
Good Share Server Installation and Administration Guide

Product Version: 3.1.3 Doc Rev 3.4 Last Updated: 30-Jun-15


Legal Notice

This document, as well as all accompanying documents for this product, is published by Good Technology Corporation (“Good”). Good may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter in these documents. The furnishing of this, or any other document, does not in any way imply any license to these or other intellectual properties, except as expressly provided in written license agreements with Good. This document is for the use of licensed or authorized users only. No part of this document may be used, sold, reproduced, stored in a database or retrieval system or transmitted in any form or by any means, electronic or physical, for any purpose, other than the purchaser’s authorized use without the express written permission of Good. Any unauthorized copying, distribution or disclosure of information is a violation of copyright laws.

While every effort has been made to ensure technical accuracy, information in this document is subject to change without notice and does not represent a commitment on the part of Good. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those written agreements.

The documentation provided is subject to change at Good’s sole discretion without notice. It is your responsibility to utilize the most current documentation available. Good assumes no duty to update you, and therefore Good recommends that you check frequently for new versions. This documentation is provided “as is” and Good assumes no liability for the accuracy or completeness of the content. The content of this document may contain information regarding Good’s future plans, including roadmaps and feature sets not yet available. It is stressed that this information is non-binding and Good creates no contractual obligation to deliver the features and functionality described herein, and expressly disclaims all theories of contract, detrimental reliance and/or promissory estoppel or similar theories.

Legal Information

© Copyright 2015. All rights reserved. All use is subject to license terms posted at www.good.com/legal. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD APPCENTRAL, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD TRUST, GOOD VAULT, and GOOD DYNAMICS APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party technology products are protected by issued and pending U.S. and foreign patents.


Table of Contents

Overview
Requirements
Installation Prerequisites
Upgrade Compatibility with Earlier Versions
Administrator Privileges
Platform Requirements
Database Requirements
Server Hardware Requirements (POC)
Server Software and Operating System Requirements
Enabling the IIS Role
Software Restrictions
Client Device Requirements
Installing Your Good Share Server
Server Configuration
Accessing the Good Share Console
Adding Users to the Good Share Console
Configuring Good Control for Good Share
Adding Good Share Servers
Configuring Server Affinity
Configuring the Good Mobile Control Console
Provisioning Users
Activating the Good Share App on a Mobile Device
Upgrading the Good Share Server
Server Upgrade
App Upgrade
Working with the Good Share Console
Changing the Default Firewall Port Number
Working with Policies
Creating a New Policy
Auto-Add Users to Policy
Editing Policies
Sharing Files for File Shares (Admin-Defined)
Adding Private File Shares to a Policy
Adding Public File Shares to a Policy
Sharing Files for a SharePoint Site (Admin-Defined)
Adding Sites via URL
Adding Sites via MySite
Sharing Files for File Shares and SharePoint Sites (User-Defined)
Access
Data Sources
Permissions
Screening Files by App
Accessing and Configuring the Server Settings
Security Settings
Server Settings
Audit Settings
Audit Logs
Administration Roles
Self-Service Console
Add Data Source
Add Mapped Drives
Support for SharePoint Online (Hosted SharePoint)
Deployment Prerequisites
Authentication Setup
ADFS Version and Location
ADFS HTTPS Certificate
Local Folder Synchronization
Windows Folder Redirection (Native)
Offline Folders (Native)
Appendix A – Good Share Scalability Guidelines
Good Share Scalability with SharePoint Only
Good Share Server Integration with GEMS
Note about Performance Testing
Appendix B – Troubleshooting
Error 404: Connecting to Good Share Server
Appendix C – Configuring KCD for Good Share


Overview

Note: This document is primarily written to help with the initial installation of the Good Share server. However, if you are upgrading, skip ahead to Upgrading the Good Share Server.

Good Share provides a secure mobile collaboration solution that allows mobile workers to access, sync, and share their file server and SharePoint documents natively without requiring VPN software, firewall reconfiguration, or duplicate data stores.

Good Share provides the following capabilities to balance the needs of a mobile workforce with the needs of enterprise security:

- Access to data that may be in multiple places such as a file server or SharePoint site
- Synchronization across multiple devices that connect only intermittently
- Data ownership for separating corporate data from personal data without using duplicate storage on the cloud
- Data security through protection mechanisms that span multiple layers to prevent unauthorized access or leakage
- Data governance with robust policy management and a full audit trail to meet compliance standards
- Complete control by the enterprise IT admin over a mobile document’s life cycle, the app, and the stored data on the mobile device.

This document organizes the installation and configuration process for Good Share server and the Good Share app into the following general steps:

1. Server-side requirements verification.
2. Client-side device requirements verification.
3. Selecting, installing, and configuring a database appropriate for your enterprise.
4. Downloading and running the Good Share Server installer.
5. Configuring the Good Share server.
6. Configuring Good Control.
7. Configuring Good Mobile Control (if you also use GFE).
8. Provisioning user devices for the Good Share application.
9. Downloading the Good Share app to the device and activating it.

Requirements

Check that you meet the following requirements before you begin the installation. If you do not meet them, the Good Share Server installation can fail.


Installation Prerequisites

Check that your supporting infrastructure and environment meet the following Good Share prerequisites before you begin the installation. These include:

- Upgrade considerations
- Platform requirements
- Database requirements
- Hardware requirements
- Software and OS requirements
- Client device requirements

Important: Administrator privileges are required for the host machine on which you will install Good Share. If you do not install the required software or fail to configure the requirements correctly prior to beginning installation of Good Share, the server may fail or behave in an unexpected manner.

Upgrade Compatibility with Earlier Versions

Note: Never uninstall the old version of the product until you have verified that your new Good Share Server deployment is operating properly. Before you upgrade a production system, validate it in a test environment first.

Upgrading to Good Share Server 3.1 from the following versions is fully supported:

- 2.8.4
- 3.0
- 3.0.1

Good Share 3.1 clients (iOS and Android) are backward compatible with the same Good Share Server versions listed above.

Administrator Privileges

The person who installs the Good Share server must have administrative privileges on the host machine; otherwise the installer issues an error message.

Platform Requirements

The following software must be installed and configured before you install the Good Share Server software:

- The Good Dynamics platform with Good Control Server 1.5.33.x or later.
- A Microsoft Active Directory domain which consists of either a single-domain forest or a multi-domain forest in which two-way trusts exist between domains.


Database Requirements

A Microsoft SQL Server 2012 (x64) Express, Standard, or Enterprise edition database, or a Microsoft SQL Server 2008 (x64 or x86) Express, Standard, or Enterprise edition database.

Note: Good Share no longer supports a Postgres database. If you are currently using a Postgres database, create a new database using SQL Server. There is currently no automatic migration from Postgres.

These instructions assume that you have a working knowledge of both Microsoft Windows Server and Microsoft SQL Server. MS SQL Server must be installed and working properly prior to Good Share installation. The Good Share server must have network and firewall access to the MS SQL Server if it is installed on another server or at another location.

For POC purposes, download MS SQL Server 2008 R2 Express directly from Microsoft. Otherwise, download Microsoft SQL Server 2008 R2 SP 3.

SQL Server Management Studio is bundled with the SQL Server 2008 R2 Express download, and is required to correctly set up the Good Share database. If your current SQL Server installation does not include SQL Server Management Studio, download it from Microsoft.

Server Hardware Requirements (POC)

Minimum hardware requirements for the Good Share Server host include:

- Processor: One 2 GHz CPU
- RAM: 2 GB if the host machine is connecting to an enterprise database, 4 GB if you opt to run the database locally
- Hard Drive Space: minimum 50 GB free.

Server Software and Operating System Requirements

The requirements cited here apply to the machine on which the Good Share Configuration Console is installed, not for other server components comprising Good Dynamics. It is recommended that you run Good Share and Good Control on separate machines, although for POC (non-production) purposes, both GC and the Good Share Configuration Console running on a single machine is supported.

- Operating System:
  - Microsoft Windows Server 2012 R2
  - Microsoft Windows Server 2012
  - Microsoft Windows Server 2008 (64-bit) or Microsoft Windows Server 2008 R2
- Windows Role and Feature Requirements:
  - .NET Framework 4.0 or higher.
  - Windows Installer 4.5 Redistributable


- Internet Information Services (IIS):

  The IIS role must be installed on the Docs machine in order to install the web console. This role is added using Server Manager > Add Roles > IIS.

  Enable the following role features:
  - Static Content
  - Default Document
  - ASP.NET Extensibility
  - ASP
  - IIS Management Console

  See Enabling the IIS Role for Windows 2012 guidance.

  Important: Make sure you are a member of the Web Server Administrator IIS role on the Docs Configuration Console host.

- Network capabilities and resources:
  - The server must be a domain member and have access to Active Directory
  - Network shares must be accessible from the server
  - SharePoint sites must be accessible from the server
  - Good Share Configuration Console users must be in the Allow Logon Locally local security policy or Group Policy.

Enabling the IIS Role

For supported versions of Windows Server 2008, IIS 7.x configuration is based on the existing .NET Framework configuration store, which lets you store IIS configuration settings alongside ASP.NET configuration settings in Web.config files. IIS 7.x also offers compatibility with other technologies such as Active Server Pages (ASP), Common Gateway Interface (CGI), and Internet Server API (ISAPI). Most settings can be configured at the local level (Web.config) and also at the global level (ApplicationHost.config), with redirect settings (Redirection.config) to configuration files and schema located on another computer. Visit Microsoft's IIS Learning Center for a complete introduction to IIS features and capabilities.

You can install IIS 7.5 by using the Add Roles and Features wizard in Server Manager or by using the command line.

Specifically in Windows 2012:

1. Open Add Roles and Features, then select Server Roles and enable the checkbox for Application Server in the Roles list.
2. Click Next.
3. Under Application Server, select Roles Services, then add .NET Framework 4.5, Web Server (IIS) Support, and HTTP Activation by enabling each respective checkbox in the Roles Services list.
4. Click Next.
5. Under Web Server Role (IIS), select Role Services, then expand Application Development and enable .NET Extensibility 4.5, ASP, ASP.NET 4.5, along with ISAPI Extensions and Filters.
6. Click Next.

Important: The account under which the Docs Service application pool will run must belong to the Local Administrators group.

7. Continue to click the Next button until the Install button is enabled, then click it to complete IIS role configuration for the Docs Service.
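The same role configuration as the seven wizard steps above, driven from an elevated PowerShell session instead of Server Manager, as an added example that is not part of Good's documentation or installer. It assumes the Windows Server 2012 ServerManager feature names for the roles and services named in the steps, and the application pool account is a placeholder (DOMAIN\GoodAdmin) that you replace with your own.

```powershell
# Added example, not Good Share code: install the Application Server and
# IIS role services the Good Share web console needs, then verify them.
# Run from an elevated PowerShell prompt on Windows Server 2012 / 2012 R2.
# Feature names are the ServerManager names assumed to match the wizard
# items above; confirm them with Get-WindowsFeature on your own build.

Import-Module ServerManager

$requiredFeatures = @(
    # Steps 1-3: Application Server role with .NET 4.5, IIS support, HTTP activation
    'Application-Server',
    'AS-NET-Framework',
    'AS-Web-Support',
    'AS-HTTP-Activation',
    # Web Server (IIS) role and the role features listed under "Internet Information Services"
    'Web-Server',
    'Web-Static-Content',
    'Web-Default-Doc',
    'Web-Mgmt-Console',
    # Step 5: Application Development services
    'Web-Net-Ext45',
    'Web-Asp',
    'Web-Asp-Net45',
    'Web-ISAPI-Ext',
    'Web-ISAPI-Filter'
)

# Install only what is missing so the script can be re-run safely.
$missing = Get-WindowsFeature -Name $requiredFeatures |
    Where-Object { -not $_.Installed } |
    Select-Object -ExpandProperty Name

if ($missing) {
    Write-Host "Installing: $($missing -join ', ')"
    $result = Install-WindowsFeature -Name $missing
    if (-not $result.Success) {
        throw "Feature installation failed (exit code $($result.ExitCode))"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before running the Good Share installer.'
    }
} else {
    Write-Host 'All required Application Server and IIS features are already installed.'
}

# Verify that every required feature now reports Installed.
$stillMissing = Get-WindowsFeature -Name $requiredFeatures |
    Where-Object { -not $_.Installed } |
    Select-Object -ExpandProperty Name
if ($stillMissing) {
    throw "Still missing after install: $($stillMissing -join ', ')"
}
Get-WindowsFeature -Name $requiredFeatures |
    Format-Table Name, DisplayName, InstallState -AutoSize

# The application pool account must be in the local Administrators group
# (Important note above). $poolAccount is a placeholder; set it to the
# service account you will give the installer (for example your GoodAdmin).
$poolAccount  = 'DOMAIN\GoodAdmin'
$adminMembers = (net localgroup Administrators) | ForEach-Object { $_.Trim() }
if ($adminMembers -notcontains $poolAccount) {
    Write-Warning "$poolAccount is not a member of the local Administrators group; add it before installing."
} else {
    Write-Host "$poolAccount is a member of the local Administrators group."
}
```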

Software Restrictions

Do not install the Good Share Server on an Active Directory Domain Controller.

Client Device Requirements

Devices running the Good Share client app must meet the following minimum requirements:

- Minimum iOS version: 6.0
- Minimum Android version: Ice Cream Sandwich 4.0


Installing Your Good Share Server

To install and launch the Good Share server:

1. Download the Good Share installer from Good Technical Resources.

Note: Make sure the logged on user has sysadmin permissions on the SQL Server.

2. Launch the installation wizard and follow the prompts for:
   a. Welcome
   b. License Agreement
   c. Customer Information
   d. Specify your installation location and select your options:
      - Default or Custom Installation (choose the components you wish to install—Good Share Server or Web Console or both; by default, both components will be installed)
      - Database Server Name. This can be local or remote using the syntax <server_name>\<instance_name>, <port_number>.
      - Authentication Credentials. Choose Windows Authentication if the logged on user has sysadmin privileges on the SQL Server. If not, choose SQL Server Authentication and specify your sa account credentials.
      - Database and Log Location. Specify the location for the database and log files. Make sure these paths exist on your local or remote instance of SQL Server.
      - Service Account. Specify the service account which will be used to run the Good Share Server Service (e.g., GoodAdmin). This service account will be given db_owner privileges to the Good Share database.
      - Management Console Settings:
        - Web site – the web site under which the Good Share management console will be installed.
        - HTTPS Port – the port which the Good Share management console will use. The default is 443.
        - SSL Certification – select A new Self-Signed Certificate. The certificate can be changed after installation using the IIS Management Console.
        - Process Identity – the account under which the Good Share application pool will run.
3. When the InstallShield Wizard completes the installation, the Good Share Server management console is launched automatically.

Server Configuration

After successfully installing your Good Share server, you will need to:

- Access the Good Share console
- Add users
- Configure Good Control
- Configure GMC

Accessing the Good Share Console

To access the Good Share Console:

1. Open a new browser window or tab and enter the URL corresponding to your environment; i.e., https://<GoodShareServerFQDN>/GoodShareConsole.
2. Supply the service account credentials you specified under Installing Your Good Share Server.

The Good Share SERVER STATISTICS panel contains the following details:

- License expires – this date is not currently being used for app enforcement and licensing.
- User Licenses – Good Share Server licensing is set to a significantly large number; the number of licenses is currently not being used for enforcement and licensing.
- Users – number of active users currently using the Good Share Server.
- Policies – number of policies created for Good Share users.
- File Shares – number of total file shares in all policies.
- SharePoint Sites – number of SharePoint sites in all policies.

Adding Users to the Good Share Console

1. Open the Good Share console as described under Accessing the Good Share Console above.
2. Click Users in the navigation pane, then click the Options list box and choose Add.
3. To add an individual new user, specify the user’s Active Directory username and domain, then open the Policy list box and select the appropriate option. Click Save to commit.
4. To import users, specify the requisite AD credentials and filtering options, then click Find Now and select any user from the Active Directory lookup. Click Add User to add the user to the Users list. If you do not want to manually add users, see Auto-Add Users to Policy for guidance on setting up users automatically based on membership in a security group.

Note: Any user can be removed in the future without impacting configuration.

5. Click the Options list box, click Save, then choose Save Config and save this configuration file to your Desktop or a shared location.
6. Open the configuration file using a text editor and copy the contents of the configuration file to the clipboard for the next task, Configuring Good Control.
7. After a user has been added, mark the checkbox in the corresponding user row and click Edit. This opens the User Edit window, which has two sections: one for General Settings (username, domain, and policy), and a second for Data Sources, listing all data sources for this user.

Here, for admin-defined data sources, you can optionally enter an Override Path by selecting a data source from the list and clicking Edit. In the popup displayed, click Override Path for this user to specify an alternate path.

Configuring Good Control for Good Share

Good Control (GC) is the management and configuration component of the Good Dynamics platform.

Adding Good Share Servers

Follow the steps here to configure Good Control (GC) connectivity and communication with the Good Share server.

To configure one or more servers in Good Control:

1. Launch a web browser and use the https://localhost address to access the GC console if the browser is on the same machine as the GC server. If the browser is on a different machine, use https://<GC_host_name>.<domain_name>.
2. When the console opens, click Manage Applications under APPLICATIONS and verify that Good Share is registered as a Good application. Consult the Good Control OLH for general details on registering and managing Good Dynamics apps.
3. Click Good Share or click the pencil icon under Actions.
4. Click the Servers tab.
5. In the Host Name field, enter the Good Share server FQDN.

Important: Make sure the FQDN is entered in lower case. Good Control will not accept upper case characters.

6. In the Port field, enter the server port (default = 9999), then click under Actions.
7. Paste the contents of the clipboard you copied in Step 6 of Adding Users to the Good Share Console into the Configuration field and click Submit.

Configuring Server Affinity

Caution: When a distributed computer system is truly load balanced, each request is routed to a different server. This load balancing approach is diminished when server affinity techniques are applied. Be aware that once you set affinity, it takes precedence.

To enable server affinity for Good Share clients:

1. In the Good Control console navigator, click Policy Sets, then locate the policy you want to apply and click it.
2. Click the APPLICATION POLICIES tab.
3. Scroll down to Good Share and click it, then click the Server Configuration tab.
4. In the Good Share Preferred Servers field, enter the FQDN of your GEMS host and a colon, followed by the desired port. Again, if no port is specified, default port 9999 is assumed. Add more servers separated by a comma with no space.
5. Click Update.

Configuring the Good Mobile Control Console

Complete the instructions in this section if your users are going to provision their devices for both Good Share and Good For Enterprise.

To configure GMC for Good Share:

1. Launch a web browser and use the https://localhost address to access the GMC console if the browser is on the same machine as the GMC server. If the browser is on a different machine, use the https://GMC_host_name.domain_name address instead.
2. Click the Settings tab.
3. Click Third-Party Applications.
4. Click Add, then apply the following configuration settings:
   - Platform: select iOS.
   - Application Name = Good Share.
   - Application ID = com.good.goodshare

   Note: The Application ID is case sensitive, so be sure to enter it exactly as shown.

5. Repeat this step for Android.


To modify the appropriate policies that enable import/export between Good and third-party applications:

1. Click the Policies tab.
2. Click the policy desired.
3. Click File Handling on the left.
4. Turn on either the Enable importing/exporting between Good and third-party applications or the Enable importing to Good Only radio button. If you select Enable importing to Good Only, add Good Share to the list of trusted external applications.
5. Click Add Apps and select Good Share – iOS and Good Share – Android from the drop-down menu.

Provisioning Users

To grant users permission to provision their devices with the Good Share app:

1. Launch the Good Control console in a web browser and use the https://localhost address to access the GC console if the browser is on the same machine as the GC server. If the browser is on a different machine, use the https://GC_host_name.domain_name address instead.
2. Under USER ACCOUNTS, click Manage Users. If no users are present in the system, click Add Users and then search for a user by their Active Directory username.
3. Select a user and then click the Applications tab. Verify that the user has Good Share listed under Allowed Applications. If not, click Add More and add Good Share.
4. Click the Access Keys tab.
5. Select 1 access key and then click Provision to generate an access key for this user. This access key is sent to the user’s email address to use during app activation on a mobile device. This allows the Good Share app to connect to the Good Technology NOC.

Activating the Good Share App on a Mobile Device

To quickly install the Good Share app on a mobile device:

1. Download and install Good Share from the App Store or Google Play, respectively.
2. Launch the app.
3. As prompted, enter an email address and access key, or choose another GD app to provide the key if GD's Easy Activation feature has been enabled.
4. Create an app password and confirm it.
5. When prompted, enter your Active Directory credentials.

Note: You must have manually added users in Good Share Server or configured policies to auto-add users based on security groups in order for users to access their data sources. See the respective client user guide for additional details:

- Good Share Client User Guide for iOS
- Good Share Client User Guide for Android

Upgrading the Good Share Server

Important: Good Share no longer supports a Postgres database. If you are currently using a Postgres database, create a new database using SQL Server. There is currently no automatic migration from Postgres. The following topics outline the steps to upgrade an existing instance of the Good Share Server to the latest version.

Note: Good Share is designed to be backwards compatible. In other words, the app functions correctly even if end-users update the app before the server is upgraded. There may be instances, however, where end-users will not be able to take advantage of certain new features until the server is also upgraded.

Server Upgrade

The server upgrade binaries are typically made available one week before the app upgrade is published in the Apple App Store or Google Play.


Important: If you are upgrading your server from version 2.8.x, you must run the installer a second time in order to select the option to install the Good Share Web Console.

To upgrade from a supported earlier version of Good Share:

1. Download the latest version of the Good Share server software.
2. Copy this file over to your existing Good Share server machine.
3. Make sure the account with which you’re logged in to the Good Share Server has administrative privileges.
4. Double-click on the executable and choose the Upgrade option when prompted.
5. The installer performs the necessary upgrade steps automatically.

App Upgrade

The app upgrades can be downloaded from their respective app store and installed by the users. The end-users are not required to perform any steps upon upgrade.

Working with the Good Share Console

The Good Share administration console runs as an application on the Good Share Server. You can launch it by going to Start > Programs > Good Technology > Good Share Server.

The Good Share console opens and displays a toolbar along with the SERVER STATISTICS panel, which contains the following details:

- License expires – this date is not currently being used for app enforcement and licensing.
- User Licenses – Good Share Server licensing is set to a significantly large number; the number of licenses is currently not being used for enforcement and licensing.
- Users – number of active users currently using the Good Share Server.
- Policies – number of policies created for Good Share users.
- File Shares – number of total file shares in all policies.
- SharePoint Sites – number of SharePoint sites in all policies.

Changing the Default Firewall Port Number

The Good Share Server only uses port 9999 if it is on the enterprise network. This port can be changed from the Server Settings menu. Make sure that the Good Proxy server is able to communicate with the Good Share Server on Port 9999, or the port specified. If you change the default port number, you must update the Good Control server with the new port number.

Viewing and Working with a List of Users

You can view a list of users by clicking Users in the Good Share console’s tool bar.

Add more users via the Options list box as follows:

- Select Add for a single new user
- Select Import to add users from the Active Directory.

Note: If you do not want to manually add users, refer to Section Auto-Add Users to Policy on how to set up users to be configured in a policy automatically based on their security group membership.

Click the list box on the right to filter the list of users based on the policy to which they belong.

You can also search for a particular user by entering the user name in the search field. This will search for users that have already been added to the Good Share database.

Select a user to access additional command buttons. Click:

- Edit to specify the user’s override path or change the user’s policy
- Delete to remove a user
- Move to Policy to move a list of users to a selected policy
- Assign Roles to give the user an additional role such as Default Admin or Compliance Officer. By default, all users are assigned the ‘Default User’ role.

Working with Policies

Policies contain a list of shares and permissions that are applied to all the end-users assigned to that policy.

Policies can be defined on a departmental level or a site-level, depending on the use-case that best serves the organization.

The Policies list shows the following for each policy:

- Policy Name and Description
- No. of Users = number of users belonging to that policy.
- No. of File Shares = number of public share paths that belong to this policy.
- No. of SharePoint sites = number of SharePoint sites that belong to the policy.

Each policy is then associated with the specified File Shares, SharePoint Sites, User Defined Shares, and trusted apps (under the Open In tab).

Creating a New Policy

To create a new policy:


1. Click the Options list box and then select Add. The Policy dialog box opens.

2. Enter the new policy name and description under the General Settings tab.

Auto-Add Users to Policy

Optionally, you can also link this new policy to a Security Group in Active Directory to enable auto-addition of users to the Good Share console. Users in this Security Group are automatically added to the Good Share admin console and assigned to the respective policy.

To auto-add users to policies based on their security group membership:

1. Open the Security Groups tab.

2. Enable the Link to Active Directory check box.

3. Select the appropriate security group. If there are none listed, click the Add Security Groups button to see a list of available security groups. Select the appropriate group and click Add.

4. Select the security group you wish to associate with the policy and click Save.

Editing Policies

Click the check box next to a listed policy to activate the additional Edit, Delete, and Duplicate command buttons.


Sharing Files for File Shares (Admin-Defined)

Good Share allows sharing private and public file shares for groups of users. Private shares have a path that has a unique user specific attribute, whereas public shares have a static path. Support for Active Directory wildcard attributes enable the configuration of multiple private shares. For instance, a user's home directory can be setup using an Active Directory wildcard.

File Shares are added as data sources in policy. Users in a policy have access to the data sources added in the policy.

Adding Private File Shares to a Policy

To add multiple file shares for a particular user, defined by using a variety of wild cards from the user’s AD profile:

1. Click the policy name you want.
2. Click Options > Add Home Directory.


Enter the following information:

l Display Name – name displayed on the end user’s mobile device for the share.

l Path – specified using the complete path to the private shares or wild cards from the user’s AD profile. For instance, if you enter the wild card <homedirectory>, the path is automatically populated from the user’s home directory attribute in their AD profile. Similarly, admins can also specify a base folder followed by the AD name wild card.

Thus, if Path = \\fileserver1\files\<user_login_name>, this makes the home directory for user jdoe=

\\fileserver1\files\jdoe

• Keep Synchronized with mobile device – forces all contents within this folder to be cached locally to the end-user's device. This folder is automatically synchronized between the app and the backend once every 24 hours. Users also have the ability to manually sync from the app.

• Permissions – restricts the operations an end-user can perform when accessing network resources from the Good Share application. These permissions act on top of the inherent AD permissions.

Note: The same permissions can be defined at a per data source level or at a per policy level. SharePoint data sources have the added option to restrict Check In/Check Out of documents.

• List (Browse) – allows end-users to list files.

• Delete Files – allows end-users to delete files.

• Read (Download) – allows end-users to download files to the mobile device. The file is stored in the secure container and is deleted as soon as the user browses to a different location or exits the app (unless it is a 'Keep In Sync' data source).

• Write (Upload) – allows end-users to upload and overwrite existing files.

• Cache (Favorites) – allows end-users to cache files and subfolders to be saved locally on the mobile device for offline availability.

• Allow Native Email – allows end-users to use the native email on their mobile device, but this means the document will no longer be in the secure container. If GFE is installed on the device, users can click the Mail option and the document will be sent to GFE automatically.

• Open In – allows end-users to open files in other third-party applications.

• Create Folder – allows end-users to create new folders.

• Print – allows end-users to use the native air-print option on their mobile device. The document will no longer be in the secure container. When available, they can also use a GD-enabled app like 'Breezy' to securely print documents.

• Copy/Paste – allows end-users to copy/paste contents from files to the local clipboard.

Adding Public File Shares to a Policy

Public shares are folders shared between a set of users.

To add public file shares to a policy:

1. Click on the Policy Name, then click on Options and then click Add.

Note: The status icon reflects the permissions of the currently logged on user on the share specified. This may not display a checkbox if the logged on user does not have permissions to view the share. This will not have any functional impact on the app as long as the end-user has the necessary permissions to view the contents of the path specified.

2. Add appropriate policy details for the selected public shares.

• Display Name – sets the name displayed on an end user's mobile device for the share.

• Path – sets the path to the public share.

• Keep Synchronized with mobile device – forces all contents within this folder to be cached locally to the end-user's device. This folder is automatically synchronized between the app and the backend once every 24 hours. Users also have the ability to force a sync.

You also have the ability to add a particular file share to different policies, if appropriate.

To copy a File Share to other policies:

1. Click on the check box next to the public share and select Add To Policies.

2. Select the policies to which you want to add this public share, then hit Apply.

Note: This option is also available for adding a particular SharePoint site to multiple policies.

Sharing Files for a SharePoint Site (Admin-Defined)

Good Share allows SharePoint sites to be added in two different ways:

1. Specifying the URL to the site for which a particular set of users have access.

2. Integration with SharePoint's MySite feature, providing access to a user's personal site.

Adding Sites via URL

To specify the URL of a site to which a particular set of users will have access:

1. Click on the Policy Name, then open the SharePoint Sites tab.

The folders listed under SharePoint Sites can be viewed by all users assigned to the policy.

2. Enter the following information in the field indicated:

• SharePoint Site URL – sets the URL of the SharePoint site. Enter the site root rather than a page: for example, for http://mySharePointurl/default.aspx enter http://mySharePointurl. Also, make sure the URL points to a site, rather than a document library or a list.

• Display Name – sets the name displayed on an end user's mobile device for the share.

Adding Sites via MySite

To add a share using MySite:

1. Click on Options > Add.

2. Specify a wild card in angle brackets ("<>"). If you want to use the Active Directory username attribute, specify it as <username> in the SharePoint Site URL path; e.g., https://MySiteHost/my/<username>.
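As an added example (not code from the guide or from Good Share itself) of how the AD wildcards used above, both in private share paths such as \\fileserver1\files\<user_login_name> and in MySite URLs such as https://MySiteHost/my/<username>, resolve for a given user, the following Python expands <attribute> tokens against a constructed AD profile. Everything here is this example's own: the SAMPLE_USER values, the expand_template function, and the two safety rules it enforces (a substituted attribute value may not contain path separators when the template has a base folder, and a lone wildcard must expand to a UNC path or URL), which are a defensive assumption, not documented server behaviour.

```python
import re

# Constructed sample AD profile (illustrative values, not real directory data);
# the attribute names are the wildcards used in the guide.
SAMPLE_USER = {
    "user_login_name": "jdoe",
    "username": "jdoe",
    "homedirectory": r"\\fileserver1\home\jdoe",
}

WILDCARD = re.compile(r"<([A-Za-z0-9_]+)>")
# One path or URL segment: letters, digits, underscore, dot, hyphen; no separators.
SAFE_SEGMENT = re.compile(r"^[\w.-]+$")


def expand_template(template, attributes):
    """Expand <attribute> wildcards in a private share path or MySite URL.

    Two rules are applied; both are this example's own assumptions rather
    than documented server behaviour:
      * a template that is a single wildcard (e.g. "<homedirectory>") takes
        the attribute value verbatim, but the result must be a UNC path or
        an http(s) URL;
      * otherwise every substituted value must be one segment, so an attribute
        value containing "\\", "/" or ".." cannot point the share outside the
        administrator-chosen base folder.
    """
    attrs = {k.lower(): v for k, v in attributes.items()}
    single = WILDCARD.fullmatch(template) is not None

    def substitute(match):
        name = match.group(1).lower()
        value = attrs.get(name)
        if not value:
            raise KeyError(f"AD attribute {name!r} is missing or empty")
        if not single and not SAFE_SEGMENT.match(value):
            raise ValueError(f"attribute {name!r} value {value!r} is not a single segment")
        return value

    result = WILDCARD.sub(substitute, template)
    if single and not (result.startswith("\\\\")
                       or result.lower().startswith(("http://", "https://"))):
        raise ValueError(f"expanded value {result!r} is neither a UNC path nor a URL")
    return result


def expansion_error(template, attributes):
    """Return the error class name if expansion is rejected, else None."""
    try:
        expand_template(template, attributes)
    except (KeyError, ValueError) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    for tpl in (r"\\fileserver1\files\<user_login_name>", "<homedirectory>",
                "https://MySiteHost/my/<username>"):
        print(tpl, "->", expand_template(tpl, SAMPLE_USER))
```

Validating substituted values matters because the share path is built from directory data: an attribute that a provisioning tool or a delegated administrator can set to an arbitrary string should not be able to move a user's "home directory" outside the base folder the policy names, and an empty attribute should fail loudly rather than silently produce the base folder for every such user.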

Sharing Files for File Shares and SharePoint Sites (User-Defined)

You can enable users to add their own File Shares or SharePoint sites. There are three ways end-users can add User-Defined Shares. These include:

1. Log in to the self-service web console to add File Shares or SharePoint sites. On Microsoft Windows PCs, users can use the "Map My Drives" feature in the IE browser to add their mapped drives to mobile with a few clicks.

2. Use the mobile app to add file shares or SharePoint sites.

3. Users can simply “Follow” sites on SharePoint and they will show up on mobile.

Shares added automatically show up on each of a user’s devices. As the admin, you can also set ‘Permissions’ around these shares just as you do for administrator-defined shares. The following steps explain how to set these options.

To set user-defined shares permissions:

1. Click on the Policy Name.

2. Click on the User Defined Shares tab.

Access

You have three options for permitting user access to data sources:

1. Check Enable User Defined Shares to allow users to add their own data sources.

2. Automatically add those sites followed by users. This option takes advantage of the followed site feature in SharePoint. Admins can define a parent site, and then enable this option. All sub-sites within the primary site that end-users have chosen to ‘follow’ will automatically appear on their mobile device.

3. Allow Web Services to Add User Defined Shares. Good Share exposes several REST APIs which can be integrated into existing consoles and workflows used by the enterprise. These APIs allow a web service to add user-defined shares. Contact Good Technology Support for more information on integrating these APIs with Good Share.

Data Sources

The following settings allow you to control which repositories end-users are allowed to add with the self-service console.

• Allow File Shares – permits end-users to add file shares.

• Allow SharePoint sites – permits end-users to add SharePoint sites.

Permissions

User-defined permissions work the same way Permissions work for admin-defined shares.

Screening Files by App

To allow or block a user’s ability to open files based on the app used:

1. Click the Policy Name, then click the Open In tab.

2. Select from the following options:

• Good Dynamics Apps only – permits users to open files in GD-enabled apps only.

• Any app – permits users to open their files in any app.

• Good Dynamics apps plus whitelisted apps – permits users to open their files in GD-enabled apps as well as select whitelisted non-GD applications.

3. Click How to retrieve an App ID to view instructions on retrieving an application's App ID.

Once a whitelisted app has been added to a policy, you can apply it to other policies by checking the box next to the app and clicking Add to Policies.

Accessing and Configuring the Server Settings

To access your Good Share server's settings, click Settings on the console tool bar.

Security Settings

The Security settings are organized into the following three groups:

1. Kerberos Constrained Delegation

a. Enable or disable Kerberos constrained delegation.

b. Specify the FQDN of the Good Proxy server.

Note: Certain environmental configurations need to be performed by the administrator before enabling this option. Please contact Good Technology Support for assistance.

2. Auto Add User and Home Directory

a. Enable/disable the automatic addition of users through the app. This setting is used in combination with linking policies to Active Directory. See Working with Policies.

b. If the user's home directory is not recorded in the Default attribute in AD, you can specify the appropriate attribute.

3. General

a. Allow or block preview of media files on iOS devices. The file is unencrypted on the iOS device for the duration of playback.

b. Enable/disable the app from remembering the user's password.

c. Enable/disable the display of event details for SharePoint Calendar alerts.

d. Force User to save Pending Uploads. There may be instances where a user works on an offline version of a file and does not have the network coverage needed to upload it to the backend repository; in that case the user can save the file to the local Pending Files container within the app. For compliance reasons, enterprises may not want data to reside in this offline location for an indeterminate amount of time. The next time the user launches the application and has network connectivity, they are greeted with a prompt asking them to upload the pending file. They are then prompted to take an action according to the following setting:

• Unchecked – the user receives the prompt to upload but has the option to cancel it. They get this prompt again every 24 hours when the app is launched and the device has network connectivity. This continues as long as the file resides in the Pending Files container.

• Checked – the user receives the prompt but is not given the option to cancel the upload. The user is forced to upload the file before continuing to use the application.

Server Settings

The Server settings screen displays a list box of available Good Share servers. Select a server from this list box to see the server’s associated port number for apps that are inside the enterprise network and the location of the server’s log files.

Audit Settings

The Audit settings screen provides options for managing audit log operations and the number of audit log records in the database. Every operation from every app can be recorded to an audit report. These records are stored in the Good Share database and can be used to meet compliance and e-discovery requirements.

Check Enable Audit Logs to enable the audit operations selected.

Audit Logs

You can choose to record every operation that is performed by users with the Good Share application. You can then access these records from the Good Share console by selecting File > Audit Log Reports.

For generating audit reports, the following filters are available:

• Date – sets the time frame for which you want to generate the reports.

• Operation – sets the operations for which you want to generate a report.

• Users – filters the report by specific users, displaying only users who have actually used the application.

• Search – full or partial file name (keyword search) to filter which users have accessed a particular file.
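The four report filters above combine into one query over the audit records. As an added example, not code from the guide or from the Good Share database schema, the following Python applies them to a handful of constructed audit records; the record layout (time, user, operation, path) and the function names are this example's own assumptions, chosen to mirror the filters the console offers.

```python
from datetime import datetime

# Constructed sample audit records (not output of a real Good Share server;
# the field names are this example's own).
SAMPLE_AUDIT = [
    {"time": "2015-06-01T09:12:00", "user": "jdoe",   "operation": "Download",
     "path": r"\\fileserver1\files\jdoe\Q2-forecast.xlsx"},
    {"time": "2015-06-01T09:15:00", "user": "asmith", "operation": "Browse",
     "path": r"\\fileserver1\public"},
    {"time": "2015-06-02T14:03:00", "user": "jdoe",   "operation": "Upload",
     "path": r"\\fileserver1\files\jdoe\Q2-forecast.xlsx"},
    {"time": "2015-06-03T08:30:00", "user": "asmith", "operation": "Delete",
     "path": r"\\fileserver1\public\old-policy.docx"},
    {"time": "2015-06-10T17:45:00", "user": "bwong",  "operation": "Download",
     "path": "https://sharepoint.corp.example/sites/finance/forecast.xlsx"},
]


def file_name(path):
    """Last segment of a UNC path or URL, used by the Search filter."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def filter_audit(records, start=None, end=None, operations=None, users=None, search=None):
    """Apply the console's four filters: Date (inclusive ISO-8601 range),
    Operation, Users and Search (case-insensitive partial file name)."""
    start_at = datetime.fromisoformat(start) if start else None
    end_at = datetime.fromisoformat(end) if end else None
    ops = {o.lower() for o in operations} if operations else None
    who = {u.lower() for u in users} if users else None
    needle = search.lower() if search else None
    matched = []
    for rec in records:
        when = datetime.fromisoformat(rec["time"])
        if start_at and when < start_at:
            continue
        if end_at and when > end_at:
            continue
        if ops and rec["operation"].lower() not in ops:
            continue
        if who and rec["user"].lower() not in who:
            continue
        if needle and needle not in file_name(rec["path"]).lower():
            continue
        matched.append(rec)
    return matched


def active_users(records):
    """Users who have actually used the application (the Users filter list)."""
    return sorted({rec["user"] for rec in records})


def users_who_accessed(records, search):
    """Which users touched files matching the search, in first-seen order:
    the e-discovery question the Search filter exists to answer."""
    seen = []
    for rec in filter_audit(records, search=search):
        if rec["user"] not in seen:
            seen.append(rec["user"])
    return seen
```

Matching the search against the file name only, rather than the whole path, is a deliberate choice here: it lets one keyword find the same document whether it was reached through a file share or through a SharePoint URL, which is the usual shape of an "who accessed this file" request.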

Administration Roles

Because Good Share supports role-based administration, enterprises wishing to have well-defined, tiered administration can choose from the existing predefined roles or create their own roles with specific functions. Good Share ships with three predefined roles, including:

• Compliance Officer – this role can change audit settings and run audit reports.

• Default Admin – this role can perform all available operations within the Good Share Management Console.

• Default User – this role only permits end-user permissions: the user can view the drives that are available to them via the policy assigned by the administrator. By default, all users are assigned this role.

As mentioned, admins can also create enterprise-defined roles by choosing the Options list box, selecting Add and then defining the specific operations permitted by that role.

An example of an IT Helpdesk role is pictured here.

Of special significance here is the permission called Good Share Admin API Access. When this permission is granted, it enables the role to add user-defined data sources with REST API calls.

Self-Service Console

An end-user can log into the self-service console to view the list of their data sources. Users with the Default User role will only be able to see this screen when they log into the web console. If the admin has chosen to allow end-users to add their own Data Sources according to Sharing Files for File Shares and SharePoint Sites (User-Defined), the Options tab will also be visible. End-users can click this list box and select from two options, either Add Data Source or Add Mapped Drives, defined as follows:

Add Data Source

This option allows end-users to choose between adding a File Share and a SharePoint Site. The user can type in the respective UNC path or a URL and assign a Display Name for the data source to make it available across all devices running Good Share for this particular user. However, to view the contents of the share, the user must have corresponding AD permissions to the share.

Add Mapped Drives

This option automatically adds the drives currently mapped on the user's PC, making them accessible via the Good Share app. It requires an ActiveX Control to be enabled in the browser used and is only available on Windows machines.

Here, clicking on Option presents the user with a selection of currently mapped drives. The drives desired can then be selected.

Support for SharePoint Online (Hosted SharePoint)

Good Share Server 3.1.351 or above can support SharePoint Online as a data source. SharePoint Online locations can be added to policies in the Good Share Console just like an on-premises SharePoint site. Both administrator-defined and user-defined data sources are supported.

SharePoint Online furnishes two different ways for on-premises Active Directory (AD) users to authenticate and perform normal SharePoint operations:

• DirSync with Password Hash – users and their passwords in AD are synchronized with Office 365 (O365). Users are presented with a login page where they enter their credentials to access SharePoint Online.

• Active Directory Federation Service (ADFS) – ADFS serves as a Secure Token Service. Behind the scenes, users are redirected to ADFS for authentication and are issued security tokens that SharePoint Online then uses to sign them in. SharePoint Online users do not need to enter credentials when accessing from the corporate network, which typically enables SSO scenarios.

Either authentication mechanism is supported by Good Share.

Deployment Prerequisites

All preparations are server side only. No device changes are required. Here, the prerequisite is that SharePoint Online is already deployed based on either of the authentication mechanisms, DirSync with Password Hash or ADFS. Consult Microsoft O365 resources regarding SharePoint Online deployment for details and procedures.

Authentication Setup

For Kerberos Constrained Delegation (KCD), which allows for Single Sign-On credential-less access to network resources from devices, only ADFS authentication to SharePoint Online is supported.

To help with configuring KCD, please follow the procedure specified in Good Share KCD Authentication Instructions. Contact your Good representative for a copy of this document.

Note: When adding Kerberos delegation constraints for Good Share process users, add the ADFS server HTTP service. Do not attempt to add SharePoint Online servers for delegation here.

For non-KCD configurations, in which users must enter their credentials on the device, both DirSync with Password Hash and ADFS authentication mechanisms to SharePoint Online are supported. No extra authentication-related steps are needed to use this configuration.

ADFS Version and Location

Good recommends ADFS 2.0. ADFS may be installed on either Windows 2008 R2 or Windows 2012. The ADFS server is automatically identified by Good Share based on the SharePoint Online location and therefore does not need to be specified.

ADFS HTTPS Certificate

If your ADFS server uses a self-signed certificate for HTTPS communication, the certificate must be added as a trusted CA on the Good Share server machine.

To add the certificate, navigate to IIS Manager on the ADFS machine, then go to Server Certificates and export the certificate to a file. Next, on the Good Share Server machine, import this certificate into the trusted CA list. Once you have deployed SharePoint Online, you’re ready to configure Good Share for your SharePoint Online users.

Configuring Good Share for SharePoint Online Users

To configure SharePoint Online for Good Share:

1. Click Settings, then select Security.

2. Add one or more SharePoint Online Domains in the field provided, separated by commas.

3. Save your changes.

Local Folder Synchronization

Users who work remotely on content creation and save files locally for offline access can now access these files on the go from their mobile devices without having to open their local machine. Good Share provides authorized users access to their Home Directory hosted on NAS shares and exposed through Active Directory. However, this synchronization feature (synching folders on the user's remote laptop or desktop with their home directory) is only available on local machines running Microsoft Windows.

Windows Folder Redirection (Native)

This feature gives administrators the ability to redirect the path of a folder to a new location, which can be on the local computer or a directory on a network file share. Users can work with documents on a server as if the documents were based on a local drive. The documents in the folder are available to the user from any computer on the network.

Folder Redirection is located under Windows Settings in the console tree when you edit domain-based Group Policy by using the Group Policy Management Console (GPMC). The path is [Group Policy Object Name]\User Configuration\Policies\Windows Settings\Folder Redirection.

Offline Files technology (turned on by default) gives users access to the folder even when they are not connected to the network, and is especially useful on laptops and mobile devices. Offline folders do not, however, work out of the box with Samba network drives. See Offline Folders (Native) below for details. Otherwise, Windows Folder Redirection can be enabled for any of the predefined folders in the Group Policy Management Editor as pictured next.

In Windows Server 2008, a total of 13 different folders can be redirected. Pictured above, these include:

• AppData (Roaming)

• Desktop

• Start Menu

• Documents

• Pictures

• Favorites

• Contacts

• Downloads

• Links

• Searches

• Music

• Videos

• Saved Games

As an administrator, you will need to create the root folder for the destination location. This folder can be created on a local or remote machine (NAS), but it is important that all members of the group who will have Windows Folder Redirection enabled are given full access to the root folder.

To enable Folder Redirection and configure access:

1. Create a root folder (e.g., RedirectShare) for the redirect destination.

2. In the Group Policy Management Editor, select a specific folder (e.g., Documents) and add one or more rules to determine which users/groups can redirect the selected folder to the root folder.

3. Set the target path using the %USERNAME% environment variable, so that each user is redirected to [Root]\<username>\Documents\. The tree structure of the root (for example, RedirectShare) will look something like:

Now the user's folder has exclusive user permissions. No other user can see the files. The user can update these files, add new files, and delete files. Then, when the user connects to the corporate network again, the files are automatically synchronized with the redirected location.

If modifications are attempted on the same file in both locations at the same time, an alert is issued (pictured next), and the user is responsible for resolving the conflict (keep source, keep destination, or keep both files).

Thus, if a user uploads a file through the Good Share mobile app directly to the share, it will be visible on the local PC in the Documents folder. Moreover, when the Good Share server is configured with "User Private Shares" pointing to the redirected root folder (e.g., C:\RedirectShare\), users can automatically use their own folders inside the Good Share app from the "Home Directory" on their phone or tablet.

Note: For users with their home folder defined in AD, Folder Redirection works when the redirection path is the same as the user's home folder in AD.

Offline Folders (Native)

When you select a network file or folder to make it available offline, Windows automatically creates a copy of that file or folder on your computer. Thereafter, any time you reconnect to the network folder, Windows synchronizes these files with those in the network folder. You can also synchronize them manually any time you want. As pointed out above, this feature does not work out of the box with a Samba network drive, and workarounds are not currently supported by Microsoft. Otherwise, the feature can be enabled from Windows Explorer and used for any shared folder as pictured.

Now that the shared folder is available offline, it can be used offline. Users can even make a shortcut to the shared folder on their desktop for convenience. Moreover, when working offline and changes are made to offline files in a network folder, Windows automatically syncs the changes the very next time you connect to that network folder. You can also manually sync changes by clicking the Sync Center tool.

Additionally, there are more advanced sync scheduling controls available in the Windows Sync Center.

If the user is working offline while someone else changes a file in a shared network folder, Windows syncs those changes with the offline file on the local computer the next time it connects to that network folder. If a sync conflict occurs—meaning changes were made to both the network and offline versions of the file between sync-ups—Windows will prompt the user to decide which change takes precedence.

Files that were cached automatically are removed on a least-recently used basis once the maximum cache size is reached. Files cached manually are never removed from the local cache. When the total cache size limit is reached and all files that were cached automatically have already been removed, files cannot be made available offline until you specify a new limit or delete files from the local cache by using the Offline Files control panel applet (pictured below).
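The eviction rule just described has a failure mode worth seeing end to end: once only manually cached files remain, nothing more can be made available offline until the limit is raised or files are deleted. The following Python is an added model of that behaviour, not Windows code and not part of the guide; the class name, method names and byte sizes are this example's own, and the limits used are example parameters rather than the 25 percent default described below.

```python
from collections import OrderedDict


class OfflineFilesCache:
    """Model of the Offline Files cache described above: automatically cached
    files are evicted least-recently-used first, manually cached ("pinned")
    files are never evicted. Sizes and limits are in bytes."""

    def __init__(self, limit):
        self.limit = limit
        self._entries = OrderedDict()  # path -> (size, pinned); oldest first

    def used(self):
        return sum(size for size, _ in self._entries.values())

    def paths(self):
        return list(self._entries)

    def touch(self, path):
        """Mark a cached file as recently used (moves it to the MRU end)."""
        self._entries.move_to_end(path)

    def delete(self, path):
        """User removes a file via the Offline Files control panel applet."""
        self._entries.pop(path, None)

    def set_limit(self, limit):
        """Administrator raises or lowers the cache size limit (Group Policy)."""
        self.limit = limit

    def add(self, path, size, pinned=False):
        """Cache a file; re-adding a cached path replaces it.

        Returns False, changing nothing, when the file cannot fit even after
        evicting every automatic entry: the user must raise the limit or
        delete files before anything more goes offline."""
        if path in self._entries:
            self.delete(path)
        evictable = sum(s for s, p in self._entries.values() if not p)
        if self.used() - evictable + size > self.limit:
            return False
        while self.used() + size > self.limit:
            victim = next(p for p, (_, is_pinned) in self._entries.items() if not is_pinned)
            del self._entries[victim]
        self._entries[path] = (size, pinned)
        return True


def run_scenario():
    """Walk through LRU eviction and the 'only manual files left' refusal."""
    cache = OfflineFilesCache(100)
    steps = []
    steps.append(cache.add("a.docx", 40, pinned=True))   # manual: never evicted
    steps.append(cache.add("b.xlsx", 30))
    steps.append(cache.add("c.pptx", 20))
    steps.append(cache.add("d.pdf", 30))                 # evicts b.xlsx (LRU automatic)
    steps.append(cache.paths())
    steps.append(cache.add("f.zip", 70))                 # 40 pinned + 70 > 100: refused
    cache.set_limit(150)                                 # admin raises the limit
    steps.append(cache.add("f.zip", 70))                 # now fits after evicting c.pptx
    steps.append(cache.paths())
    steps.append(cache.used())
    return steps


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The refusal is checked before any eviction takes place, so a file that will never fit does not flush the automatic entries on its way to failing; that is the example's choice of a safe ordering, not a statement about how Windows sequences the two checks.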

The default size limit for the Offline Files cache is 25 percent of the total disk space of the drive where the cache is located. The cache size can be configured through Group Policy by setting the limit on disk space used by Offline Files (Computer Configuration > Policies > Administrative Templates > Network > Offline Files) on each client separately.

Synchronization takes place a few minutes after the user logs in and connects/opens a shared network folder containing offline files and is schedule- or event-based. However, this must still be enabled manually by each user. Even so, through the Group Policy editor, the domain administrator can set various synchronization triggers; e.g., On Logon, On Logoff, Sync Interval, etc.

Pictured above, these settings are available in User Configuration\Administrative Templates\Network\Offline Files and in Computer Configuration\Administrative Templates\Network\Offline Files in the Group Policy Object Editor snap-in. For more information about policy settings, see the Explain tab on the Properties page of each policy.

See also Configuring Group Policy for Offline Files on Technet.

These options, Folder Redirection and Offline Folders, offer the following advantages compared to a proprietary laptop/desktop agent furnished by Good:

• IT does not have to manage and deploy another desktop agent.

• Microsoft Folder Redirection is integrated with GPO and manages conflicts.

• Existing compliance tools and processes govern the data.

Again, once the files are synchronized to the “Home Directory,” IT administrators can make use of the Good Share – Private Share functionality to expose the user’s “Home Directory” to the Good Share App running on provisioned mobile devices. It is also important to remember that for users who have their home folder defined in AD, Folder Redirection works when the folder redirection path is the same as the user’s home folder in AD.

Appendix A – Good Share Scalability Guidelines

Scalability of the Good Share Server is strongly influenced by maximum peak concurrency and end-user mobile usage patterns. Accordingly, Good's guidelines for scalability are based on three concurrency profiles: High, Medium, and Low. As a baseline for the "Medium" concurrency profile we assume maximum peak concurrency of 10%, which is based on Microsoft's Capacity Planning for Windows SharePoint Services guide and its maximum peak concurrency assumption of 10%, inclusive of both mobile and web traffic. We then conservatively assume that a "High" concurrency system will have greater mobile usage concurrency than Microsoft's guidelines, while the "Low" concurrency system will have lower mobile usage concurrency than Microsoft's guidelines. In practice, we do expect that mobile usage will have generally lower maximum peak concurrency than the overall SharePoint system, since the latter includes both mobile and web traffic. Based on this approach and assumptions, the Good Share scalability guidelines are set forth below. When planning their individual deployments, we recommend that customers measure their actual current SharePoint maximum peak concurrency and then use that as the baseline for determining which of these concurrency profiles best fits their environment.

Concurrency     # of users per server    Max concurrent users
High (12%)      5,000                    600
Medium (10%)    6,000                    600
Low (8%)        7,500                    600

Published Good Share Scalability Numbers

Good Share Scalability with SharePoint Only

The scalability of a Good Share Server running only a SharePoint environment is likewise governed by maximum peak concurrency, and the same three concurrency profiles (High, Medium and Low) apply. Stress testing the Good Share Server running only SharePoint showed the maximum concurrent users to be greater than in the standard Good Share scalability figures above: a SharePoint-only environment increases the maximum concurrent users to 750. At the same concurrency profiles of High (12%), Medium (10%) and Low (8%), the higher maximum concurrent users allows more total users per server.

Concurrency     # of users per server    Max concurrent users
High (12%)      6,250                    750
Medium (10%)    7,500                    750
Low (8%)        9,375                    750

SharePoint-Only Scalability Numbers
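Both tables above follow from one relation: users per server = max concurrent users / peak concurrency. As an added example, not a Good sizing tool and not code from the guide, the following Python rebuilds the two tables from that relation and then applies the recommendation to size from a measured peak concurrency. The PROFILES and MAX_CONCURRENT values are the guide's; the function names and the profile selection rule in choose_profile (round a measured figure up to the next published profile, and size on the measured figure itself when it exceeds High) are this example's own assumptions.

```python
import math

# Concurrency profiles from the guide's tables: percentage of total users
# assumed to be active at the peak.
PROFILES = {"High": 12, "Medium": 10, "Low": 8}

# Maximum concurrent users per server given in the guide for each deployment type.
MAX_CONCURRENT = {"standard": 600, "sharepoint_only": 750}


def users_per_server(max_concurrent, peak_percent):
    """Total users one server can carry if peak_percent of them are active at
    once. Integer arithmetic so the guide's figures reproduce exactly."""
    return max_concurrent * 100 // peak_percent


def scalability_table(max_concurrent):
    """Rebuild one of the guide's tables: profile -> users per server."""
    return {name: users_per_server(max_concurrent, pct) for name, pct in PROFILES.items()}


def choose_profile(measured_percent):
    """Pick the least demanding published profile that is at least as high as
    the measured peak concurrency; above High, size on the measured figure.
    This selection rule is the example's own, not Good's sizing method."""
    for name in ("Low", "Medium", "High"):
        if measured_percent <= PROFILES[name]:
            return name, PROFILES[name]
    return "Measured", measured_percent


def servers_needed(total_users, measured_percent, deployment="standard"):
    """(profile, users per server, server count) for a user population at a
    measured peak concurrency, for a standard or SharePoint-only deployment."""
    profile, pct = choose_profile(measured_percent)
    per_server = users_per_server(MAX_CONCURRENT[deployment], pct)
    return profile, per_server, math.ceil(total_users / per_server)


if __name__ == "__main__":
    for kind, cap in MAX_CONCURRENT.items():
        print(kind, scalability_table(cap))
    print(servers_needed(20000, 9))
```

Rounding a measured concurrency up to the next published profile is the conservative direction: a 9% measurement is planned as Medium (10%), so the estimate errs toward more servers rather than fewer.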

Good Share Server Integration with GEMS

Planned integration of the Good Share Server within the Good Enterprise Mobility Server (GEMS) as a Document Service (using the service-based architecture of GEMS) will reduce the Total Cost of Ownership (TCO) of our solution. This is targeted for General Availability in Q4, 2014.

Our long-term target in GEMS is to achieve 1,200 concurrent connections for the Document Service that can support from 10,000 users to 15,000 users per server, depending on the concurrency mode assumptions. We will make incremental progress towards this and plan to achieve this goal by end of 2015.

The targets may change based on technical complexities and other findings. GEMS can run multiple services on the same server and the actual capacity planning will involve planning across all the services being deployed in a given environment. These targets are for supporting GEMS Documents service without other services. We will provide capacity planning tools to guide customers through this process.

Concurrency     # of users per server    Max concurrent users
High (12%)      10,000                   1,200
Medium (10%)    12,000                   1,200
Low (8%)        15,000                   1,200

Targeted Goal for GEMS Docs Service Scalability by 2015 Year-End

As more social capabilities are added and File Explorer is made to work across multiple Good Dynamics apps, customers which enable these features or use apps that leverage the file explorer service may see higher concurrency for the Documents service.

Overall, we believe that the new application service architecture should significantly lower the TCO of our solution.

Note about Performance Testing

In running performance tests we use simulation clients. These simulation clients open a connection to the Good Share server (8 Core, 20 GB RAM, Windows 2008 R2) and execute the same operations a mobile device would execute: Upload, Download, Browse Files, Browse Folders, Delete Files and Update Files. All these operations are performed at a variable and random time gap of 5 to 15 seconds. The test data uses files of 1 KB, 5 KB, 50 KB, 100 KB, 500 KB, 10 MB and 100 MB, with the total size of the data set being 1.34 GB. The SharePoint tests are performed on a SharePoint farm with two SharePoint 2013 Servers talking to the same remote SQL Server 2008 Server. The pseudo user profiles are added to Active Directory and divided into security groups with 100 users in each group. On the Good Share server, the users/user groups are divided into 4 policies. The SQL Server used by the Good Share server is on a remote machine.

Appendix B – Troubleshooting

Major errors and the recommended fixes are discussed here on an advisory basis. For additional troubleshooting resources and support, please visit Good's Public KB.

Remember to check back often for updates to this list.

Error 404: Connecting to Good Share Server

Situation

Unable to connect to Good Share Server. Receiving Error 404 after IIS HTTPS Bindings changed from Port 443 to Port 5443.

Issue

Trying to install Good Share on the same server as Good Dynamics. When we attempt to launch the Good Share Console via IE, we get a 404 error.

Cause

The root issue is a result of IIS HTTPS Bindings changes made because Good Share is on the same host server as your Good Control (GD) and Good Proxy servers, which means you'll need to bind IIS to a port other than 443 as Good Control will be using that with Apache. Go to a command prompt and type netstat -ab and pipe the output to a text file to identify what is using 443.
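The netstat -ab check above answers "what already owns port 443?" and, by extension, which port is free for the IIS binding. As an added example, not code from the guide or from Good Dynamics, the following Python parses a constructed netstat -ab listing into a port-to-process map and reports conflicts against the ports a new service wants. The sample output, process names and function names are this example's own; in particular, the processes shown against ports 80, 443 and 17080 are invented for illustration, not captured from a real host.

```python
import re

# Constructed sample of `netstat -ab` output; the ports and process names are
# invented for the example, not captured from a real Good Dynamics host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
 [httpd.exe]
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
 [httpd.exe]
  TCP    0.0.0.0:17080          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    10.0.0.5:49712         10.0.0.9:1433          ESTABLISHED
 [svchost.exe]
  UDP    0.0.0.0:123            *:*
 [svchost.exe]
"""

# Proto, local addr:port, foreign addr, optional state (UDP lines have none).
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def listening_ports(netstat_text):
    """Map each local listening port to its owning process name.

    netstat -b prints the owner in brackets on the line after the socket line,
    or 'Can not obtain ownership information' when it could not read it
    (recorded here as 'unknown'). UDP sockets have no state and always count."""
    owners = {}
    pending = None
    for raw in netstat_text.splitlines():
        match = SOCKET_LINE.match(raw)
        if match:
            proto, _local, port, _foreign, state = match.groups()
            listening = proto == "UDP" or state == "LISTENING"
            pending = int(port) if listening else None
            if pending is not None:
                owners.setdefault(pending, "unknown")
            continue
        text = raw.strip()
        if pending is not None and text:
            bracketed = text.startswith("[") and text.endswith("]")
            owners[pending] = text[1:-1] if bracketed else "unknown"
            pending = None
    return owners


def conflicts(owners, wanted_ports):
    """Ports the new service wants that some listener already holds."""
    return {p: owners[p] for p in wanted_ports if p in owners}


def first_free_port(owners, candidates):
    """First candidate port no listener owns, e.g. to pick an IIS binding."""
    return next((p for p in candidates if p not in owners), None)


if __name__ == "__main__":
    held = listening_ports(SAMPLE_NETSTAT)
    print("conflicts:", conflicts(held, [80, 443, 5443]))
    print("free HTTPS port:", first_free_port(held, [443, 5443]))
```

Run against real output (netstat -ab piped to a file, as the text suggests, and read back with open().read()), the conflicts map is the evidence to keep with the change record: it shows which process held 443 when the binding was moved, which is what a later reviewer of the non-standard port will ask.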

Solution

Good Dynamics listens on port 443 and 80. If you try to enable IIS on a GD server, Windows will let you add it; however, the default Web Site in IIS will not start. The reason for this is because IIS's default website is configured to listen on port 80, which creates a conflict with GD. But no worries. After you enable IIS, just open the IIS manager and change the binding port to something other than 80. For example, 81. After you do this, IIS will let you start the default website.

Start -> Administrative Tools -> Internet Information Services Manager

Expand the Server name, then click on Default Web Site. On the right, click on Binding.

By default, GS's web console UI wants to use port 443, but as we noted earlier, GD is already using port 443. Once again, no worries. When you install GS, the installer will give you an option to change the default port. Change it to something other than 443 (5443 is a safe choice) and the installer will take care of the rest. You should be good to go after this.

If not, and you continue receiving Error 404 after changing IIS HTTPS Bindings, you probably need to reinstall the GS Web Console. Here's how:

Uninstall the Web Console

1. Run the installer package.

2. Select Modify.

3. In the drop-down list for Web Console, select This feature will not be available.

4. Click Next.

5. Select Update.

6. Uncheck Launch Good Share Server, then click Finish.

Reinstall the Web Console

1. Run the installer package.

2. Select Modify.

3. In the drop-down list for Web Console, select This feature and all subfeatures will be installed on local hard drive.

4. Click Next.

5. Make sure that Windows Authentication using the current user's credentials is selected and click Next.

6. For HTTPS port, enter 5443.

7. Enter your UID and PWD (no need for domain) and click Next.

8. Click Update.

9. Click Finish.

Appendix C – Configuring KCD for Good Share

Kerberos Constrained Delegation (KCD) authenticates user access to both Files Shares and SharePoint sites without requiring an Active Directory password.

Requirements

To implement KCD for Good Share, your environment must meet the following prerequisites:

• Your Good Dynamics infrastructure must meet the version requirements specified under Good Dynamics Requirements.

• Your Good Share Server will need the following additional inbound ports available (not blocked by any firewall):

◦ 17080 to the Good Proxy server

◦ 17433 to the Good Proxy server

• Kerberos authentication must be enabled in SharePoint.

• IP addresses cannot be used when referring to SharePoint URLs and file shares.

Summary of Process

Enabling KCD authentication for accessing SharePoint sites and file shares through Good Share entails three primary steps:

1. Finding the Application Pool Identity and port number for each SharePoint web application.
2. Creating the Service Principal Names (SPNs) in Active Directory.
3. Adding KCD constraints in Active Directory.

Finding the Application Pool Identity and Port Number

To determine the Application Pool Identity and port number for every web application containing SharePoint sites that will be made available through Good Share:

1. Create a list of all web applications that need to be shared through Good Share.
2. Open IIS Manager on each SharePoint server. Note that a web application that was extended to create alternate access mappings may not use any additional unique port numbers.
3. Find the Application Pool Identity in the Application Pools list view (pictured) or in Central Administration > Security > Configure service accounts.

Caution: For KCD to work properly in most instances, the Application Pool Identity must be the same user for all application pools whose applications will be accessed by Good Share; you cannot have different application pools running under different users. The reason is that an SPN such as HTTP/SPHOST can be registered to only one account, so every application pool answering on that host name must run as the account that holds the SPN.

4. Find the port numbers for each of the listed web applications in the Web Applications view (pictured next). You can also look in the Alternate Access Mappings view.
5. Navigate to Central Administration > Application Management, choose the web application, then click Authentication Providers in the ribbon. Make sure that the authentication type for each web application is set to Windows and that Kerberos (Negotiate) is enabled, as pictured next.

Note: In certain scenarios, switching to Negotiate (Kerberos) may also require enabling Kernel-mode authentication in IIS for the corresponding IIS site. For additional information, see MSDN's SPN Checklist for Kerberos Authentication.

Creating Service Principal Names (SPNs) in Active Directory

To create SPNs in AD for the SharePoint locations and the Good Share user:

1. Create a dedicated user that will run as Good Share. In the example here, the user is <domain>\GoodShareUser.
2. Set the password for GoodShareUser to never expire and do not require a password change at logon.
3. Create a Service Principal Name (SPN) for each web application that will be shared, using commands like the following:

   setspn -S HTTP/SPHOST:PORT domain\AppPoolUser
   setspn -S HTTP/SPHOST.FQDN:PORT domain\AppPoolUser
   setspn -S HTTP/SPHOST domain\AppPoolUser
   setspn -S HTTP/SPHOST.FQDN domain\AppPoolUser

If the port is a default port (80 or 443), omit the first two lines above.

Note: Some lines only need a host name while others need a fully qualified host name. Register both forms, because a client may reach the site by either name.

Note: setspn -S checks for duplicates before adding and refuses to add an SPN that is already registered to another account. If it reports an existing SPN, locate it with setspn -Q HTTP/SPHOST and remove it from the wrong account before retrying; a duplicate SPN breaks Kerberos authentication for that host.

If the application pool identity is a built-in account such as Network Service, specify the host name instead of domain\AppPoolUser, as follows:

   setspn -S HTTP/SPHOST:PORT domain\SPHOST
   setspn -S HTTP/SPHOST.FQDN:PORT domain\SPHOST
   setspn -S HTTP/SPHOST domain\SPHOST
   setspn -S HTTP/SPHOST.FQDN domain\SPHOST

Important: If you are using SSL, the SPN must refer to HTTPS, rather than HTTP.

4. Create an SPN for the Good Share process user as follows:

   setspn -S HTTP/GSSHOST domain\GoodShareUser
   setspn -S HTTP/GSSHOST.FQDN domain\GoodShareUser
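The SPN registration above, together with the service-account settings from step 2 and the delegation constraints named as step 3 in the process summary, can be scripted so that every SPN is checked for a duplicate before it is added. The script below is an added example and is not part of the Good Share guide or the product. All host names, ports and accounts in it (domain corp.example.com / CORP, SharePoint host sp01 on port 8080 and 443, app pool account CORP\spAppPool, Good Share host gss01, file server fs01) are constructed placeholders, and the web-application list is typed in rather than read from IIS; the way step 3 is implemented (msDS-AllowedToDelegateTo plus the "use any authentication protocol" flag) is an assumption about what the guide's step 3 does, not text from the guide. It needs the ActiveDirectory module (RSAT) and an account allowed to write servicePrincipalName and msDS-AllowedToDelegateTo.

```powershell
# Added example (not from the Good Share guide): register SPNs with a duplicate check,
# apply the step-2 account settings, and record the step-3 delegation constraints.
# All names below are placeholders, not values from the guide.
Import-Module ActiveDirectory

$domain   = 'corp.example.com'   # assumed AD DNS name
$netbios  = 'CORP'               # assumed NetBIOS domain name
$gsUser   = 'GoodShareUser'      # Good Share process account, as named in the guide
$gsHost   = 'gss01'              # assumed Good Share server host name
$fileHost = 'fs01'               # assumed file server exposed through Good Share

# Constructed list; in practice fill it from IIS Manager / Central Administration
# as described in "Finding the Application Pool Identity and Port Number".
$webApps = @(
    @{ Host = 'sp01'; Port = 8080; AppPoolUser = 'spAppPool'; Ssl = $false },
    @{ Host = 'sp01'; Port = 443;  AppPoolUser = 'spAppPool'; Ssl = $true  }
)

# setspn -S refuses to add a duplicate; querying first (-Q) makes the conflict visible
# instead of leaving a web application silently without its SPN.
function Add-SpnChecked([string]$Spn, [string]$Account) {
    $existing = setspn -Q $Spn
    if ($existing -match 'Existing SPN found') {
        Write-Warning "$Spn is already registered:`n$($existing -join "`n")"
        return
    }
    setspn -S $Spn $Account | Out-Null
    Write-Host "registered $Spn on $Account"
}

# Build the SPN list the way the guide does: HTTP (HTTPS for SSL, per the guide's
# note), short and fully qualified host names, :PORT variants only for non-default ports.
$spns = @(foreach ($app in $webApps) {
    $svc  = if ($app.Ssl) { 'HTTPS' } else { 'HTTP' }
    $acct = "$netbios\$($app.AppPoolUser)"
    foreach ($h in @($app.Host, "$($app.Host).$domain")) {
        if ($app.Port -notin @(80, 443)) {
            [pscustomobject]@{ Spn = "$svc/${h}:$($app.Port)"; Account = $acct }
        }
        [pscustomobject]@{ Spn = "$svc/$h"; Account = $acct }
    }
})
# Step 4 of the SPN procedure: the Good Share process user's own SPNs.
$spns += [pscustomobject]@{ Spn = "HTTP/$gsHost";         Account = "$netbios\$gsUser" }
$spns += [pscustomobject]@{ Spn = "HTTP/$gsHost.$domain"; Account = "$netbios\$gsUser" }
$spns | ForEach-Object { Add-SpnChecked $_.Spn $_.Account }

# Step 2 of the SPN procedure: password never expires, no change required at logon.
Set-ADUser -Identity $gsUser -PasswordNeverExpires $true -ChangePasswordAtLogon $false

# Step 3 of the summary (assumed implementation): constrain GoodShareUser to delegate only
# to the SharePoint HTTP services and the file server's CIFS service. Allowing any
# authentication protocol (protocol transition) is what lets the user skip an AD password.
$targets = @($spns | Where-Object { $_.Account -ne "$netbios\$gsUser" } | ForEach-Object { $_.Spn }) +
           @("cifs/$fileHost", "cifs/$fileHost.$domain")
Set-ADUser -Identity $gsUser -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }
Set-ADAccountControl -Identity $gsUser -TrustedToAuthForDelegation $true

# Verify what was written.
Get-ADUser -Identity $gsUser -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Select-Object servicePrincipalName, 'msDS-AllowedToDelegateTo'
```

Keep the delegation list as narrow as the guide's requirements allow: every SPN in msDS-AllowedToDelegateTo is a service the Good Share account can impersonate any user to, so only the SharePoint web applications and file servers that Good Share actually fronts belong there.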
