
Free ThreeWill Webinars for 2017

Danny serves as Vice President of Business Development at ThreeWill. His primary responsibilities are to make sure that we are building partnerships with the right clients and getting out the message about how we can help clients.

We’re excited to announce our Webinar Schedule for 2017 (all times in EST)…

  1. Moving from SharePoint Online Dedicated to Multi-Tenant – 1/26/17 @ 1:00pm – Listen Now
  2. Migrating from Jive to Office 365 – 2/23/17 @ 1:00pm – Listen Now
  3. Complex SharePoint Online/2016 Migrations – 3/30/17 @ 1:00pm – Listen Now
  4. Creating Award-Winning SharePoint Intranets – 4/27/17 @ 1:00pm – Watch Now
  5. Find Anything in SharePoint with Amazon-Like Faceted Search – 6/29/17 @ 1:00pm – Watch Now
  6. Budgeting for 2018 SharePoint Initiatives – 10/26/17 @ 1:00pm – Register
  7. Successful SharePoint Farm Assessments – 11/30/17 @ 1:00pm – Register

The schedule is subject to change (especially if presenters get overloaded on projects). Let us know in the comments if you have other topics that you would like us to cover.

Sign up below to get notified about upcoming events or follow us on twitter.


SharePoint is a web application platform in the Microsoft Office server suite. Launched in 2001, SharePoint combines various functions which are traditionally separate applications: intranet, extranet, content management, document management, personal cloud, enterprise social networking, enterprise search, business intelligence, workflow management, web content management, and an enterprise application store. SharePoint servers have traditionally been deployed for internal use in mid-size businesses and large departments alongside Microsoft Exchange, Skype for Business, and Office Web Apps; but Microsoft’s ‘Office 365’ software as a service offering (which includes a version of SharePoint) has led to increased usage of SharePoint in smaller organizations.

While Office 365 provides SharePoint as a service, installing SharePoint on premises typically requires multiple virtual machines, at least two separate physical servers, and is a somewhat significant installation and configuration effort. The software is based on an n-tier service oriented architecture. Enterprise application software (for example, email servers, ERP, BI and CRM products) often either requires or integrates with elements of SharePoint. As an application platform, SharePoint provides central management, governance, and security controls. The SharePoint platform manages Internet Information Services (IIS) via form-based management tooling.

Since the release of SharePoint 2013, Microsoft’s primary channel for distribution of SharePoint has been Office 365, where the product is continuously being upgraded. New versions are released every few years, and represent a supported snapshot of the cloud software. Microsoft currently has three tiers of pricing for SharePoint 2013, including a free version (whose future is currently uncertain). SharePoint 2013 is also resold through a cloud model by many third-party vendors. The next on-premises release is SharePoint 2016, expected to have increased hybrid cloud integration.

Office 365 is the brand name used by Microsoft for a group of software plus services subscriptions that provides productivity software and related services to its subscribers. For consumers, the service allows the use of Microsoft Office apps on Windows and OS X, provides storage space on Microsoft’s cloud storage service OneDrive, and grants 60 Skype minutes per month. For business and enterprise users, Office 365 offers plans including e-mail and social networking services through hosted versions of Exchange Server, Skype for Business Server, SharePoint and Office Online, integration with Yammer, as well as access to the Office software.

After a beta test that began in October 2010, Office 365 was launched on June 28, 2011, as a successor to Microsoft Business Productivity Online Suite (MSBPOS), originally aimed at corporate users. With the release of Microsoft Office 2013, Office 365 was expanded to include new plans aimed at different types of businesses, along with new plans aimed at general consumers wanting to use the Office desktop software on a subscription basis—with an emphasis on the rolling release model.


Reset a SharePoint 2013 Service Account Password

Caroline Sosebee is a Software Engineer at ThreeWill. She comes to us with 20+ years of software development experience and a broad scope of general IT support skills.

Most companies these days have fairly strict password reset rules which can wreak havoc on a smoothly running SharePoint farm, if not planned for properly. Here are the steps to take in order to get the password for a SharePoint service account reset cleanly.

  1. Active Directory – Change the password for the appropriate service account.
  2. IIS (Internet Information Services) – Update the password for each Application Pool that is using the account. The password is buried within Advanced Settings, under the ‘Identity’ field. Click on the ellipsis and then the ‘Set …’ button to enter the new password.
  3. Services – Open Services on the appropriate server(s) and find all that use the specified service account (you can sort by the ‘Log On As’ column to find them all). Update each to use the new password (Properties / Log On tab) and then restart the service to make sure the password change is active.
  4. Scheduled Tasks – Open Task Scheduler on the appropriate server(s) and check for any jobs that use the service account, updating the password for each job.
  5. Central Administration – Go into Security / General Security, click on the ‘Configure managed accounts’ link. Find the account to update and click the Edit link to reset the password.
  6. Central Administration – Go into General Application Settings / Search, click on the ‘Farm Search Administration’ link. Click on the ‘Search Service Application’ link to bring up the Search Administration screen. Check the account being used for the ‘Default content access account’. Verify that it is using the service account being updated, click on the name and enter the new password, then click OK.
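The most common way this procedure goes wrong is a missed app pool, service or task that keeps presenting the old password and locks the account out farm-wide. The following script is an added example (not from the original post) that inventories everything on a server that logs on as the account before step 1 is performed; it assumes an elevated PowerShell on each farm server, and that the IIS WebAdministration module and SharePoint snap-in are present (both are skipped if not). The account name is a constructed sample.

```powershell
# Added example: list everything on this server that runs as a given service account,
# so that none of the places in steps 2-6 above is missed before the AD password changes.
# Assumptions: elevated PowerShell; WebAdministration module and SharePoint snap-in available.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account   # e.g. "CONTOSO\svc_spapp" (constructed sample name; use your own)
)

function Get-BareName([string]$Name) {
    # Normalise "DOMAIN\user" and "user@domain.com" to "user" so the two spellings compare equal
    $n = $Name.Trim()
    if ($n -match '^[^\\]+\\(.+)$') { return $matches[1] }
    if ($n -match '^([^@]+)@.+$')   { return $matches[1] }
    return $n
}

function Test-SameAccount([string]$Candidate, [string]$Wanted) {
    if ([string]::IsNullOrEmpty($Candidate)) { return $false }
    # Deliberately loose: a local account with the same bare name is worth a second look too
    return (Get-BareName $Candidate) -ieq (Get-BareName $Wanted)
}

function New-Hit($Type, $Name, $RunsAs) {
    New-Object PSObject -Property @{ Type = $Type; Name = $Name; RunsAs = $RunsAs }
}

function Find-ServiceAccountUsage([string]$Account) {
    $hits = @()

    # Step 2: IIS application pools whose identity is the account
    if (Get-Module -ListAvailable WebAdministration) {
        Import-Module WebAdministration
        foreach ($pool in @(Get-ChildItem IIS:\AppPools)) {
            $identity = $pool.processModel.userName
            if (Test-SameAccount $identity $Account) { $hits += New-Hit 'IIS AppPool' $pool.Name $identity }
        }
    }

    # Step 3: Windows services (the "Log On As" column in services.msc)
    foreach ($svc in @(Get-WmiObject Win32_Service)) {
        if (Test-SameAccount $svc.StartName $Account) { $hits += New-Hit 'Service' $svc.Name $svc.StartName }
    }

    # Step 4: scheduled tasks. schtasks /v also works on Server 2008 R2 where Get-ScheduledTask
    # does not exist. The verbose CSV repeats its header row, so those rows are dropped first.
    $tasks = schtasks.exe /query /v /fo CSV | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' }
    foreach ($task in @($tasks)) {
        if (Test-SameAccount $task.'Run As User' $Account) {
            $hits += New-Hit 'Scheduled Task' $task.TaskName $task.'Run As User'
        }
    }

    # Steps 5 and 6: SharePoint managed accounts and the search default content access account
    if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    }
    if (Get-Command Get-SPManagedAccount -ErrorAction SilentlyContinue) {
        foreach ($ma in @(Get-SPManagedAccount)) {
            if (Test-SameAccount $ma.UserName $Account) { $hits += New-Hit 'SP Managed Account' $ma.UserName $ma.UserName }
        }
        foreach ($ssa in @(Get-SPEnterpriseSearchServiceApplication)) {
            if (Test-SameAccount $ssa.DefaultGatheringAccount $Account) {
                $hits += New-Hit 'Search content access account' $ssa.Name $ssa.DefaultGatheringAccount
            }
        }
    }
    return $hits
}

$usage = @(Find-ServiceAccountUsage $Account)
if ($usage.Count -eq 0) {
    "No app pool, service, task or managed account on $env:COMPUTERNAME runs as $Account"
} else {
    $usage | Sort-Object Type, Name | Select-Object Type, Name, RunsAs | Format-Table -AutoSize
}
```

Run it on every server in the farm, not just the one hosting Central Administration, since services and tasks are per-machine.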

That should do it for resetting a service account password being used by SharePoint.


Authenticating SharePoint with Azure Access Control Service (ACS)

Lane is a Senior Software Engineer for ThreeWill. He is a strong technology expert with a focus on programming, network and hardware design, and requirements and capacity planning. He has an exceptional combination of technical and communication skills.

The Situation

We recently had a customer who had some specific requirements regarding an extranet they wanted to create with SharePoint. They wanted external users to be able to access their SharePoint site without having to maintain external user accounts, internal users to be able to access SharePoint with BYOD phones and tablets, and internal domain joined devices to maintain the Integrated Authentication experience. SharePoint Online/Office 365 might have been a good fit, but it wasn’t an option for them. Our customer’s customers were spread far and wide with little to no IT support, so ADFS federation wasn’t an option either. Anyone who has ever setup an extranet with SharePoint knows that we can use Forms authentication for some of this, but running a mixed mode authentication strategy has enough minor annoyances to make it less than ideal, and the requirement that the customer did not want to have to maintain external user accounts (namely passwords) pretty much negated Forms auth (and also using a pure Active Directory solution).

With Forms auth pretty much eliminated we started looking at alternatives. The customer mentioned that ideally what they would have liked is using the customer’s Live ID as the login. This brings me to a design element I haven’t mentioned yet: the customer’s SharePoint farm was to be run on VMs in Azure. While this had little to do with the ultimate implementation, it did lay some of the needed groundwork to make us wonder ‘what if?’ Since the customer had already set up Azure AD Sync with their local Active Directory and we knew Azure could provide SAML tokens for Live ID accounts, we looked at setting up a Claims-based SharePoint web app that would trust SAML tokens signed by Azure Access Control Service (ACS). This solution would work just as well for a pure on-prem deployment, though.

The first thing we discovered is that while setting up Live ID authentication from ACS is pretty simple, it’s not very useful. The reason is best covered by this Jeremy Thake blog post, but to put it simply, Live does not provide any meaningful means of translating “Lane Goolsby” to a Live account. This makes people pickers all but useless. Couple that with the requirement that internal users on domain-joined devices keep the Windows SSO experience, and we decided to keep looking.

By this point we were starting to have a decent understanding of how Azure ACS worked. Specifically, we noticed that ACS can be configured as both an issuing party (IP) and a relying party (RP). In the SAML world that means (in theory) ACS could be configured to trust tokens signed by any SAML provider we wanted, such as ADFS. ADFS can be configured for Windows Integrated Auth, so that solves the domain-joined devices requirement. I also noticed that ACS can authenticate users that are from Live ID and users that were created in Azure AD directly (I have seen conflicting statements on this point, actually, but it worked with the use cases we cared about; your mileage may vary). Since ACS could authenticate Live ID accounts and Azure AD accounts and we could get ACS to trust tokens signed by ADFS, that means we could handle external users with Live IDs, Office 365 accounts (an added bonus), and internal users with a single Trusted Identity Provider in SharePoint.

So How Did We Do It?

First, you need to get Azure AD synchronized with your on-prem AD. There are a number of quality blog posts on this, and it’s a rapidly changing technology area so I won’t walk you through it. This step is important because it is what tells Azure AD that a user whose domain is “@customername.com” belongs to your organization.

Second, you need to get ACS to trust your ADFS instance. There are a couple of infrastructure steps that need to be performed in your organization before you can start this, though. The ADFS instance you are going to have ACS use needs to be publicly addressable and available over HTTPS, and it needs to use a trusted, externally signed SSL certificate. You will also need to create an access control namespace through the Azure management portal. While it is possible to use HTTP, it is strongly discouraged.

With the infrastructure legwork done, it’s time to configure ACS. Two Identity Providers need to be configured: one for Azure AD and one for ADFS. From the ACS management page go to “Identity Providers” and click Add. Select WS-Federation and click Next. On the “Add WS-Federation Identity Provider” page fill in these fields:

Azure

  • Display Name: Anything you want (e.g. Azure AD)
  • WS-Federation metadata: https://accounts.accesscontrol.windows.net/[your Azure AD name]/FederationMetadata/2007-06/FederationMetadata.xml (where [your Azure AD name] is something like customername.onmicrosoft.com)
  • Login link text: Something that would be meaningful to your users (they won’t see this in normal circumstances, though)

ADFS

  • Display Name: Anything you want (e.g. ADFS)
  • WS-Federation metadata: https://[your adfs server]/FederationMetadata/2007-06/FederationMetadata.xml
  • Login link text: Something that would be meaningful to your users (they won’t see this in normal circumstances, though)

Once the Identity Providers are configured in ACS, it’s time to configure the Relying Party. This needs to be done for each web application in SharePoint that will be consuming tokens from ACS. From the ACS management page, click on ‘Relying party applications’, then click Add. Fill in the following values:

  • Name: Anything you want (e.g. ‘SharePoint’ or ‘Extranet RP’)
  • Realm: A URI string (e.g. ‘https://extranet.com’ or ‘urn:sharepoint:extranet’)
  • Return URL: https://[your SharePoint URL]/_trust/
  • Token format: SAML 1.1
  • Token lifetime (secs): 6000
  • Identity providers: ensure both IPs created previously are selected

The final ACS step is to decide on the signing certificate that ACS will use. In short, you have two choices: self-signed or the one that comes with ACS (note: in this case, self-signed means signed by an internal certificate authority such as Active Directory Certificate Services, not one created with makecert.exe). If you want to go with the certificate that comes with ACS, Steve Peschka has a tool on his blog for getting the cert. Otherwise, you have to do tricks with tools like Fiddler to grab the public key string.
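There is no need to scrape the public key out of a Fiddler capture: the WS-Federation metadata that ACS (and ADFS) publishes carries the token-signing certificate in its KeyDescriptor use="signing" element. The script below is an added example (not from the original post or from Steve Peschka’s tool) that downloads the metadata, extracts every signing certificate, checks its validity period and writes it out as a .cer that can be handed to New-SPTrustedIdentityTokenIssuer. The namespace in the metadata URL is a placeholder for your own ACS namespace.

```powershell
# Added example: extract the token-signing certificate(s) from WS-Federation metadata.
# Assumptions: [your namespace] is replaced with your ACS namespace (or the URL of any
# WS-Federation STS such as ADFS), and this machine has outbound HTTPS to it.
param(
    [string]$MetadataUrl  = "https://[your namespace].accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml",
    [string]$OutputFolder = "C:\Temp"
)

function Get-FederationSigningCertificates([string]$Url) {
    $client = New-Object System.Net.WebClient
    [xml]$metadata = $client.DownloadString($Url)

    # EntityDescriptor/KeyDescriptor live in the SAML 2.0 metadata namespace,
    # the certificate itself in XML-DSig's namespace
    $ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

    # Only use="signing" matters for token trust; encryption keys are deliberately ignored
    $xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $nodes = $metadata.SelectNodes($xpath, $ns)

    # ACS/ADFS can publish a primary and a secondary (rollover) key; keep each thumbprint once
    $seen = @{}
    foreach ($node in $nodes) {
        $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
        if (-not $seen.ContainsKey($cert.Thumbprint)) { $seen[$cert.Thumbprint] = $cert }
    }
    return @($seen.Values)
}

$certs = Get-FederationSigningCertificates $MetadataUrl
if ($certs.Count -eq 0) { throw "No signing certificate found in $MetadataUrl" }

foreach ($cert in $certs) {
    # Checks worth doing before trusting the key: not expired, and the thumbprint matches
    # what the ACS portal shows under "Certificates and Keys"
    $now = Get-Date
    $status = if ($cert.NotAfter -lt $now)               { "EXPIRED" }
              elseif ($cert.NotAfter -lt $now.AddDays(30)) { "expires within 30 days" }
              else                                         { "valid" }
    "{0}  {1}  {2:u}  {3}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $status

    # Export the public certificate only (no private key is present in metadata anyway)
    $path  = Join-Path $OutputFolder ("ACSSigningCert-" + $cert.Thumbprint + ".cer")
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($path, $bytes)
    "  written to $path"
}
```

Re-run this whenever ACS rolls its signing key: SharePoint keeps trusting only the certificate it imported, so a rollover shows up as every external login suddenly failing signature validation.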

Third, a Service Principal needs to be created in Azure. This step is critical for the claims handshake between ACS and SharePoint. The following commands need to be run on a server with the Azure AD PowerShell extensions installed.

# Sign in to Azure AD, then load the extended module that provides the service principal cmdlets
Connect-MsolService
Import-Module MSOnlineExtended -Force

# The reply address is the ACS namespace itself; [principal name] is your access control namespace
$replyUrl = New-MsolServicePrincipalAddresses -Address "https://[principal name].accesscontrol.windows.net/"

# Create the service principal that lets ACS and SharePoint complete the claims handshake
New-MsolServicePrincipal -ServicePrincipalNames @("https://[principal name].accesscontrol.windows.net/") -DisplayName "[principal name] Namespace" -Addresses $replyUrl

Finally, it is time to set up SharePoint to use ACS. This means running a couple of PowerShell commands to configure claims mappings and then telling SharePoint that we trust tokens signed by ACS. I have basic examples below, but DO NOT RECOMMEND USING THEM. Each environment is going to be different, and frankly, this isn’t something that should be done blindly. In fact, if memory serves, these won’t work the first time because we had to edit the Rule Groups in ACS to provide email address as a UPN claim. You will need to examine your ADFS instance to see what claims it provides, what claims ACS will give you, which ones you want to use for the Identifier, etc. There are a couple of tools (like SAML Tracer for Firefox and your favorite search engine) that make this easier.

These commands will map the UPN claim from ACS as the identifier claim for SharePoint. After running these commands you will see an option in SharePoint when creating or editing a web application for the “ACS IdP” claims provider. When creating a new web app only select the option for the claims provider (in other words uncheck the NTLM auth option).

# The ACS signing certificate (public key only, .cer); SharePoint uses it to validate token signatures
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Temp\ACSSigningCert.cer")

# Pass the incoming UPN claim from ACS through under the same name on the SharePoint side
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

# Must match the Realm entered for the Relying Party in ACS exactly
$realm = "[The realm defined in ACS]"

# Register ACS as a trusted identity provider; SignInUrl is the ACS WS-Federation endpoint and the UPN claim identifies the user
$ap = New-SPTrustedIdentityTokenIssuer -Name "ACS IdP" -Description "Azure ACS Identity Provider" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map -SignInUrl "https://[principal name].accesscontrol.windows.net:443/v2/wsfederation" -IdentifierClaim "http://schemas.microsoft.com/ws/2005/05/identity/claims/upn"

If you have any questions feel free to ask them in the comments section below.


Free Office 365 / Azure / Salesforce / SharePoint Webinars for 2015

Danny serves as Vice President of Business Development at ThreeWill. His primary responsibilities are to make sure that we are building partnerships with the right clients and getting out the message about how we can help clients.

We’re excited to announce our Webinar Schedule for 2015 (all times in EST)…

  1. OneDrive for Business – Tommy Ryan – 1/23/15 @ 1:00pm – Registration – https://attendee.gotowebinar.com/register/6546469505055148801
  2. Migrating to Office 365 – Chris Edwards – 4/17/15 @ 1:00pm – https://attendee.gotowebinar.com/register/8454863250773402114
  3. Moving from Full Trust Code to the New Cloud App Model – Pete Skelly – 5/22/15 @ 1:00pm – https://attendee.gotowebinar.com/register/6134409931049990657
  4. Get Up To Date on Microsoft’s BI Offering – Bo George – 6/26/15 @ 1:00pm – https://attendee.gotowebinar.com/register/8891692623419306753
  5. Integrating Office 365 and Salesforce – Eric Bowden – 7/17/15 @ 1:00pm – https://attendee.gotowebinar.com/register/2558996029615612417
  6. Getting Started with Salesforce Development – Tim Coalson – 8/21/15 @ 1:00pm – https://attendee.gotowebinar.com/register/4631765663484917249
  7. Moving from Office 365 Dedicated to Multi-Tenant – Kirk Liemohn – 9/25/15 @ 1:00pm – https://attendee.gotowebinar.com/register/3796349032119339521
  8. Integrating Visual Studio Online and Office 365 – Lane Goolsby – 12/11/15 @ 1:00pm – https://attendee.gotowebinar.com/register/5900541608798828801

The schedule is subject to change (especially if presenters get overloaded on projects). Let us know in the comments if you have other topics that you would like us to cover.

Sign up below to get notified about upcoming events or follow us on twitter.



Do You See SharePoint As Half Full Or Half Empty?

Tim is a Senior Consultant at ThreeWill. He has 15 years of consulting experience designing and developing browser-based solutions using Microsoft technologies. Experience over the last 8 years has focused on the design and implementation of SharePoint Intranets, Extranets and Public Sites.

As a SharePoint Consultant who has consulted at many different companies small and large, I have often experienced negative initial reactions when mentioning SharePoint.

The reasons have ranged from things like “SharePoint is slow” to other things like the “SharePoint navigation is confusing”. And I have to admit, there have been times I have used SharePoint sites that were both slow and confusing. The good news is that both of these can be improved so that they do not need to become a roadblock to using an otherwise useful product. But beyond merely removing these barriers, the good news is that there are many features that SharePoint provides that many users have never come to understand and appreciate and my goal is to help raise awareness of these features.

What I have learned over time is that most users’ concept of SharePoint is that it is simply a document repository…

They see it as “a place my boss forces me to put my files that takes more time and effort than storing them locally or putting them on a file share”. SharePoint is generally a product that has been introduced to the organization by the IT department for work teams to collaborate and usually with little or no training on SharePoint provided. And while storing documents is certainly a valid use of SharePoint, there is so much more capability than most users realize or have been given the rights to leverage in their work group or department.

On occasion, I have the opportunity to sit down with motivated employees who like to learn and I describe to them some of the features within SharePoint that I think will interest them.

Most users are surprised to hear about these capabilities and are eager to figure out how they can begin to use them.

My goal in this blog series is to share a few of what I consider to be the most underutilized features of SharePoint that can be leveraged for both personal productivity and business process improvements.

These underutilized features include:

  • Custom Lists
  • Notifications and Workflow
  • Security

After discussing these features individually, I’ll conclude with a discussion of how these features can be combined together to create Business Applications that can help support and automate some of your current business processes.

And before you assume that you need a developer or technical person to take advantage of these features, know that all of these are available to end-users of SharePoint and are configurable through the SharePoint UI or through SharePoint Designer.

Stay tuned. I look forward to sharing more about these underutilized features with you and hearing from you about any questions or comments on these topics.

By the way…


We thought you would enjoy this take on how different people see the half full/empty glass (source)…

The optimist says the glass is half full.

The pessimist says the glass is half empty.

The project manager says the glass is twice as big as it needs to be.

The professional trainer does not care if the glass is half full or half empty; he just knows that starting the discussion will give him ten minutes to figure out why his PowerPoint presentation is not working (@jbutweets – thought you would enjoy this one!)

The consultant says let’s examine the question, prepare a strategy for an answer, and all for a daily rate of…

The engineer says the glass is over-designed for the quantity of water.

The computer programmer says the glass is full-empty.


Publishing SharePoint using Kerberos Delegation

Lane is a Senior Software Engineer for ThreeWill. He is a strong technology expert with a focus on programming, network and hardware design, and requirements and capacity planning. He has an exceptional combination of technical and communication skills.

Intro

We recently wrapped up an engagement with a customer who wanted to publish SharePoint BI features, such as SSRS and PerformancePoint, through their firewall to their customers. These reports and dashboards would be pulling data from SSAS cubes. One of the key requirements was that they wanted to have the cube data security trimmed based off the user who was logged in. This meant passing the credentials of the end user all the way to the SSAS cubes. To make it more complex, their customers would be coming in from external computers that were not part of the domain and would be logging into SharePoint using a login form.

Options, options…

Given the requirements, we knew we had to use either Kerberos or Claims for authentication since NTLM wouldn’t handle the double hops. Forms authentication was an option, but would require some custom code to get SSAS to recognize the user’s ID and would have gotten complicated quickly. Claims might have worked, but SSAS 2008 R2 isn’t Claims aware, so we would have been back to code to convert the claim token into a usable token for SSAS in the same way as we would have to do for Forms.

Kerberos to the rescue!

So that left only Kerberos, but how do you get a computer outside your firewall and not a member of your domain a Kerberos token? Luckily, Microsoft has included a feature in Internet Security and Acceleration (ISA) Server since 2006 called Protocol Transition (note: ISA was rebranded Threat Management Gateway in 2010. TMG will be used from this point on instead of ISA). With Protocol Transition, TMG can take a Forms session and convert it into a Kerberos session for communication to SharePoint (or Outlook Web Access, or anything else you wish to publish for that matter). This is just what the doctor ordered, but for those reading this, you probably already know that Kerberos can be tricky to set up, and there are a lot of moving pieces that need to be set up just right for it to work. This blog post will go over some of the gotchas we ran across and dispel a couple of misconceptions that seem prevalent on the web about TMG.

First Comes Planning

The first thing that needs to be done when planning for Kerberos is to figure out the service accounts that are to be used. For the sake of simplicity, I am going to keep the number of service accounts used to a minimum. You should read Microsoft’s documentation about service accounts carefully before you plan your accounts. You will need accounts for PerformancePoint, PowerPivot, Search, etc. The service accounts that apply to this post are as follows:

  • SPAppPool – SharePoint application pool account used for all web applications
  • SSRSAppPool – Service account that SSRS runs under
  • SQLUser – Service account used by SSAS

Also, we need to setup the servers that will constitute the farm. Again, to keep things simple I will keep the number of servers to a minimum:

  • SRV-SP – SharePoint web front end and application server
  • SRV-SSRS – SSRS server running in SharePoint integrated mode.
  • SRV-SSAS – SSAS server housing the cubes.
  • SRV-TMG – Threat Management Gateway server

The next step is to plan the DNS entries for the SharePoint sites. In this scenario, each customer will have its own vanity host created, so the DNS entries would look like http://customer1.threewill.com and http://customer2.threewill.com. This makes things much easier from a SharePoint security standpoint and provides a clear delineation for content. However, there are a finite number of web applications SharePoint can support. That number depends on hardware, traffic, and several other factors, so only go this route if you plan on having a small number of published sites. When you create the DNS entries, make sure you choose Host (A) records.

Gotchas in the House

Once the DNS names have been decided on, the next step is to set up the Service Principal Names (SPNs). This is where we ran into our first gotcha. There are several blog posts and even some articles from Microsoft that say that the external DNS names need to be different from the internal DNS names in order to create the SPNs. This is not true as long as all your SharePoint and SSRS application pools run under the same accounts, which means they need to be AD accounts and not local system accounts. So we create an SPN for the SharePoint application pool and an SPN for SSRS. To create the SPNs, log onto a computer running Windows 7 or Windows Server 2008 as a domain administrator, open a CMD prompt and run the following commands:

  • Setspn.exe -A HTTP/customer.threewill.com domain\SPAppPool
  • Setspn.exe -A HTTP/srv-ssrs.threewill.com domain\SSRSAppPool

Next, we need to tell Active Directory that the two app pool accounts can present credentials to the downstream services on behalf of the user. To do this, log onto a machine that has Active Directory Users and Computers installed and find the two service accounts. First, make sure the radio button is set to say that the accounts can delegate to the specified services only and that they can use any authentication protocol. This was another gotcha we ran into: unconstrained delegation does not work with SharePoint-to-SSRS authentication. Next, double-click on the SPAppPool account and click on the Delegation tab. Click Add, then Users and Computers, and search for SSRSAppPool. In the list of services, click on the SPN for SRV-SSRS and click OK. Next, double-click on SSRSAppPool and perform the same steps, only this time search for SQLUser and choose the SPN for MSOLAPSvc.3 on SRV-SSAS. If MSOLAPSvc.3 does not appear you will need to set an SPN for it (many times SQL service accounts are set to create and maintain their own SPNs). The last of the Kerberos configuration is to perform the same steps above, only this time you will need to find the computer account for SRV-TMG. Because TMG running under an AD account is not supported, the constrained delegation must be configured for the computer account. Add the HTTP SPN from SPAppPool.
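The SPN and delegation settings above are easy to get subtly wrong in the ADUC dialogs, and a duplicate SPN elsewhere in the forest breaks Kerberos silently. The script below is an added example (not from the original post) that reads the relevant attributes back from AD and reports what is missing: each expected SPN, whether it is registered more than once, that delegation is constrained rather than unconstrained, that “use any authentication protocol” (the flag protocol transition needs) is set, and that the expected downstream SPNs are listed. It assumes the RSAT ActiveDirectory module and uses the post’s sample account and host names.

```powershell
# Added example: verify SPNs and constrained delegation for the accounts set up above.
# Assumptions: RSAT ActiveDirectory module installed; account/SPN names are the post's
# sample values (replace with your own); run as a user that can read these AD objects.
Import-Module ActiveDirectory -ErrorAction Stop

# userAccountControl bits that govern delegation
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: any service, any user (avoid)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol" (protocol transition)

# Expected topology from the post; computer accounts carry a trailing "$" in sAMAccountName
$Expected = @(
    @{ Account = 'SPAppPool';   Spns = @('HTTP/customer.threewill.com'); DelegatesTo = @('HTTP/srv-ssrs.threewill.com') },
    @{ Account = 'SSRSAppPool'; Spns = @('HTTP/srv-ssrs.threewill.com'); DelegatesTo = @('MSOLAPSvc.3/srv-ssas.threewill.com') },
    @{ Account = 'SRV-TMG$';    Spns = @();                               DelegatesTo = @('HTTP/customer.threewill.com') }
)

function Test-KerberosDelegation([hashtable]$Spec) {
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$($Spec.Account))" `
                        -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl
    if (-not $obj) { return "[$($Spec.Account)] FAIL: account not found in AD" }

    $findings   = @()
    $uac        = [int]$obj.userAccountControl
    $registered = @($obj.servicePrincipalName)
    $targets    = @($obj.'msDS-AllowedToDelegateTo')

    # 1. Every expected SPN is registered, and registered on exactly one account
    foreach ($spn in $Spec.Spns) {
        if ($registered -notcontains $spn) { $findings += "missing SPN $spn" }
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($owners.Count -gt 1) {
            $findings += "DUPLICATE SPN $spn on " + (($owners | ForEach-Object { $_.Name }) -join ', ')
        }
    }

    # 2. Delegation must be constrained ("specified services only"), never unconstrained
    if ($uac -band $TRUSTED_FOR_DELEGATION) {
        $findings += "UNCONSTRAINED delegation enabled; switch to 'specified services only'"
    }

    if ($Spec.DelegatesTo.Count -gt 0) {
        # 3. Protocol transition: TMG turns a forms logon into a Kerberos ticket and each hop
        #    requests a service ticket on the user's behalf, so this flag is required
        if (-not ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
            $findings += "'use any authentication protocol' not set; protocol transition will fail"
        }
        # 4. The expected downstream SPNs are present in msDS-AllowedToDelegateTo
        foreach ($t in $Spec.DelegatesTo) {
            if ($targets -notcontains $t) { $findings += "not allowed to delegate to $t" }
        }
        # Extra targets are reported for review: each one widens what this account can reach
        # as the user (ADUC also adds short-name variants, which is expected)
        $extra = @($targets | Where-Object { $Spec.DelegatesTo -notcontains $_ })
        if ($extra.Count -gt 0) { $findings += "INFO: also delegates to " + ($extra -join ', ') }
    }

    if ($findings.Count -eq 0) { return "[$($Spec.Account)] OK" }
    return "[$($Spec.Account)] " + ($findings -join '; ')
}

foreach ($spec in $Expected) { Test-KerberosDelegation $spec }
```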

Now that the SPNs are set up and the service accounts have been allowed to send delegated credentials, it is time to create the web application in SharePoint and create the SSRS SharePoint Integrated instance if they haven’t been already. There are a number of excellent posts online on how to do this, so we will move on to TMG.

Open the TMG management console and right-click on the Firewall Policy node. Choose New -> Web Site Publishing Rule or SharePoint Publishing Rule. From what I was able to gather, there is no difference between either rule wizard except for the fact that the SharePoint rule has some verbiage about making sure Alternate Access Mappings are configured, which are not needed since our internal and external DNS names will be the same. The wizard is pretty self-explanatory. The important settings are the internal server names, the public server names, and the authentication delegation. Make sure the server names are the same as the DNS records created earlier for both internal and external names. For the authentication delegation, make sure Kerberos Constrained Delegation is selected and verify the SPN displayed is the same as what was registered earlier. If you need to create a web listener, make sure the listener is set for HTML Authentication and not HTTP. It is highly recommended that HTTPS be used for external traffic.

Key Links

Everything you need to know about configuring Kerberos with anything SharePoint – http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23176

Configuring PerformancePoint and TMG server for Constrained Delegation – http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23176

More To Come

Look for more follow-up posts… leave comments to show Lane some love if he saved you some time…

By Lane Goolsby (Publishing SharePoint using Kerberos Delegation)

ThreeWill’s SharePoint Extranet

Tim is a Senior Consultant at ThreeWill. He has 15 years of consulting experience designing and developing browser-based solutions using Microsoft technologies. Experience over the last 8 years has focused on the design and implementation of SharePoint Intranets, Extranets and Public Sites.

Introduction

ThreeWill has been using SharePoint for our extranet since WSS v3 became available. I’d like to share some of the ways that we use our extranet to hopefully help you see areas where SharePoint can increase your productivity and communication with your clients or partners.

High Level Architecture

At ThreeWill, we maintain a separate site collection for each of our clients. At the root of the site collection is a customized client site where we store information about the client that is common across all projects. The information I use most at the client site level is the contact information that we gather for each person that we work with at the client. This includes their name, email and phone number.

Project Specific Sites

For each project that we engage in with the client, we create a separate project site. Project sites include areas for requirements, documentation, source code deliverables, issues, risks, calendars and discussions. The calendars and discussions are email-enabled so that we can include the project calendar and discussion in any meetings that are scheduled or any email correspondence that is shared among the team. This information can then be used by people not directly included in the correspondence, or by resources who join the project later and want to see what meetings or email correspondence took place before they joined the team. An issues list is maintained to track any issues that arise on the project. Issues can be assigned, and various views of the issues list can be created, including a “My Issues” view to track the issues assigned to you. Risks are also communicated and tracked through the issues list, along with their mitigation and contingency plans.

Managing Successful Projects

With regard to requirements, ThreeWill follows the Scrum methodology, so we use SharePoint lists to capture the appropriate information in places such as a Product Backlog, Sprint Backlog, Burndown Charts, etc. Clients are encouraged to capture new requirements in the Product Backlog so they can be reviewed at the beginning of each Sprint and prioritized along with the other features that have been captured for inclusion in the Sprint. Acceptance criteria for each Product Backlog item are documented at the beginning of the Sprint and reviewed at the end of the Sprint to ensure that the backlog item has been implemented to the client’s satisfaction. Any documents handed over by the client to help clarify requirements, or produced by ThreeWill to validate requirements, are captured in a document library located in the project site, where ThreeWill and the client have secured access.

And Most Importantly, Security

With the release of WSS v3, forms-based authentication became possible. Prior to this release, all SharePoint users had to be given access through Active Directory, which many IT administrators opposed. With forms-based authentication, user credentials can easily be kept separate from company credentials, as they are stored in a separate data store. In our case, we use a SQL data store and manage users with the forms-based resources from the Community Kit for SharePoint, which can be found on CodePlex. And with SharePoint 2010, both users authenticating with Active Directory (ThreeWill users) and users authenticating with forms-based authentication (clients/partners) use the same URL, so sharing links among all users is no longer a challenge.

Conclusion

SharePoint extranets are a great way to leverage your existing investment in SharePoint to increase your communication and collaboration with clients.

Are you using SharePoint for your Extranet? Feel free to leave a comment with your experiences or contact us if you are interested in having us help you set up and configure your Extranet.

By Tim Coalson

Viewing Scopes

Kirk Liemohn is a Principal Software Engineer at ThreeWill. He has over 20 years of software development experience with most of that time spent in software consulting.

I learned something yesterday while trying to understand a client issue with MOSS search.

With the work we did on the SharePoint Connector for Confluence, we created functionality to let you search Confluence from SharePoint. A lot of this work used out-of-the-box features of MOSS 2007 Enterprise Search. However, we did have to create custom configuration screens to allow the user to create a crawl rule that used forms-based authentication (FBA). In addition, we needed to create a custom security trimmer because crawling web sites does not allow for the indexing of ACLs.

What I learned yesterday was something interesting with the security trimmer. I knew that custom security trimmers are executed when an end user performs a query as opposed to when the search engine crawls and indexes the content. What I didn’t know is that simply viewing scopes within the search administration interfaces will also execute the security trimmer.

Within your shared service provider (SSP), you can view the scopes as shown below:

In my test environment, I had only crawled the “TW Confluence” content source which had an associated “TW Confluence” scope as shown above. My total index had 104 items, but no items were showing up in the scopes. I was expecting to see counts for both “All Sites” and “TW Confluence”.

What was happening was that simply viewing this page invokes the security trimmer assigned to my crawl rule for all items in the index that map to the crawl rule. In the case of the SharePoint Connector for Confluence security trimmer, it needs to ask Confluence if the current user has access to each URL. Unfortunately, if the security trimmer is invoked from the shared service provider (as it is done in this case) it does not know how to connect to Confluence because that configuration is available within a typical site collection, not within a SSP.

Interestingly, there is also a way to view scopes from within a typical site collection:

As you can see here, we do have counts for our “All Sites” and “TW Confluence” scopes. Once again, our security trimmer is executed when viewing this page, but this time it is able to find configuration data on how to connect to Confluence. The count of 9 is much less than what is in the index because the current user does not have access to all of the URLs; access to them was denied by the custom security trimmer.

Note that the only way I knew for sure that the security trimmer runs in these cases is through some tracing capability we have had in the product for quite some time.

If you are interested in learning more about the SharePoint Connector for Confluence, check out the links above or visit http://www.atlassian.com/en/software/confluence-sharepoint-connector. If you are in the Atlanta area and want to learn more about MOSS 2007 Enterprise Search, keep an eye on our Event Calendar for upcoming presentations.

By Kirk Liemohn

Anonymous Access Gotcha

Kirk Liemohn is a Principal Software Engineer at ThreeWill. He has over 20 years of software development experience with most of that time spent in software consulting.

It’s a simple problem with a simple solution, but sometimes the little things hit you when you are deploying from one environment to another and they can take a lot longer than you’d like. So, hopefully this is a reminder and saves some people some time…

Recently I wrote a couple of web services to be hosted within SharePoint. This problem wouldn’t only occur with web services, though. It could happen with web parts, application pages, site pages, event handlers, etc.

One of my web services did not access the SharePoint object model, but needed to know who the current user was, so it used the following within its code:

HttpContext.Current.User.Identity.Name;

Another web service did use the SharePoint object model and it used the following:

this.Context.User.Identity.Name
SPContext.Current.Web.CurrentUser.Groups

The code above worked beautifully in my development environment and two other test environments. When it came time to deploy to the test environment at the client, it didn’t work. I was perplexed.

Based on the exception I had, I ascertained that CurrentUser was null in the code above and asked the testers if they were logged in – assuming anonymous access must have been enabled and that they were not logged in. Well, they were logged in, but anonymous access was enabled – and that was the difference in the environments that worked and didn’t work.

It turns out that the problem was that the SharePoint web application (and therefore IIS) allowed anonymous access, and the client making the web service calls (in this case InfoPath Forms Services) had negotiated to send as few credentials as possible (none).

So, the first two code snippets resulted in a null or empty string and the last code snippet blew up because CurrentUser was null.

The solution was simple… Require an IIS change to the asmx file or its containing folder to not allow (uncheck) anonymous access to the web service(s).

Another option might be to modify the code to return a 401 Unauthorized to see if the negotiation would begin. I didn’t take it that far, but would love to hear from someone if they have tried this.
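The defensive version of the snippets above, as an added example (not code from the post): the service checks whether IIS actually authenticated the caller before it touches the SharePoint object model, and challenges with a 401 instead of dereferencing a null CurrentUser. The service name and namespace are placeholders; whether the calling client renegotiates credentials after the 401 is the open question the post leaves, so the example only shows the server side.

```csharp
// Added example: an ASMX service hosted in SharePoint that fails safely when the
// request arrives anonymous. Service name and namespace are placeholders.
using System.Net;
using System.Web;
using System.Web.Services;
using Microsoft.SharePoint;

[WebService(Namespace = "http://example.invalid/whoami")] // placeholder namespace
public class WhoAmIService : WebService
{
    [WebMethod]
    public string WhoAmI()
    {
        // With anonymous access enabled on the virtual directory and a client that
        // negotiated no credentials, Identity.Name is empty and IsAuthenticated is false.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
        {
            // Challenge explicitly rather than guessing at an identity.
            Context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            Context.Response.AppendHeader("WWW-Authenticate", "Negotiate");
            Context.Response.AppendHeader("WWW-Authenticate", "NTLM");
            Context.Response.End(); // ends the request; nothing below runs
            return null;
        }

        // Only now is it safe to look at SharePoint's view of the user. CurrentUser is
        // null for anonymous requests, which is what blew up in the post's third snippet.
        SPUser user = SPContext.Current == null ? null : SPContext.Current.Web.CurrentUser;
        if (user == null)
        {
            // Authenticated at the IIS level but not resolvable as a SharePoint user
            // (for example, outside a web application context): report what IIS knows.
            return Context.User.Identity.Name;
        }

        string groups = string.Empty;
        foreach (SPGroup group in user.Groups)
        {
            groups += (groups.Length == 0 ? "" : ", ") + group.Name;
        }
        return user.LoginName + " [" + groups + "]";
    }
}
```

Unchecking anonymous access on the .asmx file, as the post does, keeps IIS from ever invoking the method anonymously; the IsAuthenticated check is the in-code guard for environments where that IIS setting is forgotten during deployment.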

By Kirk Liemohn

SharePoint List Security

Kirk Liemohn is a Principal Software Engineer at ThreeWill. He has over 20 years of software development experience with most of that time spent in software consulting.

Restricting access to a user on a public site can be important. One way to do this is to restrict access to the Group membership list in SharePoint.

  • Log in to the site that you want to restrict access to and select People and Groups.
  • Go to Settings -> List Settings
  • General Settings -> Advanced Settings
  • For Item-Level Permissions set Read access to only their own and Edit access to none, leave Attachments at the default of Enabled and, for Search, I would not allow items to appear in search results.
  • Now when a user tries to see other members of the site this is the error they get.
  • Now of course Site administrators can still see the information, but I would think that is something that you would want.
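The same item-level settings applied through the object model, as an added example (not the post's code), so the change can be scripted across site collections instead of clicked through per site. It targets the site collection's user information list, which backs People and Groups; the site URL is a placeholder and the caller needs permission to change list settings.

```csharp
// Added example: apply and read back the item-level permission settings from the
// steps above on the user information list of a site collection.
using System;
using Microsoft.SharePoint;

public static class UserInfoListLockdown
{
    // SPList.ReadSecurity: 1 = read all items, 2 = read only their own.
    // SPList.WriteSecurity: 1 = edit all items, 2 = edit only their own, 4 = none.
    private const int ReadOnlyTheirOwn = 2;
    private const int EditNone = 4;

    public static void Apply(string siteUrl)
    {
        using (SPSite site = new SPSite(siteUrl))
        {
            SPWeb root = site.RootWeb;                // disposed together with the SPSite
            SPList userInfo = root.SiteUserInfoList;  // the list behind People and Groups
            userInfo.ReadSecurity = ReadOnlyTheirOwn;
            userInfo.WriteSecurity = EditNone;
            userInfo.NoCrawl = true;                  // keep entries out of search results
            userInfo.Update();
        }
    }

    // Returns the current settings so a deployment script can verify them afterwards.
    public static string Describe(string siteUrl)
    {
        using (SPSite site = new SPSite(siteUrl))
        {
            SPList userInfo = site.RootWeb.SiteUserInfoList;
            return string.Format("ReadSecurity={0} WriteSecurity={1} NoCrawl={2}",
                userInfo.ReadSecurity, userInfo.WriteSecurity, userInfo.NoCrawl);
        }
    }

    public static void Main(string[] args)
    {
        string siteUrl = args.Length > 0 ? args[0] : "http://sharepoint.example/sites/public"; // placeholder
        Console.WriteLine("Before: " + Describe(siteUrl));
        Apply(siteUrl);
        Console.WriteLine("After:  " + Describe(siteUrl));
    }
}
```

Site collection administrators bypass item-level permissions, which matches the last bullet above; the read-back is there so the script can confirm the settings took effect rather than assuming it.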

By Kirk Liemohn

Registering Security Trimmers

Kirk Liemohn is a Principal Software Engineer at ThreeWill. He has over 20 years of software development experience with most of that time spent in software consulting.

Background

When WSS and MOSS crawl content and store that content in an index, they can also store authorization information (ACLs) with the data. This makes it easy for a search query to return only results to which the searching user has access. WSS search is limited to SharePoint sites, but MOSS search can go beyond that to web sites, file shares, Exchange public folders, the BDC, and others. While some content such as SharePoint sites, file shares, and Exchange public folders carries ACLs, other content such as web sites and the BDC does not.

The solution to trimming MOSS search results that do not contain ACLs is to use a security trimmer. A security trimmer is very simple; it takes a list of URLs and returns a BitArray indicating if the current user has access to each URL. A security trimmer runs at query time so there is a performance cost, but I’ve found that the story here isn’t too bad since the security trimmer gets called in batches based on the number of search results shown to the user on a page. Basically, if the ratio of allowed access to total possible results is high, the number of items to check for security trimming at a time should be kept to a minimum. In addition there is a way to specify a limit on the number of crawl URLs to check.

There is a BDC Security Trimmer or you can write your own Custom Security Trimmer. That last link has a good overview and walk-through of how to write, deploy, and register a custom security trimmer. I recommend it for further reading. However, the walk-through only shows how to register a security trimmer using stsadm. It does not show how to do it via code. In fact, on the stsadm command, you provide the crawl rule path indicating that the security trimmer references the crawl rule, which is not the case (it is the other way around).

I needed to do this via code as part of a custom shared service provider administration screen. Since I had a little bit of trouble figuring this out and couldn’t find anyone else that did it, I wanted to blog about it here once I found the solution.

Show Me Some Code!

OK, enough background, let’s see some code on how to do this.

  • First, your code will need to reference Microsoft.Office.Server.Search.dll, which can be found in the ISAPI folder under the 12 Hive for a MOSS install. In addition, all of my code below uses the following using statements.

using System.Collections.Specialized; // NameValueCollection
using SearchAdmin = Microsoft.Office.Server.Search.Administration;

  • Now you can register your security trimmer. You will need the fully qualified type name for your security trimmer or access to it via code (as I have done below). In addition you need to specify the security trimmer id (an Int32 of any value of your choice assuming another security trimmer is not already registered with that value). If you don’t have the context of the shared service provider, you’ll have to do a little more work.

// Get the security trimmer manager
// Note: no need to call SetSearchContextToUse as it is determined implicitly through HttpContext
SearchAdmin.Security.PluggableSecurityTrimmerManager manager = SearchAdmin.Security.PluggableSecurityTrimmerManager.Instance;

// Register the security trimmer
// No need to provide any custom properties (but an empty named value collection must be provided)
int securityTrimmerId = 1; // any Int32 not already used by another registered security trimmer
string fullyQualifiedTypeName = typeof(MyCustomSecurityTrimmer).AssemblyQualifiedName;
manager.RegisterPluggableSecurityTrimmer(securityTrimmerId, fullyQualifiedTypeName, new NameValueCollection());

  • Then you will need to create or update your crawl rule to give it the security trimmer id. The code below shows creating a crawl rule. If you don’t have the context of the shared service provider, you’ll have to do a little more work.

// This page is in the context of the shared service provider, so this call should get our search context;
// otherwise we would need to use the ServerContext object instead and call SearchContext.GetContext(serverContext).
// Note that ServerContext is in the Microsoft.Office.Server namespace (Microsoft.Office.Server.dll)
SearchAdmin.SearchContext searchContext = SearchAdmin.SearchContext.Current;

// Get the content object which is needed for access to content sources and crawl rules
SearchAdmin.Content content = new SearchAdmin.Content(searchContext);

// Create crawl rule (rulePath is the crawl rule path, e.g. a wildcard URL such as http://confluence.example/*)
SearchAdmin.CrawlRule crawlRule = content.CrawlRules.Create(SearchAdmin.CrawlRuleType.InclusionRule, rulePath);

// Set other crawl rule properties here…

// Set the security trimmer id (the same id passed to RegisterPluggableSecurityTrimmer) and save the changes
crawlRule.PluggableSecurityTrimmerId = securityTrimmerId;
crawlRule.Update();

  • That’s it. Fairly simple, especially if you already have the appropriate context as my code does, since it runs within the context of the shared service provider.

As you can see, the crawl rule references the security trimmer id and the security trimmer does not reference the crawl rule.

Note that your security trimmer will not be in effect until you crawl (probably a full crawl) after registering it, even though the security trimmer itself runs at query time.
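A complete trimmer that the registration code above can point at, as an added example (it is neither the post's code nor the Confluence trimmer the posts describe): it grants access only to URLs whose host is in an allow-list passed as a static property at registration, and fails closed when that configuration is absent, which is the situation the Viewing Scopes post above runs into when the trimmer is invoked from the SSP. The trimmer class, the AllowedHosts property, the trimmer id and the rule path are all assumptions.

```csharp
// Added example: a MOSS 2007 ISecurityTrimmer plus the registration and crawl rule
// wiring from the post. Names, ids and paths are placeholders.
using System;
using System.Collections;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security.Principal;
using Microsoft.Office.Server.Search.Administration;
using Microsoft.Office.Server.Search.Administration.Security;
using Microsoft.Office.Server.Search.Query;

public class HostAllowListTrimmer : ISecurityTrimmer
{
    private string[] allowedHosts = new string[0];

    // staticProperties is the NameValueCollection handed to RegisterPluggableSecurityTrimmer.
    public void Initialize(NameValueCollection staticProperties, SearchContext searchContext)
    {
        string hosts = staticProperties == null ? null : staticProperties["AllowedHosts"];
        if (!string.IsNullOrEmpty(hosts))
        {
            allowedHosts = hosts.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
        }
        // No configuration means allowedHosts stays empty and CheckAccess denies everything.
    }

    // Called at query time with a batch of URLs; one bit per URL, same order, true = visible.
    public BitArray CheckAccess(IList<string> documentCrawlUrls,
                                IDictionary<string, string> sessionProperties,
                                IIdentity passedUserIdentity)
    {
        BitArray result = new BitArray(documentCrawlUrls.Count, false);
        if (passedUserIdentity == null || !passedUserIdentity.IsAuthenticated || allowedHosts.Length == 0)
        {
            return result; // fail closed: anonymous caller or missing configuration
        }

        for (int i = 0; i < documentCrawlUrls.Count; i++)
        {
            Uri uri;
            if (!Uri.TryCreate(documentCrawlUrls[i], UriKind.Absolute, out uri))
            {
                continue; // unparseable crawl URL stays trimmed
            }
            foreach (string host in allowedHosts)
            {
                if (string.Equals(uri.Host, host, StringComparison.OrdinalIgnoreCase))
                {
                    result[i] = true;
                    break;
                }
            }
        }
        return result;
    }
}

public static class TrimmerSetup
{
    // Registers the trimmer with its configuration and points a new crawl rule at it.
    // Must run with the shared service provider's search context available (SearchContext.Current).
    public static void Register(int securityTrimmerId, string rulePath, string allowedHosts)
    {
        NameValueCollection props = new NameValueCollection();
        props["AllowedHosts"] = allowedHosts; // delivered to Initialize as staticProperties

        PluggableSecurityTrimmerManager manager = PluggableSecurityTrimmerManager.Instance;
        manager.RegisterPluggableSecurityTrimmer(securityTrimmerId,
            typeof(HostAllowListTrimmer).AssemblyQualifiedName, props);

        Content content = new Content(SearchContext.Current);
        CrawlRule rule = content.CrawlRules.Create(CrawlRuleType.InclusionRule, rulePath);
        rule.PluggableSecurityTrimmerId = securityTrimmerId; // the crawl rule references the trimmer
        rule.Update();
    }
}

// Example wiring (placeholder values): TrimmerSetup.Register(1, "http://wiki.example/*", "wiki.example");
```

The empty-result default is the important design choice: a trimmer that cannot reach its configuration should trim everything, so a misconfigured SSP page shows zero counts rather than leaking items the user cannot see.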

By Kirk Liemohn

SQL Server 2005 Reporting Services Add-in Primer

Tim is a Senior Consultant at ThreeWill. He has 15 years of consulting experience designing and developing browser-based solutions using Microsoft technologies. Experience over the last 8 years has focused on the design and implementation of SharePoint Intranets, Extranets and Public Sites.

The SQL Server 2005 Reporting Services Add-in provides the following functionality:

  • A Report Viewer Web Part, which provides report viewing capability, export to other rendering formats, page navigation, search, print, and zoom.
  • Web application pages so that you can create subscriptions and schedules, set model item security, and manage reports, models, and data sources.
  • Support for standard Windows SharePoint Services features including document management, collaboration, security, and deployment with report server content types. You can use alerts, versioning (check in/out), and Filter Web Parts with reports. You can add the Report Viewer Web Part to any page or dashboard on a SharePoint site and customize its appearance. You can use SharePoint permission levels and roles to control access to report server content. You can also use SharePoint forms authentication to support access over Internet connections.

Note: The add-in is for reporting on SQL data, not SharePoint data.

This walk through makes a few assumptions about your setup environment.

  • Active Directory 2003 domain running in native mode
  • The SharePoint server is on a separate box from the Reporting server
  • The reporting server and the SQL server are on the same box
  • The SPAdmin account is the SharePoint administration account and is the local administrator on the SharePoint server and the SQL server
  • SPSQL account runs the sql services and reporting services
  • SPSites account runs the application pool for the SharePoint web site.
  • Your SharePoint Server is set to use Kerberos authentication

SetSPN

SetSPN (set spin) is used to configure Active Directory user and computer accounts for Kerberos delegation. Kerberos delegation is necessary if you are running Reporting Services on a different server than your SharePoint server: if user A hits a web site on computer B, computer B can forward the authentication to computer C. There are two benefits to configuring Kerberos: first, Kerberos is a more secure protocol than NTLM; second, Kerberos is necessary to correctly configure Reporting Services.

  1. Login to domain controller
  2. Download the setspn.exe from http://www.microsoft.com/downloads/details.aspx?familyid=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&displaylang=en
  3. Run setspn_setup.exe and install tool, click next
  4. Agree to the EULA
  5. Accept the default path and click install now
  6. Click start -> Run and enter cmd
  7. From the command prompt navigate to C:\Program Files\Resource Kit. You will need to run setspn for the following three accounts: the SharePoint Service Account (SPAdmin), the default site application pool account (SPSites) and the SQL Service account (SPSQL). Issue the following commands:
    1. setspn -A http/llqawss01 qalbapad\spadmin
    2. setspn -A http/llqawss01.qalbapad.qalocal qalbapad\spadmin
    3. setspn -A http/llqawss01 qalbapad\spsites
    4. setspn -A http/llqawss01.qalbapad.qalocal qalbapad\spsites
    5. setspn -A http/llqawss01 qalbapad\spsql
    6. setspn -A http/llqawss01.qalbapad.qalocal qalbapad\spsql
    7. setspn -A http/llqasql01 qalbapad\spadmin
    8. setspn -A http/llqasql01.qalbapad.qalocal qalbapad\spadmin
    9. setspn -A http/FQDN of server (www.ll.com) qalbapad\spsites
    10. setspn -A http/FQDN of server (www.ll.com) qalbapad\spadmin
    11. setspn -A http/FQDN of server (www.ll.com) qalbapad\spsql
      Notice that you need to run setspn for each name the computer may be addressed by: the NetBIOS name, the internal FQDN and, if the machine uses another FQDN, that name as well. (To be honest this is probably overkill, but it covers all your bases.)
  8. On the domain controller open Active Directory Users and Computers. We need to trust the computer accounts and service accounts for delegation.
    1. Find the SQL server in Active Directory Users and Computers (ADUC), right-click and go to Properties, click the Delegation tab, then select Trust this computer for delegation to any service (Kerberos only)
    2. Find the WSS server in ADUC, right-click and go to Properties, click the Delegation tab, then select Trust this computer for delegation to any service (Kerberos only)
    3. Find the SharePoint Service account in ADUC, go to Properties, click the Delegation tab, then select Trust this user for delegation to any service (Kerberos only)
    4. Find the SharePoint Site (SPSites) account in ADUC, go to Properties, click the Delegation tab, then select Trust this user for delegation to any service (Kerberos only)
    5. Find the SQL Server Service (SPSQL) account in ADUC, go to Properties, click the Delegation tab, then select Trust this user for delegation to any service (Kerberos only)
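The delegation settings clicked through in ADUC here, and the constrained-delegation settings described in the Kerberos delegation post earlier on this page, can be audited and applied from code. This is an added example, not from either post: it reads the userAccountControl delegation bits and msDS-AllowedToDelegateTo through System.DirectoryServices, reports whether an account is unconstrained ("any service"), constrained ("specified services only"), and whether "use any authentication protocol" is on, and can rewrite an account to constrained delegation. Account names are the ones the posts use; SRV-TMG$ is the sAMAccountName form of the TMG computer account.

```csharp
// Added example: audit and set Kerberos delegation on AD accounts. Runs against the
// domain the calling machine is joined to; account names below are placeholders.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

public static class DelegationAudit
{
    // userAccountControl bits (ADS_USER_FLAG_ENUM)
    public const int TrustedForDelegation = 0x80000;          // "any service" = unconstrained
    public const int TrustedToAuthForDelegation = 0x1000000;  // "use any authentication protocol"

    // Human-readable delegation state of one account.
    public static string Describe(string samAccountName)
    {
        using (DirectoryEntry entry = Find(samAccountName))
        {
            if (entry == null) return samAccountName + ": not found";
            int uac = (int)entry.Properties["userAccountControl"].Value;
            List<string> targets = Values(entry.Properties["msDS-AllowedToDelegateTo"]);

            StringBuilder sb = new StringBuilder(samAccountName + ": ");
            if ((uac & TrustedForDelegation) != 0) sb.Append("UNCONSTRAINED delegation");
            else if (targets.Count > 0) sb.Append("constrained to ").Append(string.Join(", ", targets.ToArray()));
            else sb.Append("no delegation");
            if ((uac & TrustedToAuthForDelegation) != 0) sb.Append(" (any authentication protocol)");
            return sb.ToString();
        }
    }

    // Switch an account to "specified services only"; anyProtocol maps to the
    // "use any authentication protocol" radio button. Clears the unconstrained bit.
    public static void Constrain(string samAccountName, string[] serviceSpns, bool anyProtocol)
    {
        using (DirectoryEntry entry = Find(samAccountName))
        {
            if (entry == null) throw new ArgumentException("account not found: " + samAccountName);
            int uac = (int)entry.Properties["userAccountControl"].Value;
            uac &= ~TrustedForDelegation;
            if (anyProtocol) uac |= TrustedToAuthForDelegation; else uac &= ~TrustedToAuthForDelegation;
            entry.Properties["userAccountControl"].Value = uac;

            PropertyValueCollection allowed = entry.Properties["msDS-AllowedToDelegateTo"];
            allowed.Clear();
            foreach (string spn in serviceSpns) allowed.Add(spn);
            entry.CommitChanges();
        }
    }

    private static DirectoryEntry Find(string samAccountName)
    {
        using (DirectoryEntry root = new DirectoryEntry("LDAP://RootDSE"))
        using (DirectoryEntry domain = new DirectoryEntry("LDAP://" + root.Properties["defaultNamingContext"].Value))
        using (DirectorySearcher searcher = new DirectorySearcher(domain, "(sAMAccountName=" + Escape(samAccountName) + ")"))
        {
            SearchResult hit = searcher.FindOne();
            return hit == null ? null : hit.GetDirectoryEntry();
        }
    }

    private static List<string> Values(PropertyValueCollection collection)
    {
        List<string> list = new List<string>();
        foreach (object value in collection) list.Add(value.ToString());
        return list;
    }

    // RFC 4515 escaping so an account name cannot alter the LDAP filter.
    private static string Escape(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*': sb.Append("\\2a"); break;
                case '(': sb.Append("\\28"); break;
                case ')': sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Accounts from the posts (placeholders for your own environment).
        foreach (string name in new string[] { "SPAppPool", "SSRSAppPool", "SRV-TMG$", "spsites", "spsql" })
            Console.WriteLine(Describe(name));
        // Example of the Kerberos post's setting: Constrain("SPAppPool", new string[] { "HTTP/SRV-SSRS" }, true);
    }
}
```

Running Describe over the service accounts after either walk-through is a quick way to confirm which mode each account ended up in; the Kerberos delegation post notes that the unconstrained mode this primer selects does not work for SharePoint-to-SSRS delegation, so the report is also how you spot an account that still needs to be constrained.
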

On the SQL/Reporting Server

  1. Make SPAdmin local administrator of the SQL server computer
  2. Install Microsoft .NET Framework 2.0
  3. Install Microsoft .NET Framework 3.0
  4. Download the SharePoint install from Microsoft
  5. Execute SharePoint.exe
  6. Accept the licensing agreement, click continue
  7. Choose the advanced installation option
  8. For Server Type choose Web Front-End (WFE), click install now
  9. Click close to run the SharePoint Technology Configuration wizard
  10. Select Yes, I want to connect to an existing server farm, click next
  11. Enter the name of the database server and then click Retrieve Database Names. This will bring back the SharePoint Configuration database name.
  12. In the Specify Database Access account enter the SharePoint Service account (SPAdmin) and password information, click next
  13. Click Next
  14. Click Finish
  15. Download the reporting services add-in http://www.microsoft.com/downloads/details.aspx?familyid=1E53F882-0C16-4847-B331-132274AE8C84&displaylang=en

On the SharePoint Server

Install the SharePoint add-in for Reporting Services.

  1. Run SharePointRS.msi, click next
  2. Accept the Licensing agreement, click next
  3. Click next
  4. Click Install
  5. Click Finish when complete
  6. Log in to the SQL Server computer, click Start -> All Programs -> Microsoft SQL Server 2005 -> Configuration Tools -> Reporting Services Configuration
  7. Connect to the SQL Server
  8. Click on Database Setup
  9. Click on Change to change the server mode to SharePoint
  10. Click yes to create a new Reporting Services database
  11. Leave the defaults and enter a name for the new SharePoint integrated Reporting Services database, click OK.
  12. Click Apply
  13. Leave the defaults and click OK
  14. Now we need to configure the Reporting Services application pool to run as SPAdmin. Open IIS Manager and navigate to the Application Pool -> Report Server
  15. Right click on Report Server and click properties, click the Identity tab
  16. Configure the identity to be SPAdmin. This will allow the reporting server to access the SharePoint server for the SharePoint integration to work properly.
  17. In IIS manager under the Web Sites folder right click the default site (This is where reporting services web is located) and click properties
  18. In the Web Sites tab change the port to 8080, Click OK to apply
  19. Return to the Reporting Server configuration and refresh. In the Web Service Identity you will need to click apply to complete the change made to the application pool
  20. Click on SharePoint Integration
  21. Follow link to SharePoint Central Administration site
  22. From the Application tab click on Manage integration settings
  23. Enter the URL for the report server plus the virtual directory for the report server. Most likely this will be http://machinename:port#/reportserver. Click OK
  24. Click on Grant database access, this will default to the local server. Change to the reporting server. Click OK
  25. You will be prompted to enter credentials for accessing the report server. Enter the SQL account (SPSQL), click ok
  26. Click on Set Server Defaults
  27. In Reporting Services Server Defaults accept the defaults and click OK

By Tim Coalson