
SharePoint 2007 and Windows Server 2008

With SharePoint SP1, SharePoint 2007 supports Windows Server 2008. The MOSS & WSS evaluation guides have been updated with installation instructions for Windows Server 2008. We also published a Resource Center on TechNet with information for WS08 & SharePoint @ http://technet.microsoft.com/en-us/office/sharepointserver/bb735844.aspx.

Recently, we released a whitepaper that does a great job highlighting the benefits of WS08 w/ SharePoint @ http://go.microsoft.com/fwlink/?LinkId=116395&clcid=0x409. It's new and a great, quick read. Here's a table from the whitepaper that summarizes some of the benefits that can be achieved when you deploy SharePoint on Windows Server 2008: 

 

Functional Area: Manageability

Feature: IIS 7.0

  • New IIS Manager with improved and simplified task-oriented work flow and increased functionality
  • New Command-Line Interface (CLI) to configure IIS from command prompt or batch files
  • New .NET Windows Management Interface (WMI) that allows for IIS configuration from PowerShell scripts or custom .NET Framework applications
  • Request Tracing features to improve diagnostics
  • Improved availability through immediate configuration changes without requiring site downtime
  • Modular Architecture where only those modules required by the applications are actually present – reduces maintenance complexity

Feature: Custom Event Log Views

  • Create custom views of logged events to automatically filter events (by source, severity, and more) to speed up troubleshooting
  • Assign tasks to events (for example, notifications and custom program actions) when specific events occur, prompting timely action on problems

Feature: Hyper-V

  • Advanced virtualization technology for hosting multiple logical platforms under a single, minimally-configured server
  • Consolidated environment, specifically for development and testing of multi-server SharePoint farms
  • Reduce resource costs by reducing the number of physical servers required for development

Functional Area: Security

Feature: Roles and Features

  • Minimizing the deployment footprint by tailoring roles, services and features installed. This reduces the attack surface
  • New Windows Firewall, increasing individual server security
  • New Security Configuration Wizard (2.0) that enables role- and feature-based security hardening, simplified from earlier versions
  • Enhanced Group Policy Management by using wizards to simplify the creation and maintenance of group policies

Functional Area: Reliability & Performance

Feature: Roles and Features

  • Customized configuration by using required roles and features reduces overall footprint and makes sure that nonessential services and processes are not present. This guarantees that resources are dedicated exclusively to required services

Feature: New TCP/IP Stack

  • Support for IPv4 and IPv6
  • Improved performance for high-latency networks

Feature: IPsec Enhancements

  • Improved performance almost to level of unprotected traffic

Feature: Reliability & Performance Manager

  • New console for monitoring performance and reliability both in real time and historically
  • Set thresholds for performance metrics that result in custom actions (for example, alerts)
  • Stability index correlates significant system events with server reliability as a help in troubleshooting problems that evolve over time

Posted by arpans | 1 Comments

Enterprise Wikis and Simple Web Publishing

I was in Orlando this week presenting at an internal Microsoft conference. I had an opportunity to meet & talk to different people WW about SharePoint. A couple folks I chatted with had customers who wanted to create Enterprise Wiki solutions. It turned out that what they were looking for was an informal publishing system where users were essentially empowered to manage web content on a specific portal. The line b/w wikis & wcm is a fine one. By using the web publishing feature (a MOSS feature - not available in WSS), customers can enjoy the following benefits above and beyond out-of-the-box wiki functionality:

1. Full control over "wiki" page layouts. By leveraging the Page Layout model, you can create pages with multiple edit regions, different types of controls (text, image, et cetera). Furthermore, you can have multiple layouts.

2. Not just web content, but applications as well. You can add web part zones to allow authors to add web parts.

3. Full branding control. Easier to manage master pages and apply them.

4. Navigation. The navigation out-of-the-box is based on the pages you have.

5. Richer inline editing. The editing experience is richer and WYSIWYG.

6. Workflow. If you're looking for informal publishing, you probably want to turn this off.

7. Word content converted to a publishing page. Using the document converter, you can convert a docx file to a web page.

While all this is good, a few things are missing that are in the WSS wiki feature. For example, linking to wiki pages with the [[]] syntax; another is revision history. The WSS wiki feature gives you a visual representation of changes made. With publishing pages, you can view past versions but the differences are not visual.

I just wanted to point out the similarity b/w web publishing & wikis. It's something to think about. :-)

Posted by arpans | 2 Comments

SharePoint Security Guidance

A little while ago, I published a blog entry around end-user security. Since then, I've been asked many questions from customers & partners on SharePoint security in general, from hardening servers to server farm architecture. I wanted to point out an excellent, comprehensive SharePoint Security guide that was recently published: http://go.microsoft.com/fwlink/?LinkID=94375. So whether you're looking for comprehensive security guidance or information on a specific topic, this resource is super helpful for all things SharePoint Security.

Posted by arpans | 1 Comments

Announcing the SharePoint Best Practices Series

[Cross-posted from the SharePoint Team Blog]

Over the last few months, the SharePoint product team has released a number of resources, updates and made supportability announcements to help our customers and partners deploy SharePoint solutions. Recently, we released the Infrastructure Update that provides fixes and even a new set of Search Federation features. We also announced support for Virtualization technology like Hyper-V and SQL Server 2008. And most recently, we announced the availability of the SharePoint Administration Toolkit 2.0 which provides functionality to help IT Professionals run highly available and geographically dispersed SharePoint deployments.

Today, I’m happy to announce the SharePoint Best Practices Series. These consumable and actionable guidelines are based on real-world experience from Microsoft Consulting Services (MCS) and the product team. They are aimed to help our SharePoint customers and partners avoid some of the common SharePoint deployment pitfalls and keep their SharePoint environments available and performing well. The SharePoint Customer Team, part of the core product team dedicated to providing real-world feedback inwardly and outwardly, has put this guidance together working with a number of teams within Microsoft.

The SharePoint Best Practices Resource Center on TechNet highlights the different best practices for IT Professionals and Developers and helps you navigate through the resources. IT Professional topics include Operational Excellence, Team Collaboration Sites, Publishing Portals, Search and My Sites. Developer topics include Common Coding Issues, Using Disposable Objects, Search SQL Syntax Queries and Customization Best Practices. We will continue updating and publishing new Best Practices based on real-world experience.

I encourage each one of you to take a look at these resources proactively!

Posted by arpans | 2 Comments

Search Federation and Content Deployment

As I mentioned in my previous post, the Infrastructure Update is now available! It's a roll-up of fixes & even features that I highly recommend everyone take a good look at. It contains new Search Federation features for MOSS, it has fixes for the Content Deployment feature and much more.

Things have been very busy at work so I haven't been blogging as much. I'll try to do better. :-)

Posted by arpans | 1 Comments

Search Federation in SharePoint Server 2007

You can download the presentation I delivered at TechEd 2008 here.

Here are a couple slides from the presentation to remind you what the key features are in Microsoft Search Server 2008 (Express) and a reminder that these features will be available to Office SharePoint Server 2007 as a "rollup" by early July and will be publicly available on the Microsoft Download Center. We'll post an announcement on the SharePoint Team Blog on its availability.

One of the sites I showed during my presentation was idvsolutions Search Server Demo at http://esearch.idvsolutions.com/default.aspx. It's a really cool demo that highlights the power and simplicity of the new federation features.

Another tip: if you're interested in SharePoint Search, you definitely need to subscribe to http://blogs.msdn.com/enterprisesearch.

 


Posted by arpans | 5 Comments

SharePoint Web Content Management News

There has been some great recent news for the SharePoint Web Content Management community.

1. Check out the Web 2.0 Fire Starter Event happening in Redmond next week! The content is being presented by some great folks, it's free to attend in person & it will be available over LiveMeeting.

2. Check out this SharePoint Developer landing page. A great place to really learn more about what SharePoint offers to developers and pointers to content - a lot of new content!

3. The SharePoint WCM Development book is available! Order a copy or pick it up @ TechEd. I'll be there next week. :-)

There's a lot more happening in the ecosystem.. now I better get working on my TechEd session - Search Server 2008 Overview.

Posted by arpans | 1 Comments

Live Mesh

A good friend of mine, Aakash Kambuj, is a senior developer on the Mesh team. For the last few weeks he has been pressing me to try out the Mesh Technical Preview - something he has been working on for quite some time now. So just a few days ago, I gave it a shot -- and boy, was I blown away. Mesh is absolutely fantastic. I'm using it on my work machine & home machine to keep my "My Documents" (800 MB) folder in sync. In fact, I'm able to "connect" (remote desktop) into my work machine from outside the firewall from my home machine without having to VPN in. I can also access any piece of content in the "My Documents" folder from anywhere with a browser. It's all stored in the cloud.

Mesh allows you to work the way you want to work... and gives you access to all your data no matter where you are. Unlike other cloud solutions where all the information is stored in the cloud, the performance is great b/c the content is on your device (in this case, on your computer).  It's the best of client + services. Mesh is very much like Groove and it's no surprise that Ray Ozzie led this team. :-)

BTW - don't bother trying to use Mesh on a network share. I already tried that - it doesn't let you. I was trying to add a SharePoint folder to my mesh after mapping it to a drive.

I'm looking forward to subsequent versions... I'm already using it "in production".

Posted by arpans | 7 Comments

So long, and thanks for all the Fitz.

Yesterday, I had lunch with Fitz AKA Mike Fitzmaurice. Fitz is probably one of the most recognizable names and personalities in the SharePoint community. He's been in the SharePoint space for more years than I have... and that's a long time. :-) His SharePoint expertise is unparalleled, his ability to connect with customers & partners cannot be matched and most importantly, he's a great person. I've had the privilege of working with Fitz on SPS 2003 and SharePoint Server 2007. In a nutshell, I'm a fan of Fitz.

So why am I randomly writing about this - it's because Fitz decided to leave Microsoft and join Nintex, a strong SharePoint partner, as their VP of Product Technology. I'm sure he'll do wonders... and while I'm sad to see him leave, I'm glad he's going to stay in the greater Seattle area and work closely with SharePoint technology.

If there are a few of you who are wondering "Who's Fitz?", you haven't been in the space long enough to appreciate what Fitz has done. One of the most popular blog entries of its time (2+ years ago) was his post on WSRP - a classic. He was also one of the first to announce and evangelize SharePoint Server 2007. If there's any criticism, he didn't blog enough...which according to his last blog post as a Microsoft employee, he's going to change. :-)

Posted by arpans | 1 Comments

Announcing: SharePoint WCM book available at TechEd 2008

[cross posted on the SharePoint Team Blog]

It's exciting to see customers using SharePoint for their Internet sites. We've seen some great success stories and big companies choosing SharePoint for their web content management solution. While SharePoint offers a rich set of capabilities out-of-the-box, customers want to add new functionality, customize the look and feel and add business specific logic. This requires a deep understanding of the SharePoint web content management (WCM) capabilities.

I'm happy to announce that Andrew Connell, a SharePoint MVP, has written a book titled "Professional SharePoint 2007 Web Content Management Development: Building Publishing Sites with Office SharePoint Server 2007", the first of its kind to cover design, development and deployment of SharePoint WCM solutions. I've known Andrew for several years now so when he asked me to write the foreword, I said yes immediately - I knew Andrew would deliver high quality content that would benefit the SharePoint community. He's a well-known expert in the field and has created some great content for the community. One of his most popular WCM blog postings is where he consolidated SharePoint WCM resources. We will also be posting a couple chapters from the book on MSDN to give you a sneak peek! While the book will be available shortly after this TechEd, we will have the first 1400 copies of the book at TechEd that we'll be giving away.

So keep your eyes open when the book releases! If you're coming to TechEd, swing by the SharePoint booth for a chance to get a copy and have Andrew sign it for you! See you at TechEd.

Posted by arpans | 1 Comments

SharePoint Development - Meet Paul Andrew

Paul Andrew leads the SharePoint Developer Readiness effort at Microsoft. He recently wrote an excellent blog entry about how to get started with SharePoint Development. It's actionable, direct and super helpful. So check out the article and keep a pulse on Paul's blog if SharePoint Development is important to you.

Incidentally, Paul owns our SharePoint presence at TechEd this year in Orlando. Speaking of TechEd, I will be at TechEd IT Professional delivering a session on Search Server 2008. This year I'm only doing one session and planning to spend more time with customers and partners.

Posted by arpans | 1 Comments

SharePoint End User Security

Security covers a number of topics when it comes to software, everything from locking down a system to end user security. There is absolutely no doubt that security is extremely important and should be taken seriously. And it's no surprise that security is one of the topics I get asked about most frequently when I present to executives and IT professionals.

So here's my attempt at providing the SharePoint End User Security 101 covering different aspects of what enterprises need to think about. By no means is this article comprehensive, but it touches upon aspects of SharePoint end user security that I get asked about frequently.

 

1. Web Single-Sign On. SharePoint is a web application. So the first question you have to think about is how users get authenticated to SharePoint. Simply put, authentication is the process of finding out who the user is. Out-of-the-box, SharePoint provides integration with Active Directory for NTLM authentication. There are many benefits of using AD, one of which is seamless Office integration. SharePoint, because it's built on ASP.NET, also supports the ability for enterprises to use other authentication systems with the pluggable authentication provider model. Office SharePoint Server, out-of-the-box, ships with an LDAP provider. When deciding what authentication model to use and how to configure authentication, you must read the following articles written by Steve Peschka. Steve Peschka is a rockstar SharePoint Microsoft Consultant - and that's an understatement:

- Part 1: Introduction

- Part 2: Membership and Role Provider Samples

- Part 3: Forms Authentication vs. Windows Authentication

 

2. SharePoint Authorization. SharePoint provides built-in tools and interfaces to configure authorization. Once a user is authenticated, SharePoint needs to make sure the user is authorized to view/edit the content. There are many different access levels and those rights can be applied to a single piece of content (list item) like a document or a page, a group of content like a folder or library, or a collection of content like a site or site collection. By default, security is inherited from the parent which makes it easier to manage security. However, security can be managed separately for an entity allowing for greater control when needed.

SharePoint also has the notion of "groups". You can create a SharePoint group that contains users who have the same set of rights. For example, "Contoso Readers" for all the users who can read from the Contoso site. SharePoint also respects AD groups, which has the benefit of a new employee, for example, automatically getting access to SharePoint when he/she is added to an AD group.

It's also important to note that SharePoint also supports anonymous users. This could prove to be useful in Internet scenarios, for example. In any case, if you do have content that you want to give anonymous users access to, make sure you appropriately configure your web application through Central Administration before you attempt to make the list "anonymous".

Needless to say, authorization can be set at many different levels and can be delegated to Site Administrators. One of the neat features of SharePoint is that content is "security trimmed" (see #3) which means that content is only displayed if a user has access to it. Ted Pattison has done a good job in this video walking through the various controls.

 

3. Security Trimming. The SharePoint UX framework doesn't display links to content & actions that the user doesn't have access to. For example, a list will only show items/folders that a person has access to - not just that, but will only show drafts that a person has access to; navigation controls will only show menu items a person has access to; My Site controls only show documents people have access to; Search only shows results that a person has access to. This avoids clutter, confusion & inadvertent communication of the existence of a piece of content.

While security trimming is out of the box, it only works for content managed by SharePoint. Links to external content that are authored by someone, for example in a Content Editor Web Part, won't be security trimmed; it's feasible to develop a web part/field control that does do this. As for search, security can be captured at index time via a protocol handler or trimmed during rendering time with a custom security trimmer.

 

4. Content Security. As I mentioned in the previous section, SharePoint handles authorization for content that lives in SharePoint. If you are looking to have security rights "stay" with the document when it leaves SharePoint, you can configure Information Rights Management (IRM). By configuring IRM at the document library level, when a piece of content is downloaded from the library, SharePoint will apply an IRM wrapper on the content ensuring the rights carry forward with the document. By applying the wrapper at download time & leveraging SharePoint security while the content lives in SharePoint, the search indexer is able to effectively index the content - which is a great feature.

 

5. Accessing/Authenticating to SharePoint from the Outside. ISA and IAG offer fantastic solutions to access SharePoint in a secure way from outside the corporate firewall as well as provide additional security based on user roles & the state of the machine. If you've always wanted to publish your SharePoint solution for external access in a secure way, take a look. Very compelling and ties in with your SharePoint authentication whether you're using AD or some other system using FBA. 

 

6. The World outside of SharePoint.

a) Other Web Portals
There are a number of ways you can integrate with other web portal technologies. It really depends on what you are attempting to achieve and the standards the third party portal supports. This slide which I created outlines some of the ways you can integrate with 3rd party portals. This comes from a build slide, so it looks a little cluttered. You can find the original deck here.


From a security perspective, the different portal systems will typically manage their own authentication and authorization. By leveraging a common directory for webSSO and using cookies, you can make the experience more seamless. For example, when someone logs onto SharePoint or vice-versa, you essentially log them into the other portal and make sure you set the right cookies.

Another important consideration is "how" you choose to integrate. By using iFrames (for example, the Page Viewer Web Part uses iFrames), the browser is actually requesting a particular web resource and passing its credentials, whether that's Windows credentials with NTLM or a cookie if you've used Forms Based Authentication (FBA). This avoids the double hop challenge you would have if the actual application code (for example, a web part calling another system) was making the call. For these types of scenarios, you need to consider taking advantage of Kerberos, a protocol that SharePoint supports, or the Enterprise SSO service which I talk about briefly later in this article. Incidentally, there's been a lot of rambling on how the RSS Web Part doesn't work without Kerberos - and there's good reason for that! Otherwise, credentials would be "double hopping"! :-) Clearly, RSS feeds for "anonymous lists" will work just fine out-of-the-box.

b) Search
As I mentioned earlier, the SharePoint UX framework does security trimming and this includes the search service. However, this only works when SharePoint knows who has access to the content and who doesn't. Out-of-the-box you can configure SharePoint to crawl content and "store" ACL information for a number of sources including file shares, SharePoint content and Notes Databases. Check out this article for a more detailed description of how security works with Search including pointers on how to develop your own custom security trimmer.

c) Application Integration
I decided not to spend time walking through the nuances and meaning of Single-Sign On (SSO). The term Single-Sign On is used very often when discussing authentication across different systems. SSO can generally be broken up into two categories: WebSSO (which I described earlier) and Enterprise SSO. Enterprise SSO generally refers to the seamless end user integration with back-end systems. For example, let's say a user logs into a web portal and takes a look at a dashboard where data is coming from all different kinds of systems: SQL, SAP, custom LOB, et cetera. Each one of these systems will have a separate authentication system. By having an Enterprise SSO strategy and system in place, the user logging into the web portal gets access to all the different systems seamlessly without having to sign into each system individually. The magic happens in the background and is typically achieved by managing and retrieving different username (or group) passwords from a secure store that maps to the webSSO username. SharePoint Server 2007 (you need the Enterprise CAL) ships with an out-of-the-box SSO service and you also have the option of plugging in your own SSO Provider.

d) Business Data Catalog (BDC)
You can configure security with the BDC at the entity level. Many customers want more granular security. Granular security is possible when it comes to searching BDC content. More specifically, you can control what the returning search result set looks like by implementing a custom security trimmer. Here's an example of how you would do it.

7. Managing SharePoint User Security

There are a number of articles that describe best practices for managing SharePoint security. The truth is it really depends on what your existing directory and SSO infrastructure look like and how you are looking to integrate that with SharePoint. And as I've pointed out in this article, there are many aspects to "security" that you really need to consider - authentication, authorization, integration, et cetera.

As for SharePoint security specifically, there are a lot of tools out there in the community to help manage SharePoint security. Instead of providing a list of resources, I wanted to comment on one particular technology I recently came across: iDevFactory's Universal SharePoint Manager. From what I've seen, it's absolutely fantastic. It's not too expensive & offers a rich set of features that allows you to really get a handle on what users have access to what assets. Not only does it do reporting, but it also allows you to manage and change credentials in a very intuitive way.
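
As an added example (not code from the original post or from any product mentioned in it), here is a small C# console program against the WSS 3.0 / MOSS 2007 server object model that reports where a site collection breaks the permission inheritance described in section 2, which SharePoint groups, domain groups and users hold rights there, and where anonymous access is enabled. It assumes it runs on a farm server under an account allowed to enumerate permissions; the class name and output format are illustrative.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: audit unique permissions and anonymous access in one
// site collection. Class name and output layout are illustrative choices.
class PermissionAudit
{
    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: PermissionAudit <site-collection-url>");
            return 1;
        }

        using (SPSite site = new SPSite(args[0]))
        {
            // Every SPWeb handed out by AllWebs must be disposed by the caller.
            foreach (SPWeb web in site.AllWebs)
            {
                try { AuditWeb(web); }
                finally { web.Dispose(); }
            }
        }
        return 0;
    }

    static void AuditWeb(SPWeb web)
    {
        Console.WriteLine("WEB  {0}  permissions={1}  anonymous={2}",
            web.Url,
            web.HasUniqueRoleAssignments ? "unique" : "inherited",
            web.AnonymousState);
        if (web.HasUniqueRoleAssignments)
            PrintAssignments(web.RoleAssignments);

        foreach (SPList list in web.Lists)
        {
            bool anonymous = list.AnonymousPermMask64 != SPBasePermissions.EmptyMask;
            // Skip lists that neither break inheritance nor carry an anonymous mask.
            if (!list.HasUniqueRoleAssignments && !anonymous)
                continue;

            Console.WriteLine("LIST {0}  permissions={1}  anonymousMask={2}",
                list.RootFolder.ServerRelativeUrl,
                list.HasUniqueRoleAssignments ? "unique" : "inherited",
                list.AnonymousPermMask64);
            if (list.HasUniqueRoleAssignments)
                PrintAssignments(list.RoleAssignments);
        }
    }

    // One output line per (principal, permission level) pair.
    static void PrintAssignments(SPRoleAssignmentCollection assignments)
    {
        foreach (SPRoleAssignment assignment in assignments)
        {
            foreach (SPRoleDefinition level in assignment.RoleDefinitionBindings)
            {
                Console.WriteLine("       {0} [{1}] -> {2}",
                    assignment.Member.Name, Kind(assignment.Member), level.Name);
            }
        }
    }

    // Distinguish SharePoint groups, directory (domain) groups and single users.
    static string Kind(SPPrincipal member)
    {
        if (member is SPGroup) return "SharePoint group";
        SPUser user = member as SPUser;
        return (user != null && user.IsDomainGroup) ? "domain group" : "user";
    }
}
```

Folders and individual items can also carry unique permissions; this example stops at webs and lists to keep the walk cheap on large libraries.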

Posted by arpans | 4 Comments

Link to SharePoint Deck

Here's the PPTX deck I presented @ SPC and where the slides come from that I referenced in the recent SharePoint = Platform (and Application) post.

Posted by arpans | 2 Comments

SharePoint Search Tool for SharePoint Resources

With the number of great SharePoint resources out there, it is sometimes difficult to find the specific resource or content that you need. Michal Gideoni and a partner released a great tool that's built on SharePoint for SharePoint.

The concept is very simple. The resource metadata (title, description, location, et cetera) is stored in a SharePoint list and can be pivoted based on audience, level and other metadata. If you have feedback or suggestions on what else should be included, please be sure to submit it from the site. Here's the tool - check it out: http://sharepoint.microsoft.com/readiness.

This is useful when you're looking for a specific type of content. Otherwise, I continue to recommend these five great places (besides the SharePoint sections of MSDN, Microsoft.com & TechNet) to bookmark for frequent updates.

Posted by arpans | 7 Comments

Missed the MVP Summit

The MVP Summit was held in Redmond this week. Lawrence Liu, many of my other team members and folks from engineering spent a great deal of time with the SharePoint MVPs this week. They discussed plans, shared ideas and had some fun too!

Unfortunately, I didn't get a chance to stop by and say hello to the SharePoint MVPs. :-( I did get to meet a couple folks who stopped by Building 36 (where I work), but every attempt to get to the Conference Center was foiled by meetings, deadlines and last minute requests.

I finally have some free time now, albeit Friday evening, so here I am trying to vindicate myself... and doing a little blogging. And while it is becoming increasingly difficult for me to blog because the lines between the current version and future version are beginning to blur just a little bit... I will make it a point to write an average of one blog entry a week.... and next MVP summit around, no excuses -  I will present, paintball and eat with the MVPs and someone else on my team can hold down the fort. :-)

Posted by arpans | 2 Comments