Friday 23 March 2012

Converting Self-Signed Certificates into certificates with a Private Key that IIS can use


Enabling SSL on SharePoint test sites displays the standard IE or Firefox certificate error.
To avoid this and give test users a smooth experience you can generate a self-signed certificate and convert it to a .pfx file that can be imported into IIS.

When generating self-signed certificates for test systems, this method gives you a self-signed certificate together with its private key.

Generate a self-signed cert and Private Key

Copy the Certificate and Private key to their own respective text file and save with relevant names.
Change the extension of the certificate to a .pem or .crt file


Convert to usable self-signed certificate including private key (Convert PEM To PKCS12 (PFX) Format)

Paste in the Private Key and self-signed certificate, create a password.
Download the .zip file containing the .pfx certificate with Private Key
This .pfx file can now be imported into IIS.

You will still need to import the .pem/.crt self-signed certificate into your own PC “Trusted Root Certification  Authorities > Certificates” certificate store.
This can be done manually or via Group Policy if required for a large environment.
This prevents the certificate errors when accessing an SSL-enabled SharePoint site in your test environments.
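The same workflow done entirely on the local machine, as an added example that is not part of the original post: it uses the Windows PKI cmdlets (New-SelfSignedCertificate, Export-PfxCertificate, Export-Certificate, Import-Certificate) that ship with Windows 8 / Server 2012 and later, so the private key is generated, exported and trusted without leaving the box. The host name and output folder are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumes the PKI module (Windows 8 / Server 2012 and later).
$siteName = 'sharepoint-test.mydomain.tld'   # assumed host header that test users browse to
$outDir   = 'C:\certs'                       # assumed output folder
$pfxPath  = Join-Path $outDir "$siteName.pfx"
$cerPath  = Join-Path $outDir "$siteName.cer"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Create the self-signed certificate (with its private key) in the machine store.
#    The DNS name must match the URL users type, otherwise the browser warning comes straight back.
$cert = New-SelfSignedCertificate -DnsName $siteName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Export certificate + private key as a password-protected PKCS#12 (.pfx) for IIS.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3. Export the public part only (.cer); this is what goes into the test PCs' Trusted Root store.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 4. Trust it on this machine (repeat on each test PC, or push the .cer out via Group Policy).
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Check the .pfx really carries the private key and matches the copy in the store.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)
if (-not $pfx.HasPrivateKey)              { throw "$pfxPath has no private key" }
if ($pfx.Thumbprint -ne $cert.Thumbprint) { throw 'Thumbprint mismatch between .pfx and store copy' }
"OK: $pfxPath (thumbprint $($cert.Thumbprint)) is ready to import into IIS"
```

Import the .pfx into IIS as in the post; the .cer is the file to distribute to the Trusted Root Certification Authorities store of the test PCs.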


Wikipedia has more information on the file extensions used for SSL certificates here :
http://en.wikipedia.org/wiki/X.509

Thursday 22 March 2012

Setting ADFS Token Expiration times.

The SAML token lifetime is set by the token issuer (resource ADFS Server). You may find that this is too short and want to extend it.

Note that the valid session time is set by the ADFS SAML TokenLifeTime and the LogonTokenCacheExpirationWindow in SharePoint.
The SAML TokenLifeTime always needs to be greater than the LogonTokenCacheExpirationWindow in SharePoint.

The formula to apply here is as follows.
Valid Session time = TokenLifeTime - LogonTokenCacheExpirationWindow




To change the session times


On the resource ADFS server
The following script example shows you how to change the lifetime of the SAML token issued by the "SharePoint Adatum Portal" relying party in ADFS to 480 minutes.

Add-PSSnapin Microsoft.ADFS.PowerShell
Set-AdfsRelyingPartyTrust -TargetName "SharePoint Adatum Portal" -TokenLifeTime 480

On the Resource SharePoint Farm
The following script example shows you how to change the LogonTokenCacheExpirationWindow in SharePoint to two minutes.

$ap = Get-SPSecurityTokenServiceConfig
$ap.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 2)
$ap.Update()
iisreset
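An added check (not from the original post) that applies the formula above before anything is changed: it refuses a TokenLifeTime that is not greater than the LogonTokenCacheExpirationWindow and otherwise returns the effective session length. The relying party name is the one used in the post's example.

```powershell
# Added example (not from the original post): validate the two settings against each other.
# Rule from the post: ADFS TokenLifeTime (minutes) must be greater than SharePoint's
# LogonTokenCacheExpirationWindow; the effective session is the difference.
function Get-EffectiveSessionMinutes {
    param(
        [Parameter(Mandatory=$true)][int]$TokenLifeTimeMinutes,
        [Parameter(Mandatory=$true)][timespan]$LogonTokenCacheExpirationWindow
    )
    if ($TokenLifeTimeMinutes -le 0) {
        throw 'TokenLifeTime is 0, so the ADFS default applies; set it explicitly on the relying party first.'
    }
    $windowMinutes = $LogonTokenCacheExpirationWindow.TotalMinutes
    if ($TokenLifeTimeMinutes -le $windowMinutes) {
        throw "TokenLifeTime ($TokenLifeTimeMinutes min) must be greater than LogonTokenCacheExpirationWindow ($windowMinutes min); otherwise the cached token counts as expired as soon as it is issued."
    }
    return $TokenLifeTimeMinutes - $windowMinutes
}

# Offline check with the values from the post: 480 minute token, 2 minute window -> 478 minute session.
Get-EffectiveSessionMinutes -TokenLifeTimeMinutes 480 -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 2)

# Live check. Run the first function on the resource ADFS server and pass its result to the
# second on a SharePoint server.
function Get-AdfsTokenLifeTime {
    param([Parameter(Mandatory=$true)][string]$RelyingPartyName)   # e.g. "SharePoint Adatum Portal"
    Add-PSSnapin Microsoft.ADFS.PowerShell -ErrorAction SilentlyContinue
    (Get-AdfsRelyingPartyTrust -Name $RelyingPartyName).TokenLifetime
}

function Test-SPSessionConfig {
    param([Parameter(Mandatory=$true)][int]$AdfsTokenLifeTimeMinutes)
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $sts = Get-SPSecurityTokenServiceConfig
    $effective = Get-EffectiveSessionMinutes -TokenLifeTimeMinutes $AdfsTokenLifeTimeMinutes `
                     -LogonTokenCacheExpirationWindow $sts.LogonTokenCacheExpirationWindow
    "Token $AdfsTokenLifeTimeMinutes min, cache window $($sts.LogonTokenCacheExpirationWindow.TotalMinutes) min, effective session $effective min"
}
```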


The MSDN page on SAML token expiration in SharePoint is worth a read to understand the principles:
http://msdn.microsoft.com/en-us/library/hh446526.aspx


To display the current ADFS relying party trust settings
Get-AdfsRelyingPartyTrust

To display the SharePoint Security Token Service Config
Get-SPSecurityTokenServiceConfig

Tuesday 20 March 2012

How to find ADFS Reference Number errors

ADFS error reference numbers displayed on the ADFS login page (see below) can be found in the Windows Server event logs.

Open the Server Event Viewer.
Navigate to Applications and Services Logs > AD FS 2.0 > Admin.
Select 'View' from the main menu > Add/Remove Columns... > add the "Correlation Id" column.

You can now look up the reference number in the "Correlation Id" column.
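The same lookup from PowerShell, as an added example that is not from the original post: the "Correlation Id" column in Event Viewer is the event's ActivityId, and the log name matches the Event Viewer path above (AD FS 2.0 > Admin). The GUID in the usage comment is a constructed placeholder.

```powershell
# Added example (not from the original post): find the event behind an ADFS reference number.
function Find-AdfsEventByReference {
    param(
        [Parameter(Mandatory=$true)][guid]$ReferenceNumber,   # the number shown on the ADFS error page
        [int]$MaxEvents = 5000                                  # how far back in the log to scan
    )
    # Event Viewer's "Correlation Id" column is the ActivityId on each event record.
    Get-WinEvent -LogName 'AD FS 2.0/Admin' -MaxEvents $MaxEvents -ErrorAction Stop |
        Where-Object { $_.ActivityId -eq $ReferenceNumber } |
        Select-Object TimeCreated, Id, LevelDisplayName, ActivityId, Message
}

# Triage helper: the most recent error events, one line each, with their reference numbers,
# so a number a user read out over the phone can still be matched.
function Get-AdfsRecentErrors {
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Level = 2 } -MaxEvents $Last -ErrorAction Stop |
        Select-Object TimeCreated, Id, ActivityId,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage (the GUID is a constructed placeholder):
# Find-AdfsEventByReference -ReferenceNumber '00000000-0000-0000-0000-000000000000'
# Get-AdfsRecentErrors -Last 10 | Format-Table -AutoSize
```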


Scheduled Task run results

List of Task result codes and what they mean.
Why not just put the info in the task scheduler MS?

SCHED_S_TASK_READY (0x00041300) - The task is ready to run at its next scheduled time.
SCHED_S_TASK_RUNNING (0x00041301) - The task is currently running.
SCHED_S_TASK_DISABLED (0x00041302) - The task will not run at the scheduled times because it has been disabled.
SCHED_S_TASK_HAS_NOT_RUN (0x00041303) - The task has not yet run.
SCHED_S_TASK_NO_MORE_RUNS (0x00041304) - There are no more runs scheduled for this task.
SCHED_S_TASK_NOT_SCHEDULED (0x00041305) - One or more of the properties that are needed to run this task on a schedule have not been set.
SCHED_S_TASK_TERMINATED (0x00041306) - The last run of the task was terminated by the user.


Complete List here :
Task Scheduler Error and Success Constants
http://msdn.microsoft.com/en-us/library/aa383604%28VS.85%29.aspx

Monday 19 March 2012

SharePoint Website Warm up options

There are many warm-up scripts and executables that can run against your SharePoint environments to speed up the first access to any site. These options have worked best for our infrastructure; personally the first works well and has useful options.

Set up a scheduled Windows task which launches your selection, running under an account that has the relevant access, every morning before start of business. The web application is hit and every page in the site is iterated.




SPWakeup : http://spwakeup.codeplex.com/
A simple application that touches each site and site collection on a SharePoint or WSS server to rebuild the IIS cache.
This is compatible with Win 2008 R2 and SharePoint 2010; a nice touch is the email letting you know it's been run.

Powershell Script : http://www.jonthenerd.com/2011/04/19/easy-sharepoint-2010-warmup-script-using-powershell/
The script loads the SharePoint plugin, enumerates the zones, and sends a request to each one.


MS Application Warm-up : http://forums.iis.net/t/1176740.aspx
The MS IIS team had a nice warm-up option that I've used before, but it has been removed at present (19/03/2012).
Keep an eye on any new developments as it was a good option.
SP George had a good how-to : http://sharepointgeorge.com/2010/warm-sharepoint-web-applications-windows-2008-r2-iis-75-application-warmup-module/



For the reasons behind IIS resets and why warm-up scripts are worth using, check out this link : http://social.technet.microsoft.com/Forums/en-US/sharepointadmin/thread/8547eaed-5420-4cca-af29-206d71898322/
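A warm-up script of the kind the scheduled task would launch, as an added example that is neither from the original post nor from any of the linked tools: it requests every zone URL of every web application and the root of every site collection, runs as the task account, and writes a timing report so a failed or slow request shows up in the task output. The log location is an assumption.

```powershell
# Added example (not from the original post): warm up every zone and site collection root.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Invoke-WarmUpRequest {
    param([Parameter(Mandatory=$true)][string]$Url)
    $client = New-Object System.Net.WebClient
    $client.UseDefaultCredentials = $true          # authenticates as the scheduled-task account
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $null = $client.DownloadString($Url)        # the page is fetched and discarded; the hit is the point
        $status = 'OK'
    } catch {
        $status = 'FAILED: ' + $_.Exception.Message
    } finally {
        $sw.Stop()
        $client.Dispose()
    }
    New-Object PSObject -Property @{ Url = $Url; Status = $status; Milliseconds = $sw.ElapsedMilliseconds }
}

function Invoke-SPWarmUp {
    $results = @()
    foreach ($webApp in Get-SPWebApplication) {
        # One request per zone (Default, Intranet, Internet, ...) so each IIS site gets compiled.
        foreach ($altUrl in $webApp.AlternateUrls) {
            $results += Invoke-WarmUpRequest -Url $altUrl.IncomingUrl
        }
        # Then every site collection root in the web application.
        foreach ($site in Get-SPSite -WebApplication $webApp -Limit All) {
            try { $results += Invoke-WarmUpRequest -Url $site.Url } finally { $site.Dispose() }
        }
    }
    $results
}

$log = Join-Path $env:TEMP ('spwarmup-{0:yyyyMMdd-HHmm}.log' -f (Get-Date))   # assumed log location
$report = Invoke-SPWarmUp
$report | Format-Table Status, Milliseconds, Url -AutoSize | Out-String | Out-File $log
$failed = @($report | Where-Object { $_.Status -ne 'OK' })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) warm-up request(s) failed; see $log"; exit 1 }
```

The non-zero exit code surfaces failures as a non-success "Last Run Result" in Task Scheduler, so the morning check is just a glance at the task list.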

Thursday 15 March 2012

Setting up Kerberos Authentication for SharePoint



To understand the basics, read the articles at the end of this how-to. In short, you permit your web service account to connect from a specified URL to a specific server with a specific SQL account.



For the SQL Service account

A : Manual Process For SQL
Open a cmd prompt with Run as (run as the domain admin account) or add the following with ADSI Edit.
Enter the following in the cmd prompt
setspn -A MSSQLSvc/servername.mydomain.tld:1443 mydomain\SQLserviceaccount
press enter

if successful enter the following
setspn -A MSSQLSvc/servername:1443 mydomain\SQLserviceaccount
press enter


B : Else, open ADSI edit
Browse to the SQL Server Service account used (mydomain\SQLserviceaccount)
right click > properties.
In the Attribute section, select servicePrincipalName > click Edit
Add the following :
MSSQLSvc/servername:1443
MSSQLSvc/servername
MSSQLSvc/servername.mydomain.tld:1443
MSSQLSvc/servername.mydomain.tld


For the Web application Account

A : Manual Process
Open a cmd prompt with Run as (run as the domain admin account) or add the following with ADSI Edit.
Enter the following in the cmd prompt
Setspn -A HTTP/myURL.mydomain.tld mydomain\webappserviceaccount


B : Else, open ADSI edit
Browse to the Web Application Service account used (mydomain\webappserviceaccount)
right click > properties.
In the Attribute section, select servicePrincipalName > click Edit
Add the following :
HTTP/myURL
HTTP/myURL.mydomain.tld

Note : it's always HTTP even if your site is HTTPS





Enable Constrained Delegation for the Web Application account

Browse to the web application Active Directory service account (mydomain\webappserviceaccount)
Edit the Object > Select the Delegation Tab > Trust this user for Delegation to any service (Kerberos only)
Click Ok



Test the Kerberos Setup

1. Set up a new site in Central Admin
Central Admin > Manage Web Applications > New
Select Claims Based Auth
Create a new IIS Site
Port : 80
HostHeader : enter the name of the site users will browse to
Edit Path to D:\etc...
Allow Anonymous : Yes
Enable Windows Auth : checked
Integrated Windows Auth : checked and Negotiate (Kerberos) set
Create new Application pool : enter pool name or leave as default.
Select the Web application Service account : (mydomain\webappserviceaccount)
Amend your DB name if required.
Select OK to create the new web application

2. Create a site collection
Any site will do, use the same name as the host header and enter a site collection admin.
Click ok

3. Open DNS Manager > Create an A record for the Site name pointing to the IP i.e. MyURL
FQDN should be myURL.mydomain.tld

4. Open the server's Event Viewer > Select the Security log > Filter the log to event ID 4624


5. Access the site from your PC browser : http://myURL
Check the server's Event Viewer for 4624 events; Logon Process and Authentication Package should read : Kerberos
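Checks for the steps above, as an added example that is not from the original post: whether the SPNs are on the right accounts, whether any SPN is registered twice (a duplicate makes Kerberos fall back to NTLM with no obvious error), which delegation mode the Delegation tab set (the "any service" option is unconstrained delegation, flag 0x80000 in userAccountControl; "specified services only" is constrained delegation, stored in msDS-AllowedToDelegateTo), and the authentication package behind recent 4624 logons, which replaces the Event Viewer filtering in step 4 and 5. Account and SPN names in the usage lines are the post's own placeholders.

```powershell
# Added example (not from the original post): verify SPNs, delegation and logon package.
function Get-AdAccount {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=user)(sAMAccountName=$SamAccountName))")
    foreach ($p in 'servicePrincipalName', 'userAccountControl', 'msDS-AllowedToDelegateTo') {
        $null = $searcher.PropertiesToLoad.Add($p)
    }
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in the current domain" }
    $result
}

# Are the expected SPNs actually on the account?
function Test-SpnRegistered {
    param([Parameter(Mandatory=$true)][string]$SamAccountName, [Parameter(Mandatory=$true)][string[]]$ExpectedSpn)
    $registered = @((Get-AdAccount $SamAccountName).Properties['serviceprincipalname'])
    foreach ($spn in $ExpectedSpn) {
        New-Object PSObject -Property @{ Account = $SamAccountName; SPN = $spn; Registered = ($registered -contains $spn) }
    }
}

# Is the same SPN registered on more than one account? (setspn -X does the same for the whole forest.)
function Find-DuplicateSpn {
    param([Parameter(Mandatory=$true)][string]$Spn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(servicePrincipalName=$Spn)")
    $null = $searcher.PropertiesToLoad.Add('sAMAccountName')
    $owners = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
    New-Object PSObject -Property @{ SPN = $Spn; Owners = ($owners -join ', '); Duplicate = ($owners.Count -gt 1) }
}

# Which delegation mode did the Delegation tab set?
function Get-DelegationMode {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $acct    = Get-AdAccount $SamAccountName
    $uac     = [int]$acct.Properties['useraccountcontrol'][0]
    $allowed = @($acct.Properties['msds-allowedtodelegateto'])
    if ($uac -band 0x80000)       { 'Unconstrained (trust this user for delegation to any service)' }
    elseif ($allowed.Count -gt 0) { 'Constrained to: ' + ($allowed -join ', ') }
    else                          { 'None' }
}

# Steps 4 and 5 without Event Viewer: recent 4624 logons and the package that authenticated them.
function Get-RecentLogonPackages {
    param([int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time         = $_.TimeCreated
                User         = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonProcess = $data['LogonProcessName']
                AuthPackage  = $data['AuthenticationPackageName']
            }
        }
}

# Usage (names are the post's placeholders):
# Test-SpnRegistered 'webappserviceaccount' 'HTTP/myURL', 'HTTP/myURL.mydomain.tld'
# Test-SpnRegistered 'SQLserviceaccount' 'MSSQLSvc/servername.mydomain.tld:1443', 'MSSQLSvc/servername:1443'
# Find-DuplicateSpn 'HTTP/myURL.mydomain.tld'
# Get-DelegationMode 'webappserviceaccount'
# Get-RecentLogonPackages | Where-Object { $_.AuthPackage -ne 'Kerberos' } | Format-Table -AutoSize
```

The last line lists only the logons that did not use Kerberos; after the setup works, the web application account should not appear there.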


This is a really good site for further info : http://technet.microsoft.com/en-us/magazine/ee914605.aspx

These websites contain good explanations :
http://www.thesharepointblog.net/Lists/Posts/Post.aspx?List=815f255a%2Dd0ef%2D4258%2Dbe2a%2D28487dc9975c&ID=43
http://blogs.msdn.com/b/russmax/archive/2009/10/20/configuring-kerberos-authentication-in-sharepoint-2010-part-1.aspx

The first was pretty clear to me and was used to create this page.

Wednesday 14 March 2012

Developer Dashboard

The Developer Dashboard helps diagnose issues with custom code, load times and heaps more.


There are a few ways to enable it, disable it, or make it available on demand.
Note : you may need an IIS reset to see the developer dash appear / disappear


1. Powershell 


onDemand Mode (makes the icon available to expand the info window on each relevant page)
$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$addsetting =$service.DeveloperDashboardSettings
$addsetting.DisplayLevel = [Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::OnDemand
$addsetting.Update()

Enable for all
$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$addsetting =$service.DeveloperDashboardSettings
$addsetting.DisplayLevel = [Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::On
$addsetting.Update()

Remember to Turn Off
$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$addsetting =$service.DeveloperDashboardSettings
$addsetting.DisplayLevel = [Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel]::Off
$addsetting.Update()



2. STSADM

Run stsadm from command prompt in the hive\bin dir unless you have it as a path in windows.
hive = C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\

onDemand Mode
stsadm -o setproperty -pn developer-dashboard -pv "OnDemand"

Enable for all
stsadm -o setproperty -pn developer-dashboard -pv "On"


Remember to Turn Off
stsadm -o setproperty -pn developer-dashboard -pv "Off"


Sunday 11 March 2012

AD Permissions on SharePoint Administrative accounts.

A common mistake produces the various errors below on install or when adding service accounts to SharePoint.

Solution :
"Authenticated Users" should have "read" permissions on all Service accounts you add to SharePoint.
From the AD console > edit the AD service account object > Security tab > Select "Authenticated Users" > ensure "Read" permissions are enabled.

Error on SP installation : 
Failed to create the configuration database.
An exception of type System.Collections.Generic.KeyNotFoundException was thrown.  Additional exception information: The given key was not present in the dictionary.
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.ThrowHelper.ThrowKeyNotFoundException()
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)

Error on adding AD account as managed SharePoint account : 
The given key was not present in the dictionary.
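A check for the solution above, as an added example that is not from the original post: it reads the service account's AD ACL and reports whether "Authenticated Users" (SID S-1-5-11, compared by SID so the display language does not matter) holds an Allow entry that grants Read. The account names in the last line are placeholders.

```powershell
# Added example (not from the original post): confirm Authenticated Users can read a service account object.
function Test-ServiceAccountReadable {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=user)(sAMAccountName=$SamAccountName))")
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found" }
    $entry = $result.GetDirectoryEntry()

    $authenticatedUsers = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
    # Explicit and inherited entries, resolved to SIDs rather than names.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $readRules = @($rules | Where-Object {
        $_.IdentityReference -eq $authenticatedUsers -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'GenericRead|GenericAll|ReadProperty')
    })
    $denyRules = @($rules | Where-Object {
        $_.IdentityReference -eq $authenticatedUsers -and $_.AccessControlType -eq 'Deny'
    })

    New-Object PSObject -Property @{
        Account                = $SamAccountName
        DistinguishedName      = $entry.distinguishedName.Value
        AuthenticatedUsersRead = ($readRules.Count -gt 0 -and $denyRules.Count -eq 0)
        AllowRights            = (($readRules | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join '; ')
        DenyEntries            = $denyRules.Count
    }
}

# Check every account SharePoint uses in one go (names are placeholders):
'sp_farm', 'sp_webapp', 'sp_search' | ForEach-Object { Test-ServiceAccountReadable $_ } | Format-Table -AutoSize
```

A Deny entry for Authenticated Users wins over any Allow, which is why the result is reported as not readable whenever one exists.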

Windows TIFF iFilter

The built-in Windows TIFF iFilter is simple to install, comes with Windows Server 2008 R2, and lets you index TIFF files in SharePoint 2010.

Install instructions :
Open Server manager > Features > Add Features > Windows TIFF iFilter > Next > Install.

Next, check the Group Policy to ensure the OCR filter is enabled.
Open mmc > add group policy object snapin > Local computer policy > administrative templates > OCR > Force TIFF iFilter to perform OCR for every page in a document > edit > Enable.

Install it on the SharePoint servers that do the indexing for the farm.
In the case of a multi tier farm, if you have no compatibility concerns or security issues, install on all servers in the Farm in case you move the indexing role around.


Lastly, upload a .TIFF with some text, run an indexing job and check the search results.


Thanks to Mr Liu : http://johnliu.net/blog/2010/8/13/sharepoint-enable-ifilter-for-tiff-ocr.html

Monday 5 March 2012

SharePoint 2010 Farm Backups via PowerShell

There are a few ways to do this but this method gave good results.

Overview :
Set up a share on a server you will use to store the farm backups. This can be any one of your SP servers in the farm. We normally back up to a share on the SQL box.
Set up scheduled tasks to trigger a batch file which runs the PS scripts to back up the farm or clean up the backups. This seems like an extra step but worked for me on Win 2008 R2 where nothing else would after a long day.
A good place to run this task would be an application server that most folk don't have access to, as I set the script execution policy to unrestricted.



Pre-reqs :

Script execution status :
Check the server that you will be running the PS scripts on.
Ensure the execution policy for PS scripts is set to unrestricted.
(run PS as admin)
To check : Get-ExecutionPolicy
To Set : Set-ExecutionPolicy Unrestricted


Set up your file share to store your backups :
Share the folder with the following settings
Everyone full access
NTFS permissions : SQL account & SP Admin account full access. (you need both accounts listed here)
Share name : \\Servername\FarmBackups



PS Scripts setup : 

Place your backup scripts in a relevant folder
\\Servername\FarmBackups\backupscripts


1. Set up a .bat file to be triggered by the scheduled task
File name : 1schedfarmbackup.bat
Insert the following line in the file and save.
powershell -command "&{D:\FarmBackups\backupscripts\2backupSPfarm.ps1}"




2. Set up the PowerShell script file to back up the farm.
File name : 2backupSPfarm.ps1
Insert the following lines and save
Add-PSSnapin Microsoft.SharePoint.PowerShell
# Full farm backup to the share; -Force lets it start even if free space looks insufficient
Backup-SPFarm -Directory \\Servername\FarmBackups -BackupMethod Full -BackupThreads 10 -Percentage 10 -Verbose -Force

Note : this backs up the farm to the specified directory using a full backup with 10 threads, reports progress every 10 percent verbosely, and -Force makes it run even if there is not enough space on the drive, so make sure you have monitoring on your drive space!


3. Set up the bat file to clean out old farm backups from the server.
File name : 3clean.bat
Insert line below and save
powershell -command "&{D:\FarmBackups\backupscripts\4cleanbackups.ps1 }"


4. Set up the PowerShell cleanup script

Filename  : 4cleanbackups.ps1
Insert the following, with the correct path and your required number of days of backups to keep, and save

#///Start of ps script
# Location of spbrtoc.xml (the backup history Backup-SPFarm maintains in the backup directory)
$spbrtoc = "\\servername\FarmBackups\spbrtoc.xml"

# Days of backups that will remain after the cleanup.
$days = 2

# Import the SharePoint backup report xml file
[xml]$sp = Get-Content $spbrtoc

# Find the backups in spbrtoc.xml older than $days.
# SPStartTime is stored as text, so cast it to [datetime]; comparing the raw string against a
# date silently does a string comparison and selects the wrong entries.
$old = @($sp.SPBackupRestoreHistory.SPHistoryObject |
    Where-Object { [datetime]$_.SPStartTime -lt ((Get-Date).AddDays(-$days)) })
if ($old.Count -eq 0) {
    Write-Host "No reports of backups older than $days days found in spbrtoc.xml.`nspbrtoc.xml isn't changed and no files are removed.`n"
    exit
}

# Delete the old backups from the SharePoint backup report xml file
$old | ForEach-Object { $null = $sp.SPBackupRestoreHistory.RemoveChild($_) }

# Delete the physical folders in which the old backups were located
$old | ForEach-Object { Remove-Item $_.SPBackupDirectory -Recurse }

# Save the new SharePoint backup report xml file
$sp.Save($spbrtoc)
Write-Host "Backup(s) entries older than $days days are removed from spbrtoc.xml and hard disk."

#///end of ps script



Set up scheduled tasks.

Login to the Server running the backups as SP setup account


Set up new task (Backup the farm)

General:
Name - Backup SharePoint Farm
Run whether user is logged in or not
Run  with highest privileges
Configure for : windows 2008 R2

Trigger :
Schedule
Daily at 18:00
Stop if runs longer than 5 hours (enter appropriate time)
Enabled

Actions :
start a program
Browse to the 1schedfarmbackup.bat
Fill in appropriate start in dir

Conditions :
Start task only if computer is on AC

Settings :
Allow run on demand
Stop if runs longer than 3 days
If task does not end, force to stop.

Click OK to create task and enter PWD for SP Setup account.



Set up new task (cleanup old backups)

General:
Name - Cleanup SP Farm Backups
Run whether user is logged in or not
Run  with highest privileges
Configure for : windows 2008 R2

Trigger :
Schedule
Daily at 04:00
Stop if runs longer than 2 hours (enter appropriate time)
Enabled

Actions :
start a program
Browse to the 3clean.bat
Fill in appropriate start in dir

Conditions :
Start task only if computer is on AC

Settings :
Allow run on demand
Stop if runs longer than 4 hours
If task does not end, force to stop.

Click OK to create task and enter PWD for SP Admin account.



Lastly, test your scheduled tasks and ensure the backup folders and .xml files are created on your share. Then check your cleanup scripts run successfully and cleanup the relevant folders a day or two later.
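A check for that last step, as an added example that is not from the original post: it reads spbrtoc.xml and reports whether the latest backup finished recently, without errors, and with its folder still on the share. Beyond SPStartTime and SPBackupDirectory, which the cleanup script above already uses, the element names (SPIsBackup, SPFinishTime, SPBackupMethod, SPErrorCount, SPWarningCount) are taken from the file format as I know it; compare them against your own spbrtoc.xml. The sample XML at the end is constructed.

```powershell
# Added example (not from the original post): did the scheduled backup actually succeed?
function Get-SPBackupHistory {
    param([Parameter(Mandatory=$true)][xml]$Spbrtoc)
    foreach ($h in $Spbrtoc.SPBackupRestoreHistory.SPHistoryObject) {
        if ($h.SPIsBackup -ne 'True') { continue }          # skip restore entries
        New-Object PSObject -Property @{
            Start     = [datetime]$h.SPStartTime
            Finish    = [datetime]$h.SPFinishTime
            Method    = $h.SPBackupMethod
            Directory = $h.SPBackupDirectory
            Errors    = [int]$h.SPErrorCount
            Warnings  = [int]$h.SPWarningCount
        }
    }
}

function Test-LatestSPBackup {
    param(
        [Parameter(Mandatory=$true)][xml]$Spbrtoc,
        [int]$MaxAgeHours = 30,                       # one daily run plus some slack
        [datetime]$Now = (Get-Date)
    )
    $latest = Get-SPBackupHistory $Spbrtoc | Sort-Object Start -Descending | Select-Object -First 1
    if (-not $latest) { return 'FAIL: no backup entries in spbrtoc.xml' }
    $age = ($Now - $latest.Finish).TotalHours
    if ($latest.Errors -gt 0)               { return "FAIL: last backup ($($latest.Start)) reported $($latest.Errors) error(s)" }
    if ($age -gt $MaxAgeHours)              { return "FAIL: last backup finished $([int]$age) hours ago (limit $MaxAgeHours)" }
    if (-not (Test-Path $latest.Directory)) { return "FAIL: backup folder $($latest.Directory) is missing" }
    "OK: $($latest.Method) backup finished $($latest.Finish) with $($latest.Warnings) warning(s)"
}

# Live use: Test-LatestSPBackup -Spbrtoc ([xml](Get-Content '\\Servername\FarmBackups\spbrtoc.xml'))

# Constructed sample to exercise the check offline (the folder path is a placeholder).
$sample = [xml]@'
<SPBackupRestoreHistory>
  <SPHistoryObject>
    <SPIsBackup>True</SPIsBackup>
    <SPBackupMethod>Full</SPBackupMethod>
    <SPStartTime>03/05/2012 18:00:03</SPStartTime>
    <SPFinishTime>03/05/2012 19:12:40</SPFinishTime>
    <SPBackupDirectory>C:\FarmBackups\spbr0000\</SPBackupDirectory>
    <SPErrorCount>0</SPErrorCount>
    <SPWarningCount>1</SPWarningCount>
  </SPHistoryObject>
</SPBackupRestoreHistory>
'@
# Evaluated as if it were the next morning: the age and error checks pass, and the folder check
# fails unless C:\FarmBackups\spbr0000 exists, which is the case a monitor should catch.
Test-LatestSPBackup -Spbrtoc $sample -Now ([datetime]'03/06/2012 08:00:00')
```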



This came from somewhere but I never kept the reference; apologies if it came from you.

PowerShell script not running as Scheduled Task Server 2008
http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/0ea10ab8-8dd3-4c4c-977c-bbfd0bb17a1d/

PowerShell remoting

PowerShell remoting gives you the ability to run powershell scripts remotely on another machine.
Pretty cool if you have to run recurring scripts on multiple machines from your own PC.



On your target server ::
Open a PowerShell window as admin and run the following commands

Enable-PSRemoting
Accept all prompts

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000
Accept all prompts

Enable-WSManCredSSP -Role Server
Accept all prompts



If your account running the script needs ShellAdmin permissions to run the script, check if the account is shell admin with the following on your target server. This was only relevant to what I was doing in SharePoint, ignore if not applicable.
get-spshelladmin

If it's not listed, add the account to shell admin on the target server.
add-spshelladmin accountname


Add the account (or SP account in my case) used to run code to the server local admin group.
In case of a multi-server farm, add on all servers. This again may not be relevant in your case.



On your Client Server ::
(where you want to run your script)
Open a PowerShell window as admin and run the following commands
 
Enable-WSManCredSSP -Role client -DelegateComputer *


Test access from the client server to the target server by entering the following PS command in a PS window
Enter-PSSession -ComputerName servername -Authentication CredSSP -Credential domain\accountname
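The client-side setup again as an added example (not from the original post or the linked article), with the delegation limited to the named server rather than `*`, a connectivity check before the first session, and the recurring-script case from the post done with Invoke-Command so the session is always cleaned up. The server name and account are assumptions.

```powershell
# Added example (not from the original post): client setup and a remote SharePoint script run.
$target = 'appserver01.mydomain.tld'                    # assumed target server (FQDN)

# 1. Delegate fresh credentials only to that server; '*' would hand them to any host you connect to.
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force | Out-Null

# 2. Show what is now configured (run on the target too, where it reports the server role).
Get-WSManCredSSP

# 3. Confirm WinRM answers before attempting an authenticated session.
Test-WSMan -ComputerName $target -ErrorAction Stop | Out-Null

# 4. Run the SharePoint work in one session and always tear it down.
function Invoke-SPRemoteScript {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory=$true)][scriptblock]$ScriptBlock
    )
    $session = New-PSSession -ComputerName $ComputerName -Authentication CredSSP -Credential $Credential
    try {
        Invoke-Command -Session $session -ScriptBlock $ScriptBlock
    } finally {
        Remove-PSSession $session
    }
}

$cred = Get-Credential 'mydomain\spadmin'   # assumed account; must be listed by Get-SPShellAdmin on the target
Invoke-SPRemoteScript -ComputerName $target -Credential $cred -ScriptBlock {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    Get-SPWebApplication | Select-Object DisplayName, Url
}
```

Get-WSManCredSSP is the quickest way to confirm which hosts this client is willing to delegate to; if the list shows `*`, the earlier blanket setting is still in place.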




All thanks to Abid the code Yoda and this URL :
http://blogs.msdn.com/b/opal/archive/2010/03/07/sharepoint-2010-with-windows-powershell-remoting-step-by-step.aspx

PowerShell cheat sheet

Random basic commands I keep forgetting, this list will surely keep growing


Add the SharePoint snap in :

Add-PSSnapIn Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue


Set a path :

Set-location "path"

Output the PS command in a formatted table

"randomPS-command" | Format-Table -AutoSize

Check DB status for upgrade status

Get-SPDatabase | ?{$_.NeedsUpgrade -eq $true} | Select Name

Add an SP solution to the farm's solution store (it must be added before it can be installed)
Add-SPSolution -LiteralPath "c:\source\CodeMonkeySolution.wsp"

Install SP Solution to all web applications, to the GAC and force it in
Install-SPSolution -Identity CodeMonkeySolution.wsp -allwebapplications -GACDeployment -force

Adding and Removing DLLs from the GAC using PowerShell

To add a .dll to the GAC

Run the SharePoint PowerShell console as Administrator

type : Set-location <path to dll's here>

[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

$publish = New-Object System.EnterpriseServices.Internal.Publish

$publish.GacInstall("<path>\RandomcodemonkeyDLL.dll")


 
To remove a .dll from the GAC

$publish.GacRemove("<path>\RandomcodemonkeyDLL.dll")
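The same install and remove wrapped with two checks, as an added example that is not from the original post: the strong name is read from the manifest first (the GAC rejects assemblies without a public key token), and after the install the assembly is resolved by its full name to confirm it really comes from the GAC. The DLL path is a placeholder.

```powershell
# Added example (not from the original post): GAC install/remove with strong-name and resolution checks.
[void][System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")

function Get-StrongName {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Reads the manifest without loading the assembly into this process.
    $name  = [System.Reflection.AssemblyName]::GetAssemblyName((Resolve-Path $Path).Path)
    $token = $name.GetPublicKeyToken()
    if (-not $token -or $token.Length -eq 0) {
        throw "$Path is not strong-named (no public key token); the GAC will not accept it"
    }
    $name
}

function Install-GacAssembly {
    param([Parameter(Mandatory=$true)][string]$Path)
    $name    = Get-StrongName $Path
    $publish = New-Object System.EnterpriseServices.Internal.Publish
    $publish.GacInstall((Resolve-Path $Path).Path)
    "Installed $($name.FullName)"
}

function Uninstall-GacAssembly {
    param([Parameter(Mandatory=$true)][string]$Path)
    $name    = Get-StrongName $Path
    $publish = New-Object System.EnterpriseServices.Internal.Publish
    $publish.GacRemove((Resolve-Path $Path).Path)
    "Removed $($name.FullName)"
}

function Test-GacAssembly {
    param([Parameter(Mandatory=$true)][string]$FullName)   # the FullName printed by Install-GacAssembly
    try {
        # Loads into this console, so run the check from a fresh console before removing the assembly.
        $loaded = [System.Reflection.Assembly]::Load($FullName)
        New-Object PSObject -Property @{ FullName = $FullName; InGac = $loaded.GlobalAssemblyCache; Location = $loaded.Location }
    } catch [System.IO.FileNotFoundException] {
        New-Object PSObject -Property @{ FullName = $FullName; InGac = $false; Location = $null }
    }
}

# Usage (placeholder path):
# Install-GacAssembly 'C:\source\RandomcodemonkeyDLL.dll'
# Test-GacAssembly (Get-StrongName 'C:\source\RandomcodemonkeyDLL.dll').FullName
# Uninstall-GacAssembly 'C:\source\RandomcodemonkeyDLL.dll'
```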





A good way of getting the names of your assemblies :
Simplest way to get the strong name of an assembly
http://nileshmandekar.blogspot.co.uk/2012/03/simplest-way-to-get-strong-name-of.html


A very elegant way of getting the dll's in and out via script is like this from Fred :
http://fredericloud.com/2011/01/08/no-gacutil-no-problem/

AntiVirus exclusions for MS SharePoint 2010



Foundation and SharePoint Server

Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions

If you do not want to exclude the whole "Web Server Extensions" folder from antivirus scanning, you can exclude only the following two folders:

Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Logs
Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Data\Applications

Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files
Drive:\Users\service account\AppData\Local\Temp\WebTempDir

Drive:\ProgramData\Microsoft\SharePoint\
Drive:\Users\the account that the search service is running as\AppData\Local\Temp

Note : the search account creates a folder in the "gthrsvc_spsearch4 Temp" folder to which it periodically needs to write.
Drive:\WINDOWS\system32\LogFiles
On 64 Bit Windows 2008 Server with 64 Bit Product, the location is Drive:\Windows\Syswow64\LogFiles

Note : if you use a specific account for SharePoint services or application pool identities, you may also have to exclude the following folders:
Drive:\Users\ServiceAccount\AppData\Local\Temp
Drive:\Users\Default\AppData\Local\Temp



SharePoint Server

You may have to configure the antivirus software to exclude the "Drive:\Program Files\Microsoft Office Servers" folder from antivirus scanning for SharePoint Server 2010. If you do not want to exclude the whole "Microsoft Office Servers" folder from antivirus scanning, you can exclude only the following folders:

Drive:\Program Files\Microsoft Office Servers\14.0\Data

(This folder is used for the indexing process. If the Index files are configured to reside in a different folder, you also have to exclude that location.)
Drive:\Program Files\Microsoft Office Servers\14.0\Logs
Drive:\Program Files\Microsoft Office Servers\14.0\Bin
Drive:\Program Files\Microsoft Office Servers\14.0\Synchronization Service
Any location you choose to store the disk-based BLOB cache, for example C:\blobcache. For more information on the BLOB cache, see: http://technet.microsoft.com/en-us/library/ee424404.aspx#Section1



Full list of exclusions for other SharePoint versions here : http://support.microsoft.com/kb/952167

Sunday 4 March 2012

Just a blog to help myself keep track of tips and tricks. If anything comes directly from another blog I'll mention you along the way.
Hope it's of help to a few of you too.