
New Service Fabric PowerShell Cmdlets

If you prefer to use PowerShell to interact with Azure and you are working with Service Fabric, today is your lucky day! Technically, //Build held a couple weeks ago was your lucky day since that’s when these were released but today is when I’m getting around to writing this post.

Announced a couple weeks ago, there are some new cmdlets that allow you to do cluster management. Tasks such as creating a cluster, adding/removing a node, adding/removing a node type, changing reliability or durability, things like that, are now possible using PowerShell. As of today, here are the new commands, currently at v 0.1.1:

Add-AzureRmServiceFabricApplicationCertificate
Add-AzureRmServiceFabricClientCertificate
Add-AzureRmServiceFabricClusterCertificate
Add-AzureRmServiceFabricNode
Add-AzureRmServiceFabricNodeType
Get-AzureRmServiceFabricCluster
New-AzureRmServiceFabricCluster
Remove-AzureRmServiceFabricClientCertificate
Remove-AzureRmServiceFabricClusterCertificate
Remove-AzureRmServiceFabricNode
Remove-AzureRmServiceFabricNodeType
Remove-AzureRmServiceFabricSetting
Set-AzureRmServiceFabricSetting
Set-AzureRmServiceFabricUpgradeType
Update-AzureRmServiceFabricDurability
Update-AzureRmServiceFabricReliability

For the latest documentation, check out the docs.

Installation

Admittedly, I’m not a huge PowerShell user. But, I wanted to at least give these a quick test run. Especially focusing on the New-AzureRmServiceFabricCluster command as that lets us now create a new cluster without writing an ARM template! Pretty cool…for the scenarios where it supports the customizations we need. More on that later. I mentioned I wasn’t a huge PowerShell user, and by that I mean to say I didn’t even have the Azure PowerShell SDK installed on my main machine. So I went off to install it. Just my luck, the first install didn’t go so well: when I tried running some of these new commands I got an error saying I needed to run Import-Module on AzureRM.ServiceFabric. Well, when I did that I got this error:

Import-Module : The module to process ‘.\Microsoft.Azure.Commands.ServiceFabric.dll’, listed in field ‘NestedModules’ of module manifest ‘C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ResourceManager\AzureResourceManager\AzureRM.ServiceFabric\AzureRM.ServiceFabric.psd1’ was not processed because no valid module was found in any module directory.

Indeed, the dll it was looking for didn’t exist. After some unsuccessful troubleshooting I gave up and removed the SDK and reinstalled. That time it worked.

Create a New Cluster

Starting with Hello World, I wanted to create a new cluster. Nothing fancy, just following one of the examples given in the help documentation. Updating my script, I ended up with this (watch for wrapping if you copy/paste):

# One password, used below for both the VM admin account and the exported certificate
$pwd="OneSuperSecret@99" | ConvertTo-SecureString -AsPlainText -Force
$RGname="testposhasf"
$clusterloc="SouthCentralUS"
# Certificate subject name: <resource group>.<region>.cloudapp.azure.com
$subname="$RGname.$clusterloc.cloudapp.azure.com"
$pfxfolder="c:\MyCertificates\"

Write-Output "create cluster in " $clusterloc "subject name for cert " $subname "and output the cert into " $pfxfolder

New-AzureRmServiceFabricCluster -ResourceGroupName $RGname -Location $clusterloc -ClusterSize 3 -VmPassword $pwd -CertificateSubjectName $subname -CertificateOutputFolder $pfxfolder -CertificatePassword $pwd -OS WindowsServer2016DatacenterwithContainers

That creates a 3 node cluster using the Server 2016 w/Containers OS and secures it by creating a new cert and storing it in Key Vault along with downloading it locally so I can use it. (Install it locally before trying to access Service Fabric Explorer.) It took around 10ish minutes and resulted in a usable cluster, all without writing a single line of JSON!

And here’s the Resource Group view, showing all of the artifacts it created for me:

A few things to point out:

  1. While this command does create a secure cluster, notice it created the Key Vault in the same Resource Group. Not really the best deployment scenario, but it gets the job done. If you’d prefer to use an existing Key Vault, use one of the other options of the same command to create a new Key Vault Resource Group. Examples are shown in the help.
  2. For some reason, it created the cluster with version 5.5.216 of the Service Fabric runtime, whereas the latest version is 5.6.210 (and preferred when using Windows containers). Hopefully this will get fixed soon.
  3. If you don’t like the naming scheme (does “l5nbd6qsesaeu100” mean anything to you?), you’ll need to create a JSON template.
  4. For control over many other options (such as deploying into an existing VNET), you’ll be back in JSON.
  5. Even if you’re back in JSON, you can still leverage this command by passing in your template file (see the other examples).
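
A hardened variant of the script above, added here as an example (it is not code from the original post or from the Service Fabric docs): it prompts for the secrets instead of embedding them, uses separate passwords for the VM admin account and the exported PFX, and restricts the certificate output folder to the current user before the PFX is written there. The variable names $vmPassword and $certPassword and the ACL step are assumptions of this example; the cmdlet and its parameters are the ones used above.

```powershell
# Added example, not from the original post.
# Same cluster as above, but no secret is written into the script and the
# folder that receives the exported PFX is accessible only to the current user.

$RGname     = "testposhasf"
$clusterloc = "SouthCentralUS"
$subname    = "$RGname.$clusterloc.cloudapp.azure.com"
$pfxfolder  = "c:\MyCertificates\"

# Prompt for the secrets; -AsSecureString masks the input and returns a SecureString.
# Two different values: the VM admin password and the PFX password protect
# different things, so a leak of one should not expose the other.
# ($vmPassword / $certPassword are names chosen for this example; they also
# avoid overwriting PowerShell's automatic $PWD variable.)
$vmPassword   = Read-Host -Prompt "VM administrator password" -AsSecureString
$certPassword = Read-Host -Prompt "Password for the exported PFX" -AsSecureString

# Create the output folder if needed, then replace inherited permissions
# with a single rule that grants access to the current user only.
if (-not (Test-Path -Path $pfxfolder)) {
    New-Item -ItemType Directory -Path $pfxfolder | Out-Null
}
$acl = Get-Acl -Path $pfxfolder
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $me, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.SetAccessRule($rule)
Set-Acl -Path $pfxfolder -AclObject $acl

# Same call as in the post, with the two separate secrets.
New-AzureRmServiceFabricCluster -ResourceGroupName $RGname -Location $clusterloc `
    -ClusterSize 3 -VmPassword $vmPassword `
    -CertificateSubjectName $subname -CertificateOutputFolder $pfxfolder `
    -CertificatePassword $certPassword -OS WindowsServer2016DatacenterwithContainers

# Confirm who can read the folder now that the PFX is in it.
(Get-Acl -Path $pfxfolder).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
Get-ChildItem -Path $pfxfolder -Filter *.pfx | Select-Object Name, LastWriteTime
```

Once the PFX has been imported into the certificate store of the machine that needs it, the copy in $pfxfolder can be moved to protected storage or deleted, since Key Vault already holds the certificate.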

All-in-all, I think this is a great start and I like where the tooling is going. I can’t wait to see these capabilities grow and, hopefully, be adopted over in the CLI world.


Get Started with PowerShell on Azure Government

Many folks using Azure Government probably have a subscription or two on public Azure. If you’re bouncing between environments and using PowerShell on each, it could become cumbersome to switch between them. This post shows a method that I’ve found to be easy to implement and simple to switch between environments. As a footnote, this can also be used to set up multiple environments beyond Azure Government, such as on-premises Azure.

If you do nothing after installing the Azure PowerShell modules and then run Get-AzureEnvironment, you’ll get two results (as of this posting): AzureCloud and AzureChinaCloud. So the first thing we need to do is add another environment for Azure Government. After that, we’ll use the certificate method to connect to our subscription. I prefer this method for three reasons:

  1. I can use this same certificate for my other subscriptions, allowing me to easily switch between them on the same machine
  2. Azure Government doesn’t support using Azure AD (Add-AzureAccount), at least based on my experiences (see edit below)
  3. Using a publishing settings file may work, but honestly I haven’t spent time using this method to see if it works or works as well as using a certificate

Ok, let’s add that new local environment. Run the following Posh command (I included line breaks for readability):

Add-AzureEnvironment -name "AzureGovernment" `
-PublishSettingsFileUrl "https://manage.windowsazure.us/publishsettings/index?client=xplat" `
-ServiceEndpoint "https://management.core.usgovcloudapi.net" `
-ManagementPortalUrl "https://manage.windowsazure.us" -StorageEndpoint "core.usgovcloudapi.net" `
-ActiveDirectoryEndpoint "https://login.windows.net/" -ActiveDirectoryServiceEndpointResourceId "https://management.core.usgovcloudapi.net/"

Feel free to change the -name parameter value to whatever you want to use, as this is a local environment name, but leave the rest as-is. And don’t forget the trailing slash on -ActiveDirectoryServiceEndpointResourceId or you’ll get an error when authenticating.

Now let’s create a local certificate. Open up a Visual Studio command prompt or other cli that supports makecert and run:

makecert -sky exchange -r -n "CN=<YourCertName>" -pe -a sha1 -len 2048 -ss My "c:\temp\<YourCertName>.cer"

For a reference on how to do that, look here: https://msdn.microsoft.com/en-us/library/azure/gg551722.aspx

Once that cert is created, you need to add it to your subscription in Azure Government.

  1. Navigate to https://manage.windowsazure.us and log in
  2. At the bottom of the left navigation, click on “Settings”
  3. Click on “Management Certificates”
  4. At the bottom of the screen, click on “Upload” and choose the .cer file you created earlier and stored in c:\temp, then upload the file

Once the certificate has been added, you can now add a new subscription entry using the Azure environment and certificate previously created. First, you need to grab some configuration values:

$subId = "<YourSubscriptionId>"
$thumbprint = "<YourCertificateThumbprint>"
# Load the management certificate (with its private key) from the current user's store
$cert = Get-Item Cert:\CurrentUser\My\$thumbprint
$localSubName = "<LocalSubscriptionName>"
$environmentName = "AzureGovernment"

<YourSubscriptionId> can be copied from the Management Certificates screen where you uploaded your certificate. Double click the value next to your cert and it will highlight the entire value so you can copy it, although it won’t show the entire value. You can expand the width of the column if you’d like to see the entire value (that was recently added :) ).

<YourCertificateThumbprint> can be copied from the same location under the Thumbprint column.

<LocalSubscriptionName> is a local name you will use to refer to this subscription, so use a name that makes sense to you. Maybe “ProdAzureGovernment”, as an example.

For environmentName, use the same name you used earlier when creating the local Azure Environment. If you kept my default, the name will be “AzureGovernment”.

Now run the following (I included line breaks for readability):

Set-AzureSubscription -SubscriptionName $localSubName `
-SubscriptionId $subId -Certificate $cert -Environment $environmentName

If all went well, you’re all set! To see your local subscriptions, run Get-AzureSubscription. You should see your new ProdAzureGovernment subscription (or whatever you called it) along with any other subscriptions you already had configured, if any. You will also see which one is default and also current. The one flagged as default will be used by default when you first fire up PowerShell. The one marked current is what you’re currently hitting when you run commands against your subscription. You can change which subscription is default and current by running Select-AzureSubscription and passing in the desired config.
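
A pre-flight check for the registration steps above, added here as an example (it is not part of the original post): it cleans up the pasted thumbprint, confirms the certificate in the CurrentUser\My store has its private key and is inside its validity window, reports the key size and signature algorithm, and only then calls Set-AzureSubscription. The helper name Get-ManagementCertificate and the 30-day expiry warning are assumptions of this example.

```powershell
# Added example, not from the original post.
function Get-ManagementCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [int]$WarnDays = 30    # assumption: warn when fewer than 30 days of validity remain
    )

    # Thumbprints copied from a portal column or a certificate dialog often carry
    # spaces or invisible characters; keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) hex characters."
    }

    $path = "Cert:\CurrentUser\My\$clean"
    if (-not (Test-Path -Path $path)) {
        throw "No certificate with thumbprint $clean in CurrentUser\My."
    }
    $cert = Get-Item -Path $path

    # The .cer uploaded to the portal holds only the public key. This machine
    # must hold the matching private key or every management call will fail.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $clean has no private key in this store."
    }

    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        throw "Certificate $clean is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }
    if ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
        Write-Warning "Certificate $clean expires on $($cert.NotAfter)."
    }

    # Report what is about to be trusted for full management access.
    Write-Host ("Subject   : {0}" -f $cert.Subject)
    Write-Host ("Key size  : {0}" -f $cert.PublicKey.Key.KeySize)
    Write-Host ("Signature : {0}" -f $cert.SignatureAlgorithm.FriendlyName)
    Write-Host ("Expires   : {0}" -f $cert.NotAfter)

    return $cert
}

# Placeholders as in the post; replace them with your own values.
$subId           = "<YourSubscriptionId>"
$localSubName    = "<LocalSubscriptionName>"
$environmentName = "AzureGovernment"

# Throws, and so skips the registration, if any check fails.
$cert = Get-ManagementCertificate -Thumbprint "<YourCertificateThumbprint>"

Set-AzureSubscription -SubscriptionName $localSubName `
    -SubscriptionId $subId -Certificate $cert -Environment $environmentName
```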

Assuming you have one subscription called “MSDN” and another called “ProdAzureGovernment”, within the same PowerShell window you can switch between them by simply running Select-AzureSubscription.

Select-AzureSubscription "MSDN" -Current
Get-AzureVM

Will show you all VMs on your MSDN subscription.

Select-AzureSubscription "ProdAzureGovernment" -Current
Get-AzureVM

Will show you all VMs on your Azure Government subscription.

If you have your Azure Government subscription set to current and then run Get-AzureSubscription, you may receive an error stating “The given key was not present in the dictionary.” I’m not sure what the cause of this is, but all other commands I’ve run against the subscription have succeeded just fine. If I figure that out I’ll post an update.

It’s just that simple! Hope that helps. As always, if you have any questions or suggestions please post a comment.

<EDIT>Thanks to a tip from my colleague Keith Mayer, I discovered why I couldn’t get Azure AD to work. My previous script for Add-AzureEnvironment was missing the -ActiveDirectoryEndpoint parameter, which is kind of important. After adding that to the environment definition I was able to use Azure AD and the Add-AzureAccount cmdlet to authenticate against Azure Government. Yeah! This is actually the preferred method going forward as opposed to using a certificate.</EDIT>


Custom Access Denied Page in SharePoint 2013

In SharePoint 2010, it was quite easy to tell SharePoint to use a custom access denied page that you developed and deployed to the farm instead of the out of the box page. There are many reasons that lead to the need for this, such as changing the text of the message or adding a more dynamic page / form to collect information from the user or perform some other function. Once you build your page and get it deployed, all it took was a call to SPWebApplication.UpdateMappedPage or the PowerShell cmdlet Set-SPCustomLayoutsPage with the proper parameters and you’re off and running. Plenty of posts on the Internet on doing that task so I won’t cover it here.

What I do want to cover, however, is where things stand on this topic with 2013. As of the writing of this post, you can’t do this. Although the same UpdateMappedPage method and Set-SPCustomLayoutsPage cmdlet exist in 2013, there is an identified bug in the product related to the property. The custom location can be set using either of these methods, but SharePoint will not recognize it and will continue to use the out of the box accessdenied.aspx page. I’ve verified this through a Microsoft internal distribution group as well as a support case submitted by me on behalf of one of my clients. Hopefully this gets fixed in a hotfix or CU, but until then you are out of luck.

There are a couple other options, though.

  1. Supported Option:  Create an HTTP handler (covered a bit in this forum post) to intercept each request and redirect to your custom page if the server is sending the user to the out of the box accessdenied.aspx page. I don’t like this since it adds overhead to every SharePoint page request.
  2. Unsupported Option, proposed by a co-worker of mine, Lester Sconyers:
    1. Add a delegate control to the error.master like below. (I know, I know. Not ideal)
       <SharePoint:DelegateControl runat="server" ControlId="MyDelegate" AllowMultipleControls="true" />
    2. Create a user control to be deployed to _controltemplates
    3. Create an elements.xml file which will add the control to the delegate control.
       <Control Id="MyDelegate" ControlSrc="~/_controltemplates/15/mycontrols/redirect.ascx" Sequence="1" />
    4. In the page load method of the user control, check the request URL. If it is for access denied, redirect users to your custom page

A nice option for those who are ok with modifying out of the box pages.

I should note that the UpdateMappedPage and Set-SPCustomLayoutsPage are not just for access denied. They are used for the following pages:

  • AccessDenied
  • Confirmation
  • Error
  • Login
  • RequestAccess
  • Signout
  • WebDeleted

I haven’t tested to see if changing the setting for pages other than AccessDenied is respected or not.


SharePoint 2013 Web Templates

I thought I would update my 2010 Web Templates post with the same info for the 2013 platform. Here is a list of all the web templates in SharePoint 2013, including the ID, Description and CompatibilityLevel:

ID Title Name Description CompatibilityLevel
0 Global template GLOBAL#0 This template is used for initializing a new site. 15
1 Team Site STS#0 A place to work together with a group of people. 15
1 Blank Site STS#1 A blank site for you to customize based on your requirements. 15
1 Document Workspace STS#2 A site for colleagues to work together on a document. It provides a document library for storing the primary document and supporting files, a tasks list for assigning to-do items, and a links list for resources related to the document. 15
2 Basic Meeting Workspace MPS#0 A site to plan, organize, and capture the results of a meeting. It provides lists for managing the agenda, meeting attendees, and documents. 15
2 Blank Meeting Workspace MPS#1 A blank meeting site for you to customize based on your requirements. 15
2 Decision Meeting Workspace MPS#2 A site for meetings that track status or make decisions. It provides lists for creating tasks, storing documents, and recording decisions. 15
2 Social Meeting Workspace MPS#3 A site to plan social occasions. It provides lists for tracking attendees, providing directions, and storing pictures of the event. 15
2 Multipage Meeting Workspace MPS#4 A site to plan, organize, and capture the results of a meeting. It provides lists for managing the agenda and meeting attendees in addition to two blank pages for you to customize based on your requirements. 15
3 Central Admin Site CENTRALADMIN#0 A site for central administration. It provides Web pages and links for application and operations management. 15
4 Wiki Site WIKI#0 A site for a community to brainstorm and share ideas. It provides Web pages that can be quickly edited to record information and then linked together through keywords 15
9 Blog BLOG#0 A site for a person or team to post ideas, observations, and expertise that site visitors can comment on. 15
15 Group Work Site SGS#0 This template provides a groupware solution that enables teams to create, organize, and share information quickly and easily. It includes Group Calendar, Circulation, Phone-Call Memo, the Document Library and the other basic lists. 15
16 Tenant Admin Site TENANTADMIN#0 A site for tenant administration. It provides Web pages and links for self-serve administration. 15
17 App Template APP#0 A base template for app development.  It provides the minimal set of features needed for an app. 15
18 App Catalog Site APPCATALOG#0 A site for sharing apps for SharePoint and Office 15
2764 Access Services Site ACCSRV#0 Microsoft Access Server 15
2757 Access Services Site Internal ACCSVC#0 Microsoft Access Server Internal 15
2757 Access Services Site ACCSVC#1 Microsoft Access Server 15
7 Document Center BDR#0 A site to centrally manage documents in your enterprise. 15
95 Developer Site DEV#0 A site for developers to build, test and publish apps for Office 15
10000 Academic Library DOCMARKETPLACESITE#0 The Academic Library template provides a rich view and consumption experience for published content and management. Authors populate metadata and apply rules at the time of publishing, such as description, licensing, and optional rights management (IRM). Visitors of the site can search or browse published titles and add authorized selections to their collection to consume, subject to the rights and rules applied by the author. The site provides an IRM-capable document library, a publishing mechanism for authors to publish documents, detailed views for each document, a check-out mechanism, and related search capabilities. 15
3300 eDiscovery Center EDISC#0 A site to manage the preservation, search, and export of content for legal matters and investigations. 15
3300 eDiscovery Case EDISC#1 This template creates an eDiscovery case. Users create locations where they can preserve or export data. 15
14483 (obsolete) Records Center OFFILE#0 (obsolete) This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository. 15
14483 Records Center OFFILE#1 This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository. 15
40 Shared Services Administration Site OSRV#0 This template creates a site for administering shared services 15
3100 PerformancePoint PPSMASite#0 A site for presenting PerformancePoint dashboards and scorecards. The site also includes links to PerformancePoint Dashboard Designer and storage for dashboard content such as analytic charts, reports, KPIs, and strategy maps. 15
3200 Business Intelligence Center BICenterSite#0 A site for presenting Business Intelligence content in SharePoint. 15
20 SharePoint Portal Server Site SPS#0 This template is obsolete. 15
21 SharePoint Portal Server Personal Space SPSPERS#0 This web template defines a Personal Space for an individual participating on a SharePoint Portal. 15
21 Storage And Social SharePoint Portal Server Personal Space SPSPERS#2 This web template defines a minimal Personal Space with both Social and Storage features for an individual participating on a SharePoint Portal. 15
21 Storage Only SharePoint Portal Server Personal Space SPSPERS#3 This web template defines a minimal Personal Space with Storage features for an individual participating on a SharePoint Portal. 15
21 Social Only SharePoint Portal Server Personal Space SPSPERS#4 This web template defines a minimal Personal Space with Social features for an individual participating on a SharePoint Portal. 15
21 Empty SharePoint Portal Server Personal Space SPSPERS#5 This web template defines a empty Personal Space. 15
22 Personalization Site SPSMSITE#0 A site for delivering personalized views, data, and navigation from this site collection into My Site. It includes personalization specific Web Parts and navigation that is optimized for My Site sites. 15
30 Contents area Template SPSTOC#0 This template is obsolete. 15
31 Topic area template SPSTOPIC#0 This template is obsolete. 15
32 News Site SPSNEWS#0 This template is obsolete. 15
39 Publishing Site CMSPUBLISHING#0 A blank site for expanding your Web site and quickly publishing Web pages. Contributors can work on draft versions of pages and publish them to make them visible to readers. The site includes  document and image libraries for storing Web publishing assets. 15
53 Publishing Site BLANKINTERNET#0 This template creates a site for publishing Web pages on a schedule, with workflow features enabled.  By default, only Publishing subsites can be created under this site. A Document and Picture Library are included for storing Web publishing assets. 15
53 Press Releases Site BLANKINTERNET#1 This template creates the Press Releases subsite for an Internet-facing corporate presence website. 15
53 Publishing Site with Workflow BLANKINTERNET#2 A site for publishing Web pages on a schedule by using approval workflows. It includes document and image libraries for storing Web publishing assets. By default, only sites with this template can be created under this site. 15
33 News Site SPSNHOME#0 A site for publishing news articles and links to news articles. It includes a sample news page and an archive for storing older news items. 15
34 Site Directory SPSSITES#0 A site for listing and categorizing important sites in your organization. It includes different views for categorized sites, top sites, and a site map. 15
36 Community area template SPSCOMMU#0 This template is obsolete. 15
38 Report Center SPSREPORTCENTER#0 A site for creating, managing, and delivering Web pages, dashboards, and key performance indicators that communicate metrics, goals, and business intelligence information. 15
47 Collaboration Portal SPSPORTAL#0 A starter site hierarchy for an intranet divisional portal. It includes a home page, a News site, a Site Directory, a Document Center, and a Search Center with Tabs. Typically, this site has nearly as many contributors as  readers and is used to host team sites. 15
50 Enterprise Search Center SRCHCEN#0 A site focused on delivering an enterprise-wide search experience. Includes a welcome page with a search box that connects users to four search results page experiences: one for general searches, one for people searches, one for conversation searches, and one for video searches. You can add and customize new results pages to focus on other types of search queries. 15
51 Profiles PROFILES#0 This template creates a profile site that includes page layout with zones 15
52 Publishing Portal BLANKINTERNETCONTAINER#0 A starter site hierarchy for an Internet-facing site or a large intranet portal. This site can be customized easily with distinctive branding. It includes a home page, a sample press releases subsite, a Search Center, and a login page. Typically, this site has many more readers than contributors, and it is used to publish Web pages with approval workflows. 15
54 My Site Host SPSMSITEHOST#0 A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details. 15
56 Enterprise Wiki ENTERWIKI#0 A site for publishing knowledge that you capture and want to share across the enterprise. It provides an easy content editing experience in a single location for co-authoring content, discussions, and project management. 15
6115 Project Site PROJECTSITE#0 A site for managing and collaborating on a project. This site template brings all status, communication, and artifacts relevant to the project into one place. 15
59 Product Catalog PRODUCTCATALOG#0 A site for managing product catalog data which can be published to  an internet-facing site through search. The product catalog can be configured to support product variants and multilingual product properties.  The site includes admin pages for managing faceted navigation for products. 15
62 Community Site COMMUNITY#0 A place where community members discuss topics of common interest. Members can browse and discover relevant content by exploring categories, sorting discussions by popularity or by viewing only posts that have a best reply. Members gain reputation points by participating in the community, such as starting discussions and replying to them, liking posts and specifying best replies. 15
63 Community Portal COMMUNITYPORTAL#0 A site for discovering communities. 15
90 Basic Search Center SRCHCENTERLITE#0 A site focused on delivering a basic search experience. Includes a welcome page with a search box that connects users to a search results page, and an advanced search page. This Search Center will not appear in navigation. 15
90 Basic Search Center SRCHCENTERLITE#1 The Search Center template creates pages dedicated to search. The main welcome page features a simple search box in the center of the page. The template includes a search results and an advanced search page. This Search Center will not appear in navigation. 15
61 Visio Process Repository visprus#0 A site for viewing, sharing, and storing Visio process diagrams. It includes a versioned document library and templates for Basic Flowcharts, Cross-functional Flowcharts, and BPMN diagrams. 15
0 Global template GLOBAL#0 This template is used for initializing a new site. 14
1 Team Site STS#0 A site for teams to quickly organize, author, and share information. It provides a document library, and lists for managing announcements, calendar items, tasks, and discussions. 14
1 Blank Site STS#1 A blank site for you to customize based on your requirements. 14
1 Document Workspace STS#2 A site for colleagues to work together on a document. It provides a document library for storing the primary document and supporting files, a tasks list for assigning to-do items, and a links list for resources related to the document. 14
2 Basic Meeting Workspace MPS#0 A site to plan, organize, and capture the results of a meeting. It provides lists for managing the agenda, meeting attendees, and documents. 14
2 Blank Meeting Workspace MPS#1 A blank meeting site for you to customize based on your requirements. 14
2 Decision Meeting Workspace MPS#2 A site for meetings that track status or make decisions. It provides lists for creating tasks, storing documents, and recording decisions. 14
2 Social Meeting Workspace MPS#3 A site to plan social occasions. It provides lists for tracking attendees, providing directions, and storing pictures of the event. 14
2 Multipage Meeting Workspace MPS#4 A site to plan, organize, and capture the results of a meeting. It provides lists for managing the agenda and meeting attendees in addition to two blank pages for you to customize based on your requirements. 14
3 Central Admin Site CENTRALADMIN#0 A site for central administration. It provides Web pages and links for application and operations management. 14
4 Wiki Site WIKI#0 A site for a community to brainstorm and share ideas. It provides Web pages that can be quickly edited to record information and then linked together through keywords 14
9 Blog BLOG#0 A site for a person or team to post ideas, observations, and expertise that site visitors can comment on. 14
15 Group Work Site SGS#0 This template provides a groupware solution that enables teams to create, organize, and share information quickly and easily. It includes Group Calendar, Circulation, Phone-Call Memo, the Document Library and the other basic lists. 14
16 Tenant Admin Site TENANTADMIN#0 A site for tenant administration. It provides Web pages and links for self-serve administration. 14
2764 Access Services Site ACCSRV#0 Microsoft Access Server 14
2764 Assets Web Database ACCSRV#1 Create an assets database to keep track of assets, including asset details and owners. 14
2764 Charitable Contributions Web Database ACCSRV#3 Create a database to track information about fundraising campaigns including donations made by contributors, campaign related events, and pending tasks. 14
2764 Contacts Web Database ACCSRV#4 Create a contacts database to manage information about people that your team works with, such as customers and partners. 14
2764 Issues Web Database ACCSRV#6 Create an issues database to manage a set of issues or problems. You can assign, prioritize, and follow the progress of issues from start to finish. 14
2764 Projects Web Database ACCSRV#5 Create a project tracking database to track multiple projects, and assign tasks to different people. 14
7 Document Center BDR#0 A site to centrally manage documents in your enterprise. 14
14483 (obsolete) Records Center OFFILE#0 (obsolete) This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository. 14
14483 Records Center OFFILE#1 This template creates a site designed for records management. Records managers can configure the routing table to direct incoming files to specific locations. The site also lets you manage whether records can be deleted or modified after they are added to the repository. 14
40 Shared Services Administration Site OSRV#0 This template creates a site for administering shared services 14
3100 PerformancePoint PPSMASite#0 A site for presenting PerformancePoint dashboards and scorecards. The site also includes links to PerformancePoint Dashboard Designer and storage for dashboard content such as analytic charts, reports, KPIs, and strategy maps. 14
3200 Business Intelligence Center BICenterSite#0 A site for presenting Business Intelligence Center. 14
20 SharePoint Portal Server Site SPS#0 This template is obsolete. 14
21 SharePoint Portal Server Personal Space SPSPERS#0 This web template defines a Personal Space for an individual participating on a SharePoint Portal. 14
22 Personalization Site SPSMSITE#0 A site for delivering personalized views, data, and navigation from this site collection into My Site. It includes personalization specific Web Parts and navigation that is optimized for My Site sites. 14
30 Contents area Template SPSTOC#0 This template is obsolete. 14
31 Topic area template SPSTOPIC#0 This template is obsolete. 14
32 News Site SPSNEWS#0 This template is obsolete. 14
39 Publishing Site CMSPUBLISHING#0 A blank site for expanding your Web site and quickly publishing Web pages. Contributors can work on draft versions of pages and publish them to make them visible to readers. The site includes  document and image libraries for storing Web publishing assets. 14
53 Publishing Site BLANKINTERNET#0 This template creates a site for publishing Web pages on a schedule, with workflow features enabled.  By default, only Publishing subsites can be created under this site. A Document and Picture Library are included for storing Web publishing assets. 14
53 Press Releases Site BLANKINTERNET#1 This template creates the Press Releases subsite for an Internet-facing corporate presence website. 14
53 Publishing Site with Workflow BLANKINTERNET#2 A site for publishing Web pages on a schedule by using approval workflows. It includes document and image libraries for storing Web publishing assets. By default, only sites with this template can be created under this site. 14
33 News Site SPSNHOME#0 A site for publishing news articles and links to news articles. It includes a sample news page and an archive for storing older news items. 14
34 Site Directory SPSSITES#0 A site for listing and categorizing important sites in your organization. It includes different views for categorized sites, top sites, and a site map. 14
36 Community area template SPSCOMMU#0 This template is obsolete. 14
38 Report Center SPSREPORTCENTER#0 A site for creating, managing, and delivering Web pages, dashboards, and key performance indicators that communicate metrics, goals, and business intelligence information. 14
47 Collaboration Portal SPSPORTAL#0 A starter site hierarchy for an intranet divisional portal. It includes a home page, a News site, a Site Directory, a Document Center, and a Search Center with Tabs. Typically, this site has nearly as many contributors as  readers and is used to host team sites. 14
50 Enterprise Search Center SRCHCEN#0 A site for delivering the search experience. The welcome page includes a search box with two tabs: one for general searches, and another for searches for information about people. You can add and customize tabs to focus on other search scopes or result types. 14
51 Profiles PROFILES#0 This template creates a profile site that includes page layout with zones 14
52 Publishing Portal BLANKINTERNETCONTAINER#0 A starter site hierarchy for an Internet-facing site or a large intranet portal. This site can be customized easily with distinctive branding. It includes a home page, a sample press releases subsite, a Search Center, and a login page. Typically, this site has many more readers than contributors, and it is used to publish Web pages with approval workflows. 14
54 My Site Host SPSMSITEHOST#0 A site used for hosting personal sites (My Sites) and the public People Profile page. This template needs to be provisioned only once per User Profile Service Application, please consult the documentation for details. 14
56 Enterprise Wiki ENTERWIKI#0 A site for publishing knowledge that you capture and want to share across the enterprise. It provides an easy content editing experience in a single location for co-authoring content, discussions, and project management. 14
90 Basic Search Center SRCHCENTERLITE#0 A site for delivering the search experience. The site includes pages for search results and advanced searches. 14
90 Basic Search Center SRCHCENTERLITE#1 The Search Center template creates pages dedicated to search. The main welcome page features a simple search box in the center of the page. The template includes a search results and an advanced search page. This Search Center will not appear in navigation. 14
2000 FAST Search Center SRCHCENTERFAST#0 A site for delivering the FAST search experience. The welcome page includes a search box with two tabs: one for general searches, and another for searches for information about people. You can add and customize tabs to focus on other search scopes or result types. 14
61 Visio Process Repository visprus#0 A site for teams to quickly view, share, and store Visio process diagrams. It provides a versioned document library for storing process diagrams, and lists for managing announcements, tasks, and review discussions. 14
PowerShell, SharePoint, Technical

SharePoint 2013 Claim Expiration and AD Sync

Here’s an interesting scenario I hadn’t experienced before:  SharePoint 2013 farm doing a user profile sync with Active Directory. Security was based on Active Directory security groups managing membership and authorization controlled through SharePoint groups containing the AD groups. As users were added and removed to/from the AD groups, they weren’t seeing the change reflected in the SharePoint sites. After a crash course in claim caching, here’s what we ended up with.

First, an admittedly simplistic view of how SharePoint manages tokens:

  1. User browses to SharePoint site
  2. SharePoint checks local token store (STS) for a non-expired cached claim for that user
  3. If not found, STS creates a new claim by querying AD and then adds it to the cache
  4. If found, uses the cached claim

That covers the user; now let’s look at how SharePoint syncs with AD to get group and membership info. Managed by the User Profile Sync service, SharePoint queries AD to learn about new or removed users as well as group membership. This is also controlled by a cache, and can create the scenario we ran into, where AD users that were added to or removed from AD groups did not have their authorization permissions updated in SharePoint.

By default, SharePoint will cache this group membership info for 24 hours. Well, we weren’t that patient. We changed it to two minutes using the following command:

stsadm.exe -o setproperty -propertyname token-timeout -propertyvalue 2

That sets the timeout to two (2) minutes. Admittedly a bit extreme, but we’ll set it back to a more reasonable timeframe when things aren’t so volatile.

So that takes care of SharePoint becoming aware of AD group permission changes, but how about user claims being updated? If SharePoint is aware of a user now being granted access through membership in an AD group, but that user obtained their claim earlier in the day before the AD group membership was changed, they will still be denied access. To change that we looked at setting the LogonTokenCacheExpirationWindow and WindowsTokenLifetime properties for the STS:

$sts = Get-SPSecurityTokenServiceConfig
$sts.FormsTokenLifetime = (New-TimeSpan -minutes 2)
$sts.WindowsTokenLifetime = (New-TimeSpan -minutes 2)
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 1)
$sts.Update()
iisreset

The above tells the STS that claim tokens are good for one (1) minute: the effective lifetime is WindowsTokenLifetime – LogonTokenCacheExpirationWindow, so 2 – 1 = 1. I’m pretty good with math. Default for both is 10 hours.

Oh, if you happen to set a lifetime that is shorter than the expiration window, that’s a good way to block users from accessing the site. Once their existing token expires, they’ll start seeing a message “The context has expired and can no longer be used.”

In other words, don’t do that.

Now every minute STS will refresh the claim token for a user to get the latest and greatest membership info from AD. That seemed to do the trick for this scenario, and we’ll definitely adjust the values above when things aren’t so volatile, but for now we’re looking good.
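
One way to guard against the lifetime-shorter-than-window mistake described above, as an added example that is not part of the original post. The function names are hypothetical; treating a lifetime equal to the window as invalid, and applying the same rule to FormsTokenLifetime, are assumptions.

```powershell
# Added example. Run in the SharePoint 2013 Management Shell on a farm server.

# Returns lifetime minus expiration window (2 - 1 = 1 minute in the post),
# and refuses values that would lock users out.
function Get-EffectiveTokenLifetime {
    param(
        [Parameter(Mandatory = $true)] [TimeSpan] $TokenLifetime,
        [Parameter(Mandatory = $true)] [TimeSpan] $ExpirationWindow
    )
    $effective = $TokenLifetime - $ExpirationWindow
    if ($effective -le [TimeSpan]::Zero) {
        # Assumption: equal values are rejected too, since they leave no usable lifetime.
        throw "Token lifetime $TokenLifetime must be longer than LogonTokenCacheExpirationWindow $ExpirationWindow."
    }
    return $effective
}

# Validates first, then applies; returns the old and new values for the change record.
function Set-StsTokenLifetime {
    param(
        [Parameter(Mandatory = $true)] [TimeSpan] $WindowsTokenLifetime,
        [Parameter(Mandatory = $true)] [TimeSpan] $FormsTokenLifetime,
        [Parameter(Mandatory = $true)] [TimeSpan] $ExpirationWindow
    )
    # Both checks run before the farm is touched; a throw here changes nothing.
    $windowsEffective = Get-EffectiveTokenLifetime -TokenLifetime $WindowsTokenLifetime -ExpirationWindow $ExpirationWindow
    $formsEffective   = Get-EffectiveTokenLifetime -TokenLifetime $FormsTokenLifetime -ExpirationWindow $ExpirationWindow

    $sts = Get-SPSecurityTokenServiceConfig
    $result = New-Object PSObject -Property @{
        OldWindowsTokenLifetime = $sts.WindowsTokenLifetime
        OldFormsTokenLifetime   = $sts.FormsTokenLifetime
        OldExpirationWindow     = $sts.LogonTokenCacheExpirationWindow
        NewWindowsEffective     = $windowsEffective
        NewFormsEffective       = $formsEffective
    }

    $sts.WindowsTokenLifetime            = $WindowsTokenLifetime
    $sts.FormsTokenLifetime              = $FormsTokenLifetime
    $sts.LogonTokenCacheExpirationWindow = $ExpirationWindow
    $sts.Update()
    return $result
}

# The values used in the post:
# Set-StsTokenLifetime -WindowsTokenLifetime (New-TimeSpan -Minutes 2) `
#                      -FormsTokenLifetime (New-TimeSpan -Minutes 2) `
#                      -ExpirationWindow (New-TimeSpan -Minutes 1)
# Follow with iisreset, as in the post.
```

The returned old values are what you need to restore the earlier settings once group membership stops changing so often.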

Here are a couple references we used to get to this result:
http://blog.amhawkins.com/2012/12/17/setting-the-sharepoint-2010-token-timeout-property/
http://blog.robgarrett.com/2013/05/06/sharepoint-authentication-and-session-management/ (specific to ADFS, but after being shown this through a co-worker I really started to understand lifetime and expiration dependencies)

For any security and/or IT Pro experts reading this, please comment and correct me where I’m wrong or was too vague.

Office Web Apps, PowerShell, Technical

Prereqs for Office Web Apps Server 2013

Just a quick programming note for our home viewers installing Office Web Apps 2013 on Windows 2008 R2. If you’re following the instructions on TechNet, they list the following prereqs as of the writing of this post:

  • Windows Server 2008 R2 Service Pack 1
  • .NET Framework 4.5
  • Windows PowerShell 3.0
  • KB 2670838

Ignore that last one. Another prereq that OWA checks when you try to create a new farm running New-OfficeWebAppsFarm is for KB2592525, although the TechNet article doesn’t mention that. If you install 2670838 and then try to install 2592525, you’ll get a message stating that the update doesn’t apply, so you aren’t allowed to install the update and can’t create your OWA farm.

If you did install 2670838, just uninstall it and you’ll be good to go.

PowerShell, SharePoint, SQL Server, Technical

SSRS, SharePoint 2013, and SQL 2012 Standard Edition

When building out a new farm using SQL 2012 Standard and SharePoint 2010, a multi-server farm deployment with a dedicated SSRS server was possible. In SharePoint 2013 with SQL 2012 SP1, not so much possible, but with additional “gotchas”. To be clear, here’s the architecture:

[Image: farm architecture diagram]

SP-WFE1 and SP-WFE2 are just front ends, so really the three boxes we care about are SP-APP1 (running central admin), SP-SSRS (where we want SSRS to run), and our SQL box.

Following these guidelines from TechNet and this blog article pointing out some gotchas, we can extract the gist of what the steps are:

  1. Install SQL Server 2012 SP1 on SQL box
  2. Install “Reporting Services – SharePoint” and “Reporting Services Add-in for SharePoint Products” on SP-APP1 and SP-SSRS
  3. Install “Reporting Services Add-in for SharePoint Products” on SP-APP1 (don’t install the “Reporting Services – SharePoint” component)
  4. Install “Reporting Services – SharePoint” and “Reporting Services Add-in for SharePoint Products” on  SP-SSRS
  5. Run  Install-SPRSService and Install-SPRSServiceProxy on SP-APP1 and SP-SSRS
  6. Start the “SQL Server Reporting Services” service on SP-SSRS
  7. Create a new SQL Server Reporting Services service application

The result is a new service app, but it will throw an error when you try to access its settings through Central Administration. Viewing the ULS error, it will tell you that it received a 503 error when calling the reporting web service on the app server. Well, that makes sense because we didn’t start the service on the app server; we want it to run on our SSRS server. If you look in IIS on the app server, the reporting site doesn’t exist. If you look in IIS on your SSRS box, it will exist. The URL will be something like http://sp-ssrs:32843/{GUID}/ReportingWebService.svc, with the GUID getting generated when you start the SQL Server Reporting Service.

So now we’re in quite a quandary. If you try to start the service on your app server to create the reporting web service, you’ll get an error stating that the version of SQL doesn’t support a scale-out farm. It seems like SharePoint is looking at servers in the farm with Reporting Services installed on it, regardless of whether the service is running on that server, when checking licensing. Well, we can’t uninstall Reporting Services from our app server since we would then lose the ability to create a service app, so we’re screwed.

Taking a look at the feature comparison, Standard definitely does not support a scale-out deployment. However, unless I’m misinterpreting the definition of farm scale-out, that’s not what this architecture is. Since we are trying to run Reporting Services on a single instance in the farm, this should be covered by Standard license.

Bummer. So, for now, we can’t do the above architecture using Standard. Maybe I’m wrong and I’m missing a configuration step somewhere. If so, please chime in.

—————————————————————————-

By the way, there are two versions of SQL Server 2012 with SP1 installs out there. One says it’s SP1, but doesn’t really install SP1. At some point, this was resolved so the latest package does install SP1 as it should. After you install SQL, you should see a version of 11.1.3000.0 or higher. If you don’t, you still need to install SP1 over your install. This goes for SQL Server as well as the SQL components you install on your SharePoint servers. The latest installs can be found here, with either a slipstreamed ISO or a SP1 executable.

If you miss this and get a new SSRS Service App created, it will throw an error. ULS logs will show a 500 error, and when navigating to the reporting service URL you will see that it can’t read the configuration file. Diving into the 15 hive, you will notice that there is no “Reporting” folder under “15\WebServices”, which is where the IIS site is looking for its configuration settings. There will be one in the 14 hive. After installing SP1 on the SharePoint servers you will see this folder and know you’re good to go.

<UPDATE>I was able to get the above architecture configured correctly by making the changes noted in the post. Turns out the trick was to not install the Reporting Services – SharePoint component on the APP box. Thanks go to my co-worker Mark for helping me with that one.

PowerShell, SharePoint, Technical, Workflow

Install & Configure Workflow in SharePoint 2013 Multi-Server Farm

Recently going through a farm install and configuration of Workflow in a 2013 multi-server farm, I learned a couple things along the way that weren’t covered by the still-catching-up documentation.

First of all, prior to RTM, the messaging was that Workflow needed to be installed on a dedicated server and could not be on an existing server in your farm. This changed when RTM became available and it is now supported, although perhaps not recommended for environments needing scalability, redundancy, and availability to support a high throughput of processes. In my case, I chose to install and run Workflow on an app server that was running Central Administration.

Once that decision is made, we need to make sure we have the accounts and groups in AD we need:

  • Install account – A domain user with admin rights on the server being configured, as well as SysAdmin rights in SQL Server
  • RunAs account – A domain user with login rights to SQL Server (additional rights will be granted during the configuration)
  • Admin group – A domain security group with the RunAs account as a member, optionally the Install account as a member as well (see note later regarding starting the service)

A couple other requirements noted in the documentation that need to be checked:

  • SQL Server 2008 R2 SP1, SQL Server Express 2008 R2 SP1, or SQL Server 2012
  • TCP/IP connections or named pipes configured in SQL Server
  • Windows Firewall enabled
  • Ports 12290 and 12291 must be available (the configurator will open these ports in the firewall and use them for workflow traffic)

Now we can start the install and configuration of Workflow Manager (download link). The TechNet documentation (and here) is pretty bare, but it was sufficient to get me going. The installer will install any prerequisites that are missing and then install Workflow Manager. For configuring, you can either use the Configuration Wizard or PowerShell. I went with the wizard since the PowerShell documentation on Workflow was a skeleton and didn’t have much. I went with the Custom Settings option in the wizard so I had more control over things like database names. I also let the wizard generate a certificate for me with my provided key. If you don’t have your own, we’ll need to use this later. Everything else should be self-explanatory.

Depending on your scenario, the next steps may vary. The TechNet article covers the options well so I won’t repeat them, but the decision is based on whether Workflow Manager is on a server in the farm and whether communication is over HTTP or HTTPS (in production, you should be using HTTPS). I have Workflow Manager on a server in my farm using HTTPS so I needed to:

  • Install my certificates on my WFEs by exporting the cert and then importing it into the Trusted Root Certification Authorities store in each WFE, and then running New-SPTrustedRootAuthority cmdlet (all of which is covered well on TechNet)
  • Install the Workflow Manager Client on each WFE (download link above)
  • Run the Register-SPWorkflowService cmdlet:
    Register-SPWorkflowService -SPSite "https://myserver/mysitecollection" -WorkflowHostUri "https://workflow.example.com:12290"

That last step has a couple things worth noting.

  1. To get the WorkflowHostUri, go into IIS where you installed Workflow Manager and find the workflow service web application. Check its properties to get the Uri, with port (which is the same port you entered during the configuration, by the way)
  2. The command needs to be run using an account that is a member of the admin group you created earlier. If you added your install account, you can use that. If you didn’t, you need to run the command as your RunAs account
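
The certificate step from the list above, as an added example that is not part of the original post. The thumbprint comparison is an addition: anything placed in Trusted Root Certification Authorities is trusted machine-wide, so the exported file is checked against a thumbprint read on the Workflow Manager server before it is imported. The function name, parameter names and default authority name are hypothetical.

```powershell
# Added example. Run in the SharePoint 2013 Management Shell on each WFE.
# $CerPath: the exported Workflow Manager certificate (.cer, public key only).
# $ExpectedThumbprint: read from the certificate on the Workflow Manager server itself.
function Add-WorkflowCertificateTrust {
    param(
        [Parameter(Mandatory = $true)] [string] $CerPath,
        [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint,
        [string] $AuthorityName = "Workflow Manager"
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    # Strip spaces and invisible characters that come along when a thumbprint
    # is copied out of the certificate dialog.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Certificate not imported."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter). Certificate not imported."
    }

    # Windows trust: Trusted Root Certification Authorities, local machine.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Root", "LocalMachine"
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $present) { $store.Add($cert) }
    }
    finally {
        $store.Close()
    }

    # SharePoint trust: skip if this certificate is already registered.
    $registered = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
    if (-not $registered) {
        New-SPTrustedRootAuthority -Name $AuthorityName -Certificate $cert | Out-Null
    }

    return $cert.Thumbprint
}

# Add-WorkflowCertificateTrust -CerPath "<path to exported .cer>" -ExpectedThumbprint "<thumbprint from the Workflow Manager server>"
```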

Following the TechNet docs, your next step would be to validate the install using SharePoint Designer. It’s been my experience that SPD will only be able to create 2013 workflows after two more steps, that aren’t documented:

  1. You need to have an App Management Service Application created. You don’t need to completely configure apps in your environment, but you need to at least create the service app or you’ll get an error when you publish a workflow from SPD.
  2. I wasn’t getting the 2013 workflow option to appear in SPD at first. I didn’t find the culprit, but a reboot of the Workflow Manager server did the trick for me.

If you need help creating an App Management Service Application, here are some scripts:

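Register-SPWorkflowService -SPSite "https://myserver/mysitecollection" -WorkflowHostUri "https://workflow.example.com:12290"
# $applicationPool must reference an existing service application pool; replace the placeholder with its name
$applicationPool = Get-SPServiceApplicationPool -Identity "<application pool name>"
$appAppSvc = New-SPAppManagementServiceApplication -ApplicationPool $applicationPool -Name "App Management Service Application" -DatabaseName "AppManagement_DB"
New-SPAppManagementServiceApplicationProxy -ServiceApplication $appAppSvc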

You should be able to create 2013 workflows after all that. If you run into any hiccups, post a comment and I’ll do what I can to help out.

PowerShell, SharePoint, Technical

Move Content Type Hub

I wouldn’t by default recommend moving a content type hub, but realizing there may be a need to do so at some point, here is a process for moving the hub. There may be some repercussions of doing a move that have not yet been realized, which may be why Microsoft doesn’t allow you to change the Hub Uri in a Managed Metadata Service properties window once it’s been set.

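# Confirm the backup file was written before removing the old site collection
Backup-SPSite http://OldHubUrl -Path "<backup file path>"
Remove-SPSite http://OldHubUrl
Restore-SPSite http://NewHubUrl -Path "<backup file path>"
Set-SPMetadataServiceApplication -Identity "<Managed Metadata Service Name>" -HubUri http://NewHubUrl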

Once that’s done, the content types in the subscriber site collections will still look like they’re subscribed. They’ll be read only, and if you look on the Content Type Publishing page (Site Settings –> Content type publishing) you will see them listed with the new hub URL. However, the next time the subscriber job runs on the server, the content types will become editable. To fix this, you will need to republish your content types to get them reconnected to the new hub. Don’t forget this last step.

Use at your own risk.

PowerShell, SharePoint, Technical

Missing Upload.aspx in a Document Library

A departure from my normal post…I usually try to stick to only posting solutions to weird situations I run into, or recommendations from real world experiences, or the occasional post on community or work activities. Not this time. This post technically falls into the first category (solution to a weird situation), but is really a cry for help.

Problem Definition
The problem is having a document library that is missing the Upload.aspx form, which should be associated to the SPList.DefaultNewFormUrl property of the library. There are a few different ways to get there. I ran into it because of a web template I built that was missing the creation of the Upload.aspx file, so as sites were created with this template, everything worked fine except for “Upload Multiple Documents” and “New Folder” functionality. Both require the existence of the Upload.aspx file mapped to the DefaultNewFormUrl property to work properly. My bad.

Once the bug was identified, I fixed it in the template, but we still had existing sites that had the problem. Deploying a new version of the web template doesn’t retroactively fix existing sites, so we needed to find another solution.

Manual Fix
Although not ideal, there is a way to manually fix this issue:

  1. Open the site in SharePoint Designer and open “All Files” –> [Affected Doc Lib] –> Forms directory
  2. Right click, New, ASPX, name it “Upload.aspx”, and open the file
  3. Still in Designer, open another library with a good Upload.aspx file and open that file
  4. Copy the source from the good Upload.aspx file and paste it into the Upload.aspx source of the new file just created
  5. Change a few values in the properties of the ListFormWebPart:
    1. “Title” should be the title of the document library
    2. “ListName” should be the ID of the list, with curly brackets surrounding the ID
    3. “ListId” should be the ID of the list, without curly brackets
  6. Save the file

That should do it. Now you can upload multiple files, and create new folders. Sweet!

Desired Fix
Here’s where I deviate from my normal theme of blog postings. Although the manual fix is nice, what I really wanted was a way to script the fix so we could quickly and repeatedly update multiple libraries that were affected. This need leads me to PowerShell and figuring out how to add the Upload.aspx file to the affected libraries through a script.

After a bit of searching, I found a blog post on how to programmatically add a custom list form to a list. This was a great kick start to what I wanted to do. Converting that to PowerShell led to:

$web = Get-SPWeb http://svr1/sites/teamportal/ProjectSite
$badlib = $web.Lists["Change Requests"]
# Create Upload.aspx in the library's Forms folder as a form page
$uploadfile = $badlib.RootFolder.Files.Add("/sites/teamportal/ProjectSite/ChangeRequests/Forms/Upload.aspx", [Microsoft.SharePoint.SPTemplateFileType]::FormPage)
# Add a ListFormWebPart bound to the library and configured as its New form
$limitedwebpartmanager = $uploadfile.GetLimitedWebPartManager([System.Web.UI.WebControls.WebParts.PersonalizationScope]::Shared)
$webpart = New-Object Microsoft.SharePoint.WebPartPages.ListFormWebPart
$webpart.ListId = $badlib.ID
$webpart.PageType = [Microsoft.SharePoint.PAGETYPE]::PAGE_NEWFORM
$limitedwebpartmanager.AddWebPart($webpart, "Main", 0)
# Point the library's new-form URL at the new file and persist the change
$badlib.DefaultNewFormUrl = "/sites/teamportal/ProjectSite/ChangeRequests/Forms/Upload.aspx"
$badlib.Update()
$web.Dispose()

Running this script added the Upload.aspx file to the library and properly associated it with the DefaultNewFormUrl property of the library. Multiple upload worked great. Adding a new folder was looking good…clicking on New Folder would open the correct form with the ribbon and Name field, but after clicking Save, would throw an error “Value does not fall within the expected range” for SPFileSystemObjectType when trying to create the folder.

For the life of me, I cannot figure out how to fix that! So here’s the challenge:  Duplicate this in your environment by creating a document library, opening the site in SharePoint Designer, open the Forms directory in the library, delete the Upload.aspx file, and then create a PowerShell script to add a new Upload.aspx file that works. If you make more progress than I did, please comment.

Thanks!