Sunday, August 21, 2011

Set SharePoint to use cross-domain queries (PeoplePicker)

Scenario:
You have three domain environments: DEV, TEST and PROD.
prod.contoso.com | NetBIOS: PROD
test.contoso.com | NetBIOS: TEST
dev.contoso.com | NetBIOS: DEV

One-Way Trusts:
DEV > PROD
TEST > PROD

You have a SharePoint farm in your Dev environment, and you want to access this farm from your Prod environment without entering your Dev user.

Resolution:
Using the right STSADM command you can set the People Picker of your farm to also find users from prod.contoso.com and dev.contoso.com.

Phase 1:
Open CMD as administrator and type:

Syntax: stsadm.exe -o setapppassword -password <RandomString>

Example: stsadm.exe -o setapppassword -password GsfE2#4ew


Phase 2:
Enter this command with the following settings:

Syntax: stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "<Valid list of forests or domains, Login name, Password>" -url <Web application URL>

Example: stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "prod.contoso.com,PROD\OrB,EGsf#fr3" -url Http://spsdev2010

* The user you enter needs rights in that domain's AD!


* From my experience with this command, if you type this syntax you will get "Command line error". As far as I know, you can write this command as follows:

Example 2: stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:prod.contoso.com" ,PROD\OrB,EGsf#fr3 -url Http://spsdev2010
Example 3: stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:prod.contoso.com" ,PROD\OrB,EGsf#fr3 -url Http://spsdev2010

Phase 3:
Check it yourself:

Syntax: stsadm.exe -o getproperty -url <Web application URL> -pn "peoplepicker-searchadforests"

Example: stsadm.exe -o getproperty -url Http://spsdev2010 -pn "peoplepicker-searchadforests"

You should see the domain from the last command you ran in Phase 2.
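The same three phases done through the SharePoint 2010 object model, as an added example that is not part of the original post. It assumes an elevated SharePoint 2010 Management Shell on a farm server and reuses the post's sample values (http://spsdev2010, prod.contoso.com, PROD\OrB); the farm-wide credential key itself is still set with stsadm.

```powershell
# Added example, not from the original post: the three stsadm phases via the object model,
# with the checks a practitioner wants around them.
# Assumptions: elevated SharePoint 2010 Management Shell on a farm server; the URL, domain
# and login below are the post's sample values, not real ones.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl  = "http://spsdev2010"
$domainFqdn = "prod.contoso.com"
$netbios    = "PROD"
$loginName  = "PROD\OrB"      # a plain account with read access to that domain is enough

# Phase 1: the credential key set by "stsadm -o setapppassword" must be identical on
# EVERY server in the farm; a server with a different key cannot decrypt the stored
# password, so People Picker fails only on that server. List where it must be run.
Get-SPServer | Where-Object { $_.Role -ne "Invalid" } |
    ForEach-Object { "Run the same setapppassword on: $($_.Address)" }

# Phase 2: store the trusted domain plus its credential. The password is encrypted with
# the Phase 1 key, so it is not kept in clear text in the configuration database.
$password = Read-Host -Prompt "Password for $loginName" -AsSecureString   # keeps it out of shell history
$wa    = Get-SPWebApplication $webAppUrl
$entry = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$entry.DomainName      = $domainFqdn
$entry.ShortDomainName = $netbios
$entry.IsForest        = $false     # $false = "domain:" entry, $true = "forest:" entry
$entry.LoginName       = $loginName
$entry.SetPassword($password)       # fails if Phase 1 was never run on this server
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($entry)
$wa.Update()

# Phase 3: read back what is stored (the getproperty equivalent; passwords are never shown)
$wa     = Get-SPWebApplication $webAppUrl
$stored = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains
$stored | Select-Object DomainName, ShortDomainName, IsForest, LoginName | Format-Table -AutoSize
if (-not ($stored | Where-Object { $_.DomainName -eq $domainFqdn })) {
    Write-Warning "$domainFqdn is missing from peoplepicker-searchadforests on $webAppUrl"
}
```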

Why reinvent the wheel?!
Refer to these great sites:
Configure People Picker (SharePoint Server 2010) - TechNet
People Picker overview (SharePoint Server 2010) - TechNet

* Known Issues:
SharePoint 2010: people picker issue "There was an error in the callback"
More People Picker issues - a great post about issues with this command!

Friday, July 1, 2011

SharePoint 2010 - Service Pack 1

So, we have it: the first SP for Office 2010 and SharePoint Server 2010.

New features:
- Support for SQL Server Code Name "Denali"
- Shallow copy functionality (Nice one! You can move sites between content DBs that are configured to work with RBS without moving the BLOB store.)
- Site-level recycle bin
- Improvements to storage management (StorMan.aspx)
- Cascading filters for PerformancePoint Services
- Additional browser support (IE9, Chrome)
* As one of the SP1 beta testers I can say that this SP1 will be very helpful for all of us!
- List of all SharePoint 2010 and Office Server 2010 SP1 packages - Downloads\Info

Read this post about the install process for SP1 and the June 2011 CU: Link

Tuesday, June 21, 2011

SharePoint 2010 Topology - Visio Template

Today I share with you a Visio template that I made for myself; use it to design your SharePoint farm with a clear, easy-to-understand layout.
You can even link the shapes to a SharePoint list with server information and to a SQL database such as SCOM's to get a DEAD/LIVE status link.

Here you can see part of the Visio:



Saturday, May 21, 2011

Using Kernel-Mode with SharePoint 2010 Farm

I will start with this quote from Microsoft: "Kernel Mode Authentication is not supported in SharePoint 2010 Products. This information is provided for informational purposes only."
But Microsoft gave us a workaround for this issue. As you probably know, kernel mode means that Kerberos tickets are decrypted using the SPNs that exist on the machine account instead of on the custom application pool identity.
What we are going to do is tell IIS to use the application pool identity instead of the machine account when kernel mode is enabled.


What we need to do is very simple: just read this article from Microsoft about adding the attribute useAppPoolCredentials to the applicationHost.config file (located at %windir%\system32\inetsrv\config\), for example:

<system.webServer>
   <security>
      <authentication>
         <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>
I tested this workaround in a test environment (tier 1: 2 WFE servers with NLB, tier 2: application server, tier 3: SQL server) and it works perfectly. If you have more information about issues with this workaround, please share it with us, thanks.
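The same applicationHost.config change applied per site through the IIS 7 configuration API, followed by the check that makes or breaks it: with useAppPoolCredentials the ticket is decrypted by the application pool account, so the HTTP SPN must be registered on that account and nowhere else. This is an added example, not from the original post; the site name and host header are placeholders, and it assumes the WebAdministration module (IIS 7 on Windows 2008 R2).

```powershell
# Added example, not from the original post: set useKernelMode/useAppPoolCredentials for
# one IIS site and verify the SPN sits on the app pool identity that will decrypt tickets.
# Assumptions: WebAdministration module available; $siteName and $hostName are placeholders.
Import-Module WebAdministration

$siteName = "SharePoint - 80"   # placeholder: the web application's IIS site name
$hostName = "spsdev2010"        # placeholder: host header the users browse to
$filter   = "system.webServer/security/authentication/windowsAuthentication"

# Same attributes as the post's <location> entry, written into applicationHost.config for this site
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $siteName -Filter $filter -Name useKernelMode -Value $true
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $siteName -Filter $filter -Name useAppPoolCredentials -Value $true

# Read back the effective values for the site
$auth = Get-WebConfiguration -PSPath "IIS:\" -Location $siteName -Filter $filter
"useKernelMode={0} useAppPoolCredentials={1}" -f $auth.useKernelMode, $auth.useAppPoolCredentials

# Which account now decrypts the tickets? The app pool identity, so its SPNs are what count.
$poolName = (Get-Item "IIS:\Sites\$siteName").applicationPool
$identity = (Get-Item "IIS:\AppPools\$poolName").processModel.userName
if (-not $identity) {
    Write-Warning "$poolName runs as a built-in identity; tickets are still decrypted with the machine account"
} else {
    # setspn -L lists the SPNs on that account; both the short and the FQDN form are expected
    $spns = & setspn.exe -L $identity 2>&1
    foreach ($spn in @("HTTP/$hostName", "HTTP/$hostName.$env:USERDNSDOMAIN")) {
        if ($spns -match [regex]::Escape($spn)) { "OK       $spn -> $identity" }
        else { Write-Warning "MISSING  $spn on $identity (register it with: setspn -S $spn $identity)" }
    }
}
# A duplicate SPN on any other account breaks Kerberos silently; -X finds them (2008+ setspn)
& setspn.exe -X
```

If useAppPoolCredentials is left false while the SPN is on the app pool account (or the reverse), the KDC issues a ticket the server cannot decrypt and users fall back to NTLM or get prompted.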

Friday, May 20, 2011

DelegConfig (Delegation / Kerberos Configuration Tool)

We all know how frustrating it is to configure Kerberos in some situations. I want to show you a really nice tool by Brian Murphy-Booth that can help you pass smoothly through that part of building a new secure environment using Kerberos / constrained delegation. And yes, this tool supports SharePoint as a service type, as well as other back-end service types for checking the double hop; you can see it in the picture below.

I recommend you read the Welcome page when you open the tool for the first time.

The DelegConfig (taken from here)
Overview 
This is an ASP.NET application used to help troubleshoot and configure IIS and Active Directory to allow Kerberos and delegating Kerberos credentials.

Features
- Supports IIS 6.0 as well as IIS 7.0 (useKernelMode / useAppPoolCredentials)
- Allows adding backend servers of type UNC, HTTP, LDAP, OLAP, SQL, SSAS, and RDP
- Allows chaining of multiple hops (versus only a single backend)
- Performs duplicate SPN check against all trusted domains.


/Set/SPNs.aspx - Allows adding and removing of ServicePrincipalNames.

/Set/Delegation.aspx - Allows changing Trust for Delegation settings.

/Set/Providers.aspx - Allows correcting of inadequate NTAuthenticationProviders settings.

/Report.aspx - Gives a picture of what is right and what is wrong.

/Wizard.aspx - A set of wizard steps that supports adding more tiers to /Report.aspx.

/Test.aspx - Allows double-hop tests for webServer-to-Sql or webServer-to-fileServer or webServer-to-webServer.

Requirements
IIS 6.0 or IIS 7.0
ASP.NET 2.0 or higher
I started using it on every IIS/SharePoint server: just create a new site pointing to the DelegConfig folder and leave the site stopped; start it when you want to check a Kerberos problem. My friend (Assaf Lev from Matrix Company) gave this tool the nickname "Kerbi" :-)



Also, don't forget that you can use "setspn.exe -x" to see duplicate SPNs in your domain (only with the new setspn version in Win2K8). Refer to this link (read it!) for more new features.

If you have new info to share with me and other viewers, just leave a comment; thanks and good luck my friends.

Tuesday, April 5, 2011

DB Server Alias - SQL Server Client Network Utility

I will show you here a tool called "SQL Server Client Network Utility" (Run > CliConfg.exe). With this tool we can create a SQL alias for our DB server and use it instead of the FQDN of the DB server, for example when we install SharePoint.

It makes life easier when we want to move to another SQL Server: just change the alias on the WFEs and you are ready to go. It's known as a best practice for installing SharePoint.
More than that, when you configure the DB alias in the utility you can specify a pre-defined protocol, so you get better performance for your clients!
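What CliConfg.exe actually writes, done from a script so it can be repeated identically on every WFE, with a connection test before the farm is pointed at the alias. This is an added example, not from the original post; the alias name, server and port are placeholders and it assumes an elevated PowerShell on the WFE.

```powershell
# Added example, not from the original post: create the TCP alias CliConfg.exe would create,
# in both the 64-bit and 32-bit client registry hives, then test it.
# Assumptions: run elevated on the WFE; $alias, $server and $port are placeholders.
$alias  = "SPSQL"                   # what you type as the database server in the SharePoint wizard
$server = "sql01.dev.contoso.com"   # placeholder: the real SQL Server host
$port   = 1433                      # fixed TCP port: no SQL Browser (UDP 1434) round trip, TCP only

# CliConfg stores an alias as REG_SZ "<alias>" = "DBMSSOCN,<server>,<port>" (DBMSSOCN = TCP/IP)
$paths = @("HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo",
           "HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo")  # 32-bit tools
foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name $alias -Value "DBMSSOCN,$server,$port" -Type String
}

# Prove the alias resolves and the TCP port is reachable before SharePoint depends on it
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList `
        "Server=$alias;Integrated Security=SSPI;Connection Timeout=5"
try   { $conn.Open(); "Alias $alias -> ${server}:${port} OK (SQL Server $($conn.ServerVersion))" }
catch { Write-Warning "Alias $alias failed: $($_.Exception.Message)" }
finally { $conn.Close() }
```

Moving the farm to another SQL Server later is then a change of $server on each WFE, exactly the benefit the post describes, and the same script doubles as the check that all WFEs agree.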

Refer to this great post about CliConfg.exe: Click Here

Sunday, March 6, 2011

New BDC created with error: There are no addresses available for this application

Today I ran into this nice error, brought to me by someone from the Dev department. He created a new BDC on our SP2010 Dev farm and got this error: "There are no addresses available for this application". If you get this error, first go to "Manage services on server" and start the BDC service. Started? Great. Now do an IISRESET and you are ready to go!