# Tuesday, December 23, 2008

I've been working with a client this week getting Kerberos working on their SharePoint farm. As you would expect, I spent most of my time working out which SPNs needed to be created.

I created a simple little tool that will help you sort out the basic SPNs: SharePoint Kerberos SPN Creation Tool

 


The idea is that you enter the details about your farm and the tool will generate the SPNs that you need to create (you can copy / paste from this site into your console window).

The client I was working with had a much more complex farm that included Reporting Services, Analysis Services and proxy servers that all needed SPNs. This tool doesn't cover those types of farms, but it will help you get the base portal services up and running; then you can work out which SPNs to create in order to get the rest of the services functioning.

Don’t forget that you’ll also need to set up delegation for each of the accounts. By far the best SharePoint Kerberos reference is: http://blogs.msdn.com/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx
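The kind of output such a tool produces, as an added example (this is not the tool's own code): a PowerShell sketch that builds `setspn` commands for each service under both its short and fully qualified host name, and stops if one SPN would end up on two accounts. The domain, host and account names and the function names `Get-SpnPlan` and `Test-SpnPlan` are constructed for illustration.

```powershell
# Added example. Farm data below is constructed; replace it with your own.
$DomainFqdn = 'example.local'
$Services = @(
    [pscustomobject]@{ Class = 'HTTP';     Host = 'portal'; Port = $null; Account = 'EXAMPLE\svc-portal' }
    [pscustomobject]@{ Class = 'HTTP';     Host = 'mysite'; Port = $null; Account = 'EXAMPLE\svc-mysite' }
    [pscustomobject]@{ Class = 'MSSQLSvc'; Host = 'sql01';  Port = 1433;  Account = 'EXAMPLE\svc-sql' }
)

function Get-SpnPlan {
    param([object[]]$Services, [string]$DomainFqdn)
    foreach ($svc in $Services) {
        # Plan both the short name and the FQDN: clients may ask for either.
        foreach ($name in @($svc.Host, "$($svc.Host).$DomainFqdn")) {
            $spn = "$($svc.Class)/$name"
            if ($svc.Port) { $spn = "${spn}:$($svc.Port)" }
            [pscustomobject]@{ Spn = $spn; Account = $svc.Account }
        }
    }
}

function Test-SpnPlan {
    param([object[]]$Plan)
    # An SPN must map to exactly one account. If two accounts hold the same
    # SPN, the KDC cannot tell which account's key to use and Kerberos fails.
    $Plan | Group-Object { $_.Spn.ToLowerInvariant() } |
        Where-Object { @($_.Group.Account | Sort-Object -Unique).Count -gt 1 }
}

$plan = Get-SpnPlan -Services $Services -DomainFqdn $DomainFqdn
$conflicts = Test-SpnPlan -Plan $plan
if ($conflicts) {
    $conflicts | ForEach-Object {
        Write-Warning "SPN $($_.Name) is planned for: $($_.Group.Account -join ', ')"
    }
    throw 'Resolve duplicate SPNs before registering anything.'
}

# -S (Windows Server 2008 and later) checks the directory for an existing
# copy of the SPN before adding it.
$plan | ForEach-Object { "setspn -S $($_.Spn) $($_.Account)" }
```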

Tuesday, December 23, 2008 9:47:00 AM (E. Australia Standard Time, UTC+10:00)  #    Comments [1] - Trackback
Kerberos | Sharepoint | Tip
# Saturday, December 20, 2008

I've written a web part that can help you insert JavaScript into a SharePoint page. Currently there is nothing stopping you using a content editor web part, but it has a few limitations. First is the fact that the JavaScript doesn't stand out: people may think that the content inside the editor is blank, when in fact it contains JavaScript.

By having a dedicated web part for JavaScript it becomes clearer that JavaScript lives on the page. We can also add a few features that make working with JavaScript a little easier.

 


I've set the chrome state to None by default, so you won't see the web part at all during normal render time (only design time).

 

The properties:

 


Page load JavaScript: This can be any JavaScript that you want to run when jQuery loads, that is, any code you want to live inside of:

$(document).ready(function(){});

Something cool to try out (from EndUserSharePoint): try adding $('#LeftNavigationAreaCell').toggle(); This will hide the left-hand navigation.

 

Page level JavaScript: This is JavaScript that you just want to live on the page. It could be globally scoped variables or some functions that you have defined.

 

Script Includes: Each new line can be the URL to a JavaScript file to be included in the page. This is particularly useful for including jQuery plugins.

 

Use Google Libraries: Just a little novelty. It will use the Google Ajax APIs to load jQuery instead of the embedded jQuery resource.

 

You can have multiple web parts on the same page. The best bit about this is that all the code will be output into one place, so if you have one web part with some page load JavaScript that has, say, alert('load'); and another that includes the left nav cell hide from above, the result in the page would be:

$(document).ready(function(){ alert('load'); $('#LeftNavigationAreaCell').toggle(); });

 

After you deploy the solution, be sure to activate the feature under ‘site features’:

 


You can download the solution package from here.

Saturday, December 20, 2008 2:08:00 AM (E. Australia Standard Time, UTC+10:00)  #    Comments [1] - Trackback
code | JQuery | Sharepoint

A while ago I wrote a little tag cloud web part. I've updated that web part so that it has its own solution package and can be used stand-alone.

 

After you install and deploy the solution, make sure you activate the tag cloud feature in 'site features'.

Let's take the example of adding tags to a standard events calendar.

 

First add a new column named ‘tags’ to the events list.


Add the tag cloud web part to the page and set the following properties:


You can also specify the URL that each tag links to. By default it will link to the search center and try to search on the metadata property of the tag field, i.e. "/SearchCenter/Pages/Results.aspx?k={tagfield}:{tag}". Using this format, however, you could link to any page and then maybe use a query string filter web part to pull the tag from the URL.

The final web part looks like:

 


You can download the solution from here.

Saturday, December 20, 2008 12:13:00 AM (E. Australia Standard Time, UTC+10:00)  #    Comments [0] - Trackback
code | Sharepoint
# Friday, December 19, 2008

This week I ran into an interesting problem. When adding a workflow to a content type we saw the following error:

 

Unable to validate data. at System.Web.Configuration.MachineKeySection.GetDecodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Int32& dataLength) at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString)

 

I did the normal thing and searched on Google, only to find this KB (http://support.microsoft.com/kb/928028), which describes the error message. It gives the solution as ensuring that SharePoint is installed with the same path on each of the servers. This seemed odd, since all our servers have a standard build.

The error message indicated that the view state has been modified between postbacks, so it was back to the drawing board looking for a solution that involved some change that could possibly have some effect on the view state. After talking with the designer it turned out that he had made some changes to the application.master page. We replaced the altered file with a backed up version of the application.master and sure enough the workflow could be added without any issues.

After a bit more experimentation it turned out that the problem was with this:

<SharePoint:DelegateControl ID="MyDelegateControl" runat="server" controlId="SmallSearchInputBox" />

It seems that the small search box alters the view state in some way to cause it not to validate on postback.

 

Hopefully this will save someone else the hassle of this error.

Friday, December 19, 2008 9:50:00 PM (E. Australia Standard Time, UTC+10:00)  #    Comments [0] - Trackback
Sharepoint | Tip
# Wednesday, December 17, 2008

I've been setting up Kerberos for a client that is using Windows Server 2008, and I've found the following:

 

Windows Server 2008 uses http.sys, a kernel mode driver designed to intercept web requests at the kernel level (thus improving performance), so it requires a little more configuration. By default http.sys handles the authentication request using the local system account, not the application pool account. This causes problems if you want to use Kerberos, because the service ticket is encrypted with the key of the account that holds the SPN (the application pool account), which the local system account cannot decrypt. The solution is the following:

In the applicationHost.config file (located at: <system drive>/windows/System32/inetsrv/applicationHost.config)

 

Find the following xml fragment:

 

<configuration><system.webServer><security><authentication>

 

Change the windows authentication node:

 

<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

 

This just tells the http.sys kernel module to use the application pool credentials.
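A way to check the setting across a whole configuration file, as an added example (not from the original post): a PowerShell sketch that lists every `windowsAuthentication` node, including ones inside `<location>` blocks, and marks those where kernel mode is not switched off and `useAppPoolCredentials` is not written as true. The XML fragment, the site name "Portal" and the function name `Get-WindowsAuthAudit` are constructed; on a server, load your own applicationHost.config into `$config` instead.

```powershell
# Added example: constructed configuration fragment (the site name is made up).
[xml]$config = @'
<configuration>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
  </authentication></security></system.webServer>
  <location path="Portal">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

function Get-WindowsAuthAudit {
    param([xml]$Config)
    foreach ($node in $Config.SelectNodes('//windowsAuthentication')) {
        # A node inside <location path="..."> applies to that site only.
        $location = $node.SelectSingleNode('ancestor::location')
        $scope = if ($location) { $location.GetAttribute('path') } else { '(server level)' }
        $enabled = $node.GetAttribute('enabled') -eq 'true'
        # GetAttribute returns '' when the attribute is not written on this node.
        $kernel  = $node.GetAttribute('useKernelMode')
        $appPool = $node.GetAttribute('useAppPoolCredentials')
        [pscustomobject]@{
            Scope                 = $scope
            Enabled               = $enabled
            UseKernelMode         = $kernel
            UseAppPoolCredentials = $appPool
            # Kernel mode not switched off and app pool credentials not switched
            # on at this node: check the effective value for this scope.
            NeedsReview = $enabled -and ($kernel -ne 'false') -and ($appPool -ne 'true')
        }
    }
}

Get-WindowsAuthAudit -Config $config | Format-Table -AutoSize
```

With the constructed fragment, the server-level node passes and the "Portal" node is marked for review because it does not set `useAppPoolCredentials` itself.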

 

Enable Kerberos logging:

 

Run regedit:

Find: HKEY_LOCAL_MACHINE / SYSTEM / CurrentControlSet / LSA / Kerberos / Parameters

 

Add a new DWORD entry named LogLevel and set its value to 1.

 

On Windows Server 2008 this will take effect immediately.

 

Now that logging has been turned on, you might want to reference the Common Kerberos Error Codes: http://support.microsoft.com/kb/230476

These error messages will show up in the System Tab of the Event Viewer.

 

Of course there are a few more steps involved in setting up Kerberos, but hopefully this will help with the Windows Server 2008-specific problems.

Wednesday, December 17, 2008 8:57:00 PM (E. Australia Standard Time, UTC+10:00)  #    Comments [0] - Trackback
Tip
# Wednesday, December 10, 2008

The latest patch Tuesday includes the following for SharePoint:

 

Executive Summary

This security update resolves a privately reported vulnerability. The vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure.

 

 

You should seriously consider this patch and apply it.

Wednesday, December 10, 2008 9:25:00 PM (E. Australia Standard Time, UTC+10:00)  #    Comments [0] - Trackback
Security | Sharepoint

I was recently asked a question around this scenario:

If you log into a SharePoint Portal by using the 'Sign in as Different User' button as User2, it works fine; however, when you click on the 'MySite' link it will show the MySite of User1, not User2 as you would expect.

I should also point out that the MySite and Portal are running in separate web applications (this should give away the answer).

 

What is happening here is that when you click on the MySite link, that web application asks the browser for the user's authentication details. Since it is a different URL (because it's running in a separate web application, it will be a subdomain or even a different domain name), the browser forwards the logged-in user's credentials, i.e. User1's (provided that the site is in the local intranet zone). The browser does not keep User2's credentials and will not forward them on. The end effect is the scenario described above, which may seem odd to the end user.

The only way to get around this is to use the 'RunAs' command from Windows and run the browser process as User2.

 

What we've normally found is that the 'Sign in as Different User' option is only used by power users, and these people will generally understand the problem if you explain it to them.

Wednesday, December 10, 2008 9:16:00 PM (E. Australia Standard Time, UTC+10:00)  #    Comments [0] - Trackback
Sharepoint | Tip
# Tuesday, December 09, 2008

Just a quick note to point out the following link: http://www.visifire.com/

They provide open source Silverlight and WPF charts:

 


Worth remembering next time you want to add a rich chart to your applications.

Tuesday, December 09, 2008 9:09:00 PM (E. Australia Standard Time, UTC+10:00)  #    Comments [0] - Trackback
Silverlight | Tip