Hybrid SharePoint deep dive and troubleshooting


Thomas Vochten

January 27, 2018


  1. Hybrid SharePoint Deep Dive & Troubleshooting @thomasvochten SPS Helsinki 2018

    IT PRO - Level 300
  2. Thank you to our sponsors!

  3. Thomas Vochten SharePoint architect. Microsoft MVP. Speaker. Trainer. Involuntary DBA.

  5. Agenda
    1. Hybrid features overview
    2. Architecture & Setup
    3. Troubleshooting, tips & tricks
  6. Who has already deployed hybrid SharePoint?

  7. Hybrid Features Overview No marketing or get your money back

  8. Hybrid Capabilities
    • Hybrid OneDrive
    • Hybrid Profiles
    • Hybrid Sites
    • Hybrid App Launcher
    • Hybrid Taxonomy & Content Types
    • Hybrid Auditing (Preview)
    • Hybrid Self Service Site Creation
    • Hybrid Search
  9. Demo A quick walkthrough of (almost) all Hybrid Features

  10. Architecture & Setup Building a solid foundation

  11. The Big Picture

  12. A server-to-server (S2S) trust needs to be created between your on-premises farm and Azure Access Control Services (ACS)
  13. “ACS is a cloud-based federation service that provides an easy way to authenticate users against identity providers and, most important of all, Azure Active Directory”
  14. It’s all about trust
    • ACS works as a trust broker between SharePoint on-premises and SharePoint Online / Office 365
    • It generates security tokens which are trusted by both sides
    • These tokens are used to authorize actions on behalf of the user
  15. One small problem though…

  16. ACS is about to be deprecated
    • You can’t create any more namespaces since July 2017
    • The future is Azure Active Directory
    • SharePoint still needs it for hybrid & add-ins
    • No official message yet on what will happen
  17. Trust creation | Tools Configuration Wizard PowerShell (Hybrid search only)

    (All hybrid features)
  18. Trust creation | Online
    • Office 365 already trusts ACS by default
    • The on-premises farm will be registered as a service principal
    • To sign the security token, a certificate needs to be created
    • The certificate will be registered as credential for the service principal
  19. Trust creation | On-Premises
    • Office 365 will be registered as an app principal
    • The farm’s authentication realm will be changed to your tenant id
    • A link to ACS will be created by adding a service application proxy
    • ACS will be registered as a Trusted Security Token Issuer
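  20. Do we always need that trust?

    | Feature  | Identity Sync | Single Sign On | Trust creation | Reverse Proxy |
    |----------|---------------|----------------|----------------|---------------|
    | OneDrive | Y             | O              | O              | N             |
    | Profiles | Y             | O              | O              | N             |
    | Sites    | Y             | O              | Y              | N             |
    | Search   | Y             | O              | Y              | O             |

    Trust is only needed for specific scenarios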
  21. Hybrid features vs SharePoint versions
    Table inspired by work by Nico Martens

    | Feature                                           | SP 2013    | SP 2016          |
    |---------------------------------------------------|------------|------------------|
    | Federated hybrid search                           | RTM        | RTM              |
    | Cloud hybrid search                               | 01/2016 CU | RTM              |
    | Hybrid app launcher                               | 07/2016 CU | RTM              |
    | Hybrid OneDrive & Profiles                        | 09/2015 CU | RTM              |
    | Hybrid Sites                                      | 07/2016 CU | RTM              |
    | Hybrid Taxonomy                                   | 11/2016 CU | FP1 (11/2016 CU) |
    | Hybrid Content Types                              | 06/2017 CU | 06/2017 CU       |
    | Hybrid Auditing (preview)                         | N/A        | FP1 (11/2016 CU) |
    | Hybrid self service site creation                 | 03/2017 CU | 11/2017 CU       |
    | MySite creation defaults to OneDrive for Business | 10/2017 CU | N/A              |
  22. Required service applications
    • App Management Service
    • Subscription Settings Service
    • User Profile Service
    You still need an on-premises User Profile configuration!
  23. Additional Requirements for Search
    • Azure Active Directory PowerShell
    • Microsoft Online Services Sign-In Assistant
  24. Getting ready for a hybrid setup
    • Decent internet connectivity (duh)
    • Office 365 Enterprise subscriptions
    • Identity synchronization & management is key
    • SharePoint Admin account for on-premises
    • Tenant Admin account for Office 365
  25. Introducing the SharePoint Hybrid Configuration Wizard

  32. Disclaimer: I (still) prefer PowerShell to create the search service

  36. Visible changes to your farm Service Application Proxies

  37. Visible changes to your farm
    Registered trust certificates
    Note: in SharePoint 2013, you only have the ACS certificates
  38. Troubleshooting, tips & tricks Trouble in paradise

  39. Caution! Enabling hybrid features can break
    • Provider-hosted add-ins
    • Workflow Manager trust
    Recent versions of the configuration wizard are able to detect/fix this issue!
  41. Manual Workaround Scripts to fix provider-hosted add-ins:

  42. Tip | Licenses & Identity Synchronization

  43. Tip | Licenses & Identity Synchronization
    • Make sure all users are synchronized
    • Make sure all users have an appropriate license
    Sync & give your admin accounts a license in Office 365!
  44. PowerShell to the rescue!
    • Set up the trust manually
    • Investigation & troubleshooting
  45. Install-Module MSOnline

  46. $cred = Get-Credential
    Connect-MSOLService -Credential $cred

  47. On-Premises cmdlets:
    Get-SPTrustedSecurityTokenIssuer
    Get-SPTrustedRootAuthority
    Azure cmdlets:
    Get-MsolServicePrincipal

  48. Networking-related issues
    • Internet connectivity (client & server)
    • Ports to be opened, sites to be reachable for search
    • Proxy servers!
    netsh winhttp import proxy source=ie
    netsh winhttp set proxy
  49. Tip | Direct link to the configuration wizard

  50. Tip | Run the wizard with admin privileges
    Important for things like starting the SharePoint Insights service in 2016 for hybrid auditing or when something just doesn’t work…
  51. Some feature-specific tips

  52. Tips | Hybrid search
    • Use the “IsExternalContent” managed property
    • Don’t forget to create an on-premises result source and set it as default
    More tips:
  53. Tips | Taxonomy & Content Types
    • Grant your farm account permissions on the term store
    • Watch the timer jobs!
      Taxonomy Groups Replication
      Content Type Replication
    • PowerShell to copy your on-prem termstore/ctypes to the cloud:
      Copy-SPTaxonomyGroups
      Copy-SPContentTypes
    More tips:
  54. Tips | App Launcher
    Not seeing your custom app icon? Use the developer tools console in your browser:
    ClearSuiteLinksCache()
  55. Tips | SRXCore
    • Search diagnostics tool
    • Can be used to diagnose some hybrid issues too
  56. Demo PowerShell to the rescue

  57. • Don’t skip the “obvious” prerequisites, like licensing and identity synchronization
    • Different hybrid capabilities have different requirements
    • Understand the key architecture, the trust model and their moving parts
    • Always use the latest version of the hybrid configuration wizard, it’s updated regularly
    • Develop a troubleshooting strategy, learn the PowerShell cmdlets
  58. Questions?

  59. @thomasvochten Please rate this session
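
A read-only check of the trust pieces listed on slides 18, 19 and 47, added here as an example and not taken from the deck. Assumptions: it runs on a farm server with the MSOnline module installed, the ACS issuer is recognised by its metadata endpoint host, the signing certificate is registered on the SharePoint Online service principal (its well-known application id is used below), and the 30-day warning window is arbitrary.

```powershell
# Added example: read-only checks of the hybrid S2S trust. Nothing is modified.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

# Well-known application id of SharePoint Online in Azure AD.
$spoAppId = '00000003-0000-0ff1-ce00-000000000000'
$warnDays = 30   # assumption: warn this many days before a credential expires

# 1. The farm's authentication realm should equal the tenant id (slide 19).
$tenantId = (Get-MsolCompanyInformation).ObjectId.ToString()
$realm    = Get-SPAuthenticationRealm
[pscustomobject]@{
    Check  = 'Authentication realm equals tenant id'
    Detail = "realm=$realm tenant=$tenantId"
    Ok     = ($realm -eq $tenantId)
}

# 2. ACS should be registered as a trusted security token issuer (slide 19).
#    Assumption: the ACS issuer is identified by its metadata endpoint host.
$acs = Get-SPTrustedSecurityTokenIssuer |
    Where-Object { "$($_.MetadataEndPoint)" -like '*accesscontrol.windows.net*' }
[pscustomobject]@{
    Check  = 'ACS trusted security token issuer present'
    Detail = ($acs | ForEach-Object { $_.Name }) -join ', '
    Ok     = [bool]$acs
}

# 3. Certificates registered as credentials on the service principal (slide 18).
#    -ReturnKeyValues $false lists validity dates without returning key material.
Get-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -ReturnKeyValues $false |
    Where-Object { $_.Type -eq 'Asymmetric' } |
    ForEach-Object {
        $daysLeft = [int]($_.EndDate - (Get-Date)).TotalDays
        $from     = $_.StartDate.ToString('yyyy-MM-dd')
        $to       = $_.EndDate.ToString('yyyy-MM-dd')
        [pscustomobject]@{
            Check  = "Service principal credential $($_.KeyId)"
            Detail = "valid $from to $to, $daysLeft days left"
            Ok     = ($daysLeft -gt $warnDays)
        }
    }
```

Any row with `Ok = False` points at the part of the trust to investigate first: a realm mismatch, a missing ACS issuer, or a signing certificate that has expired or is about to.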