3. ABOUT ME
• Jethro SEGHERS
• Office 365 MVP
• @jseghers
• http://www.j-solutions.be/blog
4. AGENDA
• What is hybrid within Office 365
• Why hybrid
• Different setups
• Analysis of the building blocks
• Different Steps
• See The Results
• Resources
• Q&A
7. OFFICE 365 IS ATTRACTIVE
1. It saves me a lot of €€€€€
2. I always have the latest and greatest collaboration, email and UC tools
3. Allows me to focus on my core business, not IT
4. Microsoft can run SP more reliably and efficiently than I can
5. I can easily scale up/down according to demand
6. I can more easily work with customers, partners outside of my company
8. But … MY BUSINESS IS ON PREMISE
1. I have existing investments (customized SP deployments w/ lots of data and settings, custom solutions, LOB systems, etc.)
2. I can’t do everything in the Cloud that I can do on premise
3. I want to protect my sensitive data by keeping it close
10. WHY HYBRID - MIGRATION
• Early Adopter: Move all data to the cloud ASAP.
• Risk Averse: Get a trial on SPO; evaluate risks and numbers (ROI).
• Typical: Freeze on-premise site creation; start with new content first.
12. WHY HYBRID - BUSINESS DRIVEN
• Keep Sensitive Data on Premise (whatever sensitive may mean)
• Capacity Flexibility
• Intranet – Extranet
• Collaboration with External Partners
• Typically defined in your Information structure & governance plan.
• Geo Location
• …
18. INGREDIENTS
• An operational on-premises AD DS domain in a single forest
• An on-premises server for AD FS 2.0
• An on-premises server for the Windows Azure Directory Synchronization tool
• Windows Azure PowerShell Cmdlets
• Internet Domain & DNS access
• An operational SharePoint 2013 Farm
• An X.509 wildcard or SAN certificate
• Office 365 Enterprise Subscription with 15.0.0.4420 as the minimum build number
• A supported on-premises reverse proxy device (only for inbound & bidirectional communication)
20. Reverse Proxy and Auth
• When using hybrid features Office 365 sends requests from sites in the cloud to your on-premise farm
• You need to establish a reverse proxy for these calls to be channeled through to secure the process
• Those requests can be authenticated at the reverse proxy before they are forwarded to SharePoint
• SharePoint supports using a certificate for authenticating to the reverse proxy server when sending a request
(Architecture diagram: UAG, ADFS Servers, SharePoint Servers, Office 365, Dirsync and Tools Servers)
21. Reverse Proxy Requirements
• 2 network cards - one connected to the Internet and the other to the internal company network
• Route inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headers
• Support SSL termination
• UAG, F5, …
22. Identity Provider
In order to have a single sign-on experience, you need a federated identity provider like ADFS:
• 2 or more load balanced ADFS servers
• An SSL certificate for the ADFS site
• A proxy device, like the ADFS proxy server
• All users must have a UPN of a registered domain (i.e. “.local” or similar suffixes will not work)
• Service Account: Logon as Batch Job & Logon as a Service
23. MSOL TOOLS
• Microsoft Online Sign In Assistant
• Windows Azure Active Directory PowerShell Cmdlets (in portal)
• You need to run this on SharePoint Server to configure trust with ACS
• You need to run this for SSO (usually run on own server)
24. SSO: Connect ADFS to Office 365
1. Connect-MSOLService
2. New-MSOLFederatedDomain
3. Update DNS
OR
1. Add Domain via Office 365 Portal
2. Update DNS
3. Connect-MSOLService
4. Convert-MSOLDomainToFederated
!!! USE SMARTLINKS !!!
!!! Run this on your Primary ADFS Server !!!
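The second path on this slide (domain already added and verified in the portal) as a script, an added example that is not part of the deck. It assumes the MSOnline (Windows Azure AD) module from the MSOL Tools slide; the domain name and AD FS server name are placeholders.

```powershell
# Added example (not from the deck): federate an already-verified Office 365 domain with AD FS.
# Run on the primary AD FS server, as the slide requires, with the MSOnline module installed.
# Placeholder values below must be replaced; none of them come from a real tenant.
Import-Module MSOnline

$domain     = "contoso.example"        # placeholder: domain already added and verified in the portal
$adfsServer = "adfs01.corp.example"    # placeholder: primary AD FS server (only needed when not local)

# Authenticate as a Global Administrator of the tenant
Connect-MsolService

# Point the federation cmdlets at the AD FS farm (omit when running on the primary server itself)
Set-MsolADFSContext -Computer $adfsServer

# Convert the domain from managed to federated: this writes the Office 365 relying-party trust
# into AD FS and the federation settings (issuer URI, token-signing certificate) into Office 365
Convert-MsolDomainToFederated -DomainName $domain

# Check: Office 365 should now hold the AD FS issuer URI and endpoints for this domain ...
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# ... and both sides should agree; a mismatch here is the usual cause of SSO failing after
# a token-signing certificate rollover on the AD FS side
Get-MsolFederationProperty -DomainName $domain
```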
25. DirSync
• Do Not Run it on an AD – Single Forest (at this time)
• Service accounts: svc_dirsync: Enterprise Admin on AD, Global Administrator on Office 365
• Install DirSync and let the Wizard Run
• Syncs Users, Groups & Contacts
!!! It doesn’t give your Users Licenses !!!
27. SharePoint 2013 Config
1. New STS Token Signing Certificate
2. Configuration of a Trust between SP on Premise & ACS
3. Configure Secure Store
4. Configure UPA
5. Try it!
28. STS Token Signing Certificate
You need to replace the default token signing certificate for the SharePoint STS because Access Control Service (ACS) will not trust it.
Replace it with
• A certificate issued by a public certificate authority
• A self-signed certificate that you create in IIS Manager
• NOT: Domain-issued certificate
Set-SPSecurityTokenServiceConfig with the ImportSigningCertificate flag.
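The certificate swap described on this slide as a script, an added example that is not part of the deck. It assumes the SharePoint 2013 Management Shell on a farm server; the PFX path is a placeholder, and the exported .cer is the public half you upload to Office 365 in the recap step.

```powershell
# Added example (not from the deck): replace the SharePoint STS token-signing certificate.
# Run as a farm administrator. The PFX must be public-CA issued or IIS self-signed;
# a domain-CA certificate is not accepted by ACS, so this script does not help with one.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pfxPath = "C:\certs\sts-signing.pfx"                       # placeholder
$pfxPass = Read-Host -Prompt "PFX password" -AsSecureString  # never hard-code this

# 20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16): the private key must be
# persisted in the machine store or the STS cannot sign once this session ends.
$stsCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $pfxPath, $pfxPass, 20

# Swap the signing certificate of the farm-wide Security Token Service
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCertificate

# Export only the public certificate (.cer, no private key): this copy goes to the local
# trusted root store and is the file you later upload to Office 365
$cerPath = [IO.Path]::ChangeExtension($pfxPath, ".cer")
[IO.File]::WriteAllBytes($cerPath, $stsCertificate.Export("Cert"))
certutil -addstore -enterprise -f -v root $cerPath

# The STS runs in IIS and the timer service caches the old certificate: restart both
iisreset
net stop SPTimerV4
net start SPTimerV4

# Check: the thumbprint the STS now reports should match the imported certificate
(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate.Thumbprint
$stsCertificate.Thumbprint
```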
29. Trust Between SP & ACS
Now you need to create an OAuth trust for applications to exchange data between O365 and on-prem.
Using MSOL PowerShell (on prem):
• Create an AppPrincipal credential using New-MsolServicePrincipalCredential
• Create a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxy
• Complete the trust using New-SPTrustedSecurityTokenIssuer
30. Configure Secure Store
The Secure Store Service is used to create an application that stores the certificate used to authenticate with the UAG HTTPS trunk.
• In Office 365 create a new Secure Store Service target application
• Save the Target Application ID name because you will use it when configuring a result source
• In the credentials field configure it as a Certificate Password
• Click the Set button for the Credentials
• Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fields blank
31. Configure UPA
It’s critically important that you:
• Have a UPA up and running
• Have it populated with current data from Active Directory
We use the UPA on the local farm to determine what rights a user has – what claims they have, what groups they belong to, etc.
With a hybrid solution, anything that you grant rights to needs to be in the profile system.
E.g., if you augment claims on premise and use a custom claims provider to grant rights to content using those claims, an Office 365 user would not see that data because those custom claims are not added when you log in to Office 365.
32. RECAP: Necessary Steps
• Install & Configure all necessary tools
• Replace STS Certificate
• Upload Certificate to Office 365
• Add Hostname of server to SP Principal object of Office 365
• Register SPO S2S Principal Object to On Premise
• Set SP Authentication Realm to Context ID of Office 365 Tenant
• Configure On Premise ACS Proxy and setup Trust with ACS.
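The trust steps from the "Trust Between SP & ACS" slide and this recap, in the recap's order, as one script. This is an added example, not the deck's or Microsoft's own code; it assumes the SharePoint Management Shell with the MSOnline module loaded, and the .cer path, external FQDN and site URL are placeholders. The SharePoint Online app principal ID is Microsoft's well-known value.

```powershell
# Added example (not from the deck): OAuth/S2S trust between the on-premises farm and ACS.
# Run as farm administrator and Office 365 Global Administrator. Placeholders marked below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline
Connect-MsolService

$cerPath  = "C:\certs\sts-signing.cer"                     # placeholder: public part of the new STS cert
$spcn     = "sharepoint.corp.example"                      # placeholder: external FQDN published by the reverse proxy
$spsite   = Get-SPSite "https://sharepoint.corp.example"   # placeholder: root site used for the app principal
$spoappid = "00000003-0000-0ff1-ce00-000000000000"         # well-known SharePoint Online app principal ID

# 1. Upload the STS certificate to Office 365 as a verification key of the SPO principal,
#    so ACS can validate tokens the on-premises STS signs (public key only, no private key)
$cert      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$credValue = [Convert]::ToBase64String($cert.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue

# 2. Add the on-premises hostname to the SPO service principal names
$msp  = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoappid/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns

# 3. Register the SPO principal on-premises and set the realm to the tenant context ID;
#    a wrong realm means every incoming token is rejected as issued for another audience
$spocontextID = (Get-MsolCompanyInformation).ObjectId
Register-SPAppPrincipal -Site $spsite.RootWeb -NameIdentifier "$($msp.ObjectId)@$spocontextID" -DisplayName "SharePoint Online"
Set-SPAuthenticationRealm -Realm $spocontextID

# 4. ACS proxy and trusted token issuer (IsTrustBroker: ACS issues tokens on behalf of other apps)
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/$spocontextID/metadata/json/1"
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"

# Check: the issuer exists and the realm equals the tenant context ID
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, RegisteredIssuerName
Get-SPAuthenticationRealm
```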
33. Create A Result Source
Create a new result source and:
• Use Remote SharePoint as the Protocol
If you are on-prem and getting results from Office 365:
• Use the Url of your Office 365 for the Remote Service Url
• Use Default Authentication for credentials
If you are in Office 365 and getting results from on-prem:
• Use the HTTPS Url of the UAG HTTPS trunk for the Remote Service Url
• Use SSO Id for credentials and enter the name of the SSO application definition you created to store the UAG certificate
35. Create A Query Rule
This is where you can do a “live” test to see if everything is working.
1. Create a new query rule
2. Remove the default Condition
3. Click on Add Result Block
4. Select your result source
5. Click on the Test tab and then click the “Show more” link
6. Type some query terms in the “{subjectTerms}:” edit box
7. Click the “Test query” button
If you have configured everything correctly – Voila! – you will see search results from the remote farm.
39. Troubleshooting Tips
If you aren’t getting data back between the two environments here are some things that you can do to narrow down the issue:
In your on-prem farm turn up the ULS logging:
Go into Central Admin, Monitoring, Configure diagnostic logging; expand SharePoint Foundation and select:
• App Auth
• Application Authentication
• Authentication Authorization
• Claims Authentication
Change the “least critical” dropdowns to Verbose and save changes.
Monitor the ULS logs each time you execute a query.
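The Central Admin steps above as a script, an added example that is not part of the deck. It assumes the SharePoint Management Shell on the on-premises farm; the category names are taken from the slide, and the output path is a placeholder.

```powershell
# Added example (not from the deck): scripted equivalent of the diagnostic-logging steps.
# Confirm the category names with Get-SPLogLevel before relying on them on your build.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$categories = @(
    "SharePoint Foundation:App Auth",
    "SharePoint Foundation:Application Authentication",
    "SharePoint Foundation:Authentication Authorization",
    "SharePoint Foundation:Claims Authentication"
)

# Raise the trace level of the four categories to Verbose so every token exchange is logged
Set-SPLogLevel -Identity $categories -TraceSeverity Verbose

# Start a fresh log file so the next test query is easy to isolate
New-SPLogFile

# ... run the query rule test, then collect the matching entries of the last 10 minutes
# from every server in the farm into one file (placeholder path)
Merge-SPLogFile -Path "C:\temp\hybrid-trace.log" -Area "SharePoint Foundation" `
    -Category "App Auth", "Application Authentication", "Authentication Authorization", "Claims Authentication" `
    -StartTime (Get-Date).AddMinutes(-10) -Overwrite

# Verbose tracing is costly and the logs may contain token details: reset when done
Clear-SPLogLevel -Identity $categories
```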
40. Troubleshooting Tips (cont.)
Use Fiddler as a reverse proxy on your SharePoint server; this requires:
• Installing Fiddler on the SharePoint server
• Writing a Fiddler script rule as described in Option #2 here: http://www.fiddler2.com/Fiddler/help/reverseproxy.asp
Look at the TextView of the Response. Here’s an example of an error that you can see in there:
41. Troubleshooting Tips (cont.)
Be aware of latency in queries across the cloud and on-premises.
• When a query is executed, ALL results must come back before the result is shown to the user
• Latencies can run 1200 to 1500 milliseconds
Because of this you may want to put some thought into when you want to fire a query at a remote source:
• If you duplicate every single query you could introduce significant load on a farm
• Where you want results back ASAP then you wouldn’t want remote queries to fire
• You can also create a dedicated page that only queries the remote source
In short – you can mix and match with query rules to decide what works best.