
Building a Hybrid SharePoint Environment

Building a Hybrid SharePoint Environment. Buckeye SharePoint User’s Group June 16, 2016. Paul Papanek Stork. Principal Architect Blue Chip Consulting Group http://www.bluechip-llc.com. Author Developer’s Guide to WSS 3.0 MOSS 2007 Best Practices


Presentation Transcript


  1. Building a Hybrid SharePoint Environment Buckeye SharePoint User’s Group June 16, 2016

  2. Paul Papanek Stork
     Principal Architect, Blue Chip Consulting Group, http://www.bluechip-llc.com
     Author: Developer’s Guide to WSS 3.0; MOSS 2007 Best Practices; MCTS: WSS 3.0 Configuration Study Guide (70-631); SharePoint 2010 Development for Office 365
     • Microsoft Community Contributor
     • Technet Forums
     • MSDN Forums
     • Yammer Groups
     Contact Information: Email: Paul.Stork@bluechip-llc.com; Blog: http://dontPaPanic.com/blog; Twitter: @PStork

  3. Agenda
     • Why Companies Need Hybrid?
     • Building Blocks for Original Hybrid Search
     • Inbound Hybrid Search
     • Outbound Hybrid Search
     • New Cloud Search Service Application
     • Redirecting MySites to OneDrive
     • Hybrid Picker

  4. Why Hybrid?
     • To replace network Home shares with “Free” storage in OneDrive for Business
     • To access On-premises legacy data from the Cloud
     • To search Exchange Online from On-premises SharePoint
     • To move “commodity” workloads to the Cloud
     • To provide easier external sharing
     • To replace third party file sharing like
       • Non-corporate - like OneDrive and Dropbox
       • Corporate - like Google Docs and Box
     • To smooth lengthy transition to the Cloud

  5. Different Kinds of Hybrid
     • Hybrid Search
       • Inbound Hybrid – Search On-Premises from O365
       • Outbound Hybrid – Search O365 from On-Premises
       • Results in Two Result Blocks
     • “Federated” Hybrid Search
       • New Name for Inbound/Outbound Hybrid Search
     • Cloud Hybrid Search
       • New Cloud Hybrid Search Service
       • After February 2016 CU for SharePoint 2013
       • Checkbox when creating a Search Service Application
       • Can be done with Two PowerShell Scripts
         • CreateCloudSSA.ps1 – same as Checkbox when creating SSA
         • Onboard-CloudHybridSearch.ps1 – hooks CloudSSA to Office 365

  6. Current Hybrid “Federated” Workloads
     • Inbound/Outbound Search
     • Redirected On-premises MySites/User Profiles
     • Inbound/Outbound Business Connectivity Services
     • Duet Enterprise Online
       • Access SAP on-premises from the cloud

  7. 2013 Hybrid search topology

  8. Demo 1: Viewing Hybrid Results

  9. “Federated” Outbound Search – Search the Cloud from On-premises

  10. Outbound Walkthrough – Four Steps to Configure Outbound Hybrid Search
     • Install Infrastructure Pre-Requisites
     • Synchronize Identities
     • Establish S2S Trust with Azure ACS
     • Configure SharePoint On-Premises Search

  11. Prerequisites
     • PowerShell access to SharePoint, O365, and Azure AD (Global/Farm Admin)
     • Synchronize Identity between AD and Azure AD
     • Add Corporate DNS Domain to Office 365
     • Service Applications to support security trimming and authentication
     • One or more Publicly accessible Certificate(s)
     • Active Directory Federation Services (ADFS) if using Server 2012 R2 proxy
     • On-Premises patched to May 2014 CU

  12. Infrastructure Prerequisites
     Required Software – Installed on SharePoint Server
     • Microsoft Online Services Sign-In Assistant
     • Azure Active Directory Module for Windows PowerShell
     • SharePoint Online Management Shell
     Custom Domain – Normally done by Identity team
     • AD domain name must be added to Office 365 and Verified

  13. Required Service Applications
     • Outbound (in On-premises)
       • App Management Service
       • Search Service
       • Subscription Settings Service
       • User Profile Service
     • Inbound (in O365)
       • Search Service
       • Secure Store
       • User Profile Service

  14. Identity Synchronization
     • Normally an Identity Management project
     • Several possible methods
       • DirSync - obsolete
       • Azure AD Sync - obsolete
       • Azure AD Connect
       • Forefront Identity Management (FIM) or Microsoft Identity Management (MIM)

  15. Establish S2S Trust
     • Uses Server to Server OAuth like high trust Apps
     • Replace the On-Premises STS Certificate
       • Self-Signed Cert – Demo or Dev
       • Public Cert - Production
     • Register the On-Premises STS as a Service Principal in Office 365
     • Establish a trust between the On-Premises farm and Azure ACS

  16. Establish S2S Trust – load modules, connect, and set variables
     # Load the SharePoint snap-in and the Office 365 / Azure AD modules
     Add-PSSnapin Microsoft.SharePoint.PowerShell
     Import-Module Microsoft.PowerShell.Utility
     Import-Module MSOnline -Force
     Import-Module MSOnlineExtended -Force
     Import-Module Microsoft.Online.SharePoint.PowerShell -Force
     Enable-PSRemoting
     New-PSSession
     # Connect to the tenant with a Global Administrator account
     $Credentials = Get-Credential
     Connect-MsolService -Credential $Credentials
     $RootDomain = "*.acmeman.com"
     $RootSite = Get-SPSite "http://hybridsp01.acmeman.com"
     $Site = Get-SPSite $RootSite
     $SPOAppId = "00000003-0000-0ff1-ce00-000000000000"   # well-known SharePoint Online app principal id
     $PFXCertificate = "C:\Install\stscert.pfx"            # STS signing certificate with private key
     $CERCertificate = "C:\Install\stscert.cer"            # public part of the same certificate
     $PFXCertificatePassword = "P@ssw0rd"                  # demo value; prompt for it rather than hard-coding it in production
     $SPOContextId = (Get-MsolCompanyInformation).ObjectID # tenant id, used as the on-premises realm later

  17. Replace the on-premises STS certificate
     #-- Setup On-prem STS Cert
     # 20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16)
     $STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PFXCertificate, $PFXCertificatePassword, 20
     Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $STSCertificate
     # certutil expects a file path, so pass the exported .cer rather than the certificate object
     certutil -addstore -enterprise -f -v root $CERCertificate
     iisreset
     NET STOP SPTimerV4
     NET START SPTimerV4
     #----- Convert Cert to BASE 64
     $STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PFXCertificate, $PFXCertificatePassword
     $PFXCertificateBin = $STSCertificate.GetRawCertData()
     $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
     $Certificate.Import($CERCertificate)
     $CERCertificateBin = $Certificate.GetRawCertData()
     # Base64 of the public certificate is what Office 365 stores as the service principal credential
     $CredentialValue = [System.Convert]::ToBase64String($CERCertificateBin)

  18. Register the STS with Office 365 and trust Azure ACS
     #------- Add SPO Principal
     # Register the public certificate as an asymmetric verification key on the SharePoint Online principal
     New-MsolServicePrincipalCredential -AppPrincipalId $SPOAppId -Type asymmetric -Usage Verify -Value $CredentialValue `
         -StartDate $Certificate.NotBefore -EndDate $Certificate.NotAfter
     $SharePoint = Get-MsolServicePrincipal -AppPrincipalId $SPOAppId
     $ServicePrincipalName = $SharePoint.ServicePrincipalNames
     $ServicePrincipalName.Add("$SPOAppId/$RootDomain")
     Set-MsolServicePrincipal -AppPrincipalId $SPOAppId -ServicePrincipalNames $ServicePrincipalName
     #-------- Setup On-Prem
     $SPOContextId = (Get-MsolCompanyInformation).ObjectID
     $metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $SPOContextId + "/metadata/json/1"
     $SPOAppPrincipalId = (Get-MsolServicePrincipal -ServicePrincipalName $SPOAppId).ObjectID
     $SPONameIdentifier = "$SPOAppPrincipalId@$SPOContextId"
     $AppPrincipal = Register-SPAppPrincipal -site $Site.RootWeb -nameIdentifier $SPONameIdentifier -displayName "SPOnline"
     #-------- Setup Azure ACS
     # The on-premises realm must equal the tenant id so tokens issued by ACS are accepted
     Set-SPAuthenticationRealm -realm $SPOContextId
     New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint `
         -DefaultProxyGroup
     New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"

  19. Potential Issues
     • User doesn’t have an email address
       • Can’t re-hydrate Identity for Security trimming
     • Can’t install Azure Active Directory Module for Windows PowerShell
       • Change version build number in Registry till after install – see http://tinyurl.com/hu5pj9c
     • On-Premises site is HTTP:// - must allow OAuthOverHttp
         $STSconfig = Get-SPSecurityTokenServiceConfig
         $STSconfig.AllowMetadataOverHttp = $true
         $STSconfig.AllowOAuthOverHttp = $true
         $STSconfig.Update()
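Added verification script for the trust built on slides 15 to 19 (it is not part of the deck): it checks that the farm realm is the tenant id, that the ACS issuer exists as a trust broker, that the STS signing certificate matches the key registered on the SharePoint Online service principal, and it flags the two OAuthOverHttp settings from this slide. It assumes the deck's variable values and an already established Connect-MsolService session.

```powershell
# Added example, not from the slides. Run in the SharePoint Management Shell on a farm server
# after Connect-MsolService. Variable values below are the deck's demo values (assumptions).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

$SPOAppId       = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint Online app principal id (slide 16)
$CERCertificate = "C:\Install\stscert.cer"                  # public part of the STS signing certificate

$problems = @()

# 1. The on-premises authentication realm must equal the tenant's ContextId (slide 18).
$tenantId = (Get-MsolCompanyInformation).ObjectId.ToString()
$realm    = Get-SPAuthenticationRealm
if ($realm -ne $tenantId) { $problems += "Realm '$realm' does not match tenant id '$tenantId'" }

# 2. A trusted token issuer named ACS must exist, act as trust broker, and point at this tenant.
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq "ACS" }
if (-not $issuer)                                     { $problems += "No trusted security token issuer named ACS" }
elseif (-not $issuer.IsTrustBroker)                   { $problems += "ACS issuer is not marked IsTrustBroker" }
elseif ($issuer.MetadataEndPoint -notmatch $tenantId) { $problems += "ACS metadata endpoint is not for tenant $tenantId" }

# 3. The certificate SharePoint signs with must be the one registered on the SPO service principal.
$local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CERCertificate
$sts   = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
if ($sts.Thumbprint -ne $local.Thumbprint)      { $problems += "STS signing cert is not $($local.Thumbprint)" }
if ($local.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "STS cert expires $($local.NotAfter); renew it and re-register the key" }
$localB64  = [Convert]::ToBase64String($local.GetRawCertData())
$cloudKeys = Get-MsolServicePrincipalCredential -AppPrincipalId $SPOAppId -ReturnKeyValues $true
$match     = $cloudKeys | Where-Object { $_.Type -eq "Asymmetric" -and $_.Value -eq $localB64 }
if (-not $match) { $problems += "SPO service principal has no asymmetric key matching the local STS cert" }

# 4. Settings from the Potential Issues slide that should be off once the site is on HTTPS,
#    because with them on, OAuth tokens and metadata can be exchanged in clear text.
$stsConfig = Get-SPSecurityTokenServiceConfig
if ($stsConfig.AllowOAuthOverHttp)    { $problems += "AllowOAuthOverHttp is enabled" }
if ($stsConfig.AllowMetadataOverHttp) { $problems += "AllowMetadataOverHttp is enabled" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Host "S2S trust checks passed" }
```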

  20. Configure on-premises Search
     • Create Custom Result Source
       • Protocol = Remote SharePoint
       • Remote Service URL = Address of Published Site on Reverse Proxy
       • Credentials = Default Authentication
     • Create Query Rule with Promoted Result Block
       • Context = All Sources
       • Result Block – Add Above other Results

  21. Demo 2: Configure Outbound Search

  22. Inbound Walkthrough – Three Steps to Configure Inbound Hybrid Search
     • Install Reverse Proxy
     • Configure Secure Store
     • Configure SharePoint On-Line Search

  23. Supported Reverse Proxies
     • Forefront Threat Management Gateway – Obsolete
     • Windows Server 2012 R2 Web Application Proxy – Free
       • Requires ADFS server
     • F5 Reverse Proxy Server
     • Cisco Reverse Proxy Server

  24. Configure the Server 2012 R2 Web Application Proxy
     #Configure Server 2012 r2 - WAP
     $ExternalUrl = "https://shpt.acmeman.com"
     $BackendUrl = "https://shpt.acmeman.com"
     $PFXCertificate = "C:\Install\stscert.pfx"
     #Get the thumbprint of the external URL certificate
     $externalcert = Get-PfxCertificate -FilePath $PFXCertificate
     #Get the thumbprint of the client pre-authentication certificate (the demo reuses the same PFX for both)
     $clientcert = Get-PfxCertificate -FilePath $PFXCertificate
     # Publish the site and require a client certificate before the request reaches SharePoint
     Add-WebApplicationProxyApplication -Name "Hybrid Inbound Rule" -BackendServerUrl $BackendUrl `
         -ExternalUrl $ExternalUrl -ExternalCertificateThumbprint $externalcert.Thumbprint `
         -ExternalPreauthentication "ClientCertificate" -ClientCertificatePreauthenticationThumbprint $clientcert.Thumbprint

  25. Secure Store
     • Group Target Application
     • Two Fields
       • Certificate
       • Certificate Password
     • Members
       • Everyone who will use Search

  26. Configure on-Line Search
     • Almost same configuration as On-premises
     • Create Custom Result Source
       • Protocol = Remote SharePoint
       • Remote Service URL = Address of Published Site on Reverse Proxy
       • Credentials = SSO Id set to AppId in Secure Store
     • Create Query Rule with Promoted Result Block
       • Context = All Sources
       • Result Block – Add Above other Results

  27. Demo 3: Configure Inbound Search

  28. Cloud search service – A unified Search experience

  29. Cloud Search Service Application
     • Crawl and parse on-premises content and then process and index it in Office 365
     • Content is encrypted while in transit from the on-premises crawler through to the content processing stages in Office 365
     • Search results from both on-premises and Office 365 content
     • Crawling configuration, including the Search service application, content sources, crawl rules etc. is carried out in the on-premises environment
     • Modification to search experiences, for example search schema changes, are performed at the Office 365 level
     • Much Easier in SharePoint 2016

  30. Getting started with cloud search
     Mandatory Configuration Steps
     • Sync users and groups to Azure AD
     • Create Cloud Search service Application (on-premises) – Create-CloudSSA.ps1
     • Install onboarding pre-requisites
     • Execute onboarding script – Onboard-CloudHybridSearch.ps1
     • Create on-premises content sources
     • Configure outbound query federation
     • Configure SharePoint Online search vertical
         New-SPEnterpriseSearchServiceApplication -Name "Cloud Search Service" -ApplicationPool "Cloud Search App Pool" -DatabaseServer "SomeDBAlias" -CloudIndex $true
         (Get-SPEnterpriseSearchServiceApplication).CloudIndex
         True
     Much Easier in SharePoint 2016!

  31. Demo 4: Configure Cloud Search Service

  32. Hybrid sites and onedrive – The total experience

  33. Hybrid Picker Overview
     • Currently only available to First Release tenants
     • Enables quick and easy server-to-server trust for hybrid scenarios
     • Requires Global Administrator rights in Office 365, and Farm Administrator rights in on-premises SharePoint Farm
     • Must be run from an on-premises SharePoint server
     • Invokes the “click to run” installer
     • Takes about 37 seconds
     • When done, only need to configure Secure Store Target Application appropriately

  34. So how do I pick hybrids?

  35. Hybrid OneDrive and Sites
     • On-Premises
       • Redirect OneDrive only
       • Redirect OneDrive and Sites
       • Stay On-premises
     • Limitations
       • No Synchronization of
         • Managed Metadata
         • Content Types
         • Followed Sites
         • Unified Social feed

  36. Additional Resources
     • SharePoint 2013 Cloud Hybrid PowerShell Scripts https://www.microsoft.com/en-us/download/details.aspx?id=51490
     • Bill Baer eBook http://hybrid.office.com/img/SharePoint_Book_2016.pdf
     • Full Walkthrough http://tinyurl.com/HybridHowTo
     • Hybrid Picker Article http://tinyurl.com/hybridPicker
     • Plan SharePoint Server 2013 hybrid http://tinyurl.com/hybridRoadmap
     • Hybrid Resources Center http://hybrid.office.com/

  37. Questions?
     Contact Information: Email: Paul.Stork@bluechip-llc.com; Blog: http://dontPaPanic.com/blog; Twitter: @PStork
