How to deploy SharePoint 2010 to external users?

A presentation about all the different aspects to be aware of when deploying SharePoint 2010 as an extranet platform, as well as the available options for network topologies and authentication methods.

Published in: Technology

Comments
  • Are those glasses of beer on slide 20? Now I'm thirsty...
  • Awesome presentation!

Notes
  • Authentication = the mechanism whereby systems may securely identify their users. Authorization = the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
  • Transcript

    • 1. How to deploy SharePoint to Extranet Users?
      Raphael Londner
      Silicon Valley SharePoint User Group
      02/10/2011
    • 2. © RL Soft 2011
      Who am I?
      SharePoint, .NET, SQL Server, AD… since 2001
      Founder of RL Soft
      www.rl-soft.com
      www.rl-soft.com/en/blog
      @rlondner
      www.youtube.com/xtrashare
    • 3. Agenda
      Definition and Scenarios
      Extranet Network Topologies
      Identity Management in SharePoint
      Claims-Based Authentication
      SharePoint 2010 Authentication Options
      XtraShare for SharePoint Highlight
    • 4. Agenda (section divider; same list as slide 3)
    • 5. Extranet - Definition
      A web application shared with external users, such as partners, vendors, customers, community users, industry peers…
      Typical attributes of an extranet:
      • Requires authenticated access, but the identity of the user is not always known
      • Has stronger security controls than an Internet web site but usually less secure than an Intranet
    • 6. Common Extranet Scenarios
      Scenario types: Line of Business Applications, Collaboration, Static Content or Publishing
      Audiences: Remote Employees, Partners, Community Sites
      Partners: isolate and segregate data; authorize users to access only the sites and data that are necessary for their contributions; restrict partners from viewing other partners’ data
      Community Sites: foster a community of users with shared interests; allow users to register; self-service tools (password reminder, profile update…); delegate user administration
    • 7. Extranet Design Considerations
      Network Topologies
      Identity Management
    • 8. Agenda (section divider; same list as slide 3)
    • 9. Edge Firewall Topology
      Pros
      Least amount of hardware, software and configuration
      Single point of data
      Cons
      Single firewall between corporate network and the Internet
    • 10. Back-to-back Perimeter
      Pros
      Isolated, extranet farm
      External user access isolated to the perimeter network
      Cons
      Additional network infrastructure, hardware, software licenses…
    • 11. Split-to-back Perimeter
      Pros
      Single SQL Server Store, app servers (only) in corporate network
      Cons
      Increased complexity (domain trusts…)
    • 12. Agenda (section divider; same list as slide 3)
    • 13. Terminology
      Authentication
      Creates an identity for a security principal
      Who am I?
      Authorization
      Determines which resources a user has access to
      What can I access?
      SharePoint does not authenticate but does authorize
      SharePoint creates user profiles (SPUser)
      Stored in the User Information List at the site collection level
    • 14. SharePoint 2001
      Windows Server 2000/IIS 5.0
      ASP 3.0
      Windows Authentication (Active Directory)
    • 15. SharePoint 2003
      Windows Server 2003/IIS 6.0
      ASP.NET 1.1 (2.0 with SP1)
      Windows Authentication (Active Directory)
    • 16. SharePoint 2007
      Windows Server 2003/2008
      IIS 6.0/7.0
      ASP.NET 2.0
      Windows Authentication (Active Directory)
      Forms-Based Authentication (FBA)
      Allows users to connect through a web form
      ASP.NET 2.0 Membership Provider/Role Manager
      Can authenticate users against “any” user store
      Web SSO (ADFS), LDAP, SQL…
      One authentication method per SharePoint Zone
    • 17. SharePoint 2010
      Windows Server 2008/2008 R2
      IIS 7.0/7.5
      ASP.NET 3.5
      Windows Authentication (AD)
      Claims-Based Authentication (CBA)
      Windows Identity Foundation (WIF)
      Multiple authentication methods per SharePoint Zone (Url)
      Standards-based (WS-Trust, SAML)
      Automatic, secure identity delegation
    • 18. Agenda (section divider; same list as slide 3)
    • 19. What is Claims-Based Authentication?
      Your Applications Are Prisoners!
      (diagram: Login.aspx and Page1.aspx bound directly to Credential Stores, Credential Types / APIs and User Attributes Stores)
    • 20. Identity in Real Life
      (diagram: externalizes authentication; the application gets user info from the document)
    • 21. Claims Can Set Your Applications Free
      (diagram: Identity Provider / STS issues Claims inside a Security Token to the Relying Party)
    • 22. CLAIMS DEMO
      (yes, you can click on the link, it’s a YouTube video)
    • 23. CBA Terminology
      Identity: security principal used to configure the security policy
      Claim (Assertion): attribute of an identity (such as Login Name, First Name, Gender, Age, etc.)
      Issuer: trusted party that creates claims
      Security Token: serialized set of claims (assertions) about an authenticated user
      Issuing Authority: issues security tokens knowing claims desired by target application (AD, ASP.NET, LiveID, etc.)
      Security Token Service (STS): builds, signs and issues security tokens
      Relying Party: application that makes authorization decisions based on claims
    • 24. SharePoint 2007 – Identity Flow vs. SharePoint 2010 – Identity Flow (diagram)
      2007 side: authentication methods Windows (Windows integrated), ASP.Net (FBA) through Membership & Role Providers, SAML Web SSO; access control roles protected or anonymous access; a Windows Identity flows from Client to SharePoint Web Application to Content Database.
      2010 side: Windows, FBA and WebSSO all pass through WIF and the SP-STS (WIF – SPSTS); result is a Claims Based Identity; access control claims protected; claims-aware SharePoint Service Applications reached through the Services Application Framework as trusted sub-systems; Auth and App logic separated in the Web Application.
    • 25. Externalizing Authentication - Overview
      Diagram actors: Jill Frank (user), SharePoint Web Applications in Farm-A, SharePoint-STS, Fabrikam Enterprise (source of Windows claims); the web applications trust the SharePoint-STS.
      1. Attempt access
      2. Redirect to STS for auth
      2.1 Authenticate user
      2.2 Augment claims
      3. Post Token {SP-Token}
      3.1 Extract Claims and construct IClaimsPrincipal
    • 26. Externalizing Authentication – In Detail
      Diagram components (steps 1–8 drawn between them, only step 8 labelled): Browser / Client; IIS ASP.NET; WS-Federation Authentication Module; Windows Authentication Module; WS-Federation Passive Serializer; Session Authentication Module; Cookie Management; SharePoint-STS (Security Token Service); Web Application.
      8. Cookie
    • 27. Claims-Based Authentication Process
    • 28. Agenda (section divider; same list as slide 3)
    • 29. Sign-In Methods
      Sign-in methods supported in SP 2010:
      Classic: NT Token / Windows Identity → SPUser
      Claims: NT Token / Windows Identity; SAML 1.1 (ADFS, Custom, etc.); ASP.NET FBA (SQL, LDAP, Custom…) → SAML Token / Claims Based Identity → SPUser
    • 30. Mixed-Mode Authentication
      Pros
      Automated Authentication
      Cons
      Single Url per Authentication Provider
    • 31. Mixed-Mode Scenario
      Intranet Zone, http://contoso: Windows claims, Employees
      Extranet Zone, https://extranet.contoso.com: FBA claims, Remote Employees
    • 32. Mixed-Mode: When to use it
      Different protocols on different channels
      Intranet (HTTP)
      Extranet (HTTPS)
      Isolation of authentication providers
      Dedicate Extranet to partners only
      Internet Sites
      Publishing Portal
      Authored by employees
      Consumed by customers
    • 33. Multi-Mode Authentication
      Pros
      Single Url
      Cons
      Single Prompt for Authentication Type
    • 34. Multi-Mode Scenario
      Intranet Zone, https://Corporate.contoso.com: FBA claims, Windows claims and SAML claims on the same URL
      Audiences: Employees, Vendors, Partners
    • 35. Multi-Mode: When to use it
      Single experience for different classes of users
      Single URL experience
      Partner collaboration sites
      Federation between two organizations
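      The two layouts from slides 30 to 35, provisioned with the SharePoint 2010 Management Shell. This is an added example, not code from the deck or from RL Soft: the host names, the managed account CONTOSO\sp_extranet, the application pool names, the ADFS sign-in URL, the token-signing certificate path and the realm are assumed placeholders; the FBA provider names are the ones registered on slide 38.

```powershell
# Added example (not from the original deck). Assumes an existing farm, a
# managed account CONTOSO\sp_extranet, and membership/role providers named
# "LDAPmembership"/"LDAProlemanager" already present in the web.config files.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Mixed mode (slide 31): one authentication type per zone / URL ----------
# Windows claims for employees on the Default zone.
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

$wa = New-SPWebApplication -Name "Contoso Collaboration" `
    -Url "http://contoso" -Port 80 `
    -ApplicationPool "ContosoAppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\sp_extranet") `
    -AuthenticationProvider $win

# FBA claims for remote employees, on a separate HTTPS URL (Extranet zone).
$fba = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider "LDAPmembership" `
    -ASPNETRoleProviderName "LDAProlemanager"

New-SPWebApplicationExtension -Identity $wa -Name "Contoso Extranet" `
    -Zone Extranet -Url "https://extranet.contoso.com" -Port 443 `
    -HostHeader "extranet.contoso.com" -SecureSocketsLayer `
    -AuthenticationProvider $fba

# --- Multi mode (slide 34): several providers on one zone / URL -------------
# Trusted identity provider (SAML 1.1 via ADFS). The ADFS token-signing
# certificate is exported beforehand; the path is a placeholder.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

$email = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$adfs = New-SPTrustedIdentityTokenIssuer -Name "ADFS" `
    -Description "Contoso ADFS" `
    -Realm "urn:sharepoint:corporate" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $email `
    -SignInUrl "https://fs.contoso.com/adfs/ls/" `
    -IdentifierClaim $email.InputClaimType
$saml = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $adfs

# One web application, one URL, three sign-in methods. Users choose one on the
# sign-in page (the "single prompt for authentication type" con on slide 33).
New-SPWebApplication -Name "Contoso Corporate" `
    -Url "https://corporate.contoso.com" -Port 443 `
    -HostHeader "corporate.contoso.com" -SecureSocketsLayer `
    -ApplicationPool "CorporateAppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\sp_extranet") `
    -AuthenticationProvider $win, $fba, $saml

# Check: list the claims providers accepted by every zone of every web app.
Get-SPWebApplication | ForEach-Object {
    $app = $_
    foreach ($zone in $app.IisSettings.Keys) {
        $names = $app.IisSettings[$zone].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }
        "{0} [{1}]: {2}" -f $app.DisplayName, $zone, ($names -join ", ")
    }
}
```

      The check at the end is what you want after either layout: in mixed mode each zone should list exactly one provider, in multi mode the single zone should list all three. Adding the providers to the web application does not by itself register the ASP.NET providers; the web.config entries from slides 36 to 40 still have to exist in the web application, Central Administration and STS web.config files (the "3 web.config files" of slide 43).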
    • 36. ASP.NET Providers
      Microsoft provides several OOTB providers
      Active Directory
      LDAP
      ASP.NET SQL Database
      ADFS (WebSSO)
      You can write your own too!
      Added in web.config files:
      <system.web>
        <membership>
          <providers>
            <add … />
          </providers>
        </membership>
      </system.web>
    • 37. Active Directory Membership Provider
      <add name="ADMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADConnection"
           connectionUsername="domainaccount"
           connectionPassword="password"
           attributeMapUsername="SAMAccountName" />
      <connectionStrings>
        <add name="ADConnection" connectionString="LDAP://DomainController.local/DC=DomainController,DC=local" />
      </connectionStrings>
      Note: no role provider seems to be available…
      Note: connectionUsername/connectionPassword sit in clear text in web.config unless the <membership> section is encrypted with ASP.NET protected configuration.
    • 38. LDAP Membership Provider/Role Manager
      <add name="LDAPmembership"
           type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="redmond.corp.microsoft.com" port="389" useSSL="false"
           userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
           userContainer="OU=UserAccounts,DC=redmond,DC=corp,DC=microsoft,DC=com"
           userObjectClass="person" userFilter="(&amp;(ObjectClass=person))"
           scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
      <add name="LDAProlemanager"
           type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="redmond.corp.microsoft.com" port="389" useSSL="false"
           groupContainer="DC=redmond,DC=corp,DC=microsoft,DC=com"
           groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName"
           groupMemberAttribute="member" userNameAttribute="sAMAccountName"
           dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=group))"
           userFilter="(&amp;(ObjectClass=person))" scope="Subtree" />
      Note: Only available with MOSS 2007 or SP Server 2010 (not WSS 3.0/SP Foundation 2010)
      Note: port="389" with useSSL="false" sends the LDAP bind, and therefore the user’s password, in clear text between the WFE and the directory; use useSSL="true" with port="636" unless that hop is on a trusted network.
    • 39. ASP.NET DB Membership Provider
      <add name="SQLmembership"
           type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="FBAConnectionStr"
           enablePasswordRetrieval="false" enablePasswordReset="true"
           requiresQuestionAndAnswer="true" passwordAttemptWindow="10"
           applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" />
      <add name="SQLrolemanager"
           type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="FBAConnectionStr" applicationName="/" />
      <connectionStrings>
        <add name="FBAConnectionStr" connectionString="server=yourserver;database=aspnetdb;Trusted_Connection=True" providerName="" />
      </connectionStrings>
    • 40. ADFS Membership Provider
      <add name="SingleSignOnMembershipProvider2"
           type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
           fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
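      The provider entries on slides 37 to 39 leave an AD bind password and a SQL connection string readable by anyone who can open web.config. ASP.NET protected configuration encrypts those sections in place, and this is the step a practitioner adds after the entries are in. Added example, not code from the deck or from RL Soft: the virtual-directory paths and the account name CONTOSO\sp_extranet are assumed placeholders.

```powershell
# Added example (not from the original deck): encrypt the sections that hold
# provider secrets with aspnet_regiis (RsaProtectedConfigurationProvider).
# Assumptions: paths and the application pool account are placeholders.
# SharePoint 2010 runs on the 2.0 CLR, so use the v2.0.50727 tool.
$regiis = Join-Path $env:windir "Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"

# Every web.config that received the provider entries (one per zone here).
$vdirs = @(
    "C:\inetpub\wwwroot\wss\VirtualDirectories\extranet.contoso.com443",
    "C:\inetpub\wwwroot\wss\VirtualDirectories\80"
)

# The application pool identity must be able to read the machine key
# container, otherwise decryption fails at runtime with a config error.
& $regiis -pa "NetFrameworkConfigurationKey" "CONTOSO\sp_extranet"
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed" }

foreach ($dir in $vdirs) {
    # connectionUsername/connectionPassword live in system.web/membership;
    # LDAP/SQL connection details live in connectionStrings.
    & $regiis -pef "system.web/membership" $dir
    if ($LASTEXITCODE -ne 0) { throw "membership encryption failed for $dir" }
    & $regiis -pef "connectionStrings" $dir
    if ($LASTEXITCODE -ne 0) { throw "connectionStrings encryption failed for $dir" }
}

# Check: an encrypted section carries configProtectionProvider and an
# <EncryptedData> child, and no connectionPassword= survives in plain text.
foreach ($dir in $vdirs) {
    $path = Join-Path $dir "web.config"
    [xml]$cfg = Get-Content $path
    $m = $cfg.configuration.'system.web'.membership
    if ($m.configProtectionProvider -ne "RsaProtectedConfigurationProvider") {
        Write-Warning "$path : membership section is not encrypted"
    }
    if (Select-String -Path $path -Pattern 'connectionPassword=' -Quiet) {
        Write-Warning "$path : clear-text connectionPassword still present"
    }
    else {
        Write-Output "$path : provider secrets encrypted"
    }
}
```

      Run it on each WFE, or export the RSA key container from one server with aspnet_regiis -px and import it on the others with -pi so that a web.config encrypted on one WFE decrypts on all of them. Encrypting the section changes nothing for the provider at runtime; ASP.NET decrypts it transparently. It does not protect the SQL password if the connection string uses SQL authentication instead of Trusted_Connection=True, other than hiding it from people who only have read access to the file.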
    • 41. Challenges in extranet scenarios
      Graceful, branded login page
      Ability to delegate user management
      To business users or external users
      Self-service capability
      Password reminder, password reset, profile management
      Registration forms
      Activation links, Captcha, etc…
      Automated Notifications
      Account Lockout mechanism
      Identity Confidentiality
    • 42. Windows Claims in Extranet Scenarios
      Pros
      OOTB Support in SharePoint
      Security
      Cons
      Separate AD/network/farm for extranet
      Managed by IT (not business users)
      No OOTB Self-Service Capability
      No OOTB User Management Delegation
      Requires the ASP.NET AD Membership Provider (or FIM 2010) to avoid the dreaded browser credential prompt that Windows authentication (401 challenge) triggers for external users
    • 43. FBA Claims in Extranet Scenarios
      Pros
      Lightweight footprint on infrastructure
      Flexibility (development)
      Cons
      Many manual configuration steps
      3 web.config files to update… at least!
      Hard to troubleshoot
      Steve Peschka on the MS SharePoint blog: “Admittedly, there are many steps involved in configuring multiple authentication providers for SharePoint”
      No OOTB Full Name Resolution
      No Self-Service Capability/Delegated Administration…
    • 44. Trusted Provider Claims in Extranet Scenarios
      Pros
      Easier configuration
      Reusability (across other applications)
      It’s the future of authentication
      OpenID/OAuth…
      Cons
      New technology → scarce skilled resources
      Development complexity
    • 45. Extranet Best Practices
      Branded sites
      Use anonymous top-level site collection with custom login web part
      Secure content in sub-sites or even better site collections
      User Multi-Tenancy
      Do NOT use sub-sites
      User Information List is at site collection level and is always available in the Picker Control for ALL users
      Use one site collection per external organization
      Implement a filtering mechanism in the People Picker control
      stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv "<LDAP filter>" -url <web application URL> for AD
      Custom filtering in Find…() methods for an ASP.NET Membership Provider
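      The People Picker filtering from slide 45, as the SharePoint 2010 Management Shell equivalent of the stsadm property, plus the companion setting that confines resolution to users already in the site collection. Added example, not code from the deck or from RL Soft: the web application URL, the group DN and the OU are assumed placeholders.

```powershell
# Added example (not from the original deck): scope the People Picker of an
# extranet web application. Assumptions: URL, OU and group DN are placeholders.
# Written for PowerShell 2.0, which is what the SP 2010 Management Shell runs.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-ExtranetPeoplePickerScope {
    param(
        [Parameter(Mandatory=$true)] [string] $WebAppUrl,
        # LDAP filter ANDed with the picker's own AD search. Only affects
        # Windows/AD-backed accounts. Same setting as:
        #   stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv "<filter>" -url <url>
        [string] $AdCustomQuery = "(memberOf=CN=ExtranetUsers,OU=Partners,DC=contoso,DC=com)",
        # Resolve only users already present in the current site collection's
        # User Information List, whichever provider authenticated them. Same as:
        #   stsadm -o setproperty -pn peoplepicker-onlysearchwithinsitecollection -pv yes -url <url>
        [bool] $OnlyWithinSiteCollection = $true
    )
    $wa = Get-SPWebApplication $WebAppUrl
    $pp = $wa.PeoplePickerSettings
    $pp.ActiveDirectoryCustomQuery = $AdCustomQuery
    $pp.PeopleEditorOnlyResolveWithinSiteCollection = $OnlyWithinSiteCollection
    $wa.Update()
}

function Get-ExtranetPeoplePickerScope {
    param([Parameter(Mandatory=$true)] [string] $WebAppUrl)
    $pp = (Get-SPWebApplication $WebAppUrl).PeoplePickerSettings
    New-Object PSObject -Property @{
        WebApplication             = $WebAppUrl
        ActiveDirectoryCustomQuery = $pp.ActiveDirectoryCustomQuery
        OnlyWithinSiteCollection   = $pp.PeopleEditorOnlyResolveWithinSiteCollection
    }
}

Set-ExtranetPeoplePickerScope -WebAppUrl "https://extranet.contoso.com"
Get-ExtranetPeoplePickerScope -WebAppUrl "https://extranet.contoso.com"
```

      Both settings live on the web application, so they apply to every zone and every site collection in it: the AD filter can narrow the picker to the extranet population as a whole (one OU or group), not to a single partner. Per-partner isolation still comes from the slide’s own rule, one site collection per external organization, combined with the site-collection-only resolution above. For FBA-backed users the equivalent filtering belongs in the membership provider’s FindUsersByName/FindUsersByEmail, as the second bullet says.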
    • 46. Agenda (section divider; same list as slide 3)
    • 47. Setting up a SharePoint Extranet is complex…
    • 48. ..but XtraShare delivers SharePoint Extranets for the Masses!
    • 49. XtraShare for SharePoint
      A fully-packaged,
      tightly integrated extranet enablement solution
      for companies of all sizes
    • 50. A Fully Packaged Solution: Key Automation Benefits
      Delivering on the Promise
      Technical expertise is no longer needed
      Point-to-click installer
      Full Automation
      Administration Site provisioned at installation time
      Creates the user store (SQL DB) from the SharePoint UI
      Complex modifications of configuration files
      CBA web application configuration
      Web Parts deployment
      Adds a Login Web Part on home page for anonymous sites
    • A Tightly Integrated Solution: Key Architectural Features
      Fully built on .NET and SharePoint features
      Management site integrated in SharePoint Central Administration
      Configuration, FBA activation, user/group management
      Site template for delegated user management
      Web Parts for login, self-registration, password reset, password reminder, profile management
    • Opening the Door to New Usages: Scenarios made possible by XtraShare
      Customer and Partner Extranet Sites
      Credential Notifications (Email Templates)
      User-to-SPGroup Assignment (Drag’n’Drop TreeView)
      Mass import/update of users (Object Model)
      Anonymous Internet Sites
      Extensible Self-Registration w/ Captcha
      Default Group Assignment
      Password Change/Password Reminder
      Social Networking/Community Sites
      Delegated Administration
      Multi-Tenancy
    • DEMO
      (yes, you can click on the link ;-)
    • 75. Deciphering the XtraShare “Magic”: Inside the XtraShare Installer
      Installation of 3 SharePoint Solutions
      Administration, End-User Web Parts, Site Templates
      Deployment of membership/role providers to GAC
      Creation of Administration Site
      Central Administration CBA readiness
      Web.config modifications to support membership/role providers
      SiteMap Update of Central Administration
      Modification of admin.sitemap for easy navigation
      Resource Files Deployment
      Deployed to CA App_GlobalResources folder
    • 76. Partner Opportunities
      How to customize XtraShare
      Object Model/Web Service to interact with the XtraShare objects (users/groups…)
      Full source code of Web Parts provided upon request
      Extensible Event Trigger Mechanism
      Useful to implement registration workflows
    • 77. Thanks to…
      Brian Culver’s Extranet presentation
      http://www.slideshare.net/bculver/sharepoint-2010-extranets-and-authentication-how-will-sharepoint-2010-connect-you-to-your-partners
      SharePoint 2010 Unleashed (by Michael Noel)
      http://www.amazon.com/Microsoft-SharePoint-2010-Unleashed-Michael/dp/0672333252
      Windows Identity Foundation Training Kit
      http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0
      Extranet Topologies for SharePoint 2010:
      http://www.microsoft.com/downloads/en/details.aspx?FamilyID=EB4BFF25-BABA-4112-B518-F2FC442D5467
    • 78. References
      An Introduction to Claims
      http://msdn.microsoft.com/en-us/library/ff359101.aspx
      Windows Identity Foundation
      http://msdn.microsoft.com/en-us/security/aa570351.aspx
      Plan authentication methods (SP 2010)
      http://technet.microsoft.com/en-us/library/cc262350.aspx
    • 79. If you want to know more…
      Contact us at info@rl-soft.com
      Download and evaluate XtraShare at http://www.rl-soft.com