Sunday, June 23, 2013

SharePoint Server 2013, Active Directory Groups and the access denied problem caused by token lifetime.

A while ago we ran into some issues when using Active Directory groups with SharePoint Server 2013. We added users to Active Directory groups which were in turn added to SharePoint groups, but the users who were granted access this way still got "access denied". After some investigation we found the cause.

In SharePoint 2013 all authentication is handled through claims, which are managed by the Security Token Service (STS). The STS is responsible for issuing security tokens to users. A user who has logged on to SharePoint is authenticated and granted a token that contains his group membership. These tokens have a certain lifetime and are not refreshed until they expire. The property which controls this is the WindowsTokenLifetime property; according to the documentation it is normally set to 1380 minutes, or 23 hours (see Set-SPSecurityTokenServiceConfig for more details). On one of my SharePoint 2013 farms it seemed to be 10 hours.

Therefore users who had already logged on to the SharePoint Server did not get the required tokens for their new AD group membership until the token expired. You can however change the token expiration in the following way:

# Get the farm-wide Security Token Service configuration object
$sts = Get-SPSecurityTokenServiceConfig
# How long a Windows (AD) token stays valid before the STS issues a new one
$sts.WindowsTokenLifetime = (New-TimeSpan -Minutes 15)
# How long before expiry a cached logon token is treated as stale
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 15)
# Persist the change to the configuration database
$sts.Update()

Changing the WindowsTokenLifetime will probably have a performance impact, since there will be many more requests going from the STS to your Active Directory domain controllers. I haven’t found clear guidance or best practices about this, so feel free to leave a comment.
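The same change wrapped in a small script, as an added example that is not part of the original post: it reports the current STS lifetimes before touching anything, and uses the Set-SPSecurityTokenServiceConfig cmdlet mentioned above instead of assigning the properties directly. The guard that the cache expiration window must be shorter than the token lifetime is this example's own sanity rule (the window is the period before expiry at which a cached token is considered stale, so a window as long as the lifetime makes little sense); the snap-in load and the farm administrator session are assumptions.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2013
# PowerShell snap-in is available and the session runs as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Report the lifetimes the STS is currently using, so the change is auditable.
function Get-StsTokenLifetimes {
    $sts = Get-SPSecurityTokenServiceConfig
    [pscustomobject]@{
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        FormsTokenLifetime              = $sts.FormsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
    }
}

# Shorten the Windows token lifetime so AD group changes (additions and,
# just as importantly, removals) take effect sooner. Both values in minutes.
function Set-StsWindowsTokenLifetime {
    param(
        [Parameter(Mandatory)][int]$LifetimeMinutes,
        [Parameter(Mandatory)][int]$CacheWindowMinutes
    )
    # Example's own sanity rule: the cache window must be shorter than the lifetime.
    if ($CacheWindowMinutes -ge $LifetimeMinutes) {
        throw "LogonTokenCacheExpirationWindow ($CacheWindowMinutes min) must be shorter than WindowsTokenLifetime ($LifetimeMinutes min)."
    }

    Write-Host "Before:"; Get-StsTokenLifetimes | Format-List

    Set-SPSecurityTokenServiceConfig `
        -WindowsTokenLifetime            (New-TimeSpan -Minutes $LifetimeMinutes) `
        -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes $CacheWindowMinutes)

    Write-Host "After:"; Get-StsTokenLifetimes | Format-List
}

# Usage: a 15 minute token with a 5 minute refresh window.
Set-StsWindowsTokenLifetime -LifetimeMinutes 15 -CacheWindowMinutes 5
```

Keep the "before" output with your change record: the lifetime also bounds how long a user who has been removed from an AD group keeps the access the old token still carries, so it is worth knowing what value the farm was running on.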

Tuesday, June 11, 2013

Quick tip - copying files from your host to Hyper-V guest

I have been working with VMware for quite a while but recently switched to Hyper-V on my Windows 8 portable. One thing I’m still struggling with is the ability to easily copy files from my host OS (Windows 8) to my guest OS running in Hyper-V. Currently I’m using Folder2Iso to quickly create ISO files which I then mount in my Hyper-V environment. If anyone knows of a better way of doing this, please leave a comment.

SharePoint Service Applications: SharePoint 2013 versus 2010

| Service application | Description | SPS 2010 Std | SPS 2010 Ent | SPS 2013 Std | SPS 2013 Ent |
|---|---|---|---|---|---|
| Access Services | Lets users view, edit and interact with Access 2010 databases which are published to SharePoint in a web browser | | X | | X |
| App Management service | Provides administrators the ability to manage new SharePoint apps. Apps can be purchased from an external vendor or developed internally. It checks user access permissions and licensing for app usage. | | | X | X |
| Application Discovery and Load Balancer service | A.k.a. Topology web service. SharePoint has a built-in basic load balancer that provides administrators with fault-tolerant, out-of-the-box SharePoint service applications. See SharePoint 2010 Service Application Load Balancer for more details. | X | X | X | X |
| Business Data Connectivity service | Gives access to line-of-business data systems. Also check out the Business Connectivity Services code samples for SharePoint 2013. | X | X | X | X |
| Excel Services Application | Lets users view and interact with Excel files in a web browser | | X | | X |
| Machine Translation service | Provides automatic translation of sites and files (see Machine Translation Services in SharePoint 2013 for more details) | | | X | X |
| Managed Metadata service | Manages taxonomy hierarchies, keywords and social tagging infrastructure, and publishes content types across site collections | X | X | X | X |
| Office Web Apps Service | Office Web Apps is now a separate product, rather than a SharePoint Service Application. See Use Office Web Apps with SharePoint Server 2013 for more details. | | | | |
| PerformancePoint Service Application | Lets users create dashboards and balanced scorecards | | X | | X |
| PowerPoint Automation service | Performs automated bulk PowerPoint conversions to other formats (pptx, pdf, xps, jpg, png) (see PowerPoint Automation Services in SharePoint 2013 for more details) | | | X | X |
| Search service | Crawls content, produces index partitions and serves search queries | X | X | X | X |
| Secure Store service | Provides single sign-on authentication to access multiple applications or services | X | X | X | X |
| State service | Provides temporary storage of user session data for SharePoint Server components | X | X | X | X |
| Usage and Health Data Collection service | Collects farm-wide usage and health data and provides the ability to view various usage and health reports | X | X | X | X |
| User Profile service | Adds support for My Site sites, profile pages, social tagging and other social computing features | X | X | X | X |
| Visio Graphics service | Lets users view and refresh published Visio diagrams in a web browser | | X | | X |
| Web Analytics service | Collects, reports, and analyzes the usage of SharePoint Server sites. The functionality of the Web Analytics service has been incorporated into the Search service in 2013. | X | X | | |
| Work Management service | Enables users to synchronize and aggregate tasks between different Microsoft products such as Exchange, SharePoint and Project Server. See Configure Exchange task synchronization in SharePoint Server 2013 for practical details, or the My Tasks aggregation in SharePoint Server and Exchange Task integration white paper. | | | X | X |
| Word Automation service | Performs automated bulk document conversions. | X | X | X | X |
| Subscription Settings Service | Provides multi-tenant functionality for service applications. Tracks subscription IDs and settings for services that are deployed in partitioned mode. Deployed through PowerShell only. | X | X | X | X |

For more information about the SharePoint 2013 service applications, check out the Services in SharePoint Server 2013 Visio diagram on Technical diagrams for SharePoint 2013 (TechNet).
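Two of the rows above have a practical side: the table is a snapshot of which service applications exist, and the Subscription Settings Service row notes that it can only be deployed through PowerShell. The script below, an added example that is not from the original post, inventories the service applications actually provisioned in a farm so you can compare them with the table, and then deploys the Subscription Settings Service Application the way the last row describes. The pool name, managed account and database name are placeholders to replace, and the wildcard used to find the service instance is an assumption.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2013
# PowerShell snap-in and a farm administrator session. The pool, account and
# database names are placeholders for this example.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# List every provisioned service application with its type and status, so the
# farm can be compared against the table above.
function Get-FarmServiceApplicationInventory {
    Get-SPServiceApplication |
        Select-Object DisplayName, TypeName, Status |
        Sort-Object TypeName
}

# Subscription Settings has no Central Administration page; this is the
# PowerShell-only deployment the table refers to. Idempotent for the pool.
function New-SubscriptionSettingsServiceApp {
    param(
        [string]$PoolName     = 'SubscriptionSettingsAppPool',   # placeholder
        [string]$AccountName  = 'CONTOSO\sp_services',           # placeholder
        [string]$DatabaseName = 'SP2013_SubscriptionSettings'    # placeholder
    )

    # Run the service application under a dedicated managed (least-privilege) account.
    $account = Get-SPManagedAccount -Identity $AccountName
    $pool = Get-SPServiceApplicationPool -Identity $PoolName -ErrorAction SilentlyContinue
    if (-not $pool) {
        $pool = New-SPServiceApplicationPool -Name $PoolName -Account $account
    }

    $app = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $pool `
               -Name 'Subscription Settings Service Application' `
               -DatabaseName $DatabaseName
    New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $app | Out-Null

    # The service instance must also be started on at least one server.
    # The wildcard match on the instance type name is an assumption of this example.
    Get-SPServiceInstance |
        Where-Object { $_.TypeName -like '*Subscription Settings*' -and $_.Status -ne 'Online' } |
        Start-SPServiceInstance | Out-Null

    $app
}

# Usage: show what is already there, then deploy.
Get-FarmServiceApplicationInventory | Format-Table -AutoSize
New-SubscriptionSettingsServiceApp
```

Run the inventory first on an existing farm: the Subscription Settings Service Application is also required by the App Management service listed above, so it is often already present even when nobody remembers creating it.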