June 2018 Office 365 Updates

Information

YouTube

Each installment of the series is published on YouTube to the Office 365 Update Series Playlist (https://aka.ms/o365update-youtube) which is part of the Office Videos Channel (https://www.youtube.com/user/officevideos).

Blog

The companion blog at http://aka.ms/o365update-blog hosts this document and articles related to this video series.

Transcript

Introductory Comments

Welcome to the Office 365 update for June 2018.

In the next few minutes I’ll be giving you a quick rundown of the latest Office 365 updates, with the goal of helping you get the most out of the service.

Training Services

Source: The SharePoint Community Blog: Introducing Microsoft Training Services

Newsflash! New capabilities in any product or service do nobody any good unless people actually use them. For Office 365, one challenge to using new capabilities is knowing they exist and what value they provide. That’s the focus of this video. Another hurdle, and one I frequently hear from listeners, is training users on how to use Office 365 capabilities, both new and existing, to get work done. While I’ve touched on some great training already available in past videos, and provided links to training resources in the companion blog, there is also news on that front.

On May 21st, Microsoft announced Microsoft Training Services, a digital, customized learning service for Office 365 and Windows 10. The training is designed to help customers leverage learning to transform their organizations without investing heavily in training and change management resources.

To date, 25 organizations have participated in the pre-pilot phase, helping to develop and test the service, which includes:

  • Customizable, always up-to-date content,
  • Experiences right-sized to an organization’s needs, and
  • Metrics on training materials users consume and the types of custom playlists they create and share.

Microsoft Training Services will be available as a pilot in late July 2018. To be added to the pilot waitlist or to learn more, register at https://aka.ms/mtspilot.

Outlook

Source: Microsoft 365 Blog: New Calendar, Mail, and mobile Outlook features help you get things done

New Outlook features across Windows, Mac, web, and mobile, help you manage your time and keep what matters most front and center.

Adding a new meeting or a location for an event just got easier and faster in Outlook for iOS. Even before you start typing, Outlook offers suggestions for your meeting location, including recently used conference rooms and other common locations such as “my office.” Once you start to type in the location field, Outlook suggests options, powered by Bing, and then autocompletes your meeting location with the necessary information, including the full address for public locations.

In iOS, Outlook will use your current location, your destination address, and traffic updates to send you a notification to let you know when it is time to leave for your next meeting. Note that this feature will be coming soon to Outlook for Windows.

Let’s face it. Some meetings are more important than others. Don’t tell my boss, but one criterion I sometimes use to determine if I’m going to attend a meeting is who else is going to be there. Up until recently, determining who would be attending a meeting could be challenging because meeting invitation responses were only visible to the meeting organizer.

Now, Outlook allows you to see the tracked responses and RSVPs for the meetings you’re invited to, even when you’re not the organizer. This insight enables you to better manage your time and decide if you should attend based on the plans of others. For example, if I’m invited to two meetings that overlap, and I can see that one of my colleagues is attending one of the meetings, I could elect to attend the other meeting and then sync with my colleague afterwards.

If you are planning a meeting that requires tight control of the attendee list, Outlook now gives you the option to allow or prevent the forwarding of your calendar invitation.

Do you collaborate with people in different time zones? I do, every day. That’s why I was thrilled when the Outlook team added more time zone functionality to Outlook. This has become indispensable when I’m planning meetings and looking for “time zone friendly” meeting times.

In Windows, you can now display up to three time zones in your calendar grid. Just click on File, then Options, then on the Calendar section. Under Time Zones, you can add whichever Time Zones you would like to see.

In Outlook for Mac, you can add one additional Time Zone under Outlook Preferences.

Now, at a glance, you can understand what’s happening and when around the globe with Outlook.

The April 30th Office Blog post has additional details on all these features, as well as a preview of new features coming soon to Outlook on iOS and Android, including:

  • The ability to sync your drafts folder from your desktop to your mobile device,
  • Office Lens functionality for adding captured whiteboards, documents, and photos directly to new Outlook messages, and
  • the ability to tag your favorite people to keep your key contacts front and center in your mobile search experience, and more.

I’ll keep you posted on when these new features become available in future videos.

OneDrive and SharePoint

Source: OneDrive Blog: New Capabilities for OneDrive Announced Today at SharePoint Conference North America

Microsoft 365 Blog: SharePoint innovations transform content collaboration with mixed reality and AI

At the May SharePoint Conference in Las Vegas, several exciting features were announced for both SharePoint and OneDrive. Here are some of the highlights.

First, improvements in the built-in scan feature in the OneDrive mobile app for both iOS and Android. It’s now accessed from the dedicated icon in the tab bar, making it easy to add images, multiple page files, and annotations right to your OneDrive.

There’s also improved upload support in OneDrive for Business with automatic uploads for photos and videos captured to your phone’s camera roll.

Another new feature is the ability to set and require a password when you share a file or folder with other people. This prevents others from accessing your files if your intended recipient accidentally forwards or shares the link. Note that this feature is independent from the secure external sharing controls managed by IT administrators.

In addition, you now have the ability to prevent users from downloading files shared via view-only links. This enables you to share Office documents in the cloud while preventing people from downloading and keeping offline copies.

There are several feature enhancements specific to Office 365 Administrators, including the ability to automatically connect and synchronize SharePoint team sites as part of a OneDrive deployment or upgrade process. For all the details and additional news, read the OneDrive blog post I link to in the transcript and resources document.

One news item that generated a lot of buzz at the SharePoint Conference was Microsoft’s unveiling of SharePoint Spaces. Leveraging Microsoft’s investment in artificial intelligence and mixed reality, SharePoint Spaces are immersive, mixed reality experiences that enable users to view and interact with content from every angle. They can also visualize and manipulate data and product models in real-time.

With this innovation, SharePoint will become the first unified content collaboration and services solution to span files, websites, and soon, mixed reality spaces. Customers and partners can apply to be part of an early, limited preview of SharePoint spaces by clicking on the link in the May 21st Microsoft Blog post.

Windows Title Bar

The Title Bar has been a fixture in the Windows interface since the first version released to manufacturing 32 years ago. I’m happy to report title bar functionality in Office 365 has taken a huge leap forward in the name of productivity improvement.

Click on the title bar and a new drop-down enables you to take several actions, including:

  • quickly re-name the current document,
  • open the document’s location,
  • share the document via an invitation or a link, and
  • quickly access the document’s version history.

Truth be told, I sort of stumbled across this hidden gem in the Windows version of Office recently myself. But since doing so, I’ve particularly found the ability to open the document’s location to be a big productivity booster. Give it a try and I’m sure you’ll find how much it can speed up your work.

Security

Source: Trust Center: How our products help with GDPR compliance

Trust Center: Preparing for a new era in privacy regulation

Trust Center: Office 365 helps enable data privacy for GDPR compliance

On May 25th of this year, enforcement began on a European privacy law, the General Data Protection Regulation, better known as GDPR.

This law imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union, or that collect and analyze data tied to EU residents, regardless of where the organization is physically located.

GDPR is obviously a huge topic that we cannot adequately address in the time we have together, but we can at least get you started.

One essential step to meeting the GDPR obligations is discovering and controlling what personal data the organization holds and where it resides. Many Office 365 solutions can help you identify and manage access to personal data, including:

  • Data Loss Prevention,
  • Advanced Data Governance,
  • Office 365 eDiscovery, and
  • Customer Lockbox.

A second core requirement of the GDPR is protecting personal data against security threats. Current Office 365 features that safeguard data and identify when a data breach occurs include:

  • Advanced Threat Protection
  • Advanced Security Management, and
  • Office 365 Audit logs.

I’ve provided links in the transcript and resources guide to pages in the Microsoft Trust Center that address GDPR and what Microsoft is doing to safeguard individual privacy with the Microsoft Cloud.

Close

That’s all we have time for. Remember to send your feedback or success stories to [email protected]

I’m Jim Naroski, thanks for watching, and I’ll see you again soon!

May 2018 Office 365 Updates

Information

YouTube

Each installment of the series is published on YouTube to the Office 365 Update Series Playlist (https://aka.ms/o365update-youtube) which is part of the Office Videos Channel (https://www.youtube.com/user/officevideos).

Blog

The companion blog at http://aka.ms/o365update-blog hosts this document and articles related to this video series.

Transcript

Introductory Comments

Welcome to the Office 365 update for May of 2018. In the next few minutes I’ll be giving you a quick rundown of the latest Office 365 updates, with the goal of helping you get the most out of the service.

Excel

Source: Office Blog: New in March—rich data types, intelligent search, and expanded datacenters

Excel Blog: Preview of Stocks and Geography, New Data Types in Excel

Excel Blog: Experience the newest set of features and fast performance in Excel for Mac Version 16

Insights in Excel

Every day, millions of Office 365 subscribers rely on Excel to perform complex analysis for their organizations’ data. For many, however, extracting key insights from a new data set can be time consuming and even a little intimidating.

Microsoft recently announced the preview of Insights in Excel, a new service that automatically highlights patterns in your data. When you have any cell highlighted in an Excel data table, simply click the Insights button from the Insert ribbon. Powered by machine learning, Insights quickly identify trends, outliers, and other useful visualizations, providing new perspectives on data.

In this example, Insights delivered over 30 suggested results that you can quickly scroll through.

When you find insights you like, just drop them into your workbook with one click. A new tab is created with PivotChart controls that enable you to further modify the chart if you need to.

New Data Types

Another new Excel feature, currently available only to Office Insiders, is support for new data types. These new data types are fundamentally different from the traditional cell contents, which hold values, formulas, and text labels. The first two new data types in preview are Stocks and Geography.

Say you have a list of countries; you can convert it to the new Geography data type by clicking on the command in the Data ribbon. Now the cell isn’t holding just the name of each country. It now contains a rich set of additional information behind the scenes. Clicking on the icon next to each item shows a data card displaying all the extra information in that cell.

Better yet, if you have the data in an Excel table, you can see a widget that lets you pull the additional data into a column of its own. In this case, I’ll add the population for each country.

Note that Excel didn’t just copy that data out of the cell. It actually created a formula for you. All the data available in this new data type is calculation enabled. This means that you can write your own formulas referencing any of the fields available in the new data type’s cell.

It’s not just States or Countries either. The new data types support things like postal codes, cities, as well as stocks, index funds, and other financial data. The Excel team plans to add more data types over time, including the ability to extend this capability to data unique to your organization. I’ll keep you posted in future updates. For now, I encourage you to read the March 29th Excel blog post I link to in the transcript and resources document available in the Office 365 Guy Blog. And remember, it’s only available to Office Insiders right now.

Excel for Mac

I know we have some passionate, and vocal, Excel for Mac enthusiasts in the audience. While Excel for Mac 2016 version 16.9.0 has been live since January, there have been several feature updates since then. An April 10th Excel Blog post covers eight Excel for Mac feature improvements, including the addition of more functions and charts; collaborative editing, more robust support for PivotTable Charts, and more. Be sure to check the blog post and continue to make your voice heard via the Excel virtual suggestion box at excel.uservoice.com.

Outlook

Source: HowTo Outlook: Outlook 2016 Update for May 2018

Office Support: Listen to your email messages

Prompt Before “Reply All”

Say you need to send an important or sensitive email to a colleague and you want to keep your manager informed. But for whatever reason, you don’t want the mail recipient to know you’re also sending it to your manager.

Enter the email bcc feature, which stands for blind carbon copy, a term actually borrowed from when we wrote business correspondence on typewriters, or heaven-forbid, by hand, using a copy medium called carbon paper.

Only the person who was “blind carbon copied” on the memo then, and on the email now, would know they received it.

“Replying All” to an email you are bcc’d on usually defeats the purpose of the bcc in the first place. Outlook’s new “Prompt before replying all” feature was designed to help ensure discretion when replying to emails when you’re a bcc recipient. If you’re on the bcc line and you click Reply All, Outlook will alert you with the message, “Your address was hidden when this message was sent. If you Reply All, everyone will know you received it.”

This helps ensure you don’t accidentally reveal that you received the original message unbeknownst to the other recipients, and perhaps more importantly, saves the sender from a potentially awkward conversation with the other recipients.

I’ve added a link to learn more about this new feature in the resource guide. And for the more inquisitive millennials in the audience who want to learn a little bit more about the fascinating history of carbon paper and all its uses, consider doing a search using your preferred web browser.

Read Emails Aloud

As voice-enabled virtual assistants like Cortana take on more and more tasks, the ability to listen to my emails rather than read them is a natural progression. Another new Outlook feature being rolled out to Office Insiders enables you to listen to your emails.

If you’re an Office Insider, you can enable this feature by clicking on File, then Options, then click on the Ease of Access section. Add a check to Show Read Aloud, and the option will appear on the Home ribbon.

Planner

Source: Planner Blog: View Planner tasks on your Outlook calendar

Office Support: View your tasks on a calendar

In the March update, I covered several Planner enhancements, including new Group and Filter options. I also mentioned that, coming soon, a new iCalendar format feed would enable you to quickly publish Planner tasks to your Outlook calendar.

I’m happy to announce that on April 11th, the Planner team released that feature and it couldn’t be simpler to set up. In Planner, go to My Tasks, click on the ellipses and then on “Add ‘My Tasks’ to Outlook calendar,” then click on the Add to Outlook link. Your Planner tasks will be visible on your Outlook calendar and you can easily toggle their visibility on and off.

This integration will ensure that you don’t miss any task deadlines. For additional details, read the Planner blog post I link to in the transcript and resources guide.

SharePoint Search

Source: Office Blog: New in March—rich data types, intelligent search, and expanded datacenters

Office Support: What’s new in search in SharePoint Online

Last September at Microsoft Ignite, we announced new search capabilities in SharePoint Online that enable the discovery of people, information, and expertise from across your organization. This personalized experience is now rolling out to all Office 365 subscribers.

Now, wherever you start your search in SharePoint or Office.com, you’ll see consistent, personalized results powered by the Microsoft Graph. The search results are arranged into sections: Sites, Files, People, and News.

You can expand the search results to see more information before opening the item, and you have the choice of opening the item or going to the location where the file is stored. That’s huge!

When you exit a search results page, you return to the page where you started your search. Try this new search capability today and I think you’ll find, as I did, how powerful and flexible it is.

Microsoft 365 Security & Compliance Center

Source: Office Blog: Security, Privacy and Compliance Blog: Introducing the Microsoft 365 Security and Compliance Center

Microsoft 365 brings together Office 365, Windows 10, and Enterprise Mobility + Security. The new Microsoft 365 Admin Center, which I covered last month, is a single place for admins to get started with Microsoft 365 and discover the breadth of management capabilities and experiences available.

In early April, Microsoft rolled out the first of two key components I mentioned last month: the Security & Compliance Center. It maintains the centralized experience, intelligence, and customization that Office 365 security and compliance center offers today. It gives data administrators, compliance officers, and security administrators robust security and compliance controls across Office 365, Enterprise Mobility + Security, and Windows, all in a single place.

Over the coming months, Microsoft will continue to add new capabilities to help admins deploy and manage security and compliance solutions, helping organizations optimize their resources.

For Microsoft 365 customers, the new admin experience will be available automatically, once rolled out to your tenant.

Microsoft Score

Source: Security, Privacy and Compliance Blog: Office 365 Secure Score is now Microsoft Secure Score

Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings, and then assigns a score. Many people think of it as a credit score for organizational security, except you can’t use Secure Score to get a loan.

Back in the February update video, I made this promise:

Coming soon, Microsoft will be introducing an industry average score in Secure Score. This will show how your score compares to other organizations that have designated the same industry.

That day has arrived, but first I have some important news regarding the service overall. A common piece of feedback Microsoft heard was that it is great for Office 365, but what about other Microsoft solutions? To address that feedback, on April 17th Microsoft announced that Office 365 Secure Score is now Microsoft Secure Score. Microsoft Secure Score builds on top of what was in Office 365 Secure Score and adds even more.

One new feature you will notice as soon as you log in is the new Microsoft score, which is made up of your Office 365 Secure Score and your Windows Secure Score. The Windows score comes from Windows Defender Advanced Threat Protection, or ATP, which provides information about the status of your antivirus, operating system security updates, firewall status, and other controls. To get the details of your Windows score, you can click on the “Windows Defender Security Center” link below your Windows score to go directly to the dashboard in Windows Defender ATP.

Beyond adding Windows to Secure Score, Microsoft Secure Score now supports Intune. This surfaces through the existing mobile device management controls.

Lastly, you’ll be able to compare your Secure Score against the scores of organizations in the same industry based on what industry you designate in the Service Assurance section of the Office 365 Security and Compliance Center.

To try out Microsoft Secure Score now you can go to securescore.microsoft.com and log in with your administrative credentials, or click on the Secure Score widget on the Office 365 Security and Compliance Center home page.

Close

That’s all we have time for. Remember, send your feedback or success stories to [email protected].

I’m Jim Naroski, thanks for watching, and I’ll see you again soon!

Free ThreeWill Webinars for 2017

Danny serves as Vice President of Marketing at ThreeWill. His primary responsibilities are to make sure that we are building partnerships with the right clients and getting out the message about how we can help clients.

We’re excited to announce our Webinar Schedule for 2017 (all times in EST)…

  1. Moving from SharePoint Online Dedicated to Multi-Tenant – 1/26/17 @ 1:00pm – Listen Now
  2. Migrating from Jive to Office 365 – 2/23/17 @ 1:00pm – Listen Now
  3. Complex SharePoint Online/2016 Migrations – 3/30/17 @ 1:00pm – Listen Now
  4. Creating Award-Winning SharePoint Intranets – 4/27/17 @ 1:00pm – Watch Now
  5. Find Anything in SharePoint with Amazon-Like Faceted Search – 6/29/17 @ 1:00pm – Watch Now
  6. Budgeting for 2018 SharePoint Initiatives – 10/26/17 @ 1:00pm – Register
  7. Successful SharePoint Farm Assessments – 11/30/17 @ 1:00pm – Register

The schedule is subject to change (especially if presenters get overloaded on projects). Let us know in the comments if you have other topics that you would like us to cover.

Sign up below to get notified about upcoming events or follow us on twitter.


SharePoint is a web application platform in the Microsoft Office server suite. Launched in 2001, SharePoint combines various functions which are traditionally separate applications: intranet, extranet, content management, document management, personal cloud, enterprise social networking, enterprise search, business intelligence, workflow management, web content management, and an enterprise application store. SharePoint servers have traditionally been deployed for internal use in mid-size businesses and large departments alongside Microsoft Exchange, Skype for Business, and Office Web Apps; but Microsoft’s ‘Office 365’ software as a service offering (which includes a version of SharePoint) has led to increased usage of SharePoint in smaller organizations.

While Office 365 provides SharePoint as a service, installing SharePoint on premises typically requires multiple virtual machines, at least two separate physical servers, and is a somewhat significant installation and configuration effort. The software is based on an n-tier service oriented architecture. Enterprise application software (for example, email servers, ERP, BI and CRM products) often either requires or integrates with elements of SharePoint. As an application platform, SharePoint provides central management, governance, and security controls. The SharePoint platform manages Internet Information Services (IIS) via form-based management tooling.

Since the release of SharePoint 2013, Microsoft’s primary channel for distribution of SharePoint has been Office 365, where the product is continuously being upgraded. New versions are released every few years, and represent a supported snapshot of the cloud software. Microsoft currently has three tiers of pricing for SharePoint 2013, including a free version (whose future is currently uncertain). SharePoint 2013 is also resold through a cloud model by many third-party vendors. The next on-premises release is SharePoint 2016, expected to have increased hybrid cloud integration.

Office 365 is the brand name used by Microsoft for a group of software plus services subscriptions that provides productivity software and related services to its subscribers. For consumers, the service allows the use of Microsoft Office apps on Windows and OS X, provides storage space on Microsoft’s cloud storage service OneDrive, and grants 60 Skype minutes per month. For business and enterprise users, Office 365 offers plans including e-mail and social networking services through hosted versions of Exchange Server, Skype for Business Server, SharePoint and Office Online, integration with Yammer, as well as access to the Office software.

After a beta test that began in October 2010, Office 365 was launched on June 28, 2011, as a successor to Microsoft Business Productivity Online Suite (MSBPOS), originally aimed at corporate users. With the release of Microsoft Office 2013, Office 365 was expanded to include new plans aimed at different types of businesses, along with new plans aimed at general consumers wanting to use the Office desktop software on a subscription basis—with an emphasis on the rolling release model.

Reset a SharePoint 2013 Service Account Password

Caroline Sosebee is a Software Engineer at ThreeWill. She comes to us with 20+ years of software development experience and a broad scope of general IT support skills.

Most companies these days have fairly strict password reset rules which can wreak havoc on a smoothly running SharePoint farm, if not planned for properly. Here are the steps to take in order to get the password for a SharePoint service account reset cleanly.

  1. Active Directory – Change the password for the appropriate service account.
  2. IIS (Internet Information Services) – Update the password for each Application Pool that is using the account. The password is buried within Advanced Settings, under the ‘Identity’ field. Click on the ellipsis and then the ‘Set …’ button to enter the new password.
  3. Services – Open Services on the appropriate server(s) and find all that use the specified service account (you can sort by the ‘Log On As’ column to find them all). Update each to use the new password (Properties / Log On tab) and then restart the service to make sure the password change is active.
  4. Scheduled Tasks – Open Task Scheduler on the appropriate server(s) and check for any jobs that use the service account, updating the password for each job.
  5. Central Administration – Go into Security / General Security, click on the ‘Configure managed accounts’ link. Find the account to update and click the Edit link to reset the password.
  6. Central Administration – Go into General Application Settings / Search, click on the ‘Farm Search Administration’ link. Click on the ‘Search Service Application’ link to bring up the Search Administration screen. Check the account being used for the ‘Default content access account’. Verify that it is using the service account being updated, click on the name and enter the new password, then click OK.

That should do it for resetting a service account password being used by SharePoint.
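One way to script steps 2 through 6 of this list in PowerShell, as an added example that is not from the original post. It assumes a placeholder account CONTOSO\sp_service whose password has already been changed in Active Directory (step 1), that it runs in an elevated SharePoint 2013 Management Shell on every server that hosts application pools, services or scheduled tasks for that account, and Windows Server 2012 or later for the ScheduledTasks module. The function name Update-SPServiceAccountPassword is an invention of this example; every cmdlet it calls is a standard IIS, CIM, Task Scheduler or SharePoint cmdlet.

```powershell
# Added example, not part of the original post: automates steps 2-6 of the
# procedure above on one farm server. Placeholders: the account CONTOSO\sp_service
# and the prompted password. The password must ALREADY be changed in AD (step 1).

Import-Module WebAdministration                               # provides the IIS:\ drive
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Update-SPServiceAccountPassword {
    param(
        [Parameter(Mandatory)][string]$Account,               # DOMAIN\name
        [Parameter(Mandatory)][securestring]$Password
    )

    # IIS, services and Task Scheduler all need the plain-text password.
    # Decode it once, keep it in one variable, and wipe it in 'finally'.
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)

        # Step 2: every application pool whose identity is the account
        Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.userName -eq $Account } |
            ForEach-Object {
                Write-Host "App pool: $($_.Name)"
                Set-ItemProperty "IIS:\AppPools\$($_.Name)" -Name processModel `
                    -Value @{ identityType = 'SpecificUser'; userName = $Account; password = $plain }
                Restart-WebAppPool -Name $_.Name
            }

        # Step 3: Windows services whose 'Log On As' is the account
        # (WQL needs the backslash in DOMAIN\name doubled)
        $filter = "StartName='$($Account.Replace('\', '\\'))'"
        foreach ($svc in Get-CimInstance Win32_Service -Filter $filter) {
            Write-Host "Service: $($svc.Name)"
            $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
                -Arguments @{ StartName = $Account; StartPassword = $plain }
            if ($result.ReturnValue -ne 0) {
                throw "Win32_Service.Change failed for $($svc.Name) (code $($result.ReturnValue))"
            }
            # restart so the new credential is actually picked up
            if ($svc.State -eq 'Running') { Restart-Service -Name $svc.Name -Force }
        }

        # Step 4: scheduled tasks that run as the account (UserId may be
        # stored with or without the domain prefix)
        $sam = $Account.Split('\')[-1]
        Get-ScheduledTask |
            Where-Object { $_.Principal.UserId -in @($Account, $sam) } |
            ForEach-Object {
                Write-Host "Task: $($_.TaskPath)$($_.TaskName)"
                Set-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath `
                    -User $Account -Password $plain | Out-Null
            }
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr)
        $plain = $null
    }

    # Step 5: tell the farm the managed account's password already changed in AD
    Set-SPManagedAccount -Identity $Account -ExistingPassword $Password `
        -UseExistingPassword -Confirm:$false

    # Step 6: the default content access (crawl) account, only where it matches
    Get-SPEnterpriseSearchServiceApplication |
        Where-Object { $_.DefaultGatheringAccount -eq $Account } |
        ForEach-Object {
            Write-Host "Search crawl account on: $($_.Name)"
            $_ | Set-SPEnterpriseSearchServiceApplication `
                -DefaultContentAccessAccountName $Account `
                -DefaultContentAccessAccountPassword $Password
        }
}

# Placeholder account; the password is prompted for, never stored in the script.
$pw = Read-Host -AsSecureString -Prompt 'New password for CONTOSO\sp_service'
Update-SPServiceAccountPassword -Account 'CONTOSO\sp_service' -Password $pw
```

Steps 2 to 4 are per-server, so run the script on each farm server; steps 5 and 6 are farm-wide and only need to succeed once. Each step prints what it touched, which doubles as the inventory check the post describes (sorting by ‘Log On As’), and the plain-text password lives only inside the try block.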

Authenticating SharePoint with Azure Access Control Service (ACS)

Lane is a Senior Software Engineer for ThreeWill. He is a strong technology expert with a focus on programming, network and hardware design, and requirements and capacity planning. He has an exceptional combination of technical and communication skills.

The Situation

We recently had a customer who had some specific requirements regarding an extranet they wanted to create with SharePoint. They wanted external users to be able to access their SharePoint site without having to maintain external user accounts, internal users to be able to access SharePoint with BYOD phones and tablets, and internal domain-joined devices to maintain the Integrated Authentication experience. SharePoint Online/Office 365 might have been a good fit, but it wasn’t an option for them. Our customer’s customers were spread far and wide with little to no IT support, so ADFS federation wasn’t an option either. Anyone who has ever set up an extranet with SharePoint knows that we can use Forms authentication for some of this, but running a mixed mode authentication strategy has enough minor annoyances to make it less than ideal, and the requirement that the customer did not want to have to maintain external user accounts (namely passwords) pretty much negated Forms auth (and also using a pure Active Directory solution).

With Forms auth pretty much eliminated we started looking at alternatives. The customer mentioned that ideally what they would have liked is using the customer’s Live ID as the login. This brings me to a design element I haven’t mentioned yet: the customer’s SharePoint farm was to be run on VMs in Azure. While this had little to do with the ultimate implementation, it did lay some of the needed groundwork to make us wonder ‘what if?’ Since the customer had already set up Azure AD Sync with their local Active Directory and we knew Azure could provide SAML tokens for Live ID accounts, we looked at setting up a Claims-based SharePoint web app that would trust SAML tokens signed by Azure Access Control System (ACS). This solution would work just as well for a pure on-prem deployment, though.

The first thing we discovered is that while setting up Live ID authentication from ACS is pretty simple, it’s not very useful. The reason is best covered by this Jeremy Thake blog post, but to put it simply Live does not provide any meaningful means of translating “Lane Goolsby” to a Live account. This makes people pickers all but useless. Couple that with the requirement that internal users on domain-joined devices should maintain the Windows SSO experience – we decided to keep looking.

By this point we were starting to have a decent understanding of how Azure ACS worked. Specifically, we noticed that ACS can be configured as both an issuing party (IP) and a relying party (RP). In the SAML world that means (in theory) ACS could be configured to trust tokens signed by any SAML provider we wanted, such as ADFS. ADFS can be configured for Windows Integrated Auth, so that solves the domain-joined devices requirement. I also noticed that ACS can authenticate users that are from Live ID and users that were created in Azure AD directly (I have seen conflicting statements on this point, actually, but it worked with the use cases we cared about; your mileage may vary). Since ACS could authenticate Live ID accounts and Azure AD accounts and we could get ACS to trust tokens signed by ADFS, that means we could handle external users with Live IDs, Office 365 accounts (an added bonus), and internal users with a single Trusted Identity Provider in SharePoint.

So How Did We Do It?

First, you need to get Azure AD synchronized with your on-prem AD. There are a number of quality blog posts on this, and it's a rapidly changing technology area, so I won't walk you through it. This step is important because it is how Azure AD knows that a user whose UPN ends in "@customername.com" (a domain you have verified in the tenant) belongs to your organization rather than being an arbitrary Live ID.

Second, you need to get ACS to trust your ADFS instance. There are a couple of infrastructure steps that need to be performed in your organization before you can start this, though. The ADFS instance you are going to have ACS use needs to be publicly addressable and available over HTTPS, and it needs a certificate from a publicly trusted CA, since both ACS (if it pulls the federation metadata from the URL) and external users' browsers have to validate it. You will also need to create an Access Control namespace through the Azure management portal. It is possible to use plain HTTP for the SharePoint side of the relying party, but it is strongly discouraged: the SAML token posted back to SharePoint is a bearer token, so anything that can read it on the wire can replay it as that user.

With the infrastructure legwork done, it's time to configure ACS. Two identity providers need to be configured: one for Azure AD and one for ADFS. From the ACS management page go to "Identity Providers" and click Add. Select WS-Federation and click Next. On the "Add WS-Federation Identity Provider" page fill in these fields:

Azure

  • Display Name: Anything you want (e.g. Azure AD)
  • WS-Federation metadata: https://accounts.accesscontrol.windows.net/[your Azure AD name]/FederationMetadata/2007-06/FederationMetadata.xml (where [your Azure AD name] is something like customername.onmicrosoft.com; this was the Azure AD metadata endpoint at the time of writing, so check the current documentation if it no longer resolves)
  • Login link text: Something that would be meaningful to your users (they won’t see this in normal circumstances, though)

ADFS

  • Display Name: Anything you want (e.g. ADFS)
  • WS-Federation metadata: https://[your adfs server]/FederationMetadata/2007-06/FederationMetadata.xml
  • Login link text: Something that would be meaningful to your users (they won’t see this in normal circumstances, though)

Once the identity providers are configured in ACS, it's time to configure the relying party. This needs to be done for each web application in SharePoint that will be consuming tokens from ACS. From the ACS management page, click on 'Relying party applications', then click Add. Fill in the following values:

  • Name: Anything you want (e.g. ‘SharePoint’ or ‘Extranet RP’)
  • Realm: A URI string (e.g. ‘https://extranet.com’ or ‘urn:sharepoint:extranet’)
  • Return URL: https://[your SharePoint URL]/_trust/
  • Token format: SAML 1.1 (the only token format SharePoint 2010 and 2013 trusted identity token issuers accept)
  • Token lifetime (secs): 6000. Do not leave the ACS default of 600: SharePoint will not accept a token whose lifetime is shorter than its own LogonTokenCacheExpirationWindow (10 minutes by default), and the symptom is an endless redirect loop back to the sign-in page rather than an error.
  • Identity providers: ensure both IP’s created previously are selected

The final ACS step is to decide which certificate ACS will use to sign tokens for this relying party. In short, you have two choices: a certificate you supply (in this case, "self-signed" means signed by an internal certificate authority such as Active Directory Certificate Services, not one created with makecert.exe) or the one that comes with the ACS namespace. Either way, SharePoint needs the public key of whichever certificate signs the tokens. If you want to go with the certificate that comes with ACS, Steve Peschka has a tool on his blog for getting the cert. Alternatively, the namespace publishes its signing certificate in its own federation metadata (https://[principal name].accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml, in the KeyDescriptor element with use="signing"), which saves the tricks with tools like Fiddler that are otherwise needed to grab the public key string.

Third, a service principal needs to be created in Azure AD for the ACS namespace. This is what lets Azure AD issue tokens to ACS when a user signs in through the Azure AD identity provider; skip it and that half of the trust never works. The following commands need to be run on a machine with the Azure AD PowerShell module installed, as an administrator of the tenant.

# Load the module that provides the New-MsolServicePrincipal* cmdlets, then sign in to the tenant
Import-Module MSOnlineExtended -Force

Connect-MsolService

# The ACS namespace URL serves as both the reply address and the service principal name
$replyUrl = New-MsolServicePrincipalAddresses -Address "https://[principal name].accesscontrol.windows.net/"

New-MsolServicePrincipal -ServicePrincipalNames @("https://[principal name].accesscontrol.windows.net/") -DisplayName "[principal name] Namespace" -Addresses $replyUrl

Finally, it is time to set up SharePoint to use ACS. This means running a couple of PowerShell commands to configure claims mappings and then telling SharePoint that we trust tokens signed by ACS. I have basic examples below, but DO NOT RECOMMEND USING THEM blindly. Each environment is going to be different, and frankly, this isn't something that should be done without understanding it. In fact, if memory serves, these won't work the first time, because we had to edit the rule groups in ACS to pass the email address through as a UPN claim. You will need to examine your ADFS instance to see what claims it provides, what claims ACS will give you, which one you want to use as the identifier, and so on. Tools like SAML Tracer for Firefox (and your favorite search engine) make this easier.

These commands map the UPN claim from ACS as the identifier claim for SharePoint. The identifier claim must be unique and stable per user, because SharePoint keys permissions on its value: if a user ever shows up with a different UPN, SharePoint sees a brand-new principal with none of the old permissions. After running these commands you will see an option in SharePoint when creating or editing a web application for the "ACS IdP" claims provider. When creating a new web app, select only the trusted identity provider option (in other words, uncheck the Windows/NTLM authentication option). If the signing certificate was issued by an internal CA rather than being self-signed, also register the issuing chain with New-SPTrustedRootAuthority; SharePoint validates token signatures against its own trust store, not the Windows certificate store.

# Public key of the ACS signing certificate, exported as a .cer (no private key needed)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Temp\ACSSigningCert.cer")

# Pass the incoming UPN claim through unchanged; it becomes the identifier claim below
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

# Must match the Realm configured on the ACS relying party exactly (it is sent as wtrealm)
$realm = "[The realm defined in ACS]"

$ap = New-SPTrustedIdentityTokenIssuer -Name "ACS IdP" -Description "Azure ACS Identity Provider" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map -SignInUrl "https://[principal name].accesscontrol.windows.net:443/v2/wsfederation" -IdentifierClaim "http://schemas.microsoft.com/ws/2005/05/identity/claims/upn"
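Two of the manual steps above, getting the ACS signing certificate without Fiddler and checking which claim types the identity provider really offers before you pick an identifier claim, can both be done from the federation metadata document itself. The script below is an added example written for this post; it is not code from the original article, from Microsoft or from Steve Peschka's tool. The metadata URL pattern, the export path and the embedded sample metadata are assumptions, and the sample's certificate value is a placeholder string rather than a real certificate, so run it against a live namespace or ADFS server before relying on the exported .cer.

```powershell
# Added example (not from the original post): read a WS-Federation metadata
# document (ACS namespace or ADFS), list the claim types it offers, and export
# every token-signing certificate under the SHA-1 thumbprint Windows displays.
# Assumption: the metadata URL pattern in the comment at the bottom is the one
# ACS namespaces published; the sample document below is constructed.

Set-StrictMode -Version Latest

function Get-WsFedMetadataInfo {
    param(
        [Parameter(Mandatory)][xml]$Metadata,   # parsed FederationMetadata.xml
        [string]$ExportDir                       # optional: write <thumbprint>.cer files here
    )
    $ns = @{
        md   = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds   = 'http://www.w3.org/2000/09/xmldsig#'
        fed  = 'http://docs.oasis-open.org/wsfed/federation/200706'
        auth = 'http://docs.oasis-open.org/wsfed/authorization/200706'
    }

    # Claim types the IdP says it can issue (fed:ClaimTypesOffered/auth:ClaimType@Uri)
    $claims = Select-Xml -Xml $Metadata -Namespace $ns -XPath '//fed:ClaimTypesOffered/auth:ClaimType' |
        ForEach-Object { $_.Node.GetAttribute('Uri') }

    # Signing keys live under KeyDescriptor[@use='signing']; encryption keys are ignored
    $certs = Select-Xml -Xml $Metadata -Namespace $ns `
        -XPath "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
        ForEach-Object {
            $der = [Convert]::FromBase64String(($_.Node.InnerText -replace '\s', ''))
            # The certificate "Thumbprint" Windows shows is SHA-1 over the DER bytes
            $sha1  = [System.Security.Cryptography.SHA1]::Create()
            $thumb = ($sha1.ComputeHash($der) | ForEach-Object { $_.ToString('X2') }) -join ''
            if ($ExportDir) {
                New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
                [IO.File]::WriteAllBytes((Join-Path $ExportDir "$thumb.cer"), $der)
            }
            [pscustomobject]@{ Thumbprint = $thumb; DerLength = $der.Length }
        }

    [pscustomobject]@{
        EntityId      = $Metadata.EntityDescriptor.entityID
        ClaimsOffered = @($claims)
        SigningCerts  = @($certs)
    }
}

function Test-IdentifierClaim {
    # Fail loudly if the claim you intend to use as SharePoint's identifier claim
    # is not advertised; an ACS rule group (pass-through or transform) is the usual fix.
    param([Parameter(Mandatory)]$Info, [Parameter(Mandatory)][string]$ClaimUri)
    if ($Info.ClaimsOffered -notcontains $ClaimUri) {
        throw "Identity provider $($Info.EntityId) does not offer $ClaimUri; add a rule before trusting it"
    }
    $true
}

# --- Constructed sample metadata (placeholder certificate bytes, not a real certificate) ---
$sampleXml = [xml]@'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://example.accesscontrol.windows.net/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>cGxhY2Vob2xkZXItbm90LWEtcmVhbC1jZXJ0</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesOffered xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true"/>
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2005/05/identity/claims/upn" Optional="true"/>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
</EntityDescriptor>
'@

$info = Get-WsFedMetadataInfo -Metadata $sampleXml
$info.SigningCerts | Format-Table -AutoSize
Test-IdentifierClaim -Info $info -ClaimUri 'http://schemas.microsoft.com/ws/2005/05/identity/claims/upn'

# Against a live namespace (assumed URL pattern; ADFS publishes the same path):
# $live = [xml](Invoke-WebRequest -UseBasicParsing 'https://[principal name].accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml').Content
# Get-WsFedMetadataInfo -Metadata $live -ExportDir 'C:\Temp\acs-certs'
```

Point New-SPTrustedIdentityTokenIssuer at the exported .cer and compare the thumbprint it reports with the one shown on the ACS certificates page. Signing certificates expire, and ADFS rolls its token-signing certificate over automatically by default, so rerun this whenever sign-ins start failing signature validation: SharePoint has no metadata refresh of its own and will keep trusting only the certificate you imported.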

If you have any questions feel free ask them in the comments section below.

Lane Goolsby, "Authenticating SharePoint with Azure Access Control Service (ACS)"

Free Office 365 / Azure / Salesforce / SharePoint Webinars for 2015

Danny serves as Vice President of Marketing at ThreeWill. His primary responsibilities are to make sure that we are building partnerships with the right clients and getting out the message about how we can help clients.

We’re excited to announce our Webinar Schedule for 2015 (all times in EST)…

  1. OneDrive for Business – Tommy Ryan – 1/23/15 @ 1:00pm – Registration – https://attendee.gotowebinar.com/register/6546469505055148801
  2. Migrating to Office 365 – Chris Edwards – 4/17/15 @ 1:00pm – https://attendee.gotowebinar.com/register/8454863250773402114
  3. Moving from Full Trust Code to the New Cloud App Model – Pete Skelly – 5/22/15 @ 1:00pm – https://attendee.gotowebinar.com/register/6134409931049990657
  4. Get Up To Date on Microsoft’s BI Offering – Bo George – 6/26/15 @ 1:00pm – https://attendee.gotowebinar.com/register/8891692623419306753
  5. Integrating Office 365 and Salesforce – Eric Bowden – 7/17/15 @ 1:00pm – https://attendee.gotowebinar.com/register/2558996029615612417
  6. Getting Started with Salesforce Development – Tim Coalson – 8/21/15 @ 1:00pm – https://attendee.gotowebinar.com/register/4631765663484917249
  7. Moving from Office 365 Dedicated to Multi-Tenant – Kirk Liemohn – 9/25/15 @ 1:00pm – https://attendee.gotowebinar.com/register/3796349032119339521
  8. Integrating Visual Studio Online and Office 365 – Lane Goolsby – 12/11/15 @ 1:00pm – https://attendee.gotowebinar.com/register/5900541608798828801

The schedule is subject to change (especially if presenters get overloaded on projects). Let us know in the comments if you have other topics that you would like us to cover.

Sign up below to get notified about upcoming events or follow us on twitter.


SharePoint is a web application platform in the Microsoft Office server suite. Launched in 2001, SharePoint combines various functions which are traditionally separate applications: intranet, extranet, content management, document management, personal cloud, enterprise social networking, enterprise search, business intelligence, workflow management, web content management, and an enterprise application store. SharePoint servers have traditionally been deployed for internal use in mid-size businesses and large departments alongside Microsoft Exchange, Skype for Business, and Office Web Apps; but Microsoft’s ‘Office 365’ software as a service offering (which includes a version of SharePoint) has led to increased usage of SharePoint in smaller organizations.

While Office 365 provides SharePoint as a service, installing SharePoint on premises typically requires multiple virtual machines, at least two separate physical servers, and is a somewhat significant installation and configuration effort. The software is based on an n-tier service oriented architecture. Enterprise application software (for example, email servers, ERP, BI and CRM products) often either requires or integrates with elements of SharePoint. As an application platform, SharePoint provides central management, governance, and security controls. The SharePoint platform manages Internet Information Services (IIS) via form-based management tooling.

Since the release of SharePoint 2013, Microsoft’s primary channel for distribution of SharePoint has been Office 365, where the product is continuously being upgraded. New versions are released every few years, and represent a supported snapshot of the cloud software. Microsoft currently has three tiers of pricing for SharePoint 2013, including a free version (whose future is currently uncertain). SharePoint 2013 is also resold through a cloud model by many third-party vendors. The next on-premises release is SharePoint 2016, expected to have increased hybrid cloud integration.

Office 365 is the brand name used by Microsoft for a group of software plus services subscriptions that provides productivity software and related services to its subscribers. For consumers, the service allows the use of Microsoft Office apps on Windows and OS X, provides storage space on Microsoft’s cloud storage service OneDrive, and grants 60 Skype minutes per month. For business and enterprise users, Office 365 offers plans including e-mail and social networking services through hosted versions of Exchange Server, Skype for Business Server, SharePoint and Office Online, integration with Yammer, as well as access to the Office software.

After a beta test that began in October 2010, Office 365 was launched on June 28, 2011, as a successor to Microsoft Business Productivity Online Suite (MSBPOS), originally aimed at corporate users. With the release of Microsoft Office 2013, Office 365 was expanded to include new plans aimed at different types of businesses, along with new plans aimed at general consumers wanting to use the Office desktop software on a subscription basis—with an emphasis on the rolling release model.

Danny Ryan, "Free Office 365 / Azure / Salesforce / SharePoint Webinars for 2015"

Do You See SharePoint As Half Full Or Half Empty?

Tim is a Senior Consultant at ThreeWill. He has 15 years of consulting experience designing and developing browser-based solutions using Microsoft technologies. Experience over the last 8 years has focused on the design and implementation of SharePoint Intranets, Extranets and Public Sites.

As a SharePoint Consultant who has consulted at many different companies small and large, I have often experienced negative initial reactions when mentioning SharePoint.

The reasons have ranged from things like “SharePoint is slow” to other things like the “SharePoint navigation is confusing”. And I have to admit, there have been times I have used SharePoint sites that were both slow and confusing. The good news is that both of these can be improved so that they do not need to become a roadblock to using an otherwise useful product. But beyond merely removing these barriers, the good news is that there are many features that SharePoint provides that many users have never come to understand and appreciate and my goal is to help raise awareness of these features.

What I have learned over time is that most users’ concept of SharePoint is that it is simply a document repository…

They see it as "a place my boss forces me to put my files that takes more time and effort than storing them locally or putting them on a file share". SharePoint is generally a product that has been introduced to the organization by the IT department for work teams to collaborate, usually with little or no SharePoint training provided. And while storing documents is certainly a valid use of SharePoint, there is so much more capability than most users realize or have been given the rights to leverage in their work group or department.

On occasion, I have the opportunity to sit down with motivated employees who like to learn and I describe to them some of the features within SharePoint that I think will interest them.

Most users are surprised to hear about these capabilities and are eager to figure out how they can begin to use them.

My goal in this blog series is to share a few of what I consider to be the most underutilized features of SharePoint that can be leveraged for both personal productivity and business process improvements.

These underutilized features include:

  • Custom Lists
  • Notifications and Workflow
  • Security

After discussing these features individually, I’ll conclude with a discussion of how these features can be combined together to create Business Applications that can help support and automate some of your current business processes.

And before you assume that you need a developer or technical person to take advantage of these features, know that all of these are available to end-users of SharePoint and are configurable through the SharePoint UI or through SharePoint Designer.

Stay tuned. I look forward to sharing more about these underutilized features with you and hearing from you about any questions or comments on these topics.

By the way…


We thought you would enjoy this take on how different people see the half full/empty glass (source)…

The optimist says the glass is half full.

The pessimist says the glass is half empty.

The project manager says the glass is twice as big as it needs to be.

The professional trainer does not care if the glass is half full or half empty, he just knows that starting the discussion will give him ten minutes to figure out why his powerpoint presentation is not working (@jbutweets – thought you would enjoy this one!)

The consultant says let’s examine the question, prepare a strategy for an answer, and all for a daily rate of…

The engineer says the glass is over-designed for the quantity of water.

The computer programmer says the glass is full-empty.

Tim Coalson, "Do You See SharePoint As Half Full Or Half Empty?"

Publishing SharePoint using Kerberos Delegation

Lane is a Senior Software Engineer for ThreeWill. He is a strong technology expert with a focus on programming, network and hardware design, and requirements and capacity planning. He has an exceptional combination of technical and communication skills.

Intro

We recently wrapped up an engagement with a customer who wanted to publish SharePoint BI features, such as SSRS and PerformancePoint, through their firewall to their customers. These reports and dashboards would be pulling data from SSAS cubes. One of the key requirements was that the cube data be security trimmed based on the logged-in user. This meant passing the credentials of the end user all the way to the SSAS cubes. To make it more complex, their customers would be coming in from external computers that were not part of the domain and would be logging into SharePoint using a login form.

Options, options…

Given the requirements, we knew we had to use either Kerberos or Claims for authentication, since NTLM cannot make the double hop (the web front end never holds anything it could forward to SSRS, let alone SSAS). Forms authentication was an option, but would require custom code to get SSAS to recognize the user's ID and would have gotten complicated quickly. Claims might have worked, but SSAS 2008 R2 isn't claims aware, so we would have been back to code to convert the claims token into a usable Windows token for SSAS, the same way we would have for Forms.

Kerberos to the rescue!

So that left only Kerberos, but how do you get a computer outside your firewall and not a member of your domain a Kerberos ticket? Luckily, Microsoft has included a feature in Internet Security and Acceleration (ISA) Server since ISA 2006 called Protocol Transition (note: ISA was rebranded Threat Management Gateway in 2010; TMG will be used from this point on instead of ISA). With Protocol Transition, TMG can take a forms login and turn it into a Kerberos session for communication to SharePoint (or Outlook Web Access, or anything else you wish to publish, for that matter). This is just what the doctor ordered, but those reading this probably already know that Kerberos can be tricky to set up, and there are a lot of moving pieces that need to be configured just right for it to work. This blog post will go over some of the gotchas we ran across and dispel a couple of misconceptions that seem prevalent on the web about TMG.

First Comes Planning

The first thing that needs to be done when planning for Kerberos is to figure out the service accounts that are to be used. For the sake of simplicity, I am going to keep the number of service accounts used to a minimum. You should read Microsoft’s documentation about service accounts carefully before you plan your accounts. You will need accounts for PerformancePoint, PowerPivot, Search, etc. The service accounts that apply to this post are as follows:

  • SPAppPool – SharePoint application pool account used for all web applications
  • SSRSAppPool – Service account that SSRS runs under
  • SQLUser – Service account used by SSAS

Also, we need to setup the servers that will constitute the farm. Again, to keep things simple I will keep the number of servers to a minimum:

  • SRV-SP – SharePoint web front end and application server
  • SRV-SSRS – SSRS server running in SharePoint integrated mode.
  • SRV-SSAS – SSAS server housing the cubes.
  • SRV-TMG – Threat Management Gateway server

The next step is to plan the DNS entries for the SharePoint sites. In this scenario, each customer will have its own vanity host created, so the DNS entries would look like http://customer1.threewill.com and http://customer2.threewill.com. This makes things much easier from a SharePoint security standpoint and provides a clear delineation for content. However, there is a finite number of web applications SharePoint can support. That number depends on hardware, traffic and several other factors, so only go this route if you plan on having a small number of published sites. When you create the DNS entries, make sure you choose Host (A) records: a CNAME can cause the client to build its SPN from the canonical name instead of the vanity name, and then the ticket request never matches what you registered.

Gotchas in the House

Once the DNS names have been decided on, the next step is to set up the Service Principal Names (SPNs). This is where we ran into our first gotcha. There are several blog posts, and even some articles from Microsoft, that say the external DNS names need to be different from the internal DNS names in order to create the SPNs. This is not true as long as all your SharePoint and SSRS application pools run under the same accounts, which means they need to be AD accounts and not local system accounts. So we create an SPN for the SharePoint application pool and an SPN for SSRS. To create the SPNs, log on to a computer running Windows 7 or Windows Server 2008 as a domain administrator, open a CMD prompt and run the following commands (setspn -S, available on the same operating systems, does the same thing but refuses to register an SPN that already exists elsewhere in the forest; a duplicate SPN breaks Kerberos for both accounts with no obvious error, so -S is the safer habit):

  • Setspn.exe -A HTTP/customer.threewill.com domain\SPAppPool
  • Setspn.exe -A HTTP/srv-ssrs.threewill.com domain\SSRSAppPool

Next, we need to tell Active Directory that the two app pool accounts can present credentials to the downstream services on behalf of the user. To do this, log on to a machine that has Active Directory Users and Computers installed and find the two service accounts. Double-click the SPAppPool account and open the Delegation tab. Select "Trust this user for delegation to specified services only" and "Use any authentication protocol" (the second option enables protocol transition, which is what lets a forms login be turned into a Kerberos ticket). This was another gotcha we ran into: unconstrained delegation ("Trust this user for delegation to any service") does not work with SharePoint-to-SSRS authentication, and constrained delegation is the least-privilege choice anyway, since it limits the account to impersonating users only against the SPNs you list. Click Add, then Users and Computers, and search for SSRSAppPool. In the list of services, click the SPN for SRV-SSRS and click OK. Next, double-click SSRSAppPool and perform the same steps, only this time search for SQLUser and choose the SPN for MSOLAPSvc.3 on SRV-SSAS. If MSOLAPSvc.3 does not appear you will need to set an SPN for it (many times SQL service accounts are set to create and maintain their own SPNs). The last of the Kerberos configuration is to perform the same steps again, this time on the computer account for SRV-TMG: because running TMG under an AD user account is not supported, the constrained delegation must be configured on the computer account. Add the HTTP SPN registered to SPAppPool.
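The SPN and delegation steps above, as an added example in PowerShell (the ActiveDirectory module from RSAT) rather than the setspn prompt and the Users and Computers dialogs; this is not code from the original post. The account, host and domain names are the illustrative ones the post uses, and the MSOLAPSvc.3 SPN is assumed to be registered against the SSAS server's FQDN.

```powershell
# Added example (not from the original post): register the SPNs, configure
# constrained delegation with protocol transition for each hop, then read the
# result back so the whole chain can be checked before TMG is touched.
# Assumptions: names from the post (threewill.com, SPAppPool, SSRSAppPool,
# SQLUser, SRV-SSAS, SRV-TMG); run as a domain admin with RSAT installed.

Import-Module ActiveDirectory

$domain = 'threewill.com'

# Each hop: which account delegates, whether it is a user or computer account,
# and the single downstream SPN it is allowed to present credentials to.
$chain = @(
    @{ Id = 'SRV-TMG$';    Kind = 'Computer'; To = "HTTP/customer.$domain" },
    @{ Id = 'SPAppPool';   Kind = 'User';     To = "HTTP/srv-ssrs.$domain" },
    @{ Id = 'SSRSAppPool'; Kind = 'User';     To = "MSOLAPSvc.3/SRV-SSAS.$domain" }
)

# 1. Register the HTTP SPNs. -S (rather than -A) refuses to create a duplicate;
#    a duplicate SPN silently breaks Kerberos for every account involved.
setspn -S "HTTP/customer.$domain" "$env:USERDOMAIN\SPAppPool"
setspn -S "HTTP/srv-ssrs.$domain" "$env:USERDOMAIN\SSRSAppPool"
# SSAS normally registers MSOLAPSvc.3/<host> itself; confirm before continuing.
setspn -L "$env:USERDOMAIN\SQLUser"

# 2. Constrained delegation with protocol transition. msDS-AllowedToDelegateTo
#    is the whitelist of target SPNs ("specified services only");
#    TrustedToAuthForDelegation is "use any authentication protocol", i.e. the
#    S4U2Self/S4U2Proxy path that TMG's forms-to-Kerberos transition relies on.
foreach ($hop in $chain) {
    if ($hop.Kind -eq 'Computer') {
        Set-ADComputer -Identity $hop.Id.TrimEnd('$') -Add @{ 'msDS-AllowedToDelegateTo' = $hop.To }
    } else {
        Set-ADUser -Identity $hop.Id -Add @{ 'msDS-AllowedToDelegateTo' = $hop.To }
    }
    Set-ADAccountControl -Identity $hop.Id -TrustedToAuthForDelegation $true
}

# 3. Read it back. Unconstrained = True would mean "delegate to any service",
#    which the post found does not work for the SSRS hop and which would let
#    the account impersonate users to every service in the domain.
function Get-DelegationReport {
    param([string[]]$Identities)
    $TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl bit: unconstrained
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl bit: protocol transition
    foreach ($id in $Identities) {
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$id)" `
            -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl', 'servicePrincipalName'
        $uac = [int]$obj.userAccountControl
        [pscustomobject]@{
            Account       = $id
            Constrained   = @($obj.'msDS-AllowedToDelegateTo')
            Unconstrained = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
            ProtocolTrans = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
            SPNs          = @($obj.servicePrincipalName)
        }
    }
}

Get-DelegationReport -Identities $chain.Id | Format-List
```

Keep the report from step 3 with the change record: when the inevitable "Kerberos stopped working" ticket arrives, a diff of the three accounts' SPNs and delegation targets against this output finds a renamed host or a removed SPN far faster than re-reading the dialogs.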

Now that the SPN’s are setup and the service accounts have been allowed to send delegated credentials, it is time to create the web application in SharePoint and create the SSRS SharePoint Integrated instance if they haven’t been already. There are a number of excellent posts online on how to do this, so we will move on to TMG.

Open the TMG management console and right-click the Firewall Policy node. Choose New -> Web Site Publishing Rule or SharePoint Publishing Rule. From what I was able to gather, there is no difference between the two wizards except that the SharePoint rule has some verbiage about making sure Alternate Access Mappings are configured, which is not needed since our internal and external DNS names are the same. The wizard is pretty self-explanatory. The important settings are the internal server names, the public server names and the authentication delegation. Make sure the server names are the same as the DNS records created earlier for both internal and external names. For the authentication delegation, make sure Kerberos Constrained Delegation is selected and verify that the SPN displayed is the same as the one registered earlier. If you need to create a web listener, make sure the listener is set for HTML Form Authentication and not HTTP Authentication; the form is what lets a non-domain user type a username and password for TMG to transition into Kerberos. HTTPS on the external listener is not optional in practice: that form posts the user's domain password to TMG, and without TLS it crosses the Internet in the clear.

Key Links

Everything you need to know about configuring Kerberos with anything SharePoint – http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23176

Configuring PerformancePoint and TMG server for Constrained Delegation – http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23176

More To Come

Look for more follow up posts…leave comments to show Lane some love if he saved you some time…

Lane Goolsby, "Publishing SharePoint using Kerberos Delegation"

ThreeWill’s SharePoint Extranet

Tim is a Senior Consultant at ThreeWill. He has 15 years of consulting experience designing and developing browser-based solutions using Microsoft technologies. Experience over the last 8 years has focused on the design and implementation of SharePoint Intranets, Extranets and Public Sites.

Introduction

ThreeWill has been using SharePoint for our extranet since WSS v3 became available. I’d like to share some of the ways that we use our extranet to hopefully help you see areas where SharePoint can increase your productivity and communication with your clients or partners.

High Level Architecture

At ThreeWill, we maintain a separate site collection for each of our clients. At the root of the site collection is a customized client site where we store information about the client that is common across all projects. The information I use most at the client site level is the contact information that we gather for each person that we work with at the client. This includes their name, email and phone number.

Project Specific Sites

For each project that we engage in with the client, we create a separate project site. Project sites include areas for requirements, documentation, source code deliverables, issues, risks, calendars and discussions. The calendars and discussions are email-enabled so that we can include the project calendar and discussion with any meetings that are scheduled or any email correspondence that is shared among the team. This information can then be leveraged by those not directly included in the correspondence or other resources who join the project later and want to see what meetings or email correspondence have gone on prior to their joining the team. An issues list is maintained to track any issues that arise on the project. Issues can be assigned and various views of the issues list can be created including a “My Issues” list to track any issues assigned to you. Risks are also communicated and tracked through the issues list as well as mitigation and contingency plans.

Managing Successful Projects

With regards to requirements, ThreeWill leverages the Scrum methodology so we leverage SharePoint lists to capture appropriate information in places such as a Product Backlog, Sprint Backlog, Burndown Charts, etc. Clients are encouraged to capture new requirements in the Product Backlog so they can be reviewed at the beginning of each Sprint to be prioritized along with other features that have been captured for inclusion in the Sprint. Acceptance criteria for each Product Backlog is documented at the beginning of the Sprint and reviewed at the end of the Sprint to ensure that the backlog item has been implemented to the client’s satisfaction. Any documents that are handed over by the client to help clarify requirements or any documents produced by ThreeWill to validate requirements are captured in a document library located in the project site where ThreeWill and the Client can have secured access.

And Most Importantly, Security

With the release of WSS v3, forms-based authentication became possible. Prior to this release, all SharePoint users had to be given access through Active Directory which many IT Administrators opposed. With forms-based authentication, user credentials can be easily kept separate from company credentials as they are stored in a separate data store. In our case, we leverage a SQL data store and manage users using forms-based resources from the Community Kit for SharePoint that can be found in CodePlex. And with SharePoint 2010, both users authenticating with Active Directory (ThreeWill users) and users authenticating with forms-based authentication (Clients/Partners) use the same URL so sharing links among all users is no longer a challenge.

Conclusion

SharePoint extranets are a great way to leverage your existing investment in SharePoint to increase your communication and collaboration with clients.

Are you using SharePoint for your Extranet? Feel free to leave a comment with your experiences or contact us if you are interested in having us help you set up and configure your Extranet.

Tim Coalson, "ThreeWill's SharePoint Extranet"

Viewing Scopes

Kirk Liemohn is a Principal Software Engineer at ThreeWill. He has over 20 years of software development experience with most of that time spent in software consulting.

I learned something yesterday while trying to understand a client issue with MOSS search.

With the work we did with the SharePoint Connector for Confluence, we created functionality to let you search Confluence from SharePoint. A lot of this work used out of the box features with MOSS 2007 Enterprise Search. However, we did have to create custom configuration screens to allow the user to create a crawl rule that used forms based authentication (FBA). In addition, we needed to create a custom security trimmer because crawling web sites does not allow for the indexing of ACLs.

What I learned yesterday was something interesting with the security trimmer. I knew that custom security trimmers are executed when an end user performs a query as opposed to when the search engine crawls and indexes the content. What I didn’t know is that simply viewing scopes within the search administration interfaces will also execute the security trimmer.

Within your shared service provider (SSP), you can view the scopes as shown below:

In my test environment, I had only crawled the “TW Confluence” content source which had an associated “TW Confluence” scope as shown above. My total index had 104 items, but no items were showing up in the scopes. I was expecting to see counts for both “All Sites” and “TW Confluence”.

What was happening was that simply viewing this page invokes the security trimmer assigned to my crawl rule for all items in the index that map to the crawl rule. In the case of the SharePoint Connector for Confluence security trimmer, it needs to ask Confluence if the current user has access to each URL. Unfortunately, if the security trimmer is invoked from the shared service provider (as it is done in this case) it does not know how to connect to Confluence because that configuration is available within a typical site collection, not within a SSP.

Interestingly, there is also a way to view scopes from within a typical site collection:

As you can see here, we do have counts for our “All Sites” and “TW Confluence” scopes. Once again, our security trimmer is executed when viewing this page, but this time it is able to find configuration data on how to connect to Confluence. The count of 9 is much less than what is in the index because the current user does not have access to all of the URLs; access to them was denied by the custom security trimmer.

Note that the only way I knew for sure that the security trimmer runs in these cases is through some tracing capability we have had in the product for quite some time.

If you have more interest in learning more about the SharePoint Connector for Confluence, check out the links above or visit http://www.atlassian.com/en/software/confluence-sharepoint-connector. If you are in the Atlanta area and want to learn more about MOSS 2007 Enterprise Search, keep an eye on our Event Calendar for upcoming presentations.

Kirk Liemohn, "Viewing Scopes"

Anonymous Access Gotcha

Kirk Liemohn is a Principal Software Engineer at ThreeWill. He has over 20 years of software development experience with most of that time spent in software consulting.

It’s a simple problem with a simple solution, but sometimes the little things hit you when you are deploying from one environment to another and they can take a lot longer than you’d like. So, hopefully this is a reminder and saves some people some time…

Recently I wrote a couple of web services to be hosted within SharePoint. This problem wouldn’t only occur with web services, though. It could happen with web parts, application pages, site pages, event handlers, etc.

One of my web services did not access the SharePoint object model, but needed to know who the current user was, so it used the following within its code:

HttpContext.Current.User.Identity.Name;

Another web service did use the SharePoint object model and it used the following:

this.Context.User.Identity.Name
SPContext.Current.Web.CurrentUser.Groups

The code above worked beautifully in my development environment and two other test environments. When it came time to deploy to the test environment at the client, it didn't work. I was perplexed.

Based on the exception I had, I ascertained that CurrentUser was null in the code above and asked the testers if they were logged in – assuming anonymous access must have been enabled and that they were not logged in. Well, they were logged in, but anonymous access was enabled – and that was the difference in the environments that worked and didn’t work.

It turns out that the problem was that the SharePoint web application (and therefore IIS) allowed anonymous access and the client to the web service calls (in this case InfoPath Forms Services) had negotiated to send as little credentials as possible (none).

So, the first two code snippets resulted in a null or empty string and the last code snippet blew up because CurrentUser was null.

The solution was simple: in IIS, uncheck anonymous access on the asmx file or its containing folder so that the web service(s) require authentication.

Another option might be to modify the code to return a 401 Unauthorized to see if the negotiation would begin. I didn’t take it that far, but would love to hear from someone if they have tried this.
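What the two snippets above were missing is a check that the request actually carries an identity before anything dereferences it. The following is an added example (not code from the original post) of an ASMX method that fails closed: an unauthenticated request gets a 401 with a WWW-Authenticate header, which is the untried option mentioned above, and CurrentUser is null-checked before its Groups are read. The service class, method name and namespace are placeholders; whether a given client re-sends with credentials after the 401 is exactly the open question the post raises.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Services;
using Microsoft.SharePoint;

// Added example, not from the original post. Placeholder namespace.
[WebService(Namespace = "http://example.invalid/groupmembership")]
public class GroupMembershipService : WebService
{
    // True only when the request carries a usable, authenticated identity.
    // An anonymous request shows up here as a null or empty name, not as an exception.
    public static bool IsAuthenticated(IPrincipal principal)
    {
        return principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated
            && !string.IsNullOrEmpty(principal.Identity.Name);
    }

    [WebMethod]
    public string[] GetCurrentUserGroups()
    {
        if (!IsAuthenticated(this.Context.User))
        {
            // Anonymous request: answer 401 and offer Negotiate/NTLM so a client
            // that can authenticate gets the chance to retry with credentials,
            // instead of failing with a NullReferenceException from CurrentUser.
            HttpResponse response = this.Context.Response;
            response.Clear();
            response.StatusCode = 401;
            response.AppendHeader("WWW-Authenticate", "Negotiate");
            response.AppendHeader("WWW-Authenticate", "NTLM");
            this.Context.ApplicationInstance.CompleteRequest();
            return new string[0];
        }

        SPUser user = SPContext.Current.Web.CurrentUser;
        if (user == null)
        {
            // Authenticated at IIS but unknown to SharePoint: fail closed rather than
            // return data for a caller we cannot map to a site user.
            throw new InvalidOperationException("Authenticated caller is not a SharePoint user.");
        }

        List<string> groupNames = new List<string>();
        foreach (SPGroup group in user.Groups)
        {
            groupNames.Add(group.Name);
        }
        return groupNames.ToArray();
    }
}
```

The IIS change (unchecking anonymous access on the asmx) is still the simpler fix, because it stops the anonymous request before any code runs; the code-level check is the defence for the day someone re-enables anonymous access on the folder without telling you.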

Kirk Liemohn: Anonymous Access Gotcha

SharePoint List Security

Kirk Liemohn is a Principal Software Engineer at ThreeWill. He has over 20 years of software development experience with most of that time spent in software consulting.

Restricting what a user can see about other users on a public site can be important. One way to do this is to restrict access to the group membership list in SharePoint.

  • Log in to the site that you want to restrict access to and select People and Groups.

  • Go to Settings -> List Settings

  • General Settings -> Advanced Settings

  • For Item-Level Permissions, set Read access to only their own and Edit access to none. Leave Attachments at the default of Enabled, and for Search I would not allow items to appear in search results.

  • Now when a user tries to see other members of the site, this is the error they get.

  • Of course, Site administrators can still see the information, but I would think that is something you would want.
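The same settings can be applied and verified in code, which is useful when you have many sites to lock down or want to confirm nobody has relaxed them since. The block below is an added example, not code from the original post. It assumes that the People and Groups settings page edits the site user information list (SPWeb.SiteUserInfoList); the numeric values are those of the SPList.ReadSecurity and SPList.WriteSecurity properties, and NoCrawl is the "do not allow items to appear in search results" setting.

```csharp
using System;
using Microsoft.SharePoint;

// Added example, not from the original post.
public static class ListSecurity
{
    // SPList.ReadSecurity: 1 = users read all items, 2 = users read only their own items.
    public const int ReadOnlyOwnItems = 2;
    // SPList.WriteSecurity: 1 = edit all items, 2 = edit own items, 4 = edit no items.
    public const int WriteNone = 4;

    // Pure rule, separated from the object model so it can be reasoned about without a farm:
    // locked down means reads limited to own items, no edits, and excluded from search.
    public static bool IsLockedDown(int readSecurity, int writeSecurity, bool noCrawl)
    {
        return readSecurity == ReadOnlyOwnItems && writeSecurity == WriteNone && noCrawl;
    }

    public static bool IsLockedDown(SPList list)
    {
        return IsLockedDown(list.ReadSecurity, list.WriteSecurity, list.NoCrawl);
    }

    // Applies the settings from the steps above; attachments are left at their default.
    public static void LockDown(SPList list)
    {
        list.ReadSecurity = ReadOnlyOwnItems;
        list.WriteSecurity = WriteNone;
        list.NoCrawl = true;
        list.Update();
    }

    // Assumption: the People and Groups list is the web's site user information list.
    public static bool LockDownUserInfoList(string webUrl)
    {
        using (SPSite site = new SPSite(webUrl))
        using (SPWeb web = site.OpenWeb())
        {
            SPList userInfo = web.SiteUserInfoList;
            if (!IsLockedDown(userInfo))
            {
                LockDown(userInfo);
            }
            return IsLockedDown(userInfo);
        }
    }
}
```

Running LockDownUserInfoList over every site URL you publish gives you a repeatable check; site administrators still see everything, as the post notes, because item-level permissions do not apply to them.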

SharePoint is a web application platform in the Microsoft Office server suite. Launched in 2001, SharePoint combines various functions which are traditionally separate applications: intranet, extranet, content management, document management, personal cloud, enterprise social networking, enterprise search, business intelligence, workflow management, web content management, and an enterprise application store. SharePoint servers have traditionally been deployed for internal use in mid-size businesses and large departments alongside Microsoft Exchange, Skype for Business, and Office Web Apps; but Microsoft’s ‘Office 365’ software as a service offering (which includes a version of SharePoint) has led to increased usage of SharePoint in smaller organizations.

While Office 365 provides SharePoint as a service, installing SharePoint on premises typically requires multiple virtual machines, at least two separate physical servers, and is a somewhat significant installation and configuration effort. The software is based on an n-tier service oriented architecture. Enterprise application software (for example, email servers, ERP, BI and CRM products) often either requires or integrates with elements of SharePoint. As an application platform, SharePoint provides central management, governance, and security controls. The SharePoint platform manages Internet Information Services (IIS) via form-based management tooling.

Since the release of SharePoint 2013, Microsoft’s primary channel for distribution of SharePoint has been Office 365, where the product is continuously being upgraded. New versions are released every few years, and represent a supported snapshot of the cloud software. Microsoft currently has three tiers of pricing for SharePoint 2013, including a free version (whose future is currently uncertain). SharePoint 2013 is also resold through a cloud model by many third-party vendors. The next on-premises release is SharePoint 2016, expected to have increased hybrid cloud integration.

Office 365 is the brand name used by Microsoft for a group of software plus services subscriptions that provides productivity software and related services to its subscribers. For consumers, the service allows the use of Microsoft Office apps on Windows and OS X, provides storage space on Microsoft’s cloud storage service OneDrive, and grants 60 Skype minutes per month. For business and enterprise users, Office 365 offers plans including e-mail and social networking services through hosted versions of Exchange Server, Skype for Business Server, SharePoint and Office Online, integration with Yammer, as well as access to the Office software.

After a beta test that began in October 2010, Office 365 was launched on June 28, 2011, as a successor to Microsoft Business Productivity Online Suite (MSBPOS), originally aimed at corporate users. With the release of Microsoft Office 2013, Office 365 was expanded to include new plans aimed at different types of businesses, along with new plans aimed at general consumers wanting to use the Office desktop software on a subscription basis—with an emphasis on the rolling release model.

Kirk Liemohn: SharePoint List Security

Registering Security Trimmers

Kirk Liemohn is a Principal Software Engineer at ThreeWill. He has over 20 years of software development experience with most of that time spent in software consulting.

Background

When WSS and MOSS crawl content and store that content in an index, they can also store authorization information (ACLs) with the data. This makes it easy for a search query to return only results to which the search user has access. WSS search is limited to SharePoint sites, but MOSS search can go beyond that to web sites, file shares, Exchange public folders, the BDC, and others. While some content such as SharePoint sites, file shares, and Exchange public folders carries ACLs, other content such as web sites and the BDC does not.

The solution to trimming MOSS search results that do not contain ACLs is to use a security trimmer. A security trimmer is very simple; it takes a list of URLs and returns a BitArray indicating if the current user has access to each URL. A security trimmer runs at query time so there is a performance cost, but I’ve found that the story here isn’t too bad since the security trimmer gets called in batches based on the number of search results shown to the user on a page. Basically, if the ratio of allowed access to total possible results is high, the number of items to check for security trimming at a time should be kept to a minimum. In addition there is a way to specify a limit on the number of crawl URLs to check.

There is a BDC Security Trimmer, or you can write your own Custom Security Trimmer. That last link has a good overview and walk-through of how to write, deploy, and register a custom security trimmer. I recommend it for further reading. However, the walk-through only shows how to register a security trimmer using stsadm. It does not show how to do it via code. In fact, the stsadm command takes the crawl rule path as a parameter, which suggests that the security trimmer references the crawl rule; that is not the case (it is the other way around).

I needed to do this via code as part of a custom shared service provider administration screen. Since I had a little bit of trouble figuring this out and couldn’t find anyone else that did it, I wanted to blog about it here once I found the solution.

Show Me Some Code!

OK, enough background, let’s see some code on how to do this.

  • First, your code will need to reference Microsoft.Office.Server.Search.dll which can be found in the ISAPI folder under the 12 Hive for a MOSS install. In addition, all of my code below uses the following using statement.

using SearchAdmin = Microsoft.Office.Server.Search.Administration;

  • Now you can register your security trimmer. You will need the fully qualified type name for your security trimmer or access to it via code (as I have done below). In addition you need to specify the security trimmer id (an Int32 of any value of your choice assuming another security trimmer is not already registered with that value). If you don’t have the context of the shared service provider, you’ll have to do a little more work.

// Get the security trimmer manager
// Note: no need to call SetSearchContextToUse as it is determined implicitly through HttpContext
SearchAdmin.Security.PluggableSecurityTrimmerManager manager = SearchAdmin.Security.PluggableSecurityTrimmerManager.Instance;

// Register the security trimmer
// No need to provide any custom properties (must provide an empty NameValueCollection, from System.Collections.Specialized)
int securityTrimmerId = 1; // any Int32 not already used by another registered trimmer
string fullyQualifiedTypeName = typeof(MyCustomSecurityTrimmer).AssemblyQualifiedName;
manager.RegisterPluggableSecurityTrimmer(securityTrimmerId, fullyQualifiedTypeName, new NameValueCollection());

  • Then you will need to create or update your crawl rule to give it the security trimmer id. The code below shows creating a crawl rule. If you don’t have the context of the shared service provider, you’ll have to do a little more work.

// This page is in the context of the shared service provider, so this call should get our search context;
// otherwise we would need to use the ServerContext object instead and call SearchContext.GetContext(serverContext).
// Note that ServerContext is in the Microsoft.Office.Server namespace (Microsoft.Office.Server.dll)
SearchAdmin.SearchContext searchContext = SearchAdmin.SearchContext.Current;

// Get the content object which is needed for access to content sources and crawl rules
SearchAdmin.Content content = new SearchAdmin.Content(searchContext);

// Create crawl rule
SearchAdmin.CrawlRule crawlRule = content.CrawlRules.Create(SearchAdmin.CrawlRuleType.InclusionRule, rulePath);

// Set other crawl rule properties here…

// Set the security trimmer id (the same value used when registering the trimmer) and save the changes
crawlRule.PluggableSecurityTrimmerId = securityTrimmerId;
crawlRule.Update();

  • That’s it. Fairly simple, especially if you already have the appropriate context as my code does, since it runs within the context of the shared service provider.

As you can see, the crawl rule references the security trimmer id and the security trimmer does not reference the crawl rule.

Note that your security trimmer will not be in effect unless you crawl (probably a full crawl) after you register it, even though the security trimmer itself runs at query time.
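The post registers the trimmer but does not show one, so here is an added example of the trimmer side (my code, not the post's and not the MSDN walk-through's): the list-of-URLs-in, BitArray-out contract described in the Background section, written to fail closed. The access rule is a stand-in: the static property "AllowedPrefixes" maps Windows groups to URL prefixes ("DOMAIN\group=http://host/;..."), and "CheckLimit" caps how many URLs a single query may check across its result pages, which is my own implementation of the limit the post mentions. The ISecurityTrimmer and PluggableAccessCheckException names are from Microsoft.Office.Server.Search.Query; the assumption that the trimmer runs under the querying user's Windows identity is marked in the code.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security.Principal;
using Microsoft.Office.Server.Search.Administration;
using Microsoft.Office.Server.Search.Query;

// Added example, not from the original post. Register it with
// PluggableSecurityTrimmerManager as shown above, passing the two static properties.
public class PrefixSecurityTrimmer : ISecurityTrimmer
{
    private readonly Dictionary<string, List<string>> prefixesByGroup =
        new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
    private int checkLimit = 200;

    public void Initialize(NameValueCollection staticProperties, SearchContext searchContext)
    {
        string limit = staticProperties["CheckLimit"];
        if (!string.IsNullOrEmpty(limit)) checkLimit = int.Parse(limit);

        // "DOMAIN\finance=http://finance-portal/;DOMAIN\hr=http://hr-portal/" (constructed format)
        string allowed = staticProperties["AllowedPrefixes"] ?? string.Empty;
        foreach (string entry in allowed.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = entry.IndexOf('=');
            if (eq <= 0) continue; // a malformed entry grants nothing
            string group = entry.Substring(0, eq).Trim();
            string prefix = entry.Substring(eq + 1).Trim();
            List<string> prefixes;
            if (!prefixesByGroup.TryGetValue(group, out prefixes))
            {
                prefixes = new List<string>();
                prefixesByGroup[group] = prefixes;
            }
            prefixes.Add(prefix);
        }
    }

    public BitArray CheckAccess(IList<string> crawlUrls, IDictionary<string, object> sessionProperties)
    {
        // Called once per page of results for the same query: count across calls so a
        // single query cannot drive an unbounded number of access checks.
        int checkedSoFar = 0;
        object stored;
        if (sessionProperties.TryGetValue("CheckedSoFar", out stored)) checkedSoFar = (int)stored;
        checkedSoFar += crawlUrls.Count;
        sessionProperties["CheckedSoFar"] = checkedSoFar;
        if (checkedSoFar > checkLimit)
        {
            throw new PluggableAccessCheckException("Too many results to security-trim; refine the query.");
        }

        // Assumption: the query executes under the searching user's Windows identity.
        WindowsPrincipal user = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return Trim(crawlUrls, delegate(string group) { return user.IsInRole(group); }, prefixesByGroup);
    }

    // Pure trimming logic: default deny; a URL is shown only if the user is in a group
    // whose prefix list covers it, and any error while checking a URL hides that URL.
    public static BitArray Trim(IList<string> crawlUrls, Predicate<string> isInGroup,
                                IDictionary<string, List<string>> prefixesByGroup)
    {
        BitArray allowed = new BitArray(crawlUrls.Count, false);
        for (int i = 0; i < crawlUrls.Count; i++)
        {
            try
            {
                foreach (KeyValuePair<string, List<string>> entry in prefixesByGroup)
                {
                    if (allowed[i] || !isInGroup(entry.Key)) continue;
                    foreach (string prefix in entry.Value)
                    {
                        if (crawlUrls[i].StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                        {
                            allowed[i] = true;
                            break;
                        }
                    }
                }
            }
            catch (Exception)
            {
                allowed[i] = false; // fail closed: an unverifiable result is not shown
            }
        }
        return allowed;
    }
}
```

Keeping Trim separate from CheckAccess means the authorization rule can be unit tested with a fake group-membership predicate, without a search service, and the default-deny behaviour (an empty AllowedPrefixes hides everything the rule covers) is visible in one place.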

Kirk Liemohn: Registering Security Trimmers

SQL Server 2005 Reporting Services Add-in Primer

Tim is a Senior Consultant at ThreeWill. He has 15 years of consulting experience designing and developing browser-based solutions using Microsoft technologies. Experience over the last 8 years has focused on the design and implementation of SharePoint Intranets, Extranets and Public Sites.

The SQL Server 2005 Reporting Services Add-in provides the following functionality:

  • A Report Viewer Web Part, which provides report viewing capability, export to other rendering formats, page navigation, search, print, and zoom.
  • Web application pages so that you can create subscriptions and schedules, set model item security, and manage reports, models, and data sources.
  • Support for standard Windows SharePoint Services features including document management, collaboration, security, and deployment with report server content types. You can use alerts, versioning (check in/out), and Filter Web Parts with reports. You can add the Report Viewer Web Part to any page or dashboard on a SharePoint site and customize its appearance. You can use SharePoint permission levels and roles to control access to report server content. You can also use SharePoint forms authentication to support access over Internet connections.
  • Note: The add-in is for reporting on SQL data, not SharePoint data.

This walk-through makes a few assumptions about your setup environment.

  • Active Directory 2003 domain running in native mode
  • The SharePoint server is on a separate box from the Reporting server
  • The reporting server and the SQL server are on the same box
  • The SPAdmin account is the SharePoint administration account and is the local administrator on the SharePoint server and the SQL server
  • SPSQL account runs the sql services and reporting services
  • SPSites account runs the application pool for the SharePoint web site.
  • Your SharePoint Server is set to use Kerberos authentication

SetSPN

SetSPN (set spin) is used to configure Active Directory user and computer accounts for Kerberos delegation. Kerberos delegation is necessary if you are running Reporting Services on a different server than your SharePoint server. If user A hits a website on computer B, computer B can forward the authentication to computer C. There are two benefits to configuring Kerberos: first, Kerberos is a more secure protocol than NTLM; second, Kerberos is necessary to correctly configure Reporting Services.

  1. Login to domain controller
  2. Download the setspn.exe from http://www.microsoft.com/downloads/details.aspx?familyid=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&displaylang=en
  3. Run setspn_setup.exe and install tool, click next
  4. Agree to the EULA
  5. Accept the default path and click install now
  6. Click start -> Run and enter cmd
  7. From the command prompt navigate to C:\Program Files\Resource Kit. You will need to use setspn for the following three accounts: the SharePoint Service account (SPAdmin), the default site application pool account (SPSites) and the SQL Service account (SPSQL). Issue the following commands:
    1. setspn -A http/llqawss01 qalbapad\spadmin
    2. setspn -A http/llqawss01.qalbapad.qalocal qalbapad\spadmin
    3. setspn -A http/llqawss01 qalbapad\spsites
    4. setspn -A http/llqawss01.qalbapad.qalocal qalbapad\spsites
    5. setspn -A http/llqawss01 qalbapad\spsql
    6. setspn -A http/llqawss01.qalbapad.qalocal qalbapad\spsql
    7. setspn -A http/llqasql01 qalbapad\spadmin
    8. setspn -A http/llqasql01.qalbapad.qalocal qalbapad\spadmin
    9. setspn -A http/FQDN of server (www.ll.com) qalbapad\spsites
    10. setspn -A http/FQDN of server (www.ll.com) qalbapad\spadmin
    11. setspn -A http/FQDN of server (www.ll.com) qalbapad\spsql
      Notice that you need to run setspn for each name the computer may use: the NetBIOS name, the internal FQDN, and, if this machine uses another FQDN, that one as well. (To be honest this is probably overkill, but it will cover all your bases.)
  8. On the domain controller open Active Directory Users and Computers; we need to trust the computer accounts and service accounts for delegation
    1. Find the SQL server in Active Directory Users and Computers (ADUC), right click and go to Properties, click the Delegation tab, then select Trust this computer for delegation to any service (Kerberos only)
    2. Find the WSS server in ADUC, right click and go to Properties, click the Delegation tab, then select Trust this computer for delegation to any service (Kerberos only)
    3. Find the SharePoint Service account in ADUC, go to Properties, click the Delegation tab, then select Trust this user for delegation to any service (Kerberos only)
    4. Find the SharePoint Site (SPSites) account in ADUC, go to Properties, click the Delegation tab, then select Trust this user for delegation to any service (Kerberos only)
    5. Find the SQL Server Service (SPSQL) account in ADUC, go to Properties, click the Delegation tab, then select Trust this user for delegation to any service (Kerberos only)

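One check worth running after step 7: Kerberos requires each SPN to map to exactly one account. When the same SPN is registered to two or more accounts, the KDC cannot tell which account's key to use, ticket requests for that name fail, and clients silently fall back to NTLM, which defeats the delegation configured in step 8. The Resource Kit setspn -A does not warn about this, and commands 1, 3 and 5 above register http/llqawss01 to spadmin, spsites and spsql. The following is an added example (mine, not from the post) that reads the servicePrincipalName attribute of every user and computer in the domain and reports SPNs held by more than one account; the domain DN is taken from the post's own examples (qalbapad.qalocal) and should be changed for your forest.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not from the original post.
public static class SpnAudit
{
    // Pure logic: given (account, its SPNs) pairs, return the SPNs that more than one
    // account holds. SPN comparison is case-insensitive, as the KDC treats them.
    public static Dictionary<string, List<string>> FindDuplicates(
        IEnumerable<KeyValuePair<string, IEnumerable<string>>> accountSpns)
    {
        Dictionary<string, List<string>> holders =
            new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
        foreach (KeyValuePair<string, IEnumerable<string>> account in accountSpns)
        {
            foreach (string spn in account.Value)
            {
                List<string> list;
                if (!holders.TryGetValue(spn, out list))
                {
                    list = new List<string>();
                    holders[spn] = list;
                }
                if (!list.Contains(account.Key)) list.Add(account.Key);
            }
        }
        Dictionary<string, List<string>> duplicates =
            new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
        foreach (KeyValuePair<string, List<string>> entry in holders)
        {
            if (entry.Value.Count > 1) duplicates[entry.Key] = entry.Value;
        }
        return duplicates;
    }

    // Reads servicePrincipalName from every user and computer object under the domain DN.
    public static List<KeyValuePair<string, IEnumerable<string>>> ReadSpns(string domainDn)
    {
        List<KeyValuePair<string, IEnumerable<string>>> result =
            new List<KeyValuePair<string, IEnumerable<string>>>();
        using (DirectoryEntry root = new DirectoryEntry("LDAP://" + domainDn))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(|(objectCategory=person)(objectCategory=computer))(servicePrincipalName=*))";
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.PropertiesToLoad.Add("servicePrincipalName");
            searcher.PageSize = 500; // page through large domains instead of hitting the size limit
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult entry in results)
                {
                    string name = (string)entry.Properties["sAMAccountName"][0];
                    List<string> spns = new List<string>();
                    foreach (object spn in entry.Properties["servicePrincipalName"]) spns.Add((string)spn);
                    result.Add(new KeyValuePair<string, IEnumerable<string>>(name, spns));
                }
            }
        }
        return result;
    }

    public static void Main(string[] args)
    {
        string domainDn = args.Length > 0 ? args[0] : "DC=qalbapad,DC=qalocal"; // from the post's examples
        Dictionary<string, List<string>> duplicates = FindDuplicates(ReadSpns(domainDn));
        if (duplicates.Count == 0)
        {
            Console.WriteLine("No duplicate SPNs found.");
            return;
        }
        foreach (KeyValuePair<string, List<string>> dup in duplicates)
        {
            Console.WriteLine("{0} is registered to: {1}", dup.Key, string.Join(", ", dup.Value.ToArray()));
        }
    }
}
```

Run it from a domain-joined machine with an account that can read the directory; the query is read-only. Each SPN it reports should end up on only the account that actually runs the service listening under that name, which for an IIS application pool is the pool identity.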
On the SQL/Reporting Server

  1. Make SPAdmin local administrator of the SQL server computer
  2. Install Microsoft .NET Framework 2.0
  3. Install Microsoft .NET Framework 3.0
  4. Download the SharePoint install from Microsoft
  5. Execute SharePoint.exe
  6. Accept the licensing agreement, click continue
  7. Choose the advanced installation option
  8. For Server Type choose Web Front-End (WFE), click install now
  9. Click close to run the SharePoint Technology Configuration wizard
  10. Select Yes, I want to connect to an existing server farm, click next
  11. Enter the name of the database server and then click Retrieve Database Names. This will bring back the SharePoint Configuration database name.
  12. In the Specify Database Access account enter the SharePoint Service account (SPAdmin) and password information, click next
  13. Click Next
  14. Click Finish
  15. Download the Reporting Services add-in from http://www.microsoft.com/downloads/details.aspx?familyid=1E53F882-0C16-4847-B331-132274AE8C84&displaylang=en

On the SharePoint Server

Install the SharePoint add-in for Reporting Services.

  1. Run SharePointRS.msi, click next
  2. Accept the Licensing agreement, click next
  3. Click next
  4. Click Install
  5. Click Finish when complete
  6. Log in to the SQL Server computer, click start -> All Programs -> Microsoft SQL Server 2005 -> Configuration Tools -> Reporting Services Configuration
  7. Connect to the SQL Server
  8. Click on Database Setup
  9. Click on Change to change the server mode to SharePoint
  10. Click yes to create a new Reporting Services database
  11. Leave the defaults and enter a name for the new SharePoint integrated Reporting Services database, click OK.
  12. Click Apply
  13. Leave the defaults and click OK
  14. Now we need to configure the Reporting Services application pool to run as SPAdmin. Open IIS Manager and navigate to the Application Pool -> Report Server
  15. Right click on Report Server and click properties, click the Identity tab
  16. Configure the identity to be SPAdmin. This will allow the reporting server to access the SharePoint server for the SharePoint integration to work properly.
  17. In IIS manager under the Web Sites folder right click the default site (This is where reporting services web is located) and click properties
  18. In the Web Sites tab change the port to 8080, Click OK to apply
  19. Return to the Reporting Server configuration and refresh. In the Web Service Identity you will need to click apply to complete the change made to the application pool
  20. Click on SharePoint Integration
  21. Follow link to SharePoint Central Administration site
  22. From the Application tab click on Manage integration settings
  23. Enter the URL for the report server plus the virtual directory for the report server. Most likely this will be http://machinename:port#/reportserver. Click OK
  24. Click on Grant database access; this will default to the local server. Change it to the reporting server. Click OK
  25. You will be prompted to enter credentials for accessing the report server. Enter the SQL account (SPSQL), click OK
  26. Click on Set Server Defaults
  27. In Reporting Services Server Defaults accept the defaults and click OK

Tim Coalson: SQL Server 2005 Reporting Services Add-in Primer