Setting up Inverness – the External Collaboration Toolkit for SharePoint

Decision Points:

Need to decide…

  • Where to host ADAM – We want it replicated for additional fault tolerance:
  • The best option may be to run it on each SharePoint server in your farm… ADAM supports clustering via network load balancing.  If you have setup up NLB for SharePoint, it then should not be too difficult to set it up for ADAM as well.  This also eases configuration on Internet-facing servers… you don’t need to allow additional firewall rules from the SharePoint web server to an ADAM server in your trusted network.
  • Where to host the ECTS configuration database:
    • Place the DB external to the SharePoint server for scale out … you don’t want to install an essential component on a web farm server that you want to be able to take down to apply maintenance.
  • External URL for SharePoint:
    • I should be something short, and fairly memorable.  It also should sounds distinct from the Internal URL… I am trying “PartnerPoint.uvm.edu” to start out with .

    Gotchas:

    • ADAM Setup:
    • ECTS requires SSL for ADAM… check the Event Viewer “ADAM” events for SSL errors.  Documentation suggests giving the ADAM service account rights to the required certificate in the “All Users” profile… this worked for me in TEST once my certificate has a Fully Qualified Domain Name in its subject line.  My auto-enrollment generated certs only have the FQDN in the SAN (subject alternative name) field, thus I needed to generate a new cert for SSL to work.  Once doing the PROD deployment, this fix did not work, and I had to copy the PROD SSL cert from the “Computer Account” Personal certificate store to the “Service Account” Personal certificate store (the store labeled “ECTS Instance”)
    • In our production environment I had trouble running the setup script… this was because I was trying to use ports that ADAM considered “invalid”.  Keep an eye on %windir%debugadamsetup.log if scripts fail… as indicated here:
      http://technet2.microsoft.com/windowsserver/en/library/2080b841-2211-400f-b393-04675a1653651033.mspx?mfr=true
  • SharePoint app configuration:
    • It seems that host headers may be required by the setup scripts… if initial config fails, try adding host headers to internal and external web sites, then running setup again.
    • Connection Strings are for ADAM and the ECTS database are stored in the web.config files of each SP web site instance… you can inspect these to validate your config.  Also, you can change the ECTS database using these connect strings.  By doing to I was able to rename the database to “ECTSTest” so that I will be able to install the PROD database on the same server.
    • In more complex environments where you are adding ECTS to an existing SharePoint server, the ects_setup_sharepoint.vbs script may not update all of the web.config files on your server.  This was not a problem on my test server, but it was a real pain in production.  To fix the issue, I copied the following sections from my Extranet site web.config to by internal (“Default” zone) web site web.config:
      <connectionStrings>
      <add name=”ADAMConnectionString” connectionString=LDAP://myserver:636/CN=Users,OU=ECTS,dc=mycontext />
      <add name=”DBConnectionString” connectionString=”Data Source=MYDB; Database=ECTS; Integrated Security=SSPI” />
      </connectionStrings>
      <location path=”_layouts/ExternalCollaboration/PasswordReset.aspx”>
      <system.web>
      <authorization>
      <allow users=”*” />
      </authorization>
      </system.web>
      </location>
      <system.net>
      <mailSettings>
      <smtp from=PartnerAdmin@myserver>
      <network host=”smtp.myzone.net” port=”25″ defaultCredentials=”true” />
      </smtp>
      </mailSettings>
      </system.net>
  • ECTS “Configuration Utility” web part:  This is tricky, as the documentation is a bit vague on this.  You must add the account that you are going to use to run the utility to the “datareaders” and “datawriters” roles of the ECTS database IN ADDITION TO the WSS service account.  If the correct permissions are not added, configuration will fail… somewhat silently.
  • Web Part Security:  Access to the ECTS web parts is dictated though SharePoint site groups.  The users that you want to access the site must be added explicitly, not though group objects.  I.E. Lets say we have a user named “Jimmy Joe Jim Bob” (with NetID “jjjb”).  He is a member of the Active Directory group “SharePoint Gods” (DOMAINSPGods).  We want Jimmy Joe to be a “Site Collection Approver”, I must add the NetID “jjjb” to the “External Site Approvers” SharePoint group.  I cannot add the group “DOMAINSPGods”… it just does not work that way.
  • Help Resources:

    “SharePoint – Collaboration” forum on MSDN:
    http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=2012&SiteID=1

    ECTS online documentation on TechNet:
    http://technet.microsoft.com/en-us/library/cc268155.aspx

    Here is one that really helped me:
    (actually, the same information is available on many web sites, but this is really concise.  Getting “real” debug output helps to identify the source of config problem.  I found these stack traces a lot more useful than looking at SharePoint diagnostic logs)

    http://www.sharepointblogs.com/michael/archive/2007/06/28/sharepoint-under-the-hood-see-real-error-description-and-callstack-stack-trace.aspx

    Advertisements

    One thought on “Setting up Inverness – the External Collaboration Toolkit for SharePoint”

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out / Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out / Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out / Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out / Change )

    Connecting to %s