Chart: Domain User Accounts Required before Installing MOSS 2007

Below is a chart of the user accounts required before installing MOSS 2007 / SharePoint 2007 in a server farm. This table is a must for every SharePoint developer/administrator. Thanks to Clayton, whose blog post put the ever-confusing user accounts into a neat descriptive table.

| Account | Purpose | Used by | Requirements |
|---|---|---|---|
| Setup User | User account that is used to run setup on each server. | Person installing | Member of the Administrators group on each Web front-end (WFE) server and application server computer in the farm. Member of the SQL Server groups that carry SQL security administrator and database creator rights on the SQL servers. |
| SQL Server Service | The security context used by Central Administration for creating databases and other SQL configurations. | MSSQLSERVER, SQLSERVERAGENT | Member of the Administrators group on each server on which setup runs, of the Administrators group on each SQL Server computer, database system administrator, and member of the SQL security administrator and database creator SQL Server groups. |
| Server Farm | Also referred to as the database access account. | Central Administration site application pool identity | Member of the Administrators group on each WFE server and application server computer in the farm, with SQL security administrator and database creator rights on the SQL servers. Database Owner (DBO) for all databases and additional permissions on WFE server and application server computers are configured automatically for this account when SharePoint is installed. |
| SSP App Pool | | SSP App Pool Identity | No configuration is necessary. The following permissions are configured automatically for this account when SharePoint is installed: DBO for the Shared Services Provider (SSP) content database, read/write permissions for the SSP content database, read/write permissions for content databases for Web applications that are associated with the SSP, read permissions for the configuration database, read permissions for the Central Administration content database, and additional permissions on WFE server and application server computers. |
| SSP Service Account | Used to run timer jobs and for inter-server communications. | SSP Timer service; SSP Web services | Same as the SSP App Pool account. |
| Windows SharePoint Services Search | Used as the service account for the Windows SharePoint Services Search service. There is only one instance of this service, and it is used by all SSPs. | Windows SharePoint Services 3.0 Search service | Must be a domain account, but must not be a member of the Farm Administrators group. Permissions configured automatically for this account when SharePoint is installed include: read/write permissions for content databases for Web applications, read permissions for the configuration database, and read/write permissions for the Windows SharePoint Services Search database. |
| Search Default Content Access Account | The default account used by a specific SSP to crawl content. It is used when no account is specified for a content source. | Windows SharePoint Services 3.0 Search service | Must be a domain account, but must not be a member of the Farm Administrators group. Requires read access to the external or secure content sources that you want to crawl with this account. Additional permissions for this account are configured automatically when SharePoint is installed. |
| Search Specific Content Access Account | An optional account configured to replace the default content access account when crawling a specific content source. | Windows SharePoint Services 3.0 Search service | Read access to the external or secure content sources that this account is configured to access. |
| User Profile and Properties Content Access Account | Account used to connect to a directory service (such as Active Directory, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog (BDC) application, or another directory source) and to import profile data from it. Note: if no account is specified, the Search Default Content Access account is used. If that account does not have read access to the directory or directories you want to import data from, you will need to specify a different account. Plan for one account per directory connection. | Profile Import | Read access to the directory service. For an Active Directory connection that enables Server Side Incremental, the account must have the Replicate Changes permission for Active Directory directory services provided by Windows 2000 Server; this permission is not required for Windows 2003 Active Directory. Manage User Profiles right. View rights on the entities used in Business Data Catalog import connections. |
| Excel Services Unattended Service Account | Excel Calculation Services uses this account to connect to data sources that require user name and password strings for authentication. The SSP App Pool account is used if none is specified. For security, plan to use a low-privileged account that does not have the database privileges of the SSP App Pool account. | Excel Services service | Read/write access to the Excel data sources. |
| App Pool Identity | Used to access content databases associated with the Web application. Plan one for each application pool. | Web applications | No configuration is necessary. SQL Server privileges assigned automatically to this account: member of the Database Owners group for content databases associated with the Web application, read/write access to the associated SSP database only, and read permission for the configuration database. Additional privileges for this account on WFE servers and application servers are configured automatically by SharePoint. |

Below are the sample accounts in a more concise form, for quick reference, in the following format:

Account username – password – Role – Rights/Permissions

  1. mosssetupusr – Pass12! – MOSS setup user – Member of: Administrators – SQL: dbcreator and securityadmin
  2. sqlserversrvc – Pass12! – User to create databases and SQL configurations – Member of: Administrators – SQL: dbcreator and securityadmin
  3. caapooldbaccessusr – Pass12! – Central Administration app pool user account and database access account – Member of: Administrators – SQL: dbcreator and securityadmin
  4. sspappool@AIFSMOSS.local – Pass12! – SSP App Pool Identity – User rights and entitlements assigned automatically
  5. sspserviceusr – Pass12! – SSP Timer/Web Services – User rights and entitlements assigned automatically
  6. WssSearchSrvcUsr – Pass12! – Used for WSS search – User rights and entitlements assigned automatically
  7. searchcontentaccessusr – Pass12! – Default user for search content access – User rights assigned automatically
  8. searchspccontentaccessusr – Pass12! – User for search-specific content access – Read access to external content sources
  9. userprofilesaccessusr – Pass12! – User who accesses AD and user properties – Read rights to AD
  10. excelservicesusr – Pass12! – User who accesses Excel content sources – Read rights to Excel content sources
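The table and the list above say which account needs what, but nothing on the page checks it before setup is run. The PowerShell below is an added example (it is not from the original post) that verifies the requirements that can be checked from outside SharePoint: that each account exists in the domain, that the setup-side accounts are in the local Administrators group on every farm server, and that they hold the dbcreator and securityadmin server roles on the SQL instance. The domain name AIFSMOSS and the account names come from the sample list; the SQL Server and farm server names are placeholders, and it is assumed the script runs as a user who can read the remote Administrators groups and query the SQL instance.

```powershell
# Added example, not from the original post: pre-installation check of the farm
# accounts against the requirements in the table above.
$Domain      = 'AIFSMOSS'                    # from the sample list
$SqlServer   = 'SQL01'                       # placeholder
$FarmServers = @('WFE01', 'WFE02', 'APP01')  # placeholder WFE and application servers

# Which account needs what, taken from the table: the three setup-side accounts
# need local Administrators plus the dbcreator and securityadmin server roles;
# the search accounts only need to exist as domain accounts.
$Accounts = @(
    @{ Name = 'mosssetupusr';           LocalAdmin = $true;  SqlRoles = @('dbcreator', 'securityadmin') }
    @{ Name = 'sqlserversrvc';          LocalAdmin = $true;  SqlRoles = @('dbcreator', 'securityadmin') }
    @{ Name = 'caapooldbaccessusr';     LocalAdmin = $true;  SqlRoles = @('dbcreator', 'securityadmin') }
    @{ Name = 'WssSearchSrvcUsr';       LocalAdmin = $false; SqlRoles = @() }
    @{ Name = 'searchcontentaccessusr'; LocalAdmin = $false; SqlRoles = @() }
)

function Test-DomainAccount([string]$Name) {
    # The name comes from our own list; still reject anything that could change the LDAP filter.
    if ($Name -notmatch '^[A-Za-z0-9_.-]+$') { throw "Unexpected account name '$Name'" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$Name))"
    return ($null -ne $searcher.FindOne())
}

function Get-LocalAdministrators([string]$Server) {
    # The WinNT ADSI provider works against 2003-era servers without extra modules.
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)   # e.g. WinNT://AIFSMOSS/mosssetupusr
    }
}

function Get-SqlServerRoleStatus([string]$Login, [string[]]$Roles) {
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Database=master;Integrated Security=SSPI"
    $conn.Open()
    try {
        $status = @{}
        foreach ($role in $Roles) {
            $cmd = $conn.CreateCommand()
            # IS_SRVROLEMEMBER: 1 = member, 0 = not a member, NULL = login (or role) unknown
            $cmd.CommandText = 'SELECT IS_SRVROLEMEMBER(@role, @login)'
            [void]$cmd.Parameters.AddWithValue('@role', $role)
            [void]$cmd.Parameters.AddWithValue('@login', $Login)
            $value = $cmd.ExecuteScalar()
            $status[$role] = if ($value -is [DBNull]) { 'no SQL login' } elseif ($value -eq 1) { 'ok' } else { 'not a member' }
        }
        return $status
    } finally { $conn.Close() }
}

$report = foreach ($acct in $Accounts) {
    $login    = "$Domain\$($acct.Name)"
    $problems = @()
    if (-not (Test-DomainAccount $acct.Name)) { $problems += 'not found in the domain' }
    if ($acct.LocalAdmin) {
        foreach ($server in $FarmServers) {
            if ((Get-LocalAdministrators $server) -notcontains "WinNT://$Domain/$($acct.Name)") {
                $problems += "not in Administrators on $server"
            }
        }
    }
    if ($acct.SqlRoles.Count -gt 0) {
        $roles = Get-SqlServerRoleStatus $login $acct.SqlRoles
        foreach ($role in $roles.Keys) {
            if ($roles[$role] -ne 'ok') { $problems += "SQL ${role}: $($roles[$role])" }
        }
    }
    [pscustomobject]@{
        Account  = $login
        Status   = if ($problems.Count -eq 0) { 'OK' } else { 'FAIL' }
        Problems = ($problems -join '; ')
    }
}
$report | Format-Table -AutoSize
```

Run it from a farm server before starting setup; every row should read OK. The sample list gives all ten accounts the same password; when you actually create them, give each its own, because an account such as the server farm account is DBO of every database in the farm, and a password shared across the set turns a leak of any one account into a farm-wide one.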

Free Trial Virtual Hard disks/ Virtual PC Images To Test Microsoft Technologies

Go to Microsoft’s Free Virtual HDD Site: you should be able to download virtual images for all of the technologies and play around with cutting-edge products such as Windows 2008, VS 2008, BizTalk, SharePoint (MOSS 2007), Office 2007 and so on. You need Virtual Server 2005 to run these images, and it is 30-day evaluation software, so be careful and save your data.

11 Essential Tools for Managing Active Directory

If you’ve ever been handed an Excel spreadsheet listing 200 new employees starting next week, or if your user accounts are configured incorrectly because help desk staff clicked something they shouldn’t have, or if you just want an easier way to manage Active Directory® besides opening Users and Computers every time, there are a number of free administration tools that can help. Some are built right into the Windows® OS, some come in a Resource Kit or the Windows Support Tools, and some are free third-party tools. What are these handy tools and where can you get them? Let’s find out. Read this post.

Custom Authentication using SiteMinder for MOSS

WSS 3.0 and MOSS custom authentication using a third-party component (SiteMinder). – Vlad’s Blog

I stumbled upon the above blog post, which talks about implementing custom authentication using forms based authentication to authenticate users through SiteMinder. I have read a couple of other blogs about the same topic, but this blog is unique: it explains the topic well in layman’s terms. However, this blog didn’t mention the technical implementation in detail and didn’t mention anything about providing multiple authentication providers. But it sure will help me in my case, where I have to implement dual authentication, i.e. clients are authenticated through SiteMinder and the internal employees through Active Directory.

Multiple or Dual Authentication for a Single Web Application in Sharepoint Office System 2007

The two blog posts below are an excellent help for anyone looking to implement more than one authentication mechanism.

Let me clarify why someone would look to implement multiple authentication: usually companies and corporations keep their user or employee accounts in Windows Active Directory. When SharePoint/MOSS is installed, it supports authenticating users against Active Directory by default. Thus, when a web application is extended, the default zone (which would be the intranet zone) authenticates users against Active Directory. The same application could be extended to an extranet zone, still using Active Directory. But let’s say a company wants to provide the SharePoint site to its clients or partners, who are not in its employee Active Directory. The company might have all of its clients/partners in a separate directory or data store, such as SQL Server or other LDAP implementations like SiteMinder. So the web application should be able to authenticate both users from its employee Active Directory and the partners or clients who are in a separate directory.

Assuming that all of those users are in a SQL Server database, the same web application can be extended to an internet zone that provides forms based authentication to authenticate users against SQL Server. If the company wants to allow anonymous access, i.e. anyone can see the default content on the site, the same internet zone’s properties can be changed to allow anonymous access. Thus a company can have:

  1. Internet Website which can be accessed by anyone (Limited access)
  2. Internet/Extranet access for the clients or partners using the form based authentication
  3. Intranet/Extranet access for the employees of the company, who can use their Active Directory credentials.

Case Study:

Company name: orange
Extranet site: http://ext.orange.com – Active Directory
Internet site: http://clients.orange.com – Forms Based Authentication

I would like to add a point which the above 2 blogs didn’t mention but is crucial for the setup to work properly.

The identity (user account) of the application pool associated with the web application must be given access to both the site’s database and the membership database in SQL Server. Unless this is done, forms based authentication fails even when the correct user credentials are supplied.
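The PowerShell below is an added example, not part of the original post or of the two blogs it refers to, showing how to grant the application pool identity that access and how to verify it afterwards. It assumes the forms based membership store is an ASP.NET SqlMembershipProvider database created with aspnet_regsql.exe (the aspnet_* roles it grants are created by that tool); the SQL Server name, the database name aspnetdb and the identity ORANGE\clientsapppool are placeholders built from the case study above.

```powershell
# Added example, not from the original post: give the web application's app pool
# identity access to the forms-based membership database, then verify it.
function Invoke-SqlQuery([string]$SqlServer, [string]$Database, [string]$Query, [hashtable]$Params = @{}) {
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        foreach ($name in $Params.Keys) { [void]$cmd.Parameters.AddWithValue($name, $Params[$name]) }
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $reader.GetValue(0) }   # first column of each row, if any
    } finally { $conn.Close() }
}

function Grant-MembershipDatabaseAccess([string]$SqlServer, [string]$Database, [string]$Identity) {
    # CREATE LOGIN / CREATE USER cannot take the principal as a parameter, so the
    # names are spliced into DDL: accept only a plain DOMAIN\name and a plain
    # database name before building the batch.
    if ($Identity -notmatch '^[A-Za-z0-9_.-]+\\[A-Za-z0-9_.$-]+$') { throw "Identity '$Identity' is not a plain DOMAIN\name" }
    if ($Database -notmatch '^[A-Za-z0-9_]+$') { throw "Unexpected database name '$Database'" }
    $quoted = "[$Identity]"
    $ddl = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Identity')
    CREATE LOGIN $quoted FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Identity')
    CREATE USER $quoted FOR LOGIN $quoted;
"@
    # Only the provider's own roles: enough for ValidateUser and role lookups,
    # not db_owner on the membership store. Each grant is guarded so re-running is safe.
    foreach ($role in 'aspnet_Membership_FullAccess', 'aspnet_Roles_FullAccess') {
        $ddl += @"

IF NOT EXISTS (SELECT 1 FROM sys.database_role_members rm
               JOIN sys.database_principals r ON rm.role_principal_id   = r.principal_id
               JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
               WHERE r.name = N'$role' AND m.name = N'$Identity')
    EXEC sp_addrolemember N'$role', N'$Identity';
"@
    }
    Invoke-SqlQuery $SqlServer 'master' $ddl | Out-Null
}

function Get-DatabaseRoles([string]$SqlServer, [string]$Database, [string]$Identity) {
    # Verification, fully parameterised: the database roles the identity holds.
    $query = @'
SELECT r.name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE m.name = @identity
'@
    return @(Invoke-SqlQuery $SqlServer $Database $query @{ '@identity' = $Identity })
}

# Placeholder values: the case-study domain with an invented app pool account
Grant-MembershipDatabaseAccess -SqlServer 'SQL01' -Database 'aspnetdb' -Identity 'ORANGE\clientsapppool'
Get-DatabaseRoles -SqlServer 'SQL01' -Database 'aspnetdb' -Identity 'ORANGE\clientsapppool'
```

The script only touches the membership store, because the content database side is what the account table above says SharePoint assigns itself (the app pool identity becomes a member of the Database Owners group of its content databases). Get-DatabaseRoles can be pointed at the content database as well to confirm that db_owner is really there before blaming the sign-in page.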

On the Internet zone, even after enabling forms based authentication, opening the site might prompt for Windows credentials before showing the sign-in page. If this happens, enable anonymous access either through Central Administration or in IIS.

IIS Authentication Model and Options

IIS 6.0 Authentication Model: An important part of many distributed applications is the ability to identify someone, known as a principal or client, and to control the client’s access to resources. Authentication is the act of validating a client’s identity. Generally, clients must present some form of evidence, known as credentials, proving who they are for authentication. Typically, credentials include a username/password pair.

SharePoint Portal 2003 is built upon IIS 6.0. Let’s first take a look at the authentication model of IIS.

IIS provides a variety of authentication schemes:

Anonymous (enabled by default):
Anonymous authentication allows a user to access web and FTP sites without having to provide a username and password. When a client user accesses a web or FTP site, IIS uses the Internet Guest Account to authenticate that user.

The Internet Guest Account is created when IIS is installed, and it is named IUSR_<Computername>, where <Computername> is the name of the host machine. Having an account to use for anonymous access allows you to configure which resources all anonymous users can access on your server. The anonymous account is also added to the Guests group when IIS is installed, so any restrictions or permissions applied to that group also apply to the account.

Basic Authentication:
When a server uses Basic Authentication, the Web browser (or the FrontPage client) prompts the user for a name and password. The user name and password are then transmitted across HTTP, in clear text. Using this user name and password, IIS authenticates the corresponding Windows NT user.
To use Basic authentication, a user account must be defined on either the local machine or on a trusted domain controller. The account-based access control is all done through the NT File System (NTFS) permissions on the file system.

Integrated Windows authentication:
Integrated Windows authentication is the most secure method of authentication, but it is available only with Internet Explorer. In Integrated Windows authentication, the user’s browser proves itself to the server using a cryptographic exchange during the authentication process.

Integrated Windows authentication supports both the Kerberos v5 and the NTLM (NT LAN Manager) protocols for authentication through the Negotiate package.

Digest Authentication:
Like Basic Authentication, Digest Access Authentication is based on a simple challenge-response method. The Digest scheme challenges using a nonce value (a server-specified data string which may be uniquely generated each time a 401 response is issued). A valid response contains a checksum of the user name, the password, the given nonce value, the HTTP method, and the requested URL. In this way, the password is never sent as easily decoded text, which is Basic Authentication’s biggest weakness.

.NET Passport Authentication:
IIS 6 can use Microsoft’s .NET Passport to authenticate users requesting resources from a web site or a web site virtual directory. The benefit that this solution offers is that the credentials are stored and managed on another server that you are not responsible for building or maintaining. Users can authenticate using the .NET Passport service and then be allowed access to the web site hosted on your WS03 server.

This is an extract from here. I will soon post on the SharePoint authentication model and its integration with SiteMinder LDAP.

Select Site Columns Quickly

A Tip For SharePoint Developers: XSLT Is Your Friend

In this blog entry it is explained how you can leverage XSLT to transform the fieldref.xml file to find site columns quickly. The XSLT filters on the field name and emits the FieldRef XML snippet, so that a single copy and paste puts it into the feature’s XML file.
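As an added example of the approach described above (this is not the linked blog entry’s own stylesheet), the PowerShell below runs an XSLT with the .NET XslCompiledTransform against a field definition document and returns the FieldRef snippet for one named site column. The input document is constructed here with placeholder GUIDs; it follows the Elements/Field shape of a SharePoint field definition file. Only the column name is passed in as a parameter, so the same stylesheet serves any site column.

```powershell
# Added example, not from the original post: pull a content type's FieldRef for a
# named site column out of a field definition file with XSLT.
$fieldDefinitions = @'
<?xml version="1.0" encoding="utf-8"?>
<Elements xmlns="http://schemas.microsoft.com/sharepoint/">
  <Field ID="{00000000-0000-0000-0000-000000000001}" Name="Title"       Group="Core Columns"   Type="Text" DisplayName="Title" />
  <Field ID="{00000000-0000-0000-0000-000000000002}" Name="Author"      Group="Core Columns"   Type="User" DisplayName="Created By" />
  <Field ID="{00000000-0000-0000-0000-000000000003}" Name="ProjectCode" Group="Orange Columns" Type="Text" DisplayName="Project Code" />
</Elements>
'@

$fieldRefStylesheet = @'
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:sp="http://schemas.microsoft.com/sharepoint/"
    exclude-result-prefixes="sp">
  <xsl:output method="xml" indent="yes" omit-xml-declaration="yes"/>
  <!-- Internal name of the site column to look up; supplied by the caller -->
  <xsl:param name="fieldName"/>
  <xsl:template match="/">
    <FieldRefs>
      <!-- Field elements live in the SharePoint namespace, hence the sp: prefix -->
      <xsl:for-each select="/sp:Elements/sp:Field[@Name = $fieldName]">
        <!-- The ID/Name pair is exactly what a content type's FieldRef needs -->
        <FieldRef ID="{@ID}" Name="{@Name}"/>
      </xsl:for-each>
    </FieldRefs>
  </xsl:template>
</xsl:stylesheet>
'@

function Get-FieldRefSnippet([string]$Definitions, [string]$Stylesheet, [string]$FieldName) {
    $xslt = New-Object System.Xml.Xsl.XslCompiledTransform
    $xslt.Load([System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $Stylesheet)))

    $xsltArgs = New-Object System.Xml.Xsl.XsltArgumentList
    $xsltArgs.AddParam('fieldName', '', $FieldName)

    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $Definitions))
    $writer = New-Object System.IO.StringWriter
    $xslt.Transform($reader, $xsltArgs, $writer)
    return $writer.ToString()
}

Get-FieldRefSnippet $fieldDefinitions $fieldRefStylesheet 'ProjectCode'
```

The call returns a FieldRefs element containing one FieldRef with the matching ID and Name, ready to paste into the FieldRefs section of a content type definition; to run it against a real file, read the file with Get-Content -Raw and pass the text in place of the constructed document.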