Showing posts with label SharePoint 2013 Security. Show all posts

Friday, March 4, 2016

How to generate pfx certificate using cer certificate?

When we request SharePoint server-to-server trust certificates from the company, we receive the following two files.

Mycert.cer
Mycert.key

However, we do not receive the pfx file that SharePoint servers require. We have used different ways to construct the pfx file, and I would like to summarize them here for future reference.

There are different situations in which we need to generate a pfx certificate. The way to generate it depends on the situation, and I'll show the different ways below.

The first situation is that you have a private key with a .p7b certificate file and need to create a .pfx file.
You could use the IIS server MMC UI to create the pfx file as described here.

The second situation is that you have received both the cer and key files and have to generate the pfx file from scratch. You could use the following command. You MUST put the key file, with the same name as the cer file, in the same directory, as described here.

certutil -MergePFX Mycert.cer Mycert.pfx

The third situation is that the pfx file was already imported into IIS but accidentally deleted. Now you only have the cer file but NO key file. Here is the way to regenerate the pfx file.

Import the cer file into IIS as described in the Microsoft support blog. Then run the following command to re-link the certificate to its private key, so that the pfx file can be exported again.

certutil -repairstore my "SerialNumber"

SerialNumber is the serial number of the cer file you imported.


Now you have the cert file for SharePoint server to use.
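As an added example that is not part of the original post, the following PowerShell script covers the third situation end to end: it reads the serial number from the cer file instead of copying it by hand, runs the repair, confirms that the store copy now has a private key, and exports the pfx. The file paths and the password prompt are assumptions; Export-PfxCertificate needs the PKI module (Windows Server 2012 or later).

```powershell
# Added example (not from the original post). Assumes the .cer has already been
# imported into LocalMachine\My and that the two paths below are placeholders.
$cerPath = "C:\certs\Mycert.cer"
$pfxPath = "C:\certs\Mycert.pfx"

# Read the serial number from the .cer file itself rather than from the MMC UI
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
$serial = $cer.SerialNumber
Write-Host "Serial number: $serial"

# certutil -repairstore looks up the cert in the MY store by serial number and
# re-associates it with the private key that IIS still holds on this machine
certutil -repairstore my $serial

# Confirm the store copy now has a private key; without it the PFX is useless to SharePoint
$storeCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
if (-not $storeCert) { throw "Certificate $serial not found in LocalMachine\My" }
if (-not $storeCert.HasPrivateKey) { throw "Private key still missing: repairstore found no matching key" }

# Export the repaired certificate (with its key) as a password-protected PFX
$pfxPassword = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $storeCert -FilePath $pfxPath -Password $pfxPassword

# Sanity check: the exported PFX must carry the same thumbprint as the original cer
$exported = Get-PfxCertificate -FilePath $pfxPath
if ($exported.Thumbprint -ne $cer.Thumbprint) { throw "Exported PFX does not match $cerPath" }
Write-Host "PFX written to $pfxPath (thumbprint $($exported.Thumbprint))"
```

Run it from an elevated PowerShell session on the IIS server that originally held the key; on any other machine the repair will report that no private key was found.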

Wednesday, January 28, 2015

Automation to monitor NextLabs policies deployed to all SharePoint servers

After we deployed the NextLabs SharePoint entitlement management solution, we came up with an automated process to update the SharePoint entitlement policy daily. However, we found that sometimes the updated policies were not deployed to ALL SharePoint WFEs. As a result, some servers might be running the old policies. We have worked with NextLabs to provide an API so we could verify that the deployed policies are the updated ones. However, there is no such API at this time.

In this article, I will provide a workaround that checks the policy file on ALL SharePoint WFEs. If any file has not been updated during the last 12 hours, the process sends an email to notify the administrator.

This is just a quick workaround and you may modify it for your own purpose.

#**************************************************************************************
# References and Snapins
#**************************************************************************************
$snapin = Get-PSSnapin | Where-Object {$_.Name -eq 'Microsoft.SharePoint.Powershell'}
if ($snapin -eq $null) {
  Add-PsSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
}
#**************************************************************************************


#************************************************
#  Variables that you need to change
#************************************************

# Local path of the policy bundle on every WFE; it is turned into a UNC path for remote servers
$policyPath = "C:\Program Files\NextLabs\Policy Controller\bundle.bin"
# A bundle older than this is reported as possibly out of date
$timespan = New-TimeSpan -Days 0 -Hours 12 -Minutes 0

$emailFrom = "NextLabsMonitor@mycompany.com"
$smtpServer = "smtphost.mycompany.com"
$emailTo = "admin@mycompany.com"
$subject = "NextLabs policy check " + [System.DateTime]::Now.ToLocalTime()
$message = "NextLabs policy checking results " + [System.DateTime]::Now.ToLocalTime()
$policyOutOfDate = $false


#*********************************************
# Get all WFE servers
#********************************************
$appServers = Get-SPServer | Where-Object { $_.Role -eq "Application" }
$currentHostName = $env:COMPUTERNAME
$serviceName = "Microsoft SharePoint Foundation Web Application"

foreach ($server in $appServers)
{
    $serverName = $server.DisplayName

    if ($server.Status -eq "Online")
    {
        $serviceRef = Get-SPServiceInstance -Server $server | Where-Object { $_.TypeName -eq $serviceName }
        if ($serviceRef -ne $null -and $serviceRef.Status -eq "Online") # This is a WFE server that has NextLabs policies
        {
            # Build the path for this server in its own variable; overwriting $policyPath
            # would nest one server's UNC prefix into the next server's path
            if ($serverName -ne $currentHostName)   # -ne is case-insensitive in PowerShell
            {
                $checkPath = "\\" + $serverName + "\" + $policyPath.Replace(':', '$')
            }
            else
            {
                $checkPath = $policyPath
            }

            if (Test-Path $checkPath)
            {
                # Compare the bundle's last write time against the allowed age
                $lastWrite = (Get-Item $checkPath).LastWriteTime
                if (((Get-Date) - $lastWrite) -gt $timespan) {
                    $policyOutOfDate = $true
                    Write-Host "Policy might be out of date on server $serverName." -ForegroundColor Red
                    $message = $message + "`n`n`n" + "Policy might be out of date on server $serverName." + "`n"
                } else {
                    Write-Host "Policy is fine on server $serverName." -ForegroundColor Green
                }
            }
            else
            {
                # A missing bundle must also trigger the email, otherwise this warning is never delivered
                $policyOutOfDate = $true
                $message = $message + "WARNING: The NextLabs policy file does not exist on server $serverName" + "`n"
                Write-Host "WARNING: The NextLabs policy file does not exist on server $serverName" -ForegroundColor Yellow
            }
        }
    }
    else
    {
        Write-Host -ForegroundColor Yellow "WARNING: Server $serverName is offline. Skipping the NextLabs policy check"
    }
}

$message = $message + "`n"
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)

if ($policyOutOfDate)
{
    $smtp.Send($emailFrom, $emailTo, $subject, $message)
}
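The timestamp check above only tells you that a bundle is old, not that it differs from what the other WFEs run. The following added example (mine, not part of the original post or of NextLabs) generalizes the check by hashing bundle.bin on every WFE and flagging any server whose copy differs from the majority. It assumes the same SharePoint snap-in, the same WFE detection as the script above, and PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example: content-based comparison of the NextLabs policy bundle across WFEs.
# Assumes the SharePoint snap-in is loaded and the bundle path is the same on every WFE.
$policyPath = "C:\Program Files\NextLabs\Policy Controller\bundle.bin"

# Same WFE selection as the monitoring script: online servers running the web application service
$wfeNames = Get-SPServer | Where-Object { $_.Status -eq "Online" } | Where-Object {
    (Get-SPServiceInstance -Server $_ |
        Where-Object { $_.TypeName -eq "Microsoft SharePoint Foundation Web Application" }).Status -eq "Online"
} | ForEach-Object { $_.DisplayName }

$hashes = @{}
foreach ($name in $wfeNames) {
    # Reach the bundle through the administrative share of each server
    $uncPath = "\\$name\" + $policyPath.Replace(':', '$')
    if (Test-Path $uncPath) {
        $hashes[$name] = (Get-FileHash -Path $uncPath -Algorithm SHA256).Hash
    } else {
        $hashes[$name] = "MISSING"
    }
}

# The hash shared by most servers is taken as the currently deployed bundle
$expected = $hashes.Values | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 1 -ExpandProperty Name
if ($expected -eq "MISSING") { throw "The policy bundle is missing on most WFEs; nothing to compare against" }

$stale = $hashes.GetEnumerator() | Where-Object { $_.Value -ne $expected }
foreach ($s in $stale) {
    Write-Host "Policy bundle on $($s.Key) differs from the majority ($($s.Value))" -ForegroundColor Red
}
if (-not $stale) {
    Write-Host "All WFEs carry the same policy bundle (SHA256 $expected)" -ForegroundColor Green
}
```

The majority vote only works with three or more WFEs; with two servers and differing hashes, treat both as suspect and check the policy controller logs on each.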

Thursday, January 15, 2015

Ultimate procedure to display SharePoint online hybrid search results in SharePoint Server 2013



After you have configured the SharePoint online and DirSync to allow users to leverage the Office 365 features, you might want to implement the following two functions to streamline the integration from SharePoint on-premises to SharePoint online.

  1. Redirect on-premises OneDrive to SharePoint online OneDrive for business
  2. Configure one-way outbound hybrid search to display SharePoint online results in SharePoint Server 2013

TechNet has a good procedure but is missing some key steps. Manas from the Microsoft escalation engineer team summarized the process in his blog, which is helpful. Bill from Microsoft also provided a step-by-step procedure. However, when we configured our one-way outbound hybrid search, we ran into many issues and had some concerns about these instructions. Here is a summary of the concerns.

  • Incomplete scripts from TechNet
  • Several discrepancies among all these instructions
  • Lack of a verification procedure
  • Lack of automation scripts


In this article, I'll list the major articles with tips, verifications, automation scripts, and some debugging tips. You could follow each individual blog for the details.

  1. Redirect targeted users to Office 365 with OneDrive for Business and MySite from SharePoint On Premises
  2. Procedure and tips to set up audience targeting of OneDrive for Business in Office 365 from SharePoint Server 2013 on-premises
  3. Procedure and tips to replace the STS certificate in on-premises environment for SharePoint Server 2013 hybrid solution
  4. Procedure, tips, and verification scripts to build a server-to-server trust between SharePoint Server 2013 and SharePoint Online for one-way outbound hybrid search
  5. Display hybrid search results and SharePoint online search only in SharePoint Server 2013
  6. Automate hybrid search center configuration in SharePoint Server 2013
  7. Workaround to make SharePoint online one-way outbound hybrid search display online results even when SharePoint online is not using UPN as login

If you do not want to use an Office 365 production tenant for your testing, you could use my article Activate Office 365 Developer Subscription using MSDN subscription benefit to set up a development environment.

Now, you should have all the necessary details to configure and verify the one-way outbound hybrid search. Users can seamlessly navigate from SharePoint on-premises to SharePoint online and see online search results from on-premises.