Tommy Segoro

INTRODUCTION

This is a series:
- Managing Risks in Sharepoint 1 – Aligning the Environments

In the previous article I mentioned about how quickly the content in our development/Test environments will be outdated. Sharepoint content database consists of:
- Sites
- User accounts added to Sharepoint
- Site Settings
- Pages
- Documents and list items
- Content types
- Meta-data
- Features activated
- etc

Within a day there may be a lot of activities happening in your Sharepoint farm including users uploading new documents, sub-sites are created, users are added/removed to/from SP, etc. In this opportunity I want to discuss about user permissions because if we are not careful, assigning correct permission to the wrong users will end up creating risks for your Sharepoint environment (or even breaking it).

Managing Risks in Sharepoint 2 – User Permissions

1. "Deny all then allow" rather than "allow all then deny"

By default I would deny EVERYONE then I would start giving permission to those who need to have access to Sharepoint.

2. Using AD Group and not "authenticated users"

Thou shall NOT give NT_AUTHORITYauthenticated_users a READ access to your portal. Why? Because it means that every domain user (ie. all users who have an AD account) will have read access to your portal. This can be dangerous.

For example, user A is a contractor, he has a temporary AD account. Logically, you would disable his account once his contract is finished but in this scenario you can't because you are using a third-party software or application that requires his AD account to be active. Since his AD account is still active, he will still be able access your portal. You want to remove him from everything else (including Portal) except the application that requires his AD account to be active. You can't do that, because at the moment you have "authenticated users" added as the Reader of your portal. If you remove "authenticated users" you would deny other people's access. I'm speaking from my own experience. At the moment, the farm I'm managing is a bit of a nightmare. We've had several complaints from people who suddenly lost their access simply because we tried to remove "authenticated users" from the Readers group.

So, if I'm given a second chance to rebuild the Portal, I would start with creating an Employees group in AD. Let's say it's called MYDOMAINEmployees. Within it I will add ALL employees' AD accounts (including contractors'). I would then add this domain group to Sharepoint. When there is a contractor who's just finished his contract, I can simply remove him from this AD group and he will no longer have access to the Sharepoint portal.

Note: Making sure that you "wrap" your AD group in a Sharepoint group. Sometimes you would have a nested AD Group within an AD group. Sharepoint will have problems (especially with the Audience functionality) if this is the case. There is a patch that Microsoft releases that will fix this nested AD group problem but for it to work you have to add the AD group (that has nested AD groups) into a Sharepoint group.

So, I would create an Employees Sharepoint group that has READ permission then I'll add the MYDOMAINEmployees group to this SP group.

3. Don't let user modifying your content types and meta-data

ALL custom meta-data and content-types HAVE TO BE – in some way – DOCUMENTED! It can be done either through manual documentation or deployed through Visual Studio using solutions/features deployment. I personally use feature and solution deployment for all of my custom content types and features. I will NOT give general users (even site/department owners/managers) permission to add content-types and meta-data. From my experience with Sharepoint, content-types and meta-data are the core part of your farm. I've had lots of problems before when content-types and meta-data are not defined correctly.

At this very moment, I can no longer use the "Add from existing site column" functionality from the GUI because I got an error message whenever I'm trying to do so. The error message is something like "An object cannot have the same ID" or something like that. At the moment, whenever I want to attach an existing site column to an existing content type, I have to use the object model.

Once again I'm speaking through my experience. I will not let general employees (unless SP developers/administrators) access to add custom content-type and meta-data.

4. Break permission inheritance

Based on the "deny all then allow" principal, I would not hesitant to break permission inheritance for departmental sites. This means that ALL other users (other than deparmental users) are denied access unless stated otherwise. For example, I created a HR site, I will deny ALL users but HR people. I will only give general users access to some (or little) part of HR site that are meant to be shown to public.

Once again, always use an AD group wrapped in a Sharepoint group. I would never add an individual user to Sharepoint unless it's very-very needed because security maintenance will not be easy (ie. you won't know/remember who has access to what if you start adding individual users to Sharepoint).

Note: It's better to accidentally hide public documents rather than deliberately – by default – show private documents. Your documentation (in terms of who has access to what) needs to also be very complete and tight.

CONCLUSIONS

So there you go. Please share your experience. On the next series I would talk more about the development side of things.

Cheers,
Tommy

INTRODUCTION

I just want to share with you my experience in managing Sharepoint environments (both server and custom code). Before, I came from a development background and purely think as a developer. As a developer, I used to think that as long as my code is bug-free and memory-leak-free then I'm safe.

Now, I've got some experience in managing the servers, I can share with you the things that we have to be aware of more than just having a bug-free and memory-leak-free code. This article will (as usual) come in series so if you're interested, please stay tuned and read the series. I also would also like to see comments and sharings from you so that we can all learn from each other.

MANAGING RISKS 1: KEEP YOUR ENVIRONMENTS ALIGNED

The Sharepoint environment I'm currently working on has the following server topology:

- 1 DB
- 2 WFE
- 1 Central Admin
- 1 Indexing Server

The same topology was also created for Test (yes, it's EXTREMELY important to have a Test environment for Sharepoint just like general .NET development). The goal is whenever we deploy things (code, solutions, features, etc) to Test, we would expect the same results in Production (ie. if it fails in Test then it will fail in Prod and vice-versa).

The idea is great but the problem is, this client's Test and Production weren't installed by the same person. One person setup the Prod and another person setup Test. Hence, we now have different settings and configurations in both Test and Prod.

This will create a huge risk, because if we deploy things in Test, we can never guarantee that the same would succeed in Production even if they successfully pass testings in Test.

Therefore, the very-very first step I would do is to ensure that both Test and Production are aligned. These are (and not limited to):
- The server topology
- The user accounts used to run MOSS/Sharepoint services (Search, SSP, etc etc)
- The configurations (SSP config, Central Admin config, email settings, etc)
- The solutions installed
- The features activated
- The code and DLL deployed (even third party DLLs such as stsadm extensions, etc)
- Web.config settings
- IIS settings
- SQL server settings
- AD settings for each user account used in Test and Prod
- The resource settings for both Prod and Test (RAM, Hard Disks, Processor Utilization, etc)

By ensuring that the settings above are the same for both Test and Prod, we can now expect that the deployment results will be exactly the same. If your deployment breaks in Test then it will most likely break in Production.

TAKE IT FURTHER

I would actually like to take this further. Even the developers' machine – although it's impossible to create the topology within each developer's machine - is at least installed using Test/Prod user accounts and configured using exactly the same configuration. This has worked really-really well for me. I can now be very confident that whatever fails on my machine will also fail in Test and Prod and vice versa (whatever succeeds on my machine will also succeed in Test and Prod).

DOCUMENTATION

This is the bit that I HATE! As a developer, there is nothing worse than writing a documentation. Anyway, it's EXTREMELY important to document the setup process for both Test and Prod. Take screenshots as you go through each step and document them. You can use MS Word to Copy Paste things easily or even OneNote with its screen clipping feature. It's really-really handy. Just like taking your wedding photographs for memory, that's how valuable documentation is for us.

From my experience, I will forget within one day what steps I took to setup MOSS. So guys…get your documentation tight.

STILL THERE IS ONE RISK LEFT

The CONTENT DATABASE is the major risk. You would never be able to always align content database. You will be surprised how quickly the content in your machine and in Test are outdated. People will upload more and more documents in Prod and even worse, some of the users are stupid enough to create content types and meta-data directly in Prod!

I'll discuss about this more later.

Hope this helps and please stay tuned for next series,
Tommy

INTRODUCTION

We just completed a MOSS server rebuild project which we managed to align both Production and Test environments with exactly the same topology and configurations. We installed using the exactly the same user accounts, configurations and even the list of features and solutions. After we configured the farm, we then took Production's latest database backup and restore it in Test. Everything worked perfectly except one thing:

The manual links in navigation menu items are not updated.

You know that in MOSS you can go to Site Actions -> Site Settings -> Modify Navigation, right? And we can create external/manual links, correct? The problem is, some of the users have created links that point to a document/page within MOSS but using static URL instead of relative. The problem is, these manual/static links are NOT updated after database restore to a different environment.

For example:
http://intranet/Pages/Home.aspx is meant to be updated to http://test-intranet/Pages/Home.aspx.

This will create a huge risk because we've actually had problem before when user thought they're still in Test but they're actually in Production. And guess what…he deleted a site that he thought was in Test.

SOLUTION

Anyway, to cut the long story short, I've managed to come up with a very simple SQL statement (which some of you must have known anyway) that can allow us to modify static links into relative links:

update navnodes set url = REPLACE ( url , 'http://intranet' , '' ) where url like '%http://intranet%'

The above statement will update ALL static links in navnodes table (which is the table used by MOSS navigation control) and remove any static reference to any page/document within MOSS.

WHAT LINKS ARE UPDATED BY DB RESTORE?

- Links within content query web-part or page content field

- Automatic links that are created by MOSS in navigation items as a result of creating a page/sub-site

WHAT LINKS ARE NOT UPDATED?

- Manual/static links in MOSS Navigation Items although they may point to a page/document within Sharepoint itself

Hope this helps,
Tommy

INTRODUCTION

Hi everyone,

I've just recently released CompleteSharepoint.NET v2.0, please see http://www.completesharepoint.net for more details. I've also written a blog article about it /tommysegoro/archive/2009/05/18/completesharepoint-net-v2-0-content-management-system-cms-built-on-top-of-wss-3-0.aspx.

I've got some queries from some people that have tried to install it and they have problems with it. I've tried to install it on Microsoft's WSS VPC and it actually worked totally fine! So I'm sure there may have been some missing steps.

Anyway, I've just released a Developers Guide (available from both CodePlex http://www.codeplex.com/completesharepoint or from http://www.completesharepoint.net itself) that will provide installation and customization/development instructions.

My friend Jeremy has written an article about it at http://wss.made4the.net/archive/2009/05/18/reviewing-open-source-sharepoint-products-first-look-at-completesharepoint-net-v2-0.aspx and seems that he himself had trouble with. He said that the application didn't run on a clean environment while I've installed it on three different environments (including Microsoft WSS VPC) and they all worked fine. So I need you all to help me by installing CS.NET on your machine and let me know what the outcome is.

Anyway, with the Developers Guide, I hope that it will help you with the installation of CompleteSharepoint.NET.

Please contribute to my blog or sending me emails regarding issues/problems/comments of CompleteSharepoint.NET. I promise that I will keep improving this application and I'm sure – based on comments made by some of my colleagues around the world who have used it – that this application has a lot of potentials and will help a lot of people.

So please keep supporting me guys, I would love to hear a lot of comments and suggestions.

Cheers,
Tommy

INTRODUCTION

Hi everyone, I thought I would love to share with you my latest development. I've ever written CompleteSharepoint 1.0 that was released months ago. It's basically a CMS built on top of WSS. It's meant to be an alternative to MOSS. You will not want to spend $50K on a simple information website with MOSS, will you? Well, I won't.

Anyway, I've released version 1.0 which has a lot of defects of course. I've now re-written the code to be a lot better and I've just released v2.0 last night. Please go to http://www.completesharepoint.net for more information.

Some of the features are:
- Page editing toolbar
- Versioning
- Page edit mode
- Custom content type
- Custom page layouts and master pages
- etc

Below are some screenshots:

 Create Publishing Page

Publishing Page – Display Mode

Publishing Page – Edit Mode

Page Editing Toolbar – Edit Mode

INTRODUCTION

I can access my Sharepoint site from remote machine's browser but not from the Sharepoint machine that hosts that site. I keep getting authentication box whenever I tried to access the Sharepoint site and its sub-sites/sub-folders/pages.

The fix is actually to disable security check on loopback in registry.

http://support.microsoft.com/kb/896861

Hope this helps,

Tommy

INTRODUCTION

Just thought of sharing this with you as I was blessed with a beautiful girl of whom I just proposed yesterday. Anyway, please visit our website at http://www.tommyfrancesca.com and it's fully created using CompleteSharepoint.NET (http://www.completesharepoint.net) – a content management system built on top of WSS 3.0. Cheers everyone.

INTRODUCTION

Several months ago I wrote a simple Content Management System (CMS) built on top of WSS 3.0 called CompleteSharepoint.NET (http://www.completesharepoint.net). I've just got a client who is currently using it in action.

http://www.bmuu.com.au

For more information about CompleteSharepoint.NET please go to http://www.completesharepoint.net or http://www.codeplex.com/completesharepoint. Please note that this is still in BETA and will have ongoing code upgrade.

Cheers,
Tommy

INTRODUCTION

Last week I had this problem where search service couldn't index my Sharepoint site. It said that access is denied and asked me to make sure that I'm using the correct content access account. The exact error message was as below:

Access is denied. Check that the Default Content Access Account has access to this content, or add a crawl rule to crawl this content. (The item was deleted because it was either not found or the crawler was denied access to it.)

I have done the following:
- Add the default content access account as a Farm Administrator
- Add the default content access account as a Site Collection Administrator
- Add the default content access account as SYSADMIN on ALL Sharepoint-related tables in SQL Server (including Sharepoint_Config)
- Add the default content access account as a local Administrator

I've done everything and given full access to the default content access account to everything but yet I still couldn't get rid of the problem.

SOLUTION

The solution is somehow something not too related to Sharepoint. Please check out http://support.microsoft.com/kb/896861.

That's it!

I've got the following infrastructure configuration
- Proxy is set in Internet Explorer for Internet access although accessing the Intranet should bypass proxy.
- To access local resource (ie. Sharepoint instance on my local machine) I can't edit the HOSTS file freely simply because we have proxy setup. Therefore, I have to use mydomain.local suffix (eg. http://intranet-devlocal.mydomain.local).
- When I configure the content source to use http://intranet-devlocal.mydomain.local, it says that it can't find the Sharepoint site.
- So I had to then create an alternate access mapping with the name http://intranet-devlocal. It could then find the Sharepoint site but I then had that access denied error.

Hope that this helps everyone who experiences the same problem.

Tommy

INTRODUCTION

I'm currently working at a client site who has the following Sharepoint Intranet farm configuration:
- 2 Web Front End (WFE) servers
- 1 Central Admin server
- 1 Indexing server
- 1 Database

There is a load balancer that should balance the load between the 2 WFE however it doesn't work properly. Somehow, the load balancer always points to the first WFE. Therefore, if you access http://intranet it always points to the first WFE.

The Intranet works OK everyday until one point few months ago it started to return the incorrect version of the document. For example, you upload a document and check-in as version 0.1. When you navigate to the document via the URL directly (eg. http://intranet/DocumentLibrary/MyDoc.doc) it returns you version 0.1 which is correct. Then you upload a new version of the document, override the old version and check-in to become version 0.2. Now, when you navigate directly to the URL of the document, somehow Sharepoint returns it with version 0.1. What's strange is, this only happens on the first WFE. If you force-point http://intranet to the second WFE via editing HOSTS file, you get the correct version of the document!

We have looked at this problem for quiet some time now and we finally resolve it after few weeks of investigation. We know that there must be something different (configuration, etc) on first WFE compared to the second one because the second WFE always returns the correct version of the document. Therefore, this is what we've done:
- Checking and comparing IIS settings
- Checking and comparing web.config settings
- Checking Sharepoint cache settings
- Checking load balancer cache settings
- Checking the actual document data in SP database! Yep, we actually went into Sharepoint DB and looked for that particular document in AllDocs table and the data that is stored in the DB is actually correct (ie. the newer version is stored correctly)

SOLUTION

So, what's the problem then? The DB clearly stores the latest version of the document so there is no reason for Sharepoint to return the incorrect version of the document. After further investigation we actually found out that the problem was actually with the BLOB CACHE settings! In web.config someone has turned on BLOBCACHE and somehow the cached documents in first WFE aren't synced with second WFE's. When we clear the BLOB CACHE folder of first WFE, it starts to return the CORRECT version of the document! So from this moment on, we will ensure that the blob cache folder content is synched between first WFE and second WFE.

If anyone has ever had the same problem, this may help.

Cheers,
Tommy