Monday 14 October 2013

Alternate Access Mapping from 443 to http

Overview: Pretty simple to use Alternate Access Mapping (AAM).  In my scenario I have an https site already that is working.  A hardware load balancer is added to the environment which does the SSL offloading.  So now I need to be able to send it http/port 80 requests.

2 Steps:
1.> Edit the binding in IIS

2.> Created AAM settings in Central Admin (CA)
CA > Configure alternate access mappings > Add your https site to the existing site.






More Info:
http://blogs.msdn.com/b/fabdulwahab/archive/2013/01/21/configure-ssl-for-sharepoint-2013.aspx

ULS log files are created but are empty

Problem: I have created a SharePoint 2013 farm with a custom location for my log files e.g. d:\logs.  On the 1st SP2013 VM that created the SP farm using AutoSPInstaller, the logs are present and logging correctly.  On the other/remaining SP VM's, the logs are created every 30 min however, the log files are empty.

Initial Hypothesis: I had no idea and after looking at google the answer is permissions on the local file system.  Justin Kobel's post gives the fix.

Resolution:
Or run this PowerShell on each VM:
PS> $computer= "$env:computername"
PS> $group="Performance Log Users"
PS> $domain="demo"
PS> $user="pbeck"
PS> $de = [ADSI]"WinNT://$computer/$Group,group"
PS> $de.psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path)
PS> net stop SPTraceV4
PS> net start SPTraceV4
 
Tip: Using the Invoke-Command you can loop thru and connect to the SP VM's remotely and run the change on each VM in the SP farm.  PS to loop thru and change local security groups is here and the xml is here.
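
One way to run the group change across the farm with Invoke-Command, as an added example (it is not the script linked above). The server names are hypothetical, the account and group are the ones from the commands above, and PowerShell remoting is assumed to be enabled on each VM.

```powershell
# Added example, not the script linked above. Server names are hypothetical;
# the domain, user and group are the values from the commands above.
$servers = 'VM-SP2', 'VM-SP3'          # hypothetical: the remaining SP VMs
$domain  = 'demo'
$user    = 'pbeck'
$group   = 'Performance Log Users'

$results = Invoke-Command -ComputerName $servers -ArgumentList $domain, $user, $group -ScriptBlock {
    param($Domain, $User, $Group)

    $member = "WinNT://$Domain/$User"
    $grp    = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"

    # Check first so a re-run neither throws on an existing member
    # nor restarts the tracing service needlessly.
    $wasMember = [bool]$grp.psbase.Invoke('IsMember', $member)
    if (-not $wasMember) {
        [void]$grp.psbase.Invoke('Add', $member)
        # Restart the tracing service, as in the commands above,
        # so it runs with the new group membership.
        Restart-Service -Name SPTraceV4
    }

    # Report the end state so every VM can be verified from one place.
    New-Object PSObject -Property @{
        Server       = $env:COMPUTERNAME
        Account      = "$Domain\$User"
        AlreadyThere = $wasMember
        IsMemberNow  = [bool]$grp.psbase.Invoke('IsMember', $member)
        TraceService = (Get-Service -Name SPTraceV4).Status.ToString()
    }
}

# One row per VM; any server where IsMemberNow is False needs a manual look.
$results | Select-Object Server, Account, AlreadyThere, IsMemberNow, TraceService |
    Format-Table -AutoSize
```

Granting only "Performance Log Users" keeps the account out of the local Administrators group, and the report gives a record of which VMs were changed.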

 
 
More Info:
You will notice that the files within Windows explorer are shown with a blue colour.  This is to show the files/folders are compressed. 
Blue means compressed.
Green means encrypted.

Friday 11 October 2013

Testing my SharePoint 2013 Network Load Balancer

Overview:  This is how I tested my Kemp load balancer.  Kemp terminates the SSL and has a load balancer that checks the http service is running.  I still like to use session persistence for load balancing.

Fiddler is useful from the client, you can check that SSL is getting correctly written by the Load Balancer.
Microsoft Network Manager 3.4 is useful to watch the traffic between the WFE and the load balancer.  WireShark is also a good option.  This role would probably best be performed by using Fiddler as a reverse proxy to capture the traffic (I have never done this).


SharePoint 2013 has the Request Management Service that acts like a load balancer for traffic.  I don't understand the point and I would need a rather strange scenario to use Request Management if I have a decent load balancer in place (KEMP or F5).


Updated 17 Aug 2015: All the load balancer solutions (F5, Cisco, Kemp etc.) have traffic distribution, and it is a good idea to use a more advanced algorithm.  For instance, on an F5, the "Dynamic Ratio" algorithm redirects traffic based on continuous monitoring of the servers' resources.  F5 has many options; I prefer using "Dynamic Ratio" but it depends on the circumstances.

Tuesday 1 October 2013

AutoWCAInstaller - Create an Office Web App 2013 Farm automatically

Overview:  Create a 2 VM WCA farm that will be used by the SharePoint 2013 farm on Windows 2008 R2.

Overview of the WCA farm and SharePoint WFE's

1.> Copy the following files onto each VM in the WCA farm.  I add this to my template or do an xCopy to the machines.
2.> Install the Pre-requisites and WCA binaries
Run the following PS cmds in this order on each VM:
VM-WCA1
C:\Windows\Temp\OWA\InstallOWA.ps1 # WCA Pre-reqs on the 1st VM

C:\Windows\Temp\OWA\InstallOWA2.ps1 vm-wca1 # WCA binaries on the 1st vm
 

  
VM-WCA2
C:\Windows\Temp\OWA\InstallOWA.ps1

C:\Windows\Temp\OWA\InstallOWA2.ps1 vm-wca2
 

 
VM-WCA1
C:\Windows\Temp\OWA\WAC_ConfigureOWAFarm.ps1 \\192.168.1.1\c$\EN\Build\OWA\OWAFarmConfig-UAT.xml
VM-WCA2
C:\Windows\Temp\OWA\WAC_ConfigureOWAJoin.ps1 "VM-WCA1.demo.local"

Explanation:
  • InstallOWA.ps1 - Install pre-requisites for Windows 2008 R2 VM's.
  • InstallOWA2.ps1 - Installs the WCA binaries and WCA patching needed for Windows 2008 R2.
  • WAC_ConfigOWAFarm.ps1 - Create the WCA farm on the 1st/main VM.
  • WAC_ConfigOWAJoin.ps1 - Join the 2nd or more farms to the WCA farm.
  • SP2OWAConfig.ps1 - Hookup of Sp2013 to your new WCA farm.
  • configSilent.xml - I use this to install the WCA binaries/exe in silent mode for automation.  You can see an example of creating this on the Office Web Apps 2013 installation media.
Tip: Use the Invoke Cmd to install WCA remotely, I use TeamCity to do this but PS works perfectly on a remote server.

My generated log file from VM-WCA2 is here if you want to check your install.

Apology:  I lifted some of this PowerShell off codeplex and I can't find the original source to reference the code.
 

Tuesday 24 September 2013

Office Web App WCA - SSL confusion

Overview: Office web Apps (WCA) 2013 defaults to using https, this is a good position to take but SSL offloading may be needed or you may want to do testing without SSL.  In my case we are using KEMP for SSL termination and before the NLB's are in place I made some hard discoveries.

Options:
SSL, WCA wants to use SSL and has some confusing switches, they make sense eventually so to summarise: You have 3 options to install WCA with SP2013:
  • Not using SSL (not recommended),
  • SSL Certificates on the WCA servers
  • SSLOffloading (Hardware device such as an F5 or KEMP does the SSL decryption, this saves you distributing certs to the WCA servers but means that the traffic between the NLB and the servers is not encrypted.)
My Scenario and Resolution:
Basically I have 2 WCA servers that make up my Office Web Apps farm.  I want to connect SharePoint 2013 to display/edit documents via the web browser and I want the preview capability that SharePoint search needs.  This post explains the situation "Not Using SSL".

In my initial attempt at installing the WCA farm I selected the switch -SSLOffLoading, this makes the WCA farm accept http requests.  My issue was that other resources then made http requests, which is correct with a load balancer performing SSL termination in place.  And here was the problem, when I open a word document it just waits.  I opened my IE developer toolbar and noticed the https request.  Below is how I rolled out of the issue to allow me to use http throughout (Don't do this in production).

Location of the ULS logs on the WCA VM's: C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS
 
***********************************************************
 
This part of the post differs in that I explain how to use the "SSLOffloading scenario".
You need a load balancer such as F5 or Kemp with networking configured.
The big differences are:
Ensure the "WopiZone : internal-https"
Tip:  Watch the networking. 
Tip:  You can't use a wild card certificate if you use SSL termination on the load balance (it actually works if you only have 1 WCA VM in your farm).
 
Scenario: SharePoint 2013 farm (represents any WOPI client/consumer), this can be on http or https.  The WCA farm consists of 2 or more WCA dedicated VM's.
 
The diagram above shows of the clients browser will interact with the WOPI consumer namely SharePoint 2013 and it accesses the SSL based url for the WCA server.  So the request would go to https://wca.demo.dev.  The load balancer performs SSL termination and load balances to any WCA server on port 80 using session affinity.
 
Tip: I used a wildcard certificate in UAT that works in a load balanced scenario but rather go for the fully qualified certificate for the WCA https service. 
 
********************
 
Problem:  When I create a WCA farm (1VM) and connect SharePoint to use the WCA farm, office documents show correctly.  However when I have multiple WCA servers, I get the error “[ServerError: Verifying signature failed]. [status:NotFound” in my VM logs on the Office Web Apps server (WCA ULS).

Initial Hypothesis: The error appears to be an issue with SSL, while rooting around I found the following information on certificates: http://technet.microsoft.com/en-us/library/jj219435.aspx#certificate

  • The certificate must come from a trusted Certificate Authority and include the fully qualified domain name (FQDN) of your Office Web Apps Server farm in the SAN (Subject Alternative Name) field. (If the FQDN is not in the SAN when you try to use the certificate, the browser will either show security warnings or won’t process the response.)
  • The FQDN in the SAN field can’t begin with an asterisk (*).

Below is a view of our wildcard certificate of the SAN field:
 
What made this issue tough to track is that when I only have 1 WCA server, WCA displays my word document correctly.  This document is cached when I add the remaining servers however once the cache clears down I lose WCA functionality.
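
A check for the two certificate requirements quoted above, as an added example that is not part of the original post. It reports whether the farm FQDN is listed in the SAN field or is only covered by a wildcard entry. The SAN lists in the demo calls are constructed, the thumbprint is a placeholder, and the parsing assumes an English Windows install.

```powershell
# Added example. 'wca.demo.dev' is the farm FQDN used in this post; the SAN
# lists in the demo calls are constructed sample values.
function Get-SanDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }
    # Assumption: English Windows, where Format() prints "DNS Name=host, DNS Name=...".
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-WcaSan {
    param([string[]]$SanDnsName, [string]$FarmFqdn)

    $names     = @($SanDnsName | Where-Object { $_ })        # drop null/empty entries
    $exact     = @($names | Where-Object { $_ -eq $FarmFqdn })
    $wildcards = @($names | Where-Object { $_.StartsWith('*') })
    # "*.demo.dev" covers "wca.demo.dev" when everything after the first label matches.
    $dot       = $FarmFqdn.IndexOf('.')
    $suffix    = if ($dot -ge 0) { $FarmFqdn.Substring($dot) } else { '' }
    $covering  = @($wildcards | Where-Object { $suffix -and $_.Substring(1) -eq $suffix })

    if     ($exact.Count -gt 0)    { $verdict = 'FqdnInSan' }
    elseif ($covering.Count -gt 0) { $verdict = 'WildcardOnly' }
    else                           { $verdict = 'Missing' }

    New-Object PSObject -Property @{
        FarmFqdn        = $FarmFqdn
        Verdict         = $verdict
        WildcardEntries = ($wildcards -join ', ')
    }
}

# Constructed samples: a wildcard-only SAN, then a fully qualified one.
Test-WcaSan -SanDnsName '*.demo.dev', 'demo.dev' -FarmFqdn 'wca.demo.dev'
Test-WcaSan -SanDnsName 'wca.demo.dev'           -FarmFqdn 'wca.demo.dev'

# Against a real certificate (the thumbprint is a placeholder):
# $cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
# Test-WcaSan -SanDnsName @(Get-SanDnsName $cert) -FarmFqdn 'wca.demo.dev'
```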
 
***********************************************************
Microsoft troubleshooting for WCA
 
***********************************************************
Tip:  A lot of issues around WCA involve networking.  It is useful to verify networking on the VM's.  I use host entries until I am ready to get the load balancing service working.  Note:  Ensure communication from WCA back to the SP WFE's.
 
 

Automate the deployment of an WCA 2013 farm - run the setup.exe silently

Problem:  I have been trying to automate the creation of my Office Web Apps (WCA) 2013 farm and hook it into my SharePoint 2013 farm.  When installing the WCA binaries using PowerShell I get prompted periodically.

Initial Hypothesis:  Using the setup.exe /? switch I don't see a run silently or accept defaults.  I tried extracting the exe and working out the switches without joy.  Asked some folks and no answer.  There is a /config switch but I have no idea how to structure it.  Eventually I noticed a folder on the WCA binaries ""



Resolution:  Run the setup.exe and supply the location of the configuration file for a silent install.  If you refer to the config.xml as I have done above, the install will use all the default settings.  Change it if you want a custom Office Web Apps install on each machine in the farm.

I could not find this on the Internet and once I got there it is on the net, see below - reckon I need a Google search training day.

More Info:
http://www.sharepoint13.org/?p=124
http://technet.microsoft.com/en-us/library/cc261668(v=office.14).aspx

Thursday 19 September 2013

WCA and SP2013 not displaying Office document

Problem: I have set up Office Web Apps (OWA/WAC) 2013 on Windows 2008 R2 and connected it to SP2013.  WAC appears to be working and the hookup from SP2013 went without a hitch.  I try to open a word document in WAC and receive the error: "Sorry, there was a problem and we can't open this document. If this happens again, try opening the document in Microsoft Word."

Initial Hypothesis:  I can't find any errors in my event logs and in my ULS log on WAC (C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS) I opened the latest log and looked for errors, I found couple of "Unexpected" errors that relate to my problem.  The error looks something like: "HttpRequestAsync, (WOPICheckFile,WACSERVER) no response [WebExceptionStatus:NameResolutionFailure, url:http://web-sp2013-uat.demo.dev/_vti_bin/wopi.ashx/files/ef71ad7d...."
...
WOPI CheckFile: Catch-All Failure [exception:Microsoft.Office.Web.Common.EnvironmentAdapters.UnexpectedErrorException: HttpRequest failed

I realised that my DNS entry to web-sp2013-uat.demo.dev is missing on my WAC servers, I added local host entries which corrected the error.

Resolution:  Ensure the DNS entry to the SP2013 web servers has permeated down to all WAC servers.  I added a host entry to prove the fix; however, stick to using DNS, because if the IP/resolving changes you would need to go to each OWA/WAC machine and correct the issue.
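
The check described above, as an added example that is not part of the original post: pull the host names out of NameResolutionFailure entries in the WAC ULS log, test whether each one resolves on the WAC server, and flag any that resolve only because of a hosts-file entry. The sample log line is constructed from the error quoted above; function names are hypothetical.

```powershell
# Added example. The sample line is constructed from the error quoted above;
# real ULS lines carry more columns.
function Get-UnresolvedWopiHost {
    param([string[]]$LogLine)
    $pattern = 'WebExceptionStatus:NameResolutionFailure,\s*url:https?://([^/:\s]+)'
    $LogLine |
        ForEach-Object { if ($_ -match $pattern) { $Matches[1].ToLower() } } |
        Sort-Object -Unique
}

function Test-HostResolution {
    param([string]$HostName)
    # A hosts-file override hides DNS problems and goes stale when the IP changes.
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $entry     = '^\s*[^#\s]+\s+(.*\s)?' + [regex]::Escape($HostName) + '(\s|#|$)'
    $inHosts   = [bool](Select-String -Path $hostsFile -Pattern $entry -Quiet)

    try   { $ips = @([System.Net.Dns]::GetHostAddresses($HostName) |
                     ForEach-Object { $_.IPAddressToString }) }
    catch { $ips = @() }   # name does not resolve on this machine

    New-Object PSObject -Property @{
        Server         = $env:COMPUTERNAME
        HostName       = $HostName
        Resolves       = ($ips.Count -gt 0)
        Addresses      = ($ips -join ', ')
        HostsFileEntry = $inHosts
    }
}

# Constructed sample line (the file id is a placeholder).
$sample = @(
    'HttpRequestAsync, (WOPICheckFile,WACSERVER) no response [WebExceptionStatus:NameResolutionFailure, url:http://web-sp2013-uat.demo.dev/_vti_bin/wopi.ashx/files/<id>'
)
Get-UnresolvedWopiHost -LogLine $sample |
    ForEach-Object { Test-HostResolution -HostName $_ } |
    Format-Table Server, HostName, Resolves, HostsFileEntry, Addresses -AutoSize

# On a WAC server, feed it the newest ULS log instead of the sample:
# $latest = Get-ChildItem 'C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS\*.log' |
#           Sort-Object LastWriteTime | Select-Object -Last 1
# Get-UnresolvedWopiHost -LogLine (Get-Content $latest.FullName)
```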

More Info:
http://wp.ahcheng.com/2013/07/07/office-web-app-with-sharepoint-sorry-there-was-a-problem-and-we-cant-open-this-document/