But, what happens when you want to add additional information from external systems to supplement the richness of you Active Directory data? Well, you need to use BCS (Business Connectivity Services). BCS is an evolution to the functionality of MOSS’s (Microsoft Office SharePoint Server) 2007 BDC (Business Data Catalog).

What started out as a simple lab to get a proof of concept up and running really turned into a bit of a hair pulling ordeal. I’ll go through it here so that someone else doesn’t have to go through the same stress as I had to. From what I gather there’s quite a few people out there who are trying to get this running but are faced with the dreaded error;

“Microsoft.MetadirectoryServices.NoSuchObjectTypeException: No such object type “user”.
at Microsoft.MetadirectoryServices.Impl.TypeDescriptionCollectionImpl.get_Item(String Name)

So. Onto the Step by Step guide to enlightenment, so I hope. Just as a note, I’ll be importing some Customer details into my profile from the Northwinds sample database. This database can be downloaded from;

http://www.microsoft.com/downloads/details.aspx?familyid=06616212-0356-46a0-8da2-eebc53a68034&displaylang=en

Firstly go ahead and download the database. You can either run the .sql file to create the DB or simple to an attach. Once you have the DB attached to your SQL back-end you should be able to query the sample data as follows;

This is the sample data we’ll be using. In our simple test I’ll be adding an Alternate Company to my Active Directory profiles, this data will be pulled from the Customers table using the CompanyName table.

The first thing we need to do is create and ECT (External Content Type). With BCS the focul point is, it’s all about External Content Types definitions. The simplest method of generating these ECTs is using SPD (SharePoint Designer) 2010. Once we’ve created our ECT it’ll be stored in the ECT Catalog, also known as the metadata catalog.

So lets fire up SPD and create an External Content Type. Open up a Team Site where you want to test out your ECT. To ensure our ECTs are working we’ll create a list afterwards and display the Northwinds customers using the SharePoint native interface.

In SPD go to External Content Types in Site Objects.  Click External Content Type. You’ll be presented with a new ECT page;

Enter a Name such as NorthwindCustomers. Enter a Display Name as Northwind Customers. In my example I’ve changed the Office Item Type to Contact as I want to take the list offline for later use. It’s up to you, the only extra step you need to do is map the properties in the Northwinds database to Office properties.

Click the Click here to discover external data sources an…  Click Add Connection and select SQL Server. Fill in  your Database Server, Database Name and optional name. Leave Connect with User’s Identity as the default. Once you have done this, you’ll notice that your Northwinds database has been added to your Data Source Explorer as follows;

Expand your Northwindows database and right click Customers. Select Create All Operations.

You should be presented with Operations Properties wizard now. For the ease of this guide I’ve selected All Operations but in your day to day BCS solutions you might want to limit what you want you users to perform using CRUD (create, replace, update, delete) for security sake.

Select Next on the Operations Properties wizard. Since I’ve chosen the Office Item Type as Contact I will now need to map the Data Source Elements such as CompanyName to an Office Property like Company Name (CompanyName). I will also check the Show In Picker box as I want to be able to view the results from any searches. Perform these steps for as many elements as you see fit. A word of warning too, leave the CustomerID Data Source Element as Read-Only in the Properties. You dont want your users overwriting your identifier for the field that we’ll use later for our 1 to 1 profile relationship.

Click Finish. Then select Summary View in SPD to view your settings and save your changes. They should look something like this.

Congratulations. You’ve just created your first ADO.NET ECT and now we’re ready to expose the contents of our Customers table from the Northwinds database. The simplest method to create your External List and InfoPath form is to use the Create Lists & Form button on the SPD ribbon. Select the newly created ECT and then select Create Lists & Form from the ribbon to bring up the. Fill in the List Name details and also check the Create InfoPath Form checkbox. Your entry should look something like this;

Once you click OK this will go ahead and create the External List and InfoPath form in the Team Site that you used when creating the ECT. If you refresh your Team Site home page you should see a new list in the Quicklaunch bar. Before you can use the your new ECT you need to set the permissions for your ECT else you will receive the following message;

Access Denied by Business Data Connectivity.

To apply the permissions for your ECT you need to go to your Central Administration > Manage Service Applications > Business Data Connectivity Service > Select the Set Permissions action on your ECT. Open your People Picker up and search for All. Select your All Authenticated Users and check each Permissions that you would apply to this user/group. For our guide we’re allowing all permissions on this ECT for the All Authenticated Users group.

Once you set your permissions on the ECT you will be able retrieve the Customers table from the Northwind database as follows. A word of caution, you will need to close down your browser session and open your Team Site up again as you need to re-authenticate against the site again for the External List to work work.

Congratulations, you’ve now you’ve created your first External List based on a ADO.NET External Content Type. Imagine the possibilities in connecting out disparate LOB (Line of Buiness) systems out there in your organisation and having them surfaced by using native SharePoint External Lists, this is only the tip of the ice berg on what is possible.

Now I’m going to assume that your profile imports are working correctly when importing from Active Directory (AD). If you’re AD imports aren’t working then please get that up and running and move on to the next steps. A word of notice is that the BCS profile import cannot be the primary data source for profile imports, we can only supplement information from LOB systems and add them to our AD Profiles.

In this example as I mentioned initially, I’ll be adding an Alternate Company to my Active Directory profiles, this data will be pulled from the Customers table using the CompanyName table. The first step we need to perform is by adding a new User Property. In my example I will add to each user a Alternate Customer ID field that will have this fields data correlate back to the CustomerID column of the Customers table, this is how we establish our 1 to 1 relationship between our AD profiles and our BCS profiles. This Alternate Customer ID propoerty will only be a SharePoint local property, but in a real world example this can be brought in from Active Directory via one of the other attributes.

To create the new User Property go to Central Administration > Manage Service Applications > User Profile Service Applications > Manage User Properties. Select New Property and fill in the contents as follows.

Name: CustomCustomerID
Display Name: Alternate Customer ID
Type: String
Length: 5 (Since our column CustomerID is on 5 nchar in the Customers table)

Under Policy Settings change the Required Policy Setting to Optional. The rest of the property settings can be set however you like. Click OK and we’re ready to start setting up our BCS User Profile Synchonrization Connetion. Go to your User Profile Service Application > Configure Synchronization Connections > Create New Connection.

Enter a Connection Name as Northwinds, Type as Business Data Connectivity. In the Business Data Connectivity Entity select your Northwind Customers External Content Type. Now this is the import part, we need to map our CustomCustomerID to our Extrernal Content Type to create the 1 to 1 relationship. Select our CustomCustomerID property as the identifier.

Click OK and save your now synchronization connection settings. Now, we need to quickly jump back in the Manage User Profiles page and add the Alternate Customer ID data in. This will then be used to import the Alternate Company Name via BCS. Like I mentioned previously, instead of an Alternate Customer ID property that we have here, you can use an AD attribute to perform the same function, usually a mail or employeeid attribute is the way to go, anything which correlates your HR systems and AD will work.

Before we can start the profile import we need to add another User Property that will surface the Alternate Company Name data from the CompanyName column. Create a New Property with the follow values;

Name: CustomCompanyName
Display Name: Alternate Company Name
Type: String
Length: 40 (Since our column CustomerID is on 40 nvarchar in the Customers table)

Under Policy Settings change the Required Policy Setting to Optional. The rest of the property settings can be set however you like util you scroll to Property Mapping for Synchonization. Select Northwinds as the Source Data Connection, select CompanyName as the Attribute. Click Add to the add the Property Mapping to the new User Property.

Click OK and you are done with User Properties.

Lets go ahead and populate our Alternate Customer ID properties in some test profiles. I’ve got several properties imported here from my dev box so I’ll go ahead and add the CustomerID data from the Customers table in the Northwind database. As a simple test, you can add 1 or 2 Alternate Customer ID entries initially and the profile import will only import those 1 or 2 BCS profiles. So I’ll add 2 for now and we’ll check the Forefront Identity Manager 2010 client that those 2 profile are only imported.

Lets add ALFKI as the Alternate Customer ID to one of our profiles, which is the first record in the Customers table. Lets find another profile and add ANATR to the Alternate Customer ID. Once we perform a Full Import will expect to have the Alternate Company Name supplemented by our BCS import.

We’ve pretty much set up all the plumbing, lets kick off our Full Import. Go to Central Administration > Manage Service Applications > User Profile Service Application > Start Profile Synchonization > Start Full Synchronization.

With Microsoft SharePoint Sever (MSS) 2010, Microsoft has opted to use Forefront Identity Manager (FIM) 2010 instead of the SharePoint Search engine to perform the profile imports. With the install of MSS we also have the miisclient.exe that allow us to view and check certain preoprties during and after the import. You can find the tool in the following directory;

C:\Program Files\Microsoft Office Servers\14.0\Sychonization Service\UIShell

Open up miisclient.exe and view the impending profile import.

If all the steps were carried our correctly you will have success as the resultant message in the Status column all the way through. Success! All done.

Now if you check any of you modified user profiles that you added your Alternate Customer ID, you will notice that the Alternate Company Name has been supplemented. Phew! That was a long guide.

When I initually ran across the No such object type “user” error message what finally allowed to me fix the problem was drilling further into the workings of the miisclient.  Open the miisclient, go to Management Agents > Select MOSSBDC-Northwinds > Select Proprties in the Actions Menu > Configure Additional Parameters.

Notice on the righthand side the MossJoinAttribute and BDCJoinAttribute.

Ensure that these attributes are the correct entries for the 1 to 1 relationship between your LOB system and your MOSS profile. BCS needs to know how to correlate these two fields together to supplement each user’s profile, hence the error.

Hope this helps quite a few of you out there as I know this was a major feature we had to get up and running for our global rollout.

Kristof Kowalski / kristof@kowalski.ms

Share

Our organisation is a large multinational with major regional sites around the world, unfortunately not every regional site has SharePoint Administrators available for their disposal.

With that in mind we wanted to cut down on the administrative overhead around the regions and also centralise most of the common Service Applications. In SharePoint server you can publish certain Service Applications across farms as outlined in the following TechNet article;

Share service applications across farms (SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/ff621100.aspx

For now we are very much interested in publishing the User Profile and Search Service Applications. I’ll delve further into the others in later posts. Since we’re embarking on a worldwide My Sites launch, we wanted to centralise the User Profile Service Application on our Enterprise Service Applications Farm and have it consumed by our regional Collaborative farms. We wanted a simple way of allowing the primacy of user profile data without the need of replicating this data by using tools such as the User Profile Replication Engine (UPRE).

On top of this we wanted to centralise our Search Service Application to allow a greater level of relevancy from our search results. One caveat is that the Crawl Components would have to reside on our Enterprise Farm and then crawl all the regional farms, we took this decisions as relevancy takes place this central farm. If we opted for the whole Federation scenario we’d have a disjoined solution where each farm calculates its own relevancy and returns the results back to the end user without taking into effect the results of all the other farms. After all in the search world, relevancy is king.

I’ve been battling away at the steps that Microsoft provided and from what I can see it partially gets you there, so I’ll try and fill in the blanks for everyone. There are several steps you need to take, so grab yourself a strong caffeinated drink and let’s crack on.

Firstly we need to establish a trust between our Publishing (Enterprise) Farm and Consuming (Collaboration) farm. Lets go ahead and exchange trusts certificates between the farms;

- To export the root certificate from the consuming farm
- $rootCert = (Get-SPCertificateAuthority).RootCertificate
- $rootCert.Export(“Cert”) | Set-Content C:\ConsumingFarmRoot.cer -Encoding byte

- To export the STS certificate from the consuming farm
- $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
- $stsCert.Export(“Cert”) | Set-Content C:\ConsumingFarmSTS.cer -Encoding byte

- To export the root certificate from the publishing farm
- $rootCert = (Get-SPCertificateAuthority).RootCertificate
- $rootCert.Export(“Cert”) | Set-Content C:\PublishingFarmRoot.cer -Encoding byte

- Copy all certificates to publishing and consuming farm

- To import the root certificate and create a trusted root authority on the consuming farm
- $trustCert = Get-PfxCertificate C:\PublishingFarmRoot.cer
- New-SPTrustedRootAuthority EnterprisePublishingFarm -Certificate $trustCert

- To import the root certificate and create a trusted root authority on the publishing farm
- $trustCert = Get-PfxCertificate C:\ConsumingFarmRoot.cer
- New-SPTrustedRootAuthority EUConsumingFarm -Certificate $trustCert

- To import the STS certificate and create a trusted service token issuer on the publishing farm
- $stsCert = Get-PfxCertificate c:\ConsumingFarmSTS.cer
- New-SPTrustedServiceTokenIssuer EUConsumingFarm -Certificate $stsCert

On the Publishing farm go the Central Administration > Manage Service Applications

-          For each Service Application you want to publish, select the service application and click Publish

-          In our case we select the User Profile Service Application and Search Service Application

-          Select your connection type. Since I want to user encsyrpted communication I select https.

-         Select Publish this Service Application to other farms check box

-          Now the important part, write down the Service Application Published URL. Not down the urn:….

-          You can place a Description or Information URL. We stick in details of who published it, when and who to contact in case of issues.

On the consuming farm, set the permission to the appropriate service applications.

- To set permission to the Application Discovery and Load Balancing Service Application for a consuming farm
- Get-SPFarm | Select Id
- Write down the Farm Id for later use, in my example the Consuming Farm Id is 66cc8542-a854-4155-8557-27e47ef363e4.

- To set permission to the Application Discovery and Load Balancing Service Application for a publishing farm

- $security=Get-SPTopologyServiceApplication | Get-SPServiceApplicationSecurity
- $claimprovider=(Get-SPClaimProvider System).ClaimProvider
- $principal=New-SPClaimsPrincipal -ClaimType “http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid” -ClaimProvider $claimprovider -ClaimValue 66cc8542-a854-4155-8557-27e47ef363e4
- Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights “Full Control”
- Get-SPTopologyServiceApplication | Set-SPServiceApplicationSecurity -ObjectSecurity $security
- Go to Permissions of Published Search SAs and search for 66cc8542-a854-4155-8557-27e47ef363e4, add Full Control
- Check Permissions of Publishing Farm Application Discovery Load Balancer Service Application to ensure the claim provider of the Remote Farm is set

On the consuming farm, connect to the remote service application, go to Central Administration > Manage Service Applications

-          For each Service Application you want to connect, select the service application and click Connect

-          In our case we select the User Profile Service Application Proxy and Search Service Proxy

-          Paste in the Published URL of the Service Application you want consume

-          Select the Service Application and Click OK.

-          Double check in Service Applications that you have each of the Connected to:…  entries listed.

All that is left to do now is test. Create a simple Enterprise Search Centre site and perform a search. Assuming all the steps have been followed correctly we should receive our search results and you will also have a richly populated People Picker with the Enterprise Farms profile properties.

Cheers,

Kristof Kowalski // kristof@kowalski.ms

UPDATE 1: If you get any of the following errors in the ULS logs make sure you re-connect your Service Applications to the Publishing farm again and ensure that you have the correct Claim added to the Application Discovery and Load Balancing Service Application as well as the Search Service Application.

SearchServiceApplicationProxy::GetLocationConfigurations–Error occured: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channel…

Share

One compelling reason for a multinational company like ours is to use the new phonetic search. An example a phonetical search is someone looking for Geoff Bridges.  A user can type in either Geoff or Jeff Bridges and be presented with the correct user details. Another example search is if you plug in Mike Jones, you will return back either Mike Jones or a Michael Jones.

We’ve noticed that the phonetic search hasn’t been working on our instances at all so a bit of digging around and I’ve come with some interesting facts.

All the phonetics and synonyms of each word are held in a text file, about 25MB in size in the following location;

C:\Program Files\Microsoft Office Servers\14.0\Bin\languageresources.txt

Upon further investigation since all our clients have the English (United Kingdom – LCID 2057) set in the regional settings and the the phonetics dictionary has mostly English (United States – LCID 1033), we got no phonetical search at all. A simple case of changing the browser’s user agent language settings to en-US (1033) gives you a workaround but not necessarily a total solution.

Hope this helps someone out as we were scratching our head for a little while. I’ll update the site again once I have a solution.

Kristof Kowalski // kristof@kowalski.ms

UPDATE 1: I’ve managed to find some more details about the Phonetic and Nickname Search issue. Here is what I have thus far.

• Phonetic / fuzzy matching on names, i.e. searching for  “Peat” and getting results for Pete  are done via  Speech Server in 2010 People Search.
• Different results for each different LCID (locale/language ID ) at query time – this is to be expected for both the above new features in People Search. Given that this behaviour is by design.
• Nickname matches are done via  the MSSLanguageResources table of the Search Service application database. This table is partitioned on LCID for different languages. indicates nickname matches and it is a separate  to phonetic matching.
• If you look into MSSLanguageResources table of Search Service application database, you can see mappings for the nick-names.
• What happens in the scenario of searching with the locale as en-US is: we are matching nickname results in en-US  - which mean with search term Mike we return:

Mike Scott (exact match )
Michael Scott (nickname match) – As per the above said table, Pete is  a valid nickname match for peter in the EN US LCID [i.e. 1033]

• For non English language LCIDs, the above said table does not have nickname entries by design for English names. In other words, there is no nick-name assigned for the LCID 2057 [which is EN-GB].

From all intensive purposes we should be able to add/remove nicknames via the New-spenterprisesearchlanguageresourcephrase cmdlet. In a simple test case we would be able to perform the following commands, my Search Application Id is df4fdf37-0fc3-45ab-b42f-64650e42d1a5;

New-spenterprisesearchlanguageresourcephrase –Name Michael -Language "en-GB" –Type "Nickname" –Mapping Mike -SearchApplication df4fdf37-0fc3-45ab-b42f-64650e42d1a5

New-spenterprisesearchlanguageresourcephrase –Name Mike -Language "en-GB" –Type "Nickname" –Mapping Michael -SearchApplication df4fdf37-0fc3-45ab-b42f-64650e42d1a5

That’s using Mike and Michael as the test users. When I added them to the Search Service Application and then need invoke the “Prepare query suggestions” job, as it only runs once every 24 hours;

Start-SPTimerJob -Identity “Prepare query suggestions”

I still don’t get the nickname matching at all. I can see that the job runs successfully but we don’t get back any results. Strange. To ensure that the new nicknames are added to Search Service Applicaiton DB, I ran the following query;

SELECT * FROM dbo.MSSLanguageResources WHERE Locale like ’2057′

Hmmm… All there. More investigation needed.

UPDATE 2: Have logged a call with Microsoft UK Premier support and this is reproducible, so it looks like it could be a bug. More to come, stay tuned.

UPDATE 3: With the help of Microsoft I’ve now been able to fix the issue. The crux of the problem is, when you install the pre-reuisites it installes the Microsoft Speech Platform Server Runtimes for en-US only. Since nicknames and phonetic search are done by the Speech server we were missing the language files for the localised searches to take place. So the fix is as follows;

• To install the desired runtimes, apart from en-US go to the following link;
  http://www.microsoft.com/downloads/details.aspx?FamilyID=E16641DB-B20C-4BB5-AB22-F382EB4F22F3&displaylang=en&displaylang=en#filelist
• Download only the SR (Server Runtime) languages and not the TTS (Text to Speech) files.
• Run the msi, it’ll finish the install without giving you a confirmation dialogue.
• Run “net stop osearch14″
• Run “net start osearch14″

You’ll be ready to rock n’ roll after this. From my above example, Mike and Micheal should work now based on the en-GB (2057 LCID). By adding the new language you will still manually have to manually add the nicknames using New-spenterprisesearchlanguageresourcephras, so rather then making up the nicknames on the fly I’ve gone ahead and converted the languageresources.txt to a CSV file and only kept the en-US (1033) nicknames. With this CSV file I can simply read the contents using the Import-CSV command. Here is the csv file as well as the PowerShell commands to import your nicknames for your particular language, remember to get your Search Application Id in my above example prior to running this command;

Download languageresources.zip.
$names = Import-Csv d:\temp\languageresources.csv
foreach ($line in $names) {
New-spenterprisesearchlanguageresourcephrase –Name $($line.name) -Language "en-GB" –Type "Nickname" –Mapping $($line.nickname) -SearchApplication df4fdf37-0fc3-45ab-b42f-64650e42d1a5
}

Start-SPTimerJob -Identity "Prepare query suggestions"

(Get-SPTimerJob -Identity "Prepare query suggestions").HistoryEntries | Format-Table -Property Status,StartTime,EndTime,ErrorMessage

Share

The Local Farm Is Not Accessible. Cmdlets With FeatureDependencyId Are Not Registered

Being early in the morning and all, I was kind of spooked as the error is not really that descriptive. Essentially what the error means is that you don’t have the necessary permissions to access the SharePoint configuration database.

In my case it was a stupid move on my part where UAC (User Account Control) was on and I didn’t run the SharePoint 2010 Management Shell as Administrator. Remember to elevate your privileges before running the shell!

For the people out there with genuine permisions issues on this error, Add-SPShellAdmin is your friend. Check out more information here;

Add-SPShellAdmin

http://technet.microsoft.com/en-us/library/ff607596(office.14).aspx

Kushdie!

– Kristof Kowalski // kristof@kowalski.ms

Share

Now before I started on this journey I didn’t realise what a pullava it would be to install trusted public certificates on BlackBerry Enterprise Server (BES) Express 5.0. If anyone from Research in Motion (RIM) or O2 is reading, wake up to yourselves! It’s ridiculous that we have to go through these steps I’m about to outline. Also, if someone from a large Enterprise calls up the support line and states that you would like to replace the self signed certificate with a publicly trusted one and publish the BES WebDesktop via ISA, don’t reply back, what would you want to do that? Fail.

I’m writing this little blurb to save someone out the mental anguish and therapy bills I had to go through!

So once you have your BES server up and running with the self signed certificate and ensured that your WebConsole and WebDesktop sites are working you’re good to go. A lot of these steps are a gathering of scattered resources, so I’ll provide links but everything should work step by step on this page. There are two directories you need to be aware of first of all, I’m running this on a x64 machine;

# Jave Runtime Environment Keytool Path
“C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe”

# BlackBerry Administration Service Keystore path
“C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore”

Lets go ahead and check what is in the web.keystore first of all, this will check which certificates are in a Java keystore. Notice one alias called httpssl, this is the certificate we’ll need to change. The password of the keystore was generated when you first installed the product, so note it down as you will be asked to enter over and over again. There’s heaps of links on how to change this if you’ve forgotten it;

“C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe” -list -v -keystore “C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore”

So lets go ahead and look at our httpssl certifcate to ensure it’s there. If it’s there, all good, else we’ll need to create another one later on;

“C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe” -list -v -alias httpssl -keystore “C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore”

Now this is where it all starts to get a little ‘exciting’. You can delete the httpssl alias from the keystore and still have the WebDesktop and WebConsole sites accessible, just DON’T restart your server or the BlackBerry Administration Service (BAS) services! Word of warning, if you do, then your users won’t be able to access those sites. So let’s delete the httpssl alias as we’ll be creating a new one. If you perform a generate a new key and generate a new certificate request with the current certificate VeriSign will moan that you do not have all the Owner details entered correctly.

“C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe” -delete -alias httpssl -keystore “C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore”

Let’s go ahead and generate the new key and certificate request for the httpssl alias. When generating your certificate request the Full Name is your intended URL you will be publishing to your users, which intern should be the same as the Administration Service – High Availability – Poll Name setting in the BlackBerry Server Configuration application;

“C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe” -genkey -keyalg RSA -alias httpssl -keystore “C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore”

“C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe” -certreq -alias httpssl -file certreq.csr -keystore “C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore”

This will not generate your certreq.csr file which you can upload to VeriSign. It might take a couple of days for your certificate to come through so you can go ahead and install the VeriSign Intermediate certificates to complete the certificate chain. Get your VeriSign Intermediate CA Certificates;

https://knowledge.verisign.co.uk/support/ssl-certificates-support/index?page=content&id=AR657&actp=LIST&viewlocale=en_US

Once you have your certificates, import the public root or intermediate CA certificate into your Java keystore;

“C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe” -import -trustcacerts -alias evprimary -file primary_EV_inter.cer -keystore “C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore”

“C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe” -import -trustcacerts -alias evsecondary -file secondary_EV_inter.cer -keystore “C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore”

Hopefully by this time you will have received your signed certificate from VeriSign and you’re good to go for the last import. Import your signed certificate to your Java keystore;

“C:\Program Files (x86)\Java\jre1.6.0_15\bin\keytool.exe” -import -trustcacerts -alias httpssl -file blackberry.cer -keystore “C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore”

You are done. All that remains now is the big test of restarting the BAS services and ensuring it works. After speaking to RIM at great length, you will know if your certificates were successfully imported as when you restart your BAS services. An easy way of checking this is bring up Task Manager, watch the BAS-AS.exe*32 service, if it sites at 19MB then you have issues. Wait till the service consumes about 190MB as the RIM engineer put it and then try logging into your WebDesktop or WebConsole site.

With any luck you are done and you’ve removed any certificate warnings from your BES WebDesktop and WebConsole sites.

If you work for a large enterprise then you no doubt will want to publish the WebDesktop site to your users, so they can configure their BlackBerrys on the go. For this to work you need to export the certificate we imported, with its associated private key and install it on each ISA Array member. I’m not going to go through the publishing of the WebDesktop site as that is the easy bit, what’s annoying about this whole procedure is exporting the certificate again with its private key! Ahhhh! Hair pulling time again.

So without further ado here is the procedure to create your certificate’s pfx file so you can then go ahead install it on your Windows machine private certificate store. For this to work you need to install OpenSSL for Windows which can be downloaded from;

http://www.openssl.org

Once you have OpenSSL up and running you need to go ahead and download jks2pfx.zip from;

http://www.myssl.cn/download/jks2pfx.zip

Extract the contents to a folder and then run the JKS2PFX.bat file with your particular details. If all goes well, it will ask your enter a password and this will be the password you need to enter importing the pfx file into your ISA Array member’s certificate store.

Hopefully this little guide will save your sanity as it was driving me around the bend.

PS. If you copy and paste the commands you’ll need to change the “quote” marks to the generic command line ones. You’ve been warned.

Kristof Kowalski – kristof@kowalski.ms

Share

Anyway, in my test lab I’ve been getting the following error when access Communicator Web Access (CWA) from a remote machine;

Cannot sign in because your computer clock is not set correctly or your account is invalid. (Error code: 0-1-492)

Now Microsoft has a KB article about this error;

http://support.microsoft.com/kb/968978

.. but from what I notice a lot people out there don’t know how to apply Service Principal Names (SPNs) correctly. So to resolve this issue, add a Kerberos SPN to the CWAService account that matches the CWA Web site alias, such as https://im.contoso.com.

To perform the task you must have membership in Domain Admins, Enterprise Admins, or you must have been delegated the appropriate authority;

setspn -A HOST/im.contoso.com CONTOSO\CWAService

Enjoy.

Kristof Kowalski

Share

LookSee 2.6 came out at the end of November and for the foreseeable future this will be final release.

The project will be on hold indefinitely, a bit like Tiger Woods’ golf career!    .. I need to focus all my time and energy on the new Microsoft SharePoint Portal Server 2010 release and get to grips with this. Along with the major feature upgrades one would expect, I’ll be expanding my horizons into the .NET world a little bit more and getting to grips with the new SDK.

So for now, it’s been fun, but not necessarily the end of the iPhone development life.

Kristof Kowalski | kristof@kowalski.ms

Share

This update was relatively quick, for Apple’s standards. Just under two weeks from upload to approval, so looks like things are improving. It’s no where near the one week approval it used to be back in the day, but at least it’s not the three months I waited before.

This 2.1 release addresses the page jumping issue when zooming in/out of a PDF file and also a small crash when you cancelled the Feedback email.

There will b a 2.5 release out shortly and then it’s onto the big mumma, version 3.0.

Enjoy.

Kristof Kowalski | kristof@kowalski.ms

Share

It’s been a busy several days, especially so since version 2.0 was released. This was a massive step forward in functionality but with that there is sometimes the odd defect gets through. Once 2.0 was released and some feedback was received, I had the 2.1 update on there a couple of days afterwards.

In that time version 2.5 has been coming along quite nicely. This is to tie up some lose ends and features that did not make it into the 2.0 time frame. Some more quality testing needs to be done on this release and it’s pretty much done, which I’m thinking the update will be up in a couple of days.

Version 3.0 has already started and I have to say this is the grand daddy of updates. This is finally where I want LookSee to be as a complete product. It’s quite an ambitions step as to the features that will come in but I’m sure it can be done. Can’t really mention anything yet but rest assured that it will firmly place the App up the top in terms of features.

Kristof Kowaklski | kristof@kowalski.ms

Share

Just wanted to say there was a slight quality control issue with the release of the 2.0 version.

When you Zoom In and Out the page numbers will jump when viewing PDF files. How this escaped this eagle eye is beyond me, but there is a 2.1 release sitting in the App Store approval process already.

Apologies and rest assured the the offending party has been reprimanded! … Ah yeah that, would be me!?! <spank>

Kristof Kowalski | kristof@kowalski.ms

Share