When software attacks!

Thoughts and musings on anything that comes to mind

SharePoint Search Gatherer Error 10032

We encountered a problem recently with a two server farm. One server was configured as index and query server. Both servers were delivering pages to users. If a user executed a search on the server which did not run the search services, the Search page returned an error, and we saw the following in the application log and SharePoint logs:

Event Type:    Error
Event Source:    Office Server Search
Event Category:    Gatherer
Event ID:    10032
Could not create a database session.
Context: Application '2bee214b-e0b9-413b-8d85-c71002287e99'
    The database connection string is not available.   (0xc0041228)

Application 2bee214b-e0b9-413b-8d85-c71002287e99: The parent farm application root doesn't exist or access denied. - File:d:\office\source\search\search\searchdll\resourcemanagerimpl.cpp Line:703
Application 2bee214b-e0b9-413b-8d85-c71002287e99: Database session creation error for resource type 0. - File:d:\office\source\search\search\searchdll\resourcemanagerimpl.cpp Line:555

After a great deal of investigation and assistance from the guys at Microsoft, we identified the fault. On the server which had no search services configured, we added the following registry keys, copied across from the server which was running index and query functions:

HKLM\SOFTWARE\Microsoft\Office Server\12.0\Search\Applications\<SEARCH APPLICATION GUID>\ResourceManager                              Data=Server=sqlserver;Database=MOSSWEB_MYSITE_SSP_SEARCH;Trusted_Connection=yes;App=Windows SharePoint Services;Timeout=15                              Server=sqlserver;Database=MOSSWEB_MYSITE_SSP_SERVICE;Trusted_Connection=yes;App=Windows SharePoint Services;Timeout=15

Where the Search Application GUID was the GUID from the error message, and the DB connection strings were copied over from the working server.

This resolved the problem, and now both servers deliver search results correctly.

I’m posting this here because I found only two possible leads in all my searching, neither of which detailed the fault. Hopefully, as always, this will help somebody else.

Kerberos for SharePoint on Server 2008 with IIS 7

UPDATE: Spence posted a great comment pointing out some issues with this post. Richard then restored our Community Server DB to a point in time before the post, so it’s been wiped. Post again, Spence, please, as I didn’t get chance to copy the text of the comment, I’m afraid.

I’ve not been doing so well with blog posts lately. I have more than one currently in process but unposted, and I just can’t seem to get the time to finish them – so apologies, CSW, for not getting the article I promised up yet, but I am working on it.

However, I needed to write up the work I did on our SharePoint at the end of last week, which I thought warranted being made available to a wider audience, so this a quick but hopefully helpful post.

Kerberos, Service Principal Names and Application Pool Identities

I’ve been migrating our SharePoint farm from Server 2003 to Server 2008, and because we now also use Microsoft CRM and a few other systems that require it, I’ve been configuring kerberos.

In theory, this should be simple: We always create service accounts in the AD for each web application to run as, so each of those accounts needs the correct SPN’s creating to match the web site.

For example, if our internal domain is mycorp.com and our SharePoint site is Portal running as the portalapp account, then I would register the SPNs of http/portal.mycorp.com and http/portal against the portalapp account using either adsiedit or setspn. I then make sure that the account is trusted for delegation, which I can do through the delegation tab in the account properties dialog in Active Directory Users and Computers. I also make sure that the servers running SharePoint are trusted for delegation to any service in the same way. UPDATE: Spence pointed out that this is completely unnecessary, see the comments, below.

Once I’ve done all that, I can enable Kerberos on the SharePoint web application through Central Administration. If you’ve never done that, the Authentication Providers option is in the Application Security section (usually the right hand column) in Application Management. Make sure you have the correct web application selected and choose the zone you want to configure (if you haven’t extended your web application, that’ll be default). In the Edit Authentication page, simply tick Integrated Windows Authentication and toggle the radio button beneath to Negotiate (Kerberos). Apply the changes, and we’re done.

Or so you’d think…

To be fair, with Server 2003, that should be it. With Server 2008, however, things just didn’t seem to be working properly for me. So I consulted the Oracle (on a side note, I’m trying a new Oracle lately…).

Kernel-mode authentication. Great idea, shame about the configuration

It turns out the IIS 7 has changed the way it deals with authentication, in that it now executes authentication-related processes in kernel mode for security and performance. That’s all well and good, but it also transpires that because of that, it uses the Local System account for this, and that’s where we hit a snag: I’ve created the SPN’s on the wrong account – I would need to create them on the machine account for the hosting server. Except that won’t work if we’re using more than one server in our farm to host the web applications, because I can only set the SPN against a single account.

It turns out that there is a solution to this. Frustratingly, however, it can’t be done through IIS Manager (or at least, I couldn’t see a way – perhaps Andy Westgarth and the IIS boys can help me here?). Once again we need to edit the applicationHost.config file, just like we did for the bindings, previously:

  1. Finding the right section for this can be tricky. You’re looking for the <location> section for your site, which then has a <system.webServer> section within it. I search on the site name (for example, our web site in IIS is SharePoint – Portal) because the line should look something like:
    <location path=”SharePoint – Portal”>
  2. Scroll down until you find the <security> section. In there you should see an <authentication> section and beneath that, <windowsAuthentication>. It will probably say:
    <windowsAuthentication enabled="true">
  3. Edit that line to read:
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">

You’ll need to do an IISReset after that, or at least I did.

Am I the only person that thinks this should be a setting in the GUI somewhere – it’s such a fundamental issue if you’re using any kind of farm-based system (such as SharePoint or CRM) that I can’t believe it’s so hidden.

UPDATE: Spence also pointed out that appcmd lets you configure this. I’ll post more when I’ve learned how to do it myself.

Appcmd syntax and a hotfix

After Spence posted his comments I did more digging. The syntax for appcmd to make the change I describe above is:
appcmd set config “SharePoint – Portal” /section:windowsAuthentication /useAppPoolCredentials:true /commmit:MACHINE/WEBROOT/APPHOST
where you need to replace the stuff in quotes with the name of your site. You can get a list using appcmd:
appcmd list site

I also found a note about a hotfix related to this issue. If you see your server suffering from blue screens after configuring kerberos (I haven’t… yet) then this might help.

Finally, Spence posted a link to a set of useful slides covering just this topic – thanks Spence, I bet those were three great sessions. Hopefully I’ve now corrected the errors you pointed out and this post is back to being helpful!

Places to eat on the South Bank in London

A set of conference posts wouldn’t be complete without a run down of the local culinary delights. We haven’t strayed far from the South Bank Centre for the past few days, but we’ve had a great variety of meals.

Wednesday night and Thursday lunchtime was Wagamamas. I love Wagamamas. There’s one in Leeds as well, and whilst Fuji Hero is perhaps more authentic, I just love the deserts at Wagamamas. I also have at least one of their recipe books, so I can try it at home! Busy though – we arrived just shy of seven in the evening of our arrival and the queue to get in didn’t really die down until after nine. The new teppanyaki soba is to be recommended.

Thursday night was Tapas at Las Iguanas – a latin-themed place. It was pretty good too, although if I’m honest I’ve had better tapas. It was really busy too – I guess that’s partly because it’s summer and the south bank is one of those places where people congregate, but be prepared to wait a while for a table.

Lunchtime today saw us in Ping Pong, a Dim Sum place down the stairs out back. That was great – a menu with loads of different dishes with helpful staff to walk you through ordering a range of really tasty dishes. We all thoroughly enjoyed it and I’d really recommend it as a slightly different experience, and great for lunch where you might not want a huge meal. I also thing it’s a great social experience, as you can all order a dish you like and get others to try it, with all the conversation that will provoke!

@media Day 2 - Afternoon

I hadn’t really thought about it before, but Andy Budd has a very similar presentation style to my own. He’s incredibly enthusiastic and passionate about what he’s speaking about, and he wanders around waving his arms in an extremely animated way. Snap!

The topic of usability testing is an important one. I always try to impress upon our clients the need to see how the systems we build for them are used and tweak and fix accordingly. Andy’s approach to low-budget, formative testing to identify and solve usability issues during development as part of an agile approach struck a chord with me. I think that it’s important to have a dialog with ‘average’ users (i.e. not involved directly with development and therefore too close to a project to notice the problems) and to feed back into the development process what you find and the pain points you identify. Far better to find and fix during development than to force your product to fail testing or, even worse, to hit issues during rollout that hinder adoption.

I really like Andy Budd – every time I come to @media he recognises me and says hi. He’s a guy who knows his stuff, but he takes time out for those around him, and he deserves your attention.

The last session before the Hot Topics panel was Robin Christopherson from AbilityNet. Every time I attend a session with Robin I learn as much from watching and listening to him present (in terms of how he does it) as I do from the content of his session. Robin is blind, and when things don’t go quite as expected on screen, he doesn’t always know. That gives a helpful insight for an able person as to the problems that impaired users might have. I now need to go to Opera Labs to investigate FingerTouch, which looks like a great improvement for my mobile browser of choice. It was also great to see examples of ARIA being used which was pretty inspiring.

@media Day 2 - Morning

It’s a muggy day today. With thunderstorms expected, the morning air was thick as we walked over to the South Bank Centre.

I found Douglas Crockford’s opening session thoughtful. It wasn’t what I was expecting – I had anticipated a focus more on methodologies and approaches to improving quality. instead, it was an interesting and sometimes humorous examination as to why quality in software is such a difficult area, with an informative walk through the history of software thrown in.

Many of the things Douglas covered were topics we take very seriously at Black Marble: The problems described were ones we face and do our best to avoid through our practices every day.

Whilst I got a great deal out of the talk, I was a little disappointed that it didn’t really address the question of how we ensure quality in web development when projects include coders and designers, markup and code, and the very different ways of thinking inherent in the creative processes for each.

After the coffee break came Chris Wilson and a talk that wandered around the web as a platform and some of the issues in play. One statistic I found very interesting was taken from the deployment data for IE6 to IE7 upgrade versus Firefox upgrades. It took around 18 months to convert half of the IE6 userbase to IE7. By contrast, Firefox takes around two months to convert half it’s userbase to a new versino. That’s a powerful illustration of the differing kinds of user that make up the predominant force for each browser, and the kind of organisational inertia which affects the development and progression of Internet Explorer much more than competitive browsers.

Chris also gave some interesting insight into the legal quagmire surrounding font embedding on the web, following on in topical fashion from Mark Boulton’s empassioned delivery yesterday.

Last up before lunch was the indomitable Molly Holzschlag. Ultimately, she was also joined on stage by ‘HTML5’ in a cowboy suit (don’t ask). It was interesting because I admit to not having had time to pay attention to HTML5 at all, and it sounds like a bit of a bun fight, to be honest. Yet more technologies to look at and learn… As usual, Molly’s enthusiastic delivery was infectious. I’m sure she must do a great job as an evangelist for Opera.

Joining in the background noise: I am now on Twitter

One of the reasons I enjoy conferences like @media is that I can be persuaded to change my mind on things. After a persuasive argument from Nick I’ve decided to alter my stance on twitter and give it a go for a while.

A few others recently have suggested that I should sign up to the microblogging system even if I didn’t plan to use it, just to make sure I got the nickname I wanted and nobody else could use it. I’ve never really bought into that kind of approach, and sometimes I wonder if that is as key an indicator as to the lack of importance I have personally come to place in social networking tools. I’m old enough that my first instinct if I want to socialise is to pick up the phone and arrange a pint with a mate.

At significant part of that change in stance is due to a realisation that twitter provides an intriguing way for me to keep in touch with people like Nick in a way which doesn’t demand a response in the way that IM certainly does and email ought to. Twitter simply gives a commentary on Nick’s life as he decides to tell it and I can respond if I want to.

Exactly what I will tweet, I don’t know. Inanity in all it’s forms frustrates me, so I won’t be keying in anything that pops into my head at any time. However, there’s no point deciding to try something and not then using it. That means I’m likely to post either useful nuggets about the technologies I deal with, or my thoughts on bigger issues.

A timely example of this came overnight with the domination of the news by the death of Michael Jackson. Twitter was being used this morning as an interesting barometer of the public response to the news: 15% of all tweets since the news have been about Jackson’s death. Apparently the previous high for a major event was 5%. I find that interesting from two angles: Firstly, that the twittering masses take such an interest in the event and more interestingly how the data is presented as an indicator of general interest.

In an effort to put some heart into my use of twitter I also downloaded a trial of Twikini. My first impressions are favorable, and I' may well post more on that later.

For now, if you want to find me on twitter, look for @rikhepworth and my usual cartoon head and shoulders mugshot.

@media 2009 Day 1 - Afternoon

Not providing lunch at the conference was perhaps a bit of a double edged sword. On the one hand, Wagamamas is just so close (mmm… chicken katsu curry); on the other hand, lots of people were nodding off in the warmth of the first session.

Which is a great shame, because Dan Rubin is a really good speaker (and singer, as it happens). His session was all about reflecting the real world in our user interfaces in order to make them much more usable. It was also about taking real items and using them in designs (such as real textures from scanned objects) because of the much better emotive affect that has with our users. It was pretty inspiring, even though at the end of the day everything he talked about should be common sense.

And then… Mark Boulton. Wow! There’s a man who’s passionate about his specialism, and his specialism is typography. Even though it wasn’t a technical session I learned bucket loads of stuff during his session which talked around the area of, whilst not dipping into the how-to of embedding type with web pages in those browsers which support it. A very key point he raised had not occurred to me: to work successfully in the web environment, fonts must have more glyphs in them to cover multi-language issues, and must have lots of hinting information in them to work at varying sizes on the screen. The upshot of those needs is a big font, and that raises issues of download time, potentially rendering content in a default typeface then re-rendering when the embedded one loads and lots of other questions which I personally think underline the technology as being very young. I’m very interested to see how that all develops and I’m certain that Mark will be a big voice in the forthcoming discussions.

Now we’re outside, enjoying the sun and, ironically, cooling off a little – it was quite warm in the Purcell Rooms. It’s hot out here too, but there’s a lovely cool breeze.

One of the things about blogging is that you can’t see the lovely cut scene. Imagine a fade to black. Our hero attends the final session. Fade back for the finale.

Jason Santa Maria does some really compelling work. He delivered a very eloquent session about approaching design, using grids, finding inspiration in lots of things, sketching through ideas and finally typography. It was a really good session for me.

Which is interesting, because I seem to have said that about all the sessions. I think there’s a great deal of mileage in the idea of a small conference with carefully picked presenters who deliver content which is all about areas of thought in an industry or subject area., Huge conferences mean you are pulled between different sessions in multiple tracks. I really like the simplicity of the small, one track conference where thought has been put in to the content and how it flows. that’s @media and that’s why I like it.

@media 2009 Day 1 - Morning

It’s good to see familiar faces once again here at @media. This year’s conference is around the same size as the first one in 2005 and it has a strangely familial feeling. Nick’s here as a volunteer ‘@mediator’ so he was manning the desk as we registered.

A note at this point about the conference swag: aside from the very nice T-shirt, which strangely matches my normal style (Andy often refers to me as ‘Mister Taupe’), the conference bag is excellent! Made from coconut fibre, it hits all the marks for eco-friendliness, but it’s a very practical, messenger-style durable bag, and perfect for my Dell Mini, upon the keyboard of which I currently type. A bag I shall no doubt use a great deal in the future – no doubt the original aim. The whole look and feel of the conference this year is really good – sophisticated and earthy.


Andy Clarke opened the conference with a rousing session about changing working practices in the design process. It was interesting, because it reminded me of the more agile approach we take to software development. I also love the feel of Andy’s sessions – they have a very distinctive visual style and draw on lots of things I remember from my youth.

Simon Collinson followed with a great discussion of how his agency approach creative projects and some of the tools they use. I found it interesting that he disliked sprints so much, but on reflection, the creative process of web design is perhaps less naturally iterative than the software development projects for which we use Scrum. A few simple things struck me with the old ‘why didn’t I think of that’ and some elements that I can achieve for better interaction with our customers through innovative repurposing of existing tools that we already have and use.

Taking us up to lunch was Jon Hicks. I really got a lot out of his session. Whilst icon design is not something I do much, it was interesting to see the thought processes and hear about some of the pitfalls when icons don’t have the universal meaning you as a designer think they do.

So far then, really good. I love the fact that this year has the same small, friendly feel of the very first @media. May it long continue.

See you at @media09? Tickets are still available

Lauren and I set off for London later to today. It’s @media time again and I’ve been looking forward to this for a while. As usual Patrick Griffiths has lined up a fantastic group of really inspirational speakers and, whilst smaller in the light of the current climate, I have no doubts that it will be useful.

I’ve been to every @media since it started and I’ve always had a great time. If you have the time, I’d urge you to make this year the sell-out it’s been in the past!

Speaking at VBUG Newcastle in July

Andy Westgarth and the guys at VBUG Newcastle very kindly invited me to speak about and demo some of what I consider to be key features in Windows 7 and Server 2008. If you read the blog and would like to see what I really look like, are interested in the topic of the talk or interested in VBUG in general, come along!

The venue is Newcastle University (a campus I’ve never visited before so I’m quite looking forward to that). For more information Andy has details on the VBUG site. In order to make sure the event doesn’t wither through lack of interest, please register yours on the VBUG site. To copy some of it here, however:

Topic: Key features in Windows 7 and Server 2008 R2
Key features in Windows 7 and Server 2008 R2. A look at the new features in Microsoft’s upcoming operating systems that will really make a difference to how we work. The session will a broad overview of new features with demos of the cooler ones to add an element of risk to proceedings. Come along if you want to learn more about technologies such as BranchCache, DirectAccess, Virtual XP Mode and more.

Location: Room 118, Claremont Tower, Newcastle University, Newcastle-upon-Tyne, NE1 7RU, GB

Price: FREE