Now that you have created an external list or deployed an app for SharePoint in SharePoint Online, you need to test the security you put in place. Every account that will be accessing and manipulating the external data must have three properties:
In this procedure, you will open the SharePoint Online site and the external list or app for SharePoint with four different accounts.
To validate security on the BCS hybrid
Account | Expected outcome | Troubleshooting step |
Account A | External data displayed and editable. | If the external data does not display or you cannot edit it, check the site permissions, your federation setup, and the membership of your on-premises global security group (for example, ODataGroup). |
Account B | External data does not display. | If the external data does display and you can edit it, check the site/list/app permissions. |
Account C | External data does not display. | If the external data does display and you can edit it, check your federation setup and the membership of your on-premises global security group (ODataGroup). |
Account D | External data does not display. | If the external data does display and you can edit it, check the membership of your on-premises global security group (ODataGroup) and the permissions you set on the OData service endpoint in Prepare the SharePoint Online environment for the Business Connectivity Services hybrid scenario. |
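The following PowerShell is an added example, not code from the original post. Before signing in with each test account, it automates the two on-premises checks that the troubleshooting column refers to: recursive membership of the global security group and a UPN in the federated domain. It assumes the ActiveDirectory module, a group named ODataGroup, contoso.com as the federated domain, and placeholder account names; site, list and app permissions live in SharePoint Online and still have to be checked there.

```powershell
# Added example: report the on-premises preconditions for each test account.
# Assumptions: ActiveDirectory module is available, the group is ODataGroup,
# the federated public domain is contoso.com, and the account names are placeholders.
Import-Module ActiveDirectory

$GroupName       = 'ODataGroup'      # assumption: on-premises global security group
$FederatedDomain = 'contoso.com'     # assumption: public domain federated with Office 365
$TestAccounts    = 'accountA', 'accountB', 'accountC', 'accountD'   # placeholders

# Expand the group once, recursively, so members of nested groups are counted.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

foreach ($sam in $TestAccounts) {
    $user = Get-ADUser -Identity $sam -Properties UserPrincipalName, mail -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "$sam was not found in the on-premises directory"
        continue
    }

    $inGroup   = $members -contains $sam.ToLowerInvariant()
    $upnSuffix = ($user.UserPrincipalName -split '@')[-1]
    $federated = $upnSuffix -eq $FederatedDomain
    # Work email should equal the federated address; AD 'mail' usually feeds it.
    $mailMatch = [bool]$user.mail -and ($user.mail -eq $user.UserPrincipalName)

    [pscustomobject]@{
        Account            = $sam
        UPN                = $user.UserPrincipalName
        InODataGroup       = $inGroup
        FederatedUPN       = $federated
        MailEqualsUPN      = $mailMatch
        # True only when both on-premises checks pass; site/list/app
        # permissions in SharePoint Online are not covered here.
        OnPremChecksPass   = $inGroup -and $federated
    }
}
```

An account whose row shows OnPremChecksPass = False is expected to see no external data regardless of its SharePoint Online permissions; if it does, the group membership or federation setup has drifted from what you tested.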
If you see the error message:
ResourceBudgetExceeded, sending throttled status code. Exception=Microsoft.SharePoint.SPResourceBudgetExceededException: ResourceBudgetExceeded at Microsoft.SharePoint.SPResourceTally.Check(Int32 value) at Microsoft.SharePoint.SPAggregateResourceTally.Check(SPResourceKind kind, Int32 value) at Microsoft.SharePoint.Client.SPClientServiceHost.OnBeginRequest()
You can either remove the throttling rule, which disables the ClientServiceRequestDuration resource budget for the web application entirely:
$webapp = Get-SPWebApplication -Identity http://<URL of your on-premises farm>
# Look up the resource-tracking rule that raised the exception
$rule = $webapp.AppResourceTrackingSettings.Rules.Get([Microsoft.SharePoint.SPResourceKind]::ClientServiceRequestDuration)
$rule.Remove()
Or raise the throttling value, which keeps a ceiling in place:
$webapp = Get-SPWebApplication -Identity http://<URL of your on-premises farm>
$webapp.AppResourceTrackingSettings.Rules.Add([Microsoft.SharePoint.SPResourceKind]::ClientServiceRequestDuration, 150000, 150000)
$webapp.AppResourceTrackingSettings.WindowCount = 10
$webapp.AppResourceTrackingSettings.WindowSize = [System.TimeSpan]::FromSeconds(30)
$webapp.Update()
Note: 150000 is a time in milliseconds (150 seconds).
Setting up SharePoint on-premises requires that you meet basic SSO deployment requirements and then configure SharePoint 2013 services and inbound requests.
When you set up and enable SSO, users in your organization are able to use their corporate credentials to access the Office 365 service offerings. This removes the burden of managing multiple logon identities and passwords. Without SSO, an Office 365 user would have to maintain separate user names and passwords. For an even better end-user experience, you can create and deploy smart links, which can help speed user sign-in requests by reducing the number of redirects necessary for authentication.
In addition to user advantages, administrators and the organization can also benefit from SSO. For example, configuring SSO helps to enforce the organization’s password policies and account restrictions in both the on-premises directory and the Office 365 directory.
To prepare, make sure the environment meets the requirements for SSO and verify that the on-premises Active Directory and the Azure Active Directory tenant are set up in a way that is compatible with single sign-on. Active Directory must be deployed and running on Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 at a mixed or native functional level. If you plan to use AD FS as your STS, you will need to do one of the following:
In addition, Active Directory must have certain settings configured to work properly with single sign-on. In particular, the UPN, or the user logon name, must be set up in a specific way for each user.
You need to configure the User Profile Service to synchronize user and group profiles from the on-premises Active Directory domain. When federated users access resources in a hybrid environment, the STS makes calls to the User Profile Service to obtain user account metadata, such as the UPN and email property values. This metadata is used by the STS to construct security tokens during the authentication process.
SharePoint Online presents claims to the on-premises SharePoint farm using the user's SMTP (email) address as the identity claim. To support this, ensure that the SharePoint user profile of every federated user carries the email address that corresponds to the user's UPN.
This means that the Work Email field in the on-premises SharePoint User Profile Store must contain the user's federated email address. For example, if a federated user logs on to the on-premises domain as contoso\karenb and the public domain for the hybrid environment is contoso.com, her federated email address is [email protected].
You must verify that the App Management and Microsoft SharePoint Foundation Subscription Settings services are started and configured. These services are required by certain configuration procedures and for registering SharePoint Online as a high-trust app in SharePoint 2013.
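The following PowerShell is an added example rather than code from the original post. Run in the SharePoint 2013 Management Shell on a farm server, it performs the two prerequisite checks from the preceding paragraphs: that the App Management and Subscription Settings service instances are online somewhere in the farm, and that the Work Email of every federated user profile equals the user's UPN. The site URL and federated domain are assumptions; WorkEmail, AccountName and SPS-UserPrincipalName are the standard SharePoint 2013 profile property names.

```powershell
# Added example: check the on-premises prerequisites for the BCS hybrid scenario.
# Assumptions: run on a SharePoint 2013 farm server; site URL and federated
# domain below are placeholders for your environment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl         = 'http://sharepoint.contoso.local'   # assumption: any site in the farm
$FederatedDomain = 'contoso.com'                        # assumption: public federated domain

# 1. The two service instances must be Online on at least one server.
$required = '*App Management*', '*Subscription Settings*'
foreach ($pattern in $required) {
    $instances = Get-SPServiceInstance | Where-Object { $_.TypeName -like $pattern }
    $online    = @($instances | Where-Object { $_.Status -eq 'Online' }).Count -gt 0
    '{0,-45} {1}' -f $pattern, $(if ($online) { 'Online' } else { 'NOT started' })
}

# 2. Work Email must equal the federated UPN for every federated profile.
$site    = Get-SPSite $SiteUrl
$context = Get-SPServiceContext $site
$upm     = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

$mismatches = foreach ($p in $upm.GetEnumerator()) {
    $account = $p['AccountName'].Value            # e.g. contoso\karenb
    $upn     = $p['SPS-UserPrincipalName'].Value  # e.g. [email protected]
    $mail    = $p['WorkEmail'].Value
    if (-not $upn -or $upn -notlike "*@$FederatedDomain") { continue }   # not a federated user
    if ($mail -ne $upn) {
        [pscustomobject]@{ Account = $account; UPN = $upn; WorkEmail = $mail }
    }
}
$site.Dispose()

if ($mismatches) {
    Write-Warning 'Federated profiles whose Work Email does not match the UPN:'
    $mismatches | Format-Table -AutoSize
} else {
    'All federated profiles have Work Email equal to the UPN.'
}
```

A profile listed under mismatches will fail the claim lookup described above even if the account is federated correctly and a member of the security group, so fix the profile synchronization mapping before repeating the validation procedure.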
If the hybrid environment is configured for an inbound authentication topology, you must ensure that a single on-premises web application is configured to receive requests from SharePoint Online. This web application is referred to as the primary web application for the hybrid environment, and it accepts requests from the external endpoint URL. No specific web application configuration is required to support a one-way outbound authentication topology.
In a SharePoint Server 2013 hybrid environment, outbound connections can be made from any on-premises web application. A single SharePoint Server 2013 web application must be configured for inbound connections; it is used as the primary web application for accepting inbound connections and configuring services and connection objects for the hybrid features you deploy. You can either create a new web application and site collection or configure an existing web application for this purpose.
Setting up SharePoint Online requires that you choose an application authentication topology and make additional configuration choices for the service.
As shown in Figure 1, your choice of an authentication topology determines how certificates are configured and what capabilities are present in the hybrid solution.
Figure 1: Application authentication topologies
The one-way outbound topology is not supported with hybrid BCS; only the one-way inbound and two-way (bidirectional) topologies are.
A one-way inbound hybrid topology enables SharePoint Online to connect to SharePoint Server 2013 through a reverse proxy device (Figure 2). For example, users of a SharePoint Online Search portal can see both local and remote search results, but only local results are available in the SharePoint Server 2013 Search portal.
Figure 2: One-way inbound topology
A one-way inbound topology can be configured to let users access on-premises SharePoint search results from the Internet, as long as they have access to the intranet through a virtual private network or DirectAccess.
A two-way topology enables bidirectional hybrid service integration between the on-premises SharePoint Server 2013 farm environment and the Office 365 tenant (Figure 3). For example, search can be configured to allow federated users to see both local and remote search results in either SharePoint Server 2013 or SharePoint Online Search portals.
Figure 3: Two-way (bidirectional) topology
A two-way topology can be configured to let users access on-premises SharePoint search results from the Internet, as long as they have access to the intranet through a virtual private network or DirectAccess.
Refer to these articles to configure your reverse proxy server and establish a secure connection between your SharePoint Online tenant and your on-premises farm.
Link to procedure | Description of procedure |
Configure a one-way inbound hybrid topology | Learn how to configure the infrastructure for SharePoint 2013 hybrid environments that use a one-way inbound authentication topology. |
Configure a two-way bidirectional hybrid topology | Learn how to configure the infrastructure for SharePoint 2013 hybrid environments using a two-way authentication topology. |
Next, you will need to create an External Content Type (ECT) based on the OData source. Note that the hybrid BCS implementation works only with OData-based ECTs, and the ECT can only be created with Visual Studio, not with SharePoint Designer.
To create an ECT, you need the following requirements:
Using Visual Studio 2013, create a new SharePoint App:
This process creates an External Content Type for each entity you selected.
Once you have created your External Content Types, add them to the Business Data Connectivity (BDC) catalog so you can use them in your site collections.
In the previous section we explained how to create an ECT, where each entity in the OData source becomes its own ECT. However, the generated ECT files share the same name, which prevents you from uploading more than one entity to the BDC catalog. To fix this, follow these steps to make the entities usable in SharePoint:
Once you have made the changes to all of your ECT files, you can upload all your entities to your BDC model. To do so:
The BCS hybrid scenario supports connecting only to an Open Data Protocol (OData) source. If your external data already has an OData service endpoint, you can skip the OData service endpoint creation portions of this procedure.
Using Visual Studio 2013, create an empty ASP.NET web application named NorthwindWeb and follow these steps:
These steps create the OData source for the NorthwindWeb application.
<< Previous – Part 1 – Introduction to Hybrid BCS Architecture