Ian's SharePoint Blog

WSSDemo.com in need of a facelift and SharePoint Gives Back

Ian Morrish — Fri, 03 Jul 2009 20:31:00 GMT

WSSDemo first went live on a beta of WSS 3.0 on 20/05/2006 (based on this resource entry ) and has pretty much looked the same for the last 3 years. The only thing that has really changed is the amount of content on the site. One area in particular that has grown is the list of public web sites that are built on the Office SharePoint Server 2007 platform. This list has grown to over 640 sites and I have included a highlight of 100 sites that I thought were the top ones that people might want to check out.

I see that someone has copied my idea (who knows what their source was;-) and, although I could be annoyed by this, it has instead spurred me into action. Rather than filling my pages with Google adds to make money from other peoples content, I have decided to start a SharePoint Gives Back donation scheme (corny, I know, but here is my plan).

I will let partners who have built sites on SharePoint for customers have:

Their logo (160*160 px max) and hyperlink to any page, in the site list for each site they created.
A link to any case study they may have for a site in the list.
Listing in a new page showing donating partners who have built SharePoint sites with a preview of their created sites

All this in exchange for a US$100 or greater donation to https://donate.worldvision.org/.

The listing will be valid for 12 months from date of donation (email proof required). Partners can also be listed for Intranet sites so long as they can provide at least 1 screen shot of the Intranet (preferably 2 so that we can see some variety & MySite implementations) with the customers' permission for it to be used on WSSDemo.com (this will be another category in the site list).

If I get positive feedback from at least 10 partners then I will go ahead with this so please let me know via this form (no commitment at this stage but valid email address and partner name required) and lets raise some money for a good cause.

I hope to work on a graphical facelift for the site based on the VSeWSS 10 demo themes. I have used one of these themes on my NZ Community SharePoint Conference demo site http://templates.wssdemo.com/sites/community so anyone with some creative ability who can help would be much appreciated (content is king but if it don't look cool, someone else will make it look cooler).

Finally, thank you to everyone who keeps encouraging me that WSSDemo is a valuable resource.

Demo site for NZ Community SharePoint Conference

Ian Morrish — Thu, 02 Jul 2009 21:04:00 GMT

This is the demo site I built during my presentation on the Data View aka Data Form web part presentation at the New Zealand Community SharePoint Conference today. The PowerPoint deck is also on this site.
http://templates.wssdemo.com/sites/community/

Thanks to everyone who gave me feedback and the problem with one of the web parts in my demo was that I had select the wrong parameter value in the connection. That's what happens when you try and cram a 75 minute session into 45 minutes...

Reporting Services 2008 in SharePoint Integrated Mode

Ian Morrish — Thu, 18 Jun 2009 18:31:00 GMT

It seems that I have a different experience every time I install this configuration.

A few key points if you are thinking of doing this:

Integrated mode only works for SharePoint Web Applications on the Default Zone
Integrated mode will not work on a Web Application that has Anonymous access enabled

If you have a multiple SharePoint Server Farm:

Install the SSRS SharePoint Add-in on the server hosting Central Admin first
Instruction say that you only require a "Files Only" install of the add-in on the other WFE's but this is not enough.
copyappbincontent stsadm command must also be executed on each WFE
If using Kerberos and NLB, the DNS entry for the Web Application URL must be an A record, not CNAME
Even if you have configured Kerberos on your MOSS farm, clients might still be authenticating using NTLM if this is not an A record
(KerbTray and http://www.wssdemo.com/Blog/archive/2009/06/12/Testing-SharePoint-Kerberos-Configuration.aspx will help confirm/debug this)

I struck all of these problems across 2 customers in the last 2 days...
This is probably a session I should have submitted for the NZ Community SharePoint Conference 2009. Maybe I will change one of my TechED NZ sessions to this. Would anyone attending NZ TechED be interested in this?

Testing SharePoint Kerberos Configuration

Ian Morrish — Fri, 12 Jun 2009 10:09:00 GMT

I found this nice asp.net application by to test end-to-end Kerberos functionality.
http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx

By installing this application in a virtual directory of the IIS site hosting my SharePoint Web Application, I was able to confirm the SSRS reports hosted on the WFE would support integrated security through to the Reporting Server (SSRS not installed on the WFE) and that SSRS could connect to SQL or Analysis Services data sources also using integrated security (more on the enterprise deployment of SSRS on multi-server MOSS Integrated reporting solution using Kerberos in a future post). This required a triple hop impersonation.

Output from my test farm:

Process Identity

Domain Account?

DOMAIN\svc-moss-app is a valid domain account.

Explanation

Only accounts that are in Active Directory (domain user or computer accounts) can participate in Kerberos. This is because it is the domain controller (a.k.a. Key Distribution Center) that grants Kerberos Tickets. Local accounts are not recognized by Active Directory and cannot obtain Kerberos credentials. SYSTEM, Network Service, and Local Service are considered domain accounts as long as the server is part of a domain, however, Local Service cannot obtain network credentials for communicating with back-end servers.

Has a valid SPN?

A usable ServicePrincipalName of HTTP/Intranet.DOMAIN.org.net is configured on the DOMAIN\svc-moss-app account.

Explanation

This SPN will allow HTTP (Hyper Text Transfer Protocol) clients to connect to this particular service using Kerberos when:

The target process is running as DOMAIN\svc-moss-app

...And...

The host name portion of the URL or connection string is intranet.

Existing SPN's for DOMAIN\svc-moss-app:

HTTP/Intranet.DOMAIN.org.net

HTTP/Intranet

HTTP/mosswfe.DOMAIN.org.net

HTTP/mosswfe

An SPN (Service Principal Name) is much like a UPN (Universal Principal Name). UPN's are unique names for identifying a domain user account whereas SPN's are unique names that usually identify a domain computer account. An example of a UPN would be "myAlias@america.microsoft.com" instead of the standard "AMERICA\myAlias". Domain computers are granted two ServicePrincipalNames of type "HOST" by default when they are joined to the domain. Domain users are not granted any ServicePrincipalNames because their unique identifying name is generally a UniveralPrincipalName.

Duplicate SPNs?

There are no duplicates SPN's.

Explanation

Because an SPN is essentially a "username" for a service, a given SPN cannot be set on more than one account (user or computer account) at a time. If the same SPN is set on more than one Active Directory account, Directory Services will frequently create a ticket based on the account that has the "duplicate SPN". This "duplicate" is then sent to the server/service but the service will fail to decrypt the ticket propertly since it was created based on a different account.

Trusted for Delegation?

Account DOMAIN\svc-moss-app is Trusted for Delegation with Kerberos Only when connecting to any service

Explanation

			When selecting "Trust for delegation" or "Trust for delegation using Kerberos only" (Windows 2000 version of Kerberos) the trusted account will be able to pass credentials to any other server or workstation in the domain. For this reason it is much more secure to use "Constrained Delegation" in a Windows Server 2003 domain.
			It is NOT necessary to trust this account for delegation unless it needs to PASS credentials onto another server. "Trust for delegation" does not effect whether or not a user can connect to IIS with Kerberos. It only effects whether the user's token can be passed on to another backend computer from the IIS server. DO NOT trust this computer or any other account for delegation when attempting to get Kerberos working unless a process running under that account will also be passing credentials.
			By default when using "Integrated Windows Authentication" through IIS, the authenticated user is granted a "Network Token" that cannot be passed to any other computers. When using delegation, the Token then can be passed to other computers as long as the user successfully connected with Kerberos credentials. This can have security implications because trusting an account for delegation essentially means that the account is being granted authority to do some actions that normally only a domain controller would be able to do.
			The dictionary definition for "delegation" is when one is appointed to act on behalf of another. So in Windows terms when an account is trusted for delegation that means that the account is trusted to act on behalf of an authenticated user.

Backend Server

Domain Account?

DOMAIN\svc-moss-sql is a valid domain account.

Explanation

Has a valid SPN?

A usable ServicePrincipalName of MSSQLSVC/SQL.DOMAIN.org.net:1433 is configured on the DOMAIN\svc-moss-sql account.

Explanation

This SPN will allow SQL (Structered Query Language) clients to connect to this particular service using Kerberos when:

The target process is running as DOMAIN\svc-moss-sql

...And...

The host name portion of the URL or connection string is sql.

Existing SPN's for DOMAIN\svc-moss-sql:

MSSQLSVC/SQL.DOMAIN.org.net:1433

MSSQLSVC/SQL:1433

Duplicate SPNs?

There are no duplicates SPN's.

Explanation

Authenticated User

Domain Account?

DOMAIN\Administrator is a valid domain account.

Explanation

Authentication Method?

You have connected from your browser to IIS using Kerberos authentication.

Explanation

			Although IE has successfully connected to IIS using Kerberos it is still necessary to ensure the rest of the items in this list are properly configured in order for delegation to work also.
			View authorization header (this is for informational purposes only)

Overall Status

Will Delegation Succeed?

The current configuration is correct for Delegating credentials with Kerberos.

Explanation

All the necessary items for delegating Kerberos credentials are configured correctly.

Annoying Search Results Bug

Ian Morrish — Tue, 09 Jun 2009 22:13:00 GMT

I wasted a few hours on this last week and another couple of hours trying to confirm exactly under which circumstances the problem happens.

The Search Core Results web part returns some standard xml elements in the results. I wanted to get the document library name for documents returned in the search results. To do this you can use the <url> and <sitename> values with the substring-after XSLT function to trim the site name off the absolute URL which then lets you use substring-before / to get the document library part of the url (ignoring any folders that may exist in the file path).

The thing with XSLT string functions is that they are case sensitive and although the full item <url> in the results retains the case of any characters used when creating site and library names, the <sitename> element sometimes converts the site url to all lower case.

On one of my servers, if the document is in a folder of a document library of a site collection that has capital letter in the site name, the site url is converted to all lowercase. For all other documents in the root folder of libraries, the site url retains the correct case. On another server, any documents in a site collection under a managed path that has an upper case letter in the url suffers this problem.

The only thing I haven't tested is a search center sub site in the same site collection as a sub site with uppercase characters in the site name.

This means that I had to convert both the <url> and <sitename> values to lower case first (now that sounds like standard programming best practice anyway).

Three Pillars of SharePoint Governance

Ian Morrish — Mon, 08 Jun 2009 22:50:00 GMT

My thinking on this after a customer asked me to define SharePoint Information Architecture (IM on IM ;-).

SharePoint Governance

Most Microsoft solutions are governed by the standards and guidelines that are focused around operations and development. These have already been well defined by Microsoft and various people in the SharePoint community. A key component of the SharePoint platform is the ability to manage information which requires IM disciplines normally found in EDRMS or Data Warehouse (e.g. Master Data Management) practices. The IM pillar of a SharePoint governance strategy must be defined in order to design and maintain an effective enterprise SharePoint platform.

Information management

Information management responsibilities are often spread throughout an organization. Examples are:

Corporate Communications – Branding material
IT – Network file Shares
Applications – Database storage
Legal – Record retention/disposal
Web Master – Internet/Intranet content

(of these, the network shares are most out of control so best not have IT define the use of SharePoint ;-)

Figure 1: Three Pillars of SharePoint Governance

Microsoft is very good at providing documentation (timing aside) and certifications for the IT Pro and Development requirements for SharePoint but there is an equally if not higher importance to be placed on the business requirements of Information Management which is responsible for.

No substance here, that is reserved for the customer...

Upcoming events for which I have to create presentations

Ian Morrish — Sun, 07 Jun 2009 12:30:00 GMT

I have never been one for regurgitating old or other people's presentations which means I create a lot of work for myself. These are the presentations I'm working on:

NZ SharePoint Conference, July 2-3 (Building apps/smash-ups with Data View/Form web part)

USA TechReady, 9 July 27-31 (SharePoint 2010 Enterprise Taxonomy stuff)

NZ TechED, September 14-16 (2 sessions, TBA)

Not as impressive as Joel's list... but I also have consulting utilization targets to achieve at the same time.

SharePoint Content Type, Document Template and Default Metadata Choice in Custom DIP

Ian Morrish — Thu, 28 May 2009 22:14:00 GMT

Something new that I did today...

Scenario

A Document library with metadata column for DocumentType.
There are about 20 document types in the lookup and a site collection field that references this list.
A Base Content Type that includes this lookup field
5 Content Types that inherit from the base
Not all of the document types have an Office template which is why there are fewer content types.

When a user creates a new document from one of the content types that does have a 1:1 relationship with a document type (e.g. Fax) then I want the Document type value to be automatically selected in the Document Information Panel.

When you create the custom DIP form in InfoPath, under the Tools menu you will see a Default Values option which brings up this dialog box.

The default value is set to the item ID for the lookup value in the Document Types list.

When a new document is created using this content type, the correct metadata value is selected from the choice list

Building a Slipstream SharePoint Install for SP2 – the Fine Print

Ian Morrish — Sat, 09 May 2009 10:42:00 GMT

Just wanted to highlight an update to the instructions on http://technet.microsoft.com/en-us/library/cc261890.aspx that is not mentioned in many of the blog postings that also suggest how to build your MOSS slipstream install.

Important:

Delete Wsssetup.dll because it may conflict with Svrsetup.dll.
Having both Wsssetup.dll and Svrsetup.dll in the updates folder for a slipstreamed installation source is not supported.

I have to add a new WFE to an existing farm that is still running SP1 + the Infrastructure Update (nothing post that).
Should I:

Add the new WEF using the original SP1 + IU update install and then upgrade the entire farm to SP2
or
Upgrade the current farm to SP2 and then add the new WFE using the SP2 slipstream install

I would (and did) go for option 2. The main reason is that I want the most stable platform possible before introducing any architectural or application changes.

Installing SharePoint Server with .Net 3.5 SP1 pre-installed

Ian Morrish — Wed, 06 May 2009 08:20:07 GMT

There have been several problems caused by security changes in .Net 3.5 SP1 that affect .Net 2.0 & 3.0 functionality that MOSS relies.
These issues can now be prevented by installing the hot fix mentioned in http://support.microsoft.com/kb/959209/ before you install MOSS.

Note: the "local loopback" detection will still be an issue for host header address (or other DNS entries) that resolve to the local host.
See http://support.microsoft.com/kb/896861 (go with option 1 for productions systems).

SharePoint 2007 SP2

Ian Morrish — Tue, 05 May 2009 07:32:00 GMT

I have upgraded wssdemo.com to SP2 but not after trying the upgrade on several VPC's to ensure that all would go well. Of course there was one small problem. The Central Admin server installed WSS SP2 fine but the MOSS SP2 file failed with a generic MSI error 1603. A reboot of the server fixed this. The reboot however installed a number of other Windows Updates that were pending which caused search to stop working (I use a dedicated server for search so the loopback detection was blocking access). Next time I would reboot all servers in the farm before applying SP2 and then check the event & error logs for any issues before upgrading.

One of the fixes in SP2 means that the WSRP demo now works much better (once you authenticate) http://www.wssdemo.com/Pages/wsrp.asp

New STSADM commands with SharePoint SP2

Ian Morrish — Fri, 01 May 2009 10:15:00 GMT

Use the variationsfixuptool operation This article describes how to use the Stsadm variationsfixuptool operation, which lets farm administrators control and perform operations against variations.

Pre-upgrade scanning and reporting for future releases (Office SharePoint Server) This article describes how to use the Stsadm preupgradecheck operation to scan farm servers before starting an upgrade to ensure that some upgrade prerequisites are met and to detect known issues that can prevent the upgrade from completing successfully. The results of the scan enable you to address any issues that are identified.

Preupgradecheck: Stsadm operation (Office SharePoint Server) This operation runs rules that are intended to assist administrators in preparing for upgrade.

Enumallwebs: Stsadm operation (Office SharePoint Server) This operation displays the IDs and site map status for all site collections and subsites in the content database.

Variationsfixuptool: Stsadm operation (Office SharePoint Server) This operation lets an administrator control the different versions—or variations—of a publishing site or page.

Listqueryprocessoroptions: Stsadm operation (Office SharePoint Server) This operation displays the current values of the SharePoint Search query processor settings.

Setqueryprocessoroptions: Stsadm operation (Office SharePoint Server) This operation sets the current values of the SharePoint Search query processor settings.

Multiple SharePoint Site Collections in Baseline Site Hierarchies Visio Diagram

Ian Morrish — Wed, 29 Apr 2009 21:22:00 GMT

If you look at the SharePoint Products and Technologies Baseline Site Hierarchies Visio diagram http://go.microsoft.com/fwlink/?LinkID=73124&clcid=0x409 you will notice the Multiple Site Collections sections talks about the maximum number of site collections being 125.

This does not match the guidance here http://technet.microsoft.com/en-us/library/cc262787.aspx which suggests a theoretical limit of 150,000 site collections. It seems the diagram focuses on the host header configuration (perfectly valid for ISP's hosting multiple customer WSS sites on one server but I've never seen it used on an Intranet deployment) and doesn't seem to align with managed path based site collections. I would add the following points to each section:

Description

Site collections can be created under managed paths e.g. http://copany/projects/project1 where "/projects" is a managed path.

Recommendations

A single site collection storage requirements would exceed the recommended 100 Gb max content db size

Note

Multiple site collections can share a content db but the db should not exceed 100Gb.
A single site collection can't span content databases.
Managed path site collections is how My Sites are hosted.

Numbers

Under a managed path a Web Application can support up to 150,000 site collections (site collections are likely to be spread across multiple content databases)

Updated Picture

I have seen a recommendation that you don't have more than 10 or 15 managed paths and there was a note in WSS v2 that more than 100 managed paths would cause performance issues but I think the main thing to consider is that if you copy a content database to another farm you must have the same managed paths in the other environment or else you will not be able to resolve the sites.
I normally go with the following managed paths by default:

Sites (this one is OOTB if you turn on "Self service site creation")
Project
Customer
Team

Note: I think http://intranet/project/1001 looks better than http://intranet/projects/1001. You could change the default "sites" path to "site" or remove it all together. After all, everything is a site in SharePoint.

Custom SharePoint display item pages per content type

Ian Morrish — Mon, 27 Apr 2009 21:00:00 GMT

[Updated with more detail] My list of over 1,800 SharePoint resources uses content types to distinguish the metadata that is relevant to each type of resource (article, blog, download etc.)

If the content type is KB Article, I wanted the default display item page to be customised to render the Microsoft KB Article page in an iFrame within the list item page.
A list with content type management enabled has a folder per content in which you can place views. This helps organize all the content type specific forms (Display item, New item and Edit item) into folders.

Views created in the content type folders are not shown in the default list views drop-down

You can then specify the default item view per content type by right-clicking on the list folder in SharePoint Designer and select properties to set the supporting files value for the Display item form

Even though a url might link to the default page e.g. http://www.wssdemo.com/Lists/Resources/DispForm.aspx?ID=1534
it will redirect to the custom page automatically (try it...)

My custom view page uses a Data Form web part to display a single item.

To create this in SPD, just right click on the List name and select New/List View Page.

Edit the new view, delete the List View web part and insert a Data Form as a "Single Item View" of the list

Select the list item for which you are creating the view and select "Show Data" from the drop down

The web part is filtered by the ID Parameter that will be included on the URL.

Create the Parameter from the Data View properties

Then create a filter for the Data View

and substituted the row view template code withing the DAta View web part for this...

<xsl:template name="dvt_1.rowview">

<tr>

<td>

<xsl:variable name="urlprefix" select="substring-before(@URL, ', ')" />

<xsl:variable name="urlpostfix" select="substring-after(@URL, ', ')" />

</iframe>

</td>

</tr>

</xsl:template>

You can include this CSS style in the page to resize the iFrame height to match the current browser height (- sharepoint chrome height).

SharePoint becoming the Default Web UI

Ian Morrish — Sun, 19 Apr 2009 11:22:00 GMT

For Microsoft products anyway...
Adding to Project Server & Performance Point which use SharePoint for the Web UI comes Forefront Identity Manager 2010

(from http://blogs.msdn.com/imex/archive/2009/04/16/identity-lifecycle-manager-2-is-now-forefront-identity-manager-2010.aspx )