Muthupet, TamilNadu, India
SharePoint 2010

Tuesday, June 3, 2014

Step by Step Kerberos Authentication for SharePoint 2010


Introduction
Kerberos authentication, created at MIT and named after Hades’ three-headed guard dog Cerberus (according to Wikipedia), has been around for decades.  The latest version 5, implemented currently by Active Directory, was released in 1993.  The protocol is designed to provide rapid, secure authentication to users on a multi-system network, or “farm” as we like to call them.

Advantages over Traditional Windows Authentication

The main advantage of Kerberos over NTLM or forms-based authentication is delegation: a user's identity can securely traverse multiple servers, from the browser to SharePoint and on to SQL Server, without the user re-keying credentials and without any server holding a copy of them.  NTLM gives you single sign-on to the first server only; Kerberos extends it through the whole chain.
A secondary advantage is speed.  Authenticating a connection with a Kerberos ticket is considerably faster than NTLM, because the client presents a cached ticket instead of every authentication being relayed to a domain controller for validation.

Platform Uniformity

Another advantage is platform uniformity.  Any application, whether you wrote it, Microsoft wrote it, or anyone else wrote it, which uses Integrated Windows Authentication can automatically use Kerberos: the Negotiate (SPNEGO) provider picks Kerberos when a ticket can be obtained and falls back to NTLM otherwise.  It's built in to Windows and Active Directory and doesn't require custom code like a forms-based or claims-aware provider.  Enabling it is as simple as switching the web application's Windows authentication provider from NTLM to Negotiate (Kerberos).

Necessity

Many farm scenarios do not warrant Kerberos authentication.  How can you tell if yours does?  There is a simple test: the double hop.  Draw a quick diagram of your farm topology.  If any server is two or more hops away from your client (the client talks to SharePoint, and SharePoint then talks to SQL Server on the client's behalf), you need Kerberos only when that second connection has to be made as the user.  The figure below shows the double-hop scenario.
Figure 1: The Double-Hop
Each connection, or "hop," must be authenticated.  Thus the SharePoint server must establish a secure, authenticated connection to SQL Server in order to return data for the user.  NTLM can authenticate the first hop but cannot forward the user's identity across the second one (the classic double-hop problem), so if the data connections above need to impersonate the user, they must use delegation.  Kerberos authentication allows SharePoint and SQL Server to implement delegation.

Real-World Examples

The most common example of Kerberos in practice involves Reporting Services.  A user browses to a SharePoint document library to run a Report with data in a SQL Server database.  SharePoint and SQL Server both implement Kerberos authentication to allow the user to view the Report using the user’s own credentials.  No login prompts, no proxy accounts, no stored credentials.
Setup
Setting up Kerberos authentication for SharePoint and SQL Server takes only a few minutes.  Follow the steps below to get it running in your farm.  We will assume that SharePoint requires classic mode authentication for the Web Application.  (Obviously, you will need to change CONTOSO to your Domain name and use your actual service accounts.)

1. Configure SQL Server

Configuring SQL Server to use Kerberos is easy.  Create a Service Principal Name for your SQL Server by running the setspn.exe utility from the command line.  NOTE: you will need to be a Domain Administrator, or have been delegated write access to the servicePrincipalName attribute of the service account, to do this:
Figure 2: setspn.exe Syntax

Service Principal Names

You will need to become familiar with Service Principal Names to set up Kerberos.  An SPN registration has two halves: the service (the name a client asks the KDC for a ticket to) and the principal (the account whose key the KDC encrypts that ticket with).  For the SQL Server above:

Service:    MSSQLSvc/DB-SRV-01:1433
Principal:  CONTOSO\SqlServer

The pieces are:

Service Class (MSSQLSvc): the unique class name of the service.  It differs between different types of services.
Endpoint (DB-SRV-01): the DNS address where the service is accessed.  In this case it is the server name, but it can also be the fully-qualified domain name, like db-srv-01.contoso.local, or an alias like database.contoso.local.
Port (1433): the port is needed if it is not the standard port for the Service Class.
Domain (CONTOSO): the NetBIOS domain name of the Active Directory domain where the service account resides.
User (SqlServer): the login name of the service account itself.

Active Directory matches SPNs case-insensitively, but other Kerberos implementations (MIT, Heimdal, Java clients) treat them as case-sensitive, so always use the canonical casing: MSSQLSvc, HTTP.
For good measure, Microsoft recommends creating multiple Service Principal Names.  The reason: the client builds the SPN it requests a ticket for from the host name in its connection string and, depending on the client library, the port, and then asks the KDC for exactly that SPN.  Whether or not the client includes the port, the SQL Server service account must hold the matching SPN.  The solution: create all of the following SPNs for SQL Server:
MSSQLSvc/DB-SRV-01 CONTOSO\SqlServer
MSSQLSvc/DB-SRV-01:1433 CONTOSO\SqlServer
MSSQLSvc/DB-SRV-01.contoso.local CONTOSO\SqlServer
MSSQLSvc/DB-SRV-01.contoso.local:1433 CONTOSO\SqlServer
Note the variation in the Endpoint and Port.  We do this to cover every combination a client application could throw at SQL Server.  This is the best practice.  Each SPN may be registered on exactly one account in the forest; a duplicate breaks Kerberos for that service and makes clients fall back to NTLM, so use setspn -S, which checks for duplicates before adding, rather than setspn -A.

2. Create a Web Application

Create a new Web Application in SharePoint 2010 to use with Kerberos authentication.  Pick Classic Mode Authentication and make sure NTLM is used.  This Web Application will be created as the Default Zone.  We want to put this on a non-standard port and use NTLM authentication to ensure that we can always access it from the SharePoint server itself.
Note: you must use a Domain Account for the application pool identity.
Figure 3: New Web Application

3. Extend the Web Application to use Kerberos Authentication

Extend the Web Application you just created.  Set the Zone to Intranet and put the site on Port 80.  Use the host header intranet.contoso.local:
Figure 4: Web Application Extension
When you click OK you will get a warning about Kerberos.  Don’t worry: the Service Principal Name can be created before or after the Web Application Extension.

4. Create the DNS Record

Your server needs a static IP address and a DNS record to be accessed by users.  When Kerberos is involved, you must create an A (address) record and not a CNAME (canonical name, or alias) record for the SharePoint Web Application Extension.  The reason: some clients resolve a CNAME to its target and build the SPN from the target host name rather than the name in the URL, so they request a ticket for HTTP/<real-server-name>, which no account holds, and silently fall back to NTLM.  An A record sidesteps the problem:
Figure 5: New DNS Record
Enter the IP address of the SharePoint server and the host name of the Web Application Extension into the box and click Add Host to save the new DNS record.  The automatically generated FQDN should read intranet.contoso.local.

5. Create a Service Principal Name

Just like we did for SQL Server, create a Service Principal Name for the SharePoint Web Application Extension:
Figure 6: SharePoint SPN
The SharePoint Service Principal Name breaks down as follows:

Service:    HTTP/intranet.contoso.local
Principal:  CONTOSO\SP_WebApp

Service Class (HTTP): HTTP works for both http and https connections.
Endpoint (intranet.contoso.local): the DNS address where SharePoint is accessed.  In this case it is the host header of the Web Application Extension.
Port (none): 80 is the standard port for the HTTP class, therefore we don't include it.  Browsers never put a port in an HTTP SPN, so there is no need to register HTTP/intranet.contoso.local:80.
Domain (CONTOSO): the NetBIOS domain name of the Active Directory domain where the service account resides.
User (SP_WebApp): the login name of the SharePoint Application Pool account.

If users also browse the site by its short name (http://intranet), register HTTP/intranet on the same account as well.
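The SPN registrations for both SQL Server (the four variants listed earlier) and the SharePoint web application, as one PowerShell script.  This is an added example and not part of the original post; the host names, port and account names are the post's sample values, and it assumes setspn.exe (Windows Server 2008 or later) and an account that is allowed to write servicePrincipalName on the two service accounts.

```powershell
# Added example (not from the original post): register the SPNs for the SQL
# Server service account and the SharePoint application pool account, refusing
# to proceed if any SPN is already held by a different account.
# Host names, port and account names are the post's sample values; change them
# to match your farm. Run from an elevated prompt on a domain-joined machine.

$SqlHost      = 'DB-SRV-01'
$SqlFqdn      = 'DB-SRV-01.contoso.local'
$SqlPort      = 1433
$SqlAccount   = 'CONTOSO\SqlServer'

$SpHostHeader = 'intranet.contoso.local'
$SpAccount    = 'CONTOSO\SP_WebApp'

# Every SPN a client might construct for each service (see the tables above).
$SpnPlan = @(
    @{ Spn = "MSSQLSvc/$SqlHost";            Account = $SqlAccount }
    @{ Spn = "MSSQLSvc/${SqlHost}:$SqlPort"; Account = $SqlAccount }
    @{ Spn = "MSSQLSvc/$SqlFqdn";            Account = $SqlAccount }
    @{ Spn = "MSSQLSvc/${SqlFqdn}:$SqlPort"; Account = $SqlAccount }
    @{ Spn = "HTTP/$SpHostHeader";           Account = $SpAccount }
)

function Find-SpnOwner {
    # Returns the sAMAccountName of every directory object already holding the
    # SPN. An SPN held by two accounts breaks Kerberos for that service: the KDC
    # cannot tell which account's key to encrypt the ticket with, and clients
    # fall back to NTLM or fail outright.
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
}

# Refuse to add anything while a conflicting registration exists.
$conflicts = foreach ($entry in $SpnPlan) {
    $wanted = $entry.Account.Split('\')[-1]
    foreach ($owner in @(Find-SpnOwner -Spn $entry.Spn)) {
        if ($owner -ne $wanted) { "{0} is already registered on {1}" -f $entry.Spn, $owner }
    }
}
if ($conflicts) {
    $conflicts | Write-Warning
    throw 'Resolve duplicate SPNs before registering new ones.'
}

foreach ($entry in $SpnPlan) {
    # -S (not -A) makes setspn re-check the forest for duplicates before adding.
    setspn.exe -S $entry.Spn $entry.Account
}

# Show what each account now holds.
setspn.exe -L $SqlAccount
setspn.exe -L $SpAccount
```

The duplicate check is the part worth keeping around: a second account holding the same SPN is the most common reason Kerberos "is configured" yet clients keep using NTLM.  Remember also that any domain user can request a service ticket for a registered SPN and attack the service account's password offline, so accounts that carry SPNs need long, random passwords.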

6. Enable Constrained Delegation

If this were SharePoint 2007, we'd be done.  But SharePoint 2010 requires constrained delegation: the application pool account must be allowed to present the user's identity to SQL Server, and only to SQL Server.  To enable it you have to connect to the Domain Controller and enable delegation on the account used to host the SharePoint Web Application Pool.
Remote Desktop into the Domain Controller, open Active Directory Users and Computers, then locate the SharePoint Web Application Pool account.  Double-click on the account and locate the Delegation tab (it only appears once at least one SPN is registered on the account, which is why the SPN is created first):
Figure 7: Delegation
Pick Trust this user for delegation to specified services only, select Use Kerberos only, click Add, and add the MSSQLSvc SPNs of the SQL Server (search for the CONTOSO\SqlServer account and pick its SPNs).  Do not pick Trust this user for delegation to any service: that is unconstrained delegation, which lets the account impersonate every user who authenticates to it against any service in the domain, and it is not what "constrained" means.  Choose Use any authentication protocol only for service applications that receive the user as a claim and need protocol transition (those that go through the Claims to Windows Token Service).  Click OK.  SharePoint will now authenticate clients using Kerberos authentication to http://intranet.contoso.local
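The Delegation tab settings above done with PowerShell, plus an audit for accounts that were left on the "any service" setting.  This is an added example, not from the original post; it assumes the Active Directory module (RSAT, Windows Server 2008 R2 or later) on the machine you run it from, and uses the post's sample account and SPN names.

```powershell
# Added example (not from the original post): configure Kerberos constrained
# delegation for the SharePoint application pool account and audit the domain
# for accounts still trusted for unconstrained delegation.
# Account and SPN names are the post's sample values.
Import-Module ActiveDirectory

$SpAccount = 'SP_WebApp'
$SqlSpns   = @(
    'MSSQLSvc/DB-SRV-01.contoso.local:1433',
    'MSSQLSvc/DB-SRV-01:1433',
    'MSSQLSvc/DB-SRV-01.contoso.local',
    'MSSQLSvc/DB-SRV-01'
)

function Set-ConstrainedDelegation {
    # Equivalent of the Delegation tab's "Trust this user for delegation to
    # specified services only":
    #   - msDS-AllowedToDelegateTo lists the only SPNs this account may obtain
    #     tickets for on behalf of a user ("Use Kerberos only");
    #   - TrustedForDelegation (unconstrained, "any service") is cleared;
    #   - TrustedToAuthForDelegation ("Use any authentication protocol",
    #     i.e. protocol transition) stays off unless explicitly requested.
    param(
        [string]$Account,
        [string[]]$TargetSpns,
        [switch]$ProtocolTransition
    )
    Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }
    Set-ADAccountControl -Identity $Account `
        -TrustedForDelegation $false `
        -TrustedToAuthForDelegation ([bool]$ProtocolTransition)
}

function Get-UnconstrainedDelegationAccounts {
    # Any user account with TRUSTED_FOR_DELEGATION can impersonate every user
    # that authenticates to it against every service in the forest. Domain
    # controllers legitimately carry the flag; service accounts should not.
    Get-ADUser -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
        Select-Object -ExpandProperty SamAccountName
}

Set-ConstrainedDelegation -Account $SpAccount -TargetSpns $SqlSpns

# Verify what the account now has.
Get-ADUser $SpAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Format-List SamAccountName, msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation

'User accounts still trusted for unconstrained delegation:'
Get-UnconstrainedDelegationAccounts
```

Run the audit function on its own from time to time: an account that was once set to "any service" keeps that power until somebody clears it, and nothing in SharePoint will complain.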
Workarounds
A common work-around to the Real-World Scenario above, when Kerberos authentication is not involved, is a proxy account: hard-code a set of credentials into the Report itself.  When the user accesses the Report, SharePoint connects to SQL using the stored credentials.  This is also what the Secure Store Service does.  It is a form of delegation too, but it does not pass the user's own identity to the data store: it uses a proxy account.  Thus all users get the same rights on the data store, and a shared password is saved with the Report's connection string.  If this does not meet your requirements, you need to call in Kerberos to handle the connection.
Looking Ahead
Even though Kerberos is not always needed, or possible (extranets, for example), the introduction of External Content Types in SharePoint 2010 as a reporting tool will greatly increase the need for it.  With the increased maturity and new features in PerformancePoint, PowerPivot, and Reporting Services in SharePoint mode, if your data is not on the SharePoint server itself you will need to use delegation.  The choice that provides the lowest maintenance overhead, the highest level of security, and the lowest processor overhead is Kerberos authentication.  Try it out in a VM farm on your local computer.  It's a great tool to have in your SharePoint architect's toolbox.

Testing Kerberos

There are tools available for testing Kerberos, but it is quite easy to determine if it is running properly.
When it is enabled but not working the following symptoms may be present:
  1. Login prompts appear where they previously did not under NTLM authentication.
  2. Logon errors appear in the Windows Security event log, typically stating that Kerberos authentication failed.
  3. Users are prompted to log in from Office applications even though their machines are domain members and the logged-in user should have rights.
When Kerberos is first configured for the application pool account, an event appears in the Security log on the domain controller stating that a Kerberos service ticket was requested for the SharePoint SPN.
Open SharePoint in a browser using the URL where Kerberos is now configured and then refresh the Security log.  If Kerberos is running properly, such ticket-request events will appear on a regular basis.
For particular users who log in, the logon events on the SharePoint server will show Kerberos, rather than NTLM, as the authentication package.
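Two checks for the symptoms above, as an added example that is not from the original post: one from a client, one on the SharePoint server.  The "ticket was requested" message the post refers to is event 4769 on the domain controller; the server-side check here uses event 4624 on the web front end, which records the authentication package that was actually negotiated.  The URL and SPN are the post's sample values; the script assumes klist.exe (Windows 7 / Server 2008 R2 or later) and read access to the Security log.

```powershell
# Added example (not from the original post): confirm whether users reach
# SharePoint with Kerberos or silently fall back to NTLM.
# URL and SPN are the post's sample values.
$SpUrl = 'http://intranet.contoso.local/'
$SpSpn = 'HTTP/intranet.contoso.local'

function Test-ClientKerberosTicket {
    # Run on a domain-joined client. Loads the page as the logged-on user, then
    # looks in the ticket cache for a service ticket for the SharePoint SPN.
    # No ticket after a successful load means the client never attempted
    # Kerberos (SPN missing, CNAME in DNS, site not in the Intranet zone) and
    # used NTLM instead.
    param([string]$Url, [string]$Spn)
    $web = New-Object System.Net.WebClient
    $web.UseDefaultCredentials = $true
    $null = $web.DownloadString($Url)
    $tickets = klist.exe tickets
    [bool]($tickets | Select-String -SimpleMatch "Server: $Spn" -Quiet)
}

function Get-NetworkLogonPackages {
    # Run on the SharePoint web front end. Summarises network logons
    # (event 4624, logon type 3) in the last $Hours by authentication package.
    # Healthy Kerberos shows domain users under "Kerberos"; a steady count of
    # domain users under "NTLM" means the fallback is still happening.
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                User    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Type    = $data['LogonType']
                Package = $data['AuthenticationPackageName']
                Source  = $data['IpAddress']
            }
        } |
        Where-Object { $_.Type -eq '3' -and $_.User -notlike '*$' } |
        Group-Object Package |
        Select-Object Name, Count
}

# On a client workstation:
if (Test-ClientKerberosTicket -Url $SpUrl -Spn $SpSpn) {
    'Kerberos service ticket obtained for SharePoint.'
} else {
    'No Kerberos ticket for SharePoint: the client used NTLM.'
}

# On the SharePoint web front end:
Get-NetworkLogonPackages -Hours 1 | Format-Table -AutoSize
```

Machine accounts (names ending in $) are filtered out of the server-side summary because they legitimately use both packages and would hide the user traffic you care about.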
By: Saravanan.J

Tuesday, March 11, 2014

Integrating SharePoint 2010 and SQL Reporting Services 2008 in 6 easy steps



There are only 6 main steps to achieve this task assuming you already have an instance of SQL Server Reporting Services and SharePoint 2010.
I had created this starting from a clean installation of SQL Reporting Services so this guide will discuss the steps on configuring your SQL Reporting Services 2008 for integration with SharePoint 2010.

Step 1: Configuring SQL Reporting Services – Web Service URL

Simply go to Reporting Services Configuration Manager, choose Web Service URL and populate the needed information. The fields are named properly so I guess there is no need for further explanation. What this does is register the URL (virtual directory name and port) with HTTP.SYS for the report server web service; Reporting Services 2008 does not run inside IIS.

Step 2: Configuring SQL Reporting Services – Create a Report Database

Same here: the fields need no further explanation except for one, the Report Server Mode (Native or SharePoint Integrated), which I will explain below.
Choose create a database or if you already have one choose an existing one. For this example, we will create a new one:

Connect to the database where you want your Report Data to be stored:

Give it a Name and a Report Server Mode.
With SharePoint Integrated Mode the report RDLs are stored on SharePoint and not in the Report Database. For this instance, we will use the SharePoint Integrated Mode:

Specify the credentials that the report server will use to connect to the database.

Review your configuration.

Then wait while it's configured.

Step 3: Configuring SQL Reporting Services – Create a Report Manager URL

As with the Web Service URL, this registers the Report Manager virtual directory with HTTP.SYS. In SharePoint Integrated mode Report Manager is not used (reports are managed from SharePoint), so this step is optional for our scenario.

That's it. At this point, your report server is configured for SharePoint 2010 integration.

Step 4: SharePoint Integration Configuration – Reporting Services Integration

Simply go to SharePoint 2010 Central Administration, then General Application Settings, then choose Reporting Services Integration.

Now populate the fields using the Web Service URL you configured a while ago in Step 1 of this guide.

Once done, you will see the Activation State message.

Step 5: SharePoint Integration Configuration – Add a Report Server to the Integration

Now add the report server by entering the Server Name and the Server Instance.

At this point it's all done, all you have to do now is try it out.

Step 6: Verify by Checking the Server and Uploading a Report

To verify if it's now integrated, go to Site Settings on your SharePoint Site, then Site Collection Features.


Check if the Report Server Integration Feature is Active, if not just click activate:

Now try to use the SQL Server Reporting Services Webpart:


Or you can also upload a report from a library.

That's it, so simple!

Friday, February 28, 2014

To create a SiteCollection with a host header irrespective of the WebApplication host header

This works even if the Web Application itself was created without a host header.
Solution, in the SharePoint 2010 Management Shell:
New-SPSite http://host.header.site.url -OwnerAlias DOMAIN\username -HostHeaderWebApplication http://servername

The -HostHeaderWebApplication parameter creates a host-named site collection inside the web application that answers at http://servername, so the site collection responds on its own host name regardless of the web application's host header.

You also need to add an A record in DNS that points host.header.site.url at the SharePoint server.

** If you want to make this work on your dev machine, add an entry to the hosts file on your SharePoint server instead (the file is named hosts, with no extension):

C:\Windows\System32\drivers\etc\hosts

for example:

127.0.0.1          intranet.c2il.com

Tuesday, February 4, 2014

Using PowerShell to Calculate SharePoint database size

Method 1:

Get-SPDatabase | Sort-Object disksizerequired -desc | Format-Table Name, @{Label ="Size in MB"; Expression = {$_.disksizerequired/1024/1024}} 

This lists all of your databases, from largest to smallest and their size in MBs. Its output looks like this:

Name Size in MB
---- ----------
WSS_Logging 1657
SharePoint_Config 505
Search_Service_Application_PropertyS... 158
SharePoint_AdminContent_9cdc3220-ff2... 99
Search_Service_Application_DB_79408a... 99
WSS_Content 74
WSS_Content_OOTB_upgrade 46
WSS_Content_ac5e33ae4e354dd493b6da17... 26
wss_content_upgrade 26
WSS_Content_portal 24
Search_Service_Application_CrawlStor... 17
User Profile Service Application_Pro... 7
Bdc_Service_DB_a95c44b879ef48f8a5307... 6
WebAnalyticsServiceApplication_Repor... 6
WebAnalyticsServiceApplication_Stagi... 5
Application_Registry_Service_DB_2f70... 4
Managed Metadata Service_c23b61fed61... 3
managed_metadata_the_truth 3
User Profile Service Application_Soc... 3
User Profile Service Application_Syn... 2
StateService_783e168d26fd498b9be3061... 2
Secure_Store_Service_DB_89dc97ed2262... 2
PerformancePoint Service Application... 2
WordAutomationServices_00a4e73d0d734... 2 

That's pretty helpful, but it doesn't answer that burning question, how much space is needed. I came up with this to answer that question:

Get-SPDatabase | ForEach-Object {$db=0} {$db +=$_.disksizerequired; $_.name + " - " + $_.disksizerequired/1024/1024} {Write-Host "`nTotal Storage (in MB) =" ("{0:n0}" -f ($db/1024/1024))}

Its output looked this this:

StateService_783e168d26fd498b9be3061299862269 - 2
Secure_Store_Service_DB_89dc97ed22624025ae6e9a69f2684978 - 2
WordAutomationServices_00a4e73d0d7341cdac915e8247da5211 - 2
User Profile Service Application_SocialDB_f2c646049bfd4456b612e454ac1a73fd - 3
Bdc_Service_DB_a95c44b879ef48f8a53070abd98a9d03 - 6
WebAnalyticsServiceApplication_StagingDB_51bf4216-80fa-45d5-b580-b5d419c8e269 - 5
SharePoint_Config - 505
PerformancePoint Service Application_c575f52198844d46a6c2d29c69a6594a - 2
Search_Service_Application_CrawlStoreDB_6c608154693c412bb9fc1e35235e502f - 17
Search_Service_Application_PropertyStoreDB_d7726abcc15f425eb39428f3d6d983d4 - 158
Application_Registry_Service_DB_2f70cb1bdc274522ac5ca345df9de86e - 4
SharePoint_AdminContent_9cdc3220-ff2c-4b52-abcf-ad9ce1ba463d - 99
WSS_Content - 74
WSS_Content_ac5e33ae4e354dd493b6da176e9e6c84 - 26
WSS_Content_OOTB_upgrade - 46
WSS_Content_portal - 24
wss_content_upgrade - 26
Search_Service_Application_DB_79408a739be74c18ac0b44630382b13c - 99
Managed Metadata Service_c23b61fed6114e88af70931a2add3c36 - 3
managed_metadata_the_truth - 3
User Profile Service Application_ProfileDB_15a709d2085741fb9ed182d6e77e2a4f - 7
WSS_Logging - 1654
User Profile Service Application_SyncDB_9ff01258380945d99a5c9e8e110b6835 - 2
WebAnalyticsServiceApplication_ReportingDB_c7b9b6b2-f3d7-40c4-b72f-70a47e78deec - 6

Total Storage (in MB) = 2,775 

Method 2:

# Get SharePoint content database sizes, write them to a dated report and mail it
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$date = Get-Date -Format "dd-MM-yyyy"
# Variables that you can change to fit your environment
$TXTFile = "D:\Reports\SPContentDatabase_$date.txt"
$SMTPServer = "yourmailserver"
$emailFrom = "SharePointReports@company.com"
$emailTo = "youradmin@company.com"
$subject = "Content Database size reports"
$emailBody = "Daily/Weekly/Monthly report on Content databases"
$webapps = Get-SPWebApplication
foreach($webapp in $webapps)
{
    $ContentDatabases = $webapp.ContentDatabases
    Add-Content -Path $TXTFile -Value "Content databases for $($webapp.Url)"
    foreach($ContentDatabase in $ContentDatabases)
    {
        # DiskSizeRequired is in bytes; report it in GB with two decimals
        $ContentDatabaseSize = [Math]::Round(($ContentDatabase.DiskSizeRequired/1GB),2)
        Add-Content -Path $TXTFile -Value "-     $($ContentDatabase.Name): $($ContentDatabaseSize)GB"
    }
}
if(!($SMTPServer) -OR !($emailFrom) -OR !($emailTo))
{
    # Single quotes so the variable names are printed literally instead of being expanded
    Write-Host 'No e-mail being sent. If you do want to send an e-mail, please enter values for $SMTPServer, $emailFrom and $emailTo.'
}
else
{
    Send-MailMessage -SmtpServer $SMTPServer -From $emailFrom -To $emailTo -Subject $subject -Body $emailBody -Attachments $TXTFile
}
The result
Scheduling the script
Save the script (In my example: C:\Install\Get-SPContentDatabaseSize.ps1)
Start the Task scheduler: Start –> Run: taskschd.msc Create a new task:
General
- Make sure the account running the task has sufficient permissions to access the databases
- “Run whether user is logged on or not” should be checked.
- Run with highest privileges has to be checked.
Triggers

The triggers can be set to your requirements, in this example I scheduled the task weekly at 6PM.
Actions
To run a PowerShell script as a scheduled task, you cannot simply put C:\Install\Get-SPContentDatabaseSize.ps1 in the "Program/script" field; the task has to start powershell.exe and hand it the script.
You should do the following:
Program/script: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
Add arguments (optional): -NoProfile -File C:\Install\Get-SPContentDatabaseSize.ps1
If the server's execution policy blocks unsigned scripts, sign the script or set the policy to RemoteSigned for the task account rather than disabling it system-wide.
 

Thursday, January 30, 2014

SharePoint Server 2010 Service Pack 2 has been released (Updated July 31st, 2013)

Service Pack 2 for the SharePoint 2010 Product Family has been released today.
Below you can find the KB article for each package:
SharePoint Server 2010 SP2: KB2687453 (64-bit)
Office Server Language Pack SP2: KB2687462 (64-bit)
SharePoint Foundation 2010 SP2: KB2687464 (64-bit)
SharePoint Foundation 2010 Language Pack SP2: KB2687466 (64-bit)
FAST Search Server 2010 for SharePoint SP2: KB2687446 (64-bit)
Office Web Apps 2010 SP2: KB2687470 (64-bit)
Project Server 2010 SP2: KB2687452 (64-bit)
Search Server 2010 SP2: KB2687461 (64-bit)
SharePoint 2010 Indexing Connector for Documentum SP2: KB2687459 (64-bit)
SharePoint Designer 2010 SP2: KB2687463 (32-bit, 64-bit)
SharePoint Foundation 2010 Client Object Model Redistributable SP2: KB2687467 (32-bit, 64-bit)

Apply August 2010 Cumulative Update on SharePoint Server 2010

Time to patch up… 
The August 2010 CU has been released, and it is much simpler this time than the June 2010 CU: there are full packages available for each product.
Check the KB articles for more information about the fixes included and the modified files:
  • KB 2352346 - SharePoint Foundation 2010
  • KB 2352342 - SharePoint Server 2010
  • KB 2352345 - SharePoint Server 2010 with Project Server
As you see there is a separate Full Server Package for SharePoint Server 2010 with Project Server which simplifies patching of this common installation.
The Full Server Packages for August 2010 CU can be downloaded here:
In this post I am going to walk through how we can install the August 2010 CU in our SharePoint Server 2010 farm. I have a very small farm (test environment):
1 WFE, 1 Application Server and another server with the DC and SQL Server (OS: Windows 2008 R2 Enterprise Edition).
RTM version: 14.0.4763.1000
Once we apply the August 2010 CU the new version will be: 14.0.5123.5000
I have installed 4 language packs (Hindi, Arabic, Spanish & Japanese) and Office Web Apps in my SharePoint Server 2010 farm.
The SharePoint Server 2010 CU full package comes with the patches for SharePoint Foundation 2010, so there is no need to install the SharePoint Foundation 2010 August CU before applying the SharePoint Server 2010 August CU.
If you are applying the patch to a production farm, plan it properly and back up the databases before applying the patch.
Let’s start….
1.       Install the bits on all SharePoint servers by double-clicking office-kb2352342-fullfile-x64-glb.exe. Do not run the Post Setup Configuration Wizard immediately after the installation on a server farm: if the bits are not yet installed on every server, PSConfig detects this and refuses to continue. So make sure all servers have the August 2010 CU bits installed first.
2.       After installing the bits on each server, run the Post Setup Configuration Wizard on the Application server. In SharePoint 2010 you can even run the PSConfig wizard in parallel on all SharePoint servers. Behind the scenes the servers are not updated in parallel: each server takes a lock and waits for the others to complete their part of the update; once they are done the lock is released and the upgrade continues.
Eg: see the screen shot below:
3.       After completing all PSConfig tasks on all servers it opens the SharePoint Central Administration website. In my test environment PSConfig failed at step 10 with an error saying that it could not get the resource information of one language pack. I was able to fix it by running PSConfig from the command line, in the 14\BIN folder (%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\BIN):
PSConfig.exe -cmd upgrade -inplace b2b -wait -force
Whenever we use the PSConfig wizard it issues a timer job to do the upgrade. Notice that the command-line version has two extra parameters, -wait and -force: -wait means do not issue a timer job but do the upgrade directly in this process, and -force reruns the upgrade even if a previous PSConfig wizard run left it stuck.
The screenshot below shows how it looks.
If there are any issues you will find the exact exception in the PSConfig setup logs in the 14\LOGS folder.
4.       The next step is validating the installation. First check the version number of your SharePoint Server farm.
a)       Open Central Administration -> System Settings -> Manage servers in this farm (under Servers).
Like the screenshot below, this page lists all servers with details of language packs, services and the configuration database version, which should now be 14.0.5123.5000. The Status column tells you whether any server needs further action (e.g. if you have not run the PSConfig wizard on it).
b)       Next, check the upgrade status.
Central Administration -> Upgrade and Migration -> Check upgrade status.
We can see that my app server failed once but succeeded later.
c)       Next, review the database status.
Central Administration -> Upgrade and Migration -> Review database status.
Here we can double-check and confirm whether any databases still need to be upgraded.
d)       Next, check the product and patch installation status.
Central Administration -> Upgrade and Migration -> Check product and patch installation status. This status page is new in 2010, and here we can see the old and new version of each installed component.
e)       Run Stsadm -o localupgradestatus to get complete information on successfully upgraded site collections. You have to run it as an administrator on all SharePoint servers in the farm.
f)        Once all checks are done, test the SharePoint sites, service applications etc.
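The validation steps above as a single script you can run in the SharePoint 2010 Management Shell on any farm server. This is an added example and not from the original post; the expected build (14.0.5123.5000) is the August 2010 CU number quoted earlier, and the script assumes the SharePoint snap-in and a farm administrator account.

```powershell
# Added example (not from the original post): check farm build, servers and
# databases after applying a cumulative update. Expected build is the August
# 2010 CU number from the post; change it for a different update.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ExpectedBuild = [version]'14.0.5123.5000'

function Get-FarmPatchStatus {
    param([version]$Expected)

    $farm = Get-SPFarm

    # Refresh this server's product and patch inventory so the "Check product
    # and patch installation status" page in Central Administration is not stale.
    Get-SPProduct -Local | Out-Null

    # Servers still flagged NeedsUpgrade have the bits installed but PSConfig has
    # not completed on them; databases flagged NeedsUpgrade have not had their
    # schema upgraded yet. Both lists must be empty before the farm is done.
    # The SQL server appears in the farm with Role = Invalid and carries no
    # SharePoint bits, so it is skipped.
    $servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
    $dbs     = Get-SPDatabase

    New-Object PSObject -Property @{
        FarmBuild            = $farm.BuildVersion
        BuildMatches         = ($farm.BuildVersion -eq $Expected)
        ServersNeedUpgrade   = @($servers | Where-Object { $_.NeedsUpgrade } | ForEach-Object { $_.Name })
        DatabasesNeedUpgrade = @($dbs | Where-Object { $_.NeedsUpgrade } | ForEach-Object { $_.Name })
    }
}

$status = Get-FarmPatchStatus -Expected $ExpectedBuild
$status | Format-List FarmBuild, BuildMatches, ServersNeedUpgrade, DatabasesNeedUpgrade

if (-not $status.BuildMatches -or $status.ServersNeedUpgrade -or $status.DatabasesNeedUpgrade) {
    Write-Warning 'Farm is not fully upgraded: run PSConfig on the servers listed above and re-check.'
}
```

This covers steps a) through d) in one pass; Stsadm -o localupgradestatus (step e) still has to be run on each server because it reports on site collections served from that machine.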
For more information:
Verify the upgrade status and do a smoke test: http://technet.microsoft.com/en-us/library/cc424972.aspx
I strongly recommend following this link for planning and installing updates for SharePoint 2010: http://technet.microsoft.com/en-us/sharepoint/ff800847.aspx
Happy patching...

-Saravanan.J