Office 365 – DTD is prohibited in this document issue

SP2013logo

Got trouble Connection PowerShell to SharePoint online? This could be the resolution to your troubles.
I had this myself, or we had it in our Company tenant. This is what the issue was and this is how I fixed it:

When trying to connect to PowerShell for SharePoint Online, using the Connect-SPOService command, we got a error that did not tell us anything.

The error is:
Connect-SPOService : For security reasons DTD is prohibited in this document. To enable DTD processing set DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.

Well, its almost a joke right…
When searching the web for information on this particular, I struck zero…all I could find related to the ISP and the default search provider something. I quickly dismissed them as unrelated.
Then after some time had passed, I found a similar issue, this seemed related and it was a connectivity issue same as mine (If I still had the link I would give credit to where credit is due). This fellow had resolved the issue by adding a missing DNS record.
This made me think, since our tenant has existed since way Before Office 365 existed (BPOS) perheps we were also missing some of the required DNS records?
I checked with my collegues, and apparently we were missing the record as well.

So, if you ever see or get the ‘DTD prohibited’ issue, remember to check the DNS for the following record:

Type: CNAME
Alias: MSOID
Target: clientconfig.microsoftonline-p.net
Info: Used by Office 365 to direct authentication to the correct identity platform More Information

After I added this to DNS, Connect-SPOService works just fine!

Microsoft’s official explaination on the DNS record:
What’s the purpose of the additional Office 365 CNAME record?

When you run a client application that works with Office 365 such as Lync, Outlook, Windows PowerShell or Microsoft Azure Active Directory Sync tool, your credentials must be authenticated. Office 365 uses a CNAME record to point to the correct authentication endpoint for your location, which ensures rapid authentication response times.If this CNAME record is missing for your domain, these applications will use a default authentication endpoint in the United States, which means authentication might be slower. If this CNAME record isn’t configured properly, for example, if you have a typo in the Points to address, these applications won’t be able to authenticate.

If Office 365 manages your domain’s DNS records,, Office 365 sets up this CNAME record for you.

If you are managing DNS records for your domain at your DNS host, to create this record, you create this record yourself by following the instructions for your DNS host.

References and Credits‘
Nope, not this time…Credits & many thanks to To all of you.

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Loopback Check configuration Tool released – free download

Hi All.

It is here! Free for all! DOWNLOAD

I am happy to announce that the Loopback Check Tool has finally been made available at Codeplex – https://loopbackchecktool.codeplex.com
No more last minute t-shooting the loopback check and ending up disabling it, trying to find the KB or a decent blog post on how to do it.

This Tool takes care of it all for you. Download the exe, put it on your servers, run it to configure the Loopback Check feature simple and easy.

Its simple.
Its small (21kb zipped)
Only click and make it happen
No installation, one single exe that works on most Windows Servers (and clients)
Disable the Loopback check completely (Not recommended)
Enable or Disable the Loopback Check function
Enable it and add excluded URLs (Recommended, now easy to do)

This is a preview image of what the tool looks like

The tool works fine on:

Windows Server 2012
Windows Server 2012 R2
Windows Server 2008 R2
Windows Server 2008
Windows 7
Windows 8
Windows 8.1
And probably a few more…

References:

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version
http://support.microsoft.com/kb/896861/en-us

A quick guide to configuring the Loopback check
https://blog.blksthl.com/2013/05/07/a-quick-guide-to-configuring-the-loopback-check/

DisableLoopbackCheck & SharePoint: What every admin and developer should know.
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

Thanks to:

Herakles and Gutke!

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Managing the Distributed Cache Service in SharePoint 2013

Managing the Distributed Cache Service in SharePoint 2013 using PowerShell

A true multipurpose tractor

Greetings SharePoint Campers!

This time I will just offer a brief cheat sheet for Distributed Cache operations using powershell, which is pretty much the only way you can configure and manage the service.
For some reason, the Distributed Cache seems to offer a lot of people grief, all from no functionality at all to extremely slow responsetimes on all pages loaded (see SharePoint 2013 page loads takes a very long time).

My best tip, the often working quick fix with a malfunctioning cache service, is to first try and stop and start it, then if its still failing, delete the service and add it back again. You should also from the start change the default service account from the farm account to a separate, maybe dedicated managed account.

Quick fix
1.
Stop the service
Start the service
2.
Delete the service
Create a new service
3.
Start checking the logfiles and do a proper t-shooting.

Remember that in a multiserver farm, the PowerShell commands will affect the server where the command has been executed, so make sure to be on the correct server Before runing the CMDlets.

Distributed Cache tasks listed in the following order:

Change the service account running the Distributed Cache
Graceful stop and deattach local server (No lost cache data)
Dettach local server from a cache cluster (Multiple Distributed Cache servers)
Reattach local server to a cache cluster (Multiple Distributed Cache servers)
Delete the service
Create a new service
Start the service on a server
Stop the service on a server
Check current Cache memory allocation
Change the Cache memory allocation
References

Change the service account running the Distributed Cache

It is recommended to use a SharePoint managed account for this service.
$spfarm = Get-SPFarm
$spcacheService = $spfarm.Services | where {$_.Name -eq “AppFabricCachingService”}
$spaccount = Get-SPManagedAccount -Identity domain\spdistcache
$spcacheService.ProcessIdentity.CurrentIdentityType = “SpecificUser”
$spcacheService.ProcessIdentity.ManagedAccount = $spaccount
$spcacheService.ProcessIdentity.Update()
$spcacheService.ProcessIdentity.Deploy()

CurrentIdentityType = “SpecificUser” should be just that and nothing else, do not replace this value

Verify by going to Central administration, Security, Configure Service accounts, Select ‘Windows Service – Distributed Chache’ i dropdown, that the service account has been replaced.

Graceful stop and deattach local server (No lost cache data)

Stop-SPDistributedCacheServiceInstance -Graceful
Remove-SPDistributedCacheServiceInstance

Deattach local server from a cache cluster (Multiple Distributed Cache servers)

Remove-SPDistributedCacheServiceInstance

Reattach local server to a cache cluster (Multiple Distributed Cache servers)

Add-SPDistributedCacheServiceInstance

Delete the service

$instanceName =”SPDistributedCacheService Name=AppFabricCachingService”
$serviceInstance = Get-SPServiceInstance | ? {($_.service.tostring()) -eq $instanceName -and ($_.server.name) -eq $env:computername}
$serviceInstance.delete()

Verify in Central Admin, System Settings, Manage Services on Server. It should be gone from this list when it has been completely deleted.
In a multi server farm, you will have to select which server to show the services from in the top-right dropdown.

Create a new service

Add-SPDistributedCacheServiceInstance

Verify in Central Admin, System Settings, Manage Services on Server. It should appear in this list when it has been created. In a multi server farm, you will have to select which server to show the services from in the top-right dropdown.

Start the service on a server

Stop the service on a server

$instanceName =”SPDistributedCacheService Name=AppFabricCachingService” $serviceInstance = Get-SPServiceInstance | ? {($_.service.tostring()) -eq $instanceName -and ($_.server.name) -eq $env:computername}
$serviceInstance.Unprovision()

Check current Cache memory allocation

Use-CacheCluster Get-AFCacheHostConfiguration -ComputerName $env:computername -CachePort “22233”

Change the Cache memory allocation

On all Cache servers in the farm stop the service
$instanceName =”SPDistributedCacheService Name=AppFabricCachingService” $serviceInstance = Get-SPServiceInstance | ? {($_.service.tostring()) -eq $instanceName -and ($_.server.name) -eq $env:computername}
$serviceInstance.Unprovision()
Update the memory allocation
Update-SPDistributedCacheSize -CacheSizeInMB CacheSize
Start the service on all Cache servers
$instanceName =”SPDistributedCacheService Name=AppFabricCachingService” $serviceInstance = Get-SPServiceInstance | ? {($_.service.tostring()) -eq $instanceName -and ($_.server.name) -eq $env:computername}
$serviceInstance.Provision()

CacheSize is the cache size’s memory allocation assignment in MB

‘

Note: Beware of the signle and double quotes if you copy the code…

‘

References

Manage the Distributed Cache service in SharePoint Server 2013
http://technet.microsoft.com/en-us/library/jj219613.aspx

Plan and use the Distributed Cache service in SharePoint Server 2013 (Poster)
http://www.microsoft.com/en-us/download/confirmation.aspx?id=35557

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Create a bootable Windows Server 2012 R2 installation USB flash drive

Hi Windows connoisseurs! (wiki)

(This is essentially a remake of my Create a bootable Windows 8.1 installation USB flash drive post.) The setps are the same so you can easily follow that post or use this slightly updated version.

In this guide I will help you find a way to install Windows Server 2012 R2 quick and easy, from a simple USB flash drive. It’s really easy, but you still need to Think about a few things.
I’ll list them here and if you want, you can follow the step by step guide below.

Quicksteps:

1. Get a USB Flash drive formatted with FAT32, it has to be AT LEAST 8GB! (The Windows Server 2012R2 installation bits will not fit on a 4GB USB drive…)
2. Download and install the Windows 7 USB/DVD Download tool from Microsoft Store here or Codeplex here (It is an official Microsoft tool, totally wierdly named from the Windows 7 release but still very much valid!)
3. Download or locate a ‘Windows Server 2012 R2’ .iso file and store it locally on your harddrive.
4. Start the Windows 7 USB/DVD Download tool (from startbutton or ‘windows 8/Metro’ style startmenu’?)
5. Complete the steps 1-4
6. Insert the USB flash drive into the powered off PC to install, Power on and boot from USB drive (F9 at HP logo on HP Machines).
7. Install Windows Server as you would normally.
8. Done!

This guide in its entirety works just as well if you replace the Windows Server 2012 R2 .iso file with Windows 8.1, Windows 7, Windows Server 2012 or plain Windows 8 (Windows Server 2008 R2 not verified but willmost likely also work)

Step by step:

1. USB Flash Drive

Prepare a USB flash drive for installation, is has to be at least 8 GB in size and it has to be formatted with FAT32. It does not have to be erased, the tool will do that for you if needed.

Before

2. Download and install the Windows 7 USB/DVD Download tool from Microsoft Store or Codeplex. The Links are as follows:

http://images2.store.microsoft.com/prod/clustera/framework/w7udt/1.0/en-us/Windows7-USB-DVD-tool.exe
or
http://wudt.codeplex.com

Run the .exe file, you will have to be a local administrator on your machine for it to install properly.

Click Next

Click Install

Click Finish

3. Locate a Windows Server 2012 R2 .iso file. This file should be placed on a local harddrive. It does not matter where you put it, as long as it is on a local HD and it is accessable to you when running the tool, meaning that you have access to where the file is stored in the filesystem.

4. After the installation of the tool has completed, you will suddenly notice this tile:

You can also just use the search function, in ‘metro mode’ simply type Windows 7 and you will see it and its uninstall app.
Start the tool
Click Ok at the User Account Control popup dialog
The first screen should now look like this:

5. Hit the Browse button to locate your Windows Server 2012 R2 installation iso file.

In my test, I’m using an .iso file downloaded from TechNet Subscriber downloads (soon to be no more)
It does not have to be from TechNet, it can be MSDN or Volume Licensing or really any form of Windows Server 2012 R2 installation iso.

Click ‘Next’

Click on ‘USB device’
If you see the window below, that means that the USB drive is either not plugged in properly, or it has the wrong formatting or insufficient storage or similar. Make sure that you have a USB flash drive that meets: 4GB minimum+FAT32.

Insert a USB drive that meets the requirements and press the refresh button
Now, click on the ‘Begin copying’ button.

If the USB drive was ok, the copying will begin, but if not, if it still had files still on it, you will see this dialog:

Click Erase to continue

Click Yes and the formatting and copying process will begin.

Let it do its thing until it reaches 100%

When it has finished formatting and copying files, you are done.

After!

6. Next step, is to insert the USB drive into the PC you want to install Windows Server 2012 R2 on, Power it off completely and Power on again.
Use BIOS settings to select ‘boot from USB’ or like on a HP machine, hit F9 at the HP logo screen to boot directly from USB.

7. Let the Installation begin! The Windows installation is pretty much standard. A Clean install is described here. The setup of Windows 8, which is pretty much the same, is described here

8. Done!

References:

Install and Deploy Windows Server 2012 (R2)
http://technet.microsoft.com/en-us/library/hh831620.aspx

Thanks to:

Herakles and Gutke!

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Create a bootable Windows 8.1 installation USB flash drive

Hi Windows Lovers!?

(Looking to install Windows Server? The same steps apply, but for a server specific guide, go here Create a bootable Windows Server 2012 R2 installation USB flash drive)

This time I’ll help you find a way to install Windows 8.1 quick and easy, from a simple USB flash drive. It’s a piece of cake really, but a few things you need to know about.
I’ll list them here and if you want, you can follow the step by step guide below.

Quicksteps:

1. Get a USB Flash drive formatted with FAT32, it has to be AT LEAST 4GB!
2. Download and install the Windows 7 USB/DVD Download tool from Microsoft Store HERE or Codeplex HERE (It is an official Microsoft tool, totally wierdly named from the Windows 7 release but still very much valid!)
3. Download or locate a ‘Windows 8.1’ .iso file and store it locally on your harddrive.
4. Start the Windows 7 USB/DVD Download tool (from startbutton or ‘windows 8 style startmenu’?)
5. Complete the steps 1-4
6. Insert the USB flash drive into the powered off PC to install, Power on and boot from USB drive (F9 at HP logo on HP Machines).
7. Install Windows as you would normally.
8. Done!

This guide in its entirety works just as well if you replace the Windows 8.1 .iso file with Windows 7, Windows Server 2012 or plain Windows 8 (Windows Server 2008 R2 not verified but willmost likely also work)

Step by step:

1. USB Flash Drive

Prepare a USB flash drive for installation, is has to be at least 4 GB in size and it has to be formatted with FAT32. It does not have to be erased, the tool will do that for you if needed.

Before

2. Download and install the Windows 7 USB/DVD Download tool from Microsoft Store or Codeplex. The Links are as follows:

http://images2.store.microsoft.com/prod/clustera/framework/w7udt/1.0/en-us/Windows7-USB-DVD-tool.exe
or
http://wudt.codeplex.com

Run the .exe file, you will have to be a local administrator on your machine for it to install properly.

Click Next

Click Install

Click Finish

3. Locate a Windows 8.1 .iso file. This file should be placed on a local harddrive. It does not matter where you put it, as long as it is on a local HD and it is accessable to you when running the tool, meaning that you have access to where the file is stored in the filesystem.

4. After the installation of the tool has completed, you will suddenly notice this tile:

5. Hit the Browse button to locate your Windows 8.1 installation iso file.

Click ‘Next’

Insert a USB drive that meets the requirements and press the refresh button
Now, click on the ‘Begin copying’ button.

If the USB drive was ok, the copying will begin, but if not, if it still had files still on it, you will see this dialog:

Click Erase to continue

Click Yes and the formatting and copying process will begin.

Let it do its thing until it reaches 100%

When it has finished formatting and copying files, you are done.

After!

6. Next step, is to insert the USB drive into the PC you want to install Windows 8.1 on, Power it off completely and Power on again.
Use BIOS settings to select ‘boot from USB’ or like on a HP machine, hit F9 at tghe HP logo screen to boot directly from USB.

7. Let the Installation begin! The Windows installation is pretty much standard. A Clean install is described here. The setup of Windows 8, which is the same, is described here

8. Done!

References:

Thanks to:

As Always, Mattias Gutke! At CAG for some strange reason….Always a friend, a great help and a second opinion!

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

Move your SharePoint IIS sites from the systemdrive(C:)

Move your SharePoint IIS sites from the systemdrive(C:)
or avoid putting them there in the first Place.

Do you see the lion that is totally in the wrong Place…or is it the Jeeps that are…?

Deal fellow SharePointlovers!

This time, I’ll try to show you how to avoid the messed up situation most SharePoint installations are in, with everything on the systemdrive, or C:
Now, us people have over time been better and better at one thing, we understand that the logfiles should not be located on the systemdrive, so we have learned over time to move the ULS log and the Usage and Health log from C:, some have even been clever enough to move even the IIS log from C:

But, what do we still always, always, always, find installed on C:?… … …yes, C:\inetpub!

It not very strange though, the developers of Windows Server have made a point out of not giving us an option to install inetpub on a different path, not unless you do an unattended installation or otherwise script or Control your installation. The ‘Add/Remove roles’ wizards in Server 2008, 2008R2 and 2012 all lack this option (for a reason).

BUT! This is intentially, the default inetpub location should and must be in the systemdrive, IIS is considered an operating system Component and has to be there for a number of reasons. At the end you will find a link to a KB article that explains this in more detail. Leave inetpub and its subfolders where it is!

So, why would we want to do this anyway
why move the inetpub and all of its content, or at least the separate site catalogs to a different drive?
– Separation (Performance and Security)
– Compartmentalization (Performance and Security)
Having averything on the same drive is bad for a few reasons, primarily performance and security. Perfomance since the OS is on the C drive and security because if an attacker by some means gets access to a different less secure applications sitecatalog, they also get access to the systemdrive and possible also all other webapplication sitecatalogs. Moving them to other drives, same or different, helps mitigate both possible issues.
I therefore recommend doing this:

Do your regular installation, add the Web Server role and let the inetpub folder end up on C:, like I said, no worries. Whats important for us will not be located there anyway.
Next, edit the registry to make the default location of inetpub be for example D: (unless this is were you will be putting all of your logfiles, then select a third or fourth drive)
Install the SharePoint as you would normally do, Central administration will now end up were you pointed the default location.
Create your Web Applications using the GUI or PowerShell and leave out the path, the IIS sites will be were you wanted them.

So, how do we do this in more detail? A Guide…

Configure the Web Server(s)

1. Configure the default location

On all of your web servers in the farm, and on your Central Administration server(s), edit the registry key that Controls the default location:

Start regedit by, Right clicking in the very lower left corner and you will get a list of actions, click on Run.

Type Regedit and click Ok.

Click Yes in the UAC dialog.

In Registry Editor, we locate the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp

Under ‘InetStp’ we have a number of keys.

Locate and Edit the key PathWWWRoot from the default: (%systemdrive%)

to: (D: or where you prefer to locate it, E: F: G: H:…)

There you go! All set, no IIS reset or restarts of any kind required.
Like said before, go on and do this on all servers that will host a webserver (WFE or CA). If you don’t, then you will have an inconsistent setup making Everything very hard to setup and t-shoot.

2. Add SharePoint
After this has been changed on all of you r web servers, you can go ahead and install the SharePoint binaries and configure your farm, The Central Administration site will now be located on the drive you have specified, it will be in the exact same path as it normally would but on a different drive. For example: ‘D:\inetpub\wwwroot\wss\VirtualDirectories\20000\’

Note that the Central Administration UI will now be default suggest a different path:

If you create a new site using PowerShell, it will also by default put it in D: even if you don’t specify any path:

New-SPWebApplication -Name TheVeryFirst -ApplicationPool SharePoint -HostHeader theveryfirst.corp.balkestahl.se -Port 80 -Url theveryfirst.corp.balkestahl.se -DatabaseServer blksthl-sql -DatabaseName SP11_Content_TheVeryFirst

As you can see, were done! 🙂

For the logfiles, I’ll make a separate post, they should also be moved, more so even than the sitefolders. Logfiles will fill up the disks, they will slow performance and maybe most importantly, they contain delicate information that you want to keep separated from the OS and IIS.

References:

Guidance for relocation of IIS 7.0 and IIS 7.5 content directories
http://support.microsoft.com/kb/2752331

Configure ULS log and Usage and Health log location
https://blog.blksthl.com/2013/06/05/configure-uls-log-and-usage-and-health-log-location/

Thanks to:

Mikael Nyström (The Deployment Bunny) – Truesec
Mattias Gutke – CAG

___________________________________________________________________________________________________

Good Luckl!!

Regards

Twitter | Technet Profile | LinkedIn

SharePoint Security – State of the Union

SharePoint Security – State of the Union

A call to action regarding SharePoint and Security

Citizens of SharePoint!
I would like to say a little something about SharePoint and Security.
The usual focus when talking about IT and Security is technical aspects of security, it is a global phenomenon and it has always been like that. My most private thinking on the reasons for this is, that technical solutions simply are a lot more fun than the boring processes and policies. Take a Windows laptop for example, when discussing security it always comes down to Bit locker instead of discussing how you work to be secure.
SharePoint is no different, but in the SharePoint industry I feel that we have taken it even further, we do not even feel that Security is that much fun, or even that important maybe, the SharePoint community feels that custom solutions and architectural designs, maybe even corporate branding are a lot more fun than any aspect of Security.

Titanic, the unsinkable ship that sunk

In my personal opinion this is a shame and my hope is that this will gradually change in the future toward a more Security aware SharePoint community.
Developing new solutions, new custom applications and designing the world’s most elaborate SharePoint architecture will for a while yet I realize, be more interesting to the individual engineer than promoting the importance of keeping your local admin groups clean and why you should not logon using the farm account, for the most experienced Certified Master same as for the SharePoint IT-Pro beginner.
This is a fact and the risk is that we will start to see downsides from this as SharePoint for real has by now, found its rightful place in most every company’s infrastructure, all over the world.
Now you are probably starting to wonder how I can be so bold to state these things unfounded and without proof? You are probably thinking that you yourself is not like that, you do care about Security and all this is just about everyone else, if even that. Maybe some of us are better and some are worse, but we can all do better.
I have a feeling and I have some proof:
– I have for a while now worked dedicated with SharePoint Security, reviewing existing SharePoint environments and designing and implementing fresh new environments. During this period I have yet to come by a Security aware design of a SharePoint environment (my own designs excluded obviously).
– I have customers that have come to me and stated that part of the reason that they have contacted me, is that there simply is no other partner that focuses on SharePoint and Security and that can offer the services that I do. I am according to my customer, without competition, at least in my part of the world.
– I have seen from the SharePoint conference participant surveys, that of all of the topics that the participants want to hear more about next year, Security is always at the very bottom of the list.
– The number one rated and watched session at TechEd this year, was about hacker tools…

I may be wrong but I doubt it, security is not really on our agenda.
In my experience, all of us in this larger and larger SharePoint community, should pay a little extra attention on Security in all that we do. Not only in the Security technical aspects that we implement because we have to, take for example Kerberos authentication (Link to guide). Kerberos is a great Security feature that will enhance the Security in most SharePoint environments, but not many implementations have been made for the Security aspects of it, but for the simple reason that a double-hop scenario required it and thus it was implemented (visit my blog for an easy step by step guide to Kerberos in SharePoint).
Also, many, many SharePoint environments out there are setup by developers, I beg your pardon developers, but your focus is often to get a working test and development platform up and running, not to make it secure and stable. Also, after a solution has been developed and tested for functionality, your job is often done. The result is often something that is less than perfect in terms of Security.

It would be really nice if we could all help to change this, if we could all do just a few things that will in fact make the SharePoint environment more secure or at least, make it harder to penetrate and easier to keep track of.

I have made a list of things that we could all easily think of and do, and that would help SharePoint Security awareness.

Keep the number of local server administrators down to a minimum (0).

In most SharePoint environments we can assume that a local server administrator can get access to all of the content in SharePoint. Use domain groups, add an individual’s user account only as needed and remove when he/she is done.
You’ll find a command at the end that will show you a course list of the members of the local administrators group.

Do not disable the Loopback check on your Web servers.

This is a great Security feature, it will make life a little harder on a possible intruder, so why disable it. Add the URLs you need instead. If you buy a house and it has an alarm installed, you do not disable it, you grant access to the members of your family. Also worth mentioning, you should always avoid browsing from the server, but some features like search may depend on accessing the local server so a configuration may be the best answer.
You’ll find a PowerShell script at the end how you can easily configure it to allow the URL’s you need instead of disabling it completely.

Disable the SQL authentication and especially the SA account.

These account are completely unmanaged and unmonitored, it is a popular backdoor for any hacker.
They are rarely used and when used often by legacy applications, if they are, find out why and reconfigure or put the legacy app on a separate instance or server.

Never use Shared accounts (Never ever!).

I still see people defending the ‘setup account’ (shared installation and configuration user) and they state that it is given special permissions that are required later on. Operations people with a lot of people coming and going often use a ‘server monitor’ account that can be borrowed and used to get easy and fast access to the server. It is often a local account and often has a password that is well known by all…
In my opinion, there is never or very rarely a reason to keep a shared account. If you absolutely feel that you must, use a domain account and more importantly, disable it when it is not used. Also, change the password regularly.

Keep the Windows Firewall On (Ports-Link/Conf-Link).

Need I even explain this? It is however a sad fact that it is often disabled even in a production environment. It should be used and on in all environments, the development environment would else make an easy target for the evil hacker.
Configure it even during development, there are many ways to do it, PowerShell may be the simplest, check my blog blksthl.com on how to.
If you don’t do it right away, you or your customer will most likely forget to enable and configure it when you are done.

Keep the IE ESC On – Internet Explorer Enhanced Security Configuration.

A server is not really meant for us to browse SharePoint sites or the internet, use a client machine or a separate test server if you have to. If you MUST browse from this particular SharePoint server, disable it for admins only and enable it when done.
You’ll find a PowerShell script at the end how you can easily configure it.

Use HTTPS on Central Administration site.

Often, too often, https is used for web applications bt usually not for the central administration site, it is a bit of configuring and thinking to get it working, but it is a recommended way to protect your Environment. Remember, passwords will at times be transfered in cleartext on the central admin site.
Follow the Word of Spencer Harbar to get it done:
Using SSL for Central Administration with SharePoint 2013
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

***

Summary,
My hope is, that we will all try do something extra when it comes to Security in the future, do your best to leave a better more secure environment behind, take a while instructing the customer on the importance of keeping the environment secure even after you have left. Make them aware as well.
If you or your customers need a wakeup call, please watch my dear colleague’s session from TechEd North America this year voted no 1, Marcus Murray and Hasain Alshakarti at Truesec:
Live Demonstration: Hacker Tools You Should Know and Worry About
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B309#fbid=SxGCyIja7i5
After you or your customer has seen what can be done with simple tools avalable to all…perhaps the general attitude towards security processes may improve a bit?

Final word: It is not all about cool buzzwords/technologies like oauth or claims or federations, it is even more about processes and boring policies…

Configure Loopbackcheck (Link) In a PowerShell prompt running as administrator: Get-Item -path ”HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”) -PropertyType “MultiString” (Replace mine with your own URL’s and add more using double quotes and a comma and space as separator) Make the changes stick with: Restart-Service IISADMIN

Configure IE ESC (Link) In a PowerShell prompt running as administrator: function Disable-IEESC { $AdminKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 Stop-Process -Name Explorer } Disable-IEESC (You have to hit enter twice after pasting the script)

Crude list of all members of Local Administrators In a PowerShell prompt running as administrator: Gwmi win32_groupuser | where-object {$_.groupcomponent –like ‘*”Administrators”‘} | ft partcomponent There are better looking examples out there but this is a one-liner that does the trick…

References:

DisableLoopbackCheck & SharePoint: What every admin and developer should know. (Spencer Harbar folks)
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

A quick guide to configuring the Loopback check
https://blog.blksthl.com/2013/05/07/a-quick-guide-to-configuring-the-loopback-check/

Configure automatic password change in SharePoint 2013 using PowerShell
https://blog.blksthl.com/2013/05/14/configure-automatic-password-change-in-sharepoint-2013-using-powershell/

TCP/IP Ports of SharePoint 2013
https://blog.blksthl.com/2013/02/21/tcpip-ports-of-sharepoint-2013/

A guide to https and Secure Sockets Layer in SharePoint 2013
https://blog.blksthl.com/2012/12/20/a-guide-to-https-and-secure-sockets-layer-in-sharepoint-2013/

How to disable IE Enhanced Security in Windows Server 2012
https://blog.blksthl.com/2012/11/28/how-to-disable-ie-enhanced-security-in-windows-server-2012/

The first Kerberos guide for SharePoint 2013 technicians
https://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/

Using SSL for Central Administration with SharePoint 2013
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

Thanks to:

Hasain Alshakarti – TrueSec
Marcus Murray – TrueSec
TrueSec Sweden / TrueSec US
Spencer Harbar – harbar.net
Andrija Marcic – Microsoft

___________________________________________________________________________________________________

Consider?

Regards

Twitter | Technet Profile | LinkedIn

Configure ULS log and Usage and Health log location

SharePoint jokers!

If you left the settings in SharePoint 2013 as default when installing and configuring, then you will probably have a log path that looks like this for both the ULS log and the Usage and Health log.
C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\LOGS

If you want to change this to a new path, maybe on a different disk like D: (recommended) or on a simpler path easier to remember, use the following commands:

You will need to run the commands in a PowerShell running as administrator and you will also need to load the SharePoint snapin first, add-pssnapin.
add-pssnapin microsoft.sharepoint

For the Diagnostics log(ULS)
set-SPDiagnosticConfig -LogLocation “D:\Program Files\Common files\Microsoft shared\Web server extensions\15\LOGS”
or
set-SPDiagnosticConfig -LogLocation “D:\SharePoint Logs\ULS”

For the Usage and Health log
set-SPUsageService -UsageLogLocation “C:\Program Files\Common files\Microsoft shared\Web server extensions\15\LOGS”
or
set-SPUsageService -UsageLogLocation “D:\SharePoint Logs\Health”

set-SPDiagnosticConfig -LogLocation “C:\Program Files\Common files\Microsoft shared\Web server extensions\15\LOGS”

In my environment, the Diagnostics trace log path looks like this:

And for the Usage and Health log, it looks like this:

References:

(If the two paths Point to a different location then you may see this in your event log)
6398 – The Execute method of job definition…SPUsageImportJobDefinition
https://blog.blksthl.com/2013/05/27/6398-the-execute-method-of-job-definition-spusageimportjobdefinition/

ULS Log Viewer download
http://archive.msdn.microsoft.com/ULSViewer

Thanks to:

Ankie at my customers, who pointed out the Usage and Health log issue 6398 in the first place.

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

6398 – The Execute method of job definition…SPUsageImportJobDefinition

SharePointees!

Have this critical error in your Eventlog?

The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID ef497ec2-0cbf-4458-91ea-db75422fd9da) threw an exception. More information is included below.

Access to the path ‘C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS’ is denied.

This is a really annoying error in the eventlog, there are many references to this out there but most or even all take the easy way out and that is not for me 🙂

Two suggestions I have seen(that I do not recommend):

1. Add the ‘serviceaccount’ (usually the farm account) to the local administrators Group effectively giving the account full access to the entire filesystem.

2. Give the service account ‘serviceaccount’ (usually the farm account) read/write permissions to the LOGS folder.

Both are wrong, if the system would need access to this Place, why does it not have that allready?
In a real Life scenario I had this in the customers logs, when t-shooting I eventually figured out why they had it. In this customers Environment we had moved the ULS log location.
Central Administration/Monitoring/Configure Diagnostic Logging/Path
We had changed it (during PowerShell setup) to D: as one would…

So far so good, this will not in itself cause you any issues or events.
However, it as the other configurable location that did it. Usage and Health data…

This setting looked like this:

This was the reason…why this setting eaither was changed together with the log or if it would still have access…but no.
We ended up changing this path to D: as well, after all, this is what we really wanted anyway, no eccessive data on C:

Hope this helps anyone else.

Good luck!

Thanks to:

Mattias Gutke at CAG. My main man…

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

SharePoint 2013 page loads takes a very long time

–

Short version: Stopping the Distributed cache service gave me great performance! From 6.10 s to 79 ms

Something is just a liiitle bit off…?

Long story: This is a bit of reality right here…
I was about to give up on one of my labb SharePoint 2013 Environments because it was so extremely slow all the time.
Warmup scripts, reloads, more memory, more CPU, stopping services, stopping search…nothing helped.

I had a constant loadtime of all aspx pages of 6+ seconds, 6.10-6.20 something. Even when the page was just loaded and I pressed F5 to reload, it still took 6.10 seconds.
This was an environment that gave you sensitive nerves…

So, after looking for any solution or more like looking for the little issue that caused this all day, I gave up more or less.
– CPU was at a maximum 40% on SQL, SharePoint cranked it up to 18%…
– Memory consumtion was at 25% of the 12GB SharePoint had…
– SQL was Lightning fast to all other SharePoint farms…
– Network utilization showed about 100Kbps at the most…

I scavenged the internet as usual and found nothing but the standard: add more memeory, add more CPU, stop services, stop search…
None of that helped and I had tried it all…

Then…when all hope was lost, I got on a call with my excellent SharePoint buddy Mattias Gutke, we talked about the issue, his server on a laptop with SSD disks showed 50-100ms loadtime of all pages, reload did nopt even produce a flicker…
Then as often happens, we came to discuss the Distributed cache service, what it did and why it was there and so on…I had already had a look at it but could not find any reason why a default cache would give me this lousy performance. Then, I had a look at the timestamp in the F12 Developer dashbord – Network tab – Start capturing. I saw the home.aspx load and it took the usual 6.10 seconds.
The timestamp could be found in the detailed view and on the response header.
I memorized the timestamp (that was in GMT timezone) and opened up my ULS log. In the log at the exact time of the response header, I saw errors from the distributed cache.

I decided that t-shooting the distributed cache would have to wait, it was getting late…but, before disconnecting the Lync call with Mattias, we decided to try and see just what would happen if I stopped the distributed cache service and loaded the page.
Said and done:

Now, loaded the same site:

Whit the Distributed cache service running:

Notice any difference? Now my SharePoint farm is Lightning fast!!! From 6.10 seconds down to 79 ms!

Why is this so then you ask? No idea, something misconfigured or perhaps this is standard when using a single SharePoint server…anyway, today I don’t care.
Stop the service and the performance is great!

Hope this may help you as it did me!

Thanks to:

Mattias Gutke at CAG. Again, my SharePoint sparring partner no 1…

___________________________________________________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn