Updated on 2009 may 29 thanks to Michael Hanes (see this post comments)
Updated on 2009 may 20 from Configure search service account for a moss 2007 farm
Summary
Prerequisites
1 - Farm topology
2 - Installation
3 - Domain user accounts
3.1 Excerpt of Office SharePoint Server Security Account Requirements
3.2 MOSS Search Required Domain User Accounts
Required Tasks Overview
1 - Recommended required tasks sequence
2 - Reference documentations
Starting and Configuring Office SharePoint Server Search
1 - Starting the Search
2 - Creating the SSP Web Application and the MySite Web Application
2.1 Create the SSP Web Application
2.2 Create the MySite Web Application
3 - Creating the SSP
4 - Configuring the basic Search within the Shared Services Administration Site
4.1 Specify the default content access account
4.2 Create content sources
5 - Test the MOSS Search
This post includes the key steps for starting and configuring Office SharePoint Server Search for a small server farm.
A small server farm is defined as: components scaled to two tiers (at least two servers) with either a dedicated WFE or a dedicated database.
I have chosen for this post the topology with the dedicated database.
In this post, we are going to describe the steps required to start and configure the MOSS search for the single WFE of the small farm, in order to comply with the Least Privilege Administration policy using Domain User Accounts.
The following is an excerpt from the Technet article Plan for administrative and service accounts (Windows SharePoint Services), explaining what least-privilege administration is.
[...]
Least-privilege administration requirements when using domain user accounts
Least privilege administration is a recommended security practice in which each
service or user is provided with only the minimum privileges needed to accomplish
the tasks they are authorized to perform. This means that each service is granted
access to only the resources that are necessary to its purpose. The minimum requirements
to achieve this design goal include the following:
- Separate accounts are used for different services and processes.
- No executing service or process account is running with local administrator permissions.
By using separate service accounts for each service and limiting the permissions
assigned to each account, you reduce the opportunity for a malicious user or process
to compromise your environment.
Least privilege administration with domain user accounts is the recommended configuration
for most environments.
[...]
The configuration for this post is described in the following table and illustration.
Roles and servers for physical servers:
Role | Server name
SQL Server 2005 database | SQL1
Index server | MOSS1
Front-end Web server | MOSS1
Query server | MOSS1
The following illustration shows the topology for the roles and servers described in the preceding table.
You have already installed MOSS 2007 on the Web Front End server, and are
just ready to start and configure MOSS search.
3.1 Excerpt of Office SharePoint Server Security Account Requirements
Here is the HTML version of the part of Office SharePoint Server security account requirements (http://go.microsoft.com/fwlink/?LinkID=92883&clcid=0x409) dedicated to the SSP and therefore to the MOSS search.
The original table has the following columns: Account; Purpose; Single server standard requirements; Server farm standard requirements; Least privilege administration using domain user accounts; Least privilege administration using SQL authentication; Least privilege administration with domain user accounts when connecting to pre-created databases. Each account is listed below with its value for each column.

Account: SSP application pool account
Purpose: Application pool identity for the shared services administration Web application.
Single server standard requirements: No manual configuration is necessary.
Server farm standard requirements: No manual configuration is necessary. The following are automatically configured:
- Membership in the db_owner role for the SSP content database.
- Access to read from and write to the SSP content database.
- Access to read from and write to content databases for Web applications that are associated with the SSP.
- Access to read from the configuration database.
- Access to read from the Central Administration content database.
- Additional permissions to front-end Web servers and application servers are automatically granted.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- For security isolation, use a separate service account for each SSP.
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the local Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- For security isolation, use a separate service account for each SSP.

Account: SSP service account
Purpose: Used by the following:
- SSP Web services for inter-server communication
- SSP Timer service to run specific types of jobs
- Application pool identity of the application pool associated with the virtual directory associated with a given SSP
Single server standard requirements:
- No manual configuration is necessary.
- This account should not be a member of the Administrators group on any computer in the server farm.
- Use a domain user account.
Server farm standard requirements:
- No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted.
- This account should not be a member of the Administrators group on any computer in the server farm.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:
- Users group
- WSS_Content_Application_Pools database role
After the content database for the Shared Services Administration site, the SSP database, and the SSP search database are created, add this account to the following for each of these databases:
- Users group
- db_owner role
After My Sites are created, add this account to the following for the My Sites Web application content database:
- Users group
- db_owner role
After each content database is created, add this account to the following:
- Users group
- db_owner role

Account: Office SharePoint Server Search service account
Purpose: Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service and it is used by all SSPs.
Single server standard requirements: By default, this account runs as the Local System account.
Server farm standard requirements: If you want to crawl remote content by changing the default content access account or by using crawl rules, change this to a domain user account. If you do not change this account to a domain user account, you cannot change the default content access account to a domain user account or add crawl rules to crawl this content. This restriction is designed to prevent elevation of privilege for any other process running as the Local System account.
- Must be a domain user account.
- Although the Microsoft .doc documentation says "Must be a member of the Farm Administrators group on the server", if you refer to the HTML documentation, it says "Must not be a member of the Farm Administrators group". I flagged this mismatch as a bug to Technet and think that this account must not be a member of the Farm Administrators group. (See this post's comments.)
The following are automatically configured:
- Access to read from the configuration database.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:
- Users group
- WSS_Content_Application_Pools database role
After the SSP database and the SSP search database are created, add this account to the following for each of these databases:
- Users group
- db_owner role

Account: Default content access account
Purpose: The default account used within a specific SSP to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.
Single server standard requirements: No manual configuration is necessary if this account is only crawling local farm content. If you want to crawl remote content by using crawl rules, change this to a domain user account, and apply the requirements listed for a server farm.
Server farm standard requirements:
- Must be a domain user account.
- Must not be a member of the Farm Administrators group.
- Read access to external or secure content sources that you want to crawl by using this account.
- For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.
The following are automatically configured:
- Full Read permissions are automatically granted to content databases hosted by the server farm.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.
- Do not grant the default content access account access to the directory service.
For added security, use a different default content access account for each SSP.
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login on the SQL Server host.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.
- Do not give the default content access account access to the directory service.
For added security, use a separate default content access account for each SSP.
After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:
- Users group
- WSS_Content_Application_Pools database role

Account: Content access account
Purpose: A specific account that is configured to access a content source. This account is optional and is specified when you create a new crawl rule. For example, content sources that are external to Office SharePoint Server (such as a file share) might require a different content access account.
Single server standard requirements: Same as the SSP default content access account listed previously.
Server farm standard requirements:
- Read access to external or secure content sources that this account is configured to access.
- For Web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.

Account: Profile import default access account
Purpose: Used to:
- Connect to a directory service, such as the Active Directory directory service, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog application, or other directory source.
- Import profile data from a directory service.
If no account is specified, the default content access account is used. If the default content access account does not have read access to the directory or directories that you want to import data from, use a different account. You can plan up to one account per directory connection.
Single server standard requirements: Same requirements as server farm.
Server farm standard requirements:
- Read access to the directory service.
- If Enable Server Side Incremental is selected for an Active Directory connection and the environment is Windows 2000 Server, the account must have the Replicate Changes permission in Active Directory. This permission is not required for Windows Server 2003 Active Directory environments.
- Manage User Profiles personalization services permission.
- View permissions on entities used in Business Data Catalog import connections.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- This account can be the same account as the default content access account, or you can use a separate account.
- Read access to the directory service.
- Manage User Profiles personalization services permission.
- This account should not be a member of the Administrators group on any computer in the server farm.
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions:
- Use a separate domain user account.
- This account can be the same account as the default content access account, or you can use a separate account.
- Use an account that has read access to the directory service and the Manage User Profiles personalization services permission.
This account should not be a member of the Administrators group on any computer in the server farm.

Account: Excel Services unattended service account
Purpose: The account that Excel Calculation Services uses to connect to external data sources that require a non-Windows user name and password string for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although the account credentials are used to connect to non-Windows data sources, the account must be a member of the domain in order for Excel Calculation Services to use it.
Single server standard requirements: Must be a domain user account.
Server farm standard requirements: Must be a domain user account.
Least privilege administration using domain user accounts: Must be a domain user account.
Least privilege administration using SQL authentication: Must be a domain user account.
Least privilege administration with domain user accounts when connecting to pre-created databases: Must be a domain user account.
3.2 MOSS Search Required Domain User Accounts
If we follow the recommendations of the previous table, we need the following Domain User Accounts to start and configure the MOSS Search (I have used orange color for the least privilege administration requirements and red color for manual operations).

Account Name | Account Description | Least privilege administration using domain user accounts
SPS_WebAppSSP1 | SSP application pool account (application pool identity of the SSP Web Application) | Use a separate domain user account.
SPS_SSP1_Service | SSP service account (SSP Service Credentials) | Use a separate domain user account.
SPS_MossSearch | Office SharePoint Server Search service account (Farm Search Service Account) | Use a separate domain user account.
SPS_DefaultContent | Default content access account (cannot write "access" because the logon name is limited to 20 characters) | Use a separate domain user account.
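As an added example (not part of the original post), the following PowerShell script checks two of the least privilege requirements listed above against this post's topology: that none of the four service accounts is a member of the local Administrators group on MOSS1 or SQL1, and that the Office SharePoint Server Search service runs as the domain account rather than Local System. The domain name CONTOSO and the Windows service name OSearch are assumptions; adjust them to your farm.

```powershell
# Added example, not from the original post: audit the MOSS search service
# accounts against the least-privilege requirements of the table above.
# Assumptions: domain 'CONTOSO' is a placeholder; MOSS1/SQL1 are the servers
# of this post's topology; run from MOSS1 with rights to read local groups.

$domain   = 'CONTOSO'
$servers  = @('MOSS1', 'SQL1')
$accounts = @('SPS_WebAppSSP1', 'SPS_SSP1_Service', 'SPS_MossSearch', 'SPS_DefaultContent')

# Requirement: NOT a member of the local Administrators group on any server
# in the farm, including the computer running SQL Server.
function Get-LocalAdminMembers([string]$server) {
    $group = [ADSI]"WinNT://$server/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        # Each member is a COM object; its ADsPath looks like WinNT://CONTOSO/SPS_MossSearch
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$findings = @()
foreach ($server in $servers) {
    $members = Get-LocalAdminMembers $server
    foreach ($acct in $accounts) {
        if ($members -contains "WinNT://$domain/$acct") {
            $findings += "$acct is a member of local Administrators on $server"
        }
    }
}

# Requirement: the Office SharePoint Server Search service must run as the
# domain account (SPS_MossSearch), not as Local System. 'OSearch' is the
# assumed Windows service name of Office SharePoint Server Search.
$svc = Get-WmiObject -Class Win32_Service -ComputerName 'MOSS1' -Filter "Name='OSearch'"
if ($svc -eq $null) {
    $findings += 'OSearch service not found on MOSS1 (is the search service started?)'
} elseif ($svc.StartName -ne "$domain\SPS_MossSearch") {
    $findings += "OSearch runs as '$($svc.StartName)', expected $domain\SPS_MossSearch"
}

if ($findings.Count -eq 0) {
    Write-Host 'OK: search service accounts pass the least-privilege checks.'
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}
```

The script does not check Farm Administrators membership (managed in Central Administration) or the SQL Server login requirement, which only applies to the SQL authentication column.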
1 - Recommended required tasks sequence
First we will start the Office SharePoint Server Search.
It can seem paradoxical, but we need to start Office SharePoint Server Search before having created an SSP, because when performing this task we define an Index Server in the "Query and Indexing" section, and we need to have an Index Server defined when creating an SSP.
Because we are in a small server farm topology, we will use our single Web Front End server for both search queries and indexing.
Starting the Office SharePoint Server Search will also initialize its Service Account.
You will notice that no specific permissions are required for this service account on the SSP's databases or on the databases of the Web Applications associated with the SSPs, so we can start the Office SharePoint Server Search before having created any SSP.
Then we will create two Web Applications, one for the SSP and another for the MySite feature, because it is recommended to use two different Web Applications for them.
Finally we will configure the Office SharePoint Server Search within the newly created SSP.
2 - Reference documentations
- Plan for administrative and service accounts
- Configure index and query servers
- Create and configure Shared Services Providers
Starting and Configuring Office SharePoint Server Search
1 - Starting the Search
In Central Administration, on the Operations tab, in the Topology and Services section, click Services on server.
On the Services on Server page:
If the server name that appears is not the server that you want to configure, click the arrow next to the server name, click Change Server, and then click the server for which you want to enable or disable the index server role or query server role.
In the Start services in the table below section, in the Status column for Office SharePoint Server Search, if the status is Stopped, in the Action column click Start.
Click Office SharePoint Server Search.
On the Configure Office SharePoint Server Search Service Settings page, in the Query and Indexing section, enable server roles for the server as appropriate for your configuration:
- select Use this server for indexing content.
- select Use this server for serving search queries.
On the Configure Office SharePoint Server Search Service Settings page, in the Farm Search Service Account section, type the Office SharePoint Server Search service account credentials (do not forget to specify the Domain name).
Although the Microsoft .doc documentation says "Must be a member of the Farm Administrators group on the server", if you refer to the HTML documentation, it says "Must not be a member of the Farm Administrators group". I flagged this mismatch as a bug to Technet and think that this account must not be a member of the Farm Administrators group. (See this post's comments.)
Notice that the Index Server Default File is now defined.
Web Front End and Crawling
This section must be taken into account, because unexpected issues can occur if you check "Use a dedicated web front end computer for crawling". So read it carefully and choose a dedicated web front end only if necessary.
For example, a problem may occur with the C:\WINDOWS\system32\drivers\etc\hosts file, as described in this post:
Eventid 6482 - Reason: Access to the path 'C:\WINDOWS\system32\drivers\etc\HOSTS' is denied.
To save changes and return to the Services on Server page, click OK.
The search service is now started.
You can also check it in the Services MMC.
2 - Creating the SSP Web Application and the MySite Web Application
2.1 Create the SSP Web Application
In Central Administration, on the Operations tab, in the SharePoint Web Application Management section, click Create or extend Web application.
On the Create or Extend Web Application page, click "Create a new Web application".
On the Create New Web Application page:
Choose your web application name, port and database name; leave the other values at their defaults.
In the Application Pool section, select Configurable and type the credentials for the SPS_WebAppSSP1 service account.
2.2 Create the MySite Web Application
Perform the same operations as above for the MySite Web Application. I did not specify a specific service account for this web application, but in order to respect least privilege administration you should create a service account for this web application that is not a member of the servers' local Administrators group.
3 - Creating the SSP
In Central Administration, on the Quick Launch menu, click Shared Services Administration.
On the Manage this Farm's Shared Services page, click New SSP.
On the New Shared Services Provider page:
In the SSP Name section, use the drop-down list to select the previously created SSP Web Application.
In the My Site Location section, use the drop-down list to select the previously created MySite Web Application.
In the SSP Service Credentials section, type the SPS_SSP1_Service service account credentials.
Notice that in the Index Server section the index server name and the Path for index file location have been retrieved.
Leave the default values for the other fields and click OK.
Wait while SharePoint is provisioning your SSP...
SharePoint then displays the Success! page.
4 - Configuring the basic Search within the Shared Services Administration Site
On the previous Success! page, click the shared services administration site link.
The shared services administration site home page opens.
For a complete configuration, see Configure the Office SharePoint Server Search service (Office SharePoint Server).
4.1 Specify the default content access account
On the Shared Services Administration page, in the Search section, click Search
settings.
On the Configure Search Settings page, in the Crawl settings section, click Default
content access account.
On the Default Content Access Account page, in the Account box, type the domain and user name for the account (in the form domain\username), here SPS_DefaultContent.
In the Password and Confirm Password boxes, type the password for the account.
Be sure that this account has read access to external or secure content sources that you want to crawl by using this account.
For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.
Click OK.
You are taken back to the Configure Search Settings page and can check the new value for the Default Content Access Account.
4.2 Create content sources
(On the Shared Services Administration page, in the Search section, click Search
settings.)
On the Configure Search Settings page, in the Crawl Settings section, click Content
sources and crawl schedules.
On the Manage Content Sources page, click New Content Source.
On the Add Content Source page, in the Name section, in the Name box, type a name
for the content source.
Note:
Each content source name must be unique within the SSP in which it is created.
In the Content Source Type section, select the type of content you want to crawl
by using this content source.
In the Start Addresses section, in the Type start addresses below (one per line)
box, type the URLs from which the search system should start crawling.
Note:
For performance reasons, you cannot add the same start addresses to multiple content
sources.
In the Crawl Settings section, select the behavior for the type of content you selected.
In the Crawl Schedules section, you can specify when to start full and incremental
crawls.
You can create a full crawl schedule by clicking the Create Schedule link below
the Full Crawl list.
You can create an incremental crawl schedule by clicking the Create Schedule link
below the Incremental Crawl list.
Click OK.
By default the Search settings come with a default Content Source: Local Office SharePoint Server sites.
Using this default Content Source's contextual menu, start a full crawl.
The full crawl starts...
You can check the crawling progress by going back to the Configure Search Settings page; if you refresh the page, you will notice that the Items in index: field value changes while SharePoint is crawling your farm content.
When the crawling is done, the indexing status goes back to Idle on the Configure Search Settings page.
5 - Test the MOSS Search
You can then go to one of your SharePoint sites and perform a search operation in order to check that your content was properly indexed and the MOSS search is working well.