17-20 OCTOBER 2011
DURBAN ICC
Collaborating with Extranet Partners on SharePoint 2010 OFC306
Michael Noel – Convergent Computing
Michael Noel
• Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed”, “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed”, “ISA Server 2006 Unleashed”, and many other titles.
• Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security
What we’ll cover
• Why an Extranet?
• SharePoint 2010 Extranets
• Extranet Architecture Options
• Claims-based Authentication
• Forefront Unified Access Gateway (UAG) for extranets
• Forefront Identity Manager for Identity Management in an Extranet
Why an Extranet?
• Security Isolation
– Isolation of Data
– Less Exposure, Perimeter Network Scenarios
• Partner Collaboration
– Share SP Content with External Partners
– Control Partner Accounts
Anonymous Customer Scenarios are not Extranets
SharePoint 2010 Extranets
• Claims-based Authentication Support
• Multiple Authentication Providers
• Better Scalability (Services Architecture)
– Goodbye SSP!
– Server Groups
– Services Applications
• Multiple Authentication Types per Web Application
Sample Extranet Architecture
Design around Security Requirements
• Scenario 1: Extranet and Internal Users in Single Farm
– 1A: Single Web App / Single Site Collection
– 1B: Single Web App / Separate Site Collections
– 1C: Multiple Web Apps / Content DBs
– 1D: Separate App Pool / Service App Group
• Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests
• Scenario 3: Extranet and Internal Users in Multiple Farms / One-Way Trust
• Scenario 4: Extranet and Internal Users in Separate Farms / Claims-based Auth for Internal Access to Extranet
• Scenario 5: Extranet and Internal Users in Separate Farms / No Access for Internal Accounts to Extranet
• Scenario 6: Separate Farms / AD FS Federation for Extranet Auth
(diagram scale alongside the list: Less Security → More Security)
Extranet Scenario 1: Extranet and Internal Users in Single Farm
– 1A: Single Web App / Single Site Collection
– 1B: Single Web App / Separate Site Collections
– 1C: Multiple Web Apps / Content DBs
– 1D: Separate App Pool / Service App Group
Extranet Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests
Extranet Scenario 3: Extranet and Internal Users in Multiple Farms and Perimeter Network / One-Way Trust
Extranet Scenario 4: Extranet and Internal Users in Separate Farms / Claims-based Auth Provider for Internal Auth to Extranet
Extranet Scenario 5: Extranet and Internal Users in Separate Farms / No Access for Internal Accounts to Extranet
Extranet Scenario 6: Separate Farms / AD FS Federation for Extranet Auth
Extranet Notes
One-Way Trust Scenarios
• People Picker needs to be configured to crawl the domain if it doesn’t trust the domain where the SharePoint farm is installed.
• Only with STSADM (rare exception when you can’t use PowerShell)
• Example Syntax:
– stsadm.exe -o setapppassword -password AnyPassw0rd
– stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://extranet.companyabc.com
– stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://spcaext.companyabc.com
• Syntax is critical
• Run against all web apps
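The following script is an added example, not part of the slides: it applies the same two stsadm operations to every web application in the farm and reads the property back, so the "run against all web apps" step is not done by hand. It assumes the SharePoint 2010 Management Shell on a farm server, a farm administrator session, and the domains and service account shown on the slide; the prompts for the passwords are an addition so that credentials are not embedded in the script.

```powershell
# Added example, not from the slides: apply the People Picker one-way-trust configuration
# to every web application in the farm, using the same stsadm operations the slide shows.
# Assumes: SharePoint 2010 Management Shell on a farm server, run as a farm administrator;
# the domains and the service account COMPANYABC\svc_sppplpick are taken from the slide.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# stsadm lives in the 14 hive; there is no PowerShell cmdlet for peoplepicker-searchadforests.
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe'

# Prompt for secrets rather than embedding them in the script as the slide's one-liners do.
$appPassword = Read-Host 'Application password (setapppassword)'
$svcCred     = Get-Credential 'COMPANYABC\svc_sppplpick'
$svcPassword = $svcCred.GetNetworkCredential().Password

# The application password encrypts the credentials stored by setproperty below.
# It must be set to the same value on every server in the farm.
& $stsadm -o setapppassword -password $appPassword

# companyabc.com is queried with explicit credentials because the trust is one-way;
# extranetabc.com, the farm's own domain, needs none.
$forests = "domain:companyabc.com,$($svcCred.UserName),$svcPassword;domain:extranetabc.com"

# The property is stored per web application, so run against all web apps.
foreach ($wa in Get-SPWebApplication) {
    & $stsadm -o setproperty -pn peoplepicker-searchadforests -pv $forests -url $wa.Url
    if ($LASTEXITCODE -ne 0) { Write-Warning "setproperty failed for $($wa.Url)" }
    # Read the value back to confirm the syntax was accepted
    & $stsadm -o getproperty -pn peoplepicker-searchadforests -url $wa.Url
}
```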
Design for Clientless Access to SharePoint
• Services Applications for Extranet Clients:
– Word Services
– Excel Services
– Visio Services
– Access Services
– InfoPath Forms Services
• Allows ‘Clientless’ access to SharePoint content, for Extranet partners without Office
Standard Requirements Apply to Extranets as well
• SharePoint-aware Antivirus
– i.e. Forefront Protection for SharePoint
• SharePoint-aware Backup and Restore
– i.e. System Center Data Protection Manager (DPM) 2010
• Rights Management?
– Active Directory Rights Management Services (AD RMS)
Content Deployment with Extranets
Claims-based Authentication
Claims-Based Auth
• SharePoint doesn’t actually Authenticate Users, it relies on IIS or other providers
• SharePoint 2010 Allows for Classic and Claims-based Auth Scenarios
• Classic Authentication is similar to SharePoint 2007
• Claims based Auth adds the following key benefits:
– Allows for Multiple Authentication Types per Web Application Zone
– Removes SharePoint from the Authentication Provider
– Allows for federation between organizations (AD FS, etc.) scenarios
– Does not require Kerberos Delegation
• Current limitations with Claims-based auth involve SQL Reporting Services, PowerPivot, PerformancePoint, and other SQL tools that require delegation. These appear to be fixed in SQL 2012.
• Remember the difference between Authentication and Authorization…
Classic vs. Claims-based Auth
Type: Classic-mode authentication / Claims-based authentication
• Windows (NTLM, Kerberos, Anonymous, Basic, Digest): Yes / Yes
• Forms-based authentication (LDAP; SQL database or other database; custom or third-party membership and role providers): No / Yes
• SAML token-based authentication (AD FS 2.0; third-party identity provider; LDAP): No / Yes
Mixed-Mode vs. Multi-Authentication
Example: Partner Environment with Multiple Auth Types on single W.A.
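As an added example (not code from the slides), the script below builds the partner web application just described: a single claims-based web app whose Default zone accepts both Windows logins for internal users and forms-based logins for partners. It assumes the SharePoint 2010 Management Shell, a farm administrator, and placeholder names for the membership/role providers and the application pool account.

```powershell
# Added example, not from the slides: create one claims-based web application whose Default
# zone accepts both Windows (NTLM) logins for internal users and forms-based logins for partners.
# Assumes: SharePoint 2010 Management Shell, farm administrator; the membership/role provider
# names ExtranetMembers/ExtranetRoles and the app-pool account are placeholders. The providers
# must also be registered in the web.config of this web app, Central Administration and the
# SecurityTokenServiceApplication, which this script does not do.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Provider 1: Windows claims (NTLM only; Kerberos is disabled here for simplicity)
$winAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos

# Provider 2: forms-based authentication backed by an ASP.NET membership/role provider
# (e.g. a SQL table of partner accounts that never touch the internal AD)
$fbaAuth = New-SPAuthenticationProvider -ASPNETMembershipProvider 'ExtranetMembers' `
                                        -ASPNETRoleProviderName 'ExtranetRoles'

$poolAccount = Get-SPManagedAccount 'COMPANYABC\svc_spextranet'   # placeholder managed account

# Passing more than one provider to a single web application is what makes it
# "multi-authentication" rather than SharePoint 2007-style mixed-mode (one type per zone).
$wa = New-SPWebApplication -Name 'Extranet Collaboration' `
        -Url 'https://extranet.companyabc.com' -Port 443 -SecureSocketsLayer `
        -HostHeader 'extranet.companyabc.com' `
        -ApplicationPool 'ExtranetAppPool' -ApplicationPoolAccount $poolAccount `
        -AuthenticationProvider $winAuth, $fbaAuth

# Verify: the web app is in claims mode and the Default zone lists both providers.
$wa.UseClaimsAuthentication
$defaultZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa.IisSettings[$defaultZone].ClaimsAuthenticationProviders | Select-Object DisplayName

# Partner accounts then appear as claims identities such as i:0#.f|ExtranetMembers|partnerlogin,
# keeping them out of the internal AD DS forest.
```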
Forefront Unified Access Gateway
UAG Architecture (diagram): clients on the Internet (Business Partners / Sub-Contractors, Home / Friend / Kiosk, Employees on Managed Machines, Mobile) reach UAG over HTTPS (443), DirectAccess or a Layer 3 VPN. UAG sits in front of the Data Center / Corporate Network, with AD, ADFS, RADIUS, LDAP, NPS and ILM as back-end identity stores, and publishes Exchange, CRM, SharePoint, IIS-based applications, IBM, SAP, Oracle, Terminal / Remote Desktop Services and non-web applications over HTTPS / HTTP.
What about TMG? (New ISA)
Capability: TMG 2010 / UAG 2010
• Publish Web applications using HTTPS: X / X
• Publish internal mobile applications to roaming mobile devices: X / X
• Layer 3 firewall: X / X*
• Outbound scenarios support: X / X*
• Array support: X / –
• Globalization and administration console localization: X / –
• Wizards and predefined settings to publish SharePoint sites and Exchange: X / X
• Wizards and predefined settings to publish various applications: – / X
• Active Directory Federation Services (ADFS) support: – / X
• Rich authentication (for example, one-time password, forms-based, smart card): X / X
• Application protection (Web application firewall): Basic / Full
• Endpoint health detection: – / X
• Information leakage prevention: – / X
• Granular access policy: – / X
• Unified Portal: – / X
Forefront Identity Manager
Identity and Access Management (diagram): Secure Messaging, Secure Endpoint, Secure Collaboration, Active Directory® Federation Services, Information Protection
Manage SharePoint Identities
• Create Multiple Authentication Providers for SharePoint Farms
– AD DS Forests (Extranet forests)
– AD LDS Authentication Providers
– SQL Table (FBA) Authentication Sources
– LDAP Providers
– Etc…
• Keep those Authentication Providers Managed
Identity Management: User provisioning for SharePoint and other Applications
(diagram: HR System → FIM Workflow → Manager; User Enrollment → Approval → User provisioned on all allowed systems: Active Directory, Extranet Forest, Test Forest, FBA Table, LOB App)
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users
Identity Management: User de-provisioning
(diagram: HR System → FIM Workflow; User de-provisioned → User de-provisioned or disabled on all systems, including VPN)
• Automated user de-provisioning
• Built-in workflow for identity management
• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
Identity Synchronization and Consistency: Identity synchronization across multiple directories
(diagram: the same person is stored with the attributes givenName, sn, title, mail, employeeID and telephone in Active Directory, Extranet Forest, Test Forest, FBA Table, LOB App, VPN, HR System, LDAP, Extranet AD and Internal AD, but inconsistently: “Sammy Dearling” with employeeID 008, “Samara Darling” 007, “Sam Dearing, Intern” 007, “Samantha Dearing” 007, Coordinator, 555-0129. FIM Identity Data Aggregation produces a single record: givenName Samantha, sn Dearing, title Coordinator, employeeID 007, telephone 555-0129)
Identity Synchronization and Consistency: Identity consistency across multiple directories
(diagram: Attribute Ownership for FirstName/LastName, EmployeeID, Title and Telephone is defined per source system among HR System, LDAP, Extranet AD and Internal AD. FIM Identity Data Brokering (Convergence) takes the conflicting records “Sammy Dearling” 007, “Samara Darling” 007, “Sam Dearing, Intern” 007 and “Bob Dearing” 007, Coordinator, 555-0129, and writes the converged values back to every directory: givenName Samantha, sn Dearing, title Coordinator, employeeID 007, telephone 555-0129)
Customizable Identity Portal
How you extend it
SharePoint-based Identity Portal for Management and Self Service
• Add your own portal pages or web parts
• Build new custom solutions
• Expose new attributes to manage by extending FIM schema
• Choose SharePoint theme to customize look and feel
Strong Authentication – Certificate Authority
• Streamline deployment by enrolling user and computer certificates without user intervention
• Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
• Can be used to automate Certificate management for dual factor auth approaches to SharePoint logins
(diagram: HR System, FIM, FIM CM, Active Directory Certificate Services (AD CS), End User with SmartCard or User ID and Password)
• User Enrollment and Authentication request sent by HR System
• FIM policy triggers request for FIM CM to issue certificate or SmartCard
• User is validated using multi-factor authentication
• FIM Certificate Management (CM) requests certificate creation from AD CS
• Certificate is issued to user and written to either machine or smart card
FIM for Extranet Forest Mgmt
• Internal AD DS Forest
• DMZ Extranet AD DS Forest
• FIM Auto-provisions certain user accounts in Extranet forest and keeps Passwords in Sync to allow Internal users to access/collaborate with Partners
• FIM allows Self-Service Portal Access for Extranet user accounts in the partner forest
• Two-factor Auth scenarios, to automate provisioning of user accounts AND certificates to systems
FIM for Role Based Access Control
• FIM is central to RBAC Strategy
• Can auto-add users to Groups based on RBAC Criteria
• HR Defines a user’s access based on their role
• FIM auto-adds that user to specific Role Groups in AD DS, which are tied to SharePoint Groups that have the rights that role group requires.
(diagram: User1, User2 → Role Group → SharePoint Group)
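The role-group-to-SharePoint-group binding above, as an added example that is not from the slides: the script creates the SharePoint group with the permission level the role needs and adds the AD DS role group (whose membership FIM maintains) to it, so access follows FIM without per-user entries in SharePoint. It assumes the SharePoint 2010 Management Shell, a claims-based web app, the root web of the site collection, and placeholder group names and permission level.

```powershell
# Added example, not from the slides: tie an AD DS role group (kept populated by FIM) to a
# SharePoint group that carries the rights the role needs, so FIM group membership decides access.
# Assumes: SharePoint 2010 Management Shell, a claims-based web app, and the root web of the site
# collection; the group names and the Contribute level are placeholders for this example.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = 'https://extranet.companyabc.com'
$roleGroup = 'COMPANYABC\Role-ProjectCoordinators'   # AD DS role group, membership managed by FIM
$spGroup   = 'Project Coordinators'                  # SharePoint group holding the rights
$permLevel = 'Contribute'

$web = Get-SPWeb $siteUrl
try {
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $spGroup }
    if (-not $group) {
        # Create the SharePoint group once and bind it to the permission level the role requires
        $web.SiteGroups.Add($spGroup, $web.Site.Owner, $null, "Rights for AD role group $roleGroup")
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $spGroup }
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
        $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$permLevel])
        $web.RoleAssignments.Add($assignment)
        $web.Update()
    }

    # In claims mode a Windows security group is addressed by an encoded claim (c:0+.w|<SID>),
    # so the SID, not the display name, is what SharePoint stores and later matches at login.
    $claim = New-SPClaimsPrincipal -Identity $roleGroup -IdentityType WindowsSecurityGroupName
    New-SPUser -UserAlias $claim.ToEncodedString() -Web $web -Group $spGroup | Out-Null

    # Verify: the SharePoint group now contains the role group; users never need direct entries
    $group.Users | Select-Object LoginName, DisplayName
} finally {
    $web.Dispose()
}
```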
Session Summary
• Understand the Extranet Design Options for 2010
• Keep Extranet Accounts out of local AD
• Determine how Identities will be Managed
• Use FIM for Identity Management, Self-Service, and Provisioning/Deprovisioning of Extranet Accounts
• Use UAG to secure inbound access to extranets/intranets
Sponsored by MVA
http://microsoftvirtualacademy.com
Creating the future together
Thanks for attending! Questions?
Michael Noel – Twitter: @MichaelTNoel
www.cco.com – Slides: slideshare.net/michaeltnoel