Forefront Security for SharePoint: Calling LoadLibraryEx on ISAPI filter D:\Program Files\Microsoft Forefront Protection for SharePoint\FSSPUsernameFilter.dll failed

By peter.stilgoe









When Microsoft Forefront Security for SharePoint is installed on a SharePoint server, non-SharePoint sites may have problems accessing the Internet Server API (ISAPI) filter that is installed by Forefront Security.

On Internet Information Services (IIS) 7, users who browse to these sites may receive the following error message:

HTTP Error 500.0 – Internal Server Error

Calling LoadLibraryEx on ISAPI filter “D:\Program Files\Microsoft Forefront Protection for SharePoint\FSSPUsernameFilter.dll” failed

On IIS 6, users who browse to non-SharePoint sites may receive the following error message:

Service Unavailable

Internet Information Services 7 (IIS 7)

- In IIS Manager, navigate to a non-SharePoint Web site that is experiencing this issue.
- Select the Web site, and then double-click ISAPI filters.
- In the Filter pane, select FSSP Username Filter.
- In the Actions pane, click Remove.
- In the confirmation dialog box, click Yes.

Test the site to determine whether the issue is resolved. If the issue is not resolved, an IIS restart of the Web site may be necessary. You can do this through the IIS administrator.

Internet Information Services 6 (IIS 6)

To determine whether the issue that is described in this article is the same issue that you are experiencing, examine the Application log in Event Viewer. If the ISAPI filter is causing this issue, the following error will be logged:

Type: Error

Event ID: 2214

The HTTP Filter DLL C:\\Program Files\Microsoft Forefront Protection for SharePoint\FSSPUsernameFilter.dll failed to load. The data is the error.

On IIS 6 servers, the ISAPI filter is not exposed at the individual site level. To resolve the issue, add the account that the non-SharePoint site is running as to the IIS_WPG and WSS_WPG security groups. To find that account, look at the credentials on the application pool that the site is running under. After you have the account, follow these steps to resolve the problem:

- Add the account that the non-SharePoint site is running as to the IIS_WPG and WSS_WPG security groups. This makes sure that the Web site has permissions to load the ISAPI filter in the Forefront for SharePoint directory.

- For the changes to take effect, you must run an IISReset. To do this, open a command prompt, and then type IISReset. This shuts down and restarts all IIS services.





Publishing Sharepoint 2010 externally using MS UAG 2010

By peter.stilgoe









You would think that making Sharepoint 2010 available externally using MS UAG 2010 would be fairly straightforward; however, our experience is that at best it's very flaky! This is kind of backed up by the fact that numerous blog posts & guides from Microsoft & 3rd parties contradict each other. These are just my notes for how I managed to get it to work.

2 x WFE Windows Server NLB IP: 192.168.1.100

Public Host Name – extranet.abccorp.co.uk

Sharepoint Webapp: docs.abccorp.local
DNS: docs.abccorp.local –> 192.168.1.100

1) Making configuration changes on the UAG published application config – our experience was that if you create a new web application config in the UAG from scratch, compared to editing an existing one to the same config, you would quite often get different results. So when applying any config changes we always deleted the trunk & the published app config and recreated them from scratch with the required new config. This was the only way we felt we were getting the ‘true’ result of the config change.

2) The Application Server addresses & the application url – In order to get the UAG Sharepoint web application to work we had the following config:

HTTPS Trunk:
Public Hostname – extranet.abccorp.co.uk

Sharepoint UAG App:
Web Servers (Addresses tab) – docs.abccorp.local (DNS points to the NLB WFE IP Address)
Public Host Name (Addresses tab) – extranet.abccorp.co.uk
Application URL (Portal Link tab) – http://docs.abccorp.local

Notes on above –
# The address we put in for the web servers & application URL had to be the same. If they weren’t the same, it seems the UAG didn’t encode the application URL correctly on the client side.

# We used Windows Server NLB as opposed to using the UAG to do the Load Balancing





Sharepoint 2010: Sample CSS to customise Site Actions button

By peter.stilgoe









Sample CSS to customise the ‘Site Actions’ buttons in Sharepoint 2010

/* Site Actions Menu */
.ms-siteactionsmenu{
border:1px solid transparent;
background-color:#F2F2F4;
}
.ms-siteactionsmenu .ms-menu-a span{
color:#000000;
}
.ms-siteactionsmenu .ms-siteactionsmenuhover {
background-color:#FFFFFF;
color:#ffffff;
}


Sharepoint CQWP: XSL template to display document details

By peter.stilgoe









An example XSL template to display document details in a content query webpart:

<xsl:template name="DocumentsDetails" match="Row[@Style='DocumentsDetails']" mode="itemstyle">
    <xsl:variable name="SafeLinkUrl">
        <xsl:call-template name="OuterTemplate.GetSafeLink">
            <xsl:with-param name="UrlColumnName" select="'LinkUrl'"/>
        </xsl:call-template>
    </xsl:variable>
    <xsl:variable name="DisplayTitle">
        <xsl:call-template name="OuterTemplate.GetTitle">
            <xsl:with-param name="Title" select="''"/>
            <xsl:with-param name="UrlColumnName" select="'LinkUrl'"/>
            <xsl:with-param name="UseFileName" select="1"/>
        </xsl:call-template>
    </xsl:variable>
    <xsl:variable name="DisplayAuthor">
        <xsl:call-template name="OuterTemplate.GetTitle">
            <xsl:with-param name="Title" select="''"/>
            <xsl:with-param name="UrlColumnName" select="'LinkUrl'"/>
            <xsl:with-param name="UseFileName" select="1"/>
        </xsl:call-template>
    </xsl:variable>
    <div class="item link-item">
        <xsl:if test="string-length(@DocumentIconImageUrl) != 0">
            <div class="image-area-left">
                <a href="{$SafeLinkUrl}" title="{@LinkToolTip}">
                    <xsl:if test="$ItemsHaveStreams = 'True'">
                        <xsl:attribute name="onclick">
                            <xsl:value-of select="@OnClickForWebRendering"/>
                        </xsl:attribute>
                    </xsl:if>
                    <xsl:if test="$ItemsHaveStreams != 'True' and @OpenInNewWindow = 'True'">
                        <xsl:attribute name="onclick">
                            <xsl:value-of disable-output-escaping="yes" select="$OnClickTargetAttribute"/>
                        </xsl:attribute>
                    </xsl:if>
                    <img class="image" src="{@DocumentIconImageUrl}" title="" />
                </a>
            </div>
        </xsl:if>
        <div class="link-item">
            <div style="color: black; font-family: Arial, Helvetica, sans-serif; line-height: -2%">
                <xsl:call-template name="OuterTemplate.CallPresenceStatusIconTemplate"/>
                <a href="{$SafeLinkUrl}" title="{@LinkToolTip}">
                    <xsl:if test="$ItemsHaveStreams = 'True'">
                        <xsl:attribute name="onclick">
                            <xsl:value-of select="@OnClickForWebRendering"/>
                        </xsl:attribute>
                    </xsl:if>
                    <xsl:if test="$ItemsHaveStreams != 'True' and @OpenInNewWindow = 'True'">
                        <xsl:attribute name="onclick">
                            <xsl:value-of disable-output-escaping="yes" select="$OnClickTargetAttribute"/>
                        </xsl:attribute>
                    </xsl:if>
                    <xsl:value-of select="$DisplayTitle"/>
                </a>   |   <xsl:value-of select="@Author" />   |   <xsl:value-of disable-output-escaping="no" select="ddwrt:FormatDate(string(@Description), 2057, 5)" />
            </div>
        </div>
    </div>
</xsl:template>

A returned file in the CQWP will display:

Plan 36 | xxxxxx\StilgoeP | 01/06/2011 09:35

Doc Icon (links to doc) – Doc Title (links to doc) – Author – Modified Date & Time


STSADM -o backup -directory: Error Cannot open backup device Operating system error 5 (error not found)

By peter.stilgoe









STSADM -o backup -directory: Error Cannot open backup device Operating system error 5 (error not found)

Ensure the SQL service account is a domain account and it has permissions to the shared folder.

Also ensure the account used to execute the backup command has the correct rights on the DBs as per MS recommendations, i.e. Owner, creator etc.


Sharepoint 2010 Service Pack 1 (SP1) – Features

By peter.stilgoe









Sharepoint 2010 SP1 new features include:

- The usual stability, performance and security enhancements rolled up.

- A site recycle bin. We could always recover files etc. from the recycle bin, but in SP1 you can now recover whole Sharepoint site collections & sites as well!

- A new improved storage space allocation feature enabling site collection owners to have a better understanding of their storage usage, similar to the one in MOSS 2007 but better.

- Remote storage support for shadow copies ensuring better reliability and recoverability.

- New Powershell cmdlet (Move-SPSite) for moving Site Collections between databases without moving content back in the db when using remote blob storage.

- Improved backup & restore functionality for Sharepoint Server 2010

- Project Professional synchronises scheduled tasks with Sharepoint task lists

- Google Chrome Support for SharePoint 2010 and Office Web Apps


Sharepoint: Removing illegal characters from filenames prior to bulk uploading

By peter.stilgoe









If you are doing a migration from a filesystem to Sharepoint you will more than likely come across problems uploading documents to Sharepoint that contain illegal characters in their filenames.

In Sharepoint the following characters are classed as illegal characters – & ” : * ? <> # {} % ~ / \ Tab

The + character can also cause problems & should be avoided in filenames & sitenames.

Below are some useful Powershell scripts to help you remove the illegal characters prior to uploading your documents to Sharepoint.

List all files containing a specific character (in this case ‘&’)

gci -rec | ? {-not $_.PSIsContainer -and $_.Name.Contains("&")}

Count the number of files containing a specific character (in this case ‘&’)

(gci -rec | ? {-not $_.PSIsContainer -and $_.Name.Contains("&")}).Count

Replace a specific character with another, in our case the ‘&’ with the word ‘and’

gci -rec | ? {-not $_.PSIsContainer -and $_.Name.Contains("&")} | % {rename-item $_.FullName -newname ($_.Name -replace "&","and")}
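
The one-liners above handle one character at a time. As an added example (not part of the original post), the script below covers every character the post lists in a single pass, previews by default and avoids name collisions. The parameter names, every replacement other than '&' to 'and', and the `_1` suffix scheme are assumptions.

```powershell
# Added example, not the original author's script. Save as a .ps1 file and run it
# against the folder you are about to upload.
param(
    [string]$Root = '.',
    [switch]$Apply   # without -Apply nothing is renamed; Rename-Item runs with -WhatIf
)

# Characters the post lists as illegal in SharePoint, plus '+'.
# Only '&' -> 'and' is the post's choice; the other replacements are assumed defaults.
$map = [ordered]@{
    '&' = 'and'; '+' = 'plus'; '#' = '-'; '%' = '-'; '~' = '-'; '{' = '('; '}' = ')'
    '"' = '';    ':' = '-';    '*' = '-'; '?' = '';  '<' = '('; '>' = ')'
    '/' = '-';   '\' = '-';    "`t" = ' '
}

function Get-SafeName([string]$Name) {
    foreach ($ch in $map.Keys) {
        $Name = $Name.Replace([string]$ch, [string]$map[$ch])
    }
    $Name
}

# Target paths already claimed in this run, so a preview also catches two source
# names that collapse to the same result (hashtable keys are case-insensitive).
$planned = @{}

# Deepest paths first: children are renamed before their parent folder, so a
# queued child path is never invalidated by a folder rename.
Get-ChildItem -LiteralPath $Root -Recurse |
    Sort-Object { $_.FullName.Length } -Descending |
    ForEach-Object {
        $safe = Get-SafeName $_.Name
        if ($safe -eq $_.Name) { return }   # nothing to change for this item

        $parent = [System.IO.Path]::GetDirectoryName($_.FullName)
        $base   = [System.IO.Path]::GetFileNameWithoutExtension($safe)
        $ext    = [System.IO.Path]::GetExtension($safe)

        # Never overwrite an existing sibling: append _1, _2, ... until the name is free.
        $candidate = $safe
        $n = 1
        while ((Test-Path -LiteralPath (Join-Path $parent $candidate)) -or
               $planned.ContainsKey((Join-Path $parent $candidate))) {
            $candidate = '{0}_{1}{2}' -f $base, $n, $ext
            $n++
        }
        $planned[(Join-Path $parent $candidate)] = $true

        Rename-Item -LiteralPath $_.FullName -NewName $candidate -WhatIf:(-not $Apply)

        # Emit a record of each rename so the mapping can be kept with the migration log.
        [pscustomobject]@{ Old = $_.FullName; New = (Join-Path $parent $candidate) }
    }
```

Run it once without `-Apply` and review the Old/New pairs before renaming anything.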


Pingar – Discover new value from unstructured data

By peter.stilgoe









This looks a very interesting tool & very useful in creating and maintaining your company's taxonomy.

“At PINGAR we have been building semantic search applications for business enterprises since 2007.

Consider the facts. The volume of data companies need to manage is growing 40 percent a year. Fifty percent of data searches are unsuccessful — employees may lose up to 25 percent of their productive time searching for information. And the cost to enterprises from failed searches is approximately USD $5.3 million per year, for every 1000 enterprise workers employed.

PINGAR’s research teams had three objectives:

•Deliver applications to assist enterprise workers to find more relevant data, faster
•Improve employees’ search experience
•Improve enterprise productivity and drive down costs.

These objectives were achieved with PINGAR’s Microsoft SharePoint 2007 and 2010, and Apache SOLR semantic search applications. Each can be purchased as an easy to install ‘plug-in’ server application, for distribution across enterprise networks.”

Find out more Pingar.com


K2 Blackpoint In one way trust environment – process not showing as running in K2 Process Portal

By peter.stilgoe









Configuring K2 Blackpoint in a one way trust as per previous post. Deployed a new process & then triggered it by creating a new document. The process started & I could click on it & see it as ‘In progress’.

When I went to the K2 Process Portal the ‘Processes’ webpart showed the process as deployed with all the relevant data. However the process never displayed in the K2 Worklist webparts nor did it show as ‘Running’ in the K2 Instance Summary Webpart.

This is because the account that you are using to run your Sharepoint web application needs ‘Admin’ & ‘Impersonate’ rights on the K2 server.


Sharepoint 2010: 2 service application databases with the same name showing in Central Admin –> Manage Databases Upgrade Status

By peter.stilgoe









I had a strange problem where if I went into:

Central Admin –> Manage Databases Upgrade Status

in Sharepoint 2010 I had 2 Business Data Connectivity Service databases with the same name! The status of the one in use was ‘No action required’ & the rogue one had ‘Database is too old and upgrade is required’

There was only one database showing on the SQL server, the one in use. If you find you get 2 service application databases with the same name (somehow!?), the command to delete the rogue one is:

Stsadm -o deleteconfigurationobject -id b9b3e713-9e53-42ab-a634-a2c54e90a0d6

(replace the guid with the rogue database guid)


The K2 Setup Manager requires the logged on user to have domain user privileges to proceed

By peter.stilgoe









Installing K2 Blackpoint / Blackpearl in a one way trust environment you need to run the K2 server service account & application pool using an account from the ‘trusted’ domain. It is also recommended that you install K2 components using this account:

Note: It is recommended to install all K2 components using the K2 Service Account. Log on to the server as the K2 Service Account before installing.

However if you try you will get the following error:

“The K2 Setup Manager requires the logged on user to have domain user privileges to proceed”

As you are in a one way trust environment you can't easily give the required permissions (if at all), so the workaround is –

“If you have a scenario where you have multiple domains, you can disable the Installer’s domain check.
1. Please browse to the directory where you are executing the installation files from.
2. Look for a configuration file called product.config. This file will reside in the installer directory.
3. Please edit the file and change the Domainusercheck from true to false as shown below.
4. Save the file and execute the setup.exe again.

setting key="domainusercheck" value="false"”

source: K2underground


How to restart the Sharepoint Timer Service (SPtimer)

By peter.stilgoe









SharePoint 2010: net stop SPTimerV4 / net start SPTimerV4

SharePoint 2007: net stop SPTimerV3 / net start SPTimerV3

SharePoint 2003: net stop SPTimer / net start SPTimer


K2 Blackpoint Blackpearl not showing in Sharepoint Central Administration

By peter.stilgoe









If you are installing K2 Blackpoint / K2 Blackpearl in a distributed Sharepoint environment, you may install K2 for Sharepoint on your web front ends and find the K2 section still doesn't appear in Sharepoint Central Administration.

This is probably because you are hosting your central admin web app on a different server, i.e. an application server. If this is the case you need to install K2 on the server hosting your central admin as well as on your Sharepoint Web Front End servers.


Sharepoint 2010 CQWP: Make the CQWP portable by using tokens to point to the current site instead of static URL

By peter.stilgoe









To target the CQWP to the current site, export the CQWP, edit it & replace the WebUrl property with the line below:

<property name="WebUrl" type="string">~Site</property>

To target the CQWP to the Site Collection it's currently located on:

<property name="WebUrl" type="string">~sitecollection</property>


Sharepoint CQWP: XSL to link document icon to document and open in edit mode

By peter.stilgoe









The XSL code below will display the document icon, link it to the specific document & open it in edit mode in your content query webpart:

<a href="{$SafeLinkUrl}" title="{@LinkToolTip}">
    <xsl:if test="$ItemsHaveStreams = 'True'">
        <xsl:attribute name="onclick">
            <xsl:value-of select="@OnClickForWebRendering"/>
        </xsl:attribute>
    </xsl:if>
    <xsl:if test="$ItemsHaveStreams != 'True' and @OpenInNewWindow = 'True'">
        <xsl:attribute name="onclick">
            <xsl:value-of disable-output-escaping="yes" select="$OnClickTargetAttribute"/>
        </xsl:attribute>
    </xsl:if>
    <img class="image" src="{@DocumentIconImageUrl}" title="" />
</a>





Sharepoint CQWP How to format date from mm/dd/yyyy to UK dd/mm/yyyy

By peter.stilgoe









To format your Sharepoint content query webpart to UK date format do the following:

In your ItemStyle.xsl add the following line to your declarations:

xmlns:ddwrt="http://schemas.microsoft.com/WebParts/v2/DataView/runtime"

Then use the following line to display & format your date field in UK date format:

<xsl:value-of disable-output-escaping="no" select="ddwrt:FormatDate(string(@Modified), 2057, 5)" />

@Modified is your date field that you want to format





Sharepoint 2010 One Way Trust users on the trusted domain do not return any search results

By peter.stilgoe









If you have your Sharepoint 2010 Farm set up in one domain & your users are in a separate domain using a one way trust, when they perform a search they will not get any search results. This is because the account running the app pool for the search query service is a domain account on the trusting domain.

This account has no rights on the domain where the users sit to determine how the search results should be security trimmed etc. My initial thought was we need to run the search query app pool account using an account on the same domain as the users which does / will work.

However a better way is to run the following powershell command:

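$searchapp = Get-SPEnterpriseSearchServiceApplication   # assumes one search service application in the farm
$searchapp.SetProperty("ForceClaimACLs",1)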

Now run a ‘Full Crawl’ and your users should get search results as expected over the one way trust.

You can display your Search App details with the following command:

Get-SPEnterpriseSearchServiceApplication

Note: After performing the above, search alerts will be broken. If you do need search alerts you can try running your search app pool with an account from the user domain.





How to delete & create Sharepoint 2010 managed accounts using Powershell

By peter.stilgoe









To list your managed accounts use:

get-spmanagedaccount | ft username

(| ft username) returns the full text of the username

Then to delete the account use:

Remove-SPManagedAccount

press enter & enter the name of the managed account to delete

New-SPManagedAccount

create a new managed account

Set-SPManagedAccount

set new password expiration & notification settings on a managed account





Sharepoint Workflow Task Error: This task is currently locked by a running workflow and cannot be edited

By peter.stilgoe









Error in Event Log on Sharepoint Server: This task is currently locked by a running workflow and cannot be edited

When a workflow processes a task normally, the following sequence of events is expected to occur:

1. The process begins.

2. The workflow places a ‘lock’ on the task so nothing else can change the values while the workflow is processing.

3. The workflow processes the task.

4. The lock is released when the task processing is finished.

The error occurs because the lock never gets released, which usually occurs between steps 2 – 4. You can read more from this forum post.

http://connect.nintex.com/forums/thread/6503.aspx

Anyway I was getting this problem in a K2 Blackpoint / Blackpearl workflow which was preventing my workflow from moving to the next step. I resolved it by creating a new task list & pointing my K2 process to the new task list, no locking errors & the workflow runs fine now.

You may get similar errors with any workflow product ie. Nintex, Sharepoint Designer Workflow, C# Workflow etc, anything that uses the Sharepoint Workflow Engine & Sharepoint Task Lists.





Sharepoint – How to setup a one way trust & required ports

By peter.stilgoe









1. Open Command Prompt.
2. Type: netdom trust TrustingDomainName /d:TrustedDomainName /add

TrustingDomainName – Specifies the DNS name (or NetBIOS name) of the trusting domain in the trust being created.

TrustedDomainName – Specifies the DNS name (or NetBIOS name) of the domain that will be trusted in the trust being created.

• To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups [http://technet2.microsoft.com/WindowsServer/en/library/f6e01e51-14ea-48f4-97fc-5288a9a4a9b11033.mspx], Default groups [http://technet2.microsoft.com/WindowsServer/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx], and Using Run as [http://technet2.microsoft.com/WindowsServer/en/library/8782f8ab-9538-4111-8a68-7bfd130c21c01033.mspx].
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This command-line method requires the Netdom Windows support tool. For information about installing Windows support tools, see Related Topics.
• Other switches can be used to assign a password or determine the direction of the trust. For example, to make a two-way, transitive trust, you can use the following syntax:
netdom trust TrustingDomainName /d:TrustedDomainName /add /twoway
• To view the complete syntax for this command, at a command prompt, type:
netdom trust | more

One Way trust validation

Inbound
————–

LDAP 389 UDP and TCP
MS DS 445 TCP
DCE Endpoint resolution – portmapper 135 TCP
Netlogon fixed port

Using object / people picker

Outgoing
—————
LDAP 389 UDP and TCP
LSA fixed port
Kerberos 88 UDP
DCE endpoint 135 TCP

Netlogon to external forest with NTLM

Outgoing
————

DCE endpoint 135 TCP
netlogon fixed port



