Configure a one-way outbound hybrid topology

SharePoint 2013

Applies to: SharePoint Server 2013, SharePoint Online

Topic Last Modified: 2014-04-29

Summary: Learn how to configure the basic infrastructure for SharePoint Server 2013 hybrid environments that require the one-way outbound authentication topology.

This article provides guidance for Phase 1 of the SharePoint hybrid environment deployment process, which integrates SharePoint Server 2013 and SharePoint Online. Only the procedures that support a one-way outbound authentication topology are provided. This article also helps you gather the information that you’ll need during this configuration phase.

Phase 1: Configure a hybrid topology

Figure: Stage 1 of a hybrid deployment that does not use a reverse proxy

Figure: The steps to be completed in this phase

This is the first phase in the process to configure a SharePoint hybrid solution. The procedures in these articles must be completed in the following order:

  1. Configure a hybrid topology (this phase).

  2. Configure identity management for a hybrid topology in SharePoint Server 2013.

  3. Configure a hybrid solution for SharePoint Server 2013.

Note:
You don’t need to configure a reverse proxy device for this hybrid topology.

For an overview of the whole process, see Plan a one-way outbound hybrid topology.

After you complete and validate the procedures in this article, you’ll then proceed to Configure identity management for a hybrid topology in SharePoint Server 2013.

Accessibility note: SharePoint supports the accessibility features of common browsers to help you administer deployments and access sites. For more information, see Accessibility for SharePoint 2013.

If you haven’t done so already, make sure that you’ve read Plan a one-way outbound hybrid topology before you start to configure anything. This is important because the planning article helps you make important decisions and record them on the SharePoint hybrid worksheet (http://go.microsoft.com/fwlink/?LinkId=391836), referred to in the rest of this article as the worksheet.

If you want to deploy a solution that requires only the one-way outbound authentication topology, you're in the right place. Otherwise, go to Install and configure SharePoint Server 2013 hybrid, and select the right article for the authentication topology you need.

Things will go much more smoothly if all of the applicable information is entered in the worksheet (http://go.microsoft.com/fwlink/?LinkId=391836) before you start to configure anything. At a minimum, you need to know the following things to use this article.

Table: Decisions that should already be recorded on the SharePoint hybrid worksheet

  Decision                                    Location on the worksheet
  Administrator accounts                      All the rows in Table 1
  What’s the name of your public domain?      The Public Internet Domain name row of Table 3

Verify that these decisions are entered in the worksheet before you continue.

Important:
We recommend that you thoroughly document your deployment strategy and maintain detailed work logs during the hybrid environment configuration process. A detailed record of every design decision, server configuration, procedure, and output provides a crucial reference for troubleshooting, support, and awareness.

This section tells you how to configure the SharePoint Server 2013 farm for use in a one-way outbound hybrid environment.

Note:
The procedures in this section assume that you have an existing SharePoint Server 2013 farm with at least one web application and site collection that you intend to use for hybrid functionality.

Tip:
For the most reliable outcome, complete the procedures in the order they are shown in this article.

Verify that the following services are started and configured:

  • User Profile Service

  • App Management Service

  • Microsoft SharePoint Foundation Subscription Settings Service

Tip:
You can use the Services on Server page in the SharePoint Central Administration website to see if these services are started.

To verify that a SharePoint service is started
  1. Confirm that the user account that will do this procedure is a member of the Farm Administrators SharePoint group.

  2. In Central Administration, in the Quick Launch, click Application Management.

  3. In the Application Management section, click Manage services on server. Applications that are started show Started in the Status column, as illustrated in the following figure.

    This figure illustrates the status of services in a SharePoint 2013 farm

You need to configure the User Profile Service to synchronize user and group profiles from your on-premises Active Directory domain. When federated users access resources in a hybrid environment, the STS Service makes calls to the User Profile Service to obtain user account metadata, such as the UPN and email property values. This metadata is used by the STS Service to construct security tokens during the authentication process.

Tip:
The UPN domain suffix is listed in the UPN Domain Suffix row of Table 3 of the worksheet.

For information about how to configure user profile synchronization in the User Profile Service, see Synchronize user and group profiles in SharePoint Server 2013 (http://technet.microsoft.com/en-us/library/ee721049(v=office.15).aspx).

For complete information about how to administer the User Profile Service, see Administer the User Profile service in SharePoint Server 2013 (http://technet.microsoft.com/en-us/library/ee721050(v=office.15).aspx).

You have to verify that the App Management and Microsoft SharePoint Foundation Subscription Settings services are started and configured. These services must be enabled to support certain configuration procedures and to support registering SharePoint Online as a high-trust app in SharePoint 2013.

For more information, see the Configure the Subscription Settings and App Management service applications section of Configure an environment for apps for SharePoint (SharePoint 2013).

SharePoint Online presents claims to the on-premises SharePoint farm by using the Simple Mail Transfer Protocol (SMTP). To support this, you need to ensure that the SharePoint user profiles for all federated users are populated with the users’ email addresses by using the correct UPN.

This means that the Work email field in the on-premises SharePoint User Profile Store needs to contain the federated email address. For example, if a federated user logs on to the on-premises domain as adventureworks\karenb, and the public domain for the hybrid environment is adventureworks.com, the federated email address is karenb@adventureworks.com.

For more information, see Adding and Editing User Profile Properties (http://go.microsoft.com/fwlink/?LinkId=392213).
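The following Windows PowerShell script is an added example and is not part of the original article. It walks the on-premises User Profile Store and reports every federated profile whose Work email does not match its UPN, which is the condition described above. It assumes two placeholder values, $siteUrl (a site in the web application you use for hybrid) and $publicDomain (the Public Internet Domain name from Table 3 of the worksheet), and it reads the SPS-UserPrincipalName and WorkEmail profile properties. Run it from the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example, not from the original article: find federated user profiles whose
# Work email does not equal their UPN (for example karenb@adventureworks.com).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl      = "http://sharepoint.adventureworks.local"   # placeholder: any site in the hybrid web application
$publicDomain = "adventureworks.com"                       # placeholder: Public Internet Domain name (Table 3)

$context = Get-SPServiceContext (Get-SPSite $siteUrl)
$upm     = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

$report = foreach ($p in $upm.GetEnumerator()) {
    $account   = $p["AccountName"].Value
    $upn       = $p["SPS-UserPrincipalName"].Value
    $workEmail = $p["WorkEmail"].Value

    # Only accounts whose UPN suffix is the public domain are federated; skip the rest.
    if (-not $upn -or -not $upn.ToLower().EndsWith("@" + $publicDomain.ToLower())) { continue }

    New-Object PSObject -Property @{
        AccountName = $account
        UPN         = $upn
        WorkEmail   = $workEmail
        # Case-insensitive comparison; an empty Work email is always a mismatch.
        Matches     = (($workEmail -ne $null) -and ($workEmail -ieq $upn))
    }
}

$report | Sort-Object Matches, AccountName |
    Format-Table AccountName, UPN, WorkEmail, Matches -AutoSize

$mismatches = @($report | Where-Object { -not $_.Matches })
"$($mismatches.Count) federated profile(s) need their Work email corrected."
```

Run it again after user profile synchronization completes, because the UPN property is only refreshed in the profile store by a sync.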

In a one-way outbound authentication topology, federated users can send requests to SharePoint Online from any web application that’s configured to use Integrated Windows authentication with NTLM.

For example, you have to make sure that the on-premises search center site(s) that you want to use in your solution are configured to use Integrated Windows authentication with NTLM. If they’re not, you have to either reconfigure the web application to use Windows authentication with NTLM or use a search center site on a web application that meets this requirement. You also have to make sure that the users who expect search results to be returned from SharePoint Online are federated users.

To verify that a web application meets the requirement
  1. Confirm that the user account that will do this procedure is a member of the Farm Administrators SharePoint group.

  2. In Central Administration, click Application Management > Manage web applications.

  3. In the Name column, select the web application that you want to verify, and then on the ribbon, click Authentication Providers.

  4. In the Authentication Providers dialog box, in the Zone column, click the zone the search center site is associated with.

  5. In the Edit Authentication dialog box, verify that Integrated Windows authentication and NTLM are selected as shown in the following picture.

    This figure illustrates the authentication type setting for a web application
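As an added example that is not part of the original article, the following Windows PowerShell script checks the same setting for every web application and zone in the farm at once, so you can see which search center web applications already meet the requirement. It reads the object model properties behind the Edit Authentication dialog box (the Windows authentication provider for claims-based web applications, the IIS settings for classic-mode ones). Run it from the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example, not from the original article: report, per web application and zone,
# whether Integrated Windows authentication with NTLM is enabled.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($webApp in Get-SPWebApplication) {
    foreach ($zone in $webApp.IisSettings.Keys) {
        $settings = $webApp.IisSettings[$zone]

        if ($webApp.UseClaimsAuthentication) {
            # Claims-based web applications keep the Windows settings on the Windows provider.
            $windows = $settings.ClaimsAuthenticationProviders |
                Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider] } |
                Select-Object -First 1
            $integrated = ($windows -ne $null) -and [bool]$windows.UseWindowsIntegratedAuthentication
            $ntlm       = ($windows -ne $null) -and [bool]$windows.DisableKerberos   # DisableKerberos = NTLM
        } else {
            # Classic-mode web applications keep them directly on the IIS settings object.
            $integrated = [bool]$settings.UseWindowsIntegratedAuthentication
            $ntlm       = [bool]$settings.DisableKerberos
        }

        New-Object PSObject -Property @{
            WebApplication = $webApp.DisplayName
            Zone           = $zone
            Url            = $webApp.GetResponseUri($zone).AbsoluteUri
            Claims         = $webApp.UseClaimsAuthentication
            IntegratedNTLM = ($integrated -and $ntlm)   # $true = meets the requirement
        }
    }
}

$report | Sort-Object WebApplication, Zone |
    Format-Table WebApplication, Zone, Url, Claims, IntegratedNTLM -AutoSize
```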

You have to create a UPN domain suffix in your on-premises Active Directory domain that matches the public domain—for example, adventureworks.com. Then you have to assign the UPN domain suffix to each user account that you want to federate.

The following procedures show how to do these tasks manually. If you have many users whom you want to federate, we recommend that you put all federated user accounts into an OU and then create a script that will change the UPN domain suffix for each user account in that OU. For supported guidance on DirSync filtering, see Configure filtering for directory synchronization (http://go.microsoft.com/fwlink/?LinkID=392308). For information about how to create a script for this, see How Can I Assign a New UPN to All My Users (http://go.microsoft.com/fwlink/?LinkId=392242).

To create the UPN suffix in your on-premises DNS
  1. On the Active Directory server, open Active Directory Domains and Trusts.

  2. In the left pane, right-click the top-level node, and then click Properties.

  3. In the UPN suffixes dialog box, enter the domain suffix in the Alternative UPN suffixes box that you want for hybrid, and then click Add > OK.


    Record the UPN suffix in the UPN Domain Suffix row of Table 3 of the worksheet.

For more information, see Add user principal name suffixes (http://go.microsoft.com/fwlink/?LinkId=392430).

To manually assign a UPN domain suffix to users
  1. In Active Directory Users and Computers, in the left pane, click the Users node.

  2. In the Name column, right-click the user account that you want to federate, and then click Properties.

  3. In the Properties dialog box, click the Account tab.

  4. Select the UPN domain suffix that you added in the previous procedure from the drop-down list, as shown in the following picture.

    This figure illustrates the UPN Suffix setting

  5. Repeat steps 2 through 4 for each additional user account that you want to federate.

After the UPN domain suffix is added to all the user accounts that you want to federate, you have to run SharePoint user profile synchronization to update the SharePoint User Profile Store with the new account UPNs that were entered in AD DS. For information about how to run profile sync, see Manage user profile synchronization in SharePoint Server 2013.
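The following Windows PowerShell script is an added example and is not part of the original article or the linked scripting guidance. It performs both of the preceding procedures for an OU of federated accounts: it registers the public domain as an alternative UPN suffix on the forest, rewrites each enabled user's UPN to sAMAccountName@publicdomain, and then lists any account in the OU whose UPN still has another suffix. It assumes the ActiveDirectory module is available and that $publicDomain and $federatedOU are replaced with the values from your worksheet; with $whatIf set to $true it only reports the changes it would make.

```powershell
# Added example, not from the original article: assign the public UPN suffix to every
# enabled user in one OU, then verify the result.
Import-Module ActiveDirectory

$publicDomain = "adventureworks.com"                             # placeholder: UPN Domain Suffix (Table 3)
$federatedOU  = "OU=Federated Users,DC=adventureworks,DC=local"  # placeholder: OU holding accounts to federate
$whatIf       = $true   # $true only reports changes; set to $false to apply them

# Step 1: register the suffix on the forest (skipped if it is already present).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $publicDomain) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $publicDomain } -WhatIf:$whatIf
}

# Step 2: rewrite the UPN of each enabled user in the OU to sAMAccountName@publicDomain.
$users = Get-ADUser -SearchBase $federatedOU -Filter 'Enabled -eq $true' -Properties UserPrincipalName
foreach ($user in $users) {
    $newUpn = "{0}@{1}" -f $user.SamAccountName, $publicDomain
    if ($user.UserPrincipalName -ine $newUpn) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf:$whatIf
    }
}

# Step 3: verify. Any account listed here still lacks the public suffix
# (every account is listed when $whatIf is $true, because nothing was changed).
Get-ADUser -SearchBase $federatedOU -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { -not $_.UserPrincipalName -or ($_.UserPrincipalName.Split('@')[-1] -ine $publicDomain) } |
    Select-Object SamAccountName, UserPrincipalName
```

After the script has run with $whatIf set to $false, run SharePoint user profile synchronization as described above so the new UPNs reach the User Profile Store.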

By default, OAuth in SharePoint Server 2013 requires HTTPS. If you configured your primary web application to use HTTP instead of SSL for connections with SharePoint Online, you have to enable OAuth over HTTP on every web server in your SharePoint Server 2013 farm.

Note:
If you configured your primary web application to use SSL, this step is not required, and you can skip ahead to Create and configure a target application for the SSL certificate in SharePoint Online.

To enable OAuth over HTTP, run the following commands as a farm administrator account from the SharePoint 2013 Management Shell command prompt on each web server in your SharePoint Server 2013 farm.

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()

If you have enabled OAuth over HTTP for testing but want to reconfigure your environment to use SSL, you can disable OAuth over HTTP by running the following commands as a farm administrator account from the SharePoint 2013 Management Shell command prompt on each web server in your SharePoint Server 2013 farm.

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $false
$serviceConfig.Update()

Because a one-way outbound authentication topology does not require a reverse proxy device, you can skip Phase 2 and go directly to Phase 3: Configure identity management for a hybrid topology in SharePoint Server 2013 (http://technet.microsoft.com/en-us/library/dn197169(v=office.15).aspx).

© 2014 Microsoft