Installing a Standalone Sharepoint Foundation 2010 Server

These are my notes from last week’s project, installing a SharePoint Foundation 2010 server. I wanted the following features:

  • SSL
  • Kerberos SSO Auth
  • Full-Text and PDF Searching
  • Simple single-server install

This walk-through makes the following assumptions:

  • You are running Windows Server 2008 R2.
  • You have an Active Directory Certificate Authority (for SSL).
  • Your server has a DNS entry (for SSL).

Here’s how it goes!

Install SQL

First, follow the SQL Server Express 2008 R2 installation instructions in this post: Optimized SQL Server 2008 R2 Express Installation.

Download SharePoint

Next, download SharePoint Foundation and Search Server Express.

Prepare Your System

First, configure a disk volume to store your search indexes. Make it at least 5GB and use GPT. You should now have the following disks:

  • C – System Volume, >20GB
  • D – SQL Data, >15GB
  • E – SQL Logs, >5GB
  • F – Search Indexes, >5GB

Install the SharePoint Prerequisites

  • Run “SharePointFoundation.exe”. On the setup window, choose “Install Software Prerequisites”.
  • It’s really a granny install (next, next, next). There aren’t any real decisions to make.

Install SharePoint Foundation 2010

To save time, I’m only going to create screenshots for steps requiring decisions.

  1. On the setup window, click “Install SharePoint Foundation”
  2. Accept the license agreement.
  3. When presented with the option, choose “Server Farm”
  4. On “Server Type”, choose “Complete”, but don’t move on; we’re not done here!
  5. Click the “Data Location” tab, and change the path to F:\SharePointSearch.
  6. Click “Install Now”
  7. When the installation is finished, check the box labeled “Run Sharepoint Configuration Wizard Now”, and press “OK”.
  8. On the screen “Welcome to SharePoint Products”, click “Next”.
  9. A dialog box should pop up warning you that certain services will be restarted. Click “Yes”.
  10. On the screen, “Connect to a Server Farm”, choose “Create a new server farm” and hit “Next”.
  11. On the screen, “Specify Configuration Database Settings”, set ‘Database Server’ to a dot (.), then add your user credentials in the proper boxes.
  12. On the screen “Specify Farm Security Settings”, enter a passphrase.
  13. On the screen “Configure SharePoint Central Administration Web Application”, leave the default settings (do not configure the port number) and choose “NTLM”. Click Next.
  14. On the screen, “Completing the SharePoint Products Configuration Wizard”, there are no decisions to make. Just click “Next”.
  15. Victory!

Install Search Server Express

Next, install search server by running, “SearchServerExpress.exe”.

  1. Much like the SharePoint install, at the setup screen choose “Install Software Prerequisites”, and proceed through the prerequisites install. It’s easy and there are no options.
  2. Next, choose “Install Search Server Express”.
  3. Accept the license agreement and click “Continue”.
  4. On the screen, “Choose a file location”, change the bottom path to F:\SearchServerIndex then click “Install Now”.
  5. On the success screen, choose to run the configuration wizard.
  6. On the “Welcome to SharePoint Products” screen, click “Next.”
  7. Click “Yes” to the dialog box warning that some services will be restarted.
  8. Click “Next” on the screen, “Completing the SharePoint Products Configuration Wizard”. This will upgrade your SharePoint Foundation installation to use Search Server Express.
  9. If you accidentally closed the SharePoint Configuration wizard, you can run it from the start menu. There should be a new folder in the start menu named “Microsoft SharePoint 2010 Products”. The program you want is “SharePoint 2010 Products Configuration Wizard”.
  10. On the “Configuration Successful” screen, click “Finish”. Victory!

Initial Configuration Wizard

The initial configuration wizard will set up any extra services you want to run on your farm.

The process:

  1. If necessary, start IIS manager, then right click on the SharePoint Central Administration site, choose “Manage Web Site”, then “Browse”.
  2. Choose Configuration Wizards, then “Farm Configuration”.
  3. Run the Wizard
  4. Click “Use existing managed account”, then select your username, then select which services you need, then click ‘next’.
  5. When asked about creating a site, click Skip. If we create a site here it will be permanently named ‘SharePoint – 80’. We will just end up deleting it later when configuring SSL.
  6. Once the configuration is complete, click “Finish”.

Request a Domain Certificate

Now, let’s create a root site and encrypt it. First you need a certificate.

  1. Open IIS Manager -> Server Certificates
  2. Right-Click, “Create Domain Certificate”.
  3. “Common Name” must be the FQDN of the sharepoint server. Nothing else matters.
  4. Select your Certificate Authority, and enter a local ‘Friendly’ name for the cert.

Configure the Web Application

The default SharePoint web application is named, “SharePoint – 80”. This is confusing since SSL runs on port 443. Unfortunately, the only way to rename the web application is to delete and recreate it.

  1. Open SharePoint Central Administration.
  2. Click, “Manage web applications”.
  3. Click on ‘SharePoint – 80’ to select it, then click “Delete”.
  4. For  ‘Delete content databases’ choose Yes.
    For ‘Delete IIS web sites’ choose Yes.
    Then, hit “Delete”, and hit ‘Yes’ when the warning box pops up.
  5. Click ‘New’ to create our new web application and site.
  6. Use the following options, then click OK.
    Authentication: Classic Mode Authentication
    IIS Web Site: Create a New IIS web site
    Site name: Sharepoint – 443
    Port: 443
    Security Configuration: Authentication provider NTLM; Allow Anonymous No; Use Secure Sockets Layer (SSL) Yes
    URL: https://<servername>:443
    All the other options should keep their defaults.
  7. Click OK at the success screen.

Add the SSL Certificate

  1. Open IIS Manager, Right-click “SharePoint – 443”, Click “Edit Bindings”.
  2. Click the https binding to select it, and click ‘Edit’.
  3. Select a certificate from the drop-down menu, and click OK.
  4. Click ‘Close’ to finish.

Create the Site Collection

  1. Open SharePoint Central Administration.
  2. Click “Create site collections”.
  3. Add a title and optionally a description, then type your username in the “Primary Site Collection Administrator” box, then click “OK”.

Configure the Alternate Access Mappings

Now, we need to configure the alternate access mappings.

  1. Open SharePoint Central Admin and click, “Application Management”.
  2. Next, click “Configure alternate access mappings”.
  3. Change the drop down box labeled, “Alternate Access Mapping Collection” to “Sharepoint – 443”, then click “Edit Public URLs”.
  4. Change the mappings:
    Default – https://<FQDN>
    Intranet – https://<servername>
    Custom – https://localhost
  5. Now, open a browser and navigate to https://localhost. Your site should load.
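The same mappings can be applied and checked from the SharePoint 2010 Management Shell instead of Central Administration. This is an added example, not part of the original post; the host names are constructed placeholders, the Default zone URL is assumed to have been fixed when the web application was created with https://<FQDN>, and the script assumes the SPAlternateUrl objects returned by Get-SPAlternateURL expose their zone as the UrlZone property.

```powershell
# Added example: script the alternate access mappings and verify that every
# public URL of the "Sharepoint - 443" application is HTTPS.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$fqdn      = "sharepoint.contoso.com"   # constructed: the server's FQDN
$shortName = "sharepoint"               # constructed: the NetBIOS name
$webApp    = Get-SPWebApplication "https://$fqdn"

# Zone -> public URL, as in the mapping table above. The Default zone was set
# when the web application was created, so only the other two are touched.
$wanted = @{
    "Intranet" = "https://$shortName"
    "Custom"   = "https://localhost"
}

foreach ($zone in $wanted.Keys) {
    $url = $wanted[$zone]
    # A zone's public URL is the mapping whose incoming and public URL match.
    # (Assumption: the zone is exposed as the UrlZone property.)
    $current = Get-SPAlternateURL -WebApplication $webApp |
        Where-Object { "$($_.UrlZone)" -eq $zone -and $_.IncomingUrl -eq $_.PublicUrl }
    if ($current) {
        Set-SPAlternateURL -Identity $current -Url $url -Confirm:$false
    } else {
        New-SPAlternateURL -WebApplication $webApp -Url $url -Zone $zone | Out-Null
    }
}

# Verify: a leftover http:// mapping is a way for the site to be reached in
# the clear, so every public URL must start with https://.
$problems = 0
Get-SPAlternateURL -WebApplication $webApp | ForEach-Object {
    $state = "ok"
    if ($_.PublicUrl -notlike "https://*") { $state = "NOT HTTPS"; $problems++ }
    "{0,-9} {1,-38} {2}" -f $_.UrlZone, $_.PublicUrl, $state
}
if ($problems -gt 0) { Write-Warning "$problems mapping(s) are not HTTPS" }
```

Run it in the SharePoint 2010 Management Shell as the farm administrator; the final listing is the same information as the “Edit Public URLs” page, with the HTTPS check done for you.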

It’s important that you test creating a sub site, and accessing the sub-site’s settings page. Any problems with your access mappings will reveal themselves through this process.

  1. On your site, click “Site Actions” -> “New Site”
  2. Add a title and URL, then click “Create”.
  3. On the new site, click “Site Actions” -> “Site Settings”
  4. You should see the site settings page for your test sub-site. If you get a “File not found” error, redo the alternate access mappings.

Configuring SSL for the Central Administration Site

The Process:

  1. First, edit the sharepoint central admin site bindings, and add an https binding. Open IIS Manager, then Right-Click the site “Sharepoint Central Admin”, then click “Edit Bindings”.
  2. Add a https binding, and hit OK.
    Type: https
    IP Address: All Unassigned
    Port: <add 1 to the port http is currently on>
    SSL Certificate: The domain certificate you made a few steps ago.
  3. Keep the http:80 binding for now!
  4. Hit Close on the “site bindings” window.
  5. Open a command prompt window, and run the following
    1. cd “C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN”
    2. stsadm -o setadminport -ssl -port <https binding port number>
  6. Try opening the SharePoint Central Admin site by going to https://localhost:<https binding port number>. It should work. If it doesn’t, start over from the beginning of this heading.
  7. Remove the http binding.
  8. Then, configure the alternate access mappings for the central admin site
    Default – https://<servername>.domain.tld:<https binding port number>
    Intranet – https://<servername>:<https binding port number>

Securing SharePoint – Redirecting HTTP traffic to HTTPS

This is easy.

  1. Open IIS manager.
  2. Click “Default Web Site” to select it, then double click “HTTP Redirect”.
  3. Click the checkbox, “Redirect requests to this destination”.
  4. Type in “https://<FQDN>” (example: https://sharepoint.contoso.com)
  5. Check the box “Redirect all requests to exact destination”
  6. Click “Apply”
  7. Now, right click “Default Web Site”, choose “Manage Web Site”, then click “Start”.
  8. To make this start working, you may need to open a command prompt and run “iisreset.exe /noforce”.
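The redirect can also be set with the IIS PowerShell provider and then proven to work by inspecting the 3xx response itself rather than trusting a browser that silently follows it. This is an added example, not part of the original post; the FQDN is a constructed placeholder, and the script assumes the WebAdministration module that ships with IIS 7.5 on Windows Server 2008 R2.

```powershell
# Added example: apply the three HTTP Redirect settings from the walk-through
# and check that plain-HTTP requests are answered with a redirect to HTTPS.
Import-Module WebAdministration

$fqdn   = "sharepoint.contoso.com"       # constructed: the server's FQDN
$site   = "IIS:\Sites\Default Web Site"  # the port-80 site that only redirects
$filter = "system.webServer/httpRedirect"

# Same settings as the IIS Manager steps above.
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name enabled          -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name destination      -Value "https://$fqdn"
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name exactDestination -Value $true
Start-Website -Name "Default Web Site"

function Test-HttpRedirect {
    param([string]$Url, [string]$ExpectedPrefix)
    # Do not follow the redirect: the point is to look at the 3xx and its
    # Location header. A 3xx does not throw when AllowAutoRedirect is off.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    try {
        $resp     = $req.GetResponse()
        $code     = [int]$resp.StatusCode
        $location = $resp.Headers["Location"]
        $resp.Close()
    } catch [System.Net.WebException] {
        return "FAIL: $Url -> $($_.Exception.Message)"
    }
    if ($code -ge 300 -and $code -lt 400 -and $location -like "$ExpectedPrefix*") {
        return "ok: $Url -> $code $location"
    }
    return "FAIL: $Url -> $code $location"
}

# With "exact destination" on, every path redirects to the site root.
Test-HttpRedirect -Url "http://$fqdn/"            -ExpectedPrefix "https://$fqdn"
Test-HttpRedirect -Url "http://$fqdn/sites/test/" -ExpectedPrefix "https://$fqdn"
```

If the first check fails with a connection error, the port-80 site is not started or the 80 binding still belongs to another site; if it returns a 200, the redirect settings did not apply to this site.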

Securing SharePoint – Creating Accounts

Now that we’re rollin’, you need to create some AD accounts. Figuring out exactly what you need is difficult at best; I wish someone would just post a quick table illustrating some form of standardized SharePoint service account naming convention! The MS column lists usernames that previous Microsoft documentation has suggested. The Community column is, as far as I can tell, the actual standard naming practice as of today. I recommend using the community names.

Role                                          Username (MS)   Username (Community)
--------------------------------------------  --------------  --------------------
SQL Service                                   mosssqlsvc      sp_sql
Farm Admin Account                            mossfarmadmin   sp_farm
Foundation Search Service                     wsssearch       sp_foundsearch
Foundation Search Content Access              wsscrawl        sp_foundsearchCA
Server Search Service                         mossearch       sp_search
Server Search Content Access                  mosscrawl       sp_searchaccess
App Pool for Portal (root)                    portalpool      sp_apppool
App Pool for My Site                          mysitepool      sp_mysite
Sharepoint 2010 Timer Service                 mossfarmadmin   sp_farm
Sharepoint Foundation Sandboxed Code Service  -               sp_sandbox
Web Analytics Data Processing Service         -               sp_webdata

And, wouldn’t it be great if there were a powershell script to create those accounts for you? Copy and paste this into notepad, and save it as “Create-SPAccounts.ps1”. Now, open powershell, and execute the command, “Set-ExecutionPolicy Unrestricted”. That allows you to run scripts. Then, run the script you just saved.


#create-spaccounts.ps1
# John Puskar, 2010
# gmail\johnpuskar

# Account name -> description, one entry per row of the table above.
$hshUsers = @{}
#$hshUsers.add("test101010","SharePoint Foundation auto account test!")
$hshUsers.add("sp_sql","SharePoint SQL Service")
$hshUsers.add("sp_farm","SharePoint Farm Admin")
$hshUsers.add("sp_foundsearch","SharePoint Foundation Search")
$hshUsers.add("sp_foundsearchCA","SharePoint Foundation Search Content Access")
$hshUsers.add("sp_search","Search Server Service")
$hshUsers.add("sp_searchAccess","Search Server Content Access")
$hshUsers.add("sp_appPool","Sharepoint Foundation Default Application Pool")
$hshUsers.add("sp_rootSite","Sharepoint Foundation Root Site Application Pool")
$hshUsers.add("sp_Sandbox","SharePoint Foundation Sandboxed Code")
$hshUsers.add("sp_WebData","SharePoint Foundation Web Analytics Data Processing")

###REF: http://www.pctools.com/guides/password/
# One initial password for every account; SharePoint replaces it once
# automatic password change is enabled (see below).
$password = "yUWAtuweKega5AcrAc43e6u&u"

# Bind to the default Users container of the current domain.
$domainRoot = ([adsi]'').distinguishedName
$strOUDN = "CN=Users," + $domainRoot
$objOU = [adsi]("LDAP://" + $strOUDN)

foreach ($sAMAccountName in $hshUsers.Keys) {
    $description = $hshUsers.Get_Item($sAMAccountName)
    $objUser = $objOU.Create("user","cn=$sAMAccountName")
    $objUser.Put("sAMAccountName",$sAMAccountName)
    $objUser.Put("description",$description)
    # The object must be written to the directory before a password can be set.
    $objUser.SetInfo()
    $objUser.SetPassword($password)
    # Users created through ADSI start out disabled; 512 = NORMAL_ACCOUNT, enabled.
    $objUser.Put("userAccountControl",512)
    $objUser.SetInfo()
}

You might notice that the same password is used for all the accounts: “yUWAtuweKega5AcrAc43e6u&u”. This is OK because SharePoint Foundation 2010 will auto-change passwords for you.

Next, log in to the SharePoint Central Admin site (IIS Manager -> Sharepoint Central Admin -> Right-Click, All Tasks, Browse).

Click “Security”, then “Configure Service Accounts”.

Make your roles\accounts look like the following table, and enable password auto-change on all of them.

Role                                                                    Username
----------------------------------------------------------------------  ------------
Farm Account                                                            sp_farm
Windows Service – Claims to Windows Token Service                       Local System
Windows Service – Microsoft SharePoint Foundation Sandboxed Code Service  sp_sandbox
Windows Service – SharePoint Foundation Search                          sp_foundsearch
Windows Service – SharePoint Server Search                              sp_search
Windows Service – Web Analytics Data Processing Service                 sp_webdata
Web Application Pool – SharePoint – 443                                 sp_rootsite
Service Application Pool – SecurityTokenServiceApplicationPool          sp_apppool
Service Application Pool – SharePoint Web Services Default              sp_apppool
Service Application Pool – SharePoint Web Services System               sp_apppool

Configuring Kerberos

Ahh Kerberos. Not nearly as bad as anyone makes it out to be. I’m sure it’s actually much worse and I’m just missing something… (if so, LET ME KNOW!).

First, you need to set the SPNs. Before you set an SPN, always make sure it doesn’t already exist, or you will get duplicates that break everything (so they say). Our purpose for SPNs is user-centric. The following command will list the SPNs on a user:

  • setspn -L <username>

So, run it on the users before you add any new SPNs to that user. Skip any SPNs that already exist. To add an SPN:

  • setspn -A <spn> <username>

You need to set the following SPNs. They are case sensitive. It’s supposed to be HTTP even if you’re using SSL. DO NOT USE HTTP:// OR HTTPS:// HERE, we’re not making URLs!

SPN                                         User
------------------------------------------  -----------
HTTP/<servername>.domain.tld                sp_rootsite
HTTP/<servername>                           sp_rootsite
HTTP/<servername>.domain.tld                sp_apppool
HTTP/<servername>                           sp_apppool
HTTP/<servername>.domain.tld:<adminport>    sp_farm
HTTP/<servername>:<adminport>               sp_farm

So, for example:

  • setspn -A HTTP/sharepoint.microsoft.com sp_rootsite
  • setspn -A HTTP/sharepoint sp_rootsite
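The “check first, then add” routine above can be made mechanical so that a duplicate never slips in. This is an added example, not part of the original post; the host names, admin port and account names are constructed placeholders matching the table, and the script assumes the setspn.exe that ships with Windows Server 2008 R2, whose -S switch refuses to add an SPN that already exists anywhere in the forest and whose -Q output ends in “Existing SPN found!” when it does (the text is parsed, not the exit code). One caveat a practitioner should know: an SPN can be registered on only one account in the forest, so the second registration of HTTP/<FQDN> in the table above (sp_apppool after sp_rootsite) is exactly the duplicate the text warns about; the script below therefore assigns each name once, to the account that runs the “SharePoint – 443” application pool, and the admin-port names to the farm account.

```powershell
# Added example: register the HTTP SPNs idempotently, refusing duplicates.
$fqdn      = "sharepoint.contoso.com"   # constructed: the server's FQDN
$shortName = "sharepoint"               # constructed: the NetBIOS name
$adminPort = 9443                       # constructed: Central Admin HTTPS port

# SPN -> account. Each SPN appears exactly once.
$spns = @{
    "HTTP/$fqdn"                   = "sp_rootsite"
    "HTTP/$shortName"              = "sp_rootsite"
    "HTTP/${fqdn}:$adminPort"      = "sp_farm"
    "HTTP/${shortName}:$adminPort" = "sp_farm"
}

function Get-RegisteredSpn {
    # SPNs already on an account, as "setspn -L" prints them (one per line,
    # indented under the account's distinguished name).
    param([string]$Account)
    & setspn.exe -L $Account | ForEach-Object { $_.Trim() } | Where-Object { $_ -like "*/*" }
}

function Test-SpnExists {
    # "setspn -Q" searches the forest and prints "Existing SPN found!" when
    # any object holds the SPN. (Assumption: text is parsed, not exit code.)
    param([string]$Spn)
    $out = & setspn.exe -Q $Spn
    return [bool]($out -match "Existing SPN found")
}

foreach ($spn in $spns.Keys) {
    $account = $spns[$spn]
    if ((Get-RegisteredSpn -Account $account) -contains $spn) {
        "skip   $spn is already on $account"
        continue
    }
    if (Test-SpnExists -Spn $spn) {
        Write-Warning "$spn is registered on another account; run 'setspn -Q $spn' and remove the duplicate before adding it to $account"
        continue
    }
    # -S re-checks for duplicates inside setspn and refuses if one exists.
    & setspn.exe -S $spn $account | Out-Null
    if ($LASTEXITCODE -eq 0) { "added  $spn -> $account" }
    else { Write-Warning "setspn -S $spn $account failed (exit code $LASTEXITCODE)" }
}

# Final listing, the same check as "setspn -L" in the text.
foreach ($account in ($spns.Values | Sort-Object -Unique)) {
    "--- $account ---"
    & setspn.exe -L $account
}
```

Run it once as a domain administrator; running it again is harmless, since every SPN that is already in place is reported as skipped.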

Get it? Now that your SPN’s are set, configure IIS to use Kerberos.

  • IIS Manager -> Authentication
    • Windows Authentication: Enabled
    • Advanced Settings: Kernel Mode and Extended Protection (EAP): Off
    • Providers: Negotiate: Kerberos (Add, move to top).
  • Open a command prompt and run “iisreset /noforce”
  • If using sharepoint by FQDN (e.g. http->s redirection), make sure the FQDN is listed in “Intranet Sites” in IE \ Internet Options. This is a killer, and I’ll explain later how to do so with a GPO.

Now, configure SharePoint to use Kerberos as its authentication provider.

  • login to the SharePoint Central Admin site.
  • click “Manage Web Applications”
  • click “SharePoint – 443”
  • click “Authentication Providers”
  • click “default”
  • Scroll half-way down and make sure “Integrated Windows Authentication” is checked, then click the “negotiate (Kerberos)” button.
  • Scroll down and hit “save”.
  • login to another computer with your domain account, add the FQDN to the “Intranet Sites” list in IE, then hit up your root site. Did it work? Congrats! Kerberos is working. Now, go make the same change for your “SharePoint Central Administration v4” site.
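“Did it work?” can be answered more precisely than by watching a page load, because a browser that falls back to NTLM also loads the page. This is an added example, not part of the original post, to be run on the domain-joined client mentioned in the last step; the host name is a constructed placeholder, and the script assumes the klist.exe and PowerShell 2.0 that ship with Windows 7 / Server 2008 R2.

```powershell
# Added example: purge the ticket cache, make one authenticated request, and
# confirm that a Kerberos service ticket for HTTP/<FQDN> was obtained.
$fqdn = "sharepoint.contoso.com"   # constructed: the site's FQDN

function Test-KerberosTicket {
    param([string]$HostName)
    & klist.exe purge | Out-Null                 # start from an empty cache

    # WebClient with default credentials performs Integrated Windows auth the
    # same way the browser does (Negotiate: Kerberos if an SPN resolves,
    # otherwise NTLM).
    $client = New-Object System.Net.WebClient
    $client.UseDefaultCredentials = $true
    try   { $null = $client.DownloadString("https://$HostName/") }
    catch { return "FAIL: request error: $($_.Exception.Message)" }

    # klist prints one "Server: HTTP/host @ REALM" line per service ticket.
    $pattern = "^\s*Server:\s+HTTP/$([regex]::Escape($HostName))\s*@"
    $tickets = & klist.exe | Where-Object { $_ -match $pattern }
    if ($tickets) { return "ok: Kerberos ticket obtained for HTTP/$HostName" }
    return "FAIL: no HTTP/$HostName ticket; the client fell back to NTLM (check the SPNs, the Intranet-zone entry in IE and the Negotiate provider order)"
}

Test-KerberosTicket -HostName $fqdn
```

The server-side counterpart is the Security event log on the SharePoint box: logon event 4624 for the test user should show “Authentication Package: Kerberos”; an entry showing NTLM means the client never got a ticket even though the page loaded.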

Configuring SharePoint Indexing

First, let’s configure crawling. Go back to SharePoint Central Administration.

  1. Click “General Application Settings”.
  2. Click “Farm Search Administration”.
  3. Click “Search Service Application”.
  4. Click “Content Sources”.
  5. Click the drop-down arrow for your site’s content source, and click “Edit”.
  6. Make sure your start address is https://<FQDN&gt;, create a full and incremental crawl schedule, and hit “OK”.
  7. Click the drop-down arrow for your site’s content source, and click “Start Full Crawl”.
  8. If you get SSL warning errors because you’re using a self-signed certificate, you’ll have to click “Farm Search Administration”, then under “Ignore SSL warnings” click “No”, and change it to “Yes”. Make sure to undo this once you have your certificate in order!
  9. Once your crawl is complete, click “Crawl Log”
  10. You should see successes and no warnings or errors.

Configuring PDF Search

Troubleshooting and References

See my wiki page

To Do \ Wish-List:

  • Document configuring search
  • Document configuring PDF search
  • Document GPO for adding sharepoint to Intranet Sites in IE
  • Install Sharepoint Foundation CU’s
  • Understand Report Services with SharePoint and what it can do
  • Understand how to integrate Visio, Project, OneNote, and Outlook with SharePoint effectively.
  • Understand what PowerPivot is and what it can do