
Deployment for Office SharePoint Server 2007

Microsoft Corporation
Published: March 2009
Author: Microsoft Office System and Servers Team (o12ITdx@microsoft.com)

Abstract
This book provides deployment instructions for Microsoft Office SharePoint Server 2007. The
audiences for this book include application specialists, line-of-business application specialists,
and IT administrators who are ready to deploy Office SharePoint Server 2007 and want
installation steps. Before using the instructions in this book, you should read Planning and architecture for Office SharePoint Server (http://technet.microsoft.com/en-us/library/cc261834.aspx) and plan your deployment. For a complete list of downloadable books
for Office SharePoint Server 2007, see Downloadable books for Office SharePoint Server 2007
(http://technet.microsoft.com/en-us/library/cc262788.aspx).
The content in this book is a copy of selected content in the Office SharePoint Server technical
library (http://go.microsoft.com/fwlink/?LinkId=84739) as of the publication date. For the most
current content, see the technical library on the Web.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, email address, logo, person, place
or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer,
OneNote, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and
Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

Contents
Deployment for Office SharePoint Server 2007........................................................................1
Abstract..............................................................................................................................1

Contents...................................................................................................................................iii

Getting Help...........................................................................................................................xiv

Roadmap to Office SharePoint Server 2007 content................................................................1


Office SharePoint Server 2007 content by audience................................................................1
Office SharePoint Server 2007 IT professional content by stage of the IT life cycle.................2
Evaluate.............................................................................................................................3
Plan....................................................................................................................................3
Deploy................................................................................................................................4
Operate..............................................................................................................................6
Security and Protection......................................................................................................6
Technical Reference...........................................................................................................7

Deployment worksheets for Office SharePoint Server 2007.....................................................8


Deployment worksheets by task...............................................................................................8
Deployment worksheets by title................................................................................................9

I. End-to-end deployment scenarios.......................................................................................11

Chapter overview: End-to-end deployment scenarios............................................................12

Install Office SharePoint Server 2007 on a stand-alone computer.........................................14


Hardware and software requirements.....................................................................................14
Configure the server as a Web server....................................................................................15
Install and configure IIS....................................................................................................15
Install the Microsoft .NET Framework version 3.0............................................................15
Enable ASP.NET 2.0........................................................................................................16
Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005 Express Edition.................................................................................................16
Post-installation steps.............................................................................................................18

Deploy in a simple server farm ..............................................................................................20


Deployment overview.............................................................................................................20
Suggested topologies.......................................................................................................21
Before you begin deployment...........................................................................................21
Overview of the deployment process...............................................................................22
Deploy and configure the server infrastructure.......................................................................23
Security account requirements.........................................................................................23
Prepare the database server............................................................................................23

Verify that servers meet hardware and software requirements........................................26
Run Setup and build the farm...........................................................................................28
Run Setup on the first server............................................................................................30
Run the SharePoint Products and Technologies Configuration Wizard............................31
Add the SharePoint Central Administration Web site to the list of trusted sites................32
Configure proxy server settings to bypass the proxy server for local addresses..............33
Add servers to the farm....................................................................................................33
Run the SharePoint Products and Technologies Configuration Wizard on additional servers..........................................................................................................35
Start the Windows SharePoint Services Search service (optional)..................................35
Stop the Central Administration service on all index servers............................................36
Disable the Windows SharePoint Services Web Application service on all servers not serving content.............................................................................................36
Create and configure a Shared Services Provider..................................................................37
Start the Office SharePoint Server Search service..........................................................37
Create a Web application to host the SSP and create the SSP.......................................39
Perform additional configuration tasks....................................................................................40
Create a site collection and a SharePoint site........................................................................41
Configure the trace log...........................................................................................................46

Deploy using DBA-created databases....................................................................................48


About deploying by using DBA-created databases.................................................................48
Required database hardware and software............................................................................49
Required accounts..................................................................................................................49
Create and configure the databases.......................................................................................51

Deploy a simple farm on the Windows Server 2008 operating system...................................58


Deployment overview.............................................................................................................58
Suggested topologies.......................................................................................................59
Before you begin deployment...........................................................................................59
Overview of the deployment process...............................................................................60
Deploy and configure the server infrastructure.......................................................................60
Prepare the database server............................................................................................60
Verify that servers meet hardware and software requirements........................................63
Run Setup on all servers in the farm................................................................................64
Run the SharePoint Products and Technologies Configuration Wizard..................................77
Run the SharePoint Products and Technologies Configuration Wizard on additional servers..........................................................................................................83
Start the Windows SharePoint Services Search Service.................................................84
Configure Windows Firewall with Advanced Security.......................................85
Perform additional configuration tasks....................................................................................88
Create a site collection and a SharePoint site........................................................................89
Configure the trace log...........................................................................................................93
Configure Windows Server Backup..................................................................................94

Install Office SharePoint Server 2007 by using the command line.........................................96


Install software requirements..................................................................................................96
Determine required accounts for installation...........................................................................97
Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt......99
Configure the server by using the Psconfig command-line tool............................................101
Configure SharePoint Server 2007 on a stand-alone server..........................................102
Configure SharePoint Server 2007 on a farm................................................................102
Perform additional configuration tasks..................................................................................104
Create a Shared Services Provider (SSP) by using the Stsadm command-line tool............105
Create a site collection by using the Stsadm command-line tool..........................................107
Configure the trace log.........................................................................................................109

Install Office SharePoint Server 2007 with least privilege administration by using the command line....................................................................................................111
Install software requirements................................................................................................112
Determine required accounts for least-privilege administration............................................112
Install Microsoft Office SharePoint Server 2007 by using least-privilege administration.......115
Configure the server by using the Psconfig command-line tool............................................117
Configure SharePoint Server 2007 on a stand-alone server..........................................117
Configure SharePoint Server 2007 on a farm.................................................................118
Perform additional configuration tasks..................................................................................120
Create a Shared Services Provider by using the Stsadm command-line tool.......................120
Create a site collection by using the Stsadm command-line tool..........................................123
Configure the trace log.........................................................................................................124

Migrate a stand-alone installation to a server farm installation.............................................126


Install SharePoint Portal Server 2007 on a new farm...........................................................127
Prepare servers for installation.......................................................................................127
Install SharePoint Server 2007 and configure the server by using the SharePoint Products and Technologies configuration wizard........................................................128
Migrate data from the stand-alone server.............................................................................129
Stsadm Command-Line Tool..........................................................................................131
Create and attach data from the Shared Services Provider (SSP).......................................132
Attach site collection data from content databases...............................................................133

Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008..........................................................................................................135
Hardware and software requirements...................................................................................136
IIS 6.0 Management Compatibility role service..............................................................136
Microsoft .NET Framework version 3.0..........................................................................136
Perform installation steps.....................................................................................................137
Configure SharePoint Products and Technologies.........................................................138
Perform post-installation steps.............................................................................................140
Configure the trace log.........................................................................................................141
Configure Windows Server Backup......................................................................................142

II. Install Office SharePoint Server 2007 in a server farm environment................................144

Chapter overview: Install Office SharePoint Server 2007 in a server farm environment.......145
Suggested topologies...........................................................................................................145
Before you begin deployment...............................................................................................146
Overview of the deployment process....................................................................................147
Phase 1: Deploy and configure the server infrastructure...............................................147
Phase 2: Create and configure a Shared Services Provider..........................................148
Phase 3: Deploy and configure SharePoint site collections and sites............................148

Prepare the database servers..............................................................................................149


SQL Server and database collation......................................................................................149
Required accounts................................................................................................................149
Preinstall databases (optional).............................................................................................150

Prepare the Web and application servers.............................................................................151


Install the Microsoft .NET Framework version 3.0................................................................151
Enable ASP.NET 2.0.............................................................................................................151

Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies configuration wizard..........................................................................................152
Recommended order of configuration..................................................................................152
Add servers to the farm..................................................................................................154
Run Setup on the first server................................................................................................154
Run the SharePoint Products and Technologies Configuration Wizard................................155
Add the SharePoint Central Administration Web site to the list of trusted sites....................157
Configure proxy server settings to bypass the proxy server for local addresses..................157
Add servers to the farm........................................................................................................157
Run the SharePoint Products and Technologies Configuration Wizard on additional servers..........................................................................................................159
Start the Windows SharePoint Services Search service (optional).......................................160
Stop the Central Administration service on all index servers................................................160
Disable the Windows SharePoint Services Web Application service on all servers not serving content..............................................................................................161

Deploy language packs........................................................................................................162


About language IDs and language packs.............................................................................162
Preparing your front-end Web servers for language packs...................................................164
Installing language packs on your front-end Web servers....................................................165

III. Create and configure Shared Services Providers............................................................168

Chapter overview: Create and configure Shared Services Providers...................................169

Configure the primary Shared Services Provider..................................................................170


Create the Shared Services Provider...................................................................................170
Create a new SSP................................................................................................................172
Associate an SSP with a Web application............................................................................173

Configure the Office SharePoint Server Search service.......................................................174
Server-level configuration.....................................................................................................174
Install protocol handlers.................................................................................................174
Install and register IFilters..............................................................................................175
Farm-level configuration.......................................................................................................177
Create crawler impact rules............................................................................................177
Configure farm-level search settings..............................................................................178
Configure the trace log...................................................................................................179
SSP-level configuration........................................................................................................180
Open the administration page for the SSP.....................................................................180
Specify the default content access account...................................................................180
Create content sources..................................................................................................180
Create crawl rules..........................................................................................................182
Reorder your crawl rules................................................................................................183
Configure the file type inclusions list..............................................................................184
Crawl the content...........................................................................................................184
Create managed properties............................................................................................185
Create shared scopes....................................................................................................186
Create scope rules.........................................................................................................187
Specify authoritative pages............................................................................................191
Create server name mappings.......................................................................................192
Manage search-based alerts..........................................................................................192
Site collection–level configuration.........................................................................................193
Create scopes at the site collection level.......................................................................193
Create scope rules at the site collection level................................................................194
Manage display groups..................................................................................................196
Create keywords and Best Bets.....................................................................................198

A. Configure personalization.................................................................................................200

Chapter overview: Configure personalization.......................................................................201


Configure personalization permissions.................................................................................201
Configure connections to personalization services...............................................................201
Configure targeted content...................................................................................................202
Configure personalization sites.............................................................................................202
Configure policies for Profile Services..................................................................................202

Configure personalization permissions.................................................................................203


Configure SSP administrator permissions for Profile Services.............................................203
Configure access to the SSP pages.....................................................................................204
Configure user permissions for personalization....................................................................205
Configure access to trusted My Site host locations..............................................................206

Configure connections to Profile Services............................................................................208


Configure import settings......................................................................................................208
Add import connections........................................................................................................209

Configure user profiles.........................................................................................................213

Configure targeted content...................................................................................................216


Create and configure audiences...........................................................................................216
Configure published links to Office client applications..........................................................218
Configure personalization site links......................................................................................218
Configure access to trusted My Site host locations..............................................................219

Configure personalization sites.............................................................................................221


Create personalization sites.................................................................................................221
Design personalization sites.................................................................................................222
Target personalization site links............................................................................................222

Configure policies for Profile Services..................................................................................224


Configure policies for personalization features.....................................................................224
Configure policies for user profiles.......................................................................................225

B. Configure business intelligence features..........................................................................228

Chapter overview: Configure business intelligence features................................................229


Configure access to business data.......................................................................................229
Register line-of-business applications in the Business Data Catalog...................................229
Customize business data lists, Web Parts, and sites............................................................230
Configure business data search...........................................................................................230

Configure access to business data.......................................................................................231


Configure SSP administrator rights for the Business Data Catalog......................................231
Configure access to the SSP pages.....................................................................................232
Configure application definitions and single sign-on for the Business Data Catalog............233
Configure data warehousing.................................................................................................234
Configure permissions for business data..............................................................................235

Register business applications in the Business Data Catalog..............................................237


Create application definitions................................................................................................237
Import application definitions................................................................................................238
Configure enterprise application definitions for single sign-on..............................................238
Configure business data types and fields.............................................................................240
Manage permissions for an application or entity............................................................240
Add business data actions for an entity..........................................................................241
Edit the profile page template.........................................................................................242

Customize business data lists, Web Parts, and sites............................................................243


Create business data lists.....................................................................................................243
Create KPIs and KPI lists.....................................................................................................244
Create and configure reports in the Report Center site........................................................245
Create and configure dashboard sites..................................................................................245
Create other business data sites..........................................................................................246

Configure business data search...........................................................................................248
Ensure availability of business data......................................................................................248
Configure and crawl business data content sources............................................................248
Configure and customize query options for business data...................................................249

C. Configure Excel Services.................................................................................................251

Chapter overview: Configure Excel Services........................................................................252


About Excel Services configuration......................................................................................252

Add a trusted file location.....................................................................................................253


About trusted file locations....................................................................................................253
Add a trusted file location.....................................................................................................253

Start the Single Sign-On service...........................................................................................255


About single sign-on authentication......................................................................................255
Start the Single Sign-On service...........................................................................................255

Manage settings for single sign-on.......................................................................................256


About single sign-on settings................................................................................................256
Manage single sign-on settings............................................................................................256

Add a trusted data provider..................................................................................................257


About trusted data providers.................................................................................................257
Add a trusted data provider..................................................................................................257

Add a trusted data connection library...................................................................................259


About trusted data connection libraries................................................................................259
Add a trusted data connection library...................................................................................259

Enable user-defined functions..............................................................................................261


About user-defined functions................................................................................................261
Enable user-defined functions..............................................................................................261
Enable user-defined functions for workbooks in a trusted file location.................................262

D. Configure InfoPath Forms Services.................................................................................263

Configure InfoPath Forms Services for Office SharePoint Server........................................264


Configure InfoPath Forms Services using Central Administration........................................264

Configure session state for InfoPath Forms Services...........................................................267


Configure session state for Forms Services.........................................................................267
Session state versus Form view...........................................................................................267

E. Configure Office Project Server........................................................................................269

Deploy Project Server 2007 with Office SharePoint Server 2007.........................................270

IV. Perform additional configuration tasks.............................................................................271

Chapter overview: Additional configuration tasks.................................................................272
Configure additional administrative settings.........................................................................272

Configure incoming e-mail settings.......................................................................................274


Install and configure the SMTP service................................................................................275
Start the Windows SharePoint Services Web Application service..................................275
Install the SMTP service.................................................................................................275
Configure the SMTP service..........................................................................................276
Add an SMTP connector in Exchange Server................................................................277
Configure Active Directory....................................................................................................277
Configure Active Directory under atypical circumstances...............................................279
To delegate full control of the organizational unit to the Central Administration application pool account...............................................................................................279
To add the Delete Subtree permission for the Central Administration application pool account.......................................................................................................280
Configure permissions to the e-mail drop folder...................................................................281
Configure e-mail drop folder permissions for the logon account for the Windows SharePoint Services Timer service.............................................................................281
Configure e-mail drop folder permissions for the application pool account for a Web application...................................................................................................281
Configure DNS Manager......................................................................................................282
Configure attachments from Outlook 2003...........................................................................283
Configure incoming e-mail settings.......................................................................................283
Configuring incoming e-mail on SharePoint sites.................................................................285

Configure outgoing e-mail settings.......................................................................................286


Install and configure the SMTP service................................................................................286
Install the SMTP service.................................................................................................286
Configure the SMTP service..........................................................................................287
Configure outgoing e-mail settings.......................................................................................288

Configure outgoing e-mail settings for a specific Web application........................................289


Install and configure the SMTP service................................................................................289
Install the SMTP service.................................................................................................289
Configure the SMTP service..........................................................................................290
Configure outgoing e-mail settings.......................................................................................291

Configure workflow settings..................................................................................................292


Configuring workflow settings...............................................................................................292

Configure diagnostic logging settings...................................................................................294


Customer Experience Improvement Program.......................................................................294
Error reports.........................................................................................................................294
Event throttling......................................................................................................................295
Configuring diagnostic logging settings................................................................................296

Configure single sign-on.......................................................................................................298

Configure and start the Microsoft Single Sign-On service....................................................298
Configure Single Sign-On for Office SharePoint Server 2007..............................................299
Manage the encryption key...................................................................................................301
Create a new encryption key..........................................................................................301
Back up an encryption key.............................................................................................302
Restore an encryption key.............................................................................................302
Manage enterprise application definitions............................................................................302
Manage account information for an enterprise application definition....................................303

Configure antivirus settings..................................................................................................305


Administrative credentials.....................................................................................................305

Configure authentication.......................................................................................................306
Office SharePoint Server authentication...............................................................................306
Windows authentication provider..........................................................................................307
Forms authentication provider..............................................................................................310
Web single sign-on (SSO) authentication provider...............................................................310

Configure anonymous access...............................................................................................311


About anonymous access.....................................................................................................311
Enable anonymous access for a zone..................................................................................311
Enable anonymous access for individual sites.....................................................................312
Enable anonymous access for individual lists.......................................................................313

Configure digest authentication............................................................................................314


About digest authentication..................................................................................................314
Enable digest authentication for a zone of a Web application..............................................315
Configure IIS to enable digest authentication.......................................................................315

Configure forms-based authentication..................................................................................317


About forms-based authentication........................................................................................317
Configure forms-based authentication across multiple zones...............................................320
Configure forms-based authentication for My Sites Web applications..................................321
Configure the SSP for forms-based authentication...............................................................324
Configure user profiles and people search...........................................................................326

Configure Web SSO authentication by using ADFS.............................................................328


About federated authentication systems...............................................................................328
Before you begin..................................................................................................................328
Configuring your extranet Web application to use Web SSO authentication........................329
Allowing users access to your extranet Web site..................................................................331
About using Central Administration................................................................................333
Working with the People Picker............................................................................................334
Working with E-mail and UPN claims...................................................................................335
Working with groups and organizational group claims..........................................................335

Configure Kerberos authentication.......................................................................................338

About Kerberos authentication.............................................................................................338
Before you begin..................................................................................................................339
Software version requirements.......................................................................................340
Known issues.................................................................................................................340
Additional background....................................................................................................341
Server farm topology......................................................................................................342
Active Directory, computer naming, and NLB conventions.............................................343
Active Directory domain account conventions................................................................344
Preliminary configuration requirements..........................................................................345
Configure Kerberos authentication for SQL communications...............................................345
Create the SPNs for your SQL Server service account..................................................346
Confirm Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to SQL Server.........................................................................346
Configure Internet Explorer to include port numbers in Service Principal Names.................348
Create Service Principal Names for your Web applications using Kerberos authentication. 349
Deploy the server farm.........................................................................................................350
Install Office SharePoint Server 2007 on all of your servers..........................................350
Run the SharePoint Products and Technologies Configuration Wizard and create a new farm............................................................................................................351
Run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm......................................................................................353
Configure services on servers in your farm..........................................................................354
Windows SharePoint Services Search...........................................................................354
Index server...................................................................................................................354
Query server..................................................................................................................355
Create Web applications using Kerberos authentication......................................................355
Create the portal site Web application............................................................................355
Create the My Site Web application...............................................................................356
Create the Shared Services Administration site Web application...................................356
Create a site collection using the Collaboration Portal template in the portal site Web application.........................................................................................................357
Create a Shared Services Provider for your farm.................................................................358
Confirm successful access to the Web applications using Kerberos authentication.............358
Confirm correct Search Indexing functionality......................................................................361
Confirm correct Search Query functionality..........................................................................361
Configure your SSP infrastructure for Kerberos authentication............................................362
Register new custom-format SPNs for your SSP service account in Active Directory..........363
Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication....................................................................................................364
Add a new registry key to all of your servers running Office SharePoint Server to enable generation of the new custom-format SPNs......................................................................364
Confirm Kerberos authentication for root-level shared services access...............................365
Confirm Kerberos authentication for virtual-directory-level shared services access.............366
Configuration limitations.......................................................................................................368

Additional resources and troubleshooting guidance ............................................................368

Run the Best Practices Analyzer tool....................................................................................370

Configure usage reporting....................................................................................................371


About usage reporting..........................................................................................................371
Enable Windows SharePoint Services usage logging..........................................................372
Enable usage reporting........................................................................................................373
Activate usage reporting.......................................................................................................373
Monitor usage reporting........................................................................................................374

V. Deploy and configure SharePoint sites.............................................................................375

Chapter overview: Deploy and configure SharePoint sites...................................................376

Create or extend Web applications.......................................................................................378


Create a new Web application..............................................................................................378
Extend an existing Web application......................................................................................380

Configure alternate access mapping....................................................................................382


Manage alternate access mappings.....................................................................................382
Add an internal URL.............................................................................................................382
Edit or delete an internal URL...............................................................................................383
Edit public URLs...................................................................................................................383
Map to an external resource.................................................................................................383

Create zones for Web applications.......................................................................................385


Create a new zone...............................................................................................................385
View existing zones..............................................................................................................385

Create quota templates........................................................................................................386


Create a new quota template................................................................................................386
Edit an existing quota template.............................................................................................387
Delete a quota template.......................................................................................................387

Create a site collection.........................................................................................................388


Create a site collection.........................................................................................................388

Create a blank site to migrate content into...........................................................................390


Create a site collection.........................................................................................................390

Add site content....................................................................................................................392


Use Web site designers to design and add content..............................................................392
Migrate content from another site.........................................................................................393
Allow users to add content directly.......................................................................................393

Enable access for end users................................................................................................394


Add site collection administrators.........................................................................................395
Add site owners or other users.............................................................................................396

Getting Help
Every effort has been made to ensure the accuracy of this book. This content is also available
online in the Office System TechNet Library, so if you run into problems you can check for
updates at:

http://technet.microsoft.com/office

If you do not find your answer in our online content, you can send an e-mail message to the
Microsoft Office System and Servers content team at:

o12ITdx@microsoft.com

If your question is about Microsoft Office products, and not about the content of this book, please
search the Microsoft Help and Support Center or the Microsoft Knowledge Base at:

http://support.microsoft.com

Roadmap to Office SharePoint Server 2007 content
In this section:
• Office SharePoint Server 2007 content by audience
• Office SharePoint Server 2007 IT professional content by stage of the IT life cycle

Office SharePoint Server 2007 content by audience
Each audience for Microsoft Office SharePoint Server 2007 can go to a specific Web site for
content that is tailored for that audience. The following table lists the audiences and provides links
to the content for each audience.

Information Workers (content available on Office Online)
• Home page - a central portal for Information Worker resources
(http://go.microsoft.com/fwlink/?LinkId=89166&clcid=0x409)
• Help and How To - an index for Information Worker content
(http://go.microsoft.com/fwlink/?LinkId=89167&clcid=0x409)

IT Professionals (content available on TechNet)
• TechCenter - a central portal for IT professional resources
(http://go.microsoft.com/fwlink/?LinkID=80125&clcid=0x409)
• Technical Library - an index for IT professional content
(http://go.microsoft.com/fwlink/?LinkId=89168&clcid=0x409)
• Newly published content - an article that lists new or updated content in the Technical Library
(http://go.microsoft.com/fwlink/?LinkId=89171&clcid=0x409)
• Downloadable books - an article that lists the books available for download
(http://go.microsoft.com/fwlink/?LinkId=89172&clcid=0x409)

Developers (content available on MSDN)
• Developer Portal - a central portal for developer resources
(http://go.microsoft.com/fwlink/?LinkID=88846&clcid=0x409)
• MSDN Library - an index for developer content
(http://go.microsoft.com/fwlink/?LinkID=88847&clcid=0x409)

Additionally, there is information for all users of SharePoint Products and Technologies at the
community and blog sites listed in the following table.

Community content and blogs

• SharePoint Products and Technologies community portal — a central place for community
information (blogs, newsgroups, and so on) about SharePoint Products and Technologies
(http://go.microsoft.com/fwlink/?LinkId=88915&clcid=0x409)
• SharePoint Products and Technologies team blog — a group blog from the teams who
develop the SharePoint Products and Technologies (http://go.microsoft.com/fwlink/?
LinkId=88916&clcid=0x409)
• Support Center for Microsoft Office SharePoint Server 2007 — a central place for issues
and solutions from Microsoft Help and Support (http://go.microsoft.com/fwlink/?
LinkId=89555&clcid=0x409)

Office SharePoint Server 2007 IT professional content by stage of the IT life cycle
IT Professional content for Office SharePoint Server 2007 follows the IT life cycle and includes
content appropriate for each stage in that cycle — evaluate, plan, deploy, and operate — plus
technical reference content. The following sections describe each stage in the IT life cycle and list
the content available to assist IT professionals during that stage. The most up-to-date content is
always available on the TechNet Web site.
We also offer downloadable books that cover each stage in the IT life cycle, plus books that cover
all stages of the life cycle for a specific solution. For an updated list of all downloadable books
available for Office SharePoint Server 2007, see Downloadable books for Office SharePoint
Server 2007 (http://go.microsoft.com/fwlink/?LinkID=89172&clcid=0x409).

Evaluate
During the evaluation stage, IT professionals (including decision makers, solution architects, and
system architects) focus on understanding a new technology and evaluate how it can help them
address their business needs. The following table lists resources that are available to help you
evaluate Office SharePoint Server 2007.

Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Product evaluation for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89180&clcid=0x409)
Evaluation Guide | Provides overview, what's new, and conceptual information for understanding Office SharePoint Server 2007. | Evaluation guide for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=83060&clcid=0x409)
Evaluation Guide for Search | Provides overview, what's new, and conceptual information for understanding how searching works in Office SharePoint Server 2007. | Evaluation guide for search in Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=79614&clcid=0x409)

Plan
During the planning stage, IT professionals have different needs depending on their role within an
organization. If you are focused on designing a solution, including determining the structure,
capabilities, and information architecture for a site, you might want information that helps you to
determine which capabilities of Office SharePoint Server 2007 you want to take advantage of,
and that helps you to plan for those capabilities and to tailor the solution to your organization's
needs. On the other hand, if you are focused on the hardware and network environment for your
solution, you might want information that helps you to structure the server topology, plan
authentication methods, and understand system requirements for Office SharePoint Server 2007.
We have planning content, including worksheets, to address both of these needs.
The following table lists resources that are available to help you plan for using Office SharePoint
Server 2007.

Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Planning and architecture for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89404&clcid=0x409)
Planning Guide, Part 1 | Provides in-depth planning information for application administrators designing a solution based on Office SharePoint Server 2007. | Planning and architecture for Office SharePoint Server, part 1 (http://go.microsoft.com/fwlink/?LinkID=79552)
Planning Guide, Part 2 | Provides in-depth planning information for IT professionals designing the environment to host a solution based on Office SharePoint Server 2007. | Planning and architecture for Office SharePoint Server, part 2 (http://go.microsoft.com/fwlink/?LinkID=85548)

Deploy
During the deployment stage, you configure your environment, install Office SharePoint Server
2007, and then start creating SharePoint sites. Depending on your environment and your
solution, you may have several configuration steps to perform for your servers, for your Shared
Services Providers, and for your sites. Additionally, you may have templates, features, or other
custom elements to deploy into your environment.
The process of upgrading from a previous version product, such as Microsoft Office SharePoint
Portal Server 2003, Microsoft Content Management Server 2002, or Windows SharePoint
Services, is also part of the deployment stage of the IT life cycle, and we have content that
addresses planning for upgrade, performing the upgrade, and performing post-upgrade steps.
The following table lists resources that are available to help you deploy or upgrade to Office
SharePoint Server 2007.

Content | Description | Links
Online content | Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content. | Deployment for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=76139&clcid=0x409)
Deployment Guide | Provides in-depth deployment information for Office SharePoint Server 2007. | Deployment for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkID=79589)
Upgrade Guide | Provides overview and in-depth information for upgrading from a previous version product to Office SharePoint Server 2007. | Upgrading to Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=85556)
Migration and Upgrade for SharePoint Developers | Provides cross-audience (IT and developer) information for migration and upgrade from a previous version product to Office SharePoint Server 2007. | Migration and Upgrade Information for SharePoint Developers (http://go.microsoft.com/fwlink/?LinkId=89129&clcid=0x409)

Operate
After deployment, in which you install and configure your environment, you move to the
operations stage. During this stage, you are focused on the day-to-day monitoring, maintenance
and tuning of your environment.
The following table lists resources that are available to help with day-to-day operations for Office
SharePoint Server 2007.

Online content
  Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
  Links: Operations for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89407&clcid=0x409)

Security and Protection


Because security and protection are concerns during all phases of the IT life cycle, appropriate
content for security and protection is included in the content for each life cycle stage. However, an
aggregate view of this content is provided in a Security and Protection section of the
documentation. The following table lists resources that are available to help you understand
security and protection for Office SharePoint Server 2007.

Online content
  Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
  Links: Security and protection for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89408&clcid=0x409)

Technical Reference
Technical reference information supports the content for each of the IT life cycle stages by
providing the technical information you need to work with Office SharePoint Server 2007. For
example, the Technical Reference content has information about how permissions work, how to
perform operations from the command line, and how to use Setup.exe from the command line.
The following table lists resources that are available to help you use Office SharePoint Server
2007.

Online content
  Description: Includes the most up-to-date content. The Technical Library on TechNet is continually refreshed with new and updated content.
  Links: Technical Reference for Office SharePoint Server 2007 (http://go.microsoft.com/fwlink/?LinkId=89445&clcid=0x409)

Deployment worksheets for Office
SharePoint Server 2007
In this section:
• Deployment worksheets by task
• Deployment worksheets by title
This section provides links to worksheets that you can use to record information that you gather
and decisions that you make as you perform your deployment of Microsoft Office SharePoint
Server 2007. Use these worksheets in conjunction with — not as a substitute for — Deployment
for Office SharePoint Server 2007.

Deployment worksheets by task


For this task: Chapter overview: Create and configure Shared Services Providers

For this task: Deploy and configure SharePoint sites

For this task: Upgrading to Office SharePoint Server 2007
  Use this worksheet: Custom templates and mapping files worksheet (http://go.microsoft.com/fwlink/?LinkId=73751&clcid=0x409)
  To do this: Record which custom site definitions and page templates need mapping files, and record file names and paths for mapping files.

  Use this worksheet: Estimate database space and time for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73752&clcid=0x409)
  To do this: Record current database sizes and estimate how much space you need for upgrade.

  Use this worksheet: Supported topologies for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73753&clcid=0x409)
  To do this: Record current topologies and any changes needed before upgrade.

  Use this worksheet: Upgrade server requirements worksheet (http://go.microsoft.com/fwlink/?LinkId=73754&clcid=0x409)
  To do this: List servers in the farm, hardware capacities, and identify requirements before upgrading.

Deployment worksheets by title


Use this worksheet: Custom templates and mapping files worksheet (http://go.microsoft.com/fwlink/?LinkId=73751&clcid=0x409)
  For this task: Upgrading to Office SharePoint Server 2007
  To do this: Record which custom site definitions and page templates need mapping files, and record file names and paths for mapping files.

Use this worksheet: Estimate database space and time for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73752&clcid=0x409)
  For this task: Upgrading to Office SharePoint Server 2007
  To do this: Record current database sizes and estimate how much space you need for upgrade.

Use this worksheet: Supported topologies for upgrade worksheet (http://go.microsoft.com/fwlink/?LinkId=73753&clcid=0x409)
  For this task: Upgrading to Office SharePoint Server 2007
  To do this: Record current topologies and any changes needed before upgrade.

Use this worksheet: Upgrade server requirements worksheet (http://go.microsoft.com/fwlink/?LinkId=73754&clcid=0x409)
  For this task: Upgrading to Office SharePoint Server 2007
  To do this: List servers in the farm, hardware capacities, and identify requirements before upgrading.

I. End-to-end deployment scenarios

Chapter overview: End-to-end deployment
scenarios
This chapter provides information and directions for deploying Microsoft Office SharePoint Server
2007 as an end-to-end solution, whether on a single computer or on a simple server farm. This
chapter does not discuss more complex deployments. For information about deploying Office
SharePoint Server 2007 in a large server farm, see Deploy in a simple server farm.
The articles in this chapter include:
• Install Office SharePoint Server 2007 on a stand-alone computer discusses how to install Office SharePoint Server
2007 on a single-server computer running the Windows Server 2003 operating system. A
stand-alone configuration is useful if you want to evaluate Office SharePoint Server 2007
features and capabilities, such as collaboration, document management, and search. A
stand-alone configuration is also useful if you are deploying a small number of Web sites and
you want to minimize administrative overhead.
• Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server
2008 discusses how to install Office SharePoint Server 2007 on a single-server computer
running the Windows Server 2008 operating system. A stand-alone configuration is useful if
you want to evaluate Office SharePoint Server 2007 features and capabilities, such as
collaboration, document management, and search. A stand-alone configuration is also useful
if you are deploying a small number of Web sites and you want to minimize administrative
overhead.
• Deploy in a simple server farm discusses how to do a clean installation of Office
SharePoint Server 2007 in a server farm environment on the Windows Server 2003 operating
system. You can deploy in a server farm environment if you are hosting a large number of
sites, if you want the best possible performance, or if you want the scalability of a multi-tier
topology. A server farm consists of one or more servers dedicated to running the Office
SharePoint Server 2007 applications.
• Deploy a simple farm on the Windows Server 2008 operating system discusses how to do a clean installation of Office
SharePoint Server 2007 in a server farm environment on the Windows Server 2008 operating
system. You can deploy in a server farm environment if you are hosting a large number of
sites, if you want the best possible performance, or if you want the scalability of a multi-tier
topology. A server farm consists of one or more servers dedicated to running the Office
SharePoint Server 2007 applications.
• Deploy using DBA-created databases discusses how to deploy Office SharePoint Server
2007 in an environment in which database administrators (DBAs) create and manage
databases. This section discusses how DBAs can create these databases and how farm
administrators configure them. The deployment includes all the required databases, one
portal site, a Shared Services Administration Web site, My Sites, and one Shared Services
Provider (SSP).
• Install Office SharePoint Server 2007 by using the command line discusses how to use the command-line tools
Setup.exe, Psconfig.exe, and Config.xml, to install and configure Office SharePoint Server
2007 from the command prompt window.
• Install Office SharePoint Server 2007 with least privilege administration by using the
command line discusses how to install Office SharePoint Server 2007 from the command
prompt window while granting the user the least privileges necessary.
• Migrate a stand-alone installation to a server farm installation discusses the process for
moving from a stand-alone installation to a server farm installation. This process consists of
creating a new server farm, and then migrating the data from your stand-alone server to the
new farm.

Install Office SharePoint Server 2007 on a
stand-alone computer
In this section:
• Hardware and software requirements
• Configure the server as a Web server
• Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005
Express Edition
• Post-installation steps

Important:
This section discusses how to install Microsoft Office SharePoint Server 2007 on a single
computer as a stand-alone installation. It does not cover installing Office SharePoint
Server 2007 in a farm environment, upgrading from previous releases of Office
SharePoint Server 2007, or how to upgrade from SharePoint Portal Server 2003. For
information about how to do this, see the following:
Deploy in a simple server farm
Upgrading to Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc303420.aspx)

You can quickly publish a SharePoint site by deploying Office SharePoint Server 2007 on a single
server computer. A stand-alone configuration is useful if you want to evaluate Office SharePoint
Server 2007 features and capabilities, such as collaboration, document management, and
search. A stand-alone configuration is also useful if you are deploying a small number of Web
sites and you want to minimize administrative overhead. When you deploy Office SharePoint
Server 2007 on a single server using the default settings, the Setup program automatically
installs Microsoft SQL Server 2005 Express Edition and uses it to create the configuration
database and content database for your SharePoint sites. In addition, the Setup program creates
a Shared Services Provider (SSP), installs the SharePoint Central Administration Web site and
creates your first SharePoint site collection and site.

Note:
There is no direct upgrade from a stand-alone installation to a farm installation.

Hardware and software requirements


Before you install and configure Office SharePoint Server 2007, be sure that your servers have
the required hardware and software. For more information about these requirements, see
Determine hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

Configure the server as a Web server
Before you install and configure Office SharePoint Server 2007, you must install and configure
the required software. This includes installing and configuring Internet Information Services (IIS)
so your computer acts as a Web server, installing the Microsoft .NET Framework version 3.0, and
enabling ASP.NET 2.0.

Install and configure IIS


Internet Information Services (IIS) is not installed or enabled by default in the Microsoft Windows
Server 2003 operating system. To make your server a Web server, you must install and enable
IIS, and you must ensure that IIS is running in IIS 6.0 worker process isolation mode.

Install and configure IIS


1. Click Start, point to All Programs, point to Administrative Tools, and then click
Configure Your Server Wizard.
2. On the Welcome to the Configure Your Server Wizard page, click Next.
3. On the Preliminary Steps page, click Next.
4. On the Server Role page, click Application server (IIS, ASP.NET), and then click
Next.
5. On the Application Server Options page, click Next.
6. On the Summary of Selections page, click Next.
7. Click Finish.
8. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
9. In the IIS Manager tree, click the plus sign (+) next to the server name, right-click the
Web Sites folder, and then click Properties.
10. In the Web Sites Properties dialog box, click the Service tab.
11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation
mode check box, and then click OK.

Note:
The Run WWW service in IIS 5.0 isolation mode check box is only selected if you have
upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows
2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by
default.

Install the Microsoft .NET Framework version 3.0


Go to the Microsoft Download Center Web site (http://go.microsoft.com/fwlink/?LinkID=72322&clcid=0x409), and on the Microsoft .NET Framework 3.0 Redistributable Package page, follow the instructions for downloading and installing the .NET Framework version 3.0. There are separate downloads for x86-based computers and x64-based computers. Be sure to download and install the appropriate version for your computer. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.

Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=110508).

Enable ASP.NET 2.0


ASP.NET 2.0 is required for proper functioning of Web content, the Central Administration Web
Site, and many other features and functions of Office SharePoint Server 2007.

Enable ASP.NET 2.0


1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In the Internet Information Services tree, click the plus sign (+) next to the server
name, and then click the Web Service Extensions folder.
3. In the details pane, right-click ASP.NET v2.0.50727, and then click Allow.
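The three procedures above are carried out in dialog boxes, so nothing records whether each one actually took effect. The following script is an added example, not part of the Microsoft guide, that reads the resulting state back on Windows Server 2003 with IIS 6.0: the isolation mode of the WWW service, the .NET Framework 3.0 (or 3.5, which the note allows) setup marker, and the ASP.NET v2.0.50727 entry in Web Service Extensions. It assumes the IIS metabase is reachable through the ADSI provider, that it runs as a local administrator, and that the registry markers are the ones Microsoft documents for those framework versions; the format of the WebSvcExtRestrictionList entries is taken from the IIS 6.0 metabase reference.

```powershell
# Added example (not from the Microsoft guide): check the three Web server
# prerequisites set up in the procedures above on Windows Server 2003 with IIS 6.0.
# Assumptions: the IIS metabase is reachable through the ADSI provider and the
# script runs as a local administrator. It changes nothing; it only reports.

$w3svc = [ADSI]"IIS://localhost/W3SVC"

# 1. Worker process isolation mode: the IIs5IsolationModeEnabled metabase
#    property must be False (True means the legacy IIS 5.0 isolation mode).
$iis5Mode = [bool]($w3svc.IIs5IsolationModeEnabled | Select-Object -First 1)

# 2. .NET Framework 3.0 (or 3.5, which the note above also allows). These are the
#    registry markers Microsoft documents for detecting the installed versions.
$net30 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0\Setup' -ErrorAction SilentlyContinue
$net35 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
$netInstalled = ($net30.InstallSuccess -eq 1) -or ($net35.Install -eq 1)

# 3. ASP.NET v2.0.50727 allowed in Web Service Extensions. Each entry of
#    WebSvcExtRestrictionList is "<1|0>,<path>,<deletable>,<group>,<description>";
#    a leading 1 means Allowed (format as in the IIS 6.0 metabase reference).
$aspNetEntry = @($w3svc.WebSvcExtRestrictionList) |
    Where-Object { $_ -like '*v2.0.50727\aspnet_isapi.dll*' } |
    Select-Object -First 1
$aspNet20Allowed = ($aspNetEntry -ne $null) -and ([string]$aspNetEntry).StartsWith('1,')

$checks = @(
    @{ Name = 'IIS 6.0 worker process isolation mode'; Pass = (-not $iis5Mode) },
    @{ Name = '.NET Framework 3.0 or 3.5 installed';   Pass = $netInstalled },
    @{ Name = 'ASP.NET v2.0.50727 allowed in IIS';     Pass = $aspNet20Allowed }
)
$failed = 0
foreach ($c in $checks) {
    if ($c.Pass) { $state = 'PASS' } else { $state = 'FAIL'; $failed++ }
    Write-Host ('{0,-42} {1}' -f $c.Name, $state)
}
# A non-zero exit code lets a deployment script stop before Setup is run.
exit $failed
```

Run it after the three procedures and before starting Setup; a FAIL on the ASP.NET line is the usual cause of the Central Administration site returning 404 on a fresh Windows Server 2003 install, because new IIS 6.0 installs leave every ISAPI extension prohibited until it is explicitly allowed.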

Install and configure Office SharePoint Server 2007 with Microsoft SQL Server 2005 Express Edition
When you install Office SharePoint Server 2007 on a single server, run the Setup program using
the Basic option. This option uses the Setup program's default parameters to install Office
SharePoint Server 2007 and SQL Server 2005 Express Edition.

Notes
• If you uninstall Office SharePoint Server 2007 and then later install Office SharePoint Server 2007 on the same computer, the Setup program could fail when creating the configuration database, causing the entire installation process to fail. You can prevent this failure either by deleting all the existing Office SharePoint Server 2007 databases on the computer or by creating a new configuration database. You can create a new configuration database by running the following command:
  psconfig -cmd configdb -create -database <uniquename>

Run Setup
1. From the product disc, run Setup.exe, or from the product download, run
Officeserver.exe.
2. On the Enter your Product Key page, enter your product key, and then click Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup places a red circle next to the text box and displays a message
that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Basic to install to the default
location. To install to a different location, click Advanced, and then on the File Location
tab, specify the location you want to install to and finish the installation.
5. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Be sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is selected.
6. Click Close to start the configuration wizard.

Run the SharePoint Products and Technologies Configuration Wizard


1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted or
reset during configuration, click Yes.
3. On the Configuration Successful page, click Finish. Your new SharePoint site
opens.

Note:
If you are prompted for your user name and password, you might need to add the
SharePoint site to the list of trusted sites and configure user authentication
settings in Internet Explorer. Instructions for configuring these settings are
provided in the following procedure.

Note:
If you see a proxy server error message, you might need to configure your proxy
server settings so that local addresses bypass the proxy server. Instructions for
configuring proxy server settings are provided later in this section.

Add the SharePoint site to the list of trusted sites


1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security
settings box, click Trusted Sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL to your site, and then click
Add.
5. Click Close to close the Trusted Sites dialog box.
6. Click OK to close the Internet Options dialog box.

If you are using a proxy server in your organization, use the following steps to configure Internet
Explorer to bypass the proxy server for local addresses.

Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click
LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings
check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check
box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.
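Both Internet Explorer procedures above end up as per-user registry values, which is how they are normally pushed to administrators' workstations in bulk. The script below is an added example, not part of the Microsoft guide, that writes those values for the current user: it maps only the http scheme of the one SharePoint host into the Trusted Sites zone (zone 2) and adds the <local> token that represents the "Bypass proxy server for local addresses" check box. The host name, proxy name and port are assumed sample values.

```powershell
# Added example (not from the Microsoft guide): apply the two Internet Explorer
# procedures above for the current user by writing the same registry values the
# Internet Options dialog writes. The site host name and proxy address are assumed
# sample values; replace them with your own. Close and reopen Internet Explorer afterwards.

param(
    [string]$SiteHost  = 'sharepoint01.contoso.local',   # assumed: host name of the new SharePoint site
    [string]$ProxyHost = 'proxy.contoso.local',          # assumed: your proxy server
    [int]   $ProxyPort = 8080                            # assumed: your proxy port
)

$inetSettings     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMapDomains   = Join-Path $inetSettings 'ZoneMap\Domains'
$trustedSitesZone = 2   # IE zone ids: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites

# --- Add the SharePoint site to the list of trusted sites ---
# IE stores zone assignments as Domains\<domain>\<host> (or Domains\<host> for a
# single-label name). A value named after the URL scheme holds the zone id.
$labels = $SiteHost.Split('.')
if ($labels.Count -le 2) {
    $siteKey = Join-Path $zoneMapDomains $SiteHost
} else {
    $domainPart = ($labels[-2], $labels[-1]) -join '.'
    $hostPart   = $labels[0..($labels.Count - 3)] -join '.'
    $siteKey    = Join-Path (Join-Path $zoneMapDomains $domainPart) $hostPart
}
New-Item -Path $siteKey -Force | Out-Null
# Map only the http scheme, exactly as typing http://<host> in the dialog does.
# Nothing else in the zone changes, so no other host gains Trusted Sites privileges.
Set-ItemProperty -Path $siteKey -Name 'http' -Value $trustedSitesZone -Type DWord

# --- Bypass the proxy server for local addresses ---
# ProxyEnable/ProxyServer are the "Use a proxy server for your LAN" settings; the
# <local> token in ProxyOverride is the "Bypass proxy server for local addresses" box.
Set-ItemProperty -Path $inetSettings -Name ProxyEnable -Value 1 -Type DWord
Set-ItemProperty -Path $inetSettings -Name ProxyServer -Value ('{0}:{1}' -f $ProxyHost, $ProxyPort) -Type String
$override = (Get-ItemProperty -Path $inetSettings -Name ProxyOverride -ErrorAction SilentlyContinue).ProxyOverride
if (-not $override) {
    $override = '<local>'
} elseif ($override -notmatch '<local>') {
    $override = $override.TrimEnd(';') + ';<local>'
}
Set-ItemProperty -Path $inetSettings -Name ProxyOverride -Value $override -Type String
```

Two of the dialog steps have no counterpart here on purpose. Clearing Require server verification (https:) only changes what the Add button accepts, so writing the mapping directly leaves that zone-wide setting at its default; and Automatically detect settings lives in a binary connection blob that the script does not touch, so clear it in the dialog if it is set. Keep the mapping to the exact host name rather than a whole domain: everything in the Trusted Sites zone runs with relaxed browser restrictions.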

Post-installation steps
After Setup finishes, your browser window opens to the home page of your new SharePoint site.
Although you can start adding content to the site or you can start customizing the site, we
recommend that you perform the following administrative tasks by using the SharePoint Central
Administration Web site.
• Configure incoming e-mail settings You can configure incoming e-mail settings so
that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-
mail settings so that SharePoint sites can archive e-mail discussions as they happen, save e-
mailed documents, and show e-mailed meetings on site calendars. In addition, you can
configure the SharePoint Directory Management Service to provide support for e-mail
distribution list creation and management. For more information, see Configure incoming e-
mail settings.
• Configure outgoing e-mail settings You can configure outgoing e-mail settings so that
your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and
notifications to site administrators. You can configure both the "From" e-mail address and the
"Reply" e-mail address that appear in outgoing alerts. For more information, see Configure
outgoing e-mail settings.
• Create SharePoint sites When Setup finishes, you have a single Web application that contains a single SharePoint site collection that hosts a SharePoint site. You can create more SharePoint site collections, sites, and Web applications if your site design requires multiple sites or multiple Web applications.
• Configure Workflow settings Specify whether users can assemble new workflows and whether participants without site access should be sent documents in e-mail attachments so they can participate in document workflows. For more information, see Configure workflow settings.
• Configure diagnostic logging settings You can configure several diagnostic logging
settings to help with troubleshooting. This includes enabling and configuring trace logs, event
messages, user-mode error messages, and Customer Experience Improvement Program
events. For more information, see Configure diagnostic logging settings.
• Configure antivirus protection settings You can configure several antivirus settings if
you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus
settings enable you to control whether documents are scanned on upload or download and
whether users can download infected documents. You can also specify how long you want
the antivirus program to run before it times out, and you can specify how many execution
threads the antivirus program can use on the server. For more information, see Configure
antivirus settings.
• Configure search You can configure several search and index settings to customize
how Office SharePoint Server 2007 crawls your site content or external content. For more
information, see Configure the Office SharePoint Server Search service
(http://technet.microsoft.com/en-us/library/cc262700.aspx).
• Configure Excel Services Before you can use Excel Services, you must start the
service and add at least one trusted location. For more information about doing this, see C.
Configure Excel Services.

Perform administrator tasks by using the Central Administration site


1. Click Start, point to All Programs, point to Microsoft Office Server, and then click
SharePoint 3.0 Central Administration.
2. On the Central Administration home page, under Administrator Tasks, click the
task you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.

Deploy in a simple server farm
In this section:
• Deployment overview
• Deploy and configure the server infrastructure
• Create and configure a Shared Services Provider
• Perform additional configuration tasks
• Create a site collection and a SharePoint site
• Configure the trace log

Deployment overview
Important:
This section discusses how to do a clean installation of Microsoft Office SharePoint
Server 2007 in a server farm environment. It does not cover upgrading from previous
releases of Office SharePoint Server 2007 or how to upgrade from Microsoft SharePoint
Portal Server 2003. For more information about upgrading from Microsoft Office
SharePoint Portal Server 2003, see Upgrading to Office SharePoint Server 2007
(http://technet.microsoft.com/en-us/library/cc303420.aspx).

Note:
This section does not cover installing Office SharePoint Server 2007 on a single
computer as a stand-alone installation. For more information, see Install Office
SharePoint Server 2007 on a stand-alone computer.
You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a
large number of sites, if you want the best possible performance, or if you want the scalability of a
multi-tier topology. A server farm consists of one or more servers dedicated to running the Office
SharePoint Server 2007 application.

Note:
There is no direct upgrade from a stand-alone installation to a farm installation.
Because a server farm deployment of Office SharePoint Server 2007 is more complex than a
stand-alone deployment, we recommend that you plan your deployment. Planning your
deployment can help you to gather the information you need and to make important decisions
before beginning to deploy. For information about planning, see Planning and architecture for
Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).

Deploying Office SharePoint Server 2007 in a DBA environment


In many IT environments, database creation and management are handled by the database
administrator (DBA). Security and other policies might require that the DBA create the databases
required by Office SharePoint Server 2007. This topic provides details about how the DBA can
create these databases before beginning the Office SharePoint Server 2007 installation or
creation of a Shared Services Provider (SSP). For more information about deploying using DBA-
created databases, including detailed procedures, see Deploy using DBA-created databases.

Suggested topologies
Server farm environments can encompass a wide range of topologies and can include many
servers or as few as two servers.
A small server farm typically consists of a database server running either Microsoft SQL Server
2005 or Microsoft SQL Server 2000 with the most recent service pack, and one or more servers
running Internet Information Services (IIS) and Office SharePoint Server 2007. In this
configuration, the front-end servers are configured as Web servers and application servers. The
Web server role provides Web content to clients. The application server role provides Office
SharePoint Server 2007 services such as servicing search queries, and crawling and indexing
content.
A medium server farm typically consists of a database server, an application server running Office
SharePoint Server 2007, and one or two front-end Web servers running Office SharePoint Server
2007 and IIS. In this configuration, the application server provides indexing services and Excel
Calculation Services, and the front-end Web servers service search queries and provide Web
content.
A large server farm typically consists of two or more clustered database servers, several load-
balanced front-end Web servers running Office SharePoint Server 2007, and two or more
application servers running Office SharePoint Server 2007. In this configuration, each of the
application servers provides specific Office SharePoint Server 2007 services such as indexing or
Excel Calculation Services, and the front-end servers provide Web content.

Note:
All of the Web servers in your server farm must have the same SharePoint Products and
Technologies installed. For example, if all of the servers in your server farm are running
Office SharePoint Server 2007, you cannot add to your farm a server that is running only
Microsoft Office Project Server 2007. To run Office Project Server 2007 and Office
SharePoint Server 2007 on your server farm, you must install Office Project Server 2007
and Office SharePoint Server 2007 on each of your Web servers. To enhance the
security of your farm and reduce the surface area that is exposed to a potential attack,
you can turn off services on particular servers after you install SharePoint Products and
Technologies.

Before you begin deployment


This section provides information about actions that you must perform before you begin
deployment.

Important
• The account that you select for installing Office SharePoint Server 2007 needs to be
a member of the Administrators group on every server on which you install Office
SharePoint Server 2007. You can, however, remove this account from the Administrators
group on the servers after installation.
• For information about assigning users to be SSP administrators, see “Shared
Services Providers” in Plan for administrative and service accounts
(http://technet.microsoft.com/en-us/library/cc263445.aspx).
• To deploy Office SharePoint Server 2007 in a server farm environment, you must provide
credentials for several different accounts. For information about these accounts, see “Shared
Service Providers” in the Planning and architecture for Office SharePoint Server 2007
(http://technet.microsoft.com/en-us/library/cc261834.aspx) guide.
• You must install Office SharePoint Server 2007 on the same drive on all load-balanced
front-end Web servers.
• You must install Office SharePoint Server 2007 on a clean installation of the Microsoft
Windows Server 2003 operating system with the most recent service pack. If you uninstall a
previous version of Office SharePoint Server 2007, and then install Office SharePoint Server
2007, Setup might fail to create the configuration database and the installation will fail.

Note:
We recommend that you read the Known Issues/Readme documentation before you
install Office SharePoint Server 2007 on a domain controller. Installing Office
SharePoint Server 2007 on a domain controller requires additional configuration
steps that are not discussed in this document.
• You must install the same language packs on all servers in the farm. For more
information about installing language packs, see Deploy language packs.
• All the instances of Office SharePoint Server 2007 in the farm must be in the same
language. For example, you cannot have both an English version of Office SharePoint Server
2007 and a Japanese version of Office SharePoint Server 2007 in the same farm.
• You must use the Complete installation option on all computers you want to be index
servers, query servers, or servers that run Excel Calculation Services.
• If you place a query server beyond a firewall from its index server, you must open the
NetBIOS ports (TCP/User Datagram Protocol (UDP) ports 137, 138, and 139) on all firewalls
that separate these servers. If your environment does not use NetBIOS, you must use direct-
hosted server message block (SMB). This requires that you open the TCP/UDP 445 port.
• If you want to have more than one index server in a farm, you must use a different
Shared Services Provider (SSP) for each index server.
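The firewall requirement in the list above is the one most often discovered only when query servers silently return stale results. The script below is an added example, not part of the Microsoft guide, to run on a query server after the firewall rules are in place: it attempts a TCP connection to the index server on 139 (NetBIOS session) and 445 (direct-hosted SMB), and lists the UDP 137/138 NetBIOS name and datagram ports for manual verification, since a connect test cannot prove a UDP path. It needs Windows PowerShell 2.0 or later for try/catch; the index server name is an assumed sample.

```powershell
# Added example (not from the Microsoft guide): run on a query server to confirm that
# the firewall between it and its index server passes the ports listed above.
# TCP 139 (NetBIOS session service) and TCP 445 (direct-hosted SMB) are checked with
# a TCP connect; UDP 137 and 138 (NetBIOS name and datagram services) cannot be
# checked by connecting and are reported for manual verification on the firewall.
# The index server name is an assumed sample.

param([string]$IndexServer = 'index01.contoso.local')   # assumed

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A filtered port never answers, so bound the wait instead of relying on a RST.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = @{}
foreach ($port in 139, 445) {
    $results[$port] = Test-TcpPort -ComputerName $IndexServer -Port $port
}
Write-Host ('TCP 139 NetBIOS session service : {0}' -f $(if ($results[139]) { 'reachable' } else { 'blocked' }))
Write-Host ('TCP 445 direct-hosted SMB       : {0}' -f $(if ($results[445]) { 'reachable' } else { 'blocked' }))
Write-Host 'UDP 137/138 NetBIOS name and datagram services: verify on the firewall rule (not testable by connecting)'

# The guide requires one transport or the other: NetBIOS (137-139) where NetBIOS is in
# use, direct-hosted SMB (445) where it is not. Fail only if neither path is open.
if (-not ($results[139] -or $results[445])) {
    Write-Host "No SMB transport to $IndexServer is reachable; check the firewall rules between the query and index servers."
    exit 1
}
```

Scope the firewall rules to the query and index server addresses only; the ports carry file-share traffic for the index propagation, and leaving them open to the whole segment widens the farm's attack surface for no benefit.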

Overview of the deployment process


The deployment process consists of three phases: deploying and configuring the server
infrastructure, creating and configuring one or more Shared Services Providers (SSPs), and
deploying and configuring SharePoint sites.
Phase 1: Deploy and configure the server infrastructure
Deploying and configuring the server infrastructure consists of the following steps:
• Preparing the database server.
• Verifying that the servers meet hardware and software requirements.
• Running Setup on each server you want to be in the farm, including running the
SharePoint Products and Technologies Configuration Wizard.
• If you want to search over the Help content for Office SharePoint Server 2007, starting
the Windows SharePoint Services Search service.

Phase 2: Create and configure a Shared Services Provider


Creating and configuring a Shared Services Provider consists of the following steps:
• Creating a Web application to host the SSP.
• Creating the SSP.
• Configuring the Web application and the SSP.
• Configuring services on servers.

Phase 3: Create site collections and SharePoint sites


Creating SharePoint site collections and SharePoint sites consists of the following steps:
• Creating a Web Application to host the site collections and SharePoint sites.
• Creating site collections.
• Creating SharePoint sites.

Deploy and configure the server infrastructure


Security account requirements
To deploy Office SharePoint Server 2007 in a server farm environment, you must provide
credentials for several different accounts. For information about these accounts, see Plan for
administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx) in
the Planning and architecture for Office SharePoint Server 2007 guide.

Prepare the database server


The database server must be running Microsoft SQL Server 2005 or Microsoft SQL Server 2000
with the most recent service pack.
The Office SharePoint Server 2007 Setup program automatically creates the necessary
databases when you install and configure Office SharePoint Server 2007. Optionally, you can
preinstall the required databases if your IT environment or policies require this.
For more information about prerequisites, see Determine hardware and software requirements
(http://technet.microsoft.com/en-us/library/cc262485.aspx).

If you are using SQL Server 2005, you must also change the surface area settings.

Configure surface area settings in SQL Server 2005


1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to
Configuration Tools, and then click SQL Server Surface Area Configuration.
2. In the SQL Server 2005 Surface Area Configuration dialog box, click Surface Area
Configuration for Services and Connections.
3. In the tree view, expand the node for your instance of SQL Server, expand the
Database Engine node, and then click Remote Connections.
4. Select Local and Remote Connections, select Using both TCP/IP and named
pipes, and then click OK.

SQL Server and database collation


The SQL Server instance collation must be case-insensitive. The SQL Server database collation
must be case-insensitive, accent-sensitive, Kana-sensitive, and width-sensitive. These settings
ensure that file name uniqueness is consistent with the Windows operating system. For more
information about collations, see Selecting a SQL Collation
(http://go.microsoft.com/fwlink/?LinkId=121667&clcid=0x409) or Collation Settings in Setup
(http://go.microsoft.com/fwlink/?LinkId=121669&clcid=0x409) in SQL Server 2005 Books Online.
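The following PowerShell script is an added example and is not part of the deployment guide or of Office SharePoint Server itself. It checks the collation requirement above on a live instance: it reads the instance collation with SERVERPROPERTY and the collation of any pre-created databases from sys.databases, then inspects the sensitivity flags in the collation name. The server name SQLSERVER01 and the database names are placeholders, the caller is assumed to have a Windows-authenticated SQL Server login, and the flag parsing assumes the standard SQL Server collation naming convention (_CI or _CS, _AS or _AI, and _KS and _WS present only when Kana and width sensitivity are on).

```powershell
# Added example, not part of the deployment guide: verify the instance and
# database collations required by Office SharePoint Server 2007
# (case-insensitive, accent-sensitive, Kana-sensitive, width-sensitive).
# Assumptions: SQLSERVER01 and the database names are placeholders; the caller
# can open a Windows-authenticated connection; collation names follow the
# standard SQL Server convention, e.g. Latin1_General_CI_AS_KS_WS.

function Test-SharePointCollation {
    param([Parameter(Mandatory = $true)][string]$Collation)

    # Case and accent flags are always present in the name; the KS and WS
    # flags appear only when Kana/width sensitivity is enabled.
    $flags = $Collation.Split('_')
    $checks = @{
        Collation       = $Collation
        CaseInsensitive = ($flags -contains 'CI')
        AccentSensitive = ($flags -contains 'AS')
        KanaSensitive   = ($flags -contains 'KS')
        WidthSensitive  = ($flags -contains 'WS')
    }
    $checks['Compliant'] = $checks.CaseInsensitive -and $checks.AccentSensitive -and
                           $checks.KanaSensitive -and $checks.WidthSensitive
    New-Object PSObject -Property $checks
}

function Get-SqlCollationReport {
    param(
        [string]$ServerInstance = 'SQLSERVER01',          # placeholder
        [string[]]$Database = @('SharePoint_Config')      # databases that were pre-created, if any
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Integrated Security=SSPI;Database=master")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()

        # Instance-level collation: new databases created by Setup inherit it.
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128))"
        $serverCollation = [string]$cmd.ExecuteScalar()
        $report = @(Test-SharePointCollation $serverCollation |
            Add-Member -MemberType NoteProperty -Name Scope -Value 'server' -PassThru)

        # Database-level collation for databases that already exist.
        $cmd.CommandText = 'SELECT name, collation_name FROM sys.databases WHERE name = @name'
        foreach ($db in $Database) {
            $cmd.Parameters.Clear()
            [void]$cmd.Parameters.AddWithValue('@name', $db)
            $reader = $cmd.ExecuteReader()
            if ($reader.Read()) {
                $report += Test-SharePointCollation ([string]$reader['collation_name']) |
                    Add-Member -MemberType NoteProperty -Name Scope -Value "database:$db" -PassThru
            }
            $reader.Close()
        }
        return $report
    }
    finally { $conn.Close() }
}

# The flag check on its own, run over constructed collation names (no server needed).
'Latin1_General_CI_AS_KS_WS', 'SQL_Latin1_General_CP1_CI_AS', 'Latin1_General_CS_AS_KS_WS' |
    ForEach-Object { Test-SharePointCollation $_ } |
    Format-Table Collation, CaseInsensitive, AccentSensitive, KanaSensitive, WidthSensitive, Compliant -AutoSize
```

Run Get-SqlCollationReport against the database server before Setup: a non-compliant instance collation has to be corrected by reinstalling SQL Server, which is far cheaper to discover before the configuration database exists than after.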

Required accounts
The following table describes the accounts that are used to configure Microsoft SQL Server and
to install Office SharePoint Server 2007. For more information about the required accounts,
including specific privileges required for these accounts, see Plan for administrative and service
accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

Account: SQL Server Service Account
Purpose: This account is used as the service account for the following SQL Server services:
• MSSQLSERVER
• SQLSERVERAGENT
If you are not using the default instance, these services will be shown as:
• MSSQL$InstanceName
• SQLAgent$InstanceName
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two
options:
• Assign one of the built-in system accounts (Local System, Network Service, or Local
Service) to the logon for the configurable SQL Server services. For more information about
these accounts and security considerations, refer to the Setting Up Windows Service
Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL
Server documentation.
• Assign a domain user account to the logon for the service. However, if you use this option
you must take the additional steps required to configure Service Principal Names (SPNs) in
Active Directory in order to support Kerberos authentication, which SQL Server uses.

Account: Setup user account
Purpose: The Setup user account is used to run the following:
• Setup on each server
• The SharePoint Products and Technologies Configuration Wizard
• The PSConfig command-line tool
• The Stsadm command-line tool
Requirements:
• Domain user account
• Member of the Administrators group on each server on which Setup is run
• SQL Server login on the computer running SQL Server
• Member of the following SQL Server security roles:
• securityadmin fixed server role
• dbcreator fixed server role
If you run Stsadm command-line tool commands that read from or write to a database, this
account must be a member of the db_owner fixed database role for the database.

Account: Server farm account/Database access account
Purpose: The Server farm account is used to:
• Act as the application pool identity for the SharePoint Central Administration application
pool.
• Run the Windows SharePoint Services Timer service.
Requirements:
• Domain user account.
• If the server farm is a child farm with Web applications that consume shared services from
a larger farm, this account must be a member of the db_owner fixed database role on the
configuration database of the larger farm.
Additional permissions are automatically granted for this account on Web servers and
application servers that are joined to a server farm.
This account is automatically added as a SQL Server login on the computer running SQL
Server and added to the following SQL Server security roles:
• dbcreator fixed server role
• securityadmin fixed server role
• db_owner fixed database role for all databases in the server farm

Verify that servers meet hardware and software requirements


Before you install and configure Office SharePoint Server 2007, be sure that your servers have
the recommended hardware and software. To deploy a server farm, you need at least one server
computer acting as a Web server and an application server, and one server computer acting as a
database server.
For more information about these requirements, see Determine hardware and software
requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

Important:
Office SharePoint Server 2007 requires Active Directory directory services for farm
deployments. Therefore Office SharePoint Server 2007 cannot be installed in a farm on a
Microsoft Windows NT Server 4.0 domain.

Install and configure IIS


Internet Information Services (IIS) is not installed or enabled by default in the Microsoft Windows
Server 2003 operating system. To make your server a Web server, you must install and enable
IIS, and you must ensure that IIS is running in IIS 6.0 worker process isolation mode.

Install and configure IIS


1. Click Start, point to All Programs, point to Administrative Tools, and then click
Configure Your Server Wizard.

2. On the Welcome to the Configure Your Server Wizard page, click Next.
3. On the Preliminary Steps page, click Next.
4. On the Server Role page, click Application server (IIS, ASP.NET), and then click
Next.
5. On the Application Server Options page, click Next.
6. On the Summary of Selections page, click Next.
7. Click Finish.
8. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
9. In the IIS Manager tree, click the plus sign (+) next to the server name, right-click the
Web Sites folder, and then click Properties.
10. In the Web Sites Properties dialog box, click the Service tab.
11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation
mode check box, and then click OK.

Note:
The Run WWW in IIS 5.0 isolation mode check box is only selected if you have
upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Microsoft Windows
2000. New installations of IIS 6.0 use IIS 6.0 worker process isolation mode by
default.

Install the Microsoft .NET Framework version 3.0


Go to the Microsoft Download Center Web site
(http://go.microsoft.com/fwlink/?LinkID=72322&clcid=0x409). On the Microsoft .NET Framework
3.0 Redistributable Package page, follow the instructions for downloading and installing the
Microsoft .NET Framework version 3.0. There are separate downloads for x86-based computers
and x64-based computers; be sure to download and install the appropriate version for your
computer. The Microsoft .NET Framework version 3.0 download contains the Windows Workflow
Foundation technology, which is required by workflow features.

Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET
Framework version 3.5 from the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=110508).

Enable ASP.NET 2.0


You must enable ASP.NET 2.0 on all Office SharePoint Server 2007 servers.

Enable ASP.NET 2.0


1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.

2. In the IIS Manager tree, click the plus sign (+) next to the server name, and then click
the Web Service Extensions folder.
3. In the details pane, click ASP.NET v2.0.50727, and then click Allow.
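The two IIS settings from the procedures above (worker process isolation mode and the ASP.NET v2.0.50727 Web service extension) are easy to miss on one Web server out of several. The following PowerShell script is an added example, not part of the deployment guide, that reads both settings from the IIS 6.0 metabase through the ADSI provider and reports them. It assumes it runs locally on a Windows Server 2003 computer with IIS 6.0 installed; the metabase properties it reads are IIs5IsolationModeEnabled and WebSvcExtRestrictionList on the W3SVC node, and the sample restriction-list entries at the end are constructed to show the parser without touching IIS.

```powershell
# Added example, not part of the deployment guide: report whether IIS 6.0 on
# this server runs in worker process isolation mode and whether the
# ASP.NET v2.0.50727 Web service extension is set to Allowed.
# Assumptions: local IIS 6.0 metabase reachable via the IIS ADSI provider;
# the sample entries below are constructed, not read from a real server.

function Test-AspNet2Allowed {
    param([string[]]$RestrictionList)
    # Each WebSvcExtRestrictionList entry has the form
    #   <allowed>,<path>,<deletable>,<groupid>,<description>
    # where <allowed> is 1 for Allowed and 0 for Prohibited. Wildcard
    # entries such as "0,*.dll" have fewer fields and are skipped.
    foreach ($entry in $RestrictionList) {
        $fields = $entry.Split(',')
        if ($fields.Length -lt 4) { continue }
        if ($fields[3] -eq 'ASP.NET v2.0.50727') {
            return ($fields[0] -eq '1')
        }
    }
    return $false   # extension not registered at all, so it cannot be allowed
}

function Get-IisSharePointReadiness {
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    # IIs5IsolationModeEnabled is the metabase property behind the
    # "Run WWW service in IIS 5.0 isolation mode" check box.
    $iis5Mode = [bool]$w3svc.IIs5IsolationModeEnabled.Value
    $restrictions = @($w3svc.WebSvcExtRestrictionList)
    New-Object PSObject -Property @{
        WorkerProcessIsolationMode = -not $iis5Mode
        AspNet2Allowed             = Test-AspNet2Allowed $restrictions
    }
}

# Constructed sample of restriction-list entries, to exercise the parser alone.
$sample = @(
    '0,*.dll',
    '1,C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll,0,ASP.NET v2.0.50727,ASP.NET v2.0.50727',
    '0,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages'
)
Test-AspNet2Allowed $sample
```

Both values in the object returned by Get-IisSharePointReadiness should be True on every server that will host SharePoint content; a False for WorkerProcessIsolationMode points at the IIS 5.0 isolation mode check box described above, and a False for AspNet2Allowed means the extension is still prohibited or not registered.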

Run Setup and build the farm


Run Setup and then the SharePoint Products and Technologies Configuration Wizard on all your
farm servers. Do this on all farm servers before going on to create a Shared Services Provider
(SSP).

Note:
We recommend that you run Setup on all the servers that will be in the farm before
configuring the farm.
You can add servers to the farm at this point, or after you have created and configured an SSP.
You can add servers after you have created and configured an SSP to add redundancy, such as
additional load-balanced Web servers or additional query servers. It is recommended that you run
Setup and the configuration wizard on all your application servers before you create and
configure the SSP.

Recommended order of configuration


We recommend that you configure Office SharePoint Server 2007 in the order listed below. This
order makes configuration easier and ensures that services and applications are in place before
they are required by server types.
Recommended order of installation
1. We recommend that the Central Administration site be installed on an application server.
In a server farm that includes more than one application server, install the Central
Administration site on the application server with the least overall performance load. If your
farm will have an application server, install Office SharePoint Server 2007 on that server first.
This also installs the Central Administration site.
2. All your front-end Web servers.
3. The index server (if using a separate server for search queries and indexing).
4. The query servers, if separate from the index server.

Note:
To configure more than one query server in your farm, you cannot configure your
index server as a query server.
5. Other application servers (optional).
Because the SSP configuration requires an index server, you must start the Office SharePoint
Server Search service on the computer that you want to be the index server, and configure it as
an index server before you can create an SSP. Because of this, you must deploy and configure
an index server before other servers. You can choose any server to be the first server on which

you install Office SharePoint Server 2007. However, the Central Administration Web site is
automatically installed on the first server on which you install Office SharePoint Server 2007.
You can configure different features on different servers. The following table shows which
installation type you should use for each feature set.

Server type                                   Installation type
Central Administration Web application        Complete or Web Front End
Application server (such as Excel             Complete
Calculation Services)
Search index server                           Complete
Search query server                           Complete
Web server                                    Web Front End (subsequent servers must join
                                              an existing farm) or Complete

Note:
If you choose the Web Front End installation option you will not be able to run
additional services, such as search, on the server.

When you install Office SharePoint Server 2007 on the first server, you establish the farm. Any
servers that you add you will join to this farm.
Setting up the first server involves two steps: installing the Office SharePoint Server 2007
components on the server, and configuring the farm. After Setup finishes, you can use the
SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint
Server 2007. The SharePoint Products and Technologies Configuration Wizard automates
several configuration tasks, including: installing and configuring the configuration database,
installing Office SharePoint Server 2007 services, and creating the Central Administration Web
site.

Add servers to the farm


We recommend that you install and configure Office SharePoint Server 2007 on all of the farm
servers before you configure Office SharePoint Server 2007 services and create sites.
Regardless of how many Web servers you have in your server farm, you must have SQL Server
running on at least one database server before you install Office SharePoint Server 2007 on your
Web servers. By default, when you add servers to the farm and run the SharePoint Products and
Technologies Configuration Wizard, the wizard does not create additional Central Administration
sites on the servers that you add, nor does it create any databases on your database server.
However, you can use the wizard to create additional Central Administration sites on the servers
that you add.

Run Setup on the first server
Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed
it, your farm might experience problems. It is not recommended that you install Office
SharePoint Server 2007 on an index server first.

Note:
Setup installs the Central Administration Web site on the first server on which you run
Setup. Therefore, we recommend that the first server on which you install Office
SharePoint Server 2007 is a server from which you want to run the Central Administration
Web site.

Run Setup on the first server


1. From the product disc, run Setup.exe, or from the product download, run
Officeserver.exe, on one of your Web server computers.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced. The Basic option is
for stand-alone installations.
5. On the Server Type tab, select Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard
After Setup finishes, you can use the SharePoint Products and Technologies Configuration
Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several
configuration tasks, including: installing and configuring the configuration database, installing
Office SharePoint Server 2007 services, and creating the Central Administration Web site. Use
the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard


1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. Click Yes in the dialog box that notifies you that some services might need to be
restarted during configuration.
3. On the Connect to a server farm page, click No, I want to create a new server farm,
and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database
server box, type the name of the computer that is running SQL Server.
5. Type a name for your configuration database in the Database name box, or use the
default database name. The default name is "SharePoint_Config".
6. In the User name box, type the user name of the Server farm account. (Be sure to
type the user name in the format DOMAIN\username.)

Important:
The server farm account is used to access your configuration database. It also
acts as the application pool identity for the SharePoint Central Administration
application pool, and it is the account under which the Windows SharePoint
Services Timer service runs. The SharePoint Products and Technologies
Configuration Wizard adds this account to the SQL Server Logins, the SQL
Server Database Creator server role, and the SQL Server Security Administrators
server role. The user account that you specify as the service account must be a
domain user account, but it does not need to be a member of any specific
security group on your Web servers or your back-end database servers. We
recommend that you follow the principle of least privilege and specify a user
account that is not a member of the Administrators group on your Web servers or
your back-end servers.
7. In the Password box, type the user's password, and then click Next.
8. On the Configure SharePoint Central Administration Web Application page, select the
Specify port number check box and type a port number if you want the SharePoint
Central Administration Web application to use a specific port, or leave the Specify port
number check box cleared if you do not care which port number the SharePoint Central
Administration Web application uses.
9. In the Configure SharePoint Central Administration Web Application dialog box,
do one of the following:

• If you want to use NTLM authentication (the default), click Next.
• If you want to use Kerberos authentication, click Negotiate (Kerberos), and then
click Next.

Note:
In most cases, use the default setting (NTLM). Use Negotiate (Kerberos)
only if Kerberos authentication is supported in your environment. Using the
Negotiate (Kerberos) option requires you to configure a Service Principal
Name (SPN) for the domain user account. To do this, you must be a member
of the Domain Admins group. For more information, see How to configure a
Windows SharePoint Services virtual server to use Kerberos authentication
and how to switch from Kerberos authentication back to NTLM authentication
(http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
10. On the Completing the SharePoint Products and Technologies Configuration Wizard
page, click Next.
11. On the Configuration Successful page, click Finish.
The SharePoint Central Administration Web site home page opens.

Note:
If you are prompted for your user name and password, you might need to add the
SharePoint Central Administration site to the list of trusted sites and configure
user authentication settings in Internet Explorer. Instructions for configuring these
settings are provided in the next set of steps.

Note:
If a proxy server error message appears, you might need to configure your proxy
server settings so that local addresses bypass the proxy server. Instructions for
configuring this setting are provided later in this section.
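The wizard steps above can also be performed with the PSConfig command-line tool that the Setup user account table earlier in this section lists, which is useful when the first server is built by a repeatable script. The following PowerShell script is an added example and is not part of the deployment guide; it runs the PSConfig commands that correspond to creating a new farm and provisioning the Central Administration Web application. The database server name, the content database name, and the port are placeholders, the server farm account is prompted for with Get-Credential so that its password is not stored in the script, and the script is assumed to run as the Setup user account on the first server after Setup has finished.

```powershell
# Added example, not part of the deployment guide: create a new farm and
# provision Central Administration with psconfig.exe instead of the wizard.
# Assumptions: SQLSERVER01, SharePoint_AdminContent and port 8080 are
# placeholders; the script runs as the Setup user account on the first server.

$psconfig = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\psconfig.exe'
$dbServer     = 'SQLSERVER01'             # placeholder database server
$configDb     = 'SharePoint_Config'       # the wizard's default configuration database name
$adminDb      = 'SharePoint_AdminContent' # placeholder Central Administration content database name
$caPort       = 8080                      # placeholder; corresponds to "Specify port number"
$authProvider = 'onlyusentlm'             # the wizard's NTLM default; use 'enablekerberos' only
                                          # after the SPN for the farm account exists

# Prompt for the server farm account (DOMAIN\username) rather than hard-coding it.
Write-Host 'Enter the server farm account as DOMAIN\username'
$farmCred     = Get-Credential
$farmUser     = $farmCred.UserName
$farmPassword = $farmCred.GetNetworkCredential().Password

# Each entry mirrors one action the wizard performs; they run in this order.
$steps = @(
    @('-cmd', 'configdb', '-create', '-server', $dbServer, '-database', $configDb,
      '-user', $farmUser, '-password', $farmPassword, '-admincontentdatabase', $adminDb),
    @('-cmd', 'helpcollections', '-installall'),
    @('-cmd', 'secureresources'),
    @('-cmd', 'services', '-install'),
    @('-cmd', 'installfeatures'),
    @('-cmd', 'adminvs', '-provision', '-port', $caPort, '-windowsauthprovider', $authProvider),
    @('-cmd', 'applicationcontent', '-install')
)

foreach ($psargs in $steps) {
    & $psconfig @psargs
    # Stop at the first failure so a half-built farm is not carried forward.
    if ($LASTEXITCODE -ne 0) {
        throw "psconfig -cmd $($psargs[1]) failed with exit code $LASTEXITCODE"
    }
}
```

The secureresources step applies the file-system and registry ACLs for the WSS_ADMIN_WPG and WSS_WPG groups, which is the part of the wizard that gives the farm account its local permissions; skipping it leaves the farm account relying on broader group membership instead.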

Add the SharePoint Central Administration Web site to the list of trusted sites

1. In Internet Explorer, on the Tools menu, click Internet Options.


2. On the Security tab, in the Select a Web content zone to specify its security
settings box, click Trusted sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central
Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.

Configure proxy server settings to bypass the proxy server for local addresses

1. In Internet Explorer, on the Tools menu, click Internet Options.


2. On the Connections tab, in the Local Area Network (LAN) settings area, click
LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings
check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check
box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.

Add servers to the farm


We recommend that you install and configure Office SharePoint Server 2007 on all of your Web
servers and the index server before you configure Office SharePoint Server 2007 services and
create sites. If you want to build a minimal server farm configuration, and incrementally add Web
servers to expand the farm, you can install and configure Office SharePoint Server 2007 on a
single Web server and configure the Web server as both a Web server and an application server.
Regardless of how many Web servers you have in your server farm, you must have SQL Server
running on at least one back-end database server before you install Office SharePoint Server
2007 on your Web servers.

Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed
it, your farm might experience problems. It is not recommended that you install Office
SharePoint Server 2007 on an index server first.

Run Setup on additional servers — front-end Web servers


1. From the product disc, run Setup.exe, or from the product download, run
Officeserver.exe, on one of your Web server computers.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key

is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the following section.

Run Setup on additional servers — index or query server


1. From the product disc, run Setup.exe, or from the product download, run
Officeserver.exe, on one of your Web server computers.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the

configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers
After Setup finishes, you can use the SharePoint Products and Technologies Configuration
Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several
configuration tasks, including installing Office SharePoint Server 2007 services. Use the following
instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. Click Yes in the dialog box that notifies you that some services might need to be
restarted during configuration.
3. On the Connect to a server farm page, click Yes, I want to connect to an existing
server farm, and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database
server box, type the name of the computer that is running SQL Server.
5. Click Retrieve Database Names, and then from the Database name list, select the
database name that you created when you configured the first server in your server farm.
6. In the User name box, type the user name of the account used to connect to the
computer running SQL Server. (Be sure to type the user name in the format
DOMAIN\username.) This must be the same user account you used when configuring the
first server.
7. In the Password box, type the user's password, and then click Next.
8. On the Completing the SharePoint Products and Technologies Configuration Wizard
page, click Next.
9. On the Configuration Successful page, click Finish.

Start the Windows SharePoint Services Search service (optional)


You must start the Windows SharePoint Services Search service on every computer that you
want to search over Help content. If you do not want users to be able to search over Help
content, you do not need to start this service.

Start the Windows SharePoint Services Search service (optional)


1. On the SharePoint Central Administration home page, click the Operations tab on
the top link bar.

2. On the Operations page, in the Topology and Services section, click Services on
server.
3. On the Services on Server page, next to Windows SharePoint Services Search,
click Start.
4. On the Configure Windows SharePoint Services Search Service Settings page, in the
Service Account section, type the user name and password for the user account under
which the Windows SharePoint Services Search service account will run.
5. In the Content Access Account section, type the user name and password for the
user account that the search service will use to search over content. This account must
have read access to all the content you want it to search over. If you do not specify
credentials, the same account used for the search service will be used.
6. In the Indexing Schedule section, either accept the default settings, or specify the
schedule that you want the search service to use when searching over content.
7. After you have configured all the settings, click Start.

Stop the Central Administration service on all index servers


In farms with more than one index server, you should stop the Central Administration service on
all index servers. This service is used for the Central Administration site and is not required on
index servers. Stopping this service on index servers can help avoid URL resolution problems
with indexing. On the other hand, you must be sure that this service is started on the server that
hosts the Central Administration Web site, even if that server is also an index server. You do not
need to stop this service for installations where the farm has only one index server.
Before stopping the service on the index server, make sure that the service is running on
another server.

Stop the Central Administration service on an index server


1. On the Services on Server page, select the index server from the Server drop-down
list.
2. Under Select server role to display services you will need to start in the table
below, select the Custom option.
3. In the table of services, next to Central Administration, in the Action column, click
Stop.

Disable the Windows SharePoint Services Web Application service on all servers not serving
content
You should disable the Windows SharePoint Services Web Application service on all servers that
are not serving content, especially index servers. On the other hand, you must be sure that this
service is enabled on the servers that are serving content.

Disable the Windows SharePoint Services Web Application service on a server
1. On the SharePoint Central Administration home page, click the Operations tab on
the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on
server.
3. On the Services on Server page, next to Windows SharePoint Services Web
Application, click Stop.

Create and configure a Shared Services Provider


This section covers how to create and configure a single Shared Services Provider (SSP). An
SSP is a logical grouping of shared services and their supporting resources. In Office SharePoint
Server 2007, the SSP enables sharing services across multiple server farms, Web applications,
and site collections. For more information about configuring and using SSPs, see Chapter
overview: Create and configure Shared Services Providers.
In this phase, you create one or more SSPs and configure them to meet the needs of your farm.
Each server farm can host one or more SSPs, or consume services provided by an SSP on
another server farm. Each SSP runs in its own Web application, which contains one or more site
collections. Other Web applications on a server farm can be associated with any of the SSPs on
the farm. Shared services cannot be enabled or disabled separately from other shared services.
Web applications on a farm consume either all of the services of an SSP or none of them. For
more information about SSPs, see Plan Shared Services Providers
(http://technet.microsoft.com/en-us/library/cc263276.aspx).

Start the Office SharePoint Server Search service


You must start the Office SharePoint Server Search service on at least one computer that was set
up by using the Complete option during Setup. This service must be started on the computer that
you want to use as your index server and optionally as a query server before you can create an
SSP.

Start the Office SharePoint Server Search service on the index server
1. On the SharePoint Central Administration home page, click the Operations tab on
the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on
server.
3. In the Server list, select the server that you want to configure as an index server
and — optionally — as a query server.
4. On the Services on Server page, next to Office SharePoint Server Search, click
Start.
5. Select the Use this server for indexing content check box. This expands the page
and adds the Index Server Default File Location, Indexer Performance, and Web

Front End and Crawling sections.
6. If you want to use this server to service search queries, select the Use this server
for servicing search queries check box. This expands the page and adds the Query
Server Index File Location section. If not, skip to the next step.
7. In the Contact E-mail Address section, type the e-mail address you want external
site administrators to use to contact your organization if problems arise when their sites
are being crawled by your index server.
8. In the Farm Search Service Account section, specify the User name and
Password of the account under which the search service will run. This domain account
should not be a member of the Farm Administrators group in the Central Administration
Web site (the WSS_ADMIN_WPG Windows security group). For least privilege
scenarios, this should be a separate domain account, used only for this service. For more
information about this account, see Plan for administrative and service accounts
(http://technet.microsoft.com/en-us/library/cc263445.aspx).
9. Optionally, you can also configure other settings or accept the default settings.
10. When you have configured all the settings, click Start.

You can optionally use the following steps to start the Office SharePoint Server Search service on
computers that were set up by using the Complete option during Setup to deploy query servers.

Important:
If you selected the Use this server for servicing search queries option in step 6 of the
previous procedure, you cannot deploy additional query servers unless you first remove
the query server role from the index server.
For information about how to perform this procedure using the Stsadm command-line tool, see
Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).

Start the Office SharePoint Server Search service on query servers


1. On the SharePoint Central Administration home page, click the Operations tab on
the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on
server.
3. In the Server list, select the server that you want to configure as a query server.
4. On the Services on Server page, next to Office SharePoint Server Search, click
Start.
5. Select the Use this server for servicing search queries check box. This expands
the page and adds the Query Server Index File Location section.
6. In the Farm Search Service Account section, specify the User name and
Password of the account under which the search service will run. This domain account
should not be a member of the Farm Administrators group in the Central Administration
Web site (the WSS_ADMIN_WPG Windows security group). For least privilege
scenarios, this should be a separate domain account, used only for this service. For more
information about this account, see Plan for administrative and service accounts
(http://technet.microsoft.com/en-us/library/cc263445.aspx).
7. In the Query Server Index File Location section, in the Query server index file
location box, either type the location on the local drive of the query server on which you
want to store the propagated index, or accept the default path.
8. In the Query Server Index File Location section, select one of the following:
• Configure share automatically Select this option to automatically configure
the share on which you want to store the propagated index, and type the user name
and password of the account that you want to use to propagate the index
(recommended).

Important:
This account must be a member of the Administrators group and a member of
the WSS_ADMIN_WPG group on the query server before you proceed to the
next step, or propagation of the index will fail.
• I will configure the share with STSAdm Select this option if you want to use
the Stsadm command-line tool to create this share at a later time.
• Do nothing. The share is already configured Select this option if the share
already exists and the permissions to the share are configured as described above.
9. When you have configured all the settings, click Start.
For information about how to perform this procedure using the Stsadm command-line
tool, see Osearch: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262920.aspx).
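The following PowerShell script is an added example and is not part of the original guide; it is the command-line equivalent of the two Services on Server procedures above, with the account checks from step 8 of each procedure and from the Important note performed before the service is started. It assumes things the page does not state: that stsadm.exe is in the BIN folder of the 12 hive, that the -role values Index and Query and the -propagationlocation switch are as listed in the Osearch: Stsadm operation reference the page links to (verify them there), that PowerShell 2.0 is available, and that CONTOSO\svc-osearch, CONTOSO\svc-propagate, the contact e-mail address and D:\SearchIndex are placeholders. Run it on the server whose role you are starting, because stsadm acts on the local computer.

```powershell
# Added example, not from the original guide. Assumed (not from the page):
# stsadm location, the Index/Query role names, -propagationlocation, and all
# account, host and path names below.
$Stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"

# Enumerate a local Windows group through the WinNT ADSI provider and return
# its members as DOMAIN\name strings (works on PowerShell 1.0 and later).
function Get-LocalGroupMembers([string]$Computer, [string]$Group) {
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($grp.psbase.Invoke("Members"))) {
        $path = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        # "WinNT://CONTOSO/svc-osearch" -> "CONTOSO\svc-osearch"
        ($path -replace "^WinNT://", "") -replace "/", "\"
    }
}

function Test-LocalGroupMember([string]$Computer, [string]$Group, [string]$Account) {
    $members = @(Get-LocalGroupMembers $Computer $Group)
    return ($members -contains $Account)      # -contains is case-insensitive
}

function Start-SearchServiceRole {
    param(
        [string]$Role,                                            # "Index" or "Query"
        [System.Management.Automation.PSCredential]$ServiceCred,  # farm search service account
        [string]$ContactEmail,
        [string]$PropagationAccount = $null,                      # Query role only
        [string]$PropagationLocation = $null                      # Query role only
    )
    $me  = $env:COMPUTERNAME
    $svc = $ServiceCred.UserName

    # Step 8: the search service account must not be a farm administrator
    # (WSS_ADMIN_WPG). Local Administrators is checked as well, which is
    # stricter than the page requires.
    foreach ($g in "WSS_ADMIN_WPG", "Administrators") {
        if (Test-LocalGroupMember $me $g $svc) {
            throw "$svc is a member of $g on $me; use a dedicated domain account that is not a farm administrator."
        }
    }

    $stsadmArgs = @("-o", "osearch", "-action", "start", "-role", $Role,
                    "-farmcontactemail", $ContactEmail,
                    "-farmserviceaccount", $svc,
                    "-farmservicepassword", $ServiceCred.GetNetworkCredential().Password)

    if ($Role -eq "Query") {
        # Important note under step 8 of the query-server procedure: the account
        # that propagates the index must already be in both groups.
        foreach ($g in "Administrators", "WSS_ADMIN_WPG") {
            if (-not (Test-LocalGroupMember $me $g $PropagationAccount)) {
                throw "$PropagationAccount is not in $g on $me; index propagation would fail."
            }
        }
        $stsadmArgs += "-propagationlocation", $PropagationLocation
    }

    # The password is passed as a plain command-line argument, so anyone who can
    # list process command lines on this server can read it while stsadm runs.
    & $Stsadm $stsadmArgs
    if ($LASTEXITCODE -ne 0) { throw "stsadm osearch failed with exit code $LASTEXITCODE" }
}

# On the index server:
$cred = Get-Credential "CONTOSO\svc-osearch"
Start-SearchServiceRole -Role Index -ServiceCred $cred -ContactEmail "search-admin@contoso.com"

# On a query server (a different computer; see the Important note above):
# Start-SearchServiceRole -Role Query -ServiceCred $cred -ContactEmail "search-admin@contoso.com" `
#     -PropagationAccount "CONTOSO\svc-propagate" -PropagationLocation "D:\SearchIndex"
```

Prompting with Get-Credential keeps the service password out of the script file, but stsadm still receives it on the command line; run the script from an interactive session on the server rather than from a scheduled job whose command line is logged.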

Create a Web application to host the SSP and create the SSP

1. On the SharePoint Central Administration home page, click the Application


Management tab on the top link bar.
2. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm's shared services.
3. On the Manage this Farm's Shared Services page, click New SSP.
4. On the New Shared Services Provider page, in the SSP Name section, click Create
a new Web application.

Note:
If you see any items in the Web application drop-down list, a Web application
has already been created. You can either use this Web application or create
another.
5. On the Create New Web Application page, in the Application Pool section, specify
the User name and Password for the user account that the Web application pool will run
under.
6. You can also configure other settings on this page, or click OK to create the new Web
application.

Note:
By default, the Web application uses the default Web site in IIS and port 80. This
port might be used by other Web applications. Ensure that this port is open for
use, or choose another port before you click OK.

Note:
By default, Restart IIS Manually is selected. If you use this setting, you must
restart the default Web site in IIS, or restart the World Wide Web Publishing
Service (W3SVC) from the command line, for example by running iisreset /noforce.
7. On the New Shared Services Provider page, in the SSP Service Credentials
section, type the user name and password for the user account that the SSP service will
run under.
8. Optionally, you can also configure other settings.
9. When you have configured all the settings, click OK.
10. If you used the same Web application for the SSP administration site and the My
Sites site collection, you will be prompted to use separate Web applications for these site
collections. If you want to use the same Web application, click OK. For more information
about site planning, see Plan Web site structure and publishing
(http://technet.microsoft.com/en-us/library/cc262789.aspx).
11. After the SSP has been created, click OK on the confirmation page that appears.

Perform additional configuration tasks


After Setup finishes, your browser window opens to the home page of your new SharePoint site.
Although you can start adding content to the site or customizing the site, we recommend that you
first perform the following administrative tasks by using the SharePoint Central Administration
Web site.
• Configure incoming e-mail settings You can configure incoming e-mail settings so
that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-
mail settings so that SharePoint sites can archive e-mail discussions as they happen, save e-
mailed documents, and show e-mailed meetings on site calendars. In addition, you can
configure the SharePoint Directory Management Service to provide support for e-mail
distribution list creation and management. For more information, see Configure incoming e-
mail settings.
• Configure outgoing e-mail settings You can configure outgoing e-mail settings so that
your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and
notifications to site administrators. You can configure both the "From" e-mail address and the
"Reply" e-mail address that appear in outgoing alerts. For more information, see Configure
outgoing e-mail settings.
• Configure workflow settings Specify whether users can assemble new workflows, and
if participants without site access should be sent documents in e-mail attachments so they
can participate in document workflows. For more information, see Configure workflow
settings.
• Configure diagnostic logging settings You can configure several diagnostic logging
settings to help with troubleshooting. This includes enabling and configuring trace logs, event
messages, user-mode error messages, and Customer Experience Improvement Program
events. For more information, see Configure diagnostic logging settings.
• Configure antivirus protection settings You can configure several antivirus settings if
you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus
settings enable you to control whether documents are scanned on upload or download, and
whether users can download infected documents. You can also specify how long you want
the antivirus program to run before it times out, and you can specify how many execution
threads the antivirus program can use on the server. For more information, see Configure
antivirus settings.
• Configure search Before search queries can be serviced, content must first be
crawled. You can configure several search and index settings to customize how Office
SharePoint Server 2007 crawls your site content or external content. For more information,
see Configure the Office SharePoint Server Search service.
• Configure Excel Calculation Services Before you can use Excel Services, you must
start the service and add at least one trusted location. For more information, see C. Configure
Excel Services.

Perform administrator tasks by using the Central Administration site


1. Click Start, point to All Programs, point to Microsoft Office Server, and then click
SharePoint 3.0 Central Administration.
2. On the Central Administration home page, in the Administrator Tasks section,
click the task you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.

Create a site collection and a SharePoint site


This section guides you through the process of creating a single site collection containing a single
SharePoint site. You can create many site collections, and many sites under each site collection.
For more information, see V. Deploy and configure SharePoint sites.
You can create new portal sites or migrate pre-existing sites or content from a previous version of
Windows SharePoint Services. For information about planning SharePoint sites and site
collections, see Plan Web site structure and publishing (http://technet.microsoft.com/en-
us/library/cc262789.aspx). For information about migrating content, see Deploy new server farm
and migrate content (http://technet.microsoft.com/en-us/library/cc303436.aspx).

You can also migrate content from a pre-existing Microsoft Content Management Server 2002
source. For information, see Migrate from Microsoft Content Management Server 2002 to Office
SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261812.aspx).
Before you can create a site collection or a site, you must first create a Web application. A Web
application consists of an Internet Information Services (IIS) Web site with a unique application
pool.

Create a new Web application


1. Click the Start button, point to All Programs, then point to Microsoft Office Server,
and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the SharePoint Web Application
Management section, click Create or extend Web application.
4. On the Create or Extend Web Application page, in the Adding a SharePoint Web
Application section, click Create a new Web application.
5. On the Create New Web Application page, in the IIS Web Site section, you can
configure the settings for your new Web application.
a. To use an existing Web site, select Use an existing Web site, and then select the
Web site on which to install your new Web application from the drop-down menu.
b. To create a new Web site, select Create a new IIS Web site, and type the name of
the Web site in the Description box.
c. In the Port box, type the port number you want to use to access the Web
application. If you are creating a new Web site, this field is populated with a
suggested port number. If you are using an existing Web site, this field is populated
with the current port number.
d. In the Host Header box, type the URL you wish to use to access the Web
application. This is an optional field.
e. In the Path box, type the path to the site directory on the server. If you are
creating a new Web site, this field is populated with a suggested path. If you are
using an existing Web site, this field is populated with the current path.
6. In the Security Configuration section, configure authentication and encryption for
your Web application.
a. In the Authentication Provider section, choose either Negotiate (Kerberos) or
NTLM.
b. In the Allow Anonymous section, choose Yes or No. If you choose to allow
anonymous access, this enables anonymous access to the Web site by using the
computer-specific anonymous access account (that is, IUSR_<computername>).
c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you
choose to enable SSL for the Web site, you must configure SSL by requesting and
installing an SSL certificate.

7. In the Load Balanced URL section, type the URL for the domain name for all sites
that users will access in this Web application. This URL domain will be used in all links
shown on pages within the Web application. By default, the box is populated with the
current server name and port.
The Zone box is automatically set to Default for a new Web application and cannot be
changed from this page.
8. In the Application Pool section, choose whether to use an existing application pool
or create a new application pool for this Web application. To use an existing application
pool, select Use existing application pool. Then select the application pool you wish to
use from the drop-down menu.
a. To create a new application pool, select Create a new application pool.
b. In the Application pool name box, type the name of the new application pool, or
keep the default name.
c. In the Select a security account for this application pool section, select
Predefined to use an existing application pool security account, and then select the
security account from the drop-down menu.
d. Select Configurable to use an account that is not currently being used as a
security account for an existing application pool. In the User name box, type the user
name of the account you wish to use, and type the password for the account into the
Password box.
9. In the Reset Internet Information Services section, choose whether to allow Office
SharePoint Server 2007 to restart IIS on other farm servers. The local server must be
restarted manually for the process to finish. If this option is not selected and you have
more than one server in the farm, you must wait until the IIS Web site is created on all
servers and then run iisreset /noforce on each Web server. The new IIS site is not
usable until that action is completed. These choices are unavailable if your farm only
contains a single server.
10. Under Database Name and Authentication, choose the database server, database
name, and authentication method for your new Web application.

Database Server: Type the name of the database server and SQL Server instance you want to use
in the format <SERVERNAME\instance>. You may also use the default entry.
Database Name: Type the name of the database, or use the default entry.
Database Authentication: Choose whether to use Windows authentication (recommended) or
SQL authentication.
• If you want to use Windows authentication, leave this option selected.
• If you want to use SQL authentication, select SQL authentication. In the Account box, type
the name of the account you want the Web application to use to authenticate to the SQL
Server database, and then type the password in the Password box.

11. Click OK to create the new Web application, or click Cancel to cancel the process
and return to the Application Management page.
For information about how to perform this procedure using the Stsadm command-line
tool, see Createsiteinnewdb: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262407.aspx).

Create a site collection


1. On the SharePoint Central Administration home page, click the Application
Management tab on the top link bar.
2. On the Application Management page, in the SharePoint Site Management section,
click Create site collection.
3. On the Create Site Collection page, in the Web Application section, either select a
Web application to host the site collection from the Web Application drop-down list, or
create a new Web application to host the site collection.
4. In the Title and Description section, type a title and description for the site
collection.
5. In the Web Site Address section, select a URL type, and specify a URL for the site
collection.

6. In the Template Selection section, select a template from the tabbed template
control.
7. In the Primary Site Collection Administrator section, type the user account name
for the user you want to be the primary administrator for the site collection. You can also
browse for the user account by clicking the Book icon to the right of the text box. You can
verify the user account by clicking the Check Names icon to the right of the text box.
8. Optionally, in the Secondary Site Collection Administrator section, type the user
account for the user you want to be the secondary administrator for the site collection.
You can also browse for the user account by clicking the Book icon to the right of the text
box. You can verify the user account by clicking the Check Names icon to the right of the
text box.
9. Click Create to create the site collection.
For information about how to perform this procedure using the Stsadm command-line
tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262594.aspx).

Create a SharePoint site


1. On the SharePoint Central Administration home page, click the Application
Management tab on the top link bar.
2. On the Application Management page, in the SharePoint Site Management section,
click Site collection list.
3. On the Site Collection List page, in the URL column, click the URL for the site
collection to which you want to add a site. The full URL path for the site collection
appears in the URL box.
4. Copy and paste the full URL path into your browser, and then, on the home page of
the top-level site for the site collection, on the Site Actions menu, click Create.
5. On the Create page, in the Web Pages section, click Sites and Workplaces.
6. On the New SharePoint Site page, in the Title and Description section, type a title
and description for the site.
7. In the Web Site Address section, specify a URL for the site.
8. In the Template Selection section, select a template from the tabbed template
control.
9. Either change other settings, or click Create to create the site.
10. The new site opens.

After creating sites, you might want to configure alternate access mappings. Alternate access
mappings direct users to the correct URLs during their interaction with Office SharePoint Server
2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for
example). Alternate access mappings enable Office SharePoint Server 2007 to map Web
requests to the correct Web applications and sites, and they enable Office SharePoint Server
2007 to serve the correct content back to the user. For more information, see Plan alternate
access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).
For information about how to perform this procedure using the Stsadm command-line tool, see
Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).
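The following PowerShell script is an added example and is not part of the original guide; it shows the three procedures above (create a Web application, create a site collection, create a site) as stsadm commands run on the Central Administration server, preceded by the port check the note under step 6 of the SSP procedure and step 5c above ask for. It assumes things the page does not state: that the extendvs, createsite and createweb stsadm operations take the switches shown (taken from the Stsadm reference as I recall it; verify them there, in particular that omitting -exclusivelyusentlm leaves the Web application on Negotiate (Kerberos)), that stsadm.exe is in the BIN folder of the 12 hive, that PowerShell 2.0 is available, and that every host, account, database and e-mail name is a placeholder.

```powershell
# Added example, not from the original guide. Assumed (not from the page):
# stsadm location, the extendvs/createsite/createweb switches, and all
# host, account, database and e-mail names below.
$Stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"

# Port check: try to bind the port on all interfaces. If IIS (through HTTP.SYS)
# or anything else already listens on it, the bind fails and the port is taken.
function Test-TcpPortFree([int]$Port) {
    $listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
    try   { $listener.Start(); return $true }
    catch [System.Net.Sockets.SocketException] { return $false }
    finally { $listener.Stop() }
}

function Invoke-Stsadm([string[]]$Arguments) {
    & $Stsadm $Arguments
    if ($LASTEXITCODE -ne 0) { throw "stsadm $($Arguments[1]) failed with exit code $LASTEXITCODE" }
}

# "Create a new Web application": own IIS site and application pool, app pool
# under a dedicated domain account (step 8d, Configurable), content database
# accessed with Windows authentication (step 10, recommended). -Ntlm selects
# NTLM (step 6a); otherwise the application uses Negotiate (Kerberos), which
# also needs SPNs registered for the app pool account. -Anonymous enables
# access through IUSR_<computername> (step 6b).
function New-WebApplication([string]$Url, [string]$Owner, [string]$OwnerEmail,
                            [System.Management.Automation.PSCredential]$AppPoolCred,
                            [string]$DbServer, [string]$DbName,
                            [switch]$Ntlm, [switch]$Anonymous) {
    $port = ([Uri]$Url).Port
    if (-not (Test-TcpPortFree $port)) {
        throw "Port $port is already in use on $env:COMPUTERNAME; choose another port (step 5c)."
    }
    $a = @("-o", "extendvs", "-url", $Url,
           "-ownerlogin", $Owner, "-owneremail", $OwnerEmail,
           "-description", "SharePoint - $port",
           "-apidname", "SharePoint - $port",
           "-apidtype", "configurableid",
           "-apidlogin", $AppPoolCred.UserName,
           "-apidpwd", $AppPoolCred.GetNetworkCredential().Password,
           "-databaseserver", $DbServer, "-databasename", $DbName,
           "-donotcreatesite")
    if ($Ntlm)      { $a += "-exclusivelyusentlm" }
    if ($Anonymous) { $a += "-allowanonymous" }
    Invoke-Stsadm $a
}

# "Create a site collection": primary and secondary administrators (steps 7-8),
# STS#0 is the Team Site template.
function New-SiteCollection([string]$Url, [string]$Title, [string]$Owner, [string]$OwnerEmail,
                            [string]$SecondaryOwner, [string]$SecondaryEmail) {
    Invoke-Stsadm @("-o", "createsite", "-url", $Url, "-title", $Title,
                    "-ownerlogin", $Owner, "-owneremail", $OwnerEmail,
                    "-secondarylogin", $SecondaryOwner, "-secondaryemail", $SecondaryEmail,
                    "-sitetemplate", "STS#0")
}

# "Create a SharePoint site": a subsite below the top-level site.
function New-SubSite([string]$Url, [string]$Title) {
    Invoke-Stsadm @("-o", "createweb", "-url", $Url, "-title", $Title, "-sitetemplate", "STS#0")
}

$pool = Get-Credential "CONTOSO\svc-portalpool"
New-WebApplication -Url "http://portal.contoso.com:8080" -Owner "CONTOSO\sp-admin" `
    -OwnerEmail "sp-admin@contoso.com" -AppPoolCred $pool `
    -DbServer "SQL01\SHAREPOINT" -DbName "WSS_Content_Portal" -Ntlm
# In a multi-server farm, run iisreset /noforce on every Web server here (step 9)
# before the new IIS site is usable.
New-SiteCollection -Url "http://portal.contoso.com:8080" -Title "Contoso Portal" `
    -Owner "CONTOSO\sp-admin" -OwnerEmail "sp-admin@contoso.com" `
    -SecondaryOwner "CONTOSO\sp-admin2" -SecondaryEmail "sp-admin2@contoso.com"
New-SubSite -Url "http://portal.contoso.com:8080/projects" -Title "Projects"
```

The bind test is a quick pre-flight only; it reports a port as free when nothing listens on 0.0.0.0, so also check the existing IIS site bindings if the server uses IP-specific listeners.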

Configure the trace log


The trace log can be useful for analyzing problems that might occur. You can use events that are
written to the trace log to identify what configuration changes were made in Office SharePoint
Server 2007 before the problem occurred.
By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This
means that trace log files that contain events that are older than two days are deleted. Whether
you are using the Office SharePoint Server Search service or the Windows SharePoint Services
Search service, we recommend that you configure the trace log to save seven days of events.
You can use the Diagnostic Logging page in Central Administration to configure the maximum
number of trace log files to maintain and how long (in minutes) to capture events to each log file.
By default, 96 log files are kept, each one containing 30 minutes of events.
96 log files * 30 minutes of events per file = 2880 minutes or two days of events.
You can also specify the location where the log files are written or accept the default path.

Configure the trace log to save seven days of events


1. In Central Administration, on the Operations tab, in the Logging and Reporting
section, click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
• In the Number of log files box, type 336.
• In the Number of minutes to use a log file box, type 30.

Tip:
To save 10,080 minutes (seven days) of events, you can use any
combination of number of log files and minutes to store in each log file.
3. Ensure that the path specified in the Path box has enough room to store the extra log
files or change the path to another location.

Tip:
We recommend that you store log files on a hard drive partition that is used to
store log files only.
4. Click OK.

Trace log files can help you to troubleshoot issues related to configuration changes of either the
Office SharePoint Server Search service or the Windows SharePoint Services Search service.
Because problems related to configuration changes are not always immediately discovered, we
recommend that you save all trace log files that the system creates on any day that you make any
configuration changes related to either search service. Store these log files for an extended
period of time in a safe location that will not be overwritten. See step 3 in the previous procedure
to determine the location that the system stores trace log files for your system.
For information about how to perform this procedure using the Stsadm command-line tool, see
Logging and events: Stsadm operations (http://technet.microsoft.com/en-
us/library/cc262191.aspx).
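The following PowerShell script is an added example and is not part of the original guide; it shows the arithmetic behind the 96 x 30 minute default and the 336-file setting, the free-space check step 3 asks for, and the archiving of a change-day's trace logs that the paragraph above recommends. It assumes things the page does not state: that the default trace log folder is the LOGS folder of the 12 hive, that E:\SPTraceArchive is a placeholder, and that the size of future log files can be estimated from the files already present.

```powershell
# Added example, not from the original guide. Assumed (not from the page):
# the default log folder, the archive path, and the size estimate.
$DefaultLogPath = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\LOGS"

# 96 files * 30 minutes = 2880 minutes = 2 days; 7 days at 30 minutes per file
# needs 10080 / 30 = 336 files.
function Get-TraceLogRetentionDays([int]$Files, [int]$MinutesPerFile) {
    return ($Files * $MinutesPerFile) / 1440
}
function Get-TraceLogFilesForDays([int]$Days, [int]$MinutesPerFile) {
    return [int][math]::Ceiling(($Days * 1440) / $MinutesPerFile)
}

# Step 3: does the volume holding $LogPath have room for $Files files of the
# average size of the trace logs already there?
function Test-TraceLogFreeSpace([string]$LogPath, [int]$Files) {
    $existing = @(Get-ChildItem -Path $LogPath -Filter *.log | Where-Object { -not $_.PSIsContainer })
    if ($existing.Count -eq 0) { throw "No trace logs in $LogPath to estimate from" }
    $avg    = ($existing | Measure-Object -Property Length -Average).Average
    $needed = [long]($avg * $Files)
    $drive  = (Get-Item $LogPath).PSDrive.Name + ":"      # local drive letter only
    $disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    Write-Host ("Need about {0:N0} MB for {1} files; {2:N0} MB free on {3}" -f `
        ($needed / 1MB), $Files, ($disk.FreeSpace / 1MB), $drive)
    return ($disk.FreeSpace -gt $needed)
}

# Copy every trace log written on $Date to a location that the 336-file
# rollover never overwrites, mark the copies read-only, return the count.
function Copy-TraceLogsForDate([string]$LogPath, [datetime]$Date, [string]$ArchivePath) {
    if (-not (Test-Path $ArchivePath)) { New-Item -ItemType Directory -Path $ArchivePath | Out-Null }
    $logs = @(Get-ChildItem -Path $LogPath -Filter *.log |
              Where-Object { $_.LastWriteTime.Date -eq $Date.Date })
    foreach ($f in $logs) {
        $dest = Join-Path $ArchivePath $f.Name
        Copy-Item -Path $f.FullName -Destination $dest
        (Get-Item $dest).IsReadOnly = $true
    }
    return $logs.Count
}

$files = Get-TraceLogFilesForDays -Days 7 -MinutesPerFile 30    # 336
if (-not (Test-TraceLogFreeSpace $DefaultLogPath $files)) {
    Write-Warning "Move the trace log path to a larger, log-only volume before raising the file count."
}
# On a day you changed search configuration:
$archived = Copy-TraceLogsForDate $DefaultLogPath (Get-Date) "E:\SPTraceArchive\$(Get-Date -Format yyyy-MM-dd)"
Write-Host "Archived $archived trace log files"
```

Run the archive step at the end of the change day, so the log file that was still open when the change was made has been rolled over and is complete.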

Deploy using DBA-created databases
In this topic:
• About deploying by using DBA-created databases
• Required database hardware and software
• Required accounts
• Create and configure the databases

About deploying by using DBA-created databases


In many IT environments, database administrators (DBAs) create and manage databases.
Security policies and other policies in your organization might require that DBAs create the
databases required by Microsoft Office SharePoint Server 2007.
This section describes how to deploy Office SharePoint Server 2007 in an environment in which
DBAs create and manage databases: the DBA creates the databases and the farm administrator
configures them. The deployment includes all the required databases, one portal site, a Shared
Services Administration Web site, My Sites, and one Shared Services Provider (SSP). This section
only applies to farms that use Microsoft SQL Server 2000 with the most recent service pack or
Microsoft SQL Server 2005 database software.
Some procedures in this section use the Psconfig or Stsadm command-line tools. These tools are
located in the following folder: Program Files\Common Files\Microsoft Shared\web server
extensions\12\BIN.

Note:
This section does not cover using the Office SharePoint Server 2007 graphical user
interface tools to create or configure databases. For information about creating and
configuring databases by using the Office SharePoint Server 2007 graphical user
interface tools, see Deploy in a simple server farm.
Using these procedures, the DBA will create databases and the farm administrator will perform
other configuration actions in the following order:
• The configuration database (only one per farm).
• The content database for Central Administration (only one per farm).
• Central Administration Web application (only one per farm, created by Setup).
• The Windows SharePoint Services search database (only one per farm).
• Start the Office SharePoint Search service.
For each portal site:
• Portal site Web application content database.
For each SSP:
• A content database for the My Sites Web application (if the SSP is using its own Web
application).
• A content database for the Shared Services Administration Web application (if the SSP is
using its own Web application).
• SSP Search database (one per SSP).
• SSP Web application (created by Setup if the SSP is using its own Web application).

Note:
As part of the Web site and application pool creation process, a Web application is also
created in Internet Information Services (IIS). Extending a Web application will create an
additional Web site in IIS, but not an additional application pool.

Required database hardware and software


Before you install and configure the databases, be sure that your database servers have the
recommended hardware and software. For more information about these requirements, see
Determine hardware and software requirements (http://technet.microsoft.com/en-
us/library/cc262485.aspx).
There are also requirements specific to the database server, and, if you are using SQL Server
2005 database software, the DBA must configure surface area settings so that local and remote
connections use TCP/IP only.
All of the databases required by Office SharePoint Server 2007 use the
Latin1_General_CI_AS_KS_WS collation. All of the databases require that the Setup user
account be assigned to them as the database owner (dbo, or db_owner).
For more information about the security requirements for these databases, see Plan for
administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

Required accounts
The DBA needs to create SQL Server logins for the accounts that are used to access the
databases for Office SharePoint Server 2007 and add them to the appropriate SQL Server roles.
For more information about the required accounts, including specific permissions and roles
required for these accounts, see Plan for administrative and service accounts
(http://technet.microsoft.com/en-us/library/cc263445.aspx).

The following table describes the accounts that are used to access the databases for Office
SharePoint Server 2007.

Account: SQL Server service account
Purpose: Used as the service account for the following SQL Server services:
• MSSQLSERVER
• SQLSERVERAGENT
If you are not using the default instance, these services will be shown as:
• MSSQL$InstanceName
• SQLAgent$InstanceName
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two
options:
• Assign one of the built-in system accounts (Local System, Network Service, or Local
Service) to the logon for the configurable SQL Server services. For more information about
these accounts and security considerations, refer to the Setting Up Windows Service
Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in the SQL
Server documentation.
• Assign a domain user account to the logon for the service. However, if you use this option
you must take the additional steps required to configure Service Principal Names (SPNs) in
Active Directory in order to support Kerberos authentication, which SQL Server uses.

Account: Setup user account
Purpose: Used to run the following:
• Setup on each server
• The SharePoint Products and Technologies Configuration Wizard
• The Psconfig command-line tool
• The Stsadm command-line tool
Requirements:
• Domain user account
• Member of the Administrators group on each server on which Setup is run
• SQL Server login on the computer running SQL Server
• Member of the following SQL Server security roles:
  • securityadmin fixed server role
  • dbcreator fixed server role
If you run Stsadm command-line tool commands that read from or write to a database, this
account must be a member of the db_owner fixed database role for the database.

Account: Server farm account / database access account
Purpose: Used to:
• Act as the application pool identity for the SharePoint Central Administration application
pool.
• Run the Windows SharePoint Services Timer service.
Requirements:
• Domain user account.
• If the server farm is a child farm with Web applications that consume shared services from a
larger farm, this account must be a member of the db_owner fixed database role on the
configuration database of the larger farm.
Additional permissions are automatically granted for this account on Web servers and application
servers that are joined to a server farm. This account is automatically added as a SQL Server
login on the computer running SQL Server and added to the following SQL Server security roles:
• dbcreator fixed server role
• securityadmin fixed server role
• db_owner fixed database role for all databases in the server farm

Note:
If you are using the least-privilege principle for added security, use a different account for
each service, process, and application pool identity for each Web application. Each SSP
will use two accounts, one for the SSP service account and one for the application pool
identity for the Shared Services Administration Web application.

Create and configure the databases


Use the procedures in this section to create the required databases and give the accounts
membership in the database Users security group and database roles.
The procedures require action by the DBA and the Setup user account. Each step is labeled
[DBA] or [Setup] to indicate which role performs the action.
The following procedure will only have to be performed once for the farm, on the server you want
to run the Central Administration Web site. The farm only has one configuration database and one
content database for Central Administration.

Create and configure the configuration database, the Central Administration content
database, and the Central Administration Web application
1. [DBA] Create the configuration database and the Central Administration content
database using the LATIN1_General_CI_AS_KS_WS collation sequence and set the
database owner (dbo) to be the Setup user account.
2. [Setup] Run Setup on each server computer in the farm. You must run Setup on at
least one of these computers by using the Complete installation option.
Note:
The rest of the farm servers will be configured after the procedures in the article
are finished and the farm is established. You will run the SharePoint Products
and Technologies Configuration Wizard on these servers by selecting the Yes, I
want to connect to an existing server farm option, instead of by using the
commands used in this procedure.
3. [Setup] On the server on which you used the Complete installation option, do not run
the SharePoint Products and Technologies Configuration Wizard after Setup. Instead
open the command line, and then run the following command to configure the databases:
Psconfig -cmd configdb -create -server <SqlServerName> -database
<SqlDatabaseName> -user <DomainName\UserName> -password <password>
-admincontentdatabase <SqlAdminContentDatabaseName>

Note:
<SqlDatabaseName> is the configuration database. -user is the server farm
account. <SqlAdminContentDatabaseName> is the Central Administration
content database.
4. [Setup] After the command has completed, run the SharePoint Products and
Technologies Configuration Wizard and complete the remainder of the configuration for
the server. This creates the Central Administration Web application and performs other
setup and configuration tasks.
5. [DBA] After the SharePoint Products and Technologies Configuration Wizard has
completed, perform the following actions for both the configuration database and the
Central Administration content database:
• Add the Office SharePoint Server Search account, default content access
account, and the SSP service account to the Users group.
• Add the Office SharePoint Server Search account, default content access
account, and the SSP service account to the WSS_Content_Application_Pools role.
6. [Setup] To confirm that the databases were created and correctly configured, verify
that the home page of the Central Administration Web site can be accessed. However, do
not configure anything by using Central Administration at this time. If the Central
Administration page does not render, verify the accounts used in this procedure and
ensure that they are properly assigned.

The following procedure will only have to be performed once for the farm. The farm has only one
Windows SharePoint Services search database.

Create and configure the Windows SharePoint Services Search database and start the
Windows SharePoint Services Search service
1. [DBA] Create the Windows SharePoint Services Search database using the
LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo)
to be the Setup user account.
2. [Setup] Open the command line, and then run the following command to configure
the database and start the Windows SharePoint Services Search service:
stsadm -o spsearch -action start -farmserviceaccount <DomainName\UserName>
-farmservicepassword <password> -farmcontentaccessaccount
<DomainName\UserName> -farmcontentaccesspassword <password>
-databaseserver <server\instance> -databasename <DatabaseName>

Note:
-farmserviceaccount is the server farm account. -farmcontentaccessaccount
is the Office SharePoint Services Search service account. For -databaseserver,
if you are using the default instance of SQL Server, you only have to specify the
name of the computer running SQL Server.

The following procedure must be performed once for each server running indexing or search
queries in the farm.

Start the Office SharePoint Server Search service on each server that will run search
queries or indexing
1. [Setup] Open the command line, and then run the following command:
stsadm -o osearch -action start -role <OsearchRole> -farmcontactemail
<FarmContactEmail> -farmserviceaccount <DomainName\UserName>
-farmservicepassword <password>
For additional information, see Osearch: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc262920.aspx).

Note:
farmserviceaccount is the server farm account. role specifies what type of server
role the server plays. The values for OsearchRole can be "Index", "Query", or
"IndexQuery". For more information about these options, see Add query servers to
expand a farm (http://technet.microsoft.com/en-us/library/cc297192.aspx).

The following procedure will only have to be performed once for the farm. The farm only has one
My Sites database. The My Sites Web application typically is hosted by its own SSP.

Create and configure the content database and Web application for My Sites
1. [DBA] Create the My Sites content database using the
LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo)
to be the Setup user account.
2. [DBA] Add the SSP service account to the db_owner role for the My Sites Web
application content database.
3. [Setup] Open the command line, and then run the following command to configure
the My Sites content database:
stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm
-databaseserver <DatabaseServerName> -databasename <DatabaseName>
-apidtype configurableid -description <IISWebSiteName> -apidname
<AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>
For additional information, see Extendvs: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc263040.aspx).

Note:
url is the URL (in the form http://hostname:port) of the My Sites Web application.
databasename is the content database for the My Sites Web application.
description is the text name you give to the Web site in IIS. apidname is the text
name that you give to the Web application pool in IIS. apidlogin is the identity for
the application pool in IIS. This is the application pool process account. If you are
using Kerberos v5 authentication rather than NTLM authentication, use the
negotiate parameter rather than the exclusivelyusentlm parameter.

Important:
This command must be run on the same computer that is indicated in the url
parameter. This is the same computer that is running the My Sites Web
application. The host name and port combination must not describe a Web
application that already exists or an error will result without creating the Web
application.
4. [Setup] Open the command line, and then run the following command to restart IIS:
iisreset /noforce.

You must create a Shared Services Administration site Web application for every SSP in the farm.

Create the content database and the Web application for the Shared Services
Administration site
1. [DBA] Create the Shared Services Administration site content database using the
LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo)
to be the Setup user account.
2. [DBA] Using SQL Server Management Studio, add the SSP service account to the
Users group and then to the db_owner role for the Shared Services Administration site
content database.
3. [Setup] Open the command line, and then run the following command to create the
Shared Services Administration site Web application and configure the content database:

stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm
-databaseserver <DatabaseServerName> -databasename <DatabaseName>
-apidtype configurableid -description <IISWebSiteName> -apidname
<AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>
For additional information, see Extendvs: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc263040.aspx).

Note:
url is the URL (in the form http://hostname:port) of the Shared Services
Administration site Web application. databasename is the content database for
the Shared Services Administration site Web application. description is the text
name you give to the Web site in IIS. apidname is the text name that you give to
the application pool in IIS. apidlogin is the identity for the application pool in IIS.
This is the application pool process account. If you are using Kerberos v5
authentication rather than NTLM authentication, use the negotiate parameter
rather than the exclusivelyusentlm parameter.

Important:
This command must be run on the same computer that is indicated in the url
parameter. This is the same computer that is running the Shared Services
Administration Web application. The host name and port combination must not
describe a Web application that already exists or an error results and the Web
application is not created.
4. [Setup] Open the command line, and then run the following command to restart IIS:
iisreset /noforce.

The following procedure will have to be performed once for each portal site in the farm.

Create and configure the portal site Web application content database
1. [DBA] Create the portal site Web application content database using the
LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo)
to be the Setup user account.
2. [DBA] Using Microsoft SQL Server Management Studio, add the SSP Service
account to the Users group and then to the db_owner role for the portal site Web
application content database.
3. [Setup] Open the command line, and then run the following command to configure
the portal site Web application content database:
stsadm.exe -o extendvs -url <url> -donotcreatesite -exclusivelyusentlm
-databaseserver <DatabaseServerName> -databasename <DatabaseName>
-apidtype configurableid -description <IISWebSiteName> -apidname
<AppPoolName> -apidlogin <DomainName\UserName> -apidpwd <password>
For additional information, see Extendvs: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc263040.aspx).

Note:
url is the URL (in the form http://hostname:port) of the portal site Web
application. databasename is the content database for the portal site Web
application. description is the text name you give to the Web site in IIS.
apidname is the text name that you give to the Web application pool in IIS.
apidlogin is the identity for the application pool in IIS. This is the application pool
process account. If you are using Kerberos v5 authentication rather than NTLM
authentication, use the negotiate parameter rather than the exclusivelyusentlm
parameter.

Important:
This command must be run on the same computer that is indicated in the url
parameter. This is the same computer that is running the Web application. The
host name and port combination must not describe a Web application that
already exists or an error results and the Web application is not created.
4. [Setup] Open the command line, and then run the following command to restart IIS:
iisreset /noforce.

The following procedure must be performed once for each SSP in the farm.

Create and configure the SSP content database and SSP Search database, and then
create and configure the SSP
1. [DBA] Create the SSP content database and the SSP Search database using the
LATIN1_General_CI_AS_KS_WS collation sequence and set the database owner (dbo)
to be the Setup user account.
2. [DBA] Using Microsoft SQL Server Management Studio, add the following accounts
to the Users group and then to the db_owner role in both databases:
• Server farm account
• SSP Service account
• Windows SharePoint Services Search service account
• Office SharePoint Server Search service account
• Application pool process account. This is the Web application pool identity for
each Web application associated with the SSP. In this section, these are the Shared
Services Administration Web application and the My Sites site Web application.
3. [Setup] Open the command line, and then run the following command to create the
SSP (the SSP will use the DBA-created SSP content database and the SSP Search
database):
stsadm -o createssp -title <SSPName> -url <url> -mysiteurl <url> -ssplogin
<UserName> -ssppassword <password> -indexserver <IndexServerName>
-indexlocation <IndexFilePath> -sspdatabaseserver <SSPDatabaseServerName>
-sspdatabasename <SSPDatabaseName> -searchdatabaseserver
<SearchDatabaseServer> -searchdatabasename <SearchDatabaseName>

For additional information, see Createssp: STSadm operation
(http://technet.microsoft.com/en-us/library/cc262773.aspx).

Note:
url is the URL (in the format http://hostname:port/ssp/admin) of the Shared
Services Administration site. mysiteurl is the URL (in the format
http://hostname:port) of the My Sites Web site. ssplogin is the SSP service
account in the format domain\username. indexserver is the name of the server
that the index is hosted on. indexlocation is the directory on the index server
where the farm administrator specified the index to be stored. By default this is
SystemDrive:\Program Files\Microsoft Office Servers\12.0\Data\Office
Server\Applications.

Important:
This command must be run on the same computer that is indicated in the url
parameter. This is the same computer that is running the Web applications. In
this section, this is the server where the Shared Services Administration site Web
application and the My Sites Web application are running.

Note:
For more information about properly sizing these databases, see Estimate
performance and capacity requirements (http://technet.microsoft.com/en-
us/library/cc261716.aspx) and Estimate performance and capacity requirements for
portal collaboration environments (http://technet.microsoft.com/en-
us/library/cc263100.aspx).
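The extendvs and createssp procedures above all carry the same Important note: the command must be run on the computer named in the url parameter, and the host name and port must not already be in use by a Web application. The following PowerShell script is an added example, not code from this book or from Microsoft, that wraps the extendvs command with the checks a practitioner would want before running it: the URL is validated and its host name resolved against the local computer's addresses, the application pool identity is checked for DomainName\UserName form, the password is prompted for rather than typed into the command line, and the stsadm exit code is checked before IIS is restarted. The same local-host check applies to createssp. Server, database and account names in the example call are placeholders.

```powershell
# Added example, not code from the TechNet book: pre-flight checks wrapped
# around the stsadm extendvs command used in the procedures above. extendvs
# and createssp must be run on the computer named in -url, so the host name
# in the URL is resolved and compared with this computer's addresses first.
# Server, account and database names are placeholders.

function Test-LocalWebAppUrl {
    param([string]$Url)

    # The URL must be absolute and of the form http://hostname:port.
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        throw "Not an absolute URL: $Url"
    }
    if ($uri.Scheme -ne 'http' -and $uri.Scheme -ne 'https') {
        throw "Unexpected scheme '$($uri.Scheme)' in $Url"
    }

    # Resolve the host named in the URL and compare with this computer's addresses.
    $target = @([System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.ToString() })
    $local  = @([System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
                ForEach-Object { $_.ToString() }) + @('127.0.0.1', '::1')

    $isLocal = $false
    foreach ($address in $target) {
        if ($local -contains $address) { $isLocal = $true }
    }
    if (-not $isLocal) {
        throw "$($uri.Host) does not resolve to this computer; run the command on the server that will host $Url"
    }
    return $uri
}

function Invoke-ExtendVs {
    param(
        [string]$Url,             # http://hostname:port of the new Web application
        [string]$DatabaseServer,  # server or server\instance holding the DBA-created database
        [string]$DatabaseName,
        [string]$SiteDescription, # IIS Web site name
        [string]$AppPoolName,     # IIS application pool name
        [string]$AppPoolLogin,    # application pool identity, DomainName\UserName
        [switch]$UseKerberos      # pass -negotiate instead of -exclusivelyusentlm
    )
    $null = Test-LocalWebAppUrl $Url
    if ($AppPoolLogin -notmatch '^[^\\]+\\[^\\]+$') {
        throw "AppPoolLogin must be in DomainName\UserName form: $AppPoolLogin"
    }

    # Prompt for the pool password rather than typing it into the command line,
    # so it does not land in the shell history. stsadm itself still takes it as a
    # plain-text argument, so run this from an interactive session on the server.
    $secure = Read-Host "Password for $AppPoolLogin" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    $authFlag = '-exclusivelyusentlm'
    if ($UseKerberos) { $authFlag = '-negotiate' }

    # stsadm.exe ships in the 12 hive under the common files folder.
    $stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'
    & $stsadm -o extendvs -url $Url -donotcreatesite $authFlag `
        -databaseserver $DatabaseServer -databasename $DatabaseName `
        -apidtype configurableid -description $SiteDescription `
        -apidname $AppPoolName -apidlogin $AppPoolLogin -apidpwd $plain
    $plain = $null
    if ($LASTEXITCODE -ne 0) { throw "stsadm extendvs failed with exit code $LASTEXITCODE" }

    # The procedures end with an IIS restart; /noforce lets in-flight requests finish.
    & iisreset /noforce
}

# Example call with placeholder values (assumed, not from the book):
Invoke-ExtendVs -Url 'http://sp-web01:8081' -DatabaseServer 'SQL01' `
    -DatabaseName 'MySites_Content' -SiteDescription 'My Sites' `
    -AppPoolName 'MySitesAppPool' -AppPoolLogin 'CONTOSO\sp-mysites'
```

The function stops before stsadm is invoked if the URL points at another computer, which is the case the Important notes warn about; a failed stsadm run stops the script before iisreset, so a half-configured Web application is not hidden behind a successful-looking restart.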

Deploy a simple farm on the Windows Server
2008 operating system
In this section:
• Deployment overview
• Deploy and configure the server infrastructure
• Perform additional configuration tasks
• Create a site collection and a SharePoint site
• Configure the trace log
As of the release of Microsoft Office SharePoint Server 2007 Service Pack 1 (SP1), you can
install Office SharePoint Server 2007 on a server running Windows Server 2008. As with the
Windows Server 2003 operating system, you must download and run Setup and the SharePoint
Products and Technologies Configuration Wizard. You cannot install Office SharePoint Server
2007 without service packs on Windows Server 2008.

Important:
Office SharePoint Server 2007 requires the following components: the Web Server role,
Windows Internal Database, and the Microsoft .NET Framework. Office SharePoint
Server 2007 will cease to run if you uninstall these components.

Deployment overview
You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a
large number of sites, if you want the best possible performance, or if you want the scalability of a
multi-tier topology. A server farm consists of one or more servers dedicated to running Office
SharePoint Server 2007.

Note:
There is no direct upgrade from a stand-alone installation to a farm installation.

Important:
This section discusses how to perform a clean installation of Office SharePoint Server
2007 with SP1 in a server farm environment on Windows Server 2008. It does not cover
upgrading the operating system from Windows Server 2003 to Windows Server 2008.

Note:
This section does not cover installing Office SharePoint Server 2007 on a single
computer as a stand-alone installation on Windows Server 2008. For more information,
see Perform a stand-alone installation of Office SharePoint Server 2007 on Windows
Server 2008.
Because a server farm deployment of Office SharePoint Server 2007 is more complex than a
stand-alone deployment, we recommend that you plan your deployment. Planning your
deployment can help you to gather the information you need and to make important decisions
before beginning to deploy. For information about planning, see Planning and architecture for
Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).

Deploying Office SharePoint Server 2007 in a DBA environment


In many IT environments, database creation and management are handled by the database
administrator (DBA). Security and other policies might require that the DBA create the databases
required by Office SharePoint Server 2007. For more information about deploying using DBA-
created databases, including detailed procedures that describe how the DBA can create these
databases, see Deploy using DBA-created databases.

Suggested topologies
Server farm environments can encompass a wide range of topologies and can include many
servers or as few as two servers.
A server farm typically consists of a database server and one or more servers running Internet
Information Services (IIS) and Office SharePoint Server 2007. In this configuration, the front-end
servers are configured as Web servers. The Web server role provides Web content and services
such as search.
A large server farm typically consists of two or more clustered database servers, several load-
balanced front-end Web servers running IIS and Office SharePoint Server 2007, and two or more
servers providing Search services.
When you install Office SharePoint Server 2007, you can decide if you want to perform a
complete installation, which results in an application server, or to install just a front-end Web
server. The main difference between an application server installation and a front-end Web server
installation is the ability to run services such as the Search service. Since the front-end Web
server installation is a subset of the application server installation, if necessary, you can use an
application server as a front-end Web server; however, you should note that this configuration
increases the attack surface area on the server.

Before you begin deployment


This section provides information about actions that you must perform before you begin
deployment.
• To deploy Office SharePoint Server 2007 in a server farm environment on computers running
Windows Server 2008, you must provide credentials for several different accounts. For
information about these accounts, see Plan for administrative and service accounts
(http://technet.microsoft.com/en-us/library/cc263445.aspx).

• All the Office SharePoint Server 2007 installations in the server farm must be in the same
language. For example, you cannot have both an English version of Office SharePoint Server
2007 and a Japanese version of Office SharePoint Server 2007 in the same server farm.

Note:
We recommend that you read the Known Issues and the Readme documentation
before you install Office SharePoint Server 2007 on a domain controller. Installing
Office SharePoint Server 2007 on a domain controller requires additional
configuration steps that are not discussed in this section.
• All of the Office SharePoint Server 2007 installations must be running the same software
update. For example, if one of the servers is updated to Post Service Pack 1 rollup, you
should update all of the Office SharePoint Server 2007 servers in the server farm to that
software update.

Overview of the deployment process


The deployment process consists of two phases: deploying and configuring the server
infrastructure, and deploying and configuring SharePoint site collections and sites.

Phase 1: Deploy and configure the server infrastructure


Deploying and configuring the server infrastructure consists of the following steps:
• Preparing the database server.
• Pre-installing databases (optional).
• Verifying that the servers meet hardware and software requirements.
• Running Setup on all servers you want to be in the server farm, installing SP1, and then
running the SharePoint Products and Technologies Configuration Wizard.
• Starting the Windows SharePoint Services Search service. This is an optional step, but
we recommend you start the Search service because it is used to search the Office
SharePoint Server 2007 Help.

Phase 2: Deploy and configure SharePoint site collections and sites


Deploying and configuring SharePoint site collections and sites consists of the following steps:
• Creating site collections.
• Creating SharePoint sites.

Deploy and configure the server infrastructure


Prepare the database server
The Office SharePoint Server 2007 Setup program automatically creates the necessary
databases when you install and configure Office SharePoint Server 2007. Optionally, if your IT
environment or policies require, you can preinstall the required databases.
For more information about prerequisites, see Determine hardware and software requirements
(http://technet.microsoft.com/en-us/library/cc262485.aspx).
We recommend that you run Microsoft SQL Server 2005 on the database server. However, both
Microsoft SQL Server 2005 and Microsoft SQL Server 2000 database software with the most
recent service pack are supported. If you are using SQL Server 2005, you must also change the
surface area settings.

Configure surface area settings in SQL Server 2005


1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to
Configuration Tools, and then click SQL Server Surface Area Configuration.
2. In the SQL Server 2005 Surface Area Configuration dialog box, click Surface Area
Configuration for Services and Connections.
3. In the tree view, expand the node for your instance of SQL Server, expand the
Database Engine node, and then click Remote Connections.
4. Select Local and Remote Connections, select Using both TCP/IP and named
pipes, and then click OK.

SQL Server and database collation


The SQL Server collation must be case-insensitive. The SQL Server database collation must
be case-insensitive, accent-sensitive, Kana-sensitive, and width-sensitive. This ensures that
file name uniqueness is consistent with the Windows operating system. For more information
about collations, see Selecting a SQL Collation
(http://go.microsoft.com/fwlink/?LinkId=121667&clcid=0x409) or Collation Settings in Setup
(http://go.microsoft.com/fwlink/?LinkId=121669&clcid=0x409) in SQL Server 2005 Books Online.
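The collation requirement stated here and the DBA-created database procedures earlier in this book (create each database with the LATIN1_General_CI_AS_KS_WS collation, set dbo to the Setup user account, then add the service accounts to the Users group and to the db_owner or WSS_Content_Application_Pools role) are easy to get subtly wrong, and a mismatch only surfaces later as failed Setup or stsadm runs. The following PowerShell script is an added example, not code from this book or from Microsoft, that checks a DBA-created database against those requirements before Setup, Psconfig or Stsadm is pointed at it. It assumes SQL Server 2005 (the sys.* catalog views) and Windows authentication for the caller; server, database and account names are placeholders.

```powershell
# Added example, not code from the TechNet book: checks that a DBA-created
# database meets the stated requirements (Latin1_General_CI_AS_KS_WS collation,
# dbo set to the Setup user account, required accounts present as database
# users and in the required database roles) and that the server collation is
# case-insensitive. Assumes SQL Server 2005 catalog views and Windows
# authentication; server, database and account names are placeholders.

function Invoke-SqlRows {
    param([string]$ConnectionString, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table  = New-Object System.Data.DataTable
        $reader = $cmd.ExecuteReader()
        $table.Load($reader)
        $reader.Close()
        return ,$table
    } finally {
        $conn.Close()
    }
}

function Test-SharePointDatabase {
    param(
        [string]$SqlServer,        # 'SQL01' or 'SQL01\INSTANCE'
        [string]$Database,
        [string]$ExpectedOwner,    # Setup user account, DomainName\UserName
        [hashtable]$RequiredRoles  # account -> array of role names the account must hold
    )
    $cs = "Data Source=$SqlServer;Initial Catalog=$Database;Integrated Security=SSPI"
    $problems = @()

    # Server collation must be case-insensitive (CI).
    $srv = Invoke-SqlRows $cs "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS c"
    $serverCollation = [string]$srv.Rows[0].c
    if ($serverCollation -notmatch '_CI_') {
        $problems += "server collation $serverCollation is not case-insensitive"
    }

    # Database collation and owner, read from the catalog for this database.
    $db = Invoke-SqlRows $cs "SELECT collation_name, SUSER_SNAME(owner_sid) AS owner_name FROM sys.databases WHERE name = DB_NAME()"
    $dbCollation = [string]$db.Rows[0].collation_name
    if ($dbCollation -ne 'Latin1_General_CI_AS_KS_WS') {
        $problems += "$Database collation is $dbCollation, expected Latin1_General_CI_AS_KS_WS"
    }
    $owner = [string]$db.Rows[0].owner_name
    if ($owner -ne $ExpectedOwner) {
        $problems += "$Database owner is $owner, expected $ExpectedOwner"
    }

    # Database users (the Users folder in Management Studio) and role memberships.
    $users = Invoke-SqlRows $cs "SELECT name FROM sys.database_principals WHERE type IN ('U','G','S')"
    $members = Invoke-SqlRows $cs @"
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
"@
    foreach ($account in $RequiredRoles.Keys) {
        $hasUser = @($users.Rows | Where-Object { $_.name -eq $account }).Count -gt 0
        if (-not $hasUser) { $problems += "$account has no user in $Database" }
        foreach ($role in $RequiredRoles[$account]) {
            $inRole = @($members.Rows | Where-Object {
                $_.role_name -eq $role -and $_.member_name -eq $account }).Count -gt 0
            if (-not $inRole) { $problems += "$account is not a member of $role in $Database" }
        }
    }
    return ,$problems
}

# Placeholder values: the configuration database after the Configuration Wizard
# has run, where the Search, content access and SSP accounts must hold the
# WSS_Content_Application_Pools role.
$required = @{
    'CONTOSO\sp-search' = @('WSS_Content_Application_Pools')
    'CONTOSO\sp-crawl'  = @('WSS_Content_Application_Pools')
    'CONTOSO\sp-ssp'    = @('WSS_Content_Application_Pools')
}
$issues = Test-SharePointDatabase -SqlServer 'SQL01' -Database 'SharePoint_Config' `
    -ExpectedOwner 'CONTOSO\sp-setup' -RequiredRoles $required
if (@($issues).Count -eq 0) { "SharePoint_Config passes all checks" } else { $issues }
```

For a content database created for a portal site or an SSP, pass the accounts the relevant procedure lists with the db_owner role instead; the script reports every failed check rather than stopping at the first, so the DBA can fix them in one pass.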

Required accounts
The following table lists the accounts used to configure SQL Server and to install Office
SharePoint Server 2007. For detailed information about the required accounts, including specific
role memberships and permissions required for these accounts, see Plan for administrative and
service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

Account: SQL Server Service Account
Purpose: This account is used as the service account for the following SQL Server
services:
• MSSQLSERVER
• SQLSERVERAGENT
If you are not using the default instance, these services will be shown as:
• MSSQL$InstanceName
• SQLAgent$InstanceName
Requirements: SQL Server prompts for this account during SQL Server Setup. You have two
options:
• Assign one of the built-in system accounts (Local System, Network Service, or Local
Service) to the logon for the configurable SQL Server services. For more information
about these accounts and security considerations, refer to the Setting Up Windows
Service Accounts topic (http://go.microsoft.com/fwlink/?LinkId=121664&clcid=0x409) in
the SQL Server documentation.
• Assign a domain user account to the logon for the service. However, if you use this
option you must take the additional steps required to configure Service Principal Names
(SPNs) in Active Directory in order to support Kerberos authentication, which SQL Server
uses.

Account: Setup user account
Purpose: The Setup user account is used to run the following:
• Setup on each server
• The SharePoint Products and Technologies Configuration Wizard
• The PSConfig command-line tool
• The Stsadm command-line tool
Requirements:
• Domain user account
• Member of the Administrators group on each server on which Setup is run
• SQL Server login on the computer running SQL Server
• Member of the following SQL Server security roles:
• securityadmin fixed server role
• dbcreator fixed server role
If you run Stsadm command-line tool commands that read from or write to a database, this
account must be a member of the db_owner fixed database role for the database.

Account: Server farm account/Database access account
Purpose: The Server farm account is used to:
• Act as the application pool identity for the SharePoint Central Administration
application pool.
• Run the Windows SharePoint Services Timer service.
Requirements:
• Domain user account.
• If the server farm is a child farm with Web applications that consume shared services
from a larger farm, this account must be a member of the db_owner fixed database role on
the configuration database of the larger farm.
Additional permissions are automatically granted for this account on Web servers and
application servers that are joined to a server farm. This account is automatically added
as a SQL Server login on the computer running SQL Server and added to the following SQL
Server security roles:
• dbcreator fixed server role
• securityadmin fixed server role
• db_owner fixed database role for all databases in the server farm

If you use a domain user account for the SQL Server service account, you must make sure that a
valid service principal name (SPN) for that account and instance of SQL Server on your database
server exists in your environment. This is the case regardless of whether you use NTLM or
Kerberos authentication for Office SharePoint Server 2007.
You must configure the SPN for that account in the domain using the Setspn.exe command-line
tool. Setspn.exe is installed by default on computers running Windows Server 2008. Run the
following command on a computer that is joined to the same domain as the user/service account.
setspn -a http/<farmclusterdnsname> <serviceaccountname>
You only have to complete this task once for this account.
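The setspn -a command registers the SPN without checking whether another account in the forest already holds it, and a duplicate SPN makes Kerberos authentication to that service fail. The following PowerShell function is an added example, not code from this book or from Microsoft, that performs the step above with that check: it lists the SPNs already on the account, queries the forest for the SPN, registers it only if it is free, and reads the account back to confirm. It assumes the setspn.exe that ships with Windows Server 2008 (which supports -Q) and a caller with rights to write servicePrincipalName on the target account; the SPN string and account name in the example call are placeholders in the form the step uses.

```powershell
# Added example, not code from the TechNet book: registers the SPN from the
# step above only after checking that no other account already holds it, then
# reads it back. Assumes the Windows Server 2008 setspn.exe (supports -Q) and
# rights to write servicePrincipalName on the account. Names are placeholders.

function Register-FarmSpn {
    param(
        [string]$Spn,     # e.g. 'http/<farmclusterdnsname>' as in the step above
        [string]$Account  # the service account, DomainName\UserName
    )
    # setspn -L prints the SPNs currently on the account, one per indented line.
    $existing = @(& setspn -L $Account 2>&1 | ForEach-Object { $_.ToString().Trim() })
    if ($existing -contains $Spn) {
        return "$Spn is already registered for $Account"
    }

    # setspn -Q searches the forest for the SPN; a hit on any account is a duplicate.
    $query = @(& setspn -Q $Spn 2>&1 | ForEach-Object { $_.ToString().Trim() })
    if ($query -contains $Spn) {
        throw "$Spn is already registered on another account; resolve the duplicate first"
    }

    # Register the SPN exactly as the step above does, and check the exit code.
    & setspn -a $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -a failed with exit code $LASTEXITCODE"
    }

    # Read the account back to confirm the registration took effect.
    $after = @(& setspn -L $Account 2>&1 | ForEach-Object { $_.ToString().Trim() })
    if ($after -contains $Spn) {
        return "$Spn registered for $Account"
    }
    throw "$Spn not found on $Account after registration"
}

# Placeholder SPN and account (assumed, not from the book):
Register-FarmSpn -Spn 'http/farm.contoso.com' -Account 'CONTOSO\sp-sqlsvc'
```

Because the function is idempotent, it can be kept with the farm build scripts and re-run after the account is re-created or moved without producing a second copy of the SPN.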

Verify that servers meet hardware and software requirements


Before you install and configure Office SharePoint Server 2007, be sure that your servers have
the recommended hardware and software. To deploy a server farm, you need at least one server
computer acting as a Web server and an application server, and one server computer acting as a
database server. For more information about these requirements, see Determine hardware and
software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx). Also, make
sure the Management Compatibility role service is added to your server and the .NET Framework
is installed, as described below.

Important:
Office SharePoint Server 2007 requires Active Directory Domain Services for farm
deployments in a Windows Server 2008 environment.

IIS 6.0 Management Compatibility role service
If you use the Windows Server 2008 Server Manager to perform a default Internet Information
Services (IIS) 7.0 installation, the IIS 6.0 Management Compatibility role service is not included.
Since this is a required role service, you must use the following procedure.

Add the IIS 6.0 Management Compatibility role service


1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In the left navigation pane, expand Roles, and then right-click Web Server (IIS) and
select Add Role Services.
3. In the Add Role Services wizard, in the Role services area, select IIS 6
Management Compatibility.
4. In the Select Role Services pane, click Next, and then in the Confirm Installations
Selections pane, click Install.
5. To complete the Add Role Services wizard, click Close.

Install Microsoft .NET Framework


Before you install Office SharePoint Server 2007 on Windows Server 2008, you must install the
Microsoft .NET Framework. You do not need to install the Web Server role or the Windows
Process Activation Service; these are installed automatically, along with the Windows Internal
Database when you install Office SharePoint Server 2007 SP1. Use the following procedure to
install Microsoft .NET Framework version 3.0.

Install Microsoft .NET Framework version 3.0


1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In Server Manager, on the Action menu, click Add features.
3. In the Features list, select the .NET Framework 3.0 Features check box, and then
click Next.
4. Follow the wizard steps to install Microsoft .NET Framework version 3.0.

Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET
Framework version 3.5 from the Microsoft Web site (http://go.microsoft.com/fwlink/?
LinkId=110508).

Run Setup on all servers in the farm


You can only install Office SharePoint Server 2007 with SP1 on Windows Server 2008, so on
each server in the server farm you must run the Office SharePoint Server 2007 Setup and then
install SP1 before you run the SharePoint Products and Technologies Configuration Wizard. To
save time and effort on setup tasks, we recommend that you create a slipstreamed installation
source for Office SharePoint Server 2007. This installation source must include the files from both
Windows SharePoint Services 3.0 SP1 and Office SharePoint Server 2007 SP1. For more
information about using the updates folder to create a slipstreamed source, see the topic Create
an installation source that includes software updates (http://technet.microsoft.com/en-
us/library/cc261890.aspx).

Note:
If you have not created an updated installation source, you must first install Office
SharePoint Server 2007 without any software updates, and then, without running the
SharePoint Products and Technologies Configuration Wizard at the end of the
installation, install SP1. After the installations are complete, you can run the SharePoint
Products and Technologies Configuration Wizard.
The server farm is established when you configure Office SharePoint Server 2007 on the first
server. You must join additional servers in the server farm to this farm.
Setting up the first server involves two steps: installing the Office SharePoint Server 2007 and
SP1 components on the server, and configuring the farm. After Setup finishes, you can use the
SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint
Server 2007. The SharePoint Products and Technologies Configuration Wizard automates
several configuration tasks, including: installing and configuring the configuration database,
installing Office SharePoint Server 2007 services, and creating the Central Administration Web
site.

The first server


We recommend that you install and configure Office SharePoint Server 2007 and Office
SharePoint Server 2007 SP1 on all of the servers in your server farm before you configure Office
SharePoint Server 2007 services and create sites. You must have SQL Server database software
running on at least one back-end database server before you install Office SharePoint Server
2007 on your farm servers.

Note:
Setup installs the Central Administration Web site on the first server on which you run
Setup. Therefore, we recommend that the first server on which you install Office
SharePoint Server 2007 be a server on which you want to run the Central Administration
Web site.

Run Setup on the first server

1. From the slipstreamed installation source, run Setup.exe on one of your Web
servers. For more information about slipstreaming, see Create an installation source that
includes software updates (http://technet.microsoft.com/en-us/library/cc261890.aspx).
2. On the Enter your Product Key page, enter your product key, and then click
Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and alerts you that the
key is incorrect.

3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.

4. On the Choose the installation you want page, click Advanced. (The Basic option is
for stand-alone installations.)

5. On the Server Type tab, select Complete.

6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.

7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.

8. When you have chosen the correct options, click Install Now.

9. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Be sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is not selected.

10. Click Close.

Note:
You should wait to run the SharePoint Products and Technologies Configuration Wizard
until you have installed Office SharePoint Server 2007 and Office SharePoint Server
2007 SP1 and performed the rest of the procedures in this section on all the servers in
the server farm.
Use the following procedure to add the SharePoint Central Administration Web site to the list of
trusted sites.

Add the SharePoint Central Administration Web site to the list of trusted sites.
1. In Windows Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security
settings box, click Trusted sites, and then click Sites.

3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central
Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.

Use the following procedure to configure proxy server settings to bypass the proxy server for local
addresses.

Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click
LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings
check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check
box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.

Additional servers
We recommend that you install and configure Office SharePoint Server 2007 on all of your front-
end Web servers and the index server before you configure Office SharePoint Server 2007
services and create sites. If you want to build a minimal server farm configuration, and
incrementally add front-end Web servers to expand the farm, you can install and configure Office
SharePoint Server 2007 on a single Web server, and configure the Web server as both a front-
end Web server and an application server. Regardless of how many servers you have in your
server farm, you must have SQL Server 2005 running on at least one back-end database server
before you install Office SharePoint Server 2007 on your front-end Web servers.

Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed
it, your farm might experience problems. It is not recommended that you install Office
SharePoint Server 2007 on an index server first.

Run Setup on additional servers — front-end Web servers
1. From the slipstreamed installation source, run Setup.exe on one of your Web
servers.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Be sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the following section.

Use the following procedure to run Setup on additional servers in your server farm.

Run Setup on additional servers — index or query server
1. From the slipstreamed installation source, run Setup.exe on one of your Web
servers.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Be sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard
After you have run Setup and both Office SharePoint Server 2007 and Office SharePoint Server
2007 SP1 are installed on all the servers in your server farm, you can use the SharePoint
Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007. The
configuration wizard automates several configuration tasks, including installing and configuring
the configuration database, installing Office SharePoint Server 2007 services, and creating the
Central Administration Web site. Use the following instructions to run the SharePoint Products
and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint Server 2007
1. Click Start, point to All Programs, point to Administrative Tools, and then click
SharePoint Products and Technologies Configuration Wizard.
2. On the Welcome to SharePoint Products and Technologies page, click Next.

3. In the dialog box that notifies you that some services might need to be restarted
during configuration, click Yes.

4. On the Connect to a server farm page, click No, I want to create a new server farm,
and then click Next.

5. In the Specify Configuration Database Settings dialog box, in the Database
server box, type the name of the computer that is running SQL Server.

6. Type a name for your configuration database in the Database name box, or use the
default database name. The default name is SharePoint_Config.
7. In the User name box, type the user name of the server farm account. (Be sure to
type the user name in the format <DOMAIN>\<user name>.)

Important:
The server farm account is used to access your configuration database. It also
acts as the application pool identity for the SharePoint Central Administration
application pool, and it is the account under which the Windows SharePoint
Services Timer service runs. The SharePoint Products and Technologies
Configuration Wizard adds this account to the SQL Server Logins, the SQL
Server Database Creator server role, and the SQL Server Security Administrators
server role. The user account that you specify as the service account must be a
domain user account, but it does not need to be a member of any specific
security group on your Web servers or your back-end database servers. We
recommend that you follow the principle of least privilege, and specify a user
account that is not a member of the Administrators group on your Web servers or
your back-end servers.
8. In the Password box, type the user's password, and then click Next.
9. On the Configure SharePoint Central Administration Web Application page, if you
want the SharePoint Central Administration Web application to use a specific port, select
the Specify port number check box and type the port number. If it does not matter which
port number the SharePoint Central Administration Web application uses, leave the
Specify port number check box cleared.

10. In the Configure SharePoint Central Administration Web Application dialog box,
do one of the following:
• If you want to use NTLM authentication (the default), click Next.
• If you want to use Kerberos authentication, click Negotiate (Kerberos), and then
click Next.

Note:
In most cases, use the default setting (NTLM). Use Negotiate (Kerberos)
only if Kerberos authentication is supported in your environment. Using the
Negotiate (Kerberos) option requires you to configure a service principal
name (SPN) for the domain user account. To do this, you must be a member
of the Domain Admins group. For more information, see How to configure a
Windows SharePoint Services virtual server to use Kerberos authentication
and how to switch from Kerberos authentication back to NTLM authentication
(http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
11. On the Completing the SharePoint Products and Technologies Configuration Wizard
page, click Next.

12. On the Configuration Successful page, click Finish.

The SharePoint Central Administration Web site home page opens.

Notes:
If you are prompted for your user name and password, you might need to add the SharePoint
Central Administration Web site to the list of trusted sites, and configure user authentication
settings in Internet Explorer. Instructions for configuring these settings are provided in the
next set of steps.
If a proxy server error message appears, you might need to configure your proxy server
settings so that local addresses bypass the proxy server. Instructions for configuring this
setting are provided later in this section.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers
After Setup finishes, use the SharePoint Products and Technologies Configuration Wizard to
configure Windows SharePoint Services 3.0. The configuration wizard automates several
configuration tasks, including installing and configuring the configuration database, and installing
Windows SharePoint Services 3.0 services. Use the following instructions to run the SharePoint
Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard
1. Click Start, point to All Programs, point to Administrative Tools, and then click
SharePoint Products and Technologies Configuration Wizard.
2. On the Welcome to SharePoint Products and Technologies page, click Next.
3. Click Yes in the dialog box that notifies you that some services might need to be
restarted during configuration.
4. On the Connect to a server farm page, click Yes, I want to connect to an existing
server farm, and then click Next.
5. In the Specify Configuration Database Settings dialog box, in the Database
server box, type the name of the computer that is running SQL Server.
6. Click Retrieve Database Names, and then from the Database name list, select the
database name that you created when you configured the first server in your server farm.
7. In the User name box, type the user name of the account used to connect to the
computer running SQL Server. (Be sure to type the user name in the format
<DOMAIN>\<user name>.) This must be the same user account you used when
configuring the first server.
8. In the Password box, type the user's password, and then click Next.
9. On the Completing the SharePoint Products and Technologies Configuration Wizard
page, click Next.
10. On the Configuration Successful page, click Finish.

Start the Windows SharePoint Services Search Service
You must start the Windows SharePoint Services Search service on every computer that you
want to search content. You must start it on at least one of your servers.

Start the Windows SharePoint Services Search service on computers used to search
content
1. On the SharePoint Central Administration home page, click the Operations tab on
the top link bar.
2. On the Operations page, in the Topology and Services section, click Servers in
farm.
3. On the Servers in Farm page, click the server on which you want to start the
Windows SharePoint Services Search service.
4. Next to Windows SharePoint Services Search, click Start.
5. On the Configure Windows SharePoint Services Search Service Settings page, in the
Service Account section, specify the user name and password for the user account
under which the Search service will run.

6. In the Content Access Account section, specify the user name and password for
the user account that the Search service will use to search content. This account must
have read access to all the content you want it to search. If you do not enter credentials,
the same account used for the Search service will be used.
7. In the Indexing Schedule section, either accept the default settings, or specify the
schedule that you want the Search service to use when searching content.
8. After you have configured all the settings, click Start.

Configure Windows Firewall with Advanced Security
After you create Web applications in your server farm, you must use Windows Firewall with
Advanced Security in Windows Server 2008 to open ports on computers that host Web
Applications. You only need to open the ports for the SSP on computers that do not host any Web
applications.
By default, port 80 is open on Web servers, but to be able to communicate with other computers
you must open the port for Central Administration and, for the SSP, you must open ports 56737
and 56738. You must also open the ports for any additional Web applications that you create in
your server farm.
The default configuration of the Windows Server 2008 firewall is to deny all connections unless
there is an exception. Make sure you create the exceptions for the currently enabled profile
(Private, Public, or Domain) when you are making changes to ports. If you create the exceptions
in the wrong profile they will not work.

Note:
If you configure host headers in IIS, the Web applications are created on port 80, and
you might not have to perform the procedures in this section. If, however, you use the
host header mode in Windows SharePoint Services 3.0 to create multiple domain-named
sites in a single Web application, you must perform the procedures in this section to
determine which ports the Web applications, including Central Administration, use in
your server farm.

Determine ports used by Web Applications
1. Click Start, point to All Programs, point to Administrative Tools, and then click
SharePoint 3.0 Central Administration.
2. On the Central Administration site, click Application Management.
3. On the Application Management Web page, in the SharePoint Web Application
Management section, click Web application list.
4. On the Web Application List Web page, in the URL column, the server name with port
number is listed for each Web application.

You should use Windows Firewall with Advanced Security to open the ports required for your
server farm as identified in the Determine ports used by Web Applications
(http://technet.microsoft.com/en-us/library/cc263408.aspx#BKMK_DeterminePortsUsedByWebApplications)
procedure.
For ease in managing the rules, we recommend that you create one rule per Web application and
one for the two SSP ports. Alternatively, for more centralized rule management you can create
one rule to manage all the ports.
For Web applications, you only need to create a rule that opens a port for incoming connections.
The rule for the two SSP ports, however, must be configured to allow both incoming and outgoing
traffic.

Configure Windows Firewall with Advanced Security
1. Click Start, point to All Programs, point to Administrative Tools, and then click
Windows Firewall with Advanced Security.
2. In the User Account Control dialog box, click Continue.
3. On the details pane, in the Overview section, verify that the domain profile is active
by noting if the domain network location entry displays Domain Profile is Active.
4. In the Domain Profile is Active area, depending on how the inbound connections
rule is configured, choose one of these options.
• If it is Inbound connections that do not match a rule are allowed, then you do
not need to complete this procedure.
• If it is Inbound connections that do not match a rule are blocked, then you
must proceed to the next step in this procedure to configure the firewall to allow
Office SharePoint Server 2007 traffic.
5. On the Console Tree, select Inbound Rules, and then in the Actions pane click
New Rule.
6. Complete the New Inbound Rule Wizard using the settings from the following table.

Wizard page          Settings
Rule Type            Select Port.
Protocol and Ports   • Select TCP.
                     • Select Specific local ports. In the Specific local ports text box, type all
                       the port numbers that you need.
Action               Select Allow the connection.
Profile              • Enable Domain.
                     • Clear Private and Public.
Name                 In the Name and Description text boxes, type information that is both
                     descriptive and meaningful for your network administrators. As a best
                     practice, we recommend that you assign each firewall rule a unique name.
                     When unique names are assigned, it is easier to use Windows Server 2008
                     Network Shell (Netsh) commands to manage the network.

7. On the Console Tree, select Outbound Rules, and then in the Actions pane click New Rule.
8. Complete the New Outbound Rule Wizard using the settings from the following table.

Wizard page          Settings
Rule Type            Select Port.
Protocol and Ports   • Select TCP.
                     • Select Specific local ports. In the Specific local ports text box, type all
                       the port numbers that you need.
Action               Select Allow the connection.
Profile              • Enable Domain.
                     • Clear Private and Public.
Name                 In the Name and Description text boxes, type information that is both
                     descriptive and meaningful for your network administrators. As a best
                     practice, we recommend that you assign each firewall rule a unique name.
                     When unique names are assigned, it is easier to use Windows Server 2008
                     Network Shell (Netsh) commands to manage the network.

For more information about Windows Firewall with Advanced Security, see Windows Firewall
(http://go.microsoft.com/fwlink/?LinkID=84639).
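The following PowerShell script is an added example, not part of the Microsoft deployment guide: it creates the same inbound rules per Web application and the inbound/outbound rule pair for the SSP ports with the netsh advfirewall commands that Windows Server 2008 provides, and it first checks the active profile's inbound policy as steps 3 and 4 above do. The Web application names and port numbers in the table are constructed placeholders; take the real values from the Web Application List page.

```powershell
# Added example (not Microsoft's code). Run in an elevated PowerShell session on each server
# that hosts Web applications. Assumes English netsh output for the policy check.

# Constructed placeholders: replace with the names and ports shown on the Web Application List page.
$webApplicationPorts = @{
    'SharePoint Central Administration' = 12345   # placeholder for your Central Administration port
    'SharePoint - 80'                   = 80      # open by default on Web servers; listed for completeness
    'SharePoint - Intranet'             = 8080    # placeholder for an additional Web application
}

# The two SSP ports named in the guide; these need both an inbound and an outbound rule.
$sspPorts = '56737,56738'

function Test-InboundBlockedByDefault {
    # Returns $true when the active profile blocks inbound connections that match no rule,
    # which is the only case in which the guide says rules must be created.
    $profileText = (netsh advfirewall show currentprofile) -join "`n"
    if ($profileText -notmatch 'Domain Profile Settings') {
        Write-Warning 'The Domain profile is not active; the rules below are created for profile=domain only.'
    }
    return ($profileText -match 'Firewall Policy\s+BlockInbound')
}

function Add-SharePointPortRule {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)] [string] $Ports,          # '80' or '56737,56738'
        [ValidateSet('in','out')]    [string] $Direction = 'in'
    )
    # Unique rule names (the guide's recommendation) also let this script be re-run safely:
    # netsh prints 'No rules match the specified criteria.' when the name is not in use.
    $existing = (netsh advfirewall firewall show rule name="$Name") -join "`n"
    if ($existing -match 'Rule Name:') {
        Write-Host "Rule '$Name' already exists; skipping."
        return
    }
    # TCP, the listed local ports, Allow the connection, Domain profile only (Private and Public cleared).
    netsh advfirewall firewall add rule name="$Name" dir=$Direction action=allow `
        protocol=TCP localport=$Ports profile=domain `
        description="Office SharePoint Server 2007 ($Direction) TCP $Ports"
}

if (-not (Test-InboundBlockedByDefault)) {
    Write-Host 'Inbound connections that do not match a rule are allowed; no rules are required.'
    return
}

# One inbound rule per Web application, as the guide recommends for ease of management.
foreach ($entry in $webApplicationPorts.GetEnumerator()) {
    Add-SharePointPortRule -Name "SharePoint Web App - $($entry.Key)" -Ports "$($entry.Value)" -Direction in
}

# One rule for each direction on the SSP ports, since SSP traffic must pass both ways.
Add-SharePointPortRule -Name 'SharePoint SSP ports (inbound)'  -Ports $sspPorts -Direction in
Add-SharePointPortRule -Name 'SharePoint SSP ports (outbound)' -Ports $sspPorts -Direction out
```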

Perform additional configuration tasks
After the initial installation and configuration of Office SharePoint Server 2007, you can configure
several additional settings. The configuration of additional settings is optional, but many key
features are not available unless these settings are configured.
• Configure incoming e-mail settings You can configure incoming e-mail settings so
that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-
mail settings so that SharePoint sites can archive e-mail discussions as they happen, save
documents, and send meeting requests to site calendars. In addition, you can configure the
SharePoint Directory Management Service to provide support for e-mail distribution list
creation and management. For more information, see Configure incoming e-mail settings.
• Configure outgoing e-mail settings You can configure outgoing e-mail settings so that
your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and
notifications to site administrators. You can configure both the "From" e-mail address and the
"Reply" e-mail address that appear in outgoing alerts. You can also configure outgoing e-mail
settings for all Web applications or for only one Web application. For more information, see
Configure outgoing e-mail settings and Configure outgoing e-mail settings for a specific Web
application.
• Configure workflow settings You can configure workflow settings to enable end users
to create their own workflows by using code pre-generated by administrators. You can also
configure whether internal users without site access can receive workflow alerts, and whether
external users can participate in workflows by receiving copies of documents by e-mail. For
more information, see Configure workflow settings.
• Configure diagnostic logging settings You can configure several diagnostic logging
settings to help with troubleshooting. These include enabling and configuring trace logs,
event messages, user-mode error messages, and Customer Experience Improvement
Program events. For more information, see Configuring diagnostic logging settings.

• Configure single sign-on You can configure single sign-on settings in the farm. Single
sign-on enables you to connect to external data sources by using Excel Calculation Services
or the Business Data Catalog. For more information, see Configure single sign-on.
• Configure antivirus settings You can configure several antivirus settings if you have
an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings
allow you to control whether documents are scanned on upload or on download, and whether
users can download infected documents. You can also specify how long you want the
antivirus program to run before it times out, and you can specify how many execution threads
the antivirus program can use on the server. For more information, see Configure antivirus
settings.
You can use the following procedure to configure optional administrative settings using
SharePoint Central Administration.

Configure administrative settings using SharePoint Central Administration
1. Click Start, point to All Programs, point to Administrative Tools, and then click
SharePoint 3.0 Central Administration.
2. On the SharePoint Central Administration home page, in the Administrator Tasks
list, click the administrative task that you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.

Create a site collection and a SharePoint site
This section guides you through the process of creating a single site collection containing a single
SharePoint site. You can create many site collections and many sites under each site collection.
For more information, see Chapter overview: Deploy and configure SharePoint sites. For
information about planning SharePoint sites and site collections, see Plan Web site structure and
publishing (http://technet.microsoft.com/en-us/library/cc262789.aspx).
Before you can create a site or a site collection, you must first create a Web application. A Web
application is composed of an Internet Information Services (IIS) site with a unique application
pool. When you create a new Web application, you also create a new database and define the
authentication method used to connect to the database.
If you are in an extranet environment where you want different users to access content by using
different domains, you might also need to extend a Web application to another IIS Web site. This
action exposes the same content to different sets of users by using an additional IIS Web site to
host the same content.

Create a new Web application
1. Click Start, point to All Programs, then point to Microsoft Office Server, and then
click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the SharePoint Web Application
Management section, click Create or extend Web application.
4. On the Create or Extend Web Application page, in the Adding a SharePoint Web
Application section, click Create a new Web application.
5. On the Create New Web Application page, in the IIS Web Site section, you can
configure the settings for your new Web application.
a. To choose to use an existing Web site, select Use an existing Web site, and
specify the Web site on which to install your new Web application by selecting it from
the drop-down menu.
b. To create a new Web site, select Create a new IIS Web site, and then type the
name of the Web site in the Description box.
c. In the Port box, type the port number you want to use to access the Web
application. If you are creating a new Web site, this field is populated with a
suggested port number. If you are using an existing Web site, this field is populated
with the current port number.
d. In the Host Header box, type the URL you wish to use to access the Web
application. This is an optional field.
e. In the Path box, type the path to the site directory on the server. If you are
creating a new Web site, this field is populated with a suggested path. If you are
using an existing Web site, this field is populated with the current path.
6. In the Security Configuration section, configure authentication and encryption for
your Web application.
a. In the Authentication Provider section, choose either Negotiate (Kerberos) or
NTLM.

Note:
To enable Kerberos authentication, you must perform additional configuration
tasks. For more information about authentication methods, see Plan
authentication methods (http://technet.microsoft.com/en-
us/library/cc262350.aspx).
b. In the Allow Anonymous section, choose Yes or No. If you choose to allow
anonymous access, this enables anonymous access to the Web site using the
computer-specific anonymous access account (that is, IUSR_<computername>).

Note:
If you want users to be able to access any site content anonymously, you
must enable anonymous access for the entire Web application. Later, site
owners can configure how anonymous access is used within their sites. For
more information about anonymous access, see Determine which Windows
security groups and accounts to use for granting access to sites.
c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you
choose to enable SSL for the Web site, you must configure SSL by requesting and
installing an SSL certificate.

Important:
If you use SSL, you must add the appropriate certificate on each server by
using IIS administration tools. For more information about using SSL, see
Plan for secure communication within a server farm
(http://technet.microsoft.com/en-us/library/cc263077.aspx).
7. In the Load Balanced URL section, type the URL for the domain name for all sites
that users will access in this Web application. This URL domain will be used in all links
shown on pages within the Web application. By default, the box is populated with the
current server name and port.
The Zone box is automatically set to Default for a new Web application, and cannot be
changed from this page. To change the zone for a Web application, see Extend an
existing Web application.
8. In the Application Pool section, choose whether to use an existing application pool
or create a new application pool for this Web application. To use an existing application
pool, select Use existing application pool. Then select the application pool you wish to
use from the drop-down menu.
a. To create a new application pool, select Create a new application pool.
b. In the Application pool name box, type the name of the new application pool, or
keep the default name.
c. In the Select a security account for this application pool section, select
Predefined to use an existing application pool security account, and then select the
security account from the drop-down menu.
d. Select Configurable to use an account that is not currently being used as a
security account for an existing application pool. In the User name box, type the user
name of the account you wish to use, and then, in the Password box, type the
password for the account.
9. In the Reset Internet Information Services section, choose whether to allow
Windows SharePoint Services to restart IIS on other farm servers. The local server must
be restarted manually for the process to finish. If this option is not selected, and you have
more than one server in the farm, you must wait until the IIS Web site is created on all
servers and then run iisreset /noforce on each Web server. The new IIS site is not
usable until that action is completed. The choices are unavailable if your farm only
contains a single server.
10. In the Database Name and Authentication section, choose the database server,
database name, and authentication method for your new Web application.

Item              Action
Database Server   Type the name of the database server and SQL Server instance you want to use
                  in the format <SERVERNAME>\<instance>. You may also use the default entry.
Database Name     Type the name of the database, or use the


Use the following procedure to create a site collection.

Create a site collection
1. On the top link bar, click Application Management.
2. On the Application Management page, in the SharePoint Site Management section,
click Create site collection.
3. On the Create Site Collection page, if the Web application in which you want to
create the site collection is not selected, click Change Web Application on the Web
Application menu, and then on the Select Web Application page, click the Web
application in which you want to create the site collection.
4. In the Title and Description section, type the title and description for the site
collection.
5. In the Web Site Address section, in the URL area, select the path to use for your
URL (such as an included path like /sites/ or the root directory, /).
If you select a wildcard inclusion path, such as /sites/, you must also type the site name
to use in your site's URL.

Note:
The paths available for the URL option are taken from the list of managed paths
that have been defined as wildcard inclusions. For more information about
managed paths, see “Define managed paths” in the Central Administration Help
(http://technet.microsoft.com/en-us/library/cc263179.aspx) system.
6. In the Template Selection section, in the Select a template list, select the template
that you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the
form DOMAIN\user name) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site
(recommended), in the Secondary Site Collection Administrator section, enter the
user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota
Template section, click a template in the Select a quota template list.
10. Click OK.

Use the following procedure to create a SharePoint site.

Create a SharePoint site
1. On the SharePoint Central Administration home page, click the Application
Management tab on the top link bar.
2. On the Application Management page, in the SharePoint Site Management section,
click Site collection list.
3. On the Site Collection List page, in the URL column, click the URL for the site
collection to which you want to add a site. The full URL path for the site collection
appears in the URL box.
4. Copy and paste the full URL path into your browser, and then, on the home page of
the top-level site for the site collection, on the Site Actions menu, click Create.
5. On the Create page, in the Web Pages section, click Sites and Workspaces.
6. On the New SharePoint Site page, in the Title and Description section, type a title
and description for the site.
7. In the Web Site Address section, type a URL for the site.
8. In the Template Selection section, select a template from the tabbed template
control.
9. Either change other settings, or click Create to create the site.
The new site opens.
After creating sites, you might want to configure alternate access mappings. Alternate access
mappings direct users to the correct URLs during their interaction with Office SharePoint Server
2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for
example). Alternate access mappings enable Office SharePoint Server 2007 to map Web
requests to the correct Web applications and sites, and they enable Office SharePoint Server
2007 to display the correct site. For more information, see Plan alternate access mappings
(http://technet.microsoft.com/en-us/library/cc261814.aspx).

Configure the trace log
Trace log files can help you to troubleshoot issues related to configuration changes of the
Windows SharePoint Services Search service. The trace log can also be useful for analyzing
problems that might occur. For example, you can use events that are written to the trace log to
identify what configuration changes were made in Office SharePoint Server 2007 before the
problem occurred.
Because problems related to configuration changes are not always immediately discovered, we
recommend that you save all trace log files that the system creates on any day that you make any
configuration changes related to the Search service. Store these log files for an extended period
of time in a safe location that will not be overwritten.
By default, Office SharePoint Server 2007 saves two days of events in the trace log files; trace
log files that contain events that are older than two days are deleted. When using the Windows
SharePoint Services Search service, we recommend that you configure the trace log to save
seven days of events.
You can use the Diagnostic Logging page in Central Administration to configure the maximum
number of trace log files to maintain and the duration (in minutes) to capture events to each log
file. By default, 96 log files are kept, each one containing 30 minutes of events.
96 log files * 30 minutes of events per file = 2880 minutes or two days of events.
You can also specify where the log files are written or accept the default path. See step 3 in this
procedure to determine where the system stores trace log files for your system.

Configure the trace log to save seven days of events
1. In Central Administration, on the Operations tab, in the Logging and Reporting
section, click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
• In the Number of log files box, type 336.
• In the Number of minutes to use a log file box, type 30.

Tip:
To save 10,080 minutes (seven days) of events, you can use any combination of number of
log files and minutes per log file whose product is 10,080 (336 files * 30 minutes = 10,080
minutes).
3. Ensure that the path specified in the Path box has enough room to store the extra log
files, or change the path to another location.

Tip:
We recommend that you store log files on a hard drive partition that is used to
store log files only.
4. Click OK.
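The recommendation above, to keep the trace log files from any day on which you change the Search configuration, is simplest to follow with a scheduled copy. The following PowerShell script is an added example written for this page, not code from the book or from Microsoft. It assumes the default trace log path, an archive root of \\fileserver\sharepoint-logs (replace it with a location of your own that the rollover never touches), and that the files to keep are the .log files the diagnostic logging service writes to that folder.

```powershell
# Added example (not from the Microsoft book): copy the trace log files written
# on a given day to a location outside the trace log rollover and mark the copies
# read-only. Run on each Web or application server as an account that can read
# the LOGS folder and write to the archive share.
param(
    # Default diagnostic logging path; pass -LogPath if the Path box was changed.
    [string]$LogPath = (Join-Path $env:COMMONPROGRAMFILES 'Microsoft Shared\Web Server Extensions\12\LOGS'),
    # Assumed archive root; any path that the rollover never touches will do.
    [string]$ArchiveRoot = '\\fileserver\sharepoint-logs',
    # Day to archive; defaults to today so the script can run from a scheduled task.
    [datetime]$Day = (Get-Date)
)

if (-not (Test-Path $LogPath)) { throw "Trace log path not found: $LogPath" }

$dayStart = $Day.Date
$dayEnd   = $dayStart.AddDays(1)

# One folder per server and day keeps archives from different servers apart.
$target = Join-Path $ArchiveRoot ('{0}\{1}' -f $env:COMPUTERNAME, $dayStart.ToString('yyyy-MM-dd'))
if (-not (Test-Path $target)) { New-Item -Path $target -ItemType Directory | Out-Null }

# Select every .log file last written on that day. @() keeps a single match an array
# on PowerShell 2.0, where a lone FileInfo has no Count property.
$files = @(Get-ChildItem -Path $LogPath -Filter '*.log' |
    Where-Object { $_.LastWriteTime -ge $dayStart -and $_.LastWriteTime -lt $dayEnd })

# When archiving today, skip the newest file: the tracing service is still appending
# to it. Re-run after it rolls over to take a complete copy.
if ($dayStart -eq (Get-Date).Date -and $files.Count -gt 0) {
    $active = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    Write-Host "Skipping $($active.Name); it is still being written."
    $files = @($files | Where-Object { $_.FullName -ne $active.FullName })
}

$copied = 0
foreach ($file in $files) {
    $dest = Join-Path $target $file.Name
    # Never overwrite an archived copy: if the name exists, store the new snapshot beside it.
    if (Test-Path $dest) {
        $dest = Join-Path $target ('{0}.{1}{2}' -f $file.BaseName, (Get-Date -Format 'HHmmss'), $file.Extension)
    }
    Copy-Item -Path $file.FullName -Destination $dest
    # Verify by length before relying on the copy (PowerShell 2.0 has no Get-FileHash).
    if ((Get-Item -Path $dest).Length -ne $file.Length) { throw "Size mismatch after copying $($file.Name)" }
    # Read-only stops accidental overwrites only; NTFS permissions on the share do the rest.
    Set-ItemProperty -Path $dest -Name IsReadOnly -Value $true
    $copied++
}
Write-Host "Archived $copied trace log file(s) from $LogPath to $target"
```

Run it from a scheduled task on each server at the end of a day on which you changed Search settings, or pass -Day to archive an earlier date before the two-day rollover removes the files. The read-only attribute only guards against accidental overwrites; for tamper resistance, set NTFS permissions on the archive share so that the copying account can create files but not modify or delete them.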

Configure Windows Server Backup


If you want to use Windows Server Backup with Windows SharePoint Services 3.0, you must
configure the following registry keys. If you do not configure these registry keys, Windows Server
Backup will not work properly with Windows SharePoint Services 3.0.

Important:
You must be logged on as a member of the Administrators group on the local server
computer to edit the registry. Incorrectly editing the registry might severely damage your
system. Before making changes to the registry, you should back up any valued data on
the computer.

Configure registry keys for Windows Server Backup


1. Click Start, click Run, and in the Open box, type regedit, and then click OK.
2. In the User Account Control dialog box, click Continue to open the Registry Editor.
3. In the Registry Editor, locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
4. On the Edit menu, click New, and then click Key.
5. Type WindowsServerBackup, and then press ENTER.
6. Select the WindowsServerBackup key, and then on the Edit menu, click New, and
then click Key.

7. Type Application Support, and then press ENTER.
8. Select the Application Support key, and then on the Edit menu, click New, and then
click Key.
9. Type {c2f52614-5e53-4858-a589-38eeb25c6184} as the key name, and then press
ENTER.
This is the GUID for the WSS Writer.
10. Select the new key, and then on the Edit menu, click New, and then click String
Value.
11. Type Application Identifier as the new value, and then press ENTER.
12. Right-click the Application Identifier value, and then click Modify.
13. In the Value Data box, type Windows SharePoint Services, and then click OK.
14. On the Edit menu, click New, and then click DWORD (32-bit) Value.
15. Type UseSameVssContext as the new value name, and then press ENTER.
16. Right-click the UseSameVssContext value, and then click Modify.
17. In the Value Data box, type 00000001, and then click OK.
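The same registration can be made without clicking through Registry Editor. The following PowerShell script is an added example for this page, not Microsoft code; it creates the keys and values from steps 3 to 17, exports the existing WindowsServerBackup key first, and reads the values back to confirm them. The backup folder C:\RegBackup is an assumption.

```powershell
# Added example (not from the Microsoft book): register the WSS Writer with Windows
# Server Backup by creating the keys and values from steps 3 to 17 above, after
# exporting the existing key as a fallback and before verifying the result.
$vssWriterGuid = '{c2f52614-5e53-4858-a589-38eeb25c6184}'   # WSS Writer GUID from step 9
$baseKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsServerBackup'
$writerKey = Join-Path $baseKey "Application Support\$vssWriterGuid"
$backupDir = 'C:\RegBackup'                                   # assumed backup folder

# Stop unless the token really holds the Administrators role; a non-elevated run
# would fail part-way and leave the key half-populated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated prompt as a member of the local Administrators group.'
}

# Export the parent key first (the book's "back up before editing" caveat).
if (Test-Path $baseKey) {
    if (-not (Test-Path $backupDir)) { New-Item -Path $backupDir -ItemType Directory | Out-Null }
    $backupFile = Join-Path $backupDir ('WindowsServerBackup-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsServerBackup' $backupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    Write-Host "Existing key exported to $backupFile"
}

# -Force creates the missing intermediate keys (WindowsServerBackup, Application
# Support); the Test-Path guard leaves an existing key untouched on a rerun.
if (-not (Test-Path $writerKey)) { New-Item -Path $writerKey -Force | Out-Null }

# Steps 10 to 17: a REG_SZ naming the application and a REG_DWORD set to 1.
New-ItemProperty -Path $writerKey -Name 'Application Identifier' -PropertyType String `
    -Value 'Windows SharePoint Services' -Force | Out-Null
New-ItemProperty -Path $writerKey -Name 'UseSameVssContext' -PropertyType DWord `
    -Value 1 -Force | Out-Null

# Read the values back instead of trusting that the writes succeeded.
$props = Get-ItemProperty -Path $writerKey
if ($props.'Application Identifier' -ne 'Windows SharePoint Services' -or $props.UseSameVssContext -ne 1) {
    throw "Verification failed: $writerKey does not hold the expected values."
}
Write-Host "WSS Writer registered for Windows Server Backup at $writerKey"
```

Run it from an elevated prompt as a member of the local Administrators group. Because the key creation is guarded and New-ItemProperty uses -Force, the script can be rerun safely, and the exported .reg file is the quickest way back if the change has to be reverted.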

Install Office SharePoint Server 2007 by using the command line
In this section:
• Install software requirements
• Determine required accounts for installation
• Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt
• Configure the server by using the Psconfig command-line tool
• Perform additional configuration tasks
• Create a Shared Services Provider (SSP) by using the Stsadm command-line tool
• Create a site collection by using the Stsadm command-line tool
• Configure the trace log
This section discusses how to do a clean installation of Microsoft Office SharePoint Server 2007
on a stand-alone server or on a server farm by using command-line tools.
The command-line tools enable you to customize the configuration of Office SharePoint Server
2007. Additionally, you can streamline deployment by using command-line installations in
combination with other administrator tools to automate unattended installations.
To install Office SharePoint Server 2007 on a server farm, you have to complete the following
steps:
1. Plan the deployment and ensure that you have installed all the software requirements.
2. Determine the required accounts that are used during installation.
3. Install Office SharePoint Server 2007 by running Setup at a command prompt, and
specifying a configuration file.
4. Configure the server by using the Psconfig command-line tool with the appropriate
options.
5. Create a Shared Services Provider (SSP) by using the Stsadm command-line tool (only
applies on server-farm installations).
6. Create a site collection by using the Stsadm command-line tool (only applies on server-
farm installations).

Install software requirements


Before you run Setup, you must perform several actions to prepare the deployment. For more
information about the complete list of actions you must perform before installation, see Chapter
overview: Install Office SharePoint Server 2007 in a server farm environment. Ensure that you
have the following software requirements before you run Setup:

• A clean installation of the Windows Server 2003 operating system with the most recent
service pack on every server that will run Office SharePoint Server 2007. To install Office
SharePoint Server 2007 on Windows Server 2008, see Installing Microsoft Office SharePoint
Server 2007 on Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=122586&clcid=0x409).

Note:
All the instances of Office SharePoint Server 2007 in the farm must be in the same
language. For example, you cannot have both English and Japanese versions of
Office SharePoint Server 2007 in the same farm.
• The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download
contains the Windows Workflow Foundation technology, which is required by workflow
features.

Note:
You can also use the Microsoft .NET Framework version 3.5. You can download
the .NET Framework version 3.5 from the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=110508).
• ASP.NET 2.0 enabled in the Internet Information Services (IIS) Manager on all servers
that are running Office SharePoint Server 2007.
• Microsoft SQL Server 2000 or Microsoft SQL Server 2005 with the most recent service
pack running on at least one database server before you install Office SharePoint Server
2007 on the Web servers.
To deploy a server farm, you must have at least one server computer acting as a Web server and
an application server, and one server computer acting as a database server.

Determine required accounts for installation


Before installing Office SharePoint Server 2007 at a command prompt, you should understand
the three-tier security model for Office SharePoint Server 2007 and the detailed account
permissions that are required for each configuration. For more information, see the following
resources:
• Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
• Plan for administrative and service accounts (http://technet.microsoft.com/en-
us/library/cc263445.aspx)
• Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?
LinkID=92883&clcid=0x409)

The following table describes the accounts that are used during installation and configuration of
Office SharePoint Server 2007. These accounts must be created and configured before you run
Setup.

Account: Setup user account
Purpose: The Setup user account is used to run the following:
• Setup on each server.
• The SharePoint Products and Technologies Configuration Wizard.
• The Psconfig command-line tool.
• The Stsadm command-line tool.
Requirements:
• Domain user account.
• Member of the Administrators group on each server on which Setup is run.
• SQL Server login on the computer that is running SQL Server.
• Member of the following SQL Server security roles:
  • securityadmin fixed server role
  • dbcreator fixed server role
If you run Stsadm command-line tool commands that read from or write to a database, the
Setup user account must be a member of the db_owner fixed database role for the database.

Account: Server farm account or database access account
Purpose: The server farm account is used to:
• Configure and manage the server farm.
• Act as the application pool identity for the SharePoint Central Administration application
pool.
• Run the Windows SharePoint Services Timer service.
Requirements:
• Domain user account.
• If the server farm is a child farm with Web applications that consume shared services from
a larger farm, the server farm account must be a member of the db_owner fixed database role
on the configuration database of the larger farm.
Additional permissions are automatically granted for the server farm account on Web servers
and application servers that are joined to a server farm. The server farm account is
automatically added as a SQL Server login on the computer that is running SQL Server, and
added to the following SQL Server security roles:
• dbcreator fixed server role
• securityadmin fixed server role
• db_owner fixed database role for all databases in the server farm

Install Microsoft Office SharePoint Server 2007 by running Setup at a command prompt
After you have determined the required accounts for the installation, you can install Office
SharePoint Server 2007. The product DVD contains examples of configuration (Config.xml) files.
These example files are stored under the \Files folder in the root directory of the DVD, in folders
that correspond to different scenarios. These example files are described in the following table.

Configuration file                 Description
Setup\Config.xml                   Stand-alone server installation, using Microsoft SQL Server
                                   2005 Express Edition
SetupFarm\Config.xml               Server farm installation
SetupFarmSidebySide\Config.xml     Gradual upgrade of an existing farm
SetupFarmSilent\Config.xml         Server farm installation in silent mode
SetupFarmUpgrade\Config.xml        In-place upgrade of an existing farm
SetupSilent\Config.xml             Stand-alone server installation, using SQL Server 2005
                                   Express Edition, in silent mode
SetupSingleUpgrade\Config.xml      In-place upgrade of an existing single-server installation

Important:
The example configuration files that are included with Office SharePoint Server 2007 omit
the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this setting
if you want to suppress restarts during a command-line installation.
Example
The following example shows the configuration file for setting up a single server in silent mode
(SetupSilent).
<Configuration>
    <Package Id="sts">
        <Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
        <Setting Id="REBOOT" Value="ReallySuppress"/>
        <Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
    </Package>
    <Package Id="spswfe">
        <Setting Id="SETUPCALLED" Value="1"/>
        <Setting Id="REBOOT" Value="ReallySuppress"/>
        <Setting Id="OFFICESERVERPREMIUM" Value="1" />
    </Package>
    <Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
    <Display Level="none" CompletionNotice="no" />
    <PIDKEY Value="Enter PID Key Here" />
    <Setting Id="SERVERROLE" Value="SINGLESERVER"/>
    <Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>

Run Setup with a Config.xml file at a command prompt


1. On the drive on which the Office SharePoint Server 2007 product DVD is located,
change to the root directory to locate the setup.exe file.
2. Run Setup with the selected Config.xml file.
setup /config <path and file name>

Note:
You can select one of the example files, or customize your own configuration file.
3. Press ENTER.

Setup is now finished.


Example
To run Setup in silent mode, type one of the following commands at a command prompt, and then
press ENTER:
• setup /config Files\SetupSilent\config.xml (for a single server deployment)
• setup /config Files\SetupFarmSilent\config.xml (for a farm deployment)
You can also customize your own configuration file. To control the installation, first edit the
Config.xml file in a text editor to include the elements that you want with the appropriate settings
for those elements. Then run setup /config <path and file name> so that Setup uses the options
that you set in the Config.xml file.
Some typical configuration options include the following:
• Bypassing the prompt for the product key by providing the key as a value, <PIDKEY
Value="Enter PID Key Here" />, in the Config.xml file.
• Adding a location for a log file, <Logging Type="off" | "standard"(default) | "verbose"
Path="path" Template="file name.log"/>, which you can view if the command-line installation fails.

Important:
Use a text editor, such as Notepad, to edit Config.xml. Do not use a general-purpose
XML editor such as Microsoft Office Word 2007.
For more information about the options available for customizing the configuration file, see
Config.xml reference (http://technet.microsoft.com/en-us/library/cc261668.aspx).
For more information about the command-line options for Setup, see Setup.exe command-line
reference (http://technet.microsoft.com/en-us/library/cc262897.aspx).
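Rather than editing a copy of a sample file by hand, you can generate Config.xml with the XML API, which guarantees well-formed output and keeps the product key out of the script. The following PowerShell script is an added example for this page, not Microsoft code. It produces the same settings as the SetupSilent example above plus the SETUP_REBOOT setting, writes to C:\Install\Config.xml (an assumed path), and assumes that the PIDKEY value is the 25-character key without hyphens; confirm that format in the Config.xml reference before relying on it.

```powershell
# Added example (not from the Microsoft book): build Config.xml for a silent
# single-server installation with the XML API, prompting for the product key so it
# never sits in a script, and including the SETUP_REBOOT setting the samples omit.
param([string]$OutFile = 'C:\Install\Config.xml')   # assumed output path

# Assumption: the PIDKEY value is the 25 characters of the key without hyphens, as
# typed in the Setup dialog. Confirm the format in the Config.xml reference.
$pidKey = (Read-Host 'Product key') -replace '[\s-]', ''
if ($pidKey -notmatch '^[A-Za-z0-9]{25}$') { throw 'Expected a 25-character product key.' }

$doc  = New-Object System.Xml.XmlDocument
$root = $doc.AppendChild($doc.CreateElement('Configuration'))

# Append <Setting Id="..." Value="..."/> under $parent; the API escapes attribute
# values, so a stray quote in a path cannot break the file.
function Add-Setting($parent, [string]$id, [string]$value) {
    $s = $parent.AppendChild($doc.CreateElement('Setting'))
    $s.SetAttribute('Id', $id)
    $s.SetAttribute('Value', $value)
}

$sts = $root.AppendChild($doc.CreateElement('Package'))
$sts.SetAttribute('Id', 'sts')
Add-Setting $sts 'LAUNCHEDFROMSETUPSTS' 'Yes'
Add-Setting $sts 'REBOOT' 'ReallySuppress'
Add-Setting $sts 'SETUPTYPE' 'CLEAN_INSTALL'

$wfe = $root.AppendChild($doc.CreateElement('Package'))
$wfe.SetAttribute('Id', 'spswfe')
Add-Setting $wfe 'SETUPCALLED' '1'
Add-Setting $wfe 'REBOOT' 'ReallySuppress'
Add-Setting $wfe 'OFFICESERVERPREMIUM' '1'

$log = $root.AppendChild($doc.CreateElement('Logging'))
$log.SetAttribute('Type', 'verbose')
$log.SetAttribute('Path', '%temp%')
$log.SetAttribute('Template', 'Office Server Setup(*).log')

$disp = $root.AppendChild($doc.CreateElement('Display'))
$disp.SetAttribute('Level', 'none')
$disp.SetAttribute('CompletionNotice', 'no')

$keyEl = $root.AppendChild($doc.CreateElement('PIDKEY'))
$keyEl.SetAttribute('Value', $pidKey)

Add-Setting $root 'SERVERROLE' 'SINGLESERVER'
Add-Setting $root 'USINGUIINSTALLMODE' '0'
Add-Setting $root 'SETUP_REBOOT' 'Never'   # not in the shipped samples; see the Important note above

# Write indented UTF-8 without a byte-order mark or XML declaration, matching the
# shape of the sample files on the DVD.
$settings = New-Object System.Xml.XmlWriterSettings
$settings.Indent = $true
$settings.OmitXmlDeclaration = $true
$settings.Encoding = New-Object System.Text.UTF8Encoding($false)
$dir = Split-Path -Path $OutFile -Parent
if (-not (Test-Path $dir)) { New-Item -Path $dir -ItemType Directory | Out-Null }
$writer = [System.Xml.XmlWriter]::Create($OutFile, $settings)
$doc.Save($writer)
$writer.Close()

# Re-read the file and check the two things a silent run most often trips over:
# a placeholder product key and a missing reboot setting.
$check = [xml](Get-Content -Path $OutFile)
if ($check.Configuration.PIDKEY.GetAttribute('Value') -eq 'Enter PID Key Here') {
    throw 'PIDKEY placeholder left in file.'
}
$reboot = @($check.Configuration.Setting | Where-Object { $_.GetAttribute('Id') -eq 'SETUP_REBOOT' })
if ($reboot.Count -ne 1) { throw 'SETUP_REBOOT setting missing.' }

Write-Host "Wrote $OutFile. It now contains the product key; delete it once Setup has finished."
Write-Host "Run:  setup /config $OutFile"
```

The generated file is the input to the setup /config command described above. Because it carries the product key in clear text, keep it on the server only for the duration of the installation and remove it afterwards, as the final message reminds you.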

Configure the server by using the Psconfig command-line tool
You use the Psconfig command-line tool to configure Office SharePoint Server 2007 after Setup
has finished. The tool is located at %COMMONPROGRAMFILES%\Microsoft shared\Web Server
Extensions\12\bin. The configuration options are different depending on whether you install Office
SharePoint Server 2007 on a stand-alone server or on a server farm.
For more information about the Psconfig command-line tool and its operations and parameters,
see Command-line reference for the SharePoint Products and Technologies Configuration Wizard
(http://technet.microsoft.com/en-us/library/cc263093.aspx). For more information about the
services and features that are registered during the configuration, see Using PSConfig.exe
command-line options to complete SharePoint Server Configuration
(http://go.microsoft.com/fwlink/?LinkId=122627&clcid=0x409).

Configure SharePoint Server 2007 on a stand-alone server


In stand-alone server deployments, you can run the Psconfig command-line tool with the setup
command.
After you have logged on by using the Setup user account that you previously created and
configured, you configure Office SharePoint Server 2007.

Configure SharePoint Server 2007 on a stand-alone server by using the Psconfig command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to
the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
2. Type the following command, and then press ENTER:
psconfig -cmd setup

The Psconfig command-line tool describes the configuration steps as they occur, and notes the
successful completion of configuration. For a stand-alone server installation, this is the final step
in a command-line installation.

Configure SharePoint Server 2007 on a farm


In server farm deployments, you use the Psconfig command-line tool to create a new farm or
connect to an existing farm. The Psconfig command-line tool installs the SharePoint Central
Administration Web site on the first server in the farm. Therefore, we recommend that the first
server on which you install Office SharePoint Server 2007 is a server from which you want to run
the Central Administration Web site.
The following procedure describes how to configure the first server in the farm. How to add
servers to the farm is described at the end of this procedure.

Note:
Ensure that you follow the procedure in the order that it is written to avoid configuration
problems.

Configure SharePoint Server 2007 on a farm by using the Psconfig command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to
the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
2. Create the configuration database:
psconfig -cmd configdb -create -server <database server name> -database <database name>
[-dbuser <domain\user name> -dbpassword <password>]
-user <domain\user name> -password <password>
[-addomain <domain name> -adorgunit <org unit>]
-admincontentdatabase <Central Administration Web application content database name>

Note:
The dbuser and dbpassword parameters are only used in deployments that use
SQL Server authentication. If you are using Windows authentication, these
parameters are not required. The addomain and adorgunit parameters apply only to
farms that use Active Directory account creation mode.
3. Install all Help collections:
psconfig -cmd helpcollections -installall
4. Perform resource security enforcement:
psconfig -cmd secureresources
5. Register services in the server farm:
psconfig -cmd services -install

Note:
After installing services, you must start and configure two services, Windows
SharePoint Services Search and Office SharePoint Server Search, by using the
Stsadm command-line tool, and then provision the services of the farm:
a. stsadm -o spsearch -action start -farmserviceaccount <domain\user name>
-farmservicepassword <password> [-databasename <search database name>]
[-databaseserver <server instance>] [-searchserver <search server name>]
For more information, see Spsearch: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc288507.aspx).
b. stsadm -o osearch -action start -role IndexQuery -farmserviceaccount
<domain\user name> -farmservicepassword <password>
-farmcontactemail <user@domain.com>
For more information, see Osearch: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc262920.aspx).
c. Provision the services of the farm:
psconfig -cmd services -provision
6. Register all features:
psconfig -cmd installfeatures
7. Provision the SharePoint Central Administration Web application:
psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
8. Install shared application data:
psconfig -cmd applicationcontent -install

The SharePoint Central Administration Web site has now been created.
We recommend that you install and configure Office SharePoint Server 2007 on all of the farm
servers before you create sites.

Note:
If any of these commands fail, look in the post-setup configuration log files. The log files
are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Logs, and can be identified by a file name that begins with “PSC” and the
.log file name extension.
To connect to an existing configuration database and join the server to an existing server farm,
run the configdb command with the -connect parameter instead of the -create parameter:
psconfig -cmd configdb -connect -server <server name> -database <database name>

Note:
Omit the -admincontentdatabase parameter, because the Central Administration content
database was already created when you created the configuration database.
Use the psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
command if you want to provision the SharePoint Central Administration Web application on
additional servers, which reduces the risk of losing Central Administration if the server that is
running it fails.
To successfully complete the command-line installation on a server farm, you must use the
Stsadm command-line tool to create the Shared Services Provider (SSP), and then a site
collection for the farm. However, before you create the SSP and a site collection, we recommend
that you first perform some additional configuration tasks.
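The psconfig and stsadm steps above are usually run as a script so that a failure stops the sequence instead of leaving later steps to fail in confusing ways. The following PowerShell script is an added example for this page, not Microsoft code. The server, database, account and port names in it are placeholders; it omits the -addomain and -adorgunit parameters, which apply only to Active Directory account creation mode, and it expects -Join on every server after the first.

```powershell
# Added example (not from the Microsoft book): run the post-Setup configuration
# sequence above from one script, stopping at the first command that fails.
# All names in the param block are placeholders. Use -Join on every server after
# the first so that it connects to the existing configuration database.
param(
    [switch]$Join,
    [string]$DbServer     = 'SQL01',                   # assumed database server
    [string]$ConfigDb     = 'SharePoint_Config',       # assumed configuration database
    [string]$AdminDb      = 'SharePoint_AdminContent', # assumed Central Administration content database
    [string]$FarmAccount  = 'CONTOSO\spfarm',          # assumed server farm account
    [string]$ContactEmail = 'spadmin@contoso.com',     # assumed, for osearch -farmcontactemail
    [int]$AdminPort       = 8888                       # assumed Central Administration port
)

$bin      = Join-Path $env:COMMONPROGRAMFILES 'Microsoft Shared\Web Server Extensions\12\BIN'
$logs     = Join-Path $env:COMMONPROGRAMFILES 'Microsoft Shared\Web Server Extensions\12\LOGS'
$psconfig = Join-Path $bin 'psconfig.exe'
$stsadm   = Join-Path $bin 'stsadm.exe'

# Both tools take the farm account password in clear text on the command line, so
# it is visible in the process list while each command runs. Prompt for it rather
# than storing it in the script, and keep it out of the echoed command lines.
$cred = Get-Credential $FarmAccount
$farmPassword = $cred.GetNetworkCredential().Password

function Invoke-Checked([string]$exe, [string[]]$argList) {
    # Echo the command with the password masked, then fail fast on a non-zero exit code.
    $shown = ($argList | ForEach-Object { if ($_ -eq $farmPassword) { '********' } else { $_ } }) -join ' '
    Write-Host "==> $(Split-Path -Path $exe -Leaf) $shown"
    & $exe $argList
    if ($LASTEXITCODE -ne 0) {
        throw "$(Split-Path -Path $exe -Leaf) exited with code $LASTEXITCODE; check the newest PSC*.log in $logs"
    }
}

if ($Join) {
    # Additional servers connect to the existing configuration database; the Central
    # Administration content database already exists, so -admincontentdatabase is omitted.
    Invoke-Checked $psconfig @('-cmd', 'configdb', '-connect', '-server', $DbServer, '-database', $ConfigDb)
} else {
    # First server: create the configuration database. -addomain/-adorgunit are left
    # out because they apply only to Active Directory account creation mode.
    Invoke-Checked $psconfig @('-cmd', 'configdb', '-create', '-server', $DbServer, '-database', $ConfigDb,
        '-user', $FarmAccount, '-password', $farmPassword, '-admincontentdatabase', $AdminDb)
}

Invoke-Checked $psconfig @('-cmd', 'helpcollections', '-installall')
Invoke-Checked $psconfig @('-cmd', 'secureresources')
Invoke-Checked $psconfig @('-cmd', 'services', '-install')

if (-not $Join) {
    # Start Windows SharePoint Services Search and Office SharePoint Server Search on
    # the first server before the farm services are provisioned.
    Invoke-Checked $stsadm @('-o', 'spsearch', '-action', 'start',
        '-farmserviceaccount', $FarmAccount, '-farmservicepassword', $farmPassword)
    Invoke-Checked $stsadm @('-o', 'osearch', '-action', 'start', '-role', 'IndexQuery',
        '-farmserviceaccount', $FarmAccount, '-farmservicepassword', $farmPassword,
        '-farmcontactemail', $ContactEmail)
}

Invoke-Checked $psconfig @('-cmd', 'services', '-provision')
Invoke-Checked $psconfig @('-cmd', 'installfeatures')

if (-not $Join) {
    # Central Administration lives on the first server; repeat this step on another
    # server only if you want a second Central Administration host.
    Invoke-Checked $psconfig @('-cmd', 'adminvs', '-provision', '-port', "$AdminPort",
        '-windowsauthprovider', 'onlyusentlm')
}
Invoke-Checked $psconfig @('-cmd', 'applicationcontent', '-install')

# Drop the clear-text password from the session as soon as it is no longer needed.
Remove-Variable -Name farmPassword, cred
Write-Host 'Configuration finished. Continue with the Stsadm steps to create the SSP and a site collection.'
```

Both tools take the farm account password in clear text on their command lines, so it is visible in the process list for as long as each command runs; the script prompts for it, masks it in its own output and removes it from the session afterwards, but it cannot hide it from other local administrators. The onlyusentlm value from the page restricts Central Administration to NTLM authentication; if you intend to use Kerberos instead, register service principal names for the farm account before provisioning the site. On an additional server, run the stsadm spsearch and osearch start commands only if that server is to host those services.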

Perform additional configuration tasks


After you have installed Office SharePoint Server 2007, we recommend that you perform the
following administrative tasks:
• Configure incoming e-mail settings.
• Configure outgoing e-mail settings.
• Configure workflow settings.
• Configure diagnostic logging settings.
• Configure antivirus settings.

Create a Shared Services Provider (SSP) by using the Stsadm command-line tool
After you create and configure Office SharePoint Server 2007 on a farm, you must use the
Stsadm command-line tool to create the SSP for the farm. The Stsadm command-line tool is
available on the installation drive for Office SharePoint Server 2007 at
%COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.

Important:
To run the Stsadm command-line tool, you must be a member of the Administrators group
on the local computer.
The recommended procedure for creating an SSP is to create a Web application for the My Site
host location, and a separate Web application for the Shared Services Administration Web site.
To create a new Web application, use the following procedure.

Create a Web application by using the Stsadm command-line tool


1. On the drive on which SharePoint Products and Technologies is installed, change to
the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
2. Type the following command, and then press ENTER:
stsadm -o extendvs
-url <URL name>
-ownerlogin <domain\user name>
-owneremail <e-mail address>
[-exclusivelyusentlm]
[-ownername <display name>]
[-databaseuser <database user name>]
[-databaseserver <database server name>]
[-databasename <new content database name>]
[-databasepassword <database password>]
[-lcid <language>]
[-sitetemplate <site template>]
[-donotcreatesite]
[-description <description>]
[-sethostheader]
[-apidname <application pool name>]
[-apidtype {configurableID | NetworkService}]
[-apidlogin <domain\user name>]
[-apidpwd <application pool password>]
[-allowanonymous]
For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc263040.aspx).

The extendvs operation creates the Web application. The donotcreatesite parameter creates
the Web application without creating a site collection on the Web application.
After creating the Web applications for the My Site host location and for the Shared Services
Administration Web site, you create the SSP.

Create an SSP by using the Stsadm command-line tool


1. On the drive on which SharePoint Products and Technologies is installed, change to
the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
2. Type the following command, and then press ENTER:
stsadm -o createssp
-title <SSP name>
-url <Web application URL>
-mysiteurl <My Site Web application URL>
-ssplogin <user name>
-indexserver <index server name>
-indexlocation <index file path>
[-ssppassword <password>]
[-sspdatabaseserver <SSP database server name>]
[-sspdatabasename <SSP database name>]
[-sspsqlauthlogin <SQL user name>]
[-sspsqlauthpassword <SQL password>]
[-searchdatabaseserver <search database server name>]
[-searchdatabasename <search database name>]
[-searchsqlauthlogin <SQL user name>]
[-searchsqlauthpassword <SQL password>]
[-ssl {Yes | No}]
For more information, see Createssp: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262773.aspx).

Example
The following command creates a Web application with the URL http://intranet:8080 that can be
used to host the SSP Administration site. Values in angle brackets are placeholders, and
-apidtype takes one of the two listed values:
stsadm -o extendvs -url http://intranet:8080 -ownerlogin <domain\user name> -owneremail
<user@domain.com> -exclusivelyusentlm -databaseserver <database server name>
-databasename <SSP content database name> -donotcreatesite -apidname <SSP application
pool name> -apidtype {configurableID | NetworkService} -apidlogin <domain\user name>
-apidpwd <password>
Similarly, you can create another Web application as the My Site host location by using the
following command:
stsadm -o extendvs -url http://intranet:8090 -ownerlogin <domain\user name> -owneremail
<user@domain.com> -exclusivelyusentlm -databaseserver <database server name>
-databasename <My Sites content database name> -donotcreatesite -apidname <My Sites
application pool name> -apidtype {configurableID | NetworkService} -apidlogin <domain\user
name> -apidpwd <password>
Then you create the SSP, named MySSP1, with an SSP database named MySSP1_db. The -url
parameter is the Web application you created for the Shared Services Administration site, and
-mysiteurl is the My Site host Web application:
stsadm -o createssp -title MySSP1 -url http://intranet:8080 -mysiteurl http://intranet:8090
-ssplogin <domain\user name> -ssppassword <password> -sspdatabaseserver <SSP
database server name> -sspdatabasename MySSP1_db -indexserver <index server name>
-indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office
Server\Applications" -searchdatabaseserver <search database server name>
-searchdatabasename <search database name>
For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-
us/library/cc261956.aspx).

Create a site collection by using the Stsadm command-line tool
You create the top-level site collection by using the same extendvs operation that you used to
create the Web applications for My Sites and the Shared Services Administration Web site, this
time without the -donotcreatesite parameter.

Important:
To run the Stsadm command-line tool, you must be a member of the Administrators group
on the local computer.

Create a site collection by using the Stsadm command-line tool


1. On the drive on which SharePoint Products and Technologies is installed, change to
the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
2. Type the following command, and then press ENTER:
stsadm -o extendvs
-url <URL name>
-ownerlogin <domain\user name>
-owneremail <e-mail address>
[-exclusivelyusentlm]
[-ownername <display name>]
[-databaseuser <database user name>]
[-databaseserver <database server name>]
[-databasename <new content database name>]
[-databasepassword <database password>]
[-lcid <language>]
[-sitetemplate <site template>]
[-donotcreatesite]
[-description <description>]
[-sethostheader]
[-apidname <application pool name>]
[-apidtype {configurableID | NetworkService}]
[-apidlogin <domain\user name>]
[-apidpwd <application pool password>]
[-allowanonymous]
For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc263040.aspx) and Stsadm command-line tool
(http://technet.microsoft.com/en-us/library/cc261956.aspx).

Example
The following command creates a site collection at http://intranet that uses the corporate intranet
site template.
stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail
<user@domain.com> -exclusivelyusentlm -sitetemplate SPSPORTAL -apidname
"SharePoint AppPool" -apidtype {configurableID | NetworkService} -apidlogin
<domain\user name> -apidpwd <password>
If you do not specify the site template to use, site owners can choose the site template when they
first browse to the site.
The following table lists common templates.

Parameter value    Description
STS#0              Team site
STS#1              Blank site
STS#2              Document workspace
MPS#0              Basic meeting workspace
MPS#1              Blank meeting workspace
MPS#2              Decision meeting workspace
MPS#3              Social meeting workspace
MPS#4              Multipage meeting workspace
BLOG#0             Blog
WIKI#0             Wiki site

If you want to create additional Web applications or site collections by using the Stsadm
command-line tool, you can use either the extendvs operation or the createsite operation.
The extendvs operation extends a Web application and creates a new content database. The
createsite operation creates a site collection at a specific URL with a specified user as a site
owner.

Note:
The createsite operation does not create a new content database. If you want to create a
new content database with the new site, use the createsiteinnewdb operation.
For more information, see Createsite: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262594.aspx) and Createsiteinnewdb: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc262407.aspx).
The extendvs operation also enables site collection administrators to specify the language of the
site collection by using the Locale ID (LCID) parameter. If you do not specify an LCID, the
language of the server is used for the top-level site collection. For more information about the
available LCID values, see List of Locale ID (LCID) Values as Assigned by Microsoft
(http://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409).
After creating sites, you might want to configure alternate access mappings. Alternate access
mappings direct users to the correct URLs during their interaction with Office SharePoint Server
2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for
example). Alternate access mappings enable Office SharePoint Server 2007 to map Web
requests to the correct Web applications and sites, and they enable Office SharePoint Server
2007 to serve the correct content back to the user. For more information, see Plan alternate
access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).

Configure the trace log


The trace log can be useful for analyzing problems that might occur. You can use events that are
written to the trace log to determine what configuration changes were made in Office SharePoint
Server 2007 before the problem occurred.
By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This
means that trace log files that contain events that are older than two days are deleted. When you
are using the Windows SharePoint Services Search service, we recommend that you configure
the trace log to save seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum
number of trace log files to maintain, and how long (in minutes) to capture events to each log file.
By default, 96 log files are kept, each one containing 30 minutes of events.
96 log files * 30 minutes of events per file = 2880 minutes or two days of events.
You can also specify where the log files are written or accept the default path.
Trace log files can help you troubleshoot issues related to configuration changes of the Windows
SharePoint Services Search service. Because problems related to configuration changes are not
always immediately discovered, we recommend that you save all trace log files that the system
creates on any day that you make any configuration changes. Store these log files for some time
in a safe location that will not be overwritten. We recommend that you store log files on a hard
disk drive partition that is used to store log files only.
See Also
Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
Plan for administrative and service accounts (http://technet.microsoft.com/en-
us/library/cc263445.aspx)
Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?
LinkID=110493&clcid=0x409)

Install Office SharePoint Server 2007 with least privilege administration by using the command line
In this section:
• Install software requirements
• Determine required accounts for least-privilege administration
• Install Microsoft Office SharePoint Server 2007 by using least-privilege administration
• Configure the server by using the Psconfig command-line tool
• Perform additional configuration tasks
• Create a Shared Services Provider by using the Stsadm command-line tool
• Create a site collection by using the Stsadm command-line tool
• Configure the trace log
This section discusses how to install Microsoft Office SharePoint Server 2007 on a stand-alone
server or on a server farm by using least-privilege administration.
The Office SharePoint Server 2007 standard configuration uses a set of user accounts and
installation settings for both stand-alone servers and server farms to simplify the installation
process. However, enterprises are often required to use least-privilege administration in which
each service or user is provided with only the minimum permissions and group memberships that
they need to accomplish the tasks that they are authorized to perform. Installing Office
SharePoint Server 2007 with least-privilege administration requires additional preparation and
configuration steps. We strongly recommend that you use least-privilege administration.
To install Office SharePoint Server 2007 by using least-privilege administration on either a stand-
alone server or a server farm, you complete the following steps:
1. Plan the deployment and ensure that you have installed all the software requirements.
2. Determine the required accounts that are used during installation.
3. Use the least-privilege Setup user account to install Office SharePoint Server 2007 by
using Setup at a command prompt and specifying a configuration file.
4. Configure the server by using the Psconfig command-line tool with the appropriate
options.
5. Create a Shared Services Provider (SSP) by using the Stsadm command-line tool (only
applies on server-farm installations).
6. Create a site collection by using the Stsadm command-line tool (only applies on server-
farm installations).

Install software requirements
Before running Setup, you must perform several actions to prepare the deployment. For more
information about the complete list of actions you must perform before installation, see Chapter
overview: Install Office SharePoint Server 2007 in a server farm environment. Ensure that you
have the following software requirements before you run Setup in any deployment:
• Office SharePoint Server 2007 on a clean installation of the Windows Server 2003
operating system with the most recent service pack. To install Office SharePoint Server 2007
on Windows Server 2008, see Installing Microsoft Office SharePoint Server 2007 on
Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=122586&clcid=0x409).

Note:
All the instances of Office SharePoint Server 2007 in the farm must be in the same
language. For example, you cannot have both English versions and Japanese
versions of Office SharePoint Server 2007 in the same farm.
• The Microsoft .NET Framework version 3.0. The .NET Framework version 3.0 download
contains the Windows Workflow Foundation technology, which is required by workflow
features.
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET
Framework version 3.5 from the Microsoft Download Center (http://go.microsoft.com/fwlink/?
LinkId=110508).
• ASP.NET 2.0 enabled in the Internet Information Services (IIS) Manager on all Office
SharePoint Server 2007 servers.
• Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most recent service
pack running on at least one database server before you install Office SharePoint Server
2007 on the Web servers.

Note:
To deploy a server farm, you must have at least one server computer acting as a Web
server and an application server, and one server computer acting as a database server.

Determine required accounts for least-privilege administration
Before installing Office SharePoint Server 2007 by using least-privilege administration in any
security configuration, you should understand the three-tier security model for Office SharePoint
Server 2007 and the detailed account permissions that are required for each configuration. For
more information, see the following topics:
• Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
• Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx)
• Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409)
Many requirements and configuration steps for installing Office SharePoint Server 2007 by using
least-privilege administration resemble the standard farm installation. For more information about
the standard farm installation, see Chapter overview: Install Office SharePoint Server 2007 in a
server farm environment.
The following table describes the accounts that are used to install Office SharePoint Server 2007 for least-privilege administration compared to the standard account requirements for farm installation.

Account: Setup user account
Purpose: The Setup user account is used to run the following:
• Setup on each server.
• The SharePoint Products and Technologies Configuration Wizard.
• The Psconfig command-line tool.
• The Stsadm command-line tool.
Server farm standard requirement:
• Domain user account.
• Member of the Administrators group on each server on which Setup is run.
• SQL Server login on the computer that is running SQL Server.
• Member of the following SQL Server security roles: securityadmin fixed server role and dbcreator fixed server role.
If you run Stsadm command-line commands that read from or write to a database, the Setup user account must be a member of the db_owner fixed database role for the database.
Least-privilege administration using domain user accounts requirements: Server farm standard requirements with the following additions or exceptions:
• Use a separate domain user account.
• The Setup user account should not be a member of the Administrators group on the computer that is running SQL Server.

Account: Server farm account or database access account
Purpose: The server farm account is used to:
• Configure and manage the server farm.
• Act as the application pool identity for the SharePoint Central Administration Web site.
• Run the Windows SharePoint Services Timer service.
Server farm standard requirement:
• Domain user account.
• If the server farm is a child farm with Web applications that consume shared services from a larger farm, this account must be a member of the db_owner fixed database role on the configuration database of the larger farm.
Additional permissions are automatically granted for the server farm account on Web servers and application servers that are joined to a server farm. The server farm account is automatically added as a SQL Server login on the computer that is running SQL Server and added to the following SQL Server security roles:
• dbcreator fixed server role
• securityadmin fixed server role
• db_owner fixed database role for all databases in the server farm
Least-privilege administration using domain user accounts requirements: Server farm standard requirements with the following additions or exceptions:
• Use a separate domain user account.
• The server farm account is not a member of the Administrators group on any server in the server farm. This includes the computer that is running SQL Server.
• The server farm account does not require permissions to SQL Server before you create the configuration database.

The minimum requirements to achieve least-privilege administration include the following:
• Separate accounts are used for different services and processes.
• No executing service or process account is running with local administrator permissions.
By using separate service accounts for each service and limiting the permissions assigned to each account, you limit what an attacker gains from any one compromised service or credential: a process that runs as a local administrator can be used to take over the whole server, whereas a separate account that holds only the permissions its service needs confines the damage to that service.
Least-privilege administration can be implemented in many ways, depending on the security
configuration of each scenario. The configurations for least-privilege administration include:
• Separate domain user accounts
• SQL Server authentication
• Domain user accounts connecting to existing databases
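Before you run Setup, you can check that the accounts you created actually match the table above. The following PowerShell script is an added example and is not part of the original book or the product; the account names, server names and SQL Server instance in it are placeholders, and the Get-LocalAdministrators and Test-SqlServerRole helpers are the example's own. It confirms that the Setup user account is a local administrator on each SharePoint server but not on the computer that is running SQL Server, that the server farm account is not a local administrator anywhere, and that the Setup user account holds the securityadmin and dbcreator fixed server roles.

```powershell
# Added example, not from the original book: verify the least-privilege account layout
# described above before you run Setup or Psconfig.
# Assumptions (placeholders): account names, server names and the SQL Server instance.
$setupAccount = 'CONTOSO\sp_setup'       # Setup user account
$farmAccount  = 'CONTOSO\sp_farm'        # server farm (database access) account
$spServers    = @('SPWEB01', 'SPAPP01')   # Web and application servers in the farm
$sqlServer    = 'SQL01'                   # computer that is running SQL Server
$sqlInstance  = 'SQL01'                   # instance name, or 'SQL01\INSTANCE' for a named instance

function Get-LocalAdministrators([string]$computer) {
    # Enumerate the local Administrators group through the ADSI WinNT provider and
    # return each member as DOMAIN\name (or COMPUTER\name for local accounts).
    $group = [ADSI]"WinNT://$computer/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Test-SqlServerRole([string]$instance, [string]$login, [string]$role) {
    # Ask SQL Server whether a Windows login holds a fixed server role. The query runs with
    # the caller's own Windows credentials, so run it as a login allowed to read role membership.
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$instance;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT ISNULL(IS_SRVROLEMEMBER(@role, @login), 0)'
        [void]$cmd.Parameters.AddWithValue('@role', $role)
        [void]$cmd.Parameters.AddWithValue('@login', $login)
        return ([int]$cmd.ExecuteScalar()) -eq 1
    } finally {
        $conn.Close()
    }
}

$failures = @()
foreach ($server in $spServers) {
    $admins = @(Get-LocalAdministrators $server)
    if ($admins -notcontains $setupAccount) { $failures += "$setupAccount is not a local administrator on $server; Setup will fail there" }
    if ($admins -contains $farmAccount)     { $failures += "$farmAccount is a local administrator on $server; remove it" }
}
$sqlAdmins = @(Get-LocalAdministrators $sqlServer)
foreach ($account in @($setupAccount, $farmAccount)) {
    if ($sqlAdmins -contains $account) { $failures += "$account is a local administrator on $sqlServer; remove it" }
}
foreach ($role in @('securityadmin', 'dbcreator')) {
    if (-not (Test-SqlServerRole $sqlInstance $setupAccount $role)) {
        $failures += "$setupAccount does not hold the $role fixed server role on $sqlInstance"
    }
}
# The farm account needs only the roles Psconfig grants it (dbcreator, securityadmin, db_owner),
# so membership in sysadmin is a sign that somebody over-provisioned it.
if (Test-SqlServerRole $sqlInstance $farmAccount 'sysadmin') {
    $failures += "$farmAccount is a member of sysadmin on $sqlInstance; it needs only dbcreator and securityadmin"
}
if ($failures.Count -eq 0) { 'Least-privilege account checks passed.' }
else { $failures | ForEach-Object { Write-Warning $_ } }
```

Run the script as a domain account that can read local group membership on each server and read login role membership in SQL Server; the Setup user account itself qualifies once it holds securityadmin. A login that does not exist in SQL Server makes IS_SRVROLEMEMBER return NULL, which the query turns into 0, so a missing SQL Server login for the Setup user account is reported as a missing role rather than being silently skipped.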

Install Microsoft Office SharePoint Server 2007 by using least-privilege administration
After you have determined the required accounts for the installation, you can install Office
SharePoint Server 2007. The product DVD contains examples of configuration (Config.xml) files.
These example files are stored under the \Files folder in the root directory of the DVD, in folders
that correspond to different scenarios. These example files are described in the following table.

Configuration file and description:
• Setup\Config.xml: Stand-alone server installation, using Microsoft SQL Server 2005 Express Edition
• SetupFarm\Config.xml: Server farm installation
• SetupFarmSidebySide\Config.xml: Gradual upgrade of an existing farm
• SetupFarmSilent\Config.xml: Server farm installation in silent mode
• SetupFarmUpgrade\Config.xml: In-place upgrade of an existing farm
• SetupSilent\Config.xml: Stand-alone server installation, using SQL Server 2005 Express Edition, in silent mode
• SetupSingleUpgrade\Config.xml: In-place upgrade of an existing single-server installation

Important:
The example configuration files that are included with Office SharePoint Server 2007 omit
the <Setting Id="SETUP_REBOOT" Value="Never"/> setting. You must include this
setting if you want to suppress restarts during a command-line installation.

Example
The following example shows the configuration for setting up a single server in silent mode
(SetupSilent).
<Configuration>
<Package Id="sts">
<Setting Id="LAUNCHEDFROMSETUPSTS" Value="Yes"/>
<Setting Id="REBOOT" Value="ReallySuppress"/>
<Setting Id="SETUPTYPE" Value="CLEAN_INSTALL"/>
</Package>
<Package Id="spswfe">
<Setting Id="SETUPCALLED" Value="1"/>
<Setting Id="REBOOT" Value="ReallySuppress"/>
<Setting Id="OFFICESERVERPREMIUM" Value="1" />
</Package>
<Logging Type="verbose" Path="%temp%" Template="Office Server Setup(*).log"/>
<Display Level="none" CompletionNotice="no" />
<PIDKEY Value="Enter PID Key Here" />
<Setting Id="SERVERROLE" Value="SINGLESERVER"/>
<Setting Id="USINGUIINSTALLMODE" Value="0"/>
</Configuration>

Run Setup with a Config.xml file at a command prompt
1. On the drive on which the Office SharePoint Server 2007 product DVD is located,
change to the root directory to locate the setup.exe file.
2. Run Setup with the selected Config.xml file.
setup /config <path and file name>

Note:
You can select one of the example files, or customize your own configuration file.
3. Press ENTER.

Setup is now complete.


Example
To run Setup in silent mode, type the following command at a command prompt, and then press
ENTER:
• setup /config Files\SetupSilent\config.xml (for a single server deployment)
• setup /config Files\SetupFarmSilent\config.xml (for a farm deployment)
You can also customize the configuration file. To control the installation, first edit the Config.xml file in a text editor to include the elements that you want with the appropriate settings for those elements. Then run setup /config <path and file name> to specify that Setup runs and uses the options that you set in the Config.xml file.
Some typical configuration options include:
• Bypassing the prompt for the product key by providing the key as a value, <PIDKEY
Value="Enter PID Key Here" />, in the Config.xml file.
• Adding a location for a log file, <Logging Type="off" | "standard"(default) | "verbose" Path="path name" Template="file name.log"/>, which you can view if command-line installation fails.

Important:
Use a text editor, such as Notepad, to edit Config.xml. Do not use a word-processing program such as Microsoft Office Word 2007, which can add formatting or substitute characters that Setup cannot parse.
For more information about the options available for customizing the configuration file, see
Config.xml reference (http://technet.microsoft.com/en-us/library/cc261668.aspx).
For more information about the command-line options for Setup, see Setup.exe command-line
reference (http://technet.microsoft.com/en-us/library/cc262897.aspx).
For more information about command-line installation, see Install Office SharePoint Server 2007
by using the command line.
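To make a silent run repeatable, a script can build Config.xml from one of the sample files and check the settings described above before Setup starts. The following PowerShell script is an added example and is not part of the original book or the product: the DVD drive letter, the OSS_PIDKEY environment variable that carries the product key, the C:\Deploy paths and the Get-OrAddElement helper are all assumptions. It adds the SETUP_REBOOT setting that the sample files omit, replaces the product key placeholder, forces verbose logging to a known directory and a no-UI display mode, saves the file with read access restricted to the account that runs Setup (because the file now contains the product key), and then runs Setup and checks its exit code.

```powershell
# Added example, not from the original book: prepare a copy of a sample Config.xml for an
# unattended run of Setup and check the settings this section calls out before Setup starts.
# Assumptions (placeholders): the DVD is mounted on D:, the product key is supplied in the
# environment variable OSS_PIDKEY, and C:\Deploy is a local directory for the file and logs.
param(
    [string]$Source = 'D:\Files\SetupFarmSilent\config.xml',
    [string]$Target = 'C:\Deploy\config.xml',
    [string]$LogDir = 'C:\Deploy\Logs'
)

[xml]$cfg = Get-Content -Path $Source
$root = $cfg.Configuration

function Get-OrAddElement([System.Xml.XmlElement]$parent, [string]$xpath, [string]$name) {
    # Return the child matched by $xpath, creating it as <$name> when it is missing.
    $node = $parent.SelectSingleNode($xpath)
    if ($node -eq $null) {
        $node = $parent.OwnerDocument.CreateElement($name)
        [void]$parent.AppendChild($node)
    }
    return $node
}

# 1. The sample files omit SETUP_REBOOT; add it so Setup never restarts the server mid-deployment.
$reboot = Get-OrAddElement $root "Setting[@Id='SETUP_REBOOT']" 'Setting'
$reboot.SetAttribute('Id', 'SETUP_REBOOT')
$reboot.SetAttribute('Value', 'Never')

# 2. Replace the "Enter PID Key Here" placeholder; in silent mode there is nobody to type the key.
if (-not $env:OSS_PIDKEY) { throw 'OSS_PIDKEY is not set; Setup would stop at the product key prompt.' }
$key = Get-OrAddElement $root 'PIDKEY' 'PIDKEY'
$key.SetAttribute('Value', $env:OSS_PIDKEY)

# 3. Verbose logging to a known directory, so a failed silent run leaves something to read.
$log = Get-OrAddElement $root 'Logging' 'Logging'
$log.SetAttribute('Type', 'verbose')
$log.SetAttribute('Path', $LogDir)
$log.SetAttribute('Template', 'Office Server Setup(*).log')
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# 4. No UI and no completion dialog; Setup must not wait for a click that never comes.
$display = Get-OrAddElement $root 'Display' 'Display'
$display.SetAttribute('Level', 'none')
$display.SetAttribute('CompletionNotice', 'no')

New-Item -ItemType Directory -Path (Split-Path $Target) -Force | Out-Null
$cfg.Save($Target)

# The saved file contains the product key: drop inherited permissions and grant read access
# only to the account that runs Setup. (icacls.exe; on a Windows Server 2003 system that lacks
# it, use cacls.exe instead.)
& icacls $Target /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null

# Run Setup with the prepared file and surface a non-zero exit code instead of ignoring it.
$setup = Start-Process -FilePath 'D:\setup.exe' -ArgumentList "/config `"$Target`"" -Wait -PassThru
if ($setup.ExitCode -ne 0) { throw "Setup returned exit code $($setup.ExitCode); see the logs in $LogDir" }
```

Delete the prepared Config.xml once Setup has finished, or keep it in a location with the same restricted permissions, because it holds the product key in clear text; the sample files on the DVD are unaffected because the script writes only to the target path.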

Configure the server by using the Psconfig command-line tool
You use the Psconfig command-line tool to configure Office SharePoint Server 2007 after Setup
has finished. The tool is located at %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin. The configuration options are different depending on whether you install Office
SharePoint Server 2007 on a stand-alone server or on a server farm.
For more information about the Psconfig command-line tool and its operations and parameters,
see Command-line reference for the SharePoint Products and Technologies Configuration Wizard
(http://technet.microsoft.com/en-us/library/cc263093.aspx). For more information about the
services and features that are registered during the configuration, see Using PSConfig.exe
command-line options to complete SharePoint Server Configuration
(http://go.microsoft.com/fwlink/?LinkId=122627&clcid=0x409).

Configure SharePoint Server 2007 on a stand-alone server
In stand-alone server deployments that use least-privilege administration, you can run the
Psconfig command-line tool with the setup command.
After you have logged on by using the Setup user account that you previously created and
configured, you configure Office SharePoint Server 2007.

Configure SharePoint Server 2007 by using the Psconfig command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
psconfig -cmd setup

The Psconfig command-line tool describes the configuration steps as they occur, and notes the
successful completion of configuration. For a stand-alone-server installation, this is the final step
in a command-line installation.

Configure SharePoint Server 2007 on a farm
In server farm deployments that use least-privilege administration, you use the Psconfig
command-line tool to create a new farm or connect to an existing farm. The Psconfig command-
line tool installs the SharePoint Central Administration Web site on the first server in the farm.
Therefore, we recommend that the first server on which you install Office SharePoint Server 2007
is a server from which you want to run the Central Administration Web site.
The following procedure describes how to configure the first server in the farm.

Note:
Ensure that you follow the procedure in the order that it is written to avoid configuration
problems.

Configure SharePoint Server 2007 on a farm by using the Psconfig command-line tool
1. Log on by using the Setup user account that you previously created and configured.
2. On the drive on which SharePoint Products and Technologies is installed, change to
the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
3. Create the configuration database:
psconfig -cmd configdb -create -server <database server name> -database <database name> -dbuser <SQL Server login name> -dbpassword <password> -user <domain\user name> -password <password> -addomain <domain name> -adorgunit <org unit> -admincontentdatabase <Central Administration Web application content database name>

Note:
The dbuser and dbpassword parameters are only used in deployments that use
SQL Server authentication. If you are using Windows authentication, these
parameters are not required.
4. Install all Help collections:
psconfig -cmd helpcollections -installall
5. Perform resource security enforcement:
psconfig -cmd secureresources
6. Register services in the server farm:
psconfig -cmd services -install

Note:
After installing services, you must start and configure two services, Windows
SharePoint Services Search and Office SharePoint Server Search, by using the
Stsadm command-line tool:
a. stsadm -o spsearch -action start -farmserviceaccount <domain\user name> -farmservicepassword <password> [-databasename <search database name>] [-databaseserver <server instance>] [-searchserver <search server name>]
For more information, see Spsearch: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc288507.aspx).

Note:
Use the domain and user account information for the server farm account
that you previously created and configured.
b. stsadm -o osearch -action start -role IndexQuery -farmserviceaccount <domain\user name> -farmservicepassword <password> -farmcontactemail <user@domain.com>
For more information, see Osearch: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc262920.aspx).

Note:
Use the domain and user account information for the server farm account
that you created and configured previously.
c. Provision the services of the farm:
psconfig -cmd services -provision
7. Register all features:
psconfig -cmd installfeatures
8. Provision the SharePoint Central Administration Web application:
psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
9. Install shared application data:
psconfig -cmd applicationcontent -install

The Central Administration Web site has now been created.


We recommend that you install and configure Office SharePoint Server 2007 on all of the farm
servers before you create sites.

Note:
If any of these commands fail, look in the post-Setup configuration log files. The log files
are available at %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Logs. They can be identified by a file name starting with “PSC” and the .log
file name extension.
To connect to an existing configuration database and join the server to an existing server farm,
you must run the configdb command together with the -connect parameter instead of the
-create parameter.
psconfig -cmd configdb -connect -server <server name> -database <database name>

Note:
Omit the -admincontentdatabase parameter because you already specified it when you created the configuration database.
Use the psconfig -cmd adminvs -provision -port <port> -windowsauthprovider onlyusentlm
command if you want to provision the SharePoint Central Administration Web application on
additional servers, which reduces the risk if the server that is running the SharePoint Central
Administration Web application fails.
To successfully complete command-line installation on a server farm, you must use the Stsadm
command-line tool to create an SSP, and then a site collection for the farm. However, before you
create a Shared Services Provider and a site collection, we recommend that you first perform
some additional configuration tasks.

Perform additional configuration tasks
After you have installed Office SharePoint Server 2007, we recommend that you perform the
following administrative tasks:
• Configure incoming e-mail settings
• Configure outgoing e-mail settings
• Configure workflow settings
• Configure diagnostic logging settings
• Configure antivirus settings

Create a Shared Services Provider by using the Stsadm command-line tool
After you create and configure Office SharePoint Server 2007 on a farm, you must use the
Stsadm command-line tool to create the SSP and site collection for the farm.

Important:
To run the Stsadm command-line tool, you must be a member of the Administrators group
on the local computer.

The recommended procedure for creating an SSP is to create a Web application for the My Sites
host location, and a separate Web application for the Shared Services Administration Web site.

Create a Web application by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to
the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
2. Type the following command, and then press ENTER:
stsadm -o extendvs
-url <URL name>
-ownerlogin <domain\user name>
-owneremail <e-mail address>
[-exclusivelyusentlm]
[-ownername <display name>]
[-databaseuser <database user name>]
[-databaseserver <database server name>]
[-databasename <new content database name>]
[-databasepassword <database password>]
[-lcid <language>]
[-sitetemplate <site template>]
[-donotcreatesite]
[-description <description>]
[-sethostheader]
[-apidname <application pool name>]
[-apidtype {configurableID | NetworkService}]
[-apidlogin <domain\user name>]
[-apidpwd <application pool password>]
[-allowanonymous]
For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).

The extendvs operation creates the Web application. The donotcreatesite parameter creates
the Web application without creating a site collection on the Web application.
After creating the Web applications for the My Sites host location and for the Shared Services
Administration Web site, you create the SSP.

Create an SSP by using the Stsadm command-line tool

1. On the drive on which SharePoint Products and Technologies is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\12\Bin.
2. Type the following command, and then press ENTER:
stsadm -o createssp
-title <SSP name>
-url <Web application URL>
-mysiteurl <My Sites Web application URL>
-ssplogin <domain\user name>
-ssppassword <password>
-indexserver <index server name>
-indexlocation <index file path>
[-sspdatabaseserver <SSP database server name>]
[-sspdatabasename <SSP database name>]
[-sspsqlauthlogin <SQL user name>]
[-sspsqlauthpassword <SQL password>]
[-searchdatabaseserver <search database server name>]
[-searchdatabasename <search database name>]
[-searchsqlauthlogin <SQL user name>]
[-searchsqlauthpassword <SQL password>]
[-ssl {Yes | No}]

Example
The following command creates a Web application with the URL http://intranet:8080 that can be
used to host the SSP Administration site.
stsadm -o extendvs -url http://intranet:8080 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <database server name> -databasename <SSP content database name> -donotcreatesite -apidname <SSP application pool> -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>
Similarly, you can create another Web application as the My Sites host location by using the following command:
stsadm -o extendvs -url http://intranet:8090 -ownerlogin <domain\user name> -owneremail <user@domain.com> -exclusivelyusentlm -databaseserver <SQL Server> -databasename <site content database name> -donotcreatesite -apidname <site application pool> -apidtype configurableID -apidlogin <domain\user name> -apidpwd <password>
Then you create the SSP, named MySSP1, with its database MySSP1_db. The -url parameter is the Web application that hosts the Shared Services Administration site (http://intranet:8080 in this example), and -mysiteurl is the My Sites host Web application:
stsadm -o createssp -title MySSP1 -url http://intranet:8080 -mysiteurl http://intranet:8090 -ssplogin <domain\user name> -ssppassword <password> -sspdatabaseserver <database server name> -sspdatabasename MySSP1_db -indexserver <index server name> -indexlocation "D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications" -searchdatabaseserver <search database server name> -searchdatabasename <search database name>
For more information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx) and Createssp: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262773.aspx).

Create a site collection by using the Stsadm command-line tool
You create the top-level site collection by using the same extendvs operation that you used to
create the Web applications for My Sites and the Shared Services Administration Web site.

Important:
To run the Stsadm command-line tool, you must be a member of the Administrators group
on the local computer.

Create a site collection by using the Stsadm command-line tool
1. On the drive on which SharePoint Products and Technologies is installed, change to
the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin.
2. Type the following command, and then press ENTER:
stsadm -o extendvs
-url <URL name>
-ownerlogin <domain\user name>
-owneremail <e-mail address>
[-exclusivelyusentlm]
[-ownername <display name>]
[-databaseuser <database user name>]
[-databaseserver <database server name>]
[-databasename <new content database name>]
[-databasepassword <database password>]
[-lcid <language>]
[-sitetemplate <site template>]
[-donotcreatesite]
[-description <description>]
[-sethostheader]
[-apidname <application pool name>]
[-apidtype {configurableID | NetworkService}]
[-apidlogin <domain\user name>]
[-apidpwd <application pool password>]
[-allowanonymous]
For more information about how to create a site collection, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).

Example
The following example creates a site collection at http://intranet that uses the corporate intranet
site template.
stsadm -o extendvs -url http://intranet -ownerlogin <domain\user name> -owneremail
<user@domain.com> -exclusivelyusentlm -sitetemplate SPSPORTAL -apidname
"SharePoint AppPool" -apidtype configurableID -apidlogin <domain\user name> -apidpwd
<password>
This command can also be used to add other site collections and sites.
If you do not specify the site template to use, the site collection administrator can choose the site
template when he or she first browses to the site.
The extendvs operation also enables you to specify the language of the site collection by using the -lcid parameter. If you do not specify an LCID, the language of the server is used for the top-level site collection. For more information about the available LCID values, see List of Locale ID (LCID) Values as Assigned by Microsoft (http://go.microsoft.com/fwlink/?LinkId=63028&clcid=0x409).
For more information about the Stsadm command-line tool, see Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx).
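The farm procedure earlier in this section (steps 3 through 9 of "Configure SharePoint Server 2007 on a farm by using the Psconfig command-line tool"), the two extendvs Web applications and the createssp command from "Create a Shared Services Provider by using the Stsadm command-line tool", and the site collection command above are normally run one after another on the first server. The following PowerShell script is an added example and is not part of the original book or the product: it runs those commands in order, stops at the first non-zero exit code, prompts for each password instead of storing it, and masks password values when it echoes a command. Server names, account names, database names, URLs and the Central Administration port 8888 are placeholders, and the Read-PlainPassword and Invoke-Step helpers are the example's own. It assumes Windows authentication to SQL Server, so the -dbuser and -dbpassword parameters are omitted, and it must run in an elevated session as the Setup user account. In keeping with least-privilege administration it uses one account for the SSP and its application pools and a different one for the portal application pool, neither of which is the server farm account.

```powershell
# Added example, not from the original book: the first-server Psconfig steps, the two
# extendvs Web applications, createssp and the top-level site collection from this section,
# run as one script that stops at the first failing command and never stores a password.
# Assumptions (placeholders): server, account, database, URL and port names; Windows
# authentication to SQL Server (so no -dbuser/-dbpassword); run as the Setup user account.
$bin      = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web server extensions\12\BIN'
$psconfig = Join-Path $bin 'psconfig.exe'
$stsadm   = Join-Path $bin 'stsadm.exe'

$sqlServer      = 'SQL01'                  # database server
$farmAccount    = 'CONTOSO\sp_farm'        # server farm account
$sspAccount     = 'CONTOSO\sp_ssp'         # SSP service account and SSP/My Sites application pool identity
$appPoolAccount = 'CONTOSO\sp_content'     # application pool identity for the portal Web application
$ownerLogin     = 'CONTOSO\sp_admin'       # site collection owner
$ownerEmail     = 'sp_admin@contoso.com'
$indexServer    = $env:COMPUTERNAME
$indexPath      = 'D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications'

function Read-PlainPassword([string]$prompt) {
    # Prompt without echo; psconfig and stsadm accept passwords only as plain-text
    # arguments, so the string is decoded just before use and the BSTR is zeroed afterwards.
    $secure = Read-Host -Prompt $prompt -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}
$farmPwd    = Read-PlainPassword "Password for $farmAccount"
$sspPwd     = Read-PlainPassword "Password for $sspAccount"
$appPoolPwd = Read-PlainPassword "Password for $appPoolAccount"

function Invoke-Step([string]$exe, [string[]]$arguments) {
    # Echo the command with password values masked, run it, and stop on a non-zero exit
    # code; for a failed psconfig step read the PSC*.log files under ..\12\LOGS.
    $shown = ($arguments -join ' ') -replace '(-\w*(?:password|pwd))\s+\S+', '$1 ****'
    Write-Host ('==> {0} {1}' -f (Split-Path $exe -Leaf), $shown)
    & $exe $arguments
    if ($LASTEXITCODE -ne 0) { throw ('{0} failed with exit code {1}' -f (Split-Path $exe -Leaf), $LASTEXITCODE) }
}

# Farm procedure, steps 3 to 9 (first server: configdb -create; later servers use -connect).
Invoke-Step $psconfig @('-cmd','configdb','-create','-server',$sqlServer,'-database','SharePoint_Config',
    '-user',$farmAccount,'-password',$farmPwd,'-admincontentdatabase','SharePoint_AdminContent')
Invoke-Step $psconfig @('-cmd','helpcollections','-installall')
Invoke-Step $psconfig @('-cmd','secureresources')
Invoke-Step $psconfig @('-cmd','services','-install')
Invoke-Step $stsadm   @('-o','spsearch','-action','start','-farmserviceaccount',$farmAccount,'-farmservicepassword',$farmPwd)
Invoke-Step $stsadm   @('-o','osearch','-action','start','-role','IndexQuery','-farmserviceaccount',$farmAccount,
    '-farmservicepassword',$farmPwd,'-farmcontactemail',$ownerEmail)
Invoke-Step $psconfig @('-cmd','services','-provision')
Invoke-Step $psconfig @('-cmd','installfeatures')
Invoke-Step $psconfig @('-cmd','adminvs','-provision','-port','8888','-windowsauthprovider','onlyusentlm')
Invoke-Step $psconfig @('-cmd','applicationcontent','-install')

# Web applications for the Shared Services Administration site (8080) and My Sites (8090),
# each in its own application pool, then the SSP that uses them.
foreach ($url in @('http://intranet:8080', 'http://intranet:8090')) {
    $port = $url.Split(':')[-1]
    Invoke-Step $stsadm @('-o','extendvs','-url',$url,'-ownerlogin',$ownerLogin,'-owneremail',$ownerEmail,
        '-exclusivelyusentlm','-databaseserver',$sqlServer,'-databasename',"WSS_Content_$port",'-donotcreatesite',
        '-apidname',"SSP AppPool $port",'-apidtype','configurableID','-apidlogin',$sspAccount,'-apidpwd',$sspPwd)
}
Invoke-Step $stsadm @('-o','createssp','-title','MySSP1','-url','http://intranet:8080','-mysiteurl','http://intranet:8090',
    '-ssplogin',$sspAccount,'-ssppassword',$sspPwd,'-sspdatabaseserver',$sqlServer,'-sspdatabasename','MySSP1_db',
    '-indexserver',$indexServer,'-indexlocation',$indexPath)

# Top-level site collection on its own Web application, with a separate application pool account.
Invoke-Step $stsadm @('-o','extendvs','-url','http://intranet','-ownerlogin',$ownerLogin,'-owneremail',$ownerEmail,
    '-exclusivelyusentlm','-databaseserver',$sqlServer,'-databasename','WSS_Content_Portal','-sitetemplate','SPSPORTAL',
    '-apidname','SharePoint AppPool','-apidtype','configurableID','-apidlogin',$appPoolAccount,'-apidpwd',$appPoolPwd)
```

The passwords still reach psconfig and stsadm as plain-text command-line arguments, where another local administrator can read them from the process list while the command runs; that is a limitation of the tools themselves, which is why the script keeps the passwords out of the saved script file and out of the console echo rather than claiming to hide them from the operating system.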
After creating sites, you might want to configure alternate access mappings. Alternate access mappings direct users to the correct URLs during their interaction with Office SharePoint Server 2007 (while browsing to the home page of an Office SharePoint Server 2007 Web site, for example). Alternate access mappings enable Office SharePoint Server 2007 to map Web requests to the correct Web applications and sites, and they enable Office SharePoint Server 2007 to serve the correct content back to the user. For more information, see Plan alternate access mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).

Configure the trace log
The trace log can be useful for analyzing problems that might occur. You can use events that are
written to the trace log to determine what configuration changes were made in Office SharePoint
Server 2007 before the problem occurred.
By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This
means that trace log files that contain events that are older than two days are deleted. When you
are using the Windows SharePoint Services Search service, we recommend that you configure
the trace log to save seven days of events.

You can use the Diagnostic Logging page in Central Administration to configure the maximum
number of trace log files to maintain, and how long (in minutes) to capture events to each log file.
By default, 96 log files are kept, each one containing 30 minutes of events.
96 log files * 30 minutes of events per file = 2880 minutes or two days of events.
You can also specify where the log files are written or accept the default path.
Trace log files can help you troubleshoot issues related to configuration changes of the Windows
SharePoint Services Search service. Because problems related to configuration changes are not
always immediately discovered, we recommend that you save all trace log files that the system
creates on any day that you make any configuration changes. Store these log files for an
extended period of time in a safe location that will not be overwritten. We recommend that you
store log files on a hard disk drive partition that is used to store log files only.
See Also
Plan for security roles (http://technet.microsoft.com/en-us/library/cc262918.aspx)
Plan for administrative and service accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx)
Office SharePoint Server Security Account Requirements (http://go.microsoft.com/fwlink/?LinkId=110493&clcid=0x409)

Migrate a stand-alone installation to a server farm installation
In this section:
• Install Office SharePoint Server 2007 on a new farm
• Migrate data from the single-server installation
• Create and attach data from the Shared Services Provider (SSP)
• Attach site collection data from content databases
Installing Microsoft Office SharePoint Server 2007 as a stand-alone installation on a single server
computer simplifies deployment. A stand-alone installation of Microsoft Office SharePoint Server
2007 is a good choice for:
• A low-capacity deployment with a small number of Web sites
• A small number of concurrent users
• The initial evaluation of Office SharePoint Server 2007 before you begin testing and
implementing a more complex deployment.
Many deployments have greater performance and capacity requirements that can only be
achieved with a farm deployment. You can migrate a stand-alone installation of Office SharePoint
Server 2007 to a server farm installation to meet expanded performance, capacity, or scalability
requirements. Migration enables you to meet these requirements while also retaining the data,
content, and sites from your single-server installation. A direct upgrade from a stand-alone server
to a farm is not available.
It is usually easier to expand an existing farm deployment by adding servers to meet
performance, capacity, or scalability requirements than it is to migrate a stand-alone deployment
to a farm deployment. If you know that your organization is going to require a server farm
eventually, it is a better idea to start with a simple farm deployment.
For more information about installing Office SharePoint Server 2007 on a simple server farm, see
Deploy in a simple server farm. For more information about installing Office SharePoint Server
2007 on a stand-alone server, see Install Office SharePoint Server 2007 on a stand-alone
computer.
You have two options for a migration from a stand-alone installation to a farm installation of Office
SharePoint Server 2007:
• SQL Backup and Restore, followed by using the Stsadm command-line tool to attach the
databases
• Central Administration Backup and Restore
This section describes the first option. For more information about using Central Administration to
migrate from a stand-alone installation to a farm installation, see Migrate to another farm by using
the Central Administration Web site (http://technet.microsoft.com/en-us/library/cc262281.aspx).

To migrate from a stand-alone server to a server farm, you perform the following steps:
1. Install Office SharePoint Server 2007 on a new farm.
2. Migrate data from the stand-alone server to the Microsoft SQL Server 2005 database
server that is part of the new server farm by using SQL Backup and Restore.
3. Create and attach data from the Shared Services Provider (SSP) by using the Stsadm
command-line tool.
4. Attach the restored databases to the new server farm by using the Stsadm command-line
tool.

Install Office SharePoint Server 2007 on a new farm
Before you can migrate data from a single-server to a server farm, you must install Office
SharePoint Server 2007 on the farm. A farm installation typically requires the following steps:
1. Prepare the database server and one or more Office SharePoint Server 2007 servers.
2. Install Office SharePoint Server 2007, and configure the server by using the SharePoint
Products and Technologies configuration wizard or the PSConfig.exe command-line tool.
3. Create a Shared Services Provider (SSP).
4. Create a site collection for the top-level site.
When you are installing Office SharePoint Server 2007 on a server farm for the purposes of
migration from a stand-alone server, do not create an SSP or site collection until you have
migrated data from the single-server installation by using SQL Backup and Restore. After
restoring the databases, you create an SSP and attach the new SSP database and the content
database to the new server farm.
For more information about installing Office SharePoint Server 2007 on a server farm, see Chapter overview: Install Office SharePoint Server 2007 in a server farm environment.

Prepare servers for installation


The following software is required before you run Setup:
• You must install Office SharePoint Server 2007 on a clean installation of Windows Server
2003 with the most recent service pack.
• You must install the Microsoft .NET Framework version 3.0. The .NET Framework version
3.0 download contains the Windows Workflow Foundation technology, which is required by
workflow features.

Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the
.NET Framework version 3.5 from the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=110508).

• You must enable ASP.NET 2.0 in the Internet Information Services (IIS) Manager on all
Office SharePoint Server 2007 servers.
• You must have Microsoft SQL Server 2005 or Microsoft SQL Server 2000 with the most
recent service pack running on at least one database server before you install Office
SharePoint Server 2007 on your Web servers.
You must also create and configure the following accounts:
• SQL Server service account
• Setup user account
• Server farm account
It is possible to use the same account for each of these account roles, unless you are using least
privilege administration. For more information about these required accounts and other account
requirements for Office SharePoint Server 2007, see Plan for administrative and service accounts
(http://technet.microsoft.com/en-us/library/cc263445.aspx).
For more information about preparing servers for installation, see the following articles:
• Chapter overview: Install Office SharePoint Server 2007 in a server farm environment
• Prepare the database servers
• Prepare the Web and application servers
• Deploy in a simple server farm

Install Office SharePoint Server 2007 and configure the server by using the SharePoint
Products and Technologies configuration wizard

You can install Office SharePoint Server 2007 by using the Setup wizard or running Setup.exe
from a command prompt. After completing Setup, you configure the server by using the
SharePoint Products and Technologies configuration wizard. The SharePoint Products and
Technologies configuration wizard creates the Central Administration site.
When you have completed the wizard, do not create an SSP or other site collection until you have
finished migrating data from the stand-alone server and have attached the restored databases to
the new server farm.
For more information about installing and configuring SharePoint Server 2007, see the following
articles:
Install Office SharePoint Server 2007 and run the SharePoint Products and Technologies
configuration wizard
Install Office SharePoint Server 2007 by using the command line

Migrate data from the stand-alone server
A single-server installation of Office SharePoint Server 2007 includes Microsoft SQL Server 2005
Express Edition. A server farm installation uses a separate Microsoft SQL Server 2005 database
server. To successfully migrate from a stand-alone server to a farm, you must migrate databases
from the stand-alone server to the database server in the farm by using SQL Server Management
Studio Express and Microsoft SQL Server Management Studio.
SQL Server Management Studio Express is installed on the stand-alone server by running Setup
for SQL Server Express with Advanced Services or the SQL Server Express Toolkit. You use it on
the stand-alone server to set the databases to read-only. Because a SQL Server Express instance
does not accept remote connections by default, you must also enable remote connections on the
stand-alone instance (by using the SQL Server Surface Area Configuration tool or SQL Server
Configuration Manager) before the farm's database server can connect to it. SQL Server
Management Studio, on the farm's database server, is then used to back up the databases from
the stand-alone server and restore them to the database server in the farm.
For more information about managing SQL Server Express, see Managing SQL Server Express
with SQL Server 2005 Management Studio Express Edition (http://go.microsoft.com/fwlink/?
LinkId=110559&clcid=0x409).
To download SQL Server Management Studio Express, visit the Visual Studio Download Center
(http://go.microsoft.com/fwlink/?LinkId=110560&clcid=0x409).

Migrate data from the stand-alone server to the database server on the farm
1. Set the databases on the stand-alone server to be read-only. This prevents users from
changing content while the backups are taken, so the copies that reach the farm are consistent:
a. In SQL Server Management Studio Express, right-click the name of the database that you
want to set to read-only, and then click Properties.
b. In the Select a page section, click Options.
c. In the Other options section of the right pane, expand State, click the drop-down arrow
for the values of Database Read-Only, and then click True.
2. Connect to the stand-alone server by using SQL Server Management Studio and back up the
following databases:
• Shared Services DB
• Shared Services Search DB
• Shared Services Content DB
• WSS Content DB
• All additional content databases associated with Web applications on the stand-alone
server
a. On your database server, click Start, point to All Programs, point to Microsoft SQL
Server 2005, and then click SQL Server Management Studio.
b. In the Connect to Server box, fill in the connection information for the stand-alone
server, and then click Connect.
c. After connecting to the appropriate instance of the SQL Server 2005 Database Engine, in
Object Explorer, expand the server tree by clicking the plus sign next to the server name.

Note:
The SQL Server Express instance name that is used to connect to the databases on the
stand-alone server is set to OfficeServers by default.
d. Expand Databases, right-click the database that you want to back up, point to Tasks, and
then click Back Up. The Back Up Database dialog box appears.
e. In the Source section, in the Database box, verify the database name.
f. In the Backup type box, click the drop-down arrow for the values, and then click Full.
g. Under Backup component, select Database.
h. In the Backup set section, in the Name box, either accept the default value or type a
different name.
i. In the Destination section, specify the type of backup destination by selecting Disk or
Tape, and then specify a destination. To create a different destination, click Add.
j. Click OK to start the backup process.

3. Restore the databases to the database server on the farm by using Microsoft SQL Server
Management Studio:
a. After connecting to the appropriate instance of the SQL Server 2005 Database Engine on the
farm's database server, in Object Explorer, expand the server tree by clicking the plus sign
next to the server name.
b. Right-click Databases, and then click New Database.
c. In the Database name box, type the name of the database you want to restore.
d. In the Owner box, specify an owner if desired.
e. In the Database files section, in the Logical Name box for the Data file type, verify
that the logical name is the one you want to use.
f. In the Initial Size (MB) box, adjust the size to approximately the size of the database
you want to restore.
g. In the Logical Name box for the Log file type, verify that the logical name is the one
you want to use.
h. In the Initial Size (MB) box, adjust the size to approximately three or four times the
size of the log file for the database you want to restore.
Make the log file large to accommodate entries during the upgrade process. You can always
shrink the transaction log after you have completed the upgrade.
i. In the Autogrowth column for the log file, set the value to By 10 percent, unrestricted
growth.
You can change this setting after you perform the upgrade, but again, you do not want to
have the log file run out of space during the upgrade process.
j. Click OK to create the database. Then right-click the new database, point to Tasks, point
to Restore, click Database, and restore the backup set that you created in step 2 into it.

Note:
The read-only state set in step 1 is stored in the database and is carried into the backup, so
each restored database on the farm is also read-only until you clear it. After the restore
completes, open the Options page of the restored database (as in step 1) and set Database
Read-Only back to False; otherwise the sites attached from it will be read-only on the farm.

For more information about migrating databases including different backup and restore options
for different versions of SQL Server, see Migrate databases (http://technet.microsoft.com/en-
us/library/cc263299.aspx).
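The Management Studio procedure above, scripted as an added example that is not part of the original TechNet text. It is a Windows PowerShell script that drives both SQL Server instances through the .NET SqlClient provider with Windows authentication, so no SQL password appears anywhere. The instance names, the backup share, the target data path and the database names are placeholders (the database names are the ones used in the Stsadm examples later in this section); the script also assumes that the SQL Server Express service account can write to the backup share and that the account running the script is sysadmin on both instances. It discovers the logical file names with RESTORE FILELISTONLY instead of assuming them, and clears the read-only flag that a backup taken from a read-only database carries with it.

```powershell
# Added example, not from the original page. Placeholder values: change them for your environment.
$SourceInstance = 'STANDALONE\OfficeServers'   # stand-alone SQL Express instance (default name, see the Note above)
$TargetInstance = 'SQLServer'                  # farm database server (assumed name)
$BackupShare    = '\\SQLServer\Backup'         # assumed share the SQL Express service account can write to
$TargetDataDir  = 'D:\SQLData'                 # assumed data/log directory on the farm database server
$Databases      = @('MySSP1_db', 'SharedServices1_Search', 'SSPContentDB', 'WSSContent')

function Invoke-Sql {
    # Runs one T-SQL batch against master on the given instance using integrated security.
    # With -ReturnRows the result set is returned as a DataTable (used for RESTORE FILELISTONLY).
    param([string]$Instance, [string]$Query, [switch]$ReturnRows)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Database=master;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText    = $Query
        $cmd.CommandTimeout = 0        # backups and restores of content databases outlast the 30 s default
        if ($ReturnRows) {
            $table = New-Object System.Data.DataTable
            $table.Load($cmd.ExecuteReader())
            return ,$table
        }
        [void]$cmd.ExecuteNonQuery()
    } finally { $conn.Close() }
}

foreach ($db in $Databases) {
    $bak = Join-Path $BackupShare "$db.bak"

    # Step 1: freeze the source so the backup is a consistent copy while the stand-alone server stays up.
    Invoke-Sql $SourceInstance "ALTER DATABASE [$db] SET READ_ONLY WITH ROLLBACK IMMEDIATE"

    # Step 2: full backup. CHECKSUM makes a corrupted backup set fail at restore time rather than later.
    Invoke-Sql $SourceInstance "BACKUP DATABASE [$db] TO DISK = N'$bak' WITH INIT, CHECKSUM"

    # Step 3: read the logical/physical file names from the backup instead of assuming them.
    $files = Invoke-Sql $TargetInstance "RESTORE FILELISTONLY FROM DISK = N'$bak'" -ReturnRows
    $moves = foreach ($f in $files.Rows) {
        $fileName = [IO.Path]::GetFileName($f.PhysicalName)
        "MOVE N'$($f.LogicalName)' TO N'$TargetDataDir\$fileName'"
    }
    # WITH MOVE places the files on the farm server, so the empty database from the GUI steps
    # is not needed here; REPLACE overwrites one if it was already created.
    Invoke-Sql $TargetInstance @"
RESTORE DATABASE [$db] FROM DISK = N'$bak'
WITH CHECKSUM, REPLACE, RECOVERY,
     $($moves -join ",`n     ")
"@

    # The read-only flag from step 1 travels with the backup. Clear it on the farm copy only;
    # the stand-alone copy stays read-only so nothing diverges after the migration.
    Invoke-Sql $TargetInstance "ALTER DATABASE [$db] SET READ_WRITE"

    # Log autogrowth as in the GUI procedure (10 percent, unrestricted) so the attach/upgrade does not run out of log space.
    $logName = ($files.Rows | Where-Object { $_.Type -eq 'L' } | Select-Object -First 1).LogicalName
    Invoke-Sql $TargetInstance "ALTER DATABASE [$db] MODIFY FILE (NAME = N'$logName', FILEGROWTH = 10%, MAXSIZE = UNLIMITED)"
}
```

Run it once from the farm's database server as an administrator; each database is left read-write on the farm and read-only on the stand-alone server, which is the state you want while you attach the databases with Stsadm and verify the sites.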

Stsadm Command-Line Tool


Microsoft Office SharePoint Server 2007 includes the Stsadm command-line tool for
administration of Office SharePoint Server 2007 servers and sites. The Stsadm command-line
tool is located at the following path on the drive where SharePoint Products and Technologies is
installed: %COMMONPROGRAMFILES%\microsoft shared\web server extensions\12\bin. You
must be an administrator on the local computer to use the Stsadm command-line tool.
The Stsadm command-line tool provides a method for performing the Office SharePoint Server
2007 administration tasks at a command prompt or by using batch files or scripts. The Stsadm
command-line tool provides access to operations that are not available by using the Central
Administration site, such as changing the administration port. The command-line tool has a more
streamlined interface than Central Administration, and it allows you to perform the same tasks.
There are certain operations and certain parameters that are only available by using the Stsadm
command-line tool.
The Stsadm command-line tool will be used to attach the restored stand-alone databases to the
SQL Server database on the farm so that the site content (including the Shared Services
Provider) will be available on the new installation on the farm.
To see what actions are available with the tool, run stsadm -help, which returns the operations
that can be performed, and stsadm -help <operation name> to get detailed documentation about a
particular operation.
For more information, see Stsadm command-line tool (http://technet.microsoft.com/en-
us/library/cc261956.aspx).
For more details about Stsadm command-line operations and parameters, see: Index for Stsadm
operations and properties (http://technet.microsoft.com/en-us/library/cc263384.aspx).
To start and configure the required services:
• Start the Windows SharePoint Services Search service:
stsadm -o spsearch -action start -farmserviceaccount domain\user
-farmservicepassword MyPassword
• Start the Office SharePoint Server Search service:
stsadm -o osearch -action start -role IndexQuery -farmserviceaccount domain\user
-farmservicepassword MyPassword -farmcontactemail user@domain.com
Both operations take the service account password in clear text on the command line, where it
is visible to anyone who can list processes on the server while the command runs. Type these
commands interactively rather than saving them, with the password, in a batch file or script.

For additional information, see Osearch: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262920.aspx).

Create and attach data from the Shared Services Provider (SSP)

After you migrate data from the stand-alone server to the farm, you must use the Stsadm
command-line tool to create the SSP Web application for the farm and attach the restored SSP
database to the farm. The Stsadm command-line tool is available on the installation drive for
Office SharePoint Server 2007 at %Common Program Files%\Microsoft Shared\Web Server
Extensions\12\bin.
You create the SSP Web application by using the following command:
stsadm -o extendvs
-url <URL>
-ownerlogin <domain\username>
-owneremail <email address>
-exclusivelyusentlm
-databaseserver <DBservername>
-databasename <NewcontentDBname>
-apcreatenew
-apidname <Apppoolname>
-apidtype configurableid
-apidlogin <domain\username>
-apidpwd <Password>

Example
stsadm -o extendvs -url http://intranet:8080 -ownerlogin domain\username -owneremail
user@domain.com -exclusivelyusentlm -databaseserver SQLServer -databasename
SSPContentDB -apcreatenew -apidname SSPAppPool -apidtype configurableid -apidlogin
domain\username -apidpwd MyPassword
This command creates a Web application with the URL http://intranet:8080 that can be used to
host the SSP.

Note:
The databasename parameter is the Shared Services content database that was
restored from the stand-alone server.
The stand-alone installation uses the default Web application for the My Site host location. When
you migrate to a farm, we recommend that the My Site host location use a separate Web
application.
Example

stsadm -o extendvs -url http://intranet:8090 -ownerlogin domain\username -owneremail
user@domain.com -exclusivelyusentlm -databaseserver SQLServer -databasename
MySiteContentDB -apcreatenew -apidname MySiteAppPool -apidtype configurableid
-apidlogin domain\username -apidpwd MyPassword
After creating both Web applications, you restore the SSP by using the restoressp command. The
sspdatabasename and searchdatabasename parameters name the SSP and search databases that were
restored to the farm from the stand-alone server:
stsadm -o restoressp
-title <SSP name>
-url <Web application url>
-mysiteurl <MySite Web application url>
-ssplogin <domain\username>
-ssppassword <password>
-sspdatabaseserver <SSP database server>
-sspdatabasename <SSP database name>
-searchdatabaseserver <Search database server>
-searchdatabasename <Search database name>
-indexserver <index server>
-indexlocation <index file path>
Example
stsadm -o restoressp -title Migrated_SSP1 -url http://intranet:8080 -mysiteurl
http://intranet:8090 -ssplogin domain\username -ssppassword MyPassword
-sspdatabaseserver SQLServer -sspdatabasename MySSP1_db -searchdatabaseserver
SearchServer -searchdatabasename SharedServices1_Search
-indexserver MyServer -indexlocation "D:\Program Files\Microsoft Office
Servers\12.0\Data\Office Server\Applications"
For more information about the Stsadm command-line tool, see Stsadm command-line tool
(http://technet.microsoft.com/en-us/library/cc261956.aspx).
For additional information about how to perform this procedure using the Stsadm command-line
tool, see Restoressp (http://technet.microsoft.com/en-us/library/cc262163.aspx), Extendvs
(http://technet.microsoft.com/en-us/library/cc263040.aspx), and Createssp
(http://technet.microsoft.com/en-us/library/cc262773.aspx).

Attach site collection data from content databases


The final step of migrating a stand-alone installation to a server farm installation is to attach
the restored content databases. Run the following command once for each Web application on the
stand-alone server, specifying the restored content database that holds its site collections:
stsadm -o extendvs
-url <URL>
-ownerlogin <domain\username>
-owneremail <email address>
-exclusivelyusentlm
-databaseserver <DBservername>
-databasename <NewcontentDBname>
-apcreatenew
-apidname <Apppoolname>
-apidtype configurableid
-apidlogin <domain\username>
-apidpwd <Password>
Example
stsadm -o extendvs -url http://intranet -ownerlogin domain\username -owneremail
user@domain.com -exclusivelyusentlm -databaseserver SQLServer -databasename WSSContent
-apcreatenew -apidname SharePoint_80_AppPool -apidtype configurableid -apidlogin
domain\username -apidpwd MyPassword
This command creates the Web application http://intranet and attaches the restored WSSContent
database to it, which makes the top-level site collection, including the My Site content from
the stand-alone installation, available on the farm.
The databasename parameter is the restored database from the stand-alone installation that is
now attached to the new Web application.
For additional information, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc263040.aspx).
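The Stsadm sequence described in this section and the two before it (starting the search services, creating the SSP and My Site Web applications, restoring the SSP, and attaching the migrated content database), as an added example that is not part of the original TechNet text. It is a Windows PowerShell script that prompts once for the service account instead of repeating the password on every command line, and stops at the first operation that returns a non-zero exit code so that a failed extendvs does not leave restoressp running against a Web application that does not exist. The URLs, database names and application pool names are the page's own example values; the credential prompt, the exit-code handling, the use of the local computer name as the index server and the index location are assumptions.

```powershell
# Added example, not from the original page. Run from an elevated prompt on a farm Web server
# as the setup user account, after the databases have been restored to the farm database server.
$Stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\bin\stsadm.exe'
if (-not (Test-Path $Stsadm)) { throw "stsadm.exe not found at $Stsadm" }

# Prompt once for the farm service / application pool account (DOMAIN\user). The password is
# still handed to stsadm on its command line, but it is typed once and never stored in a file.
$cred          = Get-Credential
$login         = $cred.UserName
$plainPassword = $cred.GetNetworkCredential().Password
$ownerEmail    = 'user@domain.com'   # page example value
$dbServer      = 'SQLServer'         # page example value

function Invoke-Stsadm {
    # Runs one stsadm operation and aborts the script on a non-zero exit code.
    param([string[]]$Arguments)
    & $Stsadm @Arguments
    if ($LASTEXITCODE -ne 0) { throw "stsadm $($Arguments[1]) failed with exit code $LASTEXITCODE" }
}

# Start the search services (see "To start and configure the required services").
Invoke-Stsadm @('-o','spsearch','-action','start','-farmserviceaccount',$login,
                '-farmservicepassword',$plainPassword)
Invoke-Stsadm @('-o','osearch','-action','start','-role','IndexQuery','-farmserviceaccount',$login,
                '-farmservicepassword',$plainPassword,'-farmcontactemail',$ownerEmail)

# Web applications: one for the SSP, one for My Sites, one for the migrated top-level site
# collection. Each -databasename is a database restored from the stand-alone server.
$webApps = @(
    @{ Url = 'http://intranet:8080'; Db = 'SSPContentDB';    Pool = 'SSPAppPool' },
    @{ Url = 'http://intranet:8090'; Db = 'MySiteContentDB'; Pool = 'MySiteAppPool' },
    @{ Url = 'http://intranet';      Db = 'WSSContent';      Pool = 'SharePoint_80_AppPool' }
)
foreach ($app in $webApps) {
    Invoke-Stsadm @('-o','extendvs','-url',$app.Url,'-ownerlogin',$login,'-owneremail',$ownerEmail,
                    '-exclusivelyusentlm','-databaseserver',$dbServer,'-databasename',$app.Db,
                    '-apcreatenew','-apidname',$app.Pool,'-apidtype','configurableid',
                    '-apidlogin',$login,'-apidpwd',$plainPassword)
}

# Re-create the SSP on top of the restored SSP and search databases.
Invoke-Stsadm @('-o','restoressp','-title','Migrated_SSP1','-url','http://intranet:8080',
                '-mysiteurl','http://intranet:8090','-ssplogin',$login,'-ssppassword',$plainPassword,
                '-sspdatabaseserver',$dbServer,'-sspdatabasename','MySSP1_db',
                '-searchdatabaseserver',$dbServer,'-searchdatabasename','SharedServices1_Search',
                '-indexserver',$env:COMPUTERNAME,   # assumption: this server holds the index role
                '-indexlocation','D:\Program Files\Microsoft Office Servers\12.0\Data\Office Server\Applications')

# Drop the clear-text copy of the password as soon as the last operation that needs it has run.
$plainPassword = $null
```

The order matters: restoressp needs both the SSP Web application and the My Site Web application to exist, and every extendvs needs the search services already running so that the attached content is indexed. Because the script throws on the first failure, a typo in a database name stops it before the farm is left half-configured.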
See Also
Chapter overview: Install Office SharePoint Server 2007 in a server farm environment
Deploy in a simple server farm
Install Office SharePoint Server 2007 on a stand-alone computer
Migrate to another farm by using the Central Administration Web site
(http://technet.microsoft.com/en-us/library/cc262281.aspx)
Install Office SharePoint Server 2007 by using the command line
Stsadm command-line tool (http://technet.microsoft.com/en-us/library/cc261956.aspx)

Perform a stand-alone installation of Office SharePoint Server 2007 on Windows Server 2008
In this section:
• Hardware and software requirements
• Perform installation steps
• Perform post-installation steps
• Configure the trace log
• Configure Windows Server Backup
As of the release of Microsoft Office SharePoint Server 2007 Service Pack 1 (SP1), you can
install Office SharePoint Server 2007 on a server running Windows Server 2008. As with the
Windows Server 2003 operating system, you must download and run Setup and the SharePoint
Products and Technologies Configuration Wizard. You cannot install Office SharePoint Server
2007 without service packs on Windows Server 2008.

Important:
This section discusses how to perform a clean installation of Office SharePoint Server
2007 with SP1 in a stand-alone environment on Windows Server 2008. It does not cover
upgrading the operating system from Windows Server 2003 to Windows Server 2008.

Note:
This section does not cover installing Office SharePoint Server 2007 in a server farm on
Windows Server 2008. For more information, see Deploy a simple farm on the Windows
Server 2008 operating system.

Note:
There is no direct upgrade from a stand-alone installation to a farm installation.
You can quickly publish a SharePoint site by deploying Office SharePoint Server 2007 on a single
server computer. A stand-alone configuration is useful if you want to evaluate Office SharePoint
Server 2007 features and capabilities, such as collaboration, document management, and
search. A stand-alone configuration is also useful if you are deploying a small number of Web
sites and you want to minimize administrative overhead. When you deploy Office SharePoint
Server 2007 on a single server using the default settings, the Setup program automatically
installs the Windows Internal Database and uses it to create the configuration database and an
initial content database for your SharePoint sites. In addition, Setup installs the SharePoint
Central Administration Web site and creates your first SharePoint site collection and site.

Important:
Office SharePoint Server 2007 requires the following components: the Web Server role,
Windows Internal Database, and the Microsoft .NET Framework. Office SharePoint
Server 2007 will cease to run if you uninstall these components.

Hardware and software requirements


Before you install and configure Office SharePoint Server 2007, be sure that your server has the
required hardware and software. For more information about these requirements, see Determine
hardware and software requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).
Also, make sure the Management Compatibility role service is added to your server and the .NET
Framework is installed, as described below.

Notes
• Server Manager is designed to guide server administrators through the process of
installing, configuring, and managing server roles and features that are part of Windows
Server 2008. For more information on using the Server Manager, see the Windows
Server 2008 Server Manager Technical Overview (http://go.microsoft.com/fwlink/?
LinkID=109936&clcid=0x409).

IIS 6.0 Management Compatibility role service


If you use the Server Manager to perform a default Internet Information Services (IIS) 7.0
installation, the IIS 6.0 Management Compatibility role service is not included. Since this is a
required role service, you must use the following procedure.

Add the IIS 6.0 Management Compatibility role service


1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In the left navigation pane, expand Roles, and then right-click Web Server (IIS) and
select Add Role Services.
3. In the Add Role Services wizard, under Role services, select IIS 6 Management
Compatibility.
4. From the Select Role Services pane, click Next, and then at the Confirm
Installations Selections pane, click Install.
5. To complete the Add Role Services wizard, click Close.

Microsoft .NET Framework version 3.0


Before you install Office SharePoint Server 2007 on Windows Server 2008, you must install
the .NET Framework version 3.0. You do not need to install the Web Server role or the Windows
Process Activation Service; these are installed automatically—along with Windows Internal
Database—when you install Office SharePoint Server 2007 SP1. Use the following procedure to
install the .NET Framework version 3.0.

Install Microsoft .NET Framework version 3.0
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In Server Manager, on the Action menu, click Add features.
3. In the Features list, select the .NET Framework 3.0 Features check box, and then
click Next.
4. Follow the wizard steps to install the.NET Framework version 3.0.

Note:
You can also use the Microsoft .NET Framework version 3.5. You can download the .NET
Framework version 3.5 from the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=110508).

Perform installation steps


On Windows Server 2008, only Office SharePoint Server 2007 with SP1 can be installed. We
recommend that you create a slipstreamed installation source for Office SharePoint Server 2007.
This installation source must include the files from both Windows SharePoint Services 3.0 SP1
and Office SharePoint Server 2007 SP1. For more information about using the Updates folder to
create a slipstream source, see Create an installation source that includes software
updates (http://technet.microsoft.com/en-us/library/cc261890.aspx).

Note:
If you have not created an updated installation source, you must first install Office
SharePoint Server 2007 without any software updates and, without running the
SharePoint Products and Technologies Configuration Wizard at the end of the
installation, install Service Pack 1. After the installations are complete, you can run the
SharePoint Products and Technologies Configuration Wizard.
To install and configure Office SharePoint Server 2007, you must first install Office SharePoint
Server 2007 with SP1 and then run the SharePoint Products and Technologies Configuration
Wizard. When you install Office SharePoint Server 2007 on a single server, run the Setup
program using the Basic option. This option uses the Setup program's default parameters to
install Office SharePoint Server 2007 and Windows Internal Database.

Note:
If you uninstall Office SharePoint Server 2007, and then later reinstall Office SharePoint
Server 2007 on the same computer, the Setup program could fail when creating the configuration
database, causing the entire installation process to fail. You can prevent this failure either
by deleting all the existing Office SharePoint Server 2007 databases on the computer or by
creating a new configuration database. You can create a new configuration database by running
the following command from the directory %COMMONPROGRAMFILES%\Microsoft shared\Web server
extensions\12\Bin:
psconfig -cmd configdb -create -database <unique database name>

Install Office SharePoint Server 2007 with SP1
1. From your slipstreamed installation source, run Setup.exe.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup places a red circle next to the text box and displays a message
that the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Basic to install to the default
location. To install to a different location, click Advanced, and then on the File Location
tab, specify the location you want to install to and finish the installation.
5. When Setup finishes, a dialog box prompts you to complete the configuration of your
server. Make sure that the Run the SharePoint Products and Technologies
Configuration Wizard now check box is selected.
6. Click Close to start the configuration wizard.
The SharePoint Products and Technologies Configuration Wizard starts, and you can go
directly to the procedure "To run the SharePoint Products and Technologies Configuration
Wizard."

Note:
Do not add any server roles in Windows Server 2008 Server Manager before the setup
for Office SharePoint Server 2007 is complete. If you add a server role, the setup process
will fail, and you will need to uninstall and reinstall Office SharePoint Server 2007.

Configure SharePoint Products and Technologies


Once you have finished installing Office SharePoint Server 2007 with SP1, you can run the
SharePoint Products and Technologies Configuration Wizard to configure the installation.

Run the SharePoint Products and Technologies Configuration Wizard


1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted or
reset during configuration, click Yes.
3. On the Configuration Successful page, click Finish. Your new SharePoint site
opens.

Note:
If you are prompted for your user name and password, you might need to add the
SharePoint site to the list of trusted sites and configure user authentication
settings in Internet Explorer. Instructions for configuring these settings are
provided in the following procedure.

Note:
If you see a proxy server error message, you might need to configure your proxy
server settings so that local addresses bypass the proxy server. Instructions for
configuring proxy server settings are provided later in this section.

If you want to configure the installation from the command line, use the following procedure.

Run the SharePoint Products and Technologies Configuration Wizard from the
command line
• Type the following command, and then press ENTER:
psconfig.exe -cmd setup -cmd standaloneconfig -lcid 0 -cmd configdb -create
-server <servername>\OfficeServers -cmd helpcollections -installall -cmd
secureresources -cmd services -install -provision -cmd installfeatures -cmd
adminvs -provision -cmd evalprovision -provision -cmd applicationcontent -install

After you have configured the Office SharePoint Server 2007 installation, you should add the
SharePoint site to the list of trusted sites, using the following steps.

Add the SharePoint site to the list of trusted sites


1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security
settings box, click Trusted Sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of your site, and then click
Add.
5. Click Close to close the Trusted Sites dialog box.
6. Click OK to close the Internet Options dialog box.

If you are using a proxy server in your organization, use the following steps to configure Internet
Explorer to bypass the proxy server for local addresses.

Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click
LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings
check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check
box.
5. In the Address box, type the address of the proxy server.

6. In the Port box, type the port number of the proxy server.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.

Perform post-installation steps


After Setup finishes, your browser window opens to the home page of your new SharePoint site.
Although you can start adding content to the site, or start customizing the site, we recommend
that you perform the following administrative tasks by using the SharePoint Central Administration
Web site.
• Configure incoming e-mail settings You can configure incoming e-mail settings so
that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-
mail settings so that SharePoint sites can archive e-mail discussions as they happen, save e-
mailed documents, and show e-mailed meetings on site calendars. In addition, you can
configure the SharePoint Directory Management Service to provide support for e-mail
distribution list creation and management. For more information, see Configure incoming e-
mail settings.
• Configure outgoing e-mail settings You can configure outgoing e-mail settings so that
your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and
notifications to site administrators. You can configure both the "From" e-mail address and the
"Reply" e-mail address that appear in outgoing alerts. For more information, see Configure
outgoing e-mail settings.
• Configure diagnostic logging settings You can configure several diagnostic logging
settings to help with troubleshooting. This includes enabling and configuring trace logs, event
messages, user-mode error messages, and Customer Experience Improvement Program
events. For more information, see Configure diagnostic logging settings.
• Configure antivirus protection settings You can configure several antivirus settings if
you have an antivirus program that is designed for Office SharePoint Server 2007. Antivirus
settings enable you to control whether documents are scanned on upload or download and
whether users can download infected documents. You can also specify how long you want
the antivirus program to run before it times out, and you can specify how many execution
threads the antivirus program can use on the server. For more information, see Configure
antivirus settings.
• Create SharePoint sites When Setup finishes, you have a single Web application that
contains a single SharePoint site collection that hosts a SharePoint site. You can create more
SharePoint site collections, sites, and Web applications if your site design requires multiple
sites or multiple Web applications. For more information, see Chapter overview: Deploy and
configure SharePoint sites.

Note:
If you create additional Web applications to host SharePoint sites, you must also
configure Windows Firewall to allow communication on the ports for those Web
applications. For more information, see Deploy a simple farm on the Windows Server
2008 operating system.

Perform administrator tasks by using the Central Administration site


1. Click Start, point to All Programs, point to Administrative Tools, and then click
SharePoint 3.0 Central Administration.
2. On the Central Administration home page, under Administrator Tasks, click the task
you want to perform.
3. On the Administrator Tasks page, next to Action, click the task.

Configure the trace log


Trace log files can help you to troubleshoot issues related to configuration changes of the
Windows SharePoint Services Search service. The trace log can also be useful for analyzing
problems that might occur. For example, you can use events that are written to the trace log to
identify what configuration changes were made in Office SharePoint Server 2007 before the
problem occurred.
Because problems related to configuration changes are not always immediately discovered, we
recommend that you save all trace log files that the system creates on any day that you make any
configuration changes related to the search service. Store these log files for an extended period
of time in a safe location that will not be overwritten.
By default, Office SharePoint Server 2007 saves two days of events in the trace log files; trace
log files that contain events that are older than two days are deleted. When using the Windows
SharePoint Services Search service, we recommend that you configure the trace log to save
seven days of events.
You can use the Diagnostic Logging page in Central Administration to configure the maximum
number of trace log files to maintain and the duration (in minutes) to capture events to each log
file. By default, 96 log files are kept, each one containing 30 minutes of events.
96 log files * 30 minutes of events per file = 2880 minutes or two days of events.
You can also specify the location where the log files are written or accept the default path. See
step 3 in this procedure to determine the location that the system stores trace log files for your
system.

Configure the trace log to save seven days of events


1. In Central Administration, on the Operations tab, in the Logging and Reporting
section, click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
• In the Number of log files box, type 336.
• In the Number of minutes to use a log file box, type 30.

Tip:
To save 10,080 minutes (seven days) of events, you can use any combination of
number of log files and minutes to store in each log file.
3. Ensure that the path specified in the Path box has enough room to store the extra log
files or change the path to another location.

Tip:
We recommend that you store log files on a hard drive partition that is used to
store log files only.
4. Click OK.
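The following PowerShell functions are an added example and are not part of the book or of the product: they compute the retention window that a given number of log files and minutes per file yields, check that the drive holding the trace log path has room for the extra files, and copy one day's trace log files to a separate archive folder so that they survive the rotation described above. The log path, the archive location and the per-file size estimate are assumptions passed in by the caller; the paths in the usage lines are placeholders.

```powershell
# Added example (not from the book): trace log retention arithmetic, a disk
# headroom check for the trace log path, and a copy of one day's trace log files
# to an archive folder. LogPath, ArchiveRoot and MaxFileSizeMB are assumptions
# supplied by the caller; the usage paths at the bottom are placeholders.

function Get-TraceLogRetention {
    param(
        [int]$NumberOfLogFiles = 96,    # Diagnostic Logging default
        [int]$MinutesPerLogFile = 30    # Diagnostic Logging default
    )
    $minutes = $NumberOfLogFiles * $MinutesPerLogFile
    New-Object PSObject -Property @{
        Files   = $NumberOfLogFiles
        Minutes = $minutes                      # 336 x 30 = 10080 (seven days)
        Days    = [math]::Round($minutes / 1440, 2)
    }
}

function Test-TraceLogCapacity {
    param(
        [Parameter(Mandatory=$true)][string]$LogPath,   # value of the Path box (local drive)
        [int]$NumberOfLogFiles = 336,
        [int]$MaxFileSizeMB = 50                        # assumed upper bound per file
    )
    # Worst case: every retained file reaches the assumed maximum size.
    $required = [int64]$NumberOfLogFiles * $MaxFileSizeMB * 1MB
    $root  = [System.IO.Path]::GetPathRoot($LogPath)    # e.g. 'D:\'
    $drive = New-Object System.IO.DriveInfo($root)
    New-Object PSObject -Property @{
        LogPath    = $LogPath
        RequiredGB = [math]::Round($required / 1GB, 2)
        FreeGB     = [math]::Round($drive.AvailableFreeSpace / 1GB, 2)
        Sufficient = ($drive.AvailableFreeSpace -gt $required)
    }
}

function Backup-TraceLogs {
    param(
        [Parameter(Mandatory=$true)][string]$LogPath,
        [Parameter(Mandatory=$true)][string]$ArchiveRoot,
        [datetime]$Day = (Get-Date)
    )
    # One folder per server and day keeps archives from different servers apart.
    $dest = Join-Path $ArchiveRoot ('{0}_{1:yyyy-MM-dd}' -f $env:COMPUTERNAME, $Day)
    if (-not (Test-Path -LiteralPath $dest)) {
        New-Item -ItemType Directory -Path $dest | Out-Null
    }
    $files = @(Get-ChildItem -Path $LogPath -Filter *.log |
               Where-Object { $_.LastWriteTime.Date -eq $Day.Date })
    foreach ($f in $files) {
        $copy = Join-Path $dest $f.Name
        if (Test-Path -LiteralPath $copy) { continue }   # already archived
        Copy-Item -LiteralPath $f.FullName -Destination $copy
        # Read-only copies are not overwritten by a later run or by routine cleanup.
        Set-ItemProperty -LiteralPath $copy -Name IsReadOnly -Value $true
    }
    return $files.Count
}

# Usage (placeholder paths; substitute the Path box value and your archive share):
# Get-TraceLogRetention -NumberOfLogFiles 336 -MinutesPerLogFile 30
# Test-TraceLogCapacity -LogPath 'D:\SharePointLogs' -NumberOfLogFiles 336
# Backup-TraceLogs -LogPath 'D:\SharePointLogs' -ArchiveRoot '\\ARCHIVE01\TraceLogs'
```

Run Backup-TraceLogs at the end of any day on which search configuration changes were made; the archive folder should be on a volume or share that the farm's service accounts cannot write to, so that the copies stay intact for later analysis.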

Configure Windows Server Backup


If you want to use Windows Server Backup with Windows SharePoint Services 3.0, you must
configure the following registry keys. If you do not configure these registry keys, Windows Server
Backup will not work properly with Windows SharePoint Services 3.0.

Important:
You must be logged on as a member of the Administrators group on the local server
computer to edit the registry. Incorrectly editing the registry might severely damage your
system. Before making changes to the registry, you should back up any valued data on
the computer.

Configure registry keys for Windows Server Backup


1. Click Start, click Run, and in the Open box, type regedit, and then click OK.
2. In the User Account Control dialog box, click Continue to open the Registry Editor.
3. In the Registry Editor, locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
4. On the Edit menu, click New, and then click Key.
5. Type WindowsServerBackup and then press ENTER.
6. Select the WindowsServerBackup key, and then on the Edit menu, click New, and
then click Key.
7. Type Application Support, and then press ENTER.
8. Select the Application Support key, and then on the Edit menu, click New, and then
click Key.
9. Type {c2f52614-5e53-4858-a589-38eeb25c6184} as the key name, and then press
ENTER.
This is the GUID for the WSS Writer.
10. Select the new key, and then on the Edit menu, click New, and then click String Value.
11. Type Application Identifier as the new value, and then press ENTER.
12. Right-click the Application Identifier value, and then click Modify.
13. In the Value Data box, type Windows SharePoint Services, and then click OK.
14. On the Edit menu, click New, and then click DWORD (32-bit) Value.
15. Type UseSameVssContext as the new value name, and then press ENTER.
16. Right-click the UseSameVssContext value, and then click Modify.
17. In the Value Data box, type 00000001, and then click OK.
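The following PowerShell script is an added example and is not part of the book or of the product: it creates the same registry keys and values that the procedure above walks through in Registry Editor, and then verifies that they are in place. The key names, the WSS Writer GUID and the two values are exactly those the procedure gives; the only assumption is that the script runs in an elevated session as a member of the local Administrators group.

```powershell
# Added example (not from the book): creates the Windows Server Backup registry
# entries listed in the procedure above and verifies them afterwards. The key
# names, the WSS Writer GUID and the two values are those the procedure gives;
# run this in an elevated session as a member of the local Administrators group.

$base          = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$wssWriterGuid = '{c2f52614-5e53-4858-a589-38eeb25c6184}'   # WSS Writer GUID (step 9)
$writerKey     = Join-Path $base "WindowsServerBackup\Application Support\$wssWriterGuid"

function Register-WssWriterForBackup {
    # Create each key in turn (steps 4 to 9) so that nothing is assumed to exist.
    $path = $base
    foreach ($name in 'WindowsServerBackup', 'Application Support', $wssWriterGuid) {
        $path = Join-Path $path $name
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path | Out-Null
        }
    }
    # Steps 10 to 13: REG_SZ 'Application Identifier' = 'Windows SharePoint Services'
    New-ItemProperty -LiteralPath $writerKey -Name 'Application Identifier' `
        -PropertyType String -Value 'Windows SharePoint Services' -Force | Out-Null
    # Steps 14 to 17: REG_DWORD 'UseSameVssContext' = 1
    New-ItemProperty -LiteralPath $writerKey -Name 'UseSameVssContext' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-WssWriterForBackup {
    # Returns $true only when the key and both values exist with the expected data.
    if (-not (Test-Path -LiteralPath $writerKey)) { return $false }
    $values = Get-ItemProperty -LiteralPath $writerKey
    return (($values.'Application Identifier' -eq 'Windows SharePoint Services') -and
            ($values.UseSameVssContext -eq 1))
}

Register-WssWriterForBackup
if (Test-WssWriterForBackup) {
    'Windows Server Backup registration for Windows SharePoint Services is in place.'
} else {
    Write-Warning "Registration incomplete; check the values under $writerKey"
}
```

Test-WssWriterForBackup can also be run on its own, for example as part of a post-deployment checklist, to confirm that the registration has not been removed or altered on a server.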

II. Install Office SharePoint Server 2007 in a
server farm environment

Chapter overview: Install Office SharePoint
Server 2007 in a server farm environment
In this section:
• Suggested topologies
• Before you begin deployment
• Overview of the deployment process

Important:
This section discusses how to do a clean installation of Microsoft Office SharePoint
Server 2007 in a server farm environment. It does not cover upgrading from previous
releases of Office SharePoint Server 2007 or how to upgrade from Microsoft Office
SharePoint Portal Server 2003. For more information about upgrading from
SharePoint Portal Server 2003, see Upgrading to Office SharePoint Server 2007
(http://technet.microsoft.com/en-us/library/cc303420.aspx).

Note:
This section does not cover installing Office SharePoint Server 2007 on a single
computer as a stand-alone installation. For more information, see Install Office
SharePoint Server 2007 on a stand-alone computer.
You can deploy Office SharePoint Server 2007 in a server farm environment if you are hosting a
large number of sites, if you want the best possible performance, or if you want the scalability of a
multi-tier topology. A server farm consists of one or more servers dedicated to running the Office
SharePoint Server 2007 application.

Note:
There is no direct upgrade from a stand-alone installation to a farm installation.
Because a server farm deployment of Office SharePoint Server 2007 is more complex than a
stand-alone deployment, we recommend that you plan your deployment. Planning your
deployment can help you to gather the information you need and to make important decisions
before beginning to deploy. For information about planning, see Planning and architecture for
Office SharePoint Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx).

Suggested topologies
Server farm environments can encompass a wide range of topologies, and can include many
servers or as few as two servers.
A small server farm typically consists of a database server running either Microsoft SQL Server
2005 or Microsoft SQL Server 2000 with the most recent service pack, and one or more servers
running Internet Information Services (IIS) and Office SharePoint Server 2007. In this
configuration, the front-end servers are configured as Web servers and application servers. The
Web server role provides Web content to clients. The application server role provides Office
SharePoint Server 2007 services such as servicing search queries, and crawling and indexing
content.
A medium server farm typically consists of a database server, an application server running Office
SharePoint Server 2007, and one or two front-end Web servers running Office SharePoint Server
2007 and IIS. In this configuration, the application server provides indexing services and Excel
Calculation Services, and the front-end Web servers service search queries and provide Web
content.
A large server farm typically consists of two or more clustered database servers, several load-
balanced front-end Web servers running Office SharePoint Server 2007, and two or more
application servers running Office SharePoint Server 2007. In this configuration, each of the
application servers provides specific Office SharePoint Server 2007 services such as indexing or
Excel Calculation Services, and the front-end servers provide Web content.

Note:
All of the Web servers in your server farm must have the same SharePoint Products and
Technologies installed. For example, if all of the servers in your server farm are running
Office SharePoint Server 2007, you cannot add to your farm a server that is running only
Microsoft Office Project Server 2007. To run Office Project Server 2007 and Office
SharePoint Server 2007 in your server farm, you must install Office Project Server 2007
and Office SharePoint Server 2007 on each of your Web servers. To enhance the
security of your farm and reduce the surface area that is exposed to a potential attack,
you can turn off services on particular servers after you install SharePoint Products and
Technologies.

Before you begin deployment


This section provides information about actions that you must perform before you begin
deployment.

Important:
• The account that you select for installing Office SharePoint Server 2007 needs to be
a member of the Administrators group on every server on which you install Office
SharePoint Server 2007. However, you can remove this account from the Administrators
group on the servers after installation.
• For information about assigning users to be SSP administrators, see “Shared
Services Providers” in Plan for security roles (http://technet.microsoft.com/en-
us/library/cc262918.aspx).
• To deploy Office SharePoint Server 2007 in a server farm environment, you must provide
credentials for several different accounts. For information about these accounts, see “Plan for
administrative and service accounts” in the Planning and architecture for Office SharePoint
Server 2007 (http://technet.microsoft.com/en-us/library/cc261834.aspx) guide.
• You must install Office SharePoint Server 2007 on the same drive on all load-balanced
front-end Web servers.
• You must install Office SharePoint Server 2007 on a clean installation of the Microsoft
Windows Server 2003 operating system with the most recent service pack. If you uninstall a
previous version of Office SharePoint Server 2007, and then install Office SharePoint Server
2007, Setup might fail to create the configuration database and the installation will fail.

Note:
We recommend that you read the Known Issues/Readme documentation before you
install Office SharePoint Server 2007 on a domain controller. Installing Office
SharePoint Server 2007 on a domain controller requires additional configuration
steps that are not discussed in this section.
• You must install the same language packs on all servers in the farm. For more
information about installing language packs, see Deploy language packs.
• All the instances of Office SharePoint Server 2007 in the farm must be in the same
language. For example, you cannot have both an English version of Office SharePoint Server
2007 and a Japanese version of Office SharePoint Server 2007 in the same farm.
• You must use the Complete installation option on all computers you want to be index
servers, query servers, or servers that run Excel Calculation Services.
• If you place a query server beyond a firewall from its index server, you must open the
NetBIOS ports (TCP/User Datagram Protocol (UDP) ports 137, 138, and 139) on all firewalls
that separate these servers. If your environment does not use NetBIOS, you must use direct-
hosted server message block (SMB); this requires that you open the TCP/UDP 445 port.
• If you want to have more than one index server in a farm, you must use a different
Shared Services Provider (SSP) for each index server.
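The following PowerShell functions are an added example and are not part of the book or of the product: run from a query server, they verify that the TCP port the text requires for the chosen transport is reachable on the index server. UDP 137 and 138 are datagram ports that a TCP connect cannot probe, so only TCP 139 (NetBIOS session service) and TCP 445 (direct-hosted SMB) are tested; a firewall that drops packets shows up as a timeout rather than a refusal. The index server name is an assumption.

```powershell
# Added example (not from the book): check from a query server that the TCP
# port required for the index server transport is reachable. UDP 137/138
# (NetBIOS name and datagram services) cannot be probed with a TCP connect.
# The index server name used in the usage line is an assumption.

function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that silently drops packets produces a timeout, not a refusal.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)     # throws if the connection was refused
        return $true
    } catch {
        return $false                  # refused, unresolvable name, or other socket error
    } finally {
        $client.Close()
    }
}

function Test-IndexServerPorts {
    param(
        [Parameter(Mandatory=$true)][string]$IndexServer,   # assumed name, e.g. 'INDEX01'
        [switch]$DirectHostedSmb                             # environment without NetBIOS
    )
    if ($DirectHostedSmb) {
        $checks = @(@{ Port = 445; Purpose = 'direct-hosted SMB' })
    } else {
        $checks = @(@{ Port = 139; Purpose = 'NetBIOS session service (UDP 137/138 not tested)' })
    }
    foreach ($c in $checks) {
        New-Object PSObject -Property @{
            IndexServer = $IndexServer
            Port        = $c.Port
            Purpose     = $c.Purpose
            Reachable   = Test-TcpPort -ComputerName $IndexServer -Port $c.Port
        }
    }
}

# Usage (assumed index server name):
# Test-IndexServerPorts -IndexServer 'INDEX01' | Format-Table -AutoSize
# Test-IndexServerPorts -IndexServer 'INDEX01' -DirectHostedSmb | Format-Table -AutoSize
```

A result of Reachable = False for the expected port, combined with a successful name lookup, usually points at a firewall rule between the two servers; the same function can be used afterwards to confirm that ports not listed in the text remain closed.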

Overview of the deployment process


The deployment process consists of three phases: deploying and configuring the server
infrastructure, creating and configuring one or more Shared Services Providers (SSPs), and
deploying and configuring SharePoint site collections and sites.

Phase 1: Deploy and configure the server infrastructure


Deploying and configuring the server infrastructure consists of the following steps:
• Preparing the database server.
• Preinstalling the databases (optional).
• Verifying that the servers meet hardware and software requirements.
• Running Setup on all servers you want to be in the farm.
• Installing available language template packs on front-end Web servers (optional). For
more information about installing language template packs, see Deploy language packs.
• Running the SharePoint Products and Technologies Configuration Wizard.
• If you want to search over the Help content for Office SharePoint Server 2007, starting
the Windows SharePoint Services Search service.

Phase 2: Create and configure a Shared Services Provider
Creating and configuring an SSP consists of the following steps:
• Creating a Web application to host the SSP.
• Creating the SSP.
• Configuring the Web application and the SSP.
• Configuring services on the servers.
For more information about creating and configuring SSPs, see III. Create and configure Shared
Services Providers.

Phase 3: Deploy and configure SharePoint site collections and sites
Deploying and configuring SharePoint site collections and sites consists of the following steps:
• Creating a Web Application to host the site collections and sites.
• Creating the site collections.
• Creating the sites.
For more information about creating site collections and sites, see Deploy and configure
SharePoint sites (http://technet.microsoft.com/en-us/library/cc262442.aspx).

Prepare the database servers
In this section:
• SQL Server and database collation
• Required accounts
• Preinstall databases (optional)
Before installing Microsoft Office SharePoint Server 2007, you must prepare the database server.
The database server must be running Microsoft SQL Server 2005 or Microsoft SQL Server 2000
with the most recent service pack.
The Office SharePoint Server 2007 Setup program automatically creates the necessary
databases when you install and configure Office SharePoint Server 2007. Optionally, you can
preinstall the required databases if your IT environment or policies require this.
For more information about prerequisites, see Determine hardware and software requirements
(http://technet.microsoft.com/en-us/library/cc262485.aspx).
If you are using SQL Server 2005, you must also change the surface area settings.

Configure surface area settings in SQL Server 2005


1. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to
Configuration Tools, and then click SQL Server Surface Area Configuration.
2. In the SQL Server 2005 Surface Area Configuration dialog box, click Surface Area
Configuration for Services and Connections.
3. In the tree view, expand the node for your instance of SQL Server, expand the
Database Engine node, and then click Remote Connections.
4. Select Local and Remote Connections, select Using both TCP/IP and named
pipes, and then click OK.

SQL Server and database collation


The SQL Server collation must be configured for case-insensitive. The SQL Server database
collation must be configured for case-insensitive, accent-sensitive, Kana-sensitive, and width-
sensitive. This is to ensure file name uniqueness consistent with the Windows operating system.
For more information about collations, see "Selecting a SQL Collation" or "Collation Settings in
Setup" in SQL Server Books Online (http://www.microsoft.com/downloads/details.aspx?
familyid=BE6A2C5D-00DF-4220-B133-29C1E0B6585F&displaylang=en).
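The following PowerShell functions are an added example and are not part of the book or of the product: the first parses a SQL Server collation name and reports whether it meets the requirement stated above (case-insensitive, accent-sensitive, Kana-sensitive and width-sensitive); the second reads the live server collation and the collation of a named database from an instance so that the same check can be applied to them. The instance name, the configuration database name and the two sample collation strings are assumptions; the sample strings are constructed to show one compliant and one non-compliant value.

```powershell
# Added example (not from the book): parse a SQL Server collation name against
# the requirement above (case-insensitive, accent-, Kana- and width-sensitive)
# and read the live server and database collations from an instance. The
# instance name and the sample collation strings below are assumptions.

function Test-SharePointCollation {
    param([Parameter(Mandatory=$true)][string]$Collation)
    # Collation names carry their options as _CI/_CS, _AI/_AS, and _KS / _WS
    # when Kana- or width-sensitive (absence means insensitive). Binary
    # collations (_BIN, _BIN2) compare bytes and are therefore case-sensitive.
    $isBinary        = $Collation -match '_BIN2?(_|$)'
    $caseInsensitive = ($Collation -match '_CI(_|$)') -and (-not $isBinary)
    $accentSensitive = $Collation -match '_AS(_|$)'
    $kanaSensitive   = $Collation -match '_KS(_|$)'
    $widthSensitive  = $Collation -match '_WS(_|$)'
    New-Object PSObject -Property @{
        Collation       = $Collation
        CaseInsensitive = $caseInsensitive
        AccentSensitive = $accentSensitive
        KanaSensitive   = $kanaSensitive
        WidthSensitive  = $widthSensitive
        Compliant       = ($caseInsensitive -and $accentSensitive -and $kanaSensitive -and $widthSensitive)
    }
}

function Get-SqlCollations {
    param(
        [Parameter(Mandatory=$true)][string]$ServerInstance,  # e.g. 'SQL01' or 'SQL01\MOSS' (assumed)
        [string]$Database = 'SharePoint_Config'               # configuration database name
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Database=master;Integrated Security=SSPI"
    $cmd  = $conn.CreateCommand()
    # SERVERPROPERTY gives the instance collation, DATABASEPROPERTYEX the database's.
    $cmd.CommandText = "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation')) AS ServerCollation, " +
                       "CONVERT(nvarchar(128), DATABASEPROPERTYEX(@db, 'Collation')) AS DatabaseCollation"
    $cmd.Parameters.AddWithValue('@db', $Database) | Out-Null
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            New-Object PSObject -Property @{
                ServerCollation   = $reader.GetString(0)
                # NULL means the database does not exist (yet) on this instance.
                DatabaseCollation = $(if ($reader.IsDBNull(1)) { $null } else { $reader.GetString(1) })
            }
        }
        $reader.Close()
    } finally { $conn.Close() }
}

# Constructed sample names: the first meets the requirement, the second is the
# common SQL Server default, which is Kana- and width-insensitive.
'Latin1_General_CI_AS_KS_WS', 'SQL_Latin1_General_CP1_CI_AS' |
    ForEach-Object { Test-SharePointCollation -Collation $_ } |
    Format-Table Collation, CaseInsensitive, AccentSensitive, KanaSensitive, WidthSensitive, Compliant -AutoSize

# Live check (assumed instance name):
# Get-SqlCollations -ServerInstance 'SQL01' | ForEach-Object {
#     Test-SharePointCollation -Collation $_.ServerCollation
#     if ($_.DatabaseCollation) { Test-SharePointCollation -Collation $_.DatabaseCollation } }
```

Because the server collation is chosen during SQL Server Setup and cannot be changed afterwards without rebuilding the system databases, running the live check before Office SharePoint Server 2007 Setup is the cheapest point at which to catch a wrong value.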

Required accounts
The following table describes the accounts that are used to configure Microsoft SQL Server and
to install Office SharePoint Server 2007. For more information about the required accounts,
including specific privileges required for these accounts, see Plan for administrative and service
accounts (http://technet.microsoft.com/en-us/library/cc263445.aspx).

Account Purpose

SQL Server service account SQL Server prompts for this account during SQL Server Setup.
This account is used as the service account for the following SQL
Server services:
• MSSQLSERVER
• SQLSERVERAGENT
If you are not using the default instance, these services will be
shown as:
• MSSQL$InstanceName
• SQLAgent$InstanceName

Setup user account The user account that is used to run Setup on each server.

Server farm account This account is also referred to as:
• Database access account
This account is:
• The application pool account for the Central Administration site
• The process account for the Windows SharePoint Services Timer (SPAdmin) service

Preinstall databases (optional)


In many IT environments, database creation and management are handled by the database
administrator (DBA). Security and other policies might require that the DBA create the databases
required by Office SharePoint Server 2007. This topic provides details about how the DBA can
create these databases before beginning the Office SharePoint Server 2007 installation or
creation of a Shared Services Provider (SSP). For more information about preinstalling
databases, including detailed procedures, see Deploy using DBA-created databases.

Prepare the Web and application servers
In this section:
• Install the Microsoft .NET Framework version 3.0
• Enable ASP.NET 2.0
Before you install and configure Microsoft Office SharePoint Server 2007, be sure that your
servers have the recommended hardware and software. To deploy a server farm, you need at
least one server acting as a Web server and an application server, and one server acting as a
database server.
For more information about these requirements, see Determine hardware and software
requirements (http://technet.microsoft.com/en-us/library/cc262485.aspx).

Install the Microsoft .NET Framework version 3.0


Go to the Microsoft Download Center Web site (http://go.microsoft.com/fwlink/?
LinkID=72322&clcid=0x409), and on the Microsoft .NET Framework 3.0 Redistributable Package
page, follow the instructions for downloading and installing the .NET Framework version 3.0.
There are separate downloads for x86-based computers and x64-based computers; be sure to
download and install the appropriate version for your computer. The .NET Framework version 3.0
download contains the Windows Workflow Foundation technology, which is required by workflow
features.

Enable ASP.NET 2.0


You must enable ASP.NET 2.0 on all Office SharePoint Server 2007 servers.

Enable ASP.NET 2.0


1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In the IIS Manager tree, click the plus sign (+) next to the server name, and then click
the Web Service Extensions folder.
3. In the details pane, click ASP.NET v2.0.50727, and then click Allow.

Install Office SharePoint Server 2007 and run
the SharePoint Products and Technologies
configuration wizard
In this section:
• Recommended order of configuration
• Run Setup on the first server
• Run the SharePoint Products and Technologies Configuration Wizard
• Add the SharePoint Central Administration Web site to the list of trusted sites
• Configure proxy server settings to bypass the proxy server for local addresses
• Add servers to the farm
• Run the SharePoint Products and Technologies Configuration Wizard on additional
servers
• Start the Windows SharePoint Services Search service
• Stop the Central Administration service on all index servers
• Disable the Windows SharePoint Services Web Application service on all servers not
serving content
After preparing your database and the servers in your farm, run Setup and then run the
SharePoint Products and Technologies Configuration Wizard on all your farm servers. Do this on
all farm servers before going on to create a Shared Services Provider (SSP).

Note:
We recommend that you run Setup on all the servers that will be in the farm before you
configure the farm.
You can add servers to the farm at this point, or after you have created and configured an SSP.
You can add servers after you have created and configured an SSP to add redundancy, such as
additional load-balanced Web servers or additional query servers. It is recommended that you run
Setup and the configuration wizard on all your application servers before you create and
configure the SSP.

Recommended order of configuration


We recommend that you configure Microsoft Office SharePoint Server 2007 in the order listed
below. This order makes configuration easier, and ensures that services and applications are in
place before they are required by server types.
1. We recommend that the Central Administration site be installed on an application server.
In a server farm that includes more than one application server, install the Central
Administration site on the application server with the least overall performance load. If your
farm will have an application server, install Office SharePoint Server 2007 on that server first;
this also installs the Central Administration Web site.
2. All your front-end Web servers.
3. The index server (if using a separate server for search queries and indexing).
4. The query servers, if separate from the index server.

Note:
To configure more than one query server in your farm, you cannot configure your
index server as a query server.
5. Other application servers (optional).
Because the SSP configuration requires an index server, you must start the Office SharePoint
Server Search service on the computer that you want to be the index server, and configure it as
an index server before you can create an SSP. Because of this, you must deploy and configure
an index server before other servers. You can choose any server to be the first server on which
you install Office SharePoint Server 2007. However, the Central Administration Web site is
automatically installed on the first server on which you install Office SharePoint Server 2007.
You can configure different features on different servers. The following table shows which
installation type should be used for each feature set.

Server type Installation type

Central Administration Web application Complete or front-end Web

Application server (such as Excel Calculation Services) Complete

Search index server Complete

Search query server Complete

Web server Complete or front-end Web (subsequent servers must join an existing farm)

Note:
If you choose the front-end Web installation option, you will not be able to run
additional services, such as search, on the server.

When you install Office SharePoint Server 2007 on the first server, you establish the farm. Any
servers that you add later join this farm.
Setting up the first server involves two steps: installing the Office SharePoint Server 2007
components on the server, and configuring the farm. After Setup finishes, you can use the
SharePoint Products and Technologies Configuration Wizard to configure Office SharePoint
Server 2007. The SharePoint Products and Technologies Configuration Wizard automates
several configuration tasks, including installing and configuring the configuration database,
installing Office SharePoint Server 2007 services, and creating the Central Administration Web
site.

Add servers to the farm


We recommend that you install and configure Office SharePoint Server 2007 on all of the farm
servers before you configure Office SharePoint Server 2007 services and create sites.
Regardless of how many Web servers you have in your server farm, you must have Microsoft
SQL Server 2005 database software running on at least one database server before you install
Office SharePoint Server 2007 on your Web servers. By default, when you add servers to the
farm and run the SharePoint Products and Technologies Configuration Wizard, the wizard does
not create additional Central Administration Web sites on the servers that you add, nor does it
create any databases on your database server. However, you can use the wizard to create
additional Central Administration Web sites on the servers that you add.

Run Setup on the first server


Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed
it, your farm might experience problems. It is not recommended that you install Office
SharePoint Server 2007 on an index server first.

Note:
Setup installs the Central Administration Web site on the first server on which you run
Setup. Therefore, we recommend that the first server on which you install Office
SharePoint Server 2007 be a server from which you want to run the Central
Administration Web site.

Run Setup on the first server


1. From the product disc, run Setup.exe, or from the product download, run
Officeserver.exe, on one of your Web servers.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced. The Basic option is
for stand-alone installations.

5. On the Server Type tab, select Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard
After Setup finishes, you can use the SharePoint Products and Technologies Configuration
Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several
configuration tasks, including installing and configuring the configuration database, installing
Office SharePoint Server 2007 services, and creating the Central Administration Web site. Use
the following instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard


1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted
during configuration, click Yes.
3. On the Connect to a server farm page, click No, I want to create a new server farm,
and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database
server box, type the name of the computer that is running SQL Server.
5. Type a name for your configuration database in the Database name box, or use the
default database name. The default name is "SharePoint_Config".
6. In the User name box, type the user name of the server farm account. (Be sure to
type the user name in the format DOMAIN\username.)

Important:
This account is the server farm account and it is used to access your configuration database.
It also acts as the application pool identity for the SharePoint Central Administration
application pool, and it is the account under which the Windows® SharePoint Services Timer
service runs. The SharePoint Products and Technologies Configuration Wizard adds this
account to the SQL Server Logins, the SQL Server Database Creator server role, and the
SQL Server Security Administrators server role.
The user account that you specify for this service account must be a domain user account.
Because this account does not require a high level privilege, we recommend that you follow
the principle of least privilege, and specify a user account that is not a member of the
Administrators group on your Web servers or your back-end servers.
7. In the Password box, type the user's password, and then click Next.
8. On the Configure SharePoint Central Administration Web Application page, select the
Specify port number check box; type a port number if you want the SharePoint Central
Administration Web application to use a specific port, or leave the Specify port number
check box cleared if you do not care which port number the SharePoint Central
Administration Web application uses.
9. In the Configure SharePoint Central Administration Web Application dialog box,
do one of the following:
• If you want to use NTLM authentication (the default), click Next.
• If you want to use Kerberos authentication, click Negotiate (Kerberos), and then
click Next.

Note:
In most cases, use the default setting (NTLM). Use Negotiate (Kerberos)
only if Kerberos authentication is supported in your environment. Using the
Negotiate (Kerberos) option requires you to configure a Service Principal
Name (SPN) for the domain user account. To do this, you must be a member
of the Domain Admins group. For more information, see How to configure a
Windows SharePoint Services virtual server to use Kerberos authentication
and how to switch from Kerberos authentication back to NTLM authentication
(http://go.microsoft.com/fwlink/?LinkID=76570&clcid=0x409).
10. On the Completing the SharePoint Products and Technologies Configuration Wizard
page, click Next.
11. On the Configuration Successful page, click Finish.
The SharePoint Central Administration Web site home page opens.

Notes:
If you are prompted for your user name and password, you might need to add the SharePoint
Central Administration Web site to the list of trusted sites, and configure user authentication
settings in Internet Explorer. Instructions for configuring these settings are provided in the
next set of steps.
If a proxy server error message appears, you might need to configure your proxy server
settings so that local addresses bypass the proxy server. Instructions for configuring this
setting are provided later in this section.

Add the SharePoint Central Administration Web
site to the list of trusted sites
Add the SharePoint Central Administration Web site to the list of trusted sites
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security
settings box, click Trusted sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL for the SharePoint Central
Administration Web site, and then click Add.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.

Configure proxy server settings to bypass the proxy server for local addresses
Configure proxy server settings to bypass the proxy server for local addresses
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Connections tab, in the Local Area Network (LAN) settings area, click
LAN Settings.
3. In the Automatic configuration section, clear the Automatically detect settings
check box.
4. In the Proxy Server section, select the Use a proxy server for your LAN check
box.
5. Type the address of the proxy server in the Address box.
6. Type the port number of the proxy server in the Port box.
7. Select the Bypass proxy server for local addresses check box.
8. Click OK to close the Local Area Network (LAN) Settings dialog box.
9. Click OK to close the Internet Options dialog box.

Add servers to the farm


We recommend that you install and configure Office SharePoint Server 2007 on all of your Web
servers and the index server before you configure Office SharePoint Server 2007 services and
create sites. If you want to build a minimal server farm configuration, and incrementally add Web
servers to expand the farm, you can install and configure Office SharePoint Server 2007 on a
single Web server, and configure the Web server as both a Web server and an application server.
Regardless of how many Web servers you have in your server farm, you must have SQL Server
2005 running on at least one back-end database server before you install Office SharePoint
Server 2007 on your Web servers.

Important:
If you uninstall Office SharePoint Server 2007 from the first server on which you installed
it, your farm might experience problems. It is not recommended that you install Office
SharePoint Server 2007 on an index server first.

Run Setup on additional servers — front-end Web servers


1. From the product disc, run Setup.exe, or from the product download, run
Officeserver.exe, on one of your Web servers.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Web Front End.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the following section.

Run Setup on additional servers — index or query server


1. From the product disc, run Setup.exe, or from the product download, run
Officeserver.exe, on one of your Web servers.
2. On the Enter your Product Key page, enter your product key, and then click
Continue.

Note:
Setup automatically verifies the product key, places a green check mark next to
the text box, and enables the Continue button after it validates the key. If the key
is not valid, Setup displays a red circle next to the text box and prompts you that
the key is incorrect.
3. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
4. On the Choose the installation you want page, click Advanced.
5. On the Server Type tab, click Complete.
6. Optionally, to install Office SharePoint Server 2007 at a custom location, select the
File Location tab, and then type the location or Browse to the location.
7. Optionally, to participate in the Customer Experience Improvement Program, select
the Feedback tab and select the option you want. To learn more about the program, click
the link. You must have an Internet connection to view the program information.
8. When you have chosen the correct options, click Install Now.
9. When Setup finishes, a dialog box appears that prompts you to complete the
configuration of your server. Be sure that the Run the SharePoint Products and
Technologies Configuration Wizard now check box is selected.
10. Click Close to start the configuration wizard. Instructions for completing the wizard
are provided in the next set of steps.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers
After Setup finishes, you can use the SharePoint Products and Technologies Configuration
Wizard to configure Office SharePoint Server 2007. The configuration wizard automates several
configuration tasks, including installing Office SharePoint Server 2007 services. Use the following
instructions to run the SharePoint Products and Technologies Configuration Wizard.

Run the SharePoint Products and Technologies Configuration Wizard on additional servers

1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted
during configuration, click Yes.
3. On the Connect to a server farm page, click Yes, I want to connect to an existing
server farm, and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database
server box, type the name of the computer that is running SQL Server.
5. Click Retrieve Database Names, and then from the Database name list, select the
database name that you created when you configured the first server in your server farm.
6. In the User name box, type the user name of the account used to connect to the
computer running SQL Server. (Be sure to type the user name in the format
DOMAIN\username.) This must be the same user account you used when you configured
the first server.
7. In the Password box, type the user's password, and then click Next.
8. On the Completing the SharePoint Products and Technologies Configuration Wizard
page, click Next.
9. On the Configuration Successful page, click Finish.

Start the Windows SharePoint Services Search service (optional)
You must start the Windows SharePoint Services Search service on every computer that you
want to search over Help content. If you do not want users to be able to search over Help
content, you do not need to start this service.

Start the Windows SharePoint Services Search service (optional)


1. On the SharePoint Central Administration home page, click the Operations tab on
the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on
server.
3. On the Services on Server page, next to Windows SharePoint Services Search,
click Start.
4. On the Configure Windows SharePoint Services Search Service Settings page, in the
Service Account section, type the user name and password for the user account under
which the Windows SharePoint Services Search service account will run.
5. In the Content Access Account section, type the user name and password for the
user account that the Search service will use to search over content. This account must
have read access to all the content you want it to search over. If you do not specify
credentials, the same account used for the Search service will be used.
6. In the Indexing Schedule section, either accept the default settings, or specify the
schedule that you want the Search service to use when searching over content.
7. After you have configured all the settings, click Start.

Stop the Central Administration service on all index servers
In farms with more than one index server, stop the Central Administration service on all index
servers. This service is used for the Central Administration Web site and is not required on index
servers. Stopping this service on index servers can help avoid URL resolution problems with
indexing. On the other hand, you must be sure that this service is started on the server that hosts
the Central Administration Web site, even if that server is also an index server. You do not need to
stop this service for installations where the farm has only one index server.
Before stopping the service on the index server, make sure that the service is running on another
server.

Stop the Central Administration service on an index server


1. On the Services on Server page, select the index server from the Server drop-down
list.
2. Under Select server role to display services you will need to start in the table
below, select the Custom option.
3. In the table of services, next to Central Administration, in the Action column, click
Stop.

Disable the Windows SharePoint Services Web Application service on all servers not serving content
Disable the Windows SharePoint Services Web Application service on all servers that are not
serving content, especially index servers. On the other hand, you must be sure that this service is
enabled on the servers that are serving content.

Disable the Windows SharePoint Services Web Application service on a server


1. On the SharePoint Central Administration home page, click the Operations tab on
the top link bar.
2. On the Operations page, in the Topology and Services section, click Services on
server.
3. On the Services on Server page, next to Windows SharePoint Services Web
Application, click Stop.
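The two procedures above are performed by hand on the Services on Server page. The following script is an added example, not part of this guide or of Office SharePoint Server 2007 itself: it reads the farm through the Office SharePoint Server 2007 object model from PowerShell and reports where Central Administration and the Windows SharePoint Services Web Application service are started, so you can confirm the placement the guide describes (Central Administration started on exactly the server that hosts the Central Administration site, and neither service started on index servers that serve no content). The index server host names are assumptions.

```powershell
# Added example, not part of the deployment guide: audit where the Central Administration
# and Windows SharePoint Services Web Application services are started across the farm,
# using the Office SharePoint Server 2007 object model from PowerShell. Run it as a farm
# administrator on any farm server. The index server host names below are placeholders.
$indexServers = @("INDEX01", "INDEX02")   # assumed names; replace with your own

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
$online = [Microsoft.SharePoint.Administration.SPObjectStatus]::Online
$farm   = [Microsoft.SharePoint.Administration.SPFarm]::Local

$centralAdminHosts = @()   # servers where Central Administration is started
$webAppHosts       = @()   # servers where the Web Application service is started

foreach ($server in $farm.Servers) {
    # Role Invalid means the server is registered but runs no SharePoint services
    # (typically the SQL Server computer), so skip it.
    if ($server.Role -eq [Microsoft.SharePoint.Administration.SPServerRole]::Invalid) { continue }

    foreach ($instance in $server.ServiceInstances) {
        if ($instance.Status -ne $online) { continue }
        # TypeName is the display name shown on the Services on Server page.
        switch ($instance.TypeName) {
            "Central Administration"                      { $centralAdminHosts += $server.Name }
            "Windows SharePoint Services Web Application" { $webAppHosts       += $server.Name }
        }
    }
}

$findings = @()
if ($centralAdminHosts.Count -eq 0) {
    $findings += "Central Administration is not started on any server in the farm."
}
foreach ($name in $indexServers) {
    # With more than one index server, Central Administration should be started on only one
    # server; any other index server that still runs it should have the service stopped.
    if ($indexServers.Count -gt 1 -and $centralAdminHosts.Count -gt 1 -and ($centralAdminHosts -contains $name)) {
        $findings += "$name is an index server and still runs Central Administration; stop it unless this server hosts the Central Administration site."
    }
    # An index server that serves no content should not run the Web Application service.
    if ($webAppHosts -contains $name) {
        $findings += "$name is an index server and still runs the Windows SharePoint Services Web Application service."
    }
}

"Central Administration started on: " + ($centralAdminHosts -join ", ")
"Web Application service started on: " + ($webAppHosts -join ", ")
if ($findings.Count -eq 0) { "No service placement problems found." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

The script only reports; it does not stop or start anything, so it is safe to run repeatedly after each change on the Services on Server page. A farm with a single index server produces no Central Administration warning, matching the guide's note that stopping the service is unnecessary in that case.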

Deploy language packs
In this section:
• About language IDs and language packs
• Preparing your front-end Web servers for language packs
• Installing language packs on your front-end Web servers
Language packs enable site owners and site collection administrators to create SharePoint sites
and site collections in multiple languages without requiring separate installations of Microsoft
Office SharePoint Server 2007. You install language packs, which contain language-specific site
templates, on your front-end Web servers. When an administrator creates a site or a site
collection based on a language-specific site template, the text that appears on the site or the site
collection is displayed in the site template's language. Language packs are typically used in
multinational deployments where a single server farm supports people in different locations or in
situations where sites and Web pages must be duplicated in one or more languages. For more
information about language packs, see Plan for multilingual sites
(http://technet.microsoft.com/en-us/library/cc262055.aspx).

Note:
You cannot change an existing site, site collection, or Web page from one language to
another by applying different language-specific site templates; once you choose a
language-specific site template for a site or a site collection, the site or site collection will
always display content in the language of the original site template.
Word breakers and stemmers enable you to efficiently and effectively search across content on
SharePoint sites and site collections in multiple languages without requiring separate installations
of Office SharePoint Server 2007. Word breakers and stemmers are not installed with language
packs. Instead, they are automatically installed on your front-end Web servers by the Setup
wizard. For more information about word breakers and stemmers, see the "Plan word breakers
and stemmers" section in Plan to crawl content (http://technet.microsoft.com/en-
us/library/cc262926.aspx).
You can install language packs for Microsoft Office Server products from the Microsoft Download
site, at 2007 Office System Language Packs (http://www.microsoft.com/downloads/details.aspx?
FamilyId=2447426B-8689-4768-BFF0-CBB511599A45&displaylang=en).

Important:
If you are uninstalling a Microsoft Office Server product, you must uninstall all language
packs before you uninstall the product.

About language IDs and language packs


When site owners or site collection administrators create sites or site collections, they can choose
a language for each site or site collection.
The language they choose represents the language identifier (ID), and the language ID
determines the language that is used to display text and interpret text that is put on the site or site
collection. For example, when a site administrator chooses to create a site in French, the site's
toolbars, navigation bars, lists, and column headings appear in French. Likewise, if a site
administrator chooses to create a site in Arabic, the site's toolbars, navigation bars, lists, and
column headings appear in Arabic, and the default left-to-right orientation of the site changes to a
right-to-left orientation to properly display Arabic text.
The list of available languages that a site administrator can use to create a site or site collection is
generated by the language packs that are installed on your front-end Web servers. By default,
sites and site collections are created in the language in which Office SharePoint Server 2007 was
installed. For example, if you install the Spanish version of Office SharePoint Server 2007, the
default language for sites, site collections, and Web pages is Spanish. If a site administrator
needs to create sites, site collections or Web pages in a language other than the default Office
SharePoint Server 2007 language, you must install the language pack for that language on your
front-end Web servers. For example, if you are running the French version of Office SharePoint
Server 2007, and a site administrator wants to create sites in French, English, and Spanish, you
must install the English and Spanish language packs on your front-end Web servers.

Note:
By default, when a site administrator creates a new Web page within a site, the Web
page uses the site's language ID to display text.
Language packs for Office SharePoint Server 2007 are not bundled into multilingual installation
packages. You must install a specific language pack for each language that you want to support.
Also, language packs must be installed on each of your front-end Web servers to ensure that
each Web server can render content in the specified language.
The following table lists the language packs that are available for Office SharePoint Server 2007.

Language Country/Region Language ID

German Germany 1031

English United States 1033

Japanese Japan 1041

Although a site administrator specifies a language ID for a site, some user interface elements
such as error messages, notifications, and dialog boxes do not display in the language that was
specified. This is because Office SharePoint Server 2007 relies on several supporting
technologies — for example, the Microsoft .NET Framework, Microsoft Windows Workflow
Foundation, Microsoft ASP.NET, and Microsoft SQL Server 2005 — some of which are localized
into only a limited number of languages. If a user interface element is generated by any of the
supporting technologies that is not localized into the language that the site administrator specified
for the site, the user interface element appears in English. For example, if a site administrator
creates a site in Hebrew, and the .NET Framework component displays a notification message,
the notification message will not display in Hebrew because the .NET Framework is not localized
into Hebrew. This situation can occur when sites are created in any language except the
following: Chinese, French, German, Italian, Japanese, Korean, and Spanish.
In some cases, some text might originate from the original installation language, which can create
a mixed-language experience. This type of mixed-language experience is typically seen only by
content creators or site administrators and is not seen by site users.

Preparing your front-end Web servers for language packs
Before you install language packs on your front-end Web servers, you must do the following:
• Install the necessary language files on your front-end Web servers.
• Install Office SharePoint Server 2007 on each of your front-end Web servers.
• Run the SharePoint Products and Technologies Configuration Wizard on each of your
front-end Web servers.
Language files are used by the operating system and provide support for displaying and entering
text in multiple languages. Language files include:
• Keyboard files
• Input Method Editors (IMEs)
• TrueType font files
• Bitmap font files
• Code page conversion tables
• National Language Support (.nls) files
• Script engines for rendering complex scripts
Most language files are installed by default on the Microsoft Windows Server 2003 operating
system. However, you must install supplemental language files for East Asian languages and
languages that use complex script or require right-to-left orientations. The East Asian languages
include Chinese, Japanese, and Korean; the complex script and right-to-left oriented languages
include Arabic, Armenian, Georgian, Hebrew, the Indic languages, Thai, and Vietnamese.
Instructions for installing these supplemental language files are provided in the following
procedure.
We recommend that you install these language files only if you need them. The East Asian files
require about 230 megabytes of hard disk space. The complex script and right-to-left languages
do not use much disk space, but installing either set of files might reduce performance when
entering text.

Note:
You must be a member of the Administrators group on the computer to install these
language files. After the language files are installed, the languages are available to all
users of the computer.

Note:
You will need your Windows Server 2003 product disc to perform this procedure, or you
will need to know the location of a shared folder that contains your operating system
installation files.

Note:
You must restart your computer after you install supplemental language files.

Install additional language files


1. On your front-end Web server, click Start, point to Settings and then Control Panel,
and then click Regional and Language Options.
2. In the Regional and Language Options dialog box, on the Languages tab, in the
Supplemental Language Support section, select one or both of the following
check boxes:
• Install files for complex script and right-to-left languages
• Install files for East Asian languages
3. Click OK in the dialog box that alerts you that additional disk space is required for the
files.
4. Click OK to install the additional language files.
5. When prompted, insert your Windows Server 2003 product disc or provide the
location of your Windows Server 2003 installation files.
6. When prompted to restart your computer, click Yes.

After you install the necessary language files on your front-end servers, you need to install Office
SharePoint Server 2007 and run the SharePoint Products and Technologies Configuration
Wizard. The wizard creates and configures the configuration database and performs other
configuration tasks that must be done before you install language packs. For more information
about installing Office SharePoint Server 2007 and running the SharePoint Products and
Technologies Configuration Wizard, see Deploy in a simple server farm and Install Office
SharePoint Server 2007 on a stand-alone computer.

Installing language packs on your front-end Web servers
After you install the necessary language files on your front-end servers, you can install your
language packs. Language packs are available as individual downloads (one download for each
supported language). If you have a server farm environment, and you are installing language
packs to support multiple languages, you must install the language packs on each of your front-
end Web servers.

Important:
The language pack installs in its native language; for example, the Russian language
pack executable file is localized into Russian. The procedure provided below is for the
English language pack.

Install a language pack


1. Run setup.exe.
2. On the Read the Microsoft Software License Terms page, review the terms, select
the I accept the terms of this agreement check box, and then click Continue.
3. The setup wizard runs and installs the language pack.
4. Rerun the SharePoint Products and Technologies Configuration Wizard, using the
default settings. If you do not run the SharePoint Products and Technologies
Configuration Wizard after you install a language pack, the language pack will not be
installed properly.

Rerun the SharePoint Products and Technologies Configuration Wizard


1. Click Start, point to All Programs, point to Administrative Tools, and then click
SharePoint Products and Technologies Configuration Wizard.
2. On the Welcome to SharePoint Products and Technologies page, click Next.
3. Click Yes in the dialog box that alerts you that some services might need to be
restarted during configuration.
4. On the Modify server farm settings page, click Do not disconnect from this server
farm, and then click Next.
5. If the Modify SharePoint Central Administration Web Administration Settings page
appears, do not modify any of the default settings, and then click Next.
6. On the Completing the SharePoint Products and Technologies Configuration Wizard
page, click Next.
7. On the Configuration Successful page, click Finish.

When you install language packs, the language-specific site templates are installed in the
\Program Files\Common Files\Microsoft Shared\web server extensions\12\template\number
directory, where number is the Language ID for the language that you are installing. For example,
the US English language pack installs to the \Program Files\Common Files\Microsoft Shared\web
server extensions\12\template\1033 directory. After you install a language pack, site owners and
site collection administrators can create sites and site collections based on the language-specific
site templates by specifying a language when they are creating a new SharePoint site or site
collection.

Uninstalling language packs


If you no longer need to support a language for which you have installed a language pack, you
can remove the language pack by using Add/Remove Programs in Control Panel. Removing a
language pack removes the language-specific site templates from your computer. All sites that
were created with those language-specific site templates will no longer work (the URL will
produce an HTTP 500 - Internal server error page). Reinstalling the language pack will make the
site functional.

Note:
You cannot remove the language pack for the version of Office SharePoint Server 2007
that you have installed on your server. For example, if you are running the Japanese
version of Office SharePoint Server 2007, you cannot uninstall the Japanese language
support for Office SharePoint Server 2007.
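Two checks follow from this chapter: every front-end Web server must carry the same language packs, and removing a pack breaks every site created from its templates. The following script is an added example, not part of this guide or of the product: it compares the numeric language ID folders under the template directory on each front-end Web server, then counts the sites that use each language ID through the object model, so you can see before uninstalling a pack whether any site still depends on it. It assumes you run it as a farm administrator on a farm server, that Office SharePoint Server 2007 is installed on drive C of every front-end server, and that the C$ administrative share is reachable.

```powershell
# Added example, not part of the deployment guide: (1) compare the language packs installed
# on each front-end Web server by reading the numeric language ID folders under
# ...\12\template, and (2) count the sites that use each language ID, so you can tell
# before removing a pack whether any site depends on it.
# Assumptions: run as a farm administrator on a farm server; Office SharePoint Server is
# installed on drive C of every front-end server and the C$ administrative share is reachable.
$templateRoot = 'Program Files\Common Files\Microsoft Shared\web server extensions\12\template'

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
$online = [Microsoft.SharePoint.Administration.SPObjectStatus]::Online
$farm   = [Microsoft.SharePoint.Administration.SPFarm]::Local

# A front-end Web server is any farm server with the Web Application service started.
$frontEnds = @()
foreach ($server in $farm.Servers) {
    foreach ($instance in $server.ServiceInstances) {
        if ($instance.TypeName -eq "Windows SharePoint Services Web Application" -and $instance.Status -eq $online) {
            $frontEnds += $server.Name
        }
    }
}

# Language ID folders present on each front-end server (for example 1033 for US English).
$installed = @{}
foreach ($name in $frontEnds) {
    $folders = Get-ChildItem -Path "\\$name\C$\$templateRoot" |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+$' }
    $installed[$name] = @($folders | ForEach-Object { [int]$_.Name })
}
$allLcids = @($installed.Values | ForEach-Object { $_ } | Sort-Object -Unique)
foreach ($lcid in $allLcids) {
    $missing = @($frontEnds | Where-Object { -not ($installed[$_] -contains $lcid) })
    if ($missing.Count -gt 0) {
        Write-Warning ("Language ID {0} is not installed on: {1}" -f $lcid, ($missing -join ", "))
    }
}

# Number of sites per language ID across every content Web application. Each SPSite and
# SPWeb is disposed because they hold unmanaged resources.
$usage = @{}
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
foreach ($webApp in $contentService.WebApplications) {
    foreach ($site in $webApp.Sites) {
        try {
            foreach ($web in $site.AllWebs) {
                $lcid = [int]$web.Language
                $usage[$lcid] = 1 + [int]$usage[$lcid]
                $web.Dispose()
            }
        } finally { $site.Dispose() }
    }
}
foreach ($lcid in ($usage.Keys | Sort-Object)) {
    $state = if ($allLcids -contains $lcid) { "installed" } else { "NOT INSTALLED on any front-end server" }
    "Language ID {0}: {1} site(s), pack {2}" -f $lcid, $usage[$lcid], $state
}
```

A language ID that appears in the site count but is reported as missing on one front-end server is the mixed state the guide warns about: requests routed to that server return HTTP 500 for those sites until the pack is installed there and the configuration wizard is rerun.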

III. Create and configure Shared Services
Providers

Chapter overview: Create and configure
Shared Services Providers
After you have installed Microsoft Office SharePoint Server 2007, you must configure the primary
Shared Services Provider (SSP) that your SharePoint sites will rely on to provide services such
as search, personalization, or business intelligence. This chapter helps you create the primary
Shared Services Provider, and configure settings for the shared services that are hosted by that
SSP.
In this chapter:
• Configure the primary Shared Services Provider
• Configure the Office SharePoint Server Search service
• A. Configure personalization
• B. Configure business intelligence features
• C. Configure Excel Services
• D. Configure InfoPath Forms Services
• E. Configure Office Project Server

Configure the primary Shared Services
Provider

Create the Shared Services Provider


1. On the SharePoint Central Administration home page, click the Application
Management tab on the top navigation bar.
2. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm's shared services.
3. On the Manage this Farm's Shared Services page, click New SSP.

Important:
If you have not created a Web application for the SSP administration site, you need
to create one before you create the SSP. If you have already created a Web
application for the SSP administration site, skip to step 14.
4. On the New Shared Services Provider page, click Create a new Web application.
5. On the Create New Web Application page, in the IIS Web Site section, click Create a
new IIS web site, and do not modify the default settings in this section.
6. In the Security Configuration section, under Authentication provider, select the
appropriate option for your environment, and do not modify the default settings in the
remainder of this section.

Note:
By default, the authentication provider is set to NTLM. Use the Negotiate (Kerberos)
setting only if Kerberos is supported in your environment. This option will require
configuring a Service Principal Name for the domain user account, for which you
must have Domain Administrator credentials. For more information about configuring
Kerberos, see Microsoft Knowledge Base article KB 832769: HOW TO: Configure
Windows SharePoint Services to Use Kerberos Authentication
(http://support.microsoft.com/?kbid=832769).
7. In the Load Balanced URL section, do not modify the default settings.
8. In the Application Pool section, click Create new application pool.
9. In Application pool name, enter the name of your application pool or use the default
name.
10. Click Configurable, and in User name and Password, type the user name and
password for the user account that you want to act as the application pool identity for your
SSP Web application.
The user account must be a domain user account, but the user account does not have to be
a member of any particular security group. It is recommended that you use the principle of
least privilege and select a unique user account that does not have administrative rights on
your front-end servers or on your back-end database servers. You can use the user account
that you specified as the Microsoft Office SharePoint Server 2007 service account; however,
if that user account is a member of a security group that has administrative rights on your
front-end servers or your back-end database servers, you will not be following the principle of
least privilege. The user name must be in the format DOMAIN\username.
11. In the Database Name and Authentication section, verify the database information and
make sure that Windows Authentication (recommended) is selected.
12. In the Search Server section, do not modify the default settings.
13. Click OK.
Upon successful creation of the Web application, the New Shared Services Provider page
appears.
14. In the SSP Name section, in Web Application, select the Web application that you
created for the SSP, and do not modify any of the default settings in this section.
15. In My Site Location section, choose the correct Web application.

Note:
It is recommended that you run My Sites and the SSP administration site in different
Web applications so that you can back up and restore My Sites separately from the
SSP administration site.
16. In the SSP Service Credentials section, in User name and Password, type the user
name and password for the user account under which you want the SSP to run.
The user account must be a domain user account, but the user account does not have to be
a member of any particular security group. It is recommended that you use the principle of
least privilege and select a unique user account that does not have administrative rights on
your front-end servers or on your back-end database servers. You can use the user account
that you specified as the Office SharePoint Server 2007 service account; however, if that user
account is a member of a security group that has administrative rights on your front-end
servers or your back-end database servers, you will not be following the principle of least
privilege. The user name must be in the format DOMAIN\username.
17. In the SSP Database section, you can either accept the default settings (recommended),
or specify your own settings for the database server, the database name, or the SQL
authentication credentials.
18. In the Search Database section, you can either accept the default settings
(recommended), or specify your own settings for the search database server, the database
name, or the SQL Server authentication credentials.
19. In the Index Server section, in Index Server, click the server on which you configured
the Search service.
If there is no index server listed in the Index Server section, then no server in your farm has
been assigned the index server role. To assign the index server role to a server in your farm,
follow the instructions in Configure a dedicated front-end Web server for crawling
(http://technet.microsoft.com/en-us/library/cc261810.aspx).
20. In the SSL for Web Services section, click No.
21. Click OK.
Upon successful creation of the SSP, the Success page appears.
22. On the Success page, click OK to return to the Manage this Farm's Core Services page.
For information about how to perform this procedure using the Stsadm command-line tool, see
Shared Services Provider: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262916.aspx).
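Steps 10 and 16 above both ask for a domain account that holds no administrative rights on the front-end or database servers. The following script is an added example, not part of this guide or of the product: it verifies that requirement for the accounts you intend to use by reading the local Administrators group on every server registered in the farm, and only then creates the SSP with the Stsadm createssp operation that the guide refers to. The account names, URLs, index server name and index path are placeholders; the Web application given in -url and the index server must already exist, as the procedure requires.

```powershell
# Added example, not part of the deployment guide: check that the accounts you intend to
# use as the SSP application pool identity and SSP service account are not members of the
# local Administrators group on any farm server (front-end or database), then create the
# SSP with the Stsadm createssp operation. Account names, URLs, server names and the index
# path are placeholders; the Web application at -url and the index server must already exist.
$accounts = @("CONTOSO\svc_ssp_pool", "CONTOSO\svc_ssp")   # placeholders

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
$farm = [Microsoft.SharePoint.Administration.SPFarm]::Local

function Test-LocalAdmin([string]$computer, [string]$account) {
    # Reads direct members of the local Administrators group via the WinNT ADSI provider.
    # Nested group membership is not expanded; check any domain groups listed separately.
    $group = [ADSI]"WinNT://$computer/Administrators,group"
    $paths = @($group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    })
    # ADsPath is WinNT://DOMAIN/name; normalise to DOMAIN\name for a case-insensitive match.
    $members = $paths | ForEach-Object { ($_ -replace '^WinNT://', '') -replace '/', '\' }
    return ($members -contains $account)
}

$violations = @()
foreach ($server in $farm.Servers) {          # includes the back-end SQL Server computer
    foreach ($account in $accounts) {
        if (Test-LocalAdmin $server.Name $account) {
            $violations += "$account is a local Administrator on $($server.Name)"
        }
    }
}
if ($violations.Count -gt 0) {
    $violations | ForEach-Object { Write-Warning $_ }
    throw "Remove administrative rights from the SSP accounts before creating the SSP."
}

# createssp parameters as documented for the Office SharePoint Server 2007 Stsadm tool.
# The password is read as a SecureString and converted only for the stsadm command line.
$stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"
$secure = Read-Host -AsSecureString "Password for CONTOSO\svc_ssp"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

& $stsadm -o createssp -title "SharedServices1" -url "http://ssp-admin.contoso.com" `
    -mysiteurl "http://my.contoso.com" -ssplogin "CONTOSO\svc_ssp" -ssppassword $plain `
    -indexserver "INDEX01" -indexlocation "D:\Index" -ssl no
Remove-Variable plain
if ($LASTEXITCODE -ne 0) { throw "stsadm createssp failed with exit code $LASTEXITCODE" }
```

The membership check covers direct members only; if a domain group appears in the local Administrators group, confirm separately that neither account belongs to it, because, as the guide notes, membership through a group still violates least privilege. The -ssl no argument matches step 20 of the procedure; pass -ssl yes only after the certificate has been installed on each server.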

Create a new SSP


Important:
To configure an SSP, you must have already configured an index server for the farm.
Without an index server, creation of a new SSP will fail. For more information about
configuring an index server, see the topic Configure the primary Shared Services
Provider (http://technet.microsoft.com/en-us/library/cc262649.aspx).

To create and configure a new SSP:


1. In a Web browser, open the Central Administration page for your farm.
2. On the top navigation bar, click Application Management.
3. On the Application Management page, under Office SharePoint Server Shared
Services, click Create or configure this farm's shared services.
4. On the Manage this Farm's Shared Services page, on the top navigation bar, click
New SSP.
5. In the SSP Name section, specify a unique, descriptive name for this SSP. This name
will be used to identify the SSP in administration pages.
6. In the My Site location section, select the Web application for this SSP.
7. In the SSP Service Credentials section, specify the credentials which will be used
by SSP Web services for inter-server communication and for the SSP timer service to run
jobs.
8. In the SSP Database section, specify the database server and database name for
storing session data. Use of the default database server and database name is
recommended for most cases.
9. In the Index Server section, select the index server which will crawl content in all
Web applications associated with this SSP. You may also specify the path on the index
server where the indexes will be located if you do not want to use the default path.
10. In the SSL for Web Services section, choose whether or not to use SSL to protect
communications to and from Web services.

Note:
If you choose to enable SSL for Web services, you must add the certificate on
each server in the farm by using the IIS administration tool. Until this is done, the
Web services will not be available.
11. Click OK to create the SSP.

Associate an SSP with a Web application


A Web application may be associated with only one SSP, but each SSP may be associated with
multiple Web applications.

To associate an SSP with a Web application:


1. On the taskbar, click Start, point to Administrative Tools, and then click SharePoint
3.0 Central Administration.
2. In the Quick Launch, click Shared Services Administration.
3. On the Manage this Farm's Shared Services page, on the top navigation bar, click
Change Associations.

Note:
In the SSP Name column in the SSP list, you will see all the Web applications
with which each SSP is currently associated.
4. On the Change Association between Web Applications and SSPs page, under
Shared Services Provider, select the SSP you want to configure.
5. In the Web applications section, select the Web applications you want to associate
with the SSP.
6. Click OK to associate the SSP with the selected Web applications.

Configure the Office SharePoint Server
Search service
In this section:
• Server-level configuration
• Farm-level configuration
• SSP-level configuration
• Site collection-level configuration
This section describes the process of deploying the search features for Microsoft Office
SharePoint Server 2007 that are related to crawling content. If you have not already done so, we
highly recommend that you first read the topics described in Plan search
(http://technet.microsoft.com/en-us/library/cc263400.aspx) and fill out the companion Plan to
crawl content worksheet (http://go.microsoft.com/fwlink/?LinkID=73748&clcid=0x409). As you
proceed through this section, refer to this worksheet so that you have the information you need to
configure these search features.
For information about how to perform this procedure using the Stsadm command-line tool, see
Osearch: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262920.aspx).

Server-level configuration
The procedures in this section are performed at the server level. To perform these procedures,
you must be a member of the Administrators group for each server on which you want to perform
them.

Install protocol handlers


The following protocols are supported by the default protocol handlers:
• bdc
• bdc2
• file
• http
• https
• rb
• rbs
• sps
• sps3
• sps3s
• spsimport
• spss
• sts
• sts2
• sts2s
• sts3
• sts3s
Refer to the Protocol handlers section of the Plan to crawl content worksheet to review your
decisions for installing additional protocol handlers. When installing the protocol handlers on your
index server, follow the appropriate installation instructions provided by the manufacturer of each
protocol handler.

Note:
You must be a member of the Administrators group on each server on which you want to
install an additional protocol handler.

Install and register IFilters


The procedures used to install and register IFilters vary among different IFilters. Refer to the File
type inclusions section of the Plan to crawl content worksheet for the IFilters you decided to
add.
This section includes instructions for installing and registering the following IFilters. If an IFilter
that you need is not listed here, contact the manufacturer for instructions for installing third-party
IFilters. If you do not need to install additional IFilters, skip to the next section.

Note:
You must be a member of the Administrators group on each server on which you want to
install an IFilter.

Install and register the OneNote IFilter


Before Microsoft Office OneNote 2007 files can be crawled and indexed, you must first do the
following:
• Install Office OneNote 2007 on the index server. This installs the OneNote IFilter.

Note:
The Office OneNote 2007 IFilter can crawl both OneNote 2003 and Office OneNote
2007 files. The Office OneNote 2003 IFilter can crawl OneNote 2003 files only.
• Add the OneNote file extension to the File Types list.
• Register the OneNote IFilter.

Note:
You must be a member of the Administrators group on the index server to perform
the following procedures.
Add the OneNote file extension to the File Types list
1. Open the administration page for the Shared Services Provider (SSP).
To open the administration page for the SSP, do the following:
a. In Central Administration, on the top link bar, click Application Management.
b. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm's shared services.
c. On the Manage this Farm's Shared Services page, click the SSP for which you
want to open the administration page.
2. On the Shared Services Administration page, in the Search section, click Search
settings.
3. On the Configure Search Settings page, in the Crawl Settings section, click File
Types.
4. On the Manage File Types page, click New File Type.
5. On the Add File Type page, in the File extension box, type one, and then click OK.

Note:
Do not type the period character "." before the file extension.

Register the OneNote IFilter


1. On the index server, click Start, and then click Run.
2. In the Open box, type notepad, and then click OK.
3. Type or copy the following text into Notepad:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\Filters\.one]
"Extension"="one"
"FileTypeBucket"=dword:00000001
"MimeTypes"="application/msonenote"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\ContentIndexCommon\Filters\Extension\.one]
@="{B8D12492-CE0F-40AD-83EA-099A03D493F1}"
4. In Notepad, on the File menu, click Save As.
5. In the Save As dialog box, in the File name box, type onenote.reg, and then click
Save.
6. On the index server, double-click the onenote.reg file that you just created.

Note:
This step starts the process of setting the necessary registry keys for registering
the OneNote IFilter.
7. If the Open File - Security Warning dialog box appears, click Run.
8. In the Registry Editor dialog box, click Yes.
9. Click OK to close the Registry Editor box.
10. Restart the index server.

Note:
The index server must be restarted for the IFilter registration to take effect.

After you restart the index server, you must start a full crawl of the locations that contain Office
OneNote 2007 files before they can appear in search queries. If your document libraries require
check-out to edit the files, Office OneNote 2007 files will often be in a checked-out state. Any
updates to the checked-out files that are saved to the library will not be crawled until the files are
checked in. In general, we recommend that, for document libraries that are intended for storing
OneNote files, administrators do not require that files be checked out before they can be edited.
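As an added example (not part of this documentation and not Office SharePoint Server code), the following Python script parses a Registry Editor 5.00 file such as onenote.reg and checks, before the file is imported into HKEY_LOCAL_MACHINE, that it touches only the two Search setup keys expected for the extension, that the Extension value matches the key name and carries no leading period, and that the IFilter CLSID is well formed. The sample file embedded in the script is the registration text from the procedure above; the key paths and value names come from it, while the check function and its rules are this example's own.

```python
import re

# Constructed sample: the OneNote IFilter registration text from the procedure,
# with each registry key written on a single line as Registry Editor expects.
ONENOTE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\Filters\.one]
"Extension"="one"
"FileTypeBucket"=dword:00000001
"MimeTypes"="application/msonenote"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup\ContentIndexCommon\Filters\Extension\.one]
@="{B8D12492-CE0F-40AD-83EA-099A03D493F1}"
"""

SEARCH_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office Server\12.0\Search\Setup"
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_reg(text):
    """Parse a Registry Editor 5.00 export into {key: {value_name: value}}.

    Handles the value forms used in the procedure: quoted strings, dword:
    hexadecimal numbers, and a key's default value written as @.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value outside of any [key] section: " + line)
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed value line: " + line)
        name = name.strip()
        if name != "@":
            name = name.strip('"')
        value = value.strip()
        if value.startswith("dword:"):
            value = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        keys[current][name] = value
    return keys


def check_ifilter_registration(text, extension):
    """Return a list of problems; an empty list means the file registers only the
    expected IFilter entries for `extension` (given without the leading period)."""
    problems = []
    keys = parse_reg(text)
    filters_key = SEARCH_SETUP + r"\Filters\." + extension
    clsid_key = SEARCH_SETUP + r"\ContentIndexCommon\Filters\Extension\." + extension

    # Importing a .reg file writes to HKLM, so flag anything beyond the two keys
    # this registration needs.
    for key in keys:
        if key not in (filters_key, clsid_key):
            problems.append("unexpected key: " + key)

    file_type = keys.get(filters_key)
    if file_type is None:
        problems.append("missing file type key: " + filters_key)
    else:
        ext_value = file_type.get("Extension")
        if ext_value != extension:
            problems.append("Extension value %r does not match key extension %r"
                            % (ext_value, extension))
        if not isinstance(file_type.get("FileTypeBucket"), int):
            problems.append("FileTypeBucket is missing or not a dword")

    clsid = keys.get(clsid_key, {}).get("@")
    if clsid is None:
        problems.append("missing IFilter CLSID (default value of " + clsid_key + ")")
    elif not CLSID_RE.match(clsid):
        problems.append("malformed CLSID: " + clsid)
    return problems


if __name__ == "__main__":
    for key, values in parse_reg(ONENOTE_REG).items():
        print(key, values)
    print("problems:", check_ifilter_registration(ONENOTE_REG, "one"))
```

Run the script to print the parsed keys and any problems; an empty problem list means the file contains exactly the entries the procedure above describes and nothing else.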

Farm-level configuration
The procedures in this section are performed at the farm level. To perform these procedures, you
must be a farm administrator.

Create crawler impact rules


Use the following procedure, along with the decisions you recorded in the Crawler impact rules
section of the Plan to crawl content worksheet, to create crawler impact rules.

Create crawler impact rules


1. In Central Administration, on the Application Management tab, in the Search section,
click Manage search service.
2. On the Manage Search Service page, in the Farm-Level Search Settings section,
click Crawler impact rules.
3. On the Crawler Impact Rules page, click Add Rule.
4. On the Add Crawler Impact Rule page, in the Site section, in the Site box, type the
site name that will be associated with this crawler impact rule.

Note:
When typing the URL, you must exclude the protocol. For example, do not
include http:// or file://.
5. In the Request Frequency section, select one of the following options:
• Request up to the specified number of documents at a time and do not wait
between requests. If you choose this option, use the Simultaneous requests list to
select how many documents you want the crawler to request at one time when
crawling this URL. You can specify the maximum number of requests that the Office
SharePoint Services Search service can make at one time when crawling this URL.
• Request one document at a time and wait the specified time between
requests. You can specify a delay (in seconds) between requests, when crawling this
URL. When this option is selected, the Office SharePoint Services Search service
makes one request per site at one time, and then it waits for the specified amount of
time before making the next request. In the Time to wait (in seconds) box, type the
time to wait (in seconds) between requests. The minimum time to wait between
requests is one second, and the maximum time is 1,000 seconds.
6. Click OK.

Configure farm-level search settings


Use the following procedure, along with the decisions you recorded in the Farm-level search
settings section of the Plan to crawl content worksheet, to configure your farm-level search
settings.

Configure farm-level search settings


1. In Central Administration, on the Application Management tab, in the Search section,
click Manage search service.
2. On the Manage Search Service page, in the Farm-Level Search Settings section,
click Farm-level search settings.
3. On the Manage Farm-Level Search Settings page, in the Contact E-mail Addresses
section, type the e-mail address of the person in your organization whom external site
administrators can contact if problems arise when their site is being crawled.
4. In the Proxy Server Settings section, if you want to use a proxy server when
crawling, select Use the proxy server specified and then do the following:
• In the Address box, enter either the NetBIOS name or the IP address of the
proxy server.
• In the Port box, type the port to use for this proxy server.
• To bypass this proxy server when crawling local addresses, select the Bypass
proxy server for local (intranet) addresses check box.
• To specify addresses for which to bypass the proxy server when crawling, enter
those addresses in the Do not use proxy server for addresses beginning with
box.
5. In the Timeout Settings section, do the following:
• In the Connection time (in seconds) box, enter the number of seconds you
want the server to wait while connecting to other services.
• In the Request acknowledgement time (in seconds) box, enter the number of
seconds you want the server to wait for another service to acknowledge a request to
connect to that service.
6. In the SSL Certificate Warning Configuration section, select the Ignore SSL
certificate name warnings check box if you want to trust that sites are legitimate even if
their certificate names are not exact matches. Otherwise, ensure that this check box is
unselected.
7. Click OK.

Configure the trace log


The trace log can be very useful for analyzing problems that may occur. Events that are written to
the trace log are especially helpful because you can use them to determine what configuration
changes were made in Office SharePoint Server 2007 before the problem occurred.
By default, Office SharePoint Server 2007 saves two days of events in the trace log files. This
means that trace log files that contain events that are older than two days are deleted. When you
are using either the Office SharePoint Server Search service or the Windows SharePoint
Services Search service, we recommend that you configure the trace log to save seven days of
events.
You can use the Diagnostic Logging page in Central Administration to configure the maximum
number of trace log files to maintain and how long (in minutes) to capture events to each log file.
By default, 96 log files are kept, each one containing 30 minutes of events.
96 log files * 30 minutes of events per file = 2880 minutes or two days of events.
You can also specify the location where the log files are written or accept the default path.

Configure the trace log to save seven days of events


1. In Central Administration, on the Operations tab, in the Logging and Reporting
section, click Diagnostic logging.
2. On the Diagnostic Logging page, in the Trace Log section, do the following:
• In the Number of log files box, type 336.
• In the Number of minutes to use a log file box, type 30.

Tip:
You can use any combination of number of log files and minutes to store in
each log file you want to achieve 10,080 minutes (seven days) of events.
3. Ensure that the path specified in the Path box has enough room to store the extra log
files, or change the path to another location.

Tip:
We recommend that you store log files on a hard drive partition that is used to
store log files only.
4. Click OK.

Trace log files are invaluable for troubleshooting issues related to configuration changes of either
the Office SharePoint Server Search service or the Windows SharePoint Services Search
service. Because problems related to configuration changes are not always discovered right
away, we recommend that you save all trace log files that the system creates on any day that you
make any configuration changes related to either search service. Store these log files for an
extended period of time in a safe location that will not be overwritten. See step 3 in the procedure
above to determine the location where the system stores trace log files for your system.

SSP-level configuration
The procedures in this section are performed at the Shared Services Provider (SSP) level. To
perform these procedures, you must be an SSP administrator for Search.

Open the administration page for the SSP


Use the following procedure to open the administration page for the SSP that you want to
configure.

Open the administration page for the SSP


1. In Central Administration, on the top link bar, click Application Management.
2. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm's shared services.
3. On the Manage this Farm's Shared Services page, click the SSP for which you want
to open the administration page.

Specify the default content access account


Use the following procedure, along with the decision you recorded in the Default content access
account section of the Plan to crawl content worksheet, to specify the content access account
that the crawler will use, by default, when crawling content.

Specify the default content access account


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl settings section, click Default
content access account.
3. On the Default Content Access Account page, in the Account box, type the domain
and user name for the account (in the form domain\username).
4. In the Password and Confirm Password boxes, type the password for the account.
5. Click OK.

Create content sources


Use the following procedure, along with the decisions you recorded in the Content sources
section of the Plan to crawl content worksheet, to create your content sources.

Use the following procedure to create a content source of any of the following content source
types:
• SharePoint sites
• Web sites
• File shares
• Microsoft Exchange public folders

Create content sources


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content
sources and crawl schedules.
3. On the Manage Content Sources page, click New Content Source.
4. On the Add Content Source page, in the Name section, in the Name box, type a
name for the content source.

Note:
Each content source name must be unique within the SSP in which it is created.
5. In the Content Source Type section, select the type of content you want to crawl by
using this content source.
6. In the Start Addresses section, in the Type start addresses below (one per line)
box, type the URLs from which the search system should start crawling.

Note:
For performance reasons, you cannot add the same start addresses to multiple
content sources.
7. In the Crawl Settings section, select the behavior for the type of content you
selected.
8. In the Crawl Schedules section, you can specify when to start full and incremental
crawls.
• You can create a full crawl schedule by clicking the Create Schedule link below
the Full Crawl list.
• You can create an incremental crawl schedule by clicking the Create Schedule
link below the Incremental Crawl list.
9. Click OK.
10. Repeat steps 4 through 9 for any additional content sources you want to create.

Use the following procedure to create a content source of the business data content source type.

Create content source for business data


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content
sources and crawl schedules.
3. On the Manage Content Sources page, click New Content Source.
4. On the Add Content Source page, in the Name section, in the Name box, type a
name for the content source.

Note:
Each content source name must be unique within the SSP in which it is created.
5. In the Content Source Type section, select Business Data.
6. In the Applications section, select Crawl entire Business Data Catalog to crawl all
applications registered in the Business Data Catalog or select Crawl selected
applications and select the specific applications you want to crawl.
7. In the Crawl Schedules section, you can specify when to start full and incremental
crawls.
• You can create a full crawl schedule by clicking the Create Schedule link below
the Full Crawl list.
• You can create an incremental crawl schedule by clicking the Create Schedule
link below the Incremental Crawl list.
8. Click OK.
9. Repeat steps 4 through 8 for any additional content sources you want to create.

Create crawl rules


Use the following procedure, along with the decisions you recorded in the Crawl rules section of
the Plan to crawl content worksheet, to create crawl rules.

Create crawl rules


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Crawl
rules.
3. On the Manage Crawl Rules page, click New Crawl Rule.
4. On the Add Crawl Rule page, in the Path section, in the Path box, type the path
affected by this rule. You can use standard wildcard characters in the path. For example:
• http://server1/folder* contains all Web resources with a URL that starts with
http://server1/folder.
• *://*.txt includes every document with the txt file extension.
5. In the Crawl Configuration section, select one of the following:
• Exclude all items in this path. Select this option if you want all items in the
specified path to be excluded from the crawl.
• Include all items in this path. Select this option if you want all items in the path
to be crawled.
6. If you chose to exclude all items in this path, skip to step 8. Otherwise, you can
further refine the inclusion by selecting any combination of the following:
• Follow links on the URL without crawling the URL itself. Select this option if
you want to crawl links contained within the URL, but not the URL itself.
• Crawl complex URLs (URLs that contain a question mark (?)). Select this
option if you want to crawl URLs that contain parameters that use the question mark
(?) notation.
• Crawl SharePoint content as HTTP pages. Normally, SharePoint content is
crawled by using a special protocol. Select this option if you want SharePoint content
to be crawled as HTTP pages instead. When the content is crawled by using the
HTTP protocol, item permissions are not stored.
7. In the Specify Authentication section, do one of the following:
• To use the default content access account when crawling URLs affected by this
crawl rule, select Use the default content access account.
• If you want to use a different content access account, select Specify a different
content access account, and then do the following:
In the Account box, type the account name that can access the paths defined by this
crawl rule. Examples are user_name and DOMAIN\user_name.
In the Password and Confirm Password boxes, type the password for this account.
If you want to prevent basic authentication from being used, select the Do not allow
Basic Authentication check box.
• To use a client certificate for authentication, select Specify client certificate,
and then click a certificate on the Certificate menu.
8. Click OK.
9. Repeat steps 4 through 8 for each new crawl rule you want to create.

Reorder your crawl rules


After you create all your crawl rules, we recommend that you specify the order in which you want
the rules to be applied while content is being crawled. Crawl rules are applied in the order in
which they are listed. Therefore, if two rules cover the same or overlapping content, the first rule
that is listed is applied. Use the following procedure to specify the order of your crawl rules.

Reorder crawl rules


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Crawl
rules.
3. On the Manage Crawl Rules page, in the Order column in the list of crawl rules,
select a value in the drop-down list that specifies the position you want the rule to occupy.
Other values are shifted accordingly.
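As an added example (not Office SharePoint Server code and not from this documentation), the following Python module models how an ordered list of crawl rules decides whether a URL is crawled: "*" in a rule path matches any run of characters, the first rule whose path matches the URL wins, and an Include rule still skips complex (question-mark) URLs unless that option is selected. The rule paths http://server1/folder* and *://*.txt from the procedure above are used as constructed input. The CrawlRule class, the case-insensitive matching, and the behavior when no rule matches (simple URLs crawled, complex URLs skipped) are assumptions of this example.

```python
import re
from dataclasses import dataclass


@dataclass
class CrawlRule:
    path: str                          # rule path; '*' is the only wildcard handled here
    include: bool                      # True = Include all items, False = Exclude all items
    crawl_complex_urls: bool = False   # the "Crawl complex URLs" option on an Include rule


def _compile_path(path):
    # '*' matches any run of characters; everything else is taken literally, so a
    # '?' in a rule path matches a question mark rather than "any one character".
    # Matching is case-insensitive (an assumption of this example).
    pieces = [re.escape(p) for p in path.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def rule_matches(rule, url):
    return _compile_path(rule.path).match(url) is not None


def evaluate(rules, url):
    """Decide whether `url` is crawled under `rules`, applied in list order.

    Returns (crawl, winning_rule_path). The first rule whose path matches the
    URL decides; later rules are never consulted for that URL.
    """
    for rule in rules:
        if not rule_matches(rule, url):
            continue
        if not rule.include:
            return False, rule.path
        if "?" in url and not rule.crawl_complex_urls:
            return False, rule.path   # included path, but complex URLs not enabled
        return True, rule.path
    # No rule matched. Assumption of this example: the crawler's default applies,
    # which crawls simple URLs and skips complex (question-mark) URLs.
    return "?" not in url, None


# Constructed rules, in the order an administrator might list them.
ORDERED = [
    CrawlRule("http://server1/folder*", include=True),
    CrawlRule("*://*.txt", include=False),
]
# The same rules with the Exclude rule moved to the top.
REVERSED = list(reversed(ORDERED))

if __name__ == "__main__":
    for url in ("http://server1/folder/notes.txt",
                "http://server2/readme.txt",
                "http://server1/folder/list.aspx?id=3"):
        print(url, "ordered:", evaluate(ORDERED, url), "reversed:", evaluate(REVERSED, url))
```

Listing the Exclude rule for *.txt first changes the answer for http://server1/folder/notes.txt from crawled to excluded, which is exactly the effect the reorder procedure above controls.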

Configure the file type inclusions list


Use the following procedure, along with the decisions that you recorded in the File-type
inclusions section of the Plan to crawl content worksheet, to add file types to the file type
inclusions list.

Add file types


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click File
types.
3. On the Manage File Types page, click New File Type.
4. On the Add File Type page, in the File extension box, type the file name extension
for the file type that you want to add (for example, type doc).

Note:
Do not precede the file type with the period "." character.
5. Click OK.
6. Repeat steps 4 and 5 for any other file types you want to add.

You can also delete file types from this list for the file types you don't want the crawler to include
in the content index. Use the following procedure, along with the decisions you recorded in the
File-type inclusions section of the Plan to crawl content worksheet, to delete file types from the
file type inclusions list.

Delete file types


1. On the Manage File Types page, position the cursor over the file name extension that
you want to delete, and then click Delete on the menu that appears.
2. In the message box, click OK to confirm that you want to delete the file type.

Crawl the content


Before the content can be indexed, you must first crawl the content. You can either crawl the
content defined in a particular content source individually, or crawl all the content specified by all
content sources at one time.

Crawl content defined in a particular content source


Use the following procedure to crawl content defined in a particular content source.

Crawl content defined in a particular content source
1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content
sources and crawl schedules.
3. On the Manage Content Sources page, position the cursor over the content source
you want to crawl, and then click Start full crawl on the menu that appears.

Crawl content specified by all content sources


Use the following procedure to crawl content specified by all content sources.

Crawl content specified by all content sources


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Content
sources and crawl schedules.
3. On the Manage Content Sources page, in the Quick Launch, click Start all crawls.

Create managed properties


Use the following procedure, along with the decisions you recorded in the Plan managed
properties section of the Plan the end-user search experience worksheet
(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create managed properties.

Create managed properties


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click
Metadata property mappings.
3. On the Metadata Property Mappings page, click New Managed Property.
4. On the New Managed Property page, in the Name and type section, in the Property
name box, type the name of the managed property you want to create.
5. In the Description box, type a description for this managed property.
6. Under The type of information in this property, select a property type.
7. In the Mappings to crawled properties section, select one of the following:
• Include values from all crawled properties mapped. Select this option if you
want values from all crawled properties to be mapped. A query for a property in a
document in which all crawled properties are mapped returns a result if any of the
crawled properties that are mapped match the query.
• Include values from a single crawled property based on the order specified.
Select this option if you want only a single value mapped. When multiple crawled
properties are mapped to a managed property, the one that is chosen will be the first
in the list that has a value for a given document. You can reorder the list by using the
Move up and Move down buttons.
8. If you selected Include values from all crawled properties mapped, skip to step
12.
9. Click Add Mapping to add a mapping to the list.
10. The Crawled property selection dialog box appears. Configure the settings as
follows:
a. On the Select a category menu, click either All categories or a specific type of
document category (for example, Office or SharePoint).
b. In Select a crawled property, select a crawled property to map to the managed
property that you are adding.
Because the list of crawled properties is likely to be long, you can type the name (or
the first part of the name) of the property that you are looking for in the Crawled
property name box and then click Find.
c. Click OK.
11. Repeat steps 9 through 10 for each additional crawled property that you want to map
to this managed property.
12. On the New Managed Property page, in the Use in scopes section, select the Allow
this property to be used in scopes check box if you want this managed property to be
available for defining scopes.
13. Click OK.

Note:
Changes to the property mappings take effect on a document-by-document basis
as soon as a document is crawled, regardless of the type of the crawl. A full crawl
ensures that the changes are consistently applied to the entire index.

Create shared scopes


Use the following procedure, along with the decisions you recorded in the Plan scopes section of
the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?
LinkId=74967&clcid=0x409), to create shared scopes.

Create shared scopes


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Scopes section, click View scopes.
3. On the View Scopes page, click New Scope.
4. On the Create Scope page, in the Title and Description section, in the Title box,
type a title for the scope.
5. In the Description box, type a description for the scope that informs administrators
what the purpose of the scope is.

Note:
These descriptions are not visible to users.
6. Your credentials are automatically entered in the read-only Last modified by box.

Note:
Last modified by settings are not visible to users.
7. In the Target Results Page section, select one of the following:
• Use the default Search Results Page. Select this option if you want search
results from this scope to be presented by using the standard Search Results page.
• Specify a different page for searching this scope. Select this option if you
want search results from this scope to be presented on a custom page. If you select
this option, type the URL for the custom Search Results page in the Target results
page box.
8. Click OK.

Create scope rules


Use the following procedure, along with the decisions you recorded in the Plan scopes section of
the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?
LinkId=74967&clcid=0x409), to create scope rules.

The following table describes the four scope rule types that you can choose from when creating a
scope rule. For simplicity, a separate procedure is provided for each scope rule type.

Scope rule type: Web address
Purpose: Select this option if you want the scope to include or exclude content from any
resource in the search index that can be identified either by a URL (such as Web sites, file
shares, and Exchange public folders) or by a host name, domain name, or subdomain name.
• Folder. Select this option if you want to include or exclude items in the folder and
subfolders of the indicated URL (for example, http://site/subsite/folder).
• Hostname. Select this option if you want to specify a host name. All items in the host
name will be included or excluded from the scope (according to the behavior rules).
• Domain or subdomain. Select this option if you want to specify a domain or subdomain
(for example, widgets.contoso.com). All items in the domain or subdomain will be included
in or excluded from the scope.

Scope rule type: Property query
Purpose: Select this option if you want the scope to include or exclude content that has a
managed property with a particular value. For example, Author="John Doe".

Scope rule type: Content source
Purpose: Select this option if you want the scope to include or exclude content that was
crawled by using a particular content source.

Scope rule type: All content
Purpose: Select this option if the rule should not restrict the scope (the scope will include or
exclude all content in the search index).

Use the following procedure to open the Add Scope Rule page.

Open the Add Scope Rule page


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Scopes section, click View scopes.
3. On the View Scopes page, position the cursor over the scope that you want to edit,
click the arrow that appears, and then click Edit Properties and Rules on the menu that
appears.
4. On the Scope Properties and Rules page, in the Rules section, click New rule.

Use the following procedure to create scope rules by using the Web address scope rule type.

Create scope rules by using the Web address scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Web Address.
2. In the Web Address section, select one of the following options and provide the
address you want to associate with this rule:
• Folder. Select this option if you want to include or exclude items in the folder and
subfolders of the indicated URL (for example, http://site/subsite/folder).
• Hostname. Select this option if you want to specify a host name. All items in the
host name will be included or excluded from the scope (according to the behavior
rules).
• Domain or subdomain. Select this option if you want to specify a domain or
subdomain (for example, widgets.contoso.com). All items in the domain or
subdomain will be included in or excluded from the scope.
3. In the Behavior section, select one of the following options:
• Include. Select this option if you want the rule to be applied (if another rule
precludes its inclusion, it won't be included). The Include option is analogous to the
logical operator AND.
• Require. Select this option if you want the rule to be applied regardless of other
rules. The Require option is analogous to the logical operator OR.
• Exclude. Select this option if you want items that match this rule to be excluded
from the scope. The Exclude option is analogous to the logical operator AND NOT.
4. Click OK.
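
As an added example (not Office SharePoint Server code and not from this documentation), the following Python module shows which URLs each Web address rule kind matches: a Folder rule matches the folder itself and anything beneath it but not a sibling such as http://site/subsite/folder2, a Hostname rule matches one host exactly, and a Domain or subdomain rule matches the domain and every host beneath it. The constructed rule list, the case-insensitive comparison, and the matching_rules helper, which reports which rules fire for a URL, are this example's own; how the Include, Require, and Exclude results combine is left to the behavior descriptions above.

```python
from urllib.parse import urlsplit


def matches_web_address(kind, value, url):
    """True if `url` falls under a Web address scope rule of the given kind.

    kind is "folder", "hostname", or "domain" (the Domain or subdomain option).
    Comparison is case-insensitive (an assumption of this example).
    """
    host = (urlsplit(url).hostname or "").lower()
    if kind == "folder":
        base = value.rstrip("/").lower()
        target = url.lower()
        # The folder itself or anything beneath it; "folder2" is not beneath "folder".
        return target == base or target.startswith(base + "/")
    if kind == "hostname":
        return host == value.lower()
    if kind == "domain":
        domain = value.lower().lstrip(".")
        return host == domain or host.endswith("." + domain)
    raise ValueError("unknown Web address rule kind: " + kind)


def matching_rules(rules, url):
    """Return the (behavior, kind, value) rules that fire for `url`, in rule order."""
    return [r for r in rules if matches_web_address(r[1], r[2], url)]


# Constructed rules for one scope (hypothetical hosts under contoso.com).
RULES = [
    ("Include", "domain", "contoso.com"),
    ("Require", "folder", "http://intranet.contoso.com/sites/hr"),
    ("Exclude", "hostname", "archive.contoso.com"),
]

if __name__ == "__main__":
    for url in ("http://intranet.contoso.com/sites/hr/policy.docx",
                "http://intranet.contoso.com/sites/hr2/policy.docx",
                "http://archive.contoso.com/old.docx"):
        print(url, [r[0] + ":" + r[1] for r in matching_rules(RULES, url)])
```

A practical check when a scope returns unexpected results is to run the URL in question through matching_rules and compare the rules that fire with the behavior you intended for each one.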

Use the following procedure to create scope rules by using the Property query scope rule type.

Create scope rules by using the Property query scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Property
Query.
2. In the Property Query section, select the managed property that you want to use to
limit the scope from the Add property restrictions menu.
3. In the = box, type the string (value) that the managed property needs to match.
4. In the Behavior section, select one of the following options:
• Include. Select this option if you want the rule to be applied (if another rule
precludes its inclusion, it won't be included). The Include option is analogous to the
logical operator AND.
• Require. Select this option if you want the rule to be applied regardless of other
rules. The Require option is analogous to the logical operator OR.
• Exclude. Select this option if you want items that match this rule to be excluded
from the scope. The Exclude option is analogous to the logical operator AND NOT.
5. Click OK.

Use the following procedure to create scope rules by using the Content source scope rule type.

Create scope rules by using the Content source scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Content
source.
2. In the Content Source section, in the corresponding menu, select the content source
from the list that you want to associate with this rule.
3. In the Behavior section, select one of the following options:
• Include. Select this option if you want the rule to be applied (if another rule
precludes its inclusion, it won't be included). The Include option is analogous to the
logical operator AND.
• Require. Select this option if you want the rule to be applied regardless of other
rules. The Require option is analogous to the logical operator OR.
• Exclude. Select this option if you want items that match this rule to be excluded
from the scope. The Exclude option is analogous to the logical operator AND NOT.
4. Click OK.

Use the following procedure to create scope rules by using the All content scope rule type.

Create scope rules by using the All content scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select All Content.
2. Click OK.

Specify authoritative pages


Use the following procedure, along with the decisions you recorded in the Authoritative pages
section of the Plan the end-user search experience worksheet (http://go.microsoft.com/fwlink/?
LinkId=74967&clcid=0x409), to specify authoritative pages.

Specify authoritative pages


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Authoritative Pages section, click
Specify authoritative pages.
3. On the Specify Authoritative Pages page, in the Authoritative Web Pages section, in
the Most authoritative pages box, list the URLs that are central or authoritative.

Note:
Separate the URLs by hard returns so that you list one full URL per line.
4. In the Second-level authoritative pages box, list the URLs that are secondary.
5. In the Third-level authoritative pages box, list the URLs that are tertiary.

6. In the Non-authoritative Sites section, in the Sites to demote box, list the URLs
that you want to mark as unimportant when search results are returned (for example,
URLs of sites that contain outdated information but are kept for record-keeping).

Note:
Any URL or item whose prefix matches the provided URLs in the Sites to
demote box is demoted.
7. If you want the ranking calculations to begin after you click OK, in the Refresh Now
section, select the Refresh now check box. If the check box is cleared, ranking
calculations occur according to a predetermined schedule.
8. Click OK.

Create server name mappings


Use the following procedure, along with the decisions you recorded in the Server name
mappings section of the Plan the end-user search experience worksheet
(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to specify server name mappings.

Specify server name mappings


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Server
name mappings.
3. On the Server Name Mappings page, click New Mapping.
4. On the Add Server Name Mapping page, in the Address in index box, type the
address for the crawled content.
5. In the Address in search results box, type the address that you want users to see
on the Search Results page when they receive query results for the address you typed in
the Address in index box.
6. Click OK.

Manage search-based alerts


Search-based alerts are active by default. However, you can deactivate them. Refer to the
decision you recorded in the Search-based alerts section of the Plan the end-user search
experience worksheet (http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), and do the
following steps if you want to deactivate search-based alerts.

Deactivate search-based alerts


1. On the Shared Services Administration page, in the Search section, click Search
settings.
2. On the Configure Search Settings page, in the Crawl Settings section, click Search-based
alerts.
3. On the Configure Search-based Alerts page, click Deactivate.

Site collection–level configuration


The procedures in this section are performed at the site collection level. To perform these
procedures, you must be a site collection administrator for the site collection on which you want to
perform them.

Create scopes at the site collection level


Site collection administrators can choose to use scopes that were created at the SSP level, copy
scopes that were created at the SSP level and modify them, or create new site collection level
scopes.
Use the following procedure, along with the decisions you recorded in the Site-collection level
scopes section of the Plan the end-user search experience worksheet
(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to copy shared scopes at the site
collection level.

Copy shared scopes


1. On the top-level site of the site collection on which you want to create a scope, click
Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click
Search scopes.
3. On the View Scopes page, position the cursor over the name of the shared scope
you want to copy, and then click Make Copy on the menu that appears.

Note:
The copy of the shared scope appears in the Unused Scopes section of the
View Scopes page.

Use the following procedure, along with the decisions you recorded in the Site-collection level
scopes section of the Plan the end-user search experience worksheet
(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create scopes at the site
collection level.

Create scopes at the site collection level


1. On the top-level site of the site collection on which you want to create a scope, click
Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click
Search scopes.
3. On the View Scopes page, click New Scope.
4. On the Create Scope page, in the Title and Description section, type a brief title for
the scope that will best explain it to your users. You can also type a fuller description for
reference by site administrators.
5. Ignore the Display Groups section for now. We will assign display groups to scopes
later in this section.
6. In the Target Results Page section, select one of the following:
• Use the default Search Results Page. Select this option if you want search
results from this scope to be presented by using the standard Search Results page.
• Specify a different page for searching this scope. Select this option if you
want search results from this scope to be presented on a custom page. If you select
this option, type the URL for the custom Search Results page in the Target results
page box.
7. Click OK.

Create scope rules at the site collection level


Use the following procedure, along with the decisions you recorded in the Site-collection level
scopes section of the Plan the end-user search experience worksheet
(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create scope rules.
The following table describes the scope rule types that you can choose from when creating a site
collection level scope rule. For simplicity, a separate procedure is provided for each scope rule
type.

Scope rule type Purpose

Web address Select this option if you want the scope to include or exclude
content from any resource in the search index that can be
identified either by a URL (such as Web sites, file shares, and
Exchange public folders) or by a host name, domain name, or
subdomain name.
• Folder. Select this option if you want to include or exclude
items in the folder and subfolders of the indicated URL (for
example, http://site/subsite/folder).
• Hostname. Select this option if you want to specify a host
name. All items in the host name will be included or excluded
from the scope (according to the behavior rules).
• Domain or subdomain. Select this option if you want to
specify a domain or subdomain (for example,
widgets.contoso.com). All items in the domain or subdomain
will be included in or excluded from the scope.

Property query Select this option if you want the scope to include or exclude
content that has a managed property with a particular value. For
example, Author="John Doe".

All content Select this option if the rule should not restrict the scope (the
scope will include or exclude all content in the search index).

Use the following procedure to open the Add Scope Rule page.

Open the Add Scope Rule page


1. On the top-level site of the site collection on which you want to create a scope rule,
click Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click
Search scopes.
3. On the View Scopes page, position the cursor over the scope that you want to edit,
click the arrow that appears, and then click Edit Properties and Rules on the menu that
appears.

Note:
You cannot add scope rules to shared scopes at the site collection level.
4. On the Scope Properties and Rules page, in the Rules section, click New rule.

Use the following procedure to create scope rules by using the Web address scope rule type.

Create scope rules by using the Web address scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Web Address.
2. In the Web Address section, select one of the following options and provide the
address you want to associate with this rule:
• Folder. Select this option if you want to include or exclude items in the folder and
subfolders of the indicated URL (for example, http://site/subsite/folder).
• Hostname. Select this option if you want to specify a host name. All items in the
host name will be included or excluded from the scope (according to the behavior
rules).
• Domain or subdomain. Select this option if you want to specify a domain or
subdomain (for example, widgets.contoso.com). All items in the domain or
subdomain will be included in or excluded from the scope.
3. In the Behavior section, select one of the following options:
• Include. Select this option if you want the rule to be applied (if another rule
precludes its inclusion, it won't be included). The Include option is analogous to the
logical operator AND.
• Require. Select this option if you want the rule to be applied regardless of other
rules. The Require option is analogous to the logical operator OR.
• Exclude. Select this option if you want items that match this rule to be excluded
from the scope. The Exclude option is analogous to the logical operator AND NOT.

4. Click OK.
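As an added illustration that is not part of the original guide, the following Python matcher shows how the three Web address rule kinds described above (Folder, Hostname, Domain or subdomain) select URLs from the index, and how the plain prefix test the guide describes for the Sites to demote box differs from the Folder rule's path-segment boundary. The sample index entries are constructed, and the function names are assumptions for this example, not a SharePoint API.

```python
from urllib.parse import urlsplit

# Constructed sample index entries (not from the original guide): URLs as a
# crawler might have recorded them.
SAMPLE_INDEX = [
    "http://site/subsite/folder/report.docx",
    "http://site/subsite/folder/2008/q4.xlsx",
    "http://site/subsite/folder2/other.docx",
    "http://intranet.contoso.com/hr/policy.aspx",
    "http://widgets.contoso.com/catalog.aspx",
    "http://old.widgets.contoso.com/index.html",
    "http://notwidgets.contoso.com/page.aspx",
    "http://archive/records/2005/minutes.doc",
    "http://archive-new/records/plan.doc",
]


def _host(url: str) -> str:
    """Host part of a URL, lower-cased (urlsplit already lower-cases it)."""
    return urlsplit(url).hostname or ""


def matches_folder(url: str, folder_url: str) -> bool:
    """Folder rule: the item lives in the folder or one of its subfolders.
    The boundary is a path segment, so http://site/subsite/folder matches
    http://site/subsite/folder/report.docx but not .../folder2/other.docx."""
    f, u = urlsplit(folder_url), urlsplit(url)
    if (u.scheme.lower(), _host(url)) != (f.scheme.lower(), _host(folder_url)):
        return False
    fpath = f.path.rstrip("/")
    return u.path == fpath or u.path.startswith(fpath + "/")


def matches_hostname(url: str, hostname: str) -> bool:
    """Hostname rule: every item on exactly that host."""
    return _host(url) == hostname.lower()


def matches_domain(url: str, domain: str) -> bool:
    """Domain or subdomain rule: the host is the domain itself or a label
    below it, so notwidgets.contoso.com is not under widgets.contoso.com."""
    h, d = _host(url), domain.lower()
    return h == d or h.endswith("." + d)


def matches_web_address_rule(url: str, kind: str, value: str) -> bool:
    """Dispatch on the rule kind chosen in the Web Address section."""
    matchers = {
        "folder": matches_folder,
        "hostname": matches_hostname,
        "domain": matches_domain,
    }
    return matchers[kind](url, value)


def select(index, kind: str, value: str):
    """All index entries a single Web address rule would match."""
    return [u for u in index if matches_web_address_rule(u, kind, value)]


def is_demoted(url: str, sites_to_demote) -> bool:
    """Sites to demote: the guide states that any URL whose prefix matches a
    listed URL is demoted. That is a plain string-prefix test, so listing
    http://archive also demotes http://archive-new/... ; list http://archive/
    (with the trailing slash) to demote only that host."""
    return any(url.lower().startswith(s.lower()) for s in sites_to_demote)


if __name__ == "__main__":
    for kind, value in [("folder", "http://site/subsite/folder"),
                        ("hostname", "widgets.contoso.com"),
                        ("domain", "widgets.contoso.com")]:
        print(kind, value, "->", select(SAMPLE_INDEX, kind, value))
    for demote in (["http://archive"], ["http://archive/"]):
        print("demote", demote, "->",
              [u for u in SAMPLE_INDEX if is_demoted(u, demote)])
```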

Use the following procedure to create scope rules by using the Property Query scope rule type.

Create scope rules by using the Property Query scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select Property
Query.
2. In the Property Query section, select the managed property that you want to use to
limit the scope from the Add property restrictions list.
3. In the = box, type the string (value) that the managed property needs to match.
4. In the Behavior section, select one of the following options:
• Include. Select this option if you want the rule to be applied (if another rule
precludes its inclusion, it won't be included). The Include option is analogous to the
logical operator AND.
• Require. Select this option if you want the rule to be applied regardless of other
rules. The Require option is analogous to the logical operator OR.
• Exclude. Select this option if you want items that match this rule to be excluded
from the scope. The Exclude option is analogous to the logical operator AND NOT.
5. Click OK.

Use the following procedure to create scope rules by using the All content scope rule type.

Create scope rules by using the All content scope rule type
1. On the Add Scope Rule page, in the Scope Rule Type section, select All Content.
2. Click OK.

Manage display groups


To support a customized search experience, you can set up new display groups with which to
associate your scopes, and you can assign scopes to the default display groups. Site
administrators can also control the order in which scopes appear within a particular display group.
After you create a display group, designers can modify the Search Box Web Part to display it.

Create a new display group


Use the following procedure, along with the decisions you recorded in the Display groups
section of the Plan the end-user search experience worksheet
(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create display groups at the site
collection level and to assign the scopes you want to them.

Create display groups


1. On the top-level site of the site collection on which you want to create a display
group, click Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click
Search scopes.
3. On the View Scopes page, click New Display Group.
4. On the Create Scope Display Group page, type a title and description that easily
identifies the purpose of the group.
5. In the Scopes section, select the check box next to each scope that you want to
include in this display group. You can manage the ordering of the scopes in the group by
using the Position from Top lists.
6. In the Default Scope section, in the Default Scope list, select the scope that you
want to be applied if users do not make a choice on their own.
7. Click OK.

Assign scopes to default display groups


Use the following procedure, along with the decisions you recorded in the Display groups section
of the Plan the end-user search experience worksheet
(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to assign scopes to the default
Search Drop-down and Advanced Search display groups.

Assign scopes to default display groups


1. On the top-level site of the site collection on which you want to assign scopes, click
Site actions, point to Site Settings, and then click Modify All Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click
Search scopes.
3. On the View Scopes page, in the Title column, click Search Dropdown.
4. On the Edit Scope Display Group page, in the Scopes section, select the check
boxes for the scopes you want to be included in this display group, and clear the check
boxes for the scopes you want to remove from this display group.
5. Optionally use the Position from Top lists to specify the order in which the scopes
will appear to the user for this display group.
6. Click OK.
7. On the View Scopes page, in the Title column, click Advanced Search.
8. On the Edit Scope Display Group page, in the Scopes section, select the check
boxes for the scopes you want to be included in this display group, and clear the check
boxes for the scopes you want to remove from this display group.
9. Optionally use the Position from Top lists to specify the order in which the scopes
will appear to the user for this display group.
10. Click OK.

Modify the Search Box Web Part for a new display group
Use the following procedure to modify the Search Box Web Part for a new display group.

Modify the Search Box Web Part for a new display group
1. Go to the Search Center page on the site collection on which you want to modify the
Search Box Web Part.
2. Click Site actions, and then click Edit Page.
3. In the search box, click Edit, and then click Modify Shared Web Part.
4. In the Search Box tool pane, click the plus sign (+) next to Miscellaneous.
5. In the Scope Display Group text box, type the name of the display group that you
want to use, and then click Apply.
6. Click OK to close the tool pane.
7. On the Search Center page, click either Publish or Check In to Share Draft,
depending on your site permissions and workflow.

Create keywords and Best Bets


Search keywords and Best Bets enable you to provide two important features to help your users
get the search results they need:
• Search keywords enable you to create a glossary of important terms within your
organization. When a user types the keyword in a search query, the definition that has been
created for that keyword is displayed at the top of the Search Results page.
• Best Bets enable you to prominently present editorially selected search results. Best Bets
are URLs to pages, documents, or external Web sites that you associate with particular
search keywords. When a user types a keyword in a search query that has one or more Best
Bets, the Search Results page prominently displays the Best Bet URLs, including the title and
description of each one.
Best Bets are most helpful in situations in which a site administrator wants to promote specific
pages. Because the Best Bet URLs are displayed prominently on the Search Results page, end
users may be more inclined to view them.
Use the following procedure, along with the decisions you recorded in the Keywords and Best
Bets section of the Plan the end-user search experience worksheet
(http://go.microsoft.com/fwlink/?LinkId=74967&clcid=0x409), to create keywords and Best Bets.

Create keywords and Best Bets


1. On the top-level site of the site collection on which you want to create keywords and
Best Bets, click Site actions, point to Site Settings, and then click Modify All Site
Settings.
2. On the Site Settings page, in the Site Collection Administration section, click
Search keywords.
3. On the Manage Keywords page, click Add Keyword.

4. On the Add Keyword page, in the Keyword Information section, in the Keyword
Phrase box, type the keyword phrase you want to create.
5. In the Synonyms box, type the synonyms you want to associate with this keyword
phrase. You can type more than one synonym by separating them with semicolons.
6. If you want to associate a Best Bet with this keyword, in the Best Bets section, click
Add Best Bet. Otherwise, skip to step 13.
7. If this is the first Best Bet you will create on this site collection, skip to step 9.
Otherwise, in the Add Best Bet dialog box, do one of the following:
• To create a new Best Bet, select Add new best bet and then skip to step 9.
• To select an existing Best Bet, select Select existing best bet, click the Best Bet
you want from the Select best bets from the list below box, and then click OK. Skip
to step 13.
8. In the URL box, type the URL you want to associate with this Best Bet.
9. In the Title box, type the title you want to associate with this Best Bet. This title
appears in the Select best bets from the list below box, when selecting an existing
Best Bet.
10. In the Description box, type a description for this Best Bet. This description appears
with the Best Bet on the Search Results page.
11. Click OK.
12. If you want to create a definition for this keyword, in the Keyword Definition section,
type the definition that you want to appear next to Best Bets for this keyword on the
Search Results page (optional).
13. In the Contact section, type the user name of the person to inform when the keyword
is past its review date (optional).
14. In the Publishing section, you can optionally choose end and review dates for this
keyword.
15. Click OK.
16. Repeat steps 4 through 16 to create additional keywords and Best Bets.

A. Configure personalization

Chapter overview: Configure personalization
In this section:
• Configure personalization permissions
• Configure connections to personalization services
• Configure targeted content
• Configure personalization sites
• Configure policies for Profile Services
The personalization service in Microsoft Office SharePoint Server 2007 uses information about
users in your organization that is stored in directory services. That information can be
supplemented with information about users from line-of-business applications. Personalization
information can then be displayed in user profiles, and the properties in user profiles can be used
to target content.
Consult the plan for personalization in your initial deployment, and then configure the options that
you have selected.

Configure personalization permissions


Before you can use personalization properties in your deployment, you must configure access to
the service. You must enable access for administrators of the Shared Services Provider (SSP) to
the service and to the associated Web application on which the SSP is hosted. You must also
configure user permissions to view and share personalization information from My Sites.
For more information about configuring personalization permissions, see Configure
personalization permissions.

Configure connections to personalization services


The administrator of personalization services for the SSP configures connections to directory
services to include properties for the accounts of all users who view and share information across
the organization. If some groups of users work entirely separately, those accounts connect to
separate SSPs. Directory services can include Active Directory directory services and Lightweight
Directory Access Protocol (LDAP) directory services.
After configuring connections to personalization services, you must also configure the settings to
regularly import properties from each directory services connection. Each property is mapped to a
property in the user profile.
For more information about configuring connections to personalization services, see Configure
policies for Profile Services.

Configure targeted content
After the SSP administrator has configured access to directory services and has configured user
profiles, it is time to configure targeted content.
Content is primarily targeted by using audiences. Audiences are defined by using rules based on
properties from directory services. Lists, sites, and other content are then targeted to those
audiences so that only members of targeted audiences can see the content.
Some kinds of content are not targeted to users until their locations are selected by
administrators as trusted. The SSP administrator configures trusted My Site locations, published
links to Office client applications, and personalization site links so that the correct content is
available for the right users.
For more information about targeting content, see Configure targeted content.

Configure personalization sites


Personalization sites use targeted Web Parts and the Current User Filter Web Part to target
information to users based on their account name or display name, so that each person sees
personalized information on the site. This differs from other targeted Web Parts in that the
information is targeted by user and not by audience.
For more information about configuring personalization sites, see Configure personalization sites.

Configure policies for Profile Services


After configuring user profiles, targeted content, and personalization sites, SSP administrators for
the personalization service can configure privacy policies that determine how that information is
viewed and how it can be shared.
For more information about configuring policies, see Configure policies for Profile Services.
See Also
Plan for personalized content and sites (http://technet.microsoft.com/en-us/library/cc262525.aspx)

Configure personalization permissions
In this section:
• Configure SSP administrator permissions for Profile Services
• Configure access to SSP pages
• Configure user permissions for personalization
• Configure access to trusted My Site host locations
Before enabling personalization features in your deployment, you must first configure permissions
to personalization features. Although some permissions are configured by default for deployments
using Active Directory directory services, other configuration options vary according to the specific
plan for deployment.
Administrators of the Shared Services Provider (SSP) have limited ability to configure
personalization services. The administration options for personalization services are associated
with a set of permissions for different personalization features. Administrators can have access to
some or all of these administration options.
The users of the SSP have access to personal features associated with My Sites. Administrators
of personalization permissions are responsible for configuring any changes to the default
permissions for users.

Configure SSP administrator permissions for Profile Services


SSP administrators can view the SSP Home page and some configuration options, but many of
the personalization management tasks are only available to administrators who have additional
permissions. These additional configuration tasks include:
• Managing permissions.
• Managing user profiles.
• Managing audiences.
• Managing portal usage for personalization.
By default, the account that was used to install Microsoft Office SharePoint Server 2007 on the
server has all of these permissions. This account can be used to delegate permissions to other
users.
In some organizations, one SSP administrator will have all permissions, and access to every
management task. In other organizations, the permissions will be distributed among more than
one administrator. Refer to your deployment plan when adding permissions for administrators.
Use the following procedure to configure administrator permissions to the SSP for personalization
services.

Configure administrator permissions to the SSP for personalization sites
1. Open the administration page for the SSP.
To open the administration page for the SSP, perform the following:
a. On the top navigation bar, click Application Management.
b. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm’s shared services.
c. On the Manage this Farm’s Shared Services page, there is a link to each SSP
and links to the Web applications for each SSP. Click the link for the SSP that you
want to open.
You can also access the SSP by clicking the link to the SSP Home page in the Quick
Launch.
2. On the SSP Home page, in the User Profiles and My Sites section, click
Personalization services permissions.
3. On the Manage Permissions page, click Add Users/Groups.
4. On the Add Users/Groups page, in the Choose Users section, type the name of the
users and groups that you want to add. If a user or group is already on the list, select the
check box for that user or group, and then click Modify Permissions of Selected Users.
5. In the Choose Permissions section, select the permissions that you want for the
added users and groups:
• To enable administration of user profiles, select Manage user profiles. Users
who have this permission can access the User profiles and properties page and the
Profile services policies page.
• To enable administration of permissions to personalization services, select
Manage permissions.
• To enable administration of audiences, select Manage Audiences.
• To enable administration of the portal usage reporting service, select Manage
usage analytics.
6. Click Save.

Configure access to the SSP pages


SSP administrators managing Profile Services must have access to the SSP pages for Profile
Services. This access is in addition to the separate permissions to the service. To access the SSP
Home page, an account must be a member of the Site Collection Administrators group.
By default, the account that set up the SSP is a member of the Site Collection Administrators
group. For the first SSP in the initial deployment, that is the account that was used to install Office
SharePoint Server 2007. If that same account is used to administer the SSP, no additional steps
are necessary. In most organizations, SSP administration will be delegated to one or more
additional users. The account used to set up the SSP can be used to add other accounts to the
Site Collection Administrators group.

Use the following procedure to configure access to SSP pages.

Configure access to SSP pages


1. Open the administration page for the SSP.
To open the administration page for the SSP, perform the following:
a. On the top navigation bar, click Application Management.
b. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm’s shared services.
c. On the Manage this Farm’s Shared Services page, there is a link to each SSP
and links to the Web applications for each SSP. Click the link for the SSP that you
want to open.
You can also access the SSP by clicking the link to the SSP Home page in the Quick
Launch.
2. On the SSP Home page, click the Site Actions menu.
3. In the Site Actions menu, click Site Settings.
4. On the Site Settings page, in the Users and Permissions section, click Site
collection administrators.
5. On the Site Collection Administrators page, in the Site Collection Administrators
section, perform the following:
a. Type the name or account that you want to add to the Site Collection
Administrators group.
b. Click the Check Names icon. If the name or account is found in directory
services, it will appear as a link in the text box.
c. If the name or account was not found, or if you want to search for more users,
click the Browse icon.
d. On the Select People dialog box, in the Find box, type part or all of the user's
name or account name, and then press Enter. All accounts that match appear in the
text box.
e. Select one or more accounts that you want to add, and then click Add.
f. When you are done adding SSP administrators, click OK.
6. On the Site Collection Administrators page, click OK.

Configure user permissions for personalization


After configuring permissions for administrators, it is time to configure permissions for other
users. By default, all users have both of the following permissions:
• Use personal features
• Create personal site
Users who have the Use personal features permission can see personalized information in sites,
including user profiles for other users. Users who have both the Use personal features permission
and the Create personal site permission can create a My Site by clicking the My Site link in the
top navigation bar.
In some organizations, personalization features may not be enabled. In these scenarios, the
administrator with permission to manage permissions would remove these permissions for all
authenticated users.
In other organizations, only some users will have access to personalization features. In these
scenarios, the personalization permissions would be removed for the All Authenticated Users
group, and another group would be created containing users who have both permissions.
In some organizations, My Sites will be created on a case-by-case basis, or created by managers
during deployment. In these scenarios, users would have the Use personal features permission,
but not the Create personal site permission.
Because these permissions are managed in the same place as administrator permissions, it is
possible to create several groups with different combinations of permissions. It is recommended
that you carefully plan group permissions during the initial deployment so that you can minimize
administration tasks during regular operations.
Use the following procedure to configure user permissions for personalization.

Configure user permissions for personalization


1. On the SSP home page, in the User Profiles and My Sites section, click
Personalization services permissions.
2. On the Manage Permissions page, click Add Users/Groups.
3. On the Add Users/Groups page, in the Choose Users section, type the name of the
users and groups that you want to add. If a user or group is already on the list, select the
check box for that user or group, and then click Modify Permissions of Selected Users.
4. In the Choose Permissions section, select the permissions that you want for the
added users and groups:
• To enable creation of My Sites, select Create personal site.
• To enable access to personalization features, select Use personal features.
5. Click Save.

Access to personalized information can also be modified by configuring profile services policies
for users. For more information about configuring profile services policies, see Configure policies
for Profile Services.

Configure access to trusted My Site host locations


Users of personalization services have the permissions given to them by administrators, but
these permissions are limited to the services consumed from a single SSP.
While good planning can avoid many situations where users need access to multiple My Sites,
some scenarios may require that a user have access to more than one My Site host location. The
typical scenario that requires multiple My Site host locations is a geographically distributed
deployment with multiple sets of shared services in different locations. In these scenarios, it is
common for each region to have its own set of My Sites and personalization features based on
the needs of each region.
Use the following procedure to add trusted My Site host locations.

Add trusted My Site host locations


1. On the SSP home page, in the User Profiles and My Sites section, click Trusted
My Site host locations.
2. On the Trusted My Site Host Locations page, click New to add another Trusted My
Site host location.
3. On the Trusted My Site Host Locations: New Item page, in the URL section, type the
URL of the trusted My Site host location, and type a description for the location.
4. In the Target Audiences section, select one or more audiences to use. For trusted
My Site locations, the relevant audiences typically represent the set of users that belong
to each My Site host location.
5. Click OK.

During regular operations, in response to changes in directory services, one or more users often
end up with My Sites in different locations. Trusted My Site host locations can be used to provide
access to personalization features targeted for only these users, without enabling access to all
users.
See Also
Configure policies for Profile Services
Configure targeted content

Configure connections to Profile Services
In this section:
• Add import connections
• Configure import connections
• Configure user profiles
Personal information about the users in your organization is stored in directory services and line-
of-business applications and imported to the user profile store so that it can be used to present
personalized or targeted content in sites, and to search for people in your organization.
When the administrator of the Shared Services Provider (SSP) configures user profile imports,
the import connections necessary for those settings are configured automatically except for
custom connections. Custom import connections must be configured separately.

Configure import settings


Import settings are used to regularly import properties from each directory services connection.
Each property is mapped to a property in the user profile.
Use the following procedure to configure import settings.

Configure import settings


1. Open the administration page for the SSP.
To open the administration page for the SSP, do the following:
a. On the top navigation bar, click Application Management.
b. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm’s shared services.
c. On the Manage this Farm’s Shared Services page, there is a link to each SSP
and links to the Web applications for each SSP. Click the link for the SSP that you
want to open.
You can also access the SSP by clicking the link to the SSP home page in the Quick
Launch.
2. On the SSP home page, in the User Profiles and My Sites section, click User
profiles and properties.
3. On the User Profiles and Properties page, in the Profiles and Import Settings
section, click Configure profile import.
4. On the Configure Profile Import page, in the Source section, select the source for the
import. This is usually the current domain, or the entire forest.

Note:
Changing this setting will delete any manually configured connections for the
current source.
5. In the Default Access Account section, select Specify Account and type a name
and password for the access account.

Note:
It is recommended that you specify an account, rather than relying on the default
content access account. To use the default content access account, select Use
Default Content Access Account.
6. Depending on your plan for scheduling user profile imports, select Schedule full
import in the Full Import Schedule section, or select Schedule incremental import in
the Incremental Import Schedule section, and then select the day and time to schedule
the import.
7. Click OK.

Before continuing with configuration of personalization features, ensure that you have imported all
user profiles at least once. To run a full import of user profiles:
• On the User Profiles and Properties page, in the Profile and Import Settings section,
click Start full import.

Add import connections


The administrator of personalization services for the SSP configures import connections, adding
accounts for all users who are sharing personalized information by using the SSP. In deployments
that have groups of isolated users, personalized information is isolated by using multiple SSPs. In
deployments that have multiple SSPs, the SSP administrator must add connections between
SSPs.
Connections to directory services can include Active Directory directory services and Lightweight
Directory Access Protocol (LDAP) directory services. You can add a connection to the Business
Data Catalog, but it is recommended that you first add import connections for directory services.
Most of these connections are configured automatically when import settings are configured. You
can change the default configuration options or add custom import connections.
Use the following procedure to add an import connection.

Add an import connection


1. Open the administration page for the SSP.
To open the administration page for the SSP, perform the following:
a. On the top navigation bar, click Application Management.
b. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm's shared services.
c. On the Manage this Farm's Shared Services page, there is a link to each SSP
and links to the Web applications for each SSP. Click the link for the SSP that you
want to open.
You can also access the SSP by clicking the link to the SSP home page in the Quick
Launch.
2. On the SSP home page, in the User Profiles and My Sites section, click User
profiles and properties.
3. On the User Profiles and Properties page, in the Profile and Import Settings
section, click View import connections.
4. On the View Import Connections page, click Create New Connection.
5. To add a connection to Active Directory directory services:
a. On the Add Connection page, in the Connection Settings section, on the Type
menu, click Active Directory.
b. In the Domain name text box, type the domain name for the domain that
contains the information that you want to import.
c. Select Auto discover domain controller if the specific domain controller is not
important. To select a specific domain controller, select Specify a domain
controller, and then in the Domain controller name menu, click the name of a
specific domain controller.
d. In the Port text box, type the number of the port to use to connect to the domain.
To use SSL to help secure the connection, select the Use SSL-secured connection
check box, and type a port number that is configured to use SSL in the Port text
box.
e. To minimize the performance impact on the domain controller, type a number of
seconds in the Time out text box, and select Enable Server Side Incremental.

Note:
The Enable Server Side Incremental option must be selected if you are
planning to perform incremental imports.
6. To add a connection to an Active Directory resource:
a. In the Connection Settings section, on the Type menu, click Active Directory
Resource.
b. In the Domain name text box, type the domain name for the domain that
contains the information that you want to import.
c. Select Auto discover domain controller if the specific domain controller is not
important. To select a specific domain controller, select Specify a domain
controller, and then in the Domain controller name menu, click the name of a
specific domain controller.
d. In the Port text box, type the number of the port to use to connect to the domain.
To use SSL to help secure the connection, select the Use SSL-secured connection
check box, and type a port number that is configured to use SSL in the Port text
box.
e. To minimize the performance impact on the domain controller, type a number of
seconds in the Time out text box, and select Enable Server Side Incremental.
f. In the Master Forest Connection Settings section, in the Domain name text
box, type the domain name for the master forest associated with the Active Directory
resource that you want to import.
g. Select Auto discover domain controller if the specific domain controller for the
master forest is not important. To select a specific domain controller, select Specify a
domain controller, and then in the Domain controller name menu, click the name
of a specific domain controller.
h. In the Port text box, type the number of the port to use to connect to the domain.
To use SSL to help secure the connection, select the Use SSL-secured connection
check box, and type a port number that is configured to use SSL in the Port text
box.
i. Select Specify Account and type the account name and password that you want to
use to import user profiles from this connection.

Note:
It is recommended that you specify an account, rather than relying on the
default content access account. To use the default content access account,
select Use Default Account.
7. To add a connection to LDAP directory services:
a. On the Add Connection page, in the Connection Settings section, in the Type
menu, click LDAP Directory.
b. In the Connection name text box, type the name of the connection.
c. In the Directory service server name text box, type the name of the server for
the directory service.
d. In the Port text box, type the number of the port to use to connect to the domain.
To use SSL to help secure the connection, select the Use SSL-secured connection
check box, and type a port number that is configured to use SSL in the Port text
box.
e. To minimize the performance impact on the domain controller, type a number of
seconds in the Time out text box, and select Enable Server Side Incremental.
f. In the Providername text box, type the name of the provider for this connection.
g. In the Username attribute text box, type the name of the attribute to import.

Note:
This attribute is the identification attribute for each entry in LDAP directory
services, associated with a single user or account. By default, this is the uid
attribute.
8. In the Search Settings section, in the Search base text box, type the distinguished
name of the directory node from which to import the users. If you do not know the
distinguished name, click the Auto Fill Root Search Base button.
9. In the User filter text box, you can add new query clauses to the default query to
filter which user profiles are imported.
10. Under Scope, select One level to import one level of user profiles, or Subtree to
import all user profiles under the search base.
11. To improve performance, you can type a maximum number of user profiles to import
in the Page Size text box, and type a maximum number of seconds for the import in the
Page time out text box.
12. In the Authentication Information section, select Specify Account and type the
account name and password that you want to use to import user profiles from this
connection.

Note:
It is recommended that you specify an account, rather than relying on the default
content access account. To use the default content access account, select Use
Default Account.
13. Click OK.

For most connections, unless you have a specific need to narrow the scope of the import or limit
the impact on the servers for directory services, you can accept the default values that appear on
the Add Connection page. If you have non-user accounts in Active Directory, such as accounts
used for testing, you might want to filter out those accounts. Configuration settings for
connections can be modified to improve performance as part of regular operations.
For more information about the exact settings to use when importing user profiles, see the
technical reference documentation for Microsoft Office SharePoint Server 2007. For more
information about Active Directory, see the documentation for Active Directory.
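The settings walked through above (Port, Use SSL-secured connection, Enable Server Side Incremental, Search base, User filter, Scope, Specify Account) decide how much directory data crosses the network, under which identity, and how much of the directory is pulled in. This added example, which is not part of the Office SharePoint Server documentation, reviews two constructed connection definitions, one with the default-style settings and one corrected; the dictionary keys mirror the labels on the Add Connection page but are this example's own convention, and the server name, search base and SSL port list are assumptions.

```python
"""Pre-deployment review of profile import connection settings (added example).

The dictionary keys mirror the labels on the Add Connection page but are this
example's own convention, not a SharePoint API.  Server names and search bases
are constructed sample values.
"""
from typing import Dict, List

# Ports that normally carry SSL-protected LDAP: 636 (LDAPS) and 3269 (global
# catalog over SSL).  Assumption of this example; confirm against your own
# directory servers.
SSL_PORTS = {636, 3269}

# Active Directory filter clause that excludes disabled accounts, using the
# LDAP_MATCHING_RULE_BIT_AND rule on userAccountControl (bit 2 = disabled).
# Suggested by this example; the page itself only says to filter non-user accounts.
DISABLED_ACCOUNT_CLAUSE = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"


def review_connection(conn: Dict, incremental_scheduled: bool) -> List[str]:
    """Return findings for one import connection; an empty list means no issues.

    incremental_scheduled is True when an incremental import schedule was set
    on the Configure Profile Import page.
    """
    findings: List[str] = []
    port = int(conn["Port"])
    ssl = bool(conn.get("Use SSL-secured connection"))

    # Transport: the import account's credentials and every imported attribute
    # travel over this connection, so it should be SSL-secured and the port
    # must match the checkbox.
    if ssl and port not in SSL_PORTS:
        findings.append(f"SSL is selected but port {port} is not an SSL port; "
                        "enter the port configured for SSL on the directory server")
    if not ssl:
        findings.append(f"Connection to {conn['Server']} on port {port} is not "
                        "SSL-secured; select Use SSL-secured connection")
        if port in SSL_PORTS:
            findings.append(f"Port {port} is an SSL port but Use SSL-secured "
                            "connection is not selected; the two settings do not match")

    # Identity: a dedicated import account keeps directory read rights separate
    # from the crawl account and makes directory audit entries attributable.
    if conn.get("Account") != "Specify Account":
        findings.append("Import relies on the default content access account; "
                        "select Specify Account and use a dedicated import account")

    # Incremental imports need the directory to report changes.
    if incremental_scheduled and not conn.get("Enable Server Side Incremental"):
        findings.append("Incremental import is scheduled but Enable Server Side "
                        "Incremental is not selected")

    # Scope: an unfiltered Subtree import pulls in every entry below the
    # search base, test and service accounts included.
    user_filter = conn.get("User filter", "")
    if not conn.get("Search base"):
        findings.append("No Search base; the import has no defined starting node")
    if conn.get("Scope") == "Subtree" and not user_filter:
        findings.append("Subtree scope with an empty User filter imports every "
                        "entry under the search base")
    if conn["Type"] == "Active Directory" and DISABLED_ACCOUNT_CLAUSE not in user_filter:
        findings.append("User filter does not exclude disabled accounts; consider "
                        f"adding {DISABLED_ACCOUNT_CLAUSE}")
    return findings


# Constructed sample: settings an administrator might accept as offered.
WEAK_CONNECTION = {
    "Type": "Active Directory",
    "Server": "dc01.corp.example",          # constructed name
    "Port": 389,
    "Use SSL-secured connection": False,
    "Time out": 180,
    "Enable Server Side Incremental": False,
    "Account": "Use Default Account",
    "Search base": "DC=corp,DC=example",    # constructed value
    "User filter": "(&(objectCategory=person)(objectClass=user))",
    "Scope": "Subtree",
}

# The same connection with the page's recommendations applied.
HARDENED_CONNECTION = {
    **WEAK_CONNECTION,
    "Port": 636,
    "Use SSL-secured connection": True,
    "Enable Server Side Incremental": True,
    "Account": "Specify Account",
    "User filter": "(&(objectCategory=person)(objectClass=user)"
                   + DISABLED_ACCOUNT_CLAUSE + ")",
}

if __name__ == "__main__":
    for name, conn in (("weak", WEAK_CONNECTION), ("hardened", HARDENED_CONNECTION)):
        print(name, review_connection(conn, incremental_scheduled=True) or ["no findings"])
```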
After you have configured import connections to directory services, you can add a connection for
additional properties imported from the Business Data Catalog. Unlike directory services, it is not
possible to create user profiles from the Business Data Catalog. You can only add Business Data
Catalog data to existing user profiles imported from directory services, although you can add as
much or as little data as you want.
Use the following procedure to add an import connection to the Business Data Catalog.

Add an import connection to the Business Data Catalog


1. On the View Import Connections page, click Create New Connection.
2. On the Add Connection page, in the Connection Settings section, in the Type
menu, click Business Data Catalog.
3. In the Connection name text box, type the name of the connection.
4. In the Domain name text box, type the domain name for the domain that contains
the information that you want to import.
5. In the Business Data Catalog Entity menu, select the name of the business data
type that contains the data field to import as a user profile property.
6. Under Connection, select Connect User Profile Store to Business Data Catalog
Entity as a 1:1 mapping, and then select a profile property that maps to the business
data type in the Return items identified by this profile property menu.
7. To import multiple items for the business data type, select Connect User Profile
Store to Business Data Catalog Entity as a 1:many mapping, select a property to
filter by in the Filter items by menu, and then type a property for the filter value in the
Use this profile property as the filter value menu.
8. Select Auto discover domain controller if the specific domain controller is not
important. To select a specific domain controller, select Specify a domain controller,
and then in the Domain controller name menu, click the name of a specific domain
controller.
9. In the Port text box, type the number of the port to use to connect to the domain. To
use SSL to help secure the connection, select the Use SSL-secured connection check
box, and type a port number that is configured to use SSL in the Port text box.
10. To minimize the performance impact on the domain controller, type a number of
seconds in the Time out text box, and select Enable Server Side Incremental.
11. In the Providername text box, type the name of the provider for this connection.
12. In the Username attribute text box, type the name of the attribute to import.

Note:
This attribute is the identification attribute for each entry in the Business Data
Catalog for this business data type.

Configure user profiles


You can add properties to user profiles other than those that are imported from directory services
and the Business Data Catalog. These properties can be mapped to existing properties so that
their values can be automatically updated during profile imports.
During initial deployment, add the additional properties that you identified during user profile
planning.
Use the following procedure to add properties to user profiles.

Add properties to user profiles


1. On the User Profiles and Properties page, in the User Profile Properties section,
click Add profile property.
2. On the Add User Profile Property page, in the Property Settings section, type a
name and display name for the property.

Note:
If your deployment uses multiple languages, you can provide alternative display
names for each language by clicking the Edit Languages button, clicking Add
Language, selecting a language from the menu, and then typing the display
name in the new language. You can add display names for any of the available
languages. The display name that appears depends on the language used by the
user viewing the property.
3. On the Type menu, select the data type for the property.
4. On the Length menu, type the maximum number of characters allowed for values for
this property.
5. To allow multiple values for this property, select the Allow multiple values check
box, and then select an option from the Multivalue Separator menu.

Note:
If you select the Allow multiple values check box, the property will be
permanently set as a multi-valued property. You cannot change this setting after
you have selected it.
6. To allow users to select values from a list of choices, select the Allow choice list
check box.
7. In the User Description section, type a description that provides instructions for
users who are adding values for this property.

Note:
If your deployment uses multiple languages, you can provide alternative
descriptions for each language by clicking the Edit Languages button, clicking
Add Language, selecting a language from the menu, and then typing the display
name in the new language. You can add descriptions for any of the available
languages. The description that appears depends on the language used by the
user viewing the property.
8. In the Policy Settings, Edit Settings, and Display Settings sections, select a policy
setting and default privacy setting for this property, select whether users can edit values
for this property, and configure display options. For more information about privacy
policies, see Configure policies for Profile Services.
9. In the Choice List Settings section, choose whether the property uses a defined
choice list, add the choices, and select whether users can add to the choice list.

Note:
This section is only available if you selected the Allow choice list check box in
the Property Settings section. For more information about choice lists, see Plan
for people and user profiles.
10. In the Search Settings section, select the Alias check box if the property is
equivalent to the user's name for purposes of search. Select Indexed if this property is
part of the search schema for users, so that it can be used to find users or is displayed in
people search results.
11. In the Property Import Mapping section, select the data source and data type field
to use when mapping this property.
12. Click OK.

See Also
Plan for people and user profiles (http://technet.microsoft.com/en-us/library/cc262095.aspx)
Configure policies for Profile Services
Configure targeted content
Configure personalization sites

Configure targeted content
In this section:
• Create and configure audiences
• Configure published links to Office client applications
• Configure personalization site links
• Configure access to trusted My Site host locations
In Microsoft Office SharePoint Server 2007, content in a site can be targeted to individuals and
groups of users so that a site can provide a personalized experience for all users. This
encourages collaboration across an organization.
Content is primarily targeted by using audiences. Audiences are defined by using audience rules
based on properties in user profiles or membership in distribution lists and SharePoint groups.
Properties and distribution list membership information are imported from directory services or
from line-of-business applications that are registered in the Business Data Catalog. SharePoint
groups are configured within each site or site collection.
SharePoint lists and Web Parts can be targeted by using audiences, so that only members of the
targeted audience can view content.
Links to certain sites can be targeted by audience. Examples of targeted links include published
links to Office client applications and personalization site links. Targeted links appear in Office
client applications and My Sites only for users who are members of the target audiences.
Administrators of the Shared Services Provider (SSP) create and configure audiences, and then
configure the compilation schedules for audiences. After audiences are created by SSP
administrators, any other user with the correct permissions can use audiences to target content.
SSP administrators also configure the settings for published links to the Office client applications
and personalization site links. In configurations that have more than one My Site location, the
SSP administrator for personalization services configures trusted My Site locations so that some
groups of users can view personalized content across all My Site locations.

Create and configure audiences


Audiences use the information from directory services and user profiles to target information in
links, lists, Web Parts, document libraries, and sites. Before you can create, configure, and
compile audiences, you must import user profiles from directory services.
After creating audiences, you can target content by configuring the audience targeting properties
of the content.
Use the following procedures to create and configure audiences.

Create and configure audiences


1. On the SSP home page, in the Audiences section, click Audiences.
2. On the Manage Audiences page, click Create audience.
3. On the Create Audience page, type a name and description.
4. In the Owner text box, type or select a person to own this audience.
5. Select Satisfy all of the rules or Satisfy any of the rules depending on the rules
you have planned for each audience.

Note:
Complex rules containing AND and OR can be created by developers by using the
SharePoint object model.
6. Click OK.
7. On the Add Audience Rule page, to add a rule based on a user:
a. In the Operand section, select User.
b. In the Operator section, select Reports Under to create a rule based on
organizational hierarchy or select Member Of to target by group or distribution list.
c. Type or select the user that you want to use to test this rule. For a Reports Under
rule, select the person who is the manager of the users that you want to include in
the audience. For a Member Of audience, select the group or distribution list to
include for the audience rule.
8. To add a rule based on a property of user profiles:
a. In the Operand section, select Property, and then select a property from the
menu.
b. In the Operator menu, select an operator for the property. The operators vary by
property, but common operators include =, Contains, and <>. Full descriptions of the
operators are available in the planning and operations documentation for Office
SharePoint Server 2007.
c. Type a value to use when evaluating the property against this rule.
9. Click OK.

Use the following procedure to configure audience compilation and compile audiences.

Configure audience compilation and compile audiences


1. On the Manage Audiences page, click Specify compilation schedule.
2. On the Specify Compilation Schedule page, select Enable scheduling.
3. Select a start time in the Start at menu.
• To compile audiences at the same time each day, select Every day.
• To compile audiences at the same time once per week, select Every week on,
and then select a day of the week.
• To compile audiences once a month, select Every month on this date, and then
select a day of the month.
4. Click OK.

On the Manage Audiences page, click Start compilation at any time to compile audiences. All
audiences will be compiled.

Note:
You can compile audiences individually from the View Audiences page by clicking the
audience, and then clicking Compile.
Actual targeting of content based on audiences is performed by site administrators or
contributors. As part of planning for your initial deployment, your planning team will identify the
key content to target. Audience administrators should work with site administrators during
deployment to ensure that content is targeted according to plan.
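Because audience membership is only settled when the audience is compiled, it is worth knowing in advance who a rule set will match, especially the difference between Satisfy all of the rules and Satisfy any of the rules, and how far a Reports Under rule reaches down the organizational hierarchy. This added example, which is not part of the Office SharePoint Server documentation, models the rule operands and operators named above over constructed profiles; it assumes the hierarchy is expressed by a Manager profile property and that group and distribution list membership is already imported.

```python
"""Model of audience rules and 'all' versus 'any' compilation (added example).

Profiles, group membership and the manager chain are constructed sample
values, not data from a real directory.  The Manager property used for
Reports Under is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed user profiles: account -> imported profile properties.
PROFILES: Dict[str, Dict[str, str]] = {
    "contoso\\alice": {"Department": "Sales", "Office": "Paris", "Manager": "contoso\\dana"},
    "contoso\\bob": {"Department": "Sales", "Office": "London", "Manager": "contoso\\dana"},
    "contoso\\carol": {"Department": "Engineering", "Office": "Paris", "Manager": "contoso\\erin"},
    "contoso\\dana": {"Department": "Sales", "Office": "Paris", "Manager": "contoso\\frank"},
    "contoso\\erin": {"Department": "Engineering", "Office": "London", "Manager": "contoso\\frank"},
    "contoso\\frank": {"Department": "Executive", "Office": "Paris", "Manager": ""},
}

# Constructed distribution list / SharePoint group membership.
GROUPS: Dict[str, Set[str]] = {
    "Sales-EU": {"contoso\\alice", "contoso\\bob"},
    "Site Owners": {"contoso\\carol", "contoso\\dana"},
}


@dataclass
class Rule:
    operand: str                 # "User" or "Property"
    operator: str                # Reports Under, Member Of, =, <>, Contains
    value: str                   # manager account, group name, or property value
    prop: Optional[str] = None   # property name when operand == "Property"


def reports_under(account: str, manager: str, profiles: Dict[str, Dict[str, str]]) -> bool:
    """True if `manager` appears anywhere up the account's manager chain.

    The `seen` set stops the walk if constructed data contains a loop.
    """
    seen: Set[str] = set()
    current = profiles.get(account, {}).get("Manager", "")
    while current and current not in seen:
        if current.lower() == manager.lower():
            return True
        seen.add(current)
        current = profiles.get(current, {}).get("Manager", "")
    return False


def rule_matches(rule: Rule, account: str,
                 profiles: Dict[str, Dict[str, str]], groups: Dict[str, Set[str]]) -> bool:
    """Evaluate one audience rule for one account (comparisons are case-insensitive)."""
    if rule.operand == "User":
        if rule.operator == "Reports Under":
            return reports_under(account, rule.value, profiles)
        if rule.operator == "Member Of":
            return account in groups.get(rule.value, set())
    elif rule.operand == "Property":
        actual = profiles.get(account, {}).get(rule.prop or "", "").lower()
        expected = rule.value.lower()
        if rule.operator == "=":
            return actual == expected
        if rule.operator == "<>":
            return actual != expected
        if rule.operator == "Contains":
            return expected in actual
    raise ValueError(f"unsupported rule: {rule.operand} {rule.operator}")


def compile_audience(rules: List[Rule], satisfy: str,
                     profiles: Dict[str, Dict[str, str]] = PROFILES,
                     groups: Dict[str, Set[str]] = GROUPS) -> List[str]:
    """Return the sorted accounts an audience would contain after compilation.

    satisfy is "all" (Satisfy all of the rules) or "any" (Satisfy any of the rules).
    """
    if not rules:
        raise ValueError("an audience needs at least one rule")
    if satisfy not in ("all", "any"):
        raise ValueError("satisfy must be 'all' or 'any'")
    combine = all if satisfy == "all" else any
    return sorted(
        account for account in profiles
        if combine(rule_matches(rule, account, profiles, groups) for rule in rules)
    )


if __name__ == "__main__":
    sales = Rule("Property", "=", "Sales", prop="Department")
    paris = Rule("Property", "=", "Paris", prop="Office")
    print("Sales AND Paris:", compile_audience([sales, paris], "all"))
    print("Sales OR Paris: ", compile_audience([sales, paris], "any"))
    print("Reports under frank:", compile_audience([Rule("User", "Reports Under", "contoso\\frank")], "all"))
```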

Configure published links to Office client applications


Users of Office 2007 client applications can see links to SharePoint sites from those applications.
This allows users to quickly and easily access sites and save documents to sites or document
libraries.
SSP administrators configure published links to Office applications during initial deployment, and
can add or change links as part of regular operations. Links can be visible for all users or only
specific groups of users by using audiences.
Administrators configure published links to Office client applications and target them to
audiences.
Use the following procedure to configure published links to Office client applications.

Configure published links to Office client applications


1. On the SSP Home page, in the User Profiles and My Sites section, click Published
links to Office client applications.
2. On the Published links to Office client applications page, click New to add a link to
Office client applications.
3. On the Published links to Office client applications: New Item page, in the URL
section, type the URL of the link that you want to appear in Office applications, and type a
description for the link.
4. In the Type section, select the kind of site for the URL. This will affect how client
applications display the link.
5. In the Target Audiences section, select one or more audiences to use. Only
members of these audiences will have access to the link in Office client applications.
6. Click OK.

Configure personalization site links


Personalization sites are sites that present information that is personalized based on the current
user of a site by using a filter Web Part to display only the information relevant for the current
user. Creating a personalization site link adds the link to the My Site navigation bar.
Every user who is a member of a targeted audience can see the personalization link when
viewing their personal site, along with other relevant personalization sites. This enables each user
to have a single access point for personalized content.
The configuration page for personalization sites does not check the template of linked sites, so
SSP administrators can theoretically create a link to any kind of sites. However, to focus the
purpose of My Sites, it is recommended that only personalization site links or links to sites that
use a similar template be added to the list on the Personalization site links page.
SSP administrators select an owner for each personalization site link. This provides a contact for
the personalization link, but does not configure any permissions for audiences. The visibility of
each link can be modified by the relevant site administrator of each site during regular operations,
by changing the targeted audiences. Audience creation and membership can only be configured
by the audiences administrator from the SSP administration pages.
Configure the personalization site links for the key personalization sites identified during site
hierarchy and personalization planning. Additional links can be added as necessary as part of
regular operations.
Use the following procedure to configure personalization site links.

Configure personalization site links


1. On the SSP Home page, in the User Profiles and My Sites section, click
Personalization site links.
2. On the Personalization site links page, click New to add a link to a personalization
site.
3. On the Personalization site links: New Item page, in the URL section, type the URL of
the link that you want to appear in the My Site navigation bar, and type a description for
the link.
4. In the Owner section, type the account name of an owner for the site link. This user
is typically the site administrator for the personalization site.
5. In the Target Audiences section, select one or more audiences to use. Only
members of these audiences will see the link in the My Site navigation bar.
6. Click OK.

Configure access to trusted My Site host locations


Users of personalization services have the permissions given to them by administrators, but
these permissions are limited to a single SSP. While good planning can avoid many situations
where users need access to multiple My Sites, some scenarios require that a user have access to
more than one My Site host location. These scenarios typically involve geographically distributed
server farms, each with its own set of shared services.
Consult your planning for SSPs and trusted My Site host locations to determine which trusted My
Site host locations you need to add and the audiences you need to use when targeting those
locations.
Use the following procedure to add trusted My Site host locations.

Add trusted My Site host locations


1. On the SSP Home page, in the User Profiles and My Sites section, click Trusted
My Site host locations.
2. On the Trusted My Site Host Locations page, click New to add another Trusted My
Site host location.
3. On the Trusted My Site Host Locations: New Item page, in the URL section, type the
URL of the trusted My Site host location, and type a description for the location.
4. In the Target Audiences section, select one or more audiences to use. For trusted
My Site locations, the relevant audiences typically represent the set of users that belong
to each My Site host location.
5. Click OK.

During regular operations, in response to changes in directory services, one or more users can
end up with My Sites in different locations. This can happen when an account is migrated from
one SSP to another, such as when an employee changes geographic divisions in an organization
that uses different SSPs for geographically distributed locations. Trusted My Site host locations
can be used to provide access to personalization features targeted for only these users, without
enabling access to all users.
See Also
Plan for audiences (http://technet.microsoft.com/en-us/library/cc261958.aspx)
Configure personalization sites

Configure personalization sites
In this section:
• Create personalization sites
• Design personalization sites
• Target personalization site links
Microsoft Office SharePoint Server 2007 provides a template for creating personalization sites.
Personalization sites use a Current User Filter Web Part that can be connected to other Web
Parts on the page to display content that is personalized for each user who visits the site.
Unlike personal sites, which combine Web Parts that display information configured by Shared
Services Provider (SSP) administrators by configuring user profiles and personalization policies
with content customized by each user, personalization sites are designed to be customized by
site owners for a larger audience.
Site owners are selected during initial deployment by SSP administrators when they configure
personalization links. The site owner of each site is typically the site administrator for the site, and
decides which audiences to use when targeting the display of the personalization link on the My
Site navigation bar.
Site administrators, possibly working with site designers, create and customize personalization
sites based on recognized business needs.

Create personalization sites


Creation of personalization sites is straightforward. A personalization site can be created by any
user who has the create sites permission. Use the following procedure to create a personalization
site.

Create a personalization site


1. On the Site Actions menu, click Create Site.
2. On the New SharePoint Site page, in the Title and Description section, type a title
and description for the personalization site.
3. In the Web Site Address section, type a directory name to complete the URL in the
URL name text box.
4. In the Permissions section, select the desired permissions.
5. In the Template Selection section, click the Enterprise tab, and then click
Personalization Site.
6. Configure navigation options and site categories depending on the purpose of the
site and your site hierarchy and site navigation plans.
7. Click Create.

Design personalization sites
Design of personalization sites can be simple or complex depending on the need of the site. The
key personalization sites for the initial deployment are identified during site hierarchy planning
based on the needs of your organization. Consult site hierarchy planning, and then design each
personalization site to meet your identified needs.
The list of Web Parts that can be used in designing personalization sites is provided in part in the
planning documentation, developer documentation, and technical reference documentation for
Office SharePoint Server 2007. For more information about the full capabilities of Web Parts, see
this documentation. The key concept to understand regardless of the exact Web Parts used is
how to connect the Current User Filter Web Part to other Web Parts.
Use the following procedure to connect the Current User Filter Web Part to other Web Parts.

Connect the Current User Filter Web Part to other Web Parts
1. On the Site Actions menu, click Edit Page.
2. Add the Web Parts that you want to connect to the filter Web Parts, based on your
plan for the design of this site.
3. On the Current User Filter Web Part, click the Edit menu, point to Connections,
point to Send Values To, and then click the name of the Web Part that you want to
connect to the filter Web Part.

Note:
Some connected Web Parts can accept a default value from the Current User
Web Part. The procedure to connect these Web Parts uses the Send Default
Value To connection option, but is otherwise the same.
4. On the Configure Connection Webpage dialog, in the Consumer Field Name
menu, select the property to filter by.
For example, to filter the contents of a Documents Web Part, select Modified By to filter
the list in the Documents Web Part to display only the documents modified by the current
user.
5. Click Finish.
6. Click Exit Edit Mode when you are done connecting Web Parts.

Target personalization site links


Personalization site links determine how links to personalization sites appear in the My Site
navigation bar. Links to personalization sites are targeted by using audiences. The SSP
administrator creates audiences and assigns an owner and set of audiences for each
personalization site link. The owner is responsible for maintaining the targeting of the link over
time by selecting new audiences, but typically cannot create audiences.
Personalization sites do not have to appear in the My Site navigation bar. However, users are
much more likely to view a personalization site and work on the information they see on a
personalization site if it is one of the sites that appears in the My Site navigation bar.
Because the personalization sites created during initial deployment represent key business
processes identified during planning, it is usually a good idea to include links to the sites in the My
Site navigation bar and carefully consider how those links are targeted.
Use the following procedure to configure personalization site links.

Configure personalization site links


1. On the SSP home page, in the User Profiles and My Sites section, click
Personalization site links.
2. On the Personalization Site Links page, click New to add a link to a personalization
site.
3. On the Personalization Site Links: New Item page, in the URL section, type the URL
of the link that you want to appear in the My Site navigation bar, and type a description
for the link.
4. In the Owner section, type the account name of an owner for the site link. This user
is typically the site administrator for the personalization site.
5. In the Target Audiences section, select one or more audiences to use. Only
members of these audiences will see the link in the My Site navigation bar.
6. Click OK.

For more information on configuring personalization site links, see Configure targeted content.

Configure policies for Profile Services
In this section:
• Configure policies for personalization features
• Configure policies for user profiles
In Microsoft Office SharePoint Server 2007, Shared Services Provider (SSP) administrators for
personalization services configure the policies that determine who can view personalized
information and how that information can be shared. Every kind of personalized information is
affected by these policies, including:
• Memberships in SharePoint sites and distribution lists.
• Social networking features, such as My Colleagues.
• Links on personal sites.
• Personalization site link pinning.
• User profile properties.
Consult your planning for personalization policies, and then configure settings for each of these
personalization features.

Configure policies for personalization features


Policies for profile services are used to configure the access and privacy settings for My Site
personalization features and user profile properties. Although all users with the Use personal
features permission can view personalized information, SSP administrators can configure policies
for each specific feature or user profile to achieve greater precision in preserving privacy and
sharing information according to the needs of each organization.
Use the following procedure to configure policies for personalization features.

Configure policies for personalization features


1. On the SSP home page, in the User Profiles and My Sites section, click Profile
services policies.
2. On the Manage Policy page, click the policy that you want to set, and then click Edit
Policy.
3. On the Edit Policy page, in the Policy Settings section, in the Policy Setting menu,
select the policy setting for the feature or property.
• Click Enabled to enable the information to be shared by users other than the
SSP administrator. The visibility of enabled features is configured in the Default
Privacy Settings menu. This option is only available for policies for features and not
policies for user profile properties.
• Select Disabled to prevent anyone but the SSP administrator from viewing the
property or feature.
• Select Required if the property must contain information. The visibility of the
property is configured in the Default Privacy Settings menu.
• Select Optional if the property is not required. Each user decides whether
optional properties contain information based on the user's preference.
4. In the Default Privacy Setting menu, select the people who can view information for
the feature or property.
• Click Only Me to limit visibility to the user.
• Click My Manager to limit visibility to the user and the user's manager.
• Click My Workgroup to limit visibility to the user and all users who report to the
same manager.
• Click My Colleagues to limit visibility to the user and all colleagues for that user.
• Click Everyone to share the information with all users who have the "use
personal features" permission.
5. To enable users to change the default privacy setting, select the User can override
check box.
6. To enable a property to be available in user information lists for SharePoint sites
other than My Site, select the Replicable check box. This property and its values from
the user profile will be replicated to other sites.

Note:
If you clear a check box that has already been selected, any information that was
replicated before the change will remain on other SharePoint sites until it is
changed on each site. This can occur during deployment if you clear a check box
for a property that is replicable by default after the property has already been
imported from directory services or the Business Data Catalog.
7. Click OK.

Configure policies for user profiles


Use the following procedure to configure policies for user profiles.

Configure policies for user profiles


1. On the SSP home page, in the User Profiles and My Sites section, click User
profile and properties.
2. On the User Profiles and Properties page, in the User Profile Properties section,
click View profile properties.
3. On the View Profile Properties page, click the property that you want to configure,
and then click Edit.
4. On the Edit User Profile Property page, in the Policy Settings section, from the
Policy Setting menu, click the policy setting for the property.
• Select Required if the property must contain information. The visibility of the
property is configured in the Default Privacy Settings menu, as discussed in step 5.
• Select Optional if the property is not required. Each user decides whether or not
to provide values for optional properties.
• Select Disabled to prevent anyone but the SSP administrator from viewing the
property or feature.
5. In the Default Privacy Setting menu, select the people who can view information for
the feature or property.
• Click Only Me to limit visibility to the user.
• Click My Manager to limit visibility to the user and the user's manager.
• Click My Workgroup to limit visibility to the user and all users who report to the
same manager.
• Click My Colleagues to limit visibility to the user and all colleagues for that user.
• Click Everyone to share the information with all users who have the Use
personal features permission.
6. To enable users to change the default privacy setting, select the User can override
check box.
7. To enable a property to be available in user information lists for SharePoint sites
other than My Site, select the Replicable check box. This property and its values from
the user profile will be replicated to other sites.

Note:
Replication occurs during profile imports. The information list is replaced by the
values for the property in the imported user profile. Changes made to properties
in the user profile that are not replicated will not appear on other sites. If you
clear a Replicable check box that was previously selected, any information that
was replicated before the change will remain on other SharePoint sites until it is
changed on each site. This can occur during deployment if you clear a check box
for a property that is replicable by default after the property has been imported
from directory services or the Business Data Catalog.
8. In the Edit Settings section, click an option to allow or not allow users to edit values
for properties in their user profiles.
• To allow users to edit values for the property in their user profiles, click Allow
users to edit values for this property.
• To prevent users from editing values for the property, click Do not allow users to
edit values for this property.
9. In the Display Settings section, select where the property is displayed on My Site.
• To display the property in the profile properties section of the user's profile page,
select Show in the profile properties section of the user's profile page.
• To display the property on the Edit Details page available from the personal page
of My Site, select Show on the Edit Details page.
• To display changes to the property in the Colleagues section of My Site and all
other instances of the Colleague Tracker Web Part, click Show changes in the
Colleague Tracker web part.
10. Click OK.
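The policy setting, Default Privacy Setting and User can override options described in both procedures above combine into a visibility rule. The following is an added example, not code from this book: a small model of that rule applied to a constructed set of users, managers and colleague lists, so that an administrator can see who ends up able to view a property under a given policy.

```python
"""Added example, not code from the TechNet book: a model of how the
profile-services policy setting, default privacy setting and
"User can override" option decide who may see a user profile property.
All users, managers and colleague lists below are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class PolicySetting(Enum):
    ENABLED = "Enabled"      # personalization features only
    DISABLED = "Disabled"    # only the SSP administrator can view
    REQUIRED = "Required"    # profile properties only
    OPTIONAL = "Optional"


class Privacy(Enum):
    ONLY_ME = "Only Me"
    MY_MANAGER = "My Manager"
    MY_WORKGROUP = "My Workgroup"
    MY_COLLEAGUES = "My Colleagues"
    EVERYONE = "Everyone"


@dataclass
class PropertyPolicy:
    name: str
    setting: PolicySetting
    default_privacy: Privacy
    user_can_override: bool = False


@dataclass
class User:
    account: str
    manager: Optional[str] = None
    colleagues: Set[str] = field(default_factory=set)
    has_use_personal_features: bool = True
    # Privacy level the user picked for a property; honoured only when the
    # policy has "User can override" selected.
    chosen_privacy: Dict[str, Privacy] = field(default_factory=dict)


def effective_privacy(policy: PropertyPolicy, owner: User) -> Privacy:
    """The default privacy setting, unless the owner may (and did) override it."""
    if policy.user_can_override and policy.name in owner.chosen_privacy:
        return owner.chosen_privacy[policy.name]
    return policy.default_privacy


def can_view(policy: PropertyPolicy, owner: User, viewer: User,
             viewer_is_ssp_admin: bool = False) -> bool:
    """True if viewer may see owner's value for the property under policy."""
    if viewer_is_ssp_admin:
        return True                  # SSP administrator can always view (model assumption)
    if policy.setting is PolicySetting.DISABLED:
        return False                 # nobody else sees a disabled property
    if not viewer.has_use_personal_features:
        return False                 # viewing needs the Use personal features permission
    if viewer.account == owner.account:
        return True                  # users see their own values
    privacy = effective_privacy(policy, owner)
    if privacy is Privacy.ONLY_ME:
        return False
    if privacy is Privacy.MY_MANAGER:
        return viewer.account == owner.manager
    if privacy is Privacy.MY_WORKGROUP:
        # Users who report to the same manager, as the procedure defines it.
        return owner.manager is not None and viewer.manager == owner.manager
    if privacy is Privacy.MY_COLLEAGUES:
        return viewer.account in owner.colleagues
    return True                      # EVERYONE


def viewers_of(policy: PropertyPolicy, owner: User, users: List[User]) -> List[str]:
    """Accounts (SSP administrator aside) that can see owner's value."""
    return sorted(u.account for u in users if can_view(policy, owner, u))


if __name__ == "__main__":
    alice = User("alice", manager="bob", colleagues={"dave"},
                 chosen_privacy={"Mobile phone": Privacy.MY_COLLEAGUES})
    staff = [alice, User("bob"), User("carol", manager="bob"),
             User("dave", manager="frank"), User("erin", manager="frank")]
    phone = PropertyPolicy("Mobile phone", PolicySetting.OPTIONAL, Privacy.MY_MANAGER)
    print(viewers_of(phone, alice, staff))     # only alice and her manager
    phone.user_can_override = True
    print(viewers_of(phone, alice, staff))     # alice's own choice now applies
```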

See Also
Plan for people and user profiles (http://technet.microsoft.com/en-us/library/cc262095.aspx)
Policies for Profile Services (http://technet.microsoft.com/en-us/library/cc263160.aspx)

B. Configure business intelligence features

Chapter overview: Configure business
intelligence features
In this section:
• Configure access to business data
• Register line-of-business applications in the Business Data Catalog
• Customize business data lists, Web Parts, and sites
• Configure business data search
Microsoft Office SharePoint Server 2007 enables the integration of data from line-of-business
applications with features that enable that data to be found, displayed, and analyzed along with
other content by users who use SharePoint sites.
After you have planned the line-of-business applications, SharePoint lists, and sites for your
organization, you must configure the connection between data in applications and the features in
your deployment that use data.

Configure access to business data


The first step to enabling business data within your deployment involves configuring access to
business data. You must configure access to the Business Data Catalog for a Shared Services
Provider (SSP) administrator. For each line-of-business application, you configure access to the
underlying database, or to a separate database that contains a copy of the data, isolated from the
application. Finally, you configure access to the business data that is made available by the
Business Data Catalog, so that business data features are available for the users who use that
data and unavailable to other users.
For more information about configuring access to business data, see Configure access to
business data.

Register line-of-business applications in the Business Data Catalog


When you register line-of-business applications in the Business Data Catalog, you select the
business data types and properties for each business data type to import. You select fields in the
line-of-business application and then map them to business data properties that appear in
SharePoint lists, Web Parts, business dashboards, and the Report Center site.
For more information about registering line-of-business applications in the Business Data
Catalog, see Register business applications in the Business Data Catalog.

Customize business data lists, Web Parts, and
sites
After you configure access to business data and have imported business data types and properties,
you can include the data in SharePoint lists and Web Parts. These lists and Web Parts are used
in sites across your organization, particularly business dashboards and the Report Center site.
Business data displayed in dashboard sites enables complex data analysis and action through
business intelligence features, such as Excel Web Access Web Parts and key performance
indicators (KPIs).
These features are implemented by site administrators and end users, but business planners and
SSP administrators should work closely with these users during initial deployment to implement
the decisions made during planning.
For more information about customizing business data in lists, Web Parts, and sites, see
Customize business data lists, Web Parts, and sites.

Configure business data search


A key step to making business data easily available is to integrate business data into your initial
search deployment. For more information about finding business data, see Configure business
data search.
See Also
Chapter overview: Plan for business intelligence (http://technet.microsoft.com/en-
us/library/cc262935.aspx)

Configure access to business data
In this section:
• Configure SSP administrator rights for the Business Data Catalog
• Configure access to the SSP pages
• Configure application definitions and single sign-on for the Business Data Catalog
• Configure data warehousing
• Configure permissions for business data
In Microsoft Office SharePoint Server 2007, the Business Data Catalog enables users to find and
analyze business data and take effective actions directly from SharePoint sites that use business
data. When configuring the Business Data Catalog, it is critical that you protect the security and
integrity of the data in line-of-business applications.
One of the most important ways to protect your data is to carefully enable access to data for users
who can use it effectively, and to prevent access by other users. During planning for your
deployment, you identify the purpose of your sites, the business applications associated with key
business purposes, and the users who use each application. During deployment, you enable
access to the groups of users identified during planning.
To enable access to business data, you should:
• Configure Shared Services Provider (SSP) administrator rights for the Business Data
Catalog.
• Configure access to the SSP pages.
• Configure single sign-on for the Business Data Catalog.
• Configure data warehouses for data security.
• Configure user permissions for business data.

Configure SSP administrator rights for the Business Data Catalog


SSP administrators must have permissions to both the Business Data Catalog service and the
SSP administration pages for the Business Data Catalog.
Use the following procedure to configure SSP administrator rights to the Business Data Catalog
service.

Configure SSP administrator rights to the Business Data Catalog service


1. Open the administration page for the SSP.
To open the administration page for the SSP, do the following:
a. On the top navigation bar, click Application Management.
b. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm’s shared services.
c. On the Manage this Farm’s Shared Services page, there is a link to each SSP
and links to the Web applications for each SSP. Click the link for the SSP that you
want to open.
You can also access the SSP by clicking the link to the SSP Home page in the Quick
Launch.
2. On the SSP home page, in the Business Data Catalog section, click Business Data
Catalog permissions.
3. On the Manage Permissions: Business Data Catalog page, click Add Users/Groups.
4. On the Add Users/Groups: Business Data Catalog page, in the Choose Users
section, enter the name or account of the user that you want to add.
5. In the Choose Permissions section, select one or more permissions for the user.
For the main administrator of the Business Data Catalog, it is common to select all
permissions.
• Edit: Select this permission to enable users to import application definitions and
add, edit, or delete application definitions, business data types, and data fields for
business data types.
• Execute: Select this permission to enable users to change the properties of
business data.
• Select in Clients: Select this permission to enable the user to refer to business
data types and fields in SharePoint lists, Web Parts, sites, and client applications.
• Set permissions: Select this permission to enable the user to configure
permissions for other users.
6. Click Save.

Configure access to the SSP pages


SSP administrators who manage the Business Data Catalog must have access to the SSP pages
for the Business Data Catalog. This access is in addition to the separate permissions to the
Business Data Catalog service. To access the SSP home page, an account must be a member of
the Site Collection Administrators group.
By default, the account that set up the SSP is a member of the Site Collection Administrators
group. For the first SSP in the initial deployment, that is the account that was used to install Office
SharePoint Server 2007. If that same account is used to administer the SSP, no additional steps
are necessary. In most organizations, SSP administration will be delegated to one or more
additional users. The account used to set up the SSP can be used to add other accounts to the
Site Collection Administrators group.
Use the following procedure to configure access to the SSP pages.

Configure access to the SSP pages


1. Open the administration page for the SSP.
To open the administration page for the SSP, do the following:
a. On the top navigation bar, click Application Management.
b. On the Application Management page, in the Office SharePoint Server Shared
Services section, click Create or configure this farm’s shared services.
c. On the Manage this Farm’s Shared Services page, there is a link to each SSP
and links to the Web applications for each SSP. Click the link for the SSP that you
want to open.
You can also access the SSP by clicking the link to the SSP home page in the Quick
Launch.
2. On the SSP home page, click the Site Actions menu.
3. On the Site Actions menu, click Site Settings.
4. On the Site Settings page, in the Users and Permissions section, click Site
collection administrators.
5. On the Site Collection Administrators page, in the Site Collection Administrators
section, do the following:
a. Type the name or account that you want to add to the Site Collection
Administrators group.
b. Click the Check Names icon. If the name or account is found in directory
services, it will appear as a link in the text box.
c. If the name or account was not found, or if you want to search for more users,
click the Browse icon.
d. On the Select People dialog box, in the Find box, type part or all of the user's
name or account name, and then press Enter. All accounts that match appear in the
text box.
e. Select one or more accounts that you want to add, and then click Add.
f. When you are done adding SSP administrators, click OK.
6. On the Site Collection Administrators page, click OK.

Configure application definitions and single sign-on for the Business Data Catalog


Line-of-business applications are added to the Business Data Catalog by importing application
definitions authored in XML. In most scenarios, access to applications from a single account is
accomplished by using the single sign-on (SSO) feature of Office SharePoint Server 2007.
SSO maps permissions from external data sources including line-of-business applications to
permissions in Office SharePoint Server 2007. This enables a user to access multiple data
sources regardless of platform or authentication requirements without having to re-enter
credentials for each system. This enables more accessible use and sharing of data without
sacrificing security.

The Business Data Catalog is only one of several features and services that take advantage of
SSO. SSO is also used by Excel Services in Microsoft Office SharePoint Server 2007, InfoPath
Forms Services, and in a variety of Web Parts, lists, and search features that access external
data sources. With SSO, all of these data sources can be accessed securely by using a single
sign-on.
The Business Data Catalog relies on application definitions to translate the data types and fields
of data sources into metadata that is useful in sites and applications that use Office SharePoint
Server 2007. The SSP administrator for the Business Data Catalog, or a Web designer, authors the
XML file for the application definition, which includes authentication information and the business
data types and fields in the planned business data schema. The SSP administrator then imports the
application definitions to the Business Data Catalog. This data can then be viewed and analyzed
in SharePoint sites to improve business data collaboration and business intelligence.
To use SSO for applications in the Business Data Catalog, the farm administrator must configure
SSO on the server farm. Then, the farm administrator must create enterprise application definitions
in SSO for each line-of-business application that match the separate application definitions already
imported into the Business Data Catalog.
By the end of server farm configuration of SSO, enterprise application definitions should exist for
all of the line-of-business applications in the Business Data Catalog. The administrator of the
Business Data Catalog should work closely with farm administrators to ensure that the necessary
application definitions are created. For more information on the configuration of SSO on the
server farm, see Configure single sign-on.
After SSO is configured on the server farm and enterprise application definitions have been
created for the line-of-business applications that will be added to the Business Data Catalog, the
administrator of the Business Data Catalog imports the application definitions to the Business
Data Catalog. Then, you can import the business data types and fields for those applications. For
more information about importing application definitions, see Register business applications in the
Business Data Catalog. For more information about managing single sign-on, see Central
Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx).

Configure data warehousing


While it is possible to enable access directly to your line-of-business applications, you might
choose to copy a relevant subset of data from the application to a data warehouse. This protects
more sensitive data by keeping it accessible to a small number of people on a relatively isolated
server, while the data more useful for collaboration and business intelligence across your
organization is copied to a server to which a broader number of people have direct access. You
might also want to limit the load on your line-of-business application server by using the copied
data, and limit direct access to the application to business data actions designed to update data
based on analysis and business intelligence. This practice decreases the freshness of the data
displayed in SharePoint lists and sites, and creates a greater need to ensure data normalization
during regular operations.
During planning for your deployment, you considered these trade-offs, and identified the data that
you want to copy to a data warehouse.

To copy data from a line-of-business application to a data warehouse, follow the procedures for
copying the data relevant to the particular application. When you configure the connections to
business applications, use the location of the business data warehouse instead of the line-of-
business application. When configuring business data actions that are intended to update the
underlying data, you will have to separately configure access to the business data application.

Configure permissions for business data


After you have configured administrator permissions, you will register business data applications
in the Business Data Catalog. For more information about registering applications and importing
business data types and properties, see Register business applications in the Business Data
Catalog.
To use the data from the applications registered in the Business Data Catalog, you must then
configure SharePoint permissions for groups of users that collaborate on projects that use
business data.
Use the following procedure to configure permissions for business data.

Configure permissions for business data


1. On the SSP home page, in the Business Data Catalog section, click Business Data
Catalog permissions.
2. On the Manage Permissions: Business Data Catalog page, click Add Users/Groups.
3. On the Add Users/Groups: Business Data Catalog page, in the Choose Users
section, enter the name or account of the user that you want to add.
4. In the Choose Permissions section, select one or more permissions for the user.
• Edit: Select this permission to enable users to import application definitions and
add, edit, or delete application definitions, business data types, and data fields for
business data types.
• Execute: Select this permission to enable users to change the properties of
business data.
• Select in Clients: Select this permission to enable the user to refer to business
data types and fields in SharePoint lists, Web Parts, sites, and client applications.
• Set permissions: Select this permission to enable the user to configure
permissions for other users.
5. Click Save.

See Also
Register business applications in the Business Data Catalog
Customize business data lists, Web Parts, and sites
Configure business data search
Plan for business intelligence (http://technet.microsoft.com/en-us/library/cc262935.aspx)

Register business applications in the
Business Data Catalog
In this section:
• Create application definitions
• Import application definitions
• Configure enterprise application definitions for single sign-on
• Configure business data types and fields
Before you can use data from any line-of-business application in Microsoft Office SharePoint
Server 2007, you must register that information in the Business Data Catalog. The Business Data
Catalog is the service that manages connections among line-of-business applications and the
SharePoint lists, Web Parts, and sites that use data from those applications.
To register line-of-business applications in the Business Data Catalog, you should:
• Create application definitions for each application or database in your organization.
Application definitions contain connection settings, authentication mode, and definitions for
the business data types and properties imported for a particular application.
• Import application definitions to the Business Data Catalog.
• Configure single sign-on (SSO) enterprise application definitions for applications that will
be using SSO.
• Configure business data types and the fields for each business data type.
After completing these steps for each line-of-business application in your organization, you can
then use the data from applications in SharePoint lists, Web Parts, and business data-enabled
sites such as business dashboards and the Report Center site. Data can also be imported for use
in user profiles or used in enterprise search to find business data.

Create application definitions


An application definition is a file that describes a database or Web service. An application
definition includes the following information:
• Connection settings
• Authentication mode
• Definitions of business data types
• Other information, depending upon the application
Application definitions are XML files that are authored by Business Data Catalog administrators or
Web designers who understand the business data schema established in the plan for business
data. During deployment, an application definition is created for each line-of-business application.
For each application, the business data types (also known as entities) and properties for each
entity are defined within the application definition file according to the schema. The application
definition files can be imported into the Business Data Catalog, and can be exported as a backup
for disaster recovery scenarios.
For more information about authoring application definitions, see the Microsoft Office SharePoint
Server 2007 Software Development Kit (SDK).

Import application definitions


To use application definitions in the Business Data Catalog, you must import the application
definitions. During initial deployment, you can add newly created application definitions for each
line-of-business application. During regular operations, export your existing application
definitions before you import updated ones, so that you do not overwrite a newer
application definition with one that is out of date. Because application definitions include security
settings, it is important that you always ensure that you are updating the correct version of any
application definition so that your security settings are retained.
Use the following procedure to import an application definition.

Import an application definition


1. On the SSP home page, in the Business Data Catalog section, click Import
application definition.
2. On the Import Application Definition page, in the Application Definition section,
enter the location of the application definition.
3. In the File Type section, select the type of application definition to import.
Note: The author of the application definition file should know the file type for the
application definition. If you don't know the file type, use the default option.
4. In the Resources to import section, select the resources to import.
• Select Localized Names to import names for business data fields in multiple
languages.
• Select Properties to import properties from the application definition.
• Select Permissions to import permissions from the application definition.
5. Click Import.

Configure enterprise application definitions for single sign-on


If you are using SSO to access line-of-business applications, you must configure SSO for each of
those applications. For more information about configuring SSO for the Business Data
Catalog, see Configure access to business data, or see Configure single sign-on. Server farm
administrators create enterprise application definitions for line-of-business applications and other
data sources.

Use the following procedure to create an application definition.

Create an application definition


1. In Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage
settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, click Manage settings for
enterprise application definitions.
4. On the Manage Enterprise Application Definitions page, click New Item.
5. On the Create Enterprise Application Definition page, in the Application and
Contact Information section, in the Display name box, type the name that is displayed
to users.
6. In the Application name box, type the name that Web Parts use to refer to the
enterprise application definition. Single sign-on components use the application name to
specify which enterprise application definition to use. This name should match the name
used in the application definition in the Business Data Catalog.
7. In the Contact e-mail address box, type the e-mail address that users can contact
for the enterprise application.
8. In the Account type section, select one of the following:
a. Group. Select this option if users will connect to the enterprise application
through a group account. If you select this option, you need to configure account
information for the application definition.
b. Individual. Select this option if each user has an account in the application
definition.
c. Group using restricted account. Select this option if users will connect to the
enterprise application through a group that uses a restricted account. If you select
this option, credentials are stored separately for regular credentials and a different
API is used to access the credentials. Select this option only when all of the following
is true:
• The account is a group account.
• An intermediary application such as Business Data Catalog imposes further security
restrictions.
• The data is highly sensitive.
9. In the Authentication type section, select the Windows authentication check box.

Warning:
If Windows authentication is not used, the logon credentials are not encrypted.
10. In the Logon Account Information section, configure each of the Field boxes for
soliciting required logon information from users. Selecting Yes for Mask hides the text
typed by the user. This helps to keep sensitive information such as passwords secret.
11. Click OK.

Administrators for the Business Data Catalog should work closely with farm administrators to
ensure that the necessary application definitions are created that correspond to the configuration
plans for the Business Data Catalog.

Configure business data types and fields


The business data types (also known as entities) and the fields for each business data type are
included and defined in the application definition file. Application definitions created according to
the business schema will already be properly configured. However, further configuration might
still be necessary in the following cases:
• If the business data schema changes during the process of deployment, you might have
to update entities and fields for existing applications. These changes are made by changing
and re-importing the application definition file.
• If you want to change the list of people with access to a particular application or entity,
you can configure permissions in the Business Data Catalog.
• If you plan additional business data actions for one or more entities, you can configure
the business data actions in the Business Data Catalog.
• If you want to change how business data profiles appear, you can edit the profile page
template.
To add or edit fields for existing business data types or to import new business data types, you
must edit the application definition file.

Manage permissions for an application or entity


Use the following procedure to manage permissions for an application or entity.

Manage permissions for an application or entity


1. On the SSP home page, in the Business Data Catalog section, click View
applications or View entities.
2. On the Business Data Catalog Applications or Business Data Catalog Entities page,
click the application or entity you want to manage.
3. On the View Application or View Entity page, click Manage Permissions.
4. On the Manage Permissions page, click Add Users/Groups to add users and groups.
5. On the Add Users/Groups page, in the Choose Users section, enter the new users
and groups that you want to add.
6. In the Choose Permissions section, select the permissions that you want for the
users and groups.
7. Click OK.
8. To remove users or groups, on the Manage Permissions page, select the check
boxes for the users and groups that you want to remove, and then click Remove
Selected Users.
9. To modify the permissions of selected users, click Modify Permissions of Selected
Users.
10. On the Modify Permissions page, in the Choose Permissions section, select the
permissions that you want for the user or group.
11. Click OK.
12. To copy permissions for an application to all entities for that application, or to copy
permissions for an entity to all child entities, click Copy all permissions to
descendants, and click OK on the dialog box that appears.

For more information about Business Data Catalog permissions, see Configure access to business
data.

Add business data actions for an entity


Use the following procedure to add business data actions for an entity.

Add business data actions for an entity


1. On the SSP home page, in the Business Data Catalog section, click View entities.
2. On the Business Data Catalog Entities page, click the entity that you want to edit.
3. On the View Entity page, in the Actions list, click Add Action.
4. On the Add Action page, in the Name section, type a name for the action in the
Action Name text box.
5. In the URL section, type the URL that will appear in the browser when this action is
selected in the Navigate to this URL text box.
6. To assign properties and add them as parameters to the URL:
a. In the URL Parameters section, click the Add Parameter button.
b. Select a parameter from the dropdown list that appears.
c. To remove a parameter, click the Remove button next to the parameter that you
want to remove.

Note:
Properties assigned to parameters are sent to the target URL and can be
processed by business data Web Parts on that page, such as filter Web Parts.
7. In the Icon section, to use a standard icon, select Standard icon, and then click the
standard icon that is relevant for this action.
8. To use a custom icon, in the Icon section, select The image at this URL, and then
type the URL of the image.
9. Click OK.

Edit the profile page template
Use the following procedure to edit the profile page template.

Edit the profile page template


1. On the SSP home page, in the Business Data Catalog section, click Edit profile
page template.
2. On the profile template page, click Site Actions, and then click Edit Page.
3. In Edit Mode, add and modify Web Parts according to the planned template.

Note:
To view business data profiles in a complex business dashboard, you can
replace the default profile page template with the dashboard page template, and
then modify the new template. This enables you to use key performance
indicators, filters, and other tools for business intelligence and analysis directly
from business data profiles.

Customize business data lists, Web Parts, and sites
In this section:
• Create business data lists
• Create KPIs and KPI lists
• Create and configure reports in the Report Center site
• Create and configure dashboard sites
• Create other business data sites
After configuring access to business data and registering applications in the Business Data
Catalog, business data is available for use in lists, Web Parts, and sites in your deployment. The
initial creation and customization of lists, Web Parts, and sites is performed by site administrators,
designers, and contributors. While these tasks are daily operations for different users, and not the
responsibility of IT professionals, it is important to set up key lists, Web Parts, and sites as part of
an initial deployment of Microsoft Office SharePoint Server 2007.
The relevant customization tasks during deployment include:
• Creating SharePoint lists that use business data that can be used by business data Web
Parts and sites that use business data.
• Creating key performance indicators (KPIs) based on business data lists, other
SharePoint lists, Excel workbooks, or data sources made available in data connection
libraries.
• Creating reports and adding KPI lists and business data lists to the Reports Library of the
Report Center site or any site that uses the Report Center template.
• Creating and configuring dashboard sites in the Report Center site.
• Creating additional Report Center sites and other sites that use business data.

Create business data lists


Business data lists are any SharePoint lists that include business data. The data is imported from
properties of line-of-business applications registered in the Business Data Catalog. Business data
lists are typically stored in document libraries for sites related to the applications that are the
source of data, and can also be used to configure business data Web Parts that are used in sites,
such as personalization sites and the Report Center site.
Use the following procedure to create a business data list.

Create a business data list


1. In the Quick Launch, click Lists.
2. On the All Site Content page in the list view, click Create to create a custom list, or
click the link to an existing list.
3. On the list page, on the Settings menu, click Create Column.
4. On the Create Column page, in the Name and Type section, type a name and then
select the Business data check box.
5. In the Additional Column Settings section, select the business data type and field
that contains the data you want to add to the list.
6. To display the action menu for the selected business data type, click Display the
actions menu.
7. To link the column to the business data profile for the type, click Link this column to
the profile page.
8. Click OK.

You can add as many business data columns as you want. For more information about business
data lists, see the User's Guide.

Create KPIs and KPI lists


KPIs provide a quick graphical indication of the state of a key business process. KPIs calculate a
single value based on a range of data from one of several sources, and then test that value
against a value that represents progress toward a business goal.
For each KPI planned in your initial configuration, you create a KPI list. Then, you add one or
more KPIs to the list, grouping KPIs for related business processes. For organizational purposes,
each KPI list is typically created and stored in the site that will be displaying KPIs, such as the
Reports Library of a Report Center site.
Use the following procedure to create KPIs and KPI lists.

Create KPIs and KPI lists


1. On the Quick Launch, click Lists.
2. On the All Site Content page, click Create.
3. On the Create page in the Custom Lists section, click KPI list.
4. On the New page, in the Name and Description section, type a name and description.
5. In the Navigation section, click Yes if you want the KPI to be visible on the Quick
Launch.
6. Click Create.
7. On the KPI list page, click the New menu, and then click the type of indicator that you
want to add. You can use data from a SharePoint list, an Excel workbook, a SQL Server
2005 Analysis Services cube from a data connection library, or from a manual list of
values.
8. On the New Item page, enter values for the relevant properties.

For more information on creating and configuring KPIs, see the User's Guide.

Create and configure reports in the Report Center site
For business data lists and KPI lists that are based on data from the Business Data Catalog and
that you plan to use in the Report Center site, you can create the lists in the Reports Library of
the Report Center site. These lists can then be used in dashboards for the Report Center site.
In the Report Center site, you can also create reports based on Excel data. Use the following
procedure to create a report.

Create a report in the Report Center site


1. In the Reports Library, click the New menu, and then click Report.
2. On the Reports Library: Report page, enter properties for the report, and then click
OK.
3. In the Reports Library, click the menu for the report, and then click Edit in Microsoft
Office Excel to add data to the report.

During deployment, you will only add the key reports that you identified during planning. The
other reports can be added by users during normal operations.
For more information about using reports to display Excel data, see C. Configure Excel Services.

Create and configure dashboard sites


Dashboard sites are configured by adding and configuring the relevant Web Parts.
Dashboard sites use filter Web Parts to provide both automatic and user-selected filtering of data
displayed in KPI List Web Parts and Excel workbooks. In some cases, they may also include
business data Web Parts. Each filter is connected to the Web Parts it filters by the site
administrator. Dashboard sites can be created from the Report Center site, or from any site that is
created by using the Report Center template.
KPI List Web Parts are used to display either a list of several KPIs for your organization, or the
details of a single KPI from a KPI list. Excel Web Access Web Parts are used to display
information from Excel workbooks. Business data Web Parts can be used to display data from
line-of-business applications, by using a business data list that includes data from the relevant
applications.
Use the following procedure to create and configure a dashboard site.

Create and configure a dashboard site


1. On the home page of the site, in the Quick Launch, click Reports to open the Report
Center site.

Note:
If your site template does not include a Report Center site, you must first create a
site by using the Report Center template, and then open that site.
2. On the home page of the Report Center site, in the Quick Launch, click Dashboards
to open a list of dashboards in the Reports Library page of the Report Center site.
3. On the Reports Library page, click the New menu, and then click Dashboard Page.
4. On the New Dashboard page, in the Page Name section, provide a name, title, and
description for the dashboard site.
5. In the Key Performance Indicator section, select Allow me to select an existing
KPI later.

Note:
Alternatively, you can select Create a KPI list for me automatically, and then
configure the KPI list later.
6. Click OK.
7. On the Dashboard page, in the Site Actions menu, click Edit Page.
8. For the Web Part Page zone in which you want to add a Web Part, click Add a Web
Part.
9. On the Add Web Parts Web page, in the Suggested Web Parts section, select the
check box for the type of Web Part you want to add, and then click Add.
10. To configure the Web Part, click the Edit menu, and then click Modify Shared Web
Part.

For more information about the configuration options for Business Data Web Parts, see Plan
business data Web Parts (http://technet.microsoft.com/en-us/library/cc261941.aspx).
Use the following procedure to configure filter Web Parts.

Configure filter Web Parts


1. On the Add Web Parts Web page, select the check box for the filter Web Part that you
want to add, and then click Add.
2. On the filter Web Part, click Edit, point to Connections, and then select the Web
Part to connect to the filter.
For more information about the configuration options for filter Web Parts, see Plan dashboards
and filters (http://technet.microsoft.com/en-us/library/cc262682.aspx).
For more information about configuring Excel Web Access Web Parts, see Chapter overview:
Configure Excel Services.

Create other business data sites


Business data Web Parts and KPI List Web Parts can be used in any site. Site administrators can
add business data to personalization sites so that each person views a personalized view of the
data in each Web Part. KPIs for key business processes are often available on portal home
pages, or pages in the Search Center site organized around business data. Refer to your site
hierarchy plan for your initial deployment, and add business data and KPI Web Parts for each
relevant site.

See Also
B. Configure business intelligence features
Plan business data lists (http://technet.microsoft.com/en-us/library/cc261850.aspx)
Plan business data Web Parts (http://technet.microsoft.com/en-us/library/cc261941.aspx)
Plan key performance indicators (http://technet.microsoft.com/en-us/library/cc263321.aspx)
Plan reports (http://technet.microsoft.com/en-us/library/cc263506.aspx)
Plan business data actions (http://technet.microsoft.com/en-us/library/cc262684.aspx)
Plan dashboards and filters (http://technet.microsoft.com/en-us/library/cc262682.aspx)

Configure business data search
In this section:
• Ensure availability of business data
• Configure and crawl business data content sources
• Configure and customize query options for business data
Administrators of the search service and administrators of individual site collections must
configure several options before business data is available in search results. To make business
data available for search, you should:
• Ensure that the data you want users to find is available in the Business Data Catalog,
and ensure that users have the intended permissions.
• Configure and crawl business data content sources.
• Configure and customize query options for business data.
Most of these tasks are performed by the administrator of the search shared service or by the
administrator of the Business Data Catalog. Some tasks are performed by site collection
administrators. Both shared services administrators and site collection administrators will help
plan search for business data.

Ensure availability of business data


Users can only search for business data for line-of-business applications if it is available in the
Business Data Catalog, and only if users have the intended permissions. The Shared Services
Provider (SSP) administrator for the Business Data Catalog must configure access to business
data and register business data types and properties for all line-of-business applications that use
the SSP.
For more information on configuring access to business data, see Configure access to business
data. For more information about registering line-of-business applications in the Business Data
Catalog, see Register business applications in the Business Data Catalog.

Configure and crawl business data content sources
Business data, as any other content, can only be found during search queries if a content source
has been created that includes a start address for the data. SSP administrators for the search
service must create and configure all content sources for business data, based on the data
identified during planning.
When you add start addresses for business data, you must use a location that respects the
security settings configured in the Business Data Catalog. For example, if the Business Data
Catalog connects to a server containing a copy of data instead of the server that is running the
line-of-business application, you must use the location of the copied data in the start address for
the business data content source.
Use the following procedure to configure business data content sources.

Configure business data content sources


1. Create one or more content sources for the data in line-of-business applications,
using one start address per application. Use a start address that respects your security
configuration.
2. To use a crawling account other than the default content access account to crawl a
particular business data start address, create a crawl rule for that start address. All
content sources that include that start address will use that account.
3. To change how a particular start address is crawled, configure a crawl rule for that
start address.
4. Crawl all business data content sources.
5. Some properties for business data might appear as crawled properties in the search
schema. Based on search schema planning, select relevant properties in the Configure
Search section of the Business Data Catalog and map them to managed properties for
search. These properties will be available for use during search queries.
6. Crawl the content sources again to complete the mapping of managed properties.

Configure and customize query options for business data
After crawling business data content sources, the SSP administrator for the search service
creates and configures shared search scopes for business data. Then site administrators create
site search scopes and keywords, and configure relevance settings for queries performed on the
sites that they manage.
Both SSP administrators and site administrators configure query options based on decisions
made during planning for the initial deployment. Many of these settings will be changed as part of
regular operations, but it is helpful to configure the initial query options for your deployment of
Office SharePoint Server 2007.
Use the following procedure to configure the initial query options.

Configure initial query options


1. Create shared search scopes for business data (SSP administrator).
2. Create site-specific search scopes for business data (site administrators).
3. Configure keywords for business data (site administrators).
4. Configure relevance settings (site administrators).
5. Customize the Search Center tabs for business data.

See Also
Configure access to business data
Register business applications in the Business Data Catalog

C. Configure Excel Services

Chapter overview: Configure Excel Services
Configure Excel Services in Microsoft Office SharePoint Server 2007 to centrally manage user
access to system resources and external databases. From the Central Administration Web
application in Microsoft Office SharePoint Server 2007, you can configure the SharePoint
document libraries, UNC paths, and HTTP Web sites from which Excel Calculation Services can
open workbooks.
You can also configure which external databases workbook authors are allowed to access. You
can configure restrictions on the use of data connections, single sign-on (SSO) authentication,
and the use of user-defined functions.

About Excel Services configuration


• Trusted file locations These are SharePoint document libraries, UNC paths, or HTTP
Web sites that have to be explicitly trusted before Excel Calculation Services is allowed to
access them. For more information, see Add a trusted file location.
• Single sign-on SSO enables authentication against external data sources without
having to provide authentication credentials more than once. SSO authentication is required
in a trusted subsystem environment. For more information, see Start the Single Sign-On
service and Manage settings for single sign-on.
• Trusted data providers These are databases that reside outside of the Excel Services
farm and that Excel Calculation Services is explicitly configured to trust when processing data
connections in workbooks. Excel Calculation Services attempts to process a data connection
only if the connection is to a database that has been added to the Excel Services trusted data
providers list. For more information, see Add a trusted data provider.
• Trusted data connection libraries These are SharePoint document libraries that
contain Office data connection (.odc) files that are used to manage workbook connections to
trusted data providers. In the trusted subsystem model, front-end Web servers and
application servers running Excel Calculation Services trust the accounts of the associated
Office SharePoint Server 2007 applications. For more information, see Add a trusted data
connection library.
• User-defined functions These are functions that enable users to extend the
functionality of Excel Web Services. For more information, see Enable user-defined functions.

See Also
Plan Excel Services security (http://technet.microsoft.com/en-us/library/cc263086.aspx)

Add a trusted file location
In this section:
• About trusted file locations
• Add a trusted file location

About trusted file locations


In Microsoft Office SharePoint Server 2007, a trusted file location is a SharePoint document
library, a UNC path, or an HTTP Web site that is configured as a trusted repository for workbooks
that Excel Calculation Services can access. Excel Calculation Services opens workbooks that are
stored in trusted file locations only.
If you are planning to use a new SharePoint document library as a trusted file location for Excel
Services in Microsoft Office SharePoint Server 2007, create the new document library on a
SharePoint site. To create the new document library, click the Site Actions menu, select Create,
and then click Document Library. On the New page, type a name for the new document library
and click Create.

Add a trusted file location


Use the following procedure to add a trusted file location.

Add a trusted file location


1. From Administrative Tools, open the SharePoint Central Administration Web
application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Office SharePoint Server 2007
Shared Services section, click Create or Configure this Farm's Shared Services.
4. On the Manage this Farm's Shared Services page, click SharedServices1 (Default).
This is the Shared Services Provider (SSP) that you will configure.
5. On the Shared Services home page, in the Excel Services Settings section, click
Trusted file locations.
6. On the Excel Services Trusted File Locations page, click Add Trusted File Location.
7. In the Address section, type the location and name of the Office SharePoint Server 2007
document library that you want to add as a trusted file location in Excel Services. If the
document library is stored in the Windows SharePoint Services 3.0 content database,
ensure that Windows SharePoint Services 3.0 is selected as the Location Type.

8. In the External Data section, select the type of data connections that you will allow
workbooks in this trusted file location to contain, and then click OK.

In the External Data section, you can determine whether workbooks stored in trusted file
locations and opened in Excel Calculation Services sessions can access an external data source.
You can designate whether Allow External Data is set to None, Trusted data connection
libraries only, or Trusted data connection libraries and embedded.
If you select either Trusted data connection libraries only or Trusted data connection
libraries and embedded, the workbooks stored in the trusted file locations are allowed to access
external data sources. External data connections can be accessed only when they are embedded
in or linked from a workbook. Excel Calculation Services checks the list of trusted file locations
before opening a workbook. If you select None, Excel Calculation Services will block any attempt
to access an external data source. If you manage data connections for a large number of
workbook authors, you might want to select Trusted data connection libraries only.
For information about how to perform this procedure using the Stsadm command-line tool, see
Add-ecsfiletrustedlocation (http://technet.microsoft.com/en-us/library/cc262818.aspx).

See Also
Add a trusted data connection library

Start the Single Sign-On service
In this section:
• About single sign-on authentication
• Start the Single Sign-On service

About single sign-on authentication


In Microsoft Office SharePoint Server 2007, single sign-on (SSO) authentication enables users to
access multiple system resources without having to provide authentication credentials more than
once. Office SharePoint Server 2007 implements SSO authentication by including a Windows
service and a secure credentials database.
To authenticate a data connection in a workbook against an external data source, you can
configure Excel Calculation Services to retrieve authentication credentials from an SSO store. To
enable SSO functionality for Office SharePoint Server 2007, you need to start the Microsoft
Single Sign-On service and then manage SSO settings in the SharePoint Central Administration
Web application.

Start the Single Sign-On service


Use the following procedure to start the Single Sign-On service.

Start the Single Sign-On service


1. From Administrative Tools, click Services.
2. Double-click Microsoft Single Sign-On Service.
3. On the Log On tab of the Single Sign-On Service Properties page, click This
account, and then type the domain, user name, and password that you have used to
install and manage your server.
4. Click Apply.
5. On the General tab of the Single Sign-On Service Properties page, change the
startup type to Automatic, click Start, and then click OK.

Note:
Start the Single Sign-On service on all front-end Web servers and all application
servers in your farm that run Excel Calculation Services.

See Also
Manage settings for single sign-on

Manage settings for single sign-on
In this section:
• About single sign-on settings
• Manage single sign-on settings

About single sign-on settings


Excel Services in Microsoft Office SharePoint Server 2007 supports three data authentication
methods: Integrated Windows authentication, single sign-on (SSO) authentication, and None.
Imagine a data connection in a workbook opened in an Excel Calculation Services application
server that uses stored credentials for authentication against an external data source. In this
scenario, Excel Calculation Services has to retrieve valid credentials from an SSO authentication
database, and then use the credentials to authenticate against a data source before the data
connection can be established.
To enable SSO functionality for Microsoft Office SharePoint Server 2007, you need to start the
Microsoft Single Sign-On service, and then manage SSO settings in the SharePoint Central
Administration Web application.

Manage single sign-on settings


Use the following procedure to manage SSO settings.

Manage SSO settings


1. From Administrative Tools, open the SharePoint Central Administration Web
application.
2. On the Central Administration home page, click Operations.
3. In the Security Configuration section, click Manage settings for single sign-on.
4. On the Manage Settings for Single Sign-On page, click Manage server settings.
5. In the Account Name box for the SSO Administrator account, type the same domain
and user name that you used to configure the Single Sign-On service. If the user name
you used to configure the Single Sign-On service is a member of a Windows security
group, you can type the name of the Windows security group instead of a user name.
6. In the Enterprise Application Definition Administrator Account box, type the
same domain and user name that you used to configure the Single Sign-On service.

See Also
Start the Single Sign-On service

Add a trusted data provider
In this section:
• About trusted data providers
• Add a trusted data provider

About trusted data providers


Trusted data providers are external databases that Excel Calculation Services is explicitly
configured to trust when processing data connections in workbooks. Excel Calculation Services
attempts to process a data connection only if the connection is to a trusted data provider.
You can control access to external data by explicitly defining the data providers that are trusted
and recording them in the list of trusted data providers. The list of trusted data providers
designates specific external data providers to which workbooks opened in Excel Calculation
Services are permitted to connect.
Before instantiating a data provider to enable a workbook to connect to an external data source,
Excel Calculation Services checks the connection information to determine whether the provider
appears on the list of trusted data providers. If the provider is on the list, a connection is
attempted; otherwise, the connection request is ignored.

Add a trusted data provider


Use the following procedure to add a trusted data provider.

Add a trusted data provider


1. From Administrative Tools, open the SharePoint Central Administration Web
application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Office SharePoint Server 2007
Shared Services section, click Create or Configure this Farm’s Shared Services.
4. On the Manage this Farm’s Shared Services page, click SharedServices1 (Default).
This is the Shared Services Provider (SSP) that you will configure.
5. On the Shared Services home page, in the Excel Services Settings section, click
Trusted data providers.
6. On the Excel Services Trusted Data Providers page, click Add Trusted Data
Provider.
7. In the Provider ID section, type the provider ID of the external data provider that you
want to add (the provider name that appears in connection strings, for example SQLOLEDB).
In the Data Provider Type section, select OLE DB, ODBC, or ODBC DSN to match the provider.
Optionally type a description, and then click OK.

For information about how to perform this procedure using the Stsadm command-line
tool, see Add-ecssafedataprovider (http://technet.microsoft.com/en-
us/library/cc263293.aspx).

See Also
Add a trusted data connection library

Add a trusted data connection library
In this section:
• About trusted data connection libraries
• Add a trusted data connection library

About trusted data connection libraries


In Microsoft Office SharePoint Server 2007, a trusted data connection library is a data connection
library from which you have determined that it is safe to access Office data connection (.odc)
files. The .odc files are used to centrally manage connections to external data sources.
Instead of allowing connection strings embedded in workbooks, Excel Calculation Services can be
configured, per trusted file location, to require the use of .odc files for all data connections.
The .odc files are stored in data connection libraries, and a data connection library has to be
explicitly trusted before Excel Calculation Services will allow workbooks to use the connections
it contains. Because a trusted library is then the source of every connection string, restrict
the right to add or edit .odc files in it to the people who review connections.
If a data connection is linked from a workbook that is accessed by a server running Excel
Calculation Services, the server checks the connection information and the list of trusted data
connection libraries. If the data connection library is on the list, a connection is attempted by
using the .odc file from the data connection library; otherwise, the connection request is ignored.
Before you can configure a data connection library as a trusted data connection for Excel
Services in Microsoft Office SharePoint Server 2007, you must create a data connection library
on a SharePoint site. To create a data connection library, click the Site Actions menu, select
Create, and then click Data Connection Library. On the New page, type a name for the new
data connection library and click Create.

Add a trusted data connection library


Use the following procedure to add a trusted data connection library.

Add a trusted data connection library


1. From Administrative Tools, open the SharePoint Central Administration Web
application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Office SharePoint Server 2007
Shared Services section, click Create or Configure this Farm’s Shared Services.
4. On the Manage this Farm’s Shared Services page, click SharedServices1 (Default).
This is the Shared Services Provider (SSP) that you will configure.
5. On the Shared Services home page, in the Excel Services Settings section, click
Trusted data connection libraries.
6. On the Excel Services Trusted Data Connection Libraries page, click Add Trusted
Data Connection Library.
7. Type the address of the data connection library that you want to configure as a
trusted data connection library and click OK.

For information about how to perform this procedure by using the Stsadm command-line tool, see
Add-ecstrusteddataconnectionlibrary (http://technet.microsoft.com/en-us/library/cc261726.aspx).

See Also
Add a trusted file location

Enable user-defined functions
In this section:
• About user-defined functions
• Enable user-defined functions
• Enable user-defined functions for workbooks in a trusted file location

About user-defined functions


User-defined functions extend the capabilities of Excel Services in Microsoft Office SharePoint
Server 2007 by enabling you to define and create custom functions. To enable this functionality,
you need to configure Excel Services to support user-defined functions.
To configure this support, you must enable user-defined functions on trusted file locations
containing workbooks that require access to this functionality. In addition, you must register user-
defined function assemblies on the Excel Services user-defined function assembly list.

Enable user-defined functions


Use the following procedure to enable user-defined functions.

Enable user-defined functions


1. From Administrative Tools, open the SharePoint Central Administration Web
application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Office SharePoint Server 2007
Shared Services section, click Create or Configure this Farm's Shared Services.
4. On the Manage this Farm's Shared Services page, click SharedServices1 (Default).
This is the Shared Services Provider (SSP) that you will configure.
5. On the Shared Services home page, in the Excel Services Settings section, click
User-defined function assemblies.
6. On the Excel Services User-Defined Functions page, click Add User-Defined
Function Assembly.
7. In the Assembly box, type the assembly strong name or the file path of the user-
defined function assembly that you want to register.
8. In Assembly Location, perform the following actions:
a. Select the global assembly cache (GAC) if you are deploying a user-defined
function assembly to the GAC on each Excel Calculation Services application server
in your farm.
b. Select Local file if you want to load a user-defined function assembly from a
directory on an Excel Calculation Services application server (a local path), or from a
network share (a UNC path). Anyone who can replace that file controls code that Excel
Calculation Services runs on every application server, so restrict write access to the
path; deploying a strongly named assembly to the GAC avoids this dependency on file
permissions.
c. Ensure that the Enable Assembly check box is selected, and then click OK.
For information about how to perform this procedure using the Stsadm command-line
tool, see Add-ecsuserdefinedfunction (http://technet.microsoft.com/en-
us/library/cc262904.aspx).

Enable user-defined functions for workbooks in a trusted file location


Use the following procedure to enable user-defined functions for workbooks in a trusted file
location.

Enable user-defined functions for workbooks in a trusted file location


1. In the Excel Services Settings section of the Shared Services Administration home
page, click Trusted file locations.
2. On the Excel Services Trusted File Locations page, click the URL of the trusted file
location whose properties you want to edit.
3. In the User-Defined Functions section of the Excel Services Edit Trusted File
Location page, select User-defined functions allowed, and then click OK.
For information about how to perform this procedure using the Stsadm command-line
tool, see the -udfallowed parameter of the Add-ecstrustedlocation and Set-ecstrustedlocation
operations. (Add-ecsuserdefinedfunction registers an assembly; it does not enable
user-defined functions for a trusted file location.)
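
The three procedures above (adding a trusted data provider, adding a trusted data connection
library, and enabling user-defined functions) can be applied and verified from a script through
the Stsadm operations that each procedure refers to, which is preferable to clicking through
Central Administration when the same allowlist must exist on several farms. The following script
is an added example and not part of this book. The SSP name, the site URLs, the provider ID and
the assembly strong name are assumptions; the operation and parameter names are those of the
Stsadm Excel Services reference, with the enum* operations used to read each list back.

```powershell
# Added example (not from the book): applies an Excel Services allowlist through stsadm and verifies it.
# Assumptions: the SSP name, the two site URLs, the provider ID and the assembly strong name below;
# the operation and parameter names are those of the stsadm Excel Services reference.
$Stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'
$Ssp = 'SharedServices1'                                        # assumed SSP name
$Dcl = 'http://portal.contoso.com/sites/bi/DataConnections'     # assumed data connection library URL
$Loc = 'http://portal.contoso.com/sites/bi/Reports'             # assumed trusted file location URL
$Udf = 'Contoso.ExcelUdfs, Version=1.0.0.0, Culture=neutral, PublicKeyToken=2b2d0da0ed3b7a1c'  # assumed

function Invoke-Stsadm {
    # Runs one stsadm operation and throws on a non-zero exit code so a failed step cannot go unnoticed.
    param([string[]]$Arguments)
    $output = & $Stsadm @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "stsadm $($Arguments -join ' ') failed with exit code $LASTEXITCODE`: $output"
    }
    return ($output | Out-String)
}

# 1. Trusted data provider: the provider ID is the driver name that appears in connection strings.
Invoke-Stsadm @('-o', 'add-ecssafedataprovider', '-ssp', $Ssp,
                '-providerid', 'SQLNCLI', '-providertype', 'OleDb',
                '-description', 'SQL Native Client, reviewed by the DBA team')

# 2. Trusted data connection library: the only place workbooks in $Loc may take connection strings from.
Invoke-Stsadm @('-o', 'add-ecstrusteddataconnectionlibrary', '-ssp', $Ssp, '-ldrurl', $Dcl)

# 3. Register the user-defined function assembly from the GAC and enable it.
Invoke-Stsadm @('-o', 'add-ecsuserdefinedfunction', '-ssp', $Ssp,
                '-assembly', $Udf, '-assemblylocation', 'GAC', '-enable', 'true')

# 4. Trusted file location: allow external data only through .odc files (Dcl) and allow UDFs there.
Invoke-Stsadm @('-o', 'add-ecstrustedlocation', '-ssp', $Ssp,
                '-location', $Loc, '-locationtype', 'SharePoint', '-includechildren', 'true',
                '-externaldataallowed', 'Dcl', '-udfallowed', 'true')

# 5. Verify each list and stop if an expected entry is missing.
$expected = @{
    'enumecssafedataproviders'              = 'SQLNCLI'
    'enumecstrusteddataconnectionlibraries' = $Dcl
    'enumecsuserdefinedfunctions'           = 'Contoso.ExcelUdfs'
    'enumecstrustedlocations'               = $Loc
}
foreach ($op in $expected.Keys) {
    $list = Invoke-Stsadm @('-o', $op, '-ssp', $Ssp)
    if ($list -notmatch [regex]::Escape($expected[$op])) { throw "$op does not list $($expected[$op])" }
    Write-Host "$op contains $($expected[$op])"
}
```

Run the script once per SSP from a server in the farm, as a farm administrator. The
-externaldataallowed Dcl setting on the trusted file location is what enforces the .odc-only
behavior described under trusted data connection libraries; leave it at Dcl unless a workbook
genuinely needs an embedded connection.
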

D. Configure InfoPath Forms Services

Configure InfoPath Forms Services for Office
SharePoint Server
InfoPath Forms Services provides you with the ability to deploy your organization's forms to
Microsoft Office SharePoint Server and enable users to fill out these forms using a Web browser.
There are many ways you can configure InfoPath Forms Services depending on the needs of
your organization. For example, by default, form templates deployed by non-administrators ("user
form templates") can be opened in a browser, but you can disable this feature so that only
administrator-approved templates are browser-enabled.
You should configure InfoPath Forms Services before you begin to deploy form templates in order
to avoid unexpected behavior.
Before you begin to configure InfoPath Forms Services, you should read the planning articles in
Plan Forms Services (http://technet.microsoft.com/en-us/library/cc262498.aspx) to ensure your
configuration choices are aligned with the needs of your organization.

Configure InfoPath Forms Services using Central Administration


To configure InfoPath Forms Services, you will need to navigate to the Configure InfoPath Forms
Services page in the SharePoint Central Administration Web site.

Configure InfoPath Forms Services


1. On the taskbar, click Start, point to Administrative Tools, and then click SharePoint
3.0 Central Administration.
2. In the navigation bar, click the Application Management tab.
3. On the Application Management page, in the InfoPath Forms Services section, click
Configure InfoPath Forms Services.
4. On the Configure InfoPath Forms Services page, in the User Browser-enabled
Form Templates section, you can choose settings that determine how user form
templates are processed by InfoPath Forms Services.
a. Select the Allow users to browser-enable form templates check box to allow
users to deploy browser-enabled form templates.
b. Select the Render form templates that are browser-enabled by users check
box to allow browser-enabled form templates deployed by users to be rendered in a
Web browser. If this option is not selected, users can still deploy browser-compatible
form templates, but these form templates are not accessible through a Web browser.
5. In the Data Connection Timeouts section, specify default and maximum timeouts
for data connections from a browser-enabled form. The connection timeout can be
changed by code in the form template, but it will never exceed the maximum timeout
specified.
a. In the Default data connection timeout box, enter the time in milliseconds that
will elapse before a data connection times out. The default timeout is 10000
milliseconds. You can override this setting with code within a form template that
specifies the data connection timeout value.
b. In the Maximum data connection timeout box, enter the maximum time in
milliseconds that will elapse before a data connection times out. The default timeout
is 20000 milliseconds. This is an absolute setting, and it overrides any data
connection timeout values specified within form template code.
6. In the Data Connection Response Size section, type a value in kilobytes in the box
to specify the maximum size of responses data connections are allowed to process. Data
connection responses that exceed this value will generate an error message.
7. In the HTTP data connections section, select the Require SSL for HTTP
authentication to data sources box to require an SSL-encrypted connection for data
connections that use Basic authentication or Digest authentication. Basic authentication
sends the user name and password in cleartext, so without SSL the credential can be read by
anyone on the network path. You must have configured Secure Sockets Layer (SSL) properly in
order for this setting to function.
8. In the Embedded SQL Authentication section, select the Allow embedded SQL
authentication box to allow forms to use embedded SQL credentials. Forms that
connect to databases may embed a SQL user name and password in the connection
string. The connection string can be read in plaintext in the universal data connection file
associated with the solution, or in the solution manifest, so anyone who can read the form
template or the data connection file can recover the credential. Leave this box cleared
unless you have accepted that risk, and prefer Windows authentication or a Single Sign-On
application ID for database connections.
9. In the Authentication to data sources (user form templates) section, select the
Allow user form templates to use authentication information contained in data
connection files box to allow user form templates to use embedded authentication
information such as an explicit user name and password or a Microsoft Single Sign-On
application ID.
10. In the Cross-Domain Access for User Form Templates section, select the Allow
cross-domain data access for user form templates that use connection settings in
a data connection file box to allow user form templates to access data from another
domain.
11. In the Thresholds section, specify the thresholds at which to end user sessions and
log error messages. Form operations that exceed these thresholds will terminate the user
session, resulting in the loss of all form data entered during the session, and generate an
error message.
a. In the Number of postbacks per form session state box, type the maximum
number of postbacks you want to allow. The default value is 75.
b. In the Number of actions per postback box, type the maximum number of
actions per postback you want to allow. The default value is 200.
12. Before you configure form session state, you should read Configure session state for
InfoPath Forms Services. Correct configuration of form session state requires that you
understand how session state is configured for Office SharePoint Server, and it can
dramatically affect the behavior of InfoPath Forms Services operations and system
performance.
Form session state stores data necessary to maintain a user session. File attachment
data in the form will receive an additional 50 percent of session state space.

Note:
The default parameters should work for most scenarios. If you change the default
settings, verify that form-filling sessions are working properly.
13. In the Form Session State section, configure the following parameters:
a. In the Active sessions should be terminated after text box, type the maximum
session duration in minutes. Form-filling sessions that exceed this value will
terminate, an error message will be generated, and all form data entered during the
session will be lost. The default value is 1440 minutes.
b. In the Maximum size of form session state text box, type the maximum
session state size in kilobytes. Form-filling sessions that exceed this value will
terminate, an error message will be generated, and all form data entered during the
session will be lost. The default value is 4096 kilobytes.
c. In the Select the location to use for storing form session state section,
choose from the following options:

• Session State Service (best for low-bandwidth users): store session state data on the
computer running Microsoft SQL Server.
• Form view (reduces database load on server): store session state data on the client
computer. If form session state is larger than the value specified in the associated text
box, the Session State Service will be used instead.

d. In the associated text box, type the session state size in kilobytes at which form
view will be automatically transitioned to the Session State Service. Once this
threshold is reached, session state data will be saved to the SQL Server database,
and the session will continue to use the Session State Service. The default value is
40 kilobytes.
14. Click OK to save your settings.
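
Steps 7 through 10 decide whether explicit credentials carried by a data connection file are
honored at all; a practitioner will also want to know which files in a data connection library
actually contain such credentials. The following script is an added example and not part of this
book: it scans a local copy of a data connection library for connection strings with an embedded
password, explicit password elements, and non-SSL service URLs. The folder path and the
constructed sample .udcx file are assumptions; element names are matched by local name, so the
check does not depend on a particular .udcx or .odc schema version.

```powershell
# Added example (not from the book): finds data connection files that carry explicit credentials
# or point at non-SSL data sources. Assumptions: the library was copied to $Root, and the sample
# .udcx written below is a constructed file used only so the script runs without a server.
param([string]$Root = 'C:\Audit\DataConnections')   # assumed path

$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<udc:DataSource MajorVersion="2" MinorVersion="0" xmlns:udc="http://schemas.microsoft.com/office/infopath/2006/udc">
  <udc:Name>Orders</udc:Name>
  <udc:ConnectionInfo Purpose="ReadOnly">
    <udc:SelectCommand>
      <udc:ConnectionString>Provider=SQLOLEDB;Data Source=sql01;Initial Catalog=Orders;User ID=svc_forms;Password=Summer2009!</udc:ConnectionString>
      <udc:ServiceUrl>http://erp.contoso.com/orders.asmx</udc:ServiceUrl>
    </udc:SelectCommand>
    <udc:Authentication>
      <udc:UseExplicit CredentialType="NTLM"><udc:UserId>CONTOSO\svc_forms</udc:UserId><udc:Password>Summer2009!</udc:Password></udc:UseExplicit>
    </udc:Authentication>
  </udc:ConnectionInfo>
</udc:DataSource>
'@
if (-not (Test-Path $Root)) {
    New-Item -ItemType Directory -Path $Root | Out-Null
    Set-Content -Path (Join-Path $Root 'Orders.udcx') -Value $sample   # constructed sample
}

function Get-ConnectionFindings {
    param([string]$Path)
    $findings = @()
    $text = [System.IO.File]::ReadAllText($Path)

    # 1. Connection-string style credentials anywhere in the file; this also covers .odc files,
    #    which are HTML and do not parse as XML.
    foreach ($m in [regex]::Matches($text, '(?i)(?<![\w])(password|pwd)\s*=\s*(?<v>[^;"''<\s]+)')) {
        $findings += "plaintext '$($m.Groups[1].Value)=' in a connection string"
    }
    # 2. Explicit password elements with a value, and unencrypted service URLs, where the file is XML.
    try {
        $xml = [xml]$text
        foreach ($n in $xml.SelectNodes("//*[local-name()='Password']")) {
            if ($n.InnerText.Trim() -ne '') { $findings += "explicit password element (<$($n.Name)>)" }
        }
        foreach ($n in $xml.SelectNodes("//*[local-name()='ServiceUrl' or local-name()='WsdlUrl']")) {
            if ($n.InnerText -match '^\s*http://') { $findings += "non-SSL data source URL $($n.InnerText.Trim())" }
        }
    } catch { <# not XML: the regex pass above is all that applies #> }
    return $findings
}

$files = Get-ChildItem -Path $Root -Recurse -Include *.udcx, *.udc, *.odc
foreach ($f in $files) {
    $found = Get-ConnectionFindings -Path $f.FullName
    if ($found) {
        Write-Host "$($f.FullName):"
        $found | Sort-Object -Unique | ForEach-Object { Write-Host "  - $_" }
    }
}
```

Every file the script reports is one whose credential is readable by anyone with read access to
the library; either move the connection to a Single Sign-On application ID, or accept that the
Allow embedded SQL authentication and data connection file authentication settings above are
what make that credential usable.
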

See Also
Configure session state for InfoPath Forms Services

Configure session state for InfoPath Forms
Services
In this section:
• Configure session state for Forms Services
• Session state vs. Form view
InfoPath Forms Services uses session state to store the large amount of transient data generated
while filling out a form. As a result, front-end Web servers can remain stateless between round
trips, and each postback is not burdened with carrying large amounts of session state information
over narrow bandwidth pipes. Other methods of state management, such as in process, are not
supported for farms with multiple front-end Web servers. Session state can only be used with
Web applications that are associated with a Shared Services Provider (SSP). For more
information about SSPs, see Plan Shared Services Providers (http://technet.microsoft.com/en-
us/library/cc263276.aspx).

Note:
In order for the session state database to be properly maintained, SQL Server Agent must be
running on the instance of Microsoft SQL Server where session data is stored. If SQL Server
Agent is not running, the scheduled job that removes expired sessions does not run, expired
sessions accumulate in the session table, and the database eventually grows into a storage
problem.

Note:
If you are deploying Microsoft Office SharePoint Server 2007 with Microsoft SQL Server
2005 Express Edition, such as in a single-server deployment, expired sessions must be
expunged manually. SQL Server 2005 Express Edition does not include SQL Server Agent,
so it cannot run the cleanup job on a schedule.
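
When SQL Server Agent is not available, the cleanup has to be run some other way. The following
script is an added example, not part of this book: it removes expired sessions by calling the
session database's cleanup stored procedure and reports how many it removed, so that it can be
scheduled with schtasks on a single-server deployment. The instance name, the SSP database name,
and the table and procedure names (those of the standard ASP.NET SQL session-state schema, which
the Session State Service uses) are assumptions to confirm against your own SSP database before
running it.

```powershell
# Added example (not from the book): expunges expired form sessions where no SQL Server Agent exists.
# Assumptions: instance and database names, and the standard ASP.NET session-state object names
# (table dbo.ASPStateTempSessions, column Expires, procedure dbo.DeleteExpiredSessions).
param(
    [string]$Instance = '.\OFFICESERVERS',     # assumed SQL Server 2005 Express instance
    [string]$Database = 'SharedServices1_DB'   # assumed SSP database
)

$connectionString = "Data Source=$Instance;Initial Catalog=$Database;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
$conn.Open()
try {
    $cmd = $conn.CreateCommand()

    # Count first so each run leaves a record of how much it removed.
    $cmd.CommandText = 'SELECT COUNT(*) FROM dbo.ASPStateTempSessions WHERE Expires < GETUTCDATE()'
    $expired = [int]$cmd.ExecuteScalar()

    # Same procedure the SQL Server Agent job would call on a full edition.
    $cmd.CommandText = 'dbo.DeleteExpiredSessions'
    $cmd.CommandType = [System.Data.CommandType]::StoredProcedure
    $cmd.ExecuteNonQuery() | Out-Null

    $cmd.CommandType = [System.Data.CommandType]::Text
    $cmd.CommandText = 'SELECT COUNT(*) FROM dbo.ASPStateTempSessions'
    $remaining = [int]$cmd.ExecuteScalar()

    "$(Get-Date -Format s) removed $expired expired sessions; $remaining live sessions remain"
} finally {
    $conn.Close()
}

# Schedule it in place of the missing Agent job, for example every 30 minutes as the account
# that already has access to the SSP database (run once, interactively):
# schtasks /Create /SC MINUTE /MO 30 /TN "MOSS expired sessions" /RU CONTOSO\svc_moss /RP * /TR "powershell.exe -File C:\Scripts\Remove-ExpiredSessions.ps1"
```
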

Configure session state for Forms Services


You can configure session state settings such as state type and session thresholds for InfoPath
Forms Services across the entire farm. If any of the thresholds are exceeded, the user's session
is terminated, resulting in the loss of all form data, and an error is entered in the event log for the
server. The error message shown to the user is "session has exceeded the amount of allowable
resources."
To configure form session state, see steps 12 and 13 in Configure InfoPath Forms Services for
Office SharePoint Server.

Session state versus Form view


You can configure InfoPath Forms Services to use the Session State service (the default option)
or Form view (ASP.NET view state) to control how user sessions are managed. When you
configure InfoPath Forms Services to use the Session State service, all browser sessions are
maintained on the SQL Server database, which uses little network bandwidth, but has a
cumulative performance impact on the computer running SQL Server. When you are using Form
view, sessions are maintained on the client browser, and all session data is included in each
postback to the server, up to 40 KB of session data. This approach uses more bandwidth than
using session state does, but it does not affect the performance of the computer running SQL
Server. Once session data reaches 40 KB in size, the session automatically transitions to
session-state management.
We recommend the use of Form view in environments with smaller groups of users, because it
reduces the load on the computer running SQL Server. If your InfoPath Forms Services
deployment will have many users, particularly if session data stays below 40 KB for many
high-usage form templates, session state is likely a better choice, because in Form view every
postback from every user would carry that data. If Form view is used and there is a concern
that network performance might be adversely affected, monitor the bandwidth consumed by
browser sessions, each of which can add up to 40 KB to every postback.
See Also
Manage session state for Microsoft Office SharePoint Server 2007
(http://technet.microsoft.com/en-us/library/cc263527.aspx)
Configure InfoPath Forms Services for Office SharePoint Server

E. Configure Office Project Server

Deploy Project Server 2007 with Office
SharePoint Server 2007
Microsoft Office Project Server 2007 is the core of Microsoft Office Enterprise Project
Management (EPM) Solutions. The Microsoft Office Enterprise Project Management (EPM)
Solution allows you to effectively manage and prioritize projects and resources across your
organization. With it your teams can share knowledge, collaborate smoothly to complete tasks
and deliverables, and adjust activities quickly to accommodate project changes and updates. And
you can accurately assess your needs and effectively deploy resources across the organization.
For more information about Office Project Server 2007 and EPM Solutions, see What's new in
Office Project 2007 (http://technet.microsoft.com/en-us/library/cc197654.aspx).

Note:
Additional information can be found in the Microsoft Office Enterprise Project
Management Solution and Microsoft Office Project Server 2007 Product Guide
(http://www.microsoft.com/office/preview/solutions/epm/guide.mspx).
You can easily install and configure Office Project Server 2007 on an existing Office SharePoint
Server 2007 farm. For detailed information and procedures, see Deploy Project Server 2007 to an
existing deployment of Office SharePoint Server 2007 (http://technet.microsoft.com/en-
us/library/cc197558.aspx).

IV. Perform additional configuration tasks

Chapter overview: Additional configuration
tasks
After the initial installation and configuration of Microsoft Office SharePoint Server 2007, you can
configure several additional settings. The configuration of additional settings is optional, but many
key features are not available unless these settings are configured.

Configure additional administrative settings


To take full advantage of the administrative features and capabilities of Microsoft Office
SharePoint Server 2007, perform the following optional administrative tasks by using SharePoint
Central Administration:
• Configure incoming e-mail settings You can configure incoming e-mail settings so
that SharePoint sites accept and archive incoming e-mail. You can also configure incoming e-
mail settings so that SharePoint sites can archive e-mail discussions as they happen, save e-
mailed documents, and show e-mailed meetings on site calendars. In addition, you can
configure the SharePoint Directory Management Service to provide support for e-mail
distribution list creation and management. For more information, see Configure incoming e-
mail settings.
• Configure outgoing e-mail settings You can configure outgoing e-mail settings so that
your Simple Mail Transfer Protocol (SMTP) server sends e-mail alerts to site users and
notifications to site administrators. You can configure both the "From" e-mail address and the
"Reply" e-mail address that appear in outgoing alerts. You can also configure outgoing e-mail
settings for all Web applications or for only one Web application. For more information, see
Configure outgoing e-mail settings and Configure outgoing e-mail settings for a specific Web
application.
• Configure workflow settings You can configure workflow settings to enable end users
to create their own workflows by using code pre-generated by administrators. You can also
configure whether internal users without site access can receive workflow alerts, and whether
external users can participate in workflows by receiving copies of documents by e-mail. For
more information, see Configure workflow settings.
• Configure diagnostic logging settings You can configure several diagnostic logging
settings to help with troubleshooting. These include enabling and configuring trace logs,
event messages, user-mode error messages, and Customer Experience Improvement
Program events. For more information, see Configure diagnostic logging settings.
• Configure single sign-on You can configure single sign-on settings in the farm. Single
sign-on enables you to connect to external data sources by using Excel Calculation Services
or the Business Data Catalog. For more information, see Configure single sign-on.
• Configure antivirus settings You can configure several antivirus settings if you have
an antivirus program that is designed for Office SharePoint Server 2007. Antivirus settings
allow you to control whether documents are scanned on upload or on download, and whether
users can download infected documents. You can also specify how long you want the
antivirus program to run before it times out, and you can specify how many execution threads
the antivirus program can use on the server. For more information, see Configure antivirus
settings.
You can use the following procedure to configure optional administrative settings using
SharePoint Central Administration.

Configure administrative settings using SharePoint Central Administration


1. Click Start, point to All Programs, point to Administrative Tools, and then click
SharePoint 3.0 Central Administration.
2. On the SharePoint Central Administration home page, under Administrative
Tasks, click the administrative task that you want to perform.
3. On the Administrative Tasks page, next to Action, click the task.

Configure incoming e-mail settings
In this section:
• Install and configure the SMTP service
• Configure Active Directory
• Configure permissions to the e-mail drop folder
• Configure DNS Manager
• Configure attachments from Outlook 2003
• Configure incoming e-mail settings
• Configure incoming e-mail on SharePoint sites
Use the procedures in this section to configure the incoming e-mail settings for Microsoft Office
SharePoint Server 2007.
The features of Office SharePoint Server 2007 that use incoming e-mail are not available until
these settings are configured.
Before you configure incoming e-mail settings in Office SharePoint Server 2007, confirm that:
• You have read the topic Plan incoming e-mail (http://technet.microsoft.com/en-
us/library/cc263260.aspx).
• One or more servers in your server farm are running the Internet Information Services
(IIS) Simple Mail Transfer Protocol (SMTP) service, or you know the name of another server
that is running the SMTP service. This server must be configured to accept relayed e-mail
from the mail server for the domain.
• One or more servers in your server farm are running the Microsoft SharePoint Directory
Management Service, or you know the name of another server that is running the SharePoint
Directory Management Web Service.
• The application pool account for the SharePoint Central Administration Web site has the
Create, delete, and manage user accounts right to the container in the Active Directory
directory service.
• The application pool account for Central Administration, the logon account for the
Windows SharePoint Services Timer service, and the application pool accounts for your Web
applications have the correct permissions to the e-mail drop folder.
• The domain controller running Active Directory has a Mail Exchanger (MX) entry in DNS
Manager for the mail server that you plan to use for incoming e-mail.

Note:
All of these configuration steps are described in detail in the following sections.

Install and configure the SMTP service
Incoming e-mail for Office SharePoint Server 2007 uses the SMTP service. The SMTP service
can be either installed on one or more servers in the farm, or administrators can provide an e-mail
drop folder for e-mail forwarded from the service on another server. The drop folder option is not
recommended because administrators of the other server can affect the availability of incoming e-
mail by changing the configuration of SMTP, and because this requires the additional step of
configuring permissions to the e-mail drop folder.
If a drop folder is not used, the SMTP service must be installed on each server that is used to
receive and process incoming e-mail. Typically, this includes every front-end Web server in the
farm.

Start the Windows SharePoint Services Web Application service


Each server that is running the SMTP service must also be running the Windows SharePoint
Services Web Application service. These servers are called front-end Web servers. In many
cases, this service will have already been configured.

Important:
Membership in the Farm Administrators group of the Central Administration site is
required to complete this procedure.

Start the Windows SharePoint Services Web Application service


1. On the top navigation bar, click Operations.
2. On the Operations page, in the Topology and Services section, click Services on
server.
3. On the Services on Server page, find Windows SharePoint Services Web
Application in the list of services, and click Start.

Install the SMTP service


The SMTP service is a component of IIS. It must be installed on every front-end Web server in
the farm that you want to configure for incoming e-mail.

Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.

Install the SMTP service


1. In Control Panel, click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. In the Windows Components Wizard, in the Components box, click Application
Server, and then click the Details button.
4. In the Application Server dialog box, in the Subcomponents of Application
Server box, click Internet Information Services (IIS), and then click the Details button.
5. In the Internet Information Services (IIS) dialog box, select the SMTP Service
check box.
6. Click OK to return to the Application Server dialog box.
7. Click OK to return to the main page of the Windows Components Wizard.
8. Click Next.
9. When Windows has finished installing the SMTP service, on the Completing the
Windows Components Wizard page, click Finish.

Configure the SMTP service


After installing the SMTP service, you must configure the service to accept relayed e-mail from
the mail server for the domain.
You can decide to accept relayed e-mail from all servers except those you specifically exclude.
Alternatively, you can block e-mail from all servers except those you specifically include. You can
include servers individually, or in groups by subnet or domain.

Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.

Configure the SMTP service


1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In IIS Manager, expand the server name that contains the SMTP server that you want
to configure.
3. Right-click the SMTP virtual server that you want to configure, and then click
Properties.
4. On the Access tab, under Access control, click Authentication.
5. In the Authentication dialog box, under Select acceptable authentication
methods for this resource, verify that Anonymous access is selected.
6. Click OK.
7. On the Access tab, under Relay restrictions, click Relay.
8. To enable relaying from any server, under Select which computer may relay
through this virtual server, select All except the list below. With an empty exclusion
list this makes the virtual server an open relay that any host able to reach port 25 can
use to send mail through it, so choose this option only on a network that untrusted hosts
cannot reach, and never on a server exposed to the Internet; otherwise use step 9.
9. To accept relaying from one or more specific servers, follow these steps:
a. Under Select which computer may relay through this virtual server, select
Only the list below.
b. Click Add, and then add servers one at a time by IP address, or in groups by
using a subnet or a domain.
c. Click OK to close the Computer dialog box.
10. Click OK to close the Relay Restrictions dialog box.
11. Click OK to close the Properties dialog box.
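
After setting relay restrictions, verify them from a host that is not on the relay list. The
following script is an added example, not part of this book: it opens an SMTP session to the
virtual server, issues RCPT TO for an address in the SharePoint domain and for an address in a
foreign domain, and reports the reply codes without ever sending a message. The host names and
addresses are assumptions.

```powershell
# Added example (not from the book): open-relay check against the SMTP virtual server configured above.
# Assumptions: host names and addresses below. The session stops before DATA, so nothing is delivered.
param(
    [string]$Server         = 'sp-web01.contoso.com',              # assumed SharePoint SMTP host
    [string]$LocalAddress   = 'discussion@sharepoint.contoso.com', # assumed address in the accepted domain
    [string]$ForeignAddress = 'someone@example.net'                # address the server must refuse to relay
)

function Test-SmtpRelay {
    param([string]$Server, [string]$LocalAddress, [string]$ForeignAddress)
    $client = New-Object System.Net.Sockets.TcpClient($Server, 25)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    function Send-Line([string]$line) {
        # Sends one command (or nothing, to read the banner) and returns the final reply line;
        # continuation lines of a multi-line reply carry a hyphen after the 3-digit code.
        if ($line) { $writer.WriteLine($line) }
        do { $reply = $reader.ReadLine() } while ($reply -match '^\d{3}-')
        return $reply
    }
    try {
        $result = @{ Banner = (Send-Line $null) }
        [void](Send-Line 'EHLO audit.contoso.com')
        [void](Send-Line 'MAIL FROM:<audit@example.org>')
        $result.Local   = Send-Line "RCPT TO:<$LocalAddress>"
        $result.Foreign = Send-Line "RCPT TO:<$ForeignAddress>"
        [void](Send-Line 'RSET')
        [void](Send-Line 'QUIT')
        return $result
    } finally {
        $reader.Close(); $writer.Close(); $client.Close()
    }
}

$r = Test-SmtpRelay -Server $Server -LocalAddress $LocalAddress -ForeignAddress $ForeignAddress
"Banner : $($r.Banner)"
"Local  : $($r.Local)"     # 250 expected: the SharePoint domain is accepted
"Foreign: $($r.Foreign)"   # 550 expected: relay denied; 250 here means the server is an open relay
if ($r.Foreign -match '^250') {
    Write-Warning "$Server relays mail for foreign domains; review Relay restrictions on the virtual server"
}
```

Run it from a machine outside the relay list (and, for an Internet-facing server, from outside
the perimeter as well), because a host on the list is allowed to relay and will get 250 for both
recipients.
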

Add an SMTP connector in Exchange Server


In some scenarios, mail from Microsoft Exchange Server computers might not be automatically
relayed to the Office SharePoint Server 2007 servers that are running the SMTP service. In these
scenarios, administrators of Exchange mail servers can add an SMTP connector so that all mail
sent to the Office SharePoint Server 2007 domain uses the Office SharePoint Server 2007
servers that are running the SMTP service.
For more information about SMTP connectors, see the Help documentation for Exchange Server.

Configure Active Directory


Incoming e-mail uses the Microsoft SharePoint Directory Management Service to connect
SharePoint sites to the directory services used by your organization. If you enable the Microsoft
SharePoint Directory Management Service, users can create and manage distribution groups
from SharePoint sites. SharePoint lists that use e-mail can then be found in directory services,
such as the Address Book. You must also select which distribution group requests from
SharePoint lists require approval. The Microsoft SharePoint Directory Management Service can
be installed on a server in the farm, or you can use a remote Microsoft SharePoint Directory
Management Service.
To use the Microsoft SharePoint Directory Management Service on a farm or server, you must
configure the Central Administration application pool identity account to have the Create, delete,
and manage user accounts right to the container that you specify in Active Directory. The
preferred way to do this is by delegating the right to the Central Administration application pool
identity account. An Active Directory administrator must set up the organizational unit (OU) and
delegate the Create, delete, and manage user accounts right to the container. The advantage
of using the Microsoft SharePoint Directory Management Service on a remote farm is that you do
not have to delegate rights to the organizational unit for multiple farm service accounts.
If the application pool account for Central Administration is different from the application pool
account for the Web application of the list or site that is enabled for e-mail, you must use the
application pool account for the Web application when completing the following procedures. You
must then delegate additional rights to the Central Administration application pool account.
The following procedures are performed on a domain controller that runs Microsoft Windows
Server 2003 SP1 (with DNS Manager) and Microsoft Exchange Server 2003 SP1. In some
deployments, these applications might run on multiple servers in the same domain.

Important:
Membership in the Domain Administrators group or delegated authority for domain
administration is required to complete this procedure.

Create an organizational unit in Active Directory
1. Click Start, point to Control Panel, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click the folder for the second-level
domain that contains your server farm, point to New, and then click Organizational Unit.
3. Type the name of the organizational unit, and then click OK.

After creating the organizational unit, we recommend that you delegate the Create, delete, and
manage user accounts right to the container.

Important:
Membership in the Domain Administrators group or the Enterprise Administrators group in
Active Directory, or delegated authority for administration, is required to complete this
procedure.

Delegate right to the application pool account


1. In Active Directory Users and Computers, find the organizational unit that you just
created.
2. Right-click the organizational unit, and then click Delegate control.
3. On the Welcome page of the Delegation of Control Wizard, click Next.
4. On the Users and Groups page, click Add, and then type the name of the application
pool identity account that the Web application uses.
5. In the Select Users, Computers, and Groups dialog box, click OK.
6. On the Users or Groups page of the Delegation of Control Wizard, click Next.
7. On the Tasks to Delegate page of the Delegation of Control Wizard, select the
Create, delete, and manage user accounts check box, and then click Next.
8. On the last page of the Delegation of Control Wizard, click Finish to exit the wizard.

If you must add permissions for the application pool identity account directly, complete the
following procedure.

Important:
Membership in the Account Operators group, Domain Administrators group, or the
Enterprise Administrators group in Active Directory, or delegated authority for
administration, is required to complete this procedure.

Add permissions for the application pool account


1. In Active Directory Users and Computers, click the View menu, and then click
Advanced Features.
2. Right-click the organizational unit that you just created, and then click Properties.
3. In the Properties dialog box, click the Security tab, and then click Advanced.
4. Click Add, and then type the name of the application pool identity account for the
Web application.
5. Click OK.
6. In the Permission Entries section, double-click the application pool identity account.
7. In the Permissions section, under Allow, select the Modify permissions check box.
8. Click OK to close the Permissions dialog box.
9. Click OK to close the Properties dialog box.
10. Click OK to close the Active Directory Users and Computers plug-in.

If you decide instead to use the remote Microsoft SharePoint Directory Management Service, you
must know the URL for the Web service. This URL is typically in the following format:
http://server:adminport/_vti_bin/SharePointEmailWS.asmx.

Configure Active Directory under atypical circumstances


If you are using the Directory Management Service and the Central Administration application
pool uses a different account from the Web application for the list or site on which you want to
enable incoming e-mail, you must delegate additional rights to the Central Administration
application pool account. If you do not delegate these rights, then you cannot enable incoming e-
mail for the list or site.

Note:
Before you delegate the following rights to the Central Administration application pool
account for the organizational unit, you must delegate rights to the application pool
account for the Web application. The procedures for delegating those rights are explained
in the previous section.
Administrators must delegate full control of the organizational unit to the Central Administration
application pool account. After this delegation is complete, administrators can enable incoming e-
mail.

To delegate full control of the organizational unit to the Central Administration application pool account

Important:
Membership in the Domain Administrators group or the Enterprise Administrators group in
Active Directory, or delegated authority for administration, is required to complete this
procedure.

Delegate full control of the organizational unit to the Central Administration application
pool account
1. Right-click the organizational unit, and then click Delegate control.
2. In the Delegation of Control wizard, click Next.
3. Click Add, and then type the name of the application pool account for Central
Administration.

4. Click OK.
5. Click Next.
6. On the Tasks to Delegate page of the Delegation of Control wizard, select Create a
custom task to delegate, and then click Next.
7. Select This folder, existing objects in this folder, and creation of new objects in
this folder, and then click Next.
8. In the Permissions section, select Create all Child Objects and Delete all Child
Objects.
9. Click Next.
10. On the last page of the Delegation of Control wizard, click Finish to exit the wizard.
Delegating full control of the organizational unit to the Central Administration application pool
account allows administrators to enable e-mail for a list. Administrators cannot disable e-
mail for the list or document library after delegating full control, because the Central
Administration account tries to delete the contact from the entire organizational unit rather
than deleting the contact from the list.

To add the Delete Subtree permission for the Central Administration application pool account

To enable administrators to disable incoming e-mail on a list, you must add the Delete Subtree
permission for the Central Administration application pool account.

Important:
Membership in the Account Operators group, Domain Administrators group, or the
Enterprise Administrators group in Active Directory, or delegated authority for
administration, is required to complete this procedure.

Add the Delete Subtree permission for the Central Administration application pool
account
1. In Active Directory Users and Computers, click the View menu, and then click
Advanced Features.
2. Right-click the organizational unit and then click Properties.
3. In the Properties dialog box, click the Security tab, and then click Advanced.
4. In the Permission Entries section, double-click the Central Administration
application pool account.
5. In the Permissions section, under Allow, select Delete Subtree.
6. Click OK to close the Permissions dialog box.
7. Click OK to close the Properties dialog box.
8. Click OK to close the Active Directory Users and Computers plug-in.
After adding the permission, you must restart Internet Information Services (IIS) for the farm.

For more information about Active Directory, see the Help documentation for Active Directory.
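The Active Directory procedures above (delegating the user-account task to the Web application pool account, granting the Central Administration account Create/Delete all Child Objects, and adding Delete Subtree) can also be done from a command prompt with dsacls, which is the command-line counterpart of the Delegation of Control Wizard. The following script is an added example written for this section, not a Microsoft script; the OU name and the two service account names are placeholders, and the dsacls rights used to approximate the wizard's "Create, delete, and manage user accounts" task are my own mapping of that task, so compare the resulting ACL against what the wizard produces in your domain.

```powershell
# Added example (not part of the original book). Delegates the OU rights that
# the preceding procedures set through the GUI, then prints the resulting ACL
# so the delegation can be checked. Run on a domain controller as a domain admin.

$ou         = 'OU=SharePointContacts,DC=contoso,DC=com'  # placeholder OU distinguished name
$webAppPool = 'CONTOSO\svc_spweb'    # placeholder: app pool account of the e-mail-enabled Web application
$caAppPool  = 'CONTOSO\svc_spadmin'  # placeholder: Central Administration app pool account

# 1. Create the organizational unit (skip this line if it already exists).
dsadd ou $ou

# 2. Approximation of the wizard task "Create, delete, and manage user accounts"
#    for the Web application account: create/delete user objects in the OU,
#    plus full control (GA) over user objects beneath the OU (/I:S = subobjects only).
dsacls $ou /G "${webAppPool}:CCDC;user"
dsacls $ou /I:S /G "${webAppPool}:GA;;user"

# 3. Atypical case (Central Administration runs under a different account):
#    "Create all Child Objects" and "Delete all Child Objects" on the OU and
#    everything beneath it (/I:T = this object and subobjects) ...
dsacls $ou /I:T /G "${caAppPool}:CCDC"

# 4. ... plus Delete Subtree (DT), which the book says is needed so that
#    incoming e-mail can later be disabled on a list.
dsacls $ou /G "${caAppPool}:DT"

# 5. Check: show only the access control entries that name either service account.
#    Every ACE granted above should appear here; nothing else should have been widened.
dsacls $ou | Select-String -Pattern 'svc_spweb|svc_spadmin'

# The book requires an IIS restart on the farm servers (not the domain controller)
# after the Delete Subtree change:
# iisreset
```

Running `dsacls $ou` without a filter prints the complete ACL of the container, which is the quickest way to confirm that only the two service accounts gained rights and that nothing was granted at the domain level by mistake.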

Configure permissions to the e-mail drop folder


When incoming e-mail settings are set to advanced mode, you must ensure that certain accounts
have the correct permissions to the e-mail drop folder.

Configure e-mail drop folder permissions for the logon account for the Windows SharePoint Services Timer service

Ensure that the logon account for the Windows SharePoint Services Timer service has the Modify
permission on the e-mail drop folder. If the logon account for the service does not have the Modify
permission, e-mail enabled document libraries will receive duplicate e-mail messages.

Important:
Membership in the Administrators group on the local computer that contains the e-mail
drop folder is required to complete this procedure.

Configure e-mail drop folder permissions


1. In Windows Explorer, right-click the drop folder, click Properties, and then click the
Security tab.
2. On the Security tab, under the Group or user names box, click the Add button.
3. In the Select Users, Computers, or Groups dialog box, in the Enter objects to
select box, type the name of the logon account for the Windows SharePoint Services
Timer service, and then click OK.

Note:
This account is listed on the Log On tab of the Properties dialog box for the
service in the Services console.
4. In the Permissions for User or Group box, next to Modify, select the Allow check
box.
5. Click OK.

Configure e-mail drop folder permissions for the application pool account for a Web application

If your deployment uses different application pool accounts for Central Administration and one or
more Web applications for front-end Web servers, each application account must have
permissions to the e-mail drop folder. If the application pool account for the Web application does
not have the required permissions, e-mail will not be delivered to document libraries on that Web
application.
In most cases, when you configure incoming e-mail settings and select an e-mail drop folder,
permissions are added for two worker process groups:

• WSS_Admin_WPG, which includes the application pool account for Central
Administration and the logon account for the Windows SharePoint Services Timer service,
has Full Control permission.
• WSS_WPG, which includes the application pool accounts for Web applications, has
Read & Execute, List Folder Contents, and Read permissions.
In some cases, these groups might not be configured automatically for the e-mail drop folder. For
example, if Central Administration is running as the Network Service account, the groups or
accounts needed for incoming e-mail will not be added when the e-mail drop folder is created. It
is a good idea to check whether these groups have been added automatically to the e-mail drop
folder. If the groups have not been added automatically, you can add them or add the specific
accounts that are required.

Important:
Membership in the Administrators group on the local computer that contains the e-mail
drop folder is required to complete this procedure.

Configure e-mail drop folder permissions


1. In Windows Explorer, right-click the drop folder, click Properties, and then click the
Security tab.
2. On the Security tab, under the Group or user names box, click the Add button.
3. In the Select Users, Computers, or Groups dialog box, in the Enter objects to
select box, type the name of the worker process group or application pool account for the
Web application, and then click OK.

Note:
This account is listed on the Identity tab of the Properties dialog box for the
application pool in IIS.
4. In the Permissions for User or Group box, next to Modify, select the Allow check
box.
5. Click OK.
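The two drop-folder procedures above (Modify for the Windows SharePoint Services Timer logon account and Modify for the Web application's application pool account) can be applied and verified with icacls, which is useful when you have several front-end servers to configure. This is an added example, not part of the original book; the drop folder path is the IIS SMTP default and the account names are placeholders.

```powershell
# Added example (not part of the original book). Grants the drop-folder
# permissions described above with icacls and then lists the ACL to verify.
# Run as a local administrator on the server that hosts the drop folder.

$drop         = 'C:\Inetpub\mailroot\Drop'   # default IIS SMTP drop folder; adjust if you chose another
$timerAccount = 'CONTOSO\svc_sptimer'        # placeholder: Windows SharePoint Services Timer logon account
$webAppPool   = 'CONTOSO\svc_spweb'          # placeholder: app pool account of the e-mail-enabled Web application

# Modify for the Timer service account; without it libraries receive duplicate messages.
# (OI)(CI) make the entry apply to files and subfolders created in the drop folder.
icacls $drop /grant "${timerAccount}:(OI)(CI)M"

# Modify for the Web application's app pool account; without it mail is not
# delivered to document libraries on that Web application.
icacls $drop /grant "${webAppPool}:(OI)(CI)M"

# The two worker process groups that Central Administration normally adds by
# itself (Full Control and Read & Execute respectively). Re-granting them is
# harmless if they are already present, and restores them if Central
# Administration runs as Network Service and skipped this step.
icacls $drop /grant 'WSS_Admin_WPG:(OI)(CI)F' 'WSS_WPG:(OI)(CI)RX'

# Verify: each account and group should be listed with the rights granted above.
icacls $drop
```

If the output of the final `icacls $drop` shows an unexpected principal with Modify or Full Control (for example Everyone, or an account that is not part of the farm), remove it: anything that can write to the drop folder can inject messages into e-mail-enabled libraries.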

Configure DNS Manager


Incoming mail requires a Mail Exchanger (MX) resource record to be added in DNS Manager for
the host or subdomain running Office SharePoint Server 2007. This is distinct from any existing
MX records in the domain.

Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.

Add a Mail Exchanger (MX) resource record for the subdomain


1. In DNS Manager, select the forward lookup zone for the domain that contains the
subdomain for Office SharePoint Server 2007.
2. Right-click the zone, and then click New Mail Exchanger.
3. In the Host or domain text box, type the host or subdomain name for Office
SharePoint Server 2007.
4. In the Fully qualified domain name (FQDN) of mail server text box, type the fully
qualified domain name for the server that is running Office SharePoint Server 2007. This
is typically in the format subdomain.domain.com.
5. Click OK.
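The same MX record can be created with dnscmd and then checked with nslookup, which is handy when the DNS server is administered remotely. This is an added example, not part of the original book; the server, zone and host names are placeholders that follow the subdomain.domain.com pattern the procedure describes.

```powershell
# Added example (not part of the original book). Adds the MX record described
# in the procedure above with dnscmd, then resolves it to confirm. Run as a
# local administrator on, or with rights to, the DNS server.

$dnsServer  = 'dc01.contoso.com'        # placeholder: DNS server that hosts the zone
$zone       = 'contoso.com'             # placeholder: forward lookup zone (step 1)
$node       = 'sharepoint'              # host or subdomain name for Office SharePoint Server (step 3)
$mailServer = 'sharepoint.contoso.com'  # FQDN of the server running Office SharePoint Server (step 4)

# dnscmd <server> /RecordAdd <zone> <node> MX <preference> <mail exchanger FQDN>
# Creates the MX record for sharepoint.contoso.com with preference 10.
dnscmd $dnsServer /RecordAdd $zone $node MX 10 $mailServer

# Check: the answer should list $mailServer as the mail exchanger for the subdomain.
# This record is separate from the domain's own MX records, which must stay untouched.
nslookup -type=MX "$($node).$($zone)" $dnsServer
```

The host name you give here must match the value you later type in the SMTP mail server for incoming mail box in Central Administration, otherwise the Directory Management Service will create contacts whose addresses do not route to the farm.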

Configure attachments from Outlook 2003


Attachments to messages sent from Microsoft Outlook 2003 must be encoded in UUEncode or
Binhex format to appear separately in e-mail enabled document libraries. Attachments from
Outlook 2003 that use different encoding will not be listed, but e-mail messages that contain
attachments will be listed.

Configure incoming e-mail settings


Before you can enable incoming e-mail on the server that is running Office SharePoint Server
2007, you must have configured the SMTP service on front-end Web servers in the farm and the
Active Directory and DNS Manager on the domain controller, or you must know the name of other
servers that are running these services.
This procedure configures the settings that are used for incoming e-mail. You can also configure
options for safe e-mail servers and the incoming e-mail display address.

Important:
Membership in the Administrators group of the Central Administration site is required to
complete this procedure.

Configure incoming e-mail settings


1. On the top navigation bar, click Operations.
2. On the Operations page, in the Topology and Services section, click Incoming e-
mail settings.
3. If you want to enable sites on this server to receive e-mail, on the Incoming E-mail
Settings page, in the Enable Incoming E-Mail section, click Yes.
4. Select either the Automatic or the Advanced settings mode.
If you select Advanced, you can specify a drop folder instead of using an SMTP server.
5. If you want to connect to the Microsoft SharePoint Directory Management Service, in
the Directory Management Service section, click Yes.
a. In the Active Directory container where new distribution groups and
contacts will be created box, type the name of the container in the format
OU=ContainerName, DC=domain, DC=com, where ContainerName is the name of
the organizational unit in Active Directory, domain is the second-level domain, and
com is the top-level domain.

Note:
The Central Administration application pool account must be delegated the
Create, delete, and manage user accounts task for the container. Access
is configured in the properties for the organizational unit in Active Directory.
b. In the SMTP mail server for incoming mail box, type the name of the SMTP
mail server. The server name must match the fully qualified domain name in the MX
entry for the mail server in DNS Manager.
c. To accept only messages from authenticated users, click Yes for Accept
messages from authenticated users only. Otherwise, click No.
d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow
creation of distribution groups from SharePoint sites. Otherwise, click No.
e. Under Distribution group request approval settings, select the actions that
will require approval. Actions include the following:
• Create new distribution group
• Change distribution group e-mail address
• Change distribution group title and description
• Delete distribution group
6. If you want to use a remote SharePoint Directory Management Web Service, select
Use remote.
a. In the Directory Management Service URL box, type the URL of the Microsoft
SharePoint Directory Management Service that you want to use.
b. In the SMTP mail server for incoming mail box, type the name of the SMTP
mail server. The server name must match the fully qualified domain name in the MX
entry for the mail server in DNS Manager on the domain server.
c. To accept messages from authenticated users only, click Yes for Accept
messages from authenticated users only. Otherwise, click No.
d. To allow creation of distribution groups from SharePoint sites, click Yes for Allow
creation of distribution groups from SharePoint sites. Otherwise, click No.
7. If you do not want to use the Microsoft SharePoint Directory Management Service,
click No.
8. In the Incoming E-Mail Server Display Address section, type a display name for
the e-mail server (for example, mail.fabrikam.com) in the E-mail server display address
box.

Tip:
You can specify the e-mail server address that is displayed when users create an
incoming e-mail address for a list or group. Use this setting together with the
Microsoft SharePoint Directory Management Service to provide an e-mail server
address that is more user-friendly.
9. In the Safe E-Mail Servers section, select one of the following options:
• Accept mail from all e-mail servers
• Accept mail from these safe e-mail servers. If you select this option, type the
IP addresses (one per line) of the e-mail servers that you want to specify as safe in
the corresponding box.
10. In the E-mail Drop Folder section, in the E-mail drop folder box, type the name of
the folder in which Microsoft Windows SharePoint Services polls for incoming e-mail from
the SMTP service.
This option is available only if you selected advanced mode.
11. Click OK.

Configuring incoming e-mail on SharePoint sites


After configuring incoming e-mail settings, site administrators can configure e-mail enabled lists
and document libraries. For more information about e-mail enabled document libraries, see the
Help documentation for site administrators.
Contact addresses created for these document libraries appear automatically in Active Directory
Users and Computers under the organizational unit for Office SharePoint Server 2007, and must
be managed by the administrator of Active Directory. The Active Directory administrator can add
more e-mail addresses for each contact. For more information about how to manage contacts in
Active Directory, see the Help documentation for Active Directory.
Alternatively, the Exchange Server computer can be configured by adding a new Exchange
Server Global recipient policy to automatically add external addresses that use the second-level
domain name and not the subdomain or host for Office SharePoint Server 2007. For more
information about how to manage Exchange Server, see the Help documentation for Exchange
Server.

See Also
Plan incoming e-mail (http://technet.microsoft.com/en-us/library/cc263260.aspx)
Demo: Configure a SharePoint Server 2007 site to receive e-mail (http://office.microsoft.com/en-
us/sharepointserver/HA102047921033.aspx)

Configure outgoing e-mail settings
In this section:
• Install and configure the SMTP service
• Configure outgoing e-mail settings
Use this procedure to configure the default outgoing e-mail settings for all Web applications. You
can override the default outgoing e-mail settings for specific Web applications by using the
procedure that is described in Configure outgoing e-mail settings for a specific Web application.

Install and configure the SMTP service


Before you can enable outgoing e-mail, you must install the Internet Information Services (IIS)
Simple Mail Transfer Protocol (SMTP) service. After determining which SMTP server to use, the
SMTP server must be configured to allow anonymous access and to allow e-mail messages to be
relayed. Additionally, the SMTP server must have Internet access if you want the ability to send
messages to external e-mail addresses, or it must be able to relay authenticated e-mail to a
server that has Internet access. The SMTP server that you use can be a server in the farm, or
another server.

Install the SMTP service


The SMTP service is a component of IIS.

Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.

Install the SMTP service


1. In Control Panel, click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. In the Windows Components Wizard, in the Components box, click Application
Server, and then click the Details button.
4. In the Application Server dialog box, in the Subcomponents of Application
Server box, click Internet Information Services (IIS), and then click the Details button.
5. In the Internet Information Services (IIS) dialog box, select the SMTP Service
check box.
6. Click OK to return to the Application Server dialog box.
7. Click OK to return to the main page of the Windows Components Wizard.
8. Click Next.
9. When Windows has finished installing the SMTP service, on the Completing the
Windows Components Wizard page, click Finish.

Configure the SMTP service


After installing the SMTP service, configure the service to accept relayed e-mail from servers in
your farm.
You can decide to accept relayed e-mail from all servers except those you specifically exclude.
Alternatively, you can block e-mail from all servers except those you specifically include. You can
include servers individually, or in groups by subnet or domain.
By enabling both anonymous access and e-mail relaying, you increase the possibility that the
SMTP server will be used to relay unsolicited commercial e-mail (spam). It is important to limit
this possibility by carefully configuring your mail servers to help protect against spam. One way
that you can do this is by limiting relaying to a specific list of servers or domain, and preventing
relaying from all other servers.

Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.

Configure the SMTP service


1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In IIS Manager, expand the server name that contains the SMTP server that you want
to configure.
3. Right-click the SMTP virtual server that you want to configure, and then click
Properties.
4. On the Access tab, under Access control, click Authentication.
5. In the Authentication dialog box, under Select acceptable authentication
methods for this resource, verify that Anonymous access is selected.
6. Click OK.
7. On the Access tab, under Relay restrictions, click Relay.
8. To enable relaying from any server, under Select which computer may relay
through this virtual server, select All except the list below.
9. To accept relaying from one or more specific servers, follow these steps:
a. Under Select which computer may relay through this virtual server, select
Only the list below.
b. Click Add, and then add servers one at a time by IP address, or in groups by
using a subnet or domain.
c. Click OK to close the Computer dialog box.
10. Click OK to close the Relay Restrictions dialog box.
11. Click OK to close the Properties dialog box.

Configure outgoing e-mail settings
Important:
Membership in the Farm Administrators group of the Central Administration site is
required to complete this procedure.

Configure outgoing e-mail settings


1. On the top navigation bar of the SharePoint Central Administration Web site, click
Operations.
2. On the Operations page, in the Topology and Services section, click Outgoing e-
mail settings.
3. On the Outgoing E-Mail Settings page, in the Mail Settings section, type the SMTP
server name for outgoing e-mail (for example, mail.example.com) in the Outbound
SMTP server box.
4. In the From address box, type the e-mail friendly address as you want it to appear to
e-mail recipients.
5. In the Reply-to address box, type the e-mail address to which you want e-mail
recipients to reply.
6. In the Character set menu, select the character set that is appropriate for your
language.
7. Click OK.
For information about how to perform this procedure using the Stsadm command-line
tool, see Email: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc261681.aspx).

See Also
Plan outgoing e-mail (http://technet.microsoft.com/en-us/library/cc262844.aspx)

Configure outgoing e-mail settings for a
specific Web application
In this section:
• Install and configure the SMTP service
• Configure outgoing e-mail settings
Use this procedure to configure the outgoing e-mail settings for a specific Web application. Before
using this procedure, you must first configure the default outgoing e-mail settings for all Web
applications by using the procedure described in Configure outgoing e-mail settings.

Install and configure the SMTP service


Before you can enable outgoing e-mail, you must install the Internet Information Services (IIS)
Simple Mail Transfer Protocol (SMTP) service. After determining which SMTP server to use, the
SMTP server must be configured to allow anonymous access and to allow e-mail messages to be
relayed. Additionally, the SMTP server must have Internet access if you want the ability to send
messages to external e-mail addresses, or it must be able to relay authenticated e-mail to a
server that has Internet access. The SMTP server that you use can be a server in the farm, or
another server.

Install the SMTP service


The SMTP service is a component of IIS.

Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.

Install the SMTP service


1. In Control Panel, click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. In the Windows Components Wizard, in the Components box, click Application
Server, and then click the Details button.
4. In the Application Server dialog box, in the Subcomponents of Application
Server box, click Internet Information Services (IIS), and then click the Details button.
5. In the Internet Information Services (IIS) dialog box, select the SMTP Service
check box.
6. Click OK to return to the Application Server dialog box.
7. Click OK to return to the main page of the Windows Components Wizard.

8. Click Next.
9. When Windows has finished installing the SMTP service, on the Completing the
Windows Components Wizard page, click Finish.

Configure the SMTP service


After installing the SMTP service, configure the service to accept relayed e-mail from servers in
your farm.
You can decide to accept relayed e-mail from all servers except those you specifically exclude.
Alternatively, you can block e-mail from all servers except those you specifically include. You can
include servers individually, or in groups by subnet or domain.
By enabling both anonymous access and e-mail relaying, you increase the possibility that the
SMTP server will be used to relay unsolicited commercial e-mail (spam). It is important to limit
this possibility by carefully configuring your mail servers to help protect against spam. One way
that you can do this is by limiting relaying to a specific list of servers or domain, and preventing
relaying from all other servers.

Important:
Membership in the Administrators group on the local computer is required to complete
this procedure.

Configure the SMTP service


1. Click Start, point to All Programs, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In IIS Manager, expand the server name that contains the SMTP server that you want
to configure.
3. Right-click the SMTP virtual server that you want to configure, and then click
Properties.
4. On the Access tab, under Access control, click Authentication.
5. In the Authentication dialog box, under Select acceptable authentication
methods for this resource, verify that Anonymous access is selected.
6. Click OK.
7. On the Access tab, under Relay restrictions, click Relay.
8. To enable relaying from any server, under Select which computer may relay
through this virtual server, select All except the list below.
9. To accept relaying from one or more specific servers, follow these steps:
a. Under Select which computer may relay through this virtual server, select
Only the list below.
b. Click Add, and then add servers one at a time by IP address, or in groups by
using a subnet or domain.
c. Click OK to close the Computer dialog box.

10. Click OK to close the Relay Restrictions dialog box.
11. Click OK to close the Properties dialog box.

Configure outgoing e-mail settings


Important:
Membership in the Farm Administrators group of the Central Administration site is
required to complete this procedure.

Configure outgoing e-mail settings


1. On the top navigation bar of the SharePoint Central Administration Web site, click
Application Management.
2. On the Application Management page, in the SharePoint Web Application
Management section, click Web application outgoing e-mail settings.
3. On the Web Application E-Mail Settings page, select a Web application by using the
Web Application menu in the Web Application section.
4. In the Mail Settings section, type the SMTP server name for outgoing e-mail (for
example, type mail.fabrikam.com) in the Outbound SMTP server box.
5. In the From address box, type the e-mail friendly address as you want it to appear to
e-mail recipients.
6. In the Reply-to address box, type the e-mail address to which you want e-mail
recipients to reply.
7. On the Character set menu, click the character set that is appropriate for your
language.
8. Click OK.
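Both outgoing e-mail procedures, the farm-wide default in the previous section and the per-Web-application override in this one, can be scripted with the Stsadm email operation that the previous section references. The following is an added example, not Microsoft's own script: the SMTP server, addresses and Web application URL are placeholders, and the parameter names are as I recall them from that operation's documentation, so confirm them against the cited Email: Stsadm operation page before relying on them.

```powershell
# Added example (not part of the original book). Sets the farm-wide outgoing
# e-mail settings and then overrides them for one Web application using the
# Stsadm "email" operation. Run on a farm server as a farm administrator.

# Stsadm lives in the "12 hive" bin directory.
$stsadm     = "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe"
$smtpServer = 'mail.fabrikam.com'             # placeholder outbound SMTP server
$from       = 'sharepoint@fabrikam.com'       # placeholder From address
$replyTo    = 'helpdesk@fabrikam.com'         # placeholder Reply-to address
$webApp     = 'http://intranet.fabrikam.com'  # placeholder Web application to override

# Farm-wide default (the "Configure outgoing e-mail settings" procedure).
# Code page 65001 is UTF-8; choose the one appropriate for your language.
& $stsadm -o email -outsmtpserver $smtpServer -fromaddress $from `
    -replytoaddress $replyTo -codepage 65001

# Override for a single Web application (the procedure in this section);
# -url scopes the setting to that Web application only.
& $stsadm -o email -outsmtpserver $smtpServer -fromaddress $from `
    -replytoaddress $replyTo -codepage 65001 -url $webApp
```

Whichever SMTP server you name here must accept relayed mail from the farm's front-end servers; if you restricted relaying to "Only the list below" in the SMTP service, make sure every front-end server's address is in that list, or alerts and workflow notifications will silently fail.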

See Also
Plan outgoing e-mail (http://technet.microsoft.com/en-us/library/cc262844.aspx)

Configure workflow settings
Use this procedure to configure the workflow settings for Microsoft Office SharePoint Server
2007.
Workflow settings are configured at the Web application level, enabling you to configure different
settings for different Web applications. When you configure workflow settings, you must first
select the Web application to configure.
Site administrators can create workflows from the Site Settings page for the site or site collection.
By default, end users can create their own workflows by using code already deployed by an
administrator. You can also choose to limit workflow creation to site administrators.
By default, workflows can include users who do not have site access. Users without site access
who attempt to complete the task assigned to them will be directed to the Error: Access Denied
page, where they can request access to the site. If you do not enable alerts for internal users
without site access, workflows that include those users will not generate alerts for those users.
By default, external users cannot participate in workflows, and external users included in
workflows will not be alerted. You can choose to allow external users to participate in workflows
by sending copies of documents to those users by e-mail.

Configuring workflow settings


Note:
Membership in the Administrators group of the Central Administration site is required to
complete this procedure.

Configure workflow settings


1. On the top navigation bar, click Application Management.
2. On the Application Management page, in the Workflow Management section, click
Workflow settings.
3. On the Workflow Settings page, in the Web Application section, the current Web
application is displayed in the Web Application menu. To configure the settings for a
different Web application, click Change Web Application, and then select a new Web
application on the Select Web Application page.
4. In the User-Defined Workflows section, select Yes if you want to enable user-
defined workflows, or select No if you do not want to enable user-defined workflows.
5. In the Workflow Task Notifications section, under Alert internal users who do not
have site access when they are assigned a workflow task, select Yes if you want
internal users without site access to be sent an e-mail alert when a task is assigned to
them. Users attempting to complete the task by using the link in the alert will be directed
to the Request Permissions page. If you do not want internal users without site access to
be sent an e-mail alert when a task is assigned to them, select No.
6. Under Allow external users to participate in workflow by sending them a copy
of the document, select Yes if you want documents to be sent to external users by e-
mail when those users are part of the workflow but they do not have access permissions
to the documents. If you do not want documents to be sent to external users who do not
have access permissions, select No.

Note:
If the object in the workflow is not a document but a list item, the list item
properties are displayed in a table as part of the e-mail message.
7. Click OK.
For information about how to perform this procedure using the Stsadm command-line
tool, see Workflow management: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc263153.aspx).

Configure diagnostic logging settings
In this section:
• Customer Experience Improvement Program
• Error reports
• Event throttling
• Configuring diagnostic logging settings
Use this procedure to configure the diagnostic logging settings for Microsoft Office SharePoint
Server 2007.
You can configure how diagnostic events are logged according to their criticality. Additionally, you
can set the maximum number of log files that can be maintained, and you can set how long to
capture events to a single log file.
You can also indicate whether or not to provide Microsoft with continuous improvement and Dr.
Watson event data.

Customer Experience Improvement Program


The Customer Experience Improvement Program (CEIP) is designed to improve the quality,
reliability, and performance of Microsoft® products and technologies. With your permission,
anonymous information about your server will be sent to Microsoft to help us improve
SharePoint® Products and Technologies.
For more information, see the Customer Experience Improvement Program privacy statement
(http://go.microsoft.com/fwlink/?LinkID=84784&clcid=0x409).

Error reports
Error reports are created when your system encounters hardware or software problems. Microsoft
and its partners actively use these reports to improve the reliability of your software. Error reports
include the following: information regarding the condition of the server when the problem occurs;
the operating system version and computer hardware in use; and the Digital Product ID, which
can be used to identify your license. The IP address of your computer is also sent because you
are connecting to an online service to send error reports; however, the IP address is used only to
generate aggregate statistics.
Microsoft does not intentionally collect any personal information. However, error reports could
contain data from log files, such as user names, IP addresses, URLs, file or path names, and e-
mail addresses. Although this information, if present, could potentially be used to determine your
identity, the information will not be used in this way. The data that Microsoft collects will be used
only to fix problems and to improve software and services. Error reports will be sent by using
encryption technology to a database with limited access, and will not be used for marketing
purposes.

For more information, see the Microsoft Error Reporting Service privacy statement
(http://go.microsoft.com/fwlink/?LinkId=85028&clcid=0x409).
If you want to provide error reports to Microsoft and its partners, select the option to collect error
reports. Base your decision on your organization's policies about sharing the information
collected by error reports, and the potential impact of error collection on users and administrators.
Two options are available for error reports:
• You can choose to periodically download a file from Microsoft that can help identify
system problems based on the error reports that you provide to Microsoft.
• You can change the error collection policy to silently send all reports. This changes the
computer's error reporting behavior to automatically send reports to Microsoft without
prompting users when they log on.

Event throttling
You can configure the diagnostic options for event logging. Events can be logged in either the
Windows® event log or the trace log. You can configure event throttling settings to control how
many events are recorded in each log, according to the criticality of the events. To provide more
control in event throttling, you can decide to throttle events for all events, or for any single
category of events. Several categories of events are available, based on different services and
features of SharePoint Products and Technologies.
Categories of events can be defined by individual services or by groupings of related events.
Selected event categories include:
• All
• Categories defined by product, such as Office SharePoint Server 2007 and Microsoft
Office Project Server 2007
• Administrative functions such as Administration, Backup and Recovery, Content
Deployment, and Setup and Upgrade
• Feature areas such as Document Management, E-Mail, Forms Services, Information
Policy Management, Information Rights Management, Publishing, Records Center, Site
Directory, Site Management, User Profiles, and Workflow
• SharePoint Services and other services such as the Load Balancer Service
• Shared services such as all Office Server Shared Services, Business Data, and Excel
Calculation Services
For the selected category, select the least-critical event to record, for both the Windows event log
and the trace log. Events that are equally critical to or more critical than the selected event will be
recorded in each log. The list entries are sorted in order from most-critical to least-critical.
The levels of events for the Windows event log include:
• None
• Error
• Warning
• Audit Failure

• Audit Success
• Information
The levels of events for the trace log include:
• None
• Unexpected
• Monitorable
• High
• Medium
• Verbose
For more information about the Windows event log or the trace log, see the Windows
documentation.
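The throttling rule described above (record events as critical as, or more critical than, the selected level; "None" records nothing; a category without its own setting uses the All setting) can be modelled and applied to trace-log lines. This is an added example, not code from the Microsoft guide; the throttling table and trace lines are constructed sample data, and the tab-separated trace-line layout is an assumption made for the example, not a documented format.

```python
"""Event-throttling model for Office SharePoint Server 2007 diagnostic logging.

Added example, not code from the Microsoft deployment guide. Applies the rule the
guide states: per category, the administrator picks the least-critical level to
record; events at that level or more critical are written; "None" writes nothing;
a category with no setting of its own falls back to the "All" setting.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Levels in the order the Diagnostic Logging page lists them: most critical first.
EVENT_LOG_LEVELS = ["Error", "Warning", "Audit Failure", "Audit Success", "Information"]
TRACE_LOG_LEVELS = ["Unexpected", "Monitorable", "High", "Medium", "Verbose"]


@dataclass(frozen=True)
class Throttle:
    """Least-critical level to record per log; None stands for the page's 'None' (record nothing)."""
    event_log: Optional[str]
    trace_log: Optional[str]


def is_recorded(level: str, threshold: Optional[str], order: List[str]) -> bool:
    """True when `level` is as critical as, or more critical than, `threshold`."""
    if threshold is None:
        return False
    if level not in order or threshold not in order:
        raise ValueError(f"unknown level: {level!r} / {threshold!r}")
    # Lower index = more critical, so an event passes when its index is <= the threshold's.
    return order.index(level) <= order.index(threshold)


def settings_for(category: str, table: Dict[str, Throttle]) -> Throttle:
    """Per-category setting if one exists, otherwise the farm-wide 'All' setting."""
    return table.get(category, table["All"])


def event_log_records(category: str, level: str, table: Dict[str, Throttle]) -> bool:
    return is_recorded(level, settings_for(category, table).event_log, EVENT_LOG_LEVELS)


def trace_log_records(category: str, level: str, table: Dict[str, Throttle]) -> bool:
    return is_recorded(level, settings_for(category, table).trace_log, TRACE_LOG_LEVELS)


# Constructed throttling table: what an administrator might set on the Diagnostic Logging page.
SAMPLE_TABLE: Dict[str, Throttle] = {
    "All": Throttle(event_log="Warning", trace_log="Medium"),
    "Backup and Recovery": Throttle(event_log="Information", trace_log="Verbose"),
    "User Profiles": Throttle(event_log=None, trace_log="Unexpected"),
}

# Constructed trace lines. Assumed layout (not a documented format):
# Timestamp, Process, TID, Area, Category, EventID, Level, Message, tab-separated.
SAMPLE_TRACE_LINES = [
    "03/02/2009 10:15:01.22\tw3wp.exe\t0x0A1C\tOffice Server\tWorkflow\t8e1b\tVerbose\tWorkflow instance scheduled",
    "03/02/2009 10:15:02.03\tw3wp.exe\t0x0A1C\tOffice Server\tWorkflow\t8e1c\tHigh\tWorkflow task assignment failed",
    "03/02/2009 10:15:03.57\towstimer.exe\t0x0B20\tOffice Server\tBackup and Recovery\t7a10\tVerbose\tBackup phase started",
    "03/02/2009 10:15:04.90\tw3wp.exe\t0x0A1C\tOffice Server\tUser Profiles\t9c01\tMonitorable\tProfile import slow",
    "03/02/2009 10:15:05.11\tw3wp.exe\t0x0A1C\tOffice Server\tUser Profiles\t9c02\tUnexpected\tProfile import aborted",
]


def filter_trace_lines(lines: List[str], table: Dict[str, Throttle]) -> List[str]:
    """Return the messages that the given throttling table would write to the trace log."""
    kept: List[str] = []
    for line in lines:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"malformed trace line: {line!r}")
        category, level, message = fields[4], fields[6], fields[7]
        if trace_log_records(category, level, table):
            kept.append(message)
    return kept


if __name__ == "__main__":
    for msg in filter_trace_lines(SAMPLE_TRACE_LINES, SAMPLE_TABLE):
        print(msg)
```

Running it keeps the High workflow line, the Verbose backup line (that category is set to Verbose) and the Unexpected profile line, and drops the Verbose workflow line and the Monitorable profile line.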

Configuring diagnostic logging settings


Note:
Membership in the Administrators group of the Central Administration site is required to
complete this procedure.

Configure diagnostic logging settings


1. On the top navigation bar, click Operations.
2. On the Operations page, in the Logging and Reporting section, click Diagnostic
logging.
3. On the Diagnostic Logging page, in the Customer Experience Improvement
Program section, under Sign Up for the Customer Experience Improvement Program,
select one of the following options:
• Yes, I am willing to participate anonymously in the Customer Experience
Improvement Program (Recommended).
• No, I don't wish to participate.
If you select Yes, users can decide whether they want to report Customer Experience
Improvement Program events to Microsoft.
4. In the Error Reports section, under Error reporting, select one of the following:
• Collect error reports.
If you select this option, you can also select or clear two options to control how error
reports are collected:
• Periodically download a file that can help identify system problems.
• Change this computer's error collection policy to silently send all reports.
This changes the computer's error reporting behavior to automatically send reports to
Microsoft without prompting users when they log on.
• Ignore errors and don't collect information.

5. In the Event Throttling section, in the Select a category menu, select a category of
events:
a. In the Least critical event to report to the event log menu, select the least-
critical event to report to the event log for the selected category.
b. In the Least critical event to report to the trace log menu, select the least-
critical event to report to the trace log for the selected category.
6. In the Trace Log section, in the Path text box, type the local path to use for the trace
log on all servers in the farm. The location must exist on all servers in the farm.
a. In the Number of log files text box, type the maximum number of files that you
want to maintain.
b. In the Number of minutes to use a log file text box, type the number of minutes
to use each log file.
7. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see
Setlogginglevels (http://technet.microsoft.com/en-us/library/cc261740.aspx) and Listlogginglevels
(http://technet.microsoft.com/en-us/library/cc262133.aspx).

Configure single sign-on
Single sign-on (SSO) is a Microsoft Office SharePoint Server feature that provides storage and
mapping of credentials such as account names and passwords. Using SSO, portal site–based
applications can retrieve information from third-party applications and back-end systems such as
Enterprise Resource Planning (ERP) and Customer Relations Management (CRM) systems.
The use of single sign-on functionality enables users to authenticate only once when they access
portal site–based applications that need to obtain information from other business applications
and systems.
Configuring single sign-on consists of five tasks:
• Configure and start the Microsoft Single Sign-On service
• Configure Single Sign-On for Office SharePoint Server 2007
• Manage the encryption key
• Manage enterprise application definitions
• Manage account information for an enterprise application definition
Note that you must be logged into the SharePoint Central Administration Web site on a farm
server to configure single sign-on (SSO) for Office SharePoint Server 2007. If you attempt to
configure SSO on a workstation or any computer that is not a farm server, you will see an error
message that reads "Single sign-on cannot be configured from this server. To configure single
sign-on, go to the computer running the single sign-on service and specify these settings locally."
Follow the procedures in the sections that follow to configure SSO for your Office SharePoint
Server 2007 environment.

Configure and start the Microsoft Single Sign-On service

To use single sign-on, the Microsoft Single Sign-On service (SSOSrv) must be installed on all
Microsoft Windows front-end Web servers in the farm. SSOSrv must also be installed on all
servers running Excel Services. If the Business Data Catalog search is used, SSOSrv must also
be installed on the index server.
SSOSrv is configured by using the Services console. When configuring the service, a logon
account is required. The logon account must meet all of the following criteria:
• Must be a domain user account. It cannot be a group account.
• Must be an Office SharePoint Server farm account.
• Must be a member of the local Administrators group on the encryption-key server. (The
encryption-key server is the first server on which you start SSOSrv.)

• Must be a member of the Security Administrators role and db_creator role on the
computer running Microsoft SQL Server.
• Must be either the same as the single sign-on administrator account, or a member of the
group account that is the single sign-on administrator account.

Configure and start the Microsoft Single Sign-On service


1. On the server, click Start, Control Panel, Administrative Tools, and then click
Computer Management.
2. In the Computer Management console, expand Services and Applications, and
then click Services.
3. Right-click Microsoft Single Sign-On Service, and then choose Properties.
4. On the General tab, change the Startup type to Automatic.
5. On the General tab, under Service Status, click Start.
6. Click OK to save your changes and close the Properties window.
7. Repeat steps 1 through 6 for each applicable server in the farm.

Configure Single Sign-On for Office SharePoint Server 2007

Managing server settings for single sign-on includes specifying the appropriate administrator
accounts, the single sign-on database server and server name, and time-out and audit log
settings.

Note:
You must open Central Administration on the computer that runs Office SharePoint
Server 2007 to manage server settings for single sign-on.

Configure SSO for Office SharePoint Server 2007


1. On Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage
settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, in the Server Settings section,
click Manage server settings.
4. On the Manage Settings for Single Sign-On page, in the Account name box in the
Single Sign-On Administrator Account section, type the single sign-on administrator
account name by using the form domain/group or domain/username.

Note:
The single sign-on administrator account specifies the set of people who can
create, delete, or modify application definitions. The administrator account can
also back up the encryption key.

The user or group that you specify as the single sign-on administrator must be all of the
following:
• Either a Windows global group or an individual user account. This account
cannot be a domain local group account or a distribution list.
• The same account as the single sign-on service account, if a user is specified. If
a group is specified, the single sign-on service account must be a member of that
group.
• The same as the configuration account for single sign-on, if a user is specified. If
a group is specified, the configuration account for single sign-on must be a member
of that group.
• A member of the Farm Administrators group on Central Administration.
If a group is specified, all users who are added to the group for the purpose of
administering single sign-on must be members of the local Administrators group on the
encryption-key server. Do not make this account a member of the local Administrators
group on the encryption-key server.
5. In the Enterprise Application Definition Administrator Account section, in the
Account name box, type the account name of the group or user who can set up and
manage enterprise application definitions. Type the name by using the form
domain/group or domain/username.
The enterprise application definition administrator account can manage credentials of an
enterprise application definition, including changing the password of a group enterprise
application definition and changing or deleting credentials for an individual enterprise
application definition.
The user or group that you specify must be the following:
• Either a Windows global group or an individual user account. This account
cannot be a domain local group account or a distribution list.
• A member of the Reader SharePoint group on Central Administration.
6. In the Database Settings section, in the Server name box, type the NetBIOS name
of the single sign-on database server (for example, computer_name or
computer_name\SQL_Server_instance). Do not type the fully qualified domain name.
7. In the Database name box, enter the name of the single sign-on database server.

Note:
Unless you are pre-creating databases, we recommend that you use the default
database server and single sign-on database server.
8. In the Time Out Settings section, in the Ticket time out (in minutes) box, type a
value for how many minutes pass before a single sign-on ticket expires. The time-out
should be long enough to last between the time that the ticket is issued and the time that
the enterprise application redeems the ticket. Two minutes is the recommended value.
9. In the Delete audit log records older than (in days) box, type a value for how many
days the audit log holds records before deleting them.

10. Click OK.

Manage the encryption key


The first server that SSOSrv is enabled on becomes the encryption-key server. The encryption-
key server generates and stores the encryption key. The encryption key is used to encrypt and
decrypt the credentials that are stored in the SSO database.
Because the encryption key protects security credentials, we recommend that you create a new
encryption key on a regular schedule (for example, every 90 days). We also recommend that you
create a new encryption key immediately if you suspect that account credentials have been
compromised.
The encryption key must be backed up each time a new key is created. You do not need to back
up the encryption key at any other time (except when you are moving the encryption-key server
role from one server to another). You must back up the encryption key from the encryption-key
server locally; the key cannot be backed up remotely.
You can also use encryption key backup and restore to move the encryption-key server role from
one server to another. (Other tasks must also be completed to move the encryption-key server
role.)

Note:
You must open Central Administration on the computer that runs Office SharePoint
Server 2007 to manage the encryption key.

Manage the encryption key


1. On Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage
settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, in the Server Settings section,
click Manage encryption key.

From the Manage Encryption Key page, you can perform three management tasks:
• Create a new encryption key
• Back up an encryption key
• Restore an encryption key

Create a new encryption key

1. On the Manage Encryption Key page, in the Encryption Key section, click Create
Encryption Key.
2. On the Create Encryption Key page, select the Re-encrypt all credentials by using
the new encryption key check box.

Important:
If you do not re-encrypt the existing credentials with the new encryption key,
users must retype their credentials for individual application definitions, and
administrators must retype group credentials for group application definitions.
3. Click OK.

Back up an encryption key

1. On the Manage Encryption Key page, in the Drive list in the Encryption Key
Backup section, click the removable media drive on which you want to store the
encryption-key backup.
2. Click Back Up.

Restore an encryption key


You should always back up the encryption key when you back up the single sign-on database,
because the database is useless without the encryption key. Also, before you replace an
encryption-key server, make sure to back up the encryption key so that it can be restored on the
new encryption-key server.

1. On the Manage Encryption Key page, in the Drive list in the Encryption Key
Restore section, click the removable media drive from which you want to restore the
encryption-key backup.
2. Click Restore.

Manage enterprise application definitions


In the single sign-on environment, the back-end external data sources and systems are referred
to as enterprise applications. For each enterprise application that Office SharePoint Server 2007
connects to, a corresponding enterprise application definition needs to be configured.

1. On Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage
settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, click Manage settings for
enterprise application definitions.

Manage account information for an enterprise application definition
If you are using a group to connect to the enterprise application, you need to provide account
credentials for the group to use. If individual users are connecting directly to the enterprise
application, you can preset or reset user passwords, or you can delete users from the enterprise
application definition.

1. On Central Administration, on the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Manage
settings for single sign-on.
3. On the Manage Settings for Single Sign-On page, in the Enterprise Application
Definition Settings section, click Manage account information for enterprise
application definitions.
4. On the Manage Account Information for an Enterprise Application Definition page, in
the Enterprise application definition list in the Account Information section, click the
application definition for which you want to manage account information.
5. In the Group account name box, type the name of the group that is allowed access
to the enterprise application.
6. In the Enterprise Application Definition section, select one of the following:

Option: Update account information
Purpose: Enter credentials for the first time or update the credentials used to connect to
the enterprise application.

Option: Delete stored credentials for this account from this enterprise application
definition
Purpose: Delete the credentials currently used to connect to the enterprise application.

Option: Delete stored credentials for this account from all enterprise application
definitions
Purpose: Delete the credentials currently used to connect the selected enterprise application
from all enterprise application definitions. Deleting stored credentials deletes credentials
only for individual accounts; it does not delete credentials for group accounts.

If you select Update account information, complete the following steps:
a. Click Set.
b. On the Provide Account Information page, in the Logon Information section,
type the user name and password of the account that will be used to connect to the
enterprise application.
c. Click OK.
7. Click Done.

Configure antivirus settings
Use this procedure to configure the antivirus settings for Microsoft Office SharePoint Server 2007.
You can activate antivirus measures only after installing a compatible antivirus scanner. In a
server farm, you must install antivirus software on every front-end Web server in the server farm.
You can configure four antivirus settings:
• Scan documents on upload: Select this setting to scan uploaded documents. This
helps prevent users with infected documents from distributing them to other users.
• Scan documents on download: Select this setting to scan downloaded documents.
This helps prevent users from downloading infected documents by warning them about
infected files. Users can still choose to download infected files if the option to allow
users to download infected documents is selected.
• Allow users to download infected documents: If this option is selected, users can
download infected documents. Do not select this option unless you have a specific reason
to download infected documents, such as troubleshooting a virus infection on your system.
• Attempt to clean infected documents: Select this setting to automatically clean
infected documents that were discovered during scanning.

Administrative credentials
Membership in the Administrators group of the Central Administration site is required to complete
this procedure.

Configure antivirus settings


1. On the top navigation bar, click Operations.
2. On the Operations page, in the Security Configuration section, click Antivirus.
3. On the Antivirus page, in the Antivirus Settings section, select one or all of the
following:
• Scan documents on upload
• Scan documents on download
• Allow users to download infected documents
• Attempt to clean infected documents
4. Click OK.

For information about how to perform this procedure using the Stsadm command-line tool, see
Antivirus: Stsadm properties (http://technet.microsoft.com/en-us/library/cc261683.aspx).

Configure authentication
In this section:
• Configure anonymous access
• Configure digest authentication
• Configure forms-based authentication
• Configure Web SSO authentication by using ADFS
• Configure Kerberos authentication
Authentication is the process of validating client identity, usually by means of a designated
authority. Web site authentication helps establish that a user who is trying to access Web site
resources can be verified as an authenticated entity. An authentication application obtains
credentials from a user who is requesting Web site access. Credentials can be various forms of
identification, such as user name and password. The authentication application tries to validate
the credentials against an authentication authority. If the credentials are valid, the user who
submitted the credentials is considered to be an authenticated identity.

Office SharePoint Server authentication


To determine the most appropriate Office SharePoint Server authentication mechanism to use,
consider the following issues:
• To use a Windows authentication mechanism, you need an environment that supports
user accounts that can be authenticated by a trusted authority.
• If you use a Windows authentication mechanism, the operating system performs user
credential management tasks. If you use an authentication provider other than Windows,
such as forms authentication, you must plan and implement a credential management system
and determine where to store user credentials.
• You might need to implement an impersonation/delegation model that can pass a user's
operating system–level security context across tiers. This enables the operating system to
impersonate the user and delegate the user's security context to the next downstream
subsystem.
Microsoft Office SharePoint Server is a distributed application that is logically divided into three
tiers: the front-end Web server tier, the application server tier, and the back-end database tier.
Each tier is a trusted subsystem and authentication can be required for access to each tier.
Credential validation requires an authentication provider. Authentication providers are software
components that support specific authentication mechanisms. Office SharePoint Server 2007
authentication is built on the ASP.NET authentication model and includes three authentication
providers:
• Windows authentication provider

• Forms authentication provider
• Web SSO authentication provider
You can use the Active Directory directory service for authentication, or you can design your
environment to validate user credentials against other data stores, such as a Microsoft SQL
Server database, a lightweight directory access protocol (LDAP) directory, or any other directory
that has an ASP.NET 2.0 membership provider. The membership provider specifies the type of
data store you are going to use. The default ASP.NET 2.0 membership provider uses a SQL
Server database. Office SharePoint Server 2007 includes an LDAP v3 membership provider, and
ASP.NET 2.0 includes a SQL Server membership provider.
You can also deploy multiple authentication providers to enable, for example, intranet access by
using Windows authentication and external access by using forms authentication. Using multiple
authentication providers requires the use of multiple Web applications. Each Web application
must have a designated zone and a single authentication provider.
The authentication providers are used to authenticate against user and group credentials that are
stored in Active Directory, in a SQL Server database, or in a non-Active Directory LDAP directory
service (such as NDS). For more information about ASP.NET membership providers, see
Configuring an ASP.NET Application to Use Membership (http://go.microsoft.com/fwlink/?
LinkId=87014&clcid=0x409).

Windows authentication provider


The Windows authentication provider supports the following authentication methods:
• Anonymous authentication
Anonymous authentication enables users to find resources in the public areas of Web sites
without having to provide authentication credentials. Internet Information Services (IIS)
creates the IUSR_computername account to authenticate anonymous users in response to a
request for Web content. The IUSR_computername account, where computername is the
name of the server that is running IIS, gives the user access to resources anonymously under
the context of the IUSR account. You can reset anonymous user access to use any valid
Windows account. In a stand-alone environment, the IUSR_computername account is on the
local server. If the server is a domain controller, the IUSR_computername account is defined
for the domain. By default, anonymous access is disabled when you create a new Web
application. This provides an additional layer of security, because IIS rejects anonymous
access requests before they can ever be processed if anonymous access is disabled.
• Basic authentication
Basic authentication requires previously assigned Windows account credentials for user
access. Basic authentication enables a Web browser to provide credentials when making a
request during an HTTP transaction. Because user credentials are not encrypted for network
transmission, but are sent over the network in plaintext, using basic authentication over an
unsecured HTTP connection is not recommended. To use basic authentication, you should
enable Secure Sockets Layer (SSL) encryption.

• Digest authentication
Digest authentication provides the same functionality as basic authentication, but with
increased security. User credentials are encrypted instead of being sent over the network in
plaintext. User credentials are sent as an MD5 message digest in which the original user
name and password cannot be deciphered. Digest authentication uses a challenge/response
protocol that requires the authentication requestor to present valid credentials in response to
a challenge from the server. To authenticate against the server, the client has to supply an
MD5 message digest in a response that contains a shared secret password string. The MD5
Message-Digest Algorithm is described in detail in Internet Engineering Task Force (IETF)
RFC 1321 (http://www.ietf.org).
To use digest authentication, note the following requirements:
• The user and IIS server must be members of, or trusted by, the same domain.
• Users must have a valid Windows user account stored in Active Directory on the
domain controller.
• The domain must use a Microsoft Windows Server 2003 domain controller.
• You must install the IISSuba.dll file on the domain controller. This file is copied
automatically during Windows Server 2003 Setup.
• Integrated Windows authentication
Integrated Windows authentication can be implemented using either NTLM or constrained
Kerberos delegation. Constrained Kerberos delegation is the most secure authentication
method. Integrated Windows authentication works well in an intranet environment where
users have Windows domain accounts. In Integrated Windows authentication, the browser
attempts to use the current user's credentials from a domain logon, and if the attempt is
unsuccessful, the user is prompted to enter a user name and password. If you use Integrated
Windows authentication, the user's password is not transmitted to the server. If the user has
logged on to the local computer as a domain user, the user does not have to authenticate
again when the user accesses a network computer in that domain.
• Kerberos authentication
This method is for servers that are running Active Directory on Microsoft Windows 2000
Server and more recent versions of Windows. Kerberos is a secure protocol that supports
ticketing authentication. A Kerberos authentication server grants a ticket in response to a
client computer authentication request that contains valid user credentials. The client
computer then uses the ticket to access network resources. To enable Kerberos
authentication, the client and server computers must have a trusted connection to the domain
Key Distribution Center (KDC). The client and server computers must also be able to access
Active Directory. For more information about configuring a virtual server to use Kerberos
authentication, see Microsoft Knowledge Base article 832769: How to configure a Windows
SharePoint Services virtual server to use Kerberos authentication and how to switch from
Kerberos authentication back to NTLM authentication (http://go.microsoft.com/fwlink/?
LinkId=115572&clcid=0x409).

• Constrained Kerberos delegation
Constrained Kerberos delegation is the most secure configuration for communication between
multiple application tiers. You can use constrained delegation to pass the original caller's
identity through multiple application tiers: for example, from a Web server to an application
server to a database server. Constrained Kerberos delegation is also the most secure
configuration for accessing back-end data sources from application servers. Impersonation
enables a thread to run in a security context other than the context of the process that owns
the thread. In most server farm deployments in which front-end Web servers and application
servers run on different computers, impersonation will require constrained Kerberos
delegation.
• Impersonation and Kerberos delegation
Kerberos delegation enables an authenticated entity to impersonate the credentials of a user
or computer within the same forest. When impersonation is enabled, the impersonating entity
is allowed to use credentials for performing tasks on behalf of the impersonated user or
computer.
During impersonation, ASP.NET applications can run by using the credentials of another
authenticated entity. By default, ASP.NET impersonation is disabled. If impersonation is
enabled for an ASP.NET application, then that application runs using the credentials of the
access token IIS passes to ASP.NET. That token can be either an authenticated user token,
such as a token for a logged-in Windows user, or the token that IIS provides for anonymous
users (typically, the IUSR_computername identity).
When impersonation is enabled, only your application code runs under the context of the
impersonated user. Applications are compiled and configuration information is loaded by
using the identity of the ASP.NET process.
For more information about impersonation, see ASP.NET Impersonation
(http://go.microsoft.com/fwlink/?LinkId=115573&clcid=0x409).
• NTLM authentication
This method is for Windows servers that are not running Active Directory on a domain
controller. NTLM is a secure protocol that supports user credential encryption and
transmission over a network: user names and passwords are encrypted before they are sent
over the network. NTLM authentication is required in networks where the server receives
authentication requests from client computers that do not support Kerberos authentication.
NTLM is the authentication protocol that is used in Windows NT Server and in Windows 2000
Server workgroup environments, and in many Active Directory deployments. NTLM is used in
mixed Windows 2000 Active Directory domain environments that must authenticate Windows
NT systems. When Windows 2000 Server is converted to native mode where no down-level
Windows NT domain controllers exist, NTLM is disabled and Kerberos becomes the default
authentication protocol for the enterprise.

Forms authentication provider
The forms authentication provider supports authentication against credentials stored in Active
Directory, in a database such as a SQL Server database, or in an LDAP data store such as Novell
eDirectory, Novell Directory Services (NDS), or Sun ONE. Forms authentication enables user
authentication based on validation of credential input from a logon form. Unauthenticated
requests are redirected to a logon page, where the user must provide valid credentials and
submit the form. If the request can be authenticated, the system issues a cookie that contains a
key for reestablishing the identity for subsequent requests.

Web single sign-on (SSO) authentication provider


Web SSO is also referred to as federated authentication or delegate authentication, because it
supports secure communication across network boundaries.
SSO is an authentication method that enables access to multiple secure resources after a single
successful authentication of user credentials. There are several different implementations of SSO
authentication. Web SSO authentication supports secure communication across network
boundaries by enabling users who have been authenticated in one organization to access Web
applications in another organization. Active Directory Federation Services (ADFS) supports Web
SSO. In an ADFS scenario, two organizations can create a federation trust relationship that
enables users in one organization to access Web-based applications that are controlled by
another organization. For information about using ADFS to configure Web SSO authentication,
see Configure Web SSO authentication by using ADFS. For information about how to perform
this procedure using the Stsadm command-line tool, see Authentication: Stsadm operation
(http://technet.microsoft.com/en-us/library/cc263116.aspx).

Configure anonymous access
In this section:
• About anonymous access
• Enable anonymous access for a zone
• Enable anonymous access for individual sites
• Enable anonymous access for individual lists
Anonymous access enables users to find resources in the public areas of Web sites without
having to provide authentication credentials.

About anonymous access


Internet Information Services (IIS) creates the IUSR_computername account to authenticate
anonymous users in response to a request for Web content. The IUSR_computername account,
where computername is the name of the server that is running IIS, gives the user access to
resources anonymously under the context of the IUSR account. You can reset anonymous user
access to use any valid Windows account.

Note:
You can set up different anonymous accounts for different Web sites, virtual or physical
directories, and files.
In a stand-alone environment, the IUSR_computername account is on the local server. If the
server is a domain controller, the IUSR_computername account is defined for the domain.
By default, anonymous access is disabled by Office SharePoint Server 2007 when you create a
new Web application. This provides an additional layer of security because IIS rejects anonymous
access requests before they can ever be processed by Office SharePoint Server 2007 if
anonymous access is disabled.

Enable anonymous access for a zone


Use the following procedures to enable anonymous access for a zone of a Web application.
Within each Web application, you can categorize different classes of users into one of the
following five zones:
• Internet is the zone used for customers. Typically, the Internet zone is the only zone you
would configure for anonymous access.
• Intranet is the zone used for internal employees.
• Default is the zone used for remote employees.
• Custom is the zone used for administrators.
• Extranet is the zone used for partners.

Enable anonymous access for a zone of a Web application
1. From Administrative Tools, open the SharePoint Central Administration Web site
application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Application Security section, click
Authentication providers.
4. On the Authentication Providers page, make sure the Web application that is listed in
the Web Application box (under Site Actions) is the one that you want to configure. If
the listed Web application is not the one that you want to configure, click the drop-down
arrow to the right of the Web Application drop-down list box and select Change Web
Application.
5. In the Select Web Application dialog box, click the Web application that you want to
configure.
6. On the Authentication Providers page, click the zone of the Web application on which
you want to enable anonymous access. The zones that are configured for the selected
Web application are listed on the Authentication Providers page.
7. On the Edit Authentication page, in the Anonymous Access section, select Enable
Anonymous Access, and then click Save.

At this point, the Web application zone has been enabled for anonymous access.

Enable anonymous access for individual sites


Now you need to enable anonymous access for individual sites in the site collection.

Enable anonymous access for individual sites


1. Go to the site on which you want to enable anonymous access and click the Site
Actions menu.
2. On the Site Actions menu, click Site Settings.
3. On the Site Settings page, in the Users and Permissions section, click Advanced
Permissions.
4. On the Permissions page, on the Settings menu, click Anonymous Access. The
Anonymous Access settings list three options:
• Entire Web site Select this option if you want to enable anonymous access for
the entire Web site.
• Lists and libraries Select this option if you want to limit anonymous access to
only the lists and libraries on your site.
• Nothing Select this option if you want to prevent anonymous access from being
used on your site.
5. Click OK.

At this point, your site is configured for anonymous access based on the options that you have
selected.

Enable anonymous access for individual lists


If you select Lists and libraries, enable anonymous access for individual lists.

Enable anonymous access for individual lists


1. Go to the home page of your Web site and, in the left navigation pane, click View All
Site Content.
2. Click the list on which you want to enable anonymous access.
3. On the Settings menu, click List Settings.
4. On the Customize List page, in the Permissions and Management section, click
Permissions for this list.
5. On the Permissions page, on the Actions menu, click Edit Permissions. A dialog
box is displayed informing you that you are about to create unique permissions for this
list. Click OK.
6. On the Settings menu, click Anonymous Access.
7. Select permissions for users who have anonymous access to the list, and then click
OK.

At this point, users have anonymous access to the list you have configured. You can control
whether users have anonymous access to other lists, the home page, or other pages on this site.

Configure digest authentication
In this section:
• About digest authentication
• Enable digest authentication for a zone of a Web application
• Configure IIS to enable digest authentication

About digest authentication


Basic authentication requires previously assigned Windows account credentials for user access.
Basic authentication enables a Web browser to provide credentials when making a request during
an HTTP transaction. Because user credentials are not encrypted for network transmission, but
are sent over the network in plaintext, using basic authentication over an unsecured HTTP
connection is not recommended. To use basic authentication, you should enable Secure Sockets
Layer (SSL) encryption.
Digest authentication provides the same functionality as basic authentication, but with increased
security. User credentials are encrypted instead of being sent over the network in plaintext. User
credentials are sent as an MD5 message digest in which the original user name and password
cannot be deciphered. Digest authentication uses a challenge/response protocol that requires the
authentication requestor to present valid credentials in response to a challenge from the server.
To authenticate against the server, the client has to supply an MD5 message digest in a response
that contains a shared secret password string. The MD5 Message-Digest Algorithm is described
in detail in RFC 1321. For access to RFC 1321, see Internet Engineering Task Force (IETF)
(http://www.ietf.org).
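To make the challenge/response described above concrete, the following added Python example (not code from this documentation or from Microsoft) carries both sides of an RFC 2617 digest exchange: the server issues a nonce, the client derives the MD5 response from user name, realm, password, method and URI, and the server recomputes it from its stored HA1 value without ever seeing the password. The realm, user name, password and URL are constructed sample values; the function rfc2617_vector recomputes the worked example published in RFC 2617 itself.

```python
"""Digest authentication exchange (RFC 2617, qop=auth) with both sides' computations.
Added example, not part of the Office SharePoint Server documentation."""
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    """Hex MD5 (RFC 1321) of a UTF-8 string; the primitive digest authentication is built on."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def server_challenge(realm: str) -> dict:
    """Server side: the WWW-Authenticate challenge carries the realm and a fresh random nonce."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth"}


def client_response(username: str, password: str, method: str, uri: str,
                    challenge: dict, nc: str = "00000001", cnonce: str = None) -> dict:
    """Client side: build the Authorization fields. Only the digest leaves the client;
    the password itself is never placed on the wire."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = md5_hex(f"{username}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(
        f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{ha2}")
    return {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce,
            "response": response}


def server_verify(auth: dict, method: str, stored_ha1: str, issued_nonces: set) -> bool:
    """Server side: recompute the expected digest from the stored HA1 (user:realm:password
    hashed) and compare in constant time. A nonce the server did not issue, or has already
    consumed, is rejected; that is what stops a captured Authorization header being reused."""
    if auth["nonce"] not in issued_nonces:
        return False
    ha2 = md5_hex(f"{method}:{auth['uri']}")
    expected = md5_hex(
        f"{stored_ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:{auth['qop']}:{ha2}")
    return hmac.compare_digest(expected, auth["response"])


def rfc2617_vector() -> str:
    """Recompute the worked example from RFC 2617 section 3.5 (user Mufasa, password
    'Circle Of Life'); the response value published there is 6629fae49393a05397450978507c4ef1."""
    challenge = {"realm": "testrealm@host.com",
                 "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "qop": "auth"}
    return client_response("Mufasa", "Circle Of Life", "GET", "/dir/index.html",
                           challenge, nc="00000001", cnonce="0a4f113b")["response"]


def demo() -> tuple:
    """One exchange with constructed values: valid credentials, wrong password, and a
    replayed response. Returns (accepted, wrong_password_accepted, replay_accepted)."""
    realm = "contoso.example"                      # constructed sample realm
    user, password = "alice", "S3cret-Pa55"        # constructed sample account
    stored_ha1 = md5_hex(f"{user}:{realm}:{password}")   # what the server keeps
    issued = set()

    ch = server_challenge(realm)
    issued.add(ch["nonce"])
    auth = client_response(user, password, "GET", "/sites/hr/default.aspx", ch)
    good = server_verify(auth, "GET", stored_ha1, issued)
    issued.discard(ch["nonce"])                    # nonce consumed once accepted

    ch2 = server_challenge(realm)
    issued.add(ch2["nonce"])
    bad = server_verify(client_response(user, "wrong", "GET", "/sites/hr/default.aspx", ch2),
                        "GET", stored_ha1, issued)
    replayed = server_verify(auth, "GET", stored_ha1, issued)   # old nonce, no longer valid
    return good, bad, replayed


if __name__ == "__main__":
    print(rfc2617_vector())
    print(demo())
```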
To use digest authentication, note the following requirements:
• The user and IIS server must be members of, or trusted by, the same domain.
• Users must have a valid Windows user account stored in Active Directory on the domain
controller.
• The domain must use a Microsoft Windows Server 2003 domain controller.
• You must install the IISSuba.dll file on the domain controller. This file is copied
automatically during Windows Server 2003 Setup.
• You must install Windows Server 2003 with SP2 or later. Microsoft Office SharePoint
Server 2007 does not support digest authentication on Windows Server 2003 with SP1 or
earlier.
• To enable digest authentication to work with browsers other than Microsoft Internet
Explorer 6.0 or Internet Explorer 7.0, you must install the IIS hotfix described in Knowledge
Base article 932729. For information about this hotfix, see FIX: Error message when you try
to access a Web site that is hosted on IIS 6.0: Access Denied
(http://go.microsoft.com/fwlink/?LinkId=92784&clcid=0x409).

Enable digest authentication for a zone of a Web application
Use the following procedures to enable digest authentication for a zone of a Web application.
Within each Web application, you can categorize different classes of users into one of the
following five zones:
• Internet is the zone used for customers.
• Intranet is the zone used for internal employees.
• Default is the zone used for remote employees.
• Custom is the zone used for administrators.
• Extranet is the zone used for partners.

Enable digest authentication for a zone of a Web application


1. From Administrative Tools, open the SharePoint Central Administration Web site
application.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the Application Security section, click
Authentication providers.
4. On the Authentication Providers page, make sure the Web application that is listed in
the Web Application box (under Site Actions) is the one that you want to configure. If
the listed Web application is not the one that you want to configure, click the drop-down
arrow to the right of the Web Application drop-down list box and select Change Web
Application.
5. In the Select Web Application dialog box, click the Web application that you want to
configure.
6. On the Authentication Providers page, click the zone of the Web application on which
you want to enable digest authentication. The zones that are configured for the selected
Web application are listed on the Authentication Providers page.
7. On the Edit Authentication page, in the IIS Authentication section, clear the
Integrated Windows authentication and Basic authentication check boxes, and then
click Save.

At this point use the IIS Management Console to configure IIS to enable digest authentication.

Configure IIS to enable digest authentication


Use the following procedures to configure IIS to enable digest authentication.

Configure IIS to enable digest authentication


1. From Administrative Tools on the Start menu, click Internet Information Services
to start the IIS Management Console.

2. Under the Web Sites node on the console tree, right-click the IIS Web site that
corresponds to the Web application zone on which you want to configure digest
authentication, and then click Properties.
3. On the Web Site Properties page, click the Directory Security tab.
4. In the Anonymous access and authentication control section, click the Edit
button.
5. In the Authenticated access section of the Authentication Methods dialog box,
select Digest authentication for Windows domain servers. A dialog box is displayed
informing you that digest authentication only works with Active Directory domain
accounts, and asking you if you want to continue. Click Yes.
6. In the Realm section of the Authentication Methods dialog box, click the
Select button.
7. Select the appropriate realm and click OK. On the other open dialog boxes, click OK.

At this point, your Web site is configured to use digest authentication.

Configure forms-based authentication
In this section:
• About forms-based authentication
• Configure forms-based authentication across multiple zones
• Configure forms-based authentication for My Sites Web applications
• Configure the SSP for forms-based authentication
• Configure user profiles and people search
Microsoft Office SharePoint Server 2007 authentication is performed by an authentication
mechanism that is supported by one of the available authentication providers. Providers are
modules that contain the code necessary to authenticate the credentials of a requestor.
Authentication for Office SharePoint Server 2007 is built on the ASP.NET authentication model
and includes three authentication providers:
• Windows authentication provider
• Forms-based authentication provider
• Web Single Sign-On (SSO) authentication provider
In addition, ASP.NET supports the use of pluggable authentication providers, which means that
you can write an authentication provider to support any credential store that you want to use.

About forms-based authentication


The forms-based authentication provider supports authentication against credentials stored in
Active Directory, in a database such as a SQL Server database, or in a Lightweight Directory
Access Protocol (LDAP) data store such as Novell eDirectory, Novell Directory Services (NDS),
or Sun ONE. Forms-based authentication enables user authentication based on validation of
credential input from a logon form. Unauthenticated requests are redirected to a logon page,
where the user must provide valid credentials and submit the form. If the request can be
authenticated, the system issues a cookie that contains a key for reestablishing the identity for
subsequent requests.
The forms-based authentication provider supports authentication against credentials stored in
one of the following:
• The Active Directory directory service
• A database
• An LDAP data store
To enable forms-based authentication for an Office SharePoint Server 2007 Web site and add
users to the user account database, perform the following procedures.

Create a new site
1. On the home page of the SharePoint Central Administration Web site, click
Application Management.
2. On the Application Management page, in the SharePoint Web Application
Management section, click Create or extend Web application.
3. On the Create or Extend Web Application page, click Create a new Web
application.
4. On the Create New Web Application page, in the Security Configuration section,
make sure NTLM is selected under Authentication provider. Also, select Yes under
Allow Anonymous.
5. Use the default entries to complete the new Web application creation procedure and
click OK.

At this point, you have created a new site placeholder. Use the following procedure to create a
site collection.

Create a site collection


1. On the top link bar, click Application Management.
2. On the Application Management page, in the SharePoint Site Management section,
click Create site collection.
3. On the Create Site Collection page, in the Web Application section, verify that the
Web application in which you want to create the site collection is selected.
If it is not, click Change Web Application on the Web Application menu. Then, on the
Select Web Application page, click the Web application in which you want to create the
site collection.
4. In the Title and Description section, type the title and description for the site
collection.
5. In the Web Site Address section, under URL, select the path to use for your URL.

Note:
If you select a wildcard inclusion path, you must also type the site name to use in
the URL of your site. The paths available for the URL option are taken from the
list of managed paths that have been defined as wildcard inclusions.
6. In the Template Selection section, in the Select a template list, select the template
that you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the
form domain\username) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site
(recommended), in the Secondary Site Collection Administrator section, enter the
user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota
Template section, click a template in the Select a quota template list.
10. Click OK.

At this point, you have created a site collection. Use the following procedure to configure a forms-
based authentication provider.

Configure a forms-based authentication provider


1. On the home page of the SharePoint Central Administration Web site, click
Application Management.
2. On the Application Management page, in the SharePoint Web Application
Management section, click Web application list.
3. On the Web Application List page, double-click the new Web application that you
created in the previous procedure.
4. On the Application Management page, in the Application Security section, click
Authentication providers.
5. On the Authentication Providers page, click the zone name for the authentication
provider whose settings you want to configure.
6. On the Edit Authentication page, in the Authentication Type section, select Forms.
If you need to explicitly grant anonymous access to a site collection, in the Anonymous
Access section, select the Enable anonymous access check box for all sites within the
Web application. To disable anonymous access for all sites within the Web application,
clear the Enable anonymous access check box.

Note:
If you enable anonymous access here, anonymous access can still be denied at
the site collection level or at the site level. However, if you disable anonymous
access here, it is disabled at all levels within the Web application.
7. In the Membership Provider Name section, in the Membership provider name
box, type the name of the membership provider that you want to use.

Note:
If the Web application is going to support forms-based authentication, the
membership provider must be correctly configured in the Web.config file for the
IIS Web application that hosts SharePoint content on each Web server. The
membership provider must also be added to the Web.config file for the IIS Web
application that hosts Central Administration.
8. In the Client Integration section, under Enable Client Integration, make sure No is
selected, and then click Save.
• If you select Yes, features that start client applications according to document
types will be enabled. This option will not work correctly with some types of forms-
based authentication.
• If you select No, features that start client applications according to document
types will be disabled. Users will have to download documents and then upload them
after they make changes.

Notes
For forms-based authentication, client integration is disabled by default. When client
integration is disabled, links to client applications are not visible and documents cannot be
opened in client applications; documents can only be opened in a Web browser. However,
users can download documents, edit them in client applications locally, and then upload them
to the site.
Client integration is disabled by default when you use forms-based authentication. This is
because client integration does not natively support forms-based authentication. You might be
able to use many client integration features with forms-based authentication, and there are
workarounds available to implement varying levels of client integration functionality with
forms-based authentication. However, if published workarounds are inadequate, or if you find
unexpected issues using workarounds, we do not provide support and there are no product
changes to address these issues. If you plan to use client integration with forms-based
authentication, you must fully test any available solutions or workarounds to determine if the
performance and functionality are acceptable in your environment.
Product Support can provide commercially reasonable support to help you troubleshoot
published workarounds.

After a user provides credentials, the system issues a cookie that identifies the user. On
subsequent requests, the system first checks the cookie to see whether the user has already
been authenticated, so the user does not have to supply credentials again.
If the user has not selected the Remember me? box on the logon page, the credential
information is not cached on the client computer, and is valid only during the current session. This
is especially important in a scenario where users are connecting from public computers or kiosks,
where you would not want user credentials to be cached. Users are required to reauthenticate if
they close the browser, log off from a session, or navigate to another Web site. Also, you can
configure a maximum idle session time-out value to force reauthentication if a user is idle for a
prolonged period of time during a session.

Configure forms-based authentication across multiple zones
Implementing forms-based authentication can interfere with enterprise search functionality. To
enable search across content authenticated using a custom authentication mechanism, you must
have the Default zone configured to support NTLM authentication. The Office SharePoint Server
2007 search crawler polls zones in the following order:
• Default zone
• Intranet zone
• Internet zone
• Custom zone

• Extranet zone

Note:
If you use forms-based authentication and the Office SharePoint Server 2007 search
crawler polls a zone that is configured to support Kerberos authentication, the Office
SharePoint Server 2007 search crawler will fail. If you use forms-based authentication
and the Office SharePoint Server 2007 search crawler polls a zone that is configured to
support basic or certificate authentication, you have to configure a crawl rule and provide
credentials or certificates in the Shared Services Provider (SSP) search settings. If a
crawl rule is not configured, the crawler will cycle through all of the zones until it finds a
zone that is configured with NTLM. If the crawler finds a zone configured with NTLM, the
crawl will succeed. If the crawler finds a zone configured with Kerberos or Digest
authentication, the crawl will fail and polling will stop.
Office SharePoint Server 2007 does not allow a Web application to work with the same provider
name across multiple zones. You can configure the Web.config file to use the same provider for
each zone; however, the name of the provider has to be unique for each zone.
For additional information on authentication mechanisms and samples for configuring forms-
based authentication with multiple providers, see Plan for authentication
(http://technet.microsoft.com/en-us/library/cc263434.aspx).
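The Web.config rules stated on this page (the membership provider named in Central Administration must be registered in that zone's Web.config and in the Central Administration Web.config, a provider name must be unique for each zone of a Web application, and, as the SSP procedure warns, defaultProvider must not be set) can be checked before the farm is put in front of users. The following added Python example (not Microsoft's code) audits such files; the three Web.config fragments it contains are constructed samples, and the provider name FbaSqlProvider, the connection string and the SQLHOST server are assumptions, not values from this documentation.

```python
"""Audit the <membership> sections of Web.config files for the zones of a forms-authenticated
Web application and for Central Administration. Added example with constructed samples."""
import xml.etree.ElementTree as ET

# Constructed sample: the Default zone stays on Windows authentication, so it has no
# <membership> element at all.
DEFAULT_ZONE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
</configuration>"""

# Constructed sample: the extended Custom zone registers a SqlMembershipProvider under the
# name typed in the Membership provider name box. defaultProvider is set here on purpose
# so that the audit has something to flag.
CUSTOM_ZONE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="FbaUsers"
         connectionString="Data Source=SQLHOST;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="FbaSqlProvider">
      <providers>
        <add name="FbaSqlProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaUsers" applicationName="/" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Constructed sample: Central Administration must know the same provider, with no default.
CENTRAL_ADMIN_CONFIG = """<configuration>
  <system.web>
    <membership>
      <providers>
        <add name="FbaSqlProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaUsers" applicationName="/" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def membership_info(web_config_xml: str) -> dict:
    """Return the registered provider names and the defaultProvider value (None if unset)."""
    root = ET.fromstring(web_config_xml)
    providers, default = [], None
    for membership in root.iter("membership"):
        default = membership.get("defaultProvider")
        providers.extend(p.get("name") for p in membership.iter("add"))
    return {"providers": providers, "default_provider": default}


def audit_fba_configs(zones: dict, expected: dict, central_admin_xml: str) -> list:
    """zones: zone name -> that zone's Web.config text, for one content Web application.
    expected: zone name -> provider name entered for that zone in Central Administration.
    Returns human-readable findings; an empty list means the files satisfy the rules."""
    findings = []
    selected = {}   # provider name -> zone that selected it in Central Administration
    for zone, want in expected.items():
        if want in selected:
            findings.append(f"{zone}: provider name '{want}' is already used by the "
                            f"{selected[want]} zone; the name must be unique for each zone")
        selected[want] = zone
    for zone, xml_text in zones.items():
        info = membership_info(xml_text)
        want = expected.get(zone)
        if want and want not in info["providers"]:
            findings.append(f"{zone}: provider '{want}' is not registered in this zone's Web.config")
        if info["default_provider"] is not None:
            findings.append(f"{zone}: defaultProvider='{info['default_provider']}' is set; remove it "
                            "so the People Picker and security trimmer are not forced onto it")
    ca = membership_info(central_admin_xml)
    for want, zone in selected.items():
        if want not in ca["providers"]:
            findings.append(f"Central Administration: provider '{want}' (zone {zone}) is missing")
    if ca["default_provider"] is not None:
        findings.append(f"Central Administration: defaultProvider='{ca['default_provider']}' is set")
    return findings


def run_sample_audit() -> list:
    """Audit the constructed samples; only the Custom zone's defaultProvider is reported."""
    zones = {"Default": DEFAULT_ZONE_CONFIG, "Custom": CUSTOM_ZONE_CONFIG}
    return audit_fba_configs(zones, {"Custom": "FbaSqlProvider"}, CENTRAL_ADMIN_CONFIG)


if __name__ == "__main__":
    for line in run_sample_audit() or ["no findings"]:
        print(line)
```

On a real farm, read each zone's Web.config from the IIS Web site directory on every Web server and pass the texts in; the rules are the same regardless of which membership provider type is registered.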

Configure forms-based authentication for My Sites Web applications
To plan a forms-based authentication implementation across your Office SharePoint Server 2007
deployment, you need to determine how to configure forms-based authentication to interoperate
with My Sites Web applications. To ensure that forms-based authenticated users can perform
people searches and create My Sites Web applications in an Office SharePoint Server 2007 farm,
perform the following procedure:
1. Create a Web application with NTLM authentication configured for the Default zone. For
information about creating a Web application, see Create or extend Web applications.
2. Create an SSP. For information about creating an SSP, see Chapter overview: Create
and configure Shared Services Providers.
At this point, all the Web applications are extended to the Default zone, and the
authentication mechanism is configured as NTLM.

3. To ensure that the crawler can access the content, configure the extended content
Web application for forms-based authentication by selecting the Web application from the
Web Application list in Central Administration, as shown in the following figure:

4. Follow the link to Create or Extend Web Application and choose the option to extend a
Web application. Type in the details, such as choosing a port number where the new Web
application will be hosted in IIS, and choosing the zone that this extended Web application
will reside under.
The following figure shows the original Web application, which is always created in the
Default zone, and the extended Web application created under the Custom zone.

Each of the zones identifies the logical separation of access restrictions to the same content.

Note:
You cannot increase the number of zones.
5. Configure the membership provider name of the extended Web application for forms-
based authentication, as shown in the following figure.

After extending the content Web application to a different zone, you can configure
authentication providers and enable different authentication mechanisms using different
URLs. At this point, add a provider section in the Web.config file of the extended Web
application.
Note:
Adding the provider section in the Web.config file for the default zone will have no
impact on Office SharePoint Server 2007 awareness of the provider for the new
zone. Practically, the two zones are isolated from each other as far as IIS Web sites
are concerned, even though they will still share the same application pool.
6. Modify the authentication provider by following the link to the Authentication Providers
page. This page displays all of the zones on which the Web application has been extended.
Select the appropriate zone and configure the authentication provider. In the preceding
example, the authentication provider is configured as the
PeopleDCLDAPMemberShipProvider for the Custom zone.
7. Add the first administrative user who will have administrative access on all site collections
within the Web application. In this example, the content is the same and the site collections
are identical across all the extended zones (Default and Custom), even though the URLs are
different. When the Web application is first created, the application pool identity is granted
Full Read permissions on the Web application for all zones. For the Default zone, access is
controlled by the primary site collection administrator who was specified during the creation of
the site collection at the root of the Web application. For the extended zone, you have to add
a specific user with Full Control on the Web application to enable initial logon to the site
collections and to perform administrative tasks. To add a user, click Add Users on the Policy
for Web Application page, and select a zone. Run the People Picker and resolve the name of
the user.

Note:
The user will be added as provider:username because the People Picker will resolve
the user by using the provider configured in the Web.config file for the extended Web
application. Office SharePoint Server 2007 ignores the custom provider if All Zones
is selected in the Zone drop-down list. Therefore, it is very important to ensure that
the appropriate zone is selected.
8. After the user has been added, verify that forms-based authentication is functioning and
browse to the URL for the extended zone. In this example, the content Web application is in
the Default zone on port 2000 and is extended to the Custom zone on port 2001. Browse to
the extended port.
9. At this point, the forms-based authentication logon screen is displayed. Type the
credentials for the user you added earlier, and click Submit. You are then redirected to the
Default.aspx page of the site.
The Default.aspx page is very similar to a standard Default.aspx page of a default zone site.
However, in this example, the My Site creation link is not displayed. My Sites and personalization
are services provided by the Shared Services Provider (SSP). There is an existing SSP that
provides these services to this Web application. At this point in the procedure, the SSP is
unaware of the new user, whose credentials you used to log in. Because links are security
trimmed, they are not displayed and, in this example, the current user is not recognized by the
SSP. To correct this situation, enable the SSP for forms-based authentication, as described in the
following procedure.

Configure the SSP for forms-based authentication
To configure the Shared Services Provider (SSP) for forms-based authentication, extend the SSP
administration Web application to map to the same zone as the content Web application. On the
Manage this Farm's Shared Services page, the administration site host for the SSP is listed on
port 80, and the SSP is only aware of NTLM authentication. To make the SSP aware of the
custom provider, configure the SSP for forms-based authentication.
1. Extend the Web application on port 80 (the administration site host) to the same zone on
which the content Web application was extended, and then configure the extended Web
application for forms-based authentication.

Note:
Typically, users are not aware of this new Web application and this Web application
only provides forms-based authentication awareness to the SSP.
2. Browse to the new SSP administration site. After the administration Web application is
forms-based authentication enabled, you can point the browser to a URL such as
http://<server>:<extended port>/ssp/admin/default.aspx. This is similar to the URL for the
SSP administration site (with a different port number). However, now you are prompted for
credentials on the forms-based authentication logon page.
After you enter the credentials of the user that you added during the Add Users procedure on
the Policy for Web Application page, you are redirected to the Administration page.

Note:
If you try to browse to Personalization Services Permissions in the User Profiles and
My Sites section of the Shared Services Administration page, access is denied.
This is because the logged-on user does not have permissions to modify
personalization services permissions even though the forms-based authenticated
user has permissions to browse the site. To change this behavior, the user has to
have permissions explicitly provided in a different account, and the account itself has
to have permissions to modify personalization services permissions. In this example,
that configuration would be difficult to configure because you are currently browsing
using the one account that has been added with Full Control over the SSP. Users in a
Windows authenticated zone are the only ones who have permissions to edit
personalization services permissions. To enable forms-based authenticated users to
edit personalization services permissions, you must be logged on as a user in a
Windows authenticated zone.
3. Add permissions for personalization links by logging in to the SSP administration site
using the Default zone.

Note:
Make sure the welcome control displays the identity of the Windows user.
4. Browse to the Personalization Services Permissions page, and launch the People Picker.

5. Try resolving the forms-based authenticated user here. The People Picker will not resolve
the forms-based authenticated user because this zone is not aware that there is another
provider that can be queried to find these users.
6. To make this zone aware of the provider, modify the Web.config file for this zone and add
the same provider section that you added for enabling forms-based authentication.

Important:
In the Web.config file, do not set the defaultProvider attribute. If you set this
attribute, the People Picker and security trimmer will always use this provider to
resolve and authenticate users.
7. Browse back to the Personalization Services Permissions page and launch the People
Picker, which now resolves the forms-based authentication user and displays all users who
meet the same criteria.
8. Select a user and choose the permissions you want to assign to this user:
• Create Personal Site: This permission is required to make the My Site link visible,
and enables users to create a My Site.
• Use Personal Features: This permission enables users to access SSP and My Site
features.
• Manage user profiles: This permission enables users to view and manage user
profiles from the Profile Store.
• Manage Audiences: This permission enables users to manage audiences.
• Manage Permissions: This permission enables permission management on an SSP.
• Manage Usage Analytics: This permission enables users to manage and configure
usage analysis.
9. Click Save.
At this point, you can log back on to the Custom zone SSP site as a forms-based authenticated
user and add additional users. In addition, you can configure sets of permissions for these
additional users. After the user is enabled with the Create Personal Site permissions, the My Site
link will be displayed. You can browse to the Custom zone portal using the forms-based
authenticated user and note the Welcome control suite displays the My Site link. However,
clicking the link will not actually create a My Site. This is because the SSP still only refers to the
default zone for the My Site host, even though the SSP is extended on the Custom zone. The
Web application is not yet aware of the forms authenticated users. You can address this by
extending the My Site Web application and configuring it for forms-based authentication.
Because you can manually set the My Site host from within the SSP, it does not matter if the My
Site host is extended to a different zone than the SSP administration Web application. If you are
implementing a scenario in which these two zones have to be different, you can browse to the
SSP, using forms-based authentication, and manually set the My Site host. Browse to the SSP
administration Web site using forms-based authentication and then browse to the My Site
Settings page.
Now you can edit the personal site provider to point to the newly extended My Site Web
application. If you extend the My Site Web application onto the same zone as the SSP
administration Web application, Office SharePoint Server 2007 will automatically realign the My
Sites and this manual configuration is not necessary.
In addition, you can go to the content site, log on by using forms-based authentication, and create
a My Site for the forms-based authenticated user.

Configure user profiles and people search


To plan a forms-based authentication implementation across your Office SharePoint Server 2007
deployment, you need to determine how to configure forms-based authentication to interoperate
with user profiles and people search. Office SharePoint Server 2007 imports user profiles using
the active authentication provider. For people search to work with forms-based authentication, the
user profiles have to be imported with the forms-based authentication provider. If the same set of
users is imported using Windows authentication over the Default zone, and forms-based
authentication over the Custom zone, profile import will import the same set of users at the same
time, identifying them differently. For example, the user "domain\user1" is treated differently from
the user "provider:user1". This is true even though all of the properties are identical, including the
source from which they were imported. It is the provider that differentiates the two users and
treats them as two different users.
Assuming that you have already configured the SSP administration Web application to work with
forms-based authentication, perform the following procedures to enable people search. Make
sure that the SSP administration Web application is extended and correctly configured to use
forms-based authentication. In addition, note that the administrative user should be explicitly
assigned permission to manage user profiles from the Personalization Service Permissions page.
1. To configure a user profile import, browse to the SSP administration site for the Custom
zone. Because this has already been configured with forms-based authentication, you can
log on using the credentials of the administrative user.
2. Click User Profiles and Properties and configure a new import connection.
The available options are Active Directory, LDAP Directory, Active Directory Resource, and
Business Data Catalog. In this example, because the source is a user store on a domain, an
LDAP directory is selected as the connection type.
3. Populate the connection name and the name of the LDAP server, as defined in the
provider section.
4. Type the provider name, as listed in the Web.config file, and the user name attribute from
the provider section. The rest of the information should be filled in automatically.
5. Start the import using the newly added import connection.

6. Verify that the profiles are imported by clicking View User Profiles, as shown in the
following figure:

After the import is performed, the user profile store in Office SharePoint Server 2007 is
updated with the new profiles. To enable people search, perform the next procedure.
7. Initiate a crawl of the people content source. When the crawl is complete, you will be able
to perform a people search on the forms-based authentication site.

Configure Web SSO authentication by using
ADFS
In this section:
• About federated authentication systems
• Before you begin
• Configuring your extranet Web application to use Web SSO authentication
• Allowing users access to your extranet Web site
• Working with the People Picker
• Working with E-mail and UPN claims
• Working with groups and organizational group claims

About federated authentication systems


Microsoft Office SharePoint Server 2007 provides support for federated authentication scenarios
where the authentication system is not local to the computer that hosts Office SharePoint Server
2007. Federated authentication systems are also known as Web single sign-on (SSO) systems.
With Active Directory Federation Services (ADFS), people in one company can access servers
hosted by a different company by using their existing Active Directory accounts. ADFS also
establishes a trust relationship between the two companies and a seamless one-time logon
experience for end users. ADFS relies on 302 redirects to authenticate end users. Users are
issued an authentication token (cookie) after they are authenticated.

Before you begin


Before you use ADFS to configure Web SSO authentication for your extranet Web application,
you should become familiar with the following resources:
• Microsoft SharePoint Products and Technologies Team Blog entry about configuring
multiple authentication providers
(http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-multiple-authentication-
providers-for-sharepoint-2007.aspx).
• Step-by-Step Guide for Active Directory Federation Services
(http://go.microsoft.com/fwlink/?LinkId=145396). The server names and examples used in
this section are based on this step-by-step guide, which describes setting up ADFS in a small
lab environment. In this environment, a new server named Trey-SharePoint is joined to the
Trey Research forest. Follow the steps in the step-by-step guide to configure your ADFS
infrastructure. However, because this section describes how to configure Office SharePoint
Server 2007 in a claims-aware application mode, you do not have to implement all the steps
for building Windows NT token agent applications that are described in the step-by-step
guide.

Note:
When you use the People Picker to add users to Windows SharePoint Services 3.0,
Windows SharePoint Services 3.0 validates the users against the provider, which in this
example is ADFS. Therefore, you should configure the Federation Server before you
configure Windows SharePoint Services 3.0.

Important:
The setup process has been captured in a VBScript file that you can use to configure
Office SharePoint Server 2007 to use ADFS for authentication. This script file is
contained in the file (SetupSharePointADFS.zip) and is available on the Microsoft
SharePoint Products and Technologies blog, listed in the Attachments section. For more
information, see the blog page A script to configure SharePoint to use ADFS for
authentication (http://go.microsoft.com/fwlink/?LinkId=113894).

Configuring your extranet Web application to use Web SSO authentication
1. Install the Web Agent for Claims Aware Applications.
2. Download and install the hot fix for ADFS described in The role provider and the
membership provider cannot be called from Windows SharePoint Services 3.0 on a Windows
Server 2003 R2-based computer that is running ADFS and Microsoft Windows SharePoint
Services 3.0 (http://go.microsoft.com/fwlink/?LinkId=145397). This hot fix will be included
in Windows Server 2003 Service Pack 2 (SP2).
3. Install Office SharePoint Server 2007, configure all the services and servers in the farm,
and then create a new Web application. By default, this Web application will be configured to
use Windows authentication, and it will be the entry point through which your intranet users
will access the site. In the example used in this section, the site is named http://trey-moss.
4. Extend the Web application that you created in step 3 in another zone. On the Application
Management page in the SharePoint Central Administration Web site, click Create or Extend
Web Application, click Extend an existing Web Application, and then do the following:
a. Add a host header. This is the DNS name by which the site will be known to users in
the extranet. In this example, the name is extranet.treyresearch.net.
b. Change the zone to Extranet.
c. Give the site a host header name that you will configure in DNS for your extranet
users to resolve against.
d. Click Use Secure Sockets Layer (SSL), and change the port number to 443. ADFS
requires that sites be configured to use SSL.
e. In the Load Balanced URL box, delete the text string :443. Internet Information
Services (IIS) will automatically use port 443 because you specified the port number in
the previous step.
f. Complete the rest of the steps on the page to finish extending the Web application.
5. On the Alternate Access Mappings (AAM) page, verify that the URLs resemble the
following table.

Internal URL                        Zone       Public URL for Zone
http://trey-moss                    Default    http://trey-moss
https://extranet.treyresearch.net   Extranet   https://extranet.treyresearch.net

6. Add an SSL certificate to the Extranet Web Site in IIS. Make sure that this SSL certificate
is issued to extranet.treyresearch.net, because this is the name that clients will use when
they access the sites.
7. Configure the Authentication provider for the extranet zone on your Web application to
use Web SSO by doing the following:
a. On the Application Management page of your farm’s Central Administration site, click
Authentication Providers.
b. Click Change in the upper-right corner of the page, and then select the Web
application on which you want to enable Web SSO.
c. In the list of two zones that are mapped for this Web application (both of which
should say Windows), click the Windows link for the Extranet zone.
d. In the Authentication Type section, click Web Single Sign On.
e. In the Membership provider name box, type
SingleSignOnMembershipProvider2
Make a note of this value; you will be adding it to the name element of the <membership>
section in the web.config files that you will edit later in this procedure.
f. In the Role manager name box, type
SingleSignOnRoleProvider2
Make a note of this value; you will be adding it to the name element of the
<roleManager> section in the web.config files you will edit later in this procedure.
g. Make sure the Enable Client Integration setting is set to No.
h. Click Save.
Your extranet Web application is now configured to use Web SSO. However, at this point, the site
will be inaccessible because no one has permissions to it. The next step is to assign permissions
to users so that they can access this site.

Note:
After selecting WebSSO as the Authentication Provider, Anonymous Authentication will
be automatically enabled for the SharePoint site in IIS (no user action is required). This
setting is required for the site to allow access using only claims.

Allowing users access to your extranet Web site
1. Use a text editor to open the web.config file for the Web site on the default zone that is
using Windows authentication.
2. Add the following entry anywhere in the <system.web> node.
<membership>
<providers>
<add name="SingleSignOnMembershipProvider2"
type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvide
r2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fs-
server/adfs/fs/federationserverservice.asmx" />
</providers>
</membership>

<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<remove name="AspNetSqlRoleProvider" />
<add name="SingleSignOnRoleProvider2"
type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,
System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fs-
server/adfs/fs/federationserverservice.asmx" />
</providers>
</roleManager>
3. Change the value for fs-server to reflect your resource Federation Server
(adfsresource.treyresearch.net). Ensure that you entered the correct membership provider
and the role manager names on the Central Administration Authentication Providers page.
When this entry is added to web.config, the People Picker on the default zone site that is
using Windows authentication is aware of the ADFS providers and, therefore, can resolve the
ADFS claims. This enables you to grant permissions to the ADFS claims on your Web site.
4. Grant ADFS claims access to the site by doing the following:
a. Navigate to the Web site on the default zone that uses Windows authentication as an
administrator of the site.
b. Click the Site Actions menu, point to Site Settings, and then click Advanced
Permissions.
c. Click New, and then click Add Users.

d. To add a user claim, specify their e-mail address or User Principal Name in the
Users/Groups section. If both UPN and e-mail claims are sent from the federation
server, then SharePoint will use UPN to verify against the MembershipProvider.
Therefore, if you want to use e-mail, you will have to disable the UPN claim in your
federation server. See “Working with E-mail and UPN claims” for more information.
e. To add a group claim, type the name of the claim you want the SharePoint site to use
in the Users/Groups section. For example, create an organizational group claim named
Adatum Contributers on the Federation Server. Add the claim name Adatum
Contributers to the SharePoint site as you would a Windows user or group. You can
assign this claim Home Members [Contribute], and then any user who accesses the
SharePoint site by using this group claim will have Contributor access to the site.
f. Select the appropriate permission level or SharePoint group.
g. Click OK.
5. Use the text editor of your choice to open the web.config file for the extranet site, and add
the following entry in the <configSections> node.
<sectionGroup name="system.web">
<section name="websso"
type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler,
System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35, Custom=null" />
</sectionGroup>
6. Add the following entry to the <httpModules> node
<add name="Identity Federation Services Application Authentication
Module"
type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule,
System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35, Custom=null" />

Note:
The ADFS authentication module should always be specified after the SharePoint
SPRequest module in the <httpModules> node of the web.config file. It is safest to
add it as the last entry in that section.
7. Add the following entry anywhere under the <system.web> node.
<membership defaultProvider="SingleSignOnMembershipProvider2">
<providers>
<add name="SingleSignOnMembershipProvider2"
type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvide
r2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</providers>
</membership>

<roleManager enabled="true"
defaultProvider="SingleSignOnRoleProvider2">
<providers>
<add name="SingleSignOnRoleProvider2"
type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,
System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</providers>
</roleManager>

<websso>
<authenticationrequired />
<auditlevel>55</auditlevel>
<urls>
<returnurl>https://your_application</returnurl>
</urls>
<fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
<isSharePoint />
</websso>

Note:
Change the value for fs-server to your Federation Server computer, and change the
value of your_application to reflect the URL of your extranet Web application.
8. Browse to the https://extranet.treyresearch.net Web site as an ADFS user who has
permissions to the extranet web site.
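The web.config edits in steps 2, 5, 6 and 7 are easy to get subtly wrong: a placeholder such as fs-server left in place, the ADFS module listed before SPRequest, a provider name that does not match what was typed in Central Administration, or the Web SSO provider made the default in the Windows zone. The following Python script is an added example (not part of this guide or of the SetupSharePointADFS script) that parses a web.config and reports those mistakes; the sample XML it checks is constructed for the example, the element and attribute names are those shown in the procedure above, and the name SPRequest for the SharePoint request module is assumed.

```python
"""Check the ADFS Web SSO entries in SharePoint 2007 web.config files (added example,
not from the Microsoft guide). The XML fragments are constructed for the example;
type="..." stands in for the assembly-qualified type names given in the guide."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MEMBERSHIP = "SingleSignOnMembershipProvider2"  # names typed into Central Administration
ROLE = "SingleSignOnRoleProvider2"
ADFS_MODULE = "Identity Federation Services Application Authentication Module"
PLACEHOLDERS = ("fs-server", "your_application")  # hosts the guide tells you to replace


def check_extranet_config(xml_text, membership_name=MEMBERSHIP, role_name=ROLE):
    """Return a list of findings for an extranet-zone web.config; empty means it passes."""
    root = ET.fromstring(xml_text)
    findings = []
    # The websso section must be declared before ASP.NET will accept it.
    sections = root.findall("./configSections/sectionGroup[@name='system.web']/section")
    if not any(s.get("name") == "websso" for s in sections):
        findings.append("websso section is not declared in <configSections>")
    # The ADFS module must run after SPRequest (assumed module name); last is safest.
    names = [m.get("name") for m in root.findall("./system.web/httpModules/add")]
    if ADFS_MODULE not in names:
        findings.append("ADFS authentication module is missing from <httpModules>")
    elif "SPRequest" in names and names.index(ADFS_MODULE) < names.index("SPRequest"):
        findings.append("ADFS authentication module is listed before SPRequest")
    # Provider names must match Central Administration and be this zone's defaults.
    membership = root.find("./system.web/membership")
    if membership is None or membership.get("defaultProvider") != membership_name:
        findings.append(f"membership defaultProvider is not {membership_name}")
    elif membership.find(f"./providers/add[@name='{membership_name}']") is None:
        findings.append(f"membership provider {membership_name} is not registered")
    role_mgr = root.find("./system.web/roleManager")
    if role_mgr is None or role_mgr.get("enabled") != "true":
        findings.append("roleManager is missing or not enabled")
    elif role_mgr.get("defaultProvider") != role_name:
        findings.append(f"roleManager defaultProvider is not {role_name}")
    elif role_mgr.find(f"./providers/add[@name='{role_name}']") is None:
        findings.append(f"role provider {role_name} is not registered")
    # websso URLs must be HTTPS and must not still carry the guide's placeholders.
    websso = root.find("./system.web/websso")
    if websso is None:
        return findings + ["<websso> section is missing"]
    for tag in ("fs", "urls/returnurl"):
        el = websso.find(tag)
        parsed = urlparse((el.text or "").strip() if el is not None else "")
        if parsed.scheme != "https":
            findings.append(f"<{tag}> is not an https URL: {parsed.geturl()!r}")
        elif parsed.hostname in PLACEHOLDERS:
            findings.append(f"<{tag}> still contains the placeholder host {parsed.hostname!r}")
    if websso.find("isSharePoint") is None:
        findings.append("<isSharePoint /> is missing from <websso>")
    return findings


def check_default_zone_config(xml_text, membership_name=MEMBERSHIP):
    """Windows zone: the SSO provider must be registered so the People Picker can resolve
    claims, but must NOT be the default, or it would authenticate every user of the site."""
    membership = ET.fromstring(xml_text).find("./system.web/membership")
    if membership is None or membership.find(f"./providers/add[@name='{membership_name}']") is None:
        return [f"{membership_name} is not registered in the Windows zone"]
    if membership.get("defaultProvider") == membership_name:
        return ["Windows zone sets the Web SSO provider as defaultProvider"]
    return []


def extranet_config(fs_host, adfs_module_last=True):
    """Constructed extranet-zone web.config; fs_host is the Federation Server host name."""
    sp = '<add name="SPRequest" type="..." />'
    adfs = f'<add name="{ADFS_MODULE}" type="..." />'
    return f"""<configuration>
  <configSections><sectionGroup name="system.web"><section name="websso" type="..." /></sectionGroup></configSections>
  <system.web>
    <httpModules>{sp + adfs if adfs_module_last else adfs + sp}</httpModules>
    <membership defaultProvider="{MEMBERSHIP}"><providers><add name="{MEMBERSHIP}" type="..." /></providers></membership>
    <roleManager enabled="true" defaultProvider="{ROLE}"><providers><add name="{ROLE}" type="..." /></providers></roleManager>
    <websso>
      <authenticationrequired /><auditlevel>55</auditlevel>
      <urls><returnurl>https://extranet.treyresearch.net</returnurl></urls>
      <fs>https://{fs_host}/adfs/fs/federationserverservice.asmx</fs>
      <isSharePoint />
    </websso>
  </system.web>
</configuration>"""


def default_zone_config(set_default=False):
    """Constructed Windows-zone web.config fragment (step 2 of the procedure)."""
    attr = f' defaultProvider="{MEMBERSHIP}"' if set_default else ""
    return f"""<configuration><system.web>
  <membership{attr}><providers><add name="{MEMBERSHIP}" type="..." fs="https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx" /></providers></membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"><providers>
    <remove name="AspNetSqlRoleProvider" /><add name="{ROLE}" type="..." /></providers></roleManager>
</system.web></configuration>"""


if __name__ == "__main__":
    # An unreplaced placeholder and the wrong module order are reported; the corrected file passes.
    print(check_extranet_config(extranet_config("fs-server", adfs_module_last=False)))
    print(check_extranet_config(extranet_config("adfsresource.treyresearch.net")))
    print(check_default_zone_config(default_zone_config(set_default=True)))
```

To check a real file, read it into a string and pass it to check_extranet_config or check_default_zone_config in place of the constructed fragments.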

About using Central Administration


You can also use Central Administration policy to grant rights to ADFS users, but it is best not to
use that method for the following reasons:
• Granting rights by policy is a very coarse operation. It allows the user (or group) to have
the same set of rights in every Web site, in every site collection on the whole Web
application. It should be used very judiciously; in this particular scenario, we can grant access
to ADFS users without using this method.
• After the sites are being used in an extranet environment, it is very likely that the internal
users will be responsible for granting access to sites and content. Because only the farm
administrators have access to the Central Administration site, it makes the most sense that
internal users can add ADFS claims from the default zone site that is using Windows
authentication.

• As you extend Web applications by using different providers, you can configure one or
more of them to be able to find users and groups from various providers that you are using on
that Web application. In this scenario, we configured our site that uses Windows
authentication in a way that allows users of that site to select other Windows users, Windows
groups, and ADFS claims, all from one site.

Working with the People Picker


The People Picker cannot perform wildcard searches for searching roles. If you have a Web SSO
Role provider role named Readers, and you type Read in the People Picker search dialog box, it
will not find your claim. If you type Readers, it will. This is not a bug; you just cannot perform
wildcard searching by using the Role provider.
Command-line executable files like stsadm.exe will not be able to resolve the ADFS claims by
default. For example, you might want to add a new user to the extranet site by using the
stsadm.exe –o adduser command. To enable Stsadm (or other executable file) to resolve users,
create a new config file by doing the following:
• Create a new file named stsadm.exe.config in the same directory where stsadm.exe is
located (%programfiles%\Common Files\Microsoft Shared Debug\Web Server
Extensions\12\BIN). Add the following entry in the stsadm.exe.config file:
<configuration>
<system.web>
<membership defaultProvider="SingleSignOnMembershipProvider2">
<providers>
<add name="SingleSignOnMembershipProvider2"
type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvide
r2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fs-
server/adfs/fs/federationserverservice.asmx" />
</providers>
</membership>

<roleManager enabled="true"
defaultProvider="SingleSignOnRoleProvider2">
<providers>
<add name="SingleSignOnRoleProvider2"
type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,
System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fs-
server/adfs/fs/federationserverservice.asmx" />
</providers>
</roleManager>

</system.web>
</configuration>

Note:
Change the value of fs-server to your resource Federation Server
(adfsresource.treyresearch.net).

Working with E-mail and UPN claims


To configure whether or not the Federation Server is enabled to send e-mail or UPN claims to
Office SharePoint Server 2007, perform the following procedure.

1. From Administrative Tools on your Federation Server, open the ADFS snap-in.

Note:
You can also open the ADFS snap-in by typing ADFS.MSC in the Run dialog
box.
2. Select your Office SharePoint Server 2007 application node (your application should
already be added to the list of nodes).
3. In the claims list on the right, right-click E-mail, and select Enable or Disable.
4. In the claims list on the right, right-click UPN, and select Enable or Disable.

Note:
If both UPN and E-mail are enabled, Office SharePoint Server 2007 will use UPN
to perform user claim verification. Therefore, when configuring the Office
SharePoint Server 2007, be careful about which user claim you enter. Also note
that the UPN claim will only work consistently if the UPN suffixes and the e-mail
suffixes that are accepted by the Federation Server are identical. This is because
the membership provider is e-mail based. Because of this complexity in
configuring UPN claims, e-mail is the recommended user claim setting for
membership authentication.

Working with groups and organizational group claims
In Office SharePoint Server 2007, rights can be assigned to Active Directory groups by adding
them to a SharePoint group or directly to a permission level. The level of permissions a given
user has on a site is calculated based on the Active Directory groups the user is a member of, the
SharePoint groups the user belongs to, and any permission levels that the user has been directly
added to.
When you use ADFS as a role provider in Office SharePoint Server 2007, the process is different.
There is no way for the Web SSO provider to directly resolve an Active Directory group; instead, it
resolves groups by using organizational group claims. When you use ADFS with Office
SharePoint Server 2007, you must create a set of organizational group claims in ADFS. You can
then associate multiple Active Directory groups with an ADFS organizational group claim.
For group claims to work with the latest version of ADFS, you need to edit the web.config file for
the ADFS application in IIS on your ADFS server.
Open the web.config file and add <getGroupClaims /> to the
<FederationServerConfiguration> node inside the <System.Web> node, as shown in the
following example.
<configuration>
<system.web>
<FederationServerConfiguration>
<getGroupClaims />
</FederationServerConfiguration>
</system.web>
</configuration>
In the Adatum (Account Forest), do the following:
1. Create an Active Directory group named Trey SharePoint Readers.
2. Create an Active Directory group named Trey SharePoint Contributors.
3. Add Alansh to the Readers group and Adamcar to the Contributors group.
4. Create an organizational group claim named Trey SharePoint Readers.
5. Create an organizational group claim named Trey SharePoint Contributors.
6. Right-click the Active Directory account store, and then click New Group Claim
Extraction.
a. Select the Trey SharePoint Readers organizational group claim, and then associate it
with the Trey SharePoint Readers Active Directory group.
b. Repeat step 6, and then associate the Trey SharePoint Contributors organizational
group claim with the Trey SharePoint Contributors Active Directory group.
7. Right-click the Trey Research Account Partner, and then create the outgoing claim
mappings:
a. Select the Trey SharePoint Reader claim, and then map to outgoing claim adatum-
trey-readers.
b. Select the Trey SharePoint Contributor claim, and then map to outgoing claim
adatum-trey-contributors.

Note:
The claim mapping names must be agreed on between the organizations, and they must
match exactly.

On the Trey Research side, start ADFS.MSC, and then do the following:
1. Create an organizational group claim named Adatum SharePoint Readers.
2. Create an organizational group claim named Adatum SharePoint Contributors.
3. Create incoming group mappings for your claims:
a. Right-click the Adatum account partner, and then click Incoming Group Claim
Mapping.
b. Select Adatum SharePoint Readers, and then map it to the incoming claim name
adatum-trey-readers.
c. Select Adatum SharePoint Contributors, and then map it to the incoming claim name
adatum-trey-contributors.
4. Right-click the Office SharePoint Server 2007 Web application, and then click Enable on
both the Reader and Contributor claims.
Browse to the http://trey-moss site on the Trey Research side as the site administrator, and then
do the following:
1. Click the Site Actions menu, point to Site Settings, and then click People and Groups.
2. If it is not already selected, click the Members group for your site.
3. Click New, and then click Add Users on the toolbar.
4. Click the address book icon next to the Users/Groups box.
5. In the Find box in the People Picker dialog box, type
Adatum SharePoint Readers
In the Give Permission section, select SharePoint group homeVisitors [Readers].
6. In the Find box, type
Adatum SharePoint Contributors
In the Give Permission section, select SharePoint group homeMembers [Contribute].

Configure Kerberos authentication
In this section:
• About Kerberos authentication
• Before you begin
• Configure Kerberos authentication for SQL communications
• Configure Internet Explorer to include port numbers in Service Principal Names
• Create Service Principal Names for your Web applications using Kerberos
authentication
• Deploy the server farm
• Configure services on servers in your farm
• Create Web applications using Kerberos authentication
• Create a site collection using the Collaboration Portal template in the portal site Web
application
• Create a Shared Services Provider for your farm
• Confirm successful access to the Web applications using Kerberos authentication
• Confirm correct Search Indexing functionality
• Confirm correct Search Query functionality
• Configure your SSP infrastructure for Kerberos authentication
• Register new custom-format SPNs for your SSP service account in Active Directory
• Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos
authentication
• Add a new registry key to all of your servers running Office SharePoint Server to enable
generation of the new custom-format SPNs
• Confirm Kerberos authentication for root-level shared services access
• Confirm Kerberos authentication for virtual-directory-level shared services access
• Configuration limitations
• Additional resources and troubleshooting guidance

About Kerberos authentication


Kerberos is a secure protocol that supports ticketing authentication. A Kerberos authentication
server grants a ticket in response to a client computer authentication request, if the request
contains valid user credentials and a valid Service Principal Name (SPN). The client computer
then uses the ticket to access network resources. To enable Kerberos authentication, the client
and server computers must have a trusted connection to the domain Key Distribution Center
(KDC). The KDC distributes shared secret keys to enable encryption. The client and server
computers must also be able to access Active Directory directory services. For Active Directory,
the forest root domain is the center of Kerberos authentication referrals.
To deploy a server farm running Microsoft Office SharePoint Server 2007 using Kerberos
authentication, you must install and configure a variety of applications on your computers. This
section describes an example server farm running Office SharePoint Server 2007 and provides
guidance for deploying and configuring the farm to use Kerberos authentication to support the
following functionality:
• Communication between Office SharePoint Server 2007 and Microsoft SQL Server
database software.
• Access to the SharePoint Central Administration Web application.
• Access to other Web applications, including a portal site Web application, a My Site Web
application, and an SSP Administration site Web application.
• Access to the shared services for the Office SharePoint Server 2007 Web applications in
the Office SharePoint Server 2007 Shared Services Provider (SSP) infrastructure.

Before you begin


This section is intended for administrative-level personnel who have an understanding of the
following:
• Windows Server 2003
• Active Directory
• Internet Information Services (IIS) 6.0 (or IIS 7.0)
• Windows SharePoint Services 3.0
• Office SharePoint Server 2007
• Windows Internet Explorer
• Kerberos authentication, as implemented in Active Directory for Windows Server 2003
• Network Load Balancing (NLB) in Windows Server 2003
• Computer accounts in an Active Directory domain
• User accounts in an Active Directory domain
• IIS Web sites and their bindings and authentication settings
• IIS application pool identities for IIS Web sites
• The SharePoint Products and Technologies Configuration Wizard
• Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Web applications
• Central Administration pages
• Service principal names (SPNs) and how to configure them in an Active Directory domain

Important:
To create SPNs in an Active Directory domain, you must have domain administrative-
level permissions.

Kerberos authentication for the SSP infrastructure in Office SharePoint Server 2007 requires the
installation of the Infrastructure Update for Microsoft Office Servers.

Note:
An SSP is a logical grouping of a common set of services and service data that can be
provided to Web applications and their associated Web sites. An SSP infrastructure
enables the sharing of services across server farms, Web applications, and site
collections. The Office Server Web Services Web site is the SSP infrastructure. The SSP
infrastructure exists on any server running Office SharePoint Server 2007 that is
deployed using the Complete installation option. Kerberos authentication does not work
with the Office Server Web Services Web site unless the Infrastructure Update for
Microsoft Office Servers is installed.
This section does not provide an in-depth examination of Kerberos authentication. Kerberos is an
industry-standard authentication method that is implemented in Active Directory.
This section does not provide detailed, step-by-step instructions for installing Office SharePoint
Server 2007 or using the SharePoint Products and Technologies Configuration Wizard.
This section does not provide detailed, step-by-step instructions for using Central Administration
to create Office SharePoint Server 2007 Web applications.

Software version requirements


The guidance provided in this section, and the testing performed to confirm this guidance, are
based on results using systems running Windows Server 2003 and Internet Explorer with the
latest updates applied from the Windows Update site (http://go.microsoft.com/fwlink/?
LinkID=101614&clcid=0x409). The following software versions were installed:
• Windows Server 2003 Service Pack 2 (SP2) with the latest updates from the Windows
Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409)
• Windows Internet Explorer 7, version 7.0.5730.11
• The released version of Office SharePoint Server 2007
You should also make sure that your Active Directory domain controllers are running Windows
Server 2003 SP2 with the latest updates applied from the Windows Update site
(http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409).

Known issues
Kerberos authentication cannot be configured to work with the SSP infrastructure in Office
SharePoint Server 2007 unless the Infrastructure Update for Microsoft Office Servers is installed.
Therefore, if you do not have the Infrastructure Update for Microsoft Office Servers installed,
disregard the guidance in this section for configuring Kerberos authentication for the SSP
infrastructure.
Office SharePoint Server 2007 Search can crawl Web applications configured to use Kerberos
authentication if those Web applications are hosted on IIS virtual servers that are bound to the
default ports (TCP port 80 and Secure Sockets Layer (SSL) port 443). It cannot crawl Office
SharePoint Server 2007 Web applications configured to use Kerberos authentication if the Web
applications are hosted on IIS virtual servers bound to non-default ports (any port other than TCP
port 80 and SSL port 443), because the .NET Framework client used by the crawler does not
include the port number in the SPN it constructs (see Additional background, later in this section).
Currently, Office SharePoint Server 2007 Search can only crawl Web applications hosted on IIS
virtual servers bound to non-default ports if those virtual servers are configured to use either
NTLM authentication or Basic authentication.
If end users must reach Web applications over Kerberos authentication on IIS virtual servers that
are bound to non-default ports, and you want those users to get search query results, then:
• Extend the same Web applications to additional IIS virtual servers (additional zones) on
non-default ports.
• Configure those additional IIS virtual servers to use either NTLM or Basic authentication.
• Point Search Indexing at the NTLM or Basic URLs, so that it crawls the Web applications
using NTLM or Basic authentication.
This section provides guidance for:
• Configuring the Central Administration Web application using Kerberos authentication
hosted on an IIS virtual server bound to non-default ports.
• Configuring portal and My Site applications, and shared services using Kerberos
authentication hosted on IIS virtual servers bound to default ports and with an IIS host header
binding.
• Ensuring that Search Indexing successfully crawls Office SharePoint Server 2007 Web
applications using Kerberos authentication.
• Ensuring that users accessing Kerberos-authenticated Web applications can successfully
get search query results for those Web applications.
• Configuring Kerberos authentication for the SSP infrastructure (if the Infrastructure
Update for Microsoft Office Servers is installed).

Additional background
It is important to understand that when you use Kerberos authentication, whether authentication
succeeds depends in part on the behavior of the client that is attempting to authenticate using
Kerberos, and specifically on the SPN that the client constructs. In an Office SharePoint Server
2007 farm deployment using Kerberos authentication, Office SharePoint Server 2007 itself is not
the client. Before you deploy a server farm running Office SharePoint Server 2007 using Kerberos
authentication, you must understand the behavior of the following clients:
• The browser (in the context of this section, the browser is always Windows Internet
Explorer).
• The Microsoft .NET Framework.
The browser is the client used when browsing to a Web page in an Office SharePoint Server
2007 Web application. When Office SharePoint Server 2007 performs tasks such as crawling the
local Office SharePoint Server 2007 content sources or making calls to the SSP infrastructure,
the .NET Framework is functioning as the client.

For Kerberos authentication to work correctly, you must create SPNs in Active Directory. If the
services to which these SPNs correspond are listening on non-default ports, the SPNs must
include the port numbers. This keeps the SPNs meaningful (an SPN without a port does not say
which of several HTTP services on the same host is intended), and it prevents the creation of
duplicate SPNs: if the same SPN ends up registered on more than one account, the key
distribution center cannot determine which account's key to use, and Kerberos authentication to
that service fails.
When a client (Internet Explorer or the .NET Framework) attempts to access a resource using
Kerberos authentication, the client must construct an SPN to be used as part of the Kerberos
authentication process. If the client does not construct an SPN that matches the SPN that is
configured in Active Directory, Kerberos authentication will fail, usually with an “access denied”
error.
There are versions of Internet Explorer that do not construct SPNs with port numbers. If you are
using Office SharePoint Server 2007 Web applications that are bound to non-default port
numbers in IIS, you might have to direct Internet Explorer to include port numbers in the SPNs
that it constructs. In a farm running Office SharePoint Server 2007, the Central Administration
Web application is hosted, by default, in an IIS virtual server that is bound to a non-default port.
Therefore, this section addresses both IIS port-bound and IIS host-header-bound Web sites, and
it provides a link to instructions for directing Internet Explorer to include port numbers in SPNs.
In a farm running Office SharePoint Server 2007, by default the .NET Framework does not
construct SPNs that contain port numbers. This is the reason why Search cannot crawl Web
applications using Kerberos authentication if those Web applications are hosted on IIS virtual
servers that are bound to non-default ports. It is also the reason why Kerberos authentication
cannot be correctly configured and made to work for the SSP infrastructure unless the
Infrastructure Update for Microsoft Office Servers is installed.

Server farm topology


This section targets the following Office SharePoint Server 2007 server farm topology:
• Two computers running Windows Server 2003 that are acting as front-end Web servers,
with Windows NLB configured.
• Three computers running Windows Server 2003 that are acting as application servers.
One of the application servers hosts the Central Administration Web application. The second
application server is running Search Query, and the third application server is running Search
Indexing.
• One computer running Windows Server 2003 that is used as the SQL host for the farm
running Office SharePoint Server 2007. For the scenario described in this section, you can
use either Microsoft SQL Server 2000 SP4 or Microsoft SQL Server 2005 SP2.
This section provides guidance for configuring one SSP in the farm.

Active Directory, computer naming, and NLB conventions
The scenario described in this section uses the following Active Directory, computer-naming, and
NLB conventions:

Server role                                                  Domain name

Active Directory                                             mydomain.net

Front-end Web server running Office SharePoint Server 2007   mossfe1.mydomain.net

Front-end Web server running Office SharePoint Server 2007   mossfe2.mydomain.net

Office SharePoint Server 2007 Central Administration         mossadmin.mydomain.net

Office SharePoint Server 2007 Search Indexing                mosscrawl.mydomain.net

Office SharePoint Server 2007 Search Query                   mossquery.mydomain.net

SQL Server host for the Office SharePoint Server 2007 farm   mosssql.mydomain.net

An NLB virtual IP address (VIP) is assigned to mossfe1.mydomain.net and mossfe2.mydomain.net
as a result of configuring NLB on these systems. A set of DNS host names that point to this
address is registered in your DNS system. For example, if your NLB VIP is 192.168.100.200, you
have a set of DNS records that resolve the following DNS names to this IP address
(192.168.100.200):
• kerbportal.mydomain.net
• kerbmysite.mydomain.net
• kerbsspadmin.mydomain.net

Active Directory domain account conventions
The example in this section uses the naming conventions listed in the following table for service
accounts and application pool identities used in the farm running Office SharePoint Server 2007.

Domain account or application pool identity                          Name

Local administrator account on all servers running Office            mydomain\pscexec
SharePoint Server 2007 (but not on the SQL Server host
computer); also the account used to run Office SharePoint
Server 2007 setup and the SharePoint Products and
Technologies Configuration Wizard (the run-as user)

Local administrator account on the SQL Server host computer          mydomain\sqladmin

SQL Server service account used to run the SQL Server service        mydomain\mosssqlsvc
on the SQL host

Office SharePoint Server 2007 farm administrator account. This        mydomain\mossfarmadmin
is used as the application pool identity for Central
Administration and as the service account for the SharePoint
Timer Service.

Office SharePoint Server 2007 application pool identity for the      mydomain\portalpool
portal site Web application

Office SharePoint Server 2007 application pool identity for the      mydomain\mysitepool
My Site Web application

Office SharePoint Server 2007 application pool identity for the      mydomain\sspadminpool
Shared Services Administration Web site

Office SharePoint Server 2007 SSP service account                    mydomain\sspsvc

Windows SharePoint Services 3.0 search service account               mydomain\wsssearch

Windows SharePoint Services 3.0 search content access account        mydomain\wsscrawl

Office SharePoint Server 2007 search service account                 mydomain\mosssearch

Office SharePoint Server 2007 content access account                 mydomain\mosscrawl

Preliminary configuration requirements


Before you install Office SharePoint Server 2007 on the computers in your server farm, make
sure you have performed the following procedures:
• All servers used in the farm, including the SQL host, are set up with Windows Server
2003 SP2, including the latest updates applied from the Windows Update site
(http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409).
• All servers in the farm have Internet Explorer 7 (and the latest updates for it) installed
from the Windows Update site (http://go.microsoft.com/fwlink/?LinkID=101614&clcid=0x409).
• SQL Server (either SQL Server 2000 SP4 or SQL Server 2005 SP2) is installed and
running on the SQL host computer, and the SQL Server service is running as the domain
account mydomain\mosssqlsvc (the account for which the MSSQLSvc SPNs are created
below). A default instance of SQL Server is installed and is listening on TCP port 1433.
• The SharePoint Products and Technologies Configuration Wizard run-as user
(mydomain\pscexec) has been added:
• As a SQL Server login on your SQL host.
• To the dbcreator (Database Creators) fixed server role on your SQL host.
• To the securityadmin (Security Administrators) fixed server role on your SQL host.

Configure Kerberos authentication for SQL communications

Configure Kerberos authentication for SQL communications before installing and configuring
Office SharePoint Server 2007 on your servers running Office SharePoint Server 2007. This is
necessary because Kerberos authentication for SQL communications has to be configured, and
confirmed to be working, before your computers running Office SharePoint Server 2007 can
connect to your SQL Server.
The process of configuring Kerberos authentication for any service installed on a host computer
running Windows Server 2003 includes creating an SPN for the domain account used to run the
service on the host. An SPN is made up of the following parts:
• A service class (for example, MSSQLSvc or HTTP), followed by a forward slash
• A host name (either real or virtual)
• A port number, separated from the host name by a colon. The port is optional for a service
on its default port, but it is required when the service listens on a non-default port, and the
MSSQLSvc SPNs used in this section always include it.

The following list contains the SPNs for a default instance of SQL Server running on a computer
named mosssql in the domain mydomain.net and listening on port 1433:
• MSSQLSvc/mosssql:1433
• MSSQLSvc/mosssql.mydomain.net:1433
These are the SPNs that you will create for the instance of SQL Server on the SQL host that will
be used by the farm described in this section. You should always create SPNs for both the
NetBIOS name and the fully qualified DNS name of a host on your network, because a client
constructs its SPN from whichever name it used to connect.
There are different methods that you can use to set an SPN for an account in an Active Directory
domain. One method is to use the SETSPN.EXE utility that is part of the resource kit tools for
Windows Server 2003. Another method is to use the ADSIEDIT.MSC snap-in on your Active
Directory domain controller. This section addresses using the ADSIEDIT.MSC snap-in.
There are two core steps for configuring Kerberos authentication for SQL Server:
• Create SPNs for your SQL Server service account.
• Confirm Kerberos authentication is used to connect servers running Office SharePoint
Server 2007 to servers running SQL Server.

Create the SPNs for your SQL Server service account


1. Log on to your Active Directory domain controller using the credentials of a user that has
domain administrative permissions.
2. In the Run dialog box, type ADSIEDIT.MSC.
3. In the management console dialog box, expand the domain container folder.
4. Expand the container folder containing user accounts, for example CN=Users.
5. Locate the object for the SQL Server service account, for example CN=mosssqlsvc.
6. Right-click this account, and then click Properties.
7. Scroll down the list of properties in the SQL Server service account dialog box until you
find servicePrincipalName.
8. Select the servicePrincipalName property and click Edit.
9. In the Value to Add field, in the Multi-Valued String Editor dialog box, type the SPN
MSSQLSvc/mosssql:1433 and click Add. Next, type the SPN
MSSQLSvc/mosssql.mydomain.net:1433 in this field and click Add.
10. Click OK on the Multi-Valued String Editor dialog box, and then click OK on the
properties dialog box for the SQL Server service account.

Confirm Kerberos authentication is used to connect servers running Office SharePoint Server 2007 to SQL Server

Install the SQL Client Tools on one of your servers running Office SharePoint Server 2007, and
use the tools to connect from that server to your SQL Server. This section does not address the
steps for installing the SQL Client Tools. The confirmation procedures are based on the following
assumptions:
• You are using SQL Server 2005 SP2 on your SQL host.
• You have logged on to one of your servers running Office SharePoint Server 2007 using
the account mydomain\pscexec, and have installed the SQL Server 2005 Client Tools on that
server.
1. Run the SQL Server 2005 Management Studio.
2. When the Connect to Server dialog box appears, type the name of the SQL host
computer (in this example, the SQL host computer is mosssql), and click Connect to connect
to the SQL host computer.
3. To confirm that Kerberos authentication was used for this connection, run the event
viewer on the SQL host computer and examine the Security event log. You should see a
Success Audit record for a Logon/Logoff category event that is similar to the data shown in
the following tables:

Event Type:              Success Audit
Event Source:            Security
Event Category:          Logon/Logoff
Event ID:                540
Date:                    10/31/2007
Time:                    4:12:24 PM
User:                    MYDOMAIN\pscexec
Computer:                MOSSSQL
Description:             (see the following table)

An example of a successful network logon is depicted in the following table.

User Name:               pscexec
Domain:                  MYDOMAIN
Logon ID:                (0x0,0x6F1AC9)
Logon Type:              3
Logon Process:           Kerberos
Authentication Package:  Kerberos
Workstation Name:
Logon GUID:              {36d6fbe0-2cb8-916c-4fee-4b02b0d3f0fb}
Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address:  192.168.100.100
Source Port:             2465

Examine the log entry to confirm that:
1. The user name is correct. The mydomain\pscexec account logged on over the network to
the SQL host.
2. The logon type is 3. A type 3 logon is a network logon.
3. The logon process and the authentication package are both Kerberos. This confirms that
your server running Office SharePoint Server 2007 is using Kerberos authentication to
communicate with the SQL host. If these fields show NtLmSsp and NTLM instead, the
connection succeeded but fell back to NTLM, and the SPN configuration must be corrected
before you continue.
4. The Source Network Address matches the IP address of the computer from which the
connection was made.
On SQL Server 2005 you can also confirm the scheme from the SQL side: the auth_scheme
column of the sys.dm_exec_connections dynamic management view reports KERBEROS or
NTLM for each connection.
If your connection to the SQL host fails with an error message similar to Cannot generate SSPI
context, it is likely that there is an issue with the SPN being used for your instance of SQL
Server (typically a missing, mistyped, or duplicate SPN, or an SPN registered on the wrong
account). To troubleshoot and correct this, refer to the article How to troubleshoot the
"Cannot generate SSPI context" error message (http://go.microsoft.com/fwlink/?LinkId=76621)
from the Microsoft Knowledge Base.

Configure Internet Explorer to include port numbers in Service Principal Names

Many versions of Internet Explorer do not include port numbers in the SPNs that they construct.
To determine whether you are using a version of Internet Explorer that has this problem, and for
the steps necessary to correct it, refer to the article Internet Explorer 6 cannot use the Kerberos
authentication protocol to connect to a Web site that uses a non-standard port in Windows XP
and in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=99681) from the Microsoft
Knowledge Base. Compare the version number of the DLL referenced in that article with the
version installed on your computers very carefully to determine whether the version of Internet
Explorer that you are using requires the fix. If your version of Internet Explorer does not construct
SPNs with port numbers, and you are using Office SharePoint Server 2007 Web applications
hosted on IIS virtual servers bound to non-default ports, you must apply this fix to be able to
reach those Web applications with that version of Internet Explorer. Within the context of this
section, you must ensure that the version of Internet Explorer you are using includes port
numbers in the SPNs that it constructs, because the SPN that you add to Active Directory for the
Central Administration Web application contains a port number.

Create Service Principal Names for your Web
applications using Kerberos authentication
As far as Kerberos authentication is concerned, there is nothing special about IIS-based Office
SharePoint Server 2007 Web applications—Kerberos authentication treats them as just another
IIS Web site.
This process requires knowledge of the following items:
• The Service Class for the SPN (in the context of this section, for Office SharePoint Server
2007 Web applications, this is always HTTP).
• The URL for all of your Office SharePoint Server 2007 Web applications using Kerberos
authentication.
• The host name portion of the SPN (either real or virtual; this section addresses both).
• The port number portion of the SPN (in the scenario described in this section, both IIS
port-based and IIS host-header-based Office SharePoint Server 2007 Web applications are
used).
• The Windows Active Directory accounts for which your SPNs must be created.
The following table lists the information for the scenario described in this section:

URL                                          Active Directory account   SPN

http://mossadmin.mydomain.net:10000          mossfarmadmin              HTTP/mossadmin.mydomain.net:10000
                                                                        HTTP/mossadmin:10000

http://kerbportal.mydomain.net               portalpool                 HTTP/kerbportal.mydomain.net
                                                                        HTTP/kerbportal

http://kerbmysite.mydomain.net               mysitepool                 HTTP/kerbmysite.mydomain.net
                                                                        HTTP/kerbmysite

http://kerbsspadmin.mydomain.net/ssp/admin   sspadminpool               HTTP/kerbsspadmin.mydomain.net
                                                                        HTTP/kerbsspadmin

Notes for this table:
• The first URL listed above is for Central Administration, and uses a port number. You do
not have to use port 10000. This is just an example used for consistency throughout this
section.
• The next three URLs are for the portal site, My Site, and Shared Services Administration
site, respectively.

Use the guidance provided above to create the SPNs you need in Active Directory to support
Kerberos authentication for your Office SharePoint Server 2007 Web applications. You need to
log on to a domain controller in your environment using an account that has domain
administrative permissions. To create the SPNs, you can use either the SETSPN.EXE utility
mentioned previously, or you can use the ADSIEDIT.MSC snap-in mentioned previously. If using
the ADSIEDIT.MSC snap-in, please refer to the instructions provided earlier in this section for
creating the SPNs. Be sure to create the correct SPNs for the correct accounts in Active
Directory.
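Deriving the SPN list by hand from the table above, and from the SQL Server SPNs earlier in this section, is where mistakes creep in: a forgotten NetBIOS form, a port left off a non-default-port URL, or the same SPN ending up on two accounts. The Python script below is an added example and is not part of this Microsoft document or of Office SharePoint Server. It encodes the SPN rules this section states, builds the SPN set for the example farm, reports any SPN registered on more than one account, emits the corresponding SETSPN.EXE commands (setspn -A SPN account), and, using a simplified model of the client behavior described under Additional background, predicts whether Internet Explorer with the port fix, Internet Explorer without it, and the .NET Framework would construct an SPN that matches. The client model is an assumption drawn from the section's description, not the clients' actual code.

```python
"""Plan and sanity-check the SPNs for the example Kerberos farm.

Added example, not part of the Office SharePoint Server documentation.
Rules encoded here are the ones this section states:
  - HTTP service class for Web applications, MSSQLSvc for SQL Server;
  - one SPN for the FQDN and one for the NetBIOS name;
  - a port suffix only when the service listens on a non-default port
    (the MSSQLSvc SPNs always carry the port);
  - an SPN must belong to exactly one Active Directory account.
The client model is a simplification of the behaviour the section
describes (an assumption), not the real Internet Explorer or .NET code.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_and_port(url):
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme], parts.scheme


def spns_for_web_app(url):
    """HTTP SPNs (FQDN form first, then NetBIOS form) for a Web application URL."""
    host, port, scheme = _host_and_port(url)
    suffix = "" if port == DEFAULT_PORTS[scheme] else f":{port}"
    netbios = host.split(".")[0]
    return [f"HTTP/{host}{suffix}", f"HTTP/{netbios}{suffix}"]


def spns_for_sql(host, port=1433):
    """MSSQLSvc SPNs for a default SQL Server instance on the given host."""
    netbios = host.split(".")[0]
    return [f"MSSQLSvc/{host}:{port}", f"MSSQLSvc/{netbios}:{port}"]


def client_spn(url, client):
    """SPN a client would build for url (model of the behaviour described above).

    'ie_port_fix': Internet Explorer with the KB fix (port added for non-default ports)
    'ie':          Internet Explorer without the fix (port never added)
    'dotnet':      the .NET Framework (port never added); used by Search crawling
                   and by calls into the SSP infrastructure
    """
    host, port, scheme = _host_and_port(url)
    if client == "ie_port_fix" and port != DEFAULT_PORTS[scheme]:
        return f"HTTP/{host}:{port}"
    return f"HTTP/{host}"


def find_duplicates(registrations):
    """{spn: [accounts]} for every SPN registered on more than one account.

    A duplicate leaves the KDC unable to choose the service account's key,
    so Kerberos fails for that service even though the SPN 'exists'.
    """
    owners = {}
    for account, spns in registrations.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


def kerberos_would_succeed(url, client, registrations):
    """True when the SPN the client builds is registered on exactly one account."""
    wanted = client_spn(url, client).lower()
    owners = [a for a, spns in registrations.items()
              if wanted in (s.lower() for s in spns)]
    return len(owners) == 1


def setspn_commands(registrations):
    """SETSPN.EXE commands (setspn -A SPN account) that register everything."""
    return [f"setspn -A {spn} {account}"
            for account, spns in registrations.items() for spn in spns]


# The example farm from this section: URLs and accounts as in the SPN table.
FARM_SPNS = {
    r"mydomain\mossfarmadmin": spns_for_web_app("http://mossadmin.mydomain.net:10000"),
    r"mydomain\portalpool": spns_for_web_app("http://kerbportal.mydomain.net"),
    r"mydomain\mysitepool": spns_for_web_app("http://kerbmysite.mydomain.net"),
    r"mydomain\sspadminpool": spns_for_web_app("http://kerbsspadmin.mydomain.net/ssp/admin"),
    r"mydomain\mosssqlsvc": spns_for_sql("mosssql.mydomain.net"),
}

if __name__ == "__main__":
    for cmd in setspn_commands(FARM_SPNS):
        print(cmd)
    print("duplicates:", find_duplicates(FARM_SPNS) or "none")
    ca = "http://mossadmin.mydomain.net:10000"
    for client in ("ie_port_fix", "ie", "dotnet"):
        ok = kerberos_would_succeed(ca, client, FARM_SPNS)
        print(f"{client:12} -> {client_spn(ca, client):36} {'OK' if ok else 'FAIL'}")
```

Run the script to print the setspn commands and the per-client prediction for the Central Administration URL; the .NET Framework row fails, which is exactly why Search cannot crawl a Kerberos-authenticated Web application on a non-default port. After registering the SPNs, setspn -L followed by each account name shows what Active Directory actually holds, and feeding that list back into find_duplicates catches a second registration before a user sees an access-denied error.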

Deploy the server farm


Deploying the server farm includes the following steps:
1. Set up Office SharePoint Server 2007 on all of your servers running Office SharePoint
Server 2007.
2. Run the SharePoint Products and Technologies Configuration Wizard and create a new
farm. This step includes creating an Office SharePoint Server 2007 Central Administration
Web application that will be hosted on an IIS virtual server bound to a non-default port and
use Kerberos authentication.
3. Run the SharePoint Products and Technologies Configuration Wizard and join the other
servers to the farm.
4. Configure Services on Servers in your farm for:
• Windows SharePoint Services 3.0 Search service
• Office SharePoint Server 2007 Search Indexing
• Office SharePoint Server 2007 Search Query
5. Create Web applications that are used for the portal site, My Site, and the Shared
Services Administration site using Kerberos authentication.
6. Create a site collection using the Collaboration Portal template in the portal site Web
application.
7. Create a Shared Services Provider for your farm.
8. Confirm successful access to the Web applications using Kerberos authentication.
9. Confirm correct Search Indexing functionality.
10. Confirm correct Search Query functionality.
11. Configure your SSP infrastructure for Kerberos authentication. This is an optional step
that requires the installation of the Infrastructure Update for Microsoft Office Servers.
12. Confirm SSP functionality using Kerberos authentication. This is an optional step that
requires the installation of the Infrastructure Update for Microsoft Office Servers.

Install Office SharePoint Server 2007 on all of your servers

This is the straightforward process of running Office SharePoint Server 2007 setup to install the
Office SharePoint Server 2007 binaries on your servers running Office SharePoint Server 2007.
Log on to each of your computers running Office SharePoint Server 2007 using the account
mydomain\pscexec. No step-by-step instructions are provided for this. For the scenario described
in this section, do a Complete installation of Office SharePoint Server 2007 on all servers that
require Office SharePoint Server 2007 (mossfe1, mossfe2, mossadmin, mosscrawl, and
mossquery).

Run the SharePoint Products and Technologies Configuration Wizard and create a new farm

For the scenario described in this section, run the SharePoint Products and Technologies
Configuration Wizard on the server named MOSSADMIN first, so that MOSSADMIN hosts the
Office SharePoint Server 2007 Central Administration Web application. (Search Indexing runs on
MOSSCRAWL, which joins the farm later.)
On MOSSADMIN, when setup completes, a Setup Complete dialog box appears with a check box
selected to run the SharePoint Products and Technologies Configuration Wizard. Leave this check
box selected and close the setup dialog box to run the SharePoint Products and Technologies
Configuration Wizard.
When running the SharePoint Products and Technologies Configuration Wizard on this computer,
direct the Wizard to create a new farm using the following settings:
• Provide the database server name (in this section, it is the server named MOSSSQL).
• Provide a configuration database name (you can use the default, or stipulate a name of
your choice).
• Provide the database access (farm administrator) account information. Using the
scenario in this section, that account is mydomain\mossfarmadmin.
• Provide the information required for the Office SharePoint Server 2007 Central
Administration Web application. Using the scenario in this section, that information is:
• Central Administration Web application port number: 10000
• Authentication Method: Negotiate
When you have provided all the required information, the SharePoint Products and Technologies
Configuration Wizard should finish successfully. If it completes successfully, confirm that you can
access the Office SharePoint Server 2007 Central Administration Web application home page
using Kerberos authentication. To do this, perform the following steps:
1. Log on to a different server running Office SharePoint Server 2007 or another computer
in the domain mydomain as mydomain\pscexec. You should not verify correct Kerberos
authentication behavior directly on the computer hosting the Office SharePoint Server 2007
Central Administration Web application. This should be done from a separate computer in the
domain.
2. Start Internet Explorer on this server and attempt to go to the following URL:
http://mossadmin.mydomain.net:10000. The home page of Central Administration should
render.

3. To confirm that Kerberos authentication was used to access Central Administration,
go back to the computer named MOSSADMIN and run the event viewer and look in the
security log. You should see a Success Audit record that looks similar to the following
table:

Event Type:              Success Audit
Event Source:            Security
Event Category:          Logon/Logoff
Event ID:                540
Date:                    11/1/2007
Time:                    2:22:20 PM
User:                    MYDOMAIN\pscexec
Computer:                MOSSADMIN
Description:             (see the following table)

An example of a successful network logon is depicted in the following table.

User Name:               pscexec
Domain:                  MYDOMAIN
Logon ID:                (0x0,0x1D339D3)
Logon Type:              3
Logon Process:           Kerberos
Authentication Package:  Kerberos
Workstation Name:
Logon GUID:              {fad7cb69-21f8-171b-851b-3e0dbf1bdc79}
Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address:  192.168.100.100
Source Port:             2505

Examination of this log record shows the same type of information as in the previous log entry:
• Confirm that the user name is correct; it is the mydomain\pscexec account that logged on
over the network to the server running Office SharePoint Server 2007 that is hosting Central
Administration.
• Confirm that the logon type is 3; a logon type 3 is a network logon.
• Confirm that the logon process and authentication package both use Kerberos
authentication. This confirms that Kerberos authentication is being used to access your
Central Administration Web application.
• Confirm that the Source Network Address matches the IP address of the computer from
which the connection was made.
If the Central Administration home page fails to render and instead an unauthorized error
message is displayed, Kerberos authentication is failing. There are usually only two causes for
this failure:
• The SPN in Active Directory was not registered for the correct account. It should have
been registered for mydomain\mossfarmadmin, the application pool identity for Central
Administration, and for no other account (a duplicate registration fails in the same way).
• The SPN in Active Directory does not match the SPN being constructed by Internet
Explorer or is otherwise invalid. The most common cause of this is that Internet Explorer is
not constructing an SPN containing the correct port number. See the previous section titled
Configure Internet Explorer to include port numbers in Service Principal Names to correct this
problem. You also might have omitted the port number from the SPN that you registered in
Active Directory. Either way, correct the problem and confirm that Central Administration is
working using Kerberos authentication before proceeding.

Note:
A diagnostic aid you could use to see what is going on over the network is a network
sniffer, such as Microsoft Network Monitor, to take a trace during browsing to Central
Administration. After the failure, examine the trace and look for KerberosV5 Protocol
packets. Find a packet with an SPN constructed by Internet Explorer. If that SPN does
not contain a port number, you need to apply the fix described in the section titled
Configure Internet Explorer to include port numbers in Service Principal Names. If the
SPN in the trace looks correct, either the SPN in Active Directory is invalid, or it has been
registered for the wrong account.
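The Security log inspections for the SQL host and for Central Administration reduce to the same field comparisons, and the failure they are meant to catch is quiet: a client that could not use Kerberos and fell back to NTLM also logs a Success Audit event 540. The Python script below is an added example, not code from this document. It parses the field layout the tables in this section use and applies the checks to two constructed event descriptions: one Kerberos network logon modeled on the example above, and the same logon as Windows Server 2003 records it after an NTLM fallback (Logon Process NtLmSsp, Authentication Package NTLM). Both records are constructed for the example, not captured from a real server.

```python
"""Check Windows Server 2003 Security-log event 540 records for a genuine
Kerberos network logon.

Added example, not part of the Office SharePoint Server documentation.
A Success Audit 540 is also written for an NTLM logon, so a green event
is not enough: Logon Process and Authentication Package must both say
Kerberos, Logon Type must be 3 (network), and the user and source
address must be the ones you expect.
"""
import re

# "Field name: value" lines; the name is letters and spaces, the value may be empty.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_event(text):
    """Turn the 'Name: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_kerberos_logon(text, expected_user, expected_source):
    """Named checks for one event; every value must be True for a valid result."""
    f = parse_event(text)
    return {
        "event_540": f.get("Event ID") == "540",
        "success_audit": f.get("Event Type") == "Success Audit",
        "user_matches": f.get("User Name", "").lower() == expected_user.lower(),
        "network_logon": f.get("Logon Type") == "3",
        "logon_process_kerberos": f.get("Logon Process", "").lower() == "kerberos",
        "auth_package_kerberos": f.get("Authentication Package", "").lower() == "kerberos",
        "source_matches": f.get("Source Network Address") == expected_source,
    }


def is_kerberos_logon(text, expected_user, expected_source):
    return all(check_kerberos_logon(text, expected_user, expected_source).values())


def failed_checks(text, expected_user, expected_source):
    """Names of the checks that did not pass, for a quick diagnosis."""
    results = check_kerberos_logon(text, expected_user, expected_source)
    return [name for name, ok in results.items() if not ok]


# Constructed sample event, laid out like the tables in this section.
KERBEROS_EVENT = """\
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
User: MYDOMAIN\\pscexec
Computer: MOSSSQL
Description:
Successful Network Logon:
User Name: pscexec
Domain: MYDOMAIN
Logon ID: (0x0,0x6F1AC9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {36d6fbe0-2cb8-916c-4fee-4b02b0d3f0fb}
Source Network Address: 192.168.100.100
Source Port: 2465
"""

# Constructed: the same connection after the client fell back to NTLM.
NTLM_EVENT = (
    KERBEROS_EVENT
    .replace("Logon Process: Kerberos", "Logon Process: NtLmSsp")
    .replace("Authentication Package: Kerberos", "Authentication Package: NTLM")
    .replace("Workstation Name:", "Workstation Name: MOSSFE1")
)

if __name__ == "__main__":
    for name, event in (("kerberos", KERBEROS_EVENT), ("ntlm", NTLM_EVENT)):
        bad = failed_checks(event, "pscexec", "192.168.100.100")
        verdict = "Kerberos confirmed" if not bad else "NOT Kerberos: " + ", ".join(bad)
        print(f"{name}: {verdict}")
```

To use it against a real server, export the 540 events from Event Viewer as text and pass each event's text to failed_checks with the account and client address you expect; an empty list is the confirmation this section asks for, and a list naming logon_process_kerberos and auth_package_kerberos means the client reached the server but over NTLM, which is the case to chase before going further.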

Run the SharePoint Products and Technologies Configuration Wizard and join the other servers to the farm

Now that your farm has been created and you can successfully access Central Administration
using Kerberos authentication, you need to run the SharePoint Products and Technologies
Configuration Wizard and join the other servers to the farm.
On each of the other four servers running Office SharePoint Server 2007 (mossfe1, mossfe2,
mossquery, and mosscrawl), Office SharePoint Server 2007 installation should have completed,
and the setup completion dialog box should appear with the SharePoint Products and
Technologies Configuration Wizard check box selected. Leave this check box selected and close
the setup completion dialog box to run the SharePoint Products and Technologies Configuration
Wizard. Perform the procedure to join each of these servers to the farm.
Upon completion of the SharePoint Products and Technologies Configuration Wizard on each
server you add to the farm, verify that each of these servers can render Central Administration,
which is running on the server MOSSADMIN. If any of these servers fails to render Central
Administration, take the appropriate steps to solve the problem before you proceed.

Configure services on servers in your farm


Configure specific Windows SharePoint Services 3.0 and Office SharePoint Server 2007 services
to run on specific servers running Windows SharePoint Services 3.0 and Office SharePoint
Server 2007 in the farm, using the accounts indicated in the following sections.

Note:
This section does not provide an in-depth description of the user interface. Only high-
level instructions are provided. You should be familiar with Central Administration and
how to perform the required steps before you proceed.
Access Central Administration and perform the following steps to configure the services on the
servers indicated, using the accounts indicated.

Windows SharePoint Services Search


On the Services on Server page in Central Administration:
1. Select the server MOSSQUERY.
2. In the list of services that appears, close to the middle of the page, locate the Windows
SharePoint Services 3.0 Search service, and then click Start in the Action column.
3. On the subsequent page, provide the credentials for the Windows SharePoint Services
3.0 search service account and for the Windows SharePoint Services 3.0 Content Access
account. In the scenario in this section, the Windows SharePoint Services 3.0 search service
account is mydomain\wsssearch, and the Windows SharePoint Services 3.0 content access
account is mydomain\wsscrawl. Type the account names and passwords in the appropriate
locations on the page, and then click Start.

Index server
On the Services on Server page in Central Administration:
1. Select the server MOSSCRAWL.
2. In the list of services that appears close to the middle of the page, locate the Office
SharePoint Server 2007 Search service, and then click Start in the Action column.
On the subsequent page, check the Use this server for indexing content check box and then
provide the credentials for the Office SharePoint Server 2007 search service account. In the
scenario in this section, the Office SharePoint Server 2007 search service account is
mydomain\mosssearch. Type the account names and passwords in the appropriate locations on
the page, and then click Start.

Query server
On the Services on Server page in Central Administration:
1. Select the server MOSSQUERY.
2. In the list of services that appears close to the middle of the page, locate the Office
SharePoint Server 2007 Search service, and then click the service name in the Service
column.
On the subsequent page, check the Use this server for serving search queries check box and
click OK.

Create Web applications using Kerberos authentication
In this section, create Web applications that are used for the portal site, a My Site, and the
Shared Services Administration site in your farm.

Note:
This section does not provide an in-depth description of the user interface. Only high-
level instructions are provided. You should be familiar with Central Administration and
how to perform the required steps before you proceed.

Create the portal site Web application


1. On the Application Management page in Central Administration, click Create or extend
Web application.
2. On the subsequent page, click Create a new Web application.
3. On the subsequent page, make sure Create a new IIS Web site is selected.
• In the Description field, type PortalSite.
• In the Port field, type 80.
• In the Host Header field, type kerbportal.mydomain.net.
4. Make sure Negotiate is selected as the authentication provider for this Web application.
5. Create this Web application in the Default zone. Do not modify the zone for this Web
application.
6. Make sure Create new application pool is selected.
• In the Application Pool Name field, type PortalAppPool.
• Make sure Configurable is selected. In the User name field, type the account
mydomain\portalpool.
7. Click OK.
8. Confirm that the Web application is successfully created.

Note:
If you want to use an SSL connection and bind the Web application to port 443, type 443
in the Port field and select Use SSL on the Create New Web Application page. In
addition, you must install an SSL wildcard certificate. When using an IIS host header
binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate.
For more information about SSL host headers in IIS, see Configuring SSL Host Headers
(IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).

Create the My Site Web application


1. On the Application Management page in Central Administration, click Create or extend
Web application.
2. On the subsequent page, click Create a new Web application.
3. On the subsequent page, make sure Create a new IIS Web site is selected.
• In the Description field, type MySite.
• In the Port field, type 80.
• In the Host Header field, type kerbmysite.mydomain.net.
4. Make sure Negotiate is selected as the authentication provider for this Web application.
5. Create this Web application in the Default zone. Do not modify the zone for this Web
application.
6. Make sure Create new application pool is selected.
• In the Application Pool Name field, type MySiteAppPool.
• Make sure Configurable is selected. In the User name field, type the account
mydomain\mysitepool.
7. Click OK.
8. Confirm that the Web application is successfully created.

Note:
If you want to use an SSL connection and bind the Web application to port 443, type 443
in the Port field and select Use SSL on the Create New Web Application page. In
addition, you must install an SSL wildcard certificate. When using an IIS host header
binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate.
For more information about SSL host headers in IIS, see Configuring SSL Host Headers
(IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).

Create the Shared Services Administration site Web application


1. On the Application Management page in Central Administration, click Create or extend
Web application.
2. On the subsequent page, click Create a new Web application.
3. On the subsequent page, make sure Create a new IIS Web site is selected.
• In the Description field, type SSPAdminSite.
• In the Port field, type 80.
• In the Host Header field, type kerbsspadminsite.mydomain.net.
4. Make sure Negotiate is selected as the authentication provider for this Web application.
5. Create this Web application in the Default zone. Do not modify the zone for this Web
application.
6. Make sure Create new application pool is selected.
• In the Application pool name field, type SSPAdminSiteAppPool.
• Make sure Configurable is selected. In the User name field, type the account
mydomain\sspadminpool.
7. Click OK.
8. Confirm that the Web application is successfully created.

Note:
If you want to use an SSL connection and bind the Web application to port 443, type 443
in the Port field and select Use SSL on the Create New Web Application page. In
addition, you must install an SSL wildcard certificate. When using an IIS host header
binding on an IIS Web site configured for SSL, you must use an SSL wildcard certificate.
For more information about SSL host headers in IIS, see Configuring SSL Host Headers
(IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=111285&clcid=0x409).

Create a site collection using the Collaboration Portal template in the portal site Web application
In this section, you create a site collection on the portal site in the Web application that you
created for this purpose.

Note:
This section does not provide an in-depth description of the user interface. Only high-
level instructions are provided. You should be familiar with Central Administration and
how to perform the required steps before you proceed.
1. On the Application Management page in Central Administration, click Create site
collection.
2. On the subsequent page, make sure you select the correct Web application. For the
example in this section, select http://kerbportal.mydomain.net.
3. Provide the title and description you want to use for this site collection.
4. Leave the Web site address unchanged.
5. In the Template Selection section under Select a Template, click the Publishing tab
and select the Collaboration Portal template.
6. In the Primary Site Collection Administrator section, type mydomain\pscexec.
7. Specify the Secondary Site Collection Administrator you want to use.
8. Click OK.
9. Confirm that the portal site collection is successfully created.

Create a Shared Services Provider for your farm


Create a Shared Services Provider for the farm.

Note:
This section does not provide an in-depth description of the user interface. Only high-
level instructions are provided. You should be familiar with Central Administration and
how to perform the required steps before you proceed.
1. On the Application Management page in Central Administration, click Create or
configure this farm’s shared services.
2. On the subsequent page, click New SSP.
3. On the subsequent page, in the SSP Name section, type SSP1 in the SSP Name field.
Then, in the Web application field, select the Web application you created for the Shared
Services Administration site Web application. For the example in this section, select the Web
application named SSPAdminSite.
• In the MySite section, in the Web application field, select the Web application you
created for the My Site Web site. For the example in this section, select the Web
application named MySite.
• In the SSP service credentials section, in the User name field, type
mydomain\sspsvc.
4. Click OK.
5. Confirm that your farm’s SSP is successfully created.

Confirm successful access to the Web applications using Kerberos authentication
Confirm that Kerberos authentication is working for the recently created Web applications. Start
with the portal site.
To do this, perform the following steps:
1. Log on as mydomain\pscexec to a server running Office SharePoint Server 2007 other than
either of the two front-end Web servers that are configured for NLB. You should not verify
correct Kerberos authentication behavior directly on one of the computers hosting the
load-balanced Web sites that use Kerberos authentication; do this from a separate
computer in the domain.
2. Start Internet Explorer on this other system and attempt to go to the following URL:
http://kerbportal.mydomain.net.
The home page of the Kerberos-authenticated portal site should render.
To confirm that Kerberos authentication was used to access the portal site, go to one of the load-
balanced front-end Web servers, run Event Viewer, and look in the Security log. You should
see a Success Audit record, similar to the following table, on one of the front-end Web servers.
Note that you may have to look on both front-end Web servers before you find it, depending on
which system handled the load-balanced request.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 11/1/2007
Time: 5:08:20 PM
User: MYDOMAIN\pscexec
Computer: mossfe1
Description: An example of a successful network logon is depicted in the following table.

User Name: pscexec
Domain: MYDOMAIN
Logon ID: (0x0,0x1D339D3)
Logon Type: 3
Logon Process: Kerberos authentication
Workstation Name:
Logon GUID: {fad7cb69-21f8-171b-851b-3e0dbf1bdc79}
Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address: 192.168.100.100
Source Port: 2505

Examination of this log record shows the same type of information as in the previous log entry:
• Confirm that the user name is correct; it is the mydomain\pscexec account that logged on
over the network to the front-end Web server running Office SharePoint Server 2007 that is
hosting the portal site.
• Confirm that the logon type is 3; a logon type 3 is a network logon.
• Confirm that the logon process and authentication package both use Kerberos
authentication. This confirms that Kerberos authentication is being used to access your portal
site.
• Confirm that the Source Network Address matches the IP address of the computer from
which the connection was made.
If the home page of the portal site fails to render, and displays an “unauthorized” error message,
then Kerberos authentication is failing. There are usually only a couple of causes for this:
• The SPN in Active Directory was not registered for the correct account. It should have
been registered for mydomain\portalpool, for the Web application of the portal site.
• The SPN in Active Directory does not match the SPN being constructed by Internet
Explorer or is invalid for another reason. In this case, because you are using IIS host headers
without explicit port numbers, the SPN registered in Active Directory differs from the IIS host
header specified when you extended the Web application. You need to correct this to get
Kerberos authentication working.

Note:
A diagnostic aid you could use to see what is going on over the network is a network
sniffer such as Microsoft Network Monitor to take a trace during browsing to Central
Administration. After the failure, examine the trace and look for KerberosV5 Protocol
packets. You should find a packet with an SPN constructed by Internet Explorer. If that
SPN does not contain a port number, then you need to apply the fix described in the
section Configure Internet Explorer to include port numbers in Service Principal Names. If
the SPN in the trace looks correct, then either the SPN in Active Directory is invalid or the
SPN has been registered for the wrong account.
After you have Kerberos authentication working for your portal site, go to your Kerberos-
authenticated My Site and the Shared Services Administration site using the following URLs:
• http://kerbmysite.mydomain.net
• http://kerbsspadmin.mydomain.net/ssp/admin

Note:
The first time you access the My Site URL, it will take some time for Office SharePoint
Server 2007 to create a My Site for the logged-on user. However, it should succeed, and
the My Site page for that user should render.
These should both work correctly. If they don’t, refer to the preceding troubleshooting steps.

Confirm correct Search Indexing functionality
Confirm that Search Indexing is successfully crawling the content hosted on this farm. This is the
step you must take prior to confirming the Search Query results for users accessing the sites
using Kerberos authentication.

Note:
This section does not provide an in-depth description of the user interface. Only high-
level instructions are provided. You should be familiar with Central Administration and
how to perform the required steps before you proceed.
1. Access the Shared Services Administration site Web application at
http://kerbsspadmin.mydomain.net/ssp/admin.
2. On this page, click Search Settings.
3. On the subsequent page, click Content Sources and Crawl Schedules.
4. On the subsequent page, access the ECB for the Office SharePoint Server Content
Sources, and from the drop-down list, select Start Full Crawl.
5. Wait for the crawl to complete. If the crawl fails, you must investigate and correct the
failure, and then run a full crawl. If the crawl fails with "access denied" errors, it is either
because the crawling account does not have access to the content sources, or because
Kerberos authentication has failed. Whatever the cause, this error must be corrected before
proceeding to subsequent steps.
You must complete a full crawl of the Kerberos-authenticated Web applications before
proceeding.

Confirm correct Search Query functionality


To confirm that Search Query returns results for users accessing the portal site that uses
Kerberos authentication:
1. Start Internet Explorer on a system in mydomain.net and go to
http://kerbportal.mydomain.net.
2. When the home page of the portal site renders, type a search keyword in the Search
field and press ENTER.
3. Confirm that Search Query results are returned. If they are not, confirm that the keyword
you have entered is valid in your deployment, that Search Indexing is running correctly, that
the Search service is running on your Search Indexing and Search Query servers, and that
there are no problems with search propagation from your Search Index server to your Search
Query server.

Configure your SSP infrastructure for Kerberos
authentication
Note:
This is an optional procedure that requires installation of the Infrastructure Update for
Microsoft Office Servers. Without the installation of the Infrastructure Update for Microsoft
Office Servers, Kerberos authentication cannot be correctly configured for Office
SharePoint Server 2007.
The Infrastructure Update for Microsoft Office Servers includes a new, custom-format SPN for
Kerberos authentication for the SSP infrastructure. This custom-format SPN introduces a new
Service Class: MSSP. The custom-format SPN is in the following format: MSSP/<host:port>/<SSP
name>.
This new custom-format SPN sets a .NET Framework property to direct the .NET Framework to
use a specific SPN for a given URI. It is the .NET Framework that is used to make inter-server
calls to the Office SharePoint Server 2007 SSP infrastructure Web services.
If you examine the SSP infrastructure on an Office SharePoint Server 2007 application server,
you will see that there is a Search shared service at both the root level and the virtual directory
level in IIS. There is also an Excel Calculation Services (ECS) shared service at the virtual
directory level in IIS. After the SSP infrastructure is configured for Kerberos authentication,
Kerberos will be used for accessing shared services at both the root level and the virtual directory
level.
You do not need to register SPNs for the root-level Web services. You only need to register SPNs
for the virtual-directory-level Web services. This is because when joining a computer to a domain,
a HOST-class SPN is automatically registered for the computer account in the domain, and the
SPN will work for the root-level Web service. However, you do need to register SPNs
corresponding to the virtual directories that actually correlate to the SSPs in your farm.
To successfully configure your SSP infrastructure for Kerberos authentication you must perform
the following steps:
1. Register new custom-format SPNs for your SSP service account in Active Directory.
2. Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos
authentication.
3. Add a new registry key to all of your servers running Office SharePoint Server 2007 to
enable the generation of new custom-format SPNs.
4. Confirm Kerberos authentication for root-level shared Web service access.
5. Confirm Kerberos authentication for virtual-directory-level shared Web service access.

Note:
In the preceding procedure, steps 4 and 5 pertain to the searchadmin.asmx shared Web
service. This Search-related shared Web service is located at both the root level of the
SSP infrastructure and at the virtual directory level of the SSP infrastructure. The root-
level Search shared service can be thought of as a global Web service that pertains to
the configuration of the Office SharePoint Server 2007 Search service settings at the
Services on Server level in Office SharePoint Server 2007 Central Administration. The
virtual-directory-level Search shared service corresponds to a specific SSP in your farm,
and is used when configuring Search settings specific to that SSP on the Shared
Services Administration site. When performing the steps to verify Kerberos authentication
for root-level shared services access, you will not see the generation or use of the new-
format SPNs. You will only see the new-format SPNs when accessing the virtual directory
level Web service; however, you need to verify that access to the shared service works at
both levels.

Register new custom-format SPNs for your SSP service account in Active Directory
In this section, the SSP service account is mydomain\sspsvc, and the name of the SSP you
created is SSP1. The SSP infrastructure exists on all servers in the farm; therefore, SPNs that
refer to all servers running Office SharePoint Server 2007 must be created. Because the SSP
infrastructure is bound to TCP port 56737 and SSL port 56738, you need SPNs that include both
port numbers. Because of this, two SPNs are required for each application server. For the
examples used in this section, you need to create 10 SPNs.
Perform the following procedure to create the SPNs for your SSP infrastructure:
1. Log on to your Active Directory domain controller using the credentials of a user that has
domain administrative permissions.
2. In the Run dialog box, type ADSIEDIT.MSC.
3. In the Management Console dialog box, expand the domain container folder.
4. Expand the container folder containing user accounts, for example CN=Users.
5. Locate the container for the SSP service account, for example CN=sspsvc.
6. Right-click the SSP service account, and then click Properties.
7. Scroll down the list of properties in the SSP Service account dialog box until you find
servicePrincipalName.
8. Select the servicePrincipalName property and click Edit.
9. In the Value to Add field, in the Multi-Valued String Editor dialog box, add the following
SPNs:
• MSSP/mossfe1:56737/SSP1
• MSSP/mossfe1:56738/SSP1
• MSSP/mossfe2:56737/SSP1
• MSSP/mossfe2:56738/SSP1
• MSSP/mossadmin:56737/SSP1
• MSSP/mossadmin:56738/SSP1
• MSSP/mosscrawl:56737/SSP1
• MSSP/mosscrawl:56738/SSP1
• MSSP/mossquery:56737/SSP1
• MSSP/mossquery:56738/SSP1
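As an added example that is not part of this guide, the following PowerShell script audits the SPN registrations this section and the portal troubleshooting list earlier in this chapter depend on: each expected SPN must be on its intended account and on no other object in the domain (a duplicate is as fatal to Kerberos as a missing one), and with -Register it adds the ones that are missing. The HTTP/<host header> SPNs for the application pool accounts are an assumption, since this section spells out only the MSSP SPNs.

```powershell
# Added example, not from the deployment guide. Audits the SPNs the guide's
# example farm relies on and, with -Register, adds any that are missing.
# Run on a domain-joined computer as a user who can read (and, to register,
# write) the servicePrincipalName attribute of the service accounts.
param(
    [switch]$Register,                        # add missing SPNs instead of only reporting them
    [string]$DomainDn = 'DC=mydomain,DC=net'  # constructed from the guide's mydomain.net
)

# Expected SPNs per service account (sAMAccountName without the domain prefix).
# The HTTP/<host header> entries are an assumption: this section lists only
# the MSSP SPNs, but the portal troubleshooting steps expect an SPN for
# mydomain\portalpool that matches the host header of the Web application.
$expected = @{
    'portalpool'   = @('HTTP/kerbportal.mydomain.net')
    'mysitepool'   = @('HTTP/kerbmysite.mydomain.net')
    'sspadminpool' = @('HTTP/kerbsspadminsite.mydomain.net')
    'sspsvc'       = @()
}
# The ten MSSP/<host:port>/<SSP name> SPNs from this section.
foreach ($computer in 'mossfe1', 'mossfe2', 'mossadmin', 'mosscrawl', 'mossquery') {
    foreach ($port in 56737, 56738) {
        $expected['sspsvc'] += "MSSP/${computer}:${port}/SSP1"
    }
}

function New-DomainSearcher {
    param([string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainDn"
    $searcher.Filter = $Filter
    $searcher
}

function Find-SpnOwners {
    # Distinguished names of every object in the domain that carries the SPN.
    # More than one owner is a duplicate SPN: the KDC may then encrypt the
    # ticket with the wrong account's key and the service cannot decrypt it.
    param([string]$Spn)
    $searcher = New-DomainSearcher "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties['distinguishedname'][0]
    }
}

function Get-AccountEntry {
    param([string]$SamAccountName)
    $searcher = New-DomainSearcher "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account '$SamAccountName' not found under $DomainDn" }
    $result.GetDirectoryEntry()
}

foreach ($account in $expected.Keys) {
    $entry   = Get-AccountEntry $account
    $entryDn = [string]$entry.Properties['distinguishedName'].Value
    $current = @($entry.Properties['servicePrincipalName'] | ForEach-Object { [string]$_ })
    $changed = $false
    foreach ($spn in $expected[$account]) {
        # A copy on some other object must be removed first; adding a second
        # copy here would only turn a wrong registration into a duplicate.
        $others = @(Find-SpnOwners $spn | Where-Object { $_ -ne $entryDn })
        if ($others.Count -gt 0) {
            Write-Warning ("{0} is registered on another object: {1}" -f $spn, [string]::Join('; ', [string[]]$others))
            continue
        }
        if ($current -contains $spn) {
            Write-Host "OK       $account  $spn"
        } elseif ($Register) {
            [void]$entry.Properties['servicePrincipalName'].Add($spn)
            $changed = $true
            Write-Host "ADDED    $account  $spn"
        } else {
            Write-Host "MISSING  $account  $spn  (rerun with -Register to add it)"
        }
    }
    if ($changed) { $entry.CommitChanges() }
}
```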

Run the Stsadm command-line tool to set the SSP infrastructure to use Kerberos authentication
To configure your SSP infrastructure to use Kerberos authentication, perform the following
procedure:
1. Log on to your Active Directory domain controller using the credentials of a user that has
domain administrative permissions.
2. On one of your servers running Office SharePoint Server 2007, open a command prompt.
3. Change to the following directory: %COMMONPROGRAMFILES%\microsoft shared\web
server extensions\12\bin.
4. Type the following command: stsadm -o setsharedwebserviceauthn -negotiate, and
then press ENTER.
Ensure that this command runs successfully before proceeding.
When you have completed this procedure, the command applies to all of the SSPs that you
create in your farm, including SSPs that you create after you have successfully run this
command.

Add a new registry key to all of your servers running Office SharePoint Server to enable generation of the new custom-format SPNs
The generation of the new, custom-format SPNs is controlled through the setting of a new registry
key introduced with the Infrastructure Update for Microsoft Office Servers. To enable the
generation of the new, custom-format SPNs, this registry key must be added to all servers in the
farm, and all servers must be restarted.
Perform the following steps to enable the new behavior. On each server in the farm:
1. Log on as a local administrator.
2. Run the Registry Editor, and add the following new registry key:
HKLM\Software\Microsoft\Office Server\12.0\KerberosSpnFormat (REG_DWORD) = 1
3. Restart the server. It is important to be aware that you must restart the server for the new
registry key to take effect.

Caution:
Incorrectly editing the registry might severely damage your system. Before making
changes to the registry, you should back up any valued data on the computer.
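The registry step above is performed by hand on each server. As an added example that is not part of this guide, the following PowerShell script reads the KerberosSpnFormat value on every farm server through the remote registry, sets it with -Apply where it is missing, and shows each server's last boot time so you can tell which servers have not been restarted since the change. It assumes the guide's server names and that the Remote Registry service is reachable on each of them.

```powershell
# Added example, not from the deployment guide. Audits (and with -Apply sets)
# HKLM\SOFTWARE\Microsoft\Office Server\12.0\KerberosSpnFormat = 1 on every
# server in the farm over the remote registry. The caller must be a local
# administrator on each server and the Remote Registry service must be running.
param(
    [string[]]$Servers = @('mossadmin', 'mossfe1', 'mossfe2', 'mossquery', 'mosscrawl'),
    [switch]$Apply
)
$subKey    = 'SOFTWARE\Microsoft\Office Server\12.0'   # key path from the guide
$valueName = 'KerberosSpnFormat'

function Get-KerberosSpnFormat {
    # Current value on $Server, or $null when the value (or the key) is absent.
    param([string]$Server)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    try {
        $key = $hklm.OpenSubKey($subKey)
        if ($key -eq $null) { return $null }
        $key.GetValue($valueName, $null)
    } finally { $hklm.Close() }
}

function Set-KerberosSpnFormat {
    # Writes the REG_DWORD value 1 that enables the new-format SPNs.
    param([string]$Server)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    try {
        $key = $hklm.OpenSubKey($subKey, $true)   # open writable
        if ($key -eq $null) { throw "$Server has no $subKey key; is Office SharePoint Server installed?" }
        $key.SetValue($valueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $hklm.Close() }
}

function Get-LastBootTime {
    # The value only takes effect after a restart, so report when each server
    # last booted; a boot time earlier than the change means a restart is due.
    param([string]$Server)
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $Server
    [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)
}

foreach ($server in $Servers) {
    $value = Get-KerberosSpnFormat $server
    if ($value -eq 1) {
        $state = 'set'
    } elseif ($Apply) {
        Set-KerberosSpnFormat $server
        $state = 'set now; restart required'
    } else {
        $state = 'MISSING (rerun with -Apply)'
    }
    '{0,-12} {1,-30} last boot {2}' -f $server, $state, (Get-LastBootTime $server)
}
```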

Confirm Kerberos authentication for root-level
shared services access
To confirm Kerberos authentication for the root-level shared services, perform the following
procedure:
1. Log on to the computer that is hosting the Central Administration Web application. If you
are using the example in this section, log on to MOSSADMIN.
2. Go to Central Administration at http://mossadmin.mydomain.net:10000
3. On the Central Administration home page, click Operations.
4. On the Operations page, click Services on Server.
5. In the Server section, click the drop-down arrow to display the list of servers in the farm,
and then click your Search Query server. If you are using the example in this section, select
MOSSQUERY.
6. After the page refreshes, confirm that you are pointing to the correct query server, and in
the Service section, click Office SharePoint Server Search.
7. Confirm that the Configure Office SharePoint Server Search Service Settings on server
mossquery page is displayed.
8. Perform the following steps to confirm that Kerberos authentication was used to render
the page:
• Log on to your Search Query server (using the example in this section, the server
named MOSSQUERY).
• Run the Windows event viewer.
• Examine the Security event log.
• You should see a log record that is similar to the data shown in the following table:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 5/6/2008
Time: 12:12:17 PM
User: MYDOMAIN\pscexec
Computer: MOSSQUERY
Description: An example of a successful network logon is depicted in the following table.

User Name: pscexec
Domain: MYDOMAIN
Logon ID: (0x0,0x7252B10)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {a96a9450-3af5-d82e-3bb3-8cd65c8e5c49}
Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address: 192.168.100.100
Source Port: 1964

Important:
Repeat this procedure for your Search Indexing server to confirm that the page renders
and that there is a security event viewer log record indicating that the Kerberos
authentication package was used for accessing the page.

Confirm Kerberos authentication for virtual-directory-level shared services access
This is the final step in configuring and deploying a server farm running Office SharePoint Server
2007 using Kerberos authentication.
To confirm that Kerberos authentication is used for accessing the virtual-directory-level shared
services, perform the following procedure:
1. Go to the Shared Services Administration home page.
2. Determine which of your load-balanced front-end Web servers is responding to this
request.
3. On the front-end Web server that is responding to the request, run Network Monitor and
apply a capture filter to capture KerberosV5 protocol packets. Using Network Monitor 3.2, this
capture filter would be protocol.KerberosV5.
4. Start a Network Monitor sniff.
5. On the Shared Services Administration site home page, click Search Settings.
6. Confirm that the Search Settings page is displayed.
7. Stop the sniff and examine captured packets. You should see Kerberos protocol packets
with descriptions that are similar to those shown in the following example:
The Sname value in the preceding example (MSSP/mosscrawl:56738/SSP1) is the new-format
SPN being generated and sent to the Kerberos KDC as a result of the changes included in the
Infrastructure Update for Microsoft Office Servers.
Log on to your index server (in the example in this section, the index server is MOSSCRAWL).
Run the event viewer and examine the security log. You should see an entry that is similar to the
data shown in the following table:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 5/6/2008
Time: 1:21:04 PM
User: MYDOMAIN\sspadminpool
Computer: MOSSCRAWL
Description: An example of a successful network logon is depicted in the following table.

User Name: sspadminpool
Domain: MOSSCRAWL
Logon ID: (0x0,0xD84A6)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {2f1cccb3-c10d-27e5-9896-0f918e8ad796}
Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address: 192.168.150.100
Source Port: 1513

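The Security log inspection above, the same check for the portal site on the load-balanced front-end Web servers earlier in this chapter, and the root-level check on MOSSQUERY can all be scripted. The following PowerShell is an added example that is not part of this guide; it assumes Windows Server 2003 auditing (event ID 540) and the user and address values used in the guide's examples.

```powershell
# Added example, not from the deployment guide. Reads the Security log on the
# server it runs on and checks, as the guide does by hand in Event Viewer,
# that a user's network logon used the Kerberos authentication package.
# Assumes Windows Server 2003 auditing, where the record is event ID 540 (on
# Windows Server 2008 and later the equivalent is ID 4624 with a different
# field layout). Run it on each load-balanced front-end Web server in turn,
# then on MOSSQUERY and MOSSCRAWL.
function Get-MessageField {
    # Text that follows "<Name>:" in the event description, '' when absent.
    param([string]$Message, [string]$Name)
    $pattern = [regex]::Escape($Name) + ':[ \t]*([^\r\n]*)'
    if ($Message -match $pattern) { $matches[1].Trim() } else { '' }
}

function Get-NetworkLogonRecords {
    # One object per 540 record for the user, with the fields the guide reads.
    param(
        [string]$UserName,     # sAMAccountName, e.g. pscexec or sspadminpool
        [int]$Newest = 2000,   # how far back in the Security log to look
        [int]$EventId = 540
    )
    $userPattern = 'User Name:[ \t]*' + [regex]::Escape($UserName) + '[ \t]*(\r|\n|$)'
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq $EventId -and $_.Message -match $userPattern } |
        ForEach-Object {
            $e = $_
            $m = $e.Message
            $record = New-Object PSObject
            $record | Add-Member NoteProperty Time          $e.TimeGenerated
            $record | Add-Member NoteProperty Computer      $e.MachineName
            $record | Add-Member NoteProperty Domain        (Get-MessageField $m 'Domain')
            $record | Add-Member NoteProperty LogonType     (Get-MessageField $m 'Logon Type')
            $record | Add-Member NoteProperty LogonProcess  (Get-MessageField $m 'Logon Process')
            $record | Add-Member NoteProperty AuthPackage   (Get-MessageField $m 'Authentication Package')
            $record | Add-Member NoteProperty SourceAddress (Get-MessageField $m 'Source Network Address')
            $record
        }
}

function Test-KerberosNetworkLogon {
    # $true when at least one record for the user is a type 3 (network) logon
    # whose logon process and authentication package are both Kerberos and,
    # when given, whose source address is the client the test was run from.
    param([string]$UserName, [string]$ExpectedSource = '')
    $hits = @(Get-NetworkLogonRecords -UserName $UserName | Where-Object {
        $_.LogonType -eq '3' -and
        $_.LogonProcess -match '^Kerberos' -and
        $_.AuthPackage -match '^Kerberos' -and
        ($ExpectedSource -eq '' -or $_.SourceAddress -eq $ExpectedSource)
    })
    $hits.Count -gt 0
}

# Constructed usage for the guide's portal test: pscexec browsing from
# 192.168.100.100. An NTLM fallback shows up here as Logon Process NtLmSsp
# and Authentication Package NTLM instead of Kerberos.
Get-NetworkLogonRecords -UserName 'pscexec' |
    Format-Table Time, LogonType, LogonProcess, AuthPackage, SourceAddress -AutoSize
Test-KerberosNetworkLogon -UserName 'pscexec' -ExpectedSource '192.168.100.100'
```
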
Configuration limitations
There are a few configuration limitations with respect to utilizing Kerberos authentication for the
SSP infrastructure using the Infrastructure Update for Microsoft Office Servers:
• The host name portion of the new-format SPNs that are created will be the NetBIOS
name of the host running the service, for example: MSSP/kerbtest4:56738/SSP1. This is
because the host names are fetched from the Office SharePoint Server 2007 configuration
database, and only NetBIOS computer names are stored in the Office SharePoint Server
2007 configuration database. This might be ambiguous in certain scenarios. Currently, the
Stsadm command-line tool cannot be successfully used to rename a server running Office
SharePoint Server 2007, so there is no workaround for this issue.
• Do not use SSP names containing extended characters. An SPN with an SSP name
containing extended characters cannot be selected as the target for delegation. Therefore,
avoid using extended characters in your SSP names.

Additional resources and troubleshooting guidance
Product/technology: Resource
Windows Server 2003: Event ID 10017 error messages are logged in the System log after you install Windows SharePoint Services 3.0 (http://go.microsoft.com/fwlink/?LinkId=120456&clcid=0x409)
SQL Server: How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 2005 (http://go.microsoft.com/fwlink/?LinkId=85942&clcid=0x409)
SQL Server: How to troubleshoot the "Cannot generate SSPI context" error message (http://go.microsoft.com/fwlink/?LinkId=82932&clcid=0x409)
SQL Server: How to configure SQL Server 2005 Analysis Services to use Kerberos authentication (http://go.microsoft.com/fwlink/?LinkId=120459&clcid=0x409)
.NET Framework: AuthenticationManager.CustomTargetNameDictionary Property (http://go.microsoft.com/fwlink/?LinkId=120460&clcid=0x409)
Windows Internet Explorer: Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=99681&clcid=0x409)
Windows Internet Explorer: Error message in Internet Explorer when you try to access a Web site that requires Kerberos authentication on a Windows XP-based computer: "HTTP Error 401 - Unauthorized: Access is denied due to invalid credentials" (http://go.microsoft.com/fwlink/?LinkId=120462&clcid=0x409)
Kerberos authentication: Kerberos Authentication Technical Reference (http://go.microsoft.com/fwlink/?LinkId=78646&clcid=0x409)
Kerberos authentication: Troubleshooting Kerberos Errors (http://go.microsoft.com/fwlink/?LinkId=93730&clcid=0x409)
Kerberos authentication: Kerberos Protocol Transition and Constrained Delegation (http://go.microsoft.com/fwlink/?LinkId=100941&clcid=0x409)
IIS: Configuring SSL Host Headers (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=120463&clcid=0x409)

About the author


Mark Grossbard is a Test Engineer, MOSS Core Test, for Office SharePoint Server at Microsoft.

Run the Best Practices Analyzer tool
You can run the Best Practices Analyzer tool to check for common issues and best security
practices. The tool generates a report that can help you optimize the configuration of your
system. The tool can be run locally or from a server that is not attached to the server farm. To
download the tool, click Microsoft Best Practices Analyzer for Windows SharePoint Services 3.0
and the 2007 Microsoft Office System (http://go.microsoft.com/fwlink/?LinkID=83335&clcid=0x409).

Configure usage reporting
In this section:
• About usage reporting
• Configure Windows SharePoint Services usage logging
• Enable usage reporting
• Activate usage reporting
• Monitor usage reporting

About usage reporting


Usage reporting is a service that enables site administrators, site collection administrators, and
Shared Services Provider (SSP) administrators to monitor statistics about the use of their sites.
Usage reporting also includes usage reporting for search queries that can be viewed by SSP
administrators for search and site collection administrators.
To configure usage reporting, a farm administrator must first enable Windows SharePoint
Services usage logging for the farm that hosts the Web application containing the SSP. The SSP
administrator enables and configures the usage reporting service. Then, site collection
administrators can activate the reporting feature to enable usage reports on the site collection.
After usage reporting is enabled, site administrators and site collection administrators can view
site usage summary pages that have the following information for their sites and site collections:
• Requests and queries in the last day and the last 30 days.
• Average number of requests per day over the last 30 days.
• A chart of requests per day over the last 30 days.
• A list of the top page requests over the last 30 days.
• A list of top users over the last 30 days.
• A chart of top referring hosts over the last 30 days.
• A chart of top referring pages over the last 30 days.
• A list of top destination pages over the last 30 days.
• Top queries for the last 30 days (if search usage reporting is enabled).
• Search results top destination pages (if search usage reporting is enabled).
SSP administrators for the search service can view a search usage reports page that tracks the
following information:
• Number of queries per day over the previous 30 days.
• Number of queries per month over the previous 12 months.
• Top queries over the previous 30 days.
• Top site collections originating queries over the previous 30 days.

• Queries per search scope over the previous 30 days.
Site collection administrators for the SSP site can view a usage summary page that tracks the
following information:
• Total amount of storage used by the site collection.
• Percent of storage space used by Web Discussions.
• Maximum storage space allowed.
• Number of users for all sites in the hierarchy.
• Total hits and recent bandwidth usage across all sites.
Site collection administrators can also view a site usage report that includes monthly and daily
page hit totals filtered by the following criteria:
• Page
• User
• Operating system
• Browser
• Referrer URL
Usage reporting is very useful for managing complex site hierarchies with many sites, a large
number of page hits, and a large number of search queries, and it is recommended that the
service be enabled for deployments of complex site hierarchies. For less complex deployments,
usage reporting might not be necessary. It is also possible to disable the service temporarily to
conserve resources when those resources are needed for other processes.

Enable Windows SharePoint Services usage logging


Before you can enable usage reporting in an SSP, you must first enable Windows SharePoint
Services usage logging for the farm hosting the Web application containing the SSP.
Use the following procedure to enable usage logging for the farm.

Enable usage logging for the farm


1. On the Central Administration home page, click Operations.
2. On the Operations page, in the Logging and Reporting section, click Usage
analysis processing.
3. On the Usage Analysis Processing page, in the Logging Settings section, select
Enable logging.
4. Type a log file location and number of log files to create.
5. In the Processing Settings section, select Enable usage analysis processing, and
then select a time to run usage processing.
6. Click OK.
For information about how to perform this procedure using the Stsadm command-line
tool, see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-us/library/cc263478.aspx).

Enable usage reporting


After Windows SharePoint Services usage logging is enabled in the server farm, SSP
administrators must enable the usage reporting service. SSP administrators can control the
complexity of usage analysis processing, and select whether or not reporting is enabled for
search queries.
Use the following procedure to enable usage reporting.

Enable usage reporting


1. On the SSP home page, in the Office SharePoint Usage Reporting section, click
Usage reporting.
2. On the Configure Advanced Usage Analysis Processing page, in the Processing
Settings section, click Enable advanced usage analysis processing.
3. In the Search Query Logging section, select Enable search query logging.
4. Click OK.

If advanced usage analysis processing is not selected, usage reporting statistics will be minimal.
For information about how to perform this procedure using the Stsadm command-line tool, see
Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-us/library/cc263478.aspx).

Activate usage reporting


After usage reporting is enabled for the SSP, site collection administrators must activate the
reporting feature. Until the reporting feature is activated on a site collection, usage reports are not
available.
Use the following procedure to activate the reporting feature.

Activate the reporting feature


1. On the Site Actions menu, click Site Settings.
2. On the Site Settings page, in the Site Collection Administration section, click Site
collection features.
3. On the Site Collection Features page, click the Activate button for the Reporting
feature.
For information about how to perform this procedure using the Stsadm command-line
tool, see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-us/library/cc263478.aspx).

Monitor usage reporting
Usage reporting can be viewed in several places:
• Site administrators, including administrators of the SSP administration site, can view
usage reporting for their site by clicking Site usage reports in the Site Administration
section of the Site Settings page.
• Site collection administrators can view usage reporting by clicking Site collection usage
reports in the Site Collection Administration section of the Site Settings page.
• Site collection administrators for the SSP administration site can view a usage summary
by clicking Usage summary in the Site Collection Administration section of the Site
Settings page.
• SSP administrators for search can view search usage reports by clicking Search usage
reports in the Search section of the SSP home page.
For information about how to perform this procedure using the Stsadm command-line tool,
see Usage Analysis: Stsadm properties (http://technet.microsoft.com/en-us/library/cc263478.aspx).

V. Deploy and configure SharePoint sites

Chapter overview: Deploy and configure
SharePoint sites
After you have installed Microsoft Office SharePoint Server 2007, configured shared services,
and performed the other configuration tasks for your servers, you are ready to begin creating
SharePoint sites.
In this chapter:
• Create or extend Web applications SharePoint sites are hosted by Web applications, so you
must create one or more Web applications before you can create any sites. This section covers
how to create a Web application, or how to extend a Web application to host the same content
as another Web application.
• Create zones for Web applications Each Web application can have as many as five
zones, and each zone can have a different authentication method. A default zone is
automatically created when you create a Web application. This section helps you configure
any additional zones you need.
• Configure alternate access mapping Alternate access mapping enables you to assign
different URLs to the same site (for example, you can configure access via the HTTP protocol
for internal users and via the HTTPS protocol for external users). Alternate access mapping
settings are configured per zone at the Web application level. Although the settings can be
configured at any time, it is useful to configure alternate access mapping before you create
your SharePoint sites. This section helps you configure alternate access mapping for a Web
application.
• Create quota templates Quota templates enable you to set a limit on how large a site
collection can become. This section helps you configure the quota templates that you want to
use for any site collections you create.
• Create a site collection After you have configured the settings that the previous articles
describe, you can create a site collection. This section helps you create a site collection from
Central Administration and assign primary and secondary owners. If you want to allow users to
create their own sites, you need to configure Self-Service Site Management for the Web
application. For more information about choosing a method to use for site creation, see Plan
process for creating sites (http://technet.microsoft.com/en-us/library/cc263483.aspx).
• Create a blank site to migrate content into If you are moving a site collection from one Web
application or server farm to another, or using the content deployment features to deploy an
existing site collection to a new site collection on a different server farm or Web application,
you need to create a blank site collection as the destination for the content. This section helps
you create a blank site collection, either for migrating sites or for content deployment.
• Add site content After you have created your site collection, you can begin adding site
content. This section provides links to information that can help you add content to your sites.
• Enable access for end users After you have created your site, you can add users and grant
them access to the site. This section helps you add users to a site collection.

Create or extend Web applications
Before you can create a site or a site collection, you must first create a Web application. A Web
application consists of an Internet Information Services (IIS) Web site with a unique application
pool, and it can be assigned to a Shared Services Provider (SSP) to enable features such as
InfoPath Forms Services, Excel Calculation Services, and workflows.
In this section:
• Create a new Web application
• Extend an existing Web application

Create a new Web application


Create a new Web application
1. Click the Start button, point to All Programs, then point to Microsoft Office Server,
and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the SharePoint Web Application
Management section, click Create or extend Web application.
4. On the Create or Extend Web Application page, in the Adding a SharePoint Web
Application section, click Create a new Web application.
5. On the Create New Web Application page, in the IIS Web Site section, you can
configure the settings for your new Web application.
a. To choose to use an existing Web site, select Use an existing Web site, and
specify the Web site on which to install your new Web application by selecting it from
the drop-down menu.
b. To choose to create a new Web site, select Create a new IIS Web site, and type
the name of the Web site in the Description box.
c. In the Port box, type the port number you want to use to access the Web
application. If you are creating a new Web site, this field is populated with a
suggested port number. If you are using an existing Web site, this field is populated
with the current port number.
d. In the Host Header box, type the URL you wish to use to access the Web
application. This is an optional field.
e. In the Path box, type the path to the site directory on the server. If you are
creating a new Web site, this field is populated with a suggested path. If you are
using an existing Web site, this field is populated with the current path.
6. In the Security Configuration section, configure authentication and encryption for
your Web application.

a. In the Authentication Provider section, choose either Negotiate (Kerberos) or
NTLM.
b. In the Allow Anonymous section, choose Yes or No. If you choose to allow
anonymous access, this enables anonymous access to the Web site using the
computer-specific anonymous access account (that is, IUSR_<computername>).
c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you
choose to enable SSL for the Web site, you must configure SSL by requesting and
installing an SSL certificate.
7. In the Load Balanced URL section, type the URL for the domain name for all sites
that users will access in this Web application. This URL domain will be used in all links
shown on pages within the Web application. By default, the box is populated with the
current server name and port.
The Zone box is automatically set to Default for a new Web application, and cannot be
changed from this page. To change the zone for a Web application, see Extend an
existing Web application later in this section.
8. In the Application Pool section, choose whether to use an existing application pool
or create a new application pool for this Web application. To use an existing application
pool, select Use existing application pool. Then select the application pool you wish to
use from the drop-down menu.
a. To create a new application pool, select Create a new application pool.
b. In the Application pool name box, type the name of the new application pool, or
keep the default name.
c. In the Select a security account for this application pool section, select
Predefined to use an existing application pool security account, and then select the
security account from the drop-down menu.
d. Select Configurable to use an account that is not currently being used as a
security account for an existing application pool. In the User name box, type the user
name of the account you wish to use, and type the password for the account into the
Password box.
9. In the Reset Internet Information Services section, choose whether to allow
Windows SharePoint Services to restart IIS on other farm servers. The local server must
be restarted manually for the process to finish. If this option is not selected and you have
more than one server in the farm, you must wait until the IIS Web site is created on all
servers and then run iisreset /noforce on each Web server. The new IIS site is not
usable until that action is completed. The choices are unavailable if your farm only
contains a single server.
10. Under Database Name and Authentication, choose the database server, database
name, and authentication method for your new Web application.

Item: Database Server
Action: Type the name of the database server and SQL Server instance you want to use in the
format <SERVERNAME\instance>. You may also use the default entry.

Item: Database Name
Action: Type the name of the database, or use the default entry.

Item: Database Authentication
Action: Choose whether to use Windows authentication (recommended) or SQL authentication.
• If you want to use Windows authentication, leave this option selected.
• If you want to use SQL authentication, select SQL authentication. In the Account box, type
the name of the account you want the Web application to use to authenticate to the SQL
Server database, and then type the password in the Password box.

11. Click OK to create the new Web application, or click Cancel to cancel the process
and return to the Application Management page.

Extend an existing Web application


You can extend an existing Web application if you need to have separate IIS Web sites that
expose the same content to users. This is typically used for extranet deployments where different
users access content using different domains. This option reuses the content database from an
existing Web application.

Extend an existing Web application


1. Click the Start button, point to All Programs, then point to Microsoft Office Server,
and then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the SharePoint Web Application
Management section, click Create or extend Web application.
4. On the Create or extend Web application page, in the Adding a SharePoint Web
Application section, click Extend an existing Web application.
5. On the Extend Web Application to Another IIS Web Site page, in the Web
Application section, click the Web application link and then click Change Web
application.
6. On the Select Web Application page, click the Web application you want to extend.
7. On the Extend Web Application to Another IIS Web Site page, in the IIS Web Site
section, you can select Use an existing IIS Web site to use a Web site that has already
been created, or you can choose to leave Create a new IIS Web site selected. The
Description, Port, and Path boxes are populated for either choice. You can choose to
use the default entries or type the information you want into the boxes.
8. In the Security Configuration section, configure authentication and encryption for
the extended Web application.
a. In the Authentication Provider section, choose either Negotiate (Kerberos) or
NTLM.
b. In the Allow Anonymous section, choose Yes or No. If you choose to allow
anonymous access, this enables anonymous access to the Web site using the
computer-specific anonymous access account (that is, IUSR_<computername>).
c. In the Use Secure Sockets Layer (SSL) section, select Yes or No. If you
choose to enable SSL for the Web site, you must configure SSL by requesting and
installing an SSL certificate.
9. Under Load Balanced URL, type the URL for the domain name for all sites that
users will access in this Web application. This URL domain will be used in all links shown
on pages within the Web application. By default, the text box is populated with the current
server name and port.
10. In the Load Balanced URL section, under Zone, select the zone for the extended
Web application from the drop-down menu. You can choose Intranet, Internet, Custom,
or Extranet.
11. Click OK to extend the Web application, or click Cancel to cancel the process and
return to the Application Management page.
For information about how to perform this procedure using the Stsadm command-line
tool, see Extendvs: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263040.aspx).

Configure alternate access mapping
Each Web application can be associated with a collection of mappings between internal and
public URLs. Both internal and public URLs consist of the protocol and domain portion of the full
URL (for example, https://www.fabrikam.com). A public URL is what users type to get to the
SharePoint site, and that URL is what appears in the links on the pages. Internal URLs are in the
URL requests that are sent to the SharePoint site. Many internal URLs can be associated with a
single public URL in multi-server farms (for example, when a load balancer routes requests to
specific IP addresses to various servers in the load-balancing cluster).
Each Web application supports five collections of mappings per URL; the five collections
correspond to five zones (default, intranet, extranet, Internet, and custom). When the Web
application receives a request for an internal URL in a particular zone, links on the pages returned
to the user have the public URL for that zone. For more information, see Plan alternate access
mappings (http://technet.microsoft.com/en-us/library/cc261814.aspx).

Manage alternate access mappings


1. On the top navigation bar, click Operations.
2. On the Operations page, in the Global Configuration section, click Alternate access
mappings.
For information about how to perform this procedure using the Stsadm command-line tool, see
Addalternatedomain: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263437.aspx).

Add an internal URL


1. On the Alternate Access Mappings page, click Add Internal URLs.
2. If the mapping collection that you want to modify is not specified, then choose one. In the
Alternate Access Mapping Collection section, click Change alternate access mapping
collection on the Alternate Access Mapping Collection menu.
3. On the Select an Alternate Access Mapping Collection page, click a mapping collection.
4. In the Add internal URL section, in the URL protocol, host and port box, type the new
internal URL (for example, https://www.fabrikam.com).
5. In the Zone list, click the zone for the internal URL.
6. Click Save.
For information about how to perform this procedure using the Stsadm command-line tool, see
Addpath: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263161.aspx).

Edit or delete an internal URL
Note:
You cannot delete the last internal URL for the default zone.
1. On the Alternate Access Mappings page, click the internal URL that you want to edit or
delete.
2. In the Edit internal URL section, modify the URL in the URL protocol, host and port
box.
3. In the Zone list, click the zone for the internal URL.
4. Do one of the following:
• Click Save to save your changes.
• Click Cancel to discard your changes and return to the Alternate Access Mappings
page.
5. Click Delete to delete the internal URL.

Edit public URLs


Note:
There must always be a public URL for the default zone.
1. On the Alternate Access Mappings page, click Edit Public URLs.
2. If the mapping collection that you want to modify is not specified, then choose one. In the
Alternate Access Mapping Collection section, click Change alternate access mapping
collection on the Alternate Access Mapping Collection menu.
3. On the Select an Alternate Access Mapping Collection page, click a mapping collection.
4. In the Public URLs section, you may add new URLs or edit existing URLs in any of the
following text boxes:
• Default
• Intranet
• Extranet
• Internet
• Custom
5. Click Save.

Map to an external resource


You can also define mappings for resources outside internal Web applications. To do so, you
must supply a unique name, initial URL, and a zone for that URL. (The URL must be unique to
the farm.)
1. On the Alternate Access Mappings page, click Map to External Resource.

2. On the Create External Resource Mapping page, in the Resource Name box, type a
unique name.
3. In the URL protocol, host and port box, type the initial URL.
4. Click Save.
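As an added example that is not part of this guide, the following PowerShell script audits the settings chosen in the Security Configuration section of "Create or extend Web applications" (authentication provider, anonymous access, SSL, database authentication) against the alternate access mappings of each zone described above, and reports mismatches for review. It uses the Windows SharePoint Services 3.0 object model and assumes it is run on a farm server by a farm administrator; the function name is mine, and the SQL-authentication check assumes that SPDatabase.Username is set only when SQL authentication was chosen.

```powershell
# Added example (not Microsoft's code). Reads the per-zone IIS settings and the
# alternate access mappings of every Web application and returns findings for
# review; nothing in the farm is changed. Assumes Microsoft.SharePoint.dll
# (WSS 3.0 object model) is installed locally, i.e. this runs on a farm server.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-WebAppZoneAudit {
    $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $findings = @()
    foreach ($webApp in $contentService.WebApplications) {
        # Assumption: a content database configured for SQL authentication carries
        # a user name; Windows authentication (recommended) leaves it empty.
        $sqlAuthDbs = @($webApp.ContentDatabases | Where-Object { $_.Username } |
                        ForEach-Object { $_.Name })

        # IisSettings holds one entry per zone the Web application was created in
        # or extended to (Default, Intranet, Internet, Custom, Extranet).
        foreach ($zone in $webApp.IisSettings.Keys) {
            $iis = $webApp.IisSettings[$zone]
            $mappings = @($webApp.AlternateUrls | Where-Object { $_.UrlZone -eq $zone })
            $publicUrls = @($mappings | ForEach-Object { $_.PublicUrl } | Sort-Object -Unique)
            $internalUrls = @($mappings | ForEach-Object { $_.IncomingUrl } | Sort-Object -Unique)
            $hasSsl = (@($iis.SecureBindings).Count -gt 0)   # "Use Secure Sockets Layer: Yes"
            $hasHttp = (@($iis.ServerBindings).Count -gt 0)

            $problems = @()
            if ($iis.AllowAnonymous) {
                $problems += "anonymous access is enabled at the IIS level for this zone"
            }
            if ($iis.DisableKerberos) {
                $problems += "authentication provider is NTLM (Kerberos disabled)"
            }
            if ($publicUrls.Count -eq 0) {
                $problems += "zone has an IIS Web site but no public URL"
            }
            # Links on returned pages use the zone's public URL, so its scheme must
            # match what the IIS Web site can actually serve.
            foreach ($url in $publicUrls) {
                $scheme = ([Uri]$url).Scheme
                if ($scheme -eq "https" -and -not $hasSsl) {
                    $problems += "public URL $url is https but the IIS site has no SSL binding"
                }
                if ($scheme -eq "http" -and -not $hasHttp) {
                    $problems += "public URL $url is http but the IIS site only has an SSL binding"
                }
            }
            if ($sqlAuthDbs.Count -gt 0) {
                $problems += "content database(s) using SQL authentication: " + ($sqlAuthDbs -join ", ")
            }

            $finding = New-Object PSObject
            $finding | Add-Member NoteProperty WebApplication $webApp.DisplayName
            $finding | Add-Member NoteProperty Zone $zone.ToString()
            $finding | Add-Member NoteProperty AppPoolAccount $webApp.ApplicationPool.Username
            $finding | Add-Member NoteProperty PublicUrls ($publicUrls -join ", ")
            $finding | Add-Member NoteProperty InternalUrls ($internalUrls -join ", ")
            $finding | Add-Member NoteProperty Ssl $hasSsl
            $finding | Add-Member NoteProperty Problems ($problems -join "; ")
            $findings += $finding
        }
    }
    return $findings
}

# Print one record per Web application and zone; empty Problems means no finding.
Get-WebAppZoneAudit | Format-List
```

Run it again after extending a Web application into a new zone or editing public URLs, so that a zone left with NTLM, anonymous access, or an http public URL on an SSL-bound site is caught before users are pointed at it.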

Create zones for Web applications
If your solution architecture includes Web applications with more than one zone, use the
guidance in this section to create additional zones.

Create a new zone


You can create a new zone by extending an existing Web application. Follow the "Extend an
existing Web application" procedure in Create or extend Web applications to create a new zone.
The new zone is created when you select a zone in step 10 of the procedure.
Refer to your planning architecture documents and worksheets to determine which zones you
need to create and what authentication method should be associated with each zone.
You can change the authentication provider for a zone on the Authentication Providers page. For
more information, see Plan authentication methods (http://technet.microsoft.com/en-us/library/cc262350.aspx).

View existing zones


On the Alternate Access Mappings page, you can view the zones that have been created for your
farm.
1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and
then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Operations.
3. On the Operations page, in the Global Configuration section, click Alternate access
mappings.
On the Alternate Access Mappings page, each Web application is displayed with its associated
zone.
For information about how to perform this procedure using the Stsadm command-line tool, see
Enumalternatedomains: Stsadm operation.
See Also
Create or extend Web applications
Configure alternate access mapping
Plan authentication methods (http://technet.microsoft.com/en-us/library/cc262350.aspx)

Create quota templates
In this section:
• Create a new quota template
• Edit an existing quota template
• Delete a quota template
A quota template consists of storage limit values that specify how much data can be stored in a
site collection and the storage size that triggers an e-mail alert to the site collection administrator
when that size is reached. You can create a quota template that can be applied to any site
collection in the farm.

Note:
When you apply a quota template to a site collection, the storage limit applies to the site
collection as a whole. In other words, the storage limit applies to the sum of the content
sizes for the top-level site and all subsites within the site collection.
You can also modify existing quota templates. When a quota template is modified, the new
storage limits you defined in the template will apply to any new site collection you create that uses
that quota template. However, existing site collections to which the quota template has been
previously applied will not be automatically updated to reflect the new storage limits.

Create a new quota template


1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and
then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the SharePoint Site Management section,
click Quota templates.
4. On the Quota Templates page, in the Template Name section, select Create a new
quota template.
5. Type the name of the new template in the New template name box.
• If you want to base your new template on an existing quota template, click the
Template to start from down arrow and select the desired template from the drop-down
menu.
6. In the Storage Limit Values section, set the values you want to apply to the template.
a. If you want to restrict the amount of data that can be stored, click the Limit site
storage to a maximum of check box and type the storage limit in megabytes into the
text box.

b. If you want an e-mail to be sent to the site collection administrator when a certain
storage threshold is reached, click the Send warning E-mail when site storage
reaches check box and type the threshold in megabytes into the text box.
7. Click OK to create the new quota template, or click Cancel to cancel the operation and
return to the Application Management page.

Edit an existing quota template


1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and
then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the SharePoint Site Management section,
click Quota templates.
4. In the Template Name section, click the Template to modify down arrow and select the
template you want to edit from the drop-down menu.
5. In the Storage Limit Values section, set the values you want to apply to the template.
a. If you want to restrict the amount of data that can be stored, click the Limit site
storage to a maximum of check box and type the storage limit in megabytes into the
text box.
b. If you want an e-mail to be sent to the site collection administrator when a certain
storage threshold is reached, click the Send warning E-mail when site storage
reaches check box and type the threshold in megabytes into the text box.
6. Click OK to modify the quota template, or click Cancel to cancel the operation and return
to the Application Management page.

Delete a quota template


1. Click the Start button, point to All Programs, then point to Microsoft Office Server, and
then click SharePoint 3.0 Central Administration.
2. On the Central Administration home page, click Application Management.
3. On the Application Management page, in the SharePoint Site Management section,
click Quota templates.
4. In the Template Name section, click the Template to modify down arrow and select the
template you want to delete from the drop-down menu.
5. Click the Delete button.
6. Click OK on the dialog box that appears to delete the quota template.
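As an added example that is not part of this guide, the following PowerShell script creates or edits a quota template through the Windows SharePoint Services 3.0 object model and then re-applies it to the site collections that already use it, which covers the caveat in the note above that editing a template does not update existing site collections. It assumes Microsoft.SharePoint.dll is installed locally, PowerShell 2.0 or later, and a farm administrator account; the function name and the sample template values are mine.

```powershell
# Added example (not Microsoft's code). Creates or updates a quota template and,
# on request, re-assigns it to existing site collections so they pick up the new
# limits. Assumes the WSS 3.0 object model is installed locally (farm server),
# PowerShell 2.0 or later (try/finally), and farm administrator rights.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Set-QuotaTemplate {
    param(
        [string]$Name,
        [int]$MaximumMB,   # "Limit site storage to a maximum of" (megabytes)
        [int]$WarningMB,   # "Send warning E-mail when site storage reaches" (megabytes)
        [switch]$ReapplyToExistingSites
    )
    if ($MaximumMB -le 0 -or $WarningMB -le 0 -or $WarningMB -ge $MaximumMB) {
        throw "Both limits must be positive and the warning threshold must be below the storage limit."
    }

    $service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $template = $service.QuotaTemplates[$Name]
    $isNew = ($template -eq $null)
    if ($isNew) {
        $template = New-Object Microsoft.SharePoint.Administration.SPQuotaTemplate
        $template.Name = $Name
    }
    # The Quota Templates page takes megabytes; the object model stores bytes.
    $template.StorageMaximumLevel = [long]$MaximumMB * 1MB
    $template.StorageWarningLevel = [long]$WarningMB * 1MB
    if ($isNew) { $service.QuotaTemplates.Add($template) }
    $service.Update()

    # A modified template only affects site collections created afterwards.
    # Existing ones keep their old limits until the template is assigned again;
    # they are matched here by the template's QuotaID.
    $updated = 0
    if ($ReapplyToExistingSites -and -not $isNew) {
        foreach ($webApp in $service.WebApplications) {
            foreach ($site in $webApp.Sites) {
                try {
                    if ($site.Quota -ne $null -and $site.Quota.QuotaID -eq $template.QuotaID) {
                        $site.Quota = $template
                        $updated++
                    }
                } finally {
                    $site.Dispose()   # SPSite holds unmanaged resources
                }
            }
        }
    }
    return $updated
}

# Constructed sample values: a 500 MB limit with the warning e-mail at 400 MB.
$count = Set-QuotaTemplate -Name "Team Sites 500 MB" -MaximumMB 500 -WarningMB 400 -ReapplyToExistingSites
Write-Host "Re-applied the template to $count existing site collection(s)."
```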

Create a site collection
When you create a site collection, you also create the top-level site within that site collection.
Select the appropriate template for your scenario, such as Publishing Portal for an Internet
presence Web site or Collaboration Portal for an intranet portal Web site.

Create a site collection

1. On the top navigation bar, click Application Management.
2. On the Application Management page, in the SharePoint Site Management section,
click Create site collection.
3. On the Create Site Collection page, in the Web Application section, if the Web
application in which you want to create the site collection is not selected, click Change
Web Application on the Web Application menu, and then on the Select Web
Application page, click the Web application in which you want to create the site collection.
4. In the Title and Description section, type the title and description for the site
collection.
5. In the Web Site Address section, under URL, select the path to use for your URL
(such as an included path like /sites/ or the root directory, /).
If you select a wildcard inclusion path, such as /sites/, you must also type the site name
to use in your site's URL.

Note:
The paths available for the URL option are taken from the list of managed paths
that have been defined as wildcard inclusions. For more information about
managed paths, see Define managed paths in the Central Administration Help
(http://technet.microsoft.com/en-us/library/cc263179.aspx) system.
6. In the Template Selection section, in the Select a template list, select the template
that you want to use for the top-level site in the site collection.
7. In the Primary Site Collection Administrator section, enter the user name (in the
form DOMAIN\username) for the user who will be the site collection administrator.
8. If you want to identify a user as the secondary owner of the new top-level Web site
(recommended), in the Secondary Site Collection Administrator section, enter the
user name for the secondary administrator of the site collection.
9. If you are using quotas to limit resource use for site collections, in the Quota
Template section, click a template in the Select a quota template list.

10. Click OK.
For information about how to perform this procedure by using the Stsadm command-line
tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx).

Create a blank site to migrate content into
You must create the site collection that is assigned as the destination for content migration by
using the Blank Site template.

Create a site collection


Create a site collection by using the Blank Site template
1. In Central Administration, on the top link bar, click Application Management.
2. On the Application Management page, in the SharePoint Site Management section,
click Create site collection.
3. On the Create Site Collection page, in the Web Application section, if the Web
application in which you want to create the site collection is not selected, on the Web
Application menu, click Change Web Application.
4. On the Select Web Application page, click the Web application in which you want to
create the site collection.
5. In the Title and Description section, type the title and description for the site
collection.
6. In the Web Site Address section, under URL, select either the root directory ("/") or
an included path (for example, "/sites/") to use for your URL.
If you select a wildcard included path such as /sites/, type the site name to use in your
site's URL.

Note:
The paths available for the URL option are taken from the list of managed paths
that have been defined as wildcard inclusions. For more information about
managed paths, see the topic Define managed paths in the Central
Administration Help (http://technet.microsoft.com/en-us/library/cc263179.aspx)
system.
7. In the Template Selection section, in the Select a template list, on the
Collaboration tab, click Blank Site.
8. In the Primary Site Collection Administrator section, specify the user name for the
user who will be the site collection administrator.
You can type the user name in the User name box or use the Browse button to search
for a user.
9. If you want to designate a user as the secondary administrator of the new top-level
Web site (recommended), in the Secondary Site Collection Administrator section,
specify the user name for the secondary administrator of the site collection.
10. If you want to use a quota to limit resource use for site collections, in the Quota
Template section, select a template in the Select a quota template list.
11. Click OK.
For information about how to perform this procedure using the Stsadm command-line
tool, see Createsite: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262594.aspx)
and Addpath: Stsadm operation (http://technet.microsoft.com/en-us/library/cc263161.aspx).

Add site content
In this section:
• Use Web site designers to design and add content
• Migrate content from another site
• Allow users to add content directly
There are several methods that you can use to add content to sites, including:
• Using Web site designers to design and add content.
• Migrating content from another site.
• Allowing users to add content directly.
Depending on your scenario, you may find particular methods more appropriate.
Use Web site designers to design and add content when you are working with:
• A published intranet portal site
• A published Internet Web site
Migrate content from another site when you are working with:
• A published Internet site in which authors create content in the authoring site. After you
migrate content, you use content deployment to deploy the content to the production site.
• A site or set of sites that is being reorganized.
Allow users to add content directly when you are working with:
• A collaboration site in which the site owner can create the lists and libraries that are
needed, and then grant site members access so that they can begin contributing content.
• A blog site in which the blog owner can set up the structure for the blog, and then start
creating posts.
• A wiki site in which the wiki site owner can grant access to users and the users can start
creating topics in the wiki.

Use Web site designers to design and add content


When you create a published site, Web site owners and designers must plan and implement
many elements, such as site navigation, site design (including master pages, page layouts, and
.css files), and the overall information architecture for the site. For more information about
planning for these elements, see Planning and architecture for Office SharePoint Server 2007
(http://technet.microsoft.com/en-us/library/cc261834.aspx).
Follow the steps in Enable access for end users to give the Web site designers permissions to
the site. When they have completed their work, you can then optionally grant access to authors to
contribute content before you grant access to the other users in your organization or before you
make the site available to the public on the Internet.

Migrate content from another site
When you are using a published site, you can author content in one site collection and then
publish it to another. For this scenario, you must create a blank site collection to migrate the
content into. For more information, see Create a blank site to migrate content into.
If you are reorganizing an existing site and need to migrate content to a different site collection,
you can use several methods to migrate the content. You can use:
• The Export and Import operations for the Stsadm command-line tool to migrate site
collections or subsites.
For more information about using Stsadm operations, see the following resources:
• Export: Stsadm operation (http://technet.microsoft.com/en-us/library/cc262759.aspx)
• Import: Stsadm operation (http://technet.microsoft.com/en-us/library/cc261866.aspx)
• The Content Migration object model to programmatically move content at any level in the
site (Web site, list, library, folder, file, or list item).
For more information about using the Content Migration object model, see "Content Migration
Overview" in the Windows SharePoint Services 3.0 Software Development Kit
(http://go.microsoft.com/fwlink/?LinkId=86999&clcid=0x409).
• Microsoft Office SharePoint Designer 2007 to migrate individual lists or libraries to the
appropriate place in the new site hierarchy.
For more information about using Office SharePoint Designer 2007, see the following articles
in the Office SharePoint Designer 2007 Help system:
• Export or import a Web package (http://go.microsoft.com/fwlink/?LinkId=87002&clcid=0x409)
• Back up, restore, or move a SharePoint site (http://go.microsoft.com/fwlink/?LinkId=87003&clcid=0x409)
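Export and import from a PowerShell 2.0 prompt, as an added example that is not part of the original guide, using the Stsadm parameters from the Export and Import topics linked above. The source and destination URLs and the migration file share are assumptions. Two points the list above does not spell out: -includeusersecurity carries the source site's users, groups and role assignments into the destination, which is what you want when reorganizing within one environment but which also brings over pilot or test accounts and their permissions when moving between farms; and the .cmp package holds the complete content of the site together with the users and groups it references, so keep it on an access-controlled share and remove it once the import has been reviewed.

```powershell
# Added example (not from the guide): migrate a site with Stsadm export/import.
# Assumed values: the source and destination URLs and the migration share.
$stsadm    = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe"
$sourceUrl = "http://authoring.contoso.com/sites/news"
$targetUrl = "http://portal.contoso.com/sites/news"   # blank site collection created beforehand
$package   = "\\fileserver\migrations\news-$(Get-Date -Format yyyyMMdd).cmp"

# Export all versions, keep users, groups and role assignments, stop on fatal errors.
& $stsadm -o export -url $sourceUrl -filename $package -includeusersecurity -versions 4 -haltonfatalerror -overwrite
if ($LASTEXITCODE -ne 0) { throw "export of $sourceUrl failed with exit code $LASTEXITCODE" }

# Import into the blank destination. Without -includeusersecurity the imported
# items would carry none of the source permissions and would show the account
# running the import as Created By / Modified By.
& $stsadm -o import -url $targetUrl -filename $package -includeusersecurity -haltonfatalerror
if ($LASTEXITCODE -ne 0) { throw "import into $targetUrl failed with exit code $LASTEXITCODE" }

# Stsadm writes a log next to the package (package name plus .import.log) unless
# -nologfile is given. Warnings do not change the exit code, so scan for them.
$warnings = Get-Content "$package.import.log" | Select-String -SimpleMatch "Warning"
if ($warnings) {
    "Import finished with {0} warning line(s); review them before granting access:" -f $warnings.Count
    $warnings
}

# Large exports are split into numbered .cmp parts (25 MB each by default, see
# -cabsize). Remove every part once the imported site has been reviewed; the
# package is effectively a full backup of the site and its permission manifest.
$dir  = Split-Path $package
$name = [IO.Path]::GetFileNameWithoutExtension($package)
Remove-Item (Join-Path $dir "$name*.cmp") -Force
```

After an import that used -includeusersecurity, walk the destination's permissions before opening the site to end users; the audit script under Add site owners or other users later in this chapter shows one way to list users who hold permission levels directly.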

Allow users to add content directly


If you want your site owners to begin adding content directly to a site, you can immediately grant
them access and allow them to control the site's organization and design.
Follow the steps in Enable access for end users to give your end users permissions to the site.
After you grant permissions, users can begin adding content. For more information about adding
content to sites, see the Help system for Microsoft Office SharePoint Server 2007.

Enable access for end users
In this section:
• Add site collection administrators
• Add site owners or other users
After you create your site collection and populate it with content, you are ready to grant access to
end users. This section helps you configure administrative and user permissions for a site
collection. Note that you can also configure permissions for the following securable objects within
a site collection: site, list, library, folder, document, or item. For more information about assigning
permissions for different securable objects within a site collection, see Plan site security
(http://technet.microsoft.com/en-us/library/cc262778.aspx).
In Microsoft Office SharePoint Server 2007, you can enable access to the site collection by using
different methods, based on the type of site collection. The following list describes some
examples of these methods:
• If this is a published site collection intended for an Internet audience, you can publish it to
the blank site collection that you created as a destination by using the content deployment
features. After you publish it, you can then configure the appropriate permissions for the new
environment. For more information about publishing a site collection by using content
deployment, see Plan content deployment (http://technet.microsoft.com/en-
us/library/cc263428.aspx) and the Content Deployment topics in the Central Administration
Help (http://technet.microsoft.com/en-us/library/cc263179.aspx) system.
• If this is a site collection in a development or pilot environment, you can migrate the site
collection to your production environment by using import and export, and then configure the
appropriate permissions for the new environment. For more information about using import
and export, see Export: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc262759.aspx) and Import: Stsadm operation (http://technet.microsoft.com/en-
us/library/cc261866.aspx).
• If this is a site collection intended to facilitate collaboration on the intranet, you can easily
add the users and groups that need access to the site collection. This section describes how
to perform these actions.
In most cases, these actions are not performed by farm administrators, but are performed by site
collection administrators or site owners. Moreover, these steps are performed in the site collection
itself, not in Central Administration. (However, you can add site collection administrators by using
Central Administration and by using the Site Settings page in the site collection.) Nonetheless,
this information is presented in the Deployment Guide because it is truly the final stage of
deployment — the stage when the site collection is made available for end users.

This section does not cover how to enable anonymous access. When you create a Web
application, you decide whether to allow anonymous access for site collections on that Web
application. For more information about anonymous access, see the following resources:
• Overview: Plan environment-specific security (http://technet.microsoft.com/en-
us/library/cc262974.aspx)
• Plan authentication settings for Web applications in Office SharePoint Server
(http://technet.microsoft.com/en-us/library/cc263304.aspx)
• Choose which security groups to use (http://technet.microsoft.com/en-
us/library/cc261972.aspx)
• "Enable anonymous access" in the Central Administration Help
(http://technet.microsoft.com/en-us/library/cc263179.aspx) system.

Add site collection administrators


When you created the site collection, you were required to supply the user name for at least one
site collection administrator. If the user name you supplied was not that of the actual
administrator for the site collection (for example, if you did not yet know who the administrator
would be and used your own user name), or if you need to change or add a user name for a site
collection administrator, you can do so by using the following procedure. Replace a placeholder
account rather than leaving it in place: site collection administrators have full control over
every site in the collection.

Note:
This procedure uses the Central Administration Web site, but you can also add a site
collection administrator from the top-level site in the site collection by using the Site
Settings page for the top-level site. On the Site Settings page, in the Users and
Permissions section, click Site collection administrators.

Add a site collection administrator


1. In Central Administration, on the top link bar, click Application Management.
2. On the Application Management page, in the SharePoint Site Management section,
click Site collection administrators.
3. If the selected site is not the site for which you want to manage administrators, on the
Site Collection Administrators page, on the Site Collection menu in the Site Collection
section, click Change Site Collection.
• In the Select Site Collection dialog box, select the site for which you want to
manage administrators.
• Click OK.
4. In either the Primary site collection administrator box or the Secondary site
collection administrator box, enter the user name of the user to whom you want to
assign that role.
5. Click OK.

Add site owners or other users
If you have not yet set up any groups for this site or site collection, you must set up groups before
you can add any users to groups. (You can also add users individually, without setting up groups,
but if you want to manage users efficiently, we recommend that you use groups.) To specify which
group to assign to site visitors, site members, site owners, or other groups, use the following
procedure. This procedure helps you set up the default groups, but you can also create additional
groups.

Note:
The SiteName Owners group has the Full Control permission level on the site, so you
can add users to that group to give them administrative access for that site. For more
information about groups and permission levels, see Determine permission levels and
groups to use (http://technet.microsoft.com/en-us/library/cc262690.aspx).

Set up Members, Visitors, and Owners groups for a site


1. On the site home page, click the Site Actions menu, point to Site Settings, and then
click People And Groups.
2. On the People and Groups page, on the Quick Launch, click Groups.
3. On the People and Groups: All Groups page, on the Settings menu, click Set Up
Groups.
4. On the Set Up Groups for this Site page, select a group for each set of users that you
want to change. Alternatively, select Create a new group to assign a custom group to a
set of users.

After you have configured groups for the site, you can add users and grant them permissions by
using the following procedure.

Add users to groups


1. On the site home page, click the Site Actions menu, point to Site Settings, and then
click People And Groups.
2. On the People and Groups page, on the Quick Launch, click Groups.
3. Click the name of the group to which you want to add users.
4. On the People and Groups: Group name page, on the New menu, click Add Users.
5. On the Add Users page, type the account names that you want to add, or browse to
find users in the Active Directory directory service.
6. In the Give Permission section, be sure that Add users to a SharePoint group is
selected and that the correct group is displayed.

Note:
In rare cases, you might want to give individual permissions to a user by clicking
Give users permission directly. However, assigning individual permissions to
many users can quickly become difficult and time-consuming to manage. We
recommend that you use groups as much as possible to efficiently manage site
access.
7. Click OK.
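The two procedures in this section, Add a site collection administrator and Add users to groups, performed from a PowerShell 2.0 prompt on a farm server and followed by a permissions audit, as an added example that is not part of the original guide. The Stsadm operations used (siteowner and adduser) are documented operations; the audit uses the Windows SharePoint Services 3.0 object model from Microsoft.SharePoint.dll. The site URL, the CONTOSO accounts and the group name are assumptions. The audit lists the site collection administrators and every user, as opposed to group, that holds a permission level directly on the root site or on any subsite that has stopped inheriting permissions, which is exactly what the note above recommends avoiding.

```powershell
# Added example (not from the guide): grant access with Stsadm, then audit the
# result with the WSS 3.0 object model. Run on a farm server under an account
# that can open the site collection. URL, accounts and group name are assumptions.
$stsadm  = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe"
$siteUrl = "http://portal.contoso.com/sites/migrate"

# "Add a site collection administrator": replace the placeholder primary
# administrator used at creation time and set a secondary one.
& $stsadm -o siteowner -url $siteUrl -ownerlogin "CONTOSO\j.doe" -secondarylogin "CONTOSO\sp-siteadmin2"
if ($LASTEXITCODE -ne 0) { throw "siteowner failed with exit code $LASTEXITCODE" }

# "Add users to groups": -group adds the user through the SharePoint group
# ("<site title> Members" by default) instead of granting a permission level
# directly, which is the equivalent of "Add users to a SharePoint group".
& $stsadm -o adduser -url $siteUrl -userlogin "CONTOSO\a.author" -useremail "a.author@contoso.com" -username "Ann Author" -group "Migration target Members"
if ($LASTEXITCODE -ne 0) { throw "adduser failed with exit code $LASTEXITCODE" }

# Audit with the object model.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

function Get-DirectUserGrants {
    # Returns one record per user (not group) that is a direct member of a role
    # assignment on this Web, then recurses into subsites with unique permissions.
    param([Microsoft.SharePoint.SPWeb]$Web)
    if ($Web.HasUniqueRoleAssignments) {
        foreach ($ra in $Web.RoleAssignments) {
            if ($ra.Member -is [Microsoft.SharePoint.SPUser]) {
                $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                New-Object PSObject -Property @{
                    Web         = $Web.Url
                    User        = $ra.Member.LoginName
                    DomainGroup = $ra.Member.IsDomainGroup   # AD groups also appear as SPUser
                    Levels      = $levels
                }
            }
        }
    }
    foreach ($child in $Web.Webs) {
        try { Get-DirectUserGrants -Web $child } finally { $child.Dispose() }
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
try {
    $root = $site.RootWeb
    "Site collection administrators of $siteUrl :"
    foreach ($admin in $root.SiteAdministrators) { "  " + $admin.LoginName }

    "Users holding permission levels directly (the guide recommends groups instead):"
    $direct = @(Get-DirectUserGrants -Web $root)
    if ($direct.Count -eq 0) { "  none" }
    else { $direct | Format-Table Web, User, DomainGroup, Levels -AutoSize }
}
finally { $site.Dispose() }
```

Entries with the Limited Access level are created by SharePoint itself when a user has been granted access to a list, folder or item further down the site, so they point to item-level direct grants worth reviewing as well. Domain groups show up as SPUser objects with IsDomainGroup set; granting access to a domain group directly is a reasonable pattern, whereas a long list of individual accounts is the case the note above warns about.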

For more information about managing users and groups, see "Grant access to the portal site" in
the Help system for Office SharePoint Server 2007.
