
SharePoint 2013: ADFS and Custom People Picker

In part with:

By

Tim Tait

Pat Manning

John Wannemacher

Report Submitted

In Partial Fulfillment of the Requirements for

The Degree of Bachelor of Science

In Information Technology

At the University of Cincinnati

College of Education, Criminal Justice, and Human Services

© Copyright 2014 Tim Tait Pat Manning John Wannemacher

Students: Tim Tait, Pat Manning, John Wannemacher Date

Advisor(s): Mark Stockman Date Great American Project Lead: Cherie Shroyer-Matchan Date

Page | i   

Acknowledgements

We would like to thank everyone who assisted in making this project possible. Without them this project would not have been possible. All contributions led to the successful completion of this project.

Special thanks go out to Jason Gerst for his assistance with the CECH Sandbox Environment and troubleshooting all issues we encountered.

Special thanks go out to Chris Toelke, who provided a vast amount of technical knowledge during the development of our project. Without his help we would not have been able to get through some of the issues we encountered.

Finally, we would like to formally thank Great American Insurance Group for providing us the opportunity to work on this project and for providing resources we could utilize during the process. Special thanks go to Justin Runevitch, Cherie Shroyer-Matchan, and Kinu Patel for their assistance during the project.


Abstract

This project provided Great American Insurance with a consultative study for implementing SharePoint 2013. Great American Insurance has 27 different business units in its Property and Casualty division. These business units do not always centralize their IT services within GA, in order to keep their independence from the corporation. This business strategy is not uncommon, but administration and support of services becomes more difficult. This study provides recommendations around best practices for SharePoint 2013, a project plan/work breakdown structure, and a live demo Proof of Concept. Our PoC and recommendation explain the benefits of ADFS and the integration with MS Office. A unified user experience, easier server-side and site administration, and more functionality in their SharePoint environment were results of this study.

Table of Contents

Acknowledgements ........................................................................................................................................ i

Abstract ......................................................................................................................................................... ii

Introduction ................................................................................................................................................... 1

Problem Statement .................................................................................................................................... 1

Description of the Solution ....................................................................................................................... 2

Design Protocols ........................................................................................................................................... 3

Deliverables ................................................................................................................................................ 13

Project Planning .......................................................................................................................................... 14

Budget ..................................................................................................................................................... 14

Timeline .................................................................................................................................................. 15

Deliverables for Great American Insurance ............................................................................................ 16

Software Used ......................................................................................................................................... 19

Hardware Specifications ......................................................................................................................... 19

Proof of Design ........................................................................................................................................... 20

Testing ........................................................................................................................................................ 21

Conclusion .................................................................................................................................................. 26

List of Figures ............................................................................................................................................. 28

References ................................................................................................................................................... 29

Introduction

Problem Statement

Great American Insurance was in need of an overhaul to their SharePoint environment. The goal was to upgrade the current 2010 infrastructure to the newest 2013 SharePoint platform. As a result of this upgrade, Great American wanted to implement new features of SharePoint to streamline the business. A unified and friendly login experience was needed across their 27 business units, which are spread over a number of domains. A single login URL was also requested to unify the login experience. The change was needed because the number of login sites was causing issues, which this project remediated. Overall, users will be provided a consistent and cohesive experience no matter where they are within the company.

Great American also wanted the ability to add new businesses and remove old ones more efficiently. Their previous setup was not ideal at provisioning resources; this was solved by deploying Active Directory Federation Services (ADFS). ADFS gives the business single sign-on access to systems and applications located across the entire organization. Under their previous architecture, Great American was leveraging both CA Technologies SiteMinder® and Active Directory. To meet all the business requirements, ADFS must be provisioned in the recommended SharePoint environment. Another problem addressed while setting up ADFS within the SharePoint environment was the inability to search users, groups, and claims when a site owner needs to assign permissions in SharePoint 2013. By implementing and configuring a custom People Picker we were able to provide Great American with the ability to search users, groups, and claims. Some custom code was written for this function to operate the way Great American needed. The ability to incorporate SAML with People Picker was a must, as well as having the code return the preferred attributes, so that everyone will have a positive and similar user experience.

Description of the Solution

Our solution to Great American's issues was to provide them with three pieces of information that they could reference to assist in the implementation of their SharePoint 2013 environment. GA asked that we provide the following: an easy-to-follow project plan giving a step-by-step view of the teams involved and their role in the implementation; a recommendation document covering best practices and approach, along with some reasoning behind our decisions; and a working demonstration showcasing the features and coding requested. The plan detailed the advantages and disadvantages of the best practices and our recommendations, as well as the other implementation options. Our overall plan was to provide documentation for Great American to ease the implementation of SharePoint 2013 and the features they desired. We also wanted our documentation to be adoptable by other companies for the same purpose. The demo provides a visual reference that companies can use to verify their outcome is successful.

Design Protocols

The design protocols shown below showcase backend and frontend architecture, use cases, authentication protocols, and before-and-after shots of the features we implemented and modified during our project. This section can be used by companies to learn about the SharePoint architecture, as well as a reference to ensure the implementation was a success.

Use Case Diagram

Figure 1: Use Case Diagram (SharePoint 2013, Great American Insurance Group). Labels recovered from the figure, in the order they appear: Firewalls, Active Directory Federated Service, SQL Service, SQL Databases, Server Hardware, Server OS, Server Features/Roles, BACKEND, SharePoint Central Admin, People Picker, Active Directory, Corporate Identity Management, Web Page Code, FRONTEND, Web Pages, Security Enablement, Database Administration, Hosting, Data Center Operations, Networking, Enterprise Storage/Backup, Infrastructure Architect, SharePoint Administration, SharePoint Developers, Load Balancers (VIP), Corporate Users.

SharePoint Architecture

Figure 2: Three Tier SharePoint Architecture

Network Architecture

Figure 3: Corporate Network Architecture

ADFS

Figure 4: ADFS Authentication Protocol. The numbered steps in the figure, exchanged between the user, SharePoint, AD FS and AD DS, are:

1. User requests a web page.
2. SharePoint sends a redirect and the user loads a login page from the AD FS server.
3. User sends user credentials and requests a SAML security token.
4. AD FS validates the user credentials with AD DS (the authentication provider).
5. AD FS sends a SAML security token.
6. User sends a new web page request containing the SAML security token.
7. SharePoint creates a SharePoint security token, sends the FedAuth cookie, and the requested web page.
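The seven-step flow in Figure 4, walked through as an added PowerShell simulation (this is not code from the report or from Microsoft; it models the exchange so the relying-party checks are visible). The "SAML token" is a simplified stand-in: an HMAC-signed string instead of a signed SAML 1.1 XML assertion, with the shared key standing in for the AD FS token-signing certificate that SharePoint trusts. The relying party identifier urn:sp:portal and the sso host name come from the testing table; the AD FS endpoint path, the user account, password and e-mail address are constructed for the demo.

```powershell
# Added example (not from the report): simulates the seven-step ADFS passive sign-in flow
# from Figure 4 and the checks SharePoint (the relying party) must make before it issues its
# own FedAuth cookie. The token format, key, account and host paths are all constructed.

$script:SigningKey   = [Text.Encoding]::UTF8.GetBytes('demo-token-signing-key-not-a-real-secret')
$script:RelyingParty = 'urn:sp:portal'                    # relying party identifier from test case 18
$script:AdfsLoginUrl = 'https://sso.contoso.com/adfs/ls/' # "sso" DNS name from test case 13; path assumed
$script:Directory    = @{ 'CONTOSO\jdoe' = @{ Password = 'P@ssw0rd!'; Mail = 'jdoe@contoso.com' } }  # AD DS stand-in

function Get-TokenSignature([string]$Data) {
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$script:SigningKey)
    return [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Data)))
}

function Get-UnixTime([datetime]$When) {
    return [int64]($When.ToUniversalTime() - [datetime]'1970-01-01').TotalSeconds
}

# Steps 1-2: an unauthenticated request makes SharePoint redirect the browser to AD FS (WS-Federation sign-in).
function Invoke-SharePointRedirect([string]$RequestedUrl) {
    $ctx = [uri]::EscapeDataString($RequestedUrl)
    return "$($script:AdfsLoginUrl)?wa=wsignin1.0&wtrealm=$($script:RelyingParty)&wctx=$ctx"
}

# Steps 3-5: AD FS checks the credentials against AD DS, then issues a signed token carrying
# the e-mail claim (the LDAP claim rule from test case 19) for the requested realm only.
function New-AdfsToken([string]$User, [string]$Password, [string]$Audience) {
    $entry = $script:Directory[$User]
    if (-not $entry -or $entry.Password -ne $Password) { throw 'AD DS rejected the credentials' }
    $exp     = Get-UnixTime ([datetime]::UtcNow.AddMinutes(10))
    $payload = "aud=$Audience;email=$($entry.Mail);exp=$exp"
    return "$payload;sig=$(Get-TokenSignature $payload)"
}

# Step 7, validation half: SharePoint accepts a token only when the signature verifies, the audience
# is this relying party, and the token has not expired. Returns the claims, or $null to refuse sign-in.
function Test-AdfsToken([string]$Token) {
    if (-not ($Token -match '^(?<payload>.*);sig=(?<sig>[^;]+)$')) { return $null }
    $payload  = $Matches['payload']
    $expected = [Text.Encoding]::UTF8.GetBytes((Get-TokenSignature $payload))
    $given    = [Text.Encoding]::UTF8.GetBytes($Matches['sig'])
    if ($expected.Length -ne $given.Length) { return $null }
    $diff = 0                                   # constant-time compare: no early exit on the first mismatch
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $given[$i]) }
    if ($diff -ne 0) { return $null }
    $claims = @{}
    foreach ($pair in $payload -split ';') { $name, $value = $pair -split '=', 2; $claims[$name] = $value }
    if ($claims['aud'] -ne $script:RelyingParty) { return $null }                          # minted for another relying party
    if ([int64]$claims['exp'] -lt (Get-UnixTime ([datetime]::UtcNow))) { return $null }   # expired
    return $claims
}

# Steps 6-7, issuance half: validated claims become a SharePoint session, represented by the FedAuth cookie.
function Invoke-SharePointSignIn([string]$Token) {
    $claims = Test-AdfsToken $Token
    if (-not $claims) { return @{ Status = 401; FedAuth = $null; Identity = $null } }
    $cookie = [Convert]::ToBase64String([guid]::NewGuid().ToByteArray())   # opaque session value
    return @{ Status = 200; FedAuth = $cookie; Identity = $claims['email'] }
}

# Walk the flow end to end, then show two tokens SharePoint must refuse.
$redirect = Invoke-SharePointRedirect 'https://portal.contoso.com/sites/it'      # steps 1-2
Write-Output "Step 2 redirect: $redirect"
$token  = New-AdfsToken 'CONTOSO\jdoe' 'P@ssw0rd!' $script:RelyingParty           # steps 3-5
$result = Invoke-SharePointSignIn $token                                          # steps 6-7
Write-Output ("Step 7: HTTP {0}, identity {1}, FedAuth issued: {2}" -f $result.Status, $result.Identity, [bool]$result.FedAuth)

$tampered = $token -replace 'jdoe@contoso.com', 'admin@contoso.com'              # edited claim: signature no longer matches
Write-Output "Tampered token accepted: $([bool](Invoke-SharePointSignIn $tampered).FedAuth)"
$other = New-AdfsToken 'CONTOSO\jdoe' 'P@ssw0rd!' 'urn:sp:mysite'                 # valid signature, wrong audience
Write-Output "Wrong-audience token accepted: $([bool](Invoke-SharePointSignIn $other).FedAuth)"
```

The two refusals at the end are the point of step 7: a token whose claims were altered after issuance and a token legitimately issued for a different relying party both carry no FedAuth cookie, which is why the SharePoint-side trust is configured with the AD FS signing certificate and a realm that matches the relying party identifier.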

   

Definition of SAML Sequence

Figure 5: SAML Definition

Before

Figure 6: LDAPCP Configuration Link - Before

After

Figure 7: LDAPCP Configuration Link - After

Before

Figure 8: People Picker - Before

After

Figure 9: People Picker - After

Before

Figure 10: LDAPCP Command - Before

After

Figure 11: LDAPCP Command - After

User Profiles

There will be a small group of users that will need expertise regarding setting up a full SharePoint environment for the enterprise. Great American's SharePoint environment will have two major user groups: internal and external users. The internal users include both business and IT users, and the external users include only agents. The technical experience needed to use SharePoint is very basic. Business users and agents will need to be able to navigate files, browse the Internet, and need only limited Microsoft Office experience to work in the SharePoint environment. Advanced SharePoint settings are available to the users under the designer and page settings, if they choose to take advantage of them.

SharePoint Administrators and Service users from the Package Administration team will need to know both how the users use SharePoint and how to navigate the Central Administration panel for administration tasks. Administrators will also need strong troubleshooting skills to support both user issues and system errors that could negatively impact the system. SharePoint Developers from the Enterprise Portal team not only need to know how to use SharePoint's advanced user interface but also need an in-depth knowledge of all areas of SharePoint. A developer will not only need the ability to modify the configuration for the look and feel of the interface but will also have the ability to add, modify, and delete additional functionality. Modification will allow users to view or manipulate external data from within the SharePoint environment.

Security Enablement takes care of all things related to authorization and authentication at the corporate level. In the SharePoint environment, they have the ability to enable and disable firewalls and control corporate account authentication. SharePoint Administrators will have to request modifications to infrastructure outside of the SharePoint environment required for stable operation. Authorization to a SharePoint site is not determined by the security team but by the site's owner(s), who are typically advanced business users. Groups through Active Directory can be leveraged within SharePoint to avoid granular user administration.

The Application Database Administration team will have the ability to set up the Microsoft SQL environment for SharePoint servers based on company policies. This ensures a smoothly running SQL environment and proper configuration of SQL backups according to corporate policies. Windows Hosting Administrators will configure the Windows OS environments based on the recommended requirements needed to perform day-to-day actions. Data Center Operations personnel will install the physical hardware in the data center based on company policies. The Network Services Team will enable the server to access the network according to configurations developed by the Infrastructure Architect. The environment will be constructed based on recommendations from the architect following company policies. Load balancing will be enabled for the respective web applications so that the servers are utilized to their fullest potential and can be easily scaled out for expansion. The Enterprise Backup and Storage team will configure storage and backup locations during the initial phases of the project. Location and access will be based on company policies and standards.

Deliverables

1) Recommended Best Approach and Reasoning

Requirements: Explanation of all implementation options and the advantages and disadvantages of each.

2) Project Plan

Requirements: Step-by-step plan for implementation of SharePoint and ADFS.

A step-by-step Gantt chart created in Microsoft Project reflecting the amount of time it would take to build out 3 environments (development, quality assurance, and production).

3) Demo

Requirements: Provide a unified experience for all users by providing one URL to all customers/employees, using a user's corporate username and password, and one login method. Have the ability to use the people picker without having to reference the address book provided by the custom claim provider.

A corporate-wide unified experience is made possible by implementing a single authentication domain with ADFS as the authentication method. A fully functional SharePoint environment with the LDAPCP claim provider code package provides the required people picker experience.

Project Planning

Budget

Great American Insurance was estimating the installation to be between 250k and 300k for both hardware and software. Labor and additional expenses were estimated to be an additional 250k, bringing the total to around 500k. This budget would have SharePoint 2013 fully operational with all customizations by April 2014. The proposed budget for our involvement in the project was of non-monetary value. The project was solely research based, to provide Great American with the information they needed to get their environment to 2013. Our research focused on recommendations, planning, and demonstrating that our proposed solution was the best route for meeting the requirements. None of the tasks or deliverables Great American asked for cost us or the company any money, other than what they had already planned for.

As for our group's own budget, there were no costs involved. Our deliverables were written in Office software that we all already owned and that most companies already purchase. The demonstration of the prototype environment is hosted on the CECH vCloud Sandbox. We applied for a grant and were awarded $750 of service on Amazon Web Services. The web service was planned to be utilized if the CECH vCloud Sandbox environment did not meet our needs, which it did. No money was spent on hardware or software since we were able to utilize amenities offered by the university and evaluation licensing.

Timeline

This project will consist of the following timeline, which will run the entire academic year, and will be presented to Great American Insurance by March 31st, 2014 and at Tech Expo on April 15th, 2014. The recommendation document was finished on February 15, 2014. The demo environment was completed on March 22, 2014. The project plan was finished March 29, 2014.

Anyone planning to replicate the implementation of this project should refer to our project plan/work breakdown structure. This document shows the appropriate time it should take to implement this design for those not familiar with end-to-end construction of a complete SharePoint farm and all of the appropriate features, plus ADFS and LDAPCP.

 

Deliverables for Great American Insurance

Chart 1: Project Tasks - SharePoint

Chart 2: Gantt Chart (Dev Iteration) - SharePoint

Software Used

Four different software suites were used when completing our Senior Design project. Microsoft SharePoint 2013 Enterprise is a content management system (CMS) running on Internet Information Services and SQL Server. SharePoint 2013 Enterprise has more features than its lower-tiered counterparts. Microsoft SQL Server 2012 was used in the backend for data storage. For Active Directory and Active Directory Federation Services, we utilized Windows Server 2012. In order to incorporate user lookup against Active Directory, LDAPCP was configured to resolve data entered into our people picker to meet one of our deliverables for GA.

Hardware Specifications

For hardware purposes, we utilized the CECH VMware vCloud Director for the environment. The Web Front End and Application server each used a 4 core processor and 8GB of memory. The ADFS and Domain Controller servers had a 2 core processor and 4GB of memory. The last system in the environment was the SQL server. It used a 4 core processor and 12GB of memory.

Proof of Design

Our recommendation document goes through each topic we think is important for making Great American's SharePoint implementation a success. We first recommend that Great American implement an on-premise 3-tiered SharePoint architecture with ADFS as the authentication method. Backup and recovery will be mostly taken care of by company policy at the OS level, but the SQL Server instance will be utilizing the AlwaysOn feature for replication. For upgrading from SharePoint 2010 we recommend using the database detach/attach method for the appropriate SharePoint databases. Search functionality is important, and our recommendation is to start with the initial app server as the search server and, when ready, to build another SharePoint application server and move all search functions to that dedicated server. Office Web Application Companion has to be on a dedicated server per the prerequisites of the application. This service should be built as a farm implementation so that horizontal scalability can happen. Other SQL recommendations and utilizing the SP installer for quick SharePoint installs make implementation faster and easier. The project plan document shows, in a work breakdown structure and Gantt chart, how much time it should take Great American to build out this implementation for development, certification (quality assurance), and production and be up and running live for users. Our demo environment is running on the CECH sandbox, which is a VMware vCloud Director environment hosted by the CECH IT department. Our VMs were hosted in a private vApp on a private vApp network. The operating system for all of the VMs is Windows Server 2012. SharePoint 2013 Enterprise Edition is the version of SharePoint that has the capabilities needed by Great American. SQL Server Enterprise Edition was also used because of the required features that are not available in SQL Server Standard Edition.

Testing

Roles for Functional Requirements: Server System Administration Role; Site Administrator User Role.

Functional Requirements

1. The environment will use DNS.
   1.a. DNS Services.
   1.b. Client configuration.
   1.c. Host configuration.
   1.d. DNS entries.
2. The environment will be using ADFS "SSO" as the authentication method.
   2.a. ADFS services.
   2.b. DNS entry for ADFS.
   2.c. SPN entry.
   2.d. ADFS relying party configuration.
   2.e. ADFS claims configuration.
3. The environment will utilize SharePoint.
   3.a. IIS services.
   3.b. Web application.
   3.c. Web application extended.
4. The environment will incorporate a Custom People Picker (LDAPCP) to return preferred attributes.
   4.a. Add WSP file.
   4.b. Deploy WSP file.
   4.c. Configure mappings.
   4.d. Configure LDAPCP.
5. The environment will utilize the "Search" feature within SharePoint.
   5.a. Create service.
   5.b. Enter "Search Term."
6. The environment will utilize Microsoft Office services.
   6.a. Create service.
   6.b. Upload document.
   6.c. Open document.

Test case records. Fields: Req No, Test Case No, Role, Input, Expected Output, Actual Output, Pass/Fail, Reason for Failure/Success.

Test 1 (Req 1a). Role: Server System Admin.
  Input: net start dns
  Expected: DNS services enabled.
  Actual: DNS enabled.
  Result: Pass. Command completed successfully.

Test 2 (Req 1b). Role: Server System Admin.
  Input: interface ip set dns "Local Area Connection" static x.x.x.x
  Expected: Static DNS enabled.
  Actual: Static DNS enabled.
  Result: Pass. Client DNS configured correctly.

Test 3 (Req 1c). Role: Server System Admin.
  Input: interface ip set dns "Local Area Connection" static 127.0.0.1
  Expected: Static DNS enabled.
  Actual: Static DNS enabled.
  Result: Pass. Host DNS configured correctly.

Test 4 (Req 1d). Role: Server System Admin.
  Input: (none recorded)
  Expected: DNS forwarding enabled. Able to access Internet.
  Actual: (none recorded)
  Result: Fail. Command not run. DNS forwarding not enabled.

Test 5 (Req 1d). Role: Server System Admin.
  Input: dnscmd spdc01 /ZoneAdd CONTOSO.com /Forwarder 8.8.8.8 /TimeOut 5
  Expected: DNS forwarding enabled. Able to access Internet.
  Actual: DNS forwarding enabled. Able to access Internet.
  Result: Pass. Command completed successfully.

Test 6 (Req 1e). Role: Server System Admin.
  Input: dnscmd spdc01 /RecordAdd CONTOSO.com portal A 192.168.2.106
  Expected: DNS entry added.
  Actual: DNS entry added.
  Result: Pass. Command completed successfully.

Test 7 (Req 1e). Role: Server System Admin.
  Input: dnscmd spdc01 /RecordAdd CONTOSO.com logon A 192.168.2.100
  Expected: DNS entry added.
  Actual: DNS entry added.
  Result: Pass. Command completed successfully.

Test 8 (Req 1e). Role: Server System Admin.
  Input: dnscmd spdc01 /RecordAdd CONTOSO.com mysite A 192.168.2.106
  Expected: DNS entry added.
  Actual: DNS entry added.
  Result: Pass. Command completed successfully.

Test 9 (Req 1e). Role: Server System Admin.
  Input: dnscmd spdc01 /RecordAdd CONTOSO.com mysite-default A 192.168.2.106
  Expected: DNS entry added.
  Actual: DNS entry added.
  Result: Pass. Command completed successfully.

Test 10 (Req 1e). Role: Server System Admin.
  Input: dnscmd spdc01 /RecordAdd CONTOSO.com portal-default A 192.168.2.106
  Expected: DNS entry added.
  Actual: DNS entry added.
  Result: Pass. Command completed successfully.

Test 11 (Req 1e). Role: Server System Admin.
  Input: dnscmd spdc01 /RecordAdd CONTOSO.com spsql01 A 192.168.2.103
  Expected: DNS entry added.
  Actual: DNS entry added.
  Result: Pass. Command completed successfully.

Test 12 (Req 1e). Role: Server System Admin.
  Input: dnscmd spdc01 /RecordAdd CONTOSO.com sqlalias A 192.168.2.107
  Expected: DNS entry added.
  Actual: DNS entry added.
  Result: Pass. Command completed successfully.

Test 13 (Req 1e). Role: Server System Admin.
  Input: dnscmd spdc01 /RecordAdd CONTOSO.com sso A 192.168.2.100
  Expected: DNS entry added.
  Actual: DNS entry added.
  Result: Pass. Command completed successfully.

Test 14 (Req 2a). Role: Server System Admin.
  Input: net start adfssrv
  Expected: ADFS service is enabled.
  Actual: ADFS service is enabled.
  Result: Pass. Command completed successfully.

Test 15 (Req 2b). Role: Server System Admin.
  Input: dnscmd spdc01 /RecordAdd CONTOSO.com sso A 192.168.2.100
  Expected: DNS entry added.
  Actual: DNS entry added.
  Result: Pass. Command completed successfully.

Test 16 (Req 2c). Role: Server System Admin.
  Input: setspn -s host/spadfs.contoso.com spadfs
  Expected: SPN entry added.
  Actual: SPN entry added.
  Result: Fail. Wrong host entry in command.

Test 17 (Req 2c). Role: Server System Admin.
  Input: setspn -s host/sso.contoso.com spadfs
  Expected: SPN entry added.
  Actual: SPN entry added.
  Result: Pass. Command completed successfully. Entered correct host name.

Test 18 (Req 2d). Role: Server System Admin.
  Input: Add relying party trust (config wizard). Parameters: Display Name <Name>; Relying Party Passive URL <https://xxx.com>; Relying Party Trust Identifier <urn:sp:portal>.
  Expected: Config wizard starts and ends.
  Actual: Config wizard completed.
  Result: Pass. Configuration successful.

Test 19 (Req 2e). Role: Server System Admin.
  Input: Add transform claim rule wizard. Parameters: Claim Rule Template <Send LDAP attributes as claims>; Claim Rule Name <Contoso AD>; Attribute Store <Active Directory>; LDAP Attribute <E-Mail-Addresses>; Outgoing Claim Type <E-Mail Address>.
  Expected: Config wizard starts and ends.
  Actual: Config wizard completed.
  Result: Pass. Configuration successful.

Test 20 (Req 3a). Role: Server System Admin.
  Input: net start w3svc
  Expected: IIS service started.
  Actual: IIS enabled.
  Result: Pass. Command completed successfully.

Test 21 (Req 3b). Role: Server System Admin.
  Input: New-SPWebApplication -Name $siteName -Port $port -HostHeader $hostHeader -URL $url -ApplicationPool $appPoolName -ApplicationPoolAccount (Get-SPManagedAccount "$managedAccount") -DatabaseName $dbName -DatabaseServer $dbServer -AllowAnonymousAccess:$allowAnonymous -AuthenticationMethod $authenticationMethod -SecureSocketsLayer:$ssl
  Expected: Web application created.
  Actual: Web application created.
  Result: Pass. Command entered/ran successfully.

Test 22 (Req 3c). Role: Server System Admin.
  Input: Get-SPWebApplication -Identity http://sitename | New-SPWebApplicationExtension -Name <Name> -HostHeader <HostHeader> -Zone <Zone> -URL <URL> -Port <Port> -AuthenticationProvider $ap
  Expected: Web application extended.
  Actual: Web extension created.
  Result: Pass. Command entered/ran successfully.

Test 23 (Req 4a). Role: Server System Admin.
  Input: Add-SPSolution -LiteralPath C:\LDAPCP.wsp
  Expected: WSP file has been added to farm.
  Actual: WSP added successfully.
  Result: Pass. Command entered/ran successfully.

Test 24 (Req 4b). Role: Server System Admin.
  Input: Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment
  Expected: Solution installed successfully.
  Actual: Solution deployed globally successfully.
  Result: Pass. Command entered/ran successfully.

Test 25 (Req 4c). Role: Server System Admin.
  Input: Click new item.
  Expected: Add new item page loaded successfully.
  Actual: Item page loaded successfully.
  Result: Pass. LDAPCP installed correctly via GUI.

Test 26 (Req 4c). Role: Server System Admin.
  Input: Select "Query user input on this LDAP attribute and create permission with specified claim type" radio button. Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress; Type of Permission Metadata: eMail; LDAP Attribute Name: eMail Attribute; LDAP Object Class: USER.
  Expected: eMail claim created successfully.
  Actual: Success.
  Result: Fail. LDAP object class entered incorrectly.

Test 27 (Req 4c). Role: Server System Admin.
  Input: Select "Query user input on this LDAP attribute and create permission with specified claim type" radio button. Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress; Type of Permission Metadata: eMail; LDAP Attribute Name: eMail Attribute; LDAP Object Class: AFGUSERACCOUNT.
  Expected: eMail claim created successfully.
  Actual: Success.
  Result: Pass. LDAP object class entered correctly.

Test 28 (Req 4d). Role: Server System Admin.
  Input: Select "Manually specify LDAP connection" radio button. LDAP Connection String: LDAP://gadc01/DC=ga,DC=com; User Name: GA\ups; Password: pa$$w0rd. Select "Always use a specific LDAP attribute" radio button. LDAP attribute to use for the display text: Name.
  Expected: Central Admin Main Page.
  Actual: Return to Central Admin Main Page. No error notifications.
  Result: Pass. Entered parameters correctly.

Test 29 (Req 5a). Role: Server System Admin.
  Input: Leave all dropdowns default. Service Application Name: Search Service Service App; Application Pool for Search Admin Web Service: Search Service App Pool; Application Pool for Search Query Web Service: Search Query App Pool.
  Expected: Service application created successfully notification.
  Actual: Notification received.
  Result: Pass. Entered parameters correctly.

Test 30 (Req 5b). Role: Server System Admin / Site Admin User.
  Input: Enter search term "Information Technology."
  Expected: Word document displays in results.
  Actual: Document found.
  Result: Pass. Search functional. Set up correctly.

Test 31 (Req 6a). Role: Server System Admin.
  Input: Leave all dropdowns default. Service Application Name: Word Service App; Application Pool Name: Word Service App Pool; Check: "Add to Default Proxy List".
  Expected: Continue install to next screen.
  Actual: Next screen loaded.
  Result: Pass. Entered parameters correctly.

Test 32 (Req 6a). Role: Server System Admin.
  Input: Database Name: Word_wordservice_db; Click: Finish.
  Expected: Service application created successfully notification.
  Actual: Notification received.
  Result: Pass. Entered parameters correctly.

Test 33 (Req 6b). Role: Server System Admin / Site Admin User.
  Input: Click "Add New Document." Browse for Document. Click "OK". Click "Save".
  Expected: Document uploaded successfully notification.
  Actual: Notification received.
  Result: Pass. Document uploaded correctly.

Test 34 (Req 6c). Role: Server System Admin / Site Admin User.
  Input: Click on Document to Open.
  Expected: Document opens in Web Application instead of client program.
  Actual: Opened successfully in Web app.
  Result: Pass. Document in library. Can be accessed.

Chart 3: Testing Documentation
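The configuration behind functional requirements 2 and 4, consolidated into one PowerShell script as an added example (this is not the report's own code and not a script from the project). It joins the AD FS relying party trust and claim rule (test cases 18 and 19), the SharePoint trusted identity token issuer that requirement 2 needs on the SharePoint side although no test case records it, a claims-enabled web application (test case 21) and the LDAPCP deployment (test cases 23 and 24). The host names portal.contoso.com and sso.contoso.com, the certificate path, account and database names, and the AD FS endpoint path are assumed values; the relying party identifier urn:sp:portal and the e-mail claim type are taken from the testing table.

```powershell
# Added example (not from the report): AD FS and SharePoint configuration for requirements 2 and 4.
# Host names, paths and account names are assumed. Run the AD FS part on the AD FS server (ADFS 2.x
# snap-in) and the SharePoint part in the SharePoint 2013 Management Shell.

# ---------- AD FS side: relying party trust and claim rule (test cases 18 and 19) ----------
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpIdentifier = 'urn:sp:portal'                       # Relying Party Trust Identifier from test case 18
$rpEndpoint   = 'https://portal.contoso.com/_trust/'  # SharePoint's WS-Federation endpoint (assumed host)

# Issue only the e-mail claim SharePoint uses as its identifier; nothing else leaves AD FS.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Contoso AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@
# Authorization rule: permit every authenticated user to receive a token for this relying party.
$authorizationRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-ADFSRelyingPartyTrust -Name 'SharePoint Portal' -Identifier $rpIdentifier -WSFedEndpoint $rpEndpoint `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authorizationRules
# SharePoint 2013 does not decrypt tokens, so the trust must issue signed but unencrypted tokens.
Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier -EncryptClaims $false

# ---------- SharePoint side: trust the AD FS token-signing certificate and map the claim ----------
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Exported public key of the AD FS token-signing certificate (assumed path). SharePoint checks every
# incoming token's signature against it, so it is the anchor that makes the flow in Figure 4 trustworthy.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\adfs-token-signing.cer')
New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $cert

$emailClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'   # claim type from test case 26
$mapping = New-SPClaimTypeMapping -IncomingClaimType $emailClaim -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming

# The realm must equal the relying party identifier configured in AD FS, otherwise AD FS tokens are refused.
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Contoso ADFS' -Description 'AD FS SSO' `
    -Realm $rpIdentifier -ImportTrustCertificate $cert -ClaimsMappings $mapping `
    -SignInUrl 'https://sso.contoso.com/adfs/ls/' -IdentifierClaim $emailClaim   # "sso" host from test case 13

# ---------- Web application using the trusted provider (the $ap that test cases 21 and 22 reference) ----------
$ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
New-SPWebApplication -Name 'Portal' -Port 443 -HostHeader 'portal.contoso.com' -URL 'https://portal.contoso.com' `
    -ApplicationPool 'PortalAppPool' -ApplicationPoolAccount (Get-SPManagedAccount 'CONTOSO\spapppool') `
    -DatabaseName 'WSS_Content_Portal' -DatabaseServer 'sqlalias' -AuthenticationProvider $ap -SecureSocketsLayer

# ---------- LDAPCP claims provider for the People Picker (test cases 23 and 24) ----------
Add-SPSolution -LiteralPath 'C:\LDAPCP.wsp'
Install-SPSolution -Identity 'LDAPCP.wsp' -GACDeployment
```

The order matters: the trusted root authority and token issuer must exist before the web application is created with $ap, and the LDAPCP solution is deployed afterwards so that its configuration page in Central Administration (test cases 25 to 28) can bind to the trusted issuer's e-mail claim.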

Conclusion

At the end of the day, our project for Great American Insurance was a success. Our accomplishment was not easy, though. Many problems occurred over the past two semesters, and some were major setbacks. We gained first-hand experience doing a project for a company. Great American initially wanted us to do a SharePoint 2010 to SharePoint 2013 migration project. After the first semester, they no longer needed our support. We had to redefine our scope and assist them on another project they wanted completed.

The sandbox was used heavily in this project. We encountered many errors, one even causing the environment to crash. Jason Gerst was always available to assist us and help troubleshoot the errors, getting us up and running again.

Another difficulty we had to overcome was the complexity of ADFS. None of us had prior knowledge in this area. It is not a simple Single Sign On option, and it does take quite a bit of time to configure for someone inexperienced, as we were. Chris Toelke provided us with valuable information that enabled us to progress with the project.

Skills acquired for this project fell in many different areas. SharePoint, SQL, ADFS, and Custom Claims were all pieces of the final product we delivered to Great American Insurance. We all learned a great amount in each area. We also learned how projects in the real world work, and that if setbacks arise, you have to manage through them.

Great American Insurance asked us for a total of three deliverables. First, a Recommended Best Approach and Reasoning document covering SharePoint 2013 architecture and ADFS. Second, a project plan describing a step-by-step plan for SharePoint and ADFS implementation. And finally, a working demo environment showing a unified user experience, the ability to add/remove domains/users easily, and presenting the power of Custom Claims based authentication.

   

List of Figures

Figure 1: Use Case Diagram ........................................................ 3

Figure 2: Three Tier SharePoint Architecture ..................................... 4

Figure 3: Corporate Network Architecture ......................................... 5

Figure 4: ADFS Authentication Protocol ........................................... 6

Figure 5: SAML Definition ........................................................ 7

Figure 6: LDAPCP Configuration Link - Before ..................................... 8

Figure 7: LDAPCP Configuration Link - After ...................................... 8

Figure 8: People Picker - Before ................................................. 9

Figure 9: People Picker - After .................................................. 9

Figure 10: LDAPCP Command - Before .............................................. 10

Figure 11: LDAPCP Command - After ............................................... 10

Chart 1: Project Tasks - SharePoint Testing Table ............................... 17

Chart 2: Gantt Chart - SharePoint ............................................... 17

Chart 3: Testing Documentation .................................................. 21

Page | 29   

References

Jason. "SharePoint 2013 How to Install and Configure ADFS 2.0." Sharepointobservations.wordpress.com. WordPress, 19 Aug. 2013. Web. 25 Aug. 2013. <http://sharepointobservations.wordpress.com/2013/08/19/sharepoint-2013-how-to-install-and-configure-adfs-2-0/>.

Microsoft. "Active Directory Federation Services." Technet.microsoft.com. Microsoft, n.d. Web. 20 Nov. 2013. <http://msdn.microsoft.com/en-us/library/bb897402.aspx>.

Microsoft. "AD FS 2.0 Step-by-Step and How To Guides." Technet.microsoft.com. Microsoft, 09 June 2010. Web. 20 Nov. 2013. <http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx>.

Microsoft. "Administer the User Profile Service in SharePoint Server 2013." Technet.microsoft.com. Microsoft, 11 Oct. 2012. Web. 27 Oct. 2013. <http://technet.microsoft.com/en-us/library/ee721050.aspx>.

Microsoft. "Technical Diagrams for SharePoint 2013." Technet.microsoft.com. Microsoft, 19 Nov. 2013. Web. 20 Nov. 2013. <http://technet.microsoft.com/en-us/library/cc263199.aspx>.

Microsoft. "Windows Server 2012 AD FS Deployment Guide." Technet.microsoft.com. Microsoft, 02 Feb. 2012. Web. Autumn 2013. <http://technet.microsoft.com/en-us/library/dd807092.aspx>.

Pirooz, Shahin. "ADFS Exposed: The Reality About This Not-So-Simple Single Sign-On." Tmcnet.com. Technology Marketing Corporation, 09 Jan. 2013. Web. 20 Nov. 2013. <http://it.tmcnet.com/topics/it/articles/2013/01/09/322118-adfs-exposed-reality-this-not-so-simple-single.htm>.

Rouse, Margaret, and Colin Steele. "Active Directory Federation Services (AD Federation Services)." Searchconsumerization.techtarget.com. TechTarget, July 2013. Web. 1 Nov. 2013. <http://searchconsumerization.techtarget.com/definition/Active-Directory-Federation-Services-AD-Federation-Services>.

Vochten, Thomas. "SharePoint 2013 with ADFS." Slideshare.com. SlideShare Inc, 12 Nov. 2013. Web. 20 Nov. 2013. <http://www.slideshare.net/thomasvochten/spsuk2013-adfs-sp2013>.

Yvand. "LDAP/AD Claims Provider For SharePoint 2013." Ldapcp.codeplex.com. Microsoft, 22 Oct. 2013. Web. 01 Nov. 2013. <http://ldapcp.codeplex.com/>.

 

 

              

SharePoint 2013 Best Practices: Recommendation Documentation

By: Tim Tait, Pat Manning, John Wannemacher

SharePoint 2013 is a very large product, and in order for it to run efficiently and effectively we have pieced together, from various sources, the best solution for Great American Insurance Group. We will cover the recommended best practices for the following: platform, architecture, service account(s), authentication method, backup/recovery methods (at the various levels), search architecture, Office Web Application Companion architecture, SQL settings, and various SharePoint solutions and open source software that ease administration and installation.

Before any hardware and software can be installed, a plan needs to be composed for where the hardware and software will be installed. For Great American, the priority is protecting customer data and abiding by the many policies, procedures, audits and laws they are bound to. This is very important and has to be taken into consideration before thinking about utilizing bleeding-edge technology. As for SharePoint platforms, Great American has a few different options, as displayed in Figure 1. The options are Office 365, an On-Premise/Cloud Hybrid, IaaS Cloud (Azure), and On-Premise. To fully protect customer data, GA has dismissed any third-party option, because the company would not have full control of its data. Using the Windows Azure platform is being considered for the near future, as the transition from any virtual solution to Azure can be fairly simple: the process consists of uploading the virtual machines to the cloud and attaching them as an identical copy. This leaves GA with options for a cloud solution that can integrate other products they are interested in as well.

 

Figure 1 (Microsoft SharePoint 2013 Platform Options, 2012)

 

Since GA will be staying on premise, they will have to decide what type of architecture will work best for their SharePoint 2013 environment. According to TechNet, "A three-tier topology provides the most efficient physical and logical layout to support scaling out or scaling up, and it provides better distribution of services across the member servers of the farm" ("SharePoint 2013 across", 2012). This architecture will also create a familiar administration solution for the company. Since they also want a unified user experience across all user domains of the company, a separate SharePoint resource domain will be the best way to provide this experience. All users will then access the web applications using the same URL and authentication method. We recommend using Active Directory Federation Services (ADFS), since it has no per-user license cost and is included with every Windows Server license. Ping Federate is used heavily at Great American and can be integrated with SharePoint too, but it will require more configuration than ADFS if the company moves to a cloud solution.

   

Figure 2 (Three-tier farm configuration, 2012)

To make the single URL/unified experience possible, there must be a single authentication method established. This means that the user will not have to make a choice or remember a different URL depending on where they are (internal or external) when trying to access SharePoint resources. Currently Ping Federate from Ping Identity® is being utilized for most corporate applications. For SharePoint and other Microsoft products such as Lync and Exchange, a move to ADFS is recommended. Ping Federate was tested for SharePoint, but more configuration was required initially. Using ADFS, on the other hand, will ease setup and administration. The problem that arises for Great American is that CA SiteMinder® is used to protect the service bus, and ADFS does not receive a SiteMinder® token because its authentication provider is Active Directory. Ping Federate®'s authentication provider, by contrast, is Enterprise Directory (Sun One Directory), which does provide a SiteMinder® token. This does not mean that it is impossible to use ADFS and obtain a SiteMinder® token later, but it will require a little more work.

In the best case, the service bus should move away from CA SiteMinder® and be made a claims-aware application. This way the company can save money and avoid cornering itself by relying only on proprietary access software. Any SAML claims user could then access the service bus without being tied to a single authentication source. This allows Great American to be ultimately flexible when absorbing smaller companies who do not want to merge IT infrastructure fully: the smaller companies can access resources by authenticating through any SAML federation they choose, whether it be ADFS, Ping Federate, Google or Microsoft, as long as their claims come from an issuer the service bus has been configured to trust. This, however, is out of scope for this project, but it is tied to the overall success of the company's goals.

Realistically, for the scope of this project Great American will have to choose between more configuration now with Ping, with SiteMinder® tokens generated automatically, or less configuration now with ADFS and figuring out a way to generate a SiteMinder® token. We recommend that Great American choose ADFS to ultimately reduce cost and aim toward moving away from SiteMinder®.

   

   

 


To have the smoothest upgrade from 2010 to 2013, Great American is planning on using the "Attach-Detach" (database-attach) method. We also recommend this method, for a few reasons. First, the 2010 databases do not need to go offline: they can be set to read-only for assurance, so users can still access content until the 2013 site is brought online. Second, depending on the timeline set for the upgrade of sites, each content database can be brought over separately or all together, for maximum flexibility. Third, some of the service application databases can also be upgraded. These include Business Data Connectivity, Managed Metadata, PerformancePoint, Secure Store, Search (Admin_db only), and User Profile (Profile, Social, and Sync db). Some cons of this method are that any farm-wide settings and customizations will have to be manually transferred and the search indexes will have to be rebuilt. For the complete instructions on this methodology visit http://technet.microsoft.com/en-us/library/cc263026.aspx.
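The database-attach sequence above, written out as an added PowerShell example run from the SharePoint 2013 Management Shell. This is not a script from the project; the database name WSS_Content_Portal, the SQL server SQL01.example.com and the web application URL are assumed for illustration. The step a practitioner should not skip is the Test-SPContentDatabase dry run: it reports missing features, web parts and orphans before anything is attached, and the script refuses to mount while any result is flagged UpgradeBlocking.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical names: the 2010 content database, restored onto the 2013 farm's SQL server,
# and the 2013 web application it will be attached to.
$db  = "WSS_Content_Portal"
$sql = "SQL01.example.com"
$wa  = "https://portal.example.com"

# Step 1 happens on the 2010 SQL instance, not here, so users keep read access during the copy:
#   ALTER DATABASE [WSS_Content_Portal] SET READ_ONLY WITH NO_WAIT;
# then back it up and restore the copy as $db on $sql.

# Step 2: dry run. Nothing is attached; each result carries Category, Error, UpgradeBlocking,
# Message and Remedy, so blocking problems can be fixed before the real mount.
$issues = Test-SPContentDatabase -Name $db -DatabaseServer $sql -WebApplication $wa
$issues | Format-Table Category, Error, UpgradeBlocking, Message -AutoSize
$blocking = @($issues | Where-Object { $_.UpgradeBlocking })
if ($blocking.Count -gt 0) {
    $blocking | Format-List Category, Message, Remedy
    throw "Resolve $($blocking.Count) blocking issue(s) before mounting $db"
}

# Step 3: attach. The database schema is upgraded during the mount; the site collections
# inside it stay in 2010 compatibility mode until step 4.
Mount-SPContentDatabase -Name $db -DatabaseServer $sql -WebApplication $wa

# Step 4: run the site-collection health check, then the deferred 2013 UI upgrade.
Get-SPSite -ContentDatabase $db -Limit All | ForEach-Object {
    Test-SPSite -Identity $_
    Upgrade-SPSite -Identity $_ -VersionUpgrade
}
```

Run it once per content database; the farm-wide settings and search index rebuild mentioned above are still manual steps outside this script.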

      

Figure 3 (The sequence of upgrade stages, 2012)

Search enables users to find information more quickly and lets them find significant information a lot more easily. We recommend that Great American implement a single search companion server in each SharePoint farm. Search in SharePoint 2013 can be scaled and implemented in various ways, so that it is flexible enough to suit all types and sizes of companies. Our recommendation is based on Great American's search frequency and amount of searchable data. Currently Great American holds about 3,000 internet-searchable items, and the intranet sites hold about a half-million items. This recommendation saves money and scales the search service appropriately for the number of items per environment. Microsoft's smallest recommendation from the "Enterprise Search Architectures for SharePoint Server 2013" diagram scales to about 10 million items (Enterprise Search, 2012). Condensing the separated VMs onto one server should handle Great American's needs until millions of items need to be searchable. Figure 5 shows how the modified search service companion server should be set up in each environment, with the SQL databases included (the search SQL databases live on the same SharePoint SQL servers).

 

Note: Other foundation SharePoint environment servers are not included in the picture (WFE, APP, and WAC).

Figure 5 – Modified Search Service Companion for Great American

The Office Web Application Companion or "WAC" enables users of SharePoint to view and/or edit documents in a web browser without having to install a local copy of Microsoft Office. "A single Office Web Apps Server farm can support users who access Office files through SharePoint 2013, Lync Server 2013, Exchange Server 2013, shared folders, and websites" (Office Web Apps, 2012). In SharePoint 2013 this service has been rebuilt and is now separated from the rest of the SharePoint services. This means that it can no longer share a server with SharePoint. It must be installed on its own server, separate from any SharePoint server, but it will serve all of the SharePoint servers and even Lync and Exchange (when configured correctly). Figure 6 shows how Office Web Apps worked in the past and how it works in 2013. We recommend that Great American implement a WAC farm as they build their SharePoint 2013 farm. This provides the simplest setup and plenty of room for expansion. We recommend having at least 2 WAC servers for load balancing across all SharePoint environments. Great American may want to consider 3 servers when traffic becomes heavier and performance lag is noticeable.
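The two-server WAC farm recommended above, plus the SharePoint-side binding, as an added PowerShell example that is not part of the original document. The farm URL wac.example.com, the certificate friendly name and the machine name wac01.example.com are assumptions. The farm is created HTTPS-only (no -AllowHttp on the farm and no -AllowHTTP on the binding), because the WOPI server fetches document content from SharePoint with an access token in the request; the last check confirms SharePoint will only use the HTTPS zone. Editing in the browser (-EditingEnabled) also requires an Office license covering the users.

```powershell
# ---- On the first Office Web Apps server (its own server, never a SharePoint server) ----
Import-Module OfficeWebApps
# Assumed: a certificate with friendly name "wac.example.com" is already installed in the machine store.
New-OfficeWebAppsFarm -InternalUrl "https://wac.example.com" -ExternalUrl "https://wac.example.com" `
    -CertificateName "wac.example.com" -EditingEnabled

# ---- On the second (and any later) Office Web Apps server: join the farm behind the load balancer ----
Import-Module OfficeWebApps
New-OfficeWebAppsMachine -MachineToJoin "wac01.example.com"
# Every member should report HealthStatus = Healthy before SharePoint is pointed at the farm.
Get-OfficeWebAppsMachine | Format-Table MachineName, HealthStatus -AutoSize

# ---- On a SharePoint 2013 server: bind to the farm over HTTPS and confirm the zone ----
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# Reads https://wac.example.com/hosting/discovery and registers one binding per file type and action.
New-SPWOPIBinding -ServerName "wac.example.com"
Set-SPWOPIZone -Zone "external-https"
$zone = Get-SPWOPIZone
if ($zone -ne "external-https") {
    throw "WOPI zone is '$zone'; SharePoint would hand documents to Office Web Apps over a non-HTTPS URL"
}
```

A third server joins the farm with the same New-OfficeWebAppsMachine call when the load warrants it.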

 

 

Figure 6 – Office Web Apps then and now

Here is a list of a few last additional suggested tools, techniques, and settings from developers and experts in the field.

1) A presentation from Dog Food Conference 2013 by Veenus Maximiuk called SharePoint & SQL Server Working Together Efficiently. This presentation talked about streamlining SQL Server and its resources so that SharePoint and SQL will work more efficiently. This information can be located at http://www.slideshare.net/vmaximiuk/share-point-sql-server-working-together-efficiently or http://spvee.wordpress.com/2013/12/13/dogfood-conference-2013-optimize-sql-server-for-sharepoint/.

2) Code for a claims provider developed by Yvan Duhamel. This code fixes the typical behavior of the people picker under SAML authentication, where any value typed in is accepted without being checked against the directory, by querying the directory so that the picker returns filtered results of real users. This code can save time, and because it uses LDAP (Lightweight Directory Access Protocol) calls it can be used against any LDAP directory store, not just Active Directory. More information can be found at http://www.ldapcp.codeplex.com/. Also, Kirk Evans from Microsoft explains thoroughly on MSDN how to write and deploy your own claims provider if you wish to write your own. This article can be found at http://blogs.msdn.com/b/kaevans/archive/2013/05/26/fixing-people-picker-for-saml-claims-users-using-ldap.aspx.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


 

Works Cited

Enterprise Search Architectures for SharePoint Server 2013. Visio Drawing. Technical diagrams for SharePoint 2013. Microsoft TechNet, 16 July 2012. Web. 29 December 2013.

"Install SharePoint 2013 across Multiple Servers for a Three-tier Farm." Microsoft TechNet. Microsoft, 16 July 2012. Web. 19 December 2013.

Microsoft SharePoint 2013 Platform Options. Visio Drawing. Technical diagrams for SharePoint 2013. Microsoft TechNet, 16 July 2012. Web. 12 December 2013.

"Office Web Apps Server Overview." Microsoft TechNet. Microsoft, 16 July 2012. Web. 09 Jan. 2014.

Office Web Apps then and now. Digital Image. Office Web Apps Server overview. Microsoft TechNet, 16 July 2012. Web. 29 December 2013.

The sequence of upgrade stages. Digital Image. Overview of the upgrade process to SharePoint 2013. Microsoft TechNet, 16 July 2012. Web. 29 December 2013.

Three-tier farm configuration. Digital Image. Install SharePoint 2013 across multiple servers for a three-tier farm. Microsoft TechNet, 16 July 2012. Web. 12 December 2013.

 

Project Plan: SharePoint 2013 and ADFS implementation (task list from the Gantt chart; the Cert and Prod phases are shown collapsed, so their sub-task IDs are hidden)

ID  | Task Name                                        | Duration | Start        | Finish       | Resource Names
----|--------------------------------------------------|----------|--------------|--------------|---------------------------------------------------
1   | Plan SP + other domains                          | 8 days   | Mon 12/30/13 | Wed 1/8/14   |
2   |   SharePoint Design                              | 3 days   | Mon 12/30/13 | Wed 1/1/14   |
3   |     Physical Architecture                        | 1 day    | Mon 12/30/13 | Mon 12/30/13 | Package Admins, Hosting, Infrastructure Architecture
4   |     Network Architecture                         | 1 day    | Mon 12/30/13 | Mon 12/30/13 | Package Admins, Networking, Infrastructure Architecture
5   |     SharePoint Licensing                         | 1 day    | Tue 12/31/13 | Tue 12/31/13 | Package Admins, Asset Management
6   |     Service Account Design                       | 1 day    | Tue 12/31/13 | Tue 12/31/13 | Package Admins
7   |     Web App Architecture (scheme, URLs)          | 1 day    | Wed 1/1/14   | Wed 1/1/14   | Package Admins
8   |     DB Architecture                              | 1 day    | Wed 1/1/14   | Wed 1/1/14   | Package Admins, SQL DBAs
9   |   Forest Design                                  | 3 days   | Thu 1/2/14   | Mon 1/6/14   |
10  |     Resource Domain Design                       | 1 day    | Thu 1/2/14   | Thu 1/2/14   | Domain Admins
11  |     User Domain Design                           | 1 day    | Thu 1/2/14   | Thu 1/2/14   | Domain Admins
12  |     DNS Design                                   | 1 day    | Fri 1/3/14   | Fri 1/3/14   | Networking
13  |     Organizational Unit Design                   | 1 day    | Fri 1/3/14   | Fri 1/3/14   | Domain Admins
14  |     Plan Trusts                                  | 1 day    | Mon 1/6/14   | Mon 1/6/14   | Domain Admins, Security
15  |     Plan Users                                   | 1 day    | Mon 1/6/14   | Mon 1/6/14   | Domain Admins, Security
16  |     Plan MSFT Licensing                          | 1 day    | Mon 1/6/14   | Mon 1/6/14   | Asset Management
17  |   ADFS Design                                    | 2 days   | Tue 1/7/14   | Wed 1/8/14   |
18  |     Plan ADFS Certificates                       | 1 day    | Tue 1/7/14   | Tue 1/7/14   | Security, Domain Admins
19  |     Plan ADFS Login URLs                         | 1 day    | Tue 1/7/14   | Tue 1/7/14   | Domain Admins, Security
20  |     Plan/Choose Claims                           | 1 day    | Wed 1/8/14   | Wed 1/8/14   | Domain Admins, Security, Package Admins
21  | New Server Installation - (Dev)                  | 3 days   | Thu 1/9/14   | Mon 1/13/14  |
22  |   Create VMs                                     | 1 day    | Thu 1/9/14   | Thu 1/9/14   | Hosting
23  |   Install OS (Windows 2012)                      | 1 day    | Thu 1/9/14   | Thu 1/9/14   | Hosting
24  |   Configure OS to Baseline                       | 1 day    | Thu 1/9/14   | Thu 1/9/14   | Domain Admins
25  |   Configure Security/Firewall                    | 1 day    | Fri 1/10/14  | Fri 1/10/14  | Domain Admins, Security
26  |   Install Roles (DC, ADFS, DNS, SQL)             | 1 day    | Fri 1/10/14  | Fri 1/10/14  | Domain Admins
27  |   Create AD Accounts (Service, Import Users)     | 1 day    | Fri 1/10/14  | Fri 1/10/14  | Domain Admins
28  |   Configure DNS                                  | 1 day    | Mon 1/13/14  | Mon 1/13/14  | Networking, Security
29  |   Configure SQL                                  | 1 day    | Mon 1/13/14  | Mon 1/13/14  | SQL DBAs
30  | Configure ADFS - (Dev)                           | 1 day    | Mon 1/13/14  | Mon 1/13/14  |
31  |   New Claims Provider (user domain)              | 1 day    | Mon 1/13/14  | Mon 1/13/14  | Domain Admins, Security
32  |   New Relying Party (SharePoint)                 | 1 day    | Mon 1/13/14  | Mon 1/13/14  | Domain Admins, Security
33  | SharePoint - (Dev)                               | 4 days   | Tue 1/14/14  | Fri 1/17/14  |
34  |   Install SharePoint                             | 1 day    | Tue 1/14/14  | Tue 1/14/14  | Package Admins
35  |   Install WAC                                    | 1 day    | Tue 1/14/14  | Tue 1/14/14  | Package Admins
36  |   SharePoint Initial Configuration               | 1 day    | Tue 1/14/14  | Wed 1/15/14  | Package Admins
37  |   SharePoint Config (Dev)                        | 4 days   | Tue 1/14/14  | Fri 1/17/14  |
38  |     Install SP Services                          | 2 days   | Tue 1/14/14  | Wed 1/15/14  | Package Admins
39  |     Create Web Application(s) - (portal + mysite)| 1 day    | Tue 1/14/14  | Tue 1/14/14  | Package Admins
40  |     DNS Entries                                  | 1 day    | Tue 1/14/14  | Tue 1/14/14  | Package Admins
41  |     Configure SP Services                        | 1 day    | Wed 1/15/14  | Wed 1/15/14  | Package Admins
42  |     SharePoint New IdentityProvider              | 1 day    | Thu 1/16/14  | Thu 1/16/14  | Package Admins
43  |     Extend Web Application(s) to ADFS            | 1 day    | Thu 1/16/14  | Thu 1/16/14  | Package Admins
44  |     Tie Web Application to ADFS Auth Provider    | 1 day    | Thu 1/16/14  | Thu 1/16/14  | Package Admins
45  |     UPS Configuration + Attributes               | 1 day    | Fri 1/17/14  | Fri 1/17/14  | Package Admins
46  | Implement Custom Claims Provider - (Dev)         | 1 day    | Fri 1/17/14  | Fri 1/17/14  |
47  |   Download ldapcp.wsp                            | 1 day    | Fri 1/17/14  | Fri 1/17/14  | Package Admins
48  |   Edit ldapcp code if necessary                  | 1 day    | Fri 1/17/14  | Fri 1/17/14  | Enterprise Portal
49  |   Install ldapcp.wsp                             | 1 day    | Fri 1/17/14  | Fri 1/17/14  | Package Admins
50  |   Configure ldapcp claims                        | 1 day    | Fri 1/17/14  | Fri 1/17/14  | Package Admins
51  | Test (Dev)                                       | 5 days   | Mon 1/20/14  | Fri 1/24/14  |
52  |   Test Cases                                     | 5 days   | Mon 1/20/14  | Fri 1/24/14  | Enterprise Portal, Package Admins
53  | New Server Installation - (Cert)                 | 3 days   | Mon 1/27/14  | Wed 1/29/14  |
65  | SharePoint - (Cert)                              | 4 days   | Thu 1/30/14  | Tue 2/4/14   |
83  | Test (Cert)                                      | 5 days   | Wed 2/5/14   | Tue 2/11/14  |
85  | New Server Installation - (Prod)                 | 3 days   | Wed 2/12/14  | Fri 2/14/14  |
97  | SharePoint - (Prod)                              | 4 days   | Mon 2/17/14  | Thu 2/20/14  |
115 | Test (Prod)                                      | 5 days   | Fri 2/21/14  | Thu 2/27/14  |
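The ADFS and SharePoint tasks in the plan above (the relying party in Configure ADFS, the identity provider and web application extension under SharePoint Config, and the ldapcp.wsp steps under Implement Custom Claims Provider), together with the LDAPCP claims provider recommended in the best-practices document, carried out in PowerShell as an added example. This is not the project's own script: the host names adfs.example.com, portal.example.com and portal-internal.example.com, the realm urn:sharepoint:portal, the certificate path and the zone name are assumptions for illustration, and the claims-provider trust for the user domain is not shown. Two checks matter here. The Realm on the SharePoint side must equal the relying-party Identifier on the ADFS side exactly, or sign-in loops back to ADFS. And the certificate imported as the trusted root must be the ADFS token-signing certificate (public key only), verified by thumbprint against the ADFS server, because SharePoint will accept a token for any user from whoever holds the matching private key.

```powershell
# ---- Part 1: on the ADFS server (tasks 31-32). Hypothetical names throughout. ----
# Windows Server 2012 (AD FS 2.1) exposes the cmdlets as a snap-in; 2012 R2 auto-loads the ADFS module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Claims SharePoint will consume: mail as the user identifier, AD group names as role claims.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes for SharePoint"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Issuance authorization: any authenticated user may receive a token for this relying party;
# authorization inside SharePoint is then done with the role claims above.
$authRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name "SharePoint 2013 Portal" `
    -Identifier "urn:sharepoint:portal" `
    -WSFedEndpoint "https://portal.example.com/_trust/" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules

# Note the primary token-signing thumbprint; it is compared on the SharePoint side before the .cer is trusted.
Get-AdfsCertificate -CertificateType Token-Signing | Select-Object Thumbprint, IsPrimary

# ---- Part 2: on a SharePoint 2013 server (tasks 42-44, 47-50). ----
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Public key of the ADFS token-signing certificate, exported as a DER .cer; the private key never leaves ADFS.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
$expectedThumbprint = "<thumbprint printed by Get-AdfsCertificate above>"   # placeholder, fill in before running
if ($cert.Thumbprint -ne $expectedThumbprint) { throw "Token-signing certificate does not match the ADFS server" }
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# Identifier claim: mail must be unique in the directory and not editable by the user it identifies.
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$role  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Realm must equal the ADFS relying-party Identifier; SignInUrl is the ADFS passive endpoint over HTTPS.
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "Great American ADFS (dev)" `
    -Realm "urn:sharepoint:portal" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $email, $role `
    -SignInUrl "https://adfs.example.com/adfs/ls/" `
    -IdentifierClaim $email.InputClaimType

# Tasks 43-44: the Default zone keeps Windows authentication for the search crawler; users get the
# single URL on an extended zone that authenticates through ADFS.
$wa = Get-SPWebApplication "https://portal-internal.example.com"
New-SPWebApplicationExtension -Identity $wa -Name "Portal - ADFS" -Zone Intranet `
    -Url "https://portal.example.com" -HostHeader "portal.example.com" -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $ap

# Tasks 47-50: deploy LDAPCP and make it the claims provider for this trust, so the people picker
# resolves entries against the directory instead of accepting any typed value.
Add-SPSolution -LiteralPath "C:\install\LDAPCP.wsp"
Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment
$trust = Get-SPTrustedIdentityTokenIssuer "ADFS"
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()
```

After the solution deploys, the LDAPCP configuration page appears under Central Administration > Security, which is where the "Configure ldapcp claims" task (LDAP connections and the attributes the picker searches) is completed.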