Identity Management in SharePoint 2013

SHAREPOINT AND PROJECT CONFERENCE ADRIATICS 2013 ZAGREB, NOVEMBER 27-28 2013 IDENTITY MANAGEMENT IN SHAREPOINT 2013 ALEKSANDAR DRAŠKOVIĆ, MCM SHAREPOINT 2010

Description

In this session we will go through new and extended functions in the User Profile area. We will cover the planning and implementation from the organizational to the technical perspective, not only in theory but also in a live demo.

Aleksandar Drašković

Transcript of Identity Management in SharePoint 2013

Page 1: Identity Management in SharePoint 2013

SHAREPOINT AND PROJECT CONFERENCE ADRIATICS 2013

ZAGREB, NOVEMBER 27-28 2013

IDENTITY MANAGEMENT IN SHAREPOINT 2013

ALEKSANDAR DRAŠKOVIĆ, MCM SHAREPOINT 2010

Page 2: Identity Management in SharePoint 2013

sponsors

Page 3: Identity Management in SharePoint 2013

Aleksandar Drašković

• Microsoft Certified Master for SharePoint 2010
• Over 6 years in SharePoint business
• Over 15 years in Enterprise IT
• Expertise in various other products and technologies
  • Active Directory
  • Exchange
  • TMG / UAG
  • Etc.

Solution Architect

Page 4: Identity Management in SharePoint 2013

Agenda
• Identity Management
• User Profile Service
• User Profile Synchronization
• Approach for a successful implementation

Page 5: Identity Management in SharePoint 2013

IDENTITY MANAGEMENT

Page 6: Identity Management in SharePoint 2013

Identity management
• Handling user profiles is not only about configuring SharePoint
• Work with and talk to the administrators of the identity management system
• Most of the time identity management is not really a technical challenge, it is often more a political one
• Improper handling might break the social networking functionality in the SharePoint environment

Page 7: Identity Management in SharePoint 2013

Data quality

Who is the owner of the data?

Is the data up to date?

Can we get the necessary data?

Page 8: Identity Management in SharePoint 2013

Connect to the data

• Are the IDM systems accessible?

• How can we connect to the IDM system?

• Do we have to connect to any other external system?

• Are we able to write back information to the IDM system?

Page 9: Identity Management in SharePoint 2013

USER PROFILE SERVICE

Page 10: Identity Management in SharePoint 2013

User Profile Service in SharePoint 2013

Important for:
• All social features
• Workflow Manager 1.0 (SharePoint 2013 Workflows)
• Translation Service Application
• Work Management Service

Needs an associated Managed Metadata Service Application

Page 11: Identity Management in SharePoint 2013

Databases
• Profile Database
  • User profile data, activities, audiences
• Social Database
  • Social data, e.g. ratings, tags and comments
• Sync Database

Page 12: Identity Management in SharePoint 2013

Create a User Profile Service Application
• Think about how to handle the site names for the My Content sites of the users
• Create the MySite host and check the Managed Path for the My Content sites
• Do not use more than one User Profile Service Application in your farm
• As a best practice approach, use PowerShell scripting to create the User Profile Service Application, but be aware of the database schema
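The following script is an added example for this slide; it is not the presenter's demo script. It creates the User Profile Service Application with explicitly named databases (so the three databases of the schema are predictable), creates the MySite host and its wildcard managed path first, refuses to create a second UPA in the farm, and checks that the Managed Metadata Service Application exists. All names in it (application pool, MySite host URL, managed path, database names, farm account) are assumptions to replace with your own.

```powershell
# Added example, not from the session: create the UPA with PowerShell.
# Assumed values: app pool name, MySite host URL, managed path, DB names, farm account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appPoolName   = "SharePoint Service Applications"   # assumed: existing service app pool
$mySiteHostUrl = "https://mysites.corporation.int"   # assumed: web application for the MySite host
$mySiteManaged = "personal"                          # assumed: wildcard managed path for My Content sites
$farmAccount   = "CORP\svc_farm"                     # assumed farm account
$upaName       = "User Profile Service Application"

# The UPA depends on the Managed Metadata Service Application, so check it is there first
$mms = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "Managed Metadata Service" }
if (-not $mms) { throw "Create and start the Managed Metadata Service Application first." }

# Never more than one UPA per farm
if (Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }) {
    throw "A User Profile Service Application already exists in this farm."
}

$appPool    = Get-SPServiceApplicationPool -Identity $appPoolName
$hostWebApp = Get-SPWebApplication -Identity $mySiteHostUrl

# MySite host site collection (template SPSMSITEHOST#0), created only if missing
if (-not (Get-SPSite -Identity $mySiteHostUrl -ErrorAction SilentlyContinue)) {
    New-SPSite -Url $mySiteHostUrl -OwnerAlias $farmAccount -Template "SPSMSITEHOST#0" -Name "My Site Host" | Out-Null
}

# Wildcard managed path under which the My Content sites are created
if (-not (Get-SPManagedPath -WebApplication $hostWebApp | Where-Object { $_.Name -eq $mySiteManaged })) {
    New-SPManagedPath -RelativeURL $mySiteManaged -WebApplication $hostWebApp | Out-Null
}

# Create the UPA: profile, social and sync database get explicit names
$upa = New-SPProfileServiceApplication -Name $upaName `
    -ApplicationPool $appPool `
    -ProfileDBName "SP2013_UPA_Profile" `
    -SocialDBName "SP2013_UPA_Social" `
    -ProfileSyncDBName "SP2013_UPA_Sync" `
    -MySiteHostLocation $mySiteHostUrl `
    -MySiteManagedPath $mySiteManaged

New-SPProfileServiceApplicationProxy -Name "$upaName Proxy" -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# Start only the User Profile Service instance here; the synchronization service is a separate step
$upsInstance = Get-SPServiceInstance -Server $env:COMPUTERNAME |
    Where-Object { $_.TypeName -eq "User Profile Service" }
if ($upsInstance.Status -ne "Online") { Start-SPServiceInstance $upsInstance | Out-Null }

"UPA '$upaName' created with profile/social/sync databases; sync service not yet configured."
```

Stopping here, before any synchronization is configured, matches the slide's advice to separate creating and starting the service application from configuring and starting synchronization, so this step can be tested on its own.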

Page 13: Identity Management in SharePoint 2013

Active Directory import
• One-way: Active Directory to SharePoint
• No write-back to the Active Directory: it is just an import
• No BCS connections for synchronization: only connections to Active Directory
• Very fast, due to the direct connection to Active Directory

Page 14: Identity Management in SharePoint 2013

User Profile Synchronization
• Set "Replicating Directory Changes" permission
• Configure synchronization settings
• Configure synchronization connection(s)
• Start a synchronization
• Configure incremental synchronization

Page 15: Identity Management in SharePoint 2013

APPROACH FOR A SUCCESSFUL IMPLEMENTATION

Page 16: Identity Management in SharePoint 2013

Start of the implementation process

Sit down and THINK!

Think about the source system and source information

Think about how the data should be represented in SharePoint

Think about writing data back

Think about operating the profile synchronization

Page 17: Identity Management in SharePoint 2013

Configure and start UPA

• Prerequisites: Have the Managed Metadata Service Application up and running
• PowerShell: Use a PowerShell script to configure and start the user profile service application
• Separate: Separate adding and starting the user profile service application from configuring and starting synchronization
• Test: Test this step before the synchronization is configured and started

Page 18: Identity Management in SharePoint 2013

Set permissions

• Replicating Directory Changes: Set the "Replicating Directory Changes" permission for the sync account in the domain
• Local Administrator: Make the farm account local administrator on the machine where the synchronization should be started
• Write back: Set the "Create Child Objects" and "Write All Properties" permissions for the sync account when write back is necessary
• Reboot: Reboot the machine that was chosen as the sync host, so that the new permissions become active

Page 19: Identity Management in SharePoint 2013

Domain permissions

• Replicating Directory Changes: Must be set in the domain, no matter which Windows version the domain controller is using
• Windows 2003 domain controller: Add the synchronization account to the Pre-Windows 2000 Compatible Access group
• NetBIOS domain name not FQDN: Grant the Replicating Directory Changes permission to the synchronization account on the cn=configuration container
• Need to export to Active Directory: Grant the synchronization account the Create Child Objects and Write All Properties permissions on the organizational unit you are synchronizing
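The script below is an added example covering both permission slides ("Set permissions" and "Domain permissions"); it is not part of the session. It grants the permissions listed above with the Windows `dsacls` tool and the ActiveDirectory PowerShell module, and then verifies that the "Replicating Directory Changes" control access right really ended up on the domain root, since the troubleshooting slide names wrong permissions as the most common failure. The account names (CORP\svc_upsync as sync account, CORP\svc_farm as farm account), the OU and the $writeBack switch are assumptions; the domain corporation.int / CORP is taken from the NetBIOS example on the following slide.

```powershell
# Added example, not from the session: grant and verify the sync account permissions.
# Run on a domain-joined machine with RSAT (ActiveDirectory module and dsacls available).
# Assumed names: sync account, farm account, domain DN and the OU that is synchronized.
Import-Module ActiveDirectory

$syncAccount = "CORP\svc_upsync"                      # assumed dedicated sync account (never the farm account)
$farmAccount = "CORP\svc_farm"                        # assumed farm account
$domainDn    = "DC=corporation,DC=int"                # corporation.int from the slides
$syncOuDn    = "OU=Employees,DC=corporation,DC=int"   # assumed OU to synchronize / export to
$writeBack   = $true                                  # only when profile export to AD is configured

# 1. Replicating Directory Changes on the domain root: required for every DC version
dsacls $domainDn /G "${syncAccount}:CA;Replicating Directory Changes"

# 2. NetBIOS name (CORP) differs from the FQDN (corporation.int): also on cn=configuration
dsacls "CN=Configuration,$domainDn" /G "${syncAccount}:CA;Replicating Directory Changes"

# 3. Windows Server 2003 domain controllers: membership in Pre-Windows 2000 Compatible Access
$syncSam = $syncAccount.Split('\')[1]
Add-ADGroupMember -Identity "Pre-Windows 2000 Compatible Access" -Members $syncSam

# 4. Export to Active Directory: Create Child Objects (CC) and Write All Properties (WP) on the OU only
if ($writeBack) { dsacls $syncOuDn /G "${syncAccount}:CCWP" }

# 5. Farm account as local administrator on the sync host (remove it again once sync is running)
net localgroup Administrators $farmAccount /add

# Verification: the control access right "Replicating Directory Changes" is the
# DS-Replication-Get-Changes right, rights GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
$replGuid = [guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
$acl = Get-Acl -Path "AD:\$domainDn"
$granted = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $syncAccount -and
    $_.ObjectType -eq $replGuid -and
    $_.AccessControlType -eq "Allow"
}
if ($granted) { "OK: Replicating Directory Changes granted to $syncAccount on $domainDn" }
else { Write-Warning "Replicating Directory Changes is NOT granted to $syncAccount on $domainDn" }

# Group membership and local admin rights only apply to new logon tokens: reboot the sync host
# Restart-Computer -ComputerName SP-SYNC01 -Force   # assumed sync host name
```

The verification step is the part worth keeping in a runbook: it reads the ACL back instead of trusting that the grant succeeded, and it checks the specific rights GUID rather than a generic "write" permission, which is what a later troubleshooting session would otherwise have to rediscover through the ULS log.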

Page 20: Identity Management in SharePoint 2013

Optional: NetBIOSDomainNamesEnabled
• Necessary when the NetBIOS name of the domain is not equal to the fully qualified domain name
• Example: fully qualified domain name: corporation.int; NetBIOS domain name: CORP

Page 21: Identity Management in SharePoint 2013

Configure and start UPS

• PowerShell: Use a PowerShell script to configure and start the user profile synchronization service
• Use farm account: Log in as the farm account before you try to start the synchronization
• Run as Administrator: Run the SharePoint Management Shell as Administrator
• Be patient: Even under normal circumstances this operation might take some time
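As an added example for the NetBIOSDomainNamesEnabled slide and this one (not the presenter's script), the following PowerShell first checks the two preconditions from the slide (logged in as the farm account, shell elevated), sets NetBIOSDomainNamesEnabled on the UPA while no synchronization connection exists yet (the property must be set before the first connection is created), binds the synchronization service on the sync host to the UPA with the farm account, starts it and then polls until the instance reports Online. The farm account CORP\svc_farm and the sync host name SP-SYNC01 are assumptions; CORP / corporation.int come from the slide's example.

```powershell
# Added example, not from the session: set the NetBIOS flag, then start the sync service.
# Assumed names: farm account CORP\svc_farm, sync host SP-SYNC01.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = "CORP\svc_farm"
$syncHost    = "SP-SYNC01"

# Pre-flight checks from the slide: running as the farm account, in an elevated shell
$currentUser = "$env:USERDOMAIN\$env:USERNAME"
if ($currentUser -ne $farmAccount) { throw "Log in as the farm account $farmAccount (you are $currentUser)." }
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object -TypeName System.Security.Principal.WindowsPrincipal -ArgumentList $identity
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run the SharePoint Management Shell as Administrator."
}

$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
if (-not $upa) { throw "No User Profile Service Application found; create it first." }

# NetBIOS name CORP differs from FQDN corporation.int: enable the flag on the UPA
# before the first synchronization connection is created, otherwise it has no effect
if (-not $upa.NetBIOSDomainNamesEnabled) {
    $upa.NetBIOSDomainNamesEnabled = $true
    $upa.Update()
    "NetBIOSDomainNamesEnabled set on '$($upa.DisplayName)'"
}

# Tell the UPA which server runs synchronization and which account the service uses
$syncInstance = Get-SPServiceInstance -Server $syncHost |
    Where-Object { $_.TypeName -eq "User Profile Synchronization Service" }
$secure = Read-Host -Prompt "Password for $farmAccount" -AsSecureString
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$upa.SetSynchronizationMachine($syncHost, $syncInstance.Id, $farmAccount, $plain)
$plain = $null

Start-SPServiceInstance $syncInstance | Out-Null

# Be patient: provisioning the FIM services behind the instance can take a long time
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $status = (Get-SPServiceInstance -Identity $syncInstance.Id).Status
    "$(Get-Date -Format HH:mm:ss)  User Profile Synchronization Service: $status"
} while ($status -ne "Online" -and (Get-Date) -lt $deadline)

if ($status -ne "Online") {
    Write-Warning "Instance still '$status' after 30 minutes; check permissions, the ULS log and the FIM services."
}
```

The script deliberately does not create a synchronization connection: the next slide recommends configuring connections in Central Administration rather than with PowerShell.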

Page 22: Identity Management in SharePoint 2013

Profile properties and timer job
• Configure any additional profile properties you need
• Configure export of profile properties if necessary (remember the "Create Child Objects" permission)
• Use Central Administration to configure the synchronization connection, not the PowerShell cmdlets
• Configure all necessary connections

Page 23: Identity Management in SharePoint 2013

Profile properties and timer job (contd.)
• From Central Administration run a full synchronization
• Set the interval in which the incremental sync should run
• Remove the farm account from the local admin role on the sync host

Page 24: Identity Management in SharePoint 2013

ADDITIONAL TIPS

Page 25: Identity Management in SharePoint 2013

Best practices
• Clean up your directory service
• Specify the domain controller to synchronize with
• Make friends with the directory service administrator
• Restart the sync service after installing updates
• Check timer job settings

Page 26: Identity Management in SharePoint 2013

Troubleshooting

• Check permissions
  • Most problems when deploying user profile synchronization are caused by wrong permission settings
• Event Log
  • The Windows Event Log might contain additional information about what is going wrong
• ULS Log
  • Use the ULS logs (in conjunction with a ULS Viewer) to find proper error messages
• MIISClient
  • Use C:\Program Files\Microsoft Office Servers\15.0\Synchronization Service\UIShell\miisclient.exe on the synchronization host to see FIM messages.
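The following read-only health check is an added example for the "Check timer job settings" best practice and the troubleshooting slide; it is not from the session. Run on the sync host, it reports the state of the two User Profile service instances, the two FIM Windows services, the profile synchronization timer jobs with their schedules and last run, the recent ULS errors, and the recent Application event log entries from FIM. It changes nothing, so it is safe to run before opening miisclient.exe. The event log provider name and the ULS message pattern are assumptions; adjust them to what Event Viewer and your ULS viewer actually show.

```powershell
# Added example, not from the session: read-only health check on the synchronization host.
# Assumptions: run on the sync host; FIM event log provider name; ULS message pattern.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$since = (Get-Date).AddHours(-1)

"=== 1. SharePoint service instances on $env:COMPUTERNAME ==="
Get-SPServiceInstance -Server $env:COMPUTERNAME |
    Where-Object { $_.TypeName -like "User Profile*" } |
    Select-Object TypeName, Status | Format-Table -AutoSize

"=== 2. FIM Windows services (look only, never start or stop them by hand) ==="
Get-Service -Name FIMService, FIMSynchronizationService -ErrorAction SilentlyContinue |
    Select-Object Name, Status | Format-Table -AutoSize

"=== 3. Profile synchronization timer jobs: schedule and last run ==="
# DisplayName pattern is an assumption; it matches the full and incremental sync jobs of the UPA
Get-SPTimerJob |
    Where-Object { $_.DisplayName -like "*User Profile*Synchronization*" } |
    Select-Object DisplayName, @{ n = "Schedule"; e = { $_.Schedule.ToString() } }, LastRunTime, Status |
    Format-Table -AutoSize

"=== 4. ULS: critical/unexpected entries mentioning profiles or FIM in the last hour ==="
Get-SPLogEvent -StartTime $since |
    Where-Object { $_.Level -match "Critical|Unexpected" -and $_.Message -match "profile|FIM|synchroniz" } |
    Select-Object Timestamp, Category, Level, Message | Format-Table -AutoSize -Wrap

"=== 5. Windows Application log: FIM synchronization service entries in the last hour ==="
# Provider name is an assumption; check the Source column in Event Viewer if nothing is returned
Get-WinEvent -FilterHashtable @{ LogName = "Application"; ProviderName = "FIMSynchronizationService"; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap
```

If section 2 shows a FIM service stopped while section 1 reports the synchronization instance as Online, resolve it through the SharePoint service instance (stop and start it in Central Administration or with Stop-SPServiceInstance / Start-SPServiceInstance), which is the supported way to restart the sync service after installing updates, rather than through the services applet that the next slide warns against.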

Page 27: Identity Management in SharePoint 2013

A couple of things you should never do...

• Use the Farm Configuration Wizard to configure and start the user profile service application in STAGE and PROD environments
• Start or stop the FIM services manually
• Do any changes to the FIM services using the services applet
• Use the MIISClient to do any changes
• Use the farm account as a synchronization account

Page 28: Identity Management in SharePoint 2013

Summary

• Identity Management
  • Is the starting point for the implementation of the User Profile Synchronization.
• User Profile Service Application
  • Depends on the Managed Metadata Service Application and is necessary for a lot of services and functionalities in SharePoint 2013
• User Profile Synchronization
  • All in all a straightforward process, but depends on the correct permission settings and the account you are using to activate synchronization.
• Best practices

Page 29: Identity Management in SharePoint 2013

questions?

WWW.ADRIT.DE/BLOG

@ADRASKOVIC

Page 30: Identity Management in SharePoint 2013

thank you.

SHAREPOINT AND PROJECT CONFERENCE ADRIATICS 2013

ZAGREB, NOVEMBER 27-28 2013