Updated on 2009 May 29 thanks to Michael Hanes (see this post's comments)
Updated on 2009 May 20 from "Configure search service account for a MOSS 2007 farm"
Summary
Prerequisites
1 - Farm topology
2 - Installation
3 - Domain user accounts
3.1 Excerpt of Office SharePoint Server Security Account Requirements
3.2 MOSS Search Required Domain User Accounts
Required Tasks Overview
1 - Recommended required tasks sequence
2 - Reference documentations
Starting and Configuring Office SharePoint Server Search
1 - Starting the Search
2 - Creating the SSP Web Application and the MySite Web Application
2.1 Create the SSP Web Application
2.2 Create the MySite Web Application
3 - Creating the SSP
4 - Configuring the basic Search within the Shared Services Administration Site
4.1 Specify the default content access account
4.2 Create content sources
5 - Test the MOSS Search
This post includes the key steps for starting and configuring Office SharePoint Server Search for a small server farm.
A small server farm is defined as components scaled to two tiers (at least two servers) with either a dedicated WFE or a dedicated database. I have chosen for this post the topology with the dedicated database.
In this post we are going to describe the steps required to start and configure the MOSS search for the single WFE of the small farm, in order to comply with the least-privilege administration policy using domain user accounts.
Here is the part of the TechNet article "Plan for administrative and service accounts (Windows SharePoint Services)" explaining what least-privilege administration is.
[...]
Least-privilege administration requirements when using domain user accounts
Least privilege administration is a recommended security practice in which each
service or user is provided with only the minimum privileges needed to accomplish
the tasks they are authorized to perform. This means that each service is granted
access to only the resources that are necessary to its purpose. The minimum requirements
to achieve this design goal include the following:
- Separate accounts are used for different services and processes.
- No executing service or process account is running with local administrator permissions.
By using separate service accounts for each service and limiting the permissions
assigned to each account, you reduce the opportunity for a malicious user or process
to compromise your environment.
Least privilege administration with domain user accounts is the recommended configuration
for most environments.
[...]
Prerequisites
1 - Farm topology
The configuration for this post is described in the following table and illustration.
Roles and servers for physical servers

Role                     | Server name
SQL Server 2005 database | SQL1
Index server             | MOSS1
Front-end Web server     | MOSS1
Query server             | MOSS1

The following illustration shows the topology for the roles and servers described in the preceding table.
2 - Installation
You have already installed MOSS 2007 on the Web Front End server and are ready to start and configure the MOSS search.
3 - Domain user accounts
3.1 Excerpt of Office SharePoint Server Security Account Requirements
Here is the HTML version of the part of "Office SharePoint Server security account requirements" dedicated to the SSP and therefore to the MOSS search. For each account, the requirements are given for a single server, for a server farm, and for the three least privilege administration configurations.

Account: SSP application pool account
Purpose: Application pool identity for the shared services administration Web application.
Single server standard requirements: No manual configuration is necessary.
Server farm standard requirements: No manual configuration is necessary. The following are automatically configured:
- Membership in the db_owner role for the SSP content database.
- Access to read from and write to the SSP content database.
- Access to read from and write to content databases for Web applications that are associated with the SSP.
- Access to read from the configuration database.
- Access to read from the Central Administration content database.
- Additional permissions to front-end Web servers and application servers are automatically granted.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions:
- For security isolation, use a separate service account for each SSP.
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- NOT a member of the local Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions:
- For security isolation, use a separate service account for each SSP.

Account: SSP service account
Purpose: Used by the following:
- SSP Web services for inter-server communication
- SSP Timer service to run specific types of jobs
- Application pool identity of the application pool associated with the virtual directory associated with a given SSP
Single server standard requirements:
- No manual configuration is necessary.
- This account should not be a member of the Administrators group on any computer in the server farm.
Server farm standard requirements:
- Use a domain user account.
- No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted.
- This account should not be a member of the Administrators group on any computer in the server farm.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions: (none)
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions:
After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:
- Users group
- WSS_Content_Application_Pools database role
After the content database for the Shared Services Administration site, the SSP database, and the SSP search database are created, add this account to the following for each of these databases:
- Users group
- db_owner role
After My Sites are created, add this account to the following for the My Sites Web application content database:
- Users group
- db_owner role
After each content database is created, add this account to the following:
- Users group
- db_owner role

Account: Office SharePoint Server Search service account
Purpose: Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service and it is used by all SSPs.
Single server standard requirements: By default, this account runs as the Local System account. If you want to crawl remote content by changing the default content access account or by using crawl rules, change this to a domain user account. If you do not change this account to a domain user account, you cannot change the default content access account to a domain user account or add crawl rules to crawl this content. This restriction is designed to prevent elevation of privilege for any other process running as the Local System account.
Server farm standard requirements:
- Must be a domain user account.
- Although it is written in the Microsoft .doc documentation "Must be a member of the Farm Administrators group on the server", if you refer to the HTML documentation, it is written "Must not be a member of the Farm Administrators group". I flagged this mismatch as a bug to TechNet and think that this account must not be a member of the Farm Administrators group (see this post's comments).
The following are automatically configured:
- Access to read from the configuration database.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions: (none)
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions:
After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:
- Users group
- WSS_Content_Application_Pools role
After the SSP database and the SSP search database are created, add this account to the following for each of these databases:
- Users group
- db_owner role

Account: Default content access account
Purpose: The default account used within a specific SSP to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.
Single server standard requirements: No manual configuration is necessary if this account is only crawling local farm content. If you want to crawl remote content by using crawl rules, change this to a domain user account, and apply the requirements listed for a server farm.
Server farm standard requirements:
- Must be a domain user account.
- Must not be a member of the Farm Administrators group.
- Read access to external or secure content sources that you want to crawl by using this account.
- For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.
The following are automatically configured:
- Full Read permissions are automatically granted to content databases hosted by the server farm.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions:
- By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.
- Do not grant the default content access account access to the directory service. For added security, use a different default content access account for each SSP.
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login on the SQL Server host.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions:
- By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.
- Do not give the default content access account access to the directory service. For added security, use a separate default content access account for each SSP.
After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:
- Users group
- WSS_Content_Application_Pools database role

Account: Content access account
Purpose: A specific account that is configured to access a content source. This account is optional and is specified when you create a new crawl rule. For example, content sources that are external to Office SharePoint Server (such as a file share) might require a different content access account.
Single server standard requirements: Same as the SSP default content access account listed previously.
Server farm standard requirements:
- Read access to external or secure content sources that this account is configured to access.
- For Web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions: (none)
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions: (none)

Account: Profile import default access account
Purpose: Used to:
- Connect to a directory service, such as the Active Directory directory service, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog application, or other directory source.
- Import profile data from a directory service.
If no account is specified, the default content access account is used. If the default content access account does not have read access to the directory or directories that you want to import data from, use a different account. You can plan up to one account per directory connection.
Single server standard requirements: Same requirements as server farm.
Server farm standard requirements:
- Read access to the directory service.
- If Enable Server Side Incremental is selected for an Active Directory connection and the environment is Windows 2000 Server, the account must have the Replicate Changes permission in Active Directory. This permission is not required for Windows Server 2003 Active Directory environments.
- Manage User Profiles personalization services permission.
- View permissions on entities used in Business Data Catalog import connections.
Least privilege administration using domain user accounts: Server farm standard requirements with the following additions or exceptions:
- This account can be the same account as the default content access account, or you can use a separate account.
- Read access to the directory service.
- Manage User Profiles personalization services permission.
- This account should not be a member of the Administrators group on any computer in the server farm.
Least privilege administration using SQL authentication: Server farm standard requirements with the following additions or exceptions:
- NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.
- NOT a SQL Server login.
Least privilege administration with domain user accounts when connecting to pre-created databases: Server farm standard requirements with the following additions or exceptions:
- This account can be the same account as the default content access account, or you can use a separate account.
- Use an account that has read access to the directory service and the Manage User Profiles personalization services permission. This account should not be a member of the Administrators group on any computer in the server farm.

Account: Excel Services unattended service account
Purpose: The account that Excel Calculation Services uses to connect to external data sources that require a non-Windows user name and password string for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although the account credentials are used to connect to non-Windows data sources, the account must be a member of the domain in order for Excel Calculation Services to use it.
Single server, server farm and all three least privilege administration configurations: Must be a domain user account.
3.2 MOSS Search Required Domain User Accounts
If we follow the recommendations of the previous table, we need the following domain user accounts to start and configure the MOSS Search (I have used orange color for the least privilege administration requirements and red color for manual operations):

Account Name: SPS_WebAppSSP1
Account Description: SSP application pool account. Application pool identity for the shared services administration Web application.
Least privilege administration using domain user accounts: No manual configuration is necessary. The following are automatically configured:
- Membership in the db_owner role for the SSP content database.
- Access to read from and write to the SSP content database.
- Access to read from and write to content databases for Web applications that are associated with the SSP.
- Access to read from the configuration database.
- Access to read from the Central Administration content database.
- Additional permissions to front-end Web servers and application servers are automatically granted.
- For security isolation, use a separate service account for each SSP.

Account Name: SPS_SSP1_Service
Account Description: SSP service account. Used by the following:
- SSP Web services for inter-server communication
- SSP Timer service to run specific types of jobs
- Application pool identity of the application pool associated with the virtual directory associated with a given SSP
Least privilege administration using domain user accounts:
- Use a domain user account.
- No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted.
- This account should not be a member of the Administrators group on any computer in the server farm.

Account Name: SPS_MossSearch
Account Description: Office SharePoint Server Search service account. Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service and it is used by all SSPs.
Least privilege administration using domain user accounts:
- Must be a domain user account.
- Although it is written in the Microsoft .doc documentation "Must be a member of the Farm Administrators group on the server", if you refer to the HTML documentation, it is written "Must not be a member of the Farm Administrators group". I flagged this mismatch as a bug to TechNet and think that this account must not be a member of the Farm Administrators group (see this post's comments).
The following are automatically configured:
- Access to read from the configuration database.

Account Name: SPS_DefaultContent (the logon name is limited to 20 characters, so "access" could not be included)
Account Description: Default content access account. The default account used within a specific SSP to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.
Least privilege administration using domain user accounts:
- Must be a domain user account.
- Must not be a member of the Farm Administrators group.
- Read access to external or secure content sources that you want to crawl by using this account.
- For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.
The following are automatically configured:
- Full Read permissions are automatically granted to content databases hosted by the server farm.
Server farm standard requirements with the following additions or exceptions:
- By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.
- Do not grant the default content access account access to the directory service. For added security, use a different default content access account for each SSP.
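To check a running farm against the requirements listed above (separate accounts per service, no service or application pool identity in a local Administrators group on any farm server including the SQL Server computer, and the Search service running as a domain user account rather than Local System), here is an added PowerShell audit script; it is not part of the original post nor of SharePoint. It assumes the NetBIOS domain CONTOSO, the server names MOSS1 and SQL1 from the topology table, the account names from section 3.2, and that the Windows service behind Office SharePoint Server Search is named OSearch.

```powershell
# Added audit script (not from the original post or from SharePoint itself).
# Assumptions: NetBIOS domain CONTOSO; farm servers MOSS1 (WFE/index/query) and SQL1;
# the Office SharePoint Server Search Windows service is named "OSearch";
# run on MOSS1 as an account allowed to read local groups, WMI and IIS metadata remotely.
$Domain   = 'CONTOSO'
$Servers  = @('MOSS1', 'SQL1')
$Accounts = @{
    'SSP application pool account'   = 'SPS_WebAppSSP1'
    'SSP service account'            = 'SPS_SSP1_Service'
    'Search service account'         = 'SPS_MossSearch'
    'Default content access account' = 'SPS_DefaultContent'
}
$findings = @()

# Requirement: separate accounts are used for different services and processes.
$Accounts.Values | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $findings += "Account $($_.Name) is reused for $($_.Count) roles"
}

# Local Administrators membership is read through the ADSI WinNT provider
# (available on PowerShell 1.0/2.0); each member is returned as WinNT://DOMAIN/Name.
function Get-LocalAdministrators([string]$Server) {
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# Identities that actually execute code on the WFE: Windows services and IIS 6
# application pools (IIsApplicationPoolSetting is the IIS 6 WMI provider class).
$running = @{}
Get-WmiObject Win32_Service -ComputerName 'MOSS1' | Where-Object { $_.StartName } |
    ForEach-Object { $running[$_.StartName] = "service $($_.Name)" }
Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting -ComputerName 'MOSS1' |
    Where-Object { $_.WAMUserName } |
    ForEach-Object { $running[$_.WAMUserName] = "application pool $($_.Name)" }

# Requirement: no executing service or process account runs with local administrator
# permissions, on any server in the farm including the computer running SQL Server.
foreach ($server in $Servers) {
    $admins = @(Get-LocalAdministrators $server)
    foreach ($acct in $Accounts.Values) {
        if ($admins -contains "WinNT://$Domain/$acct") {
            $findings += "$Domain\$acct is in the local Administrators group on $server"
        }
    }
    foreach ($identity in $running.Keys) {
        # Service/app pool identities are 'DOMAIN\name'; built-ins such as LocalSystem are skipped here.
        if ($identity -match '^([^\\]+)\\(.+)$' -and
            $admins -contains "WinNT://$($matches[1])/$($matches[2])") {
            $findings += "$identity ($($running[$identity])) has local administrator permissions on $server"
        }
    }
}

# Requirement (section 3.1): the Search service must run as the dedicated domain user
# account, not Local System, otherwise the default content access account cannot be
# changed to a domain account and remote content cannot be crawled.
$expected = "$Domain\$($Accounts['Search service account'])"
$search = Get-WmiObject Win32_Service -ComputerName 'MOSS1' -Filter "Name='OSearch'"
if ($search -eq $null) {
    $findings += "Service OSearch not found on MOSS1 (the service name is an assumption of this script)"
} elseif ($search.StartName -ne $expected) {
    $findings += "Search service runs as '$($search.StartName)', expected $expected"
}

if ($findings.Count -eq 0) { 'No least-privilege findings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Accounts that are local administrators through a nested domain group are not caught by the direct-membership check; compare the ADsPath list against group members as well if your farm uses group nesting.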
Required Tasks Overview
1 - Recommended required tasks sequence
First we will start the Office SharePoint Server Search.
It can seem paradoxical, but we need to start SharePoint Server Search before creating an SSP, because when performing this task we define an Index Server in the "Query and Indexing" section, and an Index Server must already be defined when creating an SSP.
By the way, because we are in a small server farm topology, we will use our single Web Front End server for both search queries and indexing.
Starting the Office SharePoint Server Search will also initialize its service account.
You will notice that no specific permission on the SSP databases or on the databases of the Web Applications associated with the SSPs is required for this service account, so we can start the Office SharePoint Server Search before having created any SSP.
Then we will create two Web Applications, one for the SSP and another for the MySite feature, because it is recommended to use two different Web Applications for them.
Finally we will configure the Office SharePoint Server Search within the newly created SSP.
2 - Reference documentations
- Plan for administrative and service accounts
- Configure index and query servers
- Create and configure Shared Services Providers
Starting and Configuring Office SharePoint Server Search
1 - Starting the Search
- In Central Administration, on the Operations tab, in the Topology and Services section, click Services on server.
- On the Services on Server page:
  - If the server name that appears is not the server you want to configure, click the arrow next to the server name, click Change Server, and then click the server for which you want to enable or disable the index server role or query server role.
  - In the "Start services in the table below" section, in the Status column for Office SharePoint Server Search, if the status is Stopped, click Start in the Action column.
- Click Office SharePoint Server Search.
- On the Configure Office SharePoint Server Search Service Settings page, in the Query and Indexing section, enable the server roles appropriate for your configuration:
  - select Use this server for indexing content;
  - select Use this server for serving search queries.
- On the Configure Office SharePoint Server Search Service Settings page, in the Farm Search Service Account section, type the Office SharePoint Server Search service account credentials (do not forget to specify the domain name).
  Although it is written in the Microsoft .doc documentation "Must be a member of the Farm Administrators group on the server", if you refer to the HTML documentation, it is written "Must not be a member of the Farm Administrators group". I flagged this mismatch as a bug to TechNet and think that this account must not be a member of the Farm Administrators group (see this post's comments).
  Notice that the index server default file location is now defined.
  Web Front End and Crawling
  This section must be taken into account, because unexpected issues can occur if you check "Use a dedicated web front end computer for crawling". So read it carefully and choose a dedicated Web Front End only if necessary.
  For example, problems may occur with the "C:\WINDOWS\system32\drivers\etc\hosts" file, as described in this post:
  Eventid 6482 - Reason: Access to the path 'C:\WINDOWS\system32\drivers\etc\HOSTS' is denied.
- To save changes and return to the Services on Server page, click OK.
The search service is now started.
You can also check it in the Services MMC.
2 - Creating the SSP Web Application and the MySite Web Application
2.1 Create the SSP Web Application
- In Central Administration, on the Operations tab, in the SharePoint Web Application Management section, click Create or extend Web application.
- On the Create or Extend Web Application page, click "Create a new Web application".
- On the Create New Web Application page, choose your Web application name, port and database name, and leave the other values at their defaults.
  In the Application Pool section, select Configurable and type the credentials of the SPS_WebAppSSP1 service account.
2.2 Create the MySite Web Application
Perform the same operations as above for the MySite Web Application. I did not specify a specific service account for this Web application, but in order to respect least privilege administration you should have created a service account for this Web application that is not a member of the servers' local Administrators group.
3 - Creating the SSP
- In Central Administration, on the Quick Launch menu, click Shared Services Administration.
- On the Manage this Farm's Shared Services page, click New SSP.
- On the New Shared Services Provider page:
  - In the SSP Name section, use the drop-down list to select the previously created SSP Web Application.
  - In the My Site Location section, use the drop-down list to select the previously created MySite Web Application.
  - In the SSP Service Credentials section, type the SPS_SSP1_Service service account credentials.
  - Notice that in the Index Server section the index server name and the path for the index file location have been retrieved.
  - Leave the default values for the other fields and click OK.
Wait while SharePoint is provisioning your SSP...
SharePoint then displays the Success! page.
4 - Configuring the basic Search within the Shared Services Administration Site
- On the previous Success! page, click the shared services administration site link.
The shared services administration site home page opens.
For a complete configuration, see "Configure the Office SharePoint Server Search service (Office SharePoint Server)".
4.1 Specify the default content access account
- On the Shared Services Administration page, in the Search section, click Search settings.
- On the Configure Search Settings page, in the Crawl settings section, click Default content access account.
- On the Default Content Access Account page, in the Account box, type the domain and user name for the account (in the form domain\username), here SPS_DefaultContent.
- In the Password and Confirm Password boxes, type the password for the account.
  Be sure that this account has read access to the external or secure content sources that you want to crawl by using this account.
  For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.
- Click OK.
You are taken back to the Configure Search Settings page and can check the new value of the Default Content Access Account.
4.2 Create content sources
- (On the Shared Services Administration page, in the Search section, click Search settings.)
- On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.
- On the Manage Content Sources page, click New Content Source.
- On the Add Content Source page, in the Name section, in the Name box, type a name for the content source.
  Note: Each content source name must be unique within the SSP in which it is created.
- In the Content Source Type section, select the type of content you want to crawl by using this content source.
- In the Start Addresses section, in the "Type start addresses below (one per line)" box, type the URLs from which the search system should start crawling.
  Note: For performance reasons, you cannot add the same start addresses to multiple content sources.
- In the Crawl Settings section, select the behavior for the type of content you selected.
- In the Crawl Schedules section, you can specify when to start full and incremental crawls.
  You can create a full crawl schedule by clicking the Create Schedule link below the Full Crawl list.
  You can create an incremental crawl schedule by clicking the Create Schedule link below the Incremental Crawl list.
- Click OK.
By default, the search settings come with a default content source: Local Office SharePoint Server sites.
Using this default content source's contextual menu, start a full crawl.
The full crawl starts...
You can check the crawling progress by going back to the Configure Search Settings page; if you refresh the page, you will notice that the "Items in index" field value changes while SharePoint is crawling your farm content.
When the crawl is done, the indexing status comes back to Idle on the Configure Search Settings page.
5 - Test the MOSS Search
You can then go to one of your SharePoint sites and perform a search in order to check that your content was properly indexed and that the MOSS search is working well.