Blogs
Welcome to EMC Consulting Blogs Sign in | Join | Help

Welcome to EMC Consulting Blogs

Mohammad Al-Zawati's Blog

  • Extending SharePoint 2007 Single Sign-On (SSO)

    Microsoft Office SharePoint Server 2007 provides the Microsoft Single Sign-On (SSO) service for storage and mapping of credentials for use in connecting with third-party or back-end systems.

    By examining various scenarios, MOSS SSO proves to be a good fit in SharePoint projects which requires user impersonation into service accounts to enable end users to access secure web services & legacy systems. User Impersonation allows SharePoint to execute a task in an external system or a remote web service using the security context of a specific service account. SSO supports mapping end users credentials into the same or multiple service accounts for each external/back-end system. Even better, SSO can map end users from different domains into the same or multiple service accounts, which means that you can use SSO to implement a fairly complex identity management system out of the box.

    One good SSO example is when it is used to resolve the "Double-Hop" issue which is an NTLM authentication issue where credentials used to access resources on a 2nd tier server (IIS Server) can not be used from that server in the request of resources in a 3rd tier server (a server other than the IIS server) due to delegation restrictions inherent to the NTLM authentication system used by Microsoft Windows. This issue is common in InfoPath forms which consume external web services. As MOSS SSO Service lives in the 2nd tier (IIS Server), it can impersonate end users using a predefined service account credentials to enable access to the 3rd tier resources (external web services).

    SharePoint SSO also allows customization & extendibility.  It enables developers to create their own custom SSO provider to replace the standard SSO provider in SharePoint 2007. Developers can customize how users are authenticated or control the user mapping; this can be done by building a class that implements the Microsoft.SharePoint.Portal.SingleSignon.ISsoProvider interface.

    Depends on what are you using  Single Sign-On for, you may also consider extending  the standard SSO Provider rather than creating a new custom SSO provider, so that developers have to only customize the methods they want and benefit from what is available in the built-in SSO Provider.

    Before you start extending the SSO Provider, you will need to configure your MOSS SSO.  A good article that describes how to do that can be found at this link.

     After you have configured MOSS SSO, you can use the following 2 steps to create your own SSO provider:

    1) Implement a custom SSO Provider class that inherits from the standard SSO Provider "SpsSsoProvider" as explained in the following code example. Notice that MyCustomSSOProvider class customises "GetCredentials" method to check if the user is active in a legacy system before mapping the user into the stored service account. 

     

namespace EMCConsulting.SSO
{
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Reflection;
    using System.Threading;
    using Microsoft.SharePoint.Portal.SingleSignon;

    /// 
    /// MyCustomSSOProvider. Custom SSO Provider which inherits 
    /// the standard MOSS SSO Provider
    /// 
    public class MyCustomSSOProvider : SpsSsoProvider
    {
        #region ISsoProvider Members

        /// 
        /// Gets the mapping credentials for the current user
        /// 
        /// The SSO application definition Id
        /// Service Account SsoCredentials object
        /// Because GetCredentials is not overridable, I hide its 
        /// implementation in the base class using the "new" keyword
        public new SsoCredentials GetCredentials(string AppID)
        {
            SsoCredentials creds = new SsoCredentials();

            try
            {
                // Do further authentication checks for the current user
                // before mapping the user into the stored service account
                if (IsUserActiveInOurLegacySystem(Thread.CurrentPrincipal.Identity.Name))
                {
                    creds = base.GetCredentials(AppID);
                }
            }
            catch (SingleSignonException ex)
            {
                System.Diagnostics.EventLog.WriteEntry(
                  "MyCustomSSOProvider", ex.ToString());
            }
            catch (Exception ex)
            {
                System.Diagnostics.EventLog.WriteEntry(
                  "MyCustomSSOProvider",ex.ToString());
            }

            return creds;
        }

        #endregion

        #region Private Methods

        private bool IsUserActiveInOurLegacySystem(string currentUser)
        {
            // Do any further checks in the current user
            return true;
        }

        #endregion
    }
}

    2) Install the Custom SSO Provider with SharePoint, SharePoint allows only one SSO Provider to be active at the given time.

    To install the MyCustomSSOProvider implemented in the example above, you must do the following:

    A. Register it in the global assembly cache

    B. Register it with the ProviderAdmin console application (By default, located in C:\Program Files\Microsoft Office Servers\12.0\Bin). Notice that you must register the new SSO provider with each computer in case you have a server farm environment.

    C:\Program Files\Microsoft Office Servers\12.0\Bin>
    Microsoft.SharePoint.Portal.SingleSignon.ProviderAdmin.exe
    "EMCConsulting.SSO, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ed92a9d1a761f390"
    "EMCConsulting.SSO.MyCustomSSOProvider"

    You can also remove the installed custom SSO provider and restore the standard SSO provider by executing the following command:

    C:\Program Files\Microsoft Office Servers\12.0\Bin>
    Microsoft.SharePoint.Portal.SingleSignon.ProviderAdmin.exe /u

    Happy Coding!

    Mohammad

    Posted 17 March 2010 16:18 by mohammad.al-zawati | 0 Comments

  • How to quickly troubleshoot MOSS 2007

     

    Whether you are a SharePoint 2007(MOSS) developer or an administrator, you probably have seen a MOSS error page with the error message: “unknown error” or “unexpected error”, where these error messages do not give enough information about what happened, more logging is taking place behind the scenes. In order to troubleshoot the underlying error, you may like to follow the following steps:

    1-    Disable the user friendly error pages

     

    This will stop MOSS 2007 verbose error pages and throw the exception text to the browser instead. I consider this to be the most important step as this will give you an idea of what is really happening or where to look for more details. This can be done by modifying some configuration values in the SharePoint Site “web.config” file on the server, by default, a SharePoint site that runs on port 80 will have its “web.config” file at:

    C:\intepub\wwwroot\wss\VirtualDirectories\80

     

    a.       Open the web.config  file and locate the “customErrors” tag

    b.      Modify the Tag’s “Mode” attribute to “Off” (case sensitive) so it would look like:

     <customErrors Mode=”Off”…

    c.       Also, locate the “SafeMode” tag and modify the Tag’s “CallStack” attribute to “True” so it would look like:

    <SafeMode CallStack=”True”…

    d.      To get a more detailed stack trace, locate the compilation” tag and modify the Tag’s “debug” attribute to “True” so it would look like:

    <compilation debug="True"

    2-    Windows Event Logs

     

    It is always good to have a quick look in the Event Logs. Although it is not a very common place to find MOSS-specific errors, but it still can contain a more generic errors such as a WSS service error or a lost connection to the SQL Database Server. You can view the events logs by going to:

     

    Start Menu>> Run, then write eventvwr, and browse to the “Application” Logs

    3-    Debug   custom  SharePoint  code

     

    If you have a custom code (e.g. custom webpart) on the SharePoint page, you may want to debug your code to make sure that it is not what causing the problems, you can debug your code from Visual studio by attaching the Visual Studio Debugger to a process called w3wp.exe.

    1.       From Visual Studio click on “Debug” then “Attach To Process”

    2.       Choose w3wp.exe process

    3.       Run the page on the MOSS and watch your breakpoints gets hit

    If you have more than one w3wp.exe process, you may either attach the debugger to all the processes to make sure that the process that is responsible of executing your specific SharePoint site code will be attached , or you attach to the right process by its Process Id, you can get the running process information on IIS 7.0 by running the command “Appcmd list wp on the server, this will list all the pools and their process ids , follow this link for more information. For IIS 6.0, see http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/2228ff79-0838-4143-8680-e38c452dc243.mspx?mfr=true

    Note that if you are running a workflow in SharePoint, attaching the debugger to the w3wp.exe may crash Visual Studio and force it to close. The way to avoid this is to attach the debugger to Workflow Code Only, This can be done in the “Attach To Process” Dialog window, make sure to select "Attach to: Workflow Code".

    To make the debugging experience much easier to initiate, Jonathan Dibble from Microsoft Consulting Services created a neat “Debugger Feature” that can be installed and activated on a SharePoint site, this feature enables a developer to attach to the right process directly.

    4-    SharePoint Trace Logs

     

    WSS 3.0 and MOSS events are written to log files, by default; these files can be found at this directory: 

    C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS

     

    If the log files are not there, you can check the log files location that can be found in MOSS Central Administration >> Operations >> Logging and Reporting >> Diagnostic Logging.

     

    SharePoint Log files are large and hard to read sometimes, I normally open them using Office Excel to benefit from its organizing and formatting features (e.g. conditional formatting), also, you may like to check SPLogViewer which is an open source feature that simplifies reading log files.

     

    Although there are much more ways to troubleshoot SharePoint and  Web Applications in general, these four steps are considered your first aid to quickly examine an error, find what is causing it, plan what to do next or may be solve it.

     

     

    Posted 13 October 2009 13:28 by mohammad.al-zawati | 0 Comments

This Blog

Syndication
EMC2, EMC, and where information lives are registered trademarks of EMC Corporation.
All other trademarks used herein are the property of their respective owners.                  
© Copyright 2009 EMC Corporation. All rights reserved.                                                    
Powered by Community Server (Personal Edition), by Telligent Systems