Category Archives: SharePoint 2013

Cross Site Scripting with SharePoint 2013 REST calls

Today I had to figure out how to query a SharePoint 2013 REST service from another domain.

It took a while to find the correct settings. 😉

There was no list on the internet so I want to post it here as reference. – If you have additions to it please post them in the comments.

My test bed:

  1. I created two web applications
  2. At the root of both web apps I created a “Team Site” site collection.
  3. I uploaded a copy of jQuery to the masterpage catalog of .
  4. Also to the masterpage catalog of this site I uploaded a script file named “crosssitescripting.js” containing the REST call to .
  5. On the homepage of the root site collection of I added some script tags to load the script files jQuery.js and crosssitescripting.js. And a div tag for the sub web list.


I opened the homepage of in the browser and got an error in the F12 dev tools of the Internet Explorer. As expected.


Now I added some web.config modifications using PowerShell to enable cross site scripting. (Some years ago I wrote a note on that topic:

After reloading the site I could see the sub web list:


Here is the content of crosssitescripting.js

    $.support.cors = true;
        url: "",
        type: "GET",
        crossDomain: true,
        dataType: "json",
        headers: { "Accept": "application/json; odata=verbose" },
        xhrFields: { withCredentials: true },
        success: function (response) {
            var ul = $("#weblist").append("<ul/>");
        error: function (xhr, status) {

Here is the PowerShell script to add the web.config modifications:

Add-PSSnapin Microsoft.SharePoint.PowerShell -EA 0

$localFarm = Get-SPFarm

$webapp = Get-SPWebApplication ""

# Remove old web.config modifications of MyAuthenticationProvider
$oldMods = @();
$webapp.WebConfigModifications | ? { $_.Owner -eq "CrossSiteScripting" } | % { 
    $oldMods = $oldMods + $_

$oldMods | % { 

# update the Web Application and apply all existing web.config modifications - this executes the "remove" actions from above

#Wait until web.config modifications finished by timer job
while( (Get-SPTimerJob | ? { $_.Name -eq "job-webconfig-modification"}) -ne $null ) {
    Write-Host "." -NoNewline
    Start-Sleep 1

# New web.config modifications for MyAuthenticationProvider
$myModification1 = new-object Microsoft.SharePoint.Administration.SPWebConfigModification
$myModification1.Path = "configuration/system.webServer/httpProtocol/customHeaders"
$myModification1.Name = "add[@name='Access-Control-Allow-Origin'][@value='']"
$myModification1.Sequence = 0
$myModification1.Owner = "CrossSiteScripting"
#0 = for the enum value "SPWebConfigModification.SPWebConfigModificationType.EnsureChildNode"
$myModification1.Type = 0
$myModification1.Value = "<add name='Access-Control-Allow-Origin' value='' />"

$myModification1 = new-object Microsoft.SharePoint.Administration.SPWebConfigModification
$myModification1.Path = "configuration/system.webServer/httpProtocol/customHeaders"
$myModification1.Name = "add[@name='Access-Control-Request-Method'][@value='GET,POST,HEAD,OPTIONS']"
$myModification1.Sequence = 0
$myModification1.Owner = "CrossSiteScripting"
$myModification1.Type = 0
$myModification1.Value = "<add name='Access-Control-Request-Method' value='GET,POST,HEAD,OPTIONS' />"

$myModification1 = new-object Microsoft.SharePoint.Administration.SPWebConfigModification
$myModification1.Path = "configuration/system.webServer/httpProtocol/customHeaders"
$myModification1.Name = "add[@name='Access-Control-Request-Headers'][@value='Content-Type,Authorization']"
$myModification1.Sequence = 0
$myModification1.Owner = "CrossSiteScripting"
$myModification1.Type = 0
$myModification1.Value = "<add name='Access-Control-Request-Headers' value='Content-Type,Authorization' />"

$myModification1 = new-objectMicrosoft.SharePoint.Administration.SPWebConfigModification
$myModification1.Path = "configuration/system.webServer/httpProtocol/customHeaders"
$myModification1.Name = "add[@name='Access-Control-Allow-Credentials'][@value='true']"
$myModification1.Sequence = 0
$myModification1.Owner = "CrossSiteScripting"
$myModification1.Type = 0
$myModification1.Value = "<add name='Access-Control-Allow-Credentials' value='true' />"


#Wait until web.config modifications finished by timer job
while( (Get-SPTimerJob | ? { $_.Name -eq "job-webconfig-modification"}) -ne $null ) {
    Write-Host "." -NoNewline
    Start-Sleep 1

SharePoint 2013 People Picker error: “Sorry, we’re having trouble reaching the server.”

I have had a strange error today in my dev lab environment. First I recognized that I could not select users from the People Picker:


Sorry, we’re having trouble reaching the server.

Second I realized that I was not able to use any function that belongs to WCF web services such as the SharePoint REST API, e.g. at http(s)://<server>/_api/web.

Using Fiddler I found this behavior:


HTTP 404 NOT FOUND on /_vti_bin/client.svc/ProcessQuery

Same for /_vti_bin/client.svc/web which is the same as /_api/web.


Search the web I found some hints regarding this error in SharePoint. But nothing worked.

Than I created a own web service “service1.svc” with a simple method in it and placed it in folder <SP-Hive>\isapi where the virtual folder “_vti_bin” is located on the file system.

Result:  I could not call my own web service too. Same result: NOT FOUND.

Than I search the web for “WCF 404” and found some hints to “HTTP Activation” feature of Windows Server OS. Of course this was activated for .NET 3.5 and .NET 4.5.

So I deactivated the “HTTP Activation” feature of .NET 3.5 and .NET 4.5 and re-enabled one by one (1st .NET 3.5, 2nd .NET 4.5 ) them after deactivation.





After that I did a IISRESET. – Than everything works again as expected. 🙂




Client Side Encryption of List Item Fields for SharePoint 2013 (Demo Project)

Some days ago I found this JavaScript library for client side encryption using standard crypto algorithms. Everything done in the browser. Cool!


Stanford Javascript Crypto Library: – They say: “It uses the industry-standard AES algorithm at 128, 192 or 256 bits; the SHA256 hash function; the HMAC authentication code; the PBKDF2 password strengthener; and the CCM and OCB authenticated-encryption modes.”


Based on this I wanted to create a client side SharePoint List Item crypt module to encrypt (text) data in the users browser. So the data is stored in SharePoint encrypted. No one can read it without having the password.

Here is the code:

It’s a coding exercise, nothing more!!!! Read the limitations below and be sure: there are more limitations I do not know at the moment…


My solution is very simple: I created a Visual Web Part with Visual Studio 2012. This web part contains everything I need for encryption / decrpytion.

1. It contains the Standford Javascript Crypto Library.

2. It contains a copy of jQuery 1.10.1.

3. It contains a Base64 serialized image that is used to mark input fields as “encryption protected”.

4. Some custom javascript.

That’s it. Small footprint. – The web part needs to be placed on each list form (new / edit / display) and on each list view page. Everything else is done by the Web Part.



  • Client side data encryption.
  • Industry standard encryption. Theoretically possible to decrypt the data later outside of SharePoint using the correct password and some tools / libraries.
  • You can share the password with anyone who needs to decrypt the data. It’s not bound to your user account.


Limitations – be careful to read and understand them before using it in any way. – There are more limitations. The list is not complete!!!

  • First of all: It’s a single-person’n’quick-done demo project. Nothing for production use. – You could use your data! – I’m responsible for any problems.
  • Works only for text fields and multi line text fields without HTML formatting.
  • (Single line) text fields in SharePoint are limited to 255 characters length. The encrypted data is stored as Base64 in the field. So it’s not possible to encrypt 255 characters to the same amount of data: 255 bytes of plain text chars are much more that 255 bytes in encrypted state. SharePoint and my module does not handle this situation. (Because it’s a demo project not a product 😉 )
  • If you loose the password there is no way (other than “brute force”) to get your data back. There is no back door.
  • The data cannot be searched. – You should exclude the list from being crawled.
  • No way to change the password. – If this will be possible in the future than there will be no way to migrate already encrypted data. This is because it’s client side encryption. The server does never now the password. So it cannot migrate the data from the current version of the project to a new version.
  • No inline edit on list view pages!
  • No “decrypt” option to permanently remove encryption.

At all: The project is not perfect, in any way.


Here is a step-by-step guide of how to use it:

1. Create a site collection.

2. Add a custom list called “Crypted Data”.

3. Add a new multi line text column as “plain text”


4. Click “New item”. This is the default “New” form.


5. To add the crypto web part choose “Edit Page” from the site actions menu. Click “Add a Web Part”. Select category “Custom”, select web part “ikarstein’s List Item Crypt” and zone “Main”. Then click button “Add”.



6. Now you get a form section on the form asking for your password, because the password cache of your browser is empty.


7. After you enter the password and click the button “Set Password” you see lock icons behind the two text fields. These are added dynamically by the crypto web part.


8. Now you can add data as normal to the list item:


9. On saving the list item you will see the encrypted content for a short time. Before the encrypted and Base64 encoded data you see a prefix @@*[ – This I use to identify encrypted values.


10. After saving and back on the list view page you see this:


After adding the web part to the list view page you see this (automatically):


the values are decrypted using the browser cached password.

11. The same for edit form and display form. If you do not add the web part you will see the encrypted values. Like here:


After editing the form page you see the decrypted values:


The same for edit…


After you edit the web part you can edit the decrypted values and change them:


Some changes and saving it. This is the list view afterwards:


12. The inline edit mode does not work!!!



It’s very simple. Look at the code on CodePlex. Just one note: The web party loads its own jQuery version only if the page does not contain jQuery already.

SharePoint 2013 Design Packages: Import with PowerShell (Part 2 of 2)

Last Thursday I wrote about “Exporting SharePoint 2013 Design Packages with PowerShell”. Today I’d like to show you the import function. This functions can be used to handle with SharePoint 2013 Design Packages with PowerShell, e.g. in deployment scenarios. Therefore it should by very useful. (I hope so 😉 ) FEEDBACK WELCOME!!!

You can download the scripts here:

Here you can find the blog article about “Export-SPDesignPackage”:


The import function is called “Import-SPDesignPackage” and here are the details:


Here are some samples

#First sample

Import-SPDesignPackage -SiteUrl "http://sharepoint.local/publishing" -ImportFileName "C:\temp\publishing2.wsp" -PackageName "P2" -Apply $true

#Second sample

    @{ SiteUrl ="http://sharepoint.local/sites/publishing1";
       ImportFileName ="C:\temp\publishing1.wsp";
       PackageName ="P1";
    @{ SiteUrl ="http://sharepoint.local/sites/publishing2";
       ImportFileName ="C:\temp\publishing2.wsp";
       PackageName ="P2";
) | New-ObjectFromHashtable | Import-SPDesignPackage

The first sample shows you how to import one design package to a dedicated site. By using the “Apply” parameter the design package will be applied to the site immediately.

The second sample shows you hot to import two different packages to two different site collections. In the sample I use a hashtable for input parameters. They are assigned to the function parameters by “property name binding”. See “”: Section “ValueFromPipelineByPropertyName”:

For example, if the function has a ComputerName parameter, and the 
piped object has a ComputerName property, the value of the ComputerName
property is assigned to the ComputerName parameter of the function.

The following example declares a ComputerName parameter that is 
mandatory and accepts input from the ComputerName property of the 
object that is passed to the function through the pipeline.

Some more details about that. Skip it if you are not interested…




This “property name binding” does not work with hashtables. Therefore I created a helper function “New-ObjectFromHashtable” that creates a PowerShell object (“PSObject”). This function is generic. (It’s also included in the script files.)


On the one hand with “new-object System.Management.Automation.PSObject” you can create a new “empty” PowerShell object that can be used in your script as every other object, e.g. a SharePoint object like an instance of class SPSite. With cmdlet “Add-Member” you can add new members to the object. – On the other hand you have a hashtable with named values. You can access the collection of names = keys and with each key you can access the value. – Let’s combine it: You can iterate through the keys collection and create a new member in an empty PSObject instance.


functionNew-ObjectFromHashtable {
    #written by Ingo Karstein ( v1.0#Use this function to convert a hashtable to a PowerShell object ("PSObject"), e.g. for using hashtables for property name binding in# PowerShell pipelines
        [parameter(Mandatory=$true, Position=1, ValueFromPipeline=$true)]

    begin {
        $results= @()

    process {
        $r=new-objectSystem.Management.Automation.PSObject$Hashtable.Keys | % {
            $r | Add-Member-MemberTypeNoteProperty-Name$key-Value$value-Force


    end {


The resulting object can be passed to each “property name binding” enabled cmdlet. – The PowerShell engine tries to match input object property names and cmdlet parameter names. If there is a match the input object property value gets assigned to the cmdlets input parameter.


The cmdlet can also convert a list of hashtables to a list of objects. That is used in the “Import-SPDesignPackage” script.




Parameter Name Parameter Set Name Mandatory? Position Description
SiteUrl Default Yes 0 Site Url for import
Site Site Yes 0 SPSite object for import
ImportFileName DefaultSite Yes 1 Filename and path of the design package for import
Apply DefaultSite Yes 2 $true = Apply the design package after import$false = Only install the design package for later activation
PackageName DefaultSite No 3 Package name. If not specified it uses the file name without extension. The package name will be used for naming the imported file in the solution gallery of the site collection
MajorVersion DefaultSite No Version number of the design package. If not specified it uses “1” for the major version.
MinorVersion DefaultSite No Version number of the design package. If not specified it uses “0” for the minor version.


The function returns an object for each processed (or not processed) site collection:


Object Property Description
SiteUrl Url of the processed site
Success $true = Import and “Apply” (if specified) was successful
InputFileFound $true = File found$false = File not found
InputFileExtensionValid $true = Input file has extension “.wsp”$false = Input file hat not extension “.wsp”
SiteFound $true = The specified site was found
SolutionFileName The name of the solution is auto generated from package name or file name and major and minor version number. This is the name of the package in the site collections solution gallery.
PackageAlreadyExsits $true = the solution does already exist in the solution gallery.

Some additions

The import process requires the package to be stored inside the site collection before the the last input step. Therefore the function creates a folder named “tmp_importspdesignpackage_15494B80-89A0-44FF-BA6C-208CB6A053D0” in the site collections root web root folder. In this folder the package gets uploaded. From the location the package is imported. The folder will be deleted after successful or not failed import.

SharePoint 2013 Design Packages: Export with PowerShell (Part 1 of 2)

Last night I search for “export import sharepoint 2013 design packages powershell”. No luck there. – So I created two functions for this purpose. It works nicely 🙂

The functions only use public methods of the SharePoint (Server) Object Model. No reflection, et cetera. The most important class in this context is “Microsoft.SharePoint.Publishing.DesignPackage”. It has two methods: Export and Install. This I used to create to PowerShell functions: Export-SPDesignPackage and Import-SPDesignPackage. Both are able to work in PowerShell pipeline context. This gives you the possibility to export a bunch of Design Packages from several sites using PowerShell.

You can download the scripts here:

You can use the scripts as PowerShell modules or by copying the content to your own PowerShell script files. But please be careful: By now it’s only tested in my dev environment!!

The scripts use the SharePoint Server Object Model. So they have to be executed on a SharePoint farm server! You also need an priviledged account that has rights to export (or import) SharePoint Design Packages.

Today I’ll describe the export function. Tomorrow or the day after tomorrow I’ll publish a description of the import function. Here is the import part:


Here are some samples:



#First Sample


$cred=new-objectSystem.Management.Automation.PSCredential( "domain\spfarm", (ConvertTo-SecureString-AsPlainText"Passw0rd"-Force))

$site1, $site2 | Export-SPDesignPackage -UseTempFileForExportWithExtension ".wsp" -DownloadCredentials $cred -PackageName "test"#Second Sample


$site1, $site2 | Export-SPDesignPackage -ExportFileName "C:\temp\Package.wsp" -UseExportFileNumbering -IncludeSearchConfig -DisposeSiteObject -OverwriteExistingFiles

#Third Sample


    @{PackageName="P1"; ExportFileName="C:\temp\p1.wsp"; SiteUrl="http://sharepoint.local/publishing"},
    @{PackageName="P2"; ExportFileName="C:\temp\p2.wsp"; SiteUrl="http://sharepoint.local/sites/publishing2"}
) | New-ObjectFromHashtable | Export-SPDesignPackage


#Fourth Sample


$site2 | Export-SPDesignPackage -ExportFileName "C:\temp\publishing2.wsp"  -IncludeSearchConfig -DisposeSiteObject -OverwriteExistingFiles

The first sample uses two SPSite objects as (pipeline) input and tells the function to export the design packages to temp files with auto generated names. For the download of the packages from the sites you can specify “download credentials”.

The second sample exports the same two SPSites. The export file name is specified. By using “UseExportFileNumbering” a number is inserted into the file name like this: “c:\temp\package-1.wsp”. So both export packages have different file names.

The third sample exports two sites  with individual export settings for each site. This is possible by “parameter binding by property name” where PowerShell binds the input object’s property to the function / cmdlet input parameters by name matching. But this does not work with hashtables. Therefore I created a helper function “New-ObjectFromHashtable” that creates a PowerShell object (“PSObject”). This function is generic. (It’s also included in the script files.)

The fourth sample exports just one site.


The function has the following parameters. All can be bound by “parameter binding by property name”!

Parameter Name Parameter Set Name Mandatory? Position Description
SiteUrl Default Yes 0 Url of Site Collection as System.String
Site Site Yes 0 SPSite-object
ExportFileName Default


No 1 Name for the exported file in the file system. The folder must exist!

Cannot be used together with “ExportFolder” and “UseTempFileForExportWithExtension”!

ExportFolder Default


No 1 Name of the folder for the exported design packages. The file name will be created through the SharePoint Server Object Model.

Cannot be used together with “ExportFileName” and “UseTempFileForExportWithExtension”!

UseTempFileForExportWithExtension Default


No 1 When specified the function will create a file name automatically by using "System.IO.Path.GetTempFileName()”. But it adds the extension you specify here. You should use “.wsp” by default.
PackageName Default


No 2 Name of the export package. This is not a file name but an internal name that is used inside the design package. This is optional. The Object Model can handle it for you.
IncludeSearchConfig Default


No 3
DisposeSiteObject Site No If you use SPSite objects as input you can specify whether the function should dispose it or not. Default: TRUE = “Please dispose it for me”!
DownloadCredentials Default


No You can specify credentials for the download of the generated package. The package is stored in the the solution gallery of the site collection. It’s downloaded by the function by using System.Net.WebClient with “DefaultNetworkCredentials” if no credentials are specified.
OverwriteExistingFiles Default


No If specified it overwrites the export file if it exists. If not specified it skips the export. But in the case nevertheless the design package will be created .
UseExportFileNumbering Default


No If you use “ExportFileName” you can specify this parameter to insert numbers into the given file name as described above.


The function returns an object for each processed (or not processed) site collection:


This objects can be used in pipelines or … as you like.

Object Property Description
Site Url Url of the processed site
Success TRUE = Export successful, export file created.
SiteFound The site collection was found
ExportError $null = OK

System.Exception = Error occurred

PackageFileName Name of the Package created by the Object Model
PackageName Name of the Package created by you OR the Object Model
PackageMajorVersion …created by Object Model during export
PackageMinorVersion …created by Object Model during export
ExportFileOverridden If “TRUE” the export file did exist but was overridden during export. If “OverwriteExistingFiles” parameter was NOT specified this property will always be FALSE.
DownloadError $null = OK

System.Exception = Error during download


Some Additions

The design package will be stored in the solution gallery of the site collection that can be found here: <site-collection-url>/_catalogs/solutions. It’s the same location as for the sandboxed solutions. It interesting: sandboxed solutions are deprecated but in this case they use at least the same storage for a new functionality.

After the package is created you can download it from the solution gallery. No big deal.

Create Provider Hosted High Trust App for SharePoint 2013 (Short Guide)

About this topic there are several guides. I can’t say that I have to add anything new 😉 But… as always… this blog is a kind of notebook for me. So I post this small guide.

1. You need to have or create a certificate that is used as “security token issuer”. This certificate can be created using IIS Manager or any other tool.

I use “XCA” ( With that tool you can create your own Certification Authority. (Of course you can use the Windows Server Certification Authority.) – I use XCA because it’s easy to manage this kind of certificates there and I use the certificates on several dev machines.

If you do so too you need to create a root certificate for your Certification Authority and install it in the “Trusted Root Certification Authrities” of your Local Computer (not only your personal cert store).


2. The first step is to register (or create) the certificate within IIS Manager:

Right click on the server node and choose “Server Certificates”.


Use “Import” to apply an existing certificate. Or use “Create Self-Signed Certificate” to create a new certificate.


This are the steps to create a new self-signed certificate:


After commit (“OK”) you need to export the certificate with private key and a second time without private key.









3. Open Visual Studio 2012. Create a new project:




For “Issuer ID” you need to create a GUID using Visual Studio or PowerShell. Here is the PowerShell way:

Start PowerShell.





Copy to output into the dialog in Visual Studio 2012.


4. Open a Windows PowerShell ISE, create a new PowerShell script file and copy the following code to it. Most of the code comes from here: With some additions from Steve Peschka’s Blog articles: and


$publicCertPath = "C:\root\High_Trust_App_1.cer"

#$issuerId = [System.Guid]::NewGuid().ToString()
$issuerId = ([Guid]"4729b8e2-073a-47f0-8538-105ec865f3d2").ToString()

$spurl ="http://sharepoint.local"

$spweb = Get-SPWeb $spurl

$sc = Get-SPServiceContext $

$realm = Get-SPAuthenticationRealm -ServiceContext $sc

$certificate = Get-PfxCertificate $publicCertPath

$fullIssuerIdentifier = $issuerId + '@' + $realm

New-SPTrustedSecurityTokenIssuer -Name $issuerId -Certificate $certificate -RegisteredIssuerName $fullIssuerIdentifier –IsTrustBroker


write-host "Full Issuer ID: " -nonewline
write-host $fullIssuerIdentifier -ForegroundColor Red
write-host "Issuer ID for web.config: " -nonewline
write-host $issuerId -ForegroundColor Red

#Disable OAuth HTTPS requirement FOR DEV!!

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true

New-SPTrustedRootAuthority -Name "$($certificate.Subject)_$($certificate.Thumbprint)" -Certificate $certificate 

Be sure to change any parameter that does not fit your environment. After that the script should look like this:



The following script lines are needed in order to get it working using a SharePoint site without SSL!!

$serviceConfig = Get-SPSecurityTokenServiceConfig

$serviceConfig.AllowOAuthOverHttp = $true


If you use SSL (e.g. https://sharepoint.local) you can skip this.

No other steps are required. I’ve tested this several times with always fresh SP 2013 environments because I had some difficulties to get this set up.

5. At this point I have not changed anything in Visual Studio after creating the project(s) (there are two) through the wizard.

Check the “web.config” file in you web project.


There you find the issuer ID again.

6. Now run the project. You need to trust the app.




Short Note About Error While Creating Search Service Application for SharePoint 2013 by PowerShell: “Value cannot be null. Parameter name: indexLocation”

Today I got an error while creating a Search Service Application for SharePoint 2013:

PS C:\> $SearchSA = New-SPEnterpriseSearchServiceApplication –Name “Enterprise Search Service Application” –ApplicationPool “Search App Pool” –DatabaseName “Search”

New-SPEnterpriseSearchServiceApplication : Value cannot be null.
Parameter name: indexLocation

To resolve this I just started the Search Service Instance on each (search) server in the farm and set it’s “DefaultIndexLocation” property.

After that I could create the Search Service App.

PS snippet:

"SearchServer1", "SearchServer2" | % {
    $svcInst = (Get-SPServer -Identity $_).serviceinstances | ? { $_.GetType().FullName -eq "Microsoft.Office.Server.Search.Administration.SearchServiceInstance" }
    $svcInst.DefaultIndexLocation = $defaultIndexLocation

This did it.