Archive for the ‘Authentication’ Category

Sharepoint 365 Initial Talking Points

Thursday, July 31st, 2014

V: 1.0

With Office 365, Microsoft introduced SharePoint Online, also known as SharePoint 365. I have recently been going through a lot of material on it, and I put together a few initial talking points to give you a good start with SharePoint in Office 365.

There are many things to consider when thinking of migration:

  • User experience
  • Identity management
  • Data Security
  • Feature set
  • Integration with internal systems
  • Even how you budget your dollars for next year

Suggestions:

  1. Role Based Access Control
  2. Two Factor Authentication
  3. Combine Search results from On-Premise and Office 365 SharePoint
  4. Multiple Authentication Options

a. MS Online ID. Example: faisal.masood@softvative.onmicrosoft.com
b. MS-assigned Org ID with AD login. Example: ADDomain\fmasood
c. MS-assigned Org ID with ADFS login. Example: faisal.masood@softvative.onmicrosoft.com accessing a partner organization’s resources

AD Integration Options:

a. Directory Sync only: DirSync. Runs every 3 hours and uses SQL Express for fewer than 50K AD objects; for more objects, use full SQL Server. No full SSO or 2FA.
b. Directory Sync and SSO: suited for large organizations. Needs HA for ADFS. 2FA is possible. Identities are managed on-premises.

AD Integration Requirements:

a. Requires the AD forest at the 2003 functional level
b. Use the x64 DirSync tool; the 32-bit version is deprecated
c. For ADFS, set up a Windows Server 2008 or 2012 server (it can be virtual)
d. The DirSync tool can be set up with one-way or two-way sync. Two-way sync is required for hybrid scenarios and can’t be switched back to one-way.
e. Use the Office 365 Deployment Readiness Tool to check your on-premises AD
f. Keep the AD DC, ADFS and DirSync on separate servers

Reference Links:

1. Steps to configure Single Sign On for Office 365
http://blogs.msdn.com/b/sharepoint__cloud/archive/2011/12/07/steps-to-configure-single-sign-in-for-office-365.aspx

2. Using multiple federated domains in Office 365 with Okta
https://community.okta.com/docs/DOC-1266

3. Microsoft Office 365 Deployment Readiness Tool
https://technet.microsoft.com/en-us/library/hh852475.aspx

4. ADFS with Office 365

5. Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0
http://support.microsoft.com/kb/2607496

6. Support for Multiple Top Level Domains
https://support.microsoft.com/en-us/help/2797939/supportmultipledomain-switch–when-managing-sso-to-office-365

7. 10 things you should know about Office 365 before signing up
http://www.bfcnetworks.com/blogs/alexpearce/10-things-you-should-know-about-office-365-before-signing-up/

8. Use third-party identity providers to implement single sign-on
http://technet.microsoft.com/en-us/library/jj679342.aspx

9. How To Install ADFS 2012 R2 For Office 365
http://blogs.technet.com/b/rmilne/archive/2014/04/28/how-to-install-adfs-2012-r2-for-office-365.aspx

10. Remote Authentication in SharePoint Online Using Claims-Based Authentication
http://msdn.microsoft.com/en-us/library/hh147177.aspx

11. Ignite Office 365

12. SharePoint Online Service Description
https://technet.microsoft.com/en-us/library/jj819267.aspx

13. Multi-Factor Authentication for Office 365
http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/


SharePoint 2010 Kerberos Delegation

Monday, May 5th, 2014

Kerberos Delegation   Can Cross Domain Boundary   Can Cross Forest Boundary
Basic                 Yes                         No
Constrained           No                          No

Note: keep SharePoint and the external data source in the same Active Directory domain.

SharePoint Service Application      Kerberos Delegation Type
Excel Services                      Constrained Delegation
PerformancePoint Services           Constrained Delegation
InfoPath Forms Services             Constrained Delegation
Visio Services                      Constrained Delegation
BDC / BCS                           Basic or Constrained Delegation
Access Services                     Basic or Constrained Delegation
SQL Reporting Services (SSRS)       Basic or Constrained Delegation
MS Project Server                   Basic or Constrained Delegation

Note:
1. The Kerberos delegation method can only change from basic to constrained (never from constrained back to basic) as the identity travels from service to service.
2. Services require translation of claims-based credentials to Windows credentials. This translation is performed by the Claims to Windows Token Service (C2WTS).
3. C2WTS must use constrained delegation.

Excerpt from:

Configuring Kerberos Authentication for SharePoint 2010 Products
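The following PowerShell is an added example; it is not part of the original post or of the Microsoft document excerpted above. It audits which Active Directory accounts hold basic (unconstrained) delegation versus constrained delegation, so you can find services that should be tightened per the table above, and it shows how to apply the constrained delegation with protocol transition that note 3 requires for the C2WTS service account. It assumes the RSAT ActiveDirectory module; the service account name and target SPN are hypothetical placeholders.

```powershell
# Added example (not from the original post or the Microsoft document it excerpts).
# Requires the RSAT ActiveDirectory module and rights to read/modify the target accounts.
Import-Module ActiveDirectory

# Documented userAccountControl flag values.
$TRUSTED_FOR_DELEGATION         = 0x80000    # basic / unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

function Get-DelegationReport {
    # Accounts allowed to delegate to any service (basic). Domain controllers legitimately
    # carry this flag; any other account on this list should be justified or converted
    # to constrained delegation, because a forwarded identity can be reused against any service.
    $basic = Get-ADObject `
        -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" `
        -Properties sAMAccountName, objectClass

    # Accounts with constrained delegation: msDS-AllowedToDelegateTo lists the only SPNs
    # they may forward an identity to.
    $constrained = Get-ADObject `
        -LDAPFilter "(msDS-AllowedToDelegateTo=*)" `
        -Properties sAMAccountName, objectClass, 'msDS-AllowedToDelegateTo', userAccountControl

    foreach ($a in $basic) {
        [pscustomobject]@{
            Account = $a.sAMAccountName
            Class   = $a.objectClass
            Type    = 'Basic (unconstrained)'
            Targets = '*'
        }
    }
    foreach ($a in $constrained) {
        # Protocol transition set: the service may obtain a ticket for a user without
        # having received a Kerberos ticket from that user (what C2WTS needs).
        $pt = ($a.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        [pscustomobject]@{
            Account = $a.sAMAccountName
            Class   = $a.objectClass
            Type    = if ($pt) { 'Constrained + protocol transition' } else { 'Constrained (Kerberos only)' }
            Targets = ($a.'msDS-AllowedToDelegateTo' -join ', ')
        }
    }
}

function Set-C2wtsConstrainedDelegation {
    param(
        # Hypothetical service account running C2WTS, e.g. 'svc_c2wts'.
        [Parameter(Mandatory)][string]$ServiceAccount,
        # Hypothetical back-end SPNs, e.g. 'MSSQLSvc/sql01.corp.example:1433'.
        [Parameter(Mandatory)][string[]]$TargetSpn
    )
    # C2WTS starts from a claims identity rather than a Kerberos ticket, so it needs
    # protocol transition ("use any authentication protocol" in the ADUC Delegation tab).
    Set-ADAccountControl -Identity $ServiceAccount -TrustedToAuthForDelegation $true
    # Replace, not Add: the allowed-target list should contain exactly the SPNs the
    # service application needs and nothing inherited from earlier experiments.
    Set-ADUser -Identity $ServiceAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
}

# Review the current state before and after changing any account.
Get-DelegationReport | Sort-Object Type, Account | Format-Table -AutoSize
```

Run the report first and keep it as a baseline; after configuring the C2WTS account with Set-C2wtsConstrainedDelegation, the account should appear under "Constrained + protocol transition" with only the SPNs you passed in, and should never appear in the "Basic (unconstrained)" list.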