sharepoint 2013 in a hybrid world

41
SharePoint 2013 in a hybrid world #spsbe20 Jethro SEGHERS

Upload: jethro-seghers

Post on 31-Oct-2014

12 views

Category:

Technology


3 download

DESCRIPTION

SharePoint 2013 in a hybrid world

TRANSCRIPT

  • 1. SharePoint 2013 ina hybrid world#spsbe20Jethro SEGHERS

2. Thanks to ourSponsorsPlatinumGoldSilver 3. ABOUT ME Jethro SEGHERS Office 365 MVP @jseghers http://www.j-solutions.be/blog 4. AGENDA What is hybrid within Office 365 Why hybrid Different setups Analysis of the building blocks Different Steps See The Results Resources Q&A 5. ON PREMISEvsOFFICE 365 6. ON PREMISE+OFFICE 365 7. OFFICE 365ISATTRACTIVE1. It saves me a lot of 2. I always have the latest and greatestcollaboration, email and UC tools3. Allows me to focus on my core business, not IT4. Microsoft can run SP more reliably andefficiently than I can5. I can easily scale up/down according todemand6. I can more easily work with customers, partnersoutside of my company 8. But .MYBUSINESSISON PREMISE1. I have existing investments (customized SPdeployments w/lots of data and settings,custom solutions, LOB systems, etc)2. I cant do everything in the Cloud that I can doon premise3. I want to protect my sensitive data by keeping itclose 9. WHYHYBRID Migration Business Driven 10. WHYHYBRID-MIGRATION Early Adopter: Move all data tothe cloud ASAP. Risk Averse: Get a trial on SPO,Evaluate Risks, Numbers (ROI) Typical: Freeze on Premise SiteCreation; start with new contentfirst. 11. WHYHYBRID-MIGRATION Same Sign On 1 URL to enter SP & SPO Use Hybrid Search Use Hybrid BCS 12. WHY HYBRID-BUSINESSDRIVEN Keep Sensitive Data on Premise -whateversensitive may mean- Capacity Flexibility Intranet Extranet Collaboration with External Partners Typically defined in your Information structure &governance plan. Geo Location 13. DIFFERENTSETUPSONE-WAYOUTBOUND 14. DIFFERENTSETUPSONE-WAYINBOUND 15. DIFFERENTSETUPSTWO-WAY 16. DIFFERENTSETUPSTWO-WAYDETAIL 17. FROMTHEORYTOIMPLEMEN-TATION Reason of going Hybrid Choosing which Setup Configuring all Components Supporting Authentication Securing traffic 18. INGREDIENTS An operational on-premises AD DS domain in a singleforest An on-premises server for AD FS 2.0. An on-premises server for the Windows Azure DirectorySynchronization tool. Windows Azure PowerShell Cmdlets Internet Domain & DNS access Operation SharePoint 2013 Farm An X.509 wildcard or SAN certificate. Office 365 Enterprise Subscription with 15.0.0.4420 asthe minimum build number A supported on-premises reverse proxy device (only forinbound & bidirectional communication). 19. ENVIRONMENTCONFIGURATIONNON SharePointTasksReverse Proxy andCertificate AuthIdentity ProviderMSOL ToolsDirsyncUAGADFS ServersSharePoint ServersOffice 365Dirsync and Tools ServersMSOL Tools 20. ReverseProxyandAuth When using hybrid features Office 365sends requests from sites in the cloud toyour on-premise farm You need to establish a reverse proxyfor these calls to be channeled throughto secure the process Those requests can be authenticated atthe reverse proxy before they areforwarded to SharePoint SharePoint supports using a certificatefor authenticating to the reverse proxyserver when sending a requestUAGADFS ServersSharePoint ServersOffice 365Dirsync and Tools Servers 21. ReverseProxyRequirements 2 network cards - oneconnected to the Internet andthe other to the internalcompany network Route inbound SSL traffic tothe on-premises SharePointfarm without rewriting packetheaders Support SSL termination UAG, F5, UAGADFS ServersSharePoint ServersOffice 365Dirsync and Tools Servers 22. IdentityProviderIn order to have a single-sign on experience, you need afederated identity provider like ADFS2 or more load balanced ADFS serversAn SSL certificate for the ADFS siteA proxy device, like the ADFS proxy serverAll users must have a UPN of a registered domain (i.e..local or similar suffixes will not work)Service Account: Logon as Batch Job & Logon as aServiceUAGADFS ServersSharePoint ServersOffice 365Dirsync and Tools Servers 23. MSOLTOOLSMicrosoft Online Sign In AssistantWindows Azure Active Directory PowerShell Cmdlets(in portal)You need to run this on SharePoint Server toconfigure trust with ACSYou need to run this for SSO (usually run on ownserver)UAGADFS ServersSharePoint ServersOffice 365Dirsync and Tools Servers 24. SSO Connect ADFS to Office 3651. Connect-MSOLService2. New-MSOLFederatedDomain3. Update DNSOR1. Add Domain via Office 365 Portal2. Update DNS3. Connect-MSOLService4. Convert-MSOLDomainToFederated!!! USE SMARTLINKS !!!!!! Run this on your Primary ADFS Server !!!UAGADFS ServersSharePoint ServersOffice 365Dirsync and Tools Servers 25. DirSync Do Not Run it on an AD Single Forest (at this time)Service accounts: svc_dirsync: Enterprise Admin onADGlobal Administrator on Office 365Install DirSync and let the Wizard RunSyncs Users, Groups & Contacts!!! It doesnt give your Users Licenses !!!UAGADFS ServersSharePoint ServersOffice 365Dirsync and Tools Servers 26. ReCAP 27. SharePoint2013Config1. New STS Token SigningCertificate2. Configuration of a Trust betweenSP on Premise & ACS3. Configure Secure Store4. Configure UPA5. Try it ! 28. STSTokenSigningCertificateYou need to replace the default token signing certificate for the SharePointSTS because Access Control Service (ACS) will not trust itReplace it with A certificate issued by a public certificate authority A self signed certificate that you create in IIS Manager NOT: Domain-issued certificateSet-SPSecurityTokenServiceConfig with the ImportSigningCertificate flag. 29. TrustBetweenSP&ACSNow you need to create an OAuth trust forapplications to exchange data between o365and on-premUsing MSOL PowerShell (on prem):Create an AppPrincipal using New-MsolServicePrincipalCredentialCreate a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxyComplete the trust using New-SPTrustedSecurityTokenIssuer 30. ConfigureSecure StoreThe Secure Store Service is used to create an applicationthat stores the certificate used to authenticate with the UAGHTTPS trunkIn Office 365 create a new Secure Store Service targetapplicationSave the Target Application ID name because you will use thatconfiguring a result sourceIn the credentials field configure it as a Certificate PasswordClick the Set button for the CredentialsBrowse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fieldsblank 31. ConfigureUPAIts critically important that you: Have a UPA up and running Have it populated with current data from Active DirectoryWe use the UPA on the local farm to determine what rights a user has what claims they have, what groups they belong to, etc.With a hybrid solution, anything that you grant rights to needs to be inthe profile systemE.g., if you augment claims on premise and use a custom claims provider togrant rights to content using those claims, an office 365 user would not see thatdata because those custom claims are not added when you login to office 365 32. RECAPNecessarySteps Install & Configure all necessary tools Replace STS Certificate Upload Certificate to Office 365 Add Hostname of server to SP Principalobject of Office 365 Register SPO S2S Principal Object to OnPremise Set SP Authentication Realm to Context ID ofOffice 365 Tenant Configure On Premise ACS Proxy and setupTrust with ACS. 33. Create AResult SourceCreate a new result source and:Use Remote SharePoint as the ProtocolIf you are on-prem and getting results from Office365: Use the Url of your office 365 for the Remote Service Url Use Default Authentication for credentialsIf you are office 365 and getting results from on-prem: Use the HTTPS Url of the UAG HTTPS trunk for the RemoteService Url Use SSO id for credentials and enter the name of the SSO applicationdefinition you created to store the UAG certificate 34. Create AResult Source 35. Create AQuery RuleThis is where you can do a live test to see if everything isworkingCreate a new query ruleRemove the default ConditionClick on Add Result BlockSelect your result sourceClick on the Test tab and thenClick the Show more linkType some query terms in the {subjectTerms}: edit boxClick the Test query buttonIf you have configured everything correctly Voila! you will see search results fromthe remote farm 36. See theResultsResults fromthe CloudResults fromOn Prem 37. RESOURCESOnRamphttps://onramp.office365.com/onramp/HYBRIDhttp://technet.microsoft.com/en-us/library/jj838715.aspxTry To Find the WORD Documents . 38. THANK YOUJethro [email protected]://www.j-solutions.be/blog@jseghers 39. TroubleshootTipsIf you arent getting data back between thetwo environments here are some things thatyou can do to narrow down the issue:In your on prem farm turn up the ULS loggingGo into Central Admin, Monitoring, Configure diagnostic logging;expand SharePoint Foundation and select:App AuthApplication AuthenticationAuthentication AuthorizationClaims AuthenticationChange the least critical dropdowns to Verbose andsave changesMonitor the ULS logs each time you execute a query 40. TroubleshootTips (cont.)Use Fiddler as a reverse proxy on yourSharePoint server; this requiresInstalling Fiddler on the SharePoint serverWrite a Fiddler script rule as described in Option #2here:http://www.fiddler2.com/Fiddler/help/reverseproxy.aspLook at the TextView of the Response. Heres anexample of an error that you can see in there: 41. Troubleshooting Tips(cont.)Be aware of latency in queries across the cloudand on- premisesWhen a query is executed, ALL results must come backbefore the result is shown to the userLatencies can run 1200 to 1500 millisecondsBecause of this you may want to put some thought into whenyou want to fire a query at a remote sourceIf you duplicate every single query you could introduce significant load on afarmWhere you want results back ASAP then you wouldnt want remote queriesto fireYou can also create a dedicated page that only queries the remote sourceIn short you can mix and match with query rules to decide what worksbest