
How to deploy SharePoint 2010 to external users?



A presentation about all the different aspects to be aware of when deploying SharePoint 2010 as an extranet platform, as well as the available options for network topologies and authentication methods.

Published in: Technology


  1. How to deploy SharePoint to Extranet Users?
     Raphael Londner, Silicon Valley SharePoint User Group, 02/10/2011

  2. Who am I?
     © RL Soft 2011
     SharePoint, .NET, SQL Server, AD… since 2001
     Founder of RL Soft
     @rlondner

  3. Agenda
     Definition and Scenarios
     Extranet Network Topologies
     Identity Management in SharePoint
     Claims-Based Authentication
     SharePoint 2010 Authentication Options
     XtraShare for SharePoint Highlight
     (Slides 4, 8, 12, 18, 28 and 46 repeat this agenda as section dividers.)

  5. Extranet - Definition
     A web application shared with external users, such as partners, vendors, customers, community users, industry peers…
     Typical attributes of an extranet:
     - Requires authenticated access, but the identity of the user is not always known
     - Has stronger security controls than an Internet web site, but is usually less secure than an intranet

  6. Common Extranet Scenarios
     Application types: Line of Business Applications, Collaboration, Static Content or Publishing
     Remote Employees
     Partners
     - Isolate and segregate data
     - Authorize users to access only the sites and data that are necessary for their contributions
     - Restrict partners from viewing other partners' data
     Community Sites
     - Foster a community of users with shared interests
     - Allow users to register
     - Self-service tools (password reminder, profile update…)
     - Delegate user administration

  7. Extranet Design Considerations
     Network Topologies
     Identity Management
  9. Edge Firewall Topology
     Pros: least amount of hardware, software and configuration; single point of data
     Cons: a single firewall between the corporate network and the Internet

 10. Back-to-back Perimeter
     Pros: isolated extranet farm; external user access is confined to the perimeter network
     Cons: additional network infrastructure, hardware, software licenses…

 11. Split back-to-back Perimeter
     Pros: single SQL Server store; application servers (only) stay in the corporate network
     Cons: increased complexity (domain trusts across the perimeter…)
 13. Terminology
     Authentication: creates an identity for a security principal (Who am I?)
     Authorization: determines which resources a user has access to (What can I access?)
     SharePoint does not authenticate but does authorize: authentication is delegated to IIS/Windows, an ASP.NET provider or a trusted STS
     SharePoint creates user profiles (SPUser), stored in the User Information List at the site collection level

 14. SharePoint 2001
     Windows Server 2000 / IIS 5.0, ASP 3.0
     Windows Authentication (Active Directory)

 15. SharePoint 2003
     Windows Server 2003 / IIS 6.0, ASP.NET 1.1 (2.0 with SP1)
     Windows Authentication (Active Directory)

 16. SharePoint 2007
     Windows Server 2003/2008, IIS 6.0/7.0, ASP.NET 2.0
     Windows Authentication (Active Directory)
     Forms-Based Authentication (FBA): allows users to connect through a web form; ASP.NET 2.0 Membership Provider / Role Manager; can authenticate users against "any" user store: Web SSO (ADFS), LDAP, SQL…
     One authentication method per SharePoint zone

 17. SharePoint 2010
     Windows Server 2008/2008 R2, IIS 7.0/7.5, ASP.NET 3.5
     Windows Authentication (AD)
     Claims-Based Authentication (CBA): Windows Identity Foundation (WIF); multiple authentication methods per SharePoint zone (URL); standards-based (WS-Trust, WS-Federation, SAML); automatic, secure identity delegation
 19. What is Claims-Based Authentication?
     Your Applications Are Prisoners!
     (diagram: Login.aspx and Page1.aspx tied directly to credential stores, credential types / APIs and user attribute stores)

 20. Identity in Real Life
     (diagram: authentication is externalized; the application gets user info from the document it is handed)

 21. Claims Can Set Your Applications Free
     (diagram: an Identity Provider with its STS issues claims in a Security Token to the Relying Party)

 22. CLAIMS DEMO
     (a link to a YouTube video; the link is not preserved in this transcript)

 23. CBA Terminology
     Identity: security principal used to configure the security policy
     Claim (assertion): attribute of an identity (such as login name, first name, gender, age, etc.)
     Issuer: trusted party that creates claims
     Security Token: serialized set of claims (assertions) about an authenticated user
     Issuing Authority: issues security tokens knowing the claims desired by the target application (AD, ASP.NET, Live ID, etc.)
     Security Token Service (STS): builds, signs and issues security tokens
     Relying Party: application that makes authorization decisions based on claims

 24. SharePoint 2007 – Identity Flow / SharePoint 2010 – Identity Flow
     (diagram, recoverable labels only)
     Authentication methods in both versions: Windows, ASP.NET (FBA), SAML Web SSO
     SharePoint 2007: Windows integrated, Membership & Role Providers and WebSSO feed the web application directly; access control is roles-protected on a Windows identity; trusted sub-systems reach the content database
     SharePoint 2010: every method passes through WIF and the SharePoint STS (SP-STS); the web application and the Services Application Framework (service applications) are claims-aware and claims-protected, working on a claims-based identity

 25. Externalizing Authentication – Overview
     (diagram: Jill Frank; Fabrikam Enterprise, Farm-A with SharePoint web applications and the SharePoint-STS; a trust relationship between the farm and the identity provider)
     1. Attempt access
     2. Redirect to STS for authentication
        2.1 Authenticate user (Windows claims in the diagram)
        2.2 Augment claims
     3. Post token {SP-Token}
        3.1 Extract claims and construct IClaimsPrincipal

 26. Externalizing Authentication – In Detail
     (diagram; steps 1 to 7 are numbered but their order is not recoverable from the transcript)
     Client: browser
     IIS / ASP.NET: Windows Authentication Module, WS-Federation Authentication Module, WS-Federation Passive Serializer, Session Authentication Module, Cookie Management
     SharePoint-STS: Security Token Service
     Web Application
     8. Cookie (the FedAuth session cookie returned to the browser)

 27. Claims-Based Authentication Process
     (diagram only; no text survives in the transcript)
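The sign-in sequence on slides 25 and 26, as an added example that is not part of the presentation and is not SharePoint or WIF code: a small Python model in which an identity-provider STS authenticates Jill and issues a signed token, and a relying party (standing in for the SharePoint web application plus SP-STS) validates it before constructing a principal and augmenting its claims. SharePoint 2010 exchanges signed SAML 1.1 tokens over WS-Federation; the model carries a base64url JSON body with an HMAC-SHA256 signature instead so that each check stays readable. The issuer name FabrikamSTS, the realm urn:contoso:extranet, the user record, the keys and the clock-skew value are constructed for the example.

```python
"""Model of the externalized sign-in flow on slides 25 and 26.

Added illustration, not code from the presentation, SharePoint or WIF.
Issuer name, realm, user records and signing keys are constructed.
"""
import base64
import hashlib
import hmac
import json

# Claim type URIs as used for SharePoint 2010 claim mappings (real identifiers).
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
CLOCK_SKEW = 300  # seconds of tolerance on the not-before time (assumed value)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProviderSts:
    """Step 2.1 on slide 25: authenticates the user and issues a signed token."""

    def __init__(self, name: str, key: bytes, users: dict):
        self.name, self._key, self._users = name, key, users  # upn -> (password, roles)

    def issue(self, upn: str, password: str, audience: str, now: float, ttl: int = 600) -> str:
        record = self._users.get(upn)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            raise PermissionError("authentication failed")
        body = {"iss": self.name, "aud": audience, "nbf": int(now), "exp": int(now) + ttl,
                "claims": {UPN: upn, ROLE: list(record[1])}}
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        return payload + "." + hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """The SharePoint web application plus SP-STS: steps 3 and 3.1 on slide 25."""

    def __init__(self, realm: str, trusted_issuers: dict, augment):
        self.realm = realm
        self._issuers = trusted_issuers  # issuer name -> signing key: the 'trust' arrow on the slide
        self._augment = augment          # step 2.2, claims augmentation: roles the application adds

    def accept(self, token: str, now: float) -> dict:
        """Validate a posted token and build the principal; raise ValueError on any failure."""
        try:
            payload, sig = token.split(".")
            body = json.loads(_unb64(payload))
        except ValueError as exc:
            raise ValueError("malformed token") from exc
        key = self._issuers.get(body.get("iss"))  # issuer is read only to pick the key
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")   # nothing in the body is trusted before this point
        if body.get("aud") != self.realm:
            raise ValueError("token issued for another realm")
        if not (body["nbf"] - CLOCK_SKEW <= now < body["exp"]):
            raise ValueError("token outside validity window")
        claims = body["claims"]
        roles = set(claims.get(ROLE, [])) | set(self._augment(claims[UPN]))
        return {"name": claims[UPN], "roles": roles}


def authorize(principal: dict, required_role: str) -> bool:
    """Slide 13: SharePoint authorizes; here a role claim gates the resource."""
    return required_role in principal["roles"]


def run_scenarios(now: float = 1_700_000_000.0) -> dict:
    """Happy path plus the rejections a relying party must produce."""
    sts = IdentityProviderSts("FabrikamSTS", b"fabrikam-signing-key",
                              {"jill@fabrikam.com": ("S3cret!", ["Partners"])})
    rp = RelyingParty("urn:contoso:extranet", {"FabrikamSTS": b"fabrikam-signing-key"},
                      augment=lambda upn: ["Extranet Visitors"] if upn.endswith("@fabrikam.com") else [])
    token = sts.issue("jill@fabrikam.com", "S3cret!", "urn:contoso:extranet", now)
    out = {"valid": sorted(rp.accept(token, now)["roles"]),
           "authorized": authorize(rp.accept(token, now), "Partners")}

    def rejection(tok: str, at: float = now) -> str:
        try:
            rp.accept(tok, at)
        except ValueError as exc:
            return str(exc)
        return "accepted"

    payload, sig = token.split(".")
    body = json.loads(_unb64(payload))
    body["claims"][ROLE].append("Farm Admins")   # privilege escalation attempt on a real token
    out["tampered"] = rejection(_b64(json.dumps(body, sort_keys=True).encode()) + "." + sig)
    out["expired"] = rejection(token, at=now + 601)
    out["wrong_realm"] = rejection(sts.issue("jill@fabrikam.com", "S3cret!", "urn:other", now))
    rogue = IdentityProviderSts("RogueSTS", b"rogue-key", {"jill@fabrikam.com": ("x", ["Farm Admins"])})
    out["untrusted"] = rejection(rogue.issue("jill@fabrikam.com", "x", "urn:contoso:extranet", now))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:12} {result}")
```

The order of checks is the point: the issuer name is read only to select a key, the signature is verified before any other field is believed, and the audience check is what stops a token the same identity provider issued to a different relying party from being replayed against the extranet. The augmentation step is where SP-STS adds claims the identity provider does not know about (SharePoint groups, for instance), which is why those must never come from the posted token itself.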
 29. Sign-In Methods
     Sign-in methods supported in SP 2010 (table):
     Classic mode: NT token (Windows identity) → SPUser
     Claims mode: NT token (Windows identity); SAML 1.1 (ADFS, custom, etc.); ASP.NET FBA (SQL, LDAP, custom…) → SAML token (claims-based identity) → SPUser

 30. Mixed-Mode Authentication
     Pros: automatic authentication (each zone carries one provider, so the URL selects it and users are never asked to choose)
     Cons: a separate URL per authentication provider

 31. Mixed-Mode Scenario
     (diagram: one web application, http://contoso)
     Intranet zone: Windows claims, for employees
     Extranet zone: FBA claims, for remote employees

 32. Mixed-Mode: When to use it
     Different protocols on different channels: intranet (HTTP), extranet (HTTPS)
     Isolation of authentication providers: dedicate the extranet zone to partners only
     Internet sites: a publishing portal authored by employees and consumed by customers

 33. Multi-Mode Authentication
     Pros: single URL
     Cons: users are prompted to pick the authentication type (the sign-in page lists the zone's providers)

 34. Multi-Mode Scenario
     (diagram: a single Intranet zone offering FBA claims, Windows claims and SAML claims to employees, vendors and partners)

 35. Multi-Mode: When to use it
     Single experience for different classes of users
     Single-URL experience
     Partner collaboration sites
     Federation between two organizations
 36. ASP.NET Providers
     Microsoft provides several OOTB providers: Active Directory, LDAP, ASP.NET SQL database, ADFS (WebSSO). You can write your own too!
     Added in web.config files:
       <system.web>
         <membership>
           <providers>
             <add … />
           </providers>
         </membership>
       </system.web>

 37. Active Directory Membership Provider
       <add name="ADMembershipProvider"
            type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            connectionStringName="ADConnection"
            connectionUsername="domainaccount" connectionPassword="password"
            attributeMapUsername="SAMAccountName" />
       <connectionStrings>
         <add connectionString="LDAP://DomainController.local/DC=DomainController,DC=local" name="ADConnection" />
       </connectionStrings>
     Note: no role provider seems to be available… (ASP.NET ships no Active Directory role provider; group-based authorization needs the LDAP role provider on the next slide or a custom one.)
     Note: the Version= values were stripped in this transcript; on .NET 3.5 System.Web is 2.0.0.0 and on SharePoint 2010 Microsoft.Office.Server is 14.0.0.0.
     Caveat: connectionUsername/connectionPassword put a service-account password in clear text in web.config. Omit both so the provider binds as the application pool identity, or encrypt the section with aspnet_regiis -pef on every web front end (with a shared RSA key container, since all front ends must read the same web.config).

 38. LDAP Membership Provider / Role Manager
       <add name="LDAPmembership"
            type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            server="" port="389" useSSL="false"
            userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
            userContainer="OU=UserAccounts,DC=redmond,DC=corp,DC=microsoft,DC=com"
            userObjectClass="person" userFilter="(&amp;(ObjectClass=person))"
            scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
       <add name="LDAProlemanager"
            type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
            server="" port="389" useSSL="false"
            groupContainer="DC=redmond,DC=corp,DC=microsoft,DC=com"
            groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName"
            groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
            groupFilter="(&amp;(ObjectClass=group))" userFilter="(&amp;(ObjectClass=person))"
            scope="Subtree" />
     Note: only available with MOSS 2007 or SharePoint Server 2010 (not WSS 3.0 / SharePoint Foundation 2010); server="" is left blank on the slide and must be set to the directory host.
     Caveat: port="389" with useSSL="false" means every login is a plain LDAP simple bind, so user passwords cross the network unencrypted; an extranet deployment should use port 636 with useSSL="true".

 39. ASP.NET DB Membership Provider
       <add name="SQLmembership"
            type="System.Web.Security.SqlMembershipProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            connectionStringName="FBAConnectionStr"
            enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true"
            passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" />
       <add name="SQLrolemanager"
            type="System.Web.Security.SqlRoleProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            connectionStringName="FBAConnectionStr" applicationName="/" />
       <connectionStrings>
         <add name="FBAConnectionStr" connectionString="server=yourserver;database=aspnetdb;Trusted_Connection=True" providerName="" />
       </connectionStrings>
     Note: passwordFormat="Hashed" with enablePasswordRetrieval="false" is the right pairing (ASP.NET refuses to start a provider that combines Hashed with retrieval); Trusted_Connection=True means the application pool account, not a SQL login, needs the aspnet_Membership_* and aspnet_Roles_* roles in aspnetdb.

 40. ADFS Membership Provider
       <add name="SingleSignOnMembershipProvider2"
            type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
            fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
     Note: this is the ADFS 1.x (Windows Server 2003 R2 / 2008) web agent provider; with ADFS 2.0 the trusted-provider SAML claims path on slide 44 replaces it.
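A check a practitioner would run over the fragments on slides 37 to 39, added here and not part of the presentation: a Python script that parses the provider and connection-string entries of a web.config and reports every setting that exposes credentials. The two web.config documents are constructed samples; WEAK_CONFIG mirrors the weak settings on the slides (clear-text service-account password, LDAP without SSL, a SQL provider storing clear passwords) and FIXED_CONFIG shows the corrected form. Treating a missing useSSL as false is an assumption made here; the slides set it explicitly.

```python
"""Audit of ASP.NET provider settings in a SharePoint web.config (slides 37 to 39).

Added example, not code from the presentation. Both documents below are constructed
samples: WEAK_CONFIG mirrors the slide fragments, FIXED_CONFIG the corrected form.
"""
import re
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADConnection" connectionString="LDAP://dc.contoso.local/DC=contoso,DC=local" />
    <add name="FBAConnectionStr" connectionString="server=sql01;database=aspnetdb;User ID=fba;Password=fba" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web"
             connectionStringName="ADConnection" connectionUsername="svc-fba" connectionPassword="password" />
        <add name="LDAPmembership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server"
             server="ldap.partner.example" port="389" useSSL="false" userNameAttribute="sAMAccountName" />
        <add name="SQLmembership" type="System.Web.Security.SqlMembershipProvider, System.Web"
             connectionStringName="FBAConnectionStr" enablePasswordRetrieval="true" passwordFormat="Clear" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

FIXED_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADConnection" connectionString="LDAP://dc.contoso.local/DC=contoso,DC=local" />
    <add name="FBAConnectionStr" connectionString="server=sql01;database=aspnetdb;Trusted_Connection=True" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web"
             connectionStringName="ADConnection" />
        <add name="LDAPmembership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server"
             server="ldap.partner.example" port="636" useSSL="true" userNameAttribute="sAMAccountName" />
        <add name="SQLmembership" type="System.Web.Security.SqlMembershipProvider, System.Web"
             connectionStringName="FBAConnectionStr" enablePasswordRetrieval="false" passwordFormat="Hashed" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# A SQL connection string carrying its own password, e.g. ";Password=" or ";pwd=".
_SECRET_IN_CONNSTR = re.compile(r"(?i)(^|;)\s*(password|pwd)\s*=")


def audit(web_config: str) -> list:
    """Return (entry name, finding) pairs for every credential-exposing setting."""
    findings = []
    for add in ET.fromstring(web_config).iter("add"):
        name = add.get("name", "?")
        if "connectionString" in add.attrib:
            if _SECRET_IN_CONNSTR.search(add.get("connectionString")):
                findings.append((name, "SQL password in clear text; use Trusted_Connection or protected configuration"))
            continue
        # "Namespace.Type, Assembly, Version=..." -> bare type name
        kind = add.get("type", "").split(",")[0].strip().rsplit(".", 1)[-1]
        if not kind.endswith("MembershipProvider"):
            continue  # role providers and unrelated <add> entries carry none of these settings
        if "connectionPassword" in add.attrib:
            findings.append((name, "service account password in clear text; omit it (bind as the app pool identity) or encrypt the section"))
        if kind == "LdapMembershipProvider" and add.get("useSSL", "false").lower() != "true":
            # assumed default of false when the attribute is absent; the slides set it explicitly
            findings.append((name, "useSSL is false: user passwords cross the network in a plain LDAP simple bind"))
        if kind == "SqlMembershipProvider":
            if add.get("passwordFormat", "Hashed") != "Hashed":  # Hashed is the ASP.NET default
                findings.append((name, f"passwordFormat={add.get('passwordFormat')}: passwords recoverable from aspnetdb"))
            if add.get("enablePasswordRetrieval", "false").lower() == "true":
                findings.append((name, "enablePasswordRetrieval=true: the provider hands passwords back to callers"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {len(audit(doc))} finding(s)")
        for entry, finding in audit(doc):
            print(f"  {entry}: {finding}")
```

Run it against each of the three web.config files slide 43 says FBA touches (the web application, Central Administration and the SecurityTokenServiceApplication), since the provider entries must be identical in all of them and a weak setting usually gets copied along.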
 41. Challenges in extranet scenarios
     Graceful, branded login page
     Ability to delegate user management to business users or external users
     Self-service capability: password reminder, password reset, profile management
     Registration forms: activation links, Captcha, etc.
     Automated notifications
     Account lockout mechanism
     Identity confidentiality

 42. Windows Claims in Extranet Scenarios
     Pros: OOTB support in SharePoint; security
     Cons: separate AD/network/farm for the extranet; managed by IT (not business users); no OOTB self-service capability; no OOTB user management delegation; requires the ASP.NET AD provider (or FIM 2010) to avoid the dreaded Basic Authentication prompt

 43. FBA Claims in Extranet Scenarios
     Pros: lightweight footprint on infrastructure; flexibility (development)
     Cons: many manual configuration steps (3 web.config files to update, at least: the web application, Central Administration and the SecurityTokenServiceApplication); hard to troubleshoot; no OOTB full name resolution; no self-service capability / delegated administration…
     Steve Peschka on the MS SharePoint blog: "Admittedly, there are many steps involved in configuring multiple authentication providers for SharePoint"

 44. Trusted Provider Claims in Extranet Scenarios
     Pros: easier configuration; reusability (across other applications); it's the future of authentication (OpenID/OAuth…)
     Cons: new technology → scarce skilled resources; development complexity

 45. Extranet Best Practices
     Branded sites
     - Use an anonymous top-level site collection with a custom login web part
     - Secure content in sub-sites or, even better, in separate site collections
     User multi-tenancy
     - Do NOT use sub-sites: the User Information List lives at site collection level and is always available in the People Picker control for ALL users, so one partner can enumerate another partner's users
     - Use one site collection per external organization
     - Implement a filtering mechanism in the People Picker control:
       for AD: stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv "<LDAP filter>" -url <web application URL>
       for an ASP.NET membership provider: custom filtering in the provider's Find…() methods (FindUsersByName, FindUsersByEmail)
 47. Setting up a SharePoint Extranet is complex…

 48. …but XtraShare delivers SharePoint Extranets for the Masses!

 49. XtraShare for SharePoint
     A fully-packaged, tightly integrated extranet enablement solution for companies of all sizes

 50. A Fully Packaged Solution: Key Automation Benefits
     Delivering on the Promise
     - Technical expertise is no longer needed
     - Point-and-click installer
     Full Automation
     - Administration site provisioned at installation time
     - Creates the user store (SQL DB) from the SharePoint UI
     - Complex modifications of configuration files
     - CBA web application configuration
     - Web Parts deployment
     - Adds a Login Web Part on the home page for anonymous sites
     - …

 51. A Tightly Integrated Solution: Key Architectural Features
     - Fully built on .NET and SharePoint features
     - Management site integrated in SharePoint Central Administration: configuration, FBA activation, user/group management
     - Site template for delegated user management
     - Web Parts for login, self-registration, password reset, password reminder, profile management

 52. Opening the Door to New Usages: Scenarios made possible by XtraShare
     Customer and Partner Extranet Sites
     - Credential notifications (email templates)
     - User-to-SPGroup assignment (drag'n'drop TreeView)
     - Mass import/update of users (object model)
     Anonymous Internet Sites
     - Extensible self-registration with Captcha
     - Default group assignment
     - Password change / password reminder
     Social Networking / Community Sites
     - Delegated administration
     - Multi-tenancy

 53. DEMO
     (a link; it is not preserved in this transcript)

 54. Deciphering the XtraShare "Magic": Inside the XtraShare Installer
     Installation of 3 SharePoint solutions: administration, end-user Web Parts, site templates
     Deployment of membership/role providers to the GAC
     Creation of the Administration Site
     Central Administration CBA readiness: web.config modifications to support the membership/role providers
     SiteMap update of Central Administration: modification of admin.sitemap for easy navigation
     Resource files deployment: deployed to the CA App_GlobalResources folder

 55. Partner Opportunities: How to customize XtraShare
     Object model / web service to interact with the XtraShare objects (users/groups…)
     Full source code of the Web Parts provided upon request
     Extensible event trigger mechanism, useful to implement registration workflows

 56. Thanks to…
     (links not preserved in this transcript)
     Brian Culver's Extranet presentation
     SharePoint 2010 Unleashed (by Michael Noel)
     Windows Identity Foundation Training Kit
     Extranet Topologies for SharePoint 2010

 57. References
     (links not preserved in this transcript)
     An Introduction to Claims
     Windows Identity Foundation
     Plan authentication methods (SP 2010)

 58. If you want to know more…
     Contact us at info@rl-soft.com
     Download and evaluate XtraShare at (URL not preserved in this transcript)