Month: October 2014

Cookies – IE – ADFS – MSIS7001

Recently we had some strange issues with an ADFS login. Everything worked, but it didn’t. On some sites we got the following error:

“MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request”

One of my colleagues pointed out that all sites with the error contained the underscore (“_”) character, so we started digging into this and found out indeed IE has some issues with the underscore chars in the URL. More accurately the way IE is designed, makes it incapable of creating cookies, if the URL contains an underscore in the domain name.
We found this QandA on Internet Explorer and cookies:
http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx

Snowballing further from that link leads to the following KB:
https://support.microsoft.com/kb/316112/

“Security patch MS01-055 prevents servers with improper name syntax from setting cookies names. Domains that use cookies must use only alphanumeric characters (“-” or “.”) in the domain name and the server name. Internet Explorer blocks cookies from a server if the server name contains other characters, such as an underscore character (“_”).
Because ASP session state and session variables rely on cookies to function, ASP cannot maintain session state between requests if cookies cannot be set on the client.
This issue can also be caused by an incorrect name syntax in a host header.”

Basically the above security patch is implemented as part of Internet Explorer and the way it handles domain names and cookies.
So far this has been tested on the following versions of of Internet Explorer; IE8, IE9, IE10 and IE11.
This is not a problem for Chrome or Firefox – I have not tested with other browsers or versions.

Advertisements

Adding Users/Groups – SharePoint – Powershell

A few times I’ve had to add users to specific SharePoint groups using powershell. I made the below script, which splits up each of the processes in the user creation and permission handling into transparent chunks. That way it’s easier to take what you need 🙂
The below users are external identity provider users, based on UPN. There is a domain users group being added also. The rest of the code should be self explanatory.

#Defines the site to work with
$URL= 'https://intranet.contoso.com/HR' 

#Gets the required web and site objects to work with
$Site= Get-SPSite $URL
$Web=$Site.RootWeb

#Creating Users
$JD=get-spweb $url | New-SPUser -UserAlias 'i:0e.t|Azure ACS|John.Doe@live.com'
$ON=get-spweb $url | New-SPUser -UserAlias 'i:0e.t|Azure ACS|Ola.Nordmann@live.com'
$AA=get-spweb $url | New-SPUser -UserAlias 'i:0e.t|Azure ACS|Anders.Andersen@gmail.com'
$MS=get-spweb $url | New-SPUser -UserAlias 'i:0e.t|Azure ACS|Medel.Svensson@contoso.com'

#Creating Groups
$DUContoso=get-spweb $url | New-SPUser -UserAlias 'c:0-.t|Azure ACS|Contoso\Domain Users'

#Get site default groups (using just "$web.Sitegroups" will show all of them.)
$HROwn=$web.SiteGroups["HR Owners"]
$HRMem=$web.SiteGroups["HR Members"]
$HRVis=$web.SiteGroups["HR Visitors"]

#Adding Users to groups
#Owners
$HROwn.AddUser($AA)
$HROwn.AddUser($MS)

#Members
$HRMem.AddUser($ON)

#Visitors
$HRVis.AddUser($DUContoso)

SharePoint Infrastructure Review

To aid others in correcting their SharePoint farm and to make the right choices, or simply to review their farm compared to standards, i’ve shared some of the most frequent issues / misconfigurations / things to consider whenever implementing a SharePoint farm.

This document contains the most frequent sources of issues in regards of a SharePoint infrastructure.
Each consequence of observation has been explained and recommended action stated, furthermore the type of observation has been set. The type classification is based on the authors experience and knowledge and should be challenged were project requirements state differently.
This infrastructure review is focused on SharePoint, IIS, SQL and partly Windows Server. This review does not include or only very limited to Hardware, NLB or network.

I expect to update the document when new items appear.
SharePoint Infrastructure Review (located on Google drive)