Alexander Anikin's blog

My personal blog

Archive for December 2010

How to create Certificate for Sharepoint 2010 Web Application with SSL



  1. First, create the certificate that the web application will use

    1. Go to a SharePoint web front end server and open IIS Manager

    2. Select the server node and open “Server Certificates”

    3. Click “Create Certificate Request…”

    4. Fill in the “Distinguished Name Properties”. The common name must be the host name that browsers will use for the site (the same value you will later enter as the web application host header); a certificate whose CN does not match the URL is rejected by the browser. Then click “Next”

    5. Select the “Cryptographic service provider” and the “Bit length” (use at least 2048 bits) and then click “Next”

    6. Specify a file name and save the certificate request

    7. Go to the Active Directory Certificate Services web enrollment page: enter http://<domain_controller>/certsrv in the browser (the certsrv site lives on the server that hosts the AD CS Web Enrollment role; this is often the CA rather than a domain controller)

    8. Click “Request a certificate”, then “advanced certificate request”, then “Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file”

    9. Copy the base-64-encoded request from the file created in step 6 (the request contains only the public key, so it is safe to paste it into a web form)

    10. Paste it into the “Saved Request” text area, select “Web Server” in the “Certificate Template” drop-down list and click “Submit”

    11. Select the “Base 64 encoded” radio button and click “Download certificate”

    12. Make sure the issuing CA’s root certificate is in the “Trusted Root Certification Authorities” store on the server and on the clients (domain-joined machines normally receive it through Group Policy). The issued server certificate itself does not belong in “Trusted Publishers”; it is installed into the machine’s Personal store by the next step

    13. Go back to “Server Certificates” in IIS Manager, click “Complete Certificate Request”, specify the path to the downloaded certificate and a friendly name (use the site host header), then click “OK”

Result: the certificate is created and listed under the IIS server certificates (its friendly name is the site host header). It must show “private key” in its details; a certificate completed on a different machine than the one that generated the request will have no private key and cannot be used for SSL.

Note: repeat all steps on every web front end server so each machine has a certificate, or export this certificate with its private key (PFX) from the first server and import it on the others so every front end presents the same certificate.

 

  2. Second, create the SharePoint web application

    1. Go to Central Administration, then click “Manage web applications”

    2. Click “New” to create a new web application

    3. Select the “Claims based authentication” option

    4. Specify port 443

    5. Specify the host header (it must be equal to the certificate’s common name)

    6. Select the “Use SSL” option

    7. Select Negotiate (Kerberos) or NTLM. Negotiate tries Kerberos first and falls back to NTLM; Kerberos only works if an HTTP/<host header> service principal name is registered on the application pool account, otherwise every client silently falls back to NTLM. If you cannot register SPNs, choose NTLM explicitly

    8. Use a managed account for the application pool (e.g. “SPAdmin”). This is important because the AD and other configuration below is done for this account

    9. Click “OK”

    10. Create a site collection

After the web application is created, bind the certificate to the new IIS site (IIS Manager, site “Bindings…”, edit the https binding and pick the certificate by its friendly name); SharePoint creates the https binding but does not assign the certificate.
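The same two procedures (request and install a Web Server certificate from the domain CA, then create the SSL, claims-based web application and bind the certificate) as a script for an elevated SharePoint 2010 Management Shell on one web front end. This is an added example, not code from the original post; the host header portal.contoso.com, the CA name dc01.contoso.local\Contoso-CA, the managed account CONTOSO\SPAdmin and the names Portal and Portal-AppPool are assumptions to replace for your farm.

```powershell
# Added example (not from the original post). Assumed names: portal.contoso.com,
# dc01.contoso.local\Contoso-CA, CONTOSO\SPAdmin, 'Portal', 'Portal-AppPool'.
$hostHeader = 'portal.contoso.com'
$caConfig   = 'dc01.contoso.local\Contoso-CA'   # <CA host>\<CA name>; see certutil -dump
$poolAcct   = 'CONTOSO\SPAdmin'                  # must already be a managed account

# 1. Certificate request with the same fields as the IIS wizard: CN equal to the
#    host header browsers will use, 2048-bit RSA, key in the machine store.
@"
[NewRequest]
Subject = "CN=$hostHeader"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$env:TEMP\$hostHeader.inf" -Encoding ASCII

certreq -new "$env:TEMP\$hostHeader.inf" "$env:TEMP\$hostHeader.req"
# Submit straight to the enterprise CA (replaces the /certsrv web page) and then
# join the issued certificate to the pending request's private key, which is
# what "Complete Certificate Request" does in IIS Manager.
certreq -submit -config $caConfig "$env:TEMP\$hostHeader.req" "$env:TEMP\$hostHeader.cer"
certreq -accept "$env:TEMP\$hostHeader.cer"

# Check: the certificate must be in LocalMachine\My *with* its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostHeader" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $hostHeader in LocalMachine\My" }

# Check: the issuing CA must be trusted, otherwise clients get a trust error.
$issuerTrusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer }
if (-not $issuerTrusted) { Write-Warning "Issuer '$($cert.Issuer)' is not in LocalMachine\Root" }

# 2. Web application on 443, SSL, claims authentication, Windows auth with
#    Negotiate (Kerberos). Add -DisableKerberos to the provider to get NTLM.
$auth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
New-SPWebApplication -Name 'Portal' -Url "https://$hostHeader" `
    -HostHeader $hostHeader -Port 443 -SecureSocketsLayer `
    -ApplicationPool 'Portal-AppPool' `
    -ApplicationPoolAccount (Get-SPManagedAccount $poolAcct) `
    -AuthenticationProvider $auth
# Kerberos is only used if the SPN exists on the pool account (run once, as a
# domain admin):  setspn -S HTTP/portal.contoso.com CONTOSO\SPAdmin

# 3. Assign the certificate to the https binding SharePoint created. Without SNI
#    (not available on Windows Server 2008 R2) it is one certificate per IP:port.
Import-Module WebAdministration
New-Item "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null

# 4. Site collection
New-SPSite -Url "https://$hostHeader" -Name 'Portal' -OwnerAlias $poolAcct -Template 'STS#0'
```

On the other front ends either run steps 1 and 3 again or export this certificate with its private key (PFX) and import it, so every server presents the same certificate for the host header.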


Written by Alex Anikin

December 21, 2010 at 1:44 pm

Posted in Security, Sharepoint

Sharepoint Service Account’s Permissions for Office Web Apps

I did some investigation into SharePoint account permissions and rights.

What I have: Windows Server 2008 R2 (domain-joined, with service packs), SharePoint Foundation 2010 (very important: with update KB2394323), Office Web Applications (very important: with update KB2346411, which has a lot of changes for OWA and big changes in PowerPoint).

I have a simple account configuration:
domain\ow_site – web application pool
Domain groups, member of: Domain Users, plus read rights on other user accounts if needed.
Local server: Administrators (WSS_WPG and the others are added automatically when the managed account is created)
Local policies (only if needed for some reason, e.g. custom authentication with an HTTP module): Act as part of the operating system, Log on as a service

domain\ow_services – services pool (by default the SharePoint Services Default Pool: Word, PowerPoint, Excel, etc.; a separate account per service is certainly possible)
Domain groups, member of: Domain Users, plus read rights on other user accounts if needed.
Local server: Administrators (WSS_WPG and the others are added automatically when the managed account is created)
Local policies (only if needed for some reason, e.g. custom authentication with an HTTP module): Act as part of the operating system, Log on as a service

Comments:

1. The Excel Services account has to be in local Administrators when it works with the file access method Impersonation (more info: https://aanikin.wordpress.com/2010/11/13/excel-services-file-access-method-impersonation/)

2. After security update KB2346411 the PowerPoint service requires that the web application pool account be a member of the local Administrators group (I think it is something to do with local policies).

3. After security update KB2346411 the PowerPoint service account must have write access to the web application content DB:

Adding the ow_services account to the db_owner role for the web application content DB (the script below uses the login name DOMAIN\svc_ow_services; substitute your services pool account)
a. Get the database name in Central Administration -> Application Management -> Manage content databases, choose the created Office Web Apps web application in the upper right corner and copy DB_NAME for this application
b. Create a config.sql file:
use [DB_NAME]
go
create user [DOMAIN\svc_ow_services] from login [DOMAIN\svc_ow_services]
go
exec sp_addrolemember 'db_owner', 'DOMAIN\svc_ow_services'
go
c. Run sqlcmd as administrator from the folder that contains config.sql (localhost\SHAREPOINT is the instance name in this farm):
"C:\Program Files\Microsoft SQL Server\100\Tools\Binn\sqlcmd.exe" -S localhost\SHAREPOINT -i config.sql
d. Run iisreset /noforce
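An added audit script (not from the original post) that makes the privileges configured above visible on each server: for every SharePoint managed account it reports whether the account is in the local Administrators group and which roles it holds in each content database, so the extra local-admin and db_owner grants can be reviewed and removed again once they are no longer needed. It assumes the SharePoint 2010 Management Shell, sqlcmd on the path with Windows authentication, and the instance name localhost\SHAREPOINT from the post (pass -SqlInstance to override).

```powershell
# Added audit script, not part of the original post. Assumes SharePoint 2010
# Management Shell, sqlcmd on the path, SQL instance localhost\SHAREPOINT.
param([string]$SqlInstance = 'localhost\SHAREPOINT')

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 'net localgroup' prints header and footer lines; keep only DOMAIN\name members.
$localAdmins = net localgroup Administrators | Where-Object { $_ -match '^\S+\\\S+$' }

# SharePoint itself grants application pool accounts only this database role;
# anything beyond it (e.g. db_owner, added above for PowerPoint) is an extra
# privilege worth tracking.
$expectedRole = 'WSS_Content_Application_Pools'

function Get-DbRoles([string]$Instance, [string]$Database, [string]$Login) {
    $safeLogin = $Login.Replace("'", "''")
    $q = "SET NOCOUNT ON; SELECT r.name FROM sys.database_role_members rm " +
         "JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id " +
         "JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id " +
         "WHERE m.name = N'$safeLogin';"
    # -E Windows auth, -h -1 no header row, -W trim: one role name per line
    sqlcmd -S $Instance -d $Database -E -h -1 -W -Q $q | Where-Object { $_ -ne '' }
}

$accounts = Get-SPManagedAccount | ForEach-Object { $_.UserName }

$rows = foreach ($db in Get-SPContentDatabase) {
    foreach ($acct in $accounts) {
        $roles = @(Get-DbRoles $SqlInstance $db.Name $acct)
        New-Object PSObject -Property @{
            Account    = $acct
            Database   = $db.Name
            LocalAdmin = ($localAdmins -contains $acct)   # -contains is case-insensitive
            DbRoles    = ($roles -join ',')
            Excess     = (@($roles | Where-Object { $_ -ne $expectedRole }) -join ',')
        }
    }
}

$rows | Sort-Object Account, Database |
    Format-Table Account, Database, LocalAdmin, DbRoles, Excess -AutoSize
```

Run it on every server in the farm; the LocalAdmin column is per machine while the database roles are the same from everywhere. A non-empty Excess column or LocalAdmin = True is exactly the configuration this post describes, and is what to revisit after the next OWA update.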

Written by Alex Anikin

December 21, 2010 at 1:41 pm

Claims To Windows Token Service(C2WTS) Problems During Restarts

Set up a service start dependency for the Claims to Windows Token Service (c2wts). This service is part of SharePoint 2010 but has problems during restarts. To make it start properly after a server restart, run the following from an elevated command prompt (the space after depend= is required by sc):

sc config c2wts depend= cryptsvc
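An added example (not from the original post) that applies the dependency above and then reads the service configuration back from the registry, so the change can be verified on every server in the farm rather than discovered at the next reboot. Run it elevated; it assumes nothing beyond the service name c2wts and the cryptsvc dependency given above.

```powershell
# Added example, not from the original post. Applies and verifies the c2wts
# start dependency on the local server.
$svc = 'c2wts'

# Note: sc replaces the whole dependency list; 'depend= cryptsvc' (with the space
# after '=') leaves cryptsvc as the only dependency, which is what is wanted here.
sc.exe config $svc depend= cryptsvc | Out-Null

function Get-ServiceStartConfig([string]$Name) {
    # The SCM stores what 'sc config' wrote under the service's registry key.
    $key = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    New-Object PSObject -Property @{
        Service   = $Name
        StartType = $(switch ($key.Start) { 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { $key.Start } })
        DependsOn = (@($key.DependOnService) -join ',')   # REG_MULTI_SZ -> array
        RunsAs    = $key.ObjectName
    }
}

$cfg = Get-ServiceStartConfig $svc
if ($cfg.DependsOn -notmatch 'cryptsvc') {
    throw "Dependency on cryptsvc was not applied to $svc on $env:COMPUTERNAME"
}
$cfg | Format-List Service, StartType, DependsOn, RunsAs
```

If StartType shows Manual, the C2WTS service instance has not been started from Central Administration on this server yet; the dependency only matters once the service is set to start automatically.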

Written by Alex Anikin

December 16, 2010 at 10:07 pm

Posted in Security, Sharepoint

How to Clear Office Web Applications Cache

For testing purposes (e.g. performance tests) we sometimes need to clear the Office Web Applications cache.

PowerShell: Remove-SPOfficeWebAppsCache -WebApplication <web_app_name>

Warning: Performing operation “Remove-SPOfficeWebAppsCache” on Target “Removing the Office Web Apps cache could result in degraded performance of Word Web App and PowerPoint Web App.”.

More info about OWA Cache: http://blogs.technet.com/b/wbaer/archive/2010/09/01/the-office-web-applications-cache.aspx

Written by Alex Anikin

December 13, 2010 at 12:34 pm

Perfect article – (Almost) Everything In Active Directory via C#


Great thanks to author for this article:

http://www.codeproject.com/KB/system/everythingInAD.aspx

Written by Alex Anikin

December 6, 2010 at 9:23 am

Posted in Active Directory

Using peoplepicker-searchadcustomfilter to Limit the People Picker

I need to limit the SharePoint 2010 People Picker to only pull users from a single OU in Active Directory. This OU contains all users and groups for one company.

This is a requirement of our multi-tenancy platform: there are many different companies working in one big SharePoint farm.

My working filter is like this:
stsadm -o setproperty -url http://site -pn peoplepicker-searchadcustomfilter -pv "(|(&(objectClass=user)(cn=*.company))(&(objectClass=group)(|(cn=*.company)(cn=*.company.Department))))"

Big thanks to Matthew McDermott, MVP, and his post, but that approach is not useful for me.

Notes: when I was testing it, I got some users and groups that should have been filtered out. I think they were cached before.

PS: A useful utility for building filters like this is LDIFDE. Usage:
ldifde -f usersindomain.txt -r "(&(objectCategory=Person)(objectClass=User))"
Good article about it: http://mindsharpblogs.com/wayne/archive/2005/06/15/497.html
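An added example (not from the original post) for trying a People Picker custom filter against Active Directory before it is applied with stsadm: a malformed filter (an unbalanced or operator-less parenthesis group, for instance) fails here with a clear error instead of silently returning nothing in the picker, and the result list shows exactly which users and groups the cn patterns match. It uses the same `*.company` naming and the http://site URL as above; both are placeholders. The searcher runs as the current user, so run it as an account with the same directory read rights as the web application pool account.

```powershell
# Added example, not from the original post. Placeholders: '*.company',
# '*.company.Department', http://site.
function Test-LdapFilterSyntax([string]$Filter) {
    # Cheap balance check; DirectorySearcher rejects anything deeper
    # (e.g. "((cn=a)(cn=b))" without an operator) when the query runs.
    $depth = 0
    foreach ($ch in $Filter.ToCharArray()) {
        if ($ch -eq '(') { $depth++ }
        elseif ($ch -eq ')') { $depth--; if ($depth -lt 0) { return $false } }
    }
    return ($depth -eq 0)
}

function Find-PeoplePickerMatches([string]$Filter, [int]$Max = 50) {
    if (-not (Test-LdapFilterSyntax $Filter)) { throw "Unbalanced LDAP filter: $Filter" }
    $searcher = [adsisearcher]$Filter        # DirectorySearcher rooted at the current domain
    $searcher.PageSize = 200                 # paged results, otherwise AD stops at 1000
    'cn', 'objectClass', 'distinguishedName' | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    $searcher.FindAll() | Select-Object -First $Max | ForEach-Object {
        $classes = @($_.Properties['objectclass'])
        New-Object PSObject -Property @{
            Type = if ($classes -contains 'group') { 'group' } else { 'user' }
            cn   = $_.Properties['cn'][0]
            dn   = $_.Properties['distinguishedname'][0]
        }
    }
}

# Users named *.company, groups named *.company or *.company.Department
$filter = '(|(&(objectClass=user)(cn=*.company))(&(objectClass=group)(|(cn=*.company)(cn=*.company.Department))))'

Find-PeoplePickerMatches -Filter $filter | Format-Table Type, cn, dn -AutoSize

# Once the list is right, apply it to the web application (value quoted once):
# stsadm -o setproperty -url http://site -pn peoplepicker-searchadcustomfilter -pv "$filter"
```

The dn column is the quick check for the OU requirement: every row should sit under the one company OU, because the filter itself only matches on cn and cannot reference the container.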

Written by Alex Anikin

December 3, 2010 at 3:19 pm