HAD05

Collaborating with Extranet Partners on SharePoint 2010

Michael Noel

CCO

@MichaelTNoel

Michael Noel

• Author of SAMS Publishing titles “SharePoint 2010 Unleashed,” “SharePoint 2007 Unleashed,” “SharePoint 2003 Unleashed”, “Teach Yourself SharePoint 2003 in 10 Minutes,” “Windows Server 2008 R2 Unleashed,” “Exchange Server 2010 Unleashed”, “ISA Server 2006 Unleashed”, and many other titles .

• Partner at Convergent Computing (www.cco.com / +1(510)444-5700) – San Francisco Bay Area based Infrastructure/Security specialists for SharePoint, AD, Exchange, Security

What we’ll cover

• Why an Extranet?• SharePoint 2010 Extranets• Extranet Architecture Options• Claims-based Authentication• Forefront Unified Access Gateway (UAG)

for extranets• Forefront Identity Manager for Identity

Management in an Extranet

Why an Extranet?

Why an Extranet?

• Security Isolation● Isolation of Data● Less Exposure, Perimeter Network Scenarios

• Partner Collaboration● Share SP Content with External Partners● Control Partner Accounts

Anonymous Customer Scenarios are not Extranets

SharePoint 2010 Extranets

• Claims-based Authentication Support• Multiple Authentication Providers• Better Scalability (Services Architecture)

● Goodbye SSP!● Server Groups● Services Applications

• Multiple Authentication Types per Web Application

Sample Extranet Architecture

Design around Security Requirements

• Scenario 1: Extranet and Internal Users in Single Farm● 1A: Single Web App / Single Site Collection● 1B: Single Web App / Separate Site Collections● 1C: Multiple Web Apps / Content DBs● 1D: Separate App Pool / Service App Group

• Scenario 2: Extranet and Internal Users in Single Farm / Separate Trusted Forests

• Scenario 3: Extranet and Internal Users in Multiple Farms / One-Way Trust

• Scenario 4: Extranet an Internal Users in Separate Farms / Claims-based Auth for Internal Access to Extranet

• Scenario 5: Extranet an Internal Users in Separate Farms / No Access for Internal Accounts to Extranet

• Scenario 6: Separate Farms / AD FS Federation for Extranet Auth

LessSecurity

MoreSecurity

Extranet Scenario 1:Extranet and Internal Users in Single Farm

1A: Single Web App / Single Site Collection1B: Single Web App / Separate Site Collections1C: Multiple Web Apps / Content DBs1D: Separate App Pool / Service App Group

Extranet Scenario 2:Extranet and Internal Users in Single Farm / Separate Trusted Forests

Extranet Scenario 3:Extranet and Internal Users in Multiple Farms and Perimeter Network / One-Way Trust

Extranet Scenario 4:Extranet an Internal Users in Separate Farms / Claims-based Auth Provider for Internal Auth to Extranet

Extranet Scenario 5:Extranet an Internal Users in Separate Farms / No Access for Internal Accounts to Extranet

Extranet Scenario 6:Separate Farms / AD FS Federation for Extranet Auth

Extranet Notes

One-Way Trust Scenarios

• People Picker needs to be configured to crawl domain if it doesn’t trust the domain where the SharePoint farm is installed.

• Only with STSADM (Rare exception when you can’t use PowerShell)• Example Syntax:

● stsadm.exe -o setapppassword -password AnyPassw0rd● stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv

"domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://extranet.companyabc.com

● stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:companyabc.com,COMPANYABC\svc_sppplpick,Password1;domain:extranetabc.com" -url https://spcaext.companyabc.com

• Syntax is critical• Run against all web apps

Design for Clientless Access to SharePoint

• Services Applications for Extranet Clients:● Word Services● Excel Services● Visio Services● Access Services● InfoPath Forms Services

• Allows ‘Clientless’ access to SharePoint content, for Extranet partners without Office

Standard Requirements Apply to Extranets as well

• SharePoint-aware Antivirus● i.e. Forefront Protection for SharePoint

• SharePoint-aware Backup and Restore● i.e. System Center Data Protection Manager

(DPM) 2010• Rights Management?

● Active Directory Rights Management Services (AD RMS)

Content Deployment with Extranets

Claims-based Authentication

Claims-Based Auth

• SharePoint doesn’t actually Authenticate Users, it relies on IIS or other providers

• SharePoint 2010 Allows for Classic and Claims-based Auth Scenarios

• Classic Authentication is similar to SharePoint 2007• Claims based Auth adds the following key benefits:

● Allows for Multiple Authentication Types per Web Application Zone● Removes SharePoint from the Authentication Provider● Allows for federation between organizations (AD FS, etc.) scenarios● Does not require Kerberos Delegation

• Current limitations with Claims-based auth involve SQL Reporting Services, PowerPivot, PerformancePoint, and other SQL tools that require delegation. These appear to be fixed in SQL 2012.

• Remember the difference between Authentication and Authorization…

Classic vs. Claims-based Auth

Type Classic-mode authentication

Claims-based authentication

WindowsNTLMKerberosAnonymousBasicDigest

Yes Yes

Forms-based authenticationLDAPSQL database or other databaseCustom or third-party membership and role providers

No Yes

SAML token-based authenticationAD FS 2.0Third-party identity providerLDAP

No Yes

Mixed-Mode vs. Multi-Authentication

Example: Partner Environment with Multiple Auth Types on single W.A.

Forefront Unified Access Gateway

UAG Architecture

DirectAccess

HTTPS (443)

Layer3 VPN

Data Center / Corporate Network

Business Partners /Sub-Contractors

AD, ADFS, RADIUS, LDAP….

Home / Friend / Kiosk

Employees Managed Machines

Mobile

Exchange

CRM

SharePoint

IIS based

IBM, SAP, Oracle

Terminal / Remote Desktop ServicesNon web

HTTPS /

HTTP

NPS, ILM

Internet

What about TMG? (New ISA)

Capability TMG 2010

UAG 2010

Publish Web applications using HTTPS X X

Publish internal mobile applications to roaming mobile devices X X

Layer 3 firewall X X*Outbound scenarios support X X*Array support X  Globalization and administration console localization X  

Wizards and predefined settings to publish SharePoint sites and Exchange X X

Wizards and predefined settings to publish various applications   X

Active Directory Federation Services (ADFS) support   X

Rich authentication (for example, one-time password, forms-based, smart card) X X

Application protection (Web application firewall) Basic Full

Endpoint health detection   XInformation leakage prevention   XGranular access policy   XUnified Portal   X

Forefront Identity Manager

Identity and Access Management

Identity and Access Management

Secure Messaging Secure EndpointSecure Collaboration

Active Directory® Federation Services

Information Protection

Manage SharePoint Identities

• Create Multiple Authentication Providers for SharePoint Farms● AD DS Forests (Extranet forests)● AD LDS Authentication Providers● SQL Table (FBA) Authentication Sources● LDAP Providers● Etc…

• Keep those Authentication Providers Managed

ActiveDirectory

Extranet Forest

Test Forest

FBA Table

LOB App

HR SystemFIM

Workflow

Manager

• Policy-based identity lifecycle management system

• Built-in workflow for identity management

• Automatically synchronize all user information to different directories across the enterprise

• Automates the process of on-boarding users

User Enrollment

Approval

User provisioned on all allowed systems

Identity ManagementUser provisioning for SharePoint and other Applications

VPN

HR SystemFIM

Workflow

• Automated user de-provisioning

• Built-in workflow for identity management

• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage

User de-provisioned

User de-provisioned or disabled on all systems

Identity ManagementUser de-provisioning

ActiveDirectory

Extranet Forest

TestForest

FBATable

LOBApp

VPN

HRSystem FIM

LDAP

ExtranetAD

InternalAD

givenNamesntitlemailemployeeIDtelephone

SammyDearling

008

givenNamesntitlemailemployeeIDtelephone

givenNamesntitlemailemployeeIDtelephone

SamaraDarling

007

givenNamesntitlemailemployeeIDtelephone

SamDearingIntern

007

givenNamesntitlemailemployeeIDtelephone

555-0129

SamanthaDearing

007

Coordinator

someone@example.com

555-0129

SamanthaDearing

Coordinator

007

IdentityData

Aggregation

GivenNamesntitlemailemployeeIDtelephone

someone@example.com

SamanthaDearing

007

Coordinator

555-0129

Identity Synchronization and ConsistencyIdentity synchronization across multiple directories

Attribute Ownership

FirstNameLastName

EmployeeID

Title

E-Mail

Telephone

Attribute Ownership

FirstNameLastName

EmployeeID

Title

E-Mail

Telephone

FIMHRSystem

LDAP

ExtranetAD

InternalAD

IdentityData

Brokering(Convergence)

givenNamesntitlemailemployeeIDtelephone

SammyDearling

007

givenNamesntitlemailemployeeIDtelephone

givenNamesntitlemailemployeeIDtelephone

SamaraDarling

007

givenNamesntitlemailemployeeIDtelephone

SamDearingIntern

007

givenNamesntitlemailemployeeIDtelephone 555-0129

BobDearing

007

Coordinator

555-0129

SamanthaDearing

Coordinator

someone@example.com

007

someone@example.com

SamanthaDearingCoordinatorsomeone@example.com

555-0129

Coordinatorsomeone@example.com

555-0129

SamanthaDearing

someone@example.com

Samantha

Coordinator

555-0129

Identity Synchronization and ConsistencyIdentity consistency across multiple directories

Customizable Identity Portal

How you extend it

SharePoint-based Identity Portal for Management and Self Service

Add your own portal pages or web parts

Build new custom solutions

Expose new attributes to manage by extending FIM schema

Choose SharePoint theme to customize look and feel

• Streamline deployment by enrolling user and computer certificates without user intervention

• Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)

• Can be used to automate Certificate management for dual factor auth approaches to SharePoint logins

Strong Authentication—Certificate Authority

HR System

Active Directory Certificate Services (AD

CS)

FIM CM

FIM

User Enrollment and Authentication request sent by HR System

FIM policy triggers request for FIM CM to issue certificate or SmartCard

User is validated using multi-factor authentication

FIM Certificate Management (CM) requests certificate creation from AD CS

Certificate is issued to user and written to either machine or smart card

End User

SmartCard

User ID andPassword

SmartCard

End User

FIM for Extranet Forest Mgmt

• Internal AD DS Forest• DMZ Extranet AD DS Forest• FIM Auto-provisions certain user accounts in Extranet

forest and keeps Passwords in Sync to allow Internal users to access/collaborate with Partners

• FIM allows Self-Service Portal Access for Extranet user accounts in the partner forest

• Two-factor Auth scenarios, to automate provisioning of user accounts AND certificates to systems

FIM for Role Based Access Control

• FIM is central to RBAC Strategy• Can auto-add users to Groups based on RBAC Criteria• HR Defines a user’s access based on their role• FIM auto-adds that user to specific Role Groups in AD

DS, which are tied to SharePoint Groups that have the rights that that role group requires.

User1

User2

Role Group

SharePoint Group

Session Summary

• Understand the Extranet Design Options for 2010

• Keep Extranet Accounts out of local AD• Determine how Identities will be Managed• Use FIM for Identity Management, Self-Service,

and Provisioning/Deprovisioning of Extranet Accounts

• Use UAG to secure inbound access to extranets/intranets

Your Feedback is Important

Please fill out a session evaluation form drop it off at the conference registration

desk.

Thank you!

Thanks for attending!Questions?

Michael NoelTwitter: @MichaelTNoel

www.cco.com

Slides: slideshare.net/michaeltnoel