Wednesday, December 26, 2012

deploy user controls and web parts in powershell

Deploy a user control (it is deployed globally and is not associated with any web application)
In the SharePoint project, make sure the first line in the user control aspx, <%@ Assembly Name="$SharePoint.Project.AssemblyFullName$" %>, has been replaced with the real assembly name (<%@ Assembly Name="MapArea, Version=1.0.0.0, Culture=neutral, PublicKeyToken=bf461b57440b5559" %>) instead of a reference to the project token.

uninstall-spsolution -identity MapArea.wsp    (remove folder in \14\template\controltemplates)
remove-spsolution -identity MapArea.wsp     (remove dll from gac)

gacutil /i MapArea.dll
copy \Maparea\map.aspx to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\CONTROLTEMPLATES\MapArea (folder varies depending on what folder you want to deploy to)

add-spsolution -literalpath C:\Installs\webparts\Liheap\MapArea\bin\Debug\MapArea.wsp
Install-SPSolution -Identity MapArea.wsp -GACDeployment

Deploy a web part (this needs to be deployed to a particular web application)
stsadm -o addsolution -filename C:\Installs\IndividualZips\SectorPoint.Products.AdRotator.wsp
stsadm -o deploysolution -name SectorPoint.Products.AdRotator.wsp -allowCas -local -url http://yourwebapplication

use this command to list the solutions in the farm:

Get-SPSolution


to retract a solution:

uninstall-spsolution -identity SectorPoint.Products.AdRotator.wsp -webapplication http://devwebsites.com.wa.lcl


to remove a solution from farm:

remove-spsolution -identity SectorPoint.Products.AdRotator.wsp


to add solution to the sharepoint solution store:
add-spsolution -literalpath C:\Installs\IndividualZips\SectorPoint.Products.AdRotator.wsp

To Deploy the solution.

Install-SPSolution -Identity SectorPoint.Products.AdRotator.wsp -WebApplication http://devwebsites.com.wa.lcl -CASPolicies
-------------------------------------------------------------------
uninstall-spsolution -identity CommerceTreeViewNavigation.wsp -webapplication http://yourwebapplication

remove-spsolution -identity CommerceTreeViewNavigation.wsp

add-spsolution -literalpath C:\Installs\IndividualZips\CommerceTreeViewNavigation.wsp

Install-SPSolution -Identity CommerceTreeViewNavigation.wsp -WebApplication http://yourwebapplication
--------------------------------------------------------------------------------------------


Install-SPSolution -Identity CommerceTreeViewNavigation.wsp -WebApplication http://yourwebapplication -GACDeployment
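As an added example (not code from the original post), here is the retract/remove/add/deploy cycle above as one script for the SharePoint 2010 Management Shell: it waits for each solution timer job before the next step and picks the deployment switches from what the package actually contains, so -GACDeployment and -CASPolicies are only used when the .wsp asks for them. The .wsp path and web application URL are placeholders.

```powershell
# Added example, not from the original post. Assumes the SharePoint 2010 Management Shell
# (Microsoft.SharePoint.PowerShell snap-in loaded). $WspPath and $WebApp are placeholders.
param(
    [string]$WspPath = 'C:\Installs\IndividualZips\SectorPoint.Products.AdRotator.wsp',
    [string]$WebApp  = 'http://yourwebapplication'
)

$name = Split-Path -Leaf $WspPath

# Retract and deploy run as timer jobs; poll until the job attached to the solution is gone.
function Wait-SolutionJob([string]$solutionName) {
    $sol = Get-SPSolution -Identity $solutionName -ErrorAction SilentlyContinue
    while ($sol -and $sol.JobExists) {
        Start-Sleep -Seconds 5
        $sol = Get-SPSolution -Identity $solutionName -ErrorAction SilentlyContinue
    }
}

$existing = Get-SPSolution -Identity $name -ErrorAction SilentlyContinue
if ($existing) {
    if ($existing.Deployed) {
        # Web-application-scoped solutions are retracted per web application;
        # globally deployed ones (user controls, GAC-only packages) take no -WebApplication.
        if ($existing.DeployedWebApplications.Count -gt 0) {
            foreach ($wa in $existing.DeployedWebApplications) {
                Uninstall-SPSolution -Identity $name -WebApplication $wa -Confirm:$false
            }
        } else {
            Uninstall-SPSolution -Identity $name -Confirm:$false
        }
        Wait-SolutionJob $name
    }
    # Remove from the farm solution store only after the retract job has finished.
    Remove-SPSolution -Identity $name -Confirm:$false
}

$sol = Add-SPSolution -LiteralPath $WspPath

# Record what the package asks for before deploying it: a GAC assembly runs with full
# trust, and a CAS policy widens the trust level of bin-deployed code.
"{0}: GAC assembly={1}, CAS policy={2}, web-app scoped={3}" -f `
    $sol.Name, $sol.ContainsGlobalAssembly, $sol.ContainsCasPolicy, $sol.ContainsWebApplicationResource

$installArgs = @{ Identity = $name; Confirm = $false }
if ($sol.ContainsWebApplicationResource) { $installArgs['WebApplication'] = $WebApp }
if ($sol.ContainsGlobalAssembly)         { $installArgs['GACDeployment'] = $true }
if ($sol.ContainsCasPolicy)              { $installArgs['CASPolicies']   = $true }

Install-SPSolution @installArgs
Wait-SolutionJob $name

# Final state: Deployed should be True and, for web-app scoped packages, the URL listed.
Get-SPSolution -Identity $name | Select-Object Name, Deployed, DeployedWebApplications
```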


Sunday, December 23, 2012

BCS security

Business Connectivity Services security operations (SharePoint Server 2010)


Assign administrators to a Business Data Connectivity service application

Farm administrators can delegate administration of a specific Business Data Connectivity service application to a service application administrator. The delegated administrator is given access to the Central Administration Web site and can perform administrative tasks that are related to that Business Data Connectivity service application.
Tip:
The delegated administrator is not given permissions to the metadata store.

To assign administrators to a Business Data Connectivity service application

  1. Verify that you have the following administrative credentials:
    • You must be a farm administrator.
  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.
  3. In the list of service applications, click the row that contains the Business Data Connectivity service application.
    Note:
    Do not select the row by clicking in the Name column. Clicking the name of the Business Connectivity Service opens the Business Connectivity Service management pages.

  4. In the Operations group of the ribbon, click Administrators.
  5. In the text box, type or select a user account or a group account, and then click Add.
  6. In the Permissions box, click Full Control, and then click OK.

Set permissions on a metadata store

Each Business Data Connectivity service application has a metadata store that includes all the models, external systems, external content types, methods, and method instances that have been defined for that store’s purpose. You set permissions on a metadata store to specify who can edit items in the metadata store and who can set permissions on the metadata store.
We recommend that you give specific permissions to each user or group that needs it, in such a way that the credentials provide the least privilege that is necessary to perform the needed tasks. For more information about setting permissions, see Business Connectivity Service permissions overview in "Business Connectivity Services security overview (SharePoint Server 2010)".

To set permissions on a metadata store

  1. Verify that you have one of the following administrative credentials:
    • You must be a farm administrator.
    • You must be the Business Data Connectivity service application administrator and have Set Permissions permission to the metadata store.
  2. On the Central Administration Web site, in the Application Management section, click Manage service applications.
  3. Click in the Name column of the row that corresponds to the Business Data Connectivity service application.
  4. In the Permissions group of the ribbon, click Set Metadata Store Permissions.
  5. In the text box, type the user accounts, groups, or claims for which permissions will be granted, and then click Add.
    Note:
    The user account, group, or claim cannot have a vertical bar (|) in its name.

  6. Set the permissions for the account, group, or claim:
    Note:
    At least one user, group, or claim in the metadata object's access control list must have the Set Permissions permission.

    • Click Edit to allow the user, group, or claim to create external systems, to create models, to import models, and to export models.

      Security Note:
      The Edit permission should be considered highly privileged. With the Edit permission, a malicious user can steal credentials or corrupt a server farm. To help ensure a secure solution, we recommend that you use a test environment where the Edit permission can be assigned freely to developers and solution designers. When you deploy the tested solution to a production environment, remove the Edit permissions.
    • Click Execute to allow the user, group, or claim to execute operations (create, read, update, delete, or query) on external content types.

      Tip:
      The Execute permission is not applicable to the metadata store itself. This setting is used when you want to propagate the Execute permission to child objects in the metadata store.
    • Click Selectable In Clients to allow the user, group, or claim to create external lists of any external content types and to view the external content types in the external item picker.

      Tip:
      The Selectable In Clients permission is not applicable to the metadata store itself. This setting is used when you want to propagate the Selectable In Clients permission to child objects in the metadata store.
    • Click Set Permissions to allow the user, group, or claim to set permissions on the metadata store.

      Security Note:
      The Set Permissions permission should be considered highly privileged. With the Set Permissions permission, a user can grant Edit permission to the metadata store.
  7. To propagate permissions to all items in the metadata store, click Propagate permissions to all BDC Models, External Systems and External Content Types in the BDC Metadata Store. Doing so will overwrite existing permissions.

RevertToSelf authentication mode

Each external content type has an associated authentication mode. The authentication mode gives Business Connectivity Services information about how to process an incoming authentication request from a user and maps that request to a set of credentials that can be passed to the external system. By default, the RevertToSelf authentication mode (also called BDC Identity authentication mode) is not enabled. You cannot create or import models that use RevertToSelf when RevertToSelf authentication mode is not enabled.
RevertToSelf authentication mode uses the application pool account where the Business Connectivity Services is running to authenticate the logged-on user to the external system. For example, when a user opens an external list, the application pool account of the front-end Web server where the external list resides is used for authentication. The application pool account is a highly privileged account. By default, the application pool account has write permission to the farm configuration database. By using RevertToSelf mode, anyone who can create or edit a model that uses RevertToSelf mode has the power to make themselves an administrator of the SharePoint farm.
RevertToSelf authentication mode is not recommended for production environments. We recommend that you use Secure Store Service.
If you must use RevertToSelf authentication mode in a production environment, consider the following:
  • Any users who can create or edit models, including SharePoint Designer users, should be considered equal to a farm administrator from a security perspective. You must be able to trust them as you would a farm administrator.
  • You must lock down the use of the application pool account as much as possible. Doing so can help to limit the damage a malicious user can do to the SharePoint farm and external systems.

Enable RevertToSelf authentication mode

After you enable RevertToSelf authentication mode, new models that use RevertToSelf can be created and imported.
Security Note:
We do not recommend RevertToSelf authentication mode for production environments. Before enabling RevertToSelf authentication mode, make sure that you have read and understood the implications of enabling RevertToSelf authentication mode.

Note:
RevertToSelf is not allowed in hosted environments.

To enable RevertToSelf authentication mode

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.
  2. On the Start menu, click All Programs.
  3. Click Microsoft SharePoint 2010 Products.
  4. Click SharePoint 2010 Management Shell.
  5. At the Windows PowerShell command prompt, type the following commands:
    1. To create a variable that contains the Business Data Connectivity service application object, type the following command:
      $bdc = Get-SPServiceApplication | where {$_ -match "<ServiceName>"}
      
      Where <ServiceName> is the name of the Business Data Connectivity service application. This can also be a regular expression (for example, "BDC").
      Note:
      If the Business Data Connectivity service application is a shared service application, this command must be run on the farm where the service application is published.

    2. To enable RevertToSelf authentication mode, type the following command:
      $bdc.RevertToSelfAllowed = $true
      

Disable RevertToSelf authentication mode

When RevertToSelf is disabled, new models that use RevertToSelf cannot be created or imported.
Note:
If you have existing models that use RevertToSelf, they will continue to work. You must delete the existing models if you want to remove all instances of RevertToSelf authentication from your farm.

To disable RevertToSelf authentication mode

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.
  2. On the Start menu, click All Programs.
  3. Click Microsoft SharePoint 2010 Products.
  4. Click SharePoint 2010 Management Shell.
  5. At the Windows PowerShell command prompt, type the following commands:
    1. To create a variable that contains the Business Data Connectivity service application, type the following command:
      $bdc = Get-SPServiceApplication | where {$_ -match "<ServiceName>"}
      
      Where <ServiceName> is the name of the Business Data Connectivity service application. This can also be a regular expression (for example, "BDC").
      Note:
      If the Business Data Connectivity service application is a shared service application, this command must be run on the farm where the service application is published.

    2. To disable RevertToSelf authentication mode, type the following command:
      $bdc.RevertToSelfAllowed = $false
      
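Because clearing RevertToSelfAllowed only stops new models from being created or imported, and existing RevertToSelf models keep working, an administrator needs a way to find them. The following audit script is an added example (not part of the TechNet article): it prints the farm-level switch the procedures above toggle and lists every external system instance in the metadata store with its AuthenticationMode. It assumes the SharePoint 2010 Management Shell, that $SiteUrl is a placeholder site in a web application that consumes the BDC service application, and that the Administration object model exposes each instance's property bag as Property objects with Name and Value.

```powershell
# Added example, not from the original article. Run in the SharePoint 2010 Management Shell.
# $SiteUrl is a placeholder; the site only serves to obtain a service context.
param([string]$SiteUrl = 'http://yourwebapplication')

$site = Get-SPSite $SiteUrl
$ctx  = Get-SPServiceContext -Site $site

# Farm-level switch that the article sets with $bdc.RevertToSelfAllowed = $true / $false
$bdc = Get-SPServiceApplication | Where-Object { $_.TypeName -like '*Business Data Connectivity*' }
"RevertToSelfAllowed on '{0}': {1}" -f $bdc.DisplayName, $bdc.RevertToSelfAllowed

# Every external system instance (LobSystemInstance) in the metadata store
$instances = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType LobSystemInstance -ServiceContext $ctx

$report = @()
foreach ($lsi in $instances) {
    # Assumption: $lsi.Properties enumerates Property objects carrying Name and Value.
    $mode = ''
    foreach ($p in $lsi.Properties) {
        if ($p.Name -eq 'AuthenticationMode') { $mode = [string]$p.Value }
    }
    # PowerShell 2 compatible object construction (no [pscustomobject])
    $report += New-Object PSObject -Property @{
        ExternalSystem = $lsi.LobSystem.Name
        Instance       = $lsi.Name
        AuthMode       = $mode
        RevertToSelf   = ($mode -eq 'RevertToSelf')
    }
}

$report | Sort-Object RevertToSelf -Descending |
    Format-Table ExternalSystem, Instance, AuthMode, RevertToSelf -AutoSize

# Instances that run as the application pool account regardless of the farm-level switch;
# these are the models that must be deleted to remove RevertToSelf from the farm entirely.
$exposed = @($report | Where-Object { $_.RevertToSelf })
"{0} instance(s) still use RevertToSelf" -f $exposed.Count

$site.Dispose()
```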

Workflows and external lists

Additional configuration is required when you want to develop workflows that interact with external lists. The following sections describe requirements that can affect workflow behavior.
Note:
Workflows cannot interact with external lists in a hosted environment.

Workflows cannot be associated directly with an external list

Because the external data is not stored in SharePoint Server, the workflow cannot be notified when an item in the external list changes. Instead, you can create a site workflow or a list workflow, and then have the workflow read or update an external list. You can also use an external list item as a destination for a task process in SharePoint Designer; however, the link to the task will not display a title for the external list item.

Workflows sometimes run as the service account

Workflows run as the service account (typically, the application pool account) in the following scenarios:
  • Visual Studio workflows.
  • Declarative workflows that interact with external lists and are started automatically. This is true even when you use an impersonation step in your workflow.
In this case, you must give the service account Execute permission to the external content type that the external list is associated with and verify that the service account has the necessary permissions to access the external system.

Workflows and authentication

To support workflow activities, the external content type that the external list is associated with must use RevertToSelf or Secure Store Service for authentication.
Note:
These authentication mode restrictions do not apply if you are using a .NET Assembly connector or a custom connector.

  • Authenticate by using RevertToSelf

    RevertToSelf authentication mode (also known as BDC identity authentication mode) authenticates to the external system by using the application pool account of the front-end Web server where the external list resides. This means that the application pool account must have permission to access the external system. By default, RevertToSelf authentication is not enabled. You must enable RevertToSelf authentication mode before you can create or import models that use RevertToSelf authentication.

    Security Note:
    RevertToSelf authentication is not recommended for production environments.
    For more information about RevertToSelf authentication, see RevertToSelf authentication mode.
  • Authenticate by using the Secure Store Service

    Secure Store Service enables you to securely store data that provides credentials that are required for connecting to external systems and associating those credentials to a specific identity or group of identities. You must ensure that the external content type uses one of the Secure Store Service authentication modes.

    Security Note:
    If the workflow is running as the service account, we recommend that you map the service account to an account that has lower privileges. For example, you can create a secure store target application ID that maps the service account to an account that has minimal permissions and can access only the required external system.
For more information about authentication modes, see Business Connectivity Services authentication overview in "Business Connectivity Services security overview (SharePoint Server 2010)."

Set permissions to enable a consuming farm to generate deployment packages

The Business Data Connectivity service application can be shared across server farms. The farm that contains the Business Data Connectivity service application and publishes the Business Data Connectivity service application is known as the publishing farm. The consuming farm is the farm that connects to a remote location to use the Business Data Connectivity service application.
When a user takes an external list offline, the application pool account that is used by the front-end Web server where the external list resides, generates a deployment package, which is then installed on the client computer. On the publishing farm, the application pool account of the front-end server has full permissions to the metadata store so that it can generate the deployment package. If you want the consuming farm to be able to generate deployment packages, you must give Edit and Set Permissions permission to the metadata store to the application pool account that is used by the front-end server on the consuming farm. If you do not give these additional permissions to the application pool account, external lists that reside on the consuming farm cannot be taken offline.
Security Note:
Giving the application pool account of the consuming farm Edit and Set Permissions permission to the metadata store makes that account a farm administrator on the publishing farm.

Note:
This section applies only to on-premise SharePoint Server deployments.

For more information about external list deployments, see Plan Business Connectivity Services client integration (SharePoint Server 2010).

To assign permissions to the application pool account of the consuming farm

  1. Verify that you have one of the following administrative credentials:
    • You must be a farm administrator on the publishing farm.
    • You must be the administrator of the Business Data Connectivity service application and have Set Permissions permission to the metadata store.
    • When you create the BDC application, the managed account for the application pool must be in the farm admin group. When you add a connection in an external content type, your own account must be in the farm admin group too.
  2. On the Central Administration site of the publishing farm, in the Application Management section, click Manage service applications.
  3. Click in the Name column of the row that corresponds to the Business Data Connectivity service application.
  4. In Permissions group of the ribbon, click Set Metadata Store Permissions.
  5. In the text box, type the application pool account that is used by the front-end Web server on the consuming farm, and then click Add.
  6. In the Permissions box, click Edit, and then click Set Permissions.
  7. Click OK.
For more information about shared service applications, see Share service applications across farms (SharePoint Server 2010).

Remove a Managed Account:

Go to Central Administration => Security => General Security => Configure managed accounts.


Remove a service application pool:
Get-SPServiceApplicationPool -Identity 'BDC service' | Remove-SPServiceApplicationPool


Wednesday, December 19, 2012

Setting up External Content Type for SQL Server database using SQL Server authentication - SharePoint 2010 Foundation

This post is a follow-up on the issues I ran into setting up an External Content Type (ECT) on SharePoint 2010 Foundation that was going to connect to a remote SQL Server database for information. I cannot use my SharePoint user accounts to access SQL Server.

According to the information I have found, ECT and Business Connectivity Services are available in SharePoint 2010 Foundation, but there are some issues if you want to use authentication methods in your external connections other than Windows Identity or Current User Identity. This is because there is no Secure Store Service in SharePoint 2010 Foundation; it serves as an impersonation hub and is only available in the SharePoint 2010 Server edition.
The issues come from the fact that you can actually create an ECT in SharePoint Designer 2010 by providing just a Secure Store ID (the system asks you for credentials and off you go), but when you try to use your ECT in External Lists or as lookup columns you get errors, because the Secure Store Service module is missing.
For more information about that issue please have a look here:
http://bit.ly/aWYlHn

In my scenario we have our own mighty CRM system called Wylde CRM, where data is stored in a SQL Server 2008 database hosted on a remote server. Because I don't want to migrate our customer data to SharePoint, I just want to leverage the new shiny functionality that SharePoint 2010 offers out of the box: Business Connectivity Services. Here I will show you how to set up an ECT to work properly with a remote SQL Server database.

1. Create an ECT in SharePoint Designer 2010.

1.1. Select SQL Server as a type and provide the SQL Server connection settings:

I provided WyldeCRMSS as the Secure Store Application ID, but it can be any name at this stage, because it is only used at creation time and is never used again.

1.2. Create all the necessary commands for your ECT, check that everything works from SharePoint Designer, save your ECT and then export your BDC model to a .bdcm file:

2. Modify your .bdcm file. Open the file in an appropriate editor, find the LobSystemInstances element and, within it, the LobSystemInstance element related to your ECT.

<LobSystemInstance Name="SQL2008">
  <Properties>
    <Property Name="AuthenticationMode" Type="System.String">RdbCredentials</Property>
    <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
    <Property Name="RdbConnection Data Source" Type="System.String">DB Server Name</Property>
    <Property Name="RdbConnection Initial Catalog" Type="System.String">DB Name</Property>
  </Properties>
</LobSystemInstance>
...

Whatever is contained within the <Properties> element should be replaced with the following values:

    <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
    <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
    <Property Name="RdbConnection Data Source" Type="System.String">DB Server Name</Property>
    <Property Name="RdbConnection Initial Catalog" Type="System.String">DB Name</Property>
    <Property Name="RdbConnection Pooling" Type="System.String">True</Property>
    <Property Name="RdbConnection User ID" Type="System.String">SQL User Name</Property>
    <Property Name="RdbConnection Password" Type="System.String">SQL User Password</Property>
    <Property Name="RdbConnection Integrated Security" Type="System.String">False</Property>
    <Property Name="ShowInSearchUI" Type="System.String"></Property>

Pay close attention to the property names and the Name/Type attribute casing; XML is case-sensitive and they must be provided exactly as above.

Save the .bdcm file.

3. Delete the ECT you have created in SharePoint Designer.

4. Go to Central Administration or to Administration Web site if you have a multi-tenant environment and Import your updated .bdcm file:



5. If the file has been imported successfully - create an External List using the imported ECT: 


6. Enjoy working with your external SQL Server data via SharePoint 2010 Foundation:
Here we go.
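As an added example (not code from the original post), steps 2 and 4 above done with an XML parser instead of a text editor: the script replaces the contents of the LobSystemInstance's Properties element with the property list from step 2, prompts for the SQL login rather than hard-coding it, imports the result with Import-SPBusinessDataCatalogModel, and then deletes the intermediate file, since the .bdcm holds the SQL password in clear text. Paths, the instance name and the server/database names are placeholders; it assumes the SharePoint 2010 Management Shell.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management Shell.
# All parameter defaults are placeholders.
param(
    [string]$InPath       = 'C:\Temp\WyldeCRM.bdcm',
    [string]$OutPath      = 'C:\Temp\WyldeCRM.sqlauth.bdcm',
    [string]$InstanceName = 'SQL2008',
    [string]$DbServer     = 'DB Server Name',
    [string]$DbName       = 'DB Name'
)

# SQL Server login for the external system; prompted, not stored in the script
$cred = Get-Credential

[xml]$model = Get-Content -Path $InPath
$ns = $model.DocumentElement.NamespaceURI   # BDC model default namespace

# Locate the LobSystemInstance for this ECT (the PowerShell XML adapter ignores the namespace)
$lsi = $model.Model.LobSystems.LobSystem.LobSystemInstances.LobSystemInstance |
    Where-Object { $_.Name -eq $InstanceName }
if (-not $lsi) { throw "LobSystemInstance '$InstanceName' not found in $InPath" }

# Property names and values from step 2 of the post; the order and casing are kept as given.
$props = @(
    @('AuthenticationMode',                'PassThrough'),
    @('DatabaseAccessProvider',            'SqlServer'),
    @('RdbConnection Data Source',         $DbServer),
    @('RdbConnection Initial Catalog',     $DbName),
    @('RdbConnection Pooling',             'True'),
    @('RdbConnection User ID',             $cred.UserName),
    @('RdbConnection Password',            $cred.GetNetworkCredential().Password),
    @('RdbConnection Integrated Security', 'False'),
    @('ShowInSearchUI',                    '')
)

# Replace whatever SharePoint Designer put inside <Properties> with the list above.
# local-name() sidesteps the default namespace without a namespace manager.
$propsNode = $lsi.SelectSingleNode("*[local-name()='Properties']")
if (-not $propsNode) {
    $propsNode = $model.CreateElement('Properties', $ns)
    [void]$lsi.AppendChild($propsNode)
}
$propsNode.RemoveAll()
foreach ($p in $props) {
    # Elements are created in the model namespace so they serialize as plain <Property>
    $el = $model.CreateElement('Property', $ns)
    $el.SetAttribute('Name', $p[0])
    $el.SetAttribute('Type', 'System.String')
    $el.InnerText = $p[1]
    [void]$propsNode.AppendChild($el)
}
$model.Save($OutPath)

# Step 4: import into the BDC service application; -Force overwrites a model of the same name
$bdc = Get-SPServiceApplication | Where-Object { $_.TypeName -like '*Business Data Connectivity*' }
Import-SPBusinessDataCatalogModel -Identity $bdc -Path $OutPath -Force

# The saved file contains the SQL password in clear text; remove it once the import succeeded
Remove-Item -Path $OutPath
```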

If you have any questions in regard to External Content Types, you need assistance or if you think you don't know how you could benefit from using External Content Types for your business - contact us now for a consultation.

Stay tuned for more articles from Wylde Solutions - next article is about setting up ECT properly in SharePoint 2010 Server. :)

create BCS in sharepoint designer

Walkthrough: Create a simple BCS connection with SharePoint Designer 2010

First: You need a SharePoint 2010 platform. You can use Foundation, because BCS (Business Connectivity Services, formerly BDC, the Business Data Catalog in SharePoint 2007) is included in this "free" edition.
Second: You need a database for the walkthrough. You can use Microsoft's sample database "AdventureWorks", which you can download here: http://msftdbprodsamples.codeplex.com. I'll use the database "AdventureWorksLT2008R2", the lite version of the sample database.
Third: The BCS Application of SharePoint 2010 must be configured. – Create this application in the Central Administration –> Manage Service Applications
Fourth: You need a Site Collection. – In my sample it’s “http://sharepoint.local”
1. Open SharePoint Designer 2010 (“SPD”)


2. Click “External Content Types” in the Site Objects Navigation.

3. Click “External Content Type” in the Group “New” on the Ribbon.
In the "External Content Type Information" group click the placeholder text "New external content type" beside the label "Name".
Enter "AdventureWorks SalesOrderDetails". After that the same text will appear beside "Display Name".

4. Click on the text message beside “External System”:

5. Click “Add Connection”
  
Select “SQL Server” in the drop down “Data Source Type” in the dialog
On the next dialog enter the Database Server Name, Database Name and the Name of the new connection. Select “Connect with User’s Identity”.

6. Now the Data Source Explorer view is filled:
Scroll down and select the table “SalesOrderDetails” in the tree view.
Right click on “SalesOrderDetails”. Click on “Create All Operations”.


7. You get this dialog.
Click “Next”.
 
Click “Finish”

8. Click “Save” or Ctrl+S.

9. After the upload click on “Create Lists & Form”.
 Now the list will be created:

10. Open the browser and navigate to the site collection. You’ll see the previously created list:

11. Open the list view.

12. You may get the error “Access denied by Business Data Connectivity”.
 

13. Then open “Central Administration” –> Manage Service Application –> Business Connectivity Service Application.
Select the BCS application. Open the context menu. Click “Set Permissions”.
On the next dialog add all users that should have access to the BCS app and its lists.
Click “OK”.

14. Try to open the list on the site collection.

15. You may get the error message "Login failed for user NT AUTHORITY\IUSR". (This can be tweaked here)
This means: the IUSR account has no rights to access the AdventureWorks database.
Open SQL Server Management Studio. Open "Security" –> "Logins" (at server level).
Add "NT AUTHORITY\IUSR" as a new login.
 
On the “User Mapping” tab change the security settings:
Click “OK”.

16. Open the list again.