Thursday, February 08, 2007
Have you ever needed to manipulate data in a string in InfoPath, maybe to remove characters or pull out a specific piece of data? Or have you ever tried to create a dynamic unique name using the now() function to save an InfoPath form and received an error saying your filename contains illegal or invalid characters? The reason the now() function causes this error is that its output contains colons (:) and, depending on the format, the date may also contain forward slashes (/). The hard part is removing this formatting when you're limited to XPath functions and have no date function to reformat the date with. So you have to think a little more abstractly unless you're planning on using Visual Studio. These concepts apply to other data types as well as text strings; you just have to be creative to get the results you're looking for.
This solution wasn't immediately apparent, but it makes sense after you've done it. You use "Substring", "Substring-After" and "Substring-Before" functions in conjunction with "today()" and/or "now()" functions to pull the date or date/time apart and reformat it any way you choose or put it all in one long ID that is unique to the second. You can also apply this to user input provided you enforce a standard format for a given field. So here are some examples of how to do this:
Note: All examples use the data type "Text(string)", unless otherwise noted.
Example 1
The today function contains characters I want to remove so I can re-arrange the date, use a part of it, or use it as a number. We can pull out the parts of the date without the extra characters by using the position and length of each part of the date with a substring function. This can be used on any string when you know the position and length of the parts you need to retrieve.
today() = 2007-02-08
Year: substring(today(), 1, 4) = 2007
Month: substring(today(), 6, 2) = 02
Day: substring(today(), 9, 2) = 08
concat(substring(today(), 1, 4), substring(today(), 6, 2), substring(today(), 9, 2)) = 20070208
Example 2
The now function contains a date and a time element as shown below. This format is well structured but cannot be used in a filename due to the invalid characters in the string. The time element can also be pulled out of it and, if used with the Time data type, it provides a nice neat timestamp.
now() = 2007-02-08T14:20:39
substring(now(), 12, 8) = 14:20:39
substring(now(), 12, 8) = 2:20:39 PM (data type: Time)
concat(substring(now(),12,2),substring(now(),15,2),substring(now(),18,2)) = 142039
Example 3
The now function can also be used to create a unique date/time string that can be used as a control number or as part of a filename.
now() = 2007-02-08T14:20:39
concat(substring(now(), 1, 4), substring(now(), 6, 2), substring(now(), 9, 2), substring(now(),12,2),substring(now(),15,2),substring(now(),18,2)) = 20070208142039
Example 4
Another interesting way to approach data manipulation is to use the today() and now() functions along with substring-before and substring-after. This demonstrates how you can split the string at the characters you do not want instead of pulling out the characters you do want by position. This is more useful in scenarios where the character positions and lengths may not be consistent but you need to remove certain characters from the string.
today() = 2007-02-08
now() = 2007-02-08T14:20:39
Hours: substring-before(substring-after(substring-after(now(), today()), "T"), ":") = 14
Minutes: substring-before(substring-after(substring-after(substring-after(now(), today()), "T"), ":"), ":") = 20
Seconds: substring-after(substring-after(substring-after(substring-after(now(), today()), "T"), ":"), ":") = 39
Note: each piece can be used separately or pieced back together using the concat function.
concat(substring-before(substring-after(substring-after(now(), today()), "T"), ":"), substring-before(substring-after(substring-after(substring-after(now(), today()), "T"), ":"), ":"), substring-after(substring-after(substring-after(substring-after(now(), today()), "T"), ":"), ":") = 142039
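The four examples above, as an added Python example that is not part of the original post, so the substring semantics can be checked outside InfoPath: the XPath 1.0 string functions are reimplemented with their real rounding and out-of-range rules, today() and now() are replaced by the constructed constants TODAY and NOW, Example 4 is written with the inner calls factored out (the same functions, equivalent result), and is_safe_filename is an assumed helper that shows why the digit-only result passes a filename check where the raw now() value does not.

```python
import math
import re

# Constructed sample values that match the post's examples (a frozen clock,
# not a live call to InfoPath's today()/now()).
TODAY = "2007-02-08"
NOW = "2007-02-08T14:20:39"


def _xpath_round(x):
    """XPath round(): floor(x + 0.5); NaN and +/-Inf pass through unchanged."""
    x = float(x)
    if math.isnan(x) or math.isinf(x):
        return x
    return math.floor(x + 0.5)


def substring(s, start, length=None):
    """XPath 1.0 substring(): positions are 1-based and rounded; character i is
    kept when round(start) <= i < round(start) + round(length).
    Out-of-range values are clipped rather than raising, exactly as XPath does."""
    st = _xpath_round(start)
    end = math.inf if length is None else st + _xpath_round(length)
    # A NaN in st or end makes both comparisons false, so nothing is kept.
    return "".join(c for i, c in enumerate(s, 1) if st <= i < end)


def substring_before(s, sep):
    """XPath substring-before(): text before the first occurrence of sep, or ""."""
    idx = s.find(sep)
    return "" if idx < 0 else s[:idx]


def substring_after(s, sep):
    """XPath substring-after(): text after the first occurrence of sep, or ""."""
    idx = s.find(sep)
    return "" if idx < 0 else s[idx + len(sep):]


def concat(*parts):
    """XPath concat()."""
    return "".join(parts)


# Example 1: fixed positions in an ISO 8601 date (yyyy-mm-dd) -> yyyymmdd.
def compact_date(today):
    return concat(substring(today, 1, 4), substring(today, 6, 2), substring(today, 9, 2))


# Example 3: the same idea on now() (yyyy-mm-ddThh:mm:ss) -> yyyymmddhhmmss.
def timestamp_id(now):
    return concat(compact_date(now),
                  substring(now, 12, 2), substring(now, 15, 2), substring(now, 18, 2))


# Example 4: delimiter-based extraction of hh, mm, ss. Nothing here depends on
# character positions, only on the "T" and ":" separators.
def time_parts(now, today):
    clock = substring_after(substring_after(now, today), "T")  # "14:20:39"
    hours = substring_before(clock, ":")
    rest = substring_after(clock, ":")                           # "20:39"
    return hours, substring_before(rest, ":"), substring_after(rest, ":")


# Assumed helper: a name built only from digits passes a filename check, while
# raw now() output does not. The reserved set is the Windows one
# (\ / : * ? " < > |) plus control characters.
_ILLEGAL = re.compile(r'[\\/:*?"<>|\x00-\x1f]')


def is_safe_filename(name):
    return bool(name) and _ILLEGAL.search(name) is None


if __name__ == "__main__":
    print(compact_date(TODAY), timestamp_id(NOW), time_parts(NOW, TODAY))
    print(is_safe_filename(NOW), is_safe_filename(timestamp_id(NOW) + ".xml"))
```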
Recently I presented on Forms Authentication for SharePoint 2007 at a local event, Southern California Code Camp, and at a local user group, the San Diego .Net Developers User Group. Code Camp is a free, community-based, twice-a-year event at two locations, Cal State Fullerton (January) and UC San Diego (June); click on the link above and check out the Code Camp web page for more info and to sign up to receive information about the next event. The San Diego .Net Developers User Group is a free local user group that meets on the first Tuesday of every month; click on their link above and check out a meeting. A link to my presentation and the web.config files shown in the presentation is below, followed by some additional information on authentication.
Download: Forms Authentication Presentation Materials
What is Authentication?
"Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity." (Quoted from MSDN)
What is Authorization?
"Authorization determines whether an identity should be granted access to a specific resource." (Quoted from MSDN)
What Authentication Types are Supported by SharePoint?
In SharePoint 2003, only Active Directory authentication was supported. New to SharePoint 2007 is the extensible ASP.Net 2.0 Provider Model, which allows a range of standard authentication types and the ability to create a custom provider. Listed below are the methods available to authenticate to SharePoint 2007. Another change from SharePoint 2003 to SharePoint 2007 is Zones.
Windows (Integrated)
- NTLM (Local Users or Active Directory)
- Kerberos (Requires Active Directory)
Forms
- SQL Membership Provider
- Lightweight Directory Access Protocol (LDAP) Provider
- Active Directory Provider
- Active Directory Application Mode (ADAM)
- Custom Provider
Single Sign-On (SSO)
- Active Directory Federation Services (ADFS)
- Other Identity Management Systems (3rd party)
Here is a brief summary of each authentication type listed above.
Windows (Integrated)
NTLM - Is a challenge-response authentication protocol, which allows a client to prove its identity without sending a password to the server by creating a shared context between the two involved parties, and using a shared session key. This method is used with Active Directory or local accounts.
Kerberos - Requires a trusted third party (Active Directory) to mediate between two entities that want to authenticate to one another, such as a user and a resource. This is done through a ticketing system known as a Key Distribution Center (KDC), which in this case is Active Directory. By the way, Kerberos communications are encrypted using symmetric cryptography. Kerberos has another advantage over NTLM: delegation. It can perform a double-hop, which means Entity A can forward (delegate) a ticket to Entity B, which can then use Entity A's ticket to authenticate to Entity C. Kerberos also scales better for large environments because an entity doesn't need to request authentication from another entity to prove its identity; it just sends its ticket to that entity.
Forms - Uses an authentication ticket created when the user logs on to a site. The ticket can be contained in a cookie or passed in a query string. Each time a request is received, after the initial authentication process, the authentication cookie is retrieved, decrypted and compared with its key. The user credentials are stored in one of the user stores listed above or a custom provider can be created to use another type.
SQL Membership - Accesses user credentials from a SQL Membership Database.
Lightweight Directory Access Protocol (LDAP) - Accesses user credentials from a non-Microsoft or legacy user store.
Active Directory - Accesses user credentials from a Microsoft Active Directory user store. Can be used to access Active Directory in a different domain or in a hosting scenario.
Active Directory Application Mode (ADAM) - Accesses user credentials from an application-specific, lightweight version of Active Directory.
Custom - Accesses user credentials from a custom defined user store that is not supported by a method above or has specialized features.
Single Sign-On (SSO) - Provides access to resources across domains without the need to provide a credential every time. The simple answer is you login to your domain and through defined trusts you can be granted access to various resources outside of your own domain.
Active Directory Federation Services (ADFS) - Enables secure Single Sign-On between domains to allow entities from one domain to access entities in another domain. This can allow Company A to grant access to a resource on its domain to Company B by creating a trust relationship between the companies and allowing specific entities access to specific resources.
Other Identity Management Systems (3rd Party) - Same concept as ADFS but a 3rd-party solution with a custom SSO module. This would provide support for systems such as those made by Novell, RSA Security, IBM, Sun Microsystems, SAP and Computer Associates.
What is a Zone?
A zone serves several purposes which include Load Balancing and Authentication boundaries. SharePoint’s authentication model is specified at the Web Application level, which is associated with an IIS web site. Site Collections and sub-sites are expressed as part of the application tier and have no physical presence on the file system. If you choose to implement multiple authentication providers, you can extend the Web Application by extending additional Zones. Zones allow the site to implement additional authentication providers for the same Web Application. Zones available are Default, Intranet, Internet, Extranet and Custom; the default Zone is Default. A Web Application can use any single Zone or extend to any combination of them. When extending a Web Application to a new Zone, a new physical IIS web site is created.
An important thing to note about Zones and Authentication is that the Default Zone needs to use NTLM in order for the Search Index service to crawl content within a Site Collection. A Policy also needs to be created for the Web Application to allow the account for the Index to read all content for the Web Application.
We know the ways to authenticate to SharePoint 2007, so what do all these terms mean? Below are some links on planning your authentication for SharePoint and information about the different types of authentication.
Plan authentication methods for SharePoint 2007
http://technet2.microsoft.com/Office/en-us/library/40117fda-70a0-4e3d-8cd3-0def768da16c1033.mspx?mfr=true
Plan for user accounts and authentication - Authentication Samples
http://technet2.microsoft.com/Office/en-us/library/23b837d1-15d9-4621-aa0b-9ce3f1c7153e1033.mspx
About Microsoft NTLM Authentication
http://msdn2.microsoft.com/en-us/library/aa378749.aspx
About Microsoft Kerberos Authentication
http://msdn2.microsoft.com/en-us/library/aa378747.aspx
Understanding LDAP (Light Weight Directory Access Protocol)
http://search.technet.microsoft.com/search/Redirect.aspx?title=Understanding+LDAP+(Light+Weight+Directory+Access+Protocol)&url=http://www.microsoft.com/technet/community/events/network/tnq40004.mspx
LDAP Query Basics
http://search.technet.microsoft.com/search/Redirect.aspx?title=LDAP+Query+Basics&url=http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/ldapquery.mspx
Blog: Jeff Schroeder - Setting up ADFS for a Web Application (maybe even SharePoint 2007...)
http://blogs.interknowlogy.com/jeffschroeder/archive/2006/10/19/7053.aspx
Identity & Access Management: Create Custom Directories with ADAM
http://search.technet.microsoft.com/search/Redirect.aspx?title=Identity+%26+Access+Management%3a+Create+Custom+Directories+with+ADAM+...+&url=http://www.microsoft.com/technet/technetmag/issues/2006/07/CustomDir/default.aspx
ASP.NET 2.0 Provider Model: Introduction to the Provider Model
http://msdn2.microsoft.com/en-us/library/aa479030.aspx
ASP.Net 2.0 Provider Toolkit Samples
http://download.microsoft.com/download/a/b/3/ab3c284b-dc9a-473d-b7e3-33bacfcc8e98/ProviderToolkitSamples.msi
Tuesday, October 31, 2006
I was asked to figure out how to allow many users to fill out and edit a form based on InfoPath; however, the users may not access or see anyone else's form, and the template must be easy to manage as it is revised over time. On the surface, the answer seemed simple - you just upload the template into a SharePoint 2007 Form Library and you're set. Now you have this issue of securing the documents so Group A users can only see and edit Group A forms and Group B users can only see and edit Group B forms. OK, that is addressed by row-level security and you just assign the right group to each form. Then it was determined that each set of users would access their own site and this form is common between users to collect information. With the potential to have hundreds of sites, it doesn't make much sense any more to publish the InfoPath form to each Form Library and then try to keep track of managing the revisions to the forms over time. No problem...let's publish this form as a Content Type. That seems to have the same limitations as publishing the form to a Form Library; although it does address using more advanced features of InfoPath 2007 that are not browser-enabled, it is not going to solve my problem either. Then I remembered hearing that you can upload a Form Template in Central Administration and assign it to an entire Site Collection. This allows you to manage the form in one place and use it in many places, which fits the requirements perfectly. After some quick searching I found that the information on this seemed almost non-existent, so here is how you set up the template in InfoPath 2007 and SharePoint 2007. I ran into a minor glitch when I went back to update the template later on: there was something about a job timer not running and SharePoint listed how to solve the problem using StsAdm.exe. I might have overlooked configuring a setting at some point, but my problem was solved so I was happy.
- Configure InfoPath so your form is browser-enabled and create your template. Pay careful attention to which features are compatible with a browser-enabled form; some of the more advanced features are only available in the InfoPath 2007 client. Using the Design Checker will alert you to most of the problems you may encounter.
- Now let's publish your template and make it an Administrator Approved Template for SharePoint 2007. You'll need to select the location you'd like to publish your form to, which in this case will be a SharePoint server with or without InfoPath Form Services.
- Select the location of the SharePoint or InfoPath Form Services site you'd like to publish to.
- Check the box that says, Enable this form to be filled out by using a browser and then select the radio-button for Administrator-approved form template (advanced). This prepares the form for an Administrator to upload the form in SharePoint so it can be assigned as a Content Type to a Site Collection.
- Specify a location and filename for the form template to be saved to. This can be a file share or a SharePoint Library, but the administrator has to be able to access the file to upload the template into SharePoint.
- You can add any column names from the template that you'd like to be available to SharePoint to display in a view or to facilitate search for those fields. I chose not to use any for this scenario.
- Verify your form information and then click Publish.
- You'll see another screen that will say your form template was published successfully and it will have a note about providing your server administrator with the info provided above. Click Close.
Now onto the fun part of making this template a Content Type in SharePoint so you can use it in multiple libraries and manage the template in one location. You must have Admin rights to SharePoint Central Administration to perform this task.
- Navigate to the Central Administration home page and go to Application Management; you'll see InfoPath Form Services listed on the bottom left-hand side. Click on Upload Form Template and you'll see a screen like the one below. Find the location of the template and browse to it. (If you saved it to SharePoint you'll need to save a local copy on your computer and upload from there.)
- Once you upload the form template you'll get a message telling you it was successfully uploaded. Click OK.
- You're now taken to a screen to Manage Form Templates, you need to Activate to a Site Collection. Click on that link and select the correct Web Application and the Site Collection under that Web Application where you want the Content Type activated for your Template. Now your template will be available as a Content Type for all of your Libraries under your Site Collection.
- When you make revisions to your Form Template and need to re-publish, follow all of the steps above. You won't need to activate the template again as it has already been activated. You will probably get the same message I saw about the Timer Job Service; see the message below and perform the following action on the server to upgrade the template. I'll have to figure out how to enable the administrative service later.
"The timer job for the operation has been created. However, it cannot be run because the administrative service for this server is not enabled. To run the timer job, use the StsAdm.exe command line utility (stsadm.exe -o execadmsvcjobs)."
So run the StsAdm.exe utility on the Server running SharePoint, the process will take a few minutes to complete and then your updated template will be ready for use. The command to run is "stsadm.exe -o execadmsvcjobs", this has to be run from the directory where StsAdm.exe lives. So you'll just have to navigate to that directory in Command Prompt to run it.
Now onto setting up your Form Library or Document Library to use the Template that is now a Content Type.
- Create a new Form Library or a Document Library under your Site Collection or any of the Sites under that Site Collection. Then go into the Library and go to Settings, Form Library Settings (or Document Library Settings). Under General Settings, click on Advanced Settings and select Yes under Allow Management of Content Types then click OK.
- Find the Content Types section under Settings. Click on Add from existing site content types and select the name of the template you uploaded earlier. Set that as your default Content Type and make sure it's Visible on the New Button. You can also delete the default content type to clean up the library. Adjust your views as needed and set your permissions on the Library and your users can start filling out forms and submitting them to the library. Repeat these steps for every library you wish to use the Template in and assign user permissions as needed.
Thursday, October 19, 2006
I ran across an article in MSDN Magazine yesterday afternoon that sounds like something to try in SharePoint 2007. The scenario in the article talked about using ADFS for a Web Application to allow for Single Sign-On and better user management. I can think of some projects this could apply to. Has anyone tried this yet? I'm going to set up a test environment and see if I can get SharePoint 2007 to work with this.
The problem this could potentially solve is that Host A has a Web Application and multiple partners (Clients B, C, D, E, etc.) who want to use that Web Application and authenticate from their home domain. This means no additional logins, no extra user accounts, and a trust relationship between the domains of Host A and Clients B, C, D, E, etc. A simplified example is shown in the picture below.
Single Sign-On - A Developer's Introduction To Active Directory Federation Services
http://msdn.microsoft.com/msdnmag/issues/06/11/SingleSignOn/default.aspx
Identity & Access Management - Simplify Single Sign-on Using ADFS
http://www.microsoft.com/technet/technetmag/issues/2006/07/Simplify/
Setting Up ADFS - Constructing a Lab Environment with Virtual PC
http://pluralsight.com/wiki/default.aspx/Keith/SettingUpADFS.html
Look for an update to this one later...
Wednesday, October 11, 2006
There are so many choices when it comes to blogging these days, blogs to use and desktop applications to write to your blog. Most of it comes down to resources available and personal preference. We use .Text, so that makes the first part an easy choice. Now to find the desktop app to make things a little bit easier: I looked at BlogJet, w.bloggar and then found out about Windows Live Writer (Beta). Each of these programs has its own unique things that make it special, but they are all pretty similar to each other. I opted to take a look at using Windows Live Writer because it seemed pretty easy to use and has all the features that I seem to need, inserting pictures into my blog and being able to format text. I can also insert tags, hyperlinks and even a Windows Live Map. So I went about trying to set up my new toy and was disappointed that it didn't support my .Text blog. I tried to figure out the setup and gave up on it and started looking at BlogJet and w.bloggar. Both BlogJet and w.bloggar seem very similar and both have built-in support for .Text blogs. So I looked at my trial of BlogJet and played with it for a little bit. Then I looked at the setup for w.bloggar and then it hit me...something looks familiar here. I saw the MetablogAPI setting in Windows Live Writer earlier, so I went back to it and tried the connection string from w.bloggar for .Text. Guess what...it worked! So now I'm using it and I wanted to share the setup with you so you can give it a try with .Text or figure out how to use it with the blog of your choice.
You're going to start out by Adding a Weblog Account. You'll then be asked whether you want to use a Windows Live Spaces account or Another weblog service. Select Another weblog service as shown in the image below and click next.
Enter your weblog homepage URL, this is going to be http://yourhostname.com/yourblogfolder/. Then you'll enter your blog username and password and click next.
Now select the type of weblog that you are using, which for this setup will be Custom (Metaweblog API) and then enter your remote posting URL for your weblog. This is the special part that makes it work...if you don't have the right connection it doesn't work and this was the hard part to figure out. Enter http://yourhostname.com/yourblogfolder/services/metablogapi.aspx and click next. Then you'll get a confirmation page and click finish to complete the setup. But you're not done yet....see below for setting up your FTP connection.
Now you need to setup your FTP settings so you can publish images and files to your webserver since .Text doesn't allow you to upload directly to the weblog. Select Upload image to an FTP server and click next.
Enter your FTP settings. There is one thing to note about the FTP settings: most likely your FTP server is on a domain and uses a different username and password than your actual blog account. Your blog account is in an ASP.Net Membership database and you're using forms authentication to authenticate. So here is the setup info. Click next when you're done.
FTP hostname: yourhostname.com
Username: Domain\Username
Password: yourpassword
Publish images into this folder: /yourfoldername
URL of the image publishing folder: http://yourhostname.com/downloads/yourfolder
Click Update Style Template so you pick up your settings from your blog. Click next and then you'll get another confirmation page. Click Finish and you're done. Congratulations!!!...Windows Live Writer is now set up and ready for you to use.
You can download Windows Live Writer(Beta) from the Windows Live website as well as an SDK for it and there are a few plug-ins available for use with it as well. If you don't see what you need...then you can always create your own plug-in with the SDK. Here is the link.
http://windowslivewriter.spaces.live.com/
Happy Blogging!