Office SharePoint Server Security Account Requirements.doc)
Also check this link: Plan for administrative and service accounts (Windows SharePoint Services)
Always run Setup and the configuration wizard with a domain account that is a local administrator on every server in the farm and that holds the dbcreator and securityadmin server roles on the SQL Server instance (the wizard uses those rights to create the configuration database and the farm account's login). Never install SharePoint with a purely local administrator account on the SharePoint server: a local account cannot be granted rights on the other farm servers or on a remote SQL Server.
This guide assumes that you installed Windows 2003 Server/R2 or Windows Server 2008 and that you have completed Windows Update.
You can follow the steps in this section if you do not plan on deploying MOSS. If you are going to deploy MOSS, then check this link: MOSS 2007 Installation.aspx
Configure the server as a Web server
Internet Information Services (IIS) is not installed or enabled by default in the Microsoft Windows Server 2003 operating system. To make your server a Web server, you must install and enable IIS, and you must ensure that IIS is running in IIS 6.0 worker process isolation mode.
Install and configure IIS
1. Click Start, point to All Programs, point to Administrative Tools, and then click Configure Your Server Wizard.
2. On the Welcome to the Configure Your Server Wizard page, click Next.
3. On the Preliminary Steps page, click Next.
4. On the Server Role page, click Application server (IIS, ASP.NET), and then click Next.
5. On the Application Server Options page, click Next.
6. On the Summary of Selections page, click Next.
7. Click Finish.
8. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
9. In the IIS Manager tree, click the plus sign (+) next to the server name, right-click the Web Sites folder, and then click Properties.
10. In the Web Sites Properties dialog box, click the Service tab.
11. In the Isolation mode section, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.
Note: The Run WWW service in IIS 5.0 isolation mode check box is selected only if you upgraded to IIS 6.0 on Windows Server 2003 from IIS 5.0 on Windows 2000. New installations of IIS 6.0 use worker process isolation mode by default.
Install the Microsoft .NET Framework version 2.0
Go to the Microsoft Download Center Web site (http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en), and on the Microsoft .NET Framework Version 2.0 Redistributable Package (x86) page, follow the instructions for downloading and installing the .NET Framework version 2.0. There are separate downloads for x86-based computers and x64-based computers. Be sure to download and install the appropriate version for your computer. (Windows Workflow Foundation, which the workflow features require, ships with the .NET Framework version 3.0, not 2.0; see the next step.)
Install the Microsoft .NET Framework version 3.0
Go to the Microsoft Download Center Web site (http://go.microsoft.com/fwlink/?LinkID=72322&clcid=0x409), and on the Microsoft .NET Framework 3.0 Redistributable Package page, follow the instructions for downloading and installing the .NET Framework version 3.0. There are separate downloads for x86-based computers and x64-based computers. Be sure to download and install the appropriate version for your computer. The .NET Framework version 3.0 download contains the Windows Workflow Foundation technology, which is required by workflow features.
Note: You can also use the Microsoft .NET Framework version 3.5 (http://go.microsoft.com/fwlink/?LinkId=110508), which includes the 2.0 and 3.0 runtimes.
Enable ASP.NET 2.0
ASP.NET 2.0 is required for proper functioning of Web content, the Central Administration Web site, and many other features and functions of Windows SharePoint Services 3.0 and Office SharePoint Server 2007. If the ASP.NET v2.0.50727 Web service extension is left as Prohibited, IIS 6.0 answers every SharePoint page with a 404 error.
Enable ASP.NET 2.0
1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the Internet Information Services tree, click the plus sign (+) next to the server name, and then click the Web Service Extensions folder.
3. In the details pane, right-click ASP.NET v2.0.50727, and then click Allow.
Install and configure Windows SharePoint Services 3.0
Installing WSS on the server requires installation and then configuration. The installation is straightforward and only requires a few steps through a wizard interface. Configuration is performed after the software is installed.
Follow these steps to install Windows SharePoint Services 3.0 as a stand-alone installation:
Run Setup (Stand-Alone Installation)
1. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
2. On the Choose the installation you want page, click Basic to install to the default location. Basic installs Windows Internal Database (SQL Server 2005 Embedded Edition) on the same server; a stand-alone installation cannot later be joined to a farm, so use it only for evaluation or a deliberate single-server deployment.
3. When Setup finishes, a dialog box prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
4. Click Close to start the configuration wizard.
Run the SharePoint Products and Technologies Configuration Wizard
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. In the dialog box that notifies you that some services might need to be restarted or reset during configuration, click Yes.
3. On the Configuration Successful page, click Finish. Your new SharePoint site opens.
Note: If you are prompted for your user name and password, you might need to add the SharePoint site to the list of trusted sites and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided in the following procedure.
Add the SharePoint site to the list of trusted sites for IE7 or to local intranet for IE6
1. In Internet Explorer, on the Tools menu, click Internet Options.
2. On the Security tab, in the Select a Web content zone to specify its security settings box, click Trusted Sites, and then click Sites.
3. Clear the Require server verification (https:) for all sites in this zone check box. This is needed only because the site is served over plain HTTP; zone membership changes how Internet Explorer handles credentials and active content for a site, so add only the exact URL you use for SharePoint, not a wildcard.
4. In the Add this Web site to the zone box, type the URL to your site, and then click Add.
5. Click Close to close the Trusted Sites dialog box.
6. Click OK to close the Internet Options dialog box.
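The procedure above can be scripted for the current user. The following PowerShell script is an added example, not part of this guide: it writes the same ZoneMap registry entry the Internet Options dialog writes, but for exactly one scheme and one host, so the "require server verification" setting of the whole zone is left alone. The site URL http://wssweb01.corp.example.com is a hypothetical name; zone id 2 is Trusted Sites and 1 is Local intranet, the values Internet Explorer stores under ZoneMap\Domains.

```powershell
# Added example (not from the original guide). Adds one http/https host to an
# Internet Explorer zone for the current user by writing the ZoneMap key directly.
# Hypothetical default URL; zone 2 = Trusted Sites, zone 1 = Local intranet.
param(
    [string]$Url  = "http://wssweb01.corp.example.com",
    [int]   $Zone = 2
)

$uri = [System.Uri]$Url
if (@("http", "https") -notcontains $uri.Scheme) {
    throw "Only http/https URLs belong in the zone map: $Url"
}

$zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
$labels  = $uri.Host.Split(".")

if ($labels.Count -ge 2) {
    # IE stores wssweb01.corp.example.com as Domains\example.com\wssweb01.corp
    $key = Join-Path $zoneMap ($labels[-2..-1] -join ".")
    if ($labels.Count -gt 2) {
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join ".")
    }
} else {
    # A single-label (NetBIOS) name is stored as Domains\wssweb01
    $key = Join-Path $zoneMap $uri.Host
}

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# The value name is the URL scheme and its DWORD data is the zone id. Writing only
# "http" for this one host is narrower than clearing "Require server verification
# (https:) for all sites in this zone" in the dialog.
New-ItemProperty -Path $key -Name $uri.Scheme -Value $Zone -PropertyType DWord -Force | Out-Null

"Mapped {0}://{1} to zone {2} under {3}" -f $uri.Scheme, $uri.Host, $Zone, $key
```

On Windows Server 2003 and 2008 with Internet Explorer Enhanced Security Configuration enabled, the browser reads the parallel ZoneMap\EscDomains key instead of ZoneMap\Domains; the layout is the same, so point $zoneMap there when running on the server itself.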
You are now ready for the Post-installation steps in this guide!
Follow these steps to install Windows SharePoint Services on a Farm
Run Setup on all servers in the farm
Run Setup and then the SharePoint Products and Technologies Configuration Wizard on all your farm servers. Adding servers to the farm can be done at any time to add redundancy, such as additional load-balanced Web servers.
When you install Windows SharePoint Services 3.0 on the first server, you establish the farm. Any additional servers that you add must be joined to this farm.
Setting up the first server involves two steps: installing the Windows SharePoint Services 3.0 components on the server, and configuring the farm. After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Windows SharePoint Services 3.0. The SharePoint Products and Technologies Configuration Wizard automates several configuration tasks, including: installing and configuring the configuration database, installing Windows SharePoint Services 3.0 services, and creating the Central Administration Web site.
It is recommended that you install and configure Windows SharePoint Services 3.0 on all of your farm servers before you configure Windows SharePoint Services 3.0 services and create sites. You must have SQL Server running on at least one back-end database server before you install Windows SharePoint Services 3.0 on your farm servers.
Note: Setup installs the Central Administration Web site on the first server on which you run Setup. Therefore, we recommend that the first server on which you install Windows SharePoint Services 3.0 is a server from which you want to run the Central Administration Web site.
Run Setup on the first server
1. From the product disc, run Setup.exe, or from the product download, run WSSv3.exe, on one of your Web server computers.
2. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
3. On the Choose the installation you want page, click Advanced. The Basic option is for stand-alone installations.
4. On the Server Type tab, click Web Front End. The Stand-alone option is for stand-alone installations.
5. Optionally, to install Windows SharePoint Services 3.0 at a custom location, select the Data Location tab, and then type the location name or Browse to the location.
6. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
7. When you have chosen the correct options, click Install Now.
8. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
9. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.
The SharePoint Products and Technologies Configuration Wizard
After Setup finishes, you can use the SharePoint Products and Technologies Configuration Wizard to configure Windows SharePoint Services 3.0. The configuration wizard automates several configuration tasks, including: installing and configuring the configuration database, installing Windows SharePoint Services 3.0 services, and creating the Central Administration Web site.
Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard:
Run the SharePoint Products and Technologies Configuration Wizard
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. Click Yes in the dialog box that notifies you that some services might need to be restarted during configuration.
3. On the Connect to a server farm page, click No, I want to create a new server farm, and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
5. Type a name for your configuration database in the Database name box, or use the default database name. The default name is "SharePoint_Config".
6. In the User name box, type the user name of the server farm account. (Be sure to type the user name in the format DOMAIN\SPConfigSVC.)
Important: This account is the server farm account and is used to access your SharePoint configuration database. It also acts as the application pool identity for the SharePoint Central Administration application pool, and it is the account under which the Windows SharePoint Services Timer service runs. The SharePoint Products and Technologies Configuration Wizard adds this account to the SQL Server logins and to the dbcreator and securityadmin fixed server roles. The account must be a domain user account, but it does not need to be a member of any specific security group on your Web servers or your back-end database servers. Follow the principle of least privilege: use a dedicated account that is not a member of the Administrators group on your Web servers or your back-end servers, and do not make it a SQL Server sysadmin; it does not need that role.
7. In the Password box, type the user's password, and then click Next.
8. On the Configure SharePoint Central Administration Web Application page, select the Specify port number check box and type a port number if you want the Central Administration Web application to listen on a specific port; otherwise leave the check box cleared and the wizard chooses a random port. Choosing the port yourself keeps firewall rules and documentation stable across rebuilds.
9. On the same page, choose the authentication provider:
a. To use NTLM authentication (the default), click Next.
b. To use Kerberos authentication, click Negotiate (Kerberos), and then click Next. See Configuring Kerberos Authentication later in this guide; Kerberos does not work until the Service Principal Names are registered.
10. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
11. On the Configuration Successful page, click Finish. The SharePoint Central Administration Web site home page opens.
Note: If you are prompted for your user name and password, you might need to add the SharePoint site to the list of trusted sites and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided earlier in this guide.
You are now ready for the Post-installation steps in this guide!
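To confirm that the farm account ended up with exactly the rights described in the Important note of the wizard steps (dbcreator and securityadmin on SQL Server, no sysadmin, and no local Administrators membership on the Web server), here is an added PowerShell check. It is not part of this guide; the account name CORP\SPConfigSVC and the server sql01.corp.example.com are hypothetical, and it assumes you run it on a Web front-end after the wizard has finished, as a user who can connect to the SQL Server instance with Windows authentication. It uses only the ADO.NET SqlClient that ships with the .NET Framework 2.0.

```powershell
# Added example, not part of this guide. Verifies the farm account against the
# least-privilege guidance: not a local Administrator on this Web server, and on SQL
# Server a member of dbcreator and securityadmin but not sysadmin.
# Hypothetical names: CORP\SPConfigSVC (farm account), sql01.corp.example.com (SQL Server).
param(
    [string]$FarmAccount = "CORP\SPConfigSVC",
    [string]$SqlServer   = "sql01.corp.example.com"
)

$problems = @()

# 1. Local Administrators on this Web server. "net localgroup" prints domain members
#    as DOMAIN\name, one per line; local members have no backslash and are skipped.
$localAdmins = net localgroup Administrators | Where-Object { $_ -match '\\' }
if ($localAdmins -contains $FarmAccount) {
    $problems += "$FarmAccount is a member of the local Administrators group on $env:COMPUTERNAME"
}

# 2. SQL Server fixed server roles. IS_SRVROLEMEMBER returns 1 (member), 0 (not a
#    member) or NULL (no such login). The login name goes in as a parameter, never
#    pasted into the query text.
$connString = "Server=$SqlServer;Database=master;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT IS_SRVROLEMEMBER('dbcreator',     @login) AS dbcreator,
       IS_SRVROLEMEMBER('securityadmin', @login) AS securityadmin,
       IS_SRVROLEMEMBER('sysadmin',      @login) AS sysadmin
"@
    $cmd.Parameters.AddWithValue("@login", $FarmAccount) | Out-Null
    $reader = $cmd.ExecuteReader()
    $reader.Read() | Out-Null
    $roles = @{}
    foreach ($r in "dbcreator", "securityadmin", "sysadmin") { $roles[$r] = $reader[$r] }
    $reader.Close()
} finally {
    $conn.Close()
}

if ($roles["dbcreator"] -is [DBNull]) {
    $problems += "$FarmAccount has no login on $SqlServer; the wizard creates it, so run this after configuration"
} else {
    foreach ($r in "dbcreator", "securityadmin") {
        if ($roles[$r] -ne 1) { $problems += "$FarmAccount is missing the $r server role on $SqlServer" }
    }
    if ($roles["sysadmin"] -eq 1) {
        $problems += "$FarmAccount is sysadmin on $SqlServer; the farm account does not need that role"
    }
}

if ($problems.Count -eq 0) { "OK: $FarmAccount follows the least-privilege guidance" }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run it once per Web front-end; the SQL part is the same from every server, but the local Administrators membership is per machine.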
Run Setup on additional servers
1. From the product disc, run Setup.exe, or from the product download, run WSSv3.exe, on one of your Web server computers.
2. On the Read the Microsoft Software License Terms page, review the terms, select the I accept the terms of this agreement check box, and then click Continue.
3. On the Choose the installation you want page, click Advanced. The Basic option is for stand-alone installations.
4. On the Server Type tab, click Web Front End. The Stand-alone option is for stand-alone installations.
5. Optionally, to install Windows SharePoint Services 3.0 at a custom location, select the Data Location tab, and then type the location name or Browse to the location.
6. Optionally, to participate in the Customer Experience Improvement Program, select the Feedback tab and select the option you want. To learn more about the program, click the link. You must have an Internet connection to view the program information.
7. When you have chosen the correct options, click Install Now.
8. When Setup finishes, a dialog box appears that prompts you to complete the configuration of your server. Be sure that the Run the SharePoint Products and Technologies Configuration Wizard now check box is selected.
9. Click Close to start the configuration wizard. Instructions for completing the wizard are provided in the next set of steps.
The SharePoint Products and Technologies Configuration Wizard on additional servers
After Setup finishes, use the SharePoint Products and Technologies Configuration Wizard to configure Windows SharePoint Services 3.0. The configuration wizard automates several configuration tasks, including: installing and configuring the configuration database, and installing Windows SharePoint Services 3.0 services. Use the following instructions to run the SharePoint Products and Technologies Configuration Wizard.
Run the SharePoint Products and Technologies Configuration Wizard
1. On the Welcome to SharePoint Products and Technologies page, click Next.
2. Click Yes in the dialog box that notifies you that some services might need to be restarted during configuration.
3. On the Connect to a server farm page, click Yes, I want to connect to an existing server farm, and then click Next.
4. In the Specify Configuration Database Settings dialog box, in the Database server box, type the name of the computer that is running SQL Server.
5. Click Retrieve Database Names, and then from the Database name list, select the database name that you created when you configured the first server in your server farm.
6. In the User name box, type the user name of the account used to connect to the computer running SQL Server. (Be sure to type the user name in the format DOMAIN\username.) This must be the same user account you used when configuring the first server.
7. In the Password box, type the user's password, and then click Next.
8. On the Completing the SharePoint Products and Technologies Configuration Wizard page, click Next.
9. On the Configuration Successful page, click Finish.
Note: If you are prompted for your user name and password, you might need to add the SharePoint site to the list of trusted sites and configure user authentication settings in Internet Explorer. Instructions for configuring these settings are provided earlier in this guide.
Configuring Kerberos Authentication
If you selected Kerberos as the authentication provider, you must perform additional configuration steps. The steps define a Service Principal Name (SPN) for the application pool account. The client uses the SPN to request a service ticket from the domain controller (KDC); that ticket is encrypted to the key of the account on which the SPN is registered, so the SPN must be registered on the application pool account and on no other account in the forest. A missing or duplicate SPN makes Kerberos authentication fail, which usually shows up as repeated credential prompts in the browser.
To configure the WSS server computer account to be trusted for delegation, follow these steps:
1. Start Active Directory Users and Computers.
2. In the left pane, click Computers.
3. In the right pane, right-click the name of the WSS server, and then click Properties.
4. Click the General tab, select the Trust computer for delegation check box, and then click OK.
5. Quit Active Directory Users and Computers.
If the application pool identity is a domain user account, that account must be trusted for delegation before Kerberos delegation works. Delegation is needed only when the SharePoint server must forward the user's identity to another service (for example, to a back-end server under the user's own credentials); authenticating users to the Web site itself requires only the SPN. The Account is trusted for delegation check box enables unconstrained delegation, which lets the server obtain tickets as any authenticated user to any service in the domain. In a domain at the Windows Server 2003 functional level, the account instead gets a Delegation tab once an SPN is registered on it, and Trust this user for delegation to specified services only (constrained delegation) limits the damage if the application pool account is ever compromised; prefer it where the domain supports it, and register the SPNs (below) first so the tab appears.
To configure the domain account to be trusted for delegation, follow these steps:
1. On the domain controller, start Active Directory Users and Computers.
2. In the left pane, click Users.
3. In the right pane, right-click the name of the user account (SPConfigSVC), and then click Properties.
4. Click the Account tab, and under Account Options select the Account is trusted for delegation check box, and then click OK. Repeat steps 1-4 for the SPContentSVC account.
5. Quit Active Directory Users and Computers.
If the application pool identity is a domain user account, you must also configure an SPN for that account. To configure an SPN for the domain user account, follow these steps:
1. Download and install the Setspn.exe command-line tool. It is part of the Windows Server 2003 Support Tools; Windows Server 2008 includes it by default.
2. Use Setspn.exe to add an SPN for the domain account. To do this, follow these steps:
a. At the command prompt, type the following line, and then press ENTER:
setspn -A HTTP/ServerName.Domain DOMAIN\UserName
In this command, ServerName.Domain is the fully qualified domain name (FQDN) of the server and DOMAIN\UserName is the application pool account (for example, DOMAIN\SPConfigSVC).
b. Type the following line, and then press ENTER:
setspn -A HTTP/ServerName DOMAIN\UserName
In this command, ServerName is the NetBIOS name of the server.
Steps 1 and 2 must be completed for both the SPConfigSVC account (Central Administration application pool) and the SPContentSVC account (content Web application pool). Each HTTP/name SPN may exist on only one account: setspn -A does not check for duplicates, so list what is already registered with setspn -L DOMAIN\UserName before adding. Internet Explorer builds the SPN from the host name in the URL without the port, so if Central Administration and a content Web application answer on the same host name under different accounts, give the content Web application its own host header or DNS alias and register HTTP/alias on SPContentSVC instead of registering the server name twice.
Reference: How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication:
http://support.microsoft.com/?kbid=832769
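The SPN registration and delegation settings above are easy to get subtly wrong (a duplicate SPN, or unconstrained delegation left on by accident), so here is an added PowerShell script that registers the two HTTP SPNs only after checking Active Directory for an existing owner, then reports the account's delegation state. It is not part of this guide or of KB 832769. The names CORP\SPContentSVC, wssweb01.corp.example.com and wssweb01 are hypothetical; the script assumes a domain-joined server, setspn.exe on the PATH, and a user allowed to write servicePrincipalName on the account. TRUSTED_FOR_DELEGATION (0x80000) in userAccountControl is the flag the Account is trusted for delegation check box sets.

```powershell
# Added example, not part of this guide or KB 832769. Registers HTTP SPNs for an
# application pool account without creating duplicates, then shows whether the
# account is configured for unconstrained or constrained delegation.
# Hypothetical names: CORP\SPContentSVC, wssweb01.corp.example.com, wssweb01.
param(
    [string]$Account = "CORP\SPContentSVC",
    [string]$Fqdn    = "wssweb01.corp.example.com",
    [string]$NetBios = "wssweb01"
)

$sam = $Account.Split("\")[-1]

function Find-AdObjects([string]$ldapFilter, [string[]]$properties) {
    # Searches the current domain through ADSI; no extra modules are needed on
    # Windows Server 2003 or 2008.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $ldapFilter
    foreach ($p in $properties) { $searcher.PropertiesToLoad.Add($p) | Out-Null }
    return $searcher.FindAll()
}

foreach ($spn in @("HTTP/$Fqdn", "HTTP/$NetBios")) {
    # The KDC encrypts the service ticket with the key of the account that owns the
    # SPN; if two accounts own it, Kerberos fails for both. Look before registering.
    $owners = @(Find-AdObjects "(servicePrincipalName=$spn)" @("sAMAccountName") |
                ForEach-Object { $_.Properties["samaccountname"][0] })
    if ($owners.Count -eq 0) {
        setspn -A $spn $Account
    } elseif ($owners -contains $sam) {
        "$spn is already registered on $Account"
    } else {
        throw "Duplicate SPN: $spn is already registered on $($owners -join ', '); resolve that first"
    }
}

# Delegation state of the account. 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained,
# what the check box sets); msDS-AllowedToDelegateTo lists constrained targets.
$user = Find-AdObjects "(sAMAccountName=$sam)" `
            @("userAccountControl", "msDS-AllowedToDelegateTo", "servicePrincipalName") |
        Select-Object -First 1
if ($user -eq $null) { throw "Account $sam not found in the current domain" }

"SPNs now registered on ${Account}:"
$user.Properties["serviceprincipalname"] | ForEach-Object { "  $_" }

$uac = [int]$user.Properties["useraccountcontrol"][0]
$unconstrained = ($uac -band 0x80000) -ne 0
$targets = @($user.Properties["msds-allowedtodelegateto"] | Where-Object { $_ })

if ($unconstrained) {
    Write-Warning "$Account is trusted for UNCONSTRAINED delegation to any service"
}
if ($targets.Count -gt 0) {
    "Constrained delegation allowed to:"
    $targets | ForEach-Object { "  $_" }
} elseif (-not $unconstrained) {
    "No delegation configured (fine unless SharePoint must pass the user's identity to a back end)"
}
```

Run it once for SPConfigSVC with the Central Administration host name and once for SPContentSVC with the content Web application's host name; if the duplicate check throws, the two application pools share a host name and one of them needs a host header or DNS alias of its own.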
Post-installation steps
After Setup finishes, your browser window opens to the home page of your new SharePoint site. Although you can start adding content to the site or you can start customizing the site, we recommend that you first perform the following administrative tasks by using the SharePoint Central Administration Web site.
Start the Windows SharePoint Services Search service
You must start the Windows SharePoint Services Search service on every server that you want to index content and answer search queries, and on at least one server in the farm.
Start the Windows SharePoint Services Search service
1. On the SharePoint Central Administration home page, click the Operations tab on the top link bar. 2.