Sunday 30 January 2011

SharePoint / IIS Service Unavailable error Windows (NLB) Network Load Balancer


One of my customers is using SharePoint 2007 with 2 WFE servers and Windows 2003 Network Load Balancer. They asked me to take a look because when the WFE1 server is shut down, SharePoint shows the message:


When I tried to browse the site on WFE2 directly from Internet Information Services, the related application pool was automatically disabled. The Windows event viewer showed:


And before this error a few other errors occurred, like:
A process serving application pool …… terminated unexpectedly. The process id was … the process exit code was 0xfffffffffff


The first thing I did was enable the default IIS website, because I could not tie this to a SharePoint-related error. Even the default IIS page gives the Service Unavailable error, and the default application pool is terminated.

After searching for the error on the internet for a while I found this article from Microsoft: http://support.microsoft.com/Default.aspx?kbid=2009746.

I first looked at all KBs installed on the server, but the one mentioned in the above article was not found. The error message was very similar, so I decided to reinstall Windows 2003 SP2, and that fixed the problem!!

Still, when shutting down WFE1, WFE2 did not start the SharePoint site. Looking at the event viewer application log displayed a well-known error:


Adding the mentioned user to the Local Activation permission of the DCOM object IIS WAMREG fixed this issue. Now when WFE1 is shut down, the SharePoint sites are still displayed through WFE2.

The customer also asked why users are not load balanced when using the Windows NLB. For SharePoint the NLB is configured with the Affinity set to Single, because SharePoint cannot handle session sharing over multiple servers for one client accessing SharePoint. You can test this by disabling only the IIS service on the server you are connected to for your SharePoint application, for example WFE2. When doing this the SharePoint site no longer works after refreshing IE. You would expect to be pointed to the other server, WFE1, but this does not seem to happen. Why?

This is because NLB does not provide failover for applications, only for failure of the server itself, meaning it will not poll a machine to check that a particular service or facility is available and drop the box from the NLB cluster if it does not respond. Therefore requests are still sent to the stopped web site/application pool as they normally would be, unless a monitoring application is configured to remove servers from the cluster under certain circumstances. NLB provides the services required by monitoring applications to remove servers from the cluster remotely. For example, a monitor could be set up to check that a certain web site or application pool responds and remove the server from the cluster if it does not.
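As an added illustration of such a monitor (example code, not from the original post): a PowerShell probe that requests the local IIS site and, after several consecutive failures (the 503 Service Unavailable page or no answer at all), drains the node out of the cluster so NLB stops sending clients to a dead application pool. The site URL, the thresholds and the argument-less nlb.exe calls acting on the local host (Windows Server 2003; on 2008 R2 and later Stop-NlbClusterNode -Drain / Start-NlbClusterNode do the same) are assumptions.

```powershell
# Added example, not code from the original post. Assumptions: $SiteUrl points at this
# WFE directly (not at the cluster IP), and "nlb.exe drainstop" / "nlb.exe start"
# without a cluster argument act on the local host (Windows Server 2003 NLB).
$SiteUrl       = 'http://localhost/'   # assumption: the published SharePoint site on this WFE
$TimeoutMs     = 5000
$FailThreshold = 3                     # consecutive failures before draining, avoids flapping
$IntervalSec   = 15

function Test-WebFrontEnd {
    param([string]$Url, [int]$TimeoutMs)
    # Returns $true when IIS and the application pool answer (any status below 500,
    # including 401 for a site that demands Windows authentication); $false on 503
    # or on a connection/timeout failure.
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method            = 'HEAD'
        $req.Timeout           = $TimeoutMs
        $req.AllowAutoRedirect = $false
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return ($code -lt 500)
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -eq $null) { return $false }   # DNS failure, connection refused, timeout
        $code = [int]$resp.StatusCode            # 4xx/5xx answers arrive as exceptions
        $resp.Close()
        return ($code -lt 500)
    }
}

function Set-NodeState {
    param([bool]$Drain)
    # drainstop: finish existing connections, accept no new ones; start: rejoin the cluster
    if ($Drain) { & nlb.exe drainstop | Out-Null } else { & nlb.exe start | Out-Null }
}

$failures = 0
$drained  = $false
while ($true) {
    if (Test-WebFrontEnd -Url $SiteUrl -TimeoutMs $TimeoutMs) {
        $failures = 0
        if ($drained) {
            Write-Host ("{0:s} site answers again, rejoining the cluster" -f (Get-Date))
            Set-NodeState -Drain $false
            $drained = $false
        }
    } else {
        $failures++
        Write-Warning ("{0:s} probe failed ({1}/{2})" -f (Get-Date), $failures, $FailThreshold)
        if ($failures -ge $FailThreshold -and -not $drained) {
            Write-Warning ("{0:s} draining this node out of the NLB cluster" -f (Get-Date))
            Set-NodeState -Drain $true
            $drained = $true
        }
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Run it as a scheduled task or service on each WFE under an account that may call nlb.exe; the threshold keeps a single slow response from taking the node out of rotation.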

Tuesday 18 January 2011

SharePoint 2010 070-667 Configuring exam

Today I passed exam 070-667, so currently I am a SharePoint 2010 Technology Specialist in configuring SharePoint.

I passed the exam based on my experience with configuring SharePoint 2010 environments for the past year, reading blogs and playing around. You could say this first exam is not that difficult. I did see some questions, however, that made me think “I need to have a look at that”.

The next step is doing exam 070-668 to become an MCITP. I think I need to study for that one; I will try it in April.

Good luck to you all who plan for the 070-667 exam, you can do it!

Hope you enjoy this blog! If you have comments, better solutions or recommendations, I'd like to hear from you.

Dynamic Intelligence | LinkedIn | Blog | Twitter

Friday 14 January 2011

Configure Microsoft TMG 2010 SharePoint publishing rule

As promised in my previous post, I would make a blog on how to configure the Threat Management Gateway.

We start with the same situation as before:

Let me give you a little bit more detail about the possible network configuration.


  • I have my internet connection with the external IP address
    • At my ISP I asked for a DNS registration biportal.corp.com pointing to the given IP address
  • The inside IP address of my router is , and the router's internal firewall is configured to forward all external HTTPS requests to the internal address of the TMG01 server.
  • The TMG01 server has 2 NICs
    • One connected to switch1 with a fixed IP address
    • And the other with a fixed IP address connected to switch2 of the internal network
    • The internal DNS has a registration tmg01.corp.local for the IP address
  • And last, SHP01 with 1 NIC using IP address , connected to switch2
    • The internal DNS has multiple registrations for the SHP01 server IP address
      • biportal.corp.local
      • publicbiportal.corp.local
      • mysite.corp.local
      • publicmysite.corp.local
      • projects.corp.local
      • publicprojects.corp.local

That’s all about the network configuration for now; let’s start configuring TMG. It’s quite simple, just use the SharePoint wizard in the TMG management interface:


The first thing we need to do is give the rule a name:

Then we need to choose what type of rule we want to add.
Currently I chose single web site or load balancer; in the future I might want to add a second SharePoint application server.


Then we need to select whether we want to use SSL for the communication between the TMG01 server and the SHP01 server. When you choose Use SSL you need to add SSL certificates on the SHP01 server. For now I chose not to encrypt the internal traffic.


Then we need to give the internal site name that is used as the To address. Test on your TMG server that it can resolve the internal site name. When this is not possible, select Use a computer and add the IP address of the SharePoint server or load balancer. In my case this is not needed; should it be needed I would have added the IP address


Then we need to specify the public name. You can select any domain, but this is less secure. I use the biportal.corp.com domain, which means that only requests for this domain are allowed to be forwarded to the internal site.


Then we need to configure the web listener for the rule; because we don’t have one yet we select New. The first thing to do is give it a name:


Then we need to tell TMG that SSL should be used by the external clients to communicate with the TMG server. We want this over SSL because this traffic goes over the WWW and we don’t want to make information freely available.


Then we need to tell TMG on which IP address it should listen: select External and click Select IP Addresses. In the window select Specified IP addresses, click Add IP and give the addresses you need, or select the displayed interface IP address. When you select the interface IP address as below, all external WWW IP addresses are accepted to be forwarded. When you know that you only want to publish to specific organizations, you need to acquire their external WWW IP addresses and add those to the Selected IP Addresses.


Because we selected SSL for the external communication we now need to specify the SSL certificate. On this screen you can select a different certificate for each IP address you added; I chose the simple solution of using a single certificate. I will not explain how to request certificates; mine is internally created and published to the TMG01 server.


Now we need to specify how external users need to authenticate. When you choose, as I did, HTML Form Authentication, users get a TMG web form to log in; because I selected Windows (Active Directory) they need to use a domain account to authenticate, for example corp\Arjan.Fraaij. When you do this they don’t get a SharePoint login any more. You can also choose No Authentication; then users are redirected directly to the SharePoint site and need to log in there with their account, which can also be a domain account depending on your SharePoint authentication configuration.

The other 2 are HTTP or SSL authentication, where again you can choose Windows (Active Directory), and it is integrated. This means that when someone is anonymous they still get a login screen, but when they are at a remote site location in the same domain they will be granted access without the need to log in.


Then we need to tell TMG to use SSO for the external domain. This makes sure users don’t need to log in again when they switch to mysite.corp.com or projects.corp.com.


The listener configuration is now finished. Click Finish to continue the configuration of the firewall rule.



Most organizations have SharePoint configured to use NTLM (the default setting). I want to make sure that I have a highly secure environment and use Kerberos in my SharePoint configuration, so I could choose Kerberos constrained delegation, making sure only Kerberos authentication can be used. When you are not sure, choose the setting below, which also allows NTLM authentication.


I will not explain configuring SPNs and delegation settings. Please look at one of my other blogs about SharePoint configuration and using DelegConfig.

Now we need to tell TMG about the Alternate Access Mapping configuration in SharePoint. I am not sure, but I think this is a reminder screen; I don’t know what TMG needs to do with this because it is a SharePoint-side configuration. See my previous blog post about configuring AAM.


Next you can specify which users can make use of the configured rule. For now I chose All Authenticated. I recommend adding a new set of users to separate them from your other internal domain accounts such as server service accounts. You can define specific Active Directory groups or users. Okay, since I recommend it, let me do so.

Select All Authenticated Users in the window you see and click Remove. Then click Add and click New in the next window.

Give the new set a name:

In the newly appearing window click Add and select Windows users and groups…


You will get the well-known AD selection screen. I created a domain group to grant access to users. Select the group or users you want and click OK.


We have finished the user selection.

We have also finished the rule configuration!

Start trying to access SharePoint from the WWW using the URL https://biportal.corp.com!

It could be that it does not work directly; I changed the setting below on the rule to make it work:


You need to repeat some of these steps for the other URLs https://mysite.corp.com and https://projects.corp.com.

Addition 17-1-2011: (Need to re-login after not using SharePoint for 10 minutes)

This is caused by the configuration of the listener. You can change this on the Forms tab of the listener configuration by clicking Advanced:

In the advanced settings you can change the timeout for public and private connections. Looking at this, some people may call your service desk about the timeout while others don’t have this issue. This depends on the choice they made on the TMG login screen: end users need to indicate whether they are logging in from a public or private computer.

By default the timeout for public computers is 10 minutes.


Hope you enjoyed! Comments, better solutions and recommendations are welcome; I’d like to hear about them.


Thursday 13 January 2011

SharePoint 2010 and Threat Management Gateway 2010 Alternate Access Mappings

Because I couldn’t find any clear blog about how to configure AAM in SharePoint 2010 together with, in this case, TMG 2010, I hope this one can help some other people.


Above is a simplified overview of the infrastructure.

  • SHP01 is the SharePoint 2010 application server
  • DC01 is the domain controller for the corp.local domain and also the DNS server for corp.local
  • TMG01 is the Threat Management Gateway 2010 server acting as a firewall between the internal corp.local network and the WWW
  • Client01 is just an internal client
  • Client02 is just a client at someone’s home location connected to the WWW

The story is that people working at the office location where SHP01 is hosted want to use the URL http://biportal.corp.local to access the SharePoint sites from client01. The people at the home location want to access the SharePoint sites from client02 using the URL https://biportal.corp.com.

First I created an A host record biportal.corp.local in DNS pointing to the SHP01 server IP address.

Then I configured a SharePoint 2010 web application using the URL http://biportal.corp.local (I also created the bindings (host header) on the web application in IIS after the web application was created):

And left the public URL as generated.


When you now look at the alternate access mappings you will see:

I started configuring TMG using the SharePoint Site Publishing rule wizard. For now I will give you some screenshots of the most needed configuration items:

The To address is the DNS name that points to the SHP01 server. On the From tab the Anywhere location is used; this is done when you follow the wizard.

On the Traffic tab I made a selection that ensures only HTTPS requests are allowed.


The Public Name setting says that only requests using this address to reach the TMG internet site are handled by the TMG firewall rule.


A listener is also configured, accepting only SSL connections.

And for authentication HTML form is used; this means when users try to open the SharePoint site using https://biportal.corp.com they will get a TMG web form to log in.



The next thing they did was add an alternate access mapping for the home users:

Seems to be okay, or not? The internal users can do everything on the SharePoint sites using http://biportal.corp.local and the home users can do their work using https://biportal.corp.com. But then some more advanced users started working from home and the helpdesk started to receive messages like:

  • User: I’m redirected to an error page but it is not displayed; instead it displays a DNS error, could not find host.
  • Helpdesk: Okay sir, what is the URL in your browser?
  • User: http://biportal.corp.local/_layout/……
  • Hey, that’s strange, we will have a look!

Also another user was not able to edit list entries in the Datasheet view; he would get an error like: "The Access Web Datasheet is attempting to retrieve data from a different domain. You will be redirected to an error page. Contact your system administrator to resolve this error."

So what is causing this?

A URL can be used only once in AAM, and http://biportal.corp.local is already used for your internal network; now you try to use it a second time in the TMG publishing configuration. This is my interpretation of the text at http://sharepoint.microsoft.com/blog/Pages/BlogPost.aspx?PageType=4&ListId={72C1C85B-1D2D-4A4A-90DE-CA74A7808184}&pID=795, Mistake #3.

So we need to change something.

  1. Add a new A host record to your DNS; I chose publicbiportal.corp.local
  2. Add a new internal URL alternate access mapping in the same zone as the http://biportal.corp.com URL; this should result in:
  3. Change the bindings on the IIS web application to also use publicbiportal.corp.local as host header.
  4. Then we need to change the published SharePoint rule in TMG 2010: biportal.corp.local is changed to publicbiportal.corp.local
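
Steps 1 to 3 above scripted on SHP01, followed by a check of the resulting mapping (added example, not code from the original post). It assumes the SharePoint 2010 PowerShell snap-in and the IIS WebAdministration module, that DC01 hosts the corp.local zone, that the public URL lives in the Internet zone, and that the IIS site name and the SHP01 IP address are placeholders to be replaced.

```powershell
# Added example, not from the original post. $Zone, $IisSite and $Shp01Ip are assumptions
# or placeholders; the host names are the ones used in the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$WebApp      = 'http://biportal.corp.local'         # Default zone URL used by client01
$PublicUrl   = 'https://biportal.corp.com'          # URL the home users type, published by TMG
$NewInternal = 'http://publicbiportal.corp.local'   # new internal URL, becomes the TMG "To" address
$Zone        = 'Internet'                           # assumption: the zone that already holds $PublicUrl
$IisSite     = 'SharePoint - biportal.corp.local80' # assumption: IIS site name of the web application
$Shp01Ip     = '<IP address of SHP01>'              # placeholder, not on the page

# Step 1: A record so TMG01 resolves the new name to SHP01
& dnscmd.exe DC01 /RecordAdd corp.local publicbiportal A $Shp01Ip

# Step 2: internal URL in the same zone as the public URL. Pages requested through
# publicbiportal.corp.local are then rendered with https://biportal.corp.com links,
# instead of http://biportal.corp.local links the home clients cannot resolve.
New-SPAlternateURL -Url $NewInternal -Zone $Zone -WebApplication $WebApp -Internal | Out-Null

# Step 3: IIS must accept the new host header as well
New-WebBinding -Name $IisSite -Protocol http -Port 80 -HostHeader 'publicbiportal.corp.local'

# Step 4 is done in the TMG console: change the rule's "To" address to publicbiportal.corp.local

# Check: the new incoming URL must map to the public URL, while biportal.corp.local
# keeps its single entry in the Default zone (each URL may appear only once in AAM)
$aam = Get-SPAlternateURL -WebApplication $WebApp
$aam | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
$map = $aam | Where-Object { $_.IncomingUrl -eq $NewInternal }
if ($map -and $map.PublicUrl -eq $PublicUrl) {
    Write-Host "OK: $NewInternal -> $PublicUrl"
} else {
    Write-Warning "Mapping for $NewInternal not found or not pointing at $PublicUrl"
}
```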

When this is correct we should be finished and can access the SharePoint site from client01 with the URL http://biportal.corp.local.

When we try to open http://publicbiportal.corp.local from client01 we can open the SharePoint site but are redirected to https://biportal.corp.com, which is correct!

From the home client02 we can use https://biportal.corp.com to access the SharePoint site! No errors occur anymore and I can use the Datasheet view to edit list entries without the earlier mentioned error about retrieving data from another domain…

Could we do something else to make life easier? I thought about always using the server address for the web application when creating it. In the above case this means using shp01.corp.local as host header and http://shp01.corp.local as public URL when configuring the web application. Then we could use biportal.corp.local and biportal.corp.com for the alternate access mappings and the TMG configuration. ONLY most of my SharePoint environments don’t consist of 1 web application. Think of mysite.corp.local and a specific projects.corp.local site. Then we can’t use shp01.corp.local any more because it is already in use.

As a last example, where I want the biportal, projects and mysite web applications, I end up with:

Did I miss something, or do you have a better solution? Please let me know! Comments are welcome.

Tuesday 11 January 2011

Convert ISBN10 to ISBN13

Today I got a request to make it possible to convert ISBN-10 numbers to ISBN-13 numbers. Based on the C# function at http://www.codeproject.com/Tips/75999/Convert-ISBN10-To-ISBN-13.aspx I created the following T-SQL function.

(download T-SQL Code)

/*
Version Information
Author:        Arjan Fraaij
Create date:   10-01-2010
Converts ISBN-10 to ISBN-13
Execute as SELECT dbo.udf_ISBN10toISBN13(<ISBN10ColumnName>,<ISBN13ReturnType>) FROM <TableName>
<ISBN13ReturnType> when 0 ISBN13 short is returned 9780860014096
<ISBN13ReturnType> when 1 ISBN13 long is returned 978-0-86001-409-6

Example: SELECT dbo.udf_ISBN10toISBN13(ISBN10,0) FROM tblISBNNumbers

Version        Date         Author              Description
0.1            12-1-2011    Arjan Fraaij        Initial version no error handling

To do:
- Adding error handling
- Adding check for existing ISBN number
*/
CREATE FUNCTION dbo.udf_ISBN10toISBN13
(
    -- Add the parameters for the function here
    @ISBN VARCHAR(10),      -- ISBN-10 without hyphens, e.g. '0860014096'
    @ISBNTYPE INT           -- 0 = short result (9780860014096), 1 = long result (978-0-86001-409-6)
)
RETURNS VARCHAR(18)
AS
BEGIN
    --- Declare needed variables
    DECLARE @Result VARCHAR(18)
    DECLARE @ISBN13_SHORT VARCHAR(12)   -- 978 prefix + first nine digits of the ISBN-10
    DECLARE @CHECKDIGIT INT

    -- The ISBN-10 check digit (position 10) is dropped; the 978 prefix goes in front
    SELECT @ISBN13_SHORT = '978' + SUBSTRING(@ISBN, 1, 9)

    ---- Calculate check digit: weight the 12 digits alternately 1 and 3,
    ---- take the sum modulo 10 and subtract from 10 (a result of 10 becomes 0)
    SELECT @CHECKDIGIT = (10 - (
                                    CAST(SUBSTRING(@ISBN13_SHORT, 1, 1) AS INT) * 1 +
                                    CAST(SUBSTRING(@ISBN13_SHORT, 2, 1) AS INT) * 3 +
                                    CAST(SUBSTRING(@ISBN13_SHORT, 3, 1) AS INT) * 1 +
                                    CAST(SUBSTRING(@ISBN13_SHORT, 4, 1) AS INT) * 3 +
                                    CAST(SUBSTRING(@ISBN13_SHORT, 5, 1) AS INT) * 1 +
                                    CAST(SUBSTRING(@ISBN13_SHORT, 6, 1) AS INT) * 3 +
                                    CAST(SUBSTRING(@ISBN13_SHORT, 7, 1) AS INT) * 1 +
                                    CAST(SUBSTRING(@ISBN13_SHORT, 8, 1) AS INT) * 3 +
                                    CAST(SUBSTRING(@ISBN13_SHORT, 9, 1) AS INT) * 1 +
                                    CAST(SUBSTRING(@ISBN13_SHORT, 10, 1) AS INT) * 3 +
                                    CAST(SUBSTRING(@ISBN13_SHORT, 11, 1) AS INT) * 1 +
                                    CAST(SUBSTRING(@ISBN13_SHORT, 12, 1) AS INT) * 3
                                ) % 10) % 10 -- Calculate Modulo

    -- Create return values
    IF (@ISBNTYPE = 0)
            SELECT @Result =    @ISBN13_SHORT + CAST(@CHECKDIGIT AS VARCHAR(1))
    ELSE
            -- Fixed hyphen grouping (prefix-group-publisher-title-check) as in the example above;
            -- real ISBN group and publisher element lengths vary per range
            SELECT @Result =    SUBSTRING(@ISBN13_SHORT,1,3) + '-' +
                                SUBSTRING(@ISBN13_SHORT,4,1) + '-' +
                                SUBSTRING(@ISBN13_SHORT,5,5) + '-' +
                                SUBSTRING(@ISBN13_SHORT,10,3) + '-' +
                                CAST(@CHECKDIGIT AS VARCHAR(1))
    -- Return the result of the function
    RETURN @Result
END


You need to create the function in the database that contains the ISBN numbers, or call it with the database prefix from the database where you created it.

SELECT dbo.udf_ISBN10toISBN13('0860014096',0) will return 9780860014096

SELECT dbo.udf_ISBN10toISBN13('0860014096',1) will return 978-0-86001-409-6

If you have any comment or improvement please let me know.

Friday 7 January 2011

Creating My Site Web Application in SharePoint 2010 using Kerberos

The blog that will follow this one will be about configuring SharePoint 2010 system services and application services. During the configuration of one of the services (Profile Synchronization) it is required to have your my site web application available.

This blog is a guide on how to set up the My Site web application and site collection.

All is done in my Business Intelligence Demo Portal environment: http://blog.arjanfraaij.com/2010/12/sharepoint-2010-installation.html

All actions in Central Administration are done with the initial setup account corp\shpSetup

Create the Web Application

  1. Start Central Administration
  2. Go to Application Management > Manage web applications
  3. Click New
  4. Before changing settings in the "Create New Web Application” window, scroll down to the Application Pool section and click Register new managed account.
    When you do this after you have already changed some settings they will be lost and you can start again, so first register the needed managed account. (You can also do this in advance using Central Administration > Security > Configure Managed Accounts.)
    I like to use different application pool users (APU) for each needed application pool; for the My Site I use corp\Farm1APUMySite. Click OK to create the managed account.
  5. Scroll back up and start configuring the My Site web application. Settings missing in the screenshots below I left as default.
    Click OK, a warning message appears:
    This is because I chose to use Kerberos; to make this work you need to configure some Active Directory settings and SPNs. I will use the DelegConfig tool from http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx later to configure this.
    Click OK, the web application will be created.
    Click OK again to return to the Manage web applications window.
  6. Select the created Web Application and click Managed Paths to add the Personal Managed Path.
    Click Add Path
    The personal path is added, click OK to finish
  7. The next thing we need to do is create a My Site Host site collection
  8. Go to Application Management > Create Site Collections
    Make sure you have selected the My Site web application. In the template section, select Enterprise and the My Site Host template.
    I am used to creating standard functional accounts for the primary and secondary site collection administrators. This is a personal choice and you don’t have to do this.
    Click OK to create the site collection.
    Click OK to finish
  9. Enable Self-Service Site Creation for the web application. You can do this through Central Administration > Security > Configure Self Service site creation, Application Management > Configure Self Service site creation, or by going to the Manage Web Applications page.
  10. This time I chose Security > Configure Self Service site creation :-)
    In the Enable section select On and click OK.
  11. The basis for the my site structure is now ready, we need to do a few more things.
    1. Add a DNS A host record for the mysite.corp.local location
    2. Configure the Kerberos settings using deleg config
    3. Configure User Profile Synchronization Service to enable the My Site usages.

Adding the A host record to the DNS service.

  1. Open the DNS management console and browse to the corp.local forward lookup zone
  2. Right click in the right pane and select New Host (A or AAAA)
    As name type mysite, as IP address type the IP address of the SharePoint Application server SHP01 and click Add Host to add the record.
    Click ok to Finish

Configure Kerberos with the DelegConfig tool.

  1. Download the tool from: http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx
  2. Extract the kerberos folder and copy it to the IIS Default Web Site folder: \\shp01\c$\inetpub\wwwroot
  3. Start Internet Information Service Manager on the SharePoint application server (SHP01)
  4. Browse to the Default Web Site.
  5. Right Click the Kerberos folder and click Convert to Application
    Click OK
  6. Open the Kerberos website with IE while you are on the SHP01 server: http://shp01/kerberos. The error below might appear:
    To solve this error execute the following steps.
    1. Create a new application pool: Kerberos
    2. In the advanced settings of the application pool change the Identity from ApplicationPoolIdentity to Local System
  7. Open the Kerberos website again with IE while you are on the SHP01 server: http://shp01/kerberos
    This time the site is displayed.
  8. Click Next
  9. Click Yes and Next
  10. Select the MSSP… service type and click Next
  11. Type the host name SHP01 and click next
  12. Currently I have a single application server; select Not applicable and click Next
  13. This is default IIS 7.0 so I can’t select anything just click Next
  14. Change the port number to the port that is used by the web application and click Next
  15. Type the service account name of the application pool running the MySite
  16. Select Yes and click Next, this will enable the tool to add an other delegation server.
  17. Select trust this account for delegation to any service and click Next
  18. Select the SQL service type and click Next
  19. Type the host name of the SQL Server SQL01 and click next
  20. Select Not Applicable and click Next
  21. Click Next
  22. Change port number when desired and click Next
  23. Type the SQL Service account and click Next
  24. No other server is added to be trusted for delegation, select No and click Finished.
  25. The report page is displayed. This results in the following objects that need to be created.
    setspn.exe -A MSSQLSvc/SQL01:1433 corp\svcSQL01_sqldbe
    setspn.exe -A MSSP/SHP01.corp.local:80 corp\Farm1APUMySite
    setspn.exe -A MSSP/shp01:80 corp\Farm1APUMySite

    Accounts to be configured to be trusted for delegation:
    corp\Farm1APUMySite
  26. Creating the SPNs. When you are logged on to the tool with an account that has the required rights you can click the Fix It button in the DelegConfig tool. Otherwise execute the given setspn commands with an account that has the needed rights.
  27. Configuring the accounts for delegation. Start the Active Directory Users and Computers management tool. Browse to the given service accounts. Right click and select Properties.
    Change to Trust this user for delegation to any service (Kerberos only) and click OK.
  28. Do this for all service accounts that are needed.
  29. We have now finished the settings for Kerberos. The only thing left is to test whether everything is working.
  30. Open the http://shp01/kerberos site from a remote PC (not SHP01) and execute some tests to see that everything is working as desired.
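
Besides the DelegConfig tests, the result of the SPN and delegation steps above can be verified directly in Active Directory. The script below is an added example, not code from the original post or from DelegConfig; it uses ADSI so it runs on a 2008 server without the AD module, and takes the account names and SPNs from the DelegConfig report above (only Farm1APUMySite is expected to be trusted for delegation, as the report lists).

```powershell
# Added example, not from the original post. Checks that each SPN from the report is
# registered on exactly one account and that the delegation flag matches the report.
$TRUSTED_FOR_DELEGATION = 0x80000    # userAccountControl bit set by "Trust this user for
                                     # delegation to any service (Kerberos only)"
$Checks = @(
    @{ Account = 'Farm1APUMySite'; Spns = @('MSSP/SHP01.corp.local:80', 'MSSP/shp01:80'); Delegation = $true  },
    @{ Account = 'svcSQL01_sqldbe'; Spns = @('MSSQLSvc/SQL01:1433');                      Delegation = $false }
)

function Find-AdAccounts([string]$LdapFilter, [string[]]$Props) {
    # Searches the current domain (corp.local) with the caller's credentials
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = $LdapFilter
    $null = $s.PropertiesToLoad.AddRange($Props)
    return @($s.FindAll())
}

foreach ($c in $Checks) {
    $acct = @(Find-AdAccounts "(&(objectCategory=person)(sAMAccountName=$($c.Account)))" @('servicePrincipalName', 'userAccountControl'))
    if ($acct.Count -ne 1) { Write-Warning "$($c.Account): not found"; continue }
    $spns = @($acct[0].Properties['serviceprincipalname'])
    $uac  = [int]$acct[0].Properties['useraccountcontrol'][0]

    foreach ($spn in $c.Spns) {
        # The same SPN on two accounts breaks Kerberos for both services: the KDC
        # cannot decide which account key to encrypt the ticket with
        $owners = @(Find-AdAccounts "(servicePrincipalName=$spn)" @('sAMAccountName')).Count
        $state  = if ($spns -contains $spn) {
                      if ($owners -eq 1) { 'OK' } else { "DUPLICATE ($owners owners)" }
                  } else { 'MISSING' }
        '{0,-16} {1,-26} {2}' -f $c.Account, $spn, $state
    }

    $delegated = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
    $state = if ($delegated -eq $c.Delegation) { 'OK' } else { 'MISMATCH' }
    '{0,-16} trusted for delegation = {1} (expected {2}) {3}' -f $c.Account, $delegated, $c.Delegation, $state
}
```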

Configure User Profile Synchronization Service to enable the My Site usages

This part will be placed in my blog about configuring SharePoint 2010 system and application services.