SSP & Profile Imports

Whatever you do, if you are running MOSS, do not use the default LDAP filter for the SSP user profile import.  If you want to be sure you are only pulling currently active user accounts, here is the user filter to use:

(&(objectCategory=Person)(objectClass=User)(!(userAccountControl=514))(!(userAccountControl=66050)))

So it has to be a person and a user, and it can’t be disabled (userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE), or be disabled with its password set to never expire (66050 = 514 + DONT_EXPIRE_PASSWORD).  Each NOT term is wrapped in its own parentheses, which is what the LDAP filter grammar requires.  Be aware that this excludes only those two exact values: a disabled account that also carries any other flag, for example PASSWD_NOTREQD, has a different userAccountControl value and would still be imported.  If you want every disabled account excluded regardless of its other flags, test the ACCOUNTDISABLE bit itself with the LDAP bitwise-AND matching rule instead of comparing the whole value.
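As an added example (not from the original post), here is a small evaluator that runs the filter above, and a bitwise alternative, against constructed user entries.  It shows the catch in excluding exact userAccountControl values: a disabled account that also has PASSWD_NOTREQD set (546) is neither 514 nor 66050, so it is still imported, whereas testing the ACCOUNTDISABLE bit with AD's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) excludes it.  The account names and values are constructed, and objectCategory/objectClass are modelled as plain strings (real AD resolves objectCategory to the schema DN).

```python
# Added example, not code from the original post: a small evaluator for the
# post's SSP user filter and a bitwise alternative, run against constructed
# AD user entries.  Supports &, |, !, equality and AD's bitwise-AND match.

ACCOUNTDISABLE = 0x0002          # userAccountControl flag bits (Microsoft-documented)
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# The post's filter with each NOT term parenthesized as RFC 4515 requires.  It
# excludes exactly two values: 514 (normal, disabled) and 66050 (normal, disabled,
# password never expires).
POST_FILTER = (
    "(&(objectCategory=Person)(&(objectClass=User)"
    "(&(!(userAccountControl=514))(!(userAccountControl=66050)))))"
)

# Alternative: test the ACCOUNTDISABLE bit, so every disabled account is excluded
# whatever other flags it carries.
BITWISE_FILTER = (
    "(&(objectCategory=Person)(objectClass=User)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)


def parse(text):
    """Parse an LDAP filter string into a nested tuple tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    op = text[pos + 1]
    if op in "&|!":
        pos += 2
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed filter at offset %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)                 # values containing ')' are not handled
    item = text[pos + 1:end]
    if ":=" in item:                           # extensible match: attr:rule:=value
        lhs, value = item.split(":=", 1)
        attr, rule = lhs.split(":", 1)
        return ("ext", attr, rule, value), end + 1
    attr, value = item.split("=", 1)
    return ("eq", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry dict (attribute names are case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    attrs = {k.lower(): v for k, v in entry.items()}
    actual = attrs.get(node[1].lower())
    if actual is None:        # an absent attribute never matches, so (!(...)) around it does
        return False
    if kind == "eq":
        return str(actual).lower() == node[2].lower()
    if node[2] != LDAP_MATCHING_RULE_BIT_AND:
        raise ValueError("unsupported matching rule " + node[2])
    mask = int(node[3])
    return (int(actual) & mask) == mask      # true when every bit in the mask is set


def account(cn, uac):
    """Constructed user entry (not real directory data)."""
    return {"cn": cn, "objectCategory": "Person", "objectClass": "User",
            "userAccountControl": uac}


SAMPLE_ACCOUNTS = [
    account("alice", NORMAL_ACCOUNT),                                         # 512, enabled
    account("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE),                          # 514, disabled
    account("carol", NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD),  # 66050, disabled
    account("dave", NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD),        # 546, disabled
    account("erin", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),                   # 66048, enabled
]


def imported_names(filter_text, accounts=SAMPLE_ACCOUNTS):
    """cn of every account the profile import would pull with this filter."""
    node = parse(filter_text)
    return [a["cn"] for a in accounts if matches(node, a)]


if __name__ == "__main__":
    print("post's filter imports: ", imported_names(POST_FILTER))    # dave (546) slips through
    print("bitwise filter imports:", imported_names(BITWISE_FILTER))
```

BITWISE_FILTER is the form you would paste into the SSP import connection in place of the exact-value filter; check it with an LDAP browser against a known disabled account (one with extra flags set) before running the import.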

Posted in Uncategorized

SharePoint and Kerberos

I gave a presentation last night to the Tulsa SharePoint User Group on SharePoint and Kerberos.  Here are the highlights:

1.  Use an A record in your DNS for any SharePoint site you are going to use Kerberos with.  If the name is a CNAME, IE asks Kerberos for a ticket to the canonical host the CNAME points at, not to the host name in the URL, and that will not work.  Ex.  You have a CNAME for test.bob.lan that points at moss.bob.lan.  IE requests a ticket for HTTP/moss.bob.lan, and if your SPNs are set up correctly for test.bob.lan (see below), your Kerberos authentication will fail.  (The KDC will usually satisfy HTTP/moss.bob.lan from the HOST/moss.bob.lan SPN on the machine account, so the ticket is encrypted to the computer account’s key rather than to the account the application pool runs as, and the web server cannot decrypt it.)

2.  Use the domain you are in.  In other words, if your local domain is bob.lan, use test.bob.lan for your A record, not test.bob.com.  This is because IE will not automatically submit your credentials to any site outside the Intranet zone.  (You would be prompted for your username/password.  That works fine for people, but web service calls made by other programs might fail.)

3.  Use the default ports.  IE does not include a non-default port in the SPN it requests, so a site on test.bob.lan:8080 still needs HTTP/test.bob.lan registered, and HTTP/test.bob.lan:8080 is never looked up.

4.  Set your SPNs up like this, where BOB\mossgod is the account the SharePoint application pool runs as:  SETSPN -A HTTP/test.bob.lan BOB\mossgod and SETSPN -A HTTP/test BOB\mossgod

5.  In addition to the SPNs above being registered, the computer(s) MOSS/WSS is running on must be trusted for delegation, or, when the application pool runs as a domain account such as BOB\mossgod, that account must be.  Delegation is what lets the front end pass the user’s Kerberos identity on to a back-end service such as SQL Server or Excel Services, so where you need it, prefer constrained delegation to the specific back-end SPNs over the blanket “trust this computer for delegation to any service” setting.


As far as debugging Kerberos errors:

—HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel (DWORD) = 1 turns on Kerberos event logging in the System event log; turn it off again when you are done, as it is noisy.

—Also, in the same Parameters key, MaxPacketSize (DWORD) = 1 makes Kerberos use TCP instead of UDP, which avoids large tickets (big PACs from many group memberships) being fragmented and dropped.

—WFETCH.exe (IIS 6.0 Resource Kit) shows the raw HTTP exchange, so you can see whether the Authorization header carries a Negotiate (Kerberos) token or fell back to NTLM.

—Ldifde (LDIF Directory Exchange) exports the SPNs in the domain so you can search them for duplicates or typos:

ldifde -f c:\allspn.txt -d "DC=envoy,DC=lan" -l serviceprincipalname -r "(serviceprincipalname=*/*)" -p subtree

—With Server 2008, SETSPN -X searches for duplicate/colliding SPNs.

—Wireshark display filter: dns || kerberos || ip.addr==<IP address of target machine>

—Klist & KerbTray (Win2k3 Resource Kit) show the tickets cached on the client; if there is no ticket for the site’s HTTP SPN there, the client never got one from the KDC.

—net time: Kerberos tickets and authenticators carry timestamps, and the KDC rejects requests from a clock that is off by more than the allowed skew (5 minutes by default), so all machines must have well synchronized clocks.

—adsutil GET w3svc/1801x/root/NTAuthenticationProviders  For Windows 2003, this is the way to confirm that the authentication providers on a web site are set right; replace the 1801x with the numeric ID of the web site in question.  The value should be “Negotiate,NTLM”; if it is just “NTLM”, Kerberos is never attempted.

Posted in Uncategorized

Another reason to love Server 2008

Kerberos and SPNs are a particular type of hell for most SharePoint devs & admins.  One of the more vexing things is finding duplicate SPNs (Service Principal Names), as they will ruin your afternoon.  Luckily MSFT decided to make the setspn command useful for something other than making & nuking SPNs.  Now if you type setspn on Server 2008, here’s what you get:

Usage: setspn [modifiers switches data] computername
Where ‘computername’ can be the name or domainname
Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)
Switches:
-R = reset HOST ServicePrincipalName
Usage:   setspn -R computername
-A = add arbitrary SPN 
Usage:   setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage:   setspn -S SPN computername
-D = delete arbitrary SPN 
Usage:   setspn -D SPN computername
-L = list registered SPNs 
Usage:   setspn [-L] computername  
-Q = query for existence of SPN
Usage:   setspn -Q SPN
-X = search for duplicate SPNs
Usage:   setspn -X
Examples:
setspn -R daserver1
It will register SPN ‘HOST/daserver1’ and ‘HOST/{DNS of daserver1}’
setspn -A http/daserver daserver1
It will register SPN ‘http/daserver’ for computer ‘daserver1’
setspn -D http/daserver daserver1
It will delete SPN ‘http/daserver’ for computer ‘daserver1’
setspn -F -S http/daserver daserver1
It will register SPN ‘http/daserver’ for computer ‘daserver1’ if no such SPN exists in the forest

Oh, my stars… -X makes me a very happy man.

Yet one more vote on why you should be using Server 2008 as your workstation OS…
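The following is an added example, not code from either post and not Microsoft’s setspn.  It parses the output of the ldifde command from the Kerberos debugging list above into SPN-to-account mappings, reports duplicates the way setspn -X does on Server 2008 (handy where you only have 2003), and then models the earlier Kerberos post’s steps: the SPN IE requests once it has followed a CNAME and dropped the port, the KDC’s fallback from HTTP/ to HOST/ on the computer account, and whether the account holding that SPN is actually the application pool identity.  The LDIF dump, DNS records and account names (bob.lan, BOB\mossgod, a portal.bob.lan site) are constructed to match the posts’ examples.

```python
"""Added example (not code from the posts or from Microsoft's setspn): check
SharePoint Kerberos SPNs offline from an ldifde export.  Models what the posts
describe: IE follows a CNAME and drops the port before requesting HTTP/<host>,
the KDC falls back from HTTP/ to HOST/, and setspn -X's duplicate search.
All directory and DNS data below is constructed."""
import base64
from collections import defaultdict

# Constructed output of: ldifde -l servicePrincipalName -r "(servicePrincipalName=*/*)"
# HTTP/test.bob.lan is deliberately held by two accounts (in different case),
# one value is folded onto a continuation line, one is base64 ("::").
SAMPLE_LDIF = (
    "dn: CN=mossgod,CN=Users,DC=bob,DC=lan\n"
    "changetype: add\n"
    "servicePrincipalName: HTTP/test.bob.lan\n"
    "servicePrincipalName: HTTP/test\n"
    "servicePrincipalName: HTTP/portal.bob.lan\n"
    "\n"
    "dn: CN=MOSS,CN=Computers,DC=bob,DC=lan\n"
    "changetype: add\n"
    "servicePrincipalName: HOST/MOSS\n"
    "servicePrincipalName: HOST/moss.bob.lan\n"
    "servicePrincipalName: http/TEST.bob\n"
    " .lan\n"
    "\n"
    "dn: CN=svc-sql,CN=Users,DC=bob,DC=lan\n"
    "changetype: add\n"
    "servicePrincipalName:: "
    + base64.b64encode(b"MSSQLSvc/sql.bob.lan:1433").decode("ascii") + "\n"
)

# Constructed DNS zone: the post's CNAME example beside an A record done right.
SAMPLE_DNS = {
    "test.bob.lan": ("CNAME", "moss.bob.lan"),
    "moss.bob.lan": ("A", "10.0.0.5"),
    "portal.bob.lan": ("A", "10.0.0.5"),
}
APP_POOL_ACCOUNT = "CN=mossgod,CN=Users,DC=bob,DC=lan"   # BOB\mossgod in the post


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; handles folded lines and '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # unfold continuation line
        else:
            lines.append(raw)
    records, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:                     # sentinel flushes the last record
        if not line.strip():
            if dn is not None:
                records.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return records


def spn_holders(ldif_text):
    """Map each SPN (lower-cased; SPN lookups are case-insensitive) to the DNs holding it."""
    holders = defaultdict(set)
    for dn, attrs in parse_ldif(ldif_text):
        for spn in attrs.get("serviceprincipalname", []):
            holders[spn.lower()].add(dn)
    return holders


def find_duplicate_spns(ldif_text):
    """What setspn -X reports on Server 2008: SPNs registered on more than one account."""
    return {spn: sorted(dns) for spn, dns in spn_holders(ldif_text).items() if len(dns) > 1}


def spn_requested_by_ie(url_host, dns):
    """IE, as the post describes it: follow a CNAME to the canonical name, drop the port."""
    host, seen = url_host.split(":", 1)[0].lower(), set()
    while host in dns and dns[host][0] == "CNAME" and host not in seen:
        seen.add(host)
        host = dns[host][1].lower()
    return "HTTP/" + host


def check_site(url_host, app_pool_dn, dns, ldif_text):
    """Return (spn, accounts, ok); ok only when the app pool account alone holds the SPN.

    With no HTTP/<host> registered the KDC uses HOST/<host> on the computer
    account, so the ticket is encrypted to a key the app pool does not have.
    """
    spn = spn_requested_by_ie(url_host, dns)
    holders = spn_holders(ldif_text)
    accounts = holders.get(spn.lower()) or holders.get("host/" + spn[5:].lower(), set())
    accounts = sorted(accounts)
    return spn, accounts, accounts == [app_pool_dn]


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print("duplicate SPN", spn, "on", dns)
    for site in ("test.bob.lan", "portal.bob.lan:8080"):
        print(site, "->", check_site(site, APP_POOL_ACCOUNT, SAMPLE_DNS, SAMPLE_LDIF))
```

Run against a real export, the duplicate list is what you fix first (setspn -D the stray copy), and check_site tells you, before touching a browser, which account the KDC will encrypt the ticket to; if that is the computer account rather than the application pool identity, you have the CNAME problem from step 1 or a missing HTTP SPN from step 4.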
Posted in Computers and Internet

SQL 2005 rocks

So the SANS Institute put out their 2007 Top 20 vulnerabilities list.  Of particular interest to me were the total numbers of CVSS vulnerabilities with a base score of 7 or more in the database category for 2007:

IBM DB2: 6
Oracle: 18
MS SQL: 1!!!

For 2006, the same totals were:

IBM DB2: 2
Oracle: 37
MS SQL: 0

For 2005:

IBM DB2: 2
Oracle: 12
MS SQL: 0

And the great thing was that MS SQL’s one vulnerability was in SQL Server Management Studio, not in SQL Server itself.

SQL 2005 rocks.
Posted in Computers and Internet

Frob?

In the strange world that is computer programming, there exists a continuum.  On one end you have tweaking. 

Ex: I see you were tweaking the lazy loaders to reduce the database performance hit.

Generally this denotes a fine tuning, or careful adjustment to something.  Then you have twiddling.

Ex: John was twiddling with the themes on our SharePoint site to see if he could reduce the color vomit factor.

This is more of a gross adjustment, and is not necessarily a productive change.  Then you have frobnicating.

Ex: So as I walk in, Todd was frobnicating the fan speed on the database server with cpu tweak to the beat of ‘We Will Rock You’, which explains why I had to walk into the server room in the first place.

Frobnicating is generally done for no good reason other than that it is fun.  Some code needs tweaking, some needs to be twiddled, and sometimes you just have to frobnicate.

Posted in Uncategorized