
Wednesday, November 7, 2018

Download a DOCX File instead of Opening it in SharePoint 2013/2016

Hi,

Today I came across a requirement where the business wanted a link on the home page to a DOCX file stored in the 'Documents' document library, such that clicking the link downloads (saves) the file to the local computer rather than opening it from the library.

Here is the solution: point the link at the download.aspx layouts page. That page serves the file with a Content-Disposition: attachment header, so the browser saves it instead of handing it to Office or the in-browser viewer.

href="/_layouts/download.aspx?SourceUrl=http://spsite/Shared%20Documents/documentname.docx"

Notes: 'Shared Documents' is the URL name of the default 'Documents' library, and the space must be encoded as %20 so the query string survives copying and pasting. SourceUrl also accepts a server-relative path (/Shared%20Documents/documentname.docx), which avoids hard-coding the host name. The download still runs under the requesting user's permissions, so a user who cannot read the file in the library cannot obtain it through this link either.

Cheers
Sohail

Wednesday, August 1, 2018

Import Active Directory Users into SharePoint 2013/2016 Group - PowerShell

Import Active Directory Users into SharePoint 2013/2016 Group 

Write-Host "Adding SharePoint snap-in"
$Host.Runspace.ThreadOptions = "ReuseThread"
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Write-Host "Importing AD module"
Import-Module ActiveDirectory -ErrorAction Stop

Write-Host "Starting work..."
# Hard-coded variables for testing:
# the distinguished name of the AD group, the name of the corresponding SharePoint group to sync with,
# the NetBIOS domain used in SharePoint login names, and the URL of the SPWeb where the SharePoint group lives.
$ADgroupname = "CN=XXX,OU=XXXX,DC=XXX,DC=XX,DC=XX"
# Get-ADGroup -Filter * | Select-Object distinguishedName, Name    # lists candidate group DNs
$SPGroupName = "SPGroup_AllUsers"
$spweburl    = "http://xxxxx.com"
$Domain      = "royal_comm\"   # replace with your NetBIOS domain; a multi-domain forest needs a per-user lookup instead
# Note: it is reasonably easy to turn this hard-coded list into a CSV import and loop through multiple groups.

# Get the users in the AD group. -Recursive expands nested groups; the Where-Object keeps user objects only,
# because nested groups and computer accounts would otherwise be handed to EnsureUser.
$ADGroupMembers = Get-ADGroupMember -Identity $ADgroupname -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object samaccountname, name

if ($null -eq $ADGroupMembers)
{
    Write-Host "The AD Group we're syncing with is empty - this is usually a problem or typo - the SP group will be left alone" -ForegroundColor Red
    return
}

# Get the SharePoint group and its current members
$web   = Get-SPWeb $spweburl
$group = $web.Groups[$SPGroupName]

if ($null -eq $group) {
    Write-Host "SPGroup not found"; return
}

$spusers = $group.Users | Select-Object @{name="LoginName";expression={$_.LoginName.ToUpper()}}

Write-Host "Debug: at this point we should have a list of user IDs from SharePoint, upper-cased (i:0#.w|DOMAIN\USER for Windows claims)"

# Remove all existing users from the SharePoint group
foreach ($x in $spusers)
{
    Write-Host $x.LoginName -ForegroundColor Green
    $User = Get-SPUser -Identity $x.LoginName -Web $web
    $group.RemoveUser($User)
}

# The group is now empty, so add every AD group member. (An earlier version only did this when the group
# had been empty before the removal loop, which left a previously populated group emptied out.)
Write-Host "Adding all AD group members to the SP group"
foreach ($ADGroupMember in $ADGroupMembers)
{
    $UserName = $Domain + $ADGroupMember.samaccountname
    Write-Host "Adding $UserName to $SPGroupName on $($web.Url)" -ForegroundColor Green

    # EnsureUser resolves DOMAIN\user to the claims identity and creates the SPUser in the site if needed
    $SPUser = $web.EnsureUser($UserName)
    try
    {
        $group.AddUser($SPUser)
        Write-Host "User is added..." -ForegroundColor Green
    }
    catch
    {
        Write-Host "Failed to add $UserName : $($_.Exception.Message)" -ForegroundColor Red
    }
}

Write-Host "Done adding users - script will now exit" -ForegroundColor Magenta
$web.Dispose()
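The script above empties the SharePoint group and re-adds everyone, so for a few seconds the group is empty and every run rewrites every membership. The following is an added example (not from the original post) that computes the difference between the AD group and the SharePoint group and only adds or removes what changed, and that can be previewed with -WhatIf before it touches anything. It assumes a SharePoint 2013/2016 farm with the Microsoft.SharePoint.PowerShell snap-in, the RSAT ActiveDirectory module, Windows claims login names of the form i:0#.w|DOMAIN\user, and the hypothetical group DN, site URL and domain values in the usage lines at the end.

```powershell
# Added example, not part of the original post. Differential sync of an AD group into a SharePoint group.
# Assumes Windows claims logins (i:0#.w|DOMAIN\user); the DN/URL/domain values below are hypothetical.
function Sync-SPGroupFromADGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $ADGroupDN,
        [Parameter(Mandatory)] [string] $WebUrl,
        [Parameter(Mandatory)] [string] $SPGroupName,
        [Parameter(Mandatory)] [string] $NetBiosDomain
    )

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    Import-Module ActiveDirectory -ErrorAction Stop

    # Desired state: user objects only, nested groups expanded, keyed by the lower-cased claims login name.
    $desired = @{}
    Get-ADGroupMember -Identity $ADGroupDN -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $desired["i:0#.w|$NetBiosDomain\$($_.SamAccountName)".ToLower()] = $_.SamAccountName }

    # Guard against a mistyped DN or an emptied AD group wiping the SharePoint group.
    if ($desired.Count -eq 0) {
        throw "AD group '$ADGroupDN' resolved to zero users; refusing to touch '$SPGroupName'."
    }

    $web = Get-SPWeb $WebUrl
    try {
        $group = $web.Groups[$SPGroupName]
        if ($null -eq $group) { throw "SharePoint group '$SPGroupName' not found in $WebUrl" }

        # Current state, keyed the same way so the two sets are directly comparable.
        # Domain-group members (AD groups added to the SP group) are left alone on purpose.
        $current = @{}
        foreach ($u in $group.Users) {
            if (-not $u.IsDomainGroup) { $current[$u.LoginName.ToLower()] = $u }
        }

        $toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
        $toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

        foreach ($login in $toRemove) {
            if ($PSCmdlet.ShouldProcess($SPGroupName, "Remove $login")) {
                $group.RemoveUser($current[$login])
            }
        }
        foreach ($login in $toAdd) {
            if ($PSCmdlet.ShouldProcess($SPGroupName, "Add $login")) {
                # EnsureUser accepts DOMAIN\user and returns the claims-encoded SPUser.
                $group.AddUser($web.EnsureUser("$NetBiosDomain\$($desired[$login])"))
            }
        }

        [pscustomobject]@{
            Added     = $toAdd.Count
            Removed   = $toRemove.Count
            Unchanged = $desired.Count - $toAdd.Count
        }
    }
    finally {
        $web.Dispose()
    }
}

# Preview first, then apply (hypothetical values).
Sync-SPGroupFromADGroup -ADGroupDN 'CN=AllStaff,OU=Groups,DC=corp,DC=example' -WebUrl 'http://intranet.example' `
    -SPGroupName 'SPGroup_AllUsers' -NetBiosDomain 'CORP' -WhatIf
Sync-SPGroupFromADGroup -ADGroupDN 'CN=AllStaff,OU=Groups,DC=corp,DC=example' -WebUrl 'http://intranet.example' `
    -SPGroupName 'SPGroup_AllUsers' -NetBiosDomain 'CORP'
```

Because the function only ever removes users that are missing from AD, a run against the wrong AD group will still show up as a large "Removed" count in the -WhatIf output before anything happens, which is the moment to stop and check the DN.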


Tuesday, June 7, 2016

SAML-based Claims Auth in SP2016

SAML-based claims authentication in SharePoint Server 2016

SAML-based authentication requires

  1. A client computer
  2. A SharePoint 2016 server or farm
  3. A claims provider / IP-STS (for example ADFS)
  4. An identity provider (for example AD or LDAP) that holds the actual accounts and passwords


Note:
ADFS and SAML claims are not required when all users live in AD DS forests and domains that trust each other; SharePoint can then authenticate them with Windows claims (NTLM or Kerberos) directly.


Trust Relationship for SAML-based claims authentication process

Steps
  • The ADFS server must trust the identity provider for which it issues SAML security tokens.
    Note:
    When AD and ADFS are in the same domain, the trust is implicit: ADFS trusts the credential validation performed by its domain controllers.
  • ADFS must also trust the locations (URLs) on the SharePoint 2016 server for which it will issue security tokens.
  • You configure ADFS with the URLs of the SharePoint 2016 web applications as a relying party; those URLs are then trusted sources of security token requests.
  • The SharePoint 2016 server must in turn trust the ADFS server, which uses a token-signing certificate to sign the SAML security tokens it issues.
  • To validate the digital signature on the security tokens issued by ADFS, the SharePoint 2016 farm is configured with the public portion of that ADFS token-signing certificate. Only the public key is needed on SharePoint; the private key never leaves ADFS.

The SAML-based claims authentication process

Step 1
Assume the client computer does not yet have a claims-based security token.

SAML-based claims authentication starts when the client makes an initial anonymous request for a secured SharePoint 2016 web page.

Step 2
The SharePoint 2016 server redirects the client computer to the ADFS server (the sign-in URL of the trusted identity token issuer), where the user is presented with the ADFS login page for credentials (username/password). The credentials are entered on ADFS, not on SharePoint.

Step 3
The user provides the credentials and the client computer sends them to the ADFS server together with a request for a SAML security token.

Step 4
The ADFS server validates the credentials against the identity provider (Active Directory, LDAP, etc.).

Step 5
After validating the credentials with the identity provider, the ADFS server
  • constructs a SAML security token,
  • signs the security token with its token-signing certificate, and
  • sends this security token to the client computer.

Step 6
The client computer sends a new request for the SharePoint 2016 web page, this time including the SAML security token it received from the ADFS server.

Step 7
The Security Token Service on the SharePoint 2016 server verifies the token's signature against its copy of the ADFS token-signing certificate, then creates its own claims-based security token and stores it in the Distributed Cache Service of the SharePoint 2016 farm.

The claims in this security token (user name, e-mail address, roles, and any other attributes ADFS was configured to issue) are derived from the claims in the SAML security token from the ADFS server. The password is never part of a token; SharePoint never sees it.

The SharePoint 2016 server then creates and sends a Federated Authentication (FedAuth) cookie to the client computer.

The FedAuth cookie contains an encrypted key or index to the security token held in the Distributed Cache; it is not the token itself.

If the user is authorized to access the requested web page, which SharePoint decides by evaluating the claims in the security token created by its Security Token Service against the permissions configured on the SharePoint content, the SharePoint 2016 server returns the requested page.

For subsequent requests, the client computer presents the FedAuth cookie for authentication. The cookie is therefore the session credential: serve the web application over HTTPS so it cannot be captured in transit.

Note: 
All above steps are valid for SharePoint 2013 Server as well.
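The SharePoint half of the trust relationship described above (the ADFS token-signing certificate SharePoint verifies signatures with, and the realm and sign-in URL it uses for the redirect in step 2) is configured from the SharePoint Management Shell. The following is an added example, not code from the original post: the certificate path, realm, ADFS host name and claim types are hypothetical and must match what the relying-party trust in ADFS actually issues for your web application.

```powershell
# Added example, not part of the original post. Registers ADFS as a trusted identity token issuer in a
# SharePoint 2013/2016 farm. Paths, realm, host name and claim types below are hypothetical values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$signingCertPath = 'C:\certs\adfs-token-signing.cer'    # public part only; the private key stays on ADFS
$realm           = 'urn:sharepoint:intranet'             # must equal the relying-party identifier configured in ADFS
$signInUrl       = 'https://adfs.corp.example/adfs/ls/'  # ADFS passive endpoint the user is redirected to in step 2

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCertPath)

# SharePoint only accepts tokens signed by a certificate that chains to a root it trusts. ADFS token-signing
# certificates are usually self-signed, so the certificate itself is registered as a trusted root here.
if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint })) {
    New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $cert | Out-Null
}

# Claim mappings: which incoming SAML claims SharePoint keeps, and which one identifies the user.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# The issuer ties together: the signing certificate (step 7 signature check), the realm and sign-in URL
# (step 2 redirect), and the identifier claim SharePoint uses as the user's login name.
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'ADFS' -Description 'Corporate ADFS' `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# Check before enabling the provider on a web application: the thumbprint SharePoint will verify
# against must be the certificate ADFS currently signs with.
Get-SPTrustedIdentityTokenIssuer -Identity 'ADFS' |
    Select-Object Name, ProviderUri, DefaultProviderRealm,
        @{ n = 'SigningCertThumbprint'; e = { $_.SigningCertificate.Thumbprint } }
```

One operational caveat: ADFS rolls its token-signing certificate over automatically (yearly by default), but the copy registered in SharePoint does not follow. After a rollover every token fails signature validation until the new public certificate is imported with Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate and added as a trusted root, so the thumbprint check above belongs in your monitoring.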

Happy SharePointing

Sunday, May 15, 2016

"Delete this Document library" link missing in SharePoint 2013

Problem

The "Delete this document library" link is missing from the library settings page.

The link is hidden when the list's AllowDeletion property is false. SharePoint sets it that way on some system libraries, and code or a previous administrator may have set it on others.

Solution

Add-PSSnapin Microsoft.SharePoint.PowerShell

$web  = Get-SPWeb 'URL of Site'
$list = $web.Lists['Name of Document Library']

$list.AllowDeletion = $true
$list.Update()
$web.Dispose()

Make sure the library really is one you intend to make deletable before flipping the flag: once AllowDeletion is true, anyone with the Manage Lists permission on the site can delete the library and everything in it.

Sunday, February 28, 2016

SharePoint 2013 Farm Installation on Windows 2012 R2 - .NET 4.5 Framework Issue

Hi,

I ran into a problem while installing SharePoint 2013 on Windows Server 2012 R2: the installer failed with an error about the .NET Framework version.

Apparently .NET Framework 4.5 was installed, but .NET Framework 4.6 had also been installed on top of it (through Windows Update), and the SharePoint 2013 setup did not accept it at the time. So:

Go to Control Panel --> Programs --> Programs and Features --> View installed updates

Find KB3102436 and uninstall it.

This resolves the problem. Keep in mind that you have just removed a framework update from the server: plan to re-apply it once SharePoint is installed and your SharePoint build supports .NET 4.6, rather than leaving the server permanently behind on updates.


Happy SharePointing


Tuesday, November 3, 2015

New Azure SQL Server V12 Security Features

Secure Data with Azure SQL Database

Azure SQL Database offers a set of out-of-the-box features to protect organization data from unauthorized access. They are simple to implement and help to protect the data and build secure business applications within Azure.



Several of the newer Azure SQL security features are only available when clients connect through the secure connection endpoint rather than the original one.

Original connection endpoint

{ServerName}.database.windows.net

v12 secure connection endpoint

{ServerName}.database.secure.windows.net

Whichever host name you use, the client connection string should set Encrypt=True and TrustServerCertificate=False; otherwise the TLS server certificate is not validated and the connection is open to interception.

Most of the newer Azure SQL Database security features only work with the v12 engine, which is GA.

If you have an older v11 database, it must be upgraded to v12 first.

The cmdlet names below use the AzureRm prefix of Azure PowerShell 1.0 and later (the 0.9.x preview module shipped the same cmdlets without the Rm). Check the server version first:

Get-AzureRmSqlServer -ServerName '' -ResourceGroupName ''

Note:
The ResourceGroupName can be found in the Azure Preview Portal.

Among the properties this returns, find the ServerVersion value:

ServerVersion : 2.0

If the value is 2.0 the engine is not v12; it can be upgraded with the following PowerShell command:

Start-AzureRmSqlServerUpgrade -ServerName '' -ResourceGroupName '' -ServerVersion 12.0

Running the cmdlet queues the upgrade request; the upgrade itself runs asynchronously.

If the server hosts databases that are in use, there will be an outage of a few minutes or more depending on the database size, so schedule the upgrade in a maintenance window and take a backup first.

To get the status of the upgrade request, run:

Get-AzureRmSqlServerUpgrade -ServerName '' -ResourceGroupName ''

Once the server has been upgraded to v12, the following security features can be used to protect the data.

New Azure SQL Database Security Features

1. Connectivity

Azure Active Directory (AAD) authentication support
is generally available (GA) for connecting to SQL Database with user identities managed centrally in AAD, for both managed and federated domains.

AAD authentication uses contained database users to authenticate identities at the database level. It is an alternative to SQL Server authentication, and database permissions can be managed through AAD groups, so access is granted and revoked centrally by group membership rather than by per-database logins.


2. Authorization

Row-Level Security (RLS) support
is GA. It restricts which rows a query can read or modify based on the user's identity, role membership, or the execution context of the query.

RLS embeds and centralizes the access logic inside the database, so every application and every ad-hoc query is subject to the same rule, which minimizes the risk of accidental data access through a forgotten WHERE clause in one client.

Azure SQL Database supports filter predicates and block predicates:
  • a filter predicate silently restricts row-level read access (the rows SELECT returns, and the rows UPDATE and DELETE can see);
  • a block predicate explicitly rejects write operations (AFTER INSERT, AFTER UPDATE, BEFORE UPDATE, BEFORE DELETE) that would violate the predicate.
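To show both predicate kinds working together, here is an added example (not from the original post) that deploys a security policy with a filter predicate and block predicates, then verifies it by impersonating one of the users. It assumes the SqlServer PowerShell module's Invoke-Sqlcmd (its -Credential parameter is from that module; the older SQLPS module uses -Username/-Password), an Azure SQL Database on the v12 engine reachable with the hypothetical server and database names below, and the hypothetical dbo.Orders table and contained users that the script itself creates.

```powershell
# Added example, not part of the original post. Server/database names, table and users are hypothetical.
# Requires the SqlServer module (Invoke-Sqlcmd with -Credential) and a v12 Azure SQL Database.
$server   = 'myserver.database.windows.net'
$database = 'SalesDb'
$cred     = Get-Credential -Message 'SQL login with db_owner on SalesDb'   # never hard-code this

$setup = @"
CREATE TABLE dbo.Orders (OrderId int IDENTITY PRIMARY KEY, SalesRep sysname NOT NULL, Amount money NOT NULL);
INSERT dbo.Orders (SalesRep, Amount) VALUES ('alice', 100), ('bob', 250), ('alice', 75);
CREATE USER alice WITHOUT LOGIN;   -- contained users, stand-ins for real SQL or AAD principals
CREATE USER bob   WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO alice, bob;
GO
CREATE SCHEMA Security;
GO
-- Inline table-valued function: returns a row exactly when the caller may see or touch the input row.
-- SCHEMABINDING and no data access keep it fast and prevent it from being redefined underneath the policy.
CREATE FUNCTION Security.fn_OrderPredicate(@SalesRep AS sysname)
RETURNS TABLE WITH SCHEMABINDING
AS RETURN SELECT 1 AS fn_result
          WHERE @SalesRep = USER_NAME() OR IS_MEMBER('db_owner') = 1;
GO
-- FILTER restricts reads; the BLOCK predicates refuse writes that would create or touch another rep's rows.
CREATE SECURITY POLICY Security.OrdersPolicy
    ADD FILTER PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders AFTER INSERT,
    ADD BLOCK  PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders BEFORE UPDATE,
    ADD BLOCK  PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders BEFORE DELETE
WITH (STATE = ON);
GO
"@

$verify = @"
EXECUTE AS USER = 'alice';
SELECT USER_NAME() AS Caller, COUNT(*) AS VisibleRows FROM dbo.Orders;   -- filter: 2 rows, not 3
BEGIN TRY
    INSERT dbo.Orders (SalesRep, Amount) VALUES ('bob', 1);               -- block: AFTER INSERT predicate fails
    SELECT 'insert unexpectedly succeeded' AS Outcome;
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS Outcome;
END CATCH;
REVERT;
"@

Invoke-Sqlcmd -ServerInstance $server -Database $database -Credential $cred -Query $setup
Invoke-Sqlcmd -ServerInstance $server -Database $database -Credential $cred -Query $verify | Format-Table -AutoSize
```

The filter predicate alone would still let alice insert a row tagged 'bob' that she could then never see again; that is what the AFTER INSERT block predicate prevents. RLS is not a defence against a user who can craft queries whose errors depend on hidden values (a divide-by-zero inside a predicate on the filtered column, for example), so keep it alongside the least privilege that the GRANT statements above already express.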

Dynamic Data Masking is supported on v12 of Azure SQL Database.
It masks sensitive fields in query results for users who lack the UNMASK permission, without changing the stored data and with no impact on database operations. It is an obfuscation layer rather than an access-control boundary: a user who can run arbitrary queries against a masked column can often infer its values (for example through WHERE predicates), so it complements, and does not replace, RLS and encryption.

3. Encryption

Always Encrypted is expected to enter public preview soon.

Always Encrypted is designed to protect sensitive data stored in SQL Server and Azure SQL databases.

It lets client applications encrypt sensitive data before it leaves the application, without ever exposing the encryption keys to the database engine.

The benefit is a clear separation between those who own the data (and may view it) and those who manage the data (DBAs, cloud operators) but should have no access to its plaintext.

The encryption is transparent to business applications: an Always Encrypted-enabled client driver on the application machines encrypts and decrypts the sensitive values automatically.

The driver encrypts data only in the columns designated as sensitive before sending it to SQL Server, and decrypts those columns automatically in query results. Two caveats a practitioner should know: the column master key lives in a client-side key store (Windows certificate store or Azure Key Vault), so that store is now the thing to protect and back up; and deterministic encryption, which is what allows equality lookups and joins on an encrypted column, reveals which rows share a value, whereas randomized encryption does not but supports no server-side operations on the column.

4. Compliance

Transparent Data Encryption (TDE) is GA and encrypts
  • the database files,
  • the transaction logs, and
  • the associated backups
at rest, which is what most compliance requirements ask for.

TDE in Azure SQL Database is based on SQL Server Transparent Data Encryption: the storage of the database is encrypted with an AES-256 symmetric database encryption key (DEK).

The service protects the DEK with a service-managed certificate, and all key management for database copies, geo-replication, and restores anywhere in Azure SQL Database is handled by the service. Note what this does and does not protect: TDE defends against someone obtaining the underlying files or backups; anyone who can authenticate to the database still sees plaintext, so it complements rather than replaces logins, RLS, and Always Encrypted.

You can enable it on your database with two clicks in the Azure Preview Portal:

Go to the Azure Preview Portal
Under Database Security --> Transparent data encryption

(1) Click ON and then
(2) Click Save

There is one slight downside when migrating a SQL database from on-premises: the database must be

- decrypted on-premises before migration, and
- re-encrypted once it has been migrated to Azure.

You can enable encryption with either (a) or (b).

(a) T-SQL, from any client connected to the database (SSMS or sqlcmd, for example)

ALTER DATABASE [SQL Database Name]
SET ENCRYPTION ON;
GO

(b) Azure PowerShell

Set-AzureRmSqlDatabaseTransparentDataEncryption -ServerName 'Server Name' -ResourceGroupName 'Resource Group Name' -DatabaseName 'Database Name' -State Enabled

Note:
Enabling TDE starts a background encryption scan; wait for it to finish before treating the database as encrypted.

Use this PowerShell cmdlet to check the state of the encryption:

Get-AzureRmSqlDatabaseTransparentDataEncryption -ServerName 'Server Name' -ResourceGroupName 'Resource Group Name' -DatabaseName 'Database Name'


5. Threat Detection / Azure SQL Database Auditing

Auditing is GA on the Basic, Standard, and Premium service tiers.

Azure SQL Database Auditing tracks database events and writes the audited events to an audit log in an Azure Storage account that you own, outside the database itself.

Threat Detection is an additional feature on top of auditing that raises alerts on unauthorized or suspicious activity (for example SQL injection patterns or anomalous logins), at the database level or for the whole database server.

Several PowerShell cmdlets are available for Azure SQL auditing (AzureRM.Sql module).

For "Database" auditing

(i) Get-AzureRmSqlDatabaseAuditingPolicy

Example:
Get-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName "" -ServerName "" -DatabaseName ""

(ii) Set-AzureRmSqlDatabaseAuditingPolicy

Example:
Set-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName "" -ServerName "" -DatabaseName "" -StorageAccountName ""

(iii) Remove-AzureRmSqlDatabaseAuditingPolicy

Example:
Remove-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName "" -ServerName "" -DatabaseName ""

For "Database Server" auditing (the server cmdlets take no -DatabaseName)

(i) Get-AzureRmSqlServerAuditingPolicy

Example:
Get-AzureRmSqlServerAuditingPolicy -ResourceGroupName "" -ServerName ""

(ii) Set-AzureRmSqlServerAuditingPolicy

Examples:

- Set up the auditing policy of the Azure SQL server

Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName "" -ServerName "" -StorageAccountName ""

- Switch an existing auditing policy to the storage account's secondary key (useful while rotating the primary key)

Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName "" -ServerName "" -StorageKeyType Secondary

- Restrict the auditing policy of the Azure SQL server to specific event types

Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName "" -ServerName "" -EventType Login_Failure

(iii) Remove-AzureRmSqlServerAuditingPolicy

Example:

Remove-AzureRmSqlServerAuditingPolicy -ResourceGroupName "" -ServerName ""

Defining that a "Database" uses the auditing policy of its "Database Server"

(i) Use-AzureRmSqlServerAuditingPolicy

Example:

Use-AzureRmSqlServerAuditingPolicy -ResourceGroupName "" -ServerName "" -DatabaseName ""
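The TDE and auditing cmdlets above are usually run together as a baseline for every new database, and the part the page does not show is the waiting and the checking: TDE is not in effect until its background scan finishes, and an auditing policy is only useful if you can prove afterwards what is in force. The following is an added example (not from the original post) that strings the cmdlets into a repeatable baseline. It assumes the AzureRm-prefixed cmdlets of Azure PowerShell 1.x (the names used in this post), including Get-AzureRmSqlDatabaseTransparentDataEncryptionActivity for scan progress and the -EventType / -RetentionInDays / -StorageKeyType parameters of the server auditing cmdlet, an already authenticated session (Login-AzureRmAccount), and the hypothetical resource group, server, database and storage account names given as defaults.

```powershell
# Added example, not part of the original post. Azure PowerShell 1.x (AzureRM.Sql) cmdlets; the
# resource group, server, database and storage account names are hypothetical defaults.
param(
    [string] $ResourceGroupName = 'rg-sql-prod',
    [string] $ServerName        = 'myserver',         # short name, without .database.windows.net
    [string] $DatabaseName      = 'SalesDb',
    [string] $AuditStorageName  = 'sqlauditlogs',     # storage account in the same region as the server
    [int]    $RetentionDays     = 90
)

$common = @{ ResourceGroupName = $ResourceGroupName; ServerName = $ServerName }

# 1. TDE and auditing need the v12 engine; stop here on a 2.0 server rather than failing half-way through.
$server = Get-AzureRmSqlServer @common
if ($server.ServerVersion -ne '12.0') {
    throw "Server $ServerName is version $($server.ServerVersion); run Start-AzureRmSqlServerUpgrade -ServerVersion 12.0 first."
}

# 2. Turn TDE on and poll the encryption scan. A large database takes minutes; the activity cmdlet
#    reports Status/PercentComplete while the scan runs and nothing once it is done.
Set-AzureRmSqlDatabaseTransparentDataEncryption @common -DatabaseName $DatabaseName -State Enabled | Out-Null
do {
    Start-Sleep -Seconds 15
    $activity = Get-AzureRmSqlDatabaseTransparentDataEncryptionActivity @common -DatabaseName $DatabaseName
    if ($activity) { Write-Host ("TDE scan: {0} {1}%" -f $activity.Status, $activity.PercentComplete) }
} while ($activity -and $activity.Status -eq 'Encrypting')

$tde = Get-AzureRmSqlDatabaseTransparentDataEncryption @common -DatabaseName $DatabaseName
if ($tde.State -ne 'Enabled') { throw "TDE did not reach the Enabled state on $DatabaseName" }

# 3. Server-level auditing: one policy, all event types, retained for $RetentionDays days. The database is
#    then pointed at the server policy so that nobody can quietly narrow auditing for one database.
Set-AzureRmSqlServerAuditingPolicy @common -StorageAccountName $AuditStorageName -StorageKeyType Primary `
    -EventType All -RetentionInDays $RetentionDays | Out-Null
Use-AzureRmSqlServerAuditingPolicy @common -DatabaseName $DatabaseName | Out-Null

# 4. Read back what is actually in effect; this object is what an auditor or a drift check should see.
[pscustomobject]@{
    Database           = $DatabaseName
    TdeState           = $tde.State
    ServerAuditing     = (Get-AzureRmSqlServerAuditingPolicy @common).AuditState
    DbUsesServerPolicy = (Get-AzureRmSqlDatabaseAuditingPolicy @common -DatabaseName $DatabaseName).UseServerDefault
}
```

Running the script again is safe: re-enabling TDE on an encrypted database is a no-op, and re-applying the same auditing policy simply overwrites it, which is what makes the read-back at the end usable as a periodic compliance check rather than a one-off.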




Wednesday, October 7, 2015

IAM with Microsoft Identity Manager 2016

What is Identity & Access Management (IAM)

IAM is the establishment and management of individual users' roles and credentials: making sure that an individual's credentials are valid, that he or she is authorized to access the organization's line-of-business applications and assets, and that those credentials and access rights are revoked when the person leaves the organization.

Why do organisations need an identity management solution?

Small, medium and large organisations deploy Identity and Access Management (IAM) solutions so they can meet the security challenges of all their integrated business applications, whether located on-premises or in the cloud. With an identity management solution in place, users can use a single identity to access all business applications according to their role, and a change made in one identity store is synchronized to the others.

IAM is very useful to
  • give users the right access to data and services
  • integrate the organisation's identity solution with third-party identity solutions
  • provide a consistent user experience for smooth authentication and authorization
  • and more

ROI from Identity & Access Management solutions

Every organization invests in technology with ROI in mind. IAM is not just an IT issue but a challenge for C-level business executives and investors, because information is the organization's most important asset. A mature Identity & Access Management solution is a core strength: the return on investment shows up as readiness to integrate new solutions, third-party applications and identity repositories, fewer help-desk calls, and the ability to protect assets from external threats.

What is Identity Life cycle Management

Identity life cycle management is the process of
  • provisioning user identities
  • de-provisioning user identities
  • identity synchronization
  • security principal creation
  • attribute management
  • identity aggregation and deletion

Microsoft Identity Manager (MIM) 2016

  • MIM 2016 is the latest version of Microsoft's Identity and Access Management (IAM) product suite. It builds on FIM 2010 R2 and adds a hybrid experience, Certificate Management (CM), Privileged Access Management (PAM) and REST APIs.
  • MIM 2016 replaces Forefront Identity Manager (FIM) 2010 R2.
  • MIM 2016 provides managed synchronization between on-premises Active Directory forests and Azure Active Directory.
  • MIM 2016 provides a broad range of services, including user provisioning/de-provisioning, authentication/authorization for other LOB applications, BYOD, and data protection.

Microsoft Identity Manager 2016 Features

MIM 2016 features are

    • Identity data management and synchronization
    • Self-Service Identity/password Management
    • Dynamic Group Membership
    • Reporting and Auditing
    • Single Sign-On using SAML and other Federation Technologies
    • Creation of Windows Accounts and Other Accounts
    • Automation using PowerShell Cmdlets
    • RESTful APIs for integration with third parties for identity-related tasks
    • Authentication and authorization workflow
    • Credentials management
    • Certificate management
    • etc.



Where you use Microsoft Identity Manager 2016 ?

The most common scenarios are

1. Cloud-ready identities - MIM 2016 prepares user identities in on-premises Active Directory for synchronization with Azure Active Directory.

2. Self-service capability - MIM 2016 provides self-service password reset with Azure Multi-Factor Authentication, joining dynamic Active Directory groups with workflow approvals, and certificate management.

3. Privileged Access Management - MIM 2016 protects admin accounts by granting privileged access just-in-time and for a limited period through a separate bastion forest, instead of leaving accounts permanently privileged.

4. IAM for modern hybrid infrastructure - MIM 2016, on-premises Active Directory and Azure Active Directory work together to secure the organization's hybrid infrastructure.

5. Seamless integration - MIM 2016 integrates with on-premises identity stores such as Active Directory, LDAP and Oracle to provide a consistent experience for on-premises applications as well as SaaS solutions.

6. New REST-based APIs for AuthN/AuthZ - a programmatic interface for integrating MIM 2016 with third-party solutions.

and others.