Publishing SharePoint 2007 with ISA 2006 and Kerberos delegation

For a while, I’ve been trying to set up SharePoint 2007 publishing using ISA Server 2006 with Kerberos delegation.

There are numerous articles available on how to accomplish this task, but even when doing things just fine, I came across one nasty error.

Some users were not able to log in to the SharePoint farm and were seeing this error message:

Value cannot be null.
Parameter name: ptr

After some trial and error, I could reproduce this behavior by following these steps:

  1. Create a new user on your AD
  2. Do NOT log in with this user on any domain resource yet (website, workstation, …)
  3. Log in from external (so via the ISA) with this user, specifying the username as the UPN username (username@domain)

The only solution I found was not using Kerberos delegation on the SharePoint publishing rule but instead using NTLM authentication.

Lately, I came across this Microsoft KB:
KB946358 - The LsaLookupSids function may return the old user name instead of the new user name if the user name has changed on a domain controller

Implementing this registry key with a value of 0 on the SharePoint front-end web servers did the trick and I was finally able to configure SharePoint publishing using Kerberos delegation through ISA 2006.

Running Word 2007 (or other Office programs) as Local System on Windows Server 2008

If you ever tried to run Word 2007 as Local System on Windows Server 2008, you probably came across two nasty problems:

  1. the initial dialog box Word presents when it is opened for the first time, which has to be circumvented
  2. a problem with the Building Blocks template (Building Blocks.dotx)

To solve these, use this two-step process:

1. Initial dialog box

To solve this, we need to be able to start Word in the Local System user context. The easiest way to do so is to get the psexec tool from Sysinternals (part of the PsTools suite) and run this command from an elevated command prompt:
psexec -i -s cmd.exe

From within this new command prompt, browse to
C:\Program Files\Microsoft Office\Office12\
and execute the command
WINWORD.EXE

You will now be presented with the initial dialog box, where you can choose the needed options.

2. Building Blocks template problem

From the moment you have chosen the needed options in the previous step, you will probably see this warning message:

Following the solution in MS KB925175 won’t help you any further, since there is nothing wrong with the template itself.

The solution is very simple: create a Desktop folder within the Local System profile. To do so follow the steps below.

1. Get the correct user profile path:
At the same command prompt as above, execute the command echo %userprofile%
You will get an output like
C:\Windows\system32\config\systemprofile

2. Browse to this location and create a new folder called Desktop within this path. Make sure the permissions are set so that SYSTEM has Full control.

After following the two steps above, you will now be able to start up Word in the Local System context without any problem.

How to enable SharePoint debug logging

Open the web.config file from the website you want to debug.
Change these entries:

<SafeMode MaxControls="200" CallStack="true" ...>

<customErrors mode="Off" />

<compilation batch="true" debug="true">
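
Added example, not part of the original post: a PowerShell function that applies the attribute values listed above to a web.config and can set them back once debugging is finished, so call stacks and detailed errors are not left enabled on a published site. The function name, the XPath locations and the "off" values (CallStack="false", mode="On", batch="false", debug="false") are assumptions based on a stock SharePoint 2007 web.config; the sample file is constructed.

```powershell
# Added example, not from the original post. The XPath locations and the
# "Off" values assume a stock SharePoint 2007 web.config.
$DebugSettings = @(
    @{ XPath = '/configuration/SharePoint/SafeMode';     Attr = 'CallStack'; On = 'true'; Off = 'false' },
    @{ XPath = '/configuration/system.web/customErrors'; Attr = 'mode';      On = 'Off';  Off = 'On'    },
    @{ XPath = '/configuration/system.web/compilation';  Attr = 'batch';     On = 'true'; Off = 'false' },
    @{ XPath = '/configuration/system.web/compilation';  Attr = 'debug';     On = 'true'; Off = 'false' }
)

function Set-SharePointDebug {
    param(
        [Parameter(Mandatory = $true)] [string]$Path,
        [Parameter(Mandatory = $true)] [bool]$Enable
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath   # .NET needs an absolute path
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true                          # keep the file's layout on save
    $doc.Load($full)
    $changed = $false
    foreach ($s in $DebugSettings) {
        $node = $doc.SelectSingleNode($s.XPath)
        if ($null -eq $node) { Write-Warning "$($s.XPath) not found"; continue }
        $want = if ($Enable) { $s.On } else { $s.Off }
        $have = $node.GetAttribute($s.Attr)
        if ($have -ne $want) { $node.SetAttribute($s.Attr, $want); $changed = $true }
        # One report row per setting, so the previous value is on record.
        New-Object PSObject -Property @{ Setting = "$($s.XPath)/@$($s.Attr)"; Before = $have; After = $want }
    }
    if ($changed) { $doc.Save($full) }                       # write only when something changed
}

# Constructed sample standing in for a real web.config.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'web.config.sample'
@'
<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="false" />
  </SharePoint>
  <system.web>
    <customErrors mode="On" />
    <compilation batch="false" debug="false" />
  </system.web>
</configuration>
'@ | Set-Content -LiteralPath $sample

Set-SharePointDebug -Path $sample -Enable $true  | Format-Table Setting, Before, After -AutoSize
Set-SharePointDebug -Path $sample -Enable $false | Format-Table Setting, Before, After -AutoSize
```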

Enable IE8 RunAs

By default in IE8, it is not possible anymore to start a new browser process as another user. To restore this functionality, follow these steps:

  1. open regedit
  2. go to the key HKLM\Software\Microsoft\Internet Explorer\Main
  3. add a DWORD TabProcGrowth with a value of 0

Cleanup Exchange SMTP Queues

Ever wanted to clean up all mail sent from one user, through all Exchange SMTP queues?

Use the tool ‘Advanced Queuing Administration Command Line Interface tool (aqadmcli.exe)’!
The tool can be downloaded from the Microsoft PSS FTP Server.

Once downloaded, start up a command prompt and execute these commands to delete all mail sent from one specific user:

setserver "Servername"
delmsg flags=sender,sender=user@domain.com