Tech Tips, News and Tribal Knowledge

I found a bug today in the Quest Security Explorer 7.0.0 for SharePoint 2007.  If you create a document library with a forward slash in the name, the application will prompt for a logon and after several unsuccessful tries, it will return a message box stating “Error: Invalid Pointer.”  At this point, you will need to click on the root site and hit F5 to refresh the perms.

You will also have difficulty if you attempt to backup permissions of any site that has a document library, or probably any securable object, that has a forward slash in the path.  The backup will proceed normally until it hits the errent object.  It will then ask you for authentication and finally give up the ghost with the error:

“[-2146233088] Exception of type ‘ScriptLogic.Common.SharePointAccess.Node
+AuthenticationException’ was thrown.”

 So, if you use the Quest product for permissions management, don’t create document libraries that contain a forward slash “/” with names like “My Docs/Under Review.”  

I’m going to open a tickect with Quest / ScriptLogic later this week.  I’ll post any additional info I receive from them.

UPDATE:

Apparently Quest is aware of this issue and they have created a tech note in their support database.  Their workaround is to remove all forward slashes from document libraries and lists.  However, if you really want to use the forward slash in your system, it is possible to continue to use the forward slash in your navigation links.

1. Create your document library using a forward slash.
2. Navigate to your document library and open your library’s settings page.
3. Select “Title, Description and Navigation.” 
4. Remove the forward slash from the “Name” field and save. 
5. Open your “Site Settings” page and select “Navigation” under the “Look and Feel” section.
6. Find your site link and add the slash back into the “Title” field.
7. Click “OK” and close the “Navigation” page.

Your document library link will now contain the forward slash as  before and Security Explorer will be able to parse the object properly. 

Ever wished you could link directly from a SharePoint document library to a file or file share?   Well here is a code snippet  that allows you to specify the file:// prefix as well as http:// or https://.  It accomplishes this by altering the input checking on the newlink.aspx found in your layouts directory.

While you can always use the page viewer web part to accomplish the same thing, this method will allow you to mix SharePoint documents and file server documents in the same library.

This method does require that you edit one of your layout files in the ”…\12\TEMPLATE\LAYOUTS” directory, so make sure you back it up before you begin. 

1) Add the content type “Link to a Document” to your document library. If the content type doesn’t exist, simply create it with Document as the parent.

2) Navigate to your “layouts” folder and edit the newlink.aspx. Add the following at the end of the script section near the top of the page:

function HasValidUrlPrefix_Override(url)
{
var urlLower=url.toLowerCase();
if (-1==urlLower.search(”^http://”) &&
-1==urlLower.search(”^https://”) && -1==urlLower.search(”^file://”))
return false;
return true;
}

3) Find each occurance of the function HasValidUrlPrefix and replace it with HasValidUrlPrefix_Override.  It’s in there twice.

4) Save and restart IIS.

Now not only can you add a link to an http:// or https:// page, the override function allows you to link to docs on a file share. Use a syntax of:  file://\\fileserver\filename.doc.

If you’d rather have it open a folder instead, create a shortcut to the folder in question and create your link like this:  file://\\fileserver\shortcutname.lnk

If you really want to get fancy, you can edit the wss.resx file at:  c:\Inetpub\wwwroot\wss\VirtualDirectories\<app name>\App_GlobalResources

Find the section named ‘<data name=”newlink_badurl”>’ and change the value to read:  <value>Enter a valid document name and URL.  Valid URLs must begin with ‘http:’,  ’https:’,  or ‘file:’</value>

Remember to backup your layouts folder and wss.resx file before messing around in there!

Love it, or hate it, free is always a good thing!

Anyone interested in a free copy of SharePoint Designer can get it here:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=baa3ad86-bfc1-4bd4-9812-d9e710d44f42

I’ve recently e-mail enabled some document libraries on our SharePoint site and have noticed some odd behavior.  It seems that In order to send a document to the library, I need to actually have some content in the message.  If I simply attach a message, using Outlook 2007, without any accompanying text, the document disappears into SharePoint heaven never to be seen again.  It doesn’t seem to need a subject, just some text.  Even a single carriage return is sufficient.

I’m running the site using a least priviledged model which requires me to add the contacts manually to AD.  Everything seems to work properly as long as I include some text.

I’m not sure if this is a SharePoint deficiency or an Outlook issue.  I will post a followup if I figure this out.

Recently I experienced some unusual Kerberos authentication issues with one of our SharePoint farms. Users accessing the farm using the Kerberos protocol would receive repeated logon dialog boxes from the front-end server. The prompts would continue even though the user was entering the proper credentials. These repeated logon attempts wouldn’t lock out the user account which indicated the logon never got past the front-end server. This behavior affected only those users authenticating to the farm using Kerberos. Any users authenticating to the farm using the NTLM protocol had no issues logging in. In addition, the following KRB_AP_ERR_MODIFIED error appeared in the event logs:

Read more

After installing SharePoint using the least privileged model, you will undoubtedly find your event logs filled with errors. You will see dozens of 10016, 7888, 6482 and 6398 events all with red the “X”, but don’t despair, you haven’t done anything wrong. If you have followed SharePoint best practices, the accounts you have used for your farm, shared services provider, default content access and application pools are all domain user accounts with no special rights or privileges. When installing MOSS under the least privileged model, these errors are expected. In order to eliminate the errors and finish your install, you need to complete three basic permissioning tasks before calling it a day.

Read more

Recently I was tasked with creating a training environment for new SharePoint site administrators. Since the trainer wanted to create as realistic an experience as possible, the site needed to closely match the production environment. The training session was scheduled to begin in a couple of days, so I didn’t have much time to come up with a workable solution.

Read more

Microsoft has just released updates to both Sharepoint 2007 and Windows Sharepoint Services 3.0.  The update addresses several performance and scalability issues as well as adding new search features such as federated search and a unified search admin dashboard.

Microsoft recommends applying these fixes as soon as possible.

You can find the patches at:

32 bit

Infrastructure Update for Microsoft Office Servers (KB951297)

Infrastructure Update for Windows SharePoint Services 3.0 (KB951695)

64 bit

Infrastructure Update for Microsoft Office Servers (KB951297)

Infrastructure Update for Windows SharePoint Services 3.0 (KB951695)

Join the forum discussion on this post - (1) Posts

In Eric Eaton’s post, How do I make our SharePoint site stop asking me to login? – Part II, he discusses several issues that prevent pass-through authentication from SharePoint to Active Directory. While browser settings are a common source of authentication problems, in this post, I’d like to discuss an interesting credential issue related to Kerberos ticket expirations.

Read more

The double-hop issue in SharePoint occurs when IIS attempts to pass the user’s NTLM credentials to a service that is running on a server that is either not part of the requesting server’s farm, or not running directly on the web server. A good example of this is a web part that requests data from a SQL server that is not part of the MOSS farm and that SQL server requires the credentials of the user making the request. This type of authentication request is disallowed in .NET. As NTLM authenticates only the client and not the server, there would be no way for the end user to know if their credentials were passed to a valid service. If Microsoft Windows authentication allowed this, a web server could collect user credentials and pass them around at will. This would be a very poor security model. Fortunately, Kerberos authentication provides a workaround for this, but it requires a little more configuration effort.

Read more