Archive for July, 2011

Use A Records for SharePoint Sites When Using Kerberos

Posted on 12. Jul, 2011 by .


When choosing between a DNS A record and a DNS CNAME record for your SharePoint web applications, favor an A record, particularly if you are using Kerberos authentication. See the following TechNet article:

http://technet.microsoft.com/en-us/library/gg502606.aspx

Of particular interest in this article is the following passage:

Kerberos authentication and DNS CNAMEs

There is a known issue with some Kerberos clients (Internet Explorer 7 and 8 included) that attempt to authenticate with Kerberos enabled services that are configured to resolve using DNS CNAMEs instead of A Records. The root of the problem is the client does not correctly form the SPN in the TGS request by creating it using the host name (A Record) instead of the alias name (CNAME).

Example:

A Record: wfe01.contoso.com

CNAME: intranet.contoso.com (aliases wfe01.contoso.com)

If the client attempts to authenticate with http://intranet.contoso.com, the client does not correctly form the SPN and requests a Kerberos ticket for http/wfe01.contoso.com instead of http/intranet.contoso.com

Details regarding the issue can be found in the following articles:

http://support.microsoft.com/kb/911149/en-us

http://support.microsoft.com/kb/938305/en-us

To work around this issue, configure Kerberos enabled services using DNS A records instead of CNAME aliases. The hotfix mentioned in KB article will correct this issue for Internet Explorer but will not correct the issue for the .NET framework (which is used by Microsoft Office SharePoint Server for web service communication).

What my team and I experienced is that a customer had a customization which interfaced with Exchange. The browser authentication to the web application appeared to be working fine, but the double-hop to Exchange was failing with a 401 error. All SPNs appeared to be correct. We changed the DNS records from CNAME records to A records and the authentication began to work as expected.
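The mismatch described in the quoted passage, as an added example (not code from the TechNet article or from this post): the sketch follows CNAME records the way an affected client does and flags hosts where the SPN in the TGS request would differ from the SPN for the URL. The zone contents, the IP address, the `portal.contoso.com` host and the registered SPN set are constructed assumptions.

```python
# Added example. Zone contents, IP address and SPN set are constructed.
ZONE = {
    "wfe01.contoso.com": ("A", "10.0.0.11"),
    "intranet.contoso.com": ("CNAME", "wfe01.contoso.com"),
    "portal.contoso.com": ("A", "10.0.0.11"),
}
# SPNs assumed to be registered on the web application's service account.
REGISTERED_SPNS = {"http/intranet.contoso.com", "http/portal.contoso.com"}


def canonical_name(host, zone, max_hops=8):
    """Follow CNAME records until an A record is reached; return the chain."""
    chain = [host.lower().rstrip(".")]
    for _ in range(max_hops):
        record = zone.get(chain[-1])
        if record is None:
            raise LookupError(f"no record for {chain[-1]}")
        rtype, value = record
        if rtype == "A":
            return chain
        target = value.lower().rstrip(".")
        if target in chain:
            raise ValueError(f"CNAME loop at {target}")
        chain.append(target)
    raise ValueError(f"CNAME chain longer than {max_hops} hops")


def audit_host(host, zone=ZONE, registered=REGISTERED_SPNS, service="http"):
    """Compare the SPN for the URL host with the SPN an affected client requests."""
    chain = canonical_name(host, zone)
    registered = {spn.lower() for spn in registered}
    url_spn = f"{service}/{chain[0]}"
    client_spn = f"{service}/{chain[-1]}"  # built from the A record name
    return {
        "host": chain[0],
        "cname_chain": chain,
        "url_spn": url_spn,
        "client_spn": client_spn,
        "url_spn_registered": url_spn in registered,
        "client_spn_registered": client_spn in registered,
        "spn_mismatch": client_spn != url_spn,
    }


if __name__ == "__main__":
    for name in ("intranet.contoso.com", "portal.contoso.com"):
        r = audit_host(name)
        status = "MISMATCH" if r["spn_mismatch"] else "ok"
        print(f'{r["host"]}: URL SPN {r["url_spn"]}, client requests {r["client_spn"]} [{status}]')
```

A host reported as a mismatch is a candidate for replacing the CNAME with an A record, as the workaround above recommends.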


Couple "Gotchas" with Console Applications and SharePoint 2010

Posted on 12. Jul, 2011 by .


Wrote a console application today that synchronizes a SQL database with task information from a SharePoint farm as part of a task aggregation solution for a client. Came across two small “issues” with Visual Studio 2010/SharePoint 2010 and console applications. I am primarily writing this to remind myself later, but perhaps it will help someone else as well.

First “gotcha”: Make sure you set the target .NET Framework to 3.5. By default Visual Studio 2010 is going to select 4.0 and it will then do a bunch of complaining about not finding Microsoft.SharePoint.dll. Yes, the compiler will give a pretty detailed error which may or may not reference the fact that you need to target 3.5, but it had me scratching my head for a while so I figure it's worth capturing.

Second “gotcha”: You need to target the x64 platform. I was getting all kinds of crazy behavior when targeting x86. When I would try to create SPSite objects I would get “FileNotFound”. If I would try to use SPWebService.Locate I would get permissions issues. Switch the platform to x64 and everything started working like magic!

That’s it, hope this saves someone some time (preferably me on a later project ;-) ).
