Thursday, June 21, 2012

Advanced SharePoint Extranet Management: Implementing Extranet Collaboration Manager (ExCM) 2010 Advanced Features – Part 3 - User Automation



by Matthew McBride, SharePoint Solutions

One problem that SharePoint Server Administrators regularly encounter is this:
How can I know when an extranet user from a partner company leaves the company, and how can I avoid accumulating inactive accounts for users that no longer exist that are just “sitting out there?” 


Unfortunately, it is nearly impossible to keep up with the “comings and goings” of extranet users who are employees of partner companies.

But Extranet Collaboration Manager 2010 (ExCM) contains within it the capability of helping our clients with specific extranet user security needs like this. The ExCM User Automation (UA) feature can be used to apply recurring policies to accounts residing in the ExCM user database.  These policies are applied by a SharePoint Timer Job, which periodically inspects each account.  UA can be used to expire user accounts based on attributes such as periods of inactivity or failure to update their password within a specified period, solving the problem of user account “housekeeping.”



Configuration
As with the other ExCM Advanced Features (see the previous two posts), you first need to enable the SharePoint Service object, which is used to provide farm-wide services and configuration data.  To activate the service, open the SharePoint Management Shell and type the following command:


Next, create a new User Automation job:



Now, provide values for a few parameters:

PolicySite – URL of the SharePoint site running ExCM 2010

Schedule – frequency at which the job will be executed. Examples:
"every 5 minutes between 0 and 4"
"hourly between 0 and 59"
"daily at 15:00:00"
"weekly between Fri 22:00:00"
"monthly at 15 15:00:00"
"yearly at Jan 1 15:00:00"
In this example, I will have the job run daily:


Once that is configured, a new menu appears under “Extranet Settings” on the Site Settings page:
From within this menu, all UA options are available.  You can expire accounts based on two attributes: activity and password change.  You can also choose to use both attributes in combination.  Available options include when the policy will go into effect; how far ahead of that time the user will receive an email notification; and how often the expiration notification will be repeated:


In this case, I would like to expire accounts based on inactivity. To achieve this, I will disable all the password attributes using the default values provided:


Now that the User Automation options have been configured via the ExCM user interface, I’ll need to edit the OWSTIMER.EXE configuration. Specifically, the job must be able to read and write data to the database where the extranet users are located.  This file is found at the following location:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\OWSTimer.exe.config

Below is a sample configuration file that allows the service to connect to the extranet database:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <connectionStrings>
    <add name="ExtranetDirectory" connectionString="Data Source=[servername];Initial Catalog=ExtranetDirectory;Integrated Security=SSPI"/>
  </connectionStrings>
  <system.web>
    <membership defaultProvider="Ext">
      <providers>
        <add name="Ext" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ExtranetDirectory" enablePasswordRetrieval="false" passwordFormat="Hashed" applicationName="/" requiresUniqueEmail="true" enablePasswordReset="true" requiresQuestionAndAnswer="true" maxInvalidPasswordAttempts="10" passwordAttemptWindow="10" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordStrengthRegularExpression=""/>
      </providers>
    </membership>
    <roleManager defaultProvider="ExtRole" enabled="true" cacheRolesInCookie="false">
      <providers>
        <add name="ExtRole" connectionStringName="ExtranetDirectory" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </providers>
    </roleManager>
  </system.web>
</configuration>

Please note that some values in the example above, such as SQL server name and membership providers, may be different in your file.  Once the edits have been made and the file has been saved, be sure to perform an IIS reset.
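Before the IIS reset, it is worth confirming that the edited file still parses and that the membership and role providers line up with the connection string they name. The PowerShell below is an added example, not ExCM's code or the original post's, that performs that check from the SharePoint Management Shell; it assumes the default 14-hive path given above and the element names used in the sample file.

```powershell
# Added example: sanity-check OWSTimer.exe.config before restarting IIS.
# Assumes the default SharePoint 2010 path from the post; adjust $configPath for your farm.
$configPath = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\OWSTimer.exe.config'

function Test-ExcmTimerConfig {
    param([Parameter(Mandatory=$true)][string]$Path)
    $findings = @()

    # 1. The file must be well-formed XML; a missing space between two attributes is enough to break it.
    try {
        [xml]$cfg = Get-Content -Path $Path -ErrorAction Stop
    } catch {
        return "OWSTimer.exe.config is not well-formed XML: $($_.Exception.Message)"
    }
    $web = $cfg.configuration.'system.web'

    # 2. Every membership/role provider must reference a connection string that is declared.
    $connNames = @($cfg.configuration.connectionStrings.add | ForEach-Object { $_.GetAttribute('name') })
    $providers = @($web.membership.providers.add) + @($web.roleManager.providers.add)
    foreach ($p in $providers) {
        if ($connNames -notcontains $p.connectionStringName) {
            $findings += "Provider '$($p.GetAttribute('name'))' uses undeclared connection string '$($p.connectionStringName)'."
        }
    }

    # 3. defaultProvider must name one of the declared membership providers.
    $memberNames = @($web.membership.providers.add | ForEach-Object { $_.GetAttribute('name') })
    if ($memberNames -notcontains $web.membership.defaultProvider) {
        $findings += "membership defaultProvider '$($web.membership.defaultProvider)' is not declared."
    }

    # 4. Credential storage hygiene: hashed passwords and no plaintext retrieval.
    foreach ($p in @($web.membership.providers.add)) {
        if ($p.passwordFormat -and $p.passwordFormat -ne 'Hashed') {
            $findings += "Provider '$($p.GetAttribute('name'))' uses passwordFormat='$($p.passwordFormat)'; expected 'Hashed'."
        }
        if ($p.enablePasswordRetrieval -eq 'true') {
            $findings += "Provider '$($p.GetAttribute('name'))' has enablePasswordRetrieval=true; set it to false."
        }
    }

    # 5. Prefer Windows authentication over a SQL password embedded in the config file.
    foreach ($cs in @($cfg.configuration.connectionStrings.add)) {
        if ($cs.connectionString -notmatch 'Integrated Security\s*=\s*(SSPI|true)') {
            $findings += "Connection string '$($cs.GetAttribute('name'))' does not use Integrated Security."
        }
    }
    return $findings
}

$result = @(Test-ExcmTimerConfig -Path $configPath)
if ($result.Count -eq 0) { 'OWSTimer.exe.config looks consistent.' } else { $result }
```

An empty result means the file parsed and the providers resolve; any line printed is something to fix before the IIS reset.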
Now that I have configured the UA options and subsequently configured the timer job, I want to monitor the job’s execution.  Here’s how you do it.  Navigate to Central Administration:

  1. From Central Administration’s Home page, click Monitoring
  2. On the Monitoring page, under the Timer Job section, click Check job status
  3. From the Timer Job Status page, in the view filter, click Service
  4. In the Service filter, click Change Service
  5. From the Select Service dialog, click Extranet Service


In summary, many organizations using ExCM to manage their extranet need to provide specific and ongoing security for extranet user accounts.  For example, if an employee with an extranet account leaves the company, a “live” account with working security credentials is potentially abandoned.  Realistically, it is nearly impossible for a client running a SharePoint extranet to manually keep up with the employment status of extranet users from partner companies. Without ExCM 2010’s User Automation functionality, abandoned extranet user accounts would accumulate and could pose a security threat.  With ExCM 2010’s UA feature, SharePoint Administrators can have the peace of mind of knowing that abandoned accounts can be expired automatically based on periods of inactivity, failure to update passwords, or both.