Resently I installed a new SharePoint Server Subscription Edition but in this case only with the latest security update (https://support.microsoft.com/en-us/kb/5002191).

When I opened the home page of the newly created root site collection everything seems fine. But when navigation to some link in the quick launch I only got empty / blank pages. No errors in the Developer tools. Just no content.

(There was almost no content in the HTML DOM. Just the <head> tag with some content and the <body> tag with 1 <script> tag…)

After searching in the SharePoint logs I found this error:

Error encountered when creating uri from baseUrl /_layouts/15/next/odspnext/.

It helped me to find this page of Stefan Goßner: https://blog.stefan-gossner.com/2021/09/29/trending-issue-_layouts-15-viewlsts-aspx-shows-as-blank-page-in-sp2019-after-installing-september-pu/

This information is about ShgarePoint 2019 but the message and even the error code is identical.

So I installed the lastest available “language dependent” patch of January 2022: https://support.microsoft.com/en-us/kb/5002110

After installing it and after running the config wizard all the pages contents are shown!

This is the link to the SharePoint User Information List:

https://sharepoint.example.com/_catalogs/users/simple.aspx

The bold part must be replaced by the SharePoint site collection URL.

The interesting part is this: /_catalogs/users/simple.aspx

For example:

https://intranet.yourcompany.com/sites/finance/_catalogs/users/simple.aspx

/sites/finance is the site collection part of the URL in this case.

This list is a special system list but it’s based on the “normal” list mechanism of SharePoint. Therefore it has an ID and by knowing that you can open the settings page of the list.

If you opend the User Information List using the URL above in Firefox, Edge, Chrome,… you can select the surrounding table and grab the list ID from the HTML DOM:

With this ID you can open the settings page:

https://sharepoint.example.com/_layouts/15/listedit.aspx?List={F9780EA0-8B18-47E1-88BF-7C9543561C58}

As widely known, Microsoft Teams runs on desktop computers with Windows OS or Mac OSX or Linux. The “Teams” app is based on “Electron” (https://www.electronjs.org).

“Electron” runs a packaged web technology based app inside a Chromium based application.

Microsoft Teams is such a “web technology based app” that runs in such a Chromium based application locally on a computer.

Chromium normally offers “Developer Tools” to dig into the HTML / CSS / Javascriptg of a w web technology based application.

Normally the “Developer Tools” are disabled in “Microsoft Teams”.

But there is a trick to enable the “Developer Tools” on “Microsoft Teams”:

1. Windows

(Left) click 7 or more times on the “Teams” icon besides the clock.

Now right-click the icon once. There you see the Developer Tools:

2. Mac OSX

It’s almost the same with Mac OSX: There you click the “Teams” icon in the tray 7 times.

(I’ll add a screenshot later.)

3. Linux

Not tested.

I wanted to create a demo application with kind of real world authentication that I can easily adopt in projects.

This was not so easy as I thought.

1st: I wanted an identity provider that offers OAuth2.

2nd: I wanted the identity provider on my own machine or at least within my infrastructure.

3rd: I wanted a setup that I can describe to reproduce it.

Here is the result. – I work on Windows 11. It should work with Windows 10 too. – I use Visual Studio 2022.

Part 1: Preparation

Install Windows Subsystem for Linux version 2:

https://docs.microsoft.com/en-us/windows/wsl/install

Install Docker Desktop for Windows

https://docs.docker.com/desktop/windows/install/

Ensure you enabled WSL2 support in Docker!

Part 2: Setup

I need Casdoor as identity provider. It’s open source:

https://casdoor.org/

Pull the latest “all-in-one” Docker image of Casdoor.

docker pull casbin/casdoor-all-in-one

Now you create the container…

docker run -d -p  8000:8000 --name casdoor -v ./casdoor-data:/var/lib/mysql casbin/casdoor-all-in-one

Three comments on that:

1. The Casdoor portal on your machine can be accessed using http://localhost:8000. If you need another port that change “8000:8000” to something else like “9000:8000”. The second port is internally used inside the Docker container. Do not change that. The first port is the published one on your machine.
2. Casdoor is an identity provider. You will need to create identities in it. Of course you do not want to do that again and again. Therefore it’s a good idea to put the data of the Casdoor container into Docker volume. If you later recreate the container the volume will remain on disk.
3. You ask: “Where is the Docker volume located on disk on WSL 2”? Good question! WSL creates a hidden mount point (?) that you can access on Windows by accessing \\wsl$ in the Explorer. Then you can navigate to the correct folder that contains the volume of Casdor: \\wsl$\docker-desktop-data\version-pack-data\community\docker\volumes\casdoor-data

Now you can open Casdoor:

http://localhost:8000

The default login is: username “admin” with password “123” (without “”)

Now … create some users.

Then… create an application:

Part 3: The code

Now clone my github project:

https://github.com/ikarstein/com.kenaro.public.OAuth2Demo.Casdoor

Open the solution in Visual Studio 2022. Run it.

It will open a browser and looks like this:

Click “Authenticate using Casdoor”

Authenticate…

Thats it.

The magic happens in “Startup.cs”

.AddOAuth("casdoor", "Casdoor", options =>
        {
            options.AuthorizationEndpoint = "http://localhost:8000/login/oauth/authorize";
            options.TokenEndpoint = "http://localhost:8000/api/login/oauth/access_token";
            options.UserInformationEndpoint = "http://localhost:8000/api/userinfo";
            options.ClientId = "dc6556419364997a4032";
            options.ClientSecret = "2a4dbd07bbb655777a928ef99039a11d1e81d9d4";
            options.CallbackPath = "/signin-casdoor";
            options.ClaimsIssuer = "iss";
            options.SaveTokens = true;
            options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "name");
            options.ClaimActions.MapJsonSubKey(ClaimTypes.Gender, "data", "gender");
            options.ClaimActions.MapJsonSubKey(ClaimTypes.Name, "data", "displayName");
            options.ClaimActions.MapJsonSubKey(ClaimTypes.Email, "data", "email");
            options.ClaimActions.MapJsonSubKey(ClaimTypes.HomePhone, "data", "phone");
            options.ClaimActions.MapJsonSubKey(ClaimTypes.Locality, "data", "location");
            options.ClaimActions.MapJsonSubKey(ClaimTypes.Webpage, "data", "homepage");
            options.ClaimActions.MapJsonSubKey(ClaimTypes.Role, "data", "type");

            options.Events.OnCreatingTicket = async creatingTicketContext =>
            {
                var token = creatingTicketContext.Properties?.GetString(".Token.access_token");

                using var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost:8000/api/get-account");
                request.Headers.Accept.Add(new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/json"));
                request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);

                using var response = await creatingTicketContext.Backchannel.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, creatingTicketContext.HttpContext.RequestAborted);
                if (!response.IsSuccessStatusCode)
                {
                    throw new HttpRequestException("An error occurred while retrieving the user profile from Authentik.");
                }

                var userInfo = await response.Content.ReadAsStringAsync(creatingTicketContext.HttpContext.RequestAborted);
                using var jsonDoc = JsonDocument.Parse(userInfo);
               
                creatingTicketContext.RunClaimActions(jsonDoc.RootElement);
            };
        });

I took a while to figure out how to configure the OAuth2 provider.

Today I could solve a wired problem. It belongs to User Profile “AD Import” on SharePoint Server 2019.

The profile overview of a person stated two different information: At the top there was the correct department but in the organizational chart the person had the wrong manager and so a wrong department information.

The organizational chart is generated from the “Manager” attribute of the SharePoint user profile.

In the profile I saw a correct “department” attribute value but a wrong “manager” attribute value.

I started a “Full AD Import”.

In the SharePoint log I saw an exception with the message, that a XML file in the SharePoint timer cache on one server could not be changed.

So first I refreshed all timer cache folders on all servers: Stop Windows service “sptimerv4” on every server. Find the subfolder with file “cache.ini” below c:\programdata\microsoft\sharepoint\config. The folder has a GUID as name. Than delete all file but cache.ini. Than set the content of cache.ini to “1” (without “”) and restart the service “sptimerv4”. The cache folder gets filled again. The content of “cache.ini” will be set to a valid value…

Next I restarted AD Import using PowerShell:

$s = get-spserviceapplication <guid>
$s.StartImport($true)

Now I saw the sync working in the SharePoint log but the manager attribte was not updated still.

My next idea was that maybe the property mapping had a problem. I looked at the mapping config but it looked OK in the editor.

Out of curiosity I have removed the assignment for “manager”. Than I ran the import and checked the user profile afterwards.

As a big suprise for me the manager attribte now got updated. WITHOUT MAPPING.

It seems that the manager attribute is mapped internally.

(. dotnet tool list -g) | select -skip 2 | select-string -pattern "^([^\s]+)" | % { $_.matches.groups[1].value} | % { . dotnet tool update $_ -g}

Almost exactly four years ago I started developing the software kenaflow. The project started as a workflow engine for SharePoint. Meanwhile the software can do a lot more, e.g. workflows for email inboxes.

Workflows with kenaflow work via PowerShell scripts: The data to be processed is passed individually to one or more scripts. What the developer does there is his/her business.

kenaflow creates the framework and takes care of the execution (scheduling).

kenaflow provides HTTPS endpoints, e.g. for web hooks or SharePoint remote events.

The whole thing is mega flexible and scalable.

Interested? Then feel free to send me a message! – kenaflow is free for the first six months in the full version!

The latest offering is kenaflow as a hosted cloud service. We provide kenaflow on a dedicated virtual machine per customer. You develop workflow scripts via Visual Studio Code Remote – using SSH. – Even on the smallest virtual machine you can run an unlimited number of workflows, limited only by the computational intensity and execution frequency of your workflows.

My customer tries to save a sub web “as template” using “/_layouts/15/savetmpl.aspx“.

He gets an “Access Denied” (“This site has not been shared with you”) page.

It took me a while to understand the ULS (SharePoint log). Finally I found the related lines.

Requiring ACPRight

The permission is being checked for a write operation

Requiring ManageListsRight and ACPRight as this is a write operation on catalog

Permission check failed. Asking for 0x00040802, have 0x7FFFFFFFFFFBFFFF

SPRequest.PutFile: UserPrincipalName=i:0).w|s-1-5-21-45689356773-24675323-1484686, AppPrincipalName= ,bstrUrl=https://sharepoint.farm ,bstrWebRelativeUrl=_catalogs/solutions/ikarstein.wsp ,cbFile=11111 ,punkSPFileMgr=<null> ,punkFFM=<null>

System.UnauthorizedAccessException: Access denied., StackTrace:   
 at Microsoft.SharePoint.SPFileCollection.AddStreamOrBytesInternal(String urlOfFile, Stream file, Int64 fileSizeToSave, SPFileStreamManager spmgr, Int64 fileOpt, String createdBy, String modifiedBy, Int32 createdByID, Int32 modifiedByID, DateTime timeCreated, DateTime timeLastModified, Object varProperties, String checkInComment, Stream formatMetadata, String lockIdMatch, String etagToMatch, SPLockType lockType, String lockId, TimeSpan lockTimeout, Boolean validateRequiredFields, Guid bitsSessionId, Guid originatorId, SPVirusCheckStatus& virusCheckStatus, String& virusCheckMessage, String& etagNew, Boolean& ignoredRequiredProps, SPFileInfo& fileProps)    
 at Microsoft.SharePoint.SPFileCollection.Add(String urlOfFile, Stream file, Hashtable properties, Boolean overwrite, Boolean requireWebFilePermissions)    
 at Microsoft.SharePoint.SPSolutionExporter.ExportWebToGallery(SPWeb web, String solutionFileName, String title, String description, ExportMode exportMode, Boolean includeContent, String workflowTemplateName, String destinationListUrl, Action`1 solutionPostProcessor, Boolean activateSolution)    
 at Microsoft.SharePoint.ApplicationPages.SaveAsTemplatePage.BtnSaveAsTemplate_Click(Object sender, EventArgs e)    
 at System.Web.UI.WebControls.Button.OnClick(EventArgs e)    
 at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)    
 at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)    
 at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)    
 at System.Web.UI.Page.ProcessRequest()    
 at System.Web.UI.Page.ProcessRequest(HttpContext context)    
 at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()    
 at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)    
 at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)    
 at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)    
 at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)    
 at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)    
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)    
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)    
 at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)    
 at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)    
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)    
 at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)

Access Denied. Exception: Access denied., StackTrace:  
 at Microsoft.SharePoint.Library.SPRequestInternalClass.PutFile(String bstrUrl, String bstrWebRelativeUrl, Object punkFile, Int64 cbFile, Object punkSPFileMgr, Object punkFFM, SPFileSaveParams sfsp, SPFileInfo& pFileProps, UInt32& pdwVirusCheckStatus, String& pVirusCheckMessage, String& pEtagReturn, Byte& piLevel, Int32& pbIgnoredReqProps)    
 at Microsoft.SharePoint.Library.SPRequest.PutFile(String bstrUrl, String bstrWebRelativeUrl, Object punkFile, Int64 cbFile, Object punkSPFileMgr, Object punkFFM, SPFileSaveParams sfsp, SPFileInfo& pFileProps, UInt32& pdwVirusCheckStatus, String& pVirusCheckMessage, String& pEtagReturn, Byte& piLevel, Int32& pbIgnoredReqProps).

It took me a lot of time to figure that out…

$w = Get-SPWeb "https://sharepoint.farm"

$w.site.DenyPermissionsMask

([long]$w.site.DenyPermissionsMask).ToString("x")

0x7FFFFFFFFFFBFFFFL

0x7FFFFFFFFFFFFFFFL

0x7FFFFFFFFFFFFFFFL -bxor 0x40000

The line ” $w.site.DenyPermissionsMask ” returned the result: “AddAndCustomizePages” => A (A) C P => ACP ? => ACPRight … ?? There it was !!!

Hex: 0x40000 (line ([long]$w.site.DenyPermissionsMask).ToString("x") )

The long hex values showed me that exactly that right was for some reasons “denied” on the site collection.

I solved it using this command:

$w.site.DenyPermissionsMask = [microsoft.sharepoint.spbasepermissions]::EmptyMask

The previous setting can be restored with:

$w.site.DenyPermissionsMask =[microsoft.sharepoint.spbasepermissions]::AddAndCustomizePages

After the fix, I checked all site collections for this particular setting:

get-spsite -limit all | % {
    if( ($_.DenyPermissionsMask) -ne "EmptyMask") {
        write-host $_.url  -ForegroundColor red
        write-host "`t" ($_.DenyPermissionsMask) -ForegroundColor red
    } else {
        #write-host $_.url  -ForegroundColor green
    }
}

… No other site collection has had a setting other than “EmptyMask”.

It has been a problem for me to work with SQL backup and restore for SharePoint with Powershell…

Issuing the commands is no problem. A simple SQL Server connection is required.

But for long running tasks I need to see the server messages in Powershell.

Here is a trick to do that. I use it since years. As a C# developer I know the “event handler” that can receive the messages…

$cnn = New-Object System.Data.SqlClient.SqlConnection

$cnn.add_InfoMessage([System.Data.SqlClient.SqlInfoMessageEventHandler] {
  param($sender, $event);

  Write-Host $event.Message;
}); 

$cnn.FireInfoMessageEventOnUserErrors = $true

$cnn.ConnectionString = "Server=sqlserver;Database=master;Integrated Security=True;Connection Timeout=86400"

$cnn.Open()

“add_InfoMessage” does the trick.

On every SharePoint or IIS server I need the following script:

Short Version, e.g. for Windows Task Scheduler

powershell -command “get-childitem -path c:\inetpub\logs\logfiles -filter *.log -recurse | ? { $_.LastWriteTimeUtc -lt [datetime]::utcnow.addmonths(-2)} | remove-item -force -confirm:$false -whatif”

(You may need to adjust the path to the log files!)

Long Version

cls

$path = "C:\inetpub\logs"
 
$dt = [datetime]::Now

$s = [long]0
Get-ChildItem "$($path)\LogFiles" -Filter "*.log" -Recurse | % { $s += $_.Length }

Write-host "Size before: $($s / 1024 / 1024) MB"

$s = [long]0
Get-ChildItem "$($path)\LogFiles" -Filter "*.log" -Recurse | ? { ($dt - $_.LastWriteTime).TotalDays -gt 30 } | % { $s += $_.Length; $_ | Remove-Item -Confirm:$false -Force }

Write-host "Removed: $($s / 1024 / 1024) MB"

$s = [long]0
Get-ChildItem "$($path)\LogFiles" -Filter "*.log" -Recurse | % { $s += $_.Length }

Write-host "Size after: $($s / 1024 / 1024) MB"