link to sharepoint (Yang Li, http://www.blogger.com/profile/16181366204094649958)<br />
<br />
SharePoint Workflow: "Failed on Start" (posted 2012-01-12)<br />
<br />
I ran into this infamous "failed on start" error when running a SharePoint OOB workflow, and it took me quite a while to figure out; I nearly gave up. So I think it is worth a blog post.<br />
<br />
Symptoms: <br />
<br />
1) every publishing workflow failed with the same error, but no non-publishing workflow failed<br />
2) they failed on every site collection in the web application<br />
3) they did not fail in another web application, even when the site also used a publishing template<br />
<br />
So those symptoms made me think the problem was at the web application level, and maybe related to the publishing features. For that reason, I deactivated and reactivated all features at the application level, and also tried deactivating/reactivating the publishing features at the site collection level (even if it doesn't make sense, you are willing to try everything when desperate, aren't you?). I also made both applications share the same application pool. But none of those efforts, nor the server reboots, helped me find any clue. <br />
<br />
The ULS viewer showed the following 2 errors:<br />
<br />
<blockquote>RunWorkflow: Microsoft.SharePoint.SPException: error compilererror Line="1" Column="1" Text="The root activity type is invalid." /Error <br />
at Microsoft.SharePoint.Workflow.SPNoCodeXomlCompiler.LoadXomlAssembly </blockquote><br />
<br />
<blockquote>Microsoft.SharePoint.SPException: error compilererror Line="1" Column="1" Text="The root activity type is invalid." /Error </blockquote><br />
<br />
Which didn't really help after spending hours on Bing.com.<br />
<br />
Finally, another ULS error shed some light:<br />
<br />
<blockquote>Microsoft.SharePoint.SPException: An error occurred creating the configuration section handler for System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes: Could not load type 'System.Workflow.ComponentModel.Compiler.A uthorizedTypesSectionHandler' from assembly 'System.Workflow.ComponentModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. (C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config line 20) </blockquote><br />
<br />
The resolution is then very simple: open web.config and fix the typo there.<br />
<br />
The question I need to ask myself is, how could I have missed this ULS error earlier? The reason turns out to be that this error occurs when a workflow is created, not when the workflow is running.<br />
<br />
SSL certificate handshake and web service error: The Underlying Connection Was Closed. Could Not Establish Trust Relationship with Remote Server (posted 2011-10-21)<br />
<br />
<div class="separator" style="clear: both; text-align: left;">In SSL, the client and the server authenticate each other's certificate. The handshake process is illustrated as follows:</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5lP2cNtEVdu0n3IzzH0UviS5U1VMuNNFy5qH2trmROZenCLO5FyMjj6Tt9CbFFA4rMWseYSSvfU3m7j-yndFwKwPpSz0WW9Zk19uNyce6mq035-P_cQFrf9oSic2q7c6T2dvpz_AxAMxz/s1600/sy10660a.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300px" rda="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5lP2cNtEVdu0n3IzzH0UviS5U1VMuNNFy5qH2trmROZenCLO5FyMjj6Tt9CbFFA4rMWseYSSvfU3m7j-yndFwKwPpSz0WW9Zk19uNyce6mq035-P_cQFrf9oSic2q7c6T2dvpz_AxAMxz/s320/sy10660a.gif" width="320px" /></a></div><div class="separator" style="clear: both; text-align: left;">Note: It is optional for the server to authenticate the client's certificate. This is configurable in IIS site->SSL Settings. By default it is "ignore". In the rare case that a client certificate is "required", the handshake will fail if the client certificate is not present, and you will get a "403.7 Forbidden" error in the browser. 
In ASP .Net Web code, <a href="http://www.kerrywong.com/2006/12/01/using-x509-certificate-with-web-service-in-aspnet/" target="_blank">some people</a> suggest getting around this by sending client certificate to server, but I have not tried it.</div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;">On the other side, the client is always required to authenticate the server's certificate. The browser will pop up a security alert when the server certificate is not valid/trusted. You can suppress the alert by installing the certificate into both the "Personal" and "Trusted Root Certificate Authority" locations in the client machine's certificate store.</div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;">You can check the store via MMC->Add Snap-in->Certificate->My User (Computer) Account.</div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;">Things are different if you call an SSL web service from ASP.NET web code. You often get this error:</div><blockquote>The Underlying Connection Was Closed. Could Not Establish Trust Relationship with Remote Server <br />
<div></div></blockquote><br />
The reason is the computer maintains two different certificate stores: <br />
<ul><li><b>The local machine store</b>: An ASP.NET Web application looks in this store to locate client certificates. </li>
<li><b>The local user store</b>: An interactive user application looks in this store to locate client certificates.</li>
</ul><span style="font-family: inherit;">So, in order to solve the above error in .NET code, you will need to import the same server certificate into the Local Machine store, in both the "Personal" and "Trusted Root Certificate Authority" locations. You also need to make sure the service account running the ASP.NET web application has sufficient rights to access the Local Machine store (using local admin rights is not a good idea, but good enough to run a test). See <a href="http://support.microsoft.com/kb/901183" target="_blank">here</a> for details. </span><br />
<br />
<br />
<span style="font-family: inherit;">Another workaround, which is quite "popular" but bad, is to bypass the certificate check in the security handshake entirely. See <a href="http://msdn.microsoft.com/en-us/library/bb408523.aspx" target="_blank">here</a> for details. The killer is the line below, which makes the client accept any server certificate, valid or not, for every HTTPS request the application makes: <span style="font-family: Consolas; font-size: x-small;">System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };</span></span><br />
<span style="font-family: inherit;"></span><br />
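A stricter replacement for the "return true" delegate, as an added example that is not code from the original post: the callback accepts a certificate only when Windows validated it, with a single pinned exception for one test host, and a helper reports whether a certificate sits in the Local Machine or the Local User root store. PinnedHost, PinnedThumbprint and the class and method names are placeholders assumed for illustration.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class ServerCertificatePolicy
{
    // Assumptions (placeholders, not from the post): the one test host allowed
    // to present an untrusted certificate, and that certificate's thumbprint.
    const string PinnedHost = "testserver.example.local";
    const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    // Call once at application start-up, for example from Application_Start.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Normal case: the chain ends in a trusted root and the name matches.
        if (errors == SslPolicyErrors.None)
            return true;

        // The only tolerated failure is an untrusted chain. A name mismatch
        // or a missing certificate is always rejected.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || certificate == null)
            return false;

        // sender is the WebRequest being sent, or the host name as a string.
        string host;
        var request = sender as WebRequest;
        if (request != null)
            host = request.RequestUri.Host;
        else
            host = sender as string;

        if (!string.Equals(host, PinnedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Even the pinned certificate must be inside its validity period
        // and must be exactly the certificate that was pinned.
        var cert = new X509Certificate2(certificate);
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            return false;

        return string.Equals(cert.Thumbprint, PinnedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Diagnostic for the two-store problem: an ASP.NET application sees the
    // Local Machine store, an interactive user sees the Local User store.
    public static string WhereTrusted(string thumbprint)
    {
        string report = "";
        foreach (StoreLocation location in
                 new[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser })
        {
            var store = new X509Store(StoreName.Root, location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                bool found = store.Certificates.Find(
                    X509FindType.FindByThumbprint, thumbprint, false).Count > 0;
                report += location + "\\Root: " + (found ? "present" : "missing")
                          + Environment.NewLine;
            }
            finally
            {
                store.Close();
            }
        }
        return report;
    }
}
```

Run WhereTrusted under the application pool account: a certificate that is present only under CurrentUser explains why the browser trusts the server while the ASP.NET call does not.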
<br />
Another SharePoint 2010 deployment error (posted 2011-08-15)<br />
<br />
If you run into this error when deploying a SharePoint solution from Visual Studio 2010:<br />
<blockquote><br />
Error occurred in deployment step 'Retract Solution': The language-neutral solution package was not found.</blockquote><br />
Chances are this solution wasn't properly retracted, and SharePoint still thinks it is installed. A simple fix is to change the solution GUID. The GUID and wsp name are defined in Package\Package.package, but you need to open this file in a text editor such as Notepad (not in Visual Studio), and restart Visual Studio.<br />
<br />
What rights are needed to view SharePoint sites associated with TFS Team Projects (posted 2011-07-24)<br />
<br />
Given the scenario that you have TFS integrated with SharePoint and Report Server, each TFS team site can have an associated SharePoint site which displays info such as reports and Team Project work items. To view this SharePoint site, the following rights need to be granted:<br />
<ul><li>sharepoint permission</li>
<li>TFS team project readers right (via TFS Administration Console)</li>
<li>Report Server "Browser" right (via Report Manager site)</li>
</ul>One very confusing service account required for TFS is the Report Reader Account. The MSFT document says:<br />
<blockquote>The report reader account is the identity that is used to gather information for reports</blockquote>It has nothing to do with Report Server access; it is the account that will be granted access to one of the databases, called TFS_WareHouse. So it is the identity used to retrieve data for reports, not to access the reports themselves.<br />
<br />
Redesign an InfoPath template from SharePoint site (posted 2011-06-16)<br />
<br />
If you publish an InfoPath template directly to a SharePoint library, you can design (redesign) it later with the InfoPath client. But what if you publish the template as a content type or as an administrator-approved form? You will NOT be able to do the same thing as with direct publishing by browsing the SharePoint library.<br />
<br />
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">Instead, go to Site Settings-><span class="ms-sitemapdirectional">Site Content Type Gallery</span> ->select content type-><span class="ms-sitemapdirectional">Advanced Settings</span> -> Edit Template:</div><br />
<br />
<div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt9T4UkNdvoeZVRA2-ZhYaO7ShI9CqIRSTvQmnLEN6RAfBGj3HjtnYjsiPDkSNoBbUTbwSQdyWSOi8zWc6VKY4IGLr7gDvNIPNkOZzGA-gyWoBAzbavHS_VWtSzTgGnuZKh5hFQhQx33PU/s1600/Untitled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="197px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt9T4UkNdvoeZVRA2-ZhYaO7ShI9CqIRSTvQmnLEN6RAfBGj3HjtnYjsiPDkSNoBbUTbwSQdyWSOi8zWc6VKY4IGLr7gDvNIPNkOZzGA-gyWoBAzbavHS_VWtSzTgGnuZKh5hFQhQx33PU/s400/Untitled.jpg" t8="true" width="400px" /></a></div><br />
Access denied error with SPD workflow (posted 2011-06-16)<br />
<br />
Lately I ran into a problem where any user with the "designer" permission level failed to save a workflow from SPD, with an error saying " Server Error: Access Deny". Further, users with designer permission can't manually start this workflow from the browser, with a similar access deny error. The workflow startup page is one of four files listed for each workflow in SPD, and it is missing from designer view:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhV2nw56AknrkFs1oZNeVqoXnbwwNNmeV4wVTVNJUTZiAwE9V6pUcg29zNxyjDNIc9VnYO79gDUPVtIRa5b43IcB0uQEPHtOMoQyAfboqlowBGodeOMDP0oZfLxlfmuAJptTrozUhunkNJ/s1600/Untitled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhV2nw56AknrkFs1oZNeVqoXnbwwNNmeV4wVTVNJUTZiAwE9V6pUcg29zNxyjDNIc9VnYO79gDUPVtIRa5b43IcB0uQEPHtOMoQyAfboqlowBGodeOMDP0oZfLxlfmuAJptTrozUhunkNJ/s400/Untitled.jpg" t8="true" width="400px" /></a></div><div class="separator" style="clear: both; text-align: center;"><br />
</div><br />
<div class="separator" style="clear: both; text-align: left;">Check this file out and check it back in, and the error goes away. </div><br />
Implement AJAX &amp; Backend Services (posted 2011-05-27)<br />
<br />
Ways to implement Ajax:<br />
<ul><li>use Sys.Net.WebRequest to call backend service (ASPX, ASMX or <a href="http://blogs.msdn.com/kaevans/archive/2009/03/24/consuming-sharepoint-lists-via-ajax.aspx">ASHX</a>)</li>
<li> server side ajax enabled WCF service</li>
<ul><li>use asp:servicereference to emit script proxy for client script to call WCF service </li>
</ul><li>client side Ajax Library: <a href="http://microsoftpdc.com/Sessions/FT29">http://microsoftpdc.com/Sessions/FT29</a></li>
<li>Ajax Toolkit (server side Ajax controls)</li>
</ul><br />
<br />
What backend services to call?<br />
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_RT3WHh85ziqgh9tC_I18Ptfuvg6N8LlVVpYmtoC87Oi_GBeqAUB4F4a3jkAAcN-Q8Y0rNRoXE7BSFrdaRDiqWkIwx6iph25NFidGS6ANPk49PiXRPYt4y-_OAsNpiEH1sqX62jDOECUh/s1600/Untitled.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="105px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_RT3WHh85ziqgh9tC_I18Ptfuvg6N8LlVVpYmtoC87Oi_GBeqAUB4F4a3jkAAcN-Q8Y0rNRoXE7BSFrdaRDiqWkIwx6iph25NFidGS6ANPk49PiXRPYt4y-_OAsNpiEH1sqX62jDOECUh/s400/Untitled.jpg" t8="true" width="400px" /></a></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><br />
<br />
<br />
<br />
<br />
<br />
WCF or ASMX?</div><ul><li style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">WCF/REST: Async friendly, abstract complexity (serialization/deserialization etc) web friendly, Binary, format of choice (Json/xml/image etc.), end to end</li>
<li>Session Http cookies</li>
<li>SOAP based web service asmx: overhead, xml only, computing distribution</li>
</ul><br />
Configure ASP.NET impersonation authentication in IIS 7 and forward user credentials (posted 2011-05-20)<br />
<br />
If you just add <span style="font-family: Consolas; font-size: x-small;">&lt;identity impersonate="true"&gt;</span> to web.config to configure impersonation for an IIS 7 web site, the site will break immediately with an HTTP 500 error.<br />
<br />
The reason is that application pools in IIS 7 have "Managed Pipeline Mode" defaulted to "Integrated", under which impersonation doesn't work. Changing from "Integrated" to "Classic" is the fix. If you check the application pools for SharePoint applications, they are all set to "Classic". <br />
<br />
Since IIS 7 uses kernel mode for authentication, if you use the server BIOS name as the URL, you get Kerberos authentication for free (see this <a href="http://sharepointlink.blogspot.com/2010/07/iis-7-kernel-mode-authentication.html">blog</a> for details). Does this mean that, with impersonation in place, you can forward the logged-on user's credentials to the next hop? For example, by setting credentials before calling a web service: <br />
<br />
<span style="font-family: Consolas; font-size: x-small;">svc.Credentials = System.Net.CredentialCache.DefaultCredentials;</span> <br />
<br />
You still need the delegation right for your service account (or machine account?) to make that hop happen. Otherwise you simply forward an empty credential to the web service, and if the web service does not allow anonymous access, the call will fail. <br />
<br />
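One way to see, before the web service call, whether the impersonated identity can make the second hop; this is an added example, not code from the original post. The class, enum and method names are hypothetical; the check relies on the impersonation level Windows reports for the current thread's token.

```csharp
using System;
using System.Net;
using System.Security.Principal;

static class NextHopCheck
{
    public enum HopResult { AsProcessAccount, AsUser, NotForwardable }

    // Classifies the token the current thread runs under.
    public static HopResult Classify(WindowsIdentity id)
    {
        if (id == null) throw new ArgumentNullException("id");

        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.None:
                // Not impersonating: outgoing calls authenticate as the
                // application pool account, not as the logged-on user.
                return HopResult.AsProcessAccount;

            case TokenImpersonationLevel.Delegation:
                // Kerberos logon and delegation rights are in place:
                // the user's identity can travel to the next server.
                return HopResult.AsUser;

            default:
                // Anonymous, Identification or Impersonation: the token is
                // usable on this server only, so the next hop would receive
                // no usable credential.
                return HopResult.NotForwardable;
        }
    }

    // Returns the credentials to put on the service proxy, or fails with a
    // message that says why the hop cannot work, instead of silently sending
    // an empty credential.
    public static ICredentials CredentialsForNextHop()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            if (Classify(id) == HopResult.NotForwardable)
            {
                throw new InvalidOperationException(string.Format(
                    "Cannot forward {0} to the next hop: authentication type {1}, " +
                    "impersonation level {2}. Delegation level is required.",
                    id.Name, id.AuthenticationType, id.ImpersonationLevel));
            }
            return CredentialCache.DefaultCredentials;
        }
    }
}
```

With this in place the assignment becomes svc.Credentials = NextHopCheck.CredentialsForNextHop(); and a missing delegation right shows up as a clear exception on the front-end server rather than as a failed call on the web service.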
<br />
In the case of NTLM authentication, the logged-on user's credentials cannot be forwarded by any means.<br />
<br />
Change SharePoint Application Binding, easier than thought (posted 2011-05-18)<br />
<br />
Recently I needed to install Fiddler on one of my test servers to track down an authentication issue. The server has the SSP hosting application running on port 8888, which blocks Fiddler. So I wanted to see how difficult it is to move this application to a different port.<br />
<br />
I knew I had to change the port number in IIS and also change AAM, but surprisingly that is all that needs to be done. SSP automatically picks up its new hosting app and everything runs like a champion.<br />
<br />
Browser-enabled InfoPath Form with web services (posted 2011-03-31)<br />
<br />
It is common for InfoPath forms to use web services as secondary data sources. Normally there is no problem if InfoPath forms are opened in the InfoPath client application, but problems occur when InfoPath forms are opened in a browser, i.e., using InfoPath Form Service.<br />
<br />
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">There are 2 options to work around browser-enabled forms with web services: one is to set the form to "Full Trust":</div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">This option requires the Administrator-approved publishing option.</div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOUvaJTYpFbmCBPVdGWRNu5ZPEjWpyT5DZKGTVqc11fYp7q11jLD-tQEdBmxQirjOc2SO0GdIQsfsMNXH5SXrRrhaWJQbeVYpqyDmSzgO_Pfm75zA8cJEkdJTevaTXInnSrCDa6Kj9zmFG/s1600/Untitled.jpg" imageanchor="1" style="clear: left; cssfloat: left; cssfloat: right; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="352" r6="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOUvaJTYpFbmCBPVdGWRNu5ZPEjWpyT5DZKGTVqc11fYp7q11jLD-tQEdBmxQirjOc2SO0GdIQsfsMNXH5SXrRrhaWJQbeVYpqyDmSzgO_Pfm75zA8cJEkdJTevaTXInnSrCDa6Kj9zmFG/s400/Untitled.jpg" width="400" /></a> <br />
</div><div class="separator" style="clear: both; text-align: center;"></div><br />
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">and the other is to convert data sources into data connection: </div></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXrMho986QBNDJ0j1wRCI0ynnqbFmJLRxIFxyyIc8BDDl8q920556bORbHBQPtTa_SuptAZ5lnPFB9NNij-_3X3pzJfKF_myjHvrRBcdHNhiOEEbZRN4THBcAi90Ws44c0poGCGd1J_oYC/s1600/Untitled.jpg" imageanchor="1" style="clear: right; cssfloat: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="320" r6="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXrMho986QBNDJ0j1wRCI0ynnqbFmJLRxIFxyyIc8BDDl8q920556bORbHBQPtTa_SuptAZ5lnPFB9NNij-_3X3pzJfKF_myjHvrRBcdHNhiOEEbZRN4THBcAi90Ws44c0poGCGd1J_oYC/s400/Untitled.jpg" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"> This option will allow form trust at Domain level, and with other publishing options available, but this option will require "Cross-Domain Access" checked for InfoPath Service from Central Admin:</div><br />
<br />
<br />
<div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1NfoaOQd-_3Ag0_8Emki6433EpC8_MQnoctyXKmgfH8R07kuiuO20O0VrPLjnbExWcaPQUEyUahdNXSocDXL13mRx7UNYuOjNHHvzcHP-hGb8nN8IejA6wO2I86pSQwHcNCaKzds2NmtB/s1600/Untitled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="303" r6="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1NfoaOQd-_3Ag0_8Emki6433EpC8_MQnoctyXKmgfH8R07kuiuO20O0VrPLjnbExWcaPQUEyUahdNXSocDXL13mRx7UNYuOjNHHvzcHP-hGb8nN8IejA6wO2I86pSQwHcNCaKzds2NmtB/s400/Untitled.jpg" width="400" /></a></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both;"><br />
</div>For browser-enabled InfoPath forms, web services are called from the SharePoint server. Sometimes a network communication problem between the SharePoint server and the web service server can block the services for browser-enabled forms, while having no impact when the InfoPath client application opens the same form, and no impact on web service configuration at design time.<br />
<br />
SharePoint 2007 List Event ItemAdding fires twice (posted 2011-03-08)<br />
<br />
When you cancel the event in the ItemAdding handler, like:<br />
<br />
<span style="font-family: Consolas; font-size: x-small;">public override void ItemAdding(SPItemEventProperties properties)<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp;// to, subject and body are strings defined elsewhere in the receiver class<br />
&nbsp;&nbsp;&nbsp;&nbsp;using (SPWeb web = properties.OpenWeb()) // dispose the SPWeb opened for this event<br />
&nbsp;&nbsp;&nbsp;&nbsp;{<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;SPUtility.SendEmail(web, true, true, to, subject, body);<br />
&nbsp;&nbsp;&nbsp;&nbsp;}<br />
&nbsp;&nbsp;&nbsp;&nbsp;properties.Cancel = true; // cancelling the event: the case where ItemAdding fires twice<br />
}</span><br />
You will get 2 email messages.<br />
In other scenarios, list events fire more than once largely because the event handlers are registered more than once. Use <a href="http://vspug.com/keutmann/2006/11/01/sharepoint-manager-2007/">SPM</a> to find out, and write code to un-register: <a href="http://blogs.msdn.com/b/ketaanhs/archive/2008/04/01/how-to-un-register-an-event-handler-on-a-list-sharepoint-2007-moss.aspx">http://blogs.msdn.com/b/ketaanhs/archive/2008/04/01/how-to-un-register-an-event-handler-on-a-list-sharepoint-2007-moss.aspx</a><br />
<br />
Beware of SPWeb.GetFolder(URL) (posted 2011-02-01)<br />
<br />
After a call to SPWeb.GetFolder(URL), you had better check whether the folder exists with the spFolder.Exists property, since the GetFolder() call won't return an error even if the folder doesn't exist. What is more, even if it doesn't exist, you can still get some properties (like spFolder.Url etc.) out of it. But all of a sudden, you get the following error when you try to get Item out of the folder object:<br />
<br />
<br />
<blockquote><em>The object specified does not belong to a list. at Microsoft.SharePoint.SPWeb.GetItem(String strUrl, Boolean bFile, Boolean cacheRowsetAndId) </em><br />
<em>at Microsoft.SharePoint.SPFolder.get_Item() </em></blockquote><br />
This seems to me a bug, but it is documented in <a href="http://msdn.microsoft.com/en-us/library/ms461547.aspx">http://msdn.microsoft.com/en-us/library/ms461547.aspx</a><br />
<br />
<blockquote><em>If the folder does not exist, an SPFolder object is returned, but any attempt to access its properties throws a FileNotFoundException exception.</em></blockquote><br />
<br />
Create a single Search Scope for SharePoint site, File Shares and People (posted 2011-01-21)<br />
<br />
You might wonder why not just use "All Sites"? A large SharePoint farm normally includes multiple SharePoint applications with distinct users; users in one application are only interested in finding content from their own application, not all content in the farm. Also, SharePoint search scopes generally confuse regular users, even though they sound good technically. So it is often desirable to use a single scope which covers all, and only, the content for a particular business unit; that content normally includes file shares and also people in the whole organization.<br />
<br />
How to do this?<br />
<br />
<ul>
<li>First create a content source from Search Service Application for file share</li>
<li>Create a search scope at Search Service Application Level with a custom "target results page", like <a href="http://yoursharepointsite/SearchCenter/Pages/SearchTransport.aspx">http://yourSharePointSite/SearchCenter/Pages/SearchTransport.aspx</a></li>
<li>Add the following rules for the scope created above:</li>
<ul>
<li><a href="http://www.blogger.com/matchingrule.aspx?appid={a4a112a1-0cc6-4f33-8ad2-d5b8c77dfdf3}&scope=4&rule=4">ContentSource = file shares</a> </li>
<li>Folder = <a href="http://yoursharepointsite/">http://yoursharepointsite/</a> </li>
<li><a href="http://www.blogger.com/matchingrule.aspx?appid={a4a112a1-0cc6-4f33-8ad2-d5b8c77dfdf3}&scope=4&rule=7">contentclass = urn:content-class:SPSPeople</a></li>
</ul>
</ul>
This scope has to be created at the service level rather than the site collection level, since it includes file shares.<br />
<ul>
<li style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"> In Site collection, Search Setting, choose "enable Custom scope" and drop down Mode as:</li>
</ul>
<br />
<div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNfk-lB6okDiBI_GQ7cmE5l9sdlvsbQ2WtXZ1Rtfa8VV65Im4rS8J2_0qCv7gtwFygwGEiGePy7w-nVzSSeVrpK5D2mVDA-yXwbJIg6pcr_EWHj_LFFtZtByb4rCFOgjbFFAwJl2UOidDH/s1600/untitled.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="115" s5="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNfk-lB6okDiBI_GQ7cmE5l9sdlvsbQ2WtXZ1Rtfa8VV65Im4rS8J2_0qCv7gtwFygwGEiGePy7w-nVzSSeVrpK5D2mVDA-yXwbJIg6pcr_EWHj_LFFtZtByb4rCFOgjbFFAwJl2UOidDH/s320/untitled.bmp" width="320" /></a></div>
<div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;">
<br /></div>
<div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;">
</div>
<ul>
<li>In Site Collection, Search Scope, Modify Search Dropdown Display Group to display only one single search scope created in the above step</li>
<li>Create a Search Result Pages:</li>
<ul>
<li>use Search Result Page Layout (only available in the Enterprise Search center site template), which gives you most web parts on the page </li>
<li>Edit "Search Box" web part as follows:</li>
</ul>
</ul>
<br />
<ul><ul><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWqD0_EUrOZQkntSkmNBYwcmrjuP9IEppRK3lPnRVVNocQxq0H6LQW-9GcHdKmRb_w_HByXUOCRSeMoUlaafYKINYGviu_KZVx_INy3EgNrLPQkfFCo-Qb459L2P6kNFVPl7L9T_WaC_8k/s1600/untitled.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="134" s5="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWqD0_EUrOZQkntSkmNBYwcmrjuP9IEppRK3lPnRVVNocQxq0H6LQW-9GcHdKmRb_w_HByXUOCRSeMoUlaafYKINYGviu_KZVx_INy3EgNrLPQkfFCo-Qb459L2P6kNFVPl7L9T_WaC_8k/s320/untitled.bmp" width="320" /></a></div>
<li>Edit "Search Core Results" as follows:</li>
</ul>
</ul>
<br />
<ul><ul><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioPq6ydStw0R__SdHBBiyGJjYI3LlbLPwHRq0MNZN_IFm7rqTMUKixo5fbzQo0CS9wPBlbhRSUAQiuNHzljRuI9mfd7jJLuOxxhEnn1aN3uhSDIrPoTWibE6DmEEtHn0RPYXcOE__S2pzK/s1600/untitled.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" s5="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioPq6ydStw0R__SdHBBiyGJjYI3LlbLPwHRq0MNZN_IFm7rqTMUKixo5fbzQo0CS9wPBlbhRSUAQiuNHzljRuI9mfd7jJLuOxxhEnn1aN3uhSDIrPoTWibE6DmEEtHn0RPYXcOE__S2pzK/s320/untitled.bmp" width="140" /></a></div>
<li>insert "Refinement Panel" Web part and Customize it. see this <a href="http://www.sharepointanalysthq.com/2010/06/sharepoint-2010-search-refinement-panel-options/" target="_blank">blog</a> for details</li>
<li>insert "People Search Core Results" and modify "cross-web part query id" property</li>
</ul>
</ul>
<br />
<ul><ul><div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3zIZRIc2lbLiSOiKf1xf2JCT1eZLxBsMiL1tQuGU7W96l3aGFW3ZjY0LAEgt_wnBPukc1ZgGjecx_zT9sogPij6eivQwp2sojbJcTAZXuzjcSYrhkoo-SVE3rDemt9TtqP8F5JgZXCeWz/s1600/untitled.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" s5="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3zIZRIc2lbLiSOiKf1xf2JCT1eZLxBsMiL1tQuGU7W96l3aGFW3ZjY0LAEgt_wnBPukc1ZgGjecx_zT9sogPij6eivQwp2sojbJcTAZXuzjcSYrhkoo-SVE3rDemt9TtqP8F5JgZXCeWz/s320/untitled.bmp" width="156" /></a></div>
<li>insert another "Search Paging" web part and modify its "cross-web part query id" property</li>
</ul>
<li>Modify Tab in search results</li>
<ul>
<li>go to <a href="http://yoursharepointsite/SearchCenter/SearchResults/AllItems.aspx">http://yourSharePointSite/SearchCenter/SearchResults/AllItems.aspx</a></li>
<li>modify "All Site" tab to use search result page created in the above step and also modify Tab name to reflect your scope name.</li>
</ul>
</ul>
By now, your single search goal is accomplished, but you might notice that the search center has no branding or navigation, because it uses minimal.master. Don't try to replace its master page as described in this <a href="http://www.sharepoint911.com/blogs/john/archive/2010/05/12/sharepoint-search-center-uses-minimal-master-–-and-why-you-should-care-about-that.aspx" target="_blank">blog</a>.<span id="goog_1876520845"></span><span id="goog_1876520846"></span>
Yang Lihttp://www.blogger.com/profile/16181366204094649958noreply@blogger.com5tag:blogger.com,1999:blog-3103149575742351603.post-60489713476983144392011-01-11T17:14:00.001-05:002011-05-20T09:41:16.851-04:00
Some notes on SharePoint 2010 Session State
SharePoint 2010 has Session State disabled by default; in contrast, SharePoint 2007 has Session State enabled by default.<br />
<br />
Why? Doesn't SharePoint 2010 need any session state?<br />
<br />
But first, what is session state? Session state is a part of state management. State management is the information that ASP.NET needs before processing a page request, i.e., what are the values of the controls or variables on the page? That information is normally handled by mechanisms such as View State, Query String and Hidden Fields. Those are called client-side mechanisms because the data is stored on the client side. Session State is different in that it is server-side (only the session ID is sent to the client, via cookie or query string), and its main purpose is to remember, by session ID, whether a request is a new or an existing one.<br />
<br />
So why doesn't SharePoint 2010 need a session ID? SharePoint Form service needs session state (SP State Service) in the scenario of multi-page forms; other than that, SharePoint doesn't need to track session ID in general. Turning on Session State can potentially degrade performance, as SharePoint does not automatically remove old session state records from the session state database tables, and there is only one session database for the whole SharePoint farm. See <a href="http://todd-carter.com/post/2010/04/30/A-Session-State-By-Any-Other-Name.aspx" target="_blank">Todd Carter's blog</a> for cautions when using SharePoint Session.<br />
<br />
What is the implication of this new setting in SharePoint 2010? It is now recommended that affinity, or sticky sessions, be set for the load balancer. See <a href="http://www.sharepointjoel.com/Lists/Posts/Post.aspx?ID=166" target="_blank">this blog from SharePoint Joel</a>.
Yang Lihttp://www.blogger.com/profile/16181366204094649958noreply@blogger.com0tag:blogger.com,1999:blog-3103149575742351603.post-35331120512507623412011-01-07T17:11:00.001-05:002011-01-07T17:12:18.434-05:00
data in Managed Meta Column won't update
If you change a managed metadata term in Central Admin, you will find that the data in the Managed Metadata column won't update for up to one hour. By now, you can easily guess that it is controlled by an hourly timer job. Yes, and its name is Taxonomy Update Scheduler. This did take me some time to find out, so I hope blogging it here can save someone one hour.
Yang Lihttp://www.blogger.com/profile/16181366204094649958noreply@blogger.com0tag:blogger.com,1999:blog-3103149575742351603.post-36318683797864420532011-01-05T16:28:00.000-05:002011-01-05T16:28:33.898-05:00
Visual Studio 2010 deployment: Error occurred in deployment step 'Activate Features': Feature with Id '320ed40e-cf38-493b-9bc3-7fd3b01e8524' is not installed in this farm, and cannot be added to this scope.
If you get this error while deploying from Visual Studio 2010, the chances are you have a multi-server farm, and Visual Studio can only deploy the solution to its local server.
Yang Lihttp://www.blogger.com/profile/16181366204094649958noreply@blogger.com0tag:blogger.com,1999:blog-3103149575742351603.post-15842692798357500432010-10-20T22:23:00.035-04:002010-11-04T19:53:25.635-04:00
Debug PowerPivot Errors
<strong>1) "Unknown Error" on Server Health:</strong><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiapN-B3SKzpBiVPbCpqneWYeb9edY7ys8loGVg4jgKzyGHpuBRydYPSe7gwb_L79nAlvYVePyFwpKvXaQTcSACyc-Qcu_YpcOeahcyTlGXLoHvYycJwoDATyIOMFt7Re0PpEjo50OiYWkm/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ex="true" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiapN-B3SKzpBiVPbCpqneWYeb9edY7ys8loGVg4jgKzyGHpuBRydYPSe7gwb_L79nAlvYVePyFwpKvXaQTcSACyc-Qcu_YpcOeahcyTlGXLoHvYycJwoDATyIOMFt7Re0PpEjo50OiYWkm/s320/Untitled.png" width="320" /></a></div><br />
<br />
This is an Excel Calculation Service problem: its service account has not been granted the db_owner role in the Central Admin content database.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYC90EvsfH8V6tvFGhP7mTPu1L3tBtuDxXEU0GHK802q-7H7uhlpPWcQNht-qu5WfYjA-hxr4Ly8iPNW0HPwu7qg4M2EaWRgqYeGEC3vaffCx70V7IwCmfb-GzF01hbtF0ZuI4QLeho4P6/s1600/Untitled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ex="true" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYC90EvsfH8V6tvFGhP7mTPu1L3tBtuDxXEU0GHK802q-7H7uhlpPWcQNht-qu5WfYjA-hxr4Ly8iPNW0HPwu7qg4M2EaWRgqYeGEC3vaffCx70V7IwCmfb-GzF01hbtF0ZuI4QLeho4P6/s320/Untitled.jpg" width="320" /></a></div><br />
<br />
See this <a href="http://sharepointlink.blogspot.com/2010/10/do-service-application-pool-accounts.html" target="_blank">post</a> for an explanation of why this needs to be done.<br />
<br />
<strong>2) Windows Authentication Error:</strong> <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzw-5IuNWS0zs_AXPc5V4hfTIc6v2v0jMQ79rr4DoYXrM-588QRgPsqEbparaWqnIRkJ-q8jkpEh0HcQ7IuqrWTaOHCGJ0gwrLP97gPWXk3I_o-nxF_U_SDZKaL8_iehQjjPqxNINW0pMy/s1600/UserCredentialsCouldNotBeDelegated.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ex="true" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzw-5IuNWS0zs_AXPc5V4hfTIc6v2v0jMQ79rr4DoYXrM-588QRgPsqEbparaWqnIRkJ-q8jkpEh0HcQ7IuqrWTaOHCGJ0gwrLP97gPWXk3I_o-nxF_U_SDZKaL8_iehQjjPqxNINW0pMy/s320/UserCredentialsCouldNotBeDelegated.png" width="320" /></a></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">This error occurs randomly after an Excel server reboot. It happens because the Claims to Windows Token Service is not running; starting it from the Services management console makes the error go away.<br />
<br />
<br />
<br />
<strong>3) Red X Error in the bubble chart web part</strong> <br />
check the version of <strong>Microsoft® SQL Server® 2008 R2 ADOMD.NET </strong></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQSMSI3QXGex4QLuaftGTqXlnGDNHjb9P2mJYBmKWtHABTAWcR3omgf9ZFDVVRLFo8YWTT8u6HH-JZQULBhQoAZyV-DdCF02W-76aUU6yGxeRMPv84w4VTjYZeXQsbnqUk459XPw6YlhRx/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ex="true" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQSMSI3QXGex4QLuaftGTqXlnGDNHjb9P2mJYBmKWtHABTAWcR3omgf9ZFDVVRLFo8YWTT8u6HH-JZQULBhQoAZyV-DdCF02W-76aUU6yGxeRMPv84w4VTjYZeXQsbnqUk459XPw6YlhRx/s320/Untitled.png" width="320" /></a></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><br />
Note: sometimes the version shown in Control Panel is misleading, so it is better to check the physical file's version:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2oISXPqfwAuocUmWFFrEo0MG_Fch_a4Vp_q9TgbIz1S6vN8ePxkgYz1eTZ4hGhHMwIeDEjDbT1vrg2MnlJbfpni_i4oyaVK_SZNaZ7UQoa9TPAg67VrS-Sb8pFwCDXcEo-vKYeryxDIb8/s1600/Untitled1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ex="true" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2oISXPqfwAuocUmWFFrEo0MG_Fch_a4Vp_q9TgbIz1S6vN8ePxkgYz1eTZ4hGhHMwIeDEjDbT1vrg2MnlJbfpni_i4oyaVK_SZNaZ7UQoa9TPAg67VrS-Sb8pFwCDXcEo-vKYeryxDIb8/s320/Untitled1.png" width="320" /></a></div><br />
</div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">To get this version, download SQL 2008 R2 <a href="http://www.microsoft.com/downloads/en/details.aspx?familyid=CEB4346F-657F-4D28-83F5-AAE0C5C83D52&displaylang=en" target="_blank">Feature Pack</a>.</div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><br />
</div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><strong>4) Red X error on PowerPivot Workbook in PowerPivot Gallery</strong></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">Disabling loopback on the WFE should resolve this problem; this is the best available fix so far. See this <a href="http://support.microsoft.com/kb/2361559" target="_blank">KB</a> for details.</div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><br />
</div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><span style="color: #1f497d; font-family: "Calibri", "sans-serif";"><strong><span style="color: #1f497d; font-family: "Calibri", "sans-serif";"><strong><span style="color: black;">5) Windows Event Log error on orphaned database associated with PowerPivot Application</span></strong></span></strong></span></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><span style="color: #1f497d; font-family: "Calibri", "sans-serif";"><span style="color: #1f497d; font-family: "Calibri", "sans-serif";"><span style="color: black;">This one happens if you created a PowerPivot application and deleted it later. Even though the database was deleted, it somehow still stays in the SharePoint metadata. Use the PowerShell cmdlet Get-SPDatabase to verify and delete it.</span></span></span></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><br />
<span style="font-family: Calibri;"><strong>6) PowerPivot Workbook Data Refresh "Access Denied" error</strong></span></div><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><span style="font-family: Calibri;">This one occurs when </span></div><ul><li><span style="font-family: Calibri;">the Unattended Account is not granted "contributor" permission on the SharePoint site, or</span></li>
<li style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><span style="font-family: Calibri;">SSS application's owner is not set as Farm Account (don't know why....)</span></li>
</ul><div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;"><br />
</div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaY7RV3Z62MupCYtAE30VUnbK0MyHiIgmIrQnJjwIjZ6nmVXU-RXhJ_EMNiFyV_DBFF6jsMSCbhLpHJWb7qzalfFc8vTg0uh_Gl0FJr3xhdRafj-amsEUpWmZmXDpNDSA6nc2F6jVj8yEp/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" nx="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaY7RV3Z62MupCYtAE30VUnbK0MyHiIgmIrQnJjwIjZ6nmVXU-RXhJ_EMNiFyV_DBFF6jsMSCbhLpHJWb7qzalfFc8vTg0uh_Gl0FJr3xhdRafj-amsEUpWmZmXDpNDSA6nc2F6jVj8yEp/s400/Untitled.png" width="400" /></a></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"><br />
</div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"><br />
</div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"><br />
</div>Data Refresh is triggered by a timer job, which first sends a request to SSS for the unattended account credential and, on success, uses the unattended account to open the data source. If the data source is a SharePoint resource such as an integrated-mode report, the unattended account needs SharePoint permission to do that. Note that all of this happens without the PowerPivot service being involved at all at this point.<br />
<br />
<strong>7) Data Refresh Error when using an SSRS report as data source:</strong> <br />
<div><blockquote><strong>Errors in the high-level relational engine. The following exception occurred while the managed IDbCommand interface was being used: The remote server returned an error: (403) Forbidden..</strong></blockquote></div>This error occurs when the PowerPivot Analysis Service tries to access embedded SSRS report data. This call is made directly to SSRS by <strong>PowerPivot Analysis Service.</strong> As SSRS needs to check the SharePoint permission of the caller's credential (which credential? When Kerberos is implemented, it is the PowerPivot Analysis Service account; see this <a href="http://sharepointlink.blogspot.com/2010/10/sharepoint-authentication-mode-to.html">post</a> for details), it throws the above error when the PowerPivot AS service account doesn't have SharePoint read permission. Notice: in this case, it is the PowerPivot Analysis Service account that is ultimately passed to SSRS for the report data, not the unattended account.
Yang Lihttp://www.blogger.com/profile/16181366204094649958noreply@blogger.com0tag:blogger.com,1999:blog-3103149575742351603.post-70939232292306904732010-10-20T12:59:00.036-04:002010-10-29T21:11:49.033-04:00
PowerPivot Data Refresh and Excel Refresh
A PowerPivot workbook has 2 kinds of data sources: one is its pivot table cache, and the other is the PowerPivot Analysis cubes. Then what about Data Refresh? PowerPivot Data Refresh refreshes the Analysis cubes from external data sources, and as part of this refresh process, the workbook is updated as well. <br />
<br />
The credential used for data refresh can be: the unattended account, an embedded Windows credential, or SSS<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3kXvVQ8C2-ul-6l0n1LaBuress5Hf2-8SZvbBgh8VF2d-btwaX-ke2ysg0G-Yz4ll4x6jOu8KQ9QybbH8N8Cp9XxMAaGu-6a04MWkDW1nOYuO5mmPg8gL6Gq8u-_tkE2MR0UjcjSf4BSd/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ex="true" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3kXvVQ8C2-ul-6l0n1LaBuress5Hf2-8SZvbBgh8VF2d-btwaX-ke2ysg0G-Yz4ll4x6jOu8KQ9QybbH8N8Cp9XxMAaGu-6a04MWkDW1nOYuO5mmPg8gL6Gq8u-_tkE2MR0UjcjSf4BSd/s400/Untitled.png" width="400" /></a></div>Notice that there is no Windows authentication listed above, which means the logon user's credential is never used for data refresh. So obviously the data in Analysis Service is not security trimmed.<br />
<br />
Also notice that it is the PowerPivot System Service that retrieves the data refresh credential and then sends it to Analysis Service. Since PowerPivot and Analysis Service are guaranteed to run on the same server, Analysis Service can delegate this credential further to the external data source without the need for Kerberos delegation.<br />
<br />
Do not confuse PowerPivot data refresh with Excel refresh. Excel refresh happens when users click a slicer or manually do a data refresh. The result is that its cached pivot table gets refreshed, ultimately from the .abf file or the AS cubes. PowerPivot functions as the Excel data source in this case.<br />
<br />
As both Excel Service and the PowerPivot service are claims aware, it is a claims token that flows from Excel to the PowerPivot System Service. From PowerPivot to Analysis Service, which is not claims aware, it is a Windows token that flows, thanks to the Claims to Windows Token Service. But the most interesting thing is that PowerPivot uses the PowerPivot Service Application account, not the logon user account, to connect to Analysis Service:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAku2VLtMNcoIFrWGop5gFV9r9zq3OhGRub5AXnNbiL-kyexBug2B7SNxuC25kExeZoYvc-smaidvz09lY9A60m_mmXbyuKben1OwKA1L9_q3A1rGNS4pdlxagjIcfWdT_H6_opuKAHt43/s1600/Untitled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" nx="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAku2VLtMNcoIFrWGop5gFV9r9zq3OhGRub5AXnNbiL-kyexBug2B7SNxuC25kExeZoYvc-smaidvz09lY9A60m_mmXbyuKben1OwKA1L9_q3A1rGNS4pdlxagjIcfWdT_H6_opuKAHt43/s320/Untitled.jpg" width="320" /></a></div><br />
<div>This is why there is no need to configure security in PowerPivot Analysis Service, but the question is, what is the security enforcement at Analysis Service level even with the note <span></span>"PowerPivot System Service immediately downgrade the connection"?</div><div></div><br />
<strike>the answer is it doesn't need to be, since the data refresh is just to refresh data in AS cubs, and they don't need to be security trimmed. Excel Service will enforce security when it connects to AS Cubs to fetch data.</strike> <br />
<br />
<strike>The follow-up question is, does Excel Service account need kerberos delegation to AS? The answer depends, if Excel Service and Power Pivot run on the same server as they should, there is no hop and Kerberos is not required, if Excel Service and Power Pivot run on different server, Excel Service account should be granted a delegation right to AS and logon users should have read access to AS Cubs if window authentication in Excel workbook is chosen.</strike>
Yang Lihttp://www.blogger.com/profile/16181366204094649958noreply@blogger.com1tag:blogger.com,1999:blog-3103149575742351603.post-1976612803139888542010-10-10T00:26:00.000-04:002010-10-10T00:26:44.310-04:00
Dilemma: which account to run SPUserCodeV4?
If you want to run a sandbox solution, you have to run "Microsoft SharePoint Foundation Sandboxed Code Service", which is a SharePoint service wrapper for the Windows service "SharePoint 2010 User Code Host", and has no service application associated with it.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh32PycLCohhwqPVDgreI4Y_GDTepJom4WJh5cZOOTTIk_bP3dUJ7gs2_HUV0bEMoUX1nAUPeyPGAHdCHYXZuXvJ4MbFMxXcGZXqD-sXcNXy_5PjAgSqjLgtDSAOkOz4kGyVzKiOLeYfuBj/s1600/untitled.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ex="true" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh32PycLCohhwqPVDgreI4Y_GDTepJom4WJh5cZOOTTIk_bP3dUJ7gs2_HUV0bEMoUX1nAUPeyPGAHdCHYXZuXvJ4MbFMxXcGZXqD-sXcNXy_5PjAgSqjLgtDSAOkOz4kGyVzKiOLeYfuBj/s320/untitled.bmp" width="320" /></a></div><br />
By default, this service runs under the SharePoint farm account, which results in a warning from SharePoint Health Analyzer. <br />
<br />
You can certainly change it to run as a different managed account to suppress the warning, but you should be aware of the ramification: the managed account running this sandbox service will be granted some privileges similar to the farm account's, such as the db_owner role on all WSS content databases! And this role won't be revoked when the service account is changed later. This certainly violates the least-privilege rule.
Yang Lihttp://www.blogger.com/profile/16181366204094649958noreply@blogger.com0tag:blogger.com,1999:blog-3103149575742351603.post-91838929871944086012010-10-09T23:59:00.003-04:002011-01-17T23:43:57.588-05:00
other service accounts' database right and sharepoint permission: issues related with Excel, PerformancePoint and People Search
This <a href="http://technet.microsoft.com/en-us/library/cc678863.aspx#Section4" target="_blank">technet article</a> recommends running the SharePoint 2010 portal application under one service account, and running all other service applications such as Excel, PPS, etc. under other application pool accounts. If so, does any service application pool account have access to the portal's content database? Does any of them even have permission on the SharePoint portal site?<br />
<br />
Quoted in the same technet article:<br />
<blockquote><strong>Other application pool accounts</strong> <br />
<br />
<span style="font-size: x-small;">The other application pool account must be a domain user account. This account must not be a member of the administrators group on any computer in the server farm.</span><br />
<span style="font-size: x-small;"><br />
</span><br />
<span style="font-size: x-small;"><strong>The following machine-level permission is configured automatically</strong>: This account is a member of WSS_WPG.</span><br />
<span style="font-size: x-small;"><br />
</span><br />
<strong><span style="font-size: x-small;">The following SQL Server and database permissions are configured automatically:</span></strong><br />
<span style="font-size: x-small;">This account is assigned to the <span style="color: red;">db_owner role for the content databases</span>.</span><br />
<br />
<span style="font-size: x-small;">This account is assigned to the db_owner role for search databases associated with the Web application.</span><br />
<span style="font-size: x-small;">This account must have read and write access to the associated service application database.</span><br />
<span style="font-size: x-small;">This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.</span><br />
<span style="font-size: x-small;">This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database</span></blockquote>The one in red is questionable: actually, none of the application service accounts has been granted db_owner on the content database! This is the root cause of the "The workbook cannot be opened" error described in this <a href="http://blogs.msdn.com/b/jjameson/archive/2010/05/04/the-workbook-cannot-be-opened-error-with-sharepoint-server-2010-and-tfs-2010.aspx" target="_blank">blog</a>.<br />
<br />
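To see which accounts actually hold db_owner on each content database (the question raised here and in the sandbox service post above), the following PowerShell audit can be used. It is an added example, not part of the original posts; it assumes the SharePoint 2010 Management Shell on a farm server and a caller allowed to open each content database, and the account names in $expected are constructed placeholders.<br />

```powershell
# Added example, not from the original post.
# Assumptions: SharePoint 2010 Management Shell on a farm server; the caller can
# open every content database through the farm's stored connection string.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName System.Data

# Accounts you expect to hold db_owner (constructed placeholder names).
$expected = @('CONTOSO\sp_farm', 'CONTOSO\sp_portal_pool')

# Explicit members of the db_owner role, excluding the built-in dbo user.
$query = @'
SELECT m.name AS MemberName, m.type_desc AS MemberType
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner' AND m.name <> N'dbo'
'@

function Get-DbOwnerMember {
    param([Parameter(Mandatory=$true)] $Database)   # an SPContentDatabase object

    $conn = New-Object System.Data.SqlClient.SqlConnection `
        -ArgumentList $Database.DatabaseConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        try {
            while ($reader.Read()) {
                $member = [string]$reader['MemberName']
                New-Object PSObject -Property @{
                    Database = $Database.Name
                    Member   = $member
                    Type     = [string]$reader['MemberType']
                    # -contains is case-insensitive, which suits DOMAIN\user names
                    Expected = ($expected -contains $member)
                }
            }
        } finally { $reader.Close() }
    } finally { $conn.Dispose() }
}

# Unexpected db_owner members sort first (Expected = False).
Get-SPContentDatabase |
    ForEach-Object { Get-DbOwnerMember -Database $_ } |
    Sort-Object Expected, Database, Member |
    Format-Table Database, Member, Type, Expected -AutoSize
```

Rows with Expected = False are the ones to review, for example a managed account that once ran the sandboxed code service and kept the role afterwards.<br />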
The same problem occurs with PerformancePoint Service, but PPS has yet another anomaly: its service account has to be granted "read" permission on "Data Connections", as described in this <a href="http://blogs.prodata.ie/?tag=/PerformancePoint" target="_blank">blog</a>. Somehow PPS invokes a RunWithElevatedPrivileges call to check the user's permission on the "Data Connections" library, and gets an access denied error. The error tells us that those service accounts don't even have SharePoint portal access! <br />
<br />
The Search Service account and the default content account (crawl account) are generally granted full read access in the web application's "user policy", but even so, that doesn't mean either of them has content database owner rights. Also notice that the default content account needs the "<strong>Retrieve</strong> People Data for Search Crawlers" right on the Profile Service Application in order to crawl people profiles or sps3://mysite. If you change the default content account, this right needs to be updated manually.
Yang Lihttp://www.blogger.com/profile/16181366204094649958noreply@blogger.com0tag:blogger.com,1999:blog-3103149575742351603.post-60791282032803156562010-10-06T01:32:00.006-04:002010-10-06T14:31:30.975-04:00
SharePoint 2010: The Security Token Service is not available
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwJycFkQ3KhebdNUdvp75_22S0PnRVtDw91WHDaIltV0mvOa8R4GmUwB4r78_71hn9p1FZAM6lI5H4tQZXJjedXJZYlDfiHhf_9iePmMm_wTKirVJhABJuYjpTon8DQfjXXAILtCqXogPQ/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ex="true" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwJycFkQ3KhebdNUdvp75_22S0PnRVtDw91WHDaIltV0mvOa8R4GmUwB4r78_71hn9p1FZAM6lI5H4tQZXJjedXJZYlDfiHhf_9iePmMm_wTKirVJhABJuYjpTon8DQfjXXAILtCqXogPQ/s320/Untitled.png" width="320" /></a></div>This problem has been reported mostly on SharePoint 2010 <strong>beta</strong> 2, due to the missing hotfix KB 976462. SharePoint 2010 RTM includes this hotfix in its prerequisites, as you can see from the Windows updates list in Control Panel, so don't bother to download and install it again:<br />
<br />
<div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiso2d3ypforuYQMCBP8FkCRPYdmLPqzmESd3esd-VTMKhfJmScXgBPzwq0whiBBxuqd8IkEON9FmiEX22BEWXErbWM2JFbE1ewSJWWisURDrkfc9JetEfkBNQNhG3clzgBk_IQIMs9Ripc/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" px="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiso2d3ypforuYQMCBP8FkCRPYdmLPqzmESd3esd-VTMKhfJmScXgBPzwq0whiBBxuqd8IkEON9FmiEX22BEWXErbWM2JFbE1ewSJWWisURDrkfc9JetEfkBNQNhG3clzgBk_IQIMs9Ripc/s320/Untitled.png" width="320" /></a></div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: center;"><br />
</div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;">But occasionally this problem occurs even on RTM SharePoint 2010. The SharePoint Health Analyzer reports it only as a warning, but it is actually a fatal error, as it results in the failure of all claims-aware services such as the search service. For example: when a user starts searching, the WFE needs to talk to the search query component, and if the search query component is hosted on a different server, the WFE needs its local STS to collect the claims, and then sends the claims to the search query component server. Obviously, unavailability of the STS on the WFE will break things totally.</div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><br />
</div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><br />
</div><br />
<div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;">What is the fix then? STS is neither a SharePoint service nor a Windows service, but actually a WCF web service, so first check in IIS whether this web service and its application pool are running; if they are, try restarting them. If that still does not solve the problem, you need to re-provision the STS service application. The STS service application is provisioned during SharePoint configuration, and is not clickable from the UI:</div><div class="separator" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJiyehWmF9hBHTthPvMn4hsp8-pDvQf1gCakGT3-UAn4hAzNmtFTgHTuLYte_0huVquaZ8qiY1gmSIXZsqz2JkOOR8V4bNPfNLCZYSXjJqZAX7V0tyQjmY-x0-eAV8zuqxHLOfmRHz13lh/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" px="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJiyehWmF9hBHTthPvMn4hsp8-pDvQf1gCakGT3-UAn4hAzNmtFTgHTuLYte_0huVquaZ8qiY1gmSIXZsqz2JkOOR8V4bNPfNLCZYSXjJqZAX7V0tyQjmY-x0-eAV8zuqxHLOfmRHz13lh/s320/Untitled.png" width="320" /></a></div><br />
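But it can be re-provisioned from PowerShell:<br />
# replace {id of sts} with the Id of the Security Token Service application<br />
$sts = Get-SPServiceApplication -Identity {id of sts}<br />
$sts.Status   # shows the current status, e.g. Online<br />
$sts.Provision()<br />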
<br />
Additionally, disconnecting servers from the farm and rejoining them can also fix this STS problem.
Yang Lihttp://www.blogger.com/profile/16181366204094649958noreply@blogger.com0tag:blogger.com,1999:blog-3103149575742351603.post-8752707204887909252010-10-04T00:29:00.002-04:002010-10-04T00:35:00.798-04:00
SharePoint authentication mode to Reporting Service
SharePoint can use either "Windows authentication" or "Trusted Account" authentication mode to connect to its report services (essentially a web service). <br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhijce7kYksIBDAUIJkWS5QCDEFxa32uPsaiPPVrXAtb6Le6Y6Z7rpKe1hYJLiKBELHlMiYHrjP094zkVnGbcpKXbmxFiDB4erqlV9xgh2WNXqFnbWSLx2Ixkht3kBJylwewUYUpOR3xhlV/s1600/Untitled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" px="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhijce7kYksIBDAUIJkWS5QCDEFxa32uPsaiPPVrXAtb6Le6Y6Z7rpKe1hYJLiKBELHlMiYHrjP094zkVnGbcpKXbmxFiDB4erqlV9xgh2WNXqFnbWSLx2Ixkht3kBJylwewUYUpOR3xhlV/s320/Untitled.jpg" width="320" /></a></div><div class="separator" style="clear: both; text-align: left;"><br />
</div>In the case of Windows authentication, it is the logon user's credential that flows to RS, which is easy to understand, but implementing Windows authentication/Kerberos is generally mis-considered as difficult. For that reason, "Trusted Account" is provided as another option.<br />
<br />
In the case of trusted account, it is the credential of the application pool identity that is passed to RS. As RS by default allows all users, authentication is not a problem. The challenge is that RS needs to check whether the current logon user has permission to access the report (essentially a SharePoint list item in a document library). RS doesn't have the logon user's credential, as it has never been passed in, but it does have the SPUser object that SharePoint impersonates on behalf of the logon user. RS can do the permission check by using the SharePoint object model.<br />
<br />
At this point, RS can determine whether the logon user has access to a report, but not to the report data itself. Access to the report data is enforced by each report's data source:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs8nqUCLq_Ln3FBwxYahlyU78nTwHKXmTh950IN4nI2RbSBsVR5qVBly1mb6s2eTQZbJjOj6H2JD5pL5TSXFd0-0mcM9RbpS6WJeV9XJEsMWtX8a0SM0fjJwscof7_ZJ06iClbPeMcjbu9/s1600/untitled.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" px="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs8nqUCLq_Ln3FBwxYahlyU78nTwHKXmTh950IN4nI2RbSBsVR5qVBly1mb6s2eTQZbJjOj6H2JD5pL5TSXFd0-0mcM9RbpS6WJeV9XJEsMWtX8a0SM0fjJwscof7_ZJ06iClbPeMcjbu9/s320/untitled.bmp" width="320" /></a></div>As "Trusted Account" mode doesn't pass the logon user's credential, the report's credential can't use "Windows authentication/integrated" as shown above. In other words, only "Windows authentication" mode can use "Windows authentication/integrated" as the report's credential.<br />
<br />
Yang Li http://www.blogger.com/profile/16181366204094649958 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-3103149575742351603.post-4108001944175532102 2010-10-01T22:45:00.002-04:00 2010-10-01T22:47:55.538-04:00<br />
Don't install SQL Reporting Service with its service account as a built-in account<br />
<br />
When you plan to integrate SSRS 2008 R2 with SharePoint 2010, a common scenario is that the DBA installs SSRS and the SharePoint administrator does the configuration for integrated mode. Often the DBA just lets SSRS run under a built-in account such as LocalSystem or NetworkService, and leaves the rest of the work to a poor SharePoint guy. In order to run SSRS in integrated mode, the first thing to do is to change its service account to a domain account. Then here comes the problem: in SharePoint Central Administration, when you try to configure "Reporting Service Integration", you get an error reporting a failure to connect to RS!<br />
<br />
Don't doubt your typing skills, your memory of your password, or anything else (of course, you do need to check network communication between your SharePoint server and the RS server, such as the firewall). The problem is this: if you ever ran SSRS under a built-in account, RS is automatically configured to use Kerberos authentication, and it stays that way even after the service account is changed to a domain account. Kerberos works by default if the service is running under a built-in account, but it breaks when the service is running under a domain account unless you register the SPN. <br />
<br />
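A check for the condition described above, as an added example that is not part of the original post: it reads the AuthenticationTypes from the report server configuration file and decides whether the current service account can satisfy Kerberos. The function name, account name, and host name are hypothetical, and the sample configuration is constructed.<br />

```powershell
# Added example, not from the original post. Sample config and names are constructed.
function Test-RsAuthConfig {
    param(
        [Parameter(Mandatory = $true)] [string] $ConfigXml,      # text of the RS config file
        [Parameter(Mandatory = $true)] [string] $ServiceAccount, # account the RS service runs as
        [Parameter(Mandatory = $true)] [string] $RsHostName,     # host name clients use for RS
        [string[]] $RegisteredSpns = @()                         # e.g. from: setspn -L <account>
    )
    $builtIn = 'LocalSystem', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NetworkService',
               'NT AUTHORITY\NETWORK SERVICE'
    $doc   = [xml]$ConfigXml
    $types = @($doc.SelectNodes('//Authentication/AuthenticationTypes/*') |
               ForEach-Object { $_.LocalName })

    # Negotiate tries Kerberos first; RSWindowsKerberos is Kerberos only.
    $wantsKerberos = ($types -contains 'RSWindowsNegotiate') -or
                     ($types -contains 'RSWindowsKerberos')
    $hasHttpSpn    = [bool]($RegisteredSpns | Where-Object { $_ -like "HTTP/$RsHostName*" })

    if (-not $wantsKerberos) {
        $status = 'OK';     $reason = 'NTLM only, no SPN needed'
    } elseif ($builtIn -contains $ServiceAccount) {
        $status = 'OK';     $reason = 'built-in account, Kerberos works by default'
    } elseif ($hasHttpSpn) {
        $status = 'OK';     $reason = 'domain account with an HTTP SPN registered'
    } else {
        $status = 'BROKEN'
        $reason = "Kerberos requested but no HTTP SPN for $ServiceAccount; " +
                  'register the SPN or switch to RSWindowsNTLM'
    }
    [pscustomobject]@{ AuthTypes = $types -join ','; Status = $status; Reason = $reason }
}

$sampleConfig = @'
<Configuration>
  <Authentication>
    <AuthenticationTypes>
      <RSWindowsNegotiate />
    </AuthenticationTypes>
  </Authentication>
</Configuration>
'@

# Installed under NetworkService, later switched to a domain account, no SPN registered yet.
Test-RsAuthConfig -ConfigXml $sampleConfig -ServiceAccount 'CONTOSO\svc-ssrs' `
    -RsHostName 'rs01.contoso.local'
# Same server after an HTTP SPN has been registered for the domain account.
Test-RsAuthConfig -ConfigXml $sampleConfig -ServiceAccount 'CONTOSO\svc-ssrs' `
    -RsHostName 'rs01.contoso.local' -RegisteredSpns 'HTTP/rs01.contoso.local'
```
<br />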
Now that you know why it breaks, the solution is simple: either manually change the authentication type to "RSWindowsNTLM" in reportserver.config, or register the SPN for the domain service account. See this <a href="http://sharepointlink.blogspot.com/2010/06/enable-kerberos-authentication-for-ssrs.html" target="_blank">post</a> for details.<br />
<br />
Yang Li http://www.blogger.com/profile/16181366204094649958 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-3103149575742351603.post-354109096111423254 2010-09-24T08:59:00.003-04:00 2011-01-16T00:05:45.895-05:00<br />
Thoughts on Installing SharePoint with least privileges<br />
<br />
Lately I have followed the "least privileges" rule while deploying SharePoint 2010 for an MCS customer. Immediately after the core installation, followed by the creation of a BI site, I decided to apply the June CU update first, before provisioning the User Profile Sync service application. Without a second thought, I just kept using the same setup account to install the CU. The setup account has only the dbcreator and securityadmin roles, based on the "least privileges" rule. The result is very "surprising": each server's status hangs at "upgrade available", and the CU is not applied, as indicated by the SharePoint version.<br />
<br />
What is wrong? The setup account unfortunately doesn't have any access to the SharePoint content database under least privileges, but which account should be used then? A farm account certainly has access to every SharePoint database, but again, by the least privilege rule, it is not supposed to be a local admin; otherwise you get warnings from the SharePoint Health Analyzer. Actually, the farm account, as a service account, might not even be given the right to log on locally. So what is the workaround? The answer to this dilemma: break the least privilege rule by giving the setup account the SA server role in the database, and then re-run the configuration wizard to fix the problem.<br />
By setup account, I mean the Windows account that is logged on when running the SharePoint wizard. During wizard configuration, this account is used to connect to SQL and set up the SQL privileges of the farm account, which in turn sets up the other service accounts in SQL. The following infamous error, occurring during wizard configuration, is simply saying that the setup account needs to have SQL privileges:<br />
<br />
<blockquote>"Cannot connect to database master at SQL server at SERVER-SQL. The database might not exist, or the current user does not have permission to connect to it."</blockquote><br />
Yang Li http://www.blogger.com/profile/16181366204094649958 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-3103149575742351603.post-3671525093265105081 2010-08-11T13:04:00.001-04:00 2010-08-18T14:04:44.611-04:00<br />
Some notes on BCS, ECT authentication mode and SSO<br />
<br />
SharePoint Business Connectivity Services (BCS), just like Excel Services, brings external data sources into SharePoint, but its authentication logic is quite different from <a href="http://sharepointlink.blogspot.com/2010/08/sharepoint-2010-excel-services.html">Excel Services</a>, and it doesn't use C2WTS:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEv4WMXDpH2_e5BBEWerU57822IBbIE7IemlwQzKJhN5jpV2JJWRwcignluKrX6_s1qgkPKtXBEzBi0SSrqhHkfEvRBzXP4ivxG_wOjMpPxFXNw_hSX0DDQpl9_IMo1SKclIXDZGo7fN8K/s1600/Untitled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ox="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEv4WMXDpH2_e5BBEWerU57822IBbIE7IemlwQzKJhN5jpV2JJWRwcignluKrX6_s1qgkPKtXBEzBi0SSrqhHkfEvRBzXP4ivxG_wOjMpPxFXNw_hSX0DDQpl9_IMo1SKclIXDZGo7fN8K/s320/Untitled.jpg" /></a></div>External Content Types (ECT) in SPD offer 4 types of authentication for the external data source:<br />
<ul><li>User's Identity</li>
<li>BDC Identity</li>
<li>Impersonate Windows Identity</li>
<li>Impersonate Custom Identity</li>
</ul>User's Identity uses the logged-on Windows user's identity to connect to the external data, which requires Kerberos to be implemented for both SharePoint and the external data source (no configuration is needed for the BCS application).<br />
<br />
BDC Identity uses the SharePoint application pool identity to connect to the external data (it was called RevertToSelf). There is no security enforcement.<br />
<br />
Both Impersonate Windows Identity and Impersonate Custom Identity use SSO:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgugnLLbLQoeD-GfYEEu1dGu4QUSN9ZduAjCE0MgLQeHvBlK2prdwl6KPICYxA_D1kQfaea0xwkhA7XE7wxsmHRSmyA4nkd1I7ObbAFfMI8NfM6M4mbiGUuaiR3vggriXS3ToRD8W5uSC9c/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ox="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgugnLLbLQoeD-GfYEEu1dGu4QUSN9ZduAjCE0MgLQeHvBlK2prdwl6KPICYxA_D1kQfaea0xwkhA7XE7wxsmHRSmyA4nkd1I7ObbAFfMI8NfM6M4mbiGUuaiR3vggriXS3ToRD8W5uSC9c/s320/Untitled.png" /></a></div><br />
The difference between the two is that the first requires an SSO application that uses a Windows account, while the second uses a SQL account, as shown below:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPZc3bmW2txLlBwJtUToq9jntLA3j3oO09t3fpi45uxs3l7p1x7LyZouPMRl1UJcF2udBw-EPWCyK0JtcCoI2wBoQKf6l63y5QYJ9pcUPaeBOb8W5R5jVwvaGvgfvDL-dUMb0VprT6U9lZ/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ox="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPZc3bmW2txLlBwJtUToq9jntLA3j3oO09t3fpi45uxs3l7p1x7LyZouPMRl1UJcF2udBw-EPWCyK0JtcCoI2wBoQKf6l63y5QYJ9pcUPaeBOb8W5R5jVwvaGvgfvDL-dUMb0VprT6U9lZ/s320/Untitled.png" /></a></div>To use an ECT object, users need the Execute permission, which can only be set from Central Administration:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnoi6a2PhhJAk5Zy736LMuPX_StkiJZ6cJyn90DhihngywfOGOHXW0ZrCeIGMjPduqopKWeaTGZzYmv_2vVobCtWsjfFoLoAR-gaoqwmwIpJxcVMvh9NdJ1gRmxro_fUq3olXXUPzxfy2T/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" ox="true" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnoi6a2PhhJAk5Zy736LMuPX_StkiJZ6cJyn90DhihngywfOGOHXW0ZrCeIGMjPduqopKWeaTGZzYmv_2vVobCtWsjfFoLoAR-gaoqwmwIpJxcVMvh9NdJ1gRmxro_fUq3olXXUPzxfy2T/s320/Untitled.png" /></a></div><br />
Yang Li http://www.blogger.com/profile/16181366204094649958 noreply@blogger.com 0<br />
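<br />
The four modes from the BCS post above as they appear in an exported BDC model, as an added example that is not part of the original post: the script maps each LobSystemInstance's AuthenticationMode property back to its SPD label and flags the settings that post calls out. The function name and the model fragment are constructed for illustration.<br />

```powershell
# Added example, not from the original post. The model fragment and names are constructed.
function Get-BcsAuthFinding {
    param([Parameter(Mandatory = $true)] [string] $ModelXml)
    $spdLabel = @{ PassThrough = "User's Identity"; RevertToSelf = 'BDC Identity'
                   WindowsCredentials = 'Impersonate Windows Identity'
                   RdbCredentials = 'Impersonate Custom Identity' }
    $doc = [xml]$ModelXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('b', 'http://schemas.microsoft.com/windows/2007/BusinessDataCatalog')
    foreach ($inst in $doc.SelectNodes('//b:LobSystemInstance', $ns)) {
        # Collect the instance's properties into a name -> value table.
        $props = @{}
        foreach ($p in $inst.SelectNodes('b:Properties/b:Property', $ns)) {
            $props[$p.GetAttribute('Name')] = $p.InnerText.Trim()
        }
        $mode = [string]$props['AuthenticationMode']
        $sso  = [string]$props['SsoApplicationId']
        $note = switch ($mode) {
            'PassThrough'  { 'needs Kerberos on SharePoint and on the data source' }
            'RevertToSelf' { 'connects as the application pool account, no security enforcement' }
            { $_ -eq 'WindowsCredentials' -or $_ -eq 'RdbCredentials' } {
                if ($sso) { "credentials come from SSO application '$sso'" } else {
                    'SSO mode selected but SsoApplicationId is missing' }
            }
            default { 'AuthenticationMode missing or not one of the four modes' }
        }
        [pscustomobject]@{ Instance = $inst.GetAttribute('Name'); Mode = $mode
                           SpdLabel = $spdLabel[$mode]; Note = $note }
    }
}

$sampleModel = @'
<Model xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog" Name="Crm">
 <LobSystems><LobSystem Name="Crm" Type="Database"><LobSystemInstances>
  <LobSystemInstance Name="CrmAsPool"><Properties>
   <Property Name="AuthenticationMode" Type="System.String">RevertToSelf</Property>
  </Properties></LobSystemInstance>
  <LobSystemInstance Name="CrmViaSso"><Properties>
   <Property Name="AuthenticationMode" Type="System.String">RdbCredentials</Property>
   <Property Name="SsoApplicationId" Type="System.String">CrmSqlLogin</Property>
  </Properties></LobSystemInstance>
 </LobSystemInstances></LobSystem></LobSystems>
</Model>
'@

Get-BcsAuthFinding -ModelXml $sampleModel | Format-List
```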