
SharePoint External Access


Presentation Transcript


  1. GOPAS TechEd 2012 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | SharePoint External Access

  2. Designing Secure SharePoint External Access Motivation

  3. Why
      • Enable internal users to access from outside
      • Share portal access with business partners

  4. How
      • Forefront Threat Management Gateway
      • Forefront Unified Access Gateway

  5. Challenges
      • Secure authenticated access
      • Smooth document access from Office applications
      • Repeated password prompts
      • Endpoint compliance
      • Intrusion prevention

  6. Designing Secure SharePoint External Access Authentication Overview

  7. SharePoint Authentication
      • Classic Mode Authentication
        • NTLM or Kerberos
      • Claims Based Authentication
        • NTLM or Kerberos
        • Basic
        • ASP.NET Forms
        • Active Directory Federation Services

  8. SharePoint Authentication

  9. Extending Web Applications [diagram labels: LAN; WFE; Web Application; Content DB; .PDF/.DOC; Kerberos; Intranet Web Site http://intranet; Internet Visitors (READ); Forms; Extranet Web Site https://extranet.idtt.com; AD LDAP]

  10. Extending Web Applications
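The diagram on slide 9 shows one web application serving two zones: the intranet URL with Kerberos and an extranet URL with Forms authentication backed by LDAP. The following SharePoint 2010 Management Shell script is an added example (not from the deck) of performing that extension. It assumes the web application at http://intranet already exists and was created in claims mode (a zone cannot mix classic and claims authentication), and that the provider names "LdapMembership" and "LdapRole" are placeholders you have registered in the web.config of the web application, the Security Token Service and Central Administration, which these cmdlets do not do for you.

```powershell
# Added example (not from the deck): extend the intranet web application
# into an Extranet zone using Forms authentication against an LDAP
# membership provider, leaving Kerberos in place for the intranet zone.
# Assumed/placeholder values: provider names "LdapMembership"/"LdapRole",
# host name extranet.idtt.com (taken from the slide diagram).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication -Identity "http://intranet"

# Claims provider for the Extranet zone: Forms only, no Windows authentication,
# so external visitors never receive an NTLM or Basic prompt from the farm itself.
$formsProvider = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider "LdapMembership" `
    -ASPNETRoleProviderName   "LdapRole"

New-SPWebApplicationExtension -Identity $webApp `
    -Name "Extranet Web Site" `
    -Zone Extranet `
    -URL "https://extranet.idtt.com" `
    -Port 443 `
    -HostHeader "extranet.idtt.com" `
    -SecureSocketsLayer `
    -AuthenticationProvider $formsProvider

# Verification: list every zone with the authentication it now uses. The
# Default zone should report Windows (Kerberos), the Extranet zone Forms.
$webApp = Get-SPWebApplication -Identity "http://intranet"
foreach ($zone in $webApp.IisSettings.Keys) {
    $settings = $webApp.IisSettings[$zone]
    "{0,-10} {1,-25} Claims:{2} Forms:{3} Windows:{4}" -f $zone,
        $settings.ServerComment,
        $settings.UseClaimsAuthentication,
        $settings.UseFormsClaimsAuthenticationProvider,
        $settings.UseWindowsClaimsAuthenticationProvider
}
```

The SSL binding itself (the public certificate on the farm, or on the TMG/UAG listener when SSL is offloaded there) is configured in IIS or on the gateway, not by the extension cmdlet.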

  11. Designing Secure SharePoint External Access Windows Authentication

  12. SharePoint Authentication
      • External access for internal users
        • Basic
        • NTLM (no SSO)
        • Kerberos (only on intranet)
        • SSL client certificates
      • Not suitable for external users
        • accounts in AD
        • possibly other access

  13. SharePoint Authentication for Internal Users
      • Basic
        • plaintext password
        • works from internet
        • no SSO
      • NTLM
        • less secure, MD5
        • performance problems at 200 +/- users per WFE
        • no SSO
      • Kerberos
        • secure, mutual authentication, AES, smart cards
        • faster, smoother
        • intranet only
      • SSL Client Certificates
        • the most secure, mutual authentication
        • SSO from outside

  14. Internal Users Authentication

  15. Basic Authentication with Port Forwarding

  16. Basic Authentication with Port Forwarding
      • Simplest to deploy
      • Less secure direct access to the farm
      • Must use public certificates on the farm
      • NTLM would require custom IE configuration and has performance problems

  17. Basic Authentication with TMG Inspection

  18. Basic Authentication with TMG Inspection
      • Authenticates users at the gateway level
        • Forms authentication (cookies)
        • Basic authentication
      • Inspects clear HTTP
        • plus URL filters etc.
        • intrusion prevention signatures
      • Automatically forwards the basic credentials
      • Offloads SSL encryption
        • or hides the internal certificates on the farm

  19. TMG and Forms Authentication

  20. TMG Inspection with Kerberos Delegation

  21. TMG Inspection with Kerberos Delegation
      • SSO or smart cards and tokens
      • No Basic authentication on the internal part
      • SharePoint “developers” do not receive your full password
      • Mutual authentication with client certificate
      • No password guessing

  22. UAG Inspection with Kerberos Delegation

  23. UAG Inspection with Kerberos Delegation
      • TMG features plus
        • Predefined URL and application inspections
        • User portal access
        • Endpoint policies and compliance

  24. UAG Portal and Forms Authentication

  25. Windows Authentication Recap
      • Deploy UAG with certificate logon and Kerberos Constrained Delegation, enforce endpoint compliance
      • TMG can also authenticate certificates and/or use Kerberos
      • Basic authentication is the most simple, but gives too much freedom to users and SharePoint “administrators”
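Slides 20 to 25 recommend that the gateway (TMG or UAG) authenticate the user with a certificate or forms logon and then reach the farm with Kerberos Constrained Delegation. Because the gateway never receives a Kerberos ticket from the external client, it needs protocol transition (S4U2Self) in addition to constrained delegation (S4U2Proxy). The script below is an added example, not from the deck, of the Active Directory side of that setup using the ActiveDirectory module and setspn. The domain idtt.com, the gateway computer name UAG01 and the application pool account sp-apppool are placeholders; "intranet" is the site name from the slide diagram.

```powershell
# Added example (not from the deck): AD preparation for a TMG/UAG gateway that
# pre-authenticates users and uses Kerberos Constrained Delegation with
# protocol transition to SharePoint. Placeholders: domain idtt, gateway
# computer UAG01, application pool account sp-apppool.
Import-Module ActiveDirectory

$domainNetbios   = "idtt"
$gatewayComputer = "UAG01"
$appPoolAccount  = "sp-apppool"
$sharePointSpns  = @("HTTP/intranet", "HTTP/intranet.idtt.com")

# 1. Register the SharePoint SPNs on the application pool account. Without
#    them Kerberos to the farm does not work and the gateway has nothing to
#    delegate to. setspn -S checks for duplicate SPNs before adding.
foreach ($spn in $sharePointSpns) {
    setspn -S $spn "$domainNetbios\$appPoolAccount"
}

# 2. Protocol transition: allow the gateway to obtain a service ticket on
#    behalf of a user it authenticated by certificate or forms logon.
$gateway = Get-ADComputer -Identity $gatewayComputer
Set-ADAccountControl -Identity $gateway -TrustedToAuthForDelegation $true

# 3. Constrain the delegation to the SharePoint SPNs only. The gateway can
#    then impersonate users towards SharePoint and nothing else.
Set-ADComputer -Identity $gateway -Add @{ 'msDS-AllowedToDelegateTo' = $sharePointSpns }

# 4. Verify the result; the list should contain exactly the SharePoint SPNs.
Get-ADComputer -Identity $gatewayComputer `
    -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 5. Periodic review: every account permitted to do protocol transition is a
#    high-value account, so list them and confirm each one is a known gateway.
Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=16777216)" `
    -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The LDAP filter in step 5 matches the TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) of userAccountControl. On the TMG/UAG side the published rule must use the same SPN string in its Kerberos delegation setting, and the SharePoint web application must keep Kerberos (not NTLM) enabled on the zone the gateway talks to.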

  26. Designing Secure SharePoint External Access SharePoint 2010 Forms Authentication

  27. SharePoint Forms Authentication
      • No SSO
      • Separate accounts for external users
        • AD LDS, SQL DB, XML text file, ...
      • You manage the account database
        • create accounts
        • reset passwords

  28. AD LDS
      • Active Directory Lightweight Directory Services
      • Standalone LDAP/S server
      • Part of Windows Server 2008 and newer
        • previously free download ADAM
      • Installs on Windows 7 as well
      • Managed manually using ADSI Edit
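Slides 27 and 28 point out that with AD LDS you run the account database yourself, creating accounts and resetting passwords by hand in ADSI Edit. The same operations can be scripted through ADSI, which is what the following added example (not from the deck) does for one partner account. It assumes an AD LDS instance on ldsserver.idtt.com listening on LDAPS port 636 with the user class imported (MS-User.ldf) and an application partition CN=Partners,DC=idtt,DC=com; all of these names are placeholders. The LDAPS port matters: AD LDS refuses password operations over an unencrypted connection unless that protection is deliberately switched off with dsmgmt.

```powershell
# Added example (not from the deck): create, enable and test an external
# partner account in AD LDS over LDAPS. Placeholders: ldsserver.idtt.com,
# partition CN=Partners,DC=idtt,DC=com, account partner1.
$ldsServer   = "ldsserver.idtt.com:636"
$partition   = "CN=Partners,DC=idtt,DC=com"
$usersPath   = "LDAP://$ldsServer/OU=Users,$partition"
$loginName   = "partner1"
$upn         = "$loginName@partners.idtt.com"
$securePass  = Read-Host -AsSecureString "Initial password for $loginName"

# Create the object. AD LDS accounts are created disabled, and the LDAP
# membership provider later looks users up by userPrincipalName.
$container = [ADSI]$usersPath
$user = $container.Create("user", "CN=$loginName")
$user.Put("userPrincipalName", $upn)
$user.Put("displayName", "Partner One (constructed sample)")
$user.Put("mail", "partner1@partner.example")
$user.SetInfo()

# Set the password (SetPassword is the ADSI method; requires the LDAPS bind)
# and enable the account. msDS-UserAccountDisabled is the AD LDS equivalent
# of the ACCOUNTDISABLE flag in userAccountControl.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$user.Invoke("SetPassword", $plain)
$user.Put("msDS-UserAccountDisabled", $false)
$user.SetInfo()

# Test the credentials the way the membership provider will: a simple bind
# over SSL as the new user. Reading a property forces the bind; it throws on
# wrong password, disabled account or an untrusted server certificate.
$bind = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$ldsServer/$partition", $upn, $plain,
    [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)
$null = $bind.distinguishedName
$plain = $null
"Account $upn created, enabled and bind test succeeded."
```

To reset a password later, bind as an administrator of the instance, fetch the object with `[ADSI]"LDAP://$ldsServer/CN=partner1,OU=Users,$partition"` and call `Invoke("SetPassword", ...)` again; disabling a departed partner is `Put("msDS-UserAccountDisabled", $true)` followed by `SetInfo()`.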

  29. AD LDS User Accounts

  30. AD LDS Authentication with Port Forwarding

  31. AD LDS Authentication with UAG Inspection

  32. AD LDS with UAG and Certificates

  33. AD LDS Authentication with UAG Inspection
      • Pre-authenticates users at the gateway level
        • double login prompt or certificates
      • Predefined set of URL and application inspections
      • User portal access
      • Endpoint policies and compliance

  34. Designing Secure SharePoint External Access Active Directory Federation Services

  35. AD FS
      • HTTPS/XML authentication protocol
      • Replacement for AD trusts
      • Free download
        • RTW – released to web
      • Accounts managed by Account Partner
      • Resource Partner just accepts identity claims
      • Requires a level of management on the Account Partner side
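Slide 35 describes the Resource Partner as the side that merely accepts identity claims issued by the Account Partner's AD FS. In SharePoint 2010 that acceptance is expressed as a trusted identity token issuer. The following added example (not from the deck) registers one and puts it on the Extranet zone of the web application. The AD FS sign-in URL https://adfs.partner.example/adfs/ls/, the exported token-signing certificate C:\certs\adfs-signing.cer and the realm urn:sharepoint:extranet are placeholders that must match the relying party trust configured on the partner's AD FS.

```powershell
# Added example (not from the deck): make a SharePoint 2010 farm a Resource
# Partner for an external AD FS (the Account Partner). Placeholders: AD FS
# sign-in URL, token-signing certificate path, realm identifier.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$signingCertPath = "C:\certs\adfs-signing.cer"
$adfsSignInUrl   = "https://adfs.partner.example/adfs/ls/"
$realm           = "urn:sharepoint:extranet"

$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCertPath)

# The farm only accepts tokens signed by a certificate it trusts. Only the
# partner's token-signing certificate is trusted here, not a whole CA.
New-SPTrustedRootAuthority -Name "Partner AD FS token signing" -Certificate $signingCert

# Claims the Account Partner issues and the farm is willing to consume.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" `
    -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" `
    -SameAsIncoming

# The e-mail claim identifies the user; role claims can be used to grant
# permissions to whole partner groups without knowing individual accounts.
$issuer = New-SPTrustedIdentityTokenIssuer `
    -Name "Partner AD FS" `
    -Description "Account Partner federation (added example)" `
    -Realm $realm `
    -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl $adfsSignInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# Switch the Extranet zone of the existing claims-mode web application to
# this issuer (replacing, for example, a Forms/AD LDS provider).
$webApp   = Get-SPWebApplication -Identity "http://intranet"
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webApp -Zone Extranet -AuthenticationProvider $provider

# Verification: the issuer should show the identifier claim and both mapped types.
Get-SPTrustedIdentityTokenIssuer -Identity "Partner AD FS" |
    Select-Object Name, IdentifierClaim, @{ n = 'Claims'; e = { $_.ClaimTypes -join ', ' } }
```

Two practical consequences follow from slide 35's division of responsibility: the farm never sees partner passwords, so there is nothing to reset locally, but it also cannot validate a name typed into the people picker against the partner directory, so permissions are best granted on role claims agreed with the Account Partner. When the partner rolls its token-signing certificate, the trust must be updated with the new certificate or every partner logon fails.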

  36. AD FS Principles

  37. AD FS Principles

  38. AD FS Principles

  39. Designing Secure SharePoint External Access Takeaway

  40. Takeaway
      • Use certificates and/or Kerberos for internal users
      • Use AD LDS for external partners without AD FS
      • Use AD FS for larger external partners who do want to manage their own accounts

  41. GOPAS TechEd 2012 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | Thank you!
