OneDrive Making a Real Comeback


Have you heard about the virtual Collab365 Global Conference 2017 that’s streaming online November 1st – 2nd?

Join me and 120 other speakers from around the world who will be bringing you the very latest content around SharePoint, Office 365, Flow, PowerApps, Azure, OneDrive for Business and of course the increasingly popular Microsoft Teams. The event is produced by the Collab365 Community and is entirely free to attend.

Places are limited to 5000 so be quick and register now.

During the conference I’d love you to watch my session, which is called ‘OneDrive Making a Real Comeback’.

OneDrive and OneDrive for Business have been vital for collaboration. Microsoft is making OneDrive better every day with a bunch of exciting and useful new features. Let’s discover the latest on OneDrive, as it now acts as a more unified product with the latest capabilities announced.

If you join me, you will learn:

  • Latest of OneDrive
  • OneDrive
  • Unified OneDrive for everyone

Topic(s):

  • OneDrive

Audience :

  • End User
  • IT Manager
  • Power User

Time (in UTC) :

  • Thursday, November 2 2017 7:00 AM

How to attend :

  1. Register here.
  2. At the time listed above go here to watch my session (you can also add me to your own personal planner from the agenda).
  3. Be ready to take notes!

SharePoint Multitenancy – BCS and Secure Store Service applications do not appear in the tenant admin portal

If your developers ask for BCS to be configured and you do not see any links for the BCS and Secure Store Service applications in your tenant admin portals, that is quite normal. It does not necessarily mean that multitenancy does not support BCS or SSS in partitioned mode. When the initial scripts are executed to create the service applications, these two applications are also provisioned. However, the linking is not done.

As per Microsoft:

  • Business Data Connectivity service

Once configured in partition mode, all configuration of the Business Data Connectivity service moves to tenant administration. However the Tenant Administration site template does not include the link to this page, which can be added using the customization technique in the Extending the Tenant Administration site template section

  • Secure Store service

Once configured in partition mode, the generation of encryption keys remains a farm level configuration performed either via Central Administration or Windows PowerShell. The remainder of the Secure Store service configuration moves to tenant administration. However the Tenant Administration site template does not include the link to this page, which can be added using the customization technique in the Extending the Tenant Administration site template section.

Spencer did a wonderful job with his detailed explanation of Multitenancy: http://www.harbar.net/articles/sp2013mt.aspx. Thanks to this great series of articles, I was able to set up a comprehensive farm for one of the government agencies in Asia which has over 30 tenants. Nevertheless, it doesn’t seem to cover this particular problem.

There is a solution on CodePlex for this, but I didn’t try it as it involves a deployment on the servers: https://fixmultitenantissues.codeplex.com/


Let’s find a way out of this.

It’s possible to extend the tenant admin portal template to do things such as adding a new link or removing a link. But where are these links? If we have them, we can at least try to configure BCS and see if it functions well under partitioned mode, right?

Well, they are there!

You can find the SSS and BDC Application pages in the resource folders under the following path. These folders contain the pages used in these two applications. Finding these allows us to test the Business Data Connectivity Service functionality and embed the URLs to the tenant admin portals by extending the site template.

The SSSvc folder contains the following items. Just copy the path and add the page name at the end. The path would be http://tenant.domain.net/admin/_layouts/15/sssvc/TA_ManageSSSvcApplication.aspx

Then BCS. Go to the BDC folder and check that it has the following set of files. The path for that would be http://tenant.domain.net/admin/_layouts/15/bdc/TA_ViewBDCApplication.aspx

Copy both these URLs to Notepad.

Now let’s add these links to the tenant admin portal. For now we are adding them to the left navigation, so that if everything works well we can extend the template and add the links globally and permanently.

Open up the tenant admin portal and simply go to Site Settings –> Quick Launch, under the Look and Feel section.

Add a new heading for each of the two URLs.

They should appear in the left panel right away.


Click on each, and you should be able to open up the applications now.


If everything goes well, you can go ahead and extend the layout templates. The following feature definition shows how to add a new group, several links, and remove the link to the Manage Site Collections page. Doing this allows us to globally enable the links across all tenant admin sites at once.

<Elements xmlns="http://schemas.microsoft.com/sharepoint/">
  <!-- New group shown on the Tenant Administration page -->
  <CustomActionGroup
    Id="TenantAdmin_HostingUserAccounts"
    Location="Microsoft.SharePoint.TenantAdministration"
    Title="User Accounts"
    Sequence="90"
    ImageUrl="_layouts/images/SiteSettings_UsersAndPermissions_48x48.png">
    <UrlAction
      Url="" />
  </CustomActionGroup>
  <!-- Links placed inside the new group -->
  <CustomAction
    Id="TenantAdmin_HostingUserAccounts_AddUser"
    GroupId="TenantAdmin_HostingUserAccounts"
    Location="Microsoft.SharePoint.TenantAdministration"
    Sequence="10"
    Title="Create User">
    <UrlAction
      Url="_layouts/UserAccountsWebParts/UA_AddUsers.aspx" />
  </CustomAction>
  <CustomAction
    Id="TenantAdmin_HostingUserAccounts_ManageUsers"
    GroupId="TenantAdmin_HostingUserAccounts"
    Location="Microsoft.SharePoint.TenantAdministration"
    Sequence="30"
    Title="Manage Users">
    <UrlAction
      Url="_layouts/UserAccountsWebParts/UA_ManageUsers.aspx" />
  </CustomAction>
  <!-- Removes the built-in link to the Manage Site Collections page -->
  <HideCustomAction
    GroupId="TenantAdmin_Sites"
    HideActionId="TenantAdmin_Sites_ManageSiteCollections"
    Location="Microsoft.SharePoint.TenantAdministration" />
</Elements>

Full details of extending the template are described in this TechNet article: https://technet.microsoft.com/en-us/library/dn659286.aspx?f=255&MSPPError=-2147217396

InfoPath Error in SharePoint 2016: There has been an error while processing the form

Warning There has been an error while processing the form. click OK to resume filling out the form. You may want to check your form data for errors.

Let me guess: you have gone through all possible verifications on data sources and form fields, and everything is pretty well developed and verified? Same goes for me. One of my colleagues was developing a form and she came up with this error on SharePoint 2016 recently.

She was using the GetUserProfileByName SOAP web service to fetch the current user’s group into a field, and that’s where this error is raised. That was verified by removing that particular connection and the rules filling in the data.

After verifying form fields, data connections and other basics, I decided to inspect the infrastructure step by step. The SharePoint logs and the Event Log did not have any relevant entry. Finally, in the lonely boat, I took the following steps one after another to sail towards an island.

1. Enabled all InfoPath services from CA (General Application Settings) – Everything is already set


2. Registered the HTMLCHKR – no luck

regsvr32 "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\htmlchkr.dll"

3. Added the target site to InfoPath application’s trusted locations – no luck

4. Restarted and recycled Security Token Service Application/pool for all WFEs – no luck

5. Restarted servers – no luck

The last two steps were able to shed some light!

6. Disabled loopback check

What is the loopback check? If you have been prompted continuously for credentials on a SharePoint server when you try to access your site from within that server, that’s because of the loopback check.

Microsoft: Windows Server 2003 SP1 introduced a loopback security check. This feature is obviously also present in Windows Server 2008/12. The feature prevents access to a web application using a fully qualified domain name (FQDN) if an attempt to access it takes place from a machine that hosts that application. The end result is a 401.1 Access Denied from the web server and a logon failure in the event log.
Unfortunately 401.1 is not really helpful as this error code means there is a problem with the user credentials. Of course, the HTTP spec doesn’t know about security features in a vendor’s implementation so there can’t be a HTTP error code for such a feature. This can lead to much banging of the head on the desk. It’s one of numerous causes of the 401.1 which are nothing to do with invalid credentials (e.g. attempting to use Kernel Mode Authentication with domain account in IIS7).

Option 1: Logged in to the target SharePoint server(s), launched PowerShell as administrator, then ran:

New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -Value "1" -PropertyType dword

You don’t need to add it if it already exists (which means the loopback check is already disabled).

Option 2: You can also add this registry entry manually.

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click Lsa, point to New, and then click DWORD Value. (In Win 2008, it’s DWORD 32-bit.)
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck, and then click Modify.
  6. In the Value data box, type 1 and then click OK.
  7. Quit Registry Editor.

7. Then I ran the SharePoint Product Configuration Wizard on the SharePoint server just to give it a refresh.

After restarting the servers, I added the form connection and rules back and the InfoPath form loaded perfectly normally!
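
The loopback check can also be relaxed for specific host names only, through the BackConnectionHostNames value under Lsa\MSV1_0, which leaves the check active for everything else on the server. The script below is an added example, not part of the original post; the function names and the host name portal.contoso.example are placeholders, and it assumes an elevated PowerShell session.

```powershell
# Added example (not from the original post). Run elevated on each SharePoint server.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    # Report the current settings so any change can be reviewed and reverted.
    $lsa  = Get-ItemProperty -Path $LsaKey  -Name DisableLoopbackCheck    -ErrorAction SilentlyContinue
    $msv1 = Get-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        DisableLoopbackCheck    = if ($lsa)  { $lsa.DisableLoopbackCheck } else { 'not set' }
        BackConnectionHostNames = if ($msv1) { @($msv1.BackConnectionHostNames) } else { @() }
    }
}

function Add-BackConnectionHostName {
    # Allow loopback authentication only for the listed host names.
    param([Parameter(Mandatory)][string[]]$HostName)

    $existing = @((Get-LoopbackCheckState).BackConnectionHostNames)
    # Merge with what is already there; Sort-Object -Unique ignores case.
    $merged = @(($existing + $HostName) | Where-Object { $_ } | Sort-Object -Unique)

    # -Force creates the multi-string value or overwrites the existing one.
    New-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    $merged
}

function Enable-LoopbackCheck {
    # Turn the server-wide check back on if it was disabled earlier.
    if (Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -Value 0 -Type DWord
    }
}

Get-LoopbackCheckState                                         # state before the change
Add-BackConnectionHostName -HostName 'portal.contoso.example'  # placeholder host name
Enable-LoopbackCheck
Get-LoopbackCheckState                                         # state after the change
```

As with the steps above, restart the server afterwards so the change takes effect.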

SharePoint 2016 Product Configuration Wizard Error: Configuration Failed with Unauthorized Access Exception

If you are going to deploy SharePoint 2016, this is a common error you may encounter.

The error pretty much points to an access permission, which you might think is a database permission, but no, it’s not!

If you expand the event log, it will have errors 100 and 104 logged due to this.

The resolution is to permit the setup account to access the Tasks folder (C:\Windows\Tasks). This is a critical folder which the setup account needs to be able to access during the Product Configuration.

To take ownership of this folder, log in to the relevant SharePoint server using a local admin account and right-click on the Tasks folder.

Under the Security tab, go to Advanced.

Change the Owner from SYSTEM to your setup account (the account that will be used to run the Product Config Wizard).

Once changed, the new owner is shown.

Repeat the same for all SharePoint servers in your farm if you plan to have multiple. Now run the Product Configuration Wizard again and you will notice it passing smoothly to task 5. Within a few minutes, the Wizard will complete successfully.

And here comes the winning moment!

If you are still encountering any additional errors in the Wizard, these are some basic points to verify.

Ensure:

  1. Antivirus disabled for all SharePoint and database servers (if any)
  2. Firewall
  3. Named Pipes in SQL Services enabled (sometimes this isn’t enabled by default)

And then:

  1. Disable UAC (Never Notify)
  2. Restart Server
  3. Run the Product Config Wizard again as Administrator

Enjoy the all new SharePoint!

SharePoint Hybrid Deployment Live Demo

It was a fruitful day at the Collab365 Global Conference 2016, with lots of wonderful sessions from experts all over the world. It was great to address an online crowd this morning, and my session is now on-demand and you can watch it here.

Here are some resources for those who love to explore and try Hybrid for SharePoint:

Download IdFix Tool – https://www.microsoft.com/en-us/download/details.aspx?id=36832

Download Azure AD Connect – https://www.microsoft.com/en-us/download/details.aspx?id=47594

Planning SharePoint Hybrid Free E-Book – https://blogs.msdn.microsoft.com/microsoft_press/2016/04/26/free-ebook-planning-and-preparing-for-microsoft-sharepoint-hybrid/

Configuring SharePoint Hybrid Free E-Book – https://blogs.msdn.microsoft.com/microsoft_press/2016/07/06/free-ebook-configuring-microsoft-sharepoint-hybrid-capabilities/

It’s Official and I will be speaking at Collab365 Global Conference!

It is indeed a great opportunity for me to present at the world’s largest online conference, with over 5000 attendees from more than 100 countries.

Collab365 is the largest online conference, with hundreds of live sessions streamed nonstop for 24 hours. Join the Collab365 team on the 19th – 20th October for great sessions of SharePoint, Azure and Office 365 content by global experts, delivered direct to your device, wherever you are in the world, when you want it and at no cost at all.

Register yourself today at http://collab365.events/collab365-global-conference-2016/

Azure AD Conditional Access for Office 365 (Exchange and SharePoint Online) Preview Release

Yesterday Microsoft announced one of the most awaited features for Office 365, “Azure AD Conditional Access Preview” for SharePoint Online and Exchange.

What is Conditional Access and what is it for?

Security has been one of the key elements in systems for decades, but with the evolution of the cloud and mobile era it needs to be much more comprehensive than ever before. With the rise in the number of devices used by a person and the ability to access corporate resources from anywhere in the world, there is a massive demand for securing corporate resources. Ultimately, the latest strategies for securing corporate resources are defined by the new ways in which users access them.

Microsoft has taken another big leap in security capabilities with this release today. Azure Active Directory Conditional Access features allow you to secure and manage your corporate resources in simple ways, in the cloud or even on premises. If you want to ensure that a stolen user credential or an unmanaged device will not harm your corporate resources, Azure AD Conditional Access is made for you.

How is access enforced?

Generally, when a user signs in to a service, Azure Active Directory checks whether the security inputs of this user meet the access requirements you defined. If the requirements are met, the user will be authorized to access the service or application.

The enforcement can be done in two ways. You can define policies to configure the access either way, for users or devices.

  • User based Access (Control who you want to allow access)

User Attributes – User attributes can be used to define policies for which users can access the organization’s resources.

Group Membership of a User – Access can also be based on the group or groups the user belongs to.

Multifactor Authentication (MFA) – Multifactor Authentication can be configured to ensure better security. The user has to provide more than just one factor (the password); the additional factor could be either a PIN or a phone number. That ensures an extra level of security for your organization’s resources.

Sign-in and User Risk – This capability, known as “Conditional Access Risk Policies”, comes with Azure AD Identity Protection. It allows you to track unusual sign-in activities and risk events based on access trends and to implement advanced protection. Global and multi-region companies will benefit a lot from this capability.

  • Device Based Access (Control what you want to allow access)

Enrolled Devices – Using Microsoft Intune, you can use device-level access to ensure that only MDM (Mobile Device Management) enrolled devices are allowed to access resources. Intune can validate whether the device is enrolled with MDM. Device-level access also ensures that only devices matching the policies you have configured (such as forcing file encryption on a granted device) are allowed access. You can even remotely wipe the content of a stolen or misused device using MDM solutions.

The best part is that it’s not just limited to the cloud: you can also use device-based access policies to control your on-premises resources, or even cloud-based SaaS or line-of-business applications.

What does this Preview bring you?

This release is a much-awaited capability for most organizations and a huge step for the access policy framework. Conditional Access for CRM and Yammer has already been there, but for SharePoint and Exchange especially, the call has been ringing for quite a long time.

These three conditions are released for SharePoint and Exchange Online as a preview. Microsoft recommends enabling these policies alongside the risk-based conditional access policy available with Azure Identity Protection.

  • Always require MFA
  • Require MFA when not at work
  • Block access when not at work

Conditional Access policies are supported for browser-based access to Exchange Online, SharePoint sites and OneDrive, and even for desktop applications that use modern authentication mechanisms.

These are the desktop and mobile applications connecting to Exchange and SharePoint that Microsoft has tested so far.

  • For Windows 10, Windows 10 Mobile, Windows 8.1, Windows 7 and Mac
  • Outlook, Word, Excel and PowerPoint in Office 2016
  • Outlook, Word, Excel and PowerPoint in Office 2013 (with modern authentication enabled)
  • OneDrive Sync Client (with modern authentication)

For iOS

  • Outlook Mobile App

Resources:

Detailed Explanation of Azure Ad Conditional Access

Conditional Access Policy Support for Mobile Devices

Original Announcement