(This article was first published in the Bamboo Team Blog.)
SharePoint Joel here with the first in a series of posts to walk through the challenges of extranets. The first challenge is getting the authentication and secure infrastructure deployment put together; the second is the actual service provisioning, which *very* often is some type of workflow or portal for provisioning sites; and the third is user management. I've found that there are often free point solutions for things like delete capture or a simple site creation workflow, but the full management solutions that have thought it through end-to-end are in management suites. So, in this post, the first in a three-part series, I introduce the challenges with authentication and infrastructure with a few "How to" samples and resources, including a bit on pricing and licensing with Bamboo's pricing tool. In the second post, I follow up with freeware user management and extranet point solutions, and finally, in part three, I give you the third-party, full off-the-shelf solutions and management suites.
How do you provision users, or how do you put that power in the hands of the project managers, or at least of your internal users wanting to collaborate externally... possibly with an approval routing process to ensure it's all set up? Since really 2/3 or even 3/3 of what I'm talking about often requires custom development to get those processes in place, I'm going to explore all the third-party solutions I've come across that will help simplify your life by purchasing an off-the-shelf solution that minimizes or eliminates any custom development that might be required (focused on the deployment side).
Extranet Overview
One of the coolest uses of SharePoint is for collaboration in extranets. What do I mean by this? Well, an extranet is a network set up in a special place outside (or with special boundaries or rules relative to) the corporate network.
Extranet is one of those things that I find some people disagree with my definition of, so here are a couple more:
Webopedia
"A buzzword that refers to an intranet that is partially accessible to authorized outsiders. Whereas an intranet resides behind a firewall and is accessible only to people who are members of the same company or organization, an extranet provides various levels of accessibility to outsiders. You can access an extranet only if you have a valid username and password, and your identity determines which parts of the extranet you can view.
Extranets are becoming a very popular means for business partners to exchange information."
Wikipedia:
"An extranet is a private network that uses Internet protocols, network connectivity, and possibly the public telecommunication system to securely share part of an organization's information or operations with suppliers, vendors, partners, customers or other businesses. An extranet can be viewed as part of a company's intranet that is extended to users outside the company."
I've found SharePoint to be an awesome fit for extranets, and in my time have heard stories from many large enterprises which use it as the main means of communicating with partners in the extranet. More recently, I've found companies where SharePoint is synonymous with extranet, THE de facto platform for sharing information.
Microsoft has been using SharePoint in the extranet since I first began working there. I remember in my first week on the job, I was with Gabe Bratton, then a PM in the Office team that would later become the WSS team. We were troubleshooting the security and connectivity for a partner site running an early build of Office Web Server. So what I'm saying is SharePoint has had its roots in the extranet and even with that handful of early early sites SharePoint was breaking down the barriers and establishing itself as a solid platform where users could securely share information with each other across company boundaries.
In those days, it was all Active Directory, or at least NT account based. (STS actually used server local groups to secure information stored on the file system.) Now we have an extremely flexible and open authentication mechanism through .NET that allows SharePoint to use multiple authentication providers and directories outside of the typical NT or AD arenas, such as Forms Based Authentication (FBA), LDAP, ADAM, and even third-party SSO (Single Sign On) solutions such as Tivoli. The ability to use FBA was exciting. I suggest starting with this article: Forms Authentication in SharePoint Products and Technologies (Part 1): Introduction. Another must-read is Andrew Connell's Publishing site with dual providers. You might think that's Internet-only, but I often find that B2B and B2C are both extranet possibilities, and publishing should not be excluded, for instance when you're setting up a portal across multiple repeat or valued customers or partners for consuming common information that may or may not require a login. Think about a portal for getting hotfixes from MS: if a hotfix is not generally available but released only to OEMs, now you've got multiple OEMs logging in looking for special information.
Since the "12" wave (WSS 3.0 and SharePoint Server 2007), I see a much greater number of extranets taking on the challenges of going after an LDAP solution, a solution based on SQL accounts, or integration with the authentication providers in other third-party solutions. I don't say it's easy or will be easy to upgrade, but I find the diversity in the extranet space fascinating. There's tons more diversity in just this area than in any of the other spaces.
One company I was talking to had put so much work into building custom authentication providers and membership providers that they were doing things I didn't think were possible. I knew it was open, but they built so much. They had started to touch a lot of the user management pages in the box and started to touch the authorization schema... Ouch. That's where I started to get really concerned. Why not go with the .NET membership providers and .NET FBA examples and use those things? They were going in a dangerous direction, and based on their past development experience working with DotNetNuke they were just getting started. Upgrade was going to be a real challenge for them... Did I mention they did all this on WSS 2.0? Ouch.
Fast forward to today... What is available off the shelf to help a customer that wants to do SharePoint in the extranet? How do we make sure that we're building stuff that is easily upgradeable and easy to swap out? What do they get out of the box, what do they need to consider purchasing, and what's out there for free in places like CodePlex or from the Solution Accelerator team? Doesn't SharePoint Solutions have something... Yes, yes, yes. Let's get into that.
What's in the box for SharePoint in the Extranet
SharePoint out of the box will run in the extranet if you do nothing and it is in an AD forest and you use AD accounts for your partners and AD accounts for your users. Now comes the challenge.
What if you have 3 forests? One in the extranet for your farm, one for your corporate domain, and one for your partner. If you have two-way trusts between all those, you won't have any problems.
If you set up a true resource-forest type model with one-way trusts, you'll need to run some special stsadm commands for the people picker, and your profile import will need some special setup. Bill Baer in MS IT has spent some time with this, as did Venky in his designs for the people picker. There are a few challenges and you will bang your head on the wall at least 3 times to get this to work, but it is possible.
Now of course it is not typical to set up trusts with your partners unless you are in some massive organization and your partners are affiliates. There are some companies in which the departments or business units have trust issues, where they each have their own ADs or own forests and minimal trusts may exist in a resource model. Maybe it's old school. Either way, trusts don't always exist. Even with a one-way trust there are some minimal things that may not work. I forget what they are.
So what do I do if I don't have a trust? ADFS with SharePoint is a scenario you can use. Active Directory Federation Services (ADFS) is really a promise for the future and helps out some of these scenarios, but a different kind of trust is required. Not an AD trust, but an agreement between two companies to set up the hardware and configuration so they can establish a similar type of contract with Web services. Not everything is fully functional in ADFS. The rich Office 2007 client "edit directly" functionality and the form redirect when a connection is initiated from an Office application are two examples... there is a list. In fact, there's a mode in SharePoint where you can essentially turn off the interfaces that don't work so well in this fashion, which also applies with FBA. There's a good SharePoint team article on turning SharePoint with ADFS into a "claims aware" application (Thanks Steve Peschka.) Also from that post:
"In addition, before you start you need to download and install a hotfix for ADFS. Without this hotfix, the information below will not work. You can find information about this hotfix at http://support.microsoft.com/kb/920764/en-us."
Configure Web SSO authentication by using ADFS (for Office SharePoint Server 2007)
Configure Web SSO authentication by using ADFS (for Windows SharePoint Services 3.0)
Before you get all excited about setting up ADFS, I highly recommend coming back down to earth and reading this KB article which gives you the dirt on what really works and is supported with ADFS (Updated as recently as June 30, 08.) http://support.microsoft.com/default.aspx?scid=kb;en-us;912492
If you're looking for "HOW TO" type content, the Tech Library for ASP.NET has a ton of help.
Need to write something for your connection? Start with these samples and How-Tos:
ASP.NET 2.0
Including some articles related to configuration and security:
How To: Create a Custom Account To Run ASP.NET
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
How To: Perform a Security Deployment Review for ASP.NET 2.0
So if you don't find your answer in WSS, you need to jump over to ASP.NET (MOSS comes with a provider). There's also a large number of blogs you'll run into that provide workarounds and guidance. Don't be afraid to search for help. FBA has been set up a LOT. There's even a lab in Shane Young's SharePoint Admin course where you set up a Web app with FBA and SQL.
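As an added example (not from the original post or any of the linked articles), here is what the FBA-with-SQL setup described above looks like in the extranet Web application's web.config, using the ASP.NET 2.0 SqlMembershipProvider and SqlRoleProvider that MOSS can consume. Server, database and provider names are placeholders; the same `<add>` entries must also be registered in the Central Administration web.config (without making them the default role provider there) or the people picker cannot resolve FBA users.

```xml
<configuration>
  <!-- Placeholder SQL server and aspnetdb database name (created with aspnet_regsql). -->
  <connectionStrings>
    <add name="FbaMembershipDb"
         connectionString="Server=SQL01;Database=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <!-- After saving, encrypt the section in place so the connection string is not stored
       in clear text (the DPAPI How-To linked above). DPAPI keys are per machine, so run this
       on every front-end; use the RSA provider instead if you want one exportable key:
       aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\wss\VirtualDirectories\80" -prov "DataProtectionConfigurationProvider" -->

  <SharePoint>
    <!-- Let the people picker resolve partial names against the SQL provider;
         the key must match the provider name registered below. -->
    <PeoplePickerWildcards>
      <clear />
      <add key="FbaSqlMembers" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>

  <system.web>
    <!-- The authentication mode (Forms) and the provider names for this zone are set on the
         Central Administration "Authentication Providers" page, not by hand-editing here. -->
    <membership defaultProvider="FbaSqlMembers">
      <providers>
        <add name="FbaSqlMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="FbaSqlRoles">
      <providers>
        <add name="FbaSqlRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The `applicationName` must be identical in both providers and in every web.config that references the database, otherwise users created in one place are invisible in the other.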
Pricing & Licensing
I don't know if the people reading this care. Sometimes you do, sometimes you don't, but here are a few quick resources on licensing. People totally get stuck on how to license WSS or MOSS in the extranet. In fact, through this whole article I've just been talking about "SharePoint"... do you want WSS or MOSS? In the Windows ITPro article "SharePoint Extranets: WSS or MOSS?", Tim compares the two briefly. Dan Holme does a good job walking through that challenge in an article, "License to Fill, Licensing WSS for the Extranet", but with any licensing and pricing, I do recommend involving a Microsoft Account rep. I also recommend the SharePoint Team blog announcement on MOSSFIS (an Internet sites licensing update). Spence (SharePoint MVP) spends some time on Extranet Licensing as well. I do say: don't be afraid to challenge your Rep. SharePoint licensing is TOTALLY confusing, especially in the extranet. Internally at TechReady they had sessions and chalk talks just on licensing for SharePoint that were, let's say, *very well attended.*
Bamboo Solutions recently released a NEW FREE SharePoint Licensing tool for MOSS (purely Web-based) so you can estimate your costs.
Nice try, guys. I love the first stab. I love seeing all of the possible licenses, but you need to add some text around the check boxes or a hover-over. We need a drop-down at the top that has the options. I really don't want to see Forms Server even as an option. Let that be a QFE you never listen to. Seeing the external connector next to Internet server kind of just exposes how complex and confusing it is. I'd like to see it as a drop-down with explanations that change as you change the product. For example, you shouldn't be able to choose Internet Server and Standard CALs. Right? Help us out. Love the concept and really love the idea of compare, although Server1 vs. Server2 is confusing since you put it as Option1 and Option 2 above. I know it's not parallel. - (Joel with his analyst hat on; feel free to give them your feedback... hey, it's free, we can't complain too much, but I know they want to make it better.)
In my next post I'll share some freeware solutions and then we'll get to the more fully-featured off the shelf solutions and how they address these user and site management challenges.
Joel Oleson
Sr. SharePoint Architect, Consultant and Trainer
Posted Oct 30 2008, 03:22 PM by Joel Oleson