30 March, 2009

You do not have permissions to open this file on Excel Services

Hello Guys,
If you receive the following exception when you try to open the sample workbook or another workbook, try the steps below:


You do not have permissions to open this file on Excel Services. Make sure that the file is in an Excel Services trusted location and that you have access to the file.

1. Open Central Administration -> go to the Operations tab.
- Ensure that the Excel Service is running.

2. Open Central Administration -> go to your configured Shared Service -> click Excel Service Settings.
- File Access Method: ensure that it is not set to Impersonation; the Process Account option should be enabled instead.

3. Open Central Administration -> go to your configured Shared Service -> click Add new trusted file location.
- Field URL: here you can specify a report library or the whole portal.
- Location Type: should be Windows SharePoint Services.
- Children trusted: defines whether the children should also be trusted or only the defined path.

How to enable SSL site collections using host headers to be browseable using ISA

1. In ISA 2006, right click Firewall Policy, New, and finally SharePoint publishing rule; type a new name for the publishing rule. Click Next.

2. Select Publish a single Web site or load balancer since we are dealing with a single site collection. Click Next.

3. Select Use SSL. Click Next.

4. Type the name of the published web site, which is the external URL as it would appear on the certificate. Click the box next to Use a computer name or IP address to connect to the published server, and fill in the correct IP address for the server. Click Next.

5. From the drop down for Accept requests for, select This domain name. In the Public name box, type in the domain name you wish to use. Click Next.

6. We now must create a new listener. Give the new listener a name. Click Next.

7. Select Require SSL secured connections with clients. Click Next.

8. Select External Network and then the IP Address. This IP address will be dedicated to accept requests from SharePoint traffic externally. Click on OK, and then click Next.

9. Click on Select certificate and select the correct certificate with the name you are using in the public name. Click on Select.

10. Select the authentication type, and configure as needed. Click Next.

11. If SSO is being used, click on Enable SSO for Web sites published with this Web listener, and configure the SSO domain being used for authentication. Click Next.

12. Click Finish.

13. Select the new Listener, and click on Next.

14. Select the NTLM authentication, and click on Next.

15. Select the first option if AAMs are already configured; if not select the second option. Click Next.

16. Select All Authenticated Users. Click Next.

17. Click on Finish.

Disable MySite and MyLinks in MOSS 2007

In order to turn off or disable the MySite or MyLinks functionality you need to be a SharePoint administrator.

- Go to the Central Administration web page.
- Click on the link for Shared Services Administration.
- If you have more than one SSP, select the one that is running the MySites functionality.
- Under "User Profiles and My Sites" click Personalization Services Permissions.
- Select the group you want to limit the functionality for. More than likely you will just have NT AUTHORITY\Authenticated Users.
- In the next screen you will see a list of checkboxes:

-- To disable MySites uncheck "Create Personal Site"
-- To disable MyLinks uncheck "Use Personal Features"

Once you find it, disabling the functionality is pretty easy.
Hopefully this will save you a lot of effort.

29 March, 2009

Configure single sign-on

Single sign-on (SSO) is a Microsoft Office SharePoint Server feature that provides storage and mapping of credentials such as account names and passwords. Using SSO, portal site–based applications can retrieve information from third-party applications and back-end systems such as Enterprise Resource Planning (ERP) and Customer Relations Management (CRM) systems.

The use of single sign-on functionality enables users to authenticate only once when they access portal site–based applications that need to obtain information from other business applications and systems.

There are seven main activities that we need to do:
1. Create the SSO service account -- This is the account that the service will run under.
2. Create the SSO groups -- These groups are used to control who has the ability to administer SSO (export the master key) and who has the ability to manage it (add/remove application definitions).
3. Configure the SSO Service -- Set SSO to start and get it to use the service account.
4. Configure SQL Server -- Authorize the SSO service account to SQL Server.
5. Manage SSO -- Set up SSO in MOSS including the groups and the database.
6. Manage the encryption key -- Create the encryption key that will be used for protecting the username and password information on the system.
7. Manage settings for enterprise application definitions -- Define what initial applications SSO will be set up to manage passwords for.

Create the SSO Service Account
We need to create an account for the "Microsoft Single Sign-on Service" (SSO Service) to run as. This account has to be a domain account that has local administrative privileges for the front end web servers, must be a member of the SharePoint group Farm Administrators, must have the dbcreator and security administrator (securityadmin) roles in SQL Server, and must be a member of the group that is defined as SSO administrators.

1. From the Start Menu click Administrative Tools - Active Directory Users and Computers.
2. In the left hand pane, right click the Users folder and select New - User from the menu that appears. If your organization places service accounts in a different organizational unit (OU) you can certainly add this account to that location.
3. Enter the First Name (SharePoint SSO), Last Name (Service), and User logon name (SharePointSSOSvc) fields and click the Next button. You can name the account anything you want; however, these values make it clear what the account is used for.
4. Enter a password into the Password and Confirm password fields. Uncheck the User must change password at next logon checkbox. Check the User cannot change password and Password never expires checkboxes. Click the Next button. This sets the account up to be a service account.
5. Click the Finish button.
6. On the user that was just created, right click and select Properties.
7. Click the Member Of tab.
8. Click the Add button.
9. Enter the group name Domain Admins and click Check Names, then click OK. As mentioned above, if you're using another group to provide local administrator access to the farm servers, use that group here.
10. Click the OK button.

Create the SSO Groups
There are two important groups for SSO. The first group is the administrative group, which includes those users capable of administering SSO. This includes the ability to back up and restore the encryption key. Because of this they can effectively decrypt all user credentials in the SSO database, and thus membership of this group should be severely limited. The second group, a managers group, is used to manage the application profiles in the SSO system. This group doesn't directly have access to passwords but could inadvertently delete all of the stored passwords. In the following steps we'll create both groups and add the SSO service account we created above into the administrators group.

1. In Active Directory Users and Computers (still open from the last set of steps), from the left pane right-click Users and select New - Group. As before, if your organization requires that groups be placed in a different OU, select that OU to create the group in.
2. Enter the Group Name (SharePoint SSO Administrators) and click the OK button.
3. Left click the new group, and then right click the new group and select Properties.
4. Click the Members tab.
5. Click the Add button.
6. Enter SharePointSSOSvc, click the Check Names button, and click the OK button.
7. Click the OK button.
8. In the left pane, right click Users and select New - Group. As before, if your organization requires a different location, use that location.
9. Enter the Group Name (SharePoint SSO Managers) and click the OK button.
10. Close Active Directory Users and Computers; we're done with it.
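
Because members of the administrators group can export the key that protects every stored credential, it is worth checking both groups against an approved list after creating them. The script below is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is available, and every account name other than SharePointSSOSvc is a hypothetical placeholder.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Approved members per group. SharePointSSOSvc comes from the steps above;
# the other account names are hypothetical placeholders.
$approved = @{
    'SharePoint SSO Administrators' = @('SharePointSSOSvc', 'sso-admin1')
    'SharePoint SSO Managers'       = @('sso-manager1')
}

function Test-SsoGroupMembership {
    param([hashtable]$AllowList)

    foreach ($group in $AllowList.Keys) {
        # -Recursive expands nested groups, so indirect members are reported too.
        $actual = @(Get-ADGroupMember -Identity $group -Recursive |
                    Select-Object -ExpandProperty SamAccountName)

        # Accounts that are in the group but were never approved.
        foreach ($name in $actual) {
            if ($AllowList[$group] -notcontains $name) {
                New-Object PSObject -Property @{
                    Group = $group; Account = $name; Finding = 'Unexpected member' }
            }
        }
        # Approved accounts that are not (or no longer) in the group.
        foreach ($name in $AllowList[$group]) {
            if ($actual -notcontains $name) {
                New-Object PSObject -Property @{
                    Group = $group; Account = $name; Finding = 'Approved member missing' }
            }
        }
    }
}

$findings = @(Test-SsoGroupMembership -AllowList $approved)
if ($findings.Count -eq 0) { 'SSO group membership matches the approved list.' }
else { $findings | Format-Table Group, Account, Finding -AutoSize }
```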

Configure the SSO Service
By default the SSO service in SharePoint doesn't start. In this activity we're going to enable the SSO service on each server in the farm and then, once that is completed, change the account used for SSO in SharePoint Central Administration.

1. On the Start menu click Administrative Tools - Services.
2. In the Services application, in the right hand pane, scroll down to the Microsoft Single Sign-on Service, right click and click Properties.
3. Change the Startup type from Manual to Automatic.
4. Click the Start button.
5. Click the OK button.
6. Close the Services application. We're done with it.
7. Repeat steps 1-5 on each server in the SharePoint farm.
8. On the Start menu click Administrative Tools - SharePoint 3.0 Central Administration.
9. Click the Operations tab.
10. In the Security Configuration section, click the Service Accounts link.
11. In the Windows service drop down list select Single Sign-on Service.
12. Enter the Username (DC\SharePointSSOSvc) and Password for the service account and click the OK button.
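
Since the service has to be changed by hand on every server, a quick check of the whole farm catches a machine left at Manual or still running under another account. This Windows PowerShell script is an added example, not part of the original post; the server names are hypothetical placeholders, and it assumes you have administrative WMI access to each server.

```powershell
# Added example, not from the original post.
# Server names are hypothetical placeholders; the account is the one used in this walkthrough.
$farmServers     = @('SPWEB01', 'SPAPP01')
$expectedAccount = 'DC\SharePointSSOSvc'

function Get-SsoServiceFinding {
    param([string[]]$ComputerName, [string]$Account)

    foreach ($server in $ComputerName) {
        # Match on the display name shown in the Services console.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $server `
                   -Filter "DisplayName='Microsoft Single Sign-on Service'"
        if (-not $svc) {
            "${server}: service not found"
            continue
        }
        # Win32_Service reports the Automatic startup type as 'Auto'.
        if ($svc.StartMode -ne 'Auto') {
            "${server}: startup type is $($svc.StartMode), expected Auto"
        }
        if ($svc.State -ne 'Running') {
            "${server}: service is $($svc.State), expected Running"
        }
        # StartName is the logon account the service runs under.
        if ($svc.StartName -ne $Account) {
            "${server}: runs as $($svc.StartName), expected $Account"
        }
    }
}

$findings = @(Get-SsoServiceFinding -ComputerName $farmServers -Account $expectedAccount)
if ($findings.Count -eq 0) { 'SSO service is Automatic, Running and uses the expected account on all servers.' }
else { $findings }
```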

Configure SQL Server for the SSO Service Account
The SSO service account needs to create the SSO database and set up the correct permissions. In order to do that it needs the security administrator (securityadmin) and database creator (dbcreator) system roles. In the following steps we'll get permissions set up for the service account.

1. On the Start menu click All Programs - Microsoft SQL Server 2005 - SQL Server Management Studio.
2. If your server name isn't correct in the dialog, select the correct server. Then click the Connect button to connect to your SQL server.
3. Click on the plus sign to the left of Security to expand it. Click on the plus sign to the left of Logins to expand it.
4. Right click on the SharePoint SSO service account (DC\SharePointSSOSvc) and click Properties.
5. In the Select a page (left) pane select Server Roles.
6. Click the checkboxes to the left of dbcreator and securityadmin.
7. Click the OK button.
8. Close Microsoft SQL Server Management Studio; we're done with it.
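
To confirm that the login ended up with the two roles named above and nothing broader, the server role membership can be read back from the SQL Server catalog views. This is an added example, not part of the original post; the SQL Server instance name is a hypothetical placeholder, and it assumes the account running the script can connect with Windows authentication.

```powershell
# Added example, not from the original post.
# The instance name is a hypothetical placeholder; the login is the one used in this walkthrough.
$sqlInstance = 'SQL01'
$login       = 'DC\SharePointSSOSvc'
$expected    = @('dbcreator', 'securityadmin')

function Get-ServerRolesForLogin {
    param([string]$Instance, [string]$Login)

    # Fixed server roles held directly by the login (SQL Server 2005 catalog views).
    $query = @'
SELECT r.name
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login
'@
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        # Pass the login name as a parameter rather than concatenating it into the query.
        [void]$cmd.Parameters.AddWithValue('@login', $Login)
        $reader = $cmd.ExecuteReader()
        $roles = @()
        while ($reader.Read()) { $roles += $reader.GetString(0) }
        return ,$roles
    }
    finally { $conn.Dispose() }
}

$roles   = Get-ServerRolesForLogin -Instance $sqlInstance -Login $login
$missing = @($expected | Where-Object { $roles -notcontains $_ })
$extra   = @($roles    | Where-Object { $expected -notcontains $_ })

if ($missing) { "Missing roles: $($missing -join ', ')" }
if ($extra)   { "Roles beyond dbcreator and securityadmin: $($extra -join ', ')" }
if ((-not $missing) -and (-not $extra)) { 'Login holds exactly dbcreator and securityadmin.' }
```

Roles the account inherits through a Windows group that has its own SQL Server login are not listed by this query; check those groups separately.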

Manage Settings for Single Sign-on

In this step we'll go through the process of creating the SSO database by using the Manage settings for single sign-on link on the central administration operations screen.
1. On the SharePoint Central Administration Operations page, under the Security Configuration heading, select the Manage settings for single sign-on link.
2. Click the Manage server settings link.
3. In the far upper right corner, click the down arrow next to Welcome System Account (or whatever name is displayed). From the menu that appears, select Sign in as a Different User.
4. In the User name text box enter the SharePoint SSO Service Account (DC\SharePointSSOSvc) and in the Password text box enter the account's password.
5. Enter the administrators group name including the domain name (DC\SharePoint SSO Administrators) in the Single Sign-On Administrator Account section's Account name textbox.
6. Enter the managers group name including the domain name (DC\SharePoint SSO Managers) in the Enterprise Application Definition Administrator Account section's Account name textbox.
7. Click the OK button.

Manage the Encryption Key
The next step is creating an encryption key for the credentials to be encrypted with. In order to do this, follow these steps:
1. On the Manage Settings for Single Sign-on page click the Manage encryption key link.
2. Click the Create Encryption Key button.
3. Click the OK button.
4. In the breadcrumbs, click the Manage Single Sign-On link.

With an encryption key set, you're ready to create an application definition.

Manage Settings for Enterprise Application Definitions

The final step is to define an application definition for SSO. This can be done with the following steps.
1. On the Manage Settings for Single Sign-On for... page, in the Enterprise Application Definition Settings, click the Manage settings for enterprise application definitions link.
2. Click the New Item button.
3. Enter a Display name (Demo Application), an Application name (Demo), and a Contact e-mail address (sharepoint@demo.thorprojects.com).
4. Select the Account type. Generally this will be Individual. Note that this cannot be changed once the application has been defined.
5. Click the OK button.
6. Close the web browser with central administration.

I hope the above steps help you to configure Single Sign-On. If you have any query or doubt regarding any step then please let me know. I would be more than happy to answer your queries.



