Loopback Check configuration Tool released – free download

Hi All.

It is here! Free for all! DOWNLOAD

I am happy to announce that the Loopback Check Tool has finally been made available at Codeplex – https://loopbackchecktool.codeplex.com
No more last minute t-shooting the loopback check and ending up disabling it, trying to find the KB or a decent blog post on how to do it.

This Tool takes care of it all for you. Download the exe, put it on your servers, run it to configure the Loopback Check feature simple and easy.

Its simple.
Its small (21kb zipped)
Only click and make it happen
No installation, one single exe that works on most Windows Servers (and clients)
Disable the Loopback check completely (Not recommended)
Enable or Disable the Loopback Check function
Enable it and add excluded URLs (Recommended, now easy to do)

This is a preview image of what the tool looks like

The tool works fine on:

Windows Server 2012
Windows Server 2012 R2
Windows Server 2008 R2
Windows Server 2008
Windows 7
Windows 8
Windows 8.1
And probably a few more…

References:

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version
http://support.microsoft.com/kb/896861/en-us

A quick guide to configuring the Loopback check
https://blog.blksthl.com/2013/05/07/a-quick-guide-to-configuring-the-loopback-check/

DisableLoopbackCheck & SharePoint: What every admin and developer should know.
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

Thanks to:

Herakles and Gutke!

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Export a document library using Export-SPWeb and itemurl

Export-SPWeb

(This is my better version of the TechNet articles on the same CMDlet that does a poor job with the details, I hope that it will help some of you)
SharePoint 2010 | SharePoint 2013

‘

Applies to: SharePoint Foundation 2010 | SharePoint Server 2010 | SharePoint Foundation 2013 | SharePoint Server 2013

‘

Exports a site, list, or library.

‘
Export-SPWeb [-Identity] <GUID/Name/SPWeb object> -Path <String> [-AssignmentCollection <SPAssignmentCollection>] [-CompressionSize <Int32>] [-Confirm [<SwitchParameter>]] [-Force <SwitchParameter>] [-HaltOnError <SwitchParameter>] [-HaltOnWarning <SwitchParameter>] [-IncludeUserSecurity <SwitchParameter>] [-IncludeVersions <LastMajor | CurrentVersion | LastMajorAndMinor | All>] [-ItemUrl <String>] [-NoFileCompression <SwitchParameter>] [-NoLogFile <SwitchParameter>] [-UseSqlSnapshot <SwitchParameter>] [-WhatIf [<SwitchParameter>]]

‘

——————–EXAMPLE———————–

Export-SPWeb http://site –Path "c:\temp\site export.cmp" -ItemURL "/subsite/documents"

This example exports the document library at http://site/subsite/documents to a new file called ‘site export.cmp' in the ‘C:\temp’ directory.

‘

Parameters

Parameter

Required

Description

Identity

Required

Specifies the URL or GUID of the Web to be exported. The type must be either
– a valid GUID, in the form ‘12345678-90ab-cdef-1234-567890bcdefgh’
– a valid name of a SharePoint site (for example, MySPSite1)
or a URL: http://blog.blksthl.com
or an instance of a valid SPWeb object

Path

Required

Specifies the name of the export file. If the -NoFileCompression parameter is used, a directory must be specified; otherwise, any file format is valid.
Example: “c:\temp\exportedsite.cmp” or with the -NoFileCompression “c:\temp\exportedsite\”

AssignmentCollection

Optional

Manages objects for the purpose of proper disposal. Use of objects, such as SPWeb or SPSite, can use large amounts of memory and use of these objects in Windows PowerShell scripts requires proper memory management. Using the SPAssignment object, you can assign objects to a variable and dispose of the objects after they are needed to free up memory. When SPWeb, SPSite, or SPSiteAdministration objects are used, the objects are automatically disposed of if an assignment collection or the Global parameter is not used.

Note:

When the Global parameter is used, all objects are contained in the global store. If objects are not immediately used, or disposed of by using the Stop-SPAssignment command, an out-of-memory scenario can occur.

CompressionSize

Optional

Sets the maximum file size for the compressed export files. If the total size of the exported package is greater than this size, the exported package will be split into multiple files.

Confirm

Optional

Prompts you for confirmation before executing the command. For more information, type the following command: get-help about_commonparameters

Force

Optional

-Force Forcefully overwrites the export package if it already exists.The type must be either of the following values:
–True
–FalseThe default value is False.

HaltOnError

Optional

Stops the export process when an error occurs.

HaltOnWarning

Optional

Stops the export process when a warning occurs.

IncludeUserSecurity

Optional

Preserves the user security settings except for SPLists that have broken inheritance and item level permissions set.
(Use Import-SPWeb with –IncludeUserSecurity to preserve security on import)

IncludeVersions

Optional

Indicates the type of file and list item version history to be included in the export operation. If the
-IncludeVersions parameter is absent, the Export-SPWeb cmdlet by default uses a value of CurrentVersion. The type must be any one of the following versions:
LastMajor “Last major version for files and list items (default)”
CurrentVersion “The current version, either the last major version or the last minor version”
LastMajorAndMinor “Last major and last minor version for files and list items”
All “All versions for files and list items”

ItemUrl

Optional

Specifies the relative path to the object to be exported. Can also be a GUIDThe type must be a valid relative path, for example, /Subsite/Documents
or a valid GUID in the form: 12345678-90ab-cdef-1234-567890bcdefgh

NoFileCompression

Optional

Either enables or disables file compression in the export package. The export package is stored in the folder specified by the Path parameter or Identity parameter. We recommend that you use this parameter for performance reasons. If compression is enabled, the export process can increase by approximately 30 percent.

NoLogFile

Optional

Suppresses the generation of an export log file. If this parameter is not specified, the Export-SPWeb cmdlet will generate an export log file in the same location as the export package. The log file uses Unified Logging Service (ULS).It is recommended to use this parameter. However, for performance reasons, you might not want to generate a log file.

UseSqlSnapshot

Optional

Specifies a SQL Database Snapshot will be created when the export process begins, and all exported data will be retrieved directly from the database snapshot. This snapshot will be automatically deleted when export completes.

WhatIf

Optional

Displays a message that describes the effect of the command instead of executing the command. For more information, type the following command: get-help about_commonparameters

References:

Export-SPWeb
http://technet.microsoft.com/en-us/library/ff607895(v=office.15).aspx

Export a site, list, or document library (Search Server 2010)
http://technet.microsoft.com/en-us/library/ff428101(v=office.14).aspx

Thanks to:

Mattias Gutke – CAG – My main man!

___________________________________________________________________________________________________

Good Luckl!!

Regards

Twitter | Technet Profile | LinkedIn

Move your SharePoint IIS sites from the systemdrive(C:)

Move your SharePoint IIS sites from the systemdrive(C:)
or avoid putting them there in the first Place.

Do you see the lion that is totally in the wrong Place…or is it the Jeeps that are…?

Deal fellow SharePointlovers!

This time, I’ll try to show you how to avoid the messed up situation most SharePoint installations are in, with everything on the systemdrive, or C:
Now, us people have over time been better and better at one thing, we understand that the logfiles should not be located on the systemdrive, so we have learned over time to move the ULS log and the Usage and Health log from C:, some have even been clever enough to move even the IIS log from C:

But, what do we still always, always, always, find installed on C:?… … …yes, C:\inetpub!

It not very strange though, the developers of Windows Server have made a point out of not giving us an option to install inetpub on a different path, not unless you do an unattended installation or otherwise script or Control your installation. The ‘Add/Remove roles’ wizards in Server 2008, 2008R2 and 2012 all lack this option (for a reason).

BUT! This is intentially, the default inetpub location should and must be in the systemdrive, IIS is considered an operating system Component and has to be there for a number of reasons. At the end you will find a link to a KB article that explains this in more detail. Leave inetpub and its subfolders where it is!

So, why would we want to do this anyway
why move the inetpub and all of its content, or at least the separate site catalogs to a different drive?
– Separation (Performance and Security)
– Compartmentalization (Performance and Security)
Having averything on the same drive is bad for a few reasons, primarily performance and security. Perfomance since the OS is on the C drive and security because if an attacker by some means gets access to a different less secure applications sitecatalog, they also get access to the systemdrive and possible also all other webapplication sitecatalogs. Moving them to other drives, same or different, helps mitigate both possible issues.
I therefore recommend doing this:

Do your regular installation, add the Web Server role and let the inetpub folder end up on C:, like I said, no worries. Whats important for us will not be located there anyway.
Next, edit the registry to make the default location of inetpub be for example D: (unless this is were you will be putting all of your logfiles, then select a third or fourth drive)
Install the SharePoint as you would normally do, Central administration will now end up were you pointed the default location.
Create your Web Applications using the GUI or PowerShell and leave out the path, the IIS sites will be were you wanted them.

So, how do we do this in more detail? A Guide…

Configure the Web Server(s)

1. Configure the default location

On all of your web servers in the farm, and on your Central Administration server(s), edit the registry key that Controls the default location:

Start regedit by, Right clicking in the very lower left corner and you will get a list of actions, click on Run.

Type Regedit and click Ok.

Click Yes in the UAC dialog.

In Registry Editor, we locate the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp

Under ‘InetStp’ we have a number of keys.

Locate and Edit the key PathWWWRoot from the default: (%systemdrive%)

to: (D: or where you prefer to locate it, E: F: G: H:…)

There you go! All set, no IIS reset or restarts of any kind required.
Like said before, go on and do this on all servers that will host a webserver (WFE or CA). If you don’t, then you will have an inconsistent setup making Everything very hard to setup and t-shoot.

2. Add SharePoint
After this has been changed on all of you r web servers, you can go ahead and install the SharePoint binaries and configure your farm, The Central Administration site will now be located on the drive you have specified, it will be in the exact same path as it normally would but on a different drive. For example: ‘D:\inetpub\wwwroot\wss\VirtualDirectories\20000\’

Note that the Central Administration UI will now be default suggest a different path:

If you create a new site using PowerShell, it will also by default put it in D: even if you don’t specify any path:

New-SPWebApplication -Name TheVeryFirst -ApplicationPool SharePoint -HostHeader theveryfirst.corp.balkestahl.se -Port 80 -Url theveryfirst.corp.balkestahl.se -DatabaseServer blksthl-sql -DatabaseName SP11_Content_TheVeryFirst

As you can see, were done! 🙂

For the logfiles, I’ll make a separate post, they should also be moved, more so even than the sitefolders. Logfiles will fill up the disks, they will slow performance and maybe most importantly, they contain delicate information that you want to keep separated from the OS and IIS.

References:

Guidance for relocation of IIS 7.0 and IIS 7.5 content directories
http://support.microsoft.com/kb/2752331

Configure ULS log and Usage and Health log location
https://blog.blksthl.com/2013/06/05/configure-uls-log-and-usage-and-health-log-location/

Thanks to:

Mikael Nyström (The Deployment Bunny) – Truesec
Mattias Gutke – CAG

___________________________________________________________________________________________________

Good Luckl!!

Regards

Twitter | Technet Profile | LinkedIn

SharePoint Security – State of the Union

SharePoint Security – State of the Union

A call to action regarding SharePoint and Security

Citizens of SharePoint!
I would like to say a little something about SharePoint and Security.
The usual focus when talking about IT and Security is technical aspects of security, it is a global phenomenon and it has always been like that. My most private thinking on the reasons for this is, that technical solutions simply are a lot more fun than the boring processes and policies. Take a Windows laptop for example, when discussing security it always comes down to Bit locker instead of discussing how you work to be secure.
SharePoint is no different, but in the SharePoint industry I feel that we have taken it even further, we do not even feel that Security is that much fun, or even that important maybe, the SharePoint community feels that custom solutions and architectural designs, maybe even corporate branding are a lot more fun than any aspect of Security.

Titanic, the unsinkable ship that sunk

In my personal opinion this is a shame and my hope is that this will gradually change in the future toward a more Security aware SharePoint community.
Developing new solutions, new custom applications and designing the world’s most elaborate SharePoint architecture will for a while yet I realize, be more interesting to the individual engineer than promoting the importance of keeping your local admin groups clean and why you should not logon using the farm account, for the most experienced Certified Master same as for the SharePoint IT-Pro beginner.
This is a fact and the risk is that we will start to see downsides from this as SharePoint for real has by now, found its rightful place in most every company’s infrastructure, all over the world.
Now you are probably starting to wonder how I can be so bold to state these things unfounded and without proof? You are probably thinking that you yourself is not like that, you do care about Security and all this is just about everyone else, if even that. Maybe some of us are better and some are worse, but we can all do better.
I have a feeling and I have some proof:
– I have for a while now worked dedicated with SharePoint Security, reviewing existing SharePoint environments and designing and implementing fresh new environments. During this period I have yet to come by a Security aware design of a SharePoint environment (my own designs excluded obviously).
– I have customers that have come to me and stated that part of the reason that they have contacted me, is that there simply is no other partner that focuses on SharePoint and Security and that can offer the services that I do. I am according to my customer, without competition, at least in my part of the world.
– I have seen from the SharePoint conference participant surveys, that of all of the topics that the participants want to hear more about next year, Security is always at the very bottom of the list.
– The number one rated and watched session at TechEd this year, was about hacker tools…

I may be wrong but I doubt it, security is not really on our agenda.
In my experience, all of us in this larger and larger SharePoint community, should pay a little extra attention on Security in all that we do. Not only in the Security technical aspects that we implement because we have to, take for example Kerberos authentication (Link to guide). Kerberos is a great Security feature that will enhance the Security in most SharePoint environments, but not many implementations have been made for the Security aspects of it, but for the simple reason that a double-hop scenario required it and thus it was implemented (visit my blog for an easy step by step guide to Kerberos in SharePoint).
Also, many, many SharePoint environments out there are setup by developers, I beg your pardon developers, but your focus is often to get a working test and development platform up and running, not to make it secure and stable. Also, after a solution has been developed and tested for functionality, your job is often done. The result is often something that is less than perfect in terms of Security.

It would be really nice if we could all help to change this, if we could all do just a few things that will in fact make the SharePoint environment more secure or at least, make it harder to penetrate and easier to keep track of.

I have made a list of things that we could all easily think of and do, and that would help SharePoint Security awareness.

Keep the number of local server administrators down to a minimum (0).

In most SharePoint environments we can assume that a local server administrator can get access to all of the content in SharePoint. Use domain groups, add an individual’s user account only as needed and remove when he/she is done.
You’ll find a command at the end that will show you a course list of the members of the local administrators group.

Do not disable the Loopback check on your Web servers.

This is a great Security feature, it will make life a little harder on a possible intruder, so why disable it. Add the URLs you need instead. If you buy a house and it has an alarm installed, you do not disable it, you grant access to the members of your family. Also worth mentioning, you should always avoid browsing from the server, but some features like search may depend on accessing the local server so a configuration may be the best answer.
You’ll find a PowerShell script at the end how you can easily configure it to allow the URL’s you need instead of disabling it completely.

Disable the SQL authentication and especially the SA account.

These account are completely unmanaged and unmonitored, it is a popular backdoor for any hacker.
They are rarely used and when used often by legacy applications, if they are, find out why and reconfigure or put the legacy app on a separate instance or server.

Never use Shared accounts (Never ever!).

I still see people defending the ‘setup account’ (shared installation and configuration user) and they state that it is given special permissions that are required later on. Operations people with a lot of people coming and going often use a ‘server monitor’ account that can be borrowed and used to get easy and fast access to the server. It is often a local account and often has a password that is well known by all…
In my opinion, there is never or very rarely a reason to keep a shared account. If you absolutely feel that you must, use a domain account and more importantly, disable it when it is not used. Also, change the password regularly.

Keep the Windows Firewall On (Ports-Link/Conf-Link).

Need I even explain this? It is however a sad fact that it is often disabled even in a production environment. It should be used and on in all environments, the development environment would else make an easy target for the evil hacker.
Configure it even during development, there are many ways to do it, PowerShell may be the simplest, check my blog blksthl.com on how to.
If you don’t do it right away, you or your customer will most likely forget to enable and configure it when you are done.

Keep the IE ESC On – Internet Explorer Enhanced Security Configuration.

A server is not really meant for us to browse SharePoint sites or the internet, use a client machine or a separate test server if you have to. If you MUST browse from this particular SharePoint server, disable it for admins only and enable it when done.
You’ll find a PowerShell script at the end how you can easily configure it.

Use HTTPS on Central Administration site.

Often, too often, https is used for web applications bt usually not for the central administration site, it is a bit of configuring and thinking to get it working, but it is a recommended way to protect your Environment. Remember, passwords will at times be transfered in cleartext on the central admin site.
Follow the Word of Spencer Harbar to get it done:
Using SSL for Central Administration with SharePoint 2013
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

***

Summary,
My hope is, that we will all try do something extra when it comes to Security in the future, do your best to leave a better more secure environment behind, take a while instructing the customer on the importance of keeping the environment secure even after you have left. Make them aware as well.
If you or your customers need a wakeup call, please watch my dear colleague’s session from TechEd North America this year voted no 1, Marcus Murray and Hasain Alshakarti at Truesec:
Live Demonstration: Hacker Tools You Should Know and Worry About
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B309#fbid=SxGCyIja7i5
After you or your customer has seen what can be done with simple tools avalable to all…perhaps the general attitude towards security processes may improve a bit?

Final word: It is not all about cool buzzwords/technologies like oauth or claims or federations, it is even more about processes and boring policies…

Configure Loopbackcheck (Link) In a PowerShell prompt running as administrator: Get-Item -path ”HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”) -PropertyType “MultiString” (Replace mine with your own URL’s and add more using double quotes and a comma and space as separator) Make the changes stick with: Restart-Service IISADMIN

Configure IE ESC (Link) In a PowerShell prompt running as administrator: function Disable-IEESC { $AdminKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 Stop-Process -Name Explorer } Disable-IEESC (You have to hit enter twice after pasting the script)

Crude list of all members of Local Administrators In a PowerShell prompt running as administrator: Gwmi win32_groupuser | where-object {$_.groupcomponent –like ‘*”Administrators”‘} | ft partcomponent There are better looking examples out there but this is a one-liner that does the trick…

References:

DisableLoopbackCheck & SharePoint: What every admin and developer should know. (Spencer Harbar folks)
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

A quick guide to configuring the Loopback check
https://blog.blksthl.com/2013/05/07/a-quick-guide-to-configuring-the-loopback-check/

Configure automatic password change in SharePoint 2013 using PowerShell
https://blog.blksthl.com/2013/05/14/configure-automatic-password-change-in-sharepoint-2013-using-powershell/

TCP/IP Ports of SharePoint 2013
https://blog.blksthl.com/2013/02/21/tcpip-ports-of-sharepoint-2013/

A guide to https and Secure Sockets Layer in SharePoint 2013
https://blog.blksthl.com/2012/12/20/a-guide-to-https-and-secure-sockets-layer-in-sharepoint-2013/

How to disable IE Enhanced Security in Windows Server 2012
https://blog.blksthl.com/2012/11/28/how-to-disable-ie-enhanced-security-in-windows-server-2012/

The first Kerberos guide for SharePoint 2013 technicians
https://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/

Using SSL for Central Administration with SharePoint 2013
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

Thanks to:

Hasain Alshakarti – TrueSec
Marcus Murray – TrueSec
TrueSec Sweden / TrueSec US
Spencer Harbar – harbar.net
Andrija Marcic – Microsoft

___________________________________________________________________________________________________

Consider?

Regards

Twitter | Technet Profile | LinkedIn

A guide to Alternate Access Mappings Basics in SharePoint 2013

Alternate Access Mapping Basics in SharePoint 2013

(This post is in its entirety valid for SharePoint 2010 as well)

Explains how you should look at Alternate Access Mappings – left to right.
Alternate Access Mappings is something that most SharePoint engineers or administrators struggles with. More often than not, you get it right in the end but we are not really sure why it works or if it really works the way we want it to.
This, is my attempt to make it easy to understand.

Note: This is part 1 in a series, the next part will show how to configure DNS and a simple scenario adding a new NetBIOS name as URL to a Web Application.

Note: For the complete guide, with DNS steps and 4 different scenarios including https, download the free Whitepaper from TechNet: The final guide to Alternate Access Mappings

In order to make AAMs simpler to understand, look at it a bit differently, start with this simple table:

Left area            Internal URL’s
Right area          Public URL’s with a zone
Middle area        Zones, is what connects Internal URL’s to Public URL’s, many to one.

Internal URL redirects or transforms to a Public URL, from left, to right. The URL on the left, is what you enter in the address field in your browser, the Public URL on the right is what you will see once there, this goes for visible and invisible links as well.
Internal URL format: Protocol + URL (+non default port)

Public URL is the address of the Web Application for one of the five zones available. The ‘Default’ must be filled out and has some special properties/uses, the other four are optional. You can only have five Public URL’s per Web Application.
This is the URL that the browser will be redirected to in the end.
Public URL format: Protocol + URL (+non default port)

Zone is a label representing a Public URL, the zone is used to ‘connect’ an Internal URL to a Public URL. The zone names has no relation what so ever with the four Internet Explorer security zones (Internet, Local Intranet, Trusted sites and Restricted sites) and could just as easily been named 1,2,3,4 and 5. A zone can also represent an authentication provider.
Zones: Default, Intranet, Internet, Custom, Extranet

Example:

Note: Based on the Zone selected for every Internal URL, they will be connected to a Public URL.

From left – to right…
The zones might as well be represented by numbers:

Note: Try to always use the most used URL as the default Public URL. This is what will be used by other services, like crawl and in certain other links.

Translated to SharePoint GUI, this same setup would look like this:

Note: Filtered on this Web Applications Alternate Access Mapping Collection only.
Same Alternate Access Mappings as in the Example table above.

You will see that if you click on any of the ‘Internal URLs’ that you can select zone, and with the zone, the Public URL it will be connected to:

In addition to the actual Alternate Access Mapping in SharePoint Central Administration, you also have to add a Binding in IIS, contrary to what many believe, except for the initial hostheader when you create the web application, SharePoint does not do that for you, so you have to do it manually.
The example above would show up in IIS Bindings like this:

As you can see, in IIS 8.0 and Windows Server 2012, the https binding does show up as a hostname, in IIS 7.5 and Windows Server 2008 R2, the hostname is determined by the name configured in certificate used when adding that binding and hidden in this view.

That’s it! When you have configured your AAM’s and Bindings correctly, given that you have name resolution and IP addresses in order and connectivity from the client to the server(s) and all other aspects in order, you can now start to use the URL’s you want.

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Whitepaper: The final guide to Alternate Access Mappings

This 45 page Guide is now available as a Free PDF download from Microsoft Technet Gallery.
Download : The final guide to Alternate Access Mappings

A preview of the whitepaper:

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Whitepaper: The final guide to SharePoint 2010 Site Settings

The Guide is now available as a PDF download from Microsoft Technet Gallery.
Download : The final guide to SharePoint 2010 Site Settings

A preview of the whitepaper:

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Whitepaper: The final Kerberos guide for SharePoint technicians

The Guide is now available as a PDF download from Microsoft Technet Gallery.
Download : The final Kerberos guide for SharePoint technicians

A preview of the whitepaper:

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Passphrases in SharePoint- why do we bother?

You all know about the passphrase in SharePoint (2010 and later) right? You name it during farm Creation using Powershell or the Config Wizard. It must be a complicated string of characters and it has to hold a certain length (exact requirements stated below)

Do we really need it?

Since you can replace the passphrase (Change your PassPhrase using PowerShell) without having the old one, all you need is to be a member of the farm administrators SharePoint Group. So…the use of the PassPhrase is what? You don’t need to save it since all you have to do when it is required (join farm) is to change it…and if you have the passphrase, you still have to enter the farm account (Database Access Account) username and password, so you still need the permissions…

The Passphrase in SharePoint 2013 Preview is described as:
(From the ‘Deployment guide for Microsoft SharePoint 2013 Preview’)
Although a passphrase resembles a password, it is usually longer to improve security. It is used to encrypt credentials of accounts that are registered in SharePoint 2013 Preview. For example, the SharePoint 2013 Preview system account that you provide when you run the SharePoint Products Configuration Wizard. Ensure that you remember the passphrase, because you must use it every time that you add a server to the farm.

Ensure that the passphrase meets the following criteria:

Contains at least eight characters
Contains at least three of the following four character groups:
- English uppercase characters (from A through Z)
- English lowercase characters (from a through z)
- Numerals (from 0 through 9)
- Nonalphabetic characters (such as !, $, #, %)

So…now that you have read all this, do we really need it? Why bother? Is it one more layer of real security or more more layer of persieved security?

-It’s easily replaced/reset (see Change your PassPhrase using PowerShell)
-You still need the farmaccount credentials to join
-It’s seldom used and thus easily lost (in real life! yes)
-For the encryption purposes, SharePoint could use a random key that you never have to see or know about…
_________________________________________________________

Please Comment!

Regards

Twitter | Technet Profile | LinkedIn

The final Kerberos guide for SharePoint technicians

Kerberos…the two headed dog? Three heads? A weird kind of German sausage? Anything to do with a sidewalk? It is something you learn to respect deeply but don’t really know exactly just what it is…or how to manage? (At least this statement goes for the three headed dog…don’t know about the sausage…)

(Kerberos and Herakles)

I have had problems with getting SharePoint to work with Kerberos, I can’t lie about that. Most of the time, I have had TechNet articles, The Whitepaper (242 pages) and other peoples great blog posts to help me. All have been good and have aimed to help get it going, but none have given me the easy way to configure and verify. This is what I’m aiming at here with this bold title:

‘The final Kerberos guide for SharePoint technicians’

I hope to accomplish what others have failed at, not to try and explain everything about Kerberos and SharePoint, but only to show how to get it working easy and how to verify that you have succeeded, with as little work as possible and with the Tools at hand if possible.

Looking for the 2013 version of this guide? You will find it here.

I have during my struggles found that there are a few steps that you always need to take, and most of the time you do these steps and then nothing else. Follow this guide and most of you will be all right, I will later on try to add the same simple steps for more ‘advanced’ scenarios as well, like with SSRS or RSS feeds, SQL and such.

The steps I am talking about, what are they then…? Follow the guide below and you will find out.

Scenario 1 – Basic

Kerberos authentication to SharePoint 2010 site on default port 80 with a single SharePoint Web Server(Windows Server 2008 R2) from Windows 7, IE 9. (using Basic delegation/Unconstrained delegation)
This guide can be downloaded as a whitepaper from the Microsoft Technet Gallery.
The final Kerberos guide for SharePoint technicians

This guide is also available in a SharePoint 2013 version, adapted to the slight differences in SharePoint 2013 preview.
The first Kerberos guide for SharePoint 2013 technicians

(This guide assumes that a normal NTLM authentication to the same Web Application with the same user has been verified, by adding this line I’m among other things taking AAM and site permissions out of the equation. These things have to work before attempting to use this guide)

Note: To perform some of these procedures, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory and you have to be a member of the Farm Administrators Group in SharePoint, or you must have been delegated the appropriate authorities. As a security best practice, consider using ‘Run as’ when applicable to perform these procedures.

Checklist:

Step	Summary
1. Name Resolution	An entry for the Web Applications URL must exist in either DNS or in the clients hosts file.
2. Service Principal Names	HTTP SPN’s must be created for the Web Application URL(s) and its Application Pool service account.
3. Delegation	The SharePoint Web Server must be ‘Trusted for delegation’ in Active Directory.
4. Authentication Provider	The Web Applications Authentication provider must be set toAuthentication type: WindowsIIS Authentication setting: Integrated Windows authentication/Negotiate(Kerberos)
5. Verification of functionality(IMPORTANT!)	Klist.exe on client must have a HTTP ticket for URL and User accountSecurity log on SharePoint Web Server must have event ID 4624 with user and kerberos. (If Kerberos fails NTLM authentication will be used!)
References and Credits

–

Step 1

Name Resolution

There are two ways to do this, one excellent and one less excellent, the lesser of the two is really only ‘allowed’ for developing or testing purposes, but it exists and should be taken into consideration. Testing is also something that you will want to do here, and the less modifications you must do that requires a service down or a (Service Management) change order at an early stage, the better. Use Hosts for testing, then DNS in production.

DNS

Make sure that the URL of the Web Application has a A-Record in DNS, if not, you need to create it.

A server that is joined to an Active Directory Domain gets a A-record created automatically, but verify that it is there.

Create a A-Record in DNS using the following:

1.1 Open DNS Management in Administrative Tools on a DNS server.

1.2 Expand forward lookup zones container.

1.3 Right click on the zone (domain name) and click on new host (A or AAAA).

1.4 Type in the name of the record, this is the URL of the Web Application (minus the domain part in a FQDN)

1.5 Type in the IP Address of the SharePoint Web Server

1.6 Click on ‘Add Host’

1.7 Click on ‘Done’

1.8 Verify that the record has been created in the right pane.

1.9 In a Command Prompt, ping the Web Application URL.

1.10 You are now done with step 1, Name Resolution. Move on to step 2. Service Principal Name(SPN).

Note: A known issue exists with some clients (IE7 and IE8 included) that causes kerberos authentication to fail with the use of DNS alias instead of an A-Record.

Hosts (not recommended method)

1.x1 Locate the hosts file on your client or server if this is what you are using as client. It is located in the following path: C:\Windows\System32\Drivers\etc\hosts. Use Notepad to open it(open notepad using right click and ‘Run as Administrator’ and you will be allowed to save the changes)

1.x2 At the bottom of the file, add a row with the following: IP-Address<tab>hostname/FQDN <enter>

– Example:

192.168.1.112 sharepoint

– Also add any FQDN’s needed, like in my example:

192.168.1.112 sharepoint.corp.balkestahl.se

Note: Always end the last line with a Linefeed/Enter, else you may experience issues using the hosts file.

1.x3 Save the file using the same filename(hosts only, no extension)

You are now done with step 1, Name Resolution. Move on to step 2. Service Principal Name(SPN).
Back to main menu

–

Step 2

Service Principal Name(SPN)

Note: To perform these procedures, you must have membership in Domain Admins, Enterprise Admins, or you must have been delegated the appropriate authority. For information on delegating the permissions to modify SPNs, see Delegating Authority to Modify SPNs.

Note: To use setspn, you must run the setspn command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click ‘Run as administrator’.

When creating or setting up your SPN’s, you need some basic information first, as you will be creating HTTP SPN’s you need a URL and a Service account name. If the SharePoint Web Application has both a NetBIOS name and an FQDN, then you need to create separate SPN’s for both.

2.1 Start by opening a Command Prompt ‘Running as administrator’ (See note at the start of this step 2)

2.2 Next, list all SPN already in Place for the Service Account, type:

setSPN -L domain\serviceaccount (hit enter) or without the domain name setSPN -L serviceaccount (hit enter)

Wait for it…

Most likely, you get back nothing. This is ok. If you do get some registered SPN’s back, just make sure that they are not the same as the ones you are about to add, if they aren’t they you can leave them be.

2.3 Next, we create our own SPN’s for the service account paired with the Web Application and SPN type, to create this SPN type:

setspn -S HTTP/mywebappurl domain\serviceaccount (hit enter) Note: HTTP can be upper or lowercase, does not matter.

2.4 Next, verify that it has been created ok, type:

setspn -L domain\serviceaccount (hit enter)

Wait for it…

Now, the result should be one more entry than you had before, you should see your new SPN listed.

HTTP/mywebappurl

2.5 For good measure, add also an SPN for the FQDN, type:

setspn -S HTTP/mywebappurl.domain.com domain\serviceaccount (hit enter)

2.6 Listing the SPN’s now should list one additional SPN, type:

setspn -L domain\serviceaccount (hit enter)

If Everything has gone well and you had no previous SPN’s created from this service account, then the result from the command will be:

HTTP/mywebappurl

HTTP/mywebappurl.domain.com

The necessary SPN’s have now been created successfully and the service will be able to request tickets in your name.

Note: Using the -S parameter with setspn when creating an SPN will check for duplicates before creating a new one, thus eliminating the risk of duplicate SPN’s, which would cause Kerberos to fail.

You are now done with step 2, Service Principal Name(SPN). Move on to step 3. Trust for delegation.
Back to main menu

–

Step 3

Trust for delegation

Note: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

By default, no server is trusted for delegation, meaning that a service on a server in the Active Directory, cannot act on a user’s behalf, basically this means that a service if trusted for delegation, can impersonate a user and request a Kerberos ticket in the users name.

Change this setting in Active Directory using the following:

3.1 Open Active Directory Users and Computers.

3.2 In the console tree, click Computers. (Or the appropriate OU where your SharePoint Web Server resides)

3.3 Right-click the computer you want to be trusted for delegation, and click Properties

3.4 On the Delegation tab, click ‘Trust this computer for delegation to any service (Kerberos only)’.

3.5 Click OK.

You are now done with step 3. Trust for delegation. Move on to step 4. Authentication Provider.
Back to main menu

–

Step 4

Authentication Provider

Note: To perform this procedure, you must be a member of the SharePoint Farm Administrators group, or you must have been delegated the appropriate authority.

Note: If you are creating a new Web Application at this Point, simply select ‘Classic Mode Authentication’ as authentication and ‘Negotiate(Kerberos)’ as Authentication provider in the Security Configuration dialog during Web Application creation.

In order for the Web Application and SharePoint to use Kerberos instead of the default NTLM, we have to configure SharePoint to use just that. Unlike what many Think, there is no way to force SharePoint to use only Kerberos, what we have available is the option to use Kerberos if possible, else use NTLM. Don’t ask me why this is so, but this is what we have. However, if all of the Kerberos Components are configured correctly, this is what will be used for authentication at all times.

So…the last configuration Before testing it all out…configure SharePoint to use Kerberos using the following:

4.1 In the Central Administration, go to ‘Application Management’ – ‘Manage Web Applications’

4.2 Select the Web Application you want to configure, and click on Authentication providers in the top ribbon.

4.3 In the ‘Authentication Providers’ dialog, click on the authentication provider you want to alter, usually its default.

4.4 In the ‘Edit Authentication’ dialog, verify that ‘Authentication Type’ is set to: ‘Windows’.

4.5 Scroll down the dialog to ‘IIS Authentication Settings’, there change the setting from ‘Integrated Windows Authentication’ and NTLM, to ‘Integrated Windows Authentication’ and ‘Negotiate (Kerberos)’

4.6 Click OK in the popup dialog saying that ‘you have chosen to use Kerberos…’

4.7 Scroll down to the end of the dialog and click Save.

You have now made the modifications needed in SharePoint for Kerberos authentication to function, now we have to verify that the Changes has been made to IIS by SharePoint.

To verify the IIS Web Site Authentication settings, follow these steps:

4.8 In Internet Information Services (IIS) Manager, locate the Web Application under ‘Sites’.

4.9 Select the Web Application and in the middle pane under the heading ‘IIS’, locate ‘Authentication’

4.10 Select the ‘Authentication’ Icon and in the right ‘Actions’ pane, clikc on ‘Open Feature’.

4.11 In the Authentication dialog, select Windows Authentication (usually at the bottom).

4.12 Click on ‘Providers’ in the right ‘Actions’ pane.

4.13 Verify that ‘Negotiate’ and ‘NTLM’ are the only ones listed and that they are listed in that order, ‘Negotiate’ at the top.

4.14 Click Cancel and then again in the right ‘Actions’ pane click on ‘Advanced Settings’.

4.15 Verify in the ‘Advanced Settings’ dialog that ‘Extended Protection’ is ‘Off’ and that ‘Enable Kernel-mode authentication’ is unchecked.

4.16 Click Cancel.

4.17 Exit Internet Information Services Manager.

You are now done with step 4. Authentication Provider. Move on to step 5. Verification of functionality.
Back to main menu

Note: DO NOT make any Changes using the Internet Information Services Manager, if Changes need to be made, Always use the SharePoint Central Administration interface.
Another way to make changes to SharePoint is PowerShell, which is also a recommended way if you really know what you are doing.

–

Step 5

Verification of functionality

Many Tools exist that can be used to verify that Kerberos authentication actually occurs, Tools such as NetMon(Network Monitor), WireShark, Fiddler, KerbTray and many more can be used for this step. I have however focused on two Tools that will be sufficient and that exists already in the Environment. I have chosen to focus on these two:

Klist (Client)

Security Log (Server)

Klist

(Klist is available on Windows server 2008 and later and on Windows 7 and later, for Windows Server 2003, see note at the end of this step)

Before anything, Close down all open Internet Explorers or other browser sessions you have open.

5.1 On the client, start a command prompt as administrator (Right click, ‘Run as administrator’).

5.2 Flush the DNS cache, type:
Ipconfig -flushdns (hit enter)

5.3 List all tickets on the system, type:
klist (hit enter)
Note: this does not affect any other functionality on the client or server

The tickets listed does not necessarily have anything to do with us at this point (SharePoint).

5.4 Now, we want to clean up this list so that we can see if a new ticket is granted to our user when logging on to SharePoint.

Clear the list, type:
klist purge (hit enter)
Note: this does not affect any other functionality on the client or server

In the prompt you will see:

Deleting all tickets:

Ticket(s) purged!

5.5 Try again listing all tickets, type:

klist (hit enter)

This time the list should be empty. (if not, then some service has managed to connect again during the time from that you purged until you ran Klist again)

5.6 With an empty Kerberos ticket list, open up a new Internet Explorer session and go to the URL of the Web Application.

5.7 When authenticated and logged into the site, all loaded ok

5.8 Switch back to the command prompt and again, type:

klist (hit enter)

Now, with Kerberos working, you will see two tickets, the most important one is the second ticket(#1) that contains:

Client: username@domain.com

Server: HTTP/mywebappurl

KerbTicket Encryption Type:

And a few timestamps and similar stuff. This is good!

If you see this ticket, things are working! Now, all we have to do is verify that it looks good on the Web Server as well.

Close down the Command Prompt and move on to the next task in this guide, the security log.

Note: For Windows Server 2003, KLIST is available as a free download in the Windows Server 2003 Resource Kit Tools. To obtain the tools, visit the following Microsoft Web site: Download Klist here

Security Log

Verify that the Web Server Authenticates the user using Kerberos using the following:

5.9 On the SharePoint Web Server, in Administrative Tools, open up Event Viewer.

5.10 Expand the ‘Windows Logs’ container and locate the ‘Security’ Log.

5.11 In the Security log, locate a recent event with the ID of 4624. This event should be a successfull logon, and hold the security ID and accountname of the user that accessed the SharePoint Web Application using Internet Explorer on the client, and it should also state:

Logon process: Kerberos

Authentication Package: Kerberos.

If you can verify that you do have this event, then you are done, Kerberos works!

You are now done with step 5. Verification of functionality, there are no more steps from here…

This means that if you have successfully completed all steps in this guide, you have managed to configure Kerberos for SharePoint.

CONGRATULATIONS!
Back to main menu

–

Thanks to, for technical and spiritual support!

Hasain Alshakarti – Truesec

Mattias Gutke – Enfo Zipper

Anders Grönlund – Enfo Sweden

Markus Murray – Truesec

Herakles – Unknown

–

References

Configure Kerberos authentication for SharePoint 2010 Products
http://technet.microsoft.com/en-us/library/ff829837.aspx

Plan for Kerberos authentication (SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/ee806870.aspx

Setspn (Windows Server 2008, Windows Server 2008 R2)
http://technet.microsoft.com/en-us/library/cc731241(v=ws.10).aspx

Klist (Windows Server 2008 R2)
http://technet.microsoft.com/en-us/library/hh134826(v=ws.10).aspx

Plan authentication methods (SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/cc262350.aspx

DNS Server Overview (Windows Server 2008)
http://technet.microsoft.com/en-us/library/cc770392(v=ws.10).aspx

Trust for delegation (Windows Server 2003 but this still goes)
http://technet.microsoft.com/en-us/library/cc739764(v=ws.10).aspx

How the Kerberos Version 5 Authentication Protocol Works
http://go.microsoft.com/fwlink/p/?LinkID=196644

Kerberos Explained (old but still good)
http://technet.microsoft.com/en-us/library/bb742516.aspx

Microsoft Kerberos
http://msdn.microsoft.com/en-us/library/aa378747(VS.85).aspx

Kérberos (lat. Cérberus)
http://en.wikipedia.org/wiki/Cerberus

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn