Roux Visser’s SharePoint Blog

29/01/2009

Configure additional admin settings

Filed under: SharePoint Configuration, SharePoint 2007 — Roux Visser @ 11:04 pm

After you have deployed SharePoint Server, there are some additional settings that you need to configure. Perform these tasks to take full advantage of the SharePoint 2007 administrative features:

  • Email Settings:
    • Incoming:

Configuring the server for incoming e-mail lets you take advantage of the following SPS 2007 features:

  • SharePoint sites can accept and archive incoming e-mail.
  • SharePoint sites can archive e-mail discussions as they happen, save e-mailed documents, and show e-mailed meetings on site calendars.
  • In addition, configure the SharePoint Directory Management Service for e-mail distribution list creation and management.
    • Outgoing:

Configure an outgoing SMTP e-mail server to enable SPS 2007 to send notifications and alerts to site users and administrators. You can configure the “From” and “Reply to” e-mail addresses for outgoing e-mail.

  • Create SharePoint sites: Create more SharePoint sites and Web applications if your site design requires multiple sites or multiple Web applications.
  • Diagnostic logging settings: To help with troubleshooting, configure the various logging and diagnostics settings, including trace logs, event messages, user-mode error messages, and Customer Experience Improvement Program events.
  • Configure antivirus protection settings: Configure the antivirus settings for the server to enable virus scanning of document uploads and downloads, and configure the virus-scanning timeout and the number of execution threads used for antivirus. A SharePoint Server 2007-compatible antivirus program is required for this.
  • You can use the following procedure to configure optional administrative settings using SharePoint Central Administration.

Configure administrative settings using SharePoint Central Administration

  • Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
  • On the SharePoint Central Administration home page, under Administrative Tasks, click the administrative task you want to perform.
  • On the Administrative Tasks page, next to Action, click the task.

Configure Alternate Access Mappings

Filed under: SharePoint Configuration, SharePoint 2007 — Roux Visser @ 11:00 pm

If you installed and configured Office SharePoint Server 2007 on a single front-end server, and a user browses to your server, the server will render the content that is in your Web application. However, if you added subsequent front-end servers to your server farm, the newly-added servers will not have alternate access mappings configured to your Web application. To map newly-added front-end servers to your existing Web application, you need to configure alternate access mappings.

Before you configure alternate access mappings, install and configure Office SharePoint Server 2007 on all of the front-end servers that you want to add to your server farm, and make sure that the servers are joined to your server farm. See “Run Windows SharePoint Services Setup” and “Run the SharePoint Products and Technologies Configuration Wizard” for information about installing and configuring Office SharePoint Server 2007. 

To configure alternate access mappings

  1. On the SharePoint Central Administration home page, click the Operations tab.
  2. On the Operations page, in the Global Configuration section, click Alternate access mappings.
  3. In Alternate Access Mapping Collection, click Change Alternate Access Mapping Collection.
  4. In the Select an Alternate Access Mapping Collection dialog box, click the Web application that you want to modify. If you have created only one Web application, and you specified port 80 for the Web application, the Web application should be listed as SharePoint (80).
  5. Click Edit Outbound URLs, and verify that your Web application is listed in the Default zone for outbound URLs. The outbound URL is the URL that you want users to use to access your Web application.

Note: If you have a load-balanced configuration with a host name, add the host name to the Outbound URL for the Default zone.

  6. Click Save.
  7. Click Add Incoming URLs.
  8. On the Add Incoming URLs page, in New default zone URL protocol, host and port, type the URL for the server that you want to map to your Web application. Typically, this is http://servername:portnumber.
     Note: If you have a load-balanced configuration, you should add the server name of each of your front-end Web servers to the list of internal URLs. This will allow each of your Web servers to reach the content in your common Web application. Also, make sure the zone you selected for the incoming URL matches the zone of the outbound URL for the load balancer. You can have multiple incoming URLs associated with a single outbound URL.
  9. In Zone, make sure that Default is selected.
  10. Click Save.
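To make the mapping rules concrete, here is a small Python model of one alternate access mapping collection. It is an added example, not SharePoint code and not code from this post: each incoming (internal) URL is matched on scheme, host and port and resolves to a zone, every zone has one outbound (public) URL, and links in rendered pages are built on that public URL. The server names intranet, wfe1 and wfe2 are constructed, and the model leaves out the real feature's five fixed zones and path handling.

```python
# Added example (not from the post): a model of how alternate access mappings
# resolve an incoming request URL to a zone and that zone's public URL.
from urllib.parse import urlsplit


def _origin(url):
    """Normalise a URL to (scheme, host, port); mappings match on this, not on paths."""
    parts = urlsplit(url.strip().lower())
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, port


class AlternateAccessMappings:
    """One mapping collection, i.e. the mappings of one Web application."""

    def __init__(self):
        self.public_urls = {}    # zone -> outbound (public) URL users should see
        self.internal_urls = {}  # (scheme, host, port) -> zone

    def set_public_url(self, zone, url):
        """Define the outbound URL for a zone (the URL users are meant to use)."""
        self.public_urls[zone] = url.rstrip("/")
        # The public URL is always accepted as an incoming URL for its own zone.
        self.internal_urls[_origin(url)] = zone

    def add_internal_url(self, url, zone):
        """Map an incoming URL (e.g. one front-end server's own name) to a zone."""
        if zone not in self.public_urls:
            raise ValueError(f"zone {zone!r} has no public URL; set it first")
        self.internal_urls[_origin(url)] = zone

    def resolve(self, request_url):
        """Return (zone, public_url) for a request, or None when no mapping
        matches, which is the state of a freshly added front-end server."""
        zone = self.internal_urls.get(_origin(request_url))
        if zone is None:
            return None
        return zone, self.public_urls[zone]

    def rewrite_link(self, request_url, path):
        """Absolute link a page served for request_url would carry for path.
        It is built on the zone's public URL, so a user who came in through the
        load balancer is never handed a link to a single front-end server."""
        resolved = self.resolve(request_url)
        if resolved is None:
            return None
        return resolved[1] + "/" + path.lstrip("/")


def build_load_balanced_farm():
    """Constructed farm: public name 'intranet', two front-end servers behind it,
    both mapped into the Default zone as the post's note requires."""
    aam = AlternateAccessMappings()
    aam.set_public_url("Default", "http://intranet")
    for wfe in ("wfe1", "wfe2"):
        aam.add_internal_url(f"http://{wfe}", "Default")
    return aam


if __name__ == "__main__":
    farm = build_load_balanced_farm()
    print(farm.resolve("http://wfe2/sites/hr/default.aspx"))   # Default zone
    print(farm.rewrite_link("http://wfe1/", "/sites/hr"))       # public link
    print(farm.resolve("http://wfe3/"))                         # unmapped server
```

A request arriving at a server name that has no incoming URL resolves to nothing, which is why each newly added front-end server has to be added to the collection before it can serve the Web application.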

Configure Excel Calculation Services

Filed under: SharePoint Configuration, SharePoint 2007 — Roux Visser @ 10:57 pm

To take full advantage of the business intelligence capabilities of Office SharePoint Server 2007 you need to start and configure Excel Calculation Services. Instructions for doing this are provided below.

Note: Excel Services is only available if you use a product key that activates the Enterprise version of Office SharePoint Server 2007. 

Start and configure Excel Calculation Services

  1. On the SharePoint Central Administration home page, click Administrative Tasks.
  2. On the Administrative Tasks page, click Add Excel Services Trusted Locations.
  3. On the Add Excel Services Trusted Locations page, in Action, click Add Excel Services Trusted Locations.
  4. On the Excel Services Trusted File Locations page, click Add Trusted File Location.
  5. In the Location section, in Address, type the address of the trusted file location. It is recommended that the trusted file location be an Office SharePoint Server 2007 site, but you can also specify universal naming convention (UNC) paths or HTTP Web sites.
  6. In Location Type, click Windows SharePoint Services if you specified an Office SharePoint Server 2007 site, click UNC if you specified a UNC path, or click HTTP if you specified an HTTP Web site.
  7. In the External Data section, in Allow External Data, select the trust level for external data sources that you want to enable by doing one of the following:
  • Click None to prevent Excel Calculation Services from processing connections to any external data connection.
  • Click Trusted data connection libraries only to prevent Excel Calculation Services from processing connections to external data sources that are embedded within workbooks. This setting permits Excel Calculation Services to process links to trusted data connection libraries.
  • Click Trusted data connection libraries and embedded to permit Excel Calculation Services to process direct connections to external data sources that are embedded within workbooks. This setting also permits Excel Calculation Services to process links to trusted data connection libraries.

Configure Single Sign-On

Filed under: SharePoint Configuration, SharePoint Errors, SharePoint 2007 — Roux Visser @ 10:53 pm

To configure Single Sign-On, follow these steps:

  • Create a new domain service account for running the SSO service.
  • Change the SSO service’s identity to the new service account from the Services console.
  • Add the SSO service account as a farm administrator by using the “Update farm administrator’s group” link in SharePoint Central Administration.
  • Right-click the Internet Explorer shortcut, select “Run As”, and provide the credentials for the service account. Open SharePoint Central Administration using this IE window.
  • Set up SSO using this IE window.
  • Remove the SSO service account from the farm administrators group.

Common Issues:

You cannot configure single sign-on settings for a server in your server farm deployment of Microsoft Office SharePoint Portal Server 2003. You specify single sign-on settings for the server on the Manage Server Settings for Single Sign-On page of SharePoint Portal Server Central Administration. After you do this, when you click OK, you receive the following error message:

You do not have the rights to perform this operation.

To resolve this issue, make sure that the user account that you configure the Microsoft Single Sign-On Service to log on as meets the following requirements:

  • The user account is the same account that is configured as the single sign-on administrator account, or the user account is a member of the group account that is the single sign-on administrator account.
  • The user account is a member of the STS_WPG local group on all servers that are running SharePoint Portal Server 2003 in the server farm.
  • The user account is a member of the SPS_WPG local group on all servers that are running SharePoint Portal Server 2003 in the server farm.
  • The user account is a member of the public database role on the configuration database.
  • The user account is a member of the serveradmin fixed server role in the instance of Microsoft SQL Server where the single sign-on database is located.

Note: In a single-server deployment of SharePoint Portal Server 2003, if the Microsoft Single Sign-On Service runs under an account that is a member of the local Administrators group, the user account does not have to be a member of either of the following roles:

  • The public database role
  • The serveradmin fixed server role

However, we recommend that you do not configure the Microsoft Single Sign-On Service to run as a member of the local Administrators group.

Note: Other issues include:

  • IIS service account settings that must be configured manually in IIS.
  • A bug that requires a Microsoft registry fix (caused by Windows Installer 3.1 being installed).

Create a Site Collection for Web App

Filed under: SharePoint Configuration, SharePoint 2007 — Roux Visser @ 10:48 pm

  1. On the Create Site Collection page, in the Title and Description section, in Title, enter a title for the new site.
  2. In Description, enter a description of the site collection.
  3. In the Web Site Address section, click Create site at this URL, and in URL path click (root).
     It is most common to create a site collection at the root; however, you can create a site collection at a specific URL path.
  4. In the Primary Site Collection Administrator section, in User name, type the user name of the site collection administrator. This can be the same user account that you specified as the Office SharePoint Server 2007 service account, but you should follow the principle of least privilege and use a user account that does not have administrative privileges or rights on your front-end or back-end servers.
  5. In the Quota Template section, select a predefined quota template to limit resources used for this site collection.
     Note: You can also select No Quota, thereby allowing this site collection to use any available resources.
  6. In the Template Selection section, click the Publishing tab, and then click Corporate Intranet Site.
  7. Click OK to create the site collection with the attributes you specified. Upon successful completion, a Top-Level Site Successfully Created page appears.
  8. Click OK to return to the SharePoint Central Administration home page, or click the http://ComputerName link to go to your new SharePoint site home page.

Create a Web Application and Site

Filed under: SharePoint Configuration, SharePoint 2007 — Roux Visser @ 10:43 pm

Create a Web application for your SharePoint site

On the SharePoint Central Administration home page, click the Application Management tab on the top navigation bar.

  1. In the SharePoint Web Application Management section, click Create or extend Web application.
  2. On the Create or Extend Web Application page, click Create a new Web Application.
  3. On the Create New Web Application page, in the IIS Web Site section, click Create a new IIS web site, and change the port setting to port 80. This will allow you to access your site by typing http://ServerName. If you use a nonstandard port number you will have to include the port number in the URL to access your site (for example, http://ServerName:port).
  4. In the Security Configuration section, under Authentication provider, select the appropriate option for your environment, and do not modify any other settings in this section.

Note: By default, the authentication provider is set to NTLM.

  5. In the Load Balanced URL section, do not modify the default settings.
  6. In the Application Pool section, select Create new application pool, and use the default settings for the application pool name.
  7. Click Configurable, and in User name and Password, type the user name and password for the user account under which you want the application pool to run. The user account does not have to be a member of any particular security group. It is recommended that you use the principle of least privilege and select a unique user account that does not have administrative rights on your front-end servers or on your back-end database servers. You can use the user account that you specified as the Office SharePoint Server 2007 service account; however, if that user account is a member of a security group that has administrative rights on your front-end servers or your back-end database servers, you will not be following the principle of least privilege. The user name must be in the format DOMAIN\username.
  8. In the Database Name and Authentication section, verify the database information and ensure Windows Authentication (recommended) is selected.
  9. In the Search Server section, do not modify the default settings.
  10. Click OK.
  11. On the Application Created page, which appears after successful creation of the Web application, click Create a new Windows SharePoint Services site collection.

Create and configure a site

After you configure services in your server farm, you can create a Web application and a site collection. You should create the Web application on the first server on which you installed Office SharePoint Server 2007 (in other words, the same server that is running the SharePoint Central Administration service).

The SharePoint Central Administrator Configurations

Filed under: SharePoint Configuration, SharePoint Guides, SharePoint 2007 — Roux Visser @ 08:57 pm

Once SharePoint has been installed, it is time to configure the services and settings for your SharePoint farm. The following post outlines Microsoft best practices for doing so.

Notes

  • If you are prompted for your user name and password, you might need to add the SharePoint Central Administration site to the list of trusted sites and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the next set of steps.
  • If you see a proxy server error message, you might need to configure your proxy server settings so that local addresses bypass the proxy server. Instructions for configuring this setting are provided later in this section.

Add the SharePoint Central Administration site to the list of trusted sites

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted Sites, and then click Sites.
  3. Clear the Require server verification (https:) for all sites in this zone check box.
  4. In the Add this Web site to the zone box, type the URL for the SharePoint Central Administration site, and then click Add.
  5. Select the Require server verification (https:) for all sites in this zone check box.
  6. Click Close to close the Trusted Sites dialog box.
  7. Click OK to close the Internet Options dialog box.

Configure user authentication settings for trusted sites

  1. In Internet Explorer, on the Tools menu, click Internet Options.
  2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted sites, and then click Custom Level.
  3. In the Settings list box, under User Authentication, click Automatic logon with current username and password.
  4. Click OK twice.

Note: If you do not want to add the SharePoint Central Administration site to the list of trusted sites, but you do not want to be prompted for your user name and password every time you access the SharePoint Central Administration site, you can instead add the SharePoint Central Administration site to the Local intranet zone. If you do this, you must enable the Automatic logon only in Intranet zone user authentication setting instead of the Automatic logon with current username and password user authentication setting. 

Configure 2007 Office SharePoint Server services

After you have installed and configured Office SharePoint Server 2007 on all of your front-end servers, you must configure Office SharePoint Server 2007 services. The services you need to configure depend on your server topology and the server roles you deploy. Use the following guidelines to determine which services you need to configure in your server farm.

  • Search and indexing servers: You must start and configure the Office SharePoint Server Search service on at least one of your front-end servers. This service provides search and indexing services. You can start and configure this service on any type of server, including a server that is acting as an application server and provides only Office SharePoint Server 2007 services, a server that is acting as both an application server and a Web server and provides both Office SharePoint Server 2007 services and Web services, or a server that is acting as a Web server and provides only Web services.
  • Web servers: The Web server role is implemented by IIS and the Windows SharePoint Services Web Application service. The Windows SharePoint Services Web Application service must be running on any server that acts as a Web server and renders Web content. This service is started by default on servers that you set up using the Web Front End option during Setup. If you set up a server using the Complete option during Setup, and you want that server to act as a Web server and render Web content, then you must start the Windows SharePoint Services Web Application service on that server.

In addition to configuring services on your front-end servers, you must create the Shared Services Provider (SSP). The SSP makes it possible to share the Office SharePoint Server 2007 services across your server farm. You must create the SSP before you can use it in a farm environment; Office SharePoint Server 2007 does not create the SSP by default in a farm environment.

The following procedures step you through the process of configuring Office SharePoint Server 2007 services, creating a Web application for the SSP, creating the SSP, and configuring indexing settings.

Start and configure the Search service

  1. On the SharePoint Central Administration home page, click the Operations tab on the top navigation bar.
  2. On the Operations page, in Topology and Services, click Servers in farm.
  3. On the Servers in Farm page, click the server on which you want to configure the search service.
  4. Click Start next to Office SharePoint Server Search.
  5. On the Office SharePoint Server Search Settings page, in the Query and Indexing section, make sure that the Use this server for indexing content and Use this server for serving search queries check boxes are selected.
  6. In the Default Catalog Location section, type a path to a physical folder to store the index files, or use the default location that is specified.
  7. In the Contact E-Mail Address section, specify a valid e-mail address.
  8. In the Service Account section, click Configurable, and in User name and Password, type the user name and password for the user account under which you want the Search service to run. The user account must be a member of the Administrators group on the computer that is running the Search service. If you want to use the principle of least privilege and select a unique user account that does not have administrative rights on your front-end servers or on your back-end database servers, see the Known Issues/Readme for Office SharePoint Server 2007 Beta 2. The user name must be in the format DOMAIN\username.
  9. In the Web Front End And Crawling section, do one of the following:
  • If you are configuring the search service on a server that provides Web services and renders Web content, click No dedicated Web front-end computer for crawling.
  • If you are configuring the search service on a server that is a standalone search server that does not provide Web services and render Web content, click Use a dedicated web front end computer for crawling, and then, in Select a web front end computer, click the computer you want to use for crawling.
  10. Click Start.

Start the Windows SharePoint Services Web Application service

You must start the Windows SharePoint Services Web Application service on every computer that you want to act as a Web server and was set up using the Complete option during Setup. This service is started by default on servers that were set up using the Web Front End option. To enhance security, you can leave this service turned off on application servers that do not provide Web content to client computers. Also, you do not need to turn this service on to use SharePoint Central Administration on a server.

  1. On the SharePoint Central Administration home page, click the Operations tab on the top navigation bar.
  2. On the Operations page, in Topology and Services, click Servers in farm.
  3. On the Servers in Farm page, click the server on which you want to start the Windows SharePoint Services Web Application service.
  4. Click Start next to Windows SharePoint Services Web Application.

Create the Shared Services Provider

  1. On the SharePoint Central Administration home page, click the Application Management tab on the top navigation bar.
  2. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm’s shared services.
  3. On the Manage this Farm’s Shared Services page, click New SSP.

Important: If you have not created a Web application for the SSP administration site, you need to create one before you create the SSP. If you have already created a Web application for the SSP administration site, skip to step 14.

  4. On the New Shared Services Provider page, click Create a new Web application.
  5. On the Create New Web Application page, in the IIS Web Site section, click Create a new IIS web site, and do not modify the default settings in this section.
  6. In the Security Configuration section, under Authentication provider, select the appropriate option for your environment, and do not modify the default settings in the remainder of this section.
  7. In the Load Balanced URL section, do not modify the default settings.
  8. In the Application Pool section, click Create new application pool.
  9. In Application pool name, enter the name of your application pool or use the default name.
  10. Click Configurable, and in User name and Password, type the user name and password for the user account under which you want the application pool to run. The user account does not have to be a member of any particular security group. It is recommended that you use the principle of least privilege and select a unique user account that does not have administrative rights on your front-end servers or on your back-end database servers. You can use the user account that you specified as the Office SharePoint Server 2007 service account; however, if that user account is a member of a security group that has administrative rights on your front-end servers or your back-end database servers, you will not be following the principle of least privilege. The user name must be in the format DOMAIN\username.
  11. In the Database Name and Authentication section, verify the database information and make sure that Windows Authentication (recommended) is selected.
  12. In the Search Server section, do not modify the default settings.
  13. Click OK. Upon successful creation of the Web application, the New Shared Services Provider page appears.

Note: If the Shared Services Provider was created successfully but cannot be displayed in your web browser, follow these steps to correct the issue:

This issue happens when you create all your sites in the same web application, which means they use the same port. These sites are:

  • Shared Service Provider Administration Site (Recommended to be called ‘SSPAdmin’)
  • My Site Host (Recommended to be called ‘MySite’)
  • The Main Intranet (or ‘Portal’) Site (Recommended to be called ‘Intranet’)

It is much simpler if all of these sites are on port 80 in IIS; this means that you do not have to remember to enter the port all of the time. However, having all three sites on port 80 means that each needs its own host header (required by IIS to differentiate between sites on the same port). The simplest way to do this is to create new ‘Host (A)’ records in DNS for each of your three sites. These should point to the IP address of your server; to do this, follow these steps:

  • Open the DNS Management tool from Administration Tools on your domain controller
  • Navigate to your DNS zone
  • Create new ‘Host (A)’ record
  • Enter the Host header (i.e. ‘SSPAdmin’, ‘MySite’ or ‘Intranet’) for the site and the IP address of your server
  • Click ‘Add Host’ and repeat for each of the three sites

Now that the DNS entries are configured, we can continue.

  14. In the SSP Name section, in Web Application, select the Web application that you created for the SSP, and do not modify any of the default settings in this section.
  15. In the My Site Location section, do not modify any of the default settings.
  16. In the SSP Service Credentials section, in User name and Password, type the user name and password for the user account under which you want the SSP to run. The user account does not have to be a member of any particular security group. It is recommended that you use the principle of least privilege and select a unique user account that does not have administrative rights on your front-end servers or on your back-end database servers. You can use the user account that you specified as the Office SharePoint Server 2007 service account; however, if that user account is a member of a security group that has administrative rights on your front-end servers or your back-end database servers, you will not be following the principle of least privilege. The user name must be in the format DOMAIN\username.
  17. In the SSP Database section, you can either accept the default settings (recommended), or specify your own settings for the database server, the database name, or the SQL authentication credentials.
  18. In the Search Database section, you can either accept the default settings (recommended), or specify your own settings for the search database server, the database name, or the SQL Server authentication credentials.
  19. In the Index Server section, in Index Server, click the server on which you configured the Search service.
      Note: If there is no index server listed in the Index Server section, then no server in your farm has been assigned the index server role. To assign the index server role to a server in your farm, follow the instructions in the “Configure the Search service” section earlier in this topic.
  20. In the SSL for Web Services section, click No.
  21. Click OK. Upon successful creation of the SSP, the Success page appears.
  22. On the Success page, click OK to return to the Manage this Farm’s Core Services page.

Configure indexing settings

  1. On the SharePoint Central Administration home page, click the Application Management tab on the navigation bar.
  2. On the Application Management page, in the Office SharePoint Server Shared Services section, click Create or configure this farm’s shared services.
  3. On the Manage this Farm’s Shared Services page, click SharedServices1.
  4. On the Shared Services Administration page, in Search, click Search Settings.
  5. On the Configure Search Settings page, in the Crawl Settings section, click Default content access account.
  6. In the Default content access account section, in Account, Password, and Confirm Password, type the user name and password for the user account that you want to use to crawl content on your sites. This account must be a domain user account. It is recommended that you use the principle of least privilege and select a unique user account that cannot modify content and does not have administrative rights on your front-end servers or on your back-end database servers. You can use the user account that you specified as the Office SharePoint Server 2007 service account; however, if that user account is a member of a security group that has administrative rights on your front-end servers or your back-end database servers, you will not be following the principle of least privilege. The user account that you specify will be added to the Web application Full Read policy for your farm. The user name must be in the format DOMAIN\username.
  7. Click OK.
  8. In the Crawl Settings section, click Content sources.
  9. On the Manage Content Sources page, click Local Office SharePoint Server sites.
  10. On the Edit Content Source page, in the Crawl Schedules section, under Full Crawl, click Create schedule.
  11. In the Manage Schedules dialog box, configure schedule settings for full crawls of your content, and then click OK.
  12. In the Crawl Schedules section, under Incremental Crawl, click Create schedule.
  13. In the Manage Schedules dialog box, configure schedule settings for incremental crawls of your content, and then click OK.
  14. In the Start Full Crawl section, select the Start full crawl of this content source check box, and then click OK.

Kerberos Authentication

Filed under: SharePoint Configuration, SharePoint 2007 — Roux Visser @ 07:19 pm

From Joel Oleson’s Blog (http://blogs.msdn.com/joelo/)

Configuring Service Principal Names (SPNs)

The first thing you need to do in order to enable Kerberos for SharePoint is configure Service Principal Names (SPNs) for your SharePoint service accounts in Active Directory. Here lies the first stumbling block… depending on your configuration it is very hard to figure out which SPNs need to be applied to which accounts.

If you are installing SharePoint properly, you’ll use the ‘least privilege account principle’; this basically means that each distinct service inside the SharePoint farm will have its own domain user account. These accounts should have the minimum privileges that they need to perform their jobs. There is a great document which goes into detail on each different account (8+ accounts) here, however in summary, you should have the following accounts:

  • SQL Server Service Account: Account used by SQL to run all SQL services

  • Server Farm Account

  • SSP Service Account

  • Office SharePoint Server Search Account

  • Default Content Access Account

  • User Profile and Properties Content Access Account

  • Excel Services Unattended Account

  • One account per application pool: This is typically three accounts; SSPAdministration, MySite and your main ‘Portal’ or ‘Intranet’.

SPNs are used by Kerberos to ensure that only certain accounts have permission to delegate a specific service on a user’s behalf. An SPN needs to be configured for each service and address that the account needs to delegate for. SPNs are configured by using SetSPN.exe (download here), which is a command-line tool provided as part of the Windows 2003 resource kit. This table outlines the commands that are required to create the right SPNs for each of the relevant SharePoint service accounts; however, please bear the following points in mind:

  • Some services require the fully qualified domain name (FQDN) even if your users only use the host name. For example, if users type http://portal to get to your main portal and your Active Directory domain is called Domain.local, then the FQDN is Portal.Domain.Local.

  • Some SPNs require the host name, which is the FQDN without the .domain.local bit on the end. In the example above, this would simply be portal.

  • For all user accounts you must include the domain prefix.

  • To make the table easier to understand, I have included an example for a single server farm in a domain called ‘Domain.local’ where the MOSS server is called ‘Server’ and I have three host headers for web applications which are called ‘My Site’, ‘Portal’ and ‘SSPAdmin’. The ‘least privilege account principle’ has been used in this example and the accounts are fairly descriptively named.

Each command is followed by notes on its placeholders and a worked example:

Setspn.exe -A HTTP/%SHAREPOINTSERVERFQDN% %SERVERFARMACCOUNT%

  • %SHAREPOINTSERVERFQDN% = the FQDN of your SharePoint server’s NetBIOS name (local machine name)
  • %SERVERFARMACCOUNT% = the Server Farm Account
  • Example: Setspn.exe -A HTTP/server.domain.local domain\serverfarm

Setspn.exe -A HTTP/%MYSITEURLFQDN% %MYSITEAPPPOOLACCOUNT%

  • %MYSITEURLFQDN% = the FQDN of the host header for the My Site Web Application
  • %MYSITEAPPPOOLACCOUNT% = the application pool account that the My Site web application uses
  • Example: Setspn.exe -A HTTP/mysite.domain.local domain\mysiteapppool or Setspn.exe -A HTTP/server.domain.local domain\mysiteapppool

Setspn.exe -A HTTP/%MYSITEURLHOST% %MYSITEAPPPOOLACCOUNT%

  • %MYSITEURLHOST% = the host name (i.e. without the .domain.local bit) for the My Site web application
  • %MYSITEAPPPOOLACCOUNT% = the application pool account that the My Site web application uses
  • Example: Setspn.exe -A HTTP/mysite domain\mysiteapppool or Setspn.exe -A HTTP/server domain\mysiteapppool

Setspn.exe -A HTTP/%PORTALURLFQDN% %PORTALAPPPOOLACCOUNT%

  • %PORTALURLFQDN% = the FQDN of the host header for the main portal or intranet Web Application
  • %PORTALAPPPOOLACCOUNT% = the application pool account that the Portal web application uses
  • Example: Setspn.exe -A HTTP/portal.domain.local domain\portalapppool

Setspn.exe -A HTTP/%PORTALURLHOST% %PORTALAPPPOOLACCOUNT%

  • %PORTALURLHOST% = the host name (i.e. without the .domain.local bit) for the Portal web application
  • %PORTALAPPPOOLACCOUNT% = the application pool account that the Portal web application uses
  • Example: Setspn.exe -A HTTP/portal domain\portalapppool

Setspn.exe -A HTTP/%SSPADMINURLFQDN% %SSPADMINAPPPOOLACCOUNT%

  • %SSPADMINURLFQDN% = the FQDN of the host header for the SSP Administration Web Application
  • %SSPADMINAPPPOOLACCOUNT% = the application pool account that the SSP Administration web application uses
  • Example: Setspn.exe -A HTTP/sspadmin.domain.local domain\sspadminapppool

Setspn.exe -A HTTP/%SSPADMINURLHOST% %SSPADMINAPPPOOLACCOUNT%

  • %SSPADMINURLHOST% = the host name (i.e. without the .domain.local bit) for the SSP Administration web application
  • %SSPADMINAPPPOOLACCOUNT% = the application pool account that the SSP Administration web application uses
  • Example: Setspn.exe -A HTTP/sspadmin domain\sspadminapppool
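The table above is easy to get wrong by hand, so here is an added example (my own code, not from this post or from Joel Oleson’s blog) that builds the same SPN plan from a short description of the farm and checks it for duplicate SPNs before anything is registered. The same SPN registered on two accounts is a classic cause of Kerberos failing outright, and the table’s alternative example (a web application served on the server name itself) is exactly the case that produces one. It uses the hypothetical farm from the table (domain.local, server, mysite/portal/sspadmin and the account names) and prints the Setspn.exe -A lines rather than running them.

```python
"""Build the Setspn.exe plan for a least-privilege MOSS farm and check it
for duplicate SPNs. Added example; not code from the original post.
Farm names (domain.local, server, mysite, portal, sspadmin and the
account names) are the hypothetical ones used in the table."""
from collections import defaultdict


def fqdn(host, dns_domain):
    """Return host.dns_domain in lower case, e.g. 'portal' -> 'portal.domain.local'."""
    return f"{host.lower()}.{dns_domain.lower()}"


def qualify(account, netbios_domain):
    """Prefix DOMAIN\\ if the account has no domain prefix (required for user accounts)."""
    return account if "\\" in account else f"{netbios_domain}\\{account}"


def spn_plan(dns_domain, netbios_domain, server, farm_account, web_apps):
    """Return a list of (spn, account) pairs.

    web_apps maps each web application's host header to its application
    pool account. Each web app gets two SPNs (FQDN and short host name);
    the server's own FQDN goes to the farm account.
    """
    plan = [(f"HTTP/{fqdn(server, dns_domain)}", qualify(farm_account, netbios_domain))]
    for host, account in web_apps.items():
        acct = qualify(account, netbios_domain)
        plan.append((f"HTTP/{fqdn(host, dns_domain)}", acct))
        plan.append((f"HTTP/{host.lower()}", acct))
    return plan


def duplicate_spns(plan):
    """Map each SPN that would land on more than one account to those accounts.

    With a duplicate SPN the KDC cannot issue a ticket that the right service
    can decrypt, so Kerberos to that service breaks; catch it before running setspn.
    """
    owners = defaultdict(set)
    for spn, acct in plan:
        owners[spn].add(acct.lower())
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}


def setspn_commands(plan):
    """Render the plan as the Setspn.exe -A lines shown in the table."""
    return [f"Setspn.exe -A {spn} {acct}" for spn, acct in plan]


if __name__ == "__main__":
    farm = spn_plan("domain.local", "domain", "server", "serverfarm",
                    {"mysite": "mysiteapppool", "portal": "portalapppool",
                     "sspadmin": "sspadminapppool"})
    for line in setspn_commands(farm):
        print(line)
    # A web app served on the server name itself (the table's alternative
    # example) collides with the farm account's SPN:
    clash = spn_plan("domain.local", "domain", "server", "serverfarm",
                     {"server": "mysiteapppool"})
    print("duplicates:", duplicate_spns(clash))
```

Run it with the real farm values before touching Active Directory; an empty result from duplicate_spns is the green light, and each web application that shares the server’s name rather than having its own host header will show up as a collision with the farm account.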

Trust for Delegation

In addition to setting the SPNs for each of your service accounts, you also need to trust each of the computer accounts and some of the service accounts for delegation. Trusting for delegation means that the accounts are allowed to delegate on a user’s behalf.

In order to trust for delegation you need to open Active Directory Users and Computers as a user with domain administration rights and follow these instructions:

  • Locate the account and click ‘Properties’

  • Navigate to the ‘Delegation’ tab

  • Choose ‘Trust this user/computer for delegation to any service (Kerberos)’

  • Repeat the process for each of the following:

    • MOSS Server (Computer Account)

    • SQL Server (Computer Account)

    • FarmService (User Account)

    • MySiteAppPool (User Account)

    • SSPAdminAppPool (User Account)

    • PortalAppPool (User Account)

Enable Kerberos on your web applications

In MOSS 2007, the switch between Kerberos and NTLM is very simple and is undertaken via Central Administration.

If you are creating your farm from scratch, be sure to set Central Administration itself to use Kerberos which you can set as part of the ‘SharePoint Products and Technologies Configuration Wizard’, however if the farm is pre-created you can easily enable Kerberos by following these steps:

  • Open Central Administration

  • Navigate to Application Management > Authentication Providers

  • Choose the web application you wish to configure from the drop-down in the top right corner (this includes the Central Administration web application)

  • Click on ‘Default’

  • Set the authentication to Negotiate (Kerberos)

  • Run IISRESET

Enable Kerberos on your SSP

In this step you enable Kerberos on your SSP. Follow these steps:

  • Open a Command Prompt and navigate to your ‘12\Bin’ directory (normally c:\program files\common files\microsoft shared\web server extensions\12\bin) 

  • Run ‘STSADM.exe -o SetSharedWebServiceAuthn -negotiate’

Component Services Configuration

This is one of the lesser documented steps. You need to set various permissions in Component Services. Follow these steps:

  • Open Component Services on the MOSS server

  • Navigate to Component Services > Computers > My Computer

  • Click on Properties (for My Computer) > Default Properties > Default Impersonation Level = Delegate (see http://support.microsoft.com/kb/917409)

  • Navigate to Component Services > Computers > My Computer > DCOM Config > IIS WAMREG Admin Service

  • Click on Properties (for IIS WAMREG Admin Service) and navigate to the Security tab

  • Edit Launch and Activate Permissions

  • Grant all three of your application pool accounts ‘Local Activation’ permissions (see http://support.microsoft.com/kb/920783). In our example, these accounts would be domain\MySiteAppPool, domain\SSPAdminAppPool and domain\PortalAppPool

Testing Kerberos Configuration

The thing with Kerberos is that it can be difficult to see if it is working properly. There are several things you can do to check:

  • Do your web applications work from a client computer? If they do, this is a good sign.

  • Keep an eye on your System event log on both your MOSS and SQL servers. Kerberos related errors are logged here.

  • Make sure all the servers in the loop (MOSS, SQL and Domain Controllers) have the same time set. Inconsistent time settings are one of the primary causes of Kerberos related issues.

Configure Kerberos for MOSS

The first step in configuring this scenario is to get your base MOSS configuration sorted. Follow the steps in my first article to do this.

Configure Permissions in SQL AS

This section specifically relates to using SQL Analysis Services, but similar steps will be required for normal SQL or Reporting Services.

In order that users can access your SQL AS cube, you need to configure permissions inside SQL Management Studio. Follow these steps:

  • Open SQL Management Studio

  • Connect to Analysis Services

  • Right-click on the server level and go to properties

  • Go to the Security tab

  • Give the relevant users access. If you want everyone to have access, add ‘authenticated users’

This means that users have access to actually read the data from the AS cube.

Configure Excel Services for Delegation

One of the key things that people get caught out by when attempting this scenario is configuring Excel Services to use delegation (i.e. to use Kerberos rather than NTLM). This is a setting that you can only set by using STSADM.exe; you cannot set it through the SharePoint administration pages and it is not well documented. This discussion thread outlines the step: http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1224539&SiteID=17

Follow these steps:

  • On your SharePoint server, open a command prompt and navigate to c:\program files\common files\microsoft shared\web server extensions\12\bin

  • Run the following command where %SSPNAME% is the name of your Shared Service Provider:

  • stsadm.exe -o set-ecssecurity -ssp %SSPNAME% -accessmodel delegation

  • Now run the following command:

  • stsadm.exe -o execadmsvcjobs

  • Now perform an IISRESET

Create your Data Connection file

Now Excel Services has been configured, you need to make sure that the data connection has the right settings for Kerberos. Typically in this scenario, a data connection file will be created and stored in a SharePoint data connections library. This ensures that you only have to set the data connection up once and use it many times.

There are several key settings that must be in the data connection file in order for Kerberos to work, these include using the FQDN of the SQL server and adding SSPI=Kerberos to the connection string. Follow these steps:

  • Open Excel 2007 (Client)

  • Go to the ‘Data’ ribbon

  • In the ‘Get external data’ area click on ‘From Other Sources’ and choose ‘From Analysis Services’

  • Enter the FQDN of your SQL server here (i.e. server.domain.local, not just server), leave the default of ‘Use Windows Authentication’ and click Next

  • Choose the database and cube that you wish to connect to and click Next. Click Finish on the following screen.

  • Choose to show a pivot table (this is not relevant and will not be used at this stage) and click OK

  • Once the pivot table is displayed, it is a good idea to test it out to make sure you got the right settings

  • Go to the ‘Data’ ribbon and click ‘Properties’

  • Go to the ‘Definition’ tab of the connection properties dialog

  • Add ‘;SSPI=Kerberos’ (without the ‘) at the end of the connection string (after MDX Missing Member Mode=Error)

  • Now Export your data connection to SharePoint by clicking ‘Export Connection File’

  • Enter the full URL of the data connection library that you wish to save your data connection to and click ‘Save’.

  • You may now close Excel and disregard the spreadsheet (you have got the data connection in SharePoint which is the bit you need)
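The two Kerberos-specific settings in that walkthrough, an FQDN for the SQL server and ‘;SSPI=Kerberos’ at the end of the connection string, are easy to miss when a data connection library already holds a dozen connections. The following is an added example (my own, not from this post) that parses a connection string of the ‘Key=Value;Key=Value’ form, reports what is missing and returns a corrected string, so it can be run as a pass/fail audit over exported connections. The sample string is constructed to resemble what Excel 2007 writes for an Analysis Services connection; it is not taken from a real .odc file, and the server and domain names are the hypothetical ones used earlier.

```python
"""Check (and fix) an Excel Services data connection string for the two
Kerberos requirements in the post: an FQDN Data Source and SSPI=Kerberos.
Added example; not code from the original post. The sample string is
constructed to resemble what Excel 2007 writes for an Analysis Services
connection and is not taken from a real .odc file."""


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into an ordered list of (key, value) pairs."""
    pairs = []
    for part in cs.split(";"):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def build_connection_string(pairs):
    """Inverse of parse_connection_string; keeps the original key order."""
    return ";".join(f"{k}={v}" for k, v in pairs)


def check_kerberos_ready(cs, dns_domain):
    """Return (corrected_connection_string, findings).

    findings is empty when the string already meets both requirements,
    so the function doubles as a pass/fail audit over a connection library.
    dns_domain is the suffix appended to a short server name (hypothetical
    'domain.local' in the sample).
    """
    pairs = parse_connection_string(cs)
    findings = []
    index = {k.lower(): i for i, (k, _) in enumerate(pairs)}

    # Requirement 1: Data Source must be the SQL server's FQDN, not the short name.
    i = index.get("data source")
    if i is None:
        findings.append("no Data Source in connection string")
    else:
        key, source = pairs[i]
        host, sep, instance = source.partition("\\")  # keep any named instance
        if "." not in host:
            fixed_host = f"{host}.{dns_domain}"
            pairs[i] = (key, fixed_host + sep + instance)
            findings.append(f"Data Source '{host}' is a short name; use '{fixed_host}'")

    # Requirement 2: SSPI=Kerberos must be present (the post appends it at the end).
    j = index.get("sspi")
    if j is None:
        pairs.append(("SSPI", "Kerberos"))
        findings.append("SSPI=Kerberos was missing; appended")
    elif pairs[j][1].lower() != "kerberos":
        findings.append(f"SSPI={pairs[j][1]} does not force Kerberos; set to Kerberos")
        pairs[j] = (pairs[j][0], "Kerberos")

    return build_connection_string(pairs), findings


# Constructed sample: the shape Excel 2007 produces for an SSAS cube before the
# Kerberos edits (short server name, no SSPI= key).
SAMPLE = ("Provider=MSOLAP.3;Integrated Security=SSPI;Persist Security Info=True;"
          "Data Source=server;Initial Catalog=Adventure Works DW;"
          "MDX Compatibility=1;Safety Options=2;MDX Missing Member Mode=Error")

if __name__ == "__main__":
    fixed, findings = check_kerberos_ready(SAMPLE, "domain.local")
    for finding in findings:
        print("-", finding)
    print(fixed)
```

Running it a second time on its own output yields no findings, which is the property you want from an audit script: a connection that already uses the FQDN and SSPI=Kerberos is left untouched, while a short server name or a different SSPI value is reported and corrected.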

Configure your site

Now you have created the data connection, you can go ahead and configure your site.

Generally one of the first things to do is to add an ‘SQL Server 2005 Analysis Services Filter’ webpart which uses the data connection to provide filters to other webparts on your site. This is one of the first places to test Kerberos. When you add the SQL AS Webpart, you will first need to choose the data connection. Upon doing this the Dimension drop-down should populate with dimensions from SQL. If this works then Kerberos is working!

Server Roles for a MOSS Environment

Filed under: SharePoint Configuration, SharePoint Guides, SharePoint 2007 — Roux Visser @ 06:53 pm

Application Server – Configure a Web Server

Before you install and configure Office SharePoint Server 2007, you must install and configure the required software on each of your front-end servers. This includes installing and configuring IIS so your front-end servers act as Web servers, installing Windows .NET Framework 2.0, enabling ASP.NET 2.0, and installing Windows Workflow Foundation Runtime Components Beta 2.2 (build 3807.7).

Install and configure IIS

IIS is not installed or enabled by default in Windows Server 2003. To make your server a Web server, you must install and enable IIS, and you must make sure that IIS is running in IIS 6.0 worker process isolation mode.

  • Click Start, point to All Programs, point to Administrative Tools, and then click Configure Your Server Wizard.
  • On the Welcome to the Configure Your Server Wizard page, click Next.
  • On the Preliminary Steps page, click Next.
  • On the Server Role page, click Application server (IIS, ASP.NET), and then click Next.
  • On the Application Server Options page, click Next.
  • On the Summary of Selections page, click Next.
  • Click Finish.
  • Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  • In the IIS Manager tree, click the plus sign next to the server name, and then right-click the Web Sites folder and select Properties.
  • In the Web Sites Properties dialog box, click the Service tab.
  • In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.

Note: The Run WWW in IIS 5.0 isolation mode check box is only selected if you have upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows 2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by default.

SharePoint Backup

Filed under: SharePoint Configuration, SharePoint Errors, SharePoint 2007 — Roux Visser @ 05:56 pm

A common SharePoint backup configuration error is shown below; this post explains how it can be rectified.

Error: Object SharePoint_Config failed in event OnBackup. For more information, see the error log located in the backup directory. SqlException: Cannot open backup device ‘\\servername\backup\spbr0001\0000001.bak’. Operating system error 5(error not found).

This can be seen in the screenshot below:


Follow these steps to allow successful SharePoint Backups:

  • Set the SQL Server (MSSQLSERVER) Windows service to run as a domain account. This requires a restart of the service and of IIS.
  • Set up sharing on the backup folder. Grant change and read rights to the identity that the Central Administration application pool runs under, the database SQL account, and the identity that the Timer service runs under.
  • On each of the SharePoint servers, check that you can access the share.
  • On each of the database servers, check that you can access the share.
  • Set the folder security: grant the identity that the Central Administration application pool runs under, the database SQL account, and the identity that the Timer service runs under all rights apart from Full Control.
  • When running the backup, specify the UNC path to the backup share instead of the local folder location (K:\backups\). For example: \\SPSDev\Backups

Powered by WordPress