Sunday, October 09, 2011

Trust me, I’m digitally signed

InfoPath has this concept of trust levels. A form template can be running in one of three levels of trust – Restricted, Domain or Full Trust. By default, InfoPath uses the Restricted trust level. This prevents you from accessing any resources outside of the form template. If you add any managed code or data connections, InfoPath will raise the trust level to Domain. Sometimes your template needs to include code that requires the Full Trust level. If that’s the case, then you need to jump through extra hoops to enable this level.

There are two approaches that you can use to enable Full Trust – deploying the form to desktops using an installation package or digitally signing a form. To me, the first approach is cumbersome, as it requires you to redeploy the form any time there are changes. That’s fine if your forms are very stable, but most of the forms we work on go through multiple updates. Perhaps there are easy ways to redeploy forms using products like SCCM, but I haven’t any experience with them.

The second approach – digitally signing - allows you to deploy the form to a SharePoint forms library or network share. For me, this makes life easier if you need to update the template.

So what is involved in digitally signing an InfoPath template? In this post, I’ll walk you through my recent experiences. Digital signatures are just one of the many areas I’m no expert in, so please forgive any incorrect assumptions I have made. I was inspired to write this post due to the lack of information I found when researching this topic myself.

To state the obvious, before you can digitally sign a form template, you are going to need a digital certificate. This certificate needs to be issued by a “Certificate Authority” (commonly called a CA) that is trusted. My understanding is that our operating systems maintain a list of Trusted Root Certification Authorities. In Vista and Windows 7, this list of root certificates is updated any time your computer encounters a certificate signed by a Certificate Authority that it doesn’t already know about. You can read more about this on TechNet.

If you want to have a look at the list of Root Certificates on your computer, open Internet Explorer 9, then go to Internet Options – Content – Certificates – Trusted Root Certification Authorities. Have a look at the Untrusted Publishers while you are there. It just goes to show that you can’t trust everyone.


I believe that it is possible for an organisation to set up their own certificate server and register themselves as a Trusted Root Certification Authority on computers within their own network, but that is not something I have played with. Instead, we decided to purchase a certificate from Thawte, one of the main commercial Certificate Authorities.

My first challenge was trying to figure out exactly what I needed to buy. I couldn’t find any reference to InfoPath code signing on any of the Certificate Authority web sites. They all seem to offer a bunch of certificate types and it was unclear to me which one I needed. For example, Thawte offer a Microsoft Authenticode certificate and a Microsoft Office VBA certificate. Well, InfoPath is an Office product, but I’m not signing VBA code. I decided to go with the Authenticode option.

When I first started looking into digital signing, I wasn’t sure what exactly I needed to purchase a certificate for. Did I need a certificate for each InfoPath form template, for each computer that needed to sign forms or for each person? It turns out I was purchasing a certificate for my company. We could then sign any number of InfoPath forms with this certificate. We could deploy the code-signing certificate to as many computers as we wanted and it could be used by as many staff members as we wanted. It makes sense though to keep a tight control over who has access to the certificate, otherwise you run the risk of your certificate being used to sign code that you really don’t want to be associated with.
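The same stores that the Internet Options dialog shows can be inspected from PowerShell, which is handy once you want to check more than one machine. This is an added example, not code from the post; it uses only the built-in Cert: provider, and the function names are my own. The store names are the Windows ones: Root is Trusted Root Certification Authorities, Disallowed is the store the dialog labels Untrusted Publishers, My is Personal.

```powershell
# Added example, not code from the original post: inspect the certificate stores
# the Internet Options dialog shows, but from PowerShell's Cert: drive.

function Get-TrustedRootCAs {
    # Every CA the current user (or, with -Location LocalMachine, the machine) trusts.
    param([string]$Location = 'CurrentUser')
    Get-ChildItem "Cert:\$Location\Root" |
        Select-Object Subject, NotAfter, Thumbprint |
        Sort-Object Subject
}

function Get-UntrustedCertificates {
    # The Disallowed store: certificates Windows explicitly refuses to trust.
    param([string]$Location = 'CurrentUser')
    Get-ChildItem "Cert:\$Location\Disallowed" |
        Select-Object Subject, Issuer, Thumbprint
}

function Get-CodeSigningCertificates {
    # -CodeSigningCert keeps only certificates whose Enhanced Key Usage includes
    # Code Signing, which is what a signing certificate has to carry.
    param([string]$Location = 'CurrentUser')
    Get-ChildItem "Cert:\$Location\My" -CodeSigningCert | ForEach-Object {
        $exportable = $null
        if ($_.HasPrivateKey -and $_.PrivateKey) {
            # CSP-backed keys report whether the private key can be exported;
            # an exportable key is easy to copy to a machine you did not intend.
            try { $exportable = $_.PrivateKey.CspKeyContainerInfo.Exportable } catch { }
        }
        New-Object PSObject -Property @{
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
            Exportable    = $exportable
            ChainsToRoot  = $_.Verify()   # does the chain end at a trusted root right now?
            Thumbprint    = $_.Thumbprint
        }
    }
}

# Usage
Get-TrustedRootCAs | Format-Table -AutoSize
Get-UntrustedCertificates | Format-Table -AutoSize
Get-CodeSigningCertificates | Format-List
```

The Exportable flag from the last function is the practical check behind the point about keeping tight control of the certificate: a signing certificate whose private key is exportable can be copied to any machine by anyone who can log on there, so installing it as non-exportable (or keeping it on a token) on a small number of machines is what makes that control real.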

In my next post, I’ll walk you through the steps for purchasing a cert, installing it on a computer and then signing your InfoPath form template.

Tuesday, August 23, 2011

SharePoint Licensing information–where to look

Every so often I need to delve into the murky waters of SharePoint licensing. I always find this challenging, mainly because there is a lot of contradictory information out there. I can understand why – there are many different scenarios, it’s complicated, people interpret the rules in lots of different ways, and the rules have changed over time.

Where possible, I try to reference information directly from Microsoft, as this obviously has a lot more credibility than some blog post that you read (present blogger excepted). Imagine my surprise when I recently had to research information for a SharePoint 2007 engagement I’m working on – Microsoft seems to have removed all of the SharePoint 2007 licensing information from their site. Well, they aren’t selling it any more, so I guess that makes sense. But what if you need to answer a licensing question from an existing SharePoint 2007 client?

Of course the correct answer here is to refer your client to a mythical licensing expert, then wash your hands of the whole incident. After all, you are responsible for zeros and ones, not licensing compliance.

But what if you did actually want to understand what is allowed and even provide “evidence” to back up any readings you have taken of the licensing tea-leaves?

Here are two links that I have recently come across that I think are worth sharing. These are correct at the time of writing.

http://www.microsoftvolumelicensing.com/userights/DocumentSearch.aspx – Search for licensing documents. I’d recommend selecting PUR (Product Use Rights) in the first column and then your preferred language, region and sector. The real magic for me is the “Show Archived” checkbox. This allows you to access older documents that contain details on products that are no longer sold (e.g. SharePoint 2007). I’ve found I get more archived results if I set Region to “WW (World Wide)”. Note that the archived results are displayed in a separate box below the current results.


http://download.microsoft.com/download/6/8/9/68964284-864d-4a6d-aed9-f2c1f8f23e14/Assessing_SharePoint_Server_Licensing.docx – “A Guide to Assessing SharePoint Server Licensing” – December 2010. Here is the summary, straight from the document:

“This document gives Microsoft® Volume Licensing customers an overview of licensing for Microsoft SharePoint® Server 2010, SharePoint Server 2007, and SharePoint Server 2003, as well as guidance on how to assess the licenses needed. Please refer to the Product Use Rights (PUR) document for detailed guidance”

Sunday, August 07, 2011

SharePoint Saturday Sydney - InfoPath Tips and Tricks

SharePoint Saturday in Sydney was held yesterday, Aug 6, 2011. It was a great event, with about 120 attendees. Kudos to Brian Farnhill and Alexandre Bacchin for organizing it.

I gave a presentation entitled "InfoPath Tricks of the Trade" which included my "Planet of the APIs" sample form. This session was showing off some ways to accomplish specific tasks with InfoPath. I focused on two tasks - getting information about the current person and creating a unique name for your form (without using a timestamp).

I certainly enjoyed delivering the session and there were interesting questions from the audience. And as soon as I retrieve my laptop's power supply that I left at the venue, I'm going to put the presentation and demo template online for people to download.


Update: As promised, here is the PowerPoint presentation and InfoPath template

Friday, March 18, 2011

Getting Access Denied, even when you are a Site Collection Administrator

Here’s a solution I found to a weird issue I recently encountered. It was for a SharePoint 2007 site that had been upgraded to 2010 while also moved to a new domain. For some reason, a few of the user accounts were not getting authenticated properly. They would get the “Access Denied” page. This happened even if the person was set up as a Site Collection Administrator.

I found that this problem disappeared if I ran the following command:

stsadm -o migrateuser olddomain\username newdomain\username -ignoresidhistory

This command would return an error “Value cannot be null. Parameter Name: UserProfileApplicationProxy”. Regardless, the account could then log into the site.

Why? Don’t know.

Monday, March 07, 2011

How to make 100 friends in SharePoint

Do you have SharePoint installed on a development or test environment somewhere? Does it have its own Active Directory installation? So, how do you explore all the wonderful features of the SharePoint User Profile service? You know, like the Silverlight organisation chart, or Audiences, or Colleagues, or…

Well, not to fear, after much procrastination, I’m finally able to provide a solution to your problem. I’ve made up names, job titles and managers for 100 people. Any similarity to real people is purely coincidental. Not only that, but I’ve created a PowerShell script to create these accounts in Active Directory.

This means your User Profiles in your virtual environment can go from a bland handful of test accounts, to a dazzling collection of fictitious employees in different departments, physical offices and job titles. Just imagine the Audiences you can create!

Feel free to edit the CSV file (using Excel) to modify personal details and add more people. You can even add additional user properties, but you will also need to make some changes to the PowerShell script to get these into Active Directory, not hard if you are familiar with PowerShell.


I’ve tested the PowerShell script on a Windows 2008 R2 domain, however I executed it from a Windows 7 desktop. The script does not require Microsoft Exchange or third party script add-ons. I execute the script using the domain admin account. You may run into issues if you try using accounts with less privileges.

The script contains a path to an Active Directory Organisational Unit (OU) where all the accounts will be created (OU=Staff,DC=lab,DC=laptop,DC=iw). You will want to change this before running it in your environment. This OU needs to exist before you run the script.

I have configured the script to create the accounts but not to enable them. This is for security purposes. However, if you want to enable them, you just need to uncomment two lines and seek legal advice.
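The post’s own script is in the download, not reproduced here. What follows is my own added PowerShell that does what the post describes: read the people from a CSV, create the accounts in the OU, leave them disabled unless you say otherwise, and link each person to their manager. It uses the ActiveDirectory module that ships with RSAT (so no Exchange or add-ons), and the CSV column names and the sample rows are my assumption, not the layout of the post’s file. The OU path is the one from the post; the UPN suffix is derived from it.

```powershell
# Added example, not the script from the post. Creates the accounts described
# above from CSV rows, disabled by default, inside an OU that must already exist.
# Needs the ActiveDirectory module (RSAT on Windows 7 / Server 2008 R2); no Exchange.
Import-Module ActiveDirectory

$ouPath         = 'OU=Staff,DC=lab,DC=laptop,DC=iw'   # path from the post; change for your lab
$upnSuffix      = 'lab.laptop.iw'                     # assumption, derived from the OU above
$enableAccounts = $false                              # the post's default: create but do not enable

# Constructed sample rows with assumed column names. For a real run,
# replace this with: $people = Import-Csv .\people.csv
$people = @'
SamAccountName,GivenName,Surname,Title,Department,Office,ManagerSam
jsmith,Jane,Smith,Chief Executive,Executive,Sydney,
bchen,Bob,Chen,Finance Manager,Finance,Sydney,jsmith
apatel,Asha,Patel,Accountant,Finance,Melbourne,bchen
'@ | ConvertFrom-Csv

# The OU is not created for you; fail early rather than half way through the list.
try   { Get-ADOrganizationalUnit -Identity $ouPath | Out-Null }
catch { throw "OU '$ouPath' does not exist. Create it first." }

# Enabled accounts need a password that meets domain policy; ask once, never store it.
$initialPassword = $null
if ($enableAccounts) {
    $initialPassword = Read-Host -AsSecureString 'Initial password for the new accounts'
}

# Pass 1: create every account (skip ones that already exist so reruns are safe)
foreach ($p in $people) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($p.SamAccountName)'") {
        Write-Host "Skipping $($p.SamAccountName), it already exists"
        continue
    }
    $fullName = "$($p.GivenName) $($p.Surname)"
    $params = @{
        Name              = $fullName
        DisplayName       = $fullName
        SamAccountName    = $p.SamAccountName
        UserPrincipalName = "$($p.SamAccountName)@$upnSuffix"
        GivenName         = $p.GivenName
        Surname           = $p.Surname
        Title             = $p.Title
        Department        = $p.Department
        Office            = $p.Office
        Path              = $ouPath
        Enabled           = $enableAccounts
    }
    if ($enableAccounts) {
        $params.AccountPassword       = $initialPassword
        $params.ChangePasswordAtLogon = $true
    }
    New-ADUser @params
    Write-Host "Created $($p.SamAccountName) in $ouPath (enabled: $enableAccounts)"
}

# Pass 2: link managers once every account exists, so order in the CSV does not matter
foreach ($p in ($people | Where-Object { $_.ManagerSam })) {
    Set-ADUser -Identity $p.SamAccountName -Manager $p.ManagerSam
}
```

Creating the accounts disabled keeps a lab domain from filling up with 100 logon-capable identities that nobody is watching; the User Profile service still imports disabled users, so the org chart and Audiences work either way. If you do flip $enableAccounts, every account gets the same initial password and is forced to change it at first logon.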

You can download the zip file containing the people details and PowerShell script from here. Any feedback greatly appreciated.

Friday, March 04, 2011

Getting help with Kerberos and SharePoint

Ever tried configuring a SharePoint environment to use Kerberos authentication? It is never a lot of fun. There aren’t that many people that know Kerberos to any great depth – I know I don’t. So any kind of help you can get with setting this up should be taken advantage of.

So pop over to SharePointSecurity.com and read about your new best friend – SharePoint Kerberos Buddy. I don’t think it’s an over-exaggeration to say that Adam Buenz is a genius in this area. Now he has released a FREE tool to help you get your Kerberos configuration right. Check it out.

Tuesday, March 01, 2011

Configuring BackConnectionHostNames for the Loopback Check

It’s not always easy doing the right thing. At this stage, we all probably know about the issue with trying to access a site with a host name on Windows Servers (http://support.microsoft.com/kb/896861).

You probably know that there are two ways of dealing with this issue - disabling the check or providing a safe list of sites.

The easiest thing to do is disable the check. But that doesn't make it right. The check is there to protect your system against nasties that want to do bad things to your server.

So that leaves us with the option of defining a safe list of addresses that the server can access locally. Sounds easy, but I've had problems every now and again with getting this to work and the temptation is to just revert to disabling the check. So I thought I'd share some rules that I follow when setting the BackConnectionHostNames entry:

1. Don't include the protocol - e.g. "mywebsite" rather than "http://mywebsite"
2. Put each entry on its own line
3. Use lowercase - e.g. "mywebsite" rather than "MyWebSite"
4. If it is an internal site, include the short name as well as the fully qualified domain name (e.g. "mywebsite" and "mywebsite.domain.somewhere.local")
5. Reboot after you have created the BackConnectionHostNames registry entry. I believe that you don't need to reboot for subsequent changes to this key, but I probably would - call me superstitious.
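As an added example (not from the post), here is how I would apply those five rules from PowerShell rather than typing the multi-string value into Regedit by hand. The registry key and value name are the ones from KB 896861; the host names passed in are constructed samples and the function names are mine.

```powershell
# Added example, not code from the post: build and write the BackConnectionHostNames
# multi-string value (KB 896861) following the five rules above.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey    = Join-Path $lsaKey 'MSV1_0'
$valueName = 'BackConnectionHostNames'

function ConvertTo-BackConnectionHostName {
    # Normalise one entry: strip protocol, port and path, trim, lowercase.
    param([string]$Entry)
    $h = $Entry.Trim()
    $h = $h -replace '^[a-z]+://', ''   # rule 1: no protocol (-replace is case-insensitive)
    $h = $h -replace '[/:].*$', ''      # no path or port either; the check is on host name only
    $h.ToLower()                        # rule 3: lowercase
}

function Get-BackConnectionHostNames {
    # Turn a list of sites into the final host name list.
    param([string[]]$Sites, [string]$InternalSuffix)
    $names = foreach ($s in $Sites) {
        $h = ConvertTo-BackConnectionHostName $s
        if ($h) { $h }
        # rule 4: an internal short name also gets its fully qualified form
        if ($h -and $InternalSuffix -and $h -notlike '*.*') { "$h.$InternalSuffix" }
    }
    $names | Select-Object -Unique      # rule 2: one entry per line, no duplicates
}

function Set-BackConnectionHostNames {
    param([string[]]$Names)
    if (-not (Test-Path $msvKey)) { New-Item -Path $msvKey | Out-Null }
    # REG_MULTI_SZ: each array element becomes one line of the value
    New-ItemProperty -Path $msvKey -Name $valueName -PropertyType MultiString `
        -Value $Names -Force | Out-Null

    # A safe list is pointless if someone has already switched the check off entirely.
    $disabled = (Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck `
        -ErrorAction SilentlyContinue).DisableLoopbackCheck
    if ($disabled -eq 1) {
        Write-Warning "DisableLoopbackCheck is 1 under $lsaKey; the loopback check is disabled, not scoped."
    }
}

# Usage with constructed site names; the suffix is the one from rule 4
$list = Get-BackConnectionHostNames `
    -Sites @('http://MyWebSite', 'intranet', 'Portal.contoso.com') `
    -InternalSuffix 'domain.somewhere.local'
$list
Set-BackConnectionHostNames -Names $list
# Rule 5: reboot after creating the value for the first time
```

The warning at the end is the defender’s check: DisableLoopbackCheck set to 1 under the Lsa key is the "just disable it" shortcut from earlier in the post, and if it is present the list you just wrote makes no difference to what the server will accept.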

Australian SharePoint Conference – only days away

The Australian SharePoint Conference is back in Sydney on March 8th and 9th. This is a great event to learn more about the SharePoint products and see how other companies in Australia are using it. There are four tracks, so there should be something for everyone:

  • Business
  • Voice of the Customer
  • IT Professional
  • Developer

Also check out the half-day workshops held on the 7th and 10th. For full details and to purchase tickets, visit www.sharepointconference.com.au

Tuesday, January 18, 2011

Sydney SharePoint User Group tonight (18 Jan 2011)

The Sydney SharePoint User Group is kicking off the year with a session on InfoPath 2010 on SharePoint 2010. The meeting is tonight – Tuesday 18 Jan, in the city – 280 Pitt Street.

For more details, check out http://www.sharepointusers.org.au/sydney

Saturday, January 15, 2011

Geeks without Borders

Check out http://www.qlditrelief.org/ – see how you can provide assistance to the people affected by flooding in Queensland

Tuesday, January 11, 2011

Solved: Cannot upload a file to SharePoint 2010

A client was having a problem uploading documents to a SharePoint 2010 library last week. After filling out the Upload Document pop-up dialog box they got a basic browser “An error has occurred” message.

On closer inspection we saw a JavaScript error message in the lower left corner of the browser window. The details were:

Message: Unexpected call to method or property access.
Line: 264
Char: 5
Code: 0
URI: res://ieframe.dll/httpErrorPagesScripts.js

I found a KB article (979887) that mentions this error message and indicates that the problem is fixed in the latest security updates for Internet Explorer 8 (MS10-018 at the time of writing).

The client used the Microsoft Windows Update site (http://www.update.microsoft.com) to apply the updates and the problem vanished.