Friday, March 28, 2008
401 Error when trying to create MySite (personal site) in SharePoint 2007
Wednesday, March 26, 2008
Value cannot be null error When Trying to View a SharePoint Site
Configuring SharePoint 2007 to Display Errors
Tuesday, March 25, 2008
Backing up and Restoring SharePoint 2007 Sites and Site Collections
--
Restore Errors
DCOM Permissions
If your restore fails with a log referencing "UnauthorizedAccessException" referencing a COM class with a long CLSID and error number 80070005, you've got a COM Config permissions problem. This error is accompanied by a system event log like the one below.
{3D42CCB1-4665-4620-92A3-478F47389230}
to the user domain\databaseconnectuser SID (S-1-5-21-2142909598-1293495619-134157935-85307). This security permission can be modified using the Component Services administrative tool.
As the event log error indicates, the fix for this is to use the Component Services tool (dcomcnfg.exe) to give Local Activation permissions to the user listed. Here's the rub: you don't at this time know which COM class to modify. To figure that out, search in the registry for the CLSID as referenced in the event log and restore log.
The registry search will give you the name of the com class. Unless it doesn't: a common class to have this problem is OSearch. If, when you search the registry, you see "Microsoft Office SharePoint Server Search Gathering Manger", the name you'll look for in the component services tool is OSearch.
By the way, you're looking in the DCOM Config tree in Component Services, as in this screen shot.
Right-click on the appropriate class and select Properties. Then click on the Security tab and edit the Launch and Activation Permissions.
Add the user that is mentioned in the event log, and give that user local launch and local activation permissions.
Finally, restart IIS with a iisreset /noforce. That should take care of this error.
Web Site Is In Use Restore Error
Especially if you've set up multiple SharePoint sites using host headers and SSL, you'll likely end up with the following error when trying to restore the web application:
You must select another port or hostname.
The issue is that SharePoint, in restoring the IIS sites, doesn't restore the host headers, as well. Hard to figure out why, but there you have it. Moreover, this error isn't a IIS error, which is to say that, even if you fix the alleged conflict, SharePoint still will error out on the restore, because it still thinks there's a problem.
So you have to do one of two things: customize the settings when you restore the web applications (to use different port numbers), or restore them one at a time, configuring each after the individual restore to use host headers. In either case, to end up with the original URLs, you'll have to do some fiddling after the restore is complete.
In short: you want to restore the web applications, such that you've got the content back. Having done that, you can re-create the web sites, using the Extend an existing Web application component of SharePoint's Application Management.
Extend the newly-restored web application to a new IIS web site, using the appropriate port number and URL. Once you've extended it, you can go back and "Remove SharePoint from IIS Web site." Using the remove function, you can delete the unwanted site, leaving only the desired URL.
Sunday, March 16, 2008
Rebuilding RPMs in RHEL
Saturday, March 15, 2008
Using 'Alternatives' in Linux to use a different Java package
This post shows how to install Sun's java implementation alongside the Linux default GNU java.
Installing Sun Java alongside the default GNU java
Sun's java isn't installed by default on RedHat systems. This is because Sun hasn't licensed it for RedHat's distribution. Instead, Linux ships with an open source alternative, GNU Java. It's based on Sun's Java implementation, and--in part because of that--it's always a version or two behind Sun. In all, it's a very good implementation, but sometimes--as in the case with DSpace--it's necessary to use Sun's Java, instead.
We don't want to remove the Gnu Java; we'll install Sun's alongside it.
Thursday, March 13, 2008
Using SSL with a Wildcard Certificate on Multiple Apache Sites
Setting up SSL virtual hosts in linux (specifically RHEL and CentOS, but the steps are similar in other distros) isn't hard, and--to correct a common misperception--it is possible to have multiple SSL virtual hosts running under apache using host headers. To be clear: you don't have to use separate IP addresses or different port numbers in order to have multiple SSL sites under apache.
In short, the process involves creating multiple SSL virtual hosts, each with its own host header (ServerName in apache parlance), and adding the same wildcard SSL certificate to each of the sites. There are a variety of ways to create a certificate, and you can see many of them discussed with a simple Google search. In our case, we'll use genkey from crypto-utils. Feel free to use any utility you'd like
Wednesday, March 12, 2008
Multiple SSL Sites on a Single IIS Server Using Host Headers
So you read about these things, wildcard certificates, but mostly you read about how to buy them. It is possible (and easy) to create one for yourself, however, so long as you don't mind it not being trusted by folks' browsers. There are some really good uses for these, not least in a test environment in which you don't care about the trust.
Production environments need them, too, sometimes, such as when you're using a network appliance like a Netscaler or F5 load balancer. Those devices allow you to point multiple URLs (cnames, really) to a single (or multiple) server(s). Very handy.
In our case, we have several web sites that we'd like to secure using SSL. Problem is: they're all on a single server. There are several options for dealing with such a case: assign multiple IP addresses to the server, use different SSL ports for each IIS site, or (definitely the coolest option) use a wildcard certificate on the server to allow IIS to decipher the http host header. This option, by the way, is a new feature with IIS 6, so if there's anyone out there still using IIS v5, this is another reason to upgrade.
Tuesday, March 11, 2008
LDAP Authentication in Mediawiki
LDAP Authentication
This is a big one. It can be got from the MediaWiki Extensions Site. The instructions are pretty tough to follow, but it does work.Here are our settings in LocalSettings.php, in which the user is authenticated against the domain, and all users except those in a select group are disallowed from logging in.
A note about SSL encryption
SSL encryption is necessary to ensure this is a secure process. Especially given that we're talking about domain usernames and passwords. So first, make sure that the apache server is requiring https when accessing the wiki. Second, for the SSL piece of the LDAP authentication to work, the wiki server has to recognize and trust the root CA of the LDAP server (or, in our case, the LDAP virtual IP fronted by a netscaler device). I hope to have instructions on doing this piece posted soon. In any case, please do this before going further.
LocalSettings.php Contents
#$wgLDAPDebug = 6;
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "DOMAINNAME");
$wgLDAPServerNames = array( "DOMAINNAME"=>"ldapserver.FQDN" );
$wgLDAPSearchStrings = array( "domainname"=>"DOMAINNAME\\USER-NAME" );
$wgLDAPEncryptionType = array( "domainname"=>"ssl" );
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( "domainname"=>"dc=tcu,dc=edu" );
$wgLDAPSearchAttributes = array( "domainname"=>"sAMAccountName" );
#Everything above is for simple LDAP authentication; the stuff below is for group syncronization
#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPRequiredGroups = array( "domainname"=>array("Fully qualified LDAP cn structure goes here") );
$wgLDAPGroupUseFullDN = array( "domainname"=>true );
$wgLDAPLowerCaseUsername = array( "domainname"=>true, );
$wgLDAPGroupObjectclass = array( "domainname"=>"group" );
$wgLDAPGroupAttribute = array( "domainname"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "domainname"=>true );
$wgLDAPUseLDAPGroups = array( "domainname"=>"true" );
$wgLDAPGroupNameAttribute = array( "domainname"=>"cn" );
#Adding new groups to the list of possible groups. This value (the group name)
#also needs to be added to the user_groups table in the database. That happens manually.
$wgGroupPermissions['groupname']['edit']= true;
Likewise, $wgLDAPRequiredGroups is very specific, and if it's not just right, the whole thing will break. Note that ldapsearch--a piece of openssl--can be an extremely useful tool in determining the correct settings for all of this. If you're using linux, you very likely already will have this tool. If you're using Windows, dsget is an equivalent (as a part of Windows Server) that can really help you out of a jam. Many will recommend a web-base ldap browser, but, honestly, I think the command-line tools like ldapsearch and dsget are much easier to use and set up.
If you're having difficulty, uncomment the $wgLDAPDebug line, and it'll provide a lot of useful debugging information within the browser session.
User Rights Management
User rights management is done through groups. We use the domain groups for this purpose, but it's also necessary to tell MediaWiki about the groups, and how we'll use them. This is done in a single step:Defining group rights
Edit the LocalSettings.php file and add lines as below:$wgGroupPermissions['*' ]['read'] = false;
$wgGroupPermissions['*' ]['edit'] = false;
$wgGroupPermissions['tcudba']['edit'] = true;
$wgGroupPermissions['user' ]['move'] = false;
$wgGroupPermissions['user' ]['read'] = true;
$wgGroupPermissions['user' ]['edit'] = false;
$wgGroupPermissions['user' ]['upload'] = false;
There are a variety of possible permissions, which are detailed here. The table below shows a few of the more relevant permissions:
Permission | Description |
read | allows viewing pages not defined in $wgWhitelistRead |
edit | allows editing unprotected pages. |
createpage | allows the creation of new pages (requires the edit right). |
move | allows renaming page titles. |
upload | allows the creation of new images and files. |
createaccount | allows the creation of new user accounts. |
delete | allows the deletion of edits and pages. |
Modifying User Groups
An easy way to modify the Mediawiki database is to use PHPmyAdmin. Of course, whether you use a GUI or the command line, the data to modify is the same.After logging in to phpmyadmin, select the WIKIDB database on the left. Then select the user_groups table and click on the browse button. You'll see the userid and group name of all the users. Note that the userid is a number; you have to use the users table to find out which userid corresponds to which username. Use this method to get back as a sysop in the wiki if you've accidentally removed yourself from that group. If you're still a sysop, you simply can use the special:userrights page.
Troubleshooting
If you receive the error basedn is not set for this type of entry, trying to get the default basedn, that means that the $wgLDAPBaseDNs variable isn't set correctly. At the time of this writing, the correct value for that is$wgLDAPBaseDNs = array( "tcu"=>"dc=tcu,dc=edu" );
The following commands also can be helpful in determining if your system is set up correctly:
Manually Adding a User to a Group in Mediawiki
The other 'power' group is sysop:
To find out which user_id you want to use, execute the following:
Copying SQL Server 2005 logins from one instance to another
SharePoint with SQL Server Mirroring
- Microsoft SQL Server Mirroring with SharePoint Unfortunately, this document is almost entirely instructions on how to set up database mirroring in SQL Server. If you're a DBA, this is not useful information to you, and if you're not a DBA, you're likely going to use the SQL Server GUI to implement database mirroring, anyway (the white paper gives instructions on mirroring through T-SQL commands). Happily, though, there is a bit on configuring SharePoint to use the mirror database in the event of a failover. In short: you use the SQL Alias feature (through cliconfg.exe) on the front-end web server(s). This is the method we ended up using.
- Mirror the SQL Server databases
- Ensure the SharePoint login accounts can access the mirror DB server
- Configure the SharePoint front-end web server(s) to allow for failover
\\HKLM\Softare\Microsoft\MSSQLServer\Client\ConnectTo\
While the 32-bit compatible key is at\\HKLM\Software\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo\
A TCP Alias breaks down something like this: DBMSSOCN,servername,4984 Where DBMSSOCN refers to TCP, servername is the server name, and 4984 is the port number. A Named Pipes Alias, on the other hand: DBNMPNTW,\\servername\PIPE\MSSQL$spstg\sql\query Where DBNMPNTW refers to Named Pipes, servername is the server name, and $spstg is the instance name. Once you've got these registry keys set, it's a simple matter of changing the server name (and port, if necessary) in the alias after a failover. This will point SharePoint to the mirror DB server instead of to the primary. If you're comfortable doing this, changing the registry directly is quite sufficient. If not, you can edit the alias with the cliconfg.exe application. After changing the alias, it's prudent to go ahead and reset IIS. You can simply run the IISRESET command from the command line to do this. It should be pointed out again that, while SQL Server DB mirroring is on a database-level (that is, a single database within an instance can fail over to the mirror), SharePoint, for the most part, treats the SQL Server instance as a unit. While it's possible to use STSADM to rename a server for a particular database, this seems like more work than is necessary. To do this failover automatically requires another step, and it's one that we're still working on. I'll post that as we move closer to that goal.