SIMS in a MultiPlatform world…efficiency, productivity and cost savings for Schools

BETT is now over for another year, the hustle and bustle of a busy ExCel Arena are already just a memory as everyone settles back to their normal work routines.

Now many will have been expecting my first article “post-show” to have been about the launch of the Teacher App. Well…that is coming soon – but first, the new “multi-platform” access to SIMS. There are lots of links between the story of the App and the story of the platform that I’m going to explore here.

Continue reading

Playing with HyperV Clusters

Some of you may have read from my previous Microsoft School Blog posts that I run a HyperV Clustered network. This consists of 3 HyperV Hosts, running Server 2008 R2 (considering when to upgrade to 2012)… with the VHD server data files located on a SAN.

This allows me to use the Failover Clustering feature to manage the resilience of the network.

This week, I came across an odd problem.

I was getting ready to do some maintenance across the system – and running a backup across the Hosts of each of the VMs located on them. As part of this process I wanted to move the owner of a Cluster Shared Volume (CSV) disk first. Cluster Shared Volumes are the bit of power that allows you to seamlessly present the same pool of storage, with all the VHDs on it, to all the servers simultaneously. This makes live migration work – yes, that's the feature in VMware land called VMotion – that you pay for!

Continue reading

Capita SIMS Developments for 2013 – SIMS Learning Gateway

A departure from my normal blog topics to something even more relevant to a lot of schools than my normal writings.

SIMS is a School Management database, written and supported by Capita Education Services. Six months have passed since I was invited to join Capita at their Annual Conference to see and write about forthcoming changes, as well as report back on the year (and ask the awkward questions from the community). In this post, I'm going to pick up on SIMS Learning Gateway (SLG for short) – which, as I keep reminding them, needs to be renamed!

Continue reading

Intranet and Extranet SSO and Usability Project – Part 1

It's been a long time since I last wrote about SharePoint – the platform for our Intranet; but now, with the rest of the ongoing projects nearing completion, I've been able to return to this monster of a project.

So, let's go back to the start and show what the end goal was.

1. Intranet Portal – containing Departmental, Staff and Student Areas. Department areas would have staff and student storage as well as news, events, discussions, blogs and all the usual suspects

2. Booking System – does what it says on the tin, web system for booking rooms and resources

3. Helpdesk System – does what it says on the tin, access to our existing online ICT helpdesk system

4. SSO (Single Sign On) – enter username and password once for all services, and transparently log in to all the others

Continue reading

Intranet and Extranet SSO and Usability Project – Part 2

This post is a continuation of my battle to complete a cohesive intranet; and some more ramblings about SharePoint. It's turned into a monster of a project, this one. The external single sign on (SSO) was a breeze – thanks to Forefront Threat Management Gateway (TMG) – but this presented an issue: internal or external, you would be faced with a logon screen. Not ideal – internally we wanted a double SSO which would use your Active Directory logon session to SSO with the TMG HTTP session.

Let's pick up that story…

A quick review
Where did we get to? We had just finished creating our Split DNS infrastructure – and I'd outlined the need to then play with your web publishing rules and listeners in TMG.

We need a new web listener, which will be waiting for incoming requests only from the internal network. As you probably already know, a Web Listener is a software component that is used by Web Publishing Rules. The Web Listener accepts incoming connection requests for published Web servers. Web Listeners define the authentication methods that can be used by the TMG firewall to authenticate users before the connections are allowed to the published Web server. This is often referred to as “pre-authentication”. There are many security advantages to pre-authentication and if your site requires authentication, you should always take advantage of this option.

TMG Configuration – Step by step…

1. On the New menu, click the Web Listener option – which brings up the Welcome to the New Web Listener Wizard page
2. Enter a name for the Web Listener here. In this example, we'll name the Web Listener HTTP Listener, with the intent that this Web Listener will be used for accepting incoming connections using HTTP Authentication.
3. To match up our external to internal (really just so as not to confuse users) you should ensure that you choose “SSL”. Bear in mind that we are using HTTP authentication here, so the credentials themselves need protecting; you should really use some kind of encryption for security.
4. This will need HTTP authentication, not forms authentication (which our external network will be using) – this allows it to use the same details that TMG/ISA itself is already using to recognise our clients for things like proxy (if you are using it).
NB – Image from the “Edit Properties” version, rather than the Wizard screen – so your screen may look slightly different.
5. Next up is telling this listener to only wait for traffic from our internal NIC. So – in the image below – you will see Internal network is selected only. Your other external listener needs to have Internal de-selected, which you can change by editing its properties.

That finishes off your listener configuration.

We then also need to change our existing rule so that it only listens on the external network. That's not where it ends though – as we then need a load of new publishing rules for our services to match up to our listener. This should be relatively simple though, as you can copy (select the rule, right click and choose copy, and then right click and paste). I would then disable the copied rule while you do the editing.

Your new “internal” rules should be above your external rules, so make sure you move them up. You also need to change the listener used in the new rule, and the authentication delegation. When you change to the internal HTTP listener, you cannot use NTLM as your authentication delegation method.

For things like SharePoint and Exchange, this means moving to Kerberos. Now, from the application point of view, this is quite easy to do. You will need to set up several SRV records, and also allow TMG to act on behalf of your SharePoint and Exchange servers when it comes to credential delegation. Sounds scary? Well, some of it can be if you haven't done it before. It also gets a bit more complicated if you are running a farm for these services, as you cannot authorise a server which, to all intents and purposes, doesn't exist.

The rest of this article will cover the TMG steps; the next one will cover the SharePoint/Exchange and Kerberos side of things.

Kerberos Constrained Delegation (KCD) is a primary functionality of the Kerberos protocol introduced in Windows Server 2000 domain environments for authenticating users, services and computers. If a published Web server such as SharePoint needs to authenticate a user that sends a request to it, and the Forefront TMG computer cannot delegate authentication to the published Web server (by passing user credentials to it or by impersonating the user), the published Web server will ask the user to provide credentials a second time. ISA Server 2006 introduced support for Kerberos constrained delegation to enable published Web servers to authenticate users by Kerberos after their identity has been verified by the ISA Server using a non-Kerberos authentication method. The same continued into TMG 2010. When used in this way, Kerberos constrained delegation eliminates the need for users to provide credentials twice. To get Kerberos Constrained Delegation to work, we must change the Authentication Delegation method to Kerberos Constrained Delegation in the Forefront TMG Management console for the SharePoint publishing rule. The Service Principal Name (SPN) is host/InternalDNSFQDN of the SharePoint Server.

So, on the properties of the rule (make sure you are still working on your internal rule here, and don't break your external one), on Authentication Delegation, choose Kerberos Constrained Delegation. You will then need to enter/amend the Kerberos SPN.
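Before flipping the internal rule over to KCD it is worth checking that Active Directory actually agrees with what you are about to type into the TMG console: the host/InternalDNSFQDN SPN must be registered exactly once, and the TMG computer account must be permitted to delegate to it with protocol transition (since TMG verifies the user with a non-Kerberos method first). The following PowerShell is an added example written for this post, not code from the original article or from Microsoft; the computer name TMG01 and the FQDN intranet.school.internal are assumed placeholders. It only reports, and leaves the remediation lines commented out so you can decide what to apply.

```powershell
# Added example (not from the original post): check the Kerberos prerequisites
# for TMG Kerberos Constrained Delegation to a published SharePoint server.
# Assumed names - replace with your own:
$TmgComputer    = 'TMG01'                    # hypothetical TMG computer account
$SharePointFqdn = 'intranet.school.internal' # hypothetical internal DNS FQDN of SharePoint
$Spn            = "host/$SharePointFqdn"     # the SPN form the article gives for the rule

Import-Module ActiveDirectory

# 1. The SPN must be registered on exactly one account. A missing SPN means no
#    Kerberos ticket can be issued; a duplicate SPN makes the KDC reject it, and
#    either way the user is bounced back to a second logon prompt.
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties servicePrincipalName)
switch ($owners.Count) {
    0       { Write-Warning "$Spn is not registered. Register it with: setspn -S $Spn <SharePoint computer or service account>" }
    1       { Write-Host "$Spn is registered to $($owners[0].Name)" }
    default { Write-Warning "$Spn is registered more than once: $($owners.Name -join ', ')" }
}

# 2. The TMG computer account needs constrained delegation to that SPN
#    (msDS-AllowedToDelegateTo) and protocol transition (TrustedToAuthForDelegation,
#    "Use any authentication protocol" in the AD Users and Computers GUI).
$tmg = Get-ADComputer -Identity $TmgComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation

if ($tmg.'msDS-AllowedToDelegateTo' -notcontains $Spn) {
    Write-Warning "$TmgComputer is not allowed to delegate to $Spn"
    # Remediation (run deliberately, not blindly):
    # Set-ADComputer -Identity $TmgComputer -Add @{'msDS-AllowedToDelegateTo' = $Spn}
} else {
    Write-Host "$TmgComputer may delegate to $Spn"
}

if (-not $tmg.TrustedToAuthForDelegation) {
    Write-Warning "$TmgComputer does not have protocol transition enabled"
    # Set-ADAccountControl -Identity $TmgComputer -TrustedToAuthForDelegation $true
} else {
    Write-Host "$TmgComputer has protocol transition enabled"
}
```

Run it from a domain-joined admin workstation with RSAT installed. Keeping the delegation list constrained to the one SPN (rather than enabling unconstrained delegation on the TMG account) is the point of KCD: if the gateway is ever compromised, it can only impersonate users to the services you listed. For the farm case the article mentions, the SPN lives on the web application's service account rather than on any single server, so the first check should find that account as the owner.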