Sunday 16 August 2015

FedAuth Notes for Problem Solving

Overview:  These are my notes on FedAuth relating to SharePoint 2013.
SharePoint (SP) 2013 uses Claim Based Authentication (CBA).  In this example, I am looking at SiteMinder (a CA product) as the Federation Service (this is the equivalent to ADFS (Active Directory Federation Service) as the Identity Provider (IdP)).
Basic Flow of SP CBA Authentication:
  1. SP looks for a FedAuth cookie; if  there is no FedAuth cookie for the users, it shall redirect the user to login via the IdP (AAD/SiteMinder/ADFS et al.). 
  2. The IdP returns a valid SAML token to SharePoint's STS.
  3. The STS generated a FEDAUTH cookie for the user to hold the current users session lifespan state (to keep the user log in).  The user holds the STS token not the SAML token.  The FedAuth in is a pointer to the SAML token held in the SharePoint Token Cache.
The default behaviour of SharePoint is to store the FEDAUTH cookie on the user’s disk, with a fixed expiration date. The expiration of the FEDAUTH cooking can be for a fixed time or a sliding session (if the user interacts with SP, the SP session is extended).  FedAuth can be stored on the Disk (default or in memory (not persisted between browser close downs). 

Note:  Changing where the cookie is stored affects the way the user shall login and effects Office application login such as Word.  Test thoroughly before changing)

Note:  Watch the IdP providers expiration policy vs what you set up in SP.  As an example, you could remove a user from the IdP, however, the session is still persisted and the user can still interact with SharePoint.   From MSDN "Make sure that the value of the LogonTokenCacheExpirationWindow property is always less than the SAML token lifetime; otherwise, you'll see a loop whenever a user tries to access your SharePoint web application and keeps being redirected back to the token issuer." 

Note: Closing a browser window with the FEDAuth stored to Disk does not invalidate the SharePoint session.  So the FedAuth shall persist when IE is close.  However, by keeping the session lifespan/FedAuth lifetime relatively short, the  to be relatively short (think less than an hour) your security is better.
Note: Change from FedAuth to session based sessions should taken lightly, Office products need to be thoroughly tested and generally won't work seamlessly.

Updated 11 Feb 2019: rtFA cookie
"The root Federation Authentication (rtFA) cookie is used across all of SharePoint Online and the rtFA cookie is used to authenticate the user silently without a prompt.  So when moving from OneDrive to SPO or Admin sites, the user does not get additional prompts for login.  When a user signs out of SharePoint Online, the rtFA cookie is deleted."

SharePoint Authentication and Session Management
Remote Authentication for SharePoint Online (RTFA)
Why IE and Office work together in SP
Adding, removing SP claims and managing security using claims  and NB! also
Logout of SharePoint
Check Cookie TimeOut; set by formula:
FedAuth LifeTime = IdP endpoint SAML token lifetime Duration - STS LogonTokenCacheExpirationWindow

Update 04 Feb 2016: screenshot for clarity:

My blog post on changing from FedAuth to session based cookies.  The post also shows how to examine the cookies for Internet Explorer (IE).

Sunday 9 August 2015

Request Management

I hate Request Management (RM) and I believe it is going away in SP 2016.

Issue I have seen with RM enabled:
  • Tenant Admin API can't provision Site Collections (point to the WFE's and it works)
  • Workflow sometimes don't start
  • Removing RM improved performance on an Extranet
  • Distributed Cache - One client had Distributed Cache intermittent issues.  User had to re-authenticate using STS.  As the RM was hit 1st and using distributed cache and then picking 1 of several WFE's, the issue was twice as likely to occur.  Used the NLB to direct traffic to the WFE's and the number of re-auths halved.

Saturday 11 July 2015

Machine Translation Service for SP2013

Overview:  I have never use Machine Translation Services (MTS) and this post is my discovery of the Service.  These are my summarised notes.
  • Setup a MTS on the farm
  • Configure MTS on the farm
  • The Server/servers running the MTS need internet access as the need to connect to Microsoft Translator.
  • Used to translate word documents, html documents and plain text.
  • MTS has a single database
  • There is a length restriction of translations so long word document won't translate.  This can be amend in your MTS configuration but 500,000 characters is the default max translation length.
  • Full APIs: Server side Object model, or CSOM and REST API's. 
More Info:

Saturday 4 July 2015

Provisioing Site Collections on-prem using the Tenant Admin API

Problem: Ability to provision Site Collections without using Server Side code.  Use CSOM and the Tenant Admin APIs.  This is a follow on the post: Provisioning Site Collections using CSOM (read it 1st).  Thanks to Sachin Khade, Frank M (check) and Alex N R (check) has given me his time to understand this:
I have reduced the Tenant Admin process into the least amount of steps that works.

The steps are:
Perform on an existing Web Application
Run the PS Script below:
  1. Create SC using a team site site template STS#0
  2. Set the AdministratorSite Type = TenantAdministrator
  3. Add ProxyLibrary that add the TenantAdmin dll
  4. Attach the Proxy to the existing Web Application
  5. Enable SelfServiceCreation on the Web Application
  6. IISReset
  • Using the C# console create new site collections using the Tenant Admin API
PS Script

# The first section contains the variables you need to specify based on your needs
$webapp =  get-spwebapplication # My Web application (already exists)
$url = "" # Tenant Admin Site Collection used for provisioing (does not exist)
$WebsiteName = "Tenant Admin"
$WebsiteDesc = "Tenant Admin Site"
# better to use the site template "tenantadmin#0" using the team site site template "sts#0" causes
# an error msg (SubscriptionId can't be null), both work but you get less admin options # for provisioning.
$Template = "STS#0" 
$PrimaryLogin = "radimaging\psmith"
$PrimaryDisplay = "Paul smith"
$PrimaryEmail =
# Create a site collection and top level website
New-SPSite -Url $url -Name $WebsiteName –Description $WebsiteDesc -Template $Template -OwnerAlias $PrimaryLogin –OwnerEmail $PrimaryEmail
$web = Get-SPWeb $url

#Set the TenantAdmin SC
$site = get-spsite -Identity $url
$site.AdministrationSiteType = [Microsoft.SharePoint.SPAdministrationSiteType]::TenantAdministration
$newProxyLibrary = New-Object "Microsoft.SharePoint.Administration.SPClientCallableProxyLibrary"
$newProxyLibrary.AssemblyName = "Microsoft.Online.SharePoint.Dedicated.TenantAdmin.ServerStub, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
$newProxyLibrary.SupportAppAuthentication = $true
Write-Host "Successfully added TenantAdmin ServerStub to ClientCallableProxyLibrary."
# Reset the memory of the web application
Write-Host "IISReset..."   
Restart-Service W3SVC,WAS -force
Write-Host "IISReset complete."

As always check out this post from Vesa Vuronen:

Sunday 31 May 2015

Provisioing Site Collections using CSOM - Tenant Admin API

Overview:  This post looks at provisioning site collections using CSOM.  You can also provision site collections for SharePoint using PowerShell or any Server side object model. 
Points to Note:
Programmatically you can provisioning new site collections using CSOM using 2 approached namely:
  1. Tenant Admin API
  2. Http Post method (mimic the SharePoint UI for creating a site collection)
Note: Neither approach allows you to specify the Content Database to connect to, you shall need to manage the CDB you site collection goes into using the round robin site collection OOTB method for on-prem SP. 
Note: Tenant Admin API does not allow the Quota template to be specified.  See the FAQ section in this post.
Note: Tenant Admin API requires the April 2014 SP CU or later
Note: the Search Service Application needs to be configured to handle multi-tenancy to work correctly.  As do other the Service Applications using partitions to support multi-tenancy.  If you already have existing running farm, the change is a considerable effort.  The SA need to be created in partition mode and cannot be amended after creation (you will need to re-create the service Application).
Note: Using the Tenant Admin API for SC creation - you don't get the usual SP groups such as owner, contributor and visitor - you need to manually create them.
Note: I don't believe you can use the Publishing Site Template using the Tenant Admin API.
The Tenant Admin Site Collection can reside on the same or another Web Application where the site collections shall be provisioned.  Each Tenant Admin Site Collection (has it's own site template 'tenantadmin#0') has a SubscriptionId (Subscription Group) and when using the Tenant Site collection to create a new site collection, the new site collection is given the SubscriptionId for the group i.e. you can't specify the SubscriptionId declaratively).

Outline of steps to setup the Tenant Admin API:
  1. Service Application need to be configured in partition mode (important SSA are: search, UPA, MMS, BCS, SSS, there are more).
  2. Enabling remote site collection creation using CSOM on the Web Application
  3. Enable AdministrationSiteType property from a site collection to "TenantAdministration"
  4. Enable SelfServiceSiteCreationEnabled on the Web Application
  5. Set Up Tenant Admin for Multi Tenancy/setup subscription
More Information:
Multi-tenancy/Site subscriber explained by Bill Baer
Spencer Harbar's Rational Guide to Multi-tenancy is a useful resource
General guidance for hosters in SharePoint Server 2013 provides insight into Multi-Tenancy
Scenarios where multi-tenancy potentially shall be used:
  1. O365/SharePoint Online
  2. SPO-D
  3. Hosting companies
  4. Government implementations such as G-Cloud
  5. Large Enterprise (only with extreme requirements)
Notes on HNSC using Tenant Admin API:
  • When creating a host name site collection with managed paths e.g., you need to create the corresponding root hnsc for the routing to work i.e.
  • Creating a hnsc with a path is consider creating a hnsc not a path based site collection or a combination of the naming.
  • The manage path /sites/ which is already created works as it is already setup.  If you want another managed path you need to configure this separately.
Quota Limits:
Quota max storage size and code points are parameters in the CSOM Tenant Admin API, they don't set these values and you cannot set the quota templates using CSOM.  You only 2 options at this point in time is to use the UI and apply a template, not really an option for customers with hundreds, thousands or tens of thousands of site collections or you use PowerShell/ the Server side object model.

To be able to provision a new site collection, the account used to provision shall need to have contribute rights (it feels low and simple to me but that is the min) or higher on the Tenant Admin Site Collection.

Troubleshooting Tenant Admin Site Collection Provisioning:  Update 2017-06-28
I had tremendous problems with site collections not being completely created using CSOM and the tenant admin API on a new server that was provisioned by our engineering department.  There are a couple of IIS and farm setting you will want to review should you get this issue and our amazing team figured this out so it is not my credit.  Gonzalo, Uzzey and Anthony with thanks!

Change IIS timeouts on the WFE's and SP farm configs, this made the site collections provision completely correctly.

Monday 18 May 2015

Remote Event Receivers Basics

Overview:  Historically we use Full Trust Code (FTC) within SharePoint 2010 and MOSS to have the ability to handle events in SharePoint such as an item being added to a list.  Since SP 2013 and going forward, full trust code is not the preferred approach and Microsoft of Remote Event Receivers (RER).


  1. RER are web services that implement the iRemoteEventReceiver interface and a remote web server (WS). RER's WS can be hosted on an IIS application server (including Azure).
  2. Asynchronous events supported with different code approaches: 1. Synchronously call on the before and after events i.e. ItemUpdating, ItemUpdated 2. Asynchronous on past event/-ed events i.e. ItemUpdating only.
  3. RER's can be fired on SP events such as list item changes, BCS events, 

Complete and publish!!

Thursday 7 May 2015

SharePoint 2016 Points from the Ignite Conference

6 May 2015

SharePoint 2016 new features (from the Ignite conference 06 May 2015)

  1. Office Graph and Delve are important in SP2016.
  2. MS are releasing a search add-on for SP2013 later in 2016, this will be part of SP2016 (vNext). The add-on stores the index on o365. allows seemless indexing of on-prem and O365 using AD to AAD sync.

Download all the Ignite Videos and Slides: