Identity Management in SharePoint 2013
In this session we will go through new and extended functions in the User Profile area. We will cover the planning and implementation from the organizational to the technical perspective, not only in theory but also in the live demo.

Aleksandar Drašković

Presentation Transcript

  • Identity Management in SharePoint 2013. Aleksandar Drašković, MCM SharePoint 2010. SharePoint and Project Conference Adriatics 2013, Zagreb, November 27-28 2013
  • Sponsors
  • Aleksandar Drašković, Solution Architect
    • Microsoft Certified Master for SharePoint 2010
    • Over 6 years in SharePoint business
    • Over 15 years in the Enterprise IT
    • Expertise in various other products and technologies: Active Directory, Exchange, TMG / UAG, etc.
  • Agenda
    • Identity Management
    • User Profile Service
    • User Profile Synchronization
    • Approach for a successful implementation
  • IDENTITY MANAGEMENT
  • Identity management
    • Handling user profiles is not only about configuring SharePoint
    • Work with and talk to the administrators of the identity management system
    • Most of the time identity management is not really a technical challenge; it is often more a political one
    • Improper handling might break the social networking functionality in the SharePoint environment
  • Data quality
    • Who is the owner of the data?
    • Can we get the necessary data?
    • Is the data up to date?
  • Connect to the data
    • Are the IDM systems accessible?
    • How can we connect to the IDM system?
    • Do we have to connect to any other external system?
    • Are we able to write back information to the IDM system?
  • USER PROFILE SERVICE
  • User Profile Service in SharePoint 2013
    • Important for all social features, Workflow Manager 1.0 (SharePoint 2013 Workflows), the Translation Service Application and the Work Management Service
    • Needs an associated Managed Metadata Service Application
  • Databases
    • Profile Database: user profile data, activities, audiences
    • Social Database: social data, e.g. ratings, tags and comments
    • Sync Database
  • Create a User Profile Service Application
    • Think about how to handle the site names for the My Content sites of the users
    • Create the My Site host and check the Managed Path for the My Content sites
    • Do not use more than one User Profile Service Application in your farm
    • As a best-practice approach, use PowerShell scripting to create the User Profile Service Application, but be aware of the database schema
  • Active Directory import
    • One-way: no write-back to Active Directory, no BCS connections for synchronization
    • Very fast: it is just an import from Active Directory to SharePoint, due to the direct connection to Active Directory
    • Only connections to Active Directory
  • User Profile Synchronization
    • Set the "Replicating Directory Changes" permission
    • Configure synchronization settings
    • Configure synchronization connection(s)
    • Start a synchronization
    • Configure incremental synchronization
  • APPROACH FOR THE SUCCESSFUL IMPLEMENTATION
  • Start of the implementation process: sit down and THINK!
    • Think about the source system and source information
    • Think about how the data should be represented in SharePoint
    • Think about writing data back
    • Think about operating the profile synchronization
  • Configure and start UPA
    • Prerequisites: have the Managed Metadata Service Application up and running
    • PowerShell: use a PowerShell script to configure and start the User Profile Service Application
    • Separate: separate adding and starting the User Profile Service Application from configuring and starting synchronization
    • Test: test this step before the synchronization is configured and started
  • Set permissions
    • Replicating Directory Changes: set the "Replicating Directory Changes" permission for the sync account in the domain
    • Local Administrator: make the farm account a local administrator on the machine where the synchronization should be started
    • Write back: set the "Create Child Objects" and "Write All Properties" permissions for the sync account when write back is necessary
    • Reboot: reboot the machine that was chosen as the sync host, so that the new permissions become active
  • Domain permissions
    • Replicating Directory Changes: must be set in the domain, no matter which Windows version the domain controller is using
    • Windows 2003 domain controller: grant the Replicating Directory Changes permission to the synchronization account on the cn=configuration container
    • Need to export to Active Directory: grant the synchronization account the Create Child Objects and Write All Properties permissions on the organizational unit you are synchronizing
    • NetBIOS domain name not FQDN: add the synchronization account to the Pre-Windows 2000 Compatible Access group
  • Optional: NetBIOSDomainNamesEnabled
    • Necessary when the NetBIOS name of the domain is not equal to the fully qualified domain name
    • Example: fully qualified domain name corporation.int, NetBIOS domain name CORP
  • Configure and start UPS
    • PowerShell: use a PowerShell script to configure and start the User Profile Synchronization Service
    • Use farm account: log in as the farm account before you try to start the synchronization
    • Run as Administrator: run the SharePoint Management Shell as Administrator
    • Be patient: even under normal circumstances this operation might take some time
  • Profile properties and timer job
    • Configure any additional profile properties you need
    • Configure export of profile properties if necessary (remember the "Create Child Objects" permission)
    • Use Central Administration to configure the synchronization connection, not the PowerShell cmdlets
    • Configure all necessary connections
  • Profile properties and timer job (contd.)
    • From Central Administration run a full synchronization
    • Set the interval in which the incremental sync should run
    • Demote the farm account from the local admin role on the sync host
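The implementation steps above (domain permissions, temporary local admin rights, creating the User Profile Service Application separately from provisioning the synchronization service, demoting the farm account afterwards), written out as one PowerShell script. This is an added example, not a script from the presentation or its author. It assumes the deck's example domain corporation.int with NetBIOS name CORP, and it makes up the sync account CORP\svc_upsync, the farm account CORP\svc_spfarm, the OU, database and My Site host names; the SetSynchronizationMachine() call in step 4 is the server object model method as the example's author recalls it and should be verified against your build.

```powershell
# Added example (not from the presentation). Assumptions: domain corporation.int / NetBIOS CORP
# (from the deck), sync account CORP\svc_upsync and farm account CORP\svc_spfarm (made up here),
# this server is the intended sync host, OU/database/My Site host names are placeholders.

# --- 1. Domain permissions (run as a domain admin on a machine with the AD DS tools) ---
# "Replicating Directory Changes" is a control access right ("CA") on the domain naming context:
dsacls "DC=corporation,DC=int" /G "CORP\svc_upsync:CA;Replicating Directory Changes"
# Only when a Windows Server 2003 domain controller is in the domain: same right on cn=configuration
dsacls "CN=Configuration,DC=corporation,DC=int" /G "CORP\svc_upsync:CA;Replicating Directory Changes"
# Only when profile properties are exported back to AD: Create Child (CC) and Write Property (WP)
# on the synchronized OU, inherited to its children (/I:T). Least privilege: scope it to that OU only.
dsacls "OU=Staff,DC=corporation,DC=int" /I:T /G "CORP\svc_upsync:CCWP"
# Only when NetBIOS name and FQDN differ: membership in Pre-Windows 2000 Compatible Access
net group "Pre-Windows 2000 Compatible Access" svc_upsync /add /domain

# --- 2. Sync host: farm account temporarily local admin, then reboot so the new token applies ---
net localgroup Administrators CORP\svc_spfarm /add
# Restart-Computer here, then continue with step 3 logged in as CORP\svc_spfarm, shell elevated

# --- 3. Create the farm's single User Profile Service Application (not the Farm Configuration Wizard) ---
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = Get-SPManagedAccount "CORP\svc_spfarm"
$appPool = Get-SPServiceApplicationPool "UPA App Pool" -ErrorAction SilentlyContinue
if (-not $appPool) {
    $appPool = New-SPServiceApplicationPool -Name "UPA App Pool" -Account $farmAccount
}

$upa = New-SPProfileServiceApplication -Name "User Profile Service Application" `
    -ApplicationPool $appPool `
    -ProfileDBName "SP2013_Profile" `
    -SocialDBName "SP2013_Social" `
    -ProfileSyncDBName "SP2013_Sync" `
    -MySiteHostLocation "https://mysites.corporation.int"

New-SPProfileServiceApplicationProxy -Name "User Profile Service Application Proxy" `
    -ServiceApplication $upa -DefaultProxyGroup

# NetBIOS name (CORP) differs from the FQDN (corporation.int): enable NetBIOS domain names
$upa.NetBIOSDomainNamesEnabled = $true
$upa.Update()

# Start the User Profile Service instance on this server; verify this step before going on
$server = Get-SPServer $env:COMPUTERNAME
Get-SPServiceInstance -Server $server |
    Where-Object { $_.TypeName -eq "User Profile Service" } |
    Start-SPServiceInstance -Confirm:$false

# --- 4. Separately, after step 3 is verified: provision the User Profile Synchronization Service ---
# SetSynchronizationMachine(host, serviceInstanceId, account, password) binds the sync service
# instance to this host and stores the farm account that FIM runs under (assumed method signature).
$syncService = Get-SPServiceInstance -Server $server |
    Where-Object { $_.TypeName -eq "User Profile Synchronization Service" }
$farmPassword = Read-Host "Password for CORP\svc_spfarm"
$upa.SetSynchronizationMachine($server.Address, $syncService.Id, "CORP\svc_spfarm", $farmPassword)

# "Be patient": poll until the instance is Online instead of assuming success
while ((Get-SPServiceInstance -Identity $syncService.Id).Status -ne "Online") {
    Start-Sleep -Seconds 30
}

# --- 5. After connections are configured and the first full sync ran from Central Administration ---
net localgroup Administrators CORP\svc_spfarm /delete
```

Steps 3 and 4 are deliberately separate blocks, as the deck recommends: if step 3 fails, nothing FIM-related has been touched yet. The sync account in step 1 is a dedicated account, never the farm account, so that a compromise of the synchronization identity does not also yield farm-level rights.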
  • ADDITIONAL TIPS
  • Best practices
    • Clean up your directory service
    • Specify the domain controller to synchronize with
    • Make friends with the directory service administrator
    • Restart the sync service after installing updates
    • Check timer job settings
  • Troubleshooting
    • Check permissions: most problems when deploying user profile synchronization are caused by wrong permission settings
    • Event Log: the Windows Event Log might contain additional information about what is going wrong
    • ULS Log: use the ULS logs (in conjunction with a ULS Viewer) to find proper error messages
    • MIISClient: use C:\Program Files\Microsoft Office Servers\15.0\Synchronization Service\UIShell\miisclient.exe on the synchronization host to see FIM messages
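The four troubleshooting checks above (permissions, service state, Windows Event Log, ULS log), as a read-only PowerShell script for the sync host. This is an added example, not from the presentation. It assumes the deck's domain corporation.int, a made-up sync account CORP\svc_upsync, that the FIM synchronization service logs to the Application log under the source name FIMSynchronizationService, and that "User Profiles" is the ULS category to filter on; all four are assumptions to verify in your environment.

```powershell
# Added troubleshooting checks (not from the presentation). Assumptions: domain corporation.int,
# sync account CORP\svc_upsync, FIM event source "FIMSynchronizationService", ULS category "User Profiles".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Permissions: does the sync account hold "Replicating Directory Changes" on the domain root?
#    dsacls without /G only prints the ACL; the right may be printed on the line after the trustee.
$aclText = (dsacls "DC=corporation,DC=int") -join "`n"
$pattern = [regex]::Escape("CORP\svc_upsync") + "[^\n]*\n?[^\n]*Replicating Directory Changes"
if ($aclText -notmatch $pattern) {
    Write-Warning "CORP\svc_upsync lacks Replicating Directory Changes on DC=corporation,DC=int"
}

# 2. Service state: both UPS-related service instances and the server each is bound to
Get-SPServiceInstance |
    Where-Object { $_.TypeName -like "User Profile*" } |
    Select-Object TypeName, Status, @{ n = "Server"; e = { $_.Server.Address } }

# 3. Windows Event Log: the last FIM messages on this host
Get-WinEvent -FilterHashtable @{ LogName = "Application"; ProviderName = "FIMSynchronizationService" } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, LevelDisplayName, Message

# 4. ULS log: high-level User Profiles entries of the last 30 minutes, merged from all farm servers
Merge-SPLogFile -Path "$env:TEMP\ups-last30min.log" -Category "User Profiles" -Level High `
    -StartTime (Get-Date).AddMinutes(-30)
```

The script changes nothing: in line with the "never do" list that follows, it reads FIM state through the SharePoint cmdlets and the event log rather than touching the FIM services or the MIISClient.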
  • A couple of things you should never do...
    • Use the Farm Configuration Wizard to configure and start the User Profile Service Application in STAGE and PROD environments
    • Start or stop the FIM services manually
    • Make any changes to the FIM services using the services applet
    • Use the MIISClient to make any changes
    • Use the farm account as the synchronization account
  • Summary
    • Identity Management: is the starting point for the implementation of the User Profile Synchronization
    • User Profile Service Application: depends on the Managed Metadata Service Application and is necessary for a lot of services and functionalities in SharePoint 2013
    • User Profile Synchronization: all in all a straightforward process, but depends on the correct permission settings and the account you are using to activate synchronization
    • Best practices
  • Questions? WWW.ADRIT.DE/BLOG @ADRASKOVIC
  • Thank you. SharePoint and Project Conference Adriatics 2013, Zagreb, November 27-28 2013