SharePoint 2013 in a Hybrid World

Upload: nccomms

Post on 25-Dec-2014

TRANSCRIPT

Page 1: SPCA2013 - SharePoint 2013 in a Hybrid World

SharePoint 2013 in a Hybrid World

Page 2: SPCA2013 - SharePoint 2013 in a Hybrid World
Page 3: SPCA2013 - SharePoint 2013 in a Hybrid World

WHO am I

Twitter: @jseghers
E-mail: [email protected]
http://blog.j-solutions.be

Consultant, Blogger, Trainer

Page 4: SPCA2013 - SharePoint 2013 in a Hybrid World

AGENDA

• What is Hybrid with Office 365
• Why Hybrid
• Different Setups
• Analysis of the different building blocks
• See the Results
• Resources
• Q & A

Page 5: SPCA2013 - SharePoint 2013 in a Hybrid World

ON PREMISES vs OFFICE 365

Page 6: SPCA2013 - SharePoint 2013 in a Hybrid World

ON PREMISES OFFICE 365 Combined

Page 7: SPCA2013 - SharePoint 2013 in a Hybrid World

OFFICE 365 IS ATTRACTIVE

1. It saves me a lot of €€€€€
2. I always have the latest and greatest collaboration, email and UC tools
3. Allows me to focus on my core business, not IT
4. Microsoft can run SP more reliably and efficiently than I can
5. I can easily scale up/down according to demand
6. I can more easily work with customers, partners outside of my company

Page 8: SPCA2013 - SharePoint 2013 in a Hybrid World

But …. MY BUSINESS IS ON PREMISE

1. I have existing investments (customized SP deployments w/lots of data and settings, custom solutions, LOB systems, etc)

2. I can’t do everything in the Cloud that I can do on premise

3. I want to protect my sensitive data by keeping it close

Page 9: SPCA2013 - SharePoint 2013 in a Hybrid World

WHY HYBRID

• Migration • Business Driven

Page 10: SPCA2013 - SharePoint 2013 in a Hybrid World

WHY HYBRID - MIGRATION

• Early Adopter: Move all data to the cloud ASAP.
• Risk Averse: Get a trial on SPO, Evaluate Risks, Numbers (ROI)
• Typical: Freeze on Premise Site Creation; start with new content first.

Page 11: SPCA2013 - SharePoint 2013 in a Hybrid World

WHY HYBRID - MIGRATION

• Same Sign On
• 1 URL to enter SP & SPO
• Use Hybrid Search
• Use Hybrid BCS

Page 12: SPCA2013 - SharePoint 2013 in a Hybrid World

WHY HYBRID - BUSINESS DRIVEN

• Keep Sensitive Data on Premise (whatever sensitive may mean)
• Capacity Flexibility
• Intranet – Extranet
• Collaboration with External Partners
• Typically defined in your Information structure & governance plan.
• Geo Location
• Integration with other Service, e.g. Yammer
• …

Page 13: SPCA2013 - SharePoint 2013 in a Hybrid World

DIFFERENT SETUPS ONE-WAY OUTBOUND

Page 14: SPCA2013 - SharePoint 2013 in a Hybrid World

DIFFERENT SETUPS ONE-WAY INBOUND

Page 15: SPCA2013 - SharePoint 2013 in a Hybrid World

DIFFERENT SETUPS TWO-WAY

Page 16: SPCA2013 - SharePoint 2013 in a Hybrid World
Page 17: SPCA2013 - SharePoint 2013 in a Hybrid World

FROM THEORY TO IMPLEMENTATION

• Reason of going Hybrid
• Choosing which Setup
• Configuring all Components
• Supporting Authentication
• Securing traffic

Page 18: SPCA2013 - SharePoint 2013 in a Hybrid World

INGREDIENTS

• An operational on-premises AD DS domain in a single forest
• An on-premises server for AD FS 2.0.
• An on-premises server for the Windows Azure Directory Synchronization tool.
• Windows Azure PowerShell Cmdlets
• Internet Domain & DNS access
• Operational SharePoint 2013 Farm
• An X.509 wildcard or SAN certificate.
• Office 365 Enterprise Subscription with 15.0.0.4420 as the minimum build number
• A supported on-premises reverse proxy device (only for inbound & bidirectional communication).

Page 19: SPCA2013 - SharePoint 2013 in a Hybrid World

ENVIRONMENT CONFIGURATION: NON SharePoint Tasks

[Diagram: Reverse Proxy and Certificate, Auth, Identity Provider, MSOL Tools, Dirsync; servers: UAG, ADFS Servers, SharePoint Servers, Office 365, Dirsync and Tools Servers]

Page 20: SPCA2013 - SharePoint 2013 in a Hybrid World

Reverse Proxy and Auth

• When using hybrid features Office 365 sends requests from sites in the cloud to your on-premise farm

• You need to establish a reverse proxy for these calls to be channeled through to secure the process

• Those requests can be authenticated at the reverse proxy before they are forwarded to SharePoint

• SharePoint supports using a certificate for authenticating to the reverse proxy server when sending a request


Page 21: SPCA2013 - SharePoint 2013 in a Hybrid World

Reverse Proxy Requirements

• 2 network cards - one connected to the Internet and the other to the internal company network

• Route inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headers

• Support SSL termination
• UAG, F5, …


Page 22: SPCA2013 - SharePoint 2013 in a Hybrid World

Identity Provider

In order to have a single-sign on experience, you need a federated identity provider like ADFS

2 or more load balanced ADFS servers

An SSL certificate for the ADFS site

A proxy device, like the ADFS proxy server

All users must have a UPN of a registered domain (i.e. “.local” or similar suffixes will not work)

Service Account: Logon as Batch Job & Logon as a Service


Page 23: SPCA2013 - SharePoint 2013 in a Hybrid World

MSOL TOOLS

Microsoft Online Sign In Assistant

Windows Azure Active Directory PowerShell Cmdlets (in portal)

You need to run this on SharePoint Server to configure trust with ACS

You need to run this for SSO (usually run on own server)


Page 24: SPCA2013 - SharePoint 2013 in a Hybrid World

SSO

Connect ADFS to Office 365

1. Connect-MSOLService

2. New-MSOLFederatedDomain

3. Update DNS

OR

1. Add Domain via Office 365 Portal

2. Update DNS

3. Connect-MSOLService

4. Convert-MSOLDomainToFederated

!!! USE SMARTLINKS !!!

!!! Run this on your Primary ADFS Server !!!
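The second path above (domain added in the portal, then converted), written out as an added PowerShell example that is not from the deck. It assumes the MSOnline module is installed, that it runs on the primary ADFS server as the slide requires, and that contoso.com stands in for your own verified domain.

```powershell
# Added example (not from the deck): federate a portal-verified domain with
# the on-prem ADFS farm and check the result. Assumptions: MSOnline module
# installed, run on the primary ADFS server, contoso.com is your domain.
Import-Module MSOnline
$domain = "contoso.com"   # assumption: the public UPN suffix users sign in with

Connect-MsolService

# The domain must already be DNS-verified (the "Update DNS" step) before
# it can be converted; fail early instead of half-configuring federation.
$state = Get-MsolDomain -DomainName $domain
if ($state.Status -ne "Verified") {
    throw "Domain $domain is not verified yet; finish the DNS step first."
}
if ($state.Authentication -eq "Managed") {
    Convert-MsolDomainToFederated -DomainName $domain
}

# The first path from the slide instead registers the domain as federated in
# one step; the DNS records it prints must then be created:
# New-MsolFederatedDomain -DomainName $domain

# Check: the domain must now report Federated and point at your ADFS endpoints
Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication
Get-MsolFederationProperty -DomainName $domain |
    Select-Object Source, ActiveLogOnUri, PassiveLogOnUri, FederationBrandName

# Check: synced users must carry a UPN in the federated suffix; ".local"
# style UPNs (see the Identity Provider slide) will not sign in via ADFS
Get-MsolUser -All | Where-Object { $_.UserPrincipalName -notlike "*@$domain" } |
    Select-Object DisplayName, UserPrincipalName
```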


Page 25: SPCA2013 - SharePoint 2013 in a Hybrid World

DirSync

Do Not Run it on an AD – Single Forest (at this time)

Service accounts: svc_dirsync: Enterprise Admin on AD

Global Administrator on Office 365

Install DirSync and let the Wizard Run

Syncs Users, Groups & Contacts

!!! It doesn’t give your Users Licenses !!!


Page 26: SPCA2013 - SharePoint 2013 in a Hybrid World
Page 27: SPCA2013 - SharePoint 2013 in a Hybrid World

SharePoint 2013 Config

1. New STS Token Signing Certificate
2. Configuration of a Trust between SP on Premise & ACS
3. Configure Secure Store
4. Configure UPA
5. Try it !

Page 28: SPCA2013 - SharePoint 2013 in a Hybrid World

STS Token Signing Certificate

You need to replace the default token signing certificate for the SharePoint STS because Access Control Service (ACS) will not trust it

Replace it with:
• A certificate issued by a public certificate authority
• A self signed certificate that you create in IIS Manager
• NOT: Domain-issued certificate

Set-SPSecurityTokenServiceConfig with the ImportSigningCertificate flag.

Page 29: SPCA2013 - SharePoint 2013 in a Hybrid World

Trust Between SP & ACS

Now you need to create an OAuth trust for applications to exchange data between O365 and on-prem

Using MSOL PowerShell (on prem):
• Create an AppPrincipal using New-MsolServicePrincipalCredential
• Create a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxy
• Complete the trust using New-SPTrustedSecurityTokenIssuer
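The STS certificate replacement and the ACS trust from the two slides above (the same steps the Recap slide lists), as an added PowerShell example that is not the deck's own code. It assumes the SharePoint snap-in and the MSOnline module are available on the on-prem server, and that the certificate paths, password and farm host name are yours; the SharePoint Online principal ID is the well-known constant.

```powershell
# Added example (not from the deck): replace the STS signing certificate and
# build the OAuth trust with ACS. Assumptions: SharePoint snap-in and MSOnline
# module available; paths, password and host name below are yours.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

$pfxPath    = "C:\certs\sts.pfx"                      # assumption: new STS cert with private key
$cerPath    = "C:\certs\sts.cer"                      # assumption: its public key only
$onPremFqdn = "sharepoint.contoso.com"                # assumption: public name of the on-prem farm
$spoAppId   = "00000003-0000-0ff1-ce00-000000000000"  # well-known SharePoint Online principal ID

# 1. Replace the default STS token signing certificate, which ACS will not trust
$pfxPass = Read-Host -AsSecureString "PFX password"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPass)
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $cert
iisreset
Restart-Service SPTimerV4

# 2. Upload the public key to Office 365 so ACS can verify tokens this farm signs
Connect-MsolService
$cer    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$cert64 = [System.Convert]::ToBase64String($cer.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric -Usage Verify -Value $cert64

# 3. Add the on-prem host name to the SharePoint Online service principal
$spoPrincipal = Get-MsolServicePrincipal -AppPrincipalId $spoAppId
$spoPrincipal.ServicePrincipalNames.Add("$spoAppId/$onPremFqdn")
Set-MsolServicePrincipal -AppPrincipalId $spoAppId -ServicePrincipalNames $spoPrincipal.ServicePrincipalNames

# 4. Set the on-prem authentication realm to the tenant's context ID
$contextId = (Get-MsolCompanyInformation).ObjectId
Set-SPAuthenticationRealm -Realm $contextId

# 5. Register the ACS proxy and complete the trust (ACS acts as trust broker)
$metadata = "https://accounts.accesscontrol.windows.net/$contextId/metadata/json/1"
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadata -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadata -IsTrustBroker -Name "ACS"

# 6. Check: the realm must equal the tenant context ID and the issuer must be registered
if ((Get-SPAuthenticationRealm) -ne $contextId) { throw "Authentication realm does not match tenant context ID" }
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, RegisteredIssuerName
```

Keep the PFX off the server once the import has run; only the CER (public key) is needed in Office 365.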

Page 30: SPCA2013 - SharePoint 2013 in a Hybrid World

Configure Secure Store

The Secure Store Service is used to create an application that stores the certificate used to authenticate with the UAG HTTPS trunk

In Office 365 create a new Secure Store Service target application. Save the Target Application ID name because you will use it when configuring a result source

In the credentials field configure it as a Certificate Password

Click the Set button for the Credentials. Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fields blank

Page 31: SPCA2013 - SharePoint 2013 in a Hybrid World

Configure UPA

It’s critically important that you:
• Have a UPA up and running
• Have it populated with current data from Active Directory

We use the UPA on the local farm to determine what rights a user has – what claims they have, what groups they belong to, etc.

With a hybrid solution, anything that you grant rights to needs to be in the profile system

E.g., if you augment claims on premise and use a custom claims provider to grant rights to content using those claims, an office 365 user would not see that data because those custom claims are not added when you login to office 365

Page 32: SPCA2013 - SharePoint 2013 in a Hybrid World

RECAP Necessary Steps

• Install & Configure all necessary tools
• Replace STS Certificate
• Upload Certificate to Office 365
• Add Hostname of server to SP Principal object of Office 365
• Register SPO S2S Principal Object to On Premise
• Set SP Authentication Realm to Context ID of Office 365 Tenant
• Configure On Premise ACS Proxy and setup Trust with ACS.

Page 33: SPCA2013 - SharePoint 2013 in a Hybrid World

Create A Result Source

Create a new result source and use Remote SharePoint as the Protocol

If you are on-prem and getting results from Office 365:
• Use the Url of your Office 365 for the Remote Service Url
• Use Default Authentication for credentials

If you are Office 365 and getting results from on-prem:
• Use the HTTPS Url of the UAG HTTPS trunk for the Remote Service Url
• Use SSO Id for credentials and enter the name of the SSO application definition you created to store the UAG certificate

Page 34: SPCA2013 - SharePoint 2013 in a Hybrid World
Page 35: SPCA2013 - SharePoint 2013 in a Hybrid World

Create A Query Rule

This is where you can do a “live” test to see if everything is working
• Create a new query rule
• Remove the default Condition
• Click on Add Result Block
• Select your result source
• Click on the Test tab and then click the “Show more” link
• Type some query terms in the “{subjectTerms}:” edit box
• Click the “Test query” button

If you have configured everything correctly – Voila! – you will see search results from the remote farm

Page 36: SPCA2013 - SharePoint 2013 in a Hybrid World

[Screenshot: Results from the Cloud / Results from On Prem]

Page 37: SPCA2013 - SharePoint 2013 in a Hybrid World

RESOURCES

OnRamp: https://onramp.office365.com/onramp/

HYBRID: http://technet.microsoft.com/en-us/library/jj838715.aspx

Try To Find the WORD Documents ….

Page 38: SPCA2013 - SharePoint 2013 in a Hybrid World

Troubleshooting Tips

If you aren’t getting data back between the two environments here are some things that you can do to narrow down the issue:

In your on prem farm turn up the ULS logging
• Go into Central Admin, Monitoring, Configure diagnostic logging; expand SharePoint Foundation and select:
  • App Auth
  • Application Authentication
  • Authentication Authorization
  • Claims Authentication
• Change the “least critical” dropdowns to Verbose and save changes
• Monitor the ULS logs each time you execute a query
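The same ULS tuning done from PowerShell instead of Central Admin, as an added example not from the deck: it raises only the four authentication categories named above to Verbose, isolates one query in a fresh log file, and reverts the levels afterwards so Verbose tracing does not stay switched on. It assumes the SharePoint snap-in on an on-prem farm server.

```powershell
# Added example (not from the deck): verbose ULS tracing limited to the
# authentication categories, captured around a single hybrid query.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Area:Category identities as Set-SPLogLevel expects them
$categories = @(
    "SharePoint Foundation:App Auth",
    "SharePoint Foundation:Application Authentication",
    "SharePoint Foundation:Authentication Authorization",
    "SharePoint Foundation:Claims Authentication"
)

# Raise only these categories; Verbose on the whole farm floods the log
Set-SPLogLevel -TraceSeverity Verbose -Identity $categories

# Start a fresh log file so the next query is easy to isolate
New-SPLogFile
$start = Get-Date

Read-Host "Run the hybrid query now, then press Enter"

# Pull only the matching entries written since $start; the Correlation
# column ties every line of one request together across servers
Get-SPLogEvent -StartTime $start |
    Where-Object { $categories -contains "$($_.Area):$($_.Category)" } |
    Select-Object Timestamp, Category, Level, Correlation, Message |
    Format-Table -AutoSize -Wrap

# Revert these categories to their default levels
Clear-SPLogLevel -Identity $categories
```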

Page 39: SPCA2013 - SharePoint 2013 in a Hybrid World

Use Fiddler as a reverse proxy on your SharePoint server; this requires:
• Installing Fiddler on the SharePoint server
• Writing a Fiddler script rule as described in Option #2 here: http://www.fiddler2.com/Fiddler/help/reverseproxy.asp

Look at the TextView of the Response. Here’s an example of an error that you can see in there:

Page 40: SPCA2013 - SharePoint 2013 in a Hybrid World

Troubleshooting Tips (cont.)

Be aware of latency in queries across the cloud and on-premises

When a query is executed, ALL results must come back before the result is shown to the user
• Latencies can run 1200 to 1500 milliseconds

Because of this you may want to put some thought into when you want to fire a query at a remote source
• If you duplicate every single query you could introduce significant load on a farm
• Where you want results back ASAP then you wouldn’t want remote queries to fire
• You can also create a dedicated page that only queries the remote source
• In short, you can mix and match with query rules to decide what works best

Page 41: SPCA2013 - SharePoint 2013 in a Hybrid World

Q & A

Page 42: SPCA2013 - SharePoint 2013 in a Hybrid World