Sunday, November 16, 2008

Email-enable a SharePoint Group

You can use SharePoint to send email to a mail-enabled AD Distribution
group. But did you know that you can email-enable a SharePoint permission
group? Daniel A. Galant gives the recipe below. Bryan Hart notes that you
must have AD and Exchange behind the scenes for this to work.


If you go into the settings for a given group, (select the group and then
Settings>Group Settings) you'll find a setting to Create an e-mail
distribution group for this group. Select this. You will then likely need to
go into your Central Administration and actually approve the group before
you can use it. This is done from the Operations tab, Approve/Reject
Distribution groups.

Daniel A. Galant MINDSHARP 636-233-0762

MCITP - Enterprise Administrator, MCTS - SharePoint, MCTS - WSS v3, MCTS -
OCS, MCSE+Messaging, MCSE+Security, MCT...


Of course this approach requires AD and Exchange Server, since what's
happening behind the scenes is that an Exchange Distribution Group is
being created for the members of the SharePoint group...

Bryan Hart Technical Consultant Solanite Consulting, Inc.

Thursday, November 13, 2008

Incoming email to SharePoint Document Libraries

You WILL run into this at some point if you use incoming mail to lists or
libraries. An incredibly useful technique, but "incredibly

There is an EmailReceived event for which you can write a handler, but this is not for the faint-of-heart.

------ Forwarded Message
From: "Todd O. Klindt"
Date: Mon, 10 Nov 2008 08:49:50 -0600
Subject: RE: [sharepointdiscussions] incoming email to SharePoint Document

1) There is no way to alert the sender out of the box.

2) There is no way to alert the administrator out of the box.

3) There is no way to send an NDR out of the box

Incoming e-mail is incredibly limited, unfortunately.


Sent: Friday, November 07, 2008 3:05 PM
Subject: [sharepointdiscussions] incoming email to SharePoint Document

I have successfully enabled incoming email to Document Libraries. On
the Document Library settings for Incoming email, I have selected the E-
mail security policy of "Accept e-mail messages based on document
library permissions". I receive the following message in the log file
when an unauthorized user sends an email to the document library: "An
error occurred while processing the incoming e-mail file
C:\Inetpub\mailroot\Drop\2cea94d301c93f820000000c.eml. The error was:
Access denied. You do not have permission to perform this action or
access this resource."

Is there any way to configure SharePoint to 1) alert the sender, 2) alert
an administrator, or 3) somehow return an undeliverable message when
this situation occurs?

------ End of Forwarded Message

Web App, Zone, AAM: Get it right the first time

A notice about "unexpected side effects" when changing the address for the
default Zone.

------ Forwarded Message
From: Paul Stork
Date: Sat, 8 Nov 2008 13:41:24 -0600
Subject: RE: [sharepointdiscussions] RE: FBA with Client Integration

That's the problem then. Extending a Web Application to Create a ZONE will
create an AAM, but they aren't the same thing. When you swapped the AAM
addresses around that didn't change the address for the Zone in the
Authentication Provider. So switching around client integration didn't
help. In general after an AAM is created by either a Web Application or a
Zone you shouldn't change the address. That's why planning the address for
the default Zone is so critical. Once it's created you end up with
unexpected side effects if you try to change it.

Paul Papanek Stork / 216-272-0573 / Know More. Do More.
MVP Profile

Come to the SharePoint Best Practices Conference in San Diego, CA: Feb. 2-4!

On Behalf Of Harold W. Gravatt
Sent: Friday, November 07, 2008 7:17 PM
Subject: RE: [sharepointdiscussions] RE: FBA with Client Integration

One thing I want to point out is that I had moved the external URL with
SSL to the Default Site to get the external URL to appear to External
Users when they have subscribed to alerts. Now when I go to
Authentication Providers the external is
appearing in the Web Application field when I go to Authentication
Providers. I select the Extranet zone and disable client integration
and it doesn't seem to matter. My question is this. If I moved this
URL to the Default Site in Alternate Access Mappings and the internal
URL to the Intranet zone, why is this not being revealed when I go to
Authentication Providers? I would think that the Alternate Access
Mappings change should be reflected in both locations in Alternate
Access Mappings and in Authentication Providers wouldn't you?

Harold W. Gravatt, MCSE


269.978.6988 office

877.286.9120 toll free

Want to learn more about Realign? Visit our website.

On Behalf Of Paul Stork
Sent: Friday, November 07, 2008 7:04 PM
Subject: [sharepointdiscussions] RE: FBA with Client Integration

In SharePoint you enable the creation of a persistent cookie by clicking
the 'remember me' check box on the login page. You also have to enable
client integration when you setup the Authentication provider in the
Application management tab of Central Admin.

Paul Papanek Stork / 216-272-0573 / Know More. Do More.
MVP Profile

Come to the SharePoint Best Practices Conference in San Diego, CA: Feb. 2-4!

On Behalf Of Harold W. Gravatt
Sent: Friday, November 07, 2008 6:45 PM
Subject: [sharepointdiscussions] FBA with Client Integration


The External Collaboration Toolkit for SharePoint allows me to install
ADAM, IIS, WSS, .Net Framework 3.0, ASP.NET onto a W2K3R2SP2 server and
allow external users to use their email address for authentication
against the ADAM store. However, one feature that does not work is
enabling FBA with Client Integration. Therefore, the context menu that
includes Edit in Microsoft Office Word or Excel is not supported and
does not function correctly. I talked to Dave Mowers at Securitay and
he suggested enabling persistent cookies. IE 7 enables persistent
cookies supposedly by adding the URL to the Trusted Sites list.
However, using this advice to enable persistent cookies using IE 7 does
not seem to do the trick.

I am all ears; another workaround or solution would be nice. I
haven't installed DotNetNuke yet, but that supposedly works with FBA and
Client Integration enabled.

Harold W. Gravatt, MCSE


269.978.6988 office

877.286.9120 toll free
------ End of Forwarded Message

Wednesday, October 8, 2008

User Profile Replication Engine Released

Microsoft has released a "User Profile Replication Engine" which can synchronize user profile information between Shared Service Providers on different farms within an enterprise. The Engine must run with pretty serious privileges on both the source SSP and the destination SSP(s), which means some negotiation about accounts and privileges between, for example, central IT services and a department which has its own SharePoint farm.

However, we finally have an approach to avoid multiple profiles for one user between central farms and departmental farms.

The User Profile Replication Engine is part of the SharePoint Administrators Toolkit version 2.0:

Friday, October 3, 2008

Silverlight and SharePoint

From this looks like a good resource on Silverlight for SharePoint.

------ Forwarded Message
From: Devin Rader
Date: Tue, 30 Sep 2008 14:21:10 -0400
Subject: Re: [sharepointdiscussions] silverlight & sharepoint

There is a bunch of great info on SharePoint + SL2 here:

The first video walks you through creating and deploying a basic SL2


----- Original Message -----
From: "Akshaya M"
Subject: [sharepointdiscussions] silverlight & sharepoint
Date: Tue, 30 Sep 2008 19:51:55 +0530


Has anyone worked on or integrated a Silverlight component with
and deployed as a webpart? If so, can you please suggest the appropriate
i.e. deploying via the .XAP method and the normal dll method.
Thanks for all your suggestions.



Content Deployment Options Compared

It appears on the surface that SharePoint is intended to be used as a "live site" technology, where content is developed in the same place where it is published. For collaborative teamsites, this is often an appropriate model, since team members can generally be trusted with "half-baked" content. For content that is published outside the team, the built-in "publishing" feature (option) provides an extension of the develop-in-place model which hides draft content from readers until it is "approved".

However, there are many scenarios where develop-in-place is not appropriate; for example, when there is code involved as well as content, or where massive changes need to be coordinated to avoid large numbers of "did I update that link to the new page" questions. In these cases, some method of migrating content from a "development" server to a "production" server (or perhaps to some intermediate "staging" server) is needed.

Chris O'Brien, a Microsoft Most Valued Professional, does a thorough job of comparing the options in this blog post:

Load Balancing Central Administration

Ben Curry from Mindsharp says there's no need for multiple instances of Central Admin on a farm, because it's easy to construct one on a working node if the regular one fails.

------ Forwarded Message
From: "Benjamin D. Curry"
Date: Mon, 22 Sep 2008 21:23:21 -0500
Subject: RE: [sharepointdiscussions] Load Balancing Central Administration

By executing "c:\program files\common files\microsoft shared\web server
extensions\12\bin\psconfig.exe" -cmd adminvs -provision -port 12345
-windowsauthprovider onlyusentlm on any server in the farm, you are 2
minutes from having Central Admin on any server farm member. So, I generally
only have it on one server in the farm.


Ben Curry, CISSP, SharePoint Server MVP

On Behalf Of lazybugger76
Sent: Monday, September 22, 2008 2:52 PM
Subject: [sharepointdiscussions] Load Balancing Central Administration

So I have read a couple of articles that say you cannot load balance
Central Administration. Is this really the case? If so, if I lose my
Central Administration server are there any better ways to have
redundancy than manually moving it to another server?

Any help or suggestions would be appreciated


Authentication Zones and Alternate Access Mapping

In the course of developing a model corporate deployment, this Technet
article does the best job yet of explaining authentication zones and
Alternate Access Mapping.

Useful SharePoint Designer Custom Workflow Activities

Check out "Useful SharePoint Designer Custom Workflow Activities" on
CodePlex: Includes (as of 8/21/08):

  • Send Email with HTTP File attachment - Allows sending emails with attachments retrieved using a web request
  • Send Email with List Item attachments - Allows sending list item attachments as files attached to an email
  • Start Another Workflow - Starts another workflow associated with a list item
  • Grant Permission on Item - Allows granting of specified permission level on a specified item
  • Delete List Item Permission Assignment - Allows deleting of specified permission level assignment for a given user
  • Reset List Permissions Inheritance - removes any unique permissions assigned to an item by inheriting list permissions
  • Is User a member of a SharePoint group - Checks if a given user is part of given sharepoint group
  • Is Role assigned to User - Checks if a user role is already assigned on the current list item
  • Lookup user info - allows to lookup properties in site's user information list for a given login
  • NEW! Copy List Item Extended Activity - Allows copying/moving list items and files cross site.
  • NEW! Send Email Extended - Enhanced version of the OOTB activity. Allows you to specify the sender. Also does not break links in body.

Friday, September 5, 2008

Social Networking Primer and Overview

Mike Gratta, a Principal Analyst at the Burton Group, has contributed to Educause a 46-page primer and analysis of social networking in the enterprise:

[Note: a free registration (available to all WSU staff) is required.]

The key takeaway is that social networks cannot be counted on to happen via a simple "corporate Facebook" strategy; rather, an analysis of goals and methods is needed (surprise!). Anyone who wishes to plan or even discuss social networking in an enterprise context should be familiar with the terms and concepts introduced in this paper.

Tuesday, August 19, 2008

SharePoint and ADFS

It looks like ADFS ("WSU Unified Signon") is not yet an option for SharePoint at WSU. Though it is possible to set up intranet access with integrated Windows authentication alongside extranet access with ADFS authentication, the user experience is worse (especially with client-side features like web folders and Office direct open-and-save).

Some resources:

Support Boundaries for ADFS

MS official take on what works and what doesn't when ADFS is used as an authentication provider for WSS (2 or 3), SPS, or MOSS.

How to use ADFS to turn MOSS into a Claims-Aware Application

Blog by authoritative MS people with step-by-step setup. Also points to TechNet articles. Note that there is an update by one of the authors at

Configuring Multiple Authentication Providers for SharePoint 2007

Background reading for setting up authentication providers.

Saturday, July 19, 2008

SharePoint Authentication and Auto-Signon

The following is an email summarizing my investigation of issues around SharePoint logins and client integration. We are currently using Basic Authentication so that all clients can authenticate, but we would also like to have the benefits of Internet Explorer auto-login and single-signon via Integrated Windows Authentication. It turns out, you can't have both…

After an extensive (maybe too extensive) investigation, I have concluded that if the SharePoint server is configured to accept auto-signon with Internet Explorer, IE will require that the domain be specified by the user if the browser cannot use or is not configured for auto-signon. In short, we have to choose between requiring "domain\" on SharePoint logins, and using the client integration features with Windows clients, including transparent download/upload of Office documents.

On the first request to a server, IE attempts to access a website anonymously. On our SharePoint server, since anonymous access is not enabled, the server responds with an "Unauthorized" result code. When both NTLM and Basic authentication are enabled on the server side, the "Unauthorized" response includes two "WWW-Authenticate" headers: NTLM and Basic.

IE prefers NTLM and will always use it if the server offers it; if NTLM does not succeed, IE will not fail over to Basic. If auto-signon is not enabled in the browser (that is, if the site is not determined to be in the "local intranet" security zone due to browser configuration), or if the client has not been bound to the domain, then IE puts up a username/password dialog box. The legend in this box says "connecting to <sitename>" -- this is a constant in IE. The fields in the box are labeled "User name" and "Password", and there is a "remember my password" checkbox, but there is no separate "Domain" field. Domain must be specified as a prefix to the username (delimited by "\"), but there is no way of telling the user this.

If the user enters a username and password, but no domain, authentication fails, because IE fails to use the domain suggested by the server; instead it prefers to use the server name as a domain. Microsoft claims this is by design; I'm not sure why yet.

When authentication fails, Internet Explorer re-prompts with the username/password dialog box; this time, it inserts the hostname as the domain prefix. Of course, the user has no local account on the server, so this can never work. If the user knows enough to replace the domain prefix with "AD\", then authentication can succeed.

Interestingly, Firefox will do both auto-login (if the host is white-listed in the browser config) and no-domain-specified login; for the latter, FF simply uses the domain suggested by the server ("AD"). Why Microsoft doesn't do the same bewilders me.
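The challenge/response behaviour described above, as an added example that is not part of the original post: it parses the WWW-Authenticate headers out of a constructed 401 response and then applies the post's rules (IE takes NTLM whenever it is offered and never falls back to Basic; IE substitutes the server host name for a missing domain, Firefox uses the domain the server suggests). Host name, domain name and user names are made-up sample values.

```python
"""Model of the IE / Firefox login behaviour against a SharePoint site
that offers both NTLM and Basic. Constructed example; the rules are the
ones stated in the post, not a full SSPI implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed 401 as IIS sends it when both providers are enabled.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "WWW-Authenticate: Basic realm=\"sharepoint\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_www_authenticate(raw_response: str) -> List[str]:
    """Return the auth schemes a raw HTTP 401 response offers, in header order."""
    head = raw_response.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "401":
        return []
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            # "Basic realm=..." -> "Basic"; "NTLM" -> "NTLM"
            schemes.append(value.strip().split(" ", 1)[0])
    return schemes


@dataclass
class Client:
    browser: str          # "ie" or "firefox"
    auto_signon: bool     # site in Local Intranet zone (IE) / host whitelisted (Firefox)
    domain_joined: bool   # workstation logged on to a domain the server trusts


def choose_scheme(offered: List[str]) -> Optional[str]:
    """Browsers pick NTLM when it is offered; IE will not fall back to Basic."""
    if "NTLM" in offered:
        return "NTLM"
    if "Basic" in offered:
        return "Basic"
    return None


def effective_account(typed_user: str, server_host: str, server_domain: str, browser: str) -> str:
    """DOMAIN\\user the browser presents at the NTLM prompt when no prefix was typed."""
    if "\\" in typed_user:
        return typed_user
    if browser == "ie":
        return f"{server_host}\\{typed_user}"   # IE uses the server name as the domain
    return f"{server_domain}\\{typed_user}"     # Firefox uses the server-suggested domain


def login_outcome(offered: List[str], client: Client, typed_user: Optional[str] = None,
                  server_host: str = "sharepoint", server_domain: str = "AD") -> Tuple[str, Optional[str]]:
    """('auto', None) for silent signon, ('prompt', None) when a dialog appears,
    ('ok'|'fail', account) for what happens once the user types credentials."""
    scheme = choose_scheme(offered)
    if scheme is None:
        return ("fail", None)
    if scheme == "NTLM" and client.auto_signon and client.domain_joined:
        return ("auto", None)            # desktop credential sent, no dialog
    if typed_user is None:
        return ("prompt", None)
    if scheme == "Basic":
        return ("ok", typed_user)        # Basic-only site: no prefix needed (current setup)
    account = effective_account(typed_user, server_host, server_domain, client.browser)
    domain = account.split("\\", 1)[0]
    return ("ok" if domain.upper() == server_domain.upper() else "fail", account)


if __name__ == "__main__":
    offered = parse_www_authenticate(SAMPLE_401)
    print("offered:", offered)
    print("IE, off-domain, no prefix:", login_outcome(offered, Client("ie", False, False), "jdoe"))
    print("Firefox, off-domain, no prefix:", login_outcome(offered, Client("firefox", False, False), "jdoe"))
```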

In short, we are still in the same place that we were when Diane first did this investigation:

  1. If we enable auto-signon by enabling NTLM on SharePoint sites, users on Windows machines bound to the domain and with the host properly whitelisted will have auto-signon, whether using IE or Firefox. However, users who do not meet these requirements will need to use the "AD\" prefix (at least for SharePoint sites; the prefix will cause login to fail on (e.g.) Unified Signon). Making matters worse, there is no way to warn users about the prefix requirement during the login process.
  2. If we do not enable NTLM, we will have the current situation of no auto-logins, and have multiple logins for SharePoint sites for all the too-familiar reasons.

Thursday, July 17, 2008

Integrated Windows Authentication and SharePoint

According to Wikipedia, Integrated Windows Authentication (which even MS sometimes calls "Windows Integrated Authentication") "refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality..." However, Wikipedia goes on to say "The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services and Internet Explorer."


The "automatically authenticated" connections use the workstation login credential. This means that the workstation login must use an AD domain that is trusted by the server. The chief advantage is that every application which needs a connection to the server can use the same credential – single signon heaven, if you are using Windows, IE, Office, and SharePoint (there's a pattern here… <g>)

In SharePoint terms, in the Central Administration site, for each web application you can select authentication providers. If you select the "Windows" authentication provider, then under "IIS Authentication" you can select "Integrated Windows Authentication" and/or "Basic Authentication". If you select "Integrated", you can then choose "Kerberos" or "NTLM", but not both.

MS says "If Active Directory is installed on a domain controller running Windows 2000 Server or Windows Server 2003, and the client browser supports the Kerberos v5 authentication protocol, Kerberos v5 authentication is used; otherwise, NTLM authentication is used." I don't know if that works in a SharePoint setting.

Via testing, I have determined that the current versions of Safari (both on Mac and on Windows) support NTLM, but do not support the automatic login feature which is often called Integrated Windows Authentication. A site that is set (via SharePoint Central Admin or via IIS Manager) to use only "Integrated Windows Authentication" can be accessed via a login prompt from Safari 3.x (or, for that matter, Mozilla browsers later than November 2003). However, only Internet Explorer automatically sends the desktop login credential to the server (as far as I know).

Note that the "login prompt for every Office doc" is not an issue for browsers other than IE, because other browsers do not establish their own authenticated connection to SharePoint. They just download Office docs, then pass the file path of the temporary file to the Office app. This method does not require an authentication for the download (the browser is already authenticated), but it does require that if the file is modified, the new version must be saved, then uploaded manually.

Be aware that NTLM login problems have been reported where Safari is used with the Mac OS X 10.5 ("Leopard") system and an authenticating proxy server (such as ISA) is involved:

-- Joshua

MySites, Anonymous Access, and Lockdown Mode


It is sometimes desirable to have anonymous access to parts of a MySite site. The usual facilities for setting anonymous access are available, but they don't seem to work for all elements of the site. While the Default (My Home) page may not have any meaning for anonymous users, and the MyProfile not much, there are occasions when Shared Documents or another doclib might need to be accessed anonymously.

We have found that setting the site to allow anonymous access to the "Entire Web", and setting the library to inherit from its parent (or not to inherit, but to allow anonymous access), enables users to access .doc, .pdf, and other files, but not pages (.aspx). This means that (for example) web part pages, document library lists, and other useful sites are disabled for anonymous access, and the access can't be turned on, even by the site owner.

Tentative Diagnosis

In SharePoint, anonymous users are associated with the permission level "Limited Access". The default settings for limited access are intended for team sites. MOSS has a security provision called "lockdown mode" which is intended to improve security for publishing sites. The MS document "Plan security for an external anonymous access environment (Office SharePoint Server)" contains a description of lockdown mode:

Lockdown mode is a feature that you can use to secure published sites. When lockdown mode is turned on, fine-grain permissions for the limited access permission level are reduced.

Lockdown mode appears to be activated by default in the "Publishing Site" template, and perhaps by the "Publishing" features. The page linked above shows the following two commands for lockdown mode:

The following table lists the Stsadm commands related to using lockdown mode.

  • Turn on lockdown mode for a site collection:
    stsadm -o activatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml
  • Turn off lockdown mode for a site collection:
    stsadm -o deactivatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml

I believe we need to check to see if the lockdown feature is enabled on MySites, and what we need to do to deactivate it across the board.
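One way to do the "across the board" part, as an added example that is not from the post: every MySite is its own site collection, so the script parses the XML that `stsadm -o enumsites -url <web app>` prints, keeps the site collections under the MySite managed path, and builds the deactivatefeature command from the table above for each. The XML below is a constructed sample, `/personal/` is assumed to be the managed path, and the script only prints the commands unless `dry_run=False` is passed on the server where stsadm is on the PATH.

```python
"""Turn lockdown mode off for every MySite site collection.
Added example; the enumsites output here is a constructed sample in the
shape stsadm prints (one <Site Url="..."> per site collection)."""
import subprocess
import xml.etree.ElementTree as ET

# Feature file name exactly as in the TechNet lockdown-mode table.
LOCKDOWN_FEATURE = r"ViewFormPagesLockDown\feature.xml"

# Constructed sample of: stsadm -o enumsites -url http://mysites.example.local
SAMPLE_ENUMSITES = r"""<Sites Count="3">
  <Site Url="http://mysites.example.local" Owner="AD\spadmin" ContentDatabase="WSS_Content_MySites" />
  <Site Url="http://mysites.example.local/personal/jdoe" Owner="AD\jdoe" ContentDatabase="WSS_Content_MySites" />
  <Site Url="http://mysites.example.local/personal/asmith" Owner="AD\asmith" ContentDatabase="WSS_Content_MySites" />
</Sites>"""


def personal_site_urls(enumsites_xml, managed_path="/personal/"):
    """Site collection URLs under the MySite managed path (assumed: /personal/)."""
    root = ET.fromstring(enumsites_xml)
    return [s.get("Url") for s in root.iter("Site") if managed_path in s.get("Url", "")]


def lockdown_command(site_url, enable=False):
    """stsadm argv that turns lockdown mode on (enable=True) or off for one site collection."""
    op = "activatefeature" if enable else "deactivatefeature"
    return ["stsadm", "-o", op, "-url", site_url, "-filename", LOCKDOWN_FEATURE]


def plan(enumsites_xml, enable=False, managed_path="/personal/"):
    """All commands needed for the MySites found in the enumsites output."""
    return [lockdown_command(u, enable) for u in personal_site_urls(enumsites_xml, managed_path)]


def run(enumsites_xml, enable=False, dry_run=True):
    """Execute (or, by default, only list) the planned commands.
    Returns (argv, return code) pairs; the code is None in dry-run mode."""
    results = []
    for cmd in plan(enumsites_xml, enable):
        if dry_run:
            results.append((cmd, None))
        else:
            proc = subprocess.run(cmd, capture_output=True, text=True)
            results.append((cmd, proc.returncode))
    return results


if __name__ == "__main__":
    # On the farm, replace SAMPLE_ENUMSITES with the real enumsites output.
    for cmd, _ in run(SAMPLE_ENUMSITES):
        print(subprocess.list2cmdline(cmd))
```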

-- Joshua

Wednesday, June 18, 2008

Browsers, Standards, and Martian Headsets

Joel on Software chews through Internet Explorer 8.0, web standards, Mea Shearim, Jon Postel, and a few other things in his blog post "Martian Headsets". This is mandatory reading before any internet posting about "standards compliance".

Tuesday, June 17, 2008

SharePoint Designer Technique: Mashups

From the Microsoft SharePoint Designer Team Blog (that is, the guys who know
this stuff well enough to write code around it), here are a couple of
mashup-type techniques. One is used to combine information from different
lists in a single display (almost like <gasp> a relational database); the
other brings in a Google map.

-- Joshua

Tuesday, April 8, 2008

An Introduction to Conditional Formatting

Microsoft SharePoint Designer Team Blog : An Introduction to Conditional Formatting

Using SharePoint Designer to manage hide/show or colors based on data conditions. Behind the scenes, uses XSLT.

Building a SharePoint Designer Mashup (Part 1)

Microsoft SharePoint Designer Team Blog : SharePoint Conference - Building a SharePoint Designer Mashup (Part 1)

Using SPD's Data View to combine information from different lists (and other sources). Includes a fixup for filtering on lookup-type fields.

To MOSS or Not to MOSS

Ian's SharePoint Blog

Reasons to use MOSS instead of just WSS 3.0.

SharePoint - Firefox and NTLM authentication

SharePoint - Firefox and NTLM authentication

Gives a workaround to let Firefox provide windows credential automatically to trusted hosts when used from intranet clients

Chris O'Brien's blog: Blending publishing/collaboration functionality in SharePoint

Chris O'Brien's blog: Blending publishing/collaboration functionality in SharePoint: "Use of Content Editor web parts vs publishing RichHtmlField controls

Most folks in WCM development know there is an overlap in functionality provided by the Content Editor web part and the RichHtmlField control in the Microsoft.SharePoint.Publishing.WebControls namespace, i.e. they can both be used to enter page content such as text/images. However it's important to consider the differences - the RichHtmlField control stores its content in a column of the list item for the page, whereas the CEWP is a web part and thus stores content in the web part storage architecture. This is important, since if deployment to a different environment is in your project plan or ongoing architecture, things will likely be simpler if you use the field control, since this content will then travel with the page properly.

Additionally, there are some URL fix-up issues with using the CEWP across different environments, as documented in the write up.

In summary, I'd recommend considering the CEWP as a means of entering content in non-publishing SharePoint sites only."

Outlook as a SharePoint client, online and offline - Todd Klindt's Blog

Outlook as a SharePoint client, online and offline - Todd Klindt's Blog

Benefits and limitations of using Outlook as a front-end for SharePoint data, with how-tos and screen shots.

Monday, April 7, 2008

Calling SharePoint Web Services from Javascript

Look alive. Here comes a buzzard. :: Calling SharePoint Web Services from Javascript

Glen Cooper uses a javascript library called "Prototype" which includes an AJAX framework to support SOAP calls to SharePoint Web services. A little clunky (the browser must be pre-authenticated), but he claims it works.

Release: Enhanced Blog Edition 2.0 Final Release

Community Kit for SharePoint - Release: Enhanced Blog Edition 2.0 Final Release

Sharing ....SharePoint : Client Integration Support for Different Authentication Providers

Sharing ....SharePoint : Client Integration Support for Different Authentication Providers: "Client Integration Support for Different Authentication Providers"

What happens when client integration is disabled? How do FBA and SSO handle it when client integration is enabled?

Configuring Multiple Authentication Providers for SharePoint 2007

Microsoft SharePoint Products and Technologies Team Blog : Configuring Multiple Authentication Providers for SharePoint 2007

Steve Peschka of the Microsoft SharePoint "Rangers" covers multiple authentication providers.

2007 update to Microsoft Office and SharePoint Integration "Good, Better, Best" white paper

Microsoft SharePoint Products and Technologies Team Blog : 2007 update to Microsoft Office and SharePoint Integration "Good, Better, Best" white paper now (finally!) published

Lawrence writes the book (or at least the White Paper) on client integration of various versions of Office with SP 2003 and 2007.

Thursday, April 3, 2008

SharePoint 2007 URL Quick List

SharePoint 2007 URL Quick List

Heather Solomon is a Microsoft MVP (that is, she is a person recognized for her expertise by Microsoft, but is outside the company). This list of URL's for direct access to SharePoint management pages is part of her website focusing on SharePoint Design and customization.