Monday, January 14, 2008

I don't want to have Site Collections other than my portal...[MOSS 2007]

Now that MOSS converts all the SPS2003 Portal Areas into sub sites, we can take advantage of all the features that a site can have: consistent security, features, STSADM commands etc. Yes, you can export a site collection and import it as a sub site under the MOSS Portal and bind it to your global navigation! How cool is that..

Now my user wants to get rid of all the site collections under /Sites or any such managed path and place them under the Portal, so that it looks like one nice Portal and you can navigate anywhere.

I said, well, you are going to have one big bloated site collection and other repercussions of such an approach. Here I wanted to share my thoughts on this design approach:

By default all the sites that any user creates, under the umbrella of the portal, get created under the portal with the respective URL.

Pros:

  • Every site is a sub site and is stitched to the global navigation.
  • Thus it is easier to navigate.
  • Consistent branding.
  • Consistent security and easy to manage by creating global SharePoint Groups.
  • Easy to administer and enforce governance/policy.

Cons:

  • Single site collection cannot be split across multiple content databases.
  • Limits future growth for potential content heavy portal.
  • May introduce a longer time to back up and restore, thus requiring a longer SLA for backup and restore.

Recommendation:

  • Content Databases should fit your Backup/Restore SLA in case of disaster.
  • With a single portal site collection, “stsadm export” can be scripted out to implement individual backups. These scripts can be for critical-data sub sites and can then be run as regular scheduled jobs.
  • Sites with confidential data and heavy on content can be segregated as separate site collections and stored in separate content databases with appropriate site quota templates applied.

Kerberos Configuration [MOSS 2007]

Introduction

I know you want to stay away from Kerberos configuration. But believe me, once you are past Kerberos, it usually gets much easier. Some of the integrations with MOSS such as SSRS and other native features such as the RSS web part work well when you have Kerberos configured.

While configuring Kerberos for MOSS, I have come across some interesting topics. I wanted to put all the bits and pieces together and give one single chapter on Kerberos Configuration for MOSS. Ok, let's give it a try..

Introduction to Kerberos

What is Kerberos?

The name "Kerberos" is derived from Greek mythology. Cerberus is the Latin variant of Kerberos. Kerberos is the three-headed watchdog that guards the entrance to the lower world, or Hades. It is a child of the giant Typhon and Echidna, a monstrous creature herself, being half woman and half snake. Originally, the dog was portrayed as having fifty or a hundred heads but was later pictured with only three heads (and sometimes with the tail of a serpent). Cerberus permitted new spirits to enter the realm of the dead, but allowed none of them to leave. Only a few ever managed to sneak past the creature, among them Orpheus, who lulled it to sleep by playing his lyre, and Heracles, who brought it to the land of the living for a while (being the last of his Twelve Labors).

  • Like the mythical creature, the Kerberos security system guards electronic transmissions that are sent across the Internet.
  • Kerberos is a mature network authentication protocol designed to provide strong authentication for client/server applications by using shared secret-key cryptography.
  • Kerberos authentication is a form of Windows Authentication that allows delegation of credentials through multiple application layers and across multiple servers – unlike NTLM, which will pass user credentials through one layer only.

Implementing Kerberos

Kerberos authentication can either be implemented in a constrained delegation model (i.e. trusting specific user/service accounts for delegation and using these accounts to run the applications) or in a full delegation model (i.e. trusting machines for delegation and using the Local System or Network Service accounts to run the applications). It is, however, the responsibility of each individual client to determine the best delegation model, whether constrained or full delegation, that will satisfy the needs and constraints of their respective organization.

What is the “double-hop” issue?
  • “Double-hop” is where a user authenticates to a web server and that web server then needs to impersonate the user against another service.
  • When this happens, the user’s authentication ticket is ‘hopping’ across two services; this is not allowed in NTLM and you will have to use Kerberos to do this.
Why implement Kerberos in MOSS?
  • Kerberos authentication is faster
  • Kerberos security resolves the 'double hop' authentication issue in MOSS when integrating with more than one application that requires user impersonation.
  • Integrating or adding more services such as Excel Services, BDC, SQL Server 2005 Analysis Services/ Reporting Services and so on will require extra steps.
High level Steps for implementing Kerberos in MOSS
  • Preparation for setting up Kerberos.
  • Setting up SPN for the service accounts
  • Setting up SPN for the URLs
  • Configuring Service Accounts for Trust for Delegation
  • Enabling Kerberos for the MOSS Web Applications.
  • Configuring COM+ for web application pool account.
  • Testing the Kerberos Setup.
Detailed Steps for implementing Kerberos in MOSS
Preparation for setting up Kerberos
  • Make sure all the servers in the loop (MOSS, SQL and Domain Controllers) have the same time set.
  • Inconsistent time settings are one of the primary causes of Kerberos related issues.
  • Keep the following handy:
    • All the service account names.
    • Access to AD with administrator login.
    • SetSPN utility from Windows Resource Kit.
    • Access to MOSS servers with a login that has local administrator permission.
    • Names of MOSS related web applications and their application pools.
    • Client user with client computer to test post Kerberos setup.
Setting SPNs for Service Accounts
  • The first step in enabling Kerberos for SharePoint is to configure Service Principal Names (SPNs) for your SharePoint service accounts in Active Directory.
  • Consider the ‘least privilege account principle'; this basically means that each distinct service inside the SharePoint farm will have its own domain user account.
  • In summary, you should have the following accounts:
    • SQL Server Service Account: Account used by SQL to run all SQL services
    • Server Farm Account
    • SSP Service Account
    • Office SharePoint Server Search Account
    • Default Content Access Account
    • User Profile and Properties Content Access Account
    • Excel Services Unattended Account
    • One account per application pool: This is typically three accounts; SSPAdministration, MySite and your main 'Portal' or 'Intranet'.
  • SPNs are used by Kerberos to ensure that only certain accounts have permission to delegate a specific service on a user's behalf.
  • An SPN needs to be configured for each service and address that the account needs to delegate for. SPNs are configured by using SetSPN.exe, a command-line tool provided as part of the Windows 2003 resource kit.
  • The commands below create the right SPNs for each of the relevant SharePoint service accounts; however, please bear the following points in mind:
    • Some services require the fully qualified domain name (FQDN) even if your users only use the host name. For example, if users type http://portal to get to your main portal and your Active Directory domain is called Domain.local, then the FQDN is Portal.Domain.Local.
    • Some SPNs require the host name, which is the FQDN without the .domain.local bit on the end. In the example above, this would simply be portal.
    • For all user accounts you must include the domain prefix.
    • Below is an example for a single server farm in a domain called ‘domain.local’ where the MOSS server is called 'Server'.
    • The example assumes three host headers for web applications, which are called 'My Site', 'Portal' and 'SSPAdmin'.
    • The 'least privilege account principle' has been used in this example and the accounts are fairly descriptively named.

Setspn.exe -A HTTP/%SHAREPOINTSERVERFQDN% %SERVERFARMACCOUNT%

%SHAREPOINTSERVERFQDN% = the FQDN of your SharePoint server's NetBIOS name (local machine name)
%SERVERFARMACCOUNT% = Server Farm Account

Example: Setspn.exe -A HTTP/server.domain.local domain\serverfarm

Setspn.exe -A HTTP/%MYSITEURLFQDN% %MYSITEAPPPOOLACCOUNT%

%MYSITEURLFQDN% = the FQDN of the host header for the My Site Web Application
%MYSITEAPPPOOLACCOUNT% = The application pool account that the My Site web application uses

Example: Setspn.exe -A HTTP/mysite.domain.local domain\mysiteapppool

Setspn.exe -A HTTP/%MYSITEURLHOST% %MYSITEAPPPOOLACCOUNT%

%MYSITEURLHOST% = the host name (i.e. without the .domain.local bit) for the My Site web application
%MYSITEAPPPOOLACCOUNT% = The application pool account that the My Site web application uses

Example: Setspn.exe -A HTTP/mysite domain\mysiteapppool

Setspn.exe -A HTTP/%PORTALURLFQDN% %PORTALAPPPOOLACCOUNT%

%PORTALURLFQDN% = the FQDN of the host header for the main portal or intranet Web Application
%PORTALAPPPOOLACCOUNT% = The application pool account that the Portal web application uses

Example: Setspn.exe -A HTTP/portal.domain.local domain\portalapppool

Setspn.exe -A HTTP/%PORTALURLHOST% %PORTALAPPPOOLACCOUNT%

%PORTALURLHOST% = the host name (i.e. without the .domain.local bit) for the Portal web application
%PORTALAPPPOOLACCOUNT% = The application pool account that the Portal web application uses

Example: Setspn.exe -A HTTP/portal domain\portalapppool

Setspn.exe -A HTTP/%SSPADMINURLFQDN% %SSPADMINAPPPOOLACCOUNT%

%SSPADMINURLFQDN% = the FQDN of the host header for the SSP Administration Web Application
%SSPADMINAPPPOOLACCOUNT% = The application pool account that the SSP Administration web application uses

Example: Setspn.exe -A HTTP/sspadmin.domain.local domain\sspadminapppool

Setspn.exe -A HTTP/%SSPADMINURLHOST% %SSPADMINAPPPOOLACCOUNT%

%SSPADMINURLHOST% = the host name (i.e. without the .domain.local bit) for the SSP Administration web application
%SSPADMINAPPPOOLACCOUNT% = The application pool account that the SSP Administration web application uses

Example: Setspn.exe -A HTTP/sspadmin domain\sspadminapppool

Additionally you can list the SPNs currently registered for an account by running the command below (setspn -L needs the account name).

Setspn.exe -L %ACCOUNT%

Example: Setspn.exe -L domain\portalapppool
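The registration commands above, wrapped in a script that refuses to create a duplicate SPN; this is an added example and not part of the original post. The same SPN on two accounts is a classic cause of Kerberos failing for that URL, because the KDC cannot tell which account's key to encrypt the ticket with. It assumes the host headers, account names and the domain 'domain.local' from the example above, and setspn.exe from the Windows 2003 resource kit on the PATH.

```powershell
# Added example (not from the original post): register the HTTP SPNs for the
# single-server farm described above, skipping any SPN that already exists.
# Assumptions: domain 'domain.local', the host headers and accounts from the post.
$domainSuffix = 'domain.local'
$plan = @(
    @{ Host = 'server';   Account = 'domain\serverfarm';      Short = $false },  # farm account: FQDN only
    @{ Host = 'mysite';   Account = 'domain\mysiteapppool';   Short = $true  },
    @{ Host = 'portal';   Account = 'domain\portalapppool';   Short = $true  },
    @{ Host = 'sspadmin'; Account = 'domain\sspadminapppool'; Short = $true  }
)

# Returns the sAMAccountNames that currently hold the given SPN (LDAP search of the domain).
function Get-SpnHolders([string]$spn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$spn)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
}

foreach ($entry in $plan) {
    $spns = @("HTTP/$($entry.Host).$domainSuffix")
    # Users type http://portal, so the host-name SPN is needed as well as the FQDN one.
    if ($entry.Short) { $spns += "HTTP/$($entry.Host)" }
    $sam = $entry.Account.Substring($entry.Account.IndexOf('\') + 1)
    foreach ($spn in $spns) {
        $holders = @(Get-SpnHolders $spn)
        if ($holders.Count -eq 0) {
            Write-Host "Registering $spn on $($entry.Account)"
            setspn.exe -A $spn $entry.Account
        } elseif ($holders -contains $sam) {
            Write-Host "$spn already registered on $sam, nothing to do"
        } else {
            # Do not add a second holder: that would break Kerberos for this URL.
            Write-Warning ("$spn is already registered on " + [string]::Join(', ', $holders) + "; fix the duplicate before adding it to $sam")
        }
    }
}

# Show the final state per account, as the post suggests with setspn -L.
foreach ($acct in ($plan | ForEach-Object { $_.Account } | Sort-Object -Unique)) {
    setspn.exe -L $acct
}
```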

Setting Service Accounts for ‘Trust for Delegation’
  • In addition to setting the SPNs for each of your service accounts, you also need to trust each of the computer accounts and some of the service accounts for delegation.
  • In order to trust for delegation you need to open Active Directory Users and Computers as a user with domain administration rights and follow these instructions
  • Repeat the process for each of the following
    • MOSS Server (Computer Account)
    • SQL Server (Computer Account)
    • FarmService (User Account)
    • MySiteAppPool (User Account)
    • SSPAdminAppPool (User Account)
    • PortalAppPool (User Account)
  • Locate the account and click 'properties'
  • Navigate to the 'Delegation' tab
  • Choose 'Trust this user/computer for delegation to any service (Kerberos)'

Enabling Kerberos for the web applications:

Method 1: In MOSS 2007, if you are creating your farm from scratch, the switch between Kerberos and NTLM can be set as part of the 'SharePoint Products and Technologies Configuration Wizard'.

Method 2: If the farm is pre-created you can easily enable Kerberos by following these steps:

  • Open Central Administration
  • Navigate to Application Management > Authentication Providers
  • Choose the web application you wish to configure from the drop-down in the top right corner (this includes the Central Administration web application)
  • Click on 'Default'
  • Set the authentication to Negotiate (Kerberos)
  • You will receive a warning message; click OK.
  • Perform IISRESET from the command prompt

Method 3: You can also enable Kerberos from the command prompt using the cscript command.

  • Right click on My Computer, Manage. Scroll down to Services and Applications, Internet Information Services (IIS). Click on Web Sites
  • Note the Identifier of the SharePoint Central Administration V3 web site. In this example the Identifier is 626419873.
  • Open the command prompt from Start, Run, CMD
  • Go to the C:\inetpub\adminscripts directory
  • Enter the following command (substitute the value of the identifier for ##)
    cscript adsutil.vbs set w3svc/##/root/NTAuthenticationProviders "Negotiate,NTLM"
  • After the command has run, ensure that no errors are reported.
  • IIS needs to be reset in order for the above command to take effect.
  • From the command prompt, type IISRESET. Press Enter.
  • The IIS services will be reset. Ensure that all web sites are visible from the IIS management console
  • To confirm the above setting you can run the command below; the result should show that “Negotiate,NTLM” is set.
    cscript adsutil.vbs get w3svc/##/root/NTAuthenticationProviders
Setting COM+ permissions
  • This step is undocumented.
  • Open Component Services on the MOSS server
  • Navigate to Component Services > Computers > My Computer
  • Click on Properties (for My Computer) > Default Properties > Default Impersonation Level = Delegate (see http://support.microsoft.com/kb/917409)
  • Navigate to Component Services > Computers > My Computer > DCOM Config > IIS WAMREG Admin Service
  • Click on Properties (for IIS WAMREG Admin Service) and navigate to the Security tab
  • Edit Launch and Activate Permissions
  • Grant all three of your application pool accounts 'Local Activation' permissions (see http://support.microsoft.com/kb/920783).
  • These accounts would be domain\MySiteAppPool, domain\SSPAdminAppPool, domain\PortalAppPool
Testing the Kerberos settings
  • Test your web application from a client computer.
  • Monitor the System event log on both your MOSS and SQL servers. Kerberos related errors are logged there.
  • Troubleshooting references:
    • http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
    • How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication: http://support.microsoft.com/?kbid=832769
    • How to use Kerberos authentication in SQL Server: http://support.microsoft.com/kb/319723/
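A way to do the test above from the MOSS server after browsing the portal from the client; this is an added example, not part of the original post. It assumes Windows Server 2003 event formats (System log source "Kerberos" for ticket errors, Security event 540 for successful network logons with an "Authentication Package" line) and rights to read the Security log.

```powershell
# Added example (not from the original post): check the logs the post says to watch.
# Assumptions: Windows Server 2003 event IDs/formats, run on the MOSS server as admin.
$newest = 2000   # how many recent entries of each log to inspect

# Kerberos errors in the System log. Event ID 4 (KRB_AP_ERR_MODIFIED) usually means the
# SPN the client asked for is missing or registered on the wrong/duplicate account.
Get-EventLog -LogName System -Newest $newest |
    Where-Object { $_.Source -eq 'Kerberos' } |
    Select-Object TimeGenerated, EventID, Message |
    Format-List

# Count successful network logons by authentication package. If your test user still
# shows up under NTLM, the web application is not negotiating Kerberos (re-check the
# SPNs, the delegation setting and the Negotiate (Kerberos) setting in IIS).
$logons = Get-EventLog -LogName Security -Newest $newest |
    Where-Object { $_.EventID -eq 540 }
$byPackage = @{}
foreach ($e in $logons) {
    if ($e.Message -match 'Authentication Package:\s*(\S+)') {
        $pkg = $matches[1]
        $byPackage[$pkg] = 1 + [int]$byPackage[$pkg]
    }
}
$byPackage   # e.g. a table with Kerberos and NTLM counts
```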

Thursday, January 10, 2008

Why Edit Page disabled? [MOSS 2007 Publishing Site Collection]

When you try to edit a page by going to Site Settings, but Edit Page is disabled even though you have permission to edit?

Probably the page is checked out to someone. Navigate to All Contents and look for the Pages library. Your page in question may be checked out by somebody. Have them check it in before it is editable by you.

Tuesday, January 8, 2008

Navigation with no landing page [MOSS 2007 Publishing Site Collection]

You want to create a top nav element with no landing page, but include the sub sites as a drop-down in the navigation, as in the picture below:

Here is how you create navigation for "No Landing Page":

1. From the Home page (Root) create the Sub Sites for the content that goes under the "No Landing Page"
2. From the root, perform Site Settings>Modify Navigation.
3. From the Navigation click on Add Header and give only title ex “No Landing Page” with no link. Click Ok.
4. Stay in the Modify Navigation page. Now choose each of the sub sites and Move Down until they cross the "No Landing Page". As the nav item crosses the "No Landing Page", the item will be sub-indented within the "No Landing Page".
5. Now re-arrange the Navs as you see necessary.

The URLs for the items under the "No landing page" remain intact and you still get all the flexibility of MOSS free-flow navigation.

Monday, January 7, 2008

Installing SSRS add-in for MOSS in Farm [MOSS 2007 and SSRS]

In a Farm environment, install the SSRS Add-in for MOSS on the server that is hosting the Central Administration site.

Where is ReportViewer Webpart (RSWebParts.cab) in x64 SQL Server 2005 Install? [MOSS 2007 and SSRS]

When you have installed SSRS on a MOSS (front-end or stand-alone) server and you are looking to install the Report Viewer web part, you may not find the web part cab file (RSWebParts.cab) under

C:\Program Files\Microsoft SQL Server\90\Tools....

Instead look under

C:\Program Files (x86)\Microsoft SQL Server\90\Tools\Reporting Services\SharePoint