Hybrid BCS Part 5 – Validation

Now that you have created an external list or deployed an app for SharePoint in SharePoint Online, you need to test the security you put in place. Every account that will be accessing and manipulating the external data must have three properties:

  1. It must have user or greater permissions to the SharePoint Online site and the external list or app for SharePoint.
  2. It must be a federated account.
  3. It must be a member of the on-premises global security group that you are using to control access to the OData service endpoint. For example, it must be a member of ODataGroup.

In this procedure, you will open the SharePoint Online site and the external list or app for SharePoint with four different accounts.

To validate security on the BCS hybrid

  1. Identify or create one account for each of the account types listed in the following table.

Account A

  1. Has site/list/app permissions.
  2. Is federated.
  3. Is a member of the on-premises global security group (ODataGroup).

Expected outcome: External data is displayed and editable.

Troubleshooting step: If the external data does not display or you cannot edit it, check the site permissions, your federation setup, and the membership of your on-premises global security group (ODataGroup).

Account B

  1. Does not have site/list/app permissions.
  2. Is federated.
  3. Is a member of the on-premises global security group (ODataGroup).

Expected outcome: External data does not display.

Troubleshooting step: If the external data does display and you can edit it, check the site/list/app permissions.

Account C

  1. Has site/list/app permissions.
  2. Is not federated (is a cloud-only Office 365 account).
  3. Cannot be added to the on-premises global security group (ODataGroup), because it has no on-premises account.

Expected outcome: External data does not display.

Troubleshooting step: If the external data does display and you can edit it, check your federation setup and the membership of your on-premises global security group (ODataGroup).

Account D

  1. Has site/list/app permissions.
  2. Is federated.
  3. Is not a member of your on-premises global security group (ODataGroup).

Expected outcome: External data does not display.

Troubleshooting step: If the external data does display and you can edit it, check the membership of your on-premises global security group (ODataGroup) and the permissions that you set on the OData service endpoint when you followed "Prepare the SharePoint Online environment for the Business Connectivity Services hybrid scenario".

 

  2. Open (using InPrivate browsing if possible) the SharePoint Online site that contains the external list or app for SharePoint with each of the accounts in turn. Be sure to completely log out and close your browser between tests, so that a cached token from the previous account cannot influence the result.
  3. If you don't see the expected outcome, refer to the troubleshooting step in the previous table, fix the issue, and repeat all four tests until every account shows its expected outcome.
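The browser tests above exercise the whole chain at once, so when Account D unexpectedly sees data you still do not know whether the group membership, the endpoint permissions or the federation setup is at fault. The following PowerShell script is an added example, not part of the original post: it calls the published OData service directly with Windows credentials for each on-premises test account and reports whether the endpoint itself allowed or denied the request, which isolates the endpoint authorization from everything SharePoint Online does. The service URL, the domain and the account names are assumptions. Accounts B and C cannot be checked this way: B has an on-premises account and is supposed to be allowed at the endpoint (its test is about site permissions), and C has no on-premises account at all.

```powershell
# Added example (not from the original post): probe the on-premises OData
# endpoint's own authorization with each on-premises test account.
# Assumptions (hypothetical): the service is published at the URL below and
# the accounts are CONTOSO\accountA and CONTOSO\accountD.

function Get-EndpointDecision {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    try {
        # -Credential lets the request answer the server's Windows auth challenge
        $response = Invoke-WebRequest -Uri $Uri -Credential $Credential -UseBasicParsing -ErrorAction Stop
        $status = [int]$response.StatusCode
    }
    catch {
        # No HTTP response at all (DNS, TLS, proxy): that is not an authorization answer
        if (-not $_.Exception.Response) { throw }
        $status = [int]$_.Exception.Response.StatusCode
    }
    switch ($status) {
        200                 { return "Allowed ($status)" }
        { $_ -in 401, 403 } { return "Denied ($status)" }
        default             { return "Unexpected ($status)" }
    }
}

$endpoint = 'https://odata.contoso.com/Northwind.svc/'   # assumed published URL

# Only the accounts whose expected outcome depends on the endpoint are listed
$cases = @(
    @{ Label = 'Account A: federated, member of ODataGroup';       User = 'CONTOSO\accountA'; Expect = 'Allowed' },
    @{ Label = 'Account D: federated, not a member of ODataGroup'; User = 'CONTOSO\accountD'; Expect = 'Denied'  }
)

foreach ($case in $cases) {
    $cred     = Get-Credential -UserName $case.User -Message $case.Label
    $decision = Get-EndpointDecision -Uri $endpoint -Credential $cred
    $verdict  = if ($decision.StartsWith($case.Expect)) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1,-50} {2}' -f $verdict, $case.Label, $decision
}
```

Run it from a domain-joined machine that can reach the published URL. A FAIL for Account A points at the endpoint ACL or the Windows authentication settings of the service; a FAIL for Account D means the endpoint grants access to users outside ODataGroup, so fixing site permissions in SharePoint Online will not help until that is corrected.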

If you see the error message:

ResourceBudgetExceeded, sending throttled status code. Exception=Microsoft.SharePoint.SPResourceBudgetExceededException: ResourceBudgetExceeded at Microsoft.SharePoint.SPResourceTally.Check(Int32 value) at Microsoft.SharePoint.SPAggregateResourceTally.Check(SPResourceKind kind, Int32 value) at Microsoft.SharePoint.Client.SPClientServiceHost.OnBeginRequest()

 

You can either remove the throttling rule (this also removes the farm's protection against long-running client requests, so prefer raising the limit unless you understand the load on the farm):

# Run from the SharePoint 2013 Management Shell on the on-premises farm
$webapp = Get-SPWebApplication -Identity http://<URL of your on-premises farm>
$rule = $webapp.AppResourceTrackingSettings.Rules.Get([Microsoft.SharePoint.SPResourceKind]::ClientServiceRequestDuration)
$rule.Remove()

Or change the throttling value:

$webapp = Get-SPWebApplication -Identity http://<URL of your on-premises farm>
# Replace the rule for the client service request duration, both limits set to 150000
$webapp.AppResourceTrackingSettings.Rules.Add([Microsoft.SharePoint.SPResourceKind]::ClientServiceRequestDuration, 150000, 150000)
$webapp.AppResourceTrackingSettings.WindowCount = 10
$webapp.AppResourceTrackingSettings.WindowSize = [System.TimeSpan]::FromSeconds(30)
$webapp.Update()

Note: 150000 is the limit in milliseconds (150 seconds).

 

Troubleshooting the hybrid configuration

  1. Verify that the external data source is running and accessible
  2. Verify that one-way outbound or two-way authentication is working
  3. Verify configuration steps presented earlier
  4. Check logs written by the Unified Logging Service (ULS logs or trace logs)

<< Previous – Part 4 – Connect to on-premises services

Configuring Hybrid Infrastructure

 

Setting up SharePoint on-premises requires that you meet basic SSO deployment requirements and then configure SharePoint 2013 services and inbound requests.

When you set up and enable SSO, users in your organization are able to use their corporate credentials to access the Office 365 service offerings. This removes the burden of managing multiple logon identities and passwords. Without SSO, an Office 365 user would have to maintain separate user names and passwords. For an even better end-user experience, you can create and deploy smart links, which can help speed user sign-in requests by reducing the number of redirects necessary for authentication.

In addition to user advantages, administrators and the organization can also benefit from SSO. For example, configuring SSO helps to enforce the organization’s password policies and account restrictions in both the on-premises directory and the Office 365 directory.

To prepare, make sure the environment meets the requirements for SSO and verify that your on-premises Active Directory and your Azure Active Directory tenant are set up in a way that is compatible with single sign-on. Active Directory must be deployed and running on Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 with a functional level of mixed or native mode. If you plan to use AD FS as your STS, you will need to do one of the following:

  1. Download, install, and deploy AD FS 2.0 on a Windows Server 2008 or Windows Server 2008 R2 server.
  2. Install the AD FS role service on a Windows Server 2012 or Windows Server 2012 R2 server.

In either case, also deploy an AD FS proxy if users will be connecting from outside the company network.

In addition, Active Directory must have certain settings configured to work properly with single sign-on. In particular, the UPN, or the user logon name, must be set up in a specific way for each user.

 

Configure SharePoint 2013 services

You need to configure the User Profile Service to synchronize user and group profiles from the on-premises Active Directory domain. When federated users access resources in a hybrid environment, the STS makes calls to the User Profile Service to obtain user account metadata, such as the UPN and email property values. This metadata is used by the STS to construct security tokens during the authentication process.

The identity claim that SharePoint Online presents to the on-premises SharePoint farm is the user's SMTP (email) address. To support this, you need to ensure that the SharePoint user profile of every federated user is populated with the user's email address and that it matches the user's UPN.

This means that the work email field in the on-premises SharePoint User Profile Store needs to contain the user's federated email address. For example, if a federated user logs on to the on-premises domain as contoso\karenb and the public domain for the hybrid environment is contoso.com, her federated email address is karenb@contoso.com.
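A profile whose work email is empty, or differs from the UPN, fails silently later as an "access denied" in the hybrid feature, so it pays to find such profiles up front. The following PowerShell script is an added example, not part of the original post: it walks the on-premises User Profile Service, looks up each account's UPN in Active Directory, and lists every profile that does not meet the rule described above. The site URL and the public domain are assumptions; run it from the SharePoint 2013 Management Shell on a server that has the Active Directory module installed.

```powershell
# Added example (not from the original post): report user profiles whose work
# email does not match the federated identity (UPN on the public domain).
# Assumptions (hypothetical): a site in the farm at http://sharepoint.contoso.com
# and contoso.com as the public domain verified in Office 365.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$siteUrl      = 'http://sharepoint.contoso.com'
$publicDomain = 'contoso.com'

# The rule in one place: work email must equal the AD UPN, and the UPN must use
# the public domain suffix (a .local or other non-routable suffix cannot federate).
function Test-FederatedProfile {
    param([string]$WorkEmail, [string]$Upn, [string]$PublicDomain)
    if ([string]::IsNullOrWhiteSpace($Upn))       { return 'No UPN in Active Directory' }
    if ($Upn -notmatch ('@' + [regex]::Escape($PublicDomain) + '$')) { return "UPN suffix is not $PublicDomain" }
    if ([string]::IsNullOrWhiteSpace($WorkEmail)) { return 'Work email is empty in the profile' }
    if ($WorkEmail -ne $Upn)                      { return 'Work email does not match the UPN' }   # -ne is case-insensitive
    return 'OK'
}

$context = Get-SPServiceContext (Get-SPSite $siteUrl)
$upm     = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

$report = foreach ($userProfile in $upm.GetEnumerator()) {
    # SharePoint 2013 stores claims-encoded names such as i:0#.w|contoso\karenb;
    # the part after the last backslash is the sAMAccountName either way.
    $account   = [string]$userProfile['AccountName'].Value
    $sam       = $account.Split('\')[-1]
    $workEmail = [string]$userProfile['WorkEmail'].Value
    $adUser    = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties UserPrincipalName
    if (-not $adUser) { continue }   # not a domain account (service or system identity)

    [pscustomobject]@{
        Account   = $account
        WorkEmail = $workEmail
        Upn       = $adUser.UserPrincipalName
        Status    = Test-FederatedProfile -WorkEmail $workEmail -Upn $adUser.UserPrincipalName -PublicDomain $publicDomain
    }
}

# Only the profiles that will break federated access are shown
$report | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Fix the flagged accounts in Active Directory (UPN) and re-run a full profile synchronization rather than editing the profile property by hand, otherwise the next sync overwrites the manual change.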

You must verify that the App Management and Microsoft SharePoint Foundation Subscription Settings services are started and configured. These services must be enabled to support certain configuration procedures, and to help register SharePoint Online as a high-trust application in SharePoint 2013.

 

Configure SharePoint 2013 for inbound requests

If the hybrid environment is configured for an inbound authentication topology, you must ensure that a single on-premises web application is configured to receive requests from SharePoint Online. This web application is referred to as the primary web application for the hybrid environment, and it accepts requests from the external endpoint URL. No specific web application configuration is required to support a one-way outbound authentication topology.

In a SharePoint Server 2013 hybrid environment, outbound connections can be made from any on-premises web application. A single SharePoint Server 2013 web application must be configured for inbound connections; it is used as the primary web application for accepting inbound connections and configuring services and connection objects for the hybrid features you deploy. You can either create a new web application and site collection or configure an existing web application for this purpose.

 

Configure SharePoint Online

Setting up SharePoint Online requires that you choose an application authentication topology and make additional configuration choices for the service.

 

Choose authentication topology

As shown in Figure 1, your choice of an authentication topology determines how certificates are configured and what capabilities are present in the hybrid solution.

Figure 1: Application authentication topologies

One-way outbound topology

One-way outbound topology is not supported with hybrid BCS; only the one-way inbound and two-way (bidirectional) topologies are.

One-way inbound topology

A one-way inbound hybrid topology enables SharePoint Online to connect to SharePoint Server 2013 through a reverse proxy device (Figure 2). For example, users of a SharePoint Online Search portal can see both local and remote search results, but only local results are available in the SharePoint Server 2013 Search portal.

Figure 2: One-way inbound topology

A one-way inbound topology can be configured to let users access on-premises SharePoint search results from the Internet, as long as they have access to the intranet through a virtual private network or DirectAccess.

  1. On-premises SharePoint Server 2013 Enterprise Search portal: Local search results are available
  2. SharePoint Online Search portal: Local and remote search results are available

Two-way (bidirectional) topology

A two-way topology enables bidirectional hybrid service integration between the on-premises SharePoint Server 2013 farm environment and the Office 365 tenant (Figure 3). For example, search can be configured to allow federated users to see both local and remote search results in either SharePoint Server 2013 or SharePoint Online Search portals.

Figure 3: Two-way (bidirectional) topology

A two-way topology can be configured to let users access on-premises SharePoint search results from the Internet, as long as they have access to the intranet through a virtual private network or DirectAccess.

  1. On-premises SharePoint Server 2013 Enterprise Search portal and SharePoint Online Search portal: Local and remote search results are available.
  2. If extranet authentication services are configured, extranet users can log on remotely through an on-premises Active Directory account and use all available hybrid functionality.

 

Refer to these articles to configure your reverse proxy server and establish a secure connection between your SharePoint Online tenant and your on-premises farm:

Configure a one-way inbound hybrid topology: Learn how to configure the infrastructure for SharePoint 2013 hybrid environments that use a one-way inbound authentication topology.

Configure a two-way bidirectional hybrid topology: Learn how to configure the infrastructure for SharePoint 2013 hybrid environments that use a two-way authentication topology.

 

 

Hybrid BCS Part 3 – External Content Type Configuration

 

Next, you need to create an External Content Type (ECT) based on the OData source. Note that a Hybrid BCS implementation works only with ECTs based on an OData source, and the ECT can be created only with Visual Studio, not with SharePoint Designer.

To create an ECT, you need the following:

  1. SharePoint Server 2013
  2. Visual Studio 2013
  3. Office Developer Tools for Visual Studio 2013
  4. An OData service that can be accessed from the internet

Create new SharePoint App

Using Visual Studio 2013, create a new SharePoint App:

  1. Under the Office/SharePoint templates, select App for SharePoint to create a new project
  2. Name your project and click OK
  3. Enter the URL of your local on-premises SharePoint site to use for debugging the project
  4. Select SharePoint-hosted
    Note:
    In a SharePoint-hosted app, all components are hosted on a SharePoint farm, either on-premises or in Office 365. SharePoint-hosted apps are installed on a SharePoint 2013 website, called the host web.
  5. Click Finish
  6. In Solution Explorer, right-click the project and click Add > Content Types for an External Data Source
  7. Enter the URL of the OData service you published in the previous part and choose a name for the data source
  8. Click Next
  9. Select one or more data entities
  10. Click Finish

This creates an External Content Type for each entity you selected.

Once you have created your External Content Types, you need to add them to the Business Data Connectivity (BDC) metadata store so that you can use them in your site collections.

In the previous section, each entity in the OData source became a single ECT. However, all of the generated .ect files use the same Model name, and the BDC metadata store requires model names to be unique, so only the first file would import. To fix this, follow these steps:

  1. In Visual Studio, right-click the ECT file and select Open With. Each entity has its own .ect file located under "External Content Types\<folder name>".
  2. Select XML (Text) Editor and click OK.
  3. At the top of the document, the Model element has a Name attribute. Its value is the name you chose when you connected to the OData source, for example NorthwindCustomersModel, and it is identical in every ECT file created from the entities. Change it to a value that is unique to the entity in that file, for example Categories Table or Employees Table.
  4. Repeat the change in each of the ECT files.
  5. Optionally, also change the Namespace attribute of the Entity element.
  6. Save the ECT file.

Upload ECT to the BDC Model

Once you have made the changes to all of your ECT files, you can upload all your entities to your BDC model. To do so:

  1. Go to your SharePoint Central Administration
  2. Navigate to Application Management > Manage service applications
  3. Click your Business Data Connectivity Service application
  4. Click on Import
  5. Navigate to your ECT file locations and import each ECT file; as an alternative solution, you can develop a PowerShell script to import all the files
  6. Click OK
  7. Repeat the above steps for all your models
  8. Once you have imported the BDC models, you will need to grant permissions for users to use them
  9. On each of the model, click on the dropdown menu and select Set Permissions
  10. Select the right permission you need to give for each group
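Both the rename of the Model Name in every .ect file and the import plus permission steps above are repetitive and easy to get wrong on the second or third entity. The following PowerShell script is an added example, not part of the original post, that does all three in one pass on the on-premises farm: it derives a unique Model name from the entity in each file, imports every file into the BDC metadata store, and grants an administrators group full rights while ODataGroup gets only Execute and SelectableInClients, which is all an external list needs. The folder path, site URL, domain and group names are assumptions.

```powershell
# Added example (not from the original post): rename, import and set
# permissions on the generated .ect files in one pass.
# Assumptions (hypothetical): the project folder, site URL and the CONTOSO
# groups below. Run from the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ectFolder  = 'C:\Projects\NorthwindApp\External Content Types\NorthwindCustomers'
$siteUrl    = 'http://sharepoint.contoso.com'
$bdcAdmins  = 'CONTOSO\BDCAdmins'     # full control over the imported models
$odataGroup = 'CONTOSO\ODataGroup'    # users allowed to execute the ECTs

$ectFiles = Get-ChildItem -Path $ectFolder -Filter '*.ect'

# Step 1: make the Model Name unique per file. Each .ect file holds one entity,
# so the entity's own Name is a safe basis for the model name.
foreach ($file in $ectFiles) {
    [xml]$doc   = Get-Content -Path $file.FullName -Raw
    $model      = $doc.DocumentElement                       # the <Model> root element
    $entity     = $model.LobSystems.LobSystem.Entities.Entity
    $entityName = $entity.GetAttribute('Name')
    $uniqueName = '{0}Model' -f $entityName                  # e.g. CategoriesModel
    if ($model.GetAttribute('Name') -ne $uniqueName) {
        Write-Host ("{0}: Model '{1}' -> '{2}'" -f $file.Name, $model.GetAttribute('Name'), $uniqueName)
        $model.SetAttribute('Name', $uniqueName)
        $entity.SetAttribute('Namespace', ('Northwind.{0}' -f $entityName))   # optional, as in step 5
        $doc.Save($file.FullName)
    }
}

# Step 2: import every model. -Force overwrites a model of the same name,
# which is what you want when re-running after a fix.
foreach ($file in $ectFiles) {
    Import-SPBusinessDataCatalogModel -Path $file.FullName -ServiceContext $siteUrl -Force
}

# Step 3: permissions. Least privilege for the users: no Edit, no SetPermissions.
$adminClaim = New-SPClaimsPrincipal -Identity $bdcAdmins  -IdentityType WindowsSecurityGroupName
$userClaim  = New-SPClaimsPrincipal -Identity $odataGroup -IdentityType WindowsSecurityGroupName

foreach ($file in $ectFiles) {
    [xml]$doc  = Get-Content -Path $file.FullName -Raw
    $modelName = $doc.DocumentElement.GetAttribute('Name')
    $bdcModel  = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Model -Name $modelName -ServiceContext $siteUrl
    Grant-SPBusinessDataCatalogMetadataObject -Identity $bdcModel -Principal $adminClaim -Right Edit, Execute, SelectableInClients, SetPermissions
    Grant-SPBusinessDataCatalogMetadataObject -Identity $bdcModel -Principal $userClaim  -Right Execute, SelectableInClients
    Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $bdcModel   # push the ACL down to the entities and methods
}
```

Keep at least one principal with SetPermissions on every model (here the administrators group); a model on which nobody holds that right can only be repaired by re-importing it.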

<< Previous – Part 2 – Create an OData Source 

>> Next – Part 4 – Connect to on-premises services

Hybrid BCS – Part 2 – Create an OData Source

 

The BCS hybrid scenario supports connecting only to an Open Data Protocol (OData) source. If your external data already has an OData service endpoint, you can skip the parts of this procedure that create one.

Using Visual Studio 2013, create an empty ASP.NET web application named NorthwindWeb, and follow these steps:

Add an ADO.NET Entity Data Model

 

  1. Right click on the project and choose Add >> New Item
  2. Select Data under Visual C#
  3. Select ADO.NET Entity Data Model
  4. Call it NorthwindModel.edmx
  5. Click Add
  6. Select Generate from database in the Entity Data Model Wizard
  7. Click Next
  8. Choose New Connection if you do not have an existing connection, or connect to an existing one
  9. Click Next
  10. Select Entity Framework 5.0
  11. Select all the tables
  12. Click Finish
  13. Compile the project.

Add a WCF Data Service

  1. Right click on the project and choose Add >> New Item
  2. From the Web node choose the WCF Data Service 5.6 item
  3. In the Name text box, enter Northwind
  4. Click on Add
  5. Edit the generated code for the Northwind service to make the following two changes:

     1. Change the class declaration to: public class NorthwindCustomers : DataService<NorthwindEntities>
     2. Replace the comments in the InitializeService method with: config.SetEntitySetAccessRule("*", EntitySetRights.All);
  6. Compile the project.

Note that "*" together with EntitySetRights.All exposes every entity set for read, create, update and delete to anyone who can reach the service. In the hybrid scenario the only gate in front of it is the authorization you place on the endpoint (the ODataGroup), so once validation is complete, narrow the rule to the entity sets and rights the external list actually needs.

That completes the creation of the OData source.

<< Previous – Part 1 – Introduction to Hybrid BCS Architecture

>> Next – Part 3 – External Content Type Configuration