
Friday 7 March 2014

EventLog Error Fix

Overview: After building my farms I trawl through the ULS and event logs looking for log messages that identify any issues.  This post collects errors from my event logs that will hopefully help me in future.

Problem: My event log shows a Windows/IIS error whereby an IIS site's application pool uses a service account that does not have a user profile on the machine.  The error message reads "Event Id: 1511 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off."

Verify the issue:



Resolution: (IEDaddy's post gave me the resolution)
1.> Stop the processes that use the account (I stopped the web sites that used the application pool account "demo\OD_Srv")
2.> cmd prompt> net localgroup administrators demo\OD_Srv /add
3.> cmd prompt> runas /u:demo\OD_Srv /profile cmd
4.> in the new cmd prompt run > echo %userprofile%
5.> Check the user profiles and verify the profile store for the account (demo\OD_Srv) has a status of "Local"
6.> Remove the account from the local administrators group ie cmd> net localgroup administrators demo\OD_Srv /delete
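To confirm steps 5 and 6 from a PowerShell prompt instead of the System Properties dialog, here is an added check script (not from the original post). It assumes the same account name used above, demo\OD_Srv, reads the profile record from Win32_UserProfile and then confirms the account has been taken back out of local Administrators.

```powershell
# Added example: verify the outcome of the Event 1511 fix.
# Assumes the account from the post; change $account for your farm.
$account = "demo\OD_Srv"

# Win32_UserProfile is keyed by SID, so resolve the account name first.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$userProfile = Get-WmiObject Win32_UserProfile -Filter "SID = '$sid'"
if (-not $userProfile) {
    Write-Host "No profile on this machine for $account - the runas /profile step has not created one yet" -ForegroundColor Red
    return
}

# Status is a bit field: 1 = temporary, 2 = roaming, 4 = mandatory, 8 = corrupted.
# A healthy local profile reports 0, which the GUI shows as "Local".
$isTemporary = ($userProfile.Status -band 1) -ne 0
$isCorrupted = ($userProfile.Status -band 8) -ne 0
$type = if ($isTemporary) { "Temporary" } elseif ($userProfile.Status -band 2) { "Roaming" } else { "Local" }

Write-Host ("Account: {0}`nSID: {1}`nPath: {2}`nType: {3}`nLoaded: {4}`nCorrupted: {5}" -f
            $account, $sid, $userProfile.LocalPath, $type, $userProfile.Loaded, $isCorrupted)

if ($isTemporary -or $isCorrupted) {
    Write-Host "Profile is not usable; expect Event 1511 to recur" -ForegroundColor Red
}

# Step 6 check: the account must be back out of the local Administrators group.
$adminsGroup = [ADSI]"WinNT://./Administrators,group"
$members = @($adminsGroup.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
if ($members -contains ($account -split "\\")[-1]) {
    Write-Host "WARNING: $account is still a member of local Administrators" -ForegroundColor Yellow
}
```

The membership check compares on the bare user name, so a local and a domain account that share a name would both match; for a farm service account that is normally fine, but check the ADsPath if you need to be exact.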

More Info:
http://www.brainlitter.com/2010/06/08/how-to-resolve-event-id-1511windows-cannot-find-the-local-profile-on-windows-server-2008/
http://todd-carter.com/post/2010/05/03/give-your-application-pool-accounts-a-profile/

*************************

Problem: EVENT ID: 8321 - Task Category: Topology
A certificate validation operation took 120053.1569 milliseconds and has exceeded the execution time threshold. 

Resolution:  I performed various steps:
1.> Add a hosts file entry:
127.0.0.1  crl.microsoft.com
2.> Trust the SP root cert
http://support.microsoft.com/kb/2625048

Import the Trusted certificate

3.> Reduce the CRL check timeout (not a fix, but the check fails quicker and processing carries on)

This post may also help - but it wasn't my issue: http://stevesps.blogspot.co.uk/2013/01/sharepoint-foundation-event-id-8321.html

 *************************

Problem: Event Id: 8313 - Task Category: Topology
A failure was reported when trying to invoke a service application: EndpointFailure
Process Name: w3wp
Process ID: 5640
AppDomain Name: /LM/W3SVC/1647355528/ROOT-1-13036555135555957
AppDomain ID: 2
Service Application Uri: urn:schemas-microsoft-com:sharepoint:service:649a3e7c090555059555c7a101555576#authority=urn:uuid:55b29cf855594c76555658fca66dac65&authority=https://sv-sp-web1:32844/Topology/topology.svc
Active Endpoints: 2
Failed Endpoints:1
Affected Endpoint: http://sv-sp-app2:32843/649a3e7c0904495552e4c7a555d64555/MetadataWebService.svc

Initial Hypothesis: It looks like the web front ends cannot communicate with MetadataWebService.svc. Run mmc > File > Add/Remove Snap-in > snap-in "Certificates" > Add > Computer Account > Local Computer > OK.
Expand "Certificates" > SharePoint > Certificates.  Open the certs and check whether they are verified.  In my case my WFEs are good but my app servers do not have a valid certificate, as shown below.

Resolution:
PS> $rootCert = (Get-SPCertificateAuthority).RootCertificate
PS> $rootCert.Export("Cert") | Set-Content C:\SharePointRootAuthority.cer -Encoding Byte




http://khalidstech.blogspot.co.uk/2012/11/certificate-validation-errors-in.html

Automation to add the SharePoint Root Certificate is done very nicely in this post: http://lennytech.wordpress.com/2013/06/18/powershell-install-sp-root-cert-to-trusted-root/
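An added example (not code from the post or from the linked scripts) that does the import on the server that is missing trust and then verifies the SharePoint store the way the MMC "verified" check does. It assumes it runs on a farm server where the SharePoint snap-in is available, and that the certificates of interest live in the LocalMachine\SharePoint store named above.

```powershell
# Added example: trust the farm root CA on this server and verify the SharePoint store.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$rootCert = (Get-SPCertificateAuthority).RootCertificate

# Import into LocalMachine\Root only if that thumbprint is not already there,
# so the script is safe to re-run on every app server.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$root.Open("ReadWrite")
$already = $root.Certificates | Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint }
if ($already) {
    Write-Host "SharePoint root CA already trusted:" $rootCert.Thumbprint
} else {
    $root.Add($rootCert)
    Write-Host "Imported SharePoint root CA:" $rootCert.Subject
}
$root.Close()

# Verify every certificate in LocalMachine\SharePoint chains to a trusted root.
foreach ($cert in Get-ChildItem Cert:\LocalMachine\SharePoint) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip the CRL lookup (the slow part behind event 8321) so the result reflects trust only.
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $ok = $chain.Build($cert)
    $status = if ($ok) { "OK" } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join "," }
    Write-Host ("{0,-45} NotAfter={1:yyyy-MM-dd} {2}" -f $cert.Subject, $cert.NotAfter, $status)
}
```

A server that shows UntrustedRoot in the status column is the one the 8313 error is complaining about; re-run after the import and the column should read OK.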

 **************

Disable CRL check (I believe this is from AutoSPInstaller)
Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" -name State -value 146944
Set-ItemProperty -path "REGISTRY::\HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" -name State -value 146944
Get-ChildItem REGISTRY::HKEY_USERS | ForEach-Object { Set-ItemProperty -ErrorAction SilentlyContinue -path ($_.Name + "\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing") -name State -value 146944 }
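Because that change silently weakens certificate checking for every profile on the box, it is worth being able to see where it has been applied. The following audit script is an added example (not from the post or AutoSPInstaller): it reads the same State value back from HKCU and every loaded user hive and decodes it. 146944 is 0x23E00; the 0x200 bit it sets on top of the usual 0x23C00 is WTPF_IGNOREREVOKATION in wintrust.h, the flag that skips revocation checking.

```powershell
# Added example: report which user hives have revocation checking switched off.
$ignoreRevocation = 0x200   # WTPF_IGNOREREVOKATION
$subKey = "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"

# Current user plus every hive under HKEY_USERS (the same set the snippet above writes to).
$hives = @("HKCU:\$subKey") + @(Get-ChildItem REGISTRY::HKEY_USERS |
            ForEach-Object { "REGISTRY::" + $_.Name + "\" + $subKey })

foreach ($path in $hives) {
    $item = Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Host ("{0,-110} (no State value)" -f $path)
        continue
    }
    $state = [int]$item.State
    $flag = if ($state -band $ignoreRevocation) { "REVOCATION CHECK DISABLED" } else { "revocation check on" }
    Write-Host ("{0,-110} State=0x{1:X} {2}" -f $path, $state, $flag)
}
```

Run it before and after the AutoSPInstaller step and keep the before output with the build notes; it is the quickest way to explain later why a revoked certificate was still accepted on a farm server.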

*************
 

Problem: Event Log is capturing EventId: 2159 Source: SharePoint Foundation Error message refers to Event 8306 within the ULS logs.

Resolution: Edit the web.config to allow the ULS to capture additional information relating to the error.  The resulting error shows the common SharePoint COM class factory error.  In this scenario, changing the "SecurityTokenService" app pool "Load User Profile" property to true corrected the underlying issue.

***************
 

Thursday 2 January 2014

IIS setting for SharePoint 2013

Some checks and reminders for IIS - This is a work in progress!

1.> Change the IIS log location for existing websites; this needs to be done on each WFE in your farm, providing you want to change them.
PS Script to Change the IIS log directory for existing web sites.
2.> Disable IIS recycling
3.> Ensure app pool accounts have low levels of network permissions.
4.> Certificates used by IIS, when do they expire.
5.> Application Initialisation for IIS 8, or warm-up scripts, to stop the long delays after an IISRESET/app pool recycle.

   **************
CPU over utilisation


   ********************

Verify when certificates are going to expire:

Import-Module WebAdministration
$DaysToExpiration = 365
# change this once it's working
$expirationDate = (Get-Date).AddDays($DaysToExpiration)
$expirationDate5yrs = (Get-Date).AddDays(5 * 365)   # was 1020 days, which is under three years
$certs = Get-ChildItem IIS:\SslBindings
foreach ($cert in $certs)
{
    $store = $cert.Store.ToString()
    Write-Host " Cert Store:" $store
    Write-Host " Cert Port:" $cert.Port.ToString()
    Write-Host " Cert Thumbprint:" $cert.Thumbprint
    # every certificate in the store the binding points at, not only the bound one
    $body = Get-ChildItem Cert:\LocalMachine\$store
    foreach ($me in $body) {
        if ($expirationDate -gt $me.NotAfter) {
            Write-Host " Expiring soon" -BackgroundColor Red
        }
        elseif ($expirationDate5yrs -gt $me.NotAfter) {
            Write-Host " Expiring within 5 years" -BackgroundColor Yellow
        }
        else {
            Write-Host " Expiring more than 5 years away" -BackgroundColor Green
        }
        Write-Host " - Body subject: " $me.Subject
        Write-Host " - Body thumbprint: " $me.Thumbprint
        Write-Host " - Body friendly name: " $me.FriendlyName
        Write-Host " - Body Expiry: " $me.NotAfter
    }
    Write-Host ""
}

 *********************
 Check the service accounts do not have too many permissions:
The script below retrieves the app pool password to show the client a potential issue.

Import-Module WebAdministration
foreach ($webapp in Get-ChildItem IIS:\AppPools\)
{
    $iispath = "IIS:\AppPools\" + $webapp.name
    $pswd = $webapp.processModel.password
    $state = (Get-WebAppPoolState -Name $webapp.name).Value
    $color = "White"
    $forecolor = "Black"
    if ($pswd.Length -gt 0) { $color = "Red" }        # verify the domain accounts don't have excessive privileges
    if ($state -eq "Stopped") { $forecolor = "Blue" } # why are there stopped IIS app pools?
    Write-Host "Name:" $webapp.name " | Version:" (Get-ItemProperty $iispath managedRuntimeVersion).Value `
        " | Username:" $webapp.processModel.userName " | Pswd:" $pswd `
        " | State:" $state -BackgroundColor $color -ForegroundColor $forecolor
}
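The script above shows that a password is present but not whether the account is over-privileged. The following added example (not from the original post) answers the "too many permissions" question directly: it lists each app pool identity and flags any that are a member of the local Administrators group or run as LocalSystem, without echoing the stored password.

```powershell
# Added example: flag IIS app pool identities that hold local admin rights.
Import-Module WebAdministration

# Members of local Administrators as DOMAIN\name (or MACHINE\name) strings.
$adminsGroup = [ADSI]"WinNT://./Administrators,group"
$admins = @($adminsGroup.psbase.Invoke("Members") | ForEach-Object {
    $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    # ADsPath looks like WinNT://DOMAIN/name; normalise it to DOMAIN\name
    ($path -replace "^WinNT://", "") -replace "/", "\"
})

foreach ($pool in Get-ChildItem IIS:\AppPools\) {
    $model = $pool.processModel
    # Built-in identities report their type; only SpecificUser carries a user name.
    $identity = if ($model.identityType -eq "SpecificUser") { $model.userName } else { [string]$model.identityType }
    $isAdmin  = $admins -contains $identity
    $isSystem = $model.identityType -eq "LocalSystem"
    $flag  = if ($isAdmin -or $isSystem) { "EXCESSIVE" } else { "ok" }
    $color = if ($flag -eq "EXCESSIVE") { "Red" } else { "Green" }
    Write-Host ("{0,-40} {1,-30} {2}" -f $pool.name, $identity, $flag) -ForegroundColor $color
}
```

Direct membership only: an account that reaches Administrators through a nested domain group will show as ok here, so pair this with a check of the group's domain members when the farm uses nested groups.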

 Tip: Advise client to change Windows service account used to run the SP timer job.  Check ramifications.


**********************************