Access Denied when Enabling PowerShell Remoting

February 2nd, 2012

Quick tip: Are you receiving Access Denied messages when you are attempting to run the Enable-PSRemoting cmdlet? I’ve received them on machines connected to a domain, even when I’m running in an elevated PowerShell window. An easy trick is to open a PowerShell window as the built-in administration account on the machine. Not sure why, but for whatever reason, it seems to work!

VirtualBox Unidentified Network

February 2nd, 2012

Thanks to Oisin Grehan and his Nivot Ink blog for providing the foundation of this post!
VMWare VMNET Adapters Triggering Public Profile for Windows Firewall

I use Oracle’s VirtualBox to run x64 SharePoint virtual machines from my laptop. I’ve also noticed an Unidentified Network in my Windows 7 list of networks. That is caused by VirtualBox’s Host-Only Network Adapter. It wasn’t harming anything at the time so I left it alone.

However, I later attempted to enable PowerShell remoting on my host laptop for work with SharePoint scripting. Upon doing so, I was greeted with the following error message while running the Enable-PSRemoting cmdlet:

Set-WSManQuickConfig : WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.

Another helpful error message! That seems easy enough; Windows makes it very easy to modify the settings for each individual network adapter to Private, Work, or Public depending on your personal preference. However, this is not the case with an unidentified network. With an unidentified network, Windows sticks to its Public settings and will not change it.

So can I now not enable PowerShell remoting since I can’t remove the Public designation of VirtualBox’s unidentified network? No! VirtualBox’s Host-Only network isn’t really a true network connection at all. It is an endpoint adapter. Kudos to Oisin Grehan for developing a nice PowerShell script that will solve the issue by telling Windows, via the registry, that the network adapter is an endpoint device and not a true external network connection. This will cause Windows to stop treating the VirtualBox Host-Only adapter as a network and thus remove the unidentified network (and its public designation) from my list of networks. Problem solved! I’ve modified Oisin’s script to account for VirtualBox’s Host-Only instead of VMware adapters.

Note: This script will need to be executed every time VirtualBox is updated because the update will replace the existing adapter and cause the settings in the registry to be lost.
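
The registry change described above, as an added example (the author's modified script is not reproduced on this page, and this is not it). It assumes the adapter's DriverDesc contains "VirtualBox Host-Only" and writes the NDIS `*NdisDeviceType` value 1 (NDIS_DEVICE_TYPE_ENDPOINT); it only touches adapters that match that pattern and lists what it changed.

```powershell
# Added example: flag VirtualBox Host-Only adapters as NDIS endpoint devices so
# Windows stops listing them as an (unidentified, Public) network.
# Assumption: the adapter's DriverDesc contains "VirtualBox Host-Only".

# The registry key below is writable only from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell window.'
}

# Device class key for network adapters; each adapter is a numbered subkey.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$pattern  = '*VirtualBox Host-Only*'

# Some subkeys (for example "Properties") are not readable; skip them quietly.
$flagged = @(Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($props -and $props.DriverDesc -like $pattern) {
        # 1 = NDIS_DEVICE_TYPE_ENDPOINT: not a true external network connection.
        New-ItemProperty -Path $_.PSPath -Name '*NdisDeviceType' `
            -PropertyType DWord -Value 1 -Force | Out-Null
        $props.DriverDesc
    }
})

if ($flagged.Count -eq 0) {
    Write-Warning "No adapter matching '$pattern' was found; nothing changed."
    return
}

# The setting is read when the adapter starts, so restart the matching adapters.
Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.Name -like $pattern } |
    ForEach-Object {
        [void]$_.Disable()
        [void]$_.Enable()
    }

# Report exactly which adapters were changed so the result can be reviewed.
$flagged | ForEach-Object { Write-Host "Marked as endpoint device: $_" }
```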

IIS Termination during Visual Studio Debugging

January 26th, 2012

What a familiar situation: You are debugging a SharePoint solution (or any ASP.NET code) and have Visual Studio attached to IIS. As you are stepping through your code, checking variables and getting a lot done, all of a sudden you are presented with the following message:

The web server process that was being debugged has been terminated by Internet Information Services (IIS). This can be avoided by configuring Application Pool ping settings in IIS. See help for further details.

It typically occurs within two minutes of Visual Studio pausing on a breakpoint. It is possible to extend this timeframe and the error message gives the answer. The reason Visual Studio presents this message is because IIS is forcefully terminating the worker process being debugged. Why? Because IIS (by default) performs health monitoring pings against each of its worker processes to ensure they are still responding. If IIS does not receive a response from the worker process to one of these pings within a given timeframe, IIS forcefully terminates the worker process. When debugging in Visual Studio, the worker process is stopped while Visual Studio is paused on a breakpoint. Therefore, the worker process has no way to respond to a health monitoring ping. Therefore, the worker process gets terminated.

How does one stop this vicious cycle and allow debugging to continue unimpeded? As the error message states, modify the IIS settings for health monitoring pings! To do this on a particular application pool:

  1. Open IIS Manager.
  2. On the left in the Connections pane, click Application Pools. The list of all of the application pools in IIS will display in the middle section of the window.

  3. Select the particular application pool used for debugging and click Advanced Settings under Edit Application Settings on the right in the Actions pane.

  4. Modify the two Ping settings: Ping Maximum Response Time (seconds) and Ping Period (seconds). The Ping Period is the interval used by IIS to ping the worker process. The Ping Maximum Response Time is the amount of time IIS will wait for a ping response. If IIS doesn’t get a response after the maximum response time has elapsed, that is when the termination occurs. By default, the ping period is 30 seconds and the maximum response time is 90 seconds. These are great in normal situations, but only give you about two minutes for debugging! Therefore, I would suggest throwing a few extra zeros in there – I personally set my ping period to 3000 seconds (50 minutes) and my maximum response time to 9000 seconds (150 minutes or 2.5 hours). Those values give me plenty of time to debug without needing to worry about termination. Once you have modified these values, click OK.

  5. While I would recommend that developers modify the health monitoring ping settings on their local development servers, these modifications should never be made in a testing or production environment.

Happy debugging!
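
The same change scripted with the IIS WebAdministration module, as an added example that is not part of the original post. It also lists every pool whose ping settings differ from the defaults quoted above (30 and 90 seconds), which is a quick way to confirm that debugging values never reached a test or production server. The pool name `SharePoint - 80` is a hypothetical placeholder.

```powershell
# Added example. Requires the WebAdministration module (IIS 7.x management tools)
# and an elevated session.
Import-Module WebAdministration

function Set-AppPoolPing {
    param(
        [Parameter(Mandatory = $true)][string]$AppPoolName,
        [int]$PingPeriodSeconds      = 30,   # default quoted in the article
        [int]$PingMaxResponseSeconds = 90    # default quoted in the article
    )
    $path = "IIS:\AppPools\$AppPoolName"
    if (-not (Test-Path $path)) { throw "Application pool '$AppPoolName' not found." }

    # Both settings are stored as TimeSpan attributes of <processModel>.
    Set-ItemProperty $path -Name processModel.pingInterval `
        -Value ([TimeSpan]::FromSeconds($PingPeriodSeconds))
    Set-ItemProperty $path -Name processModel.pingResponseTime `
        -Value ([TimeSpan]::FromSeconds($PingMaxResponseSeconds))
}

function Get-AppPoolPingDrift {
    # Returns every pool whose health-monitoring ping is disabled or not at 30/90 s.
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        $period   = [int]$pm.pingInterval.TotalSeconds
        $response = [int]$pm.pingResponseTime.TotalSeconds
        if (-not $pm.pingingEnabled -or $period -ne 30 -or $response -ne 90) {
            New-Object PSObject -Property @{
                AppPool         = $_.Name
                PingEnabled     = $pm.pingingEnabled
                PingPeriodSec   = $period
                PingResponseSec = $response
            }
        }
    }
}

$devPool = 'SharePoint - 80'   # hypothetical pool name on a local development server

# Before a debugging session: the values suggested in step 4.
Set-AppPoolPing -AppPoolName $devPool -PingPeriodSeconds 3000 -PingMaxResponseSeconds 9000

# After the session: back to the defaults.
Set-AppPoolPing -AppPoolName $devPool

# On any server: an empty result means no pool deviates from the defaults.
Get-AppPoolPingDrift | Format-Table AppPool, PingEnabled, PingPeriodSec, PingResponseSec -AutoSize
```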

Managing Customizations to ASP.NET & SharePoint Browser Definitions

November 2nd, 2011

This article’s purpose is to discuss the best practices around managing customizations to ASP.NET’s Browser Definitions. For more details around ASP.NET’s browser definition platform, please see the Browser Definition File Schema (browsers element) article on MSDN. A quick overview of ASP.NET Browser Definitions can be found in the side panel.

ASP.NET Browser Definition Overview
In any IIS site, including SharePoint sites, Microsoft provides a highly configurable platform for defining the various capabilities and mobile adapters of a browser. To facilitate this, Microsoft uses what is called a Browser Definition File, which is an XML-based file that defines browsers, what makes each browser different from the rest (the Identification), and browser properties – capabilities and mobile adapters. Microsoft provides several definition files out-of-the-box with ASP.NET that define various browsers. Then, individual web applications can provide their own Browser Definition Files that will supplement or override the out-of-the-box files. ASP.NET uses this information to tailor page rendering based on the browser making the page request.

ASP.NET allows for multiple files that all have the same schema. There are two sets of files that ASP.NET parses:

  1. Predefined Browser Definition Files – This set of files is specific to the version of the .NET Framework being used in the web application and contains the out-of-the-box ASP.NET browser definition files.
  2. Application-Level Browser Definition Files – This set of files is specific to each web application and contains the web application specific browser definition files.
    App_Browsers directory within the web application’s web root folder (e.g. inetpub or inetpub\wss\VirtualDirectories\80)

Each individual browser is defined using a <browser> tag. Within this tag, there are several other allowed tags that define how a browser is uniquely identified and what unique attributes should be defined for that browser. Browser definitions follow an inheritance hierarchy. New definitions must define a parent definition or existing definitions can be modified using the definition’s ID.

ASP.NET loads each browser definition file by concatenating them – each browser file contains a series of browser tags. The predefined files are processed first based on the ASP.NET version being used followed by the application-level files. Within each file location, ASP.NET seemingly processes each file in alphabetical order by file name. This means that if there are multiple definitions for the same browser, it seems that the definition in the last file will take precedence.

SharePoint chose to implement two browser definition files that are deployed locally to each SharePoint web application’s App_Browsers directory. This is important as SharePoint deploys its custom browser definitions in the same way that other applications using SharePoint or ASP.NET should deploy them – as separate .browser files deployed to the application-level App_Browsers directory. These two files, which may look familiar, are:

  • compat.browser, and
  • compat.moss.browser (If using SharePoint Server editions)

As the Browser Definition File Schema article in MSDN stresses, the predefined files that ship with the .NET Framework should never be modified – ever! This is because they could be overwritten by updates, patches, or service packs, causing any customizations to be lost.

As an extension to this rule, never modify the application-level browser definition files that ship with SharePoint. Why? The same reason as with the predefined files. Future SharePoint updates, patches, or service packs could overwrite these files, causing any customizations to be lost.

So what is left if customizations are required? Thanks to the architecture of these browser definition files, Microsoft allows an application to define its own browser definition files. This is relatively straightforward, but it does require knowledge of the browser definition files you will be overriding. I will cover three scenarios:

  1. Adding an entirely new browser definition
  2. Appending information to an existing browser definition
  3. Modifying an existing browser definition

As far as I know, there is no way to remove a browser definition. However, I’m not sure there would be a need or desire to do so.

Adding an entirely new browser definition
To add a new browser definition, add the definition’s browser element to a new browser definition file. Deploy this file locally into each web application’s App_Browsers folder. This new file’s definition(s) will be combined with the other predefined and application-level definitions.

Appending information to an existing browser definition
To append capabilities, mobile adapters, or other information to an existing browser definition, add a new browser tag to a new browser definition file that uses refID to reference the existing browser’s ID. Add the new information within this browser tag. This definition will be combined with the existing browser’s definition, which could be in another file, and append the new information.

Modifying an existing browser definition
To modify a capability, mobile adapter, or other information already defined as part of an existing browser definition, there are a few options. The first would be to use a similar process to appending information. It is possible to define browser definitions in a new file, using refID to reference the existing browser’s ID, and define the same information with different values. The second would be to implement a new browser, with no additional identification, with the parent browser set to the browser that should be modified.

For example, if the IE browser should be modified to be treated as a mobile device, then the following browser definitions could be used:

  • Option 1:
    <browser refID="ie">
        <capabilities>
            <capability name="isMobileDevice" value="true" />
        </capabilities>
    </browser>
  • Option 2:
    <browser id="ieMobile" parentID="ie">
        <capabilities>
            <capability name="isMobileDevice" value="true" />
        </capabilities>
    </browser>

However, note that if multiple browser definitions exist that reference the same browser ID and each has a different definition of the same information, then the last definition in the last file alphabetically in the application-level folder will be used.

For example, assume Option 1 was implemented in both MyApp1.browser & MyApp2.browser and that each of those browser files was deployed to the application-level App_Browsers folder. MyApp1 defines IsMobileDevice=True and MyApp2 defines IsMobileDevice=False. Since MyApp2 comes last alphabetically, it will take precedence and IsMobileDevice will be False. This underscores the need for applications to consider the environment’s existing customizations when developing custom browser definitions. In this example, the MyApp2 team, presumably deploying after MyApp1, should have seen MyApp1’s existing customization and implemented a new child browser (Option 2) to avoid a conflict or change MyApp1’s customization. The MyApp2 team would need to be aware that either way that is chosen for implementation will affect the entire web application, so they should consult the MyApp1 team!

To properly manage customizations to the browser definitions that ship with ASP.NET and SharePoint, applications being deployed to a SharePoint environment should make use of their own browser definition files that are deployed to the application-level App_Browsers folder. However, if the environment is planning to host multiple sets of customizations or applications that will require changes to the browser definitions, I would encourage a single file for each web application to ensure that application changes are developed properly and do not conflict with each other.

Never modify any browser definition file not directly managed by the application being deployed. To implement the changes to existing browsers within the application browser definition files, it is best to use the refID attribute of the browser tag.

When deploying, changes to the App_Browsers folder should automatically be picked up by IIS and not require any sort of application pool recycle or IISReset.
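
A check for the MyApp1/MyApp2 situation described above, as an added example that is not part of the original article. It scans an App_Browsers folder for refID definitions that set the same capability to different values and reports which file wins, assuming (as the article observes) that files are applied in alphabetical order and the last definition takes precedence. The two sample files are constructed for the demonstration.

```powershell
# Added example: find capabilities that several .browser files in one
# App_Browsers folder redefine (via refID) with different values.
function Get-BrowserCapabilityConflict {
    param([Parameter(Mandatory = $true)][string]$AppBrowsersPath)

    $seen = @{}   # keyed by "refID/capability"; hashtable keys are case-insensitive

    # Visit files by name, the processing order the article describes.
    Get-ChildItem -Path $AppBrowsersPath -Filter *.browser | Sort-Object Name | ForEach-Object {
        $file = $_.Name
        $xml  = New-Object System.Xml.XmlDocument
        $xml.Load($_.FullName)

        $xpath = '/browsers/browser[@refID]/capabilities/capability'
        foreach ($cap in $xml.SelectNodes($xpath)) {
            $refId = $cap.ParentNode.ParentNode.GetAttribute('refID')
            $key   = '{0}/{1}' -f $refId, $cap.GetAttribute('name')
            if (-not $seen.ContainsKey($key)) { $seen[$key] = @() }
            $seen[$key] += New-Object PSObject -Property @{
                File  = $file
                Value = $cap.GetAttribute('value')
            }
        }
    }

    foreach ($key in $seen.Keys) {
        $defs     = $seen[$key]
        $distinct = @($defs | ForEach-Object { $_.Value.ToLowerInvariant() } | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            # More than one value for the same capability: report the winner.
            New-Object PSObject -Property @{
                Capability     = $key
                Definitions    = ($defs | ForEach-Object { '{0}={1}' -f $_.File, $_.Value }) -join '; '
                EffectiveValue = $defs[-1].Value
                EffectiveFile  = $defs[-1].File
            }
        }
    }
}

# Constructed sample reproducing the MyApp1/MyApp2 example from the article.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'App_Browsers_demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$template = '<browsers><browser refID="ie"><capabilities>' +
            '<capability name="isMobileDevice" value="{0}" />' +
            '</capabilities></browser></browsers>'
Set-Content -Path (Join-Path $dir 'MyApp1.browser') -Value ($template -f 'true')
Set-Content -Path (Join-Path $dir 'MyApp2.browser') -Value ($template -f 'false')

# Reports ie/isMobileDevice with MyApp2.browser (value false) as the effective definition.
Get-BrowserCapabilityConflict -AppBrowsersPath $dir |
    Format-List Capability, Definitions, EffectiveValue, EffectiveFile
```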

Expanding Warm Up Script Triggers

September 7th, 2011

This post is a follow up to a post I wrote a few months ago around triggering a warm up script for SharePoint to execute only when a specific application pool is recycled. You may want to read that post before this one: “Application Pool”-Specific Warm Up Scripts

After using what I recommended in the previous post, I realized there were still issues with this approach. To step back and explain the larger picture, I had a scenario where I needed to execute a warm up script whenever the application pool was freshly started. The script is responsible for filling application-level cache. Therefore, I want to execute the script any time the application pool will be freshly started. This means not just when it is recycled, but also in instances like server reboots. I have previously described how to do this using the Windows Task Scheduler to trigger the script to execute based on certain events being logged.

Side Note: I did brainstorm ideas to trigger execution when the application pool started, instead of triggering when the application pool recycled, etc. Regrettably, I was unable to find any Windows events that are logged when the application pool starts. Therefore, that paradigm could not be leveraged. However, one could feasibly create a custom extension to the OOTB SharePoint HttpApplication class (SPHttpApplication) and add logic to one of the class’ methods or events to trigger the warm up script.

This method would be a bit expensive in terms of the need for extra custom development, impacts to the entire web application due to the need to customize the IIS web application’s HttpApplication class, extra deployment steps, interoperability issues with other global.asax customizations, etc. Evaluate this carefully before proceeding with the suggestion above.

As it would be too difficult to trigger when the application pool is started (see the Side Note), I needed to continue triggering the event based on what would occur immediately prior to the application pool being started. I found three things that need to be used:

  1. Server Start/Reboot
  2. IIS Reset
  3. Application Pool Recycle

Server Start/Reboot
Whenever the server is started, one may wish to trigger the warm up script. If the server will take requests or the script will perform a function desired soon after the server is started, then this trigger can be used. Fortunately, the Windows Task Scheduler allows one to add a trigger that will begin the task At startup. Therefore, one can easily add this trigger!

IIS Reset
Whenever IIS is reset, then all of the application pools will be shut down. If requests will come shortly after resetting IIS, it would make sense to use this as a trigger for the warm up script. After analyzing all of the events that the IISreset utility could log, the only one that applies to the situation of needing to track the application pool’s pending start would be when IIS is freshly started: ID 3201. All of the other events described above pertain to states where the warm up script would not need to be executed.

To add event 3201 as a trigger to the task scheduler, you can use the following settings:

  • Begin the task: On an event
  • Log: System
  • Source: IIS-IISReset
  • Event ID: 3201

Note that, per the TechNet links below, Microsoft no longer supports using the IISreset utility in IIS 7.0 & 7.5.

IISreset Event Reference for Windows Server 2008 / IIS 7.0

IISreset Event Reference for Windows Server 2008 R2 / IIS 7.5

Application Pool Recycle
This is the key event that needs to be tracked. The application pool’s recycle settings in IIS are quite extensive! Each reason for recycling produces a different event. This is the major area I realized that I was lacking from the previous post.

IIS logs an event when the application pool recycles

  • (5074) automatically on a regular time interval,
  • (5075) automatically when a defined number of requests have been fulfilled,
  • (5076) automatically at specific times,
  • (5077) automatically when a defined amount of virtual memory is used or exceeded by the worker process,
  • (5078) automatically when an ISAPI extension reports an unhealthy condition,
  • (5079) manually by an administrator,
  • (5080) automatically upon making configuration changes,
  • (5081) automatically due to detected problems with the IIS configuration store,
  • (5117) automatically when a defined amount of private memory is used or exceeded by the worker process, or,
  • (5186) automatically when inactive.

Parameters for automatic recycles can be configured in the IIS Manager. After considering each event, if the warm up script needs to perform any function that should always be in place while the application pool is running, then each of these events should have a trigger set against it.

The good news is that we can use the notion from the previous post to configure the trigger. (“Application Pool”-Specific Warm Up Scripts) One simply needs to include all of the extra IDs in the event filter.

Example Event Filter for an example application pool SharePoint – 32767
Don’t forget to replace SharePoint – 32767 with your application pool’s name!
  <QueryList>
    <Query Id="0" Path="System">
      <Select Path="System">
        *[System[Provider[@Name='Microsoft-Windows-WAS']
        and (EventID=5074 or EventID=5075 or EventID=5076 or EventID=5077 or EventID=5078
             or EventID=5079 or EventID=5080 or EventID=5081 or EventID=5117 or EventID=5186)]
        and EventData[Data[@Name="AppPoolID"]="SharePoint - 32767"]]
      </Select>
    </Query>
  </QueryList>

Important Note: There are also settings in IIS to control if IIS generates recycle event log entries for each of the events listed above! For any warm up script triggers to function properly, ensure that all of the scenarios are set to generate events!

Application Pool Recycling Event Reference for Windows Server 2008 / IIS 7.0

Application Pool Recycling Event Reference for Windows Server 2008 R2 / IIS 7.5

In closing, don’t forget to include any necessary triggers to your own particular warm up script’s scheduled task in Windows so that it executes whenever desired! My suggestions are to include the server start/reboot, the IIS Reset event (3201), and the application pool recycle events (5074-5081, 5117, & 5186).

Thanks to Greg Rosati for providing the links to the event information on TechNet that led to the creation of this follow up post!

Discard Check Outs by the System Account

August 3rd, 2011

SharePoint has a wonderful check-in/check-out system for any library with minor versioning enabled. Users with the Override Check Out permission on a particular library have the powerful ability to discard or check in a document, page, etc. that is checked out to another user. This can typically be easily achieved via any of the library’s views using the out-of-the-box user interface.

Any user with the proper permissions can check in or discard the check out using the item's edit menu

If the System Account is the account that has the item checked out, users are no longer able to check in the item or discard the check out from the library’s views, even with the Override Check Out permission!

The options to check in or discard the check out are unavailable in the item's edit menu

However, there is an area where this can be done: Site Content and Structure. One can navigate there by selecting Manage Content and Structure under the Site Actions menu. If you find the same item in that area, you will be able to check in the item or discard the check out.

The missing options are available in the Site Content and Structure views

Moving an Event Source to a Different Windows Event Log

August 3rd, 2011

It is typically best practice when developing .NET applications, including SharePoint customizations, to create an event source for Windows Event Logging while installing the application. Each event source on a Windows computer is tied to a specific log upon registration. I recently provided guidance on how to move an event source to use its own brand new event log. The following lines of PowerShell can do this quickly. Unless your .NET application has the event log hardcoded into itself, which it shouldn’t because the event source should be registered to a log during installation, then the move shouldn’t require any code changes.

I found that I had to reboot the machine after executing the above lines of PowerShell for this change to fully take effect.

Update – I also have had the need to update the event log properties. To do so, use the Limit-EventLog cmdlet. The following code limits the MyNewOrExistingWindowsEventLog event log to a size of 20 MB (20*1024*1024 or 20,971,520 bytes) and tells Windows to overwrite old entries with new entries as needed.
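
The PowerShell referred to in this post is not reproduced on this page; the following is an added example of the two operations it describes, not the author's code. `MyEventSource` is a hypothetical source name, and the log name is the one used in the text above.

```powershell
# Added example. Run elevated: registering sources and creating logs writes to
# HKLM, and SourceExists must be able to search every log, including Security.
function Move-EventSource {
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$LogName
    )

    if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
        # A source is tied to exactly one log; find out which one it is now.
        $current = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
        if ($current -eq $LogName) {
            Write-Host "Source '$Source' is already registered to '$LogName'."
            return
        }
        # Unregister the source only; the log it was tied to is left in place.
        Remove-EventLog -Source $Source
        Write-Host "Unregistered '$Source' from '$current'."
    }

    # Registers the source and creates the log if it does not exist yet.
    # Windows tells custom logs apart by the first eight characters of the name.
    New-EventLog -LogName $LogName -Source $Source
    Write-Host "Registered '$Source' to '$LogName'."
}

$logName = 'MyNewOrExistingWindowsEventLog'
$source  = 'MyEventSource'          # hypothetical source name

Move-EventSource -Source $source -LogName $logName

# 20 MB cap (20*1024*1024 bytes); overwrite the oldest entries when full.
Limit-EventLog -LogName $logName -MaximumSize 20MB -OverflowAction OverwriteAsNeeded

# Confirm the resulting registration and log properties.
[System.Diagnostics.EventLog]::LogNameFromSourceName($source, '.')
Get-EventLog -List | Where-Object { $_.Log -eq $logName } |
    Format-List Log, MaximumKilobytes, OverflowAction
```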

“Application Pool”-Specific Warm Up Scripts

June 29th, 2011

Thanks to Thomas Vuylsteke and his ADdict blog for providing the foundation of this post!
FIM 2010: Warm Up Your Portal (IIS)
Be sure to read this post first to get the foundation of how one can configure a scheduled task to execute a warm up script whenever IIS recycles an application pool or whenever IIS is reset.

I had a scenario recently where one of my clients needed a rather long running warm up script to execute upon the recycling of a particular application pool. Being a larger farm, there were several application pools and the client only desired the warm up script to run when one specific application pool was recycled. The Windows Task Scheduler allows tasks to be triggered for execution when specific events are logged. When an application pool is recycled (automatically or manually) or when IIS is reset, events are logged in the System event log. Those events can be used to trigger tasks to run a warm up script in the Windows Task Scheduler!

| IIS Action | Source | Event ID |
| --- | --- | --- |
| Application Pool Recycle (automatic) | WAS | 5076 |
| Application Pool Recycle (manual) | WAS | 5079 |
| IIS Reset | IIS-IISReset | 3201 |

One can implement triggers for a warm up script task on each one of these event IDs. However, the 5076 & 5079 events are logged for all application pools. Therefore, if either event is used for a trigger, it means that the task will execute once for every application pool recycle on that instance of IIS. This may or may not be desired; for my client, it was not desired.

I needed to inspect the 5076 & 5079 events to see if there was enough data to further filter the trigger so it would only match 5076 & 5079 events for a specific web application. In my example, I’m attempting to filter on a web application named “SharePoint – 32767” (the name of your application pool can be looked up in IIS Manager).

The following is an excerpt of the relevant sections of the 5079 event’s XML representation (the 5076 event logs similar data):
<Event xmlns="">
  <System>
    <Provider Name="Microsoft-Windows-WAS"
              EventSourceName="WAS" />
    <EventID Qualifiers="16384">5079</EventID>
  </System>
  <EventData>
    <Data Name="AppPoolID">SharePoint - 32767</Data>
  </EventData>
</Event>

Fortunately, the application pool’s name is logged! One can use that data to filter the trigger even more. To do this within the trigger, select Custom on the event trigger window. Then click on New Event Filter…

Trigger on Custom Event Filter

Once in the New Event Filter window, select the XML tab and check the box at the bottom to Edit query manually. Copy and paste the following – which will cover both the 5076 and 5079 events. Don’t forget to replace the SharePoint – 32767 name in the example below with your application pool’s name!
  <QueryList>
    <Query Id="0" Path="System">
      <Select Path="System">
        *[System[Provider[@Name='Microsoft-Windows-WAS'] and (EventID=5076 or EventID=5079)]
        and EventData[Data[@Name="AppPoolID"]="SharePoint - 32767"]]
      </Select>
    </Query>
  </QueryList>

This will cause the warm up script task to trigger on the 5076 & 5079 events, but only for a specific application pool!

Thanks again to Thomas Vuylsteke and his ADdict blog for providing the foundation of this post!
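
A way to dry-run the event filter from this post and from "Expanding Warm Up Script Triggers" before pasting it into Task Scheduler, as an added example that is not part of either post. It builds the query for one application pool and replays it against the System log with Get-WinEvent, so you can see which past recycle events would have started the task; the function names are hypothetical.

```powershell
# Added example: build the custom event filter for one application pool and test
# it against events already in the System log.
function New-AppPoolRecycleQuery {
    param(
        [Parameter(Mandatory = $true)][string]$AppPoolName,
        # Recycle event IDs listed in "Expanding Warm Up Script Triggers".
        [int[]]$EventIds = @(5074, 5075, 5076, 5077, 5078, 5079, 5080, 5081, 5117, 5186)
    )
    # The name is placed inside a quoted XPath literal within XML, so refuse
    # characters that would break out of either context.
    if ($AppPoolName -match '["''<>&]') {
        throw "Application pool name contains characters not supported by this filter."
    }
    $idClause = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
    @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Microsoft-Windows-WAS'] and ($idClause)]
      and EventData[Data[@Name="AppPoolID"]="$AppPoolName"]]
    </Select>
  </Query>
</QueryList>
"@
}

function Test-AppPoolRecycleQuery {
    param(
        [Parameter(Mandatory = $true)][string]$AppPoolName,
        [int]$MaxEvents = 20
    )
    $query = New-AppPoolRecycleQuery -AppPoolName $AppPoolName
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterXml ([xml]$query) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = ([xml]$evt.ToXml()).Event.EventData.Data
            New-Object PSObject -Property @{
                TimeCreated = $evt.TimeCreated
                EventId     = $evt.Id
                AppPoolId   = ($data | Where-Object { $_.Name -eq 'AppPoolID' }).'#text'
            }
        }
}

$pool = 'SharePoint - 32767'   # the example pool name used in the post

# The XML to paste into the trigger's "Edit query manually" box.
New-AppPoolRecycleQuery -AppPoolName $pool

# Past events the trigger would have fired on; every row should name only $pool.
Test-AppPoolRecycleQuery -AppPoolName $pool |
    Format-Table TimeCreated, EventId, AppPoolId -AutoSize
```

An empty result means either the pool has not recycled since the log was last cleared or IIS is not configured to log those recycle reasons.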

Finding Sites with a Particular Feature Activated

February 12th, 2011

I continually have a question arise that seems easy to answer, yet from what I can tell, is not yet available with SharePoint out-of-the-box in its user interfaces. That question is:

What are all of the sites with feature xyz enabled?

A few years ago with a MOSS 2007 client environment where I had to answer this question, I was left with writing a quick C# console application that would crawl a web application for me and discover all of the site collections with a particular feature enabled. Not quite the best way of doing things, but it’s what was the best at the time.

Fast forward to SharePoint 2010. Now, PowerShell is in the mix and required for all SharePoint installations. Thanks Microsoft! So now, I have the vast capabilities of PowerShell available on any SharePoint farm I may encounter on any client environment with which I may be working. Plus, there’s an added bonus that, for some reason, the word “script” seems to scare clients and IT departments less than “console applications”. Even though PowerShell scripting can often wield the same powers as a C# console application, it seems to be accepted with more ease which makes my life easier.

Now that PowerShell is widely available, I rewrote that “quick C# console application” I referenced above in PowerShell for use recently on a SharePoint 2010 environment. The script below has a slightly more specific task than solving the question I posed above:

Output all of the site collection URLs within a particular web application that have a particular site-scoped feature enabled.

Here’s my script to do just such a task. The code below is meant for a single ps1 file.

Please note that it should work with both the 2007 & 2010 SharePoint product lines: SharePoint 2010 (Foundation & Server), WSS 3.0, and MOSS 2007. I have only tested this code on a SharePoint Server 2010 environment, but have no reason to believe it wouldn’t work in the other environments.

Feel free to use this script or modify it to fit your needs. There are several extra features that could be added to this script to make it even more versatile:

  • Reporting on the status of multiple features, not just a single feature
  • Reporting based on feature name versus feature GUID
  • Reporting on features scoped at different levels besides Site
    • Farm
    • Web Application
    • Web
  • Crawling other scopes besides a single web application
    • The entire farm,
    • Multiple web applications,
    • A subset of site collections,
    • A subset of sites,
    • Based on another block of script and/or function call to determine if a site should be scanned by the script,
    • etc.

I think the above script is a great starting point. Hopefully either myself or someone will get around to adding the above suggestions. Please share in the comments if you do end up extending this script!
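
The author's script is not reproduced on this page. The following is an added example of the task stated above (list the site collections in one web application that have a given site-scoped feature activated), written against the SharePoint server object model; it is not the author's code. The URL and the all-zero feature GUID are placeholders, and it must run on a SharePoint server under an account with access to the web application.

```powershell
# Added example. Loads the SharePoint assembly directly so it does not depend on
# the SharePoint 2010 snap-in.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

function Get-SitesWithFeature {
    param(
        [Parameter(Mandatory = $true)][string]$WebApplicationUrl,
        [Parameter(Mandatory = $true)][Guid]$FeatureId
    )

    $webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$WebApplicationUrl)
    if ($webApp -eq $null) { throw "No web application found at $WebApplicationUrl." }

    foreach ($site in $webApp.Sites) {
        try {
            # SPSite.Features holds the activated site-scoped features; the
            # indexer returns $null when the feature is not activated.
            if ($site.Features[$FeatureId] -ne $null) {
                $site.Url
            }
        }
        catch {
            Write-Warning "Could not inspect $($site.Url): $($_.Exception.Message)"
        }
        finally {
            # Every SPSite handed out by the collection must be disposed.
            $site.Dispose()
        }
    }
}

# Placeholders: replace with your web application URL and feature GUID.
$url       = 'http://sharepoint.example.local'
$featureId = [Guid]'00000000-0000-0000-0000-000000000000'

Get-SitesWithFeature -WebApplicationUrl $url -FeatureId $featureId
```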

Hiding the SharePoint 2010 Ribbon for Readers – A Proof of Concept

February 5th, 2011

In SharePoint 2010 publishing sites, the ribbon is the new way of life for authors. However, for readers, the ribbon provides very little, if any, functionality. A few days ago, I was asked about hiding this empty space by a client. Their current 2010 master page had the ribbon moved to a custom position on their publishing sites. They had also suppressed the breadcrumb/folder navigation in the ribbon; thus for a typical reader view, there were no ribbon contents that would be displayed. However, the space on the page where the ribbon would live for authors still remained as empty space!

We very well could have developed some server-side logic to determine the permissions of the user and hide that area completely based on that. Given infinite time and resources, I probably would have opted for that solution.

However, several of us were tasked with coming up with an easier and simpler solution to implement. One of the other consultants in the room at the time suggested a solution using JavaScript to hide the area if no contents was found (i.e. if the ribbon hadn’t rendered anything for the reader). I thought it was a great idea and immediately opened up an out-of-the-box publishing site in SharePoint Designer to tinker and develop a bit of JavaScript.

The goal of my JavaScript POC was to hide the entire div tag containing the SharePoint out-of-the-box ribbon control. I investigated and discovered that, in the nightandday.master file, the ribbon is contained in a div with the ID s4-ribbonrow. With that ID, I would be able to hide that div based on its rendered HTML contents. I figured, for this example, that the existence of the text “Browse” would be enough to determine whether the ribbon had rendered something.

To do this, I added JavaScript code to nightandday.master and it worked like a charm. Below is the relevant excerpt of nightandday.master:

<div id="s4-ribbonrow" ...>
    <!-- SharePoint out-of-the-box Ribbon Controls & Code goes here -->
</div>
<script type="text/javascript">
    // Hide the ribbon row when the ribbon rendered nothing for the reader.
    var ribbonRow = document.getElementById("s4-ribbonrow");
    if(ribbonRow.innerHTML.indexOf("Browse") == -1)
    {
        ribbonRow.style.display = "none";
    }
</script>

I should note that I only was able to spend about 30 minutes on this entire topic. Please treat the above code as a proof-of-concept and make sure to evaluate the impact or effectiveness of this code in your own environment before using it.