How to deploy SharePoint 2010 to external users?

A presentation about all the different aspects to be aware of when deploying SharePoint 2010 as an extranet platform, as well as the available options for network topologies and authentication methods.

Comments

  • Are those glasses of beer on slide 20? Now I'm thirsty...
  • Awesome presentation!
  • Authentication = the mechanism whereby systems may securely identify their users. Authorization = the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.

Presentation Transcript

  • How to deploy SharePoint to Extranet Users?
    Raphael Londner
    SiliconValley SharePoint User Group
    02/10/2011
  • © RL Soft 2011
    Who am I?
    SharePoint, .NET, SQL Server, AD… since 2001
    Founder of RL Soft
    www.rl-soft.com
    www.rl-soft.com/en/blog
    @rlondner
    www.youtube.com/xtrashare
  • Agenda
    Definition and Scenarios
    Extranet Network Topologies
    Identity Management in SharePoint
    Claims-Based Authentication
    SharePoint 2010 Authentication Options
    XtraShare for SharePoint Highlight
  • Extranet - Definition
    A web application shared with external users, such as partners, vendors, customers, community users, industry peers…
    Typical attributes of an extranet:
    • Requires authenticated access, but the identity of the user is not always known in advance (users are often not in the corporate directory)
    • Has stronger security controls than a public Internet web site, but is usually less locked down than an intranet
  • Common Extranet Scenarios
    Application types: Line of Business Applications, Collaboration, Static Content or Publishing
    User types: Remote Employees, Partners, Community Sites
    Partners:
    Isolate and segregate data
    Authorize users to only access sites and data that are necessary for their contributions
    Restrict partners from viewing other partners’ data
    Community Sites:
    Foster a community of users with shared interests
    Allow users to register
    Self-service tools (password reminder, profile update…)
    Delegate user administration
  • Extranet Design Considerations
    Network Topologies
    Identity Management
  • Edge Firewall Topology
    Pros
    Least amount of hardware, software and configuration
    Single point of data
    Cons
    Single firewall between corporate network and the Internet
  • Back-to-back Perimeter
    Pros
    Isolated, extranet farm
    External user access isolated to the perimeter network
    Cons
    Additional network infrastructure, hardware, software licenses…
  • Split Back-to-Back Perimeter
    Pros
    Single SQL Server store; only the database (and application) servers sit in the corporate network, the web servers stay in the perimeter
    Cons
    Increased complexity (domain trusts…)
  • Terminology
    Authentication
    Creates an identity for a security principal
    Who am I?
    Authorization
    Determines which resources a user has access to
    What can I access?
    SharePoint itself does not authenticate (IIS, ASP.NET or the STS does); it does authorize
    SharePoint creates user profiles (SPUser)
    Stored in the User Information List at the site collection level
  • SharePoint 2001
    Windows Server 2000/IIS 5.0
    ASP 3.0
    Windows Authentication (Active Directory)
  • SharePoint 2003
    Windows Server 2003/IIS 6.0
    ASP.NET 1.1 (2.0 with SP1)
    Windows Authentication (Active Directory)
  • SharePoint 2007
    Windows Server 2003/2008
    IIS 6.0/7.0
    ASP.NET 2.0
    Windows Authentication (Active Directory)
    Forms-Based Authentication (FBA)
    Allows users to connect through a web form
    ASP.NET 2.0 Membership Provider/Role Manager
    Can authenticate users against “any” user store
    Web SSO (ADFS), LDAP, SQL…
    One authentication method per SharePoint Zone
  • SharePoint 2010
    Windows Server 2008/2008 R2
    IIS 7.0/7.5
    ASP.NET 3.5
    Windows Authentication (AD)
    Claims-Based Authentication (CBA)
    Windows Identity Foundation (WIF)
    Multiple authentication methods per SharePoint Zone (Url)
    Standards-based (WS-Trust, SAML)
    Automatic, secure identity delegation
  • What is Claims-Based Authentication?
    Your Applications Are Prisoners!
    [Diagram: a classic application (Login.aspx, Page1.aspx) bound directly to its own credential stores, credential types/APIs and user attribute stores]
  • Identity in Real Life
    [Diagram: authentication is externalized to a trusted document; the application gets the user info from the document instead of verifying it itself]
  • Claims Can Set Your Applications Free
    [Diagram: the Identity Provider's STS issues a Security Token carrying Claims; the Relying Party consumes the token]
  • CLAIMS DEMO
    (the slide links to a YouTube video)
  • CBA Terminology
    Identity: security principal used to configure the security policy
    Claim (Assertion): attribute of an identity (such as Login Name, First Name, Gender, Age, etc.)
    Issuer: trusted party that creates claims
    Security Token: serialized set of claims (assertions) about an authenticated user
    Issuing Authority: issues security tokens knowing claims desired by target application (AD, ASP.NET, LiveID, etc.)
    Security Token Service (STS): builds, signs and issues security tokens
    Relying Party: application that makes authorization decisions based on claims
  • SharePoint 2007 – Identity Flow / SharePoint 2010 – Identity Flow
    [Diagram, SharePoint 2007: authentication methods are Windows (Windows integrated), ASP.NET FBA (Membership & Role Providers, roles protected) and SAML Web SSO, plus anonymous access; the web application's app logic and the SharePoint Service Applications work on a Windows Identity]
    [Diagram, SharePoint 2010: the same methods (Windows, ASP.NET FBA, SAML Web SSO) go through WIF and the SharePoint STS (SP-STS) and produce a Claims Based Identity; the web application, the Services Application Framework and the trusted sub-systems are claims-aware and claims protected, with the client and the content database at either end of the flow]
  • Externalizing Authentication - Overview
    [Diagram: Jill Frank of Fabrikam Enterprise accessing the SharePoint Web Applications of Farm-A, which trust the SharePoint-STS]
    1. Attempt access
    2. Redirect to STS for auth
    2.1 Authenticate user (Windows claims)
    2.2 Augment claims
    3. Post Token {SP-Token}
    3.1 Extract Claims and construct IClaimsPrincipal
  • Externalizing Authentication – In Detail
    [Diagram, steps 1 to 8 between the Client (Browser), IIS ASP.NET, the Web Application and the SharePoint-STS: WS-Federation Authentication Module, Windows Authentication Module, WS-Federation Passive Serializer, Security Token Service, Session Authentication Module and Cookie Management; the flow ends with 8. Cookie returned to the browser]
  • Claims-Based Authentication Process
    [Diagram]
  • Sign-In Methods
    Sign-in methods supported in SP 2010:
    Classic: NT Token → Windows Identity → SPUser
    Claims:
    NT Token → Windows Identity
    SAML 1.1 + ADFS, Custom, etc.
    ASP.NET (FBA): SQL, LDAP, Custom …
    each of these yields a SAML Token → Claims Based Identity → SPUser
  • Mixed-Mode Authentication
    Pros
    Automatic authentication: each zone has exactly one sign-in method, so users are never asked to choose one
    Cons
    One URL (zone) per authentication provider
  • Mixed-Mode Scenario
    [Diagram] One web application, two zones:
    Extranet Zone, https://extranet.contoso.com: FBA claims (Remote Employees)
    Intranet Zone, http://contoso: Windows claims (Employees)
  • Mixed-Mode: When to use it
    Different protocols on different channels
    Intranet (HTTP)
    Extranet (HTTPS)
    Isolation of authentication providers
    Dedicate Extranet to partners only
    Internet Sites
    Publishing Portal
    Authored by employees
    Consumed by customers
  • Multi-Mode Authentication
    Pros
    Single URL for every class of user
    Cons
    Users must pick their authentication type from a sign-in selection prompt
  • Multi-Mode Scenario
    [Diagram] One web application, one zone and one URL:
    Intranet Zone, https://Corporate.contoso.com: Windows claims, FBA claims and SAML claims, serving Employees, Vendors and Partners
  • Multi-Mode: When to use it
    Single experience for different class of users
    Single URL experience
    Partner collaboration sites
    Federation between two organizations
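The two zone layouts above (multi-mode on one URL, mixed-mode on one URL per provider), as an added PowerShell example that is not part of the slides: the Default zone gets both the Windows and the FBA provider, and the same content is then extended to an Extranet zone that only knows FBA. The managed account, URLs, database name and the provider names SQLmembership/SQLrolemanager are assumptions; the provider names must match the entries already present in web.config.

```powershell
# Added example (not from the slides): one claims-based web application whose
# Default zone is multi-mode (Windows + FBA at a single URL) and whose Extranet
# zone is mixed-mode (FBA only, on its own HTTPS URL).
# Assumptions: managed account, URLs, database name and the provider names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$poolAccount    = Get-SPManagedAccount "CONTOSO\sp_webapp"   # assumed managed account
$memberProvider = "SQLmembership"                            # must match <membership><providers> in web.config
$roleProvider   = "SQLrolemanager"                           # must match <roleManager><providers> in web.config

# One SPAuthenticationProvider object per sign-in method.
$winClaims = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$fbaClaims = New-SPAuthenticationProvider -ASPNETMembershipProvider $memberProvider `
                                          -ASPNETRoleProviderName $roleProvider

# Multi-mode: both providers on the Default zone. Passing -AuthenticationProvider
# is what makes the web application claims-based rather than classic.
New-SPWebApplication -Name "Corporate" -ApplicationPool "CorporateAppPool" `
    -ApplicationPoolAccount $poolAccount `
    -Url "https://corporate.contoso.com" -Port 443 -SecureSocketsLayer `
    -HostHeader "corporate.contoso.com" `
    -AuthenticationProvider $winClaims, $fbaClaims `
    -DatabaseName "WSS_Content_Corporate" | Out-Null

# Mixed-mode: extend the same content to an Extranet zone that only has the
# FBA provider, so remote users never hit the Windows (NTLM/Basic) prompt.
$wa = Get-SPWebApplication "https://corporate.contoso.com"
New-SPWebApplicationExtension -Identity $wa -Name "Corporate - Extranet" `
    -Zone Extranet -Url "https://extranet.contoso.com" -Port 443 -SecureSocketsLayer `
    -HostHeader "extranet.contoso.com" `
    -AuthenticationProvider $fbaClaims | Out-Null

# Verify which claims providers each zone ended up with.
$wa = Get-SPWebApplication "https://corporate.contoso.com"
foreach ($zone in $wa.IisSettings.Keys) {
    $names = $wa.IisSettings[$zone].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }
    "{0,-9} {1}" -f $zone, ($names -join ", ")
}
```

Each zone is a separate IIS site with its own web.config, so the membership and role provider entries have to exist in the web.config of every FBA zone, plus the SecurityTokenService application and Central Administration, before FBA sign-in works. Two HTTPS sites on port 443 also need distinct IP addresses or SSL host-header bindings with a matching certificate, which this script does not configure.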
  • ASP.NET Providers
    Microsoft provides several OOTB providers
    Active Directory
    LDAP
    ASP.NET SQL Database
    ADFS (WebSSO)
    You can write your own too!
    Added in web.config files
    <system.web>
      <membership>
        <providers>
          <add … />
        </providers>
      </membership>
    </system.web>
  • Active Directory Membership Provider
    <add name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnection"
         connectionUsername="domainaccount"
         connectionPassword="password"
         attributeMapUsername="SAMAccountName" />
    <connectionStrings>
      <add name="ADConnection" connectionString="LDAP://DomainController.local/DC=DomainController,DC=local" />
    </connectionStrings>
    Note: no role provider seems to be available…
    Note: connectionUsername/connectionPassword are stored in clear text in web.config; use a least-privilege, read-only directory account and restrict access to (or encrypt) the file
  • LDAP Membership Provider/Role Manager
    <add name="LDAPmembership"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="redmond.corp.microsoft.com" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
         userContainer="OU=UserAccounts,DC=redmond,DC=corp,DC=microsoft,DC=com"
         userObjectClass="person" userFilter="(&amp;(ObjectClass=person))" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
    <add name="LDAProlemanager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="redmond.corp.microsoft.com" port="389" useSSL="false"
         groupContainer="DC=redmond,DC=corp,DC=microsoft,DC=com"
         groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
         groupFilter="(&amp;(ObjectClass=group))" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" />
    Note: Only available with MOSS 2007 or SP Server 2010 (not WSS 3.0/SP Foundation 2010)
  • ASP.NET DB Membership Provider
    <add name="SQLmembership"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="FBAConnectionStr"
         enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true"
         passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" />
    <add name="SQLrolemanager"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="FBAConnectionStr" applicationName="/" />
    <connectionStrings>
      <add name="FBAConnectionStr" connectionString="server=yourserver;database=aspnetdb;Trusted_Connection=True" providerName="" />
    </connectionStrings>
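The provider registration shown on the ASP.NET Providers and SQL provider slides has to be repeated in several web.config files. The following PowerShell script is an added example, not part of the slides or of XtraShare: it inserts the SQL membership/role provider entries and the connection string into the web.config of every zone of the web application, of Central Administration and of the SecurityTokenService application, skipping entries that already exist. The web application URL, SQL Server name and provider names are assumptions.

```powershell
# Added example (not from the slides): add the SQL membership/role provider
# entries to every web.config an FBA zone needs: each zone of the web
# application, Central Administration and the SecurityTokenService application.
# Assumptions: web application URL, SQL Server name, provider names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$connName = "FBAConnectionStr"
$connStr  = "server=sqlserver01;database=aspnetdb;Trusted_Connection=True"   # assumed SQL Server

# maxInvalidPasswordAttempts/passwordAttemptWindow provide the account lockout
# the slides list as an extranet requirement; passwords are stored hashed.
$providerXml = @{
    membership  = @"
<add name="SQLmembership" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="$connName" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" />
"@
    roleManager = @"
<add name="SQLrolemanager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="$connName" applicationName="/" />
"@
}

function Add-FbaProviders([string]$configPath) {
    Copy-Item $configPath "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    [xml]$cfg = Get-Content $configPath
    $root = $cfg.configuration

    # <connectionStrings> sits directly under <configuration>
    $cs = $root.SelectSingleNode("connectionStrings")
    if (-not $cs) { $cs = $root.AppendChild($cfg.CreateElement("connectionStrings")) }
    if (-not $cs.SelectSingleNode("add[@name='$connName']")) {
        $add = $cfg.CreateElement("add")
        $add.SetAttribute("name", $connName)
        $add.SetAttribute("connectionString", $connStr)
        $add.SetAttribute("providerName", "System.Data.SqlClient")
        $cs.AppendChild($add) | Out-Null
    }

    # <membership> and <roleManager> live under <system.web>; SharePoint's own
    # claims providers ("i"/"c") and defaultProvider attributes are left untouched.
    $sw = $root.SelectSingleNode("system.web")
    if (-not $sw) { $sw = $root.AppendChild($cfg.CreateElement("system.web")) }
    foreach ($sectionName in $providerXml.Keys) {
        $section = $sw.SelectSingleNode($sectionName)
        if (-not $section) {
            $section = $sw.AppendChild($cfg.CreateElement($sectionName))
            if ($sectionName -eq "roleManager") { $section.SetAttribute("enabled", "true") }
        }
        $providers = $section.SelectSingleNode("providers")
        if (-not $providers) { $providers = $section.AppendChild($cfg.CreateElement("providers")) }
        $newName = ([xml]$providerXml[$sectionName]).add.name
        if (-not $providers.SelectSingleNode("add[@name='$newName']")) {
            $frag = $cfg.CreateDocumentFragment()
            $frag.InnerXml = $providerXml[$sectionName]
            $providers.AppendChild($frag) | Out-Null
        }
    }
    $cfg.Save($configPath)
}

# The three places: every zone of the web application, Central Administration,
# and the STS (a fixed path under the SharePoint root).
$wa = Get-SPWebApplication "https://extranet.contoso.com"
$ca = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$dirs  = @($wa.IisSettings.Values | ForEach-Object { $_.Path.FullName })
$dirs += @($ca.IisSettings.Values | ForEach-Object { $_.Path.FullName })
$dirs += Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken"
foreach ($dir in $dirs) { Add-FbaProviders (Join-Path $dir "web.config") }
```

web.config edits are local to one server, so the script has to run on every web front end and on the Central Administration server; SPWebConfigModification would propagate the web application entries across the farm but does not cover the STS or Central Administration files. With Trusted_Connection=True, the application pool identities of the web application, the STS and Central Administration each need a login on aspnetdb with the aspnet_Membership_* and aspnet_Roles_* roles that aspnet_regsql creates.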
  • ADFS Membership Provider
    <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  • Challenges in extranet scenarios
    Graceful, branded login page
    Ability to delegate user management
    To business users or external users
    Self-service capability
    Password reminder, password reset, profile management
    Registration forms
    Activation links, Captcha, etc…
    Automated Notifications
    Account Lockout mechanism
    Identity Confidentiality
  • Windows Claims in Extranet Scenarios
    Pros
    OOTB Support in SharePoint
    Security
    Cons
    Separate AD/network/farm for extranet
    Managed by IT (not business users)
    No OOTB Self-Service Capability
    No OOTB User Management Delegation
    Requires ASP.NET AD Provider (or FIM 2010) to avoid the dreaded Basic Authentication Prompt
  • FBA Claims in Extranet Scenarios
    Pros
    Lightweight footprint on infrastructure
    Flexibility (development)
    Cons
    Many manual configuration steps
    3 web.config files to update… at least!
    Hard to troubleshoot
    Steve Peschka on the MS SharePoint blog: “Admittedly, there are many steps involved in configuring multiple authentication providers for SharePoint”
    No OOTB Full Name Resolution
    No Self-Service Capability/Delegated Administration…
  • Trusted Provider Claims in Extranet Scenarios
    Pros
    Easier configuration
    Reusability (across other applications)
    It’s the future of authentication
    OpenID/OAuth…
    Cons
    New technology, so skilled resources are scarce
    Development complexity
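What "trusted provider claims" looks like in practice, as an added PowerShell example that is not part of the slides: an external SAML 1.1 identity provider (ADFS 2.0 in this example) is registered as a trusted identity token issuer, attached to a zone next to the existing Windows provider, and a role claim it issues is turned into a principal that can be granted permissions. The certificate path, URLs, realm and claim types are assumptions.

```powershell
# Added example (not from the slides): register an external SAML identity
# provider as a trusted identity token issuer and use one of its claims for
# authorization. Certificate path, URLs, realm and claim choices are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Token-signing certificate exported from the IdP (public key only). This trust
# is the security boundary: any token signed by this key is accepted as-is.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "Contoso ADFS Token Signing" -Certificate $cert | Out-Null

# Claim mappings: what the IdP sends and how SharePoint exposes it.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# The identifier claim becomes the user's identity in SharePoint: it must be
# unique, stable and controlled by the IdP (e-mail address here).
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Contoso ADFS" `
    -Description "Partner sign-in through ADFS 2.0" `
    -Realm "urn:sharepoint:corporate" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://adfs.contoso.com/adfs/ls/" `
    -IdentifierClaim $emailMap.InputClaimType

# Add the SAML provider to the Default zone without dropping the Windows one:
# -AuthenticationProvider replaces the zone's whole provider list.
$wa = Get-SPWebApplication "https://corporate.contoso.com"
$winClaims  = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$samlClaims = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $winClaims, $samlClaims

# Authorize on a role claim rather than per user: the encoded form can be
# granted permissions in a site like any other account.
$partnerRole = New-SPClaimsPrincipal -ClaimValue "Partners" -ClaimType $roleMap.InputClaimType `
    -TrustedIdentityTokenIssuer $issuer
$partnerRole.ToEncodedString()
```

The -Realm value must match the relying party identifier configured on the IdP side, and the IdP must be set up to emit the mapped claims for this relying party. Because SharePoint 2010 has no directory to ask about SAML users, the People Picker accepts any typed value for a trusted provider claim without validation unless a custom claims provider is written; granting permissions to role claims, as above, keeps that from becoming an authorization mistake.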
  • Extranet Best Practices
    Branded sites
    Use an anonymous top-level site collection with a custom login web part
    Secure content in sub-sites or, even better, in separate site collections
    User Multi-Tenancy
    Do NOT use sub-sites
    The User Information List lives at the site collection level and is exposed through the People Picker to ALL users of that site collection, so partners sharing one site collection can enumerate each other's users
    Use one site collection per external organization
    Implement a filtering mechanism in the People Picker control
    For AD: stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv "<LDAP filter>" -url <web application URL>
    For an ASP.NET Membership Provider: custom filtering in the Find…() methods
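The multi-tenancy practice above (one site collection per partner, plus a People Picker restriction), as an added PowerShell example that is not part of the slides: it provisions a site collection per partner organisation and then limits the web application's People Picker to an extranet AD group and to users already present in the current site collection. The web application URL, partner names, owner accounts and the group DN are assumptions.

```powershell
# Added example (not from the slides): one site collection per partner
# organisation plus People Picker restrictions, so users of one partner cannot
# browse the other partners' accounts. URL, partner names, owner accounts and
# the AD group DN are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication "https://extranet.contoso.com"

# Site collection per external organisation (not sub-sites: sub-sites share the
# parent site collection's User Information List). Owners are FBA claims users
# in the encoded form i:0#.f|<membership provider name>|<login>.
$partners = @(
    @{ Name = "Fabrikam"; Owner = "i:0#.f|sqlmembership|fabrikam.admin" },
    @{ Name = "Litware";  Owner = "i:0#.f|sqlmembership|litware.admin" }
)
foreach ($p in $partners) {
    $url = "$($wa.Url)sites/$($p.Name.ToLower())"
    if (-not (Get-SPSite $url -ErrorAction SilentlyContinue)) {
        New-SPSite -Url $url -OwnerAlias $p.Owner -Name "$($p.Name) extranet" -Template "STS#0" | Out-Null
    }
}

# People Picker: only return AD accounts that belong to the extranet group
# (same setting as stsadm -o setproperty -pn peoplepicker-searchadcustomquery),
# and only resolve users already present in the current site collection
# (stsadm -o setproperty -pn peoplepicker-onlysearchwithinsitecollection -pv yes).
$pp = $wa.PeoplePickerSettings
$pp.ActiveDirectoryCustomQuery = "(memberOf=CN=Extranet Users,OU=Groups,DC=contoso,DC=com)"   # assumed group DN
$pp.OnlySearchWithinSiteCollection = $true
$wa.Update()

# Read the settings back.
$wa = Get-SPWebApplication "https://extranet.contoso.com"
$wa.PeoplePickerSettings | Select-Object ActiveDirectoryCustomQuery, OnlySearchWithinSiteCollection
```

The AD custom query only filters accounts resolved from Active Directory; FBA users are still listed by the membership provider, which is why the slide points to custom filtering in the provider's Find…() methods. With OnlySearchWithinSiteCollection on, a user who is not yet in a site collection cannot be found through the picker, so the first addition has to come from an administrator (New-SPUser or Set-SPUser) or from a self-registration page.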
  • Setting up a SharePoint Extranet is complex…
  • …but XtraShare delivers SharePoint Extranets for the Masses!
  • XtraShare for SharePoint
    A fully-packaged,
    tightly integrated extranet enablement solution
    for companies of all sizes
  • A Fully Packaged Solution
    Key Automation Benefits
    • Delivering on the Promise
    • Technical expertise is no longer needed
    • Point-and-click installer
    • Full Automation
    • Administration Site provisioned at installation time
    • Creates the user store (SQL DB) from the SharePoint UI
    • Complex modifications of configuration files
    • CBA web application configuration
    • Web Parts deployment
    • Adds a Login Web Part on home page for anonymous sites
  • A Tightly Integrated Solution: Key Architectural Features
    • Fully built on .NET and SharePoint features
    • Management site integrated in SharePoint Central Administration
    • Configuration, FBA activation, user/group management
    • Site template for delegated user management
    • Web Parts for login, self-registration, password reset, password reminder, profile management
  • Opening the Door to New Usages: Scenarios made possible by XtraShare
    • Customer and Partner Extranet Sites
    • Credential Notifications (Email Templates)
    • User-to-SPGroup Assignment (Drag’n’Drop TreeView)
    • Mass import/update of users (Object Model)
    • Anonymous Internet Sites
    • Extensible Self-Registration w/ Captcha
    • Default Group Assignment
    • Password Change/Password Reminder
    • Social Networking/Community Sites
    • Delegated Administration
    • Multi-Tenancy
  • DEMO
    (the slide links to a demo video)
  • Deciphering the XtraShare “Magic”: Inside the XtraShare Installer
    Installation of 3 SharePoint Solutions
    Administration, End-User Web Parts, Site Templates
    Deployment of membership/role providers to GAC
    Creation of Administration Site
    Central Administration CBA readiness
    Web.config modifications to support membership/role providers
    SiteMap Update of Central Administration
    Modification of admin.sitemap for easy navigation
    Resource Files Deployment
    Deployed to CA App_GlobalResources folder
  • Partner Opportunities
    How to customize XtraShare
    Object Model/Web Service to interact with the XtraShare objects (users/groups…)
    Full source code of Web Parts provided upon request
    Extensible Event Trigger Mechanism
    Useful to implement registration workflows
  • Thanks to…
    Brian Culver’s Extranet presentation
    http://www.slideshare.net/bculver/sharepoint-2010-extranets-and-authentication-how-will-sharepoint-2010-connect-you-to-your-partners
    SharePoint 2010 Unleashed (by Michael Noel)
    http://www.amazon.com/Microsoft-SharePoint-2010-Unleashed-Michael/dp/0672333252
    Windows Identity Foundation Training Kit
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0
    Extranet Topologies for SharePoint 2010:
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=EB4BFF25-BABA-4112-B518-F2FC442D5467
  • References
    An Introduction to Claims
    http://msdn.microsoft.com/en-us/library/ff359101.aspx
    Windows Identity Foundation
    http://msdn.microsoft.com/en-us/security/aa570351.aspx
    Plan authentication methods (SP 2010)
    http://technet.microsoft.com/en-us/library/cc262350.aspx
  • If you want to know more…
    Contact us at info@rl-soft.com
    Download and evaluate XtraShare at http://www.rl-soft.com