Archive for category Uncategorized

SharePoint / ISA AAM and SSL Termination issue UPDATE

UPDATE: Take a look HERE for an update.

I’m a blog stats junkie so I pay a lot of attention to what brings people to my site.  Currently one of the most popular posts is this one: SharePoint / ISA AAM and SSL Termination issue.  This really bothered me because I was never able to provide a solution.  It wasn’t important enough to burn a Microsoft support incident since there is a simple workaround. 

This is a quick post to let you know that I gave up and went with the simple workaround.  I no longer terminate SSL on ISA for SharePoint.  It is now SSL end to end: from the client browser to ISA, and from ISA to the SharePoint front-end servers.  Since we own the switches and the internal network between them, the second leg wasn’t strictly necessary from a security standpoint.  The only reason we chose to terminate SSL at ISA was to save the administrative headache. 

We used multiple host headers on a single IP on the SharePoint front ends.  If we needed to add a new web application, it kept the same internal IP and SharePoint simply added the new host header.  In the new, non-SSL-termination world, each front end needs a dedicated internal private IP for each web application (ISA can’t pick the certificate by host header on the back-end leg), plus one external public IP covering all front ends.  As the environment grows, this is going to cause a few headaches.  We have a dedicated subnet for all our internal stuff, but it is possible we would eventually hit some limits, especially as we begin moving other services behind ISA.

I feel bad that I wasn’t able to get this to work since my logs show other people are having this problem.  Hopefully I’ll be able to pick the brains of some experts here in a couple weeks.


3 Comments

Executive buy-in and Governance for SharePoint

Sorry for the absence in posting.  Those of you that followed the old blog are probably used to it.  Things have been incredibly nutty around here lately.  But there is something on my mind I wanted to write a quick post about.  Hopefully this will push me to write something a little more in depth in the future.

Having SharePoint governance is more than just a recommendation.  Having governance in place is a necessity.  They say that if your production SharePoint install is your only install, you don’t actually have a production environment.  You only have a test environment.* The same thing goes for governance.  You can’t have a true production environment  without a governance plan.  If you are an admin for a SharePoint environment without a governance plan, your life becomes incredibly difficult. You have no pull to get anything accomplished.  You may be receiving pressure to move it forward or make changes but without someone with the power to make things happen, they don’t.  You’re at a standstill.  Unless you are willing to be the one stop shop for support, development, administration, end user training, and customization, you need to be able to bring others on board.  You need someone that can force the developers to build a custom solution or can force the Support area to learn the product enough to help with end user needs.

I’m starting to ramble so I’ll cut this short.  If you don’t have executive buy-in or a C-level evangelist, you don’t have a governance plan.  In fact, I would go so far as to say you don’t have a production environment unless you are a very small shop and can handle it all yourself.  I’ll butcher a quote and say “if you build SharePoint, they will come.” They don’t care if you have a governance plan.  They’ll come anyway.  They don’t care if there is an executive evangelist.  They know what it is and they want it. 

Before you put bit to disk, you need a governance plan.  Before you can say you have a governance plan, you need executive backing.  If you ignore it now, it will come back to bite you.  Get it taken care of before you start and your job will be much easier.

Please feel free to include any governance stories you may have in the comments below.  I would love to hear more of your experiences.

* I’ll credit that quote to Andrew Connell but I may be wrong.


No Comments

SharePoint Quick Tip: Are you running MOSS 2007 Standard or Enterprise

John Ferringer replied to a post on the Technet forums that I felt would make a good quick tip.  I have seen this question come up numerous times on the forums.  How can I tell if I am running MOSS 2007 Standard or Enterprise?  There are two ways to answer this.  I’ll show you both below.

The first way is to simply see what you have installed on your server.  There are several ways to do this.  The easiest is to open the Operations tab in Central Administration, then open Enable Enterprise Features.  The edition you have installed is the one selected there.  Note that once you enable Enterprise features, you cannot go back to Standard.

If for some reason you have an aversion to Central Admin, you can also find this in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0.  Find the DWORD value OfficeServerPremium.  A 0 means Standard and a 1 means Enterprise.  I would strongly recommend against changing anything here; flipping the value does not license you for Enterprise, it just confuses the product.
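As an added example (not from the original post or from John’s forum reply), here is a PowerShell function that reads the OfficeServerPremium value above from every server in a farm over the remote registry and reports the edition, then warns if the servers disagree.  Server names are placeholders; it assumes the Remote Registry service is running on the targets, that you are a local administrator on them, and PowerShell 3 or later on the machine you run it from.

```powershell
# Added example, not from the original post: report the installed MOSS 2007
# edition on each farm server by reading OfficeServerPremium, and flag a farm
# whose servers do not agree. Assumes Remote Registry is running on the targets
# and that the caller is a local administrator there (PowerShell 3+).
function Get-MossEdition {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    $subKey = 'SOFTWARE\Microsoft\Office Server\12.0'

    foreach ($computer in $ComputerName) {
        $raw = $null
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hive.OpenSubKey($subKey)
            if ($null -eq $key) {
                $edition = 'MOSS key not present'
            } else {
                $raw = $key.GetValue('OfficeServerPremium')
                # Check for a missing value first: $null -eq 0 is false, but
                # a missing value is not the same thing as Standard.
                if ($null -eq $raw)   { $edition = 'OfficeServerPremium missing' }
                elseif ($raw -eq 0)   { $edition = 'Standard' }
                elseif ($raw -eq 1)   { $edition = 'Enterprise' }
                else                  { $edition = "Unexpected value $raw" }
                $key.Close()
            }
            $hive.Close()
        } catch {
            $edition = "Error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            ComputerName        = $computer
            OfficeServerPremium = $raw
            Edition             = $edition
        }
    }
}

# Usage: server names are placeholders for your front ends and application servers.
$results = Get-MossEdition -ComputerName 'wfe01', 'wfe02', 'app01'
$results | Format-Table -AutoSize

# A farm should give one answer; a mismatch is worth investigating before you
# rely on the result for a licensing conversation.
$editions = @($results |
              Where-Object { 'Standard', 'Enterprise' -contains $_.Edition } |
              Select-Object -ExpandProperty Edition -Unique)
if ($editions.Count -gt 1) {
    Write-Warning "Farm reports mixed editions: $($editions -join ', ')"
}
```

The function only reads; it never writes the value, for the reason given above.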

Now the other way to approach this question has to do with licensing.  There are many times when what you are licensed for is not equal to what you have installed.  To find this answer, you will need to find your media or your software license info.  If you have the official media from Microsoft, it should say it on there.  Mine is labeled Microsoft Office SharePoint Server 2007 For Enterprise.  If you purchased it another way and don’t have the media, you should still have a license.  It was either snail-mailed to you or you received it in an e-mail or download.  If all else fails, talk with whoever handled the purchasing to see what they have.  They should have records or, at the very least, know who to talk to to find out. 

Again thanks to John Ferringer for part of the content of this post.  You should all go out and buy his book:  The SharePoint 2007 Disaster Recovery Guide.


No Comments

SharePoint Quick Tip: Remove Outlook Connection to SharePoint

This is the first in hopefully many Quick Tips.  I would like to make this a weekly thing but we’ll have to wait and see how that goes.

One of the most asked questions I get from end users about SharePoint is “How do I remove the connection from Outlook?”  This is usually requested because they are receiving an excessive number of authentication prompts in Outlook, due to their machine not being configured correctly or some other bug.  In most cases the prompting should end once they add the site to Trusted Sites, allow IE to pass their credentials automatically, and set up the WebClient service in the registry.  Note: at my organization, we also have an installer that will do all of that for you.  If that is too much and they just have to have it removed, here are the steps.

1. In Outlook, go to Tools and Account Settings

[Screenshot: Outlook Tools menu, Account Settings]

2. Click on SharePoint Lists

[Screenshot: Account Settings, SharePoint Lists tab]

3. You may see multiple lists here if you have made more than one connection.  Highlight one and then click Change.

[Screenshot: SharePoint List Options dialog]

4. If you have accessed SharePoint on multiple computers, it is possible that the others have a connection as well.  To clear that up, you need to check the box “Don’t display this list on other computers I use.” If you don’t do that, it is possible the list will come back.  Click OK and return to the List.  You can repeat this process on any other lists you wish to remove.

5. Once you have checked that box for each list, click on Remove and then OK.

That’s all there is to it.  One thing you can do in the future, if you don’t want the list to show up on every instance of Outlook you touch, is check that box before you add the list.  You’ll find it under Advanced when you connect the list.

[Screenshot: Advanced options when connecting a list to Outlook]


No Comments

SharePoint 2007 SP2 Trial Expiration Fix

Everyone else in the SharePoint community is posting this so I might as well too.

Microsoft has released an update for the SP2 Expiration date issue.  The MS SharePoint Team Blog has information about it HERE.

I’ll be installing it soon in test and will let you know how it goes.  In production, I’ll do the manual fix I’ll include below. 

One other quick thing to note is that they say they will be incorporating the hotfix into SP2 within the next few weeks.  If you have an SP2 download stored, be sure to grab the new bits once they are available.

An alternative to installing this update is to fix it manually:

  • Click the Operations tab in Central Administration
  • Go to Convert License Type
  • Enter your product key and hit OK.  That is all it takes.  It will update on every server in your farm.

No Comments

BlackBerry Enterprise Server 5 (BES 5) Maintenance Release Upgrade process

I was asked to step through the process I took to install Maintenance Release 1 for BES 5 last night.  It was pretty basic but I made some pretty pictures I’ll post below.  The process is mostly the same as in BES 4 but with the added benefit of being able to use failover servers.

Our environment has multiple primary servers as well as standby failover servers in a second datacenter.  This allows us to keep functioning if one datacenter were to become unavailable.  It also means I can update the BES without any loss in connectivity for clients. 

I started by updating the failover servers.  If I wanted to, I could have updated one failover server, made it the primary, and checked connectivity.  If all went well, I could fail back and update the other servers.  This might be overkill but it could also save me in the future.  It is something I’ll consider next time.

Once I have the Maintenance Release copied to all the servers, I stop all of the BlackBerry services that are running.  There are a bunch of them so I’ll probably write up a script to do it faster next time.  Start the upgrade:

[Screenshot: Maintenance Release installer start]

Enter your BESAdmin account and Password:

[Screenshot: BESAdmin account and password prompt]

And now you wait:

[Screenshot: installer progress]

Once you are done with the install, you need to restart the services.  I prefer to restart the machine to make sure everything comes up cleanly but it isn’t necessary.

Now that the failovers are updated, you need to actually failover to them in order to patch the primary servers.  This is accomplished in the BAS (BlackBerry Administration Service).  Under Servers and components, expand High Availability, expand Highly available BlackBerry Enterprise Servers, and select the instance you want to update.  Now you simply click Change primary instance to standby instance and confirm:

[Screenshot: BAS, Change primary instance to standby instance]

Update these servers like I wrote above and once you are done, make them the primary again.  That’s all there is to it.
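The stop-everything step above is the one I keep saying I’ll script, so here is an added example of what that script looks like (mine, not RIM’s, and not part of the original post).  It stops every service whose display name starts with “BlackBerry”, records which ones were running, checks that nothing is left running before you launch the installer, and starts only the recorded services again afterwards.  It assumes BES 5 service display names all begin with “BlackBerry” and that you run it in an elevated PowerShell on the BES server; the state file path is a placeholder.

```powershell
# Added example, not from the original post: stop all BlackBerry services before
# the maintenance release installer runs, remember which were running, and start
# only those afterwards. Assumes BES 5 service display names start with
# "BlackBerry"; run elevated on the BES server. State file path is a placeholder.
function Stop-BlackBerryServices {
    [CmdletBinding()]
    param([string]$StatePath = "$env:SystemDrive\bes-running-services.txt")

    $running = @(Get-Service -DisplayName 'BlackBerry*' |
                 Where-Object { $_.Status -eq 'Running' })

    # Record what was running so the start step does not start services that
    # were deliberately disabled before the upgrade.
    $running | Select-Object -ExpandProperty Name | Set-Content -Path $StatePath

    foreach ($svc in $running) {
        Write-Host "Stopping $($svc.DisplayName)"
        # -Force also stops anything that depends on this service.
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }

    # Check: a service still running here means a locked file and a failed install.
    $left = @(Get-Service -DisplayName 'BlackBerry*' |
              Where-Object { $_.Status -ne 'Stopped' })
    if ($left.Count -gt 0) {
        throw "Still not stopped: $(($left | ForEach-Object { $_.DisplayName }) -join ', ')"
    }
    Write-Host "Stopped $($running.Count) BlackBerry services; list saved to $StatePath"
}

function Start-BlackBerryServices {
    [CmdletBinding()]
    param([string]$StatePath = "$env:SystemDrive\bes-running-services.txt")

    if (-not (Test-Path $StatePath)) { throw "No saved service list at $StatePath" }

    foreach ($name in Get-Content -Path $StatePath) {
        Write-Host "Starting $name"
        Start-Service -Name $name -ErrorAction Stop
        (Get-Service -Name $name).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    }
}

# Usage: Stop-BlackBerryServices, run the Maintenance Release installer, then
# either reboot (my preference) or run Start-BlackBerryServices.
```

If you reboot after the install, as I do, the start function isn’t needed; the saved list is still useful as a record of what was running before you touched the server.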

No Comments

SharePoint 401.1 Authentication error when accessing from the local machine

I know this has been posted all over but I’m adding my own since I can never seem to remember it.  It tends to pop back up whenever I bring up a temporary server or a farm recovery server. 

I believe it was in Windows Server 2003 SP1 that Microsoft released a security update that put a bunch of SharePoint admins into a minor panic.  This update caused you to be denied access to your own farms from the local machine(s).  You could browse just fine from a remote machine but if you tried to access it locally, you got the following error after a few failed authentication attempts:

[Screenshot: HTTP 401.1 Unauthorized error page]

You may also notice the following in the security event log:

[Screenshot: failed logon entry in the Security event log]

The biggest problem with this wasn’t the fact that you could no longer access your machine locally.  The likely reason you found out about this is that your users told you search was broken!  Since SharePoint crawls itself by browsing to its own sites locally, the crawler hit the same failed authentication and indexing stopped too. 

The update introduces a loopback security check for IIS 5 and IIS 6.  It prevents NTLM reflection attacks, where an attacker relays the machine’s own credentials back to it.  For more on reflection attacks, check out Wikipedia.  I admit I had to look it up.

Now we know what it is, so how do we tell it that it can trust us to access our own machines locally?  Thankfully this is pretty easy.  There are two ways to do this: you can either disable the loopback check completely or you can specify the host names it will allow.  I would recommend the latter, since keeping the check in place for every other name is good security practice. 

First off, open the registry* (REGEDIT) and browse to:

HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0

Create a new multi-string value (REG_MULTI_SZ) called BackConnectionHostNames and add the host names to it, one per line, without the scheme or port (for example sharepoint.domain.com, not http://sharepoint.domain.com).  These should be the host names of your web applications as they appear in AAM.  After that, restart the IIS Admin service or, better yet, restart the machine.

Now if you would rather disable the check entirely, browse to:

HKLM\System\CurrentControlSet\Control\Lsa

Create a new DWORD value called DisableLoopbackCheck. Give it a value of 1 and restart.  After that, you should be set.

The last thing I want to say is that it’s probably a good idea to do this on all of your front end and application servers.  It shouldn’t be necessary to do it on your SQL server unless SQL is on the SharePoint server or you are experiencing the problem with SQL Reporting Services.
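Since the BackConnectionHostNames value is a multi-string, the easy mistake is to overwrite whatever is already in it when you add a host for a new web application.  As an added example (mine, not from the KB article), here is a PowerShell function that merges new host names into the existing value instead of replacing it, plus a check that tells you if somebody has already set DisableLoopbackCheck on the box, which switches the protection off for every name rather than just the ones you listed.  Host names are placeholders; run it elevated on each front end and application server.

```powershell
# Added example, not from the original post or KB 896861: merge host names into
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\BackConnectionHostNames
# without clobbering existing entries, and report whether DisableLoopbackCheck
# (the blunt option) is set. Run elevated; host names are placeholders.
function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$HostName
    )

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $name = 'BackConnectionHostNames'

    $existing = @()
    $prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.$name) }

    # Host names only (no scheme, no port), lower-cased, de-duplicated.
    $merged = @($existing + $HostName |
                Where-Object { $_ -and $_.Trim() } |
                ForEach-Object { $_.Trim().ToLowerInvariant() } |
                Sort-Object -Unique)

    $bad = @($merged | Where-Object { $_ -match '^[a-z]+://|/|:' })
    if ($bad.Count -gt 0) {
        throw "Not host names: $($bad -join ', ')"
    }

    if ($PSCmdlet.ShouldProcess("$path\$name", "Set to: $($merged -join ', ')")) {
        if ($prop) {
            Set-ItemProperty -Path $path -Name $name -Value $merged
        } else {
            New-ItemProperty -Path $path -Name $name -PropertyType MultiString `
                             -Value $merged | Out-Null
        }
    }

    # Read it back so the caller sees what is actually in the registry now.
    @((Get-ItemProperty -Path $path -Name $name).$name)
}

function Test-LoopbackCheckDisabled {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    return ($null -ne $lsa -and $lsa.DisableLoopbackCheck -eq 1)
}

# Usage: the host names are placeholders for your AAM URLs.
# Use -WhatIf first to see what the merged value would be.
$now = Add-BackConnectionHostName -HostName 'sharepoint.domain.com', 'mysites.domain.com'
Write-Host "BackConnectionHostNames is now: $($now -join ', ')"

if (Test-LoopbackCheckDisabled) {
    Write-Warning 'DisableLoopbackCheck=1 is set: the loopback check is off for all names, not just these.'
}

# The KB says to restart IISAdmin after changing the value (-Force takes W3SVC with it).
Restart-Service -Name IISAdmin -Force
```

If the warning fires, consider deleting DisableLoopbackCheck and relying on the host name list instead; that is the scoped fix and it still protects the server against reflection from any other name.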

Microsoft’s documentation on this feature is available at: http://support.microsoft.com/default.aspx/kb/896861

*It goes without saying, but be careful in the registry.  Take all necessary precautions before messing around in here.

No Comments

SharePoint / ISA AAM and SSL Termination issue

UPDATE: Please click HERE for an update on this post.

UPDATE #2: Click HERE for another update.

I’m having a bit of a problem with Search on Microsoft Office SharePoint Server 2007.  I’m writing this blog for a few reasons.  First, it allows me to put to virtual paper, everything that is in my head before it gets replaced by useless baseball stats or what I have for dinner tonight.  Second, hopefully someone out there will have a solution.  Third, once (and if) I am able to solve it, other people experiencing this problem might stumble across this and use this information to fix it and eventually name their first born after me.  If you are here for number 3, you may want to use my nickname instead: Bada$$ SharePoint MoFo.

Now the main problem here is with the search drop-down box on a site collection.  Normally when you visit a list, the search drop-down will switch to “This List” for the search scope. 

[Screenshot: search scope drop-down showing “This List”]

Handy if all you want to do is search the list.  Unfortunately for me, on both my production and test environments, it doesn’t work that way.  All I see is the “This Site” search scope.  It does correctly search the site but sometimes I want to narrow it down a bit more.

[Screenshot: search scope drop-down showing only “This Site”]

I believe the problem is related to the fact that we publish SharePoint behind ISA and we are using SSL termination.  That means you access ISA via SSL and ISA talks to the SharePoint farm via plain HTTP without SSL.  This was an architecture decision that we needed to make for a number of reasons, so changing it isn’t an option.  Please take a look at the image below for an idea of our setup:

[Diagram: client (HTTPS) to ISA, ISA (HTTP) to SharePoint front ends]

As you can see, we aren’t doing anything too drastic and you would expect this to work.  Unfortunately it doesn’t.  Our AAM settings are as follows:

Internal URL                    Zone      Public URL
http://sharepoint.domain.com    Default   https://sharepoint.domain.com
https://sharepoint.domain.com   Default   https://sharepoint.domain.com

From what I have read, this should all be correct.  One interesting thing is if I enable SSL on the SharePoint front end and browse to it locally, bypassing ISA, the drop-downs work.  If I use the exact same URL from outside and go through ISA, the drop-down no longer works!  I have been commenting on Matthew McDermott’s blog  about this and I’ve found one other person that appears to be having this problem as well.  My machines are patched with SP2 and the April 2009 cumulative update. 

Anyone have any thoughts before I escalate this to Microsoft?  If I come up with a solution, I will post it as an update here.


8 Comments

BlackBerry Administration Service Thawte SSL Certificate install

I ran into a couple of problems earlier while trying to install a new certificate for our BlackBerry Enterprise Servers.  We are running BES 5 and had been using the default self-signed certificate that is made during the install.  We are still in pilot mode so that wasn’t a problem.  Well, we are now gearing up to go production so we needed to get a trusted cert. 

I followed the instructions to make the request that RIM provides in the administration guide and sent the CSR off to our security group to get a cert issued from Thawte.  The CSR was rejected!  Thawte could not determine the key size.  By default the keytool utility chooses 1024 and DSA but it couldn’t figure out the size.  Even if I told it to use 1024 with the -keysize flag, it would still fail.  Viewing the CSR in openssl also did not show the size.  It was not until I chose RSA that it was able to determine the size.  To do this I ran:

keytool.exe -genkey -keysize 1024 -keyalg "RSA" -alias <alias name> -keypass <password> -keystore "<location to web.keystore>"

After that I was able to successfully create the certificate.  Unfortunately I wasn’t done!  Once I tried to import it, I got the error “keytool error: java.lang.Exception: Failed to establish chain from reply.” A quick Bing/Google search and I was able to find out that I needed to add the Thawte root CA to the keystore.  I downloaded the CA and ran:

keytool.exe -import -trustcacerts -alias "Whatever you want" -file <location to thawte .cer> -keystore <location of keystore>

It gave me a warning that “Certificate already exists in system-wide CA keystore under alias <#####> Do you still want to add it to your own keystore?” I said yes and was then able to add our cert.  I copied the web.keystore file to each BES server and restarted the BAS services.
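For anyone repeating this, here is the whole sequence as an added example wrapped in PowerShell so each keytool step is checked before the next one runs (my code, not RIM’s and not part of the original post).  The keytool path, keystore path, alias, passwords, DN and certificate file names are all placeholders.  It uses a 2048-bit RSA key rather than the 1024 used above, because public CAs no longer issue certificates for 1024-bit keys, and it imports the CA certificate under its own alias before importing the issued certificate under the key pair’s alias, which is the order that avoids the “Failed to establish chain from reply” error.

```powershell
# Added example, not from the original post or RIM's guide: generate an RSA key
# and CSR for BAS with keytool, then import the CA chain and the issued cert in
# the right order and verify the result. Every path, alias, password and DN
# below is a placeholder; adjust $keytool to the JRE that BAS uses.
$keytool   = 'C:\Program Files\Java\jre6\bin\keytool.exe'
$keystore  = 'C:\BES\web.keystore'
$alias     = 'bas'
$storepass = 'changeit'          # placeholder; use the real keystore password
$dname     = 'CN=bes.domain.com, O=Example Org, C=US'

function Invoke-Keytool {
    param([string[]]$Arguments)
    $out = & $keytool @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "keytool $($Arguments[0]) failed: $($out -join "`n")"
    }
    $out
}

# 1. Generate an RSA key pair. The default (DSA) is what produced the CSR
#    the CA could not read.
Invoke-Keytool @('-genkey', '-keyalg', 'RSA', '-keysize', '2048',
                 '-alias', $alias, '-dname', $dname,
                 '-keystore', $keystore, '-storepass', $storepass, '-keypass', $storepass)

# 2. Write the CSR to send to the CA.
Invoke-Keytool @('-certreq', '-alias', $alias, '-file', 'C:\BES\bas.csr',
                 '-keystore', $keystore, '-storepass', $storepass)
# If openssl.exe is available, this is where to confirm the key size the CA
# will see:  openssl req -in C:\BES\bas.csr -noout -text

# 3. After the CA returns the certificate: import the root (and any intermediate
#    the CA supplies) under their own aliases first, then the issued certificate
#    under the SAME alias as the key pair. -noprompt answers "yes" to the
#    "already exists in system-wide CA keystore" question from the post.
Invoke-Keytool @('-import', '-trustcacerts', '-noprompt', '-alias', 'thawte-root',
                 '-file', 'C:\BES\thawte-root.cer',
                 '-keystore', $keystore, '-storepass', $storepass)
Invoke-Keytool @('-import', '-trustcacerts', '-alias', $alias,
                 '-file', 'C:\BES\bas.cer',
                 '-keystore', $keystore, '-storepass', $storepass)

# 4. Verify: the alias should be a key entry with a chain longer than one cert,
#    with Issuer showing the CA rather than your own DN.
Invoke-Keytool @('-list', '-v', '-alias', $alias,
                 '-keystore', $keystore, '-storepass', $storepass) |
    Select-String 'Entry type|Certificate chain length|Owner|Issuer'
```

Once step 4 shows the CA as the issuer, copy web.keystore to each BES server and restart the BAS services, as described above.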

This may be obvious to people more familiar with the keytool utility but I’m a Windows guy and usually handle certificates in IIS or the certificates MMC snap-in.  This was new territory for me but thankfully we got it figured out.  Now I need to start the process to move our users to the new environment.


No Comments

Boy do I suck

I had high hopes to put some good content on this blog but between craziness at work and losing a week at TechEd, I managed to not post a single thing to this blog since my initial introduction.  I would apologize but since there isn’t any content here, I’m pretty sure that means I don’t have any readers here either.  Maybe I should put another post on my other blog to let you know I’m still alive.  Better yet, how about I actually post real content!  Unless something blows up, I’ll have a post here shortly.

No Comments