And I’m not talking about the rock and roll type of headbanging either. I’m talking about the type of headbanging where you slam your forehead onto your desk every hour or so and pray to the SharePoint gods for moral support.
I was actually part of a small group of non-Microsoft beta testers while the ECTS Solution Accelerator was still Beta and was able to work with it pretty easily in a dev 2003 environment so I thought what the heck, can’t be much different for a Windows Server 2008 environment right? Yeah…right… So I’ve spent the last couple of days trying to install this Extranet Collaboration Toolkit (Technet documentation here) onto a Windows Server 2008 production box hosting Windows SharePoint Services version 3.0 and luckily for me none of the documentation had been written for Windows Server 2008 yet. On the flip side, I get to try to write everything I remember down and to share my experience with all of you guys! 🙂
Architecture (My Setup)
1 – Windows Server 2008 Standard 64-bit hosting latest WSS v3.0 bits + AD LDS + the ECTS.
1 -SQL Server 2005 with a new instance just for the new WSS farm.
1- Windows Server 2003 Domain Controller (Also the Enterprise Root Certificate Authority).
Steps
- Installed 64-bit Windows Server 2008 Standard. This was basic, no biggies.
- Installed 64-bit WSS v3.0 with SP1
– Download bits here
– Download post SP1 infrastructure updates
– Read deployment documentation here
– Comments: The documentation is pretty good here, was able to install with all recommended service accounts.
- Download Extranet Collaboration Toolkit
– Download bits here
– Follow along with this prep and deployment guide
– Comments: I’ll outline some of the gotchas I came across below
Gotchas
This section will pretty much follow the steps detailed in the deployment guide but I’ll intervene with comments where I met some difficulty.
Preparing the environment
1. Record all the Required Data on a piece of paper or something. Will make your life easier later on. These include of:
– Internal URL
– External URL
– ADAM host name
– SQL Server name
– etc, they’re all listed and detailed at the beginning of the guide.
2. Make sure you have an Enterprise Root Certification Authority deployed on your domain controller. If not, see this article. Comment: this step was pretty easy and self-explanatory.
3. Setup DNS alias using CNAME records for your internal and externally facing collaboration site URLs. Example internal: http://collab.mycompany.com; external: https://partners.mycompany.com
4. Install Certificate and Update Key File Permissions – now this part was a major pain the butt. I spent a solid day figuring this out. From the extranet server the guide tells us to use Internet Explorer to access our Enterprise Certification services, usually found at http://domainController/certsrv.
First road block was that with new features (security?) in Windows Server 2008 and Vista, you’ll need to download a hotfix for your Certification Authority (CA). I don’t have the link to the hotfix but you’ll see it when you try to access the webpage. The other gotcha in this step is the fact that it must be an encrypted site, so you’ll have to install a self-signed certificate and bind it to the IIS website. This part wasn’t too hard.
So after I got the CA prepped and was able to access the page, I resumed with the guide:
– Request a certificate
– Click advanced certificate request
– Click Create and submit a request to this CA
– Use the Web Server Certificate Template, type the FQDN of the extranet server. Ex: wssextranet.mycompany.com
– Under Key Options, create a new key set with Microsoft RSA SChannel Cryptographic Provider.
Click Automatic key container name and then select “the Store certificate in the local computer certificate store check box.”
This is where I got tripped up. I didn’t have that check box! I’m not sure why but I surely found out that it didn’t work after trying to complete this step for the 5th time unsuccessfully. Everytime that I was installing the certificate, it was being installed to the account’s profile and not the ‘All users’ profile. So with much digging I found 4 links that helped enable me to request a Certificate via command line.
– How to enable LDAP over SSL with a thir-party certification authority (KB 321051)
– Configuring LDAP over SSL Requirements for AD LDS (Windows Server 2008 )
– MSDN SharePoint Forum post by Dan Barua 7/24/2008
– Advanced Certificate Enrollment and Management
So after creating the request.inf file, and replacing the “Subject=” with the extranet server instead of the DC (another gotcha), I created a request file using:
certreq -new c:\request.inf c:\request.req
Then you have to submit it to your Enterprise CA using:
certreq -submit -attrib “CertificateTemplate:webserver” c:\request.req c:\certnew.cer
Then install using:
certreq -accept c:\certnew.cer
So now the certificate should be installed to the right place, except I was having a hard time finding where it was installed to so I found another way to change the permissions on the Certificate that I didn’t see mentioned in any of the documentation:
– Go to Run > MMC > Add in Certificates snap-in for Local Computer account
– Expand to Certificates (Local Computer) > Personal > Certificates
– Right-click on your certificate > All Tasks > Manage Private Keys… > Add Network Service permissions.
Unfortunately, we won’t really be able to test this out until we install the ADAM/AD LDS instance so you may have to loop back to this step and review if you can’t connect to it later on.
5. Set up the Web App, Site Collection, Extend it to port 443, and Set up Forms-based Authentication – This was easy, basic SharePoint admin stuff. Just make sure you bind an SSL cert to the extranet site in IIS or else you won’t be able to browse to it.
Install ECTS
This was tricky as your mileage may vary depending on your environment. The setup wizard didn’t work for me so I had to install all the components manually one by one.
1. Run the ADAM Setup Script – As pointed out by a post in this thread, you’ll have to manually update the ects_setup_adam.vbs file to reflect the new location of ldifde.exe.
strLDIFDE = objFSO.BuildPath(colProcessEnvVars(“windir”), “\system32\ldifde.exe”)
Then run cscript ects_setup_adam.vbs CN=ExternalUsers,DC=domain,DC=com
After this step you’ll be able to test to see whether or not your certificate from earlier works properly with your LDAP connection. To test this:
– Run > ldp.exe > Connect > your AD LDS server’s FQDN, port 636 (default), check SSL > OK
– You should get a response and no pop-up error.
2. Run the Database Setup Script – For some weird security issues, I was unable to run this script from my extranet server so I copied all the files over to my SQL Server and ran the script there with no problems.
cscript ects_setup_sql.vbs sql\instance
3. Run the ECTS Setup Script – This step really gave me some new gray hairs. For some reason I was getting the following error:
Adding the WSPs to SharePoint…
ERROR: Could not add the ECTSBase.wsp to SharePoint. Script aborting…
So after awhile, I thought I would try on a Windows 2003 server to see what would happen. I noticed that this time the script went further than on the 2008 Server so I ran it once more but this time interrupted the script right after it generated the WSPs and before it tried to deploy. I copied the WSPs over to the Extranet server and then tried to manually add them to the solution store. Then I noticed that my service account didn’t have access to run STSADM even though it was a member of the Local Administrators’ group. I still don’t know why this is, but after running STSADM as the Local Administrator account I was able to do the following commands to add the solution to the solution store:
stsadm -o addsolution -filename c:\ECTSBase.wsp
stsadm -o addsolution -filename c:\ECTSSolution.wsp
Now they show up in Central Admin > Operations > Solution Management. Woohoo! From here you can deploy the 2 solutions to your web app. Next step is to activate the features at the Site Collection level. I compared the available number of visible features to the script file and noticed a discrepancy. There were some hidden features – 6 visible and 2 hidden.
So I carefully activated each feature one at a time according to their order in the setup script:
stsadm -o activatefeature -name ExternalCollaboration -url http://collab
stsadm -o activatefeature -name ConfigurationUtility -url http://collab
stsadm -o activatefeature -name SiteCollectionApproval -url http://collab
stsadm -o activatefeature -name SiteCollectionManager -url http://collab
stsadm -o activatefeature -name UserManager -url http://collab
stsadm -o activatefeature -name CreateSiteCollection -url http://collab
stsadm -o activatefeature -name ExternalUserApproval -url http://collab
stsadm -o activatefeature -name ECTSBase -url http://collab
Working with the ECTS Web Parts
Configuration Utility Web Part – At first I was unable to update any of the configurations but after scanning my event viewer, it mentioned that a service account had insufficient permissions to the SharePoint_AdminContent_GUID database. Fixed this by giving the account sys_admin permissions to that DB.
[Update – 7/30/2008 5:30pm]
Site Collection Manager Web Part – I was getting an access denied page when trying to approve the submitted site creation request. Event ID error 6141. Fixed it by making the Application Pool account run as a domain account instead of Network Service. – TechNet
Adding External Users Error/External Login Error: “An invalid dn syntax has been specified. (C:\inetpub\…\web.config line 133)”. Solved this by manually updating the web.config file’s ADAMConnectionString. The LDAP string was incompletely configured. Should be:
<add name=”ADAMConnectionString” connectionString=”LDAP://ADLDSserver.mycompany.com:636/CN=Users,CN=ExternalUsers,DC=mycompany,DC=com” />
To be continued… I’ll update this post with more information as I continue to work with the ECTS.
The SharePoint Swiss Army Knife 
Well I’m a complete and utter sharepoint n00b but i’m glad i found something that was helpful! 🙂
Henry, first, this has been a great help and I’m sorry to hear about your MSFT debacle.
I have a few notes that I should probably write down before I forget, but for now the reason that the ects_sharepoint script doesn’t work is that I assume you are trying to run it logged in as your SharePoint service account. A CMD prompt, by default in Server 2008, does not run with admin priv’s even if you are logged into an account with local admin rights. So, by using runas you can open a cmd prompt under the admin guise and successfully execute the script without all the extra work you had to do.
The other wierd thing is the SSL Cert request. In my INF file, where it says in the documentation to put the name of the DC, it took me a bit to realize that they meant DC as in the server hosting AD LDS, not the DC/CA. But that was more of a DUH! moment than anything else. But thought maybe other users might make the same gaff.
Last, I’m runnning SQL2008 and I had to change the SQL script to use the 100 directory instead of the 90 directory.
Thanks again for putting this together!
Update: The current roadblock is adding external users. I get a “General Access Denied” error. Everything up through Site Creation and Approval is working and I feel like this is the last step before we hit full steam ahead.
The applicationPool account running the collaboration account must be a member of the “Farm administrators” in Central Admin. This is because the sitecreation use’s this account.
On doing the certreq -submit step I was getting the error “Certificate not issued (Denied) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.”
My environment: CA server is 2008, while extranet server is Server 2003. I had to change the command to drop the inverted commas around the certificate template detail:
certreq -attrib CertificateTemplate:WebServer -submit c:\request.req c:\certnew.cer
Thanks for the helpful article!