Wednesday, February 25, 2015

Error: Replication access was denied. error code: 8453

Error:
Replication access was denied. error code: 8453

Reason:
You will get this error while you are trying to crawl people from Active Directory in SharePoint 2010.

During the people search configuration, the people from Active Directory will not be crawled in SharePoint 2010, and you cannot see the actual error straight away. The right way to get the actual error message is to use the Synchronization Service Manager. You can find this tool on the SharePoint server at the path below:
C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe 

In this tool, if you "Run" the Profile Import under the "Operations" tab, you will get the above error message. The error screenshot looks like the one below:
Solution:
To resolve this issue, we must grant access rights to the service account of the "User Profiles" service. What kind of access rights need to be provided?

The user should have the "Replicating Directory Changes" permission in Active Directory. To grant this right to the "service account" user, follow the steps below:

1. Log in to the Active Directory server.
2. Open the "Active Directory Users and Computers" console (C:\WINDOWS\system32\dsa.msc).
3. Right-click the "Domain name" and go to "Properties".
4. Go to the Security tab and select the specific service account user. (If the user is not listed, you can add the user by clicking the "Add" button on the same screen.)
5. Scroll through the permissions and select the "Replicating Directory Changes" option as in the image below.
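After steps 1 to 5, it is worth confirming that the right landed on the domain root for the sync account only, because the same ACL entry lets its holder read directory changes from the domain. The following script is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) and uses the placeholder account name CORP\profilesync, since the post does not name the service account.

```powershell
# Added example (not from the original post): list every principal holding a
# "Replicating Directory Changes*" extended right on the domain root, so the grant made
# in ADUC can be verified and any unexpected holder reviewed.
Import-Module ActiveDirectory

# Resolve the rights GUIDs by display name from the Extended-Rights container instead
# of hard-coding them; this also picks up the "All" and "In Filtered Set" variants.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$replRights = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
             -LDAPFilter '(displayName=Replicating Directory Changes*)' `
             -Properties displayName, rightsGuid |
    ForEach-Object { $replRights[$_.rightsGuid.ToLower()] = $_.displayName }

# The ACL edited through the domain's Properties > Security tab (steps 3-5) is the one
# on the domain naming context.
$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"
$extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$holders = foreach ($ace in $acl.Access) {
    $guid = $ace.ObjectType.ToString().ToLower()
    if ($ace.AccessControlType -eq 'Allow' -and
        (([int]$ace.ActiveDirectoryRights -band $extended) -ne 0) -and
        $replRights.ContainsKey($guid)) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $replRights[$guid]
            Inherited = $ace.IsInherited
        }
    }
}

# Expected holders: domain controllers, the built-in administrative groups, and the one
# synchronization service account. Anything else should be explained or removed.
$holders | Sort-Object Principal, Right | Format-Table -AutoSize

# Yes/no check for the sync account (placeholder name; use your own sAMAccountName).
$syncAccount = 'CORP\profilesync'
$ok = $holders | Where-Object { $_.Principal -eq $syncAccount -and
                                $_.Right -eq 'Replicating Directory Changes' }
if ($ok) { "OK: $syncAccount holds Replicating Directory Changes on $domainDN" }
else     { Write-Warning "$syncAccount does NOT hold Replicating Directory Changes on $domainDN" }
```

Run it from an account that can read the domain ACL; the listing is read-only and changes nothing.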
That's it.

Monday, February 16, 2015

Configuring SharePoint 2010 with Kerberos Authentication

Determine the application pool account that will be responsible for authenticating users. 

Follow the steps below to be absolutely sure of the account responsible for running the site that will support Kerberos authentication. If SharePoint has already been configured, verify that your application pool account is, in fact, running the IIS application pool that supports the website where Kerberos is enabled.
image
Open the web application that will support Kerberos and make a note of the application pool that supports this web application (note that you may have more than one web application for the same data, for example one for http and one for https, so take care to determine the exact web application).
image
Make a note of the account that is the identity of this application pool; later this account must be trusted for "Delegation".
* If the application pool identity is "Network Service" then Kerberos cannot be configured; the application pool account configured through Central Administration must be a domain account.
image



Get the exact machine names that will host the sites that will support Kerberos authentication

Right-click Computer Management and click Properties
image
Make a note of the machine’s actual name (you will not be using the alias)
image

Open Active Directory Users and Computers

image
Open the application pool account in Active Directory Users and Computers (ADUC) and note that there is no "Delegation" tab.
image

Locate the server(s) in Active Directory Users and Computers as well

Repeat the step above for the computer; the Delegation tab will typically not be visible until the SETSPN tool is run (that comes later). In the screenshot below, the Delegation tab is visible because the server is an all-in-one machine that is also a domain controller.
image

Enable Kerberos for SharePoint Web Application

First things first: Kerberos can be enabled for an existing SharePoint web application even if it was not specified during the initial installation wizard. Follow the steps below to enable Kerberos authentication for a SharePoint web application.
Open Central Administration; note that the port may be different (I typically use 8080 for Central Administration). *** NOTE: IF YOU CANNOT OPEN CENTRAL ADMINISTRATION, DO NOT HAVE RIGHTS, OR DO NOT KNOW HOW, THEN STOP; YOU SHOULD NOT BE DOING THIS ***
image
Click on Manage Web Applications
image
image
In the dialog that opens, click on the zone (which is typically Default, although you may choose Intranet).
image
In the Edit Authentication dialog that opens, scroll down to IIS Authentication Settings and choose "Negotiate (Kerberos)". A JavaScript alert will appear warning you of the manual steps you will have to complete; these manual steps are detailed later in this article.
image
Click save and close the remaining dialogs.

Run the SETSPN command line tool for the SharePoint Application Pool Account

To enable Kerberos authentication, a domain administrator will need to run the following commands from the command line on each SharePoint server. These commands use the SETSPN tool, which is delivered by default on all Windows Server 2008 machines; if the tool is missing, it is readily available for download from Microsoft.com.
Open a command prompt as administrator
image
First run the SETSPN command for the application pool account.
Correct the names below (servername and corp\spapppool) to match the names in your environment. Also note that "http" does not have a "://".
setspn -A http/servername corp\spapppool
image
Run a similar command for each server (the results below are atypical since the machine used is already a domain controller; however, the command is still correct):
setspn -A http/spapp10 spapp10
image

Open Active Directory Users and Computers and Trust the Application Pool for Delegation

Once the SETSPN command has been run, the delegation tab will appear in Active Directory Users and Computers (ADUC) for the application pool account.
image
On the Delegation tab of the SharePoint application pool account's Properties window, select "Trust this user for delegation to any service (Kerberos only)".

image


Open Active Directory Users and Computers and Trust the Server(s) for Delegation

Once the SETSPN command has been run, the Delegation tab will appear in Active Directory Users and Computers (ADUC) for the servers registered using the SETSPN tool.
image
On the Delegation tab, check the box "Trust this computer for delegation to any service (Kerberos only)".
image

Verifying Service Principal Names (SPNs) using SETSPN

The setspn tool supports the -L (list) switch, which lets administrators display the SPNs for a particular computer or user account.

Run setspn for the service account

setspn -L corp\spapppool
image

Run setspn for the server

setspn -L spapp10
image
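The setspn -L listings above show one account at a time. The script below is an added example, not part of the original post, that checks the same things across the directory with the ActiveDirectory module (RSAT): that each http/<server> SPN is on the application pool account, that no http/ SPN is held by more than one account (if the same http/<server> SPN ends up on both the application pool account and the computer account, this check reports it), and which accounts carry the "any service" delegation flag set in the Delegation tab steps. spapppool and spapp10 are the post's sample names.

```powershell
# Added example (not from the original post): verify the SETSPN and delegation changes.
Import-Module ActiveDirectory

$AppPoolAccount = 'spapppool'      # sAMAccountName of the application pool identity
$ServerNames    = @('spapp10')     # actual machine names (not aliases) hosting the web app

# 1. Every server needs an http/<server> SPN on the application pool account, which is
#    what "setspn -A http/<server> corp\spapppool" registers.
$acct = Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName, TrustedForDelegation
foreach ($server in $ServerNames) {
    $spn = "http/$server"
    if ($acct.servicePrincipalName -contains $spn) { "OK      $spn is registered on $AppPoolAccount" }
    else { Write-Warning "MISSING $spn on $AppPoolAccount (setspn -A $spn corp\$AppPoolAccount)" }
}
"TrustedForDelegation on ${AppPoolAccount}: $($acct.TrustedForDelegation)"

# 2. An SPN held by two accounts breaks Kerberos for that service: the KDC cannot tell
#    which account's key to use, and clients fail or fall back to NTLM (login prompts).
#    Collect every http/ SPN in the domain and report the ones with more than one holder.
$dupes = Get-ADObject -LDAPFilter '(servicePrincipalName=http/*)' -Properties servicePrincipalName |
    ForEach-Object {
        $holder = $_.DistinguishedName
        $_.servicePrincipalName | Where-Object { $_ -like 'http/*' } |
            ForEach-Object { [pscustomobject]@{ SPN = $_; Holder = $holder } }
    } | Group-Object SPN | Where-Object { $_.Count -gt 1 }
foreach ($d in $dupes) {
    $who = ($d.Group | ForEach-Object { $_.Holder }) -join '; '
    Write-Warning "DUPLICATE SPN $($d.Name) held by: $who"
}
if (-not $dupes) { "OK      no duplicate http/ SPNs in the domain" }

# 3. "Trust ... for delegation to any service (Kerberos only)" sets TRUSTED_FOR_DELEGATION
#    (userAccountControl bit 0x80000 = 524288). Such a principal can obtain tickets to any
#    service on behalf of any user who authenticated to it, so the full list should be
#    short and known: domain controllers plus the account and servers configured above.
"Principals trusted for delegation to any service:"
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
             -Properties userAccountControl |
    Select-Object Name, ObjectClass, DistinguishedName |
    Format-Table -AutoSize
```

Section 3 is the review list to keep: delegation to specific services (constrained delegation) limits what a compromised account can impersonate, whereas the "any service" option used in the post does not.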

Testing Kerberos

There are tools available for testing Kerberos, but it's quite easy to determine whether it is running properly.
When it's enabled but not working, the following symptoms may be present:
  1. Login prompts may appear where they previously did not under NTLM authentication.
  2. Login errors appear in the Windows Security event log, typically stating that Kerberos authentication failed.
  3. Users are required to log in from Office applications even though their machines are domain members and the logged-in user should have rights.
When Kerberos is first configured for the application pool account, a message will appear in the Windows Security log stating that a ticket was requested.
image
Open SharePoint in a browser using the URL where Kerberos is now configured and then refresh the Security log. If Kerberos is running properly, messages similar to the one below will appear in the logs on a regular basis.
For particular logged-in users, events similar to the one below will appear:
image
In addition, many messages similar to the one below will appear in the event log.
image
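The "ticket was requested" messages above are Security event 4769 (a Kerberos service ticket was requested) on the domain controller, and the post's screenshots come from an all-in-one server that is also a DC. The script below is an added example, not part of the original post: run on a domain controller, it pulls the recent 4769 events whose service is the application pool account, so you can see which clients got Kerberos tickets for the http/ SPN and with what encryption type. spapppool is the post's sample account name.

```powershell
# Added example (not from the original post): list Kerberos service-ticket requests
# (Security event 4769) for the SharePoint application pool account on a DC.
$ServiceAccount = 'spapppool'          # owner of the http/<server> SPN
$Since          = (Get-Date).AddHours(-1)

function Get-KerberosTicketRequests {
    param([string]$Service, [datetime]$StartTime)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $StartTime } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than by position.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ServiceName -eq $Service) {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                Client     = $d.TargetUserName          # user@REALM that asked for the ticket
                ClientIP   = $d.IpAddress
                Encryption = $d.TicketEncryptionType    # 0x12 = AES256, 0x11 = AES128, 0x17 = RC4
                Status     = $d.Status                  # 0x0 = ticket issued
            }
        }
    }
}

$tickets = Get-KerberosTicketRequests -Service $ServiceAccount -StartTime $Since
if (-not $tickets) {
    # No tickets while users are hitting the site means they are not using Kerberos:
    # check the SPN registration and that the browser uses the server's real name.
    Write-Warning "No 4769 events for service $ServiceAccount since $Since"
} else {
    $tickets | Sort-Object Time | Format-Table -AutoSize
    # RC4 (0x17) tickets point at a legacy encryption configuration worth tightening.
    $tickets | Group-Object Encryption | Select-Object Name, Count
}
```

Run it in an elevated prompt on a domain controller; reading the Security log requires administrator or Event Log Readers membership.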