Jesper M. Christenen - Livespace

For the time being I have not really time for blogging I'm afraid but will continue writing articles for the windowsecurity.com website.

I know many things are visible in the Microsoft Active Directory and tried a few things to investigate the things a standard user can see. If this is something for you, then take a look at the article – feedback and evaluation is welcome J

Active Directory information exposed to users?

When I search the internet for articles I stumbled on my own. Nothing wrong with that except that it was in Russian and with another author mentioned…

But as a service to you RSS subscribers I now present "Kerberos in a SharePoint Environment" in Russian also J

http://www.oszone.net/7392/Kerberos_Sharepoint

The third and final part of my troubleshooting Kerberos article is now published on Windowssecurity.com

Troubleshooting Kerberos in a SharePoint environment (Part 3)

Please rate the article if you read it

I needed to change my Shared Service Provider Administration website to a load balanced url and found this great post by Ram G. http://blogs.msdn.com/ramg/archive/2008/07/01/moving-ssp-admin-site.aspx

That does the trick fast and easy – just try avoid copy-pasting the code, just write it by hand J

The second part of my troubleshooting kerberos article is now published on Windowssecurity.com

Troubleshooting Kerberos in a SharePoint environment (Part 2)

Please rate the article if you read it J

On the web I finally found a solution to the dependent dynamic choice filter on a SharePoint list Item. It requires some custom code-project to implement and some companies might not allow this.

Say you want to have a category and the sub category filtered depending on the choice you made in the first multiple selection box.

You can find the solution on the SharePoint Snippets.com blog. DataDog first published his version here but this makes it possible to use any number of "Siblings".

Download and description: http://www.sharepointsnippets.com/post/2008/11/SharePoint-Cascading-Dropdown---Unlimited-siblings.aspx

Configuration example: http://www.sharepointsnippets.com/post/2009/01/Cascading-Dropdown---Configuration.aspx

I hope Microsoft will include this feature and filtered dropdown lookup boxes in the next version of SharePoint.

After I received Kerberos error messages and screenshots I started making an article series on Windowssecurity.com about a working environment. In this I started braking things one at a time and investigated what error-messages came from these – with screenshots, error logs and troubleshooting tools/techniques.

This can be used in SharePoint environments and also in other Kerberos troubleshooting tasks.

You can read part one of the series at Troubleshooting Kerberos in a SharePoint environment (Part 1) and the other parts are following soon.

I have updated my blog-post "Troubleshooting the Kerberos error KRB_AP_ERR_MODIFIED" with new details for SharePoint in IIS7 on Windows Server 2008.

Please visit this if you have this Kerberos error.

My project to make a complete backup of SharePoint with Windows Powershell (mostly used on WSS) just got support for Windows Server 2008 and Windows Vista. Also the deletion of old backups has been changed.

Visit the SPBackup project page on http://www.codeplex.com/spbackup

I attended a great session on Microsoft TechED 2008 IT Pro on ports and protocols from Martin Kearn and searched for his session slides (with no luck yet). I then stumbled across a blog post I missed from Liam Cleary (SharePoint MVP I also saw on the Ask-The-Experts stand) where he summarizes the session details and give out the links to Microsoft Knowledgebase articles.

Read the post and check out the overview tables of what to open up for in the Windows Firewall configuration

http://www.helloitsliam.com/archive/2008/11/11/sharepoint-%E2%80%93-ports-and-protocols.aspx?id=168

Hello everyone,

I am currently collecting error messages and if you have some please post them on this blog-post. Please describe your environment, what you are are trying to accomplish and the errors on the different servers. If you have errors and solutions that would be appreciated also J

Hope to see and solve some problems,

Thanks
Jesper

I got a new article published on www.WindowsSecurity.com about the security considerations of using Microsoft SharePoint to publish company information. Find out what to avoid and where to look for possible security breaches.

http://www.windowsecurity.com/articles/Sharepoint-Data-Security-Risks.html

I hope you will read it, rate it and give feedback

Thanks,
Jesper

Sometimes I need to check for duplicate E-mail addresses in my Sharepoint lists. In the beginning I looked for new items manually, but this will take….. a while now :o)

I came up with this script to report back if any address exists more than once:

This page gives you a chance to follow my community activities and will be updated periodically.

Forums

Being active on forums gives me the opportunity to help others and get the chance to learn something new also.

Online magazines

Blogs

Blogging can be a lifestyle – especially if you have something you just need to say to the group "Everyone"

Codeplex projects

Free coding-projects that helps everyone in the everyday challenges.

New features have been added to my Windows Powershell project SPListSync. You can now copy/synchronize from an existing SQL Server Database table to a Sharepoint list. Great if you have a customer database outside your Sharepoint-solution. New items can also be created using a new feature.

Check it out, and please give me feedback for good and bad J

http://www.codeplex.com/splistsync

Changes from 1.0

• Added possibility to synchronize from a SQL Database Server table
• Added feature to create new items in the destination list
• Small changes in script structure

Upgrade from 1.0
There are new settings in the XML-file, so please adjust your 1.0 configuration with the additional:

• <ParentSQLServer>
• <ParentSQLDatabase>
• <ParentSQLStatement>
• <CreateNewChilds>

If you have a Sharepoint list for companies and another for contacts how do you make sure every bit of information is up to date? This is a feature I wanted to have – and of course this should happen automatically.

First I thought of making automatic workflows with Microsoft Sharepoint Designer but it became difficult to keep track of the sites, lists, columns and different workflows for these. The obvious solution for after the SPBackup project was to make another Windows Powershell script to do this configured by a XML-file and scheduled by Windows Scheduled Tasks.

I made an example of this kind of cross-list updates below and you can download the latest version of SPListSync from CodePlex – the example XML-file provided can be used in the demonstration below

Sharepoint list-sync. with Powershell script: http://www.codeplex.com/splistsync

Sharepoint list-connections

Setup procedure

1. Create new address list for Companies:

1. Create new address list for Contacts

1. Create new column in the Contacts list for the Company link:

Add some sample companies, contacts and link these together.

1. Check Windows Powershell installation
   
   Make sure Windows Powershell is installed on the Sharepoint (WSS/MOSS) server. (Windows Server 2003 – download and install it from the Microsoft website. Windows Server 2008 – activate the feature through Server Manager.)
   
   If you do not sign your scripts, you can enable unsigned scripts in Windows Powershell with the command Set-ExecutionPolicy Unrestricted as shown here on the screenshot:

1. Check the Powershell script configuration XML file so that it fits your environment (see the documentation on CodePlex)
2. Run the script from the Powershell to test the synchronization
3. Schedule the script in Windows Scheduled tasks with the command:
   
   %windir%\system32\WindowsPowerShell\v1.0\powershell.exe -command "& C:\SPListSync\SPListSync.ps1

Hmmm, I suddenly got a problem with my VMware infrastructure client 2.5 on my Windows Vista 32-bit SP1: The program just exits or crashes with a memory error.

This happened when I:

• Selected a virtual machine
• Edited virtual machine settings
• Opened a console

I couldn't find any update or support-hits on this on VMware support site, and managed to solve the problem by copying libeay32.dll, ssleay32.dll to "%ProgramFiles%\VMware\Infrastructure\Virtual Infrastructure Client\Launcher". They can be found in the "%ProgramFiles%\\VMware\Infrastructure\Virtual Infrastructure Client\2.5" folder.

I have released a new version of SPBackup. One script to perform Sharepoint backups written in Windows Powershell.

Codeplex project: http://www.codeplex.com/spbackup

Important !
When using the <backupdestinationmaxkeepdays> remember that the script deletes ALL files on the backup location older than this number of days !

Changes from 1.0

• New catastrophic backup feature
• New procedure to keep the files on the backup destination for only a number of days
• Small changes in log-text

Making a complete scheduled backup of Microsoft Sharepoint requires an external script and I have written blog posts about this subject to make sure we all have everything included. Windows Powershell has the ability to collect every part and handle the backup procedure as you want – with a single script-file.

I have published a Windows Powershell script on Codeplex to automate:

• Backup of Sharepoint site collections with STSADM
• Backup and compress the 12-hive
• Backup and compress the IIS Metadata (portable with encryption password)
• Multiple settings for different site collection backup jobs (configurable in the XML-file)
• E-mail report

The inspiration came from the script Michael Noel wrote for backing up site collections with a VBScript (He has written about it here. I wanted a single script to do everything and here it is:

Full Sharepoint backup with Powershell: http://www.codeplex.com/spbackup

I hope this can help you make a full Sharepoint backup.

Recently I needed a specific function for my Sharepoint lists: Updating multiple items in a list. I thought of workflows instantly and found many good articles and blogs on how to manipulate the items but not quite changing searched items with data from another list. Then I fell over the Windows Powershell for Sharepoint on Karine Bosch blog – and Windows Powershell really has all the tools you need!

• Create sites and mundane configurations easily
• Batch import, export and manipulate Sharepoint items
• Run jobs at a specific time with Windows scheduler (workflows are action-based)

As other blogs mention there isn't much information and examples online, but browsing around the Internet can give you the information you need to build your scripts the way you want it. Some articles also import the Visual Studio 8 tools, but I just needed the script to work on my Sharepoint servers locally with installing Visual Studio.

Start with Sharepoint Powershell for beginners and Sharepoint Powershell for beginners – continued by Karine which will guide you through the basics. She also has an excellent post about Update a Sharepoint list with Powershell.

If you do not want to use CAML queries (an excellent CAML builder exist at U2U Community tools) you can query the lists and filter through Powershell even though the performance isn't the best if you have many items in the list. I have included an example below with comments for you. Change the first lines to match your environment and run the commands on one of your Sharepoint servers.

#Define various data
$siteUrl = "http://intranet.domain.local"
$webName = "/"
$ContactslistName = "Contacts"

#Set up connection to the Sharepoint site
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
$spSite = new-object Microsoft.SharePoint.SPSite($siteurl)
$spWeb = $spSite.OpenWeb($webName)

#Set up the list connection
$spListContacts = $spWeb.Lists[$ContactslistName]
$spListContactsCol = $spListContacts.items

#Get and show the list of contacts working in Dallas
$spListContactsCol.GetDataTable() | where-object{$_.WorkCity -like "Dallas"} | ft FullName, WorkAddress, WorkZip, WorkCity

Using the Windows Powershell gives you endless possibilities without programming and compiling in Visual Studio. Explore the shell and what it can do for your solutions.

Links to more information about Powershell and Sharepoint

Great info by Karine Bosch: http://www.u2u.info/Blogs/karine
Adventures in SPWonderland: http://blogs.flexnetconsult.co.uk/colinbyrne/CategoryView,category,PowerShell.aspx
Dataset/datatable output: http://mow001.blogspot.com/2006/05/powershell-out-datagrid-update-and.html

Have you ever needed to get data from a local Outlook ost-file? The reason why I write this blog is that I fell over this nice tool to have if you have a corrupt pst-file or you need to recover some data before Outlook synchronize with the server.

Find the OST2PST tool to convert a ost file to pst here:

http://www.recoverytoolbox.com/ost_to_pst_convertor.html

Teamviewer is a great free (for private use) desktop sharing tool for both private and corporate use. No installation is needed for this support-tool and it works on both Windows and Mac computers.

Try the Teamviewer online remote control here: http://www.teamviewer.com

Important! Do not copy-paste the command-line code to your environment. Write the text yourself, as a copy-paste can give problems (I suspect the Unicode-formatting to be different on some webpages).

Update: After this blog-entry I had an article published that gives an overview of Kerberos in a Sharepoint environment

Update 23/12-2008: On Windows Server 2008 the IIS7 uses Kernel mode authentication and the kerberos tickets uses this and not the App. Pool identity. This causes KRB_AP_ERR_MODIFIED errors and the Kernel mode authentication must be switched off (check out this blog by Spence Harbar: http://www.harbar.net/archive/2008/05/18/Using-Kerberos-with-SharePoint-on-Windows-Server-2008.aspx)

This article is about troubleshooting the specific error message and is mainly written for the Microsoft Sharepoint configuration. It can give some insight for other scenarios as well.

I ran into this error message in multiple Windows Sharepoint Services 3.0 (WSS) and Microsoft Office Sharepoint Server 2007 (MOSS) installations with different solutions to it and you can use hours and days to troubleshoot this error message. Therefore I wrote this article to summarize the problem and possible solutions to the error.

Overview of what to configure for the Kerberos

Kerberos is the recommended authentication method in Sharepoint and we need to catch our breath and see through the confusing error messages that are popping up on our screen. First of all: It isn't really difficult to configure Kerberos if you know how to do it – and more important: how not to configure it wrong. If you just try to configure it and do not really know how it is supposed to be configured and why then you can get into trouble finding and undoing the bad configuration.

We only need the following to be done

• Get a static IP address for all our servers and make sure the DNS zone (forward & reverse) do not have duplicate entries.
• Configure delegation trust for the Application Pool account, Frontend- and SQL servers
• Configure http Service Principal Names (SPN) for the Frontend server NETBIOS-name and FQDN and bind it only to the Application Pool account
• Configure the clients Internet Explorer security zone for the site to "Intranet" and permit auto-logon for this zone

You can check my blog-entry Notes on configuring Sharepoint to use Kerberos for more information.

The problem with event id 4: KRB_AP_ERR_MODIFIED

The error appears in the Windows system-eventlog on the client that tries to authenticate with the Sharepoint-server with an eventid 4:

Source: Kerberos
Event Type: Error
Event ID: 4

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/wss1.domain.local.  The target name used was HTTP/wss1.domain.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAIN.LOCAL), and the client realm.   Please contact your system administrator.

What this means is that the encryption key that the server uses is different than the one the client uses to decrypt the authentication package. So how do you troubleshoot this issue? I searched the knowledgebase's and forums and came up with many solutions to this error.

The problem is that the error can come from in a couple of reasons. I have tried to collect as many sources to the problem that I could find and a solution to each one starting with the one that most likely could cause the problem.

1. Duplicate DNS entries
   Most of the configurations gives the KRB_AP_ERR_MODIFIED error because of old DNS entries on your DNS server are not removed. Simply remove these so you only have one IP address per server and one server per IP address (use the sort on the DNS Manager to find duplicates). Also check the reverse lookup zone as the Kerberos use this lookup to make the server-match. And remember the replication delay for other DNS servers and the DNS-timeout on clients before testing – better wait a couple of minutes (or up to 30 min. for auto-repl.)
2. Multiple or missing SPN entries
   The SPN's are configured and centrally stored in your KDC in Active Directory. You only need mapping the http-type to your Application Pool account. If you map these to more accounts/servers or do not map those correctly you get the error. Remember that the host-type is used if no http are configured. Check for multiple mappings with the command:

   ldifde -d "dc=domain,dc=local" -r "servicePrincipalName=http*" -p subtree -l "dn,servicePrincipalName" -f output.txt

The http/NETBIOS and http/FQDN must only appear on one of the objects. Remove the ones that are not on the Application Pool Account. And if none is configured for that account you must of course map the SPN to it.

Note: It could be that the SPN's are case-sentitive, so check your server- and domain-names just in case! (See Shane Young's blog entry)

1. Computer account secure connection
   Some clients/servers fail to setup a correct secure connection with the domain. If this happens you need to reset and rebuild this. Follow this link to Microsoft Knowledgebase article KB216393 http://support.microsoft.com/kb/216393/en-us for instructions.

   If your server/client has been cloned you need to generate a new security ID (SID) and the recommended way to do this is to run the Microsoft sysprep-utility. Another way is to use the former Sysinternals, now Microsoft, utility NewSID.

2. Issues with the MTU Size
   The network packets that are send through the wires have a certain length. If an account is member of a large number of groups this have been seen. Another way to deal with the MTU-problem is to force the Kerberos to use TCP. You can find information about this in Microsoft knowledgebase article KB244474 (http://support.microsoft.com/kb/244474/en-us)

1. Other problems with Kerberos
   You can have other error-messages in your Windows eventlog, and please look all of these up before putting your servers in production. Most are related to the following

• Time difference on the servers/clients
• Firewall restrictions on the servers/clients

More information about troubleshooting Kerberos

Troubleshooting Kerberos Errors: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Troubleshooting Kerberos-related issues in IIS: http://support.microsoft.com/default.aspx?scid=kb;en-us;326985#XSLTH3168121122120121120120