
Plan a one-way outbound hybrid topology

SharePoint 2013

Applies to: SharePoint Server 2013, SharePoint Online

Topic Last Modified: 2014-06-19

Summary: Plan and prepare to deploy a one-way outbound SharePoint Server 2013 hybrid environment.

Applies only to one-way outbound configurations

This article is designed to help you plan and prepare to deploy a one-way outbound SharePoint Server 2013 hybrid environment. We give you the information you need to know, such as prerequisites and a worksheet to collect necessary information before you begin the configuration process.

Before using this topic, you should read Overview of hybrid SharePoint 2013 for technical decision makers.

This topic helps you to do the following:

  • Understand the prerequisites and requirements of a one-way outbound hybrid topology

  • Plan your web application configuration

  • Plan SSL certificates

  • Plan your identity management strategy

  • Record key decisions and information

Warning:
To configure a hybrid SharePoint environment, you need a combination of expert skills and significant hands-on experience with several products, including SharePoint Server 2013, SharePoint Online, and related products and technologies. If this skill and expertise is not available in-house, we recommend that you engage Microsoft Consulting Services to provide technical guidance and support during the design and deployment of your hybrid environment.

A one-way outbound hybrid authentication topology enables hybrid service integration in one direction only. In this topology, your on-premises SharePoint Server 2013 farm can consume content and resources from your Office 365 tenant. For example, search can be configured to allow federated users to see both local and remote search results in a SharePoint Server 2013 search portal, but only local results will be available in the SharePoint Online search portal.

Important:
A one-way outbound hybrid topology can be used only for outbound search solutions.
A one-way outbound topology does not support hybrid solutions for Business Connectivity Services (BCS), SAP with Duet Enterprise Online, or bidirectional Search.

Note:
If you are still unsure what environment is right for your needs, see the poster What hybrid topology should I use?.

A one-way outbound SharePoint Server 2013 hybrid solution requires the following three phases to deploy:

Figure: hybrid deployment with no reverse proxy

  • Phase 1: Configure a hybrid topology.

  • Phase 2: Not applicable to this topology.

  • Phase 3: Configure the hybrid identity management infrastructure.

  • Phase 4: Configure a hybrid solution.

    Note:
    A one-way outbound hybrid topology can be used only for outbound search solutions.

For a glossary of terms specific to hybrid SharePoint Server 2013 environments, see Glossary for hybrid SharePoint 2013.

This section lists, by phase, the prerequisites that you must have in place before you are ready to deploy a one-way outbound SharePoint hybrid environment.

Phase 1: Configure a hybrid topology

  • An operational on-premises AD DS domain in a forest that is running at the Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 forest functional level

  • An Internet domain (such as https://adventureworks.com) and the permission to create or edit DNS records for that domain

  • An Office 365 for enterprises subscription provisioned with SharePoint Online with one of the following subscription plans: E1 (supports outbound search solutions only), E3, or E4

  • An operational on-premises SharePoint Server 2013 Enterprise Edition farm

Note:
For more information about the supported plans, see the Plans & pricing page on the Office 365 site.
For more information about the SharePoint Online features supported for different Office 365 plans, see SharePoint Online feature availability across Office 365 plans.

Phase 2: Not applicable to this topology

  • This phase does not apply to a one-way outbound topology.

Phase 3: Configure the hybrid identity management infrastructure

  • An on-premises server for Active Directory Federation Services (AD FS) 2.0 (minimum version). This is required only if you deploy SSO with AD FS.

  • An on-premises server for the Azure Active Directory Synchronization Tool (DirSync).

  • An SSL certificate to replace the default Security Token Service (STS) certificate (either self-signed or issued by a public or enterprise certification authority).

Worksheet. During the planning process, you have to collect information and files. It is important to use the hybrid deployment worksheet to track planning and deployment information for reference and to share with other members of your deployment team. We can’t stress enough the importance of using this worksheet to organize your information before you begin the configuration process.

Create a build log. As in any complex implementation project, a detailed record of every design decision, server configuration, procedure, command output, and error is an extremely important reference for troubleshooting, support, and awareness. We highly recommend that you thoroughly document your deployment process.

Warning:
For security reasons, store the worksheet and the build log in a security-enhanced place, such as a secured file share or SharePoint document library, and grant permissions only to administrators who are involved in the deployment process and must know this information.

This section helps you plan how to configure your SharePoint Server 2013 web application to support hybrid functionality.

Outbound requests to SharePoint Online can be made from any web application in the on-premises SharePoint farm that uses Integrated Windows authentication using NTLM, as shown in the following image.

Figure: claims authentication types for SharePoint hybrid

If your existing web application is not configured to use Integrated Windows authentication using NTLM, you must either create a web application or extend your existing web application and configure it to use Integrated Windows authentication using NTLM.

If you have to create a new web application to configure for hybrid functionality, you have two choices:

  • Extend an existing web application to connect to an existing content database. This creates a new website in Internet Information Services (IIS) with a unique URL and authentication configuration. The extended web application can be used to access the same site collections and content as the original web application by using the new URL.

    This is the best choice if you want users to go to an enterprise search portal in an existing site collection to use hybrid search.

  • Create a new web application and a new content database. This creates a new web application that has a new, empty content database in which you can create a new site collection with an enterprise search portal.

    This is the best choice if you want users to go to an enterprise search portal in a new site collection to use hybrid search.

In a one-way outbound hybrid topology, the on-premises SharePoint Server 2013 farm requests content and resources from the SharePoint Online tenant. Unlike the one-way inbound and two-way topologies, SharePoint Online does not have to access the SharePoint Server 2013 farm in a one-way outbound topology.

Integrated Windows authentication using NTLM is required to allow the SharePoint Authentication service to pass user claims to SharePoint Online using OAuth.

For more information about how to create a claims-based web application, see Create claims-based web applications in SharePoint 2013.

For more information about how to extend a web application, see Extend claims-based web applications in SharePoint 2013.

For more information about site collections, see Overview of sites and site collections in SharePoint 2013.
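The following script is an added example for this planning step; it is not part of the article or of SharePoint's own tooling. Run in the SharePoint 2013 Management Shell on a farm server, it reports whether the Default zone of a web application already uses Integrated Windows authentication with NTLM, so you know whether you can reuse it or must extend it or create a new one. The web application URL is a placeholder.

```powershell
# Added example, not from the article: check whether the Default zone of an
# on-premises web application uses Integrated Windows authentication with NTLM,
# which outbound requests to SharePoint Online require.
# Assumption: $WebAppUrl is a placeholder; replace it with your web application URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = 'https://intranet.contoso-placeholder.local'   # placeholder URL

$providers = Get-SPAuthenticationProvider -WebApplication $WebAppUrl -Zone Default

# The Windows provider exposes UseWindowsIntegratedAuthentication and DisableKerberos.
# DisableKerberos = $true means the zone uses NTLM rather than Kerberos (Negotiate).
$windows = $providers |
    Where-Object { $_.PSObject.Properties['UseWindowsIntegratedAuthentication'] }

if ($windows -and $windows.UseWindowsIntegratedAuthentication -and $windows.DisableKerberos) {
    "OK: the Default zone of $WebAppUrl uses Integrated Windows authentication (NTLM)."
    "It can host the enterprise search portal for outbound hybrid search."
}
elseif ($windows -and $windows.UseWindowsIntegratedAuthentication) {
    "Integrated Windows authentication is enabled, but Kerberos is selected."
    "NTLM is required; extend this web application with an NTLM zone or create a new one."
}
else {
    "No Integrated Windows authentication on this zone."
    "Extend this web application or create a new web application configured for NTLM."
}
```

Other zones of the same web application can be checked by changing the -Zone argument (Intranet, Internet, Custom, Extranet).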

All hybrid SharePoint Server topologies require you to replace the default STS certificate.

The Security Token Service (STS) of the on-premises SharePoint farm requires a default certificate to validate incoming tokens. In a SharePoint hybrid environment, Azure AD acts as a trusted token signing service for SharePoint Server and uses the STS certificate as the signing certificate. But Azure AD can’t use the default STS certificate from SharePoint Server as a signing certificate.

Therefore, you must replace the default STS certificate on each server in the on-premises SharePoint farm with one of the following:

  • A certificate issued by a public certification authority (CA) that’s trusted by Azure AD

  • A self-signed certificate

Best practice: Always use a certificate from a CA in a production environment. Self-signed certificates should be used only for test and pilot environments.

You’ll replace the default STS certificate later when you configure the identity management infrastructure.

Important:
  • This certificate must be at least 2048 bits.

  • You’ll have to replace the STS certificate on each web and application server in the SharePoint Server 2013 farm.

  • Certificates typically expire at one-year intervals. So, it’s important to plan in advance for certificate renewals to avoid service interruptions.

If you choose to use a self-signed certificate, it will be created during the deployment configuration. The steps for creating a self-signed certificate are included in Configure identity management for a hybrid topology in SharePoint Server 2013.

Create your STS certificate before you begin the configuration process.


Record the following information in Table 4a of the worksheet:

  • STS Certificate Friendly Name

  • STS Certificate path\file name (*.pfx)

  • STS Certificate Password

  • STS Certificate path\file name (*.cer)

  • STS Certificate Subject

  • STS Certificate End Date
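The following script is an added example to support this checklist; it is not part of the article. Run on each web and application server in the farm, it locates the replacement STS certificate in the machine store, checks it against the requirements stated above (RSA key of at least 2048 bits, a private key present, renewal planned ahead of expiry), and prints the fields that Table 4a of the worksheet asks for. The certificate subject and the renewal warning threshold are placeholders.

```powershell
# Added example, not from the article: validate a candidate STS certificate on this
# farm server and emit the worksheet Table 4a fields.
# Assumptions: $StsSubject is a placeholder subject; $RenewalWarningDays is a
# constructed planning threshold; the certificate uses an RSA key.
$StsSubject         = 'CN=sts.contoso-placeholder.local'   # placeholder subject
$RenewalWarningDays = 90                                    # constructed threshold

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $StsSubject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate with subject '$StsSubject' in LocalMachine\My on $env:COMPUTERNAME."
    return
}

# Key size: the article requires at least 2048 bits.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) {
    Write-Warning "Key size is $keySize bits; the STS certificate must be at least 2048 bits."
}

# Private key: the worksheet records a .pfx, so the key is expected on every farm server.
if (-not $cert.HasPrivateKey) {
    Write-Warning "No private key is associated with this certificate on $env:COMPUTERNAME."
}

# Renewal: certificates typically expire yearly, so flag upcoming expiry early.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -le $RenewalWarningDays) {
    Write-Warning "Certificate expires in $daysLeft days ($($cert.NotAfter)); plan the renewal on every server."
}

# Worksheet Table 4a fields (the .pfx/.cer paths and the password are recorded by hand).
[PSCustomObject]@{
    Server                          = $env:COMPUTERNAME
    'STS Certificate Friendly Name' = $cert.FriendlyName
    'STS Certificate Subject'       = $cert.Subject
    'STS Certificate End Date'      = $cert.NotAfter
    Thumbprint                      = $cert.Thumbprint
    'Key Size (bits)'               = $keySize
}
```

Run it on every web and application server, since the certificate must be replaced on each one; the Thumbprint column makes it easy to confirm that all servers carry the same certificate.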

You can choose between two identity management strategies: Password Sync in the Azure Active Directory Synchronization Tool (DirSync) and single sign-on (SSO).

The Azure Active Directory Synchronization Tool (DirSync) is required to sync your on-premises users to the Office 365 user directory. If you don’t want to implement SSO, you can configure the Password Sync feature in DirSync to synchronize passwords instead. Be aware that Password Sync isn’t a single sign-on solution. Users are prompted for their credentials again when they access SharePoint Online. For additional information about Password Sync in the Azure Active Directory Synchronization Tool, see Implement Password Synchronization (http://go.microsoft.com/fwlink/?LinkId=392303).

Single sign-on (SSO) using Active Directory Federation Services (AD FS) 2.0 lets users who have an Active Directory domain account use their domain usernames and passwords to access sites on-premises and in Office 365 without being prompted for credentials when they access a SharePoint Online resource. After a user is authenticated, Active Directory Federation Services (AD FS) 2.0 provides an authentication token when a federated user accesses a relying-party trust service, such as the corporate Office 365 tenant.

Important:
AD FS 2.0 and later versions are supported by Office 365.

Important:
You must configure either SSO or Password Sync.

If you’re not completely sure whether to use Password Sync or SSO, review the following diagram.

Figure: process to configure identity management for SharePoint hybrid

Password Sync with DirSync compared with SSO with AD FS

Passwords

  • Password Sync with DirSync: DirSync synchronizes user accounts and password hashes to Azure AD (password hashes can’t be reversed to produce a plaintext password).

  • SSO with AD FS: AD FS intercepts authentication requests and provides the user’s credentials from Active Directory.

Prompts

  • Password Sync with DirSync: No token exchanges are involved, although users can log on to Office 365 with their Active Directory credentials. Users may be prompted when they access services and resources in Office 365. Prompts for credentials can be decreased by selecting the ‘Keep me signed in’ check box when users log on.

  • SSO with AD FS: Tokens issued to clients by AD FS can be shared with services such as Azure AD to allow single sign-on from anywhere. Users do not have to enter their credentials again when they use services and resources in a relying-party trust service.

Security

  • Password Sync with DirSync: Although passwords are synchronized more often than other user data, the user may remain logged on in a session with an old password. There may be some lag between password change and sync.

  • SSO with AD FS: Passwords are stored in Active Directory.


Record your choice of identity management in the Identity Management Type row in Table 2 of the worksheet:

  • SSO using ADFS

  • DirSync with Password Sync

A SharePoint hybrid environment setup requires several user accounts in both your on-premises Active Directory and the Office 365 directory (a Windows Azure Active Directory that is surfaced in the Office 365 directory). These accounts have different permissions and group or role memberships. Some of the accounts are used to deploy and configure software, and some are needed to test specific functionality to help guarantee that security and authentication systems are working as expected.

  • Go to Accounts needed for hybrid configuration and testing for a complete explanation of the required user accounts that includes notes about roles and identity providers.

  • Record the required account information in the worksheet as instructed.

  • Return to this planning article after you complete this step.

At this point, you should have completed filling out the required worksheet for your one-way outbound hybrid topology and be ready to start the configuration process. Your next step is to follow the instructions in Configure a one-way outbound hybrid topology.

© 2014 Microsoft