Another quick SharePoint query

wedge1988 (Senior Member, Registered Member; Join Date: Jan 2007; Posts: 304; Certifications: C&G IT, MOUS 2000 MASTER, A+, Network+, MCP: 70-270, 70-290, 70-291, 70-293, MCSA:2003):

Hi all,
Probably fed up with me now, but don't let that put you off.
I've boiled it down to either using the same domain name on both my extranet and internal network, or separating the extranet from the internal network but implementing ADFS for user authentication with SharePoint.
(For those that don't know what I'm on about, see my previous posts!) Help with Network Design (SharePoint)
It's much easier to keep it under the same domain name and allow authentication, but implementing ADFS seems more secure. Is it worth the extra effort? Any ideas? What about security?
Thanks all!
__________________ ~ wedge1988 ~ ITIdiot ~ Read this year: (Brackets indicate page count)
MS-Press: 70-680 ( 872 ), 70-294 ( 1168 ), 70-350 ( 1104 ), Currently Reading:
MS-Press: System center config mgr admin guide, powershell scripting, sharepoint server 2007 admin guide. Planned exams this year:
70-294, 70-298, 70-299, 70-680, anything else. (Maybe TMG 2010 for an MCSE:S, lets hope eh? then i can start Cisco...)
RobertKaucher (Standard Nerd, Registered Member; Join Date: Dec 2007; Location: Lebanon, Ohio - USA; Posts: 1,408; Certifications: Too many evidently...):

Quote: Originally Posted by wedge1988
> I've boiled it down to either using the same domain name on both my extranet and internal network...

I do not understand. How will systems that touch both be able to tell the difference between the two? Do you mean you are going to use the same Active Directory domain to authenticate users on both sides?

Quote: Originally Posted by wedge1988
> ...or separating the extranet from the internal network but implementing ADFS for user authentication with SharePoint.

That sounds like a good plan to me. But like I said in the previous post, this all boils down to whether you have users who would not normally have Active Directory user accounts in your internal AD. For example, parents of students or governmental officials who would never log on to the AD at the schools, but require access over the Internet to the SharePoint site. If that is the case then I would consider implementing ADFS. ADFS for cross-forest authentication will mean more hardware and a higher cost of administration. What it boils down to is more spending and more work for you...
__________________
WIP: 70-453 (DBA 2008 Upgrade)
Next: 70-433 and 70-451 MCITP: Database Developer; 70-445 and 70-446 MCITP: Business Intelligence Developer
wedge1988:

Quote:
> I do not understand. How will systems that touch both be able to tell the difference between the two? Do you mean you are going to use the same Active Directory domain to authenticate users on both sides?

Yes, this is what I meant, but it's not secure enough, I think.

Quote:
> That sounds like a good plan to me. But like I said in the previous post, this all boils down to whether you have users who would not normally have Active Directory user accounts in your internal AD. For example, parents of students or governmental officials who would never log on to the AD at the schools, but require access over the Internet to the SharePoint site. If that is the case then I would consider implementing ADFS. ADFS for cross-forest authentication will mean more hardware and a higher cost of administration. What it boils down to is more spending and more work for you...

So if I use a separate domain on the perimeter network, you're saying users on the internal network can authenticate from home? Even if I don't have trusts in place?
I need everyone to have access to the extranet (not everyone literally, just those in the building).
I thought this would solve the issue?
RobertKaucher:

Quote: Originally Posted by wedge1988
> So if I use a separate domain on the perimeter network, you're saying users on the internal network can authenticate from home? Even if I don't have trusts in place?

No, you must have a trust in place. I assume you are talking about setting up a scenario like in the second graphic on this page: Federation scenarios
(the one for A. Datum)

Quote: Originally Posted by wedge1988
> I need everyone to have access to the extranet (not everyone literally, just those in the building).
> I thought this would solve the issue?

Really, if it is just those in the building, ADFS is overkill IMHO. No matter which scenario you choose you are still exposing your network to the Internet, and at some point an account COULD become compromised.
Notice how in the scenario shown on Microsoft's site they are talking about CUSTOMERS and EXTERNAL USERS. These are people who would not normally have user accounts in your Active Directory. Rather than create accounts for these external users it would be safer to create another forest and use trusts and ADFS to allow them access. This is the only time I would consider using the scenario in the A. Datum image.
* You would need at least two additional servers (in addition to the ones publishing the apps).
* Another firewall.
* And the time to administer the new forest.
How will you manage the new user accounts? Your users will be confused about why they have to have two passwords... Or will you try to find some way to sync them? If you do that, then it cuts down on the security of having the two forests anyway.
My issue with this setup is not that it is useless... You just have to compare the issues of complexity/security vs simplicity/usability. Only you know your environment and can make that call.
Edit: As a compromise, the third scenario on the MS page may work for you. It is a good compromise between the two-forest ADFS model and the single-forest w/DMZ model.
Last edited by RobertKaucher; 07-08-2009 at 02:11 AM.
wedge1988:

OK, so I understand that ADFS is a little overkill now.
I'll set up a separate forest for my DMZ, then I'll set up a trust relationship; this will be on a 3-legged ISA server setup.
I'm still a bit unsure how SharePoint will see the users' login details on the extranet though. Unless I create a 2-way trust (which I don't want to really, as it makes the separate forest sort of useless).
RobertKaucher:

Quote: Originally Posted by wedge1988
> OK, so I understand that ADFS is a little overkill now.
> I'll set up a separate forest for my DMZ, then I'll set up a trust relationship; this will be on a 3-legged ISA server setup.
> I'm still a bit unsure how SharePoint will see the users' login details on the extranet though. Unless I create a 2-way trust (which I don't want to really, as it makes the separate forest sort of useless).

I believe ADFS to be overkill BECAUSE of the second domain. I was not aware of the web SSO scenario that is shown in that MS article. I assumed you had to have a second forest to use ADFS in the way you wanted to. What I believe is overkill is the creation of the second forest. But I have not done any research into that.
Here is what I see as the issue with two domains... Let's imagine you have roughly 100 users in your school system who will be accessing the SharePoint and Exchange servers. In order to implement the second forest you will now need to create and manage a second AD infrastructure and have that second AD access resources in your primary AD (but only those serviced by Exchange and SharePoint). You have just doubled your management requirements for those servers. Now instead of managing Exchange and SharePoint for 100 users, you are doing it for 200 users. You will require your users to have separate AD user accounts in the second domain, correct? If not, why have it at all? Now you have to ensure that both user accounts can access the proper mailboxes and SharePoint sites/libraries. When will these users be using their second accounts? Between the hours of 3:00 and 10:00 is what I assume to be reasonable... How likely do you think they are to forget their passwords for this second user account, which they rarely use? Who will be there to reset that password? Since they will never be able to log on locally to this domain, what are you going to do about expiring passwords? Not allow passwords to expire in the second domain? Then they will be writing passwords down and keeping them in non-secure locations like their homes AND the passwords will never expire. Very quickly management of this second domain becomes a nightmare.

What I suggest is that you implement ISA Server to publish the Exchange and SharePoint sites using the DMZ model. You have ISA1 and ISA2. ISA1 is between the DMZ and Internet. ISA2 is between the internal network and the DMZ. ISA1 is not joined to any domain but uses RADIUS over IPsec to authenticate domain users. It will only communicate with the RADIUS server in the internal network over IPsec. Any other ports from that server will be blocked.

Now ISA1 will communicate with the Edge and WFE servers for Exchange and SharePoint and they, in turn, will communicate with ISA2. ISA2 will be in charge of publishing the internal content to the Edge and WFE servers. They will not communicate directly with the internal network, only through this second ISA server (which could also be over IPsec). ISA1 will only have ports for SSL open on the Internet-facing NIC. The only legit worry you should have at that point is whether someone will find a web-based attack that can bring down Exchange or SharePoint, or that someone will perform some sort of DoS attack. But you would still worry about those issues with a second domain. Having the second Active Directory is only going to give you better security if you have external users accessing resources in your internal network, IMO. Just because something is "more secure" does not mean it applies in your situation.
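The two-ISA DMZ design described in the post above, written out as a default-deny flow policy that proposed traffic can be checked against (so a WFE talking straight to the internal SharePoint server, or RADIUS sent in the clear, is flagged). This is an added example, not code from the thread; the host names, the zone layout and the port numbers (443 for SSL, 1812 for RADIUS) are assumptions read from the prose.

```python
from dataclasses import dataclass

# Constructed host placement following the post: ISA1 faces the Internet,
# Edge/WFE sit in the DMZ, ISA2 fronts the internal network, and RADIUS plus
# the Exchange/SharePoint back ends are internal. Host names are placeholders.
ZONES = {
    "internet": {"client"},
    "isa1":     {"ISA1"},
    "dmz":      {"EDGE", "WFE"},
    "isa2":     {"ISA2"},
    "internal": {"RADIUS", "EXCHANGE", "SHAREPOINT"},
}

@dataclass(frozen=True)
class Rule:
    src: str             # source zone
    dst: str             # destination zone, or one host name
    port: int
    ipsec: bool = False  # True: the flow must be carried inside IPsec

# Allow-list, one rule per statement in the design. Port numbers (443 for
# SSL, 1812 for RADIUS) are assumptions; the post names only the protocols.
ALLOW = (
    Rule("internet", "isa1", 443),             # only SSL open on the Internet NIC
    Rule("isa1", "RADIUS", 1812, ipsec=True),  # RADIUS to the one internal host, IPsec only
    Rule("isa1", "dmz", 443),                  # ISA1 -> Edge/WFE
    Rule("dmz", "isa2", 443),                  # Edge/WFE -> ISA2, never straight inside
    Rule("isa2", "internal", 443),             # ISA2 publishes the back ends
)

def zone_of(host: str) -> str:
    """Return the zone a host sits in; unknown hosts are rejected."""
    for zone, hosts in ZONES.items():
        if host in hosts:
            return zone
    raise KeyError(f"unknown host {host!r}")

def is_allowed(src: str, dst: str, port: int, ipsec: bool = False) -> bool:
    """Default-deny: a flow passes only if some rule matches zone, port and IPsec."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for r in ALLOW:
        if r.src == src_zone and r.port == port and r.dst in (dst_zone, dst):
            if ipsec or not r.ipsec:
                return True
    return False

def audit(flows):
    """Return the (src, dst, port, ipsec) flows the design forbids."""
    return [f for f in flows if not is_allowed(*f)]
```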
wedge1988:

OK Rob. I'll have to do what I can do. I won't be able to put a second ISA server in.
I'll either set up a one-way trust with 2 domains (which is documented by MS) or set up ADFS with web SSO.
Thanks for your help. I'll have to let you know what I do and how I get on!
wedge1988:

Now I have another issue,
Why the hell can't I install ADFS? Only the web components? This is really annoying me.
For some reason the role isn't available, and the server checks out to the requirements. I've tried it on a few servers and only the ADFS web role is available.
What's going on???
I... don't... bl**dy believe it.
You need the Enterprise version of Server 2008? WTF...
Last edited by wedge1988; 07-13-2009 at 03:17 PM.
Reason: solution