Calling all SharePoint Admins: Have you patched your servers?

A critical vulnerability of SharePoint Server has been identified which could lead to potential hacking.

Many enterprises use Microsoft SharePoint as the prime collaboration and content management platform and there are still a significant amount of SharePoint on-premise deployments across the world. This alert for the admins who manage on-premise deployments which you better take seriously and act fast.

A critical security vulnerability identified as CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability which behaves as explained by Microsoft below.

• A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
• Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected versions of SharePoint.
• The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.

Critical: It is highly important that you follow the table below and update your servers accordingly. As of now, Microsoft have not identified any Mitigation facts or Workarounds for this issue, however, the list of security updates shall keep your server away from the vulnerability.

CVE-2019-0604 (Critical)

SharePoint Updates

And, following links shall help you on patching servers.

2016: https://docs.microsoft.com/en-us/SharePoint/upgrade-and-update/install-a-software-update
2013: https://docs.microsoft.com/en-us/SharePoint/upgrade-and-update/software-updates-overview-for-sharepoint-server-2013

Advertisement

Sorry Something Went Wrong: SharePoint 2016 Farm Configuration Wizard Failed with timeout during services provisioning

The Error says it all, SharePoint could not provision the farm configurations within the given timeframe and it pops up the timeout. End result is, no services or applications provisioned. Below is a result from the very first application server was trying to provision my SP2016 farm on production.

You may have successfully installed prerequisites and product but this error could occur during your next step which is product configuration and service app (farm configuration) provisioning if you have a weak bandwidth for inter server communication. No matter how robust your servers are, the network could screw it all with a low bandwidth.

Try to ping across the servers and ensure you have a steady line from WFE to Intranet and Database Servers. Below sample is from one of my deployment which was failed with above error due to lack of bandwidth from APP server to Database just because the customer was having legacy network equipment and cabling (It was lower than 50 mbps given for SharePoint VLAN).

This is also can affect during Product configuration. That means the connection between your Database server to Application Server is worst, not only for SharePoint but anything rely on network connectivity will surely not perform well.

Or even hangs on 3rd stage unusually (normally this stage takes 10 min max, at my case it was more than 30 which is hilariously abnormal)

Its mandatory to have a good (at least 1gbps, 10gbps is ideal) network connectivity across all SharePoint, OWA and Workflow Manager Servers.

Hardware requirements for SharePoint 2016 – https://technet.microsoft.com/en-us/library/cc262485(v=office.16).aspx

Configuring Calendar Overlay to Display Different Color for each Category in SharePoint Online-Make the SharePoint Calendar More Delightful and Useful

Calendar being one of the most significant feature in SharePoint. Most of the time to use it in a meaningful way, you need a little bit of customization. This article describes the way of customizing the color code of Calendar items based on a specific category.

Scenario: I need my calendar to show different colors for each category such as Meeting, Business, etc.…Once we complete all the steps, you will see a calendar like this which has different color for each category. The filtering option can be used to either default “Category” Field or you may create your own column with multiple choices as you need.

I have used SharePoint Online In this Scenario but it will be the same for On-Premise SharePoint as well.

So let’s get in to the scene. First to create Views on the Existing Calendar. Office 365 SharePoint will already have Calendar by default even for newly created sites.

Go ahead and Create a New View by Clicking on “Create View”

To Select the Calendar View, Click on it

Give it a name and drag to bottom of the page. In this case its “Meeting” so I will see this name when I’m configuring the Overlay at next levels.

Choose the Filtering Option as you need it to be. In this case I will use the Category Filed to Color up the events so each Category will have a different color. First lets create a View for the Meeting category. Once selected the field and given the Value which you want to filter, hit “ok” to save.

Now to configure the Calendar Overlay. Simply Click on “Calendar Overlay” Icon on the Ribbon

It will bring you up to this page. Hit on new Calendar here (Not to be confused. This doesn’t mean you need to have multiple calendars here. It simply means you can have multiple calendars as well. also you can have multiple views in a single Calendar too) so in this scenario, we will have multiple views in a single calendar in order to define different colors for each category.

Let’s create the first Overlay for the Meeting Category first. URL will be automatically inserted. If your calendar on the root site, simply click Resolve to retrieve the List and View otherwise define the path for your calendar.

This is where you define the View you created earlier. From now on, All items created under Meeting Category will be shown in Purple Color.

If you have many categories, repeat the same process for other category items as well (e.g.- Birthday, Business). When you complete everything, the final Calendar will look like this.

Sorry Something went wrong, An Unexpected Error Occurred After Migrating SharePoint 2010 Site to 2013

The error itself describes nothing related as it is a common error. there will be scenarios where the SharePoint farms that you are planning to migrate having bunch of custmizations and third-party integrations. this is one example i’ve been facing recently.

The Site was migrated using DB attached method and whatever the Custom Solutions were sitting on the source farm wrere migrated to destination (2013) Farm too. there were many Web applications and many of them worked perfectly but not this one.

Prompts “Sorry Something went wrong, An Unexpected Error Occurred” when accessing the destination site URL.

ULS Log is the god at this point.

Searching ULS through this correlation ID won’t give you the exact point here. Instead search through URL. At this point the error was occurred due to the Nintex Workflow Solution which is a third party WSP deployed and not configured. Retracting the two WSPs related to Nintex from this particular web Application resolved the error.

This is the ultimate reason behind this error. This Home page has been using a Task list associated to a third-Party Solution. Web Part remains fulty unless the connection and licensing configured properly.

Wrap-up: Any Cutom Solution used (only the ones used within your target Web application) in the Source Farm has to be deployed to the Destination farm. not only deployed and enabled but conigured for Connections and Licensing. in above scenario, the third-party solution was not licensed and neither configured as required which cuased the error in destination.

Anonymous Users getting authentication prompt for SharePoint List and Library access

Public facing sites hosted in SharePoint commonly needs anonymous access and that’s been there for quite long now.

Generic configurations are done from Central Administration and Site Permission Level but these steps will not allow anonymous users to have read access to all the content unless you specify.

• Enable anonymous access in “Authentication Providers” (Central Administration –> Application Management –> Select the target Web Application) – All Scenarios
• Grant rights to anonymous users in “Site permissions” -All Scenarios
• Grant rights to specific library (in some scenarios)

but you will get authentication prompted when anonymously accessing lists, libraries or items stored in.

To have read access to all lists and libraries across the site, you also need to Disable the “Limited-access user permission lockdown mode” Site Collection Features. Deactivating this feature will grant anonymous users to access all resources across the site (which are granted for anonymous access)

Unique Permissions are No longer works after Migrating SharePoint 2010 Web Application to 2013

It is well known that SharePoint 2013 by default uses Claims mode for Authentication and Whenever we create a Web Application it creates with Claims Auth. SharePoint 2010 also had Claims but was optional for us to choose whether we want to have Claims based or Classic. If you had a Classic Mode Web Application in SharePoint 2010 and then it migrated to SharePoint 2013, you also need to Migrate Users specifically from Classic to Claims because you can no longer user Classic mode in 2013.

I had a scenario where an Intranet Site was Hosted in SP2010 and Migrated to 2013 which had hundreds of Libraries and Folders inside them with Unique Permissions. After the Migration from 2010 to 2013 using DB attached method, everything worked well until users start complaining that they are unable to see any records with unique permissions.

Checked the permissions using “Check Permissions” Option and something seemed to be wrong as all the users are not having their relevant set of permissions in the new Destination. It just the Read permissions granted through “All Users” Group which is NT All Authenticated Users.

Migrating Users from Classic to Claims using below PowerShell Script Rectified the issue and everyone was able to access their relevant records as expected. checked the permissions again and it appeared all set of permissions which is looked like everything back to normal. We also need to ask every individual to check their content and functions to verify this.

You can run this in any Server in the Farm and once it’s done, cannot be reverted back so better test it out first in a POC Setup. this will completely switch your all users from Classic mode to Claims.

 

   1: Add-PSSnapin Microsoft.SharePoint.powershell -EA 0

   2: $webapp = Get-SPWebApplication -identity "http://intranet-poc.abc.local"

   3: $webapp.MigrateUsers($true)

Bottom Line: Claims Based Authentication is an Essential Component in order to enable SharePoint 2013 with Advanced functionalities. If you had a Classic mode Web Application in SharePoint 2010 and you are planning to Migrate it to SharePoint 2013, Migration of Users is a Critical part of the SharePoint Migration. It is important to test the same in a Test Environment prior to the Production.

Notes: There are lot more details and scenarios when it comes to Claims Authentication. will put it over here as an detailed article soon.

Implementing Multi-tenancy Infrastructure with SharePoint 2013 (SAAS) – Part 2: Planning for Deployment

– The Step by Step Guidance for Creating SharePoint 2013 Based Multi-Tenant Infrastructure,   Part 2 Planning for Deployment –   

Planning Your Deployment

Seems you are continuing to read from Part 1 of my Article Series.

For sure you will need few days to test the entire Multi-Tenant functionality properly. All the below perspectives are entirely depends on the Product Knowledge and the past experience. Performance is ofcource a major concern as this isn’t a generic setup where a single Web Application and few Site collections will serve requests. In this case we are talking about a Hosting Vendor who will be Providing a Stable, reliable and well performing SharePoint online service for its Clients.

It’s also goes more deeper when we think of Intranet Scenarios. Customer may host their Web Portal or may be Intranet Portal. Intranets needs robust environments as it will be heavy with lots of Services and content. Performance, Storage and Security is a big concern here.

However, there’s no environment stays static so you might need to scale up-out based on the utilization of resources. Specially the storage you won’t be able to stick to the initial when it becomes popular. So the improvements has to be done for sure.

You need to read more on SharePoint Hosting Guides given by Microsoft as I stated in the Part 1.

Test (POC)

Prior to the Production Deployment, It would be a great idea to run this and try out in a POC (Proof of Concept) Setup. A Single Server would be sufficient but multi-Server environment is ideal so you get the real world experience. Unlike generic SharePoint Farm deployment, Multi-tenant Farms are more tricky. You need to Plan a lot which is extremely goes in to the deep dive as down as Hardware, Software, SharePoint Services Allocation, Service Segregation across Servers, Performance Considerations such as Storage (IOPS), Security Requirements (Publishing Through Proxies) etc..

Hosting Tenants – Where the customer Tenants (site Collections) will sit on.

A Single Web Application for all the Site Collections (Tenants) ? Or a dedicated Web Application for Each ?. Well, This thing is entirely depends on how far you will go. Microsoft Does not recommends to Host more than 20 Web Applications per farm. This is a threshold not a Limitation. Yet it is considerable since you are not supposed to exceed the recommended level in these kind of critical real world scenarios.

Planning Backend for Tenants

Basic Idea of this is, whether we are isolating our customer’s site collections Databases or not.

Single Content Database for all ? Not a good idea. Data isolation is a prime concern when we talk about Multi-tenancy and a Dedicated Content DB per tenant would be ideal. When it comes to the scaling perspective, Isolated DB is ideal.

Site Collections and Database Limitations and Recommendations

Isolation is all about Site Collections and Databases. You have to go through Software Boundaries and Limits for SharePoint 2013 during your planning.

Active Directory Perspective

The Isolation also comes from Active Directory side when we talk about Security. Tenant A (Customer A) should not be able to see the users of Tenant B (Customer B). When a user of Tenant A trying to Search another user through the People picker, he should be only able to see the result within his tenant. This is a Security practice which will be implemented via Active Directory Organizational Units (OU).

Users

Where we store our Users is not a matter here. Yes you got it right ! We can use the Active Directory as I have shown in the diagram above. You could use somewhere else to store the users but you got the best place to store them, why somewhere else is depends on your requirements. I would straight go with AD through dedicated OU Concept which is too easy and centralized. I will only need to look after the AD Objects so the windows authentication is way smarter.

URL Considerations

The other Key point to make decision is, URL. How you are going to let your customers to access the site. There are two choices as 1. Ordinary Addressing and 2. HostHeader Site Collections.

Also there can be below possibilities. In this scenario we have to consider that we will provide all these for our customers.

1. Allowing Customers to Create Site Collections under their root
2. We Will provide Content Type Hub, My Sites, Tenant Administration Site

E.g. scenario – Above features may depends on the level of Subscription (feature packs you are setting for the tenant). Yet you need to make sure how these sub site collections are addressed. Take below sample scenario to get an understanding.

Web Application – Root (http://HostingProvider.com/)

Tenant URL – /TenantA

Other Sub Site Collections

/TenantA/CTHUB

/TenantA/MYSites

/TenantA/MySites/Personal

/TenantA/Admin

/TenantA/Sites

Per Tenant There going to be Lots of site collections where each stands there for a specific purpose. This is a hassle to manage with path based concept isn’t it ?. And the critical point is, Performance. Having lots of Managed Paths in a single Web Application will give you performance overhead. The recommended number of Managed paths per Web Application is 20. we can ofcource exceed the number and go for more in here but more you have will more overhead on performance.

Host-header Site Collection is the ideal way to achieve this point. Except few minor drawbacks, it gives excellent capability over the each site collection you can have multiple managed Paths. Even though the Site Collections sits on a single Web Application, doesn’t matter the number of Managed paths (in terms of Web Application wise) per web Application because you are dealing with a separate host-header Site Collection. I would recommend to go with Host Header Site Collections at this point.

Custom Stuff

Why Not !. having a Centralized service portal which allows users to visit and create a tenant themselves will be a handy thing just like Microsoft’s O365. having an armed super-duper backend to run the provisioning of tenants through automated scripts etc.. There’s lot more to talk on this thing so for now let me finish what I started under this topic.

 

Stay Tuned for Part 3 – 6 soon to be Published !

—————— Part 3 – Functionality Tech Preview (What It Really Gives You) ———————————-

—————— Part 4 – Deploying Core Infrastructure (Platform) ————————————————–

—————— Part 5 – Creating Partitioned Service Applications ————————————————-

—————— Part 6 – Creating Tenants and Do some real stuff ————————————————-

SharePoint Granular Backup Failed and Site Went Inaccessible (Locked)

So you was thinking that site backup has no Interruption to the running (live) system ? Yes it is. I ran in to an issue where an Granular backup was executed through SharePoint Management shell while users were accessing the portal in SharePoint 2010 production farm.

Backup was terminated due to lack of space in destination drive and users are prompted with "Error: Access Denied Massage" which was in an extremely critical peak hour.

There were multiple set of backup jobs running parallel in SharePoint Shell and few of them were unable to complete due to lack of space. The person who was handling this closed all the SharePoint Shells and sites suddenly prompted this error to all users. Sites which are successfully backed up had no issues.

Checked the Content DBs of particular Web Applications and they looks green as Database Read-only mode is "No".

When Looking out for a possible reason, the "Lock" word came up to my mind and checked the "Quotas and Locks" in Central Administration (Application Management –> Site Collections –> Configure Quotas and Locks)

And Here we Go !. It was in the Read only Mode. Changing the status to the "Not Locked" Mode bought everything back to normal.

It has put the site in to maintenance mode during the backup and since it was not properly completed, the status yet remains in Read-Only mode. So a good point to think before you execute any backups in SharePoint. Plan for a drive with enough space and off-peak hour.

This is the command line resolution for the same

stsadm -o setsitelock -url http://sitename -lock readonly

stsadm -o setsitelock -url http://sitename -lock none

Here are some good facts in terms of Backup and Restore Planning in SharePoint From Microsoft – https://technet.microsoft.com/en-us/library/gg266384.aspx

Open a Library with Explorer – "Your Client Does not Support Opening This List with Windows Explorer" Error

It’s a known feature in SharePoint 2007 and 2010 that we can open up a SharePoint Document library in Windows Explorer so that we can simply do bulk operations such as copy/paste multiple set of Documents, Folders etc.… And it’s a common issue which almost every SharePoint Admin may have faced that "Your client does not support opening this list with Windows Explorer" Massage is prompted whenever an user trying to open a Document library with Explorer.

There can be various reasons for this issue. below are some set of reasons I have come across. Possibly one of these might be the point for the issue you are facing like It was for me.

1. Open with Explorer Option is Grayed out in SharePoint 2010

In 2007 The same Massage can be popped out

This is because you have not used Internet Explorer. This feature tightly depends on IE.

2. Internet Explorer Versions and Platforms

• Windows XP | Server 2008 or R2 – Internet Explorer 7,8 or 9
• Windows 7 – Internet Explorer 7,8 or 9 is compatible. IE 10 is not supported on Windows 7 yet for this feature. You have to revert back to 9.0 if you are on Windows 7.
• Windows 8 or 8.1 – IE 10 Supports this feature so you have no issues with it. My Windows 8.1 Client worked like a charm.
• And it does not supports on 64 bit version of IE. Find the IE 32 bit (X86) on Program files simply by searching if you were using IE X64.

3. Web Client Service Dependency

This feature highly depends on "Web Client" Windows Service. If you are using a Client OS the Web Client Service will be already installed (Yet make sure its running by looking at the Services), if it’s a Windows Server you need to have the "Desktop Experience" Feature Installed which will contain the Web Client Service. Do the following to get it installed.

Launch Server Manager –> Add features –> Choose "Desktop Experience" –> Restart the Machine

In my case, this was the Point and I was able to get rid of the issue by installing Desktop Experience feature then it worked like a charm.

Then Go to Services (type "services.msc" in powershell or Run command to launch Services console) and make sure the WebClient Service is Runinng and the Startup Type has set to Automatic.

4. Add the SharePoint to trusted Sites in Internet Explorer

Make sure the Site You are trying is added as a trusted Site in Internet Explorer under Trusted Zone. Open up Internet Explorer –> Internet options –> Security –> Trusted Sites –> Sites –> Add the site there

And un-tick the "Enable Protected Mode" check box too.

5. Set to Automatic Login in Internet Explorer

Open IE and click on Settings Wheel –> Internet Options –> Security Tab –> Local Intranet –> Custom level –> Drag down to the bottom

Ensure the User authentication is set as follows.

Configuring Outgoing Email for Various SharePoint Environments

Configuring Outgoing email for a SharePoint Farm is one of the core thing to be done after the initial SharePoint Deployment and Configurations. You can use an Internal Mail Server or simply relay to an external Services such as Hotmail or Gmail. We will go through both ways in this Article. No purpose of referring to an External Service if you got a Mail Server in premise (e.g. – Exchange Server). Developers always prefer to use free Services like Gmail or Hotmail since having a Mail Server set up as a virtual is something consumes resources.

Scenarios

• Using External Services (Mostly Used for Testing Purposes by Developers)
• Using In Premise Mail Server
• Standalone and Multi Server Farms

Initial Common Steps (Ignore if you have SMTP and IIS 6.0 Roles and features Installed and go directly to Scenarios below)

To Install SMTP Services in SharePoint Server, Open Server Manager and go to Add Roles and Features. My server in this scenario is 2012, if yours is 2008 or earlier you may do the same from Control Panel –> Programs and Features.

Go to Add Roles and Features.

Click Next until you get the ‘Select Features’ tab. Select the SMTP Server There. Choose Telnet Client too, you will need it to test the connectivity to SMTP Services Later.

Below Tab will be prompted. Simply click ‘Add’ to it. SMTP Server is usually managed from IIS 6 Interface so let it install all the required components there. Click next after the selection and it will be completed in a minutes.

Once Installation is done, Go to Start menu and type IIS, find the old IIS Icon which comes as second item in results. Click and it will launch the IIS 6.0 Manager.

Meanwhile Let’s go to Services of SharePoint Server (Open Run and type ‘services.msc’ and Enter) and find SMTP Service then make the Startup mode to ‘Automatic’ from ‘Manual’.

Above Steps are the common ones for any scenario.

Scenario A – Configuring Outgoing Email for SharePoint with External Service

Once you launched the IIS 6.0 it will load below Snap in.

Right click on the Virtual Server Name [SMTP Virtual Server #1] and get the Properties of it.

General Tab – Nothing to do here

Access Tab. Under Authentication, Enable Anonymous and Click OK.

Connection: Choose All except list below under connection. You can also specify the Server here by choosing the first option so that would be more secure.

Relay: here also the second option for me. You can specify the server too.

Massage Tab – Nothing to do here for now. You can simply customize by defining limits based on the requirements.

Delivery Tab – Set the Outbound Security here. Choose ‘Basic Authentication’ and define the Account details which will be used to connect to particular SMTP Server (External). Enable TLS encryption and click OK to save.

Outbound Connection: I have No changes here. The default Port is 25 and you have to adjust based on the Port Number used by your External SMTP Service (‘I’m Using Gmail for testing)

Advanced: Define the FQDN of your SharePoint Server (Local Server which runs SMTP Service) and check DNS to validate the name. Set the name of your external SMTP Service under the ‘Smart Host’ field. (Gmail – smtp.gmail.com | Hotmail – smtp.live.com etc…)

You can leave rest of the things such as ‘LDAP Routing’, ‘Security’ with Defaults and enable as and when requires.

Let’s Open up IIS Manager which hosts our SharePoint Web Applications (IIS 7/8). Point to Relevant Web application which we will be using Outgoing Email in SharePoint. Click on the ‘SMTP E-Mail’ Feature.

Define it to use ‘Local Host’ and Save.

That’s it from IIS 6.0 Panel. Let’s Open up SharePoint Central Administration to do the last thing. Point to ‘System Settings’ –> Configure Outgoing Email Settings’ under Email and Test Category.

Define the

• Outbound SMTP Server (Local SharePoint Server which we enabled SMTP Services)
• From and Reply to Addresses
• Character Set with Defaults

That’s all on Configurations. Do a IIS Reset before we test the functionality.

Testing of Functionality.

You can either Set an Alert to a Library and if it’s sent we are good.

Login using an Account which has an Valid Email address. Create a test Library and go to Library Settings and ‘Set Alert on This library’.

It will prompt below snap in. it shows the Email address of the particular user. Click OK to save with default settings. Default settings will send an alert immediately based on any change you are doing to this library.

It will create the initial Alert right after the enabling. This Proves that Outgoing Email is now Functioning Well !

Or else the other way is to Create a Simple Workflow to fire a Mail based on a Record (or something). This is a nice way to test it out. Would be robust than the alert.

Open SharePoint Designer and create a Two Step Simple Workflow like below to test.

Upload a sample Item and Start the Workflow.

This will trigger the mail immediately.

Scenario B – Configuring Outgoing Email for SharePoint with In Premise Mail Server.

In This scenario, SharePoint Server will relay all the outbound mail traffic to Organization’s Mail Server which may be Exchange Server.

Nothing much but only below few changes you should do after the common Configurations done.

In SMTP Server ‘Delivery’ Tab. Enable ‘Anonymous Access’ under ‘Outbound Security’

Also the Internal Mail Server Name in the ‘Advanced’ Settings

Scenario C: Deal With Standalone and Server Farms

Standalone: In The Central Administration, You can point to Local SharePoint Server in the Single Server Scenarios. Do not point to the Smart Host from Central Admin.

Server Farm: having SMTP Service installed and configured in one of the Frontend Server would do. Make it available in all WFE Servers if you have multiple with Load balanced so that SMTP Service will still work even if any WFE goes down in case.

Point in to the Smart Host in Server Farm Scenarios. Do not point to the Local Server

Important Troubleshooting Steps

1. If you are not getting any mails yet, Check the Junk Folder too, sometimes it goes there under the untrusted category

2. Keep Monitoring the Queue Folder (C:\inetpub\Mailroot\Queue) if the mails are queuing here, you got a point to check.

3. Sometimes External Service vendors may have changed the port for SMTP for security purposes. Check the connectivity using Telnet. This is why we install Telnet service too when we installed SMTP. Open PowerShell as Admin and run below lines (customize with Name and Port)

If it connects Like below, we are Cool here. Otherwise you got a point to check, may be the port number of Firewalls you have.

Notes:

1. All Above Configurations are Identical for both SharePoint 2010 and 2013.
2. Also There’s No single Edition wise Difference (Foundation, Standard, Enterprise). all the steps are common for all Editions of SharePoint.