SharePoint Fest Chicago 2014 - Anatomy of SharePoint and Office 365 Hybrid Deployment – Real-world End-to-End Configuration Blueprint
2. About Me
• Principal Consultant, Slalom Consulting, Chicago
• Current focus area: SharePoint 2013 and Office 365
Contact Info
• Email: patenik2@yahoo.com
• Blog: Nik Patel's SharePoint World - http://nikpatel.net/
• Twitter: @nikxpatel, @slalomchicago
• LinkedIn: linkedin.com/in/nikspatel
• Slideshare: slideshare.net/patenik2
5. Federated identity and directory synchronization
Enables a consistent single sign-on experience across SharePoint Online and SharePoint on-premises
SharePoint On-premises
Hosting critical business data and applications with full control over ownership and the change management cycle
SharePoint Online
Microsoft's Mobile-First, Cloud-First, and Productivity-First model, with innovations delivered more frequently
SharePoint Hybrid
Content and workloads spanning both on-premises and the cloud
12. One-way outbound
Enables a SharePoint Server 2013 on-premises server farm to connect to SharePoint Online
One-way inbound
Enables SharePoint Online to connect to SharePoint Server 2013 through a reverse-proxy device
Two-way (bidirectional)
Enables connections between SharePoint Online and SharePoint Server 2013 from both systems
13. Corporate Data Centers
Allows you to fully control the SharePoint environment, including server and network updates
Third-party Data Centers
Allows you to outsource the SharePoint environment as a dedicated service, including server and network updates
Windows Azure or Amazon IaaS
Allows you to host the SharePoint environment in a public cloud service and offload server and network maintenance tasks
14. Cloud Identity
Single identity in the cloud
Synchronized Identity
Single identity across both cloud and on-premises
Federated Identity (SSO)
Single federated identity across both cloud and on-premises
15. • External Sharing
• Collaboration
• Communication and Publishing
• Social Conversations
• Personal Storage
• Digital Asset Management
• Personalized Insights
• Self-Service BI
• Hybrid Search
• Custom Applications Integration with BCS
• Managed Metadata and Terms
• User Profiles and personalized preferences
• Web Content Management
• Records Management
• Enterprise BI
27. [Architecture diagram: on-premises domain controller (DOMAIN.NET, DOMAIN.COM) and SharePoint farm behind network load balancers, serving internal and external users; Windows Azure Active Directory and the DOMAIN.SHAREPOINT.COM tenant in the cloud]
28. Choose the subscription level (E1-E4); these licenses can be mixed within one tenant
Specify the unique tenant name and the Global Administrator user ID and password
Specify the country where your tenant will be located (unless your EA states otherwise)
29. Specify a domain name and confirm ownership (e.g. chipchybrid.com)
Set the domain purpose: which services (e.g. Lync or Exchange) will use the domain
Configure DNS by creating the verification record with your DNS hosting provider
Complete the domain setup and choose the default domain
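The same domain setup done with the Windows Azure AD (MSOnline) PowerShell module instead of the portal wizard. This is an added example, not a script from the deck; the domain chipchybrid.com is the deck's sample name, and the polling loop that waits for the TXT record to appear in public DNS before calling Confirm-MsolDomain is the check that avoids the usual "verification failed, try again later" round trip.

```powershell
# Added example (not from the presentation). Assumes the MSOnline module is installed
# and the hypothetical domain chipchybrid.com is hosted at a public DNS provider.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message "Office 365 Global Administrator")

$domain = "chipchybrid.com"

# Register the domain as managed; federation is switched on later, after AD FS is in place
New-MsolDomain -Name $domain -Authentication Managed | Out-Null

# Office 365 hands out the TXT record that proves ownership; create it at the DNS hosting provider
$proof = Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord
"Create a TXT record at the DNS host: {0} = {1}" -f $proof.Label, $proof.Text

# Check: wait until a public resolver actually returns the record before asking Office 365 to confirm it;
# calling Confirm-MsolDomain earlier simply fails and has to be retried
$attempts = 0
do {
    Start-Sleep -Seconds 30
    $attempts++
    $txt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Strings -contains $proof.Text }
} until ($txt -or $attempts -ge 20)
if (-not $txt) { throw "Verification TXT record for $domain not visible in DNS after $($attempts * 30) seconds" }

Confirm-MsolDomain -DomainName $domain

# Make it the default domain for new users and show the capabilities (Email, OfficeCommunicationsOnline, ...)
Set-MsolDomain -Name $domain -IsDefault
Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication, Capabilities
```

The MSOnline module is the tooling of the deck's era (2014); it has since been deprecated in favour of the Microsoft Graph PowerShell SDK, but the sequence (register, publish proof record, confirm, set default) is unchanged.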
32. Configure SharePoint 2013 SP1 on-premises environments at minimum: SP1 enables Yammer and OneDrive for Business redirection from on-premises
Configure the primary web applications and site collections
For hybrid search, a web application zone using Integrated Windows Authentication (NTLM) claims is required; this can be a dedicated zone extended from the default SAML claims zone
Enable SharePoint on-premises services for hybrid
• Required service applications
• User Profile Service Application (UPA)
• App Management Service and Subscription Settings Service
• Also recommended
• Managed Metadata Service
• User Profile Synchronization Service (UPS)
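Creating the two required service applications and checking the web application for a Windows (NTLM) claims zone can be scripted in the SharePoint 2013 Management Shell. This is an added example, not from the deck; the managed account DOMAIN\sp_services, the web application URL https://sharepoint.chipchybrid.com and the database names are hypothetical.

```powershell
# Added example (not from the presentation). Run in an elevated SharePoint 2013 Management Shell
# as the farm administrator. Account, URL and database names below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account = Get-SPManagedAccount "DOMAIN\sp_services"
$appPool = New-SPServiceApplicationPool -Name "HybridServicesAppPool" -Account $account

# Subscription Settings and App Management service applications: required before an app principal
# (SharePoint Online) can be registered in the farm later in the S2S trust setup
$subSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPool `
            -Name "Subscription Settings Service" -DatabaseName "SP_SubscriptionSettings"
New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $subSvc | Out-Null

$appSvc = New-SPAppManagementServiceApplication -ApplicationPool $appPool `
            -Name "App Management Service" -DatabaseName "SP_AppManagement"
New-SPAppManagementServiceApplicationProxy -ServiceApplication $appSvc | Out-Null

# Start the matching service instances on this server
Get-SPServiceInstance |
    Where-Object { $_.TypeName -in "App Management Service",
                                   "Microsoft SharePoint Foundation Subscription Settings Service" -and
                   $_.Status -ne "Online" } |
    Start-SPServiceInstance | Out-Null

# Check: hybrid search needs at least one zone of the web application with Integrated Windows (NTLM)
# claims authentication. Walk every zone's IIS settings and report the ones that qualify.
$wa = Get-SPWebApplication "https://sharepoint.chipchybrid.com"
$ntlmZones = foreach ($zone in $wa.IisSettings.Keys) {
    $iis = $wa.IisSettings[$zone]
    $win = $iis.ClaimsAuthenticationProviders |
           Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider] }
    if ($iis.UseClaimsAuthentication -and $win -and $win.UseWindowsIntegratedAuthentication) { $zone }
}
if (-not $ntlmZones) {
    Write-Warning "No zone uses Integrated Windows (NTLM) claims; extend $($wa.Url) to a new zone before configuring hybrid search"
} else {
    "Windows claims zone(s) on $($wa.Url): $($ntlmZones -join ', ')"
}
```

If the default zone is SAML (AD FS) claims, the warning is the expected outcome: extend the web application to an additional zone with Windows authentication, which is what the slide means by a dedicated zone.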
43. Federation is optional for outbound or inbound hybrid topologies, but is recommended for an SSO user experience
Use a dedicated AD FS service account and activate the AD FS 3.0 role on Windows Server 2012 R2
45. Publish AD FS through a reverse proxy for external access
Create a public DNS record for the published endpoint (e.g. adfs.chipchybrid.com)
46. Set up a trust between AD FS and Office 365 / Windows Azure AD
Install the Microsoft Online Services Sign-in Assistant and the Windows Azure AD PowerShell module on the AD FS server
Run Convert-MsolDomainToFederated -DomainName <domain>
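The federation steps on slides 43-46 as one script, with the two checks a practitioner wants afterwards: that Azure AD now reports the domain as federated with the expected AD FS endpoints, and that the reverse proxy really serves the federation metadata and sign-in page on the public name. This is an added example, not the deck's commands; the domain chipchybrid.com and the public host adfs.chipchybrid.com are assumed, and it is run on the AD FS server itself.

```powershell
# Added example (not from the presentation). Run on the AD FS 3.0 server as an AD FS administrator,
# with the Sign-in Assistant and MSOnline module installed. Domain and host names are assumptions.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message "Office 365 Global Administrator")

$domain   = "chipchybrid.com"
$adfsHost = "adfs.chipchybrid.com"

# Point the MSOnline cmdlets at the local AD FS farm. Convert-MsolDomainToFederated creates the
# "Microsoft Office 365 Identity Platform" relying party trust in AD FS and switches the domain
# in Azure AD from managed (password) to federated authentication.
Set-MsolADFSContext -Computer $env:COMPUTERNAME
Convert-MsolDomainToFederated -DomainName $domain

# Check 1: Azure AD treats the domain as federated and points at this AD FS instance
$d = Get-MsolDomain -DomainName $domain
if ($d.Authentication -ne "Federated") { throw "$domain is still $($d.Authentication)" }
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# Check 2: the reverse proxy publishes the metadata and the passive sign-in page under the public name
# (these are the URLs Office 365 and browsers will hit; IdpInitiatedSignOn is enabled by default on AD FS 3.0)
foreach ($path in "/FederationMetadata/2007-06/FederationMetadata.xml", "/adfs/ls/IdpInitiatedSignOn.aspx") {
    $r = Invoke-WebRequest -Uri "https://$adfsHost$path" -UseBasicParsing
    "{0} -> HTTP {1}" -f $path, $r.StatusCode
}
```

If check 2 fails from an external network while succeeding internally, the reverse-proxy publishing rule or the public DNS record from slide 45 is the problem, not the federation trust.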
48. Server-to-server trust between SharePoint Online and SharePoint on-premises: the trust relationship between SharePoint on-premises, SharePoint Online, and Windows Azure Active Directory
Security tokens issued by the Windows Azure Active Directory Access Control Service are trusted by both SharePoint on-premises and SharePoint Online, and grant users access to resources
SharePoint Online is registered as a high-trust application (app principal) in SharePoint on-premises
49. Create a new security token service (STS) certificate (at least 2048-bit)
Either a self-signed or a public CA certificate is supported, but a domain-issued (enterprise CA) certificate is not
50. # Import the SharePoint Management PowerShell snap-in
# Replace the STS certificate for the on-premises environment
Create a new security token service (STS) certificate (at least 2048-bit) for the server-to-server trust
Either a self-signed or a public CA certificate is supported, but a domain-issued (enterprise CA) certificate is not
Replace the default STS certificate on all on-premises SharePoint servers in the farm
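A worked version of the STS certificate replacement on slides 49-50, added here as an example rather than the deck's own script. It creates a self-signed 2048-bit certificate, checks the key size and private key before touching the farm, imports it as the STS signing certificate and restarts the services that cache it. The subject name sts.chipchybrid.com and the PFX path are assumptions.

```powershell
# Added example (not from the presentation). Run as the farm administrator in an elevated
# SharePoint 2013 Management Shell. Subject name and PFX path are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pfxPath = "C:\Certs\sts.pfx"
$pfxPass = Read-Host -AsSecureString -Prompt "PFX password"

# Self-signed 2048-bit RSA certificate (New-SelfSignedCertificate's default key size). A public CA
# certificate works the same way; a domain (enterprise CA) issued one is not supported for the S2S trust.
$cert = New-SelfSignedCertificate -DnsName "sts.chipchybrid.com" -CertStoreLocation "cert:\LocalMachine\My"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# Checks before changing the farm: key length and a usable private key
if ($cert.PublicKey.Key.KeySize -lt 2048) { throw "STS certificate key is shorter than 2048 bits" }
if (-not $cert.HasPrivateKey)             { throw "STS certificate has no private key" }

# Load the PFX with key storage flags 20 = Exportable (4) + PersistKeySet (16) so the STS service can use the key,
# then make it the farm's token signing certificate
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPass)
$pfxPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$stsCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pfxPath, $pfxPlain, 20
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCertificate

# The setting is stored in the farm configuration, but every server caches the old certificate:
# restart the timer service and IIS here, and repeat this import plus restart on each server with the same PFX
Restart-Service SPTimerV4
iisreset

# Verify which certificate the farm now signs with; this thumbprint is what gets uploaded to SharePoint Online
(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate | Select-Object Subject, Thumbprint, NotAfter
```

Keep the PFX and its password out of scripts and source control after the rollout: whoever holds this private key can mint tokens the whole farm trusts.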
51. # Load PowerShell modules
# Configure remoting in PowerShell
# Log on to the SharePoint Online tenant (use the credentials of a tenant Global Administrator)
Install the following tools on the Central Administration server:
The Microsoft Online Services Sign-In Assistant
The Azure Active Directory Module for Windows PowerShell (64-bit version)
The SharePoint Online Management Shell (64-bit version)
Execute PowerShell to configure the S2S trust between SharePoint on-premises and SharePoint Online
You must log on to the Central Administration server with a Farm Administrator account (e.g. sp_farm) to run the PowerShell
52. # Set up variables
# Upload the new on-premises STS certificate to SharePoint Online
# Add a service principal name (SPN) for the public domain name in Azure AD
53. # Register the SharePoint Online application principal object ID as a trusted provider in the SharePoint on-premises farm
# Set the on-premises SharePoint authentication realm to the context ID of the Office 365 tenancy
# Establish an S2S trust relationship between SharePoint on-premises and Windows Azure AD
# Configure an on-premises ACS proxy for Azure AD to validate OAuth requests between SharePoint Online and SharePoint on-premises; ACS becomes a trusted token issuer for the on-premises farm
# Fix SharePoint on-premises (if on-premises April 2014 CU or later) - see: http://support.microsoft.com/kb/3000380
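The comment headers on slides 51-53 are the skeleton of the S2S trust script; the following is an added, filled-in example following the same steps, not the deck's own script. It assumes a hypothetical tenant whose public on-premises name is *.chipchybrid.com and root site https://sharepoint.chipchybrid.com, uses the well-known SharePoint Online application principal ID 00000003-0000-0ff1-ce00-000000000000, and ends with a check that the realm and trust broker were actually set. The KB 3000380 fix from the last bullet is a separate step and is not reproduced here.

```powershell
# Added example (not from the presentation). Run in an elevated SharePoint 2013 Management Shell
# on the Central Administration server as the farm administrator, after the STS certificate was replaced.
# Tenant names, URLs and the wildcard public name are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline -Force
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking -Force

# Log on to the SharePoint Online tenant with a Global Administrator
$cred = Get-Credential -Message "Office 365 Global Administrator"
Connect-MsolService -Credential $cred

# Set up variables
$spcn             = "*.chipchybrid.com"                        # public DNS name of the on-premises web application
$site             = Get-SPSite "https://sharepoint.chipchybrid.com"
$spoappid         = "00000003-0000-0ff1-ce00-000000000000"     # well-known app principal ID of SharePoint Online
$spocontextID     = (Get-MsolCompanyInformation).ObjectId      # Office 365 tenant (context) ID
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/$spocontextID/metadata/json/1"

# Upload the new on-premises STS certificate to SharePoint Online: the public key is stored on the
# SharePoint Online principal as a key that verifies tokens signed by the on-premises STS
$stsCert   = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
$credValue = [System.Convert]::ToBase64String($stsCert.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue

# Add an SPN for the public domain name, so tokens addressed to <appid>/<public host> are accepted
$msp  = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoappid/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns

# Register the SharePoint Online application principal (object ID @ tenant ID) as a trusted app principal on-premises
$spoappprincipalID = (Get-MsolServicePrincipal -AppPrincipalId $spoappid).ObjectId
$sponameidentifier = "$spoappprincipalID@$spocontextID"
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier $sponameidentifier -DisplayName "SharePoint Online" | Out-Null

# Set the on-premises authentication realm to the tenant context ID; OAuth tokens for a different realm are rejected
Set-SPAuthenticationRealm -Realm $spocontextID

# Establish the trust: an ACS service application proxy so the farm can read Azure AD metadata,
# and ACS itself as a trusted token issuer acting as trust broker for the farm
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup | Out-Null
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS" | Out-Null

# Checks: realm matches the tenant, and ACS is registered as a trust broker
if ((Get-SPAuthenticationRealm) -ne $spocontextID) { throw "Authentication realm does not match tenant $spocontextID" }
Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.IsTrustBroker } | Select-Object Name, RegisteredIssuerName
```

Two of these settings are farm-wide and security-relevant: Set-SPAuthenticationRealm changes the realm for every OAuth-based app trust in the farm, and a trust broker entry means any token brokered by that issuer is accepted, so both should be reviewed as part of change management rather than treated as search-only configuration.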
56. Enable the Search Service application on SharePoint on-premises
Create crawled content in SharePoint on-premises and SharePoint Online
Verify search in SharePoint on-premises and SharePoint Online for the same user
57. Protocol: Remote SharePoint
Remote Service URL: SharePoint Online root site URL
Credentials: Default Authentication - SharePoint Online is configured to authenticate queries using Windows Azure Active Directory
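The same outbound result source created with the search object model instead of the Search Administration page, as an added example that is not part of the deck. The tenant root URL https://chipchybrid.sharepoint.com is assumed. The inbound counterpart on slide 68 is configured in the SharePoint Online admin center and has no on-premises PowerShell equivalent.

```powershell
# Added example (not from the presentation). Run in the SharePoint 2013 Management Shell on-premises.
# Tenant URL and source name are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssa        = Get-SPEnterpriseSearchServiceApplication
$owner      = Get-SPEnterpriseSearchOwner -Level Ssa       # SSA level: available to every site collection in the farm
$fedManager = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager($ssa)

# Protocol "Remote SharePoint" is the Remote SharePoint Provider in the object model
$provider = $fedManager.ListProviders()["Remote SharePoint Provider"]

$source = $fedManager.CreateSource($owner)
$source.Name                  = "SharePoint Online"
$source.ProviderId            = $provider.Id
$source.ConnectionUrlTemplate = "https://chipchybrid.sharepoint.com"   # Remote Service URL: SPO root site
# Credentials: Default Authentication, i.e. no stored credential; the query carries the user's identity
# through the S2S trust and SharePoint Online authorises it against Windows Azure AD
$source.CreateQueryTransform($owner, "{searchTerms}")
$source.Commit()

# Check: the source exists at SSA level with the expected provider and URL
$fedManager.GetSourceByName("SharePoint Online", $owner) | Select-Object Name, ProviderId, ConnectionUrlTemplate
```

Verification of the end-to-end path is still the slide's "same user on both sides" test: a query from an on-premises results page using this source returns SharePoint Online items only for a user who has a synchronized or federated identity and permissions in the tenant.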
67. Create crawled content in SharePoint on-premises and SharePoint Online
Verify search on both SharePoint on-premises and SharePoint Online for same user
68. Protocol: Remote SharePoint
Remote Service URL: reverse-proxy address of the SharePoint on-premises primary web application
Credentials: SSO ID - to authenticate to the reverse proxy, enter the Secure Store target application ID that contains the Windows certificate