Forefront Identity Manager 2010 R2 SP1 and SharePoint Server 2013 have introduced the ability to use a standalone FIM deployment for User Profile Synchronization with Active Directory, rather than the built-in version of FIM included with SharePoint Server. Currently, the process to support this is in beta. It also only officially supports SharePoint Server 2013, but will unofficially support SharePoint Server 2010.

You will need a few domain accounts: an account to run the FIM Service (s-fim), an account to run the FIM Management Agents (s-fimma), the SharePoint farm administrator account (s-sp2013farm), and finally a synchronization account for Active Directory (s-sp2013sync). For the last account, this guide uses the same account as the one used for the UPA connection. Configure the permissions appropriately for s-sp2013sync.

Provision the UPA and UPSS per the standard instructions. Once both services have been configured, stop the FIM services on the SharePoint server and set them to Disabled. In the UPA, under Configure Synchronization Settings, make sure Enable External Identity Manager is selected.

First, we'll start out with a SQL Server running SQL Server 2012 SP1 with the Database Engine, Integration Services, and Management Studio. All other settings are at their defaults. If you are using a SQL Server that is not running on the same server as the FIM services, make sure to install the SQL Server Native Client on the server running the FIM services.

The FIM server will run SharePoint Foundation 2013, the FIM Synchronization Service, the FIM Service and Portal, and the SharePoint User Profile Connector. Install SharePoint Foundation 2013 and create a Classic Web Application for the FIM Portal. The FIM Portal does not currently work with Claims-based Authentication. Next, install the FIM Synchronization Service. During the installation, specify the FIM Synchronization Service account. Next, install the FIM Service and Portal.
The Portal will leverage our SharePoint Foundation installation and Classic Web Application. The Classic Web Application has been configured with an Alternate Access Mapping of "FIM02" in this example. Enter the SharePoint site collection URL. Enter the hostname of the FIM Service server. We're installing the Portal and Service on the same server, so again we'll use "FIM02" here. Enter the hostname of the Synchronization Service, along with the Management Agent account. Again, enter the FIM Service service account information. You can either let FIM generate a self-signed certificate, or use a certificate signed by a Certificate Authority. For purposes of synchronization, a self-signed certificate will work. Enter the mail server information. Since we're just after synchronization, the remaining options are unchecked (leaving the polling option checked, if not configured properly, will generate Event Log warnings). Enter the database server name and database name. Finish the installation of the FIM Service and Portal.

Next, install the KB2832389 update for the FIM Synchronization Service and for the FIM Service and Portal. This update is required prior to installing the SharePoint User Profile Connector. Until the SharePoint User Profile Connector goes RTW, it can be downloaded from the Forefront Identity Manager 2010 Connect site. Install the SharePoint User Profile Connector on the FIM Synchronization Service server.

The next step is to use the FIM client and FIM Portal to set up our Management Agents, Synchronization Rules, Workflows, and Management Policy Rules. This will cover the basics required, but you will want to adjust the attributes used and users targeted based on business requirements. Lastly, this will only cover User objects, but Contact and Group objects are also available for synchronization.

First, let's add a new attribute that we'll use. Using the Synchronization Service client, under the Metaverse Designer, select the person object type.
Create one attribute:
Attribute name: sAMAccountName
Attribute type: String (non-indexable)

Next, create the Management Agents. Create a new Active Directory Domain Services MA. Go through the Management Agent wizard and enter the appropriate information. For the username to connect to AD DS, specify the same account used for the User Profile Application connection (e.g. s-sp2013sync). Select the Directory Partition as well as any Containers (or all Containers) you want to synchronize objects from. Under Object Types, make sure at least User objects are selected. Under Attributes, select: displayName, givenName, mail, objectSid, sAMAccountName, sn, telephoneNumber. Click Next until you complete the Management Agent.

Create the FIM Service Management Agent. For this agent, under Connect to database, specify the values used to connect to the FIM Service. In this example, the values are:
Server: localhost
Database: FIMService
FIM Service base address: http://localhost:5725

Using Windows Authentication, specify the FIM Service Management Agent account (not the FIM Service account):
User name: s-fimma
Password: <password>
Domain: nauplius

Under Object Types, make sure the Person, and optionally Group, object type is selected. All Attributes should be selected. Configure the Person Object Type Mapping to map from "Person" to "person". This is the only Management Agent where we will configure the Attribute Flow. In this example, the flow is configured with these values: Click Next until you complete the Management Agent.

The last Management Agent we will create is the SharePoint Profile Store Management Agent. Under Connectivity, specify the hostname and port number of the server running Central Administration. Enter the domain credentials of the SharePoint farm administrator account. For the picture flow direction, we are going to select "Export only (NEVER from SharePoint)". This will flow pictures from Active Directory to SharePoint. Select all 3 Object Types.
This Management Agent will throw errors when attempting to synchronize with SharePoint if any of the object types are left deselected. Under Attributes, select at least the following: AccountName, Anchor, domain, FirstName, LastName, Picture, PreferredName, ProfileIdentifier, SID, UserName. You may also add other attributes, such as WorkEmail, WorkPhone, and so forth. This example will use some of these other attributes later in the Synchronization Rules. Complete the SharePoint Management Agent.

If you export pictures from Active Directory to SharePoint, make sure you run the following on the SharePoint server: [code not captured]

Configure Run Profiles for each Management Agent. The Active Directory Management Agent requires Full Import, Full Synchronization, Delta Import, and Delta Synchronization. The FIM [...]
Using an External Identity Manager for SharePoint User Profile Synchronization
SharePoint 2013 June 2013 Cumulative Updates
SharePoint Foundation: http://support.microsoft.com/kb/2817346
SharePoint Server 2013: http://support.microsoft.com/kb/2817414
Project Server 2013: http://support.microsoft.com/kb/2817415
Office Web Apps 2013: http://support.microsoft.com/kb/2817350
Office 2013 June 2013 Cumulative Updates: http://support.microsoft.com/kb/2855356
Nauplius.WAS 1.6 Released!
Today I have published Nauplius.WAS 1.6. The major change is the ability to convert entire Folders, including subfolders, in Document Libraries. This allows you to convert eligible documents within a Folder to a different file format. Another major change was the ability to save to an alternate location, such as another Document Library in the same Web or Subweb, etc. This is available both for each individual document conversion as well as Folder conversion. The Web Application workflow solution is no longer activated by default. The Web targeted solution continues to not be activated by default. Lastly, the PowerShell installation script will now indicate whether or not the Word Automation Services instance as well as Service Application are online or not. All of these changes are present in both the SharePoint 2010 and 2013 solutions. Download from the Nauplius.WAS project page. Also check out my other solutions in my portfolio!
List of SharePoint Security Updates
TechNet has a great resource located on their Microsoft Security Bulletins page to list all of the security updates for all products, including SharePoint Server. To see the list of updates, go here, then under Search by Product or Component, select the appropriate version of SharePoint, then click the Search by Product or Component button. It will list all applicable security updates below. And of course, standard SharePoint updates can be found in the TechNet SharePoint Update Center for SharePoint 2010 and SharePoint 2013.
SharePoint 2013 Basic Search Center Navigation Settings Breaks in June 2013 CU
In the June 2013 Cumulative Update for SharePoint 2013, if you modify the navigation settings of a Basic Search Center (/_layouts/15/AreaNavigationSettings.aspx), clicking the OK button generates the following error: [error text not captured]

To work around this, on the Navigation Settings page, create a node under "Structural Navigation: Editing and Sorting". By placing a node underneath the Global or Current Navigation nodes, the error is bypassed.
Using PowerShell to Manage SharePoint Information Rights Management Settings
Information Rights Management (IRM) allows users to restrict how documents are handled. With SharePoint, IRM settings are applied at the List/Library level. When a document is added to an IRM-enabled Library, the IRM protection is stripped from the document; when that document is downloaded from the Library, the Library's IRM settings are applied to it. This allows SharePoint to crawl the content. You can use PowerShell to manage IRM settings for each Library, and it is straightforward. Properties that use InformationRightsManagementSettings are available in SharePoint 2013 only.

First, bind to the Web and the List: [code not captured]

When making a change to a list property, make sure to call the Update() method, for example: [code not captured]

Here are the various settings you can apply. I'll be translating from the SharePoint UI to the PowerShell property.

Restrict permissions on this library on download: [code not captured]
Create a permission policy title: [code not captured]
Add a permission policy description: [code not captured]
Do not allow users to upload documents that do not support IRM: [code not captured]
Stop restricting access to the library at: [code not captured]
Prevent opening documents in the browser for this Document Library: [code not captured]
Allow viewers to print: [code not captured]
Allow viewers to run script and screen reader to function on downloaded documents: [code not captured]
Allow viewers to write on a copy of the downloaded document: [code not captured]
After download, document access rights will expire after these number of days (1-365): [code not captured]
Users must verify their credentials using this interval (days): [code not captured]
Allow group protection. Default group: [code not captured]

As noted, those properties in InformationRightsManagementSettings are not available in SharePoint 2010. However, you can manipulate the properties directly. Again, get the list object into a variable.

Permission policy title: [code not captured]
Permission policy description: [code not captured]
Allow users to print documents: [code not captured]
Allow users to access content programmatically: [code not captured]
Users must verify their credentials every: [code not captured]
Stop restricting permission to documents in this library on: [code not captured]
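The SharePoint 2013 settings above, as an added example that is not the post's own code: one function applies every IRM setting through SPList and its InformationRightsManagementSettings object, and a second reads the result back so the change can be verified or audited. The web URL, library title, policy text and group name are assumed sample values.

```powershell
# Added example (not the post's code): apply and read back IRM settings on a
# SharePoint 2013 Document Library. Web URL, library, policy text and group
# name below are assumed sample values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-LibraryIrm {
    param(
        [Parameter(Mandatory = $true)][string]$WebUrl,
        [Parameter(Mandatory = $true)][string]$LibraryTitle
    )
    $web = Get-SPWeb $WebUrl
    try {
        $list = $web.Lists[$LibraryTitle]
        if ($null -eq $list) { throw "Library '$LibraryTitle' not found in $WebUrl" }

        # Restrict permissions on this library on download
        $list.IrmEnabled = $true
        # Do not allow users to upload documents that do not support IRM
        $list.IrmReject = $true
        # Stop restricting access to the library at <date>
        $list.IrmExpire = $true

        $irm = $list.InformationRightsManagementSettings
        $irm.DocumentLibraryProtectionExpireDate = (Get-Date).AddYears(1).Date
        # Create a permission policy title / add a permission policy description
        $irm.PolicyTitle       = "Confidential - Finance"
        $irm.PolicyDescription = "Downloaded copies are rights-managed. Do not forward."
        # Prevent opening documents in the browser for this Document Library
        $irm.DisableDocumentBrowserView = $true
        # Allow viewers to print / run script and screen reader / write on a copy
        $irm.AllowPrint   = $false
        $irm.AllowScript  = $false
        $irm.AllowWriters = $false
        # After download, document access rights will expire after these number of days (1-365)
        $irm.EnableDocumentAccessExpire = $true
        $irm.DocumentAccessExpireDays   = 30
        # Users must verify their credentials using this interval (days)
        $irm.EnableLicenseCacheExpire = $true
        $irm.LicenseCacheExpireDays   = 7
        # Allow group protection. Default group:
        $irm.EnableGroupProtection = $true
        $irm.GroupName = "finance-readers@nauplius.local"   # assumed group address

        # Nothing above is persisted until Update() runs
        $list.Update()
    }
    finally {
        $web.Dispose()
    }
}

# Read the effective settings back for verification or for a quick audit.
function Get-LibraryIrm {
    param(
        [Parameter(Mandatory = $true)][string]$WebUrl,
        [Parameter(Mandatory = $true)][string]$LibraryTitle
    )
    $web = Get-SPWeb $WebUrl
    try {
        $list = $web.Lists[$LibraryTitle]
        $irm  = $list.InformationRightsManagementSettings
        $expiry = if ($irm.EnableDocumentAccessExpire) { $irm.DocumentAccessExpireDays } else { 'never' }
        [pscustomobject]@{
            Library        = $list.Title
            IrmEnabled     = $list.IrmEnabled
            RejectNonIrm   = $list.IrmReject
            PolicyTitle    = $irm.PolicyTitle
            AllowPrint     = $irm.AllowPrint
            AccessExpires  = $expiry
            BrowserViewOff = $irm.DisableDocumentBrowserView
        }
    }
    finally { $web.Dispose() }
}

Set-LibraryIrm -WebUrl "http://intranet/sites/finance" -LibraryTitle "Contracts"
Get-LibraryIrm -WebUrl "http://intranet/sites/finance" -LibraryTitle "Contracts"
```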
Using PowerShell to Manage SharePoint Email Settings
Each SharePoint Document Library is capable of accepting Incoming Email. Here is how to manage the settings via PowerShell. In SharePoint 2010, the SharePoint Management Shell must run as the Application Pool account when setting the EmailAlias property. Other properties can be set as a standard Shell Admin user.

First, bind to the Web and the List: [code not captured]

When making a change to a list property, make sure to call the Update() method, for example: [code not captured]

Here are the various settings you can apply. I'll be translating from the SharePoint UI to the PowerShell property.

E-mail address (note this also sets "Allow this document library to receive e-mail?"): [code not captured]
Group attachments in folders?: [code not captured]
Overwrite files with the same name?: [code not captured]
Save original e-mail?: [code not captured]
Save meeting invitations?: [code not captured]
E-mail security policy: [code not captured]

To disable Incoming Email on a Library, simply run: [code not captured]
Creating a SQL Server Availability Group via PowerShell
This is tangentially related to SharePoint, and it took me a while to figure out the correct syntax. I've been building a SQL AG on Server 2012 with the Core installation option. To accomplish this, you will need a workstation with SQL Management Studio installed (which also installs the SQL PowerShell module).

Some background on this setup:
2 servers with Windows Server 2012 and SQL Server 2012 SP1 CU5
3 network adapters per server

Features installed (note that "D:" has the Windows Server ISO loaded) on the servers: [code not captured]

IP all of the adapters appropriately. Next, rename the secondary and tertiary network adapters for clarity: [code not captured]

Note that you may want to disable or modify the Firewall Policy for the "Domain" and "Private" profiles. You can do this via the Set-NetFirewallProfile cmdlet.

On the client workstation with the RSAT tools installed (Failover Cluster), run the following to import the Failover Cluster module, create the cluster with a static IP address, then rename the network adapters to match the adapter names on the servers. Finally, set the Ethernet adapter (the adapter used for standard client-to-server communication) Host Record TTL to 300 seconds. [code not captured]

Next, on each server, install SQL via batch script. Quick hint: make sure to exit the PowerShell prompt prior to running this. The SQL installation media needs .NET 3.5, but because we're running Server 2012 and PowerShell 3.0, we're using .NET 4, which will cause the installation to fail. The following will install SQL Server 2012 with the Database Engine, SQL Agent, Replication, Integration Services, and Client Connectivity with the specified username and password to the E: drive while the CD/ISO is present in the D: drive. Do not forget to edit the /PID value. It will also enable TCP/IP connectivity to the instance.
[code not captured]

Once complete, download SQL Server 2012 SP1; I've chosen to also install CU5. Once downloaded, extract each executable using the following command, making sure to extract each package to a unique path: [code not captured]

Next, for each package, run: [code not captured]

This will install the package, applying the patch to all instances on the server. You may or may not need to reboot in between patches.

Next, move to the workstation. I have a workstation running Windows 8 x64 with SQL Management Studio 2012 SP1. Open Management Studio and go to View -> Registered Servers. Add the two instances under Local Server Groups. Next, run PowerShell as Administrator on the workstation. Run "sqlps" or [code not captured] to import the SQL PowerShell module. Validate the previous server registration by executing [code not captured], and running [code not captured]. Both servers should appear here. The next step is to connect to each server, which can be done by executing [code not captured].

For each SQL Server, the next step is to enable AlwaysOn and create the HADR Endpoint. Both cmdlets have a few options, so review them prior to execution. Note that when enabling AlwaysOn, the Database Engine service must be restarted, which the -Force switch does (or should do; it didn't work in my case). [code not captured]

Next, create the Availability Replicas (in memory), create the Availability Group with the Primary server specified, and finally join the secondary server to the Availability Group. Again, these cmdlets have a lot of options, so it is best to review them so the setup fits your environment. [code not captured]

After this, via Management Studio, you should now be able to review the Availability Group status.
In my case, I had a critical error which was due to my HADR endpoint being in a stopped state, preventing the secondary replica from connecting to the primary. To resolve this, I ran the following T-SQL: [code not captured]

Once this completed, the secondary replica joined automatically. Note that it is normal to have warnings, as there are no synchronized databases at this point.

The final step to create the Availability Group is to create the Listener, which can be done with the following cmdlet: [code not captured]

And now you have two complete SQL Servers, ready to have SharePoint databases added to the Availability Group! Make sure to test failover to validate functionality. Do not forget the following resources with regards to supportability of SharePoint databases on an Availability Group:
Supported high availability and disaster recovery options for SharePoint databases (SharePoint 2013)
Configure SQL Server 2012 AlwaysOn Availability Groups for SharePoint 2013
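The enable / endpoint / replica / group / listener sequence above, written out as an added example that is not the post's own scripts. It uses the SQLPS cmdlets the post refers to, requires encryption on the HADR endpoint, grants the Database Engine service account CONNECT on that endpoint, and checks that the endpoint is Started before the secondary joins (the failure the post ran into). Server names, the DNS suffix, the endpoint port, the service account and the listener IP are assumed values.

```powershell
# Added example (not the post's scripts): build a two-node AlwaysOn AG from the
# workstation with SQLPS. Names, suffix, port, account and IP are assumed.
Import-Module SQLPS -DisableNameChecking

$primary    = "SQL01"
$secondary  = "SQL02"
$domain     = "nauplius.local"          # assumed DNS suffix used in the endpoint URLs
$agName     = "SPAG01"
$epName     = "AlwaysOnEndpoint"
$epPort     = 5022
$svcAccount = "NAUPLIUS\s-sqlsvc"       # assumed Database Engine service account on both servers

function Get-InstancePath([string]$Server) { "SQLSERVER:\SQL\$Server\DEFAULT" }

# $true only if the mirroring (HADR) endpoint exists and is Started. A Stopped
# endpoint is exactly what kept the secondary from joining in the post.
function Test-HadrEndpointStarted([string]$Server) {
    $ep = Get-ChildItem "$(Get-InstancePath $Server)\Endpoints" |
          Where-Object { $_.EndpointType -eq 'DatabaseMirroring' }
    return ($null -ne $ep -and $ep.EndpointState -eq 'Started')
}

foreach ($server in $primary, $secondary) {
    $path = Get-InstancePath $server
    # -Force restarts the Database Engine service; confirm afterwards that it did.
    Enable-SqlAlwaysOn -Path $path -Force

    # Endpoint with encryption Required (not merely Supported), then started.
    $ep = New-SqlHadrEndpoint -Name $epName -Port $epPort `
              -Encryption Required -EncryptionAlgorithm Aes -Path $path
    Set-SqlHadrEndpoint -InputObject $ep -State Started | Out-Null

    # Each replica authenticates to the other's endpoint as the Database Engine
    # service account, which therefore needs a login and CONNECT on the endpoint.
    $grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$svcAccount')
    CREATE LOGIN [$svcAccount] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::[$epName] TO [$svcAccount];
"@
    Invoke-Sqlcmd -ServerInstance $server -Query $grant

    if (-not (Test-HadrEndpointStarted $server)) {
        throw "HADR endpoint on $server is not Started; fix it before creating the AG."
    }
}

# Build both replicas in memory, create the AG on the primary, join the secondary.
$replicas = foreach ($server in $primary, $secondary) {
    New-SqlAvailabilityReplica -Name $server `
        -EndpointUrl "TCP://$($server).$($domain):$($epPort)" `
        -AvailabilityMode SynchronousCommit -FailoverMode Automatic `
        -AsTemplate -Version 11          # 11 = SQL Server 2012
}
New-SqlAvailabilityGroup -Name $agName -Path (Get-InstancePath $primary) `
    -AvailabilityReplica $replicas
Join-SqlAvailabilityGroup -Path (Get-InstancePath $secondary) -Name $agName

# The listener is what SharePoint connects to, never an individual server name.
New-SqlAvailabilityGroupListener -Name "$agName-L" -StaticIp "192.0.2.50/255.255.255.0" `
    -Port 1433 -Path "$(Get-InstancePath $primary)\AvailabilityGroups\$agName"
```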
Adding and Removing SharePoint Templates from a Web
In certain cases you may not want Site Collection Administrators or otherwise delegated users to use a certain type of Web template. This can be achieved quite easily using 3rd party tools, or if Publishing is turned on at the Site Collection level. However, in some cases neither of these options is available. In this case, we can do it with PowerShell. You will need your LCID (Language ID), in this case 1033, or English. [code not captured]

To add a template back into the list, run: [code not captured]

The change will appear when a user attempts to create a new Web under the selected Web.
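The remove-and-restore operation described above, as an added example that is not the post's own code: it filters SPWeb.GetAvailableWebTemplates for the given LCID and writes the remainder back with SetAvailableWebTemplates, and AllowAllWebTemplates undoes the restriction. The web URL and the template names (STS#1, BLOG#0) are assumed sample values.

```powershell
# Added example (not the post's code): restrict and restore the Web templates a
# delegated user may pick when creating a subsite. URL and names are assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Remove-AvailableWebTemplate {
    param(
        [Parameter(Mandatory = $true)][string]$WebUrl,
        [Parameter(Mandatory = $true)][string[]]$TemplateName,   # Name#Id form, e.g. STS#1
        [uint32]$Lcid = 1033                                      # 1033 = English
    )
    $web = Get-SPWeb $WebUrl
    try {
        $keep = New-Object 'System.Collections.ObjectModel.Collection[Microsoft.SharePoint.SPWebTemplate]'
        foreach ($t in $web.GetAvailableWebTemplates($Lcid)) {
            if ($TemplateName -notcontains $t.Name) { $keep.Add($t) }
        }
        # Replaces the available list for this LCID with everything except the named templates
        $web.SetAvailableWebTemplates($keep, $Lcid)
        $web.Update()
        # Return what a user will now see in the subsite picker
        $web.GetAvailableWebTemplates($Lcid) | Select-Object Name, Title
    }
    finally { $web.Dispose() }
}

function Restore-AllWebTemplates {
    param([Parameter(Mandatory = $true)][string]$WebUrl)
    $web = Get-SPWeb $WebUrl
    try {
        $web.AllowAllWebTemplates()   # clears the restriction for every LCID
        $web.Update()
    }
    finally { $web.Dispose() }
}

Remove-AvailableWebTemplate -WebUrl "http://intranet/sites/projects" -TemplateName "STS#1", "BLOG#0"
```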
Update on Incoming Email Job Lock Type Change Between SharePoint 2010 and 2013
An update on the change of the SPJobLockType between 2010 and 2013: the SPJobLockType was changed from None to Job due to a specific issue where documents could be duplicated when more than one server processes Incoming Email using MX load balancing. However, Microsoft plans to release a fix for the document duplication issue and revert the SharePoint 2013 SPJobLockType back to None in the December 2013 Cumulative Update. This should restore the ability to use MX load balancing in SharePoint 2013.
SharePoint 2013 August 2013 Cumulative Updates
SharePoint Foundation: http://support.microsoft.com/kb/2817517
SharePoint Server 2013: http://support.microsoft.com/kb/2817616
Project Server 2013: http://support.microsoft.com/kb/2817615
Office Web Apps 2013: http://support.microsoft.com/kb/2817521
Office 2013 August 2013 Cumulative Updates: http://support.microsoft.com/kb/2873346
Nauplius.SP.UserSync – Update for SharePoint 2013
If you, or your company, love SharePoint Foundation, this project is for you! I have updated the Nauplius.SP.UserSync project with various bug fixes, ULS logging, and best of all, SharePoint Foundation 2013 support! This solution consists of a timer job that updates the User Information List of each Site Collection from Active Directory on a nightly basis. The downloads are available from the Nauplius.SP.UserSync releases page.
Nauplius.ADLDS.Provider 1.5 Release
A new version of the AD LDS provider has been released for SharePoint 2010 and 2013. This release includes numerous bug fixes. Uninstall the previous version and restart. Install the new version and restart a second time. This is to prevent a cached copy of the DLL from being used, as well as making sure all processes pick up the new DLL. Both the SharePoint 2010 and 2013 versions can be downloaded from the SharePoint ADLDS Releases page.
Excel Power Query – Loading SharePoint Document Library Data
With Excel Power Query, you can query SharePoint List data quickly and easily, as well as a variety of other types of data sources. However, when we do this, only SharePoint Lists appear! This is not helpful if, for instance, you have property promotion from an InfoPath form into a Document Library that you want to query. To work around this, we simply need to show the Formula Bar, which can be found in the Query Editor window under Settings. Next, edit the query to show all Contents of the SharePoint site. Once we change =SharePoint.Tables("http://url") to =SharePoint.Contents("http://url"), click the Refresh button and all Document Libraries will appear! The other valid value for the SharePoint query type is =SharePoint.Files("http://url"). With this type, all uploaded files on the SharePoint site will be displayed. There is a 4th query type, SharePoint.Count, which is ignored in the Power Query assemblies.
Maximum Distance for Stretched SharePoint Farms
SharePoint 2010 and, after a revision, SharePoint 2013 support stretched farms. Microsoft defines a 'stretched' farm as one that is not contained within a single data center. There are some serious limitations on the performance of stretched farms, primarily with [network latency] distance and network speed. I would not recommend implementing a stretched farm. It requires careful planning between the SharePoint admin and the network admin (and possibly the telco). It may also require some fairly expensive equipment for proper implementation. Microsoft also does not recommend this, but will support it. Stretched farms require <= 1 ms one-way response time over an average of 10 minutes, and 1Gbps connectivity between the SharePoint servers and SQL Server(s). This is primarily due to certain service applications, e.g. the User Profile Service, not using the proxy to make calls to SQL Servers. Now, if you live in a vacuum and your network equipment introduces absolutely no latency, your maximum stretched farm distance is 186.3 miles, or 299.8 km. From personal experience, I haven't seen even a moderate-distance WAN (MPLS) provide 1ms latency over a period of 10 minutes. If the goal is content replication, look into 3rd party products like Metalogix Replicator or AvePoint Replicator (at least I'm not alone in lacking the ability to come up with marketing-based naming). The Metalogix product replicates the content, but nothing below it, for example Web Application settings, Farm settings, or Farm solutions, so you will need to maintain those manually. As always, test, test, test, and avoid stretched farms.
Office 2010 Update KB2760758 Incorrectly Checks Multi-Line Columns
EDIT: 9/19 – this is a known issue and will be resolved in the Office 2010 client December 2013 updates. If you have a custom content type with a multi-line site column added to it, and the client has Word 2010 SP1 or SP2 with KB2760758 installed, attempting to save the document will yield an error: If you only enter a single line of text in the multi-line document property, the save will succeed. Uninstallation of KB2760758 should also work. To validate which version of MSO.DLL is installed, look at C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL. If the file version is 14.0.7106.5001, the issue is present. Earlier versions, such as the SP2 MSO.DLL, 14.0.7015.1000, do not have this issue.
Microsoft, Save Us From Your Plugins!
Plugins used to be one of the few ways to do anything interesting when integrating with the client. We've come a long way with HTML5, JavaScript, and CSS over the years, but are sometimes still saddled with ActiveX or NSAPI controls. To give you an example, my company uses helpdesk software that has roughly 5 ActiveX controls, and yes, Internet Explorer 6 optimized, just to view tickets! SharePoint is no exception. While SharePoint 2013 sheds some of our ActiveX/NSAPI (Firefox only) controls for things like the Datasheet View, they remain in other areas, such as the Name ActiveX controls or SharePoint 2010's multiple upload control UI and so forth. Google has declared that Chrome will block NPAPI plugins in 2014, while Mozilla will be blocking NPAPI plugins for Firefox in December 2013. Not only is it time for the Internet Explorer PG to take a look at moving forward in this direction (which Modern IE has significantly helped, although there are a few ActiveX control exemptions), but the SharePoint PG as well. Exchange (Outlook Web App) has rid itself of ActiveX controls, no longer providing different levels of support to different browsers (given they're "modern", supporting HTML5), and Office Web Apps also does not require any browser plugins. Hopefully during the SharePoint 2013 cycle, Microsoft can look at eliminating the rest of the SharePoint/Office ActiveX controls in favor of light-weight cross-platform JavaScript solutions.
Announcing Beta 1 of Nauplius.PAS – A SharePoint PowerPoint Automation Services User Interface
Like the counterpart Nauplius.WAS, Nauplius.PAS, for SharePoint Server 2013, is a user interface for the PowerPoint Automation Services. Currently in Beta 1, this farm solution provides a user interface to leverage the PowerPoint Automation Services API. Currently, the interface is limited to selecting one or more documents in a Document Library for conversion. Future builds will add folder conversion and workflow support. Please leave any feedback in the Discussions or any bugs/problems in the Issues tab on CodePlex. Also, review the Documentation for PowerPoint Automation Services as it does require PowerShell to set up, along with possible NTFS folder permission modification on the SharePoint Server(s) running the PowerPoint Automation Services service instance.
Timer Jobs Stuck in Running Queue
If you have one or more timer jobs stuck in the "Running" queue after removing a SharePoint server from the farm, you can either let 7 days pass and they will be removed automatically, or force the removal via PowerShell: [code not captured]

Use [code not captured] to check the status of the job for completion. Once the job has completed, given that the timer jobs from the defunct SharePoint server are older than the DaysToKeepHistory value, the jobs will be cleaned up (along with the history for all previous valid jobs). To reset the value for this job, run: [code not captured]