Security & Identity

ECTS Extension Released

I am happy to announce the release of our ECTS Extensions to CodePlex. This extension provides a bit of a performance boost especially to the User Management capability in ECTS.
ECTS provides a forms based authentication schema for SharePoint that leverages ADAM so you can allow external people access to your SharePoint to enable collaboration. With these extensions you can now allow external users to request accounts as well as manage the accounts in a more friendly UI.

Advertisements

How many users can ECTS Handle?

How many users can ECTS Handle?

   

This has become a common question for a couple of my clients, to which I really don’t have a good answer. However, with my clients we have found significant issues when attempting to use the User Manager web part in ECTS when we have 100+ users. In fact, recently the client has had to go to using the ECTS login so they can manage the users because the Active Directory times out before the page loads.

   

Therefore my best answer right now is: Not many.

   

While that is my current answer, that is not the final answer. I have recently been working on a series of web parts to replace the default ECTS web parts. The goal is to make fast loading and easy to use web parts, which means sacrificing some of the custom call backs in favor of just displaying the hidden capabilities when the page is loaded.

   

If interested here are a couple of screen shot on how this looks.

   

ECTS User Manager

   

    ECTS External User Manager

This web part actually shows all of the users in ADAM. When you click on the Take Action button on the far right this is what you get.

    ECTS External User Take Action

   

My ECTS Enhanced User Manager

   

    MY User Manager

This is actually two web parts, the a | b | c |… is a connection provider which controls what CNs are searched for. This could be adapted to have a more, or less, capable filtering mechanism. Notice that the Reset Password, Toggle Enabled State and Delete are all exposed immediately. This prevents us from having to recreate the list of ADAM users every time the web part is loaded, and with the filter web part we now are able to reduce our search result set to a more manageable size. I have dropped the Modify capability in the current version, in the future I will add another connectable web part that will allow for editing of the selected user.

   

One difference in my version is that when a password is reset the user’s who’s password was reset receives an e-mail with the new password. I’m not sure if ECTS is supposed to do this as well, but from my experience, I have never received an e-mail when the password was reset other than that sent manually by the help desk personnel.

   

My ECTS Enhanced User Approval

    My User Approval Part

   

Here you will notice that the Requestor has been dropped from the default ECTS User Approval Web Part (not pictured).

   

One of the key changes I have made is to use the SPUtility.SendEmail(…) rather than the crazy database settings that ECTS has used. This provides several advantages, but most of all we can see if the send succeeded or failed. If it fails we can prompt the user to manually send information like passwords to the user proactively rather than waiting for the user to again request a password reset or, worse, leave and never come back. One of the biggest issues I have seen is that once an account gets approved the approval e-mail does not get sent to the user and they never receive a password. This then requires the site support team to use the User Manger, which can time out easily, to reset the password and e-mail it to the user.

   

The other major advantage is you don’t have to manage three different locations where the SMTP settings are kept, currently ECTS stores these in the web.config, the ECTS database, and they are stored in SharePoint’s SMTP settings.

ECTS Post Installation Issue

So I have had the opportunity to go back and work on the ECTS enabled system I worked on earlier this year for DoD. Sadly in my preparation for creating a new site I began working in my ECTS Virtual Machine, but in my haste one day I removed the external USB HD the VM is located on and corrupted the entire VM. As it turns out this has been a nice refresher in installing ECTS and I have found some new issues to write about.

 
 

Ok, so after installing ECTS on the system, which had a fresh installations of SQL Server Dev 2005, MOSS EE 2007, Visual Studio 2008, .NET Framework 3.5 I was able to install ECTS successfully without issue. Using my certificate authority installed on the VM I created the Cert for the ECTS ADAM communication and checked to ensure it was working. Finally, I extended my "internal" site so I would have an "external" forms authentication site. Next step was to check the "external" site to ensure it was configured correctly, and I was immediately redirected to the login page where I got the standard "Unknown Error" MOSS page.

 
 

Since I had the generic error, I updated the web.config to allow the callstack to display and turned off the custom errors. I then accessed the login page again and had the following error:

 

The resource object with key ‘loginPageTitleInTitleArea’ was not found. at System.Web.Compilation.ResourceExpressionBuilder.ParseExpression(String expression, Type propertyType, ExpressionBuilderContext context)

at System.Web.UI.BoundPropertyEntry.ParseExpression(ExpressionBuilderContext context)

at System.Web.UI.ControlBuilder.FillUpBoundPropertyEntry(BoundPropertyEntry entry, String name)

at System.Web.UI.ControlBuilder.AddBoundProperty(String filter, String name, String expressionPrefix, String expression, ExpressionBuilder expressionBuilder, Object parsedExpressionData, Boolean generated, String fieldName, String formatString, Boolean twoWayBound)

at System.Web.UI.ControlBuilder.PreprocessAttribute(String filter, String attribname, String attribvalue, Boolean mainDirectiveMode)

at System.Web.UI.ControlBuilder.PreprocessAttributes(ParsedAttributeCollection attribs)

at System.Web.UI.ControlBuilder.Init(TemplateParser parser, ControlBuilder parentBuilder, Type type, String tagName, String id, IDictionary attribs)

at System.Web.UI.ControlBuilder.CreateBuilderFromType(TemplateParser parser, ControlBuilder parentBuilder, Type type, String tagName, String id, IDictionary attribs, Int32 line, String sourceFileName)

at System.Web.UI.ControlBuilder.CreateChildBuilder(String filter, String tagName, IDictionary attribs, TemplateParser parser, ControlBuilder parentBuilder, String id, Int32 line, VirtualPath virtualPath, Type& childType, Boolean defaultProperty)

at System.Web.UI.TemplateParser.ProcessBeginTag(Match match, String inputText)

at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding)

 

Ok, so the first thing I noticed was the statement about a "resource object" which is a tell tail sign some .resx file did not get deployed.

 
 

RESX File’s in your Solution

RESX files (.resx) usually get deployed to your site’s app_globalresources folder, so if a resource object is missing then it’s a good idea to look there to ensure your resx file was deployed.

 
 

Next step was to determine what resx file was missing, so I went to the folder, typically you’re My Documents folder, that has the ECTS installer (ECTSSetupWizard.hta). In that folder is also the ECTSSolution.wsp file, which is really just a renamed .cab file. So I copied the ECTSSolution.wsp to ECTSSolution.cab and then opened the cab, inside there are 3 resx files. I initially copied all three to the "internal" and "external" site app_globalresources folders, however you should only have to copy the ExternalCollaboration.resx file to resolve the problem above.

 
 

After copying the files to the app_globalresource I refreshed the login page, and happly ever after it has worked.

 

DirectoryEntry Exception when calling Invoke(“SetPassword”,…)

I wrote a blog a few months ago about a COMException I got when I attempted to call DirectoryEntry.Invoke(“SetPassword”, …). The issue was that I could set the password for one account but then subsequent set password attempts would throw an exception. I had contacted Microsoft and they informed me that I was only the second person ever to report the problem, and that is was intermittent at best for the previous report. Microsoft had, and to this day still does not, have a hotfix for this issue.
After testing and trying a lot of ideas I thought I had resolved the issue by just capturing the exception and continuing on in my code (later calls would set account enabled and commit, etc). However, when we deployed the solution we quickly realized our test environment was able to create the account more regularly than our production environment. Therefore our testers were able to create account with valid password and log into the test environment, but production users were getting invalid passwords.
I started looking back through our system and SharePoint logs and realized I was still having the COMException get thrown and that the password change was not getting committed later in the process, our lost password utility really triggered this since both the account provisioner and lost password used the same logic for setting the password. Microsoft had told me that when the first caller notified them of this issue they were able to reset IIS and the issue was resolved.
Although this is a high availability environment, we really couldn’t afford resetting our IIS on the server every time a new account was created. Instead I realized that I could push the DirectoryEntry.Invoke(“SetPassword”, …) into a web service and allow my provisioning code to use that. Each time a web service was called it essentially created a new process to handle the service request, and when complete the process would effectively terminate.
Just to make sure this issue could also be worked around I added a Application Pool Recycle, basically a restart of an IIS Web Application, so that if it did fail we could restart the web service’s web application. I have been monitoring the log for about a month and have NEVER seen the recycle request. To date the code has created over 200 new Active Directory, MOSS, Exchange, and OCS accounts on our system.

Real Deployment use of External Collaboration Toolkit for SharePoint

Microsoft has released the External Collaboration Toolkit from development, so what does this give you and your organization? 

Lets start with a little background.  Most companies have internal sites, I’ll refer to as internal, that their employees use for various activities like timecard management, team collaboration, document storage.  However, it is often desired that they have a site they can use with people outside of their organization, corporate partners, who do not need access to items like the timecard management but do need the team collaboration capability.  Before ECTS we would either create an external user within our companies own Active Directory (AD) or some other user storage/authentication system.  The problem was that organizations who had 100 people working there now had 1500 names in their AD because no one ever cleaned out old contacts, but that also means many of those users had access to systems, like the office desktops, that they did not need.

To try to resolve this issue Microsoft create the External Collaboration Toolkit for SharePoint (ECTS) which leverages Active Directory Application Mode (ADAM) and allows access to a previously internal site to external users.  The documentation for ECTS provides a great installation document, but I have found some gaps in the install that can take hours to get around, and cause lots of headaches.

First, Microsoft’s documentation talks a lot about how to create an internal and external web application from scratch, but since MOSS has been out for a while and is being heavily used then it is more probable that your internal site already exists.  You can get around having to recreate your site from scratch, here is how (lets assume that your existing site it accessible at http://internal and you want your external site accessible via https://external.company.com).

Extending and Existing Web Application

  1. In Central Admin click on the Application Management tab
  2. Click on the Create or Extend Web Application
  3. Click on the Extend an Existing Web Application
  4. On the Extend an Existing Web Application
    1. Web Application Section
      1. Choose your http://internal site from the Web Application drop down
    2. IIS Web Site Section
      1. Description: If you desire enter as description for your site.  This will be used for the name of your IIS Application.  The default value is also ok here.
      2. Port: 443
        1. This is the standard SSL port and since you are allowing external access this is probably what you want to use.  However you can choose any port you want for this
      3. Host Header: external.company.com
      4. Path: Leave as default (If you have all of you web applications somewhere else point this to the same location
    3. In the Security Configuration Section
      1. Authentication provider: (just use the default)
      2. Allow Anonymous Access: No
      3. Use Secure Sockets Layer (SSL): Yes
    4. Load Balanced URL Section
      1. URL: should now be https://external.company.com
      2. Zone: Extranet
    5. Click OK

Once the Web Application Extension has completed we need to make sure the Alternate Access Mappings are correct.  Conflicts might exist will exist if the internal and external sites are running on the same ports without any way for IIS to differentiate between the two sites.

Alternate Access Mappings

  1. In Central Admin click on the Operations tab
  2. Click on Alternate access mappings under Global Configuration
  3. Verify you have an entry that shows https://external.company.com as the Internal URL and Public URL.  The Zone should be Extranet
  4. I also recommend adding an entry for http://internal in the Alternate access mappings
    1. Select the internal site from the Alternate Access Mapping Collection drop down list
    2. Click on the Edit Public URLs
    3. In the Intranet text box add http://internal
    4. Click OK

Now that we are sure our alternate access mappings are correct we need to make sure we do not have any IIS conflicts.  IIS conflicts are likely because both the internal and external sites are likely running on port 80 and neither is configured with host headers.  Another possible issue is that the internal site could have been setup to run on port 443 which will also cause conflicts.

IIS Web Applications

  1. Right click on the My Computer icon and select Manage from the menu
  2. Expand the Services and Applications and Internet Information Service branches in the Computer Management Tree
  3. Click on the Web Sites folder under IIS.  This will cause the right pane to display the web sites that are hosted on the machine.
  4. If either your internal or external site is stopped then you have an IIS port conflict which means you will have to add host headers to resolve the issue.
  5. Right click on your internal site and select Properties
  6. On the Web Site tab click on the Advanced button (next to the IP Address for the site)
  7. Select your default identity for the site and click on the Edit button
  8. Set the Host Header value to internal
  9. Click OK
  10. Click OK
  11. On the Web Site tab set the TCP port to 80 and remove the SSL Port value
  12. Click OK
  13. Right click on the external site and select Properties
  14. On the Web Site tab click on the Advanced button (new to the IP Address for the site)
  15. Select your default identity for the site and click on the Edit button
  16. Set the Host Header value to external.company.com
  17. Click OK
  18. Click OK
  19. On the Web Site tab set the TCP Port value to 80 and the SSL Port to 443
  20. Click OK

What we have just done is set IIS to handle request for external.company.com and internal by the two web applications.  If either of your sites (internal or external) were stopped then you may now start the site successfully.

Now try connecting to http://internal, you should get the windows authentication box, or you will be logged in automatically.  Then try connecting to https://external.company.com, you should be presented with a forms based authentication box.  If you are presented with an error about the inability to connect to your ADAM instance then the most likely cause is that the Secure LDAP connection is not working. 

Troubleshooting ADAM

  1. On the server where your ADAM instance for ECTS is installed try connecting using the ldp program.
    1. Click on Start->All Programs->ADAM->ADAM Tools Command Prompt
    2. Type ldp and press Enter
    3. Click on the Connection menu
    4. Click on Connect…
    5. In the Connect window use
      1. Server: localhost
      2. Port: <port number Secure ADAM is running on default is 636>
      3. SSL: Check the box
      4. Click OK

If you are able to connect locally then attempt this from the SharePoint WFE, use the directions above but use the correct server name instead of localhost, where the external site is running.  (Windows 2003 Server R2 comes with ADAM, but you may need to install it.  To install ADAM refer to the ECTS Installation and Configuration manual or download ADAM from Microsoft’s MSDN web site.)  If you are unable to connect ensure that you have installed the appropriate Certificate for Secure LDAP connection and that any firewalls that may exist between you ADAM Server and your WFE have openings for the Secure LDAP connection.

If you get both the windows and the forms based authentication then you can move on at this point.  Otherwise you should probably revisit the above steps, and ensure you can connect to ADAM over Secure LDAP.

At this point you might be interested in adding a user to your ADAM instance and seeing if you can use that to log in, DO NOT.  What you will find is that by adding the user through ADAM instance editor when you attempt to add the User Manager web part to your management page like instructed in the ECTS install the Web Part will throw an exception.  Instead, follow the configuration instructions in ECTS. 

When you have completed the ECTS configuration you will be ready to allow internal and external users to access your sites.