SharePoint 2013 Extranets: How will SharePoint 2013 connect
Post on 04-Feb-2022
5 Views
Preview:
Transcript
0
SharePoint 2013 Extranets: How will SharePoint 2013 connect you to
your partners?
Brian Culver
1
Welcome to SharePoint Saturday Houston
• Please turn off all electronic devices or set them to vibrate.
• If you must take a phone call, please do so in the hall so as not to disturb others.
• Thanks to our Title Sponsor:
Thank you for being a part of the 4th Annual SharePoint Saturday for the greater Houston area!
2
Information
• Speaker presentation slides will be available at bit.ly/GoSPSHOU within a week
• The Houston SharePoint User Group will be having it’s next meeting Wednesday April 17th. Please join us at www.h-spug.org
3
About Brian Culver
– SharePoint Solutions Architect for Expert Point Solutions
– Based in Houston, TX
– Author• Upcoming SharePoint 2013 Workflows
• SharePoint 2010 Unleashed
• Various White Papers
– Speaker and Blogger
4
Session Agenda
• Extranet Definition
• Extranet Design Considerations & Challenges
• Common Extranet Scenarios and Topologies
• SharePoint Authentication
• Mixed Mode vs. Multi-Authentication
• Extranet Portal Structures
• Mobile and Device Channels
5
Extranet - Definition
• A web application that is shared with external users, such as partners, vendors, and customers
• Common attributes for an extranet:
• Sharing a private network or secured network
• Requires authenticated access, but the identity of the consumer is not always known
• Has better security controls than an Internet Web application but usually less secure than the Intranet
• Web application
6
Extranet – Why?
• Better Collaboration
• Higher ROI
• Employee Access 24/7
• Targeting content
• Selling Products and Services
• Better Support
• Improved Efficiency
• Improved Communication
• Unite Workforce Experience
• …
7
Extranet Design Considerations & Challenges
Network Topology and Access On-premise scenarios
Hybrid Scenarios
Identity Management (AD, FBA, ADFS)
Seamless Single Sign-on Experience
Content Security and Access
Antivirus - Client vs Server
Mobile Device Experience
Licensing
8
Common Extranet Scenarios
9
Edge Firewall Topology
10
Back-to-Back Perimeter Topology
11
Split Back-to-Back Topology
12
Hybrid Extranets• Using Office 365
– Avoid firewall and topology hassles
– Allows “Sharing” with external users
– 50 free External Users
– With Enterprise accounts, 500 free External Users
• Azure Infrastructure – IaaS– Build dedicated farms on the Microsoft
Cloud
– Scale Out – Add servers
• Federate with corporate domain
For more info: http://technet.microsoft.com/en-us/library/jj151794.aspx
13
Security Terms
• Authentication is the mechanism whereby systems may securely identify their users
– Creates an identity for security principal
– Who am I?
• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
– Determines what resources an identity has access to
– What can I access?
14
SharePoint Authentication
• SharePoint does not authenticate
– Windows authentication via Windows server and IIS (Kerberos/NTLM)
– FBA via ASP. NET and authentication providers (SQL, LDAP, etc.)
– Web SSO via Active Directory Federation Services (ADFS) and other Identity Management Systems
• SharePoint creates user profiles
– SPUser object represents security principal
– User Profile List in Site Collections track user profiles
15
SharePoint 2010 Security
• SharePoint 2010 changes authentication
– Uses classic mode and claims based authentication
– Classic mode is SharePoint 2007 style legacy mode
– Claims-based authentication is the new security model
• What are the benefits?
– Claims decouples SharePoint from the authentication provider
– Allows SharePoint to support multiple authentication providers per URL
– Identities can be passed without Kerberos delegation
– Allows federation between organizations
– ACLs can be configured with
– DLs, Audiences and OUs
16
SharePoint 2013 Security
• SharePoint 2013 authentication:
– Still supports classic mode and claims based authentication
– Claims-based authentication is the default security model
• Supported Authentication modes:
– Windows claims–mode sign-in (default)
– SAML passive sign-in mode
– ASP.NET membership and role passive sign-in
– Windows classic–mode sign-in (deprecated in SP2013)
• Claims authentication is basically the only way to go!
17
Identity Normalization
18
Claims-Based Terminology
• Identity: security principal used to configure the security policy
• Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.)
• Security Token: serialized set of claims (assertions) about an authenticated user.
19
Claim-based Authentication
• Security Token Service (STS): builds, signs and issues security tokens. It can receive and submit tokens.
• Issuing Authority: identity management system(s) that “knows” the claims (AD, ASP.NET, LiveID, etc.)
• Identity Provider: trusted party that creates and submits claims
• Relying Party: application that makes authorization decisions based on received claims
20
Claim-based Authentication
21
Claim-based Authentication
22
Mixed Mode Authentication vs Multi-Authentication
Regular label-callout text
Multi-AuthenticationMixed Authentication
SharePoint
Farm
Web Application
Extended Web Application
Extended Web Application
Extended Web Application
Extended Web Application
Zone: Custom
Zone: Extranet
Zone: Intranet
Zone: Internet
Zone: DefaultWindows
Authentication
FBA
Authentication
...
...
...
SharePoint
Farm
Web Application
Extended Web Application
Extended Web Application
Extended Web Application
Extended Web Application
Zone: Custom
Zone: Extranet
Zone: Intranet
Zone: Internet
Zone: DefaultWindows Authentication
FBA Authentication
SAML Based Authentication
FBA Authentication
Windows Authentication
...
...
23
Auth Scenarios - Multi Authentication
s
24
Authentication ScenariosMixed Mode: When to Use It
•
•
•
•
•
•
•
•
25
Authentication ScenariosMulti Authentication: When to Use It
•
•
•
•
•
26
FBA Claims Configuration
1. Run C:\Windows\Microsoft.NET\Framework\v2.0.x\aspnet_regsql.exeorC:\Windows\Microsoft.NET\Framework\v4.0.x\aspnet_regsql.exe
2. Enable Claims Authentication on Web Application via Central Administration
3. Modify web.config for the FBA Web Application4. Modify web.config for Central Administration
27
FBA Claims Configuration
5. Modify web.config for Security Token Service
– %programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken
– %programfiles%\common files\Microsoft Shared\web server extensions\15\WebServices\SecurityToken
– Changes need to be made to the Security Token Service virtual directory on each server hosting CA or the claims-based web application
6. Configure FBA Provider in Central Administration
7. Create Web Application Policy to give SQL Auth User(s) access to site
28
FBA Claims Configuration
29
FBA Claims Configuration
30
FBA Claims Configuration
31
FBA Claims Configuration
32
FBA Claims Configuration
33
Sample Extranet Portal StructuresScenarios Includes Key design elements
Corporate Portal with Path-based Sites
Most common types of sites deployed within an organization.
• Path-based site collections• Claims-based authentication• Multiple authentication providers and authentication types implemented in a single zone
Extranet Portal with Host-names sites
Most common types of sites deployed within an organization.
• Host-named site collections• Claims-based authentication• Multiple authentication providers and authentication types implemented in a single zone
Extranet with Dedicated Zones for Authentication
Only the partner web site. Provides an alternate configuration for partner collaboration.
• Host-named site collections• Claims-based authentication• Different zone for each authentication method
34
Extranet PortalCorporate Portal with Path-based Site Collections• Traditional path-based site collections• Dedicated Web applications• Single top-level site collection per Web application• Provides additional security provided by multiple web apps with separate app
pools.
35
Extranet PortalCorporate Portal with Host-named Site Collections• Host-named site collections• All sites deployed in a single Web application• Highly scalable and provides more flexibility in managing URLs.• 2013 Recommended Approach
36
Extranet PortalExtranet with Dedicated Zones for Authentication• Many top-level project sites with vanity URLs by using host-named sites for each
project site (instead of organizing project sites underneath a top-level site collection).
• Additional isolation between domain URLs, which might be desired in a partner collaboration solution.
• Additional costs of managing a greater number of host names, including managing SSL certificates.
• If SAML authentication is used, additional configuration is required.
37
Mobile Browser Experience
SharePoint Server 2013 offers improvements to the mobile browser experience with the introduction of a new contemporary view. Depending on the mobile browser, users have one of the following browsing options:
Contemporary view An optimized mobile browser experience to users and renders in HTML5. This view is available to Mobile Internet Explorer version 9.0 or later versions for Windows Phone 7.5, Safari version 4.0 or later versions for iPhone iOS 5.0, and the Android browser for Android 4.0 or later versions.
Classic view Renders in HTML format, or similar markup languages (CHTML, WML, and so on), and provides backward compatibility for mobile browsers that cannot render in the new contemporary view. The classic experience in SharePoint Server 2013 is identical to the mobile browser experience of SharePoint Server 2010.
Full-screen UI There is also the ability to have a full desktop view of a SharePoint site on a smartphone device.
38
Mobile Views
Contemporary View Classic View Full Screen UI
• Contemporary View - default view (uses HTML5) on select site templates (Team Site, Blank Site, Document Workspace, Document Center, and Project Site).
• Classic View - for devices that cannot render the contemporary view.• Full Screen UI – An option in the contemporary view.• Learn more: http://technet.microsoft.com/en-us/library/jj673030.aspx
39
Device Channels• For smartphone and slate
devices. Can only be used with a publishing site.
• With device channels, you can render a single publishing site in multiple ways by using different designs that target different devices based on their user agent string.
• The site and content can be mapped to use different master pages and style sheets for a specific device or group of devices.
• You can easily show different content to different device channels by using same page and page layout.
40
Licensing in SP2013
• Much simpler to license
• Regular SharePoint Server license
– SharePoint for Internet Sites (FIS) is gone.
• Need CAL for Intranet Users
• No need to license Extranet Users
– External users means users that are not either your or your affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents.
41
Questions
??
?
?
42
Constructive Feedback Is Appreciated
Great information, but would like to have learned more about [Insert Topic]Brian – Your
presentation was …
Good Demos!
Thanks!
43
Please Leave Feedback During Q&A
If you leave session feedback and provide contact information in the survey, you will be qualified for a book, ebook or DVD giveaway.
Scan the QR Code to the right or go to bit.ly/spshou11
44
Thanks to all our Sponsors!
45
Useful Links
• SharePoint 2013 design samples: Corporate portal and extranet siteshttp://technet.microsoft.com/en-us/library/cc261995.aspx
• Architecture design for SharePoint 2013 IT pros
• http://technet.microsoft.com/en-us/sharepoint/fp123594.aspx
• Technical diagrams for SharePoint 2013http://technet.microsoft.com/en-us/library/cc263199.aspx
• Plan for mobile devices in SharePoint 2013http://technet.microsoft.com/en-us/library/gg610510
• Plan for mobile devices in SharePoint 2013http://technet.microsoft.com/en-us/library/gg610510
top related