Monday, April 2, 2012

Publishing Sharepoint 2007 w/ Infopath Forms via UAG 2010

Problem:
Accessing all the Sharepoint content through UAG seemed fine with just AAM set up on the Sharepoint side, except when we attempted to open InfoPath forms. The GetUserProfile() service did not work and/or the other Web service connections that populate the drop-downs in the InfoPath forms failed. We were greeted with an error that said "Some rules were not applied" and "An error occurred accessing a data source", or Event ID 5566.



Environment:
This setup included 2 load balanced UAG 2010 SP1 Update 1 boxes with a Cisco ACE NLB, 4 Sharepoint 2007 FE Farm servers, and 2 backend Web Services IIS boxes.

Solution:

The solution ended up requiring us to implement Kerberos authentication because we were faced with the "double hop" issue (see http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx ). Implementing Kerberos successfully required a lot of changes to our environment. I'll describe below in more detail what was done.
  • Create Sharepoint Alternate Access Mappings

    Navigate to Sharepoint Central Administration->Operations->Alternate Access Mappings. Create AAMs that map a new dummy url to the public facing URL that is set for Sharepoint 2007 in UAG. Place the AAM in the internet zone and make sure that the Public URL for the zone is set to HTTPS.
  • Extend Web Application

    Next, extend the web application (Application Management > Create or Extend Web Application > Extend Web Application to Another IIS Web Site). Make sure that Negotiate (Kerberos) is configured as the authentication provider and Allow Anonymous is set to No. Map the zone to Internet.
  • Add Host Entries on Sharepoint Front End hosts

    Next, add an entry to the hosts file that points the dummy URL to the loopback IP address (127.0.0.1). Apply this to every Sharepoint front-end server.
  • Add IIS Host Header Binding 

    In IIS add a host header binding for the dummy URL, to the original web application (the one on port 80). For example if your real site name is partners.company.com and your dummy url is partnersuag.company.com, make sure to add the host header binding to the partners.company.com site in IIS.
  • Install SSL Cert on IIS SSL Binding

    Install an SSL certificate on the newly created SSL web application in IIS. Validate that the certificate is correctly installed and not showing any errors, either in the Certificates MMC or via the IIS view-certificate dialog. Validate that the root certificate is in the Trusted Root Certification Authorities store. We ran into an issue where, even though the certificate showed no errors, Sharepoint reported trouble making an SSL connection; this was because the certificate's whole chain had been placed in the Personal store instead of the root certificates going into the Trusted Root store.

**Notes about InfoPath: In order for InfoPath forms to work via UAG, all data connections must be .udcx files placed in a Trusted Data Connection Library, and forms must be "Fully Trusted" and Administrator Approved.
  • UAG Web Servers Config

    Make sure to check "replace host header" in the Web Servers tab for the application and enter the "bogus" URL in the text box. We matched the internal URL and the public URL in our configuration.
     
  • UAG Authentication Configuration
Check "Use Kerberos Constrained Delegation for single sign-on" and type in http/*
  • Validate SPNs in environment
·         Validate SPNs for the Sharepoint service account used by the IIS front-end application pool
o    Make sure every SP FE server has a corresponding HTTP/<FQDN> and HTTP/<NetBIOS name> entry, via setspn -L sharepointsvcaccount
o    If an SPN is missing, add it via setspn -A HTTP/<FQDN> sharepointsvcaccount
o    Also add setspn -A HTTP/<NetBIOS name> sharepointsvcaccount

·         Validate SPNs for the service account used by the Web services IIS application pool
o    Make sure every IIS box in the pool has a corresponding HTTP/<FQDN> and HTTP/<NetBIOS name> entry, via setspn -L svc-account
o    If an SPN is missing, add it via setspn -A HTTP/<FQDN> svc-account
o    Also add setspn -A HTTP/<NetBIOS name> svc-account
  • Set Delegation for UAG computer account(s)
In AD Users and Computers, open each UAG computer account, go to the Delegation tab, click Add, and type in the Sharepoint service account and the IIS Web Farm service account; make sure to add all related SPNs that show up to the delegation list. Reboot the UAG servers.

  • Set Delegation to Sharepoint Farm Service Account

Delegation should be set by adding the next service hop in the authentication path; in this case add the Web Service IIS Farm service account so that Sharepoint can impersonate users coming from UAG to the web services. Allow time for replication.
 
  • Set Delegation to IIS Web Services Farm Service Account

    Set the Delegation to Trust this computer for delegation to any service ( Kerberos only ). Allow time for replication.
  • Set Delegation for Sharepoint/Web Service Front End IIS Computers

    Validate that all corresponding Sharepoint Front End boxes and Web Services Farm IIS boxes have the following delegation set: "Trust this computer for delegation to any service ( Kerberos only )"
  • Set Component Services to Delegate on all Sharepoint Front End

    Go to Start -> Administrative Tools -> Component Services. Open the Computers node, right-click My Computer and select Properties. Set the Default Impersonation Level to Delegate.
  • Add Registry Key to support Kerberos in Server 2003
    Add a DWORD 32bit to HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize and set the value to 1
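Two of the steps above are easy to get subtly wrong and are worth checking by script rather than by eye: the SPN coverage for each front-end host, and the placement of root certificates. The following PowerShell is an added example written for this page, not the post's own script; the account names and host names in the `$farms` table are placeholders to replace with your farm's values. It reads the real `setspn -L` output back, reports any HTTP/<FQDN> or HTTP/<NetBIOS> SPN that is missing, and flags any self-signed (root) certificate that has ended up in the machine's Personal store, which is the SSL failure the post describes.

```powershell
# Added example, not part of the original post. Checks two of the steps above on a
# SharePoint or web-services front end. Account and host names are placeholders.
#
#  1. Every front-end host must have HTTP/<FQDN> and HTTP/<NetBIOS> registered on the
#     application-pool service account (read back from 'setspn -L').
#  2. No root CA certificate may sit in the LocalMachine\My (Personal) store; the post
#     describes SSL failures caused by the whole chain being placed there.

# Placeholder mapping of service account -> front-end hosts; adjust to your farm
$farms = @{
    'CONTOSO\sharepointsvcaccount' = @('spfe01.contoso.local', 'spfe02.contoso.local')
    'CONTOSO\svc-account'          = @('ws01.contoso.local',   'ws02.contoso.local')
}

function Get-RegisteredSpn {
    param([string]$Account)
    # 'setspn -L' prints a "Registered ServicePrincipalNames for ..." header followed by
    # one indented SPN per line; keep only the indented lines
    & setspn -L $Account 2>&1 |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() }
}

function Get-ExpectedSpn {
    param([string]$Fqdn)
    $netbios = $Fqdn.Split('.')[0]
    @("HTTP/$Fqdn", "HTTP/$netbios")
}

function Test-SpnCoverage {
    param([hashtable]$Farms)
    foreach ($account in $Farms.Keys) {
        $registered = @(Get-RegisteredSpn -Account $account)
        foreach ($fqdn in $Farms[$account]) {
            foreach ($spn in Get-ExpectedSpn -Fqdn $fqdn) {
                # New-Object rather than [pscustomobject] so this runs on PowerShell 2.0 (2008 R2)
                New-Object PSObject -Property @{
                    Account = $account
                    Host    = $fqdn
                    SPN     = $spn
                    Present = ($registered -contains $spn)   # -contains compares case-insensitively
                }
            }
        }
    }
}

function Find-RootCertInPersonalStore {
    # A self-signed certificate (Subject equals Issuer) in the Personal store is almost
    # always a misplaced root; it belongs in Cert:\LocalMachine\Root
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $_.Issuer } |
        Select-Object Subject, Thumbprint, NotAfter
}

$spnReport = Test-SpnCoverage -Farms $farms
$spnReport | Format-Table Account, Host, SPN, Present -AutoSize

$missing = @($spnReport | Where-Object { -not $_.Present })
foreach ($m in $missing) {
    # Print the exact command from the post rather than running it: registering an SPN that
    # already exists on another account silently breaks Kerberos for both, so review first.
    # (On Server 2008 and later, 'setspn -S' performs that duplicate check before adding.)
    Write-Warning "Missing: setspn -A $($m.SPN) $($m.Account)"
}

$misplaced = @(Find-RootCertInPersonalStore)
foreach ($c in $misplaced) {
    Write-Warning "Root certificate found in the Personal store, move it to Trusted Root: $($c.Subject)"
}
```

Run it on each front-end box as an account that can query AD. It deliberately only reports; a duplicate SPN is the classic reason Kerberos quietly falls back to NTLM and the double-hop symptom returns, so the add should be a reviewed step, not an automatic one.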


Wednesday, September 28, 2011

dcpromo fails with error 1326: unknown user name or password

Problem:
Received an error 1325 (Logon failure: unknown user name or bad password) while attempting a dcpromo.
Here's a screenshot of the error: 


The Solution:
I ended up just setting the local administrator password to match my domain administrator password and magically it worked! It made no sense to me! Anyone know why?


Thanks to http://tsoorad.blogspot.com/2010/01/oh-my-aching-brain-cell-or-dcpromo-u.html for the fix!

Wednesday, September 21, 2011

Event Id 34 and 50 Time-Service errors fixed on Virtual DC

Recently I deployed a 2008 R2 Domain Controller running on VMware vSphere with VMware Tools installed. I found out that VMware Tools had "Time synchronization with ESX host" enabled (and the ESX hosts did not have NTP configured properly), which threw the DC's time sync way off. As a note, it is best practice to use only one of the time synchronization methods with DCs: either all sync with the ESX host or all use w32time. From my experience, w32time seems to work better.




After discovering that "Sync with ESX host" was checked, I ended up getting lots of Event ID 34 and 50 errors in the event logs. The fix was to uncheck "Sync with ESX host" and edit the following registry keys to allow the time to be corrected by more than the normally allowed phase-correction thresholds:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
MaxAllowedPhaseOffset 0xffffffff
MaxPosPhaseCorrection 0xffffffff
MaxNegPhaseCorrection 0xffffffff

After changing those keys I ran the following script and everything was fixed. :)

NET TIME /DOMAIN:<your domain> /SET
w32tm /config /update
w32tm /config /manualpeerlist:<your PDCe DC>
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time
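The three 0xffffffff values above remove the sanity limit on how far w32time will step the clock, which is exactly what a one-off repair needs but not something to leave in place: with no bound, a bad or spoofed time source can move a DC's clock arbitrarily, and Kerberos stops working once the skew exceeds its five-minute tolerance. The PowerShell below is an added example, not the post's script. It applies the post's values, forces the resync, and then restores a bounded window (0x2a300 = 172800 seconds, the 48-hour value Microsoft recommends for domain controllers); it assumes it is run elevated on a non-PDCe DC, so `/syncfromflags:domhier` is the right source as in the post.

```powershell
# Added example, not the original post's script: perform the same one-time correction,
# but record the previous phase-correction values and put a bounded window back afterwards.
$cfgPs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$cfgReg = 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$names  = 'MaxAllowedPhaseOffset', 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection'

function Get-PhaseCorrection {
    # Returns name -> current DWORD value (0xffffffff reads back as -1 in PowerShell)
    $props  = Get-ItemProperty -Path $cfgPs
    $result = @{}
    foreach ($n in $names) { $result[$n] = $props.$n }
    $result
}

function Set-PhaseCorrection {
    param([string]$HexValue)   # e.g. '0xffffffff' (unbounded) or '0x2a300' (172800 s = 48 h)
    foreach ($n in $names) {
        # reg.exe accepts the 0x-prefixed form for REG_DWORD and, unlike Set-ItemProperty
        # -Type DWord on older PowerShell versions, has no trouble writing 0xffffffff
        & reg add $cfgReg /v $n /t REG_DWORD /d $HexValue /f | Out-Null
    }
}

function Show-PhaseCorrection {
    param([string]$Label)
    $current = Get-PhaseCorrection
    foreach ($n in $names) {
        Write-Host ("{0,-7} {1,-22} = 0x{2:x}" -f $Label, $n, $current[$n])
    }
}

Show-PhaseCorrection -Label 'Before:'

# 1. Open the window so the large one-off jump is accepted (the post's values)
Set-PhaseCorrection -HexValue '0xffffffff'
w32tm /config /update

# 2. Take the time from the domain hierarchy (PDC emulator upstream) and force a resync
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
w32tm /query /status

# 3. Close the window again so a future bad time source cannot step the clock arbitrarily
Set-PhaseCorrection -HexValue '0x2a300'
w32tm /config /update
Restart-Service w32time

Show-PhaseCorrection -Label 'After:'
```

After it finishes, `w32tm /query /source` should name a DC rather than "Local CMOS Clock" or "VM IC Time Synchronization Provider", and no new Event ID 34 or 50 entries should appear in the System log. The VMware Tools time-sync box must still be unchecked by hand, as the post says; the two mechanisms fight each other otherwise.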

Monday, September 19, 2011

Workstation trust relationship issues and iPhone login prompt issues: RESOLVED

Just recently I worked on resolving an authentication issue that took a month to solve with Microsoft Premier Support Services on a Sev-A case. The issue ended up just needing a hotfix applied to all the remaining 2003 DCs in the domain.

The symptoms were the following:
1) iPhones were randomly prompting for logon and sometimes would not allow authentication for up to 30 minutes. This was also logged on the UAG 2010 servers as Event ID 14, stating that the "trust relationship" had failed. Android phones had the same issue, but they never prompted on error, so it was quiet on the Android front.


 
2) Workstations would randomly fall off the domain and get errors like "the trust relationship between this workstation and the primary domain failed" or "no logon servers available to process this logon request". The workaround was to log on with your username with the SPN, like user@user.com, or to rejoin the machine to the domain.

Environment for the affected AD site:

Five 2003 R2 DCs, two 2008 R2 DCs, and Exchange 2010 in the site (3 CAS), with iPhones and Android phones coming in through a two-server UAG 2010 array.

Problem and Solution:

We found out that the KRBTGT object had been authoritatively restored, which increased its version number and essentially made it unreadable by the 2003 DCs. We also found that the KRBTGT object had been moved to a different OU (possibly by a disabled-users script that moves disabled accounts to the "Disabled Users" OU). Simply applying the hotfix from Microsoft to all the 2003 DCs solved the problem. Another solution would be to upgrade all the remaining 2003 DCs.


Takeaways:
Solving Kerberos authentication issues is sometimes very hard. We ended up working on many fronts to solve this problem (UAG, Exchange, AD). Some good debugging techniques are to enable Kerberos logging, enable netlogon.log logging on all the affected DCs, and start netmon traces as soon as you notice the issue occurring.

Microsoft KB with hotfix: http://support.microsoft.com/kb/939820
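The takeaways name three debugging aids but not how to switch them on, and the root cause was a KRBTGT object in an unexpected place. The PowerShell below is an added example written for this page, not anything from the post or the support case. Run elevated on the DC being investigated, it turns on Kerberos event logging and verbose netlogon.log, reports where the KRBTGT account lives together with its key version and password age (so a moved object or a restored key version is visible at a glance), and turns the logging off again when called with `-Disable`. The netlogon debug flag value and the registry value names are the standard Microsoft ones; the "disabled-users script" warning text is this example's own wording.

```powershell
# Added example, not from the original post: enable the debugging aids the takeaways
# mention and report the state of the KRBTGT object. Run as a domain admin on the DC
# under investigation; run again with -Disable once the netlogon.log and traces are collected.
param([switch]$Disable)

$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-KerberosDebugLogging {
    param([bool]$Enabled)
    # LogLevel=1 makes the Kerberos client/KDC write every failure to the System event log
    $level = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $kerbParams -Name LogLevel -Value $level -Type DWord
}

function Set-NetlogonDebugLogging {
    param([bool]$Enabled)
    # 0x2080ffff is the verbose mask Microsoft support asks for; it writes
    # %SystemRoot%\debug\netlogon.log. Takes effect without restarting Netlogon on 2003 SP1+.
    $flag = if ($Enabled) { '0x2080ffff' } else { '0x0' }
    & nltest /dbflag:$flag | Out-Null
}

function Get-KrbtgtInfo {
    # Locate the KRBTGT account with a plain ADSI search (works on 2003 and 2008 DCs);
    # by default it lives directly under CN=Users of the domain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(sAMAccountName=krbtgt)'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('msDS-KeyVersionNumber')
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    $r  = $searcher.FindOne()
    $dn = [string]$r.Properties['distinguishedname'][0]
    New-Object PSObject -Property @{
        DistinguishedName  = $dn
        KeyVersion         = $r.Properties['msds-keyversionnumber'][0]
        PasswordLastSet    = [DateTime]::FromFileTime($r.Properties['pwdlastset'][0])
        InDefaultContainer = ($dn -like 'CN=krbtgt,CN=Users,*')
    }
}

if ($Disable) {
    Set-KerberosDebugLogging -Enabled $false
    Set-NetlogonDebugLogging -Enabled $false
    Write-Host 'Kerberos and Netlogon debug logging disabled.'
    return
}

Set-KerberosDebugLogging -Enabled $true
Set-NetlogonDebugLogging -Enabled $true
Write-Host 'Kerberos and Netlogon debug logging enabled.'
# When the symptom shows up, start a Network Monitor capture on the DC as well, e.g.
#   nmcap /network * /capture /file krb.cap

$krbtgt = Get-KrbtgtInfo
$krbtgt | Format-List DistinguishedName, KeyVersion, PasswordLastSet, InDefaultContainer
if (-not $krbtgt.InDefaultContainer) {
    Write-Warning 'KRBTGT is not under CN=Users; check for a script that moves disabled accounts'
}
```

Kerberos logging at LogLevel 1 is noisy (it also logs benign errors such as KDC_ERR_PREAUTH_REQUIRED), and netlogon.log grows quickly on a busy DC, so both are meant to stay on only for the duration of the investigation.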

Domain Controller Upgrade causes Exchange outage

The other day we experienced an Exchange outage at a customer site while doing DC upgrades from 2003 to 2008 R2. The Exchange box was reporting the error below:





The fix was simply to recycle the Microsoft Exchange Active Directory Topology Service and its dependents (it was pointing at the DC we were upgrading, so when that DC went down the outage occurred). After the recycle, the service pointed at the other healthy DC in the site.
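The same recycle can be done before the DC is taken down instead of after the outage. The PowerShell below is an added example for this page, not the post's procedure; it runs in the Exchange Management Shell and assumes `dc01.contoso.local` is a placeholder for the DC about to be upgraded. It lists the Exchange servers whose topology service is currently using that DC and restarts the service, with its dependents, on each of them so they re-discover a healthy DC while both are still up.

```powershell
# Added example, not from the original post. Run from the Exchange Management Shell
# before taking a DC down for an upgrade. 'dc01.contoso.local' is a placeholder.
$dcToUpgrade = 'dc01.contoso.local'

function Get-ExchangeServersUsingDc {
    param([string]$Dc)
    # -Status fills in CurrentDomainControllers, CurrentGlobalCatalogs and
    # CurrentConfigDomainController from the live topology discovery
    Get-ExchangeServer -Status | Where-Object {
        $inUse = @($_.CurrentDomainControllers) + @($_.CurrentGlobalCatalogs) + @($_.CurrentConfigDomainController) |
                 ForEach-Object { "$_" }
        $inUse -contains $Dc
    }
}

$affected = @(Get-ExchangeServersUsingDc -Dc $dcToUpgrade)
if ($affected.Count -eq 0) {
    Write-Host "No Exchange server is currently using $dcToUpgrade"
}
foreach ($srv in $affected) {
    Write-Host "Recycling MSExchangeADTopology on $($srv.Fqdn) (currently using $dcToUpgrade)"
    # -Force also restarts the dependent Exchange services, which is what the post did by hand
    Get-Service -ComputerName $srv.Fqdn -Name MSExchangeADTopology | Restart-Service -Force
}
```

Topology discovery picks a DC on its own, so re-run the check after the restart: if a server lands on the same DC again, pin it elsewhere for the duration with `Set-ExchangeServer -StaticDomainControllers`, `-StaticGlobalCatalogs` and `-StaticConfigDomainController`, and clear those to `$null` once the upgrade is finished.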

Tuesday, August 30, 2011

Powershell Script to automate WINS install/configuration

Here's a short PowerShell script I wrote that will automate the installation of WINS server and configure a two-way replication partnership.


Import-Module Servermanager
Add-WindowsFeature WINS-Server
[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
$computer = [Microsoft.VisualBasic.Interaction]::InputBox("Enter Host of Replication Partner", "Computer", "$env:computername")
# Resolve both IPv4 addresses through DNS instead of scraping ipconfig output, and keep
# only InterNetwork (IPv4) entries so a link-local IPv6 address is never picked by mistake
$myip = ([System.Net.Dns]::GetHostAddresses($env:computername) | Where-Object { $_.AddressFamily -eq 'InterNetwork' })[0].IPAddressToString
$partner = ([System.Net.Dns]::GetHostAddresses($computer.Split('.')[0]) | Where-Object { $_.AddressFamily -eq 'InterNetwork' })[0].IPAddressToString
# type=2 registers each side as both push and pull partner, i.e. two-way replication
netsh wins server $myip add partner Server=$partner type=2
netsh wins server $partner add partner Server=$myip type=2