1. Case Study:
Transitioning to using
Active Directory Federation Services
with SharePoint 2010
Joe Karam
Princeton University
Office of Information Technology
SharePoint Saturday New Jersey 2014
2. New Jersey SharePoint user group
• Different SharePoint discussions each month on various topics. Announced on meetup.com
• Meets 4th Tuesday of every month
• 6pm – 8pm
• Microsoft Office (MetroPark)
• 101 Wood Ave, Iselin, NJ 08830
• http://www.njspug.com
3. Thank You Event Sponsors
• Diamond & Platinum sponsors have tables here in the Fireside Lounge
• Please visit them and inquire about their products & services
• Also, to be eligible for prizes, make sure to get your bingo card stamped
4. Agenda
• Introduction to SharePoint & ADFS @Princeton
• Advantages and concerns with transitioning to ADFS
• Configuration considerations with ADFS and SharePoint 2010
• Issues with migrating data between NTLM and ADFS SharePoint environments
• Issues with using ADFS and AD Groups
• Cookie options with ADFS and impact on Office applications
• Troubleshooting issues with ADFS and user profile services
• Summary
5. Princeton SharePoint Implementation
• Using SharePoint 2007 since 2008
• Currently migrating to SharePoint 2010 (over 80% complete)
• Mostly used for internal department collaborations
• Very little student use
• Approximately 110 department sites
• Approximately 750GB farm size
• Some customized sites
• Decentralized administration
6. What is Active Directory Federation Services (ADFS)?
• Provides single sign-on to authenticate users to multiple web applications in a single session using token claims.
• Allows organizations to provide access to trusted users from different domains.
• Domain users and groups are encoded as claims identities
• READ: How claims encoding works in SharePoint 2010
7. Why did Princeton choose ADFS for SP 2010?
• Consistent authentication experience for a variety of clients using SharePoint 2010, from on-campus to all over the world
• Improved security for authentication with SharePoint
• Planning for the future: migrating to Office 365 and using with other SSO applications
• Microsoft “encouragement” to use claims-based authentication, with only limited support for classic authentication
8. Princeton SharePoint 2010 Environment
• Two virtual ADFS servers
• Three virtual SharePoint 2010 front-end servers
• Two virtual SharePoint 2010 application servers
• SQL Cluster backend with SAN storage
• F5 Load Balancer
• Firewall
• AvePoint DocAve management
9. Is it an F5 issue? An ADFS issue? A SharePoint issue?
• Our first experience with ADFS, SharePoint 2010, and F5
• Microsoft technical support going back and forth between ADFS and SharePoint teams for troubleshooting
• Finding a trusted expert to assist us with integrating these services
10. ADFS Configuration Recommendations
• Many useful resources are available
• Primarily used Steve Peschka's guide for configuring ADFS & SharePoint farm
• Official Microsoft documentation
• Expiration time of the token signing certificate between ADFS and SharePoint (X.509 certificate)
• Determine ADFS session cookie timeout to work properly with SharePoint cookie timeout
• Learn how the Forefront Identity Manager interacts with the User Profile Sync Service in SharePoint 2010
12. Migrating data between ADFS (SP 2010) and NTLM (SP 2007)
• Microsoft AD Claims mapping scripts & tools
• Third Party Tools – AvePoint DocAve
• Mapping users and groups properly
  • DOMAIN\USER to i:0Ǿ.t|adfs 2.0|USER
  • DOMAIN\GROUP to c:0-.t|adfs 2.0|GROUP
• Ensure AD Groups are listed as “Domain Group”
13. General Concerns #1
• Search Service Application requires an NTLM web application, but make sure you do not put the search site in the Intranet zone. Use Extranet, Internet, or Custom. Outlook uses the Intranet zone first by default when connecting to SharePoint.
• Set session cookies to false (the default) so that Office applications do not need to re-authenticate (use persistent cookies)
• Investigate whether F5 should use source IP address or cookie-based persistence
• Test Explorer View and Access Datasheet views to ensure they work properly (hotfix for Access)
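An added example, not code from the slides, that checks three of the points raised on slide 10 and here from one SharePoint 2010 Management Shell session: how long the copy of the ADFS token-signing certificate held by the trusted identity provider is still valid, whether SharePoint's LogonTokenCacheExpirationWindow is shorter than the ADFS token lifetime (the relationship that decides the effective cookie timeout), and whether the security token service is issuing session or persistent cookies. The ADFS figures are fetched over PowerShell remoting; the ADFS host name, the relying party trust name and the SharePoint provider name "ADFS 2.0" are placeholders.

```powershell
# Added example, not from the presentation. Run in the SharePoint 2010
# Management Shell on a farm server; the ADFS side is read over WinRM.
# Placeholders: ADFS host name, relying party trust name, provider name.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$adfsServer   = "adfs1.example.edu"   # placeholder
$rpTrustName  = "SharePoint 2010"     # placeholder relying party trust name in ADFS
$providerName = "ADFS 2.0"            # name of the SPTrustedIdentityTokenIssuer

# --- ADFS side: SAML token lifetime for this relying party and the SSO
#     (web session) lifetime. Needs WinRM and admin rights on the ADFS box.
$adfs = Invoke-Command -ComputerName $adfsServer -ArgumentList $rpTrustName -ScriptBlock {
    param($name)
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    $rp = Get-ADFSRelyingPartyTrust -Name $name
    # TokenLifetime is in minutes; 0 means "use the ADFS default" (60 minutes)
    $lifetime = $rp.TokenLifetime
    if ($lifetime -eq 0) { $lifetime = 60 }
    New-Object PSObject -Property @{
        TokenLifetimeMinutes = $lifetime
        SsoLifetimeMinutes   = (Get-ADFSProperties).SsoLifetime
    }
}

# --- SharePoint side ------------------------------------------------------
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
$cfg    = Get-SPSecurityTokenServiceConfig

# 1. Token-signing certificate. SharePoint validates ADFS tokens against the
#    copy of the signing certificate stored in the trusted issuer, so when
#    ADFS rolls the certificate (or it simply expires) every login fails
#    until the new one is imported here.
$cert     = $issuer.SigningCertificate
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
"Signing cert: {0}, expires {1:yyyy-MM-dd} ({2} days left)" -f $cert.Subject, $cert.NotAfter, $daysLeft
if ($daysLeft -lt 30) {
    Write-Warning "Renew the ADFS token-signing certificate and re-import it into '$providerName'."
}

# 2. Cookie timeout alignment. SharePoint treats a token as expired once it
#    is within LogonTokenCacheExpirationWindow of the end of its ADFS
#    lifetime, so the window must be shorter than the ADFS TokenLifetime;
#    otherwise users are bounced straight back to ADFS (a login loop).
$windowMinutes = [int]$cfg.LogonTokenCacheExpirationWindow.TotalMinutes
"ADFS TokenLifetime: {0} min, ADFS SsoLifetime: {1} min, SharePoint LogonTokenCacheExpirationWindow: {2} min" -f `
    $adfs.TokenLifetimeMinutes, $adfs.SsoLifetimeMinutes, $windowMinutes
if ($windowMinutes -ge $adfs.TokenLifetimeMinutes) {
    Write-Warning "LogonTokenCacheExpirationWindow ($windowMinutes min) is not shorter than the ADFS token lifetime ($($adfs.TokenLifetimeMinutes) min); lower the window or raise the ADFS TokenLifetime."
}
"Effective SharePoint session before re-authentication: {0} min" -f ($adfs.TokenLifetimeMinutes - $windowMinutes)

# 3. Session vs. persistent cookies. Office client applications open their
#    own HTTP sessions and cannot reuse a browser-only session cookie, so
#    UseSessionCookies should stay $false (a persistent FedAuth cookie).
"UseSessionCookies: {0}" -f $cfg.UseSessionCookies
if ($cfg.UseSessionCookies) {
    $cfg.UseSessionCookies = $false
    $cfg.Update()
    "Switched to persistent cookies; run iisreset on each web front end for the change to take effect."
}
```

With the stock values (ADFS TokenLifetime 60 minutes, LogonTokenCacheExpirationWindow 10 minutes) users get about 50 minutes before SharePoint sends them back to ADFS; lowering TokenLifetime below the window is the usual cause of the ADFS/SharePoint redirect loop, and raising the window instead of the lifetime shortens every session.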
14. General Concerns #2
• Built-in People Picker does not work effectively with ADFS. Build a custom people picker or try an open source people picker.
• InfoPath is not fully supported with ADFS
• Incoming email requires changes to properly map users with the trusted identity provider
• Test email-enabled AD Groups to ensure alerts work properly
• “Sign In as Different User” does not work unless closing the browser, using run-as, or in-private browsing?
• Test Macintosh Microsoft Document Connection
• Meeting Attendee lists require full email address
15. Summary
• Test, Test, Test – all clients, internal networks, internet, all critical functions
• Monitor end-to-end, validating that ADFS and SharePoint are authenticating users properly
• SharePoint 2013 does resolve many issues (especially with cookies)
• Just found: a good summary of the Red Cross's experience
16. Next Steps?
• Upgrading to SharePoint 2013 and Office 365
• Continue the discussion:
  • jkaram@Princeton.edu
  • LinkedIn (jkaram)
  • Yammer (jkaram)
  • Twitter (@jkaram)
17. Appendix: Incoming email Commands
• Need to have the latest CU installed for SP 2010
• Can run either (for a single web application; replace <web application URL> with the web application that receives incoming email):
$w = Get-SPWebApplication -Identity "<web application URL>"
$w.Properties["disable-active-directory-resolve"] = "true"
$w.Properties["enable-trusted-resolve"] = "true"
$w.Update()
OR (for the whole farm):
$farm = Get-SPFarm
$farm.Properties["disable-active-directory-resolve"] = "true"
$farm.Properties["enable-trusted-resolve"] = "true"
$farm.Update()
18. Useful Security PowerShell Commands
• Get-SPTrustedIdentityTokenIssuer
• Get-SPTrustedServiceTokenIssuer
• Get-SPClaimProvider
• Adding a new relying party trust to existing provider