In this session we will go through new and extended functions in the User Profile area. We will cover the planning and implementation from the organizational to the technical perspective, not only in theory but also in the live demo. Aleksandar Drašković
SHAREPOINT AND PROJECT CONFERENCE ADRIATICS 2013
ZAGREB, NOVEMBER 27-28 2013
IDENTITY MANAGEMENT IN SHAREPOINT 2013
ALEKSANDAR DRAŠKOVIĆ, MCM SHAREPOINT 2010
Aleksandar Drašković
• Microsoft Certified Master for SharePoint 2010
• Over 6 years in SharePoint business
• Over 15 years in Enterprise IT
• Expertise in various other products and technologies: Active Directory, Exchange, TMG / UAG, etc.
Solution Architect
Agenda
• Identity Management
• User Profile Service
• User Profile Synchronization
• Approach for a successful implementation
IDENTITY MANAGEMENT
Identity management
• Handling user profiles is not only a matter of configuring SharePoint
• Work with and talk to the administrators of the identity management system
• Most of the time identity management is not really a technical challenge; it is often more a political one
• Improper handling might break the social networking functionality in the SharePoint environment
Data quality
Who is the owner of the data?
Is the data up to date?
Can we get the necessary data?
Connect to the data
• Are the IDM systems accessible?
• How can we connect to the IDM system?
• Do we have to connect to any other external system?
• Are we able to write back information to the IDM system?
USER PROFILE SERVICE
User Profile Service in SharePoint 2013
Important for:
• All social features
• Workflow Manager 1.0 (SharePoint 2013 Workflows)
• Translation Service Application
• Work Management Service
Needs an associated Managed Metadata Service Application
Databases
• Profile Database: user profile data, activities, audiences
• Social Database: social data, e.g. ratings, tags and comments
• Sync Database
Create a User Profile Service Application
• Think about how to handle the site names for the My Content sites of the users
• Create the My Site host and check the Managed Path for the My Content sites
• Do not use more than one User Profile Service Application in your farm
• As a best-practice approach, use PowerShell scripting to create the User Profile Service Application, but be aware of the database schema
Active Directory import
• One-way: Active Directory to SharePoint
• No write-back to the Active Directory: it is just an import
• No BCS connections for synchronization: only connections to Active Directory
• Very fast: due to the direct connection to Active Directory
User Profile Synchronization
• Set "Replicating Directory Changes" permission
• Configure synchronization settings
• Configure synchronization connection(s)
• Start a synchronization
• Configure incremental synchronization
APPROACH FOR A SUCCESSFUL IMPLEMENTATION
Start of the implementation process
Sit down and THINK!
Think about the source system and source information
Think about how the data should be represented in SharePoint
Think about writing data back
Think about operating the profile synchronization
Configure and start UPA
• Prerequisites: have the Managed Metadata Service Application up and running
• PowerShell: use a PowerShell script to configure and start the user profile service application
• Separate: separate adding and starting the user profile service application from configuring and starting synchronization
• Test: test this step before the synchronization is configured and started
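The "Configure and start UPA" step as a PowerShell script, added here as an example (it is not the speaker's script): it checks the Managed Metadata prerequisite, refuses to create a second UPA, creates the service application with explicit database names and starts only the User Profile Service instance, leaving synchronization for the separate step. Service application, pool, account, database and My Site host names are assumptions.

```powershell
# Added example: create the User Profile Service Application (UPA) and stop
# before synchronization. All names below are assumptions; adjust them to the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upaName     = "User Profile Service Application"
$poolName    = "SharePoint Service Applications"
$poolAccount = "CORP\sp_services"          # registered managed account (assumed)
$mySiteHost  = "https://my.corp.int"       # My Site host web application (assumed)

# Prerequisite from the deck: the Managed Metadata Service Application must be online.
$mms = Get-SPMetadataServiceApplication -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $mms -or $mms.Status -ne "Online") {
    throw "Managed Metadata Service Application is missing or not online; create it first."
}

# Only one UPA per farm.
if (Get-SPServiceApplication | Where-Object { $_.TypeName -eq $upaName }) {
    throw "A User Profile Service Application already exists in this farm."
}

# Reuse the application pool if it exists, otherwise create it with the managed account.
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $account = Get-SPManagedAccount -Identity $poolAccount
    $pool    = New-SPServiceApplicationPool -Name $poolName -Account $account
}

# Explicit database names keep the schema predictable across STAGE and PROD.
$upa = New-SPProfileServiceApplication -Name $upaName `
        -ApplicationPool $pool `
        -ProfileDBName     "SP2013_UPA_Profile" `
        -SocialDBName      "SP2013_UPA_Social" `
        -ProfileSyncDBName "SP2013_UPA_Sync" `
        -MySiteHostLocation $mySiteHost

New-SPProfileServiceApplicationProxy -Name "$upaName Proxy" `
        -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# Start the User Profile Service instance on this server only. The synchronization
# service is deliberately NOT started here; that is the separate, later step.
$ups = Get-SPServiceInstance | Where-Object {
          $_.TypeName -eq "User Profile Service" -and $_.Server.Address -eq $env:COMPUTERNAME }
if ($ups.Status -ne "Online") { Start-SPServiceInstance -Identity $ups | Out-Null }

# Test this step before touching synchronization: the UPA should report Online.
Get-SPServiceApplication | Where-Object { $_.TypeName -eq $upaName } |
    Select-Object DisplayName, Status
```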
Set permissions
• Replicating Directory Changes: set the "Replicating Directory Changes" permission for the sync account in the domain
• Local Administrator: make the farm account a local administrator on the machine where the synchronization should be started
• Write back: set the "Create Child Objects" and "Write All Properties" permissions for the sync account when write-back is necessary
• Reboot: reboot the machine that was chosen as the sync host, so that the new permissions become active
Domain permissions
• Replicating Directory Changes: must be set in the domain, no matter which Windows version the domain controller is using
• Windows 2003 domain controller: add the synchronization account to the Pre-Windows 2000 Compatible Access group
• NetBIOS domain name not FQDN: grant the Replicating Directory Changes permission to the synchronization account on the cn=configuration container
• Need to export to Active Directory: grant the synchronization account the Create Child Objects and the Write All Properties permissions on the organizational unit you are synchronizing
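The domain permissions above as a PowerShell script, added here as an example (not the speaker's script), using the standard dsacls tool and the ActiveDirectory module on a domain-joined admin workstation or domain controller. Domain DN, sync account, OU and the three switches are assumptions; the switches mirror the conditions on the slide.

```powershell
# Added example: grant the sync account the rights listed on the slide. Run as a
# domain administrator. Domain, account, OU and switches are assumptions.
Import-Module ActiveDirectory

$syncAccount   = "CORP\svc_spsync"          # dedicated sync account, never the farm account
$domainDN      = "DC=corp,DC=int"
$configDN      = "CN=Configuration,$domainDN"
$syncOU        = "OU=Employees,$domainDN"   # OU selected in the synchronization connection
$hasWin2003DC  = $true                      # any Windows 2003 domain controllers left?
$netbiosDiffers = $true                     # NetBIOS name (CORP) != FQDN (corp.int)?
$writeBack     = $false                     # properties exported back to AD?
$sam           = $syncAccount.Split('\')[1]

function Invoke-Dsacls {
    # Wraps dsacls.exe and fails loudly instead of silently leaving a right ungranted.
    param([string]$Object, [string[]]$Args)
    & dsacls.exe $Object @Args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $Object ($($Args -join ' '))" }
}

# 1. Replicating Directory Changes on the domain naming context: always required.
Invoke-Dsacls -Object $domainDN -Args @("/G", "${syncAccount}:CA;Replicating Directory Changes")

# 2. Windows 2003 domain controllers: the account needs Pre-Windows 2000 Compatible Access.
if ($hasWin2003DC) {
    Add-ADGroupMember -Identity "Pre-Windows 2000 Compatible Access" -Members $sam
}

# 3. NetBIOS name differs from the FQDN: the same right on the configuration container.
if ($netbiosDiffers) {
    Invoke-Dsacls -Object $configDN -Args @("/G", "${syncAccount}:CA;Replicating Directory Changes")
}

# 4. Export to AD: Create Child (CC) and Write Property (WP) on the synchronized OU,
#    inherited (/I:T) by the objects below it. Not granted unless write-back is needed.
if ($writeBack) {
    Invoke-Dsacls -Object $syncOU -Args @("/I:T", "/G", "${syncAccount}:CC", "${syncAccount}:WP")
}

# Verify: show the ACEs dsacls now reports for the sync account on the domain root.
& dsacls.exe $domainDN | Select-String -Pattern $sam
```

The rights are checked before the first synchronization is started; according to the deck, wrong permission settings are the most common cause of synchronization failures.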
Optional: NetBIOSDomainNamesEnabled
• Necessary when the NetBIOS name of the domain is not equal to the fully qualified domain name
• Example: fully qualified domain name: corporation.int; NetBIOS domain name: CORP
Configure and start UPS
• PowerShell: use a PowerShell script to configure and start the user profile synchronization service
• Use farm account: log in as the farm account before you try to start the synchronization
• Run as Administrator: run the SharePoint Management Shell as Administrator
• Be patient: even under normal circumstances this operation might take some time
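The "Configure and start UPS" step as a PowerShell script, added here as an example (not the speaker's script). It enforces the two preconditions from the slide (logged in as the farm account, elevated shell), registers this server as the sync machine and then polls until the FIM services are provisioned. The farm account name is an assumption; SetSynchronizationMachine is the UserProfileApplication method commonly used for the step Central Administration performs when you enter the farm account password.

```powershell
# Added example: start the User Profile Synchronization Service on this server.
# Farm account name is an assumption; run from the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = "CORP\sp_farm"

# Guard rails from the deck: farm account, elevated, on the chosen sync host.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.Name -ne $farmAccount) { throw "Log in as $farmAccount before starting synchronization." }
$isAdmin = (New-Object Security.Principal.WindowsPrincipal($me)).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run the SharePoint Management Shell as Administrator." }

$upa  = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
$sync = Get-SPServiceInstance | Where-Object {
            $_.TypeName -eq "User Profile Synchronization Service" -and
            $_.Server.Address -eq $env:COMPUTERNAME }
if (-not $upa -or -not $sync) { throw "UPA or sync service instance not found on this server." }

# Register this machine as the synchronization host. The FIM services are configured
# to run as the farm account, so its password is required here (prompted, not stored).
$cred  = Get-Credential -UserName $farmAccount -Message "Farm account password"
$plain = $cred.GetNetworkCredential().Password
$upa.SetSynchronizationMachine($env:COMPUTERNAME, $sync.Id, $farmAccount, $plain)

Start-SPServiceInstance -Identity $sync | Out-Null

# Be patient: provisioning the FIM services routinely takes several minutes.
$deadline = (Get-Date).AddMinutes(20)
do {
    Start-Sleep -Seconds 30
    $status = (Get-SPServiceInstance -Identity $sync.Id).Status
    Write-Host ("{0:T}  sync service status: {1}" -f (Get-Date), $status)
} while ($status -eq "Provisioning" -and (Get-Date) -lt $deadline)

if ($status -ne "Online") {
    throw "Synchronization service did not reach Online; check the ULS logs and the Windows Event Log."
}
```

Do not start or stop the FIM services themselves while this runs; as the deck notes, the service instance drives them.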
Profile properties and timer job
• Configure any additional profile properties you need
• Configure export of profile properties if necessary (remember the "Create Child Objects" permission)
• Use Central Administration to configure the synchronization connection, not the PowerShell cmdlets
• Configure all necessary connections
• From Central Administration run a full synchronization
• Set the interval in which the incremental sync should run
• Remove the farm account from the local Administrators group on the sync host
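The last two steps above as a PowerShell script, added here as an example (not the speaker's script): set the incremental synchronization schedule and take the farm account out of the local Administrators group once the sync service is provisioned. Schedule string and farm account name are assumptions.

```powershell
# Added example: incremental sync schedule plus clean-up of the local admin right
# the farm account needed only during provisioning. Names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = "CORP\sp_farm"
$schedule    = "daily at 02:00"   # SPSchedule string, e.g. "hourly between 0 and 59"

# Require a completed full synchronization first: the service must be Online here.
$sync = Get-SPServiceInstance | Where-Object {
            $_.TypeName -eq "User Profile Synchronization Service" -and $_.Status -eq "Online" }
if (-not $sync) { throw "No online synchronization service; run the full sync from Central Administration first." }

# The incremental job belongs to the (single) UPA; select it by display name.
$job = Get-SPTimerJob | Where-Object {
           $_.DisplayName -like "*User Profile Incremental Synchronization*" } | Select-Object -First 1
if (-not $job) { throw "Incremental synchronization timer job not found." }

Set-SPTimerJob -Identity $job -Schedule $schedule
$applied = (Get-SPTimerJob -Identity $job.Id).Schedule
Write-Host "Incremental sync schedule now: $applied"

# Remove the farm account from local Administrators on this sync host. Only the
# membership is removed; the FIM services keep running under the farm account.
$members = & net.exe localgroup Administrators
if ($members -match [regex]::Escape($farmAccount)) {
    & net.exe localgroup Administrators $farmAccount /delete | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not remove $farmAccount from local Administrators." }
    Write-Host "$farmAccount removed from local Administrators on $env:COMPUTERNAME."
} else {
    Write-Host "$farmAccount is not a local administrator; nothing to do."
}
```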
ADDITIONAL TIPS
Best practices
• Clean up your directory service
• Specify the domain controller to synchronize with
• Make friends with the directory service administrator
• Restart the sync service after installing updates
• Check timer job settings
Troubleshooting
• Check permissions: most problems when deploying user profile synchronization are caused by wrong permission settings
• Event Log: the Windows Event Log might contain additional information about what is going wrong
• ULS Log: use the ULS logs (in conjunction with a ULS Viewer) to find the proper error messages
• MIISClient: use C:\Program Files\Microsoft Office Servers\15.0\Synchronization Service\UIShell\miisclient.exe on the synchronization host to see FIM messages
A couple of things you should never do...
• Use the Farm Configuration Wizard to configure and start the user profile service application in STAGE and PROD environments
• Start or stop the FIM services manually
• Make any changes to the FIM services using the Services applet
• Use the MIISClient to make any changes
• Use the farm account as a synchronization account
Summary
• Identity Management: is the starting point for the implementation of the User Profile Synchronization.
• User Profile Service Application: depends on the Managed Metadata Service Application and is necessary for a lot of services and functionalities in SharePoint 2013.
• User Profile Synchronization: all in all a straightforward process, but depends on the correct permission settings and the account you are using to activate synchronization.
• Best practices
questions?
WWW.ADRIT.DE/BLOG
@ADRASKOVIC
thank you.