Monday, November 15, 2010

Not able to log in to claims-based auth web apps in SharePoint 2010

Hi, till yesterday I was able to log in to the claims-based web apps on my SharePoint 2010 server, but today they are giving the error mentioned below, even though the classic mode auth web apps are running fine.

Nor does it allow activating/deactivating any feature on a site collection under the claims-based web app; the same error appears in the event log:

Please help.

Error message in Event Viewer:

Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Date:          10/8/2010 1:30:59 PM
Event ID:      8311
Task Category: Topology
Level:         Error
Keywords:
User:          SHAREPOINT2010\administrator
Computer:      sharepoint2k8.sharepoint2010.com
Description:
An operation failed because the following certificate has validation errors:

Subject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US
Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
Thumbprint: 85F230FF68A8107A14667844D6741A6C2199C60E

Errors:

UntrustedRoot: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
OfflineRevocation: The revocation function was unable to check revocation because the revocation server was offline.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8311</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2010-10-08T08:00:59.446924300Z" />
<EventRecordID>524180</EventRecordID>
<Correlation ActivityID="{87C3E3A1-1134-43A6-A06E-150BA71C73C8}" />
<Execution ProcessID="6052" ThreadID="1540" />
<Channel>Application</Channel>
<Computer>sharepoint2k8.sharepoint2010.com</Computer>
<Security UserID="S-1-5-21-2138102958-2007814619-3387492156-500" />
</System>
<EventData>
<Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string2">85F230FF68A8107A14667844D6741A6C2199C60E</Data>
<Data Name="string3">UntrustedRoot: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
OfflineRevocation: The revocation function was unable to check revocation because the revocation server was offline.
</Data>
</EventData>
</Event>

Reply 1

Hi,

Your certificate is no longer valid. Please visit the link below for details of the certificate errors.

http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509chainstatusflags.aspx

Please follow http://technet.microsoft.com/en-us/library/cc700843.aspx for troubleshooting.

Pathik Rawal Blog: http://pathikhrawal.wordpress.com
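An added example, not part of the thread: a small Python parser for the Event XML shown above that pulls the subject, issuer, thumbprint and the X509ChainStatusFlags names out of an 8311 event and orders them so the likely root cause (an untrusted root or a certificate outside its validity period) is looked at before the revocation flags, which normally only follow from it. The XML sample is the event from the post, trimmed to the elements used; the hint texts and the ordering rule are my own.

```python
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: the 8311 event from the post, trimmed to the elements used here.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>8311</EventID><Computer>sharepoint2k8.sharepoint2010.com</Computer></System>
<EventData>
<Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string2">85F230FF68A8107A14667844D6741A6C2199C60E</Data>
<Data Name="string3">UntrustedRoot: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
OfflineRevocation: The revocation function was unable to check revocation because the revocation server was offline.
</Data>
</EventData>
</Event>"""

# Triage hints per X509ChainStatusFlags name (my wording); the two revocation flags are
# usually side effects of an untrusted or expired chain rather than the root cause.
FLAG_HINTS = {
    "NotTimeValid": "certificate outside its validity period, or server clock skew",
    "UntrustedRoot": "issuing root not present in the machine's trusted root store",
    "RevocationStatusUnknown": "revocation lookup failed; secondary symptom",
    "OfflineRevocation": "revocation server unreachable; secondary symptom",
}
PRIMARY_FLAGS = ("NotTimeValid", "UntrustedRoot")

def parse_event_8311(xml_text):
    """Return subject, issuer, thumbprint and chain-status flag names from an 8311 event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext(f"{EVENT_NS}System/{EVENT_NS}EventID")
    if event_id != "8311":
        raise ValueError(f"not an 8311 certificate validation event: {event_id}")
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVENT_NS}Data")}
    flags = []
    for line in data.get("string3", "").splitlines():
        name, sep, _ = line.strip().partition(":")
        if sep and name.isalnum():  # lines look like "<FlagName>: <message>"
            flags.append(name)
    return {"subject": data.get("string0", ""), "issuer": data.get("string1", ""),
            "thumbprint": data.get("string2", "").upper(), "flags": flags}

def triage(parsed):
    """Return (flag, hint) pairs with the likely root cause first."""
    ordered = [f for f in parsed["flags"] if f in PRIMARY_FLAGS]
    ordered += [f for f in parsed["flags"] if f not in PRIMARY_FLAGS]
    return [(f, FLAG_HINTS.get(f, "see X509ChainStatusFlags")) for f in ordered]
```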

Thursday, October 21, 2010

Custom actions on workflow suspended, SharePoint 2010

Hi

I need a few custom actions, like sending emails and a few log updates using Enterprise Library. What will be the best approach for this?

Will SPWorkflowEventReceiver > WorkflowPostponed solve my purpose?

If yes, is there any alternate solution possible?


Reply 1

Sending emails from the custom actions sounds like a custom application page to me.

SharePoint Solution Architect, Developer

Thursday, October 7, 2010

A primary AD group should not be added to a SharePoint site group...

Hi

As per http://msdn.microsoft.com/en-us/library/bb975136%28office.12%29.aspx and the problem we are facing:

Primary group membership In Active Directory, each user has a primary group. When the LDAP Role provider is used with Active Directory, a user's primary group is not included in the list of roles for the user. By default, a user's primary group is the Domain Users group. As a result, the Domain Users group is not a good choice to add to a SharePoint group when you are provisioning permissions because unless the user's primary group is changed, no user is returned in the membership of that role. For more information, see the primaryGroupID attribute in User Security Attributes.

 

My requirement is:-

I have added user 'us1' to an AD group 'ADG1'. The AD group (via FBA) is added to the SharePoint site group "SiteGroup1". The SharePoint site group "SiteGroup1" has 'view only' rights on a subsite in my SharePoint portal, "Mysite1".

Problem:

When user 'us1' tries to access my subsite "Mysite1" on my FBA portal, he is not authorized to access it.

Any clues how to get it working?


Reply 1

Hi,

Please grant SiteGroup1 'full control' and try again.

If you get the same result, please check your FBA configuration settings.

Here is a useful article:

http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx

Hope it is helpful!

Seven

Reply 1.1

Hi

It's not about giving Full Control or View Only.

Suppose a user has rights on the site by being part of an AD group, and this AD group is his primary group.

The AD group is added to the SharePoint site group.

But as per the link I had given, the user does not have the rights given by the SharePoint site group, since LDAP does not retrieve this user under the given role, because his membership is through the primary group in AD.

Reply 1.1.1

Hi,

From the link you gave, the thing is that only the Domain Users group will be unavailable to the SharePoint site, since it is the default primary group. If you add this group to the SharePoint site, only the users who have changed their primary group will receive the role from this group in the SharePoint site. For other primary groups you have set for some users, there is no such limitation.

If the need in your post is still not met, please check your FBA configuration settings as I have mentioned.

Hope it is helpful!

Seven

Reply 1.1.1.1

Hey Seven, you could replicate the exact scenario and verify what I meant here. I am not pointing out the specific group which is the primary group for all users by default.

It's that primary AD groups should not be used for providing rights, as far as I have understood till now. The reason being: if a user is a member of a group, and this group is also the primary AD group for this user, and we add this primary group to a SharePoint site group, that's not enough; the user still does not have the intended rights!
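An added example (not from the thread) in Python, modelling the behaviour the thread argues about: a role lookup built only on a user's memberOf attribute never sees the user's primary group, because Active Directory records that one membership only in primaryGroupID; rebuilding the group SID as <domain SID>-<primaryGroupID> and adding that group gives the complete role list. The directory snapshot, the domain SID and the RID 1105 for ADG1 are constructed placeholders; 513 is the well-known RID of Domain Users.

```python
# Constructed placeholder domain SID; not a value from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS_RID = 513  # well-known RID of Domain Users, the default primaryGroupID

# Constructed directory snapshot: us1 is in ADG1 via memberOf (primary group still
# Domain Users); us2 had ADG1 made his primary group, so AD keeps that membership
# only in primaryGroupID and ADG1 no longer appears in memberOf.
GROUPS = {
    "CN=ADG1,OU=Groups,DC=example,DC=local":
        {"objectSid": f"{DOMAIN_SID}-1105", "cn": "ADG1"},
    "CN=Domain Users,CN=Users,DC=example,DC=local":
        {"objectSid": f"{DOMAIN_SID}-{DOMAIN_USERS_RID}", "cn": "Domain Users"},
}
USERS = {
    "us1": {"memberOf": ["CN=ADG1,OU=Groups,DC=example,DC=local"], "primaryGroupID": 513},
    "us2": {"memberOf": [], "primaryGroupID": 1105},
}

def roles_from_member_of(user):
    """What a memberOf-only role provider reports: the primary group never appears."""
    return [GROUPS[dn]["cn"] for dn in USERS[user]["memberOf"]]

def primary_group_name(user):
    """Resolve primaryGroupID by rebuilding the group's SID as <domain SID>-<RID>."""
    target_sid = f"{DOMAIN_SID}-{USERS[user]['primaryGroupID']}"
    for attrs in GROUPS.values():
        if attrs["objectSid"] == target_sid:
            return attrs["cn"]
    raise LookupError(f"no group with SID {target_sid}")

def effective_roles(user):
    """memberOf groups plus the primary group, deduplicated, order preserved."""
    roles = roles_from_member_of(user)
    primary = primary_group_name(user)
    return roles if primary in roles else roles + [primary]

def members_of(group_cn):
    """Who actually holds a role when both membership sources are consulted."""
    return sorted(u for u in USERS if group_cn in effective_roles(u))
```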

Monday, August 9, 2010

'Microsoft.SharePoint.IdentityModel.SPClaimsUtility' does not contain a definition for 'AuthenticateFormsUser'

Hi

I am trying to use SPClaimsUtility for authenticating my user as per http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.identitymodel.spclaimsutility.authenticateformsuser.aspx .

But I get the error 'Microsoft.SharePoint.IdentityModel.SPClaimsUtility' does not contain a definition for 'AuthenticateFormsUser'.

In the object browser for Microsoft.SharePoint.IdentityModel.dll I am not able to find the definition for this static function.

What could be the possible cause?

Cheers-hemant


We could not solve the above problem, but I finally used the code mentioned below for FBA authentication:

Authenticate returns true or false according to whether the user is authenticated or not.


using System;
using System.IdentityModel.Tokens;
using System.Web;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.IdentityModel;
using Microsoft.SharePoint.Utilities;

// These are members of a custom login page (System.Web.UI.Page), so this.Context is available.

private SecurityToken GetSecurityToken(string loginName, string psswrd)
{
    // Asks the SharePoint STS for a token using the configured FBA membership and role providers
    return SPSecurityContext.SecurityTokenForFormsAuthentication(
        new Uri(SPContext.Current.Site.Url),
        "membershipprovidername", "roleprovidername", loginName, psswrd);
}

private bool Authenticate(string loginName, string psswrd)
{
    bool flag = false;
    SecurityToken securityToken = null;

    // Both values are required (the original tested with &&, which only caught both missing)
    if (string.IsNullOrEmpty(loginName) || string.IsNullOrEmpty(psswrd))
    {
        throw new ArgumentException("Please provide username and password");
    }

    using (new SPMonitoredScope("Retrieve security token and establish session."))
    {
        securityToken = this.GetSecurityToken(loginName, psswrd);
        if (securityToken == null)
        {
            flag = false;
        }
        else
        {
            this.EstablishSessionWithToken(securityToken);
            flag = true;
        }
    }
    return flag;
}

internal void EstablishSessionWithToken(SecurityToken securityToken)
{
    if (securityToken == null)
    {
        throw new ArgumentNullException("securityToken");
    }

    // The claims module is registered in web.config under the name "FederatedAuthentication"
    SPFederationAuthenticationModule fam =
        this.Context.ApplicationInstance.Modules["FederatedAuthentication"] as SPFederationAuthenticationModule;
    if (fam == null)
    {
        throw new ArgumentException(null, "FederationAuthenticationModule");
    }

    //Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(delegate
    //{
    // Sets the principal for this request and writes the FedAuth session cookie
    fam.SetPrincipalAndWriteSessionToken(securityToken, true, SPSecurityTokenServiceManager.Local.UseSessionCookies);
    //});
}

This function is not available in the beta version of SharePoint 2010. In the licensed version DLL, the reference is there.

Further, the alternative code mentioned above has a minor change with respect to the licensed version of the new DLL:

fam.SetPrincipalAndWriteSessionToken(securityToken);

instead of

fam.SetPrincipalAndWriteSessionToken(securityToken, true, SPSecurityTokenServiceManager.Local.UseSessionCookies);

Further, we may like to have our own custom sign out:


using System;
using System.Web;
using System.Web.Security;

protected void lnkBtnSignOut_Click(object sender, EventArgs e)
{
    HttpContext httpCntxt = HttpContext.Current;

    //Signing out (this also expires the .ASPXAUTH forms ticket)
    FormsAuthentication.SignOut();

    //Request.Cookies.Clear();

    // nullifies current context
    HttpContext.Current = null;

    //refills current context
    HttpContext.Current = httpCntxt;

    //abandons user's session
    Session.Abandon();

    //Clears authentication cookies if present. The check is made against Request.Cookies:
    //indexing Response.Cookies by name creates the cookie, so that test was always true.
    foreach (string cookieName in new[] { "FedAuth", ".ASPXAUTH" })
    {
        if (Request.Cookies[cookieName] != null)
        {
            // Overwrite the browser's copy with an already expired cookie
            HttpCookie expired = new HttpCookie(cookieName, string.Empty);
            expired.Expires = DateTime.Now.AddDays(-1);
            Response.Cookies.Add(expired);
        }
    }

    //Redirects to login page
    FormsAuthentication.RedirectToLoginPage();
}


Reply 1 by http://social.technet.microsoft.com/profile/shantha%20kumar/?ws=usercard-mini

Hi,

This error occurs because you don't have Microsoft.SharePoint.IdentityModel.dll as a reference in your project.

If you need that, search for that DLL under the installation drive (C:\Windows).

For me, that DLL appears under (C:\Windows\Installer\$PatchCache$\Managed\00004109410100000100000000F01FEC\14.0.4763 )

Copy that DLL and paste it somewhere, then add it as a reference in your project.

I hope this will help you.

Shantha Kumar T - MCTS

Monday, July 5, 2010

SharePoint publishing behaviour related to expiration - approved documents not set to draft sometimes

Hi

Query 1:-

Ours is a publishing portal. Most of the time it works, but there are instances when it does not.

There are a few documents in our doc library for which the expiration date is earlier than the current date, yet their moderation status is still Approved!

Could you please suggest what may be the reason for this?

Query 2:-

To expire a few pages with our code, we schedule the page to current time + 1 minute by a timer job. Most of the time it works fine, but there are a few instances for which the page file stays checked out by the System Account indefinitely. Sample code:-

using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Publishing;

/// <summary>
/// Expires the page by setting the Scheduled End Date to Current Time + 1 minute
/// </summary>
/// <param name="item">SPListItem that needs to be scheduled to expire</param>
private static void ExpireExistingPage(SPListItem item)
{
    try
    {
        ScheduledItem scheduledItem = null;
        if (ScheduledItem.IsScheduledItem(item))
        {
            scheduledItem = ScheduledItem.GetScheduledItem(item);
            // Only touch pages with no expiration date yet, or whose expiration is still in the future
            if (scheduledItem.ListItem.Properties["PublishingExpirationDate"] == null
                || DateTime.Parse(scheduledItem.ListItem.Properties["PublishingExpirationDate"].ToString()) > DateTime.Now)
            {
                // CheckOutPage, LogInFile, EXPIRE_SUCCESSFULLY_MSG and CommonEnums are helpers from our own solution
                if (CheckOutPage(item.File))
                {
                    scheduledItem.EndDate = DateTime.Now.AddMinutes(1);
                    scheduledItem.ListItem.Update();
                    scheduledItem.Schedule();
                    string expireSuccessfullMsg = string.Format(EXPIRE_SUCCESSFULLY_MSG, item.ContentType.Name, item.Title);
                    LogInFile(expireSuccessfullMsg, CommonEnums.LogEntryType.Information);
                }
            }
        }
    }
    catch (Exception ex)
    {
        LogInFile(ex.Message, CommonEnums.LogEntryType.Exception);
    }
}

Reply 1 by http://social.technet.microsoft.com/profile/aryan30/?ws=usercard-mini

Hi Hemant,

A possible reason for some pages not expiring could be that you might have been setting the wrong time in the End Date field and doing a System Update after that.

Can you try updating (using System Update) the end date to the past, say 1 day before, and check whether SharePoint expires that page?

Another reason could be that some particular field within SharePoint didn't get updated during the update of the time (due to some async MOSS event or something like that).

Can you try removing all other code from your code except the setting of the end date? Do you still find some pages which didn't expire?

Seems to be some trick of asynchronous MOSS events which are overlapping with each other. Try giving sleep time between these events and check if the checked-out error gets solved. Sleep time should vary from 1-4 secs.

Monday, June 21, 2010

Microsoft.SharePoint.WebPartPages.ToolPart, page needs a refresh to apply changes back to web part

Hi

 

I have a problem with a custom tool part. The page needs a refresh before the changes are actually visible in the web part.

Either the user has to hit Apply then OK in the tool part, or after directly hitting OK he needs to refresh the page.

It seems CreateChildControls of the web part is being called before ApplyChanges of the tool part.

Any pointers?

Reply 1

This is a common issue with custom properties in a SharePoint web part.

Just try calling the method that modifies your custom property in the PreRender event.

For more, check these links:

http://social.msdn.microsoft.com/Forums/en-US/sharepointdevelopment/thread/6445d939-05da-4ce9-a2cf-3e9fe28b98ee

http://social.msdn.microsoft.com/Forums/en-US/sharepointdevelopment/thread/5b85a5dc-37aa-49d7-a741-d40c7bd2bd0c

BR, PM

Reply 2

Hi

Thanks for your guidance,

I had to use a property from the custom tool part in a script in the user control (inside our web part).

Calling my RegisterStartupScript inside OnPreRender in the user control solved my problem.

Thanks

Reply 3

Awesome news!!

BR, PM


Friday, June 11, 2010

How can I find the currently logged-in user of an extended web application through ASP.NET code?

I have created a web application http://spserver:19578 and then extended it to http://spserver:19579.

Now I am currently logged in as ali to http://spserver:19579. I write the following code:

// SPSite and SPWeb are IDisposable; the original did not dispose them
using (SPSite sitecollection = new SPSite("http://spserver:19579"))
using (SPWeb web = sitecollection.AllWebs["/"])
{
    SPUser user = web.CurrentUser;
    lblUser.Text = user.Name;   // lblUser is a Label on the page
}

but it returns System Account, and when I use LoginName instead of Name it returns SharePoint\system.

Note: I am using forms-based authentication in http://spserver:19579 and Windows authentication in http://spserver:19578.


Reply 1

Hey, try using SPContext.Current.Web.CurrentUser