Configuring Kerberos authentication for SharePoint 2010

• You can download the white paper in .doc format: Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products and Technologies (http://go.microsoft.com/fwlink/?LinkId=196600) (7.3 MB)
  
• All the same information is available as a set of articles here in the TechNet Library. To begin, see: Overview of Kerberos authentication for Microsoft SharePoint 2010 Products

SharePoint 2010 PerformancePoint Service

• Plan for PerformancePoint Services (SharePoint Server 2010) 
• Plan for PerformancePoint Services security (SharePoint Server 2010) 

The steps for creating and configuring a PerformancePoint Services service application are as follows:

• Configure the PerformancePoint Services application pool account
  
• Start the PerformancePoint service
  
• Create a PerformancePoint Services service application.
  
• Configure service application associations
  

Configure the PerformancePoint Services application pool account

The application pool for the PerformancePoint Services service application requires a Microsoft SharePoint Server 2010 managed account (generally an Active Directory account) to run. This account must have access to the content databases where PerformancePoint data will be stored.
If you run the service application using the same application pool account as the web application where the content databases are located, this required database access is configured automatically. However, we recommend that you use a different account for the PerformancePoint Services application pool, especially in a large or complex farm. This allows for greater control over data and resource access.
If you choose to use the same managed account for PerformancePoint Services as is being used for the web application, you can skip the procedures in this section. If you choose to create a new managed account, you must do the following:

1. Register a managed account in SharePoint Server 2010. (You will need an Active Directory user account for this step. Have your Active Directory administrator create it.)
   
2. Grant access for this account to the content databases that will contain PerformancePoint data. This process includes running a Windows PowerShell script from the SharePoint 2010 Management Shell.

To grant content database access to an account

1. On an application server in the farm, click Start, click All Programs, click Microsoft SharePoint 2010 Products, right-click SharePoint 2010 Management Shell, and then click Run as Administrator.
   
2. At the Windows PowerShell command prompt, type the following, pressing Enter after each line:
   
   $w = Get-SPWebApplication -identity 
   $w.GrantAccessToProcessIdentity("")

Once you have finished granting content database access to the managed account, the next step is to start the PerformancePoint service.

Start the PerformancePoint service

To configure PerformancePoint Services, you must first start the PerformancePoint service on the application server where you want to run PerformancePoint Services. You can start the service on multiple application servers for better performance, if you want, but the service must be started on at least one server. Use the following procedure to start the PerformancePoint service.

To start the PerformancePoint Service

1. In Central Administration, in the System Settings section, click Manage services on server.
   
2. Note the server specified in the Server box. If you want to run the PerformancePoint service on a different server, click the current server, and then click Change Server and select the server that you want.
   
3. Click Start next to PerformancePoint Service.
   

Create a service application

Once the service is started, you can create a PerformancePoint Services service application. Use the following procedure to create the service application.

To create a PerformancePoint Services service application

1. In Central Administration, in the Application Management section, click Manage Service Applications.
   
2. Click New, and then click PerformancePoint Service Application.
   
3. Type a name for the service application and select the Add this service application's proxy to the farm's default proxy list check box.
   
4. Select the Create new application pool option and type a name for the application pool.
   
5. Under the Configurable option, select the managed account to run the application pool.
   
6. Click Create.
   
7. Click OK.
   

Configure service application associations

For PerformancePoint Services to function, the PerformancePoint Services service application proxy must be associated with the default web application. Use the following procedure to confirm that the association is configured between the web application and the PerformancePoint Services proxy.

To configure service application associations

1. In Central Administration, click Application Management.
   
2. In the Service Applications section, click Configure service application associations.
   
3. In the Application Proxy Group section, click default.
   
4. Ensure that the PerformancePoint Services box is selected.
   
5. Click OK.
   

Next Steps

Once you have finished configuring PerformancePoint Services, you can make it available to the users. We recommend that you review the following tasks:

• Configure data access   Users of PerformancePoint Services will need access to back-end data sources. This can be configured by using the unattended service account or Kerberos delegation. For more information, see Configure the unattended service account for PerformancePoint Services and Configure Kerberos authentication for SharePoint 2010 Products (white paper).
  
• Configure data connections   Users of PerformancePoint Dashboard Designer need data connections in order to access the data sources. For more information, see Create a data source inventory for PerformancePoint dashboard authors and Create data connections (PerformancePoint Services).
  
• Configure user permissions   To publish dashboards, users must have specific permissions in SharePoint Server 2010. For more information, see About user permissions for PerformancePoint Services (http://go.microsoft.com/fwlink/p/?LinkId=227542) on Office.com.

Configure the unattended service account for PerformancePoint Services

The Unattended Service Account is an Active Directory account that is used for accessing PerformancePoint Services data sources. This account is used by PerformancePoint Services on behalf of authorized users to provide access to external data sources for the purposes of creating and using dashboards and other PerformancePoint Services content.

Note:
The Unattended Service Account is a universal account that provides equal data access to all authorized users. If you need more fine-grained data access, you must configure per-user data access through Kerberos delegation. For more information, see Configure Kerberos authentication for SharePoint 2010 Products (white paper).

PerformancePoint Services uses Secure Store Service to store the unattended service account password. Before using the Unattended Service Account, make sure that Secure Store has been configured. For more information, see Plan the Secure Store Service (SharePoint Server 2010) and Configure the Secure Store Service (SharePoint Server 2010).

Configure the unattended service account for PerformancePoint Services

To configure the unattended service account for PerformancePoint Services

1. On the SharePoint Central Administration Web site, in the Application Management section, click Manage Service Applications, and then click the PerformancePoint Services service application.
   
2. On the Manage PerformancePoint Services page, click PerformancePoint Service Settings.
   
3. In the Unattended Service Account section, enter the user name and password for the account that you want to use as the unattended service account.
   
4. Click OK.
   

You will see the Secure Store Service name and the user name that represents the unattended service account.

Note:
If an error occurs, the Secure Store Service key may not have been correctly generated or the key was not refreshed after you created a new key.

Once the unattended service account has been configured, you must grant that account access to your data sources:

• For SQL Server data, the account must have a SQL logon with db_datareader permissions on each database that you want to access.
  
• For SQL Server Analysis Services data, the account must have read access to the cube or an appropriate portion of the cube, depending on your needs.
  
• For Excel Services data, the account must have access to the Microsoft Excel workbook in a SharePoint document library.
  
• For data in a SharePoint list, the account must have read access to the list.

SharePoint 2010 PDF Configuration

SharePoint 2010 Standard/Enterprise
http://support.microsoft.com/kb/2293357

1. Install PDF iFilter 9.0 (64 bit) from http://www.adobe.com/support/downloads/detail.jsp?ftpID=4025
2. Download PDF icon picture from Adobe web site http://www.adobe.com/misc/linking.html and copy to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\IMAGES\ 
3. Add the following entry in docIcon.xml file, which can be found at: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\XML
   
4. Add pdf file type on the File Type page under Search Service Application
5. Open regedit
6. Navigate to the following location:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\14.0\Search\Setup\ContentIndexCommon\Filters\Extension
7. Right-click > Click New > Key to create a new key for .pdf
8. Add the following GUID in the default value
   {E8978DA6-047F-4E3D-9C78-CDBE46041603}

• Restart the SharePoint Server Search 14
• Reboot the SharePoint servers in Farm
• Create a Test site (with any out-of-box site template) and create a document library upload any sample PDF document(s).
• Perform FULL Crawl to get search result.

Once the crawl is completed we will get search results.

SharePoint 2010 Foundation
http://support.microsoft.com/kb/2518465
1. Copy the below content to a VBS file and save it (I.E save file name as AddExtension.vbs)

-----------------

Sub Usage

    WScript.Echo "Usage:    AddExtension.vbs extension"
    WScript.Echo

end Sub

Sub Main

    if WScript.Arguments.Count < 1 then
                Usage
                wscript.Quit(1)
   end if

    dim extension
    extension = wscript.arguments(0)

    Set gadmin = WScript.CreateObject("SPSearch4.GatherMgr.1", "")

    For Each application in gadmin.GatherApplications
        For Each project in application.GatherProjects
                    project.Gather.Extensions.Add(extension)
                Next
    Next

End Sub

call Main

-----------------------

2. Copy the above script file to Sharepoint Foundation 2010 Server

3. Run it from Command Prompt
> WScript AddExtension.vbs pdf

4.  Register PDF ifilter as below:
4-1.       Find regkey "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Search\Setup\ContentIndexCommon\Filters\Extension\"
4-2.       Right-Click – [New]-[Key]. Then specify key name ".pdf"
4-3.       Right-Click (Default) of above ".pdf" key then click "Modify"
4-5.       Specify value "{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
4-6.       Restart SPSearch4

5. Run crawl as below
>stsadm –o spsearch –action fullcrawlstart

6. Confirm the pdf files can be found in search results

PowerShell Configuration
http://www.sharepointusecases.com/index.php/2011/02/automate-pdf-configuration-for-sharepoint-2010-via-powershell/
Here is what you need to do:

• Download and install the Adobe PDF iFilter
• Configure SharePoint Foundation search service via Central Admin (or PowerShell)
• Download the Adobe PDF icon (select Small 17 x 17) and save it to a folder on your SharePoint server as pdficon_small.gif
• Download the script below and place it to the same folder as Adobe PDF Icon
• Run the script as administrator from Powershell shell

cls
function Get-FileFormatDate {
    param( [DateTime]$Date = [DateTime]::now )
    return $Date.ToUniversalTime().toString( "yyyy-MM-dd_hh-mm-ss" )
}
if((Get-PSSnapin | Where {$_.Name -eq "Microsoft.SharePoint.PowerShell"}) -eq $null) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell;
    }
$continue = Read-Host "This script will change SharePoint configuration files, registry and will restart your IIS! Would you like to continue (Y/N)"
if($continue -eq "Y")
{
    Write-Host -ForegroundColor Yellow "Configuring PDF Icon..."
    $SharePointRoot = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14";
    $DocIconFolderPath = "$SharePointRoot\TEMPLATE\XML";
    $DocIconFilePath = "$DocIconFolderPath\docicon.xml";
    Write-Host "Creating backup of DocIcon.xml file..."
    $dateNow = Get-FileFormatDate
    $backupFile = "$DocIconFolderPath\Backup_DocIcon_" + $dateNow + ".xml"
    Copy-Item $DocIconFilePath $backupFile
    $pdfIcon = "pdficon_small.gif";
    while((Get-Item $pdfIcon) -eq $null)
    {
        Read-Host "$pdfIcon is missing. Download it from http://www.adobe.com/misc/linking.html and place it to this folder. Press any key to continue...";
    }
    Copy-Item $pdfIcon "$SharePointRoot\Template\Images";
    $pdfNode = select-xml -path $DocIconFilePath -xpath "/DocIcons/ByExtension/Mapping[@Key='pdf']" | select-object -expandProperty Node
    if($pdfNode -eq $null)
    {
         $xml= [xml] (Get-Content $DocIconFilePath)
         $a = $xml.selectSingleNode("/DocIcons/ByExtension")
         $addnode = $xml.createElement("Mapping")
         $a.AppendChild($addNode)
         $keyAttribute = $xml.CreateAttribute("Key")
         $keyAttribute.set_Value("pdf")
         $addNode.SetAttributeNode($keyAttribute)
         $valueAttribute = $xml.CreateAttribute("Value")
         $valueAttribute.set_Value("pdficon_small.gif")
         $addNode.SetAttributeNode($valueAttribute)
         $xml.Save($DocIconFilePath)
    }
    Write-Host -ForegroundColor Yellow "Configuring search crawl extension..."
    $searchServiceApp = Read-Host "Type the name of your search service application (e.g. Search Service Application)"
    $searchApplicationName = Get-SPEnterpriseSearchServiceApplication $searchServiceApp
    if($searchApplicationName -ne $null)
    {
        if(($searchApplicationName | Get-SPEnterpriseSearchCrawlExtension "pdf") -eq $null)
        {
            $searchApplicationName | New-SPEnterpriseSearchCrawlExtension "pdf"
        }
    }
    Write-Host -ForegroundColor Yellow "Updating registry..."
    if((Get-Item -Path Registry::"HKLM\SOFTWARE\Microsoft\Office Server\14.0\Search\Setup\Filters\.pdf") -eq $null)
    {
        $item = New-Item -Path Registry::"HKLM\SOFTWARE\Microsoft\Office Server\14.0\Search\Setup\Filters\.pdf"
        $item | New-ItemProperty -Name Extension -PropertyType String -Value "pdf"
        $item | New-ItemProperty -Name FileTypeBucket -PropertyType DWord -Value 1
        $item | New-ItemProperty -Name MimeTypes -PropertyType String -Value "application/pdf"
    }
    if((Get-Item -Path Registry::"HKLM\SOFTWARE\Microsoft\Office Server\14.0\Search\Setup\ContentIndexCommon\Filters\Extension\.pdf") -eq $null)
    {
        $registryItem = New-Item -Path Registry::"HKLM\SOFTWARE\Microsoft\Office Server\14.0\Search\Setup\ContentIndexCommon\Filters\Extension\.pdf";
        $registryItem | New-ItemProperty -Name "(default)" -PropertyType String -Value "{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
    }
    [System.Environment]::SetEnvironmentVariable("PATH", $Env:Path + ";C:\Program Files\Adobe\Adobe PDF iFilter 9 for 64-bit platforms\bin", "Machine")
    Write-Host -ForegroundColor Yellow "Restarting SharePoint Foundation Search Service..."
    Restart-Service SPSearch4
    Write-Host -ForegroundColor Yellow "Restarting SharePoint Search Service..."
    Restart-Service OSearch14
    Write-Host -ForegroundColor Yellow "Restarting IIS..."
    iisreset
    Write-Host -ForegroundColor Green "Installation completed..."
}

SharePoint 2010 - Service Applications

Service Application represent the evolution of the SSP.

• all service applications are seperate
• all service application can be turned on and off
• all service applications have unique user access permissions. central administration is security trimmed; users only see what they have access to

SharePoint 2010 - Upgrade

There are two methods to upgrade from SP2007:

1. In-place
2. database attach

• read-only content dabase can be rendered during upgrade
• sp2010 can redirect to sp2007 farm until upgrade completes
• visual upgrade allows site upgraded to sp2010 to use look and feel of sp2007

SharePoint 2010 Installation

Installation

• must be installed on 64-bit operating system.
• must be installed on Windows 2008 SP2 or R2, or later
• requires 64-bit version of SQL 2005 SP2 or 2008, or later
• reprequisite installer will download and install all required software, configure IIS and other components
• requires a farm passwphrase; needed to add or remove server from farm. Also used for encryption between farm members.
• AD Group Policy Objects can be used to block installation

Upgrade

• stsadm -o preupgradecheck; interrogates sp2007 content databases and alerts of potential roadblocks
• server
• amount of content
• search configuration
• features
• solutions
• site definitions
• alternate access mappings
• langage packs
• large lists
• orphaned data
• view and content types that use CAML
• database with modified schemas
• the check is read-only; makes no changes to any database
• powershell cmdlet test-SPContentDatabase