated notifications
       • Account lockout mechanism
       • Identity confidentiality
   42. Windows Claims in Extranet Scenarios
       Pros: OOTB support in SharePoint; security
       Cons: separate AD/network/farm for the extranet; managed by IT (not business users); no OOTB self-service capability; no OOTB user management delegation; requires the ASP.NET AD Provider (or FIM 2010) to avoid the dreaded Basic Authentication prompt
   43. FBA Claims in Extranet Scenarios
       Pros: lightweight footprint on infrastructure; flexibility (development)
       Cons: many manual configuration steps (3 web.config files to update… at least!); hard to troubleshoot; no OOTB full name resolution; no self-service capability/delegated administration…
       Steve Peschka on the MS SharePoint blog: “Admittedly, there are many steps involved in configuring multiple authentication providers for SharePoint”
   44. Trusted Provider Claims in Extranet Scenarios
       Pros: easier configuration; reusability (across other applications); it’s the future of authentication (OpenID/OAuth…)
       Cons: new technology → scarce skilled resources; development complexity
   45. Extranet Best Practices
       • Branded sites: use an anonymous top-level site collection with a custom login web part; secure content in sub-sites or, even better, in site collections
       • User multi-tenancy: do NOT use sub-sites, because the User Information List is at site collection level and is always available in the Picker Control for ALL users; use one site collection per external organization
       • Implement a filtering mechanism in the People Picker control: stsadm -o setproperty -pn peoplepicker-searchadcustomquery for AD; custom filtering in the Find…() methods of an ASP.NET Membership Provider
   46. Agenda (section divider, same list as slide 3)
   47. Setting up a SharePoint Extranet is complex…
   48. ..but XtraShare delivers SharePoint Extranets for the Masses!
   49. XtraShare for SharePoint
       A fully-packaged, tightly integrated extranet enablement solution for companies of all sizes
   50. A Fully Packaged Solution: Key Automation Benefits
       • Delivering on the Promise
       • Technical expertise is no longer needed
       • Point-to-click installer
       • Full Automation
       • Administration Site provisioned at installation time
       • Creates the user store (SQL DB) from the SharePoint UI
       • Complex modifications of configuration files
       • CBA web application configuration
       • Web Parts deployment
       • Adds a Login Web Part on the home page for anonymous sites
       • …
   51. A Tightly Integrated Solution: Key Architectural Features
       • Fully built on .NET and SharePoint features
       • Management site integrated in SharePoint Central Administration
       • Configuration, FBA activation, user/group management
       • Site template for delegated user management
       • Web Parts for login, self-registration, password reset, password reminder, profile management
   52. Opening the Door to New Usages: Scenarios made possible by XtraShare
       • Customer and Partner Extranet Sites
       • Credential Notifications (Email Templates)
       • User-to-SPGroup Assignment (Drag’n’Drop TreeView)
       • Mass import/update of users (Object Model)
       • Anonymous Internet Sites
       • Extensible Self-Registration w/ Captcha
       • Default Group Assignment
       • Password Change/Password Reminder
       • Social Networking/Community Sites
       • Delegated Administration
       • Multi-Tenancy
   53. DEMO (yes, you can click on the link ;-)
   54. Deciphering the XtraShare “Magic”: Inside the XtraShare Installer
       • Installation of 3 SharePoint Solutions: Administration, End-User Web Parts, Site Templates
       • Deployment of membership/role providers to the GAC
       • Creation of the Administration Site
       • Central Administration CBA readiness: web.config modifications to support membership/role providers
       • SiteMap update of Central Administration: modification of admin.sitemap for easy navigation
       • Resource files deployment: deployed to the CA App_GlobalResources folder
   55. Partner Opportunities: How to customize XtraShare
       • Object Model/Web Service to interact with the XtraShare objects (users/groups…)
       • Full source code of Web Parts provided upon request
       • Extensible Event Trigger Mechanism, useful to implement registration workflows
   56. Thanks to…
       • Brian Culver’s Extranet presentation
       • SharePoint 2010 Unleashed (by Michael Noel)
       • Windows Identity Foundation Training Kit
       • Extranet Topologies for SharePoint 2010:
   57. References
       • An Introduction to Claims
       • Windows Identity Foundation
       • Plan authentication methods (SP 2010)
   58. If you want to know more… Contact us at info@rl-soft.com. Download and evaluate XtraShare at