Friday, July 10, 2015

Newsfeed acting up

When mounting a production mysite in a dev environment I ran into some exciting problems with the newsfeed page.

Symptoms:
Posting new items worked fine, with no errors, but when trying to comment on other users' threads the following errors were dropped in our laps.

Using the excellent Microsoft error translator I got this:
Swedish: Detta kunde inte posta eftersom vi har lite problem för tillfället.
English: This couldn't be posted because we're having some issues at the moment.
At the same time, event 8306 shows up in the event log on the server.
After some digging in the ULS logs I found this:
STS Call Claims Saml: Problem getting output claims identity. Exception: 'System.InvalidOperationException: GetUserProfileByPropertyValue: Multiple User Profiles
OK, so maybe a profile problem. I checked my profile DB and found there are two profiles for my account, since I'm using both claims and Windows in my test environment. I removed the one not in use and tried to reply to a post again.
I'm rewarded with a new error.
So now we're getting somewhere!
Translating stupid Swedish server…
Swedish: Det gick inte att kontrollera rekursionen.
English: Recursion check failed.

Found an excellent post which solved my problems.
So I threw away the FeedIdentifier for my troubled users and re-accessed mysite as said user, and now it works!

Solution:
Update FeedIdentifier for problem users by deleting the value for Feed Service Provider Defined Identifier, then log in on the user's mysite to recreate it.
It's also possible to recreate the string using the new mysite's site ID. The code is in the post referenced below.

Conclusion:
Mysites are not to be thrown around lightly, especially between farms, even if they are in the same domain. All sites have unique site IDs. Had we also restored the User Profile Service we probably wouldn't have had this issue, but that is a whole lot of extra work. Therefore I now empty these Feed Identifiers with scripts for selected users when attaching mysites from production, to make everything shine.
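
The cleanup described in the conclusion, as an added example (not the author's script and not the code from the referenced forum post). It assumes the internal name of the "Feed service provider defined identifier" property is SPS-FeedIdentifier; the mysite host URL and the feedusers.csv file with an "account" column are hypothetical.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumptions (not from the original post): URL, CSV name and column, property name
$mySiteHostUrl = "http://mysite.dev.example"      # hypothetical dev mysite host
$myfilename    = "feedusers.csv"                   # hypothetical, one column: account
$propertyName  = "SPS-FeedIdentifier"              # assumed internal property name
$importfile    = "$(Split-Path -Parent $MyInvocation.MyCommand.Definition)\$myfilename"

$site = Get-SPSite $mySiteHostUrl
try {
    $context = Get-SPServiceContext $site
    $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

    Import-Csv $importfile -Delimiter "," | ForEach-Object {
        $account = $_.account
        try {
            if (-not $upm.UserExists($account)) {
                Write-Warning "$account : no profile found, skipped"
                return
            }
            $userProfile = $upm.GetUserProfile($account)
            $old = $userProfile[$propertyName].Value
            if ([string]::IsNullOrEmpty($old)) {
                Write-Host "$account : identifier already empty"
                return
            }
            # Empty the value; it is recreated when the user next opens their mysite
            $userProfile[$propertyName].Clear()
            $userProfile.Commit()
            Write-Host -ForegroundColor Green "$account : cleared (was $old)"
        }
        catch {
            # Duplicate profiles (as in the ULS error above) or missing rights end up here
            Write-Warning "$account : $($_.Exception.Message)"
        }
    }
}
finally {
    $site.Dispose()
}
```

The account running this needs rights on the User Profile Service Application, and only users listed in the CSV are touched.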

References:
https://social.technet.microsoft.com/forums/sharepoint/en-US/26031f27-491b-4fb9-8b81-88ca5e9ce474/like-button-doesnt-always-work – solution and extra code for fix
https://www.microsoft.com/Language/en-US/Emt.aspx – localized error messages

Tuesday, July 07, 2015

IIS headers and powershell

Scenario: I have an old IIS site on one server and need to get all host headers for that site onto a new IIS site on another server. I couldn't find any easy way to do it via the GUI, but scripting was pretty easy using the built-in IIS cmdlets.
So export all headers to a text file, edit it if you need to, and then import it on the new server.

---------------ExportHeadersFromSite.ps1---------------------
Import-Module WebAdministration
$iisSite = "mysite"
$path = "C:\Scripts\IIS-HostHeaders\hostheaders_mysite.csv"
# bindingInformation has the form IP:port:hostheader
$mybindings = Get-WebBinding -Name $iisSite | Select-Object protocol,bindingInformation
foreach ($binding in $mybindings)
{
    Write-Output "Exporting protocol $($binding.protocol) with binding $($binding.bindingInformation)"
}
$mybindings | Export-Csv -Path $path -NoTypeInformation

--------------------eof-------------------------------------------------------

--------------AddBindingsFromFile.ps1------------------------
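Import-Module WebAdministration
$myfilename = "hostheaders.csv"
$site = "myNewSite"
$importfile = "$(Split-Path -Parent $MyInvocation.MyCommand.Definition)\$myfilename"

Import-Csv $importfile -Delimiter "," | ForEach-Object {
    try {
        # bindingInformation is IP:port:hostheader; the IP is left at the
        # default (*) because the new server has its own addresses
        $parts = $_.bindinginformation.Split(':')
        $hostheader = $parts[-1]
        $port = $parts[-2]
        # Without -Port an https binding would be created on port 80;
        # -ErrorAction Stop makes a failed binding reach the catch block
        New-WebBinding -Name $site -Protocol $_.protocol -Port $port -HostHeader $hostheader -ErrorAction Stop
        Write-Host -ForegroundColor Green "Added $hostheader to $site with protocol $($_.protocol) on port $port"
    }
    catch { Write-Host -ForegroundColor Yellow "Couldn't do it. Already there? $($_.Exception.Message)" }
}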
----------------------------------eof-----------------------------------------

User Profile Service –what I learned so far

Sharepoint huh? It’s never easy.

I've been looking hard at User Profile Service lately for a variety of reasons, and this is what I've learned. Use caution and test locally before using these; there's always the risk of wiping the mysite DB. But if the site hasn't been heavily used, what's there to lose?

So how does it all come together? These are our key players:
Component: Description
- Sharepoint Profile Synchronization: Uses Forefront Identity Manager for syncing AD. The old solution; the SyncDB often messes things up. Though it's the only solution if you need to write changes to AD, like profile pictures.
- Sharepoint Active Directory Import: Uses Dirsync to import AD. Fast but can only read.
- User Profile Service Application: Handles all our specifics. This service can be recreated and still keep its information, as long as the databases are not deleted.
- User Profile Service Synchronization Service: This server service must be running to make changes in the UPSA. When it runs, it creates local certificates that muddy the local certificate store. If the service is stubborn, the local certificates may be removed; they will be recreated.
- Microsoft Forefront Synchronization Manager: C:\Program Files\Microsoft Office Servers\15.0\Synchronization Service\UIShell\miisclient.exe – This software is useful for determining what goes wrong with the AD connection. It's only accessible after you actually have the UPSA running. You can use Metaverse Search to verify that the AD changes are coming through the connection.
- Timerjob User Profile Service Application ProfSync: Also known as User Profile to Sharepoint Full Synchronization Job – This handles the sync from the ProfileDB to the site collections' User Information List. Runs every hour by default.
- Timerjob User Profile Service Application_Sweepsync: This handles the sync from the ProfileDB to the site collections' User Information List incrementally. Runs every five minutes by default.
- Timerjob My Site Cleanup Job: This handles deletion of profiles marked for deletion, usually when profiles are removed from User Profile Service. It also removes obsolete users. Mysites that are assigned to a deleted user are assigned to their manager and a notification is sent.

Problem/symptom: User Profile Synchronization Service stuck on starting. Without it, no AD connection can be created.
Common Solutions:
- Verify the service is running with the spfarm account
- Verify spfarm is local administrator on the AppServer
- Stop the service and try to start it again.
$ups = get-spserviceinstance |where-object {$_.typename -like "User Profile Synchronization Service" -and $_.server -like "*$env:computername*"}
$ups |select id,typename,status,server
Stop-SPServiceInstance -Identity $ups.Id -Confirm:$false

- Remove all ForefrontIdentityManager certificates from local certificate store and services Forefront Identity Manager Service and Synchronization Service.
These will be recreated each time the service restarts.
- Empty the farm cache.
  - Stop the Timer Service on the local server
  - Delete all files except cache.ini in C:\ProgramData\Microsoft\SharePoint\Config\{guid} (the folder containing cache.ini)
  - Change the content of cache.ini to the value 1
  - Start the Timer Service
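
The farm cache steps above as one script (an added example, not from the original post). SPTimerV4 is the service name of the SharePoint Timer Service; the backup folder is a hypothetical path, and taking a copy before deleting is an extra step the list above does not include.

```powershell
# Run in an elevated PowerShell session on the server whose cache is being reset
$configRoot = "C:\ProgramData\Microsoft\SharePoint\Config"
$backupRoot = "C:\Temp\ConfigCacheBackup"     # hypothetical backup location

# The cache folder is the GUID-named folder that contains cache.ini
$cacheDir = @(Get-ChildItem $configRoot |
    Where-Object { $_.PSIsContainer -and (Test-Path (Join-Path $_.FullName "cache.ini")) })
if ($cacheDir.Count -ne 1) {
    throw "Expected exactly one folder with cache.ini under $configRoot, found $($cacheDir.Count)"
}
$cachePath = $cacheDir[0].FullName

Stop-Service -Name SPTimerV4 -ErrorAction Stop
try {
    # Keep a copy of the current cache so the step can be undone
    $backup = Join-Path $backupRoot (Get-Date -Format "yyyyMMdd-HHmmss")
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    Copy-Item -Path (Join-Path $cachePath "*") -Destination $backup

    # Delete every file except cache.ini
    Get-ChildItem $cachePath |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne "cache.ini" } |
        Remove-Item -Force

    # Reset the counter so the cache is rebuilt from the configuration database
    Set-Content -Path (Join-Path $cachePath "cache.ini") -Value "1"
}
finally {
    # Always bring the timer service back, even if a step above failed
    Start-Service -Name SPTimerV4
}
```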

Problem/symptom: Something is off with the running sync. For example, changes in AD are not replicating when they have done so before.
Common Solution: Recreate User Profile Service Application
- Gather all information you need to recreate the service:
  - Database names
  - Permissions for User Profile Service (Centadmin>Manage User Profiles>People>Manage User Permissions)
  - Administrators on User Profile Service Application (UPSA), Permissions on UPSA
  - Special permission levels, Site Naming format, Security Trimming Options on My Site Settings in UPSA
  - Active Directory Synchronization Connections (OU, accounts for connecting), Synchronization settings
When recreating the UPSA with old databases, the SyncDB has to be removed manually, or a new name used. The SyncDB is the staging area between ProfileDB and FIM-AD-Sync; basically it is what miis looks into to see how it all went. SocialDB contains all likes and social functions.
Symptoms: Can't access the User Profile Service Application. Correlation ID shows: This User Profile Application's connection is currently not available. The Application Pool or User Profile Service may not have been started.
Common Solution:
- Restart or start User Profile Service and User Profile Synchronization Service. Order: stop UPS, then UPSS, start UPS then UPSS.
- Recreate the proxy for the Service Application and make sure the proxy is connected to the Default Proxy group or whatever group is used.
$proxy = get-spserviceapplicationproxy | Where-Object {$_.typename -eq "User Profile Service Application Proxy"}
$newproxyname = $proxy.name
write-host "Removing proxy..."
Remove-SPServiceApplicationProxy -Identity $proxy -Confirm:$false
$upa = get-spserviceapplication |Where-Object {$_.typename -eq "User Profile Service Application"}
write-host "Adding proxy..."
$newproxy = New-SPProfileServiceApplicationProxy -name "User Profile Service Application" -Uri $upa.uri.AbsoluteUri
$defaultproxygroup = Get-SPServiceApplicationProxyGroup -Default
Add-SPServiceApplicationProxyGroupMember -Identity $defaultproxygroup -Member $newproxy



Problem/symptom: Users are not syncing from AD or SyncDB to profiledb
- Checking FIM Sync from C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe shows that sync is working from the AD to SyncDB
- Checking ContentDBs shows sync is occurring between ProfileDB to UserLists
foreach($db in Get-SPContentDatabase){$db.Name+" - "+$db.LastProfileSyncTime}
- Checking Timerjobs shows sync is running
$TimerFullSync = get-sptimerjob | where-object {$_.name -eq "User Profile Service Application_ProfSync"}
$TimerQuickSync = get-sptimerjob | where-object {$_.name -eq "User Profile Service Application_SweepSync"}
$TimerFullSync,$timerQuickSync |select name,Jobdisplayname,lastruntime,description |format-table -wrap

Common Solution:
- Kill the connection and restart sync – This is useful when User Profile Service and site collections don't update properly. These should get updated by User Profile to Sharepoint Full Sync and QuickSync. Check with -listolddatabases first to see if the time seems old.
set-location "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\BIN"
#stsadm.exe -o sync -listolddatabases 0
stsadm.exe -o sync -deleteolddatabases 0
$TimerFullSync = get-sptimerjob | where-object {$_.name -eq "User Profile Service Application_ProfSync"}
$TimerFullSync.RunNow()


References:
https://technet.microsoft.com/en-us/library/ff681014.aspx
https://technet.microsoft.com/en-us/hh296982.aspx - permissions for sync
http://blogs.msdn.com/b/kaevans/archive/2012/06/25/top-recommendations-for-managing-the-my-site-cleanup-timer-job.aspx

Monday, July 06, 2015

csv-loop snippet

 

This example reads from mycsv.csv in the same folder as the script.
-----------------csv-loop.ps1------------------
#settings#
$myfilename = "mycsv.csv"

#settings end
$importfile = "$(split-path -Parent $myinvocation.MyCommand.Definition)\$myfilename"
import-csv $importfile -Delimiter "," |foreach-object {
#All things here will execute towards every line of $myfilename
write-host "$($_.fullpath) , $($_.site) , $($_.file)"
}
------------------eof-----------------------------

----------------mycsv.csv--------------------
fullpath,site,file
test1,test2,test3
test4,test5,test6
-------------------eof---------------------------

Wednesday, July 01, 2015

Problems with updating feeds

Issue when running Update-SPRepopulateMicroblogFeedCache on Sharepoint 2013.

Add-PSSnapin microsoft.sharepoint.powershell
$accountname = "mydomain\spinstall"
$appProxy = Get-SPServiceApplicationProxy | where {$_.typename -eq "User profile service application Proxy"}
#$appProxy |format-table -AutoSize
Update-SPRepopulateMicroblogLMTCache -ProfileServiceApplicationProxy $appProxy
sleep -Seconds 30
Update-SPRepopulateMicroblogFeedCache -ProfileServiceApplicationProxy $appProxy -AccountName $accountname

Got this puppy:
When checking permissions on UPS with:

$USPA = Get-SpServiceapplication | Where-Object {$_.TypeName -eq "User Profile Service Application"}
$sec = Get-SPServiceApplicationSecurity $USPA
$sec.AccessRules

I noticed my spinstall account was missing.
Added it with some nice code I found:

$USPA = Get-SpServiceapplication | Where-Object {$_.TypeName -eq "User Profile Service Application"}
# Read the current ACL, add the account, then write the ACL back
$sec = Get-SPServiceApplicationSecurity $USPA
$account = New-SPClaimsPrincipal "mydomain\spinstall" -IdentityType WindowsSamAccountName
Grant-SPObjectSecurity $sec -Principal $account -Rights "Full Control"
Set-SPServiceApplicationSecurity -Identity $USPA -ObjectSecurity $sec

Finally the repopulate cmdlet ran successfully.

Note, though, that this should really only be necessary if mysite has been restored or remounted (like earlier version). Possibly also if Distributed Cache has been shut down ungracefully.

References:
https://social.technet.microsoft.com/Forums/systemcenter/en-US/8becf279-4889-4f0f-aa7a-428bc9a813f8/user-profile-service-access-denied-issues?forum=sharepointadmin
https://technet.microsoft.com/en-us/library/jj219560.aspx
https://technet.microsoft.com/en-us/library/jj219700.aspx