I will be part of a panel called “Stump the SharePoint Consultant” from 10:45 am to 11:30 am – Track 3 SharePoint Ecosystem
I know a few of these panelists as well and I am sure it will be a great discussion forum. Looking forward to seeing you there.
NB. In an effort to make this page load better I am breaking this blog up into parts; this is Part 1.
Part 2: – Configuring Service Applications, Sites, and Verifying our Work
Part 3: – Configuring and Executing Search, Using Web Parts and Communicating Securely across Web Applications with Kerberos
I felt a compelling need to write this blog post because with the advent of SharePoint 2010, a whole new world opens up for access to information. With that comes the challenge of managing access and security. The area I spend most of my time in is Business Connectivity Services (BCS), and one of the challenges I personally face is the “Double Hop”: a desktop client uses a Web Front End (WFE) via SharePoint to connect to a SharePoint Server in an Application Server role, which in turn retrieves and consumes information from a Line of Business (LOB) back-end database. Kerberos mitigates that problem through its protocol handling and service delegation. Secondly, I have clients whose desktop environment is heterogeneous, with a mixture of Windows XP [yes, still XP] and Macs running Safari, and a need to avoid login prompts for authentication.
My colleagues out there constantly hear me asking for an ‘Authoritative’ document/guidance when it comes to standing up SharePoint 2010 features. After looking for something like that as it relates to getting Kerberos working, I found quite a bit of information but nothing really end to end. I think that is because depending on your need, you may start in one area and end up in the next. In this document my approach is:
- A brand new SharePoint 2010 installation that will use Kerberos for authentication, everything being x64
- Active Directory built on Windows Server 2008 R2
- SQL Server is 2008 R2
In my quest I pulled information from the following sites and fellow SharePoint mates:
- There is a really good article that Kathryn Birstein turned me on to when I met her at SharePoint Saturday in New York a few weeks ago. It is truly the Holy Grail for Kerberos – found here — Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products and Technologies (http://go.microsoft.com/fwlink/?LinkId=196600) (7.3 MB)
- For Registering a Service Principal Name for SQL Server I got a great piece of article here — http://msdn.microsoft.com/en-us/library/ms191153.aspx
- In terms of How to Implement Kerberos Constrained Delegation with SQL Server 2008 see this — http://technet.microsoft.com/en-us/library/ee191523(SQL.100).aspx
- Now, if you are going to be creating sites and you want them to be crawled, it suits you best to have your Search Service Application already configured before you create that Web Application; for that I checked out Bill Baer’s Twitter Handle: williamsbaer blog — http://blogs.technet.com/b/wbaer/archive/2009/11/23/step-by-step-provisioning-the-search-service-application.aspx
- Another good article that covers a good portion of SharePoint 2010 using Kerberos is here http://technet.microsoft.com/en-us/library/ee806870.aspx and it gives a good Scenario based example
- I also have a few blog posts at https://fabiangwilliams.wordpress.com and my new SharePoint 2010 FPWeb hosted site http://www.sharepointfabian.com/blog which outline how to install and configure SharePoint 2010; in light of that I take leaps over those items already covered and hope that you will use those blogs as a source of reference. The one thing I want to emphasize, and it is a good segue into item number 6, is that I now DO NOT use the Farm Configuration Wizard (FCW) to create my service applications after a SharePoint 2010 install; Spencer Harbar (Twitter handle @harbars) constantly preaches that unless you are doing a POC or a demo environment... DO NOT USE IT... so I now don't.
- The last two articles are from Spencer Harbar, in my opinion one of the most solid SharePoint gurus out there. I used his blogs for guidance not only in this example but for setting up the User Profile Service, which I also bring into this blog post — SharePoint 2010 and Kerberos and Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization
So how are we going to work this and make it flow?
- Create the Service Accounts we need for SQL and SharePoint
- I used a GPO from my work colleague and MVP Aaron Tiensivu (Twitter handle @atiensivu) to restrict NTLM traffic to servers, so that if Kerberos wasn't successful then audits and errors would be thrown; I will call this out later on
- Tackle installing SQL Server 2008 R2 and getting Kerberos working there first — why?
- We need Service Principal Names (SPNs) set for MSSQLSvc under the service account SQL Server is running under if we intend to secure our communications with SQL Server with Kerberos
- I went further by limiting the network transport (protocol name) to TCP and Named Pipes because I know that in SQL Server 2008 / Windows Server 2008 enhancements have been made for Named Pipes, and typically I use TCP for communications anyway
- I tested this by logging onto the SharePoint box and using SQL Management Studio to connect back to the SQL box, then running a query to see what the network transport is and also the authentication scheme
- Install the SharePoint 2010 bits and set the authentication to Negotiate (Kerberos); configure for Kerberos thereafter
- Create the Managed Service Accounts for the Web Applications and other Service Applications
- Set the SPNs for the Web Application service accounts for the Portal, Team, and MySites
- Create the Web Applications, Site Collections, and validate that Kerberos is the method used for connectivity
- More tests and verifications
My Environment (Lab) – VMware on my Lenovo T61p [dual core single proc with 8 GB RAM]
- DC Box
  - Windows 2008 R2 x64 Ent
  - Active Directory in 2008 mode
  - SQL 2008 R2
  - ArgoSoft Mail Server
  - 1 GB RAM allocated
- SharePoint Box (Application Role)
  - Windows 2008 R2 x64 Ent
  - SharePoint with all services enabled
  - 3 GB RAM allocated
- SharePoint Box (Web Server Role)
  - Windows 2008 R2 x64 Standard
  - WFE role only (so I can really test Kerberos from another box other than the app box)
  - 1 GB RAM allocated
- Guest System
  - Windows 7 x86
  - 1 GB RAM allocated
Yes… this is pushing it to the limit; in fact my CPU is pegged constantly and my memory is tapped. But I don't run with the big dogs out there with SSDs and 16 GB RAM, not yet.. 🙂
Part 1: SQL Server Squaring Away
After installing SQL Server 2008 R2, the first step I take is to manage the protocols under which SQL Server will run; this time, because I am focusing on Kerberos, I am only enabling TCP and Named Pipes for the reason I mentioned above. I also enabled a GPO to restrict and/or audit NTLM traffic between the servers, as seen below.
As seen below, the account that the SQL Server service runs under is ADOTOBLAB\SqlSvc, and this is what we will create an SPN for.
Below is where we create the SPN for MSSQLSvc under the service account; it is also best practice to register both the FQDN and the NetBIOS names when setting SPNs. I used the command line tool for one and the ADSI Edit tool for the second.
Below we also use the tool to validate the entries made.
Part 2: Installation and Configuration of SharePoint 2010 (Accelerated)
Installation of the bits for SharePoint 2010 comes next. I just want to call out the differences in what you will do if you DO NOT use NTLM; see my other blogs for details on installation of SharePoint.
Here is your last chance to back out 🙂 — nah — so all this dialog box is telling you is that you need to make arrangements with the Domain Admins if you do not have the access to set up SPNs for the service accounts that you will be using in the creation of service applications and web applications.
Above is verification that you are using Negotiate (Kerberos) as the authentication provider in this installation of SharePoint 2010.
Part 3: Validate that Kerberos is working
From the SharePoint machine, using SQL Management Studio, I run the query below to test. The key here is that you are using Windows authentication and are logged in as the SharePoint install account.
From the SQL box I check the event log and verify.
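The SQL Server side of this, as an added example that is not from the original post: registering the MSSQLSvc SPNs for the service account the post names (ADOTOBLAB\SqlSvc), then running the connection-check query from the SharePoint box and scanning the SQL box's Security log for Kerberos logons. The host name SQL01 in the zone adotoblab.local, the default port 1433 and the install account name ADOTOBLAB\spInstall are assumptions; the post does not give them.

```powershell
# Added example (not from the original post). Assumed values, not taken from the post:
#   SQL01 / SQL01.adotoblab.local  - the SQL Server host
#   1433                           - default instance port
#   ADOTOBLAB\spInstall            - the SharePoint install account
$SqlHost        = 'SQL01'
$SqlFqdn        = 'SQL01.adotoblab.local'
$SqlPort        = 1433
$SqlAccount     = 'ADOTOBLAB\SqlSvc'      # service account named in the post
$InstallAccount = 'ADOTOBLAB\spInstall'

# --- On the DC (or any box with setspn.exe and rights on the account) ---------------
# Register both the FQDN and NetBIOS forms. setspn -S checks the forest for a
# duplicate before adding; a duplicate MSSQLSvc SPN makes the KDC refuse the ticket
# and every client quietly falls back to NTLM.
& setspn -S "MSSQLSvc/$($SqlFqdn):$SqlPort" $SqlAccount
& setspn -S "MSSQLSvc/$($SqlHost):$SqlPort" $SqlAccount
& setspn -L $SqlAccount     # list what the account now holds
& setspn -X                 # report duplicate SPNs anywhere in the forest

# --- On the SharePoint box, logged in as the install account -------------------------
# Ask SQL Server how *this* connection was authenticated. The same query can be pasted
# into Management Studio; here it is wrapped so the result is a checkable object.
function Test-SqlKerberos {
    param([string]$Server = $SqlFqdn)
    $query = 'SET NOCOUNT ON; SELECT net_transport + '','' + auth_scheme ' +
             'FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
    # -E Windows auth, -h -1 no column header, -W strip trailing spaces
    $line = & sqlcmd -S $Server -E -h -1 -W -Q $query |
            Where-Object { $_ -match ',' } | Select-Object -First 1
    if (-not $line) { throw "No result from $Server; check connectivity and login rights" }
    $transport, $scheme = $line.Trim() -split ','
    New-Object PSObject -Property @{
        Server     = $Server
        Transport  = $transport          # TCP or NP (Named Pipes)
        AuthScheme = $scheme             # KERBEROS is the goal; NTLM means the SPN was not used
        Kerberos   = ($scheme -eq 'KERBEROS')
    }
}

# --- On the SQL box: confirm the logon arrived as Kerberos ---------------------------
# Security event 4624 records the authentication package used for every logon.
function Get-KerberosLogons {
    param([string]$Account = $InstallAccount, [int]$Last = 500)
    $user = ($Account -split '\\')[-1]
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $Last |
        Where-Object { $_.Message -match "Account Name:\s+$user" -and
                       $_.Message -match 'Authentication Package:\s+Kerberos' } |
        Select-Object TimeCreated, Id
}

Test-SqlKerberos
Get-KerberosLogons
```

Run Test-SqlKerberos from a box other than the SQL server itself: a local connection goes over shared memory and does not exercise the SPN at all, so only the remote result tells you whether the ticket was issued. When the NTLM-restriction GPO the post mentions is in place, an NTLM result here will also show up as an audit failure on the SQL box.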
Part 4 – Configure Accounts (Service Accounts, Managed Service Accounts) and Service Principal Names (SPN)
First Register Managed Service Accounts
For the User Profile Service and Search, and just to kick off provisioning of UPS, you will need to have local admin rights set on a few accounts.
Make sure that the UPS account also has Replicate Changes and Create Child Objects in AD
Next I am going to create A records for my sites (Team, Intranet and MySite).
At this time I set SPNs for the service accounts to be used for the Portal Site, Team Site and MySite. Again, ensure that you do both NetBIOS and FQDN for SPNs.
When setting SPNs, ensure that you do both NetBIOS and FQDN.
We do the same for:
However, Teams and My will be on ports 4444 and 5555 respectively, so we will do two entries each because of a known issue with setting SPNs for SharePoint.
Do the same thing for the service account for the Team Site (svcAppPoolSites).
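The web application SPNs as one script, added here as an example that is not from the original post. The account svcAppPoolSites and the ports 4444 and 5555 are from the post; the host names portal, teams and my, the zone adotoblab.local, and the account names svcAppPoolPortal and svcAppPoolMySite are assumptions. The reason for the "two entries" the post mentions is that browsers build the ticket request as HTTP/<host> without the port, so for a site on a non-default port both the port-less and the port-qualified SPN have to exist on the same account.

```powershell
# Added example, not from the original post. svcAppPoolSites, 4444 and 5555 are
# from the post; host names, the DNS zone and the other two account names are assumed.
$Domain = 'ADOTOBLAB'
$Zone   = 'adotoblab.local'

function Register-HttpSpn {
    param(
        [string]$HostName,   # NetBIOS name of the web application (matches the A record)
        [string]$Account,    # application pool identity, without the domain prefix
        [int]$Port = 80      # web application port
    )
    $names = @($HostName, "$HostName.$Zone")   # NetBIOS and FQDN forms, as the post advises
    foreach ($n in $names) {
        # Browsers request HTTP/<host> and omit the port, so this form is always needed ...
        & setspn -S "HTTP/$n" "$Domain\$Account"
        # ... and a site on a non-default port also gets the port-qualified form.
        if ($Port -ne 80) { & setspn -S "HTTP/$($n):$Port" "$Domain\$Account" }
    }
}

Register-HttpSpn -HostName 'portal' -Account 'svcAppPoolPortal'              # port 80
Register-HttpSpn -HostName 'teams'  -Account 'svcAppPoolSites'  -Port 4444
Register-HttpSpn -HostName 'my'     -Account 'svcAppPoolMySite' -Port 5555

# Check: an HTTP SPN left on a server's computer account (or on a second service
# account) is a duplicate, and a duplicate is the usual reason a site keeps
# prompting or silently falls back to NTLM.
& setspn -X
& setspn -L "$Domain\svcAppPoolSites"
```

setspn -S refuses to add an entry that already exists elsewhere in the forest, which is exactly the condition you want to fail loudly rather than discover later through login prompts.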
NEXT – Part 2
Part 1: Full Installation on Small Farm up to Managing Service Applications
Synopsis: This is a two-part blog. I will be focusing on the general installation and configuration, then in Part 2 I will discuss how to set up User Profile Services, which I know gives a few folks the willies.
In this blog we will run through the process of installing SharePoint 2010 in a small Farm Environment. In this topology we have two servers and a Windows 7 Guest. The roles are below:
Server 1: VMWare Windows Server 2008 Standard
Role: Domain Controller and Mail Server
Specs: Windows 2008 Standard 2048 MB Ram, 80 GB HDD
Server 2: VMWare Windows Server 2008 Enterprise
Role: SharePoint 2010 Server
Specs: Windows 2008 Standard 3072 MB Ram, 80 GB HDD
Additional Software: Visual Studio 2010 Professional
Workstation: VMWare Windows 7 Ultimate
Specs: Windows 7 Ultimate 2048 MB Ram, 60 GB HDD
Additional Software: Microsoft Office 2010 Professional Plus, Visio 2010, Project 2010, Adobe Acrobat
The first thing that I advise clients, and something that I do even for my own environment, is to prepare what's known as a Farm Preparation Guide which details the physical architecture, logical architecture, specs, account usernames and passwords, license keys, etc. I also go as far as moving the installation bits locally onto the server to reduce I/O. Once I am satisfied, I run setup…
Above: Launching Setup
Once setup is launched, the very first thing you need to do is “Install software Prerequisites”
N.B. I thoroughly advise you to uninstall any items that may be on your computer that constitute one of the prerequisites that you will be installing in this section. I specifically call out “Windows Identity Foundation”, which will blow up your installation if already installed. Click the link to install the pre-reqs.
Above: Splash screen with Options for Installation
Below are the items that will be installed as prerequisites for SharePoint 2010. If any of these fail, you MUST correct it before moving forward, even though the installation may allow you to continue. I have seen instances where my “Microsoft SQL Server 2008 Analysis Service ADOMD.NET” failed to install and it allowed me to continue, then blew up later on. Click Next to begin…
Above: SharePoint Pre-Reqs
Above: Accept the Terms and Proceed
Above: Status Bar as the Pre-reqs are installed
Below is an instance where I had a failure and installed the pre-req directly by downloading it off MSDN and applying it myself, without doing it in the tool. That is why you see that some of the items are set to “no action taken”.
Above: All Pre Reqs installed
Next you need to provide the appropriate license key. I am often asked if the build installs anything different based on the Key. The answer is the build installs everything but features are disabled or not available based on the key, but can be later turned on by providing the necessary key.
Above: Enter your License key here
Above: Accept the Terms…
Personally, I will tell you that I have NEVER chosen “Standalone”; I always do Server Farm, because I want the extensibility, yes even in my lab environment, to add servers and roles later on. So in this instance I chose “Server Farm” and continued.
Above: Options for Installation
Yeah, you want to select “Complete” here if you have your own instance of SQL already and want more options for configuration later on.
Above: Determining the role of the Server you are installing
Above: Installation Progress
Once the installation is complete, if there is only one server in the farm, carry on; if there is more than one, stop here, complete the installation of the bits on the other servers, and then run the “Products and Configuration Wizard” on the server that will be doing Central Administration duties.
Above: Once the installation of the bits is complete, the configuration of the farm begins when you click Close with the check box enabled.
Make sure that you have your Farm Prep guide (previously mentioned in this post) with all your information before moving forward; you will need account names, server names, etc.
Above: This begins the configuration phase of the Farm
As part of the configuration, a few services have to be stopped and restarted.
Above: Installation about to begin.
If this is the first server then you choose “Create a new Farm”; if it isn't then you must choose the other.
Above: Choosing whether you are creating or adding to a farm
Above: My DC is also hosting my SQL Server
New to SharePoint 2010 is the concept of a Passphrase for configuration; this passphrase is used for such things as
- Adding additional servers to the farm
- Acting as the Public Key in your Secure Store Configuration
Above: Applying the passphrase
Here you will get a random port number to begin with; typically I use 9999 in my installations. This is also where you choose NTLM or Kerberos as your authentication provider. If you are using Kerberos see this TechNet article http://technet.microsoft.com/en-us/library/ee806870.aspx
Above: Configuring SharePoint
Above: Configuring SharePoint
Above: Progress bar in part of the Configuration
Above: Configuration Complete
The next steps in the configuration are done in the Central Administration page. The wizard is pretty good here; I would highly recommend you use it, even if you go back afterwards and make changes to the service applications, or delete and/or recreate them to suit your needs. It is invaluable in teaching you how the configuration should be.
Above: the initial configuration page in Central Admin
A point to note here is that the wizard-driven configuration uses the Farm Account for all the service applications; you will need to go to “Services on Server” or the “Service Applications” themselves to change the Default App Pool and the service account under which you want a specific service application to run. Obviously, before you do that you create your managed accounts first.
Above: the conclusion of the Wizard Driven Configuration
Above: Just a demonstration of what the Service Application and Service Account looks like
Next, I am going to register a few Managed Accounts to run some of my Service Applications. Things I want to run separately are:
- User Consumable Web Application/ Sites
- User Profile Service
- Search/ Crawl
- Secure Store
to name a few
Above: Registering a Managed Account
Above: Consuming that Managed Account for a specific Service Application
Below I am setting up all my managed accounts so you can see which ones I separate out.
Above: All the Managed Accounts that I configured. This assumes that you have these accounts configured in Active Directory
Below is an example of me changing not only the managed account but also the application pool that a service application runs under. I want my Secure Store Service to run under its own app pool and its own managed account.
Above: by NOT clicking on the word “Secure Store Service” but clicking on the blue bar between the words, then clicking on Properties in the Ribbon..
Above: This is the properties window of the Service App
Above: I am creating a new Application Pool and associating it with my Managed Account.
Above: the progress bar for the activity I am doing
Once completed you will see the display window below
Above: A successful change to a Service Application
Above: the new Properties window for the Secure Store Service Application
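The same change scripted with the SharePoint 2010 Management Shell, as an added example that is not from the original post: register the managed accounts, give the Secure Store Service its own application pool under its own account, and list which pool and identity every service application ends up with. The account names (ADOTOBLAB\svcSecureStore and friends) and the pool name are assumptions; the post does not name them.

```powershell
# Added example, not from the original post. Account names and the pool name are assumed;
# the AD accounts must already exist, as the post notes for the Central Admin route.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accounts = 'ADOTOBLAB\svcAppPoolSites', 'ADOTOBLAB\svcUPS',
            'ADOTOBLAB\svcSearch',       'ADOTOBLAB\svcSecureStore'

# 1. Register each account as a managed account (skipping ones already registered).
foreach ($name in $accounts) {
    if (-not (Get-SPManagedAccount -Identity $name -ErrorAction SilentlyContinue)) {
        # Get-Credential prompts for the password with the user name pre-filled
        New-SPManagedAccount -Credential (Get-Credential -Credential $name) | Out-Null
    }
}

# 2. A dedicated application pool for the Secure Store Service, under its own identity.
$account = Get-SPManagedAccount -Identity 'ADOTOBLAB\svcSecureStore'
$pool = Get-SPServiceApplicationPool -Identity 'SecureStoreAppPool' -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name 'SecureStoreAppPool' -Account $account
}

# 3. Move the service application onto that pool (the Properties dialog does the same).
$sss = Get-SPServiceApplication | Where-Object { $_.TypeName -eq 'Secure Store Service Application' }
if (-not $sss) { throw 'Secure Store Service Application not found; provision it first' }
$sss.ApplicationPool = $pool
$sss.Update()

# 4. Verify: which pool and identity each service application now runs under.
#    Anything still on the farm account's pool is a candidate to separate out.
Get-SPServiceApplication |
    Select-Object DisplayName,
                  @{ n = 'AppPool';  e = { $_.ApplicationPool.Name } },
                  @{ n = 'Identity'; e = { $_.ApplicationPool.ProcessAccountName } }
```

Step 4 is the check worth keeping around: run it after the wizard and again after your changes, and the identity column shows at a glance which service applications still share the farm account.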
Conclusion and Prelude to Part 2 of the Blog
So after you finish the initial configuration, and before you get into the managed accounts as I did, you are prompted to create a top-level site; you can either elect to do it or skip it, the choice is yours. I omitted that from this blog for brevity. Next we will go into configuring the User Profile Service.
Hope this was useful, as always, comments, critiques are welcomed.
According to Arpan Shah, Director, SharePoint
Excerpt below taken from… http://blogs.msdn.com/sharepoint/archive/2010/03/05/sharepoint-2010-office-2010-launch.aspx
Today, we officially announced that May 12th, 2010, is the launch date for SharePoint 2010 & Office 2010. In addition, we announced our intent to RTM (Release to Manufacturing) this April 2010.
It’s an exciting time for us! We hope you can virtually join us on May 12th at 11am EST to listen to Stephen Elop, President of the Microsoft Business Division, announce the launch. You can register for the event @ http://sharepoint.microsoft.com/businessproductivity/proof/pages/2010-launch-events.aspx.
Published Friday, March 05, 2010 2:52 PM by arpans
So the idea here is to prepare to move the work I had in SharePoint 2010 Beta to the Release Candidate. I spent quite a bit of time at SharePoint Saturdays, conferences, and just figuring stuff out, only to ditch it as I upgrade my environment. That said, I wanted to back up as much as I can of my work, especially the solutions I created for BCS and the LOB system databases I used in my demos. What I will outline below are the out of box (OOB) methods that you can use in SharePoint 2010 Beta [hoping not much changes in RTM, unless they make it better] to back up your solutions and web apps. I can certainly do this while I build out my next environment, which after much consideration will be:
- A Portable Solution i.e. my IBM Lenovo T61P Dual Core 2.33 with 8 GB RAM
- Windows 7 x64 Professional
- Virtual Box
- One Host as Windows Server 2008 R2 Core
- Active Directory
- SQL Server
- Some kind of SMTP Server
- One Host as SharePoint Server 2010 RC
- Squeeze Every Bit of Service App as possible on it
- One Host as Windows Server 2008 R2 Core
- Virtual Box
- Office 2010 RC
- Visual Studio 2010 RC
Step 1 – Identify the items you want to Backup/Preserve
I identified the following items to keep as I move forward, with some prioritization:
- Must Have
  - Backups of my Visual Studio solutions as part of a SharePoint solution
  - Backups of my content database
  - Backups of my other databases for demo purposes
- Nice to Have
  - Actual MDF and LDF files from SQL, because I am a meticulous person; some call it anal
  - The Solution folder under My Documents for Visual Studio 2010, so I have my source files
- Everything Else
  - All my files along the way worth saving, especially drivers, pictures, and sample docs to mess with
Step 2 – Perform the Backups in a few Flavors
Using Central Administration in SharePoint 2010 Beta
The first thing I did was to open Central Admin. For our purposes today we will be working with the “Backup and Restore” section; second column, second row.
After you click Backup and Restore you have a few options; we are actually going to use both of them so we can get the experience. Obviously that is overkill, but this serves as a tutorial for us later on. First we will tackle the Farm Backup and Restore, then the Granular Backup.
Once you click “Perform a Backup” under “Farm Backup and Restore” you get the window below
First we will opt to back up all the solutions we have created and saved thus far in the Solution Gallery in SharePoint.
Once you have finished selecting the items to back up (in this case only solutions), and have a directory configured as the drop spot for our backup files, click Next…
We can Monitor the process by clicking the Refresh Button/Link
We can see below that the process is Preparing
Now the process is running
Finally, the process finishes…
Once we are done, we can inspect the results. Below you will see the status, elapsed time, and location.
Next we will back up the web application on port 80, and all items under it, using the Full Backup process
See status below…
Below you will see the folders that are created by default when using the OOB tool and “Farm Backup and Restore”
The second option available to us in SharePoint 2010 Beta for backup is the Granular Backup, which allows you to do a “Site Collection” backup. We have two SCs under a managed path that we will back up.
I goofed with the nomenclature below, but I wanted you to see the error handling now in SP 2010; very descriptive.
Once the SC is identified, you must provide a path and a file name; unlike the previous method where you only had to determine the folder, here, just as in STSADM commands, you must specify the file name.
Below you will see the Site Collections available; we did BCSAlpha first, now we do Charlie…
As you will note below; there is a backup file created for both BCSAlpha and Charlie
Next, just for show, I will do the same backup using STSADM commands. What I found interesting is that the file sizes were different using this method. You should also notice the “SharePoint Root” folder is now “14”.
And now for Charlie….
Next I opened up SQL Management Studio and made a backup of my Databases
There you have it….
Creating a SharePoint 2007 Backup Strategy using STSADM commands complemented by Windows Scheduled Task (AT) commands
I am on a project where we will have to rely on the out of box (OOB) backup strategies from Office SharePoint Server. I am wearing my IT Pro hat, but the developer in me says: when you do something once, automate it for future use, and blog it so you can remember it. So here goes. There are two flavors of OOB backup strategies in Office SharePoint Server 2007:
1. Using Central Administration –> Operations –> Backup and Restore
2. Using STSADM: stsadm -o backup -url [site path] -filename [where to save the file]
The Central Administration route is, in my opinion, an ineffective way to do backups if your goal is a long term strategy; it is a one-time deal through a wizard with limited options. Certainly if you need to do a backup because of a pressing circumstance, this is in fact a viable option, but outside of that, STSADM provides more flexibility and it may be scripted and scheduled for future recurring operations.
HOW TO: Implementing a Backup Strategy with OOB STSADM commands
STSADM Backup Syntax:
For site collection backup:
stsadm -o backup -url <site URL> -filename <backup file>
Things to look out for when using STSADM to perform backups
As your site grows, so logically do your content databases, and if you are employing STSADM as the tool for backup, a by-product of that will be longer backup times. The longer your environment takes to back up, the greater the risk that someone updates a file/document/asset while the backup is running; if a backup is running and a file is open, that backup is at risk of failure. How do we combat that problem? We use yet another STSADM command to lock the site, and in effect the database, to read-only; we do this with the site lock commands, getsitelock and setsitelock. See below for the full command syntax.
stsadm -o getsitelock -url <site URL>
stsadm -o setsitelock -url <site URL> -lock <none|noaccess|readonly|noadditions>
Automate your Backup Solution
Certainly you can navigate to the SharePoint 12-Hive and execute these commands as a single action; however, a more consistent approach is to script the job with error handling and user feedback.
Script your Backup
Save the above to a .bat file in a preferred location.
Automate your Backup
Create a new Windows Scheduled Task by going to Start–> Control Panel –> Scheduled Tasks –> Add Scheduled Task
Follow the wizard and schedule the .bat file created above to run at a frequency of your own choosing.
A complete reference of STSADM commands is located on Jose Barreto's blog http://blogs.technet.com/josebda/archive/2007/03/22/complete-reference-of-all-stsadm-commands-with-options-in-moss-2007.aspx
An example of creating the filename so it changes daily and thus does not overwrite itself: http://www.zorbathegeek.com/153/batch-file-to-append-date-to-file-name.html
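The whole procedure above (lock the site read-only, back it up to a date-stamped file, release the lock, report errors) as one scheduled script. This is an added example written as a PowerShell equivalent of the .bat file described in the post, not the post's own script; the site URL http://portal and the backup folder D:\Backups\SharePoint are assumptions, and stsadm.exe is located in the 12-Hive the post refers to.

```powershell
# Added example, not from the original post: PowerShell equivalent of the .bat approach.
# Assumed: site URL http://portal, backup folder D:\Backups\SharePoint.
param(
    [string]$SiteUrl   = 'http://portal',
    [string]$BackupDir = 'D:\Backups\SharePoint'
)
# stsadm.exe lives in the 12-Hive
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'
$log    = Join-Path $BackupDir 'backup.log'

function Write-Log([string]$Message) {
    $entry = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message"
    Add-Content -Path $log -Value $entry    # file for the scheduled run ...
    Write-Output $entry                     # ... and console when run by hand
}

# Run stsadm and turn a non-zero exit code into an exception, so a failed step stops the job.
function Invoke-Stsadm([string[]]$ArgList) {
    $out = & $stsadm @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "stsadm $($ArgList -join ' ') failed ($LASTEXITCODE): $out" }
    return ($out | Out-String).Trim()
}

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# Date-stamped file name, so each day's backup gets its own file instead of overwriting.
$file = Join-Path $BackupDir ('{0}_{1:yyyyMMdd}.bak' -f ($SiteUrl -replace '[^\w]', '_'), (Get-Date))

$failed = $false
try {
    Write-Log "Locking $SiteUrl read-only for backup"
    Invoke-Stsadm @('-o', 'setsitelock', '-url', $SiteUrl, '-lock', 'readonly') | Out-Null
    Write-Log "Backing up $SiteUrl to $file"
    Invoke-Stsadm @('-o', 'backup', '-url', $SiteUrl, '-filename', $file) | Out-Null
    Write-Log "Backup finished: $((Get-Item $file).Length) bytes"
}
catch {
    Write-Log "ERROR: $_"
    $failed = $true
}
finally {
    # Always release the lock, even when the backup failed, or users stay read-only.
    try {
        Invoke-Stsadm @('-o', 'setsitelock', '-url', $SiteUrl, '-lock', 'none') | Out-Null
        Write-Log "Lock state now: $(Invoke-Stsadm @('-o', 'getsitelock', '-url', $SiteUrl))"
    }
    catch {
        Write-Log "ERROR releasing lock: $_"
        $failed = $true
    }
}
if ($failed) { exit 1 }   # non-zero exit so the scheduled task shows the failure
```

Schedule it the same way the post schedules the .bat, pointing the task at powershell.exe -File with the script path; the exit code makes the task history show failed runs, and the log file gives you the lock and backup timeline for each night.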
I strongly encourage all my blog readers to “attend” and, where possible, to present as speakers at one of the SharePoint Saturdays coming up (see below). It is a FREE event to attend; all you have to do is register in time. The speaker panel is always star-studded, and you will be surprised just how much knowledge can be soaked up in one Saturday.
- SharePoint Saturday Iceland – Saturday, February 19th, 2010
- SharePoint Saturday Boston – Saturday, February 27th, 2010
- SharePoint Saturday New Orleans – Saturday, February 27th, 2010
- SharePoint Saturday Michigan – Saturday, March 13th, 2010
- SharePoint Saturday Twin Cities – Saturday, March 20th, 2010
- Live Online SharePoint Saturday Arabia – Saturday, March 27th, 2010
Have fun! Stay Strong..