SSRS Encryption key backup location

Backup the Report Services encryption key:

If you don’t specify the filepath optional argument when using the cmdlet “Backup-SPRSEncryptionKey”, the backup file will be saved in the following folder :

c:\windows\System32\[filename]
Advertisements

SharePoint, Powershell and FIM

Many, many posts can be found on the Internet regarding issues provisioning the User Profile Synchronization service with one of them being the Holy Grail :
Spencer Harbar’s Bible

Context :

2 of our 3 farms began to fail during the full farm backup procedure we perform every week. After looking in the ULS to check what was going on, it appeared that the UPSA failed to provision and was blocking the whole full farm backup.

The error found in the ULS was :

Event 9i1w : ILM Configuration : Error “ERR_CONFIG_DB”

Solution :

After digging a while, I found out it was linked to the Powershell Module “PSReadline“.

I add installed WMF 5.1 on the servers and installed the module at some point. What I didn’t knew was that the module PSReadline is loaded in all and every powershell console once it has been declared. It doesn’t appears in the profile files but it is still loaded.

This module seems to be in conflict with the UPSA provisioning method and makes the FIM installation crash at provisioning.

Lesson learnt :

DO NOT EVER CUSTOMIZE THE POWERSHELL CONSOLE ON SHAREPOINT SERVERS !!!!

ūüôā

SQL Server 2016 Configuration Manager

Another issue we came across, cannot use the SQL Server Configuration Manager from a machine where SQL Server isn’t installed.
This is kind of sad knowing that MS is pushing administrators to connect remotely on servers and make use of remote tools.

In order to use the SQL Server Configuration Manager snap-in integrated in the Computer Management MMC, you need at least the “SQL Server 20xx Common files” component which is installed when you install the Database Engine feature. You can check this by verifying directly in the uninstall section of the registry for MSI installations.

Get-ItemProperty -Path “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*” | Sort-Object Displayname | Select-Object DisplayName, DisplayVersion

So,¬†if you require the Configuration Manager, you need to install a local instance of the¬†Database Engine because the standalone version of SQL Server Management Studio doesn’t give you this ability.

Diagnostic

I used Process Monitor from SysInternals to find out that when loading the compmgmt.msc window on a machine having SQL¬†Server Database Enngine instance, it will load a specific DLL registered in the system. The ‘Computer Management’ snap-in will check if any extension has been registered for specific node types as defined here :
Computer Management Extensible Node Types
Here’s the flow :
First, it will read the extensions.
mRemoteNG_2017-03-15_15-19-24The MMC executable found an extension with the ID¬†{EE7F2DDB-1319-4227-8FD4-4EB51615D34A} referenced as ‘SqlcmSnapin’.
The ID {476E6449-AAFF-11D0-B944-00C04FD8D5B0} is the unique ID for the Computer Management snap-in (CompMgmt.msc).
It will then check the unique ID of the snap-in in the dedicated registry path ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns’.
mRemoteNG_2017-03-15_15-20-46
This entry validates the snap-in and gives it a friendly name (SQL Server Configuration Manager). We also see a first reference to the file used by the snap-in (C:\Program Files\Microsoft SQL Server\130\Tools\Binn\SqlManager.dll).
The MMC now will check if the snap-in is correctly registered in the local machine’s classes using the UID (HKEY_CLASSES_ROOT\CLSID{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}).
mRemoteNG_2017-03-15_15-21-41
Again, the entry is found and we can see a second reference to the DLL.

Once the registry keys have been validated, it will try to load the files located in the SQL Server common installation path ‘C:\Program Files\Microsoft SQL Server\130\Tools\Binn\’.
First, the ‘SQLManager.dll’ file and then the different resources files.
mRemoteNG_2017-03-15_15-22-48
mRemoteNG_2017-03-15_15-23-45

Knowing this, it was just a question of registering the correct files on my machine to force the loading of the SQL Server Configuration Manager snap-in.
For the files themselves, you need to copy them from an existing SQL Server installation though.

Below is the Powershell script to automate this little configuration :

$myserver = ‘tst-s04’

$SQLInstallPath = ‘Program Files\Microsoft SQL Server\130\Tools\Binn’

# Copy the SQLmanager dll file
If ( -not (Test-Path -Path “C:\$SQLInstallPath\SqlManager.dll”) ) {
Copy-Item -Path “\\$myserver\c$\$SQLInstallPath\SqlManager.dll” -Destination “C:\$SQLInstallPath”
}
# Copy the Resources folder
If ( -not (Test-Path -Path “C:\$SQLInstallPath\Resources”) ) {
Copy-Item -Path “\\$myserver\c$\$SQLInstallPath\Resources” -Destination “C:\$SQLInstallPath” -Recurse
}

# Register the snap-in keys
#Extension
If ( -not ((Get-ItemProperty “HKLM:\SOFTWARE\Microsoft\MMC\NodeTypes\{476E6449-AAFF-11D0-B944-00C04FD8D5B0}\Extensions\NameSpace”).'{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}’) -eq ‘SqlcmSnapin’ ) {
New-ItemProperty -Path “HKLM:\SOFTWARE\Microsoft\MMC\NodeTypes\{476E6449-AAFF-11D0-B944-00C04FD8D5B0}\Extensions\NameSpace” -Name ‘{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}’ -Value ‘SqlcmSnapin’ -PropertyType String
}
# MMC
$RegPath = ‘HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}’
If ( -not (Test-Path -Path $RegPath) ) {
New-Item -Path $RegPath -Force | Out-Null
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘(default)’ -Value ‘SqlcmSnapin’
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘NameString’ -Value ‘SQL Server Configuration Manager’
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘NameStringIndirect’ -Value ‘@C:\Program Files\Microsoft SQL Server\130\Tools\Binn\SqlManager.dll,-3’
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘About’ -Value ‘{E84BEF4D-385C-4113-AE37-2795FE726A18}’
$RegPath = ‘HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\NodeTypes’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
$RegPath = ‘HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\NodeTypes\{1D59FD70-D8B8-4425-B12B-72E32516A9E9}’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
$RegPath = ‘HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\NodeTypes\{B919722D-5ED6-44A2-A034-40C796E3E38E}’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
$RegPath = ‘HKLM:\SOFTWARE\Microsoft\MMC\SnapIns\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\StandAlone’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
}

# SQL Manager Class
If (-not (Get-PSDrive -Name ‘HKCR’ -ErrorAction SilentlyContinue) ) { New-PSDrive -Name ‘HKCR’ -PSProvider Registry -Root ‘HKEY_CLASSES_ROOT’ | Out-Null }

$RegPath = ‘HKCR:\CLSID\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}’
If ( -not (Test-Path -Path $RegPath) ) {
New-Item -Path $RegPath -Force | Out-Null
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘(default)’ -Value ‘SqlcmSnapin Class’
$RegPath = ‘HKCR:\CLSID\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\InprocServer32’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘(default)’ -Value ‘C:\Program Files\Microsoft SQL Server\130\Tools\Binn\SqlManager.dll’
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘ThreadingModel’ -Value ‘Apartment’
$RegPath = ‘HKCR:\CLSID\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\ProgID’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘(default)’ -Value ‘SQLManager.SqlcmSnapin.5’
$RegPath = ‘HKCR:\CLSID\{EE7F2DDB-1319-4227-8FD4-4EB51615D34A}\VersionIndependentProgID’
If ( -not (Test-Path -Path $RegPath) ) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -PropertyType String -Path $RegPath -Name ‘(default)’ -Value ‘SQLManager.SqlcmSnapin’
}

PowerPlan, WMI, GUI and Windows Server 2012

Howdy !

If you try to configure the power plan settings of your servers using DSC, you might come into the below issue if you are using one of the following resource : xPowerPlan or cPowerPlan. They both call WMI classname.

The WMI class ‘Win32_PowerPlan‘ of the namespace ‘root/cimv2/power’ is only available¬†when using a FULL GUI Windows Server 2012 (R2). If you switch to CORE flavor, the classname becomes inaccessible.

At the moment you are using a¬†Core only OS, this classname¬†doesn’t works anymore under Windows 2012 and 2012 R2 except for Windows 2016 Core.

You can quickly check the falvor of your OS with the following cmdlets :

$Computer = ‘yourMachine’
$sb = {
Get-ItemProperty ‘HKLM:\Software\Microsoft\Windows NT\CurrentVersion’ -Name Productname | Select -expa ProductName
Get-Item ‘HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels’ | ft -AutoSize
}

icm -ScriptBlock $sb -ComputerName $Computer

Cheers,
MW

PowerShell DSC Encryption issue

Context

While working on a new setup, we had to deploy some binaries on a server using DSC.

To make the process scale for many machines, we created a network share to host the binaries in order to centralize the access. In the DSC world, this meant we had 2 options :

1- Add the computer account of each machine accessing the share in the permissions of the share.

2- Use the encryption feature in DSC (define an account in the MOF in order to access the share)

During the testing phase, everything went well. The configuration was as is :
Authoring machine : Windows 10, Powershell 5.1.14393.693
Target machine : Server 2016, Powershell 5.1.14393.0

Issue

We then¬†deployed the configuration on a Windows Server 2012 R2 and the LCM kept getting in error, throwing the message “Decryption failed. LCM failed to start desired state configuration manually.”
powershell_2017-01-19_10-00-07

Digging a little deeper in the ‘Microsoft-Windows-Desired State Configuration/Operational’ event log,¬†just before the “Decryption failed” error, another error was caught :
“Message Invalid provider type specified.”mremoteng_2017-01-19_10-23-16

With the help of the Internet and some querying, I was able to “decrypt” our issue. I began by reading this nice article :
https://hyper-v.nu/archives/bgelens/2015/02/integrating-vm-role-with-desired-state-configuration-part-7-creating-a-configuration-document-with-encrypted-content/
Which led me to review the certificate we used for the DSC encryption.

The initial setup was using a CA issued custom certificate we created following Microsoft’s recommendation stated here :
https://msdn.microsoft.com/en-us/powershell/dsc/securemof#certificate-requirements
firefox_2017-01-19_10-31-36
And since we wanted to follow the MS’ Best practices, we configured our certificate template using the provider ‘Microsoft RSA SChannel Cryptographic Provider’.

Solution

The caveat with this configuration is that Windows Server 2012 R2 doesn’t know how to decrypt¬†anything using the ‘Microsoft RSA SChannel Cryptographic Provider‘. Even if you deploy WMF 5.1 Preview, it won’t help.
If you use the Self-Signed certificate generator script, it will work flawlessly because it actually uses the legacy provider named ‘Legacy Cryptographic Service Provider‘.

Either you create a certificate template¬†using the Provider category ‘Legacy Cryptographic Service Provider’ thus not following Microsoft’s certificate requirements or you use only self-signed certificate using the custom script or you upgrade your OS to Windows 2016.

Regards,
MW

SharePoint 2013, AlwaysOn, Availability group and SQL alias

Bonjour,

I had a story at my company where I had to migrate the SharePoint databases to a fresh AlwaysOn Availability Group (AOAG) SQL Instance. This move wasn’t an issue until we found out that our backup script (which is performing a “Backup-SPFarm” cmdlet) failed to re-provision the User Profile¬†Synchronization (UPS) Service.

Context

The issue all came down from the¬†fact that the UPS database was now configured with the AlwaysOn feature, therefore, any operations to the DB couldn’t occur anymore.

The error message in the ULS was :

SqlError: ‘The operation cannot be performed on database “UserProfile-Sync-DB” because it is involved in a database mirroring session or an availability group. Some operations are not allowed on a database that is participating in a database mirroring session or in an availability group.’¬†¬†¬† Source: ‘.Net SqlClient Data Provider’ Number: 1468 State: 1 Class: 16 Procedure: ” LineNumber: 5 Server: ‘AG Listener Name’

When the move to the new AlwaysOn SQL server happened, the operation went pretty smoothly since we are using SQL alias. We only updated our current alias name to redirect to the new SQL instance.

Updated configuration :
SQLAlias-AG-01

After some research, we found out that this is a “internet” known issue and can also occur on the Usage and Health database when performing patching of SharePoint farms.

Hence, we decided to modify the configuration and implement a better integration between SharePoint and AlwaysOn by using the SharePoint Database Availability Group cmdets. It will give us the flexibility to manage the databases in the AOAG directly from SharePoint.

In this initial setup, SharePoint isn’t aware of the AlwaysOn service running beneath¬†it. It only sees the SQL Alias and has no way to know which SQL server is running behind the SQL Alias ; it is a regular connection string.

By explicitly declaring to SharePoint that the databases are hosted by a HADR system, SharePoint Admins keep some visibility and control over the AOAG.

Availability Group Listener (AGL) and port attribution

When your AGL is configured to use the¬†default port (1433) and you don’t use SQL alias, you will surely have no issue when configuring your environment.
The troubles arises when you use SQL alias or have a custom port defined for the AGL, let’s say 25066 for the example.

  • When using a SQL alias (redirecting to the AGL), SharePoint will¬†fail retrieving the “Availability Group listeners”.
    SQLAlias-AG-02
  • When¬†using a custom port for the AGL, SharePoint will check the database server by using¬†a trimmed version of the data source.
    SQLAlias-AG-03
SQL Alias

You can use SQL Alias with Availability Group Listener as long as the SQL alias uses the same DNS entry as the AGL.

Availability Group Custom Port

You must use a SQL Alias to bypass the SharePoint port validation.

Solution (for both scenarios)

In both cases, you must use a SQL alias that mirrors the AGL dns name. For example, if your AGL is “AGListener” on port 25066.
SQLAlias-AG-05

Some in-depth details :

I was able to pinpoint this issue by decompiling the SharePoint assembly and verify the logic behind the powershell cmdlets. I found the root issue in the “UpdateDataSource” method of the Database object.
SQLAlias-AG-04
When trimming the datasource from its port, it then sends the port-less server string to the method “ChangeDatabaseInstance” which¬†itself calls “ValidateDatabaseServer”.
At this point, it won’t be able to validate the connection to the SQL server because¬†of the modified server string.

Cheers !
MW

PS:¬†I wasn’t able to find anything on the web regarding this particular issue except 1 slide that confirmed my troubleshooting.
Ref: http://blogs.technet.com/b/fromthefield/archive/2015/04/23/sharepoint-2013-amp-sql-alwayson-sharepoint-evolution-conference-2015.aspx РSlide 30

Quickly reset Firefox’s certificate store and exceptions

Hey there,

A quick PowerShell function to reset the certificate store and certificate exceptions for all firefox profiles. Can be handy in organisations when performing tests with certificate configuration and firefox.

shack/Reset-MAKFirefoxCertificateSettings.ps1


Function Reset-MAKFirefoxCertificateSettings{
# Certificate DB and exceptions reset
If(Get-Process -Name "firefox" -ErrorAction SilentlyContinue){Stop-Process -Name "firefox"}
Get-ChildItem -Path "$Env:APPDATA\Mozilla\Firefox\Profiles" -Recurse -Include "cert8.db","cert_override.txt" | ForEach-Object {
If(Get-ChildItem -Path "$Env:APPDATA\Mozilla\Firefox\Profiles" -Recurse -Include "$($_.Name).old" -ErrorAction SilentlyContinue){
Remove-Item -Path "$Env:APPDATA\Mozilla\Firefox\Profiles" -Recurse -Include "$($_.Name).old"
}
Rename-Item -Path $_ -NewName "$($_.Name).old"
}
}

Read-Host -Prompt "Press a key to continue and reset the Firefox settings."
Reset-MAKFirefoxCertificateSettings

Quickly generate PFX files for the Central Certificate Store from a SAN certificate

  • Define location of the certificate.
     $CertPath = 'C:\MyDisks\Certificates\MyCDN.mydomain.org.pfx' 
  • Load the certificate
     $Cert = Get-PfxCertificate -FilePath $CertPath

    [Enter the password in the credential prompt]
    OR

     $Pass = ConvertTo-SecureString -String 'TheSecurePasswordOfCertificate' -AsPlainText -Force
    [System.Security.Cryptography.X509Certificates.X509Certificate]::new($CertPath,$Pass) 
  • Generate the files using the DNS Names of the certificate
     $Cert.DnsNameList | %{Copy-Item -Path $CertPath -Destination C:\MyDisks\TMP\$($_.unicode).pfx} 

Red X in PowerPivot Management Dashboard

We were in a situation were the “Workbook Activity – Chart” of the PowerPivot Management Dashboard was showing a red X. Our authentication provider is Kerberos so we applied the according SPN to our accounts. We also modified the web.config file of PowerPivot web service to support Kerberos delegation. We were also aware that ADOMD.NET in required on the server running the Central Administration site if you don’t want to have that specific red X. Our farm is under SharePoint 2013 and when you install the spPowerPivot.msi package from SQL Server 2012 it is installing ADOMD.NET package. We decided to install it manually to make sure it’s not an issue with the install but the error was still present. We went through the ULS logs and nothing was showing us that an issue is happening except this entry:

“System.Runtime.InteropServices.COMException: The file you are attempting to save or retrieve has been blocked from this Web site by the server administrators”

Again, when looking at the logs, we validated that the Central Administration site was configured in the “Trusted File Location” of the Excel Service. We decided then to look at the Event Viewer on the server and were hoping something interesting could be present. We were seeing an error but were thinking it is not related since our farm was not still live and our web applications were in NTLM to not break our actual production under SharePoint 2010.

Error

We decided to refresh the page and noticed that the refresh triggered the error again. We then look directly in IIS for the authentication providers of the Windows authentication and found out that only NTLM was present. We added Negotiate and the issue was fixed. The issue was coming from a configuration that didn’t get applied when we changed the authentication provider of the Central Administration site. It was correctly applied in another environment so we probably faced a bug when we did our change. At least, everything is now running well.

ULS Viewer crashes when viewing SharePoint 2013 logs

Hello there,

A quick tip for those who encountered the ULS viewer crash with SharePoint 2013 as my colleagues and me.

Scenario

  • SharePoint 2013
  • ULS viewer

Issue

When opening a SharePoint log containing “verbose” logging with ULS viewer, this one crashes after processing all the data. This makes the tool unusable at some extent.
This issue doesn’t appear if you don’t set the logging level to at least “Verbose“.

Fix

Although I don’t know what is going on in the background, the quick fix for this is to disable in the option the feature “correlation tree”.

  1. Open Uls Viewer
  2. Go in menu “Tools/Options…”
  3. Uncheck the option “Enable correlation tree”
    ULSViewer-crashes

 

 

 

 

 

 

 

 

Happy troubleshooting !