Tuesday, May 21, 2013

Prettify Your SharePoint Access Denied Page!

In one of my recent engagements, I had to customize the default "Access Denied" page in SharePoint 2010. I tried to be creative, so I built a brand new SharePoint 2010 "Access Denied" page that shows a friendly message with a friendly graphic. Below is a screenshot of the custom "Access Denied" layouts page I created:


I kept all of the hyperlinks that exist in the default "Access Denied" page. In addition, I added a hyperlink that lets users automatically send an email to SharePoint support with one click. The hyperlink opens Outlook with a pre-populated subject and body whose text values are generated dynamically.

Try today!

If you have done similar or just have a better, creative idea, please share!

Friday, May 3, 2013

SharePoint 2013: My Tasks Not Updating

Seen the following error messages?
  • Sorry, we’re having trouble refreshing your tasks
  • Last updated at 1/1/1901 12:00 AM
If you are using a dedicated service account for your My Site Host web application pool identity and for the Work Management Service, then you will need to do more than just create a Work Management Service Application and start the service.

Let's suppose that we have the following service accounts:
  • Work Management Service (honggyem\spworkmgmt)
  • User Profile Service (honggyem\spupssvc)
  • Intranet (or primary) Web Application Pool Identity (honggyem\spwebapp1)
  • My Site Host Web Application Pool Identity (honggyem\spwebapp2)

If you have created the User Profile Service and the My Site web application correctly, the farm account and both web application pool identities (1 and 2) should already have the correct permissions. Since your Work Management Service account is a separate service account, all you need to do is add that account to the User Profile Service Application's Permissions list, as shown below:


Once the above is configured as shown, your aggregated My Tasks in SharePoint 2013 will start functioning. Hope this helps and comment if you are struggling!
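The same grant done from the SharePoint 2013 Management Shell instead of the Permissions dialog, as an added example that is not part of the original post. It uses the account names from the post; the "Full Control" rights level is an assumption, so adjust it to the least privilege your farm requires.

```powershell
# Added example: grant the Work Management Service account access to the
# User Profile Service Application (same effect as the Permissions dialog).
# Account name follows the post; the rights level is an assumption.
$workMgmtAccount = "honggyem\spworkmgmt"
$rights          = "Full Control"

# Locate the UPS application by type rather than by display name
$ups = Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq "User Profile Service Application" }
if (-not $ups) { throw "User Profile Service Application not found in this farm." }

# The Permissions list is an SPObjectSecurity object: read it, modify it, write it back
$security  = Get-SPServiceApplicationSecurity -Identity $ups
$principal = New-SPClaimsPrincipal -Identity $workMgmtAccount -IdentityType WindowsSamAccountName

# Grant-SPObjectSecurity adds (or updates) the access rule for this principal
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights $rights
Set-SPServiceApplicationSecurity -Identity $ups -ObjectSecurity $security

# Verify: list every principal that now has rights on the UPS application,
# so an unexpected account on the list stands out
(Get-SPServiceApplicationSecurity -Identity $ups).AccessRules |
    Select-Object Name, AllowedRights |
    Format-Table -AutoSize
```

Run it as a farm administrator; the verification table at the end should show honggyem\spworkmgmt alongside the existing farm and application pool accounts.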

Post SharePoint 2013 Configuration PowerShell Script


Whenever I deploy SharePoint 2013, I always use a dedicated service account for every service I configure or start. The idea is that each service account is granted only the minimum privileges it needs for its purpose; such a setup also helps you pinpoint where your SharePoint environment fails when an error occurs. I use the PowerShell script below every time I configure SharePoint 2013. It grants the required database access to your web application content database(s). If you have more service applications or more web applications, you will need to make slight modifications to the script. Without further introduction, here is my script.


# Web applications whose content databases the service accounts need access to
$urls = "http://intranet.honggyem.com","http://mysite.honggyem.com"

# Object cache accounts (portalsuperuseraccount / portalsuperreaderaccount)
$superuser = "honggyem\spsuperuser"
$superreader = "honggyem\spsuperreader"

# Web application pool identities
$intranetapppoolid = "honggyem\spwebapp1"
$mysiteapppoolid = "honggyem\spwebapp2"

# Dedicated service application accounts
$performancepointaccount = "honggyem\spppoint"
$accessserviceaccount = "honggyem\spaccess"
$excelserviceaccount = "honggyem\spexcel"
$visioserviceaccount = "honggyem\spvisio"
$bcsserviceaccount = "honggyem\spbcs"
$appmgmtserviceaccount = "honggyem\spappmgmt"
$workmgmtserviceaccount = "honggyem\spworkmgmt"
$count = 1

# Measure-Command wraps the loop so the elapsed time is reported at the end
(Measure-Command {
    foreach ($url in $urls) {
        $w = Get-SPWebApplication -Identity $url

        # Register the object cache accounts on the web application
        $w.Properties["portalsuperuseraccount"] = $superuser
        $w.Properties["portalsuperreaderaccount"] = $superreader
        $w.Update()
        Write-Host $count "- SP Web Application Name:" $w.Name
        Write-Host "......Superuser account:" $w.Properties["portalsuperuseraccount"]
        Write-Host "......Superreader account:" $w.Properties["portalsuperreaderaccount"]

        # GrantAccessToProcessIdentity grants each account the database roles it needs
        # on this web application's content database(s) instead of sysadmin rights
        $w.GrantAccessToProcessIdentity($intranetapppoolid)
        Write-Host "......Intranet Application Pool Identity account:" $intranetapppoolid

        $w.GrantAccessToProcessIdentity($mysiteapppoolid)
        Write-Host "......My Site Application Pool Identity account:" $mysiteapppoolid

        $w.GrantAccessToProcessIdentity($performancepointaccount)
        Write-Host "......PerformancePoint Service account:" $performancepointaccount

        $w.GrantAccessToProcessIdentity($accessserviceaccount)
        Write-Host "......Access Service account:" $accessserviceaccount

        $w.GrantAccessToProcessIdentity($excelserviceaccount)
        Write-Host "......Excel Service account:" $excelserviceaccount

        $w.GrantAccessToProcessIdentity($visioserviceaccount)
        Write-Host "......Visio Service account:" $visioserviceaccount

        $w.GrantAccessToProcessIdentity($bcsserviceaccount)
        Write-Host "......Business Connectivity Service account:" $bcsserviceaccount

        $w.GrantAccessToProcessIdentity($appmgmtserviceaccount)
        Write-Host "......App Management Service account:" $appmgmtserviceaccount

        $w.GrantAccessToProcessIdentity($workmgmtserviceaccount)
        Write-Host "......Work Management Service account:" $workmgmtserviceaccount

        $count++
    }
})


Save the above as a .ps1 file, such as GrantAccessToProcessIdentityForServiceAppsForSP2013.ps1, for your convenience. When you execute it, make sure you are:
  1. a farm administrator
  2. a sysadmin on the SharePoint database server
  3. logged into a SharePoint server, with the SharePoint Management Shell opened using "Run as Administrator"
Comment if you have any questions or would like to know anything in more detail.

Monday, June 13, 2011

PerformancePoint Service Configuration Guide in SharePoint 2010

Recently, my friends and colleagues asked me to list the steps to correctly configure PerformancePoint Service in SharePoint 2010 with Kerberos authentication, since they struggle a lot with the correct setup. So, I spent some time documenting the steps that will guide you through configuring the service properly (especially for those who struggle with the "Per-User Identity" connection string setting). I know that many people call Microsoft Support to get this configuration right, so I thought I would share it publicly. I work a lot with folks at Microsoft, and when we do this, we follow the steps below. Some of the steps are not exactly the same as what is documented in TechNet or MSDN (this does not mean Microsoft's online documentation is wrong). However, there is more to consider when it comes specifically to configuring SharePoint 2010 and PerformancePoint to work with least-privileged service accounts. I am not going to spend much time explaining why each step is performed, so please feel free to leave a comment if you need more explanation. Here are the steps:

Prepare the following service accounts and have them running as corresponding services:
  • Claims to Windows Token Service Account (domain\sptoken1)
  • PerformancePoint Service Account (domain\spppoint1)
  • Analysis Services Service Account (domain\spsqlas1)
  • SQL Server Browser Service Account (domain\spsqlbrowser1 or LocalSystem built-in account)
    • The steps for both the domain account and the LocalSystem built-in account will be covered in this document.
  • SharePoint Web Application Pool Identity (domain\spwebapp1)
  • SharePoint Server (spserver1.domain.com)
  • Analysis Services SQL Server (sqlserver1.domain.com)
    • We will assume that there are two Analysis Services instances, one in the default instance (MSSQLSERVER) and the other in the named instance (FINANCE).
  • (Optional Settings) The SharePoint web application is being served using an Alternate Access Mapping URL (http://intranet and http://intranet.domain.com)
NOTE: The account names, server names and URLs above are placeholders used for reference in this document. Depending on your environment, different values will be used.
  1. Verify that the Claims to Windows Token Service is running as domain\sptoken1 and ensure that the service is started in the SharePoint 2010 servers.
  2. Add the Claims to Windows Token Service account (domain\sptoken1) to the following local groups on all SharePoint servers that are running the Claims to Windows Token Service.
    • WSS_WPG
    • Administrators (UPDATE: this is not required)
  3. Run the following command in the command prompt window to set the dependency on the Claims to Windows Token Service
    • sc config c2wts depend= CryptSvc
      • After executing the command, verify that it succeeded by going to Services -> Claims to Windows Token Service -> Properties -> Dependencies
  4. On all SharePoint servers that are running the Claims to Windows Token Service, assign the service account (domain\sptoken1) the following user rights in Local Security Policy:
    • Act as a part of operating system
    • Impersonate a client after authentication
    • Log on as a service
  5. In Command Prompt Window, check for any duplicate SPNs (by executing setspn -x). If any, resolve the duplicate SPN issue before proceeding to the next step.
  6. If you are using a named instance for the Analysis Services, in Command Prompt Window, check whether your SQL Server Browser in the SQL Analysis Services server is running under a domain account (domain\spsqlbrowser1) or a built-in account (LocalSystem).
    • If the SQL Server Browser in the SQL Analysis Services server is running under a domain account (domain\spsqlbrowser1), check whether the SQL Browser Service has any SPNs set (by executing setspn -l domain\spsqlbrowser1). The following SPNs should be listed:
      MSOLAPDisco.3/sqlserver1
      MSOLAPDisco.3/sqlserver1.domain.com
    • If the above SPNs are not listed, set the necessary SPNs for the SQL Server that runs the SQL Browser Service by executing the following commands:
      • setspn -s MSOLAPDisco.3/sqlserver1 domain\spsqlbrowser1
      • setspn -s MSOLAPDisco.3/sqlserver1.domain.com domain\spsqlbrowser1
    • If the SQL Server Browser is running under a built-in account (i.e., LocalSystem), check whether the SQL Browser Service has any SPNs set on the computer account (by executing setspn -l sqlserver1). The following SPNs should be listed:
      MSOLAPDisco.3/sqlserver1
      MSOLAPDisco.3/sqlserver1.domain.com
    • If the above SPNs are not listed, set the necessary SPNs for the SQL Server that runs the SQL Browser Service by executing the following commands:
      • setspn -s MSOLAPDisco.3/sqlserver1 sqlserver1
      • setspn -s MSOLAPDisco.3/sqlserver1.domain.com sqlserver1
    • Please refer to Microsoft Knowledge Base (http://support.microsoft.com/kb/950599) for an explanation. 
  7. In Command Prompt Window, check whether the SQL Analysis Service account has any SPNs set (by executing setspn -l domain\spsqlas1). The following SPNs should be listed:
    MSOLAPSvc.3/sqlserver1
    MSOLAPSvc.3/sqlserver1.domain.com
    MSOLAPSvc.3/sqlserver1:finance
    MSOLAPSvc.3/sqlserver1.domain.com:finance
    • If the above SPNs are not listed, set the necessary SPNs for the SQL Analysis Service account by executing the following commands (for both default and named instances):
      • setspn -s MSOLAPSvc.3/sqlserver1 domain\spsqlas1
      • setspn -s MSOLAPSvc.3/sqlserver1.domain.com domain\spsqlas1
      • setspn -s MSOLAPSvc.3/sqlserver1:finance domain\spsqlas1
      • setspn -s MSOLAPSvc.3/sqlserver1.domain.com:finance domain\spsqlas1
    • NOTE: Whether you have a default instance, a named instance, or both, set SPNs only for the instances you actually use. This example sets both only to demonstrate how default and named instances are registered.
    • The services need to be added to the account's delegation list so that the account can present delegated credentials.
      • In Active Directory Users and Computers, find the Analysis Services Service account (domain\spsqlas1), right click and select Properties -> Delegation tab. Select the following options:
        • Trust this user for delegation to specified services only
        • Use any authentication protocol
      • Click the Add… button.
      • Within the Add Services pop-up window, click the Users or Computers… button.
      • Find the SQL Analysis Services service account (domain\spsqlas1) and click OK.
      • Click Select All and hit OK.
      • Hit OK to exit to the Properties window.
    • Please refer to Microsoft Knowledge Base (http://support.microsoft.com/kb/917409) for an explanation.
  8. In Command Prompt Window, check whether the Claims to Windows Token Service account has any SPNs set (by executing setspn -l domain\sptoken1). The following SPNs should be set:
    CLAIM/spserver1
    CLAIM/spserver1.domain.com
    • If the above SPNs are not listed, set the necessary SPNs for the Claims to Windows Token Service by executing the following commands:
      • setspn -s CLAIM/spserver1 domain\sptoken1
      • setspn -s CLAIM/spserver1.domain.com domain\sptoken1
    • The services need to be added to the account's delegation list so that the account can present delegated credentials.
      • In Active Directory Users and Computers, find the Claims to Windows Token Service account (domain\sptoken1), right click and select Properties -> Delegation tab. Select the following options:
        • Trust this user for delegation to specified services only
        • Use any authentication protocol
      • Click the Add… button.
      • Within the Add Services pop-up window, click the Users or Computers… button.
      • Find the SQL Analysis Services service account (domain\spsqlas1) and click OK.
      • Click Select All and hit OK.
      • Hit OK to exit to the Properties window.
  9. In Command Prompt Window, check whether the SharePoint Web Application Pool identity has any SPNs set (by executing setspn -l domain\spwebapp1). The following SPNs should be set:
    HTTP/spserver1
    HTTP/spserver1.domain.com
    HTTP/intranet
    HTTP/intranet.domain.com
    • If the above SPNs are not listed, set the necessary SPNs for the SharePoint Web Application Pool Identity by executing the following commands:
      • setspn -s HTTP/spserver1 domain\spwebapp1
      • setspn -s HTTP/spserver1.domain.com domain\spwebapp1
      • setspn -s HTTP/intranet domain\spwebapp1
      • setspn -s HTTP/intranet.domain.com domain\spwebapp1
    • The services need to be added to the account's delegation list so that the account can present delegated credentials.
      • In Active Directory Users and Computers, find the SharePoint Web Application Pool Identity account (domain\spwebapp1), right click and select Properties -> Delegation tab. Select the following options:
        • Trust this user for delegation to specified services only
        • Use any authentication protocol
      • Click the Add… button.
      • Within the Add Services pop-up window, click the Users or Computers… button.
      • Find the SharePoint Web Application Pool Identity (domain\spwebapp1) and click OK.
      • Click Select All and hit OK.
      • Hit OK to exit to the Properties window.
  10. In Command Prompt Window, check whether the PerformancePoint Service Account has any SPNs set (by executing setspn -l domain\spppoint1). The following SPNs should be listed:
    PPOINT/spserver1
    PPOINT/spserver1.domain.com
    • If the above SPNs are not listed, set the necessary SPNs for the PerformancePoint Service Account by executing the following commands:
      • setspn -s PPOINT/spserver1 domain\spppoint1
      • setspn -s PPOINT/spserver1.domain.com domain\spppoint1
    • The services need to be added to the account's delegation list so that the account can present delegated credentials.
      • In Active Directory Users and Computers, find the PerformancePoint Service account (domain\spppoint1), right click and select Properties -> Delegation tab. Select the following options:
        • Trust this user for delegation to specified services only
        • Use any authentication protocol
      • Click the Add… button.
      • Within the Add Services pop-up window, click the Users or Computers… button.
      • Find the SQL Analysis Services service account (domain\spsqlas1) and click OK.
      • Click Select All and hit OK.
      • Hit OK to exit to the Properties window.
  11. The services need to be added to the SharePoint server's delegation list so that the computer account can present delegated credentials.
    • In Active Directory Users and Computers, find the SharePoint server (spserver1), right click and select Properties -> Delegation tab. Select the following options:
      • Trust this computer for delegation to specified services only
      • Use any authentication protocol
    • Click the Add… button.
    • Within the Add Services pop-up window, click the Users or Computers… button.
    • Find the SQL Analysis Services service account (domain\spsqlas1) and click OK.
    • Click Select All and hit OK.
    • Click the Add… button again.
    • Within the Add Services pop-up window, click the Users or Computers… button.
    • Find the SharePoint Web Application Pool Identity account (domain\spwebapp1) and click OK.
    • Click Select All and hit OK.
    • Hit OK to exit to the Properties window.
  12. Run the following commands in the SharePoint 2010 Management Shell:
    • $w = Get-SPWebApplication -Identity http://intranet.domain.com
    • $w.GrantAccessToProcessIdentity("domain\spppoint1")
  13. After the SPN configuration and settings in the Active Directory, restart SQL Server Browser (disco) and OLAP services in the SQL server.
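Before testing Kerberos end to end, it helps to confirm in one pass that every SPN from steps 6 through 10 is actually registered and that step 5's duplicate check is clean. The script below is an added example, not part of the original guide; it uses the placeholder account and host names from this document (the domain-account SQL Browser case; for LocalSystem, use the computer name sqlserver1 as the key instead) and parses the output of setspn, whose format is assumed to be a header line followed by one indented SPN per line.

```powershell
# Added example: verify the SPNs from steps 6-10 and surface the setspn -X result.
# Account and host names are this document's placeholders; replace with your own.
$expectedSpns = @{
    "domain\spsqlbrowser1" = @("MSOLAPDisco.3/sqlserver1",
                               "MSOLAPDisco.3/sqlserver1.domain.com")
    "domain\spsqlas1"      = @("MSOLAPSvc.3/sqlserver1",
                               "MSOLAPSvc.3/sqlserver1.domain.com",
                               "MSOLAPSvc.3/sqlserver1:finance",
                               "MSOLAPSvc.3/sqlserver1.domain.com:finance")
    "domain\sptoken1"      = @("CLAIM/spserver1", "CLAIM/spserver1.domain.com")
    "domain\spwebapp1"     = @("HTTP/spserver1", "HTTP/spserver1.domain.com",
                               "HTTP/intranet",  "HTTP/intranet.domain.com")
    "domain\spppoint1"     = @("PPOINT/spserver1", "PPOINT/spserver1.domain.com")
}

function Get-RegisteredSpn {
    param([string]$Account)
    # Assumed output format of setspn -L: a header line, then one indented SPN
    # per line. Keep only the indented lines and trim them.
    & setspn -L $Account 2>&1 |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.ToString().Trim() }
}

$missing = @()
foreach ($account in $expectedSpns.Keys) {
    $registered = @(Get-RegisteredSpn -Account $account)
    foreach ($spn in $expectedSpns[$account]) {
        # -contains compares case-insensitively, as Active Directory does for SPNs
        if ($registered -contains $spn) {
            Write-Host "OK       $spn  ($account)"
        } else {
            Write-Host "MISSING  $spn  (expected on $account)"
            $missing += "setspn -s $spn $account"
        }
    }
}

# Step 5: a duplicate SPN lets the KDC issue a ticket for the wrong account,
# so Kerberos authentication fails. Show the setspn -X summary line.
$dupSummary = & setspn -X 2>&1 | Where-Object { $_ -match 'duplicate' }
Write-Host "`nDuplicate SPN check: $dupSummary"

if ($missing.Count -gt 0) {
    Write-Host "`nCommands that would register the missing SPNs (review before running):"
    $missing | ForEach-Object { Write-Host "  $_" }
}
```

Run it from an elevated prompt on a domain-joined machine with the AD DS tools installed; it only reads, and prints the setspn -s commands for anything missing rather than executing them.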