Kerberos constrained delegation (KCD)

Posted by andre | Posted in Kerberos, SharePoint 2010 | Posted on 16-06-2014


Last week I found myself struggling with some Kerberos delegations. I read everything there was to read about it online and got most of the information from other blogs. But none of them could really tell me everything I needed, so here is yet another blog post about KCD.
The objective: use Excel Services to publish user-personalized data stored on a SQL Server outside the SharePoint farm.

I started by checking that all the necessary objects were configured correctly:

A DNS Host (A) record for the web application

The appropriate service accounts

- Web application's IIS application pool
- Excel Services' IIS application pool
- Claims to Windows Token Service (C2WTS)
- SQL Server for SharePoint
- SQL Server for the data source

Service Principal Names (SPNs) for the accounts

The SharePoint web application service account
- HTTP/<DNS host name>

SQL Servers (for both servers you enter 4 SPNs; depending on how the application connects it will use one of them, so better safe than sorry)
- MSSQLSvc/<DNS host name>
- MSSQLSvc/<DNS host name>:<port>
- MSSQLSvc/<DNS FQDN>
- MSSQLSvc/<DNS FQDN>:<port>

The Excel Services service account and the Claims to Windows Token Service service account

For both the Excel Services and C2WTS accounts it doesn't matter what you enter as the SPN; you just need to enter something in order to make the Delegation tab appear in AD DS. It does, however, need to be unique throughout the domain: a duplicate SPN breaks Kerberos for both accounts that carry it, because the KDC can no longer tell which account the ticket should be encrypted for. "setspn -X" lists duplicates.

Add delegations for the services

The accounts you use for C2WTS and Excel Services need to be configured for constrained delegation with protocol transition and need permission to delegate to the services they have to communicate with. To configure delegation you can use the Active Directory Users and Computers snap-in.

A word of caution: with protocol transition ("Use any authentication protocol") the account can obtain a service ticket to the listed services on behalf of any user, without that user ever presenting a Kerberos ticket, so keep the list of target services as short as the scenario requires. Accounts marked "Account is sensitive and cannot be delegated" are excluded from this by design.

Right-click each service account and open the properties dialog. In the dialog click the Delegation tab:

  • Select "Trust this user for delegation to specified services only"
  • Select "Use any authentication protocol"
  • Click the Add button to select the service principal you are allowed to delegate to
  • Click "Users or Computers"
  • Select the service account running the service you wish to delegate to. In this example it is the service account for the SQL service
  • Click OK. On the following screen you are asked to select the SPNs you would like to delegate to
  • Select the services (or click "Select all") for the SQL server and click OK
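The same checklist and delegation settings as a script, added here as an example (it is not from the original post). It uses the ActiveDirectory module instead of the ADUC dialog; the account names, host names and port are assumptions to replace with your own. The final block is the check a practitioner wants after clicking through the dialog: no duplicate SPNs in the forest, and the delegation attributes on the two accounts are what you expect.

```powershell
# Added example, not from the original post. Account, host and port values are assumptions.
Import-Module ActiveDirectory

$sqlHost = 'SQLDATA01'                # assumed data-source SQL Server host name
$sqlFqdn = 'sqldata01.corp.example'   # assumed FQDN of that host
$sqlPort = 1433
$sqlAcct = 'svc_sql_data'             # assumed SQL Server service account
$webHost = 'intranet'                 # assumed host header of the web application
$webFqdn = 'intranet.corp.example'
$webAcct = 'svc_sp_web'               # assumed web application pool account
$delegating = @{                      # accounts that delegate => their placeholder SPN
    'svc_sp_c2wts' = 'SP/c2wts'       # any unique string; only needed to expose the Delegation tab
    'svc_sp_excel' = 'SP/excel'
}

# 1. The four MSSQLSvc SPNs for the data-source SQL Server and the HTTP SPN for the web app.
$sqlSpns = @("MSSQLSvc/$sqlHost", "MSSQLSvc/${sqlHost}:$sqlPort",
             "MSSQLSvc/$sqlFqdn", "MSSQLSvc/${sqlFqdn}:$sqlPort")
Set-ADUser -Identity $sqlAcct -ServicePrincipalNames @{Add = $sqlSpns}
Set-ADUser -Identity $webAcct -ServicePrincipalNames @{Add = @("HTTP/$webHost", "HTTP/$webFqdn")}

# 2. Placeholder SPNs for C2WTS and Excel Services, then the delegation itself.
#    msDS-AllowedToDelegateTo holds the target SPN strings ("delegate to specified services only");
#    TrustedToAuthForDelegation is protocol transition ("Use any authentication protocol").
foreach ($acct in $delegating.Keys) {
    Set-ADUser -Identity $acct -ServicePrincipalNames @{Add = $delegating[$acct]}
    Set-ADUser -Identity $acct -Replace @{'msDS-AllowedToDelegateTo' = $sqlSpns}
    Set-ADAccountControl -Identity $acct -TrustedToAuthForDelegation $true
}

# 3. Checks: duplicate SPNs anywhere in the forest, and the resulting delegation settings.
& setspn.exe -X -F
foreach ($acct in $delegating.Keys) {
    Get-ADUser -Identity $acct -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
        Select-Object Name, TrustedToAuthForDelegation,
            @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}
```

Because msDS-AllowedToDelegateTo stores the target SPNs as plain strings, step 2 uses -Replace rather than -Add: rerunning the script after you change an SQL SPN rewrites the list, which is exactly the "reset the delegations" step from the lessons learned below.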



Log on to the server and add permissions for the C2WTS service account both in Windows and SharePoint, configure Excel Services and create a new web application.

  • Add the service account to the local Administrators group.
  • In the local security policy (secpol.msc), under User Rights Assignment, grant the service account the following rights:
    - Act as part of the operating system
    - Impersonate a client after authentication
    - Log on as a service

Open Central Administration

  • Under Security → Configure Managed Accounts, register the C2WTS service account as a managed account
  • Under Security → Configure Service Accounts, select the Claims to Windows Token Service and change its identity to the new managed account
  • Under System Settings, select Manage services on server
  • In the server selection box in the upper right corner select the server(s) running Excel Services
  • Find the Claims to Windows Token Service and start it

Configure a new Excel Services service application and application proxy so that web applications can consume Excel Services

  • Select Manage Service Applications under Application Management
  • Select New, and then click Excel Services Application
  • Configure the new service application. Be sure to select the correct service account (create a new managed account if the Excel Services account is not in the list)

Configure a new web application

  • Navigate to Manage Web Applications in the Application Management section
  • Select New and create your web application. Ensure that the following is configured:
    - Select Classic Mode Authentication
    - Configure the port and host header for the web application
    - Select Negotiate (Kerberos) as the Authentication Provider
    - Under Application Pool, select Create new application pool and select the right managed account


In IIS, Windows Authentication via Kerberos needs to be enabled.

  • In Internet Information Services (IIS) Manager, locate the web application under 'Sites'
  • Select the web application and in the middle pane, under the heading 'IIS', locate 'Authentication'
  • Select the 'Authentication' icon and in the right 'Actions' pane click 'Open Feature'
  • In the Authentication dialog, select Windows Authentication (usually at the bottom)
  • Click 'Providers' in the right 'Actions' pane
  • Verify that 'Negotiate' and 'NTLM' are the only ones listed and that they are listed in that order, 'Negotiate' at the top
  • Click Cancel and then, again in the right 'Actions' pane, click 'Advanced Settings'
  • Verify in the 'Advanced Settings' dialog that 'Extended Protection' is 'Off' and that 'Enable Kernel-mode authentication' is unchecked
  • Click Cancel
  • Exit Internet Information Services Manager

Two caveats on that last dialog. Kernel-mode authentication must be off because the kernel decrypts tickets with the machine account's key, while the SPN here is registered on the application pool's domain account. Extended Protection is a hardening (channel binding of the authentication to the TLS session, which blocks relaying the client's authentication to another server); it is switched off here because this delegation scenario requires it, so be aware you are giving up that protection on this site.
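The IIS checks above as an audit function, added here as an example (not from the original post). It reads the site's Windows Authentication settings with the WebAdministration module and reports every deviation from the settings the steps require; the IIS site name is an assumption.

```powershell
# Added example, not from the original post. The site name is an assumption.
Import-Module WebAdministration

function Test-KerberosSiteConfig {
    param([Parameter(Mandatory)][string]$SiteName)

    $pspath  = 'MACHINE/WEBROOT/APPHOST'
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'

    # Get-WebConfigurationProperty returns a ConfigurationAttribute for some types and a
    # bare value for others; normalise to the value.
    function Get-Attr([string]$Filter, [string]$Name) {
        $v = Get-WebConfigurationProperty -PSPath $pspath -Location $SiteName -Filter $Filter -Name $Name
        if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
    }

    $enabled   = [bool](Get-Attr $winAuth 'enabled')
    $kernel    = [bool](Get-Attr $winAuth 'useKernelMode')
    $tokenChk  = [string](Get-Attr "$winAuth/extendedProtection" 'tokenChecking')   # None = Off
    $providers = @(Get-WebConfiguration -PSPath $pspath -Location $SiteName -Filter "$winAuth/providers/add" |
                   ForEach-Object { $_.value })

    $findings = @()
    if (-not $enabled) { $findings += 'Windows Authentication is disabled' }
    if ($kernel)       { $findings += 'Kernel-mode authentication is enabled; must be off for an app pool running as a domain account' }
    if ($tokenChk -ne 'None') { $findings += "Extended Protection tokenChecking is '$tokenChk', expected 'None' (Off)" }
    if (($providers -join ',') -ne 'Negotiate,NTLM') {
        $findings += "Providers are '$($providers -join ',')', expected 'Negotiate,NTLM' in that order"
    }

    [pscustomobject]@{
        Site      = $SiteName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-KerberosSiteConfig -SiteName 'SharePoint - intranet80'   # assumed IIS site name
```

Run it on each web front end after the clicking is done; a non-empty Findings list tells you which of the settings above drifted.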


Test Browser Authentication

Check whether a Kerberos ticket is issued to the client after making the connection.

  • From a trusted client, open a web browser and go to the new web application
  • Check whether you received a service ticket for the web application's HTTP SPN with Fiddler, Netmon, klist, etc. If you only see NTLM in the Authorization header, the SPN or the IIS provider order is wrong

Test SQL Authentication

Upload an Excel file to the web application and see if the data can be refreshed from the SQL data source. In the SQL Server's Security event log a logon event for the delegated Kerberos logon should be created.

It should say that the Kerberos user's credentials were transited by the Excel Services service account.
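The two tests above as a script, added here as an example (not from the original post). The first function runs on the client and looks for the web application's service ticket in the klist output; the second runs on the SQL Server and pulls the delegated logons out of the Security log: logon events (4624) authenticated with Kerberos whose "Transited Services" field is populated are the ones that arrived via constrained delegation, and that field names the account that performed the protocol transition. The SPN and account names are assumptions, and reading the Security log requires that successful logon auditing is enabled and that you have rights to read it.

```powershell
# Added example, not from the original post. SPN and account names are assumptions.
$webSpn    = 'HTTP/intranet.corp.example'   # assumed SPN of the web application
$excelAcct = 'svc_sp_excel'                 # assumed Excel Services service account

# Client side: did the browser session obtain a Kerberos service ticket for the web app?
function Test-ClientTicket([string]$Spn) {
    $lines = & klist.exe                     # lists the cached tickets of the current logon session
    [bool]($lines | Where-Object { $_ -match [regex]::Escape($Spn) })
}

# SQL Server side: 4624 events that came in through Kerberos with a non-empty Transited Services
# field, i.e. logons performed on the user's behalf by a delegating service account.
function Get-DelegatedSqlLogons([int]$Hours = 1) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.AuthenticationPackageName -eq 'Kerberos' -and
                $data.TransitedServices -and $data.TransitedServices -ne '-') {
                [pscustomobject]@{
                    Time              = $_.TimeCreated
                    User              = "$($data.TargetDomainName)\$($data.TargetUserName)"
                    TransitedServices = $data.TransitedServices
                    SourceAddress     = $data.IpAddress
                }
            }
        }
}

# On the client:
if (Test-ClientTicket $webSpn) { "Kerberos ticket for $webSpn is present" }
else                           { "No ticket for $webSpn; the browser is most likely falling back to NTLM" }

# On the SQL Server, after refreshing the workbook:
Get-DelegatedSqlLogons -Hours 1 |
    Where-Object { $_.TransitedServices -match [regex]::Escape($excelAcct) } |
    Format-Table -AutoSize
```

The same query is useful outside testing: a delegated logon whose Transited Services names an account you did not configure for protocol transition is something to investigate, since that account can impersonate any non-sensitive user towards the services in its delegation list.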

Lessons learned

Changing an SPN

It happens: you entered a wrong SPN, or you simply found a typo. After you change the SPN you need to reset the delegations, otherwise they stay pointed at the old SPN. The delegation list on the account (msDS-AllowedToDelegateTo) stores the SPN strings themselves, not a reference to the target account, so nothing updates it for you.

Other delegations

In some scenarios it's necessary to delegate the web application's service account or the computer object to the data source. Different scenarios, different delegations.


Configuring Kerberos authentication: Core configuration
Identity delegation for Excel Services

SharePoint distributed cache issues

Posted by andre | Posted in Distributed Cache, Installation & Configuration, SharePoint 2013 | Posted on 07-06-2013


"Cache host info is null"
"FeedCacheService.GetPublishedFeed: Object reference not set to an instance of an object"
"The operation failed because the server could not access the distributed cache. Internal type name: Microsoft.Office.Server.Microfeed.MicrofeedException. Internal error code: 55"

Have you installed SharePoint 2013 and seen any of the above notifications? Well, good news: you are not the only one!

I've done numerous SharePoint installations for customers in the past months, and every multiple-server configuration came with the same errors and none of them showed anything in the newsfeed.

After reading all the blogs about it I contacted Microsoft and we came to the following conclusions:

Don't mix your distributed cache instance with your search services

Search can take up a lot of memory, especially the memory distributed cache would like to use. If those two get into a fight over the available memory, cache might lose and won't be able to store its data. A wrong entry can then end up in the database and corruption is what follows.

Don't fiddle with the AppFabric configuration

AppFabric is a Windows feature; distributed cache is a SharePoint cache layer built on top of AppFabric. Changing the AppFabric configuration, starting or stopping the service or changing the hosts in the cluster is not something a SharePoint admin should do. Adding or removing cache hosts should only be done with Remove-SPDistributedCacheServiceInstance and Add-SPDistributedCacheServiceInstance.

When all hope seems lost, start over!

After you've seen all the errors and reset all clusters and hosts, you'll probably still get the same error. Microsoft's recommendation: start over! Disconnect your servers from the farm and remove your databases.

How to configure

In a multiple-server configuration you always start by setting up your main application server. In a basic set-up this server will host Search, User Profile, etc. This is where the key to a successful configuration lies. After installing the SharePoint software and applying the March 2013 PU (KB2767999) you want to configure this host without registering it as a cache host. Use the following PowerShell command to do so:

    New-SPConfigurationDatabase -DatabaseName [name] -DatabaseServer [server] -AdministrationContentDatabaseName [name] -Passphrase [passphrase] -FarmCredentials [credentials] -SkipRegisterAsDistributedCacheHost

The parameter "SkipRegisterAsDistributedCacheHost" prevents the server from becoming a distributed cache host.

After you complete your application server you connect your web front-end servers. If you run the wizard, a server automatically becomes a distributed cache host. If you want to use dedicated cache hosts, pass the "SkipRegisterAsDistributedCacheHost" parameter to "Connect-SPConfigurationDatabase" on the servers that should not host the cache.

Configuring the User Profile Service

Now that your farm is ready you create a web application as your My Site host and you add a new User Profile Service service application.

Whether you use an existing application pool or create a new one, the account running that application pool needs "Full Control" connection permissions on the User Profile Service application.

Follow this blog to get this step done:

If all things are set correctly your newsfeed will now show the proper items!

On the servers configured as a cache host you can check the AppFabric configuration by running the following two commands in PowerShell:

    Use-CacheCluster
    Get-CacheHost

Getting the status of your SharePoint Distributed Cache hosts is done by running:

    Get-SPServiceInstance | where { $_.TypeName -like "*distributed*" }

The status of your DistributedCacheCluster is checked with:

    $SPFarm = Get-SPFarm
    $cacheClusterName = "SPDistributedCacheCluster_" + $SPFarm.Id.ToString()
    $cacheClusterManager = [Microsoft.SharePoint.DistributedCaching.Utilities.SPDistributedCacheClusterInfoManager]::Local
    $cacheClusterInfo = $cacheClusterManager.GetSPDistributedCacheClusterInfo($cacheClusterName)
    $cacheClusterInfo | fl *


Adding a cache host

If you want to add a SharePoint server as a cache host, you run nothing else than Add-SPDistributedCacheServiceInstance on that server.

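The dedicated-cache-host path from the steps above as one script, added here as an example (not from the original post): join the server without the wizard registering it as a cache host, add the Distributed Cache service instance explicitly, and then wait until SharePoint reports the instance Online before cross-checking what AppFabric sees. Database and server names are assumptions; run it elevated on the new server in the SharePoint Management Shell.

```powershell
# Added example, not from the original post. Database and server names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$dbServer   = 'SQLSP01'         # assumed farm SQL Server
$configDb   = 'SP2013_Config'   # assumed configuration database name
$passphrase = Read-Host 'Farm passphrase' -AsSecureString

# 1. Join the farm. -SkipRegisterAsDistributedCacheHost keeps the join from making this
#    server a cache host implicitly; we decide that in step 2.
Connect-SPConfigurationDatabase -DatabaseServer $dbServer -DatabaseName $configDb `
    -Passphrase $passphrase -SkipRegisterAsDistributedCacheHost
Install-SPHelpCollection -All
Initialize-SPResourceSecurity
Install-SPService
Install-SPFeature -AllExistingFeatures
Install-SPApplicationContent

# 2. Make this server a cache host. This cmdlet is the only supported way to add one;
#    the AppFabric cluster configuration itself stays untouched.
Add-SPDistributedCacheServiceInstance

# 3. The start is asynchronous: poll the service instance until it is Online.
function Wait-SPDistributedCacheOnline([int]$TimeoutSeconds = 300) {
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $inst = Get-SPServiceInstance -Server $env:COMPUTERNAME |
                Where-Object { $_.TypeName -like '*Distributed Cache*' }
        if ($inst -and $inst.Status -eq 'Online') { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    return $false
}
if (-not (Wait-SPDistributedCacheOnline)) {
    throw 'Distributed Cache service instance did not come online within the timeout'
}

# 4. Cross-check with AppFabric: every host in the cluster should show status Up.
Use-CacheCluster
Get-CacheHost | Format-Table HostName, PortNo, Status -AutoSize
```

If step 3 times out, do not start fixing it from the AppFabric side; remove the instance again with Remove-SPDistributedCacheServiceInstance and look at the ULS log for the reason.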

Las Vegas: SharePoint Conference 2012 Day 1

Posted by andre | Posted in SPC12 | Posted on 13-11-2012


The first day of the conference has passed and quite some information was given on all fronts! But like most mornings it started with breakfast. The morning meal was provided in a large hall where hundreds of people shared tables: a good start to swap stories.

With a filled stomach it was off to the large hall for the keynote. Assuming everybody was there, since it was the only session at that time, the hall was filled with about 10,000 people. The kickoff was an intro movie on SharePoint 2013 on a screen a dozen meters wide; with the loud music and the deep bass I did end up with a few goosebumps.

It started with some general information on SharePoint and where it's standing now; Jeff Teper followed with some of the features added in the 2013 edition. Search, tasks and of course social were mentioned here. After that there was a big thumbs up to the Yammer folks and their collaboration with the Microsoft team.

SharePoint and Yammer share a whole bunch of functionality in the new version. You can now show Yammer messages in your SharePoint feed and vice versa. Linking your SharePoint documents in your Yammer feed is no more than a few clicks, and you can simply view the document in Yammer by using Office Web Apps. After some notes on Office 365 and the performance upgrades in the new SharePoint version it was off to the breakout sessions.

I started with a session from Dan Holme on tips, tricks and scripts for the SharePoint 2013 installation. A few new features were highlighted: request management (http://www.harbar.net/articles/sp2013rm1.aspx), distributed cache (http://technet.microsoft.com/library/jj219700(office.15).aspx) and the increased requirements for the query components (http://technet.microsoft.com/en-us/library/jj219620.aspx). This was followed by the creation of the SQL answer file.

After the creation of the SQL answer file it was on to the SharePoint 2013 installation process, which was roughly the same as its predecessor's. After a few more tips and examples of scripts the session was concluded.
The final session of the day was about adopting SharePoint 2013 services in a 2010 farm. It was a really interesting session, although it raised more questions than it answered. This is definitely a subject that needs to be tested thoroughly.

Tomorrow is day 2 and I’m ready!


Windows 8 and Cisco VPN

Posted by andre | Posted in Uncategorized | Posted on 05-09-2012


I’ve installed the Windows 8 preview and tried the Cisco VPN client to set up a VPN to my workplace.

Just like with the early releases of Windows 7, the client fails with an error (shown as a screenshot in the original post).

To get this to work a change in the Windows registry is needed:

  • Open the registry by typing "regedit" in the Run prompt
  • Browse to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
  • Select DisplayName and choose Modify
  • Remove all characters leading up to "Cisco Systems VPN Adapter for 64-bit Windows"
  • When only "Cisco Systems VPN Adapter for 64-bit Windows" remains, close the window
  • Try to reconnect
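The registry fix above as a script, added here as an example (not from the original post). It runs elevated, only rewrites the value when the expected adapter name is present but preceded by other characters, refuses to touch anything it does not recognise, and prints the old value so the change can be undone.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\CVirtA'
$expected = 'Cisco Systems VPN Adapter for 64-bit Windows'

function Repair-CiscoVpnDisplayName {
    if (-not (Test-Path $key)) { throw "Key $key not found; is the Cisco VPN client installed?" }
    $current = (Get-ItemProperty -Path $key -Name DisplayName).DisplayName

    if ($current -eq $expected) {
        "DisplayName already correct: '$current'"
    }
    elseif ($current -like "*$expected*") {
        # Strip everything before the adapter name (the leading '@oem...;' style prefix).
        "Old value: '$current'"
        Set-ItemProperty -Path $key -Name DisplayName -Value $expected
        "New value: '$expected'"
    }
    else {
        throw "Unexpected DisplayName '$current'; leaving it unchanged"
    }
}

Repair-CiscoVpnDisplayName
```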



SharePoint 2010 themes

Posted by andre | Posted in SharePoint 2010 | Posted on 29-02-2012


Designing a site, or even customizing a site, in SharePoint is not something everyone is cut out for. For most changes you need to go into code or get busy in SharePoint Designer. With themes there is a little something everyone can do!

The easiest way to do this is with PowerPoint, where Office themes can easily be created and saved. A SharePoint 2010 theme is defined by 12 colors: 4 background colors, 6 accents and 2 hyperlink colors. I'll point out where each color applies on your site.

"Text/Background - Dark 1"

Applies to the site link in the ribbon and the navigation links in the quick launch menu.

"Text/Background - Light 1"

Applies to the background of your site and all the menus and pop-up screens.

"Text/Background - Dark 2"

Applies to the top bar and the headings in the quick launch menu.

"Text/Background - Light 2"

Applies to the background of the quick launch menu, the ribbon and the top link bar.

"Accent 1"

Applies to the Quick Launch and Site Actions hover color, the selected month in the calendar and the selected tab in the top link bar.

"Accent 3"

Applies to every second bar on the site features page.

"Accent 4"

Applies to the background of the buttons in the top link bar and the web part borders.

"Accent 6"

Applies to the selected calendar date and the hovering loading block.

Accent 2 and 5 don't apply to any physical content but only to markup styles: Accent 2 applies to Colored Heading 2, Accent 3 to the style "Caption", Accent 5 to Colored Heading 4 and Accent 6 to the style "Highlight".


Metadata Library View in SharePoint 2010

Posted by andre | Posted in Managed Metadata, Nintex Workflow, SharePoint 2010 | Posted on 28-02-2012


With SharePoint 2010, Managed Metadata was introduced as a new feature, but like all new features it has its limitations. One of the major limitations of using metadata in a library is that a metadata column filter cannot be applied to a term group but only to a single term, because a filter on a metadata column cannot use the "Begins With" or "Contains" operators.

Today I was working on a project for a customer who wants 12 different views on a single library to sort the related documents. The document types in this library have to be grouped into 12 categories and a view has to be made for each category.

With these limitations at hand I looked at copying the metadata text from the column to a hidden plain-text column. The column filter could then be applied to the "Single line of text" column. I made a Nintex workflow to copy the term to text, which all seemed to go okay.

After a few user tests it seemed that issues occurred when a document was checked in, because then no changes could be made to the file. So I adjusted the workflow to first check out the document, but those who had already checked out the document received an error, and after adding a "Condition" the workflow locked the file while it was waiting for the check-out status to change.

So after a few errors and conditions the workflow turned from a simple 'text-copy workflow' into a full-grown state machine.

What the Nintex workflow does is check whether the file is checked out; if not, the term is copied directly to text. If the document is checked out, the state machine starts and pauses for 1 minute. After every pause the document check repeats and it either waits again or moves to the 2nd state and copies the term to text.

This way a document is never locked by the Nintex workflow, the user or the system.



Thanks for reading.

Special thanks to Jim van Leeuwen.

European SharePoint Conference Day 2

Posted by andre | Posted in European SharePoint Conference | Posted on 19-10-2011


Day 2 started as planned with keynotes from Mirjam van Olst and Spencer Harbar. Their presentation on experiences from the field with SharePoint migrations was a pretty straightforward story. The session was split into work-related fields like management, development and IT pro. Although most of the information was already known, it was a good refresher and an eye opener on things that are usually forgotten in the process.

After a good opening we went for the session on Project and SharePoint. By using Project Server 2010 it becomes possible to view your project timelines and keep track of costs directly in SharePoint. SharePoint has the functionality to create an overview of all projects. All projects have their own project page where project-related information is shown, presented as a dashboard. Through SharePoint a graphical view of the timeline and information on the project is presented.
Right after the break we went for a session on SharePoint upgrades by Joel Oleson. The main decisions were discussed, like migrating, in-place upgrade, pre-upgrade considerations and experiences from the field.
After lunch I went to a BCS session by Andre Vala and Raul Ribeiro. They gave a nice demo of external lists with read and write functionality, and not just to a single source but using a SQL database and information stored in Azure at the same time.
Tom Zitter went to Bob Kreha's "Bridging the Gulf". Implementations of SharePoint are usually viewed and planned from a technical perspective, and sight is lost of the ultimate goal: collaboration throughout the organization. Before a collaboration platform can be used to the fullest it is necessary to have everybody on the same page. It is important that everyone knows what is coming and that everybody can accept errors and mistakes. At the start all users should be able to post their content on the ECM. Even non-work-related blogs or news items should be accepted at the start, and filtering should not be a bottleneck for an employee to make a post. All of this should be taken into account and documented in a considered governance design.
Then it was up to John Baldwin from EMC to update our knowledge on storage optimization, and he did! When SharePoint lacks performance, storage is the problem in most cases. So making sure that your storage is in optimal shape when you start using SharePoint is key. Think about how to configure your storage before you start installing SharePoint and SQL; don't just drop your installation on the disks, but think about where to put your content databases and how many should share a disk, LUN or volume.
Especially the provisioning of disk space, the minimal amount of IOPS per GB in a farm viewed from the user perspective and the planning of IOPS and GB kept me thinking.
Just like Mirjam van Olst in the morning presentation, John Baldwin mentioned it again: don't use RBS just because you want to or you think it's 'cool'. Make sure you have the right reasons!
After the storage session it was but a small step to Steffen Krause's session on SQL best practices. With the newly gained knowledge we jumped into SQL's need for storage allocation and performance. Making the wrong choices, or not choosing at all, could lead to a 30% to 50% loss of performance!
Just like John Baldwin, he gave best practices for RAID usage and NTFS block sizes, and multiple tools and settings like SQLIO.exe, quick formats, MAXDOP and autogrowth passed in review.
Day 2 was even better than day 1; let's hope that day 3 is better still! See you all tomorrow, and remember: "Never shrink your database!"
On a personal note, we went and explored some more of Berlin and literally tasted some culture!

European SharePoint Conference Day 1

Posted by andre | Posted in European SharePoint Conference | Posted on 18-10-2011


After a good night's sleep and almost an hour of traffic we arrived at the Estrel Hotel. We were ready to attend sessions the whole day and soak up information.

The opening session by Bjorn Olstad gave us a refreshing view on the meaning of SharePoint as a platform, and most delegates seemed to agree with it.
At 10:00 we kicked off with John Kleeman's session on "Measuring Social Learning in SharePoint with Assessments". His interactive presentation was a good start to the day, especially his view on learning and forgetting curves and the 70:20:10 framework by Charles Jennings.
After John it was up to Jan Tielens' session on Office 365. His perspective was based upon busting the IT pro myths. Topics like management, public sites, enterprise features, user profile synchronization, Exchange and Lync passed in review. Where most administrators or IT pros stay on premise because management, administration, off-premise storage and so on are out of their hands, light was shed on all topics and Jan tried to convince them otherwise.
Also the possibilities and limits of custom code, PowerShell and sandboxing were addressed.
The possibility to connect the Office 365 cloud with your own Active Directory for a full user import really lifted some weight off my shoulders. Not having to create every user again, but having each user log on with their own domain account in the cloud, is a great feature.
With all this together I think working in the cloud is 'a thing' for small and medium-sized companies. A full-size corporation would most likely still want to keep their data and applications on premise. I'm glad Jan Tielens mentioned that as well.
Before lunch I attended Rafal Lukawiecki's presentation on BI, or as he called it, PI.
He planned on putting 90 minutes of content into 45 minutes' time, so from start to end it was a rapid flow of information.
All methods of BI came to pass, from the most popular, Excel, to the yet-to-be-released Power View.
The PowerPivot review with his endless (over 100 million rows) Excel sheet gave an excellent view of the possibilities and performance. Even with those amounts of data his virtual machines had no trouble generating calculations and filtered views in a matter of a second.
The PivotViewer review got the crowd pretty worked up due to the awesome animations of the pictures he showed. For Centric that is an everyday thing of course. Wait till they see our 'Faceboek'!
Other ways to gather and filter data were based upon the Bing Maps data connector and the SQL Reporting Services Report Builder.
His graphical demos were a good example of the possibilities of these tools.
In the afternoon it was up to the best practices for SharePoint Enterprise Search by Agnes Molnar. The session was pretty straightforward, and the options and points of attention shown were basic information.
A few points on federated search are up for further research, but all the others were pretty much known information.
In the second-to-last session of day 1 I went for Peter Viellefont's session on templates. I expected some more on planning and structure for the basic business templates, but it turned out to be a sales pitch. So not much learned there.
Last but not least we attended Matthew Hughes' demo on "SharePoint branding from start to finish". His demonstration of changing the look and feel of a site with SharePoint Designer made it look easy enough! He gave a few ins and outs on how to change headers, footers, the ribbon, menus and logos by using a custom master page and a style sheet.
If he can do it in about 30 minutes, I could at least put in an hour or two of effort to give it a try myself!
Ending his session with the quote "I'm not an expert but I can do stuff" gave a nice touch to his demo.
Day 1 is done and 2 more are yet to come. See you tomorrow!

Berlin here we are

Posted by andre | Posted in European SharePoint Conference | Posted on 18-10-2011


After 7 hours of travel and a big bucket of KFC hot wings we arrived in the city of Berlin. On the east side of the city we checked in to the hotel and got ready to make the first blog post, and here we are!

In just a matter of hours the European SharePoint Conference 2011 will kick off its first session and we'll be there, waiting to check in and gather some new SharePoint intel. We'll most likely start our day with the best practices for SharePoint upgrades (after a good cup of coffee, of course), or maybe PowerPivot, followed by Jan Tielens' session on Office 365.

I'm off to a couple of hours of sleep. See you all in the morning!