sharepointfest 2013 washington dc - spt 103 - sharepoint 2013 extranets: how will sharepoint 2013...

www.expertpointsolutions.com SharePoint 2013 Extranets & Authentication

Upload: brian-culver

Post on 14-May-2015

Category: Technology

DESCRIPTION

How will SharePoint 2013 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organizations to build extranet sites and partner portals inexpensively and securely. Learn about the Product Catalog site template and how you can use it. Learn about the new improvements in SharePoint 2013 regarding extranets. Learn how SharePoint 2013 can help your organization open its doors to its clients and partners securely.

TRANSCRIPT

Page 1: SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How will SharePoint 2013 connect you to your partners?

www.expertpointsolutions.com

SharePoint 2013 Extranets & Authentication

Page 2

About Brian Culver

• SharePoint Solutions Architect for Expert Point Solutions
• Based in Houston, TX
• Author
  • Upcoming SharePoint 2013 Workflows
  • SharePoint 2010 Unleashed
  • Various White Papers
• Speaker and Blogger

Page 3

Working on it…

Page 4

Session Agenda

• Extranet Definition
• Extranet Design Considerations & Challenges
• Common Extranet Scenarios and Topologies
• SharePoint Authentication
• Mixed Mode vs. Multi-Authentication
• Extranet Portal Structures
• Mobile and Device Channels

Page 5

Extranet - Definition

• A web application that is shared with external users, such as partners, vendors, and customers
• Common attributes for an extranet:
  • Sharing a private network or secured network
  • Requires authenticated access, but the identity of the consumer is not always known
  • Has better security controls than an Internet Web application but usually less secure than the Intranet Web application

Page 6

Extranet – Why?

• Better Collaboration
• Higher ROI
• Employee Access 24/7
• Targeting content
• Selling Products and Services
• Better Support
• Improved Efficiency
• Improved Communication
• Unite Workforce Experience
• …

Page 7

Extranet Design Considerations & Challenges

Network Topology and Access
On-premise scenarios
Hybrid Scenarios
Identity Management (AD, FBA, ADFS)
Seamless Single Sign-on Experience
Content Security and Access
Antivirus - Client vs Server
Mobile Device Experience
Licensing

Page 8

Common Extranet Scenarios

Page 9

Edge Firewall Topology

Page 10

Back-to-Back Perimeter Topology

Page 11

Split Back-to-Back Topology

Page 12

Hybrid Extranets

• Using Office 365 – SaaS/PaaS
  – Avoid firewall and topology hassles
  – Allows “Sharing” with external users
  – 50 free External Users
  – With Enterprise accounts, 500 free External Users
• Azure Infrastructure – IaaS
  – Build dedicated farms on the Microsoft Cloud
  – Scale Out – Add servers
• Federate with corporate domain

For more info: http://technet.microsoft.com/en-us/library/jj151794.aspx

Page 13

Security Terms

• Authentication is the mechanism whereby systems may securely identify their users
  • Creates an identity for a security principal
  • Who am I?
• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
  • Determines what resources an identity has access to
  • What can I access?

Page 14

SharePoint Authentication

• SharePoint does not authenticate
  • Windows authentication via Windows Server and IIS (Kerberos/NTLM)
  • FBA via ASP.NET and authentication providers (SQL, LDAP, etc.)
  • Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems
• SharePoint creates user profiles
  • SPUser object represents the security principal
  • User Profile List in Site Collections tracks user profiles

Page 15

SharePoint 2010 Security

• SharePoint 2010 changes authentication
  • Uses classic mode and claims-based authentication
  • Classic mode is the SharePoint 2007-style legacy mode
  • Claims-based authentication is the new security model
• What are the benefits?
  • Claims decouple SharePoint from the authentication provider
  • Allows SharePoint to support multiple authentication providers per URL
  • Identities can be passed without Kerberos delegation
  • Allows federation between organizations
  • ACLs can be configured with DLs, Audiences and OUs

Page 16

SharePoint 2013 Security

• SharePoint 2013 authentication:
  • Still supports classic mode and claims-based authentication
  • Claims-based authentication is the default security model
• Supported Authentication modes:
  • Windows claims–mode sign-in (default)
  • SAML passive sign-in mode
  • ASP.NET membership and role passive sign-in
  • Windows classic–mode sign-in (deprecated in SP2013)
• Claims authentication is basically the only way to go!

Page 17

Identity Normalization

Page 18

Claims-Based Terminology

• Identity: security principal used to configure the security policy
• Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.)
• Security Token: serialized set of claims (assertions) about an authenticated user.
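The Identity Normalization slide above has only its title, so here is an added example (not from the deck and not SharePoint's own code) of what that normalization looks like in practice: a user from Windows, from an FBA membership provider and from a trusted SAML issuer each become one encoded identity claim string, which is what an ACL stores no matter where the user authenticated. The encoding follows SharePoint's encoded-claim format as this editor knows it (identity/claim prefix, a fixed "0", a claim-type character, "." for a string value, an auth-mode character, then issuer and value separated by "|"); the provider names, logons and the choice of e-mail as the trusted provider's identity claim are constructed assumptions.

```python
"""Added example: SharePoint-style encoded identity claims.

Format assumed here: <i|c>:0<claimtype><valuetype><authmode>|<issuer>|<value>,
with Windows claims omitting the issuer segment. Provider names and users are
constructed samples.
"""
from dataclasses import dataclass

# One-character claim-type codes (subset) and authentication-mode codes.
CLAIM_TYPES = {"#": "userlogonname", "5": "emailaddress", "-": "role"}
AUTH_MODES = {"w": "windows", "f": "forms", "t": "trusted-provider"}


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool   # 'i:' identity claim vs 'c:' ordinary claim (role, group)
    claim_type: str     # one of CLAIM_TYPES
    auth_mode: str      # one of AUTH_MODES
    issuer: str         # provider name; empty for Windows claims
    value: str

    def encode(self) -> str:
        prefix = "i" if self.is_identity else "c"
        head = f"{prefix}:0{self.claim_type}.{self.auth_mode}"
        if self.auth_mode == "w":           # Windows claims carry no issuer segment
            return f"{head}|{self.value}"
        return f"{head}|{self.issuer}|{self.value}"


def parse_claim(encoded: str) -> EncodedClaim:
    """Decode an encoded claim string, rejecting anything malformed."""
    prefix, sep, rest = encoded.partition(":")
    if sep != ":" or prefix not in ("i", "c"):
        raise ValueError(f"bad claim prefix: {encoded!r}")
    head, sep, tail = rest.partition("|")
    if sep != "|" or len(head) != 4 or head[0] != "0" or head[2] != ".":
        raise ValueError(f"bad claim header: {encoded!r}")
    claim_type, auth_mode = head[1], head[3]
    if claim_type not in CLAIM_TYPES or auth_mode not in AUTH_MODES:
        raise ValueError(f"unknown claim type or auth mode: {encoded!r}")
    if auth_mode == "w":
        issuer, value = "", tail
    else:
        issuer, sep, value = tail.partition("|")
        if sep != "|" or not issuer:
            raise ValueError(f"missing issuer or value: {encoded!r}")
    if not value:
        raise ValueError(f"empty claim value: {encoded!r}")
    return EncodedClaim(prefix == "i", claim_type, auth_mode, issuer, value)


def normalize_identity(auth_mode: str, issuer: str, login: str) -> str:
    """Return the encoded identity claim an ACL would store for this user.

    Assumption: the trusted (SAML) provider is configured with e-mail as its
    identity claim, so its users are keyed on claim type '5'; Windows and forms
    users are keyed on the logon name ('#'). Windows logons are lowercased, as
    they appear in SharePoint ACLs.
    """
    if auth_mode not in AUTH_MODES:
        raise ValueError(f"unknown auth mode: {auth_mode!r}")
    claim_type = "5" if auth_mode == "t" else "#"
    value = login.lower() if auth_mode == "w" else login
    return EncodedClaim(True, claim_type, auth_mode, issuer, value).encode()


def same_principal(a: str, b: str) -> bool:
    """Two encoded claims denote the same principal only if every part matches:
    'brian' from the FBA provider is not 'contoso\\brian' from Windows."""
    return parse_claim(a) == parse_claim(b)
```

The point for an extranet: because the issuer is part of the normalized string, a partner account named like an employee account never collides with it, and a permission granted to `i:0#.f|FBAMembers|brian` says nothing about `i:0#.w|contoso\brian`.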

Page 19

Claim-based Authentication

• Security Token Service (STS): builds, signs and issues security tokens. It can receive and submit tokens.
• Issuing Authority: identity management system(s) that “knows” the claims (AD, ASP.NET, LiveID, etc.)
• Identity Provider: trusted party that creates and submits claims
• Relying Party: application that makes authorization decisions based on received claims
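To make the four roles on this slide concrete, and to show the authentication/authorization split from the Security Terms slide, here is an added example that is not part of the deck and is not SharePoint's STS. A dictionary stands in for the issuing authority's directory, the STS builds and signs a token, and the relying party verifies it (who am I?) before consulting its own ACL (what can I access?). Tokens are HMAC-SHA256-signed JSON rather than the signed SAML tokens a real STS issues; the issuer name, key, audience URL and claims are constructed samples.

```python
"""Added example: a minimal STS / relying-party exchange with HMAC-signed tokens."""
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityTokenService:
    """Builds, signs and issues security tokens for users its issuing authority knows."""

    def __init__(self, issuer: str, signing_key: bytes, directory: dict):
        self.issuer, self.key, self.directory = issuer, signing_key, directory

    def issue(self, login: str, audience: str, now: float = None, ttl: int = 300):
        now = time.time() if now is None else now
        attrs = self.directory.get(login)           # the issuing authority "knows" the claims
        if attrs is None:
            return None                              # authentication failed: no token issued
        payload = {"iss": self.issuer, "aud": audience, "exp": int(now) + ttl,
                   "claims": {"name": login, **attrs}}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class RelyingParty:
    """Application that trusts named issuers and decides access from the claims it receives."""

    def __init__(self, audience: str, trusted_issuers: dict):
        self.audience, self.trusted = audience, trusted_issuers   # issuer name -> key

    def authenticate(self, token: str, now: float = None) -> dict:
        """'Who am I?': verify issuer, signature, audience and expiry, then return the claims."""
        now = time.time() if now is None else now
        body, sep, sig = token.partition(".")
        if sep != ".":
            raise PermissionError("malformed token")
        payload = json.loads(_unb64(body))
        key = self.trusted.get(payload.get("iss"))
        if key is None:
            raise PermissionError("untrusted issuer")
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("bad signature")        # nothing in the payload is trusted before this
        if payload.get("aud") != self.audience:
            raise PermissionError("token issued for another relying party")
        if payload.get("exp", 0) <= now:
            raise PermissionError("token expired")
        return payload["claims"]

    @staticmethod
    def authorize(claims: dict, acl: dict, resource: str) -> bool:
        """'What can I access?': allowed when the user or one of its roles is on the resource ACL."""
        allowed = acl.get(resource, set())
        return claims["name"] in allowed or any(r in allowed for r in claims.get("roles", []))


if __name__ == "__main__":
    key = b"constructed-signing-key"                      # sample; a real STS signs with a certificate
    sts = SecurityTokenService("PartnerADFS", key, {"brian@partner.example": {"roles": ["partners"]}})
    rp = RelyingParty("https://extranet.example", {"PartnerADFS": key})
    token = sts.issue("brian@partner.example", "https://extranet.example")
    claims = rp.authenticate(token)
    print(rp.authorize(claims, {"/sites/projectx": {"partners"}}, "/sites/projectx"))
```

Note the order in `authenticate`: the issuer name is read only to pick the verification key, and every other field is ignored until the signature checks out. That is the property the deck relies on when it says claims let identities be passed without Kerberos delegation: the relying party trusts the issuer's signature, not the network path the token took.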

Page 20

Claim-based Authentication

Page 21

Claim-based Authentication

Page 22

Mixed Mode Authentication vs Multi-Authentication

[Diagram, reconstructed from its labels: two SharePoint farms side by side.]

Mixed Authentication: one Web Application extended into several Extended Web Applications, one per zone (Default, Intranet, Internet, Extranet, Custom). Each zone carries a single authentication type, for example Windows Authentication on the Default zone and FBA Authentication on another zone.

Multi-Authentication: one Web Application whose Default zone is configured with several authentication types at once (Windows Authentication, FBA Authentication and SAML Based Authentication). The other zones (Intranet, Internet, Extranet, Custom) can still be extended with a single provider each (FBA Authentication, Windows Authentication, ...).

Page 23

Auth Scenarios - Multi Authentication

Page 24

Authentication Scenarios

Mixed Mode: When to Use It

Page 25

Authentication Scenarios

Multi Authentication: When to Use It

Page 26

FBA Claims Configuration

1. Run C:\Windows\Microsoft.NET\Framework\v2.0.x\aspnet_regsql.exe or C:\Windows\Microsoft.NET\Framework\v4.0.x\aspnet_regsql.exe
2. Enable Claims Authentication on the Web Application via Central Administration
3. Modify web.config for the FBA Web Application
4. Modify web.config for Central Administration

Page 27

FBA Claims Configuration

5. Modify web.config for the Security Token Service
   • %programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken
   • %programfiles%\common files\Microsoft Shared\web server extensions\15\WebServices\SecurityToken
   • Changes need to be made to the Security Token Service virtual directory on each server hosting CA or the claims-based web application
6. Configure the FBA Provider in Central Administration
7. Create a Web Application Policy to give SQL Auth User(s) access to the site
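Steps 3 to 5 edit three separate web.config files (content web application, Central Administration, Security Token Service), and they have to agree: a provider declared in the web application but missing from the STS web.config on one server means forms users authenticate on some servers and not others, or fail to resolve in the People Picker. The check below is an added example, not from the deck and not a SharePoint tool: it parses a web.config and reports the mismatches a practitioner would look for. The embedded XML is a constructed, abbreviated web.config; the provider names `FBAMembers`/`FBARoles`, the type strings and the connection string are sample values.

```python
"""Added example: consistency check for the FBA providers across SharePoint web.config files."""
import xml.etree.ElementTree as ET

MEMBERSHIP_PROVIDER = "FBAMembers"      # SQL membership provider name (assumed sample)
ROLE_PROVIDER = "FBARoles"              # SQL role provider name (assumed sample)

# Constructed content web application web.config: SharePoint's claims providers
# "i" and "c" stay the defaults; the SQL providers are added beside them.
WEBAPP_CONFIG = """<configuration>
  <connectionStrings>
    <add name="FBAConnectionString" connectionString="Server=sql01;Database=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint" />
        <add name="FBAMembers" type="System.Web.Security.SqlMembershipProvider, System.Web"
             connectionStringName="FBAConnectionString" applicationName="/" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="c">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" />
        <add name="FBARoles" type="System.Web.Security.SqlRoleProvider, System.Web"
             connectionStringName="FBAConnectionString" applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""

# Constructed STS web.config with the role provider forgotten: a typical cause of failed logins.
STS_CONFIG_BROKEN = """<configuration>
  <connectionStrings>
    <add name="FBAConnectionString" connectionString="Server=sql01;Database=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="FBAMembers" type="System.Web.Security.SqlMembershipProvider, System.Web"
             connectionStringName="FBAConnectionString" applicationName="/" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers />
    </roleManager>
  </system.web>
</configuration>"""

EXPECTED = (("membership", MEMBERSHIP_PROVIDER, "System.Web.Security.SqlMembershipProvider", "i"),
            ("roleManager", ROLE_PROVIDER, "System.Web.Security.SqlRoleProvider", "c"))


def _providers(root, section):
    node = root.find(f"./system.web/{section}")
    if node is None:
        return {}
    return {add.get("name"): add for add in node.findall("./providers/add")}


def check_fba_config(xml_text: str, is_content_webapp: bool) -> list:
    """Return findings for one web.config (empty list means it is consistent).

    is_content_webapp=True adds the rule that the SharePoint claims providers
    must remain the defaults; for the CA and STS files only the presence and
    wiring of the SQL providers is checked.
    """
    root = ET.fromstring(xml_text)
    findings = []
    conn_names = {c.get("name") for c in root.findall("./connectionStrings/add")}
    for section, name, expected_type, sp_default in EXPECTED:
        provider = _providers(root, section).get(name)
        if provider is None:
            findings.append(f"{section}: provider '{name}' is not declared")
            continue
        if not (provider.get("type") or "").startswith(expected_type):
            findings.append(f"{section}: provider '{name}' has type {provider.get('type')!r}, expected {expected_type}")
        if provider.get("connectionStringName") not in conn_names:
            findings.append(f"{section}: provider '{name}' references an undefined connection string")
        if is_content_webapp:
            default = root.find(f"./system.web/{section}").get("defaultProvider")
            if default != sp_default:
                findings.append(f"{section}: defaultProvider is {default!r}; SharePoint claims provider '{sp_default}' must stay the default")
    role = root.find("./system.web/roleManager")
    if role is None or role.get("enabled") != "true":
        findings.append("roleManager: not enabled")
    return findings
```

Run it against the real files from the two SecurityToken paths listed in step 5 on every server in the farm, not just the one where the change was made; the deck's own caveat about each server hosting CA or the claims-based web application is exactly the gap this catches.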

Page 28

FBA Claims Configuration

Page 29

FBA Claims Configuration

Page 30

FBA Claims Configuration

Page 31

FBA Claims Configuration

Page 32

FBA Claims Configuration

Page 33

Sample Extranet Portal Structures

Scenario: Corporate Portal with Path-based Sites
Includes: Most common types of sites deployed within an organization.
Key design elements:
• Path-based site collections
• Claims-based authentication
• Multiple authentication providers and authentication types implemented in a single zone

Scenario: Extranet Portal with Host-named Sites
Includes: Most common types of sites deployed within an organization.
Key design elements:
• Host-named site collections
• Claims-based authentication
• Multiple authentication providers and authentication types implemented in a single zone

Scenario: Extranet with Dedicated Zones for Authentication
Includes: Only the partner web site. Provides an alternate configuration for partner collaboration.
Key design elements:
• Host-named site collections
• Claims-based authentication
• Different zone for each authentication method

Page 34

Extranet Portal

Corporate Portal with Path-based Site Collections

• Traditional path-based site collections
• Dedicated Web applications
• Single top-level site collection per Web application
• Provides additional security provided by multiple web apps with separate app pools.

Page 35

Extranet Portal

Corporate Portal with Host-named Site Collections

• Host-named site collections
• All sites deployed in a single Web application
• Highly scalable and provides more flexibility in managing URLs.
• 2013 Recommended Approach

Page 36

Extranet Portal

Extranet with Dedicated Zones for Authentication

• Many top-level project sites with vanity URLs by using host-named sites for each project site (instead of organizing project sites underneath a top-level site collection).
• Additional isolation between domain URLs, which might be desired in a partner collaboration solution.
• Additional costs of managing a greater number of host names, including managing SSL certificates.
• If SAML authentication is used, additional configuration is required.

Page 37

Mobile Browser Experience

SharePoint Server 2013 offers improvements to the mobile browser experience with the introduction of a new contemporary view. Depending on the mobile browser, users have one of the following browsing options:

Contemporary view: An optimized mobile browser experience for users that renders in HTML5. This view is available to Mobile Internet Explorer version 9.0 or later versions for Windows Phone 7.5, Safari version 4.0 or later versions for iPhone iOS 5.0, and the Android browser for Android 4.0 or later versions.

Classic view: Renders in HTML format, or similar markup languages (CHTML, WML, and so on), and provides backward compatibility for mobile browsers that cannot render in the new contemporary view. The classic experience in SharePoint Server 2013 is identical to the mobile browser experience of SharePoint Server 2010.

Full-screen UI: There is also the ability to have a full desktop view of a SharePoint site on a smartphone device.

Page 38

Mobile Views

[Figure: Contemporary View, Classic View, Full Screen UI]

• Contemporary View - default view (uses HTML5) on select site templates (Team Site, Blank Site, Document Workspace, Document Center, and Project Site).
• Classic View - for devices that cannot render the contemporary view.
• Full Screen UI – An option in the contemporary view.
• Learn more: http://technet.microsoft.com/en-us/library/jj673030.aspx

Page 39

Device Channels

• For smartphone and tablet devices. Can only be used with a publishing site.
• With device channels, you can render a single publishing site in multiple ways by using different designs that target different devices based on their user agent string.
• The site and content can be mapped to use different master pages and style sheets for a specific device or group of devices.
• You can easily show different content to different device channels by using the same page and page layout.

Page 40

Licensing in SP2013

• Much simpler to license
• Regular SharePoint Server license
• SharePoint for Internet Sites (FIS) is gone.
• Need CAL for Intranet Users
• No need to license Extranet Users
• External users means users that are not either your or your affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents.

Page 41

Questions?

Page 42

Constructive Feedback Is Appreciated

“Great information, but would like to have learned more about [Insert Topic]”

“Brian – Your presentation was …”

“Good Demos!”

Thanks!

Page 43

Useful Links

• SharePoint 2013 design samples: Corporate portal and extranet sites
  http://technet.microsoft.com/en-us/library/cc261995.aspx
• Architecture design for SharePoint 2013 IT pros
  http://technet.microsoft.com/en-us/sharepoint/fp123594.aspx
• Technical diagrams for SharePoint 2013
  http://technet.microsoft.com/en-us/library/cc263199.aspx
• Plan for mobile devices in SharePoint 2013
  http://technet.microsoft.com/en-us/library/gg610510

Page 44

Useful Links

• SharePoint 2013 FBA Pack
  http://sharepoint2013fba.codeplex.com/
• SharePoint 2010 FBA Pack
  http://sharepoint2010fba.codeplex.com/
• SharePoint 2010 Claims FBA Examples with OpenID
  http://sp2010claimsfbaexs.codeplex.com/
• Community Kit for SharePoint
  http://cks.codeplex.com/