Channel: SharePoint Escalation Services Team Blog

Show more relevant Titles in search results in SharePoint 2013 plus some other improvements


We’ve introduced improvements to search in SharePoint 2013 so that it is easier to display relevant titles and authors in search results. We’ve also changed how the time of the last document modification is set. This now allows more consistent and intuitive sorting and search refinement based on that time.

In this blog we’ll tell you about these changes. They’re included in the SharePoint Server 2013 cumulative update published on October 26th 2013.

Tell me in a few words: what has changed?

The metadata extractor in the content processing pipeline extracts metadata from the content that you crawl. Before the changes we’ve introduced, the output of the metadata extractor was directly written to the corresponding managed properties. Now, we’ve created two brand new crawled properties: MetadataExtractorTitle and MetadataExtractorAuthor. The metadata extractor now writes extracted titles and authors from Word documents and PowerPoint presentations to these crawled properties. These new crawled properties map to the managed properties Title and Author.

We’ve also removed extraction of the LastModifiedTime from MetadataExtractor code. Now dates included in the document body will not influence setting the date of last modification.

How can I benefit from these improvements and get the new properties?

SharePoint Server 2013:

· Install the SharePoint Server 2013 cumulative update package published on October 26th 2013.

· Perform a full crawl of all your content sources.

Tell me the details

What has changed to allow search to display better titles?

How can I change which title is shown in the search results?

What’s new with the Author mapping?

What’s new in last saved date/time extraction?

What has changed to allow search to display better titles?

Sometimes, people save or upload Word documents or PowerPoint presentations with titles like “Document1.docx” or “Presentation1.pptx”. Before the MetadataExtractor was introduced this title would typically show up as the title in the search results. That was not so good.

To present a better title for such files in the search results, we use the MetadataExtractor in the content processing pipeline. It searches for a title in the body of Word and PowerPoint files. Currently, if the MetadataExtractor finds a good candidate for a title in the body, it writes the extracted title to the new crawled property MetadataExtractorTitle that is mapped to the managed property Title by default.

Because the title from the crawled property MetadataExtractorTitle has the first priority in the mapping to the managed property Title, there’s a good chance that the titles of Word and PowerPoint files shown in search results are more relevant.

 

Note: any custom mapping for the managed property Title should be backed up before the October CU is installed. Otherwise it will be lost, because the update creates the new crawled properties and thereby resets the Title mapping to the defaults.

How can I change which crawled property is shown as the title in the search results?

You can change which crawled property is selected to be shown as the title in the search results. This depends on the priorities of crawled properties in the search schema. If you decide to change the priority order of the mapping, make sure that the crawled property that you give priority is filled with useful Titles.

Here’s a table that shows the default priority list for the crawled properties mapped to the managed property Title:

Priority | Crawled Property | Origin | What kind of value does this crawled property contain?
0 | MetadataExtractorTitle | MetadataExtractor | The title extracted from the body of Word documents and PowerPoint presentations.
1 | TermTitle | SharePoint | The title of the item in SharePoint.
2 | Office:2 | Office | The title of the item in Word or PowerPoint, etc.
3 | Ows_BaseName | SharePoint | Name of the SharePoint page. Ex: http://my/sites/wiki/Home.aspx
4 | Title | Doc Parser | The title as picked up by the content processing component.
5 | MailSubject | Doc Parser | The subject of an email file as picked up by the content processing component.
6 | Mail:5 | Mail | The subject line of an email file.
7 | People:PreferredName (urn:schemas-microsoft-com:sharepoint:portal:profile:PreferredName) | People | Person's first and last name.
8 | Basic:displaytitle (urn:schemas.microsoft.com:fulltextqueryinfo:displaytitle) | Basic | Contains the file name of an Office document.
9 | ows_Title | SharePoint | SharePoint page title.
10 | Basic:10 | Basic | Contains Filename metadata associated with file properties.
11 | Basic:9 | Basic | Contains Path metadata associated with file properties.

Even though you can change the priority order of the mapping, if one of the crawled properties is empty, the next crawled property from the priority list will be selected.

So, even though the MetadataExtractorTitle has the first priority for the title, it will only be used if a title was extracted. If that, for some reason, wasn’t possible, the TermTitle from SharePoint will be used as the title, and so on. The same mapping order is active for other document formats, but the MetadataExtractor doesn’t work for PDFs, for example. For file types other than PowerPoint and Word documents, the MetadataExtractorTitle will be empty and the next crawled property in the list will be selected to be shown as the title.

Alternatively, if you want to use the SharePoint TermTitle as the title for all your documents, change the priority of the crawled property TermTitle to position 0. If, for some reason, the TermTitle has no value, the MetadataExtractorTitle will be shown as the title, and so on.

You can change the priority in the search schema, see Manage the search schema (TechNet, on premises) or Manage the search schema
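As an added example that is not part of the original post, the following script backs up the current crawled-property mappings of the Title managed property (the backup the note above asks for) and lists them in the order they are consulted. It assumes the SharePoint Search cmdlets are available on a farm server, that the mapping collection is returned in priority order, and that each mapping exposes a CrawledPropertyName property; the output path is a placeholder.

```powershell
# Added example, not code from the blog post. Backs up the Title mapping
# before the CU is installed, so a custom priority order can be restored.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Export-TitleMapping {
    param(
        [string]$ManagedProperty = "Title",
        # Placeholder output path; put it somewhere that survives the update.
        [string]$OutFile = "$env:USERPROFILE\Desktop\TitleMapping-Backup.csv"
    )
    $ssa = Get-SPEnterpriseSearchServiceApplication
    $mp  = Get-SPEnterpriseSearchMetadataManagedProperty -SearchApplication $ssa -Identity $ManagedProperty

    # Assumption: mappings come back in priority order, i.e. the first crawled
    # property that carries a value wins and later ones are only consulted
    # when it is empty (the fallback behaviour described in the post).
    $mappings = @(Get-SPEnterpriseSearchMetadataMapping -SearchApplication $ssa -ManagedProperty $mp)
    $mappings | Export-Csv -Path $OutFile -NoTypeInformation

    $priority = 0
    foreach ($m in $mappings) {
        "{0,2}  {1}" -f $priority, $m.CrawledPropertyName   # assumed property name
        $priority++
    }
    Write-Host ("Backed up {0} mappings for '{1}' to {2}" -f $mappings.Count, $ManagedProperty, $OutFile)
}

Export-TitleMapping
```

Compare the CSV against the default table above after the update; any crawled property that is missing from the list had a custom mapping that has to be re-added.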

What’s new with the Author mapping?

We’ve added the MetadataExtractorAuthor crawled property. The metadata extractor extracts authors from the body of Word documents and PowerPoint presentations and keeps them in this new crawled property. This can be useful, for example, for scientific articles where all authors are listed inside the document body but are not present in any document properties.

The mapping to the Author managed property for any file format works like this:

1) All possible authors found during crawling are added to a non-prioritized list.

2) From that list, a concatenated string is created that excludes duplicates and empty values.

3) This string is mapped to the Author managed property.

The authors extracted by the metadata extractor are simply added to the list and included in the string.

Even though the priority is not important for the Author managed property, since all authors extracted from content are included in the string, this is where the crawled properties come from:

Crawled Property | Origin | What kind of value does this crawled property contain?
Author | Document Parser | Author as picked up by the content processing component.
MailFrom | Mail | The people names from the From line of an email file.
Mail:6 | Mail | Author, MetadataAuthor
Author | Notes | The people names associated with OneNote files.
Internal:3 | Internal SharePoint objects | Contains metadata associated with internal SharePoint objects.
Internal:105 | Internal SharePoint objects | Contains metadata associated with internal SharePoint objects.
Office:8 | Office | ModifiedBy metadata.
MetadataExtractorAuthor | MetadataExtractor | The author extracted from the body of Word documents and PowerPoint presentations.

What’s new in last saved date/time extraction?

We stopped extracting the date of last modification or creation from the document body. Even though it may be useful for PowerPoint documents where the date of the presentation is mentioned on the first slide, it was introducing too much uncertainty. Let’s imagine a presentation about the French Revolution that lists its dates on the first slide. It was then highly probable that your presentation would get 14.07.1789 as its creation date, which, I believe, is undesired.

So, with this change you can still map crawled properties to LastModifiedTime and use the managed property in the search results, but there will be no output from the MetadataExtractor in this list.

This table shows the default crawled property mapping and priority for LastModifiedTime:

Priority | Crawled Property | Origin | What kind of value does this crawled property contain?
0 | LastSavedDateTime | Document Parser | The timestamp showing when the item was last saved, as picked up by the content processing component.
1 | Basic:14 | Basic | LastModifiedTime metadata.
2 | Basic:16 | Basic | LastModifiedTime metadata.
3 | ows_Modified | SharePoint | The timestamp showing when the item was last saved in SharePoint.
4 | Lastaccessed | Notes | The timestamp showing when the item was last accessed in OneNote.

You can now sort search results based on your preferred date of modification by changing the priority order, or you can build more sophisticated logic on it, such as deleting documents that are too old from your site collection.

We hope that by adding these changes, we’ve improved the way in which you can control search results.


Post By: Srinivas Dutta [MSFT], Ievgeniia Zhovtobriukh [MSFT]

 


Scenarios where User Profile Synchronization Service (UPSS) is not designed to work


 

This blog covers some unique scenarios where UPSS is not designed to work, and also scenarios where it works only under specific conditions.

Let’s get started.

1. Single Server Farm: UPSS is not designed to start/work on a Single Server Farm

How to check this?

Check the 'ServerRole' by going to: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS"

If the 'ServerRole' says: 'SINGLESERVER' this confirms it is a Single Server Farm

 


Refer: http://support.microsoft.com/kb/983061

 

 

2. SharePoint farm built using SQL Authentication***

You can check the 'dsn' value in the registry key below. This 'dsn' value is only created when the SharePoint server is connected to a farm.

On the SharePoint server, go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure\configdb"

and look for the 'dsn' value.

If 'Integrated Security' says 'False', the farm uses SQL Authentication; for Windows Authentication, 'Integrated Security' will be 'True'.

[Screenshots: the 'dsn' value for SQL Authentication and for Windows Authentication]

 

Refer: http://blogs.technet.com/b/sykhad-msft/archive/2011/07/29/building-sharepoint-2010-farm-using-sql-authentication-amp-its-limitations.aspx

***Installing Oct-CU-2012 for SharePoint Server 2010 helps to start User Profile Sync Service even on SharePoint 2010 Farms built using SQL Authentication***

The fix was included in Oct-CU-2012 and above Cumulative Updates for SharePoint Server 2010

Refer- http://support.microsoft.com/kb/2687557/en-us

“Assume that you create a new User Profile Service Application (UPA), and you configure the synchronous database to use SQL authentication by setting up a SharePoint farm as an administrator. In this situation, the UPA creation is successful, but the UPA synchronization service cannot start”

3. When you have full-fledged Forefront Identity Manager (FIM) installed on the SharePoint 2010 server:

When full-fledged Forefront Identity Manager (FIM) is installed on the same SharePoint server where you are trying to start UPSS, it will not start. Ideally, full-fledged FIM should not be installed on any SharePoint 2010 server at all, as this is an unsupported scenario.

How to check if this is installed?

§ Go to Control Panel on the SharePoint 2010 and check if that’s installed

§ Open the Services console, right-click "Forefront Identity Manager Sync Service", and check the Path to executable. Ideally it should be:

"C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\miiserver.exe"; however, in cases where the FIM client has been installed, the executable path will be shown as:

"C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe"

§ Also check the following registry key:

"HKLM\system\currentcontrolset\services\FIMSynchronizationService". Here too, the ImagePath will show the incorrect path:

"C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe" instead of:

"C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\miiserver.exe"

What next? How to fix this?

§ Uninstall Full Fledged FIM Client from Control Panel

§ You could try the following: correct the ImagePath of the following registry: "HKLM\system\currentcontrolset\services\FIMSynchronizationService"

from "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe" to

"C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\miiserver.exe"

§ This should correct the Path to executable under the Services Console for the "Forefront Identity Manager Sync Service"

 

Hopefully this resolves the problem. However, I have seen cases where even uninstalling the FIM client and modifying the registry value above is not sufficient to start UPSS again, because a lot of registry entries are not removed when FIM is uninstalled. In such cases an extensive manual cleanup of the registry is required, and I would highly recommend opening a Support Incident with us to get this fixed.
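As an added example (my own script, not from the post), the following checks the three preconditions described above before anyone tries to start UPSS on a SharePoint 2010 server: the ServerRole value, whether the configdb 'dsn' indicates SQL authentication, and whether the FIM synchronization service ImagePath still points at the SharePoint copy of miiserver.exe. Registry paths and the expected executable path are the ones quoted in the post; the function names are mine.

```powershell
# Added example, not code from the blog post: pre-flight checks for UPSS.
function Get-ServerRole {
    $key = "HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\WSS"
    (Get-ItemProperty -Path $key -Name ServerRole -ErrorAction Stop).ServerRole
}

function Test-SqlAuthenticationFarm {
    $key = "HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure\ConfigDb"
    $dsn = (Get-ItemProperty -Path $key -Name dsn -ErrorAction Stop).dsn
    # The dsn is a connection string; "Integrated Security=False" means the
    # farm was built with SQL authentication, "True" means Windows authentication.
    [bool]($dsn -match 'Integrated\s+Security\s*=\s*False')
}

function Get-FimSyncImagePath {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService"
    (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction Stop).ImagePath
}

# Path the post expects for the SharePoint-bundled sync service.
$expectedFim = "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\miiserver.exe"

$role = Get-ServerRole
if ($role -eq "SINGLESERVER") {
    Write-Warning "ServerRole is SINGLESERVER: UPSS is not designed to start on a Single Server Farm."
} else {
    "ServerRole: $role"
}

if (Test-SqlAuthenticationFarm) {
    Write-Warning "Farm was built with SQL authentication: UPSS needs the October 2012 CU or later."
} else {
    "Farm uses Windows authentication."
}

$imagePath = Get-FimSyncImagePath
# The ImagePath may be stored with surrounding quotes; compare the bare path.
if ($imagePath.Trim('"') -ne $expectedFim) {
    Write-Warning "FIM sync service ImagePath is '$imagePath'; a standalone FIM install is probably present."
} else {
    "FIM sync service ImagePath points at the SharePoint copy of miiserver.exe."
}
```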

POST BY: SYED ABDUL KHADER [MSFT]

We are Hiring !!!


 

Position: Support Escalation Engineer

Location: Bangalore, India

 

 

Introduction

------------------------------------------------------------------------------------------------------

 

Microsoft India Global Technical Support Centre (GTSC)

Microsoft GTSC was established in October of 2003 in India, it is part of Microsoft’s Customer Service and Support (CSS) organization which has locations throughout the Americas, EMEA, Asia Pacific and Greater China.

Microsoft’s CSS organization supports over 170 Microsoft products which range from the Consumer to Enterprise customer segments. This includes the MSN and Home and Entertainment products as well as the more deeply technical products from Developer Support and Enterprise Platform Support to Enterprise Messaging Support and Enterprise Business Applications Support. The site in Bangalore is a part of a global network that has over 50 million customer touch points on an annual basis and provides services to the Consumer and Enterprise customer segments.

For more details regarding India GTSC, please visit http://www.microsoft.com/india/gtsc

Are you interested in working on some of the most difficult and complex problems in SharePoint On-Premises, SharePoint Online [Cloud] and SharePoint Hybrid setups? Do you have excellent knowledge of Windows operating systems, Microsoft Windows networking, SQL Server administration, Microsoft .NET, Internet Information Services and SharePoint? Do you like working on cloud technologies? Can you represent Microsoft in critical, time-sensitive solution delivery? If these things excite you, please read on…

Responsibilities:

--------------------------------------------------------

Represent Microsoft and communicate with corporate customers via telephone, written correspondence, or electronic service regarding technically complex escalated problems identified in Microsoft software products, and manage relationships with those customers. Frequently, these problems will not only be technically complex, but will be politically charged situations requiring the highest level of customer skill.

Receive escalated, technically complex mission critical or politically hot customer issues, and maintain ownership of issue until resolved completely.

Solve highly complex level of escalated problems, involving broad, in-depth product knowledge or in-depth product specialty; may include support of additional product line.

Use trace analysis, source code, and other sophisticated debugging tools to analyze problems and develop solutions to meet customer needs; may involve writing PowerShell scripts.

Acquire & coordinate resources from other groups as needed to resolve customer issues.

Key technical interface to Quick Fix Engineering (QFE) and Development for the resolution of high-impact or pervasive issues affecting Microsoft's corporate clients.

Manage hot issues by setting customer expectations, devising action plans, being available 24x7 and professionally communicating to all parties involved.

Lead triage meetings to share knowledge with other engineers and develop customer solutions efficiently.

Represent Microsoft professionally in on-site situations.

Act as technical lead, mentor, and role model on a team of engineers; provide direction to others, review solutions and articles, etc. Mentor new escalation engineers.

Develop and deliver technical training to other engineers.

Maintain strong working knowledge of pre-release products and take ownership for product improvement in key product areas.

Report software bugs and customer suggestions.

Write complex technical articles and sample programs for knowledge base.

Assist with selection of new team members.

May act as technical focal point in cooperative relationships with other companies.

 

Qualifications, Abilities and Experience should include:

----------------------------------------------------------------------------------------------------------------------------------

Candidate must be a strong critical thinker, and enjoy solving very difficult problems (often involving code level analysis).

Engineers in Escalation Services are frequently involved with the highest profile issues, and therefore must be able to handle both pressure and complex situations.

Candidates must also have strong customer service, accurate logical problem solving and communication skills, and the ability to work in a team environment.

The ideal candidate may have a four year degree in C.S. or Engineering and a minimum of four years product support experience or the equivalent in work experience.

Prior knowledge of Windows Server, networking technologies, the Microsoft .NET Framework and SharePoint is required.

If you enjoy being the problem-solver in the spotlight of critical problems, then this position will excite and challenge you.

This Role requires the candidate to be flexible to work in the night shifts which will be rotational in nature.

 

Apply Here

SharePoint 2010/2013: List view Lookup threshold uncovered


 

SharePoint with large lists is a common scenario in any SharePoint deployment. While several blogs and TechNet guidance articles exist on working with and managing large lists, my blog is specifically about the "List View Lookup Threshold".

Here is a table that summarizes the resource throttle and limit you need to be aware of. These throttles and limits are set on the Resource Throttling page in Central Administration.

Threshold or Limit | Default value | Description
List View Lookup Threshold | 8 | Specifies the maximum number of join operations, such as those based on lookup, Person/Group, or workflow status columns. If the query uses more than eight columns, the operation is blocked. However, it is possible to programmatically select which columns to use by using maximal view, which can be set through the object model.

From <http://office.microsoft.com/en-in/sharepoint-server-help/manage-lists-and-libraries-with-many-items-HA102771361.aspx>

This feature limits the number of joins that a query can perform. Each lookup column in a list view causes a join with another table. Each additional lookup column in a view increases the complexity of metadata navigation and list view queries. By number of joins, I mean the number of Lookup, Person/Group, or Workflow Status fields that are included in the query. So for example, if you have a view that displays 6 lookup columns, and filters on another 3 distinct lookup columns then by default that view won't work, since the List View Lookup Threshold is 8, and the view is attempting to use 9 lookups.

Here are a few observations that affect this threshold. They may cause either the request to hit the threshold limit and be throttled, or the view to show data beyond the threshold limit configured in Central Administration.

1. What counts as a lookup column: standard lookup columns, single-value managed metadata, multiple-value managed metadata, single-value people and group columns, multiple-value people and group columns, Workflow Status, Created By and Modified By (people) are all counted as lookup columns.

2. Additionally, the following columns shown in a list view also work as lookup columns: Name (linked to document), Link (Edit to edit item), Name (linked to document with edit menu), Type (icon linked to document).

 


3. We allow overriding the query throttling in the following circumstances:

a. The user is browsing during an unthrottled time window (configured in the web application throttling settings).

b. The current user is a box administrator (a member of the local Administrators group on the machine that serves the request). Local admin privileges can also be obtained through membership of an AD group that is in turn a member of the local Administrators or Domain Admins group. You can use the following command prompt command to dump the group membership of the logged-on user on a particular machine/workstation:

C:> WhoAmI /Groups

c. The user is browsing using the farm admin/application pool account of the web application.

We highly recommend that you do not increase this number beyond 8, because through thorough testing we've observed that there's a serious non-gradual performance degradation that shows up above 8 joins. Not only does the throughput that the server can handle drop significantly at that point, but the query ends up using a disproportionately large amount of the SQL Server's resources, which negatively affects everybody else using that same database. Here is an article which talks about more on the Performance impact http://technet.microsoft.com/en-us/library/ff608068(office.14).aspx
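As an added example (my own script, not part of the original post), the following counts the join-backed columns of each view on a list, including the columns referenced by the view filter, and compares the total with the web application's List View Lookup Threshold. The field type strings, the internal names of the Name/Type/Edit pseudo-columns (LinkFilename, LinkFilenameNoMenu, DocIcon, Edit), and the site URL and list name are my assumptions.

```powershell
# Added example, not code from the blog post: how many lookups does a view use?
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ViewLookupCount {
    param([Microsoft.SharePoint.SPView]$View)
    $list = $View.ParentList

    # Field types that SharePoint resolves through a join (assumed list, based
    # on the column kinds the post enumerates).
    $joinTypes = @("Lookup", "LookupMulti", "User", "UserMulti", "WorkflowStatus",
                   "TaxonomyFieldType", "TaxonomyFieldTypeMulti")
    # Display-only columns from observation 2 that still behave as lookups
    # (assumed internal names).
    $pseudoLookups = @("LinkFilename", "LinkFilenameNoMenu", "DocIcon", "Edit")

    # Columns displayed by the view.
    $names = @($View.ViewFields | ForEach-Object { $_ })

    # Columns referenced by the view's filter/order CAML count as well.
    if ($View.Query) {
        $xml = [xml]"<Root>$($View.Query)</Root>"
        $names += @($xml.SelectNodes("//FieldRef") | ForEach-Object { $_.Name })
    }

    $lookups = @($names | Sort-Object -Unique | Where-Object {
        $f = $list.Fields.TryGetFieldByStaticName($_)
        ($pseudoLookups -contains $_) -or ($f -and ($joinTypes -contains $f.TypeAsString))
    })

    [pscustomobject]@{ View = $View.Title; Lookups = $lookups.Count; Columns = $lookups }
}

# Usage; the URL and list name are placeholders.
$web = Get-SPWeb "http://intranet/sites/team"
try {
    # Default is 8; the post advises against raising it.
    $threshold = $web.Site.WebApplication.MaxQueryLookupFields
    foreach ($v in $web.Lists["Documents"].Views) {
        $r = Get-ViewLookupCount -View $v
        $flag = if ($r.Lookups -gt $threshold) { "OVER threshold ($threshold): will be throttled" } else { "ok" }
        "{0,-30} {1,2} lookups  {2}" -f $r.View, $r.Lookups, $flag
    }
} finally {
    $web.Dispose()
}
```

Run it as a plain site user rather than a box or farm administrator, otherwise the override cases in observation 3 apply and a view flagged OVER will still render for you while being blocked for everyone else.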

References:

Working with Large Lists in SharePoint 2010 - List Throttling

SharePoint 2010: How to Change the List View Threshold and Other Resource Throttling Settings

Manage lists and libraries with many items

 

POST BY: RAJAN KAPOOR [MSFT]

Setting up Perfwizard to Troubleshoot Performance Issues in SharePoint Server


 

What is PerfWizard?

PerfWizard is a diagnostic tool that helps customers and engineers resolve performance-related issues in their SharePoint deployments. PerfWizard helps you create and deploy Performance Monitor (PerfMon) counters through automation on specified servers in the farm that are running SharePoint and Microsoft SQL Server. You can run PerfWizard on one computer in the SharePoint farm to create a series of .cmd files. These .cmd files let you create, delete, start, stop, and query the PerfMon counters. They are highlighted in the File List section. The .cmd files perform all these operations remotely on each server that you specify when you run PerfWizard. Without PerfWizard, it can take hours to set up PerfMon counters on multiple servers in a farm. By using PerfWizard, that job should take only a few minutes to finish.

How Do I Get PerfWizard?

PerfWizard is a tool that was developed by and is primarily used by Microsoft Technical Support Engineers. To use PerfWizard, you must open a support case with Microsoft. You can contact Microsoft Support to open a support case. Your Support agent can then send you a link to download PerfWizard.

Running PerfWizard

The nature of the performance issue that you are experiencing will likely determine how you run PerfWizard and the data collector scripts. Does the issue occur intermittently or constantly? Does it affect only certain servers? Which services are deployed to the servers? Does the issue occur only at certain times of day? These are the kinds of questions that you must ask before you collect performance data. Troubleshooting performance can be a long and difficult process, so proper planning saves time.

When you run PerfWizard, you enter the server names for each server that is running SQL Server, each Web Front End server, and each search server on which you want to create performance counters. You can refer to the PerfWizard Versions and Counters section to see which counters are deployed to each kind of server. PerfWizard allows a server to have only one set of counters, so you cannot add the same server both as a Web Front End and as a SQL Server. Specify only the servers on which you want to create the counters. This might be a specific server or every computer in the farm.

Follow these guidelines when you collect PerfMon data:

  • It’s important to have baseline performance data to know the average performance of the system. This data also gives you something to evaluate against when a performance issue is occurring. Baseline counters should be run continuously so that performance can be evaluated around-the-clock. By default, the baseline data collectors that are created by PerfWizard have a 60 second sample interval.
  • When the issue occurs, collect incident performance data. An incident data collector set has a smaller sample interval than the baseline set has, so it collects data more frequently. By default, the incident data collectors that are created by PerfWizard have a 5 second interval. Incident performance data files can grow very quickly. It’s important to run these only when the issue is occurring. These data files have a 500 MB maximum size limit. If the limit is reached, the data collection stops.
  • Sometimes, the first two guidelines aren’t possible to follow. This happens when you experience a constant performance issue without having any baseline performance information. In these cases, collect either baseline or incident data, and then compare it to recommended performance metrics.
  • PerfWizard can be run on computers both with and without Internet access. In either situation, you will be sent a URL to the Microsoft Support website by the agent who is working on your incident. If you have not yet opened a support case, see the How Do I Get PerfWizard? section.

Follow the instructions below to run PerfWizard.

With Internet Access

1.) On the Start menu on one of the servers in the farm, right-click Internet Explorer, and then click Run as Administrator.

2.) Open the URL that was sent to you by your Support agent. The following screen is displayed:


 

3.) Click Run. The following screen is displayed:

 


Note: We highly recommend that you run the network connectivity tests that are offered here before you accept the license agreement. Many servers have restricted network access. Therefore, the diagnostic package may fail in the next step as it downloads components that it requires to run. After you agree to the license agreement, and you verify that you have network connectivity to the download servers, click Accept.

4.) When you see the following screen, select This Computer, and then click Next:

 

5.) Now you can run PerfWizard. You are presented with a series of dialog boxes that ask you to input the names of your servers by role. Remember that you can refer to the PerfWizard Versions and Counters section to see which counters are deployed to each kind of server. PerfWizard allows only one set of counters to be created on each server, so you cannot add the same server both as a Web Front End and as a SQL Server. Specify only the servers on which you want to create the counters. This might be a specific server or every computer in the farm.

 


6.) When you click Start, you are provided some instructions. Click Next to start to add the configuration settings within PerfWizard. You are prompted for your support case number and the path of the output log folders. We highly recommend that you store the logs from all servers on a network share to aid the collection process. We also recommend that you store the logs on a nonsystem drive. The following screen shots provide samples of what your input should resemble:

 


A folder named PerfWizard is created and saved to the desktop. This folder contains all the .cmd files that are described in the File List section. Go to the Using the .cmd Files section for detailed information about what each of these files does.

You now have the option to save the results or upload them to the Microsoft website for your Support agent to view. This package collects no data from your system. It only creates the .cmd files to automate the configuring of PerfMon counters. Your Support agent is notified when you upload the results. But the real power of this package comes from the .cmd files themselves.

Without Internet Access

1.) Follow steps 1 through 4 from the With Internet Access section, except that in step 4 you select A different computer. Leave the check box cleared if you want the diagnostic package to install Windows PowerShell for you.

 


2.) Specify a file location in which to save a portable version of PerfWizard. The program is saved as PortableDiagnostic.exe.

 

 

 


 

 

3.) Move PortableDiagnostic.exe to one of the servers on which you want to run PerfWizard. Right-click the file, and then click Run as Administrator. You can now follow the rest of the With Internet Access procedure, starting at step 5.

 

Using the .cmd Files

Read the File List section to understand each .cmd file that is created.

1.) We recommend that you enable the ProcessNameFormat and ThreadNameFormat registry values before you create PerfMon counters. This makes it much easier to correlate data to specific processes and threads based on their IDs. By default, PerfMon appends a sequence number to each process that has the same name. For example, PerfMon typically creates W3WP_1, W3WP_2, W3WP_3, and so on. When these naming options are enabled, the Process ID of each process is appended instead. For example, PerfMon creates W3WP_2740, W3WP_4668, W3WP_5672, and so on.

 


2.) Create the counters. Run the CreateCounters.cmd file to create baseline and incident counters on all the computers on which you are running PerfWizard. For every server that you specified in the server list, you should see a “The command completed successfully” message. If you do not see this message, verify that you have local administrator credentials on each server. LOGMAN requires dynamic RPC ports to be open on the remote server. You might receive “access denied” error messages for this reason in secure environments. In this case, and instead of changing firewall settings, we recommend that you run the .cmd files on each server in the farm to create the counters.


 

3.) You can verify that the counters were created by checking directly in PerfMon or by using the “QueryCounters.cmd” script.

 


4.) After you create the counters on all the appropriate servers, you’re ready to start the baseline counters. These should run continuously so that you have data to compare to for all hours of the week. When you’re ready to start all the counters, run the StartBaselineCounters.cmd file. Again, you can verify that the counters started by checking PerfMon or by running the query file. We recommend that you upload baseline data to your Support agent daily for analysis.

 


 

5.) Wait for the issue to occur. When you see the issue, repeat step 3 for the incident counters. Make sure that you stop these counters as soon as the issue stops. These counters have a much higher sample rate, so they’ll occupy more disk space.

6.) Now that you have baseline data and also data that was collected when the issue was occurring, you can upload the PerfMon logs to your Support agent, who will provide you with a link to a secure file transfer. Obtain the PerfMon log files from the location in which you saved them when you ran PerfWizard. Your file list should resemble the following:
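As an added example (not one of the PerfWizard scripts), the following PowerShell sets the two registry values from step 1 and then checks which Process counter instances carry a PID suffix that matches a running process. The registry path and the value data 2 come from Microsoft KB 281884; the w3wp process name is an assumption.

```powershell
# Added example, not one of the PerfWizard scripts. Registry location and the
# value data (REG_DWORD 2 = append the ID) are documented in Microsoft KB 281884.
# Run in an elevated PowerShell session on the server whose counters you collect.
$PerfProcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PerfProc\Performance'

function Enable-PerfMonIdNaming {
    # Turn on PID suffixes for Process(*) and TID suffixes for Thread(*) instances,
    # so a counter log shows w3wp_2740 rather than w3wp, w3wp#1, w3wp#2 ...
    foreach ($valueName in 'ProcessNameFormat', 'ThreadNameFormat') {
        $current = (Get-ItemProperty -Path $PerfProcKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if ($current -ne 2) {
            Set-ItemProperty -Path $PerfProcKey -Name $valueName -Value 2 -Type DWord
        }
    }
    # The performance provider reads these values when a counter session is opened,
    # so create the Data Collector Sets (CreateCounters.cmd) and open PerfMon only
    # after this function has run.
    Get-ItemProperty -Path $PerfProcKey -Name ProcessNameFormat, ThreadNameFormat |
        Select-Object ProcessNameFormat, ThreadNameFormat
}

function Get-ProcessInstanceIdMap {
    # Lists the Process(*) instances for one image name and checks whether the
    # suffix in each instance name is the PID of a running process. $ProcessName
    # defaults to w3wp (IIS worker process) purely as an assumption for this example.
    param([string]$ProcessName = 'w3wp')

    $pattern = '^\\Process\((' + [regex]::Escape($ProcessName) + '[^)]*)\)\\ID Process$'
    $instances = (Get-Counter -ListSet Process).PathsWithInstances |
        ForEach-Object { if ($_ -match $pattern) { $Matches[1] } }
    $runningPids = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Id)

    foreach ($instance in $instances) {
        # With ID naming enabled the instance is "<image>_<pid>"; otherwise it is
        # "<image>" or "<image>#<n>", and the suffix will not parse as an integer.
        $suffix = ($instance -split '_')[-1]
        $parsedPid = 0
        $hasPid = [int]::TryParse($suffix, [ref]$parsedPid)
        [pscustomobject]@{
            Instance              = $instance
            PidFromName           = if ($hasPid) { $parsedPid } else { $null }
            MatchesRunningProcess = $hasPid -and ($runningPids -contains $parsedPid)
        }
    }
}

# Usage (elevated): Enable-PerfMonIdNaming; then, in a new session, Get-ProcessInstanceIdMap
```

If MatchesRunningProcess is false for every instance after a fresh session, the naming values did not take effect and the counters should not be created yet.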

File List

Several .cmd files are created when you run PerfWizard. Each .cmd file contains batch code that performs a PerfMon operation, such as “start” and “stop.” You can open the .cmd files by using a text editor, such as Notepad, to view the script that will be run. The following table displays the name and descriptions of each file that is generated. Each file is appended by using the Case ID that was entered when you ran PerfWizard. If no value was entered, a random number is used instead.

Generated .cmd Files

File Name

Description

CreateCounters.cmd

Creates both baseline and incident Data Collector Sets in PerfMon. After they are created, you can view the Data Collector Sets by opening PerfMon and expanding User Defined Data Collector Sets.

EnableProcessNameFormat.cmd

Sets the ProcessNameFormat registry value. This lets Process IDs be displayed in PerfMon data. For more information, see this article.

EnableThreadNameFormat.cmd

Sets the ThreadNameFormat registry value. This lets Thread IDs be displayed in PerfMon data. For more information, see this article.

DisableProcessNameFormat.cmd

Removes the ProcessNameFormat registry value.

DisableThreadNameFormat.cmd

Removes the ThreadNameFormat registry value.

StartBaselineCounters.cmd

Starts all baseline data collectors on all servers that are specified when you run PerfWizard. The baseline counters should run continuously so that there is data against which any changes can be evaluated.

StartIncidentCounters.cmd

Starts all incident data collectors on all servers that are specified when you run PerfWizard. The incident counters have a very small sample interval. This means that they record performance data much more frequently than baseline counters. These should run only when the performance issue is occurring, and the performance log file should be monitored to make sure that it does not consume too much disk space.

StopBaselineCounters.cmd

Stops all baseline data collectors on all servers that are specified when you run PerfWizard.

StopIncidentCounters.cmd

Stops all incident data collectors on all servers that are specified when you run PerfWizard.

QueryBaselineCounters.cmd

Queries the baseline counters on all servers in the farm. Querying the counters provides the following information:

- Counter Name

- Status (Running/Stopped)

- Log location

- Interval duration

- List of all counters

QueryIncidentCounters.cmd

Queries the incident counters on all servers in the farm.

DeleteBaselineCounters.cmd

Deletes all baseline data collectors on all servers that are specified when you run PerfWizard.

DeleteIncidentCounters.cmd

Deletes all incident data collectors on all servers that are specified when you run PerfWizard.

Resources

· Learn about Using Performance Monitor.

· Learn about Working with Performance Logs.

· Check out Mike McIntyre’s blog about troubleshooting performance issues in SharePoint environments.

· Learn about Manipulating Performance Monitor logs.

· Check out these Microsoft Knowledge Base articles about PerfWizard Diagnostic for more information about these tools.

Audience

This version of PerfWizard is designed for Microsoft Support Engineers and IT Pros who specialize in Microsoft SharePoint Server. PerfWizard can be used to help identify performance issues and bottlenecks in a SharePoint farm. In order to use PerfWizard, you must be a local administrator on each server on which you want to collect performance data.

Disclaimer

PerfMon Data Collector Sets write performance data to disk. We highly recommend that you store the PerfMon logs on a nonsystem drive. This option is presented when you run PerfWizard. Microsoft does not support the practice of modifying the scripts that PerfWizard generates, unless you are directed to do this by Microsoft.

POST BY: SharePoint Diagnostics Team

Office 365-Configure Hybrid Search with Directory Synchronization –Password Sync –Part2


We have set up outbound search in Part 1 of this post. Now let’s take a look at how to configure inbound search.

Configure Inbound Search

Inbound search goes from SharePoint Online to the company’s corporate network, i.e. SharePoint On-premises. A user who is not on the corporate network, but is signed into SharePoint Online in Office 365, searches. There is an inbound request to the customer’s network, i.e. SharePoint On-premises, to return results. Results from both SharePoint Online and SharePoint On-premises are displayed.

For this post we are going to look at the search experience for the same user manas in the mbspoincloud domain (manas@mbspoincloud.com), who at this point is able to search from SharePoint On-premise and get results from SharePoint Online (outbound search). For this same user we will now configure Inbound Search. At this point it’s assumed that the organization has already completed the steps mentioned in part 1 of this post, i.e.

1> Directory Synchronization

2> Server-to-Server Trust with Windows Azure ACS

The next steps would be to configure SharePoint Online to display results from SharePoint On-Premise Server.

1. Configure Secure Store target application.

2. Configure Forefront as a reverse proxy. (In this post I am going to share steps with Forefront as a Reverse Proxy.)

Note: We are testing additional reverse proxies and will post the test results accordingly.

3. Search configuration in SharePoint Online.

a. Result Source.

b. Query Rule.

Configure Secure Store Service Target Application

In order for SharePoint Online to access SharePoint Server 2013 on premises, a reverse proxy that supports certificate authentication is needed, and a Secure Sockets Layer (SSL) certificate needs to be installed both on the reverse proxy and in the Secure Store Service (SSS) of SharePoint Online. SharePoint Online hybrid search requires you to acquire a Secure Channel certificate and then create a Secure Store target application in SharePoint Online to store the certificate. This target application is called the Secure Channel target application. Before SharePoint Online submits the search query string, it performs S2S authentication with the reverse proxy, and only if the authentication is successful (trusted root CA, CRL check successful, certificate valid, etc.) is the search query string submitted. Based on the query, the Online Search service sends an HTTPS request which includes the client certificate from the Secure Store as well as the OAuth token. The reverse proxy authenticates the request by using the client certificate and forwards it to the on-premise SharePoint 2013 farm. The SharePoint 2013 On-Premise farm then extracts the ID of the user from the OAuth token and uses the client object model (CSOM) to map it to the corresponding identity of the user on-premise.

The SSL certificate that is used must be issued by a public certification authority for your domain (mbspoincloud.com in our case), must have a key of at least 2048 bits, and must be either

· Wildcard (a wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain, for example *.mbspoincloud.com)

or

· SAN, per the X.509 standard (Subject Alternative Names let you protect multiple host names with a single SSL certificate; to check whether you have a SAN certificate, look up the Subject Alternative Name field on the Details tab of the certificate).

You need to ensure that the certificate is from a well-known public certification authority and acts as both a server and a client certificate. A self-signed certificate cannot be used for this purpose. To validate this, look at the Details of the certificate under the “Enhanced Key Usage” field.

Once the correct certificate type is obtained, we can proceed with creating the Secure Store target application.

Complete the following steps to create a Secure Store target application in SharePoint Online to store the SSL certificate used to authenticate against the reverse proxy.

Open Internet Explorer and browse to http://portal.microsoftonline.com and log on with your global administrator account that you used when you signed up for the tenant. From the navigation bar at the top, click Admin and then click SharePoint.

In the SharePoint Online Administration Center, click secure store from the left navigation pane. Click New to create a Secure Store target application in the Secure Store service application.

In the Target Application Settings section, perform the following actions.

Target Application ID: Type the name (for example, SPOnline).

Note: This Target Application ID must be provided when you create the Result Source in SharePoint Online. This ID is a unique target application name that cannot be changed later.

Display Name: This is just a name to identify the target application ID within your SharePoint Online farm. Type in a name of your choice (for example, SPOnline).

Contact E-mail: Type the e-mail address of the primary contact for this target application

Credential Fields: This is where we need to define the authentication type for communication with the reverse proxy.

Field Name: This is the name of the field that the user will get to see once they choose the Set Credentials option. The field names cannot be edited later. Within the text box in the first row, type Certificate.

Field Type: Select Certificate from the drop-down list box as the field type.

Field Name: This is just the name of the field that the user will get to see once they choose the Set Credentials option. The field names cannot be edited later. Within the text box in the second row, type Certificate Password.

Field Type: Select Certificate Password from the drop-down list box as the field type.

Once the above steps are completed, the Credential Fields section should look like the following screenshot.

Target Application Administrators: This is where you need to define the list of users who will later have access to manage the settings of the Secure Store target application that you are creating.

Members: This is where you need to define the list of users and groups mapped to the credentials that are defined for this target application. Make sure to add any users who will be using the hybrid configuration.

Once you click OK, the target application should be created. Under Target Application ID, select the Target Application ID check box that you created which in this case is SPOnline. Click the Set tab.

Click the Credentials group, click Set, click Browse next to the Certificate field, and then browse to the location where you stored the public certificate you acquired. You need the certificate in .pfx format.

The certificate that you acquired from a public certification authority may have been delivered to you in a different format, but the certificate that you import here must be in .pfx format, which means you will have set a password for it. Type the password in the password field. If you are unsure about the password, do not proceed with the import. There is no validation of the password field when you upload the certificate to the Secure Store target application, which means it will accept any characters as the password. An incorrect password will result in a failure to establish a secure channel with the reverse proxy, and hence no search results will be returned. The following optional step lets you check the password if in doubt.

Double-click the .pfx file and follow the wizard until it prompts you to enter the password (after the File to Import screen). If it takes you to the Certificate Store screen, the password is correct. You do not need to install the certificate: click Cancel on that screen, identical to the image below, now that you are sure about the password.
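Because the Secure Store upload accepts any password and a wrong certificate only shows up later as an empty result set, it helps to check the .pfx offline before uploading it. The following PowerShell function is an added example (not from the post or from Microsoft) covering the password, private key, key size, self-signed, Enhanced Key Usage and name requirements described above; mbspoincloud.com is the post's example domain and the file path is a placeholder.

```powershell
# Added example, not from the original post or from Microsoft: offline checks on the
# .pfx before it goes into the Secure Store target application and onto the TMG server.
# $PfxPath is a placeholder; mbspoincloud.com is the domain used as the example in the post.
function Test-HybridSearchPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [string]$Domain = 'mbspoincloud.com'
    )
    $result = [ordered]@{
        PasswordOk = $false; HasPrivateKey = $false; KeySizeOk = $false
        NotSelfSigned = $false; ServerAuthEku = $false; ClientAuthEku = $false
        NameCoversDomain = $false; Names = @()
    }
    try {
        # Unlike the Secure Store upload form, this constructor throws on a wrong password.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $PfxPath, $Password
        $result.PasswordOk = $true
    } catch {
        return [pscustomobject]$result   # nothing else can be checked
    }

    $result.HasPrivateKey = $cert.HasPrivateKey
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $result.KeySizeOk = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
    # A self-signed certificate has identical subject and issuer
    $result.NotSelfSigned = $cert.Subject -ne $cert.Issuer

    # Enhanced Key Usage must list both Server Authentication and Client Authentication
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $result.ServerAuthEku = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
    $result.ClientAuthEku = $ekuOids -contains '1.3.6.1.5.5.7.3.2'

    # Names: the subject CN plus every DNS entry of the Subject Alternative Name extension
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $result.Names = @($names | Sort-Object -Unique)
    # Either the bare domain, a wildcard for it, or SAN host names under it
    $result.NameCoversDomain = [bool]($result.Names | Where-Object {
        $_ -eq $Domain -or $_ -like "*.$Domain" })

    [pscustomobject]$result
}

# Usage: Test-HybridSearchPfx -PfxPath 'C:\certs\<your-cert>.pfx' -Password (Read-Host -AsSecureString 'PFX password')
```

Every property except Names should come back True before you proceed with the upload.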

Once you have typed in the correct password, click OK to upload and set the certificate for the target application. A copy of this certificate would be required in the reverse proxy server. This completes the target application creation for Secure Store in SharePoint Online.

Configure Forefront as a Reverse Proxy

In order for SharePoint Online to query and return results from the on-premise SharePoint farm, a reverse proxy device must be configured to provide a secure endpoint for connection to SharePoint On-premise. The reverse proxy device receives incoming requests from SharePoint Online and passes them to the SharePoint On-Premise servers. The next step is therefore to configure a reverse proxy. While creating this content we are still validating additional reverse proxies, and I will post the test results for additional reverse proxy devices in this blog shortly.

Reverse proxy has a few standard requirements.

· Reverse proxy should support pass-through authentication.

· Reverse proxy should support OAuth 2.0.

· Reverse proxy should support client certificate authentication.

· Reverse proxy should not modify the original SharePoint headers.

Threat Management Gateway (TMG 2010) is a supported reverse proxy device for SharePoint 2013 hybrid. Forefront Threat Management Gateway (TMG) can be configured to support both pass-through authentication and certificate authentication. When TMG 2010 is used as the reverse proxy, it should be domain joined to support SSL client certificate authentication.

Prerequisites for Configuring Forefront TMG as a Reverse proxy

· A public SSL certificate issued by a trusted public certification authority (CA).

· The SSL certificate of the web server needs to be installed as a personal certificate of the computer account.

· Member server preferably Windows Server 2008 R2.

· Two NICs.

· Public IP address.

· Private IP address in the same subnet as domain controller.

Configuration Overview

The following steps need to be performed on the TMG server.

1. Install the Secure Channel certificate to configure client certificate authentication for the TMG web listener.

2. Configure Listener for HTTPS.

3. Configure Web publishing rule for SharePoint.

Let us take a look at the detailed configuration steps.

Install the Secure Channel Certificate

To start, we need to configure client certificate authentication for the TMG web listener. The SSL certificate that you obtained from a well-known public certification authority and imported into the Secure Store application must first be imported as a personal certificate of the computer account on the machine on which Forefront TMG is installed. Until you do so, it will not show up in the list of existing certificates. To do so, follow the steps below.

1. On the Forefront TMG computer, click Start, click Run, type mmc in the Open text box, and click OK.

2. In the Console1 window, click the File menu and then click Add/Remove Snap-in.

3. Select Certificates and click Add.

4. On the Certificates snap-in page, select Computer account and click Next.

5. On the Select Computer page, select Local computer and click Finish.

6. In the console tree, expand the Certificates (Local Computer) node, and right-click Personal.

7. Select All Tasks, and then click Import.

8. On the Welcome to the Certificate Import Wizard page, click Next.

9. On the File to Import page, browse to the location where you have stored the certificate and select the certificate from public certification authority, and then click Next.

10. On the Password page, type the password for this file and then click Next.

The Password page provides the option Mark this key as exportable. If you want to prevent exporting of the key from the Forefront TMG computer, do not select this option.

11. On the Certificate Store page, verify that Place all certificates in the following store is selected and that Certificate Store is set to Personal (the default settings), and then click Next.

12. On the Completing the Certificate Import Wizard page, click Finish.

Verify Server Certificate Was Properly Installed

1. Click Start, click Run, type mmc in the Open text box, and click OK.

2. In the Console1 window, click the File menu and then click Add/Remove Snap-in.

3. In the Add/Remove Snap-in dialog box, click Add.

4. In the Add Standalone Snap-in dialog box, select Certificates and click Add.

5. On the Certificates snap-in page, select Computer account and click Next.

6. On the Select Computer page, select Local computer and click Finish.

7. In the Add Standalone Snap-in dialog box, click Close.

8. In the Add/Remove Snap-in dialog box, click OK.

9. In the console tree, expand the Certificates (Local Computer) node, expand Personal, click Certificates, and double-click the new server certificate, that is, *.mbspoincloud.com.

On the General tab, there should be a note that says You have a private key that corresponds to this certificate.

On the Certification Path tab, you should see a hierarchical relationship between your certificate and the certification authority (CA) and a note that says This certificate is OK.

Company policy sometimes places service accounts in the Managed Service Accounts AD container, or denies them local logon rights on domain members. A best practice for configuring the certificate on the reverse proxy server is therefore to add the certificate only to the computer’s personal store, rather than to the personal store of the fwsrv account, and to grant the fwsrv account at least read permissions on the private key of the certificate. Provide the Forefront TMG service account read access to the private key of the certificate as follows.

10. From within the MMC window that you opened above, right-click the certificate, click All Tasks, and then click Manage Private Keys.

The fwsrv account should be granted at least read permissions on the private key of the certificate. Note that the service account shows up as NT Service\fwsrv.

Publish SharePoint Server For Extranet

Note: Every company has its own best practices for publishing web servers on the Internet. Consult your company’s security or network expert, share the plan and get their buy-in before following the steps below. The steps below are provided “As Is” and may not be the best way to publish and secure SharePoint or any other web server on the Internet.

To publish the SharePoint server so that it is accessible from the Internet, you need to create a web listener and a publishing rule. When you create a web publishing rule, you specify a web listener to be used when applying the rule.

Configure Listener for HTTPS

Log in to the server that hosts Forefront TMG. From the Toolbox tab on the very right, expand the Network Objects group. Within the group, right-click the Web Listener node and click New Web Listener.

Provide a name for the new web listener (for example, SPS) and click Next. Under Client Connection Security, click the Require SSL secured connections with clients option button and click Next.

Under Web Listener IP Address, choose the Network Interface that is associated with the external IP address of your company’s network (in my case External), and then click Next.

Under Listener SSL Certificate, click the Use a single certificate for the Web Listener option button, and then Select Certificate. You should be able to choose the wildcard certificate that you have acquired from a public certification authority and added to the server.

Under Authentication Settings, ensure you have selected SSL Client Certificate Authentication in the Select how clients will provide credentials to Forefront TMG drop-down list box.

Click Next on the Single Sign On Settings page. This will create the web listener. Click Apply to save the changes and update the configuration.

Completing the above steps will create a web listener and activate the same. The next step would be to create a web publishing rule to publish the on-premise SharePoint Server 2013.

Publishing Rule for SharePoint Server 2013

Once the web listener has been successfully created, complete the following steps. Select the Firewall Policy node from the tree on the very left. Right-click the tree node, click New, and then click SharePoint Site Publishing Rule.

Provide an easily identifiable name for the new Publishing Rule (for example, SPS Publishing) and then click Next. Select the correct publishing type (in my case, it is just a single SharePoint Server 2013 site) and click Next.

You can choose between SSL termination and SSL bridging at this stage. This decides whether the communication between the TMG server and SharePoint will be HTTPS, which is the recommended way. You would then need to ensure that the web front end of your SharePoint server has a copy of the certificate and that you have the correct alternate access mapping settings accordingly. This is definitely the more secure and desired approach. For this example I will use HTTP. Click the Use non-secured connections to connect the published Web server or server farm option button, and then click Next.

Enter the URL to the Internal SharePoint Site and the host name of the SharePoint Server. In this case, it is spweb. Click Next.

Specify the Public name (or select any domain name option), and then click Next.

Select the web listener you created in the previous step and then click Next. Leave the default selection for the Authentication Delegation settings and then click Next.

Select the option corresponding to your current Alternate Access Mapping settings on the SharePoint Server 2013 machine and then click Next.

On the next screen, you can either limit the User Sets to a specific group of users or change the User Sets that the publishing rule applies to to All Users, and then click Next. Click Finish to have the publishing rule created, and then click Finish. Click Apply to save the changes and update the configuration. If you click Firewall Policy, you should now see the web publishing rule that you created.

As I mentioned earlier, depending on the security standards of a company, the above configuration may vary. Configuring TMG is not the core objective of this post, but I wanted to share a standard way of publishing a SharePoint site through a reverse proxy and of creating a listener that the Secure Store target application can make requests to.

Alternate Access Mappings

The next step is to ensure that we have the correct alternate access mappings for the SharePoint On-Premise site collection to be accessed from the Internet. It is recommended to extend the web application and have separate IIS sites for Extranet and Intranet. You can follow the steps documented in TechNet: http://technet.microsoft.com/en-us/library/gg276325.aspx. If you chose the option to terminate SSL at the TMG level, your alternate access mappings for the web application you are publishing externally should look identical to the following.

For more information about alternate access mappings, see: http://technet.microsoft.com/en-us/library/cc288609(v=office.12).aspx

At this stage, you should be able to access your on-premise SharePoint environment using the public URL from anywhere, even from your Corpnet.

Search Configuration in SharePoint Online.

Now that we have the Secure Store target application created and SharePoint On-Premise site collection published using TMG, we need to perform a few additional steps in order to see search results from SharePoint Online.

Two steps are needed to configure Hybrid Search:

1. Create a result source.

2. Create a query rule.

New Result Source

Browse to http://portal.microsoftonline.com and log on with your global administrator account. From the navigation bar at the top, click Admin and then click SharePoint.

The configuration can happen on different levels: globally in the Search Service Application, locally per site collection, or per site. For this post, we will do the configuration at the tenant admin level. From the left navigation pane in the SharePoint admin center, click Search.

In Search Administration, click Search Result Sources. On the Manage Result Sources page, click New Result Source.

On the Search Result Sources page, do the following:

a. In the Name text box, type a name for the new result source (for example, SharePoint Online RS).

b. For the Protocol, select Remote SharePoint.

c. For the Remote Service URL, type the address of the root site collection of the SharePoint On-Premise site collection whose results should be included. This is the same URL through which the SharePoint On-Premise site collection was published via TMG.

d. For the Type, select SharePoint Search Results.

e. Leave Query Transform as default, which is {searchTerms}.

f. For Credentials Information, select SSO Id and type in the name of the Secure Store target application that you created earlier and to which you uploaded the certificate.

It is recommended that you verify that the target application name entered here is correct. Click OK to save the new result source. If you edit the result source, you should see settings identical to the ones shown in the following screenshot.

The next step is to create a new query rule. From the left navigation pane in the SharePoint admin center in SharePoint Online, click Search.

1. In Search Administration, click Manage Query Rules.

2. In the Select a Result Source drop-down list, select the result source you created before (for example, SharePoint Online RS).

3. Click New Query Rule.

4. In the General Information section, in the Rule Name box, type a name for the new query rule (for example, SharePoint Online QR).

5. Click the Context link to expand the options.

6. In the Context section, do the following:

a. Under Query is on these sources, either select All Sources or One of these sources. If you select One of these sources, make sure to select the result source created before (here, it is SharePoint Online RS).

b. Leave the default selection for the Query is performed from these categories and Query is performed by these user segments options.

7. In the Query Conditions section, click Remove Condition so that the rule will fire for every query.

8. In the Actions section, leave Promoted Results as default.

9. In the Actions section, under Result Blocks, click Add Result Block.

10. In the Edit Result Block dialog box, do the following:

a. Leave the default for the Query Variables and Block Title sections.

b. In the Query section, in the Search this Source drop-down list box, select the name of the result source that you created before (here, it is SharePoint Online RS). In the Items drop-down list box, specify the number of items to show up as maximum (the default is 2 but feel free to select a number of your choice).

c. Click the Settings hyperlink.

d. In the Settings section, make sure the This block is always shown above core results option is selected. This is just to easily see if the Hybrid Search configuration is actually working and the block will always show up in your results page.

e. Skip the Routing section and click OK to add the result block.

11. Back at the Add Query Rule page, click the Publishing hyperlink.

12. In the Publishing section, make sure the Is Active check box is selected.

13. Click Save. Once you view the Query rule, it should look identical to the following screenshot.

This completes the configuration that is required on SharePoint Online.

Open a new browser session and type in the SharePoint Online site collection URL https://<tenantdomain>.sharepoint.com. On the Sign in with your organization account tab, type in the user name and password. Note: the user has already been synchronized from your on-premise AD following the steps in part 1 of this post and has been added to the SharePoint Online site collection (for example, user manas@mbspoincloud.com).

In the search drop-down list box, select Everything as a filter for your search.

Within the search text box, type a keyword. Search results should be displayed from both verticals (online, on-premise), identical to the figure below.

In case you do not see any results, here are a few quick troubleshooting tips, since you do not have access to ULS logs as you do in your on-premise farms.

Test Result Source

Browse to http://portal.microsoftonline.com and log on with your global administrator account that you used when you signed up for the tenant. From the navigation bar at the top, click Admin and then click SharePoint.

From the left navigation pane of the SharePoint admin center, click Search and then click Manage Result Sources. On the Manage Result Sources page, hover your mouse over the result source you created (SharePoint Online RS) and click Test Source.

This fires a test query and shows you relevant troubleshooting information; for example, in the case below the on-premise SharePoint site collection is not accessible.

You can also find relevant information from the Query Builder. Browse to http://portal.microsoftonline.com and log on with the global administrator account that you used when you signed up for the tenant. From the navigation bar at the top, click Admin and then click SharePoint. From the left navigation pane of the SharePoint admin center, click Search.

In the Search Administration section, under Site Collection Administration, click Search Result Sources. In the Manage Result Sources page, click the result source you created in the previous procedure (for example, SharePoint Online RS). In the Edit Result Source page, click Launch Query Builder. In the Build Your Query page, select the Test tab. Click the Show more hyperlink.

Type a search term of your choice in the textbox next to {subject terms} and click Test Query (Hint: “*” is also a valid search term).

Relevant search results will be displayed in the Search Result Preview window if your configuration is valid. If there are problems with your configuration, troubleshooting information will be displayed.

At this stage, you have configured a two-way Hybrid search with DirSync password synchronization. A quick recap:

Outbound Search (most common): Outbound from on premises or the corporate network, i.e. SharePoint On-Premise, to SharePoint Online. The user searches from on-premise. There is an outbound request to SharePoint Online to return results. Results from both SharePoint Online and SharePoint On-Premise are shown.

Inbound Search: Inbound from SharePoint Online to On-Premise, where SharePoint is hosted. A user who is not on the corporate network, but is signed into SharePoint Online, searches. There is an inbound request to the corporate network (SharePoint On-Premise) to return results. Results from both SharePoint Online and SharePoint On-Premise are shown.

Two-way Search: Search is set up both inbound and outbound as described above. Both scenarios are supported in that case – whether the user is on-premise on corpnet or only signed in to SharePoint Online.

In the next part of this post I will discuss the steps to configure an ADFS server so that users can have a single sign-on experience.

 

Please watch this space for Part 3 of this series, which is coming soon!

POST BY : MANAS BISWAS [MSFT]

Identity Federation & Single Sign on Deployment for Hybrid Search in Office 365 –SharePoint Online –Part3


Parts 1 and 2 of this post describe how to configure two-way hybrid search with directory synchronization and password sync. Note that single sign-on is not a core configuration requirement for hybrid search; it improves the sign-in experience for users when they open content that is returned in search results from SharePoint Online. As mentioned in part 1, the user re-hydration process is the key to hybrid search results, and DirSync is a key requirement for it. However, when we look at the sign-in experience of an on-premises user accessing resources in SharePoint Online, he needs to type his user name manas@mbspoincloud.com and password every time. He can of course choose Remember me and save the password, but he still lacks a single sign-on experience in SharePoint Online.

In this post we will configure identity federation to provide a single sign-on experience to users. The steps below describe configuring a single ADFS server; the best practice is to deploy ADFS servers in a farm and to configure an ADFS proxy for extranet users. With the steps below, single sign-on will be available only to intranet users; you can of course publish the ADFS STS endpoint to the Internet so that your users can still authenticate while they are not connected to the company intranet. So let’s take a look at what is required to configure ADFS and provide the single sign-on experience.

This assumes your on-premises domain has already been added and verified following the steps in part 1 of this post. The key requirements for the ADFS install are:

· The Active Directory domain must be at least at the Windows 2003 mixed or native functional level.

· You need a Windows Server 2008 or Windows Server 2008 R2 machine on which to install and configure ADFS.

· Download the ADFS installer from http://www.microsoft.com/en-us/download/details.aspx?id=10909

· Create an “A” record for the STS endpoint of your on-premises ADFS server.

Install Active Directory Federated Services 2.0 (ADFS 2.0)

After downloading the installer, run AdfsSetup.exe.

1. In the Open File – Security Warning dialog box, click Run.

2. On the Welcome to the ADFS 2.0 Setup Wizard page, click Next.

3. On the End-User License Agreement page, select the I accept the terms in the License Agreement check box, and then click Next.

4. On the Server Role page, review the two options for Federation server and Federation server proxy. Verify that Federation server is selected and then click Next.


5. On the Install Prerequisites Software page, review the prerequisites list and click Next.


6. On the Completed the ADFS 2.0 Setup Wizard page, verify that the Start the ADFS 2.0 Management snap-in when this wizard closes check box is not selected, and then click Finish.


The next task is to obtain a certificate. You can procure one from a public certification authority or use a domain certificate if you have the infrastructure. For this example I have a certification authority configured on-premises. If you do not have a certification authority in your on-premises domain, you can generate a certificate request and procure a certificate from a public certification authority.

Create or Procure an SSL Certificate

On the machine where ADFS 2.0 has been installed, follow the steps below.

Open Internet Information Services (IIS) Manager. In the Navigation pane, click the local machine name. In the Results pane, under IIS, double-click Server Certificates.

In the Actions pane, click Create Domain Certificate.

In the Request Certificate window, on the Distinguished Name Properties page, specify the common name; you can request a wildcard certificate for your domain, *.mbspoincloud.com. Fill in the Organization, Organizational unit, City/locality and State/province fields and click Next.

On the Online Certification Authority page, under Specify Online Certificate Authority, click Select and choose the certification authority for your domain. Type a friendly name to identify your certificate and click Finish.


The next task is to assign the certificate to the Default Web Site. In the Navigation pane in IIS Manager, expand the local machine name, select Sites and then select Default Web Site. In the Actions pane, choose Bindings. In the Site Bindings window, click Add.

In the Add Site Binding window, in the Type drop-down list, click https. From the SSL certificate drop-down list, select the certificate you created above.


Once the certificate is installed properly you can proceed with the AD FS configuration. To launch the AD FS configuration wizard, click Start, click Administrative Tools, and then click ADFS 2.0 Management. In the ADFS 2.0 management console, in the Results pane, click ADFS 2.0 Federation Server Configuration Wizard. On the Welcome page, verify that Create a new Federation Service is selected and then click Next.

On the Select a Stand-Alone or Farm Deployment page, click the Stand-alone federation server radio button and then click Next.


On the Specify the Federation Service Name page, verify the SSL certificate and the Federation Service name, and then click Next.

On the Ready to Apply Settings page, review the configuration and then click Next. On the Configuration Results page, review the results and click Close. A successful ADFS configuration looks like the screenshot below.

Installation of the Microsoft Online Services Module for Windows PowerShell

Now that we have installed ADFS 2.0, we have to establish a trust with Office 365. To do so we need to install the components below.

Install the Microsoft Online Services Sign-In Assistant: the Sign-In Assistant provides end-user sign-in capabilities to Microsoft Online Services, such as Office 365, and is a prerequisite for the Azure Active Directory Module for Windows PowerShell. Download it from http://www.microsoft.com/en-us/download/details.aspx?id=28177

Install the Windows Azure Active Directory Module for Windows PowerShell: to convert your on-premises domain to federated and establish a trust with Office 365 you need this module. As mentioned in http://technet.microsoft.com/en-us/library/hh967619.aspx, you can use its cmdlets to accomplish Windows Azure AD tenant-based administrative tasks such as user management, domain management and configuring single sign-on. Once you have installed the Sign-In Assistant, you can download the module from http://g.microsoftonline.com/0BX20en/229

Once downloaded, run AdministrationConfig-EN.msi. On the Welcome to the Microsoft Online Services Module for Windows PowerShell Setup page, click Next, follow the instructions and complete the setup.

Convert your On-premises domain to Federated Domain

If you chose to add a shortcut, you should see the module's PowerShell shortcut on the desktop. At the Windows PowerShell prompt, type the following command and then press Enter.

Connect-MSOLService

In the Enter Credentials window, enter the user name and password of your Office 365 global administrator.

Run the following command (it prompts for the host name of your ADFS server).

Set-MsolADFSContext

Run the following command, where the domain is your on-premises domain.

Convert-MSOLDomainToFederated -DomainName mbspoincloud.com

Once the domain has been converted to federated, you should see the message “Successfully updated mbspoincloud.com domain” on your screen.

If you see an error while the conversion is running, browse to C:\users\userAccount\documents\MicrosoftOnline to review the log. Open the latest MSOL-IdentityFederation-<date> log file and search it for the word “error” to narrow down what problems are occurring.
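As an added example (not part of the original post), the script below wraps the three commands above so that the conversion is skipped when the domain is already federated, and then verifies the result from the tenant side. The domain name and the ADFS host name are placeholders; it assumes the Sign-In Assistant and the Azure AD module are installed.

```powershell
# Added example, not from the original post. Assumes the Sign-In Assistant and the
# Azure AD module are installed and that you have Office 365 global administrator
# credentials. Domain and ADFS host names are placeholders: replace them.
$DomainName = "mbspoincloud.com"        # on-premises domain verified in part 1
$AdfsHost   = "adfs.mbspoincloud.com"   # placeholder: FQDN of the ADFS 2.0 server

Import-Module MSOnline
Connect-MsolService                      # prompts for the global administrator
Set-MsolADFSContext -Computer $AdfsHost  # tell the cmdlets which ADFS server to use

$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne "Verified") {
    throw "$DomainName is not verified in the tenant; complete part 1 first."
}

if ($domain.Authentication -eq "Federated") {
    Write-Host "$DomainName is already federated; conversion skipped."
} else {
    # Converts the domain and registers the ADFS server as its identity provider.
    Convert-MsolDomainToFederated -DomainName $DomainName
}

# Check 1: the tenant must now report the domain as federated.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne "Federated") {
    $logDir = Join-Path ([Environment]::GetFolderPath("MyDocuments")) "MicrosoftOnline"
    throw "Conversion failed; review the newest MSOL-IdentityFederation log in $logDir"
}

# Check 2: compare the federation settings Office 365 stored with what the ADFS
# server publishes. The two entries (one from ADFS, one from Office 365) should
# agree on the federation service identifier, sign-in URL and signing certificate.
Get-MsolFederationProperty -DomainName $DomainName | Format-List
```

Check 2 is the one to rerun after any ADFS certificate rollover, since a mismatch there breaks sign-in even though the domain still reports Federated.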

Now any on-premises user should be able to use single sign-on. Note that, since I have not shared the steps to publish the ADFS endpoint to the Internet (which come with best practices around the ADFS proxy), this setup is only accessible to users on the company’s intranet. If user manas@mbspoincloud.com now browses to a SharePoint Online site collection from the company’s intranet (https://<tenantdomain>.sharepoint.com) and types in his user name, he should see the message “Redirecting... We’re taking you to your organization sign-in page.”

Sign-in should now work and the user should be able to access the SharePoint Online site collection. Notice the difference: the same user now signs in seamlessly without an additional password prompt, because of the IdP (Identity Provider) and RP (Relying Party) trust we set up to provide single sign-on. Once the user signs in and clicks the search drop-down list, he should get the same search experience. The search results should be displayed from both verticals (online, on-premises), similar to the image below.

I have shared Microsoft Threat Management Gateway (TMG) as the reverse proxy for this post. We are testing additional reverse proxies and I will post the test results shortly in my next post.

POST BY : MANAS BISWAS [MSFT]

How to use ADFS with SharePoint hosted apps in Sharepoint 2013


This blog provides some handy information for setting up SharePoint-hosted apps in SharePoint 2013 with ADFS 2.0.

As stated in http://technet.microsoft.com/en-us/library/jj219806.aspx, SharePoint-hosted apps in SharePoint 2013 support SAML authentication.

Each SharePoint-hosted app has a unique DNS domain, so each also has a unique return URL (the URL the user comes back to from the STS), typically https://spapp-UNIQUEID.appsContoso.local/_trust

To be able to use ADFS 2 with SharePoint hosted apps, the following must be done:

- In SharePoint: Create a unique realm per SharePoint hosted app
- In ADFS: Create a relying party per SharePoint hosted app


Create a unique realm per SharePoint hosted app in SharePoint:


$t=Get-SPTrustedIdentityTokenIssuer "TRUSTNAME"
$uri=new-object System.Uri("https://spapp-UNIQUEID.appsContoso.local")
$t.ProviderRealms.Add($uri, "https://spapp-UNIQUEID.appsContoso.local")
$t.Update()

Create a unique relying party in ADFS:


The relying party should be created with following settings:
WS Federation Passive Endpoint: POST to https://spapp-UNIQUEID.appsContoso.local/_trust
Identifier: https://spapp-UNIQUEID.appsContoso.local

Issue the same claims as the SharePoint web application hosting the app.
The drawback of this method is that each time an app is installed, a realm must be created in SharePoint and a relying party must be created in ADFS.
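Since both steps have to be repeated for every installed app, here is an added example (not code from the original post) that performs them idempotently: the realm step runs on a SharePoint server, the relying party step on the ADFS 2.0 server. TRUSTNAME, the app URL and the name of the hosting web application's existing relying party are placeholders to replace.

```powershell
# Added example, not part of the original post. Step 1 runs on a SharePoint server,
# step 2 on the ADFS 2.0 server; TRUSTNAME, the app URL and the hosting web
# application's relying party name are placeholders to replace.
$TrustName     = "TRUSTNAME"
$AppUrl        = "https://spapp-UNIQUEID.appsContoso.local"
$HostingRpName = "SharePoint 2013 web application"   # placeholder: existing RP name

# Step 1 (SharePoint): add the app's realm to the trusted identity token issuer.
function Add-HostedAppRealm {
    param([string]$TrustName, [string]$AppUrl)
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $trust = Get-SPTrustedIdentityTokenIssuer $TrustName
    $uri   = New-Object System.Uri($AppUrl)
    if ($trust.ProviderRealms.ContainsKey($uri)) {
        Write-Host "Realm for $AppUrl is already registered."
        return
    }
    # Key = app URL, value = realm sent as wtrealm; it must equal the RP identifier.
    $trust.ProviderRealms.Add($uri, $AppUrl)
    $trust.Update()
}

# Step 2 (ADFS 2.0): create a relying party whose identifier is the app URL and whose
# passive endpoint is the app's /_trust page, copying the claim rules of the hosting
# web application so the app receives the same claims.
function Add-HostedAppRelyingParty {
    param([string]$AppUrl, [string]$HostingRpName)
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    if (Get-ADFSRelyingPartyTrust -Identifier $AppUrl) {
        Write-Host "Relying party for $AppUrl already exists."
        return
    }
    $hosting = Get-ADFSRelyingPartyTrust -Name $HostingRpName
    if (-not $hosting) { throw "Relying party '$HostingRpName' not found." }
    Add-ADFSRelyingPartyTrust -Name ("SharePoint hosted app " + ([System.Uri]$AppUrl).Host) `
        -Identifier $AppUrl `
        -WSFedEndpoint ($AppUrl.TrimEnd('/') + "/_trust") `
        -IssuanceTransformRules $hosting.IssuanceTransformRules `
        -IssuanceAuthorizationRules $hosting.IssuanceAuthorizationRules
}

Add-HostedAppRealm -TrustName $TrustName -AppUrl $AppUrl                  # on SharePoint
Add-HostedAppRelyingParty -AppUrl $AppUrl -HostingRpName $HostingRpName   # on ADFS 2.0
```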

 

Additional Information

It is possible to configure SharePoint to specify the return URL in a query string called wreply. It is added to the URL that redirects user to the STS. This behavior is enabled with following PowerShell commands:
----------------------------------------------------------
$t=Get-SPTrustedIdentityTokenIssuer "TRUSTNAME"
$t.UseWReplyParameter=$true
$t.Update()
----------------------------------------------------------
But ADFS 2.0 does not honor the wreply parameter, so this setting does not help in this scenario.

POST BY: Yvan Duhamel [MSFT]


Changes in Ribbon UI for SharePoint 2013


In SharePoint 2013, selecting a document in a document library does not show the ribbon commands automatically; you need to click the ribbon tabs (Files/Library) to use the commands. In SharePoint 2010, when you select a file checkbox in a document library, the 'Document' tab of the Library Tools ribbon is enabled automatically with its commands. This is different in SharePoint 2013, where the Files/Library tab is not shown automatically on document selection.

However, in SharePoint 2013 a "..." button appears in the list/library; by clicking it we can perform the most commonly used actions on the page, list or other components. That means we can perform the actions of our choice within the list/library area of a page. What's more, we can also add custom actions to this "..." menu to implement more functionality.

This is an expected behavior in SharePoint 2013. The new UI reflects our “Minimal Download Strategy” in SharePoint 2013 that improves rendering performance when browsing content where large parts of the page do not change, which provides a more fluid navigation experience. You can read more here.

Also refer to the below links which provide more information about the SharePoint 2013 UI experience on document libraries.

Introduction to document libraries

# Introduction to libraries in SharePoint 2013 which shows the UI design for SharePoint 2013 document libraries.

# SharePoint 2010 Server Ribbon Architecture

Post by: Praveen Hebbar [MSFT]

SharePoint 2013 - User identity pass-through delegation does not work with BCS and claims-mode authentication


In SharePoint 2010/2013, user identity pass-through delegation does not work when a BCS external content type (using a SQL Server data source) is used in a web application configured with claims-based authentication (Windows authentication with Kerberos).

The setup for the scenario mentioned above is the one described in “Scenario 9” at http://technet.microsoft.com/en-us/library/ff829837(v=office.14).aspx

When this scenario is configured, the following message is still shown on a list based on the external content type, for any user:

"Message from External System: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

The same setup works perfectly in SharePoint Server 2010 and SharePoint Server 2013 when a web application is used that has Classic Mode / Windows Authentication / Kerberos configured.

Reason for this Behavior

The delegation related to BCS is described in Scenario 9 of the white paper for Kerberos configuration (see the linked .doc file): http://technet.microsoft.com/en-us/library/ff829837(v=office.14).aspx . One of the requirements for this to work is to configure your web applications with classic Windows authentication using Kerberos.

When a web application is deployed in claims mode on SharePoint 2010/2013, this does not work because BCS was never designed to leverage the Claims to Windows Token Service (C2WTS), and this is documented in the white paper. You can find more information on the Claims to Windows Token Service (C2WTS) here.

When claims is the authentication mode, C2WTS is the service that converts the claims identity of the user whose identity needs to be passed through into a Windows identity.

What to do then?

The only true workaround for a claims-mode web application is to use the Secure Store Service (SSS) with a target application of type "Individual", which can pass through the user's identity via credential mappings.

See the following articles for more information:

Plan the Secure Store Service in SharePoint Server 2013

Configure the Secure Store Service in SharePoint 2013

Please be aware of this unwanted side effect of using a Secure Store identity

When user credentials change (for example scheduled password changes), the user either needs to re-enter his credentials via the list view, which displays the needed form, or, on the administrative side, the credential mappings in the Secure Store Service target application used by the BCS external content type must be updated on a regular basis.

Alternatively a classic-mode web application can be used, but by default in SharePoint Server 2013 administrators can only create claims-mode web applications through the UI.

Additional Information

Plan for Kerberos authentication in SharePoint 2013

Identity delegation for Business Connectivity Services

POST BY : Praveen Hebbar [MSFT]

SharePoint 2013 : ADImport is not cleaning up User Profiles in SharePoint whose AD Accounts are disabled .


We recently came across cases where profiles of users disabled in AD were not deleted from the SharePoint User Profile Service Application when using ADImport. Read on for details on the issue and the workaround.

Behavior: When “SharePoint Active Directory Import” is used for the Synchronization Options in SharePoint 2013, users who are disabled in Active Directory are not removed from SharePoint after a full or incremental import. A deeper look reveals that the account is not marked as deleted (bDeleted=1 flag in the UserProfile_Full table of the profile database of the UPA). This behavior is seen even though the option “Filter out disabled users” is checked while creating the sync connection.

Note: The behavior is still seen even when a custom filter is defined in LDAP syntax in the box provided. Also, if the user is not disabled but is moved to another OU which is not selected for sync, similar behavior is observed.

Observation:

Since we are not using FIM for synchronization, there is nothing to look into in the Sync DB; everything happens within the Profile DB. A full import detects that the user is no longer imported and sets the field ‘IsImported’ to 0 in the DNLookup table in the Profile DB for the affected user. However, it still does not set bDeleted to 1 in the UserProfile_Full table, which is needed for the MySite Cleanup job to delete the profile and finally the personal site.

The following sample query lists all users that exist in the Profile DB with ‘IsImported’ set to 0. You can match this list with your disabled users in AD to confirm.

SELECT A.RecordID, A.NTName, A.bDeleted, B.IsImported
FROM [UserProfile_Full] A (nolock)
INNER JOIN [DNLookup] B (nolock)
ON A.RecordID = B.RecordId
WHERE B.IsImported = 0

Note: It is not recommended to query any SharePoint databases or to make changes other than the ones described at http://support.microsoft.com/kb/841057.

Workaround:

“SharePoint Active Directory Import” does not mark the profile for deletion with either an incremental or a full import when the account is disabled; the only way to remove the obsolete users is as follows.

1. Run a full import.

2. After that, run the following in the SharePoint Management Shell:

a) $upa = Get-SPServiceApplication -Id <Identity of User Profile Service Application>

b) Set-SPProfileServiceApplication -Identity $upa -PurgeNonImportedObjects $true

At the time of writing this blog (31-Mar-2014), this is a known behavior with the above workaround, as tested against the SharePoint 2013 SP1 build.

Note: Deletion of an account in AD is handled as expected: the profile in the SharePoint profile database is marked as deleted (bDeleted=1) and eventually cleared by the MySite Cleanup job.

POST BY: Satheesh Palanisamy [MSFT]

Importance of Primary Host Controller in SharePoint Search 2013


The SearchHostController is related to the SearchServiceInstance. The SearchHostController manages the search components that run on a server and maintains a local repository for linguistic dictionaries.

The search components retrieve the linguistic dictionaries from the PrimaryHostController.

So it is important that only a search node is made the PrimaryHostController, in order for custom dictionary deployment jobs and dictionary imports to work successfully.

If the PrimaryHostController is not a search node (the best-practice recommendation is to make the primary admin node the PrimaryHostController), you might see log entries similar to the one below, combined with failed dictionary deployment jobs:

Search Linguistic Processing 65 Warning Dictionary deployment failed. SearchComponent: OWSTIMER.EXE, CorrelationId: 69657aa7-fa2a-45fd-983e-e0fa2f079e27, SearchServiceApplication: {cc53be81-7382-45f5-a719-a89891846f6f}, DictionaryName: Microsoft.UserDictionaries.EntityExtraction.Companies.Inclusions, Component:FlowExecution, FailureMessage: Deployment (flow:Microsoft.CustomDictionaryDeployment) for custom dictionary c866ca65-f095-4a16-9249-028d500f7703 did not complete successfully. Flow execution state was: Failed. Failure: Evaluation failure. An evaluation thread threw an exception. (Exception type: Microsoft.Ceres.Evaluation.DataModel.EvaluationException. Exception message: Evaluation failed in operator RepoWriter of type DictionaryRepositoryWriter), Cause: Microsoft.Ceres.ContentEngine.Services.ContentIntegrationEngine.FailCauseException: Evaluation failed in operator RepoWriter of type DictionaryRepositoryWriter.

Dictionary imports also fail when you try to import a dictionary through the following mechanism:

$searchApp = Get-SPEnterpriseSearchServiceApplication

Import-SPEnterpriseSearchThesaurus -SearchApplication $searchApp -Filename ".\thesaurus.csv"

Expected: Dictionary imported successfully

Actual: PowerShell.exe (0x10214) 0x104B8 Search Linguistic Processing 129 Information Dictionary import cmdlet failed. SearchComponent: PowerShell.exe, CorrelationId: b3a69b93-a42e-4c63-b8fe-5f766848a64d, SearchServiceApplication: b3932f1a-d626-4907-9fe5-013363c3a229, DictionaryName: Microsoft.UserDictionaries.Thesaurus, Failure: Failed to import custom dictionary Microsoft.UserDictionaries.Thesaurus. Failure: Evaluation failure. An evaluation thread threw an exception. (Exception type: Microsoft.Ceres.Evaluation.DataModel.EvaluationException. Exception message: Evaluation failed in operator DictionaryRepositoryWriterLangInDependent of type DictionaryRepositoryWriter).. 018c8918-f800-0003-f09a-5dd0ac78ce01

To address these issues, make sure a search node is running as PrimaryHostController.

You can verify which node in the farm is the PrimaryHostController from the SharePoint Management Shell; PrimaryHostController is set to True on only one node in the farm.

If the node running as PrimaryHostController is not a search node, that can cause the problems noted above.

To fix the issue, make search's primary admin node the Primary Host Controller. You can see which node is the primary admin node by going to Central Administration | Manage Service Applications | Search Service Application; you will see a screen like the one below.

Now go to that search admin node and make it the PrimaryHostController.

Our best-practice recommendation is to always make the search primary admin node the Primary Host Controller.
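The commands in the original post were screenshots; as an added example (not the post's own commands), the script below finds the server(s) hosting the search admin component, compares them with the current PrimaryHostController and moves the role when it sits on a non-search node. It assumes a single Search Service Application and, unless you pass the primary admin node shown in Central Administration, picks the first admin component server.

```powershell
# Added example, not the post's own commands. Assumes one Search Service Application
# and that the admin component's server is the node the post calls the primary admin
# node. Run in the SharePoint 2013 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SearchAdminServers {
    # Servers hosting an admin component in the active search topology.
    $ssa      = Get-SPEnterpriseSearchServiceApplication
    $topology = Get-SPEnterpriseSearchTopology -SearchApplication $ssa -Active
    Get-SPEnterpriseSearchComponent -SearchTopology $topology |
        Where-Object { $_.GetType().Name -eq "AdminComponent" } |
        ForEach-Object { $_.ServerName }
}

function Get-PrimaryHostControllerServer {
    # Exactly one host controller in the farm carries PrimaryHostController = True.
    $primary = Get-SPEnterpriseSearchHostController |
        Where-Object { $_.PrimaryHostController }
    if (-not $primary) { throw "No PrimaryHostController found in the farm." }
    $primary.Server.Name
}

function Repair-PrimaryHostController {
    param([string]$TargetServer)   # optional: the primary admin node shown in CA
    $adminServers = @(Get-SearchAdminServers)
    if (-not $TargetServer) { $TargetServer = $adminServers[0] }
    $current = Get-PrimaryHostControllerServer

    if ($adminServers -contains $current) {
        Write-Host "PrimaryHostController already on search admin node $current."
        return
    }
    Write-Host "PrimaryHostController is on $current, which runs no admin component."
    Write-Host "Moving it to $TargetServer ..."
    $instance = Get-SPEnterpriseSearchServiceInstance -Identity $TargetServer
    Set-SPEnterpriseSearchPrimaryHostController -SearchServiceInstance $instance

    # Re-read the host controllers to confirm the move took effect.
    Get-SPEnterpriseSearchHostController |
        Select-Object @{ n = "Server"; e = { $_.Server.Name } }, PrimaryHostController
}

Repair-PrimaryHostController
```

After the move, rerunning the Import-SPEnterpriseSearchThesaurus command shown above is a good end-to-end check that dictionary writes now succeed.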

POST BY: Srinivas Dutta [MSFT]

SharePoint 2013 : The search results with %5C (the “\” character) will become double encoded and causes broken links


Use Case Description: Search results containing %5C (the “\” character) become double encoded (represented as “%255C”). This causes broken links, for example when you open the Search Center, perform a people search for "user1" and, on the peopleresults.aspx page, click the user name in the search result.

Actual Results: The personal site of user1 cannot be accessed. The link to the personal site of user1 looks like the one below:

http://sp2013.contoso.com/my2/Person.aspx?accountname=contoso%255Cuser1

Note: We have identified this unexpected behavior and are working on a fix. This post will be updated once we have more insight into the release schedule and build details for the fix. Please use the following workaround until then.

Workaround Instructions: Apply the workaround below on the current Search Center site. If you have additional Search Center sites, update all of them.

1. On your Search Center site collection go to Site Settings and then Master Page Gallery

2. On the Master Page Gallery, click Display Templates and then click Search. Find the file named Item_Person.html and check it out. Make a backup of the file, open it in your favorite text editor and locate the existing line that sets the encodedPath variable.

3. Replace that line with the following text:

var encodedPath = $urlHtmlEncode(decodeURI(ctx.CurrentItem.Path));

4. Find the file named Item_Person_CompactHorizontal.html and check it out. Make a backup of the file, open it in your favorite text editor and locate the existing line that sets the encodedPath variable.

5. Replace that line with the following text:

var encodedPath = $urlHtmlEncode(decodeURI(ctx.CurrentItem.Path));

6. Find the file named Item_Person_HoverPanel.html and check it out. Make a backup of the file, open it in your favorite text editor and locate the anchor tag with id visitId that links to the person's profile. Replace it so that it looks like the following:

<a id="_#= visitId =#_" class="ms-calloutLink ms-uppercase" href="_#= $urlHtmlEncode(decodeURI(ctx.CurrentItem.Path)) =#_" title="_#= $htmlEncode(Srch.Res.hp_PeopleItem_ViewProfile) =#_">

7. Check in the above files and make sure they are published.

POST BY: Srinivas Dutta [MSFT]

SharePoint 2010 & Yammer Step by Step guide


There are many great articles that talk about how to integrate Yammer with SharePoint 2010. I am going to try to summarize the important things you need to know about Yammer, its features and common errors that may occur when configuring Yammer with SharePoint 2010.

What is Yammer?

§ Yammer is an enterprise social network.

§ It is collaboration software that allows you:

        • to get connected to the right people
        • to share information across teams
        • to organize projects, etc.

§ It is a single mapping of everything employees encounter at work, creating a single social experience for everyone.

FEATURES OF YAMMER:

Yammer groups:

· create groups

· discover and join group

· invite team members

· share announcements

· quick access to most viewed & edited files

Yammer profile:

· user profiles

· leader boards

· member directory

· discovery of coworkers

Join conversations (global communication in 26 languages):

· Use publisher to share an update.

· private & open conversations, post a message

· create polls

· organize meetings & events

Discover what you need

· stay on top of company activity

· search people, content, conversations

· find related documents, files, people

FEATURES OF YAMMER INTEGRATION WITH SHAREPOINT 2010:


YAMMER AND SHAREPOINT 2010 INTEGRATION:

Listed below are the forms of Yammer integration possible with SharePoint 2010:

Primary yammer web part:

· Embed virtually any Yammer feed (including My Feed and Group Feeds) into SharePoint sites to facilitate team and company-wide conversation.

· Send private messages directly to one or more coworkers at a time and keep track of these conversations in a separate Private Messages tab

· Manage new messages, @mentions, replies and more in a separate Notifications tab

Light embeddable feeds:

· Embed a lightweight Yammer mini feed anywhere in SharePoint to view and keep track of relevant discussions without disrupting your workflow.

Single –sign on:

· Leverage SharePoint authentication credentials to simultaneously log into Yammer through a single entry point.

Admin configurations:

· Manage the Primary Yammer Web Part using SharePoint’s built-in Web Part controls and templates. Choose to configure read-only Yammer feeds so that users without Yammer accounts can also view conversations

Federated search:

· Find the information you need fast, with relevant Yammer messages displayed side by side with your SharePoint search results.

PRE-REQUISITES FOR THE YAMMER INTEGRATION WITH SHAREPOINT 2010:

· Yammer enterprise network.

· Yammer SharePoint Service Account.

· .Net Framework 3.5 SP1.

· Sharepoint Server 2010 (Enterprise or Standard Version).

· Sharepoint Server 2010 Service Pack 1, Cumulative update.

· Supported web browsers.

· Access to SharePoint server.

· Sharepoint administrator account with access to Central Administration.

· Site collection at the root web application path.

· User profile service application.

· Uninstall prior versions of Yammer before installing the new versions.

· The user must have a user profile in the UPA and the work email property of the profile should be populated with the email address of yammer profile.

DEPLOYMENT OF PRIMARY YAMMER WEB PART:

Two ways to deploy yammer web part:

· Yammer solution installer (recommended for small farms without much customization)

· stsadm commands, run as a batch file (for large farms with customizations)

INSTALLATION USING THE YAMMER INSTALLATION WIZARD:

• Extract the file provided by Yammer to a directory on a SharePoint web-server (for example C:\YammerSP).

• Browse to the folder where you extracted the zip file.

• Run the Setup application from the installer folder.

• You must complete each step in the wizard to successfully deploy the Yammer Web Part.

[Screenshots: Yammer installation wizard, steps 1 to 6]

INSTALLATION USING STSADM COMMANDS:

· Extract the zip file provided by Yammer to a directory on a SharePoint web-server (for example C:\YammerSP).

· Open a command prompt and change the directory to point to the files you just extracted; using the previous example: CD C:\YammerSP\

· Type the following command and press enter: deploywithstsadm

NOTE: After each step you will be prompted to wait until a retract, delete, add or deploy operation has completed. To check the status of the job, go to the Solution Management page (a.k.a. the “solution store”) on your SharePoint Central Administration server: http://<servername>:<port>/_admin/Solutions.aspx

After you have completed installation and deployment, check the deployment status by logging into your SharePoint server as an administrator, opening the Solution Management page and verifying that yammer.sharepoint.features_v3-x-x is deployed under "Manage farm solutions" and is located under "System Settings" in Central Administration.

POST INSTALLATION CHECKS:

1. Certificate verification after installation:

Check the following locations for the certificate installation:

· Central administration > security > General Security> Manage trust.


View certificates in the MMC snap-in

  • Open a Command Prompt window.
  • Type mmc and press ENTER. Note that to view certificates in the local machine store, you must be in the Administrator role.
  • On the File menu, click Add/Remove Snap-in.
  • Click Add.
  • In the Add Standalone Snap-in dialog box, select Certificates.

Click “My user account”.

Under “Trusted Root Certification Authorities”, click Certificates and check for DigiCert High Assurance EV Root CA.

Under “Intermediate Certification Authorities”, check the certificates for “DigiCert High Assurance CA-3”.

Repeat the same for “computer account”.

2. Check the following settings in the SharePoint 2010 farm:


Yammer Apps Feature MUST NOT be activated for Central Administration site collection

NOTE: Beginning with Yammer For SharePoint v3.1.1, the Yammer Apps site collection feature MUST NOT be activated in the Central Administration site collection. If it is activated, the Yammer Settings screen will not work correctly. Yammer For SharePoint v3.1.4 prevents activation of the feature in the Central Administration site collection, but the feature may have been activated with prior versions. Thus, there is the need to manually deactivate it in some instances.

PRIMARY YAMMER WEB PART IN SHAREPOINT 2010:

After connecting to the Yammer server, you can add the Primary Yammer Web Part to SharePoint pages by clicking Edit Page > Insert > Web Part.

COMPANY FEED -All messages with in yammer network.

GROUP FEED-Displays content from one specific group

MY FEED-Contextualized view of yammer, applicable for my site, page targeted at engaging individual users

USER FEED-Display individual user feeds

SEARCH FEED-Integrates with an enterprise or basic search site to provide matching federated search results from yammer

 

 

COMMON ERRORS DURING YAMMER INTEGRATION:

1. “THE YAMMER WEB PART IS NOT DISPLAYED IN THE SHAREPOINT PAGE”

· This may be caused by a number of different SharePoint configurations and issues.

· To look at a list of all the web parts that have been added to a page in SharePoint, point your browser to http://<SharePoint page URI>?contents=1

· If you see the web part listed on the resulting page, then it has been successfully added to the page.

· Be sure to set the width of the web part to a desired value using the standard Edit Web Part functions.

2. AFTER UPGRADING FROM AN OLD VERSION OF THE WEB PART TO YAMMER WEB PART 3.1.4, THE WEB PART DOES NOT WORK.

· The Yammer Apps site collection feature must be deactivated in the Central Administration site collection features.

· The Yammer Apps feature is not compatible with SharePoint Central Administration.

3. “TEST CONNECTION FAILED”

· Make sure the Yammer GeoTrust Global CA certificate is installed.

· If it is already installed and the problem persists, configure the SharePoint proxy server.

· If the SharePoint web server(s) are behind a proxy server, you must ensure that the web.config file contains the default proxy on each web server in your farm (repeat this step for every web application in which you want to use the Web Parts). Edit the web.config file, and add the following entry to

 

image

· Check whether the following URLs are accessible from the client browser and from the SharePoint server:

From the SharePoint server: *.yammer.com

From the browser: *.yammer.com (or 204.152.18.0/23), *.cloudfront.net, *.amazonaws.com, *.cotssl.net, *.edgekey.net

4. THE WEB PART DOES NOT LOAD AND GIVES THE FOLLOWING ERROR:

“System.Exception: Unable to load the web part. IsEdit: False, IsAsync: False, FormMode: Display, SharedProperties:{"site_url":"someurl","service_account":"true","webpart_guid":"","iframe":"true","version":"3.1.6"} at Yammer.SharePoint.WebParts.YammerAppsWebPart.CreateChildControls()”

• You must configure the web part to point to a network.

• Edit the page, select the desired feed, and choose a network.

• Then, Save the page.

5. “System.NullReferenceException: Object reference not set to an instance of an object. at Yammer.SharePoint.Framework.DefaultYammerSettingsManager.EnsureYammerSession(String networkId) at Yammer.SharePoint.WebParts.YammerAppsWebPart.CreateChildControls()”

• Inspect the SharePoint server (ULS) logs.

• If you see an error similar to those listed below, indicating that “the root of the certificate chain is not a trusted root authority”, the DigiCert certificate is not properly installed in the Manage Trust section of Central Administration.

6. “An operation failed because the following certificate has validation errors:\n\nSubject Name:CN=*.yammer.com,O="Yammer,Inc.",L=Sanfrancisco,S=California,C=US,SERIALNUMBER=FNoaPeKm4rVoM9q0R4SuzMlDDq0Q6KAl\nIssuer Name:CN=GeoTrust SSL CA,O="GeoTrust,Inc.",C=US\nThumbprint:BF90A539080B97448CB0A503F46F27A18836ACD8\n\nErrors:\n\n.The root of the certificate chain is not a trusted root authority.”

“The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.”

“System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.”

• Inspect the certificates and SharePoint 2010 trust relationship.

7. “WHEN YOU TRY TO LOG IN USING THE RIGHT CREDENTIALS, YOU SEE THE FOLLOWING MESSAGE”

If SSO is enabled for your network, you'll need to enter a temporary passcode in the password field.

Follow these steps to get a temporary passcode:

• In the Yammer website, log in as the VERIFIED ADMIN account you are using to configure the web part.

• Click on the Apps link

• Scroll down and click on the Yammer tab, then find the Desktop App, and click Learn More

• In the Single Sign On Instructions, copy the passcode.

• Paste the passcode into the password field in Central Administration.

 


8. PERFORMANCE AND OUTAGE SCENARIOS DUE TO THE YAMMER WEB PART

• Performance and outage issues caused by the Yammer web part are very rare.

• Use the Developer Dashboard.

• Check whether the site collections that have the Yammer Apps feature enabled show degraded performance.

• Try temporarily deactivating the Yammer Apps feature in Site Collection Features.

9. FIDDLER FOR TROUBLESHOOTING YAMMER INTEGRATION:

Import the Fiddler root certificate into the SharePoint 2010 trust store.

This allows the SharePoint code to make the HTTP call to Fiddler, which then passes the call on to Yammer. While the Fiddler root is listed under Manage Trust, the farm trusts any certificate Fiddler issues, so remove the entry once the capture is complete.

The Yammer GeoTrust Global CA certificate is not used in this case.

• Open Fiddler

• Click on Fiddler Options

• Click on HTTPS

• Click on Export Root Certificate to Desktop

• Open SharePoint Central Administration

• Click on Security

• Click on Manage Trust

• Click on New

• Browse to the desktop and upload certificate

ENHANCEMENTS IN SHAREPOINT 2013 – YAMMER INTEGRATION:

  • Removing the SharePoint Server 2013 social web parts from My Sites and Team Sites
  • Hiding user interface controls that provide social functionality
  • Yammer app for SharePoint to embed Yammer feeds (home feed, group feed, comment feed) into SharePoint sites.

REFERENCES AND LINKS:

https://about.yammer.com/success/resources/activation/

http://technet.microsoft.com/en-us/library/dn130129(v=office.14).aspx

https://about.yammer.com/yammer-blog/yammers-integration-with-microsoft-sharepoint-2010/

https://about.yammer.com/success/activate/integrations/

POST BY Rupini Thuraiyur [MSFT]

SharePoint 2013- Configure On-Premises Users to leverage Office 365 for their Mysite-OneDrive :Part-4


 

Part 1 and Part 2 of this post talk about how to configure two-way hybrid search with Directory Synchronization and password sync, and how that improves the sign-in experience for users. This post assumes that you have successfully configured Directory Synchronization as documented in Part 1 of my post.

What's the difference between OneDrive and OneDrive for Business?

1. OneDrive is free, personal online storage that you can choose to use at home, work, or school. Files are available from any device by going to the OneDrive website or using the OneDrive mobile app for your phone.

2. OneDrive for Business is for organizations to provide online storage to their members. It is included in SharePoint 2013 and is available with Office 365 SharePoint Online. This is a library intended for storing and organizing work documents. OneDrive for Business is also different from your team site, which is intended for storing team or project-related documents. You can read more about it here. What you see in your SharePoint 2013 and SharePoint Online header/navigation listed as OneDrive is an abbreviation of OneDrive for Business.


I simply like the new announcement that came in recently, which states: “Massive increase to OneDrive storage plans: 15 GB free for everyone, 1 TB for Office 365 subscribers”. What is more amazing is the integration with SharePoint On-Premises.

With Service Pack 1 for SharePoint Server 2013, a new feature has been introduced for OneDrive. After you install Service Pack 1, you will have an option to redirect your users in SharePoint 2013 to OneDrive in Office 365. Post configuration of the feature in an On-Premise SharePoint 2013 farm, when a user clicks OneDrive in the navigation bar, or when they click Sites from their personal site, they will be redirected to OneDrive in their Office 365 tenant. This would be a seamless experience for the users while they access the documents from within their corporate network or outside. With this feature, users can continue to use On-Premises SharePoint farm, as well as leverage the rich features of OneDrive in Office 365.

To integrate OneDrive for Business between SharePoint On-Premises and SharePoint Online farm, you need to have access to the following components:

· SharePoint Online Subscription

· SharePoint On- Premise Single Server or Farm

· SharePoint 2013 Service Pack 1

 


 

Key Configuration Steps

The following steps should be configured before the users in On-Premises SharePoint farm will be able to host their My Sites in SharePoint Online and leverage the benefits of OneDrive for Business in Office 365.

Office 365 Environment

· Sign up for a new Office 365 subscription or leverage an existing subscription.

· Synchronize users from On-Premise Active Directory using DirSync with password sync.

· Deploy Active Directory Federation Services (AD FS) to have single sign on experience for users (optional).

· Ensure tenant has a functional My Site host (tenantdomain-my.sharepoint.com)

On-Premise SharePoint 2013 Environment

· Install Service Pack 1 in SharePoint 2013 on-premises environment.

· Configure OneDrive and Sites Link in On-premise Farm.

· Create and compile an audience with the list of users who would provision My Site in Office 365.

· Configure Hybrid Search for retrieving documents from OneDrive for business.

Let us now look at the configuration of each of these steps in detail. You can use your existing Office 365 subscription to configure OneDrive for Business. In case you do not have an Office 365 Tenant and want to sign up, click here. To compare the various Office 365 plans, click here. The following steps assume that you have an Office 365 subscription and you would configure OneDrive for Business for your On-Premises domain where SharePoint 2013 is installed.

Identify My Site URL in SharePoint Online

One of the crucial steps in getting users redirected to OneDrive for Business in SharePoint Online is to synchronize the user accounts from the SharePoint On-Premises Active Directory to Azure AD in Office 365. You can follow the steps in Part 1 of my post to configure this. As mentioned at the beginning of this post, Part 1 also includes establishing server-to-server authentication, which is not a requirement for this configuration. You can enhance the user experience by deploying single sign-on using AD FS and converting your On-Premises domain to a federated domain, which is again optional. The core requirement is that the users from On-Premises are synchronized to Azure AD.

You should know the My Site Host URL of your Office 365 tenant domain for the rest of the configuration. When you sign up for an Office 365 tenant, you are asked to specify a new domain name, something.onmicrosoft.com. This is called the Tenant Domain and it is the default domain used, for example, as the UPN for user accounts. The Tenant Domain is also important with regard to SharePoint Online, as the something part of something.onmicrosoft.com is used in the following URLs:

· something.sharepoint.com: The default root Site Collection for SharePoint Online

· something-admin.sharepoint.com: The SharePoint Online Admin Center

· something-my.sharepoint.com: The SharePoint Online My Site Host

· something-public.sharepoint.com: The default SharePoint Online Public Web Site in Wave 15

To validate the My Site Host URL from your Office 365 admin dashboard follow these steps:

· Log on to Office 365 as a global administrator.

· In the Office 365 portal administration site, select Admin on the top navigation bar, and then select SharePoint.

 


Within SharePoint admin center under the list of private site collections, you should see a site collection with tenantdomain-my.sharepoint.com. Keep a note of this URL, as this is your MySite root URL that you need to provide while you configure your On-Premises farm.


By default, the top navigation bar has links to OneDrive, Yammer, Newsfeed, and Sites. From the Settings tab in the left navigation of the SharePoint admin center you can customize the navigation bar by choosing which options to show to users.


In case you have not already done so in your on-premises environment, install SharePoint Service Pack 1 binaries. Binaries should be installed across all the servers if there are multiple servers in the farm. Run PSConfig wizard across all servers to ensure that the upgrade completed successfully. For detailed steps to install a Service Pack, see:

Deploy software updates for SharePoint 2013

After a successful upgrade, verify that the SharePoint servers in the farm show the correct version by checking the version under Servers in Farm in Central Administration.

Alternatively, open the SharePoint Management Shell and run the following command:

(Get-SPFarm).BuildVersion

This confirms that the farm has been successfully upgraded to SP1.

After you install Service Pack 1, browse to Central Administration URL. You will see Office 365 Connections on the left navigation as well as in the center frame. To configure OneDrive and Sites link, click Configure OneDrive and Sites link from the center frame options.


Before you proceed with configuring OneDrive, you need to validate a couple of additional settings.

 

Validate User Profile Service Application

Validate the User Profile Service Application after upgrade to SP1. Verify if the User Profile Service and User Profile Synchronization Service are running. You can browse to Central Administration on your On-Premises farm (http://centraladmin/_admin/Server.aspx) and check the status for User Profile Service Application and User Profile Synchronization Service and validate that the status is Started.


Alternatively, you can run the following commands in the SharePoint Management Shell:

$app = Get-SPServiceApplication | Where-Object { $_.TypeName -match "User Profile" }

$app

$app.Status

The output should match the following screenshot:


 

For best practices on User Profile Application refer to: Administer the User Profile service in SharePoint Server 2013

It is recommended to do an incremental profile import to ensure that all user profile attributes are updated with the most recent changes.

Validate My Site Creation Permissions

On-premises, users should have the ability to create personal sites. To use this feature, users should also have permission to use OneDrive in Office 365. You need to validate the user’s permissions to create personal sites in User Profile Service Application.

Follow these steps to validate My Site Creation Permissions:

1. In your On-Premises SharePoint Server 2013 farm, where you have installed SP1, browse to Central Administration > Manage Service Applications > User Profile Service Application.

2. From User Profile Service Application, under People section, click Manage User Permissions.


3. From Permissions for User Profile Service Application dialog box, select All Authenticated Users. Ensure that the following check boxes are selected:

· Create Personal Site

· Follow People and Edit Profile

· Use Tags and Notes


You can validate the permissions by executing the following command in a SharePoint management shell:

$app = Get-SPServiceApplicationProxy | Where-Object { $_.TypeName -match "user profile" }

$upasecurity = Get-SPProfileServiceApplicationSecurity -ProfileServiceApplicationProxy $app

$upasecurity

The output should match the output in the below screenshot:


We have checked the permissions for all authenticated users. You can also use audience targeting to differentiate between users whose My Sites are created On-Premises and those whose My Sites are created in Office 365. To do so, create an audience (or use an existing one) that contains the people whose My Sites you want created in Office 365.

· To create an audience in SharePoint 2013, see: Add an audience

· You can also use PowerShell to create an audience. Click here to download the Sample Script.

· Once you have created an audience, ensure that the users in the compiled audience have the permissions in the User Profile Service Application discussed above.
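The SP1 and User Profile checks in this section can be run as one script that reports pass/fail per check. This is an added example, not part of the original post, for the SharePoint 2013 Management Shell as a farm administrator; the SP1 build number and the right-name patterns used for the permission check are assumptions noted in the code.

```powershell
# Added example, not part of the original post: validates the prerequisites for redirecting
# OneDrive for Business to Office 365 (farm build, User Profile services, My Site permissions).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-OneDriveRedirectPrereqs {
    param(
        # ASSUMPTION: SP1 build number. Compare with the version Central Administration shows
        # under Servers in Farm for the SP1 package you installed before relying on it.
        [Version]$MinimumBuild = "15.0.4569.1000",
        [string]$Principal = "NT AUTHORITY\Authenticated Users"
    )
    $results = @()

    # 1. Farm build is at least SP1 (same value as (Get-SPFarm).BuildVersion above)
    $build = (Get-SPFarm).BuildVersion
    $results += [PSCustomObject]@{ Check = "Farm build >= SP1"; Passed = ($build -ge $MinimumBuild); Detail = "$build" }

    # 2. User Profile Service Application exists and is Online
    $upa = Get-SPServiceApplication | Where-Object { $_.TypeName -match "User Profile Service Application" }
    $upaDetail = if ($upa) { "$($upa.Name): $($upa.Status)" } else { "not found" }
    $results += [PSCustomObject]@{ Check = "User Profile Service Application online"
                                   Passed = [bool]($upa -and $upa.Status -eq "Online"); Detail = $upaDetail }

    # 3. Service instances: Central Administration shows them as Started; PowerShell reports Online
    foreach ($name in "User Profile Service", "User Profile Synchronization Service") {
        $online = @(Get-SPServiceInstance | Where-Object { $_.TypeName -eq $name -and $_.Status -eq "Online" })
        $servers = ($online | ForEach-Object { $_.Server.Address }) -join ", "
        $results += [PSCustomObject]@{ Check = "$name started"; Passed = ($online.Count -gt 0); Detail = $servers }
    }

    # 4. Manage User Permissions: the principal holds the three rights from step 3 above.
    #    ASSUMPTION: rights are matched by loose name pattern because the UI names
    #    ("Create Personal Site") and the names printed by the object model can differ;
    #    inspect $security yourself if a check fails unexpectedly.
    $proxy    = Get-SPServiceApplicationProxy | Where-Object { $_.TypeName -match "User Profile" }
    $security = Get-SPProfileServiceApplicationSecurity -ProfileServiceApplicationProxy $proxy
    $rule     = $security.AccessRules | Where-Object { $_.Name -eq $Principal }
    $rights   = if ($rule) { "$($rule.AllowedRights)" } else { "" }
    foreach ($right in "Create\s*Personal\s*Site", "Follow\s*People", "Use\s*Tags") {
        $results += [PSCustomObject]@{ Check = "$Principal has $right"; Passed = [bool]($rights -match $right); Detail = $rights }
    }

    return $results
}

Test-OneDriveRedirectPrereqs | Format-Table Check, Passed, Detail -AutoSize
```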

Now we are all set to configure OneDrive for Business from Central Administration. To do so browse to Central Administration on your On-Premises SharePoint farm. From the home page select Office 365> Configure OneDrive and Sites Links.


The Configure OneDrive and Sites Links page is accessible at http://centraladminurl/_admin/cloudconfiguration.aspx. On this page, you can configure settings such as the My Site URL to which OneDrive for Business users are redirected in Office 365. You can also set a target audience to restrict which users are redirected, and optionally choose to redirect the Sites page to Office 365.

 


On the Redirect OneDrive for Business to Office 365 page, under the My Site URL textbox, type the My Site URL that you got from Office 365 portal administration to test the connectivity.


Choose the audience, if any. In case of no audience, select Everyone. This choice defines the redirection for users to Office 365. Selecting Everyone will redirect all users to Office 365 for provisioning their My Sites.


If you want to redirect the Sites page in users’ personal sites, select the Redirect the Sites page checkbox.

Note : The action of ‘Follow sites’ is available for only Online sites when redirection for Sites page is selected. Click OK to save your settings.


The URL for Hybrid mysite location in SharePoint Online is governed by a property called HybridRemotePersonalSiteHostURL. Execute the following in a SharePoint management shell to retrieve the redirection property.

$ca = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }

$site = Get-SPSite $ca.Url

$context = Get-SPServiceContext $site

$upsa = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

# $profiles rather than $profile: $profile is a PowerShell automatic variable (the profile script path)
$profiles = $upsa.GetEnumerator()

$profiles

From the PowerShell output, validate the value of HybridRemotePersonalSiteHostURL. It should point to your My Site host in Office 365.


This is all that is required to set up the profile settings in the SharePoint On-Premises farm.

Validate Configuration

To ensure that users are able to create their My Site in Office 365, follow these steps. Choose a user who is part of the audience for provisioning OneDrive for Business in Office 365. This user should already be synchronized to Office 365 Azure Active Directory using DirSync, should be Active, and should have a valid SharePoint Online license in Office 365. The user should log on to a client machine, browse to a SharePoint On-Premises site to which they have access, and click the OneDrive link in the top navigation.

 

The OneDrive link redirects the user to the SharePoint Online My Site host URL (tenantdomain-my.sharepoint.com).

 

Depending on whether you have chosen to deploy AD FS for single sign-on or DirSync with password sync, the user experience varies:

a. With single sign-on, the user signs in to the SharePoint Online environment seamlessly.

b. With DirSync password sync, the user is prompted to enter their credentials for authentication.

Once My Site provisioning is complete, the user is able to open OneDrive in SharePoint Online and see the Shared with Everyone folder.

If the Sites redirection option was selected on the Configure OneDrive and Sites Links page, clicking Sites in the top navigation also redirects users to Office 365.

The user logs on to a SharePoint On-Premises site and clicks OneDrive. With the above configuration in place, the user should be redirected to SharePoint Online. Since the user has been synchronized to Office 365 and has a SharePoint license, if they log on to SharePoint Online and click OneDrive, they should be redirected to same OneDrive as above. If the user experience matches the experience above, then OneDrive for Business is successfully configured for SharePoint On-premise environment to be hosted in Office365.

In the next part of this post, I will talk about how you can configure OneDrive as a Hybrid search vertical in SharePoint Onpremise search center.

 

POST BY [MANAS BISWAS]


Configure OneDrive for Business as a Hybrid search vertical in SharePoint Onpremise search center : Part5


 

Part 4 of my post has the steps to redirect On-Premises users to host their My Sites in Office 365, typically referred to as OneDrive for Business. After that configuration, a key ask from users is an easy way to search for documents in OneDrive in Office 365. This is where hybrid search comes into play: you create a search vertical that fetches results from OneDrive. Let's take a look at how to set up search of OneDrive for Business in Office 365 from SharePoint Server 2013.

What Is a Search Vertical

When you install SharePoint 2013 and create or browse to a search center, you will see that the Search Navigation Web Part is configured to display links to the search verticals:

· Everything

· People

· Conversations

· Videos

 

When users click a search vertical link, the search results are filtered and displayed according to the configuration of that search vertical, using the Search Results Web Part. Users can of course create their own search vertical and add it to the Search Navigation Web Part. This concept of a search vertical is used to show SharePoint On-Premises users search results from OneDrive in Office 365. To create a search vertical that retrieves results from OneDrive and displays them in the SharePoint On-Premises search center, there are a few prerequisites.

On-Premise SharePoint 2013 Environment

· Complete all of the prerequisites mentioned in Part 4 of this post to configure OneDrive for business

· Validate your SharePoint On-Premises has at least the following service applications:

o At least one web application with an Enterprise Search Service application site collection

o User Profile Service Application

o Subscription Settings Service Application

o App Management Service Application

· Replace the STS certificate of the On-Premises SharePoint Server and establish a Server-to-Server trust with Windows Azure ACS.

· Configure Search (Results Part and Query Rule) on the On-Premises SharePoint Server 2013.

· Configure Search Results Web Part and create a search-results page; typically a search vertical to display results from OneDrive for Business in Office 365

The rest of the configuration assumes that you have successfully replaced the STS certificate of the On-Premises SharePoint Server and established a Server-to-Server trust with Windows Azure ACS acting as a trust broker between your On-premise and Online environment. Complete steps are documented in Part 1 of my post.

 

Create Result Source to Retrieve Results from OneDrive for Business

You can create a result source for a Search service application, a site collection, or a site. The pre-configured default result source is Local SharePoint Results. However, additional result sources like SharePoint Online may be configured. The configuration can happen on different levels:

· Global in the Search Service Application

· Local per Site Collection or per Site Level

For this post, I will create a Global result source at Search service application.

1. Log on to your SharePoint 2013 environment with SPFarm Account or an account with equivalent privileges.

2. Browse to Central Administration and within Application Management click Manage service applications.

3. Click the Search service application to which you want to add a result source.

 


4. From the Search Administration page on the left navigation click New Result Source.


5. On the Search Result Sources page, do the following:

a. In the Name text box, type a name for the new result source (for example, SharePoint Online OneDrive)

b. For the Protocol, select Remote SharePoint.


c. For Remote Service URL, type the address of the root site collection of SharePoint Online site collection from where results should be included (for example, https://mytenant.sharepoint.com).

d. For the Type, select SharePoint Search Results.


e. In the Query Transform section, type a space after {searchTerms} and then the path restriction for the My Site host of your SharePoint Online tenant: path:https://<tenant name>-my.sharepoint.com/personal

Leave Credentials Information as default, which is Default Authentication and click Save to save the result source.


This completes the Result source creation. Next, we need to complete the configuration of search results page.
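The same result source can be created through the search object model so that the configuration is repeatable across farms. The following is an added example, not code from the original post, for the SharePoint 2013 Management Shell; the FederationManager, SearchObjectOwner and query-transform calls and the provider display name "Remote SharePoint Provider" are assumptions about the SharePoint 2013 search object model that you should confirm on your farm (for example with $fedManager.ListProviders().Keys), and the tenant URLs are placeholders.

```powershell
# Added example, not part of the original post: creates the "Remote SharePoint" result source
# from steps 1-5 above at the Search Service Application level, with the OneDrive path restriction.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-OneDriveResultSource {
    param(
        [Parameter(Mandatory = $true)][string]$TenantRootUrl,   # step 5c, e.g. https://mytenant.sharepoint.com
        [Parameter(Mandatory = $true)][string]$MySiteHostUrl,   # step 5e, e.g. https://mytenant-my.sharepoint.com
        [string]$Name = "SharePoint Online OneDrive",           # step 5a
        [string]$SearchServiceApplication                        # optional; first SSA in the farm if omitted
    )

    $ssa = if ($SearchServiceApplication) {
        Get-SPEnterpriseSearchServiceApplication -Identity $SearchServiceApplication
    } else {
        Get-SPEnterpriseSearchServiceApplication | Select-Object -First 1
    }

    # Global result source owned by the Search Service Application, as in the post
    $fedManager = New-Object Microsoft.Office.Server.Search.Administration.FederationManager($ssa)
    $owner = New-Object Microsoft.Office.Server.Search.Administration.SearchObjectOwner(
        [Microsoft.Office.Server.Search.Administration.SearchObjectLevel]::Ssa)

    # Idempotent: re-running the script must not create a second source with the same name
    $existing = $fedManager.GetSourceByName($Name, $owner)
    if ($existing -ne $null) {
        Write-Warning "Result source '$Name' already exists; leaving it unchanged."
        return $existing
    }

    $source = $fedManager.CreateSource($owner)
    $source.Name = $Name
    # Steps 5b/5d: Remote SharePoint protocol returning SharePoint search results
    $source.ProviderId = $fedManager.ListProviders()["Remote SharePoint Provider"].Id
    $source.ConnectionUrlTemplate = $TenantRootUrl.TrimEnd("/")
    # Step 5e: restrict results to the My Site host's /personal path, i.e. users' OneDrive libraries
    $queryTransform = "{searchTerms} path:" + $MySiteHostUrl.TrimEnd("/") + "/personal"
    $source.CreateQueryTransform($owner, $queryTransform)
    # Credentials stay at the default (Default Authentication), which relies on the
    # server-to-server trust with Azure ACS established in Part 1
    $source.Commit()
    return $source
}

# Example call with placeholder tenant names
New-OneDriveResultSource -TenantRootUrl "https://mytenant.sharepoint.com" `
                         -MySiteHostUrl "https://mytenant-my.sharepoint.com" |
    Format-List Name, ConnectionUrlTemplate
```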

Create Search Results page to retrieve results from OneDrive for Business

Browse to Enterprise Search Centre for your On-Premises SharePoint 2013 environment. In case you do not have one, you can create a new site collection from Central Administration and use the Enterprise Search Centre Template.

Browse to the Enterprise Search Center mentioned above, click Site Contents, and then click the Pages library. You should see a list of all the search pages available in your SharePoint 2013 environment. To create a new page in this Pages library, follow these steps:

a. Click Files from the top navigation on the library, click New Document and click Page.


b. In the Create Page dialogue box, fill in the following details:

i. In the Title textbox, type “Results from OneDrive”

ii. Description is optional

iii. In the URL Name textbox, type OneDriveResults so the page would be OneDriveResults.aspx

iv. Click Save to create the page

v. Once you have created the new page, ensure that you Check in and Publish a major version of the page to the Pages library, as it will be checked out to the account you are logged in with to perform the configuration.


Add Search Results Web Part

Once you have created a New Search Result page following the steps above we need to add Search results Web Part to retrieve the results.

1. Browse to the search-results page OneDriveResults.aspx that you created in the previous step. To browse to the page click the page on the pages library.

2. Click on the gear icon and choose Edit page.

3. Choose Page tab from top navigation.

4. At the bottom of the list of webparts on the page, you should see Search Results WebPart. Hover in the right-hand corner and select Edit WebPart.

 


 

The Search Results Web Part editing tool appears.  Select Change query. This should launch a new window to build your Query.


5. From within Build Your Query navigate to Select a Query section and select the Result source you created earlier. This should show up in the list of result sources in the drop-down menu.


6. Leave rest of the selection as defaults and click Apply and OK on the WebPart editing menu.

7. Save the Page and ensure you do a Check in and Publish the page.

The final step is to create a link in the Search Center for OneDrive as a search vertical. The out-of-the-box links in the search results web parts are:

o Everything

o People

o Conversations

o Videos

Our goal is to have OneDrive as well so that users can easily retrieve the same.

Follow steps below to add OneDrive for Business as a search vertical:

1. Browse to the enterprise Search Center you created on your on-premise environment.

2. Click the gear icon and click Site Settings. Under Search, click Search Settings and fill in the following information.

a. Enter a Search Center URL (optional). You can choose to leave this empty. If you enter the URL of the global search center, a message is displayed to all users offering them the ability to search again from within that search center.

b. Select the Use the same results page settings as my parent checkbox.

c. Under Configure Search Navigation click Add a Link and fill in the following details:

i. In the Title textbox type in a name to describe the vertical (for example: OneDrive)

ii. In the URL textbox type the link to the results page you created above, for example, /sites/Search/Pages/onedriveresults.aspx

iii. If you want a new session to be open for the results, select the Open the Link in new Window check box.

iv. You can configure Audience so that this shows up only for people whose OneDrive you have redirected to Office 365 or leave it empty if you want to show it to all.


v. Clicking OK adds a new navigation link called OneDrive, which is now available to users when they search in the enterprise search center of their On-Premises SharePoint 2013.

 

This completes the setup of OneDrive as a separate vertical that users can click to restrict search results to OneDrive in SharePoint Online. The search retrieval experience varies depending on whether AD FS with single sign-on has been deployed or only DirSync with password sync has been configured as the sign-in option for On-Premises users. With DirSync password sync, users are able to retrieve documents from their OneDrive; however, when they click a document in the results they need to provide their username and password to retrieve it from the SharePoint Online environment. Once single sign-on is deployed this experience changes. The steps to configure AD FS are described in Part 3 of my post. With single sign-on configured, users sign in seamlessly and retrieve the document when they click it in the search results block, and because they then hold a valid FedAuth cookie, subsequent clicks on the displayed results continue with the single sign-on experience.

Retrieve Results

To validate your configuration browse to the Enterprise Search Center and you should see the OneDrive vertical. Type a keyword and click OneDrive vertical to see the results.


In my upcoming posts, I am going to talk about how to configure Business connectivity services and leverage an OData source and common error messages and their fixes while setting up Hybrid scenarios.

 

POST By Manas Biswas [MSFT]

SHA-1 Decommissioning


 

The SHA-1 hashing algorithm for the Microsoft Root Certificate Program is being decommissioned

Introduction

This post contains information related to SharePoint Server technologies and associated certificates using the SHA-1 hashing algorithm.

More Information

On November 12, 2013, Microsoft Security Advisory 2880823 announced a policy change regarding the Microsoft Root Certificate Program: root certificate authorities will no longer be allowed to issue X.509 certificates using the SHA-1 hashing algorithm for SSL and code-signing purposes after January 1, 2016. As mentioned in the announcement, using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

In conjunction with Microsoft’s announcement about SHA-1, Google published recently that Chrome browser builds would gradually sunset SHA-1 certificate support beginning in September 2014. Go to Gradually Sunsetting SHA-1 for more details.

For customers administering SharePoint Server on-premise environments such as SharePoint 2013 or 2010, users visiting SharePoint sites through the Google Chrome browser will be affected by Google’s notice concerning Chrome browser changes when visiting sites using SHA-1 certificates, including SharePoint sites. Those Chrome users will find that Chrome categorizes SHA-1 sites as “secure, but with minor errors”, “neutral, lacking security”, “active mixed content”, and “affirmatively insecure”.

To avoid issues associated with SHA-1 certificate deprecation, Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity.
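Before replacing certificates it helps to know which ones actually matter. The script below is an added example, not part of the original post: run on each SharePoint web front end, it lists the certificate bound to every HTTPS site in IIS, walks the chain, and flags any leaf or intermediate certificate still signed with SHA-1. The root certificate's self-signature is skipped on purpose, because clients never verify it, so a SHA-1 root is not what the deprecation targets. It assumes IIS 7 or later with the WebAdministration module available.

```powershell
# Added example (not from the original post): find SHA-1 signatures in the certificate chains
# bound to IIS HTTPS sites on this server. Assumes the WebAdministration module (IIS 7+).
Import-Module WebAdministration

function Get-Sha1Findings {
    $findings = @()
    foreach ($site in Get-Website) {
        foreach ($binding in $site.bindings.Collection) {
            if ($binding.protocol -ne 'https' -or -not $binding.certificateHash) { continue }
            $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
            $cert = Get-Item "Cert:\LocalMachine\$store\$($binding.certificateHash)" -ErrorAction SilentlyContinue
            if (-not $cert) {
                # A binding whose certificate is missing from the store is broken and worth reporting too
                $findings += [pscustomobject]@{
                    Site = $site.Name; Binding = $binding.bindingInformation
                    Subject = '(certificate not found in store)'; Algorithm = ''; Expires = $null; Sha1 = $true
                }
                continue
            }
            # Build the chain leaf-first. Revocation is not checked here; this is an inventory, not validation.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            [void]$chain.Build($cert)
            $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
            # Drop the last element (the root): its self-signature is never verified by a client
            if ($elements.Count -gt 1) { $elements = $elements[0..($elements.Count - 2)] }
            foreach ($c in $elements) {
                $alg = $c.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
                $findings += [pscustomobject]@{
                    Site      = $site.Name
                    Binding   = $binding.bindingInformation
                    Subject   = $c.Subject
                    Algorithm = $alg
                    Expires   = $c.NotAfter
                    Sha1      = ($alg -match '^sha1')
                }
            }
        }
    }
    $findings
}

Get-Sha1Findings | Sort-Object Sha1 -Descending | Format-Table -AutoSize
```

Rows with Sha1 set to True are the certificates to reissue with SHA-2. Because SharePoint web applications are IIS sites, this covers every SSL binding the farm serves from that server; repeat it on every front end, since bindings can differ between servers.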

For more information about SHA-1 deprecation, visit the following Microsoft websites:

Microsoft Security Advisory 2880823

SHA1 Deprecation Policy

POST BY : Bryan Petersen [MSFT]

Controlling active content in SharePoint 2013


High-privileged users can embed active content in SharePoint sites. This article describes techniques that SharePoint administrators can use to restrict active content.

The risk of active content

Active content refers to web markup or controls that execute in the user’s browser and can perform actions on behalf of the user. JavaScript is the most common type of active content.

The same-origin policy allows active content to interact with other web endpoints on the same origin (scheme, host and port) as the current page. For example, active content on http://contoso.com/page1.aspx can access http://contoso.com/page2.aspx, but it cannot access http://fabrikam.com/page3.aspx.

SharePoint allows high-privileged users to add and modify active content which runs in the context of the site. A malicious user may add active content which interacts with other SharePoint pages to perform undesirable actions without the victim’s consent.

Controlling active content with permissions

In SharePoint 2013, the Add and Customize Pages permission controls the ability to add or modify active content:

- The Read, Contribute, and Edit permission levels do not include the Add and Customize Pages permission. These users cannot add or modify active content.

- The Design and Full Control permission levels do include the Add and Customize Pages permission. These users can add or modify active content.

- Site Collection Administrators are implicitly granted the Add and Customize Pages permission.

Only highly-trusted users should be granted permission levels which enable them to add active content.

Controlling active content at the site collection level

SharePoint administrators may wish to prevent all users on a given site collection from adding active content. In SharePoint 2013, the site collection DenyPermissionsMask property can be used to deny certain permissions from all users, including Site Collection Administrators.

Here’s how to apply a DenyPermissionsMask using the SharePoint 2013 Management Shell:

$site = Get-SPSite http://contoso/sites/restricted

$site.DenyPermissionsMask = ($site.DenyPermissionsMask -bor [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages)

Controlling active content at the web application level

SharePoint administrators may wish to restrict the use of active content across an entire web application. For example, each user is a Site Collection Administrator on their own My Site and it would be unrealistic for the SharePoint administrator to manually set the DenyPermissionsMask each time a new My Site is provisioned.

Web application policy can be used to deny the Add and Customize Pages permission for all users in a given web application. Here's how to apply this policy using the SharePoint 2013 Management Shell. A permission policy (policy role) only takes effect once it is bound to a principal through a user policy, so the last step binds it to all authenticated users:

$w = Get-SPWebApplication http://contoso-my

# Define a permission policy role that denies Add and Customize Pages
$p = $w.PolicyRoles.Add("NoActiveContent", "Denies active content")
$p.DenyRightsMask = [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages

# Bind the role to all authenticated users ("c:0(.s|true" is the Everyone / All Authenticated Users claim)
$policy = $w.Policies.Add("c:0(.s|true", "All Authenticated Users")
$policy.PolicyRoleBindings.Add($p)

$w.Update()
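The two mechanisms above change what is allowed; the next thing an administrator wants is to see who can add active content today and whether a deny mask is actually in force. The script below is an added example, not code from the original post: for every site collection in a web application it reports the site collection administrators, every principal holding a role definition that includes Add and Customize Pages on the root web, whether the site collection's DenyPermissionsMask blocks the permission, and which web application user policies deny it. The web application URL is a placeholder.

```powershell
# Added example (not from the original post): audit who can add active content in a web application.
# Assumes the SharePoint 2013 Management Shell; http://contoso is a placeholder URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$perm   = [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages
$webApp = Get-SPWebApplication http://contoso

# Principals whose web application user policy binds a role that denies the permission
$deniedByPolicy = foreach ($policy in $webApp.Policies) {
    foreach ($role in $policy.PolicyRoleBindings) {
        if (($role.DenyRightsMask -band $perm) -eq $perm) { $policy.UserName }
    }
}

foreach ($site in $webApp.Sites) {
    try {
        $siteDenied = (($site.DenyPermissionsMask -band $perm) -eq $perm)
        $root = $site.RootWeb

        # Role definitions on the root web that carry the permission (Design, Full Control, or custom ones)
        $riskyNames = @($root.RoleDefinitions |
            Where-Object { ($_.BasePermissions -band $perm) -eq $perm } |
            ForEach-Object { $_.Name })

        # Users and groups bound to one of those role definitions
        $holders = foreach ($ra in $root.RoleAssignments) {
            foreach ($rd in $ra.RoleDefinitionBindings) {
                if ($riskyNames -contains $rd.Name) { $ra.Member.LoginName }
            }
        }
        $admins = @($root.SiteAdministrators | ForEach-Object { $_.LoginName })

        [pscustomobject]@{
            Site                     = $site.Url
            DeniedBySiteMask         = $siteDenied
            DeniedByWebAppPolicyFor  = (@($deniedByPolicy) | Sort-Object -Unique) -join ';'
            SiteCollectionAdmins     = ($admins | Sort-Object -Unique) -join ';'
            CanAddActiveContent      = (@($holders) | Sort-Object -Unique) -join ';'
        }
    }
    finally {
        # SPSite objects enumerated from SPWebApplication.Sites must be disposed by the caller
        $site.Dispose()
    }
}
```

Site collection administrators are listed separately because they hold Add and Customize Pages implicitly, without appearing in any role assignment. A site where CanAddActiveContent is non-empty but DeniedBySiteMask is True is fine; a site where neither deny column is set and the holders list contains a group like "Everyone" is the one to fix first.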

Controlling active content using domain isolation

Some SharePoint deployments are configured to allow My Sites or Self-Service Site Creation, which allows users to provision a site collection where they are granted Site Collection Administrator privileges.

If you choose to allow users to embed active content in these sites, consider hosting them on a web application that uses a different domain name than other trusted content. The same-origin policy will prevent untrusted active content on these sites from interacting with trusted content on other domains.

For example, trusted content may be hosted at http://contoso.com. Consider enabling My Sites and Self-Service Site Creation on a separate web application at http://contoso-my.com. Use a different registrable domain rather than a subdomain of the trusted one: the same-origin policy is enforced per host, but cookies such as FedAuth can be scoped to a parent domain and would then be shared with the untrusted host.

Summary

Administrators have four means of controlling active content in SharePoint 2013:

- Grant only permission levels that do not include Add and Customize Pages, so that users cannot work with active content

- Disable the Add and Customize Pages permission on a site collection

- Disable the Add and Customize Pages permission on a web application

- Isolate active content to a separate domain

These techniques allow a SharePoint administrator to mitigate the impact of untrusted active content.

 

Author : Steve Sheppard [MSFT]

You can't specify the FROM address for email messages when you use the "Send an email" option from a SharePoint Designer 2013 workflow action


PROBLEM

When you create a SharePoint Designer 2013 workflow and use the Send an Email action, there is no option to specify a FROM email address. This setting is taken from the Outgoing E-Mail settings in Central Administration of the SharePoint 2013 on-premises farm.

WORKAROUND

The SendEmail REST endpoint can be called manually from a SharePoint Designer 2013 workflow (SharePoint 2013 Workflow Platform) with the email address of a valid SharePoint user as the sender.
To understand what is being constructed, call the REST endpoint with the SharePoint Designer Call HTTP Web Service action. For more information, refer to the client-side object model (CSOM) documentation on the following Microsoft website:

Utility.SendEmail method

This was performed on a SharePoint Online site.
The following steps re-create a parameterized version of what the Send an Email action does. Here's a sample JavaScript Object Notation (JSON) object that Workflow Manager sends to SharePoint 2013 through the SharePoint REST endpoint:

{
  "properties": {
    "To": {
      "results": ["i:0#.w|contoso\\validUser", "i:0#.w|contoso\\validUser2", "SharePoint Owner Group"]
    },
    "Subject": "HI",
    "From": "validSPUser@contoso.com",
    "__metadata": {
      "type": "SP.Utilities.EmailProperties"
    },
    "Body": "<HTML><HEAD> <META name=GENERATOR content=\"MSHTML 10.00.9200.16843\"><\/HEAD> <BODY> <P><FONT color=#00ff00 size=6 face=\"Segoe UI\"><STRONG><A href=\"Lists\/groups\/1_.000\">abc<\/A> <\/STRONG><\/FONT><\/P><\/BODY><\/HTML>"
  }
}

1. Connect to a site by using SharePoint Designer 2013.
2. Click Workflows, and then click Site Workflows.
3. Give the workflow a name, and then select SharePoint 2013 Workflow Platform.
4. Right-click the transition to stage, and then click Go to stage.
5. Click End of Workflow.
6. Type replace to insert the Replace action, and then click the first string text.
7. Type a semicolon (;), and then in the second string, type a comma (,).
8. Click the third string and then click fx. Select Workflow Context, click Initiator, and then select Login Name as the return type. If multiple selections are enabled, use the Login Names, Semicolon Delimited option.
  • This step is unnecessary for a SharePoint People/Group column that has a single value. However, doing it means email messages can be sent without additional changes to the workflow.
  • The output of this Replace action is sent to a new variable called output.
9. Insert another Replace action. This time, click the first string and type a backslash (\). In the second string, type two backslashes (\\).
  • Select the variable named output as the data source from the previous step, and write the output to the same variable.
  • Doing this escapes the backslash found in SharePoint claims. Other characters may also have to be escaped.
10. Insert a Set Workflow Variable action. Set the output variable to the output variable plus a few additional characters. It should resemble the following:

["[%Variable: output%]"]

  • This takes the current value, which can be a single claim, multiple claims or SharePoint groups, and wraps it in quotation marks (") and square brackets ([]). The earlier Replace actions replaced each semicolon with a comma (,) and escaped any backslash (\) as two backslashes (\\). Review the JSON object at the beginning of these steps to compare the pattern that is being created manually.
11. In Stage 1, type build and press Enter. This inserts the Build Dictionary action.
12. Click Variable: Dictionary, and then create a new variable named requestBody. Leave it as the Dictionary type.
13. Click this variable, and then click the Add button.
14. Click this variable, and in the dictionary variable properties, create the following key and value pairs:

Name                        Type        Value
properties/__metadata/type  String      SP.Utilities.EmailProperties
properties/Subject          String      Hello
properties/From             String      validSPUser@contoso.com
properties/Body             String      HTML string. This can be borrowed from a Send an Email action: right-click the action, select Properties, and copy the HTML from the body. Any lookups that were performed have to be redone.
properties/To/results       Dictionary  Perform a lookup by using the fx button: choose the Workflow Variables and Parameters data source, select the output variable, and set the return type to As Dictionary from JSON.

15. Type build again, and then create another dictionary. Create a new variable called requestHeaders with the following key and value pairs:

Name          Type    Value
Accept        String  application/json; odata=verbose
Content-Type  String  application/json; odata=verbose

16. Type Call, and then add the Call HTTP Web Service action to the workflow.
17. Click the "this" link in the action, and then in the dialog box, click the ellipsis (...).
18. Click Add or change lookup, click Workflow Context, click Current Site URL, and then click OK.
19. After the lookup, type /_vti_bin/client.svc/sp.utilities.utility.SendEmail. It should resemble the following:

[%Workflow Context:Current Site URL%]/_vti_bin/client.svc/sp.utilities.utility.SendEmail

20. Change HTTP Verb to HTTP POST, and then click OK.
21. Click request, and then select the requestBody dictionary variable.
22. Right-click the Call HTTP Web Service action and then click Properties. In the dialog box, open the RequestHeaders drop-down and select the requestHeaders variable. Click OK.
23. Click Publish.
24. Browse to /_layouts/15/start.aspx#/_layouts/15/workflow.aspx. The site workflow should be listed; when you click the workflow name, it should send an email message that contains the custom FROM address.

MORE INFORMATION

Note These steps can also be performed with a list workflow or a reusable workflow.
The FROM address has to belong to a valid user in SharePoint.
The TO addresses also have to be valid SharePoint users. The same rules apply as when the Send an Email action is used in SharePoint Designer 2013 on the SharePoint 2013 Workflow Platform.
The Call HTTP Web Service action can be configured to output data such as the response headers, response code, and response body. If a multi-line column is created, the output of these variables can be written there. The Log to History List action isn't suitable, because the response can be larger than 255 characters.
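The same request is easier to test outside SharePoint Designer, where the escaping of claims identities and the error response are visible directly. The script below is an added example, not code from the original article: it builds the SP.Utilities.EmailProperties body that the workflow assembles by hand, lets ConvertTo-Json handle the backslash escaping, obtains the form digest every REST POST needs, and calls the same SendEmail endpoint. It assumes an on-premises SharePoint 2013 site with Windows authentication; the site URL and addresses are placeholders.

```powershell
# Added example (not from the original article): call SP.Utilities.Utility.SendEmail from PowerShell.
# Assumes an on-premises SharePoint 2013 site with Windows authentication; URL and addresses are placeholders.
$siteUrl = "http://contoso/sites/demo"

# What SharePoint Designer emits for a multi-value people lookup: login names, semicolon delimited
$recipients = 'i:0#.w|contoso\validUser;i:0#.w|contoso\validUser2;SharePoint Owner Group'

function New-SendEmailBody {
    param([string]$From, [string[]]$To, [string]$Subject, [string]$HtmlBody)
    # Build the body as objects and let ConvertTo-Json do the escaping (including the
    # backslashes in claims identities) instead of the Replace actions the workflow needs.
    $body = @{
        properties = @{
            __metadata = @{ type = "SP.Utilities.EmailProperties" }
            From       = $From
            To         = @{ results = @($To) }
            Subject    = $Subject
            Body       = $HtmlBody
        }
    }
    $body | ConvertTo-Json -Depth 5
}

$json = New-SendEmailBody -From "validSPUser@contoso.com" -To ($recipients -split ';') `
    -Subject "Hello" -HtmlBody "<html><body><p>Sent through SP.Utilities.Utility.SendEmail</p></body></html>"

# Every REST POST needs a form digest, obtained from /_api/contextinfo
$context = Invoke-RestMethod -Uri "$siteUrl/_api/contextinfo" -Method Post -UseDefaultCredentials `
    -Headers @{ Accept = "application/json; odata=verbose" }
$digest = $context.d.GetContextWebInformation.FormDigestValue

$headers = @{
    Accept            = "application/json; odata=verbose"
    "X-RequestDigest" = $digest
}

# Same endpoint the workflow calls. A FROM or TO address that is not a valid SharePoint user
# is rejected with an HTTP error whose JSON body names the problem.
Invoke-RestMethod -Uri "$siteUrl/_vti_bin/client.svc/sp.utilities.utility.SendEmail" -Method Post `
    -UseDefaultCredentials -Headers $headers -ContentType "application/json; odata=verbose" -Body $json
```

Inspect $json before sending it: it should match the sample object at the top of the article, with each claim's backslash doubled. The workflow's Replace actions exist only to reproduce what the serializer does here automatically.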

           

          POST BY : Dalibor Kovacevic [MSFT]

The SharePoint 2013 search results return errors when you query federated locations with the September 2014 CU or later applied


Use Case Description:

In SharePoint 2013, federated search means supplementing SharePoint search results with indexes created by external search sources, for example a search engine such as Bing. With federated search, users can query, retrieve and display results for content that the SharePoint search server has not crawled. For example, you can set up a search that returns content indexed by an external search engine such as Bing.

You configure a result source (Site Settings > Result Sources) that points to the external federated search source. For example, Bing federation is configured with settings like the ones below:

i. Name: Bing Federation

ii. Protocol: OpenSearch 1.0/1.1

iii. Source Url: http://www.bing.com/search?q={searchterms}&format=rss

We want to make you aware that, after installing the September 2014 CU, if you receive the error below (exception stack trace) when a search query is issued against an OpenSearch result source such as Bing (http://www.bing.com), you may be running into this known issue.

          Exception:

ExecuteFlowInternal FlowExecutor:Microsoft.ProductivitySearchFlow Exception: System.ArgumentException: key is null or empty
Parameter name: key
Server stack trace:
   at Microsoft.Office.Server.Search.Query.PropertyBag`1.ValidateKey(String key)
   at Microsoft.Office.Server.Search.Query.PropertyBag`1.InternalSet(String key, Object value)
   at Microsoft.Office.Server.Search.Query.SS14ImsLookup.ResultTableCollectionGeneratorEvaluator.ResultTableCollectionGeneratingRecordSet.PopulateMetadata(ResultTableCollection resultTableColletion, IRecord record)
   at Microsoft.Office.Server.Search.Query.SS14ImsLookup.ResultTableCollectionGeneratorEvaluator.ResultTableCollectionGeneratingRecordSet.DoMoveNext()
   at Microsoft.Ceres.Evaluation.Processing.RecordSets.RecordSet.MoveNext()
   at Microsoft.Ceres.Evaluation.Processing.RecordSets.RecordSet.<GetEnumerator>d__0.MoveNext()
   at System.Linq.Enumerable.First[TSource](IEnumerable`1 source)
   at Microsoft.Office.Server.Search.Query.Pipeline.Executors.OpenSearchProviderFlowExecutor.ExecuteCore(KeywordQueryProperties keywordProperties)
   at Microsoft.Office.Server.Search.Query.Pipeline.Executors.QueryPipelineFlowExecutor.Execute(KeywordQueryProperties keywordProperties)
   at Microsoft.Office.Server.Search.Query.Pipeline.Executors.QueryPipelineHardWiredFlowExecutor.Execute(KeywordQueryProperties keywordProperties)
   at Microsoft.Office.Server.Search.Query.Pipeline.QueryPipelineComponent.ExecuteFlowInternal(IQueryPipelineFlowExecutor executor, KeywordQueryProperties keywordProperties, String flowName, Int32 timeout)
   at Microsoft.Office.Server.Search.Query.Pipeline.QueryPipelineComponent.ExecuteFlow(String flowName, KeywordQueryProperties keywordProperties, Int32 timeout)
   at Microsoft.Office.Server.Search.Query.Pipeline.Processing.QueryRouterEvaluator.QueryRouterProducer.ExecuteQueryFlow(String flowName, KeywordQueryProperties input)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [0]:
   at Microsoft.Office.Server.Search.Query.Pipeline.Processing.QueryRouterEvaluator.QueryRouterProducer.ExecuteQueries(IRecord originalQueryRecord, IEnumerable`1 routingRecords, QueryExecutionContext executionContext, IUpdateableDictionaryField`2 resultField)
   at Microsoft.Office.Server.Search.Query.Pipeline.Processing.QueryRouterEvaluator.QueryRouterProducer.ProcessRecordCore(IRecord record)
   at Microsoft.Ceres.Evaluation.Processing.Executor.ProducerOperatorExecutor`1.ProcessProducerRecord(IRecord inputRecord)

          Proposed Fix:

The Microsoft product group is aware of this issue and is working to include a fix in one of the upcoming cumulative updates (CUs). Please contact Microsoft Support for details on which CU will carry it.
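Until the fix ships, the practical question is which result sources in a farm are exposed. The script below is an added example, not code from the original post: it enumerates the result sources of the Search service application, keeps those that use the OpenSearch 1.0/1.1 provider, runs a small test query against each through the server object model, and reports the sources that fail together with the exception message. Run it before and after a CU to confirm the behaviour. It assumes a single Search service application and uses the SSA-level owner; the query term is arbitrary.

```powershell
# Added example (not from the original post): test every OpenSearch result source in the farm.
# Assumes the SharePoint 2013 Management Shell and a single Search service application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssa        = Get-SPEnterpriseSearchServiceApplication
$owner      = Get-SPEnterpriseSearchOwner -Level Ssa
$fedManager = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager($ssa)

# Result sources are keyed to a provider; pick out those built on the OpenSearch 1.0/1.1 provider
$openSearchProviderId = $fedManager.ListProviders()["OpenSearch 1.0/1.1"].Id
$sources = $fedManager.ListSources($owner, $true) |
    Where-Object { $_.ProviderId -eq $openSearchProviderId }

foreach ($source in $sources) {
    $query = New-Object Microsoft.Office.Server.Search.Query.KeywordQuery($ssa)
    $query.QueryText = "sharepoint"     # arbitrary test term
    $query.SourceId  = $source.Id
    $query.RowLimit  = 5
    $executor = New-Object Microsoft.Office.Server.Search.Query.SearchExecutor
    try {
        $results = $executor.ExecuteQuery($query)
        $table   = $results.Filter("TableType", "RelevantResults") | Select-Object -First 1
        [pscustomobject]@{
            Source = $source.Name
            Url    = $source.ConnectionUrlTemplate
            Status = "OK"
            Detail = "$($table.RowCount) rows"
        }
    }
    catch {
        # On an affected build this surfaces "key is null or empty  Parameter name: key"
        [pscustomobject]@{
            Source = $source.Name
            Url    = $source.ConnectionUrlTemplate
            Status = "FAILED"
            Detail = $_.Exception.Message
        }
    }
}
```

Sources that fail with the ArgumentException shown above, and only after the September 2014 CU, match this issue; a failure with a different message (a timeout or an HTTP error from the remote site) points at the external endpoint rather than the query pipeline.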

           

          POST BY : SRINI DUTTA [MSFT]
