I have written a Windows service to send mails to users in a Sharepoint list based on some condition.
The development server is a stand-alone Sharepoint installation and the Windows service works fine. But,the Production environment has the application(Sharepoint) and Database(SQL) residing on different servers.
So when the Windows service tries to open the list it says " Cannot open database "WSS_Content80" requested by the login. The login failed."
Pease let me know how to proceed.I am struck with this issue for a long time now..
To solve the Issue quick and Dirty way what you can do is grant permission to the Content Database of your SharePoint application for the User in Which Windows Services Run.
But you want to do it in a neat way I recommend you to write a Timer Job for SharePoint. Here not only does the Permission is taken care automatically but you can also deploy it to multiple Web Application if you want it and manage it easily.
The Best Article on the Subject is here MSDN or AC Article.
Another possible answer is to check which account your service is running as. Running it as a more privileged user like the account that is acting as your app pool would work.
Another possible tact is to look into SPSecurity.RunWithElevatedPrivledges method.
Related
I'm trying to connect to Active Directory to look for a specific user, edit that user's properties and save the changes. Seems like a simple task, but I'm having a hard time putting this thing together.
I've tried using VBscript, and allthough it seems it can be done, I have to add the administrator username and password in clear text. Which is NOT a good idea. The script is also triggered from regular users which have no access to Active Directory. So the initial script needs to fire a second script that is run as domain admin.
Someone gave me a tip though. Create a web page or a windows service that the script can call. And that service or webpage connects to AD and makes the actual changes. I guess a windows service would be the cleanest way of doing this.
But I only have Visual Studio Express and it seems I cannot create a windows service with that. The initial script needs to be vbscript, because it's being run from a software where only vbscript is supported.
So what would be the ideal solution here? Would it be possible for the first vbscript to collect the data it needs, pass those as arguments to a second vbscript that makes the actual changes? A vbscript would be easier to maintain, if I need to update more user properties than those I need right now.
We do use Sharepoint as well. Perhaps I could create a webpart that uses javascript to collect the data passed from the initial vbscript and connect to AD that way? Just brainstorming here to find the most appropriate solution :)
The fact that you need to have the administrator's username and password in the script should point out to you that what you're asking for is security through obscurity. Somewhere in your solution, there will be a username and password hardcoded or a program that will perform these tasks without authorizing the client. These are security holes that I would avoid at all costs.
Having said that, the service is probably the least vulnerable. Even though VS Express doesn't have the template, it's not hard to create a service manually. Use WCF to communicate. Run the service as a managed service account, and give that managed service account only the rights it needs to perform its task.
I have a business LS web application which I update from time to time.
I do the update by simply using the deploy wizard and everything is working great.
My problem is handling all my users that opened my system in their IE and left it open through my deploy process.
Since they have the old web application is opened on their browsers, and I have deployed the new version to the server, I can see errors occuring in certain situations.
Is there a way to make sure all users with the application opened will be forced to refresh the web application page? Maybe remotely disconnect all currently connected users?
There is no built in way of doing this. You will need to write a custom solution. Someone in the MSDN Forums has written a class to do this for OOB apps.
You should be able to reuse the timer part of that class. I'm not sure if the UpdateAvailable method will work for Web-based applications or not. You'll have to experiment with that.
Alternatively, you can create a custom notification system. Insert a message to your users into a table in your database from the administrator account. Have a timer on the user account check the table every so often. If it finds a new message, display a notification to the user.
Then you can use either an HTTP Response Header or an ASP method to log the users out as described in this Microsoft Support article.
I'm researching some Windows Azure stuff, in order to make a decision whether to move to Azure or not.
Basic information
To answer the question, you'll need some basic understanding of my app so here goes.
The app is an ASP.NET MVC 3 application that connects to a SQL Server database.
It is a single instance application, meaning that every customer eventually has their own instance of the app running on our server, deployed to IIS 7 as a website.
I have one SQL Server, where each instance has its own database.
I also have a set of Windows Services to do some background processing. That should be straight forward, as I'll just rewrite those to use a Worker Role in Windows Azure - most of the logic in the services is located in their own class (library) anyway, so the service it self just calls one or more methods in a class.
Now to the question
Whenever someone signs up for a free trial, I add a record to an Admin database I have.
I then have a Windows Service that deploys a new instance of the ASP.NET MVC 3 app to IIS, grants permission to a few folders, runs the database deployment script and updates the record to reflect that it has now been deployed, and finally sends an e-mail to the prospect that their free trial has been created - here's how you access it.
So, how can I deploy a new instance in Windows Azure from a Worker Role? Preferably, I'd just add a new website to an existing Azure instance and create a new SQL Azure database for that particular site to use.
Does this require a lot of work to set up? Is it even possible?
Based on two quotes, I would like to suggest calling this a multi-tenant application:
It is a single instance application, meaning that every customer eventually has their own instance of the app running on our server,
And...
a Windows Service that deploys a new instance of the ASP.NET MVC 3 app to IIS, grants permission to a few folders
If I understand correctly, there is "one" IIS server (well, in Windows Azure, it's one Web Role, scalable to multiple instances), and with each new "tenant", you set up some new stuff to support that tenant.
If that's indeed the case, you can definitely do this from a worker role - just look at Nate Totten's multi-tenant web role blog post and related code. Look at the webdeploy code that actually manipulates IIS.
Further: take a look at Cloud Ninja, a project a few of my teammates published along with Fullscale180. This is a multi-tenant app that demonstrates how to manage multiple customers in a single deployment, as well as monitoring and scaling.
Finally: should you need to actually create brand new service hosts and storage accounts, the latest updates to the Windows Azure Management API support this.
I hope that helps a bit...
I think most of the things you want to achieve are possible.
It will definitely require some work to setup!
For some ideas on how to achieve what you are looking for, take a look at the MS SaaS example - http://www.fabrikamshipping.com/ - especially designed for porting existing apps to SaaS on Azure. Inside this app they have an "onboarding process" - and that process includes setting up new SQL connections and new portals.
There's lots of good blogging (watch the video) about this on http://blogs.msdn.com/b/vbertocci/archive/2010/10/07/new-online-demo-introducing-fabrikamshipping-saas.aspx
I need to consume an out-proc COM server from both a worker role and a web role in a Windows Azure application. One step I'm almost sure I'll need to do is to alter the access permissions for the COM server - grant "local launch" and "local activation" permissions for the predefined user under which roles code executes.
So far I found there's DCOMPERM utility in Windows SDK samples which contains code that I guess would do that. So I could write similar code and package it into either a separate executable or into the COM registration code of the COM server and run that code from a role start-up task. That's not trivial, but certainly doable.
I only have one major concern before I start.
Are there any reasons why I can't do that? Maybe using out-proc COM servers is not allowed on Windows Azure or something? Are there any such limitations?
Are there any reasons why I can't do that? Maybe using out-proc COM servers is not allowed on Windows Azure or something? Are there any such limitations?
It's not something I've personally done, but if you can install a COM+ server running in a shell exe, then I think you should be able to do what you want - see this recent blog post http://michaelwasham.com/2011/05/15/deploying-a-com-servicedcomponent-to-windows-azure/
I don't think you will hit limitations - but I think you will hit a fair few problems along the way - good luck.
I have a web app that uses some backend servers (UNC, HTTP and SQL). To get this working I need to configure ServicePrincipalNames for the account running the IIS AppPool and then allow kerberos delegation to the backend services.
I know how to configure this through the "Delegation" tab of the AD Users and Computers tool.
However, the application is going to be deployed to a number of Active Directory environments. Configuring delegation manually has proved to be error prone and debugging the issues misconfiguration causes is time consuming. I'd like to create an installation script or program that can do this for me.
Does anyone know how to script or programmatically set constrained delegation within AD?
Failing that how can I script reading the allowed services for a user to validate that it has been setup correctly?
OK, after much digging on the internet and some testing, I've got a way forward.
The following code is c#.
Setting an SPN for a user or computer can be achieved via the setspn utility.
Alternatively, the following C# code can do the same:
DirectoryEntry de = new DirectoryEntry("LDAP://"+usersDN);
if (!de.Properties["servicePrincipalName"].Contains(spnString))
{
de.Properties["servicePrincipalName"].Add(spnString);
de.CommitChanges();
}
To set constrained delegation:
if (!de.Properties["msDS-AllowedToDelegateTo"].Contains(backendSpnString))
{
de.Properties["msDS-AllowedToDelegateTo"].Add(backendSpnString);
de.CommitChanges();
}
If the user has had non-constrained delegation enabled, you may need to turn this off before enabling constrained - but I didn't fully test this scenario.