Alexander Anikin's blog

My personal blog

Archive for November 2010

SharePoint 2010 Hotfixes


Hi all,

I had some strange issues in SP 2010 last week.

It's a User Profile Service bug, I mean.

We create a web application from code and get an error: access is denied to the User Profile DB:

Cannot open database "User Profile Service Application_ProfileDB_9b8c607a8c764c9d967345850995d10a" requested by the login. The login failed.  Login failed for user 'DOMAIN\USER'

Googling and investigating didn't give me any results.

I decided to get and install the latest hotfixes:

And it’s working fine!

Page about hotfix issues (read it first):

http://blogs.msdn.com/b/sharepoint/archive/2010/11/06/details-and-workaround.aspx

Written by Alex Anikin

November 29, 2010 at 2:28 pm

Posted in Hotfixes, Sharepoint

Claims Provider Service Application Error (500)


Hi all,

I have just created a SharePoint web application using a claims authentication provider.

It's on a clean cloned virtual server instance with SharePoint Foundation and Office Web Apps.

I renamed it using stsadm and rebooted. All supposedly OK!

When I try to open the created site, I get an error: Internal Server Error 500. 😦

Go to the logs:

w3wp.exe (0x11EC)                        0x15D0 SharePoint Foundation          Claims Authentication          8306 Critical An exception occurred when trying to issue security token: The HTTP service located at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc is too busy. . 0b1f4fdc-fe59-4d14-9603-8cbdf7c89da9

In summary, the resolution came down to a single point: from all the findings above we can see that most of the service applications are failing.

The resolution was to re-provision the Security Token Service application. The PowerShell script below does it:

PS C:\Users\aanikin> $sts = Get-SPServiceApplication | ?{$_ -match "Security"}
PS C:\Users\aanikin> $sts.Status
Online
PS C:\Users\aanikin> $sts.Provision()

To re-provision all service applications, use this:

PS C:\Users\aanikin> foreach($sts in Get-SPServiceApplication){$sts.Provision();}

I think we must do this for a renamed server instance as well!

Written by Alex Anikin

November 13, 2010 at 2:50 pm

Posted in Security, Sharepoint

Excel Services – File Access Method: Impersonation


When attempting to open an Excel workbook stored on a file server (not joined to the farm) and render it in Excel Services (with the file access method set to Impersonation), the message below is thrown because the user's credentials are not being passed to the file server.

"Excel You do not have permissions to open this file in the browser"

Cause:
Kerberos was not properly set up to pass credentials from the farm to the file server.
 

Resolution:

If you want to use impersonation (Central Administration > Manage Service Applications > Excel Services Application > Global Settings > Security: File Access Method > Impersonation, instead of Process Account) and be able to open Excel files stored on a file server in Excel Services, you must:

1. Make sure the Claims to Windows Token Service is running on every server running Excel Calculation Services. In this example it is only running on one server (Server001).
2. Locate the service account running the Excel Services Application: Central Administration > Security > Configure Service Accounts > Credential Management (example of the account running the Excel Services Application: Microsoft\ExcelSvcAccnt).
3. Set a dummy SPN for this service account via ADSIEdit.msc > ExcelSvcAccnt (example) > Properties > Service Principal Name > HTTP/C2WTS > Add > OK.

4. Trust the file server (the server where the files are stored; example "Server002") for Kerberos via:
Active Directory > Computers > Server002 (example) > Properties > Delegation > Trust this computer for delegation to any service (Kerberos only).

5. Constrain the service account running the Excel Services Application to the file server (Server002) via:
Active Directory > Users > Microsoft\ExcelSvcAccnt (example) > Properties > Delegation > Trust this user for delegation to specified services only > Use any authentication protocol > Add > SP002 (File Server) > Select All > OK

6. Constrain the machine running the "Claims to Windows Token Service" and the "Excel Services Application" (Server001) to the file server (Server002) via:
Active Directory > Computers > SP001 (example) > Properties > Delegation > Trust this computer for delegation to specified services only > Use any authentication protocol > Add > SP002 (File Server) > Select All > OK

Authentication should now be properly set up.
Authorization to the file server must still be granted via NTFS permissions.

Update:

What we need to do in AD:
1. Trust the file servers (e.g. tx2fs008): trust for delegation to any service (Kerberos only).
For all file servers set the AD attribute userAccountControl (add the TRUSTED_FOR_DELEGATION flag).
2. Constrain the Excel Services account (e.g. svc_ow_services):
attribute msDS-AllowedToDelegateTo: add the services of the file server.

3. Constrain the OW server account (e.g. tx2ow002$):
attribute msDS-AllowedToDelegateTo: add the services of the file server.

PS: I'm not sure, but we can use "Trust for delegation to any service (Kerberos only)" for 2 and 3 and not constrain it to the file servers only. It's much simpler.
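The three AD changes from the update above, carried out with System.DirectoryServices instead of the ADSI Edit and Active Directory Users and Computers dialogs. This is an added example, not code from the original post. The distinguished names, host names and the cifs/ service names are placeholders to replace; the userAccountControl bit values are the ADS_USER_FLAG_ENUM constants (TRUSTED_FOR_DELEGATION = 0x80000, TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000). Steps 2 and 3 use the constrained form (msDS-AllowedToDelegateTo plus "Use any authentication protocol", which is the protocol-transition bit C2WTS needs because the user never authenticated to the farm with Kerberos) rather than the "any service" shortcut in the postscript, because the constrained form limits what those accounts can impersonate the user to: only the file server's cifs service. The DescribeDelegation helper reads the settings back so the result can be verified.

```csharp
// Added example (not from the original post): the AD delegation changes from the
// update above, done with System.DirectoryServices instead of the AD dialogs.
// DNs, host names and the cifs/ service names below are placeholders.
using System;
using System.Collections.Generic;
using System.DirectoryServices;

public static class KerberosDelegationSetup
{
    // userAccountControl bits (ADS_USER_FLAG_ENUM).
    public const int TRUSTED_FOR_DELEGATION = 0x80000;          // "Trust ... for delegation to any service (Kerberos only)"
    public const int TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000; // "Use any authentication protocol" (protocol transition)

    // Placeholder DNs; replace with the real objects from your domain.
    const string FileServerDn   = "LDAP://CN=SERVER002,OU=Servers,DC=example,DC=local";              // step 1
    const string ExcelSvcAcctDn = "LDAP://CN=ExcelSvcAccnt,OU=Service Accounts,DC=example,DC=local"; // step 2
    const string OwaServerDn    = "LDAP://CN=SERVER001,OU=Servers,DC=example,DC=local";              // step 3

    // Services on the file server the accounts may delegate to (SMB = cifs); list both name forms.
    static readonly string[] FileServerServices = { "cifs/server002", "cifs/server002.example.local" };

    // OR the given bits into userAccountControl; returns the new value.
    public static int SetUacFlags(DirectoryEntry entry, int flags)
    {
        int uac = (int)entry.Properties["userAccountControl"].Value | flags;
        entry.Properties["userAccountControl"].Value = uac;
        entry.CommitChanges();
        return uac;
    }

    // Register an SPN once (the dummy HTTP/C2WTS SPN makes the Delegation tab appear for a user account).
    public static void AddSpn(DirectoryEntry entry, string spn)
    {
        PropertyValueCollection spns = entry.Properties["servicePrincipalName"];
        if (!spns.Contains(spn))
        {
            spns.Add(spn);
            entry.CommitChanges();
        }
    }

    // Constrained delegation: only the listed services, with protocol transition enabled so C2WTS
    // can obtain a ticket for the user (S4U2Self) although the user never authenticated with Kerberos.
    public static void ConstrainTo(DirectoryEntry entry, IEnumerable<string> services)
    {
        PropertyValueCollection allowed = entry.Properties["msDS-AllowedToDelegateTo"];
        foreach (string service in services)
        {
            if (!allowed.Contains(service)) allowed.Add(service);
        }
        entry.CommitChanges();
        SetUacFlags(entry, TRUSTED_TO_AUTH_FOR_DELEGATION);
    }

    // Read the state back so the change can be verified (and audited) after it is applied.
    public static string DescribeDelegation(DirectoryEntry entry)
    {
        int uac = (int)entry.Properties["userAccountControl"].Value;
        var targets = new List<string>();
        foreach (object o in entry.Properties["msDS-AllowedToDelegateTo"]) targets.Add(o.ToString());
        return string.Format("{0}: unconstrained={1} protocolTransition={2} allowedTo=[{3}]",
            entry.Name,
            (uac & TRUSTED_FOR_DELEGATION) != 0,
            (uac & TRUSTED_TO_AUTH_FOR_DELEGATION) != 0,
            string.Join(", ", targets.ToArray()));
    }

    public static void Main()
    {
        using (var fileServer = new DirectoryEntry(FileServerDn))
        {
            SetUacFlags(fileServer, TRUSTED_FOR_DELEGATION);   // 1. file server, Kerberos only
            Console.WriteLine(DescribeDelegation(fileServer));
        }
        using (var svcAccount = new DirectoryEntry(ExcelSvcAcctDn))
        {
            AddSpn(svcAccount, "HTTP/C2WTS");                  // dummy SPN from step 3 of the walkthrough
            ConstrainTo(svcAccount, FileServerServices);       // 2. Excel Services account
            Console.WriteLine(DescribeDelegation(svcAccount));
        }
        using (var owaServer = new DirectoryEntry(OwaServerDn))
        {
            ConstrainTo(owaServer, FileServerServices);        // 3. host running C2WTS / Excel Services
            Console.WriteLine(DescribeDelegation(owaServer));
        }
    }
}
```

Run it under an account that may write those AD objects (Domain Admins or a delegated OU admin). The Windows "Delegation" tab clears TRUSTED_FOR_DELEGATION when you pick "specified services only", so the two constrained accounts end up with only the protocol-transition bit and the msDS-AllowedToDelegateTo list, which is what DescribeDelegation should print for them.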

Written by Alex Anikin

November 13, 2010 at 10:33 am

Impersonation


To change the current user you can use the following types of impersonation: Windows (login name and password required) and Claims (UPN required).

1. Windows Impersonation

        using System;
        using System.Runtime.InteropServices;

        public static class NativeMethods
        {
            // Logon types (dwLogonType argument of LogonUser).
            public const int LOGON32_LOGON_INTERACTIVE = 2;
            public const int LOGON32_LOGON_NETWORK = 3;
            public const int LOGON32_LOGON_BATCH = 4;
            public const int LOGON32_LOGON_SERVICE = 5;
            public const int LOGON32_LOGON_UNLOCK = 7;
            public const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
            public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
            // Logon provider (dwLogonProvider argument).
            public const int LOGON32_PROVIDER_DEFAULT = 0;

            // Use the unmanaged LogonUser function to get the user token for
            // the specified user, domain, and password.
            [DllImport("advapi32.dll", SetLastError = true)]
            public static extern bool LogonUser(
                string lpszUsername,
                string lpszDomain,
                string lpszPassword,
                int dwLogonType,
                int dwLogonProvider,
                out IntPtr phToken
                );
        }

Then get a WindowsIdentity from phToken and call WindowsIdentity.Impersonate().

Note 1: you can use whichever logon type you want.

Note 2: the assembly or executable !must! have this attribute:

[assembly: IsolatedStorageFilePermission(SecurityAction.RequestMinimum, UsageAllowed = IsolatedStorageContainment.AssemblyIsolationByUser)]
or
[assembly: PermissionSet(SecurityAction.RequestMinimum, Name="FullTrust")]
 
 2. Claims Impersonation (using the C2WTS service)

Using Windows Identity Foundation and the C2WTS service.

Get the identity: WindowsIdentity wi = S4UClient.UpnLogon(userPrincipalName);

userPrincipalName looks like user@domain.com

Don't forget to change the <allowedCallers> section in C2WTS.exe.config (C:\Program Files\Windows Identity Foundation\v3.5).

Then impersonate.

Note: this type of impersonation gives a LOGON32_LOGON_NETWORK token only, so you can have issues with network resource access.
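Both impersonation paths described above in one piece, as an added example that is not the post's own code: the LogonUser route with explicit credentials and the C2WTS route with only a UPN, each scoped so the impersonation context is reverted and the token handle released even if the action throws. It assumes WIF 3.5's Microsoft.IdentityModel.dll is referenced (namespace Microsoft.IdentityModel.WindowsTokenService, class S4UClient) and that the calling process is listed in the C2WTS <allowedCallers> section; domain, user, UPN and the UNC path are placeholders passed on the command line. The CanListShare probe demonstrates the note above: a LOGON32_LOGON_NETWORK token from LogonUser, or the token C2WTS returns, carries no credentials to forward, so a second hop to a file share is denied unless Kerberos delegation is configured for the host, whereas an INTERACTIVE logon with the same credentials succeeds.

```csharp
// Added example (not from the original post): both impersonation paths with proper cleanup.
// Assumes WIF 3.5 (Microsoft.IdentityModel.dll) is referenced for S4UClient; names are placeholders.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.IdentityModel.WindowsTokenService; // S4UClient (C2WTS client)

public static class Impersonation
{
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_LOGON_NETWORK = 3;
    public const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // 1. Windows impersonation: explicit credentials -> logon token -> WindowsIdentity.Impersonate().
    public static T RunAs<T>(string user, string domain, string password, int logonType, Func<T> action)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error()); // e.g. 1326 = bad user name or password
        try
        {
            WindowsIdentity identity = new WindowsIdentity(token);
            using (WindowsImpersonationContext context = identity.Impersonate())
            {
                return action(); // runs as the logged-on user; Dispose() reverts to the original identity
            }
        }
        finally
        {
            CloseHandle(token); // WindowsIdentity duplicates the handle, so release ours
        }
    }

    // 2. Claims impersonation through C2WTS: only the UPN, no password. The returned token is a
    // network-logon token with no credentials to forward, hence the note above about network resources.
    public static T RunAsUpn<T>(string userPrincipalName, Func<T> action)
    {
        WindowsIdentity identity = S4UClient.UpnLogon(userPrincipalName);
        using (WindowsImpersonationContext context = identity.Impersonate())
        {
            return action();
        }
    }

    // Second-hop probe: true if the impersonated user can list a share. Denied under a NETWORK or
    // C2WTS token unless Kerberos delegation is configured for this host (see the Excel Services post).
    public static bool CanListShare(string uncPath)
    {
        try
        {
            Directory.GetFiles(uncPath);
            return true;
        }
        catch (UnauthorizedAccessException) { return false; }
        catch (IOException) { return false; }
    }

    public static void Main(string[] args)
    {
        // Placeholders: args = domain user password upn \\server\share (never hard-code the password).
        string domain = args[0], user = args[1], password = args[2], upn = args[3], share = args[4];

        Console.WriteLine("interactive token, second hop: " +
            RunAs(user, domain, password, LOGON32_LOGON_INTERACTIVE, () => CanListShare(share)));
        Console.WriteLine("network token, second hop:     " +
            RunAs(user, domain, password, LOGON32_LOGON_NETWORK, () => CanListShare(share)));
        Console.WriteLine("C2WTS token, second hop:       " +
            RunAsUpn(upn, () => CanListShare(share)));
    }
}
```

Expect the first line to print True and the other two False on a host without delegation; once the constrained delegation from the Excel Services post is in place for the host and the share's cifs service, the C2WTS line turns True as well. Failures from LogonUser surface as a Win32Exception with the Win32 error code, which is more useful in a log than a bare false.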

 

Logon type differences:

LOGON32_LOGON_INTERACTIVE
This logon type is intended for users who will be interactively using the computer, such as a user being logged on by a terminal server, remote shell, or similar process. This logon type has the additional expense of caching logon information for disconnected operations; therefore, it is inappropriate for some client/server applications, such as a mail server.
LOGON32_LOGON_NETWORK
This logon type is intended for high performance servers to authenticate plaintext passwords. The LogonUser function does not cache credentials for this logon type.

 

Written by Alex Anikin

November 2, 2010 at 9:32 am

Posted in Security