
ScaryPoint Ghosts and Ghouls of SharePoint Administration


Presentation Transcript


    1. ScaryPoint Ghosts and Ghouls of SharePoint Administration
        - Raymond Mitchell (www.iwkid.com)
        - Senior Consultant, SharePoint911 (www.SharePoint911.com)
        - kid@iwkid.com, @iwkid

    2. Agenda
        - Introduction
        - Ghosting
        - Kerberos
        - web.config / IIS / AAM
        - Troubleshooting
        - Resources
        - Q & A

    3. Quick Intro
        - Raymond Mitchell
        - Senior SharePoint Consultant: http://www.SharePoint911.com
        - Author
        - Dad
        - Information Worker Kid: http://www.iwkid.com

    4. Demo Environment
        - 4 virtual machines, VMware Player
            - 1 Active Directory (Server 2008), SQL Server 2008 R2
            - 2 SharePoint 2010 (ENT) WFE w/NLB
            - 1 Windows 7 with IE 8, SPD 2010
        - Please cross your fingers!

    6. Ghosting: What is it?

    7. Ghosting: What is it?
        - State of a file:
            - Customized = UnGhosted
            - Uncustomized = Ghosted
        - Why should I care?
            - Used to be really bad
            - Can be an issue for upgrades
            - Is good to help you understand how SP works

    8. Ghosting: SharePoint Page Request
        - http://msdn.microsoft.com/en-us/library/cc406685.aspx

    9. Ghosting: SharePoint Designer
        - Nice icon when customized
        - Reset to site definition
        - Customized pages can cause issues during migration

    10. Ghosting: Browser
        - Notification when browsing customized page
        - Revert to template option

    11. Ghosting: PowerShell
        - Gary Lapointe re-ghosting cmdlet: http://blog.falchionconsulting.com/index.php/2007/09/re-ghosting-pages

    13. Kerberos: What is it?
        - Ok, not really…

    14. Kerberos: What is it?
        - Authentication Protocol
        - Why should I care?
            - More secure than NTLM
            - Fewer HTTP / authentication requests
            - DOUBLE-HOP

    15. Kerberos: Requirements
        - Start with a happy, 2010 Farm
        - Ensure Proper Service Accounts
        - DNS
        - Active Directory configuration (SPN, Delegation)
        - SharePoint configuration
        - IIS configuration (Kernel Mode)

    16. Kerberos: DNS
        - A records only, NO CNAMES A records only, NO CNAMES A records only, NO CNAMES A records only, NO CNAMES A records only, NO CNAMES A records only, NO CNAMES A records only, NO CNAMES

    17. Kerberos: Active Directory – SPNs
        - Service Principal Name
        - Command-line tool: SETSPN
            - -A, -D, -L, -Q, -X
        - PROTOCOL/HOST:Port
            - HTTP/portal.demo.local:80
            - MSSQLSvc/sql.demo.local:1433
        - Port not required if using default for protocol

    18. Kerberos: Active Directory - Delegation
        - Required for double-hopping
        - Configured in Active Directory Users and Computers
        - Not required to run SharePoint in Kerberos – only for additional functionality (SSRS, BCS, custom code)

    19. Kerberos: SharePoint Configuration
        - Claims vs. Classic
        - Enable Kerberos
        - Web Application Authentication Provider
        - Configured by Zone
        - CA / STSADM / PowerShell Commands

    20. Kerberos: IIS Configuration
        - Kernel Mode Authentication
        - Good thing – just not with SharePoint
        - Disabled by default on Web Apps in SharePoint 2010

    21. Kerberos: Scenario
        - Build an External Content Type (BCS) and use an External List to display data from SQL Server (AdventureWorks), authenticating with the current user’s credentials

    22. Kerberos: Steps
        - Create DNS entry
        - Build a Web Application / Site Collection
            - Classic Authentication, NTLM
        - Confirm site works with NTLM
            - Fiddler

    23. Kerberos: Steps
        - Configure SharePoint to run in Kerberos
        - SETSPN for HTTP
        - Confirm site works with Kerberos
            - Kerbtray, Fiddler

            setspn -a HTTP/portal2.demo.local DEMO\sp_webapp

    24. Kerberos: Steps
        - Review SPNs for MSSQLSvc
        - Review auth_scheme for active SQL sessions
        - When SQL Server is running under the local system account or under a domain administrator account, the instance will automatically register the SPN in the following format when the instance starts: MSSQLSvc/FQDN:tcpport. Only a domain administrator account or the local system account has the required permissions to register an SPN.
        - http://support.microsoft.com/kb/909801

            setspn -q MSSQLSvc/dc1.demo.local

            SELECT s.session_id, s.login_name, s.host_name, c.auth_scheme
            FROM sys.dm_exec_connections c
            INNER JOIN sys.dm_exec_sessions s ON c.session_id = s.session_id

    25. Kerberos: Steps
        - Configure SQL permissions
        - Configure BCS permissions
        - Create External Content Type
        - Create External List
        - Login Failure? Configure Delegation for App Pool account
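
The SPN rules from slides 17 and 23 (HTTP/host, port only when it is not the default, one SPN on exactly one account) can be checked before switching a web application to Kerberos. The following is an added example, not code from the presentation: the function names are hypothetical, and the account-to-SPN table is constructed sample data standing in for what `setspn -L` would list per account.

```powershell
# Added example: all accounts and SPNs below are constructed sample data.
function Get-ExpectedSpn {
    param([string]$Url)
    $u = [System.Uri]$Url
    # Service class is HTTP for http:// and https:// alike; the port is
    # left out when it is the scheme default (80 / 443).
    if ($u.IsDefaultPort) { "HTTP/$($u.Host)" } else { "HTTP/$($u.Host):$($u.Port)" }
}

function Test-SpnRegistration {
    param(
        [string]$Url,
        [string]$AppPoolAccount,
        [hashtable]$Registered      # account -> SPNs, e.g. collected with setspn -L
    )
    $spn = Get-ExpectedSpn $Url
    # Accounts that currently hold the SPN (-contains is case-insensitive)
    $holders = @($Registered.Keys |
        Where-Object { @($Registered[$_]) -contains $spn } | Sort-Object)

    if ($holders.Count -eq 0) {
        $status = 'Missing'          # no ticket can be issued for the site
    } elseif ($holders.Count -gt 1) {
        $status = 'Duplicate'        # the KDC cannot map the SPN to one account
    } elseif ($holders[0] -ne $AppPoolAccount) {
        $status = 'WrongAccount'     # ticket is encrypted for a different identity
    } else {
        $status = 'OK'
    }
    New-Object PSObject -Property @{
        Spn = $spn; Status = $status; Holders = ($holders -join ', ')
    }
}

# Constructed directory contents; DEMO\sp_farm and DEMO\sp_sql are hypothetical.
$registered = @{
    'DEMO\sp_webapp' = @('HTTP/portal2.demo.local')
    'DEMO\sp_farm'   = @('HTTP/portal2.demo.local', 'HTTP/portal.demo.local:8080')
    'DEMO\sp_sql'    = @('MSSQLSvc/dc1.demo.local:1433')
}

Test-SpnRegistration 'http://portal2.demo.local'     'DEMO\sp_webapp' $registered
Test-SpnRegistration 'http://portal.demo.local:8080' 'DEMO\sp_webapp' $registered
Test-SpnRegistration 'https://portal.demo.local'     'DEMO\sp_webapp' $registered
```

On a live domain, `setspn -X` reports duplicate SPNs directly; the table form here makes the three failure cases visible side by side.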

    27. web.config / IIS / AAM: What is he TALKING about?
        - Farm safety
        - Disaster Recovery / Additional WFEs

    28. web.config / IIS / AAM: web.config
        - SharePoint is an ASP.NET Application
        - Don’t touch my web.config Don’t touch my web.config Don’t touch my web.config Don’t touch my web.config
        - Unless you HAVE to…

    29. web.config / IIS / AAM: web.config
        - Might have to add things like connection strings, application settings, Providers for FBA, etc
        - SPWebConfigModification
        - Can create in PowerShell

            # Run in the SharePoint 2010 Management Shell, or load the snap-in first.
            Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

            # Add an appSettings entry through SPWebConfigModification.
            $keyName  = "MyAwesomeApplicationConnectionString"
            # Demo value: this password ends up in clear text in web.config on every WFE.
            $keyValue = "Data Source=SQLSERVER\Instance;Initial Catalog=FancyDatabase;User Id=user1;Password=bob;"

            $configMod1 = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
            $configMod1.Path     = "/configuration/appSettings"
            $configMod1.Name     = [System.String]::Format("add[@key=""{0}""]", $keyName)
            $configMod1.Value    = [System.String]::Format("<add key=""{0}"" value=""{1}"" />", $keyName, $keyValue)
            $configMod1.Sequence = 0
            $configMod1.Owner    = "SharePoint"
            ## SPWebConfigModificationType.EnsureChildNode -> 0
            ## SPWebConfigModificationType.EnsureAttribute -> 1
            ## SPWebConfigModificationType.EnsureSection -> 2
            $configMod1.Type = 0

            $webapp = Get-SPWebApplication http://portal2.demo.local
            $webapp.WebConfigModifications.Add($configMod1)
            $webapp.Update()
            # Push the change to web.config on every server in the farm.
            $webapp.Parent.ApplyWebConfigModifications()

            #==================================================
            # Remove the same entry again, matching on the modification's Name.
            $keyName = "MyAwesomeApplicationConnectionString"
            $keyName = [System.String]::Format("add[@key=""{0}""]", $keyName)
            $webapp  = Get-SPWebApplication http://portal2.demo.local
            $item    = $webapp.WebConfigModifications | ? { $_.Name -eq $keyName }
            $webapp.WebConfigModifications.Remove($item)
            $webapp.Update()
            $webapp.Parent.ApplyWebConfigModifications()

    30. web.config / IIS / AAM: IIS
        - Web Server, hosts SharePoint
        - Don’t touch my IIS Don’t touch my IIS Don’t touch my IIS Don’t touch my IIS
        - Unless you HAVE to…

    31. web.config / IIS / AAM: IIS
        - Host Headers*
            - Only in the case of host header site collections
            - Don’t ever do this to have SharePoint listen on another URL or I’ll hunt you down myself… you’ve been warned so don’t do it please thanks
        - SSL
        - Crazy stuff like HTTP Response Headers

    32. web.config / IIS / AAM: AAM
        - Alternate Access Mappings
        - Helps SharePoint understand when you access it by another name
        - Always always always extend your web applications to add a new URL
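
Slide 29 pushes a connection string with an embedded password into appSettings, so a farm's registered modifications are worth reviewing for credentials. The following is an added example, not code from the presentation: `Find-WebConfigSecret` and the `FeatureFlag` entry are hypothetical, and the sample objects are constructed to mirror the properties of `SPWebConfigModification`.

```powershell
# Added example: flags web.config modifications whose value carries a password.
function Find-WebConfigSecret {
    param([object[]]$Modifications)
    # Connection-string keywords that introduce a credential
    $pattern = '(?i)\b(password|pwd)\s*=\s*([^;"]+)'
    foreach ($mod in $Modifications) {
        if ($mod.Value -match $pattern) {
            New-Object PSObject -Property @{
                Owner    = $mod.Owner
                Name     = $mod.Name
                Path     = $mod.Path
                Keyword  = $Matches[1]
                # Report the finding without repeating the secret itself
                Redacted = [regex]::Replace($mod.Value, $pattern, '$1=***')
            }
        }
    }
}

# Constructed sample input; the first entry matches the slide's modification.
$sample = @(
    (New-Object PSObject -Property @{
        Owner = 'SharePoint'; Path = '/configuration/appSettings'
        Name  = 'add[@key="MyAwesomeApplicationConnectionString"]'
        Value = '<add key="MyAwesomeApplicationConnectionString" value="Data Source=SQLSERVER\Instance;Initial Catalog=FancyDatabase;User Id=user1;Password=bob;" />'
    }),
    (New-Object PSObject -Property @{
        Owner = 'SharePoint'; Path = '/configuration/appSettings'
        Name  = 'add[@key="FeatureFlag"]'     # hypothetical, harmless entry
        Value = '<add key="FeatureFlag" value="on" />'
    })
)

Find-WebConfigSecret $sample | Format-List Owner, Name, Keyword, Redacted

# On a farm (assumes the SharePoint snap-in is loaded):
# Find-WebConfigSecret @((Get-SPWebApplication http://portal2.demo.local).WebConfigModifications)
```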

    34. Troubleshooting
        - Fiddler is awesome
        - Kerbtray is cool
        - IIS HTTP Response Headers trick
        - PowerShell
            - Event Viewer
            - SharePoint ULS

            # Write the Error entries among the newest 2000 Application log events to a file.
            $SysEvent = Get-EventLog -LogName Application -Newest 2000
            $SysError = $SysEvent | where { $_.EntryType -match "Error" }
            $SysError | sort EventID | `
                Format-Table EventID, Source, TimeWritten, Message -Wrap | Out-File -FilePath "C:\log.txt"

            # Show the ULS entries that carry a given correlation ID.
            Function Get-SPError([string]$id) {
                Get-SPLogEvent | ? { $_.Correlation -eq $id } | Out-GridView
            }

    36. Resources
        - Ghosting
            - http://msdn.microsoft.com/en-us/library/cc406685.aspx
            - http://www.a2zdotnet.com/View.aspx?Id=87
            - http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spcustomizedpagestatus.aspx

    37. Resources
        - Kerberos
            - SharePoint 2010 Service Accounts: http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=237
            - http://www.harbar.net
            - Specifically:
                - http://www.harbar.net/archive/2008/05/18/Using-Kerberos-with-SharePoint-on-Windows-Server-2008.aspx
                - http://www.harbar.net/archive/2010/03/31/sharepoint-2010-and-kerberos.aspx

    38. Resources
        - Kerberos
            - 2010 Kerberos Guide: http://download.microsoft.com/download/B/B/F/BBF0C6F3-6E36-4979-8C43-DE165AD7AE34/SP2010%20Kerberos%20Guide.docx
            - Troubleshooting Kerberos Errors: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21820

    39. Resources
        - web.config
            - SPWebConfigModification: http://msdn.microsoft.com/microsoft.sharepoint.administration.spwebconfigmodification
        - AAM
            - Configuring: http://technet.microsoft.com/en-us/sharepoint/Video/ff679917

    40. Resources
        - Troubleshooting
            - Fiddler: http://www.fiddler2.com
            - Kerbtray: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23018

    41. Resources
        - My Site / Blog / Twitter
            - http://www.iwkid.com
            - @iwkid
        - Minnesota SharePoint User Groups
            - http://www.SharePointMN.com
            - http://www.MNDEVSPUG.com
        - SharePoint911
            - http://www.SharePoint911.com
