Access Denied message while accessing portal

premature backup termination can lead to Access Denied message while accesing portal

quick heal:
go to CA; Central Administration > Application Management > Site Collection Quotas and Locks change the site collection to the required site (say sharepoint 80) and change the site lock status to Not Locked. click ok once done.
access the site now.

access denied happens when the status of the site switches to Read-Only mode. this can mostly happen at the time of site backup premature termination.

MOSS2007 evalution version license expired

Evaluation version of Microsoft Office SharePoint Server 2007 for this server has expired

Option 1:

This may happen exactly 180 days after upgrading moss2007 from SP1 to SP2.

Simple way of sorting this is to re-apply the license key from the CA:

Central Administration > Operations > Convert License Type   and then enter the product key and click ok. This may perhaps take more than 2-3 hrs for global sync depending on the FARM size.

Option 2:

ACTION:
Current user updated MOSS2007 and registered his Volume License Key to the MOSS2007 Installation.
Current user tries to Access his "My Site" or Dashboards

RESULT: Current user receives following error:
"The evaluation version of Microsoft Office SharePoint Server 2007 for this server has expired."

CAUSE: Insufficient permissions for the groups WSS_WPG, WSS_ADMIN_WPG to the Registry. The application pool identity for your WSS/MOSS sites *MUST* be in the
"Distributed COM Users" group in order to successfully activate.

RESOLUTION:
We gave group WSS_WPG Read permissions to following registry key
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Office Server\12.0
We gave group WSS_ADMIN_WPG Full permissions to the same registry key
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Office Server\12.0

Add application pool Account ("dcomcnfg.exe") to the Distributed users and then reboot the server. 

Unable to pick AD Attributes from SharePoint for new users

AD attributes not in sync with some of the subsites:

Created a new user profile attribute but these attributes are not available when adding a new column using "person or group" column type... what could be wrong??

Follow the steps to achieve the expected sync on all sites:
Stsadm -o sync -listolddatabases 0
Stsadm -o sync -deleteolddatabases 0 (deletes from cache old databases)
Stsadm -o sync -IgnoreIsActive 1
Stsadm -o sync -synctiming M:1
check profile sync (CA» Operations» Global Configuration» Timer Job Status» scroll down to Profile Synchronization and check for any errors)
check quick profile sync (CA» Operations» Global Configuration» Timer Job Status» scroll down to Quick Profile Synchronization and check for status to track down success/ aborted errors)

run again Stsadm -o sync -listolddatabases 0


if all the content databases are not listed as a result of the above command, try removing content database and attach again.. if you are on production environment, plan and schedule after office hours.. recommended to do db remove/ attach on pre-production first.

how to do this?
Go to Central Administration > Application Management > Content Databases
select each content database, copy exactly the same name of content DB (ex: WSS_Content_HR). Remove content database. Now Add content database. specify exactly the same database name (ex: WSS_Content_HR). Click ok.

Stsadm -o sync -listolddatabases 0

hover mouse over the content database and see the database ID if its in sync with the results you just retrieved after running the command stsadm -o sync -listolddatabases 0

------------------------------------------------------------------------------------------------------

ID: b4fc6c18-a622-498d-8f33-426225dfb22d  Synchronized: 6/27/2011 4:31:03 PM
ID: 943f1a54-245c-4b66-8127-90e7e71066de  Synchronized: 6/27/2011 4:31:03 PM
ID: 4be6b4ee-bb5d-4374-8eb0-a755f0b3350a  Synchronized: 6/27/2011 4:31:02 PM

------------------------------------------------------------------------------------------------------

change back the sync timing to 1 hour to avoid any conflicts.

Stsadm -o sync -synctiming H:1

Also try to Clear the SharePoint Configuration Cache.. refer here . Any issues share here your comments. Please note that you need to stop the windows sharepoint services timer job from services before clearing sharepoint config cache.

Modified AD attributes not in sync with SharePoint portal

Changes made in the User attributes of Active Directory are not reflected in SharePoint portal (MOSS2007)

Queries:

i) created a new User Property attribute and mapped it to the MiddleName. now can’t see it in the list when defining the column type as ‘Person or Group’.

ii) unable to pull the AD attributes and fields on intranet site

 

I have made a connection to our Active Directory and the Synchronization of profiles is working like a charm
Solution is:
Access the SharePoint CA (central admin) using the Farm Admin account,  under Shared Services Administration » select the SharedServices » click user profiles and properties »
click custom source »

and then EDIT the existing connection

just maintain the same fields except for the authentication information where you have to reapply the credentials preferably with domain power user rights.

and then click ok. After which you have to start the crawling services so that the AD fields are fetched immediately.. if on production environment please note to avoid such crawling (full or incremental) after business hours as this will utilise higher resource bandwidth.

the above screen-shots were the recommended solutions from microsoft recently on our portal which I have snipped from our prodcution servers to share with the SharePoint professionals.

leave your comments if interesting or need further descriptive solution.

-Rinith

Single signon issues with Sharepoint (MOSS2007)

for some reason if your sharepoint server or any other application server is creating an authentication issue (especially with credentials pop-up) please consider reading the below article which is already puplished at the microsoft site. re-registering will do no harm with the FQDN. I have highlighted the commands which you need to look at. let me know in case of any doubts which I would be happy to explain.

Kerberos Authentication and Delegation.. one of the areas which needs to be looked at

The Kerberos authentication protocol is a technology for single sign-on to network resources. This enables web parts to access remote resources i.e. it makes it possible for web part to access cube information from Analysis Services running on another machine then your SharePoint machine with logged on/page user identity.

All information in this document is based on following articles How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and Configure Kerberos Authentication for Analysis Services.

Requirements

• All accounts (including machine accounts) must belong to the same Windows 2000/2003/2008 based Active Directory domain (or to trusted domains in the same forest).
• User account (s) must allow delegation (default). The user account (s) you want to be delegated must have the Account Is Sensitive And Cannot Be Delegated option cleared (i.e. not checked). You'll find this property in Active Directory Users, under the Account property tab.
• If running Analysis Services 2000 you must have SP3 or higher. SP3 or higher version of PTS needs to be installed both on the server and on the client. In this case the client is the SharePoint Server.
• SPN (Service Principal Names) configuration utility. To configure SPN's you need the tool setspn.exe that can be downloaded from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp.
• For more in detail requirements please read following articles:

- Enabling Kerberos Authentication for Analysis Services 2000 or Analysis Services 2005

- How to configure a Windows SharePoint Services virtual server to use Kerberos authentication

Configuration

1.            Enable Kerberos in the IIS Metabase on your SharePoint machine

To configure a virtual server that is extended with Windows SharePoint Services to use Kerberos authentication, you must first enable Kerberos in IIS. To enable Kerberos on the virtual server, first you need to shutdown IIS (iisreset /stop in the command window) and then follow these steps:

a.     On your SharePoint server, start Notepad, and then open the \system32\inetsrv\Metabase.xml file located on the hard disk.

b.     In the <IIsWebServer> section, locate the following line:

NTAuthenticationProviders="NTLM"

Modify the line so that it reads exactly as follows:

NTAuthenticationProviders="Negotiate,NTLM"

c.     Save changes and then quit Notepad.

d.     Start IIS (Run iisreset /start in the command window).

2.            Configure SharePoint machine to be Trusted for Delegation

To configure your SharePoint server to be trusted for delegation, follow these steps:

a.     On the domain controller, start Active Directory Users and Computers.

b.     In the left pane, click Computers.

c.     In the right pane, right-click the name of your SharePoint server, and then click Properties.

d.     Click the Delegation tab (or General for WinSrv2000), click to select the Trust computer for delegation check box.

e.     Quit Active Directory Users and Computers.

3.            Configure the domain account to be trusted for delegation

This is only necessary if the application pool for your SharePoint service is running under a domain account. To configure the domain account to be trusted for delegation, follow these steps:

                  a.     On the domain controller, start Active Directory Users and Computers.

b.     In the left pane, click Users.

c.     In the right pane, right-click the name of the account that runs the SharePoint application pool, and then click Properties.

d.     Click the Delegation tab (or for WinSrv2000 Account tab) click to select the Account is trusted for delegation check box, and then click OK.

e.     Quit Active Directory Users and Computers.

4.            Configure Service Principal Names

You only have to configure SPN's if SharePoint Service and/or Analysis Services is running under a domain account (I.e. you do not have to perform this step if your services is running under a built-in security principal such as NT Authority\Network.

a.     Perform this step if SharePoint Services runs in a application pool under a domain account. Type the following line at the command prompt on your SharePoint machine, and then press Enter, where ServerName is the NETBIOS or DNS name of your SharePoint server machine, Domain is the name of your domain, and UserName is the name of the domain user account running your SharePoint Services application pool:

setspn -A HTTP/ServerName Domain\UserName

b.     Perform this step if Analysis Services runs under a domain account. Type the following line at the command prompt on your Analysis Services machine and then press Enter, where ServerName is the NETBIOS or DNS name of your Analysis Server machine, Domain is the name of your domain, and UserName is the name of the domain user account running your MSSQLServerOLAPService:

Analysis Services 2000: setspn -A MSOLAPSvc/ServerName Domain\UserName

Analysis Services 2000: setspn -A MSOLAPSvc.3/ServerName Domain\UserName

5.    Configure connection string for the data sources

Each data source definition must have the SSPI property set to Kerberos to enable Kerberos Authentication. Add ;SSPI=Kerberos; to the connection string on all defined data sources. See how to configure a data source. Note: To verify that Kerberos Authentication works for your OLAP server you can run the MDX sample application locally on the OLAP server. In the Connect dialog add the string ;SSPI=Kerberos after the server name and try to connect.

Example to register a Server Principal Name

Say your MSOLAPServices runs on a machine called IM-PROD and you've decided to run the service under a domain account named F.Lastname. In this case, you add a SPN (Service Principal Name) on your IM-PROD machine for MSOLAPSvc with F.Lastname as the service account:

setspn -A MSOLAPSvc/IM_PROD.Mydomain.com MyDomain\F.Lastname

setspn -A MSOLAPSvc/IM_PROD MyDomain\F.Lastname

this way you register with the AD

Register NETBIOS or/and DNS name

It can be convenient to use both NETBIOS and DNS name because it allows the client to specify either name, but bear in mind that NETBIOS names might not be unique across the directory and, if a duplicate SPN is found in the directory, authentication will fail. If you're worried about this, use only DNS names when registering SPNs, and make sure your clients always use the fully qualified DNS name when making authenticated connections to a server using Kerberos.

Replication of MOSS

most reliable replication application for MOSS. i use this to replicate production intranet to the BCP site.
DocAve v5.6 for SharePoint 2007 use Replicator license. http://www.avepoint.com

merry Christmas web parts to customised mysites

Download the .DWP (google to download), import the DWP file on your site and drag it onto the page. Let it snow! Merry Christmas and a happy new year to all of you!

Attatching a Content DB to a Web Application

For each Web Application you create in SharePoint, by default, there is a single Content DB that is assigned to it. Typically, the steps for creating a web application are as follows:

1. Launch your Central Administration web site.
2. On the Quick Launch bar to the left of the page, click on Application Management.
3. Under the SharePoint Web Application Management heading, click on Create or extend Web application.
4. Click on Create a new Web Applicaiton.
5. The Create New Web Application page requires some information before creating your new web application. I won’t go through all of this in detail, but let’s pay particular attention to the Database Name and Authentication section

Now once your content db has been created, you’ll need to go back to the Application Management screen. From there, try the following:

1. Click on Content databases.
2. On the right of the toolbar, look for the Web Application drop down. Make sure you change this to match the web app you’re trying to replace the content db for. I find that sometimes this is defaulted to the Central Admin web application which is not what we want.
3. Click on the database name link, this should bring up the Manage Content Database Settings page. Change your Database status to Offline and check Remove content database. Click OK. This content db shouldn’t contain anything since we just created this web application.
4. We should now be redirected back to the Manage Content Databases page. Click on Add a content database.
5. The only thing you need to change on this page is the Database Name field. Set this to the name of the content db you want to add. Set the search server and click OK.

Now typically this is a smooth operation, however, if you encounter the error below:

Attaching this database requires an upgrade, which could time out the browser session. You must use the STSADM command ‘addcontentdb’ to attach this database.

Open up a command prompt window, and type the following stsadm command deom the 12 hives folder:

stsadm -o addcontentdb -url http://server01/ -databasename WSS_Content

(Note: sometimes copy paste to command prompt produces ascii characters so better re-type - and quotes "" if any)

There are other arguments you can use for this command, to see a list of those, type:

stsadm -o addcontentdb

Once the command has completed successfully, try refreshing your site. If you have any issues at all with this, drop me a line.