The long sad road to getting Metastorm, SharePoint, and Kerberos to work together in a multi-server farm.

Sorry the screenshots did not come in... I didn't want to put in the time to add each one, maybe I will do it later.

Introduction

This troubleshooting guide is born of the issues encountered when installing the Metastorm BPM product in the <YourCompany> environment.  It will not replace the Metastorm documentation, but is intended to be supplemental.
First off, make sure the engine starts.  If it does not start, check Component Services and make sure the account you are running the engine under is enabled.  If this doesn't work, uninstall and reinstall Metastorm, making sure to delete the registry entries and the files under Program Files, as the uninstall leaves bits of the program all over the place.  If this still does not work, blow away the server and try again.  The install of Metastorm should take only about an hour; if you have spent more than three, start over.

Single Sign On (SSO)

The SSO instructions in the Metastorm Administration guide are relatively accurate.  Ensure that you do them in the exact order that they are stated.
The unclear section within the SSO instructions is the one dealing with the eSSO_Web.js file.  This file is located at the following location:
C:\Program Files\Metastorm\BPMEngin\Authentication
Make sure you make the recommended change to the file there and then upload it in the Metastorm Administration section.  See screenshot.
If this is not done, SSO will not work and it will not tell you why.



Kerberos

Enable Delegation

You will have to enable delegation on the engine service account and on all the front-end servers.

Set the SPN’s

There will need to be six service principal names (SPNs) set for Kerberos to work.  If Kerberos is not working, good luck.  A quick reminder: a host header should have a DNS entry set up for it before running these commands.  Also, depending on where the servers are, it can take several hours or even a day before these changes are replicated throughout the domain.
The three pairs of SPNs cover the SharePoint server name (SPSName), the Metastorm server name (MetaName) and the host header of your SharePoint site (HostHeadName).  The service account we are using for the application pools is MOSSServiceAccount.  Your domain name is <YourDomain>, and your fully qualified domain name is <FQDN>.
setspn -S HTTP/SPSName <YourDomain>\MOSSServiceAccount
setspn -S HTTP/SPSName.<FQDN> <YourDomain>\MOSSServiceAccount
setspn -S HTTP/MetaName <YourDomain>\MOSSServiceAccount
setspn -S HTTP/MetaName.<FQDN> <YourDomain>\MOSSServiceAccount
Note:  You must have a DNS entry prior to creating the SPN.
setspn -S HTTP/HostHeadName <YourDomain>\MOSSServiceAccount
setspn -S HTTP/HostHeadName.<FQDN> <YourDomain>\MOSSServiceAccount
Use setspn -L <YourDomain>\MOSSServiceAccount to list the SPNs registered for the account and ensure that there are no duplicate entries.  A duplicate entry is about as good as no entry at all, but harder to catch.  Using -S instead of -A makes setspn check that no HTTP SPN is already registered for that name elsewhere in the domain before adding it.
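As an added example that is not part of the original post, the following Python script builds the six expected SPNs from the names above and audits setspn -L output for the service account, reporting SPNs that are missing and SPNs that another account also holds (the duplicate case the text warns about). The setspn output, the second account OldWebSvc and the FQDN corp.example.com are constructed sample values.

```python
import re

# Constructed `setspn -L` output for two accounts (not real directory data).
# SPN case varies on purpose: Active Directory matches SPNs case-insensitively.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=MOSSServiceAccount,OU=Service Accounts,DC=corp,DC=example,DC=com:
        HTTP/SPSName
        HTTP/spsname.corp.example.com
        HTTP/MetaName
        HTTP/MetaName.corp.example.com
        HTTP/HostHeadName
Registered ServicePrincipalNames for CN=OldWebSvc,OU=Service Accounts,DC=corp,DC=example,DC=com:
        HTTP/MetaName
"""

def expected_spns(sps_name, meta_name, host_header, fqdn):
    """The six HTTP SPNs the post registers: short and FQDN form of each name."""
    return [f"HTTP/{name}{suffix}" for name in (sps_name, meta_name, host_header)
            for suffix in ("", f".{fqdn}")]

def parse_setspn_l(output):
    """Map account name -> set of lowercase SPNs from concatenated `setspn -L` output."""
    registered, account = {}, None
    for line in output.splitlines():
        header = re.match(r"Registered ServicePrincipalNames for CN=([^,]+)", line)
        if header:
            account = header.group(1)
            registered.setdefault(account, set())
        elif line.strip() and account:
            registered[account].add(line.strip().lower())
    return registered

def audit_account(account, registered, expected):
    """Return (missing, duplicates) for the service account.

    A missing SPN means no Kerberos ticket can be issued for that name; a
    duplicate (the same SPN on another account) leaves the KDC unable to pick
    an account, so clients silently fall back to NTLM or fail outright.
    """
    mine = registered.get(account, set())
    missing = [spn for spn in expected if spn.lower() not in mine]
    duplicates = {}
    for other, spns in registered.items():
        for spn in expected:
            if other != account and spn.lower() in spns:
                duplicates.setdefault(spn, []).append(other)
    return missing, duplicates

if __name__ == "__main__":
    spns = expected_spns("SPSName", "MetaName", "HostHeadName", "corp.example.com")
    print(audit_account("MOSSServiceAccount", parse_setspn_l(SAMPLE_SETSPN_OUTPUT), spns))
```

On a real domain, replace SAMPLE_SETSPN_OUTPUT with the output of setspn -L for each account that might hold an HTTP SPN.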
The best explanation of Kerberos I have found is at the following URL: http://support.microsoft.com/kb/929650
You can also enable Kerberos logging to the event log via the registry.  To do this, follow these Microsoft instructions.


Enabling Kerberos Event Logging on a Specific Computer

1. Start Registry Editor.

2. Add the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters


Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1

If the Parameters subkey does not exist, create it.

Note: Remove this registry value when it is no longer needed so that performance is not degraded on the computer. Also, you can remove this registry value to disable Kerberos event logging on a specific computer.

3. Quit Registry Editor. The setting will become effective immediately on Windows Server 2008, on Windows Vista, on Windows Server 2003, and on Windows XP. For Windows 2000, you must restart the computer.

You can find any Kerberos-related events in the system log.


The Application Host File


Location

The Application Host file can be found at the following location
C:\Windows\System32\inetsrv\config

What to Change

Three major changes need to be made to the applicationHost.config files: one on the SharePoint server and two on the Metastorm server.

SharePoint (SharePoint Server)

In SharePoint you may need to change the applicationHost.config file so that you can actually log in to the site without typing credentials.  To do this, find the following lines in the lower part of the file:
    <location path="SharePoint - Meta">
        <system.webServer>
            <handlers accessPolicy="Read, Execute, Script">
………A bunch of XML
                </handlers>
          <security>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <digestAuthentication enabled="false" />
                    <windowsAuthentication enabled="true" >
                        <providers>
                            <clear />
                            <add value="Negotiate" />
                            <add value="NTLM" />
                        </providers>
                    </windowsAuthentication>
                </authentication>
            </security>
Change the above section so it looks like the following (adding useKernelMode="false" and useAppPoolCredentials="true" to the windowsAuthentication element):
    <location path="SharePoint - Meta">
        <system.webServer>
            <handlers accessPolicy="Read, Execute, Script">
………A bunch of XML
                </handlers>
          <security>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <digestAuthentication enabled="false" />
                    <windowsAuthentication enabled="true" useKernelMode="false"  useAppPoolCredentials="true">
                        <providers>
                            <clear />
                            <add value="Negotiate" />
                            <add value="NTLM" />
                        </providers>
                    </windowsAuthentication>
                </authentication>
            </security>

Metastorm Web (Metastorm Server)

Find the following code in the Application Host file.
<location path="Default Web Site/Metastorm">
        <system.webServer>
            <directoryBrowse enabled="false" showFlags="None" />
            <handlers accessPolicy="Read, Script" />
            <httpLogging dontLog="false" />
            <defaultDocument enabled="true">
                <files>
                    <clear />
                    <add value="Default.asp" />
                    <add value="Default.aspx" />
                    <add value="Default.htm" />
                </files>
            </defaultDocument>
            <security>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <digestAuthentication enabled="false" />
                    <windowsAuthentication enabled="true" />
                </authentication>
            </security>
Change the above section to look like the following
<location path="Default Web Site/Metastorm">
        <system.webServer>
            <directoryBrowse enabled="false" showFlags="None" />
            <handlers accessPolicy="Read, Script" />
            <httpLogging dontLog="false" />
            <defaultDocument enabled="true">
                <files>
                    <clear />
                    <add value="Default.asp" />
                    <add value="Default.aspx" />
                    <add value="Default.htm" />
                </files>
            </defaultDocument>
            <security>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                    <digestAuthentication enabled="false" />
                    <windowsAuthentication enabled="true" useAppPoolCredentials="true">
                        <providers>
                            <clear />
                            <add value="Negotiate" />
                            <add value="NTLM" />
                        </providers>
                    </windowsAuthentication>
                </authentication>
            </security>

BPM Engine.NET (Metastorm Server)

Find this section in the applicationHost.config file:
    <location path="Default Web Site/BPMEngine.NET">
        <system.webServer>
            <directoryBrowse enabled="false" showFlags="None" />
            <handlers accessPolicy="Read, Script" />
            <httpLogging dontLog="false" />
            <security>
                <authentication>
                    <windowsAuthentication enabled="true" />
                    <anonymousAuthentication enabled="false" />
                    <digestAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                </authentication>
            </security>

Change the above text to match the following
    <location path="Default Web Site/BPMEngine.NET">
        <system.webServer>
            <directoryBrowse enabled="false" showFlags="None" />
            <handlers accessPolicy="Read, Script" />
            <httpLogging dontLog="false" />
            <security>
                <authentication>
                    <windowsAuthentication enabled="true" authPersistNonNTLM="true" useKernelMode="true" useAppPoolCredentials="true" />
                    <anonymousAuthentication enabled="false" />
                    <digestAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                </authentication>
            </security>
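As an added example (not from the original post), this Python script checks an applicationHost.config for the windowsAuthentication settings the three sections above call for, so the change can be verified on each server instead of eyeballed. The XML fragment is constructed: SharePoint already fixed, Metastorm still on the default, and the BPMEngine.NET location absent.

```python
import xml.etree.ElementTree as ET

# windowsAuthentication attributes the post sets per site. The SPNs live on the app
# pool account, so IIS must decrypt tickets with that account's key
# (useAppPoolCredentials) rather than with the machine account's.
REQUIRED = {
    "SharePoint - Meta": {"useAppPoolCredentials": "true", "useKernelMode": "false"},
    "Default Web Site/Metastorm": {"useAppPoolCredentials": "true"},
    "Default Web Site/BPMEngine.NET": {"useAppPoolCredentials": "true", "useKernelMode": "true", "authPersistNonNTLM": "true"},
}

# Constructed applicationHost.config fragment: SharePoint already fixed, Metastorm still
# on the default <windowsAuthentication enabled="true" />, BPMEngine.NET not present.
SAMPLE_APPHOST = """<configuration>
  <location path="SharePoint - Meta"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="false" />
    <windowsAuthentication enabled="true" useKernelMode="false" useAppPoolCredentials="true">
      <providers><clear /><add value="Negotiate" /><add value="NTLM" /></providers>
    </windowsAuthentication>
  </authentication></security></system.webServer></location>
  <location path="Default Web Site/Metastorm"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="false" />
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
</configuration>"""

def audit_apphost(xml_text, required=REQUIRED):
    """Return {location path: [problems]}; an empty list means the site matches the post."""
    locations = {loc.get("path"): loc for loc in ET.fromstring(xml_text).iter("location")}
    report = {}
    for path, attrs in required.items():
        problems = report.setdefault(path, [])
        loc = locations.get(path)
        if loc is None:
            problems.append("location element not found")
            continue
        auth = loc.find("system.webServer/security/authentication/windowsAuthentication")
        if auth is None or auth.get("enabled", "false").lower() != "true":
            problems.append("windowsAuthentication is not enabled")
            continue
        for name, want in attrs.items():
            found = auth.get(name, "<unset>")
            if found.lower() != want:
                problems.append(f'{name} should be "{want}" (found {found})')
        # When providers are listed explicitly, Negotiate must come first or browsers use NTLM.
        providers = [add.get("value") for add in auth.findall("providers/add")]
        if providers and providers[0] != "Negotiate":
            problems.append(f"Negotiate must be the first provider (found {providers})")
    return report
```

Run it against the real file by reading C:\Windows\System32\inetsrv\config\applicationHost.config into audit_apphost instead of SAMPLE_APPHOST.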

Internet Information Services (IIS)

The IIS settings vary depending on whether we are using forms or single sign-on (SSO) authentication.  Within the <YourCompany> environment the decision was made to use SSO, so the settings below are specific to the SSO configuration.

SharePoint

SharePoint should be set up correctly as long as the site was created with the option to use Kerberos authentication selected.  However, in case this was not done, the configuration is as follows.

Metastorm Web

The Metastorm Web and Engine application pools must run under the specified service account.
Make sure that the ability to run 32-bit applications is also enabled.

For the authentication settings, ensure that ASP.NET authentication is enabled, as well as Windows authentication.  On some newly built servers, Windows authentication will not be available; to enable it, you must add the Windows Authentication role service to the server.  For instructions on how to do this, see the following link.




Once this option is available your settings should look like this.
Under Advanced Settings, ensure that you have enabled kernel-mode authentication.




The Engine

The Metastorm engine has all the same IIS settings as the web with the exception of ASP.NET impersonation.



Component Services (dcomcnfg)

Process Engine

To access Component Services, type “dcomcnfg” in the Run command, or access it under Administrative Tools.  The important thing to remember is that the account being used to run the engine needs to be in the Administrator and Client roles under Metastorm Process Engine, under COM+ Applications.  Not being in these roles is the most common cause of the engine not starting, or starting and then stopping.


Distributed Transactions

In order for Metastorm to interface with SharePoint, distributed transactions must be enabled.  To access the settings, right-click on DCOM settings and select Properties.
Select the Services tab and ensure the settings are as follows.
