Extending SharePoint 2010 to your customers and partners
Slides for the talk I gave at SPC11 about Extranets.
SharePoint Conference 2011, Anaheim, CA, October 3–6th, 2011
Corey Roth, @coreyroth
Problems with using E-mail for collaboration
E-mail is not ideal for sharing with external users:
- Inboxes flooded
- Versioning issues
- Files blocked
- Send / Receive limits
Agenda
- Why you need an extranet
- Extranet network topologies
- Authentication options
- Document management for extranets
Questions to ask yourself…
- What is an extranet?
- Do we need an extranet?
- Who will use the extranet?
- What does SharePoint offer?
- How will users get to the extranet?
- How will users authenticate?
- How do I populate content on the extranet?
Do we need an extranet?
If you answer yes to any of the following, then you might:
- Does your organization often share documents with customers, vendors, partners, and suppliers?
- Have you had issues caused by transmitting the wrong version of a document?
- Do you have employees that routinely send contracts, reports, invoices, and other documents outside the company?
- Do you have security or document expiration concerns with the documents you share?
- Do you need to be able to search the documents you are sharing?
Who will use the extranet?
What type of users are extranets suitable for?
Extranet Scenarios – Customers and Partners
- Collaborate by sharing documents and data
- Security allows the content for each partner to be isolated
- Partners can't view each other's data
Extranet Scenarios – Remote Employees
- Allow remote employees to access corporate information without needing a VPN connection
- Ideal for traveling employees, remote workers, or geographically dispersed teams
What does SharePoint offer?
- Authenticate and authorize users
- Fine-tune permissions for a given partner or group of users
- Take advantage of ECM features like document libraries
- Calendars, announcements, picture libraries, tasks
- Allow users to search for the documents they seek
- Take documents offline with SharePoint Workspace
SharePoint ECM Features
- Enterprise Search
- Check in / Check out
- Auditing
- Versioning
- Policies (Retention / Expiration)
- Office Web Apps
- SharePoint Workspace
Questions to ask yourself…
What is an extranet? Do we need an extranet? Who will use the extranet? What does SharePoint provide me? How will users get to the extranet? How will users authenticate? How do I populate content on the extranet?
SharePoint Farms for Extranet
- Different farm
- Multi-tenancy
- Same farm with a separate web application
- Same farm with the same web application
It's all about the network…
- Choosing the right network topology is important.
- Topologies affect where the SharePoint, SQL, and Active Directory servers are in the network
- Several common network topologies can be used for SharePoint extranets
Network Topology – Edge Firewall (diagram)
Network Topology – Back-to-back Perimeter (diagram)
Network Topology – Split Back-to-back Perimeter (diagram)
Questions to ask yourself…
What is an extranet? Do we need an extranet? Who will use the extranet? What does SharePoint provide me? How will users get to the extranet? How will users authenticate? How do I populate content on the extranet?
What are my authentication options?
- Active Directory
- Forms Based Authentication – ASP.NET Membership Provider
- Forms Based Authentication – Active Directory
- Trusted Identity Provider – Windows Live ID
- Many others / custom
Authentication – Active Directory
- Same authentication your internal users use
- External users are presented with a browser login dialog
- Users log in with domain\username
- Not very user friendly
- Users get prompted often for authentication
- Can be combined with an application firewall that provides the forms-based login in front of SharePoint
Authentication – Forms Based Authentication – ASP.NET Membership Provider
- Users log in via forms using the ASP.NET Membership provider
- Uses claims-based authentication
- Users are stored in a SQL Server database
- Management of users requires code or third-party tools:
  SharePoint 2010 FBA Pack: http://sharepoint2010fba.codeplex.com
  CKS: http://cks.codeplex.com/releases/view/7450
Authentication – FBA (ASP.NET) – Configuration Steps
1) Configure the web application to use claims-based authentication
2) Configure the membership provider and role manager
3) Modify the web.config files
4) Grant permissions
Authentication – FBA (ASP.NET) – Configuration – Claims Based Authentication
- Create a new web application or extend an existing web application
- Select Claims Based Authentication for Authentication
- Check Enable Forms Based Authentication
- Specify an ASP.NET Membership provider name
- Specify an ASP.NET Role manager name
- Existing web applications can be converted to claims using PowerShell
Authentication – FBA (ASP.NET) – Configuration – Membership / Role Provider
- Create the membership database with aspnet_regsql.exe, located at C:\Windows\Microsoft.NET\Framework64\v2.0.50727
- Specify a name for the membership database (default: aspnetdb)
- Grant SQL Server permissions on the membership database to the application pool accounts and the farm account
Authentication – FBA (ASP.NET) – Configuration – web.config
- The connection string, membership provider and role provider must be added to the web.config files
- Modifications are required in the following web.config files:
  - Forms Based Web Application
  - Central Administration
  - STS (%programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken)
- Modifications on the following slides
Authentication – FBA (ASP.NET) – Configuration – web.config Modifications

<!-- Before the system.web element -->
<!-- These changes should be added to both the FBA web application and Central Admin web.config -->
<!-- For the STS web.config, add only the connection string and the two SQL provider
     entries below: no "i"/"c" claims wrappers and no defaultProvider attribute. -->
<connectionStrings>
  <add name="MembershipConnectionString"
       connectionString="data source=SQLServer;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>

<!-- Role manager: "c" is SharePoint's claims wrapper and stays the default provider;
     the SQL role provider is registered beside it under the name entered in Central Admin. -->
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add name="c"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <!-- Version=2.0.0.0 is the shipped System.Web assembly version; older samples show the pre-release 2.0.3600.0 -->
    <add connectionStringName="MembershipConnectionString"
         applicationName="/"
         description="Stores and retrieves roles from SQL Server"
         name="SQL-RoleManager"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>

<!-- Membership: "i" is SharePoint's claims wrapper and stays the default provider.
     Password retrieval and reset are disabled and passwords are stored hashed, so a
     compromised membership database does not yield clear-text credentials. -->
<membership defaultProvider="i">
  <providers>
    <add name="i"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add connectionStringName="MembershipConnectionString"
         enablePasswordRetrieval="false"
         enablePasswordReset="false"
         requiresQuestionAndAnswer="true"
         applicationName="/"
         requiresUniqueEmail="true"
         passwordFormat="Hashed"
         description=""
         name="SQL-MembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>
Authentication – FBA (ASP.NET) – Configuration – Grant Permissions
- Create users in the membership database, with code or third-party tools:
  SharePoint 2010 FBA Pack: http://sharepoint2010fba.codeplex.com
  CKS: http://cks.codeplex.com/releases/view/7450
- After users are created, grant access at the Web Application level: Web Applications -> User Policy -> Add User (Default Zone)
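The slides convert an existing web application to claims and add the user policy through Central Administration. As an added example (not code from the slides or the talk), the same steps in the SharePoint 2010 Management Shell: the conversion, enabling FBA on the Default zone with the provider names from web.config, and a user policy for a forms user. The web application URL, the admin account, the FBA user name and the provider names are placeholders.

```powershell
# Added example (not from the original slides): convert a classic-mode web
# application to claims, enable FBA on the Default zone, and grant a forms
# user access through a web application user policy.
# Assumptions (placeholders): web application URL, admin account, FBA user name,
# and the provider names SQL-MembershipProvider / SQL-RoleManager from web.config.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = "http://extranet.contoso.local"   # placeholder
$adminAccount = "CONTOSO\spadmin"                 # placeholder: keeps Full Control through the conversion
$fbaUser      = "partner.user"                    # placeholder: a user already created in the membership database
$membership   = "SQL-MembershipProvider"          # name of the <membership> provider in web.config
$roleManager  = "SQL-RoleManager"                 # name of the <roleManager> provider in web.config

$wa = Get-SPWebApplication $webAppUrl

# 1) Convert a classic-mode web application to claims. This is one-way; back up
#    the content databases first.
if (-not $wa.UseClaimsAuthentication) {
    $wa.UseClaimsAuthentication = $true
    $wa.Update()

    # Re-add the admin with a Full Control policy in encoded-claim form so the
    # account is not locked out while existing users are migrated.
    $adminClaim = (New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName).ToEncodedString()
    $wa = Get-SPWebApplication $webAppUrl
    $policy = $wa.ZonePolicies("Default").Add($adminClaim, "Claims migration admin")
    $policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))
    $wa.Update()

    # Rewrite existing identities into their claims encoding (i:0#.w|domain\user)
    # and re-provision the web application on every server in the farm.
    $wa.MigrateUsers($true)
    $wa.ProvisionGlobally()
}

# 2) Enable forms-based authentication on the Default zone next to Windows
#    authentication, naming the providers configured in web.config.
$windowsAuth = New-SPAuthenticationProvider
$formsAuth   = New-SPAuthenticationProvider -ASPNETMembershipProvider $membership -ASPNETRoleProviderName $roleManager
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $windowsAuth, $formsAuth

# 3) Grant an FBA user access through a user policy on the Default zone.
#    Forms users are encoded as i:0#.f|<membership provider>|<user name>
#    (provider name in lower case). Full Read is the least-privilege special
#    role; a policy applies to every site collection in the web application.
$fbaClaim = "i:0#.f|$($membership.ToLower())|$fbaUser"
$wa = Get-SPWebApplication $webAppUrl
$policy = $wa.ZonePolicies("Default").Add($fbaClaim, "Extranet partner (read)")
$policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullRead"))
$wa.Update()

# 4) Verify the result: claims mode is on and the policies are in place.
$wa = Get-SPWebApplication $webAppUrl
"{0}: UseClaimsAuthentication={1}" -f $wa.Url, $wa.UseClaimsAuthentication
$wa.ZonePolicies("Default") |
    Select-Object UserName, DisplayName,
        @{ n = "Roles"; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join "," } }
```

A web application user policy is farm-wide in effect: it grants the same level on every site collection in that web application, which works against the "partners can't view each other's data" goal from the scenarios slide. Use the policy for administrators and break-glass accounts, and give each partner's forms users permissions on their own site collection instead.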
Demo: FBA – ASP.NET Membership Provider (Corey Roth, @coreyroth)
Authentication – Forms Based Authentication – Active Directory
- Similar to the ASP.NET Membership configuration
- Specify users in AD using an LDAP connection string, e.g.: LDAP://dc.domain.local/OU=Users,DC=domain,DC=local
- AD users authenticated with classic authentication are not the same SharePoint principals as the same AD users authenticated through FBA
- Configure the web application to use claims-based authentication
- Specify a Membership provider name but no role manager
- Edit the web.config files
Authentication – FBA (AD) – Configuration – web.config Modifications

<!-- Before the system.web element -->
<!-- These changes should be added to the FBA web application, Central Admin, and STS web.config -->
<connectionStrings>
  <add name="ActiveDirectoryConnectionString"
       connectionString="LDAP://dc.domain.local/OU=Users,DC=domain,DC=local" />
</connectionStrings>

<membership defaultProvider="ActiveDirectoryMembership">
  <providers>
    <add name="ActiveDirectoryMembership"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ActiveDirectoryConnectionString"
         enableSearchMethods="true"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>
Demo: FBA – Active Directory (Corey Roth, @coreyroth)
Authentication – Trusted Identity Provider – Windows Live ID
- Log in to the Microsoft Services Manager site with a Windows Live ID: https://msm.live.com/
- Register your site:
  - Site name
  - DNS name (urn:someurl)
  - Policy: select Windows Live ID
  - Default return URL: http://yourdomain/_trust/default.aspx
  - Override Authentication Policy: MBI_FED_SSL
- Install the x509 certificate
- Configure the claims provider using PowerShell
- Configure the web application to use the Trusted Identity Provider
- Test your site with Windows Live ID credentials
- Begin the compliance review
- Repeat the above steps for the production Live ID environment
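The "configure the claims provider using PowerShell" and "configure the web app to use the Trusted Identity Provider" steps above are shown here as an added example, not code from the slides or from the TechNet article. It registers the Live ID token-signing certificate as a trusted root, maps the incoming claims, creates the trusted identity token issuer and binds it to the Default zone. The certificate path, realm, sign-in URL, web application URL and the claim types used are assumptions to replace with the values from your Microsoft Services Manager registration.

```powershell
# Added example (not from the original slides): register Windows Live ID as a
# SharePoint 2010 trusted identity provider and bind it to the extranet web
# application. Run in the SharePoint 2010 Management Shell on a claims-mode
# web application.
# Assumptions (placeholders): certificate path, realm (the urn: DNS name you
# registered), sign-in URL (INT vs production differ), web application URL,
# and the claim types Live ID sends.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath   = "C:\certs\LiveID-INT.cer"               # placeholder: installed Live ID token-signing certificate
$realm      = "urn:extranet.contoso.com"              # placeholder: urn: DNS name registered in Services Manager
$signInUrl  = "https://login.live-int.com/login.srf"  # placeholder: INT sign-in URL; production differs
$webAppUrl  = "https://extranet.contoso.com"          # placeholder: return URL is <this>/_trust/default.aspx
$issuerName = "Windows Live ID (INT)"

# 1) Trust the certificate Live ID signs tokens with. SharePoint rejects tokens
#    signed by anything else, so this certificate is the anchor of the trust;
#    note which one you install (INT or production) and rotate it when it expires.
$cert = Get-PfxCertificate $certPath
New-SPTrustedRootAuthority -Name "$issuerName Root Authority" -Certificate $cert | Out-Null

# 2) Map the incoming claims SharePoint should keep. The identifier claim becomes
#    the user's identity in SharePoint; the claim type URIs are assumptions.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upnClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/claims/UPN" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

# 3) Create the trusted identity token issuer (what Central Admin calls a
#    Trusted Identity Provider). The realm must match the registration exactly,
#    or Live ID will not issue a token for this relying party.
$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName `
    -Description "Windows Live ID, INT environment" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim, $upnClaim `
    -SignInUrl $signInUrl `
    -IdentifierClaim "http://schemas.xmlsoap.org/claims/UPN"

# 4) Bind the provider to the Default zone, keeping Windows authentication so
#    internal users keep working alongside Live ID users.
$windowsAuth = New-SPAuthenticationProvider
$liveIdAuth  = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $windowsAuth, $liveIdAuth

# 5) Verify: the issuer exists with the expected realm and sign-in endpoint.
Get-SPTrustedIdentityTokenIssuer -Identity $issuerName |
    Select-Object Name, DefaultProviderRealm, ProviderUri
```

Keep the INT and production issuers as separate objects with separate certificates; the slides' "repeat the above steps for production Live ID" means running this again with the production certificate, realm and sign-in URL, not editing the INT issuer in place.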
Demo: Windows Live ID Provider (Corey Roth, @coreyroth)
Questions to ask yourself…
What is an extranet? Do we need an extranet? Who will use the extranet? What does SharePoint provide me? How will users get to the extranet? How will users authenticate? How do I populate content on the extranet?
How do I populate content?
I have an extranet! Now how do I populate it?
- Manual uploading
- Publishing
- Send To connections
- Custom code (e.g. event receivers / workflows)
Demo: Send To Connections (Corey Roth, @coreyroth)
Resources
- SharePoint Extranet Topologies: http://technet.microsoft.com/en-us/library/cc263513.aspx
- TechNet: Configuring claims-based authentication using Windows Live ID: http://technet.microsoft.com/en-us/library/ff973117.aspx
- Setting up FBA Claims with AD: http://blogs.msdn.com/b/sridhara/archive/2010/01/07/setting-up-fba-claims-in-sharepoint-2010-with-active-directory-membership-provider.aspx
- SharePoint 2010 FBA Pack: http://sharepoint2010fba.codeplex.com
- Community Kit for SharePoint: http://cks.codeplex.com/releases/view/7450
Related Sessions at SPC
SPC Code   Session Name                                                 Day          Time     Type        Location
SPC3997    TITUS: Using Claims for Authentication in SharePoint 2010    Weds 10/5    5:00p    Partner
SPC411     Security Design with Claims Based Authentication             Thurs 10/6   12:00p   Microsoft
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.