Project Server 2003: DC340: Security (Part 1 of 2): How to securely deploy Project Server in an enterprise environment
Pradeep GanapathyRaj (PM), Karthik Chermakani (Test)
Project, Microsoft Corporation
Approach
• Identify key deployment options
• Identify key Project Server processes
• Walk through the processes for each deployment scenario, with security in mind
P11 architecture
[Diagram: three tiers]
• Client tier: Project Professional, Internet Explorer (PWA), Outlook, Office Web Controls (OWC), LOB applications
• Application tier: Project Server, PWA, middle-tier business objects, Views Processing, Session Manager, WSS
• Data tier: Project and Security tables, Views tables, Analysis Services, Web and Cube tables
Key deployment options
• Single domain: one box; multiple boxes
• Multi domain: one-way trust; no trust
• Firewalled multi domain: extranet deployment
Key processes
• Project open and save
• Publishing a project
• SharePoint: assign users to appropriate SharePoint roles; accessing the WSS site (issues/risks/docs)
• Portfolio Analyzer: building the cube; building the views; accessing the cube
Project Security
• Authentication
  • Windows Authentication: single logon account; seamless experience across all Project Server components
  • Project User Accounts: SharePoint complications; OLAP complications
• Authorization: categories, global permissions, roles
Project 2003 Highlights
• Publishing from a non-trusted domain: the user can log in with a Windows user account in the Project Professional client
• SharePoint: sites created and roles populated for the SharePoint site
• Portfolio Analyzer: new extranet address field for accessing Portfolio Analyzer from the internet; the new version of OWC 11 will prompt for credentials when accessing across domains
Single vs. multi domain
[Diagram. Single domain: WSS Server, SQL Server w/Analysis Services, Project Server, Project Pro client and PWA all in Domain1 with DC1. Multi domain: the same components split between Domain1 (DC1) and Domain2 (DC2).]
Multi domain: extreme case
[Diagram: every component in its own domain]
• WSS Server: Domain 1
• SQL Server w/Analysis Services: Domain 2
• Project Server: Domain 3
• Project Pro client: Domain 4
• PWA: Domain 5
Project open/save architecture
[Diagram: Project Pro talks to Project Server through IIS (PDSRequest.asp, PDS) and the ODBC plug-in, ServerSerializer and Ccomm components; step 2) is a Permcheck against PJSecurity; data is read from and written to the MSP tables in SQL Server. Steps 1), 3) and 4) are unlabelled; the Proj Auth and Authorization labels are the authorization checkpoints.]
Publish architecture
[Diagram: authorization checkpoints Proj Auth, WSS Auth and Directory Perm.]
[Diagram, no trust between the two domains: User 1 uses the Project client in Domain 5; Project Server is in Domain 3; the WSS Server is in Domain 1. Project open/save/publish succeeds when Project Server recognizes User 1 and fails when Project Server does not recognize User 1. The WSS subweb is created with the PSComPlus account; SharePoint fails to assign the role to User 1 unless it recognizes User 1, in which case the role is assigned correctly.]

Project Open/Save/Publish
[Diagram: no trust between domains; the WSS Server assigns the role to User 1.]
Project Publish
• Publish from Project Professional: log in with a Windows user account (local/User1)
• We check for the User1 account on the Project Server machine
• WSS site creation uses PSComPlus credentials; the correct Windows user roles are added if WSS/User1 exists
[Diagram, no trust between domains: User 1 logs in to PWA (Domain 4) successfully and browses to the WSS section; the WSS Server (Domain 1) challenges User 1; SharePoint recognizes the user through a generic WSS user account or SharePoint group account, and the WSS section login succeeds. Project Server is in Domain 3.]
SharePoint access
• User logs into PWA with a Windows user account
• User accesses the SharePoint section; the iFrame prompts for login information
• User enters information that matches the SharePoint machine (instead of replicating ALL project users, the admin can choose to create only a few SharePoint users)
Portfolio Analyzer architecture – create cubes
[Diagram. Components: Project Server with Pjdbcomm.dll (ISAPI filter), Pjmsghlr.dll (message handler), the View Drop Directory and the Views Notification Service; ProjOLAP.dll and DSO; Analysis Services (CUBE); SQL Server (MSP_CUBE tables). Numbered steps: 1) Build cube, 2) Decode message, 4) Notify, 6) Populate data, 8) Build cube; steps 3), 5) and 7) are unlabelled. Labels: OLAP Admin, Perm2 ?]
Portfolio Analyzer architecture – access/build views
[Diagram. User's workstation (OWC) to Project Server (IIS, PWA Views page, PJSecurity) to Analysis Services (CUBE). Numbered steps: 1), 2) Permcheck, 3). Labels: OLAP User, Permcheck.]
Portfolio Analyzer – Cube Creation
[Diagram: the Administrator browses to the cube creation page in PWA (Domain 4) to create the cube; Project Server (Domain 3) creates the OLAP cube on SQL Server (Domain 2) with PSComPlus credentials. Labels: PSComPlus, User 1, OLAP Access Account.]
Administrator must add users or generic accounts to SQL Server
Portfolio Analyzer – Cube Creation
• PWA admin logs in with a Windows user account
• Project Server uses PSComPlus credentials to create a cube
• Admin creates a view; roles must be assigned to replicated user accounts in Analysis Server
Portfolio Analyzer
[Diagram: User 1 logs in to PWA (Domain 4) successfully and browses to Portfolio Analyzer; Project Server (Domain 3) grants access; OWC connects to SQL Server (Domain 2) with the OLAP Access Account in the connection string, and OWC challenges User 1.]
Portfolio Analyzer - OWC
• Project user logs into Project Server with Windows user credentials
• User arrives at a page with an Office Web Component
• OWC prompts the user for login information
• User enters local Analysis Server credentials to browse the cube
Extranet
[Diagram, four zones: External User in the Extranet; DMZ with WSS Server, Project Server with IIS and Terminal Server; Application/Data Services with SQL + Analysis Server, WSS and Project Server with IIS; Internal User on the Corporate Intranet. Ports shown: 3389 (external user to Terminal Server), 80/443 on three links (external user to DMZ, DMZ to internal, internal user to internal Project Server), and 1433 / 2725 (DMZ to SQL + Analysis Server).]
Extranet
• Use SSL for extranet access from PWA
• SSL not needed for intranet users
• 2 instances of Project Server and WSS: 1 for external access, 1 for internal access
• Terminal Server in DMZ for Project Professional client users
Extranet – Publishing/File open/Save
• Extranet user connects to the Terminal Server inside the DMZ
• User logs in with a Windows user account
Extranet - WSS
• iFrame will prompt for login info
• User must enter a Windows account that has been granted access to SharePoint
Extranet – Portfolio Analyzer
• Cube creation: PWA administrator logs in using Windows authentication with SSL; Project Server uses PSComPlus to create the cube
• New Portfolio Analyzer view: specifies the HTTP address of the Analysis Server (requires SQL Enterprise edition)
• Portfolio Analyzer view access: OWC connects to the HTTP address, the Analysis Server challenges the user, and the user enters Windows user information
Summary
• SharePoint requires Windows Authentication
• SQL Analysis Server requires Windows Authentication
• SharePoint and Project Server should be placed in the same domain
• Most problems can be worked around by creating matching user accounts
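The cross-domain cases in this deck (publish from a non-trusted domain, SharePoint access through the iFrame prompt, OWC challenging the user for Analysis Server credentials, and the summary's "matching user accounts" workaround) all come down to one question per tier: does the domain the server lives in recognize the Windows user? The following is an added example, not code from the deck or from Microsoft, that models that question for the three server tiers of the "extreme case" layout. Domain names follow the slides; the account names, passwords and the Credential/Domain types are constructed for the illustration, and the model deliberately simplifies NTLM pass-through to "same user name and same password on the server's side".

```python
"""Constructed model of how each Project Server 2003 tier recognises a
Windows user when the tiers sit in different domains.

Domain names follow the deck's layout; account names and passwords are
made up.  Three cases are modelled: same domain works, a one-way trust
works only in the direction the server's domain trusts, and with no trust
the server only recognises the user if an account with the SAME name and
password exists where the server lives (the "matching accounts" workaround).
"""
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    # user name -> password: a much simplified stand-in for the domain's
    # account database (or a member server's local SAM)
    accounts: dict = field(default_factory=dict)
    # names of domains whose users this domain accepts (this domain trusts them)
    trusts: set = field(default_factory=set)


@dataclass(frozen=True)
class Credential:
    domain: str      # domain the user logged on to (the client side)
    user: str
    password: str


def recognised(domains, server_domain, cred):
    """How `server_domain` recognises `cred`: 'same-domain', 'trust',
    'matching-account', or None when the logon would be rejected."""
    server = domains[server_domain]
    if cred.domain == server_domain:
        return "same-domain" if server.accounts.get(cred.user) == cred.password else None
    if cred.domain in server.trusts:
        # One-way trust: the server's domain trusts the user's home domain
        # and lets that domain validate the credential.
        if domains[cred.domain].accounts.get(cred.user) == cred.password:
            return "trust"
    # No usable trust: pass-through only succeeds when an account with the
    # same name AND password has been created on the server's side.
    if server.accounts.get(cred.user) == cred.password:
        return "matching-account"
    return None


# Tier -> domain, following the deck's "extreme case" slide.
TIERS = (
    ("Project Server", "Domain3"),
    ("WSS Server", "Domain1"),
    ("SQL/Analysis Services", "Domain2"),
)


def walk_tiers(domains, cred, tiers=TIERS):
    """Try each tier in turn and stop at the first one that rejects the user;
    that is where open/save/publish, SharePoint access or the cube browse fails."""
    results = {}
    for tier, dom in tiers:
        how = recognised(domains, dom, cred)
        results[tier] = how or "FAIL"
        if how is None:
            break
    return results


def build_lab():
    """Constructed lab: User 1 lives in Domain5, the client's domain."""
    domains = {n: Domain(n) for n in ("Domain1", "Domain2", "Domain3", "Domain5")}
    domains["Domain5"].accounts["user1"] = "pw-user1"
    return domains


def demo():
    d = build_lab()
    user1 = Credential("Domain5", "user1", "pw-user1")
    out = {"no trust": walk_tiers(d, user1)}

    # Workaround 1: Domain3 (Project Server) trusts Domain5 one-way.
    d["Domain3"].trusts.add("Domain5")
    out["one-way trust"] = walk_tiers(d, user1)

    # Workaround 2: matching accounts on the WSS and SQL sides.  The password
    # must match as well; a same-named account with another password still fails.
    d["Domain1"].accounts["user1"] = "pw-user1"
    d["Domain2"].accounts["user1"] = "different"
    out["matching accounts"] = walk_tiers(d, user1)
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:18s} {result}")
```

Running it shows the deck's progression: with no trust the publish is rejected at Project Server; a one-way trust fixes Project Server but SharePoint still does not recognize the user; a matching account on the WSS side fixes SharePoint, while the Analysis Server side still fails because its replicated account carries a different password. The same walk also shows why a trust in the wrong direction does nothing, which is the check a practitioner wants before deciding between a trust and replicated accounts.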
Questions?
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.