September 2nd, 2010
by Tristan Watkins
In my post yesterday on User Profile Picture Export Permissions I reviewed the requirements to export the SharePoint PictureURL profile property to the Active Directory thumbnailPhoto user attribute. Where I left off, I had identified a certificate error on our SSL-secured MySite’s wildcard certificate. You may recall that the User Profile synchronisation exported the mobile number property successfully. Given that this mobile number was updated by the end-users through the same MySite host as the User Profile picture, you may wonder why one exported successfully if there were certificate errors that interfered with the other.
Fundamentally, it’s irrelevant that this data was updated by these users in their MySites. The property could have been updated by an administrator in the User Profile Service Application. However, it appears that the User Profile export is not just exporting the URL as a string; it is actually copying the image on export. The User Profile Service Application browses to the SSL-secured site to pick up the image and writes it to the user’s thumbnailPhoto attribute. In this post I’ll review the evidence and explain the additional certificate trust configuration required to export an SSL-secured User Profile picture.
Security, SharePoint
September 1st, 2010
by Tristan Watkins
Most IT Professionals with SharePoint 2010 experience will be familiar with the initial configuration complexities of the User Profile Service Application but it’s probably less well-known that there are additional requirements to set up profile property export, and that some properties have further requirements still. SharePoint 2010 allows properties to either be imported or exported (but not both, out of the box). The most basic of these requirements for Active Directory export are the Write All Properties and Create Child Objects permissions on the OUs where data will be written by SharePoint.
We initially followed Matthew McDermott’s Profile Image Export suggestions but in our case these steps were insufficient, as detailed below. That article was written while SharePoint 2010 was a beta product. The User Profile Service Application has changed since that release and is now configured differently, so it doesn’t surprise me that our experience differs.
You might wonder why we spent this much effort just to get a picture in Active Directory (of all places). While we think it’s important to have this knowledge for our clients and delegating photo selection to end users can drive SharePoint adoption, it is also used by the Outlook 2010 Social Connector. When you start using this great new social computing front-end, it just feels incomplete without a photo.
Security, SharePoint
March 29th, 2010
by Tristan Watkins
With SharePoint 2010 RTM looming, I’ve stumbled across an architectural change that may surprise some people – namely, that SharePoint 2010 no longer supports multiple-server farms without a domain infrastructure. In SharePoint 2007 it was possible to create SharePoint farms in a Workgroup, so long as all of the user accounts for the services and application pool identities were named the same and had the same password. You could even manage users with an Active Directory Lightweight Directory Services (AD LDS) or Active Directory Application Mode (ADAM) LDAP directory (albeit with some fairly limiting restrictions). However, it was possible to use these farms for testing or when an Active Directory infrastructure was undesirable (as some people see it in a DMZ). Now, it is still possible to do a Simple installation on a single server without full domain services, but it is no longer supported on multiple servers, and the Simple installation comes with its own planning considerations, to which I’ll return in a bit. First, there’s another wrinkle regarding the single server Complete installation.
Consultancy and Design, SharePoint, Virtualisation, Windows
January 18th, 2010
by Tristan Watkins
We’ve identified that the user profile import in the SharePoint 2010 public beta can’t handle hyphens in domain names. The import will succeed but the portion of the domain name preceding the hyphen will get trimmed. When a user logs on, a new profile is created but it is orphaned from the imported data. In principle we’ve been able to work around this by migrating the user profiles with STSADM (thanks to my colleague Martin Hatch for the suggestion) but we haven’t put this approach to the test over a sufficient period of time to be able to recommend it firmly yet. We also don’t have a mechanism for triggering the update for newly-imported users but it shouldn’t be rocket science to come up with a solution to that problem for the duration of the beta.
Microsoft have confirmed this is a problem in the SharePoint 2010 public beta and that a fix will be included in the next release. Their response was on a closed beta forum, so I can’t include that detail here, but this is my description from MSDN:
SharePoint