SharePoint 2013 in a Hybrid World
Madrid, 10 October
#IberianSPC
Jethro Seghers, Cloud Solution Architect
J-Solutions – Flexamit - Microsoft
http://blog.j-solutions.be
@jseghers
AGENDA
• What is hybrid within Office 365
• Why hybrid
• Different setups
• Analysis of the building blocks
• Different steps
• See the results
• Resources
• Q&A
ON-PREMISES vs OFFICE 365
ON-PREMISES + OFFICE 365
OFFICE 365 IS ATTRACTIVE
1. It saves me a lot of €€€€€
2. I always have the latest and greatest collaboration, email and UC tools
3. It allows me to focus on my core business, not IT
4. Microsoft can run SharePoint more reliably and efficiently than I can
5. I can easily scale up/down according to demand
6. I can more easily work with customers and partners outside my company
But … MY BUSINESS IS ON-PREMISES
1. I have existing investments (customized SharePoint deployments with lots of data and settings, custom solutions, LOB systems, etc.)
2. I can't do everything in the cloud that I can do on-premises
3. I want to protect my sensitive data by keeping it close
WHY HYBRID
• Migration
• Business driven
WHY HYBRID - MIGRATION
• Early adopter: move all data to the cloud ASAP.
• Risk averse: get a trial on SPO, evaluate risks and numbers (ROI).
• Typical: freeze on-premises site creation; start with new content first.
WHY HYBRID - MIGRATION
• Same sign-on
• 1 URL to enter SP & SPO
• Use hybrid Search
• Use hybrid BCS
WHY HYBRID - BUSINESS DRIVEN
• Keep sensitive data on-premises (whatever "sensitive" may mean)
• Capacity flexibility
• Intranet – extranet
• Collaboration with external partners
• Typically defined in your information architecture & governance plan
• Geo location
• …
DIFFERENT SETUPS: ONE-WAY OUTBOUND
• The on-premises farm queries SharePoint Online; nothing is published inbound, so no reverse proxy is needed
DIFFERENT SETUPS: ONE-WAY INBOUND
• SharePoint Online queries the on-premises farm, which must be published through a reverse proxy that authenticates the incoming requests
DIFFERENT SETUPS: TWO-WAY
• Both directions: each environment queries the other, so the outbound trust and the inbound reverse proxy are both required
DIFFERENT SETUPS: TWO-WAY DETAIL
FROM THEORY TO IMPLEMENTATION
• Reason for going hybrid
• Choosing which setup
• Configuring all components
• Supporting authentication
• Securing traffic
INGREDIENTS
• An operational on-premises AD DS domain in a single forest
• An on-premises server for AD FS 2.0
• An on-premises server for the Windows Azure Directory Synchronization tool
• Windows Azure PowerShell cmdlets
• Internet domain & DNS access
• An operational SharePoint 2013 farm
• An X.509 wildcard or SAN certificate
• Office 365 Enterprise subscription with 15.0.0.4420 as the minimum build number
• A supported on-premises reverse proxy device (only for inbound & bidirectional communication)
ENVIRONMENT CONFIGURATION
• NON-SharePoint tasks:
• Reverse proxy and certificate auth
• Identity provider
• MSOL tools
• DirSync
• Components in the diagram: UAG, ADFS servers, SharePoint servers, Office 365, DirSync and tools servers (MSOL tools)
Reverse Proxy and Auth
• When using hybrid features, Office 365 sends requests from sites in the cloud to your on-premises farm
• You need a reverse proxy so that these calls are channelled through a single, secured entry point
• Those requests can be authenticated at the reverse proxy (client certificate) before they are forwarded to SharePoint
• SharePoint Online supports presenting a certificate to authenticate to the reverse proxy when it sends a request
Reverse Proxy Requirements
• 2 network cards: one connected to the Internet and the other to the internal company network
• Route inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headers
• Support SSL termination
• UAG, F5, …
Identity Provider
• For a single sign-on experience you need a federated identity provider such as AD FS
• 2 or more load-balanced AD FS servers
• An SSL certificate for the AD FS site
• A proxy device, such as the AD FS proxy server, for users signing in from outside the network
• All users must have a UPN in a registered, publicly routable domain; ".local" or similar suffixes will not work
• Service account: "Log on as a batch job" & "Log on as a service" rights
MSOL TOOLS
• Microsoft Online Services Sign-In Assistant
• Windows Azure Active Directory Module for Windows PowerShell (download from the portal)
• You need to run these cmdlets on a SharePoint server to configure the trust with ACS
• You also need them for the SSO setup (usually run from their own server)
SSO
• Connect AD FS to Office 365
1. Connect-MsolService
2. New-MsolFederatedDomain
3. Update DNS
• OR
1. Add the domain via the Office 365 portal
2. Update DNS
3. Connect-MsolService
4. Convert-MsolDomainToFederated
• !!! USE SMART LINKS !!!
• !!! Run this on your primary AD FS server !!!
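The second route above, written out as an added example (this is not code from the slides). It assumes the Windows Azure Active Directory Module is installed, that it runs on, or is pointed at, the primary AD FS server, and that contoso.com and adfs01.contoso.local are placeholder names for your domain and AD FS server:

```powershell
# Added example: federate an already verified domain with AD FS, then check
# that what Office 365 holds matches what AD FS publishes.
Import-Module MSOnline

$domain   = "contoso.com"          # placeholder: the UPN suffix users sign in with
$adfsHost = "adfs01.contoso.local"  # placeholder: primary AD FS server (internal name)

Connect-MsolService                  # prompts for a Global Administrator of the tenant
Set-MsolADFSContext -Computer $adfsHost

# Route 1 would be: New-MsolFederatedDomain -DomainName $domain
# (first call returns the DNS TXT record to publish; repeat once it is verified).

# Route 2: the domain was added and verified through the portal and is still "Managed".
$state = Get-MsolDomain -DomainName $domain
if ($state.Status -ne "Verified") {
    throw "Domain $domain is not verified; publish the record from Get-MsolDomainVerificationDns first"
}
if ($state.Authentication -eq "Managed") {
    Convert-MsolDomainToFederated -DomainName $domain
}

# Check: the tenant must now point at your AD FS endpoints and carry the AD FS
# token-signing certificate. A mismatch here shows up as a sign-in loop.
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object FederationBrandName, PassiveLogOnUri, ActiveLogOnUri, IssuerUri, NextSigningCertificate

# Side-by-side view of the AD FS and Office 365 settings; after an AD FS
# certificate rollover, run Update-MsolFederatedDomain -DomainName $domain.
Get-MsolFederationProperty -DomainName $domain
```

The last two calls are the check worth keeping: when the AD FS token-signing certificate rolls over and Office 365 is not updated, every federated sign-in fails although nothing in AD FS itself changed.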
DirSync
• Do not install it on a domain controller; a single forest only (at this time)
• Service accounts: svc_dirsync needs Enterprise Admin in AD (used by the configuration wizard) and Global Administrator in Office 365
• Install DirSync and let the wizard run
• Syncs users, groups & contacts
• !!! It doesn't give your users licences !!!
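Because DirSync creates the accounts but assigns no licences, the step after the first sync is usually a licensing pass. The block below is an added example, not code from the slides; it assumes the Windows Azure Active Directory Module, a tenant that holds an ENTERPRISEPACK (E3) SKU, and "ES" as the usage location, all of which are placeholders:

```powershell
# Added example: licence every synced, still-unlicensed user and then verify
# that nothing synced is left without a licence.
Import-Module MSOnline
Connect-MsolService

# Pick the SKU to assign; the prefix before ":" is the tenant name.
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like "*:ENTERPRISEPACK" }).AccountSkuId
if (-not $sku) { throw "No ENTERPRISEPACK SKU in this tenant; choose one from Get-MsolAccountSku" }

# Only accounts that came from the on-premises directory (LastDirSyncTime is set)
# and have no licence yet. Cloud-only accounts are left alone on purpose.
$candidates = Get-MsolUser -All -UnlicensedUsersOnly |
    Where-Object { $_.LastDirSyncTime -ne $null }

foreach ($u in $candidates) {
    # A usage location is mandatory before any licence can be assigned.
    if (-not $u.UsageLocation) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation "ES"
    }
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $sku
}

# Check 1: no synced account should remain unlicensed.
Get-MsolUser -All -UnlicensedUsersOnly |
    Where-Object { $_.LastDirSyncTime -ne $null } |
    Select-Object UserPrincipalName

# Check 2: the sync itself is recent; a stale timestamp means the DirSync
# service account or its Office 365 password has a problem, not licensing.
(Get-MsolCompanyInformation).LastDirSyncTime
```

Service accounts that are synced because they live in the same OU as users will also show up in this list; filter them out before assigning licences rather than after.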
RECAP
SharePoint 2013 Config
1. New STS token-signing certificate
2. Configuration of a trust between SP on-premises & ACS
3. Configure Secure Store
4. Configure UPA
5. Try it!
STS Token Signing Certificate
• You need to replace the default token-signing certificate of the SharePoint STS because Access Control Service (ACS) will not trust it
• Replace it with:
• A certificate issued by a public certificate authority
• A self-signed certificate that you create in IIS Manager
• NOT a domain-issued certificate
• Import it with Set-SPSecurityTokenServiceConfig and the -ImportSigningCertificate parameter
Trust Between SP & ACS
• Now you need to create an OAuth trust so applications can exchange data between Office 365 and on-premises
• Using MSOL PowerShell (on-premises):
• Register the new STS certificate as a credential of the SharePoint Online app principal with New-MsolServicePrincipalCredential
• Create a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxy
• Complete the trust using New-SPTrustedSecurityTokenIssuer
Configure Secure Store
• The Secure Store Service is used to create a target application that stores the certificate used to authenticate to the UAG HTTPS trunk
• In Office 365 create a new Secure Store Service target application
• Save the Target Application ID name, because you will use it when configuring a result source
• Configure the credential fields as Certificate and Certificate Password
• Click the Set button for the credentials
• Browse to the certificate that was used for the UAG HTTPS trunk; it must include the private key (a .pfx export rather than a public-key-only .cer), because SharePoint Online presents it as a client certificate to the reverse proxy
• Enter the export password, or leave the password fields blank if the export has none
Configure UPA
• It's critically important that you:
• Have a UPA (User Profile service application) up and running
• Have it populated with current data from Active Directory
• The UPA on the local farm is used to determine what rights a user has: what claims they have, what groups they belong to, etc.
• With a hybrid solution, anything that you grant rights to needs to be in the profile system
• E.g. if you augment claims on-premises and use a custom claims provider to grant rights to content using those claims, an Office 365 user would not see that data, because those custom claims are not added when you log in to Office 365
RECAP Necessary Steps
• Install & configure all necessary tools
• Replace the STS certificate
• Upload the certificate to Office 365
• Add the hostname of the server to the SharePoint Online service principal object in Office 365
• Register the SPO S2S principal object on-premises
• Set the SharePoint authentication realm to the context ID of the Office 365 tenant
• Configure the on-premises ACS proxy and set up the trust with ACS
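The STS certificate replacement, the ACS trust and this recap are one procedure, so here it is end to end as an added example (not code from the slides). It runs in the SharePoint 2013 Management Shell on a farm server with the Windows Azure Active Directory Module installed. The PFX path, sharepoint.contoso.com (the on-premises web application) and *.contoso.com (the name the reverse proxy publishes) are placeholders; the app principal id of SharePoint Online is the fixed value used for every tenant:

```powershell
# Added example: replace the STS signing certificate, register it with the
# SharePoint Online principal, register that principal on-premises, align the
# realm with the tenant, and trust ACS as the token broker.
Import-Module MSOnline
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pfxPath  = "C:\certs\sts.pfx"                        # placeholder: new signing cert with private key
$pfxPass  = Read-Host "PFX password" -AsSecureString
$siteUrl  = "https://sharepoint.contoso.com"          # placeholder: on-premises site collection
$spcn     = "*.contoso.com"                           # placeholder: externally published name
$spoAppId = "00000003-0000-0ff1-ce00-000000000000"    # fixed id of the SharePoint Online principal

# 1. Replace the STS token-signing certificate (ACS will not trust the farm
#    default or a domain-CA issued one). Restart IIS and the timer afterwards.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxPath, $pfxPass, "Exportable,PersistKeySet")
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $cert
iisreset
Restart-Service SPTimerV4

# 2. Upload the public half to the SPO principal: SPO verifies tokens the farm
#    issues against it. Only the raw certificate is sent, never the private key.
Connect-MsolService
$credValue = [Convert]::ToBase64String($cert.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric -Usage Verify -Value $credValue

# 3. Add the published hostname as a service principal name of the SPO principal.
$msp  = Get-MsolServicePrincipal -AppPrincipalId $spoAppId
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoAppId/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoAppId -ServicePrincipalNames $spns

# 4. Register the SPO principal in the farm and set the farm realm to the
#    tenant context id (the tenant's directory ObjectId).
$contextId   = (Get-MsolCompanyInformation).ObjectId
$spoObjectId = (Get-MsolServicePrincipal -AppPrincipalId $spoAppId).ObjectId
$site = Get-SPSite $siteUrl
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier "$spoObjectId@$contextId" -DisplayName "SharePoint Online"
Set-SPAuthenticationRealm -Realm $contextId

# 5. Proxy to ACS and trust it as a token broker for this tenant.
$acsMetadata = "https://accounts.accesscontrol.windows.net/$contextId/metadata/json/1/"
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $acsMetadata -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -Name "ACS" -MetadataEndpoint $acsMetadata -IsTrustBroker:$true

# Check: realm and trusted issuer are what every cross-farm token is validated
# against; a realm mismatch fails quietly as "unauthorized" at query time.
if ((Get-SPAuthenticationRealm) -ne $contextId) { throw "Farm realm does not match tenant context id" }
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, RegisteredIssuerName, IsTrustBroker
```

Step 1 changes the realm-wide signing key, so any existing S2S trust on the farm (Workflow Manager, provider-hosted apps) has to be re-registered with the new certificate too; plan it as a maintenance window rather than a quick change.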
Create A Result Source
• Create a new result source and:
• Use Remote SharePoint as the protocol
• If you are on-premises and getting results from Office 365:
• Use the URL of your Office 365 tenant for the Remote Service URL
• Use Default Authentication for credentials
• If you are on Office 365 and getting results from on-premises:
• Use the HTTPS URL of the UAG HTTPS trunk for the Remote Service URL
• Use SSO Id for credentials and enter the name of the Secure Store target application you created to store the UAG certificate
Create A Query Rule
• This is where you can do a “live” test to see if everything is working
• Create a new query rule
• Remove the default condition
• Click on Add Result Block
• Select your result source
• Click on the Test tab, then:
• Click the "Show more" link
• Type some query terms in the "{subjectTerms}:" edit box
• Click the "Test query" button
• If you have configured everything correctly – voilà! – you will see search results from the remote farm
See the Results
Results from the Cloud
Results from On Prem
RESOURCES
• OnRamp: https://onramp.office365.com/onramp/
• Hybrid: http://technet.microsoft.com/en-us/library/jj838715.aspx
• Try to find the WORD documents …
Troubleshoot Tips
• If you aren't getting data back between the two environments, here are some things you can do to narrow down the issue:
• In your on-premises farm turn up the ULS logging
• Go into Central Administration, Monitoring, Configure diagnostic logging; expand SharePoint Foundation and select:
• App Auth
• Application Authentication
• Authentication Authorization
• Claims Authentication
• Change the "least critical" dropdowns to Verbose and save the changes
• Monitor the ULS logs each time you execute a query
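The same change from the SharePoint 2013 Management Shell, as an added example that is not part of the slides. It raises exactly the four categories named above, collects the trace for the window in which you run the test query, and always resets the levels; the output path is a placeholder:

```powershell
# Added example: verbose auth logging for one test window, merged from all
# farm servers, with the levels reset whatever happens.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$area = "SharePoint Foundation"
$cats = @("App Auth", "Application Authentication", "Authentication Authorization", "Claims Authentication")
# Set-SPLogLevel wants "Area:Category" identities.
$ids  = $cats | ForEach-Object { "${area}:$_" }
$outFile = "C:\temp\hybrid-auth-$(Get-Date -Format yyyyMMdd-HHmmss).log"   # placeholder path

Set-SPLogLevel -TraceSeverity Verbose -Identity $ids
$start = Get-Date
try {
    Read-Host "Levels raised. Run the remote query now, then press Enter"
    # Merge only this window and only these categories, from every server in the farm.
    Merge-SPLogFile -Path $outFile -Category $cats -StartTime $start -EndTime (Get-Date) -Overwrite
}
finally {
    # Verbose auth traces are noisy and can include token details; never leave them on.
    Clear-SPLogLevel -Identity $ids
}

# Quick triage on the local server: anything High or worse in the window.
Get-SPLogEvent -StartTime $start -MinimumLevel High |
    Where-Object { $cats -contains $_.Category } |
    Select-Object Timestamp, Category, Message
```

Merge-SPLogFile runs a timer job on every server, so give it a minute before reading the file; the local Get-SPLogEvent pass is the quick look while that completes.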
Troubleshoot Tips (cont.)
• Use Fiddler as a reverse proxy on your SharePoint server; this requires:
• Installing Fiddler on the SharePoint server
• Writing a Fiddler script rule as described in Option #2 here: http://www.fiddler2.com/Fiddler/help/reverseproxy.asp
• Look at the TextView of the response. Here's an example of an error that you can see in there:
Troubleshooting Tips (cont.)
• Be aware of latency in queries across the cloud and on-premises
• When a query is executed, ALL results must come back before the result is shown to the user
• Latencies can run 1200 to 1500 milliseconds
• Because of this you may want to put some thought into when you want to fire a query at a remote source
• If you duplicate every single query you could introduce significant load on a farm
• Where you want results back ASAP, you wouldn't want remote queries to fire
• You can also create a dedicated page that only queries the remote source
• In short: you can mix and match with query rules to decide what works best
Q&A