Configuring Hybrid Workloads for SharePoint 2013 and O365 by Neil Hodgkinson
DESCRIPTION
Hybrid scenarios between SharePoint Server 2013 and O365 take a number of guises, including search and business connectivity capabilities. All hybrid scenarios require a base identity configuration on which the hybrid workload can be configured. Hybrid workloads can operate in what are known as inbound and outbound directions. Outbound is considered the simplest configuration; inbound is complicated by the extra on-premises infrastructure it needs and by the perception that it is a difficult task to configure correctly. In this session we want to dispel that myth and show how the identity infrastructure, including DirSync with password synchronization, can be configured to support outbound and inbound hybrid search between SharePoint Server 2013 and O365. Configuration of a Windows Server 2012 R2 Web Application Proxy (WAP) server to support inbound hybrid authentication will be a key component of this session, as will the use of Windows Azure for the on-premises SharePoint roles.
TRANSCRIPT
Neil Hodgkinson
Senior Program Manager
Microsoft CXP CAT
Configuring Hybrid Workloads for SharePoint 2013 and Office 365
Neil Hodgkinson
Pre-Microsoft
Process Chemist (Drugs, Poisons and Explosives)
CSC SharePoint Specialist – 5 Years
Microsoft (2005-)
SharePoint PFE - 5 Years
SharePoint Service Engineering O365 - 3 Years
Office 365 CXP CAT - Current
MCM/MCSM SharePoint Instructor Team
Contact
Email – [email protected]
Twitter - @nellymo
Session Objectives:
• Verbalise the advantages hybrid scenarios bring as a waypoint towards a full cloud experience
• Discuss the technical implementation of hybrid configurations with architects and engineers
• Understand the role of the reverse proxy server in an inbound hybrid setup, and in particular gain insight into the configuration of Windows Web Application Proxy
Agenda
SharePoint Hybrid Scenarios
Hybrid Components and Configuration
Hybrid Deployment
Configuring Hybrid Search & Query Rules
What is Hybrid? And why?
Hybrid Solution: on premises and cloud
Hybrid Search
One-way outbound topology
On-premises SharePoint Server 2013 Enterprise Search portal: Local and remote search results are available
SharePoint Online search portal: Local search results are available
SharePoint Server can query SharePoint Online; SharePoint Online cannot query SharePoint Server
(Diagram: the SharePoint Server 2013 farm on the customer network, primary web app, returns hybrid search results; the site collection in the Microsoft Office 365 tenant returns local search results only)
One-way inbound topology
On-premises SharePoint Server 2013 Enterprise Search portal: Local search results are available
SharePoint Online search portal: Local and remote search results are available
SharePoint Online can query SharePoint Server; SharePoint Server cannot query SharePoint Online
(Diagram: a reverse proxy in the perimeter network passes inbound requests from the Microsoft data center to the SharePoint Server 2013 farm, primary web app, which returns local search results only; the site collection in the Microsoft Office 365 tenant returns hybrid search results)
Two-way (bidirectional) topology
On-premises SharePoint Server 2013 Enterprise Search portal and SharePoint Online search portal: Local and remote search results are available.
SharePoint Online can query SharePoint Server; SharePoint Search can query SharePoint Online
(Diagram: inbound requests pass through a reverse proxy in the perimeter network to the SharePoint Server 2013 farm, outbound requests go from the farm to the Microsoft Office 365 tenant; both the primary web app and the online site collection return hybrid search results)
User Experience – Outbound Search
(Screenshot: results from cloud and results from SharePoint on-premises shown on one search page)
Query Flow – On Premise Search Center
(Diagram components: SharePoint On Premises – authenticated user, On Premises Search Center, Query Processing Component, Index Components, User Profile Service App; SharePoint Online – Query Processing Component, Index Components)
Query Flow – Cloud Search Center
(Diagram components: SharePoint Online – authenticated user, O365 Search Center, Query Processing Component, Index Components, User Profile Service App; Reverse Proxy; SharePoint On Premises – Query Processing Component, Index Components)
Hybrid BCS
Review of Business Connectivity Services on-premises
Create a Business Data Connectivity service application in SharePoint on-premises
Configure the Business Connectivity Services Metadata Store
Configure the target application for the Secure Store Service
Define the external content type for external data
Create the external list and configure permissions
Authorization and data flow
SharePoint 2013 Business Connectivity Services and Secure Store Service – Business Connectivity Services on-premises deployment
(Diagram: client layer, SharePoint service layer and external system layer with the external data source; the numbered steps below are the diagram callouts)
❶ A user in need of on-premises data goes to an on-premises application or external list
❷ The external list or application requests data and sends it to Business Connectivity Services
❸ Business Connectivity Services accesses the external content type to determine how to gain access to the external data and what credentials to use
❹ Business Connectivity Services passes a request to a connector that retrieves the data by using either the user’s credentials or credentials from a secure store
❺ Optional: The user uses Connect to Outlook to take data offline
❻ The ClickOnce installation installs the Business Connectivity Services model on the client
❼ Microsoft Outlook connects to the external data and synchronizes to the Outlook SharePoint external list (formatted as a contact list)
❽ The user interacts with the data, and synchronizes changes with the external data source manually or automatically
Introduction to hybrid Business Connectivity Services
Enables users to publish on-premises data to a list or application external to SharePoint Online
Enables federated users to gain access to on-premises data from SharePoint Online
Requires a two-way authentication topology using an external URL published by reverse proxy
Connects only through OData source
Prerequisites for hybrid Business Connectivity Services
• Business Connectivity Services must be installed on-premises
• On-premises instance must have connectivity to the external data source
• Two-way authentication topology must be configured
• External URL to SharePoint on-premises must be configured
Hybrid Business Connectivity Services authorization and data flow
(Diagram: SharePoint Online tenancy with external list, Business Connectivity Services, secure store and Access Control Service; perimeter network with reverse proxy; internal network with the on-premises SharePoint farm and the external data source; authentication flow and data flow are the numbered callouts below)
❶ Using federated credentials, a user in need of on-premises data logs on to the online app or external list
❷ The app or external list creates a request for data and sends it to Business Connectivity Services
❸ Business Connectivity Services gains access to the external content type to determine how to access the external data and what credentials to use
❹ Business Connectivity Services retrieves a secure-channel certificate from the secure store and an OAuth token from Windows Azure Active Directory for user authentication
❺ Business Connectivity Services sends an HTTPS request to the published endpoint for the data source with the certificate and token
❻ The reverse proxy authenticates the request and forwards it to SharePoint on-premises
❼ SharePoint on-premises retrieves the identity from the token and maps it to the on-premises identity that has access to the data
❽ On-premises Business Connectivity Services forwards the request to the OData service endpoint
❾ The OData endpoint authenticates the request through Internet Information Services and returns the data
Cloud-only solution overview
Enables integration of data into SharePoint Online from SQL Azure
Enables external users to gain access to data published online
• Can be configured in addition to or separate from hybrid Business Connectivity Services
• Does not require a hybrid environment or hybrid identity management infrastructure
Configuration and requirements: SharePoint Online and SQL Azure
Cloud-only authorization and data flow
❶ Users who need online data go to the online application or external list
❷ The external list or online application creates a request for data and sends it to Business Connectivity Services
❸ Business Connectivity Services accesses the external content type to determine how to access the external data
❹ The external content type tells Business Connectivity Services the credentials to use—in this case, credentials from the secure store
❺ Business Connectivity Services passes the request to the endpoint of SQL Azure Windows Communication Foundation Service
❻ SQL Azure returns the data
❼ SharePoint Online displays the data in the browser
Deployment
Deployment - Phases
Infrastructure Setup
S2S Trust & Identity Management
Workload Integration
Deployment - Phases: Infrastructure Setup
• Domain Setup
• ADFS
• Directory Synchronization
• Reverse Proxy
S2S Trust & Identity Management
Workload Integration
On Premises Infrastructure
(Diagram: customer network – AD servers, ADFS servers, DirSync server, SharePoint farm with SharePoint STS, User Profile Sync Service and Secure Store target app; perimeter network – ADFS proxy and reverse proxy; Microsoft data center – Office 365 tenant with Azure AD tenant, Azure AD directory service, Azure AD proxy, ACS trust, federation gateway and identity platform)
Infrastructure Deployment
On Premises Infrastructure: Infrastructure for Outbound Hybrid with Password Sync
(Diagram: customer network – AD servers, DirSync server with password sync, SharePoint farm with SharePoint STS and User Profile Sync Service; Microsoft data center – Office 365 tenant with Azure AD tenant, Azure AD directory service, Azure AD proxy, ACS trust, federation gateway and identity platform; no ADFS servers or reverse proxy appear in this topology)
Core identity scenarios with Office 365
Cloud Identity: Single identity in the cloud. Suitable for small organizations with no integration to on-premises directories
Directory & Password Synchronization*: Single identity, suitable for medium and large organizations without federation*
Federated Identity: Single federated identity and credentials, suitable for medium and large organizations
Directory Synchronization Features
• Directory synchronization between on-premises and online
• Identities are created and managed on-premises and synchronized to the cloud
• Single identity and credentials but no single Sign-On for on-premises and Office 365 services
(Diagram: a user's on-premises identity in AD, e.g. Domain\Alice, is synchronized by Directory Synchronization to a cloud identity in Windows Azure Active Directory, e.g. [email protected])
Steps to configure Directory Sync
For Directory synchronization detailed configuration see: http://aka.ms/directorysync
• Activate – Activate directory synchronization in your tenant
• Add Domain – Add on-premises domain to O365 tenant
• TXT or MX Records – Update DNS records
• Install and Configure – Run the wizard and start the sync
• Sync – In O365 dashboard validate users and groups
• Activate Users – Activate users and grant licenses
Demo: Synchronisation of User Account
Supported Proxy Devices
Web Application Proxy
Threat Management Gateway
F5 Big IP
Citrix Netscaler
Squid
Setting up WAP
• Certificates: SSL, Client Auth, ADFS
• ADFS: Install, Configure
• WAP: Install, Publish
• SharePoint: PowerShell
• Test: Access, Result
Reverse Proxy Configuration
(Diagram URLs: SharePoint Online tenant https://evolutions.sharepoint.com; published external URLs https://internet.nellymo.com and https://userauth.nellymo.com in front of the on-premises SharePoint farm)
Demo: Setting up WAP
Deployment - Phases
Infrastructure Setup
• Directory Synchronization
• Reverse Proxy for Inbound
S2S Trust & Identity Management
• Replace S2S Token Signing Certificate for S2S Trust
• Validate UPA
• ACS Trust Setup
Workload Integration
Establish Server To Server Authentication
For Remote Index to work we need to establish an OAuth Trust with ACS between SharePoint On-Premises and Online. This enables S2S Authentication – 7 Steps to Heaven:
1. Replace the STS certificate across all SharePoint servers in the on-premises farm
2. Deploy Windows Azure AD PoSH with the pre-requisite of Microsoft Sign-in Assistant
3. Establish trust between on-premises SP Farm and SP Online by replacing certificate
4. Add SPN for the on-premises domain (e.g. 00000003-0000-0ff1-ce00-000000000000/*.nellymo.com)
5. Register SP Online application principal as a trusted provider in SP on-premises
6. Set authentication realm for SharePoint
7. Configure a proxy in the on-premise farm for Azure AD
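The seven steps above as one script, added here as an example and not the session's own code. Assumptions are marked in the comments: the certificate paths, PFX password and on-premises root site URL are placeholders; the SharePoint Online app principal id and the *.nellymo.com SPN domain come from the slide.

```powershell
# Added example, not the session's own script: the seven S2S trust steps in order.
# Placeholders (not from the slides): certificate paths, PFX password, on-premises root
# site URL. From the slides: SPO app principal id 00000003-0000-0ff1-ce00-000000000000
# and the wildcard SPN domain *.nellymo.com. Run on one SharePoint server as a farm
# administrator with the Microsoft Online Services Sign-In Assistant and the Azure AD
# (MSOnline) PowerShell module installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

$pfxPath  = "C:\certs\s2s-signing.pfx"     # placeholder: new STS cert with private key
$cerPath  = "C:\certs\s2s-signing.cer"     # placeholder: public half of the same cert
$pfxPass  = Read-Host "PFX password"
$siteUrl  = "https://intranet.nellymo.com" # placeholder: root site of the primary web app
$spcn     = "*.nellymo.com"                # on-premises domain for the SPN (slide)
$spoAppId = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint Online principal (slide)

# Step 1: replace the STS token-signing certificate (self-signed or public CA; a
# domain-issued certificate does not work). Repeat iisreset / Restart-Service SPTimerV4
# on every server in the farm afterwards.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] "Exportable, PersistKeySet"
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPass, $flags)
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $pfx

# Step 2: Azure AD PowerShell (needs the Sign-In Assistant); sign in as a tenant admin.
Connect-MsolService
$spoContextId     = (Get-MsolCompanyInformation).ObjectId
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/$spoContextId/metadata/json/1"

# Step 3: establish trust by uploading the public key of the new STS certificate to
# the SharePoint Online service principal (Usage Verify: it only verifies our tokens).
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$credValue = [Convert]::ToBase64String($cer.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric -Usage Verify -Value $credValue

# Step 4: add the SPN for the on-premises domain, i.e. <app id>/*.nellymo.com.
$msp  = Get-MsolServicePrincipal -AppPrincipalId $spoAppId
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoAppId/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoAppId -ServicePrincipalNames $spns

# Step 5: register the SPO application principal as a trusted provider on-premises.
# The name identifier is <principal object id>@<tenant context id>.
$site = Get-SPSite $siteUrl
$spoObjectId = (Get-MsolServicePrincipal -ServicePrincipalName $spoAppId).ObjectId
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier "$spoObjectId@$spoContextId" -DisplayName "SharePoint Online"
$site.Dispose()

# Step 6: the on-premises authentication realm must equal the tenant (context) id.
Set-SPAuthenticationRealm -Realm $spoContextId

# Step 7: ACS proxy plus trusted issuer so the farm can broker OAuth tokens with Azure AD.
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"
```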
Validate User Profile Service Application
User Profile Service Application is configured and running: Profile Service App created; Profile Services started; Profile Sync Service running; MIIS Client
User Profiles are synced with AD for the same set of users as specified for DirSync (compare the User Profile Service profile search with the O365 users and groups)
User profile attributes are correctly populated, key ones are:
• User Principal Name (UPN)
• Name Identifier (most commonly this is the Windows Security Identifier (SID))
• Simple Mail Transport Protocol (SMTP) address
• Session Initiation Protocol (SIP) address
Replace SharePoint STS Token Signing Certificate
Options:
SUPPORTED: Self-signed certificate. Certificate issued by a public certificate authority like Baltimore, VeriSign, GoDaddy, Thawte, etc.
DOES NOT WORK: Domain-issued certificate
Use Set-SPSecurityTokenServiceConfig with the ImportSigningCertificate flag to change the token signing certificate
Validate S2S trust
• Confirm STS Configuration: Certificate Thumbprint; Get-SPSecurityTokenServiceConfig
• Confirm App Principal Registration: Get-MsolServicePrincipal
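The two checks above, extended into a single function that compares the on-premises STS certificate thumbprint against what Azure AD holds for the SharePoint Online principal and also verifies the SPN, realm and ACS trust broker. This is an added example, not the session's demo; it assumes Connect-MsolService has already been run in the session, and the app principal id and *.nellymo.com SPN come from the slides.

```powershell
# Added example, not from the session: validate the S2S trust from both ends and return
# a summary object. Assumes Connect-MsolService has already been run in this session.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

function Test-S2STrust {
    param(
        [string]$SpoAppId = "00000003-0000-0ff1-ce00-000000000000",  # from the slide
        [string]$Spcn     = "*.nellymo.com"                          # from the slide
    )
    # Certificate the on-premises STS actually signs tokens with.
    $stsCert  = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    $stsThumb = $stsCert.Thumbprint

    # Public keys Azure AD holds for the SharePoint Online principal. Compare thumbprints
    # rather than trusting that "some" asymmetric key exists: a stale upload of an old
    # certificate would otherwise look like a working trust.
    $keys = Get-MsolServicePrincipalCredential -AppPrincipalId $SpoAppId -ReturnKeyValues $true
    $matchingKeyIds = foreach ($k in $keys) {
        if ($k.Type -eq "Asymmetric" -and $k.Usage -eq "Verify" -and $k.Value) {
            $bytes = [Convert]::FromBase64String($k.Value)
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$bytes)
            if ($c.Thumbprint -eq $stsThumb) { $k.KeyId }
        }
    }

    # SPN for the on-premises domain, realm versus tenant id, and the ACS trust broker.
    $spns     = (Get-MsolServicePrincipal -AppPrincipalId $SpoAppId).ServicePrincipalNames
    $tenantId = (Get-MsolCompanyInformation).ObjectId
    $realm    = Get-SPAuthenticationRealm
    $brokers  = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.IsTrustBroker }

    [pscustomobject]@{
        StsThumbprint           = $stsThumb
        StsCertExpires          = $stsCert.NotAfter
        CertRegisteredInAzureAD = [bool]$matchingKeyIds
        MatchingKeyIds          = @($matchingKeyIds) -join ","
        SpnPresent              = $spns -contains "$SpoAppId/$Spcn"
        RealmMatchesTenant      = ("$realm" -eq "$tenantId")
        AcsTrustBrokers         = @($brokers | ForEach-Object { $_.Name }) -join ","
    }
}

Test-S2STrust | Format-List
```

Every field should read True or carry a value; a False in CertRegisteredInAzureAD after a certificate replacement means the new public key was never uploaded (step 3), while a False in RealmMatchesTenant points at step 6.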
Demo: Setup S2S Authentication and ACS Trust and Validate Configuration
Deployment - Phases
Infrastructure Setup
• Directory Synchronization
S2S Trust & Identity Management
Workload Integration i.e. Search
• Configure Result Source
• Create a Query Rule
• Validate Search Configuration
Demo: Configure Search Result Sources and Query Rules for Outbound and Inbound Hybrid
Configure Result Source – On Premises
• Protocol should be chosen as Remote SharePoint
• SPO URL should be specified as Tenant Root Site URL (https://tenant.sharepoint.com)
• For Credentials information select Default Authentication
Create A Query Rule – On Premises
• From the Result Source drop-down list, select the specified result source
• Under Query is performed on these sources, if you select “One of these sources”, make sure to select the result source you created
• In the Query Conditions section, click Remove Condition so that the rule will fire for every query
• Within Edit Result Block choose This block is always shown above core results
Validate your Search Configuration
Launch Query Builder from the Query Rule you’ve created
• Click on the Test tab and then
• Click the Show more link
• Type some query terms in the “{subjectTerms}:” edit box
• Click the Test query button
You should see search results from SharePoint Online or a detailed error message
With all components in place you will see search results from both verticals.
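The same result source and test query done from PowerShell instead of Central Administration and the Query Builder, added here as an example and not the session's demo. Assumptions: https://tenant.sharepoint.com is the slide's placeholder tenant root, the on-premises site URL is a placeholder, and the provider name "Remote SharePoint Provider" is assumed to be the federation manager's name for the protocol the UI lists as Remote SharePoint.

```powershell
# Added example, not from the session: create the Remote SharePoint result source and run a
# test query against it. Placeholders: tenant root (from the slide), on-premises site URL.
# Assumption: the provider name the federation manager uses for the UI's "Remote SharePoint".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-RemoteSpoResultSource {
    param([string]$Name = "SharePoint Online Results",
          [string]$TenantRoot = "https://tenant.sharepoint.com")   # tenant root site, not a site collection
    $ssa   = Get-SPEnterpriseSearchServiceApplication
    $fed   = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager($ssa)
    $owner = Get-SPEnterpriseSearchOwner -Level Ssa
    $source = $fed.GetSourceByName($Name, $owner)
    if ($source) { return $source }                     # idempotent: reuse an existing source
    $source = $fed.CreateSource($owner)
    $source.Name = $Name
    $source.ProviderId = $fed.ListProviders()["Remote SharePoint Provider"].Id   # assumed provider name
    $source.ConnectionUrlTemplate = $TenantRoot
    $source.CreateQueryTransform("{searchTerms}")
    # Credentials: Default Authentication (the S2S/OAuth trust) is the provider default; nothing to set.
    $source.Commit()
    return $source
}

function Test-RemoteSpoResultSource {
    param([Parameter(Mandatory = $true)]$Source,
          [string]$SiteUrl = "https://intranet.nellymo.com",     # placeholder on-premises site
          [string]$Terms   = "sharepoint")
    $site  = Get-SPSite $SiteUrl
    try {
        $query = New-Object Microsoft.Office.Server.Search.Query.KeywordQuery($site)
        $query.QueryText = $Terms
        $query.SourceId  = $Source.Id        # route the query to the remote result source
        $query.RowLimit  = 10
        $executor = New-Object Microsoft.Office.Server.Search.Query.SearchExecutor
        $results  = $executor.ExecuteQuery($query)
        $relevant = $results | Where-Object { $_.TableType -eq "RelevantResults" }
        # A non-zero row count exercises the whole chain: result source, S2S token, ACS, remote index.
        [pscustomobject]@{ Ok = $true; Rows = $relevant.RowCount; Error = $null }
    } catch {
        # The exception text is the "detailed error message" the Query Builder Test tab shows.
        [pscustomobject]@{ Ok = $false; Rows = 0; Error = $_.Exception.Message }
    } finally {
        $site.Dispose()
    }
}

$src = New-RemoteSpoResultSource
Test-RemoteSpoResultSource -Source $src | Format-List
```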
See the Results
(Screenshots: two search pages, each showing results from cloud and results from SharePoint on-premises together)
References
Blogs:
• http://blogs.msdn.com/b/spses/archive/2013/10/22/office-365-configure-hybrid-search-with-directory-synchronization.aspx - Configure Outbound Hybrid Search with Directory Synchronization
• http://blogs.msdn.com/b/spses/archive/2014/01/05/office-365-configure-hybrid-search-with-directory-synchronization-password-sync-part2.aspx - Configure Inbound Hybrid Search with Directory Synchronization
• http://blogs.msdn.com/b/spses/archive/2014/01/07/identity-federation-amp-single-sign-on-deployment-for-hybrid-search-in-office-365-sharepoint-online-part3.aspx - Configure Single Sign on experience for Hybrid Search with Directory Synchronization
• http://blogs.msdn.com/b/spses/archive/2014/07/06/sharepoint-2013-configure-on-premises-users-to-leverage-office-365-for-their-mysite-onedrive-part-4.aspx - Configure OneDrive Redirection to SharePoint Online with SharePoint 2013 SP1
• http://blogs.msdn.com/b/spses/archive/2014/07/06/configure-onedrive-for-business-as-a-hybrid-search-vertical-in-sharepoint-onpremise-search-center-part5.aspx - Configure OneDrive as a Hybrid Search vertical in SharePoint 2013
Hybrid Search Scenarios - recap
Outbound Search (most common): Outbound from the customer's network (SharePoint on premises) to SharePoint Online. A user who is in the customer's network, on corpnet, searches from on premises. There is an outbound request to SPO to return results. Results from both are shown.
Inbound Search: Inbound from SharePoint Online to the customer's network (SharePoint on premises). A user who is not on the customer's network, but signed into SPO, searches. There is an inbound request to the customer's network - SharePoint on prem - to return results. Results from both are shown.
Two-way Search: Search is set up both inbound and outbound as described above. Both scenarios are supported in that case – whether the user is on premises on corpnet, or only signed in to SharePoint Online.
Guidance: Start small with outbound search first. Then as needed, add inbound search.
Hybrid Key Components - recap
• DirSync - synchronizes users and groups from on-premises AD to Azure AD
• Azure AD - cloud directory service, which provides the ability to store and manage the organizational identities in the cloud
• ACS – cloud-based federation service which provides an easy way to authenticate users against identity providers and Azure AD
• OAuth – open standard for authorization
• S2S Authentication – OAuth implementation used to enable communication between servers to access and request resources
• Result Source - used to specify a provider to get search results from
• Query Rule - search customization feature which allows you to read, transform and act on a user-entered search term
• Reverse Proxy – proxy server which directs incoming requests to the on-premises farm