Category Archives: Everything

“Every” post goes into this category

SPSecurityTrimmedControl

This is one of those blog posts that I cannot take credit for, but want to keep the information handy for a later time.

The SPSecurityTrimmedControl shipped with WSSv3 is a very powerful control. It basically allows you to conditionally display content depending on the user’s permission.

Thanks to Waldek for his post on conditional security trimming of page layout content in SharePoint.

Vista MCE and HD – At Last

Recently – I finally decided to take the plunge with Vista Media Center Edition and High Definition Cable TV…. 

I’ve been a fan of MCE for some time, and up until February this year I’d been using Vista MCE with a standard analogue cable line into a dual receiver Hauppauge tuner card and doing relatively well.  Those of you following my rants about Comcast Cable TV of Montgomery County already know that I’d sell my grandma for a time when a better, cheaper solution to cable TV was available – and that time has finally arrived (I didn’t have to sell my Grandma – besides EBay prohibits the sale of family members).

Verizon now offer FIOS TV in my area, and with a standard premium package inclusive of HDTV on offer for $42.99 a month, it didn’t take much to ditch Comcast ($68.00 a month).

I’ve been keeping a close eye over the last few months on the handful of vendors offering Cable-Labs certified Vista PC’s and decided on the purchase of a new Dell XPS 420 with dual ATI TV Wonder Cable Card Tuners.  My decision came down to the following rationale:

  • Dell offers the cheapest Cable-Card solution (at time of writing).
  • Unless I fork out over 4G for a machine; most Vista machines offering Cable-Card are inferior to the Dell XPS.
  • ATI is pretty much the only supplier of Cable-Card tuner for Vista and Dell sold me a pair for $350, unlike other vendors charging $280 a piece.
  • Dell would ship me a machine within a month.
  • Dell is a well known brand.
  • Internal tuners do not sell me because my machine sits out of the way in the basement.

Two weeks after I placed my order for an XPS-420 with 1TB disk, 4G RAM and the dual tuners, a new box arrived on my doorstep – ahead of schedule.

Setup of my machine was straightforward – my Dell shipped with Vista Home Premium and Cable Card support and the drivers for the ATI tuners installed.  After I uninstalled the free Dell software and turned off all unnecessary services in Vista (it’s a server, so no need for Aero) I was ready for the Verizon service person to come and install Cable Card TV.

At 11am one chilly Saturday morning the Verizon guy arrived – I’d called ahead and placed the installation order for Cable-Card so he came with this expectation.  My new XPS was running in my front room, connected to an LCD monitor (so no XBOX 360 Extender to confuse the issue) and MCE running and at the cable-card configuration screen.

The Verizon engineer had never installed Cable-Card in a computer before, but I assured him it was as easy as installing for an HD-TV.  I read somewhere ahead that each cable-card pairs with its host tuner, so make sure you know which ATI unit is tuner #0 and tuner #1 in MCE because the engineer calls in the cable-card serial number with HQ to activate the cable signal.

After a short wait on the phone with HQ both cable-cards were activated and receiving a signal – I was then able to tune Vista to an HD channel.  During the whole process the most difficult part was downloading the correct EPG (Guide) for my area because there are several for my zone and each has a slightly different channel number line up.  With correct EPG installed and tuners configured I was able to watch and record HDTV, the only issue I had was with some of the channels in the guide not being part of my service package, which caused Vista to pause looking for the signal when I tuned to these channels.

After tipping the Verizon guy and wishing him a good day I proceeded to move my XPS to its resting place and hook up my XBOX 360. As with my older machine, this process was a breeze, and it didn’t take long before I had HDTV on the large screen.  A tip for those hooking up a similar setup – make sure you have a nice fast network link between your XBOX and MCE, no wireless for instance, otherwise HDTV will hog the bandwidth.

The acid test with my new setup was whether my wife would have any issues when she came home.  Lisa is familiar with Vista MCE so the new faster machine scored some brownie points, and the monthly savings on the cable bill also got me a high five.  So far we’ve been doing good with the new channel line up (lots more channels) and HD content.  One quirk we found with Vista MCE is that it doesn’t automatically choose HD channels when scheduled recordings are set to “any channel” – you have to explicitly choose the HD channel otherwise Vista records from the first SDTV channel (since HD channels are higher numbering in the channel list).  An episode of “Dancing with the Stars” in HD was day and night compared to SD, and once I demonstrated the difference it didn’t take much to convince Lisa to reprogram the list of scheduled recordings.

I’ve noticed that my MCE platform is a little sluggish when recording from two HD channels and playing a recorded show simultaneously, so I would recommend a minimum 4GB RAM and a dual or quad core processor if you like uninterrupted viewing.  I’ll report back as my new toy gets more usage…

Prolific PL-2303 Driver – Vista x64

I purchased a USB to RS232 Serial cable so I could hook up my GPS unit to my laptop and found out that installing the driver on Vista 64 was problematic. 

Disabling driver signing verification with the following command at an elevated prompt, followed by a reboot, enabled me to install the driver.

BCDEDIT.EXE /SET NOINTEGRITYCHECKS ON

Download the prolific XP 64 bit driver (installs on Vista 64 after disabling driver signing verification) from:

Link

SharePoint Identity

SharePoint user identity is sometimes confusing for developers….

  • When connecting to external resources (like a SQL database via BDC) what user identity does SharePoint use? 
  • How does SharePoint impersonate when using forms-based authentication?
  • What’s the difference between a Windows user and a WSS User?
  • What is SPSecurity.RunWithElevatedPrivileges?

It’s questions like those above that can often lead to confusion – throw IIS authentication settings into the mix and developers too often find themselves scratching their heads as to why BDC (Business Data Catalog) or external resource access is not working.

My attempt at explaining impersonation within SharePoint is best summarized with the following table:

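| Authentication   | Windows Account  | WSS Account       |
|------------------|------------------|-------------------|
| FBA              | IUSR_MACHINENAME | FBA User          |
| Elevated FBA     | App Pool User    | SHAREPOINT\System |
| Windows          | Windows User     | Windows User      |
| Elevated Windows | App Pool User    | SHAREPOINT\System |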

Impersonation

SharePoint keeps track of two different user account types – Windows account identity, and internal WSS account.  SharePoint uses the WSS account to grant access to secured SharePoint objects – lists, documents etc.  The ASP.NET runtime, which SharePoint sits atop, impersonates the Windows account identity when executing a SharePoint web application, and it is this impersonation that dictates whether web parts or custom code logic is able to access external secured resources (files, SQL server etc).

Taking a closer look at the web.config for a virgin SharePoint site shows the following XML node:

<configuration>
  <system.web>
    <identity impersonate="true"/>
  </system.web>
</configuration>

The above node allows the ASP.NET runtime to impersonate the Windows account passed by IIS (setting this to false restricts ASP.NET to run under the default worker process – typically the ASPNET local account).

Windows Authentication – SharePoint is configured by default to use Windows authentication (NTLM or Kerberos).  When the user attempts to access a secured page within SharePoint an HTTP 401 status code is passed back through IIS, which then causes the familiar Windows credentials prompt to appear in the browser.  Once the user supplies valid credentials, IIS authenticates the user and passes the Windows user token on to SharePoint.  The SharePoint web site executes within this new authenticated user context.  In this authentication scheme the WSS account and Windows identity account are synonymous – line 3 in the table above.

Forms Based Authentication – FBA is a completely different animal to Windows Authentication and is managed by ASP.NET rather than IIS.  By default IIS passes the standard IUSR_MACHINENAME local user account token to ASP.NET.  ASP.NET is configured to authenticate using forms by the following XML in the web.config file:

<configuration>
  <system.web>
    <authentication mode="Forms"/>
  </system.web>
</configuration>

When ASP.NET detects FBA and a secured page is requested by a user, the runtime looks for a known cookie. If the cookie is present the authentication succeeds; otherwise ASP.NET redirects the user to a login page.  Upon successful authentication the SharePoint web application runs under the IUSR_MACHINENAME user context.  The WSS account is represented by the forms authentication identity, which is dependent on the membership provider configured in ASP.NET.  Example WSS account identities under FBA are SQL member accounts via the Local SQL Membership Provider or AD member accounts via the AD Membership Provider.

Note: Authenticating against Active Directory using the AD forms-based membership provider is NOT the same as authenticating via Windows NTLM or Kerberos – in the former case the user context is still IUSR_MACHINENAME, whereas Windows authentication receives the user token for the authenticated user from IIS.

Elevated Privileges

Anyone who has played with the SharePoint object model has probably used the SPSecurity.RunWithElevatedPrivileges function.  This function allows access to secured SharePoint objects from the object model by changing the WSS user account context to SHAREPOINT\System – a highly privileged user in SharePoint.  Calling this function also has the effect of changing the current Windows user context to the current application pool user, configured in IIS.  In typical SharePoint farm installations, the application pool user is an AD user with restricted permissions and limited access to external resources, although typically this user has more permissions than the local IUSR_MACHINENAME user.

Good Practice

If you’re not concerned with FBA and/or anonymous access to your SharePoint sites then the anonymous account used by IIS is of no concern to you.  All you need to remember is that the elevated privilege method switches the current authenticated Windows user to the app pool user, which is probably desirable if the app pool user is configured for external resources via BDC.  Most developers use this method to gain access to secured SharePoint objects, but it is just as useful if you need access to external resources.

When setting up FBA with anonymous authentication scenarios it is important to be aware of the IUSR_MACHINENAME Windows account in context.  For example, if you reference custom ASCX files in SharePoint page templates and these ASCX user controls live in a secured directory on the server, then you’re going to see requests for credentials on your anonymous site. If you have a web part that needs to access a third party system or network resource then the IUSR_MACHINENAME account will prevent your web part from working.  Generally I suggest the use of the SPSecurity.RunWithElevatedPrivileges function when accessing network/external resources.  However, if you want to avoid a potential security hole because your code can now access any SharePoint object via SHAREPOINT\System, then an alternative is to configure the IIS anonymous account as an AD domain account.

Hopefully this blog post has dispelled the common confusion surrounding SharePoint identity. I know that I’ll be coming back to the above table from time to time.
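The following is an added example, not code from the original post: a diagnostic web part that prints the Windows account and WSS account pair from the identity table, before and inside SPSecurity.RunWithElevatedPrivileges. The class name IdentityProbeWebPart is hypothetical; the elevated block is kept deliberately small and opens new SPSite/SPWeb objects, because objects taken from SPContext keep the original user's permissions.

```csharp
using System;
using System.Security.Principal;
using System.Web.UI;
using Microsoft.SharePoint;

// Hypothetical diagnostic web part (the name is an assumption for this example).
public class IdentityProbeWebPart : System.Web.UI.WebControls.WebParts.WebPart
{
    protected override void RenderContents(HtmlTextWriter writer)
    {
        // Normal request context: the Windows account is the token IIS passed on
        // (IUSR_MACHINENAME under FBA, the signed-in user under Windows auth).
        string windowsBefore = WindowsIdentity.GetCurrent().Name;

        // CurrentUser is null for an anonymous visitor.
        SPUser user = SPContext.Current.Web.CurrentUser;
        string wssBefore = (user == null) ? "(anonymous)" : user.LoginName;

        // Capture IDs only. SPSite/SPWeb objects created outside the delegate
        // keep the original user's permissions even when used inside it.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;

        string windowsElevated = null;
        string wssElevated = null;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // The Windows account is now the application pool identity.
            windowsElevated = WindowsIdentity.GetCurrent().Name;

            // Objects opened here run as the SharePoint system account.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                wssElevated = web.CurrentUser.LoginName;
            }
            // Do only the work that needs elevation inside this delegate, and
            // never hand the elevated SPSite/SPWeb to code that runs outside it.
        });

        // Encode on output: login names are data, not markup.
        writer.WriteEncodedText(string.Format(
            "Normal:   Windows={0}, WSS={1}", windowsBefore, wssBefore));
        writer.WriteBreak();
        writer.WriteEncodedText(string.Format(
            "Elevated: Windows={0}, WSS={1}", windowsElevated, wssElevated));
    }
}
```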

Custom XML Feeds in IE7

I often find myself writing custom XML generators in ASP.NET using Http Handlers.  To test my code I want to open my browser and render the XML – naturally. 

In the days of IE6 all was good – I could render the XML and Internet Explorer would show me a nicely formatted view of my XML with collapsible nodes (as above).  Since the inception of IE7 I’ve noticed this nice feature is broken (at least on the few machines I use).  I chalked this problem up to the new RSS viewer, built in to IE7, and have got along by saving my XML and opening the result in Visual Studio (or some other XML editor). 

Today I was done with the extra effort in the XML debugging process, so I decided to see what was up IE7’s butt as to why it would not render my XML.  It seems that the RSS viewer had nothing to do with it; the problem was a result of a missing MSXML3.DLL registration (go figure). The following command issued at an elevated command line followed by a browser restart fixed all for me:

regsvr32 msxml3

Before all you Firefox fans start jumping up and down (yes, I use FF too)... I know FF always renders XML without issues, but I was tired of installing FF on each and every Virtual Server I found myself on developing dynamic XML.

SharePoint Custom Content & Structure Report

I came across some really cool functionality in SharePoint 2007 today…. 

One of my clients has a deep hierarchy of sites and pages maintained in SharePoint – this hierarchy drives content management for their web site.  Most of the publishing pages on their site have an embedded boolean field, called “Appear on Home Page” as part of the page content type, which controls whether elements of the data contained in the page are featured on the site home page. 

My client wanted a roll-up view across the whole site of all pages where the “Appear on Home Page” field was set to “yes” so they could administer home page articles in one location rather than searching across the hierarchy manually.

Those of you familiar with WCM in SharePoint 2007 may know about the various “Content and Structure Reports,” available via either “Site Actions” menu or within the “Content and Structure” view under the view menu.  These reports traverse the site hierarchy looking for pages meeting certain criteria and display the matching pages as a list.  Users can then view/edit/delete these pages, like they would any other collection of pages contained within document libraries. 

How neat it’d be to create custom reports similar to those shipped with MOSS.

 

Turns out that adding your own “Content & Structure Report” into SharePoint is trivially easy:

  1. Access the “Content and Structure Reports” list at /Reports%20List/AllItems.aspx
  2. Add a new list item and set the CAML query field to the expression required, in my case:

    <Where><Eq><FieldRef Name="Appear_x0020_on_x0020_Home_x0020_Page"></FieldRef><Value Type="Integer">1</Value></Eq></Where>

  3. Presto, the new report is available.

“Submit” ASP.NET and SharePoint

One of my developers and I ran into an interesting problem today – we’d migrated a web site over to SharePoint 2007 (using a popular content migration tool) and found that all page postback calls in SharePoint were giving JavaScript errors, specifically:

Object doesn’t support property or method.

Turns out that our master page and page layouts contained input controls (text boxes) with name/id as “submit”.  Use of this reserved name sent ASP.NET’s JavaScript code into a tailspin and wreaked havoc with any postback submissions.

So, when you develop web sites in ASP.NET and/or SharePoint, be inventive with names for your buttons, text boxes and hidden fields – how about btnSubmit 😉

I read somewhere else that naming the main ASP.NET form “default” is a no-no also.

Visual Studio 2008

I finally got around to installing VS2008 RTM today – wow what a marathon!  4 hours after I started, I finally had 2008 installed and working. 

I was running into problems installing the Microsoft .NET Framework 3.5 – both from the VS2008 installer and when I attempted to install the framework as stand-alone.  Vista adds complication to the install because .NET 2.0 and .NET 3.0 are part of the Vista OS, and it is when .NET 3.5 attempts to upgrade these previous framework versions that problems occur.

[12/30/07,12:23:51] Microsoft .NET Framework 3.5 ‘package’: [2] Error: Installation failed for component Microsoft .NET Framework 3.5 ‘package’. MSI returned error code 1603
[12/30/07,12:24:00] WapUI: [2] DepCheck indicates Microsoft .NET Framework 3.5 ‘package’ is not installed.

I read numerous blog posts about uninstalling hot fixes on Vista, which seemed to aggravate .NET 3.5 all the more because the installer then belly ached that .NET 2.0 SP1 was missing.  Each time I’d rerun the .NET 3.5 installer the process would run for about 40 minutes on my dual core 64-bit laptop before coughing up some error.  It is amazing how many other things you can get done if you’re not watching Microsoft progress bars – I managed to prepare lunch, eat it, clean up, and have time for a short nap in the time that my machine spent chugging, apparently to a worthless end with each iteration.

I finally resolved my problem by uninstalling IIS on Vista (I rarely use it anyway) after reading similar complaints on this forum – after a quick reboot the full installation of .NET 3.5 and Visual Studio 2008 et al went without a hitch. 

I love MS products, when they work, but I have to wonder why each version of Visual Studio (I had the same pains with VS2005 and VS2003) requires open heart surgery on my operating system and half a day of an unusable machine before the installation finally works – and I didn’t even meddle with Beta versions this time! 

Is it just me? Am I expecting a lot from the Visual Studio team? Is this the norm and I should be quiet about it?