how to deploy sharepoint 2010 to external users?

How to deploy SharePoint to Extranet Users? Raphael Londner Silicon Valley SharePoint User Group 02/10/2011

Upload: rlsoft

Post on 27-Jan-2015


DESCRIPTION

A presentation about all the different aspects to be aware of when deploying SharePoint 2010 as an extranet platform, as well as the available options for network topologies and authentication methods.

TRANSCRIPT

Page 1: How to deploy SharePoint 2010 to external users?

How to deploy SharePoint to Extranet Users?

Raphael Londner

Silicon Valley SharePoint User Group, 02/10/2011

Page 2

© RL Soft 2011

Who am I?

• SharePoint, .NET, SQL Server, AD… since 2001
• Consultant, administrator, developer, pre-sales engineer

www.rl-soft.com
www.rl-soft.com/en/blog

@rlondner

www.youtube.com/xtrashare

[email protected]

Page 3

Agenda

• Definition and Scenarios
• Extranet Network Topologies
• Identity Management in SharePoint
• Claims-Based Authentication
• SharePoint 2010 Authentication Options
• XtraShare for SharePoint Highlight

Page 4

Agenda (section divider, same list as page 3)

Page 5

Extranet - Definition

• A web application shared with external users, such as partners, vendors, customers, community users, industry peers…
• Typical attributes of an extranet:
  – Requires authenticated access, but the identity of the user is not always known
  – Has stronger security controls than an Internet web site, but is usually less secure than an Intranet

Page 6

Common Extranet Scenarios

Usage types: Line of Business Applications, Collaboration, Static Content or Publishing

• Remote Employees
• Partners
  – Isolate and segregate data
  – Authorize users to only access sites and data that are necessary for their contributions
  – Restrict partners from viewing other partners’ data
• Community Sites
  – Foster a community of users with shared interests
  – Allow users to register
  – Self-service tools (password reminder, profile update…)
  – Delegate user administration

Page 7

Extranet Design Considerations

• Network Topologies
• Identity Management

Page 8

Agenda (section divider, same list as page 3)

Page 9

Edge Firewall Topology

• Pros
  – Least amount of hardware, software and configuration
  – Single point of data
• Cons
  – Single firewall between the corporate network and the Internet

Page 10

Back-to-back Perimeter

• Pros
  – Isolated extranet farm
  – External user access isolated to the perimeter network
• Cons
  – Additional network infrastructure, hardware, software licenses…

Page 11

Split-to-back Perimeter

• Pros
  – Single SQL Server store; app servers (only) in the corporate network
• Cons
  – Increased complexity (domain trusts…)

Page 12

Agenda (section divider, same list as page 3)

Page 13

Terminology

• Authentication: creates an identity for a security principal (Who am I?)
• Authorization: determines which resources a user has access to (What can I access?)
• SharePoint does not authenticate, but does authorize
• SharePoint creates user profiles (SPUser), stored in the User Information List at the site collection level

Page 14

SharePoint 2001

• Windows Server 2000 / IIS 5.0
• ASP 3.0
• Windows Authentication (Active Directory)

Page 15

SharePoint 2003

• Windows Server 2003 / IIS 6.0
• ASP.NET 1.1 (2.0 w/ SP1)
• Windows Authentication (Active Directory)

Page 16

SharePoint 2007

• Windows Server 2003/2008, IIS 6.0/7.0
• ASP.NET 2.0
• Windows Authentication (Active Directory)
• Forms-Based Authentication (FBA)
  – Allows users to connect through a web form
  – ASP.NET 2.0 Membership Provider / Role Manager
  – Can authenticate users against “any” user store: Web SSO (ADFS), LDAP, SQL…
  – One authentication method per SharePoint Zone

Page 17

SharePoint 2010

• Windows Server 2008/2008 R2, IIS 7.0/7.5
• ASP.NET 3.5
• Windows Authentication (AD)
• Claims-Based Authentication (CBA)
  – Windows Identity Foundation (WIF)
  – Multiple authentication methods per SharePoint Zone (URL)
  – Standards-based (WS-Trust, SAML)
  – Automatic, secure identity delegation

Page 18

Agenda (section divider, same list as page 3)

Page 19

What is Claims-Based Authentication?

[Diagram: a classic application (Login.aspx, Page1.aspx) tied to its own credential types / APIs, credential stores and user attribute stores. Caption: “Your Applications Are Prisoners!”]

Page 20

Identity in Real Life

[Diagram: the application externalizes authentication and gets the user info from the document it is presented with.]

Page 21

Claims Can Set Your Applications Free

[Diagram: Identity Provider → STS → Security Token (Claims) → Relying Party]

Page 23

CBA Terminology

• Identity: security principal used to configure the security policy
• Claim (Assertion): attribute of an identity (such as Login Name, First Name, Gender, Age, etc.)
• Issuer: trusted party that creates claims
• Security Token: serialized set of claims (assertions) about an authenticated user
• Issuing Authority: issues security tokens knowing the claims desired by the target application (AD, ASP.NET, LiveID, etc.)
• Security Token Service (STS): builds, signs and issues security tokens
• Relying Party: application that makes authorization decisions based on claims

Page 24

SharePoint 2007 – Identity Flow

[Diagram: the client authenticates to the SharePoint Web Application with one of the authentication methods (Windows integrated, Membership & Role Providers, Web SSO, Anonymous access); access control is roles protected; the web application then reaches the SharePoint Service Applications and the Content Database as trusted sub-systems under a Windows identity.]

SharePoint 2010 – Identity Flow

[Diagram: the client authenticates (Windows, ASP.NET (FBA), Claims Based Identity, SAML Web SSO) through WIF to the claims-aware SharePoint Web Application via the SharePoint STS (SP-STS); access control is claims protected; authentication, app logic and the Services Application Framework run behind it, still under a Windows identity towards the back end.]

Page 25

Externalizing Authentication - Overview

[Diagram: user Jill Frank accesses the SharePoint Web Applications of Fabrikam Enterprise Farm-A; the web applications trust the SharePoint-STS, which issues Windows claims.]

1. Attempt access
2. Redirect to STS for authentication
   2.1 Authenticate user
   2.2 Augment claims
3. Post Token {SP-Token}
   3.1 Extract claims and construct IClaimsPrincipal

Page 26

Externalizing Authentication – In Detail

[Diagram (steps numbered 1 to 8; only “8. Cookie” is legible in the transcript): a browser client talks WS-Federation (passive) to the Web Application, which runs on IIS / ASP.NET with a Windows Authentication Module, a WS-Federation Authentication Module, a Session Authentication Module and cookie management; the SharePoint-STS hosts the Security Token Service and the passive serializer; the last step hands a cookie back to the client.]

Page 27

Claims-Based Authentication Process

[Diagram: Client, SharePoint (SharePoint authorization, claims providers, SharePoint STS) and the Identity Provider Security Token Service (IP-STS, SAML based) backed by Active Directory, LiveID or ASP.NET Membership; trust relationships link SharePoint, the SharePoint STS and the IP-STS.]

1. Request resource
2. Authenticate request / redirect
3. Authentication request
4. Security token
5. Service token request
6. Security token response
7. Request resource with service token

Page 28

Agenda (section divider, same list as page 3)

Page 29

Sign-In Methods

• Sign-in methods supported in SP 2010 (all end up as an SPUser):
  – Classic mode: NT Token (Windows Identity)
  – Claims mode:
    · NT Token (Windows Identity)
    · ASP.NET (FBA): SQL, LDAP, Custom
    · SAML Token (Claims Based Identity): SAML 1.1 + ADFS, Custom, etc.

Page 30

Mixed-Mode Authentication

• Pros
  – Automated authentication
• Cons
  – Single URL per authentication provider

[Diagram: a SharePoint farm with one Web Application and up to four Extended Web Applications, one per zone (Default, Intranet, Internet, Extranet, Custom). Mixed authentication: each zone carries a single method, e.g. Default zone = Windows Authentication, another zone = FBA Authentication. Multi-authentication: a zone carries several methods, e.g. Default zone = Windows Authentication + FBA Authentication, another zone = SAML Based Authentication + FBA Authentication, another = Windows Authentication.]

Page 31

Mixed-Mode Scenario

[Diagram: remote employees reach the Extranet zone at https://extranet.contoso.com with FBA claims; employees reach the Intranet zone at http://contoso with Windows claims.]

Page 32

Mixed-Mode: When to use it

• Different protocols on different channels: Intranet (HTTP), Extranet (HTTPS)
• Isolation of authentication providers: dedicate the Extranet zone to partners only
• Internet sites / publishing portal: authored by employees, consumed by customers

Page 33

Multi-Mode Authentication

• Pros
  – Single URL
• Cons
  – Single prompt for authentication type

[Diagram: the same farm/zone diagram as page 30, contrasting mixed authentication (one method per zone) with multi-authentication (several methods on one zone).]

Page 34

Multi-Mode Scenario

[Diagram: a single Intranet zone at https://Corporate.contoso.com serving employees with Windows claims or FBA claims, and vendors/partners with SAML claims.]

Page 35

Multi-Mode: When to use it

• Single experience for different classes of users
• Single URL experience
• Partner collaboration sites
• Federation between two organizations
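The two layouts described on pages 30 to 35, mixed-mode (one authentication method per zone and URL) and multi-mode (several methods behind one URL), as an added SharePoint 2010 Management Shell example. It is not part of the original deck and not RL Soft or XtraShare code. It assumes the farm already carries the SQL provider entries named SQLmembership and SQLrolemanager (page 39) in its web.config files; the web application names, URLs, application pool names and the CONTOSO\sp_webapp managed account are placeholders.

```powershell
# Added example, not from the deck. Provisions a mixed-mode and a multi-mode
# web application in SharePoint 2010. All names, URLs and accounts are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Claims authentication providers. The FBA provider names must match the
# <membership>/<roleManager> entries added to the web.config files (pages 36-39).
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$fba     = New-SPAuthenticationProvider -ASPNETMembershipProvider "SQLmembership" `
                                        -ASPNETRoleProviderName "SQLrolemanager"

$appPoolAccount = Get-SPManagedAccount "CONTOSO\sp_webapp"   # assumed managed account

# --- Mixed-mode (pages 30-32): one authentication method per zone / URL ---
# Default zone: Windows claims for employees on the intranet URL.
$mixed = New-SPWebApplication -Name "Contoso Mixed" `
    -ApplicationPool "ContosoMixedAppPool" -ApplicationPoolAccount $appPoolAccount `
    -Url "http://contoso" -Port 80 -AuthenticationProvider $windows

# Extranet zone: same content, separate HTTPS URL, FBA claims only.
# External users never get a Windows (NTLM/Kerberos) prompt on this URL.
New-SPWebApplicationExtension -Identity $mixed -Name "Contoso Extranet" `
    -Zone Extranet -Url "https://extranet.contoso.com" -Port 443 -SecureSocketsLayer `
    -HostHeader "extranet.contoso.com" -AuthenticationProvider $fba | Out-Null

# --- Multi-mode (pages 33-35): several methods behind a single URL ---
# Users get one sign-in page that asks which authentication type to use.
$multi = New-SPWebApplication -Name "Contoso Corporate" `
    -ApplicationPool "ContosoCorpAppPool" -ApplicationPoolAccount $appPoolAccount `
    -Url "https://corporate.contoso.com" -Port 443 -SecureSocketsLayer `
    -HostHeader "corporate.contoso.com" -AuthenticationProvider $windows, $fba

# Check: which providers does each zone of each web application accept?
foreach ($wa in $mixed, $multi) {
    foreach ($zone in $wa.IisSettings.Keys) {
        $names = Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone |
                 ForEach-Object { $_.DisplayName }
        "{0,-20} {1,-9} {2}" -f $wa.DisplayName, $zone, ($names -join ", ")
    }
}
```

The check at the end is the quickest way to confirm that a zone meant for partners does not also accept Windows authentication: in the mixed layout each zone should list exactly one provider, in the multi layout the Default zone lists both.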

Page 36

ASP.NET Providers

• Microsoft provides several OOTB providers:
  – Active Directory
  – LDAP
  – ASP.NET SQL Database
  – ADFS (WebSSO)
  – You can write your own too!
• Added in web.config files:

  <system.web>
    <membership>
      <providers>
        <add … />
      </providers>
    </membership>
  </system.web>

Page 37

Active Directory Membership Provider

  <!-- connectionUsername/connectionPassword sit in clear text in web.config;
       restrict access to the file or encrypt the section (aspnet_regiis -pe) -->
  <add name="ADMembershipProvider"
       type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
       connectionStringName="ADConnection"
       connectionUsername="domain\account"
       connectionPassword="password"
       attributeMapUsername="SAMAccountName" />

  <connectionStrings>
    <add name="ADConnection"
         connectionString="LDAP://DomainController.local/DC=DomainController,DC=local" />
  </connectionStrings>

Note: no role provider seems to be available…

Page 38

LDAP Membership Provider/Role Manager

  <!-- useSSL="false" on port 389 sends the LDAP bind in clear text;
       prefer LDAPS (port 636, useSSL="true") across a perimeter network -->
  <add name="LDAPmembership"
       type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
       server="redmond.corp.microsoft.com"
       port="389"
       useSSL="false"
       userDNAttribute="distinguishedName"
       userNameAttribute="sAMAccountName"
       userContainer="OU=UserAccounts,DC=redmond,DC=corp,DC=microsoft,DC=com"
       userObjectClass="person"
       userFilter="(&amp;(ObjectClass=person))"
       scope="Subtree"
       otherRequiredUserAttributes="sn,givenname,cn" />

  <add name="LDAProlemanager"
       type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
       server="redmond.corp.microsoft.com"
       port="389"
       useSSL="false"
       groupContainer="DC=redmond,DC=corp,DC=microsoft,DC=com"
       groupNameAttribute="cn"
       groupNameAlternateSearchAttribute="samAccountName"
       groupMemberAttribute="member"
       userNameAttribute="sAMAccountName"
       dnAttribute="distinguishedName"
       groupFilter="(&amp;(ObjectClass=group))"
       userFilter="(&amp;(ObjectClass=person))"
       scope="Subtree" />

Note: Only available with MOSS 2007 or SP Server 2010 (not WSS 3.0 / SP Foundation 2010)

Page 39

ASP.NET DB Membership Provider

  <add name="SQLmembership"
       type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
       connectionStringName="FBAConnectionStr"
       enablePasswordRetrieval="false"
       enablePasswordReset="true"
       requiresQuestionAndAnswer="true"
       passwordAttemptWindow="10"
       applicationName="/"
       requiresUniqueEmail="false"
       passwordFormat="Hashed" />

  <add name="SQLrolemanager"
       type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
       connectionStringName="FBAConnectionStr"
       applicationName="/" />

  <!-- Trusted_Connection=True: the SharePoint application pool identity needs
       access to the aspnetdb database -->
  <connectionStrings>
    <add name="FBAConnectionStr"
         connectionString="server=yourserver;database=aspnetdb;Trusted_Connection=True"
         providerName="" />
  </connectionStrings>

Page 40

ADFS Membership Provider

  <add name="SingleSignOnMembershipProvider2"
       type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
       fs="https://fs-server/adfs/fs/federationserverservice.asmx" />

Page 41

Challenges in extranet scenarios

• Graceful, branded login page
• Ability to delegate user management to business users or external users
• Self-service capability: password reminder, password reset, profile management
• Registration forms: activation links, Captcha, etc…
• Automated notifications
• Account lockout mechanism
• Identity confidentiality

Page 42

Windows Claims in Extranet Scenarios

• Pros
  – OOTB support in SharePoint security
• Cons
  – Separate AD/network/farm for the extranet
  – Managed by IT (not business users)
  – No OOTB self-service capability
  – No OOTB user management delegation
  – Requires the ASP.NET AD provider (or FIM 2010) to avoid the dreaded Basic Authentication prompt

Page 43

FBA Claims in Extranet Scenarios

• Pros
  – Lightweight footprint on infrastructure
  – Flexibility (development)
• Cons
  – Many manual configuration steps: 3 web.config files to update… at least!
  – Hard to troubleshoot. Steve Peschka on the MS SharePoint blog: “Admittedly, there are many steps involved in configuring multiple authentication providers for SharePoint”
  – No OOTB full name resolution
  – No self-service capability / delegated administration…

Page 44

Trusted Provider Claims in Extranet Scenarios

• Pros
  – Easier configuration
  – Reusability (across other applications)
  – It’s the future of authentication: OpenID/OAuth…
• Cons
  – New technology: scarce skilled resources
  – Development complexity
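Registering a SAML-based trusted identity provider, the IP-STS of the page 27 flow, as the “trusted provider claims” option of page 44, written as an added SharePoint 2010 Management Shell example; it is not from the deck and not RL Soft or XtraShare code. The IP-STS sign-in URL, the realm, the certificate file path, the issuer name and the web application URL are assumptions, and the web application is assumed to exist already.

```powershell
# Added example, not from the deck. Trusts an external SAML 1.1 IP-STS and
# attaches it, next to Windows claims, to an existing web application.
# URLs, realm, certificate path and names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Token-signing certificate of the IP-STS (the "Security token" of step 4 on
# page 27 is only accepted if it is signed by a certificate SharePoint trusts).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    "C:\certs\ipsts-signing.cer")          # assumed path, public key only
New-SPTrustedRootAuthority -Name "Contoso IP-STS signing" -Certificate $cert | Out-Null

# Claims the relying party (SharePoint) expects in the token. The identifier
# claim becomes the SPUser login name (page 13), so it must be unique and stable.
$email = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$role  = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# The realm identifies this farm to the IP-STS; it must match the relying
# party registered there, otherwise the issued token is rejected.
$realm = "urn:sharepoint:contoso-extranet"   # assumed

$issuer = New-SPTrustedIdentityTokenIssuer -Name "Contoso Partners STS" `
    -Description "Partner identities federated from the Contoso IP-STS" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $email, $role `
    -SignInUrl "https://sts.contoso.com/adfs/ls/" `
    -IdentifierClaim $email.InputClaimType

# Multi-mode (page 33): employees keep Windows claims, partners sign in via SAML.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$saml    = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
$wa = Get-SPWebApplication "https://corporate.contoso.com"   # assumed to exist
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $saml

# Check: the trusted issuer, its identifier claim and the claim types it maps.
Get-SPTrustedIdentityTokenIssuer "Contoso Partners STS" |
    Select-Object Name, IdentityClaimTypeInformation,
        @{ n = "MappedClaims"; e = { $_.ClaimTypeInformation | ForEach-Object { $_.MappedClaimType } } }
```

Only claim types listed in the mappings reach the SPUser; anything else in the token is dropped, which is why the role claim is mapped explicitly when SharePoint groups are to be populated from partner roles.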

Page 45

Extranet Best Practices

• Branded sites
  – Use an anonymous top-level site collection with a custom login web part
  – Secure content in sub-sites or, even better, in site collections
• User multi-tenancy
  – Do NOT use sub-sites: the User Information List is at the site collection level and is always available in the Picker Control for ALL users
  – Use one site collection per external organization
  – Implement a filtering mechanism in the People Picker control:
    · stsadm -Peoplepicker-searchadcustomquery for AD
    · Custom filtering in Find…() methods for an ASP.NET Membership Provider
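The two multi-tenancy practices of page 45, one site collection per external organization and a People Picker filter for AD, as an added PowerShell example that is not part of the deck and not RL Soft or XtraShare code. Partner names, owner accounts, the web application URL and the AD group used in the LDAP filter are assumptions.

```powershell
# Added example, not from the deck. Provisions one site collection per partner
# and limits People Picker AD searches on the extranet web application.
# Names, URLs, accounts and the AD group are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://extranet.contoso.com"     # assumed extranet zone URL

# One site collection per partner: the User Information List, and with it the
# set of "known users" the People Picker offers, is scoped to the site
# collection, so partners never see each other's accounts. Sub-sites would share it.
$partners = @{ "fabrikam" = "CONTOSO\fabrikam_admin"; "adatum" = "CONTOSO\adatum_admin" }
foreach ($p in $partners.GetEnumerator()) {
    New-SPSite -Url "$webAppUrl/sites/$($p.Key)" -Name "$($p.Key) extranet" `
        -OwnerAlias $p.Value -Template "STS#0" | Out-Null
}

# People Picker filter for AD (page 45): an LDAP filter appended to every
# directory search made from this web application. Here only members of an
# assumed "Extranet Users" group are returned, so internal accounts are not
# discoverable by external users. The setting applies to the whole web
# application zone, not per site collection.
$stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe"
$query  = "(memberOf=CN=Extranet Users,OU=Groups,DC=contoso,DC=com)"

& $stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv $query -url $webAppUrl

# Check: read the property back and list the site collections created.
& $stsadm -o getproperty -pn peoplepicker-searchadcustomquery -url $webAppUrl
Get-SPWebApplication $webAppUrl | Get-SPSite | Select-Object Url, Owner
```

For FBA users the same segregation has to be coded into the membership provider’s FindUsersByName / FindUsersByEmail methods, since the stsadm property only filters Active Directory searches.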

Page 46

Agenda (section divider, same list as page 3)

Page 47

Setting up a SharePoint Extranet is complex…

Page 48

…but XtraShare delivers SharePoint Extranets for the Masses!

Page 49

XtraShare for SharePoint

A fully-packaged, tightly integrated extranet enablement solution for companies of all sizes

Page 50

A Fully Packaged Solution: Key Automation Benefits

• Delivering on the Promise
  – Technical expertise is no longer needed
  – Point-to-click installer
• Full Automation
  – Administration Site provisioned at installation time
  – Creates the user store (SQL DB) from the SharePoint UI
  – Complex modifications of configuration files
  – CBA web application configuration
  – Web Parts deployment
  – Adds a Login Web Part on the home page for anonymous sites
  – …

Page 51

A Tightly Integrated Solution: Key Architectural Features

• Fully built on .NET and SharePoint features
• Management site integrated in SharePoint Central Administration: configuration, FBA activation, user/group management
• Site template for delegated user management
• Web Parts for login, self-registration, password reset, password reminder, profile management

Page 52

Opening the Door to New Usages: Scenarios made possible by XtraShare

• Customer and Partner Extranet Sites
  – Credential notifications (email templates)
  – User-to-SPGroup assignment (drag’n’drop TreeView)
  – Mass import/update of users (object model)
• Anonymous Internet Sites
  – Extensible self-registration w/ Captcha
  – Default group assignment
  – Password change / password reminder
• Social Networking/Community Sites
  – Delegated administration
  – Multi-tenancy

Page 53

DEMO (yes, you can click on the link ;-)

Page 54

Deciphering the XtraShare “Magic”: Inside the XtraShare Installer

• Installation of 3 SharePoint solutions: administration, end-user Web Parts, site templates
• Deployment of membership/role providers to the GAC
• Creation of the Administration Site
• Central Administration CBA readiness: web.config modifications to support membership/role providers
• SiteMap update of Central Administration: modification of admin.sitemap for easy navigation
• Resource files deployment: deployed to the CA App_GlobalResources folder

Page 55

Partner Opportunities: How to customize XtraShare

• Object Model / Web Service to interact with the XtraShare objects (users/groups…)
• Full source code of Web Parts provided upon request
• Extensible event trigger mechanism: useful to implement registration workflows

Page 56

Thanks to…

• Brian Culver’s Extranet presentation: http://www.slideshare.net/bculver/sharepoint-2010-extranets-and-authentication-how-will-sharepoint-2010-connect-you-to-your-partners
• SharePoint 2010 Unleashed (by Michael Noel): http://www.amazon.com/Microsoft-SharePoint-2010-Unleashed-Michael/dp/0672333252
• Windows Identity Foundation Training Kit: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0
• Extranet Topologies for SharePoint 2010: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=EB4BFF25-BABA-4112-B518-F2FC442D5467

Page 57

References

• An Introduction to Claims http://msdn.microsoft.com/en-us/library/ff359101.aspx

• Windows Identity Foundation http://msdn.microsoft.com/en-us/security/aa570351.aspx

• Plan authentication methods (SP 2010) http://technet.microsoft.com/en-us/library/cc262350.aspx

Page 58

If you want to know more…

Contact us: [email protected]

Download and evaluate XtraShare at http://www.rl-soft.com