Thursday, May 17, 2012

Authenticating on a web application with ACS

  1. Connect to ACS. You need to be made a co-Administrator to be able to create a new Access Service instance. Create a new one. Call it something relevant (namespace).  Once it is created, if you try to access it from the “Access Control Service” button in the ribbon, you might get a 403 error. The original Administrator of the Azure account needs to go in and under the new ACS instance, User Management, add you as an admin. Only then will you see the options.
  2. Create a new Relying party. Add the realm and return address to be the new Azure web app url (with https), leave the certify as default, let it create a new rule group. Leave all as defaults.
  3. The identity provider is Windows Live Identity Provider- this is already there out-of-the-box. You are good to go with that. This means you will log in with your Microsoft Live Id.
  4. Edit the rule group, make sure you add a new group for “nameidentifier”.
  5. Set up the web application for ACS:
  • You need Identity Foundation SDK 4 installed. Once installed, the FedUtil (old utility) will be part of Visual Studio. When clicking a web project, you will have a new option in the Tools menu called “Add STS reference”. Add the STS reference. Set the path to its own web.config(it will try to update as a result), set the URL to be the https url of the Azure web app url, add an existing STS by referencing its metadata file. You can get the metadata file from the ACS menu:
  • This adds a new section to the web.config file of the web application, called “Microsoft.IdentityModel”. This new section contains the url of the ACS (Access Control Service Instance you have to set up), the URL of the web application (https://servername), and other data.

Wednesday, May 16, 2012

Installing and setting up PowerPivot for SharePoint 2010

  1. 1. Log into the SharePoint 2010 central admin server as a farm administrator (whatever server Central Admin is installed on)
    2. Install PowerPivot from the SQL 2008 R2 Enterprise disk:

    2.1.  Click the Installation option on the left had side and then select New installation or add features to an existing installation
    2.2.  At the Setup Role screen select SQL Server PowerPivot for SharePoint and select your existing farm installation and click Next
    2.3.  Click Next on the Feature Selection screen (this is read only and for information only)
    2.4.  Setup will now run a rule check, if you get any errors you need to resolve these before you can continue – this should be bypassed now if logged in as farm admin and on the CA machine
    2.5.  Leave the name as is: “POWERPIVOT”
    2.6.  Select an account to run the Analysis Services and click Next. Type in the domain account you used as the app pool service account when you installed the DB engine of the instance that runs SharePoint. (say you have a sql instance that is the sql used by SP, go to configuration manager of that sql instance and look at the service account that was used for the DB engine)
    2.7.  On the summary screen click Install. Please check the summary screen first. It should display the correct Central Administration port. If not, you need to go to the installation configuration file (in the textbox at the bottom of the summary screen), open with Notepad and edit to the right port.
    2.8.  Before hitting install, please check this article. If you install on a CA server without a previous SQL installation, you should not run into errors, but check the 3 issues out of this article anyway before proceeding.
            Look at the red sections HACK #1, 2 and 3.

    3. Configure the farm for PowerPivot:
    3.1.  If the install has succeeded and it says so at the end of it, if you navigate to Central Administration, under ‘Manage Farm Features’, you should see :

    3.2.  Under System Settings, farm solutions you should see the following solutions automatically deployed:

    3.3.  Deploy the powerpivotwebapp.wsp to your web application.
    3.4.  System Settings | Manage Services on Server start the required services:
    ·         Excel Calculation Services 
    ·         Secure Store Service 
    ·         Claims to Windows token Service 

    3.5.  Under “Manage service applications”, create a new service application of type “SQL Server PowerPivot”, like in the screen below. Use all defaults.

    3.6.   Check to see if you have Excel Services enabled by seeing if it is listed in the Service Applications section of central admin. If not enabled, enable it by creating one. Use all defaults.
    3.7.   If there is no listing for a secure store then click on New and select Secure Store Service. Use defaults. Click on Generate New Key and complete the details (I this you should be all set on this one, we generated the key for other purposes in our last session)
    4.     Enable PowerPivot for the site
    4.1.  Site collection features->activate powerpivot:

    4.2.  This should deploy the new document library template:

    4.3.  When creating a PP library instance, you might get this:

    To resolve this, you need to add 
    <SafeControl Src=”~/_layouts/powerpivot/*” IncludeSubFolders=”True” Safe=”True” AllowRemoteDesigner=”True” SafeAgainstScript=”True” />” 
    to the site collection web config manually.

    5.     Additional  setup you need to perform:
    5.1.  Go to your site collection, try to export a list as a datafeed, and if you get this error:
    For security reasons DTD is prohibited in this XML document. To enable DTD processing set the ProhibitDtd property on XmlReaderSettings to false and pass the settings into XmlReader.Create method.
                                    It means you do not have ADO.NET for 3.5 (really just KB 982307) installed. You need to follow this article on MSDN (below) and install on the web server that has the web app that serves your site collection. If farm, on all web servers.

    5.2.  Double-hop issue: you get prompted on data refresh of the powerpivot charts; you need to follow the steps from this article:

Classic mode to Claims mode migration

On an existing web application that is configured o run in Classic Mode authentication, if NTLM is the authentication provider, if you want to switch to Claims, you need to run the following script:

$WebAppName = "http://serverurl"
$account =
$wa = get-SPWebApplication $WebAppName

Set-SPwebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default

--wait here for the prompt to migrate users and answer YES

$wa = get-SPWebApplication $WebAppName
$account = (New-SPClaimsPrincipal -identity $account -identitytype 1).ToEncodedString()
$zp = $wa.ZonePolicies("Default")
$p = $zp.Add($account,"PSPolicy")
$wa = get-SPWebApplication $WebAppName

In order to test if this has gone through:
  • check the web.config, if the new Membership Provider section for Claims has been added
  • log in as a site user, make sure that if you navigate to My Settings, you see the token format of the user, rather than domain\user
  • go to Central Administration and check that the Default Zone is set to Claims
  • in Central Administration, make sure in User Profiles that there are no duplicate accounts (the migration part of this script should take care of this)