Three of the SharePoint Academy and BPIO University courses I taught earlier this year are now available in webcast format. Many thanks to the sponsors on our product team, the Microsoft Information Worker community (global and local), content contributors, and MS Studios for making these possible. Now you can see what I look like when I'm reading from a teleprompter. :)

These webcasts contain a mix of standard material from the respective courses, as well as a number of my own contributions. Many of my contributions focus on material from areas of focus in my blog - customization, master pages, features, solutions, etc. - so thanks to all of you who've helped me enhance the content by sharing feedback, questions, and corrections to the original blogs.

I'm sure they'll end up on a landing page somewhere soon, but here are the public links:

Microsoft SharePoint Technologies Solution Architecture

http://www.microsoft.com/winme/0805/32847/mod4/index.html

Customizing and Extending Microsoft SharePoint Products and Technologies

http://www.microsoft.com/winme/0805/32847/mod9/index.html

Configuring the Business Data Catalog

http://www.microsoft.com/winme/0805/32847/mod10/index.html

Enjoy!

Preamble... 

One of the frequenly cited shortcomings of Forms-Based Authentication when compared to Windows Integrated Authentication is its lack of built-in support for an "All Authenticated Users" group similar to NT AUTHORITY\Authenticated Users.

This type of role comes in handy in a number of situations, most notably for provisioning public (but not anonymous) sites and public SSP permissions like "Create Personal Site". The most common workaround I've encountered has been a custom solution that ties in with user provisioning - create a role in the directory service, add all existing users to it, add any new users to it, and remove any users from it as they're deleted. For very large-scale directories, it's not practical to store many thousands of users in a single group, so the actual implementation might be one involving nested groups or a denormalized structure where group memberships are enumerated in the user object, but the same idea applies.

Problem...

My present customer's extranet MOSS implementation uses a very large LDAP directory with hundreds of thousands of potential users. To deal with their problems of scale, they long ago adopted the "list groups in the user object" approach. This made us unable to use the out-of-the-box MOSS Role Manager, which expects to find users enumerated in group objects, rather than groups enumerated in user objects. This led to a need for a custom LDAP Role Manager.

Like most MOSS implementations, they have a need for an "all authenticated users" role, but modifying user provisioning processes in their LDAP (of which there are many, but that's another story) wasn't a realistic option in terms of cost or schedule. Fortunately, the custom Role Manager opened the door to an elegant solution to the "All Authenticated Users" requirement.

Solution...

Once you've written your own role manager, it's pretty straightforward to embed your own "All Authenticated Users" feature into the component. I found it easiest to make this a configurable group name, but you could just as easily hard-code the value. Here's the walkthrough:

1. Create a private class variable (_LDAPAuthUsersGroup in the example below) for storing the group name.

2. Populate the group name variable in the Initialize method via a configuration setting.

3. In the GetRolesForUser method, append the "All Auth Users" group name to the roles list every time, thereby making every user a member of the group.

4. In the RoleExists method, always return true for the "All Auth Users" group name, thereby confirming its existence.

That's all there is to it. Snippets from relevant sections of the RoleProvider appear below.

namespace Company.MOSS.Auth
{
    public class CustomRoleProvider : RoleProvider
    {
        /*
        TO DO: put your other class variables here
         */

        private bool _LDAPEnableAuthUsersGroup;
        private string _LDAPAuthUsersGroup;

        public CustomRoleProvider()
        {
            /*
            TO DO: set other defaults here
             */

            this._LDAPEnableAuthUsersGroup = false;
            this._LDAPAuthUsersGroup = string.Empty;
        }

        public override void Initialize(string name, NameValueCollection config)
        {
            this._Name = name;
            if (config != null)
            {
                try
                {
                    /*
                    TO DO: initialize your other configuration variables here
                     */

                    //check for the presence of the auth users group configuration setting
                    if (config["authUsersGroup"] != null)
                    {
                        //Extra validation to prevent blank auth users group
                        if (config["authUsersGroup"].Length > 0)
                        {
                            //making this case-insensitive - this might not apply to your directory service
                            this._LDAPAuthUsersGroup = config["authUsersGroup"].ToUpper();
                            //turning on a boolean flag indicating that we're using this feature
                            this._LDAPEnableAuthUsersGroup = true;
                        }
                    }

                    return;
                }
                catch (Exception ex)
                {
                    throw new LdapProviderException(SPResource.GetString("LDAPProviderGeneralFailure",
                        new object[0]));
                }
            }
            throw new ArgumentNullException("config");
        }

        public override string[] GetRolesForUser(string username)
        {
            //this group list length works for me - might need to be different for you
            List<string> rolesList = new List<string>(10);

            /*
            TO DO: do whatever else you need to do to retrieve the "real" roles first
             */

            //if you're using the feature, then add the all auth users group to the roles list
            if (_LDAPEnableAuthUsersGroup)
            {
                rolesList.Add(_LDAPAuthUsersGroup);
            }

            return rolesList.ToArray();
        }

        public override bool RoleExists(string roleName)
        {
            //if authenticated users functionality is enabled, check to see if this is that special group
            if (_LDAPEnableAuthUsersGroup)
            {
                //making this case-insensitive - this might not apply to your directory service
                string role = roleName.ToUpper();

                if (role.Equals(_LDAPAuthUsersGroup)) return true;
            }

            /*
            TO DO: do whatever else you need to do to check if "real" roles exist
             */
        }

    }
}

Special Concerns:

REALLY, REALLY IMPORTANT: Make sure that the "All Auth Users" group name doesn't intersect with current or possible user/group names. That would be a horrible security hole - if someone created  a user or group with the same name as the All Auth Users group (whatever you choose to call it) and provisioned permissions to it on their site, all of a sudden EVERYONE would have that permission level. Very, very, very bad, potentially with legal/compliance consequences. There are three tactics I recommend for preventing this outcome:

• Simple, fast solution #1: Create a placeholder group (and user) in the directory service with the same name as the All Auth Users group that YOU own. Never do anything with them other than ensuring that they don't get deleted. You're just putting them there to prevent anybody else from creating a group with the same name, assuming that the directory service enforces uniqueness. :)
• Simple, fast solution #2: Give the All Auth Users group a name that falls outside the allowable domain of values for group names in your directory service - i.e. include special characters like # or \ if those are disallowed in group names; create an group name 100 characters long if group names are restricted to 50 characters in the directory service; etc.
• Slow, fallback solution: This could also be used in combination with method #2, but adds a bit of overhead. Instead of the mindless algorithms for checking if the role exists and the list of roles for the user, add a check to see if that role name exists in the directory service. If so, go the safe route and use the "real" non-All Auth users group  instead AND throw a warning to the event log.

A secondary concern... what if you only want to make this feature available to selected users/sites? This is one of the reasons we went with a configurable setting for the group name - we didn't want your everyday user provisioning permissions to all authenticated users in their site. The design pattern for this is simple - go with an elaborate group name (like a GUID) and change it on a regular basis.

If you're attempting an STSADM -o export (or, I'd assume, a content deployment) of a site and receive the following error:

FatalError: Failed to compare two elements in the array.

Check out the following KB article: http://support.microsoft.com/kb/948726/en-us .

The article indicates that the likely cause is one or more invalid feature references in the SPSite and/or SPWeb object. Fortunately, Steven Van de Craen authored a wonderful GUI tool for removing "faulty features" (which is of course unsupported and should be used with caution, but nonetheless very useful). See his article on the topic for more details.

Cases where you might encounter these errors:

• Sites that were migrated from a MOSS Enterprise implementation (even if they're not USING Enterprise features) to a MOSS Standard implementation
• Sites that were created in an beta version of MOSS/WSSv3
• Sites which reference custom features that have since been removed from the filesystem but were not properly deactivated and uninstalled

For anyone using a custom authentication provider or non AD/LDAP* directory service, the Profile Import tool at http://www.codeplex.com/sptoolbox is an awesome tool for adding users. Just plug in your provider(s), tweak a few configuration settings, and go. I've used it to add 200,000+ user profiles from my customer's directory service (though I wouldn't recommend attempting to swallow all those records in one gulp - that requires more memory than we had on our import server) to our latest MOSS environment.

Getting the configuration "just right" resulted in my creating lots of extraneous user profiles in the environment. Not wanting to recreate the SSP or build up some serious callouses hitting the "delete" key hundreds of times, I spent quite a bit of time yesterday searching for a tool for doing mass deletes of user profiles, to no avail. I did, however, find a number of postings for other folks out there looking for a similar tool.

So I put together a quick-and-dirty command-line app for nuking your entire user profile DB or a portion thereof based on account name matches. You could modify this pretty easily to include more sophisticated filter criteria, like an existence check in your directory service of choice, but I didn't want to spend more than an hour on the script... :)

* You'd also need to use the Profile Import tool if you need to do an authenticated bind to your LDAP service using something other than Windows credentials.

Configuration File:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
 <appSettings>
  <add key="test" value="false"/>
  <add key="debug" value="true"/>
  <add key="filterPattern" value="qaldap:"/>
 </appSettings>
</configuration>

Configuration Comments:

Here's how to use the config settings:

• filterPattern
• case-insensitive string used for a "starts with" match on user profile Account Names - i.e. "myprovider:" would be a match for all user profiles that use the provider "myprovider", or "mydomain\" would match all user profiles from the "mydomain" domain
• test - used to control whether delete actions occur
• true (default) - user profiles matching the filterPattern are reported as matches for deletion, but no delete actions occur
• false - all user profiles matching the filterPattern are deleted
• debug
• true - application info/warning/error events are written to the console
• false (default) - application events are written only to the event log

Source Code:

The code is pretty simple. Main is where the action is for retrieving/deleting user profiles and reading the config file; if you need to plug in a different algorithm for identifying profiles to be deleted (like an existence check in your directory service), you'd add it here. GetAnySiteUrl is copied directly from the Profile Import tool to save coding time in establishing a server context; if you have multiple SSPs, you might want to update the way you establish a context.

If you're using only 1 SSP and are OK with the simple "starts with" pattern match algorithm, just put the right references in your project, build it, and you're ready to go. Enjoy!

using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Text;
using System.Diagnostics;
using System.Configuration;

using Microsoft.Office.Server;
using Microsoft.Office.Server.UserProfiles;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

namespace ProfileDelete
{
    class Program
    {
        static int logLevel = 1;
        static bool debug = false;
        static bool test = true;
        static string logSource = "ProfileDelete";
        static string logDestination = "Application";
        static string filterPattern = "";

        static void Main(string[] args)
        {
            int counter = 0;

            try
            {
                Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

                NameValueCollection appSettings = ConfigurationManager.AppSettings;
                logLevel = Convert.ToInt32(appSettings["loglevel"]);
                debug = Convert.ToBoolean(appSettings["debug"]);
                test = Convert.ToBoolean(appSettings["test"]);
                filterPattern = appSettings["filterPattern"];
            }
            catch (Exception e)
            {
                DoLog("Error reading configuration file:" + e.ToString(), EventLogEntryType.Error, 100);
            }

            string currentAccountName = String.Empty;

            using (SPSite site = new SPSite(GetAnySiteUrl()))
            {

                ServerContext context = ServerContext.GetContext(site);

                UserProfileManager profileManager = new UserProfileManager(context);

                foreach (UserProfile profile in profileManager)
                {
                    currentAccountName = (String) profile[PropertyConstants.AccountName].Value;
                    currentAccountName = currentAccountName.ToLower();

                    if (currentAccountName.StartsWith(filterPattern.ToLower()))
                    {
                        counter++;
                        DoLog(currentAccountName + " matches delete criteria. Count: " + counter, EventLogEntryType.Information, 110);
                        if (!test)
                        {
                            DoLog("Deleting " + currentAccountName, EventLogEntryType.Information, 120);
                            profileManager.RemoveUserProfile(profile.ID);
                        }
                    }
                }
            }

        }

        private static string GetAnySiteUrl()
        {
            //the purpose of this function is just to get any site Url so that
            //we can obtain a ServerContext for the UserProfileManager
            string ret = string.Empty;

            SPWebServiceCollection wsc = null;

            try
            {
                wsc = new SPWebServiceCollection(SPFarm.Local);
                foreach (SPWebService sw in wsc)
                {
                    foreach (SPWebApplication wa in sw.WebApplications)
                    {
                        if (wa.Sites.Count > 0)
                        {
                            ret = wa.Sites[0].Url;
                            break;
                        }
                        if (!string.IsNullOrEmpty(ret))
                            break;
                    }
                    if (!string.IsNullOrEmpty(ret))
                        break;
                }
            }
            catch (Exception ex)
            {
                throw new Exception("Error getting a site Url: " + ex.Message);
            }
            finally
            {
                wsc = null;
            }

            return ret;
        }

        private static void DoLog(string msg, EventLogEntryType eventType, int code)
        {
            bool writeEntry = true;
            if (debug) Console.WriteLine("Event Type: {0}; ID: {1}; Message: {2}", eventType.ToString(), code, msg);

            if (logLevel > 0)
            {
                if (!EventLog.SourceExists(logSource))
                    EventLog.CreateEventSource(logSource, logDestination);
                if (eventType.Equals(EventLogEntryType.Warning) && (logLevel < 2))
                    writeEntry = false;
                if (eventType.Equals(EventLogEntryType.Information) && (logLevel < 3))
                    writeEntry = false;
                if (writeEntry) EventLog.WriteEntry(logSource, msg, eventType, code);
            }
        }

    }
}

IRM/RMS Implementation

• General Deployment Resources: http://technet2.microsoft.com/windowsserver/en/technologies/featured/rms/default.mspx
• Extranet planning considerations: http://technet2.microsoft.com/windowsserver/en/library/107e1338-4dcf-4ed5-a49d-e875cc883db11033.mspx?mfr=true

Load Balancing & Session State Management Links

• How State Management Works in SharePoint: http://technet2.microsoft.com/Office/en-us/library/ffa4a256-6885-4295-a712-537ce82b9a0c1033.mspx?mfr=true
• JoelO's LB Troubleshooting & Configuration Tips: http://blogs.msdn.com/joelo/archive/2007/01/05/nlb-network-load-balancing-and-sharepoint-troubleshooting-and-configuration-tips.aspx

Various topics:

• How to change the behavior of the "!NEW" icon: http://support.microsoft.com/kb/825510
• PDF document converters:
• From Bamboo Solutions: http://store.bamboosolutions.com/pc-16-3-office-to-pdf-conversion-solution-accelerator-release-12.aspx
• From Aspose: http://www.aspose.com/documentation/file-format-components/aspose.words-for-.net-and-java/add-doc-to-pdf-and-other-conversions-to-microsoft-office-sharepoint-server-2007-with-aspose-components.html
• User Management Solution Accelerator (for permissions management): http://store.bamboosolutions.com/ps-46-5-user-management-accelerator-available-july-2007.aspx
• InfoPath development reference: http://www.amazon.com/Designing-Microsoft-InfoPath-Services-Development/dp/0321410599/ref=pd_bbs_sr_1/103-2811446-2506209?ie=UTF8&s=books&qid=1179182561&sr=8-1 

Recommended Readings/Resources on ITPro Topics:

• Case Study for DPM 2007 for SharePoint: http://technet.microsoft.com/en-us/library/bb897855.aspx 
• How to increase the size of a Site Template beyond 10MB: http://blogs.msdn.com/joelo/archive/2007/03/15/you-learn-something-new-every-day-site-template-limit.aspx 
• Multilanguage Implementation References:
•  Plan variations: http://technet2.microsoft.com/Office/f/?en-us/library/45264de9-6859-45c1-9d6d-70035c471a2a1033.mspx
• Plan for multilingual sites: http://technet2.microsoft.com/Office/f/?en-us/library/22d5dc9c-66bd-40d7-8c60-2a2a066db2241033.mspx 
• Extranet Toplogies for SharePoint 2007: http://office.microsoft.com/search/redir.aspx?AssetID=AM101638961033&CTT=5&Origin=HA101639821033
• Also review ISA 2006 configurations for SharePoint in the MOSS Administrator's Companion, Chapter 19
• STSADM Command Reference: http://technet2.microsoft.com/Office/en-us/library/e5134b97-b629-4fc0-8733-f2a49126daee1033.mspx?mfr=true 
• Search product comparison: http://www.microsoft.com/enterprisesearch/products.aspx#compare
• Everything you wanted to know about the recycle bin: http://blogs.technet.com/wbaer/archive/2007/11/13/planning-for-additional-storage-with-microsoft-sharepoint-products-and-technologies-recycle-bin.aspx
• SharePoint Product Comparison - http://office.microsoft.com/en-us/sharepointserver/HA101978031033.aspx
• NEW TechNet WebCasts on ITPro Topics (many will be familar): http://blogs.msdn.com/sharepoint/archive/2008/02/18/advanced-sharepoint-videos-and-whitepapers.aspx
• Be sure to check out the SEARCH and PERFORMANCE OPTIONS webcasts

Recommended Reading/Resources on ECM/DM topics:

• Go here for the full MOSS Capacity Planning briefing: http://www.microsoft.com/winme/0712/31729/Module4/Local/index.html
• Tons o' SharePoint Technical & Functional Visio Diagrams: http://technet.microsoft.com/en-us/office/bb310619.aspx
• Office Server Topology Diagram
• Records Management Planning on TechNet:http://technet2.microsoft.com/Office/en-us/library/271017e8-7f23-4166-9501-140ad2fc555d1033.mspx
• Document Management Planning on TechNet:http://technet2.microsoft.com/Office/en-us/library/cb57d4f7-8353-420b-8a10-d05c9bdf1b561033.mspx
• Document Conversion is AKA "Smart Client Authoring" - search on that term for more info, or get a start from this article: http://technet2.microsoft.com/Office/en-us/library/e028f0a7-f9cf-45c1-a8b9-bfb2051352e41033.mspx?mfr=true
• Team Foundation Server Architecture (includes relationship to WSSv2): http://msdn2.microsoft.com/en-us/library/ms364062.aspx
• JoelO on what NOT to store or do in sharepoint (keep in mind that the new External Blob Storage API adds some new twists to these practices): http://blogs.msdn.com/joelo/archive/2007/11/08/what-not-to-store-in-sharepoint.aspx
• Resolving the "The column name that you entered is already in use or reserved" issue that occurs when you rename an OOTB site column like "Title" - http://support.microsoft.com/kb/923589/en-us
• How to increase the max document size for indexing - change this value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Global\Gathering Manager
• More to come...

This came up during the SharePoint AcademyLive Search class today, and isn't the first time I've been asked how to do this, so I figured it was time to write a post. :)

When you're first configuring your farm, it's often easier to configure Kerberos & SSL later, once you've completed all the other farm deployment tasks and made sure everything else is working. Doing this for Central Admin requires a couple of minor tricks... the complete procedure listed is listed below.

Assumptions:

• CA was originally installed on the desired server
• you don't have any web.config or other customizations applied to the CA webapp
• all your Kerberos configuration (SPNs, delegation, etc.) is already configured
• CA was originally installed with NTLM & HTTP.

Central Admin Web Application (Kerberos+SSL)

1.       Remove Existing CA site

a.       Navigate to Start Menu > All Programs > Microsoft Office Server > SharePoint Products & Technologies Configuration Wizard

b.      Click Next

c.       Click Yes

d.      Leave “Do NOT disconnect from this server farm” selected and click Next.

e.      Select “Yes, I want to remove the web site from this machine” and click Next.

f.        Click Next

g.       Click Finish

2.       Recreate CA site w/Kerberos auth

a.       Navigate to Start Menu > All Programs > Microsoft Office Server > SharePoint Products & Technologies Configuration Wizard

b.      Click Next

c.       Click Yes

d.      Leave “Do NOT disconnect from this server farm” selected and click Next.

e.      If asked, indicate that this server should host the central administration web application and click Next.

f.        Check the checkbox next to “Specify port number” and enter a port number of 12345.

g.       Select the Negotiate (Kerberos) authentication provider.

h.      Click Next

i.         Click Yes

j.        Click Next

k.       Click Finish

3.       Enable SSL for CA site

a.       Navigate to Start Menu > All Programs > Administrative Tools > IIS Manager

b.      Navigate to {Computer Name } > Web Sites

c.       Right-click SharePoint Central Administration V3 and select Properties

d.      Enter 12345 in the SSL port field.

e.      Enter 80 in the TCP Port field.

f.        Click Apply.

g.       Navigate to the Directory Security Tab

h.      In the Server Communications region of the tab, select Edit.

i.         Select Require Secure Channel and click OK.

j.        Navigate to the Directory Security Tab

k.       Select Server Certificate

l.         Click Next

m.    Select Import a certificate from a .pfx file and click Next

n.      Browse to the file

o.      Click Next

p.      Enter the password (if necessary) and click Next

q.      Confirm that 12345 is in the SSL port field and click Next

r.        Click Next

s.       Click Finish

t.        Click OK

4.       Execute an IISRESET on the central administration host server

5.       Update AAM for CA site

a.       Open the OPERATIONS PAGE of the central administration site in a web browser (i.e. https://contoso86:12345/_admin/operations.aspx  - if a specific page is not indicated in the address, it will fail to open since the AAM requires updating).

b.      If warned, ignore any certificate errors and continue browsing to the page.

c.       Select Alternate Access Mappings from the Global Configuration subheader.

d.      Click on the link for http://contoso86:12345