Tuesday, February 21, 2012

Testing Service Applications in SharePoint 2010

So you've taken time and built a farm, but you still wonder how do I test all of this?  Well stay tuned this week I  am going begin writing a series on how to test each and every service application that ships with SharePoint 2010.  I hope that this will become a good resource for those of you, who like myself, would like to be able to test their farm and ensure it is running properly before releasing it to end users.  I will update this post as I release new articles in this series with links to each article.

Before testing applications setup a secure store: http://matthewchurilla.blogspot.com/2012/03/configuring-secure-store.html
Testing Access Services: http://matthewchurilla.blogspot.com/2012/03/testing-access-services.html

Thursday, February 9, 2012

Central Administration Prompts for Credentials

I stumbled across a quirky authentication issue when we enabled Kerberos on our Central Administration Web Applications for SharePoint 2010. Every time we launched Central Administration using the link provided on the start menu we would be prompted for credential entry, and everytime credentials were entered they would fail even if they were entered correctly. After double checking the SPNs it was obvious they were setup properly and Kerberos authentication should have been logging us in automatically.

 It turns out the problem here is somewhat related to another issue I posted about with our CRM environment (http://matthewchurilla.blogspot.com/2012/01/outlook-plugin-is-nice-feature-of.html). At first I looked at the command that was getting executed by the menu link and it was pointing to psconfigui.exe so it was hard to tell what was happening there. Next I opened internet explorer and found the Central Administration URL had been added to trusted sites and trusted sites does not automatically login users, only the intranet zone does this. It occured to me that psconfigui.exe must do something similar to what I discovered the CRM Outlook plugin doing.  In an attempt to be helpful it is adding the Central Administration URL to trusted sites but unfortunately when the URL is in trusted sites kerberos integrated authentication does not work. The solution to this problem is as simple as it was for CRM you just need to follow this process:

  • Find the URL that got added to trusted sites and remove it.
    • Internet Options -> Security -> Trusted Sites -> Sites
  • Open Local Intranet configuration and add the URL you just removed from trusted sites.  Make sure the URL matches exactly.  If you removed http://machine from trusted sites then add http://machine to local intranet sites.  If you removed http://machine.fqdn from trusted sites than add http://machine.fqdn to local intranet sites.
    • Internet Options -> Security -> Local Intranet -> Sites -> Advanced
  • Launch Central Administration using the start menu link; everything should work fine.