Sunday, February 24, 2008

WSS 3.0 Extranets on SBS 2003 - Solved with Extranet Collaboration Toolkit for SharePoint

I never really bothered with SharePoint until WSS 3.0/MOSS 2007 came out and then got overwhelmed with the sheer size and complexity of the architecture.

Once I managed to get a handle on it, I found it to be an exceptionally powerful package with some very nifty features.

I was excited when I saw SharePoint had the concept of different zones for the same content with the ability to use different authentication providers for each zone. Thus began my quest to find an existing package or template that provided user registration and management for Extranet users for a SharePoint site.

After a few false turns I ended up settling on SharePoint Custom Forms Authentication Feature (SCFAF). The setup wasn't intuitive nor was it simple - especially when I had to quickly hack up a simple .aspx page to add the initial user management user to the ASP.NET membership database.

It worked, but there were a few rough edges, particularly in the area of Extranet user administration and self-service. This was still acceptable for the purposes for which it was to be used.

Further development seemed to have stalled on SCFAF and I had resigned myself to wait for a release of CKS:IEE (Community Kit for SharePoint: Intranet/Extranet Edition). Then out of the blue - well at least for me - came the Extranet Collaboration Toolkit for SharePoint Beta. On paper, this rocked! It provided the exact feature set I was after for this type of tool. The big downside for me was that the Beta didn't work out of the box on SBS 2003 - a real pain, as most of the WSS 3.0 sites I look after are on SBS 2003 boxes.

I ended up having to perform a manual install (detail here) and hack a DLL to modify the hard-coded LDAPS port so that I could get the ECTS components to talk to the ADAM instance on the SBS box. Side note: I find it quicker to respond to other people's blogs than write my own, hence the blog comment link!

I logged this "bug" on the Microsoft Connect site, but the bug was essentially closed, with "feature as designed" as an excuse.

I didn't give up however. I asked Susan Bradley to help make some noise about it and I managed to find this blog entry by someone in Microsoft who sounded like they were working on this project. This "someone" turned out to be Bill Canning - Project Manager for ECTS!

I e-mailed Bill to let him know how I managed to hack my way around the hard-coded LDAPS port (not as simple as it sounds, as I had to re-sign the DLL and then do some PE header stripping to get the DLL into the GAC).

Bill's response was that this wasn't on his team's radar for their release goals, but that they would be releasing the code on CodePlex so I could rebuild the DLL that way.

Four days later I had another e-mail from Bill to tell me that the feature I'd requested (removing the hard-coded LDAPS port from a component DLL and requesting an LDAPS port for the ADAM instance) had now been implemented and to await the final release.

I pinged Bill last week regarding the release of ECTS as it had been a month since the feature went in. Bill very kindly provided me with a pre-release so I could confirm its operation on SBS 2003. It went smoothly! I've provided some feedback on the documentation and I'm currently happy with the operation of ECTS on SBS 2003. The release will happen Real Soon Now(tm).

My final comments are that if you need an Extranet solution based on Windows SharePoint Services, then you need to at least review Extranet Collaboration Toolkit for SharePoint - especially for use on SBS.

The second point is: don't take no for an answer. If you've got a good idea for a feature request and you believe it should be there, be persistent and argue your position in multiple forums. Also demonstrate that you're prepared to do the hard yards to help get the feature working. Bill can correct me if I'm wrong, but I believe my persistence is what helped to get ECTS running on SBS 2003.

14 comments:

John Smith said...

Thank you! I've just upgraded side-by-side our nonprofit's SBS 2003 to have WSS 3.0 on there and we need an extranet solution for our board committees (which are populated by both elected volunteers as well as non-elected community members). So, we need secure access through the firewall but want those groups to stay out of the rest of the domain resources. Will you let me know when they release ECTS for SBS 2003? Thanks! J Smith (I'm the volunteer board chair).

Chris Knight said...

Hi John,

ECTS has been released and can be downloaded here.

Don't forget to look at the Application Templates for WSS 3.0 to help develop your Extranet solution.

Also be advised that you need SBS CALs for the Extranet users. See Chad Gross's blog post for more details.

Pete said...

Hi,

I've looked at ECTS and it's what I need, but I am struggling with the documentation. Is there any documentation specific to SBS 2003? If not, could you point out the areas that are "difficult" for SBS, e.g. ADAM (do I need to download and install this, any implications?), certificates (how do I generate this on SBS), and anything else a dumb admin needs to know. (No chance of trying this out, I only have 1 server and it's obviously live.)

Pete

Chris Knight said...

Hi Pete,

Yes, you'll need to download and install ADAM.

There isn't any specific documentation for SBS 2003. You basically need an ADAM instance installed, using a different LDAP and SSL port than the default (I use 8389 and 8636 respectively).

The ECTS install then uses this instance and ports to store the Extranet users in.

WSS needs to be set up according to the ECTS documentation. I run the internal zone site as HTTP only and make the external zone site run with HTTP and HTTPS access. You may need to add an extra local IP to the internal network interface and have the external zone use this IP.

Your firewall then needs to be configured to forward port 443 to the internal IP used for the external zone site.

I'd recommend obtaining a certificate from someone like GoDaddy or GeoTrust to install on the external zone site. You can use SelfSSL as part of the IIS Resource Kit Tools, but you then need to install this into the certificate store.

I do have plans to put up a blog post with a walk-through for setting this up on SBS, but the death of my father and the arrival of baby girl #2 in the space of a month has left me short on time for the moment.
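The comment above boils down to three things that have to be right before ECTS will talk to ADAM on an SBS 2003 box: the instance must listen on non-default ports (the domain controller already owns 389 and 636), the LDAPS port must present a certificate, and the box must trust that certificate. The script below is an added example for checking those three points; it is not part of the original post or comments and is not ECTS code. It uses the ports from the comment (8389 and 8636), assumes a host name of sbs.example.local, and assumes PowerShell 2.0 or later so that script blocks can be cast to .NET delegates.

```powershell
# Added example, not part of the original post or of ECTS: sanity-check an ADAM
# instance on an SBS 2003 box before pointing ECTS at it. Ports are the ones
# from the comment above (8389 LDAP, 8636 LDAPS); the host name is an assumption.
# Requires PowerShell 2.0 or later (try/catch and script-block delegates).
param(
    [string]$AdamHost  = "sbs.example.local",   # assumption: the SBS box's FQDN
    [int]   $LdapPort  = 8389,
    [int]   $LdapsPort = 8636
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($ComputerName, $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

function Get-LdapsCertificate {
    # Complete a TLS handshake on the LDAPS port and return the server
    # certificate, accepting any chain so the caller can inspect it itself.
    param([string]$ComputerName, [int]$Port)
    $client    = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

function Test-LdapsBind {
    # Anonymous LDAPS bind with the default certificate validation left ON.
    # If Get-LdapsCertificate could reach the listener but this fails, the box
    # does not trust the chain or the name does not match: what a SelfSSL
    # certificate that was never imported into the certificate store looks like.
    param([string]$ComputerName, [int]$Port)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ComputerName, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    try     { $conn.Bind(); return $true }
    catch   { Write-Warning ("LDAPS bind to {0}:{1} failed: {2}" -f $ComputerName, $Port, $_.Exception.Message); return $false }
    finally { $conn.Dispose() }
}

# On an SBS box 636 belongs to the domain controller's own LDAPS listener, which
# is why ADAM has to use another port and why a component that assumed the
# default LDAPS port could never reach it.
$report = New-Object PSObject -Property @{
    DcLdapsOn636   = Test-TcpPort $AdamHost 636
    AdamLdapOpen   = Test-TcpPort $AdamHost $LdapPort
    AdamLdapsOpen  = Test-TcpPort $AdamHost $LdapsPort
    CertSubject    = $null
    CertExpires    = $null
    CertNameMatch  = $false
    CertChainTrust = $false
    LdapsBindOk    = $false
}

if ($report.AdamLdapsOpen) {
    $cert = Get-LdapsCertificate $AdamHost $LdapsPort
    $report.CertSubject    = $cert.Subject
    $report.CertExpires    = $cert.NotAfter
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $report.CertNameMatch  = ($dnsName -ieq $AdamHost)     # ECTS connects by this name
    $report.CertChainTrust = $cert.Verify()                # chains to a root this machine trusts?
    $report.LdapsBindOk    = Test-LdapsBind $AdamHost $LdapsPort
}

$report
```

Run it from the SBS box (or any domain member) with the same host name you intend to give the ECTS installer. AdamLdapOpen and AdamLdapsOpen should be true; CertNameMatch false means the certificate was issued to a different name than the one ECTS will connect with; CertChainTrust false with a SelfSSL certificate means it has not been imported into the Trusted Root store yet, and LdapsBindOk will stay false until it is.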

Pete said...

Hi Chris,

Congratulations on your new arrival and commiserations on the passing away of your father.

Thanks for the info, it was most helpful and I'll look forward to your next installment in this saga.

Pete

Shawn Gleason said...

Chris,

Have you ever created the detailed walkthrough for installation on SBS 2003 Premium?

Shawn Gleason said...

Chris,

Did you ever assemble any documentation to deploy the ECTS on SBS 2003 with ISA 2004 ?

Thanks !

Shawn

Chris Knight said...

Hi Shawn,

I have baseline documentation for the installation I did on my own SBS 2003 Premium installation. It's text-only and requires some deciphering.

There are a number of challenges to face when running ECTS on SBS 2003.

The first is that you really need additional IPs added to run a secure (HTTPS) site so that content search and search results don't break. The problem is that if you load up the internal NIC with the additional IP, you then need to perform some IIS virtual server binding changes to not listen on this additional IP and some of the network configuration wizards stop working.

The second challenge is that you need SBS 2003 CALs for every external user, as they are considered to be authenticated users accessing SBS resources.

The third challenge is that it's a non-trivial configuration and places additional memory pressure on an already overburdened installation.

My recommendation would be to use a hosted SharePoint provider. This outsources complexity, keeps the SBS CAL count down and can provide you with an offsite copy of SharePoint data if you replicate your SharePoint data between the hosted install and the SBS install.

Shawn Gleason said...

Thanks much for the information Chris. I have a client who is set on running everything from the SBS install. What are your thoughts on leveraging SBS 2008 for external sharepoint?

Thanks,

Shawn

Chris Knight said...

Hi Shawn,

SBS 2008 is a better platform as the 4GB memory constraint is no longer present.

Note that ECTS is primarily useful in separating out the external user accounts from your SBS Active Directory, as well as assisting with external user creation and self-service. If there's no problem with domain accounts being used on the external site, then you can use the SBS Wizards for account creation and then move the new account into a separate OU for easier management.

In either case you run into the problem that you need additional IPs on the SBS box if you want to run an external secure site. It's preferable to attach these additional addresses to the loopback interface. This can break the wizards and put you into a potentially unsupported scenario.

Hmm, just thinking out loud - it might be possible to use Application Request Routing and URL Rewrite modules in IIS7 to provision the external site underneath the RWW URL. This would modify the SBS Web Applications web.config file, but might be OK.

Again, any external users will consume an SBS CAL. Important, especially if your internal + external user count exceeds 75 users.

Shawn Gleason said...

Chris,

Here is a link to a thread I have going with Phillip (http://blog.mpecsinc.ca/2008/07/sbs-quick-companyweb-internet-access.html)

What are your thoughts in regards to this method?

Thanks,

Shawn

Chris Knight said...

Hi Shawn,

Leveraging SharePoint via RWW is a far simpler process and will meet most of your external collaboration requirements.

There are two scenarios where it won't suffice, and that is if you want end-user self-subscription and password management, or if your external users have corporate firewalls and are unable to provide access to port 987. In both cases you would need to look at alternate options. The first is addressed by something like ECTS and the second is addressed by using something like Application Request Routing + URL Rewrite or ISA Server.

Anonymous said...

ECTS database problem-

I have WSS 3.0 installed and have installed the July 2009 version of ECTS. The site is working as expected, but when adding external users through SharePoint, they seem to be added after I approve them, but the external user never sees the Forms Based Logon page (just the regular Windows Login window) nor do I see their info in the ECTS database within SQL. It is like the user doesn't exist in the ECTS db and therefore will never be able to login.

Chris Knight said...

Hi Anonymous,

Sounds like the membership provider hasn't been added to the external site for FBA to work.

Check the ADAM instance to see if the user has been created there. You should see the user in ECTS and the user in one of the tables in the SQL db, but I can't remember which table. It's been a while since I've set up any of the ECTS deployments so I don't have anything to add off the top of my head. The documentation provided with ECTS was pretty good, so if you followed that you should have a working system. Have a look in the Event Logs to see if any errors are being generated there.