SharePoint Notes

Bleeding on the cutting edge …

Archive for March, 2008

SharePoint Extranet Solutions with ISA Server 2006 – Part 4: LDAP authentication in SharePoint

Posted by Christian Dam on March 30, 2008

In this post we will configure our Extranet Web Application to authenticate users in the Extranet Zone using LDAP. However, not just any LDAP server can be used: it must be supported by ISA Server 2006, so we are using an Active Directory in the DMZ.

The trick is to configure the web.config files for the Central Administration IIS site as well as for all IIS sites that are part of the Extranet Web Application. When that is done, the Authentication Provider for the extended web application must be changed to use the new provider. Finally, we add some Site Collection Administrators and users.

Still with me? Good, let’s go!

Oh, BTW, the web.config for a SharePoint Web Application is normally located at this location:

     C:\Inetpub\wwwroot\wss\VirtualDirectories\xxx

where xxx is the directory for the Web Application. If the exact location is not known, use the Internet Information Services (IIS) Manager to locate it:

  1. Start Internet Information Services (IIS) Manager (Start -> Administrative Tools -> Internet Information Services (IIS) Manager)
  2. Navigate to <Server> -> Web Sites
  3. Right-click the Web Application in question and select Properties
  4. Select the Home Directory tab
  5. The Local Path setting is the Web Application path

Step 1: Edit Web.config for Central Administration
Modifying the web.config for Central Administration is needed in order to add a Site Collection administrator or to add users in a Policy for Web Application.

  1. Open Web.config for Central Administration
  2. Between the </configSections> and <SharePoint> tags, create an LDAP connection string:

     <connectionStrings>
       <!-- LDAP path of the container in the DMZ Active Directory that is searched for users -->
       <add name="ADConnectionString"
         connectionString=
           "LDAP://dmz.dmzad.local:389/CN=Users,DC=DMZAD,DC=local" />
     </connectionStrings>

  3. Between the <system.web> and <securityPolicy> tags, add the following:

     <membership defaultProvider="LDAP">
       <providers>
         <!-- connectionUsername/connectionPassword: the account used to bind to the DMZ Active Directory -->
         <add
           name="LDAP"
           connectionStringName="ADConnectionString"
           connectionUsername="DMZAD\administrator"
           connectionPassword="password"
           enableSearchMethods="true"
           attributeMapUsername="userPrincipalName"
           type="System.Web.Security.ActiveDirectoryMembershipProvider,
             System.Web, Version=2.0.0.0,
             Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
       </providers>
     </membership>

  4. The values shown (names, LDAP path and credentials) are provided as an example and are customizable. The settings must be changed to match the settings in your environment. Under normal circumstances these settings are the same as the ones used for the Extranet Web Application below.

Step 2: Edit Web.config for the Extranet Web Application
Modifying the web.config for Extranet Web Application is needed in order to add a Site Collection administrator or to add users in a Policy for Web Application. Modifying web.config for the extended web application (dmz.extranet.sharepointnotes.local) is necessary for authenticating external users. Modifying the web.config in the Default Zone will allow a site administrator in that zone to add users in the Extranet Zone.

  1. Open Web.config for the (Extended) Extranet Web Application
  2. Between the </configSections> and <SharePoint> tags, create an LDAP connection string:

     <connectionStrings>
       <!-- LDAP path of the container in the DMZ Active Directory that is searched for users -->
       <add name="ADConnectionString"
         connectionString=
           "LDAP://dmz.dmzad.local:389/CN=Users,DC=DMZAD,DC=local" />
     </connectionStrings>

  3. Between the <system.web> and <securityPolicy> tags, add the following:

     <membership defaultProvider="LDAP">
       <providers>
         <!-- connectionUsername/connectionPassword: the account used to bind to the DMZ Active Directory -->
         <add
           name="LDAP"
           connectionStringName="ADConnectionString"
           connectionUsername="DMZAD\administrator"
           connectionPassword="password"
           enableSearchMethods="true"
           attributeMapUsername="userPrincipalName"
           type="System.Web.Security.ActiveDirectoryMembershipProvider,
             System.Web, Version=2.0.0.0,
             Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
       </providers>
     </membership>

  4. Again, the values shown (names, LDAP path and credentials) are provided as an example and are customizable. The settings must be changed to match the settings in your environment. Under normal circumstances these settings are the same as the ones used for Central Administration above.
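
The following check is an added example, not code from the original post: it parses the two web.config files edited in Step 1 and Step 2, flags the clear-text bind password and the Administrator bind account that the sample settings carry, and reports any setting that differs between the two files for the provider named in Step 3. The embedded XML is a constructed skeleton around the post's settings, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

AD_TYPE = "System.Web.Security.ActiveDirectoryMembershipProvider"
# Constructed sample: the Step 1 settings inside a minimal web.config skeleton.
CENTRAL_ADMIN = r"""<configuration>
  <connectionStrings>
    <add name="ADConnectionString"
         connectionString="LDAP://dmz.dmzad.local:389/CN=Users,DC=DMZAD,DC=local" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="LDAP">
      <providers>
        <add name="LDAP" connectionStringName="ADConnectionString"
             connectionUsername="DMZAD\administrator" connectionPassword="password"
             enableSearchMethods="true" attributeMapUsername="userPrincipalName"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
                   Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>
  </system.web>
</configuration>"""
# Constructed drift: the Extranet copy searches a different container.
EXTRANET = CENTRAL_ADMIN.replace("CN=Users", "OU=Partners")

def ad_providers(web_config_xml):
    """Return {provider name: settings} for each ActiveDirectoryMembershipProvider."""
    root = ET.fromstring(web_config_xml)
    strings = {add.get("name"): add.get("connectionString")
               for section in root.iter("connectionStrings")
               for add in section.findall("add")}
    found = {}
    for membership in root.iter("membership"):
        for add in membership.findall("providers/add"):
            if add.get("type", "").startswith(AD_TYPE):
                settings = dict(add.attrib)
                settings["connectionString"] = strings.get(add.get("connectionStringName"))
                found[add.get("name")] = settings
    return found

def audit(label, providers):
    """Flag how the bind credentials are handled in one web.config."""
    findings = []
    for name, p in providers.items():
        if p.get("connectionPassword"):
            findings.append(f"{label}/{name}: bind password stored in clear text")
        account = p.get("connectionUsername", "").split("\\")[-1].split("@")[0]
        if account.lower() == "administrator":
            findings.append(f"{label}/{name}: binds as the domain Administrator account")
    return findings

def drift(central, extranet, zone_provider):
    """Both files must define the provider named in Step 3 with the same settings."""
    findings = [f"{label}: no AD provider named '{zone_provider}'"
                for label, found in (("central-admin", central), ("extranet", extranet))
                if zone_provider not in found]
    if not findings:
        a, b = central[zone_provider], extranet[zone_provider]
        findings += [f"'{key}' differs between central-admin and extranet"
                     for key in sorted(set(a) | set(b)) if a.get(key) != b.get(key)]
    return findings

if __name__ == "__main__":
    ca, ex = ad_providers(CENTRAL_ADMIN), ad_providers(EXTRANET)
    for line in audit("central-admin", ca) + audit("extranet", ex) + drift(ca, ex, "LDAP"):
        print(line)
```

On the server itself, ASP.NET protected configuration (aspnet_regiis -pef "system.web/membership" followed by the site path) can encrypt the section that holds connectionPassword.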

Step 3: Change the Authentication Provider for the Extranet Zone
Follow these instructions to change the authentication provider:

  1. Go to the Application Management section of Central Administration
  2. In the Application Security section click Authentication Providers
  3. Select the Extranet Web Application
  4. Click the Extranet Zone
  5. In the Authentication Type section select Forms
  6. In the Membership Provider Name enter the same provider name that was used in step 1 and 2, for example LDAP
  7. Click Save
  8. Verify that the Membership Provider Name for the Extranet Zone has changed from Windows to the new name, for example LDAP

Step 4: Add Site Administrators
Follow these instructions to add an LDAP user as a Site Administrator:

  1. Go to the Application Management section of Central Administration
  2. In the SharePoint Site Management section click Site collection administrators
  3. In the Site Collection section select the Extranet Web Application
  4. In the Secondary Site Collection Administrator add a user account from the DMZ Active Directory. Remember that the format is: *@dmzad.local
  5. Click OK

Site Collection administrators can also be added through the Site Settings interface:

  1. Log on to http://extranet.sharepointnotes.local as a site administrator
  2. Navigate to Site Actions -> Site Settings
  3. In the Users and Permissions section click Site collection administrators
  4. In the Site Collection Administrators section, add the user or group you want to add and select the Check Names-icon (or press CTRL+K). Verify that the user/group was found.

Step 5: Add Users to the Extranet Web Application
Follow these instructions to add users to the Extranet Web Application:

  1. Log on to http://extranet.sharepointnotes.local as a site administrator
  2. Navigate to Site Actions -> Site Settings
  3. In the Users and Permissions section click People and groups
  4. Select the group that suits the user or groups of users you want to add
  5. Select New -> Add users
  6. In the Add Users section, add the user or group you want to add and select the Check Names-icon (or press CTRL+K). Verify that the user/group was found.
  7. In the Give Permission section check that the correct permission level is granted and click OK

This completes the configuration on the SharePoint side of things. In the coming posts, we’ll install the Root CA, issue and install some certificates, create some ISA User Sets and finally publish the Extranet Web Application through ISA Server.

Posted in Extranet, ISA Server, MOSS

SharePoint Extranet Solutions with ISA Server 2006 – Part 3: Configuring Alternate Access Mappings

Posted by Christian Dam on March 30, 2008

In part 2 of this series, we created and extended the Extranet Web Application. In this part we will configure the Alternate Access Mapping to be able to access the Web Application from multiple locations using the same URL.

  1. Go to the Operations section of Central Administration
  2. In the Global configuration section click Alternate access mappings
  3. Click Add Internal URLs
  4. Select the Extranet Web Application and the host header for the extended web application, in this case http://dmz.extranet.sharepointnotes.local
  5. Assign the Internal URL to the Extranet zone and click Save

The Alternate Access Mappings should now be the following for the extranet.sharepointnotes.local Web Application:

 

Internal URL                                  Zone       Public URL for zone
http://extranet.sharepointnotes.local         Default    http://extranet.sharepointnotes.local
https://extranet.sharepointnotes.local        Extranet   https://extranet.sharepointnotes.local
https://dmz.extranet.sharepointnotes.local    Extranet   https://extranet.sharepointnotes.local

Posted in Extranet, ISA Server, MOSS

Quick Tip: Allowing Site Collection administrators to track storage usage

Posted by Christian Dam on March 29, 2008

If you assign a Quota Template when creating a Site Collection, your site administrators get the possibility of tracking the storage consumption.

The option can be found in Site Administration: Site Settings -> Storage space allocation or via the direct link <site>/_layouts/storman.aspx.


Posted in MOSS, Quick Tips, WSS

Performance boost when upgrading Hyper-V to RC0

Posted by Christian Dam on March 26, 2008

I just upgraded Hyper-V on my laptop from Beta to Release Candidate 0. Everything went smoothly, as long as you remember to follow the instructions provided by Microsoft.

The performance seems to be boosted quite a lot. Before the upgrade, I timed the start-up time on one of my images running MOSS + SQL Server 2005 to approx. 3 minutes. After the upgrade the start-up time is reduced to 1 minute 40 secs!

Posted in Windows Server

Hyper-V RC0 now available

Posted by Christian Dam on March 22, 2008

Microsoft has released Hyper-V Release Candidate 0. Grab it here.  Unfortunately, migrating virtual machine configurations from Hyper-V Beta (the version that shipped with Windows Server 2008 RTM) to RC0 is not supported. Fortunately, there’s a migration procedure available here.

I haven’t yet found the time to perform the upgrade, but I should find time to do it early next week. I’ll let you know how it went 🙂

Posted in Windows Server

External Collaboration Toolkit for SharePoint Released

Posted by Christian Dam on March 22, 2008

I got this email today, stating that the External Collaboration Toolkit for SharePoint has been released. No big surprise, really, since it has been available on TechNet since February 28, but still good news:

I’m happy to announce that the External Collaboration Toolkit for SharePoint has been released and is now available on Microsoft TechNet at http://www.microsoft.com/collabkit. This accelerator helps you easily deploy a SharePoint-based external collaboration facility at your organization. Once this facility is in place, end users can quickly create a new collaboration site (using a SharePoint site collection) and add internal and external users to that site. Both these processes can be workflow enabled so that an administrator must approve both site and user creation.

The toolkit runs on both MOSS 2007 and Windows SharePoint Services 3.0. It also leverages SQL Server 2005 and ADAM. All external users are created in the ADAM directory so they are segregated from your primary user store.

Thank you for your help during development of the External Collaboration Toolkit for SharePoint. If you have any questions, please let me know.

Bill Canning
Senior Program Manager
Solution Accelerators

I find it slightly odd that ADAM has been chosen as a user repository for an External solution since ISA Server 2006 does not support ADAM, not even when using LDAP. The people within Microsoft I have talked to about ISA/ADAM support cannot even confirm if ADAM is supported when the next version of ISA is released in Q1 2009.

Posted in Extranet, MOSS, WSS

Web Application Monitoring with System Center Operations Manager

Posted by Christian Dam on March 17, 2008

System Center can emulate the end user experience by monitoring a Web Application. Here’s how to monitor a Web Application, even if it requires credentials, and how to record a browser session.

Create a Web Application Monitor
How to create an end-to-end monitoring for a Web Application:

  1. Log on to the computer with an account that is a member of the Operations Manager Authors role for the Operations Manager 2007 Management Group
  2. In the Operations Console, click the Authoring button
  3. Expand Management Pack Templates and right-click Web Application. Select Add monitoring wizard
  4. Select Web Application and click Next
  5. Enter Name and Description and click Next
  6. Enter and test the URL and click Next
    The test will fail if the web site requires credentials, but they can be provided later
  7. Select the node that will act as the watcher node and enter the time interval at which the test will run. Click Next
    The Watcher Node must be an agent managed computer and have access to the web site
  8. Click Create
  9. If the web site doesn’t require credentials or you don’t want to record a browser session, you’re done

Enter credentials for the Web Application
If the Web Application requires credentials to be displayed, here is how to configure it:

  1. Log on to the computer with an account that is a member of the Operations Manager Authors role for the Operations Manager 2007 Management Group
  2. In the Operations Console, click the Authoring button
  3. Expand Management Pack Templates and click Web Application and select Web Application Monitor that should be modified
  4. In the Actions pane on the right side, select Edit web application settings
  5. On the Web Application Editor page click Configure settings
  6. In the Select Authentication Settings select the same Authentication Method as is being used by the Web Application you’re monitoring. For SharePoint sites using Active Directory this is normally NTLM
  7. Set the User Account to one of your previously defined Run As Accounts and click OK and Apply
    If you haven’t yet defined an account to test your Web Site, you can create one in the Administration part of the Operations Console. The accounts are defined in the Security section
  8. That’s it. The web site is now being monitored using the credentials defined for the Run As Account

The Web Application Properties are also useful for defining other parameters, such as:

  • Retry Count
  • Watcher Node(s)
  • Query interval
  • Performance Criteria
  • Performance Counters 

Record a browser session
Here is how to record a browser session for the Web Application Monitor:

  1. Log on to the computer with an account that is a member of the Operations Manager Authors role for the Operations Manager 2007 Management Group
  2. In the Operations Console, click the Authoring button
  3. Expand Management Pack Templates and click Web Application and select Web Application Monitor that should be modified
  4. In the Actions pane on the right side, select Edit web application settings
  5. On the Web Application Editor page click Start capture
  6. If you see an error message about third party extensions being disabled for Internet Explorer, follow these steps:
    • Click Tools->Internet Options
    • Click the Advanced tab
    • Under Browsing, select Enable third party browser extensions (requires restart)
    • Close Internet Explorer, and then click Start capture to start the browser again.
  7. If the Web Recorder Explorer bar doesn’t show on the left side of Internet Explorer, click View -> Explorer Bar -> Web Recorder
  8. Browse your web site and record the user session you want to be part of the test. When the session is complete, click Stop in the Web Recorder Explorer bar. Internet Explorer will close.
  9. Click Apply to include the browser session in the test. Optionally, you can click Run Test to verify the test run is successful

Posted in MOSS, Operations Manager 2007, System Center, WSS

Upgrading System Center Operations Manager 2007 to SP1

Posted by Christian Dam on March 6, 2008

SP1 for System Center Operations Manager has been out for a while now and I finally got around to upgrading my environment. Here’s how I did it:

  1. Close the System Center Operations Manager console should it be open
  2. Download and run the SP1 Upgrade Package. It is pretty big, though – 436MB
  3. Click OK followed by Unzip to install the package. Click OK when the unzipping is done
  4. Select to apply SP1 to Operations Manager 2007
  5. Click Yes to install the software update package needed
  6. Check Upgrade to Operations Manager 2007 SP1 and click Next
  7. Accept the license agreement and click Next
  8. Hit Install
  9. Click Finish when the installation completes

To check if the upgrade was successful:

  1. In the System Center Operations Manager Console click Help and then About.
    • If the version has changed from 6.0.5000.0 to 6.0.6278.0 the upgrade was OK
  2. In the SQL Server Management Studio on the database server, navigate to INSTANCE\Databases\Operations Manager\Tables
    • Right click dbo.__MOMManagementGroupInfo__ and select Open Table
    • If DBVersion has changed from 6.0.5000.0 to 6.0.6278.0 the upgrade was OK 

The agents are not upgraded automatically. Follow these steps to upgrade through the System Center Operations Manager Console:

  1. In the Administration pane, expand Device Management, and then click Pending Management
  2. In the Pending Management pane, expand Type: Agent Requires Update, right-click each agent-managed computer listed, and then click Approve
  3. In the Update Agents dialog box, enter the administrator account credentials, and then click Update. The upgrade status is displayed in the Agent Management Task Status dialog box
  4. When the upgrade is complete, click Close

Use the registry editor to verify the agent upgrade:

  1. On the computer hosting an agent, click Start, and then click Run
  2. Type regedit and then click OK
  3. Navigate to the HKey_Local_Machine\Software\Microsoft\Microsoft Operations Manager\3.0\Setup key. If the value of the AgentVersion entry is 6.0.6278.0 your agent upgraded successfully.

Posted in Operations Manager 2007

SharePoint Extranet Solutions with ISA Server 2006 – Part 2: Creating the Extranet Web Application

Posted by Christian Dam on March 2, 2008

Update: The previous post was a bit too complex. It has been modified a bit so now it should actually work 😉 

Let’s create and extend the Extranet Web Application. Since we need to access it in three different ways, the web application will be extended so it covers two zones:

  • Default Zone: extranet.sharepointnotes.local. This zone is used for access by internal corporate users as well as services like search. Will use Windows authentication.
  • Extranet Zone: dmz.extranet.sharepointnotes.local. This zone is used for external partners. Will use a DMZ AD for authentication

Step 1: Create the Extranet Web Application

  1. In Central Administration navigate to Application Management 
  2. In the SharePoint Web Application Management section select Create or extend Web application
  3. Select Create a new Web application
  4. In the IIS Web Site section opt to Create a new IIS web site and enter the required information, e.g:
    • Description: SharePoint Extranet – 80
    • Port: 80
    • Host Header: extranet.sharepointnotes.local
    • Path: use default
  5. Keep the default selections for Security Configuration
  6. In the Load Balanced URL change the URL to http://extranet.sharepointnotes.local (remove :80)
  7. In the Application Pool section select to Create new application pool. Name the new application pool and enter user name and password.
  8. In the Database Name and Authentication section, enter the Database server and Database Name. It is recommended not to accept the suggested database name, but rather to give the database a name that relates specifically to your Web Application, e.g. WSS_Content_Extranet
  9. Finally, select which Search Server that should be used if you have more than one
  10. Click OK to create the Web Application.
  11. Click Create Site Collection to create the site collection to be hosted by the new Web App. Use the template and quota settings that are applicable in your environment. This Web Application will be used to host a partner collaboration site, so the Collaboration Portal template is used.
  12. Once the Site Collection is created, test that it can be accessed using the Host Header name you specified when the Web Application was created

Step 2: Extend the Web Application to facilitate external access for partners

  1. In Central Administration navigate to Application Management 
  2. In the SharePoint Web Application Management section select Create or extend Web application
  3. Select Extend an existing Web application
  4. In the IIS Web Site section opt to Create a new IIS web site and enter the required information, e.g:
    • Description: SharePoint Extranet (Extranet Zone) – 80
    • Port: 80
    • Host Header: dmz.extranet.sharepointnotes.local
    • Path: use default
  5. For now, go with the default selections for Security Configuration
  6. In the Load Balanced URL change the URL to https://extranet.sharepointnotes.local and set the zone to Extranet
  7. Click OK to extend the Web Application.
  8. The external partners will authenticate using AD and LDAP, but we’ll configure that in a later post
  9. Go to the Operations section of Central Administration 
  10. In the Global configuration section click Alternate access mappings 
  11. Click Add Internal URLs
  12. Select the Extranet Web Application and the host header for the extended web app, in this case http://dmz.extranet.sharepointnotes.local/
  13. Assign the Internal URL to the Extranet zone and click Save

So far so good. Now we have the web application created and extended to use different zones. Next step is to use ISA Server 2006 to publish the Extranet for corporate users across the Internet.

Posted in Extranet, ISA Server, MOSS