Thursday, June 21, 2012

Advanced SharePoint Extranet Management: Implementing Extranet Collaboration Manager (ExCM) 2010 Advanced Features – Part 3 - User Automation


by Matthew McBride, SharePoint Solutions

One problem that SharePoint Server Administrators regularly encounter is this:
How can I know when an extranet user from a partner company leaves the company, and how can I avoid accumulating inactive accounts for users that no longer exist that are just “sitting out there?” 


Unfortunately, it is nearly impossible to keep up with the “comings and goings” of extranet users who are employees of partner companies.

But Extranet Collaboration Manager 2010 (ExCM) includes a feature for exactly this kind of extranet user security need. The ExCM User Automation (UA) feature applies recurring policies to the accounts in the ExCM user database.  The policies are enforced by a SharePoint Timer Job that periodically inspects each account.  UA can expire accounts based on attributes such as a period of inactivity or failure to change the password within a specified period, which takes care of the user account “housekeeping” problem.

Configuration
As with the other ExCM Advanced Features, (see the previous two posts) you first need to enable the SharePoint Service object, which is used to provide farm-wide services and configuration data.  To activate the service, open the SharePoint Management Shell and type the following command:


Next, create a new User Automation job:


Now, provide values for a few parameters:
PolicySite – URL of SharePoint site running ExCM 2010

Schedule – frequency the job will be executed

               Examples:
               "every 5 minutes between 0 and 4"
               "hourly between 0 and 59"
               "daily at 15:00:00"
               "weekly between Fri 22:00:00"
               "monthly at 15 15:00:00"
               "yearly at Jan 1 15:00:00"
In this example, I will have the job run daily:

Once that is configured, a new menu appears under “Extranet Settings” from the Site Settings page:
From within this menu, all UA options are available.  You can expire accounts based on two attributes: activity and password change.  You can also choose to use both attributes in combination.  Available options include when the policy will go into effect; how far ahead of that time the user will receive an email notification; and how often the expiration notification will be repeated:

In this case, I would like to expire accounts based on inactivity only. To achieve this, I will disable the password-change attributes and leave their default values in place, so that only the inactivity settings apply:

Now that the User Automation options have been configured in the ExCM user interface, I need to edit the configuration file of OWSTIMER.EXE, the SharePoint Timer service.  The job runs inside that process rather than inside the web application, so it needs its own connection string and its own membership and role provider entries in order to read and write the database where the extranet users are located.  The file is found at the following location:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\OWSTimer.exe.config

Below is a sample configuration file that allows the service to connect to the extranet database:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <connectionStrings>
    <add name="ExtranetDirectory"
         connectionString="Data Source=[servername];Initial Catalog=ExtranetDirectory;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="Ext">
      <providers>
        <add name="Ext"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ExtranetDirectory"
             enablePasswordRetrieval="false"
             passwordFormat="Hashed"
             applicationName="/"
             requiresUniqueEmail="true"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             maxInvalidPasswordAttempts="10"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="6"
             minRequiredNonalphanumericCharacters="0"
             passwordStrengthRegularExpression="" />
      </providers>
    </membership>
    <roleManager defaultProvider="ExtRole" enabled="true" cacheRolesInCookie="false">
      <providers>
        <add name="ExtRole"
             connectionStringName="ExtranetDirectory"
             applicationName="/"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>
</configuration>

Some values in the example above, such as the SQL Server name and the provider attributes, will differ in your environment.  Copy the membership and role provider entries from the extranet web application's web.config rather than from this sample, so that the timer job uses the same provider, applicationName and password settings as the site itself; a different applicationName, for example, would point the job at a different set of users.  Note also that the password settings in this sample (minRequiredPasswordLength="6", minRequiredNonalphanumericCharacters="0" and an empty passwordStrengthRegularExpression) are permissive; tighten them in the web application's web.config first and then mirror them here.  Because the connection string uses Integrated Security=SSPI, the job connects as the account that runs the SharePoint 2010 Timer service, so that account needs rights on the ExtranetDirectory database; the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess database roles created by aspnet_regsql cover the membership and role provider calls, so prefer those over db_owner.  Once the edits have been made and the file has been saved, restart the SharePoint 2010 Timer service (SPTimerV4), for example with Restart-Service SPTimerV4 from an elevated PowerShell prompt.  OWSTimer.exe is a Windows service, not an IIS worker process, so an IIS reset alone does not make it reload this file.
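A provider block like the one above is easy to get subtly wrong, and a mismatch between this file and the web application's web.config is hard to spot by eye. The following PowerShell script is an added example, not code from the original post or from ExCM: it reads the membership provider attributes from both files, reports any attribute that differs or is missing from the timer configuration, and flags the permissive password settings in the sample. The web.config path, the provider name Ext and the function names are assumptions; run it on the SharePoint server in any elevated PowerShell prompt.

```powershell
# Added example (not from the original post or ExCM): compare the membership provider settings
# that OWSTimer.exe.config gives the User Automation job with those of the extranet web
# application, and flag permissive password settings. File paths and the provider name "Ext"
# are assumptions; adjust them to your farm.

function Get-MembershipProviderAttributes {
    param(
        [Parameter(Mandatory = $true)][xml]$Config,
        [string]$ProviderName = 'Ext'
    )
    $xpath = "/configuration/system.web/membership/providers/add[@name='$ProviderName']"
    $nodes = $Config.SelectNodes($xpath)
    if ($nodes.Count -eq 0) { throw "Membership provider '$ProviderName' not found" }
    $attrs = @{}
    foreach ($a in $nodes[0].Attributes) { $attrs[$a.Name] = $a.Value }
    return $attrs
}

function Compare-ProviderAttributes {
    # Reports every attribute of the web.config provider that the timer config lacks or sets differently.
    param([hashtable]$TimerAttrs, [hashtable]$WebAttrs)
    $findings = @()
    foreach ($key in $WebAttrs.Keys) {
        if (-not $TimerAttrs.ContainsKey($key)) {
            $findings += "OWSTimer.exe.config lacks '$key' (web.config: '$($WebAttrs[$key])')"
        } elseif ($TimerAttrs[$key] -ne $WebAttrs[$key]) {
            $findings += "'$key' differs: timer='$($TimerAttrs[$key])' web='$($WebAttrs[$key])'"
        }
    }
    return ,$findings
}

function Test-PasswordPolicy {
    # Flags settings that weaken stored-password protection or password strength.
    param([hashtable]$Attrs)
    # SqlMembershipProvider defaults that apply when an attribute is omitted
    $eff = @{ enablePasswordRetrieval = 'false'; passwordFormat = 'Hashed'; minRequiredPasswordLength = '7';
              minRequiredNonalphanumericCharacters = '1'; passwordStrengthRegularExpression = '' }
    foreach ($k in $Attrs.Keys) { $eff[$k] = $Attrs[$k] }
    $warnings = @()
    if ($eff['enablePasswordRetrieval'] -eq 'true') {
        $warnings += 'enablePasswordRetrieval=true: passwords can be read back from the database'
    }
    if ($eff['passwordFormat'] -ne 'Hashed') {
        $warnings += "passwordFormat=$($eff['passwordFormat']): passwords are stored in recoverable form"
    }
    if ([int]$eff['minRequiredPasswordLength'] -lt 8) {
        $warnings += "minRequiredPasswordLength=$($eff['minRequiredPasswordLength']): shorter than 8"
    }
    if ([int]$eff['minRequiredNonalphanumericCharacters'] -lt 1 -and
        [string]::IsNullOrEmpty($eff['passwordStrengthRegularExpression'])) {
        $warnings += 'no complexity rule: minRequiredNonalphanumericCharacters=0 and no passwordStrengthRegularExpression'
    }
    return ,$warnings
}

# Constructed input: the provider block from the sample file above, so the script runs offline.
[xml]$sampleTimerConfig = @'
<configuration>
  <system.web>
    <membership defaultProvider="Ext">
      <providers>
        <add name="Ext" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ExtranetDirectory" enablePasswordRetrieval="false" passwordFormat="Hashed"
             applicationName="/" requiresUniqueEmail="true" enablePasswordReset="true" requiresQuestionAndAnswer="true"
             maxInvalidPasswordAttempts="10" passwordAttemptWindow="10" minRequiredPasswordLength="6"
             minRequiredNonalphanumericCharacters="0" passwordStrengthRegularExpression="" />
      </providers>
    </membership>
  </system.web>
</configuration>
'@
$sampleAttrs = Get-MembershipProviderAttributes -Config $sampleTimerConfig -ProviderName 'Ext'
Test-PasswordPolicy -Attrs $sampleAttrs | ForEach-Object { Write-Warning $_ }

# Live comparison against the real files (paths are assumptions; the web.config path depends on your web application).
$timerPath = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\OWSTimer.exe.config'
$webPath   = 'C:\inetpub\wwwroot\wss\VirtualDirectories\extranet.contoso.com443\web.config'
if ((Test-Path $timerPath) -and (Test-Path $webPath)) {
    $timerXml = New-Object System.Xml.XmlDocument; $timerXml.Load($timerPath)
    $webXml   = New-Object System.Xml.XmlDocument; $webXml.Load($webPath)
    $timerAttrs = Get-MembershipProviderAttributes -Config $timerXml -ProviderName 'Ext'
    $webAttrs   = Get-MembershipProviderAttributes -Config $webXml   -ProviderName 'Ext'
    $diff = Compare-ProviderAttributes -TimerAttrs $timerAttrs -WebAttrs $webAttrs
    if ($diff.Count -eq 0) { 'Provider settings match.' } else { $diff | ForEach-Object { Write-Warning $_ } }
}
```

The comparison is one-directional on purpose: every attribute the web application sets must be present with the same value in the timer configuration, because the job has to treat passwords and users exactly as the site does. Attributes that appear only in OWSTimer.exe.config are not reported, since the web application does not depend on them.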
Now that I have configured the UA options and subsequently configured the timer job, I want to monitor the job’s execution.  Here’s how you do it.  Navigate to Central Administration:

  1. From Central Administration’s Home page, click Monitoring
  2. On the Monitoring page, under the Timer Job section, click Check job status
  3. From the Timer Job Status page, in the view filter, click Service
  4. In the Service filter, click Change Service
  5. From the Select Service dialog, click Extranet Service
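The same check from the command line, as an added example that is not part of the post or of ExCM: Get-SPTimerJob lists every timer job in the farm, so a name filter is enough to see when the User Automation job last ran and how its last run ended, and SPSchedule.FromString is the parser SharePoint itself applies to schedule strings like the ones listed earlier, which makes it a quick way to validate a string before you create the job. The filter text "Extranet" is an assumption about how the ExCM job and service are named; adjust it to what Central Administration shows.

```powershell
# Added example, not from the original post or ExCM. Run in the SharePoint 2010 Management Shell
# (or load the snap-in as below). The 'Extranet' name filter is an assumption.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Test-SPScheduleString {
    # Uses SharePoint's own schedule parser; returns the parsed type or the parser's error message.
    param([Parameter(Mandatory = $true)][string]$Schedule)
    try {
        $parsed = [Microsoft.SharePoint.SPSchedule]::FromString($Schedule)
        return "OK      '$Schedule' -> $($parsed.GetType().Name)"
    } catch {
        return "INVALID '$Schedule' -> $($_.Exception.Message)"
    }
}

function Get-ExtranetTimerJobStatus {
    param([string]$NameFilter = 'Extranet')   # assumption: ExCM's job or service names contain this text
    Get-SPTimerJob |
        Where-Object { $_.DisplayName -like "*$NameFilter*" -or
                       ($_.Service -ne $null -and $_.Service.TypeName -like "*$NameFilter*") } |
        ForEach-Object {
            # Most recent history entry tells you whether the last run succeeded and why not if it failed
            $last = $_.HistoryEntries | Sort-Object EndTime -Descending | Select-Object -First 1
            $lastStatus = 'never run'
            $lastError  = ''
            if ($last) { $lastStatus = $last.Status; $lastError = $last.ErrorMessage }
            New-Object PSObject -Property @{
                Job         = $_.DisplayName
                Schedule    = $_.Schedule.ToString()
                LastRunTime = $_.LastRunTime
                LastStatus  = $lastStatus
                LastError   = $lastError
            }
        }
}

# The schedule strings listed in the post, checked with SharePoint's parser
$examples = 'every 5 minutes between 0 and 4', 'hourly between 0 and 59', 'daily at 15:00:00',
            'weekly between Fri 22:00:00', 'monthly at 15 15:00:00', 'yearly at Jan 1 15:00:00'
foreach ($s in $examples) { Test-SPScheduleString -Schedule $s }

Get-ExtranetTimerJobStatus | Format-Table Job, Schedule, LastRunTime, LastStatus, LastError -AutoSize
```

A job that shows a LastRunTime but a failed LastStatus with a SQL or provider error in LastError usually means the OWSTimer.exe.config edit from the previous step is missing, malformed, or has not been picked up because the timer service was not restarted.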

In summary, many organizations using ExCM to manage their extranet need to provide specific and ongoing security for extranet user accounts.  For example, if an employee with an extranet account leaves the company, a “live” account with working security credentials is potentially abandoned.  Realistically, it is nearly impossible for a client running a SharePoint extranet to manually keep up with the employment status of extranet users from partner companies. Without ExCM 2010’s User Automation functionality, abandoned extranet user accounts would accumulate and could pose a security threat.  With ExCM 2010’s UA feature, SharePoint Administrators can have the peace of mind of knowing that abandoned accounts can be expired automatically based on periods of inactivity, failure to update passwords, or both.

Overcoming One of the Biggest Challenges We All Face


by Ricky Spears
As a SharePoint consultant and instructor for SharePoint Solutions I work closely with a variety of other SharePoint professionals and users from a variety of different organizations and industries. These professionals openly share their challenges with me--their victories, their failures, and their ongoing battles.
The thing that would surprise most of them is that the single biggest challenge each type of user faces (in every type of organization) is the exact same challenge. Unfortunately, they each see the challenge only from their own individual point of view. Not only that, they each initially seem to be incapable of seeing the problem from the other person's perspective--so they don't realize it's the exact same problem.

Consider These Complaints…
  • A SharePoint Server Administrator tells me, "I can't trust our power users with SharePoint Designer--I know they'll break something and I'll have to fix it."
  • An IT Manager tells me, "If we let users create Access Web Databases, we'll ultimately have to support those databases—and they won't be designed properly in the first place."
  • A Power User tells me, "My boss wants me to automate a particular business process, but IT won't let me publish browser-enabled InfoPath forms to SharePoint—and not everyone has InfoPath."
  • Another Power User tells me, "I need to create a dashboard, but the Server Administrator won't set my library as a trusted location for Excel Services."
  • A Site Owner tells me, "We've got 5 GB of documents on our H: drive that I want to move into SharePoint, but IT limits our sites to only 100MB each."
  • An End User tells me, "It's so frustrating to have to page forward through several pages of documents to get to the ones I use most often, but I'm not allowed to create the metadata columns and views that would allow me to quickly get to the items I need."
Do you see the common problem?
Each type of user is oblivious to the needs and objectives of the other types--and the result is a decrease in productivity and efficiency for the overall business.

There is a solution—communication +.
You're probably thinking, Communication?!  I've tried communicating with them; they just don't understand! And you're absolutely right. Each of you can talk about your problems, frustrations, and expectations until you’re blue in the face, but the odds are each one still won't understand the other's position and needs.

Each of you is communicating, but it’s like you’re speaking two different languages. You need to move beyond communication—simply sharing the facts—to a deeper level of communication. You can call it “communication +” or what I like to call it, “personal conversation.”
A Story about How I Handled This Problem

Let me share a story with you about this problem in my own life and the solution I eventually discovered.

I was working in the e-Services department of a large credit union. I was the Webmaster; essentially everything that worked in a web browser was my responsibility: Internet, intranet, and extranet. Unfortunately, I didn't work in the IT department. The e-Services department was established to bridge a gap between the Marketing department and the IT department, and I didn't fit in either area. Employees of the Marketing department saw me as a technical IT-type and treated me as such. Likewise, people in the IT department saw me as a more of an Advanced Power User who had too much potential to create problems—and they treated me as such. So I experienced both the Admin side of the issue and the Power User / End User side as well—and I experienced them both at the same time. For a few years it was like pulling teeth to get anything at all done.
Eventually, things became easier. Although there were still issues to work through at times, it wasn't nearly as bad as it had been those first few years. We began to butt heads and move forward instead of butting heads and standing still until one of us got our way.

What changed?
I became friends with the people in the Marketing department and the people in the IT department. I developed relationships with them, some of which have continued for years since I left. It started with me having lunch with the people I needed to support me. Over lunch, I got to know them personally outside of just their business role, and they got to know me personally as well. As we got to know each other better, we also got to know each other's business challenges—some which didn't involve the other at all and some which did --as either the problem or the solution.

As we got to know each other better, we wanted to help each other succeed. Ultimately, that helped the organization succeed. 
How Can You Do This?
You're probably thinking that this sounds good, but you have no idea how to make it happen. Here is how you start: take the person to lunch who you feel is challenging you most in regard to your SharePoint projects. If you're the Server Administrator, identify the Power Users in your organization and take them to lunch. If you're the Power User or End User, invite your SharePoint Server Admin to lunch.

This isn't meant to be a working SharePoint lunch. It's meant to be a time of getting to know one another. In fact, if the conversation gets onto the topic of business or SharePoint, I encourage you to change the subject.
Try to make it a one-on-one thing. If you’re more comfortable in a group, balance the types of people in the group so one person doesn't feel like he's being ganged up on. Keep the group small though (probably only four people) or else the Admins will only talk to the Admins and the Power Users to the other Power Users.

If lunch doesn't work for you, consider drinks after work, or ice cream, or even coffee. The important thing is to get away from the office and to get to know each other. The less structured it is the better.
After the first outing or two, you'll have found some common ground. You will have begun to trust each other and you'll be communicating more openly. Then you can begin adding your business challenges into the conversation. You'll be able to openly talk about your challenges without thinking the other has some hidden agenda. And you'll discover that each of you not only can help the other, but actually wants to help the other when possible.

Shattering the Barrier
Once friendship is established, concerns and objectives can then be shared openly.

  • The Power User may discover that the Server Admin just doesn't want him to mess up the Master Page, and the Server Admin may discover that the Power User just wanted to create a data view on a page and is fine not exploring the options beyond that.

  • The Server Admin may discover that a Power User really does have a lot of database experience and knows how to properly design an Access Web Database that she shouldn't have to support later.

  • The End User may discover that SQL storage space and performance will be a problem with all those documents, but he can work with the Server Admin to create a new site collection where storage isn't an issue, but that it still appears integrated with the rest of the intranet.
We can always find win-win types of solutions for our friends that we trust.

Your Challenge for This Week

If you're a Power User or Advanced End User, take your SharePoint Server Admin to lunch. If you're the SharePoint Server Admin, take one of your organization's Power Users to lunch. Then, continue to do this every two or three weeks.
Send Me the Receipt!
After that first lunch, scan in the receipt and send it to me. No, I'm not going to reimburse you; I just want to know you actually did it. I promise you, the rewards will be much greater than a free lunch. However, if you come to one of my classes, I'll cover a lunch for you where you and I can get to know each other as well. Deal?
Thursday, June 14, 2012

The Missing Pieces in Most SharePoint Server Administrators’ Skill Sets

Last year a four-year-old boy made national news when he took his mother’s SUV for a joyride. For a boy his age, he had some impressive driving skills. He managed to maneuver onto a busy Southern California street during rush hour, making his way through several turns and intersections. Eventually, though, his lack of training caught up with him and he crashed into a fence after crossing into oncoming traffic. Fortunately, the daring lad wasn’t badly hurt, but his mom’s vehicle didn’t fare nearly as well. He had enough skill to get the car running down the street and to make a few panicky turns, but he didn’t have the training to control his speed, keep the SUV headed in the right direction or even stay in his lane.

I often hear students tell me, “I just want to learn to configure and administer SharePoint. I’m the Server Administrator and I’m not going to be involved in the day-to-day business use of it.” Or an IT Manager may tell me, “Kelly is going to be our new SharePoint Server Administrator. She just needs to know how to administer and configure the server—she doesn’t need all that end-user stuff.”

When I hear statements like these, I get an uneasy feeling in the pit of my stomach. It’s similar to how I would feel if I were asked to ride with someone who knew how to start a car and make some very basic maneuvers, but hadn’t been trained on how to really drive it or how to adjust to the different circumstances we might encounter on our journey. Although it isn’t life-threatening if a SharePoint Admin doesn’t know how people are using SharePoint within the organization or what SharePoint offers for solving business problems, I feel it does pose a significant threat to the business.

It’s possible for someone to administer a mail server, a file server, or a web server, without knowing much about how business users are using those things or knowing what business users want to do with them; in fact, this is extremely common. That’s not the case with SharePoint, however.

In my experience, the best SharePoint Server Administrators have a combination of three skill sets:

  • Business knowledge and experience. SharePoint integrates with every area of a business: sharing information, creating information, collaboration, information discovery, business intelligence, business process automation, and social interaction. The more a SharePoint Admin knows about your business (the business in general, its specific day-to-day operations, and its short-term and long-term goals) the better prepared she will be to configure SharePoint to support the needs of your business.
  • SharePoint knowledge and experience from a business perspective. SharePoint is more than just software; it’s a platform that supports the entire business. The more a SharePoint Admin knows about what SharePoint offers for the business, and how employees can best make use of those features, the better prepared she will be to configure those SharePoint features so your employees can best take advantage of them.
  • How to configure and administer SharePoint. Obviously. It’s why we call them SharePoint Server Administrators. :-)

If your SharePoint Server Administrator is lacking in one of these three areas, she’s a lot like the young boy who managed to get the vehicle on a road but didn’t really know how to drive it. That’s scary.

If your SharePoint Server Administrator doesn’t have knowledge and experience in the business side of your business, I recommend that you begin teaching her about the business: let her shadow employees in a variety of areas of the business; provide opportunities for her to hang out with managers throughout the business who will share about the business from their perspective; and make her aware of what the company goals are, why they are important, and how you plan to achieve them.

We can help with building the other two skill sets. The first day of our Introduction to SharePoint 2010 for Server Administrators class focuses on how end users can use SharePoint for sharing information. SharePoint is capable of much more than just sharing information; for this reason, many Server administrators also take our Introduction to SharePoint 2010 – Using SharePoint Server 2010 to get a good overall understanding of how business users can use SharePoint on a day-to-day basis. Once they have this information, they are better prepared to return to work and configure SharePoint so the users in their businesses can make the best use of everything that’s available in SharePoint.

We want to be your partner in preparing your SharePoint Server Administrators to help drive your business where it wants to go.

Wednesday, June 06, 2012

Implementing SharePoint Extranet Collaboration Manager 2010 (ExCM) Advanced Features– Part 2 – Extranet Account Managers


By Matthew McBride
Overview of Extranet Account Managers
In the 2007 version of Extranet Collaboration Manager (ExCM), we received a lot of feedback from customers regarding Site Collection Administrators and their ability to delete external accounts.  Many of them experienced inadvertent user deletion due to the elevated permissions a Site Collection Administrator has by default.

In Extranet Collaboration Manager for SharePoint 2010, users can only be deleted from the following Users tab ribbon in the ExCM Extranet Users menu:

By default, only SharePoint Farm Administrators can view this area.  For all other users, including Site Collection Administrators, the tab is hidden:

While this addresses the inadvertent deletion of users, there may be situations where administrators want to grant a particular user the ability to delete an account, but NOT grant that user Farm Administrator privileges.  The Extranet Account Manager (EAM) feature addresses such instances.
Granting Users Extranet Account Manager Privileges
An EAM is defined as a user who is a Site Collection Administrator and has been appointed an Extranet Account Manager using the SharePoint Management Shell.  One can grant EAM access to either a Windows or Forms Based account.

ExCM 2010 comes with a SharePoint Service object used to provide farm wide services and configuration data.  This opens up some advanced options available via a command line interface.  To activate the service, open the SharePoint Management Shell and type the following command:



Next, enter the command to create a new EAM:


Next, specify the identity of the new EAM.  This is the fully qualified login name of the account, so enter it in the format that matches the type of user you are adding (Windows or FBA):
Windows:            DomainName\Username (for example, ACME\TestyTester)
FBA:                      MembershipProviderName:Username (for example, Ext:ExtranetUser)
Finally, specify the Membership Provider Name(s) that you want the EAM to manage.  In this case, I only have one provider (Ext), so I will use it:

One can verify that the account was added successfully by typing this command:


If I now log on to my site as “extadmin@demo.com,” I see the following under the “Extranet Users” menu:




In summary, Extranet Collaboration Manager for SharePoint 2010’s Extranet Account Manager feature allows SharePoint Admins to grant certain users the ability to fully manage your Extranet Users, including the ability to delete them, without having Farm Admin privileges.  Either Windows or FBA accounts can be granted EAM privileges.
Saturday, June 02, 2012

Implementing SharePoint Extranet Collaboration Manager 2010 (ExCM) Advanced Features – Part 1 – Authentication Provider Mapping


By Matthew McBride

Overview of Authentication Provider Mapping
SharePoint Extranet Collaboration Manager 2010 (ExCM) can streamline the experience for users located inside your corporate network by implementing a feature called Authentication Provider Mapping (APM).  This simply maps an IP address to a specific authentication provider.  When APM is enabled and configured, it will determine whether the request for your ExCM page is coming from inside your network or from an external user.  This is achieved by specifying a range of IP addresses belonging to your internal network and then specifying the authentication provider that is to be used (Windows in this case).

By default, all requests to your ExCM site are sent to our custom sign in page (assuming you have configured it within Central Administration).  Notice the “Sign in using Windows Authentication” link near the bottom:

 

This can be useful if your corporate users want to access the ExCM site externally, but can be redundant for those users when inside the network since they have already logged on to their workstation using the same information.  However, by configuring APM and a couple of items within Internet Explorer (IE), your internal users will bypass this page and be sent straight to the top level site without providing any further information:

Configuring Authentication Provider Mapping

The first thing we need to do to configure APM is to enable the PowerShell service provided as part of ExCM 2010.  This service provides additional configuration options not available in the normal User Interface (UI).  To enable the service, open up the SharePoint Management Shell and type the following command:

Next, we need to add a mapping.  Note that you can add a single IP address or an entire subnet.  You can also break the IP range into smaller subnets using masks.  In this example, we will add the entire 192.168.0.* subnet.  To create a new mapping, type the following:


Then we will need to specify the subnet and the authentication provider to be used (Windows, or AD, as in this case):

We can verify the mapping by typing this command:


With APM configured, we also need to ensure that IE is set up to authenticate the user accordingly.  To do this, we need to first add the ExCM site to the “Trusted Sites” list:


Then we need to ensure that the “Automatic logon with current user name and password” setting is enabled for the Trusted Sites zone security level.  Be aware of what this setting does: IE will then answer a Windows authentication challenge from any site in the Trusted Sites zone by sending the logged-on user's credentials without prompting, so keep that zone limited to hosts you control rather than adding broad wildcard entries:
With those settings in place, your internal users will never be presented with the ExCM Sign In page when accessing the site…they will simply be sent directly to the Top Level page.
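Both IE settings are plain registry values, so they can be set (and, more usefully, verified) from a script instead of clicked through per user. The following PowerShell is an added example, not code from the original post or from ExCM: it adds the extranet host to the Trusted Sites zone the way the IE dialog does and sets that zone's logon policy to automatic, then reads the policy back. The host name extranet.contoso.com is an assumption, the functions write only the current user's settings (HKCU), and IE must be restarted to pick them up; for all users the same values belong in Group Policy (Site to Zone Assignment List and the zone's Logon options), which overrides whatever is in HKCU.

```powershell
# Added example, not from the original post or ExCM: write the two Internet Explorer settings the post
# configures through the UI into the registry for the current user. The host name is an assumption.

$ZoneMapRoot      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZonesRoot        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$TrustedSitesZone = 2    # 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites

function Add-TrustedSite {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [ValidateSet('http', 'https')][string]$Scheme = 'https'
    )
    # IE stores host.example.com as Domains\example.com\host, with a DWORD named after the scheme
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw 'Use a fully qualified host name, e.g. extranet.example.com' }
    $domain = ($labels[-2], $labels[-1]) -join '.'
    $key = Join-Path $ZoneMapRoot $domain
    if ($labels.Count -gt 2) {
        $key = Join-Path $key (($labels[0..($labels.Count - 3)]) -join '.')
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value $TrustedSitesZone -PropertyType DWord -Force | Out-Null
    return $key
}

# Value 1A00 is the zone's "Logon" option:
#   0x00000 automatic logon with current user name and password
#   0x10000 automatic logon only in Intranet zone
#   0x20000 prompt for user name and password
#   0x30000 anonymous logon
$LogonModes = @{ Automatic = 0x00000; IntranetOnly = 0x10000; Prompt = 0x20000; Anonymous = 0x30000 }

function Set-ZoneLogonPolicy {
    param(
        [int]$Zone = $TrustedSitesZone,
        [ValidateSet('Automatic', 'IntranetOnly', 'Prompt', 'Anonymous')][string]$Mode = 'Automatic'
    )
    $key = Join-Path $ZonesRoot $Zone
    if (-not (Test-Path $key)) { throw "Zone key $key does not exist" }
    New-ItemProperty -Path $key -Name '1A00' -Value $LogonModes[$Mode] -PropertyType DWord -Force | Out-Null
}

function Get-ZoneLogonPolicy {
    # Reads the policy back so the change can be verified, and so you can audit other machines
    param([int]$Zone = $TrustedSitesZone)
    $item = Get-ItemProperty -Path (Join-Path $ZonesRoot $Zone) -Name '1A00' -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'not set (IE default applies)' }
    $value = [int]$item.'1A00'
    foreach ($name in $LogonModes.Keys) { if ($LogonModes[$name] -eq $value) { return $name } }
    return ('unknown (0x{0:X})' -f $value)
}

# Usage (the host name is an assumption)
$written = Add-TrustedSite -HostName 'extranet.contoso.com' -Scheme 'https'
Set-ZoneLogonPolicy -Zone $TrustedSitesZone -Mode 'Automatic'
"Trusted Sites entry written at $written; Trusted Sites logon policy is now: $(Get-ZoneLogonPolicy)"
```

Get-ZoneLogonPolicy is the part worth keeping around: run it on a few workstations before going live, because a machine whose zone policy is still IntranetOnly or Prompt will show the Windows credential prompt even though APM routed it to the Windows provider correctly.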

Additional Considerations and Summary
There are a couple of things to keep in mind before and while you implement APM.  First, do NOT use APM during your ExCM testing phase: with a mapping in place, requests from inside the network never reach the sign-in page, which makes it difficult to test Forms Based Authentication user credentials.  Second, APM decides on the source IP address of the request as SharePoint sees it.  If a device inside your network performs any kind of reverse proxying that replaces the original client address with its own (such as an F5), every user behind it appears to come from that address; you would need to add the address or range of addresses the device uses to the mapping, and if the same device also fronts external users, they will be sent to Windows authentication too.  Keep in mind that APM only selects which provider handles the sign-in; a user routed to the Windows provider still has to authenticate, so a mapping that is too broad is an inconvenience for external users rather than an access bypass.
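To make the two points above concrete, here is the address-to-provider lookup that APM performs, written out in PowerShell as an added example that is not part of the post and is not ExCM's own code: a mapping table of networks, masks and providers, a masked comparison of a client address against each entry, and a default of the forms sign-in page when nothing matches. The mapping table is constructed here (the post's 192.168.0.* subnet plus one single address), and the addresses used for the F5 and the Internet client are assumptions. It also shows the reverse proxy case: a request forwarded from the proxy's inside address is not matched until that address is added to the table.

```powershell
# Added example, not from the original post or ExCM: the source-address lookup APM performs,
# so you can predict which provider a client would be routed to. ExCM's own storage and
# matching code are not shown; the mapping table and addresses below are constructed.

function ConvertTo-AddressInt {
    param([Parameter(Mandatory = $true)][string]$Address)
    # IPv4 only. Byte order does not matter for a masked equality test as long as it is consistent.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $Address" }
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-AddressInRange {
    # True when $Address and $Network agree on every bit the mask keeps.
    param([string]$Address, [string]$Network, [string]$Mask = '255.255.255.255')
    $m = ConvertTo-AddressInt $Mask
    return (((ConvertTo-AddressInt $Address) -band $m) -eq ((ConvertTo-AddressInt $Network) -band $m))
}

function Resolve-AuthProvider {
    # First matching entry wins; no match means the request is sent to the forms sign-in page.
    param([string]$ClientAddress, [object[]]$Mappings, [string]$Default = 'Forms (ExCM sign-in page)')
    foreach ($map in $Mappings) {
        if (Test-AddressInRange -Address $ClientAddress -Network $map.Network -Mask $map.Mask) {
            return $map.Provider
        }
    }
    return $Default
}

# Constructed mapping table: the post's 192.168.0.* subnet plus one single address
$mappings = @(
    @{ Network = '192.168.0.0'; Mask = '255.255.255.0';   Provider = 'Windows' },
    @{ Network = '10.10.5.20';  Mask = '255.255.255.255'; Provider = 'Windows' }
)

# Three constructed clients: a workstation inside the subnet, an Internet client, and a request
# that an F5 forwarded from its own inside address (10.20.0.7), which is not yet in the table.
foreach ($client in '192.168.0.42', '203.0.113.10', '10.20.0.7') {
    '{0,-16} -> {1}' -f $client, (Resolve-AuthProvider -ClientAddress $client -Mappings $mappings)
}

# Map the F5's inside address, as the post recommends, and resolve it again
$mappings += @{ Network = '10.20.0.7'; Mask = '255.255.255.255'; Provider = 'Windows' }
'{0,-16} -> {1}' -f '10.20.0.7', (Resolve-AuthProvider -ClientAddress '10.20.0.7' -Mappings $mappings)
```

The last two lines are the trade-off from the considerations above in miniature: once the proxy's address is mapped, every request the proxy forwards resolves to the Windows provider, whoever is behind it, which is fine for a proxy that only serves internal users and wrong for one that also fronts the Internet.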

In summary, Authentication Provider Mapping can greatly streamline the experience for your internal users when accessing a SharePoint Extranet Collaboration Manager 2010 (ExCM) site inside your corporate network.  When APM is configured, these users will be sent directly to the top level site without having to provide any further credentials.