DirectoryEntry, and DirectorySearch class in System.DirectoryService namespace can be used to access and search Windows Active Directory.  When you create DirectoryEntry without any credential, the system will use your default credential to access Active Directory.  In ASP.NET web application, if you set impersonate=true, the application will use your login to access Active Directory.

 

However, in SharePoint 2007 web part, this does not work.  You have to explicitly specify the username and password.  Therefore, in SharePoint 2007 web part, you have to use service account to access Active Directory. 

 

Microsoft Project Server 2003 Web Access provides a mechanism for developer to customize the menu.  However, any menu added by “server configuration” in admin page will no security validation, that all user can view it, even if it is under admin submenu.

 

Solution

 

The reason is that the default global permission of a custom menu is 0, which means every user has permission to view it.  Since the PWA does not provide an interface to change the permission setting, the custom menu cannot act like other menus.  However, the custom menu uses the same data structure as the build-in menu.  Therefore developers can directly modify the database to make menu secure.

 

The project server database uses two tables to store the menu information, MSP_WEB_SECURITY_MENUS and MSP_WEB_SECURITY_PAGES.  MSP_WEB_SECURITY_MENUS saves the information of each menu, such as menu ID, menu name, indicator that menu is a top-menu or submenu, sequence of menu, the web page a menu link to, and etc.  MSP_WEB_SECURITY_PAGES saves the information of each page, such as URL of page and etc.  Among them, there is a property, WSEC_PAGE_ACT_ID, which is the feature action ID of the menu, defined in MSP_WEB_SECURITY_FEATURES_ACTIONS. 

 

When a developer added a custom menu to PWA, the project server will add a record in MSP_WEB_SECURITY_MENUS table and a record in MSP_WEB_SECURITY_PAGES table.  By default, the WSEC_PAGE_ACT_ID is set to 0 of custom page.  To make the page secure, developer can modify the value with any valid feature action ID.  For example, a developer adds a function page in admin menu.  It can be set as the same permission as “Manage Views” menu in admin menu.  To set so, developer can simply set the WSEC_PAGE_ACT_ID to 730.  Then the new page will have the permission setting as manage views page, and only those user who can manage views, have permission to view the new custom page.

Project Server 2007 can work with SQLServer 2000 and SQLServer 2005.  To setup OLAP cube for project server 2007, here is some references and some tips:

 

1. For Analysis Service 2000

You can just follow the microsoft MSDN document: http://technet2.microsoft.com/Office/en-us/library/5d90076f-bbcc-48c1-a569-bd236862d47c1033.mspx?mfr=true

 

2. For Analysis Service 2005

Here is the microsoft MSDN document:

http://technet2.microsoft.com/Office/en-us/library/86910044-701c-4b02-89d7-e094e9cb7dcd1033.mspx?mfr=true

 

It is working if you install analysis service on the same computer of project server.  However, it does not work if you separate those two, which is the most case.

 

You will get the following error:

Failed to build the OLAP cubes. Error: Analysis Services session failed with the following error: Failed to delete the Olap database: PWA_AnalysisServices. Error: Your permissions on the server computer do not allow you to administer this Analysis server.

 

The reason is because the SSP account does not have permission to manage analysis service remotely by using DSO.  To enable remote administer analysis service through DSO, you will need to create shared folder for analysis service: MSOLAPRepository$.  This is just for back compatible to DSO.  Analysis service 2000 will create it during the installation.  However, since analysis service 2005 no longer need it.  It will not create the shared folder.  Then you have to do it yourself.  The folder will only be used for remote administer.  So if you install analysis service on the same box of project server, you don't need it.

 

Use this two steps with the MSDN document, you can setup OLAP cube.

Create the shared folder

1.     In Windows Explorer, browse to the folder containing the Analysis Services installation. By default, it is located at:
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP

2.     In this folder, create a new folder and name it DSO9.

3.     Right-click the DSO9 folder, and choose Sharing and Security.

4.     On the Sharing and Security page, in the Sharing tab, select Share this folder. In the Share Name box, type MSOLAPRepository$ as the share name for the folder.

5.     On the Sharing tab, in the Group or user names list, click Add. On the Select User, Computers, or Groups page, add the SQLServer2005MSOLAPUser$<Servername>$MSSQLServer account from the local computer. Click OK.

6.     In the Group or user names list, select the SQLServer2005MSOLAPUser$<Servername>$MSSQLServer account. In the Permissions for SQLServer2005MSOLAPUser$<Servername>$MSSQLServer box, select Allow next to Full Control. Click OK.

7.     On the Security tab, in the Group or user names list, select SQLServer2005MSOLAPUser$SERVERNAME$MSSQLSERVER. Select the Allow check box next to the Full Control item in the Permissions list, and then click OK.

8.     On the New Folder Properties page, click OK.

Configure Analysis Services For DSO

1.     In SQL Server 2005, start SQL Server Management Studio. On the Connect to Server window, select Analysis Services, and then click Connect.

2.     In SQL Server Management Studio, in the Object Explorer pane, right-click the Analysis Services name, and then choose Properties.

3.     On the Analysis Services Properties page, in the Select a page section select General. Select Show Advanced (All) Properties.

4.     Select DSO\RepositoryConnectionString from the Name list.
a.   Select the corresponding value for the string in the Value column, and then click the box that appears to the right of the value to display the Connection Manager page.
b.   On the Connection Manager page, in the Provider list, select Native OLE DB\SQL Native Client.
c.   In the Server Name list, select the server on which the repository database is located.
d.   In the Logon to the server field, enter the account information to log onto the server.
e.   In the Connect to database section, select Select or enter a database name and enter the name of the repository file.
f.    Click OK.

5.     Select DSO\RemoteRepositoryConnectionString from the Name list.
a.   Select the corresponding value for the string in the Value column, and then click the box that appears to the right of the value to display the Connection Manager page.
b.   On the Connection Manager page, in the Provider list, select Native OLE DB\SQL Native Client.
c.   In the Server Name list, select the server on which the repository database is located.
d.   In the Logon to the server field, enter the account information to log onto the server.
e.   In the Connect to database section, select Select or enter a database name and enter the name of the repository file.
f.    Click OK.

6.     Select DSO\LocksDirectory from the Name list, enter the local path of the shared folder.  For example: E:\MSSQL.3\OLAP\DSO9\

7.     Select DSO\RemoteLocksDirectory from the Name list, enter the UNC name of the shared folder.  For example: \\HACSSDB028\MSOLAPRepository$\

8.     On the Analysis Server Properties page, click OK.

NOTES:

1.     When you configure analysis service 2005, MSDN gaves you two choices: creating Access MDB file or SQLServer 2005 database.  You can do either one of them.  However, you cannot migrate from MDB to SQLServer 2005.

2.     To view project server OLAP view in PWA, the client computer (with Windows XP.  Vista already has those component) has to install the following components:

• Microsoft Core XML Services (MSXML) 6.0
• Microsoft SQL Server 2005 Analysis Services 9.0 OLE DB Provider

You can find them in SQLServer 2005 feature pack: http://www.microsoft.com/downloads/details.aspx?FamilyID=50b97994-8453-4998-8226-fa42ec403d17&DisplayLang=en

Sometimes, you need to create a very complex formula for indicator.  It's very hard to understand and maintain.   

For example, client wants to show schedule indicator green when duration variance within 10% of baseline duration, 11%~20% for yellow and above 20% shows red. 

 

Sample formula:

SWITCH([Finish Variance]=0,"On Target",[Finish Variance]<0,CSTR(CINT([Finish Variance]*(-100)/[Baseline Duration]))+"% Ahead Of Schedule", true,CSTR(CINT([Finish Variance]*100/[Baseline Duration]))+"% Over Schedule")

Then when you set graphic indicator, use "Is Less Than" or "Is Greater Than".  You can set as

Is Less Than     11      Green

Is Less Than     21      Yellow

Any Value                  Red

 

Project Professional is smarter enough to compare the percent as number.  You can event put percent in the middle of the data, such as "Task 10% Behind Schedule".

 

I have experienced Project Server 2007 Active Directory Synchronization failure on client.  As the result, Active Directory cannot be synchronized and even worse, the user/resource edit page shows error when you tried to edit a synchronized user/resource.  It may potentially create corrupted assignments in project plan.

 

In the event log on project server, there are errors in application category.

 

 

Error Message:

 

Standard Information:PSI Entry Point:

Project User: IHESS\sdai

Correlation Id: 837bfd5f-9502-4e09-a193-2af20c8392b0

PWA Site URL: http://hacssia021/PWA

SSP Name: SharedServices_MOPS

PSError: Success (0)

A general exception occurred during communication with Active Directory. Context: SyncGroup. Additional Information: An exception occurred while syncing a project server group with active directory. GroupName: '%s'. PWA Group Guid: '%s' Exception: '%s'.. Exception Info: EPIS Team Members

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

 

 

 

There also are errors in system category:

 

 

 

 

Error Message:

 

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

{61738644-F196-11D0-9953-00C04FD919C1}

 to the user IHESS\SRV_PROJSVR_DB SID (S-1-5-21-789336058-2052111302-839522115-106752).  This security permission can be modified using the Component Services administrative tool.

 

 

 

From the error message, I decided to change the DCOM configuration first.  By searching the registry, I found that (S-1-5-21-789336058-2052111302-839522115-106752) is the ID of IIS WAMREG Admin Service component.

 

Open the Component Services on project server and select “Component Services” – “DCOM Config”.

 

 

Right click on component and select “Property”.  Then select “Security”.

 

 

Select “Edit” button in “Launch and Activation Permissions”, then add the SharePoint farm service user in and give it “Local Launch” and “Local Activation” permissions.

 

 

 

After done, I tried to synchronize the users again.  However, I still got errors.  When I check the event log, the errors are different.

 

 

 

 

Error Message:

 

Standard Information:PSI Entry Point:

Project User: IHESS\sdai

Correlation Id: 837bfd5f-9502-4e09-a193-2af20c8392b0

PWA Site URL: http://hacssia021/PWA

SSP Name: SharedServices_MOPS

PSError: Success (0)

Changes were detected for a resource during Project Server Active Directory Synchronization. However, the changes could not be applied because the resource could not be checked out. The checkout failed because the resource is checked out to another user. Resource GUID: 67581218-21cd-4f5e-9ee0-6ad4f0e25799

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

 

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

It shows some resource has been checked out.  But in force-in resource page, I did not find any check-out resources.  Actually, those resources are checked-out by AD synchronization process. 

 

I used “SQL Server Management Studio” to open the Project Server 2007 published database. 

 

Run the script to check back in the resources

 

UPDATE MSP_RESOURCES
SET RES_CHECKOUTBY = NULL
WHERE RES_UID in (
SELECT
RES_UID
FROM MSP_Resources
WHERE RES_CHECKOUTBY = '00000000-0000-0000-0000-000000000000')

 

 

If you have corrupted assignments, you may use the script to find out:

 

SELECT MSP_PROJECTS.PROJ_NAME,
MSP_ASSIGNMENTS_SAVED.TASK_NAME,
MSP_RESOURCES.RES_NAME,
MSP_ASSIGNMENTS_SAVED.ASSN_UID,
MSP_ASSIGNMENTS_SAVED.PROJ_UID,
MSP_ASSIGNMENTS_SAVED.TASK_UID,
MSP_ASSIGNMENTS_SAVED.RES_UID
FROM MSP_ASSIGNMENTS_SAVED INNER JOIN
MSP_PROJECTS ON MSP_ASSIGNMENTS_SAVED.PROJ_UID =
MSP_PROJECTS.PROJ_UID INNER JOIN
MSP_RESOURCES ON MSP_ASSIGNMENTS_SAVED.RES_UID =
MSP_RESOURCES.RES_UID
WHERE (NOT EXISTS
(SELECT TASK_UID
FROM MSP_TASKS_SAVED
WHERE (TASK_UID = MSP_ASSIGNMENTS_SAVED.TASK_UID)))

 

 

 

Reference:

 

http://connect.microsoft.com/feedback/ViewFeedback.aspx?FeedbackID=288068&SiteID=235