1. ScaryPoint: Ghosts and Ghouls of SharePoint Administration
Raymond Mitchell (www.iwkid.com)
Senior Consultant, SharePoint911 (www.SharePoint911.com)
kid@iwkid.com, @iwkid
2. Agenda
Introduction
Ghosting
Kerberos
web.config / IIS / AAM
Troubleshooting
Resources
Q & A
3. Quick Intro
Raymond Mitchell
Senior SharePoint Consultant
http://www.SharePoint911.com
Author
Dad
Information Worker Kid
http://www.iwkid.com
4. Demo Environment
4 virtual machines, VMware Player
1 Active Directory (Server 2008)
SQL Server 2008 R2
2 SharePoint 2010 (ENT) WFE w/NLB
1 Windows 7 with IE 8, SPD 2010
Please cross your fingers!
7. Ghosting What is it?
State of a file:
Customized = UnGhosted
Uncustomized = Ghosted
Why should I care?
Used to be really bad
Can be an issue for upgrades
Is good to help you understand how SP works
8. Ghosting SharePoint Page Request
http://msdn.microsoft.com/en-us/library/cc406685.aspx
9. Ghosting SharePoint Designer
Nice icon when customized
Reset to site definition
Customized pages can cause issues during migration
10. Ghosting Browser
Notification when browsing customized page
Revert to template option
11. Ghosting PowerShell
Gary Lapointe re-ghosting cmdlet:
http://blog.falchionconsulting.com/index.php/2007/09/re-ghosting-pages
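An added example (not from the deck, and not Gary Lapointe's cmdlet) that does the same job from the SharePoint 2010 Management Shell: it walks every web in a site collection, reports files whose SPCustomizedPageStatus is Customized (unghosted), and can revert them with SPFile.RevertContentStream(), the API behind "Reset to site definition". The site URL is the demo farm's and is assumed.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Recursively walk a folder tree and emit every file whose content no longer comes from the
# site definition on disk (SPCustomizedPageStatus.Customized == "unghosted").
function Get-CustomizedFilesInFolder {
    param([Microsoft.SharePoint.SPFolder]$Folder, [string]$WebUrl)
    foreach ($file in $Folder.Files) {
        if ($file.CustomizedPageStatus -eq [Microsoft.SharePoint.SPCustomizedPageStatus]::Customized) {
            $who = ''
            if ($file.ModifiedBy -ne $null) { $who = $file.ModifiedBy.LoginName }
            New-Object PSObject -Property @{
                Web = $WebUrl; Url = $file.ServerRelativeUrl
                Modified = $file.TimeLastModified; ModifiedBy = $who
            }
        }
    }
    foreach ($sub in $Folder.SubFolders) { Get-CustomizedFilesInFolder -Folder $sub -WebUrl $WebUrl }
}

# Report (and optionally revert) customized pages in every web of a site collection.
# -Revert calls SPFile.RevertContentStream(); the customized copy is discarded, so run the
# report first and keep a backup of anything you may want to restore.
function Get-SPCustomizedPages {
    param([Parameter(Mandatory=$true)][string]$SiteUrl, [switch]$Revert)
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                $hits = @(Get-CustomizedFilesInFolder -Folder $web.RootFolder -WebUrl $web.Url)
                foreach ($hit in $hits) {
                    if ($Revert) { $web.GetFile($hit.Url).RevertContentStream() }
                    $hit
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Usage (demo farm URL assumed): list first, revert only after reviewing the list
# Get-SPCustomizedPages -SiteUrl 'http://portal2.demo.local' | Format-Table Web, Url, ModifiedBy, Modified
# Get-SPCustomizedPages -SiteUrl 'http://portal2.demo.local' -Revert
```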
13. Kerberos What is it?
Ok, not really…
14. Kerberos What is it?
Authentication Protocol
Why should I care?
More secure than NTLM
Fewer HTTP / authentication requests
DOUBLE-HOP
15. Kerberos Requirements:
Start with a happy, 2010 Farm
Ensure Proper Service Accounts
DNS
Active Directory configuration (SPN, Delegation)
SharePoint configuration
IIS configuration (Kernel Mode)
16. Kerberos DNS
A records only, NO CNAMES
A records only, NO CNAMES
A records only, NO CNAMES
A records only, NO CNAMES
A records only, NO CNAMES
A records only, NO CNAMES
A records only, NO CNAMES
17. Kerberos Active Directory – SPNs
Service Principal Name
Command-line tool: SETSPN
-A, -D, -L, -Q, -X
PROTOCOL/HOST:Port
HTTP/portal.demo.local:80
MSSQLSvc/sql.demo.local:1433
Port not required if using default for protocol
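An added pre-flight script (not part of the deck) that applies the two rules from slides 16 and 17 before a web application is switched to Kerberos: the host must resolve as an A record rather than a CNAME, and the HTTP SPN must already sit on the app-pool account. The CNAME test uses the canonical name returned by the .NET resolver as a heuristic, and the setspn -Q output strings it matches ("No such SPN found", owner DN on a CN= line) are assumptions; the host and account names are the demo farm's.

```powershell
# Builds the SPN the way slide 17 describes: PROTOCOL/HOST[:port], with the port
# omitted when it is the protocol's default (80 for HTTP, 1433 for MSSQLSvc).
function New-SpnName {
    param([string]$Protocol, [string]$HostName, [int]$Port)
    $defaults = @{ 'HTTP' = 80; 'MSSQLSvc' = 1433 }
    if ($defaults.ContainsKey($Protocol) -and $defaults[$Protocol] -eq $Port) { return "$Protocol/$HostName" }
    return "$Protocol/$HostName" + ":" + $Port
}

# DNS rule from slide 16 (A records only): compare the name with the canonical name the
# resolver returns; a CNAME alias comes back as a different host name (heuristic, assumed).
function Test-SpnDnsRecord {
    param([string]$HostName)
    try { $entry = [System.Net.Dns]::GetHostEntry($HostName) }
    catch { return "FAIL: $HostName does not resolve ($($_.Exception.Message))" }
    if ($entry.HostName -ne $HostName) { return "FAIL: $HostName is an alias (CNAME) for $($entry.HostName); use an A record" }
    return "OK: $HostName resolves directly to $($entry.AddressList[0])"
}

# Asks AD who holds the SPN with setspn -Q (query, as on slide 17) and checks that it is the
# account that will run the web application's app pool. Assumed setspn output: the owner's DN
# on a CN= line above the SPN, or 'No such SPN found.' when nobody holds it.
function Test-SpnRegistration {
    param([string]$Spn, [string]$ExpectedAccount)
    $out = (& setspn -Q $Spn 2>&1) | Out-String
    if ($out -match 'No such SPN found') { return "MISSING: $Spn; register it with: setspn -A $Spn $ExpectedAccount" }
    $owner = ($out -split "`r?`n") | Where-Object { $_ -match '^CN=' } | Select-Object -First 1
    if ($owner -match ('^CN=' + [regex]::Escape($ExpectedAccount) + ',')) { return "OK: $Spn is registered on $ExpectedAccount" }
    return "WARN: $Spn is registered on '$owner', not on $ExpectedAccount (a duplicate or misplaced SPN breaks Kerberos)"
}

# Pre-flight for one web application before you flip it to Kerberos (slides 22-23).
function Test-SPKerberosPlan {
    param([string]$HostName, [int]$Port = 80, [string]$AppPoolAccount)
    $spn = New-SpnName -Protocol 'HTTP' -HostName $HostName -Port $Port
    Test-SpnDnsRecord -HostName $HostName
    Test-SpnRegistration -Spn $spn -ExpectedAccount $AppPoolAccount
}

# Demo farm names (assumed): the app pool runs as DEMO\sp_webapp, but setspn -Q lists the
# object by its CN (sp_webapp), so that is what the owner line is compared against.
Test-SPKerberosPlan -HostName 'portal2.demo.local' -Port 80 -AppPoolAccount 'sp_webapp'
```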
18. Kerberos Active Directory - Delegation
Required for double-hopping
Configured in Active Directory Users and Computers
Not required to run SharePoint in Kerberos – only for additional functionality (SSRS, BCS, custom code)
19. Kerberos SharePoint Configuration
Claims vs. Classic
Enable Kerberos
Web Application Authentication Provider
Configured by Zone
CA / STSADM / PowerShell Commands
20. Kerberos IIS Configuration
Kernel Mode Authentication
Good thing – just not with SharePoint
Disabled by default on Web Apps in SharePoint 2010
21. Kerberos Scenario
Build an External Content Type (BCS) and use an External List to display data from SQL Server (AdventureWorks) authenticating with the current user’s credentials
22. Kerberos Steps:
Create DNS entry
Build a Web Application / Site Collection
Classic Authentication, NTLM
Confirm site works with NTLM
Fiddler
23. Kerberos Steps:
Configure SharePoint to run in Kerberos
SETSPN for HTTP
Confirm site works with Kerberos
Kerbtray, Fiddler

setspn -a HTTP/portal2.demo.local DEMO\sp_webapp
24. Kerberos Steps:
Review SPNs for MSSQLSvc
Review auth_scheme for active SQL sessions
When SQL Server is running under the local system account or under a domain administrator account, the instance will automatically register the SPN in the following format when the instance starts:
MSSQLSvc/FQDN:tcpport
Only a domain administrator account or the local system account has the required permissions to register an SPN.

setspn -q MSSQLSvc/dc1.demo.local

Select
    s.session_id,
    s.login_name,
    s.host_name,
    c.auth_scheme
from
    sys.dm_exec_connections c
    inner join sys.dm_exec_sessions s
        on c.session_id = s.session_id

http://support.microsoft.com/kb/909801
25. Kerberos Steps:
Configure SQL permissions
Configure BCS permissions
Create External Content Type
Create External List
Login Failure?
Configure Delegation for App Pool account
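An added example (not from the deck) that wraps the auth_scheme query from slide 24 so the result of steps 22-25 can be verified from a script: each SQL connection is tagged with whether it comes from one of your WFEs and whether it arrived as KERBEROS. The SQL host name and WFE names are the demo farm's and are assumed; the DMVs need VIEW SERVER STATE on the instance.

```powershell
# Runs the slide's DMV query over an integrated-security connection and tags each row, so you
# can spot app-pool sessions from the WFEs that fell back to NTLM instead of arriving as KERBEROS.
function Get-SqlConnectionAuthScheme {
    param([Parameter(Mandatory=$true)][string]$SqlServer, [string[]]$WfeHosts = @())
    $query = @"
select s.session_id, s.login_name, s.host_name, c.auth_scheme, c.net_transport
from sys.dm_exec_connections c
inner join sys.dm_exec_sessions s on c.session_id = s.session_id
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection("Data Source=$SqlServer;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $rdr = $cmd.ExecuteReader()
        try {
            while ($rdr.Read()) {
                $hostName = [string]$rdr['host_name']
                $scheme   = [string]$rdr['auth_scheme']
                $fromWfe  = ($WfeHosts -contains $hostName)
                # A WFE that shows NTLM (or SQL) here is not using Kerberos to SQL Server,
                # which is the double-hop symptom slides 24-25 troubleshoot. Local shared-memory
                # sessions on the SQL box itself legitimately show NTLM, hence the Transport column.
                New-Object PSObject -Property @{
                    SessionId  = $rdr['session_id']
                    Login      = [string]$rdr['login_name']
                    Host       = $hostName
                    AuthScheme = $scheme
                    Transport  = [string]$rdr['net_transport']
                    Problem    = ($fromWfe -and $scheme -ne 'KERBEROS')
                }
            }
        } finally { $rdr.Close() }
    } finally { $conn.Close() }
}

# The script's own connection shows up in the list too: if it is not KERBEROS, start with the
# MSSQLSvc SPN check from slide 24 (setspn -q MSSQLSvc/...). Names below are assumed demo values.
# Get-SqlConnectionAuthScheme -SqlServer 'sql.demo.local' -WfeHosts 'WFE1','WFE2' |
#     Sort-Object Problem -Descending | Format-Table Host, Login, AuthScheme, Transport, Problem
```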
27. web.config / IIS / AAM What is he TALKING about?
Farm safety
Disaster Recovery / Additional WFEs
28. web.config / IIS / AAM web.config
SharePoint is an ASP.NET Application
Don’t touch my web.config
Don’t touch my web.config
Don’t touch my web.config
Don’t touch my web.config
Unless you HAVE to…
29. web.config / IIS / AAM web.config
Might have to add things like connection strings, application settings, Providers for FBA, etc
SPWebConfigModification
Can create in PowerShell:

## Add a modification: an <add key="..."> node under <appSettings>
## (demo value: a connection string with an embedded password ends up in web.config on every WFE,
##  so for anything real prefer Integrated Security over User Id/Password)
$keyName = "MyAwesomeApplicationConnectionString";
$keyValue = "Data Source=SQLSERVER\Instance;Initial Catalog=FancyDatabase;User Id=user1;Password=bob;";
$configMod1 = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
## Path = XPath of the parent node; Name = XPath of this node relative to Path (used to find/remove it)
$configMod1.Path = "/configuration/appSettings";
$configMod1.Name = [system.string]::format("add[@key=""{0}""]", $keyName);
$configMod1.Value = [system.string]::format("<add key=""{0}"" value=""{1}"" />", $keyName, $keyValue);
$configMod1.Sequence = 0
$configMod1.Owner = "SharePoint"
## SPWebConfigModificationType.EnsureChildNode -> 0
## SPWebConfigModificationType.EnsureAttribute -> 1
## SPWebConfigModificationType.EnsureSection -> 2
$configMod1.Type = 0
$webapp = get-spwebapplication http://portal2.demo.local
$webapp.WebConfigModifications.Add($configMod1)
$webapp.Update()
## Pushes the change to the web.config of every WFE in the farm
$webapp.Parent.ApplyWebConfigModifications()
#==================================================
## Remove it again: look the modification up by Name, remove it, apply
$keyName = "MyAwesomeApplicationConnectionString";
$keyName = [system.string]::format("add[@key=""{0}""]", $keyName);
$webapp = get-spwebapplication http://portal2.demo.local
$item = $webapp.WebConfigModifications | ? { $_.Name -eq $keyName }
$webapp.WebConfigModifications.Remove($item)
$webapp.Update()
$webapp.Parent.ApplyWebConfigModifications()
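An added check (not from the deck) for the "farm safety / additional WFEs" point: it takes every SPWebConfigModification registered on a web application and verifies that the node it describes actually exists in the web.config of each zone on the server you run it on, which catches a rebuilt or newly added WFE that never received the modifications. It assumes SPIisSettings.Path points at the IIS site root for each zone; the URL is the demo farm's.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# For every SPWebConfigModification registered on a web application, check that the node it
# promises is present in the web.config of each zone on THIS WFE. Run it on every WFE (or via
# Invoke-Command) to cover the farm; a Present=False row is a server that is out of sync.
function Test-SPWebConfigModifications {
    param([Parameter(Mandatory=$true)][string]$WebAppUrl)
    $webapp = Get-SPWebApplication $WebAppUrl
    foreach ($zone in $webapp.IisSettings.Keys) {
        # SPIisSettings.Path is the physical directory of the zone's IIS web site
        $configPath = Join-Path $webapp.IisSettings[$zone].Path.FullName 'web.config'
        if (-not (Test-Path $configPath)) { Write-Warning "$zone zone: $configPath not found"; continue }
        [xml]$xml = Get-Content $configPath
        foreach ($mod in $webapp.WebConfigModifications) {
            # Path + Name is the XPath SharePoint uses to locate the node (or @attribute) it manages
            $xpath = "$($mod.Path)/$($mod.Name)"
            $node = $xml.SelectSingleNode($xpath)
            New-Object PSObject -Property @{
                Zone = $zone; Owner = $mod.Owner; Sequence = $mod.Sequence
                XPath = $xpath; Present = ($node -ne $null); WebConfig = $configPath
            }
        }
    }
}

# Usage (demo URL assumed): anything with Present=False needs ApplyWebConfigModifications() again,
# or the modification is malformed and never landed anywhere.
# Test-SPWebConfigModifications -WebAppUrl 'http://portal2.demo.local' |
#     Where-Object { -not $_.Present } | Format-Table Zone, Owner, XPath -AutoSize
```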
30. web.config / IIS / AAM IIS
Web Server, hosts SharePoint
Don’t touch my IIS
Don’t touch my IIS
Don’t touch my IIS
Don’t touch my IIS
Unless you HAVE to…
31. web.config / IIS / AAM IIS
Host Headers*
Only in the case of host header site collections
Don’t ever do this to have SharePoint listen on another URL or I’ll hunt you down myself… you’ve been warned so don’t do it please thanks
SSL
Crazy stuff like HTTP Response Headers
32. web.config / IIS / AAM AAM
Alternate Access Mappings
Helps SharePoint understand when you access it by another name
Always always always extend your web applications to add a new URL
34. Troubleshooting Fiddler is awesome
Kerbtray is cool
IIS HTTP Response Headers trick
PowerShell
Event Viewer
SharePoint ULS

$SysEvent = Get-Eventlog -logname application -newest 2000
$SysError = $SysEvent | where {$_.entryType -match "Error"}
$SysError | sort eventid | `
    Format-Table EventID, Source, TimeWritten, Message -wrap | out-file -filepath "C:\log.txt"
Function Get-SPError([string]$id) { Get-SPLogEvent | ? { $_.Correlation -eq $id } | Out-GridView }
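An added example (not from the deck) that extends the Get-SPError idea above to the whole farm: it lifts the correlation ID out of pasted error-page text, collects that ID's ULS entries from every server with Merge-SPLogFile (Get-SPLogEvent only reads the local box), and merges in Application-log errors from the same window so the two views line up in one timeline. The ULS column layout it parses (tab-separated, header row, space-padded fields, a trailing * on continuation timestamps) is an assumption, as is the sample correlation ID in the usage comment.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Pulls the correlation ID out of whatever a user pasted from the SharePoint error page.
function Get-CorrelationId {
    param([string]$Text)
    if ($Text -match '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}') { return [guid]$matches[0] }
    return $null
}

# Farm-wide ULS trace for one correlation ID plus local Application-log errors from the same window.
# Assumed ULS layout: Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation.
function Get-SPCorrelationTrace {
    param([Parameter(Mandatory=$true)][guid]$Correlation,
          [string]$OutPath = (Join-Path $env:TEMP "uls-$Correlation.log"))
    # Merge-SPLogFile runs a timer job on every server and writes one merged file here
    Merge-SPLogFile -Path $OutPath -Correlation $Correlation -Overwrite | Out-Null
    if (-not (Test-Path $OutPath)) { Write-Warning "no ULS entries merged for $Correlation"; return }
    $entries = foreach ($line in (Get-Content $OutPath | Select-Object -Skip 1)) {
        $f = $line -split "`t" | ForEach-Object { $_.Trim() }
        if ($f.Count -lt 9) { continue }
        New-Object PSObject -Property @{
            # continuation lines carry a trailing '*' on the timestamp
            Timestamp = [datetime]::Parse($f[0].TrimEnd('*'), [Globalization.CultureInfo]::InvariantCulture)
            Process = $f[1]; Area = $f[3]; Category = $f[4]; Level = $f[6]; Message = $f[7]
        }
    }
    $entries = @($entries | Sort-Object Timestamp)
    if ($entries.Count -eq 0) { return }
    # One minute of slack either side so related event-log errors are not missed
    $from = $entries[0].Timestamp.AddMinutes(-1); $to = $entries[-1].Timestamp.AddMinutes(1)
    $events = Get-EventLog -LogName Application -EntryType Error -After $from -Before $to -ErrorAction SilentlyContinue |
        ForEach-Object { New-Object PSObject -Property @{
            Timestamp = $_.TimeWritten; Process = $_.Source; Area = 'EventLog'
            Category = $_.EventID; Level = 'Error'; Message = $_.Message } }
    @($entries) + @($events) | Sort-Object Timestamp
}

# Usage with a constructed (fake) correlation ID pasted from an error page:
# $id = Get-CorrelationId -Text 'Correlation ID: c0de0000-0000-4000-8000-000000000001'
# Get-SPCorrelationTrace -Correlation $id | Out-GridView
```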
36. Resources: Ghosting
http://msdn.microsoft.com/en-us/library/cc406685.aspx
http://www.a2zdotnet.com/View.aspx?Id=87
http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spcustomizedpagestatus.aspx
37. Resources: Kerberos
SharePoint 2010 Service Accounts
http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=237
http://www.harbar.net
Specifically:
http://www.harbar.net/archive/2008/05/18/Using-Kerberos-with-SharePoint-on-Windows-Server-2008.aspx
http://www.harbar.net/archive/2010/03/31/sharepoint-2010-and-kerberos.aspx
38. Resources: Kerberos
2010 Kerberos Guide:
http://download.microsoft.com/download/B/B/F/BBF0C6F3-6E36-4979-8C43-DE165AD7AE34/SP2010%20Kerberos%20Guide.docx
Troubleshooting Kerberos Errors:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21820
39. Resources: web.config / AAM
web.config
SPWebConfigModification
http://msdn.microsoft.com/microsoft.sharepoint.administration.spwebconfigmodification
AAM
Configuring:
http://technet.microsoft.com/en-us/sharepoint/Video/ff679917
40. Resources: Troubleshooting
Fiddler
http://www.fiddler2.com
Kerbtray
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23018
41. Resources
My Site / Blog / Twitter
http://www.iwkid.com @iwkid
Minnesota SharePoint User Groups
http://www.SharePointMN.com
http://www.MNDEVSPUG.com
SharePoint911
http://www.SharePoint911.com