SharePoint 2013 – Another FIPS 140-2 Adventure “The encryption type requested is not supported by the KDC”

Oh Federal Information Processing Standard (FIPS) 140-2 AKA FIPS 140-2…You got me again! See the original post here:

http://www.andrewjbillings.com/fips-compliance-keep-away-from-sharepoint/

As stated in several official Microsoft documents, SharePoint uses several Windows encryption algorithms for computing hash values that do not comply with FIPS 140-2; therefore you CANNOT enable the FIPSAlgorithmPolicy registry key. Here’s some info:

So in this situation we found that the group policy had been applied, so we retracted it and SharePoint was “back up.” At this point sites were loading, but I was seeing a bunch of errors related to search and distributed cache in the Event Viewer/ULS logs:

System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner exception. —> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. —> System.ComponentModel.Win32Exception: The encryption type requested is not supported by the KDC

This led me to the following blog post: http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx

In this scenario 3 things still needed to happen:

First, IIS Crypto had been run and set to FIPS 140-2 mode. This needed to be reverted, as that mode blocks MD5 hashes.

Then, the AD attribute msDS-SupportedEncryptionTypes needed to be changed from 24 to 28 on all SharePoint 2013 servers. The value of 24 does NOT include MD5 hashes, which SharePoint desperately needs.

[Screenshot: msDS-SupportedEncryptionTypes attribute]

After this was set, Local Security Policy needed some tweaking (“Network Security: Configure encryption types allowed for Kerberos”).

This was set to the following (Blocking MD5):

[Screenshot: Local Security Policy – Kerberos encryption types]

Once ALL boxes containing MD5 were checked we were back up and running: search was working, distributed cache was happy, SharePoint was happy, and we were all pretty happy in fact 🙂
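To review what the 24 → 28 change above actually enables, here is an added PowerShell example (not from the original post) that decodes the msDS-SupportedEncryptionTypes bit mask. The flag values are the documented Kerberos encryption type bits; the commented Get-ADComputer call at the end assumes the ActiveDirectory module and uses a placeholder server name.

```powershell
# Added example (not from the original post): decode the msDS-SupportedEncryptionTypes
# bit mask so a change such as 24 -> 28 can be reviewed before it is applied.
# Flag values are the documented Kerberos encryption type bits.
$KerberosEtypeFlags = [ordered]@{
    1  = 'DES-CBC-CRC'
    2  = 'DES-CBC-MD5'
    4  = 'RC4-HMAC'                  # HMAC-MD5 based; this is the "MD5" the post refers to
    8  = 'AES128-CTS-HMAC-SHA1-96'
    16 = 'AES256-CTS-HMAC-SHA1-96'
}
# Types to treat as weak when auditing a server's configuration
$WeakEtypes = @('DES-CBC-CRC', 'DES-CBC-MD5', 'RC4-HMAC')

function ConvertFrom-SupportedEncryptionTypes {
    param([Parameter(Mandatory)][int]$Value)
    $enabled = foreach ($bit in $KerberosEtypeFlags.Keys) {
        if (($Value -band $bit) -ne 0) { $KerberosEtypeFlags[$bit] }
    }
    [pscustomobject]@{
        Value   = $Value
        Enabled = @($enabled)
        Weak    = @($enabled | Where-Object { $WeakEtypes -contains $_ })
    }
}

# Compare the before/after values from the post
foreach ($v in 24, 28) {
    $r = ConvertFrom-SupportedEncryptionTypes -Value $v
    $weak = if ($r.Weak.Count -gt 0) { $r.Weak -join ', ' } else { 'none' }
    "{0,3}: {1}  (weak: {2})" -f $r.Value, ($r.Enabled -join ', '), $weak
}

# Read the live value for a computer account (requires the ActiveDirectory module;
# the server name is a placeholder)
# Get-ADComputer -Identity 'SP2013-APP01' -Properties msDS-SupportedEncryptionTypes |
#     ForEach-Object { ConvertFrom-SupportedEncryptionTypes -Value $_.'msDS-SupportedEncryptionTypes' }
```

Decoding shows that 24 is AES128 + AES256 only, and 28 adds RC4-HMAC; the decoder reports RC4 as weak so the trade-off is visible when the change is reviewed.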

-AJB


SQL GDR Update Breaks SharePoint 2013/SQL 2014 SharePoint-Integrated SSRS

The other day the following patch was applied to a SharePoint server running SQL Server Reporting Services 2014:


Information about this GDR: https://support.microsoft.com/en-us/kb/3045324

This was all fine and dandy until we tried to run a report and got the following error:

  • An unexpected error occurred in Report Processing. (rsInternalError)
  • Could not load file or assembly ‘Microsoft.ReportingServices.ProcessingObjectModel, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91’ or one of its dependencies. Access is denied.

After seeing an access denied error message my gut was to run the PowerShell command to re-secure resources: Initialize-SPResourceSecurity

This didn’t fix the issue. I ended up coming across the following forum post; apparently this issue also happened in SQL 2012: https://social.msdn.microsoft.com/Forums/sharepoint/en-US/5a34109a-4792-4983-9242-8573575bb727/sql-server-reporting-services-2012-sharepoint-integrated-mode-error?forum=sqlreportingservices

The fix was the following:

  1. Back up the encryption keys for the SSRS Service Application
  2. Note any other customizations (SMTP server, execution account, administrators, etc.) and WRITE THESE DOWN, or take screenshots. Screenshots are good
  3. Delete the SSRS Service Application (Uncheck the box to delete data associated..)
  4. Create a new SSRS Service Application. I used the same name, same Report Server database, same application pool, etc.
  5. Restore the encryption key
  6. Make any changes noted in step 2


Everything should be back up and running.

“The trial period for this product has expired”…But really it didn’t

The other day users were getting some strange errors on a page containing an InfoPath form. Users were seeing an error that read “The Trial Period For This Product Has Expired.” I knew this was not the case, so I decided to look at the ULS logs.

Here is the error I was seeing in the logs (it seems to be misleading, since the error the user sees is “The trial has expired”):

Getting Error Message for Exception System.TypeInitializationException: The type initializer for ‘Microsoft.Office.InfoPath.Server.Util.UrlManager’ threw an exception. —> System.Security.SecurityException: Requested registry access is not allowed.     at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)     at Microsoft.Win32.Registry.GetValue(String keyName, String valueName, Object defaultValue)     at Microsoft.Office.InfoPath.Server.Util.UrlManager.<>c__DisplayClass1.<OpenFileNameMap>b__0()   

It looked to be an issue accessing the registry on the servers. I fired up perfmon and, lo and behold, there were access denied errors on SharePoint-related registry keys. Instead of changing these manually I ran the following command to reset the SharePoint security for the file system and registry:

psconfig -cmd secureresources

Or you can use the PowerShell equivalent: Initialize-SPResourceSecurity 

After that I rebooted the servers for the changes to take effect, and the page started loading again.
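As an added check (not from the original post) for this kind of “Requested registry access is not allowed” error, the PowerShell function below reads the ACL on the SharePoint registry hive and reports which of the SharePoint process groups are missing read access, so you can confirm the problem before and the fix after running secureresources. It assumes the SharePoint 2010 hive (14.0) referenced by this post; pass -Version '15.0' for 2013. WSS_WPG and WSS_ADMIN_WPG are the local groups SharePoint creates.

```powershell
# Added example (not from the original post): check whether the SharePoint process
# groups still have rights on the SharePoint registry hive before/after running
# psconfig -cmd secureresources (Initialize-SPResourceSecurity).
# Assumption: SharePoint 2010 hive (14.0); use -Version '15.0' for SharePoint 2013.
function Test-SPRegistryAccess {
    param(
        [string]$Version = '14.0',
        # Local groups SharePoint creates and expects to find on its keys
        [string[]]$ExpectedGroups = @('WSS_WPG', 'WSS_ADMIN_WPG')
    )
    $keyPath = "HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\$Version"
    if (-not (Test-Path $keyPath)) {
        return [pscustomobject]@{ Key = $keyPath; Exists = $false; Granted = @(); Missing = $ExpectedGroups }
    }
    $acl = Get-Acl -Path $keyPath
    # Identities come back as COMPUTERNAME\WSS_WPG; compare on the group name only.
    # Any Allow rule that carries at least the ReadKey bits counts as read access.
    $granted = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::ReadKey) -ne 0)
        } |
        ForEach-Object { ($_.IdentityReference.Value -split '\\')[-1] }
    $missing = $ExpectedGroups | Where-Object { $granted -notcontains $_ }
    [pscustomobject]@{
        Key     = $keyPath
        Exists  = $true
        Granted = @($granted | Sort-Object -Unique)
        Missing = @($missing)
    }
}

$result = Test-SPRegistryAccess
$result | Format-List
if ($result.Missing.Count -gt 0) {
    Write-Warning ("Missing read access for: {0}. Run 'psconfig -cmd secureresources' " +
                   "(or Initialize-SPResourceSecurity) and reboot." -f ($result.Missing -join ', '))
}
```

Run it once per server in the farm; a key that exists but lists either group under Missing is the condition that produces the SecurityException shown in the ULS entry above.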

Reference: https://technet.microsoft.com/en-us/library/ee513047(v=office.14).aspx


SharePoint 2013 – Crawling a “2010 Mode” Site Collection

Working on an upgrade project, we decided to keep a highly customized SharePoint site in 2010 mode for the time being. First, here is the list of items that will not function while the SharePoint site remains in “2010 compatibility mode.” This is because these features were deprecated/removed and replaced with new or different services and functionality.

Please see the entire list at this official Microsoft link: https://technet.microsoft.com/en-us/library/Ff607742.aspx

Feature                           | Replaced by in SharePoint 2013
----------------------------------|------------------------------------------------------
Search Scopes                     | Result Sources
SharePoint Web Analytics Reports  | Analytics now built into the Search Service Application

*I remember reading about workflows experiencing intermittent issues in 2010 mode (As described here: http://en.share-gate.com/blog/not-working-after-sharepoint-migration-to-2013), but there is no official documentation stating this fact and it all depends how customized the workflow is.

After getting the search scopes migrated and showing up in the search scope admin area of Site Settings, I noticed no results were coming in. The SharePoint site was covered by the default content source in search, which is for crawling SharePoint sites. I tried giving it its own content source of type SharePoint Site and it was still a no-go. After changing the content source to type Web Site, everything was rocking and rolling.
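To see which content source actually covers a site, and of which type, here is an added PowerShell example (not from the original post) for a SharePoint 2013 farm with a single Search Service Application. The site URL is a placeholder; the commented line at the end shows how the Web Site content source from the fix above would be created.

```powershell
# Added example (not from the original post): list the search content sources and flag
# which ones cover a given site URL, so a "2010 mode" site that only crawls through a
# Web Site content source can be spotted. Assumes the SharePoint 2013 snap-in and a
# single Search Service Application; $siteUrl is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPCrawlCoverage {
    param([Parameter(Mandatory)][string]$SiteUrl)
    $ssa = Get-SPEnterpriseSearchServiceApplication
    foreach ($cs in Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa) {
        # A start address covers the site if the site URL begins with it
        $covers = @($cs.StartAddresses |
            Where-Object { $SiteUrl.StartsWith($_.AbsoluteUri, 'OrdinalIgnoreCase') }).Count -gt 0
        [pscustomobject]@{
            Name           = $cs.Name
            Type           = $cs.Type                 # SharePoint, Web, File, ...
            StartAddresses = ($cs.StartAddresses | ForEach-Object { $_.AbsoluteUri }) -join '; '
            CoversSite     = $covers
            CrawlStatus    = $cs.CrawlStatus
        }
    }
}

$siteUrl = 'http://intranet.contoso.local/sites/legacy2010'   # placeholder
Get-SPCrawlCoverage -SiteUrl $siteUrl | Format-Table -AutoSize

# Creating the Web Site content source used in the fix (run once; name is a placeholder):
# $ssa = Get-SPEnterpriseSearchServiceApplication
# New-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Type Web `
#     -Name 'Legacy 2010 site' -StartAddresses $siteUrl
```

A row with CoversSite = True and Type = SharePoint is the situation described above where the crawl completed but returned nothing; the site should then appear under its own Web-type source.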

-AJB

SharePoint 2013 – Missing Patches Error

While working on a SharePoint test environment the other day I tried to take a backup of a site collection and got an error. After digging further I noticed that all databases were in compatibility mode. This led me to Windows Update, where I noticed that SharePoint security patches had been pushed to all servers in the farm and the SharePoint Products Configuration Wizard had NOT been run. This is a big no-no: please, if you push patches to your servers monthly and they include SharePoint-related patches, make sure to run the grey wizard afterwards. After applying the patches to the servers in the farm I tried to run the grey wizard and got the following error:

“Error: Some farm products and patches were not detected on this or other servers. If products or patches are missing locally, you must quit this program and install the required products and patches on this server before starting this wizard. If products or patches are missing on your servers, you must install the required products and patches on the specific servers, and you may then click the Refresh button to perform the status check again.”

After running the following command on each server everything started working:

Get-SPProduct -Local

SharePoint Admin Tool Belt Addition – C2WTS Troubleshooting

I was troubleshooting an issue with the Claims to Windows Token Service the other day and found a great tool to assist. I was working in an SSRS integrated environment configured with Kerberos and was getting the error “Cannot convert claims to windows token” when configuring a data source to test against. The issue was that the C2WTS service account was not in the local Administrators group. I had requested this access, but in this environment the local admins were all in an Active Directory group, I did not have permissions to confirm this, and adding the account to local admins explicitly was wiped out by Group Policy. Anyway, enough about the issue; the awesome tool is at http://rodneyviana.codeplex.com/releases/view/19103 and is called c2WTS tester.

Add it to your SP Admin tool belt!

-AJB

Office Web Apps 2013 Moved to VLSC…Where are you?

Many of you have probably read that Office Web Apps Server 2013 has moved from the Download Center to the Volume Licensing Service Center (VLSC); see here (an evaluation version is still available on MSDN for subscribers):

http://blogs.technet.com/b/office_sustained_engineering/archive/2014/10/22/web-apps-server-removal-from-download-center.aspx

https://technet.microsoft.com/en-us/library/jj219455.aspx

Recently I went to the VLSC site (https://www.microsoft.com/Licensing/servicecenter/default.aspx) and did a search for Office Web Apps: no results. I did a search for Web Apps: no results. After calling the VLSC phone number they indicated that the Office Web Apps Server 2013 install is located under the Office Professional Plus 2013 (and Office Professional Plus w/ SP1) download.

Just another day in the life..

Office Local Drafts Issue/ULS Logs…Can I see a Check-Out

Hey All – I ran across an interesting scenario with one of our clients last week that I thought would be useful to share. They were having issues with Office 2007 and SharePoint 2010. For some reason, every now and then a heavily edited document would revert back to a previous version. After this happened users continued to collaborate on that document until someone noticed that their changes from their last edits weren’t saved. After this happened I was brought in to take a look and see if I could find out what was going on here…

Some background – Office 2007 and Office 2010 have two different defaults (at least the base installs at this client did) for how to handle the check-out of a file.

  • Office 2007: Defaults to “Use my local drafts folder”
  • Office 2010: Defaults to “The Office Document Cache”

We noticed this specific issue was happening because the users were using the local drafts folder and were not checking the file back in. With Office 2010 you get a nice little pop-up (With Office 2007 you do NOT):

[Screenshot: Office 2010 check-out pop-up]

The client went ahead and applied the group policy settings stated here (Thanks Joran!): http://joranmarkx.wordpress.com/2012/01/31/disable-check-out-to-local-drafts-folder/

Now that we have the issue fixed the client wanted a little additional follow-up. They wanted to see what information the “logs” would provide us if this were to happen again. This client had all of the default ULS logging settings turned on. I was able to track down the last time this happened in the ULS logs and I could only see the user accessing the site, not much else. Once I turned on verbose logging I could see the following entry:

“Performing lock of checkout operation for documents/SPTestDoc.docx. Lock Flags = 5. Lock Id – . Lock timeout = 0.”

The audit logs and IIS logs can show the user accessing the file, but they do not tell us whether the user checked it out, overrode a checkout, etc. I am not advising anyone to turn on verbose logging 24/7; it will most likely fill up your data drive (hopefully you are putting logs on a secondary, non-OS drive) and should only be used while troubleshooting. It is definitely good to know that the defaults do not “capture” a checkout and that verbose logging needs to be enabled for the entry above to show up in the logs.

-AJB

SharePoint 2010 – Office Web Apps Cache Expiration

I was doing some browsing around a SharePoint 2010/Office Web Apps-enabled farm the other day and noticed something interesting that I thought I’d share. By default, when you set up Office Web Apps in SharePoint 2010 the cache expiration does not get set in the web app’s property bag.

I started by checking the web app cache URL’s property bag items. As you can see, there is nothing related to cache expiration:

After this I went ahead and set the max size/cache expiration for the Office Web Apps cache URL and then checked the property bag items:

Notice the waccacheexpirationperiod entry now!


-AJB

Document Inventory PowerShell Script

The other day I had a request to get a list of all documents in a web application along with some information about each document. From the output I was able to open the file in Excel and create a PivotTable by site collection, site, and library, and get counts of the versions and unique permissions for each. In this case a few of the libraries were approaching the 50,000 unique security scope limit for a list/library, so be careful of that limit (described here: http://technet.microsoft.com/en-us/library/cc262787(v=office.15).aspx#ListLibrary)! Here is the script:
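The author’s own script is not reproduced on this page, so the following is an added PowerShell example (not the author’s script) that does the inventory described above: one row per document with site collection, site, library, version count and unique-permission flag, exported to CSV for the PivotTable, plus a quick per-library count against the unique security scope limit. It assumes the SharePoint 2013 snap-in; the web application URL and output path are placeholders.

```powershell
# Added example (not the author's script): inventory every document in a web application
# and export one row per file with version count and unique-permission flag, so a
# PivotTable can show which libraries are approaching the unique security scope limit.
# Assumptions: SharePoint 2013 snap-in; web application URL and CSV path are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPDocumentInventory {
    param([Parameter(Mandatory)][string]$WebApplicationUrl)
    $webApp = Get-SPWebApplication -Identity $WebApplicationUrl
    foreach ($site in $webApp.Sites) {
        try {
            foreach ($web in $site.AllWebs) {
                try {
                    $libraries = $web.Lists | Where-Object { $_.BaseType -eq 'DocumentLibrary' -and -not $_.Hidden }
                    foreach ($list in $libraries) {
                        foreach ($item in $list.Items) {
                            if ($item.FileSystemObjectType -ne 'File') { continue }   # skip folders
                            [pscustomobject]@{
                                SiteCollection = $site.Url
                                Site           = $web.Url
                                Library        = $list.Title
                                Path           = $item.Url
                                SizeKB         = [math]::Round($item.File.Length / 1KB, 1)
                                Versions       = $item.Versions.Count
                                UniquePerms    = $item.HasUniqueRoleAssignments
                                Modified       = $item['Modified']
                                ModifiedBy     = $item['Editor']
                            }
                        }
                    }
                } finally { $web.Dispose() }    # SPWeb/SPSite hold unmanaged resources
            }
        } finally { $site.Dispose() }
    }
}

$rows = Get-SPDocumentInventory -WebApplicationUrl 'http://intranet.contoso.local'   # placeholder
$rows | Export-Csv -Path 'C:\Temp\DocumentInventory.csv' -NoTypeInformation           # placeholder

# Quick check against the 50,000 unique security scope limit: libraries with the most
# uniquely permissioned items first
$rows | Group-Object SiteCollection, Site, Library |
    Select-Object Name, Count, @{ n = 'UniquePermItems'; e = { @($_.Group | Where-Object UniquePerms).Count } } |
    Sort-Object UniquePermItems -Descending | Select-Object -First 10
```

Run it from the SharePoint Management Shell as a farm administrator with access to the content databases; on a large web application it walks every item, so schedule it outside business hours.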

Additional Notes: