Lately I have followed the "least privileges" rule while deploying SharePoint 2010 for a MCS customer. Immediately after core installation followed by a creation of BI site, I decide to apply June CU update first before provisioning the User Profile Sync service application. Without any second thought, I just kept using the same setup account to install CU. The setup account has only dbcreator and securityAdmin roles, based on "least privileges" rule. The result is very "surprising": each server's status is hanging with "upgrade available", and CU is not applied as it is indicated by Sharepoint version.
What is wrong? the setup account unfortunately doesn't have any access to sharepoint content database under least privileges, but which account should be used then? A farm account certainly has all accesses to every sharepoint database, but again by least privilege rule, it is not supposed to be a local admin, otherwise you get warnings from Sharepoint Health Analyzer. Actually, the farm account, as a service account, might not even be given the right to log on locally. So what is the workaround? the answer to this dilemma: break the least privilege rule by giving setup account a SA server role in the database, and then re-run the configuration wizard to fix the problem.
Aug 11, 2010
some notes on BCS, ECT authentication mode and SSO
SharePoint Business Connectivity Service, just like Excel service, is to get external data source into sharepoint, but its logic authentication is quite different from Excel Services, and it doesn't use C2WTS:
External Content Types in SPD have 4 types of authentications for external data source :
BDC Identity is to use Sharepoint application pool id to connect to external data ( it was called revertToSelf). no security enforcement.
Both Impersonate Window Identity and Impersonate Custom Identity are to use SSO:
The difference between those two is, the first one requires SSO application using window account and the second one use sql account as shown below:
To use ECT object, users need an execute permission which can only be set from central admin:
- User's Identity
- BDC Identity
- Impersonate Window Identity
- Impersonate Custom Identity
BDC Identity is to use Sharepoint application pool id to connect to external data ( it was called revertToSelf). no security enforcement.
Both Impersonate Window Identity and Impersonate Custom Identity are to use SSO:
The difference between those two is, the first one requires SSO application using window account and the second one use sql account as shown below:
Aug 2, 2010
SharePoint 2010 Excel Services and External Data Refresh
Excel Services Configurations
Two most important configurations in Excel Services Application are:
Workbook Data Connection Properties:
Data Connection properties include usage and definition. The usage is per workbook, its setting is not saved in the configuration file. The connection can either use sql authentication or window authentication. Another import property for each connection definition is "Excel Services Authentication", which will be addressed in another post.
Ways to Refresh Data:
Some Refresh Problems:
Two most important configurations in Excel Services Application are:
- Trusted File Locations: the whole sharepoint farm is pre-configured as trusted location.
- Trusted Data Connection Libraries: it is still required in sharepoint 2010 (folder name can not be skipped).
Workbook Data Connection Properties:
Data Connection properties include usage and definition. The usage is per workbook, its setting is not saved in the configuration file. The connection can either use sql authentication or window authentication. Another import property for each connection definition is "Excel Services Authentication", which will be addressed in another post.
Ways to Refresh Data:
manual refresh (data connection) refresh on open or periodic:
Some Refresh Problems:
- Table not refreshable, only pivot table and pivot chart can be refreshed from external data.
- Browser (IE) can cache old connection string. Close IE before testing new connection.
periodic refresh won;t happen after excel service session timeout:
Excel service create a session (memory/disk) for each workbook and release them after timeout. Periodic refresh can't happen without a ongoing session.
References:
SharePoint 2010 Excel Services Authentication Mode
One of properties in any workbook's connection is called "Excel Services Authentication". Its default choice is "Windows Authentication"
As stated in its description, this mode is supposed to use logon user's credential to connect to external data source. However this happens only if kerberos and delegation are configured correctly for both SharePoint and Excel Services, if not, excel services connect to external data source anonymously, which nevertheless doesn;t necessarily mean the failure of Excel Services data accessing. Why? since it largely depends on the connection definition in your connection file:
It is C2WTS that will take initial client kerberos token to external data sources. In order for that to happen, the following 2 accounts need to have delegation right to external datasoure:
OOB SharePoint 2010 use "local system" to run C2WTS, but it is considered as the best practices to replace with a domain account. That will need some extra configurations:
As stated in its description, this mode is supposed to use logon user's credential to connect to external data source. However this happens only if kerberos and delegation are configured correctly for both SharePoint and Excel Services, if not, excel services connect to external data source anonymously, which nevertheless doesn;t necessarily mean the failure of Excel Services data accessing. Why? since it largely depends on the connection definition in your connection file:
- if sql authentication is used and sql account/password are available in the connection string, excel service can still fetch external data.That explains why excel services can work OOB without any kerberos configuration even if its authentication is set as "window authentication".
- if window authention is used in the connection string, and external data is not allowed anonymous access, you will get access deny error
- Alternatively SSO can be used such as ProjectServer sample connection all use SSS ID called "ProjectServerApplication"
- the "None" option requries unattended service account setup. by default, Excel service application doesn't create unattended account for itself.
To use logon user's credential to access external data source by using Excel Service, there are 3 subsystems involved: sharepoint, Excel Service, and external Data source.
Normally for scenario like that, all of 3 subsystems are required to be kerberos enabled (registering SPNs) and both sharepoint and Excel Service should have delegation rights. However, SharePoinit 2010 Excel Service is claim aware, i.e, it is claim that will be used for communication, thus no kerberos or SPN for Excel service is needed, nor SharePoint WFE service account (application pool id) needs the delegate right to Excel Services.
It is C2WTS that will take initial client kerberos token to external data sources. In order for that to happen, the following 2 accounts need to have delegation right to external datasoure:
- service account running Excel Services Application.
Find the application pool id from IIS:
- service account running C2WTS (which is a window service), or, computer account where C2WTS is running if "local system" instead of a domain account is used to run C2WTS
OOB SharePoint 2010 use "local system" to run C2WTS, but it is considered as the best practices to replace with a domain account. That will need some extra configurations:
- register a trivial SPN for this domain service account (to trigger "delegation" option)
- add to local admin group (need to reboot server)
- In local security policy (secpol.msc) under user rights assignment give the service account the following permissions:
- Act as part of the operating system
- Impersonate a client after authentication
- Log on as a service
add this domain account into c2wtshost.exe.config as "allowedCallers"- add this domain account as sharepoint managed account and change c2tws service account from sharepoint central administration site
- re-start the C2WTS service. for details see this white paper
Jul 29, 2010
Performance Point Server in SharePoint 2007
The installation of PPS creates a site in IIS called PPSMonitoring which include webservice and preview sub directory. Webservice is called to connect datasource, and Preview is used to deploy and preview dashboards instead of having to deploy to sharepoint every time.
if you get the following error when working in Dashboard Designer:
That most likely means PPS Monitoring web service is not running (due to app pool id password expired in some cases). and also make sure the specific user has the read permission to web.config and other physical files or use "pass-through" option
if you get the following error when working in Dashboard Designer:
"Unable to connect to the specified server. Make sure the address is correct"or:
"the requested item cannot be found. Verify that it exists and that you have access permission"
That most likely means PPS Monitoring web service is not running (due to app pool id password expired in some cases). and also make sure the specific user has the read permission to web.config and other physical files or use "pass-through" option
PSMonitoringWebService App Pool id is used for Dashboard Designer to connect the datasource. PPSMonitoringPreview App pool id is used during preview dashboard, and Sharepoint application pool id is used to connect to datasource once dashboard is deployed on sharepoint site.
Those application pool ids need to have appropriate access to data source. They also need to have permissions to PPS Monitoring system database (BPMdeveloper role), but this role is normally granted during installation/configuration except for sharepoint application pool if it is different. see this for details. In case application pool ids change, you need to manually add it to this BPMdeveloper role. Otherwise you will get "unable to connect data source" error.
Jul 9, 2010
IIS 7 Kernel Mode Authentication, Kerberos and DNS Alias (CNAME)
The main idea of IIS 7 Kernel Mode Authentication is to allow HTTP.sys to handle authentication, which means the computer account running HTTP.sys (not application pool account) will be used during authentication negotiation (see this post for negotiation details). If site URL is constructed from server name, kerberos will work automatically regardless of app pool account, since Host/servername is registered when servers join domain. If site URL is not constructed from server name, negotiation will choose NTLM unless SPN is registered correctly with the server computer account. If SPN is register by mistatke with any other account, the negotiation chooses Kerberos, but authentication can never go through.
This is a huge improvment over IIS 6.0 with its infamous 401.1 deny issue when site URL is constructed from NetBIOS and IIS pool account is a domain account.
CNAME is generally considered not good for kerberos (particulary for IIS 6), since the kerberos client is not to ask SPN with CNAME. For instance, if intranet.company.com is an alias to server1.company.com, the client is going to ask KDC for http/server1.company.com, not http/intranet.company.com. This doesn't necessarily mean CNAME will break kerberos: in case of kernel mode, CNAME actually make kerberos work without the need to registering any SPN (in contrast, if it is an "A" record in DNS, SPN, http/intranet.company.com, will have to be registered to the server machine account)
Does this mean Kernel Mode is a silver bullet for kerberos? No, kernel mode won;t work for Load Balance situation with multiple WFEs: it is impossible to register the same SPN for more than 1 server machine account.
So for system designed to be multiple server farm such as SharePoint, Kernel Model has to be unchecked in order to configure Kerberos.
As best practice, for multiple server system, turning off Kernel Mode and then handling authentication the same way as IIS 6. For single server, don't truning Kernel Mode off (instead registering SPN correctly when needed to configure Kerberos). If site URL is server name, truning off Kernel Mode will result in authenticatin fail. See this http://support.microsoft.com/kb/871179 for details.
Note: even though Authentication works, it doesn't mean delegation work as well. computer account is NOT granted delegation right by default.
Even though the kernel mode in IIS as well as CNAME record in DNS make debugging kerberos very difficult, but the basic rules still stand:
This is a huge improvment over IIS 6.0 with its infamous 401.1 deny issue when site URL is constructed from NetBIOS and IIS pool account is a domain account.
CNAME is generally considered not good for kerberos (particulary for IIS 6), since the kerberos client is not to ask SPN with CNAME. For instance, if intranet.company.com is an alias to server1.company.com, the client is going to ask KDC for http/server1.company.com, not http/intranet.company.com. This doesn't necessarily mean CNAME will break kerberos: in case of kernel mode, CNAME actually make kerberos work without the need to registering any SPN (in contrast, if it is an "A" record in DNS, SPN, http/intranet.company.com, will have to be registered to the server machine account)
Does this mean Kernel Mode is a silver bullet for kerberos? No, kernel mode won;t work for Load Balance situation with multiple WFEs: it is impossible to register the same SPN for more than 1 server machine account.
So for system designed to be multiple server farm such as SharePoint, Kernel Model has to be unchecked in order to configure Kerberos.
As best practice, for multiple server system, turning off Kernel Mode and then handling authentication the same way as IIS 6. For single server, don't truning Kernel Mode off (instead registering SPN correctly when needed to configure Kerberos). If site URL is server name, truning off Kernel Mode will result in authenticatin fail. See this http://support.microsoft.com/kb/871179 for details.
Note: even though Authentication works, it doesn't mean delegation work as well. computer account is NOT granted delegation right by default.
Even though the kernel mode in IIS as well as CNAME record in DNS make debugging kerberos very difficult, but the basic rules still stand:
- if kerberos client won't be able to get the SPN either because SPN is not registered or is duplicated, the negotiation falls back to NTLM.
- if Kerberos client can get the SPN, negotiation ends with Kerberos (see negotiation process here)
- If the SPN is registered to a wrong account,
A SPN must be registered to a correct account: either server computer account (in case of kernel mode) or application pool domain account. If it is registered to a different account, the kerberos authentication will fail, normally you get prompted indefinitely and can nerve get in. - If the SPN is registered to the right account, either server computer account (in case of kernel mode) or application pool domain account, authentication succeed then.
Jun 16, 2010
a misleading "Access Denied" error when joining a existing sharepoint farm
Lately I have tried to join a new Report Server to an existing sharepoint 2007 farm as it is required for SSRS in integrated mode, but the configuration wizard fails at the step 2, i,e, connecting to configuration database, and I got the following error from window event log:
As the error message indicates, all my thoughts are on the database connection, for that, I first check if the sql server is ping-able, and then the permission on config database, and then whether window firewall is open etc... everything is fine, I can even create a new farm with the same sql server, but I could not join!
At last, i found i have it is caused by different sharepoint versions: one with April 2010 CU and the other is just SP2. This is nothing to do with database. After installing the CU, the error disappears, and join is successful. I hope this can save me or someone else several frustrating hours next time.
Failed to connect to the configuration database.
An exception of type System.Security.SecurityException was thrown. Additional exception information: Access denied.
System.Security.SecurityException: Access denied.
at Microsoft.SharePoint.Administration.SPPersistedObject.Update()
at Microsoft.SharePoint.Administration.SPServer.Update()
at Microsoft.SharePoint.Administration.SPFarm.Join()
As the error message indicates, all my thoughts are on the database connection, for that, I first check if the sql server is ping-able, and then the permission on config database, and then whether window firewall is open etc... everything is fine, I can even create a new farm with the same sql server, but I could not join!
At last, i found i have it is caused by different sharepoint versions: one with April 2010 CU and the other is just SP2. This is nothing to do with database. After installing the CU, the error disappears, and join is successful. I hope this can save me or someone else several frustrating hours next time.
Jun 14, 2010
Create a persistent alias in PowerShell
Often times, I need to query sharepoint cmdlets as I am starting to use Powershell, normally i wrote something like this:
get-command where {$_.name -like "get-sp*"}
It works, but would it be nice to have this defined as an alias as I need to run it very often. Sure you can do this by using set-alias cmdlet, but it won;t survive another session, in other words, after you close powershell, it is gone.
the workaround is to define a function or alias in profile:
get-command where {$_.name -like "get-sp*"}
It works, but would it be nice to have this defined as an alias as I need to run it very often. Sure you can do this by using set-alias cmdlet, but it won;t survive another session, in other words, after you close powershell, it is gone.
the workaround is to define a function or alias in profile:
- Open Powershell ISE from Programs>Accessories>PowerShell folder
- Run the following code from the immediate window in ISE to create a new profile for all users
- Run the following code to edit the new profile
- When profile1.ps1 opens, add the following code:
- save and exit ISE
- relaunch ISE and type "getspcmd"
Jun 3, 2010
Logon restriction on service accounts
Lately I ran into the same problem several times, so I decide to blog this to save someone else a couple, if not more, frustrating hours.
The problem is, during sharepoint or sql server installation we need to enter several service account and their passwords, and even though I use those passwords many times without any problem, I keep getting an error saying "invalid password or username", or sql service (or any other window service) can't start with the password I enter. Someone must change the password without letting anyone else know?!
Not really, generally for those service accounts, network or server guys like to impose a log on restriction:
make sure your new server is in the list! and check the spell (no typo. windows don't check that for you).
The problem is, during sharepoint or sql server installation we need to enter several service account and their passwords, and even though I use those passwords many times without any problem, I keep getting an error saying "invalid password or username", or sql service (or any other window service) can't start with the password I enter. Someone must change the password without letting anyone else know?!
Not really, generally for those service accounts, network or server guys like to impose a log on restriction:
where is SSRS 2008 web service?
When you configure SSRS's web service URL in RS Configuration Manager:
Have you ever wondered where this web service is or tried to go to IIS and look for a virutal directory called ResportServer? I did, but could not find it of course. As the RS server is also a SharePoint WFE (in sharepoint integrate mode), could it be a Managed Path defined in the sharepoint? No, it is not either. Then how could this url be resolved?
The answer is, this url is reserved in HTTY.sys, and SSRS 2008 is not using IIS any more, for more details see this post.
Have you ever wondered where this web service is or tried to go to IIS and look for a virutal directory called ResportServer? I did, but could not find it of course. As the RS server is also a SharePoint WFE (in sharepoint integrate mode), could it be a Managed Path defined in the sharepoint? No, it is not either. Then how could this url be resolved?
The answer is, this url is reserved in HTTY.sys, and SSRS 2008 is not using IIS any more, for more details see this post.
Why SSRS server need to have SharePoint installed?
It sounds odd at first that we need to install sharepoint on Report Server. The installation actually makes RS as one of SP WFEs even though it normally doesn't actually handle any sharepoint web requests (no AAM configuration for RS server)
The reason that SSRS need sharepoint is that RS extension use sharepoint object model to do security checking (see here for details), and SP OM can only be available on a sharepoint server.
The fact that SSRS use OM to check permission essentially makes it possible to use "Trusted Account" when configuring report server from SharePoint Central Admin:
With "Trusted Account" setting, you don't need to enable kerberos for either sharepoint site or RS web server. The downside however is, you won't be able to get a security trimmed reports. Data access is through either sql authentication or through a credential mapping.
The reason that SSRS need sharepoint is that RS extension use sharepoint object model to do security checking (see here for details), and SP OM can only be available on a sharepoint server.
The fact that SSRS use OM to check permission essentially makes it possible to use "Trusted Account" when configuring report server from SharePoint Central Admin:
Installation of SSRS 2008 add-in for Sharepoint 2007 is interrupted
SSRS add-in for Sharepoint need to be installed in every sharepoint server, but not required for RS server (even technically it is one of WFE). If you use SSRS 2008 R2, you need to install SSRS R2 add-in for SharePoint. At this time, this add-in is yet to RTM. SharePoint 2010 prerequisite installer will install the SSRS 2008 R2 Add-in for SharePoint 2010, so you don't need any extra install. this article is a must read on how to configure sharepoint 2010 SSRS integration.
When I working on a single server scenario, the installation is seamless, just click the .msi file. But when I scale the single server to a medium farm:
1 WFE
1 AS
1 RS
1 SQL
The installation was always interrupted and rolled back. The workaround documented in readme.htm, it requires a 2 steps command line. Weird but works.
When I working on a single server scenario, the installation is seamless, just click the .msi file. But when I scale the single server to a medium farm:
1 WFE
1 AS
1 RS
1 SQL
The installation was always interrupted and rolled back. The workaround documented in readme.htm, it requires a 2 steps command line. Weird but works.
what Sharepoint need to know about SSRS?
After SSRS provision a web service, all sharepoint need to know is its url as specified in this setting:
Like any web service, Equally important is how authentication is chosen (also shown above).
The interesting part is "Trusted Account" choice which makes service calls under user context without configuring kerberose. For this reason another setting, "grant database access", is a required configuration for SSRS. It essentially grant SSRS's service account a "full control" to all sharepoint web applications and some access to central administration ( as a proof, even though there is no place in UI where permission is specified for the SSRS service account, you can certainly log as this service account to any sharepoint site). Also this account is granted a "WSS Content Application Pool" permission to sharepoint Config db. The reason to grant those permission for RS service account is because SSRS web service will need to invoke sharePoint Object Model to check user permission in case of "trusted account" authentication.
Sharepoint 2010 simplify the 2 settings in one place:
Like any web service, Equally important is how authentication is chosen (also shown above).
The interesting part is "Trusted Account" choice which makes service calls under user context without configuring kerberose. For this reason another setting, "grant database access", is a required configuration for SSRS. It essentially grant SSRS's service account a "full control" to all sharepoint web applications and some access to central administration ( as a proof, even though there is no place in UI where permission is specified for the SSRS service account, you can certainly log as this service account to any sharepoint site). Also this account is granted a "WSS Content Application Pool" permission to sharepoint Config db. The reason to grant those permission for RS service account is because SSRS web service will need to invoke sharePoint Object Model to check user permission in case of "trusted account" authentication.
Sharepoint 2010 simplify the 2 settings in one place:
Error when selecting "windows Authentication" for Reporting Service Integraion
In Sharepoint 2007, you might get this error when configuring reporting service authentication mode:
it can be caused by either
1) you are not inside the server where the central administration is hosted
or
2) the kerberos authentication in report server web service is not enabled. See this post on how to enable kerberos for RS
[Update] Sharepoint 2010 will not give this error in either way, but in order to get a security trimmed report, kerberos authentication still needs to be enabled manually.
"The request failed with HTTP status 401: Unauthorized"
it can be caused by either
1) you are not inside the server where the central administration is hosted
or
2) the kerberos authentication in report server web service is not enabled. See this post on how to enable kerberos for RS
[Update] Sharepoint 2010 will not give this error in either way, but in order to get a security trimmed report, kerberos authentication still needs to be enabled manually.
Enable Kerberos authentication for SSRS 2008
Starting from SQL 2008, IIS is elminated from Reporting Service. RS web service authenitcation mode is defined in rereportserver.config located in C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Service\Report Server\
If SSRS is running under localsystem account, Kerberos is enabled by default, if SSRS is running under a domain account, NTLM is enabled by default. In that case, to enable kerberos you first need to make the follwoing modification:
<authenticationtypes>
< rswindowsnegotiate >
< /authenticationtypes >
Notice: Use rswindowsnegotiate, DON'T Use rswindowKerberos, otherwise the RS service will immediately become non-accsible.
After that, you need to register SPN for SSRS servic account in Domain Controller, and also grant Delegation right for this account ( if it is localsystem account, grant the server computer delegation right instead)
Now the RS service is Kerberos enabled, but in order to use "Window Authentication (Integrated)" in data source configuratoin, the user database must be kerberos enabled too:
To do that, you need to register SPN for sql service account running at user sql server, but delegation for this account is NOT necessary as it is the last hop in the chain.
You can certainly don't choose "Window Authentication", but only the window authentication can give you security trimmed reports, while other option can't not.
At this point, you should be able to view a report from RS web serive, but if you view reports from Sharepoint document library or Report Viewer web part, you may get a 401 error
If SSRS is running under localsystem account, Kerberos is enabled by default, if SSRS is running under a domain account, NTLM is enabled by default. In that case, to enable kerberos you first need to make the follwoing modification:
<authenticationtypes>
< rswindowsnegotiate >
< /authenticationtypes >
Notice: Use rswindowsnegotiate, DON'T Use rswindowKerberos, otherwise the RS service will immediately become non-accsible.
After that, you need to register SPN for SSRS servic account in Domain Controller, and also grant Delegation right for this account ( if it is localsystem account, grant the server computer delegation right instead)
Now the RS service is Kerberos enabled, but in order to use "Window Authentication (Integrated)" in data source configuratoin, the user database must be kerberos enabled too:
To do that, you need to register SPN for sql service account running at user sql server, but delegation for this account is NOT necessary as it is the last hop in the chain.
You can certainly don't choose "Window Authentication", but only the window authentication can give you security trimmed reports, while other option can't not.
At this point, you should be able to view a report from RS web serive, but if you view reports from Sharepoint document library or Report Viewer web part, you may get a 401 error
The reuest failed with HTTP status 401: UnauthorizedIn order to make it work from SharePoint, SharePoint web applications have to be Kerberos enabled, and "window authentication" is selected in the setting of "Reporting Services Integration"
Permission to view reports for SSRS 2008 in SharePoint 2007 integrated mode
we know one of nice things about SSRS in SharePoint integrated mode is that user permission is managed by sharepoint site or library, in other words, to grant a user the permission to view report is as simple as to grant a read permission to sharepoint site or library where reports sit. It is very user friendly!
But one exception is, if you log in as sharepoint farm account or application pool id account, even though both accounts are marked as "System Account" and have access to absolute everything, it seems SSRS is not aware of them. You will get the following error when trying to view reports from sharepoint:
The workaround is to add them explicitly in site or library, and the problem is gone.
But one exception is, if you log in as sharepoint farm account or application pool id account, even though both accounts are marked as "System Account" and have access to absolute everything, it seems SSRS is not aware of them. You will get the following error when trying to view reports from sharepoint:
[update] this problem only occurs to sharepoint 2007 when kerberos is enabled for both sharepoint and RS, and data connectin uses window authentication. Sharepoint 2010 has this problem fixed.
The permissions granted to user 'SP\spFarm' are insufficient for performing this operation. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'SP\spFarm' are insufficient for performing this operation.
The workaround is to add them explicitly in site or library, and the problem is gone.
Jun 1, 2010
another error when configuring sharepoint 2007 integration with Reporting Service
when I try to configure "Grant database access" of reporting service in Sharepoint Central Administration, I keep getting the following error:
As I was able to do this for another Report Server where SSRS 2008 R2 is installed, so the first thing I was thinking of is to upgrade SSRS 2008 SP1 with CU#5, but it made no difference.
The 2 servers are in the same domain, and can ping each other. Then i found the interesting thing is, i got the same error no matter what credential i put in, which lead me to think it might be a window firewall issue. I went to check the RS server's window firewall, it is ON! I turned it off, the problem went away immediately.
It turns out the following exception should be made: Window Management Instrument (WMI). Sharepoint did give out a very useful error message! Don't blame SharePoint.
Unable to connect to the Report Server WMI provider.
As I was able to do this for another Report Server where SSRS 2008 R2 is installed, so the first thing I was thinking of is to upgrade SSRS 2008 SP1 with CU#5, but it made no difference.
The 2 servers are in the same domain, and can ping each other. Then i found the interesting thing is, i got the same error no matter what credential i put in, which lead me to think it might be a window firewall issue. I went to check the RS server's window firewall, it is ON! I turned it off, the problem went away immediately.
It turns out the following exception should be made: Window Management Instrument (WMI). Sharepoint did give out a very useful error message! Don't blame SharePoint.
May 25, 2010
sharepoint anonymous users: what they can do?
When a web application is anonymous enabled, each site collection can define whether anonymous users can access whole site or just lists/libraries or nothing. Anonymous users will assume "limited access" permission role. This special permission role is not configurable, but it does have 2 flavors: with or without LockDown mode. The most significant difference is the lockdown mode takes away the following 2 permissions from anonymous users:
Anonymous users will be challenged or prompted when they try to access resources which are not granted by the "limited access" role. Anonymous users can access sharepoint resource only by server object model, not by web service (either asmx or wcf) regardless whether site is anonymous enabled or whether lockdown mode is turned on. The only workaround is for readonly web service as described in the following 2 posts:
exception: for readonly and SOAP version 1.1(asmx): modify SOAPAction Header:
http://mdasblog.wordpress.com/2010/03/18/allowing-anonymous-access-with-sharepoint-web-services-and-spservices/
http://weblogs.asp.net/jan/archive/2009/05/25/quot-the-security-validation-for-this-page-is-invalid-quot-when-calling-the-sharepoint-web-services.aspx
Otherwise web service call must carry a valid credential. However if web services doesn't involve any object model, anonymous users can call those kinds of web service even if those web services are hosted inside sharepoint.
WCF services add another level of security with security binding configurations for each endpoint. WCF endpoint security along with hosting IIS authentication setup together will determine if anonymous users can invoke WCF services. See here for details.
If the web service is custom web service and using sharepoint object model, the web service need to be in viti_bin, or sharepoint CAS policy need to change. As any web service with sharepoint object model involved, they are not open to anonymous users any way.
In sharepoint 2010, at web application level, there are 2 new policies: Users Policy and Anonymous Policy, which can deny individual uses or all anonymous user's access to an anonymous web application.
Anonymous users can't access to sharepoint application pages under _layouts folder as most sharepoint application pages inherit from LayoutPageBase which is a secure page, nevertheless some application pages inherit from UnsecuredLayoutPageBase such as searchresults.aspx, login.aspx etc, which are open to anonymous users.
- Site permissions: Use Remote Interfaces. It will prevent web service (SOAP), WebDav and SPD connection to sharepoint sites;
- List permissions: View Application Pages. It will prevent anonymous users from view list form pages such as allitems.aspx, edititem.aspx etc
Anonymous users will be challenged or prompted when they try to access resources which are not granted by the "limited access" role. Anonymous users can access sharepoint resource only by server object model, not by web service (either asmx or wcf) regardless whether site is anonymous enabled or whether lockdown mode is turned on. The only workaround is for readonly web service as described in the following 2 posts:
exception: for readonly and SOAP version 1.1(asmx): modify SOAPAction Header:
http://mdasblog.wordpress.com/2010/03/18/allowing-anonymous-access-with-sharepoint-web-services-and-spservices/
http://weblogs.asp.net/jan/archive/2009/05/25/quot-the-security-validation-for-this-page-is-invalid-quot-when-calling-the-sharepoint-web-services.aspx
Otherwise web service call must carry a valid credential. However if web services doesn't involve any object model, anonymous users can call those kinds of web service even if those web services are hosted inside sharepoint.
WCF services add another level of security with security binding configurations for each endpoint. WCF endpoint security along with hosting IIS authentication setup together will determine if anonymous users can invoke WCF services. See here for details.
If the web service is custom web service and using sharepoint object model, the web service need to be in viti_bin, or sharepoint CAS policy need to change. As any web service with sharepoint object model involved, they are not open to anonymous users any way.
In sharepoint 2010, at web application level, there are 2 new policies: Users Policy and Anonymous Policy, which can deny individual uses or all anonymous user's access to an anonymous web application.
Anonymous users can't access to sharepoint application pages under _layouts folder as most sharepoint application pages inherit from LayoutPageBase which is a secure page, nevertheless some application pages inherit from UnsecuredLayoutPageBase such as searchresults.aspx, login.aspx etc, which are open to anonymous users.
May 22, 2010
SharePoint 2010 Reusable Workflow and Enterprise Content Type
we know SharePoint 2010 reusable workflow can be reused because it can be associated with a content type, and a content type can be deployed in multiple lists or libraries. So a reusable workflow can be used automatically in a site scope.
We also know a content type is scoped at a site collection level, does that mean reusable workflow can be used cross all site collection? Yes, but you need to "Publish Globally" (in SharePoint Designer ribbon) to make it be reusable in a whole site collection.
SharePoint 2010 has a new feature called Enterprise Content Type which allow content type to be reused beyond a site collection scope . See this article on Technet for a completed guidance on how to setup a ECT. If the content type is published from content type hub and subscribed by another site collection or even another web application, The content type can be reused in a farm scope. The question is, can its associated workflow be reused? The answer is No at this time.
To summary up:
We also know a content type is scoped at a site collection level, does that mean reusable workflow can be used cross all site collection? Yes, but you need to "Publish Globally" (in SharePoint Designer ribbon) to make it be reusable in a whole site collection.
SharePoint 2010 has a new feature called Enterprise Content Type which allow content type to be reused beyond a site collection scope . See this article on Technet for a completed guidance on how to setup a ECT. If the content type is published from content type hub and subscribed by another site collection or even another web application, The content type can be reused in a farm scope. The question is, can its associated workflow be reused? The answer is No at this time.
To summary up:
Apr 28, 2010
Install SharePoint 2010 RTM with a named sql Instance
I am installing a sharepiont 2010 farm with its configuration database in a remote sql server, and am using a named sql instance for its configuration database. During running SharePoint Product Configuration Wizard, I keep getting the following clueless error message:
In SQL server, I run sql profile and found no connection even being attempted from the sharepoint wizard, so it seems most likely a firewall issue. As a testing, I turned off window firewall, and it works immediately!
But I can't leave the firewall off, so I have to find out what else I need to open in the firewall. After some googling, I understand how sql named instance works differently from default instance: the named instances need handshaking when a connection is requested (as client requests normally don;t include port number, but just instance name), and it is SQL Browse Service which helps client find port number at which the named instance is running at. The service name is sqlbrowser.exe and it is running at UDP port 1434.
With that, opening firewall for either .exe or UDP port 1434, the problem goes away, and I got a first look at SharePoint 2010 RTM after so many months with Beta. It is so exciting!
Cannot connect to database master at SQL server at ..... The database might not exist, or the current user does not have permission to connect to it.This happened even after I opened firewall exceptions for sqlservr.exe or whatever port the named instance is running at! As that was what I did to the default instance and I never had problem connecting to the default instance. So what is the issue with the named instance?
In SQL server, I run sql profile and found no connection even being attempted from the sharepoint wizard, so it seems most likely a firewall issue. As a testing, I turned off window firewall, and it works immediately!
But I can't leave the firewall off, so I have to find out what else I need to open in the firewall. After some googling, I understand how sql named instance works differently from default instance: the named instances need handshaking when a connection is requested (as client requests normally don;t include port number, but just instance name), and it is SQL Browse Service which helps client find port number at which the named instance is running at. The service name is sqlbrowser.exe and it is running at UDP port 1434.
With that, opening firewall for either .exe or UDP port 1434, the problem goes away, and I got a first look at SharePoint 2010 RTM after so many months with Beta. It is so exciting!
Subscribe to:
Posts (Atom)
