SharePoint 2013 LoopBack Check keeps prompting your for authentication

If you remotely manage your SharePoint farm you probably (see below) don't need to worry about the following, but if you remote desktop to the farm and run tests, you will find that the server keeps prompting you for additional authentication or giving you a Server 500 internal error. This is because of a "loopback" security check that recognizes that you are viewing a local website.

1.      Granularly add each SharePoint hostname or hostheader URL that you might access in a loopback fashion (in the registry)

2.      Disable the Loopback check entirely (in the registry)

 

METHOD 1:

1.      Open Regedit.exe and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

2.    Right-click MSV1_0, point to New, and then click Multi-String Value and create “BackConnectionHostNames”

3.      Right-click BackConnectionHostNames, and then click Modify and in the Value data box, type: <URL> and then press Enter.

4.      Repeat the last step for all URLs that SharePoint hosts locally

5.      IISReset /noforce on your servers will be necessary (or possibly a reboot)

 

METHOD 2:

1.      Open Regedit.exe and manually configure HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa in registry and create the dword32 for DisableLoopbackCheck, modify the value to 1

2.      OR: Use a PowerShell script (nice since you’ll probably want to do this on each Web Front End)
New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -value "1" -PropertyType dword

3.      IISReset /noforce on your servers will be necessary (or possibly a reboot)

 

 Oh... and what was that probably all about earlier? Well sometimes there may be web apps that perform authenticated local referencing that need this same trick to function correctly!

Majorbacon's guide to Correctly Granting Active Directory permissions for SharePoint Server 2013 One Way or Two Way profile synchronization

SharePoint user profiles are an important part of getting the most out of SharePoint social components and Managed Metadata Service. But to get it working correctly you'll need to correctly delegate permissions to the User Profile synchronization account so that it can safely penetrate Active Directory. There are several components depending on the nature of your synchronization model and your domain environment.

There are two methods to accomplish this, depending on a Production or Development environment:

Method 1: Production

Grant the granular, least privilege style permissions needed for the User Profile synchronization account to do its job of moving user attribute changes to and from Active Directory. There are four questions you have to ask yourself to know which steps you need to take?

Do I want to pull down changes from AD?
Then do Step 1 - Grant Replicate Directory Changes on the configuration Partition

Do I want to push up changes to AD from SharePoint?
Then do Step 2 – Grant Create Child Objects and Write Permissions on OUs
 
Does my NETBIOS domain name not match my DNS domain name?
Then do Step 3 – Grant Replicate Directory Changes on the configuration Partition

Do I have any 2003 Domain Controllers in AD?
Then do Step 4 – Add membership to the Pre-2000 Compatible Access group

Step 1: To grant "Replicate Directory Changes" permission on the domain

1. Launch Active Directory Users and Computers (ADUC) against a DC
2. Right-click the domain itself, and choose "Delegate Control"
3. Add: your User Profile synchronization account
4. Choose: "Create a custom task to delegate"
5. Choose: "This folder, existing objects in this folder, and creation of new objects in this folder"

Step 2: To grant Create Child Objects and Write permission on OUs

1. On the domain controller launch adsiedit.msc from Start
2. If the Default naming context node is not already present, do the following:
1. Select the root ADSI Edit node and from Action menu click “Connect to”
2. Under “Select a well know Naming Context” choose “Default naming context” and click OK.
3. Expand the domain and child nodes until reaching the OU to which you want to grant sync upload access, then right-click and select Properties.
4. Select the Security tab and click Advanced.
5. In Advanced Security select the User Profile synchronization account (which should be present from completing step 1). Ensure that its value in the Inherited From column is <not inherited> and then click Edit.
6. Under “Apply to” select “This object and all descendant objects” and then allow ”Write all properties” and “Create all child objects” permissions
7. Click OK and close dialog boxes
8. Repeat this process for all OUs where accounts will be modified by the User Synchronization account of SharePoint

Step 3: Grant "Replicate Directory Changes" permission on the configuration partition of AD

1. As an Enterprise Administrator open adsiedit.msc use the Action Menu to "Connect to" the "Configuration" naming context
2. Expand and right-click the CN=Configuration node and choose Properties
3. Select the Security tab.
4. Add the User Profile synchronization account and grant 
5. In the Group or user names section, select the synchronization account and allow "Replicating Directory Changes", click OK and close

Step 4: Add Sync Account to the Pre-Windows 2000 Compatible Access Group

1. In Active Directory Users and Computers expand the domain, and select “Builtin”.
2. Right-click the Pre-Windows 2000 Compatible Access group, and choose Properties.
3. Select the Members tab, and click Add
4. Add the User Profile Synchronization Account, click OK and close
   
    

Method 2: Development-Only

Quick and dirty, but does NOT conform to best practices of least privilege assignment: Just add the service user account of the User Profile synchronization account to the Enterprise Administrators group! This group has full control to the entirety of Active Directory, so this method works, but of course means that your service account, if compromised, could lay waste to your entire AD infrastructure. Only do this in isolated testing environments. (Oh, plus you'll still need to manage that Pre-Windows 2000 Compatible Access Group if you've got some legacy Windows 2003 domain controllers... but please tell me you don't!)

 

 

Performing an Upgrade of SharePoint 2013

Thoughts on http://technet.microsoft.com/en-us/sharepoint/fp142375.aspx
Upgrade Process for 2013: http://zoom.it/UA5Y#full

First: Prepare and Plan

• Plan for performance during upgrade
• Inventory Everything!
• Plan for site collection upgrade
• Create plan for current customizations during upgrade
• This is the NUMBER ONE THING that will need verification
• Clean up an environment before an upgrade
• Make sure everything is fixed (don't migrate broken stuff)
• Make sure it is clean (don't migrate unneeded) 

Then: Upgrade the Databases, Upgrade the Sites

• Use a trial upgrade to find potential issues
• http://zoom.it/Ips0#full
• Think about using Virtual Test Farms and/or Windows Azure
• Define this through scripting for consistency from virtual test to production
• Upgrade databases
• Copy Databases
• Upgrade Service App Databases First
• Create Web Applications, apply customizations, and Test-SPContentDatabase 
• Mount-SPContentDatabase
• Checklist for database-attach upgrade
• Upgrade site collections
• Site Collection Health Checks
• Try before you buy with Evaluation Site Collections
• Upgrade the Site
• Review upgraded sites
• My Sites: upgrde the My Site Host Site Collection and browsing MySites will trigger upgrade automatically

Verify and Troubleshoot

• Verify upgrade
• Troubleshoot database upgrade issues in SharePoint 2013
• Troubleshoot site collection upgrade issues
• Migrate from classic-mode to claims-based authentication
• This is another big one - make the move to claims-based authentication!

Side Note: Updating SharePoint (Patches and Service Packs)

• Be careful with updates - they take a while, and can break things.
• For Example: Service Pack 1 breaks Foundation Search
• ToddKlindt.com 
• take a look at bugs, notes, and regressions with
• Why SharePoint 2013 Cumulative updates take 5 hours to install
  (how to script shutting down services for a faster patch process)

 

Video: Using NETSH to change your IP address

Know your Ports!

Like many of you, I have used the windows utility of NETSTAT -a to reveal to me what port connections I have made when I (or the operating system) are connected to an outside resource. 

Note that you can see the local and remote systems and their local and remote port numbers (If instead of port numbers you see "isakmp" or "http", Windows looked up a nice label for the well-known-port reference from c:\windows\system32\drivers\etc\services file.

 

To complement this, let me suggest that you check out the Windows Resource Monitor available in Windows 7 and later. Open from Start or Task Manager.

Once inside, take a look at the networking tab:

 

As you can see, this utility will tell you the process ID (and goes ahead and looks up the process name) that goes with any assigned Port.

 Whether you are running Windows Server or Client software, it can be very nice to see exactly where your system is going when it thinks you're not paying attention - Think malware, viruses, gamers, etc.

 Remember, a port number is just a network convention used to find the right application on a system that is expected to speak a certain language. There is nothing that prevents an ftp client from making a request on port 25 rather than on port 21, but the problem is that the SMTP server service bound to Port 25 is expecting SMTP formatted email communications, not FTP file transfer requests!

 

The OSI 7 Layer Model

I might know what you are thinking. Because its probably what I'm thinking. The OSI 7 layer model? Really? I know, I know. This is a subject on which there is absolutely NO END of publication. Its the model that wouldn't die!

Nevertheless, I feel compelled to try my best to expand on this subject, because after having presented it many times, I often have students tell me that this time they get it. So maybe there's something in this presentation on the subject that will do the same for you.

So we will begin at the beginning.

Before considering the official 7 layer burrito, consider the following: In order for two computers to be able to "talk" to one another, they will need to have some things in common.

1. They need common "air" to communicate through (the wire),
2. something plugged into that wire that can know when and how to "speak" and "listen" (the network card).
3. They must speak and hear the same "language" (protocols).
4. Finally, they need to have "something relevant" to say to one another (network applications and services).

The OSI 7 layer model is simply a slightly more detailed diagram of the basic model that we have just worked out.

So let's look at the layers of the OSI model.

Layer 7: The Application Layer. This is the top layer, the most complicated, and what begins the initial process of communication. Layer 7 represents the language that is shared by two networking applications. Examples of protocols that are at the Application layer include HTTP, HTTPS, FTP, SMTP, Kerberos, DNS, and many more. Note that the application layer doesn't quite represent an application itself. For example, you have many web browsers (Opera, Internet Explorer, Firefox) and web servers (IIS, Apache...) that all share the common application protocol of HTTP and HTTPs. So when a web browser makes a request of a a web server using the common language of HTTP requests and responses can be made for web based data. Application protocols are often associated with specific port numbers (Port 80 for HTTP, port 53 for DNS, etc). Port numbers are simply conventions for values that are associated with a particular particular process. For Example IIS or Apache could be listening on port 80, but not both. Only one process can be bound to port 80.

Layer 6: The Presentation Layer.  Sometimes (which means not always), an application needs to alter the information that it is going to send over the internet into a format that is more appropriate for network travel. Two common changes to presentation are Compression (think of all the internet compressed file types, such as .jpg, .mp3, .wmv, etc) and Encryption (like Secure Sockets Layer, SSL for HTTPS). The application makes a call for this additional processing before sending the data, and the data must be converted back to its original format before it can be processed by the application.

Layer 5: The Session Layer. Many applications expect there to be a persistent connection between the two programs that are running over the network. This means that a network application usually doesn't begin with a request for data, but instead requests a session with the other application. Once the two programs have "sniffed tails" (figured out the rules for their session) data can actually be sent. My client port for http expects that that server's http port will remain open unless send a "goodbye" signal.

Layer 4: The Transport Layer. The application performs a handoff to the operating system, and depending on the application, will specify a certain preinstalled transport protocol to be responsible for delivery of the data. The two most likely handoffs are to Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). TCP provides "guaranteed" delivery, in which the block of data is broken down into segments, and each segment is verified received by the recipient or it is sent again. (Like ordering something online, if you only got half of the content shipped to you, you'll request that the company attempt to send the rest again).  UDP, on the other hand, is a "best effort" delivery protocol. UDP will simply send the data to the destination, and any validation of receipt is up to the application layer protocol.

Layer 3: The Network Layer. The network layer is responsible for logical addressing and routing. Logical addressing is like your street address. It describes where you live, and will change if you move.  A snail mail address is not really a description of you as a person, but is needed for you to receive those important credit card offers from the banks. The Internet Protocol (IP) is the star of this layer, and your computer owns an IP address so that IP routers can deliver the data to you from remote networks. Once the data gets to the local network its time to move to the next layer...

Layer 2: The DataLink Layer. The DataLink layer is all about physical addressing and local physical delivery. Different network adapters have differing methodologies to determine when they may "speak" on the network and how to "listen". Ethernet Network Cards uses an access method called CSMA/CD unless you have a full duplexed switch. Wireless network cards use CSMA/CA to do the same thing.  How do they know that data on the wire is meant for them?  Every Ethernet network card is stamped with a MAC address which represents that NIC as a unique entity on the local network. Your MAC address is like your Social Security Number. It keeps you unique for the purposes of HR at your business, but it can't be used to tell them where you are. But if someone shouted out "would the person with SSN 234-52-2342 please stand up? I found your wallet with your SSN card inside!" You would get the message. But it only works if the person shouts out that message in the room your in. It wouldn't do that person any good to ask the post office to deliver your wallet based upon the known SSN value. In the same way, MAC addresses are used to communicate with the right node on the network, but never between networks. So... Network Cards are Layer 2 Devices.  Bridges and Switches forward local packets to the correct switchport based upon building a table of all known MAC addresses and the port that holds them, and are therefore layer 2 devices as well. ATM, Frame Relay, and MPLS are all layer 2 protocols, but these are used to between two nodes that are on a local Wide Area Connection Link, rather than a local link.

Layer 1: The Physical Layer. This is the dumb-as-dirt media that carries the signal from point A to point B. Cat 5 UTP cable, copper coax cable, fiber-optic cable, rj-45 connectors, MJ connectors, 2.4 Ghz bandwidth, clocking signal rates, modems, repeaters, and hubs are all layer 1 components. Note that Switches, Bridges, and Network cards all do have a physical aspect to them (you can bang them on a desk, right?), but the highest layer that they reach is layer 2. A router is physical as well, but the highest layer it reaches is layer 3.

Top down, bottoms up?

Communication is triggered from the top down, sent over the network and read from the bottom up.

Failure of any lower layer preempts the success of any higher layer.

The application/service is associated with layers 5-7
The OS protocol stack is associated with layers 3-4
The drivers and hardware are associated with layers 1-2

Even a stopped watch tells the right time twice a day, so if your network goes down, don't panic!

 

How do I make an Outlook Template?

Word, Excel, and PowerPoint all have easy template options for creating new documents based upon a sample file. Outlook, however, does not make it quite as easy! I needed to keep creating the same email on a daily basis, so here's what I did:

1. Create a sample file in Outlook:
   
   
   
2. Then we need to save this sample email as a template file, just like we would in Word or Excel. Pay close attention to where you are saving this file. You will need the complete path to the file in a minute.
   
   
   
3. Now we are going to create a macro that will let us open a new email from a template, something that is NOT available in Outlook like it is in the other office products. Additionally, Outlook does not let you record macros, only write them in visual basic code. Fortunately, our code will be short and sweet. First we need to go to the "Developer" tab and click "Visual Basic"
   
4. A "Microsoft Visual Basic for Applications" (also known as VBA) window will open. Right Click on "ThisOutlookSession" and choose to "Insert" a "Module". This will give you a window where you can enter some lines of instructions.
   
   
5. Now we need to enter the following code into the right-hand window. Replace red italicized words with your own counterpart.
   
   Sub NAME_OF_TEMPLATEMACRO()
   Set newItem = Application.CreateItemFromTemplate("c:\folder\template.oft")
   newItem.Display
   Set newItem = Nothing
   End Sub
   
   Here is an example in my case:
   
6. Now save and close the developer window. Before you can use your new macro you need to enable support for macros in Outlook. On the "Developer" Tab Click "Macro Security". This will open the "Trust Center" window where you can configure "Macro Settings". To enable macros without prompting choose the 4th radio button labeled "Enable all macros." To enable macros with a dialog prompt each time choose "Notifications for all macros". Click "OK" and Close Outlook, and then reopen Outlook to reinitialize Macro Security Settings.
   
7. Now that Macros are enabled, you can launch your template from the developer tab under Macros:
   
8. This opens your template up as a new file, but is not a very convenient. What would be nice is a shortcut in the Quick Access Toolbar above that would be available while looking at any tab! Here's how. Click on the dropdown arrow at the right hand side of the Quick Access Toolbar:
   
9. In the "Outlook Options" window that opens choose "Macros" from the list of command types to choose from:
   
10. Find your macro in the list of commands below and then click "Add" so that a button for the macro will be added to the Quick Access Toolbar. Then click "Modify" so we can change the appearance of the button:
    
11. Pick the most meaningful Icon you can find from the symbols given and click "OK" and then "OK" on Outlook Options" window.
    
12. You will now see your Icon on the Quick Access Toolbar from the moment you open up Outlook:
    
13. Click your Icon and you will see your template appear as a new email, waiting to be completed!
    

So there you have it. Microsoft Outlook has templates, but you need to be a little bit crafty to make them easy to use. May all your emails be delivered on the wings of internet eagles, and you inbox be spam-free.
-Majorbacon

 

Seriously People - Learn to Search!

Like most of you, I have grown indebted the wealth of information that is available on the World Wide Web. I'll research the inner workings of some new and exciting products, or I'll try to wrestle the last dying gasps out of a service that is on its last legs. I'm constantly finding using the website knowledge bases, but it is challenging using their internal search engines. But the big boys of search technologies find what I need... but also find about 100,000 forum items that I don't care about at the moment.  I am often surprised that many IT pros don't know how to isolate their web searches using a few simple parameters to their search engine queries so that they are only getting what they want. Whether you Bing or Google these days, these two simple tricks can help you find what you are looking for faster.

Tip #1: Get what you want, where you want it!
When researching a problem by typing in an error code or symptom into a search engine, I often get a flood of links to forums. Don't get me wrong - forums are one of the most powerful collaboration techniques on the Internet, and the natural evolution of the older newsgroups. It's just that sometimes, what I really want is a search result that comes straight from the Microsoft knowledge base, the MSDN site, the Cisco web site, or Amazon. Or... sometimes I specifically want to exclude a site that sends a lot of results I don't want. Let's say the search was for exchange 2007 OWA errors and I did a normal search:


You'll notice the results are all over the map on various web sites.
Now we'll try it again with a small addition to the query:


Did you see the difference? I added to the original query the phrase site:support.microsoft.com/kb. By doing this, the search engine will exclude any results that are not in from the Microsoft knowledge base. If I was researching standard documentation for OWA, I would have added site:technet.microsoft.com. If I was looking for technical books on exchange and OWA, you guessed it, I would have added site:amazon.com. It's just that easy. And of course, if I don't care what site the content comes from but I just want to exclude the 100,000 hits from MSexchange forums from my results, then I would add:
-site:forums.msexchange.org.
The minus sign before the site will add the Boolean NOT to my search, keeping me forum free for this lookup.

Tip #2: Look for what you want in the format you want it.
These days, some of the clearest insights on technology are presented in a non-web format, such as PDF or PowerPoint. So, if I'm looking for a walkthrough on a technology, I'll often include the filetype: phrase in my search, as listed below:

So I'm curious about the new features in Windows Server 2008, and I'm willing to bet that more than one someone has created a concise (unlike the corporate web pages) presentation on the subject. Of course, if I want to ensure that I'm not just getting the "yes man" verbiage on the subject, I could combine our two search tips, making it new features "Windows Server 2008" filetype:ppt -site:microsoft.com.

But I do this all the time! This is too much typing!
Stop whining! If you do certain advanced searches often, you could also "save" the advanced settings as custom searches in Internet Explorer's search provider. This little gem in the corner lets you create custom searches, that are based upon entering TEST in the search engine and then copying the url to the utility. Guess what? If you type TEST site:microsoft.com filetype:pdf you will get a search engine that looks for pdfs exclusively on microsoft's site! Well gang, I hope this helps you to speed up all your searches on Microsoft Windows Server, SQL, SharePoint, your Cisco Router or the latest version of Ubuntu!