Archive for Configuration

Fine Grained Permissions in 2013

Setting item-level permissions was straightforward in SharePoint 2010: you selected the items you wanted to break inheritance on and clicked the Permissions item. After moving to SharePoint 2013 and trying to do the same thing, many users conclude that the functionality no longer exists. Worry not!

To set item level permissions for an item (or multiple items) select the candidate items and switch to the Items tab in the ribbon.

Shared With

Notice the ribbon item called Shared With. This is what replaces the Permissions item from 2010. Click it and a list of users that the item is shared with loads.

Loopback Check and 401.1 Error

SharePoint Short #18

If you’re developing a web service for SharePoint, or calling one of the SharePoint web services from server-side code, and get a 401.1 Unauthorized exception, it’s worth checking the status of the loopback check, especially if you’re using a host name for the site.

Windows Server 2003 SP1 added a loopback security check. Its purpose is to block access to a web application when the request originates from the same server that hosts the site and uses a fully qualified domain name or host name rather than the machine name.

If you’re getting this exception on a dev/test environment, the simplest solution is to disable the loopback check. Do this by opening the registry editor and navigating to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

From there, right-click the Lsa key and add a new DWORD value called DisableLoopbackCheck. Set the value to 1 and then reboot the server. Do this for all Web Front Ends in the farm.

If, on the other hand, this is happening on a production environment, do not disable the loopback check: doing so removes a security check and may compromise your environment. Instead, add only the host names that should bypass the check, using another key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

Right-click the MSV1_0 key and add a new Multi-String value called BackConnectionHostNames. Set the value to the host name you want to exclude. If there is more than one, add them on separate lines, and do not include the protocol, just the host name. Reboot the server and apply this to all Web Front Ends in the farm.
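As an added example (not a script from the original post), here is the production-safe variant of the procedure above in PowerShell: it reports whether the global DisableLoopbackCheck switch is set on this server and merges the wanted host names into BackConnectionHostNames without dropping existing entries. The host names are placeholders; run it elevated on each Web Front End.

```powershell
# Added example, not from the original post. Assumes an elevated session on a SharePoint WFE.
# Constructed placeholder host names; replace with the host names of your web applications.
$hostNames = @('intranet.domain.local', 'mysites.domain.local')

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key = Join-Path $lsaKey 'MSV1_0'

# 1. Report (but do not change) the global switch. DisableLoopbackCheck=1 turns the
#    check off for every host name, which is only appropriate on dev/test servers.
$global = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($global -and $global.DisableLoopbackCheck -eq 1) {
    Write-Warning "DisableLoopbackCheck=1 is set on $env:COMPUTERNAME; the loopback check is off for all host names."
}

# 2. Merge the wanted host names into BackConnectionHostNames (REG_MULTI_SZ), keeping existing entries.
$existing = @()
$current  = Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
if ($current) { $existing = @($current.BackConnectionHostNames) }

# The value must hold bare host names: strip any scheme or trailing slash that was pasted in.
$wanted = $hostNames | ForEach-Object { ($_ -replace '^https?://', '').TrimEnd('/') }
$merged = @($existing + $wanted | Where-Object { $_ } | Sort-Object -Unique)

if ($current) {
    Set-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -Value $merged -Type MultiString
} else {
    New-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -Value $merged -PropertyType MultiString | Out-Null
}

Write-Host "BackConnectionHostNames on $env:COMPUTERNAME is now:"
$merged | ForEach-Object { Write-Host "  $_" }
Write-Host 'Reboot the server for the change to take effect, and repeat on every Web Front End.'
```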

For the latter configuration, you could define a group policy to apply this across multiple servers, but I’ll leave that for another day!

LDAP Role Provider Argument Exception

If you’re seeing the following error in the ULS logs, hopefully it’ll be as simple a fix for you as it was for me:

LdapRoleProvider.GetRolesFor() exception: {0}.System.ArgumentException: The (&(((ObjectClass=group))(member=CN=Some User,CN=Users,DC=domain,DC=local)) search filter is invalid.

at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()

at Microsoft.Office.Server.Security.LdapRoleProvider.GetRolesFor(String userOrGroupDN, DirectoryEntry groupContainer, LdapDistinguishedNameManager ldapDnManager, List`1& userRoles)

To resolve this error, all that’s required is to update the group and user filter values for the role provider in the web.config files of both the forms-based web application and the Security Token Service.

The role provider settings I had looked something like:

<roleManager>
  <providers>
    <add name="SPRoleManager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="domain.local"
         port="389"
         useSSL="false"
         groupContainer="CN=users,DC=domain,DC=local"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="((ObjectClass=group)"
         userFilter="((ObjectClass=person)"
         scope="Subtree" />
  </providers>
</roleManager>

Notice the values for groupFilter ((ObjectClass=group)) and userFilter ((ObjectClass=person)).

This is correct for the Central Administration web configuration. For the forms-based web application and the Security Token Service configuration, the user filter should be updated to (&amp;(ObjectClass=person)) and the group filter to (&amp;(ObjectClass=group)), giving the provider a balanced, well-formed LDAP filter to combine with its member clause.

Perform an IIS reset, and the next time you log in the exception should no longer appear in the ULS log.

User Profile Sync

Sometimes, when trying to create an alert in SharePoint you receive the following error message:

You do not have an e-mail address.
Alert has been created successfully but you will not receive notifications until valid e-mail or mobile address has been provided in your profile

The obvious thing to check here is the outgoing mail server settings in Central Administration.

It may be the case that you recently added an email address to the account in question, or that after receiving the above error you added an email address to the user’s profile in Central Administration.