Thursday, 28 June 2012

SharePoint 2010 Kerberos

SharePoint 2010 Kerberos

Business objective for us was to resolve the authentication prompt in Safari browser for MAC users. We have got more than 100 users on MAC it’s a challenge for them and kind of annoying to see the prompt for login credentials in MAC from a user experience perspective. And, also due to some security concerns we wanted to use Kerberos. Single Sign on was the call of the day for MAC users. It’s imperative to understand your business objective before thinking of implementing Kerberos.

Though there is keychain in MAC which stores the password but that doesn’t always work when accessing /editing MS Office documents from SharePoint in Safari. There are ways to configure config file in Mozilla on MAC but it’s daunting to manage this with new releases etc. And, again IT Policies may prohibit users from using Mozilla or something else as supported on MAC is Safari with limitations.

We don’t use PerformancePoint, Power Pivot, SSRS, Excel; services i.e. BI components in SharePoint. It was a straight forward process to implement Kerberos integration with SharePoint 2010.

Initially Idea was to test this and have a proof of concept to move this to the next stage.  Below are the steps to test this:

1)       Understand what service accounts are required.

Service Accounts:

Contoso\spkerberos for the web application
Contoso\sqladmin for the SQL Server
Contoso\spc2wts for Claims to windows service account

2)      In our case I wanted to test this by creating a test service application in test environment

Created a staging web application with claims based authentication: NTLM

3)      In DNS, created a host entry called staging.portal pointing to the WFE Server IP address

Note: Recommendation was don’t use CNAME that will cause serious issues as I learnt from the TechNet documentation, it’s a must read and helps a lot to plan for Kerberos.

Spencer Harbar has a fantastic article on SharePoint 2010 and Kerberos, must read would say

4)      Created the following script to create the SPNs for the service accounts from the SharePoint WFE server and SQL Server

Run this to create service principal names for the service account for web app, claims to windows, sql server

SETSPN -S HTTP/staging.portal Contoso\spkerberos
SETSPN -S HTTP/ Contoso\spkerberos
ECHO ---------------------------------------------------------------
ECHO Setting Service Principal Name on SQLDB Service Account
ECHO ---------------------------------------------------------------
SetSPN -S MSSQLSVC/databseserver01 Contoso\sqladmin
SetSPN -S MSSQLSVC/ Contoso\sqladmin
ECHO ---------------------------------------------------------------
ECHO Setting Service Principal Name on C2W Token Service Account
ECHO ---------------------------------------------------------------
SetSPN -S  SP/C2WTS Contoso\spc2wts

5)      Check the SPNS in the attribute editor of the service Accounts in Active Directory
6)      Change web application authentication from ntlm to negotiate Kerberos
7)      Start claims to windows service
8)      Go to AD and look for delegation properties for all service accounts and delegate trust
9)      Look for event ids 4744 for Kerberos authentication
10)   Use fiddler to track whether it’s using negotiate (Kerberos) or ntlm

Once changes done initially will prompt the login credentials on three of four occasions

Voila now on MAC’S, when accessing SharePoint goes through with ease and without login prompts Nice!

There are other blogs which contains screenshot I just wanted to capture this for a high level understanding of what is required.

Monday, 18 June 2012

SharePoint Foundation Web Application Service Stuck Starting

One of the developers was looking to debug the solution package on a web application from a server which wasn’t hosting the web application as it had visual studio on it. 

Started the Web Application service and it stuck at starting

IISRESET didn’t come to rescue; I had to run the stsadm command by changing the command prompt path to the 14 hives to resolve the service stuck at starting .

stsadm -o provisionservice -action start -servicetype spwebservice

Note: this has to run from the server where you intend to host the web application


There is a KB Article which talks at great length why this happens and how to overcome this:

Thursday, 14 June 2012

SharePoint 2010 Port Numbers in DMZ

SharePoint 2010 Port Numbers in DMZ
There is TechNet article to plan security hardening for SharePoint which talks at great length about what port numbers used, for which protocol and for what type of communication.
In this case, we have a single Web Front End server in DMZ/perimeter zone and a database server in the database layer /network. I hope this picture can be a starting point but it’s a must to read Securtiy Hardening article on TechNet before you decide to place your WFE/s in DMZ.
Placing the WFE servers can have an impact especially in performance as there are some limits set for the bandwidth in most of the organizations i.e. for inbound and outbound communication using some packet shaping tools or some other mechanism. And also considerations should be made whether you intend to have your query component of search on WFE’s (in DMZ) or have them on dedicated application servers depending upon the usage. There are various thing from file size , how many times its accessed on a daily basis, updates happening etc.

Ideally, Forefront TMG can change the rules of the game. Forefront TMG will be placed in DMZ and you mayn't need to place WFE/s in DMZ which may improve the performance specially accessing the portal.  
There is a Visio on external access topology for SharePoint which you can download from here but end of the day it all depends on what are the IT policies you have in your company whether a tool like Forefront TMG is affordable or use of it restricted to SharePoint.
Start a discussion around the table with Network/Firewall Consultant, Security Consultant, SharePoint infrastructure, Application manager to start the proceedings.

Friday, 8 June 2012

Expired sessions are not being deleted from the ASP.NET Session State database

Expired sessions are not being deleted from the ASP.NET Session State database

Sometimes you get this in Health Analyser and this one doesn't have an automatic repair option.

Here is how you can fix this:

There is a timer job called State Service Delete Expired Sessions

Run this manually

Give it 5 minutes and refresh the central admin the warning/error should not be there

Please note this job is set to run every hour unless the scheduled has been altered.

If that doesn't work, launch the SQL Server Management Studio
Connect to Your Database Engine
Select State Service Database (you will have proper name if your have taken care off the GUID while provisioning the State Service App or else stateservice_someguid)

Run this query to see any expired sessions

Select * from session against the State Service Database

If  any, run the procedure to clear this: proc_DeleteExpiredItems

Make sure SQL Server Agent is started

You can also create a job as a part of maintenance plan  in SQL Server if required to automate it but the timer job is there to handle this.

Wednesday, 6 June 2012

The service manager data warehouse SQL reporting services is currently unavailable. You will be able to execute reports until this server is available. Please contact your system administrator. After the server becomes available please close your console and re-open to view reports SCSM 2012

Error: The service manager data warehouse SQL reporting services is currently unavailable. You will be able to execute reports until this server is available. Please contact your system administrator. After the server becomes available please close your console and re-open to view reports SCSM 2012
We encountered this error in our SCSM 2012 test environment. On further diagnosis figured out the SSRS box had some serious issues, after fixing one issue it was going in cycles other issue popped in. finally decided to reinstall SSRS but when you do that you lose SSRS configuration changes, encryption key.
I would suggest to take a backup of Report Server and Report Server Temp databases via management studio or scripts whatever you prefer and the encryption key from SSRS Configuration Manager before performing any steps
In our case the backup of encryption wasn’t available. Here is what we did to resolve the issue.
1)       Backup of Report Server and Report Server Temp Databases from SCSM 2012 Production environment
2)      Back up Encryption key from SSRS Configuration Manager Production Environment
3)      Restored the Report Server and Report Server Temp Databases as ReportServerNew and RepoertServerNewTemp DB’s on SCSM 2012 Test environment
4)      From SSRS Configuration manager, associated the new two databases
5)      Restored the encryption key from Production into Test environment via SSRS Configuration Manager
Note: This is the tricky part, when you restore the encryption key; it creates an entry of the Production and Test instance in your restored Report Server Database on Test Environment.
6)      To overcome this, Launch Management Studio, Connect to the Database Engine
Expand ReportServerNew Database, Navigate and Select KEYS Table
Expand KEYS table, edit and delete the entry mapped to Production Instance.
7)      Follow the steps from here to copy Microsoft.EnterpriseManagement.Reporting.Code.dll and edit Rssrvpolicy.config  to add segment code
8)      When that’s done, stop and Start the SSRS Service
Launch SCSM console you should see the reports there provided the ReportGroup has permissions on SSRS Report Manager URL.  In our case ReportGroup is an AD Group that contains the list of users who can run reports in SCSM 2012 Console.
This resolved the issue for me and happy jolly days.
Key thing is to have the backup of your report server databases and encryption , configuration file, without that it’s difficult to make this working.