Question

I am trying to set up a hybrid environment using SharePoint 2016. One of the requirements of that is to create a reverse proxy. I am using ADFS to set up the reverse proxy. Now my question is: do I need to use Kerberos authentication to set up a reverse proxy for SharePoint?


Solution

Looking at the 2013 Hybrid Setup, there are no traces of a requirement for using Kerberos authentication. However, you need to have your on-premises Web Application already accessible from the internet, preferably using the extranet zone of Alternate Access Mapping.

General reverse proxy requirements

In a hybrid SharePoint Server 2013 scenario, the reverse proxy must be able to:

  • Support client certificate authentication with a wildcard or SAN SSL certificate.
  • Support pass-through authentication for OAuth 2.0, including unlimited OAuth bearer token transactions.
  • Accept unsolicited inbound traffic on TCP port 443 (HTTPS).
  • Bind a wildcard or SAN SSL certificate to a published endpoint.
  • Relay traffic to an on-premises SharePoint Server 2013 farm or load balancer without rewriting any packet headers.

Tip: No ports other than TCP 443 need to be opened on the external reverse proxy endpoint to support hybrid connectivity.

Reference: Configure a reverse proxy device for SharePoint Server 2013 hybrid

Looking at 2016 there is still no available info on reverse proxy settings for the Hybrid environment. However, there is an article discussing the outbound traffic (on-premises to Online) where standard NTLM authentication applies. NTLM and Kerberos are both claims authentications and it would be unlikely to require Kerberos in the reverse proxy scenario and not the outbound scenario.

Outbound requests to SharePoint Online can be made from any web application in the on-premises SharePoint farm that uses Integrated Windows authentication using NTLM...

Reference: Plan server-to-server authentication

My advice would be to go without Kerberos, and follow the guide of 2013 all the way through. But (as always) this may be changed in the future.

License: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange