Hybrid for SharePoint Server BCS Reference Architecture

Transcription

1 Hybrid for SharePoint Server 2013 BCS Reference Architecture

2 Contents About this white paper... 4 Who this white paper is for... 4 Overview of hybrid computing... 4 Why hybrid SharePoint?... 4 Integrating SharePoint Online and SharePoint on-premises... 5 Business Connectivity Services... 6 Step 1: Creating an OData source... 8 Add ADO.NET Entity Data Model... 8 Add WCF Data Service Step 2: Creating External Content Types...11 Create new SharePoint app Step 3: Making ECT tenant-ready...15 Upload ECT to BDC model Step 4: Connecting to on-premises services...18 Validate external access to reverse proxy Prepare tenant environment Configure Secure Store Target Application Set permissions on your online BCS Connect Office 365 BCS to on-premises Import ECT file to SharePoint Online Step 5: Validating BCS hybrid environment...26 Troubleshoot hybrid configuration Appendix A: Hybrid infrastructure Configuring SharePoint on-premises...30 Meet basic SSO deployment requirements Configure SharePoint 2013 services Configure SharePoint 2013 for inbound requests Configuring SharePoint Online...32 Choose authentication topology Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 2

3 Appendix B: Secure Store Service Configuring Secure Store Service...35 Register managed account Start Secure Store Service Create target application Enable the audit log Additional information Microsoft Corporation. All rights reserved. This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 3

4 About this white paper Microsoft SharePoint implementations frequently span locally deployed and hosted servers to meet the business requirements of internal users, partners, and customers. This document specifies the procedures necessary for an experienced SharePoint administrator to configure Microsoft Business Connectivity Services in online, on-premises, and hybrid SharePoint environments. The procedures and prerequisites covered in this paper assume expert-level technical proficiency and experience with Microsoft SharePoint Server 2013 and Office 365 Online, as well as an existing properly configured infrastructure. Who this white paper is for This white paper is intended for system administrators who need detailed guidelines for setting up a hybrid SharePoint 2013 environment. To ensure a smooth setup process, this paper includes configuration steps, commands, and links to additional reference material. Overview of hybrid computing Today s organizations face significant challenges, including driving IT efficiency and business value in the face of increased pressure to comply with regulations. The goal of any hybridization or the combining of two related but dissimilar entities is to gain leverage from the strengths of both parts, while minimizing the components weaknesses. Hybrid computing is based on a computing model that allows organizations to use a combination of traditional and cloud computing environments to achieve a higher degree of flexibility, rather than forcing a choice between either an on-premises or cloud model. Why hybrid SharePoint? Organizations can use Microsoft SharePoint Online and SharePoint on-premises to achieve a hybrid computing model. With hybrid SharePoint, these organizations can start to realize the benefits associated with the use of cloud computing coupled with the flexibility to customize the environment and govern data as tightly as in an on-premises system while delivering a consistent experience to users. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 4

5 Figure 1 shows some of the most immediate benefits, including the following: Maintain consistency across clouds with familiar tools and resources. Extend your data center with a consistent management toolset and familiar development and identity solutions. Provide enterprise-grade performance and security in the data center and in the cloud. Meet changing business needs with greater flexibility. Deliver capacity on demand. Figure 1: Maximizing user connectivity with a hybrid SharePoint environment Integrating SharePoint Online and SharePoint onpremises Hybrid environments can be helpful when it is not possible for an organization to migrate to the cloud immediately or in full due to business, technical, or other reasons. Cloud services such as SharePoint Online in Microsoft Office 365 can be an attractive alternative to on-premises SharePoint business solutions, but you might find that you need to deploy only specific solutions in the cloud while still maintaining your on-premises SharePoint farm. New functionality in Microsoft SharePoint Server 2013 and SharePoint Online Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 5

6 enables you to integrate services like Search, Business Connectivity Services (BCS), and Duet Enterprise Online across the on-premises and cloud boundary. This paper provides the information needed to configure security for a hybrid SharePoint environment. Business Connectivity Services Microsoft Business Connectivity Services (BCS) is a centralized infrastructure in SharePoint 2013 and Office 2013 that supports integrated data solutions. With Business Connectivity Services, you can use SharePoint 2013 and Office 2013 clients as interfaces to get data that doesn t live within SharePoint For example, this external data may be in a database and can be accessed using the Business Connectivity Services connector for that database. Business Connectivity Services also connects to data that is available through a web service, or published as an OData source or other data types. Business Connectivity Services does this through out-of--box or custom connectors, which bridge communications between SharePoint 2013 and the external data-hosting system. At the most fundamental level, every Business Connectivity Services configuration is driven by the location of both its own infrastructure and that of the external system hosting the data. The Business Connectivity Services infrastructure can relate to the external system in three ways, as an on-premises, cloud-only, or BCS hybrid solution: 1. An on-premises solution locates both the SharePoint 2013 farm and the external system behind a company s firewall to live in company-controlled data centers. Users gain access only through the company s network. 2. With a cloud-only configuration, Business Connectivity Services in a SharePoint Online tenancy can access data from various cloud services. For example, SharePoint Online can access data from a third-party stock quotes service or from the Windows Azure Marketplace Data Market by using the BCS web service connector. Because this type of solution consists of solely cloud-based services and no customer-maintained SharePoint 2013 farms or hardware,, it is called a cloud-only solution. 3. A BCS hybrid solution makes use of both SharePoint Online and SharePoint 2013 onpremises. It integrates data from an on-premises OData service endpoint into a SharePoint Online tenancy. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 6

7 Figure 2 shows the data flow of the Business Connectivity Services hybrid solution. Figure 2: Integrating data in a Business Connectivity Services hybrid solution To set up your Hybrid BCS environment, follow these steps: 1. Create OData data source 2. Create External Content Type 3. Make your ECT tenant ready 4. Connect to on-premises services 5. Validate your BCS Hybrid environment Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 7

8 Step 1: Creating an OData source The BCS hybrid scenario supports connecting only to an Open Data Protocol (OData) source. If your external data already has an OData service endpoint, you can skip this step. Using Visual Studio 2013, create an empty ASP.NET web application named NorthwindWeb, and follow these steps: Add ADO.NET Entity Data Model 1. Right-click on the project and choose Add New Item. 2. Select Data under Visual C#. 3. Select ADO.NET Entity Data Model. 4. Call it NorthwindModel.edmx. 5. Click Add. 6. Select Generate from database in the Entity Data Model Wizard. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 8

9 7. Click Next. 8. Choose New Connection if you do not have a connection, or connect to an existing one. 9. Click Next. 10. Select Entity Framework Select all of the tables. 12. Click Finish. 13. Compile the project. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 9

10 Add WCF Data Service 1. Right-click on the project and choose Add New Item. 2. From the Web node, choose the WCF Data Service 5.6 item. 3. In the Name text box, enter Northwind. 4. Click Add. 5. Update the Northwind code, using the Code Editor to enter the new code below:: a. public class NorthwindCustomers : DataService<NorthwindEntities> b. config.setentitysetaccessrule("*", EntitySetRights.All); (insert in InitializeService event handler): 6. Compile the project. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 10

11 Step 2: Creating External Content Types Next, create an External Content Type (ECT) based on the OData source. Again, note that Hybrid BCS implementation only works with OData-based External Content Types, which need to be created with Visual Studio (not SharePoint Designer). To create an ECT, you need the following: SharePoint Server 2013 Visual Studio 2013 Office Developer Tool for Visual Studio 2013 OData service that can be accessed from the Internet Create new SharePoint app Using Visual Studio 2013, create a new SharePoint app: 1. Under the Office/SharePoint templates, select App for SharePoint to create a new project. 2. Name your project and click OK. 3. Select your local on-premises SharePoint URL to debug your project. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 11

12 4. Select SharePoint-hosted. Note SharePoint-hosted apps support all components on either an on-premises or Office 365 SharePoint farm. These apps are installed on a SharePoint 2013 website, or host web. 5. Click Finish. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 12

13 6. In the Solution Explorer, click Add Content Types for an External Data Source. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 13

14 7. Enter the URL of your OData service published in the previous section and name it. 8. Click Next. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 14

15 9. Select one or more data entity. 10. Click Finish. This process will create the External Content Type for each of the entities you have selected. Step 3: Making ECT tenant-ready After creating an External Content Type, add it to your Business Data Catalog (BDC) to use in your site collections. In the previous section, you learned how to create an ECT, in which each entity in the OData source represents a single ECT. However, the entities use a shared name in the ECT file, which prevents you from uploading more than one entity to the BDC. To fix this and be able to use all entities in SharePoint, follow these steps: 1. From Visual Studio, right-click on the ECT file, and select Open with. Each entity will have its own.ect file, located under External Content Types\<folder name>. 2. Select XML Editor and click OK. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 15

16 3. In the top of the document, within the Model element, you will see a Name attribute. This Name attribute is the name you selected when you connected to the OData source, such as NorthwindCustomersModel. The value of this name is the same in all of the ECT files created from the entities, but it has to be unique in order to use it in SharePoint. You will need to change the name based on the ECT you are using (for example, Categories Table, Employees Table, etc.). 4. Change the name in each ECT file. 5. Change the name of the Namespace in the Entity element (optional). 6. Save the ECT file. Upload ECT to BDC model After making these changes to your ECT files, you can upload all of your entities to your BDC model. To do so: 1. Go to your SharePoint Central Administration. 2. Navigate to Application Management Manage service applications. 3. Click on your BDC model. 4. Click Import. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 16

17 5. Navigate to your ECT file locations and import each ECT file As an alternative solution, you can develop a PowerShell script to import all of the files. 6. Click OK. 7. Repeat the above steps for all of your models. 8. After importing the BDC models, grant permissions for users to access them. 9. On each of the models, click the dropdown menu and select Set Permissions. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 17

18 10. Select the appropriate permission for each group. Step 4: Connecting to on-premises services Setting a hybrid connection between your SharePoint Online and on-premises requires communication trusts between the two farms. Refer to Appendix A: Hybrid infrastructure for more details. Validate external access to reverse proxy At this point in deploying the BCS hybrid scenario, confirm that you can access your onpremises SharePoint 2013 farm (now configured to receive hybrid calls from SharePoint Online). To confirm access to external URL: 1. Copy the certificate to your extranet computer, and then click the certificate. You will be prompted to enter the certificate password. This adds the certificate to your personal certificate store. 2. Open a web browser and browse to the externally published URL of your on-premises farm. You should be prompted for credentials. If not, check your browser settings to ensure that your logged-on credentials are not being automatically passed. 3. Provide the credentials of the federated user. If you don't see the published site, contact the administrators who set up your hybrid infrastructure. Do not continue with the BCS hybrid scenario until this issue is resolved. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 18

19 Prepare tenant environment In order for your SharePoint Online tenant to connect to your on-premises tenant, you will need to configure your security to accept connections to your services. To establish a trust between your online and on-premises tenants, do the following. 1. Click a service account that will access the OData service endpoint that you configured previously; this procedure will be called ODataAccount. 2. Create a global security group for your OData service endpoint; this procedure will be called ODataGroup. 3. Add the service account to the global security group. Configure Secure Store Target Application 1. Go to SharePoint Central Administration in your on-premises tenant. 2. Navigate to Application Management Manage service applications. 3. Click Secure Store. 4. If you have never used Secure Store, you will need to generate a new key first. 5. Click Generate New Key. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 19

20 6. Enter Passphrase, and then click OK. 7. Click New under Manage Target Applications. 8. Enter your application name, display name, and address. 9. Select Group in the Target Application Type. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 20

21 10. Click Next. 11. Accept the default values in the Create New Secure Store Target Application page. 12. Click Next. 13. Enter the Farm Administrator account in the Target Application Administrators, and enter the group name you created for your OData Service Endpoint in the Members section. 14. Click OK. Tip A pass phrase string must be a minimum of eight characters and contain at least three of the following four elements: Uppercase characters Lowercase characters Numerals Any of the following special characters:! " # $ % & ' ( ) * +, -. / : ; < = [ \ ] ^ _ ` { } ~ Note The pass phrase that you entered is not stored: make sure to record and store it in a safe place. You must have it to refresh the key, such as when you add a new application server to the server farm. For security precautions, or as part of regular maintenance, you may decide to generate a new encryption key and force the Secure Store Service to be re-encrypted based on the new key. You can use the same procedure detailed above to do this. Important: first back up the database of the Secure Store Service application before generating a new key. Set permissions on your online BCS Setting permissions on your SharePoint Online BDC Metadata Store is different than on the on-premises tenant. 1. Open your SharePoint Online administration page. 2. Click bcs. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 21

22 3. Click Manage BDC models and External Content Types. 4. Under Permissions, click Set Metadata Store Permissions. 5. Select All users, and then set the Execute. 6. Select the check box to Propagate permissions to all BDC Models. 7. Click OK. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 22

23 Connect Office 365 BCS to on-premises Unlike BCS in SharePoint 2013, BCS in SharePoint Online requires that you configure a connection settings object (CSO), which contains additional information to establish the connection to the external system and the OData source you created. When you create a CSO in your SharePoint Online tenant, you must provide a URL for your on-premises farm (the external URL you have configured in your reverse proxy to connect to your internal SharePoint services). Your SharePoint Online tenant will try to reach out to that endpoint in order to invoke your on-premises BCS and connect to your data source. Whichever URL you may choose to publish, your CSO must have /_vti_bin/client.svc at the end of the URL to work properly. Before you begin this procedure, make sure you have the following: Configuration tools installed on an on-premises web server. ID of the Secure Store Target Application that you configured. Internet-facing URL that Office 365 uses to connect to the service address (published by the reverse proxy). ID of the Secure Store Target Application for the Secure Channel certificate in Office 365. To create a CSO to your on-premises tenant: 1. Open your SharePoint Online administration page. 2. Click bcs. 3. Click Manage connections to on-premises services. 4. Click Add. 5. Enter the Title and the OData Service Address URL. 6. Under Authentication, select Use credentials stored in SharePoint on-premises. 7. Enter the Secure Store Target Application ID. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 23

24 8. Under Authentication Mode, select Impersonate Window s Identity. 9. Enter the Internet-facing URL you have configured under the reverse proxy, making sure to include /_vti_bin/client.svc at the end of the URL. 10. Click Create. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 24

25 Your model will use your Connection Settings object from SharePoint Online to connect to the on-premises data. Before you can connect to the on-premises data source, you will need to make the following edits: 1. Copy the ECT file you'll be importing, in order to maintain the version set up with your OData project. 2. Delete the ODataServiceMetadataUrl and ODataServiceMetadataAuthenticationMode properties from the LobSystem property list in the ECT file. 3. Delete the ODataServiceUrl and ODataServiceAuthenticationMode properties from the LobSystemInstance property list in the ECT file. 4. Add this property to the list of properties for both the LobSystem and LobSystemInstance: <Property Name="ODataConnectionSettingsId" Type="System.String">yourConnectionSettingsObjectName</Property>. Import ECT file to SharePoint Online As with the on-premises tenant, next import your new ECT file (modified in the previous section) to your SharePoint Online BCS tenant. 1. Open your SharePoint Online administration page. 2. Click bcs. 3. Select Manage your BDC models and External Content Types. 4. Click Import. 5. Navigate to your ECT file locations and import each ECT file; as an alternative solution, you can develop a PowerShell script to import all the files. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 25

26 6. Click OK After your model uploads successfully, create a new external list in SharePoint Online and use that to work with your on-premises LOB data. Follow this article to create an external list. Step 5: Validating BCS hybrid environment Now that you have created an external list, or deployed an app for SharePoint in SharePoint Online, test the security you put in place. Every account that will access and manipulate external data must have three properties: Contain user or greater permissions to the SharePoint Online site and the external list or app for SharePoint. Be a federated account. Be a member of the on-premises global security group that you are using to control access to the OData service endpoint. For example, it must be a member of ODataGroup. In this procedure, you will open the SharePoint Online site and the external list or app for SharePoint with four different accounts. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 26

27 To validate security on the BCS hybrid: 1. Identify or create one account for each of the account types listed in the following table. Account Expected outcome Troubleshooting step Account A Has site/list/app permissions. Is federated. Is a member of the onpremises global security group (ODataGroup). External data displayed and editable. If the external data does not display or you cannot edit it, check the site permissions, your federation setup, and the membership of your on-premises global security group (for example, the ODataGroup). Account B Does not have site/list/app permissions. Is federated. Is a member of the onpremises global security group (ODataGroup). External data does not display. If the external data does display and you can edit it, check the site/list/app permissions. Account C Has site/list/app permissions. Is not federated (is an Office 365 account only). Can't be added to the on-premises global security group (ODataGroup). External data does not display. If the external data does display and you can edit it, check your federation setup and membership of your onpremises global security group (OData Group). Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 27

28 Account Expected outcome Troubleshooting step Account D Has site/list/app permissions. Is federated. Is not a member of your on-premises global security group (ODataGroup). External data does not display. If the external data does display and you can edit it, check the membership of your on-premises global security group (ODataGroup) and the permissions that you set on the OData service endpoint that you configure in Prepare the SharePoint Online environment for the Business Connectivity Services hybrid scenario. 2. Open (via In-Private browsing if possible) the SharePoint Online site that contains the external list or app for SharePoint by using each account in turn. Be sure to log out completely and close your browser in between tests. 3. If you don t see the expected outcome, refer to the troubleshooting steps in the previous table, fix the issue, and repeat all four tests until you achieve the expected outcome. If you see the error message: ResourceBudgetExceeded, sending throttled status code. Exception=Microsoft.SharePoint.SPResourceBudgetExceededException: ResourceBudgetExceeded at Microsoft.SharePoint.SPResourceTally.Check(Int32 value) at Microsoft.SharePoint.SPAggregateResourceTally.Check(SPResourceKind kind, Int32 value) at Microsoft.SharePoint.Client.SPClientServiceHost.OnBeginRequest() You can either remove the throttling: $webapp = Get-SPWebApplication -Identity of your on-premises farm> $rule = $webapp.appresourcetrackingsettings.rules.get([microsoft.sharep oint.spresourcekind]::clientservicerequestduration) $rule.remove() Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 28

29 Or change the throttling value: $webapp = Get-SPWebApplication -Identity of your on-premises farm> $webapp. AppResourceTrackingSettings.Rules.Add([Microsoft.SharePoint.SPR esourcekind]::clientservicerequestduration, , ) $webapp.appresourcetrackingsettings.windowcount = 10 $webapp.appresourcetrackingsettings.windowsize = [System.TimeSpan]::FromSeconds(30) $webapp.update() Note Keep in mind that (above) indicates time in milliseconds, equivalent to 150 seconds. Troubleshoot hybrid configuration If you encounter further issues with data display, also try the following: 1. Verify that the external data source is running and accessible. 2. Verify that one-way outbound or two-way authentication is working. 3. Verify configuration steps presented earlier. 4. Check logs written by the Unified Logging Service (ULS logs or trace logs). Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 29

30 Appendix A: Hybrid infrastructure This section describes how to configure the hybrid SharePoint infrastructure. It starts with configuring SharePoint on-premises, and then moves to configuring SharePoint Online. Configuring SharePoint on-premises Setting up SharePoint on-premises requires that you meet basic Single Sign-On (SSO) deployment requirements first, before configuring SharePoint 2013 services and inbound requests. Meet basic SSO deployment requirements When you set up and enable SSO, users in your organization are able to use their corporate credentials to access the Office 365 service offerings. This removes the burden of managing multiple logon identities and passwords. Without SSO, an Office 365 user would have to maintain separate user names and passwords. For an even better end-user experience, you can create and deploy smart links, which can help speed user sign-in requests by reducing the number of redirects necessary for authentication. In addition to user advantages, administrators and the organization can also benefit from SSO. For example, configuring SSO helps to enforce the organization s password policies and account restrictions in both the on-premises directory and the Office 365 directory. To prepare, confirm that the environment meets SSO requirements. Next, verify that the Active Directory and Azure Active Directory tenant are set up to be compatible with Single Sign-On requirements. Also, Active Directory must be deployed and running in Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 with a functional level of mixed or native mode. If you plan to use Active Directory Federation Services (AD FS) as your Security Token Service (STS), you will need to do one of the following: Download, install, and deploy AD FS 2.0 on a Windows Server 2008 or Windows Server 2008 R2 server. Deploy an AD FS 2.0 proxy, if users will be connecting from outside the company network. Install the AD FS role service on a Windows Server 2012 or Windows Server 2012 R2 server. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 30

31 In addition, Active Directory must have certain settings configured to work properly with Single Sign-On. In particular, the UPN, or user logon name, must be set up in a specific way for each user. Configure SharePoint 2013 services You need to configure the User Profile Service to synchronize user and group profiles from the on-premises Active Directory domain. When federated users access resources in a hybrid environment, the STS makes calls to the User Profile Service to obtain user account metadata, such as the UPN and property values. This metadata is used by the STS to construct security tokens during the authentication process. SharePoint Online presents claims to the on-premises SharePoint farm by using the Simple Mail Transfer Protocol (SMTP). To support this, ensure that the SharePoint user profiles for all federated users are populated with the user s address by using the correct UPN. This means that the work field in the on-premises SharePoint User Profile Store needs to contain the user s federated address. For example, if a federated user logs on to the on-premises domain as contoso\karenb and the public domain for the hybrid environment is contoso.com, her federated address is karenb@contoso.com. Verify that the App Management and Microsoft SharePoint Foundation Subscription Settings services are started and configured. These services should be enabled to support certain configuration procedures, and to help register SharePoint Online as a high-trust application in SharePoint Configure SharePoint 2013 for inbound requests If the hybrid environment is configured for an inbound authentication topology, ensure that a single on-premises web application is configured to receive requests from SharePoint Online. This web application is referred to as the primary web application for the hybrid environment, and it accepts requests from the external endpoint URL. No specific web application configuration is required to support a one-way, outbound authentication topology. In a SharePoint Server 2013 hybrid environment, outbound connections can be made from any on-premises web application. A single SharePoint Server 2013 web application must be configured for inbound connections; it is used as the primary web application for accepting inbound connections, and configuring services and connection objects for the Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 31

32 hybrid features you deploy. You can either create a new web application and site collection, or configure an existing web application for this purpose. Configuring SharePoint Online Setting up SharePoint Online requires that you choose an application authentication topology and make additional configuration choices for the service. Choose authentication topology As shown in Figure 3, your choice of an authentication topology determines how certificates are configured and what capabilities are present in the hybrid solution. Figure 3: Setting up SharePoint Online with an application authentication topology One-way outbound topology Both one-way inbound and two-way (bidirectional) topologies are supported with hybrid BCS, but not one-way outbound topology. One-way inbound topology A one-way inbound hybrid topology enables SharePoint Online to connect to SharePoint Server 2013 through a reverse proxy device (Figure 4). For example, users of a SharePoint Online Search portal can see both local and remote search results, but only local results are available in the SharePoint Server 2013 Search portal. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 32

33 Figure 4: Configuring one-way inbound topology A one-way inbound topology can be configured to let users access on-premises SharePoint search results from the Internet, as long as they have access to the intranet through a virtual private network or DirectAccess. On-premises SharePoint Server 2013 Enterprise Search portal: Local search results are available. SharePoint Online search portal: Local and remote search results are available. Two-way (bidirectional) topology A two-way topology enables bidirectional hybrid service integration between the onpremises SharePoint Server 2013 farm environment and the Office 365 tenant (Figure 5). For example, search can be configured to allow federated users to see both local and remote search results in either SharePoint Server 2013 or SharePoint Online search portals. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 33

34 Figure 5: Configuring two-way (bidirectional) topology Configuring a two-way topology lets users access on-premises SharePoint Internet search results, as long as access to the intranet is with a virtual private network or DirectAccess: On-premises SharePoint Server 2013 Enterprise search portal and SharePoint Online search portal: Local and remote search results are available. If extranet authentication services are configured, extranet users can log on remotely through an on-premises Active Directory account and use all available hybrid functionality. Refer to these articles for more on how to configure your reverse proxy server and establish a secure connection between your SharePoint Online and on-premises tenants. Link to procedure Description of procedure Configure a one-way inbound hybrid topology Configure a two-way bidirectional hybrid topology Learn how to configure the infrastructure for SharePoint 2013 hybrid environments that use a one-way inbound authentication topology. Learn how to configure the infrastructure for SharePoint 2013 hybrid environments using a two-way authentication topology. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 34

35 Appendix B: Secure Store Service This section describes how to configure the Secure Store Service on a SharePoint Server 2013 farm. Secure Store has important planning considerations associated with it. Be sure to read Plan the Secure Store Service in SharePoint Server 2013 before you begin the procedures in this section. Configuring Secure Store Service To configure Secure Store, perform the following steps: 1. Register a managed account in SharePoint Server 2013 to run the Secure Store application pool. 2. Start the Secure Store Service on an application server in the farm. 3. Create a Secure Store Service application. Video demonstration (configuration) To run the application pool, you must have a standard domain account. No specific permissions are required for this account. After the account is created in Active Directory, follow these steps to register it with SharePoint Server Register managed account 1. On the SharePoint Central Administration website home page, in the left navigation pane, click Security. 2. On the Security page, in the General Security section, click Configure managed accounts. 3. On the Managed Accounts page, click Register Managed Account. 4. In the User name box, type the name of the account. 5. In the Password box, type the password for the account. 6. If you want SharePoint Server 2013 to handle changing the password for the account, select the Enable automatic password change box and specify the password change parameters that you want to use. 7. Click OK. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 35

36 After configuring the registered account, start the Secure Store Service on an application server in the farm. Because Secure Store deals with sensitive information, be sure to use a separate application server just for the Secure Store Service for better security. Start Secure Store Service 1. On the Central Administration home page, in the System Settings section, click Manage services on server. 2. Above the Service list, click the Server drop-down list, and then click Change Server. 3. Select the application server where you want to run the Secure Store Service. 4. In the Service list, click Start next to Secure Store Service. After starting the service, it is important to create a Secure Store Service application. Use the following procedure to create the service application. Create target application Target applications are configured on the Secure Store Service Application page in Central Administration. To create a target application: 1. On the Central Administration home page, in the Application Management section, click Manage service applications. 2. Click the Secure Store service application. 3. In the Manage Target Applications group, click New. 4. In the Target Application ID box, type a text string. This is the unique string that you will use externally to identify this target application. 5. In the Display Name box, type a text string that will be used to display the identifier of the target application in the user interface. 6. In the Contact box, type the address of the primary contact for this target application. This can be any legitimate address and does not have to be the identity of an administrator of the Secure Store Service application. 7. When you create a target application of type Individual (see below), you can implement a custom webpage that lets users add individual credentials for the destination data source. This requires custom code to pass the credentials to the Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 36

37 target application. If you did this, type the full URL of this page in the Target Application Page URL field. There are three options: a. Use default page: Any websites that use the target application to access external data will have an individual sign-up page that was added automatically. b. The URL of this page will be <TargetApplicationID>, where <TargetApplicationID> is the string typed in the Target Application ID box. c. By publicizing the location of this page, you can enable users to add their credentials for the external data source. d. Use custom page: You provide a custom webpage that lets users provide individual credentials. Type the URL of the custom page in this field. e. None: There is no sign-up page. Individual credentials are added only by a Secure Store Service administrator who is using the Secure Store Service application. 8. In the Target Application Type drop-down list, choose: Group, for group credentials, or Individual, if each user is to be mapped to a unique set of credentials on the external data source. Note You can use two primary types to create a target application: Group: for mapping all the members of one or more groups to a single set of credentials on the external data source. Individual: for mapping each user to a unique set of credentials on the external data source. 9. Click Next. 10. Use the Specify the credential fields for your Secure Store Target Application page to configure the various fields which may be required to provide credentials to the external data source. By default, two fields are listed: Windows User Name and Windows Password. To add an additional field for supplying credentials to the external data source, on the Specify the credential fields for your Secure Store Target Application page, click Add Field. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 37

38 By default, the type of the new field is Generic. The following field types are available: Field Generic User Name Password PIN Key Windows User Name Windows Password Certificate Certificate Password Description Values that do not fit in any of the other categories. A user account that identifies the user. A secret word or phrase. A personal identification number. A parameter that determines the functional output of a cryptographic algorithm or cipher. A Windows user account that identifies the user. A secret word or phrase for a Windows account. A certificate. The password for the certificate. To change the type of a new or existing field, click the arrow that appears next to the type of the field, and then select the new type of field. Note Every field that you add needs to contain data when you set the credentials for this target application. a. You can change the name that a user sees when interacting with a field. In the Field Name column of the Specify the credential fields for your Secure Store Target Application page, change a field name by selecting the current text and typing new text. b. When a field is masked, each character that a user types is not displayed but is replaced with a mask character such as the asterisk "*". To mask a field, click the check box for that field in the Masked column of the page. c. To delete a field, click the delete icon for that field in the Delete column of the page. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 38

39 d. When you have finished editing the credential fields, click Next. 11. In the Specify the membership settings page, in the Target Application Administrators Field, list all users who have access to manage the target application settings. 12. If the Target Application Type is group, in the Members field, list the user groups to map to a set of credentials for this target application. 13. Click OK to complete configuring the target application. Target application credentials After creating a target application, an administrator of that target application can set credentials for it. These credentials are used by the calling application to provide access to an external data source. If the target application is of type Individual, you can also enable users to supply their own credentials. To set credentials for a target application: 1. On the Central Administration home page, in the Application Management section, click Manage service applications. 2. Click the Secure Store service application. 3. In the Target Application Type drop-down list, select the application for which you want to set credentials, click the arrow that appears and, in the menu, Set credentials. a. If the target application is of type Group, type the credentials for the external data source. Depending on the information that is required by the external data source, the fields for setting credentials will vary. b. If the target application is of type Individual, type the user name of the individual who will be mapped to this set of credentials on the external data source, and type the credentials for the external data source. Depending on the information that is required by the external data source, the fields for setting credentials will vary. 4. Click OK. After setting the credentials for the target application, it is ready to be used by a SharePoint Server 2013 service such as Business Connectivity Services or Excel Services. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 39

40 Enable the audit log Audit entries for the Secure Store service are stored in the Secure Store Service database. By default, the audit log file is disabled. An audit log entry stores information about a Secure Store Service action, such as when it was performed, whether it succeeded, why it failed, the Secure Store Service user who performed it, and, optionally, the Secure Store Service user on whose behalf it was performed. Therefore, a valid reason to enable an audit log file is to troubleshoot an authentication issue. To enable the audit log by using Central Administration: 1. On the Central Administration home page, in the Application Management section, click Manage service applications. 2. Select the Secure Store service application. (That is, select the service application, but do not click the link to go to the Secure Store Service application settings page.) 3. On the ribbon, click Properties. 4. From the Enable Audit section, click to select the Audit log enabled box. 5. To change the number of days that entries will be purged from the audit log file, specify a number in days in the Days Until Purge field. The default value is 30 days. 6. Click OK. Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 40

41 Additional information These links to articles and guides relate directly to SharePoint configuration and migration: Learn about SharePoint Server 2013 hybrid environments and the hybrid solutions available for SharePoint Server 2013 and SharePoint Online: Learn how to plan, prepare, and perform an upgrade to SharePoint 2013: Explore links on this page to find out more about how to implement SharePoint 2013: Review technical diagrams for SharePoint 2013: Learn how to upgrade to SharePoint 2013 in advanced scenarios, such as from Office SharePoint Server 2007 or Windows SharePoint Services 3.0, from FAST Search Server, or when using content type syndication: Hybrid for SharePoint Server 2013 BCS Reference Architecture March 2015 Page 41