SharePoint 2010: Adding SAML Claim permission for All Authenticated Users using PowerShell.

February 1, 2017

I recently had to convert one of my SharePoint 2010 Web Applications from using Windows Claims/NTLM to use SAML Claims, removing the need for NTLM authentication by using a Claims Provider (ADFS) for authentication. When doing so, permissions on the SAML Claims Web Application broke because it was still leveraging the Windows Claims permissions. Since the NTLM permission was removed at the Web Application level, and Anonymous Access permissions were also removed to meet the DISA STIG requirement, this in turn restricted access for users who used to have “read” rights to the Portal. To fix this problem I had to grant the “read” permissions for the SAML Claims ‘All Authenticated Users’ to all Site Collections / Sites so these users could once again gain access. Below is how I accomplished this using PowerShell.

————————————————————————–

$webApp = Get-SPWebApplication "[WEB APPLICATION URL]"
$sts = Get-SPTrustedIdentityTokenIssuer "[CLAIMS PROVIDER TOKEN ISSUER NAME]"

$PermLevels = @{}

"URL `t" + "userName `t" + "userLogin `t" + "userEmail `t" + "permissionLevel `t" + "SAMLClaim" >> User_Permissions_AllAuthenticatedUsers.csv

foreach ($web in $webApp | Get-SPSite -Limit All | Get-SPWeb -Limit All)
{

	foreach ($role in $web.Roles)
	{
		$permmask = $role.PermissionMask
		$permname = $role.Name
		# Record each permission mask once; the same levels recur on every web
		if (-not $PermLevels.ContainsKey("$permmask"))
		{
			$PermLevels.Add("$permmask", "$permname")
		}
	}
	foreach ($perm in $web.Permissions)
	{
		$permmaskcurrent = $perm.PermissionMask
		$level = $PermLevels.Get_Item("$permmaskcurrent")

		if ($perm.Member.Name -like "*All Authenticated Users*")
		{
				#CLAIM PRINCIPAL FOR ROLE
				$claimPrincipal = New-SPClaimsPrincipal -ClaimValue $perm.Member.Name -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -TrustedIdentityTokenIssuer $sts
				
				
				$newUser = New-SPUser -UserAlias $claimPrincipal.ToEncodedString() -Web $web

				$account = $web.EnsureUser($newUser)
			
				if ($level -eq "Limited Access")
				{
					$level = "Read"
					$role = $web.RoleDefinitions[$level]
					$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
					$assignment.RoleDefinitionBindings.Add($role)
					$web.RoleAssignments.Add($assignment)
				}
				else
				{
					$role = $web.RoleDefinitions[$level]
					$assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($account)
					$assignment.RoleDefinitionBindings.Add($role)
					$web.RoleAssignments.Add($assignment)
				}
				
				$web.Url + "`t" + $perm.Member.Name + "`t" + $perm.Member.UserLogin + "`t" + $perm.Member.Email + "`t" + $level + "`t" + $account >> User_Permissions_AllAuthenticatedUsers.csv

		}
	}
}

————————————————————————–

The above script loops through all the Site Collections and Sites looking for the Windows Claim for ‘All Authenticated Users’. Wherever that permission is used, it adds the SAML Claim for ‘All Authenticated Users’ at the same permission level, except that ‘Limited Access’ is granted as ‘Read’.

This script does not clean up/remove the old Windows Claims permission for the ‘All Authenticated Users’. I did that just in case the Web Application needs to be extended to once again support Windows Claims/NTLM authentication.

I will later blog about how to add the ‘All Authenticated Users’ SAML Claim to Groups, and also how to add individual SAML Claim permissions to users by granting their SAML Token for email.

Hopefully this is helpful for those that are struggling to reprovision their Windows Claims permissions to SAML Claims.
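
One way to check the result of the script above, as an added example (not the author's code): a read-only audit that lists, for every web with unique permissions, the levels held by the Windows and SAML ‘All Authenticated Users’ principals, so webs the script missed can be reviewed. The output file name and the `Get-LevelNames` helper are assumptions; the placeholders are the same ones used above.

```powershell
# Added example: read-only audit, makes no permission changes.
$webApp = Get-SPWebApplication "[WEB APPLICATION URL]"
$sts = Get-SPTrustedIdentityTokenIssuer "[CLAIMS PROVIDER TOKEN ISSUER NAME]"

# Rebuild the encoded login of the SAML role claim the same way the script above does.
# Assumption: the claim value is the display name "All Authenticated Users".
$claim = New-SPClaimsPrincipal -ClaimValue "All Authenticated Users" -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -TrustedIdentityTokenIssuer $sts
$samlLogin = $claim.ToEncodedString()

# Hypothetical helper: names of the permission levels bound to one role assignment.
function Get-LevelNames($assignment)
{
	if ($assignment -eq $null) { return "" }
	return (($assignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "; ")
}

$report = foreach ($web in $webApp | Get-SPSite -Limit All | Get-SPWeb -Limit All)
{
	# Webs that inherit only mirror their parent's assignments, so report unique scopes.
	if ($web.HasUniqueRoleAssignments)
	{
		$saml = $null
		$windows = $null
		foreach ($ra in $web.RoleAssignments)
		{
			if ($ra.Member.LoginName -eq $samlLogin) { $saml = $ra }
			elseif ($ra.Member.Name -like "*All Authenticated Users*") { $windows = $ra }
		}
		if ($saml -or $windows)
		{
			New-Object PSObject -Property @{
				Url = $web.Url
				WindowsLevels = Get-LevelNames $windows
				SamlLevels = Get-LevelNames $saml
				SamlMissing = ($windows -ne $null -and $saml -eq $null)
			}
		}
	}
	$web.Dispose()
}

# Assumed output file name
$report | Select-Object Url, WindowsLevels, SamlLevels, SamlMissing | Export-Csv "AllAuthenticatedUsers_Audit.csv" -NoTypeInformation
```

A row with WindowsLevels of ‘Limited Access’ and SamlLevels of ‘Read’ marks a web where the SAML claim was given more than the Windows claim had; a row with SamlMissing set to True marks a web the script did not update.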

SharePoint 2010: Enable (Page) Output Cache Settings using PowerShell

January 25, 2017

To optimize performance in SharePoint 2010, there are a few settings you can configure to help with page load times and SharePoint caching.

The three main ways to do this are:

1. BLOB Cache
2. Object Cache
3. Page Output Cache

In my environment we are not leveraging BLOB cache, and Object Cache is already enabled by default, though you can optimize it for your SP environment.

However, the Page Output Cache is not enabled by default.

Below is a PowerShell script I created that enables the Page Output Cache at the Site Collection Level for a Web Application.

$webapp = Get-SPWebApplication "[URL OF WEB APPLICATION]"

foreach ($web in $webapp.Sites)
{
	# $web is a site collection (SPSite) of the Web Application
	$cacheSettings = New-Object Microsoft.SharePoint.Publishing.SiteCacheSettingsWriter($web.Url)
	$cacheSettings.EnableCache = $true
	$cacheSettings.Update()
	Write-Host "Updated Page Output Cache Settings…" $web.Url
}

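Options (set these on $cacheSettings inside the loop, before calling Update()):

#Default Page Output Cache Profile. The Cache Profile Id is built off the Cache Profile List (Site Actions – Site Settings – Site Collection Cache Profiles (under Site Collection Administration))
#Both methods belong to the SiteCacheSettingsWriter object and take the site collection object
$cacheSettings.SetAnonymousPageCacheProfileId($web, 1)
$cacheSettings.SetAuthenticatedPageCacheProfileId($web, 2)

#Page Output Cache Policy
$cacheSettings.AllowPublishingWebPageOverrides = $true
$cacheSettings.AllowLayoutPageOverrides = $true
#Writes cache debugging information into rendered pages; turn it off again after troubleshooting
$cacheSettings.EnableDebuggingOutput = $true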

SharePoint 2010: Output Search Query Results Using PowerShell into .csv file

January 21, 2015

I recently had to perform a massive search query for specific terms (key words) in my SharePoint 2010 environment, and provide a .csv file for all returned results.  The easiest way for me to do this was by utilizing the power of PowerShell.  So instead of having to manually execute separate Search queries within SharePoint Search I executed this script, which outputs the search results in an easy to read formatted .csv file.

#Setup a keyword query object
$site = New-Object Microsoft.SharePoint.SPSite "http://portal"
$kq = New-Object Microsoft.Office.Server.Search.Query.KeywordQuery $site

#Set some query properties
$kq.ResultTypes = [Microsoft.Office.Server.Search.Query.ResultType]::RelevantResults
$kq.RowLimit = 10000
$kq.QueryText = "TERM OR KEYWORDS TO QUERY"

#Issue the query
$resultTableCollection = $kq.Execute()

#Get the result table and load it into a DataTable (ResultTable is an IDataReader)
$relResultTable = $resultTableCollection.Item([Microsoft.Office.Server.Search.Query.ResultType]::RelevantResults)
$relDataTable = New-Object System.Data.DataTable
$relDataTable.Load($relResultTable, [System.Data.LoadOption]::OverwriteChanges)

#Output the results to .csv file
$relDataTable.Rows | Select-Object Path, Title, Description, Write, HitHighlightedSummary | Export-Csv "c:\temp\searchresults.csv" -NoTypeInformation

#Release the site object
$site.Dispose()

The .csv file will provide the Path, Title, Description, Date Modified, and Highlighted Summary of the search results.

Hope this helps others that might need to do a similar search against their SP environment.

SharePoint 2010: Access Denied by Business Data Connectivity within SharePoint 2010 Designer

August 22, 2014

If you are attempting to add a connection to an external data source within SharePoint 2010 Designer and you receive the following error:

“Access denied by Business Data Connectivity”

Make sure you grant the proper permissions to the Business Data Connectivity Service Metadata Store within Central Administration.

1.  Browse to your Central Administration Site
2.  Browse to Application Management – Manage Service Application – Business Data Connectivity
3.  Within the Business Data Connectivity Service Application, click the “Set Metadata Store Permissions” icon in the ribbon
4.  Grant the proper permissions to those needed to establish BDC external connections (Edit, Execute and Set Permissions).

After granting permissions, attempt to establish your connection within SharePoint 2010 Designer again.  This time you should be able to connect and see your data source.

Hopefully this helps others.

SharePoint 2010 “Sharepoint Designer encountered an error generating the task form. Server was unable to process request. —> Activation could not be completed because the InfoPath Forms Services support feature is not present.”

June 20, 2014

Ran into the below error recently when trying to publish a SharePoint 2010 Workflow from within SPD 2010.  Since I had been able to publish workflows before, I knew this had nothing to do with the InfoPath Form Services or the SharePoint Server Enterprise Site Collection features.  If you run into this error, please check these services first.  If both are activated, then proceed to the steps below to fix this issue.

“Sharepoint Designer encountered an error generating the task form.

Server was unable to process request. —> Activation could not be completed because the InfoPath Forms Services support feature is not present.”

This error will sometimes pop up due to problems with a hidden InfoPath feature, IPFSSiteFeatures.  This feature can only be deactivated/activated using PowerShell.

To fix the above error:

1.  Log into your Central Admin Server with Farm Admin Credentials
2.  Bring up SharePoint 2010 Management Shell with Admin rights
3.  Type:

Disable-SPFeature "IPFSSiteFeatures" -Url http://portal

4.  Say yes when prompted if you are sure you want to deactivate
5.  Next Type:

Enable-SPFeature "IPFSSiteFeatures" -Url http://portal

6.  Once enabled try to publish your workflow again via SPD, this time it should complete with success.