A quick-guide to setting up OWA with SharePoint 2013 – start to finish

Future and existing Office Web Apps – OWA Lovers!
😁
This time, I just found that a quick guide like this was something that I needed myself, and since I could not find anything that was short and compact enough, I made my own guide…
This Little guide is completely based on the TechNet articles mentioned in the references section, but this is nontheless a lot shorter and easier to follow.

–

The old Clock at Oakwood station
–

–
–

Click your OWA task of choice:

Step 1

Prepare a 2008 R2 Server to run OWA

Prepare a 2012 Server to run OWA

Step 2

Install Office Web Apps Server

Step 3

Deploy a single-server Office Web Apps Server farm that uses HTTPS

Step 4

Configure SharePoint to use OWA over https (recommended)

Configure SharePoint to use OWA over http

Additional

Disconnect SharePoint from OWA farm

Configure the Default open behavior for documents

Credits and References

–
–
Prepare a 2008 R2 server to run Office Web Apps Server

1. Install the following software (Minimum required):

2. Import the server module
(In a PowerShell prompt running as administrator and with the SharePoint snapin loaded)
Import-Module ServerManager

3. Add the required Features and Roles by running this command:
Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support

4. Restart the server if prompted when the command finishes.

5. Done

TechNet Reference
Back to menu

–
–
Prepare a 2012 server to run Office Web Apps Server

1. In a PowerShell prompt running as administrator, add the required Features and Roles by running this command:
Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices

2. Done

TechNet Reference
Back to menu

–
–
Install Office Web Apps Server
1. Download Office Web Apps Server from the Microsoft Download Center (Link).

2. Run Setup and walk through the steps in the wizard.
Windows Server 2012, open the .img file directly and run Setup.exe
Windows Server 2008 R2 SP1, use any program that can mount or extract .img files. Then run Setup.exe

3. Download and install the Office Web Apps Server update KB2810007.

TechNet Reference–
Back to menu

–
–
Deploy a single-server Office Web Apps Server farm that uses HTTPS

If components of the .NET Framework 3.5 were installed and then removed, you might see “500 Web Service Exceptions” or “500.21 – Internal Server Error” messages when you run OfficeWebApps cmdlets. To fix this, run the following sample commands from an elevated command prompt to clean up settings that could prevent Office Web Apps Server from functioning correctly:
In Windows Server 2008 R2:
%systemroot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru
iisreset /restart /noforceIn Windows Server 2012:
dism /online /enable-feature /featurename:IIS-ASPNET45

1. Create the Office Web Apps Server farm

New-OfficeWebAppsFarm -InternalUrl <InternalURL> -ExternalUrl <ExternalURL> -CertificateName <CertificateName> -EditingEnabled

<InternalURL> FQDN name of the server that runs Office Web Apps Server
<ExternalURL> FQDN name that can be accessed on the Internet
<CertificateName> Is the friendly name of the https/SSL certificate used
-EditingEnabled, optional and is added to enable editing in Office Web Apps

2. Verify that the Office Web Apps Server farm was created successfully

Go to the https://internal.url.com/hosting/discovery
If you see a (WOPI)-discovery XML file in your web browser then all is good.

Depending on the security settings of your web browser, you might see a message that prompts you to select Show all content before the contents of the discovery XML file are displayed.

3. Done

TechNet Reference –
Back to menu

–
–
Configure SharePoint to use OWA over https (recommended)
(In a PowerShell prompt running as administrator and with the SharePoint snapin loaded)

The Web Application to be used must be configured to use Claims as authentication method, else OWA will not work.

1. Create new binding:
New-SPWOPIBinding -ServerName <WacServerName>
(<WacServerName> must be the FQDN internal URL)

2. Verify current zone:
Get-SPWOPIZone

3. Change to internal-https if it is set to http:
Set-SPWOPIZone –zone “internal-https

4. Verify https:
Get-SPWOPIZone

5. Verify functionality in a document library (Not using the system account, appearing as sharepoint\system)
Click on the ‘Three dots’ after a documents name and see if you get a preview, if you do, its all good!

6. Done

TechNet Reference –
Back to menu

–
–
Configure SharePoint to use OWA over http
(In a PowerShell prompt running as administrator and with the SharePoint snapin loaded)

The Web Application to be used must be configured to use Claims as authentication method, else OWA will not work.

1. Create new binding:
New-SPWOPIBinding -ServerName -AllowHTTP
( must be the FQDN internal URL)

2. Verify current zone:
Get-SPWOPIZone

3. Change to internal-http:
Set-SPWOPIZone –zone “internal-http”

4. Verify http:
Get-SPWOPIZone

5. Check AllowoverHttp setting:
(Get-SPSecurityTokenServiceConfig).AllowOAuthOverHttp

6. Set AllowOAuthOverHttp to True.
$config = (Get-SPSecurityTokenServiceConfig)
$config.AllowOAuthOverHttp = $true
$config.Update()

7. Verify change:
(Get-SPSecurityTokenServiceConfig).AllowOAuthOverHttp

8. Verify functionality in a document library (Not using the system account, appearing as sharepoint\system)
Click on the ‘Three dots’ after a documents name and see if you get a preview, if you do, its all good!

9. Done

TechNet Reference –
Back to menu

–
–
Disconnect SharePoint from OWA farm
(In a PowerShell prompt running as administrator and with the SharePoint snapin loaded)

1. Remove the binding
Remove-SPWOPIBinding –All:$true

2. Done

TechNet Reference –
Back to menu

–
–
Configure the Default open behavior for documents

1. On a per farm level: Adjust the default open behavior on a per-file-type basis by using the New-SPWOPIBinding and Set-SPWOPIBinding Windows PowerShell cmdlets.

2. On a per Site Collection level by activating the ‘Open Documents in Client Applications by Default’ site Collection feature.

3. On a per Document library level using the Library setting – Advanced setting – ‘Default open behavior for browser-enabled documents’

4. Done

TechNet Reference –
Back to menu

–
–
References:

Deploy Office Web Apps Server
http://technet.microsoft.com/en-us/library/jj219455.aspx

Configure SharePoint 2013 to use Office Web Apps
http://technet.microsoft.com/en-us/library/ff431687.aspx

Configure the default open behavior for browser-enabled documents (Office Web Apps when used with SharePoint 2013)
http://technet.microsoft.com/en-us/library/ee837425.aspx

Set-SPWOPIBinding
http://technet.microsoft.com/en-us/library/jj219454.aspx

Plan Office Web Apps (Used with SharePoint 2013)
http://technet.microsoft.com/en-us/library/ff431682.aspx

SharePoint authentication requirements for Office Web Apps
http://technet.microsoft.com/en-us/library/ff431682.aspx#authentication

Configuring Office Web Apps in SharePoint 2013 (Steve Peschka – Microsoft)
http://blogs.technet.com/b/speschka/archive/2012/07/23/configuring-office-web-apps-in-sharepoint-2013.aspx

Enabling Licensing and Editing for Office Web Apps in SharePoint 2013 (Steve Peschka – Microsoft)
http://blogs.technet.com/b/speschka/archive/2012/12/31/enabling-licensing-and-editing-for-office-web-apps-in-sharepoint-2013.aspx

Thanks to:

Mattias Gutke! All the time dude!
Ankie D – a great customer who has forced me to learn more on OWA
Stefan K – Another customer who made me refresh my knowledge
Steve Peschka, he wrote the original guide…see ref section

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Revised A guide to quick SharePoint 2013 branding – part 2 – with Javascript

NO DEVELOPMENT IN VISUAL STUDIO OR SHAREPOINT DESIGNER REQUIRED

This is revision 2 of the A guide to quick SharePoint 2013 branding – part 2 – with Javascript. A few of the javasnippets turned out to stop working if MDS, Minimal Download Strategy was in affect which made the branding miss the target. The lines of javacode in this revised post has been corrected and will now work just as well with MDS.
I have to send a BIG thank you to Anurag Yagnik for getting me on the right track and for verifying the functionality. THANKS!

Hi dear SharePointies and SharePoints.

Welcome to the revised part 2, the revised version has some changes and rather updating the original post, I’ll keep some history and get a new post out with slightly different content.
I assume that you have seen and followed part 1, A guide to quick SharePoint 2013 branding so I will not cover every step needed, some you will have to get from part 1.
This is for all of you SharePoint technicians and enthusiasts out there who are not developers or don’t really have time or feel like learning the new ‘Design Manager’. All of the steps here can be done using only a Windows client and appropriate permissions.

This guide has been verified in SharePoint Online. If you have done the steps in Onpremise server and/or Foundation, please drop me a comment and I will add that here and also give you credit for it.

In part 1, we added a custom masterpage, a css/stylesheet file, a favicon and a logo image. We configured SharePoint to use the custom masterpage and in that we referenced the custom css, the favicon and the logo. All good.
Now, we want to get rid of the annoying default blue ‘banner’ with the Office 365 logo(SPO), the SharePoint text (Onprem/Foundation).
Without using Visual Studio…or SharePoint Designer…

In this short guide, I will use a site located in SharePoint Online (2013/Preview, link at the end), but the steps are exactly the same in an onprem environment.

For the permanent production branding, I have to recommend using Visual Studio to create a wsp package, as long as you add the same files as I do here it will work the same. That way you will have an installable package that can be reinstalled and used in test and dev environment. You can also make sure the package works Before moving it into production.

We will in part 2, make this (pretty good):

Look like this (even better):

In my opinion, a whole lot better!
Now let’s get on with branding our site:

Use the sitecollection you used before, or simply any site collection will do. Work with the rootsite as usual.

To do what I am going to do, we need two new and one modified file:

truesec.js – New (Contains all the actual JavaScript code)
TrueSec_transparent_white.png – New (New logo, White on transparent for a nice effect)
truesec.master – Old (only modified to load the JavaScript file)

I will start by creating a simple JavaScript file, use a local folder to store your files in, we will later upload them to SharePoint.

Yes, you want to change the extension.
I added this JavaScript lines to my truesec.js file, see inline comments to see what it does

_spBodyOnLoadFunctionNames.push(“myinit”);

function myinit()
{
// This function makes sure that the script is executed after the page has completed loading
ExecuteOrDelayUntilScriptLoaded(function () {
if (typeof asyncDeltaManager != “undefined”)
asyncDeltaManager.add_endRequest(ConfigureBrandingsuite);
else ConfigureBrandingsuite();
}, “sp.js”);
}

function ConfigureBrandingsuite()
{
// Thanks to Anurag Yagnik for the enhanced script
var v_icon, v_iconbox;
var v_suiteBarLeftm, v_ribbonbox;
var v_link;
// Replace the default logo with my own shiny white with transparant background, oh-yeah!
var v_newImageSrc=”../_catalogs/masterpage/truesec/TrueSec_transparent_white.png”;

// get link reference so that we can point to our website, replace with your own
v_link = document.getElementById(“suiteBrandingLink”);
v_link.href=”https://blog.blksthl.com“;

// get icon reference so that we can change properties
v_icon = document.getElementById(“suiteBrandingIcon”);
v_iconbox = document.getElementById(“suiteBrandingIconBox”);
v_suiteBarLeft = document.getElementById(“suiteBarLeft”);
v_ribbonbox = document.getElementById(“s4-ribbonrow”);

// customize icon, icon box, background color and title
// Setting the background of the entire suitebarleft to jet-black for maximum effect
v_suiteBarLeft .style.background = “#000000”;
// v_ribbonbox.style.display=”none”;
// Setting the width to a little more than default, else the image may be cropped
v_iconbox.style.width=”200px”;
v_icon.src = v_newImageSrc;
v_icon.style.width=”150px”;
v_icon.style.left=”0″;
v_icon.style.top=”0″;
v_icon.alt=”Go to My Portal”;
v_icon.title=”Go to My Portal”;

// site specific – hide logo since we already have on on top left now
//document.getElementById(“ctl00_onetidHeadbnnr2″).style.display=”none”;

return false;
}

Make sure that your quotes and double quotes are correct, copying from a webpage often result in misformatted quotes. Avoid this by reviewing the code thoroughly in notepad. The ‘wrong’ kind usually leans to one or the other direction, whilst the ‘correct’ kind are straight. Example:

Ok, thats one out of three files, moving on to the masterpage.
This you may allready have stored locally, but if you don’t, download a copy from SharePoint. I’ll use my custom truesec.master from part 1.

In your SharePoint site collection root, select Site Settings, then ‘Web Designer Galleries/Master pages’

In the master page gallery, navigate to your custom folder, mine is named ‘TrueSec’ obviously…

Open the custom branding folder and in it, locate you master page.
Select the file in the checkbox and click on ‘Download a Copy’.

Save the file to your local folder.

Now, we will add a simple line to the masterpage, right click on the masterpage and select edit in notepad.

Locate the following SharePoint:Scriptlinks:

After the line:
<SharePoint:ScriptLink language=”javascript” name=”suitelinks.js” OnDemand=”true” runat=”server” Localizable=”false” />

Add:
<SharePoint:ScriptLink ID=”ScriptLink1″ runat=”server” Defer=”False” Name=”~siteCollection/_catalogs/masterpage/TrueSec/truesec.js”></SharePoint:ScriptLink>

Make sure that your quotes and double quotes are correct, copying from a webpage often result in misformatted quotes.
Avoid this by reviewing the code thoroughly in notepad. The ‘wrong’ kind usually leans to one or the other direction, whilst the ‘correct’ kind are straight.
Example:

With the code added, that part of the masterpage will now look like this:

<SharePoint:ScriptLink language=”javascript” name=”sharing.js” OnDemand=”true” runat=”server” Localizable=”false” />
<SharePoint:ScriptLink language=”javascript” name=”suitelinks.js” OnDemand=”true” runat=”server” Localizable=”false” />

<SharePoint:ScriptLink ID=”ScriptLink1″ runat=”server” Defer=”False” Name=”~siteCollection/_catalogs/masterpage/TrueSec/truesec.js”></SharePoint:ScriptLink>

<SharePoint:CustomJSUrl runat=”server” /> <SharePoint:SoapDiscoveryLink runat=”server” />

or:

Save the file and leave it for now. We will upload all the files later.

So, two out of three done.
Time for the simplest one, the image. I wanted to add something a bit different than the logo I have already added, so I went with a logo in white on black instead of black on white. The image file is White on transparent and then the java script sets the background to jet-black which makes it all perfect. You use the images you want and for your customer/company/organization and make the decisions based on the colors you have there, I bet it will be beautiful!

Ok, if you started out like I did with the ‘light branding’ already in Place, then you are pretty much done, all we need to do is upload the files and reload the page to see the result. Go to your site, open ‘Site settings’, ‘Master page’, browse to your folder, in my case its ‘/TrueSec’. Once here, select the ‘Files’ tab and ‘Upload Document’.

Now, if you already had the custom master selected in the site, it will load automatically with the JavaScript and all. Load the site in a browser to see the result:

If any of the branding does not show up, one good T-shooting step is to go to the MasterPage gallery again and the ‘truesec’ folder. In here, click on the dropdown for each file and make sure they are all published, if you get the option to ‘Publish a major version’ do it. That helps a lot of times when anything is wrong.
If anything is so wrong so that you can’t access any of the sites, use this link: [URL to your team site]/_layouts/15/ChangeSiteMasterPage.aspx, it will allow you to switch back to the ‘Seattle master’ and get access to the libraries and settings again. Make Changes, fix the problem, upload the new file and switch back to your custom master again to test.

Where to go from here?
In addition to the objects I have modified using java, there are several you can figure out how to configure for yourselves. If you want to find the objects, you can use F12 – Developer Toolbar that is built into IE.
Or, use any of these that are part of the 2013 default objects:
suiteBarLeft
suiteBarRight
suiteBrandingBox
DeltaSuiteLinks
suiteBarRight
RibbonContainer-TabRowRight

All og these have different properties to be configured, google, test, play around and find out what can be done.

References:

SharePoint 2013 Execute Javascript function after MDS load
http://blog.symprogress.com/2013/09/sharepoint-2013-execute-javascript-function-after-mds-load/

SharePoint 2013 Top links – Name, ID and How to Hide them (Excellent post on the objects and a start, how to hide them completely)
http://www.tuyrcorp.com/sharepoint-2013-top-links-name-id-and-how-to-hide-them/

A great place to learn html and css
http://www.w3schools.com/

Great overall branding blogger
http://blog.drisgill.com/

Map a network drive to the SharePoint 2013 Master Page Gallery
http://msdn.microsoft.com/en-us/library/jj733519.aspx

How to: Convert an HTML file into a master page in SharePoint Server 2013
http://msdn.microsoft.com/en-us/library/jj822370.aspx

Starter Master Pages for SharePoint 2013 (more advanced branding)
http://startermasterpages.codeplex.com/

Office 365 Preview
http://www.microsoft.com/office/preview/en/office-365-enterprise

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Export a document library using Export-SPWeb and itemurl

Export-SPWeb

(This is my better version of the TechNet articles on the same CMDlet that does a poor job with the details, I hope that it will help some of you)
SharePoint 2010 | SharePoint 2013

‘

Applies to: SharePoint Foundation 2010 | SharePoint Server 2010 | SharePoint Foundation 2013 | SharePoint Server 2013

‘

Exports a site, list, or library.

‘
Export-SPWeb [-Identity] <GUID/Name/SPWeb object> -Path <String> [-AssignmentCollection <SPAssignmentCollection>] [-CompressionSize <Int32>] [-Confirm [<SwitchParameter>]] [-Force <SwitchParameter>] [-HaltOnError <SwitchParameter>] [-HaltOnWarning <SwitchParameter>] [-IncludeUserSecurity <SwitchParameter>] [-IncludeVersions <LastMajor | CurrentVersion | LastMajorAndMinor | All>] [-ItemUrl <String>] [-NoFileCompression <SwitchParameter>] [-NoLogFile <SwitchParameter>] [-UseSqlSnapshot <SwitchParameter>] [-WhatIf [<SwitchParameter>]]

‘

——————–EXAMPLE———————–

Export-SPWeb http://site –Path "c:\temp\site export.cmp" -ItemURL "/subsite/documents"

This example exports the document library at http://site/subsite/documents to a new file called ‘site export.cmp' in the ‘C:\temp’ directory.

‘

Parameters

Parameter

Required

Description

Identity

Required

Specifies the URL or GUID of the Web to be exported. The type must be either
– a valid GUID, in the form ‘12345678-90ab-cdef-1234-567890bcdefgh’
– a valid name of a SharePoint site (for example, MySPSite1)
or a URL: http://blog.blksthl.com
or an instance of a valid SPWeb object

Path

Required

Specifies the name of the export file. If the -NoFileCompression parameter is used, a directory must be specified; otherwise, any file format is valid.
Example: “c:\temp\exportedsite.cmp” or with the -NoFileCompression “c:\temp\exportedsite\”

AssignmentCollection

Optional

Manages objects for the purpose of proper disposal. Use of objects, such as SPWeb or SPSite, can use large amounts of memory and use of these objects in Windows PowerShell scripts requires proper memory management. Using the SPAssignment object, you can assign objects to a variable and dispose of the objects after they are needed to free up memory. When SPWeb, SPSite, or SPSiteAdministration objects are used, the objects are automatically disposed of if an assignment collection or the Global parameter is not used.

Note:

When the Global parameter is used, all objects are contained in the global store. If objects are not immediately used, or disposed of by using the Stop-SPAssignment command, an out-of-memory scenario can occur.

CompressionSize

Optional

Sets the maximum file size for the compressed export files. If the total size of the exported package is greater than this size, the exported package will be split into multiple files.

Confirm

Optional

Prompts you for confirmation before executing the command. For more information, type the following command: get-help about_commonparameters

Force

Optional

-Force Forcefully overwrites the export package if it already exists.The type must be either of the following values:
–True
–FalseThe default value is False.

HaltOnError

Optional

Stops the export process when an error occurs.

HaltOnWarning

Optional

Stops the export process when a warning occurs.

IncludeUserSecurity

Optional

Preserves the user security settings except for SPLists that have broken inheritance and item level permissions set.
(Use Import-SPWeb with –IncludeUserSecurity to preserve security on import)

IncludeVersions

Optional

Indicates the type of file and list item version history to be included in the export operation. If the
-IncludeVersions parameter is absent, the Export-SPWeb cmdlet by default uses a value of CurrentVersion. The type must be any one of the following versions:
LastMajor “Last major version for files and list items (default)”
CurrentVersion “The current version, either the last major version or the last minor version”
LastMajorAndMinor “Last major and last minor version for files and list items”
All “All versions for files and list items”

ItemUrl

Optional

Specifies the relative path to the object to be exported. Can also be a GUIDThe type must be a valid relative path, for example, /Subsite/Documents
or a valid GUID in the form: 12345678-90ab-cdef-1234-567890bcdefgh

NoFileCompression

Optional

Either enables or disables file compression in the export package. The export package is stored in the folder specified by the Path parameter or Identity parameter. We recommend that you use this parameter for performance reasons. If compression is enabled, the export process can increase by approximately 30 percent.

NoLogFile

Optional

Suppresses the generation of an export log file. If this parameter is not specified, the Export-SPWeb cmdlet will generate an export log file in the same location as the export package. The log file uses Unified Logging Service (ULS).It is recommended to use this parameter. However, for performance reasons, you might not want to generate a log file.

UseSqlSnapshot

Optional

Specifies a SQL Database Snapshot will be created when the export process begins, and all exported data will be retrieved directly from the database snapshot. This snapshot will be automatically deleted when export completes.

WhatIf

Optional

Displays a message that describes the effect of the command instead of executing the command. For more information, type the following command: get-help about_commonparameters

References:

Export-SPWeb
http://technet.microsoft.com/en-us/library/ff607895(v=office.15).aspx

Export a site, list, or document library (Search Server 2010)
http://technet.microsoft.com/en-us/library/ff428101(v=office.14).aspx

Thanks to:

Mattias Gutke – CAG – My main man!

___________________________________________________________________________________________________

Good Luckl!!

Regards

Twitter | Technet Profile | LinkedIn

Move your SharePoint IIS sites from the systemdrive(C:)

Move your SharePoint IIS sites from the systemdrive(C:)
or avoid putting them there in the first Place.

Do you see the lion that is totally in the wrong Place…or is it the Jeeps that are…?

Deal fellow SharePointlovers!

This time, I’ll try to show you how to avoid the messed up situation most SharePoint installations are in, with everything on the systemdrive, or C:
Now, us people have over time been better and better at one thing, we understand that the logfiles should not be located on the systemdrive, so we have learned over time to move the ULS log and the Usage and Health log from C:, some have even been clever enough to move even the IIS log from C:

But, what do we still always, always, always, find installed on C:?… … …yes, C:\inetpub!

It not very strange though, the developers of Windows Server have made a point out of not giving us an option to install inetpub on a different path, not unless you do an unattended installation or otherwise script or Control your installation. The ‘Add/Remove roles’ wizards in Server 2008, 2008R2 and 2012 all lack this option (for a reason).

BUT! This is intentially, the default inetpub location should and must be in the systemdrive, IIS is considered an operating system Component and has to be there for a number of reasons. At the end you will find a link to a KB article that explains this in more detail. Leave inetpub and its subfolders where it is!

So, why would we want to do this anyway
why move the inetpub and all of its content, or at least the separate site catalogs to a different drive?
– Separation (Performance and Security)
– Compartmentalization (Performance and Security)
Having averything on the same drive is bad for a few reasons, primarily performance and security. Perfomance since the OS is on the C drive and security because if an attacker by some means gets access to a different less secure applications sitecatalog, they also get access to the systemdrive and possible also all other webapplication sitecatalogs. Moving them to other drives, same or different, helps mitigate both possible issues.
I therefore recommend doing this:

Do your regular installation, add the Web Server role and let the inetpub folder end up on C:, like I said, no worries. Whats important for us will not be located there anyway.
Next, edit the registry to make the default location of inetpub be for example D: (unless this is were you will be putting all of your logfiles, then select a third or fourth drive)
Install the SharePoint as you would normally do, Central administration will now end up were you pointed the default location.
Create your Web Applications using the GUI or PowerShell and leave out the path, the IIS sites will be were you wanted them.

So, how do we do this in more detail? A Guide…

Configure the Web Server(s)

1. Configure the default location

On all of your web servers in the farm, and on your Central Administration server(s), edit the registry key that Controls the default location:

Start regedit by, Right clicking in the very lower left corner and you will get a list of actions, click on Run.

Type Regedit and click Ok.

Click Yes in the UAC dialog.

In Registry Editor, we locate the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp

Under ‘InetStp’ we have a number of keys.

Locate and Edit the key PathWWWRoot from the default: (%systemdrive%)

to: (D: or where you prefer to locate it, E: F: G: H:…)

There you go! All set, no IIS reset or restarts of any kind required.
Like said before, go on and do this on all servers that will host a webserver (WFE or CA). If you don’t, then you will have an inconsistent setup making Everything very hard to setup and t-shoot.

2. Add SharePoint
After this has been changed on all of you r web servers, you can go ahead and install the SharePoint binaries and configure your farm, The Central Administration site will now be located on the drive you have specified, it will be in the exact same path as it normally would but on a different drive. For example: ‘D:\inetpub\wwwroot\wss\VirtualDirectories\20000\’

Note that the Central Administration UI will now be default suggest a different path:

If you create a new site using PowerShell, it will also by default put it in D: even if you don’t specify any path:

New-SPWebApplication -Name TheVeryFirst -ApplicationPool SharePoint -HostHeader theveryfirst.corp.balkestahl.se -Port 80 -Url theveryfirst.corp.balkestahl.se -DatabaseServer blksthl-sql -DatabaseName SP11_Content_TheVeryFirst

As you can see, were done! 🙂

For the logfiles, I’ll make a separate post, they should also be moved, more so even than the sitefolders. Logfiles will fill up the disks, they will slow performance and maybe most importantly, they contain delicate information that you want to keep separated from the OS and IIS.

References:

Guidance for relocation of IIS 7.0 and IIS 7.5 content directories
http://support.microsoft.com/kb/2752331

Configure ULS log and Usage and Health log location
https://blog.blksthl.com/2013/06/05/configure-uls-log-and-usage-and-health-log-location/

Thanks to:

Mikael Nyström (The Deployment Bunny) – Truesec
Mattias Gutke – CAG

___________________________________________________________________________________________________

Good Luckl!!

Regards

Twitter | Technet Profile | LinkedIn

SharePoint Security – State of the Union

SharePoint Security – State of the Union

A call to action regarding SharePoint and Security

Citizens of SharePoint!
I would like to say a little something about SharePoint and Security.
The usual focus when talking about IT and Security is technical aspects of security, it is a global phenomenon and it has always been like that. My most private thinking on the reasons for this is, that technical solutions simply are a lot more fun than the boring processes and policies. Take a Windows laptop for example, when discussing security it always comes down to Bit locker instead of discussing how you work to be secure.
SharePoint is no different, but in the SharePoint industry I feel that we have taken it even further, we do not even feel that Security is that much fun, or even that important maybe, the SharePoint community feels that custom solutions and architectural designs, maybe even corporate branding are a lot more fun than any aspect of Security.

Titanic, the unsinkable ship that sunk

In my personal opinion this is a shame and my hope is that this will gradually change in the future toward a more Security aware SharePoint community.
Developing new solutions, new custom applications and designing the world’s most elaborate SharePoint architecture will for a while yet I realize, be more interesting to the individual engineer than promoting the importance of keeping your local admin groups clean and why you should not logon using the farm account, for the most experienced Certified Master same as for the SharePoint IT-Pro beginner.
This is a fact and the risk is that we will start to see downsides from this as SharePoint for real has by now, found its rightful place in most every company’s infrastructure, all over the world.
Now you are probably starting to wonder how I can be so bold to state these things unfounded and without proof? You are probably thinking that you yourself is not like that, you do care about Security and all this is just about everyone else, if even that. Maybe some of us are better and some are worse, but we can all do better.
I have a feeling and I have some proof:
– I have for a while now worked dedicated with SharePoint Security, reviewing existing SharePoint environments and designing and implementing fresh new environments. During this period I have yet to come by a Security aware design of a SharePoint environment (my own designs excluded obviously).
– I have customers that have come to me and stated that part of the reason that they have contacted me, is that there simply is no other partner that focuses on SharePoint and Security and that can offer the services that I do. I am according to my customer, without competition, at least in my part of the world.
– I have seen from the SharePoint conference participant surveys, that of all of the topics that the participants want to hear more about next year, Security is always at the very bottom of the list.
– The number one rated and watched session at TechEd this year, was about hacker tools…

I may be wrong but I doubt it, security is not really on our agenda.
In my experience, all of us in this larger and larger SharePoint community, should pay a little extra attention on Security in all that we do. Not only in the Security technical aspects that we implement because we have to, take for example Kerberos authentication (Link to guide). Kerberos is a great Security feature that will enhance the Security in most SharePoint environments, but not many implementations have been made for the Security aspects of it, but for the simple reason that a double-hop scenario required it and thus it was implemented (visit my blog for an easy step by step guide to Kerberos in SharePoint).
Also, many, many SharePoint environments out there are setup by developers, I beg your pardon developers, but your focus is often to get a working test and development platform up and running, not to make it secure and stable. Also, after a solution has been developed and tested for functionality, your job is often done. The result is often something that is less than perfect in terms of Security.

It would be really nice if we could all help to change this, if we could all do just a few things that will in fact make the SharePoint environment more secure or at least, make it harder to penetrate and easier to keep track of.

I have made a list of things that we could all easily think of and do, and that would help SharePoint Security awareness.

Keep the number of local server administrators down to a minimum (0).

In most SharePoint environments we can assume that a local server administrator can get access to all of the content in SharePoint. Use domain groups, add an individual’s user account only as needed and remove when he/she is done.
You’ll find a command at the end that will show you a course list of the members of the local administrators group.

Do not disable the Loopback check on your Web servers.

This is a great Security feature, it will make life a little harder on a possible intruder, so why disable it. Add the URLs you need instead. If you buy a house and it has an alarm installed, you do not disable it, you grant access to the members of your family. Also worth mentioning, you should always avoid browsing from the server, but some features like search may depend on accessing the local server so a configuration may be the best answer.
You’ll find a PowerShell script at the end how you can easily configure it to allow the URL’s you need instead of disabling it completely.

Disable the SQL authentication and especially the SA account.

These account are completely unmanaged and unmonitored, it is a popular backdoor for any hacker.
They are rarely used and when used often by legacy applications, if they are, find out why and reconfigure or put the legacy app on a separate instance or server.

Never use Shared accounts (Never ever!).

I still see people defending the ‘setup account’ (shared installation and configuration user) and they state that it is given special permissions that are required later on. Operations people with a lot of people coming and going often use a ‘server monitor’ account that can be borrowed and used to get easy and fast access to the server. It is often a local account and often has a password that is well known by all…
In my opinion, there is never or very rarely a reason to keep a shared account. If you absolutely feel that you must, use a domain account and more importantly, disable it when it is not used. Also, change the password regularly.

Keep the Windows Firewall On (Ports-Link/Conf-Link).

Need I even explain this? It is however a sad fact that it is often disabled even in a production environment. It should be used and on in all environments, the development environment would else make an easy target for the evil hacker.
Configure it even during development, there are many ways to do it, PowerShell may be the simplest, check my blog blksthl.com on how to.
If you don’t do it right away, you or your customer will most likely forget to enable and configure it when you are done.

Keep the IE ESC On – Internet Explorer Enhanced Security Configuration.

A server is not really meant for us to browse SharePoint sites or the internet, use a client machine or a separate test server if you have to. If you MUST browse from this particular SharePoint server, disable it for admins only and enable it when done.
You’ll find a PowerShell script at the end how you can easily configure it.

Use HTTPS on Central Administration site.

Often, too often, https is used for web applications bt usually not for the central administration site, it is a bit of configuring and thinking to get it working, but it is a recommended way to protect your Environment. Remember, passwords will at times be transfered in cleartext on the central admin site.
Follow the Word of Spencer Harbar to get it done:
Using SSL for Central Administration with SharePoint 2013
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

***

Summary,
My hope is, that we will all try do something extra when it comes to Security in the future, do your best to leave a better more secure environment behind, take a while instructing the customer on the importance of keeping the environment secure even after you have left. Make them aware as well.
If you or your customers need a wakeup call, please watch my dear colleague’s session from TechEd North America this year voted no 1, Marcus Murray and Hasain Alshakarti at Truesec:
Live Demonstration: Hacker Tools You Should Know and Worry About
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B309#fbid=SxGCyIja7i5
After you or your customer has seen what can be done with simple tools avalable to all…perhaps the general attitude towards security processes may improve a bit?

Final word: It is not all about cool buzzwords/technologies like oauth or claims or federations, it is even more about processes and boring policies…

Configure Loopbackcheck (Link) In a PowerShell prompt running as administrator: Get-Item -path ”HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”) -PropertyType “MultiString” (Replace mine with your own URL’s and add more using double quotes and a comma and space as separator) Make the changes stick with: Restart-Service IISADMIN

Configure IE ESC (Link) In a PowerShell prompt running as administrator: function Disable-IEESC { $AdminKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 Stop-Process -Name Explorer } Disable-IEESC (You have to hit enter twice after pasting the script)

Crude list of all members of Local Administrators In a PowerShell prompt running as administrator: Gwmi win32_groupuser | where-object {$_.groupcomponent –like ‘*”Administrators”‘} | ft partcomponent There are better looking examples out there but this is a one-liner that does the trick…

References:

DisableLoopbackCheck & SharePoint: What every admin and developer should know. (Spencer Harbar folks)
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

A quick guide to configuring the Loopback check
https://blog.blksthl.com/2013/05/07/a-quick-guide-to-configuring-the-loopback-check/

Configure automatic password change in SharePoint 2013 using PowerShell
https://blog.blksthl.com/2013/05/14/configure-automatic-password-change-in-sharepoint-2013-using-powershell/

TCP/IP Ports of SharePoint 2013
https://blog.blksthl.com/2013/02/21/tcpip-ports-of-sharepoint-2013/

A guide to https and Secure Sockets Layer in SharePoint 2013
https://blog.blksthl.com/2012/12/20/a-guide-to-https-and-secure-sockets-layer-in-sharepoint-2013/

How to disable IE Enhanced Security in Windows Server 2012
https://blog.blksthl.com/2012/11/28/how-to-disable-ie-enhanced-security-in-windows-server-2012/

The first Kerberos guide for SharePoint 2013 technicians
https://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/

Using SSL for Central Administration with SharePoint 2013
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

Thanks to:

Hasain Alshakarti – TrueSec
Marcus Murray – TrueSec
TrueSec Sweden / TrueSec US
Spencer Harbar – harbar.net
Andrija Marcic – Microsoft

___________________________________________________________________________________________________

Consider?

Regards

Twitter | Technet Profile | LinkedIn

Configure ULS log and Usage and Health log location

SharePoint jokers!

If you left the settings in SharePoint 2013 as default when installing and configuring, then you will probably have a log path that looks like this for both the ULS log and the Usage and Health log.
C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\LOGS

If you want to change this to a new path, maybe on a different disk like D: (recommended) or on a simpler path easier to remember, use the following commands:

You will need to run the commands in a PowerShell running as administrator and you will also need to load the SharePoint snapin first, add-pssnapin.
add-pssnapin microsoft.sharepoint

For the Diagnostics log(ULS)
set-SPDiagnosticConfig -LogLocation “D:\Program Files\Common files\Microsoft shared\Web server extensions\15\LOGS”
or
set-SPDiagnosticConfig -LogLocation “D:\SharePoint Logs\ULS”

For the Usage and Health log
set-SPUsageService -UsageLogLocation “C:\Program Files\Common files\Microsoft shared\Web server extensions\15\LOGS”
or
set-SPUsageService -UsageLogLocation “D:\SharePoint Logs\Health”

set-SPDiagnosticConfig -LogLocation “C:\Program Files\Common files\Microsoft shared\Web server extensions\15\LOGS”

In my environment, the Diagnostics trace log path looks like this:

And for the Usage and Health log, it looks like this:

References:

(If the two paths Point to a different location then you may see this in your event log)
6398 – The Execute method of job definition…SPUsageImportJobDefinition
https://blog.blksthl.com/2013/05/27/6398-the-execute-method-of-job-definition-spusageimportjobdefinition/

ULS Log Viewer download
http://archive.msdn.microsoft.com/ULSViewer

Thanks to:

Ankie at my customers, who pointed out the Usage and Health log issue 6398 in the first place.

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

6398 – The Execute method of job definition…SPUsageImportJobDefinition

SharePointees!

Have this critical error in your Eventlog?

The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID ef497ec2-0cbf-4458-91ea-db75422fd9da) threw an exception. More information is included below.

Access to the path ‘C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS’ is denied.

This is a really annoying error in the eventlog, there are many references to this out there but most or even all take the easy way out and that is not for me 🙂

Two suggestions I have seen(that I do not recommend):

1. Add the ‘serviceaccount’ (usually the farm account) to the local administrators Group effectively giving the account full access to the entire filesystem.

2. Give the service account ‘serviceaccount’ (usually the farm account) read/write permissions to the LOGS folder.

Both are wrong, if the system would need access to this Place, why does it not have that allready?
In a real Life scenario I had this in the customers logs, when t-shooting I eventually figured out why they had it. In this customers Environment we had moved the ULS log location.
Central Administration/Monitoring/Configure Diagnostic Logging/Path
We had changed it (during PowerShell setup) to D: as one would…

So far so good, this will not in itself cause you any issues or events.
However, it as the other configurable location that did it. Usage and Health data…

This setting looked like this:

This was the reason…why this setting eaither was changed together with the log or if it would still have access…but no.
We ended up changing this path to D: as well, after all, this is what we really wanted anyway, no eccessive data on C:

Hope this helps anyone else.

Good luck!

Thanks to:

Mattias Gutke at CAG. My main man…

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

SharePoint 2013 page loads takes a very long time

–

Short version: Stopping the Distributed cache service gave me great performance! From 6.10 s to 79 ms

Something is just a liiitle bit off…?

Long story: This is a bit of reality right here…
I was about to give up on one of my labb SharePoint 2013 Environments because it was so extremely slow all the time.
Warmup scripts, reloads, more memory, more CPU, stopping services, stopping search…nothing helped.

I had a constant loadtime of all aspx pages of 6+ seconds, 6.10-6.20 something. Even when the page was just loaded and I pressed F5 to reload, it still took 6.10 seconds.
This was an environment that gave you sensitive nerves…

So, after looking for any solution or more like looking for the little issue that caused this all day, I gave up more or less.
– CPU was at a maximum 40% on SQL, SharePoint cranked it up to 18%…
– Memory consumtion was at 25% of the 12GB SharePoint had…
– SQL was Lightning fast to all other SharePoint farms…
– Network utilization showed about 100Kbps at the most…

I scavenged the internet as usual and found nothing but the standard: add more memeory, add more CPU, stop services, stop search…
None of that helped and I had tried it all…

Then…when all hope was lost, I got on a call with my excellent SharePoint buddy Mattias Gutke, we talked about the issue, his server on a laptop with SSD disks showed 50-100ms loadtime of all pages, reload did nopt even produce a flicker…
Then as often happens, we came to discuss the Distributed cache service, what it did and why it was there and so on…I had already had a look at it but could not find any reason why a default cache would give me this lousy performance. Then, I had a look at the timestamp in the F12 Developer dashbord – Network tab – Start capturing. I saw the home.aspx load and it took the usual 6.10 seconds.
The timestamp could be found in the detailed view and on the response header.
I memorized the timestamp (that was in GMT timezone) and opened up my ULS log. In the log at the exact time of the response header, I saw errors from the distributed cache.

I decided that t-shooting the distributed cache would have to wait, it was getting late…but, before disconnecting the Lync call with Mattias, we decided to try and see just what would happen if I stopped the distributed cache service and loaded the page.
Said and done:

Now, loaded the same site:

Whit the Distributed cache service running:

Notice any difference? Now my SharePoint farm is Lightning fast!!! From 6.10 seconds down to 79 ms!

Why is this so then you ask? No idea, something misconfigured or perhaps this is standard when using a single SharePoint server…anyway, today I don’t care.
Stop the service and the performance is great!

Hope this may help you as it did me!

Thanks to:

Mattias Gutke at CAG. Again, my SharePoint sparring partner no 1…

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Configure automatic password change in SharePoint 2013 using PowerShell

SharePoint fellas!

I have a new tip for you.
My very best SharePoint buddy asked me today how to configure the Automatic password change using PowerShell, he could not find an answer anywhere…it was a good question…seems like the answer was missing and that was when I started to do some research.
I found nothing! Could be that I missed something, but Technet, Blogs, Forums, none had the answer…

The impressive Engine of a Boeing 787 – Dreamliner

After a lot of testing and failing, I managed to produce this working script:

*Must be executed in a PowerShell prompt running as administrator.
*If used in a .ps1 script file, you have to set the execution policy first.
*Replace the domain\accountname with an existing managed account.
*Change the values to valid values that you want to use.

# Set Automatic password change schedule

$SPManagedAccount = Get-SPManagedAccount -Identity “domain\accountname”

#Create a SPMonthlySchedule object and set default properties (as in the gui)
$SPSchedule = new-object Microsoft.SharePoint.SPMonthlySchedule
$SPSchedule.BeginDay = 7
$SPSchedule.EndDay = 7
$SPSchedule.BeginHour = 2
$SPSchedule.EndHour = 3
$SPSchedule.BeginMinute = 0
$SPSchedule.EndMinute = 0
$SPSchedule.beginsecond = 0
$SPSchedule.endsecond = 0

# Set the change schedule on the account
$SPManagedAccount.ChangeSchedule = $SPSchedule
$SPManagedAccount.DaysBeforeExpiryToChange = 2

# Properties not enabled in a default scenario in the GUI
$SPManagedAccount.EnableEmailBeforePasswordChange = $False
$SPManagedAccount.DaysBeforeChangeToEmail = 2

# Enable and make the change
$SPManagedAccount.AutomaticChange = $True
$SPManagedAccount.Update()

Done!

In my environment, it looks like this:

After successfulle updating the Managed Account with the automatic update Schedule, I just typed in

$SPManagedAccount

and hit enter, that gives you the most common properties
If you want to see the entire Schedule with details, type in:

$SPManagedAccount | ft ChangeSchedule

Then you get this:

Thats it, a Schedule has been set!

If you want to use the GUI in central administration to find out what values to set, enable the Automatic Password change on any managed account, than set the values you want in the graphical user interface. Save them by clicking OK.
Next you run the following in your PowerShell prompt:
$SPTemplateManagedAccount = Get-SPManagedAccount “corp\sp10search”
$SPTemplateSchedule = $SPTemplateManagedAccount.ChangeSchedule
$SPTemplateSchedule
This will produce a list looking like this:
BeginDay    : 7
EndDay      : 7
Description : Monthly
BeginHour   : 2
EndHour     : 3
BeginMinute : 0
EndMinute   : 0
BeginSecond : 0
EndSecond   : 0
Use the values in the list in your script and you will have identical values set.

Note: If you want to have a Daily Schedule instead of Monthly like in my example, you will have to modify the script to create a Microsoft.SharePoint.SPDailySchedule object instead.
If you do that, you will also have to remove the lines setting the BeginDay and EndDay values, they are not used in a Daily Schedule object.

Good luck!

References:

Configure automatic password change in SharePoint 2013 (GUI version only)
http://technet.microsoft.com/en-us/library/ff724280.aspx

Plan automatic password change in SharePoint 2013
http://technet.microsoft.com/en-us/library/ff724278.aspx

Thanks to:

Mattias Gutke at CAG. He asked the question…

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

A quick guide to configuring the Loopback check

Update: A free tool is available that does all this for you in a GUI: Loopback Check configuration Tool released – free download

Hi dear friends!

401.1 Access denied…
If you try to access your newly created web application with a real nice FQDN or NetBIOS name and you end up getting a 401.1 Access denied…

Even after adding the site to the local intranet zone in IE…
Even after beeing prompted 3 times and filling in the correct credentials…
After setting up your Search to crawl you sites in a small farm whith crawl and web services on the same server…

You check and doublecheck your credentials, you add yourself as the farm admin, you try logging on with the farm account, but nothing…still 401.1…

I know this has been written about many times Before, but some things seem to still be missing…
Now everyone seems comfortable with the sparse description on how to ‘add hosts to the list’ which is pretty much what you do when configuring the loopback check the ‘secure way’. You can also disable the loopbackcheck completely, but why if there is no real reason. Read Spencer Harbars excellent post on the topic if you need explaining why this is so. It is a few years but it is still the truth!

The KB article 896861 for this is an old one and the title does not really tell you that this is the one you are looking for, ‘type the host name or the host names for the sites that are on the local computer, and then click OK.’ is not crystal…

Jump to:

Configure Loopback check using the GUI

Configure Loopback check using Powershell

Credits and References

What you need to do is this step by step:

In ‘Metro’ mode, type regedit

Regedit will most likely be the only result, hit enter

In regedit, find the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

First…

then…

Now, create a Multi-String Value under the MSV1_0 key.

Type in the name of the new Multi-String value: ‘BackConnectionHostNames’, Hit Enter.

Right click on the value BackConnectionHostNames and coose Modify.

Add the URL you want to be able to access from a local browser on the server.

Don’t know why, but I seem to Always get this. Click Ok.

Viola!

Adding multiple URL’s to the list of ‘trusted’ URL’s, simply make a new line between them.

That will look like this.

To be extra sure that nothing else will sabotage functionality, check so that the URL’s are added to DNS.
(Or local hosts file)

Check so that the URL’s are added as bindings in IIS.

Verify that the URL’s are correct and are added to AAM.

Make sure that the URL is added to the Local Intranet Zone in Internet Explorer (if you need to browse the site from the server, NOT RECOMMENDED!).

Try to access the URL in a browser.

And the other URL.

Done!

Doing the same using PowerShell

Using PowerShell to configure the Loopback check, requires two steps:

1. Add the multistring value to the registry
Get-Item -path “HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”) -PropertyType “MultiString”

2. Restart the IISADMIN service
Restart-Service IISADMIN

1. Add the multistring value to the registry

Given that you have Everything setup correctly, your AAM’s, your DNS entrys, (URL added to local intranetsites zone in IE), and so forth…you can use this single PowerShell command to exclude the URL’s for your sites from the loopbackcheck, this way, you don’t have to disable the loopbackcheck at all (Way better security).

The following command will add my two URL’s to the exclusion list, edit the values to add your own URL’s.

Run this in a PowerShell prompt running in elevaled mode/as Administrator

Get-Item -path “HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”) -PropertyType “MultiString”

Running this will if Everything is done right, show this

This is how it will look if it succeeds!

If you get ‘The property already exists.’, then you already have the ‘BackConnectionHostNames’ value added to the registry, check using registry editor to see if you can delete it or if it has other values that need to be there.

After a successful execution, check the registry to verify

Regedit12x

2. Restart the IISADMIN service

Now you have to restart the IISADMIN service in order for it to ‘reread’ the registry values and implement our Changes.
This is easy, in a PowerShell prompt running in elevaled mode/as Administrator

Restart-Service IISADMIN

Note the typo/bug in the text, it says stopping twice but what it does it stopping and starting

Done!

The command line in step 1 will add two (2) entries to the list, coolsite.corp.balkestahl.se and alias.corp.balkestahl.se. If you need to add more URL’s, add them to the Values, like: -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”, “mycoolnetbiosname”, “extraname.corp.balkestahl.se”).

Make sure that the doublequotes are formated in the proper way if you copy from this post!

That would make the command

and

Restart-Service IISADMIN -force

–

References:

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version
http://support.microsoft.com/kb/896861

Can’t crawl web apps you KNOW you should be able to crawl (Todd Klindt’s oldie but goodie)
http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=107

Thanks to:

As Always, Mattias Gutke! Now at CAG. Always a great help and second opinion!

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn