Oct 21, 2011

SSL certificate handshake and web service error: The Underlying Connection Was Closed. Could Not Establish Trust Relationship with Remote Server

In SSL, Client and Server authenticate each other's certificate. The handshake process is illustrated as follows:
Note: It is optional for Server to authenticate Client's certificate. It is configurable in IIS site->SSL Settings. By default it is "ignore". In a rare occasion client certificate is "required", the handshake will fail if  client certificate is not present and you will get "403.7 Forbidden " error in browser. In ASP .Net Web code, some people suggest getting around this by sending client certificate to server, but I have not tried it.

On the other side, Client is always required to authenticate server's certificate. Browser will popup a security alert when  server certificate is not valid/trusted. you can depress the alert by installing the certificate into both "Personal" and "Trusted Root Certificate Authority" locations in client machine's certificate store.

you can check the store by MMC->Add Snap-in->Certificate-> My User(Computer) Account.


Things are different if you call SSL web service from .Net ASP Web. you often get this error:
The Underlying Connection Was Closed. Could Not Establish Trust Relationship with Remote Server

The reason is the computer maintains two different certificate stores:
  • The local machine store: An ASP.NET Web application looks in this store to locate client certificates.
  • The local user store: An interactive user application looks in this store to locate client certificates.
So, in order to solve above error in .Net code, you will need to import the same server certificate into Local Machine Store on both "Personal" and "Trusted Root Certificate Authority" location. Also you need to grant  the service account running ASP .Net Web has sufficient right to access the Local Machine Store. ( using local admin right is not good idea, but good enough to run a test). See here for details.


Another workaround  which are quite "popular", but bad, is to bypass security handshake totally. See here for details. the killer is System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate { return true; }; 

Aug 15, 2011

Another SharePoint 2010 deployment error

If you run into this error when deploying a sharepoint solution from Visual Studio 2010:

Error occurred in deployment step 'Retract Solution': The language-neutral solution package was not found.

The chance is this solution wasn't properly retracted, and SharePoint still thinks it is installed. A simple way to fix is to change solution GUID. The GUID and wsp name is defined in the Package\Package.package, but you need to open this file in text editor such as Notepad (not  in Visual Studio), and restart Visual Studio.

Jul 24, 2011

what rights needed to view sharepoint sites associated with TFS Team Projects

Given the scenario that you have TFS integrated with SharePoint and Report Server, each TFS team site can have an associated SharePoint site which display info such as reports and Team projects work items. To view this sharepoint site, what rights need to be granted:
  • sharepoint permission
  • TFS team project readers right (via TFS Administration Console)
  • Report Server "Browser" right (via Report Manager site)
One of very confusing service account required for TFS is Report Reader Account. The MSFT document says :
The report reader account is the identity that is used to gather information for reports
It has nothing to do with Report Server access, it is the account that will be granted access to one of database called TFS_WareHouse. So it is the identity utilized to retrieve data for reports, not access reports themselves.

Jun 16, 2011

Redesign an infopath template from sharepoint site

If you publish an infopath template directly to a sharepoint library, you can design (redesign) it later with InfoPath client, but what if you publish the template as a content type or as administrator approved form? you will NOT be able to do the same thing as direct publish by browsing sharepoint library.

Instead, go to Site Settings->Site Content Type Gallery ->select content type->Advanced Settings -> Edit Template:


access denied error with SPD workflow

Lately running into a problem when any user with "designer" permission level failed to save workflow from SPD with an error saying " Server Error: Access Deny". Further, users with designer permission can't manually start this workflow from browser with a similar access deny error. The workflow startup page is one of four files listed for each workflow in SPD, and it is missing from designer view:



Check out and check this file back in, the error goes away.

May 27, 2011

Implement AJAX & Backend Services

Way to implement Ajax:
  • use Sys.Net.WebRequest to call backend service (ASPX, ASMX or ASHX)
  •  server side ajax enabled WCF service
    • use asp:servicereference to emit script proxy for client script to call WCF service
  • client side Ajax Library:  http://microsoftpdc.com/Sessions/FT29
  • Ajax Toolkit (server side Ajax controls)


What backend services to call?






WCF or ASMX?
  • WCF/REST: Async friendly, abstract complexity (serialization/deserialization etc) web friendly, Binary, format of choice (Json/xml/image etc.), end to end
  • Session Http cookies
  • SOAP based web service asmx: overhead, xml only, computing distribution

May 20, 2011

configure ASP.NET impersonation authentication in IIS 7 and forward user credentials

If you just add  in  web.config aiming to configure impersonation for a IIS 7 web site, the site will be broken immediately with a HTTP 500 error.

The reason is that Application Pools in IIS 7  have  "Managed Pipeline Mode" defaulted as "Integrated", under which impersonation doesn't work. Changing from "Integrated" to "Classic" is the fix. If you check all application pools for sharepoint application, they are all set as "Classic".

Since IIS 7 use Kernel Mode for authentication, and if you are using server BIOS name as URL, you get Kerberos authentication for free (see this blog for details). Does this mean, with impersonation in place,  you can forward logon user's credential to next hop? for example, setting credential before calling web service such as:

svc.Credentials = System.Net.CredentialCache.DefaultCredentials; 
 
You still need delegation right for your service account (or machine account?) to make that hop happen. Otherwise you simply forward a empty credential to the web service, and if the web service is not anonymous, the call will fail.
 
 
In case of NTLM authentication, logon users' credential can not be forwarded by any means.

May 18, 2011

Change SharePoint Application Binding, easier than thought

Recently I need to install Fiddle on one of my test servers to trace down an authentication issue, the server has SSP hosting application running at 8888, which blocks Fiddler. So I want to see how difficult to move this application to a different port.

I know I have to change port number on IIS and  also have to change AAM, but surprisingly that is all needs to be done. SSP picks up automatically its new hosting app and everything runs like a champion.

Mar 31, 2011

Browser-enabled InfoPath Form with web services

It is common for InfoPath Form to utilize web services as secondary data sources. Normally there is no problem if InfoPath forms are opened in a InfoPath Client application, but problems occur when InfoPath forms are opened in browser, i,e, using InfoPath Form Service.

There are 2 options to workaround brows-enabled Form with web services: one is to set form "Full Trust":
This option will require Administrator-approved publishing option.


and the other is to convert data sources into data connection:
 This option will allow form trust at Domain level, and with other publishing options available, but this option will require "Cross-Domain Access" checked for InfoPath Service from Central Admin:




For browser-enabled Infopath form, web services are called from sharepoint server, sometimes the network communication problem between sharepoint server and web service server can block services for browser-enabled forms, but could have no impact when InfoPath Client applications open the same form, or have no impact on web service configuration at design time.

Mar 8, 2011

SharePoint 2007 List Event ItemAdding fire twice

when  you cancel the event in ItemAdding Handler, like:

public override void ItemAdding(SPItemEventProperties properties)

{
                SPUtility.SendEmail(properties.OpenWeb(), true, true, to, subject, body);           properties.Cancel = true;
}
you will get 2 email messages.
Other senario that list events fire more than once, largely becuase the event handlers are registered more than once. Use SPM to find out, and write code to un-regisgter. http://blogs.msdn.com/b/ketaanhs/archive/2008/04/01/how-to-un-register-an-event-handler-on-a-list-sharepoint-2007-moss.aspx

Feb 1, 2011

Beware of SPWeb.GetFolder(URL)

After a call to SPWeb.GetFolder(URL), you better check if it exists by spFolder.Exists(), since the GetFolder() call won't return error even if the folder doesn't exist. What is more, even if it doesn't exist, you can still get some properties (like spFolder.Url etc) out of it. But all of sudden, you get the following error when you try to get Item out of the folder object:


The object specified does not belong to a list. at Microsoft.SharePoint.SPWeb.GetItem(String strUrl, Boolean bFile, Boolean cacheRowsetAndId)


at Microsoft.SharePoint.SPFolder.get_Item()

This seems to me a bug, but is documented in http://msdn.microsoft.com/en-us/library/ms461547.aspx

If the folder does not exist, an SPFolder object is returned, but any attempt to access its properties throws a FileNotFoundException exception.











Jan 21, 2011

Create a single Search Scope for SharePoint site, File Shares and People

You might wonder why not just use "All Sites"? A large SharePoint Farm normally includes multiple sharepoint applications with distinct users, users in one application are only interested in finding contents from their own application, not all contents in the farm. Also SharePont search scope generally confuse regular users even though it sounds well technically. So it is often desired to use only single scope which can cover all and only contents for a particular business unit, and those contents normally include file shares and also people in the whole organization.

How to do this?

this scope has to be created at service level, rather than site collection level since it includes file shares
  •    In Site collection, Search Setting, choose "enable Custom scope" and drop down Mode as:


  • In Site Collection, Search Scope, Modify Search Dropdown Display Group to display only one single search scope created in the above step
  • Create a Search Result Pages:
    • use Search Result Page Layout (only avaiable in Enterprise Search center site template) , which gives you most web parts on the page
    • Edit "Search Box" web part as follows:

    • Edit "Search Core Results" as follows:

    • insert "Refinement Panel" Web part and Customize it. see this blog for details
    • insert "People Search Core Results" and modify "cross-web part query id" property

By now, your single search goal is accomplished, but you might notice that the search center has no branding and navigation, as it is using minimal.master. Don't try to replace its master page as described in this blog.

Jan 11, 2011

Some notes on SharePoint 2010 Session State

SharePoint 2010 have Session State disable by default, in contrast, SharePoint 2007 has Session State enabled by default.

why? does not SharePoint 2010 need any session state?

but first, what is the session state? Session state is a part of state management. State management is the information that ASP .Net need before processing page request, i,e, what is the values of controls or variable on the page? Those infomation is normally handled by mechanics such as View State, Query String, Hidden Fields.. Those are called client side mechanics because the data is stored at client side. Session State is different in that it is server side (only session id is sent to client via cookie or query string) and its main purpose is to remember if a request is a new or existing one by session ID.

So why SharePoint 2010 don't need session id? SharePont Form service needs session state (SP State Service) in the scenario of multi-page forms, other than that SharePoint doesn't need to track session ID in general. Turning on Session state can potentially degrade performance as SharePoint does not automatically remove old session state records from the session state database tables, and there is only one session database for sharepoint farmwise. see Todd Carter's blog for cautions while using SharePoint Session.

what is the implication of this new setting in sharepoint 2010? It now becomes recommendation that affinity or Sticky session be set for Load Balancer. See this blog from SharePoint Joe.

Jan 7, 2011

data in Managed Meta Column won't update

If you change managed meta data term in the central admin, and you will find the data in Managed Meta Column won;t update until up to one hour. By now,you should be easily guess that it is controlled by a hourly timer job. Yes and its name is Taxonomy Update Scheduler. This did take me some time finding out, so I hope blogging it here can save someone one hour.

Jan 5, 2011

Visual Studio 2010 deployment: Error occurred in deployment step 'Activate Features': Feature with Id '320ed40e-cf38-493b-9bc3-7fd3b01e8524' is not installed in this farm, and cannot be added to this scope.

If you get this error while deploying from Visual  Studio 2010, the chances are you have a multiple-servers farm, and Visual Studio can only deploy the solution to its local server.