Extending SharePoint 2010 to your customers and partners

Posted on 08-Jun-2015

description

Slides for the talk I gave at SPC11 about Extranets.

transcript

SharePoint Conference 2011 (SPC11) – Anaheim, CA – October 3–6th, 2011

Extending SharePoint 2010 to your customers and partners
Corey Roth (@coreyroth)

Problems with using E-mail for collaboration
- E-mail is not ideal for sharing with external users
- Inboxes flooded
- Versioning issues
- Files blocked
- Send / Receive limits

Agenda
- Why you need an extranet
- Extranet network topologies
- Authentication Options
- Document Management for Extranets

Questions to ask yourself…
- What is an extranet?
- Do we need an extranet?
- Who will use the extranet?
- What does SharePoint offer?
- How will users get to the extranet?
- How will users authenticate?
- How do I populate content on the extranet?

Do we need an extranet?

If you answer yes to any of the following, then you might:
- Does your organization often share documents with customers, vendors, partners, and suppliers?
- Have you had issues caused by transmitting the wrong version of a document?
- Do you have employees that routinely send out contracts, reports, invoices, and other documents outside the company?
- Do you have security or document expiration concerns with the documents you share?
- Do you need to be able to search the documents you are sharing?

Who will use the extranet? What type of users are extranets suitable for?

Extranet Scenarios – Customers and Partners
- Collaborate by sharing documents and data
- Security allows content for each partner to be isolated
- Partners can’t view each other’s data

Extranet Scenarios – Remote Employees
- Allow remote employees to access corporate information without needing a VPN connection
- Ideal for traveling employees, remote workers, or geographically dispersed teams

What does SharePoint offer?
- Authenticate and authorize users
- Fine-tune permissions for a given partner or group of users
- Take advantage of ECM features like document libraries
- Calendars, announcements, picture libraries, tasks
- Allow users to search for the documents they seek
- Take documents offline with SharePoint Workspace

SharePoint ECM Features
- Enterprise Search
- Check in / Check out
- Auditing
- Versioning
- Policies (Retention / Expiration)
- Office Web Apps
- SharePoint Workspace

Questions to ask yourself…
- What is an extranet?
- Do we need an extranet?
- Who will use the extranet?
- What does SharePoint provide me?
- How will users get to the extranet?
- How will users authenticate?
- How do I populate content on the extranet?

SharePoint Farms for Extranet
- Different farm
- Multi-tenancy
- Same farm with a separate web application
- Same farm with the same web application

It’s all about the network…
- Choosing the right network topology is important.
- Topologies affect where SharePoint, SQL, and Active Directory servers are in the network
- Several common network topologies can be used for SharePoint extranets

Network Topology – Edge Firewall

Network Topology – Back-to-back Perimeter

Network Topology – Split Back-to-back Perimeter

Questions to ask yourself…
- What is an extranet?
- Do we need an extranet?
- Who will use the extranet?
- What does SharePoint provide me?
- How will users get to the extranet?
- How will users authenticate?
- How do I populate content on the extranet?

What are my authentication options?
- Active Directory
- Forms Based Authentication – ASP.NET Membership Provider
- Forms Based Authentication – Active Directory
- Trusted Identity Provider – Windows Live Id
- Many others / custom

Authentication – Active Directory
- Same authentication your internal users use
- External users presented with a browser login dialog
- Users log in with domain\username
- Not very user friendly
- Users get prompted often for authentication
- Combined with an application firewall to provide FBA

Authentication – Forms Based Authentication – ASP.NET Membership Provider
- Users log in via forms using the ASP.NET Membership provider
- Uses Claims-Based Authentication
- Users stored in SQL Server database
- Management of users requires code or third party tools

SharePoint 2010 FBA Pack: http://sharepoint2010fba.codeplex.com

CKS: http://cks.codeplex.com/releases/view/7450

Authentication – FBA (ASP.NET) – Configuration Steps

1) Configure web application to use Claims Based Authentication
2) Configure the membership provider and role manager
3) Modify web.config files
4) Grant permissions

Authentication – FBA (ASP.NET) – Configuration – Claims Based Authentication
- Create a new web application or extend an existing web application
- Select Claims Based Authentication for Authentication
- Check Enable Forms Based Authentication
- Specify an ASP.NET Membership provider name
- Specify an ASP.NET Role manager name
- Convert existing web applications to Claims using PowerShell

Authentication – FBA (ASP.NET) – Configuration – Membership / Role Provider
- Create membership database with aspnet_regsql.exe
  Located at C:\Windows\Microsoft.NET\Framework64\v2.0.50727
- Specify a name for the membership database (default: aspnetdb)
- Grant SQL Server permissions to membership database
  Application Pool accounts
  Farm account

Authentication – FBA (ASP.NET) – Configuration – web.config
- Connection string, membership provider and role provider must be added to web.config files
- Modifications are required in the following web.config files:
  Forms Based Web Application
  Central Administration
  STS (%programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken)
- Modifications on following slides

Authentication – FBA (ASP.NET) – Configuration – web.config Modifications

<!-- Before the system.web element -->
<!-- These changes should be added to both the FBA web application and Central Admin web.config -->
<connectionStrings>
  <add name="MembershipConnectionString"
       connectionString="data source=SQLServer;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>

Authentication – FBA (ASP.NET) – Configuration – web.config Modifications

<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add name="c"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add connectionStringName="MembershipConnectionString"
         applicationName="/"
         description="Stores and retrieves roles from SQL Server"
         name="SQL-RoleManager"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>

Authentication – FBA (ASP.NET) – Configuration – web.config Modifications

<membership defaultProvider="i">
  <providers>
    <add name="i"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add connectionStringName="MembershipConnectionString"
         enablePasswordRetrieval="false"
         enablePasswordReset="false"
         requiresQuestionAndAnswer="true"
         applicationName="/"
         requiresUniqueEmail="true"
         passwordFormat="Hashed"
         description=""
         name="SQL-MembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>

Authentication – FBA (ASP.NET) – Configuration – Grant Permissions
- Create users in membership database
- Create users with code or third party tools
  SharePoint 2010 FBA Pack: http://sharepoint2010fba.codeplex.com
  CKS: http://cks.codeplex.com/releases/view/7450
- After users are created, grant access at Web Application level
  Web Applications -> User Policy -> Add User (Default Zone)
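As an added example (not the deck's own script), the PowerShell behind two of the steps above: converting an existing web application to claims-based authentication, and the equivalent of Web Applications -> User Policy -> Add User (Default Zone) for a Windows administrator and for an FBA user. The URL, the Windows account, the user name alice and the encoded-claim format for the forms user are assumptions.

```powershell
# Added example (not from the deck): convert an existing web application to
# claims-based authentication, then add Default-zone user policies. Run from the
# SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = "http://extranet.contoso.com"  # placeholder URL (assumption)
$adminAccount = "CONTOSO\spadmin"              # placeholder Windows account (assumption)
$fbaUser      = "alice"                        # placeholder FBA user created in the membership DB

# 1) Switch the web application from classic to claims-based authentication.
$wa = Get-SPWebApplication $webAppUrl
if (-not $wa.UseClaimsAuthentication) {
    $wa.UseClaimsAuthentication = $true
    $wa.Update()
}

# 2) Full Control policy for the Windows admin account on the Default zone.
#    The principal is built as a claims identity so it matches the converted app.
$adminClaim   = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
$zonePolicies = $wa.ZonePolicies("Default")
$adminPolicy  = $zonePolicies.Add($adminClaim.ToEncodedString(), "Extranet admin policy")
$fullControl  = $wa.PolicyRoles.GetSpecialRole("FullControl")
$adminPolicy.PolicyRoleBindings.Add($fullControl)

# 3) Read-only policy for an FBA user from the SQL-MembershipProvider defined in
#    web.config. Assumption: the encoded forms claim uses the lowercased provider
#    name ("i:0#.f|<provider>|<user>") and can be passed as an EncodedClaim.
$fbaClaim  = New-SPClaimsPrincipal -Identity "i:0#.f|sql-membershipprovider|$fbaUser" -IdentityType EncodedClaim
$fbaPolicy = $zonePolicies.Add($fbaClaim.ToEncodedString(), "Extranet partner read policy")
$fullRead  = $wa.PolicyRoles.GetSpecialRole("FullRead")
$fbaPolicy.PolicyRoleBindings.Add($fullRead)
$wa.Update()

# 4) Migrate existing classic Windows accounts to their claims identities and
#    re-provision the web application so every server picks up the change.
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()
```

The Full Control policy is added before the migration step because the converted web application has no claims-format policies until one is created; review the zone policies afterwards, since a user policy applies to every site collection in the web application.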

demo: FBA – ASP.NET Membership Provider
Corey Roth (@coreyroth)

Authentication – Forms Based Authentication – Active Directory
- Similar to ASP.NET Membership configuration
- Specify users in AD using an LDAP connection string, e.g.: LDAP://dc.domain.local/OU=Users,DC=domain,DC=local
- Classic Authentication AD users != FBA AD users
- Configure web application to use Claims Based Authentication
- Specify Membership provider name but no role manager
- Edit web.config files

Authentication – FBA (AD) – Configuration – web.config Modifications

<!-- Before the system.web element -->
<!-- These changes should be added to the FBA web application, Central Admin, and STS web.config -->
<connectionStrings>
  <add name="ActiveDirectoryConnectionString"
       connectionString="LDAP://dc.domain.local/OU=Users,DC=domain,DC=local" />
</connectionStrings>

Authentication – FBA (AD) – Configuration – web.config Modifications

<membership defaultProvider="ActiveDirectoryMembership">
  <providers>
    <add name="ActiveDirectoryMembership"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ActiveDirectoryConnectionString"
         enableSearchMethods="true"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

demo: FBA – Active Directory
Corey Roth (@coreyroth)

Authentication – Trusted Identity Provider – Windows Live Id
- Log in to the Microsoft Services Manager site with a Windows Live Id: https://msm.live.com/
- Register your site
  Site name
  DNS name (urn:someurl)
  Policy: Select Windows Live ID
  Default return URL: http://yourdomain/_trust/default.aspx
  Override Authentication Policy: MBI_FED_SSL

Authentication – Trusted Identity Provider – Windows Live Id
- Install x509 certificate
- Configure Claims Provider using PowerShell
- Configure Web App to use Trusted Identity Provider
- Test your site with Windows Live ID credentials
- Begin compliance review
- Repeat above steps for production Live ID

demo: Windows Live Id Provider
Corey Roth (@coreyroth)

Questions to ask yourself…
- What is an extranet?
- Do we need an extranet?
- Who will use the extranet?
- What does SharePoint provide me?
- How will users get to the extranet?
- How will users authenticate?
- How do I populate content on the extranet?

How do I populate content?
I have an extranet! Now how do I populate it?
- Manual Uploading
- Publishing
- Send to connections
- Custom code (i.e.: Event Receivers / Workflows)

demo: Send to Connections
Corey Roth (@coreyroth)

Related Sessions at SPC

SPC Code   Session Name                                               Day         Time    Type       Location
SPC3997    TITUS: Using Claims for Authentication in SharePoint 2010  Weds 10/5   5:00p   Partner
SPC411     Security Design with Claims Based Authentication           Thurs 10/6  12:00p  Microsoft

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.