Flowing Identity in the Microsoft BI Stack using Claims-based Authentication


White Paper
Matt Youngstrom, Greg Moser, Jared Zagelbaum

If you are adopting Active Directory Federation Services () as a method of user authentication for and desire to implement role based (per-user) security with Microsoft Business Intelligence (BI) tools accessing enterprise data sources, one challenge you'll find is bridging the gap between SAML-based authentication used by and the proprietary Windows Authentication used by enterprise data sources, like SQL Server Analysis Services (SSAS).

This problem is important because more and more organizations are adopting claims-based authentication for internal and/or external user access. Any back-end system that does not support SAML claims can become inaccessible without implementing some kind of translation system between SAML and the system's native authentication mechanism. Custom solutions can be created, but they can be cumbersome to manage. Also, user mapping is error prone and introduces another point of failure.

Introduction

The complexity required in translating authentication methods can be mitigated if one is willing to accept a many-to-one mapping of users to a single service account. However, along with the reduced management headaches, you also lose the ability to track usage and restrict authorization at a per-user level. This can be an unacceptable risk, especially if you are in a heavily regulated business in which security and data privacy compliance is of utmost importance. Even in less regulated environments, the practice of mapping roles to service accounts requires that multiple copies of each data visualization definition be maintained, one for each unique emulated role. It is better to leverage the out-of-the-box (OOTB) data security included in enterprise tools like SSAS and maintain this security at the source layer. This ensures that the visualization tools used by developers or business users are the consumers of security, and are not entrusted with the role of enforcing data authorization.

This white paper looks at the SAML to proprietary problem within the context of, SharePoint, and SSAS. It will examine the problem in detail, show a solution, and provide a roadmap for its implementation. It does not provide instructions for installing the various components; references will be made to the relevant TechNet articles within the context of this white paper for installation instructions.

Examining the Issue

Traditionally, Single-Sign-On (SSO) solutions provide drivers that allow a user's identity to be translated into a format that the target system requires. As an SSO solution, is different in that it only interacts with other systems using SAML. While SAML succeeds in simplifying proprietary authentication methods into a single cross-platform standard, it also requires that all target systems implement SAML, which is not yet a reality.

SharePoint is able to work with SAML authentication. Whereas in 2010 it was an option, in all users are only represented in SAML internally to SharePoint regardless of the originating authentication mechanism. When a SharePoint service application like Excel Services needs to authenticate with an external system that does not support SAML claims (in this case SSAS), a service running in SharePoint called the Claims to Windows Token Service (C2WTS) converts the user's SAML claim back to a Windows token. But the C2WTS will not convert just any SAML claim to a Windows token; it is hard-coded to verify that the SAML claim was generated based on a Windows token. If not, no Windows token is generated and authentication with SSAS fails.

The following diagram summarizes this process by illustrating what happens when a user authenticated with a Windows token accesses an Excel workbook (with an SSAS data source and a specified per-user connection) through Excel Services. Notice the presence of the Secure Token Service (STS), which is responsible for initially converting the user's Windows token into a SAML token for SharePoint consumption. This is an internal, OOTB process to SharePoint, and is different from the STS that can be created by an administrator at the farm level to map user ids to stored credentials (which in our case defeats the purpose of what we are trying to accomplish).

[Diagram: desktop (Internet browser, Excel workbook) and server components (web front-end with Excel Web Access, Secure Token Service, app server with Excel Services and the Excel workbook, content database, Claims to Windows Token Service, SSAS, domain controller (AD) with Kerberos constrained delegation configured). The request path is numbered 1 to 4, labelled IPrincipal and IClaimsPrincipal.]

If the authentication method originating with the request is not Windows Authentication (at #1 above), such as, the orange line effectively stops at #4 (though in actuality an anonymous Windows Token is generated despite failing to create a Windows token for the user and that anonymous token is passed to SSAS instead).

The Solution

Because is of concern, we need to transition from -generated SAML Claims to Windows Tokens prior to authenticating to SharePoint. In other words, what is needed is this:

[Diagram: -generated SAML claim -> Windows token -> SharePoint-generated SAML claim -> Windows token -> SSAS]

One way to solve this problem is using a reverse proxy server that would inspect the incoming request, reformulate it, and pass it on to the target application, which in this case is SharePoint. Microsoft has had products that provided such functionality, such as the Unified Access Gateway (UAG). However, UAG is expensive, bulky, and slated for retirement. Fortunately, in the latest incarnation of, dubbed R2, a new feature has been added called the (WAP) which is capable of meeting our solution requirements.

The new WAP server role's purpose is to proxy authentication requests to designated applications on behalf of (utilizing Kerberos constrained delegation) and redirect the user if successfully authenticated. These target applications can use SAML for authentication or Windows Authentication. In the case of the latter, WAP converts the SAML Token into a Windows Token before forwarding the request onto the target application. Given our scenario, this is exactly what is needed.

Implementation

To prove that this does indeed work, an environment was built utilizing Windows Azure for infrastructure. The following diagram shows the server farm and its components:

[Diagram: server farm. Data warehouse / BI server (SQL Server 2012 SP1 Enterprise: DB engine, SSAS); web front-end/application server; SharePoint content database server (SQL Server 2012 SP1 Enterprise); two servers labelled 2012 R2; primary and backup domain controllers; HTTPS endpoint; Internet.]

The process was tested using a SharePoint Business Intelligence site with an Excel workbook connected to an SSAS Cube (specifying a per-user connection). The diagram below describes what happens when the user tries to authenticate to the SharePoint site and access the Excel workbook (note that the internet's DNS would be updated such that requests to the SharePoint-enabled web application are directed to the WAP but for the sake of the POC, we configured our local hosts file in lieu of making internet DNS changes):

[Diagram: the server farm shown above, with the authentication hops labelled SAML or Windows and numbered to match the steps below.]

1) When browsing to the site's URL, the login screen for appears (either the out-of-the-box screen or a custom login screen) as though the user was logging into. When the user enters credentials, the WAP authenticates against the directory and then, if authentication is successful, and if the proxy is configured to redirect to a Windows authentication-enabled web application, it converts the generated SAML token to a Windows token and passes the Windows token to the target SharePoint Windows authentication-enabled web application.

2) SharePoint then takes the Windows token and converts it back to a SAML token for internal use via its own internal STS. When a request is made to view an Excel workbook with a connection specifying per-user identity to an SSAS Cube, Excel Services utilizes the C2WTS to convert the SharePoint-generated SAML token successfully back to a Windows token (because in this case the SAML token was generated based on a Windows token).

3) Authentication then proceeds to SSAS which, if the user has the appropriate access, is successfully authenticated using Windows authentication.

Another way of looking at this:

[Diagram: SPWEBAPP1 (web front-end and app server, web app), two servers labelled R2, and the login page, with arrows numbered 1 to 6 matching the steps below.]

1) The user navigates to the URL of the target application and is directed to the WAP
2) The WAP communicates with the server and redirects the user to
3) displays the login page
4) The user enters credentials
5) If authenticated, communicates back to the WAP that it's OK to redirect to the target site
6) The WAP passes the user's credentials to the SharePoint web application and proxies subsequent HTTP requests to and from SharePoint

Installation

As was mentioned in the introduction, detailed instructions for installation are not provided. Please refer to the following TechNet articles for, WAP, and installation planning and instructions.

dd807092(v=ws.10).aspx
WAP on Azure IaaS
aspx?id=38428

Configuration

While you can gain most of what you need to know from the installation documentation, the following configuration areas were not straightforward, and so they are detailed here for your reference. Keep in mind that the amount of configuration depends on how the environment is scaled to meet usage demands, so in some ways this is only representative of the environment noted above and not for your particular implementation. Nonetheless, the environment referenced in this white paper is intentionally simple, and allows you to easily extrapolate what you need from the basic artifacts it contains.

Kerberos

In order for the initial SAML token from to be converted to a Windows token, the target web application must be configured for Windows authentication. But the environment as a whole needs to be configured for Kerberos and specifically for constrained delegation. While a discussion on Kerberos is beyond the scope of this post, here is a high-level overview of the configuration:

1) Service Principal Names (SPN) needed to be set up for the following:
   a. The target SharePoint web application
   b. The SSAS service
2) Both the WAP and the servers need to be able to delegate to the target SharePoint web applications.
3) Excel Services needs to be able to delegate to SSAS.
4) The C2WTS needs to be able to delegate to SSAS.

The following diagram shows this in more detail:

[Diagram: servers, service accounts, SPNs and constrained delegation, as listed below.]

Servers and service accounts:
   SPWEBAPP1 (web front-end and app server)
      Web app pool service account: DOMAIN\SP_FARM_DB
      Excel Service app pool service account: DOMAIN\SP_BI*
   Claims to Windows Token Service (C2WTS) service account: DOMAIN\C2WTS*
   SQLBI1 (data warehouse / BI, SQL Server 2012 SP1 Enterprise)
      SSAS service account: DOMAIN\SQLBISERVICE
   WEBPROXY1 (R2)
   1 (R2)

SPNs:
   MSOLAPSVC.3/SQLBI1.int   DOMAIN\SQLBISERVICE
   MSOLAPSVC.3/SQLBI1       DOMAIN\SQLBISERVICE
   HTTP/spwebapp1.int       DOMAIN\SP_FARM_DB
   HTTP/spwebapp1           DOMAIN\SP_FARM_DB

Constrained delegation:
   SERVICE ACCOUNT: DOMAIN\C2WTS -> MSOLAPSVC.3/SQLBi1
   SERVICE ACCOUNT: DOMAIN\SP_BI -> MSOLAPSVC.3/SQLBi1
   COMPUTER: WEBPROXY1 -> HTTP/SPWEBAPP1
   COMPUTER: 1 -> HTTP/SPWEBAPP1

* 2 "dummy" SPNs must be created for DOMAIN\SP_BI and DOMAIN\C2WTS so that the delegation tab appears in the account properties in the Active Directory Users and Computers snap-in OR utilize PowerShell to configure constrained delegation.
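The SPN and delegation settings listed above, scripted with the ActiveDirectory PowerShell module and then read back to confirm that each account is constrained to exactly the intended target. This is an added example, not part of the original white paper: it assumes protocol transition ("Use any authentication protocol") is wanted on every delegating account because the incoming credential is a claim rather than a Kerberos ticket, and `$FederationServer` is a placeholder because that server's name is elided on the page.

```powershell
# Added example, not from the white paper. Account, host and SPN names are the
# ones in the diagram above; $FederationServer is a placeholder.
Import-Module ActiveDirectory

$SsasSpn          = 'MSOLAPSVC.3/SQLBI1'
$WebAppSpn        = 'HTTP/spwebapp1'
$FederationServer = '<federation-server-name>'   # placeholder: not given on the page

# 1) SPNs for the target services. setspn -S checks for duplicates first.
#    Register the fully qualified forms from the diagram the same way.
setspn -S $SsasSpn   'DOMAIN\SQLBISERVICE'
setspn -S $WebAppSpn 'DOMAIN\SP_FARM_DB'

# 2) to 4) Who may delegate to what (the four delegation lines above).
$Delegations = @(
    @{ Account = Get-ADComputer 'WEBPROXY1';       Spn = $WebAppSpn }
    @{ Account = Get-ADComputer $FederationServer; Spn = $WebAppSpn }
    @{ Account = Get-ADUser 'SP_BI';               Spn = $SsasSpn }
    @{ Account = Get-ADUser 'C2WTS';               Spn = $SsasSpn }
)

function Set-ConstrainedDelegation {
    param($Account, [string[]]$Spn)
    # Writing the attribute directly needs no "dummy" SPN on the account.
    # -Replace keeps the list exact, so stale targets do not accumulate.
    Set-ADObject -Identity $Account.DistinguishedName `
        -Replace @{ 'msDS-AllowedToDelegateTo' = $Spn }
    # Assumption: protocol transition on, unconstrained delegation off.
    Set-ADAccountControl -Identity $Account.DistinguishedName `
        -TrustedForDelegation $false -TrustedToAuthForDelegation $true
}

function Test-ConstrainedDelegation {
    param($Account, [string[]]$ExpectedSpn)
    $obj = Get-ADObject -Identity $Account.DistinguishedName `
        -Properties 'msDS-AllowedToDelegateTo', userAccountControl
    $actual = @($obj.'msDS-AllowedToDelegateTo')
    $uac    = $obj.userAccountControl
    [pscustomobject]@{
        Account            = $obj.Name
        # 0x80000 = TRUSTED_FOR_DELEGATION: may impersonate to any service.
        Unconstrained      = [bool]($uac -band 0x80000)
        # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
        ProtocolTransition = [bool]($uac -band 0x1000000)
        # Comparison is case-insensitive (SQLBi1 and SQLBI1 match).
        UnexpectedTargets  = @($actual | Where-Object { $_ -notin $ExpectedSpn })
        MissingTargets     = @($ExpectedSpn | Where-Object { $_ -notin $actual })
    }
}

foreach ($d in $Delegations) {
    Set-ConstrainedDelegation  -Account $d.Account -Spn $d.Spn
    Test-ConstrainedDelegation -Account $d.Account -ExpectedSpn $d.Spn
}
```

Any row with `Unconstrained` set to True or a non-empty `UnexpectedTargets` means the account can impersonate users to more services than this design requires.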

Domain Name System

The internet domain name system (DNS) needs to be configured such that:

1) The domain name for the SharePoint web application is mapped to the IP address of the WAP
2) The domain name for the server is mapped to the IP address of the WAP

SharePoint Domain Name -> IP Address of WAP
Domain Name -> IP Address of WAP

Secure Sockets Layer

In general, it is recommended to utilize SSL whenever possible. For the purposes of the WAP and, however, two certificates for SSL are required for securing the wire between:

1) the WAP and
2) the WAP and the SharePoint Web Application

Without these certificates, the WAP will not communicate with either system. SSL encryption elsewhere is not required, but recommended.

[Diagram: the six-step flow between SPWEBAPP1 (web front-end and app server, web app), the two R2 servers and the login page, with each hop labelled SSL and the SharePoint SSL certificate and the second SSL certificate marked.]

Both certificates must be installed in the "Personal" as well as "Trusted Root Certification Authorities" in the Computer Certificates snap-in on the WAP.
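The certificate requirement above, checked on the WAP server before the SharePoint web application is published with pre-authentication and a Kerberos back end. This is an added example, not part of the original white paper: the URL, relying party name and thumbprint are constructed or placeholder values, and it assumes a matching non-claims-aware relying party trust already exists on the federation server.

```powershell
# Added example, not from the white paper. Run on the WAP server (WEBPROXY1).
$Url          = 'https://bi.example.com/'    # constructed; DNS maps it to the WAP
$BackendSpn   = 'HTTP/spwebapp1'             # SPN from the Kerberos section
$RelyingParty = 'SharePoint BI'              # hypothetical relying party trust name
$Thumbprint   = '<certificate-thumbprint>'   # placeholder

function Test-WapCertificate {
    param([string]$Thumbprint)
    # The white paper requires the certificate in both computer stores.
    $personal = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object Thumbprint -eq $Thumbprint
    $root     = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object Thumbprint -eq $Thumbprint
    [pscustomobject]@{
        InPersonal    = [bool]$personal
        InTrustedRoot = [bool]$root
        HasPrivateKey = [bool]($personal -and $personal.HasPrivateKey)
        Expired       = [bool]($personal -and $personal.NotAfter -lt (Get-Date))
    }
}

$check = Test-WapCertificate -Thumbprint $Thumbprint
if (-not ($check.InPersonal -and $check.InTrustedRoot -and $check.HasPrivateKey) `
        -or $check.Expired) {
    throw "Certificate $Thumbprint is not usable on this WAP: $check"
}

# Publish once. Each additional external SharePoint web application needs its
# own entry, as the conclusion of the white paper points out.
$existing = Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalUrl -eq $Url }
if (-not $existing) {
    Add-WebApplicationProxyApplication -Name 'SharePoint BI' `
        -ExternalPreauthentication ADFS `
        -ADFSRelyingPartyName $RelyingParty `
        -ExternalUrl $Url `
        -BackendServerUrl $Url `
        -ExternalCertificateThumbprint $Thumbprint `
        -BackendServerAuthenticationSPN $BackendSpn
}

# Audit: an application published as pass-through, or without a back-end SPN,
# never receives a Windows token from the WAP, so per-user identity stops there.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, ExternalPreauthentication,
        BackendServerAuthenticationSPN,
        @{ Name = 'FlowsIdentity'; Expression = {
            [bool]($_.ExternalPreauthentication -eq 'ADFS' -and
                   $_.BackendServerAuthenticationSPN) } }
```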

Conclusion

While this method bridges the gap between utilizing for login and Windows authentication for SharePoint, at the end of the day the WAP is a proxy. Clients never really access the target SharePoint site directly; all traffic is handled through the proxy. Each time a new web application in SharePoint is added that will be used externally, you will need to register it in the WAP configuration so that the WAP knows how to proxy requests based on their target addresses. Still, this is a fairly small price to pay for being able to utilize the strengths of -based authentication with the ability to use back-end systems that require credential delegation to operate correctly. The added peace of mind gained from being able to track SSAS access on a per-user basis is well worth the configuration and effort, especially if your business is highly regulated and depends on a well thought-out data privacy strategy.

About Magenic

Founded in 1995 by the same technical minds that still run the company, Magenic focuses on the Microsoft stack and mobile application development. Visit us at magenic.com or call us at to learn more or to engage Magenic today.


More information

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015 Federation At Fermilab Al Lilianstrom National Laboratories Information Technology Summit May 2015 About Fermilab Since 1967, Fermilab has worked to answer fundamental questions and enhance our understanding

More information

technical brief browsing to an installation of HP Web Jetadmin. Internal Access HTTP Port Access List User Profiles HTTP Port

technical brief browsing to an installation of HP Web Jetadmin. Internal Access HTTP Port Access List User Profiles HTTP Port technical brief in HP Overview HP is a powerful webbased software utility for installing, configuring, and managing networkconnected devices. Since it can install and configure devices, it must be able

More information

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac Making it easy to deploy, integrate and manage Macs, iphones and ipads in a Windows environment. Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac 2011 ENTERPRISE DEVICE

More information

Virtual Appliance Setup Guide

Virtual Appliance Setup Guide The Barracuda SSL VPN Vx Virtual Appliance includes the same powerful technology and simple Web based user interface found on the Barracuda SSL VPN hardware appliance. It is designed for easy deployment

More information

Introduction to the EIS Guide

Introduction to the EIS Guide Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment

More information

WorkEngine Pre-Deployment Checklist

WorkEngine Pre-Deployment Checklist 01.06.2011.01 Contents 1.0 Installer s Knowledge Pre-requisites... 1 2.0 Software Prerequisites... 1 3.0 Required Information Prior to Installation... 3 4.0 Client Desktop (Optional)... 4 1.0 Installer

More information

Google Apps SSO to Office 365 Integration

Google Apps SSO to Office 365 Integration KETS Google Apps SSO to Office 365 Integration Kentucky Department of Education Version 1.5 12/3/2014 Google Apps for Education (GAFE) + Microsoft Active Directory Integration Introduction Welcome to the

More information

How To Use Saml 2.0 Single Sign On With Qualysguard

How To Use Saml 2.0 Single Sign On With Qualysguard QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,

More information

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines Ameritas Single Sign-On (SSO) and Enterprise SAML Standard Architectural Implementation, Patterns and Usage Guidelines 1 Background and Overview... 3 Scope... 3 Glossary of Terms... 4 Architecture Components...

More information

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Implementation Guide SAP NetWeaver Identity Management Identity Provider Implementation Guide SAP NetWeaver Identity Management Identity Provider Target Audience Technology Consultants System Administrators PUBLIC Document version: 1.10 2011-07-18 Document History CAUTION Before

More information

AvePoint Meetings 3.2.2 for SharePoint On-Premises. Installation and Configuration Guide

AvePoint Meetings 3.2.2 for SharePoint On-Premises. Installation and Configuration Guide AvePoint Meetings 3.2.2 for SharePoint On-Premises Installation and Configuration Guide Issued August 2015 Table of Contents About AvePoint Meetings for SharePoint... 4 System Requirements... 5 2 System

More information

Kerberos planning, and then we're going to take a deep dive look at how we actually configure Kerberos for the relational database engine.

Kerberos planning, and then we're going to take a deep dive look at how we actually configure Kerberos for the relational database engine. Configuring and Securing Complex BI Applications in a SharePoint 2010 Environment with SQL Server 2012 Tom Wisnowski - Architect, Microsoft Consulting Service Hello. Welcome to Configuring and Securing

More information

How To Use Salesforce Identity Features

How To Use Salesforce Identity Features Identity Implementation Guide Version 35.0, Winter 16 @salesforcedocs Last updated: October 27, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of

More information

H3C SSL VPN RADIUS Authentication Configuration Example

H3C SSL VPN RADIUS Authentication Configuration Example H3C SSL VPN RADIUS Authentication Configuration Example Copyright 2012 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by

More information

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications Collaboration Technology Support Center - Microsoft - Collaboration Brief March 2005 Using SAP Logon Tickets for Single Sign on to Microsoft based web applications André Fischer, Project Manager CTSC,

More information

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES pingidentity.com EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES Best practices for identity federation in AWS Table of Contents Executive Overview 3 Introduction: Identity and Access Management in Amazon

More information

Strong Security in Multiple Server Environments

Strong Security in Multiple Server Environments White Paper Strong Security in Multiple Server Environments VeriSign OnSite for Server IDs Contents 1. Introduction 1 2. Security Solutions: The Digital ID System 2 2.1. What Is a Digital ID? 2 2.2 How

More information

Security IIS Service Lesson 6

Security IIS Service Lesson 6 Security IIS Service Lesson 6 Skills Matrix Technology Skill Objective Domain Objective # Configuring Certificates Configure SSL security 3.6 Assigning Standard and Special NTFS Permissions Enabling and

More information

Smart Policy - Web Collector. Version 1.1

Smart Policy - Web Collector. Version 1.1 Smart Policy - Web Collector Version 1.1 Prepared by: "Vincent Le Toux" Date: 29/05/2014 1 Table of Contents Table of Contents Revision History Overview Requirements... 5 Overview... 5 Check that a certificate

More information

Installing Lumension Endpoint Management and Security Suite (L.E.M.S.S.) Using a Remote SQL Server

Installing Lumension Endpoint Management and Security Suite (L.E.M.S.S.) Using a Remote SQL Server Installing Lumension Endpoint Management and Security Suite (L.E.M.S.S.) Using a Remote SQL Server A Step-by-Step Guide July 2011 v.1.0 Copyright 2009, Lumension Table of Contents Description... 3 Step-by-Step

More information

Microsoft Corporation. Project Server 2010 Installation Guide

Microsoft Corporation. Project Server 2010 Installation Guide Microsoft Corporation Project Server 2010 Installation Guide Office Asia Team 11/4/2010 Table of Contents 1. Prepare the Server... 2 1.1 Install KB979917 on Windows Server... 2 1.2 Creating users and groups

More information

Microsoft 10972 - Administering the Web Server (IIS) Role of Windows Server

Microsoft 10972 - Administering the Web Server (IIS) Role of Windows Server 1800 ULEARN (853 276) www.ddls.com.au Microsoft 10972 - Administering the Web Server (IIS) Role of Windows Server Length 5 days Price $4169.00 (inc GST) Version B Overview This course provides students

More information

KEMP LoadMaster. Enabling Hybrid Cloud Solutions in Microsoft Azure

KEMP LoadMaster. Enabling Hybrid Cloud Solutions in Microsoft Azure KEMP LoadMaster Enabling Hybrid Cloud Solutions in Microsoft Azure Introduction An increasing number of organizations are moving from traditional on-premises datacenter architecture to a public cloud platform

More information

Secret Server Installation Windows Server 2008 R2

Secret Server Installation Windows Server 2008 R2 Table of Contents Introduction... 2 ASP.NET Website... 2 SQL Server Database... 2 Administrative Access... 2 Prerequisites... 2 System Requirements Overview... 2 Additional Recommendations... 3 Beginning

More information

Owner of the content within this article is www.isaserver.org Written by Marc Grote www.it-training-grote.de

Owner of the content within this article is www.isaserver.org Written by Marc Grote www.it-training-grote.de Owner of the content within this article is www.isaserver.org Written by Marc Grote www.it-training-grote.de Forefront UAG authentication options Abstract In this article I will show you the different

More information

MultiSite Manager. Setup Guide

MultiSite Manager. Setup Guide MultiSite Manager Setup Guide Contents 1. Introduction... 2 How MultiSite Manager works... 2 How MultiSite Manager is implemented... 2 2. MultiSite Manager requirements... 3 Operating System requirements...

More information

White Paper. What is an Identity Provider, and Why Should My Organization Become One?

White Paper. What is an Identity Provider, and Why Should My Organization Become One? White Paper What is an Identity Provider, and Why Should My Organization Become One? May 2015 Executive Overview Tame Access Control Security Risks: Become an Identity Provider (IdP) Organizations today

More information

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2 Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2 Last revised: November 12, 2014 Table of Contents Table of Contents... 2 I. Introduction... 4 A. ASP.NET Website... 4 B.

More information

USING FEDERATED AUTHENTICATION WITH M-FILES

USING FEDERATED AUTHENTICATION WITH M-FILES M-FILES CORPORATION USING FEDERATED AUTHENTICATION WITH M-FILES VERSION 1.0 Abstract This article provides an overview of federated identity management and an introduction on using federated authentication

More information

AD RMS Microsoft Federation Gateway Support Installation and Configuration Guide... 3 About this guide... 3

AD RMS Microsoft Federation Gateway Support Installation and Configuration Guide... 3 About this guide... 3 Contents AD RMS Microsoft Federation Gateway Support Installation and Configuration Guide... 3 About this guide... 3 Microsoft Federation Gateway Support Overview... 4 Deploying and Configuring Microsoft

More information

Optimization in a Secure Windows Environment

Optimization in a Secure Windows Environment WHITE PAPER Optimization in a Secure Windows Environment A guide to the preparation, configuration and troubleshooting of Riverbed Steelhead appliances for Signed SMB and Encrypted MAPI September 2013

More information

MIGRATING SHAREPOINT TO THE CLOUD

MIGRATING SHAREPOINT TO THE CLOUD MIGRATING SHAREPOINT TO THE CLOUD Our Lessons Learned February 2015 www.reisystems.com TABLE OF CONTENTS Introduction... 2 What is Office 365 and what are the models of installation available?... 2 When

More information

Administering the Web Server (IIS) Role of Windows Server

Administering the Web Server (IIS) Role of Windows Server Course 10972B: Administering the Web Server (IIS) Role of Windows Server Page 1 of 7 Administering the Web Server (IIS) Role of Windows Server Course 10972B: 4 days; Instructor-Led Introduction This course

More information

Administering the Web Server (IIS) Role of Windows Server 10972B; 5 Days

Administering the Web Server (IIS) Role of Windows Server 10972B; 5 Days Lincoln Land Community College Capital City Training Center 130 West Mason Springfield, IL 62702 217-782-7436 www.llcc.edu/cctc Administering the Web Server (IIS) Role of Windows Server 10972B; 5 Days

More information

SafeNet Authentication Service

SafeNet Authentication Service SafeNet Authentication Service Push OTP Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have

More information

Interwise Connect. Working with Reverse Proxy Version 7.x

Interwise Connect. Working with Reverse Proxy Version 7.x Working with Reverse Proxy Version 7.x Table of Contents BACKGROUND...3 Single Sign On (SSO)... 3 Interwise Connect... 3 INTERWISE CONNECT WORKING WITH REVERSE PROXY...4 Architecture... 4 Interwise Web

More information

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies Guideline Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies Product(s): IBM Cognos 8 BI Area of Interest: Security Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies 2 Copyright

More information

Two-Factor Authentication

Two-Factor Authentication Two-Factor Authentication IT Professional & Customer Service Desk Feature Guide Two-Factor Authentication for Exchange Online Office 365 Dedicated & ITAR-Support Plans April 26, 2013 The information contained

More information

Course: 10174B: Configuring and Administering Microsoft SharePoint 2010

Course: 10174B: Configuring and Administering Microsoft SharePoint 2010 Course: 10174B: Configuring and Administering Microsoft SharePoint 2010 Description: This five-day instructor-led course teaches students how to install, configure, and administer Microsoft SharePoint

More information

Microsoft Dynamics GP Release

Microsoft Dynamics GP Release Microsoft Dynamics GP Release Workflow Installation and Upgrade Guide February 17, 2011 Copyright Copyright 2011 Microsoft. All rights reserved. Limitation of liability This document is provided as-is.

More information

Guide to SASL, GSSAPI & Kerberos v.6.0

Guide to SASL, GSSAPI & Kerberos v.6.0 SYMLABS VIRTUAL DIRECTORY SERVER Guide to SASL, GSSAPI & Kerberos v.6.0 Copyright 2011 www.symlabs.com Chapter 1 Introduction Symlabs has added support for the GSSAPI 1 authentication mechanism, which

More information

Enterprise Knowledge Platform

Enterprise Knowledge Platform Enterprise Knowledge Platform Single Sign-On Integration with Windows Document Information Document ID: EN136 Document title: EKP Single Sign-On Integration with Windows Version: 1.3 Document date: 19

More information

Tableau Server Security. Version 8.0

Tableau Server Security. Version 8.0 Version 8.0 Author: Marc Rueter Senior Director, Strategic Solutions, Tableau Software June 2013 p2 Today s enterprise class systems need to provide robust security in order to meet the varied and dynamic

More information

Egnyte Single Sign-On (SSO) Installation for OneLogin

Egnyte Single Sign-On (SSO) Installation for OneLogin Egnyte Single Sign-On (SSO) Installation for OneLogin To set up Egnyte so employees can log in using SSO, follow the steps below to configure OneLogin and Egnyte to work with each other. 1. Set up OneLogin

More information

A viable alternative to TMG / UAG Web Application security, acceleration and authentication with DenyAll s DA-WAF

A viable alternative to TMG / UAG Web Application security, acceleration and authentication with DenyAll s DA-WAF A viable alternative to TMG / UAG Web Application security, acceleration and authentication with DenyAll s DA-WAF Whitepaper 08/17/2015 Summary 1. Introductio... 3 1.1 What is TMG / UAG?... 3 2. How can

More information

Designing a Microsoft SharePoint 2010 Infrastructure

Designing a Microsoft SharePoint 2010 Infrastructure Course Code: M10231 Vendor: Microsoft Course Overview Duration: 5 RRP: 1,980 Designing a Microsoft SharePoint 2010 Infrastructure Overview This five day ILT course teaches IT professionals to design and

More information

Configuring and Administering Microsoft SharePoint 2010

Configuring and Administering Microsoft SharePoint 2010 Configuring and Administering Microsoft Course Details Course Code: Duration: Notes: 10174B 5 days This course syllabus should be used to determine whether the course is appropriate for the students, based

More information