Years ago using Internet Explorer was the only choice for my line of work. Sure, you had Netscape and several other browsers but no viable alternatives for working with Microsoft solutions, such as SharePoint.
With the recent introduction of Google Chrome it’s been interesting to see how Firefox, IE 8 (beta) and Chrome have and will shape one’s daily work routines.
Having used Chrome for 15 minutes I must say I really, really like it. It seems to have all the good stuff imported from Firefox, a (fairly) low memory footprint and it’s super fast. Not that Firefox or IE are slow, but Chrome doesn’t keep you waiting when you hit Ctrl-T.
On a daily basis I use Firefox 90% of the time, and IE 8 beta 1 whenever a site requires IE. This works for me since Firefox introduces so many neat features I’ve grown to like – the ‘Add keyword here’ for custom searches, fast tabbing, Adblock and customizable icons and themes. Whenever I can’t use FF, I fall back to IE which I open manually through Start > Run > iexplore.exe. I’ve configured IE to execute 32-bit by default since so many sites seem to use proprietary 32-bit client extensions that do not work with x64.
SharePoint is one of the first products I use to perform the ‘can I use this daily?’ test for emerging browsers. Chrome didn’t quite pass this, for several reasons:
- The right-hand scrollbar for the page gets confused with an out-of-the-box (OOB) SharePoint page
- Moving web parts doesn’t work, and it also doesn’t fall back to the legacy mode
- Default templates don’t scale correctly vertically
- The Manage Content and Structure tool flickers and renders incorrectly
Minor problems and definitely something that can be fixed but still annoying.
About People Picker
One of the most-used features of SharePoint (WSS 3.0 and MOSS 2007) is People Picker. This is the component responsible for providing a fancy user interface for finding users when provisioning access:
By default, which in this context means - “I did a full installation of MOSS 2007 with mostly default settings and didn’t pay particular attention to securing anything” – People Picker is not secure.
The main issue with People Picker is that it’s reachable by regular users of a given site. By opening http://<portal>/_layouts/aclinv.aspx (the Add Users page), anyone with basic access to the site can use the picker to enumerate accounts, and because the picker resolves names against Active Directory by default, that means domain accounts rather than just the members of the site:
By typing 'a' as the search term and hitting search, one gets a list of every account that matches it. Obviously this isn't a big issue in intranets and similar closed systems, where the user performing the search is already trusted with that information. For anonymous sites (mostly public WCM sites) lockdown mode should resolve most issues related to /_layouts/ application pages: it removes the 'View Application Pages' right from limited-access users, so anonymous visitors can no longer open pages under /_layouts/. See this article for more details: http://technet.microsoft.com/en-us/library/cc263468.aspx#section6.
What additional approaches can you take to secure People Picker?
Modifying People Picker behavior with stsadm.exe
Stsadm.exe (with SP1) enables you to control People Picker with the following properties:
- peoplepicker-activedirectorysearchtimeout
- peoplepicker-distributionlistsearchdomains
- peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode
- peoplepicker-onlysearchwithinsitecollection
- peoplepicker-searchadcustomfilter
- peoplepicker-searchadcustomquery
- peoplepicker-searchadforests
- peoplepicker-serviceaccountdirectorypaths
These are well documented here: http://technet.microsoft.com/en-us/library/cc263318.aspx.
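As an added example (not part of the original post), here is how the two most useful of those properties are applied to one web application from PowerShell. Everything below is an assumption for illustration: the stsadm.exe path, the web application URL and the group DN in the LDAP filter. Values for the boolean properties are given as yes/no, and every People Picker property is set per web application with -url.

```powershell
# Added example: restrict People Picker on one web application with stsadm.exe
# (WSS 3.0 SP1 / MOSS 2007 SP1). Path, URL and the group DN are assumptions.
$stsadm = "$env:CommonProgramFiles\Microsoft Shared\web server extensions\12\BIN\stsadm.exe"
$webApp = "http://portal.contoso.local"   # assumed web application URL

# 1. Record the current (default) values before changing anything.
foreach ($p in 'peoplepicker-onlysearchwithinsitecollection',
               'peoplepicker-searchadcustomfilter',
               'peoplepicker-searchadforests') {
    & $stsadm -o getproperty -propertyname $p -url $webApp
}

# 2. Search only among people who already have access to the site collection.
#    The directory-wide 'a' search from aclinv.aspx then returns site members only.
& $stsadm -o setproperty -propertyname peoplepicker-onlysearchwithinsitecollection `
          -propertyvalue yes -url $webApp

# 3. If directory search has to stay on for some web applications, narrow it with
#    an LDAP filter instead of exposing the whole forest (group DN is assumed).
& $stsadm -o setproperty -propertyname peoplepicker-searchadcustomfilter `
          -propertyvalue "(&(objectCategory=person)(memberOf=CN=SharePoint Users,OU=Groups,DC=contoso,DC=local))" `
          -url $webApp

# 4. Verify what is now in effect.
& $stsadm -o getproperty -propertyname peoplepicker-onlysearchwithinsitecollection -url $webApp
& $stsadm -o getproperty -propertyname peoplepicker-searchadcustomfilter -url $webApp
```

Step 2 is the one that addresses the enumeration described above; step 3 is the fallback for web applications where site owners genuinely need to pick people who are not yet members. Note that both are per web application, so repeat them for each one you want to harden.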
Deny access to /_layouts/aclinv.aspx
It would also be a good idea to deny access to /_layouts/aclinv.aspx. For some reason SharePoint doesn't have a built-in authorization check for this application page like it has for settings.aspx. One approach is to filter access to this page on the border firewall or reverse proxy (ISA Server, for instance); keep in mind that this only helps for users coming in from outside, as a packet filter cannot match on URLs and internal users still reach the page directly.
Alternatively, brewing your own HTTP handler or module to filter out requests for the page is also a viable option. See this article for more details: http://msdn.microsoft.com/en-us/library/bb457204.aspx
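Whichever of the two you choose, you want a repeatable way to prove that a plain site member no longer gets the page. The following PowerShell (2.0 or later) check is an added example, not code from the original post: it requests /_layouts/aclinv.aspx as a low-privileged test account and reports the HTTP status. The site URL and the CONTOSO\reader account are assumptions; use a real account that has only Read permission on the site.

```powershell
# Added check: can a low-privileged user still open /_layouts/aclinv.aspx?
# Run it before and after the firewall rule or HTTP module goes in.
# The site URL and test account below are assumptions.
function Test-AclInvExposure {
    param(
        [string]$SiteUrl,
        [System.Net.NetworkCredential]$Credential
    )
    $url = $SiteUrl.TrimEnd('/') + '/_layouts/aclinv.aspx'
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Credentials = $Credential     # NTLM/Kerberos as the low-privileged user
    $req.AllowAutoRedirect = $false    # a 302 to AccessDenied.aspx must count as blocked
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # 401/403 surface as exceptions; read the status from the attached response
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
        } else {
            throw
        }
    }
    if ($status -eq 200) {
        "EXPOSED  $url returned 200 for $($Credential.UserName)"
    } else {
        "blocked  $url returned $status for $($Credential.UserName)"
    }
}

$cred = Get-Credential 'CONTOSO\reader'   # assumed account with Read permission only
Test-AclInvExposure -SiteUrl 'http://portal.contoso.local/sites/team' `
                    -Credential $cred.GetNetworkCredential()
```

Run it once from the internal network and once through the external entry point: a firewall rule will typically only turn the external run into "blocked", whereas an HTTP module blocks both.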
Modify /_layouts/aclinv.aspx
You should know that modifying anything underneath /_layouts/ probably breaks any support, and that service packs and hotfixes overwrite the files in that folder, so proceed with caution and keep a copy of your change.
Modifying aclinv.aspx has its advantages too. This is the control in aclinv.aspx that renders People Picker:
<wssawc:PeopleEditor
    AllowEmpty="false"
    ValidatorEnabled="true"
    id="userPicker"
    runat="server"
    ShowCreateButtonInActiveDirectoryAccountCreationMode="true"
    SelectionSet="User,SecGroup,SPGroup"
/>
Several properties exist that can help in securing the People Picker functionality:
- ValidatorEnabled [true, false]: Set to false to disable validation of user accounts
- Rows [#]: Set to 1 to limit the entry box to a single row and so discourage adding many users at once
- ShowButtons [true, false]: Set to false to hide the two functional buttons (Check Names and the address book browser)
- ValidateResolvedEntity [true, false]: Set to false to prevent validation of a resolved entity
- UrlZone [Custom, Intranet, Extranet, Internet, Default]: Specify which zone (AAM) is used for this control. It might be handy to set this to Intranet
Hope this helps :)
A company in Finland called Humeko Ltd is now offering a free one-month trial of OCS 2007 services for companies. See the full announcement here: http://www.humeko.com/news_20071119.htm (in Finnish only, sorry).
What they'll provide is an interesting package for a fairly cheap price: OCS 2007 (Standard) services including IM, Presence and audio/video conferencing for users, 6,95 eur/month/user. Enterprise gives you Web conferencing on top of that (Live Meeting) for 13,95 eur/month/user.
Great to see OCS gaining more ground!
Oftentimes when deploying OCS 2007 to complex environments something doesn't work as expected. Even more often the culprit is either a certificates issue or AD (and thus, often a DNS) issue.
One of my colleagues had problems connecting Office Communicator to OCS 2007 through the Access Edge. So the workstation was outside the company's LAN (and AD), and was running Windows Vista with Internet Explorer 7.0. Most companies choose to deploy OCS 2007 with private certificates, i.e. generating their own rather than shelling out the hard-earned dollars to companies like Verisign.
The problem here is that while the workstation is able to connect, you will see a problem with authentication. Debugging this through the OCS 2007 Logging Tool (which, I might add, is excellent) it all boils down to certificate problems: the client cannot obtain the CRL (Certificate Revocation List), typically because the CRL distribution point named in a private CA's certificate is only reachable from inside the LAN, and IE7 enforces the revocation check by default.
Fix? Uncheck the "Check for server certificate revocation" option from IE7 > Tools > Internet Options > Advanced. Bear in mind that this turns revocation checking off for everything on that workstation, not just Communicator, so treat it as a way to confirm the diagnosis; the durable fix is to publish the CRL on an HTTP location that external clients can reach (and to put that URL in the CRL Distribution Points extension of the certificates the Edge presents).
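To confirm the diagnosis before weakening the browser's settings, it helps to look at what the Edge certificate actually says and whether its CRL can be fetched from the outside. This PowerShell (2.0 or later) check is an added example and not code from the original post; it connects to the Edge, reads the CRL Distribution Points extension (OID 2.5.29.31) from the presented certificate and tries to download each HTTP CRL. The host name sip.contoso.com and port 443 are assumptions. certutil -verify -urlfetch <cert.cer> does a similar job from the command line if you already have the certificate file.

```powershell
# Added check: is the CRL of the certificate presented by the Access Edge
# reachable from this (external) workstation? Edge FQDN/port are assumptions.
function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any server certificate here: we only want to read its extensions.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close(); $client.Close()
    return $cert
}

function Test-CrlReachable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 = CRL Distribution Points; Format($true) renders it with URL= lines
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return "no CDP extension: nothing to fetch, revocation cannot be checked" }
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value }
    foreach ($u in $urls) {
        if ($u -notmatch '^https?://') {
            "skipped     $u (not HTTP; an external client cannot use LDAP CDPs)"
            continue
        }
        try {
            $bytes = (New-Object System.Net.WebClient).DownloadData($u)
            "reachable   $u ($($bytes.Length) bytes)"
        } catch {
            "UNREACHABLE $u : $($_.Exception.Message)"
        }
    }
}

$cert = Get-ServerCertificate -HostName 'sip.contoso.com' -Port 443   # assumed Edge FQDN
"Subject: $($cert.Subject)"
"Issuer:  $($cert.Issuer)"
Test-CrlReachable -Cert $cert
```

If every URL comes back UNREACHABLE from the outside while the same script succeeds on the LAN, you have found the cause, and the right place to fix it is the CA's CDP publication, not the client.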
..and missing those fancy ADUC (Active Directory Users and Computers) controls for enabling users for your pool? Fear not, just run this to get them visible:
mmc /32 dsa.msc. On x64 Windows the OCS 2007 ADUC extensions are 32-bit only, so they only show up when the console is loaded in the 32-bit MMC. Yeah, I'm a keyboard junkie amongst other vices, but this was something I really needed to troubleshoot for a sec. It seems every day is a learning day!
I, for one, have been struggling a bit when it comes down to understanding what's happening with OCS 2007 (Office Communications Server 2007, RTM'd some time ago). Having played with LCS 2005 (Live Communications Server 2005) quite a bit, I've been eagerly waiting for the first stable betas and release candidates of its successor.
Here is my attempt to explain OCS 2007 (Standard Edition) in 10 insights from the field:
10. Can be deployed with SQL Express on the same box - scales somewhat worse but is easier to set up for demo/trial/customer case environments. This is what I use in my daily work
9. Office Communicator 2.0, Office Communicator Mobile 2.0, Microsoft Tanjay/Catalina phones and Communicator Web Access are all good ways of using OCS. Most people will be happy with MOC (Microsoft Office Communicator 2.0), yet one should really take a look at the mobile client for Windows Mobile 5/6 - it's hugely useful when out of the office. Remember to export your cert chain for this to work.
8. It all boils down to two main support vehicles - Active Directory and Certificate Services. Learn these, and use these for debugging (via the excellent OCS Logging Tool running with Powershell)
7. Start your OCS 2007 deployment with the central server (i.e. the first box that's going to host your IM/Presence roles of OCS), and go for the Edge Services last. They are always the hardest to set up, and often require quite a lot of troubleshooting with certificate issues.
6. If possible, avoid using third-party certificates. The process is a hassle, and not really worth the headaches. The one place to reconsider is the external interface of the Access Edge: remote and federated clients have to trust the issuer, so with a private CA you must get your root certificate onto every external client (see insight 9), which is rarely practical beyond your own managed devices.
5. Need to build a demokit/playground for OCS 2007? Here's my recommendation: Use whatever virtualization solution you prefer (read: Virtual PC 2007), and set up 3 virtual servers:
- Active Directory + Certificate Services -server
- OCS 2007 Standard (all core roles) + Exchange 2007 Unified Messaging
- OCS 2007 Standard (Edge/Mediation/CWA)
In addition use the host as a client for
- Roundtable
- SIP 2.0-phones (such as Cisco, Nokia and Nortel)
- Microsoft Tanjay/Catalina-phones
- Office Communicator
- Outlook 2007 for voice mailbox access
- VoIP Gateway (such as AudioCodes and Dialogic)
Make sure to enable Intel VT (Intel Virtualization Technology) in the BIOS if your host supports it, and make sure that VPC 2007 is configured to use it.
4. Exchange 2007 UM (Unified Messaging) is easy to configure, but has a crappy interface for doing that. Just go out of your comfort zone for a sec, and use the command-line tools to do it. It's worth it.
3. OCS 2007 Guides are essential - Planning Guide is truly good, yet a few topics are not really described in detail, so prepare for some research during deployment
2. Check, double-check, triple-check and have someone else check that your DNS zones and records are properly set up. "Whoops, I missed the underscore" is a quite common problem. Oh yeah, the RPC endpoint mapper (port 135/TCP) and the dynamic RPC ports used for AD traffic (1025 and 1026, TCP and UDP, in my environment; on Windows Server 2003 the dynamic range is 1025-5000 unless you restrict it) are needed as well.
1. OCS 2007 is all about infrastructure! the rest is just persistence.
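Insight 2 above is the one most easily turned into a check. The following PowerShell script is an added example (not from the original post) that resolves the SRV records Communicator relies on for automatic sign-in and compares the ports to the OCS 2007 defaults: _sipinternaltls._tcp on 5061 for internal clients, _sip._tls on 443 for external clients via the Access Edge, and _sipfederationtls._tcp on 5061 if you federate. The SIP domain contoso.com is an assumption; the records must live in the zone of the SIP domain (the part after @ in the user's SIP URI), which is not necessarily your AD domain.

```powershell
# Added check: verify the SRV records Communicator uses for automatic sign-in,
# underscore included. SIP domain is an assumption; ports are the OCS 2007 defaults.
function Get-SrvRecord {
    param([string]$Name)
    # nslookup prints "svr hostname = target" and "port = n" for an SRV answer
    $text = nslookup -type=SRV $Name 2>&1 | Out-String
    if ($text -match 'svr hostname\s*=\s*(\S+)') {
        $target = $Matches[1]
    } else {
        return $null
    }
    $port = $null
    if ($text -match 'port\s*=\s*(\d+)') { $port = [int]$Matches[1] }
    New-Object PSObject -Property @{ Name = $Name; Target = $target; Port = $port }
}

$sipDomain = 'contoso.com'   # assumed SIP domain (the domain part of the SIP URI)
$checks = @(
    @{ Name = "_sipinternaltls._tcp.$sipDomain";   Port = 5061 },  # internal clients
    @{ Name = "_sip._tls.$sipDomain";              Port = 443  },  # external clients -> Access Edge
    @{ Name = "_sipfederationtls._tcp.$sipDomain"; Port = 5061 }   # federation, if used
)
foreach ($c in $checks) {
    $r = Get-SrvRecord -Name $c.Name
    if (-not $r) {
        "MISSING  $($c.Name)  (underscore present? record in the SIP domain's zone, not the AD zone?)"
    } elseif ($r.Port -ne $c.Port) {
        "PORT?    $($c.Name) -> $($r.Target):$($r.Port), expected $($c.Port)"
    } else {
        "ok       $($c.Name) -> $($r.Target):$($r.Port)"
    }
}
```

Run it on an internal workstation and on one outside the LAN: the internal record should resolve only inside, the _sip._tls record must resolve from the outside, and the target host name of each record must itself resolve and match the name on the certificate that server presents.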
One of the 'perks' at Microsoft is the ability to dogfood things - i.e. installing every piece of alpha, beta, gamma and whatnot version of software that interests you. And then observing if your laptop still boots, or not.
I was asked recently "What's a good antivirus/antispyware software for a small company?". My obvious answer, which came out in 2 seconds, was of course "Forefront products!", but remembering this company had mostly laptops, I chose to recommend/insinuate that Windows Live OneCare 2.0 (http://get.live.com/) might be worth looking at. I've had the habit of skipping most of Microsoft's consumer products because I don't have the need for them personally.
Installation of OneCare 2.0 beta is fairly straightforward - setup -> next -> next -> restart. Since I already had another antivirus on my laptop I disabled that before restarting - just to avoid any additional problems.
After reboot OneCare shows a panel with a risk-factor of "good". Great!
Next, one needs to set up subscription - pay something to get updates. Long story short, I'm not only $49,95 poorer but my subscription doesn't work. It's good that the billing process works, yet I didn't receive the key to actually activate my subscription.
Bypassing this slight annoyance, next I need to connect my OneCare to other PC's in my circle. Obviously since I'm running a beta software I don't need to connect this anywhere - and I couldn't find a way to disable the nagging about connecting this machine URGENTLY to my OneCare circle. No thanks.
Finally, I've got the third urgent (!) message of backing up my PC. Since my subscription is not valid (yet, anyway) I can't use online backup. I do however have a 2 GB memory stick (with a fancy Vista-sticker, which makes it faster) that I tried to use as a backup media. After carefully selecting which files to backup, I get "Unknown error" when trying to schedule or initiate the backup.
I do have protection now, but with 3 red warnings throughout the OneCare console, and "YOU ARE AT RISK" everywhere. I guess I'm still not ready for consumer products.
I just got a note that the following migration tools for Microsoft Office SharePoint Server 2007 (MOSS) and Microsoft SharePoint Portal Server 2003 (SPS) have been released via CodePlex:
Check out the project's homepage at http://www.codeplex.com/SPMigration/.
It's possible to upgrade your existing Release Candidate installation of OCS 2007 to RTM. Alternatively you can do a clean installation (RTM bits here and Office Communicator bits here). Should you go ahead with the upgrade, here are a few tips you should keep in mind:
- Release Candidate upgrades to RTM only if you have the Volume License (VL) bits - and really, the bits, not just the license
- Evaluation (trial) license does not upgrade to MSDN RTM - at least, it's not tested
- Release Candidate does not upgrade to MSDN RTM
I find it almost always easier to start from a clean installation rather than do upgrades, but in certain scenarios it's often necessary to perform a direct in-place upgrade.
Recently I was working with a customer, where we had to deploy Office Communications Server 2007 (Release Candidate at the time) to their production environment. As it turned out when setting up Access Edge-role in their DMZ, remote Office Communicator (MOC) clients couldn't connect to it. At first we thought it was a certificate issue because of all the hassle you have with setting up MTLS, TLS and SSL-certificates to get OCS 2007 fully deployed.
Finally we tried tweaking the client. By default, MOC is configured to contact OCS via TLS, so it should use port 443/TCP; the port clients connect to is something you specify on the Access Edge (5061/TCP or 443/TCP). As it turned out, due to a feature, bug or the position of the stars, if the MOC client is unmanaged you need to specify the port explicitly in the External Address: selecting the TLS/TCP radio button is not enough. The correct value is then: ocs-edge-server.domain.com:443.
I'll keep you posted with additional OCS 2007 tips from the field.
OCS 2007 (Office Communications Server 2007), which was just released to RTM, finally has Live Meeting Conferencing built-in. You can use the Live Meeting client or the web frontend to attend your meetings. Because of the nature of OCS, you can deploy all services internally and expose selected services to external users (even for federated users) through your DMZ.
The challenge here is that when you deploy Live Meeting client centrally through SMS or Active Directory, you would need to specify what is the internal server for LAN users, and what is the external server for roaming users. Actually there's a switch for that in the GPO template but it only affects Office Communicator 2007 client, not Live Meeting.
So here's the fix:
Specify the values in registry:
HKEY_CURRENT_USER\Software\Microsoft\Shared\UcClient\ServerAddressExternal
HKEY_CURRENT_USER\Software\Microsoft\Shared\UcClient\ServerAddressInternal
Push these out with your GPO (a Group Policy Preferences registry item or a logon script, since they live under HKEY_CURRENT_USER), and roll it out to your client workstations - works like a toilet in the train (bad Finnish humor, I know)!
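As an added example (not code from the original post), here is the equivalent written as PowerShell for one user profile, which is also a convenient way to test the values before putting them into a policy. It ties in the earlier finding about unmanaged clients: the external address is rejected unless it carries an explicit :443 or :5061, so the GPO never ships a value the Edge will not accept. The pool and Edge host names are assumptions.

```powershell
# Added example: write the UcClient server addresses for the current user and
# insist on an explicit port in the external one. Host names are assumptions.
$key = 'HKCU:\Software\Microsoft\Shared\UcClient'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

$internal = 'ocs-pool01.contoso.local'          # assumed internal OCS server FQDN
$external = 'ocs-edge-server.domain.com:443'    # Access Edge external FQDN, port explicit

# The Access Edge listens for clients on 5061 or 443; an unmanaged client does not
# infer the port from the TLS setting, so refuse a value without one.
if ($external -notmatch ':(443|5061)$') {
    throw "External address '$external' must end in :443 or :5061"
}

Set-ItemProperty -Path $key -Name ServerAddressInternal -Value $internal -Type String
Set-ItemProperty -Path $key -Name ServerAddressExternal -Value $external -Type String

# Read back exactly what the Live Meeting client will see.
Get-ItemProperty -Path $key | Select-Object ServerAddressInternal, ServerAddressExternal
```

Once the values behave on a test workstation, move the same two string values into the policy; the script is only a stand-in for what the GPO will write.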