hybrid end-to-end: spc339 – monday 2pm office 365 identity federation using windows azure and...


Upload: gabriel-butler

Post on 03-Jan-2016


TRANSCRIPT

Page 1: Hybrid end-to-end: SPC339 – Monday 2pm Office 365 identity federation using Windows Azure and Windows Azure Active Directory: SPC411 – Tuesday 9am
Page 2:

SharePoint 2013 hybrid end-to-end
Sam Hassani
Principal Consultant, BrightStarr

SPC339

Page 3:

Introductions… Who am I?
Principal Consultant at BrightStarr
Microsoft Certified Master: SharePoint 2010
Microsoft Certified Solutions Master: SharePoint
SharePoint 2013 Beta Engineer

Contact details
Twitter: @samhassa
Email: [email protected]
Web: www.brightstarr.com
Web: www.samhassani.com
Yammer: Operations and Management Group

Page 4:

Hybrid at SPC
Hybrid end-to-end: SPC339 – Monday 2pm
Office 365 identity federation using Windows Azure and Windows Azure Active Directory: SPC411 – Tuesday 9am
Configuring Hybrid Search with SharePoint 2013 and SharePoint Online: SPC320 – Tuesday 1:45pm
Configuring Hybrid Business Connectivity Services with SharePoint 2013: SPC319 – Tuesday 5pm
Best practices for Hybrid Search deployments: SPC306 – Tuesday 5pm
Federating applications with Office 365 using Windows Azure Active Directory: SPC421 – Wednesday 1:45pm
SharePoint Server 2013 and Office 365 Hybrid: Post Conference Event – Thursday 1-5pm

Page 5:

Agenda
Why Hybrid?
Configuring Hybrid
Identity Management
Choosing a Hybrid Topology
SharePoint Configuration
Hybrid Challenges
Resources
Questions

Page 6:

Why Hybrid?

Page 7:

Benefit from the latest and greatest

Focus on the core business and easily scale up and down

SharePoint Online is attractive

More easily collaborate with external partners

Page 8:

SharePoint Online has limitations

Existing investments with lots of data and customizations

But my business runs on premises

Protect sensitive data

Page 9:

“Leverage the strengths of both parts while minimizing the components’ weaknesses”

Page 10:

A Hybrid Deployment
(Diagram: Online + Azure IaaS / On-premises = Hybrid)

Page 11:

Common Hybrid Scenarios
Get started in the cloud
Migrate existing workloads in a phased approach
Supplement cloud environments
Rapid provisioning of new workloads

Page 12:

SharePoint Hybrid Options
Search: Get search results in SharePoint On-Premises or in SharePoint Online from the SharePoint On-Premises or SharePoint Online search indexes
Business Connectivity Services (BCS): Enable a SharePoint Online site collection to work with data in an on-premises OData service
Duet Enterprise Online: Enable SharePoint Online users to perform both read and write operations against an on-premises SAP system
Identity Management: Provide a single identity and single sign-on experience

Page 13:

Results from the Cloud

Results from On Premises

Page 14:

Identity Management
Cloud Identity: single identity in the cloud
Directory Synchronization: single identity
Federated Identity (SSO): single federated identity

Page 15:

Configuring Hybrid

Page 16:

Directory synchronization
Synchronization of objects from on-premises AD to Azure AD
Limited to 50,000 objects; the limit can be increased by engaging Microsoft
Synchronization occurs every 3 hours by default; it can be initiated manually
Can filter based on OU, domain or user attribute

This is a requirement for SharePoint hybrid scenarios, including Search
When a user issues a query from on-premises to SharePoint Online, SharePoint Online must rehydrate the user's identity
The rehydration process looks up attributes in the SharePoint Online profile store
If no profile or multiple profiles exist, the query fails rather than returning security-trimmed results

Page 17:

Add on-premises domain to Office 365
Determine and register public domain name
Add domain in Office 365
Provide name
Create verification record with DNS hosting provider
Verify domain name ownership

Page 18:

Activate Directory Synchronization

Activate Active Directory Synchronization for your Office 365 Tenant

Page 19:

Configure Directory Synchronization
Download and install the DirSync tool on a member server in the on-premises environment

Page 20:

Configure Directory Synchronization
Run the DirSync tool on the server where it is installed

Page 21:

Configure SSO
Prepare Active Directory
Windows Server 2003 R2 functional level at a minimum
UPNs are correctly set (if the public domain differs from the corporate domain name)

Deploy ADFS 2.0
Install the Microsoft Online Services Sign-in Assistant and the Windows Azure AD PowerShell module
Set up a trust between ADFS and Windows Azure AD (run from the ADFS server, or point Set-MsolADFSContext at it with -Computer):
Connect-MsolService
Set-MsolADFSContext
Convert-MsolDomainToFederated -DomainName <domain>
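The pages above (domain verification, directory synchronization, UPN preparation and the federated domain) form one identity chain, and hybrid search rehydration breaks at whichever link is wrong. The following pre-flight script is an added example, not part of the session deck or any Microsoft tooling; it assumes the demo domain hassanionprem.com, a constructed OU path, the Windows Azure AD PowerShell module and the RSAT Active Directory module, and it only reads state.

```powershell
# Added example (not from the session deck): pre-flight checks for the identity chain that
# SharePoint hybrid depends on. Assumed values: the demo domain hassanionprem.com, a constructed
# OU path, and a tenant administrator who can run Connect-MsolService. Requires the Windows
# Azure AD PowerShell module and the RSAT Active Directory module (Windows PowerShell).
param(
    [string]$Domain = "hassanionprem.com",
    [string]$SearchBase = "OU=Staff,DC=hassanionprem,DC=com",   # constructed placeholder OU
    [int]$MaxSyncAgeHours = 3                                    # default DirSync interval
)

Import-Module ActiveDirectory
Connect-MsolService          # prompts for tenant administrator credentials

$issues = @()

# 1. The public domain must be verified in the tenant (page 17) before it can be federated (page 21).
$msolDomain = Get-MsolDomain -DomainName $Domain -ErrorAction Stop
if ($msolDomain.Status -ne "Verified") {
    $issues += "Domain $Domain is not verified in Office 365 (status: $($msolDomain.Status))"
}
Write-Host ("Domain {0}: status={1}, authentication={2}" -f $Domain, $msolDomain.Status, $msolDomain.Authentication)

# The DNS verification record is a TXT record of the form MS=msXXXXXXXX on the domain apex.
$txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
       Where-Object { $_.Strings -like "MS=ms*" }
if (-not $txt) { $issues += "No Office 365 verification TXT record (MS=ms...) found for $Domain" }

# 2. Directory synchronization must be activated and have run within the expected interval (page 16).
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    $issues += "Directory synchronization is not activated for this tenant"
} elseif ($company.LastDirSyncTime) {
    $age = (Get-Date).ToUniversalTime() - $company.LastDirSyncTime
    Write-Host ("Last DirSync run: {0:u} ({1:N0} minutes ago)" -f $company.LastDirSyncTime, $age.TotalMinutes)
    if ($age.TotalHours -gt $MaxSyncAgeHours) {
        $issues += "Last directory sync is older than $MaxSyncAgeHours hours"
    }
}

# 3. Users who will sign in through AD FS need a UPN suffix equal to the public domain; an
#    internal suffix such as corp.local cannot be federated.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName
$badUpn = @($users | Where-Object { $_.UserPrincipalName -notlike "*@$Domain" })
foreach ($u in $badUpn) {
    $issues += "$($u.SamAccountName) has UPN '$($u.UserPrincipalName)', which does not end in @$Domain"
}

# 4. Rehydration in SharePoint Online needs exactly one synced account per user; a missing or
#    cloud-only account makes the remote query fail instead of returning trimmed results.
foreach ($u in $users | Where-Object { $_.UserPrincipalName -like "*@$Domain" }) {
    $cloud = Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $cloud) {
        $issues += "$($u.UserPrincipalName) has no account in the tenant (not yet synced, or excluded by a DirSync filter)"
    } elseif (-not $cloud.LastDirSyncTime) {
        $issues += "$($u.UserPrincipalName) exists in the tenant as a cloud-only account; it must come from DirSync"
    }
}

if ($issues.Count -eq 0) {
    Write-Host "All identity pre-flight checks passed."
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run it before Convert-MsolDomainToFederated and again after the first DirSync cycle; the cloud-only check matters because an account created by hand in the tenant with the same UPN as a later-synced user is exactly the duplicate-profile case the rehydration step cannot resolve.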

Page 22:

Demo Environment
Office 365 tenant: brightstarrdevelopment.onmicrosoft.com
https://brightstarrdevelopment.sharepoint.com
https://brightstarrdevelopment-my.sharepoint.com

Windows Azure VMs (domain hassanionprem.com): Domain Controller, SP 2013, SQL 2012, ADFS, DirSync, MSOL tools
https://intranet.hassanionprem.com
https://my.hassanionprem.com

Page 23:

Demo

DirSync and SSO with Office 365

Page 24:

One-way outbound topology
(Diagram: Microsoft data center | Internet | Intranet)
Office 365 tenant: SharePoint Online site collection; search portal shows local search results ONLY
SharePoint Online CANNOT QUERY SharePoint Server 2013
SharePoint Server 2013: primary web application; search portal shows local + remote search results
SharePoint Server 2013 CAN QUERY SharePoint Online (outbound only; no inbound path)
Search: One-way outbound
BCS: Not supported
Duet: Not supported

Page 25:

One-way inbound topology
(Diagram: Microsoft data center | Internet | Perimeter network with reverse proxy | Intranet)
Office 365 tenant: SharePoint Online site collection; search portal shows local + remote search results
SharePoint Online CAN QUERY SharePoint Server 2013 (inbound, through the reverse proxy)
SharePoint Server 2013: primary web application; search portal shows local search results ONLY
SharePoint Server 2013 CANNOT QUERY SharePoint Online
Search: One-way inbound
BCS: Supported
Duet: Supported

Page 26:

Two-way bi-directional topology
(Diagram: Microsoft data center | Internet | Perimeter network with reverse proxy | Intranet)
Office 365 tenant: SharePoint Online site collection; search portal shows local + remote search results
SharePoint Online CAN QUERY SharePoint Server 2013 (inbound, through the reverse proxy)
SharePoint Server 2013: primary web application; search portal shows local + remote search results
SharePoint Server 2013 CAN QUERY SharePoint Online (outbound)
Search: Bidirectional
BCS: Supported
Duet: Supported

Page 27:

Reverse Proxy Device options
Only required for 'inbound' hybrid topologies, e.g. users issuing queries from a Search Center in SharePoint Online attempting to retrieve search results from an on-premises farm

Reverse Proxy Device Requirements
Support client certificate authentication with a wildcard or SAN SSL certificate
Support pass-through authentication for OAuth 2.0
Accept unsolicited inbound traffic on TCP port 443 (HTTPS)
Bind a wildcard or SAN SSL certificate to a published endpoint
Relay traffic to an on-premises SharePoint 2013 farm without rewriting any packet headers

Supported Reverse Proxy Devices
Forefront Threat Management Gateway (TMG) 2010
Windows Server 2012 R2 with Web Application Proxy (WAP)
F5 BIG-IP
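The requirements above are easiest to confirm from outside the perimeter once the endpoint is published. The script below is an added example, not part of the session deck or of any of the listed proxy products; it assumes the demo host intranet.hassanionprem.com, Windows PowerShell 5.1, and that you run it from a client that is not on the intranet. It checks the listening port, the bound certificate's names and validity, and whether a request carrying an OAuth Bearer header is relayed to SharePoint unchanged rather than being intercepted by the proxy's own logon.

```powershell
# Added example (not from the session deck): checks the endpoint a reverse proxy publishes for
# inbound hybrid traffic against the requirements listed on page 27. Assumed values: the demo
# host intranet.hassanionprem.com and its parent domain. Windows PowerShell 5.1 (.NET Framework).
param(
    [string]$HostName = "intranet.hassanionprem.com",
    [string]$ExpectedDomain = "hassanionprem.com",
    [int]$MinCertDays = 30
)

$issues = @()

# 1. TCP 443 must accept unsolicited inbound connections.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($HostName, 443)
} catch {
    throw "Cannot reach ${HostName}:443 - $($_.Exception.Message)"
}

# 2. Complete a TLS handshake and capture the certificate the proxy presents. The callback accepts
#    any chain so the script can inspect the certificate itself; the real validation happens below.
$ignoreErrors = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $ignoreErrors)
$ssl.AuthenticateAsClient($HostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# 3. The bound certificate must be a wildcard or SAN certificate that covers the published name.
$names = @()
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($cn) { $names += $cn }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # subjectAltName
if ($san) {
    $names += [regex]::Matches($san.Format($false), "DNS Name=([^,\s]+)") | ForEach-Object { $_.Groups[1].Value }
}
$covered = $names | Where-Object { $_ -eq $HostName -or $_ -eq "*.$ExpectedDomain" }
if (-not $covered) { $issues += "Certificate names ($($names -join ', ')) do not cover $HostName" }

# 4. The chain must build on this client and the certificate must not be close to expiry.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
    $issues += "Certificate chain does not validate: $status"
}
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt $MinCertDays) { $issues += "Certificate expires in $daysLeft days ($($cert.NotAfter))" }

# 5. OAuth pass-through: a request carrying a Bearer header must reach SharePoint, which answers
#    401 with its own WWW-Authenticate: Bearer challenge. A redirect to a logon form or a 200
#    branded page means the proxy is pre-authenticating or rewriting instead of relaying.
try {
    $resp = Invoke-WebRequest -Uri "https://$HostName/_api/web" -Headers @{ Authorization = "Bearer" } `
                              -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
    $issues += "Expected a 401 from SharePoint but got HTTP $($resp.StatusCode); the proxy may be serving its own content"
} catch {
    $r = $_.Exception.Response
    if ($r -and [int]$r.StatusCode -eq 401 -and $r.Headers["WWW-Authenticate"] -like "Bearer*") {
        Write-Host "OAuth challenge relayed from SharePoint: $($r.Headers['WWW-Authenticate'])"
    } else {
        $code = if ($r) { [int]$r.StatusCode } else { "no response" }
        $issues += "No Bearer challenge from SharePoint (got $code); check pass-through authentication on the proxy"
    }
}

if ($issues.Count -eq 0) { Write-Host "$HostName meets the published-endpoint checks." }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

The Bearer challenge test is the useful one: SharePoint Online authenticates to the farm with an OAuth token presented in exactly this header, so if the proxy swallows it or answers with its own form, remote queries will fail even though a browser user sees the site normally.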

Page 28:

Configure SharePoint Environment
Ensure SharePoint services are started and configured:
User Profile Service
App Management Service
Subscription Settings Service

Establish a trust relationship between the on-premises farm and SharePoint Online (S2S authentication):
Create a new STS certificate, replace it in the on-premises farm and upload it to SharePoint Online
Register the on-premises STS as a service principal in Office 365
Establish a trust between the on-premises farm and Windows Azure AD

Publish SharePoint web applications through the reverse-proxy device

Page 29:

Configure server-to-server (S2S) authentication

# Prerequisites the slide leaves implicit: the SharePoint Online principal id (it also appears below in the
# app principal name identifier) and the certificate object to load the exported STS certificate into.
$spoappid = "00000003-0000-0ff1-ce00-000000000000"
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import("C:\SelfSignedSTS.cer")
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)

# Upload the STS certificate to the tenant as a Verify key on the SharePoint Online service principal
Connect-MsolService
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue -StartDate $cer.GetEffectiveDateString() -EndDate $cer.GetExpirationDateString()

# Register the on-premises farm's wildcard SPN on the SharePoint Online service principal
$SharePoint = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $SharePoint.ServicePrincipalNames
$spns.Add("$spoappid/*.hassanionprem.com")
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns

# On the on-premises farm: register SharePoint Online as an app principal, set the farm realm to the
# tenant realm, and trust ACS as the token broker
$site = Get-SPSite "https://intranet.hassanionprem.com"
$appPrincipal = Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier "00000003-0000-0ff1-ce00-000000000000@bce49a51-dea4-44c3-8da0-0af70dbd186a" -DisplayName "SharePoint Online"
Set-SPAuthenticationRealm -Realm bce49a51-dea4-44c3-8da0-0af70dbd186a
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "https://accounts.accesscontrol.windows.net/bce49a51-dea4-44c3-8da0-0af70dbd186a/metadata/json/1" -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/bce49a51-dea4-44c3-8da0-0af70dbd186a/metadata/json/1" -IsTrustBroker -Name "ACS"
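The trust above has moving parts on both sides, and the one that silently decays is the STS certificate: the key uploaded to the tenant is a copy, so replacing the on-premises certificate later without re-uploading, or leaving keys from retired certificates behind, both go unnoticed until queries fail or an old key is still honoured. The verification script below is an added example, not part of the session deck; it assumes the realm and domain from the session demo, a SharePoint 2013 server with the Windows Azure AD PowerShell module installed, and a 30 day warning threshold.

```powershell
# Added example (not from the session deck): verifies the server-to-server trust configured on
# page 29 from both sides and reports the state of the STS signing keys. Assumed values: the
# tenant realm and domain used in the session demo and a 30 day expiry warning. Run on a
# SharePoint 2013 server with the Windows Azure AD PowerShell module (Windows PowerShell).
param(
    [string]$Realm  = "bce49a51-dea4-44c3-8da0-0af70dbd186a",   # tenant realm shown in the session demo
    [string]$Domain = "hassanionprem.com",
    [int]$WarnDays  = 30
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Connect-MsolService

$spoappid = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint Online principal id, as used on page 29
$issues = @()

# 1. The farm realm must be the tenant realm; tokens issued for any other realm are rejected.
$farmRealm = Get-SPAuthenticationRealm
if ($farmRealm -ne $Realm) { $issues += "Farm realm $farmRealm does not match tenant realm $Realm" }

# 2. ACS must be registered as the trust broker and SharePoint Online as an app principal.
$broker = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.IsTrustBroker }
if (-not $broker) { $issues += "No trust-broker SPTrustedSecurityTokenIssuer (ACS) is registered in the farm" }
$site = Get-SPSite "https://intranet.$Domain"
$principal = Get-SPAppPrincipal -Site $site.RootWeb -NameIdentifier "$spoappid@$Realm" -ErrorAction SilentlyContinue
if (-not $principal) { $issues += "App principal $spoappid@$Realm is not registered on $($site.Url)" }

# 3. The tenant must know the on-premises farm by its wildcard SPN.
$sp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$expectedSpn = "$spoappid/*.$Domain"
if ($sp.ServicePrincipalNames -notcontains $expectedSpn) {
    $issues += "SPN $expectedSpn is missing from the SharePoint Online service principal"
}

# 4. The key uploaded to the tenant must be the certificate the on-premises STS actually signs with.
$sts = Get-SPSecurityTokenServiceConfig
$signing = $sts.LocalLoginProvider.SigningCertificate
$daysLeft = ($signing.NotAfter - (Get-Date)).Days
Write-Host ("On-premises STS certificate {0} expires {1:d} ({2} days)" -f $signing.Thumbprint, $signing.NotAfter, $daysLeft)
if ($daysLeft -lt $WarnDays) { $issues += "STS certificate expires in $daysLeft days; plan the replacement and re-upload" }

$localKey = [Convert]::ToBase64String($signing.GetRawCertData())
$keys = @(Get-MsolServicePrincipalCredential -AppPrincipalId $spoappid -ReturnKeyValues $true)
$match = $keys | Where-Object { $_.Value -eq $localKey }
if (-not $match) { $issues += "The current STS certificate has not been uploaded to the tenant as a Verify key" }

# Keys that do not belong to the current certificate either are expired clutter or, worse, still
# accepted for a certificate the farm no longer uses. List them so they can be removed.
$others = $keys | Where-Object { $_.Value -ne $localKey }
foreach ($k in $others) {
    $state = if ($k.EndDate -lt (Get-Date)) { "expired" } else { "still accepted" }
    Write-Host "Key $($k.KeyId) ($state, ends $($k.EndDate)) is not the current certificate; remove it with Remove-MsolServicePrincipalCredential if that certificate is retired"
}

if ($issues.Count -eq 0) { Write-Host "S2S trust checks passed." }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Schedule it alongside the certificate's renewal reminder: the page 29 steps are a one-time setup, but the Verify key in the tenant has to be rotated every time the on-premises STS certificate is.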

Page 30:

Configure SharePoint for Hybrid Search
Configure result source
In this case as a remote SharePoint index
URL of remote location
Secure Store (for client certificate authentication)*

Configure query rule to show remote results
Choose the context of the query rule
Can add a condition or fire on any query text
Determine the search vertical, e.g. results block, promoted result
Ensure the results block points to a specific result source (the remote index)

Page 31:

Demo

Search Hybrid User Experience and Configuration

Page 32:

Hybrid Challenges

Page 33:

Hybrid Challenges
Handling the social experience
Application lifecycle management
User experience and transitions
Business continuity management and operations

Page 34:

Handling the Social Experience
Users work in sites in both SharePoint On-premises and SharePoint Online
E.g. intranet on-premises, and project/collaboration sites online

Which social experience should users be presented with? Editing profile? Newsfeed? OneDrive for Business?

Page 35:

Demo

Consistent Social Experience in a Hybrid Environment

Page 36:

Handling the Social Experience
Users work in sites in both SharePoint On-premises and SharePoint Online
E.g. intranet on-premises, and project/collaboration sites online

Which social experience should users be presented with? Editing profile? Newsfeed? SkyDrive Pro?

What about the rest of the social experience?
@mentions, tags, notes, following and commenting capability are stored in social/content databases
No way out of the box to replicate this information

Page 37:

Application Lifecycle Management
Rapid, incremental updates to SharePoint Online
Testing is important

Invest in test and development automation
Automated nightly builds
Automation involves site and content recreation, solution deployment, managed property creation, etc.

Only one test tenant per AD??
You can use multiple DirSync servers, each syncing to a unique tenant
You cannot sync the same objects into different tenants – use DirSync filtering

Page 38:

BCM and Operations
Operations don't stop because services are in the cloud
How do you integrate Online operations and support with your own?
IT Operations to consider:
Monitoring and alerting
Support desks
Backup and restore
Service level agreements

Page 39:

User Experience and Transitions

Page 40:

Final Thoughts
Hybrid allows you to move to the cloud on your own terms
Hybrid is not the answer to every business requirement
Understand the strengths and weaknesses of hybrid
Plan a phased transition of appropriate workloads to the cloud

Page 41:

Resources
Hybrid for SharePoint Server 2013: http://technet.microsoft.com/en-us/library/jj838715.aspx
Windows Azure AD PowerShell: http://technet.microsoft.com/en-us/library/jj151815.aspx
Office 365 Communities and Wikis: http://community.office365.com/en-us/default.aspx

Your Community

Page 42:

MySPC
Sponsored by
connect. reimagine. transform.
Evaluate sessions on MySPC using your laptop or mobile device: myspc.sharepointconference.com

Page 43:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.