Friday, March 18, 2011

Getting Access Denied, even when you are a Site Collection Administrator

Here’s a solution I found to a weird issue I recently encountered. It was for a SharePoint 2007 site that had been upgraded to 2010 while also moved to a new domain. For some reason, a few of the user accounts were not getting authenticated properly. They would get the “Access Denied” page. This happened even if the person was set up as a Site Collection Administrator.

I found that this problem disappeared if I ran the following command:

stsadm -o migrateuser -oldlogin olddomain\username -newlogin newdomain\username -ignoresidhistory

This command would return an error “Value cannot be null. Parameter Name: UserProfileApplicationProxy”. Regardless, the account could then log into the site.

Why? Don’t know.

Monday, March 07, 2011

How to make 100 friends in SharePoint

Do you have SharePoint installed on a development or test environment somewhere? Does it have its own Active Directory installation? So, how do you explore all the wonderful features of the SharePoint User Profile service? You know, like the Silverlight organisation chart, or Audiences, or Colleagues, or…

Well, not to fear, after much procrastination, I’m finally able to provide a solution to your problem. I’ve made up names, job titles and managers for 100 people. Any similarity to real people is purely coincidental. Not only that, but I’ve created a PowerShell script to create these accounts in Active Directory.

This means your User Profiles in your virtual environment can go from a bland handful of test accounts, to a dazzling collection of fictitious employees in different departments, physical offices and job titles. Just imagine the Audiences you can create!

Feel free to edit the CSV file (using Excel) to modify personal details and add more people. You can even add additional user properties, but you will also need to make some changes to the PowerShell script to get these into Active Directory, not hard if you are familiar with PowerShell.


I’ve tested the PowerShell script on a Windows 2008 R2 domain; however, I executed it from a Windows 7 desktop. The script does not require Microsoft Exchange or third-party script add-ons. I execute the script using the domain admin account. You may run into issues if you try using accounts with fewer privileges.

The script contains a path to an Active Directory Organisation Unit (OU) where all the accounts will be created (OU=Staff,DC=lab,DC=laptop,DC=iw). You will want to change this before running it in your environment. This OU needs to exist before you run the script.

I have configured the script to create the accounts but not to enable them. This is for security purposes. However, if you want to enable them, you just need to uncomment two lines and seek legal advice.

You can download the zip file containing the people details and PowerShell script from here. Any feedback greatly appreciated.
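For readers who want to see the shape of such a script, here is an added example (not the script from the zip file) that creates accounts in the OU named above and leaves every one disabled. It assumes the Microsoft ActiveDirectory module (RSAT) is available; the CSV column names and the three sample people are constructed for illustration.

```powershell
# Added example: create test accounts from CSV data, leaving every account disabled.
# Assumes the Microsoft ActiveDirectory module (RSAT); column names are assumptions.
Import-Module ActiveDirectory

$ou = 'OU=Staff,DC=lab,DC=laptop,DC=iw'   # OU from the post; it must already exist

# Constructed sample rows; in practice use Import-Csv on your own file.
$people = @'
Login,FirstName,LastName,Title,Department,Office,ManagerLogin
asmith,Alice,Smith,Chief Executive,Executive,Sydney,
bjones,Bob,Jones,IT Manager,IT,Sydney,asmith
cwong,Carol,Wong,Developer,IT,Melbourne,bjones
'@ | ConvertFrom-Csv

if (-not [adsi]::Exists("LDAP://$ou")) { throw "OU '$ou' does not exist." }

# Pass 1: create the accounts. No password is set and -Enabled is $false,
# so nobody can log on until an administrator deliberately enables an account.
foreach ($p in $people) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($p.Login)'") {
        Write-Warning "$($p.Login) already exists, skipping"
        continue
    }
    New-ADUser -Name "$($p.FirstName) $($p.LastName)" `
        -SamAccountName $p.Login -GivenName $p.FirstName -Surname $p.LastName `
        -DisplayName "$($p.FirstName) $($p.LastName)" `
        -Title $p.Title -Department $p.Department -Office $p.Office `
        -Path $ou -Enabled $false
}

# Pass 2: set managers once every account exists, so row order does not matter.
foreach ($p in $people | Where-Object { $_.ManagerLogin }) {
    Set-ADUser -Identity $p.Login -Manager $p.ManagerLogin
}

# Check: report anything in the test OU that is enabled.
Get-ADUser -SearchBase $ou -Filter 'Enabled -eq $true' |
    ForEach-Object { Write-Warning "Enabled account in test OU: $($_.SamAccountName)" }
```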

Friday, March 04, 2011

Getting help with Kerberos and SharePoint

Ever tried configuring a SharePoint environment to use Kerberos authentication? It is never a lot of fun. There aren’t that many people that know Kerberos to any great depth – I know I don’t. So any kind of help you can get with setting this up should be taken advantage of.

So pop over to SharePointSecurity.com and read about your new best friend – SharePoint Kerberos Buddy. I don’t think it’s an over-exaggeration to say that Adam Buenz is a genius in this area. Now he has released a FREE tool to help you get your Kerberos configuration right. Check it out.

Tuesday, March 01, 2011

Configuring BackConnectionHostNames for the Loopback Check

It's not always easy doing the right thing. At this stage, we all probably know about the issue with trying to access a site with a host name on Windows Servers (http://support.microsoft.com/kb/896861).

You probably know that there are two ways of dealing with this issue - disabling the check or providing a safe list of sites.

The easiest thing to do is disable the check. But that doesn't make it right. The check is there to protect your system against nasties that want to do bad things to your server.

So that leaves us with the option of defining a safe list of addresses that the server can access locally. Sounds easy, but I've had problems every now and again with getting this to work and the temptation is to just revert to disabling the check. So I thought I'd share some rules that I follow when setting the BackConnectionHostNames entry:

1. Don't include the protocol - e.g. "mywebsite" rather than "http://mywebsite"
2. Put each entry on its own line
3. Use lowercase - e.g. "mywebsite" rather than "MyWebSite"
4. If it is an internal site, include the short name as well as the fully qualified domain name (e.g. "mywebsite" and "mywebsite.domain.somewhere.local")
5. Reboot after you have created the BackConnectionHostNames registry entry. I believe that you don't need to reboot for subsequent changes to this key, but I probably would - call me superstitious.
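The rules above applied in PowerShell, as an added example that is not part of the original post. It writes the BackConnectionHostNames multi-string value under the MSV1_0 key described in KB896861 and warns if the loopback check has been disabled; the site names are the hypothetical ones used in the rules, and it must be run elevated on the server.

```powershell
# Added example: build and write the BackConnectionHostNames safe list.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1_0 = Join-Path $lsa 'MSV1_0'

function ConvertTo-BackConnectionName([string[]]$Name) {
    # Rule 1: strip the protocol (and any port or path). Rule 3: lowercase.
    $Name | ForEach-Object {
        ($_.Trim() -replace '^[a-z]+://', '' -replace '[/:].*$', '').ToLowerInvariant()
    } | Where-Object { $_ } | Select-Object -Unique
}

# Rule 4: short name and fully qualified name (hypothetical site names).
$wanted = ConvertTo-BackConnectionName 'http://MyWebSite', 'mywebsite.domain.somewhere.local'

# Keep whatever is already on the safe list and merge the new names in.
$current = (Get-ItemProperty -Path $msv1_0 -Name BackConnectionHostNames `
            -ErrorAction SilentlyContinue).BackConnectionHostNames
$merged  = @(ConvertTo-BackConnectionName (@($current | Where-Object { $_ }) + $wanted))

# Rule 2: REG_MULTI_SZ stores each array element as its own line.
New-ItemProperty -Path $msv1_0 -Name BackConnectionHostNames `
    -PropertyType MultiString -Value $merged -Force | Out-Null

# The safe list is pointless if the check itself has been switched off.
$disabled = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
             -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($disabled -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is off and the safe list is not being used.'
}

# Show what was written. Rule 5: reboot after creating the entry.
(Get-ItemProperty -Path $msv1_0 -Name BackConnectionHostNames).BackConnectionHostNames
```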

Australian SharePoint Conference – only days away

The Australian SharePoint Conference is back in Sydney on March 8th and 9th. This is a great event to learn more about the SharePoint products and see how other companies in Australia are using it. There are four tracks, so there should be something for everyone:

  • Business
  • Voice of the Customer
  • IT Professional
  • Developer

Also check out the half-day workshops held on the 7th and 10th. For full details and to purchase tickets, visit www.sharepointconference.com.au