Building a Hybrid SharePoint Environment

Presentation on theme: "Building a Hybrid SharePoint Environment"— Presentation transcript:

1 Building a Hybrid SharePoint Environment
Buckeye SharePoint User’s Group June 16, 2016

2 Paul Papanek Stork
Principal SharePoint Architect, Blue Chip Consulting Group
SharePoint MVP for 8 years
SharePoint Microsoft Certified Master
Author: Developer's Guide to WSS 3.0; MOSS 2007 Best Practices; MCTS: WSS 3.0 Configuration Study Guide (70-631); SharePoint 2010 Development for Office 365
Microsoft Community Contributor: TechNet Forums, MSDN Forums, Yammer Groups
Contact Information: Blog (link not preserved in transcript); Twitter: @PStork

3 Agenda
Why Companies Need Hybrid?
Building Blocks for Original Hybrid Search
Inbound Hybrid Search
Outbound Hybrid Search
New Cloud Search Service Application
Redirecting MySites to OneDrive
Hybrid Picker

4 Why Hybrid?
To replace network Home shares with "Free" storage in OneDrive for Business
To access on-premises legacy data from the Cloud
To search Exchange Online from on-premises SharePoint
To move "commodity" workloads to the Cloud
To provide easier external sharing
To replace third-party file sharing: non-corporate (like OneDrive and Dropbox) and corporate (like Google Docs and Box)
To smooth a lengthy transition to the Cloud

5 Different Kinds of Hybrid
Hybrid Search
Inbound Hybrid – Search On-Premises from O365
Outbound Hybrid – Search O365 from On-Premises
Results in Two Result Blocks
"Federated" Hybrid Search – New Name for Inbound/Outbound Hybrid Search
Cloud Hybrid Search – New Cloud Hybrid Search Service
Available after the February 2016 CU for SharePoint 2013
Checkbox when creating a Search Service Application
Can be done with Two PowerShell Scripts:
CreateCloudSSA.ps1 – same as Checkbox when creating SSA
Onboard-CloudHybridSearch1.ps1 – hooks CloudSSA to Office 365

6 Current Hybrid "Federated" Workloads
Inbound/Outbound Search
Redirected On-premises MySites/User Profiles
Inbound/Outbound Business Connectivity Services
Duet Enterprise Online – Access SAP on-premises from the cloud

7 2013 Hybrid search topology

8 Demo1: Viewing Hybrid Results

9 “Federated” Outbound Search
Search the Cloud from On-premises

10 Outbound Walkthrough
Four Steps to Configure Outbound Hybrid Search:
Install Infrastructure Pre-Requisites
Synchronize Identities
Establish S2S Trust with Azure ACS
Configure SharePoint On-Premises Search

11 Prerequisites
PowerShell access to SharePoint, O365, and Azure AD (Global/Farm Admin)
Synchronize Identity between AD and Azure AD
Add Corporate DNS Domain to Office 365
Service Applications to support security trimming and authentication
One or more publicly accessible Certificate(s)
Active Directory Federation Services (ADFS) if using Server 2012 R2 proxy
On-Premises patched to May 2014 CU
Required SSL Certs:
Replacement for Security Token Service
SSL cert for Reverse Proxy
SSL cert for internal Web Application extended zone

12 Infrastructure Prerequisites
Required Software – Installed on SharePoint Server:
Microsoft Online Services Sign-In Assistant
Azure Active Directory Module for Windows PowerShell
SharePoint Online Management Shell
Custom Domain – Normally done by Identity team: AD domain name must be added to Office 365 and Verified

13 Required Service Applications
Outbound (in On-premises): App Management Service, Search Service, Subscription Settings Service, User Profile Service
Inbound (in O365): Secure Store

14 Identity Synchronization
Normally an Identity Management project
Several possible methods:
DirSync – obsolete
Azure AD Sync – obsolete
Azure AD Connect
Forefront Identity Management (FIM) or Microsoft Identity Management (MIM)

15 Establish S2S Trust
Uses Server-to-Server OAuth like high-trust Apps
Replace the On-Premises STS Certificate: Self-Signed Cert – Demo or Dev; Public Cert – Production
Register the On-Premises STS as a Service Principal in Office 365
Establish a trust between the On-Premises farm and Azure ACS

16 Add-PsSnapin Microsoft.SharePoint.PowerShell
Import-Module Microsoft.PowerShell.Utility
Import-Module MSOnline -Force
Import-Module MSOnlineExtended -Force
Import-Module Microsoft.Online.SharePoint.PowerShell -Force
Enable-PSRemoting
New-PSSession
$Credentials = Get-Credential
Connect-MsolService -Credential $Credentials
$RootDomain = "*.acmeman.com"
$RootSite = Get-SPSite "<root site URL>"   # URL not preserved in the transcript
$Site = Get-SPSite $RootSite
$SPOAppId = "<SharePoint Online app principal id>"   # only the fragment "ff1-ce" survives in the transcript
$PFXCertificate = "C:\Install\stscert.pfx"
$CERCertificate = "C:\Install\stscert.cer"
$PFXCertificatePassword = "<PFX password>"   # value not preserved in the transcript
$SPOContextId = (Get-MsolCompanyInformation).ObjectID

17 #-- Setup On-prem STS Cert
# 20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16)
$STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PFXCertificate, $PFXCertificatePassword, 20
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $STSCertificate
# certutil takes a file path, not the certificate object, so the exported .cer is added to the trusted root store
certutil -addstore -enterprise -f -v root $CERCertificate
iisreset
NET STOP SPTimerV4
NET START SPTimerV4
#----- Convert Cert to BASE 64
$STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PFXCertificate, $PFXCertificatePassword
$PFXCertificateBin = $STSCertificate.GetRawCertData()
$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$Certificate.Import($CERCertificate)
$CERCertificateBin = $Certificate.GetRawCertData()
$CredentialValue = [System.Convert]::ToBase64String($CERCertificateBin)

18 #------- Add SPO Principal
New-MsolServicePrincipalCredential -AppPrincipalId $SPOAppId -Type asymmetric -Usage Verify -Value $CredentialValue `
    -StartDate $Certificate.NotBefore -EndDate $Certificate.NotAfter
$SharePoint = Get-MsolServicePrincipal -AppPrincipalId $SPOAppId
$ServicePrincipalName = $SharePoint.ServicePrincipalNames
$ServicePrincipalName.Add("$SPOAppId/$RootDomain")
Set-MsolServicePrincipal -AppPrincipalId $SPOAppId -ServicePrincipalNames $ServicePrincipalName
# Setup On-Prem
$SPOContextId = (Get-MsolCompanyInformation).ObjectID
$metadataEndpoint = "<ACS metadata base URL>" + $SPOContextId + "/metadata/json/1"   # base URL not preserved in the transcript
$SPOAppPrincipalId = (Get-MsolServicePrincipal -ServicePrincipalName $SPOAppId).ObjectID
$SPONameIdentifier = "<SPO name identifier>"   # value not preserved in the transcript
$AppPrincipal = Register-SPAppPrincipal -Site $Site.RootWeb -NameIdentifier $SPONameIdentifier -DisplayName "SPOnline"
# Setup Azure ACS
Set-SPAuthenticationRealm -Realm $SPOContextId
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint `
    -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"

19 Potential Issues
User doesn't have an email address – can't re-hydrate identity for security trimming
Can't install Azure Active Directory Module for Windows PowerShell – change version build number in Registry till after install (see reference; link not preserved in transcript)
On-premises site is served over HTTP – must allow OAuthOverHttp:
$STSconfig = Get-SPSecurityTokenServiceConfig
$STSconfig.AllowMetadataOverHttp = $true
$STSconfig.AllowOAuthOverHttp = $true
$STSconfig.Update()
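A post-configuration check for the trust built in slides 15 to 18 and the workarounds on slide 19, added here as an example and not part of the presentation. It assumes the SharePoint snap-in and MSOnline module are loaded, Connect-MsolService has already run, and that $SPOAppId and $RootDomain hold the same values the deck's script uses; the function name Test-HybridS2STrust is hypothetical.

```powershell
# Added example: verify the S2S trust and flag settings that should not survive into production.
function Test-HybridS2STrust {
    param(
        [Parameter(Mandatory)] [string] $SPOAppId,    # SharePoint Online app principal id from slide 16
        [Parameter(Mandatory)] [string] $RootDomain,  # e.g. "*.acmeman.com" as on slide 16
        [int] $MinCertDaysLeft = 30
    )
    $findings = @()

    # 1. STS signing certificate (slide 17): not expiring soon, and not self-signed outside demo/dev.
    $sts  = Get-SPSecurityTokenServiceConfig
    $cert = $sts.LocalLoginProvider.SigningCertificate
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $MinCertDaysLeft) { $findings += "STS signing cert $($cert.Thumbprint) expires in $daysLeft days" }
    if ($cert.Subject -eq $cert.Issuer)  { $findings += "STS signing cert looks self-signed (slide 15 reserves that for demo/dev)" }

    # 2. HTTP fallbacks from slide 19: with them on, OAuth tokens and metadata travel in clear text.
    if ($sts.AllowOAuthOverHttp)    { $findings += "AllowOAuthOverHttp is enabled" }
    if ($sts.AllowMetadataOverHttp) { $findings += "AllowMetadataOverHttp is enabled" }

    # 3. Realm must equal the tenant context id and ACS must be registered as trust broker (slide 18).
    $realm  = [string](Get-SPAuthenticationRealm)
    $tenant = [string](Get-MsolCompanyInformation).ObjectId
    if ($realm -ne $tenant) { $findings += "Authentication realm $realm does not match tenant $tenant" }
    $broker = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.IsTrustBroker }
    if (-not $broker) { $findings += "No trust-broker token issuer (ACS) is registered in the farm" }

    # 4. Office 365 side (slide 18): SPN for the corporate domain present, Verify credential still valid.
    $sp  = Get-MsolServicePrincipal -AppPrincipalId $SPOAppId
    $spn = "$SPOAppId/$RootDomain"
    if ($sp.ServicePrincipalNames -notcontains $spn) { $findings += "SPN $spn is missing on the SPO service principal" }
    $keys = Get-MsolServicePrincipalCredential -AppPrincipalId $SPOAppId -ReturnKeyValues $false
    $live = $keys | Where-Object { $_.Usage -eq 'Verify' -and $_.EndDate -gt (Get-Date) }
    if (-not $live) { $findings += "No unexpired Verify credential on the SPO principal; on-prem tokens will be rejected" }

    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings }
}

Test-HybridS2STrust -SPOAppId $SPOAppId -RootDomain $RootDomain | Format-List
```

Run it from the same elevated SharePoint Management Shell used for slides 16 to 18; an empty Findings list means the trust matches what the deck configures.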

20 Configure on-premises Search
Create Custom Result Source:
Protocol = Remote SharePoint
Remote Service URL = Address of Published Site on Reverse Proxy
Credentials = Default Authentication
Create Query Rule with Promoted Result Block:
Context = All Sources
Result Block – Add Above other Results

21 Demo 2: Configure Outbound Search

22 Inbound Walkthrough
Three Steps to Configure Inbound Hybrid Search:
Install Reverse Proxy
Configure Secure Store
Configure SharePoint Online Search

23 Supported Reverse Proxies
Forefront Threat Management Gateway – Obsolete
Windows Server 2012 R2 Web Application Proxy – Free; requires ADFS server
F5 Reverse Proxy Server
Cisco Reverse Proxy Server

24 #Configure Server 2012 R2 - WAP
$ExternalUrl = "https://shpt.acmeman..."   # truncated in the transcript
$BackendUrl  = "<internal SharePoint URL>"   # value not preserved in the transcript
$PFXCertificate = "C:\Install\stscert.pfx"
#Get the thumbprint of the external URL certificate
$externalcert = Get-PfxCertificate -FilePath $PFXCertificate
#Get the thumbprint of the client pre-authentication certificate
$clientcert = Get-PfxCertificate -FilePath $PFXCertificate
Add-WebApplicationProxyApplication -Name "Hybrid Inbound Rule" -BackendServerUrl $BackendUrl `
    -ExternalUrl $ExternalUrl -ExternalCertificateThumbprint $externalcert.Thumbprint `
    -ExternalPreauthentication "ClientCertificate" -ClientCertificatePreauthenticationThumbprint $clientcert.Thumbprint
If the external and backend URLs are different, enable URL translation, which is disabled by default:
Get-WebApplicationProxyApplication | Format-Table ID, Name, ExternalURL
Set-WebApplicationProxyApplication -ID <application_ID> -DisableTranslateUrlInRequestHeaders:$false

25 Secure Store
Group Target Application
Two Fields: Certificate, Certificate Password
Members: Everyone who will use Search

26 Configure Online Search
Almost the same configuration as On-premises
Create Custom Result Source:
Protocol = Remote SharePoint
Remote Service URL = Address of Published Site on Reverse Proxy
Credentials = SSO Id set to AppId in Secure Store
Create Query Rule with Promoted Result Block:
Context = All Sources
Result Block – Add Above other Results

27 Demo 3: Configure Inbound Search

28 Cloud search service
A unified Search experience

29 Cloud Search Service Application
Crawl and parse on-premises content, then process and index it in Office 365
Content is encrypted while in transit from the on-premises crawler through to the content processing stages in Office 365
Search results from both on-premises and Office 365 content
Crawling configuration, including the Search service application, content sources, crawl rules etc., is carried out in the on-premises environment
Modifications to search experiences, for example search schema changes, are performed at the Office 365 level
Much Easier in SharePoint 2016

30 Getting started with cloud search
Mandatory Configuration Steps:
Sync users and groups to Azure AD
Create Cloud Search Service Application (on-premises) – Create-CloudSSA.ps1
Install onboarding pre-requisites
Execute onboarding script – Onboard-CloudHybridSearch.ps1
Create on-premises content sources
Configure outbound query federation
Configure SharePoint Online search vertical
New-SPEnterpriseSearchServiceApplication -Name "Cloud Search Service" -ApplicationPool "Cloud Search App Pool" -DatabaseServer "SomeDBAlias" -CloudIndex $true
(Get-SPEnterpriseSearchServiceApplication).CloudIndex
True
Much Easier in SharePoint 2016!

31 Demo 4: Configure Cloud Search Service

32 Hybrid sites and onedrive
The total experience

33 Hybrid Picker Overview
Currently only available to First Release tenants
Enables quick and easy server-to-server trust for hybrid scenarios
Requires Global Administrator rights in Office 365 and Farm Administrator rights in the on-premises SharePoint Farm
Must be run from an on-premises SharePoint server
Invokes the "click to run" installer
Takes about 37 seconds
When done, only need to configure the Secure Store Target Application appropriately

34 So how do I pick hybrids?

35 Hybrid OneDrive and Sites
On-Premises options: Redirect OneDrive only; Redirect OneDrive and Sites; Stay On-premises
Limitations – No Synchronization of: Managed Metadata, Content Types, Followed Sites, Unified Social feed

36 Additional Resources
SharePoint 2013 Cloud Hybrid PowerShell Scripts
Bill Baer eBook – Full Walkthrough
Hybrid Picker Article
Plan SharePoint Server 2013 hybrid
Hybrid Resources Center

37 Questions?
Contact Information: Blog (link not preserved in transcript)
