Thursday, April 26, 2012

Strange SharePoint user issue on 2010 version


We have one SharePoint user who reported that his alert email is different from his email account.

His correct user ID is “NA\virajm” and the email should be userID@qualcomm.com as indicated in AD. However, the email looks like userID@quicinc.com, which is different from the correct email. In addition, when we check the alert on the site, the alert displayed is “virajm_alias (NA\virajm_alias)” as in the screenshot.

We have tried to verify this user from four different web apps and found his name is displayed in three different ways. Here are the steps to search for the user from the people picker on the four different web apps (SharePoint, Projects, MySites, and Central Admin).

Site Actions->Site Permissions->Grant Permissions->Browse User Picker-> Enter virajm and search

1. From the Projects web app that contains the library where the user has set up the alert, we noticed two entries.


2. From another SharePoint web app, we noticed one entry but with the incorrect email userID@quicinc.com.


3. From the MySite web app and the Central Admin web app, we noticed one entry with the correct email userID@qualcomm.com.

If we display the hidden user list http://webapp/siteURL/_catalogs/users/simple.aspx, we have only one entry related to the user, with the correct name. Clicking the name displays the MySite for the user.


We have done a full user profile sync and we have no people picker customization for these web apps. At this point, I’m not able to explain what happened and have no idea how to debug and resolve this strange issue.

If you have any suggestions for debugging this issue, please let me know.

Added on 8/22: We just found the issue and a way to resolve it. The issue is that there is one more entry for this user inside the hidden user list, as you can see in the screenshot.


Here is the workaround to resolve this.
1. Go to the user alert manager page and delete the alert for the user: Site Settings->Site Administration->User alerts, select the user and delete the alert
2. Go to the hidden user list and delete the user virajm_alias
3. Recreate the alert for this user

Although the problem is resolved, we are still not sure how this invalid user was created on the site. This is still a mystery.
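To find the stray entry before deleting it, the following script (an added example, not from the original post) lists every entry the site collection holds for one account, flags a login name or mail domain that does not match, and counts the alerts each entry owns. It assumes the SharePoint 2010 Management Shell; the site URL, account name and mail domain are taken from the post as samples.

```powershell
# Added example: report site-collection user entries for one person plus
# the alerts tied to each entry, so a stray "virajm_alias" style entry
# can be identified before the workaround is applied.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SiteUserEntries {
    param(
        [string]$SiteUrl,                        # e.g. the Projects web app site
        [string]$AccountName,                    # sAMAccountName only, e.g. "virajm"
        [string]$ExpectedMailDomain = "qualcomm.com"
    )
    $site = Get-SPSite $SiteUrl
    try {
        $web = $site.RootWeb
        # SiteUsers is backed by the hidden user information list
        # (_catalogs/users) and is site-collection wide.
        $entries = $web.SiteUsers | Where-Object {
            ($_.LoginName -split '\\')[-1] -like "$AccountName*"
        }
        foreach ($u in $entries) {
            # Alerts on every web of the site collection owned by this entry.
            $alerts = @()
            foreach ($w in $site.AllWebs) {
                $alerts += $w.Alerts | Where-Object { $_.User.ID -eq $u.ID } |
                    ForEach-Object { "$($w.Url) :: $($_.Title)" }
                $w.Dispose()
            }
            New-Object PSObject -Property @{
                ID             = $u.ID
                LoginName      = $u.LoginName
                DisplayName    = $u.Name
                Email          = $u.Email
                MailDomainOk   = ($u.Email -like "*@$ExpectedMailDomain")
                IsExactAccount = ((($u.LoginName -split '\\')[-1]) -eq $AccountName)
                AlertCount     = $alerts.Count
                Alerts         = ($alerts -join "; ")
            }
        }
    }
    finally { $site.Dispose() }
}

# An entry with IsExactAccount = False or MailDomainOk = False is the candidate
# for the workaround: delete its alerts first, then remove the entry with
#   $web.SiteUsers.Remove('NA\virajm_alias')
Get-SiteUserEntries -SiteUrl 'http://webapp/siteURL' -AccountName 'virajm' |
    Format-Table ID, LoginName, Email, MailDomainOk, IsExactAccount, AlertCount -AutoSize
```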

Wednesday, April 25, 2012

NextLabs’ Entitlement Manager Issue #3 - Could not Apply Policy To Downloaded Documents in Outlook


We are evaluating NextLabs Entitlement Manager to restrict access to selected site collections containing sensitive information based on security group membership, even when users have been granted permission through an individual account, AD groups, or email list groups. After we set up the policy to restrict access to a list and tried to access it through Outlook, we identified some expected behavior: the downloaded document will not be protected by the SharePoint policy!
Here are the steps to reproduce the issue.
  1. Connect a list/library from SharePoint to Outlook. Make sure you have access.
  2. Access the list/library and open one of the documents (.doc file) from Outlook.
  3. Apply the deny policy to the list to deny access to all .doc files. Make sure you cannot access those .doc files when you try from the SharePoint UI.
  4. Access the list/library and open one of the documents (.doc file) from Outlook.


You will see two categories of documents, as displayed in the screenshot. One category is “Downloaded Documents”, which you have viewed before. The other is “Available for Download”, which you have not accessed before. You will still be able to access any document inside “Downloaded Documents” but will NOT be able to access any document inside “Available for Download”.

The reason this is expected is that the “Downloaded Documents” are already on your local machine. Unless the content or version has been updated on SharePoint, Outlook will not retrieve the document from SharePoint again, so the policy cannot be triggered. This is the same as any other scenario: NextLabs’ Entitlement Manager cannot protect files outside SharePoint!

This case did not seem to be critical since it only applies when ALL of the following conditions hold.
  • The user had access at one time
  • The user opened the document from Outlook at least once
  • The user has not deleted the locally cached document
  • The document on SharePoint has not been updated since the user opened it from Outlook

On the other hand, the user is looking at a local copy of a document he/she had permission to access before the policy was applied, which is similar to looking at a document that has already been downloaded locally.


NextLabs’ Entitlement Manager Issue #2 - Did not Provide User Friendly Deny Access Message


We are evaluating NextLabs Entitlement Manager to restrict access to selected site collections containing sensitive information based on security group membership, even when users have been granted permission through an individual account, AD groups, or email list groups. After we set up the policy to restrict access to a list, we found that it blocks access, but the error message is not user friendly. The error message differs depending on which client you come from. Here are some error messages you might get when you try to access SharePoint with a deny access policy applied.

1. If you access the library directly from the SharePoint UI, you will get the following error message.


2. If you access the library from SharePoint Designer, you will get the following error message.





3. If you access the document directly from the SharePoint UI, you will get the following error message.



4. If you access the document directly from Outlook, you will get the following error message.


5. If you access the library from a REST URL, you will NOT get any error message and you will be able to access the list, as we reported in the previous blog post.

We are still testing many other test cases and will update the results.

NextLabs’ Entitlement Manager Issue #1 - Did not Support REST Client


We are evaluating NextLabs Entitlement Manager to restrict access to selected site collections containing sensitive information based on security group membership, even when users have been granted permission through an individual account, AD groups, or email list groups. After we set up the policy to restrict access to a list, we found that it blocks access for many clients but not for the REST client.

The list we try to block is http://serverURL/dept/Firethorn/IT/Lists/Harry/AllItems.aspx. After the deny access policy has been applied to the list, you will get the following error message when you try to access the list from the SharePoint UI.



Even though the message is not user friendly, it has blocked access based on the policy. However, when we try to access the same list through the REST web service http://serverURL/dept/Firethorn/IT/_vti_bin/listdata.svc/Harry, we are able to access the content, as in the following screenshot.


This seems to be a bug, and we are working with NextLabs to identify a way to block list and library access from the REST web service when the deny access policy is applied.
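A quick way to re-check policy coverage after every policy change is to request the same list through each access path as the affected user and see which path still returns list data. The script below is an added example (not NextLabs’ or the original post’s code); the two URLs are the ones from the post, with “serverURL” as a placeholder host, and the response checks are assumptions about what the UI error page and the listdata.svc feed look like.

```powershell
# Added example: request one list via the UI page and via listdata.svc as the
# current Windows user and report whether list data came back on each path.
function Test-ListAccessPath {
    param([string]$Url, [string]$Label)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true      # run this as a user the deny policy covers
    $req.Accept = 'application/atom+xml, text/html'
    $req.AllowAutoRedirect = $false
    $status = $null; $body = ''
    try {
        $resp = $req.GetResponse()
    }
    catch [System.Net.WebException] {
        $resp = $_.Exception.Response        # 401/403/404 still carry a response body
    }
    if ($resp -ne $null) {
        $status = [int]$resp.StatusCode
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body = $reader.ReadToEnd(); $reader.Close(); $resp.Close()
    }
    # listdata.svc answers with an Atom feed, one <entry> per list item; the UI
    # path renders the list view table only when access is allowed (assumed markers).
    $dataReturned = ($body -match '<entry[\s>]') -or ($body -match 'ms-listviewtable')
    New-Object PSObject -Property @{
        Path = $Label; Url = $Url; Status = $status; DataReturned = $dataReturned
    }
}

$results = @(
    (Test-ListAccessPath -Label 'UI'   -Url 'http://serverURL/dept/Firethorn/IT/Lists/Harry/AllItems.aspx'),
    (Test-ListAccessPath -Label 'REST' -Url 'http://serverURL/dept/Firethorn/IT/_vti_bin/listdata.svc/Harry')
)
$results | Format-Table Path, Status, DataReturned -AutoSize

# Any path that still returns data for a denied user is an enforcement gap.
$gaps = $results | Where-Object { $_.DataReturned }
if ($gaps) {
    Write-Warning ("Deny policy not enforced on: " + (($gaps | ForEach-Object { $_.Path }) -join ', '))
}
```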

Key Benefit of NextLabs’ Entitlement Manager to restrict SharePoint users to access selected site collections


Our security department has identified some SharePoint 2010 site collections that need to be restricted to users of certain security groups. The requirement is to restrict access to selected site collections containing sensitive information based on security group membership, even when users have been granted permission through an individual account, AD groups, or email list groups. There are some options, and NextLabs Entitlement Manager looks very promising.

NextLabs’ Entitlement Manager for SharePoint is a content aware Entitlement Management solution that provides the capability to authorize, classify, enforce and audit enterprise resources across Microsoft SharePoint. This solution allows large enterprises to enjoy secure internal/external collaboration while helping them achieve obligatory compliance, protecting data both on and off the SharePoint Environment.

Entitlement Manager for SharePoint supports all access protocols and clients (browser, webDav, web folders, front page extensions, MS Office, MS Designer, SOAP), while ensuring administrative privileges are restricted to content owners avoiding security risks caused by SharePoint's discretionary access control model. Automation of security procedures via security trimming and enhanced support for various authentication methods such as Windows, forms-based, Web SSO, and ADFS make this solution the most secure Entitlement Management solution in the industry today.

The Key Benefits are:
  1. Compliance for Obligatory Regulation
    Provides fine grained attribute based authorization and access control policies to comply with regulations such as ITAR, HIPAA, SOX, NERC, FERC, PIPAA and many more. 

  2. Increases Enterprise-wide Adoption of SharePoint  
    Provides IP Protection and Extranet Security increasing wide-spread adoption of SharePoint, while promoting open, ad hoc collaboration. 

  3. Extends and Enhances SharePoint Security
    Manages and controls SharePoint chaos, while improving information availability and reliability, extending and enhancing SharePoint security allowing enterprise users the flexibility to collaborate. This is accomplished via end-user education, data protection automation and mandatory access control practices. 

  4. Fast and Easy to Manage Solution 
    Uses adaptive authorization policies achieving obligatory compliance via the fewest number of policies making it fast and efficient to create/modify and deploy policies. 

  5. Significantly Reduces Entitlement Management Cost -
    Easy to use, centrally administered solution eliminates the complexity associated with administering/maintaining very large number of permission/role based authorization policies, resulting in an enormous reduction in administration/maintenance time and cost.
     
  6. Improves Time To Value -
    Easy to deploy solution that integrates with existing SharePoint deployments with minimal effort, improving your enterprises’ time to value

The Entitlement Manager for SharePoint architecture is simple. The Entitlement Manager for SharePoint has two primary components, the Adapter and the Policy Controller. The Adapter runs inside IIS and the Policy Controller runs as a Windows Service.



The activity logs are collected from Policy Controllers and stored centrally in an Activity Journal. The Reporter application lets Policy Analysts monitor SharePoint activities in real-time with fine detail, or run reports to analyze trends and patterns.
  • Summary Analysis – Interactive charts by user, files, or data class to examine collective behavior.
  • Trend Analysis – Helps to discover behavioral changes over time to better understand risk exposure.
We are starting the POC to evaluate the product and will publish the findings. If anyone has used this product before, please share your thoughts.

Friday, April 20, 2012

How to remove the duplicated Document ID after 2012 Feb CU upgrade?


The 2012 Feb CU release notes indicated a fix for the duplicated IDs issue. This is a fix for any new document IDs.
The question for us is how we could fix the existing duplicated document IDs on existing sites.

We have tried the following procedures, but none of them seem to work. See the previous blog post for details.


1. Deactivate/reactivate the “Document ID Service” site collection feature
2. “Reset all Document IDs in this Site Collection to begin with these characters” from Site Actions->Site Settings->Site Collection Administration->Document ID settings
3. Run the two timer jobs named “Document ID enable/disable job” and “Document ID assignment job” for the web app


If there were an out-of-the-box procedure to remove all document IDs on the site and then regenerate them, it should get rid of the duplicates. At this time, we are generating a report to list all the duplicate document IDs, and we may have to try to reset those IDs using the APIs.

If anyone has a better way to remove the duplicated Document IDs after the 2012 Feb CU upgrade, please let me know.

Wednesday, April 18, 2012

How to debug and resolve CanUpgrade [SPConfigurationDatabase] failed issue

We have run into the following error several times, and it’s a good time to record the solution.

On one of the DEV SharePoint development boxes today, when we deployed a solution, the solution stayed in the deploying status. We also received timer job errors and were not able to deploy any solution. The log shows the following error.

04/18/2012 12:50:05.63 OWSTIMER.EXE (0x0494)                              0x27BC SharePoint Foundation                 Upgrade                                       fbv7       Unexpected       [OWSTIMER] [SPUpgradeSession] [ERROR] 
[4/18/2012 12:50:05 PM]: CanUpgrade [SPConfigurationDatabase] failed.          
04/18/2012 12:50:05.63 OWSTIMER.EXE (0x0494)                              0x27BC SharePoint Foundation                 Upgrade                                       fbv7       Unexpected       [OWSTIMER] [SPUpgradeSession] [ERROR] 
[4/18/2012 12:50:05 PM]: Inner Exception: The type initializer for 'System.Data.SqlClient.SqlConnectionFactory' threw an exception.    
04/18/2012 12:50:05.63 OWSTIMER.EXE (0x0494)                              0x27BC SharePoint Foundation                 Upgrade                                       fbv7       Unexpected       [OWSTIMER] [SPUpgradeSession] [ERROR] 
[4/18/2012 12:50:05 PM]:    at System.Data.SqlClient.SqlConnection..cctor()    
04/18/2012 12:50:05.63 OWSTIMER.EXE (0x0494)                              0x27BC SharePoint Foundation                 Upgrade                                       fbv7       Unexpected       [OWSTIMER] [SPUpgradeSession] [ERROR] 
[4/18/2012 12:50:05 PM]: Exception: The type initializer for 'System.Data.SqlClient.SqlConnection' threw an exception.              
… <Some error skipped here>
04/18/2012 12:50:05.63 OWSTIMER.EXE (0x0494)                              0x27BC SharePoint Foundation                 Timer                                         7v43       Medium               An error occured while initializing the timer.       
04/18/2012 12:50:05.63 OWSTIMER.EXE (0x0494)                              0x27BC SharePoint Foundation                 Timer                                         5utx       Unexpected       The timer service could not initialize its configuration, please check the configuration database.  Will retry later.

The error seems to point at the upgrade and is very misleading. After debugging the issue again, we realized this was the same issue we had before. The real error is in the application event log: the DB is FULL. Here are two errors from the SharePoint application event logs.



Now it’s very clear that a database is exceeding the limit. You can go to the data file location (in our case E:\SQL\Data) to review which DB is causing this issue. As always, it is the user profile sync application database, as in the following screenshot.


The solution is to shrink the DB, which resolves the issue.

“Reset all Document IDs in this Site Collection to begin with these characters” does not seem to work on 2010 SP1 + June CU

SharePoint 2010 introduced an excellent out-of-the-box feature that automatically assigns a unique document ID to every document uploaded to your SharePoint site. This site-collection-scoped feature is designed so that document IDs are guaranteed to be unique across the site collection where the feature has been activated. The major use case for this feature is that all document IDs in one site collection can share a common prefix, and we get a short URL to access the documents. One example URL to access a document is http://sbx01/sites/harry/_layouts/DocIdRedir.aspx?ID=ZHMD6RZVPS52-3-2.

This would be an excellent feature if the uniqueness held. However, there are several bugs on 2010 SP1 + June CU and the IDs are not guaranteed to be unique. You can reproduce the duplicated document ID issue through Save as Template or the Content Organizer. We are upgrading to the 2012 Feb CU, which is supposed to fix the duplicated IDs issue. Not surprisingly, it does not fix the existing duplicated document IDs. The major reason is that “Reset all Document IDs in this Site Collection to begin with these characters” failed on several environments after the Feb CU upgrade. Several people have reported similar issues.

Here is the procedure to reproduce the issue.

1. Activate the “Document ID Service” site collection feature
2. Add the “Document ID” column to the document library
3. Add items and you will see Document IDs

4. “Reset all Document IDs in this Site Collection to begin with these characters” from Site Actions->Site Settings->Site Collection Administration->Document ID settings

5. Run the two timer jobs named “Document ID enable/disable job” and “Document ID assignment job” for the web app
6. Deactivate/activate the “Document ID Service” site collection feature
7. The “Document ID” column values on the document libraries are not updated
8. New lists may not have a “Document ID” assigned

Our original idea was to remove and reset the document IDs on the site with duplicated IDs, then regenerate the IDs for all documents on the 2012 Feb CU. This way, all IDs should be unique. Since this is not working as we expected, we are not able to fix the existing duplicated document IDs. If anyone finds a workaround or solution, please let us know.

Thanks.
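Both Document ID posts above (the Feb CU one and this one) come down to knowing which IDs are duplicated, since a duplicate breaks the DocIdRedir.aspx short link and whatever process relies on it. The script below is an added example (not the posts’ own code or a Microsoft tool) that produces that report: it walks every document library in a site collection and lists each Document ID used by more than one file. It assumes the SharePoint 2010 Management Shell and uses _dlc_DocId, the internal name of the Document ID column; the site URL is the sample from the post.

```powershell
# Added example: report Document IDs shared by more than one document in a
# site collection, with the files that share each ID.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-DuplicateDocumentIds {
    param([string]$SiteUrl)
    $seen = @{}   # Document ID -> array of server-relative file paths
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            foreach ($list in $web.Lists) {
                if ($list.BaseType -ne [Microsoft.SharePoint.SPBaseType]::DocumentLibrary) { continue }
                if (-not $list.Fields.ContainsField('_dlc_DocId')) { continue }   # feature not applied
                $query = New-Object Microsoft.SharePoint.SPQuery
                $query.ViewAttributes = "Scope='RecursiveAll'"   # include items in folders
                foreach ($item in $list.GetItems($query)) {
                    $docId = [string]$item['_dlc_DocId']
                    if (-not $docId) { continue }                 # folder or ID not assigned yet
                    if (-not $seen.ContainsKey($docId)) { $seen[$docId] = @() }
                    $seen[$docId] += [string]$item['FileRef']
                }
            }
            $web.Dispose()
        }
    }
    finally { $site.Dispose() }
    # Emit only IDs that occur more than once.
    foreach ($id in $seen.Keys) {
        if ($seen[$id].Count -gt 1) {
            New-Object PSObject -Property @{
                DocumentId = $id
                Count      = $seen[$id].Count
                Files      = ($seen[$id] -join '; ')
            }
        }
    }
}

Get-DuplicateDocumentIds -SiteUrl 'http://sbx01/sites/harry' |
    Sort-Object Count -Descending |
    Format-Table DocumentId, Count, Files -AutoSize -Wrap
```

Run it once before and once after any reset attempt; an unchanged list confirms that the reset did not touch the existing IDs, which is what the posts describe.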