Organizations planning for Extranet access to SharePoint 2010 or faced with providing access to an Intranet from multiple internal authentication platforms often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. The complexity involved in understanding how to isolate content from a security perspective but still provide for a collaborative space for end users is complex, and if not done correctly can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including Claims-based authentication and also covering advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management to SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers. • Review Extranet design options with SharePoint 2010 • Understand the need for identity management across SharePoint farms • Examine real world deployment guidance and architecture for SharePoint environments using multiple authentication providers

1. Platinum Sponsor
Gold Sponsors

2. Michael Noel
PLANNING EXTRANETS WITH
SHAREPOINT 2010

3. MICHAEL NOEL
• Author of SAMS Publishing titles ―SharePoint 2007 Unleashed,‖ the upcoming
―SharePoint 2010 Unleashed,‖ ―SharePoint 2003 Unleashed‖, ―Teach Yourself
SharePoint 2003 in 10 Minutes,‖ ―Windows Server 2008 R2 Unleashed,‖ ―Exchange
Server 2010 Unleashed‖, ―ISA Server 2006 Unleashed‖, and many other titles .
• Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco,
U.S.A. based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security

4. WHAT WE‘LL COVER
• Why an Extranet?
• SharePoint 2010 Extranets
• Extranet Architecture Options
• Claims-based Authentication
• Forefront Unified Access Gateway (UAG) for extranets
• Forefront Identity Manager for Identity Management in an
Extranet

5. WHY AN EXTRANET?

6. WHY AN EXTRANET?
• Security Isolation
• Isolation of Data
• Less Exposure, Perimeter Network Scenarios
• Partner Collaboration
• Share SP Content with External Partners
• Control Partner Accounts
Anonymous Customer Scenarios are not really Extranets

7. SHAREPOINT 2010 EXTRANETS
• Claims-based Authentication Support
• Multiple Authentication Providers
• Better Scalability (Services Architecture)
• Goodbye SSP!
• Server Groups
• Services Applications
• Multiple Authentication Types per Web Application

8. SAMPLE EXTRANET ARCHITECTURE

9. DESIGN AROUND SECURITY REQUIREMENTS
• Scenario 1: Extranet and Internal Users in Single Farm
• 1A: Single Web App / Single Site Collection Less
Secure
• 1B: Single Web App / Separate Site Collections
• 1C: Multiple Web Apps / Content DBs
• 1D: Separate App Pool / Service App Group
• Scenario 2: Extranet and Internal Users in Single Farm / Separate
Trusted Forests
• Scenario 3: Extranet and Internal Users in Multiple Farms / One-Way
Trust
• Scenario 4: Extranet an Internal Users in Separate Farms / Claims-
based Auth for Internal Access to Extranet
More
• Scenario 5: Extranet an Internal Users in Separate Farms / No Secure
Access for Internal Accounts to Extranet
• Scenario 6: Separate Farms / AD FS Federation for Extranet Auth

10. EXTRANET SCENARIO 1:
EXTRANET AND INTERNAL USERS IN SINGLE FARM
1A: Single Web App / Single Site Collection
1B: Single Web App / Separate Site Collections
1C: Multiple Web Apps / Content DBs
1D: Separate App Pool / Service App Group

11. EXTRANET SCENARIO 2:
EXTRANET AND INTERNAL USERS IN SINGLE FARM
/ SEPARATE TRUSTED FORESTS

12. EXTRANET SCENARIO 3:
EXTRANET AND INTERNAL USERS IN MULTIPLE FARMS AND
PERIMETER NETWORK / ONE-WAY TRUST

13. EXTRANET SCENARIO 4:
EXTRANET AN INTERNAL USERS IN SEPARATE FARMS /
CLAIMS-BASED AUTH PROVIDER FOR INTERNAL AUTH TO
EXTRANET

14. EXTRANET SCENARIO 5:
EXTRANET AN INTERNAL USERS IN SEPARATE FARMS / NO
ACCESS FOR INTERNAL ACCOUNTS TO EXTRANET

15. EXTRANET SCENARIO 6:
SEPARATE FARMS / AD FS FEDERATION FOR EXTRANET
AUTH

16. EXTRANET NOTES

17. ONE-WAY TRUST SCENARIOS
• People Picker needs to be configured to crawl domain if it doesn‘t trust the
domain where the SharePoint farm is installed.
• Only with STSADM (Rare exception when you can‘t use PowerShell)
• Example Syntax:
• stsadm.exe -o setapppassword -password AnyPassw0rd
• stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv
"domain:companyabc.com,COMPANYABCsvc_sppplpick,Password1;domain:extran
etabc.com" -url https://extranet.companyabc.com
• stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv
"domain:companyabc.com,COMPANYABCsvc_sppplpick,Password1;domain:extran
etabc.com" -url https://spcaext.companyabc.com
• Syntax is critical
• Run against all web apps

18. DESIGN FOR CLIENTLESS ACCESS TO
SHAREPOINT
• Services Applications for Extranet Clients:
• Word Services
• Excel Services
• Visio Services
• Access Services
• InfoPath Forms Services
• Allows ‗Clientless‘ access to SharePoint content, for
Extranet partners without Office

19. STANDARD REQUIREMENTS APPLY TO
EXTRANETS AS WELL
• SharePoint-aware Antivirus
• i.e. Forefront Protection for SharePoint
• SharePoint-aware Backup and Restore
• i.e. System Center Data Protection Manager (DPM) 2010
• Rights Management?
• Active Directory Rights Management Services (AD RMS)

20. CONTENT DEPLOYMENT WITH EXTRANETS

21. CLAIMS-BASED AUTHENTICATION

22. CLAIMS-BASED AUTH
• SharePoint doesn‘t actually Authenticate Users, it relies on IIS or
other providers
• SharePoint 2010 Allows for Classic and Claims-based Auth
Scenarios
• Classic Authentication is similar to SharePoint 2007
• Claims based Auth adds the following key benefits:
• Allows for Multiple Authentication Types per Web Application Zone
• Removes SharePoint from the Authentication Provider
• Allows for federation between organizations (AD FS, etc.) scenarios
• Does not require Kerberos Delegation
• Remember the difference between Authentication and
Authorization…

23. CLASSIC VS. CLAIMS-BASED AUTH
Classic-mode Claims-based
Type authentication authentication
Windows
NTLM
Kerberos
Yes Yes
Anonymous
Basic
Digest
Forms-based authentication
LDAP
No Yes
SQL database or other database
Custom or third-party membership and role providers
SAML token-based authentication
AD FS 2.0
No Yes
Third-party identity provider
LDAP

24. MIXED-MODE VS. MULTI-AUTHENTICATION

25. EXAMPLE: PARTNER ENVIRONMENT WITH
MULTIPLE AUTH TYPES ON SINGLE W.A.

26. FOREFRONT UNIFIED ACCESS
GATEWAY 2010

27. UAG ARCHITECTURE Data Center / Corporate Network
Exchange
CRM
Mobile SharePoint
IIS based
IBM, SAP, Oracle
Home / Friend
/ Kiosk Layer3 VPN Terminal /
Remote Desktop
HTTPS (443) Services
Internet
DirectAccess
Non web
Business Partners / AD, ADFS,
Sub-Contractors RADIUS, LDAP….
NPS, ILM
Employees Managed Machines

29. WHAT ABOUT TMG? (NEW ISA)
Capability TMG 2010 UAG
2010
Publish Web applications using HTTPS X X
Publish internal mobile applications to roaming mobile devices X X
Layer 3 firewall X X*
Outbound scenarios support X X*
Array support X
Globalization and administration console localization X
Wizards and predefined settings to publish SharePoint sites and Exchange X X
Wizards and predefined settings to publish various applications X
Active Directory Federation Services (ADFS) support X
Rich authentication (for example, one-time password, forms-based, smart card) X X
Application protection (Web application firewall) Basic Full
Endpoint health detection X
Information leakage prevention X
Granular access policy X
Unified Portal X

30. WHAT IS FOREFRONT IDENTITY MANAGER?

31. IDENTITY AND ACCESS MANAGEMENT
Secure Messaging Secure Collaboration Secure Endpoint
Information Protection
Identity and Access Management
Active Directory Federation Services
®

32. WHY FIM FOR SHAREPOINT?

33. MANAGE SHAREPOINT IDENTITIES
• Create Multiple Authentication Providers for SharePoint
Farms
• AD DS Forests (Extranet forests)
• AD LDS Authentication Providers
• SQL Table (FBA) Authentication Sources
• LDAP Providers
• Etc…
• Keep those Authentication Providers Managed

34. IDENTITY MANAGEMENT
USER PROVISIONING FOR SHAREPOINT AND OTHER APPLICATIONS
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users
Active
Directory
Extranet
Forest
Workflow
User Enrollment
Test
Forest
FIM
HR System
FBA
Table
Approval
LOB
User provisioned on all allowed systems App
Manager VPN

35. IDENTITY MANAGEMENT
USER DE-PROVISIONING
• Automated user de-provisioning
• Built-in workflow for identity management
• Real-time de-provisioning from all systems to prevent unauthorized access
and information leakage
Active
Directory
Extranet
Forest
Workflow
User de-provisioned Test
Forest
FIM
HR System
FBA
Table
LOB
User de-provisioned or disabled on all systems App
VPN

36. IDENTITY SYNCHRONIZATION AND CONSISTENCY
IDENTITY SYNCHRONIZATION ACROSS MULTIPLE DIRECTORIES
Attribute
HR givenName Samantha
Ownership
System sn Dearing FIM
title
mail
FirstName
employeeID 007
LastName telephone
EmployeeID GivenName
givenName Samantha
sn Dearing
title Coordinator
Internal givenName Samara
mail someone@example.com
AD sn
title
Darling
Coordinator
employeeID 007
telephone 555-0129
mail
Title
employeeID 007
telephone
Identity
Extranet
Data
givenName Sam
AD sn Dearing
title Intern
E-Mail mail
employeeID
someone@example.com
007 Aggregation
telephone
LDAP givenName Sammy
sn Dearling
title
mail
Telephone
employeeID 008
telephone 555-0129

37. IDENTITY SYNCHRONIZATION AND CONSISTENCY
IDENTITY CONSISTENCY ACROSS MULTIPLE DIRECTORIES
Attribute
HR givenName Samantha
Ownership
System sn Dearing FIM
title
mail
FirstName
employeeID 007
LastName telephone
EmployeeID givenName Samantha
Bob
sn Dearing
title Coordinator
Internal givenName Samara
mail someone@example.com
someone@example.com
AD sn
title
Darling
Coordinator
employeeID 007
telephone 555-0129
mail
Title
employeeID 007
telephone
Identity
Extranet
Data
givenName Sam
AD sn
title
Dearing
Intern
E-Mail mail
employeeID
someone@example.com
007 Brokering
telephone
(Convergence)
LDAP givenName Sammy
sn Dearling
title
mail
Telephone
employeeID 007
telephone 555-0129

38. CUSTOMIZABLE IDENTITY PORTAL
SharePoint-based Identity Portal
for Management and Self Service
How you extend it
Add your own portal pages
or web parts
Build new custom solutions
Expose new attributes to manage by
extending FIM schema
Choose SharePoint theme to customize
look and feel

39. CUSTOMIZABLE IDENTITY PORTAL
• Can be used to allow Extranet Partners to Perform Self-
Service Management
• Give control of Account Management to users/administrators of
the extranet partner
• Secure access to portal through VPN/Reverse Proxy
• Portal in the DMZ
• Can be used for Self-Service Password Reset (via
domain-joined computer)

40. STRONG AUTHENTICATION—CERTIFICATE AUTHORITY
• Streamline deployment by enrolling user and computer certificates
without user intervention
• Simplify certificate and SmartCard management using Forefront
Identity Manager (FIM)
• Can be used to automate Certificate management for dual factor auth
approaches to SharePoint logins
End User SmartCard
User is validated using multi-
FIM policy triggers request for factor authentication
FIM CM to issue certificate or
Certificate is issued to user and
SmartCard
written to either machine or
smart card
FIM CM
End User
SmartCard
FIM
HR System
FIM Certificate Management
(CM) requests certificate User ID and
User Enrollment and AD CS
creation from
Authentication request sent by Password
HR System
Active Directory Certificate
Services (AD CS)

41. REAL WORLD FIM USAGE SCENARIOS

42. FIM FOR EXTRANET FOREST MGMT
• Internal AD DS Forest
• DMZ Extranet AD DS Forest
• FIM Auto-provisions certain user accounts in Extranet forest and
keeps Passwords in Sync to allow Internal users to
access/collaborate with Partners
• FIM allows Self-Service Portal Access for Extranet user accounts
in the partner forest
• Two-factor Auth scenarios, to automate provisioning of user
accounts AND certificates to systems

43. FIM FOR ROLE BASED ACCESS
CONTROL
• FIM is central to RBAC Strategy
• Can auto-add users to Groups based on RBAC Criteria
• HR Defines a user‘s access based on their role
• FIM auto-adds that user to specific Role Groups in AD DS, which
are tied to SharePoint Groups that have the rights that that role
group requires.
User1
Role SharePoint
Group Group
User2

44. SESSION SUMMARY
• Understand the Extranet Design Options for 2010
• Keep Extranet Accounts out of local AD
• Determine how Identities will be Managed
• Use FIM for Identity Management, Self-Service, and
Provisioning/Deprovisioning of Extranet Accounts
• Use UAG to secure inbound access to extranets/intranets

45. Thank you to our Sponsors
Gold Sponsors
Silver Sponsors
Bronze Sponsors

46. Michael Noel
Twitter: @MichaelTNoel
www.cco.com
Slides: slideshare.net/michaeltnoel