Sunday 13 December 2009

ISA 2006, Forms, SharePoint 2007 Extranet and Client Integration

Anyone who has worked on SharePoint 2007 extranet project with ISA 2006 used as reverse proxy and to publish SharePoint Farm, knows about Client integration challenges…

When users try to edit a document, they are challenged and required to authenticate and even after a successful authentication, it is not possible to check the document back in to SharePoint.

This is because despite the existing session, office client initiate another session and ISA treats this as a new session.

The short answer to this problem is to configure a Persistent cookie on ISA web listener (Under Forms –> Advance)

clip_image001

BUT there are several security issues that are highlighted by MS and need to be considered:

  • A malicious attacker who obtains a persistent cookie may be able to perform a brute force attack to obtain user credentials from the cookie.
  • On a public computer, if the user does not log off, the session cookie can be used by the next user to access published sites. This threat can be mitigated by not enabling persistent cookies for public computers.
  • Spyware may be able to access the cookie.

The important point to consider here is that the client needs to be making the decision between Security and User experience / functionality

In a recent project I spent some times to identify few factors that the client needed to take into consideration when making this decision:

 

This is a public or shared computer

This is a private computer

Persistent cookie file on logout

Deleted

Not Deleted but user is required to authenticate (Domain name and user name are saved)

Persistent cookie file when user closes the browser

Not Deleted - Session is available before cookie timeout

Not Deleted - Session is available before cookie timeout

Temporary Internet Files

Enabling persistent cookie has no effect

Enabling persistent cookie has no effect

Temporary Draft Files

Enabling persistent cookie has no effect

Enabling persistent cookie has no effect

Ability to open documents on SharePoint within session time (browser closed)

Yes

Yes

FAQ:
Q) Is the cookie hashed e.g. using Hashed MACs (HMACs)?
A) Yes

Q) Are server tokens erased after session end?
A) Yes

Q) Is the cookie transmitted via SSL?
A) It is highly recommended

Q) Are Temporary Internet files deleted when session ends?
A) No, But this is not caused by the persistent cookie

Q) Are copy of the draft documents deleted if the user fail to check in / overwrite checkout?
A) No, But this is not caused by the persistent cookie

Q) are there any extra consideration when accessing the site though Kiosk Stations when using persistent cookies?
A) Yes the followings should be considered:

  • Do not select “This is a private computer”.
  • Perform logoff on published applications.

Additional consideration when accessing the site though Kiosk Stations (regardless of the usage of the persistent cookies):

  • Delete cookies after you finish using published applications.
  • Delete temporary Internet files.
  • Delete temporary files that Office created when working with Microsoft Office SharePoint® Portal Server.
  • Delete any files that were manually downloaded to the kiosk.
  • Close all browser windows.
  • Log off from Windows, if possible.

Windows 7: Boot from VHD

Recently I have been forced to look into available options to best utilise the amount of memory available on my laptop to be able to run SharePoint 2010 VMs. There are number of options available to do this, but I have tried to simplify this as much as possible to speed up the VHD file creation and imaging process.
1) Create a partition to store the VHD; optional (I had to do this since my primary partition is BitLocker encrypted)
2) Download the VHD tool box from http://cid-1dc3b1edb30aea44.skydrive.live.com/self.aspx/.Public/VHDToolBox.zip
This tool box includes:
  • WIM2VHD.wsf – WIM to VHD Converter
  • ImageX.exe 64-bit (32-bit available from http://depositfiles.com/files/4563922)
  • Bcdedit.exe- Command-line tool for managing BCD stores
  • intlcfg.exe - The International Settings and Configuration tool (Intlcfg.exe) is used to configure the language and locale settings in a Windows image
3) Copy the Install.Wim from the OS media to the VHDToolBox folder
4) Now you are ready to create your VHD. Start command prompt and navigate to the VHDToolBox folder and run the script:
There are a number of switches you will need to know:
/wim: specifies the path to the WIM file
/sku: OS version (ServerStandard, Ultimate etc…)
/vhd: specifies the path and the name of the VHD to be created
/size: specifies the size of the VHD in MB
/disktype: specifies the type of disk, Dynamic or Fixed
For example to create a Windows Server 2008 R2 Enterprise VHD on a 40GB Fixed disk we would use the following command:
cscript wim2vhd.wsf /wim: C:\VHDToolBox\install.wim /sku:SERVERENTERPRISE /vhd:F:\2K8_R2_SP2010_01.vhd /size:40960 /disktype:Dynamic/Fixed
Note: to find the sku you could run the following imagex command on your install.wim file:
Imagex /info “<install.wim location>”
5) Next you need to use bcdedit.exe to add an entry to the boot menu:
  • bcdedit /copy {current} /d "My New VHD Description" (This will Return the GUID of the Loader Object that you will use to replace <guid> below)
  • bcdedit /set <guid> device vhd=[driveletter:]\<directory>\<vhd filename>
  • bcdedit /set <guid> osdevice vhd=[driverletter:]\<directory>\<vhd filename>
  • bcdedit /set <guid> detecthal on
That’s it, enjoy