Kerberos and SharePoint 2007 notes

Recently we had cause to do a whole lot of research ourselves and ended up calling Microsoft to get our implementation vetted and troubleshot (it was not working: all or almost all connections that should have been Kerberos connections were falling back to NTLM).

Here are the salient notes and facts about troubleshooting and achieving the ultimate goal (having Kerberos working with our systems).

DCOM 10016 errors

Because my systems admin reminded me while cleaning out the logs for our new load test environment, here’s how you can fix them (event ID 10016, source DistributedCOM, in the System event log) on your WSS box.

This is something an old colleague and I tracked down in October of last year, via a blog entry from Søren Nielsen from April of last year.

It involves fixing your Component Services configuration on the offending server, but it’s not too hard. The event text names the COM application (by APPID/CLSID) and the account that was denied Local Launch or Local Activation permission; in Component Services (dcomcnfg) you find that application, open its security settings, and grant that account the launch/activation permission it was missing. Grant it to the one account the event names, not to Everyone.

Laptop/Notebook Hotfixes for MS Virtual PC 2004 SP1

So as you may know, Microsoft and many SharePoint dev houses swear by doing development on Virtual PCs/Virtual Servers. The reason boils down to the fact that when you are debugging a SharePoint Web Part with Visual Studio 2003, you have to attach the debugger to the w3wp.exe worker process that IIS is using. Every breakpoint then freezes that process, and with it every site it hosts, while you explore the reflected data structure states and so on.

That is, SharePoint development doesn’t share well. Two developers trying to share the same server, while one is debugging, is ugly and crass and doesn’t belong in Kindergarten.

So the fix is to give each developer her/his own VPC to do with as he/she likes.

Anyhow, if you are doing this via Microsoft VPC 2004 SP1 (free for download these days, by the way), and you happen to be using it on a laptop/notebook, you need a hotfix (Microsoft KB 889677). If you happen to be using a laptop/notebook that’s using Intel’s 915 Chipset (i.e. some forms of Centrino chipsets), you need an additional hotfix (Microsoft KB 899525). I hear that Tablet PC owners may need a different one.

Add to this pain that you have to either find some unofficial place to download the patches or ask Microsoft support for them (and risk some idiot deciding to charge you for it). I managed to find a non-Microsoft source for the hotfixes, but if you do the same, be paranoid and cautious about hotfixes you didn’t get from Microsoft. The reason it’s a good idea to get them from Microsoft directly is that you’re reasonably sure someone isn’t slipping you a trojan horse or something worse instead of the actual patch. At a minimum, check that the package carries a valid Authenticode signature from Microsoft before you run it; a mirror can serve you any bytes it likes, but it can’t forge that signature.

Anyhow, after installing the additional patches, VPC is flying compared to previously.

Office 2007 Beta 2 Technical Refresh (B2TR) and the “The file is not available.” error

After I applied the Technical Refresh updates to my Office 2007 Beta 2 installs, I started getting this error whenever I tried to open a file with an Office 2007 application (either by double-clicking within the Windows Explorer file list, or by opening the file from within the application):

The file Testing.docx is not available.

So I asked Uncles Google and Live and came up with the comments to Jensen Harris’ blog post about Office 2007 Beta 2 Technical Refresh. In it, a Phil Wright asks about this very same problem, and the comment immediately following has the answer. Apparently the Norton Antivirus Office Plugin is interfering: it returns an error code from the document scan, which Office then interprets as a virus detection and refuses to open the file. To fix it you can try updating Norton via Norton’s LiveUpdate (I tried, to no effect), or you can reduce your system’s overall security by disabling the Norton Office plugin. Instructions for older versions of Norton are in Microsoft KB 329820. In Norton Internet Security 2006 (my version), I opened the Norton status window, chose Options -> Norton Antivirus, and among the tabs found an option to disable the Office plugin. This worked fine for me.

What is wrong with you Microsoft Only people? – Checksum utilities for verifying large files

So today I am downloading the 2007 Office Beta 2 installs (and whoever heard of paying $1.50 for 5 download tries? I sort of understand, but if it were really just covering bandwidth fees, I should think it would be a lot lower). I note that the download listings/product key e-mails do not come with checksums for these large files.

The files are all in the 75 MiB – 250 MiB range. In UNIX-land, people would as part of the normal posting process just provide checksums. But in Windows-land apparently this is not done. Why not?

Checksums are extremely useful for making sure that the bits you expected to transfer over the network are the ones you got. The obvious use is content verification: did I lose or flip any bits along the way that would corrupt my install, and can I find out before the install fails halfway through? The other use is making sure that the bits you wanted me to download are the ones I actually got, i.e. that no third-party attacker did a man-in-the-middle attack and substituted a trojan horse or other nasty thing into the install. The caveat on that second use is that a checksum only detects tampering if it reached you over a channel the attacker couldn’t also tamper with (the product-key e-mail, say, rather than the same download page); otherwise the attacker simply publishes the checksum of the file they swapped in. Okay, granted, a digital signature over the file (which is keyed to the publisher rather than to the download channel) would be better than a simple checksum, but a checksum would still be better than nothing, which is what I get when I pay $1.50 to download the damned things.

With that in mind, let me introduce you to NullRiver’s winMd5Sum. This is a free and easy to use utility that lets you generate MD5 checksums of files and compare them against pre-generated checksums to check a download. Go use it. You’ll like it. (One caveat: MD5 is fine for catching a corrupted download, but collisions in it are practical, so for the tamper-detection case prefer SHA-256 or a signature whenever the host offers one.) While you’re at it, tell your download hosts (Microsoft too, please) that you’d like it if they’d start using it or some similar process to help you verify your large file downloads.

For posterity, I’m going to post the MD5 checksums I’ve got so far for my Office 2007 Beta 2 downloads (from Microsoft via the License Technology Group) [This assumes that each binary isn’t especially constructed for each product key – I guess we’ll see]:

  • Microsoft Office Forms Server 2007 – OFS32-EN.IMG – 14,796,544 bytes – MD5: 4ba65c890b6c86158666b41c3652d2bb
  • Microsoft Office Groove 2007 – OG-EN.EXE – 220,111,048 bytes – MD5: ba497c8610ae774b4f3af92755e83bf7 [Works fine]
  • Microsoft Office OneNote 2007 – OON-EN.EXE – 231,814,328 bytes – MD5: 95750f6b8c48c602b39c4b1271913398 [Works fine]
  • Microsoft Office Outlook 2007 with Business Contact Manager – BCM-EN.EXE – 252,769,672 bytes – MD5: 9cb44475cfbbbebb7c84eced9ef6e437 [Works fine]
  • Microsoft Office Professional Plus 2007 – OPPLUS-EN.EXE – 461,881,224 bytes – MD5: 7fc65a38b6bd9dce0563afea2c5b9a93 [Works fine]
  • Microsoft Office Project Professional 2007 – OPP-EN.EXE – 210,237,736 bytes – MD5: 50c1f917637de95c9aa72114e6385acb [Works fine]
  • Microsoft Office SharePoint Designer 2007 – SPD-EN.EXE – 236,994,544 bytes – MD5: 94fe6551b52ef1d38556d76677966073 [Works fine]
  • Microsoft Office SharePoint Server 2007 – Enterprise – SPS32-EN.IMG – 308,555,776 bytes – MD5: 0db4750dd73faca499fc5df95c7f63b3
  • Microsoft Office SharePoint Server 2007 for Search – OSS-EN.IMG – 231,387,136 bytes – MD5: c1c2b5ed9c0a31c48fb59afe3fb29919
  • Microsoft Office Visio Professional 2007 – OVP-EN.EXE – 293,966,312 bytes – MD5: 4259e1f323509e8392143e20416490f5 [Works fine]
  • Microsoft Windows SharePoint Services [v3] – SharePoint_setup.exe – 78,849,224 bytes – MD5: 51cd9f824bb5b6bfc90b96f0de956a1b

This is the complete list of the downloads I paid for.

Also, FYI, here is the link for the Beta 2 Technical Refresh download.

Here’s the file info for that download:

  • Microsoft Office 2007 Beta Two Technical Refresh – office2007b2tr-kb000000-fullfile-en-us.exe – 518,733,856 bytes – MD5: 9ad077c27fb279516b8636e43c3e0463 [Works fine]

I haven’t verified that all of these files work, but I have verified that the total file size is the same as was originally reported when I initiated the download, which is as close as you can get without MD5 or other checksum tools. I’ll note by striking the item out if for some reason the download is corrupt. Also, when I say [Works fine], I mean that it installed fine with all options installed to run on the drive. I won’t say that the actual programs installed worked fine, as they are in Beta.
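Here is the check I would actually script for the downloads above, and for the hotfixes from non-Microsoft sources mentioned earlier. This is an added example, not code from the original post or from NullRiver: it takes a manifest of expected size and MD5 (the entries below are copied from the table above; the download directory is an assumption), fails fast on size, then hashes, and for executables also checks the Authenticode signature, which is the one check that survives a substituted file.

```powershell
# Added example: verify downloaded installers against the size/MD5 manifest
# from the post, then check the Authenticode signature on PE files.
# $DownloadDir is an assumption; $Manifest entries are from the table above.
$DownloadDir = 'C:\Downloads\Office2007Beta2'

$Manifest = @(
    @{ Name = 'OG-EN.EXE';           Size = 220111048; MD5 = 'ba497c8610ae774b4f3af92755e83bf7' }
    @{ Name = 'OON-EN.EXE';          Size = 231814328; MD5 = '95750f6b8c48c602b39c4b1271913398' }
    @{ Name = 'SPS32-EN.IMG';        Size = 308555776; MD5 = '0db4750dd73faca499fc5df95c7f63b3' }
    @{ Name = 'SharePoint_setup.exe'; Size = 78849224; MD5 = '51cd9f824bb5b6bfc90b96f0de956a1b' }
)

function Test-Download {
    param([string]$Path, [long]$ExpectedSize, [string]$ExpectedMd5)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $Path; Status = 'MISSING'; Signature = 'n/a' }
    }
    $file = Get-Item -LiteralPath $Path

    # Size is the cheap check: a truncated download never needs hashing.
    if ($file.Length -ne $ExpectedSize) {
        return [pscustomobject]@{ File = $Path; Status = "SIZE $($file.Length) != $ExpectedSize"; Signature = 'n/a' }
    }

    # MD5 catches bit-flips in transit. It is not tamper-proof (collisions are
    # practical), so a match means "not corrupted", not "not replaced".
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLowerInvariant()
    if ($actual -ne $ExpectedMd5.ToLowerInvariant()) {
        return [pscustomobject]@{ File = $Path; Status = "MD5 $actual != $ExpectedMd5"; Signature = 'n/a' }
    }

    # For a PE file, the Authenticode signature is keyed to the publisher, not to
    # the download channel, so it still holds against a man-in-the-middle or a
    # dodgy mirror. .IMG disc images are not signed; they get the hash check only.
    $sigStatus = 'n/a (not a signed file type)'
    if ($file.Extension -in '.exe', '.msi', '.msp') {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $sigStatus = "$($sig.Status) $subject"
    }
    [pscustomobject]@{ File = $Path; Status = 'OK'; Signature = $sigStatus }
}

foreach ($entry in $Manifest) {
    Test-Download -Path (Join-Path $DownloadDir $entry.Name) `
                  -ExpectedSize $entry.Size -ExpectedMd5 $entry.MD5
}
```

Treat anything other than `Status = OK` with `Signature = Valid` plus a Microsoft subject as a failed download, whether the cause is a dropped packet or a helpful mirror. Get-FileHash and the `-in` operator need PowerShell 4 or later; on the 2006-era boxes this post is about, winMd5Sum plus a manual right-click on Properties -> Digital Signatures does the same job by hand.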

Full Text Search and Account Permissions

This is a more extended writeup of running Windows SharePoint Services 2003 and SQL Full Text Search on a Database box where Local Administrators (BUILTIN\Administrators) don’t have System Admin access in SQL Server 2000. (I mentioned this briefly in the Changing SharePoint Service Accounts article.)

Essentially, you’ll run up against this security policy requirement in some environments. It’s a sensible policy to make in situations/operations where the Local Administrators (of whom many are also Domain Administrators) are folks who are different from the folks who own, run and are responsible for the SQL Servers.

Part of the motivation for this separation is, of course, political. In some organizations you’ll find that folks in one team don’t want to share permissions/rights with other teams who aren’t directly responsible for the upkeep or maintenance of the bit of the sandbox they have dominion over.

The Sensible Computer Security Policy reason is the principle of least privilege. When the question, “Do these people/does this group need permissions to this resource?” is answered “No.”, the principle of least privilege dictates that they not be given the access they don’t need. This Security Principle falls under the overall category of Risk Management: the fewer accounts sitting around with permissions they don’t need, the fewer potential vulnerabilities sit around waiting to be exploited by Joe Q. Attacker.

It should be noted that in the annals of computer attackers, the long-neglected account that just happens to be a local or domain administrator and just happens to have a really easy to guess password is the holy grail, and almost every computer system has at least one. So do what you can to manage your risks and reduce the number of holy grails that attackers can use to compromise your system.

Anyway, so for whatever reasons, you’ve decided that you wish to implement the policy that Local Administrators on the SQL Server are not allowed to be members of the sysadmin fixed server role within SQL Server itself (sysadmin is the role; the sa login is just one well-known member of it). Note that while it appears that Microsoft “supports” this configuration, it’s not specifically allowed for in Microsoft’s relevant Knowledge Base articles, so if you do go this way, be on the lookout for potential complications. See that other article I mentioned and linked to above for an example of an unexpected consequence.

If you remove BUILTIN\Administrators from your SharePoint 2003 server’s SQL Server logins, or drop that group from the sysadmin role, you will break Full Text Search in SQL Server, which of course (say it with me) breaks Full Text Search in your Windows SharePoint Services 2003 sites, because WSS 2003 uses SQL Server Full Text Search to do its searching. The reason is that the Microsoft Search (MSSearch) service that does the full-text indexing runs as Local System and connects to SQL Server as NT AUTHORITY\SYSTEM; it only ever had access through BUILTIN\Administrators, so once that group is gone it has no login, let alone sysadmin.

How do you fix this?

According to KB Article 317746, if you don’t wish to add BUILTIN\Administrators back to the SQL Server logins, you still have an out. You must:

  • Add the SQL Server service account (the account the MSSQLSERVER service runs as) to the sysadmin fixed server role.
  • Add the Local System account (NT AUTHORITY\SYSTEM) to the SQL Server logins.
  • Add that Local System login to the sysadmin fixed server role.

You should not have to restart SQL Server after making this change. But you may also need to fix Full Text Search for other reasons, which I will elucidate in a (shortly to follow) article.
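The three KB 317746 steps above, scripted and then verified. This is an added example, not code from the original post or from the KB article: it uses the SQL Server 2000-era procedures sp_grantlogin and sp_addsrvrolemember through System.Data.SqlClient with integrated authentication. The server name and the service account name are assumptions. Run it as a login that is still a sysadmin (your DBA account), since by hypothesis your local-admin session no longer is one.

```powershell
# Added example: apply the KB 317746 work-around after BUILTIN\Administrators
# has been removed from sysadmin, then verify the resulting login state.
# $Server and $SqlServiceAccount are assumptions; set them for your environment.
$Server            = 'SQL01'
$SqlServiceAccount = 'DOMAIN\svc-sqlserver'   # account the MSSQLSERVER service runs as

$cs = "Server=$Server;Database=master;Integrated Security=SSPI"

function Invoke-SqlNonQuery {
    param([string]$ConnectionString, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        [void]$cmd.ExecuteNonQuery()
    } finally { $conn.Close() }
}

function Invoke-SqlQuery {
    param([string]$ConnectionString, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table
    } finally { $conn.Close() }
}

# Each step is guarded so the script is safe to re-run. IS_SRVROLEMEMBER returns
# NULL for a login that does not exist, hence the ISNULL(..., 0).
# (sp_grantlogin/sp_addsrvrolemember are the SQL 2000 procedures; on 2005+
# CREATE LOGIN / sp_addsrvrolemember or ALTER SERVER ROLE do the same.)
$fix = @"
IF NOT EXISTS (SELECT 1 FROM master..syslogins WHERE name = 'NT AUTHORITY\SYSTEM')
    EXEC sp_grantlogin 'NT AUTHORITY\SYSTEM';
IF ISNULL(IS_SRVROLEMEMBER('sysadmin', 'NT AUTHORITY\SYSTEM'), 0) <> 1
    EXEC sp_addsrvrolemember 'NT AUTHORITY\SYSTEM', 'sysadmin';
IF NOT EXISTS (SELECT 1 FROM master..syslogins WHERE name = '$SqlServiceAccount')
    EXEC sp_grantlogin '$SqlServiceAccount';
IF ISNULL(IS_SRVROLEMEMBER('sysadmin', '$SqlServiceAccount'), 0) <> 1
    EXEC sp_addsrvrolemember '$SqlServiceAccount', 'sysadmin';
"@
Invoke-SqlNonQuery -ConnectionString $cs -Query $fix

# Verify: the two service identities should be sysadmin, and BUILTIN\Administrators
# should be absent from the list entirely (or present with is_sysadmin = 0).
$verify = @"
SELECT name, ISNULL(IS_SRVROLEMEMBER('sysadmin', name), 0) AS is_sysadmin
FROM master..syslogins
WHERE name IN ('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', '$SqlServiceAccount');
"@
$state = Invoke-SqlQuery -ConnectionString $cs -Query $verify
$state | Format-Table -AutoSize

# And confirm full-text search is actually installed on this instance before
# blaming the permissions change for a broken WSS search.
Invoke-SqlQuery -ConnectionString $cs -Query "SELECT FULLTEXTSERVICEPROPERTY('IsFullTextInstalled') AS fulltext_installed" |
    Format-Table -AutoSize
```

If NT AUTHORITY\SYSTEM and the service account both come back with is_sysadmin = 1 and BUILTIN\Administrators does not, the MSSearch service can reconnect on its next crawl; as noted above, SQL Server itself does not need a restart for this.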

Old Security Articles

It’s on my professional site (where my resume would be if I were looking hard for another job), but I wrote a bunch of articles (Security notes, Best Practices, etc.) for Adobe, back before it was Adobe, and before even it was Macromedia, but when it was Allaire, and I was Product Security Manager/Security Response Team Coordinator there.

It was a nice job. It had some drawbacks, in that QA/Security reported to Marketing on the organizational chart instead of, you know, IT, but it was a good job.

I note, looking at these articles now, that the ones that are still credited to me (I wrote a number of security advisories that I’ll try to find too) are credited to me as a Consultant, though at the time I was a salaried employee with the title “Product Security Manager” or “Security Response Team Coordinator” instead. I am still a bit more pleased with being credited as a consultant. It is a title not undeserved.

Anyway, if you want to look at the old writing (from 2001/2002), here are the links (these open in your same window):

Here is a sampling of the Security Bulletins I wrote (None of them are credited) or significantly updated (I was there from 2001 – 2002):