Friday, May 14, 2010

2nd Commerce Server User Group Meeting - Commerce Server Staging

Great user group meeting. Especially enjoyed the practical tone of the questions.

Here are the links I mentioned in my talk:
Using SQL instead of Access
http://blogs.msdn.com/charles/archive/2008/09/15/how-to-configure-css-to-log-to-sql-database.aspx

We will have the next meeting on November 5, subject will be CS and SharePoint 2010.

Monday, May 3, 2010

Synchronizing SharePoint Profiles with Active Directory

There are a lot of urban myths about importing profiles from AD, particularly on some blogs where it is claimed that deleted users are only erased from SharePoint on the third try.

Here are the steps when a user is deleted from Active Directory:

1. When the profiles are synchronized with Active Directory, the bDeleted flag is set to true in the SSP's UserProfile_Full table.

2. Every hour the MySiteCleanup job runs.
If bDeleted is true the job deletes the profile from UserProfile_Full table and adds it to the deleted users.
The manager gets an email and ownership of the MySite.

3. Every five minutes each content database synchronizes its UserInfo table with the SSP. This is the Quick Profile Synchronization (WSSSweepSynch).

4. Every hour there is a complete Profile Synchronization (WSSProfileSynch).
This is bidirectional: in the up direction the profiles are updated with the site collection membership list; in the down direction the UserInfo table is updated with the profile information. If a user is flagged as deleted in the UserProfile_Full table, he is also marked as such in the UserInfo table. It is not deleted from the UserInfo table, as it is needed for auditing.

The procedure is the same in SharePoint 2010.

(With thanks to Chris Gideon; I based this on discussions with him at MCM training and Ignite. All mistakes are my misunderstandings, not his.)

Recipe: RSS Viewer in MOSS 2007

1. To add a feed for a list or document library:
Go to the list, Actions, RSS Feed. Save the address.
Go to the page, add the web part, and copy the address into its URL setting.

2. To set the refresh interval for the RSS feed:
Site collection RSS settings.
Settings for the web part.
But...the refresh is hard coded at 60 minutes!

Kerberos authentication is needed even if SQL is on the same box.

Kerberos debugging tips:
NETDIAG /TEST:KERBEROS /DEBUG >KERBTEST.TXT

Add the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1

But you will get some false errors.

Kerbtray shows the tickets for the currently logged-in user only. See great blog.

With a cross-forest trust, make sure that the forest and domains are at 2003 functional level; otherwise you will only have external trusts, which will not use Kerberos. Make sure the web site is a trusted site to see the RSS feed.

Sunday, May 2, 2010

Recipe: Using Kerberos with MOSS 2007 and Windows 2003

1. SPN for SQL
Install ADSIEdit on DC from W2003 Support Tools.
Change SPN of SQL Service Account to:
MSSQLSvc/sql1.litware.com:1433
MSDN also says to add not just the FQDN but the NetBIOS name as well:
MSSQLSvc/sql1:1433
I don't understand why this is necessary.
If SQL is on the same machine as MOSS, Kerberos will not be used. The same applies when named pipes are used. See blog.
You can also check your work with SetSPN -L SQLService
From the W2003 Resource Kit you can use Klist and Kerbtray.
To list or purge the tickets use Klist tickets or Klist purge.

2. SPN for Central Admin
Add SPNs to Central Admin App Pool Identity.
HTTP/moss01:12345
HTTP/moss01.litware:12345
Change Central Admin to negotiate
Use this link to get to stsadm
stsadm -o authentication -url http://moss01:12345 -type windows -usewindowsintegrated
Browse to site.

If you get following error
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -

This is because the browser does not send the port number with the SPN.
For 32-bit I used the following registry change for IE6. Details are here, but the hotfix DLLs were an older version than my DLLs; I still needed the registry change.

If you need to check whether the IIS virtual directory has Kerberos enabled you can run
adsutil.vbs get w3svc/1998432558/root/NTAuthenticationProviders or set it with
adsutil.vbs set w3svc/1998432558/root/NTAuthenticationProviders "Negotiate,NTLM"
(get the virtual directory ID from the log file directory name)

3. SPN for main sharepoint site
Add SPNs to App Pool Identity.
HTTP/moss01
HTTP/moss01.litware.com
Change SharePoint app to negotiate
Use this link to get to stsadm
stsadm -o authentication -url http://moss01 -type windows -usewindowsintegrated
Browse to site.
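The three steps above each end with "check your work with SetSPN -L". The following is an added example (not from the original post) that audits that output for the whole recipe at once: it reports SPNs the recipe expects but which are not registered, and SPNs registered on more than one account, which the KDC cannot resolve and which silently push clients back to NTLM. The account names and the setspn -L output are constructed for the litware.com lab.

```python
from collections import defaultdict

# Constructed sample of what "setspn -L <account>" prints for each identity in
# the recipe. Account names are hypothetical; the PortalAppPool block contains
# two deliberate mistakes (a missing SPN and one copied from Central Admin).
SETSPN_OUTPUT = {
    "SQLService": """Registered ServicePrincipalNames for CN=SQLService,CN=Users,DC=litware,DC=com:
        MSSQLSvc/sql1.litware.com:1433
        MSSQLSvc/sql1:1433
""",
    "CAAppPool": """Registered ServicePrincipalNames for CN=CAAppPool,CN=Users,DC=litware,DC=com:
        HTTP/moss01:12345
        HTTP/moss01.litware:12345
""",
    "PortalAppPool": """Registered ServicePrincipalNames for CN=PortalAppPool,CN=Users,DC=litware,DC=com:
        HTTP/moss01.litware.com
        HTTP/moss01:12345
""",
}

# The SPNs steps 1 to 3 of the recipe expect on each identity.
EXPECTED = {
    "SQLService": {"MSSQLSvc/sql1.litware.com:1433", "MSSQLSvc/sql1:1433"},
    "CAAppPool": {"HTTP/moss01:12345", "HTTP/moss01.litware:12345"},
    "PortalAppPool": {"HTTP/moss01", "HTTP/moss01.litware.com"},
}

def parse_setspn(text):
    """Return the set of SPNs listed in one 'setspn -L' output block."""
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        # SPN lines are indented 'service/host[:port]'; the header line is skipped.
        if line and "/" in line and not line.startswith("Registered"):
            spns.add(line.lower())  # servicePrincipalName is matched case-insensitively
    return spns

def audit(outputs, expected):
    """Find SPNs missing from each account and SPNs registered on several accounts."""
    registered = {acct: parse_setspn(out) for acct, out in outputs.items()}
    missing = {}
    for acct, want in expected.items():
        gap = sorted(s.lower() for s in want if s.lower() not in registered.get(acct, set()))
        if gap:
            missing[acct] = gap
    owners = defaultdict(set)
    for acct, spns in registered.items():
        for spn in spns:
            owners[spn].add(acct)
    duplicates = {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}
    return {"missing": missing, "duplicates": duplicates}
```

Feed it the real setspn -L output for your own app pool and SQL service accounts; any entry under "duplicates" must be removed from all but one account before Kerberos will be used.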