Collaborating with Extranet Partners on SharePoint 2010

Oct 30, 2013

SharePoint dnevi 2011

Collaborating with Extranet Partners on SharePoint 2010

Michael Noel, CCO

Bled, 24 and 25 October 2011

Michael Noel

- Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed,” “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed,” “ISA Server 2006 Unleashed,” and many other titles.
- Partner at Convergent Computing (www.cco.com / +1 (510) 444-5700)
- San Francisco Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security

What we’ll cover

- Why an Extranet?
- SharePoint 2010 Extranets
- Extranet Architecture Options
- Claims-based Authentication
- Forefront Unified Access Gateway (UAG) for extranets
- Forefront Identity Manager for Identity Management in an Extranet

Why an Extranet?


- Security Isolation
  - Isolation of Data
  - Less Exposure, Perimeter Network Scenarios
- Partner Collaboration
  - Share SP Content with External Partners
  - Control Partner Accounts
- Anonymous Customer Scenarios are not Extranets

SharePoint 2010 Extranets

- Claims-based Authentication Support
  - Multiple Authentication Providers
- Better Scalability (Services Architecture)
  - Goodbye SSP!
  - Server Groups
  - Services Applications
- Multiple Authentication Types per Web Application

Sample Extranet Architecture

Design around Security Requirements

- Scenario 1: Extranet and Internal Users in Single Farm
  - 1A: Single Web App / Single Site Collection
  - 1B: Single Web App / Separate Site Collections
  - 1C: Multiple Web Apps / Content DBs
  - 1D: Separate App Pool / Service App Group
- Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests
- Scenario 3: Extranet and Internal Users in Multiple Farms / One-Way Trust
- Scenario 4: Extranet and Internal Users in Separate Farms / Claims-based Auth for Internal Access to Extranet
- Scenario 5: Extranet and Internal Users in Separate Farms / No Access for Internal Accounts to Extranet
- Scenario 6: Separate Farms / AD FS Federation for Extranet Auth

(The scenarios are listed from less security to more security.)

Extranet Scenario 1: Extranet and Internal Users in Single Farm (1A: Single Web App / Single Site Collection; 1B: Single Web App / Separate Site Collections; 1C: Multiple Web Apps / Content DBs; 1D: Separate App Pool / Service App Group)

Extranet Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests

Extranet Scenario 3: Extranet and Internal Users in Multiple Farms and Perimeter Network / One-Way Trust

Extranet Scenario 4: Extranet and Internal Users in Separate Farms / Claims-based Auth Provider for Internal Auth to Extranet

Extranet Scenario 5: Extranet and Internal Users in Separate Farms / No Access for Internal Accounts to Extranet

Extranet Scenario 6: Separate Farms / AD FS Federation for Extranet Auth

Extranet Notes

One-Way Trust Scenarios

- People Picker needs to be configured to crawl the domain if it doesn’t trust the domain where the SharePoint farm is installed.
- Only with STSADM (rare exception where you can’t use PowerShell)
- Example Syntax:

    stsadm.exe -o setapppassword -password AnyPassw0rd

    stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://extranet.companyabc.com

    stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://spcaext.companyabc.com

- Syntax is critical
- Run against all web apps
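As an added example (not from the slides or the presenter's own material), a PowerShell wrapper that applies the same peoplepicker-searchadforests value to every web application with stsadm, prompting for the lookup account's password instead of typing it on the command line. It assumes the SharePoint 2010 Management Shell on a farm server, the stsadm path under the 14 hive, and the account, forest names and setapppassword placeholder from the slide.

```powershell
# Added example, not part of the original slides. Applies the People Picker
# one-way-trust setting from the slide to every web application in the farm.
# Assumptions: run in the SharePoint 2010 Management Shell on a farm server;
# COMPANYABC\svc_sppplpick is the lookup account with read access to the
# internal forest companyabc.com (credentials are required because the
# extranet forest does not trust it); extranetabc.com needs no credentials.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$stsadm = Join-Path $env:CommonProgramFiles `
    'Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe'

# Prompt for the lookup account's password rather than embedding it in the
# script or leaving it in the shell history as the slide's one-liner does.
$cred  = Get-Credential 'COMPANYABC\svc_sppplpick'
$plain = $cred.GetNetworkCredential().Password

# Build the -pv value in exactly the shape the slide shows; the syntax is
# critical: domain:<trusted forest>,<DOMAIN\account>,<password>;domain:<extranet forest>
$pv = "domain:companyabc.com,$($cred.UserName),$plain;domain:extranetabc.com"

# setapppassword sets the key used to encrypt the stored lookup credentials.
# It is per server, not per web application: run it with the same value on
# every server in the farm. 'AnyPassw0rd' is the slide's placeholder.
& $stsadm -o setapppassword -password 'AnyPassw0rd'

# Apply the same value to every web application (the slide: "Run against all
# web apps"), Central Administration included, so all zones resolve people
# the same way.
$failed = @()
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $url = $wa.Url.TrimEnd('/')
    Write-Host "Setting peoplepicker-searchadforests on $url"
    & $stsadm -o setproperty -pn peoplepicker-searchadforests -pv $pv -url $url
    if ($LASTEXITCODE -ne 0) { $failed += $url }
}

# Read the value back from each web application to confirm it was stored.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    & $stsadm -o getproperty -pn peoplepicker-searchadforests -url $wa.Url.TrimEnd('/')
}
if ($failed) { Write-Warning ("stsadm failed for: " + ($failed -join ', ')) }
```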

Design for Clientless Access to SharePoint

- Services Applications for Extranet Clients:
  - Word Services
  - Excel Services
  - Visio Services
  - Access Services
  - InfoPath Forms Services
- Allows ‘Clientless’ access to SharePoint content, for Extranet partners without Office

Standard Requirements Apply to Extranets as well

- SharePoint-aware Antivirus
  - e.g. Forefront Protection for SharePoint
- SharePoint-aware Backup and Restore
  - e.g. System Center Data Protection Manager (DPM) 2010
- Rights Management?
  - Active Directory Rights Management Services (AD RMS)

Content Deployment with Extranets

Claims-based Authentication

Claims-Based Auth

- SharePoint doesn’t actually authenticate users; it relies on IIS or other providers
- SharePoint 2010 allows for Classic and Claims-based Auth scenarios
  - Classic Authentication is similar to SharePoint 2007
- Claims-based Auth adds the following key benefits:
  - Allows for Multiple Authentication Types per Web Application Zone
  - Removes SharePoint from the Authentication Provider
  - Allows for federation between organizations (AD FS, etc.) scenarios
  - Does not require Kerberos Delegation
- Current limitations with Claims-based auth involve SQL Reporting Services, PowerPivot, PerformancePoint, and other SQL tools that require delegation. These appear to be fixed in SQL 2012.
- Remember the difference between Authentication and Authorization…

Classic vs. Claims-based Auth

| Type | Classic-mode authentication | Claims-based authentication |
| --- | --- | --- |
| Windows (NTLM, Kerberos, Anonymous, Basic, Digest) | Yes | Yes |
| Forms-based authentication (LDAP; SQL database or other database; Custom or third-party membership and role providers) | No | Yes |
| SAML token-based authentication (AD FS 2.0; Third-party identity provider; LDAP) | No | Yes |

Mixed-Mode vs. Multi-Authentication

Example: Partner Environment with Multiple Auth Types on single W.A.
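As an added example (not from the slides or the presenter's own code), the PowerShell that realises Scenario 6 and the multi-auth slide: register an AD FS 2.0 SAML token issuer and attach it, next to the Windows provider, to the Extranet zone of one claims-based web application. The certificate path, the realm urn:sharepoint:extranet and the AD FS host adfs.companyabc.com are assumed placeholders; the web application URL is the one on the slide.

```powershell
# Added example, not part of the original slides. Implements Scenario 6 /
# "multiple auth types on a single web application": AD FS 2.0 (SAML) for
# partners plus Windows auth, both on the Extranet zone of one web app.
# Assumptions: the web application https://extranet.companyabc.com was created
# in claims mode and already extended to the Extranet zone; the certificate
# path, realm and AD FS URL below are placeholders to replace.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Trust the AD FS token-signing certificate (public key only, exported from AD FS).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    'C:\certs\adfs-token-signing.cer'
New-SPTrustedRootAuthority -Name 'Partner ADFS Token Signing' -Certificate $cert

# 2. Map the incoming claims. E-mail is the identifier claim, so partner
#    permissions are granted to an e-mail address, never to a local AD account.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# 3. Register AD FS as a trusted identity token issuer. The realm must equal the
#    relying-party identifier configured on the AD FS side, or tokens are rejected.
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Partner ADFS' `
    -Description 'AD FS 2.0 federation for extranet partners' `
    -Realm 'urn:sharepoint:extranet' `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl 'https://adfs.companyabc.com/adfs/ls/' `
    -IdentifierClaim $emailMap.InputClaimType

# 4. Put both providers on the Extranet zone; SharePoint then shows a
#    sign-in chooser (Windows vs. Partner ADFS) on that zone only.
$wa      = Get-SPWebApplication 'https://extranet.companyabc.com'
$windows = New-SPAuthenticationProvider          # Windows (NTLM) claims provider
$saml    = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $wa -Zone Extranet -AuthenticationProvider $windows, $saml

# 5. Verify the zone now lists both providers.
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet
$wa.IisSettings[$zone].ClaimsAuthenticationProviders | Select-Object DisplayName
```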

Forefront Unified Access Gateway

UAG Architecture (diagram): remote clients on the Internet (business partners / sub-contractors, home / friend / kiosk, employees’ managed machines, mobile) reach UAG over DirectAccess, HTTPS (443) or Layer 3 VPN; UAG authenticates against AD, ADFS, RADIUS, LDAP… and publishes the data center / corporate network applications: Exchange, CRM, SharePoint, IIS based, IBM, SAP, Oracle, Terminal / Remote Desktop Services, non-web, NPS, ILM.

What about TMG? (New ISA)

| Capability | TMG 2010 | UAG 2010 |
| --- | --- | --- |
| Publish Web applications using HTTPS | X | X |
| Publish internal mobile applications to roaming mobile devices | X | X |
| Layer 3 firewall | X | X* |
| Outbound scenarios support | X | X* |
| Array support | X | |
| Globalization and administration console localization | X | |
| Wizards and predefined settings to publish SharePoint sites and Exchange | X | X |
| Wizards and predefined settings to publish various applications | | X |
| Active Directory Federation Services (ADFS) support | | X |
| Rich authentication (for example, one-time password, forms-based, smart card) | X | X |
| Application protection (Web application firewall) | Basic | Full |
| Endpoint health detection | | X |
| Information leakage prevention | | X |
| Granular access policy | | X |
| Unified Portal | | X |

Forefront Identity Manager

Identity and Access Management (diagram): Identity and Access Management alongside Secure Messaging, Secure Endpoint, Secure Collaboration, Active Directory® Federation Services, and Information Protection.

Manage SharePoint Identities

- Create Multiple Authentication Providers for SharePoint Farms
  - AD DS Forests (Extranet forests)
  - AD LDS Authentication Providers
  - SQL Table (FBA) Authentication Sources
  - LDAP Providers
  - Etc…
- Keep those Authentication Providers Managed

Identity Management: User provisioning for SharePoint and other Applications

- Policy-based identity lifecycle management system
- Built-in workflow for identity management
- Automatically synchronize all user information to different directories across the enterprise
- Automates the process of on-boarding users

(Diagram: HR System → FIM Workflow → Manager approval; user enrollment, approval, then user provisioned on all allowed systems: Active Directory, Extranet Forest, Test Forest, FBA Table, LOB App, VPN.)

Identity Management: User de-provisioning

- Automated user de-provisioning
- Built-in workflow for identity management
- Real-time de-provisioning from all systems to prevent unauthorized access and information leakage

(Diagram: HR System → FIM Workflow; user de-provisioned, then de-provisioned or disabled on all systems: Active Directory, Extranet Forest, Test Forest, FBA Table, LOB App, VPN.)

Identity Synchronization and Consistency: Identity synchronization across multiple directories

(Diagram: identity data aggregation. FIM pulls the givenName, sn, title, mail, employeeID and telephone attributes for one person from the HR System, LDAP, Extranet AD and Internal AD, where the same person appears as Sammy Dearling / Samara Darling / Sam Dearing / Samantha Dearing with employeeID 007 or 008, and builds a single consistent record: Samantha Dearing, Coordinator, someone@example.com, employeeID 007, telephone 555-0129. Attribute ownership is assigned per attribute: FirstName, LastName, EmployeeID, Title, E-Mail, Telephone.)

Identity Synchronization and Consistency: Identity consistency across multiple directories

(Diagram: identity data brokering (convergence). Using the attribute ownership table (FirstName, LastName, EmployeeID, Title, E-Mail, Telephone), FIM pushes the authoritative values back out so that the HR System, LDAP, Extranet AD and Internal AD all end up holding the same record: Samantha Dearing, Coordinator, someone@example.com, employeeID 007, telephone 555-0129.)

Customizable Identity Portal

How you extend it:

- SharePoint-based Identity Portal for Management and Self Service
- Add your own portal pages or web parts
- Build new custom solutions
- Expose new attributes to manage by extending FIM schema
- Choose SharePoint theme to customize look and feel


Strong Authentication

- Streamline deployment by enrolling user and computer certificates without user intervention
- Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
- Can be used to automate Certificate management for dual-factor auth approaches to SharePoint logins

(Diagram: HR System, FIM, FIM CM, Active Directory Certificate Services (AD CS) as Certificate Authority, End User with SmartCard or User ID and Password. Flow: User Enrollment and Authentication request sent by HR System; FIM policy triggers request for FIM CM to issue certificate or SmartCard; User is validated using multi-factor authentication; FIM Certificate Management (CM) requests certificate creation from AD CS; Certificate is issued to user and written to either machine or smart card.)

FIM for Extranet Forest Mgmt

- Internal AD DS Forest
- DMZ Extranet AD DS Forest
- FIM auto-provisions certain user accounts in Extranet forest and keeps Passwords in Sync to allow Internal users to access/collaborate with Partners
- FIM allows Self-Service Portal Access for Extranet user accounts in the partner forest
- Two-factor Auth scenarios, to automate provisioning of user accounts AND certificates to systems

FIM for Role Based Access Control

- FIM is central to RBAC Strategy
- Can auto-add users to Groups based on RBAC Criteria
- HR defines a user’s access based on their role
- FIM auto-adds that user to specific Role Groups in AD DS, which are tied to SharePoint Groups that have the rights that that role group requires.

(Diagram: User1, User2 → Role Group → SharePoint Group.)

Session Summary

- Understand the Extranet Design Options for 2010
- Keep Extranet Accounts out of local AD
- Determine how Identities will be Managed
- Use FIM for Identity Management, Self-Service, and Provisioning/Deprovisioning of Extranet Accounts
- Use UAG to secure inbound access to extranets/intranets


Michael Noel

Twitter: @MichaelTNoel

www.cco.com

Slides: slideshare.net/michaeltnoel