Thursday, December 31, 2009

Authentication Roadblock for WSS 3.0 Access on the local Server

Ran into a fun little authentication issue with IIS 7 and SharePoint recently. I installed a SharePoint farm on one machine and set up my first site collection with a custom host header. Once the site was created I was unable to access it from the host server where I was working. I received an authentication prompt three times and the browser would report that the page load was "Done" but the result was a blank page. The problem did not occur when I set up the site using the host name and a port number.

A peek in the server event logs showed my account failing the authentication with the following:

Security Log Error: 4625
Keyword: Audit Failure
Failure Reason: An Error occurred during Logon.
Status: 0xc000006d

A little Internet searching and a look at one of my favorite troubleshooting resources, www.eventid.net, resulted in a link to Microsoft KB 896861, which explains an authentication issue with Integrated Authentication and versions of IIS over 5.1.

The fix that worked for me was to disable the loopback check, a security feature designed to prevent reflection attacks. Make the following change to the registry and everything will be right in your SharePoint world.


  1. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  2. Right-click Lsa, point to New, and then click DWORD Value.

  3. Type DisableLoopbackCheck, and then press ENTER.

  4. Right-click DisableLoopbackCheck, and then click Modify.

  5. In the Value data box, type 1, and then click OK.

  6. Quit Registry Editor, and then restart your computer.
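
KB 896861 also documents a narrower alternative to the steps above: list only the affected host header in BackConnectionHostNames and leave the loopback check on for every other name. The PowerShell below is an added example, not part of the original post, that applies that alternative; the host name sharepoint.example.local is a placeholder for the site's actual host header.

```powershell
# Added example (not from the original post). Run in an elevated session.
# $HostHeader is a placeholder: substitute the host header of your site.
$HostHeader = 'sharepoint.example.local'

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# 1. Report the current machine-wide setting.
#    Value absent or 0 = loopback check enforced; 1 = disabled for all names.
$current = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
            -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($current -eq 1) {
    Write-Warning 'DisableLoopbackCheck = 1: the check is off for every host name on this server.'
} else {
    Write-Output 'Loopback check is enforced (value absent or 0).'
}

# 2. Merge the host header into BackConnectionHostNames (REG_MULTI_SZ),
#    keeping any names that are already listed.
$existing = (Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
             -ErrorAction SilentlyContinue).BackConnectionHostNames
$names = @(@($existing) + $HostHeader | Where-Object { $_ } | Sort-Object -Unique)

New-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
    -PropertyType MultiString -Value $names -Force | Out-Null
Write-Output ("BackConnectionHostNames now contains: " + ($names -join ', '))

# 3. With the exemption in place, turn the global check back on if it was off.
if ($current -eq 1) {
    Set-ItemProperty -Path $lsa -Name DisableLoopbackCheck -Value 0
    Write-Output 'DisableLoopbackCheck reset to 0; only the listed names bypass the check.'
}
```

Restart as in step 6 afterwards so the change takes effect.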

Wednesday, December 30, 2009

Digital Readers and Twitter May Change Reading and Writing

Check out this interesting segment from NPR this morning, "How E-Books Will Change Reading and Writing", regarding the introduction of digital readers and social media into the mainstream.

Lev Grossman (a Time magazine book reviewer) says the real challenge for writers is electronic-book readers like the Kindle. He says the increasingly popular devices force people to read books in a different way.

"They scroll and scroll and scroll. You don't have this business of handling pages and turning them and savoring them." Grossman says that particular function of the e-book leads to a certain kind of reading and writing: "Very forward moving, very fast narrative ... and likewise you don't tend to linger on the language. When you are seeing a word or a sentence on the screen, you tend to go through it, you extract the data, and you move on."


I don't agree with the idea that digital readers make people less willing to engage in written material for the long haul. Personally, I read more now and spend more time considering and highlighting segments of books using my Kindle, something I didn't do with a printed book. It's not all about "extracting the data and moving on," it's about consuming the data in a medium that makes it accessible during the time you have available.

The segment also discusses cell phone novels and writing via Twitter. While I agree that Twitter is certainly not the future of written novels, I do think it is a fast and reasonably reliable way to gather news and information that is relevant to one's current activities. It might even mean I have more time to read that book.

Mostly Useless Server 2008 Personalization Trivia

When you first load a fresh install of Windows 7 or Server 2008 (original or R2) the desktop is empty of icons except for the Recycle Bin. Personally, I really like it that way. The search mechanism is so easy to use I have little need for icons cluttering up my desktop background.

However, some people like the look of the familiar. In Windows 7, you can use the "Personalization" control panel applet to add back the icons for Computer, Network and Documents. Windows 2008 has no such option in the control panel for restoring those icons by default. Instead you must type "desktop icons" into the search window and select the hidden control panel feature to "Show or hide common icons on the desktop."


You can right click "Computer" in the start menu and there is an option for that component to show on the desktop, but the same feature is not available for "Network." The other option is to install the "Desktop Experience" onto the server, which will add several of the customizing features that one might be wishing for. I also noticed that I have access to the Personalization control panel applet on a server that has Terminal Services (aka Remote Desktop Services) installed.

I suspect there are some registry keys that can reveal some of these interface tweaks. Or maybe this is just a Trivial Pursuit question in the making.

Monday, December 28, 2009

New Year's Resolution: Get Certified!

Is your New Year's resolution to finally sit down and take some Microsoft exams? I'm planning to work a bit harder toward my Exchange 2007 MCITP certification in the first half of 2010. Just because Exchange 2010 is released doesn't mean that taking the time to learn an "older" technology isn't useful, especially if that is what you are faced with administering on a day to day basis.

If you haven't visited the Microsoft Learning website recently, it's worth a look. Microsoft has updated several of their charts and learning paths to make the changes between the MCSE program and the MCTS and MCITP programs a lot clearer. I'm a fan of the "Certification by Technology" chart that lists out each major product line and the certification paths available.

There are also some downloadable charts detailing the upgrade paths from older certifications, complete with recommendations for online or live training and reading materials. Finally, the Learning Catalog has several free "clinics" covering topics such as "Exchange 2010 in the Enterprise" and "Exploring Microsoft Virtualization". They are an easy place to get started.

Here's to a productive 2010!

Thursday, December 24, 2009

Recovering Hard Deleted Items in Outlook

This isn't new information, but it's something that comes up from time to time - recovering hard deleted (SHIFT+DEL) items from Outlook. Hard deleted items skip over the "Deleted Items" bin, so they can't be recovered using the regular "recover deleted items" tool within the Outlook client.

Exchange 2003 OWA can be used to recover items that were hard deleted using the Outlook client. To get back those items, log into the OWA web page. Then edit the URL to be: "https://server_name/exchange/user_name/inbox/?cmd=showdeleted". The "dumpster" for the inbox will appear and you can recover your deleted email. If you want to recover items from other folders, just change the word "inbox" in the URL to the folder you need, like "calendar" or "drafts".

If you are using Outlook 2003 as your mail client there is a registry setting that you can add to turn the dumpster on for all the folders. Outlook 2007 has the registry setting already enabled by default. Of course, recovering any deleted items assumes that the deleted items retention settings have been configured on your Exchange server.

Wednesday, December 23, 2009

Installing IIS for SQL 2005 and SharePoint

I've started planning out an installation of SharePoint at work and have found myself installing some of the necessary WSS 3.0 components in the lab. I want to set up SharePoint as a small server farm on one server, which requires SQL to be pre-installed. Both SQL 2005 (if you want all the services) and WSS 3.0 require IIS, but the default installation of IIS on Windows Server 2008 does not include all the necessary components for either one.

First, to support WSS 3.0, you'll need to make sure all the components in this list are selected. But if you go with just the components on that list, you'll still get a warning about "IIS Feature Requirement" when installing SQL 2005. Most of the necessary components overlap with WSS 3.0 except for one - HTTP Redirection - so be sure to select that one as well.

Finally, if you are looking around for some WSS 3.0 installation guides, here is a link to some of the downloadable documentation. Perfect if you are looking for some fresh reading on your Kindle.

Monday, December 21, 2009

Keeping track of the SQL User Provisioning Tool

Here's a tool I find myself looking for over and over again. After installing SP2 or SP3 on an installation of SQL 2005 you have the option to run the "User Provisioning Tool for Vista", allowing you to set proper access permissions.

However if you haven't restarted SQL services before running it, it fails to connect to the database and then closes. There isn't a shortcut anywhere to restart it, so it can be a mystery as to how to locate it again. The path to the tool is:

%ProgramFiles%\Microsoft SQL Server\90\Shared\sqlprov.exe

For more information about why this tool exists, check out this msdn blog post.

Friday, December 18, 2009

Who's Geeky? She is.

Happened across the She's Geeky conference while surfing around the web. "She's Geeky" is an event specifically for women interested in and/or working in the technology, math and science industries. Actually, it's an "un"conference - 3 days of geek-minded women gathered together with a daily agenda of tracks and sessions generated fresh every morning.

I'm always up for an interesting tech conference, plus it's hard to pass up an event being held at the Computer History Museum in Mountain View, CA. Seems like a great chance to check out the Babbage Engine, too!

Thursday, December 17, 2009

Handy ASP.NET 2.0 Tidbit

I've been familiarizing myself with WSS 3.0 this week and as part of that process I've been doing several installations in the lab. I ran into an issue on Windows 2003 Server with the installation of .NET 3.0 Framework and ASP.NET 2.0, which are required for the installation of Windows SharePoint Services.

While I had all the components installed, the ASP.NET 2.0 appeared to be missing from IIS. Our DBA has some experience with IIS and had run into a similar problem in the past, so he had the answer for me. ASP.NET 2.0 isn't automatically registered with IIS and that problem is easily solved by running this command:

c:\windows\microsoft.net\framework\v2.0.50727\aspnet_regiis -iru -enable

I want to keep this fix handy, since my co-worker certainly saved me some time. Figured I might as well pay it forward and share it with others who may run into the same issue.

Tuesday, December 15, 2009

Exchange Server under the tree this Christmas?

I've been reading a lot about Exchange 2007 and have been thinking about what the next move for our Exchange server at the office should be. We haven't decided on Exchange 2007 vs. Exchange 2010 yet, but no matter... I want Santa to bring me a way to eliminate all the PST files being used around the office.

We don't have a large staff. With less than 70 people our Exchange server doesn't work that hard. However, with the desire to bring email services back up as quickly as possible after a failure we have a policy in place that limits the amount of mail stored on the server to 250MB per user. This leaves our data store at a little over 18GB. Our last test restoration of Exchange required about 2 hours for loading the database.

Contrary to this is everyone's need to keep every scrap of every email message. This has led to numerous PST files created as archives for all this mail. It's pretty safe for me to assume that almost every employee has at least one PST file and they are all stored on the network shares. (Yes, I know PST storage on the network is unsupported.) My quick search yielded about 30 GB of PST files and I know I didn't find them all.

So what exactly can Santa bring me?

First, I would be lying if I said I needed a server with more space. The current Exchange server still has upwards of 180GB free, so it's likely I could support years of user email with our current setup just by throwing open the storage limits.

I would like to have a proper email archiving system that would automatically move mail from the active mailboxes to secondary storage, thus leaving my primary database small while allowing users to seamlessly access old messages. Personally, I don't keep much in the way of work email and I think that if my company wants me to keep mail for historical purposes, they should provide an easy way to do so. However, I haven't managed to convince the powers-that-be that this is something to embrace quite yet.

My next choice would be reconfiguring Exchange using 2007 or 2010 to take advantage of additional storage groups and "dial-tone" mail service. If I could virtualize the mail server with a SAN for storage, I could bring basic services up in a snap(shot). By breaking up users into multiple storage groups, it would be possible for us to restore mail service immediately and then backfill the databases in small chunks. While it would still take time to restore all the data, users would be able to send and receive mail while old mail would trickle in as the storage groups come back online.

I know "dial-tone" restores are possible with my current setup, but utilizing it in Exchange 2007 or later is much easier than Exchange 2003 due to the auto-discovery features. I also would like to have at least one storage group (with only one database) per department, nearly double of the four storage group limit with Exchange 2003. With the 50 storage group limit in Exchange 2007 I wouldn't have any problem meeting my goal. Also, Exchange 2010 has some good "starter" archiving features for mail management that might be worth a closer look.

Of course Exchange 2007 and 2010 require 64-bit hardware, so maybe Santa can bring me that new server after all.

Thursday, December 10, 2009

IT Roadmap at Moscone Center

Yesterday was the Network World IT Roadmap in San Francisco. I had the experience of being the user case study presenter for the virtualization session. If you happened to catch it, I apologize for talking too fast. I'm working on that!

Other sessions covered application delivery, green IT, IP communications, data center, cloud, network management, security and compliance and WAN, LAN and mobility. Phew. Network World offered a lot in one day, plus several additional keynotes and the expo hall. My co-worker caught the WAN, LAN and mobility session, so I'm curious to see what trouble he'll be looking to cause in the office next week.

There was some twittering happening related to the conference, but I was disappointed to see that the @itroadmap Twitter handle didn't tweet at all during the event. They had advertised Twitter on the conference site as a way to stay connected during the conference yet didn't reach out to that audience once. Twitter is becoming a popular way to interact as things happen - several attendees were tweeting during sessions - so it seems like Network World missed out on an opportunity there.

Old Tech is Cool Tech

Hope you didn't miss out on the news that Charles Babbage's Difference Engine has been built (twice!) and is on display in London and at the Computer History Museum in Mountain View, CA.

Check out the article on NPR.com or check it out in person before the end of 2010.

Monday, December 7, 2009

If You Build It, Can They Come?

I've posted several times about working on a disaster recovery project at the office using Server 2008 Terminal Services. We've officially completed the testing and had some regular staffers log on and check things out. That was probably one of the most interesting parts.

One issue with end user access was problems with the Terminal Services ActiveX components on Windows XP SP3. This is disabled by default as part of a security update in SP3. This can usually be fixed with a registry change which I posted about before, however that requires local administrative privileges that not all our testing users had. There are also ActiveX version issues if the client machine is running an XP service pack that is earlier than SP3.

Administrative privileges also caused some hiccups with one of our published web apps that required a Java plug-in. At one point, the web page required a Java update that could only be installed by a server administrator and this caused logon errors for all the users until that was addressed.

In this lab setting, we had also restored our file server to a different OS. Our production file server is Windows 2000 and in the lab we used Windows 2008. This resulted in some access permission issues for some shared and "home" directories. We didn't spend any time troubleshooting the problem this time around, but when we do look to upgrade that server or repeat this disaster recovery test we know to look into the permissions more closely.

Users also experienced trouble getting Outlook 2007 to run properly. I did not have issues when I tested my own - there were some dialog boxes that needed to be addressed before it ran for the first time to confirm the username and such. While the answers to those boxes seem second nature to those of us in IT, we realized that we will need to provide better documentation to ensure that users get email working right the first time.

In the end, detailed documentation proved to be the most important aspect of rolling this test environment out to end users. In the event of a disaster, it's likely that our primary way of sharing initial access information would be by posting instructions to the Internet. Providing easy to follow instructions that include step-by-step screenshots and can be followed independently is critical. After a disaster, I don't expect my department will have a lot of time for individual hand-holding for each user that will be using remote access.

Not only did this project provide an opportunity to update our procedures used to restore services, it showed that it's equally as important to make sure that end users have instructions so they can independently access those services once they are available.

Sunday, December 6, 2009

On my calendar - SharePoint and Virtualization

I've got a couple of interesting things coming up this week.

First, I'm taking a quick 2-day LearnIT! class on Windows SharePoint Services 3.0. There has been a desire to add on some collaboration tools specifically for meeting management at the office and I'm hoping this short class will get me pointed in the right direction.

Later this week, I'll be one of the case study speakers on virtualization at Network World's IT Roadmap 2009. If you are there, be sure to drop me a tweet @jkc137. The conference Twitter handle is supposed to be @itroadmap, but that account currently seems to be a bit spam-filled at the moment. I hope they resolve that before Thursday.

Wednesday, December 2, 2009

What's in a Pop-Up?

Last week, I posted about how some of our strict group policy settings on our Terminal Services RemoteApp deployment were causing some difficulty using some web-based applications, like our time card application. As I continued to use the application through RemoteApp, I found another hiccup in the GPO settings - the lack of the application to be able to pop up additional windows for some special tasks.

I started with looking at all the GPO settings related to the Pop-up Blocker. There are several - Pop-up allow list, Turn off Managing Pop-up Allow list, Turn off pop-up management. After tweaking and disabling those, I still couldn't get the new task window to appear.

In order to leave no stone unturned, I proceeded to look closely at every IE setting that was configured and came across "Disable Open in New Window menu option", under User Config - Policies - Admin Templates - Windows Components - Internet Explorer - Browser Menus. The provided explanation leads one to believe that it only hides the option from the shortcut menu to prevent users from manually launching a new window from that browser session. However, it also prevents an application from launching the window.

Since the Pop-Up Blocker itself wasn't the problem, I was curious about what the Pop-up Blocker actually blocks. MSDN has some in-depth explanations about how the Pop-up Blocker works, but it comes down to this: Pop-up blocking prevents new browser windows being opened automatically using a script. Pop-up Blocker doesn't affect browser activities when they are initiated by a user action (such as clicking a button or hyperlink), when opened in the Trusted sites and Local intranet zones, or when opened by other applications running on the local computer.

It does block script methods that call the following:

  • window.open
  • window.showHelp
  • window.showModalDialog
  • window.showModelessDialog
  • window.external
  • window.NavigateAndFind

An interesting note was that pop-ups created with "window.createPopup" are unaffected by the Pop-up Blocker. That doesn't make sense to me, but I'm not a developer and I'm sure there is something I'm missing.

In my case, changing the Pop-up settings was moot, because the specific policy blocking the "window.open" command trumped any attempt to open a new window, specifically those initiated by users.
