Avviso: A Content Publishing Framework for SharePoint 2010

words and pictures logo

Last week was really exciting for me and my colleagues here at Black Marble as the work we’ve been doing with a partner came to fruition. Words and Pictures are a communications agency based not far from us, and we’ve been working together on a great product that builds upon SharePoint 2010 to greatly improve content publishing.

I’ll come to the product in a little while, but I’d like to talk about how we created it first, as it’s a great example of how working together within the Microsoft space can help companies build upon their strengths and overcome their weaknesses.

A tale of two specialisms

I first encountered Words and Pictures at one of a series of events Black Marble ran to explain the Microsoft offerings that exist in the creative space, targeted at design and creative agencies. In the event we talked about a range of technologies, including Silverlight, web technologies and SharePoint, and how creative agencies could use those technologies to deliver the kind of vibrant material their clients were looking for. It was a good example of the evangelism we spend a fair amount of our time engaged in, and it was an interesting way for us to explore how we might use our technical skills to fill the gaps experienced by creative agencies.

Black Marble are, as I’m sure you know as readers of the blogs on this site, technical specialist. We are extremely good at delivering solutions to business problems by tailoring or even creating IT systems to meet our customers’ needs.

Words and Pictures have turned out to be a kind of creative analogue of Black Marble. They are a well respected organisation that specialise in delivering great services for businesses centred around communications. Be it for an internal or external audience, Words and Pictures write, design and deliver a range of communication channels for their customers. Historically, this had been predominantly printed content of one form or another, but in today’s fast changing world their customers are starting to shift to digital delivery.

A meeting of minds; clarity of vision

Words and Pictures got in touch with us directly because they thought that SharePoint 2010 might be a good content delivery platform for them to focus on as their customers shifted towards digital delivery. They had already had feedback from the organisations they supported that SharePoint was becoming an almost ubiquitous system across the panoply of Words and Pictures’ customers. This awareness, couple with the demonstrations we had given at our design event around what SharePoint could do for content publishing, had led them to believe that SharePoint was the right choice. Now they had lots of questions about whether it would do what they wanted.

In situations like this, where a client believes SharePoint is the right choice but is unsure how to proceed with implementation, I like to run a Vision Workshop with them. The idea is that we forget they ever mentioned SharePoint and instead talk about what they do as a business – their operations, problems, aims and aspirations. I can then reflect that back at them, matching SharePoint’s capabilities to their needs in the short, medium and long term.

The workshop at Words and Pictures was an eye-opener for me!

I arrived at their very nice offices in a very nice part of Yorkshire and found myself in a room with the biggest whiteboard I’d ever seen. Over the course of the day, that whiteboard was filled, erased and re-filled with ideas, drawings and diagrams to illustrate the ideas, concepts and desire that Words and Pictures had. During that day a small number of very passionate specialists in journalism and content creation emptied their collective experience onto the wall and as I took more and more notes and thought more and more about how SharePoint might help, I became more and more convinced that something great could come out of this.

A panoply of features

The vision workshop threw up a huge amount of information about how Words and Pictures needed to create, manage and publish digital content in the same manner as they currently managed their printed content. We quickly realised that if we extended SharePoint to match these needs, the solution we created would be useful to more than simply Words and Pictures. As we talked it through the idea of a content publishing framework that would sit on top of and extend the capabilities of SharePoint was born. Such a framework would bring SharePoint’s publishing model more in line with the processes used by both an agency like Words and Pictures and the Internal Communications teams within their client organisations. It could also greatly improve the services Black Marble were increasingly finding ourselves working on for customers in both intranet and external web publishing scenarios.

A product is born

avviso logo

Working closely together, building on all of our expertise, Words and Pictures and Black Marble have created Avviso. It was launched last week at events at Black Marble’s offices and Microsoft’s London offices. I was really enthused by the reception we received from the audience at both events. Avviso was met with a great deal of interest and enthusiasm which really made the development journey worthwhile.

Words and Pictures came up with the name. For those who are curious:
An Avviso was a hand-written newsletter used to convey political, military, and economic news quickly and efficiently throughout Europe, and more specifically Italy, during the early modern era (1500-1700). In the beginning avvisi were very similar to letters written from one dignitary to another, but diverged from such letters in the sixteenth century with more standardized practices.

I think it’s a great name. It’s both catchy and memorable, whilst at the same time meaningful and relevant to what the product does.

So what does it do?

Avviso contains a wealth of extensions to the SharePoint platform that enables better creation of rich, impactful published content: Crisp template-based pages as well as the ability to produce unique, vibrant designs; the ability to create features and article series; better categorisation and aggregation of content; richer content management for published pages. Importantly, we’ve only begun to tackle the list of ideas that came out of that original vision workshop, so there is a solid roadmap for new features that will be delivered through regular version updates.

I’m not going to detail features here. There is a product website at avvisosharepoint.co.uk and if you want to know more, get in touch with us. We have more events planned for the new year, both in the north and south of the UK so we can offer you a chance to see it in the flesh.

Here are some examples of the kind of pages Avviso can help you build, using some sample content from Words and Pictures.

riverhomepageAn intranet home page with aggregated content and rich multimedia.

flintfocus
An article with bespoke design applied

futurefeature
A feature splash page, with links to articles in the feature

challengearticle
An article built using a standard template

The London launch

The London launch event was at the Microsoft offices in Cardinal Place. Andy Holt, Creative Director of Words and Pictures, and myself were the presenters, ably assisted by Jon Eland, also from Words and Pictures. It was a great room and it was good to see so many enthusiastic attendees. We were lucky that it didn’t snow until the evening! Words and Pictures had designed some great bags and pamphlets for the guests and Black Marble made sure that chocolates were close at hand!

I really enjoy presenting with Andy. We have a similar dynamic to how Andy Dawson and I present at Black Marble events, but at the same time our differing backgrounds of creativity and technology allow us to bounce off each other and really explain how Avviso works and what we’re trying to deliver.

jonprepandypresentavvisobags

Lessons learned

I’ve learned a great deal from my experiences during the conception and creation of Avviso. I think one of the most important things has been to reinforce my thoughts about approaching SharePoint solutions. By ignoring SharePoint and focusing on what Words and Pictures needed as an organisation in terms of their process we were able to generate a rich wish-list of functionality that could then be matched against existing SharePoint features and inform what we would need to develop from scratch. The things that Words and Pictures described added so much to my understanding of the needs of content publishing that I can help other customers deliver better intranets, extranets and internet sites (hopefully using Avviso!).

  • Ignore the technology. Talk about process, business needs, problems and goals.
  • Teach and learn. Understand each other’s specialism and explain domain terminology.
  • Concentrate on your area of expertise. Don’t try to second-guess each other’s approach to a problem.
  • Draw lots of pictures and diagrams. Write lots of notes.
  • Relationships are important. Build the team with individuals who can work well together. Time invested in getting to know each other is time well spent.

Fixing SharePoint 2007 IIS WAMREG DCOM 10016 activation errors on Server 2008 R2

Anybody who works will SharePoint will grumble if you mention DCOM activation permissions. No matter how hard we try, how many patches we install (or how hard we try to ignore it), granting activation and launch permissions to the SharePoint service accounts is like plugging a dike with water-soluble filler.

On Server 2008  R2 our job is made that much harder by the fact that, by default, even administrators can’t edit the security settings for the IIS WAMREG service (GUID {61738644-F196-11D0-9953-00C04FD919C1}, for when you see it in your application event log).

The fix is to change the default permissions on a registry key, which you can only do by taking ownership of the key. My only comment would be that those permissions were locked down for a good reason in Server 2008 R2 and it’s somewhat frustrating that we need to do this.

Anyway, the key you are looking for is:

HKEY_CLASSES_ROOT\AppID\{61738644-F196-11D0-9953-00C04FD919C1}

To change the ownership you need to click the Advanced button in the Permissions tab of the properties dialog, then select the Owner tab. I’d recommend changing the owner to the Administrators group rather than a specific user, and make sure the permissions for TrustedInstaller are the same after you finished as they were before you started.

Once done, you can edit the DCOM permissions for the IIS WAMREG service in the same way as on other versions of Server 2008.

SharePoint Search Gatherer Error 10032

We encountered a problem recently with a two server farm. One server was configured as index and query server. Both servers were delivering pages to users. If a user executed a search on the server which did not run the search services, the Search page returned an error, and we saw the following in the application log and SharePoint logs:

Event Type:    Error
Event Source:    Office Server Search
Event Category:    Gatherer
Event ID:    10032
Description:
Could not create a database session.
Context: Application '2bee214b-e0b9-413b-8d85-c71002287e99'
Details:
    The database connection string is not available.   (0xc0041228)

Application 2bee214b-e0b9-413b-8d85-c71002287e99: The parent farm application root doesn't exist or access denied. - File:d:\office\source\search\search\searchdll\resourcemanagerimpl.cpp Line:703
Application 2bee214b-e0b9-413b-8d85-c71002287e99: Database session creation error for resource type 0. - File:d:\office\source\search\search\searchdll\resourcemanagerimpl.cpp Line:555

After a great deal of investigation and assistance from the guys at Microsoft, we identified the fault. On the server which had no search services configured, we added the following registry keys, copied across from the server which was running index and query functions:

HKLM\SOFTWARE\Microsoft\Office Server\12.0\Search\Applications\<SEARCH APPLICATION GUID>\ResourceManager                              Data=Server=sqlserver;Database=MOSSWEB_MYSITE_SSP_SEARCH;Trusted_Connection=yes;App=Windows SharePoint Services;Timeout=15                              Server=sqlserver;Database=MOSSWEB_MYSITE_SSP_SERVICE;Trusted_Connection=yes;App=Windows SharePoint Services;Timeout=15

Where the Search Application GUID was the GUID from the error message, and the DB connection strings were copied over from the working server.

This resolved the problem, and now both servers deliver search results correctly.

I’m posting this here because I found only two possible leads in all my searching, neither of which detailed the fault. Hopefully, as always, this will help somebody else.

Kerberos for SharePoint on Server 2008 with IIS 7

UPDATE: Spence posted a great comment pointing out some issues with this post. Richard then restored our Community Server DB to a point in time before the post, so it’s been wiped. Post again, Spence, please, as I didn’t get chance to copy the text of the comment, I’m afraid.

I’ve not been doing so well with blog posts lately. I have more than one currently in process but unposted, and I just can’t seem to get the time to finish them – so apologies, CSW, for not getting the article I promised up yet, but I am working on it.

However, I needed to write up the work I did on our SharePoint at the end of last week, which I thought warranted being made available to a wider audience, so this a quick but hopefully helpful post.

Kerberos, Service Principal Names and Application Pool Identities

I’ve been migrating our SharePoint farm from Server 2003 to Server 2008, and because we now also use Microsoft CRM and a few other systems that require it, I’ve been configuring kerberos.

In theory, this should be simple: We always create service accounts in the AD for each web application to run as, so each of those accounts needs the correct SPN’s creating to match the web site.

For example, if our internal domain is mycorp.com and our SharePoint site is Portal running as the portalapp account, then I would register the SPNs of http/portal.mycorp.com and http/portal against the portalapp account using either adsiedit or setspn. I then make sure that the account is trusted for delegation, which I can do through the delegation tab in the account properties dialog in Active Directory Users and Computers. I also make sure that the servers running SharePoint are trusted for delegation to any service in the same way. UPDATE: Spence pointed out that this is completely unnecessary, see the comments, below.

Once I’ve done all that, I can enable Kerberos on the SharePoint web application through Central Administration. If you’ve never done that, the Authentication Providers option is in the Application Security section (usually the right hand column) in Application Management. Make sure you have the correct web application selected and choose the zone you want to configure (if you haven’t extended your web application, that’ll be default). In the Edit Authentication page, simply tick Integrated Windows Authentication and toggle the radio button beneath to Negotiate (Kerberos). Apply the changes, and we’re done.

Or so you’d think…

To be fair, with Server 2003, that should be it. With Server 2008, however, things just didn’t seem to be working properly for me. So I consulted the Oracle (on a side note, I’m trying a new Oracle lately…).

Kernel-mode authentication. Great idea, shame about the configuration

It turns out the IIS 7 has changed the way it deals with authentication, in that it now executes authentication-related processes in kernel mode for security and performance. That’s all well and good, but it also transpires that because of that, it uses the Local System account for this, and that’s where we hit a snag: I’ve created the SPN’s on the wrong account – I would need to create them on the machine account for the hosting server. Except that won’t work if we’re using more than one server in our farm to host the web applications, because I can only set the SPN against a single account.

It turns out that there is a solution to this. Frustratingly, however, it can’t be done through IIS Manager (or at least, I couldn’t see a way – perhaps Andy Westgarth and the IIS boys can help me here?). Once again we need to edit the applicationHost.config file, just like we did for the bindings, previously:

  1. Finding the right section for this can be tricky. You’re looking for the <location> section for your site, which then has a <system.webServer> section within it. I search on the site name (for example, our web site in IIS is SharePoint – Portal) because the line should look something like:
    <location path=”SharePoint – Portal”>
  2. Scroll down until you find the <security> section. In there you should see an <authentication> section and beneath that, <windowsAuthentication>. It will probably say:
    <windowsAuthentication enabled="true">
  3. Edit that line to read:
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">

You’ll need to do an IISReset after that, or at least I did.

Am I the only person that thinks this should be a setting in the GUI somewhere – it’s such a fundamental issue if you’re using any kind of farm-based system (such as SharePoint or CRM) that I can’t believe it’s so hidden.

UPDATE: Spence also pointed out that appcmd lets you configure this. I’ll post more when I’ve learned how to do it myself.

Appcmd syntax and a hotfix

After Spence posted his comments I did more digging. The syntax for appcmd to make the change I describe above is:
appcmd set config “SharePoint – Portal” /section:windowsAuthentication /useAppPoolCredentials:true /commmit:MACHINE/WEBROOT/APPHOST
where you need to replace the stuff in quotes with the name of your site. You can get a list using appcmd:
appcmd list site

I also found a note about a hotfix related to this issue. If you see your server suffering from blue screens after configuring kerberos (I haven’t… yet) then this might help.

Finally, Spence posted a link to a set of useful slides covering just this topic – thanks Spence, I bet those were three great sessions. Hopefully I’ve now corrected the errors you pointed out and this post is back to being helpful!

Configuring IIS Bindings to include host headers with https on Windows Server 2008 (for SharePoint)

NOTE: We use a wildcard SSL certificate which makes our life much easier when dealing with multiple hostnames. I have not tested this approach with multiple SSL certificates for specific sites.

We’ve been reconfiguring our SharePoint 2007 farm over the past couple of days and it’s now hosted on Windows Server 2008 and using NLB (network load balancing). The load balancer has been configured with a single public IP address and all our previous DNS CNAME registrations have been replaced with hostname A registrations pointing at the address. With our previous configuration we had multiple IP addresses on the server, one for each web application. Each IIS web site was then configured with a host header and ip address to allow for secure traffic over HTTPS.

With our new configuration, I didn’t want to specify an IP address on the web site. Handily, IIS 7 makes that scenario possible (and even relatively straightforward). The only snag is that you can’t configure the necessary bindings through the IIS Manager GUI. You can do it through an xml config file, however:

  1. Look in c:\windows\system32\inetsrv\config and edit the applicationHost.config file. Make sure you take a backup first!
  2. Find the <sites> section in the file. In there you will find a <site> element for each IIS web site. Each of those has a <bindings> element with each port/protocol binding listed. Our main site looked like this:
    <bindings>
    <binding protocol=”https” bindingInformation=”*:443:” />
    </bindings>

    and we changed it to look like this:
    <bindings>
    <binding protocol=”https” bindingInformation=”*:443:myhost.mydomain.com” />
    </bindings>
  3. Repeat for each web application. If you have more than one web application on the same IP address using either http or https you need to configure a host header or you’ll have problems.
  4. Execute an iisreset.

We now have all our content web applications, the SSP and the central administration web sites all running on a single IP address, many on the same port and using SSL.

As I said at the start of this post, we use a wildcard certificate which makes my initial IIS configuration easier. I haven’t tried multiple certificates, and I’m interested to know if that works or not.

Incoming Email with SharePoint on Windows Server 2008

I’ve been meaning to write this up for a while, simply because it’s not quite as straightforward as with Server 2005.

To configure incoming email on SharePoint when running on Server 2008 you’ll need to run through the following steps:

  1. Install the SMTP feature
    Open Server Manager. Click on Features in the left hand column then click add features in the right hand pane. Tick the SMTP Server check box and click install.
  2. Configure the SMTP Service in IIS Manager (version 7)
    Start Internet Information Services (IIS) Manager from Administration tools in the Start Menu. Once open, click the name of the web server to bring up the options in the centre panel. In the centre panel, right-click SMTP E-mail and select Open Feature from the menu.
    Click the option to ‘store e-mail in pickup directory’ and set the path to be c:\inetpub\mailroot\Drop (that’s the default).
  3. Configure the SMTP Service in ISS Manager (version 7)
    Start Internet Information Services (IIS) 6.0 Manager from Administration tools in the Start Menu. Expand the server to show the SMTP service. In the ‘domains’ section, add any email domain aliases you need in there. Configure the other SMTP service settings just like you did with Server 2005.

SharePoint Service Pack 2 Pains

I finally bit the bullet and decided to upgrade our SharePoint farm yesterday. I’d been holding off for a while because of time constraints and because of a known issue with Project Server, also part of our farm.

I took careful steps to increment the farm from the SP1+Infrastructure update all the way through each CU up until the service pack. That all worked fine. It was when I tried SP2 I hit problems.

The first issue was that once I’d installed the WSS patch, the Sp2 patch refused to install. Rebooting the server then caused chaos as all my services complained that the SharePoint DB was the wrong version (too old, because I hadn’t run the config wizard yet).

Andy and I spent a long time poking the server yesterday, and spent time building virtual machines to take over the farm as well. We finally knocked it on the head just shy of midnight and left the server in the state it was, trying to start the upgrade installer.

When I got in this morning, the upgrade had installed. I’m guessing that the problems we were seeing were related to services starting and needing time to fail, and we simply hadn’t given them enough time to fail (mind you, the paranoid disk integrity check took a while…)

Much happier, I started the upgrade wizard. Which promptly failed. The logs showed the following:

[WebApplicationSequence] [ERROR] [5/27/2009 7:48:09 AM]: Action 12.0.4.0 of Microsoft.SharePoint.Portal.Upgrade.WebApplicationSequence failed.
[WebApplicationSequence] [ERROR] [5/27/2009 7:48:09 AM]: Feature '20477d83-8bdb-414e-964b-080637f7d99b' is not installed in this farm, and can not be added to this scope.
[WebApplicationSequence] [ERROR] [5/27/2009 7:48:09 AM]:    at Microsoft.SharePoint.SPFeatureCollection.AddInternal(Guid featureId, SPFeaturePropertyCollection properties, Boolean force, Boolean fMarkOnly)
   at Microsoft.SharePoint.SPFeatureCollection.Add(Guid featureId, Boolean force)
   at Microsoft.SharePoint.Portal.Upgrade.ActivatePublisingTimerJobsWebAppFeature.Upgrade()
   at Microsoft.SharePoint.Upgrade.SPActionSequence.Upgrade()
[ActivatePublisingTimerJobsWebAppFeature] [12.0.4.0] [DEBUG] [5/27/2009 7:48:09 AM]: Begin Rollback()
[ActivatePublisingTimerJobsWebAppFeature] [12.0.4.0] [DEBUG] [5/27/2009 7:48:09 AM]: End Rollback()
[ActivatePublisingTimerJobsWebAppFeature] [12.0.4.0] [DEBUG] [5/27/2009 7:48:09 AM]: Begin Dispose()
[ActivatePublisingTimerJobsWebAppFeature] [12.0.4.0] [DEBUG] [5/27/2009 7:48:09 AM]: End Dispose()
[ActivatePublisingTimerJobsWebAppFeature] [12.0.4.0] [DEBUG] [5/27/2009 7:48:09 AM]: Elapsed time: 00:00:00.0312496.

A quick dig with our old friend google turned up a couple of similar posts from Jukka on Moss and MySharePointofView so I had a look at the 12 hive and to my surprise found that there was no folder for the PublishingTimerJobs feature. I copied it from one of the new servers, already patched to SP2 and ran the command:

stsadm –o installfeature –name PublishingTimerJobs

That succeeded. I then followed with the old favourite:

psconfig –cmd upgrade –inplace b2b –force

That upgrade has just completed. No project-related errors, just success, so I add my experience to the collective.

SharePoint 2007: Following Adobe Instructions Can Cause Problems

Having just spent a long time examining the state of a new farm we’ve been working on for demonstrations, I would like to issue a warning…

The Problem: None of the ‘New…’ menu items in our document libraries would work – we were seeing the error message:

‘Edit Document’ requires a Windows SharePoint Services-compatible application and Microsoft Internet Explorer 6.0 or greater.

The Solution: Correcting an error in the docicon.xml file which lives in c:\program files\common files\microsoft shared\web server extensions\12\TEMPLATE\XML

The Cause: Adobe’s documentation for installation of the 64-bit iFilter. We copied and pasted the line from the documentation (yeah, I know, our mistake…) which reads:

<Mapping Key="pdf" Value="pdf.gif">

Note the lack of the trailing slash, as required by XML the world over. The line should read:

<Mapping Key="pdf" Value="pdf.gif" />

With some luck this will help others – I spent a long time searching the internet to no avail.

Workflow and SQL Error: Part 3

As you may remember from my earlier post and subsequent follow-up, we have been seeing an issue related to workflows and the Workflow History list in SharePoint 2007. As I’ve already mentioned, the case is with Microsoft and I also said that I would post updates as new information arrived. Today, more detail has emerged and, as promised, I am sharing.

Whilst replicating the fault today we were having trouble – one of us had a SharePoint install that failed every time and the other had one which would not fail at all. Whilst looking at possible differences we realised that the failing site was a publishing site and the non-failing site was a team site.

After some testing, I can now report that the fault I have described only occurs when the SharePoint Publishing site feature is enabled (note, the site feature, not the SharePoint Publishing Infrastructure site collection feature). If you’re not using a publishing site you have nothing to worry about from the problem we see.

Unable to access My Tasks in Project Web Access

Sometime ago we noticed an issue with My Tasks in Project Server. Certain users were unable to access My Tasks at all – they simply got a SharePoint error page.

A little jiggery-pokery with callstack and custom errors later, we saw that the error referenced a GUID for a task. I then searched the Project Server Publishing DB for the task GUID and subsequently located the project to which it belonged. If I edited the project in MS Project and updated the server, removing the task assignment from the user, they could access my tasks.

For anyone who has a similar problem, here are the SQL queries you need:

select * from dbo.MSP_TASKS where TASK_UID='<Task GUID>'

select * from dbo.MSP_PROJECTS where PROJ_UID='<Project GUID>'

Most odd. So I logged a call with our friends in Microsoft Support.

It’s been parked for a while, but I received an email from support today advising me that the Infrastructure updates would help. Funnily enough, I’d already installed them (we keep our SharePoint farm as fully patched as we can), so that was almost all the way there.

Finally, they provided a short SQL script to run against the Publishing DB. This would identify any tasks that were orphaned and correct the issue. Luckily, we had none!

SELECT MP.PROJ_NAME, MAS.PROJ_UID, MAS.TASK_NAME,
MAS.TASK_UID, MR.RES_NAME, MAS.RES_UID,MAS.ASSN_UID
FROM MSP_ASSIGNMENTS_SAVED AS MAS
INNER JOIN MSP_PROJECTS AS MP        
ON MAS.PROJ_UID=MP.PROJ_UID
INNER JOIN MSP_RESOURCES as MR
ON MAS.RES_UID=MR.RES_UID
WHERE TASK_UID NOT IN(SELECT TASK_UID
FROM MSP_TASKS_SAVED)

When I experienced the problem there were no hits in my old friend Google so hopefully this will help somebody, somewhere.

Here are the links to the infrastructure updates for completeness. Remember to read the docs carefully on installing these babies!

Infrastructure Update for Windows SharePoint Services 3.0 (KB951695)

Infrastructure Update for Windows SharePoint Services 3.0 (KB951695), 64-bit edition

Infrastructure Update for Microsoft Office Servers (KB951297)

Infrastructure Update for Microsoft Office Servers (KB951297), 64-bit edition

Infrastructure Update for Project 2007 (KB951547) – English