Hi,
Today I came across an issue where a business wanted me to provide a link on the Home Page to a DOCX file (available in 'Documents' document library) and when a user clicks it; it downloads (or Save) the file on the local computer rather than open it from the 'Documents' document library.
Here is the solution
href="/_layouts/download.aspx?SourceUrl=http://spsite/Shared Documents/documentname.docx"
Cheers
Sohail
Wednesday, November 7, 2018
Wednesday, August 1, 2018
Import Active Directory Users into SharePoint 2013/2016 Group - PowerShell
Import Active Directory Users into SharePoint 2013/2016 Group
Write-host "Adding SharePoint Snapin"
$Host.Runspace.ThreadOptions = "ReuseThread"
Add-PSSnapin microsoft.sharepoint.powershell -ErrorAction SilentlyContinue
Write-host "Importing AD module"
import-module activedirectory -ErrorAction SilentlyContinue
write-host "Starting work..."
#Hard coded variables for testing,
# we need the name of the AD Group, the name of the corresponding group in Sharepoint to sync with,
#and the URL of the SPWeb where the SP group resides.
$ADgroupname = "CN=XXX,OU=XXXX,DC=XXX,DC=XX,DC=XX"
#Get-ADGroup -Filter * | Select distinguishedName, Name
$SPGroupName = "SPGroup_AllUsers"
$spweburl = "http://xxxxx.com"
#note that it's reasonably easy to turn this hardcoded list into a CSV import and then loop through multiple groups
[Microsoft.ActiveDirectory.Management.ADPropertyValueCollection]$Type = Get-ADGroupMember $ADgroupname | select PropertyNames
#get a list of the AD Users in the AD Group
#$ADGroupMembers = get-adgroupmember -Identity $ADgroupname | select @{name="LoginName";expression={$_.samaccountname}}
$ADGroupMembers = Get-ADGroupMember $ADgroupname | select samaccountname, email, name
if ($ADGroupMembers -eq $null)
{
write-host "The AD Group we're syncing with is empty - this is usually a problem or typo - the SP group will be left alone" -foregroundcolor red
return;
}
#get the list of users in the SharePoint Group
$web = get-spweb $spweburl
$group = $web.groups[$SPGroupName]
if ($group -eq $null) {
write-host "SPGroup Not found" ; return
}
$spusers = $group.users | select @{name="LoginName";expression={$_.LoginName.toupper()}}
write-host "Debug: at this point we should have a list of user ID's from SharePoint in domain\user format, uppercase"
#Remove all Existing Users in SharePoint Group
foreach($x in $spusers)
{
write-host $x.LoginName -foregroundcolor green
$User = Get-SPUser -Identity $x.LoginName -Web $web
$group.RemoveUser($User)
}
if($spusers -eq $null)
{
write-host "The SPgroup is empty" -foregroundcolor cyan
write-host "Adding all AD group members to the SP group"
foreach ($ADGroupMember in $ADGroupMembers)
{
#add the AD group member to the SP group.
#Please add code to get the domain or fix it if you have only one doain
$Domain= "royal_comm\"
#$SamAccountName = $ADGroupMember.samaccountname
$UserName = $Domain + $ADGroupMember.samaccountname
#$DisplayName = $ADGroupMember.name
#$Email = (Get-ADUser $SamAccountName -Properties mail).mail
write-host "Adding $()"
write-host "new-spuser -useralias $($UserName) -web $($web.url) -group $SPGroupName" -foregroundcolor green
$SPUser = $web.EnsureUser($UserName)
try
{
$group.AddUser($SPUser)
}
catch
{
Write-Host "User already exists..." -ForegroundColor Red
}
write-host "User is Added..." -ForegroundColor Green
}
write-host "Done adding users - script will now exit" -foregroundcolor magenta
}
#>
Tuesday, June 7, 2016
SAML-based Claims Auth in SP2016
SAML-based
claims authentication in SharePoint Server 2016
SAML-based authentication requires
- A Client Computer
- A SharePoint 2016 Server/Farm
- Claim Provider / IP-STS (example: ADFS)
- Identity Provider (example AD, LDAP) which contains the actual accounts and password
Note:
ADFS and SAML claims are not required if you are using AD DS infrastructure in which the forest and domain trust each other.
ADFS and SAML claims are not required if you are using AD DS infrastructure in which the forest and domain trust each other.
Trust Relationship for
SAML-based claims authentication process
Steps
- The ADFS
Server must trust the
Identity
Provider for which it
is issuing SAML
Security Token.
Note:
In case of AD and ADFS in the same domain; the trust is implicit and therefore trusts the validation security credentials by its domain controllers
- ADFS must also trust Security
Token request for
locations on the SharePoint 2016 Server
- You configure ADFS with the URLs
of SharePoint 2016 Web Applications as a Relying
Party and then web
pages of SharePoint 2016 Server and those URLs will
now be trusted for SAML
Security Token requests
- The SharePoint 2016 Server must also
trust ADFS
Server that
uses a Token
Signing Certificate
to sign the SAML
Security Token that
is issues.
- To validate the Digital Signature on the Security Tokens issues by ADFS, we configured the SharePoint 2016 Farm with Public Portion of that ADFS Token Signing Certificate
The SAML-based claims
authentication process
Step 1
Assuming that the
Client Computer does not
already have a Claims-based Security
Token.
SAML-based claims authentication
occurs when it makes an initial anonymous request of a secured
SharePoint 2016 web page
Step
2
The SharePoint 2016 Server redirects the Client Computer to the ADFS Server to obtain a SAML-based login page for User Credentials (username/password)
The SharePoint 2016 Server redirects the Client Computer to the ADFS Server to obtain a SAML-based login page for User Credentials (username/password)
Step 3
The User provides
credentials (username / password) and the Client Computer sends them to the
ADFS Server with a request for a SAML Security Token
Step 4
The ADFS Server validates the sent
credentials (username/password) with the Identity Provider (Active
Directory, LDAP etc.)
Step 5
After validating
the credentials from Identity Provider; the ADFS Server
- Constructs a SAML Security Token,
- Sign the Security Token, and
- Send this Security Token to the Client Computer
Step 6
The Client Computer sends a new request for the SharePoint 2016 Web Page and this time
it includes the SAML Security
Token that it(the Client Computer) received from the ADFS Server
Step 7
The Security Token Service on the SharePoint 2016 Server then creates a
claim-based Security Token
and stores it with the Distributed Cache Service on the
SharePoint 2016 Farm.
Claims (username, password, email
address or whatever info) in this Security Token are based on the
Claims in the SAML Security Token from the ADFS Server
The SharePoint 2016 Server then creates and
sends a Federated
Authentication or FedAuth Cookie to the Client Computer
This FedAUTH Cookie contains an encrypted key or index to the Security Token.
If the User is
authorized to access the requested web page on SharePoint through analysis of
the claims in the Security Token created by Security Token Service of SharePoint 2016 and Configured Permissions on SharePoint Contents; the SharePoint 2016 Server then sends the
contents on the requested web page
on SharePoint.
For subsequent requests, the Client Computer uses the FedAUTH Cookie for authentication.
For subsequent requests, the Client Computer uses the FedAUTH Cookie for authentication.
Note:
All above steps are valid for SharePoint 2013 Server as well.
Reference:
Happy SharePointing
Sunday, May 15, 2016
"Delete this Document library" link missing in SharePoint 2013
Problem
"Delete this document library" link is missing
Solution
Add-PSSnapin Microsoft.Sharepoint.Powershell
$web = Get-SPWeb('URL of Site')
$list = $web.Lists['Name of Document Library']
$list.AllowDeletion = $true
$list.Update()
Sunday, February 28, 2016
SharePoint 2013 Farm Installation on Windows 2012 R2 - .NET 4.5 Framework Issue
Hi,
I encountered a problem while installing SharePoint 2013 on Windows 2012 R2 and the installed failed and said
Apparently .NET 4.5 Framework was installed but also .Net 4.6 is also installed and SP 2013 does not like it. So
Go to the Control Panel --> Programs --> Programs and Features --> View Installed Updates
Find KB3102436 and Un-install it.
This will resolve your problem.
Happy SharePointing
I encountered a problem while installing SharePoint 2013 on Windows 2012 R2 and the installed failed and said
Apparently .NET 4.5 Framework was installed but also .Net 4.6 is also installed and SP 2013 does not like it. So
Go to the Control Panel --> Programs --> Programs and Features --> View Installed Updates
Find KB3102436 and Un-install it.
This will resolve your problem.
Happy SharePointing
Tuesday, November 3, 2015
New Azure SQL Server V12 Security Features
Secure Data with Azure SQL
Database
Azure SQL Database
offers a set of out-of-the-box features to secure organization data from non-authenticated
users. It offers simple-to-implement features that help to protect the data and
build secure business applications within Azure.
A lot of the newer Azure SQL Security Features are available only when clients connect using Secured Connection String.
Older In-Secure Connection String
{ServerName}.database.windows.net
Newer Secure Connection String
{ServerName}.database.secure.windows.net
Older In-Secure Connection String
{ServerName}.database.windows.net
Newer Secure Connection String
{ServerName}.database.secure.windows.net
Most of the newer Azure SQL Database Security Features only works with v12 engine which is GA.
If you have an older version v11 database; it is required to upgrade it to v12.
Check the version first by using this PowerShell Cmdlets
Get-AzureSqlServer
-ServerName ''
-ResourceGroupName ''
Note:
ResourceGroupName can be find using Azure Preview Portal
You will get some results when you run above PowerShell command and out of the all information; find ServerVersion value
ServerVersion : 2.0
If the value is 2.0 then the available SQL Engine is not v12 it can be upgraded with following PowerShell Command
Start-AzureSqlServerUpgrade
-ServerName ''
-ResourceGroupName ''
-ServerVersion 12.0
Running above Cmdlet will queued the upgrade request and will finish ASAP.
If you run above command for In-Use Database; there will be an outage which can potentially takes few minutes subject to the database size.
To get the status of the above upgrade request; run this PowerShell Cmdlet
Get-AzureSqlServerUpgrade
-ServerName ''
-ResourceGroupName ''
Now Azure SQL Server has been upgraded to v12 and it is required to protect the data using these security features.
New Azure SQL Database Security Features
1. Connectivity
Azure Active Directory (AAD) Authentication Support is Generally Available (GA) for connecting to SQL Database by using user identities in AAD for managed and federated domains in a centralized location.
Azure Active Directory authentication uses contained database users to authenticate identities at the database level. It is an alternative to SQL Server Authentication and database permissions can be managed using AAD groups.
2. Authorization
Row-Level Security (RLS) Support is GA that allows user identity based, role membership based, or query execution context based access to data rows.
Row-Level Security (RLS) Support is GA that allows user identity based, role membership based, or query execution context based access to data rows.
Row-Level Security (RLS) capability embeds and centralizes custom data
access logic within the Azure SQL database which minimize the risk of
accidental data access.
Azure SQL Database supports for Filter Predicates and Block
Predicate.
Filter Predicate restrict
row-level read access.
Block Predicate restrict
row-level write access
Dynamic Data Masking is supported for v12 of Azure SQL Database.
This feature mask the organization sensitive data for unauthorized access. It hides database fields of the requested data in the query result set and there is no impact on database operations.
This feature mask the organization sensitive data for unauthorized access. It hides database fields of the requested data in the query result set and there is no impact on database operations.
3. Encryption
Always Encrypted Feature to be in public preview soon.
Always Encrypted Feature is designed to protect organization sensitive data that are stored in SQL Server databases.
Always Encrypted Feature also allows clients to encrypt sensitive data inside client applications and not expose the encryption keys to the database.
The benefit of doing it is; Always Encrypted Feature always differentiate between those who own the data (and can view it) and those who manage the data (but should have no access).
The whole encryption mechanism is transparent to the business applications which is achieved by installing a Always Encrypted-enabled driver on the end-user computers which automatically encrypt/decrypt organisation sensitive data in all business applications.
This Always Encrypted driver encrypts the sensitive data only in specified sensitive data columns/fields before passing it to the SQL Server and similarly the same driver decrypts the encrypted data automatically in the query output results.
4. Compliance
Always Encrypted Feature to be in public preview soon.
Always Encrypted Feature is designed to protect organization sensitive data that are stored in SQL Server databases.
Always Encrypted Feature also allows clients to encrypt sensitive data inside client applications and not expose the encryption keys to the database.
The benefit of doing it is; Always Encrypted Feature always differentiate between those who own the data (and can view it) and those who manage the data (but should have no access).
The whole encryption mechanism is transparent to the business applications which is achieved by installing a Always Encrypted-enabled driver on the end-user computers which automatically encrypt/decrypt organisation sensitive data in all business applications.
This Always Encrypted driver encrypts the sensitive data only in specified sensitive data columns/fields before passing it to the SQL Server and similarly the same driver decrypts the encrypted data automatically in the query output results.
4. Compliance
Transparent Data Encryption Feature is GA and it encrypts
- Databases
- Transaction Logs
- Associated Backups
Transparent Data Encryption (TDE) is based on SQL Server Transparent Data Encryption Technology that encrypts the storage of the database by using AES-256 Symmetric Database Encryption Key.
SQL Server Database protects the Database Encryption Key with a Service-Managed Certificate and all key management for database copying, geo-replication, and database restores anywhere in SQL Server Database is handled by this service.
You can enable it on your database with two clicks in the Azure Preview Portal:
Go to Azure Preview Portal
Under Database Security --> Transparent data encryption
(1) Click ON and then
(2) Click Save
There is a slight downside that if you are migrating any SQL Database from On-Premises; it is required to
- Decrypt On-Premises SQL Database before Migrating
- Re-Encrypt again once it is migrated to Azure
You can achieve it by using (a) OR (b)
(a) TSQL on Azure Preview Portal
ALTER Database [SQL Database Name]
SET ENCRYPTION ON;
GO
(b) Azure PowerShell Command
Set-AzureSqlDatabaseTransparentDataEncryption
-ServerName ['Server Name']
-ResourceGroupName ['Resource Group Name']
-DatabaseName ['Database Name']
-State "Enabled"
Note:
Run the commands and wait for database to be encrypted.
Use this PowerShell command to check the status of this encryption process
Get-AzureSqlDatabaseTransparentDataEncryption
5. Threat Detection / Azure SQL Database Auditing
Auditing is GA on Basic, Standard, and Premium service tiers.
Threat Detection is an additional feature of Azure SQL Auditing which gives alert unauthorized / suspicious activities on Azure SQL Databases or even at the Database Server Level.
There are many PowerShell commands available for Azure SQL Auditing
For "Database" Auditing
(i) Get-AzureRmSqlDatabaseAuditingPolicy
Example:
Get-AzureRmSqlDatabaseAuditingPolicy
-ResourceGroupName "
-ServerName "
-DatabaseName "
(ii) Set-AzureRmSqlDatabaseAuditingPolicy
Example:
Set-AzureRmSqlDatabaseAuditingPolicy
-ResourceGroupName "
-ServerName "
-DatabaseName "
-StorageAccountName "
(iii) Remove-AzureRmSqlDatabaseAuditingPolicy
Example:
Remove-AzureRmSqlDatabaseAuditingPolicy
-ResourceGroupName ""
-ServerName ""
-DatabaseName ""
Example:
Remove-AzureRmSqlDatabaseAuditingPolicy
-ResourceGroupName "
-ServerName "
-DatabaseName "
For "Database Server" Auditing
(i) Get-AzureRmSqlServerAuditingPolicy
Example:
Get-AzureRmSqlDatabaseAuditingPolicy
-ResourceGroupName "
-ServerName "
(ii) Set-AzureRmSqlServerAuditingPolicy
Example:
- Set up the Auditing Policy of the Azure SQL Server
Set-AzureRmSqlDatabaseAuditingPolicy
-ResourceGroupName "
-ServerName "
-StorageAccountName "
- Set the Storage Account Key of an existing Auditing Policy of Azure SQL Server
Set-AzureRmSqlDatabaseAuditingPolicy
-ResourceGroupName ""
-ServerName ""
-StorageAccountKey Secondary
Set-AzureRmSqlDatabaseAuditingPolicy
-ResourceGroupName "
-ServerName "
-StorageAccountKey Secondary
Set-AzureRmSqlDatabaseAuditingPolicy
-ResourceGroupName "
-ServerName "
-EventType Login_Failue
(iii) Remove-AzureRmSqlServerAuditingPolicy
Example:
Remove-AzureRmSqlDatabaseAuditingPolicy
-ResourceGroupName "
-ServerName "
Defining for a "Database" to use Auditing Policy of the "Database Server"
(i) Use-AzureRmSqlServerAuditingPolicy
Example:
-ResourceGroupName "
-ServerName "
-DatabaseName "
Wednesday, October 7, 2015
IAM with Microsoft Identity Manager 2016
What is Identity & Access Management (IAM)
IAM means the establishment and management of individual users roles and credentials to make sure that the individual credentials are valid and he/she is authorized to access the organization line-of-business applications and/or assets. Also it is required to make sure that the individual credentials and access must be revoked/removed when he/she is leaving the organization.
Why organisations need Identity Management Solution?
Small, Medium and Large Organisations deploy Identity and Access Management (IAM) Solutions to make sure that they can meet the security challenges for all integrated business applications located on-premises and on the cloud. Having Identity Management Solution deployed in the organisations; users can use single identity to access all the business applications as per their role and making change in one identity solution will synchronize their details in other identity solution.
IAM is very useful to
- Provide users the right access for the data and services
- Integration of organisation identity solution with 3rd party identity solutions
- Consistent User experience for smooth authentication and authorization
- and others
Small, Medium and Large Organisations deploy Identity and Access Management (IAM) Solutions to make sure that they can meet the security challenges for all integrated business applications located on-premises and on the cloud. Having Identity Management Solution deployed in the organisations; users can use single identity to access all the business applications as per their role and making change in one identity solution will synchronize their details in other identity solution.
IAM is very useful to
- Provide users the right access for the data and services
- Integration of organisation identity solution with 3rd party identity solutions
- Consistent User experience for smooth authentication and authorization
- and others
ROI from Identity & Access Management Solutions
Every organization invest in technology with ROI in mind and in the world of IAM Solutions is not an IT issue but a challenge for C-Level Business Executives and/or Investors where information/data is the most important asset of the organization. An advanced Identity & Access Management solution is the core strength of an organization where organization will receive the return-on-investment in terms of being ready to integrate with any new solutions, integrating with 3rd party applications and/or identity repository stores, saving help-desk calls and capable to protect its assets from all external threats.
What is Identity Life cycle Management
Identity Life cycle management is the process of
- Provisioning of User Identity
- De-Provisioning of User Identity
- Identity synchronization
- Security Principal Creation
- Attribute Management
- Identity Aggregation and Delete
Identity Life cycle management is the process of
- Provisioning of User Identity
- De-Provisioning of User Identity
- Identity synchronization
- Security Principal Creation
- Attribute Management
- Identity Aggregation and Delete
Microsoft Identity Manager (MIM) 2016
- MIM 2016 is the latest version of Microsoft’s Identity and Access management (IAM) product suite which build on top of FIM 2010 R2 with additional capabilities of hybrid experience, Certificate Management (CM) and Privilege Access Management (PAM) REST APIs.
- MIM 2016 replaces Forefront Identity Manager (FIM) 2010 R2
- MIM 2016 provides managed synchronization between on-premises Active Directory Forest and Azure Active Directory
- MIM 2016 provides a broad range of services including user provisioning/de-provisioning, authentication/authorization of other LOB applications, BYOD, and data protection etc.
Microsoft Identity Manager 2016 Brief History
- MIM 2016 is the latest version of Microsoft’s Identity and Access management (IAM) product suite which build on top of FIM 2010 R2 with additional capabilities of hybrid experience, Certificate Management (CM) and Privilege Access Management (PAM) REST APIs.
- MIM 2016 replaces Forefront Identity Manager (FIM) 2010 R2
- MIM 2016 provides managed synchronization between on-premises Active Directory Forest and Azure Active Directory
- MIM 2016 provides a broad range of services including user provisioning/de-provisioning, authentication/authorization of other LOB applications, BYOD, and data protection etc.
Microsoft Identity Manager 2016 Features
MIM 2016 features are
- Identity data management and synchronization
- Self-Service Identity/password Management
- Dynamic Group Membership
- Reporting and Auditing
- Single Sign-On using SAML and other Federation Technologies
- Creation of Windows Accounts and Other Accounts
- Automation using PowerShell Cmdlets
- Restful APIs for integration with 3rd parties for identity related tasks
- Authentication and authorization workflow
- Credentials management
- Certificate management
- etc.
Where you use Microsoft Identity Manager 2016 ?
The most common scenarios are
1. Cloud-ready Identities - MIM 2016 prepares user identities in on-premises Active Directory for synchronization with Azure Active Directory
2. Self-Service Capability - MIM 2016 provides capabilities for password reset with Azure multi-factor authentication and joining to dynamics active directory groups with workflow approvals and certificate management.
3. Reporting and Auditing - MIM 2016 protects admin Accounts by providing privileged access and also provide new security protocols.
4. IAM Solutions for modern Hybrid Infrastructure - MIM 2016, on-premises Active Directory and Azure Active directory work together for an organization and secure the organization hybrid infrastructure.
5. Seamless integration - MIM 2016 seamlessly integrate with on-premises identities store like Active Directory, LDAP, Oracle, etc to provide consistent experience for on-premises applications as well as SaaS solutions.
5. New REST based APIs for AuthN/AuthZ - Programmatic interface for integrating MIM 2016 with other 3rd party solutions.
and others.
Subscribe to:
Posts (Atom)