I recently retired my MacBook Pro for a swanky new Dell Precision M6500 “covet”. The MBP has treated me well for the last few years but as a SharePoint person the machine (or indeed the new ones) aren’t up to scratch spec wise. I needed a new mobile rig with 16GB RAM. I’ve lots of other requirements as well. In the end it came down to the Dell versus the Lenovo, which had broadly similar specs. I won’t go into all the details of why I chose the Dell, but that’s the one I went for. I got the so called “covet” model with top of the line everything, including a rather silly orange coloured case.
That “top of the line” included a FIPS touch fingerprint reader. Everything worked great out of the box except this guy. And it’s been a complete saga to get it sorted, mainly due to Dell support being a complete and utter farce.
They came and replaced the reader itself which is part of the hinge cover (a really retarded place to have a fingerprint reader), the motherboard, the daughterboard (actually a USH hub) to which the reader is attached. No joy. Dopey support peeps tried all the software and driver reinstalls. No joy. Basically the thing wasn’t being detected. Device Manager showed “ControlPoint Device w/o Fingerprint reader”, the w/o bit meaning without. Lots of times people told me to activate the TPM, which of course has absolutely nothing to do with the fingerprint reader. They also suggested that I enrol fingerprints, which of course is impossible if the reader isn’t present. At one stage the Dell guy told me to try with Windows 32bit! Right, like that’s useful on a machine with 16GB. These guys also did things like uninstall my driver for the SD card slot, like that is gonna have any impact whatsoever! It was real funny watching these people point and click with no clue.
Anyways, whilst Dell were doing their best to annoy me, an old friend who works there got things moving with an escalation. I was also checking out all the other Dell users with similar problems. Tons of them on forums and such, there are even three ideawaves on the Dell site about this area. This is a massive fault area for the Dells. So I wasn’t confident it could be fixed.
The engineer comes back today and replaces a cable which connects the reader to the daughterboard and hey presto – the bad boy shows up in device manager as “ControlPoint Device w Touch Fingerprint Reader”.
Basically the cable is crap, and the unit ships from the factory faulty. The cable is attached to the wrong side of the reader and then wraps around the monitor side of the hinge and back towards the board. That’s retarded, one of the stupidest engineering things I've seen in a while. The old cable was just a joke, twisted and creased. The engineer took special care to put the new one in correctly and without stressing it. He wasn’t exactly impressed with the whole thing either.
So the driver is recognised by Windows, great. But the next thing is the software. Dell don’t use the Windows BioAPI, but then sadly not many manufacturers do. They use a piece of crap called ControlPoint Security Manager and an even worse third party tool from Wave Systems which is responsible for enrolment and so on.
ControlPoint wasn’t recognising the reader. So I went ahead and got the latest firmware revision from Dell’s super speedy FTP site (FTP seriously WTF!!!!). Interestingly enough, the firmware “update” is actually a lesser version than the one on the device in the first place. Bounce the machine and here we go, ControlPoint sees the reader, and I can go ahead and enrol. The firmware update by the way will also re-enable the no touch smart card reader. If you are interested in FIPS compliance you need to disable that bad boy. They may be used in your local hospital, but they are not compliant.
So I’m now cooking with gas, right? Well not quite. As I mentioned before the Dells don’t use Eikon’s software. The device itself is made by UPEK, but unlike any other manufacturer they don’t use the excellent UPEK Protector Suite. Wave, bandits that they are, don’t support all their features on 64bit. So the only things the reader is good for on 64bit are Windows Logon (GINA) and system security (BIOS, Drives, Startup etc). Now of course these are the important pieces, the other side of things (web pages, outlook etc) is a convenience feature. But still not supporting 64bit here is LAMER. They say it’s not a common need and there are no plans to support 64bit in the future. Which is total bullshit. They don’t seem to realise that before long all new machines will ship with a 64bit OS install as default.
So can you run the UPEK software anyways? Well, you can, but it won’t work with the UPEK reader! It’s all because of the idiot ControlPoint. You cannot use the built in reader for web pages and so on on a 64bit box, simple as that. I’m actually not that concerned. I use a smart card. But it’s so daft of Dell to not use UPEK, which works fine and is the market leader, and it’s similarly pathetic of Wave to not step up and get into the 2000s by having 64bit support. Shame on both of them.
You may be wondering why I am posting about this saga. Well, there’s lots of people with similar issues, and the answers are:
- replace the faulty cable which ships from the factory broken
- “update” the firmware
- if you need FIPS disable the contactless smart card reader
- remember that Wave is a POS and doesn’t fully work on 64bit
Hopefully this will help someone else, if you want my Dell support case number to slap the first line support, drop me a comment with your email.
Am I happy with the Dell? Yes – it’s an awesome machine and the reasons for choosing it over the Lenovo are justified. I’m not a zealot here like many others, it’s a work machine. It’s one kick ass laptop. Will I buy another Dell in the future? Unlikely, the support experience and the way the so called business account managers have dealt with me have been downright rude and unprofessional.
Having said that, the 2nd level support guys and the engineer who has now visited me three times were excellent. First rate in terms of professionalism and approach. It all makes me wonder that if my mate hadn’t escalated things how long I would have been waiting for the thing to be fixed. Cheers Campbell!
Lastly, you may also be wondering why I care so much about a fingerprint reader. Well firstly it’s part of the thing I paid for, so it should work. Secondly, it’s actually pretty important in terms of securing my machine. It’s a misconception that a fingerprint reader is just a convenience thing. Some customers of mine mandate this amongst other security devices. Not saying that is right or wrong, but it is the way it is.
In closing, Dell need to sort their life out. Not going to happen, I know, but they are shipping a machine that is faulty out of the factory in this configuration. Buyer beware.
I’m honoured once again to be speaking at the Best Practices Conference, which is taking place in Washington D.C. August 24th thru 27th. The Best Practices Conference is easily the best non Microsoft SharePoint event, and the speaker line up is excellent. If you are implementing SharePoint 2010, you don’t want to miss this show.
This year, I’m leading up the Keynote: What the Masters think About SharePoint 2010, which will feature five fellow MCMs all of whom do not work for Microsoft.
I will also be presenting the following breakouts, all with updated new content specifically for this conference:
Multi Tenancy in SharePoint 2010
SharePoint 2010 delivers compelling new infrastructure features for those wishing to host multiple customers on a shared platform whilst retaining confidentiality, integrity and availability. This session will cover how multi-tenancy can benefit all sizes of deployment from a basic farm to the largest such as SharePoint Online. Learn how to approach the design of a multi-tenant deployment and to configure and operate multi-tenant infrastructure, create Member Sites, Subscriptions, Feature Packs, and Service Application Partitions. Related features such as Host Named Site Collections and Claims Identity will also be covered. This session will be split 50/50 between lecture and demonstrations.
Implementing Multilingual Solutions with SharePoint 2010
Multilingual solutions present significant design and implementation challenges for SharePoint practitioners both on the Intranet and the Internet and thankfully SharePoint 2010 delivers some significant improvements in this space. See the new Multilingual User Interface (MUI) feature in action across SharePoint Sites and Metadata. Learn how to approach designing support for content translation within SharePoint Server. The improvements to the core Variations engine and the new end user focused features will be covered along with design guidance and advice for supplementing Variations with custom code. This session will be split 60/40 between demonstrations and lecture.
Rational Guide to implementing User Profile Synchronization
Get the real deal on configuring User Profile Synchronisation in SharePoint 2010 in this demo and best practices heavy session. This session will cover the architecture of the new User Profile Synchronization capability in SharePoint Server 2010 and provide a walkthrough of the configuration requirements and setup eccentricities. This session will be split 70/30 between demonstrations and lecture.
I will also be at the Architecture Ask the Experts session.
It promises to be a lot of fun, I am looking forward to the trip to D.C. and catching up with some old friends and hopefully meeting new ones. You can register for the conference here.
I’m giving away a one year Visual Studio 2010 Ultimate with MSDN subscription. It’s worth quite a lot of money, but more importantly you get all the software you could possibly want to help you build your solutions.
The contest is very simple. Just suggest a topic for a future article here.
The rules are:
- Open only to non Microsoft Employees and non MVPs
- You must post your suggestion here using a comment. No email, no Twitter, no Facebook, no nothing apart from comments here.
- The suggestion cannot be any of the following (as these are already in the hopper):
  - multi-tenant
  - my service apps part two article on topology
  - least privilege
  - Kerberos
  - Claims authentication
- My decision is final
- I will pick the winner based on the “interestingness” of the suggestion, how much is covered out there already (and how well it is covered) and what scope there is for proper coverage
- It must be about SharePoint 2010, but it could be dev, IT, end user, certification, anything is fair game, apart from….
- You can suggest licensing, but I'll give you a tip, I won’t choose that one

The winner will be announced here in about three weeks’ time. Good luck.
It’s been a bit quiet here recently, one of the reasons for that is I recently attended the first rotation of the Microsoft Certified Master for SharePoint 2010. A number of people have requested that I post my thoughts on this and address some common questions about the certification.
Before I get started, I must include another Thrilleresque disclaimer. I am part of the team that produced the MCM for SharePoint 2010. I am an instructor and content owner for six modules. Therefore I have an obvious vested interest in the program. However, this doesn’t change the fact that I look at the program as an independent, with a non Microsoft view, both in terms of what I post here, but also my ongoing feedback on the program to the rest of the team. This I hope means you won’t discount my opinions completely, but that’s of course, up to you.
Secondly, I can’t and won’t post personal details of candidates without their consent nor details of the exams. That would be breaking all manner of agreements, but more importantly it would be really very silly.
OK, so with that out of the way let’s cover some basics. The first rotation was an upgrade rotation, this was attended by 22 (yup, count em) candidates, all of whom were MCMs for 2007. We had a very good mix of people from Microsoft and Partners, and from across the world. I knew all of the candidates either from work, or the 2007 rotation I attended or those I taught subsequently. It was great to meet again for the first time some of my R2 cohorts. Whilst it was a big class, it was a very good group. An Upgrade will always be very different because of this familiarity amongst the students. A number of instructors were also students in this rotation, which for me was a very interesting experience – the pressure of teaching at this level is considerable even if it doesn't show, and adding to that the actual work you have to do as a student made for a very demanding time.
The upgrade rotation was over two weeks. This is shortened from a full rotation, but it still includes the majority of the material and hands on exercises. Time is certainly compressed in an upgrade rotation, and I know that some found this difficult, but it is simply the nature of the beast. The upgrade rotation also includes written exams (which were split up into “mini” exams over the two weeks), and on the final day an all day qualification lab (aka the reckoning!) more on that later.
One of the most common questions I get is, “isn’t it too early to have a MCM for SharePoint 2010?”. There is some obvious merit to this question; for example, there are many things we simply just don’t know yet about such a new product, especially with regards to enterprise deployment and “best practices”. However, my answer to that question is a categorical “NO!”. It’s not too early. We need the MCM, the field needs it and one could argue how can you ship the product without it. One of the biggest investments with the 2010 release has been the vastly improved field readiness, and MCM is part of that investment.
The material of course needs work. It always does, especially with a product like SharePoint. The MCM team is firmly committed to continually improving the material. Of course some areas were more refined than others, and as a team we have been working on revs for the first full rotation which starts on Monday next week. Another thing to note is that many areas remain constant from the 2007 MCM, just as valid and in some cases even more important. Many of the lessons from the 2007 rotations have been applied in the production of the 2010 MCM. Of course some areas are totally new, and the level of these was impressive so soon after the RTM of the product. There can be no student who didn’t learn a lot of stuff during this rotation. It’s that simple.
Will things change over the shelf life of the product? Absolutely, where they need to they will. As was the case with the 2007 MCM.
Another thing to bear in mind is just how vast the additions to the product are this time around. MOSS was a monster, SPS is another scale of feature explosion altogether. How we deal with this going forward will be interesting, but the key thing here is that it is terribly important that you have extensive experience with the product before the MCM.
Just like my R2 experience the human dynamics are pretty interesting, especially with such a diverse group. As I mentioned this being an upgrade changed things considerably, and overall it was a very enjoyable experience, if exhausting and demanding.
Which brings us to the Qualification Lab. An all day hands on exam where you prove your chops with the product as opposed to on paper. Wow! To state this was “hard” would be rather silly. The 2010 qual lab is a definite step up, and is a rigorous test of your ability hands on with the product in a pressure situation. Whilst I wasn’t too keen on it immediately afterwards :), on reflection I have to say this is probably the best thing about the entire certification. This is a real exam.
The thing that impressed me most about the overall thing is how well it was run. There were of course a number of things that need improvement, and there were the usual problems during the two weeks. Overall this being the first rotation things went very well, and we are in a great position for the upcoming full rotations. Many of the problems were on the logistical side (aka the little things). These are terribly important of course and the feedback from the 22 candidates is being used to improve things going forward. I was nervous before it started about how well things may or may not go, and I think it’s fair to say it was a success.
If you are serious about validating your skills with SharePoint 2010, the MCM is still the way to do it – literally miles ahead (no pun intended) of anything else. It’s definitely harder than the 2007 MCM, and that’s a good thing.
One of the other common questions I get of course is, “did you pass?”. This is interesting, whilst I did pass the MCM exam and the lab, right now I am not an MCM for 2010. Nobody is. Just like with 2007, in order to be certified one must pass all four of the regular SharePoint exams and as these are only just out of beta (next week) no one is currently an MCM. I’ve actually two of these still to do, so assuming I don’t flunk those… :) Fingers crossed.
The first full (non upgrade) rotation starts next week, and it will be another fun experience to be out in Redmond teaching some of the best of the best SharePoint talent. It will certainly be much more fun to just teach and not have to be a student at the same time!
Hopefully this post gives you some impression of the 2010 MCM. I may post more in the future, but I think I will return to the overflowing “hopper” of technical posts I have waiting for publication first!
In the first part of my Rational Guide to Multi Tenancy with SharePoint 2010 article, I walked through the problem space and discussed the features of SharePoint 2010 that enable multi tenant environments. This can be seen as the “overview” (or perhaps “marketing” :)). As promised this is part two, the idea of which is to walk through how to set it all up along with some general recommendations.
Now, as much as I wanted to post this as a single article, it’s just too big. There’s too much to discuss and there’s way too much script. I’m not a fan of downloadable documents for this stuff. I am now doing this as a longer series of articles. Hopefully this makes it more easily consumable.
The articles are (links will be added as they come on line):
- Feature and Capability Overview
- Planning your Deployment
- Example Scenario and what Multi Tenancy brings to the party
- Configuring the base Infrastructure
- Configuring Partitioned Service Applications
- Provisioning Tenants
- Testing the Functionality
Since the release of SharePoint 2010, one of the most common questions I get is “what is the best way to get up and running to be able to play around”. Microsoft of course offer a pre-canned VM which is an excellent resource for partners for sales purposes. But if you are a little more technical, you probably want to set it up yourself. Here is THE GUIDE for doing this, hot off the press from the folks at Critical Path:
***NOW AVAILABLE*** Create your own SharePoint Server 2010 RTM Virtual Machine - The Complete Guide
Enjoy!
Since I published my article, Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization, I’ve been deluged with email on the topic. All good, it shows me that I chose the right content to post, and that the content has relevance.
However one key aspect keeps coming up over and over again both in these emails and on IM etc. Lots of people after attempting to provision the UPS Service from Services on Server, need to reboot the server before the service is provisioned correctly.
If you are running the UPS Service instance on the machine hosting Central Administration, you MUST do an IISRESET. Even if you aren’t, I would recommend this step. As a friend of mine, Todd Carter says, “you can never have enough IISRESETs with SharePoint”.
However, this doesn’t explain the restart requirement. Well, it’s not a requirement. And the answer is very simple. It’s also a fundamental concept of Windows Security which isn’t well enough understood by SharePoint people.
In my article I describe the rights required for the Farm Account (which is the account we must use to run the UPS service instance). The Farm Account must have:
- Log on Locally on the machine running UPS
- Local Administrator on the machine running UPS during provisioning only (this doesn't give the first in all cases)
But what I fail to mention, because it should be inherent, is that once you change the rights of a user account in Windows, you must log off and log back on for those changes to take effect.
Now, the Farm Account is logged on to the box – it’s running the app pool for Central Admin and the Timer Service at the very least. So to ensure the changes take effect, processes that use the account must be stopped and restarted.
The easiest way to do this and guarantee the rights will be applied, is to reboot the box.
So you should reboot the machine after you set up the permissions, but before you create the Service Application and attempt to provision the Service Instance. If you do this the provisioning won’t get “stuck”. If you don’t you will need to restart the machine before provisioning can complete successfully.
Simple, and a basic tenant (no pun intended) of Windows Security.
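To see which processes are still running on the Farm Account's old logon without rebooting blind, the check below lists that account's processes and flags the ones started before the rights change. It is an added example, not code from the original article; the function name, the account `CONTOSO\spfarm` and the change time are placeholder assumptions.

```powershell
# Added example (not from the original article).
# Lists processes owned by the Farm Account and flags those started before the
# account's rights were changed. Following the explanation above, those
# processes still run under the logon they had before the change and must be
# stopped and restarted (or the box rebooted) before the new rights apply.
# Run from an elevated prompt so the owners of other users' processes are readable.

function Get-StaleFarmAccountProcess {
    param(
        [Parameter(Mandatory = $true)][string]   $Account,          # DOMAIN\user
        [Parameter(Mandatory = $true)][datetime] $RightsChangedAt,  # when rights were edited
        [string] $ComputerName = $env:COMPUTERNAME
    )

    $domain, $user = $Account -split '\\', 2
    if (-not $user) { throw "Account must be in DOMAIN\user form: $Account" }

    Get-WmiObject -Class Win32_Process -ComputerName $ComputerName |
        ForEach-Object {
            $owner = $_.GetOwner()
            # Non-zero ReturnValue means the owner could not be read (e.g. access denied)
            if ($owner.ReturnValue -ne 0) { return }
            # String comparison in PowerShell is case-insensitive by default
            if ($owner.User -ne $user -or $owner.Domain -ne $domain) { return }

            $started = $_.ConvertToDateTime($_.CreationDate)
            New-Object PSObject -Property @{
                ProcessId    = $_.ProcessId
                Name         = $_.Name
                Started      = $started
                NeedsRestart = ($started -lt $RightsChangedAt)
            }
        }
}

# Placeholder values (assumptions): substitute your own Farm Account and the
# time at which you granted it Local Administrator / Log on Locally.
Get-StaleFarmAccountProcess -Account 'CONTOSO\spfarm' -RightsChangedAt '2010-06-01 14:30' |
    Sort-Object Started |
    Format-Table ProcessId, Name, Started, NeedsRestart -AutoSize
```

Any row with NeedsRestart set to True (typically the Central Admin w3wp.exe and OWSTIMER.EXE) predates the change.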
This second article in my Rational Guide series focuses on the capabilities in SharePoint 2010 which enable the delivery of hosting environments. Hosting is finally a first class citizen in SharePoint 2010, however there isn’t a great deal of material out there on this subject. This article will:
- walk through the problem space
- discuss the features of SharePoint 2010 that enable multi-tenant environments
- provide a step by step guide to setting it all up
- give general recommendations for those looking to deliver hosting platforms based on SharePoint 2010
For those who attended my breakout session on multi-tenancy at the SharePoint Evolution conference in London during April, this article can be used as its companion.
Rational Guide to Multi Tenancy with SharePoint 2010
PowerShell for SharePoint 2010 rocks. No, really it does. You hate it at first, but then it’s all pure goodness. But boy, does the UI SUCK! Crap for productivity, crap for demos, just about crap for anything other than lame jokes about old skool shell scripting.
Sure, there are funky PowerShell GUIs out there, but they appear to cost money. The good news is Windows ships with its own IDE. This thing is called an ISE – pray, how much do marketing people get paid?
Anyway – that’s what I’ve been using for all my demos to show the PowerShell stuff that I do. Better than a command prompt. Trouble is this bad boy doesn’t load the SharePoint cmdlets, so you have to do that before working with SharePoint.
The good news is you can add the guff necessary to load the DLL in a PowerShell ISE profile. It’s a very basic thing, but you may find it useful. To set it up, use the following PowerShell. This one is a user profile, you can change this to be a machine wide one if you wish (refer to this article).
```powershell
# creates a local user PowerShell ISE profile
if (!(Test-Path $profile)) {
    New-Item -Type File -Path $profile -Force
}
# opens it for edit
psEdit $profile
# copy the following into the new file and save it
cd 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\CONFIG\POWERSHELL\Registration'
.\SharePoint.ps1
cd \
# now every time you run PowerShell ISE as the same user, it will load the SP cmdlets automatically on start up
```
Happy ISEing!
Yalls may be playing around with Service Application Federation with SharePoint 2010 with the shiny new SharePoint Server 2010 bits. This federation is also called publishing and consuming service applications, but as I’m spending a lot of my time of late in PowerPoint, I’m using the buzzword for the time being.
However, with the RTM bits there is a fundamental missing piece that is not currently documented on TechNet.
Of course you need to exchange and install the necessary certificates as detailed here. However in order to make it work the consuming farm must have permissions to the publishing farm’s Topology service app, otherwise it will fail with the following error:
“Unable to connect to the specified address. Verify the URL you entered and contact the service administrator for more details.”
In your ULS logs you will see the following slightly more helpful detail:
An exception occurred when calling SPTopologyWebServiceApplicationProxy.EnumerateSharedServiceApplications on service https://SERVERNAME:32844/Topology/topology.svc : System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.
To grant the permissions necessary, on the consumer farm, run the following PowerShell:
```powershell
(Get-SPFarm).Id
```
Copy the output (a GUID of course!). On the publishing farm run the following PowerShell – replacing <farmid> with the GUID from above:
```powershell
# read the current permissions on the publishing farm's Topology service app
$security = Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
# build a claims principal for the consuming farm's farm ID
$principal = New-SPClaimsPrincipal -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" -ClaimProvider $claimProvider -ClaimValue "<farmid>"
# grant it rights and write the updated permissions back
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights "Full Control"
Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
```
Now you're cooking with gas: you will be able to see the consuming farm's claim in the permissions dialog for the Topology service app. And now you can connect to the published service from the consuming farm. Hopefully TechNet will be updated soon.
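To find this failure in ULS logs without reading them by eye, the added example below (not part of the original post) scans log lines for the access-denied exception on the Topology service and reports which publishing endpoint refused the call. The function name is hypothetical, the sample lines are constructed, and the tab-delimited layout with the timestamp in the first column is an assumption; only the message text is taken from the error quoted above.

```powershell
# Added example (not from the original post).
# Picks out the SecurityAccessDeniedException raised when a consuming farm has no
# permissions on the publishing farm's Topology service app, and extracts the
# publishing endpoint from each hit.

function Find-TopologyAccessDenied {
    param([Parameter(Mandatory = $true)][string[]] $Line)

    # Message text as quoted in the post; the URL is captured so hits can be grouped
    $pattern = 'SPTopologyWebServiceApplicationProxy\.EnumerateSharedServiceApplications on service ' +
               '(?<url>https?://\S+/Topology/topology\.svc)\s*:\s*' +
               'System\.ServiceModel\.Security\.SecurityAccessDeniedException'

    $Line | ForEach-Object {
        if ($_ -match $pattern) {
            $uri = [Uri]$Matches['url']
            New-Object PSObject -Property @{
                Timestamp      = ($_ -split "`t")[0].Trim()   # assumes timestamp is column 1
                PublishingHost = $uri.Host
                Port           = $uri.Port
                Url            = $uri.AbsoluteUri
            }
        }
    }
}

# Constructed sample lines (not real log output): one matching entry, one unrelated.
$sample = @(
    "06/01/2010 14:02:11.10`tw3wp.exe (0x0A1C)`t0x0F44`tSharePoint Foundation`tTopology`t0000`tHigh`tAn exception occurred when calling SPTopologyWebServiceApplicationProxy.EnumerateSharedServiceApplications on service https://SERVERNAME:32844/Topology/topology.svc : System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.",
    "06/01/2010 14:02:12.47`tOWSTIMER.EXE (0x0B20)`t0x0C10`tSharePoint Foundation`tTimer`t0000`tMedium`tConstructed unrelated entry."
)

# One row per publishing endpoint that denied access, with a hit count
Find-TopologyAccessDenied -Line $sample |
    Group-Object Url |
    Select-Object Count, Name
```

Against a real farm, pass the output of `Get-Content` on the consuming farm's ULS log files as `-Line`; hits that stop after the grant above confirm the permission took effect.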
SharePoint 2010 includes a fundamental architectural change from the previous version with the introduction of “Service Applications”. This new architecture has extremely broad and deep consequences for SharePoint practitioners. Unfortunately Service Applications thus far have been poorly explained and documented, and already there are many myths surrounding them. This “In a Nutshell” article is an attempt to distil the core elements down to brass tacks. It is intended primarily for architects and administrators planning their farm topologies, but will also be useful for anyone working with SharePoint 2010.
http://www.harbar.net/articles/sp2010sa2.aspx