SharePoint Notes

Bleeding on the cutting edge …

Archive for April, 2008

Site Provisioning Assistant for SharePoint 2007

Posted by Christian Dam on April 29, 2008

I have been evaluating some new tools and add-ons today. One of them actually impressed me so much, and can provide so much added value, that I feel compelled to share my findings.

I am talking about Site Provisioning Assistant for SharePoint 2007 from SharePoint Solutions. It may be well-known in the US but it’s the first time I see it in my neck of the woods 🙂

Installation:

The installation is straightforward so I’ll skip the instructions for that. Just grab the trial version here (requires registration) and go for it. A couple of points about installing the license files, though:

  • the license files must be installed prior to installing the product
  • there is no separate license file download for SPA, but it is included in the Trial License for Extranet Collaboration Manager.
  • the license file installation doesn’t work correctly on 64-bit architecture. On x64 the files are installed in C:\Program Files (x86)\Common Files\XHEO\SharedLicenses but the software is looking for them in C:\Program Files\Common Files\XHEO\SharedLicenses. Simply copy the files and you are good to go

Creating the provisioning site:

Once Site Provisioning Assistant is installed you get a new site template. Use it to create a new site:

  1. Go to the site or site collection of your choice
  2. Select Site Actions -> Create Site
  3. Enter Title, Description and URL
  4. In the Template Selection choose the Management tab and select Provisioning Management
  5. Finally, click Create

The Provisioning Site looks like this:

Initially no provisioning profiles are created, so we’ll create two different profiles, one Intranet Site Provisioning profile and an Extranet Site Collection Provisioning profile.

Creating the Intranet Site Provisioning Profile

  1. Select Site Actions -> Provisioning Settings -> Add Site Provisioning Profile
  2. Enter Title and Description
  3. Select Create new Category and name it Intranet Sites
  4. Leave the remaining settings and click Next
  5. Select the Web Application the new sites are created in
  6. If the Web Application has Site Collection(s), select which site collection will contain the new sites
  7. Select the Parent Site and click Next
  8. Select Language and Site Template and click Next
  9. Finally, select any of the Additional Input Fields and click Finish

Creating the Extranet Site Collection Provisioning Profile

  1. Select Site Actions -> Provisioning Settings -> Add Site Collection Provisioning Profile
  2. Enter Title and Description
  3. Select Create new Category and name it Extranet Sites
  4. Leave the remaining settings and click Next
  5. Select the Web Application the new site collections are created in
  6. If you want the new site collections to have their own databases, select Creates site collection in a new database. Enter the required database information as well. I recommend applying some sort of naming convention to the database names, e.g. SPA_{SiteTitle}
  7. Click Next
  8. Select Language and Site Template
  9. Enter the Primary and Secondary Site Collection Administrators and click Next
  10. Finally, select any of the Additional Input Fields and click Finish

Our new Provisioning Profiles are now available for users.

Requesting a Site:

Users can now very easily request a site or site collection by using one of the Provisioning profiles we just created:

  1. Click Request Site in the Extranet Sites section
  2. Enter Title, URL and any information required and click Finish. The URL is relative to the URL specified as Location so no need to enter the http bits again
  3. The My Active Site Requests web part is now populated with the site request

Approving or rejecting a Site Request:

Approving or rejecting a site request is straight forward:

  1. Select All Site Requests (unless you are approving your own requests – in that case use the My Active Site Requests web part)
  2. Click Review Request
  3. Select Approve/Reject  Item
  4. Approve or Reject the request and click OK
  5. The site is now being created

Pretty cool, eh? Well, I think it is and I can think of a lot of ways where this can add value. I think it is especially useful when:

  • the IT staff is not necessarily highly skilled SharePoint Admins
  • Governance is an issue
  • site creation can’t wait for a SharePoint administrator to become available

If Governance, self service, and site provisioning are important to you, I’d recommend you take a look at the tool. The documentation is not that fantastic but there is a lot of information on the support web site.

One note about the licensing: it requires one license per Web Front-end and the cost is $3.595 per Web Front-end in your farm. A bit pricy for large farms but if you have a lot of users, chances are you will really benefit from the site provisioning capabilities.

 


Posted in MOSS, Tools and Add-ons, WSS | Comments Off on Site Provisioning Assistant for SharePoint 2007

MOSS Single SignOn with ISA Server

Posted by Christian Dam on April 28, 2008

If you publish multiple Web Applications through ISA Server you might have experienced that users are asked to re-validate when one published site links to another published site, even though the sites use the same user repository to validate users.

Fortunately, there is an easy fix for that: ISA Server SSO

ISA SSO offers Single Sign-on between sites in the same DNS domain, provided:

  • the published sites share the same Web Listener
  • the same port number and protocol is used
  • the users must be validated in the same user repository using the same authentication method

This means that SSO between http://sales.contoso.com and http://marketing.contoso.com is possible but SSO between http://sales.contoso.com and http://sales.contoso.org is not.

ISA SSO is enabled on the SSO tab in the Web Listener.
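The conditions above written as a pre-flight check over an inventory of published sites. This is an added example, not code from the original post or from ISA Server; the record format, the listener name and the repository name are constructed, and the SSO domain is passed in as a plain DNS suffix.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def in_sso_domain(host, sso_domain):
    """True if host is sso_domain itself or a subdomain of it.

    The comparison is made on whole DNS labels, so "evilcontoso.com"
    is not treated as part of "contoso.com".
    """
    host = host.lower().rstrip(".")
    domain = sso_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def sso_blockers(site_a, site_b, sso_domain):
    """Return the reasons SSO will not apply between two published sites.

    Each site is a dict with the keys url, listener, repository and
    auth_method (a constructed inventory format, not an ISA export).
    An empty list means every condition listed in the post is met.
    """
    reasons = []
    a, b = urlsplit(site_a["url"]), urlsplit(site_b["url"])

    for name, parts in (("first", a), ("second", b)):
        if not in_sso_domain(parts.hostname or "", sso_domain):
            reasons.append(f"{name} site is outside SSO domain {sso_domain}")

    if site_a["listener"] != site_b["listener"]:
        reasons.append("sites are published on different Web Listeners")

    if a.scheme != b.scheme:
        reasons.append("protocol differs")
    port_a = a.port or DEFAULT_PORTS.get(a.scheme)
    port_b = b.port or DEFAULT_PORTS.get(b.scheme)
    if port_a != port_b:
        reasons.append("port differs")

    if site_a["repository"] != site_b["repository"]:
        reasons.append("users are validated in different repositories")
    if site_a["auth_method"] != site_b["auth_method"]:
        reasons.append("authentication method differs")
    return reasons


def site(url, listener="Extranet Listener", repository="dmzad.local",
         auth_method="forms"):
    # Constructed sample record; listener and repository names are placeholders.
    return {"url": url, "listener": listener,
            "repository": repository, "auth_method": auth_method}


if __name__ == "__main__":
    sales = site("http://sales.contoso.com")
    for other in ("http://marketing.contoso.com",
                  "http://sales.contoso.org",
                  "https://marketing.contoso.com"):
        result = sso_blockers(sales, site(other), "contoso.com")
        print(other, result or "SSO applies")
```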

More information:

Posted in Extranet, ISA Server, MOSS | Comments Off on MOSS Single SignOn with ISA Server

Quick Tip: No network connection after upgrading Hyper-V from Beta to RC0

Posted by Christian Dam on April 24, 2008

I upgraded my main VPC host from Hyper-V Beta to Hyper-V RC0 today. My VPC already had the Integration Services installed and I installed the Hyper-V RC0 update from Windows Update (949219) on the VPCs before upgrading the host.

Well, something must have gone wrong as my VPCs lost the NICs and thus all network connection. When I tried to Reinstall the Integration Services, I got the following error message:

“The Microsoft Hyper-V Integration Components are already installed. Please use Windows Update to upgrade the installation”

Good advice but pretty difficult to do when the NIC is gone …

The solution was pretty straightforward, however: delete the NIC in Device Manager and Scan for Hardware changes:

  1. Start Server Manager
  2. Navigate to Server Manager -> Diagnostics -> Device Manager
  3. Right-click the NIC and select Uninstall
  4. Choose to remove the device drivers if you have the option
  5. Right-click your Server Name and select Scan for hardware changes
  6. The NIC should now be recognized and have its drivers installed automatically

 Update:

One of my VPCs didn’t have the 949219-update installed and the remove-the-NIC-and-scan-for-hardware-changes trick didn’t work.

The solution to this problem was as follows:

  1. Create a new virtual HD
  2. Mount the VHD in a VPC with access – if you have one
  3. Download the update files and copy them to the VHD :
  4. Unmount the VHD
  5. Mount the VHD in the VPC with the missing update
  6. Install the update and reboot

Oh, and BTW – this problem is only related to VPCs running Windows Server 2008 as a Guest OS as far as I can tell.

Posted in Quick Tips, Windows Server | Comments Off on Quick Tip: No network connection after upgrading Hyper-V from Beta to RC0

SharePoint Extranet Solutions with ISA Server 2006 – Part 8: Publishing

Posted by Christian Dam on April 23, 2008

Finally, we’ve arrived at the last part of the series where everything should come together!

Let the SharePoint publishing begin!

  1. On the right pane, select the Tasks tab and click Publish SharePoint sites
  2. Name the publishing rule and click Next
  3. Select Publish a single Web site or load balancer and click Next 
  4. Use SSL to connect to the published Web server or server farm and click Next 
  5. Enter the Internal site name. The internal name is in this case the host header in the Extranet Web application that was extended to the Extranet zone: dmz.extranet.sharepointnotes.local
  6. If the ISA server cannot resolve the internal site name (e.g. if it is not created as an A record in DNS), specify the computer name or IP address. Click Next
  7. Accept requests for This domain name (type below), enter the Public name and click Next. The public name is the web site name the clients will use to access the site, in this case extranet.sharepointnotes.local
  8. Select the Web listener to use. If you don’t have one already, here’s how to create one:
    • Click New
    • Name the listener and click Next
    • Select Require SSL secured connection with clients and click Next
    • Select the External network interface and click Select IP Addresses
    • Select Specified IP Addresses on the ISA Server computer in the selected network and select the IP Address that is used to serve internal users coming from the Internet. Click Add and OK
    • Back on the Web Listener IP Addresses page click Next
    • Select Assign a certificate for each IP address and click Select Certificate
    • Choose the certificate issued to extranet.sharepointnotes.local and click Select and then Next
    • Use HTML Forms Authentication and let ISA validate using LDAP (Active Directory). Click Next
    • Do not enable SSO and click Next
    • Click Finish and OK to accept the warning
  9. Make sure the newly created listener is selected and click Next 
  10. Use Basic authentication and click Next 
  11. Select SharePoint AAM is already configured and click Next
  12. Remove All Authenticated users and click Add to add the User Set you created earlier. Click Next
  13. Click Finish and Apply the changes
  14. Right-click the new rule and select Properties
  15. Select the To tab. Since we are forwarding requests from one URL to another, make sure the Forward the original host header option is not selected.
  16. Select the Bridging tab
  17. Since we are redirecting from SSL to HTTP, make sure the Redirect requests to HTTP port 80 is selected and that Redirect requests to SSL port is not selected
  18. Click OK and Apply the changes

The rule is now created and our Extranet site is published and available for external users. Let’s test it:

  1. To test external access, browse to https://extranet.sharepointnotes.local
  2. Log in using an administrative user in the format user@dmzad.local
  3. Once the credentials are validated by ISA Server, the request is forwarded to MOSS and the user is presented with a new Sign In page. Log in again using the same credentials.
  4. A good method to test access and especially Alternate Access Mappings is to create a new site:
    • From Site Actions select Create
    • In the Web Pages section select Sites and Workspaces
    • Enter a Title, URL name and select a site template.
    • Leave other settings with their default values and click Create
  5. Verify the new site was created and displayed correctly. If that isn’t the case it normally indicates that the Alternate Access Mappings are configured incorrectly.

Done! I hope you enjoyed the series. If so, drop me a note 🙂 Please also drop me a note if you know how to avoid entering credentials twice (once on ISA and again on MOSS)!

Posted in Extranet, ISA Server, MOSS | 12 Comments »

SharePoint Extranet Solutions with ISA Server 2006 – Part 7: Creating LDAP User Sets

Posted by Christian Dam on April 16, 2008

The last thing we need before we can create the SharePoint Publishing rules is two ISA User Sets. ISA Server user sets are used to segment internal and external users into groups that the ISA Server uses when granting or denying access.

It is assumed that the following groups are created and populated with appropriate users:

  • External Extranet Users exists in the DMZ Active Directory
  • Internal Extranet Users exists in the corporate domain

Creating a User Set for External users

  1. In the ISA Server Management Console navigate to Array -> <instance> -> Firewall Policy
  2. On the right pane select Toolbox and then Users. Select New to create a new user set
  3. Name the set and click Next
  4. Select Add -> LDAP
  5. Select the LDAP server set from the drop-down box. If a server set is not available, create one as described in part 6
  6. In Specified group or user enter the External Extranet Users group created for External Access and click OK
  7. Enter credentials to the LDAP Server and click OK
  8. Verify the group is added to the list and click Next
  9. Click Finish and Apply

Creating a User Set for Internal users

  1. In the ISA Server Management Console navigate to Array -> <instance> -> Firewall Policy
  2. On the right pane select Toolbox and then Users. Select New to create a new user set
  3. Name the set and click Next
  4. Select Add -> Windows users and groups
  5. Click Locations…
  6. Expand Entire Directory and select the corporate domain. Click OK
  7. In the Enter the object names to select text box, enter Internal Extranet Users and click Check Names. Verify the group name is underlined and click OK
  8. Verify the group is added to the list and click Next. Note the group name is listed as a GUID and not the actual user name. Click Next
  9. Click Finish and Apply

Posted in Extranet, ISA Server, MOSS | Comments Off on SharePoint Extranet Solutions with ISA Server 2006 – Part 7: Creating LDAP User Sets

SharePoint Extranet Solutions with ISA Server 2006 – Part 6: Configuring ISA to use LDAP

Posted by Christian Dam on April 16, 2008

OK, let’s turn our attention to the ISA Server configurations again. It’s time to configure the LDAP connectivity!

Create Connectivity Verifier

To test and verify the LDAP connection to the Active Directory in the DMZ, a Connectivity Verifier can be created:

  1. In the ISA Server Management Console navigate to Array -> <Instance> -> Monitoring
  2. Select the Connectivity Verifiers tab
  3. On the right pane click Create New Connectivity Verifier
  4. Name the Verifier and click Next
  5. Enter the IP address or server name of the LDAP Server
  6. In Group type used to categorize the connectivity verifier select Active Directory
  7. Verify the Establish a TCP connection to port is set to LDAP and click Next
  8. Click Finish and Apply

The connectivity is now being verified and the Result should evaluate to Good in a few seconds. The status is also being propagated to the Dashboard view

Add LDAP Server

  1. In the ISA Server Management Console navigate to Array -> <Instance> -> Configuration -> General
  2. Click Specify RADIUS and LDAP Servers
  3. Select the LDAP Servers Tab
  4. Click Add
  5. Name the LDAP Set and click Add
  6. Enter Server name, Server description and Time-out and click OK. The Server name must either be an IP address or a name that is resolvable in DNS
  7. Enter the fully-qualified domain name (e.g. dmzad.local) and clear the option to Use Global Catalog
  8. Enter the User name and Password of the user account that is used to lookup users in the DMZ Active Directory Domain
  9. Click OK
  10. Back on the Authentication Servers page, click New
  11. Enter the Login expression and LDAP server set. The Login expression is the string that users enter when they authenticate; it is usually in the form of an Active Directory login or an email address, for example:
         DMZAD\*
         *@dmzad.local
    Since we configured the MOSS LDAP connection the way we did, use *@dmzad.local
  12. It is possible to create several login expressions for the same LDAP server set if you want to allow for more flexibility
  13. Click OK
  14. Click Close
  15. Finally, Apply the changes
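How a login expression ties a typed user name to an LDAP server set, as an added example that is not from the original post or from ISA Server itself. The wildcard semantics (`*` as one or more characters, case-insensitive, whole-string match, first rule wins) and the set name "DMZ LDAP Set" are assumptions; the sample logins are constructed.

```python
import re


def compile_login_expression(expression):
    """Turn a login expression such as '*@dmzad.local' into a regex.

    Assumption: '*' stands for one or more characters and everything
    else is literal. The pattern is used with fullmatch(), so a login
    that merely contains the expression does not qualify.
    """
    literal_parts = [re.escape(part) for part in expression.split("*")]
    return re.compile(".+".join(literal_parts), re.IGNORECASE)


class LoginRouter:
    """Maps login expressions to LDAP server sets; the first match wins."""

    def __init__(self):
        self._rules = []

    def add(self, expression, server_set):
        pattern = compile_login_expression(expression)
        self._rules.append((pattern, expression, server_set))

    def resolve(self, login):
        """Return (server_set, expression) for the login, or None."""
        for pattern, expression, server_set in self._rules:
            if pattern.fullmatch(login):
                return server_set, expression
        return None


def build_router():
    # Several expressions may point at the same LDAP server set (step 12).
    # "DMZ LDAP Set" is a placeholder name for the set created in step 5.
    router = LoginRouter()
    router.add("*@dmzad.local", "DMZ LDAP Set")
    router.add("DMZAD\\*", "DMZ LDAP Set")
    return router


SAMPLE_LOGINS = [  # constructed inputs
    "alice@dmzad.local",              # matches *@dmzad.local
    "DMZAD\\alice",                   # matches DMZAD\*
    "dmzad\\ALICE",                   # case differs, still matches
    "alice@dmzad.local.example.net",  # longer suffix, no match
    "alice@corp.local",               # other domain, no match
    "@dmzad.local",                   # empty user part, no match
]

if __name__ == "__main__":
    router = build_router()
    for login in SAMPLE_LOGINS:
        print(f"{login!r:36} -> {router.resolve(login)}")
```

A login that resolves to None has no LDAP server set to be validated against, which is the case to look for when a user reports that the expected login format is refused.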

 

Posted in Extranet, ISA Server, MOSS | Comments Off on SharePoint Extranet Solutions with ISA Server 2006 – Part 6: Configuring ISA to use LDAP

Microsoft Forefront codename “Stirling” Beta

Posted by Christian Dam on April 10, 2008

The next version of ISA Server is available online.

Overview:

Microsoft® Forefront™ codename “Stirling” is an integrated security system that delivers comprehensive, coordinated protection across endpoints, messaging and collaboration servers and the network edge that is easier to manage and control.

By delivering simplified management and providing critical visibility into threats, vulnerabilities, and configuration risks, Forefront codename “Stirling” helps reduce costs and achieve greater insight into the enterprise security state.

At release, “Stirling” will include:

  • A central management console and dashboard for security configuration and enterprisewide visibility.
  • The next-generation versions of Forefront products: the next generation of Forefront Client Security, Forefront Security for Exchange Server, Forefront Security for SharePoint and the Internet Security & Acceleration Server (to be renamed the Forefront Threat Management Gateway).
  • Dynamic Response, an innovative Microsoft technology built into each component of “Stirling” that allows the entire system to share and use security information to dynamically respond to threats across multiple layers of the organization.

 

Posted in Extranet, ISA Server | Comments Off on Microsoft Forefront codename “Stirling” Beta

SharePoint Extranet Solutions with ISA Server 2006 – Part 5: Installing a Stand-alone root CA

Posted by Christian Dam on April 2, 2008

In part three we created an Alternate Access Mapping, http://dmz.extranet.sharepointnotes.local/, and assigned it the public URL https://extranet.sharepointnotes.local. This implies that our Extranet solution must support SSL from the client to the ISA Server, so let’s install the Stand-alone CA so we can issue some certificates:

  1. The Certificate Services are installed through Add/Remove Programs (Start -> Control Panel -> Add or Remove Programs)
  2. Click Add/Remove Windows Components
  3. Select Certificate Services (remember to select both Certificate Services CA and Certificates Services Web Enrollment support)
  4. Click Yes to continue and then Next
  5. Select Stand-alone root CA and click Next
  6. Enter the Common name for this CA and click Next 
  7. Select where to place the Certificate Database files and click Next
  8. Click Yes to stop the Internet Information Services 
  9. If prompted, select Yes to enable ASP
  10. Click Finish

Next, let’s issue some certificates to extranet.sharepointnotes.local:

  1. Point your browser to http://localhost/certsrv
  2. Select Request a certificate
  3. Submit an Advanced certificate request
  4. Select Submit and submit a request to this CA
    • Name: the public name of the web site (extranet.sharepointnotes.local)
    • Type of Certificate Needed: Server Authentication Certificate
    • Mark keys as exportable
    • Store the certificate in the local computer store
    • Friendly Name: same as Name
  5. Hit Submit
  6. Select Yes to request a certificate
  7. To issue the pending certificate, start Certification Authority (Start -> Administrative Tools -> Certification Authority)
  8. Select Pending Requests
  9. Right click the certificate and select All Tasks -> Issue
  10. Point your browser once again to http://localhost/certsrv
  11. Click View the status of a pending certificate request
  12. Click the server certificate link
  13. Select Install this certificate and Yes to confirm
  14. The certificate is now installed in the Personal certificate store of the local computer

Export the certificate (skip this part if the certificates are already installed on the ISA Server):

  1. Start a MMC console (Start -> Run -> mmc)
  2. Add/Remove Snap-in (File -> Add/Remove Snap-in)
  3. Click Add
  4. Select Certificates and click Add
  5. Select to manage the Computer account and click Next
  6. Select to manage the Local computer and click Finish
  7. Click Close and OK
  8. Navigate to Personal Certificates (Console -> Certificates -> Personal -> Certificates)
  9. Right click the certificate created above and select All Tasks -> Export
  10. In the Certificates Export Wizard click Next
  11. Export the private key and click Next
  12. Make sure Include all certificates in the certification path if possible and Enable strong encryption are selected and click Next
  13. Enter and confirm a Password and click Next
  14. Select a path and file name and click Next
  15. Click Finish and OK 
  16. Copy the certificate file to the ISA Server

Import the certificate (skip this part if the certificates are already installed on the ISA Server)

  1. On the ISA Server, perform steps 1 to 7 in the Export-section above
  2. Navigate to Personal (Console -> Certificates -> Personal)
  3. Right click Personal and select All Tasks -> Import
  4. In the Certificates Export Wizard click Next 
  5. Change the file type filter to All Files and browse to the location where the certificate is stored. Select the certificate and click Open and Next 
  6. Enter the password if the certificate is password protected and click Next
  7. Make sure the certificate is placed in the Personal certificate store and click Next
  8. Click Finish and OK

Posted in Extranet, ISA Server, MOSS | Comments Off on SharePoint Extranet Solutions with ISA Server 2006 – Part 5: Installing a Stand-alone root CA