Way back in December 2010 I published the first in a series of SharePoint 2010 certification aids. For various reasons I haven’t had a chance to publish part 2 up until now, so I hope it’s worth the wait.
As I explained in the introduction to part one, the blog is published retrospectively and (aside from the odd typo) I haven’t made any changes to my original revision notes so as to ensure I don’t violate the Microsoft NDA that all exam candidates must sign. As such, you might notice the odd error or missing section (in particular you will notice that there are no notes for the section entitled “Manage accounts and user roles.”). This is deliberate, although I would appreciate a comment if you notice any glaring mistakes so as to prevent misinformation.
- Introduction and “Installing and Configuring a SharePoint Environment (25 per cent)”
- “Managing a SharePoint Environment (26 per cent)” – you are reading this.
- “Deploying and Managing Applications (24 per cent)”
- “Maintaining a SharePoint Environment (25 per cent)”
2. Managing a SharePoint Environment (26 per cent)
Manage operational settings.
From the Learning Plan:
This objective may include but is not limited to: configuring logging, quotas, monitoring levels, health reports, security, and SQL Server Reporting Services (SSRS) integration
Suggested reading (operational settings)
- Configure diagnostic logging (SharePoint Server 2010)
- Monitoring overview (SharePoint Server 2010)
- Overview of Reporting Services and SharePoint Technology Integration
My notes (operational settings)
- Diagnostic logging is enabled by default and is used for troubleshooting.
- Generally speaking more detailed diagnostic logs require more resources – this includes disk space and IO operations. In particular, use the verbose setting sparingly (e.g. only when troubleshooting or making significant changes).
- Event log flood protection is configured within diagnostic logging and suppresses events if they are logged repeatedly.
- Modifying diagnostic settings requires membership in the farm administrators group.
- Health and usage data collection is also enabled by default. It is performed via timer jobs and written to the logging directory and the logging database. The frequency of collection is configurable by modifying the timer job schedules and can affect performance in a similar manner to diagnostic logging.
- Logging data is collected from servers via a timer job and written to a logging database.
- SP2010 also includes an integrated health analyser which checks farm health against a (customisable) list of predefined rules. Email alerts can be configured to allow administrators to receive notification if a rule fails, and the schedule can be adjusted on a per-rule basis.
- The add-on for SSRS is installed along with the other SP2010 prerequisites.
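The logging settings described above, as an added example that is not part of the original notes: farm-wide diagnostic configuration, a scoped (rather than farm-wide) increase in verbosity while troubleshooting, and collection of the correlated entries from every server. It is run from the SharePoint 2010 Management Shell as a farm administrator; the log path, sizes, retention period and the chosen Area:Category are illustrative and must exist or be adjusted for your farm.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010
# Management Shell as a farm administrator. 'D:\ULS' must exist on every
# server in the farm; sizes and the category are illustrative choices.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Farm-wide ULS settings: move trace logs off the system drive, cap the disk
#    they may use, keep 14 days, and keep flood protection on so a repeating
#    event is summarised instead of filling the Application event log.
Set-SPDiagnosticConfig -LogLocation 'D:\ULS' -LogMaxDiskSpaceUsageEnabled:$true `
    -LogDiskSpaceUsageGB 20 -DaysToKeepLogs 14 -EventLogFloodProtectionEnabled:$true
Get-SPDiagnosticConfig | Select-Object LogLocation, DaysToKeepLogs, LogDiskSpaceUsageGB, EventLogFloodProtectionEnabled

# 2. Weak practice (do not do this on a production farm):
#    Set-SPLogLevel -TraceSeverity VerboseEx      # every category, every server
#    Better: raise one Area:Category while reproducing the fault, then reset it.
$category = 'SharePoint Foundation:Claims Authentication'   # any pair listed by Get-SPLogLevel
Get-SPLogLevel -Identity $category                          # record the current levels
Set-SPLogLevel -Identity $category -TraceSeverity VerboseEx -EventSeverity Verbose
New-SPLogFile     # start a fresh trace file so the verbose window is easy to find

# ... reproduce the problem and note the correlation ID from the error page ...

# 3. Pull the entries for that correlation ID from every server in the farm
#    into one file, then put the category back to its default.
function Export-CorrelatedTrace {
    param([Parameter(Mandatory = $true)][guid]$CorrelationId,
          [string]$OutFile = "$env:TEMP\ULS-$CorrelationId.log")
    Merge-SPLogFile -Path $OutFile -Correlation $CorrelationId -Overwrite
    return $OutFile
}
# Placeholder ID: replace with the correlation ID from the failing request.
$trace = Export-CorrelatedTrace -CorrelationId '00000000-0000-0000-0000-000000000000'
Clear-SPLogLevel -Identity $category
```

The point of scoping the change is that VerboseEx on every category can write several gigabytes per hour across a farm; combined with the disk cap, that would also push out older logs you may still need. Clear-SPLogLevel without -Identity resets every category, which is the quickest recovery if someone has already set verbose farm-wide.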
Manage accounts and user roles.
From the Learning Plan:
- This objective may include but is not limited to: managing user accounts, group accounts, managed accounts, computer accounts, and service accounts; and delegating site collection administration
Suggested reading (accounts and user roles)
My notes (accounts and user roles)
Manage authentication providers.
From the Learning Plan:
This objective may include but is not limited to: managing NTLM, Kerberos, claims-based, and forms-based authentication; and configuring Secure Store Service (SSS) and Active Directory Federation Services (AD FS)
Suggested reading (authentication providers)
- Chapter 9 of Professional SharePoint 2010 Administration
- Plan authentication methods (SharePoint Server 2010)
- Understanding Kerberos Double Hop
- NTLM’s dependency on HTTP keep-alives (my blog – this one is quite technical but I thought I would include it given that I skimmed over the post prior to the exam; the main point is that NTLM is a connection based protocol).
Suggested Lab Exercises (authentication providers)
- Create and test a Web application using Kerberos in Classic authentication mode (use setspn.exe to configure Service Principal Names).
- Create and test a Web application using FBA in Claims authentication mode (requires modifications to the Web app web.config file).
My notes (authentication providers)
Primary resource: Technet
- SP2010 supports the same authentication methods as in MOSS (Windows and Forms) but also adds token based (SAML) authentication.
- Unlike MOSS, there are two authentication modes: “classic” and “claims”.
- Classic mode authentication supports Windows authentication only, whereas claims supports Windows, Forms and SAML (i.e. all three authentication methods). Hence, for new implementations of SP2010 claims mode is always recommended given that it supports all authentication methods.
- “A SharePoint Server 2010 farm can include a mix of Web applications that use both modes.” - Technet.
- “Windows Authentication” in this context covers NTLM, Kerberos, Anonymous, Basic or Digest.
- In Classic mode, user accounts are treated by SP2010 as Windows Active Directory domain accounts.
- In Claims mode, SP2010 changes all user accounts to claims identities.
- The Secure Store Service (SSS) is the (claims aware) SP2010 equivalent of the MOSS Single Sign On (SSO) service. It stores credentials encrypted in its own database and maps them to a target application ID, which is then used to connect to external data; PerformancePoint requires an SSS service application. The encryption key is generated from a passphrase that you must record, since it is needed again whenever the key is refreshed. All changes can be logged by enabling the auditing option in the SSS service application properties dialog.
- ADFS is a claims based identity technology for Windows that provides identity federation and single sign on (SSO). As the name implies it utilises Active Directory as its directory store.
- “Claims authentication is built on WIF. WIF is a set of .NET Framework classes that are used to implement claims-based identity. Claims authentication relies on standards such as WS-Federation, WS-Trust, and protocols such as SAML.” - Technet
Windows Based Authentication
- Both NTLM and Kerberos are “Integrated” Windows authentication methods, meaning that a user who is already logged on to the domain is signed in without being prompted for credentials, provided the browser is willing to send them (e.g. the site is in the Local intranet zone).
- NTLM (NT LAN Manager) is the simplest authentication method to implement. It is a proprietary, connection-based challenge/response protocol and requires very little configuration, but it does not authenticate the server to the client and the identity it establishes cannot be passed on to a back-end system.
- Kerberos is an industry standard security protocol that supports ticket-based authentication. It requires Service Principal Names (SPNs) to be registered for the application pool account, which you can do with the setspn.exe tool. “To create SPNs in an Active Directory domain, you must have domain administrative-level permissions.” - Technet. A missing or duplicate SPN is the usual reason Kerberos silently falls back to NTLM, so check with setspn -X (duplicates) and setspn -L <account> (what is registered).
- Kerberos, with delegation configured on the application pool account, is typically used to resolve the “double hop” issue whereby a back end system (e.g. SSRS) requires the user’s own credentials across two or more server hops. Prefer constrained delegation, which limits the services to which the account may forward a ticket.
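The first lab exercise above (a classic-mode Web application using Kerberos), carried through as an added example that is not part of the original notes: SPN registration, Web application creation, optional constrained delegation for the double-hop case, and a check that Kerberos rather than NTLM was actually used. The account, host name, database and SQL service name are hypothetical. It is run from the SharePoint 2010 Management Shell as a farm administrator; the setspn and Set-ADUser calls additionally need rights to write those attributes in the domain.

```powershell
# Added example, not from the original post. Account, host name, database and
# back-end SPN are hypothetical. Run in the SharePoint 2010 Management Shell
# as a farm administrator with rights to write SPNs in the domain.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appPoolAccount = 'CONTOSO\svc-sp-portal'
$hostHeader     = 'portal.contoso.com'
$shortName      = $hostHeader.Split('.')[0]

# 1. SPNs go on the application pool account, for the name users actually type.
#    setspn -S refuses to create a duplicate (duplicates make Kerberos fall back
#    to NTLM without any obvious error).
setspn -S "HTTP/$hostHeader" $appPoolAccount
setspn -S "HTTP/$shortName"  $appPoolAccount      # only if users also use the short name
setspn -X                                         # forest-wide duplicate check
setspn -L $appPoolAccount                         # list what is now registered

# 2. Classic mode: -AuthenticationMethod selects NTLM or Kerberos (Negotiate).
$managed = Get-SPManagedAccount | Where-Object { $_.UserName -eq $appPoolAccount }
if ($managed -eq $null) {
    $managed = New-SPManagedAccount -Credential (Get-Credential $appPoolAccount)
}
New-SPWebApplication -Name 'Portal' -Port 80 -HostHeader $hostHeader -URL "http://$hostHeader" `
    -ApplicationPool 'PortalAppPool' -ApplicationPoolAccount $managed `
    -AuthenticationMethod Kerberos -DatabaseName 'WSS_Content_Portal' | Out-Null

# 3. Only when a back end must see the user's own identity (double hop): allow
#    the app pool account to delegate to that one service rather than ticking
#    "trust this user for delegation to any service". Needs the AD module.
Import-Module ActiveDirectory
Set-ADUser 'svc-sp-portal' -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql.contoso.com:1433' }

# 4. Verify on a Web front end after a client has browsed the site: network
#    logons (type 3) whose Authentication Package is Kerberos prove the ticket
#    was used; a count under NTLM means SPNs, browser zone or the URL still
#    need attention.
function Get-WebLogonPackages {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        Where-Object { $_.Message -match 'Logon Type:\s+3' } |
        ForEach-Object { if ($_.Message -match 'Authentication Package:\s+(\S+)') { $Matches[1] } } |
        Group-Object | Select-Object Name, Count
}
Get-WebLogonPackages
```

Two practical notes: the SPN must match the host header (not the server name) because the browser builds the ticket request from the URL, and an SSL zone on the same host needs no extra SPN since the HTTP service class covers both schemes. The step 3 attribute write on its own configures Kerberos-only constrained delegation; protocol transition (“use any authentication protocol”) is a separate flag and widens what the account can do, so leave it off unless a non-Kerberos front door genuinely requires it.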
Forms Based Authentication
- Is only available in SP2010 when the Web application uses claims based authentication (in MOSS it did not depend on claims).
- Can use credentials stored in AD DS, SQL or an alternative LDAP provider such as Novell eDirectory.
- Requires changes to the Web app configuration (web.config) file if using an identity store other than one based on Windows. Unlike MOSS, both the membership provider and the role manager must be registered, and in SP2010 the registration has to be made in three web.config files on every Web front end: the Web application itself, Central Administration (so that the People Picker can resolve forms users) and the Security Token Service application (which performs the actual logon).
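The second lab exercise above (FBA on a claims-mode Web application), carried through as an added example that is not part of the original notes. It creates a Web application that offers Windows and forms sign-in in the same zone, then adds a SQL membership and role provider to the three web.config files SP2010 needs. Provider names, host name, application pool account and connection string are hypothetical, and the membership database is assumed to have been created beforehand with aspnet_regsql.exe. Run from the SharePoint 2010 Management Shell as a farm administrator, on each Web front end for the web.config part.

```powershell
# Added example, not from the original post. Names, account and connection
# string are hypothetical; the FBA database is assumed to exist already.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$membershipName = 'FBAMembership'
$roleName       = 'FBARole'
$connName       = 'FBAConnection'
$connString     = 'Server=sql.contoso.com;Database=FBA;Integrated Security=SSPI'
$webAsm         = 'System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
$siteUrl        = 'http://extranet.contoso.com'

# 1. A claims Web application can carry several providers in one zone.
$win = New-SPAuthenticationProvider                      # Windows (claims)
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider $membershipName -ASPNETRoleProviderName $roleName
New-SPWebApplication -Name 'Extranet' -Port 80 -HostHeader 'extranet.contoso.com' -URL $siteUrl `
    -ApplicationPool 'ExtranetAppPool' -ApplicationPoolAccount (Get-SPManagedAccount 'CONTOSO\svc-sp-extranet') `
    -AuthenticationProvider $win, $fba -DatabaseName 'WSS_Content_Extranet' | Out-Null

# 2. Idempotent web.config patching. SharePoint's own claims providers ("i"/"c")
#    stay as defaultProvider where present; only new <add> entries are inserted.
function Get-OrAddChild($Doc, $Parent, [string]$Name) {
    $child = $Parent.SelectSingleNode($Name)
    if ($child -eq $null) { $child = $Parent.AppendChild($Doc.CreateElement($Name)) }
    return $child
}
function Add-Entry($Doc, $Parent, [hashtable]$Attrs) {
    if ($Parent.SelectSingleNode("add[@name='$($Attrs.name)']") -ne $null) { return }
    $add = $Doc.CreateElement('add')
    foreach ($k in $Attrs.Keys) { $add.SetAttribute($k, [string]$Attrs[$k]) }
    [void]$Parent.AppendChild($add)
}
function Add-FbaProviders {
    param([Parameter(Mandatory = $true)][string]$WebConfigPath)
    Copy-Item $WebConfigPath ('{0}.{1:yyyyMMddHHmmss}.bak' -f $WebConfigPath, (Get-Date))
    [xml]$cfg = Get-Content $WebConfigPath
    $root = $cfg.configuration
    Add-Entry $cfg (Get-OrAddChild $cfg $root 'connectionStrings') @{
        name = $connName; connectionString = $connString }
    $web = Get-OrAddChild $cfg $root 'system.web'
    $mem = Get-OrAddChild $cfg $web 'membership'
    Add-Entry $cfg (Get-OrAddChild $cfg $mem 'providers') @{
        name = $membershipName
        type = "System.Web.Security.SqlMembershipProvider, $webAsm"
        connectionStringName = $connName; applicationName = '/'
        passwordFormat = 'Hashed'                         # never 'Clear'
        minRequiredPasswordLength = '12'; minRequiredNonalphanumericCharacters = '1'
        maxInvalidPasswordAttempts = '5'; passwordAttemptWindow = '15'
        enablePasswordRetrieval = 'false'; requiresQuestionAndAnswer = 'false' }
    $rm = Get-OrAddChild $cfg $web 'roleManager'
    if ($rm.GetAttribute('enabled') -eq '') { $rm.SetAttribute('enabled', 'true') }
    Add-Entry $cfg (Get-OrAddChild $cfg $rm 'providers') @{
        name = $roleName
        type = "System.Web.Security.SqlRoleProvider, $webAsm"
        connectionStringName = $connName; applicationName = '/' }
    $cfg.Save($WebConfigPath)
}

# 3. Apply on EVERY Web front end: the Web app, Central Administration (People
#    Picker) and the Security Token Service (which performs the forms logon).
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$waDir  = (Get-SPWebApplication $siteUrl).IisSettings[$zone].Path.FullName
$caDir  = (Get-SPWebApplication -IncludeCentralAdministration |
           Where-Object { $_.IsAdministrationWebApplication }).IisSettings[$zone].Path.FullName
$stsCfg = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config'
foreach ($path in @("$waDir\web.config", "$caDir\web.config", $stsCfg)) { Add-FbaProviders $path }
iisreset
```

The provider attributes are where the security of a SQL-backed FBA deployment is decided: passwordFormat="Hashed" means the membership database never holds recoverable passwords, and the lockout and length settings are enforced by the provider rather than by anything SharePoint does. The connection string uses Integrated Security, so the SQL login that needs read/write on the FBA database is the application pool account of each of the three applications, which is easy to forget for the STS (it normally runs as the farm account). Because the users are claims identities, they appear in SharePoint as i:0#.f|fbamembership|username, which is what you should expect to see in Site Permissions when testing.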
SAML (token) Based Authentication
“SAML sign-in is typically used in enterprise federation scenarios, for example, to provide access to a business partner. SAML sign-in is also deployed to provide access to internal users whose accounts reside in a domain that is not part of the forest that contains SharePoint Server 2010.” - Technet
- SAML = Security Assertion Markup Language.
- Includes Windows Live ID and ADFS 2.0 (along with other 3rd party providers).