We're currently building a client some integration components and one of the pieces of functionality we need to work with is Kerberos, my favourite 3-headed dog.

Windows 2008 Server runs IIS 7, which has a great feature that (by default) means you don't have to set up SPN's for Kerberos-based sites - it uses Kernel-mode authentication (which means "things just work").

Bad news bears for SharePoint though - because SharePoint runs as a "farm" - even in single-server configurations - you have to run the site and authentication under the app pool account... AND still set up your SPN's. Bugger, eh! So... how do you make it work?

Go to the server on the site and change the following setting in the C:\Windows\System32\inetsrv\config\applicationHost.config file (which will affect all sites on the server) -

<system.webServer>

<security>

         <authentication>

                     <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

         </authentication>

</security>

</system.webServer>

OR do it on the App pool under the Windows Authentication Advanced settings option

I found the solution for the problem we were facing only blogged about in one location - www.Harbar.net (actually, I seem to keep hitting problems that this guy has already overcome, because I find myself regularly drawn to his site from Google).

Cheers!

In September 2007 I implemented a 4-layer Kerberos solution at a client's site. Back then, there was only a couple of people who'd done it and there was not much information around on it (and it nearly killed me... well, it wasn't that bad, but it was pretty stressful). Since then, lots of people have started to implement Kerberos authentication-based sites and it's become a bit more mainstream. Certainly I look around and there's lots of people with info.

One of the things I noticed while troubleshooting was that when you browsed sites the ticket that was generated never appended the port number when attempting to authenticate. Well apparently this was a "feature" of IE6 when used on XP or 2003 server and has carried over to current versions as a result. Now it's possible to fix this - You can download the patch for 2003 server or XP from this KB Article 908209.

Just a warning: If you have SPN's set up to not use the port number and this patch is applied to a client, YOUR SITES WILL STOP USING KERBEROS TO AUTHENTICATE. For example:

• You have a site http://mybeautiful.site.liveshere:8000
• You have an SPN set up for the service account on this site eg setspn -a http/mybeautiful.site.liveshere serviceAccount
• Everything works fine and dandy because IE builds a poor Kerberos request without the port number.
• You apply the patch & reg key. Suddenly, everyone starts getting the "3 prompts and you're out" authentication request, because now the port number forms part of the request.
• Whoopsie! The fix is to register another 2 SPN's for the site that uses a port number, against the Web App pool account (2 spn's - one DNS prefix and one FQDN - in our example, one for http/mybeautiful:8000 and one for http/mybeautiful.site.liveshere:8000)

Anyway, hope this helps!

Brad

Microsoft released a tool called the Win XP Virtual CD Control Panel. It's cool because it DOES NOT NEED A REBOOT AND HAS NO SPYWARE AND DOES NOT "PHONE HOME" - and it's 60kb. Ideal for prod servers :).

When was the last time you got a useful tool that was smaller than Notepad (at 166kb, it's a bit big, eh!)

Anyway, pull it down here.

Virtual CD-ROM Control Panel for Windows XP

32 bit only, sorry. Still, everyone's got one of those kicking around somewhere :)

Brad

Now's the time to plan your upgrade of SharePoint to Service Pack 1 if you have not already done so. I know I know, there are a lot of people stuck in a change freeze this time of year, so if this is you, then plan to do it as soon as the change freeze ends because on the 13th of JANUARY 2009 your SharePoint 2007 system will no longer be supported by Microsoft.

More information can be found here - Lifecycle Supported Service Packs - info came from Stefan Goßner's blog.

Also SharePoint 2007 SP 2 is currently in Beta and will be coming soon to a Microsoft site near you (official word is between February and April - I'm betting February) :) - once it hits, the 12-month EOL clock starts for SP1.

Brad

My wife was constantly having problems running out of space on her C drive. Back when the computer was first built, I'm pretty sure Windows 95 was just vapourware and nobody would ever need more than 640k to run an OS... well, it's not that bad... it's running the last of the single-core Athlons and a gig of DDR RAM...

Anyway, I always used to think that the latest was ALWAYS the greatest... and sometimes I was right, sometimes I was wrong. I'd gone and converted my wife's C drive to a dynamic disk (because I could then create JBOD arrays, raid 1 disks, extend into free space etc).

Problem with boot disks that are configured as basic, when you upgrade them you can't manage the space allocated to each drive. But you can't build a disk in Dynamic format in XP from the install CD either... so this problem exists for every XP owner who has more than one partition on their boot drive. There are heaps of tools out there that allow you to mess around with partitions (Partition Magic is my favourite) but none of them work with Dynamic disks.

So what can you do? Format & Reload? Hell no! I've got better things to do, like watching the grass grow out the back of the house. Well it seems that Live OneCare doesn't work nicely with Dynamic disks either... so much so that Microsoft have documented the way to convert a dynamic disk back to a basic disk in a non-data destructive way. This is what's in the article:

1. Download and install the Windows Support Tools for Microsoft Windows XP. To do this, visit the following Web site:
   
   http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en
   
   Note When you install these tools, click Complete when you are prompted to click Typical or Complete.
2. Click Start, click Run, type Dskprobe.exe, and then click OK.
3. On the Drives menu, click Physical Drive.
4. In the Available Physical Drives box, double-click the drive you want to change.
5. Click Set Active, and then click OK.
6. On the Sectors menu, click Read.
7. Click Read to accept the default settings.
8. In the editor, find the 01C0 line. In this line, the third pair of numbers on the right is 42. Change 42 to 07.
   Note On some computers, 42 may appear on the 01D0 line.
   [Brad's Tip: It can appear on both as well - the trick is to convert all instances of 42 to 07 in this area. My wife has C and D drives - we had 42 appear on both 01C0 and 01D0]
9. On the Sectors menu, click Write.
10. When you receive a message that is similar to the following, click Yes:

    The current handle is in Read Only mode. Do you wish to change the current mode to allow writing the selected buffer to disk?
    

11. Click Write it.
12. When you receive a message that is similar to the following, click Yes:

    Are you sure you want to permanently overwrite the data in sector 0 on the device PhysicalDrive 0
    

13. Exit the Disk Prob program, and then restart the computer.
14. After the computer restarts, click Start, click Run, type cmd, and then click OK.
15. On the command line, type chkdsk to scan for errors.
16. If any errors are found, type chkdsk /f on the command line to fix these errors.

Had a very unusual issue recently on a hardened SharePoint environment (read: set up according to Microsoft Best Practices).

I was trying to install a feature, and I was getting a response back... Access Denied. Nothing really unusual in that... I must have forgotten to set myself up as a farm admin again... except in this case I was already a farm administrator. So... what could be causing that problem?

It turns out that Microsoft decided that in order to install a feature, being a Farm Administrator is simply not enough - you have to be a SysAdmin on the SQL Database as well. Huh? Where'd the "Least Privilege, best-practice" thinking go when they set up that trap?

So I log into the SQL database and add myself in as a SysAdmin, and tada! I'm able to successfully deploy the feature. I honestly would have thought that the application would have verified your credentials, then once confirming you are a farm administrator, run the feature installation under the SharePoint admin account (which has all the required DB Access). But Nooooooo, not this time!

If anyone knows why this might be the case, I'm interested to hear from you. To me, it makes no sense and works against least privilege configuration.

Brad

It took me a little while to understand what this plug-in was trying to do and how it was adding value, and then it dawned on me - it's like a "Blog this" button on your browser! I love the ability to just click on a browser button and have a Windows Live Writer window open up pre-populated with the page name and a link. It's awesome! That's how I created this blog article...

So this SharePoint feature installs on the server and gets called from a link in your links list. It then retrieves information about the last page you visited in that window (from your referer browser property) and pre-populates some fields in the list. You can then "tag" the link with topics, like "SharePoint" or "Shopping" or "Christmas" or "Maxed Out Credit Card"... or whatever other topics you think are relevant.

It's quick, it's easy, and it's a great way of having a range of link lists that are then searchable by others. Like blogging about an article you just saw that may be useful in the future, but you are not sure when... or a list of personal bookmarks.

I'm always on the lookout for ways to get information into WSS / MOSS without effort - the more information you have, the easier it is to make informed decisions. This looks to be a great one! Grab it here - http://community.zevenseas.com/Blogs/Daniel/archive/2008/11/22/free-solution-tagged-links-–-social-bookmarking-for-sharepoint.aspx - and have a look at how it's used here - http://community.zevenseas.com/blogs/daniel/archive/2008/07/19/tagged-links-%E2%80%93-walkthrough.aspx

Brad