Create Self Signed Certificate with PowerShell on Windows Server 2012 R2.

A little bit outdated, I know.

But customers do not always run the latest server versions.

Today a customer asked me how to create a self-signed SSL certificate with "subject alternative names" (SAN) using PowerShell on Windows Server 2012 R2.

On this server OS the default cmdlet "New-SelfSignedCertificate" has far fewer parameters than on later versions (essentially only -DnsName and -CertStoreLocation), so you cannot set the key length, the validity period, the EKU or IP-address SAN entries.

The customer found a script, but it did not offer SAN. I found another one (in German) that provided the missing part…

Sources:

https://docs.microsoft.com/en-us/archive/blogs/vishalagarwal/generating-a-certificate-self-signed-using-powershell-and-certenroll-interfaces

https://www.symplasson.de/it-blog/san-erweiterung-csr-windows-ca

I assembled both scripts. Here is the result.

# script assembled from these sources
#  - https://docs.microsoft.com/en-us/archive/blogs/vishalagarwal/generating-a-certificate-self-signed-using-powershell-and-certenroll-interfaces
#  - https://www.symplasson.de/it-blog/san-erweiterung-csr-windows-ca
# …by Ingo Karstein ( ik a.t. kenaro.com)
#
# Useful e.g. on Windows Server 2012 R2 because the cmdlet New-SelfSignedCertificate offers less functionality there.
#
# The SSL cert is written to cert store "My" of "LocalMachine". Run in an elevated PowerShell.

# Subject as X.500 distinguished name (0 = XCN_CERT_NAME_STR_NONE)
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=srv", 0)

# Private key: 4096-bit RSA in the SChannel provider, machine context.
# KeySpec 1 = AT_KEYEXCHANGE (what TLS needs). The key is NOT exportable
# (ExportPolicy defaults to 0); set $key.ExportPolicy = 1 before Create() if you need a PFX later.
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 4096
# Key ACL (SDDL): full control for SYSTEM and Administrators, read access for NETWORK SERVICE (IIS)
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()

# Enhanced Key Usage: Server Authentication only
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")

# Subject Alternative Names: DNS names and IP addresses
$AlternativeNames = @("srv", "localhost")
$AlternativeIPs   = @("127.0.0.1", "::1")

$SAN  = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
$IANs = New-Object -ComObject X509Enrollment.CAlternativeNames

foreach ($SANstr in $AlternativeNames)
{
    # 0x3 = XCN_CERT_ALT_NAME_DNS_NAME
    $IAN = New-Object -ComObject X509Enrollment.CAlternativeName
    $IAN.InitializeFromString(0x3, $SANstr)
    $IANs.Add($IAN)
}

foreach ($SANstr in $AlternativeIPs)
{
    # Some older clients compare the IP against DNS-name entries, so add it as a string as well ...
    $IAN = New-Object -ComObject X509Enrollment.CAlternativeName
    $IAN.InitializeFromString(0x3, $SANstr)
    $IANs.Add($IAN)
    # ... and as a real iPAddress entry: 8 = XCN_CERT_ALT_NAME_IP_ADDRESS,
    # 0x1 = XCN_CRYPT_STRING_BASE64 (raw address bytes, base64 encoded)
    $IAI = New-Object -ComObject X509Enrollment.CAlternativeName
    $IAI.InitializeFromRawData(8, 0x1,
        [Convert]::ToBase64String(([System.Net.IPAddress] $SANstr).GetAddressBytes()))
    $IANs.Add($IAI)
}

$SAN.InitializeEncode($IANs)

$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)

$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

# Self-signed certificate request; 2 = ContextMachine
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = (get-date).AddDays(-1)
# 50 years is convenient for a lab box. For anything real clients connect to, use a much
# shorter validity: many TLS clients reject certificates that are valid for more than 825 days.
$cert.NotAfter = $cert.NotBefore.AddYears(50)
$cert.X509Extensions.Add($ekuext)
$cert.X509Extensions.Add($SAN)
$cert.Encode()

# Enroll: CreateRequest(0) returns the certificate as base64 with header,
# InstallResponse(2 = AllowUntrustedCertificate) installs it into LocalMachine\My
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)

$certdata = $enrollment.CreateRequest(0)

$enrollment.InstallResponse(2, $certdata, 0, "")
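Before binding the certificate to a site it is worth reading it back from the store and checking the things the script is supposed to have produced. The following snippet is an added verification example, not part of the original script; it assumes the subject "CN=srv" from the script above.

```powershell
# Added example (not part of the original script): read the newly created certificate
# back from LocalMachine\My and check SAN, EKU, key length, validity and trust.
$subject = "CN=srv"   # subject used in the script above; adjust if you changed it

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with subject '$subject' found in LocalMachine\My" }

"Thumbprint : $($cert.Thumbprint)"
"Key length : $($cert.PublicKey.Key.KeySize) bit"
"Valid      : $($cert.NotBefore) .. $($cert.NotAfter)"
"Private key: $($cert.HasPrivateKey)"

# Subject Alternative Name is OID 2.5.29.17, Enhanced Key Usage is OID 2.5.29.37
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
"SAN        : " + $(if ($san) { $san.Format($false) } else { "<missing>" })
"EKU        : " + $(if ($eku) { $eku.Format($false) } else { "<missing>" })

# Things to flag before this certificate goes anywhere near a real client
$warnings = @()
if (-not $san) {
    $warnings += "No SAN extension: modern browsers ignore the CN and will not match the host name."
}
if ($cert.NotAfter -gt (Get-Date).AddDays(825)) {
    $warnings += "Validity longer than 825 days: some TLS clients reject such certificates."
}
if ($cert.PublicKey.Key.KeySize -lt 2048) {
    $warnings += "RSA key shorter than 2048 bit."
}
if (-not $cert.Verify()) {
    $warnings += "Chain does not verify on this machine: the self-signed issuer is not in a trusted root store."
}
$warnings | ForEach-Object { Write-Warning $_ }
```

The last warning is expected for a self-signed certificate. Clients (and the server itself, if it calls its own services) will only trust it after the public part has been imported into their trusted root store; do not "solve" it by disabling certificate validation in the client code.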

SharePoint On-Prem Search Service Error: “Access Denied”

I got this error:

Search Service Application: Crawl Log – Error Breakdown

Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository. If the repository being crawled is a SharePoint repository, verify that the account you are using has “Full Read” permissions on the SharePoint Web Application being crawled.

…but the “default content access account” already had “Full Read” permission on the web application.

  1. Check "DisableLoopbackCheck" in the Windows registry on the SharePoint server. Note that setting it to 1 switches the loopback check off for every host name; prefer the next item.
  2. Or check "BackConnectionHostNames" in the Windows registry on the SharePoint server and list the web application's host names there. This exempts only those names and keeps the loopback check active for everything else.
  3. Check the content source setting: is the web application URL the one defined as "Default Zone" in the Alternate Access Mappings of the web application?
  4. Check the authentication provider for the web application: SharePoint Search crawls with Windows Integrated Authentication. The "default zone" must be configured with "Windows Integrated Authentication", not "Basic Auth"!

Maybe the server requires a reboot after changing the configuration.
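The two registry settings from items 1 and 2 are easy to mix up, and the global one is the one people usually reach for. The following snippet is an added example (not from the original post) that reports both settings and adds host names to BackConnectionHostNames, the scoped variant, instead of disabling the check. The host names are placeholders; use the host names of the web application's default zone.

```powershell
# Added example (not from the original post): inspect DisableLoopbackCheck and
# BackConnectionHostNames, then add host names to the scoped list instead of
# disabling the loopback check for the whole server. Run elevated.
$hostNames = @("intranet.contoso.local", "sp-srv01")   # assumed; default-zone host names

$lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$msv = "$lsa\MSV1_0"

# 1. Global switch: 1 disables the loopback check for every host name (weakens the server)
$disable = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
"DisableLoopbackCheck    = $(if ($null -eq $disable) { '<not set>' } else { $disable })"

# 2. Scoped list (REG_MULTI_SZ): only these names may authenticate via loopback
$existing = @((Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames |
              Where-Object { $_ })
"BackConnectionHostNames = $(if ($existing) { $existing -join ', ' } else { '<not set>' })"

$merged = @(($existing + $hostNames) | Where-Object { $_ } | Sort-Object -Unique)
if ($merged.Count -ne $existing.Count) {
    # -Type MultiString keeps the value a REG_MULTI_SZ; the value is created if it does not exist
    Set-ItemProperty -Path $msv -Name BackConnectionHostNames -Value $merged -Type MultiString
    "Updated BackConnectionHostNames: $($merged -join ', ')"
    "Run iisreset (or reboot) for the change to take effect."
} else {
    "All host names already listed; nothing changed."
}
```

If DisableLoopbackCheck is already set to 1 on the box, the scoped list is not evaluated; remove the global switch once the host names are listed so the protection is back for every other name.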

SharePoint Error: Metadata backend service request ExpectedFailure: Metadata backend service request failed in a authorized access exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: AccessDeniedEx:The current user has insufficient permissions to perform this operation.

I got the following error:

Exception returned from back end service. System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: AccessDeniedEx:The current user has insufficient permissions to perform this operation. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: AccessDeniedEx:The current user has insufficient permissions to perform this operation.
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplication.CheckPermission(SPIisWebServiceApplicationRights requiredPermissions)
at Microsoft.SharePoint.Taxonomy.TaxonomyDatabaseMapper.GetTermSetWithAllTerms(Guid rawPartitionId, Guid termSetGuid, Boolean includeDeprecated, Boolean limitMembership)
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplication.GetTermSetWithAllTerms(Guid rawPartitionId, Guid termSetGuid, Boolean includeDeprecated, Boolean limitMembership)
at SyncInvokeGetTermSetWithAllTerms(Object , Object[] , Object[] )
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
at System.ServiceModel.Dispatche…).

Metadata backend service request ExpectedFailure: Metadata backend service request failed in a authorized access exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: AccessDeniedEx:The current user has insufficient permissions to perform this operation. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: AccessDeniedEx:The current user has insufficient permissions to perform this operation.
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplication.CheckPermission(SPIisWebServiceApplicationRights requiredPermissions)
at Microsoft.SharePoint.Taxonomy.TaxonomyDatabaseMapper.GetTermSetWithAllTerms(Guid rawPartitionId, Guid termSetGuid, Boolean includeDeprecated, Boolean limitMembership)
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplication.GetTermSetWithAllTerms(Guid rawPartitionId, Guid termSetGuid, Boolean includeDeprecated, Boolean limitMembership)
at SyncInvokeGetTermSetWithAllTerms(Object , Object[] , Object[] )
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
at System.ServiceModel.Dispatche…).

Solution

If your Search Service Application runs under a different account than the farm account, you need to grant that account "Full Control" permission on the Managed Metadata Service Application (Central Administration, Manage service applications, select the Managed Metadata Service, then "Permissions")! Grant it to the search service account only, not to "Everyone".
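Doing the same from the SharePoint Management Shell makes the change repeatable across farms and shows exactly which account got which right. This is an added example, not from the original post; the account name, the display name of the service application and the name of the right are placeholders, and the script prints the rights the application actually defines so the name can be checked before it is granted.

```powershell
# Added example (not from the original post): grant the search service account access to
# the Managed Metadata Service application. Names below are assumptions; adjust them.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account = "CONTOSO\sp-search"          # assumed: account the Search Service Application runs under
$mmsName = "Managed Metadata Service"   # assumed: display name of the MMS application

$app = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $mmsName }
if (-not $app) { throw "Service application '$mmsName' not found" }

# Connection permissions (the "Permissions" button in Central Administration), not the administrators list
$security = Get-SPServiceApplicationSecurity -Identity $app
"Rights defined by this application:"
$security.NamedAccessRights | ForEach-Object { "  $($_.Name)" }
"Current grants:"
$security.AccessRules | ForEach-Object { "  $($_.Name): $($_.AllowedRights)" }

# Name of the right as printed above; assumed here, verify it against the list for your version
$rightName = "Full Access to Term Store"

$principal = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
Grant-SPObjectSecurity -Identity $security -Principal $principal -Rights $rightName
Set-SPServiceApplicationSecurity -Identity $app -ObjectSecurity $security

# Read back: only the one account should have been added
(Get-SPServiceApplicationSecurity -Identity $app).AccessRules |
    Where-Object { $_.Name -like "*$($account.Split('\')[-1])*" } |
    ForEach-Object { "Granted: $($_.Name) -> $($_.AllowedRights)" }
```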

SharePoint: Error in ULS and Windows Event Log: Unknown SQL Exception 241 occurred. Additional error information from SQL Server is included below.

Today I did some SharePoint 2016 => 2019 migration tests for a customer.

I set up the new farm weeks ago, but today I saw the following error for the first time in the SharePoint ULS and Windows Event Log:

Entering Monitored Scope (Storage Metrics processing timer job). Parent=Timer Job job-storage-metrics-processing

System.Data.SqlClient.SqlException (0x80131904): Error converting a character string to a date and/or time. (German original: "Fehler beim Konvertieren einer Zeichenfolge in ein Datum und/oder eine Uhrzeit."; the English SQL Server text for error 241 is "Conversion failed when converting date and/or time from character string.")
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption, Boolean shouldCacheForAlwaysEncrypted)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
at Microsoft.SharePoint.Utilities.SqlSession.ExecuteNonQuery(SqlCommand command, SqlInfoMessageEventHandler handler)
ClientConnectionId:c66450bf-adc7-4fc4-bbcd-e9e2c050a75a Error Number:241,State:1,Class:16

Unknown SQL Exception 241 occurred. Additional error information from SQL Server is included below. Error converting a character string to a date and/or time.

It happens during execution of the SharePoint timer job "Storage Metrics Processing" (technical name: "job-storage-metrics-processing").

In the "job history" in Central Administration I could see the affected database. It was one of the migrated databases I had mounted to the new SP farm before.

Fix

After two hours I found the cause:

In SQL Server the login for the new farm account "sp-farm-new" was set to DEFAULT LANGUAGE = GERMAN.

The default language of a login sets the session's DATEFORMAT (German = dmy, us_english = mdy). A date string in US order, which is what the timer job's SQL expects, then no longer converts, and that is exactly what error 241 reports.

I changed the DEFAULT LANGUAGE of all accounts to "ENGLISH" and the error was gone.

I checked all SP service accounts of the old farm: they are all set to DEFAULT LANGUAGE = ENGLISH.
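To see the effect and to find other logins with the same problem before the next timer job trips over it, the following added example (not from the original post) runs the check through Invoke-Sqlcmd from the SqlServer module. Instance name and login names are placeholders.

```powershell
# Added example (not from the original post): demonstrate the DATEFORMAT effect, list every
# login whose default language is not us_english, and fix the SharePoint service accounts.
# Instance and login names are assumptions; requires the SqlServer module (Invoke-Sqlcmd).
$instance = "SQL01\SHAREPOINT"                                   # assumed
$logins   = @("CONTOSO\sp-farm-new", "CONTOSO\sp-search-new")   # assumed

# 1. Same US-style literal under both languages: converts under us_english (mdy),
#    returns NULL under German (dmy). Without TRY_ this is exactly error 241.
foreach ($lang in @("us_english", "German")) {
    $demo = @"
SET LANGUAGE $lang;
SELECT @@LANGUAGE AS [language], TRY_CONVERT(datetime, '12/31/2020') AS converted;
"@
    Invoke-Sqlcmd -ServerInstance $instance -Query $demo | Format-Table -AutoSize
}

# 2. Which logins deviate? S = SQL login, U = Windows login, G = Windows group
$report = @"
SELECT name, type_desc, default_language_name
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G') AND default_language_name <> 'us_english'
ORDER BY name;
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $report | Format-Table -AutoSize

# 3. Fix the SharePoint accounts. The login name is bracket-quoted and ']' is
#    escaped as ']]' so the name cannot break out of the identifier.
foreach ($login in $logins) {
    $quoted = "[" + $login.Replace("]", "]]") + "]"
    Invoke-Sqlcmd -ServerInstance $instance -Query "ALTER LOGIN $quoted WITH DEFAULT_LANGUAGE = us_english;"
    "Set default language of $login to us_english"
}
```

ALTER LOGIN needs ALTER ANY LOGIN on the instance, so run it as the SQL administrator, not as the farm account. Existing connections keep their old session language until they reconnect; SharePoint's connection pool may therefore hold on to German sessions until the timer service or IIS is restarted.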

Set URL for “New Tab” in Microsoft Edge

In Microsoft Edge the default behaviour of "new tab" is to open a customizable page with Microsoft Bing and other content. The content can be disabled, but there is no setting in the UI to replace the "new tab" page completely; only the NewTabPageLocation policy does that.

Here is a PowerShell snippet to set the policy, tested on Windows Server 2019. It does not work on Windows 10 Pro 20H2 / MS Edge 88.

# Machine-wide Edge policy key (applies to all users); needs an elevated PowerShell
$edgePolicy = "HKLM:\Software\Policies\Microsoft\Edge"
$newTabUrl  = "https://google.de"

if( (get-item $edgePolicy -ea Ignore) -eq $null) {
    New-Item $edgePolicy
}

# Create the value if it is missing, otherwise overwrite it
if( (Get-ItemProperty -Path $edgePolicy -Name NewTabPageLocation -ea 0) -eq $null ) {
    New-ItemProperty -Path $edgePolicy -Name NewTabPageLocation -PropertyType String -Value $newTabUrl
} else {
    Set-ItemProperty -Path $edgePolicy -Name NewTabPageLocation -Value $newTabUrl
}

# Read back; Edge shows the effective policies on edge://policy
Get-ItemProperty -Path $edgePolicy -Name NewTabPageLocation

Update…

It does not work on a machine that is not domain joined. 🙁

Here I found a possible solution for Windows 10:

Fix PowerShell Error: “The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.”

Just as a reminder.

When getting this error:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

…the usual cause with Windows PowerShell is that the client does not offer TLS 1.2 while the server no longer accepts anything older. Put this line into your PowerShell script before the web request:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
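If the error persists after that, the problem is not the protocol but the server certificate: the client does not trust it. The following added diagnostic (not from the original post) tries the request with TLS 1.2 enabled and, if it still fails, shows which certificate the server presented, so the decision to trust it can be made explicitly instead of by disabling validation. The URL is a placeholder.

```powershell
# Added example (not from the original post): request with TLS 1.2 and, on failure, show
# the certificate the server presented. $url is an assumption; replace it with yours.
$url = "https://srv.contoso.local/"

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate, but only so we can read it;
        # nothing is sent over this connection.
        $ssl = New-Object Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null, [Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally {
        $client.Close()
    }
}

try {
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing
    "OK: HTTP $($response.StatusCode)"
} catch {
    Write-Warning $_.Exception.Message
    $uri  = [Uri]$url
    $cert = Get-RemoteCertificate -HostName $uri.Host -Port $uri.Port
    "Subject   : $($cert.Subject)"
    "Issuer    : $($cert.Issuer)"
    "Thumbprint: $($cert.Thumbprint)"
    "Valid     : $($cert.NotBefore) .. $($cert.NotAfter)"
    "Trusted   : $($cert.Verify())"
    # If this is your own self-signed or internal-CA certificate, import the issuer's public
    # certificate into Cert:\LocalMachine\Root on the client. Do not set
    # ServerCertificateValidationCallback to { $true } in scripts to make the error go away.
}
```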

Auto Update VISUAL STUDIO 2019/2017 on Windows

I have some development machines with Visual Studio 2017 and/or 2019 installed. Too many to install updates on by hand all the time.

For a long time I was looking for a solution for this, but I did not find one. Supposedly the automatic update of Visual Studio is not possible.

In the end… I have found a way.

In a nutshell:

  1. Download the latest Visual Studio Installer (bootstrapper) for the respective version.
  2. Install the VS Installer update.
  3. Use the VS Installer to run the Visual Studio update.

Look at this:

https://github.com/ikarstein/auto-update-vs
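The three steps for one machine, as an added example that is neither from the original post nor the contents of the linked repository. The aka.ms bootstrapper URLs, vswhere.exe and the "update" command of vs_installer.exe are as documented by Microsoft; the "--update" switch used in step 2 to refresh the installer itself is taken from the same documentation and should be verified for your version. Edition and paths are placeholders.

```powershell
# Added example (not from the original post, not the linked repository): update the
# Visual Studio Installer and then every installed instance of one major version.
# Run elevated, with Visual Studio closed. Edition/major version are assumptions.
$edition   = "community"     # community | professional | enterprise
$major     = 16              # 16 = Visual Studio 2019, 15 = Visual Studio 2017
$bootstrap = Join-Path $env:TEMP "vs_$edition.exe"
$installer = "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer"

# 1. Download the current bootstrapper for this version and edition
Invoke-WebRequest -Uri "https://aka.ms/vs/$major/release/vs_$edition.exe" -OutFile $bootstrap

# 2. Let the bootstrapper update the Visual Studio Installer itself
#    ("--update" as documented for the bootstrapper; verify for your version)
Start-Process -FilePath $bootstrap -ArgumentList "--update --quiet --wait" -Wait -NoNewWindow

# 3. Find all instances of that major version and run the installer's update command on each
$instances = & "$installer\vswhere.exe" -all -prerelease -products * `
                -version "[$major.0,$($major + 1).0)" -format json | ConvertFrom-Json
foreach ($inst in $instances) {
    "Updating $($inst.displayName) at $($inst.installationPath) (currently $($inst.installationVersion))"
    $p = Start-Process -FilePath "$installer\vs_installer.exe" `
            -ArgumentList @("update", "--installPath", "`"$($inst.installationPath)`"", "--quiet", "--norestart") `
            -Wait -PassThru -NoNewWindow
    "Exit code: $($p.ExitCode)   (0 = done, 3010 = done but reboot required)"
}
```

Check the exit code of each run; a non-zero code other than 3010 means the instance was not updated and the installer log under %TEMP% has the reason.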

Original “PS2EXE” migrated from MS Technet Gallery to Github

This is more "for the record" than it makes real sense. But why not? For a few years "PS2EXE" was hosted on the TechNet Gallery and has over 90,000 downloads to date. That is super great. Meanwhile there is also a successor, which I didn't develop, but it seems to be alive. That makes me happy, even if a bit wistful, because I didn't manage to stay on the ball with this little project.

So here is the link: https://github.com/ikarstein/ps2exe

SharePoint 2013 Error: An error occurred during the compilation of the requested file, or one of its dependencies.

I have had this exception on SharePoint 2013 pages on several servers after they had been running for one or two days:

“An error occurred during the compilation of the requested file, or one of its dependencies.”

In the Windows Event Log -> Application I found this error:

[screenshot sperror20161108-1: the error in the Windows Event Log]

There are two possible reasons (maybe there are more 😉 ):

    1. .NET Framework 4.6.x was installed but was removed in order to "fix" the SharePoint 2013 setup failure message (the RTM setup blocks on 4.6.x).

      In this case you need to re-install .NET Framework 4.6.x after SharePoint 2013 setup. SharePoint 2013 is fully supported with 4.6.x!

    2. If the server is under heavy load and lots of processes are started in the Windows OS, the "Desktop Heap" can run out of memory.

      In this case you need to increase the Desktop Heap size of the "non-interactive Windows desktop" (the third value of SharedSection, in KB).

      1. Open the Windows registry and navigate to HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
      2. Open the value "Windows"
      3. Copy the complete content …
      4. … into Notepad
      5. Change the 3rd value of the "SharedSection" part to 20480.
      6. Copy the whole string back into the registry value "Windows"
      7. Reboot your server

      [screenshot sperror20161108-2: the edited SharedSection value]

      This will increase the Desktop Heap to 20 MB for the non-interactive desktops.
      Links:

      https://blogs.msdn.microsoft.com/winsdk/2015/06/03/what-is-up-with-the-application-failed-to-initialize-properly-0xc0000142-error/
      https://support.microsoft.com/en-us/kb/126962
      https://blogs.msdn.microsoft.com/ntdebugging/2007/01/04/desktop-heap-overview/
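Editing that long string by hand in Notepad is where mistakes happen (the value is a REG_EXPAND_SZ, and a typo in any other token keeps csrss.exe from starting). The following added example (not from the original post) does the seven steps safely: it reads the value unexpanded, changes only the third SharedSection number, keeps a backup and writes it back with the correct type.

```powershell
# Added example (not from the original post): raise the non-interactive desktop heap
# (3rd SharedSection value, in KB) without touching the rest of the "Windows" value.
# Run elevated; a reboot is required afterwards.
$key   = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
$newKB = 20480   # 20 MB, as in the post

# Get-ItemProperty would expand %SystemRoot%; read the raw REG_EXPAND_SZ string instead
$current = (Get-Item $key).GetValue("Windows", $null,
    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
"Current: $current"

if ($current -notmatch 'SharedSection=(\d+),(\d+),(\d+)') {
    throw "SharedSection=a,b,c not found in the 'Windows' value; not touching it"
}
$nonInteractive = [int]$Matches[3]
"Non-interactive desktop heap is currently $nonInteractive KB"

if ($nonInteractive -ge $newKB) {
    "Already at or above $newKB KB; nothing to do"
    return
}

# Keep the original string so the change can be reverted
$backup = Join-Path $env:TEMP ("SubSystems-Windows-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
Set-Content -Path $backup -Value $current
"Backup of the original value written to $backup"

# Replace only the third number; $1 and $2 keep the first two values as they are
$updated = $current -replace 'SharedSection=(\d+),(\d+),\d+', ('SharedSection=$1,$2,' + $newKB)

# -Type ExpandString keeps the REG_EXPAND_SZ type so %SystemRoot% is still expanded at boot
Set-ItemProperty -Path $key -Name Windows -Value $updated -Type ExpandString
"Updated: $updated"
"Reboot the server for the new desktop heap size to take effect."
```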

 

SharePoint 2013: Error in “Products Configuration Wizard” after Update to SP1

Today I got an error on my development farm after I updated SP 2013 to SP1 level. I also removed Visual Studio 2012 from the box and installed Visual Studio 2013.

In fact I did the SP1 update as the last step.

Then I tried to run the "SharePoint 2013 Products Configuration Wizard" and got this error in the first update step ("Initializing…"):

[screenshot: wizard error dialog]

One or more types failed to load.

I was pretty sure this error was caused by the Visual Studio "update":

[screenshot: first assembly load error]

Could not load file or assembly ‘Microsoft.Data.Edm, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies.

[screenshot: second assembly load error]

Could not load file or assembly ‘Microsoft.Data.OData, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies.

After some research I found that these two components belong to "WCF Data Services 5.0 for OData V3".

I downloaded the package from http://www.microsoft.com/en-us/download/details.aspx?id=29306 and installed it on my SharePoint dev box.

After that the “Products Configuration Wizard” worked as expected.
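The error names the exact strong names, and strong-name binding is exact: a newer WCF Data Services version in the GAC does not satisfy a request for Version=5.0.0.0 unless a binding redirect exists. The following added check (not from the original post) asks the .NET Framework loader for precisely those two assemblies, so you can see before and after the package installation whether the wizard will find them. Run it in Windows PowerShell (the .NET Framework host), not in PowerShell 7.

```powershell
# Added example (not from the original post): check that the two strong-named assemblies
# from the error messages resolve from the GAC. Run in Windows PowerShell on the server.
$required = @(
    "Microsoft.Data.Edm, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "Microsoft.Data.OData, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
)

function Test-AssemblyLoad {
    param([string]$FullName)
    try {
        # Assembly.Load with a full name goes through normal binding (GAC, redirects), exactly
        # like the wizard's own load attempt; any other version installed does not count.
        $asm = [System.Reflection.Assembly]::Load($FullName)
        [pscustomobject]@{ Assembly = $FullName.Split(',')[0]; Loaded = $true;  Detail = $asm.Location }
    } catch {
        [pscustomobject]@{ Assembly = $FullName.Split(',')[0]; Loaded = $false; Detail = $_.Exception.Message }
    }
}

$results = $required | ForEach-Object { Test-AssemblyLoad $_ }
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Loaded }) {
    Write-Warning "At least one assembly is missing: install 'WCF Data Services 5.0 for OData V3' and run the check again."
}
```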