Announcing the Release of Nauplius.SP.UserSync 1.2
Nauplius.SP.UserSync is a timer job that synchronizes the User Information List with Active Directory. It is targeted at SharePoint Foundation 2010 and 2013, where the User Profile Synchronization Service or AD Import is unavailable. This timer job runs between midnight and 4 AM across all Web Applications and Site Collections to update user properties in the User Information List. This solution is compatible with Classic and Claims-based (Windows Claims) Web Applications. The single change between releases 1.1 and 1.2 is to synchronize all users, regardless of whether they have visited the Site Collection or not (that is, even “inactive” users are synced). You can download the solution and find the documentation at the project site.
Announcing the Release of Nauplius.SharePoint.BlobCache 1.5
Nauplius.SharePoint.BlobCache is a SharePoint 2010 and 2013 solution that helps you manage the BLOB cache and all available settings, both documented and undocumented. New with this release is a revamped UI, moving to the Web Application list menu in Central Administration. In addition, the 2013 version adds support for two new 2013-only BLOB cache attributes, imageRenditionMaxFileSize and imageRenditionMaxSourcePixels. The new UI can be found under Central Administration, Manage Web Applications. Simply highlight the desired Web Application, then click the BLOB Cache button in the Manage group. You can download the solution and find the documentation at the project site.
SharePoint 2013 – Bug with Alert Me on a Discussion Item
If you attempt to set an Alert on a specific Discussion Post, like this: You will end up with a yellow screen of death, like this: [crayon-529245f16fca6929960484/] This bug appears to be ‘long standing’, and still exists as of the October 2013 Cumulative Update for SharePoint Server. During the process of setting up the Alert, the Content Type ID of the Folder is retrieved. We start in the Microsoft.SharePoint.SPViewContext.FolderContentTypeId method, executing: [crayon-529245f16fcc3501228304/] From there, entering GetValueFromUrlOrViewState, we enter: [crayon-529245f16fccd942837811/] Within this method, here are the key variable values: [crayon-529245f16fcd8389896544/] From there, we come back to the Microsoft.SharePoint.SPViewContext.FolderContentTypeId method and, further on down, execute: [crayon-529245f16fce2638082976/] where valueFromUrlOrViewState equals the variable “str”. So SharePoint wants to generate a new SPContentTypeId object from a hex string and a URL. This is where things “go wrong”. [crayon-529245f16fcea112715408/] We’re calling SPUtility.Hex where chArray has invalid characters (values outside of 0 – 9 and A – F) in it. The first one that gets hit is the “,” (comma) character. SPUtility.Hex has no return statement for such a character, so it throws a System.ArgumentException. This particular bug will require Microsoft to resolve it. I’ve opened a PSS case on it.
New SharePoint 2013 Cmdlet: Update-SPHelp
Update-SPHelp is a new PowerShell cmdlet that shipped with the October 2013 Cumulative Update for SharePoint 2013. It has only a couple of options, namely the -Force parameter, which allows you to check for updates more than once per 24 hours, but the cmdlet is similar to Update-Help, that is, it updates the cmdlet help information.
Targeting the Search Crawler to a Specific Server
In many medium to large SharePoint deployments, search is a critical piece of the farm architecture. An underperforming search instance can lead to severe discoverability issues as well as potentially missing critical business information. SharePoint Administrators can improve search crawl performance by dedicating a SharePoint server as a crawl target for one or more Web Applications. By creating this target, the SharePoint Administrator can greatly reduce the load on the SharePoint servers that users interact with and potentially reduce crawl times. Much of the advice on how to target a crawler is around editing a server’s hosts file to point the DNS entry of a Web Application at a specific server. A hosts file entry was not how Microsoft intended a crawl target to be set up! Microsoft created a new property with SharePoint 2010 named SiteDataServers. It allows an Administrator to target crawls at one or more SharePoint servers on a per-Web Application and per-Web Application Zone basis. In the SharePoint 2007 days, it was possible to target a specific server for crawling via Central Administration; in SharePoint 2010 and 2013, PowerShell must be used. In this example farm, there are three SharePoint servers: SPWFE, SPSRC, and SPCRW. SPWFE and SPCRW both run the Microsoft SharePoint Foundation Web service, but only SPWFE has DNS records pointed at it, and it is the only server directly used by users. In the farm there is a Web Application at http://teamsites.example.com with a Default Zone. To target the crawler on SPSRC at SPCRW for http://teamsites.example.com, run the following PowerShell commands in the SharePoint Management Shell: [crayon-529d4bb51dc79157633918/] Since a dedicated crawl target has been specified, it is likely that HTTP throttling can be disabled on it.
This can be done on the crawl target via PowerShell: [crayon-529d4bb51dc93777071473/] To remove a crawl target, simply run: [crayon-529d4bb51dc9d055247198/] From now on, there should be no reason to edit a hosts file on a SharePoint search server in order to crawl a specific crawl target! This process can be done on a per-Web Application Zone basis. An Administrator can also specify multiple crawl targets, even per Zone!
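The SiteDataServers configuration described above, as an added example that is not the post's own script. It wraps the set and remove steps in two functions so several targets can be assigned to one zone, and uses the post's lab values (http://teamsites.example.com, SPCRW) as constructed input.

```powershell
# Run in the SharePoint Management Shell. SiteDataServers maps a Web Application zone to the list
# of servers the crawler's site data requests are sent to, so user-facing servers stay out of the crawl.
function Set-SPCrawlTarget {
    param(
        [Parameter(Mandatory=$true)] [string]   $WebApplicationUrl,
        [Parameter(Mandatory=$true)] [string[]] $CrawlTargetUrl,
        [Microsoft.SharePoint.Administration.SPUrlZone] $Zone = "Default"
    )
    $wa = Get-SPWebApplication $WebApplicationUrl

    # One list of URIs per zone; multiple crawl targets are simply more entries in the list.
    $targets = New-Object 'System.Collections.Generic.List[System.Uri]'
    foreach ($url in $CrawlTargetUrl) { $targets.Add([System.Uri]$url) }

    # Replace any existing list for the zone rather than appending duplicates to it.
    if ($wa.SiteDataServers.ContainsKey($Zone)) { [void]$wa.SiteDataServers.Remove($Zone) }
    $wa.SiteDataServers.Add($Zone, $targets)
    $wa.Update()

    # Echo what was persisted so the change can be verified.
    $wa.SiteDataServers[$Zone] | ForEach-Object { $_.AbsoluteUri }
}

function Remove-SPCrawlTarget {
    param(
        [Parameter(Mandatory=$true)] [string] $WebApplicationUrl,
        [Microsoft.SharePoint.Administration.SPUrlZone] $Zone = "Default"
    )
    $wa = Get-SPWebApplication $WebApplicationUrl
    if ($wa.SiteDataServers.ContainsKey($Zone)) {
        [void]$wa.SiteDataServers.Remove($Zone)
        $wa.Update()
    }
}

# Lab values from the post: SPCRW runs the Foundation Web service but has no DNS records,
# so only the crawler ever talks to it.
Set-SPCrawlTarget -WebApplicationUrl "http://teamsites.example.com" -CrawlTargetUrl "http://spcrw"

# A second target for the same zone would be:
# Set-SPCrawlTarget -WebApplicationUrl "http://teamsites.example.com" -CrawlTargetUrl "http://spcrw","http://spcrw2"
```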
Visio Services Missing Images
In SharePoint 2013, Visio Services may throw errors in the Application Event Log. This event appears to happen when you open the Web Part Options for the Visio Web Access web part: [crayon-52a15fbdbf07c954635236/] This appears after loading a Visio web document in the web part: [crayon-52a15fbdbf08d801414636/] Within the Visio Services DLL we can see the use of these two embedded images: [crayon-52a15fbdbf098461251711/] And then again, the other embedded resource contained within VwaMessageBoxImage: [crayon-52a15fbdbf0a1429061279/] Here we can see all of the available resources in Microsoft.Office.Visio.Server.dll, where the two PNGs referenced in code are missing: This issue appears to have existed since SharePoint 2013 RTM.
The Magic of Get-SPProduct -Local
Many of us have run into that situation where you’ve installed an update, started the Config Wizard, and you get a message that such-and-such server doesn’t have these updates. But they’re installed, because you just installed them, and SharePoint patches often won’t let you reapply them as they “do not apply” to your system. So what do you do? Run [crayon-52a15fbdbc1ba409422726-i/] on the server “missing” the updates! And then you’re able to run the Config Wizard. But why would a cmdlet with a Get verb fix something? Let’s take a look… First, [crayon-52a15fbdbc1d2081561216-i/] enumerates the installed products on a SharePoint server. It does this by examining the registry key [crayon-52a15fbdbc1db968254889-i/]. It looks at the DisplayName key for each product (each product being represented by a key in the form of a GUID), and from there looks at the RequiredOnAllServers key, marking the product as required if the key value is “1”. Next, it takes the DisplayName value or registry key values from [crayon-52a15fbdbc1e4437647758-i/] and passes them through the Windows Installer service, calling MsiOpenProduct and MsiGetProperty to get the ProductName, ProductVersion, and RequiredOnAllServers properties. Next, SharePoint continues looking at the MSI data, attempting to detect MSI patches using MsiGetPatchInfoEx. From here, if it finds patches, it uses MsiOpenDatabase to open the MSI database (this is why the Product Versions timer job fails if the Farm Administrator does not have Local Administrator rights) and runs a couple of queries. It also makes version comparisons between patches at this point. Finally, it places all detected products into a collection for use later. The next step is to detect the upgrade status of the server, returning the status UpgradeRequired, UpgradeAvailable, UpgradeInProgress, InstallRequired, UpgradeBlocked, or NoActionRequired. Now we get into the part where the Get verb no longer makes sense.
A T-SQL query is built using the proc_RegisterProductVersion stored procedure into one large SQL statement containing all detected products (named “BuiltProductsString” for reference below). For each product, this string contains the product name, GUID, Display Name, and, if applicable, the patch GUID, KB article link, and the patch friendly display name. Once the string has been built, the process executes a stored procedure within the SharePoint Configuration database: [crayon-52a15fbdbc1f1490619512/] When the stored procedure completes, the result of the installed products is written out to the SharePoint Management Shell. Another thing to note is that the process is the same for [crayon-52a15fbdbc1f9699026508-i/], the Product Version timer job, joining a farm via Config Wizard or psconfig, and upgrading a SharePoint server via Config Wizard or psconfig.
No Activity in User Profile Synchronization During User Sync
I had one client where during User Profile Synchronization, profiles were not being pulled in. After they checked the miisclient (located in C:\Program Files\Microsoft Office Server\15.0\Synchronization Service\UIShell), they saw no activity on the Operations tab. It did not appear as if the Management Agent was executing. The client sent me a copy of the ULS log from the run, and I found this particular error: [crayon-52a2bf23732f7775599231/] Looking at the method [crayon-52a2bf2373311854447478-i/], we can see that it is attempting to query a WMI namespace: [crayon-52a2bf237331a351761650/] Based on this information, on the server running the User Profile Synchronization Service, I had the client go to Computer Management -> Services, left click on WMI Control, then right click on WMI Control and select Properties, then go to the Advanced tab. Under Root, unlike my example here, the client’s server was missing the MicrosoftIdentityIntegrationServer namespace: Looking again at the code, this WMI namespace is provisioned during the User Profile Synchronization Service provisioning. After having the client reprovision the UPSS (by simply stopping it and then starting it again), the User Profile Synchronization ran successfully and the miisclient showed activity under the Operations tab.
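A scripted version of the check described above, added here as an example and not part of the original post: it tests for the WMI namespace the User Profile Synchronization Service provisions and lists the management agents if the namespace exists. Run it on the server hosting the User Profile Synchronization Service; the MIIS_ManagementAgent class and its Name, Type and Guid properties come from the FIM/MIIS WMI provider and are assumed here, not taken from the post.

```powershell
# Returns $true when root\MicrosoftIdentityIntegrationServer exists and exposes at least one
# management agent, otherwise $false with a warning pointing at the reprovisioning fix.
function Test-MiisWmiNamespace {
    # The child namespaces of root are listed by the __NAMESPACE system class.
    $ns = Get-WmiObject -Namespace "root" -Class "__NAMESPACE" -ErrorAction Stop |
          Where-Object { $_.Name -eq "MicrosoftIdentityIntegrationServer" }
    if (-not $ns) {
        Write-Warning "root\MicrosoftIdentityIntegrationServer is missing: stop and start the User Profile Synchronization Service to reprovision it."
        return $false
    }

    # Assumed class of the MIIS/FIM provider: one instance per management agent.
    $agents = Get-WmiObject -Namespace "root\MicrosoftIdentityIntegrationServer" `
                            -Class "MIIS_ManagementAgent" -ErrorAction SilentlyContinue
    if (-not $agents) {
        Write-Warning "The namespace exists but no management agents are registered; check the UPSS provisioning status in the ULS log."
        return $false
    }

    $agents | Select-Object Name, Type, Guid | Format-Table -AutoSize | Out-Host
    return $true
}

Test-MiisWmiNamespace
```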
SharePoint 2013 December 2013 Cumulative Updates
SharePoint Foundation: http://support.microsoft.com/kb/2849961/en-us
SharePoint Server 2013:
Project Server 2013:
Office Web Apps 2013: http://support.microsoft.com/kb/2850013/en-us
Office 2013 December 2013 Cumulative Updates: http://support.microsoft.com/kb/2912738/en-us
New Release: Crawl Target Solution for SharePoint
Based on my previous post regarding targeting a crawler at a specific server running the Foundation Web service, I have built a Central Administration UI to allow SharePoint Administrators to do this with ease. Currently, this solution is SharePoint 2013-only, but I will be back-porting it to SharePoint 2010 in the near future. You can find the download and more about the project at the CodePlex site, SharePoint Crawl Target.
New Release: Nauplius.SharePoint.FoundationSync 2.0
A new release of the Nauplius.SharePoint.FoundationSync solution is now available! This new release brings synchronization of Active Directory group information to the User Information List, as well as configurable logging for more verbose information if required. This solution supports SharePoint 2010 and 2013. For more information, check out the CodePlex project page, SharePoint Foundation Sync.
Top 10 Posts of 2013
A lot has happened this past year, and I wanted to highlight the top 10 posts on this blog by traffic in 2013, as well as a few of my favorite posts.
Installing SharePoint 2010 and SQL Server 2012 on Windows Server 2012 Release Preview
This was an interesting one, as it was not supported at the time, but there appeared to be a high demand for how to do this. Even today, I see a high demand for wanting to install SharePoint 2013 on Windows Server 2012 R2, another unsupported installation scenario (until SharePoint 2013 with SP1 media is released).
Using Application Request Routing as a Reverse Proxy for SharePoint
Quite a fun blog post on how to use the IIS Application Request Routing module as a reverse proxy. With the demise of both TMG and UAG (functionality is partially replaced by the Web Proxy Role in Server 2012 R2), this provides a decent, free alternative non-authenticating reverse proxy server.
A Practical Guide to Implementing Incoming Email using the SharePoint Directory Management Service
How to properly configure Incoming Email using Exchange. There are a lot of guides out there on how to do this, but very few end-to-end guides, from schema upgrades to integration.
SharePoint 2013 April 2013 Cumulative Update Fails
What a pain this bug is/was. There was a lot of manual work if you had MySites present when attempting to upgrade to this particular Cumulative Update.
Supported file formats in the SharePoint 2013 Media Web Part
Sometimes references can only be documented from code. This is one of those times.
SharePoint 2013 for Education
An unfortunately unsupported, beta feature! While it should later be stripped from SharePoint 2013 completely, many people in the community wished this feature had been completed by Microsoft to have a Microsoft-supported LMS again. It would have made a great Blackboard competitor.
SharePoint 2010 and Active Directory Lightweight Directory Services – Better Together
Always one of my favorite subjects: authentication, authorization, and Directory Services, like AD LDS!
SharePoint Error “An error has occurred in the claim providers configured for this site collection” – Easy fix!
At least the fix is easy…
Browser File Handling and avoiding Permissive mode
Friends don’t let friends use Permissive mode, and neither should you. Always make exceptions, rather than just turning off security.
Enabling RBS on multiple content databases
An older post, but also quite popular. Originally, Microsoft’s TechNet documentation did not cover enabling RBS on more than a single content database (as the Microsoft RBS solution is targeted at small SharePoint Foundation farms).
Now, onto my favorites of the year, which include a few of those above!
Using an External Identity Manager for SharePoint User Profile Synchronization
I have to admit, I had an absolute blast with the whole process of figuring this out from the fairly light documentation provided by Microsoft. In working on this, comparing both the built-in FIM as well as working directly with the Product Group creating the SharePoint Connector for Forefront Identity Manager, large institutions, or institutions with special requirements, can easily import users into the UPA from a variety of directory services while not being limited to those offered via the built-in FIM.
Quickly Identifying Reporting Services Subscriptions in SharePoint
This is what happens when you ask interesting questions on the MSDN/TechNet SharePoint forums. Sometimes you get a bit of research out of it. The goal of the particular poster was removing all SSRS Subscriptions across the entire farm.
The Magic of Get-SPProduct -Local
A cmdlet most SharePoint Administrators will use at some point; it resolves the question of why Get-SPProduct does more than “get”.
Selective Authentication can Kill the People Picker in a Two-Way Trust
This was an absolute blast of a problem! Another post from an MSDN/TechNet thread, this involved network traces, working with someone 1/4 of the way around the world to figure out why a Two-Way Trust did not function correctly. Turns out, Selective Trusts have additional requirements for the People Picker to properly function.
What Makes a Great SharePoint Administrator?
What really makes a great SharePoint Admin? I have my definition; what is yours?
Using Application Request Routing as a Reverse Proxy for SharePoint
See above for one of the more popular posts of the year; think of ARR as a potential candidate for your reverse proxy solution.
The Fill Factor Mystery
Fill factors in SharePoint 2013 changed quite a bit from 2010; see this post for more information.
SharePoint TreeView
When the built-in SPTreeView doesn’t fit your needs, sometimes you have to create your own.
A Practical Guide to Implementing Incoming Email using the SharePoint Directory Management Service
Another one of the more popular posts this year. Creating end-to-end guides is always fun to do for those just getting started with the platform who need a little help to get to their destination.
SharePoint Cannot Send Mail to Itself
While the USPS might wonder why you’d want to pay to mail yourself, SharePoint just won’t let you.
I hope everyone has had a great year, and it has been a blast to be part of the community for another year! Here’s looking to 2014 and doing more of the same, and perhaps something a little different from time to time! Lastly, don’t forget my domain has changed from http://sharepoint.nauplius.net to http://thesharepointfarm. Redirection is in place, so all previous links will still properly route to where you want to get, so hopefully it isn’t too much of an inconvenience. Happy New Year, everyone!
SharePoint Private Properties in PowerShell
Welcome to the New Year! Hope everyone is having a great start! Now back to SharePoint… Yet another question that originated from the MSDN/TechNet forums (these are always fun). So there was a question about getting the databases that belonged to a specific User Profile Service Application. All of the UPA databases for the User Profile Service Application object are marked as internal properties, in other words, not easily accessible. So how can we get the databases that belong to a particular UPA? First, we need to know the properties that we’re after, and for that I always use the handy .NET Reflector. The properties for the UPA databases are ProfileDatabase, SocialDatabase, and SynchronizationDatabase. Next, get the named User Profile Service Application in PowerShell: [crayon-52ce4c97a652f626660114/] Get the non-public properties of the UPA object: [crayon-52ce4c97a6546428621353/] And then the non-public property that we’re after: [crayon-52ce4c97a6550605552456/] This will output the Social database Name, ID, and Type! Here is the complete script: [crayon-52ce4c97a6558682448348/] I hope that helps!
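The reflection technique described above, as an added example rather than the post's own script: a reusable helper that reads any non-public instance property, applied to the three internal UPA database properties the post names. It assumes a single User Profile Service Application in the farm and that the databases expose Name, Id and Type as the post says.

```powershell
# Reads a non-public (internal, protected or private) instance property by name via reflection.
function Get-SPPrivateProperty {
    param(
        [Parameter(Mandatory=$true)] [object] $Object,
        [Parameter(Mandatory=$true)] [string] $Name
    )
    # NonPublic selects members that are not public; Instance excludes statics.
    $flags = [System.Reflection.BindingFlags] "NonPublic, Instance"
    $prop  = $Object.GetType().GetProperty($Name, $flags)
    if ($prop -eq $null) {
        throw "Non-public instance property '$Name' not found on $($Object.GetType().FullName)"
    }
    return $prop.GetValue($Object, $null)
}

# Locate the UPA by its type name rather than its display name, which is farm-specific.
$upa = Get-SPServiceApplication |
       Where-Object { $_.TypeName -eq "User Profile Service Application" } |
       Select-Object -First 1
if ($upa -eq $null) { throw "No User Profile Service Application found in this farm" }

# One row per internal database property named in the post.
foreach ($name in "ProfileDatabase", "SocialDatabase", "SynchronizationDatabase") {
    $db = Get-SPPrivateProperty -Object $upa -Name $name
    New-Object PSObject -Property @{
        Property = $name
        Database = $db.Name
        Id       = $db.Id
        Type     = $db.Type
    }
}
```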
PowerShell for People Picker Properties
As many SharePoint Administrators are aware, especially those dealing with One-Way Trusts or Selective Trusts, the peoplepicker-* properties are very familiar to us. Since at least WSSv3, if not earlier, the peoplepicker-* properties have only been available via stsadm with no direct PowerShell replacement (it could be done, but it isn’t as pretty as ‘native’ PowerShell). For SharePoint 2010 and 2013, however, easier PowerShell-accessible properties were put into place. This allows the SharePoint Administrator to quickly configure these in a much more ‘modern’ way. Let’s say I need to configure the People Picker on a Web Application to filter out Groups. The classic way I would do this is: [crayon-52d8ac13db843607685684/] This property can be retrieved with [crayon-52d8ac13db86b122091007-i/]. While you can still set the People Picker properties this way, the nice PowerShell way of doing it moving forward, taking the previous example, is: [crayon-52d8ac13db875889687840/] To remove it, we simply nullify it: [crayon-52d8ac13db87e352269028/] This works with all of the properties displayed by [crayon-52d8ac13db886154064770-i/] except for SearchActiveDirectoryDomains (previously peoplepicker-searchadforests). For this particular property, we have to take some extra steps. First, use PowerShell to set the application credential key: [crayon-52d8ac13db88f650206597/] This will set the key used to encrypt the password we set for the user in the SearchActiveDirectoryDomains connection. Next, set up the connection: [crayon-52d8ac13db897512669630/] If you need to search multiple domains (or forests), just create more SPPeoplePickerSearchActiveDirectoryDomain objects and add them to [crayon-52d8ac13db8a1262510747-i/].
To revert the changes, you can either clear all entries via [crayon-52d8ac13db8a9760356827-i/], remove a specific entry by using its zero-based index, like so: [crayon-52d8ac13db8b1426506979-i/], or alternatively retrieve a specific entry and then remove it, like so: [crayon-52d8ac13db8b9076801788/] Unfortunately, TechNet, even for SharePoint 2013, still leads us down the path of using stsadm to set these People Picker properties. But hopefully this gives you insight into how to do it in a more ‘modern’ way, to help you further retire the use of stsadm.
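The SearchActiveDirectoryDomains setup described above as an added, end-to-end example (not the post's own script), including the group filter from the post's earlier example. It assumes Set-SPApplicationCredentialKey is the cmdlet that sets the credential key (it must be run on every server in the farm with the same key), and the domain, account and LDAP filter values are constructed for the example.

```powershell
# Run in the SharePoint Management Shell on each farm server for step 1, then once for steps 2 and 3.
$webAppUrl     = "https://teamsites.example.com"   # constructed
$trustedDomain = "partner.example"                 # constructed: the domain the users live in
$queryAccount  = "PARTNER\svc-sp-picker"           # constructed: least-privilege account used only for LDAP queries

# 1. Credential key that encrypts the stored query-account password (assumed cmdlet name).
$key = Read-Host -AsSecureString -Prompt "Application credential key"
Set-SPApplicationCredentialKey -Password $key

# 2. Describe the trusted domain and the credentials SharePoint binds with when searching it.
$wa = Get-SPWebApplication $webAppUrl
$pp = $wa.PeoplePickerSettings

$domain = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$domain.DomainName = $trustedDomain
$domain.IsForest   = $false       # $true searches the whole forest through the global catalog
$domain.LoginName  = $queryAccount
$domain.SetPassword((Read-Host -AsSecureString -Prompt "Password for $queryAccount"))

# Replace an existing entry for the same domain instead of adding a duplicate.
$existing = @($pp.SearchActiveDirectoryDomains | Where-Object { $_.DomainName -eq $trustedDomain })
foreach ($e in $existing) { [void]$pp.SearchActiveDirectoryDomains.Remove($e) }
$pp.SearchActiveDirectoryDomains.Add($domain)

# 3. Optional: keep groups out of the results with an LDAP filter, the PowerShell side of the
#    classic peoplepicker-searchadcustomfilter property (filter text is an assumption).
$pp.ActiveDirectoryCustomFilter = "(objectCategory=person)"

$wa.Update()

# Show what is now configured; the password is never readable back.
$pp.SearchActiveDirectoryDomains | Select-Object DomainName, IsForest, LoginName
```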
People Picker Troubleshooting Tips
This is a fairly common issue I see on forums, so I thought I’d have a pre-emptive post that is easy to reference. There are a handful of People Picker issues, where a particular user, group, or all objects cannot be resolved. Here are some common scenarios with easy resolutions.
General
When using Windows authentication, only objects with Security Identifiers (SIDs) can be searched with the standard permissions-based People Picker (Audience Targeting is a different story). This means the object must be a User account or an Active Directory Security Group. Active Directory Distribution Lists will never be visible. If you need to be able to email the group, make sure that you use an Active Directory Mail-Enabled Security Group. It has the same functionality as a Distribution List, but it also has a SID. Validate that you have the correct ports opened from your SharePoint server(s) to all resolvable Domain Controllers. You can also leverage automated tools to help you validate this. You must be using a Domain Account or Machine Account (Network Service, Local Service, or LocalSystem (bad admin)) for your Web Application Application Pool in order to query Active Directory by default. Using Local Accounts for your Web Application Application Pool will not work. And to state the obvious, the SharePoint server(s) must be domain-joined.
Domain Trusts
When dealing with Domain Trusts, it is common that there is a One-Way Trust configured (where the domain SharePoint is in trusts the domain where the user resides). In this case, you need to configure the SearchActiveDirectoryDomains property of the Web Application. With a One-Way Trust the opposite way, that is, where the domain SharePoint resides in is trusted by the domain the user resides in, nothing will work. Look for alternatives, such as a Two-Way Trust or Active Directory Federation Services.
When a Two-Way Selective Trust is in place, you must provide the Application Pool Account with access to the Domain Controllers of the trusted domain in Active Directory. See the previously linked article. Validate NetBIOS name lookups for the remote domain. Yes, SharePoint still uses NetBIOS. There are workarounds, however.
Missing All or Some Users and/or Groups
Verify that there are no filters on the People Picker queries for the Web Application. This can be validated with PowerShell.
Troubleshooting
A quick and easy way to narrow the problem down: if you do not see the troublesome behavior on another Web Application, it is going to be the People Picker Settings or the Application Pool account. If you see the issue farm-wide (that is, in Central Administration and all Web Applications), it is likely a firewall or name resolution issue. In addition, often there will be ULS entries about why a call to a particular domain failed. These can be invaluable for resolving People Picker-related issues. Typically it is going to be the stack trace that reveals what is going on, so hopefully you’re developer enough to work through it. The last invaluable tool to help is a network trace, using either Network Monitor or Wireshark. This is a topic for another blog post, but both of these tools can tell you what is happening under the covers with responses to and from the Domain Controllers. Feel free to ask here or on the MSDN/TechNet SharePoint forums if you do run into anything you’re unable to resolve!
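A read-only audit that covers the checks above (filters on the People Picker queries, a Local Account on the Application Pool, and whether Central Administration is configured differently from the other Web Applications), added here as an example and not taken from the post. It assumes the SharePoint Management Shell and a farm where the local account test (server name or ".\" prefix on the identity) matches how identities are written in your farm.

```powershell
# One row per Web Application, Central Administration included, so differences between
# a failing Web Application and a working one (or CA) stand out side by side.
function Get-SPPeoplePickerAudit {
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        $pp       = $wa.PeoplePickerSettings
        $identity = $wa.ApplicationPool.Username

        # Domain accounts carry a domain prefix and machine accounts an "NT AUTHORITY" prefix;
        # a local account is prefixed with this server's name or ".\".
        $isLocal = ($identity -like "$env:COMPUTERNAME\*") -or ($identity -like ".\*")

        New-Object PSObject -Property @{
            WebApplication     = $wa.Url
            AppPoolIdentity    = $identity
            LocalAccount       = $isLocal
            CustomFilter       = $pp.ActiveDirectoryCustomFilter
            CustomQuery        = $pp.ActiveDirectoryCustomQuery
            SiteCollectionOnly = $pp.OnlySearchWithinSiteCollection
            SearchDomains      = (@($pp.SearchActiveDirectoryDomains | ForEach-Object { $_.DomainName }) -join ";")
            SearchTimeout      = $pp.ActiveDirectorySearchTimeout
        }
    }
}

$audit = Get-SPPeoplePickerAudit
$audit | Format-Table WebApplication, AppPoolIdentity, LocalAccount, CustomFilter, SearchDomains -AutoSize

# Anything flagged here is the first thing to compare against a Web Application where resolution works.
$audit | Where-Object { $_.LocalAccount -or $_.CustomFilter -or $_.CustomQuery -or $_.SiteCollectionOnly }
```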
Troubleshooting User Property Issues
Let’s ignore SharePoint Foundation for a bit, because it doesn’t automatically sync with Active Directory anyway (besides the initial add). Typically, with Standard and Enterprise, SharePoint leverages the User Profile Synchronization Service (or AD Import in 2013) to pull user information from Active Directory into the User Profile Service Application. This is what stores the Display Name, First Name, Last Name, Telephone Number, and so on. This post assumes that the User Profile Import is functioning and that, under User Profile Service Application -> Manage User Profiles, the data is up-to-date for the particular profile. If that isn’t working, that is another issue altogether! The situation is that you have a user, or a collection of users, where you’ve changed a property such as the Display Name in Active Directory and it shows as valid in the UPA, but on one or more Site Collections in one or more Web Applications the Display Name hasn’t updated more than 1 hour after it was updated in the UPA. The fix is often very simple, so let’s get to that part. First, if you want to validate that “things aren’t working right”, simply run: [crayon-52d8ac13d895e842343339/] What this does is get the last time each Content Database was synchronized by the appropriate timer job (descriptions below). This information is stored in each Content Database under dbo.DatabaseInformation. You can also view this with PowerShell by running [crayon-52d8ac13d898d909133061-i/]. If this date is older than one day, the timer job is likely not functioning correctly for the particular Content Database, and thus for all Site Collections within that database. To resolve it, run: [crayon-52d8ac13d8997697086371/] Now, a parameter that says “DeleteOldDatabases” sounds really bad. And usually it would be.
Except in this case, all it is doing is clearing the applicable information out of the DatabaseInformation table where the date stored in the value _System_LastProfileSyncTime is older than today. This is done via a stored procedure in each Content Database named proc_SetDatabaseInformation. Once this process has been completed, the next step to deploy changes from the UPA to the Site Collections is to either wait, or manually run the timer job User Profile Service Application – User Profile to SharePoint Full Synchronization (internal name is ProfSync). This job will ‘push’ out the User Profile Properties from the UPA to each Site Collection, making sure all Site Collections are up-to-date. This job will also make sure Memberships are up-to-date. Specifically, User Adds and Updates, as well as Group Adds, Deletes, Group Membership Adds, Deletes, and Updates. Finally, it also includes items that have been Restored. By default, this job runs every hour on the hour. There is another job, similar to the above job, named User Profile Service Application – User Profile to SharePoint Quick Synchronization (internal name is SweepSync). Unlike the User Profile to SharePoint Full Synchronization timer job, this job only synchronizes User Adds and Updates. By default, this job runs every five minutes. Note that the name of the job may be different as it pulls in the name of the User Profile Service Application. Queries for profile changes are done via a standard SPChangeQuery. In addition to the above processed changes, if any users are found to have a new sAMAccountName in the User Profile Service Application, but the old sAMAccountName is reflected on the Site Collection, SharePoint will execute the standard Migration process for that user (the same code that Move-SPUser executes). The comparison is done between the User Profile AccountName property and the LoginName property on the Site Collection. 
Hopefully this gives you a better understanding of what the legacy stsadm -o sync commands do and how to resolve this somewhat common issue of the UPA Profiles being unable to synchronize with the Site Collection User Information List. And to round things off, here is my new favorite Obsolete decoration: [crayon-52d8ac13d89a5588899344/]
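An added example, not the post's own script, that reads the _System_LastProfileSyncTime value the post describes straight from dbo.DatabaseInformation in each content database, flags databases not synchronized within a day, and then starts the ProfSync timer job so the UPA changes are pushed immediately. It assumes the shell runs as an account with read access to the content databases (for example the farm account), that the value is stored as text, and that the UPA carries the default name.

```powershell
# Run in the SharePoint Management Shell.
Add-Type -AssemblyName System.Data

# Reports the last ProfSync/SweepSync run per content database, reading the same row that the
# post's stsadm -o sync listing reports on.
function Get-SPProfileSyncStatus {
    param([int] $StaleAfterDays = 1)
    foreach ($db in Get-SPContentDatabase) {
        $conn = New-Object System.Data.SqlClient.SqlConnection $db.DatabaseConnectionString
        $cmd  = $conn.CreateCommand()
        # Read-only: no SharePoint table is written to here.
        $cmd.CommandText = "SELECT Value FROM dbo.DatabaseInformation WHERE Name = '_System_LastProfileSyncTime'"
        try {
            $conn.Open()
            $raw = $cmd.ExecuteScalar()
        } finally {
            $conn.Close()
        }

        # Missing row or unparseable text both count as "never synchronized".
        $lastSync = $null
        if ($raw -ne $null -and $raw -isnot [DBNull]) {
            try { $lastSync = [datetime]$raw } catch { $lastSync = $null }
        }

        New-Object PSObject -Property @{
            Database        = $db.Name
            LastProfileSync = $lastSync
            Stale           = ($lastSync -eq $null -or $lastSync -lt (Get-Date).AddDays(-$StaleAfterDays))
        }
    }
}

# Starts "<UPA name> - User Profile to SharePoint Full Synchronization" (internal name ProfSync).
function Start-SPProfileFullSync {
    param([string] $UpaName = "User Profile Service Application")
    $job = Get-SPTimerJob |
           Where-Object { $_.DisplayName -like "$UpaName*User Profile to SharePoint Full Synchronization" } |
           Select-Object -First 1
    if ($job -eq $null) { throw "ProfSync job for '$UpaName' not found" }
    Start-SPTimerJob $job
    return $job
}

Get-SPProfileSyncStatus | Format-Table Database, LastProfileSync, Stale -AutoSize

# After clearing stale entries with the post's stsadm -o sync step, push the profiles now
# instead of waiting for the hourly schedule.
Start-SPProfileFullSync
```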
Unable to Move User Profile Property
When you look at the User Profile Property list in the UPA Manage User Profiles, notice the defaults below. Of note is the Resource Account SID property. It is not possible to move properties above this, regardless of whether it is Object Exists or a custom property. When you select Move Up on a property below Resource Account SID, it will simply fail to move up. This is due to some hidden properties! Let’s take a look at SQL… Here we see the property SPS-ResourceSID, which is Resource Forest SID, and SPS-ObjectExists, which is Object Exists in the Web UI. This data is from the PropertyList table in the Profile database. Next, we have the DisplayOrder values. These values determine how the properties are displayed in the Manage User Properties UI, in descending DisplayOrder. Again, this is from the ProfileSubtypePropertyAttributes table in the Profile database. Here we see Property ID 5021 (SPS-ResourceSID) with a DisplayOrder of 5021. But what else do we see? Property ID 5022 (SPS-ResourceAccountName) should be right below it in the UI, but instead in the Manage User Profiles UI we see Property ID 5028 (SPS-ObjectExists)! So where is SPS-ResourceAccountName, and how does it relate to our issue of not being able to move a property up past Resource Forest SID? Well, there are two properties in the Manage User Profile UI that are removed from the SQL result set when the User Profile Properties are retrieved from the database, by this bit of code. [crayon-5304ac30bd5bc655258401/] As you can see, if the User Profile Property name is “SPS-ResourceAccountName” (or “SPS-MasterAccountName”), it is not added to the Manage User Properties list! Because of this, when you attempt to move a property above Resource Forest SID, you’re actually attempting to move the property above the hidden property SPS-ResourceAccountName, which is beneath Resource Forest SID per the DisplayOrder value.
When the code attached to the Up Arrow attempts to make the move for the desired property, the DisplayOrder of SPS-ResourceAccountName, or 5022, is also set for the desired property. Since both properties have the same DisplayOrder, it becomes impossible to move the desired property above the hidden SPS-ResourceAccountName. Unfortunately, there is no supported workaround for this issue.
SharePoint and the Web Application Proxy Role
Windows Server 2012 R2 includes a new role, the Web Application Proxy Role. This role is meant as a replacement for such technologies as Microsoft TMG and UAG, containing some of the functionality of those products. This post will go over how to implement the basics of the Web Proxy Role. The first requirement of the Web Proxy Role is that you must have Active Directory Federation Services in your environment. The Web Proxy Role communicates with the AD FS service endpoint, and asks for the federation service address during the configuration. In addition, the Web Proxy Role cannot reside on the same server as an AD FS instance. However, this does not mean that the site behind the Web Proxy Role is consuming SAML tokens, we can still use Classic Authentication on SharePoint! On the Web Proxy Role server, install two NICs. One NIC will be internal facing and should contain a gateway IP address for your internal network. The external NIC will have an IP and subnet mask assigned to it, but no further TCP/IP properties are necessary. The client will be an external client. Use a hosts file to configure name resolution for test lab purposes. You’ll want entries for your proxy server, the Federation Service Name, and of course the Web Application FQDN. All three of these entries should be pointing to the static IP address of the external NIC on the Web Proxy Role server. You will need a valid certificate implemented within AD FS and a certificate available for the Web Proxy Role, as well. In this example, I have a wildcard SSL certificate for *.nauplius.local. Wildcard is clearly the easiest solution for multiple hosts under the same domain, but validate that it meets your organizational security requirements. The last requirement for pre-authentication (not pass-through) via AD FS is to enable Constrained Kerberos Delegation for the SharePoint Web Application. This is a relatively simple process. 
First, record the account the Web Application’s Application Pool is running as. In this case, NAUPLIUS\s-sp2013apppool. Next, set the Service Principal Names on the Application Pool account, matching the FQDN and short name of the Web Application’s Alternate Access Mapping. This particular Web Application only has a single AAM, https://adfstest.nauplius.local, so my SPN configuration would look like: [crayon-5304ac30bcf38038154490/]

Allow the Web Proxy Role computer account to delegate to these particular SPNs. This is done through Active Directory Users and Computers. Find the computer account and select the Delegation tab. Choose “Trust this computer for delegation to specified services only” and then choose “Use any authentication protocol”. The next step is to click Add, then Users or Computers. Enter the Application Pool account (s-sp2013apppool) and find the SPN. It will be listed under a Service Type of HTTP and a User or Computer of the Web Application hostname or FQDN. When complete, the delegation will look similar to this:

Enable Kerberos on the Web Application. To do this, go to Central Administration -> Manage Web Applications, highlight the configured Web Application and click Authentication Providers in the ribbon. Select the proper Zone, then under the Integrated Windows authentication dropdown select Negotiate (Kerberos), and click Save. Attempt to log in with Windows authentication to the Web Application from a client to validate that it works. If you’re prompted for authentication 3 times or get a white screen, issue an iisreset on the SharePoint server to refresh any Kerberos tickets that have been issued.

Record the Federation Service name. This is required during the Web Proxy Role setup. In addition, create any required Relying Parties for SAML-enabled applications, such as SharePoint. I won’t cover Relying Parties here, but there is an excellent AD FS end-to-end guide that continues to apply at the Share-in-dipity blog.
Deploy the Web Proxy Role from Server Manager (or PowerShell). Under Server Manager -> Manage -> Add Roles and Features, select the Remote Access Server role. Then, select the Remote Access Management Tools feature, under Remote Administration Tools. Select the type of Remote Access role to install. Select Web Application Proxy, and complete the installation.

The next step is to run the Web Application Proxy Configuration Wizard. The first thing it will ask for is the Federation Server information (AD FS). You’ll notice that it asks for an administrative username and password. The next step is to provide it with a certificate; again this is using a Wildcard SSL certificate because it covers numerous hosts. The last step is simply a confirmation, including the PowerShell cmdlet you could have used.

Once the wizard has completed, run the Remote Access Management Console. This console provides information on published applications as well as the status of the proxy. As you can see here, I’ve already published two Web Applications, a Web Application on SharePoint 2010 running in Classic mode and another on SharePoint 2013 using SAML Claims integrated with AD FS.

Publishing an application is extremely easy. Simply Publish a new Web Application, which involves only a couple of steps. The first step is to choose whether to use AD FS or Pass-through Authentication. Pass-through Authentication is for applications that are not SAML-enabled, such as a Classic Auth SharePoint Web Application. The only difference between choosing AD FS or Pass-through is that AD FS includes one additional step, namely selecting a pre-existing Relying Party from the AD FS service. The next step applies to both AD FS and Pass-through Authentication: Publishing Settings. Here you will want to give the published application a descriptive name, and then provide the external and internal URLs. Also select a valid SSL certificate for the external URL. As you can see, I’ve chosen a Wildcard SSL certificate.
And that is it. Like when we configured the Web Proxy Role, the confirmation screen will helpfully display the PowerShell cmdlet to perform the same function that we just performed via the GUI. The next step is to test from a client. Like most reverse proxies, the Web Proxy Role is transparent to the end user. The end user is simply directed […]
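The SPN, delegation and publishing steps of this walkthrough as PowerShell, added here as an example and not the post’s own script. It assumes (none of these are from the post) that the proxy server’s computer account is WAP01, that the Federation Service name is sts.nauplius.local, that the AD FS relying party is named adfstest, and that the certificate thumbprints are placeholders; the SPN and delegation steps run where the ActiveDirectory module is available, the last two steps on the proxy server itself.

```powershell
# Added example, not the post's script. Assumed names: proxy computer WAP01,
# AD FS service sts.nauplius.local, relying party 'adfstest'; thumbprints are
# placeholders. Steps 1-2 need the ActiveDirectory RSAT module; step 3 runs on
# the Web Application Proxy server after the Remote Access role is installed.
Import-Module ActiveDirectory

$appPoolAccount = 'NAUPLIUS\s-sp2013apppool'
$proxyComputer  = 'WAP01'
$spns = @('HTTP/adfstest.nauplius.local', 'HTTP/adfstest')   # FQDN and short name of the AAM

# 1. Register the SPNs on the application pool account. -S refuses to create a
#    duplicate; a duplicate SPN anywhere in the forest silently breaks Kerberos.
foreach ($spn in $spns) { setspn -S $spn $appPoolAccount }
setspn -X      # forest-wide duplicate check; expect "found 0 group of duplicate SPNs"

# 2. Constrained delegation on the proxy's computer account: the equivalent of
#    "Trust this computer for delegation to specified services only" plus
#    "Use any authentication protocol" (protocol transition) on the Delegation tab.
Set-ADComputer -Identity $proxyComputer -Add @{ 'msDS-AllowedToDelegateTo' = $spns }
Get-ADComputer -Identity $proxyComputer | Set-ADAccountControl -TrustedToAuthForDelegation $true

# Verify before touching the proxy: both SPNs listed, TrustedToAuthForDelegation True.
Get-ADComputer -Identity $proxyComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Format-List Name, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo

# 3. On the proxy server: establish the trust with AD FS (what the configuration
#    wizard does), then publish the Web Application (what the publish wizard does).
$cred = Get-Credential -Message 'AD FS administrator'   # the wizard prompts for this too
Install-WebApplicationProxy -FederationServiceName 'sts.nauplius.local' `
    -CertificateThumbprint '<WILDCARD-CERT-THUMBPRINT>' `
    -FederationServiceTrustCredential $cred

# AD FS pre-authentication with Kerberos constrained delegation to the back end.
# -BackendServerAuthenticationSPN is the SPN from step 1 and is what makes the
# delegation from step 2 matter. A pass-through publish (Classic SharePoint with
# no pre-authentication) uses -ExternalPreauthentication PassThrough and omits
# the relying party name and the SPN.
Add-WebApplicationProxyApplication -Name 'adfstest (AD FS pre-auth, KCD)' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'adfstest' `
    -ExternalUrl 'https://adfstest.nauplius.local/' `
    -BackendServerUrl 'https://adfstest.nauplius.local/' `
    -BackendServerAuthenticationSPN 'HTTP/adfstest.nauplius.local' `
    -ExternalCertificateThumbprint '<WILDCARD-CERT-THUMBPRINT>'

# Confirm what is published and with which pre-authentication mode.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
```

For a Windows-authenticated back end published with AD FS pre-authentication, the relying party referenced by -ADFSRelyingPartyName is a non-claims-aware relying party trust in AD FS; creating it is outside this post.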
↧
What is the SharePoint Configuration Cache?
SharePoint has what is known as the Configuration Cache. Sometimes we get recommendations to clear it, especially when timer jobs don’t appear to be operating properly. But what exactly is the Configuration Cache and how does it function?

The Configuration Cache exists on each SharePoint server joined to the farm, regardless of role. The cache is stored at C:\ProgramData\Microsoft\SharePoint\Config\<GUID>\ and consists of often thousands of XML files and a single cache.ini file. The XML files are simply farm objects from the Objects table of the SharePoint Configuration database. For example, take this file, 7fb0b296-fae7-45bd-88fc-9a4a4e69b484.xml. If we look at the internals of the file, it is simply an object! In this particular case, it is the User Profile Import Job. [crayon-5304ac30ba273109905027/]

The XML file name matches the ID column in the Objects table, as well as the Persisted Object ID.

From clearing the Configuration Cache, we know that cache.ini is involved in this process. It must exist, and it must contain a numeric value (1 or higher). The cache.ini file closely mirrors the number contained in the Configuration database’s LastUpdate table. This table contains two columns, a Value column and a Version column. The Version column increments on a regular basis, and cache.ini is updated from the Version value.

To accomplish this, there is a local Timer Job on each server with the internal name “job-config-refresh”. This timer job runs on a 15 second interval. The timer job first validates that cache.ini has not been invalidated, then runs the stored procedure proc_getNewObjects within the Configuration database. If the value in the cache.ini file is less than the value in the LastUpdate table, a SELECT statement is run against the Objects table for rows whose Version column is greater than the value in the LastUpdate table; it also tombstones objects in the Tombstone table.
From there, the timer job compares the objects on the file system in the Config folder with the newest returned versions of the objects. Expired objects (files) are deleted, and new or updated objects (files) are written to the Config folder.

Now, how is the value of the Version column in the LastUpdate table updated? Within the Objects table there is also a column named Version. This is a timestamp column, which means the value is unique within the database (and doesn’t actually have anything to do with a date or time; it is just an incrementing binary number). This data type is automatically incremented whenever the row changes (or is inserted, etc.). When SharePoint makes a change to a row in the Objects table via the stored procedure proc_putObjectTVP, that particular object has its Version column updated automatically. In addition, there is a SQL trigger on the Objects table named trigger_OnTouchObjects. What this trigger does is simply update the Value column in the LastUpdate table to 0 (the single row in this table always has a value of 0 for the Value column). Because the Version column in the LastUpdate table is also a timestamp column, that write updates it automatically! And as a bonus, since timestamp values are unique within the database, the LastUpdate Version column will always be one greater than that of the last Object updated!

This also explains why you may encounter Concurrency Update exceptions from PowerShell or, more commonly, the Configuration Wizard. A service has updated an object, which updates the Version of the object as well as the LastUpdate Version column; when you then attempt to execute against that “old” object, it is no longer valid and must be manually refreshed.

Hopefully this helps demystify the Configuration Cache, what it does, and how it is associated with the Configuration database!
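A farm-wide consistency check built on the mechanism just described, added here as an example rather than anything from the post. Because every server’s job-config-refresh writes the same LastUpdate version into its own cache.ini every 15 seconds, a server whose cache.ini stays behind the others, holds a value below 1, or has no object XML files is the one whose cache needs attention. The script assumes it runs as a farm administrator on a SharePoint server and that the C$ administrative share on each farm server is reachable; the function and variable names are mine.

```powershell
# Added example, not from the post. Reads cache.ini and counts the object XML
# files on every SharePoint server in the farm over the C$ share and reports
# how far each server lags the newest cache.ini value seen.
# Assumes: run as farm admin from a SharePoint server; C$ reachable on each server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPConfigCacheState {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # The cache folder name is a GUID; locate it by the cache.ini it contains
    # rather than assuming which GUID it is.
    $root = "\\$ComputerName\C$\ProgramData\Microsoft\SharePoint\Config"
    $ini  = Get-ChildItem -Path $root -Filter cache.ini -Recurse -ErrorAction Stop |
            Select-Object -First 1
    if (-not $ini) { throw "No cache.ini found under $root" }
    # cache.ini holds a single integer (the LastUpdate version last synced).
    $value = [int64](((Get-Content -Path $ini.FullName) -join '').Trim())
    New-Object PSObject -Property @{
        Server     = $ComputerName
        CacheDir   = $ini.DirectoryName
        CacheIni   = $value
        XmlObjects = @(Get-ChildItem -Path $ini.DirectoryName -Filter *.xml).Count
    }
}

# SQL and other non-SharePoint servers appear in the farm with the role
# 'Invalid' and have no configuration cache, so skip them.
$servers = (Get-SPFarm).Servers |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object -ExpandProperty Address

$states = foreach ($server in $servers) {
    try   { Get-SPConfigCacheState -ComputerName $server }
    catch { Write-Warning "$server`: $($_.Exception.Message)" }
}

# A server is suspect when cache.ini is below 1 (the job will not run) or the
# folder holds no objects; BehindNewest shows who has not caught up yet.
$newest = ($states | Measure-Object -Property CacheIni -Maximum).Maximum
$states |
    Select-Object Server, CacheIni, XmlObjects,
        @{ n = 'BehindNewest'; e = { $newest - $_.CacheIni } },
        @{ n = 'Suspect';      e = { $_.CacheIni -lt 1 -or $_.XmlObjects -eq 0 } } |
    Format-Table -AutoSize
```

Run it twice a minute or so apart: a server that is briefly behind has simply not hit its next 15-second refresh, while one whose BehindNewest never drops to zero is the one to clear.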
↧
Using SharePoint Automation Services Slides
Yesterday I spoke at the Puget Sound SharePoint User Group about Word Automation Services and PowerPoint Automation Services. Below are the slides. In addition, the demos used on the slides were completed in SharePoint 2013 using Nauplius.WAS and Nauplius.PAS, both freely available from CodePlex.com.
↧