Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (20)
Semelhante a Spsnj case study 2014
Semelhante a Spsnj case study 2014 (20)
Último
Último (20)
Spsnj case study 2014
- 1. Case Study: Transitioning to using Active Directory Federation Services with SharePoint 2010 Joe Karam Princeton University Office of Information Technology SharePoint Saturday New Jersey 2014
- 2. New Jersey SharePoint user group • Different SharePoint discussions each month on various topics. Announced on meetup.com • Meets 4th Tuesday of every month • 6pm – 8pm • Microsoft Office (MetroPark) • 101 Wood Ave, Iselin, NJ 08830 • http://www.njspug.com
- 3. Thank You Event Sponsors • Diamond & Platinum sponsors have tables here in the Fireside Lounge • Please visit them and inquire about their products & services • Also to be eligible for prizes make sure to get your bingo card stamped
- 4. Agenda • introduction to SharePoint & ADFS @Princeton • advantages and concerns with transitioning to ADFS • configuration considerations with ADFS and SharePoint 2010 • issues with migrating data between NTLM and ADFS SharePoint environments • issues with using ADFS and AD Groups • cookie options with ADFS and impact on Office applications • troubleshooting issues with ADFS and user profile services • summary
- 5. Princeton SharePoint Implementation • Using SharePoint 2007 since 2008 • Currently migrating to SharePoint 2010 (over 80% complete) • Mostly used for internal department collaborations • Very little student use • Approximately 110 department sites • Approximately 750GB farm size • Some customized sites • Decentralized administration
- 6. What is Active Directory Federation Service (ADFS)? • Provides single sign-on to authenticate users to multiple web applications in a single session using token claims. • Allows organizations to provide access to trusted users from different domains. • Domain users and groups are encoded to claim identities • READ: How claims encoding works in SharePoint 2010
- 7. Why did Princeton choose ADFS for SP 2010? • Consistent authentication experience for a variety of clients using SharePoint 2010 from on-campus to all over the world • Improve security for authentication with SharePoint • Planning for the future migrating to Office 365 and using with other SSO applications. • Microsoft “encouragement” to use claims based authentication and providing limited support for classic authentication
- 8. Princeton SharePoint 2010 Environment • Two virtual ADFS servers • Three virtual SharePoint 2010 front-end servers • Two virtual SharePoint 2010 application servers • SQL Cluster backend with SAN storage • F5 Load Balancer • Firewall • AvePoint DocAve management
- 9. Is it an F5 issue? An ADFS issue? A SharePoint issue? • Our first experience with ADFS, SharePoint 2010, and F5 • Microsoft technical support going back and forth between ADFS and SharePoint teams for troubleshooting • Finding a trusted expert to assist us with integrating these services
- 10. ADFS Configuration Recommendations • Many useful resources are available • Primarily used Steve Peschka’s guide for configuring ADFS & SharePoint farm • Official Microsoft documentation • Expiration time of token signing certificate between ADFS and SharePoint (x509 certificate) • Determine ADFS session cookie timeout to work properly with SharePoint cookie timeout • Learn how the ForeFront Identity Manager interacts with the User Profile Sync Service in SharePoint 2010
- 12. Migrating data between ADFS (SP 2010) and NTLM (SP 2007) • Microsoft AD Claims mapping scripts & tools • Third Party Tools – AvePoint DocAve • Mapping users and groups properly • DOMAINUSER to i:0ǵ.t|adfs 2.0|USER • DOMAINGROUP to c:0-.t|adfs 2.0|GROUP • Ensure AD Groups are listed as “Domain Group”
- 13. General Concerns #1 • Search Service Application requires an NTLM web application, but make sure you do not put search site in the Intranet zone. Use extranet, internet, or custom. Outlook uses intranet zone first as default when connecting to SharePoint. • Set session cookies to false (default) to ensure Office applications do not need to re-authenticate (use persistent cookies) • Investigate whether F5 should use source IP address or cookie based persistent type • Test Explorer View and Access DataSheet views to ensure they work properly (hotfix for Access)
- 14. General Concerns #2 • Built-in People Picker does not work effectively with ADFS. Build custom people picker or try open source people picker. • InfoPath is not fully supported with ADFS • Incoming email requires changes to properly map users with trusted identity provider • Test email-enabled AD Groups to ensure alerts work properly • “Sign In as Different User” does not work unless closing browser, run-as, or in-private browsing? • Test Macintosh Microsoft Document Connection • Meeting Attendee lists require full email address
- 15. Summary • Test, Test, Test – all clients, internal networks, internet, all critical functions • Monitor end-to-end validating ADFS and SharePoint are authenticating users properly • SharePoint 2013 does resolve many issues (especially with cookies) • Just found: A good summary experience from Red Cross
- 16. Next Steps? • Upgrading to SharePoint 2013 and Office 365 • Continue the discussion: • jkaram@Princeton.edu • LinkedIn (jkaram) • Yammer (jkaram) • Twitter (@jkaram)
- 17. Appendix: Incoming email Commands • Need to have latest CU installed for SP 2010 • Can run either: $w = Get-SPWebApplication $w.Properties["disable-active-directory-resolve"] = "true" $w.Properties["enable-trusted-resolve"] = "true" $w.Update() OR $farm = Get-SPFarm $farm.Properties["disable-active-directory-resolve"] = "true" $farm.Properties["enable-trusted-resolve"] = "true" $farm.Update()
- 18. Useful Security Powershell Commands • Get-SPTrustedIdentityTokenIssuer • Get-SPTrustedServiceTokenIssuer • Get-SPClaimProvider • Adding a new relying party trust to existing provider