Bugra Postaci's Blog

All my posts are provided "AS IS" with no warranties, and confer no rights.


Outgoing emails are not working in SPS2016 after Security Update May 2017

22/06/2017

This article describes a consequence of the May 2017 Security Update for SharePoint Server 2016 that shows up in some non-default configurations: outgoing email stops working.

There is a security update dated May 9, 2017 for SharePoint Server 2016. You can find the details in the following KB:
https://support.microsoft.com/en-us/help/3191880/description-of-the-security-update-for-sharepoint-server-2016-may-9-20

  • SharePoint outbound email messages incorrectly try to authenticate to SMTP servers that support Generic Security Service Application Program Interface (GSSAPI), Kerberos, or NTLM authentication. This may prevent email messages from being sent. After you install this update, SharePoint sends email messages anonymously without authentication.

This is confusing at first, because the out-of-the-box mail configuration for SharePoint has always been anonymous SMTP. That is correct.
But some customers applied a non-default configuration to force the SharePoint processes (w3wp or owstimer) to authenticate to their Exchange server with their own identities. If aspnet:AllowAnonymousImpersonation was set to false, requests from authenticated users ran under the application pool identity, that identity was presented to the SMTP server, and authenticated sending could work (for anonymous users it never worked at all).

<appSettings>
<add key="aspnet:AllowAnonymousImpersonation" value="false" />
</appSettings>

More details on this setting are explained here:
https://support.microsoft.com/en-us/help/2686411/sharepoint-impersonates-the-iusr-account-and-is-denied-access-to-resources
Security warning: the recommended value for this setting is true, which is also the default when the key is absent. With it set to false, anonymous requests are executed under the application pool identity and therefore get that account's rights, which is far more than an anonymous request should have.
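Because the key is absent by default (which means true), the quickest way to know whether a farm is exposed to this is to read every web application's web.config. The script below is an added example, not part of the original post; it assumes it is run in the SharePoint Management Shell on a farm server and that the web.config files live under the IIS paths SharePoint records for each zone.

```powershell
# Added example (not from the original post): audit every SharePoint web application's
# web.config for aspnet:AllowAnonymousImpersonation. The key is absent by default, which
# means "true"; a value of "false" is the risky setting discussed above.
# Assumes the SharePoint Management Shell (or the snap-in loaded below) on a farm server.
if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

function Get-AnonymousImpersonationSetting {
    param([string]$WebConfigPath)
    [xml]$config = Get-Content -LiteralPath $WebConfigPath
    $node = $config.SelectSingleNode("/configuration/appSettings/add[@key='aspnet:AllowAnonymousImpersonation']")
    if ($null -eq $node) { return "true (default, key not present)" }
    return $node.value
}

# One row per web application and zone; Central Administration is included on purpose.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    foreach ($zone in $wa.IisSettings.Keys) {
        $path = Join-Path $wa.IisSettings[$zone].Path.FullName "web.config"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $value = Get-AnonymousImpersonationSetting -WebConfigPath $path
        $flag = if ($value -eq "false") { "WARNING: anonymous requests run as the app pool identity" } else { "OK" }
        "{0,-40} {1,-10} {2,-30} {3}" -f $wa.DisplayName, $zone, $value, $flag
    }
}
```

Run it on one server per farm; the web.config is the same on every web front end, so a single pass is enough unless someone edited a file by hand on one box.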

Authenticating to SMTP this way was never intended for SharePoint, and Microsoft treats it as a security issue: by design, outbound mail has to be anonymous. The May 2017 security fix enforces this, so SharePoint will now always use anonymous authentication to SMTP servers.

For customers who still need authenticated relay, there is no way to disable the anonymous-only behavior, but there are two valid workarounds:

  1. If you are using Exchange, set up a separate receive connector configured as externally secured and restricted to the IP addresses of the SharePoint server(s) in your environment. This allows SharePoint to send email anonymously through that receive connector, while the connector treats the messages as if they were authenticated. All other SMTP clients continue to use the regular receive connectors and whatever authentication policies are associated with them.
  2. Set up a smart-host SMTP relay that accepts email anonymously from the SharePoint server(s) and then relays it to the company's SMTP infrastructure using authentication.
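Workaround 1 in Exchange Management Shell terms, as an added example that is not part of the original post. The connector name, the Exchange server name EX01, the SharePoint addresses 10.0.0.21 and 10.0.0.22 and the contoso.com mailboxes are assumptions; the cmdlets and parameters are Exchange's own.

```powershell
# Added example (not from the original post): workaround 1, an Exchange receive
# connector that treats anonymous mail from the SharePoint servers as already
# authenticated. Run in the Exchange Management Shell.
# Assumed values: connector name, Exchange server EX01, SharePoint servers
# 10.0.0.21 and 10.0.0.22, and the contoso.com addresses used in the test send.
$sharePointServers = @("10.0.0.21", "10.0.0.22")

New-ReceiveConnector -Name "SharePoint Anonymous Relay" `
    -Server "EX01" `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $sharePointServers `
    -AuthMechanism ExternalAuthoritative `
    -PermissionGroups ExchangeServers

# Check 1: RemoteIPRanges must list only the SharePoint servers. ExternalAuthoritative
# skips authentication entirely, so a wider range turns this into an open relay
# for every host in it.
Get-ReceiveConnector "EX01\SharePoint Anonymous Relay" |
    Format-List Name, RemoteIPRanges, AuthMechanism, PermissionGroups, Bindings

# Check 2: from a SharePoint server, confirm an unauthenticated send goes through.
# No -Credential is passed, which matches what SharePoint does after the update.
Send-MailMessage -SmtpServer "EX01" -From "sharepoint@contoso.com" `
    -To "admin@contoso.com" -Subject "SharePoint relay test" `
    -Body "Sent anonymously through the restricted receive connector."
```

Repeat the test send from a host that is not in RemoteIPRanges; it should be refused by the regular connectors' authentication policy, which confirms the exception really is scoped to the SharePoint servers.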

Filed under Sharepoint, Uncategorized Tagged with AllowAnonymousImpersonation, SMTP

Single Label Domain names (SLD) and SharePoint

21/06/2017

Not a good idea, and not supported at all for SharePoint.

https://technet.microsoft.com/en-us/library/cc262485.aspx

Filed under Sharepoint, Uncategorized

About global threat of WannaCrypt attacks

15/05/2017

A significant number of customers have reported ransomware (Win32.WannaCrypt) that is suspected to have been introduced into their environments via email; the malware uses social engineering to target companies. Microsoft anti-malware products have been updated and detect the current version of this malware from definition version 1.243.290.0 onwards.

Customer Guidance for WannaCrypt attacks

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Impacted customers who were unpatched and infected will need to work through their disaster recovery plans to rebuild and/or patch their systems.

1. Install Security Update MS17-010 to PREVENT further spread of the malware:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
2. Create the registry key to disable SMBv1 (only if Security Update MS17-010 cannot be applied).
3. Apply updated antivirus definitions (Microsoft anti-malware products detect the current version of this malware from definition version 1.243.290.0 onwards).
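The three checks above as one PowerShell pass, as an added example that is not part of the original post. It assumes Windows 8.1 / Server 2012 R2 or later for the SmbShare cmdlets and Windows Defender for the signature query; the MS17-010 KB number differs per Windows version, so the script lists recent hotfixes for you to compare against the bulletin rather than hard-coding one.

```powershell
# Added example (not from the original post): verify the three WannaCrypt
# mitigations listed above on a Windows host.
# Assumes PowerShell 4+ with the SmbShare module (Windows 8.1 / Server 2012 R2
# and later) and Windows Defender for the definition version check.

# 1. MS17-010: list the most recent updates so the KB for this OS can be checked
#    against the bulletin. KB numbers vary per Windows version, so none is hard-coded.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 15 HotFixID, InstalledOn

# 2. SMBv1: report the server-side state and, if it is still enabled, set the
#    documented registry value (LanmanServer\Parameters, SMB1 = 0). The cmdlet form
#    below is equivalent; a restart of the LanmanServer service (or reboot) is
#    needed for either one to take effect.
$smb = Get-SmbServerConfiguration
"SMB1 enabled on server: {0}" -f $smb.EnableSMB1Protocol
if ($smb.EnableSMB1Protocol) {
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
        -Name "SMB1" -Type DWORD -Value 0 -Force
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 3. Definitions: anything at or above 1.243.290.0 detects this variant.
$status  = Get-MpComputerStatus
$minimum = [version]"1.243.290.0"
$current = [version]$status.AntivirusSignatureVersion
if ($current -ge $minimum) {
    "Definitions {0}: OK" -f $current
} else {
    "Definitions {0}: UPDATE REQUIRED (minimum {1})" -f $current, $minimum
}
```

Disabling SMBv1 stops the worm's lateral spread over port 445 but is not a substitute for the patch; step 2 is the fallback the post describes for hosts where MS17-010 cannot be installed.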

For more details, please follow the Windows Security blog:
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Filed under Uncategorized Tagged with WannaCry, WannaCyrpt

Unable to open BDC Service Application UI from Central Admin site

11/02/2017

Here is the issue: when we go to Central Admin > Manage service applications > Business Data Connectivity Service Application, we get an error:

"Something went wrong" and a Correlation ID
Error message seen:
Event ID 8085 in Event Viewer: The BDC Service application Business Data Connectivity Service is not accessible. The full exception text is: Access is denied.
In the ULS logs:
SPIisWebServiceAuthorizationManager: SPIisWebServiceApplication with name 'Business Data Connectivity Service' and type 'Microsoft.SharePoint.BusinessData.SharedService.BdcServiceApplication' received request with ServiceSecurityContext whose primary identity has no valid data to check against ACL.
An exception occurred while writing a service call usage entry. Exception details: System.ObjectDisposedException: Safe handle has been closed
at System.Runtime.InteropServices.SafeHandle.DangerousAddRef(Boolean& success)
at Microsoft.Win32.Win32Native.GetTokenInformation(SafeTokenHandle TokenHandle, UInt32 TokenInformationClass, SafeLocalAllocHandle TokenInformation, UInt32 TokenInformationLength, UInt32& ReturnLength)
at System.Security.Principal.WindowsIdentity.GetTokenInformation(SafeTokenHandle tokenHandle, TokenInformationClass tokenInformationClass)
at System.Security.Principal.WindowsIdentity.get_User()
at System.Security.Principal.WindowsIdentity.GetName()
at System.Security.Principal.WindowsIdentity.get_Name()
at Microsoft.SharePoint.Utilities.SPUtility.GetCurrentThreadUserLogin(Boolean fFallbackToEnv)
at Microsoft.SharePoint.Administration.SPUsageManager.LogUsage(SPUsageEntry usageEntry)

The BDC Service application Business Data Connectivity Service is not accessible. The full exception text is: Access is denied.

When we try to open the BDC service application from the Central Administration site, a WCF request is made to the Business Data Connectivity Service:

Name=Request (GET:http://contoso.com:3760/_admin/BDC/ViewBDCApplication.aspx?AppId=ec61c2eb-a874-4dfd-8245-0476da3d2731)
WcfSendRequest: RemoteAddress: 'http://contoso.com:32843/b02ca86c7cb94143bb8277579dbc505c/BdcService.svc/http' Channel: 'Microsoft.SharePoint.BusinessData.SharedService.IBdcServiceApplication' Action: 'http://www.microsoft.com/Office/2009/BusinessDataCatalog/BusinessDataCatalogSharedService/MetadataObjectCreate'
WcfReceiveRequest: LocalAddress: 'http://contoso.com:32843/b02ca86c7cb94143bb8277579dbc505c/bdcservice.svc/http' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://www.microsoft.com/Office/2009/BusinessDataCatalog/BusinessDataCatalogSharedService/MetadataObjectCreate'

We are facing an authentication problem in claims authentication. It looks like the user is not authenticated.

That takes us to the Security Token Service application, which is called before the BDC request:

Claims Authentication af3y2 VerboseEx STS Call Claims Windows: Adding claim with type 'http://sharepoint.microsoft.com/claims/2009/08/isauthenticated', value 'False', value type 'http://www.w3.org/2001/XMLSchema#string', issuer 'SharePoint' and original issuer 'SecurityTokenService'.
Claims Authentication af3y1 VerboseEx We are copying claim with type 'http://sharepoint.microsoft.com/claims/2009/08/isauthenticated', value 'False', value type 'http://www.w3.org/2001/XMLSchema#string', issuer 'SharePoint' and original issuer 'SecurityTokenService'.

Resolution and troubleshooting suggestions:

-> Check that the BDC Service Application virtual directory has only Anonymous Authentication enabled and Windows Authentication disabled.
-> Check that the Security Token Service application has both Anonymous and Windows Authentication enabled.
-> Check IIS > SharePoint Web Services: only Windows Authentication should be enabled on the site itself.
-> Check that the BDC Service Application's Anonymous Authentication identity is set to "IUSR".
-> Check that the top-level (server) IIS Anonymous Authentication identity is set to "IUSR".

1. Open IIS Manager.
2. Highlight the server name.
3. Select Authentication from the center pane.
4. Highlight "Anonymous Authentication" and make sure it is Enabled.
5. Click "Edit...".
6. Select the "Specific user" radio button and click "Set".
7. Enter IUSR in the "User name:" box of the Set Credentials window.
-- Note: you do not need to enter a password.
8. Click OK to apply, then OK again.
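The same inspection and fix from PowerShell, as an added example that is not part of the original post. It uses the WebAdministration module on the SharePoint server; the location names are assumptions based on the standard "SharePoint Web Services" site layout, and the BDC virtual directory GUID is the one that appears in this post's ULS entries (use your own).

```powershell
# Added example (not from the original post): read, and if needed correct, the IIS
# authentication settings the steps above describe. Requires the WebAdministration
# module on the SharePoint server. Location names are assumed from the standard
# "SharePoint Web Services" layout; the BDC vdir GUID is the one from this post's logs.
Import-Module WebAdministration

$anonFilter = "system.webServer/security/authentication/anonymousAuthentication"
$winFilter  = "system.webServer/security/authentication/windowsAuthentication"

function Show-AuthSettings {
    param([string]$Location)
    $params = @{ PSPath = "MACHINE/WEBROOT/APPHOST" }
    if ($Location) { $params.Location = $Location }   # no -Location means server level
    $anon = Get-WebConfiguration -Filter $anonFilter @params
    $win  = Get-WebConfiguration -Filter $winFilter  @params
    [pscustomobject]@{
        Location       = if ($Location) { $Location } else { "(server level)" }
        AnonEnabled    = $anon.enabled
        AnonUser       = if ([string]::IsNullOrEmpty($anon.userName)) { "(application pool identity)" } else { $anon.userName }
        WindowsEnabled = $win.enabled
    }
}

# Expected per the post: server level anon=IUSR; "SharePoint Web Services" Windows only;
# STS both enabled; BDC vdir anonymous only, running as IUSR.
$locations = @(
    "",
    "SharePoint Web Services",
    "SharePoint Web Services/SecurityTokenServiceApplication",
    "SharePoint Web Services/b02ca86c7cb94143bb8277579dbc505c"
)
$locations | ForEach-Object { Show-AuthSettings -Location $_ } | Format-Table -AutoSize

# Fix for the top-level setting (steps 1-8 above): explicit IUSR with an empty password.
# In IIS an empty userName means "use the application pool identity" instead of IUSR.
Set-WebConfigurationProperty -Filter $anonFilter -PSPath "MACHINE/WEBROOT/APPHOST" -Name userName -Value "IUSR"
Set-WebConfigurationProperty -Filter $anonFilter -PSPath "MACHINE/WEBROOT/APPHOST" -Name password -Value ""
```

Run the inspection part first on every server in the farm; a single front end with a different anonymous identity is enough to produce the intermittent version of this error, depending on which server the WCF call lands on.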

Filed under SharePoint 2013, SharePoint 2016, Uncategorized Tagged with af3y2, Anonymous, Authentication, BDC, IIS, IUSR, SharePoint 2016

Delete inactive users in user profiles

30/03/2016

For more detail, there is a very good article about how the My Site cleanup job works:
https://blogs.msdn.microsoft.com/kaevans/2012/06/25/inside-the-sharepoint-2010-my-site-cleanup-timer-job/

If you have a scenario where you somehow cannot run the My Site cleanup job, or have intentionally stopped it for a reason, and you need to clean up inactive user profiles, the following PowerShell script will help you remove inactive (no longer imported) profiles from the User Profile Service in SharePoint.

#PowerShell Script - Delete Inactive User Profiles - SharePoint 2010/2013

#The script is distributed "as-is." Use it at your own risk. The author gives no warranties, guarantees or conditions.
#Note: it reads the profile database directly. bDeleted = 1 marks profiles that profile
#synchronization no longer finds in the directory and that the My Site cleanup job would
#normally remove. Reading SharePoint databases directly is not generally supported by
#Microsoft, so try this in a test farm first. Deletion stays commented out by default.

if ((Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

$site = Get-SPSite "<site url>"   # any site collection served by the User Profile Service Application
$ctx = Get-SPServiceContext $site
$pm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

# The farm's profile database (if you run several UPAs, pick the one bound to $ctx)
$ProfileDB = Get-SPDatabase | ? { $_.Type -eq "Microsoft.Office.Server.Administration.ProfileDatabase" } | Select-Object -First 1

$SqlConnection = New-Object System.Data.SqlClient.SqlConnection
$SqlConnection.ConnectionString = $ProfileDB.DatabaseConnectionString
$SqlCmd = New-Object System.Data.SqlClient.SqlCommand
$SqlCmd.CommandText = "select NTName,RecordId from UserProfile_Full where bDeleted=1"
$SqlCmd.Connection = $SqlConnection
$SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
$SqlAdapter.SelectCommand = $SqlCmd
$DataSet = New-Object System.Data.DataSet
[void]$SqlAdapter.Fill($DataSet)   # [void] keeps the returned row count out of the output
$SqlConnection.Close()

Write-Host "Total Count: " $DataSet.Tables[0].Rows.Count
Write-Host "Following Inactive Accounts will be deleted !"

foreach ($user in $DataSet.Tables[0].Rows)
{
    Write-Host "Planning to delete :" $user["NTName"] -ForegroundColor Green
    # RecordId is a bigint, matching the UserProfileManager.GetProfile(long) overload
    $profile = $pm.GetProfile([long]$user["RecordId"])
    #To enable the delete operation, uncomment the two lines below
    #$pm.RemoveProfile($profile)
    #Write-Host $user["NTName"] "is deleted!!!" -ForegroundColor Red
}
Write-Host "Operation Completed !"

Filed under Uncategorized
