Making SharePoint Trust Enterprise CAs

If you have an enterprise PKI, or even just a single CA, that issues certificates to services such as ADFS or Workflow Manager that you intend to use with your SharePoint farm, it is worthwhile importing your Root and Intermediate CA certificates into SharePoint so that it trusts those services.

Currently we have a PKI setup similar to the following:

-Enterprise Root CA (Offline)
—Enterprise Intermediate CA (Offline)
——Web Services CA (Online)
——Authentication CA (Online)

The Root and the Intermediate CA are offline and secured except for planned maintenance, such as publishing new certificate revocation lists. The Web Services CA is the CA that issues the certificates we use for web services like Workflow Manager, and the Authentication CA issues the ADFS signing Certificate, which also needs to be trusted by SharePoint.

First of all, you need to grab a copy of the certificate of each CA in the chain. If your PKI is configured correctly they should be readily available, so I won’t go into that process. If you are exporting them from the CA servers, DO NOT export the private keys: SharePoint doesn’t need them and exporting them would be a major security concern. Once you have them, copy them to a directory on your SharePoint server(s).

Then make sure the certificates are in the trusted root certificate authorities store on every server in your farm. The easiest way to do this is to publish the certificates using Group Policy, but you can do it manually if you like. Simply follow these steps on each server in the farm:

  1. Double click the first certificate.
  2. Click Install.
  3. Select “Local Machine” and click Next.
  4. Click Yes on the UAC prompt.
  5. Select “Place all certificates in the following store”.
  6. Click Browse and select “Trusted Root Certificate Authorities” or “Intermediate Certificate Authorities”, depending on whether the certificate is the root of the chain.
  7. Click Next.
  8. Click Finish.
  9. Repeat for each certificate in the chain.

On your SharePoint server, execute the following PowerShell commands for each certificate, changing “C:\RootCA.cer” to the path of each certificate and “Enterprise Root CA” to a friendly name for each CA.

# Load the public certificate (.cer, no private key) and register it as a trusted root in SharePoint
$path = "C:\RootCA.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
New-SPTrustedRootAuthority -Name "Enterprise Root CA" -Certificate $cert
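The snippet above registers one certificate at a time. The script below is an added example, not code from the original post, that walks a whole chain of exported .cer files, refuses any file that carries a private key, checks that each one really is a CA certificate, places roots and intermediates in the matching LocalMachine store, and then registers each with SharePoint. The file paths and friendly names are assumptions for illustration; the store and cmdlet names are the standard Windows and SharePoint 2010 ones.

```powershell
# Added example: import a CA chain into the local machine stores and SharePoint's trust list.
# Paths and names below are assumptions; replace them with your own exported CA certificates.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$chain = @(
    @{ Path = 'C:\PKI\RootCA.cer';           Name = 'Enterprise Root CA' },
    @{ Path = 'C:\PKI\IntermediateCA.cer';   Name = 'Enterprise Intermediate CA' },
    @{ Path = 'C:\PKI\WebServicesCA.cer';    Name = 'Web Services CA' },
    @{ Path = 'C:\PKI\AuthenticationCA.cer'; Name = 'Authentication CA' }
)

foreach ($entry in $chain) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($entry.Path)

    # A .cer export must never carry the key; stop rather than trust a file that does.
    if ($cert.HasPrivateKey) {
        throw "$($entry.Path) contains a private key. Export the public certificate only."
    }

    # Only accept certificates whose BasicConstraints extension marks them as a CA.
    $basic = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $basic -or -not $basic.CertificateAuthority) {
        throw "$($entry.Path) is not a CA certificate (BasicConstraints CA flag not set)."
    }

    # A self-issued certificate is the root of the chain; anything else is an intermediate.
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
    $store.Close()

    # Register with SharePoint unless a trust with this friendly name already exists.
    if (-not (Get-SPTrustedRootAuthority -Identity $entry.Name -ErrorAction SilentlyContinue)) {
        New-SPTrustedRootAuthority -Name $entry.Name -Certificate $cert | Out-Null
    }

    Write-Host ("{0}: thumbprint {1}, placed in LocalMachine\{2}" -f $entry.Name, $cert.Thumbprint, $storeName)
}
```

Run it once per SharePoint server from an elevated SharePoint Management Shell; the store step is per machine while the New-SPTrustedRootAuthority step is farm-wide, so re-running it on the next server is harmless because the name check skips the trust that already exists.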

If you don’t like PowerShell, or are unable to access it for whatever reason, you can also install the certificates from Central Admin:

  1. Navigate to Central Admin -> Security -> Manage Trust.
  2. Click “New”.
  3. Add a friendly Name for the certificate.
  4. Click Browse and select your certificate.
  5. Click OK.
  6. Repeat for each certificate in your PKI chain.

SharePoint 2010 User Profile Sync Observations

The past few days I have had the pleasure of working with User Profile Sync in SharePoint 2010 and my observations follow.

1. It’s shit! – Although Microsoft have improved this feature of SharePoint with a series of CUs, it is the most complicated part of SharePoint 2010 to set up, or at least the trickiest to troubleshoot.

2. It doesn’t like proxy servers – I struggled to get the UPS to start successfully for a full day. The log in ULS viewer was getting to “ILM Configuration: The ExportMiisEncryptionKey process completed successfully” before restarting the provision process. It turned out it was our automatic proxy configuration script that was causing the problems. To fix this I followed the steps below.

1. Hold Shift and Right-click Internet Explorer
2. Click Run as different user
3. Enter the credentials for your Farm account
4. Go to Tools > Internet Options > Connections > LAN Settings and either disable the “Automatically Detect Settings” check box or add an exception for your SharePoint server
5. Reboot Server

3. User Profile Picture Import could be more seamless – OOTB, SharePoint will import user profile pictures from AD. Unfortunately, not many of the guides on the internet mention that the import doesn’t create the required thumbnails automatically. This is a problem, as the images in AD are stored as a blob and the “Picture” field in the UPA expects a URL to the image. To fix this, run the following PowerShell command (I had to log in as the farm admin).

Update-SPProfilePhotoStore -CreateThumbnailsForImportedPhotos 1 -MySiteHostLocation http://mysitesurl

If you get a NullReferenceException when attempting to run this command, you don’t have the permissions to do so. This TechNet article explains the permission requirements for updating user profiles, along with a few other things.

All in all, this is a great product until it goes wrong, then it is an absolute beast!

I know all of this information is already available online, but the more times it is published the less time it will take for people to find it in Google 🙂

Custom File Type Icons in SharePoint 2010

Chances are that your company, like ours, is going to want to upload documents to SharePoint 2010 that are not recognised out of the box and therefore show the generic “blank document” style icon. Fear not! It’s relatively simple to add an icon for a certain file type, PDFs for example. These steps will need to be repeated on each WFE server in your SharePoint farm.

First, get an icon for PDF files, or any other file type for that matter. (The icon for PDFs can be found here.)

Then head over to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\IMAGES\ on your SharePoint server and place the downloaded icon there.

Once this is done, open C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\XML\DOCICON.xml in Notepad or something similar. Remember to make a backup of this file before you modify it, in case everything goes Pete Tong!

Look for the lines in the file that start with “<Mapping Key=” and add <Mapping Key="pdf" Value="pdficon_small.gif"/> on its own line among them (the element is self-closing, like the existing entries). Save the file when you are done.

Now, depending on your maintenance schedule, you need to restart IIS for this change to take effect. If you don’t have a set maintenance window, go ahead and open an elevated command prompt and type IISRESET. A system restart would also do the trick.

Once either the service has restarted, or your server is back up from that long reboot while the RAID card initiates, browse to one of your SharePoint sites and upload a PDF. Simple.

Of course this method can be used for any file type you like by simply substituting Key="pdf" with Key="<File Extension>" and Value="pdficon_small.gif" with Value="<Icon_Path.jpg>". Don’t forget that most web browsers will not render a .ico file though!
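Hand-editing DOCICON.xml on every WFE is easy to get wrong (a typo in the XML breaks icon rendering for every file type, and forgetting the backup leaves nothing to roll back to). The script below is an added example, not code from the original post, that does the same edit safely: it checks the icon file is actually in IMAGES, takes a dated backup, adds the mapping through the XML parser so the file stays well-formed, skips the change if the extension is already mapped, and optionally runs IISRESET. It assumes the 14-hive paths from the post and that DOCICON.xml keeps its Mapping elements under a ByExtension element, which is the layout of the stock file.

```powershell
# Added example: add a file-type icon mapping to DOCICON.xml with a backup and duplicate check.
# Run on each WFE. Default values reproduce the PDF case from the post; paths are the stock 14 hive.
param(
    [string]$Extension = 'pdf',
    [string]$IconFile  = 'pdficon_small.gif',
    [switch]$RestartIIS
)

$hive     = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE'
$xmlPath  = Join-Path $hive 'XML\DOCICON.xml'
$iconPath = Join-Path $hive "IMAGES\$IconFile"
$Extension = $Extension.ToLower()   # keys in DOCICON.xml are lower-case extensions without the dot

if (-not (Test-Path $iconPath)) {
    throw "Icon not found: $iconPath. Copy it to the IMAGES folder first."
}
if ($IconFile -like '*.ico') {
    Write-Warning 'Most browsers will not render a .ico here; use a .gif or .png instead.'
}

# Dated backup next to the original so the change can be reverted.
$backup = "$xmlPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $xmlPath -Destination $backup

[xml]$doc = Get-Content -Path $xmlPath
$byExt = $doc.DocIcons.ByExtension   # assumed layout: DocIcons/ByExtension/Mapping
if (-not $byExt) { throw 'Unexpected DOCICON.xml layout: no ByExtension element found.' }

$existing = @($byExt.Mapping | Where-Object { $_.Key -eq $Extension })
if ($existing.Count -gt 0) {
    Write-Host "Mapping for '$Extension' already present (Value=$($existing[0].Value)); nothing changed."
} else {
    # Build the element through the DOM instead of string concatenation so the file stays valid XML.
    $mapping = $doc.CreateElement('Mapping')
    $mapping.SetAttribute('Key', $Extension)
    $mapping.SetAttribute('Value', $IconFile)
    [void]$byExt.AppendChild($mapping)
    $doc.Save($xmlPath)
    Write-Host "Added <Mapping Key=`"$Extension`" Value=`"$IconFile`"/> to $xmlPath (backup: $backup)."
}

# IIS only reads DOCICON.xml at startup, so the mapping shows up after a reset.
if ($RestartIIS) { iisreset }
```

Usage from an elevated prompt: `.\Add-DocIcon.ps1 -Extension pdf -IconFile pdficon_small.gif -RestartIIS`, or without the switch during business hours and reset IIS in your maintenance window.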

SharePoint 2010 “Group cannot be found” error

I ran into a very interesting error in SharePoint today and thought I would document it as I attempt to fix it. Hopefully it will help somebody else in the future.

In my site collection -> Site Actions -> Site Settings -> People and Groups I noticed that all of my groups were duplicated. If you try to click on one of the groups to edit it there is no issue, but the second group throws the following error.

I was actually going to delete a load of groups to start with, so I decided to delete them all and re-create the ones I need. Since I can’t get in to edit the group in the GUI, I tried PowerShell on the server. This didn’t work either and bombed me out with the same error.

Now what? I decided to check Central Admin and take a look at the content databases. There appeared to be 2 site collections in the content database. I can only remember creating 1, although the site was migrated from SharePoint 2007 so maybe that had something to do with it.

I then backed up the content database and restored it in our development environment to do a bit more digging. When you hover over the group name in SharePoint the URL has ID=### at the end. I fired up MS SQL Management Studio and took a look in the “Groups” table and noticed that the groups present had the same IDs as the URLs for the groups displayed in SharePoint that I could still edit. There were no rows for the groups that I could not edit though. It looks like the groups have had their IDs changed for some reason.

Then I edited the table and copied the row of a working group and inserted a new row, pasting from my clipboard and changing the ID to the ID in the URL of the group that was not working. I couldn’t commit this as the Title already existed in the table, so I added a 1 to the end of the title for the row I had just created and committed it.

I went back to SharePoint and clicked on the group that was not working. It worked…. I could now click Settings -> Group Settings -> Delete and the group was gone, both from SharePoint and from the Groups table.

I seriously wouldn’t recommend this on a live server, but I repeated these steps in our development environment for each group and I was successful in deleting all of the groups from the SharePoint site collection.
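Before anyone reaches for Management Studio, it is worth establishing from the supported side which groups are actually broken. The script below is an added example, not part of the original post, that lists a site collection’s groups through the SharePoint object model, flags names that appear more than once, and tries to resolve each ID the same way the People and Groups page does (the ID=### in the URL), so a group whose row is missing from the content database shows up as BROKEN without touching SQL. The site URL is an assumption; the cmdlet and object-model members are the standard SharePoint 2010 ones, and the script is written for the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example: read-only check for duplicated or unresolvable SharePoint groups.
# Only reads through the object model; it changes nothing. Site URL below is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'http://sharepoint.example.local/sites/team'
$site = Get-SPSite -Identity $siteUrl
try {
    $web = $site.RootWeb

    # Snapshot ID, name and owner of every site group (PS 2.0 friendly object construction).
    $groups = @($web.SiteGroups | ForEach-Object {
        New-Object PSObject -Property @{ ID = $_.ID; Name = $_.Name; Owner = $_.Owner.Name }
    })
    Write-Host ("{0} groups found in {1}" -f $groups.Count, $web.Url)

    # Names listed more than once: the symptom described above.
    $groups | Group-Object -Property Name | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning ("Duplicate group name '{0}' with IDs {1}" -f $_.Name, (($_.Group | ForEach-Object { $_.ID }) -join ', '))
    }

    # Resolve each ID as the People and Groups page would; a missing backing row surfaces here.
    foreach ($g in $groups) {
        try {
            $resolved = $web.SiteGroups.GetByID($g.ID)
            Write-Host ("OK      {0,-6} {1} (owner: {2})" -f $resolved.ID, $resolved.Name, $g.Owner)
        } catch {
            Write-Warning ("BROKEN  {0,-6} {1}: {2}" -f $g.ID, $g.Name, $_.Exception.Message)
        }
    }
} finally {
    # SPSite holds unmanaged resources; release it even if the checks throw.
    $site.Dispose()
}
```

Run it as the farm account in the SharePoint Management Shell on a restored copy of the database first, as the post does; the output gives you the exact IDs and names to raise with Microsoft support or to compare against the Groups table, without modifying anything.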