SharePoint 2013: ADFS and Custom People Picker
In part with:
By
Tim Tait
Pat Manning
John Wannemacher
Report Submitted
In Partial Fulfillment of the Requirements for
The Degree of Bachelor of Science
In Information Technology
At the University of Cincinnati
College of Education, Criminal Justice, and Human Services
© Copyright 2014 Tim Tait, Pat Manning, John Wannemacher
Students: Tim Tait, Pat Manning, John Wannemacher
Advisor(s): Mark Stockman
Great American Project Lead: Cherie Shroyer-Matchan
Acknowledgements
We would like to thank everyone who assisted in making this project possible. Without them this project would not have been possible. All contributions led to the successful completion of this project.
Special thanks go out to Jason Gerst for his assistance with the CECH Sandbox Environment and troubleshooting all issues we encountered.
Special thanks go out to Chris Toelke, who provided a vast amount of technical knowledge during the development of our project. Without his help we would not have been able to get through some of the issues we encountered.
Finally, we would like to formally thank Great American Insurance Group for providing us the opportunity to work on this project and for providing resources we could utilize during the process. Special thanks go to Justin Runevitch, Cherie Shroyer-Matchan, and Kinu Patel for their assistance during the project.
Abstract
This project provided Great American Insurance with a consultative study for implementing SharePoint 2013. Great American Insurance has 27 different business units in its Property and Casualty division. These business units do not always centralize their IT services within GA, in order to keep their independence from the corporation. This business strategy is not uncommon, but it makes administration and support of services more difficult. This study provides recommendations around best practices for SharePoint 2013, a project plan/work breakdown structure, and a live demo Proof of Concept. Our PoC and recommendation explain the benefits of ADFS and its integration with MS Office. A unified user experience, easier server-side and site administration, and more functionality in their SharePoint environment were the results of this study.
Table of Contents
Acknowledgements ... i
Abstract ... ii
Introduction ... 1
Problem Statement ... 1
Description of the Solution ... 2
Design Protocols ... 3
Deliverables ... 13
Project Planning ... 14
Budget ... 14
Timeline ... 15
Deliverables for Great American Insurance ... 16
Software Used ... 19
Hardware Specifications ... 19
Proof of Design ... 20
Testing ... 21
Conclusion ... 26
List of Figures ... 28
References ... 29
Introduction
Problem Statement
Great American Insurance was in need of an overhaul to their SharePoint environment. The goal was to upgrade the current 2010 infrastructure to the newest 2013 SharePoint platform. As a result of this upgrade, Great American wanted to implement new features of SharePoint to streamline the business. A unified and friendly login experience was needed across their 27 business units, which are spread over a number of domains. A single login URL was also requested to unify the login experience. The reason for the change was that the number of login sites was causing issues, which this project remediated. Overall, users will be provided a consistent and cohesive experience no matter where they are within the company.
Great American also wanted the ability to add new businesses and remove old ones more efficiently. Their previous setup was not ideal at provisioning resources; this was solved by deploying Active Directory Federation Services (ADFS). ADFS gives the business single sign-on access to systems and applications located across the entire organization. Under their previous architecture, Great American was leveraging both CA Technologies SiteMinder® and Active Directory. To meet all the business requirements, ADFS must be provisioned in the recommended SharePoint environment. Another problem addressed while setting up ADFS within the SharePoint environment was not having the ability to search users, groups, and claims when a site owner needs to assign permissions in SharePoint 2013. By implementing and configuring a custom People Picker we were able to provide Great American with the ability to search users, groups, and claims. Some custom code was written for this function to operate the way Great American needed. The ability to incorporate SAML with the People Picker was a must, as well as having the code return the preferred attributes, so everyone will have a positive and similar user experience.
Description of the Solution
Our solution to Great American's issues was to provide them with three pieces of information that they could reference to assist in the implementation of their SharePoint 2013 environment. GA asked that we provide the following: an easy-to-follow project plan giving a step-by-step view of the teams involved and their role in the implementation; a recommendation document covering the best practices and approach, along with some reasoning behind our decisions; and a working demonstration showcasing the features and coding requested. The plan detailed the advantages and disadvantages of the best practices and our recommendations, as well as the other implementation options. Our overall plan was to provide documentation for Great American to ease the implementation of SharePoint 2013 and the features they desired. We also wanted our documentation to be adoptable by other companies for the same purpose. The demo provides a visual reference for companies to verify that their outcome is successful.
Page | 3
Design Protocols
The design protocols shown below showcase backend and frontend architecture, use cases, authentication protocols, and before and after shots of the features we implemented and modified during our project. This section can be utilized by companies to learn about the SharePoint architecture, as well as a reference to ensure the implementation was a success.
Use Case Diagram
Figure 1: Use Case Diagram (SharePoint 2013, Great American Insurance Group). Labels recovered from the diagram, in the order they were extracted (the grouping is lost): Firewalls, Active Directory Federated Service, SQL Service, SQL Databases, Server Hardware, Server OS, Server Features/Roles, BACKEND, SharePoint Central Admin, People Picker, Active Directory, Corporate Identity Management, Web Page Code, FRONTEND, Web Pages, Security Enablement, Database Administration, Hosting, Data Center Operations, Networking, Enterprise Storage/Backup, Infrastructure Architect, SharePoint Administration, SharePoint Developers, Load Balancers (VIP), Corporate Users.
ADFS Authentication Protocol (participants: User, SharePoint, AD FS, AD DS)
1. User requests a web page.
2. SharePoint sends a redirect and the user loads a login page from the AD FS server.
3. User sends user credentials and requests a SAML security token.
4. AD FS validates the user credentials with AD DS (the authentication provider).
5. AD FS sends a SAML security token.
6. User sends a new web page request containing the SAML security token.
7. SharePoint creates a SharePoint security token, sends the FedAuth cookie, and the requested web page.
Figure 4: ADFS Authentication Protocol
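The relying party trust and claim rule that this flow depends on are created through the AD FS wizards in test cases 2d and 2e of the Testing section; the SharePoint side must then be told to trust the AD FS signing certificate and which claim identifies the user. The following PowerShell is an added example written for this page, not the project's own script. The identifier urn:sp:portal, the sso and portal host names and the e-mail claim type come from the test table; the display names, the WS-Federation endpoint https://portal.contoso.com/_trust/, the certificate path C:\certs\adfs-token-signing.cer, the sign-in URL https://sso.contoso.com/adfs/ls/ and the second (group) claim rule are assumptions that go beyond the single e-mail rule the report configures.

```powershell
# Added example, not the report's own script. It scripts what test cases 2d and 2e do through
# the AD FS wizards and what the SharePoint farm needs in order to consume the resulting token.
# Assumed values: the WS-Federation endpoint, certificate path, sign-in URL and display names.

# ----- AD FS side: run on the AD FS server (Windows Server 2012 loads the AD FS cmdlets as a snap-in)
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName       = "SharePoint 2013 Portal"              # Display Name (test 2d)
$rpIdentifier = "urn:sp:portal"                       # Relying Party Trust Identifier (test 2d)
$rpEndpoint   = "https://portal.contoso.com/_trust/"  # assumed: SharePoint's WS-Fed passive endpoint

# Claim rule language equivalent of the "Send LDAP attributes as claims" template used in
# test 2e: look up the authenticated account's mail attribute in AD and issue it as the
# e-mail address claim. The second rule (an addition beyond the report) issues group names
# as role claims so the People Picker can resolve groups as well as users.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Contoso AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Contoso AD groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Issuance authorization: without a permit rule AD FS issues no token for this relying party.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $rpIdentifier -WSFedEndpoint $rpEndpoint `
    -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $authorizationRules

# ----- SharePoint side: run in the SharePoint 2013 Management Shell on a farm server
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# In step 7 of the flow the farm verifies the token signature against the AD FS
# token-signing certificate, so only the exported public certificate is imported here.
$certPath = "C:\certs\adfs-token-signing.cer"   # assumed path of the exported .cer file
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$emailMap  = New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap   = New-SPClaimTypeMapping -IncomingClaimType $roleType  -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Realm must equal the relying party identifier; the identifier claim is the e-mail address,
# which is also the LDAP attribute LDAPCP is configured to resolve in test 27.
$trust = New-SPTrustedIdentityTokenIssuer -Name "Contoso ADFS" -Description "AD FS at sso.contoso.com" `
    -Realm $rpIdentifier -ImportTrustCertificate $cert -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://sso.contoso.com/adfs/ls/" -IdentifierClaim $emailType

# Hand claim resolution in the People Picker to LDAPCP once its WSP is deployed (test 4b).
# "LDAPCP" is the provider name the solution registers (assumed from its documentation).
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()
```

The two halves run on different machines: the first on the AD FS server, the second in the SharePoint Management Shell. Keeping the AD FS signing key private and importing only the .cer public half is what lets the farm check signatures without being able to mint tokens itself.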
Figure 6: LDAPCP Configuration Link - Before
Figure 7: LDAPCP Configuration Link - After
User Profiles
There will be a small group of users that will need expertise regarding setting up a full SharePoint environment for the enterprise. Great American's SharePoint environment will have two major user groups: internal and external users. The internal users include both business and IT users, and the external users include only agents. The technical experience needed to use SharePoint is very basic. Business users and agents will need to be able to navigate files, browse the Internet, and only need limited Microsoft Office experience to work in the SharePoint environment. Advanced SharePoint settings are available to the users under the designer and page settings, if they choose to take advantage of them.
SharePoint Administrators and Service users from the Package Administration team will need to know both how the users use SharePoint and how to navigate the Central Administration panel for administration tasks. Administrators will also need strong troubleshooting skills to support both user issues and system errors that could negatively impact the system. SharePoint Developers from the Enterprise Portal team not only need to know how to use SharePoint's advanced user interface but also need an in-depth knowledge of all areas of SharePoint. A developer will not only need the ability to modify the configuration for the look and feel of the interface, but will also have the ability to add, modify, and delete additional functionality. Modification will allow users to view or manipulate external data from within the SharePoint environment.
Security Enablement takes care of all things related to authorization and authentication at the corporate level. In the SharePoint environment, they have the ability to enable and disable firewalls and control corporate account authentication. SharePoint Administrators will have to request modifications to infrastructure outside of the SharePoint environment required for stable operation. Authorization to a SharePoint site is not determined by the security team but by the site's owner(s), who are typically advanced business users. Groups through Active Directory can be leveraged within SharePoint to avoid granular user administration.
The Application Database Administration team will have the ability to set up the Microsoft SQL environment for SharePoint servers based on company policies. This ensures a smoothly running SQL environment and proper configuration of SQL backups according to corporate policies. Windows Hosting Administrators will configure the Windows OS environments based on the recommended requirements needed to perform day-to-day actions. Data Center Operations personnel will install the physical hardware in the data center based on company policies. The Network Services Team will enable the server to access the network according to configurations developed by the Infrastructure Architect. The environment will be constructed based on recommendations from the architect following company policies. Load balancing will be enabled for the respective web applications so that the servers are utilized to their fullest potential and can be easily scaled out for expansion. The Enterprise Backup and Storage team will configure storage and backup locations during the initial phases of the project. Location and access will be based on company policies and standards.
Deliverables
1) Recommended Best Approach and Reasoning
Requirements: Explanation of all implementation options and the advantages and disadvantages of each.
2) Project Plan
Requirements: Step-by-step plan for implementation of SharePoint and ADFS.
A step-by-step Gantt chart created in Microsoft Project reflecting the amount of time it would take to build out 3 environments (development, quality assurance, and production).
3) Demo
Requirements: Provide a unified experience for all users by providing one URL to all customers/employees, using a user's corporate username and password, and one login method. Have the ability to use the people picker without having to reference the address book provided by the custom claim provider.
A corporate-wide unified experience is made possible by implementing a single authentication domain with ADFS as the authentication method. A fully functional SharePoint environment with the LDAPCP claim provider code package provides the required people picker experience.
Project Planning
Budget
Great American Insurance was estimating the installation to be between 250k and 300k,
for both hardware and software. Labor and additional expenses were estimated to be an
additional 250k, bringing the total around 500k. This budget would have SharePoint 2013 fully
operational with all customizations by April 2014. The proposed budget for our involvement in
the project was of non-monetary value. The project was solely research based to provide Great
American with the information they needed to get their environment to 2013. Our research
focused on recommendations, planning, and demonstrating that our proposed solution was the
best route for meeting the requirements. None of the tasks or deliverables Great American asked
for cost us or the company any money, other than what they had already planned for.
As for our group’s own budget, there were no costs involved. Our deliverables were
written in Office software that we all already owned and that most companies already purchase.
The demonstration of the prototype environment is hosted on the CECH vCloud Sandbox. We
applied for a grant and we were awarded $750 of service on Amazon Web Services. The Web
Service was planned to be utilized if the CECH vCloud Sandbox environment did not meet our
needs, which it did. No money was spent on hardware or software since we were able to utilize
amenities offered by the university and evaluation licensing.
Timeline
This project will consist of the following timeline which will run the entire academic year
and will be presented to Great American Insurance by March 31st, 2014 and at Tech Expo on
April 15th, 2014. The recommendation document was finished on February 15, 2014. The demo
environment was complete on March 22, 2014. The project plan was finished March 29, 2014.
Anyone planning to replicate the implementation of this project should refer to our project plan/work breakdown structure. This document shows the appropriate time it should take to implement this design for those not familiar with end-to-end construction of a complete SharePoint farm and all of the appropriate features, plus ADFS and LDAPCP.
Software Used
Four different software suites were used when completing our Senior Design project. Microsoft SharePoint 2013 Enterprise is a content management system (CMS) running on Internet Information Services and SQL Server. SharePoint 2013 Enterprise has more features than its lower-tiered counterparts. Microsoft SQL Server 2012 was used in the backend for data storage. For Active Directory and Active Directory Federation Services, we utilized Windows Server 2012. In order to incorporate user lookup against Active Directory, LDAPCP was configured to resolve data entered into our people picker, meeting one of our deliverables for GA.
Hardware Specifications
For hardware purposes, we utilized the CECH VMware vCloud Director for the
environment. The Web Front End and Application server used a 4 core processor and 8GB of
memory in each. ADFS and Domain Control servers had a 2 core processor and 4GB of
memory. The last system in the environment was the SQL server. It used a 4 core processor and
12GB of memory.
Proof of Design
Our recommendation document goes through each topic we think is important for making Great American's SharePoint implementation a success. We first recommend that Great American implement an on-premise 3-tiered SharePoint architecture with ADFS as the authentication method. Backup and recovery will be mostly taken care of by company policy at the OS level, but the SQL Server instance will be utilizing the AlwaysOn feature for replication. For upgrading from SharePoint 2010 we recommend using the database detach/attach method for the appropriate SharePoint databases. Search functionality is important, and our recommendation is to start with the initial app server as the search server and, when ready, to build another SharePoint application server and move all search functions to that dedicated server. Office Web Application Companion has to be on a dedicated server per the prerequisites of the application. This service should be built as a farm implementation so that horizontal scaling is possible. Other SQL recommendations and utilizing the SP installer for quick SharePoint installs make implementation faster and easier. The project plan document shows, in a work breakdown structure and Gantt chart, how much time it should take Great American to build out this implementation for development, certification (quality assurance), and production and be up and running live for users. Our demo environment is running on the CECH sandbox, which is a VMware vCloud Director environment hosted by the CECH IT department. Our VMs were hosted in a private vApp on a private vApp network. The operating system for all of the VMs was Windows Server 2012. SharePoint 2013 Enterprise Edition is the version of SharePoint that has the capabilities needed by Great American. SQL Server Enterprise Edition was also used because of required features that are not available in SQL Server Standard Edition.
Testing
Roles for Functional Requirements: Server System Administration Role, Site Administrator Role, User Role.
Functional Requirements
1. The environment will use DNS.
1.a. DNS Services.
1.b. Client configuration.
1.c. Host configuration.
1.d. DNS entries.
2. The environment will be using ADFS "SSO" as authentication method.
2.a. ADFS services.
2.b. DNS entry for ADFS.
2.c. SPN entry.
2.d. ADFS relying party configuration.
2.e. ADFS claims configuration.
3. The environment will utilize SharePoint.
3.a. IIS services.
3.b. Web application.
3.c. Web application extended.
4. The environment will incorporate a Custom People Picker (LDAPCP) to return preferred attributes.
4.a. Add WSP file.
4.b. Deploy WSP file.
4.c. Configure mappings.
4.d. Configure LDAPCP.
5. The environment will utilize the "Search" feature within SharePoint.
5.a. Create service.
5.b. Enter "Search Term."
6. The environment will utilize Microsoft Office services.
6.a. Create service.
6.b. Upload document.
6.c. Open document.
Columns recorded for each test case: Req No, Item No, Test Case No, Role, Input, Expected Output, Actual Output, Pass/Fail, Reason for Failure/Success. Each test below is written as "Test <case no> (<item no>)" followed by those fields.
Requirement 1 (DNS)
Test 1 (1a). Role: Server System Admin. Input: net start dns. Expected: DNS services enabled. Actual: DNS enabled. Result: Pass. Reason: Command completed successfully.
Test 2 (1b). Role: Server System Admin. Input: netsh interface ip set dns "Local Area Connection" static x.x.x.x. Expected: Static DNS enabled. Actual: Static DNS enabled. Result: Pass. Reason: Client DNS configured correctly.
Test 3 (1c). Role: Server System Admin. Input: netsh interface ip set dns "Local Area Connection" static 127.0.0.1. Expected: Static DNS enabled. Actual: Static DNS enabled. Result: Pass. Reason: Host DNS configured correctly.
Test 4 (1d). Role: Server System Admin. Input: (not recorded). Expected: DNS forwarding enabled. Able to access Internet. Actual: (not recorded). Result: Fail. Reason: Command not ran. DNS forwarding not enabled.
Test 5 (1d). Role: Server System Admin. Input: dnscmd spdc01 /ZoneAdd CONTOSO.com /Forwarder 8.8.8.8 /TimeOut 5. Expected: DNS forwarding enabled. Able to access Internet. Actual: DNS forwarding enabled. Able to access Internet. Result: Pass. Reason: Command completed successfully.
Test 6 (1e). Role: Server System Admin. Input: dnscmd spdc01 /RecordAdd CONTOSO.com portal A 192.168.2.106. Expected: DNS entry added. Actual: DNS entry added. Result: Pass. Reason: Command completed successfully.
Test 7 (1e). Role: Server System Admin. Input: dnscmd spdc01 /RecordAdd CONTOSO.com logon A 192.168.2.100. Expected: DNS entry added. Actual: DNS entry added. Result: Pass. Reason: Command completed successfully.
Test 8 (1e). Role: Server System Admin. Input: dnscmd spdc01 /RecordAdd CONTOSO.com mysite A 192.168.2.106. Expected: DNS entry added. Actual: DNS entry added. Result: Pass. Reason: Command completed successfully.
Test 9 (1e). Role: Server System Admin. Input: dnscmd spdc01 /RecordAdd CONTOSO.com mysite-default A 192.168.2.106. Expected: DNS entry added. Actual: DNS entry added. Result: Pass. Reason: Command completed successfully.
Test 10 (1e). Role: Server System Admin. Input: dnscmd spdc01 /RecordAdd CONTOSO.com portal-default A 192.168.2.106. Expected: DNS entry added. Actual: DNS entry added. Result: Pass. Reason: Command completed successfully.
Test 11 (1e). Role: Server System Admin. Input: dnscmd spdc01 /RecordAdd CONTOSO.com spsql01 A 192.168.2.103. Expected: DNS entry added. Actual: DNS entry added. Result: Pass. Reason: Command completed successfully.
Test 12 (1e). Role: Server System Admin. Input: dnscmd spdc01 /RecordAdd CONTOSO.com sqlalias A 192.168.2.107. Expected: DNS entry added. Actual: DNS entry added. Result: Pass. Reason: Command completed successfully.
Test 13 (1e). Role: Server System Admin. Input: dnscmd spdc01 /RecordAdd CONTOSO.com sso A 192.168.2.100. Expected: DNS entry added. Actual: DNS entry added. Result: Pass. Reason: Command completed successfully.
Requirement 2 (ADFS)
Test 14 (2a). Role: Server System Admin. Input: net start adfssrv. Expected: ADFS service is enabled. Actual: ADFS service is enabled. Result: Pass. Reason: Command completed successfully.
Test 15 (2b). Role: Server System Admin. Input: dnscmd spdc01 /RecordAdd CONTOSO.com sso A 192.168.2.100. Expected: DNS entry added. Actual: DNS entry added. Result: Pass. Reason: Command completed successfully.
Test 16 (2c). Role: Server System Admin. Input: setspn -s host/spadfs.contoso.com spadfs. Expected: SPN entry added. Actual: SPN entry added. Result: Fail. Reason: Wrong host entry in command.
Test 17 (2c). Role: Server System Admin. Input: setspn -s host/sso.contoso.com spadfs. Expected: SPN entry added. Actual: SPN entry added. Result: Pass. Reason: Command completed successfully. Entered correct host name.
Test 18 (2d). Role: Server System Admin. Input: Add relying party trust (config wizard). Parameters: Display Name <Name>; Relying Party Passive URL <https://xxx.com>; Relying Party Trust Identifier <urn:sp:portal>. Expected: Config wizard starts and ends. Actual: Config wizard completed. Result: Pass. Reason: Configuration successful.
Test 19 (2e). Role: Server System Admin. Input: Add transform claim rule wizard. Parameters: Claim Rule Template <Send LDAP attributes as claims>; Claim Rule Name <Contoso AD>; Attribute Store <Active Directory>; LDAP Attribute <e-mail-addresses>; Outgoing Claim Type <e-mail address>. Expected: Config wizard starts and ends. Actual: Config wizard completed. Result: Pass. Reason: Configuration successful.
Requirement 3 (SharePoint)
Test 20 (3a). Role: Server System Admin. Input: net start w3svc. Expected: IIS service started. Actual: IIS enabled. Result: Pass. Reason: Command completed successfully.
Test 21 (3b). Role: Server System Admin. Input: New-SPWebApplication -Name $siteName -Port $port -HostHeader $hostHeader -URL $url -ApplicationPool $appPoolName -ApplicationPoolAccount (Get-SPManagedAccount "$managedAccount") -DatabaseName $dbName -DatabaseServer $dbServer -AllowAnonymousAccess:$allowAnonymous -AuthenticationMethod $authenticationMethod -SecureSocketsLayer:$ssl. Expected: Web application created. Actual: Web application created. Result: Pass. Reason: Command entered/ran successfully.
Test 22 (3c). Role: Server System Admin. Input: Get-SPWebApplication -Identity http://sitename | New-SPWebApplicationExtension -Name <Name> -HostHeader <HostHeader> -Zone <Zone> -URL <URL> -Port <Port> -AuthenticationProvider $ap. Expected: Web application extended. Actual: Web extension created. Result: Pass. Reason: Command entered/ran successfully.
Requirement 4 (Custom People Picker, LDAPCP)
Test 23 (4a). Role: Server System Admin. Input: Add-SPSolution -LiteralPath C:\LDAPCP.wsp. Expected: WSP file has been added to farm. Actual: WSP added successfully. Result: Pass. Reason: Command entered/ran successfully.
Test 24 (4b). Role: Server System Admin. Input: Install-SPSolution -Identity "LDAPCP". Expected: Solution installed successfully. Actual: Solution deployed globally successfully. Result: Pass. Reason: Command entered/ran successfully.
Test 25 (4c). Role: Server System Admin. Input: Click new item. Expected: Add new item page loaded successfully. Actual: Item page loaded successfully. Result: Pass. Reason: LDAPCP installed correctly via GUI.
Test 26 (4c). Role: Server System Admin. Input: Select "Query user input on this LDAP attribute and create permission with specified claim type" radio button. Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress; Type of Permission Metadata: eMail; LDAP Attribute Name: eMail; Attribute LDAP Object Class: USER. Expected: eMail claim creates successfully. Actual: Success. Result: Fail. Reason: LDAP object class entered incorrectly.
Test 27 (4c). Role: Server System Admin. Input: Select "Query user input on this LDAP attribute and create permission with specified claim type" radio button. Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress; Type of Permission Metadata: eMail; LDAP Attribute Name: eMail; Attribute LDAP Object Class: AFGUSERACCOUNT. Expected: eMail claim creates successfully. Actual: Success. Result: Pass. Reason: LDAP object class entered correctly.
Test 28 (4d). Role: Server System Admin. Input: Select "Manually specify LDAP connection" radio button. LDAP Connection String: LDAP://gadc01/DC=ga,DC=com; User Name: GA\ups; Password: pa$$w0rd. Select "Always use a specific LDAP attribute" radio button. LDAP attribute to use for the display text: Name. Expected: Central Admin Main Page. Actual: Return to Central Admin Main Page. No error notifications. Result: Pass. Reason: Entered parameters correctly.
Requirement 5 (Search)
Test 29 (5a). Role: Server System Admin. Input: *Leave all dropdowns default. Service Application Name: Search Service Service App; Application Pool for Search Admin Web Service: Search Service App Pool; Application Pool for Search Query Web Service: Search Query App Pool. Expected: Service application created successfully notification. Actual: Notification received. Result: Pass. Reason: Entered parameters correctly.
Test 30 (5b). Role: Server System Admin, Site Admin, User. Input: Enter search term "Information Technology." Expected: Word document displays in results. Actual: Document found. Result: Pass. Reason: Search functional. Set up correctly.
Requirement 6 (Microsoft Office services)
Test 31 (6a). Role: Server System Admin. Input: *Leave all dropdowns default. Service Application Name: Word Service App; Application Pool Name: Word Service App Pool; Check: "Add to Default Proxy List". Expected: Continue install to next screen. Actual: Next Screen loaded. Result: Pass. Reason: Entered parameters correctly.
Test 32 (6a). Role: Server System Admin. Input: Database Name: Word_wordservice_db; Click: Finish. Expected: Service application created successfully notification. Actual: Notification received. Result: Pass. Reason: Entered parameters correctly.
Test 33 (6b). Role: Server System Admin, Site Admin, User. Input: Click "Add New Document." Browse for Document. Click "OK". Click "Save". Expected: Document uploaded successfully notification. Actual: Notification received. Result: Pass. Reason: Document uploaded correctly.
Test 34 (6c). Role: Server System Admin, Site Admin, User. Input: Click on Document to Open. Expected: Document opens in Web Application instead of client program. Actual: Opened Successfully in Web app. Result: Pass. Reason: Document in library. Can be accessed.
Chart 3: Testing Documentation
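Test cases 3b, 3c, 4a and 4b above are run one at a time with variables filled in by hand, and test 16 shows how easy it is to register the SPN against the server's own hostname instead of the name users browse to. The script below is an added example written for this page, not the project's own deployment script: it builds the web application with Windows authentication on the Default zone, extends it into the Intranet zone for AD FS sign-in, deploys LDAPCP, and then checks the DNS records, SPN, solution and trust that the test table verifies by hand. The host names, IP-less DNS checks and the sqlalias database server come from the test table; the managed account CONTOSO\spapppool, the database name, the application pool names, the trusted identity token issuer name "Contoso ADFS" and the path C:\LDAPCP.wsp are assumptions.

```powershell
# Added example, not the report's own script: scripts tests 3b, 3c, 4a and 4b and verifies
# the outcome. Assumed: an existing trusted identity token issuer named "Contoso ADFS",
# the managed account CONTOSO\spapppool, pool/database names and the WSP path.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Two authentication providers: Windows integrated for the Default zone (used by the search
# crawler, test 5b) and the AD FS trust for the zone users actually browse to.
$trust        = Get-SPTrustedIdentityTokenIssuer "Contoso ADFS"
$adfsProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $trust
$winProvider  = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

$managedAccount = Get-SPManagedAccount "CONTOSO\spapppool"   # assumed service account

# 3b: create the web application on the Default zone (portal-default, test 10).
$webApp = New-SPWebApplication -Name "Portal" -Port 443 -HostHeader "portal-default.contoso.com" `
    -URL "https://portal-default.contoso.com" -ApplicationPool "Portal AppPool" `
    -ApplicationPoolAccount $managedAccount -DatabaseName "WSS_Content_Portal" `
    -DatabaseServer "sqlalias" -AuthenticationProvider $winProvider -SecureSocketsLayer

# 3c: extend it into the Intranet zone (portal, test 6) where sign-in goes through AD FS.
$webApp | New-SPWebApplicationExtension -Name "Portal - ADFS" -HostHeader "portal.contoso.com" `
    -Zone Intranet -URL "https://portal.contoso.com" -Port 443 `
    -AuthenticationProvider $adfsProvider -SecureSocketsLayer

# 4a/4b: add and deploy LDAPCP. Its assembly is installed to the GAC, hence -GACDeployment.
Add-SPSolution -LiteralPath "C:\LDAPCP.wsp"
Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment

function Test-FarmReady {
    # Returns $true only when every item the test table checks by hand is in place.
    $ok = $true
    foreach ($name in "portal", "portal-default", "sso", "sqlalias") {
        if (-not (Resolve-DnsName "$name.contoso.com" -Type A -ErrorAction SilentlyContinue)) {
            Write-Warning "DNS A record missing: $name.contoso.com"; $ok = $false
        }
    }
    # Test 16 failed because the SPN used the server name; the SPN must carry the
    # service name users resolve (sso.contoso.com), registered on the AD FS computer spadfs.
    if (-not ((setspn -L spadfs) -match "host/sso\.contoso\.com")) {
        Write-Warning "SPN host/sso.contoso.com not registered on spadfs"; $ok = $false
    }
    $sol = Get-SPSolution "LDAPCP.wsp" -ErrorAction SilentlyContinue
    if (-not ($sol -and $sol.Deployed)) { Write-Warning "LDAPCP not deployed"; $ok = $false }
    if (-not (Get-SPTrustedIdentityTokenIssuer "Contoso ADFS" -ErrorAction SilentlyContinue)) {
        Write-Warning "Trusted identity token issuer 'Contoso ADFS' missing"; $ok = $false
    }
    return $ok
}

Test-FarmReady
```

Separating the zones keeps the crawl account on Windows authentication while every interactive user hits the AD FS-backed zone, so the single login URL requested in the problem statement is the only one exposed to people. The check function is the scripted counterpart of re-running tests 6 to 13, 17, 18 and 24 after a rebuild.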
Conclusion
At the end of the day, our project for Great American Insurance was a success. Our accomplishment was not easy, though. Many problems occurred over the past two semesters and some were major setbacks. We gained first-hand experience doing a project for a company. Great American initially wanted us to do a SharePoint 2010 to SharePoint 2013 migration project. After the first semester, they no longer needed our support. We had to redefine our scope and assist them on another project they wanted completed.
The Sandbox was used heavily in this project. We encountered many errors, one even causing the environment to crash. Jason Gerst was always available to assist us and help troubleshoot the errors, getting us up and running again.
Another difficulty we had to overcome was the complexity of ADFS. None of us had prior knowledge in this area. It is a not-so-simple Single Sign On option, and it does take quite a bit of time to configure if you are inexperienced, as we were. Chris Toelke provided us with valuable information that enabled us to progress with the project.
Skills acquired for this project fell in many different areas. SharePoint, SQL, ADFS, and Custom Claims were all pieces of the final product we delivered to Great American Insurance. We all learned a great amount in each area. We also learned how projects in the real world work and that if setbacks arise, you have to manage through them.
Great American Insurance asked us for a total of three deliverables. First, a Recommended Best Approach and Reasoning document covering SharePoint 2013 architecture and ADFS. Second, a project plan describing a step-by-step plan for SharePoint and ADFS implementation. And finally, a working demo environment showing a unified user experience, the ability to add/remove domains/users easily, and the power of Custom Claims based authentication.
List of Figures
Figure 1: Use Case Diagram ... 3
Figure 2: Three Tier SharePoint Architecture ... 4
Figure 3: Corporate Network Architecture ... 5
Figure 4: ADFS Authentication Protocol ... 6
Figure 5: SAML Definition ... 7
Figure 6: LDAPCP Configuration Link - Before ... 8
Figure 7: LDAPCP Configuration Link - After ... 8
Figure 8: People Picker - Before ... 9
Figure 9: People Picker - After ... 9
Figure 10: LDAPCP Command - Before ... 10
Figure 11: LDAPCP Command - Before ... 10
Chart 1: Project Tasks - SharePoint Testing Table ... 17
Chart 2: Gantt Chart - SharePoint ... 17
Chart 3: Testing Documentation ... 21
SharePoint 2013 Best Practices: Recommendation Documentation
By: Tim Tait, Pat Manning, John Wannemacher
SharePoint 2013 is a very large product, and in order for it to run efficiently and effectively we have pieced together, from various sources, the best solution for Great American Insurance Group. We cover the recommended best practices for the following: platform, architecture, service account(s), authentication method, backup/recovery methods (at the various levels), search architecture, Office Web Application Companion architecture, SQL settings, and various SharePoint solutions and open source software that ease administration and installation.
Before any hardware and software can be installed, a plan needs to be composed for where the hardware and software will be installed. Great American's interests lie in protecting customer data and abiding by the many policies, procedures, audits and laws the company is bound to. This is very important and has to be taken into consideration before thinking about utilizing bleeding-edge technology. As for SharePoint platforms, Great American has a few different options, as displayed in Figure 1: Office 365, an On Premise/Cloud Hybrid, IaaS Cloud (Azure), and On Premise. To fully protect customer data, GA has dismissed any third-party option, because the company would not have full control of its data. Using the Windows Azure platform is being considered for the near future, as the transition from any virtual solution to Azure can be fairly simple: the virtual machines are uploaded to the cloud and attached as an identical copy. This leaves GA with options for a cloud solution that can integrate other products they are interested in as well.
Figure 1 (Microsoft SharePoint 2013 Platform Options, 2012)
Since GA will be staying On Premise, they will have to decide what type of architecture will work best for their SharePoint 2013 environment. According to TechNet, “A three-tier topology provides the most efficient physical and logical layout to support scaling out or scaling up, and it provides better distribution of services across the member servers of the farm” (“SharePoint 2013 across”, 2012). This architecture will also create a familiar administration solution for the company. Since they also want a unified user experience across all user domains of the company, a separate SharePoint resource domain will be the best way to provide it. All users will then access the web applications using the same URL and authentication method. We recommend using Active Directory Federation Services (ADFS), since it has no per-user license cost and is included in every Windows Server license. Ping Federate is used heavily at Great American and can be integrated with SharePoint too, but it will require more configuration than ADFS if the company moves to a cloud solution.
Figure 2 (Three-tier farm configuration, 2012)
To make the single URL/unified experience possible, a single authentication method must be established. This means that the user will not have to make a choice or remember a different URL depending on where they are (internal or external) when accessing SharePoint resources. Currently, Ping Federate from Ping Identity® is used for most corporate applications. For SharePoint and other Microsoft products such as Lync and Exchange, a move to ADFS is recommended. Ping Federate was tested for SharePoint, but more configuration was required initially; ADFS, on the other hand, will ease setup and administration. The problem that arises for Great American is that CA SiteMinder® is used to protect the service bus, and ADFS does not receive a SiteMinder® token because its authentication provider is Active Directory. Ping Federate®'s authentication provider, by contrast, is Enterprise Directory (Sun One Directory), which does provide a SiteMinder® token. This does not mean that it is impossible to use ADFS and obtain a SiteMinder® token later, but it will require a little more work.
In the best case, the service bus should move away from CA SiteMinder® and be made a claims-aware application. This way the company can save money and avoid cornering itself with proprietary access software. Any user presenting SAML claims could then access the service bus without being tied to a single authentication source. This allows Great American to be ultimately flexible when absorbing smaller companies that do not want to merge IT infrastructure fully: the smaller companies can access resources by authenticating with whichever SAML federation they choose, whether ADFS, Ping Federate, Google or Microsoft, as long as their claim is accepted by the service bus. This is, however, out of scope for this project, but it is tied to the overall success of the company's goals.
Realistically, within the scope of this project, Great American will have to choose between more configuration now with Ping, with SiteMinder® tokens generated automatically, and less configuration now with ADFS, with a way to generate a SiteMinder® token still to be worked out. We recommend that Great American choose ADFS to ultimately reduce cost and aim toward moving away from SiteMinder®.
To have the smoothest upgrade from 2010 to 2013, Great American is planning on using the “Attach-Detach” method. We also recommend this method, for several reasons. First, the 2010 databases do not need to go offline; they can be set to read-only for assurance, so users can still access content until the 2013 site is brought online. Second, depending on the timeline set for the upgrade of sites, each content database can be brought over separately or all together, for maximum flexibility. Third, some of the service application databases can also be upgraded: Business Data Connectivity, Managed Metadata, PerformancePoint, Secure Store, Search (Admin_db only), and User Profile (Profile, Social, and Sync db). Some cons of this method are that any farm-wide settings/customizations will have to be transferred manually and the search indexes will have to be rebuilt. For the complete instructions on this methodology visit http://technet.microsoft.com/en-us/library/cc263026.aspx.
Figure 3 (The sequence of upgrade stages, 2012)
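As an added illustration of the database-attach steps described above (this is not part of the report or of Microsoft's documentation), the following PowerShell sequence moves one content database from a 2010 farm into a 2013 web application; the SQL instance, database and URL names are placeholders, and the backup/restore between the two SQL instances is left to the DBA's tooling.

```powershell
# Added example of the "Attach-Detach" (database-attach) upgrade for one content
# database. All names are placeholders; run on a 2013 farm server as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
Import-Module SqlServer -ErrorAction Stop    # provides Invoke-Sqlcmd (SQLPS on older hosts)

$sourceSql = 'SQL2010\SP'                    # placeholder: 2010 farm SQL instance
$targetSql = 'SQL2013\SP'                    # placeholder: 2013 farm SQL instance
$contentDb = 'WSS_Content_Portal'            # placeholder: content database name
$webApp    = 'https://portal.example.com'    # placeholder: 2013 web application URL

# 1) Keep the 2010 database online but read-only: users can still read content
#    until the 2013 site is up, and nothing changes after the copy is taken.
Invoke-Sqlcmd -ServerInstance $sourceSql `
    -Query "ALTER DATABASE [$contentDb] SET READ_ONLY WITH NO_WAIT"

# 2) Back up $contentDb on $sourceSql and restore it on $targetSql (DBA tooling, not shown).

# 3) Dry run against the 2013 farm: lists features, solutions and web parts the
#    2010 sites use that the new farm lacks. Farm-wide customizations are not
#    carried inside the database and must be redeployed before mounting.
$results  = Test-SPContentDatabase -Name $contentDb -DatabaseServer $targetSql `
    -WebApplication $webApp
$blocking = @($results | Where-Object { $_.UpgradeBlocking })
if ($blocking.Count -gt 0) {
    $blocking | Format-List Category, Error, Message, Remedy
    throw "Upgrade-blocking issues found in $contentDb; resolve them before mounting."
}

# 4) Attach the database; the schema upgrade runs as part of the mount.
Mount-SPContentDatabase -Name $contentDb -DatabaseServer $targetSql -WebApplication $webApp

# 5) Site collections stay in 2010 compatibility mode until each one is upgraded.
Get-SPSite -ContentDatabase $contentDb -Limit All | ForEach-Object {
    Upgrade-SPSite -Identity $_.Url -VersionUpgrade -Unthrottled
}

# 6) The search index is not carried over: start a full crawl of every content source.
$ssa = Get-SPEnterpriseSearchServiceApplication
Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa |
    ForEach-Object { $_.StartFullCrawl() }
```

Repeat steps 2 to 5 per content database when the databases are brought over separately; the read-only flag on the 2010 side is only lifted once the 2013 site is confirmed working.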
Search enables users to find information more quickly and makes finding significant information much easier. We recommend that Great American implement a single search companion server in each SharePoint farm. Search in SharePoint 2013 can be scaled and implemented in various ways, so it is flexible enough to suit companies of all types and sizes. Our recommendation is based on Great American's search frequency and amount of searchable data. Currently Great American holds about 3,000 internet-searchable items, and the intranet sites hold about a half-million items. This recommendation saves money and scales the search service appropriately for the number of items per environment. Microsoft's smallest recommendation from the “Enterprise Search Architectures for SharePoint Server 2013” diagram scales to about 10 million items (Enterprise Search, 2012). Condensing the separate VMs should handle Great American's needs until millions of items need to be searchable. Figure 5 shows how the modified search service companion server should be set up in each environment, with the SQL databases included (the search SQL databases reside on the same SharePoint SQL servers).
Note: Other foundation SharePoint environment servers are not included in the picture (WFE, APP, & WAC)
Figure 5 – Modified Search Service Companion for Great American
The Office Web Application Companion, or “WAC”, enables SharePoint users to view and/or edit documents in a web browser without having to install a local copy of Microsoft Office. “A single Office Web Apps Server farm can support users who access Office files through SharePoint 2013, Lync Server 2013, Exchange Server 2013, shared folders, and websites” (Office Web Apps, 2012). In SharePoint 2013 this service has been rebuilt and is now separated from the rest of the SharePoint services. This means that it can no longer share a server with SharePoint. It must be installed on its own server, separate from any SharePoint server, but it will serve all of the SharePoint servers and even Lync and Exchange (when configured correctly). Figure 6 shows how Office Web Apps worked in the past and how it works in 2013. We recommend that Great American implement a WAC farm as they build their SharePoint 2013 farm; this provides the simplest setup and plenty of room for expansion. We recommend at least 2 WAC servers for load balancing across all SharePoint environments. Great American may want to consider 3 servers when traffic becomes heavier and performance lag is noticeable.
Figure 6 – Office Web Apps then and now
Here is a list of a few final additional suggested tools, techniques, and settings from developers and experts in the field.
1) A presentation from Dog Food Conference 2013 by Veenus Maximiuk called SharePoint & SQL Server Working Together Efficiently. This presentation discussed streamlining SQL Server and its resources so that SharePoint and SQL work together more efficiently. The material can be found at http://www.slideshare.net/vmaximiuk/share-point-sql-server-working-together-efficiently or http://spvee.wordpress.com/2013/12/13/dogfood-conference-2013-optimize-sql-server-for-sharepoint/.
2) Code for a claims provider developed by Yvan Duhamel. This code corrects the typical behavior of the people picker under SAML authentication, so that a search responds with filtered results of real users. This code can save time because it uses LDAP (Lightweight Directory Access Protocol) calls, so it can be used against any directory store, not just Active Directory. More information can be found at http://www.ldapcp.codeplex.com/. Also, Kirk Evans from Microsoft MSDN explains thoroughly how to write and deploy your own claims provider if you wish to do so. That article can be found at http://blogs.msdn.com/b/kaevans/archive/2013/05/26/fixing-people-picker-for-saml-claims-users-using-ldap.aspx.
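To show what an LDAP-backed claims provider does with a people picker query, the PowerShell below is an added simulation (not LDAPCP's code and not from Kirk Evans' article): it escapes the typed text into an LDAP search filter and maps the directory entries that come back to the identity claim SharePoint stores. The directory entries, the attribute list and the use of the e-mail claim as identity claim are constructed assumptions for this example.

```powershell
# Added simulation of an LDAP-based claims provider resolving people picker input.
# Entries, attributes and claim mapping are constructed; a real provider sends the
# filter to the directory (e.g. via DirectorySearcher) instead of matching in memory.

# Escape the user-typed text per RFC 4515 so that characters such as "*", "(" or ")"
# that occur in names cannot change the structure of the filter sent to the directory.
function ConvertTo-LdapFilterLiteral {
    param([Parameter(Mandatory)][string]$Text)
    $out = New-Object System.Text.StringBuilder
    foreach ($ch in $Text.ToCharArray()) {
        switch ([string]$ch) {
            '\'     { [void]$out.Append('\5c') }
            '*'     { [void]$out.Append('\2a') }
            '('     { [void]$out.Append('\28') }
            ')'     { [void]$out.Append('\29') }
            "`0"    { [void]$out.Append('\00') }
            default { [void]$out.Append($ch) }
        }
    }
    $out.ToString()
}

# Build the "starts with" query the picker issues across the attributes the provider
# is configured to search (constructed default list).
function New-PeoplePickerLdapFilter {
    param([Parameter(Mandatory)][string]$SearchText,
          [string[]]$Attributes = @('sAMAccountName', 'mail', 'displayName'))
    $literal = ConvertTo-LdapFilterLiteral -Text $SearchText
    $clauses = ($Attributes | ForEach-Object { "($_=$literal*)" }) -join ''
    "(&(objectClass=user)(|$clauses))"
}

# Map each entry the directory returned to the claim SharePoint will store: the
# identity claim value comes from the directory (here the mail attribute, matching the
# standard e-mail claim type an ADFS rule would issue), not from the typed text.
function ConvertTo-PeoplePickerClaim {
    param([Parameter(Mandatory)][hashtable[]]$Entries)
    foreach ($e in $Entries) {
        [pscustomobject]@{
            ClaimType   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
            ClaimValue  = $e.mail
            DisplayName = $e.displayName
        }
    }
}

# Constructed sample: the filter for a name containing parentheses, and the entry a
# directory might return for it.
New-PeoplePickerLdapFilter -SearchText "O'Brien (Sales)"
$found = @(@{ sAMAccountName = 'obrien'; mail = 'obrien@example.com'; displayName = "O'Brien (Sales)" })
ConvertTo-PeoplePickerClaim -Entries $found | Format-Table
```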
Works Cited
Enterprise Search Architectures for SharePoint Server 2013. Visio Drawing. Technical Diagrams for SharePoint 2013. Microsoft TechNet, 16 July 2012. Web. 29 December 2013.
"Install SharePoint 2013 across Multiple Servers for a Three-tier Farm." Microsoft TechNet. Microsoft, 16 July 2012. Web. 19 December 2013.
Microsoft SharePoint 2013 Platform Options. Visio Drawing. Technical Diagrams for SharePoint 2013. Microsoft TechNet, 16 July 2012. Web. 12 December 2013.
"Office Web Apps Server Overview." Microsoft TechNet. Microsoft, 16 July 2012. Web. 9 January 2014.
Office Web Apps Then and Now. Digital Image. Office Web Apps Server Overview. Microsoft TechNet, 16 July 2012. Web. 29 December 2013.
The Sequence of Upgrade Stages. Digital Image. Overview of the Upgrade Process to SharePoint 2013. Microsoft TechNet, 16 July 2012. Web. 29 December 2013.
Three-tier Farm Configuration. Digital Image. Install SharePoint 2013 across Multiple Servers for a Three-tier Farm. Microsoft TechNet, 16 July 2012. Web. 12 December 2013.
Project task list (page 1)
ID | Task Name | Duration | Start | Finish
1 | Plan SP + other domains | 8 days | Mon 12/30/13 | Wed 1/8/14
2 | SharePoint Design | 3 days | Mon 12/30/13 | Wed 1/1/14
3 | Physical Architecture | 1 day | Mon 12/30/13 | Mon 12/30/13
4 | Network Architecture | 1 day | Mon 12/30/13 | Mon 12/30/13
5 | SharePoint Licensing | 1 day | Tue 12/31/13 | Tue 12/31/13
6 | Service Account Design | 1 day | Tue 12/31/13 | Tue 12/31/13
7 | Web App Architecture (scheme, URLs) | 1 day | Wed 1/1/14 | Wed 1/1/14
8 | DB Architecture | 1 day | Wed 1/1/14 | Wed 1/1/14
9 | Forest Design | 3 days | Thu 1/2/14 | Mon 1/6/14
10 | Resource Domain Design | 1 day | Thu 1/2/14 | Thu 1/2/14
11 | User Domain Design | 1 day | Thu 1/2/14 | Thu 1/2/14
12 | DNS Design | 1 day | Fri 1/3/14 | Fri 1/3/14
13 | Organizational Unit Design | 1 day | Fri 1/3/14 | Fri 1/3/14
14 | Plan Trusts | 1 day | Mon 1/6/14 | Mon 1/6/14
15 | Plan Users | 1 day | Mon 1/6/14 | Mon 1/6/14
16 | Plan MSFT Licensing | 1 day | Mon 1/6/14 | Mon 1/6/14
17 | ADFS Design | 2 days | Tue 1/7/14 | Wed 1/8/14
18 | Plan ADFS Certificates | 1 day | Tue 1/7/14 | Tue 1/7/14
19 | Plan ADFS Login URLs | 1 day | Tue 1/7/14 | Tue 1/7/14
20 | Plan/Choose Claims | 1 day | Wed 1/8/14 | Wed 1/8/14
21 | New Server Installation - (Dev) | 3 days | Thu 1/9/14 | Mon 1/13/14
22 | Create VMs | 1 day | Thu 1/9/14 | Thu 1/9/14
23 | Install OS (Windows 2012) | 1 day | Thu 1/9/14 | Thu 1/9/14
24 | Configure OS to Baseline | 1 day | Thu 1/9/14 | Thu 1/9/14
Resource Names column (extracted separately from the rows above, in task order):
Package Admins, Hosting, Infrastructure Architecture
Package Admins, Networking, Infrastructure Architecture
Package Admins, Asset Management
Package Admins
Package Admins
Package Admins, SQL DBAs
Domain Admins
Domain Admins
Networking
Domain Admins
Domain Admins, Security
Domain Admins, Security
Asset Management
Security, Domain Admins
Domain Admins, Security
Domain Admins, Security, Package Admins
Hosting
Hosting
Domain Admins
Project task list (page 2)
ID | Task Name | Duration | Start | Finish
25 | Configure Security/Firewall | 1 day | Fri 1/10/14 | Fri 1/10/14
26 | Install Roles (DC, ADFS, DNS, SQL) | 1 day | Fri 1/10/14 | Fri 1/10/14
27 | Create AD Accounts (Service, Import Users) | 1 day | Fri 1/10/14 | Fri 1/10/14
28 | Configure DNS | 1 day | Mon 1/13/14 | Mon 1/13/14
29 | Configure SQL | 1 day | Mon 1/13/14 | Mon 1/13/14
30 | Configure ADFS - (Dev) | 1 day | Mon 1/13/14 | Mon 1/13/14
31 | New Claims Provider (user domain) | 1 day | Mon 1/13/14 | Mon 1/13/14
32 | New Relying Party (SharePoint) | 1 day | Mon 1/13/14 | Mon 1/13/14
33 | SharePoint - (Dev) | 4 days | Tue 1/14/14 | Fri 1/17/14
34 | Install SharePoint | 1 day | Tue 1/14/14 | Tue 1/14/14
35 | Install WAC | 1 day | Tue 1/14/14 | Tue 1/14/14
36 | SharePoint Initial Configuration | 1 day | Tue 1/14/14 | Wed 1/15/14
37 | SharePoint Config (Dev) | 4 days | Tue 1/14/14 | Fri 1/17/14
38 | Install SP Services | 2 days | Tue 1/14/14 | Wed 1/15/14
39 | Create Web Application(s) - (portal + mysite) | 1 day | Tue 1/14/14 | Tue 1/14/14
40 | DNS Entry(s) | 1 day | Tue 1/14/14 | Tue 1/14/14
41 | Configure SP Services | 1 day | Wed 1/15/14 | Wed 1/15/14
42 | SharePoint New IdentityProvider | 1 day | Thu 1/16/14 | Thu 1/16/14
43 | Extend Web Application(s) to ADFS | 1 day | Thu 1/16/14 | Thu 1/16/14
44 | Tie Web Application to ADFS Auth Provider | 1 day | Thu 1/16/14 | Thu 1/16/14
45 | UPS Configuration + Attributes | 1 day | Fri 1/17/14 | Fri 1/17/14
46 | Implement Custom Claims Provider - (Dev) | 1 day | Fri 1/17/14 | Fri 1/17/14
47 | Download ldapcp.wsp | 1 day | Fri 1/17/14 | Fri 1/17/14
48 | Edit ldapcp code if necessary | 1 day | Fri 1/17/14 | Fri 1/17/14
Resource Names column (extracted separately from the rows above, in task order):
Domain Admins, Security
Domain Admins
Domain Admins
Networking, Security
SQL DBAs
Domain Admins, Security
Domain Admins, Security
Package Admins
Package Admins
Package Admins
Package Admins
Package Admins
Package Admins
Package Admins
Package Admins
Package Admins
Package Admins
Package Admins
Package Admins
Enterprise Portal
Project task list (page 3)
ID | Task Name | Duration | Start | Finish
49 | Install ldapcp.wsp | 1 day | Fri 1/17/14 | Fri 1/17/14
50 | Configure ldapcp claims | 1 day | Fri 1/17/14 | Fri 1/17/14
51 | Test (Dev) | 5 days | Mon 1/20/14 | Fri 1/24/14
52 | Test Cases | 5 days | Mon 1/20/14 | Fri 1/24/14
53 | New Server Installation - (Cert) | 3 days | Mon 1/27/14 | Wed 1/29/14
65 | SharePoint - (Cert) | 4 days | Thu 1/30/14 | Tue 2/4/14
83 | Test (Cert) | 5 days | Wed 2/5/14 | Tue 2/11/14
85 | New Server Installation - (Prod) | 3 days | Wed 2/12/14 | Fri 2/14/14
97 | SharePoint - (Prod) | 4 days | Mon 2/17/14 | Thu 2/20/14
115 | Test (Prod) | 5 days | Fri 2/21/14 | Thu 2/27/14
Resource Names column (extracted separately from the rows above, in task order):
Package Admins
Package Admins
Enterprise Portal, Package Admins