Tuesday, 5 January 2016

Change SharePoint CentralAdmin APP pool account:

stsadm -o updatefarmcredentials -userlogin "AccountName" -password "Password"

Example:

stsadm -o updatefarmcredentials -userlogin "testdomain\spfarmapppool" -password "password"

Tuesday, 1 July 2014

Change CRM Application Pool Identity


Server Inventory:

2 WEB Server (CRM2011): web01.testdomain.local and web02.testdomain.local

1 APP Server + Backend Server (CRM2011): app01.testdomain.local

1 SQL Server: sql01.testdomain.local

1 AD Server with DC: ad01.testdomain.local
 
Organization Name: testorg

Apppool Identity of CRM application: testdomain\crmapppool1
Task: Change CRM app pool identity from testdomain\crmapppool1 to testdomain\crmapppool2 with least privilege.
 
Steps:

AD Level:
1. Check that the testdomain\crmapppool2 account is present in AD.
2. The password should be set to “no expire” (as per the organization's service account policy).
3. Add the testdomain\crmapppool2 account to the following AD groups in the CRM OU:
   PrivUserGroup
   SQLAccessGroup

CRM Web Server Level:
1. Grant this domain account Read access on the following subkey on the web01.testdomain.local and web02.testdomain.local servers:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM
2. Grant the testdomain\crmapppool2 account read and write permission on the Trace folder, located by default under \Program Files\Microsoft Dynamics CRM, on the web01.testdomain.local and web02.testdomain.local servers.
3. Add the testdomain\crmapppool2 account as a member of the following groups on the web01.testdomain.local and web02.testdomain.local servers:
   CRM_WPG
   IIS_Users
 
CRM App Server and Backend Server Level:
No action required.

CRM SQL Server Level:
No action required. SQL-level permissions are taken care of by the AD group mentioned in point 3 of the “AD Level” section, so you don't need to worry about database access for the new app pool account.

Next Steps:
* Permissions and access levels have been set up for the new app pool account, so now we can change the app pool identity.
* Log in to the web servers web01.testdomain.local and web02.testdomain.local one by one, open IIS, and change the app pool identity of the CRM application to the new account testdomain\crmapppool2.
* Once you change to the new identity, the testdomain\crmapppool2 account is automatically added to “Log on as a service” in the local group policy of the web servers. If you get an error, log in to the web server with admin access, open the local group policy (you can run secpol.msc), and add the testdomain\crmapppool2 account in the “Log on as a service” section.
* Activity completed. Try to access the http://mscrminternal.testdomain.com/testorg application.

Thanks. Please put your comments if you are facing any difficulties.
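
The "CRM Web Server Level" steps can be scripted and then verified. This is an added example, not part of the original post; the Trace folder path assumes the default install directory from step 2, and the group names are used exactly as step 3 lists them.

```powershell
# Added example, not from the original post. Run elevated on web01 and web02.
$Account  = 'testdomain\crmapppool2'
$RegPath  = 'HKLM:\SOFTWARE\Microsoft\MSCRM'
# Assumption: Trace folder in the default install directory named in step 2.
$TraceDir = Join-Path $env:ProgramFiles 'Microsoft Dynamics CRM\Trace'
$Groups   = 'CRM_WPG', 'IIS_Users'   # group names exactly as listed in step 3

# Step 1: read-only access on the MSCRM key, inherited by its subkeys.
$regAcl  = Get-Acl -Path $RegPath
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Account, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegPath -AclObject $regAcl

# Step 2: read and write on the Trace folder only (no Modify or FullControl).
$dirAcl  = Get-Acl -Path $TraceDir
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Read, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $TraceDir -AclObject $dirAcl

# Step 3: local group membership. net.exe exits non-zero if the account is
# already a member or the group does not exist, so report instead of stopping.
foreach ($group in $Groups) {
    net.exe localgroup $group $Account /add 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Check group '$group' manually (net exit code $LASTEXITCODE)"
    }
}

# Verification: list what the account was actually granted on each object.
foreach ($path in $RegPath, $TraceDir) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{ n = 'Path'; e = { $path } }, *Rights, AccessControlType, IsInherited
}
```

The verification output should show only ReadKey on the registry key and Read, Write on the Trace folder for the new account.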


Wednesday, 14 August 2013

Change Authentication Provider from NTLM to Kerberos for an existing SharePoint web application with PowerShell:


Get-SPWebApplication "http://webapplication" | Set-SPWebApplication -Zone "default" -AuthenticationMethod "Kerberos"

 

Wednesday, 24 July 2013

SSRS integration mode in SharePoint for new web application.


Once you have configured SSRS in integration mode, every new web application where you want to use SSRS needs an extra step. For each new site collection under the new web application, you have to go to SharePoint Central Admin and activate the feature from General Settings. You can go to the site collection level and activate the Reporting feature from there, but you also have to go to SharePoint Central Admin > General Application Settings > Reporting Services Integration and activate the feature from there as well. Why is this required? Because after you complete the Central Admin steps, you will notice that it shows the following message:

 Access for SSRS service account to farm successfully added.

But one question always comes to mind: why go to Central Admin and repeat this activity every time, if we only want to do it for a new web application? That is true. You can do it for the new web application alone with the following PowerShell commands. This way it will not impact other web applications that are already running.

PowerShell commands:

    # Site collection URL where you want to give access to the SSRS service account (placeholder).
    $SPSite = "http://webapplication"
    $webapp = Get-SPWebApplication $SPSite
    # Service account of SSRS (placeholder).
    $ApplicationAccount = "domain\ssrsserviceaccount"
    $webapp.GrantAccessToProcessIdentity($ApplicationAccount)

 

 

Other way:

Alternatively, go to Central Admin, select the web application under Application Management, and add the service account with FULL rights under the user policy setting.

 

Tuesday, 23 July 2013

Kerberos Authentication Setup in SharePoint Environment



Kerberos Authentication Setup at Small SharePoint Farm
Kerberos setup is really easy. Once you know what happens in every step, you can set up Kerberos authentication without any problem. Here I am taking a small SharePoint environment with 1 APP server, 1 WEB server and 1 SQL server.

SharePoint Farm Topology:

1 APP Server: eg: app.domain.com
1 WEB Server: eg: web.domain.com
1 SQL Server: eg: sql.domain.com
SQL service is running with : domain\sqlservice
1 Central Admin: http://app.domain.com:8888
1 Web application (host header): http://testapp.domain.com
http://testapp.domain.com is running with app pool with domain account: domain\apppool
*No service here runs under a computer account, so we don't need computer account delegation.

End Result:

Set up Kerberos authentication only for the web application (not for Central Admin; in some scenarios it is required, but I am not covering that here).

Major Steps:

1. Create SPN for app pool account.
2. Create SPN for SQL server service account.
3. Trust for delegation of app pool account.
4. In Central Admin, go to the web application properties and, as per zone, set Negotiate authentication for the web application.

Create SPN for app pool account:
The application (http://testapp.domain.com) runs under the domain\apppool account, so we have to create an SPN for the application pool account. Syntax as below:
App Pool Account: domain\apppool
Application: http://testapp.domain.com
You can use PowerShell, ADSI Edit or the Command Prompt to create these SPNs.
SPN:
HTTP/testapp.domain.com domain\apppool
(*If you are using a port number, you can use the syntax HTTP/servername.domain.com:portno domain\apppool, e.g. HTTP/webapp1:4444 domain\webapppool1 and HTTP/webapp1.domain.com:4444 domain\webapppool1. It is best practice to create both SPNs, with the server name and with the fully qualified name.)

Create SPN for SQL server service account:
Check which account the SQL service is running with; in my example it is running with domain\sqlservice.
SPNs:
Setspn -S MSSQLSvc/sql.domain.com domain\sqlservice
Setspn -S MSSQLSvc/sql.domain.com:1433 domain\sqlservice
(*The default SQL port is 1433; if you have a different port number, modify accordingly.)

Trust for delegation of app pool account:
Once you create an SPN for an account, the Delegation tab becomes active in the account properties.
Trust the app pool account domain\apppool for delegation: go to Active Directory and make the following change for the domain\apppool account.
Under the Delegation tab:
Select "Trust this user for delegation to any service (Kerberos only)".

In Central Admin, go to the web application properties and, as per zone, set Negotiate authentication for the web application:
Log in to Central Admin.
Go to the web application properties and set Negotiate authentication for the web application (http://testapp.domain.com).
The Kerberos setup is now done.
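
A check of the SPN and delegation steps above, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module is available and uses the post's example accounts and SPNs; "Trust this user for delegation to any service" appears in the output as TrustedForDelegation, next to any constrained delegation targets.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Account names and SPNs are the post's examples.
$expected = @{
    'apppool'    = @('HTTP/testapp.domain.com')
    'sqlservice' = @('MSSQLSvc/sql.domain.com', 'MSSQLSvc/sql.domain.com:1433')
}

$spnReport = @()
$delegationReport = @()
foreach ($sam in $expected.Keys) {
    $user = Get-ADUser -Identity $sam -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    foreach ($spn in $expected[$sam]) {
        # Each SPN must be registered on exactly one account in the domain.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        $state = 'OK'
        if ($owners.Count -eq 0) { $state = 'MISSING' }
        elseif ($owners.Count -gt 1) { $state = 'DUPLICATE' }
        elseif ($owners[0].DistinguishedName -ne $user.DistinguishedName) { $state = 'WRONG ACCOUNT' }
        $spnReport += [pscustomobject]@{ Account = $sam; SPN = $spn; State = $state }
    }

    $delegationReport += [pscustomobject]@{
        Account              = $sam
        # True when "Trust this user for delegation to any service" is selected.
        TrustedForDelegation = $user.TrustedForDelegation
        ProtocolTransition   = $user.TrustedToAuthForDelegation
        # Populated only when delegation is limited to specific services.
        AllowedToDelegateTo  = $user.'msDS-AllowedToDelegateTo' -join '; '
    }
}

$spnReport | Format-Table -AutoSize
$delegationReport | Format-Table -AutoSize
```

With the steps in this post applied, every SPN row should read OK and only the apppool account should show TrustedForDelegation as True.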

Testing:
You can use Fiddler or another Kerberos tester tool. But the best way is to open Event Viewer (eventvwr) on the web server: under Security you can see that Kerberos authentication is displayed for user logons.
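
The Event Viewer check can also be run as a query, shown here as an added example that is not part of the original post. It assumes the logons are recorded as Security event 4624 (successful logon) on the web server; the one-hour window is an arbitrary choice.

```powershell
# Added example, not from the original post. Run elevated on the web server.
$since  = (Get-Date).AddHours(-1)   # assumption: look at the last hour only
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $since
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    if ($data['LogonType'] -ne '3') { continue }   # network logons only

    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Package = $data['AuthenticationPackageName']   # Kerberos or NTLM
        Source  = $data['IpAddress']
    }
}

# Summary by authentication package, then the logons that still used NTLM.
$logons | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize
$logons | Where-Object { $_.Package -eq 'NTLM' } |
    Sort-Object Time -Descending | Format-Table Time, User, Source -AutoSize
```

User logons to the web application that still appear under NTLM after the change point at a missing or duplicate SPN, or at a client that cannot reach a domain controller.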

Monday, 28 January 2013

Sign in as a different user in share point 2013

Solution: 


Open Welcome.ascx from \15\TEMPLATE\CONTROLTEMPLATES\Welcome.ascx

Add the following code there.

<SharePoint:MenuItemTemplate runat="server" ID="ID_LoginAsDifferentUser"
 Text="<%$Resources:wss,personalactions_loginasdifferentuser%>"
 Description="<%$Resources:wss,personalactions_loginasdifferentuserdescription%>"
 MenuGroupId="100"
 Sequence="100"
 UseShortId="true"
 />

Save and try to browse the site again.

*Please note that this will impact the whole farm, so only go with this if you need it everywhere.



Thanks.

Saturday, 26 January 2013

SharePoint 2013: This SQL Server instance does not have the required "max degree of parallelism" setting of 1


When running the Configuration Wizard or PowerShell, you can get the following error if you are configuring least-privilege account permissions.

Error:

New-SPConfigurationDatabase : This SQL Server instance does not have the required "max degree of parallelism"
setting of 1. Database provisioning operations will continue to fail if "max degree of parallelism" is not set 1....



What is Parallelism and what is the Role?


This option sets the maximum number of processors SQL Server can use for one query. If SQL Server has to bring back a lot of data (lots of rows) for a query, it sometimes makes sense to break the query down into a number of smaller queries, each returning a subset of the total rows. This way SQL Server can make use of more than one processor, and hence on multi-processor boxes it can potentially return a lot of rows more quickly, for a given query, than it can on a single-processor box.

Reason of the error:

The default setting for this in SQL Server is 0, and for SharePoint 2010 it doesn't need to change.

But in SharePoint 2013 you need to change it to 1. Only then can you create the config database and complete the installation.



Resolution:

1. Log in to SQL Server using Management Studio.

2. Right-click the SQL Server instance and select Properties.

3. Under Advanced, locate Max Degree of Parallelism under the Parallelism section and switch the setting from 0 to 1.

4. Click OK and rerun the wizard.

Please note that the config DB is created at the time of the error. So before you run the wizard or PowerShell again after fixing the parallelism issue, don't forget to delete the old config DB that was created at the time of the error. Otherwise you will get an error.


Sometimes you don't get this error. That happens when the account running the wizard has sysadmin rights on the SQL Server: at configuration time the setting is then changed to 1 automatically. Once you follow the proper permission levels for the accounts, you will get this error.
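
The same change can be made once by a DBA so that the SharePoint setup account does not need sysadmin rights. This is an added example, not part of the original post; it assumes the Invoke-Sqlcmd cmdlet (SqlServer or SQLPS module) is installed, and $Instance is a placeholder for your SQL Server instance.

```powershell
# Added example, not from the original post. Run as a SQL Server sysadmin (DBA),
# not as the SharePoint setup account.
$Instance = 'SQLSERVER\INSTANCE'   # placeholder: your SQL Server instance

$readQuery = @"
SELECT CAST(value AS int) AS Configured, CAST(value_in_use AS int) AS Running
FROM sys.configurations
WHERE name = 'max degree of parallelism';
"@

$current = Invoke-Sqlcmd -ServerInstance $Instance -Query $readQuery
"Before: configured=$($current.Configured) running=$($current.Running)"

if ($current.Running -ne 1) {
    # 'max degree of parallelism' is an advanced option, so advanced options
    # must be visible to sp_configure before it can be changed.
    Invoke-Sqlcmd -ServerInstance $Instance -Query @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'max degree of parallelism', 1; RECONFIGURE;
"@
    $current = Invoke-Sqlcmd -ServerInstance $Instance -Query $readQuery
    "After:  configured=$($current.Configured) running=$($current.Running)"
}

# Databases created in the last 24 hours, to help spot a config DB left behind
# by the failed run. Review the list; nothing is dropped here.
Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT name, create_date FROM sys.databases
WHERE create_date > DATEADD(hour, -24, GETDATE())
ORDER BY create_date DESC;
"@ | Format-Table -AutoSize
```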