Alexander Anikin's blog

My personal blog

Archive for the ‘Security’ Category

Strange Office Web Apps Word Viewing Service Error after SP1 install


In Central Administration, under Services on Server, the Word Viewing Service is stopped.

When we try to start it, the ULS log shows the following (the important line is the fx74 exception):

Adding binding ‘*:32843:’ for protocol ‘http’. 8dce029c-949a-495f-9c87-fae7133d906a
08/10/2011 09:45:37.55  w3wp.exe (0x1608)                        0x11FC SharePoint Foundation          Topology                       bmu2 High     Adding secure binding ‘*:32844:’ with SSL certificate ‘FindBySubjectDistinguishedName:CN=SharePoint Services, OU=SharePoint, O=Microsoft, C=US’ in store ‘SharePoint’. 8dce029c-949a-495f-9c87-fae7133d906a
08/10/2011 09:45:37.55  w3wp.exe (0x1608)                        0x11FC SharePoint Foundation          Topology                       bmu3 High     Adding binding ‘32845:*’ for protocol ‘net.tcp’. 8dce029c-949a-495f-9c87-fae7133d906a
08/10/2011 09:45:37.55  w3wp.exe (0x1608)                        0x11FC SharePoint Foundation          Topology                       bmu3 High     Adding binding ‘*’ for protocol ‘net.pipe’. 8dce029c-949a-495f-9c87-fae7133d906a
08/10/2011 09:45:38.07  w3wp.exe (0x1608)                        0x11FC SharePoint Foundation          Topology                       fx74 High     An exception occured while committing IIS configuration changes: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520) 8dce029c-949a-495f-9c87-fae7133d906a
08/10/2011 09:45:39.10  w3wp.exe (0x1608)                        0x11FC SharePoint Foundation          Topology                       bmu3 High     Adding binding ‘*:32843:’ for protocol ‘http’. 8dce029c-949a-495f-9c87-fae7133d906a
08/10/2011 09:45:39.10  w3wp.exe (0x1608)                        0x11FC SharePoint Foundation          Topology                       bmu2 High     Adding secure binding ‘*:32844:’ with SSL certificate ‘FindBySubjectDistinguishedName:CN=SharePoint Services, OU=SharePoint, O=Microsoft, C=US’ in store ‘SharePoint’. 8dce029c-949a-495f-9c87-fae7133d906a
08/10/2011 09:45:39.10  w3wp.exe (0x1608)                        0x11FC SharePoint Foundation          Topology                       bmu3 High     Adding binding ‘32845:*’ for protocol ‘net.tcp’. 8dce029c-949a-495f-9c87-fae7133d906a
08/10/2011 09:45:39.10  w3wp.exe (0x1608)

Investigation: something is wrong with the SharePoint Services certificate, and it cannot be assigned to the service binding.

The resolution is in this article: http://blogs.msdn.com/b/besidethepoint/archive/2010/11/30/sharepoint-2010-certificates.aspx

I used SPServiceHostCertificate_Example and changed $names = "Sharepoint Services", "full.server.name" and $env:PSModulePath to the folder with the files. As far as I can see, we recreate the certificates and assign the new one to the services. The Word Viewing Service is started for me now. Phew…
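The log above is easiest to read when the whole failing operation is pulled out by its correlation ID instead of scanning hundreds of lines by eye. The PowerShell below is an added example, not code from the post: it parses ULS entries into objects, finds the entries whose message starts with "An exception occur", and prints every entry that shares the same correlation ID. It assumes the on-disk ULS format (tab-separated fields; the blog's copy of the log collapsed the tabs into spaces), and the sample entries are constructed from the lines quoted in the post. For reference, HRESULT 0x80070520 is Win32 error 1312, ERROR_NO_SUCH_LOGON_SESSION.

```powershell
# Added example (not from the original post): group ULS trace entries by correlation ID
# and show the full operation around an exception. Assumes tab-separated ULS fields.
# Sample entries constructed from the post's log (tabs restored).
$sample = @"
08/10/2011 09:45:37.55`tw3wp.exe (0x1608)`t0x11FC`tSharePoint Foundation`tTopology`tbmu3`tHigh`tAdding binding '*:32843:' for protocol 'http'.`t8dce029c-949a-495f-9c87-fae7133d906a
08/10/2011 09:45:38.07`tw3wp.exe (0x1608)`t0x11FC`tSharePoint Foundation`tTopology`tfx74`tHigh`tAn exception occured while committing IIS configuration changes: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)`t8dce029c-949a-495f-9c87-fae7133d906a
08/10/2011 09:45:39.10`tw3wp.exe (0x1608)`t0x11FC`tSharePoint Foundation`tTopology`tbmu3`tHigh`tAdding binding '*:32843:' for protocol 'http'.`t8dce029c-949a-495f-9c87-fae7133d906a
08/10/2011 09:46:01.00`tw3wp.exe (0x1608)`t0x0A10`tSharePoint Foundation`tMonitoring`tnasq`tMedium`tEntering monitored scope (Request).`t11111111-2222-3333-4444-555555555555
"@

function ConvertFrom-UlsLine {
    param([string]$Line)
    # ULS columns: Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation
    $f = $Line -split "`t"
    if ($f.Count -lt 9) { return $null }   # header, continuation or blank line
    New-Object PSObject -Property @{
        Timestamp   = $f[0].Trim()
        Process     = $f[1].Trim()
        Thread      = $f[2].Trim()
        Area        = $f[3].Trim()
        Category    = $f[4].Trim()
        EventID     = $f[5].Trim()
        Level       = $f[6].Trim()
        Message     = $f[7].Trim()
        Correlation = $f[8].Trim()
    }
}

# For a real log file use:
#   $entries = Get-Content $logPath | Select-Object -Skip 1 | ForEach-Object { ConvertFrom-UlsLine $_ } | Where-Object { $_ }
$entries = $sample -split "`r?`n" | ForEach-Object { ConvertFrom-UlsLine $_ } | Where-Object { $_ }

# Every entry that reports an exception, then the complete operation it belongs to.
$failed = $entries | Where-Object { $_.Message -match '^An exception occur' }
foreach ($id in ($failed | Select-Object -ExpandProperty Correlation -Unique)) {
    "--- correlation $id ---"
    $entries | Where-Object { $_.Correlation -eq $id } |
        Sort-Object Timestamp |
        ForEach-Object { "{0}  {1,-5} {2,-6} {3}" -f $_.Timestamp, $_.EventID, $_.Level, $_.Message }
}
```

Only the three entries sharing correlation 8dce029c-… are printed; the unrelated Monitoring entry is left out, which is the point of filtering by correlation rather than by time window.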

Written by Alex Anikin

August 10, 2011 at 4:14 pm

How To Install Root Certificate to SharePoint Server


Generate a .cer file of the root certificate and use PowerShell:

# Load the exported root CA certificate (public part only) and register it as a trusted root authority for the farm
$rootca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\rootca.cer")
New-SPTrustedRootAuthority -Name "Name Of Root CA" -Certificate $rootca
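Before trusting a root in the farm it is worth checking that the .cer really is a self-issued CA certificate, is still valid, and is not already registered. The script below is an added example, not the post's own two lines: the file path and the authority name are assumptions, everything else uses the same X509Certificate2 type and New-SPTrustedRootAuthority cmdlet as the post, plus Get-SPTrustedRootAuthority to detect duplicates.

```powershell
# Added example (not from the original post): validate a root CA .cer, then add it
# to the farm's trusted root authorities only if it is not already there.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$cerPath = "C:\rootca.cer"      # assumed path of the exported root certificate
$name    = "Contoso Root CA"    # assumed display name for Central Administration

$rootca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

# A root CA certificate is self-issued and carries the CA basic constraint; refuse
# anything else so a leaf or intermediate certificate is not trusted by mistake.
$basic = $rootca.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($rootca.Subject -ne $rootca.Issuer) { throw "Not self-issued: $($rootca.Subject) issued by $($rootca.Issuer)" }
if (-not $basic -or -not $basic.CertificateAuthority) { throw "No CA basic constraint on $($rootca.Subject)" }
if ($rootca.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($rootca.NotAfter)" }
if ($rootca.HasPrivateKey) { throw "A .cer for a root authority must not carry a private key" }

# Print the thumbprint so it can be compared with the value published by the CA owner.
"Subject    : $($rootca.Subject)"
"Thumbprint : $($rootca.Thumbprint)"
"Valid until: $($rootca.NotAfter)"

# Skip the add if this exact certificate is already trusted by the farm.
$existing = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $rootca.Thumbprint }
if ($existing) {
    "Already trusted as '$($existing.Name)'; nothing to do."
} else {
    New-SPTrustedRootAuthority -Name $name -Certificate $rootca | Out-Null
    "Added '$name' to the farm's trusted root authorities."
}
```

Run it from the SharePoint 2010 Management Shell as a farm administrator; the thumbprint line is the value to check out of band before trusting the file.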

Written by Alex Anikin

February 28, 2011 at 1:46 pm

Posted in Security, Sharepoint

How to create Certificate for Sharepoint 2010 Web Application with SSL



1. First of all, create the certificate that will be used by the web application:

    a. Go to the SharePoint web front-end server and open IIS Manager
    b. Click on the web server, then find and open Server Certificates
    c. Click on "Create Certificate Request…"
    d. Provide the "Distinguished Name Properties" (the common name is the name of the certificate in the store) and then click "Next"
    e. Select the "Cryptographic service provider" and "Bit length" and then click "Next"
    f. Specify a file name and save the certificate request
    g. Go to Active Directory Certificate Services: enter http://<domain_controller>/certsrv in the browser
    h. Click "Request a certificate", then "advanced certificate request", then "Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file"
    i. Copy the base-64-encoded request from the file created in step f
    j. Paste it into the "Saved Request" text area, select "Web Server" in the "Certificate Template" drop-down list and then click "Submit"
    k. Select the "Base 64 encoded" radio button and then click "Download certificate"
    l. Install the certificate to the "Trusted Publishers" store
    m. Go back to Server Certificates in IIS Manager and click "Complete Certificate Request…", specify the path to the certificate and the friendly name (the site host header), and click "OK"

Result: the certificate is created and added to the IIS server certificates (the name of the certificate is the site host header).

Note: repeat all the steps on every web front-end server so that each machine has its certificate.

2. Second, create the SharePoint web application:

    a. Go to Central Administration, then click Manage web applications
    b. Click "New" to create a new web application
    c. Select the "Claims based authentication" option
    d. Specify port 443
    e. Specify the host header (it must equal the certificate name)
    f. Select the "Use SSL" option
    g. Select Negotiate (Kerberos) or NTLM (I do not know the difference)
    h. Use a managed account for the application pool (for example "SPAdmin"; this is important because we will configure this account in AD etc.)
    i. Click "OK"
    j. Create a site collection
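The second half of this procedure can be done from the SharePoint 2010 Management Shell instead of the Central Administration UI, and doing it in a script lets you check the certificate from part 1 first. The block below is an added example, not from the post: it looks the certificate up in the machine store by the host header, checks that it has its private key (i.e. the request was completed on this server) and chains to a trusted root, then creates the SSL, claims-based web application and its root site collection. The host header, managed account and database name are assumptions; the cmdlets are the standard New-SPAuthenticationProvider, New-SPWebApplication and New-SPSite.

```powershell
# Added example (not from the original post): verify the certificate from part 1,
# then create the SSL claims-based web application from part 2 with PowerShell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$hostHeader = "portal.contoso.local"   # assumed; must equal the certificate's common name
$poolName   = "SharePoint - $hostHeader"
$poolAcct   = "CONTOSO\SPAdmin"         # assumed managed account (part 2, step h)
$dbName     = "WSS_Content_Portal"      # assumed content database name

# 1. Find the certificate by subject CN and check it is usable for a server binding.
$cnPattern = 'CN=' + [regex]::Escape($hostHeader) + '(,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $cnPattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$hostHeader in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; the request was not completed on this server" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }

# The issuing CA (and its root) must already be trusted on this machine.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
    throw "Certificate does not chain to a trusted root: $status"
}
"Using certificate $($cert.Thumbprint) ($($cert.Subject)), valid until $($cert.NotAfter)"

# 2. Claims-based authentication with Windows authentication (part 2, step c).
#    Add -DisableKerberos to the provider for NTLM instead of Negotiate (step g).
$provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$account  = Get-SPManagedAccount -Identity $poolAcct

$webApp = New-SPWebApplication -Name $hostHeader `
    -HostHeader $hostHeader -Port 443 -SecureSocketsLayer `
    -Url "https://$hostHeader" `
    -ApplicationPool $poolName -ApplicationPoolAccount $account `
    -AuthenticationProvider $provider `
    -DatabaseName $dbName

# 3. Root site collection (part 2, step j).
New-SPSite -Url $webApp.Url -OwnerAlias $poolAcct -Template "STS#0" -Name "Portal" | Out-Null
"Web application created at $($webApp.Url)"
```

New-SPWebApplication creates the IIS site with an https binding but does not select the certificate for that binding; choose it under Site Bindings in IIS Manager on each front end, which is why part 1 has to be repeated on every server.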

Written by Alex Anikin

December 21, 2010 at 1:44 pm

Posted in Security, Sharepoint

Sharepoint Service Account’s Permissions for Office Web Apps


I did some investigation of SharePoint account permissions and rights.

What I have: Windows Server 2008 R2 (joined to AD, with Service Packs), SharePoint Foundation 2010 (very important: with update KB2394323), Office Web Applications (very important: with update KB2346411; this update has a lot of changes for OWA, and big changes in PowerPoint).

I have a simple account configuration:

domain\ow_site: web application pool
Domain groups member of: Domain Users, plus read rights on other users' accounts if needed.
Local server: Administrators (WSS_WPG and the others are added automatically when the managed account is created)
Local policies (if needed for any reason, e.g. custom authentication with an HTTP module): Act as part of the operating system, Log on as a service

domain\ow_services: services pool (by default the SharePoint Services Default Pool: Word, PowerPoint, Excel etc.; we can of course use a separate account for the services)
Domain groups member of: Domain Users, plus read rights on other users' accounts if needed.
Local server: Administrators (WSS_WPG and the others are added automatically when the managed account is created)
Local policies (if needed for any reason, e.g. custom authentication with an HTTP module): Act as part of the operating system, Log on as a service

Comments:

1. The Excel Services account must be in the local Administrators group when it is working with File Access Method = Impersonation (more info: https://aanikin.wordpress.com/2010/11/13/excel-services-file-access-method-impersonation/).

2. After security update KB2346411 the PowerPoint service needs the web application pool account to be a member of the local Administrators group (as I think, something to do with local policies).

3. After security update KB2346411 the PowerPoint service account must have rights to write to the web application content DB:

Adding the ow_services account to the db_owner role of the web application content DB:
a. Get the database name in Central Administration -> Application Management -> Manage content databases; choose the Office Web Apps web application in the upper right corner and copy DB_NAME for this application.
b. Create a config.sql file (DB_NAME is the name copied in step a):
-- switch to the content database of the web application
use [DB_NAME]
go
-- map the existing server login to a database user
create user [DOMAIN\svc_ow_services] from login [DOMAIN\svc_ow_services]
go
-- grant that user db_owner on the content database
exec sp_addrolemember 'db_owner', 'DOMAIN\svc_ow_services'
go
c. Run this command as administrator from the folder containing config.sql:
"C:\Program Files\Microsoft SQL Server\100\Tools\Binn\"sqlcmd -S localhost\SHAREPOINT -i config.sql
d. Run iisreset /noforce

Written by Alex Anikin

December 21, 2010 at 1:41 pm

Claims To Windows Token Service(C2WTS) Problems During Restarts


Set up a service start dependency for the Claims to Windows Token Service (c2wts). This service is part of SharePoint 2010, but it has problems during restarts. To make it start properly after a server restart, run the following from the command line (don't forget to run as administrator):

sc config c2wts depend= cryptsvc

Written by Alex Anikin

December 16, 2010 at 10:07 pm

Posted in Security, Sharepoint

Claims Provider Service Application Error (500)


Hi all,

I have just created a SharePoint web application using a claims authentication provider.

It is on a clean, cloned virtual server instance with SharePoint Foundation and Office Web Apps.

I renamed it using stsadm and rebooted. All supposedly OK!

When I try to open the created site I get an error: Internal Server Error 500. 😦

Go to the logs:

w3wp.exe (0x11EC)                        0x15D0 SharePoint Foundation          Claims Authentication          8306 Critical An exception occurred when trying to issue security token: The HTTP service located at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc is too busy. . 0b1f4fdc-fe59-4d14-9603-8cbdf7c89da9

In summary, the resolution came down to a single point: from all the findings above we can see that most of the service applications are failing.

The resolution was to re-provision the Security Token Service application. The PowerShell below does it:

PS C:\Users\aanikin> $sts = Get-SPServiceApplication | ?{$_ -match "Security"}
PS C:\Users\aanikin> $sts.Status
Online
PS C:\Users\aanikin> $sts.Provision()

To re-provision all service applications use this:

PS C:\Users\aanikin> foreach($sts in Get-SPServiceApplication){$sts.Provision();}

As I think, we must do this for a renamed server instance as well!
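Since the log shows the STS endpoint itself refusing requests while its Status still reads Online, it helps to probe the endpoint before and after re-provisioning rather than trusting the status field. The script below is an added example, not from the post: it lists every service application's status, does an HTTP GET against the securitytoken.svc URL quoted in the log line, re-provisions the STS the same way the post does, and probes again. Matching the STS on TypeName containing "Security Token" is an assumption about the object's type name.

```powershell
# Added example (not from the original post): verify the Security Token Service
# endpoint around the Provision() call instead of assuming the fix worked.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Endpoint taken from the post's log line.
$stsUrl = "http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc"

function Test-StsEndpoint {
    param([string]$Url)
    # A WCF .svc answers a plain GET with its help page, so 200 means the service host
    # is up. Any other status code is returned as-is; -1 means no HTTP answer at all.
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.UseDefaultCredentials = $true
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap the method invocation wrapper
        if ($ex -is [System.Net.WebException] -and $ex.Response) { return [int]$ex.Response.StatusCode }
        return -1
    }
}

# Status of every service application first; the post notes most of them were failing.
Get-SPServiceApplication | Sort-Object TypeName |
    ForEach-Object { "{0,-12} {1}" -f $_.Status, $_.Name }

"STS endpoint before: HTTP $(Test-StsEndpoint $stsUrl)"

# Assumed: the STS application's TypeName contains "Security Token".
$sts = Get-SPServiceApplication | Where-Object { $_.TypeName -match "Security Token" }
if (-not $sts) { throw "Security Token Service application not found" }
$sts.Provision()

"STS endpoint after : HTTP $(Test-StsEndpoint $stsUrl)"
```

If the "after" probe still does not return 200, the re-provision did not help and the next place to look is the service applications that were not Online in the first listing.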

Written by Alex Anikin

November 13, 2010 at 2:50 pm

Posted in Security, Sharepoint

Excel Services – File Access Method: Impersonation


When attempting to open an Excel workbook stored on a file server (not joined to the farm) and render it in Excel Services with the file access method set to Impersonation, the message below is thrown because the user's credentials are not being passed to the file server.

“Excel You do not have permissions to open this file in the browser”

Cause:
Kerberos was not properly set up to pass credentials from the farm to the file server.

Resolution:

If you want to use impersonation (Central Administration > Manage Service Applications > Excel Services Application > Global Settings > Security: File Access Method > Impersonation, instead of Process Account) and be able to open Excel files stored on a file server in Excel Services, you must:

1. Make sure the Claims to Windows Token Service is running on every server running Excel Calculation Services. In this example it is only running on one server (Server001).
2. Locate the service account running the Excel Services Application: Central Administration > Security > Configure Service Accounts > Credential Management (example account running the Excel Services Application: Microsoft\ExcelSvcAccnt).
3. Set a dummy SPN for this service account via ADSIEdit.msc > ExcelSvcAccnt (example) > Properties > Service Principal Name > HTTP/C2WTS > Add > OK
4. Trust the file server (the server where the files are stored; example "Server002") for Kerberos via: Active Directory > Computers > Server002 (example) > Properties > Delegation > Trust this computer for delegation to any service (Kerberos only).
5. Constrain the service account running the Excel Services Application to the file server (Server002) via: Active Directory > Users > Microsoft\ExcelSvcAccnt (example) > Properties > Delegation > Trust this user for delegation to specified services only > Use any authentication protocol > Add > SP002 (File Server) > Select All > OK
6. Constrain the machine running the "Claims to Windows Token Service" and "Excel Services Application" (Server001) to the file server (Server002) via: Active Directory > Computers > SP001 (example) > Properties > Delegation > Trust this computer for delegation to specified services only > Use any authentication protocol > Add > SP002 (File Server) > Select All > OK

Authentication should now be properly set up.
Authorization on the file server must still be granted via NTFS permissions.

Update:

What we need to do in AD:
1. Trust the file servers (ex. tx2fs008): trust delegation for all services (Kerberos only). For all file servers set the AD attribute userAccountControl (add the TRUSTED_FOR_DELEGATION flag).
2. Constrain the Excel Services account (ex. svc_ow_services): in the attribute msDS-AllowedToDelegateTo add the services of the file server.
3. Constrain the OW server computer account (ex. tx2ow002$): in the attribute msDS-AllowedToDelegateTo add the services of the file server.

PS: I'm not sure, but we could set trust delegation for all services (Kerberos only) for 2 and 3 too and not constrain it to the file servers only. It's much simpler.
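The three AD changes in the update are easy to get subtly wrong in ADSIEdit, so it is worth reading them back. The script below is an added example, not from the post: it uses the plain ADSI searcher (no AD PowerShell module needed) to report, for each account, whether it is trusted for delegation to any service (the TRUSTED_FOR_DELEGATION bit in userAccountControl, step 1), whether "Use any authentication protocol" is set (the TRUSTED_TO_AUTH_FOR_DELEGATION bit), what its msDS-AllowedToDelegateTo entries are (steps 2 and 3), and whether the dummy HTTP/C2WTS SPN from the resolution is present on the service account. The account names are the examples from the post and are assumptions; the flag values are the documented ADS_UF_* constants.

```powershell
# Added example (not from the original post): read back the delegation settings
# described in the update for the file server, the Excel Services account and
# the OWA server's computer account. Names assumed from the post's examples.
$ADS_UF_TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust ... for delegation to any service (Kerberos only)"
$ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

function Get-DelegationInfo {
    param([string]$SamAccountName)   # computer accounts use the "host$" form
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.Add("userAccountControl")
    [void]$searcher.PropertiesToLoad.Add("msDS-AllowedToDelegateTo")
    [void]$searcher.PropertiesToLoad.Add("servicePrincipalName")
    $r = $searcher.FindOne()
    if (-not $r) { throw "Account $SamAccountName not found" }
    $uac = [int]$r.Properties["useraccountcontrol"][0]
    New-Object PSObject -Property @{
        Account       = $SamAccountName
        Unconstrained = [bool]($uac -band $ADS_UF_TRUSTED_FOR_DELEGATION)
        AnyProtocol   = [bool]($uac -band $ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedTo     = @($r.Properties["msds-allowedtodelegateto"])
        SPNs          = @($r.Properties["serviceprincipalname"])
    }
}

$fileServer   = "tx2fs008"                 # assumed file server (update, step 1)
$excelAccount = "svc_ow_services"          # assumed Excel Services account (step 2)
$owServer     = "tx2ow002"                 # assumed OWA server (step 3)

foreach ($acct in @(($fileServer + '$'), $excelAccount, ($owServer + '$'))) {
    $d = Get-DelegationInfo $acct
    ""
    "== $($d.Account)"
    "  trusted for delegation to any service : $($d.Unconstrained)"
    "  use any authentication protocol       : $($d.AnyProtocol)"
    "  msDS-AllowedToDelegateTo              : $(if ($d.AllowedTo) { $d.AllowedTo -join ', ' } else { '<none>' })"
    "  servicePrincipalName                  : $(if ($d.SPNs) { $d.SPNs -join ', ' } else { '<none>' })"

    if ($acct -eq ($fileServer + '$')) {
        # Step 1: the file server itself is trusted for any service.
        if (-not $d.Unconstrained) { Write-Warning "$acct is not trusted for delegation (step 1)" }
    } else {
        # Steps 2 and 3: constrained entries must name the file server's services.
        if (-not $d.Unconstrained -and -not ($d.AllowedTo -match "/$fileServer")) {
            Write-Warning "$acct has no msDS-AllowedToDelegateTo entry for $fileServer"
        }
    }
    # The resolution's dummy SPN on the Excel Services account.
    if ($acct -eq $excelAccount -and -not ($d.SPNs -contains 'HTTP/C2WTS')) {
        Write-Warning "$acct is missing the HTTP/C2WTS SPN"
    }
}
```

Run it as a domain user from any domain-joined machine; the output makes the difference between the unconstrained setting in step 1 and the constrained lists in steps 2 and 3 explicit, which is what the PS at the end of the update is weighing up.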

Written by Alex Anikin

November 13, 2010 at 10:33 am