Welcome to Atlanta .NET Regular Guys

SharePoint 2007 - How to Rollup Content from multiple Site Collections (1 way)

I am currently designing & building a sizeable intranet for a global shipping company.  They will have multiple site collections with multiple subsites and lots of lists and libraries scattered throughout the site structure.  One of the site collections is the "parent" site collection to all the others and will function as the entry point for most of the users.

We had a need to rollup content from all of the different site collections and sites to the "parent" site.  The first thing that crossed my mind was the Content Query Web Part.  After playing around with it for about 10 seconds, and then doing a little bit of research to make sure, it was clear that this web part was limited to rolling up content from a single site collection.  Also, it requires that you activate the publishing feature.  Although the publishing feature may be useful, it creates a lot of management overhead if you are not using it, so I needed an alternate solution.

Well, after some thought, SharePoint Search came to the rescue.

Here is my scenario.  On the "parent" site collection there is a Sales subsite.  Throughout the various regional site collections and their respective local or country specific subsites, there may be many Sales related libraries.  These scattered libraries may contain various types of Sales documents including PowerPoint presentations, Excel workbooks, Word documents or Adobe PDF's.  My challenge was to determine how to identify all of this material.  Although there are alternative (and undoubtedly better) ways to do what I did, the general idea holds true and the methodology would be the same.

In each of the site collections I added a yes/no site column called IsSalesMaterial and defaulted its value to "yes".  I then added this site column to all of the libraries that contained sales material.  Now all sales material would be flagged and more importantly, be searchable using this column.  I also added some content to these libraries so that I would get some results.

I flipped over to Shared Services Administration to make a couple of necessary changes.  The first change was to perform a full crawl so that my new property would be visible to SharePoint Search.  I then needed to make it a managed property and allow it to be used in scopes.

After performing a full crawl of all of your content (I am assuming that the content that you want to surface using this method is already included in an existing content source) navigate to Crawl Setting and click on Metadata property mappings.

Click on New Managed Property.

Name the yes/no property SalesMaterial and add a mapping to ows_IsSalesMaterial(Yes/No).  Be sure to check Allow this property to be used in scopes so that we will be able to use this property in a custom scope.

After saving the property, find it in the list and click on the appropriate mapping in the Mappings column.  If you wanted this property to be included in your index automatically, check the Include values for this property in the search index checkbox.  We do not, since we are only using it for a custom scope.  Checking this checkbox on too many properties can degrade performance, so check wisely!

Now we need to create a custom scope.  Create a new scope named Sales Material.  Add a single rule to include all items that have the SalesMaterial property set to Yes.  Update your scopes.

I then went to the front end web site of my "parent" site collection.  I added a Search Core Results web part to the page and made the following changes so that it returns all sales-related PowerPoint presentations.

  1. Under Results Display/Views change Default Results View to Modified Date.
  2. Under Results Query Options, change Cross-Web Part query ID to Query 2.
  3. Under Fixed Keyword Query, change Fixed Keyword Query to FileExtension:pptx FileExtension:ppt
  4. Under Miscellaneous, change Scope to Sales Material.
  5. Under Appearance, change the Title to Sales Presentations and change the Chrome Type to Title.

You should now see all of the PowerPoint presentations retrieved from the Sales Material scope.  You can now add another Search Core Results web part to your page to return all Excel Workbooks or any other type of query you want to fix.  Just be sure to set the Cross-Web Part query ID to another value to group all your search web parts together.  For example if you add a Search Paging web part below this Search Core Results web part, be sure to set its Cross-Web Part query ID to the same value as the Search Core Results web part that it will be paging.

Happy Searching!

posted by Dan Attis | 12 Comments

How to programmatically add a field to all views in a SharePoint list

Today I had a need to add a new field to multiple lists each with multiple views and to group by the new column in each of the views.  There were about 6 lists and 12 or so views on each list and doing this through the interface, although possible, would have been tedious, error prone and very boring (especially for the client since he was doing it).  So I decided to automate the process.  I added the field to each of the lists manually, although I could have automated that too :).  I then wrote a simple console application that accepts a few parameters, namely the new field's internal name, the site collection URL, the web path, the list or library name, the position of the field, whether or not to group by that field, and whether or not to collapse the groups (if grouped).

Here is the main function.  I have a few helper functions that gather input but this is the meat and potatoes.

using System;
using System.Collections.Specialized;
using Microsoft.SharePoint;

// siteUrl, webPath, listLibName, newFieldName, fieldOrdinal, groupByField and
// collapseGroup are static fields populated by GatherInput(), a helper not shown here.
static void Main(string[] args)
{
  // if all input is valid then proceed
  if (true == GatherInput())
  {
    // get a reference to the site collection
    using (SPSite site = new SPSite(siteUrl))
    {
      // get a reference to the site
      using (SPWeb web = site.OpenWeb(webPath))
      {
        // get a reference to the list or library
        SPList list = web.Lists[listLibName];

        // iterate though all the views in a list
        for (int i = 0; i <= list.Views.Count - 1; i++)
        {
          // get a reference to a view
          SPView view = list.Views[i];

          // only do this for visible views and ignore the useless explorer view :)
          if (view.Hidden == false && !(view.Title == "Explorer View"))
          {
            // retrieve the names of all of the fields used in the view
            StringCollection viewFields = view.ViewFields.ToStringCollection();

            // remove all of the fields from the view
            view.ViewFields.DeleteAll();

            // create the new field to insert (it must already exist in the list)
            SPField newField = new SPField(list.Fields, newFieldName);

            // desired zero-based position of the new field
            int insertAt = Convert.ToInt32(fieldOrdinal);

            // add each of the fields back into the view
            // while adding the new field at the desired location
            for (int k = 0; k < viewFields.Count; k++)
            {
              SPField field = new SPField(list.Fields, viewFields[k]);

              if (k == insertAt)
              {
                view.ViewFields.Add(newField);
              }
              view.ViewFields.Add(field);
            }

            // if the requested position is past the last existing field,
            // the loop above never reached it, so append the new field at the end
            if (insertAt >= viewFields.Count)
            {
              view.ViewFields.Add(newField);
            }

            if (true == groupByField)
            {
              // group by the new column, collapsing the group if necessary
              // (assumes the view's CAML query does not already contain a GroupBy element)
              string query = string.Empty;
              query += "<GroupBy Collapse=\"";
              if (true == collapseGroup)
              {
                query += "TRUE";
              }
              else
              {
                query += "FALSE";
              }
              query += "\">";
              query += "<FieldRef Name=\"" + newField.InternalName + "\" />";
              query += "</GroupBy>";
              view.Query += query;
            }

            // update the view
            view.Update();
          }
        }
      }
      site.RootWeb.Dispose(); //this was opened implicitly when we referenced SPSite and needs to be disposed.
    }
  }
}

posted by Dan Attis | 41 Comments

Where in the world is the RSS Viewer Web Part

I needed to put an RSS Viewer web part on a page but could not find it.  I opened the feature folder and did a search for rssviewer to see if anything came back.

I am a minimalist when it comes to SharePoint and would rather not activate features that are not being used.  This web part becomes available when you activate the Office SharePoint Server Standard Site Collection features feature at the site collection level (I needed it available for all sites).  This feature actually activates a lot of features, too many to mention, but if you need the RSS viewer web part you need to activate this feature or its Site Feature counterpart (for a single site only), the Office SharePoint Server Standard Site features feature.

These features are not activated by default, which is very pleasing to me. :)

Now if I could just get it to work through a proxy server!  Ideas welcome!

[EDIT] - Well I actually looked a little harder and found this post by Adam Hems.

[EDIT] - That post would probably work if the proxy server did not require authentication (mine does); that said, ideas welcome!


posted by Dan Attis | 3 Comments

SharePoint 2003 - SharePoint 2007 Migration Tool Recommendation

I started on a project here in Greenville, SC this week.  The project has 2 primary goals.  Goal #1 is to migrate the existing WSS v2 content to the new Office SharePoint Server 2007 platform.  Goal #2 is to create a site for the internal legal team to use that has a few requirements, most of which are provided by SharePoint 2007 out of the box.  I have not dived into the implementation of goal #2 yet but am well into goal #1.

In the process of planning the migration I have had the opportunity to research and compare a bunch of 3rd party tools, as well as give some of the "upgrade" paths some thought.  Personally, I am not a big fan of the "upgrade" paths for this particular project.  An in-place upgrade is out of the question since my client only has a single server and if this process were to fail we would have to rebuild from backups.  A side by side migration is possible, but I simply do not trust the concept.  I have not tried it yet but again, I have that "gut" feeling if you know what I mean.  After looking at these, and a few other options, and discussing the client's needs, it became apparent to me that all the client really cared about was the actual content.

So my search began for a tool that could move all of our content and leave the look and feel alone.

Enter Metalogix and their List And Library Migration Manager for SharePoint tool.  I contacted them, discussed our needs and explained that I would like to evaluate their product.  It seemed, in my mind anyway, that it did exactly what I wanted, move content only.  I was promptly provided with an evaluation license key and started my evaluation.

This tool does exactly what it says it does.  It moves lists and libraries, including all the metadata columns, to and from both 2003 and 2007.  It has batch capability so that you can "queue" up a number of lists and libraries, and execute the migration all at once.  It logs any errors, warnings or issues it finds.  The tool allows you to view and edit the individual items in the lists and libraries as well as the properties of the lists and libraries themselves.  The tool also has the capability to retain the ModifiedBy and CreatedBy users (assuming both servers are in the same domain), as well as the Created and LastModified dates, with the installation of an additional service on the target machine (that they supply).

Perhaps the BEST and most enticing feature in my opinion is that the tool uses ONLY the SUPPORTED APIs supplied by each of the products (of course, I could not prove this since I do not have access to the source code, but that is what they advertise).  It uses a combination of both the web service and RPC calls to perform its work.  What that means is you DO NOT have to install this tool on any of your SharePoint servers (the service to maintain the Created and LastModified dates does need to be installed on the target machine however), it can be installed on your laptop or workstation and work remotely, so long as you have access to the SharePoint servers involved in the migration.  Actually, the best feature is probably the fact that they are a Canadian company. :)

To top it all off I gotta say that the people I spoke with at Metalogix were exceptionally friendly and very helpful.  They are also very receptive to new feature ideas and asked that I call them immediately if any bugs or issues arise.  Apparently there is quite a large demand for their product and they are releasing updates quite regularly that include additional features and functionality as well as the occasional bug fix I am sure.  Every product has bugs!  If I had to complain about something, it would be performance.  It is not as fast as I would like, but given that it has to move each and every document and/or item remotely from one server to another, I don't expect it to be done with 2GB of content in 5 minutes.  I have been informed that they are trying to improve this in future releases.

So if you need to move content (lists and libraries) and don't care about look and feel, this tool is for you and in my opinion is worth every penny given the amount of time and money you and more importantly, your client, will save.

posted by Dan Attis | 8 Comments

Windows SharePoint Services 3.0 Tools: Visual Studio 2005 Extensions RTM

Finally, the extensions are RTM.  You can get them here.

Get them while they are hot!


Overview

This release of the Visual Studio 2005 Extensions for Windows SharePoint Services contains the following tools to aid developers in building SharePoint applications:

Visual Studio 2005 Project Templates

  • Web Part
  • Team Site Definition
  • Blank Site Definition
  • List Definition

Visual Studio 2005 Item Templates (items that can be added into an existing project)

  • Web Part
  • Custom Field
  • List Definition (with optional Event Receiver)
  • Content Type (with optional Event Receiver)
  • Module

SharePoint Solution Generator

  • This stand-alone program generates a Site Definition project from an existing SharePoint site. The program enables developers to use the browser and Microsoft Office SharePoint Designer to customize the content of their sites before creating code by using Visual Studio.

posted by Dan Attis | 2 Comments

The Tragically Hip - Atlanta - March 13th, 2007

Tonight Jody and I went out for a very rare and hard to come by date night.  The occasion you may ask was to see The Tragically Hip concert at the Roxy theatre.  We are both HUGE Hip fans and go see them each and every time they come to Atlanta, which is pretty much every other year or so.  The best part about the shows in Atlanta is the venues.  For those who don't know, the Roxy is not very big, I'm guessing that there were less than 1000 people there, plus half of the Atlanta Thrashers hockey team (I wonder why that is).  We got there just in time to completely miss the opening act, since we weren't interested, plus Lily (our daughter) was being stubborn with respect to going to bed tonight.  We were paying for our beer at the bar as the concert started.  It wasn't very long, lasting only about 2 hours.

It really is neat seeing so many Canadians all in one place.  Flags were waving and it was quite a sight, since to me, this band really reminds me of my roots.  I of course made the traditional phone calls to many people while I was there, holding up the phone and letting people listen.

On our way out, we walked by the sound guy and my eye caught his set list and I pointed it out to Jody.  She asked me if I wanted it and I said sure, so she went and asked him for it with a big smile on her face, and of course, since no one can really say no to her smile, she got it.

Here it is if anyone is interested!

Now off to bed to try and get some sleep!  I still have to work in the morning.


posted by Dan Attis | 2 Comments

SharePoint 2007 - Master Page Picker

Ever wonder how to change the master page on a site or better yet, on a site collection and all of its subsites?  If you do it with SPDesigner they will each get stuffed into the content database (Yuk!).  Well I have certainly given it some thought and thankfully, Renaud Comte has as well and wrote a Feature that will do it for us.  It eliminates the need to customize (a la SPDesigner) by programmatically pointing your site(s) to a file system master page.

It's published on CodePlex so be sure to check it out.

posted by Dan Attis | 1 Comments

Office SharePoint Server 2007 - Forms Based Authentication (FBA) w/MySites Walk-through - Part 2

As promised, here is part 2 of my series on hooking up Forms based authentication on a SharePoint 2007 site AND integrating your web application with MySites and the Personalization features of Office SharePoint Server 2007.

I am going to assume that you have read and gone through all of the steps in part 1 of the series.  The steps below ARE dependent on part 1 and I will be making some references to it.  If you have not gone through part 1, I encourage you to read this entire post before trying to implement the solution.  There are quite a few caveats and very UNINTUITIVE steps.  Since none of this is documented (to my knowledge), I have to say that since it is undocumented, it may be unsupported as well.  What I can say for certain is that, in my 2 or 3 support calls to Microsoft regarding this issue, I had given up on them helping me.  Essentially I was told on more than one occasion that "it's not supposed to work" or "it does not work".  Of course after those answers, I had to prove to myself that either it does work or support was right.  They do after all claim that this is "pluggable" authentication, and other than the obvious features, like Office integration, or SharePoint Designer integration, I expected all of the functionality to work.  The following is the fruit of my labor.  As a side note, this effort, although it may seem simple after you go through the steps, took me about 5 weeks of nights and weekends trying to get the sequence of steps and the steps themselves defined.

One major disappointing caveat is MySite search.  Search works fine against the FBA site to which we have a "mirror" intranet version, like we do in our example, but unfortunately we do not have a Windows authentication version of each and every MySite.  I guess we could, technically, but really, that's not going to happen.  I have heard however, through a very reliable source that Microsoft is working VERY VERY hard on getting the SharePoint search crawler to be able to penetrate forms based authentication sites and just maybe, might have a solution in Q2.  I am optimistic about this and can't wait, then we would really have a fully searchable FBA solution.

So here goes...

Assumptions

Like any good assumer, I am going to list all of my assumptions here.  If you think that anything is missing, please do let me know and I will update this list.

  • You have created and configured a Shared Services Provider (SSP) and can link to its settings page using either of the following two methods.
    • Click on the Shared Services Provider's link in the left navigation in Central Administration.
    • Click on the Create or configure this farm's shared services link in the Office SharePoint Server Shared Services section of the Application Management tab in Central Administration, then select Edit Properties from the dropdown menu that appears when you hover over its name.
  • The SSP Administrative Site URL and the MySite Location URL are each on their own web applications.

    It is possible and sometimes desirable for some to locate their MySite site collections within the same Web Application as the site to which they are associated.  What I mean by this is that there are two very different ways in which to set up MySites and they are as follows.  Let's pretend for the sake of conversation, that our site is www.microsoft.com.

    Method #1 - The site www.microsoft.com is its own Web Application.  In turn, www.microsoft.com/mysite is where the MySites site collection is located.  The main benefit to this design is that since we are using FBA as our authentication method, the same cookie will work for both sites and we will not have to log into our MySite independently of logging into the main site.  The main drawback is that MySites will now be created in the same content database(s) that the www.microsoft.com Web Application is using.  This may be an issue when it comes to scaling and capacity planning.  Chris Johnson has outlined the steps needed to produce this scenario here.

    Method #2 - The site www.microsoft.com is its own Web Application.  In turn, my.microsoft.com is where your MySites site collection is located.  The main benefit to this is that MySites are stored in a separate Web Application and can be managed independently.  The main drawback is that since we are using FBA as our authentication method, we will have to log into our MySite separately, the cookie will not be shared.

    Microsoft's best practice dictates that you use Method #2, so that is what I have done in my walkthrough.
  • As indicated above, for the purpose of this post, my SSP Administrative Site URL is http://ossdev:23456/ssp/admin.
  • As indicated above, for the purpose of this post, my MySite Location URL is http://ossdev:23457.
  • You will NOT access the URL in the previous bullet until instructed to do so.  This has the potential to create problems, so please resist the urge.
  • You will NOT click on the MySite link until instructed to do so.  This also has the potential to create problems, so please resist the urge.

Update the Shared Service Provider Administrative Site's web.config File

The web.config file of the Shared Service Provider needs to be updated with the same information you placed into the web.config of your FBA web application.

Determine File Path to web.config.

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the Shared Service Provider's website, in my case, SharePoint_SSP_Default1 - 23456.  Yours will most likely be different so be sure you select the right site.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the http://ossdev:23456/ssp/admin web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.

Add Connection String

  1. Add the following connection string snippet immediately above the <system.web> tag.  Be sure to replace the connection string name, data source and database name with the appropriate values from your environment.

    <connectionStrings>
      <add name="AspNetDbFBADemoConnectionString" connectionString="Data Source=OSSDEV;Initial Catalog=AspNetDb_FBADemo;Integrated Security=True" />
    </connectionStrings>

Add Providers

  1. Add the following membership provider and role manager elements immediately inside the <system.web> element.  Again, be sure to replace the connection string name and the provider names with the appropriate values from your environment.

    <!-- membership provider -->
    <membership defaultProvider="FBADemoMember">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="false"
          applicationName="/"
          requiresUniqueEmail="false"
          passwordFormat="Hashed"
          maxInvalidPasswordAttempts="5"
          minRequiredPasswordLength="1"
          minRequiredNonalphanumericCharacters="0"
          passwordAttemptWindow="10"
          passwordStrengthRegularExpression=""
          name="FBADemoMember"
          type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

    <!-- role provider -->
    <roleManager enabled="true" defaultProvider="FBADemoRole">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          applicationName="/"
          name="FBADemoRole"
          type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  2. Save and close the web.config file.
  3. Perform an IISReset and verify that you can still access the SSP.

Update the MySite Host Web Application's web.config File.

The web.config file of the MySite Host Web Application needs to be updated with the same information you placed into the web.config of your FBA web application.

Determine File Path to web.config.

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the MySite Host website, in my case, SharePoint_MySite_Default1 - 23457.  Yours will most likely be different so be sure you select the right site.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the http://ossdev:23457 web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.

Add Connection String

  1. Add the following connection string snippet immediately above the <system.web> tag.  Be sure to replace the connection string name, data source and database name with the appropriate values from your environment.

    <connectionStrings>
      <add name="AspNetDbFBADemoConnectionString" connectionString="Data Source=OSSDEV;Initial Catalog=AspNetDb_FBADemo;Integrated Security=True" />
    </connectionStrings>

Add Providers

  1. Add the following membership provider and role manager elements immediately inside the <system.web> element.  Again, be sure to replace the connection string name and the provider names with the appropriate values from your environment.

    <!-- membership provider -->
    <membership defaultProvider="FBADemoMember">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="false"
          applicationName="/"
          requiresUniqueEmail="false"
          passwordFormat="Hashed"
          maxInvalidPasswordAttempts="5"
          minRequiredPasswordLength="1"
          minRequiredNonalphanumericCharacters="0"
          passwordAttemptWindow="10"
          passwordStrengthRegularExpression=""
          name="FBADemoMember"
          type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

    <!-- role provider -->
    <roleManager enabled="true" defaultProvider="FBADemoRole">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          applicationName="/"
          name="FBADemoRole"
          type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  2. Save and close the web.config file.
  3. Perform an IISReset and close all your browser windows, but DO NOT try to access this URL yet.
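The same provider settings have to be repeated, byte for byte, in the FBA web application, the SSP admin site and the MySite host, and the demo password policy above (minRequiredPasswordLength="1", no non-alphanumeric characters) is far weaker than a production deployment should accept. The following is an added Python check, not part of the walk-through, that parses each web.config, flags weak membership settings and reports provider names that differ between the files. The thresholds are assumptions of this example, and the constructed MySite host config deliberately carries a mis-spelled defaultProvider to show the mismatch report.

```python
import xml.etree.ElementTree as ET

# Password-policy thresholds for this audit: an assumption of this example
# (adjust to your own standard), not values taken from the walk-through.
MIN_PASSWORD_LENGTH = 8
MIN_NONALPHANUMERIC = 1

def parse_config(xml_text):
    """Pull the connection strings and the membership/roleManager sections out of a web.config."""
    root = ET.fromstring(xml_text)
    membership = root.find("./system.web/membership")
    roles = root.find("./system.web/roleManager")

    def providers(section):
        if section is None:
            return {}
        return {a.get("name"): dict(a.attrib) for a in section.findall("./providers/add")}

    return {
        "connection_strings": {a.get("name") for a in root.findall("./connectionStrings/add")},
        "membership_default": None if membership is None else membership.get("defaultProvider"),
        "membership_providers": providers(membership),
        "role_enabled": None if roles is None else roles.get("enabled", "false").lower(),
        "role_default": None if roles is None else roles.get("defaultProvider"),
        "role_providers": providers(roles),
    }

def find_issues(cfg, label):
    """Findings for one parsed web.config. Absent attributes fall back to the
    SqlMembershipProvider defaults (Hashed, length 7, one non-alphanumeric character)."""
    issues = []
    if cfg["membership_default"] not in cfg["membership_providers"]:
        issues.append(f"{label}: membership defaultProvider {cfg['membership_default']!r} is not defined")
    if cfg["role_enabled"] != "true":
        issues.append(f"{label}: roleManager is not enabled")
    if cfg["role_default"] not in cfg["role_providers"]:
        issues.append(f"{label}: roleManager defaultProvider {cfg['role_default']!r} is not defined")
    for name, attrs in list(cfg["membership_providers"].items()) + list(cfg["role_providers"].items()):
        cs = attrs.get("connectionStringName")
        if cs not in cfg["connection_strings"]:
            issues.append(f"{label}: provider {name} references undefined connection string {cs!r}")
    for name, attrs in cfg["membership_providers"].items():
        if attrs.get("passwordFormat", "Hashed") != "Hashed":
            issues.append(f"{label}: {name} passwordFormat is {attrs['passwordFormat']}, not Hashed")
        if attrs.get("enablePasswordRetrieval", "false").lower() == "true":
            issues.append(f"{label}: {name} allows password retrieval")
        if int(attrs.get("minRequiredPasswordLength", "7")) < MIN_PASSWORD_LENGTH:
            issues.append(f"{label}: {name} minRequiredPasswordLength is below {MIN_PASSWORD_LENGTH}")
        if int(attrs.get("minRequiredNonalphanumericCharacters", "1")) < MIN_NONALPHANUMERIC:
            issues.append(f"{label}: {name} minRequiredNonalphanumericCharacters is below {MIN_NONALPHANUMERIC}")
    return issues

def audit(configs):
    """configs maps a label to web.config text. Returns per-file findings plus any
    provider-name mismatch between files (the walk-through wants identical providers)."""
    parsed = {label: parse_config(text) for label, text in configs.items()}
    issues = [i for label, cfg in parsed.items() for i in find_issues(cfg, label)]
    labels = list(parsed)
    for key in ("membership_default", "role_default"):
        for label in labels[1:]:
            if parsed[label][key] != parsed[labels[0]][key]:
                issues.append(f"{label}: {key} {parsed[label][key]!r} differs from {labels[0]}")
    return issues

# Sample input: the SSP admin web.config fragments from the walk-through above, wrapped in a
# <configuration> root; the demo password policy (length 1, no symbols) is kept as posted.
SSP_CONFIG = """<configuration>
  <connectionStrings>
    <add name="AspNetDbFBADemoConnectionString"
         connectionString="Data Source=OSSDEV;Initial Catalog=AspNetDb_FBADemo;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="FBADemoMember">
      <providers>
        <add name="FBADemoMember" connectionStringName="AspNetDbFBADemoConnectionString"
             enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false"
             applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""
             type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="FBADemoRole">
      <providers>
        <add name="FBADemoRole" connectionStringName="AspNetDbFBADemoConnectionString" applicationName="/"
             type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""

# Constructed MySite host config: hardened password policy but a typo in defaultProvider,
# the kind of mismatch that breaks the "same information in every web.config" rule.
MYSITE_CONFIG = (SSP_CONFIG
                 .replace('defaultProvider="FBADemoMember"', 'defaultProvider="FBADemoMembers"')
                 .replace('minRequiredPasswordLength="1"', 'minRequiredPasswordLength="10"')
                 .replace('minRequiredNonalphanumericCharacters="0"', 'minRequiredNonalphanumericCharacters="1"'))
```

Run `audit({"ssp_admin": SSP_CONFIG, "mysite_host": MYSITE_CONFIG})` against the files noted in the IIS Home Directory steps; an empty list means the three configs agree and meet the policy.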

Assign FBA Admin User Personalization services permissions.

Remember in part 1, we created a handful of FBA users.  One of those users (spadmin) was created to be used as an administrator for our FBA site.  We are going to re-use that user here to manage the SSP once we "flip" it to Forms Authentication.  Yes, that's right, we are going to switch the authentication method of our SSP Administration site to Forms!  How else did you think it would work with FBA users?  Ideally, you should probably go and create another user for this, maybe sspadmin or something similar.

  1. Browse to your SSP Administration Site.
  2. Click on Personalization services permissions in the User Profile and My Sites section.
  3. Click on the Add Users/Groups link.
  4. Type spadmin into the Users/Groups textbox and click the Check Names button, watch SharePoint resolve the user, then check all of the permissions and click Save.  This will ensure that when we make the switch to Forms Authentication on the SSP site, our FBA admin user will actually be able to perform the operations listed here.
  5. Perform an IISReset and close all your browser windows.


Switch Authentication Providers for SSP and MySites

  1. Click on the Authentication providers link in the Application security section on the Application Management tab in Central Administration.
  2. Verify that the SSP Web Application is selected in the Web Application dropdown in the top right hand corner of the page.
  3. Click on Default.
  4. Select Forms as the Authentication Type, and enter the appropriate values for the Membership provider name and the Role manager name as they exist in this web application's web.config, then click OK.
  5. Perform steps 1 to 4 again for the MySite Web Application.

Update Site Collection Administrator for SSP and MySites

We now need to update the Site Collection Administrators of the SSP and MySite host so we can go make some more changes.

  1. Click on the Site collection administrators link in the SharePoint Site Management section of the Application Management tab in Central Administration.
  2. Switch the Site Collection dropdown to the SSP admin Site Collection.  Remember, you may have to switch the Web Application to get the correct list of Site Collections (this is done in the popup; I know of some people who are not too fond of this user interface, myself included).  Notice that since we switched the Authentication Type of our SSP to Forms, we will see a squiggly under the Windows account that was previously the Site Collection Administrator.
  3. Delete the squigglied name (is that a word?) and replace it with spadmin, the FBA admin user we discussed earlier.  Click the Check Names button and watch SharePoint resolve the FBA admin user, then click OK.
  4. Repeat steps 1 to 3 for the MySite Host Site Collection.

Assign My Site Host Permissions to FBA Users

The following steps were the most unintuitive steps ever, in my opinion, and if anyone can tell me why it is required for FBA/MySite integration, but not for Windows/MySite integration I would love to know.  That said, here are the steps.

  1. Browse to your SSP Administration site.
  2. You will be prompted with the standard out of the box FBA login form.  Log in as spadmin.
  3. Click on the My Site settings link in the User Profiles and My Sites section on the SSP Home page.


  4. Click on the My Site Host Permissions link in the loft navigation.


  5. You will be prompted with the standard out of the box FBA login form.  Log in as spadmin.  You will be directed to the People and Groups page.


  6. Click on the Site Permissions link in the left navigation.


  7. Click on Add Users under the New menu item.


  8. Add the 3 roles we created in part 1, Administrator, Manager and Employee.  Ideally we would have created a role that holds all of the FBA users (maybe call it Everyone).  Had we done that in part 1 (we did not and I apologize), we would only have had one role to add here and so long as we always assigned new users to the Everyone role we would never have to come to this page again.  As it stands now, if we were to create another user and place them in a new role, they would not be able to create a MySite.  I think you get my drift here.  Give them Read permission directly and click OK.

    Actually, doing this doesn't give users permission to create a MySite, but rather permission to use the MySite Host site should they already have the permission to create a MySite.  The next section will grant users permission to create MySites.


  9. Close all your browser windows.

Grant Personalization Services Permissions

The next set of steps, as mentioned above is to grant our FBA users the appropriate permission to allow them to create MySites and use the personalization features of Office SharePoint Server 2007.

  1. Browse to your SSP Administration site.
  2. You will be prompted with the standard out of the box FBA login form.  Log in as spadmin.
  3. Click on the Personalization services permissions link in the User Profiles and My Sites section of the SSP Home page.


  4. Click on the Add Users/Groups link.


  5. Type Administrator;Manager;Employee into the Users/Groups textbox and click the Check Names button, watch SharePoint resolve the roles, check only the Create personal site and Use personal features permission, and click Save.  This grants these roles the permission to create a MySite and to use the personalization features.

     
  6. Your screen should resemble the following screen shot.


  7. Perform an IISReset and close all your browser windows.

Assign Roles to Default Reader Site Group

Ideally, we don't want users to have to assign other users Read permission just to view the public areas of their MySites.  When using Windows authentication, the default is to allow all authenticated users to read other users' MySites.  Such a group does not exist when using FBA.  Had we created some sort of Everyone role in part 1 of the series, as suggested earlier in this post, we could have leveraged that role here.  Since we did not, the same scenario as before will manifest itself should we decide to add a new role in the future, after making the following changes.  So lesson learned #1 would be to create an Everyone role in your role manager and place all of your users in it.

  1. Browse to your SSP Administration site.
  2. You will be prompted with the standard out of the box FBA login form.  Log in as spadmin.
  3. Click on the My Site Settings link in the User Profiles and My Sites section on the SSP Home page.


  4. Scroll down to the Default Reader Site Group section and type or append Administrator; Manager; Employee into the textbox.  You can leave NT AUTHORITY\authenticated users in the textbox or remove it, it does not matter at this point, then click OK.


  5. Close all your browser windows.

 

Test Your Solution!

Remember, I made a lot of assumptions at the beginning of this post.  One of those assumptions was that you had completed part 1 of this series.  Under the assumption that you have completed part 1, test your solution using these steps.

  1. Browse to http://fbaextranet.attis.org and first login as spadmin.  You should see a My Site link in the top right hand corner of the page.  DO NOT CLICK ON IT YET.
  2. Verify that the Employee role is in the pre-created Visitor SharePoint group and that the Manager role is in the pre-created Member SharePoint group (I have to assume you know how to do this!).
  3. As I mentioned earlier, since we set our My Site Host site collection up on a separate Web Application than our website, we will need to log in to our My Site independently of this site.  You may now click on the My Site link!
  4. Login as spadmin and watch the MAGIC!


  5. Check it out!

     
  6. Close your browser, open a new one and browse to http://fbaextranet.attis.org again.
  7. Login as Employee1.  You should see a My Site link in the top right hand corner of the page.  Remember, this user was created in part 1.  Click on the My Site link, logon as Employee1 and again, watch the MAGIC!

     

Caveats

Of course, this solution has a couple of caveats.  The biggest issue I have come across is Search.  At the present time, the crawler simply cannot deal with Forms Authentication.  This is not a problem for the main website as the crawler simply enters through another zone.  The following TechNet article explains how the crawler interacts with multiple zones and authentication modes in great detail.  I encourage you to read it.  With that said, MySite Search does not work OOB (I say OOB because I am sure someone will come up with a clever solution at some point) because all of the MySites lie behind Forms Authentication.

Now go forth and integrate your Forms Authentication Solutions with MySites and your SSP's.  It will be interesting to see if there is going to be a supported or documented solution put forth by Microsoft.  I guess we will just have to wait and see!

posted by Dan Attis | 456 Comments

Microsoft Office 2007 System Search Training, Day 1

As you may have read already, I am in DC for some way cool Enterprise Search training.  It's 3 days of intense search training centered around SharePoint's search capabilities as well as many of the integration points available to us with some of the office tools.

We started the day off looking at some of the differences between the various versions of SharePoint. Most of day 1 is intended to be light material with the real meat of the training taking place late today and tomorrow and Thursday.  Without going into too much detail, I would say the biggest takeaway for me here was that the ability to search the BDC (Business Data Catalog) does not exist in the Standard Search SKU.  This kind of makes sense though, considering the BDC itself is only made available with the Enterprise SKU of Office SharePoint Server.

We talked about many of the improvements made in this version with respect to the end user experience like Relevance and Line of Business (LOB) and People search.  We also discussed some of the administrative improvements that were made in areas like Indexing Scopes, Properties, Customization, Query Logging and Performance.  This all sounds very dry on paper, I know, but it really is very interesting.

We also discussed Security with respect to query time trimming, pluggable authentication (I am skeptical here), some of the new features and Reporting.

At this point we dove right into Search Architecture and Topology.  With respect to architecture we talked about the query engine, the indexing engine, protocol handlers, IFilters, ranking, keywords, best bets, schemas, scopes, crawl log, content sources, word breakers, stemmers and content indexes.  Lots and lots of talking points here; this section took an hour and a half.  The topology discussion was great.  Apparently there is one unsupported topology.  I was under the impression that any topology was supported.

We talked about how WSS search and MOSS search are the same, but different.  Supported topologies for both were discussed as well.  The concept of the Shared Service Provider was discussed at length and a conversation about having multiple ones ensued.  There is a debate around when to use multiple SSP's vs. when to use multiple farms.  Remember, there is only one physical index per SSP and that seems to be the crux of the confusion.

We then dove into exactly how the crawl process works as well as how the query process works.  It was very enlightening.

That's it for day 1, we were supposed to have a module on relevancy, but we ran over, so we will be starting there on day 2.

posted by Dan Attis | 3 Comments

Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

A while back a client asked me to set up Forms Based Authentication (FBA) for them.  I said sure (of course) and started to research the steps required to accomplish this.  In my oodles and oodles of research I found many useful but somewhat partial posts.  What I mean by this is that not one of the posts I encountered in my research had ALL of the steps required to get this to work; I was left to aggregate steps from different areas.  Most posts assumed you were running as an administrator, maybe even that your SharePoint application pools were running as system accounts with unlimited privileges (on both the operating system and in the database), no "real world" scenarios if you will.  Also, none of the posts made mention of Office SharePoint Server; they all centered around Windows SharePoint Services (more on that later).  My aim here is to provide a series of posts that include the following:

  1. Each and every step required to setup FBA using the built in Asp.Net Membership and Role providers (Part 1).  I will demonstrate one way to accomplish this.  There are others and they will be mentioned, but not looked at in any detail.
  2. How to enable MySites and the Personalization features included with Office Server and have them actually work with a site using (FBA).
  3. A natural extension of 1 and 2 that will demonstrate how to hook into the ADAM membership provider, and get it functioning with MySites and the Personalization features as well.

Initially, after setting FBA up successfully (Part 1), my client then asked me to enable MySites.  That's when all hell broke loose.  Not only did this not work right away, but after 3 unsuccessful calls to Microsoft support (they could not get it to work and kept parading me in circles, and still are for that matter, maybe they will read this and call me back), and quotes from Microsoft employees saying "it's not supposed to work" or "it does not work", I am pleased to say that it does in fact work and I will show you how (Part 2).

Before we begin I have to say that since I have been told that "it's not supposed to work" or "it does not work", and since I have not found any reliable documentation indicating how to do this, I must add a disclaimer that if it does not work for you, something is different between our environments, or to please call Microsoft <shrug>.  I will do my best to be as detailed as possible about my environment and all of the steps involved.  If anything is unclear, please leave a comment and I will do my best to make it a little clearer.  One last thing I would like to mention is that I have successfully implemented MySite functionality as well as the other Personalization features of Office SharePoint Server 2007 with Forms Authentication using both the built in Asp.Net Membership and Role providers as well as with an ADAM Membership provider.  I have recently received an ADAM Role provider from Adam Buenz and plan on testing that soon but fully expect it to integrate seamlessly (with his help if needed, I hope).

So here we go, this is going to be a long one so bear with me.  In the end of the series you will have MySite and the Personalization features working seamlessly with Forms Authentication in your Office SharePoint Server 2007 environment!  Good Luck!

One assumption I have made in this process is that you have already created a Shared Services Provider and started the Office SharePoint Server Search service.  Also, I am logged on to the development machine as a domain administrator.  The term browser in this series means Internet Explorer 7.  All of the below steps are to be performed on the Guest machine.

Environment

My environment is as follows.  Keep in mind that any variation from this could produce different results.  Again, if I forget to mention something obvious, please let me know and I will update the list.

Host Machine

  1. Intel(R) Pentium(R) M processor 1.86GHz 1.86GHz
  2. 2.00 GB of RAM
  3. Microsoft Windows XP Professional, Version 2002, Service Pack 2
  4. VMWare Workstation, Version 5.5.3 build-34685

 

Guest Machine

  1. Intel(R) Pentium(R) M processor 1.86GHz 1.86GHz
  2. 1.00 GB of RAM
  3. Microsoft Windows Server 2003, Standard Edition, Service Pack 1
  4. Active Directory (Domain Controller)
  5. Microsoft SQL Server 2005, Service Pack 1
  6. Microsoft Visual Studio 2005
  7. Microsoft Office Server 2007, Version 12.0.0.4518

 

FBA User & Role Store

Database Creation

We need a place to put our users.  The Asp.Net 2.0 Membership and Role providers include a database.  The steps to install the database are as follows:

  1. Open up a command prompt by clicking Start...Run, then typing cmd and pressing Enter.
  2. Switch to the Asp.Net 2.0 Framework directory by typing
      cd c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
    and pressing Enter.
  3. Type aspnet_regsql to launch the ASP.NET SQL Server Setup Wizard.


  4. Click Next.
  5. Choose Configure SQL Server for application services (the default choice) on the Select a Setup Option screen and click Next.

     
  6. Specify the SQL Server name (your machine name), database name to create (I used AspNetDb_FBADemo), and the credentials to use for this process (database creation).  I generally prefix my Membership and Role provider databases with AspNetDb_ such that they appear together in Microsoft SQL Server Management Studio and are easily identifiable should I need to access them, such as to update Security (Step 10).  Click Next.


  7. Confirm your settings on the Confirm Your Settings screen and click Next.


  8. The process takes a few seconds and then The database has been created or modified screen appears.  Click Finish to close the wizard.


  9. Open Microsoft SQL Server Management Studio and confirm that the database was successfully created.
  10. One step that I have not seen mentioned ANYWHERE is to make sure that the account that is running the application pool that will be used by the sites you create below has access to the database we just created.  This step is critical as SharePoint will NOT be able to find your users and roles if it does not have the permissions to look for them.  This step is what I like to refer to as the MAGIC step that no one tells you about, so I am ruining the surprise and telling you the secret.  You will thank me later.
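Step 10 says what must happen but not how.  The T-SQL below is an added example, not part of the original post: it gives the application pool identity access to the database we just created, using the purpose-built database roles that aspnet_regsql creates, rather than making the account db_owner.  OSSDEV\svc_spapppool is a placeholder for whatever account you see under Identity for the application pool in IIS Manager, and AspNetDb_FBADemo is the database name from step 6.  I am also assuming that the BasicAccess roles (ValidateUser, GetRolesForUser) together with the ReportingAccess roles (FindUsersByName, which is what the people picker calls) cover everything SharePoint needs; if the people picker cannot resolve your users, the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess roles are the superset.

```sql
-- Added example (not from the original post): give the SharePoint application
-- pool identity least-privilege access to the membership/role database.
-- Placeholders: OSSDEV\svc_spapppool (the app pool account), AspNetDb_FBADemo
-- (the database created by aspnet_regsql).  Run as sysadmin in Management Studio.
USE master;
GO
-- Server login for the pool identity, created only if it is not already there.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'OSSDEV\svc_spapppool')
    CREATE LOGIN [OSSDEV\svc_spapppool] FROM WINDOWS;
GO
USE AspNetDb_FBADemo;
GO
-- Database user mapped to that login.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'OSSDEV\svc_spapppool')
    CREATE USER [OSSDEV\svc_spapppool] FOR LOGIN [OSSDEV\svc_spapppool];
GO
-- aspnet_regsql ships Basic / Reporting / Full roles for each feature.
-- Basic covers validating a user and reading its roles; Reporting covers the
-- user/role searches the people picker performs.  Neither allows creating,
-- deleting or re-assigning users and roles (that is FullAccess).
-- (Assumption: Basic + Reporting is sufficient for SharePoint's calls.)
EXEC sp_addrolemember N'aspnet_Membership_BasicAccess',     N'OSSDEV\svc_spapppool';
EXEC sp_addrolemember N'aspnet_Membership_ReportingAccess', N'OSSDEV\svc_spapppool';
EXEC sp_addrolemember N'aspnet_Roles_BasicAccess',          N'OSSDEV\svc_spapppool';
EXEC sp_addrolemember N'aspnet_Roles_ReportingAccess',      N'OSSDEV\svc_spapppool';
GO
-- Verify: list the database roles the pool identity now holds.
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'OSSDEV\svc_spapppool'
ORDER BY r.name;
```

Run the last SELECT again after you have changed the authentication provider in Central Administration (later in this post): if the users still do not resolve, the first thing to confirm is that this list is not empty for the account the pool is actually running as.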

 

User and Role Creation

Microsoft has given us a great database schema to use as a membership and role provider data store but has not really supplied a "good" tool to manage its contents.  When you think about it, this actually makes sense.  The providers are intended to be used by other applications so maybe one of the assumptions made was that the tools to maintain the users and roles will be provided by the applications that consume them.

Thankfully, the Microsoft Visual Studio 2005 team had the foresight to create a somewhat rudimentary web application to help us manage the membership and role provider data store.  The caveat is that the tool must be launched from Microsoft Visual Studio 2005.  You can immediately see that this is not a very good option for those that will be managing the users and roles, i.e.: real users of your application.

I will now walk you thru a set of steps to create a few users and roles that we will be using later.

  1. Create a folder on your desktop called FBA Management Site.
  2. Open Microsoft Visual Studio 2005.
  3. Select File...Open...Web Site.
  4. In the Open Web Site dialog, choose the File System icon on the left side of the dialog, then browse to and select the FBA Management Site folder created in step 1.


  5. Click Open.
  6. In the Solution Explorer, right-click on the web site and select Add New Item.
  7. Select Web Configuration File and click Add.  There is no need to rename the file, web.config is fine.
  8. Replace the empty <connectionStrings/> element with the following snippet.  Be sure to replace both <server name> and <database name> with their appropriate values.

    <connectionStrings>
      <add
        name="AspNetDbFBADemoConnectionString"
        connectionString="Data Source=<server name>;Initial Catalog=<database name>;Integrated Security=True" />
    </connectionStrings>

    My connection string element looks like this:

    <connectionStrings>
      <add
        name="AspNetDbFBADemoConnectionString"
        connectionString="Data Source=OSSDEV;Initial Catalog=AspNetDb_FBADemo;Integrated Security=True" />
    </connectionStrings>

  9. Just below the <system.web> element, add the following membership and roleManager elements.  Be sure to update the connectionStringName attributes of each of the two providers to the name of the connection string you created in step 8.  Also be sure to give both providers meaningful names, in my case, I used FBADemoMember and FBADemoRole.  Remember these names, we will need them later.  Save and close the web.config file.

    <!-- membership provider -->
    <membership defaultProvider="FBADemoMember">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="false"
          applicationName="/"
          requiresUniqueEmail="false"
          passwordFormat="Hashed"
          maxInvalidPasswordAttempts="5"
          minRequiredPasswordLength="1"
          minRequiredNonalphanumericCharacters="0"
          passwordAttemptWindow="10"
          passwordStrengthRegularExpression=""
          name="FBADemoMember"
          type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

    <!-- role provider -->
    <roleManager enabled="true" defaultProvider="FBADemoRole">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          applicationName="/"
          name="FBADemoRole"
          type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

  10. Click ASP.NET Configuration under Website.  The ASP.NET Web Site Administration Tool opens in a browser.  If the tool does not appear, or cannot connect, verify the connection string and provider information entered above.


  11. Click on the Security tab.  You are presented with the following.  From here we will create our users and roles.


  12. Click on the Select authentication type link in the Users box on the left.
  13. Select the From the internet radio button then click the Done button in the bottom right hand corner of the window.
  14. Create an Administrator, Manager and Employee role.  This step and the next three are intuitive enough that I am not going to spell them out.
  15. Create a single Administrator user, spadmin.  Be sure to assign the user to the Administrator role as you create it.
  16. Create two Manager users, Manager1 and Manager2.  Be sure to assign these users to the Manager role as you create them.
  17. Create 4 Employee users, Employee1, Employee2, Employee3 and Employee4.  Be sure to assign these users to the Employee role as you create them.
  18. When you are done you should have seven users and three roles defined.  This can be verified by clicking on the Security tab.  Your user and role counts may differ depending on if you followed my instructions to the letter.  It is not critical.  What is important is that you create some roles and users and assign some users to the roles.  This is what my Security screen looks like.

     
  19. Close the ASP.NET Web Site Administration Tool.
  20. Close Microsoft Visual Studio 2005.
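Before wiring the providers into SharePoint, it is worth confirming from the database side that the users and roles landed where the providers will look for them.  The queries below are an added example, not from the original post; they assume the AspNetDb_FBADemo database and the seven users and three roles created above.  The first query matters most: both providers in web.config use applicationName="/", and if the Web Site Administration Tool stored the users under a different application name, SharePoint will resolve nobody, which looks exactly like the permission problem from step 10 of the database section.

```sql
-- Added example (not from the original post): sanity-check the membership
-- and role store from SQL.  Assumes database AspNetDb_FBADemo.  Read-only.
USE AspNetDb_FBADemo;
GO
-- 1. Application name(s).  Expect a single row, "/", matching applicationName="/"
--    in the membership and roleManager provider configuration.
SELECT ApplicationName, ApplicationId
FROM dbo.aspnet_Applications;
GO
-- 2. Users with the password format actually stored: 0 = clear, 1 = hashed,
--    2 = encrypted.  Every row should show 1 to match passwordFormat="Hashed".
SELECT a.ApplicationName, u.UserName, m.PasswordFormat, m.IsApproved, m.IsLockedOut, m.CreateDate
FROM dbo.aspnet_Users u
JOIN dbo.aspnet_Membership   m ON m.UserId = u.UserId
JOIN dbo.aspnet_Applications a ON a.ApplicationId = u.ApplicationId
ORDER BY a.ApplicationName, u.UserName;
GO
-- 3. Role membership as SharePoint will see it.  Expect spadmin in Administrator,
--    Manager1/Manager2 in Manager and Employee1-4 in Employee.
SELECT r.RoleName, u.UserName
FROM dbo.aspnet_UsersInRoles ur
JOIN dbo.aspnet_Roles r ON r.RoleId = ur.RoleId
JOIN dbo.aspnet_Users u ON u.UserId = ur.UserId
ORDER BY r.RoleName, u.UserName;
GO
-- 4. Users in no role at all.  They will authenticate, but any permission you
--    later grant to a role will not reach them.
SELECT u.UserName
FROM dbo.aspnet_Users u
WHERE NOT EXISTS (SELECT 1 FROM dbo.aspnet_UsersInRoles ur WHERE ur.UserId = u.UserId)
ORDER BY u.UserName;
```

Query 4 is the one to rerun whenever someone adds a user through the administration tool: it is the database view of the "new user in no role" situation described in Part 2.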

 

SharePoint Setup

We cannot implement FBA without a SharePoint site.  The first thing we need to do is decide upon some url's.  For the sake of this example, I will be demonstrating how to expose the same site (content database(s)) to users with NT accounts thru one url and to our FBA users thru another url.  This setup is typical in an extranet scenario where we may want to expose some content to our customers but they may not have Active Directory accounts and their user information is either stored elsewhere (and custom Membership and Role providers written, which is well beyond the scope of this post), or stored in a SQL Database created using the steps earlier in this post and populated either thru your own interface or using the above steps.  I am choosing to create an internal site to be accessed via http://FBAextranet and an external site for my customers to be accessed via http://FBAextranet.attis.org.

 

Update hosts file

To make these url's accessible on our development machine, we need to add some hosts file entries.  Here are the steps.

  1. Open up Windows Explorer.
  2. Type C:\WINDOWS\system32\drivers\etc into the address bar and click Enter.
  3. Double click on the hosts file.
  4. Select Notepad and click OK.
  5. Add the following two lines to the bottom of the file, right below the localhost entry.

    127.0.0.1       FBAextranet
    127.0.0.1       FBAextranet.attis.org

  6. Save and close the hosts file.
  7. Close Windows Explorer.
  8. Opening up a browser and browsing to either of the above two entries should bring up the Under Construction page as shown below.

     

Create FBAextranet.attis.org

Try to keep the primary purpose of your content in mind.  I say this because it may make your life a little easier when making decisions later, primarily in Part 2 of this series when we setup MySites and Personalization.  In our case, the primary purpose of my site is to serve my customers.  With that said, we should create our external site first, http://FBAextranet.attis.org.  Here are the steps.

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Create or extend Web application under SharePoint Web Application Management.
  4. Click Create a new Web application.
  5. Choose to Create a new IIS web site.
  6. Enter 80 in the Port textbox.
  7. Enter FBAextranet.attis.org in the Host Header textbox.
  8. Do not make any changes in the Security Configuration section or the Load Balanced URL section.
  9. Depending on your environment, either create a new application pool or use an existing one.  In my case, I have one that I reuse for all sites on my development machine.
  10. Choose to Restart IIS Automatically.
  11. Ensure that the value in the Database server textbox is accurate.
  12. Enter a meaningful name for the content database.  I generally suffix the default name with an underscore (_) and the name of the primary url for my content (FBAextranet.attis.org), in this case, WSS_Content_FBAextranet.attis.org.
  13. Click OK.
  14. From the Application Created screen, click on the Create Site Collection link.
  15. Enter FBA Extranet in the Title textbox.
  16. Choose the Blank Site template.
  17. I mentioned at the beginning of this post that I was logged on to the development machine as a domain administrator.  Assuming you are as well, make this user the Primary Site Collection Administrator, otherwise, choose an appropriate user.
  18. Click OK.
  19. From the Top-Level Site Successfully Created page, click OK.
  20. Open a browser and browse to http://FBAextranet.attis.org.
  21. You will be prompted for your NT credentials, remember, we have yet to change the site's authentication mode to forms.

 

Update FBAextranet.attis.org web.config

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the SharePoint - FBAextranet.attis.org80 website.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the http://FBAextranet.attis.org web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.
  8. Copy the connection string and the membership and roleManager elements as described earlier in this post to the appropriate locations in the web.config file.
  9. Save and close the web.config file.

 

Create FBAextranet

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Create or extend Web application under SharePoint Web Application Management.
  4. Click Extend an existing Web application.
  5. In the Web Application section choose to extend http://FBAextranet.attis.org.
  6. Choose to Create a new IIS web site.
  7. Enter 80 in the Port textbox.
  8. Enter FBAextranet in the Host Header textbox.
  9. Do not make any changes in the Security Configuration section.
  10. In Load Balanced URL section, be sure the Zone is set to Intranet.
  11. Click OK.
  12. Open a browser and browse to http://FBAextranet.
  13. You will not be prompted for your credentials because the above url automatically falls into the Local Intranet security zone of your browser (unless you have changed your browser's default settings) and your NT credentials are simply passed thru to the site by Windows (Integrated Windows authentication).  This is the behavior we want at this url.

 

Update Central Administration web.config

We need to make Central Administration aware of our new membership and role provider.  Here are the steps.

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the SharePoint Central Administration v3 website.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the Central Administration web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.
  8. Copy the connection string and the membership and roleManager elements as described earlier in this post to the appropriate locations in the web.config file of the Central Administration site.
  9. Update the roleManager element from

    <roleManager enabled="true" defaultProvider="FBADemoRole">

    to this

    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  10. Save and close the web.config file.

Enable FBA on FBAextranet.attis.org

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Authentication providers in the Application Security section.
  4. Be sure to select the http://fbaextranet.attis.org Web Application in the top right hand corner of the screen.
  5. You should see two zones listed, a Default zone and an Intranet zone.  Click on the Default zone.  Remember, earlier we decided that serving our customers was the primary (default) purpose of this site.
  6. Select Forms in the Authentication Type section.  After the page posts back, Membership Provider Name and Role Manager Name textboxes appear.
  7. Enter the appropriate values from the previous sections into both the Membership Provider Name (in my case FBADemoMember) textbox and the Role Manager Name (in my case FBADemoRole) textbox and click Save.
  8. Open a browser and browse to http://FBAextranet.attis.org.
  9. You will be presented with the stock FBA login form.

 

Add secondary Site Collection Administrator to FBAextranet.attis.org

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Site collection administrators in the SharePoint Site Management section.
  4. Make sure http://fbaextranet.attis.org is selected in the Site Collection dropdown at the top right corner of the screen.
  5. Type spadmin (the admin user we created earlier in this post) into the Secondary site collection administrator textbox, then click the person icon to resolve the user.  It will resolve to your FBA user.
  6. Click OK.

 

Browse http://FBAextranet.attis.org

  1. Open a browser and browse to http://FBAextranet.attis.org.
  2. On the FBA login screen, logon as spadmin.
  3. You can now secure your securables using the users and roles stored in SQL Server!  Congratulations.
  4. Notice that MySites are not available.  Be on the lookout for Part 2 to walk you thru the steps to do that!  It's a doozie and apparently shouldn't work :)


 

I hope this post is useful.  It's an aggregation of many sources, coupled with my own experience, all into one, with many of the lessons I have learned.  There are a couple of variations to this process, some involve policy.  I am of the thought that one should only use policy when it is absolutely necessary.  I finished writing this at 1 AM so there may be some errors, please let me know if you find any!

posted by Dan Attis | 48 Comments

Office Developer How-to-Center

Check this out!

Office Developer How-to-Center

"Watch it, Code it, Read it, Explore it – New Office Visual How To’s!"

"Welcome to the Office Developer How-to Center on MSDN. This section of the portal compiles task-based samples that will help you learn the new features of the 2007 Microsoft Office system programs, servers, services, tools, and technologies. Each sample is a short walkthrough that showcases one feature. By integrating several of these code samples together, you can start building Office Business Applications on the Microsoft Office 2007 platform."

This is TONS of great information on what you can do AND best of all HOW to do it with Office 2007.

Enjoy!

posted by Dan Attis | 0 Comments

SharePoint 2007 - Business Data Catalog

I may have a need to use the Business Data Catalog (BDC) to import some data into SharePoint but don't really have the time to learn the syntax for the Application Definition file.  Todd Baginski and Nick Swan have created a tool called BDC MetaMan that can be used to generate these files.

I am going to try it out for my needs and will be posting more about what I am using it for soon (provided what I am trying to do works...)

Check it out!

posted by Dan Attis | 1 Comments

Can you break 500 boards in 5 minutes?

Three weeks ago, I posted about the fact that it has been ten years since I quit smoking.  I explained that I had made a 250 dollar bet with an old friend as incentive.  This is that friend.  It's 10 minutes long but worth every second, and all proceeds went to charity.

posted by Dan Attis | 122 Comments

SharePoint 2007 - Add New User Bug

I am starting to wonder if my expectations are too high.  I have been working with this product since Beta 1.  Of course there were lots of bugs then.  Then Beta 2 came along, fewer bugs, but of course we have to remember, over the course of the betas, I didn't test everything.  Then they released Beta 2TR.  This build looked pretty darn good.  So good in fact that we started a project and were using the Beta 2TR as a development platform, with a release date of mid December (now), knowing (ummm, hoping) that we would be able to use the production build for deployment.  We knew it was Beta and we knew there would still be bugs.  So fine.  Well, now we have the "Gold" code and I am wondering, as stated earlier, if my expectations are too high.  If you have a virtual machine available, follow along in the steps below and tell me if you have a solution to my problem.  Essentially, we have automated the process of group management in SharePoint using MIIS and the SharePoint web services.  Something is terribly wrong with how the product is behaving, as this problem manifests itself if the procedure is done thru the user interface as demonstrated below.

This is happening in production; we found this out as we deployed and did some final testing, although the issue will not manifest itself right away, I am confident it will eventually and need a solution and/or fix.

The specs for my virtual environment are as follows:

  • Windows Server 2003 SP1 with IIS, Active Directory
  • SQL Server 2005 SP1
  • Windows SharePoint Services v3 - production is Office SharePoint Server 2007, this issue is WSS related, so WSS will suffice.

Follow these steps:

  1. Open up Active Directory Users and Computers and add a user.  This user does not need to be in any group or have any special permission, just create a plain old vanilla user.
  2. Browse to your WSS site, go to Site Actions...Site Settings...People and groups.
  3. Under New, select Add Users.
  4. Use the picker to find your user, although this is not necessary.  Make sure that you are adding him/her to the correct group and click OK.
  5. Click the Home tab to get back to the home page of your site.
  6. Click Sign in as Different User from the links available when you click on your login name at the top right hand section of the page.
  7. Sign in as the new user.  You will log on successfully.  So far so good!
  8. Return to Active Directory Users and Computers and delete the user you created in the previous set of steps.
  9. Return to SharePoint and try to login as the user you just deleted.  As expected, you are denied access.  Great!

Scenario #1 - Use Existing

  1. Browse to your WSS site, go to Site Actions...Site Settings...People and groups.  Notice that your user is still there.  That's expected, since we did not remove him from the Site Collection.
  2. Return to Active Directory Users and Computers and add the exact same user; same First name, same Last name, same User logon name, same Password.
  3. Open a new browser and attempt to login as the new user.
  4. You will get the following Access Denied screen:
  5. I expected this behavior because the user I originally added to SharePoint is not the user I just created again in Active Directory.  Although they have the same User logon name, they most certainly have different SIDs.

Scenario #2 - Replace

  1. Log on to WSS as an administrator, browse to your WSS site, go to Site Actions...Site Settings...People and groups.
  2. Under New, select Add Users.
  3. Use the picker to find your new (second) user, although this is not necessary.  Make sure that you are adding him/her to the correct group and click OK.  In theory, I would expect this process to "replace" the existing user in SharePoint with the new one.
  4. Open a new browser and attempt to login as the new user.
  5. As in step 4 of Scenario #1, you get the same Access Denied screen.  This is not expected, since I just "replaced" a user.

This is the point where we are going to branch and I am going to demonstrate an unusual phenomenon that I cannot explain.

Scenario #3 - Use New

  1. Log on to WSS as an administrator, browse to your WSS site, go to Site Actions...Site Settings...People and groups.
  2. Click All People in the Quick Launch navigation.
  3. Check the checkbox next to the user you first added to SharePoint back in step 4 of the initial steps.  Remember, this is the original user.
  4. Click Actions...Delete Users from Site Collection.  Click OK in the warning popup.  We do in fact want to completely remove this user from the Site Collection.  One would assume that this action does in fact completely remove the user.  Keep that in mind.
  5. Click on the group to which you originally added the user.  You will notice that the user is in fact gone.
  6. Under New, select Add Users.
  7. Use the picker to find your second user, although this is not necessary.  Make sure that you are adding him/her to the correct group and click OK.  Keep in mind that we have just deleted the user from the Site Collection in step 4, so I fully expect this step to add the new user correctly.
  8. Click the Home tab to get back to the home page of your site.
  9. Click Sign in as Different User from the links available when you click on your login name at the top right hand section of the page.
  10. As before, you get the same Access Denied screen.  This is not expected, since I just completely removed a user, then added a completely new one.
  11. Remove the user from the Site Collection by following the steps above.

I fully expected that to work as well.  So we can see that neither "replacing" a user with another user that has the same User logon name (imagine John Smith quitting and Jane Smith being hired the same day; a likely scenario, especially if your User logon name standard is first initial, last name), nor completely removing a user and adding a "new" user with the same User logon name, plays nice with SharePoint.  Now for the only "Solution" I could come up with.

Lame duck Solution

  1. At this point, SharePoint should not have either of the 2 users you created and added, and Active Directory should have only the 2nd user you created.  Restart your virtual environment web server (in my case everything is on one machine).
  2. Verify that the 2nd user you created is still in Active Directory and that the user is not a member of the Site Collection users.
  3. Log on to WSS as an administrator, browse to your WSS site, go to Site Actions...Site Settings...People and groups.
  4. Under New, select Add Users.
  5. Use the picker to find your new (second) user, although this is not necessary.  Make sure that you are adding him/her to the correct group and click OK.
  6. Open a new browser and attempt to login as the new user.  This will be successful.

Conclusion

All I can conclude is that something is being cached somewhere on the web server, or the user is not completely deleted from the Site Collection until some sort of timer job runs when the server gets rebooted.  I have tried IIS resets and they do not work.  Regardless, I think the "replace" that is happening in my first scenario should work as I expect it to, but it is not.
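Every scenario above comes down to the same thing: the SID SharePoint recorded for a site collection user no longer matches the SID of the account that currently owns that User logon name in Active Directory, and SharePoint authorizes by SID, not by name.  The PowerShell script below is an added example, not code from the original post, that reports such mismatches for the users still listed under All People (it cannot see rows that have already been removed from the Site Collection, so it covers Scenarios #1 and #2 rather than #3).  It assumes PowerShell 2.0 or later running on a WSS 3.0 / MOSS 2007 front-end under an account with rights to the site collection, that Microsoft.SharePoint.dll is in the GAC, that SPUser exposes the Sid string property as in the WSS 3.0 object model, and that the site URL is a placeholder.

```powershell
# Added example (not from the original post): compare the SID SharePoint stores
# for each site collection user with the SID the directory currently returns
# for that login name.  Assumes WSS 3.0 / MOSS 2007 object model and PowerShell 2.0+.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-CurrentSid([string]$login) {
    # Resolve DOMAIN\user to its present SID; $null means the account no longer exists.
    try {
        $account = New-Object System.Security.Principal.NTAccount($login)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null
    }
}

function Test-SiteUserSids([string]$siteUrl) {
    # Returns one object per user whose stored SID is stale or whose account is gone.
    $findings = @()
    $site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
    try {
        foreach ($user in $site.RootWeb.SiteUsers) {
            if ($user.IsDomainGroup) { continue }        # groups are resolved differently
            $storedSid  = $user.Sid                       # SID captured when the user was added
            $currentSid = Get-CurrentSid $user.LoginName  # SID the directory reports now

            if ($currentSid -eq $null) {
                $status = "AccountMissing"                 # deleted in AD, still in the site
            } elseif ($storedSid -ne $currentSid) {
                $status = "SidMismatch"                    # re-created in AD with the same name
            } else {
                continue                                   # healthy user, nothing to report
            }

            $findings += New-Object PSObject -Property @{
                LoginName  = $user.LoginName
                Status     = $status
                StoredSid  = $storedSid
                CurrentSid = $currentSid
            }
        }
    } finally {
        $site.Dispose()   # SPSite holds unmanaged resources; always release it
    }
    return $findings
}

# Placeholder URL; replace with your own site collection.
Test-SiteUserSids "http://intranet.example.local" | Format-Table LoginName, Status, StoredSid, CurrentSid -AutoSize
```

A user reported as SidMismatch is exactly the John Smith / Jane Smith case: the name still resolves, but to a different principal than the one SharePoint granted access to, which is why the new account is denied.  For a flagged user, the farm-level remedy in this product generation is `stsadm -o migrateuser -oldlogin DOMAIN\user -newlogin DOMAIN\user -ignoresidhistory`, which rewrites the stored SID to the account's current one across the farm; whether it also clears whatever state survives the removal in Scenario #3 is not something this post establishes.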

Please chime in with ANY ideas you may have.

posted by Dan Attis | 172 Comments