SharePoint 2013

How to configure Outgoing email in SharePoint with O365 – SMTP relay

How to configure Outgoing email in SharePoint with O365, SMTP relay.
You might have moved all your mail accounts to O365, but you still have that on-premises SharePoint server, that needs to send alerts or has some similar message functionality. Previously you had an Exchange server and used that as relay. Now you need to use O365, so how do you do that? Lets have a look at the prerequisites first and then I’ll show you how to put it all together to send messages, both internally and externally if required.

– Service account in O365 with a mailbox; Used for authenticating SMTP request towards O365.
– Local SMTP server; Used for anonymous access to SharePoint SMTP.
– DNS record; Used as SMTP relay address internally.
– External IP address of local SMTP server; Used for SPF record registration.
– SPF record of mail domain; Used to validate the local SMTP server against public mail exchangers.
– Certificate that covers SMTP relay DNS address; This is used to provide required TLS encryption.
– Internal IP of SharePoint server(s); Used to allow the relay through local SMTP server.

SPF record
First thing to do is update your SPF record for your domain. This is done on your mail domains DNS settings and should be a text file.

SPF v=spf1 ip4: ~all

Install the matching certificate in the Personal store on the server.

If you do not have a local SMTP server already, you can install one using Roles and Features from within Windows Server.
To enable logging on the SMTP server, open IIS 6.0 Manager, expand your server and right click Properties. On the General tab; Check “Enable logging” and click Properties. Change log file directory to something different than your system drive.
On the Advanced Tab; Check the following Extended logging options:
Date (date), Time (time), Client IP Address (c-ip), Server Name (s-computername), Server IP Address (s-ip), Server Port (s-port), URI Query (cs-uri-query), Protocol Status (sc-status) and Protocol Substatus (sc-substatus).

Note: Take into consideration where you place the respective SMTP server folders. It is strongly recommended that you place them on a drive separate from the system drive.

IIS Configuration
Open IIS 6.0 Manager (which will be used to manage your SMTP server), expand your server and right click Properties on your SMTP Virtual Server.
On the access tab; under Secure communication it should state: “A TLS certificate is found with expiration date: “.
Click Authentication and verify that Anonymous access is enabled.
Click Relay, and select “Only the list below” and add the internal IP address of your SharePoint server(s). Leave the “Allow all computers which successfully authenticate to relay….” checked (this means that, all computers within the same domain may use this as a relay. IF you have infected machines, you want to disable this, or remove the infection).
Under the delivery tab; Click Outbound Security.
Check Basic authentication and type in your O365 service account information.
For example:

User name:
Password: Ninja1234

Make sure TLS encryption is Checked and click Ok.
Click Outbound connections and change TCP port to 587 and click Ok.
Click Advanced, and type in the local DNS address of your internal relay and type in the SMART host and click Ok.

O365 Configuration
Login to and navigate to Administration and Exchange.
In Office 365, click Admin, and then click Exchange to go to the Exchange Admin Center.
In the Exchange Admin Center, click Mail Flow, and click Connectors.
To add a new connector, click the + symbol and select From: “Your organization’s email server”, To: “Office 365” and click Next.
Choose the option “By verifying that the IP address of the sending server matches one of these IP addresses that belong to your organization”, and add the External IP address.
Leave all the other fields at their default values, and select Save.

SharePoint Configuration
Open Central Administation and click System Settings.
Click Configure outgoing e-mail settings.
Use the DNS name of your internal SMTP server as Outbound SMTP server and the From address should match that of your service account.

Testing & Troubleshooting
On your local SMTP server, create a file, called email.txt with the following content:

SUBJECT: Test email
This is a test email sent from my SMTP server

Copy this file into the Pickup folder of your SMTP server. The server will process this and move it to the Queue folder and process it for delivery to O365.
If you do not receive an email at your personal email address within 5 minutes, something is wrong. Here is how to check.
Go to your log file directory, configured previously and have a look at the error codes provided there.
If they are “queued for delivery”, you move to the Office365 Portal and use the mailflow function and search for your mails. There they will be listed with a status indicating their state. The details of the Office365 mailflow log are comprehensive.

From SharePoint

$email = ""
$subject = "Test subject"
$body = "Test body"
$site = New-Object Microsoft.SharePoint.SPSite "http://sharepoint"
$web = $site.OpenWeb()
// A True or False will confirm the message has been sent or not


Workflow Manager – Scripted Installation

Allrighty, I was sick and tired of NOT being able to install my Workflow Manager without the Web-platform Installer installation. Secondly I was tired of not being able to install Workflow Manager using my loved one, Powershell. So I called upon my good friend Mads Hjort Larsen and we started to work on it.
The script below will make use of offline msi files for the installation. So make sure you grab those before you run the script. They should be located in the same folder as the script before you run it.

The script

Set-Location (Split-Path -Parent -Path $MyInvocation.MyCommand.Definition)

#region Variables
$SQLserver = '<SQL SERVER>' # Name of the database server.
$DBprefix = '<Database Pre-fix>' # All databases will be prefixed with this string.

$SBRunAsAccount = '<Service Bus service account>' # The account under which the service runs. This account must be a domain account.
$SBRunAsPasswordString = '<Service Bus service Account passwprd>' # Password for RunAs account (in cleartext).
$SBAdminGroup = '<Service Bus Administrator group>' # The admin group for Service Bus. (Default "BUILTIN\Administrators")
$SBCertificateAutoGenerationKey = '<Certificate passphrase>' # This passphrase is required for certificate auto generation. This parameter is mandatory if you want certificates to be auto generated.
$TcpPort = <Service Bus port> # The port that the Service Bus for Windows Server uses for TCP. (Default 9354) 
$MessageBrokerPort = <Message Broker port> 9356 # The port that the Service Bus for Windows Server uses for MessageBroker communication. (Default 9356)
$InternalPortRangeStart = <Port Range> # The start of the port range that Service Bus for Windows Server uses for internal communication purposes. (Default 9000) 

$WFRunAsAccount = '<Service Bus service account>' # The account under which the service will be running. This account must be a domain account.
$WFRunAsPasswordString = '<Service Bus service account password>' # Password for RunAs account (in cleartext).
$WFAdminGroup = '<Service Bus Administrator group>' # The set of users who are considered workflow administrators. (Default BUILTIN\Administrators)
$WFCertificateAutoGenerationKey = '<Certificate Passphrase>' # This passphrase is required for certificate auto generation. This is a mandatory parameter if you want certificates to be auto generated.
$HttpsPort = <Workflow HTTPS Port> # The port that will be used by the workflow for HTTPS communication. (Default 12290)
$HttpPort = <Workflow HTTP Port> # The port that will be used by the workflow for HTTP communication. (Default 12291)

$SBNamespace = '<Service Bus Namespace>' # Specifies the name for the new Service Bus for Windows Server service namespace.
$AddressingScheme = 'Path' # Specifies the addressing scheme used in the service namespace. The possible values for this parameter are Path (default value) and DNSRegistered. If the value DNSRegistered is specified, the -DnsEntry parameter is required.
$ManageUsers = '<Workflow Namespace Administrator01>','<Workflow Namespace Administrator02>' # Specifies user or group names that will be managers of the service namespace.

$WF  = "WindowsFabric.msi"
$SB  = "Service_Bus.msi"
$WMC = "WorkflowManagerClient_x64.msi"
$WM  = "Workflow_Manager.msi"

## Can't touch this... or anything below this line ;P

$Sleep = 90 # Sleep duration is set to 90 seconds because that what all the cool kids online are doing.

    "IACCEPTEULA=yes" is required for quiet install of Windows Fabric, 
    "WEBPI=1" is required for installation of Service Bus and Workflow Manager outside of the Web Platform Installer, 
    "/QUIET" = Quiet mode, no user interaction, 
    "/NORESTART" = Do not restart after the installation is complete.

$fileNotFound = $null

$files = $WF,$SB,$WMC,$WM
foreach ($file in $files) {
    if (Test-Path -Path $file){
        Write-Host "✓ $file" -ForegroundColor Green
    }else{Write-Host "X $file" -ForegroundColor Red;$fileNotFound = $true}
}if ($fileNotFound -eq $true){Exit}
foreach ($file in $files) {
    Write-Host "Installing $file... " -NoNewline
    Start-Process $file -ArgumentList $ArgumentList -Wait
    Write-Host "Done"

[Environment]::SetEnvironmentVariable("PSModulePath", [Environment]::GetEnvironmentVariable("PSModulePath","Machine"))
Import-Module WorkflowManager

#region StringBuilding
# The strings are created like this to make it easier to put them on different SQL servers
function BuildString ($type, $dbName, $SQLserver) {
    New-Variable -Name $type'DBConnectionStringDataSource' -Value $SQLserver
    New-Variable -Name $type'DBConnectionStringInitialCatalog' -Value $DBprefix$dbName
    New-Variable -Name $type'DBConnectionString' -Scope Script -Value ("Data Source="+(Get-Variable -Name $type'DBConnectionStringDataSource' -ValueOnly)+";Initial Catalog="+(Get-Variable -Name $type'DBConnectionStringInitialCatalog' -ValueOnly)+";Integrated Security=True;Encrypt=False") -Force

# Example ConnectionString: Data Source=SQL01;Initial Catalog=Udv_service_SBManagement;Integrated Security=True;Encrypt=False
BuildString SBFarm SBManagement $SQLserver
BuildString GateWay SBGateway $SQLserver
BuildString MessageContainer SBMessageContainer $SQLserver
BuildString WFFarm WFManagement $SQLserver
BuildString Instance WFInstanceManagement $SQLserver
BuildString Resource WFResourceManagement $SQLserver

$SBCertificateAutoGenerationKey = ConvertTo-SecureString -AsPlainText -Force -String $SBCertificateAutoGenerationKey -Verbose
New-SBFarm -SBFarmDBConnectionString $SBFarmDBConnectionString -InternalPortRangeStart $InternalPortRangeStart -TcpPort $TcpPort -MessageBrokerPort $MessageBrokerPort -RunAsAccount $SBRunAsAccount -AdminGroup $SBAdminGroup -GatewayDBConnectionString $GatewayDBConnectionString -CertificateAutoGenerationKey $SBCertificateAutoGenerationKey -MessageContainerDBConnectionString $MessageContainerDBConnectionString -Verbose
New-WFFarm -WFFarmDBConnectionString $WFFarmDBConnectionString -RunAsAccount $WFRunAsAccount -AdminGroup $WFAdminGroup -HttpsPort $HttpsPort -HttpPort $HttpPort -InstanceDBConnectionString $InstanceDBConnectionString -ResourceDBConnectionString $ResourceDBConnectionString -CertificateAutoGenerationKey $SBCertificateAutoGenerationKey -Verbose

$SBRunAsPassword = ConvertTo-SecureString -AsPlainText -Force -String $SBRunAsPasswordString -Verbose
Add-SBHost -SBFarmDBConnectionString $SBFarmDBConnectionString -RunAsPassword $SBRunAsPassword -EnableFirewallRules $true -CertificateAutoGenerationKey $SBCertificateAutoGenerationKey -Verbose

Try {
    New-SBNamespace -Name $SBNamespace -AddressingScheme $AddressingScheme -ManageUsers $ManageUsers -Verbose
    for ($i=$Sleep; $i -gt 1; $i--) {
        Write-Progress -Activity "Creating new SB Namespace" -Status "Sleeping" -SecondsRemaining $i
        Start-Sleep 1
Catch [system.InvalidOperationException]{}

$SBClientConfiguration = Get-SBClientConfiguration -Namespaces $SBNamespace -Verbose
$WFRunAsPassword = ConvertTo-SecureString -AsPlainText -Force -String $WFRunAsPasswordString -Verbose
Add-WFHost -WFFarmDBConnectionString $WFFarmDBConnectionString -RunAsPassword $WFRunAsPassword -EnableFirewallRules $true -SBClientConfiguration $SBClientConfiguration -CertificateAutoGenerationKey (ConvertTo-SecureString $WFCertificateAutoGenerationKey -AsPlainText -Force) -Verbose

(The script is currently using a self-signed certificate.)

How to get MSI files
WebPICMD.exe /offline /products:”WindowsFabric,ServiceBus_1_1,WorkflowManager” /Path:c:\temp\

WebPICMD.exe /offline /products:WindowsFabric /Path:c:\temp\

WebPICMD.exe /offline /Products:ServiceBus_1_1 /Path:c:\temp\

WebPICMD.exe /offline /Products:WorkflowManager /Path:c:\temp\

WebPICMD.exe /offline /Products:WorkflowManager /Path:c:\temp\

Updated 17-June-2015: Incorporated Martin Sandersens comment into the script, removing the need for customized msi files.
Updated 07-August-2015: Updated script for fewer lines of code.

Adding Users/Groups – SharePoint – Powershell

A few times I’ve had to add users to specific SharePoint groups using powershell. I made the below script, which splits up each of the processes in the user creation and permission handling into transparent chunks. That way it’s easier to take what you need 🙂
The below users are external identity provider users, based on UPN. There is a domain users group being added also. The rest of the code should be self explanatory.

#Defines the site to work with
$URL= '' 

#Gets the required web and site objects to work with
$Site= Get-SPSite $URL

#Creating Users
$JD=get-spweb $url | New-SPUser -UserAlias 'i:0e.t|Azure ACS|'
$ON=get-spweb $url | New-SPUser -UserAlias 'i:0e.t|Azure ACS|'
$AA=get-spweb $url | New-SPUser -UserAlias 'i:0e.t|Azure ACS|'
$MS=get-spweb $url | New-SPUser -UserAlias 'i:0e.t|Azure ACS|'

#Creating Groups
$DUContoso=get-spweb $url | New-SPUser -UserAlias 'c:0-.t|Azure ACS|Contoso\Domain Users'

#Get site default groups (using just "$web.Sitegroups" will show all of them.)
$HROwn=$web.SiteGroups["HR Owners"]
$HRMem=$web.SiteGroups["HR Members"]
$HRVis=$web.SiteGroups["HR Visitors"]

#Adding Users to groups



Workflow Manager & Service Bus – Bug

There is a bug in the following CU’s for Workflow Manager and Service Bus which potentially breaks your workflow manager. So have a look on the Workflow Manager server for an Access Denied error against some workflow manager databases. If I get time, I will dig a bit more into the issue.

Cumulative Update for Workflow Manager 1.0 (KB2799754)
Cumulative Update for Service Bus 1.0 (KB2799752)

The following thread describes a possible workaround for the issue.

Web Server security – SSL/TLS

Following the recent attention from the Heartbleed vulnerability, it might be a good idea to have a look at your general SSL/TLS configuration. Being unable to write something more accurate I’ve only supplied to links which details out SSL/TLS versions and support on the different Windows O/S and a free SSL testing tool.
Which protocol is used depends on the server/client negotiated compatibility level. It will, by default use highest possible. – However exploiters will always use lowest possible 🙂

Support for SSL/TLS protocols on Windows

SSL Test tool

SharePoint 2013 – Workflow Management – Starting a workflow using Powershell

Had a simple task of creating a Powershell script that would be able to start a SharePoint workflow. Shouldn’t be too much a problem, I mean just get the web, get the list, find the associated workflows and start the right one using Powershell. How hard can it be?
Failing really short on examples on the web I had help from great colleagues again, puzzled together the below. The below code will start a specific workflow on all items within a designated list. The below should give the foundation to work with other management type tasks for SharePoint Workflows; Start, Start, Cancel etc.
I might update with additional examples, if needed 🙂

The Code

$sourceWebURL = '<URL>'
$sourceListName = '<List Name>'
$TargetWorkflow = '<Workflow Name>'
$spSourceWeb = Get-SPWeb $sourceWebURL
$spSourceList = $spSourceWeb.Lists[$sourceListName]

#Getting a Workflow manager object to work with.
$wfm = New-object Microsoft.SharePoint.WorkflowServices.WorkflowServicesManager($spSourceweb)
#Getting the subscriptions
$sub = $wfm.GetWorkflowSubscriptionService()
#Getting the specific workflow within the list of subscriptions on the specific list. (SP2010 associated workflows basically)
$WF = $sub.EnumerateSubscriptionsByList($spSourcelist.ID) | Where-Object {$_.Name -eq "$TargetWorkflow"}
#Getting a Workflow instance in order to perform my commands.

Foreach($item in $spSourceList){
	#Creating the dictonary object I need to parse into StartWorkflow. This could be most other workflow commands.
	$object = New-Object 'system.collections.generic.dictionary[string,object]'
	$object.Add("WorkflowStart", "StartWorkflow");
	$wfis.StartWorkflowOnListItem($WF, $item.ID, $object)

Microsoft.SharePoint.Client.WorkflowServices namespace

Additional credit
Frej Laursen, Joachim Bach & Per Jakobsen.

Installation SharePoint 2013 with Web Application Proxy and ADFS – Kerberos

Installation of SharePoint 2013 with Web Application Proxy and ADFS – Kerberos
Had some issues trying to piece together all the parts of the puzzle in order to get Web Application Proxy, ADFS and Kerberos to work together with a SharePoint 2013 Web Application hosting a Business Intelligence site, the linked guide should outline the most relevant points required. The rest should be read from references.

Link to doc:
Installation SharePoint 2013 with Web Application Proxy and ADFS – Kerberos guide (Location on Google Drive)

Step 3: Publish Applications using AD FS Preauthentication

SharePoint and the Web Application Proxy Role

Understanding the AD FS 2.0 Proxy