A rather nice SharePoint feature for standard image libraries (type 109) is that when uploading a picture, it will automatically create a thumbnail and a compressed, web friendly version of the picture in the _t and _w hidden folders. Unfortunately the MOSS WCM PublishingImages list is not an image library, but rather a document library. This is so because the published start and end date/time feature depends on both versioning and approval being on, and this requires a list of type document library.
Some WCM sites try to use AssetUploader.aspx, which is used in the ootb computed field "Thumbnail" in the list content type, to generate the thumbnail, but as anonymous users have no rights on the \_layouts\ folder for secured publishing sites, this is a no go. A solution is to code an event receiver for the list and create _t and _w versions for added images. The no-code solution is to upload separate thumbnail images in a separate folder, and apply a naming convention when displaying thumbnails for the images in e.g. content query web-parts (CQWP).
Saturday, November 14, 2009
Wednesday, October 14, 2009
Secure External SharePoint Sites for Anonymous Access
As there is some blogging about exploiting unsecured SharePoint _layouts and _vti_bin pages out there, posts that don't tell you how to actually secure those pages and prevent the exploit, I thought why not just post the recommended lockdown method: Locking down Office SharePoint Server sites
It is not enough just to enable the SharePoint WCM publishing lockdown mode feature, as this only limits access to /forms/ application pages and to the web-services.
Finally, read this article by Andrew Connell on delay loading core.js and removing the Microsoft Name ActiveX control from your pages.
It is not enough just to enable the SharePoint WCM publishing lockdown mode feature, as this only limits access to /forms/ application pages and to the web-services.
Finally, read this article by Andrew Connell on delay loading core.js and removing the Microsoft Name ActiveX control from your pages.
Labels:
SharePoint
Thursday, October 01, 2009
SharePoint Farm using Kerberos on IIS7
Kerberos is recommended as the authentication mode in SharePoint due to security, performance and not least delegation (impersonation, double-hop) reasons. I won't go into details on the benefits here, but rather point to some good resources you will need when configuring Kerberos for SharePoint. Configuration of Kerberos is not part of the SharePoint installer, except for popup boxes warning you that your system administrator must perform some extra configuration for this to work. If you're lucky, that system admin is not you.
I recommend you follow these guides to ensure a working Kerberos environment:
After setting up all the SPNs, a strange problem affected our load balanced web-applications. We got 401 Unauthorized "the requested resource requires user authentication" and "access is denied due to invalid credentials" when browsing sites on the WFE servers.
Our servers run Windows Server 2008 and hosts the sites in IIS7. IIS7 use a new "kernel mode" by default for integrated Windows Authentication, and the computer account (NETWORK SERVICE) is used rather than the application pool identity by Kerberos to do SPN ticket decryption. This affects farm sites, as a domain account must be used rather than a local account to successfully decrypt SPN tickets across the farm. See Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0 for further details.
So you have two options to make this work on IIS7: either disable kernel mode authentication, or use the undocumented useAppPoolCredentials in combination with useKernelMode in ApplicationHost.config. Add the attribute to the specific site's <windowsAuthentication> element so it looks like this:
<windowsAuthentication enabled="true" useAppPoolCredentials="true" useKernelMode="true">
...
</windowsAuthentication>
Do not use this setting across the board, only use useAppPoolCredentials on the sites on those servers that give a Kerberos 401 not authorized error. And always make a backup copy of the file before editing it.
The last step in the configure Kerberos guide is to turn on "negotiate" authentication for the SSP:
STSADM –o setsharedwebserviceauthn –negotiate
Click on "Office SharePoint Server Search" in Central Admin > Operations > Services on Server on the Query role (typically a farm WFE) to confirm that the SSP work correctly after enabling Kerberos. If the settings page opens all went well. If you get this message, it sure didn't:
An unhandled exception occurred in the user interface. Exception Information: Could not connect to server MOSS-WFE01. This error might occur if the firewall or proxy configuration is preventing the server from being contacted.
In addition, trying to open the SSP search settings page gave this error:
The search service is currently offline. Visit the Services on Server page in SharePoint Central Administration to verify whether the service is enabled. This might also be because an indexer move is in progress.
Don't panic. Diagnosing this is quite easy. SharePoint uses the Office Server Web Services when assigning roles to servers and to communicate between the servers. Browse the MOSS-WFE01 services from the MOSS-ADMIN server and vice versa:
First, ensure that all your SPNs are correctly configured for the server and app-pool accounts, including the HOST, HTTP and MSSP service classes. Then ensure that any SPN account involved in Kerberos is trusted for delegation in AD. This also applies to computer accounts used to run sites, typically as the NETWORK SERVICE local account.
If all else fails, change the application pool used to run the Office Server Web Services web-application. By default, this is OfficeServerApplicationPool running as NETWORK SERVICE. But you can't really change that application pool's identity. You can, but SharePoint will automatically set it back to NETWORK SERVICE. As you learnt above, using a local account for a farm service in IIS7 is not recommended.
So, reuse the SSP service application pool or create a new IIS "OfficeServerKerberosApplicationPool" using the domain account of the SSP service application pool and make the Office Server Web Services run using the new app-pool. Provided that the selected domain account has a valid SPN for the service, internal MOSS server-to-server calls should now work. Test and confirm that the "Configure Office SharePoint Server Search Service Settings" pages now opens.
Finally, check that the security event log contains audit success entries for logon of type Kerberos on the servers. Kerberos ticket decryption failures are shown in the client's system event log with event id 4 and error code KRB_AP_ERR_MODIFIED.
Note that if you're following the least privilege approach and have different accounts for the SSP host and the SSP service, then you might not be able to browse the web-services as the HTTP SPN is assigned to a different account than the MSSP account used to run the SSP service. Remember that an app-pool account cannot decrypt the Kerberos ticket if the SPN is registered on another domain account.
Still having problems? Read Jesper M. Christensen's excellent series Troubleshooting Kerberos in a SharePoint environment Part 1 / Part 2 / Part3.
End note: Turn off UAC on Windows Server 2008 if you get "access denied" errors when running STSADM commands.
I recommend you follow these guides to ensure a working Kerberos environment:
- Configure Kerberos Authentication MOSS 2007 (really long article)
- How to configure SharePoint for Kerberos authentication (much shorter)
After setting up all the SPNs, a strange problem affected our load balanced web-applications. We got 401 Unauthorized "the requested resource requires user authentication" and "access is denied due to invalid credentials" when browsing sites on the WFE servers.
Our servers run Windows Server 2008 and hosts the sites in IIS7. IIS7 use a new "kernel mode" by default for integrated Windows Authentication, and the computer account (NETWORK SERVICE) is used rather than the application pool identity by Kerberos to do SPN ticket decryption. This affects farm sites, as a domain account must be used rather than a local account to successfully decrypt SPN tickets across the farm. See Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0 for further details.
So you have two options to make this work on IIS7: either disable kernel mode authentication, or use the undocumented useAppPoolCredentials in combination with useKernelMode in ApplicationHost.config. Add the attribute to the specific site's <windowsAuthentication> element so it looks like this:
<windowsAuthentication enabled="true" useAppPoolCredentials="true" useKernelMode="true">
...
</windowsAuthentication>
Do not use this setting across the board, only use useAppPoolCredentials on the sites on those servers that give a Kerberos 401 not authorized error. And always make a backup copy of the file before editing it.
The last step in the configure Kerberos guide is to turn on "negotiate" authentication for the SSP:
STSADM –o setsharedwebserviceauthn –negotiate
Click on "Office SharePoint Server Search" in Central Admin > Operations > Services on Server on the Query role (typically a farm WFE) to confirm that the SSP work correctly after enabling Kerberos. If the settings page opens all went well. If you get this message, it sure didn't:
An unhandled exception occurred in the user interface. Exception Information: Could not connect to server MOSS-WFE01. This error might occur if the firewall or proxy configuration is preventing the server from being contacted.
In addition, trying to open the SSP search settings page gave this error:
The search service is currently offline. Visit the Services on Server page in SharePoint Central Administration to verify whether the service is enabled. This might also be because an indexer move is in progress.
Don't panic. Diagnosing this is quite easy. SharePoint uses the Office Server Web Services when assigning roles to servers and to communicate between the servers. Browse the MOSS-WFE01 services from the MOSS-ADMIN server and vice versa:
- Browse https://moss-wfe01:56738/searchadmin.asmx from MOSS-ADMIN
- Browse https://moss-admin:56738/searchadmin.asmx from MOSS-WFE01
First, ensure that all your SPNs are correctly configured for the server and app-pool accounts, including the HOST, HTTP and MSSP service classes. Then ensure that any SPN account involved in Kerberos is trusted for delegation in AD. This also applies to computer accounts used to run sites, typically as the NETWORK SERVICE local account.
If all else fails, change the application pool used to run the Office Server Web Services web-application. By default, this is OfficeServerApplicationPool running as NETWORK SERVICE. But you can't really change that application pool's identity. You can, but SharePoint will automatically set it back to NETWORK SERVICE. As you learnt above, using a local account for a farm service in IIS7 is not recommended.
So, reuse the SSP service application pool or create a new IIS "OfficeServerKerberosApplicationPool" using the domain account of the SSP service application pool and make the Office Server Web Services run using the new app-pool. Provided that the selected domain account has a valid SPN for the service, internal MOSS server-to-server calls should now work. Test and confirm that the "Configure Office SharePoint Server Search Service Settings" pages now opens.
Finally, check that the security event log contains audit success entries for logon of type Kerberos on the servers. Kerberos ticket decryption failures are shown in the client's system event log with event id 4 and error code KRB_AP_ERR_MODIFIED.
Note that if you're following the least privilege approach and have different accounts for the SSP host and the SSP service, then you might not be able to browse the web-services as the HTTP SPN is assigned to a different account than the MSSP account used to run the SSP service. Remember that an app-pool account cannot decrypt the Kerberos ticket if the SPN is registered on another domain account.
Still having problems? Read Jesper M. Christensen's excellent series Troubleshooting Kerberos in a SharePoint environment Part 1 / Part 2 / Part3.
End note: Turn off UAC on Windows Server 2008 if you get "access denied" errors when running STSADM commands.
Labels:
IIS,
Kerberos,
SharePoint
Friday, September 18, 2009
SharePoint Site Structuring: Wide vs Deep (Part II)
In my last post, I presented a SharePoint site classification & structuring scheme for realizing the information architecture (IA) structural design of your information space to facilitate content organization. SharePoint has five main content containers that can be combined to best structure the content according to your IA:
Structures of top-level sites and subsites are generally labeled as wide or deep. A wide site structure uses multiple TLS sites (and hence multiple site-collections), while a deep site structure rather uses a single TLS site with multiple subsites with even more subsites. See the SharePoint site classification & structuring post for more details on this and the above five containers.
As you can see, it is not recommended to combine explicit site-collections with a wide site structure due to the limited set of explicit site-collections per SharePoint web-application. Using wildcard site-collections give the most flexibility as there is almost no limit on the number of site structures wildcard can hold. If you need a new top-level site, just create a new site-collection.
The SharePoint software boundaries on site structures per web-application is shown here (click to enlarge):
Steve Goodyear's decision diagram in the Determining Between SharePoint Site Collections and Sub-Sites post shows other important technical aspects when deciding between wide and deep.
- Root site-collections: container for portal, home sites
- Explicit site-collections: container for department, services, regional sites
- Wildcard site-collections: container for team, community, project sites
- Top-level sites: container for content and subsites and channels
- Subsites: container for content and even more subsites and channels
Structures of top-level sites and subsites are generally labeled as wide or deep. A wide site structure uses multiple TLS sites (and hence multiple site-collections), while a deep site structure rather uses a single TLS site with multiple subsites with even more subsites. See the SharePoint site classification & structuring post for more details on this and the above five containers.
However, not all combinations are viable due to SharePoint software boundaries for the containers. This especially applies to how to combine managed site-collections with wide and deep site structures. As outlined in my last post, each major category gives a recommendation on the usage of wide and deep site structures based on the site classification. The recommendation on how to combine wide/deep with explicit/wildcard site collections is shown here (click to enlarge):
As you can see, it is not recommended to combine explicit site-collections with a wide site structure due to the limited set of explicit site-collections per SharePoint web-application. Using wildcard site-collections give the most flexibility as there is almost no limit on the number of site structures wildcard can hold. If you need a new top-level site, just create a new site-collection.
The SharePoint software boundaries on site structures per web-application is shown here (click to enlarge):
Each SharePoint web-application can hold about 20 explicit site-collections and about 50000 wildcard site-collections. About, as these boundaries are not hard limits - but performance will suffer significantly should your site structure push beyond them. The recommended limits on subsite structures is about 125 second level subsites under a top-level site, each with about 2000 third level subsites, for a theoretical maximum of 250000 subsites per site collection. Theoretical, as the maximum recommended database size per site-collection is 100GB and with hundred thousand subsites there will be little room for content in each subsite.
Respect the SharePoint boundaries, and I recommend your never get close to pushing them. I once broke these recommendations myself for a wide site structure; a couple of years later the "client site" solution started behaving erroneously (mainly timeouts) because of more than 60000 clients being provisioned by then, pushing the 50000 TLS limit. The next time I designed a site structure to hold a million client sites, we did a proper information architecture LATCH (Location, Alphabet, Time, Category, Hierarchy) analysis. This resulted in a deep+wide site structure with the one million subsites (deep) hierarchically distributed based on the 9-digit customer number, across multiple site-collections (wide).
Labels:
Design,
IA,
SharePoint
Subscribe to:
Posts (Atom)
Posts
