Friday 7 January 2011

Creating the My Site Web Application in SharePoint 2010 using Kerberos

The post that follows this one will be about configuring SharePoint 2010 system services and application services. Configuring one of those services (User Profile Synchronization) requires that your My Site web application is already available.

This post is a guide to setting up the My Site web application and site collection.

Everything is done in my Business Intelligence Demo Portal environment: http://blog.arjanfraaij.com/2010/12/sharepoint-2010-installation.html

All actions in Central Administration are performed with the initial setup account corp\shpSetup.

Create the Web Application

  1. Start Central Administration
  2. Go to Application Management > Manage web applications
  3. Click New
  4. Before changing any settings in the "Create New Web Application" window, scroll down to the Application Pool section and click Register new managed account.
    If you do this after you have already changed other settings, those settings are lost and you have to start over, so register the required managed account first. (You can also do this in advance via Central Administration > Security > Configure Managed Accounts.)
    I prefer a separate Application Pool User (APU) for each application pool; for My Site I use corp\Farm1APUMySite. Click OK to create the managed account.
  5. Scroll back up and start configuring the My Site web application. Settings not shown in the screenshots below I left at their defaults.
    Click OK; a warning message appears:
    This is because I chose Kerberos. To make this work you need to configure some Active Directory settings and SPNs. I will use the DelegConfig tool from http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx later to do this.
    Click OK; the web application is created.
    Click OK again to return to the Manage web applications window.
  6. Select the created web application and click Managed Paths to add the personal managed path.
    Click Add Path.
    The personal path is added; click OK to finish.
  7. Next we need to create a My Site Host site collection.
  8. Go to Application Management > Create Site Collections.
    Make sure you have selected the My Site web application. In the template section, select the Enterprise tab and the My Site Host template.
    I usually create standard functional accounts for the primary and secondary site collection administrators. This is a personal preference and not required.
    Click OK to create the site collection.
    Click OK to finish.
  9. Enable Self-Service Site Creation for the web application. You can do this through Central Administration > Security > Configure Self Service site creation, through Application Management > Configure Self Service site creation, or from the Manage Web Applications page.
  10. This time I chose Security > Configure Self Service site creation :-)
    In the Enable section select On and click OK.
  11. The basis for the My Site structure is now ready; a few more things remain:
    1. Add a DNS A (host) record for mysite.corp.local
    2. Configure the Kerberos settings using DelegConfig
    3. Configure the User Profile Synchronization Service to enable My Site usage
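The same web application, managed path, My Site Host site collection and self-service setting can be created from the SharePoint 2010 Management Shell instead of the Central Administration UI. The script below is an added example and is not from the original post; the account name corp\Farm1APUMySite and the URL mysite.corp.local come from the post, while the application pool name, content database name and the owner alias corp\shpSetup are assumptions to adjust for your own farm.

```powershell
# Added example: scripted equivalent of the Central Administration steps above.
# Not code from the original post. Names marked "assumption" are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url         = "http://mysite.corp.local"
$hostHeader  = "mysite.corp.local"
$poolName    = "SharePoint - MySite"        # assumption: application pool name
$poolAccount = "corp\Farm1APUMySite"        # Application Pool User from the post
$ownerAlias  = "corp\shpSetup"              # assumption: primary site collection admin
$dbName      = "WSS_Content_MySite"         # assumption: content database name

# 1. Register the managed account first, as the post does, so the app pool can use it
if (-not (Get-SPManagedAccount -Identity $poolAccount -ErrorAction SilentlyContinue)) {
    # Get-Credential prompts for the password of the service account
    New-SPManagedAccount -Credential (Get-Credential $poolAccount) | Out-Null
}

# 2. Web application in classic Windows authentication mode with Kerberos
$waParams = @{
    Name                   = "My Site"
    Url                    = $url
    Port                   = 80
    HostHeader             = $hostHeader
    ApplicationPool        = $poolName
    ApplicationPoolAccount = (Get-SPManagedAccount -Identity $poolAccount)
    AuthenticationMethod   = "Kerberos"     # NTLM is the default when omitted
    DatabaseName           = $dbName
}
$wa = New-SPWebApplication @waParams

# 3. Wildcard inclusion managed path "personal" under which personal sites are created
New-SPManagedPath -RelativeURL "personal" -WebApplication $wa | Out-Null

# 4. My Site Host site collection at the root of the web application
New-SPSite -Url $url -Template "SPSMSITEHOST#0" -Name "My Site Host" -OwnerAlias $ownerAlias | Out-Null

# 5. Self-Service Site Creation so users can provision their own personal site
$wa.SelfServiceSiteCreationEnabled = $true
$wa.Update()

# Show the result: URL, authentication method and self-service state
$wa | Select-Object DisplayName, Url, SelfServiceSiteCreationEnabled
```

Run it in the SharePoint 2010 Management Shell as the farm setup account. Kerberos still only works once the SPNs and delegation settings from the DelegConfig section are in place; until then, browsers fall back to NTLM or fail to authenticate, exactly as the warning in the UI says.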

Adding the A host record to DNS

  1. Open the DNS management console and browse to the corp.local forward lookup zone.
  2. Right-click in the right pane and select New Host (A or AAAA).
    As the name type mysite, as the IP address type the IP address of the SharePoint application server SHP01, and click Add Host to add the record.
    Click OK to finish.

Configure Kerberos with the DelegConfig tool

  1. Download the tool from: http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx
  2. Extract the kerberos folder and copy it to the physical folder of the IIS Default Web Site: \\shp01\c$\inetpub\wwwroot
  3. Start Internet Information Services (IIS) Manager on the SharePoint application server (SHP01).
  4. Browse to the Default Web Site.
  5. Right-click the kerberos folder and click Convert to Application.
    Click OK.
  6. On the SHP01 server, open the Kerberos website in IE: http://shp01/kerberos. The error below might appear:
    To solve this error, execute the following steps.
    1. Create a new application pool named Kerberos.
    2. In the advanced settings of the application pool, change the Identity from ApplicationPoolIdentity to LocalSystem.
  7. On the SHP01 server, open the Kerberos website in IE again: http://shp01/kerberos
    This time the site is displayed.
  8. Click Next.
  9. Click Yes and Next.
  10. Select the MSSP… service type and click Next.
  11. Type the host name SHP01 and click Next.
  12. Currently I have a single application server, so select Not Applicable and click Next.
  13. This is a default IIS 7.0 installation, so there is nothing to select; just click Next.
  14. Change the port number to the port used by the web application and click Next.
  15. Type the service account name of the application pool running the My Site web application.
  16. Select Yes and click Next; this lets the tool add another server to the delegation chain.
  17. Select Trust this account for delegation to any service and click Next.
  18. Select the SQL service type and click Next.
  19. Type the host name of the SQL Server, SQL01, and click Next.
  20. Select Not Applicable and click Next.
  21. Click Next.
  22. Change the port number if desired and click Next.
  23. Type the SQL service account and click Next.
  24. No other server needs to be trusted for delegation, so select No and click Finished.
  25. The report page is displayed. It lists the following objects that need to be created:
    setspn.exe -A MSSQLSvc/SQL01:1433 corp\svcSQL01_sqldbe
    setspn.exe -A MSSP/SHP01.corp.local:80 corp\Farm1APUMySite
    setspn.exe -A MSSP/shp01:80 corp\Farm1APUMySite

    Accounts to be configured as trusted for delegation:
    corp\Farm1APUMySite
  26. Creating the SPNs. If you are logged on to the tool with an account that has the required rights, you can click the Fix It button in DelegConfig. Otherwise, execute the listed setspn commands with an account that has the required rights.
  27. Configuring the accounts for delegation. Start the Active Directory Users and Computers management tool. Browse to the listed service accounts, right-click each one and select Properties.
    Change the setting to Trust this user for delegation to any service (Kerberos only) and click OK.
  28. Do this for all service accounts that need it.
  29. The Kerberos settings are now finished. The only thing left is to test whether everything is working.
  30. Open the http://shp01/kerberos site from a remote PC (not SHP01) and run some tests to see whether everything works as desired.
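Besides the DelegConfig test page, it is worth checking directly in Active Directory that the SPNs from the report landed on the right accounts, that none of them is duplicated (a duplicate SPN makes the KDC hand out tickets for the wrong account, and clients silently fall back to NTLM), and what kind of delegation each account actually has. The script below is an added example, not part of the original post or of the DelegConfig tool. It assumes a domain-joined machine with the Active Directory PowerShell module and takes the account and SPN names from the setspn lines above; note that "trust for delegation to any service", as configured in the post, is unconstrained delegation, and the script flags it so you can decide whether constrained delegation (listing only MSSQLSvc/SQL01:1433) is acceptable in your environment.

```powershell
# Added verification script, not from the original post.
# Assumes: Active Directory module (RSAT) available; names below are the ones
# produced by the DelegConfig report in the post. Adjust for your own farm.
Import-Module ActiveDirectory

# Expected SPN -> account mapping, copied from the setspn lines in the report
$expected = @{
    'Farm1APUMySite'  = @('MSSP/SHP01.corp.local:80', 'MSSP/shp01:80')
    'svcSQL01_sqldbe' = @('MSSQLSvc/SQL01:1433')
}

function Test-ServiceAccountKerberos {
    param([string]$SamAccountName, [string[]]$ExpectedSpns)

    $acct = Get-ADUser -Identity $SamAccountName `
        -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $registered = @($acct.servicePrincipalName)

    # 1. Every SPN from the report must be present on this account
    foreach ($spn in $ExpectedSpns) {
        if ($registered -contains $spn) { "OK        $spn" }
        else { "MISSING   $spn  (run: setspn.exe -A $spn corp\$SamAccountName)" }
    }

    # 2. No SPN on this account may also exist on another object in the domain
    foreach ($spn in $registered) {
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($holders.Count -gt 1) {
            $others = ($holders | Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }).Name -join ', '
            "DUPLICATE $spn is also registered on: $others"
        }
    }

    # 3. Report the delegation mode actually set on the account
    if ($acct.TrustedForDelegation) {
        "WARNING   $SamAccountName is trusted for delegation to any service (unconstrained)"
    } elseif ($acct.'msDS-AllowedToDelegateTo') {
        "OK        constrained delegation to: $($acct.'msDS-AllowedToDelegateTo' -join ', ')"
    } else {
        "INFO      no delegation configured"
    }
}

function Get-KerberosNetworkLogon {
    # Run on SHP01 after browsing My Site from a remote PC: recent network (type 3)
    # logons that used the Kerberos package. If they all say NTLM, Kerberos is not in use.
    param([int]$Last = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $Last |
        Where-Object { $_.Message -match 'Logon Type:\s+3' -and
                       $_.Message -match 'Authentication Package:\s+Kerberos' } |
        Select-Object TimeCreated, Id
}

foreach ($sam in $expected.Keys) {
    "== $sam =="
    Test-ServiceAccountKerberos -SamAccountName $sam -ExpectedSpns $expected[$sam]
}

# Client-side check (run on the remote PC right after opening the My Site URL in IE):
# a cached service ticket for the My Site SPN means Kerberos, not NTLM, was used.
klist.exe | Select-String -Pattern 'MSSP/'
```

Run the account checks as any domain user (reading SPNs and the delegation attributes needs no special rights), the klist check on the remote PC, and Get-KerberosNetworkLogon as an administrator on SHP01. A MISSING or DUPLICATE line explains most "it worked on the server but not from a remote PC" results, because local browsing on SHP01 does not exercise the SPNs in the same way.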

Configure the User Profile Synchronization Service to enable My Site usage

This part will be covered in my post about configuring SharePoint 2010 system and application services.
