Kerberos and SharePoint 2007 notes

Recently we had cause to do a whole lot of research ourselves and end up calling Microsoft to get our implementation vetted and troubleshot (it was not working – all or almost all connections that should have been Kerberos connections were degrading back to NTLM).

Here are the salient notes and facts about troubleshooting and achieving the ultimate goal (having Kerberos working with our systems).

Links

I’m doing research today to answer multiple questions.

Questions:

  1. I recreated my MOSS 2007 SSP a while back and now MySite creations aren’t working for anyone. It’s not working exactly like the discussion at Technet Forums. Still researching this one.
  2. On a related note, I need to nail down exactly how to create personalized MySite services scoped to a particular web application on the MOSS 2007 farm. No articles yet.
  3. How do we federate/rollup content (if possible, what’s best practice?) from multiple sites? Client has security policies that require internet/extranet servers/farms be separate from intranet servers/farms, but they also have a requirement (it’s thankfully more of a “nice to have”, since even they are not sure it’s possible) to make it so that a single user doesn’t have to go to multiple sites to see all of their content, especially their personalized content. I’m aware that this is possible in many ways in SharePoint, but not sure if any implementation is ideal. The first really helpful link I’ve found along these lines of thinking is Joel Oleson’s blog entry about managing Global and Multifarm deployments. Another good one from Mr. Oleson. I’m reading it right now.
  4. I have to do some research on the best ways to integrate outside LDAP, AD and custom-schema organizational directories for user information into MOSS 2007. No links there yet.
  5. I need to get on the stick and do Workflows in VS 2005 against WSS 3.0/MOSS 2007. I did try SharePoint Designer for my needs and while it does address most of them, one thing I couldn’t figure out how to do was to make a workflow that publishes documents across sites (up, down, sideways, between sites, subsites and unrelated sites). All I could figure out how to do was publish from one document library to another in the same site. There are other options:
    1. Major/Minor versions in Document Libraries: Probably the most elegant of the solutions, since it’s already built-in to SharePoint 2007, the major down-side is that this may be too complicated a new feature for users to learn given that check in/check out is already foreign to them (unless they’re developers). I know the pat answer is learn, but honestly that doesn’t cut any ice with client-focused business analysts. They have a point. The “learn” answer just offloads the effort on another group: either training or support. Not everyone is as technically focused as implementors are. Not everyone wants to learn a new feature every version upgrade just to do their jobs right.
    2. The Send-To->Other Location option on document libraries’ documents works just fine with Firefox 2.0 but barfs completely with IE7. See my discussion of it on the Microsoft Newsgroups (I think you’ll need a passport identity – alternate link via Google Groups) for more information. It’s possible I’ll call MS support about this, but only if the client says it’s critical path and means it. It’s too risky to burn a support call on a bug. I wish MS really provided other meaningful ways of reporting bugs.
  6. I also need to find out whether the helpful Weather and other free, useful, fuzzy good feelings web parts exist any more, like they do in SPS 2003. Weather’s a big request these days. If they’re a download/install I need to do that. No research here yet either.
  7. Finally, I asserted to a friend/co-worker a few days ago that from a programmer’s perspective, I can’t see why Perfmon would, as his manager asserted, bring a server to its knees. Given that in the programming I’ve done that does create Perfmon counter objects, I never check to see if any monitors are running, I just throw the stats over the wall for the OS to do with it as it will. The guy’s job would be made so much simpler if his manager relaxed about this, and I simply don’t have the resources myself to do the exhaustive system profiling and performance monitoring this might take to convince anyone. So maybe someone else has. No research here yet.

So what do you think? Do I have enough to do?

IE 7’s friendly HTTP messages are unfriendly if you want IIS to do custom error messages

So IE7, by default, overrides Web Servers’ custom error messages with very helpful “friendly” reinterpretations of error messages. To turn these off through the UI, go to Internet Options -> Advanced, and disable “Show friendly HTTP error messages”.

Thanks, Microsoft!

Also found at: HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Friendly http errors (according to the Vista GP excel spreadsheet)

Using UNC Paths to access the “directory structure” in SharePoint 2003 – Requires WebClient service running on your client computer

So for the longest time I couldn’t figure out why on some computers I could use a UNC path to get to SharePoint sites’ resources, and on others I couldn’t. Now I think I finally have the answer.

The mechanism is that if you have a WSS site (and Admin privs on that site) at a URL/URI like: http://server/sites/testsite1/, you should be able to open Windows Explorer (not Internet Explorer) and open its UNC path: \\server\sites\testsite1\. If you do so, in Explorer, you should be able to see the full “directory structure” (I put this in quotes because it doesn’t actually exist, but is a figment of your, SharePoint’s and SQL Server’s imaginations), including directory names like “_catalogs”, “_fpdatasources”, “_private”, the ever popular “images”, a directory for non-Document Library, non-Picture Library lists called “Lists”, a folder for each sub-site and a folder for each Document Library or Picture Library, various aspx pages, etc.

Using this UNC Path view, you can do normal file operations, but do be careful, since if you delete a file you probably can’t get it back.

Anyhow, I’d been finding that sometimes this UNC path worked in Explorer and sometimes it didn’t. It didn’t appear to be related to a particular user permissions set or domain login account, but changed computer to computer.

Here’s the error message I’d get when it didn’t work:

[Screenshot: WebClient Error]

Here’s the kind of folder structure I’d see when it did work:

[Screenshot: UNC View]

It turned out, after trial and error, that the real difference here was that one computer I was using was running the WebClient service (where the connection worked), and the other wasn’t (where the connection did not).

No, I couldn’t easily find it documented on Microsoft’s support sites.
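
A quick way to confirm the WebClient dependency described above on a given machine, as an added PowerShell example that is not part of the original post. The function name Test-SharePointUncAccess is hypothetical, and \\server\sites\testsite1 is the placeholder path used in the post.

```powershell
# Added example (not from the original post): explain why a SharePoint UNC
# path opens on one machine and fails on another.
function Test-SharePointUncAccess {
    param(
        # UNC form of the site URL, e.g. \\server\sites\testsite1 (placeholder from the post)
        [Parameter(Mandatory = $true)] [string] $UncPath
    )

    # "WebClient" is the service name of the Windows WebDAV redirector,
    # which is what lets Explorer treat an HTTP site as a UNC share.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{
            UncPath = $UncPath; ServiceStatus = 'NotInstalled'; StartMode = $null
            Reachable = $false
            Diagnosis = 'WebClient service is not installed; UNC access to the site cannot work.'
        }
    }

    # Read the start mode (Auto/Manual/Disabled) from WMI so a stopped
    # service can be told apart from a deliberately disabled one.
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='WebClient'").StartMode

    # Only probe the path when the redirector is running; otherwise the
    # result would only reflect the missing service.
    $reachable = $false
    if ($svc.Status -eq 'Running') {
        $reachable = Test-Path -LiteralPath $UncPath
    }

    $diagnosis = if ($svc.Status -ne 'Running') {
        "WebClient is $($svc.Status) (start mode: $startMode); start it and retry."
    } elseif (-not $reachable) {
        'WebClient is running but the path is unreachable; check the URL and site permissions.'
    } else {
        'WebClient is running and the path is reachable.'
    }

    [pscustomobject]@{
        UncPath = $UncPath; ServiceStatus = $svc.Status.ToString(); StartMode = $startMode
        Reachable = $reachable; Diagnosis = $diagnosis
    }
}

Test-SharePointUncAccess -UncPath '\\server\sites\testsite1'
```

Running it on both the working and the failing computer shows the difference in ServiceStatus directly, without relying on the Explorer error dialog.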

IE7 Running Fine

Microsoft’s Internet Explorer 7 is out as of some time this week. It’s kinda slick. I don’t know if it’s necc’ly better than Firefox 1.5.0.7 (and I haven’t tried out Firefox’s 2.0 betas), but it seems to work pretty well and seems a bit more secure (esp. about expired/unverified SSL certs) with respect to explicitly helping users figure out whether where they’re going is where they think they’re going, and other such things.

Anyway, good start, despite already having a security vulnerability.

Works okay with SharePoint 2003 and with OWA 2003.

I’ll report more on it as I have the experience to do so.

Making Office document open in Office App instead of in an Office ActiveX Control in IE

I just wrote up this little Frequently Asked Question at work:

Assumptions:
  • You have Microsoft Office 2003 installed.
  • You are working with Windows XP Professional as your Operating System.
This is a setting that needs to be made/verified in your Windows settings.
To set the documents to open in their appropriate application:
  1. Open My Computer on your Desktop.
  2. Choose the Tools menu item, then choose Folder Options….
  3. In the Folder Options popup window, choose the File Types tab.
  4. In the Registered File Types list box, choose the file extensions for the application file types you’re interested in verifying/changing (i.e. DOC for Word, XLS for Excel, PPT for PowerPoint, etc.). Once the proper file type is selected, click the Advanced button.
  5. In the Edit File Type pop-up window, uncheck the Browse in same window checkbox.
  6. Click the OK button in the Edit File Type pop-up window.
  7. Click the Close button in the Folder Options pop-up window.

You’re done!

So the flip side is that if you want the document to open up in IE, you check the Browse in same window checkbox.

Sometimes this setting does/does not work. I’m still working on that bit, but also waiting to hear from the users a bit more about the versions of Office/OS they’re working with.