Tag Archives: SharePoint

Un-Approve SharePoint List Item Previous Versions

I recently had a change request against a SharePoint Forms Library I had created a few years ago – the request was to adjust the permissions so that form submitters could see only the forms that they’ve submitted (and not others).

This is a generally straightforward action on new libraries: enable “Require content approval for submitted items?”, and change “Who should see draft items in this document library?” to

However, enabling these settings seems to have caused the items that already existed to have an Approval Status of “Approved,” despite a pending Approval workflow. This caused the undesired effect of allowing users who do not hold the “Approve” permission level to access previous versions of items still in the approval workflow.

I needed to reject previous versions of forms where the current version had not yet been approved.  On lots of items.

I found numerous examples from Google of how to use PowerShell to set the Approval Status of list items; however, nearly every example dealt with only the current version of a list item, making no mention of altering the approval status of previous versions of list items.

Additionally, I found a few posts attempting to manipulate attributes for previous versions; the responses to each of these inquiries varied:

  • “you can’t – history is read-only,”
  • “you can migrate the documents to a new list, and re-build the history”
  • “you can delete the old versions”

I even found a mega-thread on TechNet on how to “List and Delete List Item Versions using PowerShell,” and a “Complete Guide to Getting and Setting Fields Using PowerShell.”

None of these options accomplished what I was seeking: to simply remove the approval on previous versions.

Finally, I resorted to simply poking at the objects from PowerShell (never underestimate the power of Get-Member to explore objects). Attempting to modify the properties on a previous version would yield the error message “Unable to index into an object of type Microsoft.SharePoint.SPListItemVersion” (Link)

OK, different approach: I know my desired action is feasible via the UI for single list items:

So, I opened Chrome developer tools and captured the request sent when clicking “Reject this version”: a POST to “/_layouts/versions.aspx” with the ItemID and an “op” value of “TakeOffline”. A quick Google search revealed a server-side object model equivalent: Microsoft.SharePoint.SPFile.TakeOffline.

My solution: invoke SPListItem.File.TakeOffline() for every file which is currently pending and has a previously approved version:
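The post's own script did not survive on this page. What follows is an added example of that approach (not the author's code): it selects every item whose current version is still pending and which has an older published version, and calls TakeOffline() on its file. The site URL and library title are placeholders; the use of SPFileVersion.Level to detect an approved earlier version is my assumption.

```powershell
# Added example (not the author's script): reject the previously approved
# version of every library item whose current version is still pending.
# Assumes the SharePoint server-side object model (SharePoint Management Shell).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl      = "http://<YOUR SITE HERE>"    # placeholder
$libraryTitle = "<YOUR FORMS LIBRARY>"       # placeholder
$dryRun       = $true                        # review the list first, then set to $false

$web  = Get-SPWeb $siteUrl
$list = $web.Lists[$libraryTitle]

if (-not $list.EnableModeration) {
    throw "Content approval is not enabled on '$libraryTitle'; nothing to do."
}

$pending   = [Microsoft.SharePoint.SPModerationStatusType]::Pending
$published = [Microsoft.SharePoint.SPFileLevel]::Published
$matched   = 0

foreach ($item in $list.Items) {
    # Only items whose *current* version is still awaiting approval.
    if ($item.ModerationInformation.Status -ne $pending) { continue }

    # Assumption: an older approved version shows up in the file's version
    # history with Level = Published. SPFile.Versions excludes the current version.
    $approvedHistory = @($item.File.Versions | Where-Object { $_.Level -eq $published })
    if ($approvedHistory.Count -eq 0) { continue }

    $matched++
    if ($dryRun) {
        Write-Host ("WOULD reject approved history of {0} (ID {1})" -f $item.Name, $item.ID)
        continue
    }

    try {
        # Same operation the "Reject this version" UI command issues (op=TakeOffline).
        $item.File.TakeOffline()
        Write-Host ("Rejected approved history of {0} (ID {1})" -f $item.Name, $item.ID)
    } catch {
        Write-Warning ("Failed on {0} (ID {1}): {2}" -f $item.Name, $item.ID, $_.Exception.Message)
    }
}

Write-Host ("Items matched: {0} (dry run: {1})" -f $matched, $dryRun)
$web.Dispose()
```

Run it once with $dryRun left at $true and compare the listed items against the library's "Approve/Reject Items" view before applying it.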

 

SharePoint 2013 List Workflows Failing

Quick Post.

Today I had an issue with a SharePoint 2013 List Workflow not running on a SharePoint Online Team Site.

 

Retrying last request. Next attempt scheduled in less than one minute. Details of last request: HTTP  to https://<SomeCoolTenant>.sharepoint.com/sites/<SomeCoolSite>/_api/web/lists(guid'**********************************') Correlation Id:  Instance Id: *************************************

System.Net.WebException: The request was aborted: The request was canceled. ---> System.InvalidOperationException: Failed to fetch an access token from the token service. The token service returned an error type of 'unauthorized_client' with the following description: AADSTS70001: Application with identifier '**************************' was not found in the directory **************************************
Trace ID: **********************************
Correlation ID: *****************************************
Timestamp: 2017-10-30 14:07:03Z ---> System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Activities.Hosting.Security.OAuthS2SSecurityTokenServiceCredential.FetchAccessToken(Uri stsUri, String targetServiceAudience, String authenticatorToken, HttpWebRequest request, TimeSpan timeout, EventTraceActivity eventTraceActivity, TimeSpan& expirationDuration)
--- End of inner exception stack trace ---
at Microsoft.Activities.Hosting.Security.OAuthS2SSecurityTokenServiceCredential.FetchAccessToken(Uri stsUri, String targetServiceAudience, String authenticatorToken, HttpWebRequest request, TimeSpan timeout, EventTraceActivity eventTraceActivity, TimeSpan& expirationDuration)
at Microsoft.Activities.Hosting.Security.OAuthS2SSecurityTokenServiceCredential.GetAccessTokenFromTokenService(OAuthS2SPrincipal client, OAuthS2SPrincipal targetServiceAudience, HttpWebRequest originalRequest, EventTraceActivity eventTraceActivity, TimeSpan& expirationDuration)
at Microsoft.Activities.Hosting.Security.OAuthS2SSecurityTokenServiceCredential.GetAuthorization(OAuthS2SAuthenticationChallenge[] bearerChallenges, HttpWebRequest request, EventTraceActivity eventTraceActivity)
at Microsoft.Activities.Hosting.Security.OAuthS2SAuthenticationModule.AuthenticateInternal(String challenge, WebRequest request, OAuthS2SCredential credential, EventTraceActivity eventTraceActivity)
at Microsoft.Activities.Hosting.Security.OAuthS2SAuthenticationModule.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
at System.Net.HttpWebRequest.CheckResubmitForAuth()
at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
at System.Net.HttpWebRequest.DoSubmitRequestProcessing(Exception& exception)
at System.Net.HttpWebRequest.ProcessResponse()
at System.Net.HttpWebRequest.SetResponse(CoreResponseData coreResponseData)
--- End of inner exception stack trace ---
at Microsoft.Workflow.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)
at Microsoft.Activities.Hosting.HostedHttpExtension.HttpRequestWorkItem.HttpRequestWorkItemAsyncResult.End(IAsyncResult result, Int32& responseCode)
at Microsoft.Activities.Hosting.HostedHttpExtension.HttpRequestWorkItem.OnEndComplete(ScheduledWorkItemContext context, IAsyncResult result)

 

Turns out that I had forgotten to enable the “Workflows can use app permissions” site feature:

So, if you’re not yet using Microsoft Flow and still need those SharePoint 2013 Workflows, remember to enable this site feature.

SharePoint 2016 SMTP Authentication

Edit: It appears that this has been fixed in KB 3191880:

SharePoint outbound email messages incorrectly try to authenticate to SMTP servers that support Generic Security Service Application Program Interface (GSSAPI), Kerberos, or NTLM authentication. This may prevent email messages from being sent. After you install this update, SharePoint sends email messages anonymously without authentication.


Recently I encountered an issue where SharePoint Designer workflow emails were not being delivered.

Additional inspection revealed that the messages in question were addressed to an Exchange distribution group with “Permitted Senders.” This designation means that messages sent to this distribution group must come from an authenticated sender (which SharePoint does not support by default; see SHAREPOINT 2016 OUTBOUND SMTP FAILURES).

Old Solution

One solution I’ve used in the past is to set up Microsoft’s SMTP server on one of the SharePoint servers and use it to relay (authenticated) messages to the Exchange server. This has generally worked fine in the past, but it has always felt a little kludgey.

Seriously, Microsoft?  You’re recommending that we install IIS6 tools on a modern server?

The Problem

Anyway, the above solution breaks down with SharePoint 2016 in certain scenarios:  When sharing documents in SP2016, the “invitation” is sent as the user who initiated the invitation!!!

By default, Exchange only allows authenticated users to send as the account whose credentials were supplied.

This presents a “Catch 22:”

  • Enable the IIS 6.0 SMTP relay to send authenticated messages to Exchange, and be able to relay to groups (and external domains)

  OR

  • Configure SharePoint to send through an unauthenticated receive connector, and be allowed to send as any user, but not be able to relay outside the domain or to groups which require authentication.

I went down a few different solution paths trying to solve this:

Failed Attempt 1: Grant Send-As Permission to SharePoint

Attempt to grant the SharePoint SMTP service account (since I was already sending authenticated mail) “send-as” permissions on all mailboxes in the domain.

This just felt kludgey, and I was ultimately not able to get it to work.

I may have not waited the recommended 2 hours for the Mailbox Cache Idle Limit to expire:  https://technet.microsoft.com/en-us/library/aa996988(EXCHG.80).aspx

 

Successful Attempt: Configure Externally Secured Exchange Connector

The solution for me was to create a new “Externally Secured” Exchange Receive connector: https://technet.microsoft.com/en-us/library/mt668454(v=exchg.160).aspx

Essentially, this allows the hosts defined in the receive connector’s scope to deliver “unauthenticated” SMTP traffic as if it were authenticated.

This fulfills my SharePoint requirements:

  • To “send-as” on behalf of users in a document sharing scenario.
  • To send email as SharePoint to distribution groups which require the sender to be authenticated.
  • To send email to users outside of my domain.
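As an added example (not from the original post), the Exchange Management Shell commands that create the externally secured receive connector described above, followed by a small audit function that lists every connector granting that level of trust. An externally secured connector treats anything from its RemoteIPRanges as an authenticated internal sender, able to send as any address and relay anywhere, so its scope should be the SharePoint servers and nothing else. Server name, connector name and the SharePoint IP are placeholders.

```powershell
# Added example (not the post's own commands). Exchange 2013/2016 Management Shell.
$server     = "<EXCHANGE SERVER>"   # placeholder
$sharePoint = "10.0.0.50"           # placeholder: SharePoint server IP(s) only, no subnets

# Two steps, as in the TechNet article linked above: create the connector scoped
# to the SharePoint host, then switch it to externally secured. On a shared port
# Exchange picks the connector with the most specific RemoteIPRanges match.
New-ReceiveConnector -Server $server -Name "SharePoint Relay (externally secured)" `
    -Usage Custom -TransportRole FrontendTransport `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $sharePoint
Set-ReceiveConnector -Identity "$server\SharePoint Relay (externally secured)" `
    -PermissionGroups ExchangeServers -AuthMechanism ExternalAuthoritative

# Audit: every connector using ExternalAuthoritative, flagging broad remote ranges
# (whole address space or CIDR prefixes shorter than /24) for review.
function Get-ExternallySecuredConnectorReport {
    Get-ReceiveConnector |
        Where-Object { $_.AuthMechanism -match 'ExternalAuthoritative' } |
        ForEach-Object {
            $ranges = @($_.RemoteIPRanges | ForEach-Object { $_.ToString() })
            $broad  = @($ranges | Where-Object { $_ -match '^0\.0\.0\.0-|^::-|/([0-9]|1[0-9]|2[0-3])$' })
            [pscustomobject]@{
                Connector      = $_.Identity
                Bindings       = ($_.Bindings -join ', ')
                RemoteIPRanges = ($ranges -join ', ')
                BroadRanges    = ($broad -join ', ')
                Verdict        = if ($broad.Count -gt 0) { 'REVIEW: trusted relay from a wide range' } else { 'scoped' }
            }
        }
}

Get-ExternallySecuredConnectorReport | Format-Table -AutoSize
```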

I hope this helps someone (even if it’s me in the future).

SharePoint 2016 Outbound SMTP Failures

Recently I was configuring a SharePoint 2016 farm, and encountered some peculiar issues with outbound email.

SharePoint 2016 is the first version of SharePoint to include built-in support for TLS. In any previous version of SharePoint, TLS requirements were fulfilled by setting up an SMTP relay capable of authenticating to the desired target SMTP server.

Interestingly, it seems that SharePoint 2016 also responds to SMTP authentication challenges, despite not having an explicit configuration option in Central Administration for which credentials to use for SMTP.

The issue I recently experienced is as follows:

  • List / Library “initial” alert subscription messages are delivered to the appropriate address
  • Actual alerts from a list / library are not delivered
  • Workflow Task emails are not delivered

Digging into the ULS logs of the SharePoint server, I noticed the following:

  • Messages sent by w3wp (running under the web app pool service account) were delivered
  • Messages sent by OWSTIMER (running under the farm account) were not delivered. The timer job in question is “job-immediate-alerts.”

So, despite having outbound email configured in Central Administration, it seems that SharePoint is not treating different classes of outbound email equally.

I tried many of the “well known fixes” to no avail:

  • Re-starting the server
  • Re-starting the timer service
  • Manually starting the job-immediate-alerts timer job with PowerShell
  • Altering the alerts properties of the site with stsadm

I finally broke out Wireshark on my SharePoint server to observe the SMTP traffic. What I found was interesting:

  • Messages sent by w3wp.exe had these characteristics:
    • SharePoint sends the message immediately upon the request from the browser to subscribe to alerts on a library
    • SharePoint opens an SMTP session to the configured server
    • The Exchange 2013 server responds with an SMTP NTLM authentication challenge
    • The SharePoint server provides the credentials of the web app service account!
    • Exchange returns SMTP 5.7.1 “client was not authenticated”
    • SharePoint ignores the 5.7.1 error and delivers the message anyway
  • Messages sent by OWSTIMER.exe had these characteristics:
    • SharePoint attempts to send the message with each execution of the job-immediate-alerts timer job
    • SharePoint opens an SMTP session to the configured server
    • The Exchange 2013 server responds with an SMTP NTLM authentication challenge
    • The SharePoint server provides the credentials of the farm service account!
    • Exchange returns SMTP 5.7.1 “client was not authenticated”
    • SharePoint stops attempting to deliver the message because of the error!

In both of these scenarios, neither the farm service account nor the web app service account is configured with an Exchange mailbox, so the authentication fails.

The receive connector in Exchange is configured to allow TLS, Exchange Authentication, and Anonymous authentication.

The unexpected behavior is this: SharePoint reacts to an SMTP 5.7.1 “not authenticated” response differently depending on the context from which the SMTP session was initiated. SMTP sessions initiated directly in the web app context succeed, but SMTP sessions initiated from timer jobs fail.

My temporary solution was to create a separate receive connector in Exchange, on a separate port, scoped to only the SharePoint server’s IP and allowing only anonymous authentication (it seems that having Exchange Authentication checked makes SharePoint fail). This causes the Exchange server to never prompt the SharePoint server for SMTP authentication, and therefore messages are delivered.
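An added example (not from the original post) that reproduces the Wireshark finding without Wireshark: a PowerShell function, run from the SharePoint server, that opens an SMTP session, sends EHLO and reports whether the connector advertises an authentication challenge (AUTH, or X-EXPS for Exchange Server authentication). The Exchange Management Shell lines after it create the anonymous-only connector on its own port. Host names, port and IP are placeholders.

```powershell
# Added example (not the post's own code). Probe what a receive connector offers
# before SharePoint ever sends a message; run it from the SharePoint server so
# the RemoteIPRanges scope matches.
function Get-SmtpAuthAdvertisement {
    param([string]$Server, [int]$Port = 25, [string]$HeloName = $env:COMPUTERNAME)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $null = $reader.ReadLine()                      # 220 banner
        $writer.WriteLine("EHLO $HeloName")
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^250-')
        $writer.WriteLine("QUIT")
        # AUTH = standard SASL challenge; X-EXPS = Exchange Server authentication.
        $auth = @($lines -match '^250[- ](AUTH|X-EXPS) ')
        [pscustomobject]@{
            Server         = "${Server}:${Port}"
            AdvertisesAuth = ($auth.Count -gt 0)
            Mechanisms     = (($auth -replace '^250[- ]', '') -join '; ')
            StartTls       = [bool]@($lines -match '^250[- ]STARTTLS').Count
        }
    } finally { $client.Close() }
}

# Default connector (challenges SharePoint) versus the SharePoint-only one (must not).
Get-SmtpAuthAdvertisement -Server "<EXCHANGE SERVER>" -Port 25
Get-SmtpAuthAdvertisement -Server "<EXCHANGE SERVER>" -Port 2525

# Exchange Management Shell: anonymous-only connector on a separate port, scoped to
# the SharePoint server, with no Exchange Server authentication so no challenge is sent.
$server = "<EXCHANGE SERVER>"   # placeholder
New-ReceiveConnector -Server $server -Name "SharePoint Anonymous 2525" `
    -Usage Custom -TransportRole FrontendTransport `
    -Bindings "0.0.0.0:2525" -RemoteIPRanges "10.0.0.50"        # placeholder IP
Set-ReceiveConnector -Identity "$server\SharePoint Anonymous 2525" `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls
# Then point Central Administration's outbound e-mail settings at port 2525.
```

On the new connector, AdvertisesAuth should come back False; if it is still True, the session is being matched to a different connector on that port and the RemoteIPRanges scope needs checking.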

I’ll update this post as I discover more.

Schema Validation Errors While Setting an XML Node Value

When attempting to set the node value in an InfoPath form with code, “schema validation” errors may appear. This is primarily caused by attempting to set the value of a field with one of the following data types:

  • Whole Number (integer)
  • Decimal (double)
  • Date (date)
  • Time (time)
  • Date and Time (dateTime)

The workaround is to remove the “nil” attribute from the element:

using System.Xml.XPath;

public void DeleteNil(XPathNavigator node)
{
    // InfoPath marks an empty typed field with xsi:nil="true"; a value cannot be
    // set while that attribute is present.
    if (node.MoveToAttribute("nil", "http://www.w3.org/2001/XMLSchema-instance"))
        node.DeleteSelf();   // removes the attribute and leaves the navigator on the element
}
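An added example (not from the original post) that shows the same problem and fix outside InfoPath, using plain System.Xml from PowerShell: a constructed schema with a nillable integer field, a naive write that leaves xsi:nil in place and fails schema validation, and the DeleteNil workaround applied before the write. The schema, instance document and field name are made up for the demonstration.

```powershell
# Added example (not the post's own code). Reproduces the nil conflict with the
# .NET XSD validator; the element and schema below are constructed for this demo.
$schemaXml = @'
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="urn:demo" xmlns="urn:demo" elementFormDefault="qualified">
  <xs:element name="form">
    <xs:complexType><xs:sequence>
      <xs:element name="Quantity" type="xs:integer" nillable="true"/>
    </xs:sequence></xs:complexType>
  </xs:element>
</xs:schema>
'@
$instanceXml = @'
<form xmlns="urn:demo" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Quantity xsi:nil="true"/>
</form>
'@

# Same logic as the C# DeleteNil above: drop xsi:nil, navigator ends up on the element.
function Remove-Nil([System.Xml.XPath.XPathNavigator]$node) {
    if ($node.MoveToAttribute("nil", "http://www.w3.org/2001/XMLSchema-instance")) {
        $node.DeleteSelf()
    }
}

# Validate the document against the schema loaded into $doc.Schemas; returns messages.
function Get-SchemaErrors([System.Xml.XmlDocument]$doc) {
    $errors = New-Object System.Collections.Generic.List[string]
    $doc.Validate({ param($sender, $e) $errors.Add($e.Message) }.GetNewClosure())
    return ,$errors.ToArray()
}

$doc = New-Object System.Xml.XmlDocument
$doc.LoadXml($instanceXml)
$null = $doc.Schemas.Add("urn:demo", [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $schemaXml)))
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace("d", "urn:demo")
$quantity = $doc.CreateNavigator().SelectSingleNode("/d:form/d:Quantity", $ns)

# 1) Naive write: text inside an element still marked xsi:nil="true".
$quantity.SetValue("42")
$before = Get-SchemaErrors $doc
"Errors before DeleteNil: $($before.Count)"; $before

# 2) The workaround: remove xsi:nil first, then set the value.
Remove-Nil $quantity
$quantity.SetValue("42")
$after = Get-SchemaErrors $doc
"Errors after DeleteNil: $($after.Count)"
$doc.OuterXml
```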

Additional Resources:

ForeFront Identity Manager (2010 R2) Synchronization Service Becomes Disabled

I had just installed FIM 2010 R2 in a lab environment (all roles on one server) and noticed that the “Forefront Identity Manager Synchronization Service” kept stopping and being set to “Disabled.”

I had installed all of the latest patches for both FIM (4.1.3613.0) and SharePoint (14.0.7140.5000). I saw nothing in the Windows Event log to indicate there was a problem. The “Synchronization Service Manager on FIM” application would launch fine while the service was running. All configured management agents would synchronize no problem. It’s just that, every so often, the “Forefront Identity Manager Synchronization Service” would just up and STOP!

After some research, I found this TechNet Blog Post which suggests that SharePoint is the culprit!

Since SharePoint is installed on this server only for the purpose of providing the FIM Portal, I had no need to set up (or otherwise use) the User Profile Service. Consequently, SharePoint isn’t expecting the Synchronization Service to be in a running state! So, as part of the “Health Analysis Job (Hourly, Microsoft SharePoint Foundation Timer, All Servers),” SharePoint notices the service is running and disables it!

I verified this by returning the service to the normal Automatic – Running state, and manually kicking off that Timer Job.

Sure enough, the job was stopped! ULS Viewer shows me this also:

See that? – “The SharePoint Health Analyzer found and fixed the following problem: One or more services have started or stopped unexpectedly..”  No details about which service was “started unexpectedly,” but I presume that the “Forefront Identity Manager Synchronization Service” was the culprit.

To prevent this from happening again, I navigated to “Review Job Definitions” under “Monitoring” in Central Administration, located the “Health Analysis Job (Hourly, Microsoft SharePoint Foundation Timer, All Servers)” and disabled it.

All seems well at this point in time…
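An added example (not from the original post) that scripts the verification and the fix from the SharePoint Management Shell: it restores the service, runs the hourly health job on demand, checks whether the service was disabled again, and only then disables the timer job. The service and job display names are the ones quoted in the post; the Win32_Service query and the two-minute wait are my choices.

```powershell
# Added example (not the post's own steps). Run on the FIM/SharePoint server as farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$serviceName = "Forefront Identity Manager Synchronization Service"
$jobName     = "Health Analysis Job (Hourly, Microsoft SharePoint Foundation Timer, All Servers)"

# Win32_Service exposes both the running state and the start mode ("Disabled").
function Get-FimSyncState {
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$serviceName'"
    [pscustomobject]@{ State = $svc.State; StartMode = $svc.StartMode }
}

$job = Get-SPTimerJob | Where-Object { $_.DisplayName -eq $jobName }
if (-not $job) { throw "Timer job '$jobName' not found" }

# 1) Return the service to Automatic/Running before provoking the job.
Get-Service -DisplayName $serviceName | Set-Service -StartupType Automatic
Get-Service -DisplayName $serviceName | Start-Service
$s = Get-FimSyncState; "Before health job: $($s.State) / $($s.StartMode)"

# 2) Run the hourly health job now and wait (up to two minutes) for it to finish.
$lastRun = $job.LastRunTime
Start-SPTimerJob -Identity $job
for ($i = 0; $i -lt 24 -and (Get-SPTimerJob -Identity $job.Id).LastRunTime -eq $lastRun; $i++) {
    Start-Sleep -Seconds 5
}
$s = Get-FimSyncState; "After health job:  $($s.State) / $($s.StartMode)"

# 3) Only if the job really did disable the service, stop the job from running again.
if ($s.StartMode -eq 'Disabled') {
    Disable-SPTimerJob -Identity $job
    Get-Service -DisplayName $serviceName | Set-Service -StartupType Automatic
    Get-Service -DisplayName $serviceName | Start-Service
    "Disabled '$jobName'; IsDisabled = $((Get-SPTimerJob -Identity $job.Id).IsDisabled)"
} else {
    "Health job did not disable the service; leaving the timer job enabled."
}
```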

My set of links for FIM installation tips, tricks, procedures, etc:

  • https://technet.microsoft.com/en-us/library/hh332711(v=ws.10).aspx
  • http://www.harbar.net/articles/fimportal.aspx
  • http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=224
  • http://social.technet.microsoft.com/wiki/contents/articles/2229.fim-2010-build-overview.aspx
  • http://www.fimspecialist.com/fim-portal/installing-fim-2010-r2-sp1-portal-on-sharepoint-foundation-2013/
  • https://social.technet.microsoft.com/Forums/en-US/76bd6012-f619-4636-8401-74cac8436f1f/fim-sync-service-keeps-disabling?forum=ilm2
  • http://www.fimspecialist.com/category/fim-hotixes-service-packs-updates/
  • https://technet.microsoft.com/en-us/library/jj200258(v=ws.10).aspx
  • https://technet.microsoft.com/en-us/library/hh322920(v=ws.10).aspx
  • https://technet.microsoft.com/en-us/library/hh322863(v=ws.10).aspx
  • https://technet.microsoft.com/en-us/library/jj134316(v=ws.10).aspx
  • https://technet.microsoft.com/en-us/library/hh322877(v=ws.10).aspx
  • https://technet.microsoft.com/en-us/library/hh332707(v=ws.10).aspx
  • https://technet.microsoft.com/en-us/library/hh332708(v=ws.10).aspx
  • https://technet.microsoft.com/en-us/library/hh332710(v=ws.10).aspx
  • https://fim2010techie.wordpress.com/2012/12/10/synchronizing-active-directory-users/
  • http://blogs.msdn.com/b/connector_space/archive/2014/12/30/understanding-the-fim-service-management-agent.aspx
  • http://social.technet.microsoft.com/wiki/contents/articles/3610.fim-2010-wiki-articles.aspx

 

 

Forgot SharePoint Farm User Account Password

I had recently patched an inherited SharePoint 2010 Farm up to the December 2014 CU.  I’m currently prepping to migrate the farm to SharePoint 2013, but I needed to get it patched in the interim.

I successfully applied SP2 and the December 2014 CU (14.0.7140.5000; much thanks to Todd Klindt’s SharePoint Admin Blog for the easy build number lookup), and all seemed well.

That is, until I had to change an extranet user’s email address. These users don’t have mail accounts in our Exchange environment, but we do populate the mail attribute in AD with their corporate email address. I made the change to the attribute in AD, and attempted to run the User Profile Synchronization (Central Administration | Manage Service Applications | User Profile Service Application | Start Profile Synchronization).

This action failed because the User Profile Synchronization Service was not running on the server! (Central Administration | Manage Services on Server).

I attempted to start the service but was prompted for the DOMAIN\SPFarm account! I searched all archives and documents, but found no reference to this password!  UH OH!!!!!

I finally found this post: http://joelblogs.co.uk/2012/09/22/recovering-passwords-for-sharepoint-2010-farm-web-application-and-service-application-accounts/

I had full administrative access to the server on which Central Administration was installed, so all I had to do was run a “one liner” in PowerShell.  Could it really be that easy?!

Here’s how easy it is:

# Lists the Central Administration application pool's identity password from the IIS configuration (requires local administrator rights on that server).
& $env:windir\system32\inetsrv\appcmd.exe list apppool "SharePoint Central Administration v4" /text:ProcessModel.Password

I ran the command in my dev environment first (we always test foreign code outside of production, right?), and got this!

No Way.  That’s my Farm account password….in PLAIN TEXT! WHOA SCARY!

So, if you ever find yourself forgetting any of your IIS application pool account passwords, you now have the tool to recover them!

HOO-RAH!

Collecting User Data in SharePoint 2010 with custom Site Columns

The Task: Build a system to archive paper documents (being scanned from e-mail enabled scanners) and optimize for retrieval

I decided to build an e-mail enabled library to get the documents into SharePoint. This allows users to save the email address in their contact list on the copier, and makes scanning in documents very easy.

To gather the metadata for these documents, I used the “Collect Data From a User” (CUD) action in SharePoint Designer. This created a Content Type based on the name of the task; in my case, “Student Document Data Collection.”

I then added some of my existing site columns to this content type from SPD – things like first name, last name, and district.  I didn’t want to use the CUD wizard to add these fields to the data collection task because a) all of the fields already exist in the site, and b) some of the fields are multiple choice, and I really don’t want to manage two instances of the same data!

After I modified the content type, I refreshed the workflow and returned to the CUD wizard in SPD, and saw that all of my fields populated! Hoorah!

I proceeded to build the rest of the workflow, referencing the fields collected in the CUD task in the normal manner; however, I was noticing a problem: None of the user entered data was showing up!

How could this be? SharePoint was prompting me for the data, I entered it, and I hit save… It should be there, right?  I wrote entries to the workflow history log to see if maybe the data just wasn’t being applied to the current item.  No dice – It looked like SharePoint just wasn’t storing the collected data.

Thanks to reddit user sbrick89, it looks like fields (Site Columns) created in the CUD action within SPD actually differ from standard Site Columns! It’s not a big difference, but it will mess up your day (or, in my case, WEEK)! These fields are prefixed with “FieldName_”.

I jumped into my SharePoint Management PowerShell and whipped this up in order to create my Site Columns (in a way that they will be usable for data collection):

$SiteURL = "<YOUR SITE HERE>"

$Web = Get-SPWeb $SiteURL
# The internal name carries the "FieldName_" prefix that the CUD task form expects.
$FieldXMLString = '<Field Type="Text"
Name="FieldName_StudentFirstName"
Description="Student First Name"
DisplayName="Student First Name"
Group="0 Student Columns"
Hidden="FALSE"
Required="FALSE"
Sealed="FALSE"
ShowInDisplayForm="TRUE"
ShowInEditForm="TRUE"
ShowInListSettings="TRUE"
ShowInNewForm="TRUE"></Field>'
$Web.Fields.AddFieldAsXml($FieldXMLString)

Documentation for the syntax of the $FieldXMLString can be found here: https://msdn.microsoft.com/en-us/library/office/ms437580(v=office.15).aspx

Of note is this “Name: Required Text: The name of a field. This is the internal name of a field and is guaranteed never to change for the lifetime of the field definition. It must be unique with respect to the set of fields in a list. The name is autogenerated based on the user-defined name for a field.

I also wanted to create a multiple choice Site Column for District:

$FieldXMLString = '<Field Type="Choice"
Name="FieldName_District"
Description="District"
DisplayName="District"
Group="0 Student Columns"
Hidden="FALSE"
Required="FALSE"
Sealed="FALSE"
ShowInDisplayForm="TRUE"
ShowInEditForm="TRUE"
ShowInListSettings="TRUE"
ShowInNewForm="TRUE">
<CHOICES>
<Choice>District 1</Choice>
<Choice>District 2</Choice>
</CHOICES>
</Field>'
$Web.Fields.AddFieldAsXml($FieldXMLString)

After creating the Site Columns with the proper internal name, I was able to add the newly created site column to the CUD Content Type, update my workflow, and collect the user data successfully! Yes, it does seem that any alteration (including changes to the items in a choice Site Column) to the CUD Content Type requires that the workflow be loaded in SPD, the CUD step opened, the wizard “nexted through,” and the workflow re-published in order for the changes to appear in the actual data collection step.
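As an added example (not from the original post), the two scripts above generalized into one function: it derives the "FieldName_" internal name from the display name, escapes the text it embeds in the CAML, emits a Text or Choice field depending on whether choices are supplied, and refuses to create a column that already exists. Deriving the internal name by stripping non-alphanumerics from the display name is my assumption based on the two names used above; the site URL and sample columns are placeholders.

```powershell
# Added example (not the post's own script). SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-CudSiteColumn {
    param(
        [Parameter(Mandatory=$true)][Microsoft.SharePoint.SPWeb]$Web,
        [Parameter(Mandatory=$true)][string]$DisplayName,
        [string]$Group = "0 Student Columns",
        [string[]]$Choices            # supply choices for a Choice column; omit for Text
    )
    $esc = { param($s) [System.Security.SecurityElement]::Escape($s) }
    # Assumption: CUD-style internal name = "FieldName_" + display name without spaces/punctuation.
    $internalName = "FieldName_" + ($DisplayName -replace '[^A-Za-z0-9]', '')
    if ($Web.Fields.ContainsField($internalName)) {
        Write-Warning "Field '$internalName' already exists in $($Web.Url); skipping."
        return $Web.Fields.GetFieldByInternalName($internalName)
    }
    $type = if ($Choices) { "Choice" } else { "Text" }
    $choiceXml = ""
    if ($Choices) {
        $items = $Choices | ForEach-Object { "<Choice>$(& $esc $_)</Choice>" }
        $choiceXml = "<CHOICES>" + ($items -join "") + "</CHOICES>"
    }
    $fieldXml = @"
<Field Type="$type" Name="$internalName" DisplayName="$(& $esc $DisplayName)"
       Description="$(& $esc $DisplayName)" Group="$(& $esc $Group)"
       Hidden="FALSE" Required="FALSE" Sealed="FALSE"
       ShowInDisplayForm="TRUE" ShowInEditForm="TRUE"
       ShowInListSettings="TRUE" ShowInNewForm="TRUE">$choiceXml</Field>
"@
    $created = $Web.Fields.AddFieldAsXml($fieldXml)   # returns the internal name SharePoint assigned
    return $Web.Fields.GetFieldByInternalName($created)
}

$web = Get-SPWeb "http://<YOUR SITE HERE>"            # placeholder
New-CudSiteColumn -Web $web -DisplayName "Student First Name" | Select-Object InternalName, TypeAsString
New-CudSiteColumn -Web $web -DisplayName "District" -Choices "District 1", "District 2" | Select-Object InternalName, TypeAsString
$web.Dispose()
```

Check the InternalName in the output against the field list in the CUD task's content type: if it lacks the FieldName_ prefix, the column will appear in the wizard but its value will not be stored.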

Links:

http://www.sbrickey.com/Tech/Blog/Post/Secrets_Revealed-_SharePoint_Designer_-_Workflows_-_Approval_Task_-_Task_Form_Fields