Friday, 6 December 2013

How to publish SharePoint 2013 using Web Application Proxy and AD FS 3.0

When I read about Web Application Proxy, I told myself that I can now get rid of the TMG server. I was looking for a TMG server replacement which can offer Form-Based authentication to my SharePoint 2013 server, plus the ability to filter allowed user from external source.

This article will discuss on how to publish SharePoint 2013 using Kerberos constrained delegation. I find that it works better than claimed-based authentication as users logged in using claimed-based authentication are identified by their email address instead of their actual name. Before publishing SharePoint 2013, we need the following components ready:
  • At least one AD FS server installed on the Windows Server 2012 R2 operating system.
  • At least one Web Application Proxy server installed on the Windows Server 2012 R2 operating system.

Configuring AD FS server

To configure a AD FS server, please read Deploying a Federation Server Farm. The installation and configuring of AD FS server is rather straight forward and simple. However, when I first try to deploy one, I find it hard to understand the certificate requirement as I can't actually picture the deployment scheme discussed.

To simplify the understanding of AD FS deployment, I come up with the following list:
  • You need a public FQDN for your AD FS server. The certificate used to on your AD FS server must be enrolled with the public FQDN.
  • Since the AD FS server will be enrolled with a certificate with a public subject name, it is recommend that you configure a split DNS infrastructure if you are hosting external DNS internally. Split DNS infrastructure can be configured using DNS Manager by creating a zone for each of the public FQDN and add an unnamed host to the internal IP for each zone.
    • Zone: company.com
    • Zone: fs.company.com
      • Host A: (same as parent folder) - 192.168.20.1
    • Zone: enterprise.company.com
      • Host A: (same as parent folder) - 192.168.20.1
    • Zone: sharepoint.company.com
      • Host A: (same as parent folder) - 192.168.20.2
  • The Web Application Proxy server must be enrolled with the same certificate used by the AD FS. Since it would be facing the Internet, it will be publishing itself using the AD FS server FQDN.
  • Do not assign the certificate in IIS. AD FS 3.0 does not use IIS anymore.

Configuring Web Application Proxy server

To configure a Web Application Proxy server, please read Step 1 and Step 2 of Configure Publishing Applications through Web Application Proxy.

Preparing SharePoint 2013 for Kerberos constrained delegation

Step 1: Service Principle Name (SPN)

Before configuring the SPN for the SharePoint server, you'll need to figure out the account used to run the site by following the steps below:
  1. Start IIS Manager.
  2. Expand the IIS server.
  3. Expand Sites.
  4. Click on your SharePoint site.
  5. On the right panel, click Advanced Settings...
  6. Make a note on the Application Pool, and press Cancel.
  7. Click on Application Pools on the left panel.
  8. Look for the application pool from step 6 and make a note on its Identity. This is the name of the account used to run the site.
 Before configuring the SPN, we need to make sure that we won't be creating duplicates.
  1. Run "cmd" as Administrator.
  2. Execute, setspn -q http/<SharePoint internal FQDN>
  3. If nothing is returned then we can continue with setting the SPN. Else, you'll need to delete the existing record using the -d option.
To set the SPN,
  1. Run "cmd" as Administrator.
  2. Execute, setspn -a http/<SharePoint internal FQDN> <account>
    • setspn -a http/sharepoint.mydomain.local mydomain\spWebPool
  3. Execute, setspn -a http/<SharePoint internal host> <account>
    • setspn -a http/sharepoint mydomain\sbWebPool
  4. To verify, execute, setspn -q http/<SharePoint internal FQDN>
    • setspn -q http/sharepoint.mydomain.local
  5. You should see two records.

Step 2: Trust for delegation

You now need to configure the SharePoint server for trust for delegation.
  1. Start Active Directory Users and Computers on your Domain Controller.
  2. Browse to the SharePoint server account.
  3. Right click on it and choose Properties.
  4.  Click on the Delegation tab and select Trust this computer for delegation to any service (Kerberos only).
  5. Click OK.

Step 3: SharePoint site authentication

On the SharePoint 2013 server,
  1. Start SharePoint 2013 Central Administration.
  2. Click on Application Management followed by Manage web applications.
  3. Click on your site and click Authentication Providers in the Security ribbon.
  4. Click the available zone.
  5. Navigate to Claim Authentication Types and change the Integrated Windows authentication to Negotiate (Kerberos).
  6. Click Save.
  7. It'll take some time for SharePoint to reload the services, so the form would stay there. It will eventually closed after all the services being reloaded. While waiting for it to close, you can continue with the next step.
  8. Start IIS Manager.
  9. Select your SharePoint site and double-click on Authentication in the IIS section.
  10. Select Windows Authentication and click Providers...
  11. Add Negotiate into the Enabled Providers list and move it to the top.
  12. Click OK

Step 4: Verify Kerberos is working

On the SharePoint 2013 server,
  1. Start Event Viewer.
  2. Expand Windows Log and select Services.
  3. On any machine, browse to you SharePoint site.
  4. Back to the Event Viewer, refresh the view and look for Event ID 4624.
  5. A successful logged on with Kerberos in both Logon Process and Authentication Package indicate the successful configuration.
Now, you SharePoint 2013 is ready to perform Kerberos constrained delegation.

Creating Relaying Party Trusts

On the AD FS server,
  1. Start AD FS Management.
  2. Expand Trust Relationships and select Relaying Party Trusts.
  3. On the right panel, click on Add Non-Claims-Aware Relaying Party Trust...
  4. Proceed to Configure Identifiers.
  5. You can practically enter any string you like but to be on the safe side, enter the internal URL to your SharePoint site.
    • https://sharepoint.mydomain.local
  6. Complete the wizard.
  7. Click Edit Issuance Authorization Rules... on the right panel.
  8. To permit all users, choose Permit All Users.
  9. To permit selected groups, choose Permit or Deny Users Based on an Incoming Claims and select Group SID for the Incoming claim type.
  10. After completing the form, click Finish.

Publish the SharePoint site

On the Web Application Proxy server,
  1. Start Remote Access Management Console.
  2. Select Web Application Proxy on the left panel.
  3. Click Publish on the right panel.
  4. On the Preauthentication page, select Active Directory Federation Services (AD FS).
  5. On the Relying Party page, select the relying party you've created.
  6. On the Publishing Settings page,
    • External URL: Enter the external URL
    • External Certificate: Select the certificate that correspond to the external URL
    • Backend server URL: Enter the internal URL. (Preferable the same as External URL. You'll need to configure split DNS for this to work properly.)
    • Backend server SPN: Enter the SPN using the SharePoint server internal name. Example, http/sharepoint.internaldomain.local
  7. Complete the wizard

 
Posted by at No comments:
Subscribe to: Posts (Atom)