
Well I attended DevLink down in Nashville, TN last week.  It was my first time, but certainly won't be my last.  John Kellar and all the volunteers did a great job pulling off a super conference that felt more like a huge extended community code camp than what I traditionally think of as an "industry conference" (e.g. TechEd, SxSW, PDC, etc...).  Don't read that as a negative in any way- it was a great experience, and by far one of the best values all year (it was $100).
 
The sessions were great and they had even added a SharePoint track this year, so there was no shortage of good stuff happening each day.  One thing that I do regret is not checking out the Open Spaces stuff (sorry Alan, the timing just never worked out).  As is often the case with conferences though, it was the networking that happens informally in the evenings that really provides the incalculable value.  From the quiet lobby-bar chats to the loud parties out at the Honky Tonks (Tootsie's Orchid Lounge was a favorite) I made a ton of new friends that I'm sure I'll keep in touch with and see again and again.
 
Particularly I'd like to thank my new friends from the SharePoint community, Eric Shupps, Cathy Dew, Dan Usher, Rob Foster, Rick Kierner, Becky Isserman, and Dennis Bottjer.
 
Lastly, let me post a quick soundbite from the closing panel.  It's Richard Campbell telling his Goliath story.  Seriously, this guy is a great story-teller- I can just imagine him on NPR or something listening to this.


I just recently had a bout with my MOSS search service.  After a couple faithful years of service our SSP got a tick and so we decided the best thing to do was rebuild it (pretty easy really, only a few BDC apps to port, etc...)  Unfortunately once everything was done we could not get the search service to crawl the "All Local Sites" content source.  Here were the symptoms:
  • Crawler Log indicated "Access Denied" when it tried to crawl the root of our intranet or mysites.
  • Crawling of the sps:// people content source was fine.
  • Content Access account had the proper policy (Read All), and actually even had rights to the site.  You could log in as that user and browse all around the site from another computer.
  • When a crawl was started (and thus ended very quickly with the one access denied log event) you could no longer open up the content source edit page in search administration (returned a .net "object not found" error).
  • If you cleared all indexed content, then you could get back into the content source edit page, so long as you didn't actually attempt a crawl.
  • Nothing else really significant in the windows logs (except a failure audit).
  • Trying to navigate to the intranet root from the server with the content access account returned a 403 error <--- WHOA... BIG RED FLAG / HINT HERE.

So after searching around (sorry I'd link the blogs here, but the search was quite far and wide and I didn't properly keep track) I discovered that in Windows Server 2003 SP1 they introduced this new feature called "Loopback Check Security Feature".  Essentially this means that any attempt by that machine to access an FQDN from the console (or apparently from services running on the box) will fail if it resolves back to itself.  I presume the little scriptkiddie hack goes something like this: 1) trick an admin into installing your worm, 2) modify the hosts file or proxy settings so that some official site, say Paypal or your HR payroll system for example, gets redirected back to a local hacked up version of the site, 3) continue with man-in-middle attack, except without the middle man....

Anyway, you may be wondering why FQDNs were involved here since SharePoint by default pops in http://servername as the default "All Local Sites" content source.  Well apparently we had changed the default access mapping for these sites a while back (typical) to their FQDNs.  When we went to recreate the new SSP it just picked these up and used them.

SO-- the solution can be found at this KB article.  Rather than turning off this loopback check (method 2) even though the scenario that it protects against seems pretty far fetched to me, I decided to use method 1, which worked great and didn't require a server reboot :)  I've reproduced it below:

Method 1: Specify host names

Note We recommend that you use this method.

To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. Type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
  7. Quit Registry Editor, and then restart the IISAdmin service.
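
Method 1 as a script, added here as an example (it is not from the KB article or the original post): it merges host names into BackConnectionHostNames without dropping existing entries, and warns if DisableLoopbackCheck, the value the KB's method 2 sets, is already turned on. The host names are constructed placeholders, and it assumes an elevated PowerShell prompt on the server.

```powershell
# Added example, not from the KB article. Run elevated.
$ErrorActionPreference = 'Stop'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey  = Join-Path $lsaKey 'MSV1_0'
$valName = 'BackConnectionHostNames'

# Constructed placeholders: use the FQDNs from your own access mappings.
$wanted = @('intranet.example.com', 'mysites.example.com')

# Accept only plain DNS host names (labels of letters, digits, hyphens).
$label   = '[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?'
$dnsName = '^(?=.{1,253}$)' + $label + '(\.' + $label + ')*$'
foreach ($n in $wanted) {
    if ($n -notmatch $dnsName) { throw "Not a valid host name: $n" }
}

# Keep whatever is already listed; re-running must not drop or duplicate entries.
$current = @()
$prop = Get-ItemProperty -Path $msvKey -Name $valName -ErrorAction SilentlyContinue
if ($prop) { $current = @($prop.$valName) }
$merged = @($current + $wanted | Where-Object { $_ } | Sort-Object -Unique)

# -Force overwrites an existing value; MultiString is REG_MULTI_SZ.
New-ItemProperty -Path $msvKey -Name $valName -PropertyType MultiString `
    -Value $merged -Force | Out-Null

# Method 2 in the KB disables the check globally; flag it if it is already set.
$lsa = Get-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck = 1: loopback check is off for all host names.'
}

# Step 7: restart IISAdmin, then bring back dependents that were running before.
$deps = Get-Service -Name IISAdmin -DependentServices |
    Where-Object { $_.Status -eq 'Running' }
Restart-Service -Name IISAdmin -Force
foreach ($svc in @($deps)) { Start-Service -Name $svc.Name }

"BackConnectionHostNames now: $($merged -join ', ')"
```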

And that dear friends concludes this edition of "why is search not working...today (there is hope!)"


Well as some of you may notice, I've replaced the blog comment system here on The Kick Board (which had been using a standard SP-Based List) with JS-Kit Echo (the free version at present). So far it seems to be working pretty well although I did have to play around with the order I'm loading and running scripts, but this is more just an issue with my crazy design than any other JS components.
 
Why?
 
Why did I do this? Well, there are a couple of reasons, the primary one is that I was tired of dealing with spam. Even though I was using Akismet with the CKS:EBE, it seemed that the spammers had found lots of ways around that. I considered going to an "authenticated only" comment system, but obviously to be effective I couldn't just make people sign up for my blog- so I would have had to use a third party identity provider. I actually got an open facebook widget working in sharepoint, but I wasn't really sure that many visitors to my website would bother auth'ing to FB just to leave a comment. For now I'm going to leave anonymous comments on for Echo and see how it goes, but if things get spammy, then I'll just require authentication-- luckily Echo supports auth'ing to 5 or 6 different open systems.
 
The secondary reason I really wanted to try Echo out is that it supports a lot of real-time social network connectivity (for example, it can show tweets about your post). This does require an upgrade to the paid version of the control (it's only $12/year), so as soon as I get the free version stable and working consistently then I'll do this. Really I'm using this as a proof of concept platform for an idea I have related to bringing social media content into the SharePoint collaboration space.
 
For more information about JS-Kit Echo go check out their site at http://js-kit.com and please give it a whirl here and leave me some comments so I can shake all the integration bugs out. Thanks!
 
[update 8/17 11:00PM]
Ok, I just couldn't resist... so I sprang for the Echo Live upgrade so I could test the social aggregation features.  Also I decided that I'm not going to try and port any of my old comments in-- sorry to everyone that commented here in the past, but I just don't know how I'd do it.
