Get synopsis of all Lync powershell cmdlets in text file

oneliner to dump all synopsis of Lynv cmdlets to text file

gcm -mo *Lync* | % {get-help $_.name}| fl Name, Synopsis >c:\source\lync.txt

MCSE communications

Second MCSE in  the pocket.

Interop SIP UDP with Lync

Lync does not support SIP on UDP (port 5060), it only supports TCP or TLS (again TLS over TCP).

If you have a PBX or something that can work only on UDP, you would need a gateway like SBC or else that does support UDP.

Microsoft defend it's UDP rejection here http://blogs.technet.com/b/nexthop/archive/2008/05/23/to-udp-or-not-to-udp-that-is-the-question.aspx

Sonus SBC automation

http://ariprotheroe.wordpress.com/2013/11/27/sonus-sbc-1k2k-transformation-table-entry-builder/

Lync edge and application firewall

http://mobile.dudamobile.com/site/silbers?url=http%3A%2F%2Fsilbers.net%2Fblog%2F2013%2F02%2F04%2Fapplication-layer-firewall-blocks-lync-application-sharing%2F&dm_redirected=true

Force to add Lync contact in Skype

if Skype users can not find Lync used by sip, it may be that federation is not yet established or have some other issue.

To force skype client to add a lync contact even if it's is not discoverable by seach, in IE type

skype:2:sip@address.of.contact.com?add

No connectivity with any of Web Conferencing Edge Servers. External Lync clients cannot use Web Conferencing modality.

if you see below error on Lync 2013 frontend, try to disable IP6 on the NIC interface, disable in registry refer to http://support.microsoft.com/kb/929852 and reboot FE server. If not used the same procedure on Edge.

On FE you can change IIS Web sites bindings to IPv4 IP address instead of all unassigned.
Ensure that there are no deep packet application inspection or antivirus scan on the Firewall in between these servers.

Verify if you have session timeout in your firewall. In case of Palo Alto firewall you needs to set timeout to 4800 seconds, because PA will consider WebConf MTLS as ssl and due to offloading of ssl traffic only every 16th packet will be counted for session time to live. Refer to https://live.paloaltonetworks.com/docs/DOC-3950.

WebConf will send keepalives every 300 seconds (5 minutes), 16x300 will be you a timeout setiing required for Palo Alto.


Log Name:      Lync Server
Source:        LS Data MCU
Date:          12/16/2013 5:20:16 PM
Event ID:      41026
Task Category: (1018)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxx
Description:
No connectivity with any of Web Conferencing Edge Servers. External Lync clients cannot use Web Conferencing modality.
Cause: Service may be unavailable or Network connectivity may have been compromised.
Resolution:
Verify all Web Conferencing Edge Services in the topology are running, and network connectivity is available.

Errors on the FrontEnd 41024 41025 41026 every 20-30 minutes

UPDATE: http://daniyar-tech.blogspot.ch/2014/01/lync-2013-webconf-instability-events.html

External lync user can not start audio with internal user

Recently I was troubleshooting a case where externally connected internal Lync user could not establish audio call with internal client. From client log we see

INVITE (message shows 5 candidates, we also see that hotspot firewall blocks UDP, so this client will have only limited choise of TCP to establish media flow. Number of IP4 candidates should be 6+ in ideal situation),

SIP Trying

SIP OK (we get SIP responce from another end and list of candidates from the other side), we can now exchange IM chats

SIP ACK and then suddenly SIP BYE. No audio call is esablished.

IN SIP BYE we observe an error:

ms-client-diagnostics: 23; reason="Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote";CalleeMediaDebug="audio:ICEWarn=0x4000322,LocalSite=10.79.2.125:49172,LocalMR=xxx:50452,RemoteSite=10.72.3.29:52206,RemoteMR=yyy:50175,PortRange=49152:49191,LocalMRTCPPort=50452,RemoteMRTCPPort=50175,LocalLocation=1,RemoteLocation=2,FederationType=0,NetworkName=test,Interfaces=0x14,BaseInterface=0x4,BaseAddress=10.79.2.125:49158"

if we lookup ICEWarn=0x4000000 in the resource kit: http://www.microsoft.com/en-us/download/details.aspx?id=22644

we could see that problem is coming from egde firewall:

0x4000000

TCP-TCP connectivity checks failed over the TURN Server.

This is indicating that TURN TCP-TCP connectivity check was tried and it failed. The failure indicates that port 443 was not opened on the firewall. If one of the TURN servers was 2007 A/V Edge Server. The administrator needs to open ports from 50,000 through 59,999 TCP to all external Audio/Video Edge services in the environment. This flag isn’t expected and may result in an ICE protocol failure.

Then I have to check if 443 is open, but since I have no access to the Cisco ASA, I use telnet to test the port. The problem with windows telnet is that I can not change IP source address. On the edge if you run telnet www.google.com 443 you will use address of first IP address (Access). That was ok. But to test thirst IP (AV) i had to download ncat http://nmap.org/dist/nmap-6.40-win32.zip
and then run from edge cmd  (http://manpages.ubuntu.com/manpages/natty/man1/ncat.1.html)
ncat -s IP_ADDR_AV_EDGE www.google.com 443
and it was immediately rejected meaning that this direction the port is closed.

When escalated incident was solved by ASA admin, audio calls started flowing.

For more detailed information on connection scenarios refer to http://www.shudnow.net/2010/12/06/lync-server-2010-port-ranges-and-audiomedia-negotiation/

UPDATE: it may happen that firewall is ok, but the VM was migrated to a ESX host that has different VLAN setup and this may prevent traffic also.

Nice example of Lync help intranet site

http://www.cites.illinois.edu/mshelp/index.html

Bug in Microsoft Lync 2013 client?

Many users report the issue: http://social.technet.microsoft.com/Forums/lync/en-US/c5bf2775-d195-4f3a-944d-733d707ab698/multiple-ls-storage-service-32054-errors?forum=lyncdeploy

This is the error that appears in EventLog when using Lync 2013 mobile.

Log Name:      Lync Server

Source:        LS Storage Service

Date:          12/4/2013 10:18:02 AM

Event ID:      32054

Task Category: (4006)

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      xxx

Description:

Storage Service had an EWS Autodiscovery failure.

UnsupportedStoreException: code=ErrorIncorrectExchangeServerVersion, reason=GetUserSettings failed, smtpAddress=xxx@xxxxx, Autodiscover Uri=https://autodiscover.xxxx/autodiscover/autodiscover.svc, Autodiscover WebProxy= ---> Microsoft.Exchange.WebServices.Data.ServiceRequestException: The request failed. The remote server returned an error: (401) Unauthorized. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.

   at System.Net.HttpWebRequest.GetResponse()

   at Microsoft.Exchange.WebServices.Data.EwsHttpWebRequest.Microsoft.Exchange.WebServices.Data.IEwsHttpWebRequest.GetResponse()

   at Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverRequest.InternalExecute()

   --- End of inner exception stack trace ---

   at Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverRequest.InternalExecute()

   at Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.InternalGetUserSettings(List`1 smtpAddresses, List`1 settings, Nullable`1 requestedVersion, Uri& autodiscoverUrl)

   at Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.GetSettings[TGetSettingsResponseCollection,TSettingName](List`1 identities, List`1 settings, Nullable`1 requestedVersion, GetSettingsMethod`2 getSettingsMethod, Func`1 getDomainMethod)

   at Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.GetUserSettings(List`1 smtpAddresses, List`1 settings)

   at Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.InternalGetSoapUserSettings(String smtpAddress, List`1 requestedSettings)

   at Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.GetUserSettings(String userSmtpAddress, UserSettingName[] userSettingNames)

   at Microsoft.Rtc.Internal.Storage.Exchange.ExchangeContext.SendGetUserSettingsRequest(StoreContext ctx, String smtpAddress)

   --- End of inner exception stack trace ---

   at Microsoft.Rtc.Internal.Storage.Exchange.ExchangeContext.SendGetUserSettingsRequest(StoreContext ctx, String smtpAddress)

   at Microsoft.Rtc.Internal.Storage.Exchange.ExchangeContext.GetUserEwsSettings(StoreContext ctx, String smtpAddress, CacheMode cacheMode)

Cause: Autodiscovery Uri was not correctly configured or unreachable, that there is a problem with the Proxy, or other errors.

Resolution:

Check event details.  Check autodiscovery Uri is properly configured and reachable. Check that proxy setting is properly configured and reachable.  Validate Lync to Exchange Autodiscovery configuration by following the trouble shooting guide. If problem persists, notify your organization's support team with the event details.

UPDATE: http://support.microsoft.com/kb/2912341

 UPDATE2: KB is not available from MS.

Lync edge media flow explained

http://blog.schertz.name/2012/10/lync-edge-stun-turn/

Note the link to TechNet session at the end of article.

Testing ports on the Lync 2013 edge

http://flinchbot.wordpress.com/2013/05/10/portqueryui-config-xml-file-for-lync/
http://support.microsoft.com/kb/816103/en-us
http://www.microsoft.com/en-us/download/details.aspx?id=24009

Apart from above use ncat to test AV edge ports 443 and 3478

ncat –s ip_AV www.google.ch 443

ncat –s ip_AV –u anortherlyncedge 3478

Modified BAT Script to use for CLS - originally from R. Brynteson

@ECHO OFF
REM
REM By Richard Brynteson
REM Avtex
REM 2012
REM some modifications Lambert Consulting
REM run as admin to avoid snooper crach, if it is still crashing - reinstall Lync debug tools

CD "C:\Program Files\Common Files\Microsoft Lync Server 2013\ClsAgent"
goto menu
REM
REM DISPLAY MENU
:menu
echo What would you like to trace?
echo.
echo.
echo 1 Incoming and Outgoing Calls
echo 2 Address Book
echo 3 Application Sharing
echo 4 Audio Video Conferencing Issue
echo 5 Conferencing Auto Attendant
echo 6 Call Park
echo 7 CLS Logging
echo 8 Device Update
echo 9 Hosted Migration
echo 10 Hybrid Voice
echo 11 Instant Messaging and Presence
echo 13 LILR Legacy
echo 14 LILR Lyss
echo 15 Lyss and UCS
echo 16 Media Connectivity
echo 17 Meeting Join
echo 18 Monitoring and Archiving
echo 19 Response Group
echo 20 SP
echo 21 User Replication
echo 22 Voice Mail
echo 23 WAC
echo 24 XMPP
echo 25 Always On
echo 26 Quit
echo.
:choice
set /P C=[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26]?
if "%C%"=="26" goto quit
if "%C%"=="25" goto alwayson
if "%C%"=="24" goto xmpp
if "%C%"=="23" goto wac
if "%C%"=="22" goto voicemail
if "%C%"=="21" goto user
if "%C%"=="20" goto sp
if "%C%"=="19" goto rgs
if "%C%"=="18" goto monarc
if "%C%"=="17" goto meeting
if "%C%"=="16" goto media
if "%C%"=="15" goto lyssanducs
if "%C%"=="14" goto lilrlyss
if "%C%"=="13" goto lilrlegacy
if "%C%"=="12" goto im
if "%C%"=="10" goto hybrid
if "%C%"=="9" goto hosted
if "%C%"=="8" goto device
if "%C%"=="7" goto clslog
if "%C%"=="6" goto callpark
if "%C%"=="5" goto conf
if "%C%"=="4" goto av
if "%C%"=="3" goto appsharing
if "%C%"=="2" goto addressbook
if "%C%"=="1" goto inoutcalls
goto choice
:alwayson
set log=AlwaysOn
goto trace
:xmpp
set log=XMPP
goto trace
:wac
set log=WAC
goto trace
:voicemail
set log=VoiceMail
goto trace
:user
set log=UserReplicator
goto trace
:sp
set log=sp
goto trace
:rgs
set log=RGS
goto trace
:monarc
set log=MonitoringAndArchiving
goto trace
:meeting
set log=MeetingJoin
goto trace
:media
set log=MediaConnectivity
goto trace
:hosted
set log=HostedMigration
goto trace
:lyssanducs
set log=LYSSAndUCS
goto trace
:lilrlyss
set log=LILRLYSS
goto trace
:lilrlegacy
set log=LILRLegacy
goto trace
:im
set log=IMandPresence
goto trace
:hybrid
set log=HybridVoice
goto trace
:device
set log=DeviceUpdate
goto trace
:clslog
set log=cls
goto trace
:callpark
set log=CPS
goto trace
:conf
set log=CAA
goto trace
:inoutcalls
set log=IncomingAndOutgoingCall
goto trace
:appsharing
set log=ApplicationSharing
goto trace
:av
set log=AudioVideoConferencingIssue
goto trace
:addressbook
set log=AddressBook
goto trace
:trace
REM
REM START LOGGING
REM
ClsController.exe -start -scenario %log%
ECHO Logging has been enabled.  Reproduce your issue now.
PAUSE
REM
REM
REM
ClsController.exe -stop -scenario %log%
ClsController.exe -flush
ECHO Logging has been disabled.
PAUSE
REM
REM
REM
Set TDate=CLS_%date:~4,2%-%date:~7,2%-%date:~10,4%_%time:~0,2%%time:~3,2%_%time:~6,5%.txt
ClsController.exe -search -loglevel verbose > %userprofile%\desktop\%Tdate%
"C:\Program Files\Microsoft Lync Server 2013\Debugging Tools\Snooper.exe" %userprofile%\desktop\%Tdate%
:quit
break
:end
@rem ===== BATCH SCRIPT END =====

Microsoft Lync Connectivity Analyzer on Windows 7 has stopped working

If you have Lync Connectivity Analyzer crashing in Windows 7 (32bit) try to remove KB2840642V2 update.

Lync to Skype federation requires provisioning from Microsoft side

https://pic.lync.com/provision/Logon/FAQ.htm

Some other notes that I can add:

Skype may not like SHA256 (SHA-2) signature on the endge certificate. Check if you can reissue your public certificate with SHA1 (less secure).

Note that egde must trust  "Baltimore CyberTrust Root" as this is what Skype uses.

It may take another 2 weeks after you get email from Microsofdt that provisioning is finished.

Do not forget to enable

Set-CsMediaConfiguration -EncryptionLevel SupportEncryption
Set-CsExternalAccessPolicy Global -EnablePublicCloudAccess $true -EnablePublicCloudAudioVideoAccess $true

as exaplained at http://technet.microsoft.com/en-us/library/jj205149.aspx

Lync clients logs path

Lync 2013 Desktop 

C:\Users\\AppData\Local\Microsoft\Office\15.0\Lync\Tracing

Lync 2010 Desktop  

C:\Users\\Tracing

AppStore Lync Client

C:\Users\\AppData\Local\Packages\Microsoft.LyncMX_8wekyb3d8bbwe\ LocalState\Tracing\LyncImm-Lync-0.Lynclog

LWA plug-in 

C:\users\\AppData\Local\Microsoft\LWAPlugIn\Tracing 

Troubleshooting lync voice routing

Several links that helped me to create voice routes in Lync 2013 http://masteringlync.com/2013/04/11/understanding-voice-routing-routing-authorization/.

http://techedzaportal.blob.core.windows.net/thurs7/Room%207_UNC401%20-%20Lync%202013%20-%20Dial%20Plan%20and%20Voice%20Routing%20%20-Bertolis%20-Young.pdf

Special note for slide 20:
Multiple routes in the same usage
• Gateway selected based on matching pattern.If multiple routes match, do not rely on route ordering for enforcing preference.
So even if Voice route test in Lync Contorl panel indicates that route works, you may see that FrontEnd may decide differently. When you trace SIP session you may observe that PhoneRoute is not exactly what you expected:

TL_INFO(TF_PROTOCOL) [pool\fe6]1830.044C::11/08/2013-21:40:09.582.00000175 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265)) [758279003]
Trace-Correlation-Id: 758279003
Instance-Id: 19D8
Direction: outgoing;source="local"
Peer: pool.corp:59325
Message-Type: response
Start-Line: SIP/2.0 101 Progress Report
From: "testlync13";tag=d9096ad6cd;epid=586928041f
To:
Call-ID: d58bfea8e1c34bed887ce915bfc89be5
CSeq: 1 INVITE
Via: SIP/2.0/TLS yyy:59325;branch=z9hG4bK69EC0823.DE3BF7E7D064C968;branched=FALSE;ms-received-port=59325;ms-received-cid=2E200
Via: SIP/2.0/TLS zzz:57226;branch=z9hG4bK2C19BD82.033C499B38802969;branched=FALSE;ms-received-port=57226;ms-received-cid=141A100
Via: SIP/2.0/TLS 192.168.100.114:58378;received=xxx;ms-received-port=58378;ms-received-cid=3449B00
Content-Length: 0
ms-diagnostics: 12006;reason="Trying next hop";source="fe6.xxx";PhoneUsage="National numbers (0xx xxx xx xx)";PhoneRoute="National numbers (0xx xxx xx xx) (Pool UX1)";Gateway="gw1.corp";appName="OutboundRouting"
$$end_record


The solution is to make sure there is one route for a pattern in a PSTNUsage. For that you may need to create another voice policy + PSTNUsage for users and map to the correct route.


Here is another linc that talk about troubleshooting in general:
http://channel9.msdn.com/Events/TechEd/Australia/2013/EXL331

And banch of tools that help:

http://www.lync-solutions.com/Pages/Downloads.aspx


Enjoy.

Lync on premise Exchange online

http://office365champs.wordpress.com/2013/03/19/migrating-um-to-office-365-with-lync-on-premise/

http://ahandyblog.wordpress.com/cloud-technologies/office-365-unified-messaging-with-lync-2013-on-premise/

Test Lync autodiscover

http://blogs.technet.com/b/nexthop/archive/2013/02/08/the-new-lync-connectivity-analyzer.aspx

Windows 7 and XP are most popular

Windows 8.1's web use doubles shortly after launch http://www.engadget.com/2013/11/02/net-applications-october-2013/

Lync exclusions for Antivirus

http://technet.microsoft.com/en-us/library/dn440138.aspx

Lync voice quality monitoring

Using log tool http://blogs.technet.com/b/nexthop/archive/2012/12/10/troubleshooting-call-quality-locally-with-snooper.aspx
Microsoft Lync Server 2010: Work Smart Guide for Monitoring Server Reports http://www.microsoft.com/en-us/download/details.aspx?id=9129
Extend monitoring reports with power pivot http://blogs.technet.com/b/ilvancri/archive/2012/03/09/extending-your-lync-monitoring-data-using-powerpivot-and-power-view.aspx
Video on monitoring usage http://go.microsoft.com/fwlink/?LinkId=218906
Windows Pre-call diagnostic tool http://www.microsoft.com/en-us/download/details.aspx?id=40733&amp

Lync 2013 client address book sycnronisation

Newly enabled Lync 2013 client have a random delay 1-59 minutes to start downloading GAL. While it is not ready you may see the message "Address book is syncronising". You can force update as explained here.

Lync dependency on correct root certificates

Make sure that root certificates are indeed self-issued. And that intermediate certificates container does not have roots: http://support.microsoft.com/kb/2795828

Lync Server Networking Guide v2

Updated: Announcing the Release of the Lync Server Networking Guide v2 - NextHop - Site Home http://blogs.technet.com/b/nexthop/archive/2013/10/21/announcing-the-release-of-the-lync-server-networking-guide-v2.aspx

Sharepoint host named site collection limitations

http://blogs.msdn.com/b/kaevans/archive/2012/03/27/what-every-sharepoint-admin-needs-to-know-about-host-named-site-collections.aspx

Upgrade Lync 2013 from 2010

http://www.oiboran.com/?p=1073

Lync one liners

http://lyncsorted.blogspot.ch/p/one-liners-since-i-can-never-remember.html?m=1

Lazy Lync admin dial plan generator

http://www.lyncoptimizer.com/

Lync 2010 attendant and Polycom CX600

Please note that Lync 2010 attendant is not compatible with Polycom cx600 IP phone in the sense that attendant does not pair with this phone (no login credential are provided for usb tethering), you need to use standard Lync 2010 or 2013 client with this phone or in standalone mode.

Exchange 2010 UM auto attendant does not answer

if you have issue with newly created AA and you have eventlog entry with ID 1021(The Unified Messaging server rejected an incoming call with the ID <>. Reason: "The Unified Messaging server can’t find a valid UM hunt group for <> associated with UM IP gateway"), then make sure you have created an account with no spaces in the name. Otherwise delete and create new AA.

Office 2013, Lync 2013 MAK autoactivation

http://technet.microsoft.com/en-us/library/dd630736.aspx#BKMK_UseOCTSilentInstallOpt

Certificate request error "Certificate not issued (Incomplete)"

When I tried to obtain Exchange 2010 certificate I bumped into the error. If you get the error similar to this one: Active Directory Enrollment Policy {04D0DAAD-B09E-4083-AF37-4D6131C40066} ldap: Certificate not issued (Incomplete) when you try to get certificate from Microsoft CA, check if your req file is encoded in Unicode. Open req file in notepad and save with encoding ANSI. Resubmit your request and see if error disappears.

Lync 2013 cumulative updates explained

http://www.zerohoursleep.com/2013/07/lync-server-2013-cumulative-updates-cu2-july-2013-installation-workflow/

http://blogs.technet.com/b/dodeitte/archive/2013/07/02/how-to-verify-if-lync-server-2013-database-updates-completed-successfully.aspx

Google blogger posts to google+

Google Now Automatically Shares Blogger Posts to Google+ http://thenextweb.com/google/2013/09/10/google-now-automatically-shares-blogger-posts-to-google-turns-feature-on-by-default-for-linked-accounts/

Lync 2013 autodiscovery explained

http://blog.schertz.name/2012/12/lync-2013-client-autodiscover/

Microsoft Technet - last days to order

Effective September 1, 2013, TechNet Subscriptions are no longer available for purchase through the TechNet Subscriptions website. Hurry up to order it now!

dd-wrt NAT with several subnets behind

If you have a complex lab at home and you would like to setup dd-wrt routing do not forget to enable nat for all subnets, as by default dd-wrt will only take care of the one directly connected.
Here is example of my script that adds 10.10.10.0 subnet to the internet nat, script also contains openvpn related commands:
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -I POSTROUTING -o `get_wanface` --source 10.10.10.0/24 -j SNAT --to `nvram get wan_ipaddr`

OpenVPN key generation issue

If you see an error during openvpn (my version was OpenVPN 2.3.2 -- released on 2013.06.03 under Windows 7 32bit) key generation
"failed to update database
TXT_DB error number 2"
then remember to re-type unique choices like CN, Email, etc. that are given in square brackets [] - example below:
Country Name (2 letter code) [CH]:CH
State or Province Name (full name) [VD]:VD
Locality Name (eg, city) [Lausanne]:Lausanne
Organization Name (eg, company) [org]:org
Organizational Unit Name (eg, section) [VPN]:VPN
Common Name (eg, your name or your server's hostname) [server]:server
Name [Dan]:Dan
Email Address [admin@contoso.com]:admin@contoso.com

SharePoint Connections Amsterdam 2013

SharePoint Connections Amsterdam 2013 will take place at the Meervaart Theatre in Amsterdam on the 19th & 20th November 2013. http://www.nccomms.com/Sharepoint_Connections/Home.aspx

Security hardening of SharePoint farm

http://technet.microsoft.com/en-us/library/cc262849.aspx

eDiscovery in SharePoint 2013

SharePoint 2013 is capable to perform eDiscovery on sources limited to file shares, Exchange and SharePoint. The data can be hold in-place or exported out. If you have other types of data sources, like SAP, Documentum, etc., you may want to compare with other solutions.

SharePoint 2013 apps authentication with OAuth

SharePoint 2013 provides a new method for application authentication. Despite the term authentication, it is based on OAuth 2.0 (Open Authorization). The idea is that an app can access other parts of SharePoint without asking users credentials, but using user's permissions in a frame of selected authorization that user accepts during initial app installation. The apps access requirements are build in apps manifest by the developer. Refer to technet article and this video.

Powershell to monitor for SharePoint logs based on correlation ID

Apart from ULS, you can use powershell to search for a correlation and browse it in notepad, example:
Get-SPLogEvent -starttime (get-date).addminutes(-20) | Where -Object {$_.Correlation -eq "5918349c-c5a0-908b-6f2f-f6078c7382e5"} | fl > c:\temp\errors.txt; notepad c:\temp\errors.txt

SharePoint User Code Host starts then stops

SharePoint User Code Host starts then stops with ULS errors:

Performance Counter OS (pdh) call failed with error code PDH_CSTATUS_NO_MACHINE.
- Process perf counters are disabled. Sandboxed code monitoring cannot continue
from SPUCHostService.exe

EventViewer reports:

Log Name:      System
Source:        Service Control Manager
Date:          7/30/2013 12:00:10 PM
Event ID:      7034
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SP2013.contoso.com
Description:
The SharePoint User Code Host service terminated unexpectedly.  It has done this 18 time(s).

The solution is described in  http://support.microsoft.com/kb/983081:

add windows service account of SharePoint User Code Host to local server groups 'Performance Monitor Users' and 'Performance Log Users'

SharePoint 2013 search access denied to People data sps3:// (Event 1314)

The error:

Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Server Search
Date:          7/29/2013 10:53:09 PM
Event ID:      1314
Task Category: Crawler:Gatherer Plugin
Level:         Warning
Keywords:    
User:          CONTOSO\sp_crawl
Computer:      SP2013.contoso.com
Description:
The start address sps3://sp2013:81 cannot be crawled.

Context: Application 'Search_Service_Application', Catalog 'Portal_Content'

Details:
Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository. If the repository being crawled is a SharePoint repository, verify that the account you are using has "Full Read" permissions on the SharePoint Web Application being crawled.   (0x80041205)

The suggestion above is great, but does not help as it has been a case already.

The solution is to add crawler account to User Profile Service Admins with right to get data from People Data:

SharePoint 2013 organisation browser empty in non-mysites

To fix the issues please refer to http://spreza.blogspot.ch/2013/03/using-sharepoint-2013-organization.html
You need to place the script under Organisational browser webpart on the same page.
<script type="text/javascript"> function CreateHierarchyChartControl(parentId, profileId, type, persistControlId) { var i = profileId.indexOf("|"); var claimsmode = profileId.substr(i-1,1); if((i >=0 ) & (claimsmode=="w")) { profileId = profileId.substr(i+1,profileId.length-i-1); var initParam = profileId + ',' + type + ',' + persistControlId; var host = document.getElementById(parentId); host.setAttribute('width', '100%'); host.setAttribute('height', '100%'); Silverlight.createObject('/_layouts/ClientBin/hierarchychart.xap', host, 'ProfileBrowserSilverlightControl', { top: '30', width: '100%', height: '100%', version: '2.0', isWindowless: 'true', enableHtmlAccess: 'true' }, { onLoad: OnHierarchyChartLoaded }, initParam, null); } } </script>

However, the script is better to be placed in embeded HTML, rather than in Content Webpart.

SharePoint 2013 Add-SPProfileLeader cmdlet gives "ProfilePropertyCache does not have" error

if you have an error trying to specify your CEO in the User profiles -

"Add-SPProfileLeader : UserProfileApplicationNotAvailableException_Logging ::
UserProfileApplicationProxy.ApplicationProperties ProfilePropertyCache does
not have "


or if you use Update-SpProfilePhotoStore

Update-SPProfilePhotoStore -CreateThumbnailsForImportedPh
otos $true -MySiteHostLocation http://xxxxxxxxxx
Update-SPProfilePhotoStore :
UserProfileApplicationNotAvailableException_Logging ::
UserProfileApplicationProxy.ApplicationProperties ProfilePropertyCache does
not have ...


try to repeat this powershell command under farm account.

Or provide permission to your account in Central Admin - highlight User Profile Service Application and then click Permissions and add account that you use for PowerShell with Full permission



Sometime if it still does not work, check rather administrator.  Note also Service Account running Distributed Cache - AppFabric Caching  service ....

Microsoft supporting startups

http://www.microsoft.com/bizspark/About/Default.aspx

SharePoint 2013 Event ID:7362 portalsuperuseraccount

If you get this eventlog message in SharePoint 2013:

Log Name:      Application
Source:        Microsoft-SharePoint Products-Web Content Management
Date:          7/26/2013 3:05:44 PM
Event ID:      7362
Task Category: Publishing Cache
Level:         Information
Keywords:      
User:          
Computer:      
Description:
Object Cache: The super user account utilized by the cache is not configured. This can increase the number of cache misses, which causes the page requests to consume unneccesary system resources.
 To configure the account use the following command 'stsadm -o setproperty -propertyname portalsuperuseraccount -propertyvalue account -url webappurl'. The account should be any account that has Full Control access to the SharePoint databases but is not an application pool account.
 Additional Data:
 Current default super user account: SHAREPOINT\system

make sure you read this articles http://sharepointchick.com/archive/2010/10/06/resolving-the-super-user-account-utilized-by-the-cache-is.aspx  and http://technet.microsoft.com/en-us/library/ff758656.aspx

before you actually run stsadm, as you may break SP for all users.

Log viewer for SharePoint 2013

For troubleshooting and for correlation of errors, you might still need good old ULS viewer from Microsoft PSS. It helps to highlight correlated entires if you enable Smart Highlight.

SAML claims authentication in Sharepoint over AD FS

Following a lab on configuring SAML authentication in Sharepoint over AD FS
http://www.microsoft.com/en-us/download/details.aspx?id=30385
based on http://technet.microsoft.com/library/hh305235(office.15).aspx

I released that there are few typos in the scripts, also not clear the mapping of LDAP attributes to outgoing Claims, I had to modify to make it work from SAM-account-name to Email address from LDAP side

Free MS e-book - a guide to claims-based identity and access control

Although based on earlier versions of SharePoint and Windows, this book provides very detailed explanation on all concepts of Microsoft implementation of claims-based authentication and access controls.

http://msdn.microsoft.com/en-us/library/ff423674.aspx

A paper version is available on Amazon:

http://www.amazon.com/Guide-Claims-Based-Identity-Access-Control/dp/1621140024/

Bruce Schneier talks about power

Human society runs on trust. We all trust millions of people, organizations, and systems every day -- and we do it so easily that we barely notice. But in any system of trust, there is an alternative, parasitic, strategy that involves abusing that trust. Making sure those defectors don't destroy the cooperative systems they're abusing is an age-old problem, one that we've solved through morals and ethics, laws, and all sort of security technologies. Understanding how these all work -- and fail -- is essential to understanding the problems we face in today's increasingly technological and interconnected world. 


http://youtu.be/m3NJ-Ow2Lvg

How to change Sharepoint 2013 top left SuitBar to a custom text or image using masterpage

The first thing any branding is looking at is this famous "SharePoint" word in the top left corner of OOB Sharepoint 2013. There are many methods to change it - by creating Visual Studio project or App, by twicking in powershell, etc. Here is very simple method using masterpages and javascript. In Sharepoint Designer 2013 locate a source masterpage, make a copy to your custom name. Then locate the place where you can modify an object called "ms-core-brandingText" - quote from source fully rendered client HTML

<div id="suiteBarLeft"> <div class="ms-table ms-fullWidth"> <div class="ms-tableRow"> <div class="ms-tableCell ms-verticalAlignMiddle"> <div class="ms-core-brandingText"> SharePoint</div>

In case of seatle masterpage locate <div id="suiteBarRight">
and just above it add

<script type="text/javascript"> document.getElementById("suiteBarLeft").getElementsByClassName("ms-core-brandingText")[0].innerHTML = "Hello world!"; </script>

This is an example, you can add a logo image or link instead. Check-in the new master page with major version and then set this master page for the site.

The result would be something like this:



Note that to modify My Sites master page you need to open My Sites in SharePoint Designer (in my case URL http://sp2013.contoso.com/my) and modify directly the masterpage called mysite15.master with the same method.

User Profile Synchronization is not running on SharePoint 2013

When you configure user profile synchronization settings in Central Administration of SharePoint 2013, you may receive the error message:

“Cannot navigate to the requested page because User Profile Synchronization service is not running. Please start User Profile Synchronization service”.

To start it you need to select “Manage services on server” and provide credentials:

If you do not have this menu on your screen, probably you are not running IE10 as administrator.

How to enable Design Manager in SharePoint 2013 site

Design Manager is new feature of SP2013, but it is not enabled by default. To enable it you would need Publishing feature.

Go to “Site Settings” of the collection root site and select “Site collection features”:

Then Activate Publishing infrastructure:

Then in the “Site Setting” of the root site or any target subsite select “Manage site features”:

And Activate “SharePoint Server Publishing”:

Now you should be able to see new menu in under Settings Icon called “Design Manager”:

SharePoint 2013 resource

Articles contain an overview of product features, product comparison information, system requirements, product evaluation kit, news and reviews, case studies, videos, virtual labs, and product roadmap.

http://technet.microsoft.com/en-us/library/cc261970.aspx

----------------------------
This Post contains a bunch of Free Step by Step SharePoint Server 2013 Lab Guides that Microsoft gives for free on its Download Center. Usually I post them together with the other free resources that Microsoft offers, however this is a Test Lab Guide (TLG) only post, and the rest of the resources will come later in the month.

http://absolute-sharepoint.com/2013/07/free-step-by-step-sharepoint-server-2013-lab-guides-by-microsoft.html

SAML suppose to be secure!

using SAML standard does not mean that your SAML implementation is automatically secure. Here is attacks examples on XML signature (simple order change in XML might open a door)

http://youtu.be/RHIkb9yEV1k

Bruce Schneier Answers Your Questions Video

A lot of fun and serious thoughts
http://youtu.be/dJh0mIJn6kE

HP Storage vulnerability

HP security bulletin  report an issue in HP Storage powered by LeftHand OS.

It would be interesting to know if earlier products close to EOL such as EVA 4400 have the same vulnerability. HP has the similar support access method to earlier versions of enterprise storage, but it is not powered by LeftHand OS.

CentOS cluster

Detailed video walkthrough of creation of  a cluster on CentOS (RedHat) nodes

http://youtu.be/FP2_MxXGibY

note that you can not use cluster fencing on hyper-v guests, so for your lab use KVM or VMWare or Xen - read more at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/High_Availability_Add-On_Overview/s1-virt-guestcluster.html.

The Four Pillars of Identity

Four pillars:

Administration (provisioning, change control, automation)
Authentication (is user really who he claims to be)
Authorization (role, risk, policy, claims based)
Audit (alerts, reporting, governance)

http://social.technet.microsoft.com/wiki/contents/articles/15530.the-four-pillars-of-identity-identity-management-in-the-age-of-hybrid-it.aspx

20 Critical security controls (SANS ver. 4.1)

Must read information for IT security professionals:

http://www.sans.org/critical-security-controls/guidelines.php

or PDF version

http://www.sans.org/critical-security-controls/cag4-1.pdf

DVD drive is not recognized in Windows 8

Suddenly I realised that my CDROM/DVDROM is missing in Windows 8. BIOS does detect it as usual.

The issues is inside Windows. The registry trick helped to solve it:

reg.exe add "HKLM\System\CurrentControlSet\Services\atapi\Controller0" /f /v EnumDevice1 /t REG_DWORD /d 0x00000001

reboot.

Little bit annoying, I do not understand why I should use registry for a very standard feature on my PC.

MCSE Private Cloud 2012

passed the last exam today!

Microsoft Thursday - this time is a tough one - all platforms affected, including Windows Kernel, etc.

Code for exploits probability is high, patch ASAP: 

1- Exploit code likely

http://technet.microsoft.com/en-us/security/bulletin/ms13-jul

CentOS switching to Oracle Linux

According to Oracle by switching from CentOS to Oracle Linux you shorten delays on RHEL sources recompilation which sometimes can be vital in critical enterprise environments. Oracle Linux claims 100% compatibility with CentOS. Another advantage is that Enterprise customers can optionally buy a support from Oracle. Otherwise it is as free as CentOS.

to switch use command:

curl -O https://linux.oracle.com/switch/centos2ol.sh 
sh centos2ol.sh

Microsoft equivalent of SAP Earlywatch for private cloud

System Center Advisor - public cloud based best practices analyser for MS private cloud. Can also work as OpsMgr conector with no extra overhead:

https://systemcenteradvisor.com/

http://channel9.msdn.com/Shows/Edge/Edge-Show-61--System-Center-Advisor-with-System-Center-2012-Operations-Manager

Enable Lync notifications in SCOM 2012

http://www.effectualit.com/2012/09/enable-the-instant-messaging-notification-in-system-center-2012-operations-manager/

Create System Center Service Manager Service Offering based on new SCVMM service with runbook automation

Assuming you have created a working runbook that creates automatically a service instance in SCVMM (refer to runbook example http://daniyar-tech.blogspot.ch/2013/07/system-center-2012-sp1-orchestrator.html) then you can proceed and use this runnbook in in Service manager –

Create template with class set to “Runbook Automation Activity”

In the template form select a runbook and fill the initial data

Create template with class set to “Service Request”, it is required to appear later in the droplist

In the template forms activities tab click plus icon

And the select the activity you want to add to the request workflow

Define at what stage of workflow this activity will execute.

Now you can define a request offering (Library - Service Catalog – Request offering - Create) by selecting a template we just created above

We may want to ask user to provide new VM ServiceName

And map it to runbook initial data variable ServiceName

Set publish status to Published.

Now you can create Service Offering and link it to this request offering

Set status of service offering to published and you now can start requesting it from Self-service portal or directly in the SM console.

Service request is in progress:

Service Manager -

Orchestrator -

Virtual Machine Manager -

Audit Collection Services in System Center Operations Manager

http://youtu.be/AQkdZKoflBc

How to create service automation in System Center

a lab scenario from MS virtual lab, provides a scenario on how to create templates, requests, automation tasks, runbooks.

http://downloads.vlabcenter.com/virtualwidemanuals/CMG/SystemCenter2012SP1Services&Automation.pdf

System Center 2012 SP1 Orchestrator runbook to deploy a SCVMM service from a template

Here is an example of System Center 2012 SP1 Orchestrator’s runbook to deploy a SCVMM service from a defined template.

Service Template Name   equals {TemplateName from “Initialize Data”}

Service Template Release   equals {TemplateRelease from “Initialize Data”}

Service Template Name {Service Template Name from “Get Service Template”}

Note that deployment did not work from the beginning with error:

“The following errors occurred when invoking PowerShell script:Could not find service template    Exception: InvalidOperationException Target site: PSRunspaceInvoker.HandleInvokeErrors Stack trace:    at Microsoft.SystemCenter.Orchestrator.Integration.PowerShellConnector.PSRunspaceInvoker.HandleInvokeErrors(IList invokeErrors)    at Microsoft.SystemCenter.Orchestrator.Integration.PowerShellConnector.PSRunspaceInvoker.Invoke(RunspaceInvoke runspace, String script, ILogger logger)    at Microsoft.SystemCenter.Orchestrator.Integration.PowerShellConnector.PSScriptRunner.Execute(String script)    at Microsoft.SystemCenter.Orchestrator.Integration.VMM2012QIK.ActivityBase.DoWork(IActivityRequest request, IActivityResponse response)    at Microsoft.SystemCenter.Orchestrator.Integration.VMM2012QIK.VMMBase.Execute(IActivityRequest request, IActivityResponse response)”

The solution was to add optional parameter Cloud Name as shown in the screen above.

Service Configuration Name {Service Configuration Name from “Configure Service Deployment”}