Monday, August 18, 2008

Starting and Configuring Office SharePoint Server Search for a web server with Least Privilege Administration using Domain User Accounts

Updated on 2009 may 29 thanks to Michael Hanes (see this post comments)

Updated on 2009 may 20 from Configure search service account for a moss 2007 farm

Summary

Prerequisites
1 - Farm topology
2 - Installation
3 - Domain user accounts
3.1 Excerpt of Office SharePoint Server Security Account Requirements
3.2 MOSS Search Required Domain User Accounts

Required Tasks Overview
1 - Recommended required tasks sequence
2 - Reference documentations

Starting and Configuring Office SharePoint Server Search
 1 - Starting the Search
 2 - Creating the SSP Web Application and the MySite Web Application
2.1 create the SSP Web Application
2.1 create the MySite Web Application
3 - Creating the SSP
 4 - Configuring the basic Search within the Share Services Administration Site
4.1 Specify the default content access account
4.2 Create content sources
4 - Test the MOSS Search


Introduction

This post includes the key steps for starting and configuring:

  • Office SharePoint Server Search

for a small server farm.
A small server farm is defined as
Components scaled to two tiers (at least two servers) with either a dedicated WFE or dedicated database.
I have chosen for this post the topology with the dedicated database.

 

In this post, we are going to describe the required steps to start and configure the MOSS search for the single WFE of the small farm in order to be compliant with the Least Privilege Administration policy using Domain User Accounts.

this is a part of the Technet article Plan for administrative and service accounts (Windows SharePoint Services) explaining what Least-privilege administration is.
[...]

Least-privilege administration requirements when using domain user accounts

Least privilege administration is a recommended security practice in which each service or user is provided with only the minimum privileges needed to accomplish the tasks they are authorized to perform. This means that each service is granted access to only the resources that are necessary to its purpose. The minimum requirements to achieve this design goal include the following:

- Separate accounts are used for different services and processes. 
- No executing service or process account is running with local administrator permissions.

By using separate service accounts for each service and limiting the permissions assigned to each account, you reduce the opportunity for a malicious user or process to compromise your environment.
Least privilege administration with domain user accounts is the recommended configuration for most environments.

[...]

Prerequisites

1 - Farm topology

The configuration for this post is described in the following tables and illustration.

Roles and servers for physical server

Role

Server name

SQL Server 2005 database

SQL1

Index server

MOSS1

Front-end Web server

MOSS1

Query server

MOSS1

The following illustration shows the topology for the roles and servers described in the preceding table

2 - Installation

You have already installed  MOSS 2007 on the Web Front End server, and are just ready to start and configure MOSS search.

3 - Domain user accounts

3.1 Excerpt of Office SharePoint Server Security Account Requirements

Here is the HTML version of the part of Office SharePoint Server security account requirements dedicated to SSP and therefore to the MOSS search.

Account

Purpose

Single server standard requirements

Server farm standard requirements

Least privilege administration using domain user accounts

Least privilege administration using SQL authentication

Least privilege administration with domain user accounts when connecting to pre-created databases

SSP application pool account

Application pool identity for the shared services administration Web application.

No manual configuration is necessary.

No manual configuration is necessary.

The following are automatically configured:

-   Membership in the db_owner role for the SSP content database.

-   Access to read from and write to the SSP content database.

-   Access to read from and write to content databases for Web applications that are associated with the SSP.

-   Access to read from the configuration database.

-   Access to read from the Central Administration content database.

-   Additional permissions to front-end Web servers and application servers are automatically granted.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   For security isolation, use a separate service account for each SSP.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   NOT a member of the local Administrators group on any server in the farm, including the computer running SQL Server.

-   NOT a SQL Server login.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   For security isolation, use a separate service account for each SSP.

SSP service account

Used by the following:

-   SSP Web services for inter-server communication

-   SSP Timer service to run specific types of jobs

-   Application pool identity of application pool associated with the virtual directory associated with a given SSP

-   No manual configuration is necessary.

-   This account should not be a member of the Administrators group on any computer in the server farm.

-   Use a domain user account.

-   No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted.

-   This account should not be a member of the Administrators group on any computer in the server farm.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

 

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.

-   NOT a SQL Server login.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:

-   Users group

-   WSS_Content_Application_Pools database role

After the content database for the Shared Services Administration site, the SSP database, and the SSP search database are created, add this account to the following for each of these databases:

-   Users group

-   db_owner role

After My Sites are created, add this account to the following for the My Sites Web application content database:

-   Users group

-   db_owner role

After each content database is created, add this account to the following:

-   Users group

-   db_owner role

Office SharePoint Server Search service account

Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service and it is used by all SSPs.

By default, this account runs as the Local System account.

If you want to crawl remote content by changing the default content access account or by using crawl rules, change this to a domain user account. If you do not change this account to a domain user account, you cannot change the default content access account to a domain user account or add crawl rules to crawl this content. This restriction is designed to prevent elevation of privilege for any other process running as the Local System account.

-   Must be a domain user account.

-   Although it is written in the Microsoft .doc documentation "Must be a member of the Farm Administrators group on the server" if you refer to the HTML documentation, it is written "Must not be a member of the Farm Administrators group". I flagged this mismatch as a bug to Technet and think that this account must not be a member of the Farm Administrators group. (see this post comments)

The following are automatically configured:

-   Access to read from the configuration database.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.

-   NOT a SQL Server login.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:

-   Users group

-   WSS_Content_Application_Pools role

After the SSP database and the SSP search database are created, add this account to the following for each of these databases:

-   Users group

-   db_owner role

Default content access account

The default account used within a specific SSP to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.

No manual configuration is necessary if this account is only crawling local farm content. If you want to crawl remote content by using crawl rules, change this to a domain user account, and apply the requirements listed for a server farm.

-   Must be a domain user account.

-   Must not be a member of the Farm Administrators group.

-   Read access to external or secure content sources that you want to crawl by using this account.

-   For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.

The following are automatically configured:

-   Full Read permissions are automatically granted to content databases hosted by the server farm.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.

-   Do not grant the default content access account access to the directory service.

For added security, use a different default content access account for each SSP.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.

-   NOT a SQL Server login on the SQL Server Host.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.

-   Do not give the default content access account access to the directory service.

For added security, use a separate default content access account for each SSP.

After the configuration database and the Central Administration content databases are created, add this account to the following for these databases:

-   Users group

-   WSS_Content_Application_Pools database role

Content access account

A specific account that is configured to access a content source. This account is optional and is specified when you create a new crawl rule. For example, content sources that are external to Office SharePoint Server (such as a file share) might require a different content access account.

Same as the SSP default content access account listed previously.

-   Read access to external or secure content sources that this account is configured to access.

-   For Web sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

 

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.

-   NOT a SQL Server login.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

 

Profile import default access account

Used to:

-   Connect to a directory service, such as the Active Directory directory service, a Lightweight Directory Access Protocol (LDAP) directory, a Business Data Catalog application, or other directory source.

-   Import profile data from a directory service.

If no account is specified, the default content access account is used. If the default content access account does not have read access to the directory or directories that you want to import data from, use a different account. You can plan up to one account per directory connection.

Same requirements as server farm.

-   Read access to the directory service.

-   If Enable Server Side Incremental is selected for an Active Directory connection and the environment is Windows 2000 Server, the account must have the Replicate Changes permission in Active Directory. This permission is not required for Windows Server 2003 Active Directory environments.

-   Manage User Profiles personalization services permission.

-   View permissions on entities used in Business Data Catalog import connections.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   This account can be the same account as the default content access account, or you can use a separate account.

-   Read access to the directory service.

-   Manage User Profiles personalization services permission.

-   This account should not be a member of the Administrators group on any computer in the server farm.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   NOT a member of the Administrators group on any server in the farm, including the computer running SQL Server.

-   NOT a SQL Server login.

Server farm standard requirements with the following additions or exceptions:

-   Use a separate domain user account.

-   This account can be the same account as the default content access account or you can use a separate account.

-   Use an account that has read access to the directory service and the Manage User Profiles personalization services permission.

This account should not be a member of the Administrators group on any computer in the server farm.

Excel Services unattended service account

The account that Excel Calculation Services uses to connect to external data sources that require a non-Windows user name and password string for authentication. If this account is not configured, Excel Services will not attempt to connect to these types of data sources. Although the account credentials are used to connect to non-Windows data sources, the account must be a member of the domain in order for Excel Calculation Services to use it.

Must be a domain user account.

Must be a domain user account.

Must be a domain user account.

Must be a domain user account.

Must be a domain user account.

3.2 MOSS Search Required Domain User Accounts

If we follow the previous table recommendations, we need the following Domain User Accounts to start and configure the MOSS Search (I have used  orange color for the least privilege administration requirements and red color for manual operation)

Account Name SPS_WebAppSSP1
Account Description:

SSP application pool account

Application pool identity for the shared services administration Web application.

Account Least privilege administration using domain user accounts

No manual configuration is necessary.

The following are automatically configured:

-   Membership in the db_owner role for the SSP content database.

-   Access to read from and write to the SSP content database.

-   Access to read from and write to content databases for Web applications that are associated with the SSP.

-   Access to read from the configuration database.

-   Access to read from the Central Administration content database.

-   Additional permissions to front-end Web servers and application servers are automatically granted.

-   Use a separate domain user account.

-   For security isolation, use a separate service account for each SSP.

Account Name SPS_SSP1_Service
Account Description:

SSP service account

Used by the following:

-   SSP Web services for inter-server communication

-   SSP Timer service to run specific types of jobs

-   Application pool identity of application pool associated with the virtual directory associated with a given SSP

Account Least privilege administration using domain user accounts

-   Use a domain user account.

-   No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted.

-   This account should not be a member of the Administrators group on any computer in the server farm.

-   Use a separate domain user account.

Account Name SPS_MossSearch
Account Description:

Office SharePoint Server Search service account

Used as the service account for the Office SharePoint Server Search service. There is only one instance of this service and it is used by all SSPs.

Account Least privilege administration using domain user accounts

-   Must be a domain user account.

-   Although it is written in the Microsoft .doc documentation "Must be a member of the Farm Administrators group on the server" if you refer to the HTML documentation, it is written "Must not be a member of the Farm Administrators group". I flagged this mismatch as a bug to Technet and think that this account must not be a member of the Farm Administrators group. (see this post comments)

The following are automatically configured:

-   Access to read from the configuration database.

-  
Use a separate domain user account.

Account Name SPS_DefaultContent (cannot write "access" because logon name number of characters is limited to 20)
Account Description:

Default content access account

The default account used within a specific SSP to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.

Account Least privilege administration using domain user accounts

-   Must be a domain user account.

-   Must not be a member of the Farm Administrators group.

-   Read access to external or secure content sources that you want to crawl by using this account.

-   For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.

The following are automatically configured:

-   Full Read permissions are automatically granted to content databases hosted by the server farm.

-   By default, in a server farm environment, the Office SharePoint Server Search service account is used until a different account is specified. After completing Setup and running the configuration wizard, change this account to a domain user account.

-   Do not grant the default content access account access to the directory service.

For added security, use a different default content access account for each SSP.

Required Tasks Overview

1 - Recommended required tasks sequence

First we will start the Office SharePoint Server Search.
It can seem paradoxical, but we need to start SharePoint Server Search first before having created a SSP because when performing this task, we define an Index Server in the "Query and Indexing" section and we need to have an Index Server defined when creating a SSP. 
By the way because we are in a small server farm topology we will use our single Web Front End server for both search queries and indexing. 
Starting the Office SharePoint Server Search will also initialize its Service Account
You will notice that no specific permissions is required regarding the SSP's databases or the databases of Web Applications associated with the SSP's for this service account so as we can start the Office SharePoint Server Search before having created any SSP.

Then we will create 2 Web Applications one for the SSP and another for the MySite feature, because it is recommended to use 2 different Web Applications for them.

Finally we will configure the Office SharePoint Server Search within the new created SSP.

2 - Reference documentations

 Plan for administrative and service accounts

 Configure index and query servers

 Create and configure Shared Services Providers

Starting and Configuring Office SharePoint Server Search

 1 - Starting the Search

  1. In Central Administration, on the Operations tab, in the Topology and Services section, click Services on server.

  2. On the Services on Server page:

    1. If the server name that appears is not the server that you want to configure, click the arrow next to the server name, click Change Server, and then click the server for which you want to enable or disable the index server role or query server role.

    2. In the Start services in the table below section, in the Status column for Office SharePoint Server Search, if the status is Stopped, in the Action column click Start.

    3. Click Office SharePoint Server Search.




  3. On the Configure Office SharePoint Server Search Service Settings page, in the Query and Indexing section, enable server roles for the server as appropriate for your configuration:

    • select Use this server for indexing content.

    • select Use this server for serving search queries.


  4. On the Configure Office SharePoint Server Search Service Settings page, in the Farm Search Service Account section, type the Office Server search Account credentials:
    (Do not forget to specify the Domain name.)

    Although it is written in the Microsoft .doc documentation "Must be a member of the Farm Administrators group on the server" if you refer to the HTML documentation, it is written "Must not be a member of the Farm Administrators group". I flagged this mismatch as a bug to Technet and think that this account must not be a member of the Farm Administrators group. (see this post comments)




    Notice that the Index Server Default File is now defined.

    Web Front End and Crawling



    This section is to be taken into account, because unexpected issues can occur if you checked "Use a dedicated web front end computer for crawling". So read it carefully and choose a dedicated web front end only if necessary.

    For example problem may occur with the "C:\WINDOWS\system32\drivers\etc\hosts" file as desscribed in this post:

    Eventid 6482 - Reason: Access to the path 'C:\WINDOWS\system32\drivers\etc\HOSTS' is denied.

  5. To save changes and return to the Services on Server page, click OK.

    The search Service is now started.



    You can also check it in the Services MMC

 2 - Creating the SSP Web Application and the MySite Web Application

2.1 create the SSP Web Application

  1. In Central Administration, on the Operations tab, in the SharePoint Web Application Management section, click Create or extend Web application .

  2. On the Create or Extend Web Application page:
    Click "Create a new Web application"
  3. On the Create New Web Application :


    Choose your web application name, port and database name, let the other value as default.
    In the Application Pool section select configurable and type the credential for the SPS_WebAppSSP1 service account.



2.1 create the MySite Web Application

Perform the same operations as above for the MySite Web Application. I did not specify a specific service account for this web application, but in order to respect least privilege administration you should have created a service account for this web application that is not a member of the server local administrators group




3 - Creating the SSP

  1. In Central Administration, on the Quick Launch Menu, click Shared Services Administration

  2. In Manage this Farm's Shared Services  page click New SSP 
  3. In the New Shared Services Provider Page

    In the SSP Name section use the drop down list to retrieve the previously created SSP Web Application

    In the My Site Location section use the drop down list to retrieve the previously created MySite Web Application

    In the SSP Service Credentials section type the SPS_SSP1_Service service account credentials




    Notice that in the Index Server section the index server name and the Path for index file location have been retrieved

    Let the default values for the other fields and click OK

    Wait while SharePoint is provisioning htyour SSP...
    SharePoint then display the Success!  page


 4 - Configuring the basic Search within the Share Services Administration Site

  1. In the previous Success! page click the  shared services administration site link

    The shared services administration site home page  is opening.



    For a complete configuration, see Configure the Office SharePoint Server Search service (Office SharePoint Server)

  2. Specify the default content access account
    On the Shared Services Administration page, in the Search section, click Search settings.

    On the Configure Search Settings page, in the Crawl settings section, click Default content access account.



    On the Default Content Access Account page, in the Account box, type the domain and user name for the account (in the form domain\username).
    SPS_DefaultContent
    In the Password and Confirm Password boxes, type the password for the account.
    Be sure that this account has read access to external or secure content sources that you want to crawl by using this account.
    For sites that are not a part of the server farm, this account must explicitly be granted Full Read permissions on the Web applications that host the sites.



    Click OK.
    You are taken to the Configure Search Settings page and can check the new value for the Default Content Access Account



  3. Create content sources

    (On the Shared Services Administration page, in the Search section, click Search settings.)
    On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.



    On the Manage Content Sources page, click New Content Source.
    On the Add Content Source page, in the Name section, in the Name box, type a name for the content source.
    Note: 
    Each content source name must be unique within the SSP in which it is created. 
    In the Content Source Type section, select the type of content you want to crawl by using this content source.
    In the Start Addresses section, in the Type start addresses below (one per line) box, type the URLs from which the search system should start crawling.
    Note: 
    For performance reasons, you cannot add the same start addresses to multiple content sources.
     
    In the Crawl Settings section, select the behavior for the type of content you selected.
    In the Crawl Schedules section, you can specify when to start full and incremental crawls.
    You can create a full crawl schedule by clicking the Create Schedule link below the Full Crawl list.
    You can create an incremental crawl schedule by clicking the Create Schedule link below the Incremental Crawl list.
    Click OK.




4 - Test the MOSS Search

By default the Search setting comes with a default Content Source: Local Office SharePoint Server sites



Using this default Content Source contextual menu, start a full crawl



The full crawl starts...



You can check the crawling progression by going back to the Configure Search Settings  page, and if you refresh the page, you will notice that the Items in index: field value is changing while SharePoint is crawling your Farm Content.





When the crawling is done the value of the indexing status come back to Idle within the Configure Search Settings page.
You can then go to one of your SharePoint site and perform a search operation in order to check your content was properly indexed and the MOSS search is working well.