Tag Archives: security

PowerShell script to disable Limited Access Lock Down mode for all Site Collections

I always like to make use of PowerShell to do stuff. When dealing with a lot of Site Collections, it is advisable to script the task rather than going through the UI one by one to configure them.

I had a requirement to take out the Limited Access Lock Down mode introduced in SharePoint 2013. A bit of introduction to this feature: it actually BLOCKS users from browsing a file (via the browser) or checking in/checking out a file (via an Office client such as Word).

limited access user permission lockdown mode

If you activate this lock down mode, SharePoint does not allow browsing of the parent, and hence you will receive an error when trying to edit a file via an Office client (even if you have Contribute permission to the file itself!). If you are only allowing your users (usually external users, or someone who does not have permission to the entire web or document library) to read the file, you do not need to deactivate this.

In my environment it is much more complicated: some users can only edit a file from another Sub Site or Site, and Content Owners always assign individual files for other sites’ users to edit. In this case, in order to allow a seamless experience, I need to make sure that this feature is deactivated on all site collections.

I came up with this short and sweet PowerShell script to help me. Hope it helps!


# Without -Limit All, Get-SPSite returns only the first 20 site collections
Get-SPSite -Limit All | ForEach-Object {
  $site = $_
  # Get-SPFeature -Site lists the feature definitions currently active on that site collection
  Get-SPFeature -Site $site | Where-Object { $_.DisplayName -eq "ViewFormPagesLockDown" } |
    Disable-SPFeature -Url $site.Url -Confirm:$false
  $site.Dispose()
}

P.S. Run it via the SharePoint Management Shell. Otherwise you need to add “Add-PSSnapin Microsoft.SharePoint.PowerShell” at the start of this script.
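An added audit script (not part of the original post) that reports each site collection’s lock-down state and how many principals on its root web hold nothing but Limited Access, so you can decide where the one-liner above is actually needed. It assumes the SharePoint Management Shell.

```powershell
# Added example: report, rather than disable, the lock-down state of every
# site collection, plus the number of "Limited Access" only principals that
# the lock-down would affect.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-LockDownReport {
    # Feature definition behind "Limited-access user permission lockdown mode"
    $featureName = "ViewFormPagesLockDown"

    Get-SPSite -Limit All | ForEach-Object {
        $site = $_
        try {
            # Get-SPFeature -Site only lists features that are active on the site
            $active = Get-SPFeature -Site $site -ErrorAction SilentlyContinue |
                      Where-Object { $_.DisplayName -eq $featureName }

            # Role assignments on the root web whose only binding is "Limited Access";
            # these are the principals the lock-down stops from browsing the parent
            $limited = @($site.RootWeb.RoleAssignments | Where-Object {
                $_.RoleDefinitionBindings.Count -eq 1 -and
                $_.RoleDefinitionBindings[0].Name -eq "Limited Access"
            })

            New-Object PSObject -Property @{
                Url                  = $site.Url
                LockDownActive       = [bool]$active
                LimitedAccessEntries = $limited.Count
            }
        }
        finally {
            $site.Dispose()
        }
    }
}

Get-LockDownReport |
    Sort-Object LimitedAccessEntries -Descending |
    Format-Table Url, LockDownActive, LimitedAccessEntries -AutoSize
```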

SharePoint Search Content Source Crawl Log Access Denied

I had the following issue when setting up the SharePoint 2013 Search Service Application.

Whenever I started a full crawl of my content sources, after a certain time (usually the next day) the Content Sources page and the Crawl Log would give “Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))”.
search service application content source access denied

Checking the Search instance server’s Application Log, you can see the following error:

The Execute method of job definition Microsoft.Office.Server.Search.Administration.IndexingScheduleJobDefinition (ID e611e95c-dc0a-40ee-a3a3-c58f2099c2d1) threw an exception. More information is included below.

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Event ID 6398

Subsequently, go to the Central Administration page > Timer Jobs to look for the respective timer job.

The “Indexing Schedule Manager on xxxServerNamexxx” job was found failing miserably, every 5 minutes.

It was then found that some users had this issue previously, and it has got something to do with the TASKS folder in C:\WINDOWS.

sharepoint search windows task access denied issue

In case you do not have the history of your domain GPO: this particular folder was previously a target of the Conficker worm. Refer here. MS recommended changing the permissions of this folder, which then conflicts with the requirements of the SharePoint Search Service.

If you are interested in checking your own GPO settings, you can simply run “rsop.msc” from the RUN command on your server, and you should be able to see the settings made as per below.

sharepoint search windows task access denied issue conflicker


Workaround

In order to solve the issue, you have to get your AD GPO team to remove this setting from your SharePoint servers, explicitly for this requirement; otherwise your search cannot crawl.

As a temporary solution, you have to change the owner of this TASKS folder and grant WSS_WPG at minimum “Read” and “Write” access.

Fingers crossed.
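An added check (not from the original post) for the temporary workaround above: it reads the ACL of the Tasks folder and reports whether the local WSS_WPG group still holds Read and Write, which is what the Conficker-era GPO strips and the crawler depends on. Folder path and group name are the defaults the post refers to; Deny entries for the group are counted as missing rights.

```powershell
# Added example: verify WSS_WPG has at least Read + Write on %windir%\Tasks
function Test-TasksFolderAcl {
    param(
        [string]$Path  = "$env:windir\Tasks",
        [string]$Group = "$env:COMPUTERNAME\WSS_WPG"
    )
    $acl = Get-Acl -Path $Path

    # Minimum the post asks for on the folder
    $required = [int]([System.Security.AccessControl.FileSystemRights]::Read -bor
                      [System.Security.AccessControl.FileSystemRights]::Write)
    $granted = 0
    $denied  = 0
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Group) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$ace.FileSystemRights
        } else {
            $denied = $denied -bor [int]$ace.FileSystemRights
        }
    }
    # Required bits that are not allowed, or that are explicitly denied
    $missing = ($required -band (-bnot $granted)) -bor ($required -band $denied)

    New-Object PSObject -Property @{
        Path    = $Path
        Owner   = $acl.Owner
        Group   = $Group
        Granted = [System.Security.AccessControl.FileSystemRights]$granted
        Missing = [System.Security.AccessControl.FileSystemRights]$missing
        Ok      = ($missing -eq 0)
    }
}

$result = Test-TasksFolderAcl
$result | Format-List Path, Owner, Group, Granted, Missing, Ok
if (-not $result.Ok) {
    Write-Warning "$($result.Group) is missing '$($result.Missing)' on $($result.Path); run rsop.msc to find the GPO that sets it."
}
```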

Target Audience in Web Part Property is missing.

Or rather, how to prevent the Target Audience feature in a Web Part from going missing.

I bumped into this problem when I wanted to set a web part to show only to a certain group of users.

Checking the Web Part properties does not show the Target Audience field. The behaviour of this Target Audience web part property is that it is shown (which we thought was supposed to be the default) only when there is a User Profile Service Application associated with your web application (which usually is provisioned automatically if you configure the farm via the wizard).

user profile service application association

One reason for not associating it is to prevent users from accessing My Site when they hit the “About Me” site action menu.

about me

For some reason, this also turns off Target Audience in the Web Part. So, in order to turn the target audience feature back on, here are the steps.

Resolution:

  1. Go to SharePoint Central Admin
  2. Go to Application Management and hit “Configure service application associations”
  3. In your web application row, hit the application proxy group to show the associations.
  4. Tick “User Profile Service Application” and hit OK.
  5. Your web part should immediately show the Target Audience property.

web part property target audience sharepoint
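The same association done in PowerShell, as an added example (not the post’s own code), so it can be checked or repeated across web applications. The web application URL is an assumed placeholder; the proxy group used is whichever one the web application is already associated with.

```powershell
# Added example: associate the User Profile Service Application proxy with a
# web application's service application proxy group (steps 2 to 4 above).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Add-UpaProxyAssociation {
    param([Parameter(Mandatory=$true)][string]$WebAppUrl)

    $webApp = Get-SPWebApplication -Identity $WebAppUrl
    # The proxy group the web application is associated with (normally "[default]")
    $proxyGroup = $webApp.ServiceApplicationProxyGroup

    $upaProxy = Get-SPServiceApplicationProxy |
        Where-Object { $_.TypeName -like "User Profile Service Application Proxy*" } |
        Select-Object -First 1
    if (-not $upaProxy) {
        throw "No User Profile Service Application proxy exists in this farm."
    }

    $already = $proxyGroup.Proxies | Where-Object { $_.Id -eq $upaProxy.Id }
    if ($already) {
        Write-Host "$WebAppUrl is already associated with '$($upaProxy.Name)'."
        return $false
    }

    # Equivalent of ticking "User Profile Service Application" in Central Admin.
    # As the post notes, this also brings back the My Site "About Me" link.
    Add-SPServiceApplicationProxyGroupMember -Identity $proxyGroup -Member $upaProxy
    Write-Host "Associated $WebAppUrl with '$($upaProxy.Name)'."
    return $true
}

Add-UpaProxyAssociation -WebAppUrl "http://yourwebapp"   # assumed placeholder URL
```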


How to enable Remote Desktop for your Computer/Server

To most of the IT guys out there, I believe this is quite a common thing you may have bumped into, and believe me, sometimes you think you have done it right and still cannot get it working.

Let me note down all the steps you need to do in order to allow RDP to your server (from some machine within the same network).

Most people already know steps 1 and 2. What is usually lacking, and what you may not know, is step 3 (Firewall!).

Firewall (image)

Photo credits to www.clker.com

Step 1: Allow remote connections to this computer and grant login for RDP

  1. Open RUN, enter “sysdm.cpl” and click the “Remote” tab.
    Alternatively, go to Explorer (Windows + E), right click anywhere, select Properties and click “Remote Settings” on the left panel.
  2. You should see the System Properties panel as shown below.
    remote desktop allow remote connections
  3. Check “Allow remote connections to this computer”. Refer here for the option “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”.
  4. Click “Select Users” and add any users you want to allow remote connections for. If it is for your own usage, you may just leave this empty. In a scenario where you need to allow multiple users to access your computer using different accounts, you need to create local users and add them here. In the even more common scenario where your computer/server is joined to a domain, you can add the domain user accounts here for remote access.

Step 2: Security Policy

  1. At times, your server may need to join a domain. Some domain policies may configure the security policy to harden all domain servers. In this case, check your local security policy and see whether “Allow log on through Remote Desktop Services” includes the login you are gonna use. For simplicity, unless stated otherwise, use the Administrators group, which by default is granted permission to RDP.
  2. To check, open RUN and fire “secpol.msc”.
  3. Navigate the left panel to “Security Settings” > “Local Policies” > “User Rights Assignment”.
  4. Look for “Allow log on through Remote Desktop Services” and see if your remote login is in this value. If not, “Please contact your server administrator” lol!


Step 3: Firewall!

  1. Open RUN and enter “wf.msc” (shortcut to Windows Firewall with Advanced Security).
  2. Click “Inbound Rules” in the left panel.
  3. Look for “Remote Desktop – User Mode (TCP-In)” and “Remote Desktop – User Mode (UDP-In)” and make sure they are both enabled. If not, right click and hit “Enable Rule”.


Once the steps above are done, open Remote Desktop Connection program (or “mstsc” in RUN), specify the computer/server IP and start RDP!
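An added, read-only check (not from the original post) of the things steps 1 and 3 configure: the “allow remote connections” and NLA settings, the members of the local Remote Desktop Users group, and the two Remote Desktop inbound firewall rules. It assumes Windows Server 2012 / Windows 8 or later, where the NetSecurity module (Get-NetFirewallRule) exists; the user right from step 2 is not covered here.

```powershell
# Added example: report RDP readiness without changing anything
function Test-RdpReadiness {
    $ts = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"

    # Step 1: "Allow remote connections to this computer" sets fDenyTSConnections to 0
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    # The NLA option is UserAuthentication on the RDP-Tcp listener (1 = required)
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication

    # Step 1 "Select Users": members of the local Remote Desktop Users group
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $members = @($group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    })

    # Step 3: both "Remote Desktop - User Mode" inbound rules must be enabled
    $rules = Get-NetFirewallRule -DisplayGroup "Remote Desktop" -ErrorAction SilentlyContinue |
             Where-Object { $_.Direction -eq "Inbound" }
    $disabled = @($rules | Where-Object { $_.Enabled -ne "True" } |
                  Select-Object -ExpandProperty DisplayName)

    New-Object PSObject -Property @{
        RemoteConnectionsAllowed = ($deny -eq 0)
        NlaRequired              = ($nla -eq 1)
        RemoteDesktopUsers       = $members
        DisabledInboundRules     = $disabled
        Ready                    = (($deny -eq 0) -and ($disabled.Count -eq 0))
    }
}

Test-RdpReadiness | Format-List RemoteConnectionsAllowed, NlaRequired, RemoteDesktopUsers, DisabledInboundRules, Ready
```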


SharePoint Limited Access Permission – Careful when using BreakInheritance

This post is for SharePoint developers or admins who deal with the SharePoint APIs (PowerShell or C#).

I have recently discovered a killer command in SharePoint that could ruin your SharePoint day. At times you will need to configure unique permissions on a document or file for content-sharing purposes. A typical feature your end users will ask for is to share a certain document or folder with only a certain group of people. Although it is recommended to share using SharePoint groups, which are more manageable in a big content management system, sometimes you prefer the easier way out and just assign to individual users. (Fewer groups to manage, and you CAN afford to lose the permissions when things go wrong… and yes, this post will tell you why and how it goes wrong.)

With the user-friendly SharePoint “Share With” feature, you can break inheritance, grant new user permissions and so on. You can’t stop users from doing it, because it is so apparent nowadays in SharePoint 2013.

break and grant permission

Or you can run a PowerShell script to get the ListItem (or, to be precise, an object of the SPSecurableObject base type), then execute $object.BreakRoleInheritance($false) and start adding SPRoleAssignment objects.

If you have noticed, this API:

void ISecurableObject.BreakRoleInheritance(bool copyRoleAssignments)


This method allows you to quickly remove all existing role assignments (inherited from the parent object) so that you can start adding the custom permissions you desire.

Important! This is extremely dangerous. Why? Because if you carefully loop through the $object.RoleAssignments (SPRoleAssignmentCollection) property, you will discover that some role definition bindings are named “Limited Access”. In SharePoint 2010 you can easily notice this definition on the permission settings page, whereas in SharePoint 2013 it is hidden by default (which is scarier, because you don’t even know of its existence).

Why is there this Limited Access permission? There are many articles out there telling you why. I’m not gonna cover that here.

But if you really intend to so-called cleanse the messy permission list that you have already added, the advice is: Don’t.

Let me give you an example of how this BreakInheritance way of breaking the parent permission can cause you problems.

By executing BreakRoleInheritance($false), you are technically removing ALL role assignments from this object, including the Limited Access permissions granted automatically by SharePoint. You will usually see a lot of Limited Access entries on document libraries and webs, because the children within them are likely to have been given unique custom permissions (at users’ request).

reset and break with false


For Example

  • Web 1 
    • Document Library A
      • Folder a (Break inheritance)
        • File
      • Folder b 

Assume you have “Folder a” with broken-inheritance permissions for UniqueUserA. Upon granting this unique permission, SharePoint automatically creates a role assignment for UniqueUserA with “Limited Access” permission on Web 1, because Document Library A inherits its permissions from Web 1 and hence the entry is added to Web 1 instead.

Then, somehow or other, you need to change (or script a change to) the permissions of the Web 1 object up there (the one with the Limited Access entry), by purging the Limited Access granted to UniqueUserA. The permission you granted previously to “Folder a” will be DELETED automatically! Yes, automatically, seamlessly, without your knowing.

And what is going to happen after that? Your lovely user UniqueUserA will email you, telling you that he has no permission to access the files in folder a. Not to mention if you have many unique permissions granted for sub-folders within that document library.

Now, the question you need to ask yourself is: how to still be able to remove existing permissions while preserving the uniquely configured child permissions.

I came up with a simple PowerShell script that allows me to clear the permissions. I think it can be easily translated into C# for a code-behind implementation.


#############################################################################
# Clearing Permission while keeping Limited Access user - Important #
#############################################################################
function ClearPermission
{
 Param([Microsoft.SharePoint.SPSecurableObject]$obj)

 # Never call BreakRoleInheritance($false) here: that drops the Limited Access
 # entries as well. If the object still inherits, copy the parent's assignments
 # first so they can be pruned one binding at a time.
 if (-not $obj.HasUniqueRoleAssignments)
 {
  $obj.BreakRoleInheritance($true);
 }

 $roleAssignments = $obj.RoleAssignments;
 $count = $roleAssignments.Count;
 # Indexed loops rather than foreach: removing from a collection while
 # enumerating it throws.
 for($i = 0; $i -lt $count ; $i++)
 {
  $roleAssignment = $roleAssignments[$i];
  $bindingCount = $roleAssignment.RoleDefinitionBindings.Count
  $clearCounter = 0;
  for($j = 0; $j -lt $bindingCount ; $j++)
  {
   $roleBinding = $roleAssignment.RoleDefinitionBindings[$clearCounter];
   if($roleBinding.Name -ne "Limited Access")
   {
    # Remove(int) removes the binding at that index; do not advance the index
    $roleAssignment.RoleDefinitionBindings.Remove($clearCounter);
   }
   else
   {
    # Keep Limited Access and move on to the next binding
    $clearCounter++;
   }
  }
  # Commit the binding changes of this role assignment
  $roleAssignment.Update();
 }
 $obj.Update();
}

What it simply does is loop through the role assignment collection and delete every binding except the one whose definition is Limited Access. Note that I do not loop via a ForEach loop, because while looping over the collection you cannot delete objects within it. You can try, and you will end up seeing an error.

How to use:

Add-PSSnapin Microsoft.SharePoint.PowerShell

$w = Get-SPWeb https://yoursite

ClearPermission $w;

#add your unique permission here.
#additional code to add a role assignment (permission)
$user = $w.EnsureUser("domainX\LoginNameY");
$roleAssignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user);
$roleDefinition = $w.RoleDefinitions["Full Control"]
$roleAssignment.RoleDefinitionBindings.Add($roleDefinition)
# The assignment must be added to the web's collection; creating it alone changes nothing
$w.RoleAssignments.Add($roleAssignment)
$w.Update();
$w.Dispose();

Hope it helps
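An added audit script (not the post’s own code) for the scenario above: before anyone touches the Limited Access entries on a web, it lists which uniquely permissioned lists, folders and items depend on each of them. This is the check that would have flagged “Folder a” for UniqueUserA. The web URL is an assumed placeholder; it walks the lists of that one web (not sub-webs), enumerating every item, so run it on large libraries with that cost in mind.

```powershell
# Added example: which child objects with unique permissions rely on each
# "Limited Access" entry of a web.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-LimitedAccessDependencies {
    param([Parameter(Mandatory=$true)][string]$WebUrl)

    $web = Get-SPWeb $WebUrl
    try {
        # Principals that hold Limited Access on the web itself
        $limitedLogins = @($web.RoleAssignments |
            Where-Object { @($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -contains "Limited Access" } |
            ForEach-Object { $_.Member.LoginName })

        # Every securable child with its own permissions: lists, folders, items
        $children = @()
        foreach ($list in $web.Lists) {
            if ($list.HasUniqueRoleAssignments) { $children += $list }
            foreach ($folder in $list.Folders) {
                if ($folder.HasUniqueRoleAssignments) { $children += $folder }
            }
            foreach ($item in $list.Items) {
                if ($item.HasUniqueRoleAssignments) { $children += $item }
            }
        }

        foreach ($login in $limitedLogins) {
            $dependents = @()
            foreach ($child in $children) {
                # A direct role assignment on the child is what the Limited Access entry supports
                $hit = $child.RoleAssignments | Where-Object { $_.Member.LoginName -eq $login }
                if ($hit) {
                    $name = if ($child -is [Microsoft.SharePoint.SPList]) {
                        $child.RootFolder.ServerRelativeUrl
                    } else {
                        $child.Url
                    }
                    $dependents += $name
                }
            }
            New-Object PSObject -Property @{
                Login       = $login
                Dependents  = $dependents
                SafeToPurge = ($dependents.Count -eq 0)
            }
        }
    }
    finally {
        $web.Dispose()
    }
}

Get-LimitedAccessDependencies -WebUrl "https://yoursite" | Format-List Login, Dependents, SafeToPurge
```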

Setting up a Single-box SharePoint 2013 Virtual Machine.

First things first, below are some files you would need in order to set up your own SP2013 environment: VMware Workstation 9 – here; SharePoint 2013 – here; SQL 2012 – here; Windows 2012 Server – here; Visual Studio 2012 – here. Here we go.

VMWare Workstation

  1. Install VMware Workstation on your local PC. Ensure that your local PC has at least 8 GB RAM; you will need to allocate some of it to your 2012 server later.
  2. Once the Workstation installation is complete (I would not go through how to install the software, as it is simple), create a “New virtual machine”, choose Typical installation, and PLEASE select the option “I will install the operating system later”, else you will encounter an error later. Then click Next until the VM files are created in your documents folder “Documents\Virtual Machines\Windows Server 2012”.
  3. Before powering up your VM, map your Windows Server 2012 ISO file so it boots and installs.

Windows Server 2012

  1. There is nothing much to explain here. Just follow the setup wizard.
  2. Once completed, you will be asked to enter the administrator password, etc.
  3. Remember to rename your Windows computer name to something meaningful, NOT something like win-is2xx92243d, which makes no sense. To configure this, go to Server Manager > Local Server > click Computer Name > Change > rename your server and click OK.
    Configure Windows 2012 Computer Name
  4. Restart your computer.
  5. Next, it is always good to set your server IP address. This is not actually required for a single-box setup, but good to learn. =)
    Configure Server IP Windows 2012 1
    Configure Server IP Windows 2012 2
  6. Next is to set up Active Directory Domain Services (AD DS); this is required for you to create service accounts for SharePoint and SQL later on. Note! dcpromo.exe is deprecated in Windows 2012. Sadly.
  7. Go to Server Manager > Dashboard > Add Roles and Features.
  8. Select Role-based or Feature-based installation.
  9. Select your server from the Server Pool list and click “Next”.
  10. Check the “Active Directory Domain Services” check box; a prompt will be displayed. Click “Add Feature”.
  11. Now, click NEXT all the way down until the installation is complete.

Promote Windows 2012 to a Domain Controller

  1. Once your Server 2012 has AD DS installed, you have to promote the server to a domain controller.
  2. In Server Manager, you may notice an alert icon. Click on it and then click “Promote this server to a domain controller”.
    Configure Domain Controller Windows 2012 1
  3. In the “Active Directory Domain Services Configuration Wizard”, select Add a new forest and put in your favourite name.
    Configure Domain Controller Windows 2012 1
  4. Click Next, leave the rest default and specify your DSRM password.
    Configure Domain Controller Windows 2012 2
  5. Click Next all the way down until you see the “Install” button. Ignore those warning messages. Click Install. Reboot and you are done with the DC promotion.

Service Account

  1. Now that your DC is up, you need a FEW accounts to set up your SharePoint 2013 environment. Note that I did not say how many accounts are required, because ultimately it depends on how segregated you want your farm to be. For a single-box, less error-prone solution, you may only need 3 accounts:
    1. Setup user account
    2. Server farm account or database access account
    3. SQL Server service account
  2. Refer here and here for the account details.
  3. Open Run (Windows + R) and enter “dsa.msc” to open Active Directory Users and Computers.
  4. Right click your domain and add a new OU (it is my usual practice to park my SP accounts in an OU).
    Configure Service Account 1
  5. Add those 3 accounts:
    • spsetup
    • spfarm
    • sqlservice

SQL 2012

  1. Map your “SQLServer2012SP1-FullSlipstream-ENU-x64.iso” file to the VM.
  2. Run the ISO in your VM, select the Installation tab on the left and click “New SQL Server stand-alone installation or add features to an existing installation”.
  3. Click OK after the Setup Support Rules check is completed, enter your product key (if you don’t have one, use evaluation =D), click OK. Include SQL Product Updates. Click OK~ These are pretty boring.
    Configure SQL 2012 2
  4. Next, select the role mode. For evaluation purposes, I select All Features With Defaults.
  5. Name your SQL instance.
  6. Specify your service accounts. In my case, I use the “SQL Server service account” that I created previously.
    Configure SQL 2012 4
  7. Specify the admin account using the same SQL Server service account. (Well, this is for evaluation; you can still opt to use another account.)
    Configure SQL 2012 5
  8. Analysis Configuration – specify the same service account.
  9. Distributed Replay Controller – specify the same service account, and the Controller Name as your server name.
  10. Click NEXT, NEXT, NEXT to install.. go get a coffee and come back after 30 mins…
  11. ..
  12. OK~ The next thing is to set up permissions for the SharePoint setup account. Based on the article above, you have to grant the account (in my case “spsetup”) the dbcreator and securityadmin server roles.
  13. At this time, your server only allows Windows Authentication to access the Database Engine. Grant the SQLService account local Administrator rights temporarily. Log off and switch to this account.
  14. Open SQL Management Studio, log in via Windows Authentication, right click the “Logins” node and choose “New Login”.
    Configure SQL 2012 5.5
  15. Select the SharePoint setup account “spsetup” and go to Server Roles. Check the 2 server roles “dbcreator” and “securityadmin”.
    Configure SQL 2012 6
  16. Click OK to proceed.
  17. For SharePoint 2013 there is one additional step: change the Max Degree of Parallelism to 1. Go to the Database Engine node, right click and select Properties. Under the Advanced page, change the value to 1.
    Configure SQL 2012 7
  18. Click OK to proceed. Once this is completed, you may switch user back to the SharePoint setup account (via Alt + Del + Insert). Note: remove the SQLService account from the local Administrators group once you are done setting up the permissions.
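Steps 12 to 17 as a script, added here as an example (not from the original post). It assumes the SQLPS module that ships with SQL 2012, that you run it as an account that is sysadmin on the instance (the post uses the SQL service account for this), and the single-box instance and the AHCHENG\spsetup login used on this page.

```powershell
# Added example: grant the SharePoint setup account its two server roles and
# set max degree of parallelism to 1, then read the result back to verify.
Import-Module SQLPS -DisableNameChecking

$instance   = "localhost"         # single box: the instance installed above
$setupLogin = "AHCHENG\spsetup"   # SharePoint setup account from this page

function Set-SharePointSqlPrereqs {
    param([string]$ServerInstance, [string]$Login)

    # CREATE LOGIN is skipped when the Windows login already exists
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [$Login];
ALTER SERVER ROLE [securityadmin] ADD MEMBER [$Login];
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'max degree of parallelism', 1; RECONFIGURE;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $sql -ErrorAction Stop
}

function Test-SharePointSqlPrereqs {
    param([string]$ServerInstance, [string]$Login)

    $roles = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT r.name AS role_name
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$Login';
"@
    $maxdop = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT value_in_use FROM sys.configurations WHERE name = 'max degree of parallelism';
"@
    $roleNames = @($roles | ForEach-Object { $_.role_name })
    New-Object PSObject -Property @{
        Login            = $Login
        HasDbCreator     = ($roleNames -contains "dbcreator")
        HasSecurityAdmin = ($roleNames -contains "securityadmin")
        MaxDop           = [int]$maxdop.value_in_use
    }
}

Set-SharePointSqlPrereqs  -ServerInstance $instance -Login $setupLogin
Test-SharePointSqlPrereqs -ServerInstance $instance -Login $setupLogin | Format-List Login, HasDbCreator, HasSecurityAdmin, MaxDop
```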

SharePoint 2013

  1. Map your SP2013 ISO file to your virtual machine (if you haven’t).
  2. Go into your VM and install the SP2013 prerequisites. The next few steps are for an offline prerequisite installation.
  3. Run PowerShell with administrator rights. Ensure you have executed the following command beforehand: Set-ExecutionPolicy RemoteSigned
  4. Run the following command. Make sure the path is where you store the prerequisite files. Also, copy “prerequisiteinstaller.exe” from your SP2013 ISO to the same folder where your script is located. (Note the parameter is -ArgumentList with a plain hyphen; a copied en dash is not recognised as a parameter name.)
    $SharePoint2013Path = "C:\Prerequisite"
    Start-Process "$SharePoint2013Path\PrerequisiteInstaller.exe" -ArgumentList "/SQLNCli:$SharePoint2013Path\PrerequisiteInstallerFiles\sqlncli.msi /IDFX:$SharePoint2013Path\PrerequisiteInstallerFiles\Windows6.1-KB974405-x64.msu /IDFX11:$SharePoint2013Path\PrerequisiteInstallerFiles\MicrosoftIdentityExtensions-64.msi /Sync:$SharePoint2013Path\PrerequisiteInstallerFiles\Synchronization.msi /AppFabric:$SharePoint2013Path\PrerequisiteInstallerFiles\WindowsServerAppFabricSetup_x64.exe /KB2671763:$SharePoint2013Path\PrerequisiteInstallerFiles\AppFabric1.1-RTM-KB2671763-x64-ENU.exe /MSIPCClient:$SharePoint2013Path\PrerequisiteInstallerFiles\setup_msipc_x64.msi /WCFDataServices:$SharePoint2013Path\PrerequisiteInstallerFiles\WcfDataServices.exe"
  5. After running the script, I encountered the following error: “The tool was unable to install Application Server Role, Web Server (IIS) Role”.
  7. Open the SharePoint installer splash screen and hit Install SharePoint Server.
  8. Put in the evaluation product key. NQTMW-K63MQ-39G6H-B2CH9-FRDWJ
  9. Click Next until the installation is completed (yawn..).
  10. Once the installation is completed, leave the check box “Run SharePoint Products Configuration Wizard” at its default. Close your installation wizard.
  11. In the SharePoint Configuration Wizard, click Next.
  12. The system will prompt you to stop the 3 services (IIS, SP Admin Service, SP Timer Service); click Yes to continue.
  13. Select “Create a new server farm” and click OK.
  14. At this point, you may want to set up an ALIAS for the SQL connection. (Good practice!)
  15. Fire up “Run” and enter “cliconfg”.
  16. Under the Alias tab, enter the name “sql”, select “TCP/IP” and your SQL server name (basically the same server, since we are setting up a single-box server).
    Configure SharePoint 1
  17. Click OK and exit CliConfg.
  18. Back in the SharePoint Products Configuration Wizard, enter the ALIAS you just created as the SQL server name.
  19. Next, specify the login ID for the “Server farm account or database access account” created earlier (in my case “spfarm”).
    Configure SharePoint 2
  20. Specify the passphrase and click Next.
  21. Specify the Central Admin port number and the authentication mode. Use NTLM for simplicity.
    Configure SharePoint 3
  22. Click Next to start configuring. Again, you can go get some drink and come back in about 20 mins.
  23. Tada~
    Configure SharePoint 4
  24. If you open Task Manager, you will notice a new Windows service running, “AppFabric Service”, which takes 300++ MB of RAM. You may reduce its RAM usage to make room for other services. Refer here on how to reduce the AppFabric memory usage.
  25. Once you close the Products Configuration Wizard, IE will be fired up to perform the farm configuration. Select all services if you like. Also, you may use a separate service account for the services you intend to add. I would not recommend turning on the Search Service Application, as this will take up A LOT OF YOUR MEMORY!!!! Do it only if you have a lot of RAM on your VM host.
  26. The configuration may take quite some time. It happened to me before that it got stuck forever. In case the screen doesn’t refresh or whatever, try to open Central Admin again. The services will still be created in the backend.

Configure SharePoint 5

Create Site Collection

  1. Once Central Admin is done, you may proceed to create a site collection for your primary web application – port 80.
  2. Click “Create Site Collection” under the Application Management tab.
  3. Ensure the web application is selected correctly. Put in the name and select your site template.
    Configure SharePoint 6
  4. Specify the primary site collection admin – AHCHENG\spsetup.
  5. Click OK!!! and welcome to SharePoint 2013!


Note: If Newsfeed or My Site shows the “We’re almost ready!” error, check here to add your server to the cache cluster.

User Profile Synchronisation Started

Holy cow. Finally got my User Profile Synchronization Service started successfully!! I’ve been cracking my head for the past few days, reading and re-reading the MSDN UPS configuration guides. It’s just not an easy task to get it set up properly. Apart from that, I would like to thank Harbar for the great work noting down all the necessary requirements for UPS.

Evidence

Just to summarise all the requirements in case I forget.

  1. The service account running the “Windows Service – User Profile Synchronization Service” MUST BE your SharePoint farm account (check here on how to find your SharePoint farm account).
  2. The service account (which is also the farm account) has to be granted local Administrator rights on the machine that runs the User Profile Synchronization Service instance, at least while provisioning the service (in layman’s terms, when clicking the “Start” action link in “Manage Services on Server” in Central Admin). Check here on how to grant Administrator rights. Why? Because provisioning requires modifications to the server’s registry, which need administrator rights. Starting the UPS without admin rights will cause Unauthorized Access. You may try it and check the SharePoint log files =).
  3. The service account (which is also the farm account) has to be granted the Allow Log on Locally right. You can do this via the Group Policy Editor (GPEdit) on your domain controller. Check here on how to assign the permission. Granting the access in step 2 is sufficient to get the service started. However, it is never recommended to leave the farm account with Administrator rights. By revoking the Administrator right after provisioning, the Allow Log on Locally right will be gone too! Hence, it is advisable to grant the permission explicitly via GPEdit.

Note: those are the requirements to get the User Profile Synchronization Service STARTED. Additional setup is needed to create the synchronisation connection.
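An added script (not from the original post) that verifies the three requirements above on the server that will run User Profile Synchronization. It assumes the SharePoint Management Shell run elevated (secedit needs it); the Windows service behind UPS is the Forefront Identity Manager Synchronization Service, service name FIMSynchronizationService, and the “Allow log on locally” right is SeInteractiveLogonRight in a secedit export.

```powershell
# Added example: check the farm account against the three UPS requirements
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-UpsPrerequisites {
    # Requirement 1: the sync service must run as the farm account
    $farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
    $svc = Get-WmiObject Win32_Service -Filter "Name='FIMSynchronizationService'"
    $svcAccount = if ($svc) { $svc.StartName } else { "<service not installed>" }

    # Requirement 2: farm account is a member of the local Administrators group
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $adminNames = @($admins.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    })
    $isLocalAdmin = $adminNames -contains ($farmAccount -split '\\')[-1]

    # Requirement 3: "Allow log on locally" = SeInteractiveLogonRight. secedit
    # exports the assignment as a comma list of "*SID" entries (or names).
    $cfg = Join-Path $env:TEMP "secpol-export.inf"
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $sid = (New-Object System.Security.Principal.NTAccount($farmAccount)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $hasLogonLocally = $false
    if ($line) {
        $entries = ($line.Line -split '=')[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        $hasLogonLocally = ($entries -contains $sid) -or ($entries -contains $farmAccount)
    }

    New-Object PSObject -Property @{
        FarmAccount         = $farmAccount
        SyncServiceAccount  = $svcAccount
        ServiceRunsAsFarm   = ($svcAccount -eq $farmAccount)
        FarmIsLocalAdmin    = $isLocalAdmin
        FarmHasLogonLocally = $hasLogonLocally
    }
}

Test-UpsPrerequisites | Format-List FarmAccount, SyncServiceAccount, ServiceRunsAsFarm, FarmIsLocalAdmin, FarmHasLogonLocally
```

Requirement 3 only shows up as granted once the policy has actually applied on this server, so run it after gpupdate when the right was assigned through Group Policy.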

NullReferenceException: Object reference not set to an instance of an object – Microsoft.Office.Server.Administration. UserProfileApplicationProxy. get_ApplicationProperties

Had this problem on all my SharePoint 2010 sites.

[NullReferenceException: Object reference not set to an instance of an object.]
   Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties() +134
   Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_PartitionIDs() +44
   Microsoft.Office.Server.Administration.UserProfileApplicationProxy.IsAvailable(SPServiceContext serviceContext) +329
   Microsoft.Office.Server.WebControls.MyLinksRibbon.get_PortalAvailable() +44
   Microsoft.Office.Server.WebControls.MyLinksRibbon.EnsureMySiteUrls() +60
   Microsoft.Office.Server.WebControls.MyLinksRibbon.get_PortalMySiteUrlAvailable() +15
   Microsoft.Office.Server.WebControls.MyLinksRibbon.OnLoad(EventArgs e) +91
   System.Web.UI.Control.LoadRecursive() +65
   System.Web.UI.Control.LoadRecursive() +190
   System.Web.UI.Control.LoadRecursive() +190
   System.Web.UI.Control.LoadRecursive() +190
   System.Web.UI.Control.LoadRecursive() +190
   System.Web.UI.Control.LoadRecursive() +190
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2427

Checked Event Viewer for the log. Event 8306, SharePoint Foundation, error thrown:

An exception occurred when trying to issue security token: Could not connect to http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:32843.

Tried the following steps (not working):

  1. Stopped the User profile sync service
  2. Stopped user profile service application
  3. Recycled SecurityTokenServiceAppPool with re-typing credentials
  4. Started User Profile service
  5. Started Sync service

Resolution

  1. Go to IIS (Internet Information Services) Manager
  2. Turn on “SharePoint Web Services Root” Application Pool
  3. Turn on “SharePoint Web Services” sites
  4. run iisreset via cmd

Worked!
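An added check (not the post’s own code) for the pieces the resolution touches: the state of the “SharePoint Web Services” site and its application pools, and whether anything answers on 127.0.0.1:32843, the address the event says refused the connection. With -Fix it performs the same start-and-iisreset steps. It assumes the IIS WebAdministration module (IIS 7.5 or later) and the default SharePoint site and pool names, including the STS pool SecurityTokenServiceApplicationPool referred to above.

```powershell
# Added example: check (and optionally restore) the IIS pieces behind the
# Security Token Service that the NullReferenceException traces back to.
Import-Module WebAdministration

function Test-SecurityTokenService {
    param([switch]$Fix)

    $siteName  = "SharePoint Web Services"
    $poolNames = @("SharePoint Web Services Root", "SecurityTokenServiceApplicationPool")

    if ($Fix) {
        # Equivalent of the "turn on" steps in the resolution, then the iisreset
        foreach ($p in $poolNames) {
            if ((Get-WebAppPoolState -Name $p).Value -ne "Started") { Start-WebAppPool -Name $p }
        }
        if ((Get-WebsiteState -Name $siteName).Value -ne "Started") { Start-Website -Name $siteName }
        iisreset | Out-Null
    }

    $poolStates = @{}
    foreach ($p in $poolNames) { $poolStates[$p] = (Get-WebAppPoolState -Name $p).Value }
    $siteState = (Get-WebsiteState -Name $siteName).Value

    # The event text complains about 127.0.0.1:32843 refusing the connection; try it
    $tcp = New-Object System.Net.Sockets.TcpClient
    $listening = $false
    try { $tcp.Connect("127.0.0.1", 32843); $listening = $tcp.Connected }
    catch { $listening = $false }
    finally { $tcp.Close() }

    New-Object PSObject -Property @{
        WebServicesSite = $siteState
        AppPools        = $poolStates
        Port32843Open   = $listening
        StsReachable    = ($listening -and ($siteState -eq "Started"))
    }
}

Test-SecurityTokenService | Format-List WebServicesSite, AppPools, Port32843Open, StsReachable
```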

NTLM Authentication Prompt never stop despite keying the correct ID and Password

Had this funny issue on my client’s server. They are using Windows XP to access a SharePoint 2010 site hosted on a Windows 2008 R2 server. The SP site is using Classic Authentication Mode, which is Windows Integrated Authentication (if you check the authentication mode in IIS).

The NTLM login works when accessing the web site from the web server itself. However, when hitting the web site from the Windows XP IE browser, the standard NTLM prompt keeps prompting for login despite entering the correct PASSWORD and ID!!!

Several attempts eventually led to the account being locked out, and I had to unlock it in AD. Headache.

Another problem arose when trying to RDP (Remote Desktop) to the web server from my client’s Windows XP machine.

The preliminary check suggested there might be a firewall between the client machine and the web server. After checking with telnet on the RDP port 3389 and port 80, the connections were successful.

It seemed that the authentication somehow did not negotiate properly.

After checking through the security policy settings of my AD, I found a rather interesting setting (my infra guys may have done something I was not aware of).

Network Security: LAN Manager Authentication Level.

If you are not aware, NTLM stands for NT LAN Manager.

Yes, the available settings are as shown, quoted from MSDN:

  • Send LM & NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
  • Send LM & NTLM – use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
  • Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
  • Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
  • Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
  • Send NTLMv2 response only\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).

The setting was “Send NTLMv2 response only, refuse LM & NTLM”. Ohhhh!!! okay~~

And then:

This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. For more information about how these settings apply to previous versions of Windows, see Knowledge Base Search

oh!!! twice.

Now I know where the problem is. My AD simply does not accept NTLM & LM, which is the authentication standard only supported in XP. ><

Hence:

Resolution

Go to the AD Security Policy settings panel,

or

open RUN and enter “secpol.msc”.

Enter the admin account and password.

From the left panel, navigate to Security Options > Network Security: LAN Manager Authentication Level.

Change it to “Send LM & NTLM – use NTLMv2 session security if negotiated” and save!

Note: if you are using Group Policy, edit it via the Group Policy Editor, gpedit.msc.
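The six settings listed above correspond to the LmCompatibilityLevel registry value 0 to 5. This added example (not from the original post) models which client and domain controller levels can negotiate, using the “clients use … / domain controllers accept …” rules quoted from MSDN, reproduces the failing and the fixed combination from the post, and reads the local value; the client level 0 used for the XP machine is an assumption.

```powershell
# Added example: LM/NTLM/NTLMv2 negotiation between a client level and a DC level
$LevelNames = @(
    "Send LM & NTLM responses",
    "Send LM & NTLM - use NTLMv2 session security if negotiated",
    "Send NTLM response only",
    "Send NTLMv2 response only",
    "Send NTLMv2 response only\refuse LM",
    "Send NTLMv2 response only\refuse LM & NTLM"
)

function Get-ClientResponses([int]$Level) {
    # Response types a client at this level sends (from the MSDN descriptions)
    switch ($Level) {
        { $_ -le 1 } { return @("LM", "NTLM") }
        2            { return @("NTLM") }
        default      { return @("NTLMv2") }
    }
}

function Get-AcceptedResponses([int]$Level) {
    # Response types a domain controller at this level accepts
    switch ($Level) {
        { $_ -le 3 } { return @("LM", "NTLM", "NTLMv2") }
        4            { return @("NTLM", "NTLMv2") }
        default      { return @("NTLMv2") }
    }
}

function Test-LmNegotiation([int]$ClientLevel, [int]$DcLevel) {
    $sent     = Get-ClientResponses $ClientLevel
    $accepted = Get-AcceptedResponses $DcLevel
    $common   = @($sent | Where-Object { $accepted -contains $_ })
    New-Object PSObject -Property @{
        Client   = "$ClientLevel ($($LevelNames[$ClientLevel]))"
        DC       = "$DcLevel ($($LevelNames[$DcLevel]))"
        Succeeds = ($common.Count -gt 0)
        Using    = ($common -join ",")
    }
}

function Get-LocalLmCompatibilityLevel {
    # The policy above writes this value; absent means the OS default applies
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    $v = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($v -eq $null) { return "not set (OS default applies)" }
    return "$v ($($LevelNames[$v]))"
}

# The situation in the post: an LM/NTLM client (assumed level 0) against a DC at level 5
Test-LmNegotiation -ClientLevel 0 -DcLevel 5 | Format-List Client, DC, Succeeds, Using
# After the resolution above: the DC lowered to level 1
Test-LmNegotiation -ClientLevel 0 -DcLevel 1 | Format-List Client, DC, Succeeds, Using
"Local LmCompatibilityLevel: $(Get-LocalLmCompatibilityLevel)"
```

Running the matrix for a client at level 3 against the DC at level 5 also succeeds, which is the other way to make the pair negotiate where the client supports NTLMv2.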