Enable remote access to SharePoint with Azure AD App Proxy – Application Proxy Blog

Hello folks,

Azure AD Application Proxy is a simple, secure way to provide remote access to on-premises applications. SharePoint sites continue to be the top applications that customers integrate with Azure AD Application Proxy, and given SharePoint's native Kerberos support, users accessing internal sites remotely through Application Proxy can get a seamless single sign-on experience.
Given the popularity of this setup, and considering how many of you can benefit from it, I decided to dedicate this blog post to a step-by-step guide on integrating SharePoint Server on-premises with Azure AD Application Proxy, so that more of you can get the value that comes with it. Many customers have already done this successfully; with this guide, hopefully you can do so quickly as well. Ross Adams, a Senior Program Manager on the team, put together a setup on which the write-up below is based. Go on, give this a try!

As always, if you have any feedback on this please send us a note at aadapfeedback@microsoft. We look forward to hearing from you.

Thanks,
Girish Chander (@chander_girish)

Alright, let's walk through how to set up an existing SharePoint 2013 server with Azure AD Application Proxy.

Before we begin

I'm going to assume that you have SharePoint 2013 already set up and running just the way you want it in your corporate environment, so I'm not going to walk through the actual setup of SharePoint. On the SharePoint server there are a few configuration changes we are going to have to make, so if you have a staging environment, follow this guide on the staging server first to understand any impact before you go to production.

I'm also going to assume that you have set up SSL for SharePoint, as we require SSL on the published URL. You will also need SSL enabled on the internal site to ensure links are sent and mapped correctly. If you haven't configured SSL, take a look at this blog, which has instructions for setting it up.
Make sure that the connector machine trusts the certificate you issue; it need not be a publicly issued certificate. Now that we have the disclaimers and prerequisites out of the way, let's get into the details.

At a high level, these are the 6 steps we need to perform:

Part A: Configure single sign-on
1. Ensure the SharePoint web application is running as a service account.
2. Configure SharePoint for Kerberos.
3. Set an SPN for the account that SharePoint is running under.
4. Ensure the connector is trusted to delegate to SharePoint.

Part B: Enable secure remote access
5. Publish the SharePoint farm to Azure AD Application Proxy.

Part C: Ensure SharePoint knows about the external URL
6. Set Alternate Access Mappings in SharePoint.

Part A: Setting up single sign-on to SharePoint

We are targeting the best single sign-on experience to the back-end application, SharePoint Server in this case. In this scenario the user authenticates once to Azure AD and is not prompted for authentication again. For on-premises applications that require or use Windows authentication, this is achieved using the Kerberos authentication protocol and a feature called Kerberos constrained delegation, or KCD for short. KCD, when configured, allows the Application Proxy connector to obtain a Windows ticket for a given user even though the user has not logged on to Windows directly; the connector is granted the right to request a service ticket for the SharePoint SPN on the user's behalf. You can learn more about Kerberos constrained delegation here. Let's see how we can set this up for our SharePoint server.

Step 1: Ensure SharePoint is running under a service account, not Local System, Local Service or Network Service

The first thing we need to do is make sure that SharePoint is running under a defined service account. We need this so we can attach SPNs (service principal names) to a valid account. Service principal names are how the Kerberos protocol identifies different services, and we will use the SPN later to configure KCD.
To ensure your sites are running under a defined service account, do the following:

Open the SharePoint 2013 Central Administration site. Under Security, select Configure service accounts. Select Web Application Pool – SharePoint – 80 (the name may differ slightly depending on the name of your web application pool and whether it uses SSL by default). If the "Select an account for this component" value is Local Service or Network Service, you need to create a managed account; if it already shows a domain account, you are done and can move to the next step. Click Register new managed account. You will need a pre-created AD account for the service, and the recommendation is to allow automatic password change. You can find the full set of steps and troubleshooting guidance here. In my case, I created an account called Demo\sp_svc. Once it is created, set the Web Application Pool to use it.

Step 2: Configure SharePoint for Kerberos

As I said before, we use KCD to perform single sign-on to the SharePoint server, and this only works with Kerberos. So let's make sure that the site is configured for Kerberos authentication. Open the SharePoint 2013 Central Administration site. Under Application Management click Manage web applications and select your SharePoint web application ("SharePoint – 80" in my case). Next click Authentication Providers in the toolbar above. In the Authentication Providers dialog, click the Default zone to view its settings. In the Edit Authentication dialog, scroll down to Claims Authentication Types and ensure that both Enable Windows Authentication and Integrated Windows Authentication are checked and that the drop-down is set to Negotiate (Kerberos). Note that Negotiate only offers Kerberos; if the SPN is missing or the client cannot reach a KDC, the browser silently falls back to NTLM, which KCD cannot delegate. Scroll to the very bottom and click Save.

Step 3: Setting an SPN for the SharePoint service account

Before we can configure Kerberos constrained delegation, we need to be able to identify the SharePoint service running as the service account we configured above.
We do this by setting a service principal name (SPN). You can read more about SPNs here if you like.

The SPN format: the typical format for an SPN is <service class>/<host>:<port>, where <service class> is a unique name for the service (for SharePoint we will use HTTP), <host> is the fully qualified domain name or NetBIOS name of the host the service is running on (in the case of a SharePoint site, this may need to be the host name in the site URL as well, depending on the version of IIS in use), and <port> is optional. If the FQDN of the SharePoint server is sharepoint. then the SPN would be HTTP/sharepoint. In addition, you may also need to set SPNs for specific sites on your server. For more details, see this article, paying special attention to the section called "Create Service Principal Names for your Web applications using Kerberos authentication".

The easiest way to do all this may be to follow the SPN formats that are already in use for your site and register those SPNs against the service account. To do this, browse to the site from another machine. When you do, the relevant Kerberos tickets are cached on that machine, and those tickets contain the SPN of the target site you browsed to. We can read the SPN for that site using the klist tool. In a command window running in the same context as the user who accessed the site in the browser, run: klist. It returns the set of cached tickets with their target service SPNs. In my case, the highlighted value is the SPN I need.

Now that we have the SPN, we need to make sure that it is registered on the service account we set for the web application earlier. Follow the steps below.

Setting the SPN: to set the SPN, run the command below from a command prompt as an administrator of the domain: setspn -S http/sharepoint. demo\sp_svc. This command sets the SPN on the SharePoint service account demo\sp_svc. Remember to replace 'http/sharepoint.' with the SPN for your server and 'demo\sp_svc' with the service account in your environment. The setspn -S command searches the forest for the SPN before it adds it, so you may see a "Duplicate SPN Value" error. If you see this, make sure the existing value is associated with the service account and not with some other principal; an SPN registered on two accounts breaks Kerberos for that service entirely, because the KDC cannot tell which key to encrypt the ticket with. You can read more about the setspn tool here. You can verify the SPN was added by running setspn with the -L option against the service account, as described in the link above.
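The following PowerShell script is an added example and is not part of the original post or Microsoft's own tooling. It pulls the Part A steps together: it checks the web application's app pool identity and Kerberos setting (steps 1 and 2), registers the SPN only after confirming it is not already owned by another principal (step 3), grants the connector's computer account constrained delegation to that SPN with protocol transition (the standard AD configuration behind step 4, which the post lists but does not walk through), and finally requests a ticket with klist to prove the SPN resolves. The host name sharepoint.demo.local, the connector name AADAPCONN01 and the web application URL are assumptions; DEMO\sp_svc is the account from the post. The SharePoint function must run in the SharePoint Management Shell on the farm; the rest needs the RSAT ActiveDirectory module and domain admin rights.

```powershell
# Added example (not from the original post). Assumed names, replace for your
# environment: sharepoint.demo.local, AADAPCONN01, https://sharepoint.demo.local
$SpFqdn        = 'sharepoint.demo.local'
$SpnToSet      = "HTTP/$SpFqdn"
$ServiceAcct   = 'sp_svc'          # sAMAccountName of DEMO\sp_svc from the post
$ConnectorHost = 'AADAPCONN01'     # assumed name of the App Proxy connector VM

# Steps 1 and 2 (SharePoint Management Shell on the farm): the app pool must
# run as a domain account and Kerberos must not be disabled on the Default zone.
function Test-SPKerberosReady {
    param([string]$Url = "https://$SpFqdn")
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $wa   = Get-SPWebApplication -Identity $Url
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $acct = $wa.ApplicationPool.Username
    if ($acct -match '^(NT AUTHORITY|LOCAL SERVICE|NETWORK SERVICE|LocalSystem)') {
        Write-Warning "App pool runs as built-in identity '$acct'; register a managed account first"
    }
    $kerberos = -not $wa.IisSettings[$zone].DisableKerberos
    if (-not $kerberos) { Write-Warning 'Default zone is NTLM-only; set it to Negotiate (Kerberos)' }
    [pscustomobject]@{ AppPoolAccount = $acct; KerberosEnabled = $kerberos }
}

# Step 3: register the SPN, refusing to continue if it already belongs to a
# different principal (a duplicate SPN silently breaks Kerberos for everyone).
function Register-SPServiceSpn {
    param([string]$Spn = $SpnToSet, [string]$Account = $ServiceAcct)
    $query = (setspn -Q $Spn 2>&1) -join "`n"
    if ($query -match 'Existing SPN found') {
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName
        if ($owner.sAMAccountName -ne $Account) {
            throw "SPN $Spn is already registered on $($owner.DistinguishedName); remove it first"
        }
        Write-Host "SPN $Spn already present on $Account"
    } else {
        setspn -S $Spn $Account | Out-Null
    }
    setspn -L $Account            # list every SPN the account now holds
}

# Step 4: let the connector's computer account delegate to the SharePoint SPN.
# Protocol transition (TrustedToAuthForDelegation) is required: the user never
# authenticates to the connector with Kerberos, so the connector must be allowed
# to obtain a service ticket on the user's behalf (S4U2Self followed by S4U2Proxy).
function Set-ConnectorDelegation {
    param([string]$Connector = $ConnectorHost, [string]$TargetSpn = $SpnToSet)
    Set-ADAccountControl -Identity "$Connector$" -TrustedToAuthForDelegation $true
    $current = (Get-ADComputer -Identity $Connector -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo'
    if ($current -notcontains $TargetSpn) {
        Set-ADComputer -Identity $Connector -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
    }
    Get-ADComputer -Identity $Connector -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
        Select-Object Name, TrustedToAuthForDelegation,
            @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}

# Verification from any domain-joined client: purge the cache, ask the KDC for a
# ticket to the SPN, and confirm it landed in the cache. A KDC_ERR_S_PRINCIPAL_UNKNOWN
# here means the SPN is not registered on any account.
function Test-KerberosTicket {
    param([string]$Spn = $SpnToSet)
    klist purge | Out-Null
    $request = (klist get $Spn 2>&1) -join "`n"
    if ($request -match 'KDC_ERR|failed') { Write-Warning $request }
    $cached = (klist) -join "`n"
    [pscustomobject]@{ Spn = $Spn; TicketCached = ($cached -match [regex]::Escape($Spn)) }
}

# Typical order, run on the appropriate machines:
# Test-SPKerberosReady; Register-SPServiceSpn; Set-ConnectorDelegation; Test-KerberosTicket
```

Run Test-SPKerberosReady on the farm first; if it warns about the app pool identity, fix that in Central Administration before touching SPNs, because an SPN registered on a computer account is worth nothing once the pool is moved to DEMO\sp_svc. Test-KerberosTicket only proves the SPN resolves; it does not exercise delegation, which you verify end to end once the application is published in Part B.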