Creating Shared Hosting Solutions on Windows SharePoint Services 3.

0

Prepared by Microsoft Consulting Services, West Region

Version .1.0

Prepared by Mannan Mohammed, Sr. Architect Saivendra Kayal, Principal Consultant David Gorgone, Sr. Consultant II Lisa Takahashi, Consultant II Contributors Hyder Ali Bob Sutton

This file does not collect any personal information. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Outlook, SharePoint, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents
Introduction................................................................................... ....1 Deployment Architectures...................................... ............................5 1.1 Stand-alone server architecture.......................................................................5 1.2 Silo architecture...................................................................................... .........6 1.3 Hosting farm with shared SQL back-end servers.............................................8 1.4 Scalable hosting farm......................................................................................9 1.5 Improvements in Windows SharePoint Services 3.0 scalable hosting mode over Windows SharePoint Services 2.0................................................................10 Authentication Modes................................................................... ....13 1.6 Active Directory.............................................................................................13 1.6.1 Account creation mode.........................................................................13 1.6.2 Domain account mode..........................................................................13 1.7 Non-Active Directory or custom mode...........................................................14 Forms-Based Authentication.............................................................15 1.8 Active Directory.............................................................................................16 1.8.1 Account creation mode.........................................................................16 1.8.2 Domain account mode..........................................................................16 1.9 SQL authentication........................................................................................18 1.9.1 Configure SharePoint for SQL forms authentication..............................20 Multiple Tenancy..................................................... .........................23 1.10 Active Directory...........................................................................................23 1.10.1 Account creation mode.......................................................................23 1.10.2 Domain account mode........................................................................24 1.11 Non-Active Directory or custom mode.........................................................27 Site Provisioning....................................................... .......................29 1.12 Provisioning host-named site collections.....................................................31

1.13 Additional steps to provision host-named site collections in SQL authentication mode...................................................................................... ......32 User Management................................................... .........................36 1.14 User Provisioning.........................................................................................36 1.14.1 Account creation mode.......................................................................36 1.14.2 Domain account mode........................................................................41 1.14.3 Non-Active Directory custom authentication mode.............................44 1.15 Resetting passwords....................................................................................44 HTTPS...................................................... .......................................46 1.16 Configuring HTTPS for host-named site collections......................................46 1.17 Issues..................................................................................................... ......47 Search............................................................................ .................48 1.18 Configuring Search with Basic Authentication:............................................48 1.19 Configuring Search for HTTPS sites..............................................................50 1.20 Configuring Search for Forms Based Authentication with Custom Authentication Provider:......................................................................................53 Configuring HTTPS for Host-Named Site Collections...........................54 1.21 Issues..................................................................................................... ......54 Migration from 2.0 to 3.0................................................... ...............55 1.22 In-place upgrade................................................................................ ..........55 1.23 Gradual upgrade............................................................................. .............55 The “Fabulous 40” Application Templates..........................................57 1.24 Site administrator templates.......................................................................58 1.25 Server administrator templates...................................................................59 1.26 Grouping of templates.................................................................................60 1.27 Converting templates from Windows SharePoint Services 2.0 to Windows SharePoint Services 3.0.......................................................................................61 Other Deployment Issues in Hosting Scenarios..................................62 1.28 Active site count..........................................................................................62

1.29 IIS reset.................................................................................................... ....62 1.30 Bandwidth measurement tools....................................................................62 1.31 People picker...............................................................................................63 PeoplePicker Options:.............................................................................. ......63 1.31.1 1.31.2 1.31.3 1.31.4 1.31.5 peoplepicker-activedirectorysearchtimeout....................................64 peoplepicker-distributionlistsearchdomains................................64 peoplepicker-onlysearchwithinsitecollection...............................65 peoplepicker-searchadcustomquery............................................65 peoplepicker-searchadforests................................................66

Development Guide....................................................... ...................67 1.32 Developing custom SharePoint Web services..............................................67 1.32.1 Why would you need to develop this?.................................................67 1.32.2 How do you develop?..........................................................................67 1.32.3 How do you debug?.............................................................................73 1.33 Developing SharePoint Web Parts................................................................75 1.33.1 Why would you need to develop this?.................................................75 1.33.2 How do you develop?..........................................................................76 1.33.3 How do you debug?.............................................................................79 1.34 Developing SharePoint Web applications.....................................................81 1.34.1 Why would you need to develop this?.................................................81 1.34.2 How do you develop?..........................................................................81 1.34.3 How do you debug?.............................................................................85 1.35 Developing custom HTTP modules...............................................................86 1.35.1 Why would you need to develop this?.................................................86 1.35.2 How do you develop?..........................................................................87 1.35.3 How do you debug?.............................................................................90 Appendix (from popular blogs)................................................. .........91 1.36 EnableListObjectMode.vbs...........................................................................91

1.37 Setting up account creation mode – Screen shots.......................................93 1.38 What happened to Smigrate.exe? What if I only want to upgrade one site? What can I do now with Stsadm.exe?..................................................................96 1.39 Capacity planning........................................................................................98 1.40 Important references.................................................................................100 1.41 Feature comparisons in SharePoint Search versions..................................101

Introduction
Microsoft® Windows® SharePoint® Services 3.0 builds on the Microsoft Windows Server 2003 operating system and database services to support requirements for creating Web sites that can serve as team sites for workgroups or as large enterprise portal solutions. Windows SharePoint Services 3.0 platform services provide security-enhanced, scalable, reliable, and high-performance capabilities that are outlined in the following figure.

Figure 1: Components of Windows SharePoint Services 3.0

In addition, Windows SharePoint Services 3.0, a feature of Windows Server 2003, implements the collaboration features of the 2007 release of Microsoft Office SharePoint Products and Technologies: • • • • • • • • Document collaboration Wikis and blogs Really Simple Syndication (RSS) support Discussions Project task management Contacts, calendars, and tasks E-mail integration Integration with the 2007 Microsoft Office system client applications

1

Offline support for SharePoint lists and document libraries, using Microsoft Office Outlook 2007 as the offline client application.

In addition, Windows SharePoint Services 3.0 provides key capabilities and features that make it a very attractive solution to become a platform to offer shared hosting services that are geared towards small and medium businesses. These capabilities include: • Custom authentication. Windows SharePoint Services 3.0 uses the provider model to integrate with any authentication store. Windows SharePoint Services 3.0 integrates with the SQL membership provider that ships with ASP.NET 2.0. This provider, distributed as source code in MSDN, can be extended to integrate with other authentication stores such as Lightweight Directory Access Protocol (LDAP), Microsoft .NET Passport, or proprietary single sign-on (SSO) solutions. Forms-based authentication. In conjunction with the custom authentication providers, Windows SharePoint Services 3.0 redirects users to a logon form, where in the user gets prompted for credentials. With the use of the ADProvider that ships with ASP.NET 2.0, this new mode of authentication can even replace the dialog box that was used with Basic authentication (over HTTPS). • Host-named site collections. This feature allows for a DNS entry to be mapped to a site collection within a Web application. There can be thousands of site collections inside a single Web application. This is the most scalable configuration of Windows SharePoint Services 3.0 and is tailored for hosting needs. • Tight integration with Office (even in non-Active Directory modes). Windows SharePoint Services 3.0 now has a tighter integration with the 2007 Microsoft Office system, even with non-Active Directory modes. For this integration to work, users need to select the Persist session information check box, and then Office will work with credentials provided by using forms-based authentication. • New built-in application templates. Application templates are custom scenarios for the Windows SharePoint Services 3.0 platform, tailored to address the needs and requirements of specific business processes or sets of tasks in organizations of any size. In Windows SharePoint Services 3.0,

2

in addition to the sites such as team sites, meeting workspaces, document workspaces, etc., that are geared towards office collaboration, a new set of application templates for blogs, wikis, photo albums, etc., is provided. These templates are geared towards small and medium businesses and hosting scenarios. • “Fabulous 40” templates. By end of Q1-FY07, Microsoft will release a set of 40 new application templates for Windows SharePoint Services 3.0. These templates will offer solutions for scenarios such as Help Desk, Project Site, Knowledge Base, Employee/HR, etc., to address specific customer needs and business requirements. Twenty of the templates will be “site administrator templates” and available in English only. These templates will be easy for site administrators to install in a template gallery without requiring server administration access. The remaining 20 will be “server administrator templates” and available in 11 languages (English, French, Italian, German, Spanish, Portuguese, Japanese, Chinese Simplified, Chinese Traditional, Korean, and Hebrew). The site definitions provide a tighter integration and enhanced functionality within Windows SharePoint Services 3.0, but will require a server administrator to install. For the hosting market, Windows SharePoint Services 3.0 offers a clear differentiator for the Windows platform. Offering “intranet” solutions that allow small and medium business customers to not only share documents, but also to collaborate by using wikis and blogs, will be key to growing market share and creating value-added services. Microsoft engaged with more than a dozen international hosting partners after the Beta 2 Technical Refresh release of Windows SharePoint Services 3.0 and helped create shared offers on Windows SharePoint Services 3.0. This white paper captures the key areas of learning from this pilot program, and is geared towards facilitating an independent software vendor (ISV) or hoster to create an offer on Windows SharePoint Services 3.0 in a short amount of time. In the following sections, we will outline the different deployment options available for Windows SharePoint Services 3.0 and present some the issues that were faced by hosters in the pilot program. Most of the issues encountered could
3

be avoided by preemptive guidance, which is provided in this white paper. Some issues will require a workaround, which was developed by Microsoft Consulting Services and provided to the hosters. Excerpts of the workarounds will be presented in this paper, whereas the full solutions for the workarounds will be made available as part of a download . In spite of our best efforts, there are some issues that do not have any solutions in place and will require the product team to address them in the next major release of Windows SharePoint Services (service pack or full release). We will present these issues so that hosters can avoid them if at all possible.

4

Deployment Architectures
Windows SharePoint Services 3.0 can be installed on a wide range of configurations that varies from a single server configuration to a large farm of servers. In each of the configurations, the workloads can be distributed across the hardware. In this white paper, we will focus on the three primary components of Windows SharePoint Services 3.0, namely Windows SharePoint Services application (Web application), Search (including crawling and indexing), and Storage (for data, as well as configuration information). We will present only the most popular configurations for hosting scenarios. Irrespective of the hardware architecture, Windows SharePoint Services 3.0 can be installed and configured independently. We will therefore present only the hardware architectures, and then discuss the software configurations in the subsequent sections.

1.1 Stand-alone server architecture
In this configuration, the hoster installs all components of Windows SharePoint Services on a single server. The server might optionally be part of a domain. All features of Windows SharePoint Services 3.0 are available in this scenario. However, there is no scalability or availability built into the configuration. Windows SharePoint Services 3.0 ships with its own Microsoft SQL Server 2000 Desktop Engine (Windows) (WMSDE) database, which can get installed on the server. The normal limits of WMSDE are removed, and Windows SharePoint Services 3.0 can support as many users as the hardware constraints can support (up to hundreds of customers). However, note that only Windows SharePoint Services 3.0 can interface with WMSDE. Other tools such as SQL Development Explorer, etc., cannot be used for managing WMSDE. Just as with Microsoft Windows SharePoint Services 2.0 and Microsoft Office SharePoint Portal Server 2003, the free database used in a default installation is not the same for both a Windows SharePoint Services 3.0 default installation and a Microsoft Office SharePoint Server 2007 default installation. The version used for Office SharePoint Server 2007 is the standard version of Microsoft SQL Server 2005 Express Edition and has the standard restriction of a maximum
5

4 gigabyte (GB) size for a database. However, the version used by Windows SharePoint Services 3.0 is (again, just as Windows SharePoint Services 2.0) a special "Windows" version, which does not have this maximum database size restriction. The Windows SharePoint Services 3.0 version compared to the Windows SharePoint Services 2.0 WMSDE does support Search, because the search used in Windows SharePoint Services 3.0 is a cut-down version (single site only) of the search used by Office SharePoint Server 2007 and no longer SQL Server FullText Search. Note that management tools such as SQL Server Management Studio Express are blocked from attaching to this database engine. Users can use only the osql command-line utility. From a hoster standpoint, the most attractive feature of this option is the lack of licensing costs for the database. However, in the long run, as the numbers of customers go from hundreds to thousands, a single-server architecture will have a higher total cost of ownership (TCO) in terms of managing individual servers. Therefore, hosters will mostly use this configuration during the prototyping or start-up stage to minimize costs, and then typically consider one of the other configurations before going into full production or supporting a large customer base.

1.2 Silo architecture
The most popular configuration in shared hosting (for ASP.NET applications) is to have a front-end Web server being served by a SQL back-end server. In some instances, multiple front-end Web servers can be served by a single SQL backend server. Hosters typically serve about 2,000 customers (or whatever the server threshold might be) with a single pair of front-end Web server/SQL backend server. As the number of customers approaches the server threshold, the hosters will bring up an additional pair to handle the new customers. Basically, the capacity grows as each pair is added. The hosters use a combination of host headers, multiple IP addresses, and creative DNS mappings to distribute loads. Windows SharePoint Services 3.0 supports this exact configuration. The hoster can install the Web application along with search components on the front-end

6

Web servers and configure a SQL Server computer to store the SharePoint configuration, as well as content databases. As additional capacity is needed, the hosters can add a new pair or optionally add just a new front-end Web server to the existing SQL back-end server, or create a farm of front-end Web servers. This option provides the hosters with the ability to scale up or scale out as needed, as well as provides the ability to manage SQL Server computers by using traditional tools and techniques. Each pair is configured to be a “silo” and can be managed independently. This architecture is illustrated in the following figure.

Figure 2: Example of silo architecture

In this configuration, you will need both the front-end Web server and the SQL back-end servers to be part of an Active Directory directory service domain. Domain users are also required to configure the SharePoint servers, as well as SQL services. Note that while Active Directory is required for the servers, Windows SharePoint Services 3.0 can still use any form of authentication for its users (the most popular are still Active Directory or SQL-based custom authentication that ships as part of ASP.NET 2.0). If the SQL-based custom authentication is used, the hosters might opt to configure a stand-alone SQL Server computer that serves as a user repository for all authentication needs. If multiple front-end Web servers are served by a single SQL back-end server, each front-end Web server is configured as a stand-alone Windows SharePoint Services server. On the SQL Server computer, there will be multiple configuration databases, one for each Web application that is configured on the front-end Web server.

7

While Windows SharePoint Services 3.0 can support thousands of users and customers on a single front-end Web server/SQL back-end server pair, this is not the most optimal configuration for Windows SharePoint Services 3.0. However, as the hosters are most familiar with this architecture for their shared hosting environments, it is becoming a very popular choice. However, there are some drawbacks to this approach which are described in the following paragraphs. One of the most popular usage scenarios for Windows SharePoint Services 3.0 is to use it as a document repository on the Web, to facilitate collaboration. Because all documents (and any other content) are stored in a SQL database, the size of the SQL database will grow very rapidly. In this architecture, it will be difficult to add new capacity to the SQL back-end servers because the hosters will run into physical limitations of the hardware (stand-alone servers). In addition, as multiple silos are added, over a period of time, the customers might end up on multiple servers, in which case the user and customer management will become difficult. Therefore, this configuration might be used as long as the customer base is small (in thousands). However, as the customer base grows large (in tens of thousands), the hosters should consider a hosting farm that has a shared SQL back-end server or a scalable hosting farm that has both shared SQL back-end servers and front-end Web servers.

1.3 Hosting farm with shared SQL back-end servers
This architecture is a simple extension of the silo architecture described the previous paragraphs, wherein multiple front-end Web servers are configured to use a single SQL cluster that has a storage area network (SAN) device (or some other form of extensible, shared storage). The SQL cluster can be active-active or active-passive. In this architecture, each front-end Web server is configured with its instance of Windows SharePoint Services 3.0 (i.e., each front-end Web server will have its own configuration database in the SQL Server computer). Much like in the silo architecture, the front-end Web servers are added incrementally, on demand, as soon as the number of customers reaches a predetermined threshold. This architecture is illustrated in the following figure.

8

Figure 3: Example of hosting farm architecture

As the SQL Server computer is shared, it needs to be a high-end computer, such as quad-processor server with 4 GB or more of RAM. Hosters will get enhanced performance if they invest in 64-bit servers for the SQL cluster. (The capacity planning numbers might be released shortly by Microsoft.) The advantage of this approach is that the disk storage can be optimized. The shared SQL SAN can support multi-terabytes of data and shared capacity can be added on an as-needed basis. Note that the Search Service is configured individually on each of the Windows SharePoint Services servers.

1.4 Scalable hosting farm
Scalable hosting farm architecture refers to a set of “load balanced” front-end Web servers going against a SQL cluster. This configuration is the most scalable configuration. However, it is a bit more complex to set up. Instructions to set up the load balanced farms are provided as part of SharePoint documentation. In this configuration, there is a single instance of a Windows SharePoint Services 3.0 Web application that is serving tens of thousands of customers. Hosters can still create multiple Web applications if they choose to do so. These Web applications can share the same configuration databases (and be configured as an additional zone for an existing application), or a completely new instance of the configuration database can be created. Note that Search can be configured on a single server (or multiple servers) to serve the entire farm.

9

As each component of Windows SharePoint Services 3.0 is shared in this architecture, this configuration provides the most efficient use of resources and can support tens of thousands of customers. This is also the most popular configuration for large enterprise customers that have more than 100,000 employees. However, in the hosting space, this architecture is still being evaluated.

1.5 Improvements in Windows SharePoint Services 3.0 scalable hosting mode over Windows SharePoint Services 2.0
(Excerpts from http://wss.collutions.com/pages/Windows SharePoint Services%20v3%20FAQ.aspx) Scalable hosting mode had some limitations in Windows SharePoint Services 2.0. The first limitation was that you had to specify whether or not you wanted to use scalable hosting mode when creating the SharePoint configuration database by using the -hh parameter. Once selected, this setting could never be changed. The second limitation was that scalable hosting mode limited you to extending only one Internet Information Services (IIS) Web site with SharePoint. We did not support extending any additional IIS Web sites with SharePoint when this mode was enabled. The third limitation was that only Windows SharePoint Services 2.0 supported scalable hosting mode. SharePoint Portal Server 2003 did not support this mode. In Windows SharePoint Services 3.0, there are several improvements. First, this feature is no longer exposed through a "mode." In other words, you no longer need to specify whether you want to use host-named site collections when creating the configuration database. Instead, you can now just specify whether site collections should be host-named or path-based when creating the site collection itself. Second, you can now have host-named site collections on multiple Web applications, so you are no longer limited to extending just one IIS Web site with SharePoint. In fact, you can have a mix of path-based and host-named site collections on the same Web application.

10

Finally, we have expanded host-named site collection support to include other Office Server applications, including portal sites. As with Windows SharePoint Services 2.0, you must use the stsadm.exe createsite command to create host-named site collections. You add the following parameter to that operation to indicate that it should be host-named instead of path-based: -hhurl <web application URL> Where <web application URL> is one of the URLs assigned to the "target" Web application in alternate access mappings (Start -> Control Panel -> Administrative Tools -> SharePoint 3.0 Central Administration -> Operations -> Alternate access mappings). For example, let us say you have a Web application named www.example.com and you want to add a host-named site collection with the URL http://hoster.example.com. The command would look like this: stsadm.exe -o createsite -url http://hoster.example.com -ownerlogin DOMAIN\username -owneremail username@example.com -hhurl http://www.example.com Regular Internet service providers (ISPs) would configure their DNS servers to associate hoster.example.com with the appropriate IP address. For your own testing, you can just edit your %WINDOWS%\system32\drivers\etc\hosts file to associate host-named site collections with the IP address of your SharePoint server. Once this is done, you can browse to http://hoster.example.com to access your site. Host-named site collections can be used with both HTTP and Secure Sockets Layer (SSL) if you create them on the default port. If you create them on a nondefault port, each individual host-named site collection can be only HTTP or only SSL, depending on which URL you entered with the -url parameter in the createsite command.

11

Also, host-named site collections cannot be used with the advanced extranet scenarios provided by alternate access mappings, such as SSL termination.

12

Authentication Modes
The new authentication model in Windows SharePoint Services 3.0 leverages the ASP.NET 2.0 authentication framework. The new model is a pluggable framework that provides easy integration for a number of providers into SharePoint.

1.6 Active Directory
By default, Active Directory is the standard user store for Windows SharePoint Services 3.0. Using Active Directory, there are two modes that are available for adding users: account creation mode and domain account mode. 1.6.1 Account creation mode Active Directory account creation mode is popular with hosters because of its ability to create unique accounts for customers. By configuring SharePoint in this mode, Windows SharePoint Services 3.0 will automatically create Active Directory accounts for new users. You must enable Active Directory account creation mode when you first configure Windows SharePoint Services 3.0. When you use Active Directory account creation mode, you cannot use existing domain accounts. Instead, new accounts are created whenever you add users. The new users are notified of their accounts and password through e-mail. This mode requires that an Active Directory organizational unit (OU) be created, and all users that are created in this mode will end up in a single OU. There are security issues because of this and it is one of the reasons that this mode is being deprecated in Windows SharePoint Services 3.0 and will no longer exist in future versions. 1.6.2 Domain account mode Domain account mode is used mainly within organizations that use Microsoft Windows domain accounts. This mode is recommended for hosters that have Active Directory skills, as well as the infrastructure in place. Unlike account creation mode, there is no user provisioning system. However, because Windows SharePoint Services 3.0 now leverages the ASP.NET 2.0 authentication

13

framework, you can easily create a custom user provisioning system and integrate forms-based authentication into Windows SharePoint Services 3.0.

1.7 Non-Active Directory or custom mode
Because Windows SharePoint Services 3.0 provides a pluggable framework that leverages ASP.NET 2.0 authentication, any user data store can be implemented. Currently, providers that are included are SQL, LDAP, and Active Directory. This new capability has become popular with hosters who want to create low-cost offers. It also provides the capability to easily integrate forms authentication, a feature that hosters have been asking for in Windows SharePoint Services 2.0. Like domain account mode, a custom user provisioning system will need to be created.

14

Forms-Based Authentication
The new authentication model in Windows SharePoint Services 3.0 leverages the ASP.NET 2.0 authentication framework. The new model is a pluggable framework provides easy integration for a number of providers. The current providers are SQL, LDAP, and Active Directory. Any of these providers can be configured when forms authentication is specified in SharePoint. ASP.NET membership supports facilities for: Creating new users and passwords. Storing membership information (user names, passwords, and supporting data) in Microsoft SQL Server, Active Directory, or an alternative data store. Authenticating users who visit your site. You can authenticate users programmatically, or you can use the ASP.NET logon controls to create a complete authentication system that requires little or no code. Managing passwords, which includes creating, changing, and resetting them. Depending on membership options you choose, the membership system can also provide an automated password-reset system that takes a user-supplied question and response. Specifying a custom membership provider, which allows you to substitute your own code to manage membership and maintain membership data in a custom data store. ASP.NET role supports facilities for: •

Creating roles and assigning users to those roles. Managing users that belong to those roles. For instance, in SharePoint, you can grant access to a role and add or remove users from the role. This eliminates the need to grant access to individual members.

Authorizing access to specific areas of the application by defining which role will have access.

The following sections describe the configurations that are included for the Active Directory and SQL membership providers. Subsequent sections of this document will describe the customizations that were developed for a hosting solution. The customizations provide the scoping of users to their respective sites.

15

1.8 Active Directory
1.8.1 Account creation mode In Windows SharePoint Services 3.0, forms-based authentication will not work with account creation mode. This is because forms-based authentication expects users to be in the format of “Provider:user”, while the account creation mode adds users as “Domain\user”. For forms-based authentication to work, the user in the format of “Provider:user” should be added to the site collection. Because there is no clean way of performing this action, we recommend forms-based authentication not be used with account creation mode. Also note that account creation mode is a deprecated feature of Windows SharePoint Services 3.0. It is supported through version 3.0. However, the product teams recommend customers plan to move off of it at their earliest convenience. 1.8.2 Domain account mode This section discusses enabling the Active Directory membership provider within Windows SharePoint Services 3.0. There are three configuration files that need to be modified. These configuration files belong to the SharePoint Central Administration Web site, the SharePoint Web application, and the stsadm.exe command-line utility. 1. Open the Web.config files for both the Web application and the Central Administration application, and add the following ConnectionStrings element immediately after the ConfigSections element:
<connectionStrings> <add name="ADConnectionString" connectionString="LDAP://litwareinc.com/OU=Users, DC=litwareinc,DC=com"/> </connectionStrings>

Note: In the above the example, the connection string is pointing to the Users OU. 2. Add the following in the system.web section:
<membership defaultProvider=”MyADMembershipProvider”> <providers> <add name= "MyADMembershipProvider"

16

type="System.Web.Security.ActiveDirectoryMembershipProvid er, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADConnectionString" connectionUsername="litwareinc\administrator" connectionPassword="pass@word1" attributeMapUsername="sAMAccountName"/> </providers> </membership>

Note: You will need to specify the appropriate connectionUsername and connectionPassword that has full access to the Users OU as described in the connection string above. 1.8.2.1Configure SharePoint for Active Directory forms authentication Once the Web.config files have been modified, follow the following steps. 1. Open Central Administration, and click Application Management. 2. Click Authentication Providers. Ensure that you are working on the correct Web application. 3. Click the Windows link. By default, SharePoint enables Windows as the membership provider name. 4. On the Edit Authentication page, in the Authentication Types section, select the Forms option. 5. In the Membership provider name text box, enter the name of your Web application’s membership provider. Based on the membership section above, the name would be MyADMembershipProvider. 6. In the Role Manager Name text box, enter the name of your Web application’s role provider. 7. Click the Save button. Note: The stsadm.exe tool also needs to be configured for forms authentication. To do so, create an stsadm.exe.config file such as shown in the following code sample and deploy it to the stsadm.exe folder located in C:\Program Files\Common Files\Microsoft Shared\Web server extensions\12\BIN.

17

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <configuration> <connectionStrings> <add name="ADConnectionString" connectionString="LDAP://litwareinc.com/OU=Users,DC=litwareinc, DC=com"/> </connectionStrings> <system.web> <membership defaultProvider=”MyADMembershipProvider”> <providers> <add name= "MyADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembership Provider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADConnectionString" connectionUsername="litwareinc\administrator" connectionPassword="pass@word1" attributeMapUsername="sAMAccountName"/> </providers> </membership> </system.web> </configuration>

1.9 SQL authentication
To begin working with the SQL membership provider, you will need to create the SQL database.
1.

Create the aspnetdb database. From a Visual Studio 2005 command prompt, run the following command: aspnet_regsql –A all –E Where -A all specifies to add all provider features, and -E specifies

Windows authentication to connect to SQL Server.
2.

Add users to the SQL database. There are a variety of ways to do this. ASP.NET provides an ASP.NET Web site administration tool to set up and manage users. You can also write your own application to manage users by using the membership and role application programming interfaces (APIs).

3.

Configure the SQLMembershipProvider for a given Web application.

18

4.

Once the SQL database has been implemented, modify the Web.config files for both the Web application and Central Administration. The ConnectionString element should point to your SQL database. It should be placed in the Configuration section of the Web.config, as shown in the following code sample.
<connectionStrings> <remove name="localSqlMembershipDatabase" /> <add name="localSqlMembershipDatabase" connectionString="server=MOSS; database=aspnetdb;
Trusted_Connection=True" /> </connectionStrings>

The Membership and Rolemanager elements should be placed in the system.web section of the Web.config file. Important attributes to note are the name and connectionStringNames. The name attribute values contain the default SQL membership provider and role provider names. The connection string values need to be consistent with what is specified in the connectionString section. In this case, it is localSqlMembershipDatabase. The applicationName attribute contains the name of the application and is used to identify users that are specific to that application, as shown in the following code sample.
<membership defaultProvider="AspNetSqlMembershipProvider"> <providers> <remove name="AspNetSqlMembershipProvider" /> <add name="AspNetSqlMembershipProvider" connectionStringName="localSqlMembershipDatabase" applicationName="FormsAuth" passwordAttemptWindow="10" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" requiresUniqueEmail="false" passwordFormat="Hashed" description="Stores and retrieves membership data from the Microsoft SQL Server database" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </membership>

19

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"> <providers> <remove name="AspNetSqlRoleProvider" /> <add name="AspNetSqlRoleProvider" connectionStringName="localSqlMembershipDatabase" applicationName="FormsAuth" description="Stores and retrieves roles data from the local Microsoft SQL Server database" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </roleManager>

If you plan to provide a custom logon page, make sure that the appropriate section has been modified. Otherwise, SharePoint’s default logon will be used, as shown in the following code sample.
<authentication mode = “Forms”> <forms loginurl=”/_layouts/login.aspx /> </authentication >

1.9.1 Configure SharePoint for SQL forms authentication Once the Web.config files have been modified, follow the following steps. 1. Open Central Administration, and click Application Management. 2. Click Authentication Providers. Ensure that you are working on the correct Web application. 3. Click the Windows link. By default, SharePoint enables Windows as the membership provider name. 4. On the Edit Authentication page, in the Authentication Types section, select the Forms option. 5. In the Membership provider name text box, enter the name of your Web application’s membership provider. Based on the membership section above, the name would be AspNetSqlMembershipProvider.

20

6. In the Role Manager Name text box, enter the name of your Web application’s role provider. 7. Click the Save button. Note: The stsadm.exe tool also needs to be configured for forms authentication. To do so, create an stsadm.exe.config file such as shown in the following code sample and deploy it to the stsadm.exe folder located in C:\Program Files\Common Files\Microsoft Shared\Web server extensions\12\BIN.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <configuration> <connectionStrings> <remove name="localSqlMembershipDatabase" /> <add name="localSqlMembershipDatabase" connectionString="server=MOSS; database=aspnetdb; Trusted_Connection=True" /> </connectionStrings> <system.web> <membership defaultProvider="AspNetSqlMembershipProvider"> <providers> <remove name="AspNetSqlMembershipProvider" /> <add name="AspNetSqlMembershipProvider" connectionStringName="localSqlMembershipDatabase" applicationName="FormsAuth" passwordAttemptWindow="10" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" requiresUniqueEmail="false" passwordFormat="Hashed" description="Stores and retrieves membership data from the Microsoft SQL Server database" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </membership> <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"> <providers> <remove name="AspNetSqlRoleProvider" /> <add name="AspNetSqlRoleProvider"

21

connectionStringName="localSqlMembershipDatabase" applicationName="FormsAuth" description="Stores and retrieves roles data from the local Microsoft SQL Server database" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </roleManager> </system.web> </configuration>

22

Multiple Tenancy
The ability to host multiple public Web sites, each with its own domain name, on a single installation of Windows SharePoint Services 3.0 will allow hosters to maximize customers on a given implementation. There are various challenges that exist today when trying to host multiple domains on a single Web server. As shipped, Windows SharePoint Services 3.0 does not provide tools to scale out to high numbers of public-facing Web sites of different domains to the degree that many hosters want to provide offerings for. To enable Windows SharePoint Services 3.0 to increase capacity and really scale at an Internet level, we have researched different configurations to extend the standard Windows SharePoint Services 3.0 capabilities. Using Active Directory and SQL Server 2005 as the two main membership directories, we have put together guidance to increase site capacity on a single Windows SharePoint Services 3.0 implementation. On a standard installation of Windows SharePoint Services 3.0, membership groups are scoped at the Web application level (the IIS virtual server level). This means that a user named "John" who has been granted access to a site (on a single Web application) will be able to log on to all sites on that Web application. While he will not have access granted to those sites, he will still have a valid logon because the authentication form is shared by each site. This becomes not only a potential security concern, but also an issue when the owner of a different site would like to have a different user named “John” as a site member. The user “John” has already been taken by the first owner and is not available. Plus, there can be confusion when using the Windows SharePoint Services 3.0 people-picker utility (a Web control that allows a user to search for other users) with a site configured for forms-based authentication.

1.10Active Directory
1.10.1Account creation mode There are various places in a SharePoint site where a site owner or another site user needs to find another user. Windows SharePoint Services 3.0 provides a people-picker utility to search for users based on keywords. This people picker has some issues when working with forms-based authentication and the various
23

providers. Specifically, for the Active Directory providers, the default behavior is to return users in the form of “Domain\username”. These users, if selected, cannot log on to the site by using forms authentication. It is important to understand that users must be added to sites by using the naming convention of <Provider>:<username>. For example, if you want to add a user named John Smith, you will need to add the user specified with the provider such as “ADProvider:john_smith”. Do not add users where the domain name appears such as “DOMAIN\john_smith”. While this is technically the same account in Active Directory, it is a completely different account according to Windows SharePoint Services 3.0. More importantly, this domain-specified user will not be able to log on by using forms authentication. Only users added by using the provider naming convention can use forms authentication. This information is useful to have in an FAQ for site owners and administrators, or anyone else who might add users to a site through Windows SharePoint Services 3.0. 1.10.2Domain account mode Similar to the Active Directory account creation mode, using the domain account mode also relies on the ASP.NET 2.0 Active Directory membership provider to enable forms-based authentication. The behavior of the SharePoint site and the authentication process is the same for both modes of Active Directory. As shipped, Windows SharePoint Services 3.0 provides no way to create Active Directory users when using the domain account mode, so we have built a sample application and user interface to provide this functionality inside a site (see the User Provisioning section for more details on this sample). New installations of Windows SharePoint Services 3.0 using Active Directory are encouraged to use the domain account mode to host users. In this mode, there are no specific Windows SharePoint Services 3.0 requirements of Active Directory in regards to setting up OUs, groups, or users. For many enterprises, this is not an issue because their Active Directory structure has been created prior to the introduction of SharePoint. In the hosting environment, there are recommendations and best practices for setting up Active Directory to work with Windows SharePoint Services 3.0 by using forms-based authentication. Supporting multiple users on a single implementation of Windows SharePoint Services 3.0 means enabling a secure and scalable hosting model in Active

24

Directory that maps to multiple SharePoint sites. To allow fine-grained security to individual sites, Active Directory must be set up to allow the List Object property to be visible and available. To set Active Directory to List Object mode, we have included a VBScript file named “EnableListObjectMode.vbs” that can set this property. The source code for this script is also included in the appendix of this document. The usage is simply: cscript EnableListObjectMode.vbs Note: Setting the dsHeuristics attribute to 001 enables List Object mode. The following is a sample design in Active Directory that will help to support segregation of those users in conjunction with the sample code Web services provided.

To enable this in our sample scenario, we have created an Organizational Unit (OU) named Hosting. It is in this OU where all of the users for a hosting scenario will be created. As illustrated in the screen shot, each SharePoint site has its own sub-OU under the Hosting node. Inside each site OU, each user will be created and placed in a group named “<Site OU Name> Users”. To properly secure this environment for multiple users across various sites you want to make sure that each user in Contoso, for example, cannot get any information about users in other sites or in other OUs outside of the Contoso OU. To accomplish this, a few basic security settings must be configured. Once you have created the initial Hosting OU, you must make sure that Authenticated Users (any user on any Windows SharePoint Services site) can read from this OU.

25

This should be a manual step when the Hosting OU is created, if not already configured in Active Directory. You might also want to manually remove access for Authenticated Users on the following standard Active Directory containers: Builtin Computers Domain Controllers ForeignSecurityPrincipals Infrastructure System Users The following steps around security and setting up the site OUs will be automatically completed in the sample Web services when creating a new site or new user, but here are the steps that are happening behind the scenes. When a new site is created through the Web services, a site OU will automatically be created under the Hosting OU. For example, when we create a

26

site named www.Contoso.com, we will also create a child OU named “Contoso”. We will also create the site owner as a user in this OU. We will also create a user group named Contoso Users to store this and all other users. Each new user created for this site will live in this Contoso OU and be a member of the Contoso Users group. Now we can enable this group to have the appropriate read access on this Contoso OU. In addition, we must remove read access for the Authenticated Users. The net effect of these two operations means that no other users (in ADatum, for example) will have read access into users of Contoso. It also grants only Contoso users this read access. Security should be set for “This object only” with List Object allow access, and also “This object and all child objects” with List Contents, Read All Properties, and Read Permissions.

These settings above are automatically set by the Web service when a new SharePoint site is created.

1.11Non-Active Directory or custom mode
Many of these issues are still problematic on non-Active Directory membership stores as well. To represent such a platform that many hosters might use, let us look at using SQL Server 2005 as a membership store for SharePoint sites. Using the ASP.NET 2.0 SQL membership provider we can enable forms authentication with SharePoint sites. The main problem here is that this membership provider is scoped at the Web application level. Users must be unique across all SharePoint sites in that Web application (or virtual server in IIS). This becomes very confusing for site owners who are trying to create new users when they receive an error message that a user already exists with that name, yet they surely have not created one yet. To solve this problem and to enable Windows SharePoint Services 3.0 to scale to many more sites on a single Web application, we have created a custom membership provider built on top of the ASP.NET 2.0 SQL membership provider. This custom provider essentially allows www.ADatum.com, www.Contoso.com, www.Fabrikam.com, etc., to exist as separate site collections within a single SharePoint Web application. Each site is uniquely separated, and users of one site cannot see another. This configuration allows SharePoint to host thousands of domains in a single Web site. The custom SQL membership provider scopes

27

users down to a group of one or more sites named an Application. An Application has a one-to-many relationship to SharePoint sites. Users can be created and given permissions to access one or more individual sites within a SharePoint Web application. When a user is created, the user is associated with a SQL-based “Application” instead of just a site. You can then add one or more SharePoint sites to that Application grouping, and each user in the Application can access any site in that group. This is particularly useful for related sites or sites that are owned by the same customer. One example is when a customer (site owner) creates SharePoint sites named “east.contoso.com” and “west.contoso.com”, both inside the “litwareinc” application. Users are then associated with the “contoso” application, so they can potentially log on to either of the two Web sites. They will not need two separate accounts, and the site owner simply has to grant read (or higher) access to a single account on both sites. One of the challenges with using forms-based authentication and the provider model is that adding users to sites is not as intuitive as it could be. As the site owner of a SQL-based membership site, a customer might want to add an existing user to a new site. In the example above, the same site owner also purchases a new site named “north.litwareinc.com” and wants to add the same user “John” with author permissions on this new site. Windows SharePoint Services 3.0 providers a people-picker interface for adding users where the site owner can search for keywords such as “john” and it will return the account options. Because John is a member of the “litwareinc” application, he will be available to the north.litwareinc.com Web site. To assist with the creation of users and applications, we have a sample command-line utility specifically for working with SQL-based membership repositories and deals with the Application idea to separate SharePoint sites. The next section discusses site provisioning and includes additional details on the MembershipSiteAdmin.exe tool.

28

Site Provisioning
The ability to provide a fast and automated provisioning experience for the customer can help reduce the required time, resources, and risk of user error. One key aspect that can benefit from automation is the process of creating a new site. Many hosting companies have a control panel application that presents their customers with various options including signing up for a new Web site. Windows SharePoint Services 3.0 site provisioning can be integrated directly into the control panel application in various ways. We have provided sample Web services for Windows SharePoint Services 3.0 site provisioning that can be integrated directly into an existing application. These Web services provide an example of using Windows SharePoint Services 3.0 in a hosting scenario that has Active Directory as the back-end user repository with forms-based authentication on the front end. A recommended configuration of Active Directory will help hosters scale Windows SharePoint Services 3.0 for multiple sites on a single implementation and domain. Guidance is provided on how to build, install, and use these sample Web services to integrate this functionality into custom provisioning applications. Here are the sample Web methods that are provided that can be integrated into a hosting console application: • CreateNewSiteNewOwner. This method creates a new SharePoint site and also creates a new Active Directory user to be the owner of that site. This method would be used when a new site and a new owner should be created at the same time. • CreateNewSiteExistingOwner. This method creates a new SharePoint site and uses an existing Active Directory user as the site owner. This method can be used when the user already has a valid account on another site (already in Active Directory), but they are to be the owner of another new SharePoint site. • AddNewUserToSite. This method creates a new user in Active Directory and adds this user to an existing SharePoint site. You can use this method

29

when you want to create a new end user to access a running SharePoint site. Typically, the site owner will trigger this process from a control panel application or a link or Web Part on their SharePoint site. • AddUserToSite. This method adds an existing user in Active Directory to an existing SharePoint site. This method will most likely be used the least, but if the site owner knows that a user already exists on another site, and would like to add this user to his or her own SharePoint site, this method can be called. While these examples are specific to Active Directory, they can be extended or modified to work with other back-end membership repositories such as SQL Server. It is important to understand the security issues surrounding the process of calling a Web service from another Web application (such as a hosting console application). Because these Web methods (functions in the sample Web services) require elevated privileges to complete the provisioning tasks, they should be installed in the Administration section of Windows SharePoint Services 3.0. You can put these Web services in the Central Administration directory of Windows SharePoint Services 3.0, and they will be running in the context of other Windows SharePoint Services administrative functions. Specifically, they will be running in the application pool named “SharePoint Central Administration 3.0”. This should be running under the identity of an administrator user as specified in the Windows SharePoint Services 3.0 installation instructions. The Web services have been designed to run in this same context requiring administrative access to Active Directory and to Windows SharePoint Services 3.0. This directory is configured to run with authentication set up for Integrated Windows authentication only. The best way to call into a Web service with this configured is from the Microsoft platform (Windows form application where you pass administrator credentials or an ASP.NET Web application, which can be configured for anonymous as long as the application pool that hosts it has valid credentials that can be passed back to the Web services). For additional information on passing credentials to these Web services, see http://msdn2.microsoft.com/en-us/library/bfazk0tb.aspx.

30

1.12Provisioning host-named site collections
Windows SharePoint Services 3.0 allows multiple domains to exist in a single SharePoint Web application. In Windows SharePoint Services 2.0, this was named scalable hosting mode. This mode allows http://www.ADatum.com, http://www.Contoso.com, etc., to exist as separate site collections within one Web application. The feature is also available in Windows SharePoint Services 3.0, and can be used in a variety of different ways. For console operation, a new site can be created by using the stsadm.exe command-line tool. The following command creates a new site off of the root site:
Stsadm -o createsite -url http://www.Contoso.com -ownerlogin litwareinc\owner -owneremail Owner_Email -hhurl http://rootsite

In addition to using the command-line tool to create sites, you can use the Windows SharePoint Services 3.0 object model to achieve the same results. The following code sample creates the same site:
SPGlobalAdmin globalAdmin = new SPGlobalAdmin(); SPSiteCollection sites = globalAdmin.VirtualServers[0].Sites; SPSite oSite = null; oSite = sites.Add("http://www.Contoso.com", "Site_Title", "Site_Description", 1033, "STS#0", "LITWAREINC\owner", "Owner_Display_Name", "Owner_Email", "LITWAREINC\secondaryowner, "Secondary_Owner_Display_Name", "Secondary_Owner_Email", true);

Many developers are familiar with the fact that Windows SharePoint Services 3.0 ships with a set of Web services for various user and administrative tasks. One of those administrative tasks is creating a new site. There is an issue with the CreateSite Web method, because it does not support the creation of host-named site collections. There are a few options to work around this. Developers can write their own Web service wrapping the API sample code as shown previously. There are several additional configuration options to consider when provisioning a new SharePoint site. Specifying the appropriate site template during site creation will determine which preconfigured Web Parts and other user interface elements are available on the new site. In a hosting scenario, you will probably want to select either a team site template (value of “STS#0” when creating the

31

site), or a blank site with no Web Parts or prebuilt lists (value of “STS#1”). In addition, you can offer one of the “Fabulous 40” templates when they become available. In a hosting environment, it might be a good idea to specify site quotas on each newly provisioned SharePoint site. While this feature is not included in the sample Web services, it can be added, and you can create a quota template based on predetermined limits, which can be used in future site provisioning. For more information on creating a quota template, see http://technet2.microsoft.com/Office/f/?en-us/library/c2eda191-1814-423b882f-1fdafe9df6c91033.mspx.

1.13Additional steps to provision host-named site collections in SQL authentication mode
Working with the SQL membership provider in a hosting scenario requires some additional steps to properly set up and use a host-named site collections. In general, when you create any SharePoint site, you need to specify a user who will be the site owner. This implies that the owner user already exists in your membership directory. To simplify this and other tasks surrounding the SQL membership provider, we have put together a sample utility called the MembershipSiteAdmin.exe tool. This is a command-line tool that that manages how sites and users are created, deleted, and mapped to applications that help with the following tasks: Create a user in the SQL membership database. Delete a user in the SQL membership database. Create a SharePoint site. Delete a SharePoint site. Enumerate all the applications associated with a specified user (or check if a user already exists in the system and in any other application). The command-line tool completes the actions described above by calling custom stored procedures, calling the membership provider API, and wrapping the stsadm.exe tool. This requires that stsadm.exe have a configuration file created and available. The process of creating or deleting a SharePoint site is handled by the stsadm.exe tool, and not part of this application (it is handed off to

32

stsadm.exe to complete). The part of the operation that we are concerned with is the mapping between the desired application name and the fully qualified domain name (FQDN) of the SharePoint site. To do this, we call the appropriate custom stored procedure: aspnet_Sitemaps_CreateMapping (takes as input an application name and an FQDN) aspnet_Sitemaps_DeleteMapping (takes as input an FQDN) Creating and deleting users in the SQL membership repository is done by using the ASP.NET membership service API (System.Web.Security.Membership). We simply call the Membership.CreateUser method or the Membership.DeleteUser method to complete those actions. The provider that is used by the membership service is specified in the App.config file (MembershipSiteAdmin.exe.config) for this custom command-line tool. We are using the shipping SQL provider to complete these tasks, and we manually specify the application name we intend to connect to this user. There is no need to use the custom provider we built because we are not doing the actual authentication from a Web application such as Windows SharePoint Services 3.0. The MembershipSiteAdmin.exe.config file should point to the default location for the stsadm.exe file. If you have installed SharePoint in another location, you will need to update this application setting. Refer to this section of the MembershipSiteAdmin.exe.config file and change the highlighted portion as needed: <appSettings> <add key="stsadmPath" value="C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN\" /> </appSettings>

Here are examples on using each feature: • Creating a membership user in a specified application: MembershipSiteAdmin.exe -o createuser -appname SampleApps -login naderi@fabrikam.com -password pass@word1 -passwordquestion "Favorite Color" -passwordanswer Red -email naderi@fabrikam.com

33

Deleting a membership user: MembershipSiteAdmin.exe -o deleteuser -appname SampleApps -userlogin naderi@fabrikam.com

Creating a site and application mapping: MembershipSiteAdmin.exe -o createsite -appname SampleApps -ownerlogin AspNetSqlMembershipProvider:naderi@fabrikam.com -owneremail naderi@fabrikam.com -url http://www.fabrikam.com -hhurl http://moss.litwareinc.com -sitetemplate STS#0

Deleting a site and application mapping: MembershipSiteAdmin.exe -o deletesite -url http://www.fabrikam.com

Enumerating the applications associated with a specified user: MembershipSiteAdmin.exe -o enumapps -userlogin naderi@fabrikam.com

Important: You will notice that the user name specified in all of these examples is naderi@fabrikam.com. We recommend that you use a unique user name (or user logon) across the entire Web application. So while security boundaries will be based on the application name, you should provide each new user with a unique name for increased security. To check if a user already exists, you can run with the “enumapps” option, and if that user exists anywhere in the database, the name of an application will be returned. This is a great way to verify you have a database-wide unique user name. This command-line tool provides some simple console output to indicate the success or failure of a particular task. A user running these various administrative tasks should be familiar with the database structure to help troubleshoot any issues that might arise during any of these routine tasks. For more information on the database structure used by the SQL authentication providers, see

34

http://msdn.microsoft.com/asp.net/downloads/providers/default.aspx?pull=/libr ary/en-us/dnaspp/html/asp2prvdr02.asp. As specified previously, there is an additional table that has been added to the database named “aspnet_Sitemaps”. You might want to become familiar with this as well. Feel free to explore the aspnetdb database by using the Microsoft SQL Server Management Studio. Be careful not to modify the data unless you know exactly what you are doing. In general, it is a good idea to use the command-line tool to remove users and data.

35

User Management
User management is a concern for both the hosting company, and the site owner who might be a customer of the hosting company. The hosting company needs a secure location to store user accounts that will log on to each SharePoint site. The site owner also needs to worry about users specific to the sites they own. For both parties, the issues of user creation, deletion, password changes, and security restrictions need to be addressed.

1.14User Provisioning
Creating new users in your membership repository will be essential for end users to access individual SharePoint sites. For most hosters, users will be stored in a database (such as Microsoft SQL Server 2005), or another LDAP directory. Much of the sample source code included shows examples of working with SQL Server or Active Directory as the main user repository for SharePoint site users. These samples show how you can integrate user provisioning directly into each SharePoint site so that site owners can create new users for their SharePoint sites. 1.14.1Account creation mode When using forms-based authentication with Active Directory as the membership directory for SharePoint site users, there are two different modes that can be configured. Windows SharePoint Services 3.0 can be installed in a special mode named account creation mode. Used mainly by hosting organizations, this mode allows ISPs to automatically create sites and add users for customers. Customers are then able to log on to their site and invite others to collaborate. The invitations are sent automatically with a description of the site along with a link to the site, and the user name and password. To install SharePoint in account creation mode, it is required that an Active Directory OU exist for all users. As sites are created, and users invited, SharePoint will put all users into a single OU. Unfortunately, there are issues around using a single OU. This is the main reason that account creation mode is

36

now a deprecated feature. Although support will continue through version 3.0, account creation mode will not exist in version 4.0. 1.14.1.1Configuring Windows SharePoint Services in account creation mode Active Directory account creation mode enables Windows SharePoint Services 3.0 to automatically create accounts for new users. A specific Active Directory OU must be created for all users who are provisioned through this mode. New accounts are created based on a user’s e-mail address. The e-mail address is used to send an invitation to the user. The user’s e-mail will contain the site URL, and the user name and password for the site. 1.14.1.2Create an Active Directory organization unit Prior to installing Windows SharePoint Services 3.0 in account creation mode, create the OU that will be used to contain users that are created by SharePoint. To do this, launch Active Directory Users and Computers.

37

In the Organization unit box, enter the name that you would like to use, and then click OK. The new OU will appear under the Active Directory domain.

1.14.1.3Configuring Windows SharePoint Services in account creation mode The following is a concise checklist of the installation procedure. Refer to the appendix of this document for a step-by-step screen shot version. 1. Install Windows SharePoint Services 3.0 with Server Farm options. 2. Once the initial installation is complete run the SharePoint Products and Technologies Configuration Wizard. 3. On the Connect to a server farm page, select No, I want to create a new server farm, and then click Next. 4. Configure the database settings add more information as needed. 5. On the Configure SharePoint Central Administration page, select the Specify port number if you want a specific port number. Otherwise, accept the defaults and click Next. 6. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click the Advanced Settings button. 7. The Advanced Settings page will allow you to enable Account Creation Mode. Select the Enable Active Directory Account Creation Mode check box. Once the check box has been checked, enter the Active Directory Domain and the Organization Unit that was created earlier. Click OK. 8. On the Completion page, click Next.

38

9. The Configuration Successful page will appear. Click Finish to launch the Central Administration page. 10.Create a new Web application by going to Application Management and clicking on Create or extend Web application link. 11.On the next page, click Create a new Web application. 12.On the Create New Web Application page, select Create a new IIS Web site in the IIS Web Site section. In the Application Pool section, either select your Predefined security account, or specify the name of the account to be configured. Keep all other defaults, and click OK. 13.While in Central Administration, navigate to the Operations tab. Select the Outgoing e-mail settings link. 14.On the Outgoing E-Mail Settings page, specify the SMTP server name and the From and Reply-to addresses. Then click OK. 1.14.1.4Create SharePoint site collections At this point, you are now ready to create the top-level site. Use the stsadm.exe command-line tool to create a site. Stsadm.exe –o createsite –url <url> -ownerlogin <Domain\name> [-ownername <display name>] [-lcid <language>] [-sitetemplate <site template>] [-title <site title>] [-description <site description>] [-hostheaderwebapplicationurl <web application url>] [-quota <quota template>] The following command creates a new site. Stsadm -o createsite -url http://www.contoso.com -ownerlogin userB -owneremail ryani@contoso.com

39

-hhurl http://moss –sitetemplate STS#0 On a successful completion, the user will receive an e-mail invitation for the new site. Within the e-mail, the user will receive the user name and password to log on to the site.

1.14.1.5Using the stsadm getproperty operations The stsadm getproperty operation is useful when the configured values need to be obtained. Use the following syntax: Stsadm –o getproperty –pn <property-name> The following property names pertain to the account creation mode. createadaccounts. Contains a value specifying which user account mode has been configured. "Yes" indicates that you are in Active Directory account creation mode, "no" indicates that you are in domain account mode. adaccountdomain. Specifies the Active Directory domain name to use for user accounts in Active Directory account creation mode. adaccountou. Specifies the organizational unit to use for user accounts in Active Directory account creation mode.

40

1.14.2Domain account mode Account creation mode is now a deprecated feature in Windows SharePoint Services 3.0, so new installations requiring the use of Active Directory as the membership repository should not use this feature. Instead, the default mode most installations use is the domain account mode. This mode is most often used and is the best option when using integrated authentication in an organization. However, this mode can still be used with an Internet authentication scheme by using forms-based authentication. Domain account mode is the default installation of Windows SharePoint Services 3.0, and there are no special instructions required outside of installing Windows SharePoint Services 3.0 in your environment. That means that there is no required OU that SharePoint knows about for authenticated users. In previous chapters, we have discussed the setup of Active Directory for multiple tenancy. Once Active Directory has been set up, and the ASP.NET 2.0 Active Directory Membership Provider is configured, sites and users can be created by using this membership model. We have provided sample code in the form of Web Parts, Web pages, and Windows SharePoint Services 3.0 features that provide a simple user interface to allow an administrator to create a new user in the membership repository and automatically add that user as a reader to the SharePoint site. Individual users can change their own passwords when visiting a SharePoint site. These new features are integrated directly into the Windows SharePoint Services 3.0 drop-down menus and Site Settings options by using Windows SharePoint Services 3.0 features. The sample features to provide these user provisioning capabilities can be accessed at each SharePoint site when the features have been installed. Navigate to your SharePoint site, and log on as a site owner. Click the Site Actions button, and select Site Settings. This will load the Site Settings page, and you should see a new link named "Create User" in the Users and Permissions column.

41

Click the Create User link to go to the CreateUser.aspx page. This will allow you to create a new user in your current authentication provider repository and also on your current site (configured as a reader at first which you can change later).

42

On this page, you can enter the basic information to create a new user such as first name, last name, user name, e-mail address, and password. The default setting is for the page to create a random password for you and automatically send it via e-mail it to the user, so the site owner will never see it. You can clear this option and specify a desired password which will also be sent via e-mail to the user. The user will want to change this initial password after they first log on. In addition to these Web pages exposed directly on the SharePoint site, we have also provided Web services that can create and add users to a SharePoint site. These Web services contain Web methods for user creation and handle most of steps to properly secure users in Active Directory. You might want to use these Web services (or the sample code included) to programmatically create users in Active Directory.

43

1.14.3Non-Active Directory custom authentication mode If you choose to use a different membership repository other than Active Directory, you can still enable forms-based authentication to SharePoint sites. Each authentication zone can have a pluggable, custom authentication provider in addition to the default support for Windows Basic, Digest, NTLM, Forms, and Kerberos authentication methods. This provider model is based on the ASP.NET 2.0 authentication provider architecture. In addition to various prebuilt providers (SQL Server and Active Directory), custom providers can be built to use any number of custom membership directories or systems. For more information about building custom providers, see http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnpag2/html/PAGExplained0002.asp. If you are using SQL Server 2005 as your membership provider, and you are using the custom membership provider described in the associated sample code, you can use the Hosting Provisioning Features sample Web pages and features to enable user provisioning. Refer to the steps and screen shots in the Active Directory Domain Account Mode section for information on how the user creation process works for a site owner. If you are using a custom membership provider, you can use the source code for these Web Parts and pages to enable user creation in your own membership repository.

1.15Resetting passwords
As with most Web sites that use user names and passwords, it can be extra work for the site owner or Web designer to enable self-service password resetting. This is not a feature of Windows SharePoint Services 3.0, but we have included sample code for a Web Part and hosting page to enable self-service password resets for both Active Directory and SQL-based membership users. The Hosting Provisioning Feature sample set includes a feature that adds the ability to change passwords directly in the Welcome drop-down menu on a SharePoint site. Once an end user is logged on to a site, the user can click the Welcome drop-down menu and select the Change Password option.

44

Click the Change Password link to display the CreatePassword.aspx page.

This page enables a user to enter an old password, enter a new password, and confirm that new password. The password is then immediately changed for the next time the user logs on to the site. While this sample only works with Active Directory or SQL membership users, it can be extended through custom code to work with your own custom provider and membership store.

45

HTTPS
To configure HTTPS, a certificate needs to be applied to the Web site at an IIS Web site. Therefore, HTTPS can only be configured at the Web application level in Windows SharePoint Services 3.0. In hosting scenarios, the hosters can configure a single Web application with HTTPS and then create multiple hostnamed site collections within that Web application. Each Web site is technically sharing a single certificate. However, if the requirement is to apply a unique certificate per site, the hoster will need to create Web applications (which by definition do not scale as high as site collections in Windows SharePoint Services 3.0).

1.16Configuring HTTPS for host-named site collections
Configuring HTTPS is a matter of enabling SSL on the Create Web application page. SharePoint will automatically assign a port number to the Web application or you can specify a specific number if you choose to do so.

Once the Web application has been created, open IIS manager and assign a certificate. Create site collections as usual, making sure that you specify the port number for both the –url and –hhurl parameters of the stsadm –o createsite command.
Stsadm –o createsite –ownerlogin litwareinc\administrator –owneremail administrator@litwareinc.com –url https://www.Contoso.com:443 –hhurl https://moss:443

46

HTTPS sites can be created for account creation mode, Active Directory – domain account mode, and Active Directory forms authentication.

1.17Issues
The customizations that were done to the SQL membership providers do not support SSL, neither do they support creating site collections on any port other than port 80. Additional enhancements are required to both the MembershipSiteAdmin tool and the SQLSiteProvider to provide these capabilities.

47

Search
Search in Windows SharePoint Services 3.0 is designed to work only with NTLM. More specifically, the index component in Search requires NTLM. Therefore, in order for Search to be used with any other authentication mechanism, there are certain workarounds that are needed. This implies that search will work in Account Creation and Domain Account modes, if these modes are configured with NTLM. To configure search in either of these two modes, start the search service then, ensure that the content database is associated with the Search Server. Wait for the content to be crawled and then initiate a search query to see results. SSL can be enabled on these sites and search will automatically work. This is the default configuration, whereby each NTLM Web site points to its own content database. In situations where the Web Application’s authentication is configured for something other than NTLM ( ie. Forms authentication, Basic authentication, Kerberos authentication …etc…) you will need to configure two zones. The Default zone must be configured with NTLM, and then the Web app should be extended to another zone for the non NTLM authentication mode.

1.18Configuring Search with Basic Authentication:
Windows SharePoint Services 3.0 Search does not work when a site is configured to use basic authentication. For host-named site collections, use the following steps to get this working: Steps:

• • • •

Open SharePoint Central Administration Web site Click Application Management. Click "Create or extend Web application" Click "Create a new Web application "

48

• • • • • • • • • • •

Select "Create a new IIS Web site". Set the Port to 80. Set options as needed. Click OK Return to the Application Management Page. Click "Create or extend Web application" Click "Extend an existing Web application" Select the Web Application that was just created. Select "Create a new IIS Web site" Set the Port field to 80. Enter "temp" in the Host Header field. Set Zone to "Internet" (or whatever you'd like the zone which uses Basic to be, just make note of it.)

• • • • • • •

Set other options as needed. Click OK Click "Authentication Providers" Click "Internet" (or whicever zone you picked above) Set the Zone to use Basic Authentication, click OK. Open the Internet Information Services manager. Right-click on the Web site we created first and select Properties. (by default is labeled "Sharepoint - 80")

• •

click "Advanced" Double Click the Default entry in the "Multiple Identities for this Web site" section.

49

Select the "correct" IP address to be used by the Windows SharePoint Services search box for indexing. (which uses NTLM)

• •

click OK, then click OK. Right click on the Web site which was created 2nd and select Properties. (by default this site is labled SharePoint -temp80)

• • • • •

Click "advanced". doubleclick the entry which has the host header value of "temp". Remove Temp from the Host Header field. Select the "correct" IP address for Basic site. Click OK, then OK again.

At this point, we are ready to create our first host-named site collection, however we need to ensure that the server running the Windows SharePoint Services Search service resolves the IP address to the NTLM IP before we create this site. This can be done with either a split DNS architecture or just using the hosts. file on that server. Once that is configured, use "STSADM -o Createsite" with the -hostheaderwebapplicationurl parameter to create the site. To add more host-named site collections, simply add the DNS/Hosts file entry on the search machine, then use STSADM to create the site. If anonymous access is desired, it must be configured on the "Default" Zone, even if users are browsing via the Internet zone, as Host-Named site collections always take that setting from the Default Zone.

1.19Configuring Search for HTTPS sites
In some situations, there may be a need to extend an http Web application to an https Web application and have search results returned for both. This scenario

50

arose with hosters who had customers that want to move from http to https sites and couldn’t afford the overhead of doing a backup/restore for each customer’s site. Although this is an unsupported scenario, it can be made to work. The issue arises from the https site. Once the http site has been converted to an https site, the search from the https site fails. The two urls are shown below. The http site returns results, while the https site doesn’t.

By modifying the query string in the url, search results are returned.

You will also notice that the results are http links and not https – as it should be.

51

The workaround for the above issue involves developing an HttpModule that replaces the https in the query string, as well as redirects the search result links to https. A sample http module can be found below:
using using using using using using using System; System.Collections.Generic; System.Text; System.Web; System.Web.Configuration; System.Configuration; System.Diagnostics;

namespace SearchMapper { public class Mapper : IHttpModule { #region IHttpModule Members public void Dispose() { return; } public void Init(HttpApplication context) { context.BeginRequest += new EventHandler(context_BeginRequest); } void context_BeginRequest(object sender, EventArgs e) { System.Web.HttpApplication Appl = (System.Web.HttpApplication)sender; HttpContext cntx = Appl.Context; // if the path is /_layouts/searchresults.aspx, // modify the query string if (cntx.Request.Url.AbsolutePath == "/_layouts/searchresults.aspx") { string query = cntx.Request.Url.Query; query = query.Replace("?", ""); query = query.Replace("https", "http"); cntx.RewritePath(cntx.Request.Url.AbsolutePath, "", query); } // Implementation to be done by hosters // if url is http://fqdn // change url to https and redirect the request } } #endregion

In order for this http module to be used by Sharepoint, it needs to be compiled and deployed to the GAC. The Web.config for the Web Application should be modified by adding a new element ( as shown below ) to the httpModules

52

section. Ensure that the PublicKeyToken matches the assembly that has been installed in the GAC.

<add name="Searchfix" type="SearchMapper.Mapper, SearchMapper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=3a56f1135add3e4a"/> Eventhought the search was conducted on a site with https, the results are returned with http urls (not https). In order to fix this problem, you can create a new http module that maps the http urls to https urls. The shell of the http module is similar to the sample given above.

1.20Configuring Search for Forms Based Authentication with Custom Authentication Provider:
Search in Windows SharePoint Services does not work with FBA and custom authentication providers. At the point of writing this white paper, we are still investigating workarounds for Search to work with Custom Authentication Providers using FBA. If a workaround is found, it will be communicated separately.

53

Configuring HTTPS for Host-Named Site Collections
Configuring HTTPS is a matter of enabling SSL on the Create Web application page. Windows SharePoint Services 3.0 will automatically assign a port to the Web application. However, you can change it to whatever port you want. Once the Web application has been created, open IIS manager and assign a certificate. Create sites as usual, making sure that you specify the port number for both the –url and –hhurl parameters of the stsadm –o createsite command. HTTPS sites can be created for account creation mode, Active Directory – domain account mode, and Active Directory forms authentication.

1.21Issues
The customizations that were done to the SQL membership providers do not support SSL, neither do they support creating site collections on any port other than port 80. Additional enhancements are required to both the MembershipSiteAdmin tool and the SQLSiteProvider to provide these capabilities. As shipped, Search for Windows SharePoint Services 3.0 will not work when HTTPS is configured. For a workaround, see the section on Search.

54

Migration from 2.0 to 3.0
Windows SharePoint Services 3.0 provides two options to upgrade from Windows SharePoint Services 2.0 to Windows SharePoint Services 3.0: in-place and gradual. An in-place upgrade is used to upgrade all SharePoint sites at once. A gradual upgrade allows selected sites to be upgraded. The following sections describe each method.

1.22In-place upgrade
• Windows SharePoint Services 2.0 is overwritten with Windows SharePoint Services 3.0, and the content databases are changed. This means that an in-place upgrade is an irreversible process, without the option of rolling back to the previous version. • The original Windows SharePoint Services 2.0 sites cannot be viewed after the upgrade. • • All sites are unavailable to site visitors during the upgrade. Site visitors continue to use the same URLs after the upgrade.

1.23Gradual upgrade
• For larger deployments of Windows SharePoint Services 3.0, a gradual upgrade is the best option because it allows the administrator who is performing the upgrade to control how many site collections to upgrade at one time. In this way, large deployments of Windows SharePoint Services 2.0 can be upgraded gradually while hosting previous version sites. • As each group of site collections is upgraded, the data in the groups is copied from the original database to a new database before the data is upgraded to Windows SharePoint Services 3.0. The original Windows SharePoint Services 2.0 data is maintained in the original database until the server administrator explicitly deletes it. Because of this, upgraded sites can be easily rolled back to the previous version, if necessary. • All sites are available to site visitors during the upgrade.

55

The upgrade process redirects the original URLs to the upgraded version of the sites. This way, users can continue to use the same URLs that they used before the upgrade.

For a high-level workflow process of the upgrade, see http://office.microsoft.com/en-us/sharepointtechnology/HA100773421033.aspx. For additional information provided in the Upgrade Operations Guide, see Upgrading to Windows SharePoint Services version 3.

56

The “Fabulous 40” Application Templates
Application templates are custom scenarios for the Windows SharePoint Services 3.0 platform tailored to address specific business processes or sets of tasks. These application templates are tailored to address the needs and requirements for specific business processes or sets of tasks for organizations of any size. While these applications also provide a starting point for partners and developers looking to build deeper Windows SharePoint Services 3.0 solutions. A sample application template that can be used to create a portal site for a “Sales Team” is as follows:

Microsoft will release a new set of application templates for Windows SharePoint Services 3.0. Some of the previous scenarios, such as Help Desk, Project Site,

57

Knowledge Base, and the Employee/HR templates, have been significantly improved to incorporate and highlight new capabilities in Windows SharePoint Services 3.0. New scenarios were also added to address customer and partner requests. Some examples include call center, supporting the compliance process, inventory and asset tracking, and sports league. The new set of templates will make use of Windows SharePoint Services 3.0 capabilities, preconfigured with Office SharePoint Designer, such as workflows, wikis, Gantt task charts, portal sites, master pages, and document management. To learn more about templates and to download them, see http://www.microsoft.com/technet/windowsserver/sharepoint/wssapps/v3templ ates.mspx

1.24Site administrator templates
Forty new application templates are coming soon for Windows SharePoint Services 3.0. Twenty of the templates will be “site administrator templates” and available in English only. These templates will be easy for site administrators to install in a template gallery without requiring server administration access. The English-only site administrator templates are: Board of Directors Classroom Management Clinical Trial Initiation and Management Competitive Differentiation Site Discussion Database Emergency Management for Government Agencies Employee Activities Site Employee Self-Service Benefits Employee Training Scheduling and Materials Equity Research Manufacturing Process Management Marketing Campaign Planning and Execution New Product Development New Store Opening

58

Product Portfolio and Profitability Management Request for Proposal Sports League Team Work Site Timecard Management Vendor Performance Rating

In order for these templates to be available to the end customer, they will need to be downloaded separately, so that they can be saved on the customer’s hard disk. Instead, the server administrater (at the hoster) can make these templates (.stp) files available to their customers by executing the following command:

stsadm.exe -o addtemplate -filename <template filename> -title <template title> [-description <template description>]

1.25Server administrator templates
The other 20 will be “server administrator templates” and available in 11 languages (English, French, Italian, German, Spanish, Portuguese, Japanese, Chinese Simplified, Chinese Traditional, Korean, and Hebrew). These will be created as site definitions, providing tighter integration and enhanced functionality within the Windows SharePoint Services 3.0 platform. They will require a server administrator to install. These templates are: Absence Request and Vacation Schedule Management Budgeting and Tracking Multiple Projects Bug Database Call Center Change Request Management Compliance Process Support Site Contacts Management
59

Document Library and Review Event Planning Expense Reimbursement and Approval Site Help Desk Inventory Tracking IT Team Workspace Job Requisition and Interview Management Knowledge Base Lending Library Physical Asset Tracking and Management Project Tracking Workspace Room and Equipment Reservations Sales Lead Pipeline

1.26Grouping of templates
To create compelling business applications, a hoster can combine one or more of these application templates to create a “packaged” offering. These templates can provide various functions that are grouped together according to the function they perform. For example, a hoster can create a package geared towards “Telephone Services” oriented businesses. They can create a Web site named www.thephone-company.com. The www.thephone-company.com can be any generic team site. Using this team site, multiple subsites can be created by using templates such as: • www.thephone-company.com/OOF: Absence Request and Vacation template • • • www.thephone-company.com/schedules: Schedule Management template www.thephone-company.com/timecard: Time card Management www.thephone-company.com/benefits: Employee Self Service Benefits

Alternatively, sites can be created by using subdomains of a top-level domain. For example, for www.thephone-company.com, you can have blogs.thephone-

60

company.com, wiki.thephone-company.com, and so on. However, for hostnamed sites, a DNS entry can only map to a top-level site collection; and each top-level site collection becomes an independent application, thereby giving rise to security and authentication issues. There are two ways this issue can be solved: 1. By implementing a a façade layer across all top-level site collections to manage all site collections as a single site. 2. Implmented these solutions as subsite; but create a http module that maps blogs.myBusiness.com to www.myBusiness.com/blogs and so on

1.27Converting templates from Windows SharePoint Services 2.0 to Windows SharePoint Services 3.0
Microsoft has released tools and guidance as a “solution accelerator” to help customers attempt upgrades from some of the previous application templates for Windows SharePoint Services 2.0 to run on the new Windows SharePoint Services 3.0 platform. For information about the solution accelerator, see http://www.microsoft.com/technet/solutionaccelerators/collaboration/default.msp x or http://www.microsoft.com/downloads/details.aspx?familyid=35EBF87F-BF984E6F-9987-E861533E3A8D&displaylang=en. Next, we will present a list of all templates and categorize them. These categories can be samples of groupings of business applications that hosters can offer to their customers.

61

Other Deployment Issues in Hosting Scenarios
1.28Active site count
One of the metrics that is of interest to hosters is the “Active Site Count”, as measured and reported by Netcraft. With Windows SharePoint Services 3.0, as is the case with all secured sites, Netcraft has an issue with accessing the sites, and therefore, cannot count them. A site that is secured by using NTLM or Basic authentication does not get counted at all because an HTTP 401 or 403 error is returned. These sites will not be counted at all. If Windows SharePoint Services 3.0 is using forms-based authentication, access to any site in the Web application is always directed to the same logon page. This is by design; wherein the validity of the URL is not confirmed until the user is authenticated. As all sites get mapped to the same common logon page, all sites get counted as 1 by Netcraft. This issue is being discussed by Microsoft and Netcraft. If a workaround is found, it will be communicated to all hosters.

1.29IIS reset
In Windows SharePoint Services 3.0, on IIS 6.0, any time a new Web application is created, IIS needs to be reset (by using the IISReset command). This is due to how access control lists (ACLs) are administered by IIS 6.0. In a shared hosting scenario, IISReset will cause all Web sites that are hosted on the server to be reset, which is not a desirable situation. This problem is being researched by Microsoft.

1.30Bandwidth measurement tools
Hosters care about bandwidth usage. However, in the current version of Windows SharePoint Services 3.0, there is not a good built in reporting mechanism for reporting bandwidth usage. There is an article on MSDN for 2.0 (unchanged for 3.0) that covers how to use the usage data provided by Windows

62

SharePoint Services. To view this information, see http://download.microsoft.com/download/7/1/d/71df322f-81dc-423e-8b58b4badc6b4366/GetUsageBlobSample.exe. Hosters are encouraged to access this download and modify it as needed.

1.31People picker
In the hosted scenarios, if the hoster is using Active Directory in domain account mode and has structured Active Directory in the list account mode as describe in this document, the people picker does not restrict users based on the site or the OU they belong to. This is because the people picker is running in the context of the application pool account that has higher privileges. For the scoping to work properly, the hosters need to set the peoplepickeronlysearchwithinsitecollection attribute at the Web application level. This attribute needs to be set to yes. Once this attribute is set, the users need to be added to the site collection programmatically. A similar workaround exists to get forms-based authentication to work properly, where the domain\user in Active Directory needs to be added to the site collection as “Provider:user”. In the hosted scenarios, if the hoster is using AD in Domain account mode and have structured the AD in the list-account mode as describe in this document, the people-picker does not restrict users based on the site or the OU they belong to. This is because the people picker is running in the context of the application pool account that has higher privilages. In order for the scoping to work properly, the hosters need to set the peoplepickeronlysearchwithinsitecollection attribute at the web application level. This attribute needs to be set to “yes”. Once this attribute is set, the users need to be added to the site collection programmatically.

Below is how you can set peoplepicker attribute using stsadm. You can do all of these things programmatically as well. PeoplePicker Options:

63

PeoplePicker is a property that can be set using stsadm command. To set properties, the stsadm command is as follows: stsadm.exe -o setproperty -propertyname <property name> The peoplepicker properties available are:

• • • • •

peoplepicker-activedirectorysearchtimeout peoplepicker-distributionlistsearchdomains peoplepicker-onlysearchwithinsitecollection peoplepicker-searchadcustomquery peoplepicker-searchadforests

1.31.1 peoplepicker-activedirectorysearchtimeout Allows you to configure the timeout when a query is issued to Active Directory (AD). For example, if you have 10 ADs to search and you do not want to let the user to wait too long, you could configure the timeout to be 10 seconds per AD. The value of this property is an integer such as “30”. The default value is 30 seconds. stsadm.exe -o setproperty -pn peoplepicker-activedirectorysearchtimeout –pv 30

1.31.2 peoplepicker-distributionlistsearchdomains Restricts the search from a search distribution list to be from a specific subset of domains. For example, if we use the following command:

stsadm.exe -o setproperty -url http://contoso-370 -pn peoplepickerdistributionlistsearchdomains -pv corp.microsoft.com;ntdev.corp.microsoft.com The result will restrict the search for DL to only be corp.microsoft.com and ntdev.corp.microsoft.com. If nothing was set, it will search all trusted domains or the domains listed in the configuration.

64

Note: The domain name should be DNS name instead of flat name.

1.31.3

peoplepicker-onlysearchwithinsitecollection

Displays only users that are members of the site collection. Only users that are already added to the site collection are displayed in the People Picker. This prevents anyone from browsing your user directory through the People Picker. For example, in a hosting scenario, we do not want to let the end users to be able to search users from Active Directory. We only want the end users be able to search users that are already in the site collection. But suppose the end user already knows the login name in Active Directory, we still allow end users to invite the user with fully qualified login name. The following commands are used to configure this property:

Stsadm.exe -o setproperty –url http://server –pn peoplepickeronlysearchwithinsitecollection –pv yes Stsadm.exe -o setproperty –url http://server –pn peoplepickeronlysearchwithinsitecollection –pv no

1.31.4

peoplepicker-searchadcustomquery

Allows the administrator to set the custom query that is sent to Active Directory. For example, the admin could use the following command to search for the last name: stsadm.exe -o setproperty -pn peoplepicker-searchadcustomquery -pn (sn={0}*)

65

1.31.5

peoplepicker-searchadforests

Allows a user to search from a second one-way trusted forests or domains. By default SharePoint only talks to the domain controller for the domain in which we’re running. Therefore, if you want SharePoint to enumerate a list of users using PeoplePicker from a second forest or domain, you need to run the following command: Stsadm.exe –o setproperty –pn peoplepicker-searchadforests –pv <list of forests or domains> -url <webapp> The format of <list of forests or domains> is a list of forest:DnsName,LoginName,Password or domain:DnsName,LoginName,Password separated by semicolon. If they are trusted domains/forests, then it is not necessary to pass in the LoginName or Password, just in the format of forest:DnsName or domain:DnsName

66

Development Guide
1.32Developing custom SharePoint Web services
1.32.1Why would you need to develop this? The Windows SharePoint Services 3.0 Web service provided by the Microsoft.SharePoint.SoapServer namespace has numerous methods for accessing content on a site, including methods for working with lists or site data, as well as methods for customizing meetings, imaging, document workspaces, or search. The Simple Object Access Protocol (SOAP) interfaces used in these services provide .NET developers with object models for creating solutions that work with Windows SharePoint Services 3.0 remotely from a client application or custom application. The interfaces are integrated with the server-side object models of the Windows SharePoint Services 3.0 assembly, and their design has been optimized to reduce the number of roundtrips transacted between the client computer and the server. Most Web services provide their functionality through the /_vti_bin virtual directory, which maps to the \\Program Files\Common Files\Microsoft Shared\Web server extensions\12\ISAPI physical directory in the file system. The Administration Web service uses the /_vti_adm virtual directory, which maps to \12\ADMISAPI. When these services do not meet your needs, you can develop custom Web services to provide access remotely to SharePoint content. 1.32.2How do you develop? The basic steps in creating a Web service for SharePoint are: 1. Create an ASP.NET Web service in Microsoft Visual Studio 2005. 2. Create a class library within the Web service that defines the programming logic for the Web service. 3. Generate and edit a static discovery file and a Web Services Description Language (WSDL) file.

67

4. Deploy the Web service files to the _vti_bin directory. 5. Create a client application to consume the Web service. 1.32.2.1Create an APS.NET Web service 1. Open Visual Studio 2005 and create a new Web site from the File menu. 2. In the Templates dialog box: a. Select the ASP.NET Web Service template. b. For location, select File System. c. For language, select C#. d. Name the service MyWebService. 1.32.2.2Create a class library 1. In the same solution, add a C# class library project and name it MyWebServiceClass. Use this library for the Web service logic. 2. By default Class1.cs is created. Rename this class to MyService.cs. This changes the name of the class to MyService. 3. In the MyWebService project in App_Code folder is the Service.cs file. Open the file and copy all the using statements to the clipboard. 4. Go back to MyService.cs class in MyWebServiceClass project and replace all the using statements with the ones copied to the clipboard. 5. Switch back to the Service.cs file in the MyWebService project and copy the entire class including the attributes to the clipboard. 6. Go back to MyService.cs class in MyWebServiceClass project and replace the entire MyService class with the copy in the clipboard. 7. Change the name of the class to MyService from Service. Also change the constructor Service() to MyService(). 8. For the Web service Namespace attribute change the default from http://tempuri.org/ to http://microsoft.com/mywebservice/. 9. In Solution Explorer, select the MyWebServiceClass project and right-click to bring up the context menu. Select Properties. On the Signing tab, select Sign the Assembly. 10.Under the Choose a strong name key file drop-down menu, select New.

68

11.In the Create String Name Key dialog box, clear Protect my key file with password. 12.For Key File Name provide a name of MyWebServiceClass.snk and click OK to close the dialog box. 13.Right-click the project in Solution Explorer and add a reference to System.Web.Services. 14.Also add a reference to Microsoft.SharePoint.dll. You will find this in C:\Program Files\Common Files\Microsoft Shared\Web server extensions\12\ISAPI. You will need this for using the SharePoint object model. 15.The Web service class that we copied into our class library has a default HelloWorld() Web method. Change the name of it to GetWebInfo(). 16.For the Web method, add the following code that uses SharePoint object model to query all sites and get some information.

69

StringBuilder sb = new StringBuilder(); try { SPFarm mySPFarm = SPWebService.ContentService.Farm; SPServerCollection mySPServerCollection = mySPFarm.Servers; SPWebService.ContentService.WebApplications; //SPSecurity.RunWithElevatedPrivileges(delegate() //{ if (mySPWebAppCollection != null) { foreach (SPWebApplication mySPWebApp in mySPWebAppCollection) { sb.Append("\nWebApplication: " + mySPWebApp.Name); sb.Append("\n AppPool: " + mySPWebApp.ApplicationPool.Name + " (" + mySPWebApp.ApplicationPool.Status + ")"); SPContentDatabaseCollection mySPContentDBCollection = mySPWebApp.ContentDatabases; sb.Append("\n # Content DBs: " + mySPContentDBCollection.Count); foreach (SPContentDatabase mySPContentDB in mySPContentDBCollection) { sb.Append("\n Database Name: " + mySPContentDB.Name); sb.Append("\n Database Server: " + mySPContentDB.Server); sb.Append("\n DSN: " + mySPContentDB.DatabaseConnectionString); } sb.Append("\n\n"); } } //}); } catch (Exception ex) { return "Error: " + ex.Message; } return sb.ToString();

17.Add the following using statements to the class.
using using using using using Microsoft.SharePoint; Microsoft.SharePoint.Utilities; Microsoft.SharePoint.WebControls; Microsoft.SharePoint.Administration; System.Text;

18.Right-click the MyWebServiceClass project and build it.

70

19.Drag and drop the MyWebServiceClass.dll from the bin\debug folder to C:\WINDOWS\assembly. 20.Select the MyWebServiceClass.dll file in the C:\WINDOWS\assembly folder. Right-click the file and select Properties. Copy the public key token from here. 21.From MyWebService project under the App_Code folder, select the Service.cs file and delete it. You no longer need this. 22.Open the Service.asmx file and get rid of the CodeBehind file. Instead of code behind, you will use a separate assembly for the class. 23.In service.asmx change the class to refer to MyWebServiceClass.MyService. It should read as follows with the PublicKeyToken replaced with the one that has been copied to the clipboard.
<%@ WebService Language="C#" Class="MyWebServiceClass.MyService,MyWebServiceClass,Version=1.0.0.0,Culture=neutra l,PublicKeyToken=e7f13ad5976e23d8" %>

1.32.2.3Generate and edit a static DISCO & WSDL 1. In Windows Explorer, copy the Service.asmx file of your Web service to \\Program Files\Common Files\Microsoft Shared\Web server extensions\12\TEMPLATE\LAYOUTS. 2. Run Disco.exe at the Visual Studio command prompt from the LAYOUTS directory to generate .disco and .wsdl files. Run a command in the following format to generate the files in \LAYOUTS: disco http://MyServer/_layouts/MyCustomWebService.asmx. This will produce two files: service.disco and service.wsdl. 3. Rename service.wsdl to servicewsdl.aspx and service.disco to servicedisco.aspx. 4. To register namespaces of the Windows SharePoint Services object model, open both the disco and wsdl files and replace the opening XML processing instruction -- <?xml version="1.0" encoding="utf-8"?> -- with instructions such as the following code sample.
<%@ Page Language="C#" Inherits="System.Web.UI.Page"%> <%@ Assembly Name="Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> <%@ Import Namespace="Microsoft.SharePoint.Utilities" %> <%@ Import Namespace="Microsoft.SharePoint" %> <% Response.ContentType = "text/xml"; %>

5. In the disco file replace literal paths with code-generated paths, as shown in the following code sample.

71

<contractRef ref=<% SPHttpUtility.AddQuote(SPHttpUtility.HtmlEncode(SPWeb.OriginalBaseUrl(Request) + "?wsdl"),Response.Output); %> docRef=<% SPHttpUtility.AddQuote(SPHttpUtility.HtmlEncode(SPWeb.OriginalBaseUrl(Request)),Res ponse.Output); %> xmlns="http://schemas.xmlsoap.org/disco/scl/" /> <soap address=<% SPHttpUtility.AddQuote(SPHttpUtility.HtmlEncode(SPWeb.OriginalBaseUrl(Request)),Res ponse.Output); %> xmlns:q1="http://MyWebService.com/" binding="q1:MyServiceSoap" xmlns="http://schemas.xmlsoap.org/disco/soap/" /> <soap address=<% SPHttpUtility.AddQuote(SPHttpUtility.HtmlEncode(SPWeb.OriginalBaseUrl(Request)),Res ponse.Output); %> xmlns:q2="http://MyWebService.com/" binding="q2:MyServiceSoap12" xmlns="http://schemas.xmlsoap.org/disco/soap/" />

6. In the wsdl file make similar changes for the <soap:address> element, as shown in the following code sample.
<wsdl:service name="MyService"> <wsdl:port name="MyServiceSoap" binding="tns:MyServiceSoap"> <soap:address location=<% SPHttpUtility.AddQuote(SPHttpUtility.HtmlEncode(SPWeb.OriginalBaseUrl(Request)),Res ponse.Output); %> /> </wsdl:port> <wsdl:port name="MyServiceSoap12" binding="tns:MyServiceSoap12"> <soap12:address location=<% SPHttpUtility.AddQuote(SPHttpUtility.HtmlEncode(SPWeb.OriginalBaseUrl(Request)),Res ponse.Output); %> /> </wsdl:port> </wsdl:service>

1.32.2.4Deploy the Web service files The _vti_bin folder is mapped to Program Files\Common Files\Microsoft Shared\Web server extensions\12\ISAPI. To deploy the Web service files: 1. Copy the three files named service.asmx, servicedisco.aspx, and servicewsdl.aspx from \\Program Files\Common Files\Microsoft Shared\Web server extensions\12\TEMPLATE\LAYOUTS to \\Program Files\Common Files\Microsoft Shared\Web server extensions\12\ISAPI. 1.32.2.5Create a client application 1. From the File menu, add a Windows Application project to the solution and name it MyWebServiceTest. 2. Right-click this project in Solution Explorer and select Add Web Reference. 3. In the Add Web Reference dialog box, for URL type enter http://<servername>/_vti_bin/service.asmx where <servername> is the name of your server, and then click the GO button.

72

4. Change the Web Reference Name to MyCustomService and click Add Reference. 5. In the default Form1, add a button control and change the Text property to read Invoke Web Service. 6. Change the name of the button control to buttonInvoke. 7. Double-click the button control to add code to its click event. 8. Add the code as shown in the following code sample.

try { MyCustomService.MyService myService = new MyWebServiceTest.MyCustomService.MyService(); myService.UseDefaultCredentials = true; MessageBox.Show(myService.GetWebInfo()); } catch (Exception ex) { MessageBox.Show(ex.Message); }

9. Run the test application, and click the Invoker Web Service button. If everything is OK this will return a string of all Web sites and information about the content database using SharePoint object model through our custom Web service. 1.32.3How do you debug? Debugging the Web service entails three fundamental steps: 1. Set breakpoints. 2. Attach to the ASP.NET process. 3. Step into the code. 1.32.3.1Setting breakpoints 1. Open Visual Studio and the MyWebServiceClass project. 2. Open the MyService.cs class. 3. Set breakpoint where desired.

73

1.32.3.2Attaching to the ASP .NET process 1. Right-click the MyWebServiceTest project and click Debug. 2. Switch back to Visual Studio and select MyWebServiceClass project. 3. Attach to the ASP.NET process: a. On the Debug menu, click Attach To Processes…. b. Select the Show process in all sessions check boxes. c. Look for the w3wp.exe process and click Attach, and you are ready to debug. 1.32.3.3Step into the code 1. Switch to the running MyWebServiceTest application. 2. Click the Invoke Web Service button. Execution will stop at the breakpoint that has been set. 3. Step through the code as required.

74

1.33Developing SharePoint Web Parts
1.33.1Why would you need to develop this? Web Parts in Windows SharePoint Services 3.0 provide developers with a way to create user interface elements that support both customization and personalization. A site owner or a site member who has the appropriate permissions can customize a Web Parts Page by using a browser or Microsoft Office SharePoint Designer 2007 by adding, reconfiguring, and removing Web Parts. The term customization implies that changes are seen by all site members. Individual users can further personalize a Web Parts Page by adding, reconfiguring, and removing Web Parts. The term personalization implies that these changes will be seen only by the user that made them. Developing custom Web Parts provides an easy and powerful way to extend SharePoint sites. Some ways in which you can use custom Web Parts include the following: • • • • Creating custom properties you can display and modify in the user interface. Improving performance and scalability. A compiled custom Web Part runs faster than a script. Implementing proprietary code without disclosing the source code. Securing and controlling access to content within the Web Part. Built-in Web Parts allow any users with appropriate permissions to change content and alter Web Part functionality. With a custom Web Part, you can determine the content or properties to display to users, regardless of their permissions. Making your Web Part connectable, allowing Web Parts to provide or access data from other connectable Web Parts. Interacting with the object models that are exposed in Windows SharePoint Services 3.0. For example, you can create a custom Web Part to save documents to a Windows SharePoint Services 3.0 document library. Controlling the cache for the Web Part by using built-in cache tools. For example, you can use these tools to specify when to read, write, or invalidate the Web Part cache.

• •

75

• •

Benefiting from a rich development environment with debugging features that are provided by tools such as Visual Studio 2005. Creating a base class for other Web Parts to extend. For example, to create a collection of Web Parts with similar features and functionality, create a custom base class from which multiple Web Parts can inherit. This reduces the overall cost of developing and testing subsequent Web Parts. Controlling the implementation of the Web Part. For example, you can write a custom server-side Web Part that connects to a back-end database, or you can create a Web Part that is compatible with a broader range of Web browsers.

Beginning with Windows SharePoint Services 3.0, the SharePoint Web Part infrastructure is designed and built to lie on top of the ASP.NET Web Part infrastructure. Web Parts that inherit from System.Web.UI.WebControls.WebParts.WebPart are fully supported in Windows SharePoint Services 3.0 (with the exception of user controls as generic Web Parts), and can be used not only in ASP.NET applications but also in Windows SharePoint Services 3.0 applications, whether Windows SharePoint Services is involved or not. The Windows SharePoint Services WebPart class is part of an infrastructure that was designed specifically for SharePoint sites, and Web Parts that inherit from this class can be used only in SharePoint sites. When creating new Web Parts, you have the option of creating Web Parts that inherit from System.Web.UI.WebControls.WebParts.WebPart (recommended) or Microsoft.SharePoint.WebPartPages.WebPart. The Windows SharePoint ServicesWebPart class exists primarily for the purpose of backward compatibility (Web Parts written for Windows SharePoint Services 2.0 continue to work in Windows SharePoint Services 3.0 without modification), and to provide a small set of features that are not available in the System.Web.UI.WebControls.WebParts.WebPart class. 1.33.2How do you develop? Beginning with Windows SharePoint Services 3.0, the SharePoint Web Part infrastructure is built on top of the ASP.NET 2.0 Web Part infrastructure. Web Parts that derive from the ASP.NET WebPart class are completely supported in SharePoint. You should create ASP.NET Web Parts whenever possible.

76

For more information about choosing the best Web Part base class from which to derive, see Creating Web Parts in Windows SharePoint Services in this SDK. For more information about ASP.NET Web Parts, see the in the ASP.NET documentation. The general process for writing a custom ASP.NET Web Part is: 1. Create an ASP.NET Web Part assembly. 2. Place your assembly in the bin or global assembly cache. 3. (Optional) If using the bin directory, set special security attributes. 4. Add your Web Part to the SafeControls List. 5. Create a .webpart file for your Web Part. 6. Add your Web Part to a page. For the purposes of this document, we will walk through creating a basic Web Part. 1.33.2.1Create an ASP .NET Web Part assembly 1. Start Visual Studio 2005 and create a C# class library. Name the project MyWebPart. 2. Rename the default class1.cs file to HelloWorldWebPart.cs. This will not only rename the file but also rename the class to HelloWorldWebPart. 3. Add a reference to System.web assembly. 4. Add a using statement; using System.Web.UI.WebControls.WebParts 5. Derive the HelloWorldWebPart class from WebPart. 6. Override the Render() method. For example, for HelloWorldWebPart, use the code shown in the following code sample.

77

using using using using

System; System.Collections.Generic; System.Text; System.Web.UI.WebControls.WebParts;

namespace MyWebPart { public class HelloWorldWebPart : WebPart { protected override void Render(System.Web.UI.HtmlTextWriter writer) { writer.Write("Hello, World!"); } } }

1.33.2.2Place your assembly in the bin or GAC For the purposes of this walk through, we will place the Web Part assembly in the \bin folder of the SharePoint Web site. 1. Right-click the MyWebPart project in the solution explorer and click Properties. 2. Select the Build tab on the properties page. 3. Set the Output Path to be the \bin folder of the SharePoint Web site. 4. Compile the solution. The Web Part assembly will be built in the \bin folder of the SharePoint Web site. 1.33.2.3(Optional) If using the bin folder, set special security attributes By default, code access security permissions for the bin directory are low; only pure execution is allowed. Although the sample in this walkthrough can run with the minimal trust level, in most cases you need to elevate these permissions to make your assembly run correctly, for example, if your Web Part requires access to the SharePoint object model. There are two ways to elevate permissions: • (Recommended) Create a new trust policy file, and point the Web.config file at the new file. This option is more complicated but it gives you a precise attribution of permissions for your Web Parts. For more information about trust policy files, see Microsoft Windows SharePoint Services and Code Access Security. Raise the net trust level of the bin directory. In the Web.config file in the Web application root, there is a tag called <trust> that has a default attribute of level="Windows SharePoint Services_Minimal". You can

78

change this level to Windows SharePoint Services_Medium. While this option is simpler, it grants arbitrary new permissions you might not need and is less secure than creating a new trust policy file. 1.33.2.4Register the Web Part as a safe control 1. Open Web.config from the application root of the SharePoint Web site. 2. Locate the <SafeControls> section. 3. Add a <SafeControl> entry for the Web Part developed.

<SafeControl Assembly="MyWebPart, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" Namespace="MyWebPart" TypeName="*" Safe="True" AllowRemoteDesigner="True" />

1.33.2.5Add the Web Part to the Team Site Gallery 1. Navigate to http://server/_layouts/newdwp.aspx, where server is the name of the server where SharePoint is deployed. 2. Locate and select the MyWebPart.HelloWorldWebPart check box. 3. Click Populate Gallery to add the Web Part to the Team Site Gallery. 1.33.2.6Add a Web Part to a page 1. Navigate to a page where you want to add the Web Part. 2. Click Site Actions and select Edit Page. 3. In the Web Part zone, click where you want to add the new Web Part, click Add Web Part. 4. From the list, select the MyWebPart.HelloWebPart Web Part. 5. Click Exit Edit Mode, and you are done. You can also use project templates included in Visual Studio 2005 extensions for Windows SharePoint Services 3.0 to speed your Web Part development. For a detail description of this, see http://msdn2.microsoft.com/enus/library/aa973249.aspx. 1.33.3How do you debug? Web Part assemblies are fundamentally ASP.NET Web controls. The high-level steps in debugging them are:

79

1. Set breakpoints. 2. Attach to the ASP.NET process. 3. Step into the code. 1.33.3.1Setting breakpoints 1. Open Visual Studio and the Web Part solution. 2. Ensure that the Output Path of the solution is in the \bin folder of the Web site. If not, go to project properties and change the Output Path to be the \bin folder of the Web site. 3. Build the Web Part if not already built. 4. Ensure that the Web Part assembly is registered as a safe control in the Web.config for the Web site. 5. Set breakpoint where desired. 1.33.3.2Attaching to the ASP .NET process 1. Set up the Web Part in any page in the SharePoint site. 2. Attach to the ASP.NET process. a. On the Debug menu click Attach To Processes…. b. Select the Show process in all sessions check boxes. c. Look for the w3wp.exe process and click Attach, and you are ready to debug. 1.33.3.3Step into the code 1. Request the page with the target Web Part in it. When the page and the Web Part renders, depending on where you have set the breakpoint, the execution will stop and switch over to Visual Studio. 2. Step through the code as required.

80

1.34Developing SharePoint Web applications
1.34.1Why would you need to develop this? The Microsoft.SharePoint and Microsoft.SharePoint.Administration namespaces provide types and members that can be used with lists and sites, as well as to manage a server or collection of servers that is running Windows SharePoint Services 3.0. You can use the classes in these namespaces to gain access to all the other classes to work with lists and Web sites, to manage servers, and to manage the entire deployment. Starting with one of these classes, you can work through the object model to the class that you need to use. Developing a custom SharePoint Web application gives you complete freedom and flexibility in designing a Web site that can run under the SharePoint context and yet be designed outside of SharePoint. The Visual Studio 2005 integrated development environment (IDE) offers the premier environment for customizing a Web site based on Windows SharePoint Services 3.0. You can create, for example, Windows applications, console applications, or class libraries, as well as Web applications (or Web sites) and Web services that implement the Windows SharePoint Services object model. You run code that uses namespaces of the Microsoft.SharePoint assembly on the server running the deployment, while applications that use SharePoint Web services run remotely from a client computer. 1.34.2How do you develop? The fundamental steps in creating a Web application to run under the context of SharePoint are: 1. Create the site project. 2. Customize the site to co-exist with SharePoint. 3. Add a reference to Microsoft.SharePoint.dll. 4. Add and modify the Web form to suit the need.

81

1.34.2.1Create a Web site 1. To customize Windows SharePoint Services 3.0 through its object model or Web services, you must use Visual Studio 2005, not an earlier version. 2. Create a new Web site project under a. For Language select C#. b. For location, select File System and use \\Program Files\Common Files\Microsoft Shared\Web server extensions\12\TEMPLATE\LAYOUTS\ folder. c. Name the site as MyWebSite and click OK. You can use the \\Program Files\Common Files\Microsoft Shared\Web server extensions\12\TEMPLATE\LAYOUTS\ as existing site and develop your custom .aspx pages here. We prefer to have our custom .aspx pages in a separate folder named MyWebSite. d. For a detailed description of this, see http://msdn2.microsoft.com/en-us/library/ms479423.aspx. 1.34.2.2Co-exist with SharePoint For an application to co-exist with SharePoint, you must modify the Web.config file of the application. For more information, see http://msdn2.microsoft.com/en-us/library/ms433526.aspx. The steps are: 1. Exclude the path of the application from Windows SharePoint Services 3.0. 2. Clear out the ASP.NET handler used in Windows SharePoint Services, and specify the default ASP.NET handler for all pages. 3. Adjust the trust level. 4. Enable the session module. An alternative method to do this, simply copy and overwrite the Web.config file from \\Program Files\Common Files\Microsoft Shared\Web server extensions\12\TEMPLATE\LAYOUTS\ to \\Program Files\Common Files\Microsoft Shared\Web server extensions\12\TEMPLATE\LAYOUTS\ MyWebSite. 1.34.2.3Add a reference to Microsoft.Sharepoint.dll To add a reference to the Microsoft.SharePoint assembly: 1. In Solution Explorer, right-click the MyWebSite project, and then click Add Reference on the shortcut menu.

82

2. On the .NET tab of the Add Reference dialog box, select Windows SharePoint Services in the list of components, and then click OK. 1.34.2.4Add or modify a Web form You can create a new form or modify the Default.aspx form or add another Web form. For the purposes of this walkthrough, we will modify the Default.aspx page that was created when we created the new Web site. 1. In Design view, use the Toolbox to add a label, and a button to Default.aspx. To open the Toolbox, click Toolbox on the View menu. 2. Open the code-behind file named Default.aspx.cs by double-clicking the button you created. 3. Add the using statements at the top of the file, as shown in the following code sample.

using using using using

Microsoft.SharePoint; Microsoft.SharePoint.Utilities; Microsoft.SharePoint.Administration; System.Text;

4. Add the following function to the class. The function uses SharePoint object model to query and fetch information about a SharePoint Web application.

83

protected void GetWebInfo() { StringBuilder sb = new StringBuilder(); try { SPFarm mySPFarm = SPWebService.ContentService.Farm; SPServerCollection mySPServerCollection = mySPFarm.Servers; SPWebApplicationCollection mySPWebAppCollection = SPWebService.ContentService.WebApplications; if (mySPWebAppCollection != null) { foreach (SPWebApplication mySPWebApp in mySPWebAppCollection) { sb.Append("\nWebApplication: " + mySPWebApp.Name); sb.Append("\n AppPool: " + mySPWebApp.ApplicationPool.Name + " (" + mySPWebApp.ApplicationPool.Status + ")"); SPContentDatabaseCollection mySPContentDBCollection = mySPWebApp.ContentDatabases; sb.Append("\n # Content DBs: " + mySPContentDBCollection.Count); foreach (SPContentDatabase mySPContentDB in mySPContentDBCollection) { sb.Append("\n Database Name: " + mySPContentDB.Name); sb.Append("\n Database Server: " + mySPContentDB.Server); sb.Append("\n DSN: " + mySPContentDB.DatabaseConnectionString); } sb.Append("\n\n"); } } } catch (Exception ex) { Label1.Text = "Error: " + ex.Message; } Label1.Text = sb.ToString(); }

5. For the button event handler add the following code to invoke the GetWebInfo() function when the button is clicked. 6. To run the code added in the previous step and avoid receiving an access denied error message, the user executing the GetWebInfo() method must have Full Control permission. 7. Add the following code to the Button1_Click event handler, which uses the RunWithElevatedPrivileges method to grant the current user appropriate permissions.

84

SPSecurity.CodeToRunElevated elevatedGetWebInfo = new SPSecurity.CodeToRunElevated(GetWebInfo); SPSecurity.RunWithElevatedPrivileges(elevatedGetWebInfo);

8. You are now ready to run the form. Save all your changes and navigate to the form by using the URL http://<servername>/_layouts/MyWebSite/Default.aspx where <servername> is the name of your server. 9. When the form is rendered, click the button to get the Web information.

1.34.3How do you debug? The high level steps in debugging them are: 1. Set breakpoints. 2. Attach to the ASP.NET process. 3. Step into the code. 1.34.3.1Setting breakpoints 1. Open Visual Studio and the Web site solution. 2. Set breakpoints where desired. 1.34.3.2Attaching to the ASP .NET process Attach to the ASP.NET process 1. On the Debug menu, click Attach to Processes…. 2. Select the Show process in all sessions check boxes. 3. Look for the w3wp.exe process, and click Attach, and you are ready to debug. 1.34.3.3Step into the code 1. You are now ready to run the form. Save all your changes and navigate to the form using the URL http://<servername>/_layouts/MyWebSite/Default.aspx where <servername> is the name of your server. When the page request is processed, depending on where you have set the break point, the execution will stop and switch over to Visual Studio. 2. Step through the code as required.

85

1.35Developing custom HTTP modules
1.35.1Why would you need to develop this? When you think of an ASP.NET application you generally think of a Web site with .aspx pages. In most situations, this is all that is required for developing a Web application. Yet there are situations where you want to tap into the underlying infrastructure of ASP.NET to provide custom handling of HTTP requests. The ASP.NET framework provides a flexible HTTP pipeline-based model that can be used to extend HTTP request processing – both preprocessing and postprocessing. Intercepting HTTP requests and providing custom hooks to alter the course of default action can be achieved by using HTTP modules. An HTTP module is an assembly that is called on every request made to your application. HTTP modules are called as part of the ASP.NET request pipeline and have access to life cycle events throughout the request. HTTP modules give you the opportunity to examine incoming requests and take action based on the request. They also give you the opportunity to examine the outbound response and modify it. ASP.NET HTTP modules are similar to ISAPI filters in that they run for all requests. However, they are written in managed code and are fully integrated with the life cycle of an ASP.NET application. They act as content filters and are integral part of ASP.NET. Typical uses for HTTP modules include: • Security. Because you can examine incoming requests, your HTTP module can perform custom authentication or other security checks before the requested page, XML Web service, or handler is called. Statistics and logging. Because HTTP modules are called on every request, you can gather request statistics and logging information in a centralized module, rather than in individual pages. Custom headers or footers. Because you can modify the outbound response, you can inject content such as custom header information into every page or XML Web service response. Redirection. Because you can intercept the incoming message and examine it, you can also take the decision of redirecting the URL.

86

1.35.2How do you develop? Developing a HTTP module is fairly straight forward. An HTTP module class implements the IHttpModule interface and typically will set up event handlers for preprocessing or postprocessing or both. You can create a custom HTTP module by creating a class that implements the IHttpModule interface and then registering it in the Web.config file. The general process for writing an HTTP module is: 1. Create a class that implements the IHttpModule interface. 2. Write a handler for the Init method. Your init method should initialize your module and subscribe to any application events you need. For example, you might subscribe to the EndRequest event if you want to append something to responses, or you might subscribe to the AuthenticateRequest event if you wish to perform custom authentication logic. For more information on application events, see ASP.NET Application Life Cycle Overview. 3. Write code for the events you have subscribed to. 4. Optionally implement the Dispose method if your module requires cleanup. 5. Register the module in the Web.config file. 1.35.2.1Create a class that implements an IHttpmodule 1. Start Visual Studio 2005 and create a C# class library. Name the project MyHttpModule. 2. Rename the default class1.cs file to HelloWorldHttpModule.cs. This will not only rename the file, but also rename the class to HelloWorldHttpModule. 3. Add a reference to System.web assembly. 4. Add a using statement; using System.Web. 5. In your HelloWorldHttpModule, implement the interface IHttpModule. 1.35.2.2Write a handler for Init() 1. In the Init() method add event handlers to the application object as required.

87

2. Use the BeginRequest for pre-processing and EndRequest for postprocessing. 1.35.2.3Write event delegates Implement the event handler delegates to do your processing. 1.35.2.4Dispose of resources Use the Dispose() method to cleanup resources as required. 1.35.2.5Register the module in the Web.config file 1. Open the Web.config file from the application root of the SharePoint Web site. 2. Locate the <httpModules> section. 3. Add an entry for the HttpModule developed, as shown in the following code sample.

<add name="HelloWorldHttpModule" type="MyHttpModule.HelloWorldHttpModule, MyHttpModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

4. Add code for HelloWorldHttpModule, as shown in the following code sample.

88

using using using using

System; System.Collections.Generic; System.Text; System.Web;

namespace MyHttpModule { public class HelloWorldHttpModule : IHttpModule { #region IHttpModule Members public void Dispose() { return; } public void Init(HttpApplication application) { application.BeginRequest += new EventHandler(application_BeginRequest); application.EndRequest += new EventHandler(application_EndRequest); } void application_EndRequest(object sender, EventArgs e) { HttpApplication application = (HttpApplication)sender; HttpContext context = (HttpContext)application.Context; // // add post-procesing logic here // return; } void application_BeginRequest(object sender, EventArgs e) { HttpApplication application = (HttpApplication)sender; HttpContext context = (HttpContext)application.Context; // //add pre-processing logic here // return; }

#endregion } }

89

1.35.3How do you debug? HttpModules are essentially .NET class libraries. The high-level steps in debugging them are: 1. Set breakpoints. 2. Attach to the ASP.NET process. 3. Step into the code. 1.35.3.1Setting breakpoints 1. Open Visual Studio and the Web Part solution. 2. Ensure that the Output Path of the solution is in the \bin folder of the Web site. If not go to project properties and change the Output Path to be the \bin folder of the Web site. 3. Build the HttpModule if not already built. 4. Ensure that the Web Part assembly is registered as a safe control in the Web.config file for the Web site. 5. Set breakpoints where desired. 1.35.3.2Attaching to the ASP .NET process Attach to the ASP.NET process: 1. On the Debug menu click Attach To Processes…. 2. Select the Show process in all sessions check boxes. 3. Look for the w3wp.exe process and click Attach, and you are ready to debug. 1.35.3.3Step into the code 1. Request any page from the site where you added the HttpModule. When the page request is processed, depending on where you have set the break point, the execution will stop and switch over to Visual Studio. 2. Step through the code as required.

90

Appendix (from popular blogs)
To configure Active Directory to be in the list account mode, the following script can be used.

1.36EnableListObjectMode.vbs
'******************************************************************* ' THIS CODE AND INFORMATION IS PROVIDED TO YOU FOR YOUR REFERENTIAL ' PURPOSES ONLY, AND IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY ' KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO ' THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A ' PARTICULAR PURPOSE, AND MAY NOT BE REDISTRIBUTED IN ANY MANNER. ' ' Copyright (c) 2006 Microsoft Corporation. All rights reserved. '******************************************************************* Dim Dim Dim Dim Dim sDomainDN configObjectDN configObject heuristics newHeuristics

' Bind to the root of the Domain Set rootDSE = GetObject("LDAP://RootDSE") ' Get the default NamingContext sDomainDN = rootDSE.Get("defaultNamingContext") ' Set AD to List Object Mode configObjectDN = "LDAP://CN=Directory Service,CN=Windows NT,CN=Services," configObjectDN = configObjectDN & rootDSE.Get("configurationNamingContext") Set configObject = GetObject(configObjectDN) GetHeuristics write "Current DSheuristics: " & heuristics newHeuristics = Left(heuristics, 2) newHeuristics = newHeuristics & Left("00", 2-Len(newHeuristics)) newHeuristics = newHeuristics & "1" Write "New DSheuristics: " & newheuristics If Len(heuristics) > 3 Then newHeuristics = newHeuristics & Right(heuristics, Len(heuristics)3) End If configObject.Put "dSHeuristics", newHeuristics configObject.SetInfo Function write(strToWrite) WScript.Echo strToWrite End Function

91

Sub GetHeuristics On Error Resume Next heuristics = configObject.Get("dSHeuristics") If Err Then If Err.Number = &H8000500D Then ' no error -- the dSHeuristics attribute was just unset heuristics = "" Else WScript.Echo Err.Description WScript.Quit(1) End If End If End Sub

92

1.37Setting up account creation mode – Screen shots
On the Installation Type page, click the Advanced button to continue.

1. On the Server Type page, select Web Front End, and click Install Now. 2. When the installation completes, click the Close button. 3. The SharePoint Products and Technologies Configuration Wizard will launch automatically. Click Next. 4. An information dialog box will appear indicating that some services will be restarted during configuration. Click the Yes button. 5. On the Connect to a server farm page, select No, I want to create a new server farm and then click Next. 6. On the Configuration Database Settings page, enter the following: • • • • Database server: Database name: Username: Password:

93

7. Click the Next button. 8. Note: in a production environment 9. On the Configure SharePoint Central Administration page, select the Specify port number if you would like a specific port number. Otherwise, accept the defaults and click the Next button. 10.On the Completing the SharePoint Products and Technologies Configuration Wizard page, click the Advanced Settings button. 11.The Advanced Settings page will allow you to enable Account Creation Mode. Select the Enable Active Directory Account Creation Mode check box. Once the check box has been checked, enter the Active Directory Domain and the Organization Unit that was created earlier. Click the OK button. 12.On the Completion page, click Next. 13.The Configuration Successful page will appear. Click Finish to launch the Central Administration page. 14.When the Central Administration application launches, verify that you have installed Beta 2 Technical Refresh by navigating to Site Actions -> Site Settings.

15.Create a new Web application by going to Application Management and clicking the Create or extend Web application link.

94

16.On the next page, click Create a new Web application. 17.On the Create New Web Application page, select Create a new IIS Web site in the IIS Web Site section. In the Application Pool section under either select your Predefined security account, or specify the name of the account to be configured. Keep all other defaults, and click OK. 18.The Application Created page will appear. 19.While in Central Administration, navigate to the Operations tab. Select the Outgoing e-mail settings link. 20.On the Outgoing E-Mail Settings page, specify the SMTP server name and the From and Reply-to addresses. Then click OK.

95

1.38What happened to Smigrate.exe? What if I only want to upgrade one site? What can I do now with Stsadm.exe?
http://blogs.msdn.com/joelo/archive/2006/10/16/what-happened-to-smigrateexe-what-if-i-only-want-to-upgrade-one-site-what-can-i-do-now-with-stsadmexe.aspx The Three Upgrade Methods Gradual You can choose individual sites to be upgrade when running both versions of the product on the same farm/server. This would give you control of choosing which sites are upgraded and when. Database Attach Back up and restore a site into its own database (steps referenced below in TechNet section) then attach the content database into the farm you want it to belong to. In Place You could make a copy of your entire environment (could be on a virtual server) then upgrade in place, finally delete all the sites you do not need. Not sure if that is useful. If you only want to upgrade a single site from a 2.0 farm to a 3.0 farm, the database attach is the easiest. Migration Some thought of the smigrate utility as being the tool for migrating subsites (also known as webs). You can now do full fidelity (including security) site collection and subsite backups with stsadm. For full usage type from your /bin directory. stsadm -help export [stsadm -o export -url URL -f filename] stsadm -help import [stsadm -o import -url URL -includesecurity] (more details below)

96

The following is an edited snippet from the MSDN documentation: Ways to Use the Content Migration APIs There are three ways you can invoke the Content Migration APIs. 1. stsadm.exe

Using the stsadm utility, you can use the import and export operations to migrate data.

2. SOAP

You can use the ExportWeb and ImportWeb methods implemented in the Sites Web service to migrate data from a remote server.

3. Content Migration object model [The Richest if you have dev resources]

The object model provides the most control over your data migration scenarios. Using the object model, you can migrate anything, from a Web site to an item in a list, or a single document in a library. You can choose whether to include information about security, versioning, user roles, and other metadata appropriate to the objects you are migrating. The Content Migration object model is implemented in the Microsoft.SharePoint.Deployment namespace.

The following is a snippet from TechNet: Migrate content by using import/export The import/export feature is based on the new Content Migration APIs. With import/export, you can migrate either subsites or entire site collections, and you can import a subsite into an existing site collection. Like the Smigrate.exe utility in the previous version, import/export requires that the site that you import to already exists. Note that import/export does not include some site settings, such as Recycle Bin state and alerts. For more information about what settings are preserved during import/export, see <Link to come>. To use import/export to migrate a site, you would use the following process: 1.Export the subsite or site collection (stsadm.exe -o export -url URL). 2.In Central Administration, on the Manage Content Databases page, set all databases except the one that currently contains the subsite or site collection to offline.

97

3.Create the site collection to contain the content you are importing (only if importing an entire site collection). 4.Import the subsite or site collection (stsadm.exe -o import -url URL -includeusersecurity). The includeusersecurity parameter specifies that you want to import the security settings for the subsite or site collection. If you do not need the security settings, you can omit this parameter. Migrate content by using backup/restore You could backup a site collection, then delete the site collection, set the manage content databases to take the current database offline (or set the capacity to the content database you want the site in so that it has more capacity than the other content databases, and then restore the site to original URL and that would get the site collection in the new database. The main thing to note is that this feature is at the site collection level so would not be an option for moving subsites around. This feature can restore a site collection to a new name and the site cannot already exist unless you are using the –overwrite option to restore over an existing site. To use backup/restore to migrate a site collection, you would use the following process: 1.Back up the subsite or site collection (stsadm.exe -o backup -url URL). 2.In Central Administration, on the Manage Content Databases page, set the database that currently contains the subsite or site collection to offline. 3.Restore the site collection (stsadm.exe -o restore -url URL). For more information about using backup/restore, see Office SharePoint Server 2007 Backup and Restore . With Office SharePoint Server 2007, you can migrate sites, subsites, or specific lists/libraries or items/documents by using the content deployment capability. This method is as easy as specifying the content to deploy and the target for the deployment, and then starting the deployment process. For more information about content deployment, see the Content Deployment Administration section at RTM.

1.39Capacity planning
A very through capacity planning data is presented at:
98

http://technet2.microsoft.com/Office/en-us/library/eb2493e8-e498-462a-ab5d1b779529dc471033.mspx?mfr=true We encourage our readers to review the articles listed on TechNet.

99

1.40Important references
Stsadm.exe command-line utility: http://technet2.microsoft.com/Office/enus/library/003e5316-1018-4949-ac54-42fa12c5e51e1033.mspx?mfr=true Setup.exe command-line reference: http://technet2.microsoft.com/Office/enus/library/003e5316-1018-4949-ac54-42fa12c5e51e1033.mspx?mfr=true Command-line reference for the SharePoint Products and Technologies Configuration Wizard: http://technet2.microsoft.com/Office/enus/library/003e5316-1018-4949-ac54-42fa12c5e51e1033.mspx?mfr=true Config.xml reference: http://technet2.microsoft.com/Office/enus/library/003e5316-1018-4949-ac54-42fa12c5e51e1033.mspx?mfr=true

100

1.41Feature comparisons in SharePoint Search versions
The following is from Mike Tag’s blog: http://blogs.msdn.com/miketag/archive/2006/12/04/feature-comparisons-in-sharepointsearch-versions.aspx What is the difference in features in Windows SharePoint Services 3.0, Office SharePoint Server 2007, and Office SharePoint Server 2007 for Search? One thing to note is that the Search in the three products are all based on the same Microsoft Search core indexing engine. However, there are differences between the three SharePoint search versions. This table does a comparison of features in the three products.

Feature

Search in Windows SharePoint Services 3.0
Local SharePoint content

Office SharePoint Server 2007 for Search
SharePoint sites, Microsoft Exchange Server content, file shares, Lotus notes, custom content. Yes

Enterprise Search in Office SharePoint Server 2007
SharePoint sites, Microsoft Exchange Server content, file shares, Lotus notes, custom content, line-ofbusiness (LOB) content. Yes

What can be indexed Rich, relevant results Alerts RSS Did you mean? Collapsing of duplicates Best bets Results removal, Query reports Search Center / Tabs People search

Yes

Yes to all

Yes to all

Yes to all

No to all

Yes to all

Yes to all

No

Search Center without Tabs

Search Center with Tabs

No to all

Yes to all

Yes to all

Knowledge network Business Data Search Query Web service
No No Yes

http://<site>/_vti_bin/sps http://<site>/_vti_bin/search.as http://<site>/_vti_bin/searc earch.asmx mx h.asmx

101

Security trimming of search results

Yes; supports default security trimming only Windows SharePoint Services 3.0 Search SQL Syntax

Yes; supports default security trimming only Enterprise Search SQL Syntax Reference Enterprise Search Keyword Syntax Reference Enterprise Search URL Syntax Reference

Yes; supports default and custom security trimming Enterprise Search SQL Syntax Reference Enterprise Search Keyword Syntax Reference Enterprise Search URL Syntax Reference

Query syntax

Windows SharePoint Services 3.0 Search Keyword Syntax URL syntax

For more information, see this article in the Office SharePoint Server SDK: http://msdn2.microsoft.com/en-us/library/aa981559.aspx

102