SharePoint 2013 Extranets: How will SharePoint 2013 connect you to your partners? Brian Culver

Transcription

1 SharePoint 2013 Extranets: How will SharePoint 2013 connect you to your partners? Brian Culver 0

2 Welcome to SharePoint Saturday Houston Thank you for being a part of the 4 th Annual SharePoint Saturday for the greater Houston area! Please turn off all electronic devices or set them to vibrate. If you must take a phone call, please do so in the hall so as not to disturb others. Thanks to our Title Sponsor: 1

3 Information Speaker presentation slides will be available at bit.ly/gospshou within a week The Houston SharePoint User Group will be having it s next meeting Wednesday April 17 th. Please join us at 2

4 About Brian Culver SharePoint Solutions Architect for Expert Point Solutions Based in Houston, TX Author Upcoming SharePoint 2013 Workflows SharePoint 2010 Unleashed Various White Papers Speaker and Blogger 3

5 Session Agenda Extranet Definition Extranet Design Considerations & Challenges Common Extranet Scenarios and Topologies SharePoint Authentication Mixed Mode vs. Multi-Authentication Extranet Portal Structures Mobile and Device Channels 4

6 Extranet - Definition A web application that is shared with external users, such as partners, vendors, and customers Common attributes for an extranet: Sharing a private network or secured network Requires authenticated access, but the identity of the consumer is not always known Has better security controls than an Internet Web application but usually less secure than the Intranet Web application 5

7 Extranet Why? Better Collaboration Higher ROI Employee Access 24/7 Targeting content Selling Products and Services Better Support Improved Efficiency Improved Communication Unite Workforce Experience 6

8 Extranet Design Considerations & Challenges Network Topology and Access On-premise scenarios Hybrid Scenarios Identity Management (AD, FBA, ADFS) Seamless Single Sign-on Experience Content Security and Access Antivirus - Client vs Server Mobile Device Experience Licensing 7

9 Common Extranet Scenarios 8

10 Edge Firewall Topology 9

11 Back-to-Back Perimeter Topology 10

12 Split Back-to-Back Topology 11

13 Hybrid Extranets Using Office 365 Avoid firewall and topology hassles Allows Sharing with external users 50 free External Users With Enterprise accounts, 500 free External Users Azure Infrastructure IaaS Build dedicated farms on the Microsoft Cloud Scale Out Add servers Federate with corporate domain For more info: 12

14 Security Terms Authentication is the mechanism whereby systems may securely identify their users Creates an identity for security principal Who am I? Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. Determines what resources an identity has access to What can I access? 13

15 SharePoint Authentication SharePoint does not authenticate Windows authentication via Windows server and IIS (Kerberos/NTLM) FBA via ASP. NET and authentication providers (SQL, LDAP, etc.) Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems SharePoint creates user profiles SPUser object represents security principal User Profile List in Site Collections track user profiles 14

16 SharePoint 2010 Security SharePoint 2010 changes authentication Uses classic mode and claims based authentication Classic mode is SharePoint 2007 style legacy mode Claims-based authentication is the new security model What are the benefits? Claims decouples SharePoint from the authentication provider Allows SharePoint to support multiple authentication providers per URL Identities can be passed without Kerberos delegation Allows federation between organizations ACLs can be configured with DLs, Audiences and OUs 15

17 SharePoint 2013 Security SharePoint 2013 authentication: Still supports classic mode and claims based authentication Claims-based authentication is the default security model Supported Authentication modes: Windows claims mode sign-in (default) SAML passive sign-in mode ASP.NET membership and role passive sign-in Windows classic mode sign-in (deprecated in SP2013) Claims authentication is basically the only way to go! 16

18 Identity Normalization 17

19 Claims-Based Terminology Identity: security principal used to configure the security policy Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.) Security Token: serialized set of claims (assertions) about an authenticated user. 18

20 Claim-based Authentication Security Token Service (STS): builds, signs and issues security tokens. It can receive and submit tokens. Issuing Authority: identity management system(s) that knows the claims (AD, ASP.NET, LiveID, etc.) Identity Provider: trusted party that creates and submits claims Relying Party: application that makes authorization decisions based on received claims 19

21 Claim-based Authentication 20

22 Claim-based Authentication 21

23 Mixed Mode Authentication vs Multi-Authentication Mixed Authentication Multi-Authentication SharePoint Farm SharePoint Farm Web Application Zone: Default Windows Authentication Web Application Regular label-callout Zone: text Default Windows Authentication FBA Authentication Extended Web Application Zone: Extranet FBA Authentication Extended Web Application Zone: Extranet SAML Based Authentication FBA Authentication Extended Web Application Zone: Intranet... Extended Web Application Zone: Intranet Windows Authentication Extended Web Application Zone: Internet... Extended Web Application Zone: Internet... Extended Web Application Zone: Custom... Extended Web Application Zone: Custom... 22

24 Auth Scenarios - Multi Authentication s 23

25 Authentication Scenarios Mixed Mode: When to Use It 24

26 Authentication Scenarios Multi Authentication: When to Use It 25

27 FBA Claims Configuration 1. Run C:\Windows\Microsoft.NET\Framework\v2.0.x\asp net_regsql.exe or C:\Windows\Microsoft.NET\Framework\v4.0.x\asp net_regsql.exe 2. Enable Claims Authentication on Web Application via Central Administration 3. Modify web.config for the FBA Web Application 4. Modify web.config for Central Administration 26

28 FBA Claims Configuration 5. Modify web.config for Security Token Service %programfiles%\common files\microsoft Shared\web server extensions\14\webservices\securitytoken %programfiles%\common files\microsoft Shared\web server extensions\15\webservices\securitytoken Changes need to be made to the Security Token Service virtual directory on each server hosting CA or the claims-based web application 6. Configure FBA Provider in Central Administration 7. Create Web Application Policy to give SQL Auth User(s) access to site 27

29 FBA Claims Configuration 28

30 FBA Claims Configuration 29

31 FBA Claims Configuration 30

32 FBA Claims Configuration 31

33 FBA Claims Configuration 32

34 Sample Extranet Portal Structures Scenarios Includes Key design elements Corporate Portal with Path-based Sites Most common types of sites deployed within an organization. Path-based site collections Claims-based authentication Multiple authentication providers and authentication types implemented in a single zone Extranet Portal with Host-names sites Most common types of sites deployed within an organization. Host-named site collections Claims-based authentication Multiple authentication providers and authentication types implemented in a single zone Extranet with Dedicated Zones for Authentication Only the partner web site. Provides an alternate configuration for partner collaboration. 33 Host-named site collections Claims-based authentication Different zone for each authentication method

35 Extranet Portal Corporate Portal with Path-based Site Collections Traditional path-based site collections Dedicated Web applications Single top-level site collection per Web application Provides additional security provided by multiple web apps with separate app pools. 34

36 Extranet Portal Corporate Portal with Host-named Site Collections Host-named site collections All sites deployed in a single Web application Highly scalable and provides more flexibility in managing URLs Recommended Approach 35

37 Extranet Portal Extranet with Dedicated Zones for Authentication Many top-level project sites with vanity URLs by using host-named sites for each project site (instead of organizing project sites underneath a top-level site collection). Additional isolation between domain URLs, which might be desired in a partner collaboration solution. Additional costs of managing a greater number of host names, including managing SSL certificates. If SAML authentication is used, additional configuration is required. 36

38 Mobile Browser Experience SharePoint Server 2013 offers improvements to the mobile browser experience with the introduction of a new contemporary view. Depending on the mobile browser, users have one of the following browsing options: Contemporary view An optimized mobile browser experience to users and renders in HTML5. This view is available to Mobile Internet Explorer version 9.0 or later versions for Windows Phone 7.5, Safari version 4.0 or later versions for iphone ios 5.0, and the Android browser for Android 4.0 or later versions. Classic view Renders in HTML format, or similar markup languages (CHTML, WML, and so on), and provides backward compatibility for mobile browsers that cannot render in the new contemporary view. The classic experience in SharePoint Server 2013 is identical to the mobile browser experience of SharePoint Server Full-screen UI There is also the ability to have a full desktop view of a SharePoint site on a smartphone device. 37

39 Mobile Views Contemporary View Classic View Full Screen UI Contemporary View - default view (uses HTML5) on select site templates (Team Site, Blank Site, Document Workspace, Document Center, and Project Site). Classic View - for devices that cannot render the contemporary view. Full Screen UI An option in the contemporary view. Learn more: 38

40 Device Channels 39 For smartphone and slate devices. Can only be used with a publishing site. With device channels, you can render a single publishing site in multiple ways by using different designs that target different devices based on their user agent string. The site and content can be mapped to use different master pages and style sheets for a specific device or group of devices. You can easily show different content to different device channels by using same page and page layout.

41 Licensing in SP2013 Much simpler to license Regular SharePoint Server license SharePoint for Internet Sites (FIS) is gone. Need CAL for Intranet Users No need to license Extranet Users External users means users that are not either your or your affiliates employees, or your or your affiliates onsite contractors or onsite agents. 40

42 Questions???? 41

43 Constructive Feedback Is Appreciated Brian Your presentation was Great information, but would like to have learned more about [Insert Topic] Thanks! Good Demos! 42

44 Please Leave Feedback During Q&A If you leave session feedback and provide contact information in the survey, you will be qualified for a book, ebook or DVD giveaway. Scan the QR Code to the right or go to bit.ly/spshou11 43

45 Thanks to all our Sponsors! 44

46 Useful Links SharePoint 2013 design samples: Corporate portal and extranet sites Architecture design for SharePoint 2013 IT pros Technical diagrams for SharePoint Plan for mobile devices in SharePoint Plan for mobile devices in SharePoint