Archive for October, 2009

Domain Certificate Authority Signing InfoPath 2007 Forms

October 28, 2009

InfoPath forms with custom code and those that have their Security Level set to Full Trust must be signed so that they can be run by the client.  That’s fine, but who wants to pay for a code signing certificate for internally developed applications?  If we string together a couple of facts, we quickly realize that we shouldn’t have to pay for a code signing certificate if we are developing code that will only ever be used by internal users.

First, certificates work because there is a set of trusted root certificate authorities.  Their responsibility is to issue certificates.  The organizations running the trusted root certificate authorities are responsible for issuing certificates only where the certificate matches the organization requesting it.  They make no judgment about whether the person is good or bad – only that they are who they say they are.  The service that you pay for when you purchase a certificate from a trusted root certificate authority is that they have verified your identity.

Microsoft Windows has a list of trusted root certificate authorities – but when a computer is in a domain, it automatically trusts the Enterprise Certificate Authority for the domain.  The Enterprise certificate authority is an instance of certificate services which comes with Windows Server operating systems.  It allows an administrator to issue certificates.  There are several templates for the kinds of certificates to be issued.  The most common one is for a web server – an SSL certificate – but there are others as well.

Certificate Services has a template for code signing certificates.  If you put everything together, you realize that when all of your computers are members of a domain you can request and be granted a code signing certificate that’s valid for anyone using the certificate in the domain.

Here’s how to do it…

Install Certificate Services

If you don’t have an Enterprise Certificate Authority in your domain, go to a server and …

1)      Click Start-Control Panel-Add/Remove Programs

2)      Click Windows Components

3)      Click the checkmark to the left of Certificate Services

4)      Click Next

5)      Follow the wizard to create an Enterprise Certificate Authority.

Note: There are special precautions for protecting enterprise certificate authorities including creating sub-authorities, and taking the certificate authority offline.  If your organization is large, you should review the risks and guidelines for creating certificate authorities and manage security appropriately.  In smaller organizations it’s generally acceptable to create an enterprise CA and issue certificates from it.

Create a Copy of the Code Signing Template

The default out-of-box code signing certificate template doesn’t allow the certificate’s private key to be exported.  This means that only the user to whom the certificate is issued can use it.  Generally you don’t want developers to have enough permission to request the certificate themselves.  If you want to be able to move the certificate from one user to another, you’ll need to make a copy of the Code Signing template and change it so it can have exportable keys.  We’re going to show you how to do this.  If you follow these steps, choose your duplicated code signing template wherever the later steps refer to Code Signing.

1)      Click Start-Run and enter certtmpl.msc.

2)      Right click the Code Signing template and select Duplicate.

3)      Enter a name for the new Template.  For instance, add your organization name in front.

4)      Click the Request Handling tab.

5)      Click the Allow private key to be exported checkbox.

6)      Click OK.

You now have your own code signing template that can be exported.

Enable the Code Signing Template

By default the code signing certificate template isn’t available to be issued from your certificate authority.  To make it available you need to enable the template, which you can do by following these steps…

1)      Click Start-Administrative Tools-Certification Authority

2)      Expand the server that you installed certificate services on

3)      Click the Certificate Templates folder.

4)      Right click the Certificate Templates folder, select New, Certificate Template to Issue.

5)      Click Code Signing and click the OK button.

Now you can issue Code Signing certificates.

Issue the Certificate

Now that everything is in place you can issue the certificate.  Follow these steps to do that…

1)      Open a web browser and navigate to http://server/certsrv where server is the name of the server on which you installed certificate services.

2)      Click the Request a certificate link

3)      Click the advanced certificate request link

4)      Click the Create and submit a request to this CA link

5)      In the certificate template drop down box select Code Signing.

6)      Enter a friendly name for the certificate in the friendly name textbox at the end of the page.

7)      Click Submit.  You may be prompted that the web site is requesting a certificate, click Yes.

8)      Click the Install Certificate link. Again you may be warned that you’re getting a certificate, click Yes.

You now have a certificate in your certificates store.  If you’ve not been doing this as the developer (and you probably haven’t), you’ll need to export the certificate and import it into the developer’s account.  You’ll only be able to do this if you created your own code signing template.

Exporting the Certificate

Here’s what you need to do to export the certificate:

1)      Click Start-Run and enter certmgr.msc

2)      Expand the Personal Folder

3)      Expand the Certificates folder

4)      Locate the certificate that indicates that its intended purpose is Code Signing.

5)      Right click on that item and select All Tasks-Export

6)      Click Next

7)      Click Yes, export the private key.

8)      Click Next.

9)      Click Next

10)   Enter a password and confirm password.

11)   Click Next

12)   Enter a file name for the exported file

13)   Click Next

14)   Click Finish

You’ve exported the certificate.

Importing the Certificate

If you’ve exported the certificate you can move that over to the user or machine that will be signing the code and follow these steps to import the certificate.

1)      Double click the file to start the Certificate Import Wizard.

2)      Click Next

3)      Click Next

4)      Enter the password you entered when you exported the file.

5)      Click Mark the key as exportable.

6)      Click Next

7)      Click Next

8)      Click Finish

9)      Click OK.

You’ve now imported the certificate file.

Configure InfoPath to Use the Certificate

The final step in this journey is to tell InfoPath to use the certificate.  Do that by following these steps…

1)      Open an InfoPath form in design view.

2)      Click Tools-Form Options

3)      In the category pane, click Security and Trust

4)      Click Sign this form template

5)      Click the Select Certificate button

6)      Select the certificate that you just issued.

7)      Click OK.

8)      Click OK.

OK, you’re done.  That’s all you need to do in order to get a code signing certificate that will sign InfoPath forms that the users of the organization will recognize.


How to Fix Project Server Events Service and Queue Service

October 28, 2009

This is a great post on how to fix the Project Server Events Service and Queue Service Event ID: 7000 error (graphical step-by-step):

http://rperreaux.spaces.live.com/blog/cns!5D7BD18D324CBEEF!529.entry

Manually load Microsoft Certificate Revocation lists

October 27, 2009

When starting a .NET application, the .NET Framework will attempt to download the Certificate Revocation List (CRL) for any signed assembly. If your system does not have direct access to the Internet, or is restricted from accessing the Microsoft.com domain, this may delay startup of BizTalk Server (and not only BizTalk Server). To avoid this delay at application startup, you can use the following steps to manually download and install the code signing Certificate Revocation Lists on your system.

1.  Download the latest CRL updates from:
http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl
or
http://go.microsoft.com/fwlink/?LinkID=117794
and
http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl
or
http://go.microsoft.com/fwlink/?LinkId=117795.

2.  Move the CodeSignPCA.crl and CodeSignPCA2.crl files to the isolated system.

3.  From a command prompt, enter the following command to use the certutil utility to update the local certificate store with the CRL downloaded in step 1:

certutil -addstore CA c:\CodeSignPCA.crl
certutil -addstore CA c:\CodeSignPCA2.crl

The CRL files are updated regularly, so you should consider setting up a recurring task that downloads and installs the CRL updates. To view the next update time, double-click the .crl file and view the value of the Next Update field.
Taken from:

General Guidelines for Improving Operating System Performance:
http://msdn.microsoft.com/en-us/library/ee377075(BTS.10).aspx

It is essential to restart the server after running the commands.

Update Rollup 7 for Microsoft Dynamics CRM 4.0

October 26, 2009

The Microsoft Dynamics CRM Sustained Engineering team will release Microsoft Dynamics CRM 4.0 Update Rollup 7 on Thursday, October 22, 2009.

Once the release is available the links below will take you to the necessary information about Update Rollup 7.

The queue service and event service of Project Server 2007 no longer start after installing SP1!

October 23, 2009

Last week I did a “migration” of a test installation of Project Server 2007 to a production farm. In other words, I took the data that was on the test environment and moved it to the production servers.
While we were at it, we installed WSS SP1 followed by Project Server 2007 SP1.
All went well, except that the queue and event services no longer started.
Searching the web, I came across a thread that discussed the problem (http://www.eggheadcafe.com/software/aspnet/31389210/after-sp1-project-server.aspx).
It seems that after the installation of SP1 these services need to access Microsoft’s certificate revocation list, and in particular a file called http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl . Unfortunately, the account used by those services had no Internet access, nor was there any hope of getting it any time soon.
The solution proposed in the thread above is interesting: download the revocation list and publish it internally.

Portal Integration and Partner Relationship Management accelerators have been released!

October 22, 2009

Microsoft have released two new accelerators.

Portal Integration and Partner Relationship Management.

The Portal Integration Accelerator easily connects Microsoft Dynamics CRM to an organization’s Web experience. With this added capability, a business analyst can use point-and-click configuration — as opposed to Web development — to rapidly extend to the Internet any business process and drive costs out of everyday business interactions.

The Partner Relationship Management (PRM) Accelerator allows businesses to use Microsoft Dynamics CRM to distribute sales leads and centrally manage sales opportunities across channel partners. It provides pre-built extensions to the Microsoft Dynamics CRM sales force automation functionality, including new data entities, workflow and reports. Using the PRM Accelerator, companies can jointly manage sales processes with their channel partners through a centralized Web portal, as well as extend this integration to automate additional business processes.

You can download them here

Sharepoint Download Zipped List Items

October 21, 2009

Project Description
This Custom UI Action for SharePoint extends the list actions menu to allow users to zip document library items and download all of them, either with or without versions.

Features

– Download all document library items
– Keep the folder hierarchy
– Versions: if you care about document versions you can download them as well
– Ability to download only the selected view items instead of all list items

Download: http://www.codeplex.com/MZakiCustomActions/

Clear List Items Capability for WSS V3

October 20, 2009

Release Notes
This is the initial release of the Clear List Items capability for Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. The released file consists of a SharePoint solution deployment file. Use the stsadm.exe utility to deploy the solution file to your SharePoint farm. Activate the feature for each site using:
Site Actions -> Site Settings -> Site Features

Learn more about the Clear List Items capability at:
http://www.blackbladeinc.com/en-us/products/clearlist

Download: http://www.codeplex.com/CLIWSSV3/Release/ProjectReleases.aspx?ReleaseId=9895

List Item Workspace Capability for WSS V3

October 19, 2009

Project Description
The “List Item Workspace” for WSS V3 extends the capability of creating a SharePoint workspace site for a list item that is available for event items and documents to all SharePoint list items.

Learn more about List Item Workspaces at:
http://www.blackbladeinc.com/en-us/products/liworkspaces

The writeup for this project is available on my blog at:
http://thingsthatshouldbeeasy.blogspot.com/2007/10/creating-list-item-workspace-capability.html

PLEASE NOTE:
The source code for this project is a Visual Studio 2008 Beta 2 project. You can download the Visual Studio 2008 Beta 2 here:
http://msdn2.microsoft.com/en-us/evalcenter/bb655862.aspx

If you do not have Visual Studio 2008, you will not be able to open the project, but you will still be able to access all of the source code by opening it in a standard text editor.

Download: http://www.codeplex.com/LIWWWV3

WSS 3.0 SP2 slipstream: new setup packages available

October 11, 2009

For anyone who has to perform new installations of Windows SharePoint Services 3.0 without wasting too much time on the many update steps (service packs, cumulative updates, etc.), the advice is to download the new installation packages.
In the new packages, available on the Microsoft download site, the bits are already updated to SP2: