Microsoft’s SharePoint Portal Server (SPS) 2 is due to ship in 2003, with new capabilities that look likely to include single sign-on (SSO), user and application management services, and personalization. Meanwhile, though, SPS1 has already been deployed among more than seven million users. What can administrators do to make SPS1 more workable while they wait for the next generation of the product to come around?
Many observers view SharePoint as a good value for organizations interested in a cost-effective intranet server. SPS1’s document management features also win fairly high marks. SharePoint, though, is just about entirely Microsoft-centric. Other problem areas range from deployment to backup and recovery, security, and integration with other Microsoft products, particularly .NET servers. Some other features — such as approval routing and database queries — could stand improvement, too.
“Easy to install, but not to deploy”
“Microsoft is telling people left and right that SharePoint will be easy to deploy,” said Bill English, a consultant, trainer and author specializing in .NET platforms. “SharePoint is easy to install, but it isn’t easy to deploy.” Many of the difficulties center on setting up taxonomies such as categories and keywords. Major inconsistencies can make SharePoint virtually unusable. “Plan, plan, plan — and then train, train, train,” English advised.
“I’m sorry to be blatantly blunt, but (SP1’s) backup stinks,” English said during a recent presentation. “[It] does not integrate with the Windows backup API. There’s no per item backup. You can only restore an entire image.
“This is a huge sticking point for some organizations,” he added. SPS1’s workspace archive “does not restore portal or Web parts.”
To perform backup/restore, you must use the command-line script msdmback.vbs, located in the bin directory. You can schedule backups by using either VBScript or JScript, or by producing a script file that can be called by Task Scheduler.
Backup to a remote disk can be tricky, experts say. To do so, type the following at the command line:
msdmback /a domain\user password
This is the network account, and it becomes the default content access account, although it does not appear in the MMC. You must give this account the appropriate permissions, though, to avoid interference with indexing and crawling functions. In the command, replace domain\user with the domain and user name of the account running the backup, and replace password with the password for that account. Then run the msdmback /b command and pass in the path to the remote share.
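A wrapper for the remote backup procedure above, written to be called by Task Scheduler; it is an added example, not code from the article or from Microsoft. The install path, share name and file names are placeholders, and only msdmback.vbs and its /a and /b switches come from the article.

```batch
@echo off
rem Added example (not from the article): SPS1 backup to a remote share,
rem written to be called by Task Scheduler.
rem Placeholders to replace: SPS_BIN, SHARE and the file names below.
rem Only msdmback.vbs and its /a and /b switches come from the article.
rem
rem One-time setup, typed by hand so the password is never saved in this file:
rem     cscript //nologo msdmback.vbs /a domain\user password
rem The account running this task also needs modify rights on the share,
rem because this script rotates and inspects the image file itself.
setlocal
set "SPS_BIN=C:\PLACEHOLDER\bin"
set "SHARE=\\PLACEHOLDER-SERVER\spsbackup"
set "IMAGE=%SHARE%\sps1-image.bak"
set "LOG=%~dp0sps1-backup.log"

echo [%DATE% %TIME%] backup start >> "%LOG%"

rem Keep the previous image until the new one has been verified.
if exist "%IMAGE%" move /y "%IMAGE%" "%IMAGE%.prev" >> "%LOG%" 2>&1

rem cscript keeps output on the console stream; wscript would open dialogs.
cscript //nologo "%SPS_BIN%\msdmback.vbs" /b "%IMAGE%" >> "%LOG%" 2>&1
set "RC=%ERRORLEVEL%"

rem The article does not say what msdmback.vbs returns on failure, so the
rem real test is that a non-empty image now exists on the share.
if not exist "%IMAGE%" goto :failed
for %%F in ("%IMAGE%") do set "SIZE=%%~zF"
if "%SIZE%"=="0" goto :failed

echo [%DATE% %TIME%] backup ok, %SIZE% bytes, script exit code %RC% >> "%LOG%"
exit /b 0

:failed
echo [%DATE% %TIME%] BACKUP FAILED, script exit code %RC% >> "%LOG%"
rem Put the last good image back so a restorable copy always exists.
if exist "%IMAGE%" del "%IMAGE%"
if exist "%IMAGE%.prev" move /y "%IMAGE%.prev" "%IMAGE%" >> "%LOG%" 2>&1
rem A non-zero exit makes the task show as failed in Task Scheduler.
exit /b 1
```

Because SPS1 can only restore an entire image, the script keeps the previous image until the new one has been checked.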
For better backup/restore, English suggested using a third-party product from CommVault in conjunction with SPS1.
SPS vs. STS
Microsoft’s plans for SPS2 include tighter integration with SharePoint Team Server (STS), according to Steve Ballmer of Microsoft. Already, some administrators are crying out for greater architectural similarities between the two products.
“We would like something comparable to eRoom, which offers a document repository as well as collaboration features in a unified interface. Why was a totally different architecture used for SharePoint Team Services instead of integrating this into SharePoint Portal Server?” asked one administrator, during a recent Microsoft Webcast.
Microsoft initially bundled SPS1 with the FrontPage version 2002 website-creation tool, as well as editions of Office XP that include FrontPage. SPS has also been provided as a download from the Web. Integration with other .NET products has always been on the drawing boards.
Generally speaking, Microsoft has been positioning SPS as a solution for document management in large workgroups, and STS as a solution for collaboration in smaller workgroups. Some users, though, are interested in deploying STS instead of SPS among larger groups.
“Does Microsoft have examples of STS in use for large teams? How is performance impacted?” asked another administrator.
Microsoft, in fact, has issued another white paper dealing with this very subject. “Obviously, there are a couple of things that are important to remember. One is that you’re dependent on the hardware because you’re pretty much feeding HTML pages through your server to your browser. It is also very important to remember that you’re writing all this data to a database,” noted Joseph Khalaf, a member of Microsoft’s Product Support Services Business Applications Group, during the Webcast.
SPS’s Approval Routing
In terms of document management, STS currently handles document publishing and internal check-in and check-out, according to Khalaf. SPS adds support for versioning and approval routing.
With regard to approval routing, SPS1 supports multiple approvals, with either serial or parallel routing. English contended, though, that the workflow engine isn’t flexible enough for more sophisticated workflow patterns, such as clearing a document with “three out of five” requested approvals. English pointed to the existence of nine or ten third-party workflow engines that can be used to augment SPS.
Security: IIS Integration, Permissions
Integration between SPS and IIS is still problematic, according to English. “Do not install the latest IIS security hot fixes with SharePoint,” he recommended. Otherwise, SPS is likely to crash. “The anti-virus hot fixes between service pack releases is what we’re talking about.”
Also, SPS permissions are less fine-grained than those in STS. “How can I configure file and folder level security on documents? I want to be able to add a document and have myself and a select group of people view the document. I then want to take another document in the same folder and assign permissions. Is this possible yet?” asked one reader, in Microsoft’s SharePoint forum.
A Microsoft consultant responded: “You cannot do file level security and even if you could, why would you want that? You can do folder-level security and all coordinators will have to see the file. The only thing you can do is put a password in the document.”
Another administrator raised a similar kind of problem. “I am able to manage my workspace from any PC that I log in (to) with local ‘Administrator’ ID. What modification should I make on my SPS server so the local Admin ID of any PC cannot manage my workspace? Security settings on the SPS server are ‘Coordinator’: myself and server’s Local Administrator group; ‘Reader’: Everyone.”
The administrator said he’d come up with two possible workarounds: “(1) Create a new ID for the coordinator and remove the local admin from coordinator rights; (2) Use a different password for the SharePoint administrator than for the workstation local admin.”
“As to (1), this cannot be done,” came the reply. “The Local Admin account automatically (has) access to SharePoint security and can add itself to the coordinator role no matter what. This is for data recovery.”
Due to the user roles in STS, though, “There is no need for you to go in and mess with the NTFS permissions any more. Roles can be configured through the Web page. You could give a certain user a certain role to be able to add something, but not the other; to be able to do certain tasks on the Web site, but not other tasks,” according to Khalaf.
STS’s customizable roles include administrator, advanced author, author, contributor, and browser. In contrast, roles in SPS are currently limited to administrator, coordinator, author, and reader.
Version 2 Waiting in the Wings
In version 2 of SPS/STS, greater integration with Commerce Server/BizTalk Server is also in the cards, according to a recent report by the Meta Group. Microsoft has already posted four demos of integration between STS and Commerce Server/BizTalk Server on its Web site. The scenarios include purchase orders and catalog management, for instance.
Microsoft’s existing SPS Integration Pack already offers some integration between SPS2001 and CMS2001, mainly in terms of integration between repositories and “publish to Web” features. “[But] central to Microsoft’s SPS2 plans are promises to resolve SPS1’s weaknesses — notably integrated personalization, single sign-on, stronger ties to Content Management Server [CMS] and BizTalk Server, and provision of user and application management servers,” according to Meta’s report.
“With SPS2 and CMS2002, Microsoft plans to provide stronger content publishing delegation, providing users with managed capability to publish documents directly to the Web (roles, approvals, etc.).”
Meta anticipates that Microsoft will enable single sign-on and personalization — name, group, basic roles, subscriptions — through integration with Active Directory.
“However, such personalization will be neither deep nor dynamic — richer capabilities [e.g. integration to usage analysis] will likely come in later SPS versions. We also expect deeper personalization to emerge as coexisting infrastructure alongside the directory [e.g. a personalization database] to avoid bloating AD. IT planners should avoid putting all user attributes into a directory and isolate generic attributes that should live in the directory versus personalization-specific attributes living in the database,” according to the report.
Organizations planning integration between SPS2 and AD should focus on defining schema elements that support sign-on and simple role-based access, while also involving “their security/privacy, server, and directory teams to identify likely changes and dependencies as part of AD and .Net deployment (e.g. operations, administration, and topology changes).”
The Meta Group analysts added that they don’t expect Microsoft to offer “generic” single sign-on capabilities beyond LDAP services. Instead, Microsoft will “cede cross-portal provisioning, policy management, and cross-portal unified access to companies such as IBM, Novell, CA, Netegrity, and possibly, Microsoft companion vendors with SSO expertise [e.g. Corechange.]”