Saturday, May 21, 2011

Using Kernel-Mode with SharePoint 2010 Farm

I will start with this quote from Microsoft: "Kernel Mode Authentication is not supported in SharePoint 2010 Products. This information is provided for informational purposes only."
However, Microsoft gave us a workaround for this issue. As you probably know, with Kernel-Mode authentication the Kerberos tickets are decrypted using SPNs that exist on the machine account instead of the custom application pool identity.
What we are going to do is tell IIS to use the application pool identity instead of the machine account when Kernel-Mode is enabled.


What we need to do is very simple: just read this article from Microsoft about adding the attribute useAppPoolCredentials to the ApplicationHost.config file (located at %windir%\system32\inetsrv\config\). Example:

<system.webServer>
   <security>
      <authentication>
         <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>
I tested this workaround on a testing environment (Tier 1 - 2 WFE servers with NLB, 2nd tier - Application Server, 3rd tier - SQL Server) and it works perfectly. If you have more information about issues with this workaround, please share it with us, thanks.
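An added example, not from the original post or from Microsoft: a PowerShell audit that reads an applicationHost.config (here a constructed sample with made-up site, pool and account names) and flags sites where Windows authentication runs in kernel mode under a custom application pool identity without useAppPoolCredentials. It assumes the IIS 7 schema defaults (useKernelMode true, useAppPoolCredentials false) and, as a simplification, maps each location to its site's root application.

```powershell
# Constructed sample standing in for applicationHost.config; all names are made up.
[xml]$sample = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="SP-Portal"><processModel identityType="SpecificUser" userName="EXAMPLE\svc-portal" /></add>
      <add name="SP-MySites"><processModel identityType="SpecificUser" userName="EXAMPLE\svc-mysites" /></add>
      <add name="DefaultAppPool"><processModel identityType="NetworkService" /></add>
    </applicationPools>
    <sites>
      <site name="Portal"><application path="/" applicationPool="SP-Portal" /></site>
      <site name="MySites"><application path="/" applicationPool="SP-MySites" /></site>
      <site name="Default Web Site"><application path="/" applicationPool="DefaultAppPool" /></site>
    </sites>
  </system.applicationHost>
  <location path="Portal"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" /></authentication></security></system.webServer></location>
  <location path="MySites"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" /></authentication></security></system.webServer></location>
  <location path="Default Web Site"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="true" /></authentication></security></system.webServer></location>
</configuration>
'@

function Get-KernelModeAuthFinding {
    param([xml]$Config)
    foreach ($loc in $Config.SelectNodes('/configuration/location')) {
        $wa = $loc.SelectSingleNode('system.webServer/security/authentication/windowsAuthentication')
        if ($null -eq $wa -or $wa.GetAttribute('enabled') -ne 'true') { continue }
        # Absent attributes fall back to the schema defaults (assumed: kernel mode on, pool credentials off)
        $kernel   = $wa.GetAttribute('useKernelMode') -ne 'false'
        $poolCred = $wa.GetAttribute('useAppPoolCredentials') -eq 'true'
        # Simplification: resolve the location to the site's root application and its pool
        $siteName = ($loc.GetAttribute('path') -split '/')[0]
        $site = $Config.SelectNodes('//sites/site') | Where-Object { $_.GetAttribute('name') -eq $siteName }
        if ($null -eq $site) { continue }
        $poolName = $site.SelectSingleNode("application[@path='/']").GetAttribute('applicationPool')
        $pool = $Config.SelectNodes('//applicationPools/add') | Where-Object { $_.GetAttribute('name') -eq $poolName }
        $pm = $pool.SelectSingleNode('processModel')
        $custom = $null -ne $pm -and $pm.GetAttribute('identityType') -eq 'SpecificUser'
        [pscustomobject]@{
            Site = $siteName; AppPool = $poolName; CustomIdentity = $custom
            KernelMode = $kernel; UseAppPoolCredentials = $poolCred
            # Tickets for SPNs on the pool account would be decrypted with the machine account key
            NeedsFix = ($kernel -and $custom -and -not $poolCred)
        }
    }
}
Get-KernelModeAuthFinding -Config $sample | Format-Table -AutoSize
```

To audit a real server, load a copy of the file with `[xml](Get-Content <path>)` and pass it to the function in place of `$sample`.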

Friday, May 20, 2011

DelegConfig (Delegation / Kerberos Configuration Tool)

We all know how frustrating it is to configure Kerberos in some situations. I want to show you a really nice tool by Brian Murphy-Booth that can help you pass smoothly through that part of building a new secure environment using Kerberos \ Constrained Delegation. And yes, this tool supports SharePoint as a service type, as well as other service types for the back end for checking double hopping; you can see it in the picture below.

I recommend you read the Welcome page when you open the tool for the first time.

The DelegConfig (taken from here)
Overview 
This is an ASP.NET application used to help troubleshoot and configure IIS and Active Directory to allow Kerberos and delegating Kerberos credentials.

Features
- Supports IIS 6.0 as well as IIS 7.0 (useKernelMode / useAppPoolCredentials)
- Allows adding backend servers of type UNC, HTTP, LDAP, OLAP, SQL, SSAS, and RDP
- Allows chaining of multiple hops (versus only a single backend)
- Performs duplicate SPN check against all trusted domains.


/Set/SPNs.aspx - Allows adding and removing of ServicePrincipalNames.

/Set/Delegation.aspx - Allows changing Trust for Delegation settings.

/Set/Providers.aspx - Allows correcting of inadequate NTAuthenticationProviders settings.

/Report.aspx - Gives a picture of what is right and what is wrong.

/Wizard.aspx - A set of wizard steps that supports adding more tiers to /Report.aspx.

/Test.aspx - Allows double-hop tests for webServer-to-Sql or webServer-to-fileServer or webServer-to-webServer.

Requirements
IIS 6.0 or IIS 7.0
ASP.NET 2.0 or higher
I started using it on every IIS\SharePoint server: just create a new site pointing to the DelegConfig folder and leave the site stopped, and use it when you want to check Kerberos problems. My friend (Assaf Lev from Matrix Company) gave this tool the nickname "Kerbi" :-)



Also, don't forget that you can use "setspn.exe -x" to see duplicate SPNs in your domain (only in the new setspn version in Win2K8). Refer to this link (Read It!) for more new features.

If you have new info to share with me and other viewers, just leave a comment. Thanks and good luck, my friends.

Tuesday, April 5, 2011

DB Server Alias - SQL Server Client Network Utility

I will show you here a tool called "SQL Server Client Network Utility" (RUN > CliConfg.exe). With this tool we can create a SQL alias for our DB server and use it instead of the FQDN of the DB server, for example when we install SharePoint.

It makes life easier when we want to move to another SQL Server: just change the alias on the WFEs and you are ready to go. It is known as a best practice for installing SharePoint.
More than that, when you configure the DB alias in the utility you can specify a pre-defined protocol, so you get better performance for your clients!

Refer to this great post about CliConfg.exe: Click Here

Sunday, March 6, 2011

New BDC created with error: There are no addresses available for this application

Today I ran into this nice error, brought to me by someone from the Dev Department. He created a new BDC on our SP2010 Dev Farm and got this error: "There are no addresses available for this application". First, if you get this error, go to "Manage services on server" and start the BDC Service. Started? Great... now do an IISRESET and you are ready to go!

Tuesday, February 22, 2011

Windows Installer Stuck at some preparations parts

Today I worked on a very annoying problem: the Windows Installer just stops working when we try to install some Symantec product, whatever you try to install.
After 2 weeks of attempts to fix it by CheckPoint and SecureNet, I got the chance to try to solve this problem myself, and I managed to find it. If you have really strange problems with Windows Installer and you have already tried the Windows Installer Cleanup Tool, just copy the "magic" file called "MsiZap.exe" from the Windows Support Tools to "System32" or to the installation folder. Once you have copied it, run MsiZap.exe with the "g" switch.
Example: "MsiZap.exe g", just like this.

By the way, just search "msizap.exe windows installer" on Google and you can find really nice info about this tool.

Sunday, February 20, 2011

Exporting Public Folders Names and other attributes

These days I started to work on moving the Public Folders from our Exchange 2003 to SharePoint. As the first step I needed to make a list that includes all the names of our PFs, and for that I am using the PFDAVAdmin tool from Microsoft. It's a great tool for fixing the DACLs of PFs that got corrupted so that you can't change the Client Permissions; the error you get is: "An unknown error has occured id no: 8004010f Exchange System Manager "
So, back to our subject: download PFDAVAdmin (google it) and connect to your Exchange server to get the PF list. To export the list, go to Tools > Export Properties, and in the list make sure to mark "PR_DISPLAY_NAME".

Export it to a text file and import it into Excel. Nice tool, no?

Sunday, February 13, 2011

How to get Assembly (DLL) from GAC

There are many ways to get an Assembly from the GAC folder. I think the easiest way to do this is to just run the command: "Subst X: c:\windows\assembly" (X = drive letter used to get into the GAC folder).
After you have run this command, you can enter your new "drive" and find your Assembly.