Monday, February 29, 2016

My notes on SharePoint 2013 user profile, people picker, user information list, ports and troubleshooting

Hi all,

While working on a business requirement, we needed to configure SharePoint 2013 against Active Directory in two different forests: the User Profile Synchronization service, the people picker, and the network (firewall) rules both of them need.

Setting up the User Profile Synchronization service requires a fairly involved SharePoint architecture as well as a fair knowledge of networking and firewall concepts.

User Profile Service:

I have written a separate blog post on setting up and configuring the User Profile Synchronization service (UPS); it is fairly complex to configure. The User Profile store holds the information about users. In most environments Active Directory (which is supported natively) is the source from which user profiles are created.

Firewall ports for UPS:

·         TCP / UDP 389 (LDAP)
·         TCP/UDP 88 (Kerberos)
·         TCP/UDP 53 (DNS)
·         UDP 464 (Kerberos Change Password)


User Information List:

Each site collection has a hidden list called the User Information List. It lives in the content database (the UserInfo table) and there is one per site collection. A user is added to it the first time they access the site, or when they are granted permissions or resolved through the people picker.

 It is hidden and only site collection administrators can open it, via this URL (relative to the site collection root):
<site collection URL>/_catalogs/users/simple.aspx or
<site collection URL>/_catalogs/users/detail.aspx


SharePoint stores user information in two places:
a) the User Profile store (one per User Profile Service Application, shared by the whole farm) and
b) each site collection's User Information List

and keeps them in sync, one way from the profile store into the site collections, with two timer jobs:
·         User Profile to SharePoint Full Synchronization (walks every site collection)
·         User Profile to SharePoint Quick Synchronization (runs frequently and only pushes recently changed profiles)
 
SharePoint manages the profile store and the site collections internally. At times they get out of sync, and the following STSADM commands help. The trailing number is a count of days; 0 means "all content databases".

stsadm -o sync -listolddatabases 0
shows every content database and when it was last synchronized.

The next command clears the synchronization records for those databases (it does not delete any content); the next sync run then treats them as new and resynchronizes them:

stsadm -o sync -deleteolddatabases 0

And this runs the synchronization itself:

stsadm -o sync

Please refer to the TechNet article on the STSADM sync operation for more details.
The same can be done from PowerShell.
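As an added example (not code from the original post), here is the PowerShell side of the same task: it reports users whose User Information List entry no longer matches their profile, then starts the "User Profile to SharePoint" timer jobs instead of waiting for their schedule. It assumes the SharePoint 2013 Management Shell, a farm administrator with rights on the User Profile Service Application, and the site collection URL shown, which is made up for the example.

```powershell
# Added example, not from the original post: report users whose User Information
# List entry differs from their profile, then start the sync timer jobs.
# Run in the SharePoint 2013 Management Shell as a farm administrator with
# rights on the User Profile Service Application. The site URL is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint2013.contoso.com/sites/projectx"   # assumed site collection

function Get-OutOfSyncUsers {
    param([string]$Url)
    $site = Get-SPSite $Url
    try {
        $ctx = Get-SPServiceContext $site
        $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

        # SPWeb.SiteUsers is backed by the hidden User Information List.
        foreach ($user in $site.RootWeb.SiteUsers) {
            if ($user.IsDomainGroup) { continue }        # AD groups have no profile
            $listName  = [string]$user.Name
            $listEmail = [string]$user.Email
            if (-not $upm.UserExists($user.LoginName)) {
                New-Object PSObject -Property @{
                    Login = $user.LoginName; ListName = $listName; ListEmail = $listEmail
                    ProfileName = $null; ProfileEmail = $null; State = "no profile"
                }
                continue
            }
            $up     = $upm.GetUserProfile($user.LoginName)
            $pName  = [string]$up["PreferredName"].Value
            $pEmail = [string]$up["WorkEmail"].Value
            if ($listName -ne $pName -or $listEmail -ne $pEmail) {
                New-Object PSObject -Property @{
                    Login = $user.LoginName; ListName = $listName; ListEmail = $listEmail
                    ProfileName = $pName; ProfileEmail = $pEmail; State = "out of sync"
                }
            }
        }
    }
    finally {
        $site.Dispose()
    }
}

Get-OutOfSyncUsers -Url $siteUrl |
    Format-Table Login, State, ListName, ProfileName, ListEmail, ProfileEmail -AutoSize

# The two jobs that push profile data into the User Information Lists.
$syncJobs = Get-SPTimerJob |
    Where-Object { $_.DisplayName -like "User Profile to SharePoint*Synchronization" }
$syncJobs | Select-Object DisplayName, LastRunTime, Status | Format-Table -AutoSize

# Run the quick sync now instead of waiting for its schedule; for a complete
# resync (for example after stsadm -o sync -deleteolddatabases) start the Full job.
$syncJobs | Where-Object { $_.DisplayName -like "*Quick*" } | Start-SPTimerJob
```

The report compares the two fields the sync jobs actually write (display name and e-mail); an entry flagged "no profile" usually means the account is not in scope of the UPS synchronization connection, which no amount of re-running the timer jobs will fix.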

People Picker Control:

A SharePoint site has a control called the people picker, shown in the screenshot below.



The address book highlighted above searches the site collection. This blog post explains it well.
 This is the sequence the people picker follows when it looks up a user:
a)      It FIRST checks for an exact match. For example, if you type Aroh Shukla into the control, it checks the User Information List (the hidden list) of the site collection for that display name, and the SharePoint groups of the site collection.
If there is no exact match, the control goes to Active Directory in the respective forests (if you have more than one) and queries every user object's display name for an exact match.
If a match is found and you hover the mouse over it, you can see the user name.

b)      If that does not resolve the name, the control searches for profiles or SharePoint groups whose first name starts with the text entered, by
a.       checking the User Information List of the site collection, and
b.      if nothing is found there, searching the Active Directory forest.

c)       If that still does not resolve the name, it searches for profiles or SharePoint groups whose last name starts with the text entered,
a.       checking the User Information List of the site collection, and
b.      if nothing is found there, searching the Active Directory forest.

d)      Finally it searches the SharePoint groups of the site collection.

To summarize, the people picker checks the User Information List of the site collection first and Active Directory second, which is why an account that has never touched the site is only found if SharePoint can reach, and is allowed to query, the directory that holds it.
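To separate a directory or trust problem from a SharePoint one, it helps to run the same two lookups the picker makes (exact display name, then starts-with) directly against the forest's global catalog. The script below is an added example, not code from the original post or from SharePoint; the forest name, the account it prompts for and the search text are assumptions, and the LDAP filters are my approximation of the picker's queries rather than its actual implementation.

```powershell
# Added example, not from the original post: reproduce the people picker's AD
# lookups (exact display-name match, then starts-with) against a forest's
# global catalog with an explicit account, to separate a trust/firewall
# problem from a SharePoint one. Forest, account and search text are assumptions.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special in an LDAP filter (RFC 4515), so
    # whatever was typed into the search box cannot change the query structure.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Find-AdUserLikePeoplePicker {
    param(
        [string]$Forest,                                          # e.g. fabrikam.com
        [string]$SearchText,                                      # text typed into the picker
        [System.Management.Automation.PSCredential]$Credential    # account allowed to read that forest
    )
    $v = ConvertTo-LdapFilterValue $SearchText
    $userOnly = "(objectCategory=person)(objectClass=user)"
    # Same order as the picker: exact display name first, then prefix matches.
    $stages = @(
        @{ Name = "exact";       Filter = "(&$userOnly(displayName=$v))" },
        @{ Name = "starts-with"; Filter = "(&$userOnly(|(displayName=$v*)(givenName=$v*)(sn=$v*)(sAMAccountName=$v*)))" }
    )
    # GC:// queries the global catalog (TCP 3268), which covers the whole forest;
    # the credential plays the role of the one stored in peoplepicker-searchadforests.
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "GC://$Forest", $Credential.UserName, $Credential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    foreach ($stage in $stages) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $stage.Filter)
        [void]$searcher.PropertiesToLoad.AddRange([string[]]@("displayName", "sAMAccountName", "userPrincipalName"))
        $found = $searcher.FindAll()
        if ($found.Count -eq 0) { continue }
        foreach ($r in $found) {
            New-Object PSObject -Property @{
                Stage       = $stage.Name
                DisplayName = [string]($r.Properties["displayname"]       | Select-Object -First 1)
                Account     = [string]($r.Properties["samaccountname"]    | Select-Object -First 1)
                UPN         = [string]($r.Properties["userprincipalname"] | Select-Object -First 1)
            }
        }
        return   # like the picker, stop at the first stage that returns anything
    }
    Write-Warning "No results found for '$SearchText' in $Forest"
}

# Usage: prompt for the lookup account so no password ends up in the script or history.
$cred = Get-Credential -Message "Account that can read the fabrikam.com global catalog"
Find-AdUserLikePeoplePicker -Forest "fabrikam.com" -SearchText "Aroh Shukla" -Credential $cred |
    Format-Table Stage, DisplayName, Account, UPN -AutoSize
```

If this returns results from a SharePoint server but the picker still shows nothing, the directory and firewall are fine and the problem is in the farm configuration (the peoplepicker-searchadforests property or its credential key). If it fails with a bind or timeout error, start with the ports and the trust direction described below.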
 
Here is the flow when a user adds another user to a site collection (see the diagram below):



People Picker ports (AD ports) are as follows:

TCP/UDP 135, 137, 138, 139 (RPC)
TCP/UDP 389 by default, customizable (LDAP)
TCP 636 by default, customizable (LDAP SSL)
TCP 3268 (LDAP GC)
TCP 3269 (LDAP GC SSL)
TCP/UDP 53 (DNS)
TCP/UDP 88 (Kerberos)
TCP/UDP 445 (Directory Services)
TCP/UDP 749 (Kerberos-Adm)
TCP port 750 (Kerberos-IV)


Ask the network engineer to open these ports from every SharePoint server to the domain controllers of each forest the picker must search. Where possible use LDAP over SSL (636 and 3269) rather than plain 389 and 3268. Note that 749 and 750 come from Microsoft's list but are Kerberos admin and Kerberos IV ports that Windows Active Directory itself does not use, so open them only if you really have such a KDC.

AD trust

Having one domain and one forest is easy to configure, but that rarely happens in the real world. Typically organizations have multiple forests and domains.

Furthermore, a two-way trust is not scalable, is harder to manage and has security implications: in a two-way trust accounts from each side can be granted access to resources on the other, so an account compromise on either side can be used against the other.

In a one-way trust only one domain trusts the other. For example, CONTOSO trusts FABRIKAM: FABRIKAM accounts can be authenticated and authorized in CONTOSO, but CONTOSO accounts (including the SharePoint service accounts) have no standing in FABRIKAM and cannot query its directory on their own.

The diagram below shows this.




A SharePoint farm typically sits behind such a one-way trust. Once it is configured you can authenticate any account from the trusted domain, as shown above, but the FABRIKAM users still have no permissions until someone grants them.

Issue:
With the one-way trust you cannot see any account from the other domain in the people picker, as shown below for SharePoint 2013:

No results found. (when searching for a FABRIKAM account)



In SharePoint 2007/2010 the message is:

No results were found to match your search term. Please enter a new term or less specific term.

A little configuration at the SharePoint farm is required.

Fix:

You need to execute these STSADM commands in sequence to get both the CONTOSO and FABRIKAM accounts:

a) STSADM.exe -o setapppassword -password <<KEY>>

Note: the key can be any string, but keep it safe. It is used to encrypt the credentials stored in step b, so it must be identical on every front-end web server: run this command on EACH one (and on any server you add to the farm later).
For example: STSADM.exe -o setapppassword -password "ProjectX"

b)
STSADM.exe -o setproperty -propertyname peoplepicker-searchadforests -propertyvalue "domain:contoso.com,contoso\spfarm,p@ssword;domain:fabrikam.com,fabrikam\aroh,123456" -url http://sharepoint2013.contoso.com

Note: this property is stored per web application (hence -url) and replaces any previous value, so list every forest or domain the picker must search. The farm's own forest can be given as forest:contoso.com without credentials (the application pool identity is used); the trusted domain needs them, because the one-way trust does not let CONTOSO accounts read FABRIKAM. Use a dedicated read-only FABRIKAM account for this rather than a personal one, and remember the password is typed in clear on the command line, so run it from a console you control and clear the command history afterwards.

For a single domain, use this command:

stsadm -o setproperty -url https://sharepoint2013.contoso.com -pn peoplepicker-searchadforests -pv "forest:contoso.com"
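The same fix can be applied from the SharePoint 2013 object model, which lets you type the lookup password at a prompt instead of leaving it in the command line history. The script below is an added example, not from the original post; the web application URL, forest and domain names and the lookup account are assumptions, and it assumes PowerShell remoting is enabled to every SharePoint server for the setapppassword step (there is no cmdlet for that step, so stsadm is still used there).

```powershell
# Added example, not from the original post: the same fix done from the SharePoint
# 2013 object model so the trusted-domain password is typed at a prompt instead
# of being left on a command line. Assumptions: the web application URL, forest
# and domain names, the lookup account, and PowerShell remoting to every
# SharePoint server for the setapppassword step.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl     = "http://sharepoint2013.contoso.com"    # assumed web application
$sourceForest  = "contoso.com"                          # forest the farm lives in
$trustedDomain = "fabrikam.com"                         # one-way trusted domain
$lookupAccount = "fabrikam\aroh"                        # read-only lookup account in FABRIKAM
$stsadm = Join-Path $env:CommonProgramFiles "microsoft shared\Web Server Extensions\15\BIN\STSADM.EXE"

# 1. The application credential key encrypts the stored lookup password and must
#    be identical on every SharePoint server, so set it on all of them.
$keySecure = Read-Host -AsSecureString -Prompt "Application credential key"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($keySecure)
try     { $keyPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne "Invalid" })) {
    Invoke-Command -ComputerName $server.Address -ArgumentList $stsadm, $keyPlain -ScriptBlock {
        param($exe, $key)
        & $exe -o setapppassword -password $key
    }
}
Remove-Variable keyPlain

# 2. Which directories the picker searches for this web application. This is the
#    object-model form of peoplepicker-searchadforests; like setproperty it
#    replaces the whole list, so the source forest is listed as well.
$cred = Get-Credential -UserName $lookupAccount -Message "Password for $lookupAccount"
$wa = Get-SPWebApplication $webAppUrl
$domains = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains
$domains.Clear()

$src = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$src.DomainName = $sourceForest
$src.IsForest   = $true              # no credentials: the application pool identity is used
$domains.Add($src)

$trusted = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$trusted.DomainName = $trustedDomain
$trusted.IsForest   = $false
$trusted.LoginName  = $cred.UserName
$trusted.SetPassword($cred.Password) # SecureString; encrypted with the key from step 1
$domains.Add($trusted)
$wa.Update()

# 3. Verify what is stored without revealing the password.
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains | Select-Object DomainName, IsForest, LoginName
```

Step 1 is the one people forget: if any front-end is missing the key, or has a different one, that server throws the "Cannot retrieve the information for application credential key" error covered in the troubleshooting section.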

Troubleshooting

1.
Most issues come down to the firewall not being open from the SharePoint 2013 servers to the domain controllers. Trevor Seward (SharePoint MVP) has written a fantastic tool called PeoplePicker Port Tester that tests the connectivity between SharePoint 2013 and Active Directory.



2. Use Microsoft's PortQry to test whether the AD ports are open. It works for other ports too, such as the Distributed Cache ports (TCP 22233 by default).
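When neither tool is at hand, the reachability check can be done with plain .NET sockets from any SharePoint server. The script below is an added example, not from the original post; it walks the AD port list given earlier against domain controllers whose names are made up for the example. It only exercises TCP, so for the UDP side of DNS and Kerberos you still need PortQry (for instance portqry -n dc01.contoso.com -p udp -e 88).

```powershell
# Added example, not from the original post: a TCP reachability check from a
# SharePoint server to each domain controller on the ports listed earlier, using
# only .NET sockets so it works where PortQry is not installed. The DC names are
# assumptions. UDP-only traffic (DNS and Kerberos over UDP) is not covered.
$domainControllers = @("dc01.contoso.com", "dc01.fabrikam.com")   # assumed DCs, one per forest
$adPorts = @(
    @{ Port = 53;   Service = "DNS (TCP)" },
    @{ Port = 88;   Service = "Kerberos (TCP)" },
    @{ Port = 135;  Service = "RPC endpoint mapper" },
    @{ Port = 139;  Service = "NetBIOS session" },
    @{ Port = 389;  Service = "LDAP" },
    @{ Port = 445;  Service = "Directory Services / SMB" },
    @{ Port = 464;  Service = "Kerberos change password (TCP)" },
    @{ Port = 636;  Service = "LDAP over SSL" },
    @{ Port = 3268; Service = "Global Catalog" },
    @{ Port = 3269; Service = "Global Catalog over SSL" }
)

function Test-TcpPort {
    # OPEN = handshake completed, CLOSED = active refusal, FILTERED = no answer
    # within the timeout (the usual signature of a firewall dropping packets).
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return "FILTERED (timeout)" }
        $client.EndConnect($async)     # throws if the connection was refused
        return "OPEN"
    }
    catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        return "CLOSED ($($ex.Message))"
    }
    finally {
        $client.Close()
    }
}

$results = foreach ($dc in $domainControllers) {
    foreach ($p in $adPorts) {
        New-Object PSObject -Property @{
            DomainController = $dc
            Port             = $p.Port
            Service          = $p.Service
            Result           = Test-TcpPort -ComputerName $dc -Port $p.Port
        }
    }
}
$results | Format-Table DomainController, Port, Service, Result -AutoSize
```

A row that reads FILTERED on the trusted forest's DC but OPEN on the local one is the typical one-way-trust deployment where the firewall rules were only written for the farm's own domain.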



3. Error: Cannot retrieve the information for application credential key

This appears when the peoplepicker-searchadforests property contains credentials but the front-end server handling the request has no application credential key, either because step a was skipped on it or because it was run there with a different key. Run these commands, in this order, using the same key and values as in the Fix section above:

a) STSADM.exe -o setapppassword -password <<KEY>>
b) STSADM.exe -o setproperty -url <web application url> -pn peoplepicker-searchadforests -pv "forest:<source forest>;domain:<trusted domain>,<trusted domain>\<account>,<password>"

Step a goes on every front-end web server; step b is per web application.


I hope this blog post will be helpful.

References:

Configure People Picker in SharePoint 2013 (TechNet): https://technet.microsoft.com/en-SG/library/gg602075.aspx

