New and Improved Architecture Guidance for SharePoint 2013 Hybrid Features

This post is an update to the original architectural guidance I published previously at  If you read that post you'll recall that we had a "scenario problem" with hybrid search when SharePoint 2013 released.  The problem, which I explain more fully in that post, is that there wasn't a good way to publish both an endpoint for hybrid search and an endpoint for users outside your firewall to reach the same SharePoint farm.

IMPORTANT:  The features described in this post require that you install the April 2014 CU or later for SharePoint 2013.  That CU introduced one breaking change that you will also need to fix before everything will work.  Please see this post for details and the fix:

The good news is that the team has been able to add some new functionality to the hybrid features such that we can now support this scenario.  In short, what needs to be done is:

  • Create a new AAM mapping for a SharePoint zone
  • Configure DNS for your AAM mappings
  • Publish the AAM mappings through your reverse proxy
  • Modify your farm configuration so that the hybrid features validate inbound queries against the AAM incoming Url the request arrived on, instead of against the zone's Public Url

Here are a few more details on these steps.  To help illustrate, let's assume you have a SharePoint zone with a Url of and it is reachable on your corporate network at IP address  You have a reverse proxy in your DMZ and it is configured to listen for incoming requests on IP address  Now let's see how this scenario would be implemented.


Create a New AAM Mapping for a SharePoint Zone

When was created it was added to the default zone.  We're going to add another incoming Url to that same zone that will be used only for hybrid search, so I'll call it  As for how you add the incoming Url, there are a few ways of doing it and a lot of documentation out there on how.  For my purposes I created my web application with this in mind, so I used as the Host Header value and as the Public Url.  After the web app was created I had to a) add an incoming Url of to the zone and b) add another HTTPS binding in IIS on my web application so that it also listens for  Since I used as the Host Header value when I created the web application, that HTTPS binding was already created in IIS.  Both pieces are needed: the AAM mapping tells SharePoint which zone a request for the second hostname belongs to, and the IIS binding is what makes the site answer for that hostname at all.  I used the SNI feature in IIS so I could have both host header values bound on port 443 and still use SSL.


Configure DNS for Your AAM Mappings

Configuring DNS for users to access the Public Url of the zone can be done in one of two ways:

  • Single DNS – everyone uses the same IP address for the Public Url.  That means that even users in your corporate network will be sent outside to the proxy server and their request will then get routed back into your network to access SharePoint.  Naturally all users accessing the Public Url from outside of your corporate network would also go through the proxy server.  So in this case you end up with a single DNS A record of for the hostname “”.
  • Split DNS – in this scenario the DNS used for users on your corporate network resolves “” to the internal IP address for the Public Url.  The external DNS resolves “” to the reverse proxy server.  So in this case your internal DNS has an A record of for “”, and your external DNS has an A record of for “”.

Configuring DNS for the incoming Url of the SharePoint zone is much easier; you only create one A record, in your external DNS, for "" and it points at the IP address of the reverse proxy server, which is  There is no need for an internal record, because the only client that ever uses this hostname is Office 365 issuing hybrid search queries from outside your network.


Publish the AAM Mappings through Your Reverse Proxy

The exact details of how you publish endpoints in a reverse proxy are going to vary by the proxy product being used.  For an example of how to use WAP in Windows Server 2012 R2 you can see one of my prior posts here:  At a high level though there are really just two things you need to know when you publish the endpoints:

  1. You're going to publish one endpoint for the Public Url of  That endpoint does not require any pre-authentication (although you can add it if you choose to); the request can simply be forwarded to the internal IP address for the site, which is  This is the endpoint users reach when they are outside the corporate network and trying to access the farm.  If you use a single DNS, internal users will also get routed here.  Keep in mind that without pre-authentication at the proxy, the farm's own authentication is the only gate on this endpoint.
  2. You're going to publish one endpoint for the incoming Url of  This published endpoint must require client certificate authentication, and the certificate it accepts should be the one you configure your Result Source in Office 365 to use for hybrid search.  The proxy must retain the original host header, so that SharePoint sees the request as arriving for the incoming Url and the AAM lookup works, and forward it on to the internal IP address for the site, which is

The goal here is to have two unique hostnames for the same SharePoint content.  Because of the AAM mapping, when a request comes in for, any search results it returns are rendered using the Public Url for the zone, which is  When a user clicks on a search result they are sent to whatever IP address resolves for and they can access the SharePoint content using their credentials, without having to present a client certificate the way the hybrid search query did.  In your Office 365 tenant that also means that when you create the Result Source for the on premises farm, you need to configure its Url to be so that the query gets routed to the correct published application on the reverse proxy server, the one that demands the client certificate.


Modify Your Farm Configuration to use AAM for Hybrid Search

This is the last and most important step, which was provided by the April 2014 CU.  A new property was added to both SPSecurityTokenServiceConfig and SPWebApplication.  The property is called UseIncomingUriToValidateAudience and is set to False by default, meaning the STS validates the audience of an inbound token against the zone's Public Url.  To get the hybrid features to use the AAM lookup as we've configured above, so that the audience is validated against the incoming Url the query actually arrived on, you need to set it to True.  To make this change farm wide, use the SPSecurityTokenServiceConfig object; to set it on just one web application, use the SPWebApplication.  Here's an example of the PowerShell needed to set it at the farm level; note the call to Update(), without which the change is not persisted to the configuration database:

$cfg = Get-SPSecurityTokenServiceConfig
$cfg.UseIncomingUriToValidateAudience = $true
$cfg.Update()
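To show the four steps above end to end, here is the whole procedure as PowerShell.  This is an added worked example, not code from the original post or from the TechNet article it references.  The hostnames (intranet.contoso.com for the Public Url, search.contoso.com for the incoming Url), the IP addresses, the IIS site name, the certificate thumbprints, the use of Windows DNS for both zones and the choice of Web Application Proxy as the reverse proxy are all assumptions for illustration; the WAP cmdlet parameters are the ones I know from Windows Server 2012 R2 and should be checked against your proxy's documentation.  This variant sets UseIncomingUriToValidateAudience on the single web application rather than farm wide.

```powershell
# Added example, not from the original post. All names, addresses and
# thumbprints below are assumptions; replace them with your own values.
# Sections 1, 2 and 4 run in the SharePoint 2013 Management Shell on a
# farm server (April 2014 CU or later); section 3 runs on the WAP server.

$PublicUrl     = 'https://intranet.contoso.com'   # assumed Public Url of the zone
$IncomingUrl   = 'https://search.contoso.com'     # assumed incoming Url for hybrid search
$IncomingHost  = ([Uri]$IncomingUrl).Host
$IisSiteName   = 'SharePoint - intranet.contoso.com443'     # assumed IIS site name
$InternalIp    = '10.0.0.20'     # assumed internal IP of the SharePoint site
$ProxyIp       = '203.0.113.10'  # assumed DMZ IP the reverse proxy listens on
$SslCertThumb  = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed IIS server cert
$ProxyCertThumb = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98' # assumed WAP server cert
$O365CertThumb  = '1111222233334444555566667777888899990000' # assumed Result Source client cert

# --- 1. Add the incoming Url to the zone that already carries the Public Url ---
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa = Get-SPWebApplication $PublicUrl
# -Internal makes this an incoming-only mapping: a request for $IncomingUrl is
# recognised as belonging to the Default zone, but links in the response are
# still rendered with the zone's Public Url ($PublicUrl).
New-SPAlternateURL -Url $IncomingUrl -WebApplication $wa -Zone Default -Internal

# Second HTTPS binding with SNI so both host headers can share port 443
Import-Module WebAdministration
New-WebBinding -Name $IisSiteName -Protocol https -Port 443 -HostHeader $IncomingHost -SslFlags 1
$cert = Get-Item "Cert:\LocalMachine\My\$SslCertThumb"
New-Item -Path "IIS:\SslBindings\!443!$IncomingHost" -Value $cert -SSLFlags 1

# --- 2. DNS (assumes both zones are hosted on Windows DNS servers) ---
# Split DNS for the Public Url: internal record -> farm, external record -> proxy.
# Run on the internal DNS server:
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'intranet' -IPv4Address $InternalIp
# Run on the external DNS server (Public Url and incoming Url both go to the proxy):
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'intranet' -IPv4Address $ProxyIp
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'search'   -IPv4Address $ProxyIp

# --- 3. Publish both endpoints through WAP (run on the WAP server) ---
# Using the same value for -ExternalUrl and -BackendServerUrl keeps the
# original host header intact; the WAP server must resolve the hostname to
# $InternalIp itself (hosts file or internal DNS), which is an assumption here.
# Public Url: no pre-authentication, so the farm's own auth is the only gate.
Add-WebApplicationProxyApplication -Name 'SharePoint Public Url' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "$PublicUrl/" -BackendServerUrl "$PublicUrl/" `
    -ExternalCertificateThumbprint $ProxyCertThumb
# Incoming Url: only a client presenting the Result Source certificate gets in.
Add-WebApplicationProxyApplication -Name 'SharePoint Hybrid Search' `
    -ExternalPreauthentication ClientCertificate `
    -ClientCertificatePreauthenticationThumbprint $O365CertThumb `
    -ExternalUrl "$IncomingUrl/" -BackendServerUrl "$IncomingUrl/" `
    -ExternalCertificateThumbprint $ProxyCertThumb

# --- 4. Validate the token audience against the incoming Url (this web app only) ---
$wa = Get-SPWebApplication $PublicUrl
$wa.UseIncomingUriToValidateAudience = $true
$wa.Update()   # persists the change; without it the setting is lost

# --- Verify: both mappings in the Default zone, property now True ---
Get-SPAlternateURL -WebApplication $wa | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
(Get-SPWebApplication $PublicUrl).UseIncomingUriToValidateAudience

# Finally, in the Office 365 tenant, point the on-premises Result Source at
# $IncomingUrl, so the query hits the client-certificate-protected application.
```

The verification output should list two rows for the Default zone, one with IncomingUrl equal to the Public Url and one with IncomingUrl equal to the hybrid search hostname, both showing the same PublicUrl; that is the AAM behaviour the rest of the design relies on.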



Once you've completed all of these steps you should be able to have Office 365 issue inbound queries to your on premises farm and get search results back that are rendered using the Public Url of your SharePoint zone.  That query is authenticated at the proxy with the client certificate you configure the Office 365 Result Source to use.  You will also be able to have users outside your corporate network access the SharePoint zone with their corporate credentials, and they will not be required to present a client certificate to reach the SharePoint farm.  This is a really nice improvement in the hybrid features, so I hope you find it useful.  For more details on the new property that was added please see this article on TechNet:

