Switching SP2010 from Classic Mode to Claims Mode Authentication

SharePoint Server 2013 uses claims-based authentication as its default authentication model, and it is required to enable its advanced functionality. Using claims-based authentication has the following advantages over using Windows classic-mode authentication:

  • Support for external SharePoint apps. App authentication and server-to-server authentication rely on claims-based authentication. With Windows classic-mode authentication you are unable to use external SharePoint apps. You also cannot use any services that rely on a trust relationship between SharePoint and other server platforms, such as Office Web Apps Server 2013, Exchange Server 2013, and Lync Server 2013.
  • Claims delegation without the “double-hop” limitation. SharePoint can delegate claims identities to back-end services, regardless of the sign-in method. For example, suppose your users are authenticated by NTLM authentication. NTLM has a well-known “double-hop” limitation, which means that a service such as SharePoint cannot impersonate the user to access other resources on behalf of the user, such as SQL Server databases or web services. When you use claims-mode authentication, SharePoint can use the claims-based identity token to access resources on behalf of the user.
  • Multiple authentication providers per web application. When you create a web application in claims-based authentication mode, you can associate multiple authentication providers with the web application. This means that, for example, you can support Windows-based sign-in and forms-based sign-in without creating additional IIS websites and extending your web application to additional zones.
  • Open standards. Claims-based authentication is based on open web standards and is supported by a broad range of platforms and services.

There are several supported scenarios for migrating or converting from classic-mode to claims-mode authentication, all performed with a number of Windows PowerShell cmdlets: you either switch your web apps on SP2010 before upgrading to SP2013, or you convert SharePoint Server 2010 classic-mode web applications to SharePoint Server 2013 claims-mode web applications after SP2013 is already installed.

Steps to switch your SP2010 web apps to claims based authentication:

1. Enable claims authentication for your web app.

2. Configure the policy to provide the user with full access.

3. Perform the migration.

4. Provision claims.

Once you are done with these changes, you may verify that you are using claims authentication for your web application:

GUI way. In Central Administration navigate to web application management, select your web application and click the Authentication Providers button:

[Screenshot: SP 2010 check web app authentication mode 01]

It will open a window where you can verify your default authentication mode:

[Screenshot: SP 2010 check web app authentication mode 02]

PowerShell way:

It will return True or False depending on whether you have claims authentication enabled or not (screenshot below shows the enabled state):

[Screenshot: SP 2010 check web app authentication mode 03]
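The four steps listed above together with the PowerShell verification, as one added example script (this is an editor's example, not the post's own snippet; the web application URL and the administrator account are placeholders you must replace):

```powershell
# Added example: convert a SharePoint 2010 classic-mode web application to
# claims mode following the four steps in the post, then verify the result.
# Placeholders (assumptions): your web application URL and the DOMAIN\user
# account that should keep Full Control after the migration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl    = "http://sp2010.contoso.local"   # placeholder
$AdminAccount = "CONTOSO\spfarmadmin"            # placeholder

$wa = Get-SPWebApplication $WebAppUrl
if ($wa.UseClaimsAuthentication) {
    Write-Host "Web application is already in claims mode, nothing to do."
    return
}

# Step 1: enable claims authentication on the web application.
$wa.UseClaimsAuthentication = $true
$wa.Update()

# Step 2: add a Full Control user policy for the claims-encoded account so that
# at least one administrator is guaranteed access once users are migrated.
$claim          = New-SPClaimsPrincipal -Identity $AdminAccount -IdentityType WindowsSamAccountName
$encodedAccount = $claim.ToEncodedString()

$wa           = Get-SPWebApplication $WebAppUrl      # re-read after Update()
$zonePolicies = $wa.ZonePolicies("Default")
$policy       = $zonePolicies.Add($encodedAccount, "Post-migration Full Control")
$fullControl  = $wa.PolicyRoles.GetSpecialRole("FullControl")
$policy.PolicyRoleBindings.Add($fullControl)
$wa.Update()

# Step 3: migrate existing classic (Windows) users to claims identities.
$wa.MigrateUsers($true)

# Step 4: provision the web application globally so that every server in the
# farm picks up the new authentication settings.
$wa.ProvisionGlobally()

# Verification ("PowerShell way"): True once claims authentication is enabled.
(Get-SPWebApplication $WebAppUrl).UseClaimsAuthentication
```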

In case you have K2 components installed you may need to perform the relevant configuration changes on the K2 side (see the Claims Authentication Configuration section at help.k2.com), which I will cover in a separate blog post.

In case you are in the mood for a deep dive into the what and why of claims authentication, you may read through the following articles:

Identity (Management) Crisis (Part 1): The evolution of identity concepts

Identity (Management) Crisis (Part 2): Everything you (think you) know is wrong

Identity (Management) Crisis (Part 3): Solving the Identity Problem

Identity (Management) Crisis (Part 4): Selecting a Comprehensive Identity Management solution

Claims Based Identity: What does it Mean to You? (Part 1)

Claims Based Identity: What does it Mean to You? (Part 2)

Claims Based Identity: What does it Mean to You? (Part 3)


Category specific RSS feeds added

I’ve just installed a WordPress plugin which allows the use of category-specific RSS feeds on this blog (this one). It means that if you are interested in new posts which appear here, but only on a specific topic, you may use a category-specific RSS feed as opposed to the general feed, which contains all sorts of posts on various topics. For example you may want to use the K2, Tech or Language Learning category feeds if you are interested in some specific topics only (which is most likely the case). I also placed the K2 category RSS feed link on the sidebar for convenience.


Preparing to revisit 70-689 exam again

It has been a while since I wrote my previous blog post in general, and quite a while since I wrote any blog post related to the MSFT 70-689 exam, so now it is high time to do this. :)

I spent last week attending SharePoint 2013 training (to be more specific, it was course 20332 Advanced Solutions of Microsoft® SharePoint® Server 2013), and you may be surprised why I still bother about Windows 8.1 instead of working towards SharePoint 2013 certifications. Well, SharePoint certifications as well as some related blog posts are on my to-do list, no worries. To be honest I don’t have that sort of neat to-do list, but rather loads of scattered notes and vague intentions and ideas, but I am working towards the points and targets floating in this fluid list :) On that list, apart from the Windows 8.1 exam, there are some K2 and SharePoint related blog posts as well as a re-take of K2 certifications and even more stuff…

Anyhow, I failed the 70-689 exam back in the spring (even twice – in April and June) and publicly announced that I will make it sooner or later, so now I’m announcing this again :) I recently finished listening to Rewire by Richard O’Connor, and according to a qualified professional’s opinion, making public announcements about your targets makes you stick to them better, as it makes your failure conspicuous and a bit more painful, so I’m going to use this technique here… In case anybody would interpret this behavior as a sort of compulsive idea to do something, I would say no to that, as I really made (though I am still working on this skill) good progress on giving up/leaving some projects and targets which I reconsidered as irrelevant to me either totally or at this point. If you want an example: I used to be a PhD Economics student, but dropped this in the middle after passing some exams and writing some early drafts of that big work you are supposed to write as a PhD student, but I’m perfectly OK with the fact that I removed this target from my to-do list (it also doesn’t prevent me from enjoying good Economics books, and I never regret investing my resources into that attempt).

Anyhow, I finally started reading “MCSA Microsoft Windows 8.1 Complete Study Guide: Exams 70-687, 70-688, and 70-689”, which I had only skimmed before attempting the 70-689 exam back in the spring, and I am going to schedule my exam as soon as I am done reading and am getting 100% with the MeasureUp practice test. And for those who can’t imagine a blog post without pictures:

[Image: Ready to revisit 70-689]

Revisiting the assessment test from the beginning of the aforementioned book – 30 out of 40, not the best result but… As you can see, at times it is possible to do your learning at a coffee shop with the help of napkins :) If you look at the picture really carefully you may read the funny answer B to question 33:

Q: Your computer’s application has stopped responding. What should you do?

One of the potential answers: “Start backing up like crazy”

I really appreciate the authors trying to inject some fun into dry materials, but I am a bit concerned about people selecting this as the right answer :)

P.S. For those who think this exam is too easy for experienced IT Pros, I would suggest not using dumps and also reading through the torrents of laments of experienced folks in the comments below this blog post – in short, people really find that recent Microsoft exams have too much out-of-scope stuff injected, are excessively broad for the primary technology/topic, require you to memorize a ton of trivia and to know the right answer prescribed by MSFT, and in general “it seems that somebody at the top at MSFT said let’s make exams harder” :) But really it’s not a problem for those who really want to pass this exam, right? 😉


K2 blackpearl Workspace security management

Sooner or later after you are done with your initial implementation of K2, the question of restricting access to K2 Workspace is brought up by somebody, and though your configuration options are not very flexible here, there is a way to do it (KB000291). The thing is that you should not rush into making changes in this area without reading the documentation first (don’t tell me that it is what you normally do all the time).

What quite often happens here is that as soon as the person charged with this task finds the “how” part of it, he/she rushes to configure it without reading into any details, like those mentioned in the “Other Considerations” section of KB000291. I believe that the “try first, read the manual later” mindset, which is very popular in IT, is somewhat difficult to resist, as it is largely instilled in you by technology itself (both hardware and software), which is and always was built with “fool-proof” design patterns in mind, trying to be forgiving and to allow for rollbacks and easy correction and handling of errors. Anyhow, people often configure something first, and then comes that moment of “now what/how do I fix this?”

When it comes to K2 blackpearl Workspace security management you should know beforehand the following about the way the tabs in Workspace function:
1. With a new installation, no one has explicit permissions, and Workspace functions in optimistic security mode, meaning everyone can see the tab.
2. As soon as a user has been assigned explicit permissions on a tab, it switches to pessimistic security mode, meaning that a user needs explicit rights to see the tab. If a user is not on the list, they will not be allowed to see it, and this is exactly what has happened when somebody suddenly cannot see a tab anymore.

So the typical error when customizing K2 Workspace security is granting rights only to one user (you should never leave your admin account without these rights), who may, for example, leave the company. What we can deem a “double mistake” here is granting these rights to only one user who in addition doesn’t have admin-level rights on the K2 server, thus leaving yourself with no opportunity for subsequent corrections via the normal GUI way.

In case you haven’t made the double mistake mentioned above, you can easily correct this situation. To fix this, you just need to log in as a user who has been granted permissions and then assign permissions to those that you want to grant access to (please grant those to your dedicated K2 admin account), using the Workspace Permissions option in the Security tab.

In case you are not sure which user has permissions, have a look at the ActionPermissions table in the K2 database:

Made an epic “double mistake”? I.e. granted rights to one user without server-level administrative rights in K2 and now not able to edit permissions, even though this user can access the required tabs? This means that you have reached the section of KB000291 entitled “Error Resolution”, which you were supposed to read before playing around with Workspace security settings. I quote this section:

If this happens, it will be necessary to manually modify the SQL databases to reset all Workspace permissions. It will then be necessary to specify all the permissions again. Please contact K2 Support prior to modifying any of the K2 databases or data stored in them.

So you have to reset your permissions to their defaults (no explicit permissions, optimistic security mode). It requires direct edits in your K2 DB, which is considered a thing to avoid whenever possible and should only be performed in case you know what you are doing and, more importantly, you know how to roll back your change if anything goes wrong. So you should only do it with full understanding of the risks involved.

It will suffice to issue the following SQL Server statement against your K2 DB:

But you never do this without taking a K2 DB backup first and reading the preceding couple of paragraphs, right? I really hope so.

Another frequently asked question around K2 Workspace permissions revolves around the fact that they are not fine-grained enough and not fully in line with the RBAC ideology/approach. To these questions there is no easy answer with the current implementation of K2 Workspace, but things should become way better with the complete overhaul of this part of K2 which is planned to be released at some point; the real particulars of this change and what we get with it are under NDA at this point.


What is “Syntax Error”?

I’m currently revisiting the Programming for Everybody (Getting Started with Python) course on Coursera by Charles Severance/University of Michigan and have an idea to join the “Python for Everybody Specialization” which became available recently. What is cool about this course is that Charles Severance (a.k.a. Dr. Chuck – www.dr-chuck.com) is really making an effort to make your introduction gentle and ensure that newbies have a comfortable start both with Python and with programming in general. This is something I really didn’t have when I studied related subjects at my alma mater, where my teacher’s style was “you know that F1 button, right?”

Anyhow, the early modules try to cover some basics, and I really like the way this course explains what you should think about the “syntax error” message you may get all too often when you are making first steps with any new language; here is a question from one of the quizzes:

[Screenshot: Python Syntax Error]

I’m not going to indicate the correct answer to you, I just highlighted the funniest option. :)


SQL Server: Giving user role membership on specific DB

Just a really quick note on how to manage RBAC in SQL Server without relying on the SQL Server Management GUI, as sometimes it is far quicker to execute a few lines, for example to create a DB and then grant db_owner role membership to, let’s say, your application service account so that your app can use the newly created DB. So the SQL code is the following:

NOTE: In real-world/production environments you should not be so generous with granting the db_owner role to each and every user, even to an app service account. See some explanations, for example, here: 5 Reasons Against Allowing db_owner Role Permissions.
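As an added example (editor's script, not the post's own SQL), the same task driven from PowerShell through Invoke-Sqlcmd, with the generous db_owner variant the post describes next to the least-privilege variant the NOTE argues for; the server instance, database name and service account are placeholders, and it assumes the SqlServer module and a sysadmin Windows session:

```powershell
# Added example (not the post's own snippet): create a database and grant an
# application service account access to it from PowerShell instead of SSMS.
# Placeholders (assumptions): server instance, database name, service account.
Import-Module SqlServer -ErrorAction Stop    # supplies Invoke-Sqlcmd

$ServerInstance = "SQL01\INST1"              # placeholder
$DatabaseName   = "AppDb"                    # placeholder
$ServiceAccount = "CONTOSO\svc-app"          # placeholder Windows account
$LeastPrivilege = $true   # $false gives the db_owner variant the post describes

# Single-quoted here-strings: $(Name) is left for sqlcmd variable substitution
# (supplied through -Variable) and is not expanded by PowerShell.
$serverScript = @'
IF DB_ID(N'$(DbName)') IS NULL
    CREATE DATABASE [$(DbName)];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$(Account)')
    CREATE LOGIN [$(Account)] FROM WINDOWS;
'@

# Inside the new database: map the login to a user and add it to roles.
# db_owner is what the post grants; db_datareader + db_datawriter is what an
# application usually needs and cannot alter schema or security.
$dbOwnerScript = @'
IF DATABASE_PRINCIPAL_ID(N'$(Account)') IS NULL
    CREATE USER [$(Account)] FOR LOGIN [$(Account)];
ALTER ROLE db_owner ADD MEMBER [$(Account)];
'@

$leastPrivScript = @'
IF DATABASE_PRINCIPAL_ID(N'$(Account)') IS NULL
    CREATE USER [$(Account)] FOR LOGIN [$(Account)];
ALTER ROLE db_datareader ADD MEMBER [$(Account)];
ALTER ROLE db_datawriter ADD MEMBER [$(Account)];
'@

$vars = @("DbName=$DatabaseName", "Account=$ServiceAccount")

Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master `
              -Query $serverScript -Variable $vars

$roleScript = if ($LeastPrivilege) { $leastPrivScript } else { $dbOwnerScript }
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $DatabaseName `
              -Query $roleScript -Variable $vars

# Verify: list the database roles the service account now holds.
$verifyScript = @'
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$(Account)';
'@
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $DatabaseName `
              -Query $verifyScript -Variable $vars
```

ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later; on older versions use sp_addrolemember.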


Frequency principle for language learning

At the time when I started to learn English I remember some statements that to maintain a conversation in English on a decent level in most situations you need around 3500 words. I don’t remember the exact explanation for that, but the 3500 figure stuck in my head up to the present :) Anyway, even this relatively high number is a real source of consolation for students scared by an ocean of unknown words in a new language, as putting a limit on what you are going to need from that changes your POV from frustration and dismay (if you have that) to something like “it’s attainable/manageable.” It is especially important for language learners who for some reason are preoccupied by “how do I learn all that” more than anything else and consequently are not able to start working in small steps towards tangible results. Personally, I never was intimidated by vocabulary immensity, rather perceiving it as richness and space to explore.

Anyhow, now trying to learn French, I have a better idea of the importance of frequency in language acquisition, especially when you are aiming at rapid language acquisition. Recently I heard the more qualified opinion of Dmitry Petrov, who builds his entire language learning system around the frequency principle, and according to him the average native speaker in any language uses 50-60 verbs regularly, while the vast majority of other verbs are used only rarely (approximately in 10% of speech). And given the fact that the verb is a “language’s engine” or core around which you can build various structures, it is a good idea to familiarize yourself thoroughly with the most frequent verbs and other parts of speech in your target language.

Side note: I think that Dmitry, a person who supposedly can read in 50 languages and works professionally as an interpreter with 8 of them, is more than qualified to speak about how to learn a language efficiently.

Anyhow, now I have a bit clearer understanding of the importance of the frequency principle and will try to apply it in my language learning quest. This principle is not a revelation and maybe something we all know with our gut feeling, but sometimes an idea has to be spelled out to you to be appreciated fully. There are special frequency-based dictionaries out there, and some lists of words can be found on the internet. My French teacher recently shared with me some links to check out the most frequent words in French:

20 verbes les plus conjugués sur lefigaro.fr

Les 50 verbes les plus fréquents (à l’oral et à l’écrit)

100 most frequently used French words

Les 600 Mots Français Les Plus Usités

The last link is the most extensive list of all those mentioned, and it contains an interesting statement/factoid for those who like benchmarks or are anxious to have some frame of reference on how many words is enough: it mentions that magic 3500 figure and also says that “le vocabulaire de Guy De Maupassant a été évalué à une fourchette allant de 12 000 à 15 000 mots” (Guy de Maupassant’s vocabulary has been estimated at between 12,000 and 15,000 words) :)

So if you are aiming for full-blown sophisticated writing in your target language there are just 12 000 – 15 000 words to master… Almost nothing if you compare it with the number of entries in the unabridged edition of the OED, or with the impressive, rapidly growing corpus of special terms from science and technology, which no single person could usefully know in full.

Anyhow, for me the frequency principle is not something to guard me from the vastness and richness of vocabulary but rather an efficiency tool in language learning, something to focus on in the beginning. But less frequent words to me are not something to be ignored; they are rather a space of opportunities and a world to explore… Really, there should be treasures and loads of things to explore in that space.


Windows Server 2016 TP3

I recently found a tiny bit of time to build a VM with the latest version of Windows Server 2016 Technical Preview, which is TP3. Earlier builds were available under the name Windows Server 10 Technical Preview. For details on what’s new in this release you may refer here.

[Screenshot: Windows Server 2016 TP3]

So the install UI looks very familiar if you have ever installed Windows 10, and the very first window is something well familiar to all; nothing has been changed here. But the second one demonstrates a couple of major changes:

[Screenshot: Windows Server 2016 TP3 Install Options]

So the default installation option entitled Windows Server 2016 does not contain “Core” in its name, but this is actually what used to be known as the “Core” installation option. The second option – “Windows Server 2016 (Server with Desktop Experience)” – is our beloved full-fledged GUI version. And what is crucial here is that with Server 2016 this install type decision is not reversible without re-installation. So once again: unlike some previous releases of Windows Server, your choice of Server Core (which is the new normal/default) vs. Server with Desktop Experience at the time of installation is not convertible to the other mode. And as you can clearly see from the screenshot above, the “Minimal Server Interface” and “Server with a GUI” modes present in Windows Server 2012 R2 are not available in this release.

Server 2016 also includes a 3rd installation option which is not exposed in the Setup Wizard – Nano Server, which you install by configuring a VHD (details here).

To give you an idea of how the new installation options compare against each other, the following picture can be useful (source):

[Image: Windows Server 2016 Install Types]

And once installed with the GUI, your Server 2016 TP3 will look (no surprises here) very similar to Windows 10:

[Screenshot: Windows Server 2016 TP3 Installed]


Fixing “Cannot start Microsoft Outlook. Cannot open the Outlook window” error when starting Outlook 2013

Yesterday I wasted, er, spent a few enjoyable hours fixing my test environment. I have a VM which hosts almost the entire Microsoft technology stack within it (AD DS, SQL, Exchange) and of course K2 (it all works well together, you know :) ). So I spent some time arranging a tiny test case and was about to start checking the results when I ran into an issue starting Outlook 2013 with the following error message:

[Screenshot: Outlook error]

The problem with this error message is that it is a bit generic, and especially if you take only the first two or three sentences out of it you will be set on the wrong track, both by your knee-jerk reflex and by Google, realizing that this was the wrong direction somewhere in the middle of, or even after completing, all the client-side troubleshooting tricks (something from this list, which is quite cool for curing client-side Outlook quirks).

Somewhere in the midst of going through that list with no positive results, I finally realized that I probably needed to re-read the error message a bit more carefully. At this point I realized that Outlook in fact says that it has server-side problems, and the first 3 sentences are just a sort of incongruous introduction. LESSON: Read the error message till the end carefully, it really helps :)

So once I refocused my troubleshooting efforts on the second part of the error message I was able to solve the issue (not in 10 minutes, but anyway). Connectivity issues were not something to worry about on an “all in one” VM (AD DS, Exchange and Outlook are on the same box), so I started checking on the Exchange side. I visited EAC and quickly noticed that the single mailbox database available in my environment was offline:

[Screenshot: Exchange Database Dismounted]

So I quickly attempted to mount it back by issuing the following command in EMS (for history geeks reading this, EMS was first introduced in Exchange 2007):

For the aforementioned command you need to specify the database name only, which you can see in EAC (see screenshot above) or in the output of the following cmdlet:

Unfortunately I was not able to mount my mailbox database and got the following error: “MapiExceptionDatabaseError: Unable to mount database (StoreEc: 0x454)”:

[Screenshot: Mount Error]

In order to check the state of the mailbox database you will need to use the Exchange Server Database Utility – eseutil, issuing something similar to this in EMS:

The problem with that is that you need to know and explicitly specify the path to your database file in this case. You can get this path by issuing the following command in EMS (source):

Once I was done with that I was able to see that my mailbox DB had the state “Dirty Shutdown”, which normally indicates only that the database files were not detached from the log stream correctly (see details here):

[Screenshot: Dirty shutdown 2]

So knowing this, we want to bring our DB back to the “Clean Shutdown” state. This can be done by means of a hard repair using eseutil /p:

This operation will check the database for any damaged pages; if it finds any, it will delete them. Make sure that you can live without any data inside the database before doing a hard repair, because you may lose data. Once this operation is completed you can verify your DB state by issuing eseutil /mh once again; it should be “Clean Shutdown” now:

[Screenshot: Clean Shutdown]

But before trying to mount the mailbox database once again it is also necessary to move or delete all database logs (all the log files + 1 checkpoint file, E00.chk). Moving the logs is a part of the hard repair procedure, which was actually my scenario. Before doing this you may verify log file health with the following command:

In my case it was a test VM and I was ready to accept any data loss, focusing only on getting my environment back in an up-and-running state ASAP – so I just located and deleted all the logs even without checking their health first.

For production or real-world cases you should be very clear on the exact process and have a clear understanding of the differences between soft recovery and hard repair. Probably this article may be helpful for you: Exchange Database Recovery – Using eseutil commands.
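As an added example (an editor's script, not the commands from the original post), the checks described in this post chained into one EMS script: it reads the database and log paths, inspects the header with eseutil /mh, tries the non-destructive soft recovery first and runs the hard repair only when explicitly requested. The database name is a placeholder, and eseutil.exe is assumed to be on the path as it is in the Exchange Management Shell.

```powershell
# Added example (editor's script, not the post's own commands): inspect a
# mailbox database that refuses to mount, report its eseutil state, and only
# attempt the destructive hard repair when explicitly asked for.
# Run in the Exchange Management Shell. $DatabaseName is a placeholder.
param(
    [string]$DatabaseName = "Mailbox Database 1",   # placeholder
    [switch]$HardRepair                             # opt in to eseutil /p
)

$db = Get-MailboxDatabase -Identity $DatabaseName -Status
if ($db.Mounted) { Write-Host "$DatabaseName is already mounted."; return }

# Resolve the paths eseutil needs; the post notes you must supply them explicitly.
$edbPath   = $db.EdbFilePath.PathName
$logFolder = $db.LogFolderPath.PathName
$logPrefix = $db.LogFilePrefix                  # e.g. E00 -> E00.chk, E00*.log
Write-Host "EDB: $edbPath`nLogs: $logFolder (prefix $logPrefix)"

# eseutil /mh dumps the header; the State line tells clean vs dirty shutdown.
function Get-DatabaseState([string]$Path) {
    $header = & eseutil.exe /mh "$Path"
    $line = $header | Select-String -Pattern 'State:\s*(.+)$' | Select-Object -First 1
    if (-not $line) { throw "Could not read the database header of $Path" }
    return $line.Matches[0].Groups[1].Value.Trim()
}

$state = Get-DatabaseState $edbPath
Write-Host "Database state: $state"
if ($state -eq 'Clean Shutdown') { Mount-Database -Identity $DatabaseName; return }

# Dirty Shutdown: the log stream was not replayed into the database. Check the
# logs, then try soft recovery (replays them, no data loss) before anything else.
& eseutil.exe /ml (Join-Path $logFolder $logPrefix)
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Log files are damaged or missing; soft recovery will likely fail."
}
& eseutil.exe /r $logPrefix /l "$logFolder" /d (Split-Path $edbPath -Parent)

if ((Get-DatabaseState $edbPath) -eq 'Clean Shutdown') {
    Write-Host "Soft recovery succeeded."
    Mount-Database -Identity $DatabaseName
    return
}

if (-not $HardRepair) {
    Write-Warning "Still dirty. Re-run with -HardRepair only if you accept data loss (eseutil /p)."
    return
}

# Hard repair drops damaged pages; keep a file copy of the EDB first.
Copy-Item -Path $edbPath -Destination "$edbPath.before-p" -ErrorAction Stop
& eseutil.exe /p "$edbPath"

# After /p the old log stream no longer matches the database, so move the logs
# and checkpoint file aside (the post deletes them; moving keeps a way back).
$aside = Join-Path $logFolder "logs-before-repair"
New-Item -ItemType Directory -Path $aside -Force | Out-Null
Get-ChildItem -Path $logFolder -Filter "$logPrefix*" -File | Move-Item -Destination $aside

if ((Get-DatabaseState $edbPath) -eq 'Clean Shutdown') { Mount-Database -Identity $DatabaseName }
```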

Anyhow, it was interesting to fix it without reverting to a snapshot or employing any other methods from the cargo cult system administration toolbox (apart from restore from snapshot it may also include such things as triple-reset and extra coffee breaks :) ). Though I should admit my troubleshooting approach in this particular case had a tiny touch of cargo-cult sysadmin culture.


How to enter BIOS on Thinkpad W540

Just a note which I am mainly jotting down for myself on how to enter BIOS on a ThinkPad W540 and some stuff around this topic. So the first thing you need to know in case you need to enter the BIOS on a Lenovo ThinkPad W540 is the hotkey for this – F1. But in case you know it, but can’t do it anyway, then it is time to learn yet another thing here :)

Because you are running a modern operating system (I mean Windows 8.1 or 10, just in case ; ) whenever you perform a shutdown operation, what actually happens each time is that you are using Hybrid Shutdown, which is what allows you to do a Fast Boot. Boot times in Windows 8 and newer are really faster than in any previous OS version thanks to these optimizations, even without an SSD.

Each time you select the Shut down command from the Windows 8 (8.1/10) Power menu, the first thing which happens (by default) is that the user session shuts down just like in a regular shutdown operation. But next, instead of closing the kernel session, Windows hibernates the kernel session. Then the hardware session shuts down normally, and this allows really faster shutdown times.

The next thing to know about is the Fast Boot technology (related MSDN blog post): when you turn on the computer, first of all the system’s firmware boots up and gets the basic computer hardware ready for the operating system. On a modern Windows 8 or newer computer, the setup of the hardware session is a much quicker operation than on older systems, as the UEFI system is more efficient than the BIOS system. To complete the hardware session, the OS enumerates all available hardware and loads the appropriate drivers, thus ensuring that a solid hardware session is available.

As soon as the hardware session is ready, the operating system begins its resume operation. Since the resume operation consists only of restoring the kernel session, rather than restoring both the kernel session and the user session, the resume operation can occur much quicker. Additionally, the resume operation gets a boost from the fact that the operating system is now designed to take advantage of multiple CPU cores when it comes to processing the hibernation data file (the old resume process only used one), and the use of an SSD gives you an even more responsive resume operation.

With all that knowledge you may now understand that with this super quick startup you are just unable to enter your BIOS, as you actually do not perform any real shutdown, contrary to what the Windows 8 GUI makes you think. To enter BIOS you need to perform a true cold boot, and consequently need to do a real shutdown first. And the way you do it in Windows 8 is by holding the Shift key on your keyboard and clicking on the Shut down option with your mouse in the Windows GUI:

[Screenshot: Win 8 Shutdown]

Afterwards you will be able to enter BIOS by pressing F1 after you switch on your W540 with the power button.

Alternatively, the Restart option also gives you a full reboot of the system and thus a fresh kernel session. And of course you can do it the old-school way using the CLI:
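As an added example (editor's script, not the command from the original post): a PowerShell function that reports whether Fast Startup is actually active by reading the HiberbootEnabled and HibernateEnabled registry values, plus a wrapper around shutdown.exe for a genuine full shutdown or restart. It assumes Windows 8.1/10 and an elevated session for the shutdown call.

```powershell
# Added example (not the post's command): check whether Fast Startup (hybrid
# shutdown) is in effect and perform a genuine full shutdown or restart, so
# that pressing F1 at power-on reaches the firmware setup.
function Get-FastStartupStatus {
    # HiberbootEnabled = 1 turns fast startup on, but it only takes effect when
    # hibernation itself is available (HibernateEnabled = 1, hiberfil.sys present).
    $powerKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $sessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

    $hibernate = (Get-ItemProperty -Path $powerKey   -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    $hiberboot = (Get-ItemProperty -Path $sessionKey -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled

    [pscustomobject]@{
        HibernateEnabled  = ($hibernate -eq 1)
        HiberbootEnabled  = ($hiberboot -eq 1)
        # Only when both are on does "Shut down" hibernate the kernel session.
        FastStartupActive = ($hibernate -eq 1 -and $hiberboot -eq 1)
    }
}

function Invoke-FullShutdown {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Restart)
    # shutdown /s without the /hybrid switch closes the kernel session (a true
    # shutdown), which is what Shift+Click on "Shut down" does in the GUI.
    # /r always produces a fresh kernel session as well.
    $mode = if ($Restart) { '/r' } else { '/s' }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "shutdown.exe $mode /t 0")) {
        & shutdown.exe $mode /t 0
    }
}

Get-FastStartupStatus
# Invoke-FullShutdown -WhatIf      # shows the command without running it
# Invoke-FullShutdown              # full shutdown; power on and press F1 for BIOS
```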

The thing is, when preparing for the Windows 8.1 certification I had difficulty wrapping my head around that mock question which asked something about Windows shutdown, and one of the proper/correct responses was to hold Shift and click on the Shut down option. Now, after doing a bit of reading, I’m crystal clear on why it is so :) Yet another question you may see in the Windows 8/8.1 certification exam has transitioned to the category of obvious things for me. :)