Monthly Archives: August 2015

SharePoint/Azure ACS Token Signing Certificate. Will you please just sign my tokens?!

Setting up Azure ACS was fun. It’s so easy to get it up/running/connected to SharePoint and you have the instant satisfaction of using Microsoft/Google/Facebook accounts to login to SharePoint. Great success! Note: Microsoft only gives you the UPN claim..which is a unique ID so when users log in it looks gross. Google and Facebook are able to pull in a lot more claims..but Microsoft is more secure in that fashion I suppose.

Anyways there is great documentation out there already on how to get rocking and rolling. Here’s a few I’ve used:

Anyways there isn’t really much documentation out there on the Token Signing Certificate. Most of the documentation out there states to use a self-signed certificate for DEV and get a certificate from a Commercial Certificate Authority for PROD. Alrighty then. Here’s the screen in Azure


Not knowing too much in the ADFS token signing cert space (In the past most environments I have worked with use ADCS or PKI to generate these)  I took to the interwebs.

The reason I was researching is because if I were to put in a CSR for I wouldn’t get it or it would get revoked…I don’t own Companies like Comodo have a DCV (Domain Control Validation) questionnaire built right into the certificate purchasing process. For the self-signed cert you can use whatever you want.

I researched to see if Azure ACS could have a friendly name or DNS CName that we could pull the cert for. NOOPE!

I found a great tool by Steve Peschka that allows you to actually export the token signing certificate right out of ACS. The ACS tenant is actually already an HTTPS site so there is a preexisting cert. SWEEET! It works like a charm too..

This specific client had their heart set on using the commercial certificate authority so I kept trucking.

The certificate for ACS is described in detail here:

Alright I’m still not sure what subject name to use..until I found this forum post:

Frank Lesniak had the answer I was looking for (This was for ADFS, but still applied to ACS):

**I’m just copying his answer in here in case the forum post ever gets deleted

  1. The certificate’s key length should be at least 2048 bits.
  2. Validity period should be as long as possible (given cost), up to 5 years
  3. The signing algorithm should be either SHA-1 or SHA-256. If you need to support ADFS 1.x legacy federation, Windows 2000, Windows XP SP2, or Windows Server 2003, use SHA-1. Otherwise, for best security, use SHA-256. You may need to call your publically-trusted certificate issuer to validate the signing algorithm.
  4. Ensure that the private key is exportable
  5. Subject name does not matter… but something like would be a common implementation.
  6. Key usage does not matter.

The key points being #5 and #6 – ADFS does not care what you name the certificate or what kind of certificate is being used (i.e. code signing, server authentication, client authentication, etc.). My advice would be to generate a certificate however you’d normally feel comfortable doing so. For example, many of my clients use IIS to generate the certificate signing request (CSR), then submit the CSR to the commercial CA. Once you’ve loaded the certificate into the computer store, it should be available for AD FS to use.


In summary – It doesn’t matter! Use or if you’re already rocking a wildcard cert for everything use that. Any X.509 certificate will do…

SharePoint 2013/SSRS 2014 – HTTPException Request Timed Out

Here’s the scenario – SharePoint 2013 with SSRS 2014. This is a small 3 tier farm – 1 App (Running SSRS), 1 Web, and 1 SQL server. This farm had been running smoothly for quite some time and started sporadically receiving HTTPException Request Timed Out errors. This seemed to only be affecting 1 specific report (Largest/Most used report in the farm) as I was able to run other reports when the 1 report was acting up.

The end users would just see the typical SSRS loading screen until the 110 second timeout kicks into effect and then the use is presented with a “Request Timed Out” error with a correlation ID. In the eventvwr application log I could see this:

Process information:

   Process ID: XXX

   Process name: w3wp.exe

   Account name: Domain\App Pool Account

Exception information:

   Exception type: HttpException

   Exception message: Request timed out.

After some digging I noticed that the page file on the system had been modified to a static size of 4GB. After changing this to system managed everything started working perfectly (Note: You could also use the Microsoft recommendation of 150% RAM on the system – Recently, I have also seen where search crawls stop working (Running continuously for 10+ days) due to switching the page file to a very low value. Moral of the story – make sure you’re page file is large enough!


SharePoint Upgrade – Incoming E-mail Issues

Here’s another fun scenario: SharePoint 2007 to 2010 upgrade that heavily relies on Incoming e-mail. When migrating/upgrading the content database, the incoming e-mail information is retained and you can see it by browsing to your favorite list or library of choice. Yay!..well kinda. This doesn’t work..I felt like Clark Griswold trying to light up his house on Christmas Vacation. The incoming e-mail alias is ALSO kept in the SharePoint configuration database. This means that the content database will have everything you need, but the config database is out of sync. You can fix this using a manual method of turning off and turning back on the ability for that list/library to receive e-mail…NO THANK YOU. As Russ declined to check each bulb individually..I respectfully declined that offer here as well.

PowerShell to the rescue! There is a RefreshEmailEnabledObjects() method you can use on a SPSite object to bring your SharePoint farm back in perfect harmony..Just like the old Coca Cola commercial used to say (Just a pop culture drop day today)

You can create your own script to loop through all SharePoint site collections or you don’t have to reinvent the wheel because Salaudeen Rajack at has already done this for you:

SharePoint Foundation 2013 SP1 Bits..Diagnostic Data Provider Timer Jobs Enabled

I don’t know if this was a one-off thing, but I figured I’d share just in case. It’s even possible someone turned these jobs on without notifying anyone..though nobody has fessed up yet! If I run through another SPF13 install soon I’ll be sure to update the post.

I have confirmed that all copies of SharePoint Server 2013 do NOT enable the Data Diagnostic Timer Jobs by default. I have also confirmed that a RTM SharePoint Foundation 2013 install has the same behavior. Recently I ran through a SharePoint Foundation SP1 install (ISO pulled from VLSC)..and after a few weeks noticed the Usage Logging database was growing out of control! Looking over the timer jobs I saw that all diagnostic data provider timer jobs were turned on:


That explains it..These jobs are normally disabled as they aggregate a lot of different information/logs from SharePoint and puts it into one central location/database. We usually either turn these on for “health checks” or when troubleshooting issues and want a complete snapshot of the farm. Turned them off..Trimmed up the usage data using this method:

Note: The link above cleared up only about 10GB of data..leaving me still with a gigantic Usage Logging database. Apparently there isn’t any way I could find (without SQL queries) to clear the Diagnostic Data out of the DB. It did trim some items – Page Requests, Feature Usage, etc. You could either wait for the retention period to kick in..or if the data isn’t important you can create a new Usage database and delete the old one using the Set-SPUsageApplication PowerShell cmdlet explained here:

SharePoint 2013 – “2010 Mode” Site Collection Search Scopes

One migration tidbit to note when going from 2010 to 2013. Search scopes are contained in the Search Service database..NOT the content database. This means that if a site heavily relies on search scopes..and you are choosing to keep this site in “2010 Mode” (Not generally recommended, but sometimes makes sense) then you will need to upgrade the Search database as well. This is because sites running in “2010 Mode” will use existing scopes, but you cannot create new search scopes after the content database is upgraded to SharePoint 2013. Side Note – If this site collection is upgraded to SharePoint 2013 then you can use the fancy shmancy new result sources.

The search database can be upgraded using the following PowerShell cmdlet:


More about this cmdlet here:

This process is rock solid…kind of. It doesn’t give you GUIDs, but the search database names are in the following format:

  • <Search Service Application Name>_AnalyticsReportingDB
  • <Search Service Application Name>_CrawlDB

I had a DB naming format and this did NOT work for me. The search Admin DB (The one I restored) was renamed as I went through the SQL backup/restore process so it had the naming down. I used the process described here to get everything nice and clean:

Search database names were scopes were showing up. Life is good

SharePoint 2013 – Another FIPS 140-2 Adventure “The encryption type requested is not supported by the KDC”

Oh Federal Information Processing Standard (FIPS) 140-2 AKA FIPS 140-2…You got me again! See the original post here:

As stated in several Official Microsoft documents, SharePoint uses several Windows encryption algorithms for computing hash values that do not comply with FIPS 140-2..therefore you CANNOT enable the FIPSAlgorithmPolicy registry key. Here’s some info:

So in this situation we found that the group policy was applied so we retracted that and SharePoint was “back up.” At this time sites were loading, but I was seeing a bunch of errors related to search and distributed cache in the eventvwr/ULS Logs:

System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner exception. —> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. —> System.ComponentModel.Win32Exception: The encryption type requested is not supported by the KDC

This led me to the following blog post:

In this scenario 3 things still needed to happen:

First, IIS Crypto was ran and set to FIPS 140-2 mode. This needed to be reverted as this blocks MD5 hashes.

Then, the AD attribute msDS-SupportedEncryptionTypes needed to be changed from 24 to 28 on all SharePoint 2013 servers. The value of 24 does NOT include MD5 hashes..which SharePoint desperately needs.


After this was set Local Security Policy needed some tweaking (“Network Security: Configure Encryption types allowed for Kerberos”)

This was set to the following (Blocking MD5):


Once checking ALL boxes containing MD5 we were back up and running..Search was working and distributed cache was happy..SharePoint was happy..we were all pretty happy in fact 🙂



SQL GDR Update Breaks SharePoint 2013/SQL 2014 SharePoint-Integrated SSRS

The other day the following patch was applied to a SharePoint server running SQL Server Reporting Services 2014:


Information about this GDR:

This was all fine and dandy until we tried to run a report and got the following error:

  • An unexpected error occurred in Report Processing. (rsInternalError)

· Could not load file or assembly ‘Microsoft.ReportingServices.ProcessingObjectModel, Version=, Culture=neutral, PublicKeyToken=89845dcd8080cc91’ or one of its dependencies. Access is denied.

After seeing an access denied error message my gut was to run the PowerShell command to re-secure resources: Initialize-SPResourceSecurity

This didn’t fix the issue..I ended up coming across the following forum post..Apparently this issue also happened in SQL 2012:

The fix was the following:

  1. Backup encryption keys for the SSRS Service Application
  2. Note any other customizations (SMTP Server, Execution Account, Administrators, etc.) and WRITE THESE DOWN..or take screenshots. Screenshots are good
  3. Delete the SSRS Service Application (Uncheck the box to delete data associated..)
  4. Create a new SSRS Service Application. I used the same name, same Report Server database, same application pool, etc.
  5. Restore the encryption key
  6. Make any changes noted in step 2


Everything should be back up and running

“The trial period for this product has expired”…But really it didn’t

The other day users were getting some strange errors on a page containing an InfoPath form. Users were seeing an error that read “The Trial Period For This Product Has Expired.” I knew this was not the case so I decided to looks at the ULS logs.

Here is the error I was seeing in logs (Seems to be misleading since the error the user sees is “The trial has expired”)

Getting Error Message for Exception System.TypeInitializationException: The type initializer for ‘Microsoft.Office.InfoPath.Server.Util.UrlManager’ threw an exception. —> System.Security.SecurityException: Requested registry access is not allowed.     at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)     at Microsoft.Win32.Registry.GetValue(String keyName, String valueName, Object defaultValue)     at Microsoft.Office.InfoPath.Server.Util.UrlManager.<>c__DisplayClass1.<OpenFileNameMap>b__0()   

It looked to be an issue accessing the registry on the servers. I fired up perfmon and low and behold some access denied errors to SharePoint-related registry keys. Instead of changing these manually I ran the following command to reset the SharePoint security for the file system and registry:

Psconfig –cmd secureresources

Or you can use the PowerShell equivalent: Initialize-SPResourceSecurity 

After that I rebooted the servers for the changes to take into effect and that page started loading up.



SharePoint 2013 – Crawling a “2010 Mode” Site Collection

Working on an upgrade project we decided to keep a SharePoint site (highly customized) in 2010 mode for the time being. First, here is the list of items that will not function while the SharePoint site remains in “2010 compatibility mode.” This is because the features were deprecated/removed and replaced with new/different services and functionality.

Please see the entire list at this official Microsoft link:

Feature Replaced by in SharePoint 2013
Search Scopes Result Sources
SharePoint Web Analytics Reports Analytics now built into Search Service Application

*I remember reading about workflows experiencing intermittent issues in 2010 mode (As described here:, but there is no official documentation stating this fact and it all depends how customized the workflow is.

After getting the search scopes migrated and showing up in the search scope admin area of site settings I noticed no results were coming in. The SharePoint site was added to the default content source in search which is for crawling SharePoint sites I tried giving it its own content source with type SharePoint Site and still no-go. After changing the content source to type Web Site everything was rocking and rolling..