SharePoint Archives - Page 2 of 9 - Tristan Watkins on IT Infrastructure

How SharePoint 2010 Finds and Updates a User’s Work E-mail Address

In the first part of this series about the SharePoint 2010 IRM implementation, I provided an overview of the technology and why we might use it to enhance SharePoint’s access controls. In this second article, I’ll look closely at the key piece of information that bridges the gap between SharePoint and a Rights Management Server – namely, a user’s e-mail address. RMS relies on a user’s e-mail address in this way outside of the SharePoint world as well; this is an RMS requirement. SharePoint’s implementation attempts to work with this, even though SharePoint doesn’t require a user to have an e-mail address for most things to work.

IRM support has been built in to SharePoint as a WSS (now Foundation) technology. WSS/Foundation don’t have a User Profile Service, so the e-mail address information that RMS requires needs to come from somewhere else. As we’ll see below, it wouldn’t be optimal to query Active Directory for that value whenever RMS-protected content is requested, so SharePoint uses the value it (hopefully) already has in the lowest common denominator (WSS/Foundation) user information container. As we’ll see, reliably populating and updating that information is less straight-forward than it would appear at a glance.

Continue reading “How SharePoint 2010 Finds and Updates a User’s Work E-mail Address”

Protecting SharePoint 2010 with Information Rights Management

Overview

In recent weeks Information Rights Management (IRM) protections for SharePoint 2013 have received a fair amount of attention, as IRM is now configurable per-tenant, which brings the capabilities to SharePoint Online, supported by Windows Azure Active Directory Rights Management (AADRM). This is great, and I’ll have more to say about these new technologies, but I feel there’s a fair amount of missing public information about the way it’s been working on-premises for many years, which will prove to be foundational for the new stuff. I won’t go back in time to MOSS 2007 to describe that support, but I believe the Classic Windows Authentication scenarios that I will describe for SharePoint 2010 are largely the same as in the earlier implementation.

This first post focuses on the relationships of a few apparently-distinct topics and the effects that these considerations have for a user accessing Rights Managed content in SharePoint 2010. Namely:

How SharePoint publishes content with Rights Management protections using the User Information List’s Work E-mail value.
How that field gets initially loaded…
1. If an entry is added to the User Information List when a user is granted access to a SharePoint Site Collection by name.
2. If an entry is added to the User Information List when a user accesses a Site Collection for the first time, having been granted access by group or attribute previously.
3. How each of these events vary if the user is authenticated with a SAML Claim, and how Claim Mappings for a SAML Claim Provider’s Trust Relationship can alter this experience.
How the User Information List’s Work E-mail value can change after the User Profile to SharePoint Quick or Full Synchronisation Timer Jobs have run.
1. How the scope of users targeted by this timer job works by default.
2. How the scope of users targeted by this timer job can be modified and the possible effects of choosing to make this change.
How Active Directory Rights Management Server (AD RMS, or just RMS below) discovers and caches e-mail address values for a user.
How changes to an Active Directory user’s mail attribute can have an impact on access to RMS-protected content in SharePoint.

As is no doubt evident already, this is complicated stuff, but in my view, quite necessary to understand if using RMS with SharePoint. These considerations become more important if e-mail addresses are fluid, or at scale, and especially critical if authenticating SharePoint with SAML Claims while using RMS. I’ve produced a process diagram to explain these variations in a single view, but first I will provide background details.

Continue reading “Protecting SharePoint 2010 with Information Rights Management”

Failed Detection of PeopleILM Components and User Profile Synchronisation Service DCOM 10016 Errors

In my last post, I described some of the security considerations that influence an administrator’s response to event log clutter generated by DCOM errors. There are known remedial steps for most of these errors, but the impact of fixing them is often poorly understood, so I tried to clear some of that up. In this post, I’ll review how I’ve responded to the User Profile Synchronisation Service’s DCOM 10016 errors and the corollary MsiInstaller warnings with these security considerations in mind.

Failed Detection of PeopleILM Components

According to Microsoft KB article 2473430, these events occur, “while attempting to manage a User Profile Service Application”. To be more specific, the symptoms are described as:

When you attempt to manage the User Profile Service Application via Central Admin on a SharePoint Server 2010 with the User Profile Synchronization service started after an IISReset, the following warnings are logged in the application log of the SharePoint server…

Personally, I’ve never been able to pin down a firm cause of these events, so I’m happy to go with this Microsoft description, although I struggled to replicate this recently. Regardless, I’ve certainly seen the events in a large number, if not all User Profile Synchronisation Service instances I’ve encountered/built. One thing I find interesting is that these MsiInstaller warnings are accompanied by DCOM 10016 errors on the Windows Installer Service (DCOM component {000C101C-0000-0000-C000-000000000046}) and a few MsiInstaller warnings that closely resemble the Product Version Job DCOM permission errors I’ve spoken to before. This is what we’re looking at:

Continue reading “Failed Detection of PeopleILM Components and User Profile Synchronisation Service DCOM 10016 Errors”

DCOM Security for SharePoint Administrators

In a server administrator’s never-ending battle with log clutter, DCOM errors have proven to be some of the most persistent and poorly-understood events – especially with SharePoint. Our community has been building up remedial practices for the most common of these errors, but changes to the number and complexity of these fixes over the last few years call for a deeper look at what we’re changing, and the effects of these changes beyond a reduction in red and yellow icons in the event logs. In this post I’ll talk about some of the fundamental concepts from a Systems dude’s perspective and along the way I hope to convey a better understanding of Windows itself.

Continue reading “DCOM Security for SharePoint Administrators”

SharePoint 2010 Development Environment Performance: SSD, i5 vs. i7, WEI and Sandy Bridge

Late last year my colleagues and I tried to distil the tasks that impede SharePoint developer productivity. Then I ran those tests on EC2, Hyper-V and VMware Workstation, with the latter two virtualisation technologies running on a desktop, an older laptop and a newer laptop. In this post I hope to shed a bit of light on some follow-up testing that I’ve squeezed in to the odd hour here and there over the last six months. Unfortunately hardware availability and my schedule have not aligned to produce a further round of comprehensive tests and since I can’t see that occurring in the immediate future I’m going to fill in some gaps here with a couple of additional concrete findings, particularly regarding i5 vs. i7 testing and the impact of SSD on first page load times after application pool recycles. I’ll also talk less rigorously about a few related issues.

Continue reading “SharePoint 2010 Development Environment Performance: SSD, i5 vs. i7, WEI and Sandy Bridge”

Active Directory Account Creation Mode in SharePoint 2010

Earlier this week, I had the misfortune of generating an error I’d never seen before when building a new SharePoint Server 2010 farm. The error first emerged when the SharePoint installation process landed me at the Farm Configuration Wizard page. I wouldn’t have been running it (not advisable ever, really), but it’s the first page that loads after the Product Configuration Wizard completes, so my first Central Administration page was this error:

The page cannot be displayed because your server’s current configuration does not support it. To perform this task, use the command line operations in Stsadm.exe.

How odd, given the emphasis on PowerShell in SharePoint 2010! After a bit of head scratching and examining application and ULS logs, I navigated to the Central Admin home page and everything appeared to be fine, but then when I got around to creating a new Site Collection a bit later, I got the same error, even though I was able to create web/service applications. I had the same error when logged on as farm admin, farm admin + local admin rights, farm admin + SQL SysAdmin and farm admin + domain admin rights, so I was pretty sure it wasn’t a permission issue (and I should note my temporary fiddlery here is only really suitable for non-production environments). This error also occurred on some other Site Collection-specific pages.

Continue reading “Active Directory Account Creation Mode in SharePoint 2010”

SharePoint Server 2010 Search Scopes and Pre-Windows 2000 Compatibility Access

Back in the pre-release days of SharePoint 2010, one of the most reliable sources of information on infrastructure issues was Russ Maxwell’s SharePoint Brew blog. It’s still a great resource, although he’s posting less frequently now than he was during the beta. In this post I want to share my findings regarding Pre-Windows 2000 Compatibility Access group rights in Active Directory. Everything I have to say is supplementary to Russ’s foundational explanation of Why the tokenGroupsGlobalAndUniversal (TGGAU) attribute matters in SharePoint 2010. I’m picking the discussion up from his closing comment, “At a minimum, certain service accounts like the search service account need to be a member of this group.”

Continue reading “SharePoint Server 2010 Search Scopes and Pre-Windows 2000 Compatibility Access”

Amazon VPC and VM Import Updates

In the last couple of weeks I’ve received notification of two important updates regarding Amazon Web Services. I thought I’d share them here, as they are both relevant to use of SharePoint 2010 on EC2 and I’ve seen no mention of them elsewhere. If you’re interested in this broader topic, I’ve covered it in detail here:

My commentary here assumes some familiarity with these earlier posts. This is new functionality that enables new design options. These options should make SharePoint 2010 on EC2 more appealing for a few specific uses.

Continue reading “Amazon VPC and VM Import Updates”

People Search Result Organisation Browser Link Doesn’t Respect Alternate Access Mappings

My colleague Anthony Clegg and I have recently been working on a project together, for which I’ve designed and delivered the infrastructure, while he’s been delivering the solution. As part of my design, I extended the SharePoint Web Applications from the default HTTPS zones to new HTTP zones, exclusively for crawling. This approach has been around for some time, but there’s a new wrinkle on the SharePoint 2010 Enterprise Search Centre People Search results page, which I’ll discuss here:

Continue reading “People Search Result Organisation Browser Link Doesn’t Respect Alternate Access Mappings”

Exams 70-667 and 70-668

I’ve just completed exams 70-667 and 70-668 yesterday and today, making me an MCITP: SharePoint Administrator 2010. Woohoo! But this is not an own-horn-tooting exercise; I have a tip to offer on sitting these exams.

As I started preparing for these exams last week, I was under the misapprehension that there was very little in the way of guidance on the Microsoft Learning site. I think I perceived things this way because there wasn’t much to go on when the exams were first launched. But when I checked again last week I was happy to find a link to a learning plan from the Preparation Materials tab of the 70-667 page. Unfortunately, the 70-668 page does not contain a link to a learning plan (it’s listed but unlinked), but it does exist! I just searched for it on the Training Catalogue.

Continue reading “Exams 70-667 and 70-668”