Alexander Anikin's blog

My personal blog

Archive for the ‘Active Directory’ Category

Perfect article – (Almost) Everything In Active Directory via C#


Great thanks to the author of this article:

http://www.codeproject.com/KB/system/everythingInAD.aspx


Written by Alex Anikin

December 6, 2010 at 9:23 am

Posted in Active Directory

Using peoplepicker-searchadcustomfilter to Limit the People Picker


I need to limit the SharePoint 2010 People Picker to only pull users from a single OU in Active Directory. This OU contains all users and groups for one single company.

This is a requirement of our multi-tenancy platform: many different companies work in one big SharePoint farm.

My working filter is like this:
stsadm -o setproperty -url http://site -pn peoplepicker-searchadcustomfilter -pv "(|(&(objectClass=user)(cn=*.company))(&(objectClass=group)(|(cn=*.company)(cn=*.company.Department))))"

Big thanks to Matthew McDermott, MVP, and his post, but this way is not useful for me.

Note: when I was testing it, I got some users and groups that shouldn't have come through the filter. I think they were cached before.

PS: A useful utility for creating filters like this is LDIFDE. Usage:
ldifde -f usersindomain.txt -r "(&(objectCategory=Person)(objectClass=User))"
A good article about it: http://mindsharpblogs.com/wayne/archive/2005/06/15/497.html
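As an added example (not code from the original post, from SharePoint or from stsadm), the following Python parses an LDAP search filter according to RFC 4515 and evaluates it against a few constructed directory entries. It rejects the filter in the form it was first pasted, where the inner group ((cn=...)(cn=...)) carries no operator, accepts the corrected form, and also shows that (objectClass=user) on its own admits computer accounts, which derive from the user class in AD; the ldifde filter above adds (objectCategory=Person) for exactly that reason. Entry names and attribute values are constructed sample data, and only the equality and substring assertions the filters here use are supported.

```python
"""Minimal RFC 4515 LDAP search-filter parser and matcher (added example)."""
import fnmatch
import re

# attribute=value assertion; the value may contain '*' wildcards (substring filter)
_ASSERTION = re.compile(r'([A-Za-z][A-Za-z0-9\-]*)=([^()]*)')


def parse_filter(text):
    """Parse a filter string into a tree: ('&', [..]), ('|', [..]), ('!', x) or ('=', attr, pattern).

    Raises ValueError on malformed input, including an unlabelled group such as
    "((cn=a)(cn=b))", which RFC 4515 does not allow: every group needs &, | or !.
    """
    tree, pos = _parse_node(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter at offset %d" % pos)
    return tree


def _parse_node(text, pos):
    if pos >= len(text) or text[pos] != '(':
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos >= len(text):
        raise ValueError("unexpected end of filter")
    op = text[pos]
    if op in '&|':
        pos += 1
        children = []
        while pos < len(text) and text[pos] == '(':
            child, pos = _parse_node(text, pos)
            children.append(child)
        if not children:
            raise ValueError("empty '%s' list at offset %d" % (op, pos))
        node = (op, children)
    elif op == '!':
        child, pos = _parse_node(text, pos + 1)
        node = ('!', child)
    elif op == '(':
        # A '(' where an operator or attribute name must be: the "((cn=..)(cn=..))" mistake.
        raise ValueError("unlabelled group at offset %d; wrap it in (|...) or (&...)" % pos)
    else:
        m = _ASSERTION.match(text, pos)
        if not m:
            raise ValueError("bad attribute assertion at offset %d" % pos)
        node = ('=', m.group(1).lower(), m.group(2))
        pos = m.end()
    if pos >= len(text) or text[pos] != ')':
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attribute -> list of values)."""
    op = tree[0]
    if op == '&':
        return all(matches(c, entry) for c in tree[1])
    if op == '|':
        return any(matches(c, entry) for c in tree[1])
    if op == '!':
        return not matches(tree[1], entry)
    _, attr, pattern = tree
    # cn and objectClass are case-insensitive in AD; only '*' is meaningful in LDAP patterns
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in entry.get(attr, []))


# Filter as it was first pasted: the inner group has no operator, so it is not valid LDAP.
ORIGINAL_FILTER = ("(|(&(objectClass=user)(cn=*.company))"
                   "(&(objectClass=group)(|((cn=*.company)(cn=*.company.Department)))))")
# Same intent, valid syntax: users named *.company; groups named *.company or *.company.Department.
FIXED_FILTER = ("(|(&(objectClass=user)(cn=*.company))"
                "(&(objectClass=group)(|(cn=*.company)(cn=*.company.Department))))")
# Adds objectCategory=person so computer accounts (objectClass user + computer) are not admitted.
STRICT_FILTER = ("(|(&(objectCategory=person)(objectClass=user)(cn=*.company))"
                 "(&(objectClass=group)(|(cn=*.company)(cn=*.company.Department))))")

# Constructed sample entries (not real accounts). Real AD stores objectCategory as a DN but
# accepts the short class name in filters, so the short name is used here.
SAMPLE_ENTRIES = {
    "alice.company": {"objectclass": ["top", "person", "organizationalPerson", "user"],
                      "objectcategory": ["person"], "cn": ["alice.company"]},
    "bob.othercorp": {"objectclass": ["top", "person", "organizationalPerson", "user"],
                      "objectcategory": ["person"], "cn": ["bob.othercorp"]},
    "Finance.company.Department": {"objectclass": ["top", "group"], "objectcategory": ["group"],
                                   "cn": ["Finance.company.Department"]},
    "All.company": {"objectclass": ["top", "group"], "objectcategory": ["group"], "cn": ["All.company"]},
    "Staff.othercorp.Department": {"objectclass": ["top", "group"], "objectcategory": ["group"],
                                   "cn": ["Staff.othercorp.Department"]},
    "ws01.company": {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
                     "objectcategory": ["computer"], "cn": ["ws01.company"]},
}


def is_valid(filter_text):
    """True if the filter parses under RFC 4515 syntax."""
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False


def select(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sorted names of the entries the filter admits."""
    tree = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(tree, entry))


if __name__ == "__main__":
    for label, f in (("original", ORIGINAL_FILTER), ("fixed", FIXED_FILTER), ("strict", STRICT_FILTER)):
        print(label, "valid" if is_valid(f) else "INVALID", select(f) if is_valid(f) else "")
```

Running it shows the fixed filter admitting the workstation account ws01.company alongside the users and groups, and the strict variant excluding it; checking a custom filter this way before pushing it with stsadm is cheaper than waiting for cached People Picker results to expire.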

Written by Alex Anikin

December 3, 2010 at 3:19 pm

Excel Services – File Access Method: Impersonation


When attempting to open an Excel workbook stored on a file server (not joined to the farm) and render it in Excel Services with the file access method set to Impersonation, the message below is thrown because the user's credentials are not being passed to the file server.

"Excel: You do not have permissions to open this file in the browser"

Cause:
Kerberos was not properly set up to pass credentials from the farm to the file server.

Resolution:

If you want to use impersonation (Central Administration > Manage Service Applications > Excel Services Application > Global Settings > Security: File Access Method > Impersonation, instead of Process Account) and still be able to open Excel files stored on a file server in Excel Services, you must do the following:

1. Make sure the Claims to Windows Token Service is running on every server running Excel Calculation Services. In this example it is only running on one server (Server001).
2. Locate the service account running the Excel Services Application: Central Administration > Security > Configure Service Accounts > Credential Management (example of an account running the Excel Services Application: Microsoft\ExcelSvcAccnt).
3. Set a dummy SPN for this service account via ADSIEdit.msc > ExcelSvcAccnt (example) > Properties > Service Principal Name > HTTP/C2WTS > Add > OK.
4. Trust the file server (the server where the files are stored; example "Server002") for Kerberos via: Active Directory > Computers > Server002 (example) > Properties > Delegation > Trust this computer for delegation to any service (Kerberos only).
5. Constrain the service account running the Excel Services Application to the file server (Server002) via: Active Directory > Users > Microsoft\ExcelSvcAccnt (example) > Properties > Delegation > Trust this user for delegation to specified services only > Use any authentication protocol > Add > SP002 (File Server) > Select All > OK.
6. Constrain the machine running the "Claims to Windows Token Service" and the "Excel Services Application" (Server001) to the file server (Server002) via: Active Directory > Computers > SP001 (example) > Properties > Delegation > Trust this computer for delegation to specified services only > Use any authentication protocol > Add > SP002 (File Server) > Select All > OK.

Authentication should now be properly set up.
Authorization to the file server must still be granted separately via NTFS permissions.

Update:

What we need to do in AD:
1. Trust the file servers (e.g. tx2fs008): trust delegation for all services (Kerberos only). For all file servers, set the AD attribute userAccountControl (add the TRUSTED_FOR_DELEGATION flag).
2. Constrain the Excel Services account (e.g. svc_ow_services): in the attribute msDS-AllowedToDelegateTo, add the services of the file server.
3. Constrain the OW server account (e.g. tx2ow002$): in the attribute msDS-AllowedToDelegateTo, add the services of the file server.

PS: I'm not sure, but we can set trust delegation for all services (Kerberos only) for 2 and 3 and not constrain them to the file servers only. It's much simpler.
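As an added example (not code from the original post or from any Microsoft tool), the following Python reads an LDIFDE export of the kind "ldifde -f out.txt -r <filter>" writes, decodes the userAccountControl bits the Update refers to (TRUSTED_FOR_DELEGATION, plus TRUSTED_TO_AUTH_FOR_DELEGATION, which the "Use any authentication protocol" option sets) and collects the msDS-AllowedToDelegateTo targets. With it the three accounts from the Update can be checked against what was intended, and any account trusted for delegation to any service stands out. The DNs, host names, SPNs and attribute values below are constructed sample data.

```python
"""Audit Kerberos delegation settings from an LDIFDE export (added example)."""
import base64

# userAccountControl bits relevant to delegation (values from the AD schema)
TRUSTED_FOR_DELEGATION = 0x80000            # "Trust this computer for delegation to any service"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF records into a list of dicts: lowercase attribute -> list of values."""
    records, current = [], {}
    for line in _unfold(text):
        if not line.strip():                 # blank line ends a record
            if current:
                records.append(current)
            current = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, value = line.partition(':')
        if value.startswith(':'):            # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        records.append(current)
    return records


def audit_delegation(records):
    """Classify every exported account: {sAMAccountName: {unconstrained, constrained_to, protocol_transition}}."""
    report = {}
    for rec in records:
        name = rec.get('samaccountname', ['?'])[0]
        uac = int(rec.get('useraccountcontrol', ['0'])[0])
        report[name] = {
            'unconstrained': bool(uac & TRUSTED_FOR_DELEGATION),
            'constrained_to': sorted(rec.get('msds-allowedtodelegateto', [])),
            'protocol_transition': bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
        }
    return report


def unconstrained_accounts(report):
    """Accounts trusted for delegation to any service: the broadest setting, worth reviewing."""
    return sorted(n for n, r in report.items() if r['unconstrained'])


def can_delegate_to(report, account, spn):
    """True if `account` may obtain a service ticket to `spn` on a user's behalf."""
    r = report[account]
    return r['unconstrained'] or spn.lower() in (t.lower() for t in r['constrained_to'])


# Constructed sample export (hypothetical domain example.com; not a real ldifde run).
# 528384 = 0x1000 (workstation trust) | 0x80000; 16843264 = 0x10200 | 0x1000000;
# 16781312 = 0x1000 | 0x1000000; 4096 = 0x1000 only.
SAMPLE_LDIF = """\
dn: CN=tx2fs008,OU=Servers,DC=example,DC=com
changetype: add
objectClass: computer
sAMAccountName: tx2fs008$
description:: RmlsZSBzZXJ2ZXI=
userAccountControl: 528384

dn: CN=svc_ow_services,OU=Service Accounts,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: svc_ow_services
userAccountControl: 16843264
msDS-AllowedToDelegateTo: cifs/tx2fs008.example.com
msDS-AllowedToDelegateTo: cifs/tx2fs008

dn: CN=tx2ow002,OU=Servers,DC=example,DC=com
changetype: add
objectClass: computer
sAMAccountName: tx2ow002$
userAccountControl: 16781312
msDS-AllowedToDelegateTo: cifs/tx2fs008.example.com
msDS-AllowedToDelegateTo: cifs/tx2fs008

dn: CN=tx2sql001,OU=Servers,DC=example,DC=com
changetype: add
objectClass: computer
sAMAccountName: tx2sql001$
userAccountControl: 4096
"""


if __name__ == "__main__":
    rep = audit_delegation(parse_ldif(SAMPLE_LDIF))
    for name, r in sorted(rep.items()):
        print(name, r)
    print("unconstrained:", unconstrained_accounts(rep))
```

On the sample the only account trusted for delegation to any service is the file server itself, which is what step 1 of the Update asks for; the Excel Services account and the OW server are constrained to the cifs SPNs of that file server with protocol transition on, matching steps 2 and 3. If the PS above were followed and those two accounts were made unconstrained instead, they would show up in unconstrained_accounts too, which is the quick way to tell the two configurations apart in a real export.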

Written by Alex Anikin

November 13, 2010 at 10:33 am