Showing posts with label Sharepoint Central Admin. Show all posts

Certificate Validation errors in SharePoint 2013

Posted: Monday, 5 November 2012 by Khalid Ameerodien

So everyone by now should have had a taste of 2013; if not, what are you doing!!! With every new technology come new pains as well as some good things. One of my pains went something along the lines of:
"A certificate validation operation took 30007.5449 milliseconds and has exceeded the execution time threshold.  If this continues to occur, it may represent a configuration issue.  Please see http://go.microsoft.com/fwlink/?LinkId=246987 for more details."

*Shock horror* my logs were inundated with errors of this kind, and I was also getting tons of topology errors and endpoint failures. So I popped open MMC, added the Certificates snap-in and selected Local Computer to check which certificate was causing me this grief.

I navigated to the SharePoint folder and opened one of the certificates and noted the following:


Aha!! Found you. I actually never found it as fast as I made it out to be. Once I narrowed it down I remembered that I had something similar before and had to generate a cert via PowerShell. So I did the following in the SharePoint Management Shell:

# Get the farm's root certificate from the SharePoint certificate authority
$rootCert = (Get-SPCertificateAuthority).RootCertificate
# Write it to disk as a .cer file ("Cert" is the X509ContentType value for a single certificate)
$rootCert.Export("Cert") | Set-Content C:\root.cer -Encoding Byte

Once done, I went back into the Certificates snap-in and imported the certificate into the Trusted Root Certification Authorities. After that the bulk of the errors disappeared, my logs looked much better and I had no more topology errors either.

For the last few remaining cert errors (1 or 2 per hour) I checked the local computer policy. Pop open gpedit.msc and navigate to "Computer Configuration > Windows > Security Settings > Public Key Policies > Certificate Path Validation Settings". On the Network Retrieval tab, define the policy and uncheck "Automatically update certificates in the Microsoft Root Certificate Program". After you have defined this, run gpupdate /force and you should no longer have these errors in your event logs.
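The import and the follow-up check can also be scripted. This is an added example, not code from the original post: it adds the farm root to the Trusted Root store only if it is missing, then builds the chain for every certificate in the local computer's SharePoint store and reports whether it is trusted and how long validation took. It assumes an elevated SharePoint Management Shell; skipping revocation checking is a choice made for this example.

```powershell
# Added example; run elevated in the SharePoint Management Shell.
$lm = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$rootCert = (Get-SPCertificateAuthority).RootCertificate

# 1. Add the farm root to LocalMachine\Root (Trusted Root Certification Authorities) if missing.
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', $lm
$rootStore.Open('ReadWrite')
try {
    $found = $rootStore.Certificates | Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }
    if (-not $found) {
        # Re-create the certificate from its exported bytes so only the public part is stored.
        $bytes = $rootCert.Export('Cert')
        $publicOnly = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $rootStore.Add($publicOnly)
    }
} finally {
    $rootStore.Close()
}

# 2. Build the chain for each certificate in LocalMachine\SharePoint and time it.
$spStore = New-Object System.Security.Cryptography.X509Certificates.X509Store 'SharePoint', $lm
$spStore.Open('ReadOnly, OpenExistingOnly')    # fail instead of creating the store if it is absent
try {
    foreach ($cert in $spStore.Certificates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true   # machine context
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # example choice: test trust to the root only
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        $trusted = $chain.Build($cert)
        $timer.Stop()
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Trusted    = $trusted
            Millis     = $timer.ElapsedMilliseconds
            Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
} finally {
    $spStore.Close()
}
```

A row with Trusted set to False and a Status of UntrustedRoot means the farm root is still not in the Trusted Root store on that server.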

Removing old users from the User Information List

Posted: Wednesday, 30 May 2012 by Khalid Ameerodien

This list is usually not editable but you can edit it by going to http://SITECOLLECTIONNAME//_layouts/people.aspx?MembershipGroupId=0

You will then be able to remove the old users and they should then not appear in people picker.

Provisioning multiple user profile service applications in SharePoint 2010

Posted: Tuesday, 22 May 2012 by Khalid Ameerodien

So you have multiple user profile service applications but do not know how to provision 2 of them at the same time? Never fear, for as long as you have more than 1 SharePoint server in your farm you will be able to provision multiple User Profile Service applications.

There is 1 snag though: the User Profile Synchronization Service, which provisions the User Profile Service application, has a 1 to 1 relationship with the server, i.e. you can start only one instance of the service per server. So basically navigate to Manage services on server in Central Admin, then start the User Profile Synchronization Service and associate it with UPSA A. Once completed, select another server under Manage services on server and start the User Profile Synchronization Service on UPSA B. Now you have 2 User Profile Service applications provisioned at the same time in your farm.

Farm Report

Posted: Monday, 5 December 2011 by Khalid Ameerodien

I stumbled upon quite a nifty little app to give a full farm report. It can be found at http://spsfarmreport.codeplex.com/

Setting up Forms Authentication

Posted: Monday, 17 October 2011 by Khalid Ameerodien

I was asked to convert a web application that was running classic mode authentication to Forms. Now in order to do this I had to change the web application to claims-based authentication, however that option was greyed out. No problem for PowerShell though. I did the following in PowerShell:

# Get the web application and switch it to claims-based authentication
$app = Get-SPWebApplication "http://yoururl"
$app.UseClaimsAuthentication = $true
$app.Update()

This enabled claims authentication in the web application. I then edited the authentication providers and ticked the Forms based authentication box. Now the tricky bits are to follow. You will need to edit the web.config of your site as well as Central Admin and the Security Token.

In the web application's web.config add the following after <providers>.

<add name="ADAuth"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="Your Auth Server"
port="389"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="Samaccountname"
groupNameAttribute="mail"
userContainer="DC=hi,DC=local"
userObjectClass="person"
userFilter="(&amp;(ObjectClass=*))"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn,mail" />

 

Add the following under the rolemanager provider section

<add name="roleManager"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="Your auth Server"
port="389"
useSSL="false"
groupContainer="DC=HI,DC=local"
groupNameAttribute="Displayname"
groupMemberAttribute="member"
groupNameAlternateSearchAttribute="mail"
userNameAttribute="mail"
dnAttribute="distinguishedName"
groupFilter="(&amp;(ObjectClass=group))"
scope="Subtree" />

 

Now we need to add the functionality to select Forms Authentication. Search the Web.config for PeoplePickerWildcards

Add the following below the tag

<add key="ADAuth" value="*" />

<add key="roleManager" value="*" />

 

Now save and close the web.config.

 

Open the web.config of your Central Admin application and add the following entries.

As above, add the following under <providers>:

<add name="ADAuth"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="Your Auth Server"
port="389"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="Samaccountname"
groupNameAttribute="mail"
userContainer="DC=hi,DC=local"
userObjectClass="person"
userFilter="(&amp;(ObjectClass=*))"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn,mail" />

Then search for the rolemanager provider and add this below

<add name="roleManager"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="Your auth Server"
port="389"
useSSL="false"
groupContainer="DC=HI,DC=local"
groupNameAttribute="Displayname"
groupMemberAttribute="member"
groupNameAlternateSearchAttribute="mail"
userNameAttribute="mail"
dnAttribute="distinguishedName"
groupFilter="(&amp;(ObjectClass=group))"
scope="Subtree" />

 

And then add the following below the <PeoplePickerWildCards> tag

<add key="ADAuth" value="*" />

<add key="roleManager" value="*" />

Save and close the web.config

 

Now open the web.config of the security token and do the following:

Under the <providers> tag add the following

<add name="ADAuth"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="Your Auth Server"
port="389"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="Samaccountname"
groupNameAttribute="mail"
userContainer="DC=hi,DC=local"
userObjectClass="person"
userFilter="(&amp;(ObjectClass=*))"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn,mail" />

Search for the rolemanager provider and add this below

<add name="roleManager"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="Your auth Server"
port="389"
useSSL="false"
groupContainer="DC=HI,DC=local"
groupNameAttribute="Displayname"
groupMemberAttribute="member"
groupNameAlternateSearchAttribute="mail"
userNameAttribute="mail"
dnAttribute="distinguishedName"
groupFilter="(&amp;(ObjectClass=group))"
scope="Subtree" />

 

Now save and close the file.

To test, go into Central Admin and try to assign a user permissions, but only use the first 3 letters of their name, then click the check names button. You should receive a warning that "No exact match was found. Click the item(s) that did not resolve for more options". When you click the letters you should be given an option to select Forms or ADAuth.
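The same two provider entries have to go into three web.config files, and as written they talk to the directory on port 389 with useSSL="false". The following is an added example, not code from the original post: a PowerShell 2.0 compatible check that reports a missing ADAuth or roleManager entry and any LDAP provider that is not using SSL. The function name, the sample XML and the server name ldap.example.invalid are constructed for illustration.

```powershell
# Added example: audit the LDAP provider entries in a web.config.
function Get-LdapProviderFinding {
    param([xml]$Config, [string]$Source)
    $expected = 'ADAuth', 'roleManager'          # provider names used in this post
    $nodes = @($Config.SelectNodes('//membership/providers/add | //roleManager/providers/add') |
        Where-Object { $_.GetAttribute('type') -match 'Ldap(Membership|Role)Provider' })
    $names = @($nodes | ForEach-Object { $_.GetAttribute('name') })

    # A provider missing from one of the three files breaks name resolution or sign-in there.
    foreach ($missing in ($expected | Where-Object { $names -notcontains $_ })) {
        New-Object PSObject -Property @{ Source = $Source; Provider = $missing; Finding = 'provider entry missing' }
    }
    foreach ($n in $nodes) {
        $name = $n.GetAttribute('name')
        if ($n.GetAttribute('useSSL') -ne 'true') {
            $port = $n.GetAttribute('port')
            New-Object PSObject -Property @{ Source = $Source; Provider = $name
                Finding = "useSSL is not true (port $port): LDAP traffic is not protected by TLS" }
        }
        $filter = $n.GetAttribute('userFilter') + $n.GetAttribute('groupFilter')
        if ($filter -match 'ObjectClass=\*') {
            New-Object PSObject -Property @{ Source = $Source; Provider = $name
                Finding = 'filter (ObjectClass=*) matches any object class' }
        }
    }
}

# Constructed sample: the membership entry from this post, with the role provider left out.
$sample = [xml]@'
<configuration><system.web>
  <membership><providers>
    <add name="ADAuth"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server"
         server="ldap.example.invalid" port="389" useSSL="false"
         userFilter="(&amp;(ObjectClass=*))" />
  </providers></membership>
  <roleManager><providers /></roleManager>
</system.web></configuration>
'@

Get-LdapProviderFinding -Config $sample -Source 'constructed sample' |
    Select-Object Source, Provider, Finding

# Against real files (paths are placeholders for the three web.config files in this post):
# foreach ($p in $paths) { Get-LdapProviderFinding -Config ([xml](Get-Content $p)) -Source $p }
```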

 

 

Code Blocks not allowed Sharepoint 2010

Posted: Wednesday, 5 October 2011 by Khalid Ameerodien

I came across this on our test environment recently after authenticating. I then did some googling and found a nifty solution to the problem. I added the following to the web.config file and this resolved the error I was receiving.

<SharePoint>
<SafeMode MaxControls="200" CallStack="false" DirectFileDependencies="10" TotalFileDependencies="50" AllowPageLevelTrace="false">
<PageParserPaths>
<!-- Allows inline server-side code on this one page -->
<PageParserPath VirtualPath="~/pages/demo.aspx" CompilationMode="Always" AllowServerSideScript="true" />
<!-- Wildcard: allows inline server-side code on every page under ~/pages/, so anyone who can edit those pages can run code on the server -->
<PageParserPath VirtualPath="~/pages/*" CompilationMode="Always" AllowServerSideScript="true" />
</PageParserPaths>
</SafeMode>
</SharePoint>

Exporting Reusable Workflows in SharePoint Designer not so reusable

Posted: Tuesday, 6 September 2011 by Khalid Ameerodien

So I had to create some custom workflows for a client. All good and well, and I completed my task; however, upon saving the items as a template my reusable workflows seem to have broken (joy!!!).

After struggling quite a bit I decided to recreate them, and instead of downloading them from SharePoint Designer I downloaded them from the site assets library. Lo and behold, the items worked fine then. Lesson learnt: SharePoint Designer is a devil in disguise.

Enable Exchange Calendar Overlays in Sharepoint 2010

Posted: Friday, 2 September 2011 by Khalid Ameerodien

To set this up we first need to add a trust for the OWA site of the organisation in question. We can do this by adding the OWA certificate to the trust relationships in Central Administration.

The first step in this procedure is to get the certificate from the OWA site. Run Internet Explorer as an administrator.

Once you have done this, navigate to the OWA URL. Once you are on the page you will notice a padlock icon next to the address in the address bar. Click the padlock icon and select View certificates.

Once completed, a box will appear with the relevant certificate information. Select Details and click Copy to File.

You will receive the following screen; click Next.

Select DER encoded binary X.509 (.CER), then click Next.

Select a filename for your certificate and click Next; this will save the certificate in the location you provided with that filename. Click Next.

Click Finish.

Open Central Administration, then click on Security.

Locate Manage Trust and click on it.

Click on New.

Name the new trust relationship and add the root authority certificate you saved, then click OK.

This will create the trust relationship needed between Exchange and SharePoint.

On the SharePoint site, now navigate to the calendar area where you wish to allow this functionality.

In the calendar ribbon select Calendar Overlay.

Click on New Calendar. Under Calendar Name type the name of the calendar (usually the user's email address), then select the Exchange radio button. Also give the calendar a description and a colour to make the events easier to identify when viewing them. Type in the OWA address and the Exchange web service URL, then click Find. This will resolve the names needed for this. Click OK.

You should now be able to overlay the user's calendar over the SharePoint site calendars.
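The Manage Trust step can also be done from the SharePoint Management Shell, which gives a chance to inspect the saved file before trusting it. This is an added example, not part of the original post; the path C:\owa.cer and the trust name "Exchange OWA" are assumptions standing in for the file and name chosen in the steps above.

```powershell
# Added example; run in the SharePoint Management Shell.
$path = 'C:\owa.cer'        # assumed location of the file saved by the export wizard
$name = 'Exchange OWA'      # hypothetical name for the trust relationship

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

# Show what is about to be trusted so it can be compared with the certificate shown in the browser.
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

# Refuse a certificate that is not yet valid or has expired.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate in $path is outside its validity period; no trust was added."
}

# A root authority certificate is issued to itself; anything else is a server or intermediate certificate.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning 'Subject and Issuer differ: this file is not a self-issued root certificate.'
}

# Add the trust only if this exact certificate is not already listed under Manage Trust.
$existing = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
if ($existing) {
    "Already trusted as '$($existing.Name)'"
} else {
    New-SPTrustedRootAuthority -Name $name -Certificate $cert
}
```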