3. AGENDA
• What is hybrid within Office 365
• Why hybrid
• Different setups
• Analysis of the building blocks
• Different Steps
• See The Results
• Resources
• Q&A
6. OFFICE 365 IS ATTRACTIVE
1. It saves me a lot of €€€€€
2. I always have the latest and greatest collaboration,
email and UC tools
3. Allows me to focus on my core business, not IT
4. Microsoft can run SP more reliably and efficiently than
I can
5. I can easily scale up/down according to demand
6. I can more easily work with customers, partners
outside of my company
7. But …. MY BUSINESS IS ON PREMISE
1. I have existing investments (customized SP deployments w/lots of
data and settings, custom solutions, LOB systems, etc)
2. I can’t do everything in the Cloud that I can do on premise
3. I want to protect my sensitive data by keeping it close
9. WHY HYBRID - MIGRATION
• Early Adopter: Move all data to the cloud ASAP.
• Risk Averse: Get a trial on SPO, Evaluate Risks, Numbers (ROI)
• Typical: Freeze on Premise Site Creation; start with new content
first.
10. WHY HYBRID - MIGRATION
• Same Sign On
• 1 URL to enter SP & SPO
• Use Hybrid Search
• Use Hybrid BCS
11. WHY HYBRID - BUSINESS DRIVEN
• Keep Sensitive Data on Premise -whatever sensitive may mean-
• Capacity Flexibility
• Intranet – Extranet
• Collaboration with External Partners
• Typically defined in your Information structure & governance plan.
• Geo Location
• …
16. FROM THEORY TO IMPLEMENTATION
• Reason of going Hybrid
• Choosing which Setup
• Configuring all Components
• Supporting Authentication
• Securing traffic
17. INGREDIENTS
• An operational on-premises AD DS domain in a single forest
• An on-premises server for AD FS 2.0.
• An on-premises server for the Windows Azure Directory Synchronization tool.
• Windows Azure PowerShell Cmdlets
• Internet Domain & DNS access
• Operation SharePoint 2013 Farm
• An X.509 wildcard or SAN certificate.
• Office 365 Enterprise Subscription with 15.0.0.4420 as the minimum build
number
• A supported on-premises reverse proxy device (only for inbound &
bidirectional communication).
18. ENVIRONMENT
CONFIGURATION
• NON SharePoint Tasks
Reverse Proxy and
Certificate Auth
Identity Provider
MSOL Tools
Dirsync
UAG
ADFS Servers
SharePoint Servers
Office 365
Dirsync and Tools Servers
MSOL Tools
19. Reverse Proxy and Auth
• When using hybrid features Office 365 sends
requests from sites in the cloud to your on-
premise farm
• You need to establish a reverse proxy for these
calls to be channeled through to secure the
process
• Those requests can be authenticated at the
reverse proxy before they are forwarded to
SharePoint
• SharePoint supports using a certificate for
authenticating to the reverse proxy server when
sending a request
UAG
ADFS Servers
SharePoint Servers
Office 365
Dirsync and Tools Servers
20. Reverse Proxy Requirements
• 2 network cards - one connected to the
Internet and the other to the internal
company network
• Route inbound SSL traffic to the on-premises
SharePoint farm without rewriting packet
headers
• Support SSL termination
• UAG, F5, …
UAG
ADFS Servers
SharePoint Servers
Office 365
Dirsync and Tools Servers
21. Identity Provider
• In order to have a single-sign on experience, you need a federated identity
provider like ADFS
• 2 or more load balanced ADFS servers
• An SSL certificate for the ADFS site
• A proxy device, like the ADFS proxy server
• All users must have a UPN of a registered domain (i.e. “.local” or similar
suffixes will not work)
• Service Account: Logon as Batch Job & Logon as a Service
UAG
ADFS Servers
SharePoint Servers
Office 365
Dirsync and Tools Servers
22. MSOL TOOLS
• Microsoft Online Sign In Assistant
• Windows Azure Active Directory PowerShell
Cmdlets (in portal)
• You need to run this on SharePoint Server to
configure trust with ACS
• You need to run this for SSO (usually run on own
server)
UAG
ADFS Servers
SharePoint Servers
Office 365
Dirsync and Tools Servers
23. SSO
• Connect ADFS to Office 365
1. Connect-MSOLService
2. New-MSOLFederatedDomain
3. Update DNS
• OR
1. Add Domain via Office 365 Portal
2. Update DNS
3. Connect-MSOLService
4. Convert-MSOLDomainToFederated
• !!! USE SMARTLINKS !!!
• !!! Run this on your Primary ADFS Server !!!
UAG
ADFS Servers
SharePoint Servers
Office 365
Dirsync and Tools Servers
24. DirSync
• Do Not Run it on an AD – Single Forest (at this time)
• Service accounts: svc_dirsync: Enterprise Admin on AD
• Global Administrator on Office 365
• Install DirSync and let the Wizard Run
• Syncs Users, Groups & Contacts
• !!! It doesn’t give your Users Licenses !!!
UAG
ADFS Servers
SharePoint Servers
Office 365
Dirsync and Tools Servers
26. SharePoint 2013 Config
1. New STS Token Signing Certificate
2. Configuration of a Trust between SP on Premise & ACS
3. Configure Secure Store
4. Configure UPA
5. Try it !
27. STS Token Signing Certificate
• You need to replace the default token signing certificate for the SharePoint
STS because Access Control Service (ACS) will not trust it
• Replace it with
• A certificate issued by a public certificate authority
• A self signed certificate that you create in IIS Manager
• NOT: Domain-issued certificate
• Set-SPSecurityTokenServiceConfig with the ImportSigningCertificate flag.
28. Trust Between SP & ACS
• Now you need to create an OAuth trust for applications to
exchange data between o365 and on-prem
• Using MSOL PowerShell (on prem):
• Create an AppPrincipal using New-MsolServicePrincipalCredential
• Create a proxy to ACS using New-
SPAzureAccessControlServiceApplicationProxy
• Complete the trust using New-SPTrustedSecurityTokenIssuer
29. Configure Secure Store
• The Secure Store Service is used to create an application that stores the
certificate used to authenticate with the UAG HTTPS trunk
• In Office 365 create a new Secure Store Service target application
• Save the Target Application ID name because you will use that configuring a
result source
• In the credentials field configure it as a Certificate Password
• Click the Set button for the Credentials
• Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password
fields blank
30. Configure UPA
• It’s critically important that you:
• Have a UPA up and running
• Have it populated with current data from Active Directory
• We use the UPA on the local farm to determine what rights a user has –
what claims they have, what groups they belong to, etc.
• With a hybrid solution, anything that you grant rights to needs to be in
the profile system
• E.g., if you augment claims on premise and use a custom claims provider to
grant rights to content using those claims, an office 365 user would not see
that data because those custom claims are not added when you login to office
365
31. RECAP Necessary Steps
• Install & Configure all necessary tools
• Replace STS Certificate
• Upload Certificate to Office 365
• Add Hostname of server to SP Principal object of Office 365
• Register SPO S2S Principal Object to On Premise
• Set SP Authentication Realm to Context ID of Office 365 Tenant
• Configure On Premise ACS Proxy and setup Trust with ACS.
32. Create A Result Source
• Create a new result source and:
• Use Remote SharePoint as the Protocol
• If you are on-prem and getting results from Office 365:
• Use the Url of your office 365 for the Remote Service Url
• Use Default Authentication for credentials
• If you are office 365 and getting results from on-prem :
• Use the HTTPS Url of the UAG HTTPS trunk for the Remote Service Url
• Use SSO id for credentials and enter the name of the SSO application definition you
created to store the UAG certificate
36. Create A Query Rule
• This is where you can do a “live” test to see if
everything is working
• Create a new query rule
• Remove the default Condition
• Click on Add Result Block
• Select your result source
• Click on the Test tab and then
• Click the “Show more” link
• Type some query terms in the “{subjectTerms}:” edit box
• Click the “Test query” button
• If you have configured everything correctly – Voila! – you will see
search results from the remote farm
39. TroubleshootTips
• If you aren’t getting data back between the two
environments here are some things that you can do to
narrow down the issue:
• In your on prem farm turn up the ULS logging
• Go into Central Admin, Monitoring, Configure diagnostic logging; expand
SharePoint Foundation and select:
• App Auth
• Application Authentication
• Authentication Authorization
• Claims Authentication
• Change the “least critical” dropdowns to Verbose and save changes
• Monitor the ULS logs each time you execute a query
40. Troubleshoot Tips (cont.)
• Use Fiddler as a reverse proxy on your SharePoint
server; this requires
• Installing Fiddler on the SharePoint server
• Write a Fiddler script rule as described in Option #2 here:
http://www.fiddler2.com/Fiddler/help/reverseproxy.asp
• Look at the TextView of the Response. Here’s an example of an
error that you can see in there:
41. Troubleshooting Tips (cont.)
• Be aware of latency in queries across the cloud and on-
premises
• When a query is executed, ALL results must come back before the result
is shown to the user
• Latencies can run 1200 to 1500 milliseconds
• Because of this you may want to put some thought into when you want
to fire a query at a remote source
• If you duplicate every single query you could introduce significant load on a farm
• Where you want results back ASAP then you wouldn’t want remote queries to fire
• You can also create a dedicated page that only queries the remote source
• In short – you can mix and match with query rules to decide what works best