
SharePoint Search Operational Role (Job Responsibilities)

I was recently asked about what sort of things should be in a job description for a person who manages search in a SharePoint environment. I say all of the time that search isn’t a product — it’s a process. What I mean by that is the product will only get you so far. A human will have to be involved to make the tool really valuable. Here’s what I sent to the client as a final set of activities/skills/responsibilities:

  • Review and resolve crawl logs for errors and warnings
  • Review Crawl Logs for Performance and Heartbeat
  • Periodically review performance data for the search indexer to identify impending performance issues
  • Manage the indexing process
    • Review requests for new content sources
    • Develop, monitor, and tune content crawling schedules
    • Implement appropriate crawler impact rules
    • Implement and maintain crawl rules to control what content is in the index
    • Work with network operations to control permissions for the crawler account to manage what is in the index
    • Manage search scopes
  • Review usage reports and work with the organization to improve relevancy by leveraging out-of-the-box tuning parameters including:
    • Changes to the noise words files
    • Changes to the thesaurus file
    • Changes to the authoritative sites list
    • Changes to keywords and best bets

Thanks to Spencer Harbar and Ben Curry for their contributions to this.

MOSS Single Sign On Setup Step-By-Step

With a TechNet article titled “Configure single sign-on (Office SharePoint Server)” one might wonder why I’d feel the need to write a blog post on how to set up Single Sign-On. The answer is that the TechNet article is incomplete (as of this publishing) and obtuse. So my hope is to walk through the process with screen shots so that you can see exactly what to set up and what the values should be.

There are seven main activities that we need to do:

  1. Create the SSO service account — This is the account that the service will run under.
  2. Create the SSO groups — These groups are used to control who has the ability to administer SSO (export the master key) and who has the ability to manage it (add/remove application definitions).
  3. Configure the SSO Service — Set SSO to start and get it to use the service account.
  4. Configure SQL Server — Authorize the SSO service account to SQL Server.
  5. Manage SSO — Set up SSO in MOSS including the groups and the database.
  6. Manage the encryption key — Create the encryption key that will be used for protecting the username and password information on the system.
  7. Manage settings for enterprise application definitions — Define what initial applications SSO will be set up to manage passwords for.

In each of the next sections, I’ll walk you through dialog-by-dialog what you need to select and what to do in order to get a working setup.

Create the SSO Service Account

We need to create an account for the “Microsoft Single Sign-on Service” (SSO Service) to run as. This account has to be a domain account that has local administrative privileges on the front end web servers, must be a member of the SharePoint group Farm Administrators, must have the database creator and security administrator roles in SQL Server, and must be a member of the group that is defined as SSO administrators. Obviously that is quite a few requirements. We’ll work on getting this account and the appropriate groups set up over the next several major steps. In this section we’ll concentrate on getting the account set up.

In the following steps I’m going to add the user to the Domain Admins group in order to get the local administrator privileges requirement met. If you are working on a production installation, I’d recommend creating a group for SharePoint Farm Administrators and adding that group to the local Administrators group of each of the front end web servers — as well as the index server. If you do this, use your farm administrators group rather than Domain Admins in the steps below.

Let’s get started.

  1. From the Start Menu click Administrative Tools-Active Directory Users and Computers
  2. In the left hand pane on the Users folder right click and select New-User from the menu that appears. If your organization places service accounts in a different organizational unit (OU) you can certainly add this account to that location.
  3. Enter the First Name (SharePoint SSO), Last Name (Service), and User logon name (SharePointSSOSvc) fields and click the Next button. You can name the account anything you want, however, these values make it clear what the account is used for.
  4. Enter a password into the Password and Confirm password fields. Uncheck the User must change password at next logon checkbox. Check the User cannot change password and Password never expires checkboxes. Click the Next button. This sets the account up to be a service account.
  5. Click the Finish button.
  6. On the user that was just created, right click and select Properties.
  7. Click the Member Of tab.
  8. Click the Add button
  9. Enter the group name Domain Admins and click Check Names then click OK. As mentioned above, if you’re using another group to provide local administrator access to the farm servers, use that group here.
  10. Click the OK button.

With the user account created and added to a group that will have administrative access to the farm servers, we next need to create the groups that we’ll add the users capable of managing SSO into.

Create the SSO Groups

There are two important groups for SSO. The first group is the administrative group which includes those users capable of administering SSO. This includes the ability to back up and restore the encryption key — because of this they can effectively decrypt all user credentials in the SSO database and thus membership in this group should be severely limited. The second group, a managers group, is used to manage the application profiles in the SSO system. This group doesn’t directly have access to passwords but could inadvertently delete all of the stored passwords. In the following steps we’ll create both groups and add the SSO service account we created above into the administrators group.

  1. In Active Directory Users and Computers (still open from the last set of steps) from the left pane right-click Users and select New-Group. As before, if your organization requires that groups be placed in a different OU, select that OU to create the group in.
  2. Enter the Group Name (SharePoint SSO Administrators) and click the OK button.
  3. Left click the new group, and then right click the new group and select Properties.
  4. Click the Members tab.
  5. Click the Add button.
  6. Enter SharePointSSOSvc, click the Check Names button, and click the OK button.
  7. Click the OK button.
  8. In the left pane, right click Users and select New-Group. As before, if your organization requires a different location, use that location.
  9. Enter the Group Name (SharePoint SSO Managers) and click the OK button.
  10. Close Active Directory Users and Computers, we’re done with it.

With the groups created we’re ready to configure the service to automatically start.

Configure the SSO Service

By default the SSO service in SharePoint doesn’t start. In this activity we’re going to enable the SSO service on each server in the farm, and then, once that is completed, change the account used for SSO in SharePoint Central Administration.

Let’s start by setting the service to start automatically and manually starting it.

  1. On the Start menu click Administrative Tools-Services
  2. In the Services application in the right hand pane scroll down to the Microsoft Single Sign-on Service, right click and click Properties.
  3. Change the Startup type from Manual to Automatic.
  4. Click the Start button.
  5. Click the OK button.
  6. Close the Services application. We’re done with it.
  7. Repeat steps 1-5 on each server in the SharePoint farm.
  8. On the Start menu click Administrative Tools-SharePoint 3.0 Central Administration
  9. Click the Operations tab.
  10. In the Security Configuration section, click the Service Accounts link
  11. In the Windows service drop down list select Single Sign-on Service.
  12. Enter the Username (DEMO\SharePointSSOSvc) and Password for the service account and click the OK button.

With that the SSO service is running, however, it doesn’t have access to SQL server so we need to fix that before managing the settings.

Configure SQL Server for the SSO Service Account

The SSO service account needs to create the SSO database and set up the correct permissions. In order to do that it needs the security administrator (securityadmin) and database creator (dbcreator) server roles. In the following steps we’ll get permissions set up for the service account.

  1. On the Start menu click All Programs -Microsoft SQL Server 2005 – SQL Server Management Studio.
  2. If your server name isn’t correct in the dialog select the correct server. Then click the Connect button to connect to your SQL server.
  3. Click on the plus sign to the left of Security to expand it. Click on the plus sign to the left of Logins to expand it.
  4. Right click on the SharePoint SSO service account (DEMO\SharePointSSOSvc) and click properties.
  5. In the Select a page (left) pane select Server Roles.
  6. Click the checkboxes to the left of dbcreator and securityadmin.
  7. Click the OK button.
  8. Close Microsoft SQL Server Management Studio, we’re done with it.

In these steps we corrected the permissions for the SSO service account so that it can work with SQL Server. Next is to complete the activation in SharePoint by using the Manage settings for single sign-on link.
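The first four activities above (service account, groups, service startup, SQL Server roles) are all scriptable, which makes the setup repeatable and reviewable. The following PowerShell is an added example, not part of the original post or of any Microsoft documentation. It assumes the ActiveDirectory module is available, that it runs from a domain-joined machine as an account allowed to create users and groups, that the server names (WFE01, WFE02, INDEX01, SQL01) are placeholders for your farm, and that the SSO service is identified by its display name “Microsoft Single Sign-on Service”. It follows the post’s production recommendation of a dedicated farm administrators group in the servers’ local Administrators group instead of Domain Admins. The final hand-off of the service account in Central Administration (steps 8-12 of “Configure the SSO Service”) is still done in the UI.

```powershell
# Added example: scripts activities 1-4 of the SSO setup described above.
# Assumed names; change them to match your environment.
Import-Module ActiveDirectory

$domain           = 'DEMO'
$svcName          = 'SharePointSSOSvc'
$farmAdminsGroup  = 'SharePoint Farm Administrators'   # used instead of Domain Admins (least privilege)
$ssoAdmins        = 'SharePoint SSO Administrators'     # can export the master key: keep membership minimal
$ssoManagers      = 'SharePoint SSO Managers'           # manages application definitions only
$farmServers      = 'WFE01', 'WFE02', 'INDEX01'         # constructed example names
$sqlServer        = 'SQL01'                             # constructed example name
$password         = Read-Host -AsSecureString "Password for $svcName"

# Activity 1: the service account, flagged the way the post describes
# (no change at next logon, user cannot change it, never expires).
New-ADUser -Name 'SharePoint SSO Service' -GivenName 'SharePoint SSO' -Surname 'Service' `
    -SamAccountName $svcName -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $false -CannotChangePassword $true -PasswordNeverExpires $true

# Farm administrators group gets local admin on each farm server, and the
# service account becomes a member of it; Domain Admins is never touched.
New-ADGroup -Name $farmAdminsGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $farmAdminsGroup -Members $svcName
foreach ($server in $farmServers) {
    Invoke-Command -ComputerName $server -ArgumentList "$domain\$farmAdminsGroup" -ScriptBlock {
        param($group) net localgroup Administrators $group /add
    }
}

# Activity 2: the two SSO groups; only the administrators group holds the service account.
New-ADGroup -Name $ssoAdmins   -GroupScope Global -GroupCategory Security
New-ADGroup -Name $ssoManagers -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $ssoAdmins -Members $svcName

# Activity 3: set the SSO service to Automatic and start it on every farm server.
# Looked up by display name so the short service name does not have to be assumed.
foreach ($server in $farmServers) {
    $svc = Get-Service -ComputerName $server -DisplayName 'Microsoft Single Sign-on Service'
    Set-Service -ComputerName $server -Name $svc.Name -StartupType Automatic
    if ($svc.Status -ne 'Running') { Start-Service -InputObject $svc }
}

# Activity 4: SQL Server login for the service account with the two server roles the post
# calls for (dbcreator, securityadmin) and nothing more. Uses the built-in SqlClient so no
# SQL module is needed; the login name is taken from variables, not user input.
$login = "$domain\$svcName"
$tsql  = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'$login', @rolename = N'dbcreator';
EXEC sp_addsrvrolemember @loginame = N'$login', @rolename = N'securityadmin';
"@
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$sqlServer;Database=master;Integrated Security=SSPI")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $tsql
    [void]$cmd.ExecuteNonQuery()
} finally {
    $conn.Close()
}

# Verification: list the server roles the login now holds (expect exactly dbcreator, securityadmin).
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT r.name FROM sys.server_role_members m " +
                       "JOIN sys.server_principals r ON r.principal_id = m.role_principal_id " +
                       "JOIN sys.server_principals p ON p.principal_id = m.member_principal_id " +
                       "WHERE p.name = N'$login'"
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { Write-Output ("{0} holds server role {1}" -f $login, $reader.GetString(0)) }
    $reader.Close()
} finally {
    $conn.Close()
}
```

Two points worth checking after the script runs: the verification query should show only the two roles (sysadmin appearing there means the account was granted far more than SSO needs), and the SSO administrators group should contain only the service account and the very few people who are allowed to export the master key, since that key decrypts every stored credential.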

Manage Settings for Single Sign-on

In this step we’ll go through the process of creating the SSO database by using the Manage settings for single sign-on link on the central administration operations screen. The SharePoint central administration operations screen should be on your screen from the previous steps.

  1. On the SharePoint Central Administration Operations page in the Security Configuration heading select the Manage settings for single sign-on link.
  2. Click the Manage server settings link.
  3. In the far upper right corner, click the down arrow next to Welcome System Account (or whatever name is displayed.) From the menu that appears, select Sign in as a Different User.
  4. In the User name text box enter the SharePoint SSO Service Account (DEMO\SharePointSSOSvc) and in the Password text box enter the account’s password.
  5. Enter the administrators group name including the domain name (DEMO\SharePoint SSO Administrators) in the Single Sign-On Administrator Account section’s Account name textbox.
  6. Enter the managers group name including the domain name (DEMO\SharePoint SSO Managers) in the Enterprise Application Definition Administrator Account section’s Account name textbox.
  7. Click the OK button.

With that the SSO database will be created and we’re nearly done. We need only to get an encryption key created and to create an application definition.

Manage the Encryption Key

The next step is creating an encryption key for the credentials to be encrypted with. In order to do this, follow these steps:

  1. On the Manage Settings for Single Sign-on page click the Manage encryption key link
  2. Click the Create Encryption Key button.
  3. Click the OK button.
  4. In the breadcrumbs, click the Manage Single Sign-On link.

With an encryption key set, you’re ready to create an application definition.

Manage Settings for Enterprise Application Definitions

The final step is to define an application definition for SSO. This can be done with the following steps.

  1. On the Manage Settings for Single Sign-On for… page in the Enterprise Application Definition Settings, click the Manage settings for enterprise application definitions link.
  2. Click the New Item button.
  3. Enter a Display name (Demo Application), an Application name (Demo), and a Contact e-mail address ([email protected]).
  4. Select the Account type. Generally this will be Individual. Note that this cannot be changed once the application has been defined.
  5. Click the OK button.
  6. Close the web browser with central administration — we’re done.

Special Thanks to Hollins University. This is documentation that I did for them that they agreed I could share with everyone.


My Name is Jerry

During the course of my career I’ve run across a handful of truly amazing people. That’s one of the definite perks of being a consultant, you meet lots of people so statistically speaking at some point you’re going to find some really awesome people. One of those people for me is Rodger Smith. Rodger is perhaps the most creative guy that anyone will ever meet. Picking out his brilliance is as easy or as difficult as looking at the desktop on his Mac. The first time I saw it I was instantly in awe and confused at the same time. There was an insanely organized set of post it notes on his desktop. This was amazing because on the one hand we have unstructured information at its finest. Post it notes — how many of them do you lose in a year? I think I’m single handedly responsible for killing a forest with the ones I’ve lost. On the other hand, there’s an order and a symmetry to how they’re setup. It’s order woven through the chaos.

Why do I bring this up? Well, I got a note from Rodger today about an independent film he’s producing. The film is My Name is Jerry. I won’t pretend to understand it other than what you can read for yourself — however, I can tell you that if Rodger’s involved it’s worth checking out. (So go there now.)

The True Cost of Windows Vista

I recently purchased a new laptop (Lenovo T61p) and as a part of that process I decided to finally take the leap to Vista. Since I don’t know how to do things half way, I decided that I’d go to Vista x64 — OK, that and I put 8GB of RAM in the system. I’ve been quite surprised with the experience. You see shortly after the launch I bought a laptop and tried to use it with Vista x64 — that was a miserable failure. Mostly because the drivers just weren’t present. I quite quickly reverted back to Windows XP and I’ve been running that ever since. However, the new machine created a new opportunity.

I’ve found that driver support has generally been pretty good with one very notable exception. I have an HP ColorJet 2840 integrated scanner, fax, and printer. It’s hooked to my server and does a decent if not perfect job of meeting my needs. However, I’ve realized that I can’t print in color to the 2840 from Vista 64 bit. Frankly, it’s got me wondering if HP is intentionally trying to flush their printer business. If you consider that Vista has been released for 18 months now and HP can’t get a set of printer drivers out for the printer, that says one of two things: 1) they don’t care enough, or 2) they’re incompetent. I’ll choose to pick the former. Other than publicly shame HP I’m not sure what to do — oh, well, I mean that and never buy another HP printer. The really tragic part of this is that the 2840 is still a current model printer that they’re trying to sell to small and medium businesses — oops.

So dealing with driver compatibility issues tops my list for the true cost of Vista. This isn’t Microsoft’s fault — it can’t be with 18 months in the market.

The other issue is not quite as troubling but is pretty frustrating nonetheless. It seems like every application that I use has to have an update to work with Vista. Nero, Acrobat, QuickBooks, etc. OK, it isn’t every application, but it’s enough. Making things more interesting, a few key features that I used don’t work in Vista. Nero has a feature called ImageDrive that allows you to mount an ISO like a drive on your system — and it doesn’t work on Vista. What’s the big deal? Well, because of my MSDN subscription I get most of my Microsoft software as an ISO. I don’t want to burn CDs or DVDs for everything that I want to install. With ImageDrive I mounted the disk virtually and installed the software. Because of this limitation I ended up needing to license an ISO extractor tool.

So the second true cost to Vista is the software cost — not the cost of Vista itself but the cost of all of the software you have to relicense once you have Vista.

The final cost, and the only one in my list that Microsoft actually owns the whole problem for, is the fact that I can’t get Vista SP1 to install. Actually, the core update that is the problem is 935509 — which is an update for BitLocker which is a prerequisite to SP1 installation. I also can’t install 930627 which Adobe claims is why the computer sometimes locks up. When I run the update for 930627 it says that it doesn’t apply to my system. So I do have a case open with Vista support. Support for issues installing SP1 is free. Of course the problem has been isolated (by me) to an issue with a manifest GUID conflict for the WinSXS (Windows Side-By-Side) component. Of course, what is causing the conflict or how to resolve it is beyond the folks I’ve been talking to.

So what’s the real cost of Vista? There’s a small software cost to it, most of which are the third party applications you use, but most of it is time. Time to get things reinstalled and working. Time to work on resolving your issues, and time to track down all of the things that you need to make it all work.

When you decide to take the plunge … make sure you have time on your hands … and a credit card.

Brain Rules: 12 Principles for Surviving and Thriving at Work, Home, and School

Book Review-Brain Rules

I can still remember the most astonishing and frightening moments in my son’s development. My brother had gotten married the day before in St. Louis and rather than head off directly to a honeymoon with his bride, they stuck around and showed us the town. If you’re in St. Louis it’s some sort of rule that you have to go to the Gateway Arch. Upon exiting the arch itself we returned to the underground museum which showed what an old shipyard might have looked like. What I heard was frightening. My newly minted sister-in-law asked my son if he could swing on the ropes like Tarzan. My brain clicked into emergency mode as it evaluated the situation. The ropes were too high for my son to reach so I settled back into normal mode and then it came. My son, four at the time, responded “Tarzan doesn’t swing on ropes, he swings on vines.” As my neurons fired up again I was pleased and then very scared. I realized quickly that my son had taken in information in the form of a question, converted it into factual data, compared it against what he already knew, identified that the data didn’t match his understanding, validated that it was the wrong data and then communicated this information back to the person from whom the data came. I realized at that moment that I wasn’t going to be able to keep the upper hand intellectually on my child. I’ve got a few years of experience to lean on but at some point I’m going to have to accept that my son will be smarter than I am.

What does this have to do with a book titled Brain Rules by John Medina? As it turns out, quite a bit. I got a little glimpse into how little brains work. In his book John points out 12 simple rules about how the brain works, how it was put together, and the factors that influence it. He encourages a set of alternative ideas at the end of each rule so that we can ponder what things might be like if we actually paid attention to what we know about how we think and how our brain works.

I’m intently interested in how our brains work — mainly to figure out what’s happening to mine when it misfires. Some folks are interested in every aspect of how a car works. (Here’s a spoiler: lots and lots of micro explosions.) I’m interested in how PEOPLE work. Not just me but others as well. How is it that when I tell my wife something she hears something completely different? How can two people argue while saying the same thing?

John doesn’t have the answer to every question — however, I like the answers he does have to some fairly basic questions including how men and women’s brains function differently.

It’s worth reading Brain Rules — that is if you feel like you want to know more about how your brain — and the brains of those around you — really work.

The SharePoint Shepherd’s Guide for End Users: Screen Cast Edition

When I first released The SharePoint Shepherd’s Guide for End Users I was asked about all sorts of things. One of those things was whether there were any screen casts available. At that point, I wasn’t able to say yes. But that’s changing. I was able to work with my technical editor for the book and he’s agreed to record the step-by-step instructions in the book into screen casts. The screen casts will have the same content as the book but available in a video format that some users prefer. We’re about 20% of the way done with the preproduction files and expect to do the packaging of the individual files in the next few weeks. We’re probably still more than 30 days out from having a complete screen cast offering set; however, it’s something that I feel good about starting to offer customers. If you’re interested in talking about pricing or learning more you can email my administrator for the project.

We’re also nearly complete with the SharePoint site option for licensing the content. This option allows you to get the book as a wiki that users can comment upon and link to in their emails. The beauty here is that it includes a limited license to the commenter web part that we’ve been developing which allows you to restrict edits to the wiki pages themselves – but allows folks to comment on the pages. This way you can have the sort of limited editing experience that many organizations have been looking for. If you’re interested in the wiki/site based license or purchasing the commenter web part for your own uses, email my administrator.

Web Casts Rerecorded

Shortly after recording the first two web casts of the series for MSSharePointDeveloper.com I was notified that the demos were unworkable because the recorded area of the screen was too small. Last week I rerecorded the web cast for Web Parts and the one for Data Lists so that the demos are now easier to see. They’re available on the same URLs, so nothing has changed on that end. If you have problems with these please don’t hesitate to let me know.

Article Listing back Online

I mentioned a few days ago that my books project listing was back online. Well, I’m pleased to announce that my article listing is almost completely back online as well.
Why almost? Well, there are still a few entries that I know are missing — however, most of them are available now. You can look at a raw list of the articles, one nested by publisher, or one by publication date year and month.
One of the future projects will be to get them tagged by topic.

Books History back on line

On my old web site (ASP-based) I had a listing of books that I had worked on. It was one of those things that seemed to be a curiosity for folks as I always seemed to get comments on it. Sometimes it was NetWare being on the list, other times it was game programming. In any case, due to some help, the list is finally back online.
We’re working on getting the article list put back together as well; maybe I’ll be able to announce that it is complete soon.

SharePoint User Management Web Cast Questions and Answers

There are so many things I didn’t get to talk about in the user management talk. There’s so much more to say about the stuff I did get to. Here are the questions – and some answers from the web cast on user management.

Q: When you extend SharePoint to multiple zones so you can have one with forms based authentication, do you have one IIS virtual server/web application or multiple?
A: Multiple. Forms based authentication requires a few different web.config file entries.

Q: Is there a way to secure data based on the relationship to the data? i.e. allow sales folks to only see their customers?
A: It’s technically possible but not included out of the box and can be technically challenging.

Q: Did you have to set anonymous access on the web site for forms based authentication?
A: Yes.

Q: Can I send alerts to exchange distribution groups or AD security groups?
A: Yes, any entity that has an email address can receive alerts.

Q: When using SPWeb.DoesUserHavePermissions how do you resolve a role?
A: You don’t. You can, however, use SPWeb.RoleAssignments.GetAssignmentsByPrincipal(SPContext.Current.Web.CurrentUser) to retrieve roles for the current user.

Q: Where is the provider logging project that I spoke about?
A: http://www.codeplex.com/providerlogging

Q: Is there a way to programmatically tell if you’re using FBA or Windows Authentication?
A: Yes. I’d recommend that you look at Professional ASP.NET 2.0 Security, Membership, and Role Management for a more complete discussion about forms based authentication, users, etc. It will give you all the background. The short of it is that you can check the HTTP context to see if it’s anonymous. If you have a user and it’s an anonymous request you’re using FBA.

Q: How do you extend permissions at runtime?
A: Use SPSecurity.RunWithElevatedPrivileges() method. This will allow you to behave as if you are the application pool account. I recommend caution with this method.

Q: What is the difference between user management in WSS and MOSS?
A: There isn’t any. MOSS offers additional functionality in the form of user profiles but fundamentally this is new functionality not a change to base functionality.

Q: Are there best practices for user management on a portal that has 2000 users?
A: There aren’t best practices that are that generic. You need to decide if you’re going to manage users through AD groups or SharePoint groups.

Q: Some user management code works fine outside of SharePoint but not as a SharePoint Web service, do you know why?
A: No, but I’d turn off custom errors and set the call stack to true in the SharePoint tag of web.config to try to see the real error and the location.

Q: How do I use SharePoint Designer if I’m using forms based authentication?
A: I setup another URL, port, and web application which uses windows authentication and I point SharePoint Designer to that URL/port combination.

Q: How long are the audit entries stored?
A: Indefinitely – until you clear them.

Q: Is there any way to do mixed mode authentication using the same URL?
A: Technically it’s possible but it’s not easy nor recommended. Essentially you would have forms based authentication and would have it determine if the user could log in via windows authentication and if so write the forms based authentication cookie.

Q: Can user attributes containing private information like a phone number be hidden from SharePoint administrators?
A: No, in the demo in fact, I used policy for web applications to bypass all security for my forms based authorization user.

Q: What is the impact to SharePoint when auditing is enabled?
A: There’s no one answer. If you turn on auditing for views … it will be pretty big. If you enable for check ins, it won’t be that bad because check ins are a relatively small percentage of the overall transactions.

Q: Can we install SharePoint on Windows 2008?
A: Yes.

Q: Are there any good integrations with authorization manager (AzMan)?
A: None that I’ve seen.

Q: I’ve been having problems with people picker, are there any alternatives?
A: None that I know of. However, problems with people picker usually are caused by two things: 1) problems with Active Directory. It can’t resolve a global catalog server, there’s a DNS misconfiguration, etc. Stuff like having the server pointed at both external DNS and internal DNS causes all sorts of issues. 2) In FBA mode the people picker wildcards need to be set.

Q: Can auditing be used to do usage reporting?
A: Yes, this is the way Nintex Reporting 2008 does it.

Q: How can you set anonymous access restrictions per list rather than per site?
A: You can’t. You can, however, put a web part on pages that you don’t want anonymous users to see that redirects them off the page. I do this in some situations where I want to discourage them from seeing certain pieces of a site, but it’s not a security measure – it’s just an appearance issue. Technically the anonymous user would still have access to the data.

Q: Can you use a non-authenticated page for changing password, etc?
A: Yes, just treat it like a login page. See my article “Customize a SharePoint Login Page”

Q: If you have WSS 3 and it implements forms authentication and restricts content to specific users, do you have to have client access licenses?
A: I would have to refer you to a licensing specialist – however, I know that the most common license people forget when they expose WSS to the outside is a Windows Internet Connection license. (It’s bundled with Web Edition but not the other versions of Server)

Q: Can I have a list that contains permissions for a user?
A: No, you must use the permission constructs in the API.

Q: Can you extend auditing with your own events?
A: Yes.

Q: Can we use a different database for authentication?
A: Yes.

Q: Can we use a different database for authentication?
A: No.
