harbar.net

SharePoint Evolution Conference 2013

Spence — Sun, 31 Mar 2013 14:03:09 GMT

In just over two weeks time we are back in London, for the fifth year, with the SharePoint Evolution Conference 2013. Simply the best SharePoint event outside of North America, with the best speakers, the best content, and the best entertainment, this year’s conference promises to live up to past events.

It will be a little less stressful this year, returning to a regular content schedule with a few surprises thrown in! Aside from mature content on both SharePoint 2013 and SharePoint 2010, the conference features four of the five MCAs, twelve MCMs and a boatload of MVPs. It promises to be a lot of fun, and I encourage you to think about attending this, the best SharePoint conference of 2013.

I’ll be presenting the following sessions, which will all feature brand new content exclusively for the Evolution conference:

IT104: Request Management with SharePoint 2013
SharePoint 2013 includes a compelling new Request Management service, which gives much greater control over how incoming requests are processed. Learn about how Request Management enables request routing to ensure server health, request prioritization, and the implementation of server machine pools for large deployments. Understand the key components of the Request Manager and RM Routing, RM Pools and Execution Groups. This session will demonstrate how to configure Request Management for a number of key deployment scenarios.

IT110: Understanding Service Application Federation for SharePoint 2013 (with Bill Baer)
SharePoint 2013 provides architects with a compelling model for service publishing and federation, opening up exciting new approaches to farm design. This session will cover what’s new in SharePoint 2013 and how Service Application Federation plays out in the real world, based upon early enterprise adopters. Learn how to approach the design of a enterprise services farms, provide true scalability and discover the constraints for each service application which can be published, including global deployment considerations. Related aspects such as Security, High Availability and performance will also be covered. This session will be split 60/40 between lecture and demonstrations.

IT115: Rational Guide to User Profile Synchronization in SharePoint Server 2013
Discover the changes and new capabilities in the foundational service for Social deployments of SharePoint Server 2013 and get the real deal on configuring User Profile Synchronization in this demo and best practices heavy session. This session will cover the architecture of the User Profile Service Application, the new AD Direct Mode and provide a walkthrough of the configuration requirements and setup. Understand the key architectural considerations in terms of high availability, scalability and geographic deployments. Also covered will be general UPA related best practices in terms of synchronization, policy and privacy and leveraging social features inside the enterprise This session will be split 60/40 between demonstrations and lecture.

I look forward to seeing you in London at the event, and remember, Tuesday night is NOT to be missed! :)

Antivirus and SharePoint 2013

Spence — Fri, 22 Feb 2013 18:44:11 GMT

With the discontinuation of Forefront Protection for SharePoint, Microsoft no longer provides a streaming antivirus solution for SharePoint. This has lead to an ever increasingly common customer question, “what do I use for SharePoint antivirus?”. This post aims to detail the options (right now there is only one) as opposed to answering the question repeatedly. It is NOT intended to be a discussion on why you need a streaming antivirus solution for SharePoint, which is potentially a post for another day. For now, assume you have that requirement, so what are the options?

SharePoint 2013 introduces NO CHANGES to the SharePoint Antivirus API (a.k.a SharePoint Portal Server Virus Scanning Application Programming Interface (VS API)). Therefore any product that works with SharePoint 2010, in principal, will work with SharePoint 2013.

However 3rd party vendors in this space have always been extremely slow to implement support for the latest version of SharePoint or the host operating system. In some cases it’s the ability to run, in other cases it’s simply a matter of official support.

Let’s take a look at the usual suspects in this space, such as they are. Right now it’s not a good state of affairs.

Forefront Protection for SharePoint 2010
Yes, we can continue to use this and it will work just fine with SharePoint 2013. However as the product is discontinued, this is not a wise choice. Furthermore you cannot actually buy it. So unless you already have it purchased you are out of luck. If you already have it, it will continue to be supported until December 31st 2015. You will receive AV definition updates until that date as well. After that you need to migrate to something else.
AvePoint DocAve Antivirus for SharePoint
This product is also discontinued. Not an option.
TrendMicro PortalProtect
Does NOT currently support SharePoint 2013 or Windows Server 2012. Both are “coming” in Q3 2013. Won’t install, won’t work. Not an option.
BitDefender
This product is discontinued. Not an option.
Symantec Protection for SharePoint
Does not support SharePoint 2013. Can install, but won’t detect SharePoint 2013 without a registry hack. Not an option.
McAfee Security for SharePoint
Does not support SharePoint 2013 or Windows Server 2012. Won’t install, won’t work. Not an option.
Sophos Antivirus Protection for SharePoint
Does not support SharePoint 2013 or Windows Server 2012. Can install, but won’t detect SharePoint 2013 without hacks. Not an option.
Kapersky Security for SharePoint Server
Does not support SharePoint 2013. Can’t detect SharePoint 2013 without registry hack. Not an option.

Great so far huh? The usual suspects are really doing a stand up job!

The good news is there is another option. ESET. A very good company and you may be familiar with their work for client OS AV. This is the only vendor who has had the smarts to step into the void left by the discontinuation of Forefront.

ESET Security for Microsoft SharePoint Server http://www.eset.com/beta/sharepoint/

The only downside is it’s currently a “beta” but the RTM is coming very soon. But it works great, and has a number of nifty features. The performance reporting is especially useful.

So there you have it. Right now the only option is ESET Security for SharePoint. Hopefully the other vendors will get their act together, but time will tell. If you happen to work for those companies and have news for me, please get in touch and I can update this page (which I will review and update once a month).

Default Active Directory Import User Profile Property Mappings in SharePoint Server 2013

Spence — Mon, 18 Feb 2013 17:00:18 GMT

When using the Active Directory Import (ADI) mode of the SharePoint 2013 User Profile Service, you may be wondering what the default Profile Property Mappings are. Whilst the capability is neat, the use of a shared UI with User Profile Synchronization (UPS) leaves a *lot* to be desired.

Manage User Properties won’t display the mapped attributes, as you can see from the example below. The highlighted rows are some of the properties which are mapped by default.

Similarly when we edit a property, the Edit User Profile Property page does not display the mapped attribute:

Thus by default, there is no way to view the default property mappings from Manage User Profile Service in Central Administration.

Now of course the idea is that you will plan out your property mappings and then implement them, rather than just accepting the default mappings. Once you add a mapping it will be correctly displayed in Manage User Properties:

But of course it would be nice to be able to quickly understand which properties are mapped by default and to which attributes in Active Directory. So here, for your planning pleasure, are the default out of the box profile property mappings for ADI:

AD DS Attribute	SharePoint Profile Property
department	Department
givenName	FirstName
title	SPS-JobTitle (Term Set: Job Title)
sn	LastName
physicalDeliveryOfficeName	Office
displayName	PreferredName
department	SPS-Department (Term Set: Department)
title	Title
mail	WorkEmail
telephoneNumber	WorkPhone

Also watch out for the Edit User Profile page, which also uses a shared UI and the icons denoting a mapped property do not align with the actual mappings by default when using ADI. In the example below the three highlighted properties have the “mapped” icon, but of course these properties are not mapped by default.

Luckily this UI is NOT used for the the end user profile editing experience on the My Site Host.

For more comedy, check out the default mapping of the Work email property, this time when using UPS:

Ooops! :)

Quick and dirty test results: Active Directory Import versus User Profile Synchronization

Spence — Mon, 18 Feb 2013 13:12:01 GMT

One of the most common questions I get regarding the Active Directory Import mode in the SharePoint 2013 User Profile Service is "just how quick is it?" As previously detailed Active Directory Import (ADI) is very fast, especially in comparison to User Profile Synchronization (UPS). But saying it is quick doesn't really mean anything. Each time I present on the topic, the question comes up, "do you have any numbers".

Sadly it's still early, too early, to provide real, solid proven numbers across a range of deployments. In lieu of such appropriate data I put together a very quick and dirty test to give you an idea of the speed of ADI versus UPS.

This simple test used the same machines to perform an import 23,362 user profiles, using the default user profile property mappings using sample attributes in Active Directory (not all attributes mapped were populated). In addition, one of the mapped properties wrote to the Job Title Term Set. No connection filters were used.

No database tuning, or other additional configuration was performed to improve the import time. All settings for both ADI and UPS were left at their default configuration. The tests were performed using a 4Gb single CPU Domain Controller, a 6Gb two CPU SQL Server and a 16Gb four CPU SharePoint Server. All machines run Windows Server 2012 as the host operating system.

Here are the results:

Mode	Full Sync Time
Active Directory Import (ADI)	34 minutes
User Profile Synchronization (UPS)	50 minutes

A 68% difference. Pretty conclusive.

Of course these numbers are not representative of a real deployment, as there were no groups imported. Group processing is one of the biggest influencers of sync time. In a real world AD there would be a number of groups, and of course their membership would vary.

Nether the less, this quick and dirty test gives you an indication of the key benefit of Active Directory Import in SharePoint 2013. It's Usain Bolt, by a mile.

Article: Configuring SharePoint 2013 for the Forefront Identity Manager 2010 R2 Service Pack 1 Portal

Spence — Sun, 17 Feb 2013 05:08:03 GMT

Recently Service Pack 1 for Forefront Identity Manger (FIM) 2010 R2 shipped. For IdM heads, this is really good news. Along with a bunch of interesting updates and new bits and bobs it is now possible to run FIM on Windows Server 2012 and also to run the FIM Portal component on SharePoint 2013.

This article discusses why this is important in a FIM deployment along with the key design considerations. We will also cover how to prepare SharePoint 2013 for the deployment of the FIM Portal, and finally the installation of the Portal itself.

Configuring SharePoint 2013 for the Forefront Identity Manager 2010 R2 Service Pack 1 Portal

Using SSL for Central Administration with SharePoint 2013

Spence — Wed, 13 Feb 2013 01:34:37 GMT

One of the most common requests I get is for an update to my article SharePoint Central Administration: High Availability, Load Balancing, Security & General Recommendations to cover SharePoint 2010 and 2013. Most folks are interested in the SSL parts, which has changed a little bit mainly due to the introduction of Windows PowerShell management in SharePoint 2010.

This reasonably short post will walkthrough the configuration steps necessary. It’s all very straightforward, however there are a couple of critical considerations which I will point out as we go through the steps.

Updated 14/02/2013 to include Windows PowerShell for configuring the IIS bindings with a certificate.

Why run Central Administration on SSL?

Fundamentally it’s to protect credentials. In numerous places in Central Administration we are asked for the credentials of an account and these will be passed back to the server in plain text in a regular installation. CA will actually warn us about that if we can be bothered to read the red warning text in the pages which ask for credentials:

In order to protect the credentials we need to implement some form of Transport Layer Security, and Secure Sockets Layer (SSL) is the most appropriate approach.

Running CA over SSL should definitely be considered a “best practice” and it’s very easy to implement. However the large majority of SharePoint deployments will not bother and the documentation here is non existent (until now).

Configuring the Port used by Central Administration

SSL basically means port 443. We can choose to use another port but it’s a very bad idea to use non default ports so I am not going to cover that in this article, and you shouldn’t be doing it either!

Therefore the first step is to change the port used by CA. When we initially create the farm using PSConfig(UI).exe we are provided with a randomly generated “high port” or we can choose one of our liking. If we are planning ahead we can simply enter 443 in PSConfig(UI).exe:

Similarly if we use Windows PowerShell to create the farm we can specify a port with the New-SPCentralAdministration cmdlet.

New-SPCentralAdministration -Port 443 -WindowsAuthProvider NTLM

Both of these approaches will appear to work just fine, however the result will be that the CA web site in IIS will be stopped. Although we used port 443, the binding used is http! Because there is no host header on this site, and the default web site also has no host header, the CA web site cannot start. Bottom line here, is that PSConfig and New-SPCentralAdministration haven’t been implemented very well from this perspective and simply don’t understand SSL! Ooops!

Therefore a better approach is to create CA using a “high port” and then enable SSL afterwards. We can use port 443 if we wish but we will still have to do the following steps to fix up the binding so that it is https rather than http.

In this example we have originally used port 8080, and we now want to make CA use SSL, so we need to change the port to be 443.

It’s a trivial operation using the Set-SPCentralAdministration cmdlet. Note that we cannot make this change using Central Administration itself so Windows PowerShell is our only option.

Set-SPCentralAdministration -Port 443

In the past we used STSADM to set the port used by CA:

stsadm -o setadminport -port 443 -ssl

In fact we can still use this legacy approach, but we probably shouldn’t as it’s not clear how much longer this guy will be around (hopefully not long!). So we should consider Set-SPCentralAdministration as a direct replacement for the STSADM setadminport operation. However, note that Set-SPCentralAdministration does not include a –ssl switch and there is no means of telling SharePoint that this is a SSL site like there is when creating other web apps (-SecureSocketsLayer).

The good news is that this does NOT present a problem as the Set-SPCentralAdministration cmdlet is smart enough to know that 443 is the port for SSL and will configure the binding correctly in IIS:

Similarly, this cmdlet will update the Central Administration URL in the registry so that the shortcut uses the correct URL (https://servername) without a port.

In short this means we don’t have to care about explicitly telling SharePoint this is an SSL site and we don’t need to run STSADM (for this at least).

At this stage – no matter how we got here (using 443 originally or changing to it afterwards) – the CA site will be inaccessible until we obtain an SSL certificate and further configure bindings in IIS. IIS cannot respond to HTTPS requests unless there is a certificate configured in the bindings of that web site.

Obtaining an SSL Certificate

Before we can use CA over SSL we will need an SSL Certificate. Before we obtain one we should make a decision on how we wish to address CA. In other words, which DNS name we want to use. This is important as in order to avoid certificate warnings, the DNS name used should match the Common Name (cn) used on the certificate.

By default, CA will be running on a single server in the farm, usually the first server in the farm. In that case the address for CA can be a machine name. However if we later move CA to another server, or wish to run CA on more than one machine this address won’t work, and neither will our certificate.

Thus it is sensible to choose a “fully qualified name”, for example spca.corp.contoso.com. That address can then be used throughout the lifecycle of the farm no matter which machine runs CA, or how many. We must also ensure that this address exists in DNS and points to the correct IP address, either an individual server or the virtual IP address of a load balancer. In this example our CA name will be spca.corp.contoso.com and a DNS record points to 10.0.0.50, the address of our server running CA.

Now we have the addressing sorted out, we can go ahead and obtain an SSL certificate. There are a number of options here, and the right choice will always be environment specific.

We can use self signed certificates, which are often considered the easiest. However these certificates will not be trusted and will therefore present warnings when accessing CA.

We could also choose a “real” certificate from a public authority. These cost money and involve paperwork. Not cool!

Another, and perhaps the best, option is to use a certificate from a Domain Certificate Authority should one exist in the environment where our SharePoint farm is at. This of course is a wider conversation that just central administration, but there are numerous advantages of having one of these for SharePoint 2013. I will cover wider SSL considerations for SharePoint in a future post.

For this example we will use an existing Certificate Authority in the domain.

On a machine running CA, we will open up Internet Services Manager and select the computer node in the Connections pane. Then double click the Server Certificates icon in the Features view:

From the Actions pane, click Create Domain Certificate…

On the Distinguished Name Properties page of the Create Certificate dialog, enter the Common Name (which matches the address we decided upon earlier). This is the only value that really matters, we can enter any old values for the others. Click Next.

On the Online Certification Authority page, click the Select button, and then select the Certificate Authority followed by OK. The CAs available in the domain will be automatically displayed.

On the Online Certification Authority page, enter a Friendly name for the certificate. Again this isn’t actually that important, but a good practice is to use the common name, or something else meaningful (e.g. SPCA). Click Finish.

After a few moments the certificate will be issued for us by the CA and will be displayed in IIS. We can double click it to view the certificate.

Now we have a certificate in IIS we can configure the bindings of the IIS Web Site which hosts Central Administration.

Configuring IIS bindings for the CA Web Site

SharePoint is ignorant of SSL settings in IIS so we need to configure these manually. Whilst it is possible to do this via IIS Windows PowerShell cmdlets, SSL bindings are a little complicated so we will first use Internet Services Manager for this example. Afterwards we will look at the Windows PowerShell to achieve the same end result.

Click the Sites folder in the Connections pane and double click on the Web Site, SharePoint Central Administration v4.

In the Actions pane, click Bindings…

In the Site Bindings dialog, select the https binding and click Edit…

In the Edit Site Binding dialog, enter spca.corp.contoso.com as the Host name, check the Require Server Name Indication check box, and select the spca.corp.contoso.com in the SSL Certificate combo box. These settings will be explained in a moment. Click OK followed by Close.

We have now completed the IIS configuration, and we can go ahead and test we can access CA from a browser by navigating to https://spca.corp.contoso.com. If we navigate to one of the pages that accepts credentials (e.g. Register Managed Accounts) the red warning text will not be displayed.

Let’s take a moment to talk about the SSL binding settings we used.

Firstly the Host name (aka Host Header). This isn’t strictly required at this point, as CA is the only SSL Web Application in our farm. However as such it will prevent the creation of any new SSL Web Applications on port 443. Just like with “regular” web apps, SharePoint does a very bad job of dealing with IIS settings. In order to create future web apps using SSL via CA or Windows PowerShell we will need to use the –HostHeader option.

There is nothing we can do about this other than live with it as when creating CA we cannot specify a host header. Unless we resort to using an IP address for each web app, we must use host headers in the same way we do for web apps on port 80.

Next is Server Name Indication (SNI) aka Server Name Identification. For a long time it was the case that it was impossible to have multiple SSL web sites using different certificates on the same IP Address/Port. Therefore a wildcard certificate would be needed. SNI is an extension to SSL implemented in recent versions of IIS which allows the server to present multiple certificates on the same IP Address/Port. We don’t strictly need to check this box but again if we add additional web apps using SSL to this farm in the future it will likely be needed. I will be covering SSL web apps with SharePoint 2013 in much more depth in a future article. For now however, be aware that this setting requires a compatible browser as well as the web server. Recent versions of all the main web browsers support SNI.

The SSL Certificate setting is fairly obvious, we simply select the certificate we obtained in the earlier step. If all we want is CA on SSL and we don’t care about other SSL web apps, then this is the only setting needed.

We can also perform the exact same configuration using Windows PowerShell. IIS bindings are a snap thanks to the *.WebBinding cmdlets, however working with and applying certificates is a little more tricky. It’s not a huge stretch once you are familiar with the IIS:\ provider and the syntax of various binding properties, but it does take a bit of getting used to.

Import-Module WebAdministration

# Name of Web Site in IIS we want to modify the bindings for
$iisSiteName = "SharePoint Central Administration v4"

# Host header
$iisHostHeader = "spca.corp.contoso.com"

# Friendly Name of certificate
$certName = $iisHostHeader

# Remove the existing binding as we cannot update SSLFlags for an existing binging via PoSH
Get-WebBinding -Name $iisSiteName | Remove-WebBinding

# Create new binding with correct SSLFlags, 1 == SNI
New-WebBinding -Name $iisSiteName -HostHeader $iisHostHeader -Protocol "https" -Port 443 -SslFlags 1

# Grab the Certificate
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My" | where-Object {$_.FriendlyName -like $certName}

# Update the binding with the certificate
$cert | New-Item -Path "IIS:\SslBindings\!443!$iisHostHeader"

We first set up some variables for later use, we need the name of the Web Site in IIS, along with the Host Header and the friendly name of our certificate. Now it should be clear why it’s a good idea to use the same name for both!

We then remove the existing binding as the Set-WebBinding cmdlet doesn't allow us to modify the SslFlags directly and create another one using the Host Header and the important SslFlags value of 1, which means SNI. More on the various options here in a future post.

Now we have a binding we need to attach the certificate to it. This is where it gets a little weird as we need to leverage the IIS:\ and Cert:\ providers.

First we grab the certificate by retrieving it from the local store via the Cert:\ provider by means of it’s Friendly name.

We pipe the certificate into a new item using the IIS:\ provider. The path we pass in here is constructed based upon the IP Address, the Port and the Host Header. We leave the IP Address empty because in this example we are using All Unassigned.

The syntax of this path in particular is where most problems arise when working with certificates in IIS via Windows PowerShell, I will be covering this in more depth in a future post. For now the above is all we need to know!

The final step will produce an orange warning in the output, suggesting that our host header and certificate subject don’t match. That’s OK, we can safely ignore the warning as our common name is correct and what really matters here.

You may see on the ‘net lots of examples that use the certificate thumbprint to do these last two steps, like below.

# Grab the Certificate thumbprint
$certThumb = Get-ChildItem -Path "Cert:\LocalMachine\My" | where-Object {$_.FriendlyName -like $certName} | Select-Object -ExpandProperty Thumbprint

# Grab the Certificate and update the binding
Get-Item -Path "cert:\localmachine\my\$certThumb" | New-Item -Path "IIS:\SslBindings\!443!$iisHostHeader"

This approach will work just fine but includes a redundancy as it retrieves the certificate twice. It is not necessary to do this.

Configuring the Internal URL for Central Administration

At this point the URL for CA stored in the registry and used by the CA shortcut and the Internal URL have not been updated. In this example they remain https://sps:

In order to update the registry key and internal URL, we simply update the Internal URL to be the one we desire (https://spca.corp.contoso.com/).

Central Administration –> System Settings –> Alternate Access Mappings

Click the existing Internal URL, edit it and click OK.

Or by using the following Windows PowerShell:

Set-SPAlternateURL -Identity "https://sps" -Url "https://spca.corp.contoso.com"

Now our CA shortcut will open the correct URL, as the value is updated in the registry.

Conclusion

That’s it. It’s actually very simple stuff. We effectively perform four steps:

Configure the port used for Central Administration
Obtain an SSL Certificate
Configure IIS bindings for the Central Administration Web Site
Configure the Internal URL for Central Administration

Simple enough to mean that everybody should be using SSL for CA!

Like most things SharePoint however there are a couple of key planning considerations. Addressing CA, i.e. the name used to access CA and whether or not we will have more SSL web apps in the future. We should also decide which type of certificate we will use and where to obtain it from.

Article: Request Management in SharePoint Server 2013

Spence — Mon, 12 Nov 2012 00:03:18 GMT

SharePoint Server 2013 introduces a new capability called Request Management. Request Management allows SharePoint to understand more about, and control the handling of, incoming requests. Request Management employs a rules based approach, which enables SharePoint to take the appropriate action for a given request based upon administrator supplied configuration.

This new article series will provide comprehensive coverage of the new Request Management capability in three parts:

Feature Capability and Architecture Overview
Example Scenario and Configuration Step by Step
Deployment Considerations and Recommendations

Please note that this article applies to SharePoint Server 2013 RTM.

Speaking Engagements – Autumn 2012

Spence — Wed, 26 Sep 2012 21:34:25 GMT

It’s once again silly season with SharePoint conferences (when isn’t it? :)) but this autumn it’s a bit more fun as we are able to discuss SharePoint 2013. I’ll be doing a few events over the next couple months.

SharePoint and Exchange Forum 2012 – Stockholm, Sweden. October 22-23.
This is a great event in a very cool place. Looking forward to going back to Stockholm for a few days and catching up again with some good friends and meeting some new ones. I’ll be presenting a couple of breakouts:

Host Named Site Collections: The Path to the Cloud
IT-Pro, level 300
The single most important change from an infrastructure perspective in SharePoint 2013. Yes really, even thou it's not really a change, for those of you who have been using them for ages...
But for the majority of SharePoint practitioners it's a significant step change, in terms of how you think about logical architecture design, how you talk to customers, and how you implement site collections. This session will cover the improvements to Host Named Site Collections in SharePoint 2013 along with the design rationale and key consideration points for your deployment
Request Management in SharePoint 2010
IT-Pro, level 300
SharePoint 2013 includes a compelling new Request Management service, which gives much greater control over how incoming requests are processed. Learn about how Request Management enables request routing to ensure server health, request prioritization, and the implementation of server machine pools for large deployments. Understand the key components of the Request Manager and RM Routing, RM Pools and Execution Groups. This session will demonstrate how to configure Request Management for a number of key deployment scenarios.

SharePoint Conference 2012 – Las Vegas, Nevada. November 12-15.
The big daddy. Promises to be *the* community event of the year. I’ll be doing various activities related to the MCSM and MCA programs as well as customer events and I’ll also be presenting a couple of breakouts:

User Profile Synchronization Best Practices in SharePoint Server 2013
Discover the changes and new capabilities in the foundational service for Social deployments of SharePoint Server 2013 and get the real deal on configuring User Profile Synchronization in this demo and best practices heavy session. This session will cover the architecture of the User Profile Service Application, the new AD Direct Mode and provide a walkthrough of the configuration requirements and setup. Understand the key architectural considerations in terms of high availability, scalability and geographic deployments. Also covered will be general UPA related best practices in terms of synchronization, policy and privacy and leveraging social features inside the enterprise This session will be split 60/40 between demonstrations and lecture.
Request Management in SharePoint 2013
SharePoint 2013 introduces a powerful new capability called Request Management, which allows SharePoint to understand more about, and control the handling of incoming requests within the farm and across farms. Learn how Request Management enables request throttling and routing to ensure server health, request prioritization, and the implementation of server machine pools for large deployments. Understand the key components of the Request Manager and RM Routing, RM Pools and Execution Groups. This session will also demonstrate how to configure Request Management for a number of key deployment scenarios.

SharePoint Connections Amsterdam 2012 – Amsterdam, Netherlands. November 20-21.
Right after we return home from SPC we’ll be in Amsterdam for a new event (albeit with a familiar name). I’ll be presenting a couple of breakouts:

Rational Guide to SharePoint Server 2013 User Profile Synchronization
Discover the changes and new capabilities in the foundational service for Social deployments of SharePoint Server 2013 and get the real deal on configuring User Profile Synchronization in this demo and best practices heavy session. This session will cover the architecture of the User Profile Service Application, the new AD Direct Mode and provide a walkthrough of the configuration requirements and setup. Understand the key architectural considerations in terms of high availability, scalability and geographic deployments. Also covered will be general UPA related best practices in terms of synchronization, policy and privacy and leveraging social features inside the enterprise This session will be split 60/40 between demonstrations and lecture.
Request Management in SharePoint 2013
SharePoint 2013 includes a compelling new Request Management service, which gives much greater control over how incoming requests are processed. Learn about how Request Management enables request routing to ensure server health, request prioritization, and the implementation of server machine pools for large deployments. Understand the key components of the Request Manager and RM Routing, RM Pools and Execution Groups. This session will demonstrate how to configure Request Management for a number of key deployment scenarios.

I hope to see some of you at these events. We are also in the middle of planning out additional SUGUK meetings for the north and Scotland. Stay tuned for more on that in the near future.

What's new in SharePoint 2013 for IT Professionals: Critical Path SharePoint 2013 Office Hours

Spence — Wed, 12 Sep 2012 17:23:21 GMT

Critical Path Training have been running a series of SharePoint 2013 Office Hours, where you get a chance to ask your burning questions regarding the new version.

I’m happy to be doing one of these along with my good friend Andrew Connell on September 18th at 2pm Eastern – that’s 7pm GMT or 8pm CET. The subject is What’s new in SharePoint 2013 for IT Professionals.

Ask your infrastructure and operations questions about the new version of SharePoint here! We'll look at the highlights for IT Pros in the 2013 release along with coverage of the new concepts critical to successful SharePoint 2013 deployments.

Make sure you register and login early & submit your questions!

» CPT Office Hours: What’s New in SharePoint 2013 for IT Professionals (register here)

The best cloud app, ever, by a country mile

Spence — Sun, 02 Sep 2012 09:58:44 GMT

I’m always being asked about tools. Tools to help me cheat, tools to help me be quicker, tools to avoid the need for thinking. Tools that make a SharePoint person’s life better. That sorta thing. Often times tools I will mention have nothing to do with SharePoint, but are simply what I consider to be core elements of operating a Windows based infrastructure.

One set of those tools are the Sysinternals utilities from Microsoft. Since day dot of my life as a Windows NT monkey, I’ve used these. Every box has them. I was using Windows Live Mesh to make sure I had them on all my client machines, and they are baked into my sysprepped server images. But what about when Mark or someone else comes along and updates one of them?

Well my buddy and fellow MCA, Wictor Willén put down his Visio and PowerPoint for the weekend and has created the answer. What is easily, by far and away the most useful “cloud” app ever created (at least so far!).

It’s a little system notification tray app, which will automagically sync the Sysinternals distribution with a folder on your hard disk. I’ve set mine to sync with a folder in SkyDrive. So I only really need to run it one machine.

Ahh, it’s a thing of beauty. Wouldn’t it be nice if SkyDrive has this sort of capability baked in? For example, “subscribe to Sysinternals”.

Get the app here.

Word! That’s how a real architect rolls! :)

Four months with the Cambridge Audio Stream Magic 6

Spence — Wed, 29 Aug 2012 18:31:10 GMT

In July 2011 I purchased the Cambridge Audio Sonata NP30, a network music player. After about six months of use I posted a detailed review, which was somewhat surprisingly popular. Often people I meet in work related situations will want to talk more about tune streamers than some facet of SharePoint! :) In early May I got me the Stream Magic 6, and again here is a review after a period of extensive use (roughly four months), as opposed to the claptrap you will read in “hi-fi” rags that only used the thing for half a day!

The Stream Magic 6 (SM6) is Cambridge Audio’s first foray into the mid market for network music players. £300 more than the NP30, at £700 it competes with the likes of Yamaha and Pioneer, but not of course the likes of Linn etc. It certainly is a welcome step up from the NP30. In some ways the SM6 could be considered a combination of the NP30 and a DacMagic+. However that is a slightly unfair statement, and there’s more too it than just combining the two capabilities in a single box.

I’ve been using it for approximately four months and have it hooked up to a Sony STR-DA5600ES using the RCA outs and 2 Channel Direct thru to a pair of Sony SSK-70EDs. Here’s the SM6 in situ (in my rather awful rack):

click to view full size image

Industrial Design

It’s immediately clear the SM6 is a step up in terms of design and construction from the NP30. Obviously the SM6 is a full width component which makes it much more at home with “serious” gear (the NP30 is really designed to be coupled with other Sonata components). Build quality and finish are far superior. Different (better) materials are used for the front panel and it’s also much weightier. Whilst it’s somewhat similar to the NP30 it just looks and feel more professional and the differences are significant. Alongside the addition of the filter controls (more on that later) the jog shuttle is really good, with excellent tactile operation. Much better than the one on the SM6. And then there’s the display which was one of my biggest gripes about the NP30:

click to view full size image

Whilst it’s still the same overall size this display is MUCH better. A much higher “resolution” is used making it seem a lot less dot matrix, and it is much more readable from reasonable distances. Also it’s a much cooler blue, and in fact it very closely matches my receiver display (and that of a CA One+). When the unit boots there is even some “artwork” which points to this display being able to do more interesting things than what it’s used for on the SM6.

There is also an additional row on the display. This makes a huge difference to usability from the front panel or supplied remote control. One of the biggest drawbacks to the NP30 was the inability of the display to show enough information leading to an almost constant scrolling of the display and having to wait for the scroll. This is now much less frequent as more characters can be shown and the extra row means navigation and selection is far easier. It would be nice if the display was slightly wider for sure, but whereas the NP30 display was just cheap and nasty, this display is quality.

Another of my complaints about the NP30 was the inability to turn the display off when listening. This has been addressed with the SM6 by allowing three levels of brightness, one of which is “off”. It’s not actually off but it’s so dim that from more than about 3 feet you can’t see it:

click to view full size image

So not off off! Which would be nice, but good enough to prevent the display being annoying when seriously listening.

Hook Ups and DAC

Alongside the basics (WLAN, LAN, RCA outputs and SPDIF and TOSLink digital inputs) the SM6 acts as an up sampling DAC for all sources. It effectively has the same feature set here as the DAC Magic+. On the rear is a USB input, which can handle up to 24/192 from a computer (for Windows via a CA driver). I guess this is seen as a neat feature, but I haven’t used it other than to test that it functions. For my needs I don’t care about this capability at all! I won’t be connecting this guy to my laptop very often! There are also XLR outputs should those be your bag.

You can also enable the unit to act as a pre-amplifier for active speakers if you so wish (I don’t). As with the NP30 there is also a USB port on the front to allow the use of memory sticks and so on.

Sound Quality, Formats and Performance

Now for the real stuff. It sounds superb. The majority of my library is 16/44.1 and it really does shine. The ATF2 up sampling is used for all sources. You can clearly tell that a rip of a CD is not quite up to the quality of my SACD player, but it’s also clearly better than the NP30. For £700 this unit seriously kicks ass. It’s very tight, there’s no drop off either at the low end. Extremely good spacing, and vocals and strings are simply stunning.

Feed it some good 24/96 and it gets even better. Anything over that is a bit tenuous especially given today’s mastering approaches, but this player can’t play them anyway. Only the Computer USB input can do 24/192. I would like the unit to support this over the stream, but I only have a very small amount of music in this format. I really don’t yet buy that 24/192 is of any practical use for stereo recordings at present.

Give it some crap MP3 or whatever it also does a great job of making them sound half decent. But if that’s your source material you should just do Sonos anyway! The unit also has some “streaming services” such as BBC etc that I don’t really use. I have setup a bunch of ‘net radio thou for the odd things I like (e.g Candy Dulfer’s friday nite funkathon).

Performance wise it is rock solid, like a brick house. Much better over the WLAN than the NP30 although I use the LAN, and actually this stuff is more to do with firmware updates than the unit itself.

Whilst not initially available, firmware updates provided gapless playback, which really should be considered a pre-requisite feature for a player of this ilk. Thankfully almost immediately after I got the unit I was able to use betas of the firmware. Gapless works just right, no missing stuff, unless you play via digital outs, which you shouldn’t be doing anyway!

The up sampler has three filters, similar again to the DacMagic+ and found on high end CD players etc. The differences are clearly audible and deserve experimentation depending upon the source material. I have mine set using the minimum filter as the default.

Usability

As mentioned above front panel and remote control usability is significantly improved. The Android and IOS app is also improved, and now uses the name Stream Magic. I have only used the IOS version on an iPad. It’s a lot better than the previous UuVol. I still wish however that CA would open up application development. I can’t use a UPnP control app like Kinsky, and in the near future I definitely want to control this bad boy using a Microsoft Surface. In the meantime, the IOS app still suffers the odd mishap when it gets confused but overall it’s much more usable.

Conclusion

The SM6 is the best mid market network music player. At a fantastic price it really delivers the goods. The focus on sound quality is very pleasing, other players have better controls/apps, but they simply don’t sound as good. And that is what it’s all about (or at least should be). I’m sure plenty of people will also like the Computer USB feature but that’s not for me.

Here’s a summary of the pros and cons.

Pros

stunning sound quality and musical performance
exceptional FLAC handling over the LAN
very high quality build
great value for money
zero server side lock in

Cons

no open control app development
no track remaining time display
no support for above 24/96 for streamed content
filter/phase led stays on when display is turned “off” (minor gripe)

If you are in the market for a good value network player, and you care about musical performance I strongly encourage you to listen to the Stream Magic 6!

What have I done with the “old” NP30? Well that’s now in the bedroom hooked up to CA One+ system which is a very nice combination, although perhaps a new version of One+ will be introduced with the capabilities built in. It certainly seems as if CA are leveraging the streaming and DAC stuff across their components more and more over time.

Seventh edition of the free DIWUG SharePoint Magazine

Spence — Thu, 23 Aug 2012 11:54:46 GMT

The best free SharePoint magazine published online, the DIWUG SharePoint e-Magazine, have released their seventh edition. As usual this is a great edition with a mix of articles written by SharePoint community members.

I contributed a two part article series, of which part two is featured in this magazine:

Real World Service Application federation with SharePoint 2010 Part Two
In the 6th edition of DIWUG eMagazine (#6) Part One of this article covered the basic capability of Service Application Federation along with the required configuration. Following on from part one, this article turns its attention to high availability, security, enterprise deployment considerations and the design constraints which are fundamental to successful implementation of Service Application Federation.

Whilst the article is focused on SharePoint 2010, almost all of the content is also applicable to SharePoint 2013. Also in this edition are articles by Ton Stegeman, Bert Jan van der Steeg and Joe Capka.

Check it out over at the DIWUG site!

Article: Request Management in SharePoint Server 2013 Part Two: Example Scenario and Configuration Step by Step

Spence — Wed, 08 Aug 2012 05:45:43 GMT

In the first part of this article series I covered the feature capability and provided an architecture overview of Request Management, a new capability introduced with SharePoint Server 2013. Request Management allows SharePoint to understand more about, and control the handling of incoming requests. This second part details an example scenario and provides a step by step of the necessary configuration.

Please note that this article applies to SharePoint Server 2013 RTM.

Feature Capability and Architecture Overview
Example Scenario and Configuration Step by Step (this article)
Deployment Considerations and Recommendations

Enabling Office Web Apps Preview editing with SharePoint 2013 Preview Licensing

Spence — Mon, 30 Jul 2012 02:50:36 GMT

As you maybe aware there are a veritable ton of cool new capabilities in the latest release of Office Web Apps Preview. It really is a killer piece of tech. This post walks you through how to configure Office Web Apps editing in your SharePoint farm, which is not as “automatic” as you may imagine. We’ll also take a look at an interesting new capability in SharePoint 2013 Preview for license enforcement.

Please note that this article applies to the Office Web Apps Server and SharePoint 2013 Preview release. Things are likely to change between now and the final releases. I will update this article shortly after RTM.

Some background on Office Web Apps Server Preview

With this release Office Web Apps (OWA) is no longer a set of SharePoint Service Applications, and the deployment of a separate OWA farm is necessary. This is a good thing! Despite the need for “more” servers than before, it allows OWA to provide it’s services to things other than SharePoint, avoids the common pitfall of resource scrimping deployment and fundamentally allows OWA to be revved independently from SharePoint. Take a look at task manager from a newly minted OWA server which has just been booted and is not responding to any requests:

The highlighted processes are all OWA related (with a couple more below the second image). Probably not a good idea to have all that running alongside SharePoint and it’s Velocity and NodeRunner gubbins!

So we need a OWA farm. OWA installation will be blocked if SharePoint is already installed. It’s no big shakes, we need a few prerequisites installed (including the Ink and Handwriting Support Windows Feature if we are using the same base image as we do for a SharePoint box). Once we’ve installed the bits, we run a Windows PowerShell cmdlet (New-OfficeWebAppsFarm) to create the OWA farm. Then we configure a connection between the SharePoint Farm and the OWA Farm using the New-SPWOPIBinding cmdlet and the Set-SPWopiZone cmdlet. Head on over to Steve’s blog for the details of this stuff.

Also check out my buddy Ali’s post on leveraging Microsoft Translation Services with OWA.

Viewing in Browser from SharePoint Server 2013 Preview

Great. So far so good. As this point we can now use OWA from our SharePoint sites to open files in the browser by choosing View In Browser from the item’s context menu. Also note the uber cool preview provided.

It’s worth noting there is no longer any Site Collection scoped feature for this stuff as in SharePoint 2010 with OWA. We still have the library options to control the defaults for a library and the Site Collection scoped feature for opening documents in the client apps.

As you would expect when we click the View in Browser option, OWA opens the file in view mode.

Awesomeness. But as cool as it is, we want to be able to edit that sucker. The only menu we see is OPEN IN EXCEL. We want to see the EDIT menu, and also be able to choose the Edit in Browser context menu option. And yes, those really are all caps menus!

If we try and open up a file in Edit mode, we will see a dialog similar to the below:

Enabling Edit in Browser

In order to allow editing we need to configure our OWA Farm to allow editing. This is a simple additional configuration step in Windows PowerShell. We could also have added this switch to the initial command when we created the OWA farm.

Set-OfficeWebAppsFarm -EditingEnabled

Easy peasy, lemon squeezy. Now we can go ahead and use the edit mode and also the EDIT DOCUMENT menu item is available when viewing.

However, what if we want to allow editing via OWA to only a distinct set of users?

SharePoint Licensing to the rescue!

Which brings us to a new capability in SharePoint Server 2013 Preview named Licensing. All you all thought I was about to start on a rant about licensing SKUs and cost and what not!

As you are probably aware for many years now it is an incredibly common customer request to be able to deploy a single SharePoint farm but have only a certain group of users be able to access Enterprise features. Thus saving money (at least until the deployment is widely adopted) on those premium Enterprise CALs. The only way to do it properly from the technical side was to deploy two separate farms (one Standard and one Enterprise) which from a collaboration point of view sucked!

In SharePoint 2013 Preview, administrators can now assign licenses to users and enable license checks. W00t! These checks are effectively enabled by leveraging claims. The canonical example here of course is by using an AD Security Group.

Once again this new capability has no user interface whatsoever and it’s all configured and managed by Windows PowerShell cmdlets.

Unsurprisingly OWA also can leverage the SharePoint Licensing capability. SharePoint is “aware” of OWA (and Project Server) and it includes these in the set of licenses. We can check this out by executing the following Windows PowerShell which will list the license types.

Get-SPUserLicense


License                                                                                                                                                                                                                                                          
-------                                                                                                                                                                                                                                                          
Enterprise                                                                                                                                                                                                                                                       
Standard                                                                                                                                                                                                                                                         
Project                                                                                                                                                                                                                                                          
OfficeWebAppsEdit

The one we are interested in of course is OfficeWebAppsEdit. Let’s go ahead and add (for the purposes of demonstration only) Domain Users to that license. The first thing we do is create a license mapping which connects the security group to the type of license. Then we add that mapping to the current configuration. Then we turn on Licensing (the capability is off by default).

# create a license mapping and add it to the current mappings. we could of course pipebind these together
$lmap = New-SPUserLicenseMapping -SecurityGroup "Domain Users" -License OfficeWebAppsEdit
$lmap | Add-SPUserLicenseMapping

# turn on licensing
Enable-SPUserLicensing

Note that if we use the –SecurityGroup parameter, the group’s existence is validated when we execute the cmdlet as is the license. We can also use the –Role parameter, or custom claim types and values.

We can also view the current license mappings.

Get-SPUserLicenseMapping


Identity       : 6593aea1-efa8-4d1c-839b-13e5ae9e9f5a
License        : OfficeWebAppsEdit
Name           : Domain Users
ClaimValue     : S-1-5-21-3910503199-1739462322-41582061-513
ClaimType      : http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
OriginalIssuer : Windows
ValueType      : http://www.w3.org/2001/XMLSchema#string

Sweet, huh? License enforcement my means of user claims all automatically handled for us by SharePoint 2013. All of this is a another very good reason why you want to use SSL for the WOPI Binding.

Article: Multi Tenancy with SharePoint 2013: What’s new and changed

Spence — Sat, 28 Jul 2012 18:40:00 GMT

SharePoint 2013 Preview introduces a number of new elements and considerations for multi tenancy deployments. This article is intended as a companion to my Rational Guide to Multi Tenancy with SharePoint 2010 article series and will cover what’s new and changed in this release with respect to configuration and functionality. It is assumed you are familiar with the material in the article series.

This article is verified against SharePoint 2013 RTM.

Multi Tenancy with SharePoint 2013: What’s new and changed