If you find that once you have configured FBA with SharePoint 2016 that you are unable to do the following with Office 2013 / 2016

Issues

1. Open Office Documents directly from Libraries
2. Export to Excel
3. Open with Explorer
4. Open a site with SharePoint Designer

However, if Office 2010 is installed you will be able to

1. Open Office Documents directly from Libraries
2. Export to Excel
3. Open with Explorer

Also, you will note you click export to excel on the ribbon from a list or library as soon you open the .iqy in excel it’s going to pass the List GUID along with the View GUID to _vti_bin/lists.asmx which due to authentication is going to fail and you will get stuck in an endless authentication loop. By this point you realize that Office 2013 / 2013 Client Integration with SharePoint Server 2016 does NOT work.

If you open fiddler and capture the results of the session you will find that you’re getting a 403 and X-MSDAVEXT_Error: 917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically.

There is an obscure security update for SharePoint Server 2016: June 13, 2017 that will allow you to resolve this issue. However, it doesn’t mention the issue of FBA, Office 2013 or any of the issues listed above. But by running the following PowerShell cmdlets you will be able to use Office 2016 and 2013. However, it will break your ability to use the client integration with Office 2010.

Resolution: Open the SharePoint 2016 Management Shell and at the SharePoint 2016 Management Shell command prompt, type the following commands:

$sts = Get-SPSecurityTokenServiceConfig
$sts.SuppressModernAuthForOfficeClients = $true
$sts.Update()

Restart Internet Information Services (IIS). To do this, run the following command:

iisreset /restart

Restart the SharePoint Timer Service (SPTimerV4). To do this, run the following commands:

Net Stop SPTimerV4
Net Start SPTimerV4

Run the following commands to verify that the change is made:

$sts = Get-SPSecurityTokenServiceConfig
$sts.SuppressModernAuthForOfficeClients

The last command should return True.

One of the SharePoint 2016 environments at Rackspace worked and others the SharePoint environment needed to be rebooted…

What made this more fun, is during this period a few of the clients engineers also started modifying their registry to get WebDav working…We had to reset these users registry and clear the webdavs cache for Office and delete the Keys below HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Common\Internet\Server Cache\ then restart the WebClient… Open Services and scroll down to Web Client, right click and choose restart

Reference:

• How modern authentication works for Office 2013 and Office 2016 client apps
• Enable Modern Authentication for Office 2013 on Windows devices
• Description of the security update for SharePoint Server 2016: June 13, 2017
• Making Microsoft Office to Work with WebDAV Server

Its clear that On-Premise environments are NOT getting any love as everyone has access to Microsoft Office 365 and its too easy to focus only on this clients..I’ve been hearing for years that:

On-Premise is dead, LONG LIVE ON-PREM!!!!

Cheers,

Ivan

No Comments

SharePoint Saturday returns to Southern California Pass it on to your colleagues and keep that calendar fresh. We have room for 18 more people!April 8th 2017 will mark the return of SharePoint Saturday Los Angeles. SharePoint administrators, end users, architects, developers, and other professionals that work with Microsoft SharePoint, Azure and Office 365 Technologies will meet for the SharePoint Saturday Los Angeles event on April 8th, 2017 at the Westside Conference Center Pepperdine University located at 6100 Center Drive, Los Angeles CA.  Come join us for some of the leading Engineers and MVPs for a day of this FREE one day conference. Breakfast and lunch will be provided. Register now, to reserve your space. Visit the site for more information on sponsors and speakers. http://www.spsevents.org/city/losangeles/losangeles2017

No Comments

Everyone uses a certificate when requiring authentication on an internet facing site. However it’s surprising how many folks don’t take the time to understand SSL/TLS. Securing SSL/TLS protocols is a pretty common thing to do on any Windows Server running IIS and web applications that uses HTTPS, especially if they require some sort of compliance. It is a good idea to do this on all of your servers in your SharePoint farm, to ensure your secure connections really are secure. It’s also important to note that while I have several SharePoint 2016 environments where I have removed both TLS 1.0/1.1. However, I have not removed TLS 1.1 from the any of my SharePoint 2013 environments. However, all of my clients with SharePoint 2013 are using a HW Load Balancer like the F5 and have offloaded SSL and removed TLS 1.0/1.1 using the HW…

All Microsoft Windows devices using SSL/TLS protocols use SCHANNEL, where you have to install something like OpenSSL on Linux. You may also notice that while OpenSSL has more security vulnerabilities they tend to respond quickly to them. However, Microsoft has been disappointingly slow in updating the cryptography stack in its OS and Applications. Note: there may be flags when running SSL Lab scans against your servers that you may not be able to resolve at this time. This may also apply to the availability of the latest cipher suites as well.

All of the configuration changes to SCHANNEL are stored in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

The first time I created a GPO to Configure SSL/TLS, and deploy to the farm. I spent a few days with Regedit and reading technet, I recommend using IISCrypto from Nartac to make the changes to ensure the process goes a smooth as possible on your first server then after reboot, exporting the SCHANNEL Key for use with a GPO to automate the deployment for all additional servers in your farm

You can use the following command to export up the SCHANNEL registry settings prior to making the changes and again after for use with the GPO, should you need to restore it: reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ SChannel-Export.reg

Known issues

There are a few gotchas when making modifications to SCHANNELL on Windows, please QA as necessary in the lab prior to deploying to production:

1. SQL Server used to require TLS 1.0, when you disabled it your SharePoint Servers would not be able to communicate with the SQL Cluster. Please review the information about the SQL updates and additional known issues using the following link TLS 1.2 support for Microsoft SQL Server, then download and install the appropriate SQL Updates. All versions prior to SQL Server 2016 require the updates regardless of Service Pack or Cumulative Update
2. Please make sure you download and installed KB3080079 if you are running a version of Windows Server prior to Windows Server 2012 or RDS/RDP will break when after disabling TLS 1.0 and rebooting. Note: If you are using IISCrypto you may see a pop like the following screenshot after reviewing TLS 1.0/1.1

   

    

3. Older clients > Windows XP and earlier may not be able to connect if they do not support the newer SSL/TLS technologies and you disable the older ones. Out of the box Windows Server is configured to be relatively compatible with older clients, which in turn makes it less secure. You can find a complete browser compatibility list here: https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers
4. Qualys will ding you for supporting 1024 bit DHE groups, and will recommend DHE key exchanges be increased to 2048 bit or disabled, but 1024 is the limit on all versions of Windows prior to Windows 10 at this time.
5. Be sure to thoroughly test your applications after making any changes, mainly looking for connection failures over HTTPS. The errors will be listed in the system event log with SCHANNEL as the source

The following configuration works with most modern software (Windows Vista and newer) while providing a relatively robust SSL/TLS configuration, and earning an A ranking on Qualys’s SSL Labs tester.

IISCRYPTO

1. Download IISCrypto and apply the “Best Practices” Template
2. Use The Best Practice Template; Click Templates, Use the drop Down choose Best Practice, then click Apply
3. Disable TLS 1.0 Assuming SQL updates have been applied and KB3080079for RDS/RDP has been applied
4. Disable MD5 under Hashes enabled
5. Click Apply
6. Reboot
7. Test your site with Qualys’s SSL Labs tester

QUALYS SSLLabs Ranking

No Comments

Recommendations

The following are recommendations to proactively manage the growth of data and log files:

When possible, increase all data files and log files to their expected final size, or periodically increase these at set periods, for example, every month or every six months, or before rollout of a new storage-intensive site such as during file migrations.

Enable database autogrowth as a protective measure to make sure that you do not run out of space in data and log files. Consider the following:

Important:

You must factor in the performance and operations issues associated with using autogrowth. For more information, see Considerations for the “autogrow” and “autoshrink” settings in SQL Server.

Default Settings

The default settings for a new database are to grow by 1 MB increments. Because this default setting for autogrowth results in an increases in the size of the database, do not rely on the default setting. Instead, use the guidance provided in Set SQL Server options.

Set autogrowth values to a fixed number of megabytes instead of to a percentage. The bigger the database, the bigger the growth increment should be.

Note:  Use care when you set the autogrowth feature for SharePoint databases. If you set a database to autogrowth as a percentage, for example at a 10-percent (%) growth rate, a database that is 5 GB grows by 500MB every time that a data file has to be expanded. In this scenario, you could run out of disk space. or the db could be 100gb and growth would be 10gb every time the file needed space

Consider for example, a scenario where content is gradually increased, say at 100MB increments, and autogrowth is set at 10MB. Then suddenly a new document management site requires a very large amount of data storage, perhaps with initial size of 50 GB. For this large addition, growth at 500 MB increments is more appropriate than 10MB increments.

For a managed production system, consider autogrowth to be merely a contingency for unexpected growth. Do not use the autogrow option to manage your data and log growth on a day-to-day basis. Instead, set the autogrowth to allow for an approximate size in one year and then add a 20 percent margin for error. Also set an alert to notify you when the database runs low on space or approaches a maximum size.

Maintain a level of at least 25 percent available space across drives to accommodate growth and peak usage patterns. If you add drives to a RAID array or allocate more storage to manage, monitor capacity closely to avoid running out of space. Setting autogrowth to use MB verse %  along with changing the autogrowth MB size will create less fragmentation than using the defaults, this SQL Query makes it easier to modify a large number of Dbs.

-- Query to Set File AutoGrowth

SELECT
    DB_NAME(mf.database_id) database_name,
    mf.name logical_name,
    CONVERT(DECIMAL(20, 2), (CONVERT(DECIMAL, size) / 128)) [file_size_MB],
    CASE mf.is_percent_growth
        WHEN 1 THEN 'Yes'
        ELSE 'No'
    END AS [is_percent_growth],
    CASE mf.is_percent_growth
        WHEN 1 THEN CONVERT(VARCHAR, mf.growth) + '%'
        WHEN 0 THEN CONVERT(VARCHAR, mf.growth / 128) + ' MB'
    END AS [growth_in_increment_of],
    CASE mf.is_percent_growth
        WHEN 1 THEN CONVERT(DECIMAL(20, 2), (((CONVERT(DECIMAL, size) * growth) / 100) * 8) / 1024)
        WHEN 0 THEN CONVERT(DECIMAL(20, 2), (CONVERT(DECIMAL, growth) / 128))
    END AS [next_auto_growth_size_MB],
    CASE mf.max_size
        WHEN 0 THEN 'No growth is allowed'
        WHEN -1 THEN 'File will grow until the disk is full'
        ELSE CONVERT(VARCHAR, mf.max_size)

    END AS [max_size],
    physical_name
FROM sys.master_files mf
ORDER BY database_name

Download: Set_AutoGrowth4AllDbs.sql

Ivan

No Comments

Tempdb Multiple Files

One of the important issues when hosting multiple Content Dbs with multiple terabytes data is to ensure that you have created a TempDB with additional files of the same size and once created move teach of the files to their own Volume.

Do NOT use ISCSI for SQL Dbs

In this case we are using a NetApp SAN with Fiber Chanel HBAs as iSCSI does NOT meet our SQL performance requirements. I Microsoft provides multiple whitepapers against using iSCSI for SQL Dbs. Also, I have seen performance degradation using iSCSI once the ContentDBs reach about 50GB in total size. Using Fiber Chanel I have been able to host multiple terabytes of ContentDbs without any degradation in performance.

Hardware

This server has 2 PROCS with 24 Cores, and 128GB of RAM with tempdb having 1 MDF, 2 NDF, and 1 LDF files on separate LUNS.. We used this script to move the original tempdb files to the SAN and then once provisioned to move the NDF files to separate LUNs.

NAME = Tempdb file Logical Name

FILENAME = the New path with existing filename where you want the file moved

Screenshot of OLD Locations

Screenshot NEW Locations

-- Query to Move tempDB

SELECT
    name,
    physical_name AS CurrentLocation
FROM sys.master_files
WHERE database_id = DB_ID(N'tempdb');
GO

USE master;
GO

ALTER DATABASE tempdb 
MODIFY FILE (NAME = tempdev, FILENAME = 'K:\MSSQL\Data\tempdb.mdf');
GO

ALTER DATABASE tempdb 
MODIFY FILE (NAME = templog, FILENAME = 'L:\MSSQL\Data\templog.ldf');
GO

SELECT
    name,
    physical_name AS CurrentLocation,
    state_desc

FROM sys.master_files

WHERE database_id = DB_ID(N'tempdb');

Note: you will need to restart the SQL Server Instance to have the move take affect

Download SET_TempDBLocation.ps1

Ivan

1 Comment

IIS-Reset.ps1

One of the many things scripts are good for in general  is making repetitive tasks easier and the results more consistent. PowerShell takes it to another level with its intuitive cmdlets . I find it much easier run a script from my laptop or log into a single server rather than using MSTSC to login to every server in the farm, I am working in a SharePoint environment of 25 servers, so it wouldn’t definitely be a drag..

PowerShell Script

<#    IIS-Reset.ps1
Run IISReset on Multiple Servers #>

#Specify servers in an array variable
[array]$servers = "Server1","Server2","Server3","Server4"

#Step through each server in the array and perform an IISRESET
foreach ($server in $servers)
{
    Write-Host "Restarting IIS on server $server..."
    IISRESET $server /noforce
    Write-Host "IIS status for server $server"
    IISRESET $server /status
}
Write-Host IIS has been restarted on all servers

Download http://1drv.ms/1ZjF889

Ivan

No Comments

Like most folks who upgrade their SharePoint 2013 farms after they have applied the latest SharePoint 2013 CUs to the SharePoint side of the environment they will usually still have 2 WAC servers and at least 3 WFM servers left to apply and configure updates. This may depend on release of the updates as the Service Bus and Workflow manager updates do not coincide with the monthly delivery of SharePoint 2013 CUs.

Upgrade-WAC.ps1

The reason for this post is to make it easy for me (not to forget) updating the WAC Servers / Office Web App Farm. Updating the Office Web App farm is somewhat unique in that you remove the farm prior to the installing the CU then create a new farm after the cumulative update installed

PowerShell Script

# Update-WAC.ps1
# Add July 2015 CU

Import-Module -Name OfficeWebApps 

# Review the Current State of the Office Web App Environment
Get-OfficeWebAppsFarm 
Get-OfficeWebAppsHost 
Get-OfficeWebAppsMachine 
cmd /c pause 

# Remove OfficeWebAppMachine prior to installing Cumulative Update
Remove-OfficeWebAppsMachine
cmd /c pause

# Install the Cummulative Update while paused

# Configure Office WebApp Farm after installing the updates
# If using HTTP remove comment below
# New-OfficeWebAppsFarm -InternalURL "http://wac.contoso.com" -AllowHTTP -EditingEnabled

New-OfficeWebAppsFarm -InternalURL "https://wac.contoso.com" -ExternalURL "https://wac.contoso.com" -CertificateName "wac.contoso.com" -EditingEnabled
cmd /c pause

# Open IE to test and ensure the New OfficeWebApps Farm is configured
$ie = New-Object -ComObject InternetExplorer.Application
$ie.Navigate("https://wac.contoso.com/hosting/discovery.ashx")
$ie.Visible = $true

If successful your browser will open and will look the example below

Download http://1drv.ms/1JCmcKm

Ivan

No Comments

SharePoint 2013 and Metalogix Content Matrix

SharePoint is mission-critical and users demand availability. Content Matrix allows you to migrate SharePoint by site collection, site, list, library, business unit, or department with zero downtime. Run old and new farms in parallel and test and re-arrange as often needed. Along with the Re-Organizer feature empowers your site collection owners and users, to manage SharePoint sites, content and metadata on an ongoing basis to keep in sync with business needs. All of my clients love this tool as it makes their environments more flexible and now with Re-Organizer we are enabling the site owners to more easily manage their site structure.

Error on Installation of Content Matrix 7.3.0002

During the installation of the Online edition of Content Matrix version 7.3.0002 while installing Metalogix Extensions Web Services you will see the error "MD5 check failed for the current file to be staged, the file may be corrupt" in the screenshot to the left. However, the installation will continue and complete. Also, if you go to the location in your AppData Folder and copy the "Metalogix SharePoint Extensions Web Service Setup.msi" it will run locally without any issues. The error appears to be related to the msi not matching the online manifest

Error Copying List Views Content Matrix 7.3.xxxx

Unfortunately, the installation error is not the only issue. The infamous "Object Reference not set to an instance of an object" error occurs when you attempt to copy list views. However, if you copy the complete list all views are included in the copy. In looking at the error details it appears to be caused by a dialog box, this makes sense as it never creates the job or writes to any log.

Error Copying Sites Lists or Library’s  Content Matrix Organizer 7.3.xxxx

The last symptom was when attempting to copy / move anything  using the Reorganize from the Widget Drop Down or the Ribbon of the list…

We initially found and reported these errors on 12/18/2015..

At first we thought incorrectly the error only occurred after an upgrade from an earlier version of Content Matrix, after further testing we found the issues existed in all 7.3.x versions whether installed as part of an upgrade or installed in a pristine environment. As always Metalogix Content Matrix is our favorite tool for SharePoint Migrations whether on-prem or online and Metalogix support is very helpful.  The only resolution at this time is to revert to a previous version Metalogix Content Matrix version 7.2.0017

Ivan

No Comments

It appears to be an IE issue when clicking on the New Document Drop down from the ribbon using fiddler4 there are not any results returned, probably jscript or jquery … I am running IE11 and I have tested IE10 which exhibits the same behavior. I haven’t tested on earlier versions yet.

However, if you open with Mozilla the Microsoft Office is blocked until you Allow Mozilla to open Office Documents and then Default open behavior for browser-enabled documents works as expected. In other words when the library is set to open ion the browser (via WOPI) the documents open in the browser, when set to open in the client application, the docs open in the client as expected..

1. Click On Allow

2. Then choose to Allow remember

3. Then choose OK,

4. Click on New Document one more time to open from the ribbon

Note: this only occurs if you have WAC installed and configured WOPI with SharePoint. Also, you only have to go to library settings to set the Default open behavior for browser-enabled documents: to Open in the client application, you don’t have to set the site collection… I will resolve as time permits

Cheers,

Ivan

No Comments

It seems like everyone NothingButSharePoint and Microsoft Office and Microsoft Bogs states that you can not embed unless your using Office 365 (this may have been due to using SharePoint 2010). There are many more post and articles that require you to use Onedrive.. There are probably many better ways to sharing Content using WAC with multiple farms and SharePoint On-Prem and I would enjoy hearing about how you have solved this issue

Embed a PowerPoint Presentation from a source SharePoint Farm and render the presentation in a target SharePoint Farm using CEWP

1. Go to http://focalpoint.cotoso.com and search for PPTX

2. Use the Drop Down, Choose embedded information, and Copy All

3. Go to http://learning.fabricam.com

5. Add Content Editor WebPart

6. Click Inside the WebPart Choose the Orange Insert, Click Embed Code

7. Insert (Paste CTRL+V) the Code you copied from http://focalpoint.contoso.com

8. Then Click the Insert button,

9. Next Edit the WebPart, and change the Width to 540px, then click OK

10. Click Check-in, then Publish this Draft

Note: The Site Collection Feature – Cross-Farm Site Permissions is activated on both Farms, the cross-farm site permissions feature to allow internal SharePoint applications to access websites across farms.

Ivan

No Comments