Monday, January 21, 2008

Our Newest Class – Mission: Automation – SharePoint Workflow and InfoPath

For the past year, students have been telling me they wanted more information on how to use Workflow Designer in SharePoint Designer to write workflows to automate their business processes. I hear this after they use the out-of-the-box workflows in our MOSS Core Features class. When I wrote the MOSS Advanced Features class, I included an entire module dedicated to SharePoint Designer Workflows and InfoPath. Students continue to tell me that was great, but they still want more about workflows and InfoPath.
I'm excited to announce our newest class – Mission: Automation – SharePoint Workflow and InfoPath. For three exciting days, students will dig into InfoPath, Forms Services, and SharePoint Designer workflows.
On day one, you'll focus on learning the basics of InfoPath, Forms Services, and Workflow Designer in SharePoint Designer. On day two, you'll continue to build on those skills while you learn how to interact with external data, convert existing Word and Excel forms to InfoPath forms, work with digital signatures, and explore e-mail enabled forms in InfoPath and e-mail enabled lists in SharePoint. On the last day, you will continue to expand your knowledge by learning how to send your InfoPath form data to a database, how to work with forms on a mobile device, and how to work with an InfoPath form that contains code. Whew! I told you it was exciting!
If you want to make SharePoint far more than just a place to store information, this is the class for you. Register today! The class is geared towards Information Workers who want to learn how to use SharePoint to automate common business processes, Power Users, Enterprise Planners and Teams, Webmasters, Application Designers, Systems Analysts, Help-desk and end-user support professionals, Trainers, and IT Pros and Developers who are primarily interested in out-of-the-box functionality and features. Note: this course does not teach workflow development using Visual Studio and .NET.

Sunday, January 20, 2008

Checking for a NULL Date Field in SharePoint Designer Workflow

I was recently teaching an Advanced SharePoint class in Richardson, TX and a student was expressing his frustration over Microsoft's apparent oversight within the SharePoint Designer workflow wizard. One of the "IF" conditions is a simple testing of the value of a field…"If this equals that." He wanted to test a date field in SharePoint to see if it was empty or not. Problem is, when you select a field that is typed as DATE in SharePoint Designer, there is no test for the empty or null condition. You can see this in the first figure.

It occurred to me that we might be able to change the type of the field to a string and then be able to perform the comparison. I used the "Build Dynamic String" action.

I selected the End Date custom field on my Expense Statements list and stored it in a new variable that was typed as STRING.

The results were not exactly what I expected; however, I was able to determine, through trial and error (sending the values in an email), that the conversion created a string that was filled with question marks (????). Therefore, if you simply test whether the new string begins with a ?, you can successfully test for an empty date value.

Both my student and I were happy with the results. There may be other ways to do this (perhaps by testing if the value of the date is equal to the "beginning of time" date), but this certainly seems like an easy and foolproof method.

Sunday, January 13, 2008

VMs Disappearing from Microsoft Virtual Server

I know this isn't specifically a SharePoint issue, but...

I use Microsoft Virtual Server to run all the SharePoint VMs that I use. At any given time, I may have 4-6 VMs on my notebook computer. Recently I ran into a problem where I kept losing the VMs that I had set up on Virtual Server. Each time I came back into the Virtual Server administration web site (after restarting my notebook), the VMs that I had set up the last time would be missing. This caused me to have to go into the directory C:\Documents and Settings\All Users\Application Data\Microsoft\Virtual Server\Virtual Machines and delete all the VM shortcuts so I could re-add the VMs. Sometimes I had to create the VM again. However, all the Virtual Network shortcuts seemed to be unaffected. In all cases, the VHD and VMC files were fine; it was just the shortcuts that were causing the problem. I had been living with this problem for the last several months.

The Solution:
I felt like there was a problem somewhere in the permissions, so I finally started poking around. Sure enough, I found that there were some permissions that were not being correctly inherited from C:\Documents and Settings\All Users\Application Data\Microsoft\Virtual Server. I'm a little rusty on setting advanced permissions, so it took me a while to figure out how to make the correct permissions inherit to the Virtual Server sub-directories, but I finally figured it out. The Network Service didn't have the appropriate permissions to the Virtual Machines directory. I finally found this MSDN documentation that details the DACLs for the Virtual Server directory. The NETWORK SERVICE entries in the following table were the permissions that were missing and not correctly being inherited by the sub-folders.

NETWORK SERVICE | Read & execute | This folder, subfolders, and files
NETWORK SERVICE | Create Files/Write Data, Create Folders/Append Data | This folder only
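
As an added example (not part of the original post), here is one way to audit and restore the two NETWORK SERVICE entries from the table with PowerShell instead of the Security tab. It assumes the entries belong on the Virtual Server directory named above and that the account resolves as NT AUTHORITY\NETWORK SERVICE on an English-language system.

```powershell
# Added example, not from the original post. $root is the Virtual Server
# directory named above; run from an elevated prompt on the VM host.
$root    = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Virtual Server'
$name    = 'NT AUTHORITY\NETWORK SERVICE'
$account = New-Object System.Security.Principal.NTAccount($name)

# 1. Audit: show what NETWORK SERVICE currently holds on the folder.
$acl = Get-Acl -Path $root
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $name } |
    Format-Table FileSystemRights, InheritanceFlags, IsInherited -AutoSize

# 2. Build the two entries from the table.
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$noProp      = [System.Security.AccessControl.PropagationFlags]::None
$inheritAll  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$inheritNone = [System.Security.AccessControl.InheritanceFlags]::None
$readRights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$writeRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'

# Read & execute: this folder, subfolders, and files.
$readExec = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, $readRights, $inheritAll, $noProp, $allow)
# Create Files/Write Data + Create Folders/Append Data: this folder only.
$createOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, $writeRights, $inheritNone, $noProp, $allow)

$acl.AddAccessRule($readExec)
$acl.AddAccessRule($createOnly)
Set-Acl -Path $root -AclObject $acl

# 3. List subfolders that block inheritance, since those will not pick up
#    the Read & execute entry and need to be fixed individually.
Get-ChildItem -Path $root -Recurse |
    Where-Object { $_.PSIsContainer } |
    Where-Object { (Get-Acl -Path $_.FullName).AreAccessRulesProtected } |
    Select-Object -ExpandProperty FullName
```

Any folder printed by step 3 has inheritance disabled, which matches the symptom described above of permissions not reaching the sub-folders.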

Whew! Finally got that fixed!

Tuesday, January 08, 2008

Presenting at Information Worker Conference 2008 (IWC08)

I'm looking forward to presenting at this year's upcoming Information Worker Conference. Along with SharePoint Solutions' president Jeff Cate and fellow software engineer Jeremy Luerkens, I'll be presenting a session on how we use SharePoint and Extranet Collaboration Manager to facilitate and automate our customer-facing business processes. Here is the title and description of our session:

Real-world case study: Collaborating with Customers on the Extranet with SharePoint

In January, 2007, SharePoint Solutions began using SharePoint 2007 to collaborate on the Extranet with every customer that attends one of its training classes. Each training class that is held receives its own WSS site that students can access during and after class to collaborate with fellow students and their instructors. The class extranet collaboration application has been a huge success with over 100 extranet sites created and being accessed securely over the Internet by over 1,500 customers. Come hear about the features of this solution, the approach that has been taken to ensure security, and the processes that have been established to quickly generate user accounts and uniform class sites. SharePoint Solutions' award-winning Extranet Collaboration Manager add-on, a big part of this solution, will also be highlighted by its designers, Tony Bierman and Jeremy Luerkens.

A full list of session titles and descriptions can be found here. If you haven't yet, you can register for IWC08 here. Hope to see you there.

Sunday, January 06, 2008

Single Server RMS and MOSS 2007 Installation from a SharePoint Perspective

Howdy from Texas!

Russell Wright here, from SharePoint Solutions (Dallas office). Thought some of y'all might want to see what I've gone through recently getting Windows Rights Management Server installed on my virtual SharePoint box.


We're going to install Windows Rights Management Server on a server with MOSS. I've found several documents and blogs where multiple server installations are discussed, but I wanted something that would be easy to carry around for demonstration purposes. I was also told that you couldn't do this, but was never told why, so I decided to try.
Why do you want to use Windows Rights Management Server? Let's say you have some documents you are "passing around" that have fairly sensitive information in them and you don't want anyone except those you have specifically authorized to have access to the documents. RMS encapsulates the security in the documents so just having the document doesn't mean you can access it. There are several whitepapers that discuss all the reasons why you'd want to use RMS.
Of course, RMS won't protect you against someone…
  1. Retyping the information into another document
  2. Taking a picture of the screen
  3. Using 3rd party screen capture apps
This installation is intended for the SharePoint professional who uses virtual machines for testing and as a general learning environment; hence, everything is installed on a single server image.

The Process

I started with my VM that has MOSS (SP1) installed. What you'll see here are lots of pictures with a little explanation when necessary. If a picture is worth a thousand words, this post is equivalent to about fifty thousand "words" to make you feel good about the installation.
To install Windows Rights Management Services, you need the following:
  • Server running in Application Server Role (your SharePoint server)
  • SQL Server 2005 Standard (already part of your SharePoint server)
  • Message Queuing (a subcomponent under Application Server)
Install message queuing.

I selected the weakened security, but it probably wouldn't matter.

This error might be left over from a previous attempt at installing DRMS. Didn't seem to affect anything.

Here's proof that the service is running. Check to make sure that your SQL Server is still up and running. Mine got stopped, somehow.

And then you need to:
  • Install the WRM client
  • Install RMS Server
  • Configure RMS
  • Register SCP in AD so SharePoint can find it
  • Configure SharePoint to use the exposed web services

Install the WRM client.

SharePoint needs the WRM client since it will be responsible for managing the rights assigned to a document through a document library.

Installing the WRM client is easy. Download from here and run. Good for 32-bit and 64-bit clients.

This is a very quick installation. Takes about 10-20 seconds. After the installation you'll see a change in the Central Admin for SharePoint. The warning has disappeared.

Install Windows Rights Management Services (with SP2)

WRMS can be downloaded here. Note that there are different versions for x86, x64 and IA-64 architectures. You might want to go ahead and download the Windows Rights Management Toolkit while you're in the downloading mode.

What's this look like when you're done?

Notice we have an RMS Administration web site.

Provision RMS

Now that RMS is installed, it's time to provision the thing. This means you have to do a little configuration (or provisioning, whichever word you like to use). This will set up the web services that SharePoint needs from RMS to do its thing.
You want to provision RMS on a site without a host header. If you have several sites running on port 80 and utilize a host header, I've found that RMS doesn't seem to know how to handle that. So, I'd recommend that you install RMS on the default web site on port 80. You might be able to get away with installing it on a site running on a different port, but I didn't try that.
I'll warn you…this next part I tried didn't work correctly because my virtual machine had a failed RMS installation of which I was unaware. If you read through it you'll see where I found and corrected my error. I left all my steps in the procedure, just in case you have similar problems.

After selecting Provision RMS on this Web site on the Default Web Site, here's how I filled out the provisioning form.

Configuration database

Since SQL is running on the local server, I selected Local database for the Configuration database.

RMS service account

Again, since this is a single server installation, I used the Local System account.

Cluster URL

Leave it with the default value (i.e. this server).

Private key protection and sub-enrollment

Leave the box ticked and enter a nice, strong password. Don't forget this password, especially in a production environment (which this is not, since it's a single server installation). The server licensor certificate name will default to the name of the server. Let it be (makes me want to sing).

RMS Proxy Settings

Okay, you have to know something about the network that this server is on. As part of the provisioning process it's going to go out on the internet and automatically get a set of keys to run this beast. If you're not connected to the internet you have to perform this process manually. You know, take the key request and get a set of keys created. You can probably do this internally, if you have a key generator service running somewhere.
Anyway, you have to set the proxy server settings here if you want it to get on the internet and you are behind a proxy server. When you tick the boxes you'll see all the proxy server receptacles.

Alas, we are met with an error. No permission to sub-enroll. This is caused by a previous installation that left some stuff (service connection point) registered in Active Directory.

We need to go and correct the problem. From Active Directory Sites and Services, click on the topmost node and select Show Services Node from the View menu.

Now, delete the old SCP (service connection point).
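
Before deleting anything, it helps to see what the stale entry actually points to. The following read-only check is an added example, not part of the original walkthrough; it assumes the RMS SCP lives at its standard location, CN=SCP,CN=RightsManagementServices,CN=Services in the forest's configuration partition, which is the object you reach through the Services node.

```powershell
# Added example, not from the original post: inspect the RMS service
# connection point (SCP) in Active Directory without modifying it.
# Assumption: the SCP is at its standard location under the Services
# container of the configuration naming context.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"

if ([System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
    $scp = [ADSI]$scpPath
    # serviceBindingInformation holds the certification URL clients use.
    # If it names a server that no longer runs RMS, the SCP is stale.
    New-Object PSObject -Property @{
        DistinguishedName = [string]$scp.distinguishedName
        BindingUrl        = [string]$scp.serviceBindingInformation
        Created           = [string]$scp.whenCreated
        Changed           = [string]$scp.whenChanged
    } | Format-List
} else {
    Write-Output "No RMS SCP registered under $configNc"
}
```

Run it again after provisioning and registering the SCP from the RMS Global Administration page to confirm the URL now points at this server.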

Now let's repeat the provisioning process (practice makes perfect)! Make sure the title on the screen says Provision the RMS Root Certification Server and not Provision the RMS Licensing Server. That's the mistake I made originally (since I didn't know that someone had tried to install RMS on my virtual machine in the past).
Notice there is some extra information that needs to be filled out (like the administrative contact) that wasn't part of the Provision the RMS Licensing Server process.

Server Internet Connectivity

Easiest way is to be connected to the internet so it can get a key pair automagically.

Now let's visit the RMS Global Administration page.

Here's an error I received in a previous installation attempt. I think it was when I tried to install on a web site with a host header.

Now we can go to the RMS Global Administration page and begin the configuration process.
We have to register the RMS Service Connection Point in Active Directory. The link is located at the bottom of the administration screen.

That was quick and easy.
We now have the web service installed on the default web app.

We can check the web service and see the methods it provides.

Now we can check and see if the service really works. Start by creating a Word document and then try and protect it. When I created the document, I was logged in as administrator.

I've given Alan read permissions and Connie change permissions.

Log on as Alan to test it out. You'll find that he can't make any changes to the document or print it.

Log in as Connie. She has permissions to change the document. Click on the View Permission… button to see what permissions she has.

After Connie edits the document and saves a new copy we can see that Alan still only has read permission on the new document Connie has created.

In order for SharePoint to use RMS and according to the instructions I read, you need to set the security on ServerCertification.asmx. This is the web service that is used by SharePoint. You have to get past the error shown in the IRM screen on the SharePoint Central Administration.

Here's what ServerCertification.asmx security looks like prior to messing with it.

This is what it needs to look like. Be sure and add the Local Service account.

Here's the trick for our single server installation. Since we didn't create and use a service account during the initial installation of RMS, there is no account in the RMS Service Group. To fix this problem, create a user account, with no special permissions, and put it in the RMS Service Group. I created RMS Service Account with User privileges and placed it in the group and voilà!

Chrissy Blanco had a 2006 blog post that kind of sheds some light on the permissions issue, but it was non-conclusive for me due to the varying setups people were using.

Using RMS from SharePoint

I went through all of this so I could have a good demo environment I could easily carry around on my laptop. So, let's see how this works with SharePoint, now that it's installed and working.
Here's a document library that we'll apply IRM to. I'm skipping a lot of details here because I'm counting on you being familiar with SharePoint (but not that familiar with RMS).

Here's the place where you start defining the IRM policy for the document library. Tick the top box and start "gettin' after it!" The idea here is that any document downloaded from this library will inherit the IRM rights that have been assigned from SharePoint.

You can set the IRM settings as you like and test it out. Upload a document and then download it while you are logged on as different users. You'll find that the permissions the user had to the document in SharePoint are used to drive the RMS permissions. They are applied to the document as it is downloaded, thus automatically being protected. For example, if you have view only permissions to the document library in SharePoint, those are the permissions you'll have on the RMS protected document when you download it.

When You Don't Have the WRM Client Installed

Here's the dialog you get when you attempt to open a file in an IRM protected document library and you don't have the RMS client installed. In this scenario, I was hitting the MOSS server running on SERVER1 on my notebook from my Windows XP desktop client (which is also the VM host). I have modified my HOSTS file to point to the loopback IP address ( for SERVER1 and provided portal.awbikes.local as the DNS name.