While building some recent SharePoint 2013 servers, I hit a few issues relating to the Workflow Manager service installation. The servers are running Windows Server 2012 R2, and no matter what order I selected the components for installation in, it would always fail: some pieces would install and others would not. After playing for a while, I decided that the only way of doing this would be to perform a manual installation and not use the "wpilauncher". This is done using the same tool, but from a command line instead.
The order is very simple; you need to download the components in this order:
- Service Bus 1.0
- Service Bus 1.0 Cumulative Update (KB2799752), download here: http://www.microsoft.com/en-us/download/details.aspx?id=36794
- Workflow Client
- Workflow Manager Refresh
The command line approach is very simple, it uses the following syntax:
Webpicmd /offline /Products:"Product Name" /Path:"Path Location"
To download the components above you can use the following commands. I am using "G:\Components\Workflow\" as the location to download into.
Webpicmd /offline /Products:ServiceBus /Path:G:\Components\Workflow\ServiceBus
Webpicmd /offline /Products:WorkflowClient /Path:G:\Components\Workflow\Client
Webpicmd /offline /Products:WorkflowManagerRefresh /Path:G:\Components\Workflow\Manager
Make sure you download the Service Bus 1.0 Cumulative Update using the link above and place it in the same location. My folder structure looks like this:
Now to perform the installation you need to use the following command:
WebpiCmd.exe /Install /Products:"Product to Install" /XML:"XML Definition Location" /AcceptEula /SuppressPostFinish
This syntax will allow each component to be installed using the command line in the correct order. The following are sample commands you can run:
WebpiCmd.exe /Install /Products:ServiceBus /XML:G:\Components\Workflow\ServiceBus\feeds\latest\webproductlist.xml /AcceptEula /SuppressPostFinish
WebpiCmd.exe /Install /Products:WorkflowClient /XML:G:\Components\Workflow\Client\feeds\latest\webproductlist.xml /AcceptEula /SuppressPostFinish
WebpiCmd.exe /Install /Products:WorkflowManagerRefresh /XML:G:\Components\Workflow\Manager\feeds\latest\webproductlist.xml /AcceptEula /SuppressPostFinish
Once you have run the commands, everything will be installed and working. You can then set it up using either the standard Application Wizard or PowerShell. I would encourage you to use PowerShell, which is much easier and is needed if you want to repeat the process easily.
PowerShell: If you wish to use PowerShell instead of "old skool" command line, then simply use this syntax:
Start-Process -FilePath "Path to WebpiCmd" -ArgumentList '/Install /Products:"Product to Install" /XML:"XML Definition Location" /AcceptEula /SuppressPostFinish' -Wait -PassThru
An example would be:
Start-Process -FilePath "C:\Program Files\Microsoft\Web Platform Installer\WebpiCmd.exe" -ArgumentList "/Install /Products:ServiceBus /XML:G:\Components\Workflow\ServiceBus\feeds\latest\webproductlist.xml /AcceptEula /SuppressPostFinish" -Wait -PassThru
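Putting the three installs together, here is an added PowerShell script (my example, not part of the original post) that runs them in the order described above and stops at the first failure instead of leaving a half-installed server. It assumes WebpiCmd.exe is at the path used in the example above and that the offline feeds were downloaded into G:\Components\Workflow\ with the folder names used in the download commands.

```powershell
# Added example: runs the WebpiCmd installs from the post in order and stops on the first failure.
# Assumptions: WebpiCmd.exe path and the G:\Components\Workflow\ layout are the ones used in the post.
$WebPi = "C:\Program Files\Microsoft\Web Platform Installer\WebpiCmd.exe"
$Root  = "G:\Components\Workflow"

# Order matters: Service Bus first, then the Workflow Client, then Workflow Manager Refresh.
$Steps = @(
    @{ Product = "ServiceBus";             Feed = "$Root\ServiceBus\feeds\latest\webproductlist.xml" },
    @{ Product = "WorkflowClient";         Feed = "$Root\Client\feeds\latest\webproductlist.xml" },
    @{ Product = "WorkflowManagerRefresh"; Feed = "$Root\Manager\feeds\latest\webproductlist.xml" }
)

if (-not (Test-Path $WebPi)) { throw "WebpiCmd.exe not found at $WebPi" }

foreach ($Step in $Steps) {
    if (-not (Test-Path $Step.Feed)) {
        throw "Offline feed for $($Step.Product) not found at $($Step.Feed); run the /offline download first."
    }

    # Each switch is passed as its own argument, and the feed path is quoted so that a path containing
    # spaces is not split into a second token (a space after /XML: has the same effect and breaks the install).
    $ArgList = @(
        "/Install",
        "/Products:$($Step.Product)",
        "/XML:`"$($Step.Feed)`"",
        "/AcceptEula",
        "/SuppressPostFinish"
    )

    Write-Host "Installing $($Step.Product) ..."
    $Proc = Start-Process -FilePath $WebPi -ArgumentList $ArgList -Wait -PassThru -NoNewWindow
    if ($Proc.ExitCode -ne 0) {
        throw "$($Step.Product) failed with exit code $($Proc.ExitCode); check the Web Platform Installer log before continuing."
    }
}

Write-Host "All Workflow Manager components installed in order."
```

Run it from an elevated PowerShell prompt on the server being built. Because the script throws on a non-zero exit code, a failed Service Bus install never lets the later Workflow Client and Workflow Manager Refresh steps run against a broken prerequisite, which is the out-of-order situation the launcher got me into.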
Outside of this, once everything was installed I had various issues connecting a second server to the Workflow farm. You can see this when you run the wizard for the new server you wish to add: upon validation you see port blocking errors similar to this:
The first place to check would be the Windows Firewall rules, to make sure the rules that were supposed to be created actually got created. They should be the following:
Even if the Windows Firewall is not running (which of course won't be the issue) you should have these rules generated and added. Next, check that the services on the primary server (the first one created) are actually running. I found that the "Service Bus Message Broker" was not running at all. Resolving this is needed either way. Check that the following services are all running:
- Service Bus Gateway
- Service Bus Message Broker
- Windows Fabric Host Service
If any of these are not running, start them; you may need to reboot the server to have them start cleanly. If that doesn't fix it, then you need to look at the traffic between the servers you are trying to connect. In the instance I was working with, it was firewalls blocking the communication between the two servers. The following rules needed to be added to allow the traffic:
- Allow Port 9355 HTTPS
- Allow Port 9354 TCP
- Allow Port 9356 TCP
- Allow Ports 900 to 9004 TCP
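The checks above (services on the primary server, the firewall rules the installer should have created, and the ports between the two servers) can be run from the server you are trying to join before re-running the wizard. The following is an added PowerShell script of mine, not from the post. It assumes the placeholder name WFM01.contoso.local for the first Workflow Manager server, that remote service queries (RPC) are allowed to that server, and that the installer's firewall rules have "Service Bus" or "Workflow" in their display names (the post's screenshot of the rule names is not available here). The post's rule list reads "900 to 9004"; the script probes 9000 to 9004, the Service Bus fabric port range, which is what that line appears to mean.

```powershell
# Added example: pre-flight checks before re-running the "Join to Farm" wizard.
# Assumptions: $Primary is a placeholder for your first Workflow Manager / Service Bus host;
# firewall rule display names are matched on "Service Bus|Workflow" (an assumption, adjust to the real names).
$Primary  = "WFM01.contoso.local"
$Services = "Service Bus Gateway", "Service Bus Message Broker", "Windows Fabric Host Service"
$Ports    = @(9354, 9355, 9356) + (9000..9004)   # messaging, HTTPS management, resource provider, fabric range

# 1. Are the Service Bus services running on the primary server?
foreach ($Name in $Services) {
    $Svc = Get-Service -ComputerName $Primary -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $Svc) {
        Write-Warning "$Name not found on $Primary"
    } elseif ($Svc.Status -ne "Running") {
        Write-Warning "$Name is $($Svc.Status) on $Primary; start it, and reboot if it will not start cleanly"
    } else {
        Write-Host "OK  $Name is running on $Primary"
    }
}

# 2. Did the installer create its local firewall rules? (Shows state so disabled rules stand out.)
Get-NetFirewallRule |
    Where-Object { $_.DisplayName -match "Service Bus|Workflow" } |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize

# 3. Can this server actually reach the primary on each port, through whatever firewalls sit in between?
foreach ($Port in $Ports) {
    $Result = Test-NetConnection -ComputerName $Primary -Port $Port -WarningAction SilentlyContinue
    if ($Result.TcpTestSucceeded) {
        Write-Host "OK  ${Primary}:$Port reachable"
    } else {
        Write-Warning "${Primary}:$Port blocked; check the firewalls between the two servers"
    }
}
```

A port that fails step 3 while the service in step 1 is running points at a firewall between the servers rather than at the Service Bus installation itself, which is exactly the split I needed to make before touching anything else.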
Once these changes were made, the wizard re-validation process still failed. So far I had checked all the network connectivity, the services and what I thought was everything. So what I decided to do was run the wizard for removing the server from a Workflow farm. I was quite amazed that it offered me the ability to do that, so at some point it had connected itself to the farm for the Service Bus components only.
After running that wizard, it completed successfully, saying it had removed the current server from the Service Bus farm. Re-running the "Join to Farm" wizard then successfully validated the connections as needed.
The wizard then ran and failed again, based on the "Service Bus Message Broker" service not being able to start. I still don't have it working 100% yet, due to the service just not starting at all, but I am now further along than I was a while ago. When I get it working 100% I will post an update.
Just wanted to say a big "THANK YOU" to all those that attended the couple of SharePoint Security Roundtables I did in McLean, VA and then San Francisco, CA. It was a great time to talk about some of the issues we face as businesses and organizations in securing our content, looking at the things we need to consider, and then how we can govern it a little bit better.
We still have two more planned, being presented by my colleague Doug Hemminger:
If you are in Chicago or Minneapolis then sign up and let's have a great conversation about security.
A year ago the guys over at Cipherpoint conducted a survey of collaboration systems. This included SharePoint, file servers, Office 365, and SharePoint Online. The purpose was to explore security and compliance issues related to the use of these platforms. If you have not seen this then head over to the link below:
The great news is that they are doing this again this year and need YOU to go and complete the survey. Use the link below to complete it.
I encourage you to do this, so that we can then look back as an industry at what are the security holes and issues that we all face with collaboration platforms.
Today I found a little weird thing. A client SharePoint 2013 environment would not crawl at all. It caused the following standard error that I am sure you have all seen a million times.
"Item not crawled due to one of the following reasons: Preventive crawl rule; Specified content source hops/depth exceeded; URL has query string parameter; Required protocol handler not found; Preventive robots directive. (This item was deleted because it was excluded by a crawl rule)"
I tried everything I could think of, deleting and re-creating result sources, crawling one page, crawling not as SharePoint, removing the "robots.txt" files to name a few things. I then resorted to trawling through the "web.config" and found the following entries:
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-MS-InvokeApp" value="1; RequireReadOnly" />
HTTP Header <add name="X-Content-Type-Options" value="nosniff" />
Each type of file delivered from the web server has an associated MIME type (also called a "content-type", not to be confused with a SharePoint Content Type) that describes the nature of the content (e.g. image, text, application, etc.). For compatibility reasons, Internet Explorer has a MIME-sniffing feature that will attempt to determine the content-type for each downloaded resource. In some cases, Internet Explorer reports a MIME type different from the type specified by the web server. For instance, if Internet Explorer finds HTML content in a file delivered with the HTTP response header Content-Type: text/plain, IE determines that the content should be rendered as HTML. Because of the number of legacy servers on the web (e.g. those that serve all files as text/plain), MIME-sniffing is an important compatibility feature.
Unfortunately, MIME-sniffing also can lead to security problems for servers hosting untrusted content. Consider, for instance, the case of a picture-sharing web service which hosts pictures uploaded by anonymous users. An attacker could upload a specially crafted JPEG file that contained script content, and then send a link to the file to unsuspecting victims. When the victims visited the server, the malicious file would be downloaded, the script would be detected, and it would run in the context of the picture-sharing site. This script could then steal the victim's cookies, generate a phony page, etc.
HTTP Header <add name="X-MS-InvokeApp" value="1; RequireReadOnly" />
The "DirectInvoke" feature in Internet Explorer enables applications to register their MIME Types for direct invocation from a URL. When Internet Explorer encounters a file type that it doesn't handle natively, it can use a handler application, rather than downloading the file. Using "DirectInvoke", handler applications have control over how their files are downloaded and enables smart techniques specific to the application's requirements. Microsoft Office maintains a local cache of documents on a user's machine. When a user attempts to download an Office document in Windows Internet Explorer, "DirectInvoke" calls Office using the target URL, rather than downloading the file. Office checks its cache and only downloads the file if it isn't already in the cache. This behavior can provide significant bandwidth savings, especially when handling large, media-rich documents.
When the "web.config" is set to "1;RequireReadOnly", then the server is requesting that a "DirectInvoke" configured application be used and requires that the file opens in read-only mode.
For this environment I removed the two lines and the crawl worked. I need to do some further investigation, but right now this worked perfectly. The security and functionality impact for the "default" zone crawl is, in my mind, negligible; for the external side I would not remove these at all. I will post updates once I have more detail, but for now this has done the trick. More to come :-)
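Because each zone of a SharePoint web application is its own IIS site with its own web.config, removing the two headers from the default zone should leave the external zone still sending them. The following added PowerShell script (mine, not from the post) confirms that from the outside by requesting each zone's URL and reporting whether the two headers are present. The two URLs are placeholders for your default-zone (crawled) and external-zone site addresses; the request uses the current Windows credentials, which is what an internal default-zone site normally expects.

```powershell
# Added example: report which zones still send the two custom headers discussed in the post.
# Assumptions: the URLs are placeholders; -UseDefaultCredentials suits a Windows-authenticated default zone.
$Zones = @{
    Default  = "http://sharepoint.contoso.local"   # placeholder: the zone the crawler uses
    External = "https://extranet.contoso.com"       # placeholder: the internet-facing zone
}
$HeaderNames = "X-Content-Type-Options", "X-MS-InvokeApp"

function Get-ZoneHeaderReport {
    param([string]$Zone, [string]$Url)
    try {
        # -UseBasicParsing avoids the Internet Explorer DOM parser on servers where IE first-run setup has not been done.
        $Resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
    } catch {
        Write-Warning "$Zone ($Url): request failed: $($_.Exception.Message)"
        return
    }
    foreach ($Name in $HeaderNames) {
        $Value = $Resp.Headers[$Name]
        [pscustomobject]@{
            Zone    = $Zone
            Header  = $Name
            Present = [bool]$Value
            Value   = $Value
        }
    }
}

$Zones.GetEnumerator() |
    ForEach-Object { Get-ZoneHeaderReport -Zone $_.Key -Url $_.Value } |
    Sort-Object Zone, Header |
    Format-Table -AutoSize
```

The expected picture after the change in the post is Present = False for both headers on the Default zone and Present = True with the values "nosniff" and "1; RequireReadOnly" on the External zone. If the external zone also shows them missing, the edit landed in the wrong web.config, and the browser-facing protection described above has been lost where it matters.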
Well what a great place to have a SharePoint Conference, Barcelona!! It has been a few years since I have visited now that I live in the US. After flights to the UK, then onto Spain, I arrived very tired but ready to go for it. The Hotel is fantastic, Hotel Rey Juan Carlos, set within great grounds and across the street from the conference center.
The conference has been great so far, with fantastic keynotes and sessions covering all types of content. I did my "Hacking" SharePoint session, the one I thought I would present a few times and then never update or be asked to do again. However, as you may have seen in the news, security and hacking are becoming more important in every facet of our lives, so I keep updating the presentation!! Having presented it lots and lots, I look back and realize it has been different every time. I was excited to present it here. I want to thank those that came and filled my room for the session, and just let you all know that the guy on the webcam woke up :-)
NOTE: Blurred on purpose, it is not your eyes!! You needed to be in the session to see it properly :-)
For those that were not in the session, this is how I started it, explaining that we still don't secure things the way they should be done. Simple things like someone's (no idea whose it is) webcam at home. Accessing this one was as simple as first finding it, then looking up the default username and password for the specific manufacturer and model. In this example it was a FOXCOM FI8910W, for which a quick search in Google pointed me to the credentials I needed.
This for me is the problem, why was the password not added, or username changed. This is really the premise of the session. I often use the analogy of buying "flat-pack" furniture, something you would buy from Ikea for example. We all know that it contains instructions, but we all seem to inherently know how it is supposed to go together though we may have never done it before. So we put the furniture together and find something is not quite right. We seem to do the same with SharePoint installations. It is so easy to set it up incorrectly, but we do it without following guidance just as with building the furniture. The documentation is better now than it has ever been, we need to follow this so that we make our environment as "least privilege" as possible and published securely.
We also need to now think like a potential hacker, testing our platforms whether internal or external. We need to also keep up to speed on cyber-attacks and specifically what Microsoft is doing around this. Simply visit http://www.microsoft.com/security/cybersecurity/#!Overview to see the cybersecurity whitepapers and approaches. Of course you can also visit https://technet.microsoft.com/en-us/security/bulletin to see the latest security bulletins.
All in all hopefully the message that you are getting is to check your SharePoint environment, make sure it is setup, configured and secured correctly. Penetration test your environment to see what you can find. Below are some links to current blog posts, and there is a series I am still working on that will show you how to penetration test your environment as an example of what can be done.
- SharePoint URL Endpoints (Use in Google)
- Is Your SharePoint Secure – Part 1
- Is Your SharePoint Secure – Part 2
- Is Your SharePoint Secure – Part 3
- Is Your SharePoint Secure – Part 4
- Hacking versus Misconfiguration
- Is Your SharePoint Vulnerable?
Last but not least, I quickly demonstrated the use of a tool called Maltego that allows for gathering of information from multiple sources to build a picture of people, devices or content.
NOTE: Blurred on purpose, it is not your eyes!! You needed to be in the session to see it properly :-)
This is a great tool; it requires a bunch of learning, but is very useful for gathering information about details you may find from trawling through SharePoint sites.
As per my final thoughts in the slides, follow these steps:
- Pen test your SharePoint site; there are plenty of tools out there for this
  - Internal: your choice
  - External: no choice
- Ensure the latest patches
  - My personal rule: be two CUs behind, unless you need the CU for a bug fix
- Users will find a way of getting into content, just as they did with file shares
- Hackers will always try to circumvent security
- Learn how to hack!! Just kidding
  - At least learn how to protect against the hack
- Make security a top priority
- Learn how to publish SharePoint correctly and securely
The pen testing series will continue soon, look for a new post soon :-)
The European SharePoint Conference is less than three weeks away and I'm delighted to be part of such an exceptional line-up. The conference will take place in Barcelona, Spain from the 5th to the 8th of May 2014 and is Europe's largest SharePoint event, bringing you great sessions and the latest innovations from Vegas.
Browse through the superb conference programme including 110 sessions, keynotes, and tutorials, covering the latest news from SPC14 including what's new with SharePoint 2013 SP1 - Office Graph/Oslo - new Office 365 REST APIs - Access Apps - Cloud Business Apps.
I will be conducting a session on "Think You Can Hack SharePoint?" aimed at IT Professionals.
"Think You Can Hack SharePoint?"
"What is a hacker? In the dictionary a hacker is defined as a computer user who attempts to gain unauthorized access to proprietary computer systems. We all know that in reality a hacker is someone who tries to gain access to anything that they do not have access to: file shares, websites, wifi or even your blog site. SharePoint is such a large platform, with so many entry points, that we need to minimize the attack surface. In this session we will look at what it would take to "hack" SharePoint, but more importantly how to protect and secure the content and the site entry points to stop those pesky hackers getting in."
The European SharePoint Conference will be run over four days and, with over 1000 SharePoint attendees already signed up, don't miss this fantastic opportunity to mingle with the European SharePoint Community.
If you want to deepen your SharePoint expertise, to understand the trend of the SharePoint market, and to learn how to leverage Microsoft Office 365 for your business, including the revolutionary Enterprise Social wave, the European SharePoint Conference is the best place to be in 2014!
Prices start from €1150! There are also special group discounts for bookings of 3 or more people.
Book now and I'll see you in Barcelona in May.
Well what a great year so far. I took two months out of travelling during January and February, a promise I made to my wife. It was great, just normal work and just being at home with family, a great change from zipping around on flights all the time.
Now things are back to normal, with the SharePoint Conference under my belt, where I presented two sessions: one on Data Security and Compliance in SharePoint (http://channel9.msdn.com/Events/SharePoint-Conference/2014/SPC344) and one on Multi-Factor Authentication for SharePoint Online and On-Premise (http://channel9.msdn.com/Events/SharePoint-Conference/2014/SPC384). It was a great conference, and I really enjoyed presenting again. I hope that those that attended enjoyed the sessions too.
Exciting times today to find I have been renewed as a SharePoint MVP for the 8th year running, which is an amazing feeling: to be recognized by you as the community and of course by Microsoft. I wish to say congratulations to all those who got renewed and to those new MVPs who have joined the club today, you deserve it.
So what is next, well conference season is well and truly underway and you can find me at the following over the next few months (only want to worry about that far for now).
- SharePoint Saturday Twin Cities, Minneapolis, April 5th, 2014
- SPS Gulf, Online, April 12th, 2014
- SP24, Online, April 17th, 2014
- SPTechCon San Francisco, April 22 – 25th, 2014
- European SharePoint Conference, Barcelona, May 5 – 8th, 2014
- Secure 360, Minneapolis, May 12 – 14th, 2014
- SharePoint Conference.ORG, Reston, May 18 – 20th, 2014
- SharePoint Fest New York City, June 2 – 4th, 2014
There are others throughout the year, but if I try to focus on all of them it becomes a little bit overwhelming :-)
So it would be great to meet you all at a conference or SharePoint Saturday somewhere; if you are there, come and say hello. I know the topics I tend to cover are not the most exciting. Things like hacking, security, pen testing, authentication and authorization are not everyone's favorite things to talk about, but hey, come and join me and hopefully it will be more exciting than you think.
On a personal note, my parents are coming to America for the first time ever, so this is going to be fantastic. Some other members of my family are visiting too (not all of them, I do have 7 brothers and 5 sisters after all), and then I am excited about taking the kids to Disney World, Orlando at the end of the year. This year is going to be great.
Hope your year is working out like mine is so far :-)
So I updated my clean Development Virtual Machine yesterday evening to Service Pack 1 and what happened you wonder?
Well firstly it took ages!! What did you expect? It updated fine and upon checking the upgrade status it was clean, checking the database upgrade status tells me that I have to upgrade:
I won't bore you with how long it took to complete but it did either way. So after launching Central Administration what did I see?
A nice little message saying that I can now get "Yammer" and "OneDrive for Business" from Office 365. Really? No shocker there but what does this mean?
Well, upon clicking the "Yammer" link I am taken to the following screen.
I wonder what will happen when I click "Activate Yammer?"
And then the screen before is changed to this.
So there we have it, I have now activated "Yammer", but have no idea what it just did. So if I go back and click the "OneDrive" link I get taken to the following page.
Interesting, so we will come back to this as it needs configuration.
Back to the "Yammer" thing. I launch my normal Site Collection and start to look for "Yammer" integration. What do I find? A link at the top of my site collection that looks like this.
When I click this link it takes me to the "My Site Host", and launches a new page "_layouts/15/Yammer.aspx". And presents me with the following screen.
Clicking the link "Take me to Yammer" takes me to the cloud, where I can log in to my Yammer network, at which point it remembers the network that I went to, and the next time I click the "Yammer" link it takes me back to that place. You can at any point disable that feature again by going back to "Central Administration" and looking under the "Office 365" category. Interesting bug: when you click the highlighted links below, they go nowhere :-)
It returns the following.
The URL does not exist. It does exist in the template for "Central Administration" but does not load.
So REMEMBER to run the full upgrade through, and update the databases by running the "PSCONFIG" commands. Do not skip any step otherwise it won't work. When it does it just goes to this page.
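To take the guesswork out of "is the upgrade actually complete", here is an added PowerShell snippet (mine, not from the post) that does the database upgrade status check from the SharePoint 2013 Management Shell and, only if something is still pending, runs the same PSConfig upgrade the Products Configuration Wizard performs. It assumes you are a farm administrator on a server in the farm and that PSConfig.exe is in its standard 15\BIN location.

```powershell
# Added example: check which farm databases still need the post-SP1 schema upgrade, then run PSConfig if any do.
# Assumptions: run as a farm administrator; PSConfig.exe is under the standard 15 hive BIN folder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Get-SPDatabase covers the configuration, content and service application databases;
# NeedsUpgrade is what the "Review database status" page in Central Administration reports.
$Pending = Get-SPDatabase | Where-Object { $_.NeedsUpgrade }

if (-not $Pending) {
    Write-Host "All farm databases are at the current schema version; nothing to upgrade."
    return
}

Write-Host "Databases still requiring upgrade:"
$Pending | Select-Object Name, Type, NeedsUpgrade | Format-Table -AutoSize

# Same steps PSConfigUI runs, without the dialogs. -wait keeps the run in the foreground so $LASTEXITCODE is meaningful.
$PSConfig = Join-Path $env:CommonProgramFiles "microsoft shared\Web Server Extensions\15\BIN\PSConfig.exe"
& $PSConfig -cmd upgrade -inplace b2b -wait `
    -cmd applicationcontent -install `
    -cmd installfeatures `
    -cmd secureresources `
    -cmd services -install

if ($LASTEXITCODE -ne 0) {
    throw "PSConfig exited with code $LASTEXITCODE; review the PSCDiagnostics log in the 15\LOGS folder before retrying."
}

# Re-check so the script ends with a definitive answer rather than assuming success.
$StillPending = Get-SPDatabase | Where-Object { $_.NeedsUpgrade }
if ($StillPending) {
    Write-Warning "Upgrade finished but these databases still report NeedsUpgrade: $($StillPending.Name -join ', ')"
} else {
    Write-Host "Upgrade complete; all databases report NeedsUpgrade = False."
}
```

Run it on every server in the farm in turn; the Office 365 configuration pages only load once the farm reports no databases needing upgrade, which is the step I skipped the first time round.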
Such a big page for so few options. The configuration is really that, you don't get anything else. Even though it is limited it is at least a start.
Deactivating the feature removes the top navigation link and puts SharePoint 2013 back to normal.
So really the enhancements made for "Yammer" are minimal; even reflecting the SharePoint DLLs and searching for "Yammer" reveals nothing new.
Outside of the "Yammer" thing and "Office 365" profiles, the big one for me is the ability to run SharePoint Server 2013 on Windows Server 2012 R2 now. Of course the note here is that you need to use the "slipstreamed" ISO image that contains the base application, updated with Service Pack 1.
Be warned, if you are trying to create your own "slipstreamed" SP1 media it may not work, download the newly created media.
Read this notice and warning: http://blogs.technet.com/b/stefan_gossner/archive/2014/02/28/sharepoint-2013-with-sp1-quot-slipstream-quot-is-now-available-for-download.aspx
So this month has been a busy one, not so much community efforts this month, more work, as I made a promise to my family that I would not travel in January and February. Yes, it has been hard; I almost suffered withdrawal symptoms from not seeing the SharePoint regulars. I think that is just to do with me not seeing Christina Buckley for a couple of months!! Not sure if that is good or bad yet :-)
Anyway, this past month has seen me focus my energy on the most amazing piece of kit ever, my Raspberry Pi. I have been running it for a while as a Kali Linux hacker box, but wanted something I could take with me on the road and use for general internet use. Those that know me will know that I am always paranoid about anything and am a great advocate for using VPNs and proxies to mask my traffic. I don't have anything to hide; however, I also believe in being able to do whatever I wish (nothing illegal) without it being censored to the point I cannot do anything. I go to work for that :-)
So this past week or so I finally built my Raspberry Pi Tor box. This runs Raspbian and is configured for the following:
- Secure Linux Box
- Ethernet Wired
- Wireless Access Point Enabled
- DHCP Enabled
- Tor Enabled
This means that while traveling I plug it directly into the hotel's Ethernet, which becomes its public IP address, connect to the wireless access point that is enabled on it, and then surf the internet through the Tor proxy network. This allows me to either surf anonymously with whatever IP address it gets for me, or I can set it to a specific country and it will connect to the Tor nodes there, so watching UK TV became a little easier all of a sudden. Of course it is not super-fast, but it works really well; I have been using it from my iPad, iPhone and Surface for the past week or so and it has been great. To make my paranoia more real I am using a 643 character WPA key to get onto it :-)
I also have a second one that is still running as my Kali Linux hacker box, which works great when connected to the other Tor proxy I have. These are great pieces of kit; I highly recommend getting one. A blog post will come later about the parts and configuration I used for my Tor proxy.
While playing with the Raspberry Pi, I also felt that this year I needed to step it up a notch on my fitness programs. Last year I completed Insanity and T25, as well as my regular running. This year I wanted to be slightly healthier by finding more ways to be active at work. So after some research I decided to see if I could actually work (when at home) while walking on the treadmill. To begin with it was a bit awkward; I made tons of spelling mistakes while typing (writing this while walking on it). At least spell check works really well in Word 2013 :-)
After my successful test of using an old shelf laid across the arms of the treadmill I built my own desk that simply slots over the arms and stays there whether I walk or run.
This has meant that while working at home I literally walk or run all day while working, hitting between 12 and 15 miles a day, versus the nothing I was getting when sitting at my desk at work or in my office at home. I highly recommend it to you as an easier way to stay in shape.
Shortly after getting this sorted out and really setting my goals, such as 10K training etc., a challenge appeared on the horizon, which came off the back of that magical device the Fitbit, which a lot of the SharePoint community use. A friend and sore loser, Virgil Carroll, set up a challenge from the 1st of February to the end of the month, with us all donating money to the winner's charity. This has been great so far, with over 50 people from all over the world having joined in, some racking up a few steps, miles and active minutes while others steam ahead and destroy everyone. Did I mention I have been winning (for now)? However, I think Marcy Kellar is going to kill me soon, and Virgil is the current master of the Active Minutes:
Either way this is a fantastic way of being motivated by your peers and also having some good old fashion smack talk to inspire everyone.
Now my month would not be complete without the stress of putting together two sessions for SPC14. I am presenting on Data Security and Compliance and then Multi-factor Authentication for SharePoint On-Premise and SharePoint Online. These will be fun sessions talking about the subject that really no-one talks about; however, with the latest hacks that have taken place, now we are willing and able to chat about them. Should be some fun sessions, hopefully you come and see me present :-)
All in all this year, 2014, has been great. Outside of all of this, being at home for over a month has been great. Spending time with my kids and wife comes first over the SharePoint pieces of my life; sorry to the SharePoint world, but in the pecking order you lose out. However, from March onwards I will be at the following conferences, as well as a couple of SharePoint Saturdays where I can fit them in.
- SharePoint Conference 2014, March
- SPTechCon San Francisco, April
- European SharePoint Conference, Barcelona, May
- TechEd North America, Houston, May
- Secure 360, Minneapolis, May
- SharePoint Conference.ORG, Reston, May
- SharePoint Fest New York City, June
There are a few more after that, but I can only focus on a few at one time :-)
Anyway hope to see you around the community in the next month.