Permissions to Administer SharePoint 2010

I’ve been reading some articles on how to set a user up as a SharePoint Administrator and noticed there is no consensus on what the steps should be.

In our environment we follow these steps:

  • Add as local admin to the servers on the farm
  • Add to the farm administrators group
  • Add as PowerShell admin using the command: Add-SPShellAdmin -UserName domain\user
  • Add user as DB_OWNER to the Config and to the content databases
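
The two SharePoint-side steps above (farm administrators group and shell admin), scripted with a read-back of the resulting grants. This is an added example, not the author's script. The account name is hypothetical and the group name assumes an English install. Local Administrators membership and db_owner are granted with Windows and SQL Server tools and are not shown.

```powershell
# Added example, not the author's script. Run in the SharePoint 2010
# Management Shell as an existing farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$user = 'CONTOSO\jdoe'   # hypothetical account

# The Farm Administrators group lives in the Central Administration root web.
$caApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb $caApp.Url
try {
    # Group name as on an English install (assumption); localized farms differ.
    $farmAdmins = $caWeb.SiteGroups['Farm Administrators']
    $farmAdmins.AddUser($user, '', $user, 'Farm administrator')

    # Without -database, Add-SPShellAdmin targets the configuration database.
    Add-SPShellAdmin -UserName $user
    # Repeat for every content database in the farm.
    Get-SPContentDatabase | Add-SPShellAdmin -UserName $user

    # Read the grants back so the change can be reviewed and recorded.
    'Farm Administrators:'
    $farmAdmins.Users | ForEach-Object { "  $($_.LoginName)" }
    'Shell admins (configuration database):'
    Get-SPShellAdmin | ForEach-Object { "  $($_.UserName)" }
    foreach ($db in Get-SPContentDatabase) {
        "Shell admins ($($db.Name)):"
        Get-SPShellAdmin -database $db | ForEach-Object { "  $($_.UserName)" }
    }
}
finally {
    $caWeb.Dispose()
}
```

Keeping the read-back output with the change record makes it easier to review later who holds farm-wide rights.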

See you,

Amadeu.


SharePoint 2010: The security validation for this page is invalid

While deploying a new subsite into a SharePoint 2010 site collection using a custom master page, we started seeing the following error message when trying to add users to groups and change settings of document libraries/lists:

The security validation for this page is invalid.

After reverting the master page back to the default one, the operations worked just fine. So it seemed the master page was missing something. Searching on Google about it, I found 3 interesting articles about this subject:

http://www.simple-talk.com/community/blogs/charleslee/archive/2010/01/05/85440.aspx

http://snahta.blogspot.com/2008/11/security-validation-for-this-page-is.html

http://techtrainingnotes.blogspot.com/2009/12/sharepoint-security-validation-for-this.html

 

Basically, they explain this error is caused by a lack of validation on pages which change the content database. It can be solved in 2 ways:

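-Adding AllowUnsafeUpdates to your custom code. This tells SharePoint to accept updates made through that SPWeb object without a security validation.

// Accept updates through this SPWeb without the security validation check.
SPWeb web = SPContext.Current.Web;
web.AllowUnsafeUpdates = true;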

-Adding the FormDigest SharePoint control to your master page.

From the MSDN article:

“To make posts from a Web application that modify the contents of the database, you must include the FormDigest control in the form making the post. The FormDigest control generates a security validation, or message digest, to help prevent the type of attack whereby a user is tricked into posting data to the server without knowing it. The security validation is specific to a user, site, and time period and expires after a configurable amount of time. When the user requests a page, the server returns the page with security validation inserted. When the user then submits the form, the server verifies that the security validation has not changed.”

 

The second solution solved our issues and the pages worked fine!!!
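
A check for the condition described in this post: master pages in a site collection that do not contain a FormDigest control. This is an added example, not code from the original post. The site collection URL is hypothetical, and the test is a plain text match on the master page markup.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010
# Management Shell with read access to the site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = 'http://intranet.contoso.local'   # hypothetical site collection URL
$catalog = [Microsoft.SharePoint.SPListTemplateType]::MasterPageCatalog

$site = Get-SPSite $siteUrl
try {
    # Pass 1: collect the master pages that webs actually reference.
    $inUse = @{}   # PowerShell hashtables compare keys case-insensitively
    foreach ($web in $site.AllWebs) {
        $inUse[$web.MasterUrl] = $true
        $inUse[$web.CustomMasterUrl] = $true
        $web.Dispose()
    }

    # Pass 2: read every .master file in each web's gallery and look for
    # the control under any tag prefix, e.g. <SharePoint:FormDigest ...>.
    foreach ($web in $site.AllWebs) {
        $gallery = $web.GetCatalog($catalog)
        foreach ($item in $gallery.Items) {
            $file = $item.File
            if ($file.Name -notlike '*.master') { continue }
            $markup = [System.Text.Encoding]::UTF8.GetString($file.OpenBinary())
            New-Object PSObject -Property @{
                MasterPage    = $file.ServerRelativeUrl
                HasFormDigest = ($markup -match '<\w+:FormDigest\b')
                InUse         = $inUse.ContainsKey($file.ServerRelativeUrl)
            }
        }
        $web.Dispose()
    }
}
finally {
    $site.Dispose()
}
```

Rows with HasFormDigest = False and InUse = True are the master pages to fix first. A match inside commented-out markup still counts as present, so review any page that reports True but still shows the error.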

 

See you,

Amadeu.

Event ID 8311 – The root of the certificate chain is not a trusted root authority

UPDATED on 01/04/2012: Checking this error again, I found out that SharePoint requires the whole certificate hierarchy or chain to be exported and added to the Trusted Relationships inside Central Admin.

Hi, I’m back for a last post for this year. I completely stopped my blog activities in November because my daughter was born and things have been very exciting and busy at home… It is a completely new world for me and my wife.
Now, I’ll try to catch up and post an article a week… let’s see how it works.

This week I’ll remember something that happened just a few days before my daughter was born. It was a very stressful time and it was not funny to have one of our farms not working but I guess things like this don’t choose the best or an appropriate time to happen.

After running the farm configuration wizard by mistake on one SharePoint 2010 farm, we started getting an error when trying to authenticate users using Claims-based authentication. Our authentication method includes an SSL call to a custom sign-in web service.

The event log had 2 errors on every login attempt:

A System.Net.WebException:

System.Net.WebException: The underlying connection was closed: Could
not establish trust relationship for the SSL/TLS secure channel. --->
System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.

Event ID 8311:

Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Date:          [some date]
Event ID:      8311
Task Category: Topology
Level:         Error
Keywords:
User:          NT AUTHORITY\IUSR
Computer:      [computer name]
Description:   An operation failed because the following certificate has validation errors:
Subject Name: CN=[certificate URL], OU=Secure Link SSL Wildcard, OU=[OU data], O=[company name], STREET=[address], STREET=[address], L=[city], S=[state], PostalCode=[zip code], C=US
Issuer Name: CN=[certificate authority], O=[certificate authority], C=US
Thumbprint: 631ABCED0C6972703A5140D80AD784E48B863AEC
Errors: The root of the certificate chain is not a trusted root authority.

Searching on Google about this issue, I found the article “Event ID 8311, certificate validation errors in MSS 2010”. It pretty much described the same issue but related to access to Central Admin.

The error was caused by the web service's SSL certificate not being in SharePoint's list of trusted certificates, so the call to the web service during the Claims authentication routine failed because SharePoint did not trust the certificate. Probably the farm configuration wizard activated the validation for this security setting somehow.

The difference in our case was that, instead of exporting the local SSL certificate, we had to go to the server providing the web service and export the SSL certificate from there. We then copied it to the Central Admin server and loaded it into Central Administration’s Trust Relationships store.

In order to do it:

  • Go to the Central Admin web site.
  • Go to Security on Central Admin menu.
  • Go to Manage Trust.
  • Click on the New menu item.
  • Specify a name for trust relationship.
  • Select the SSL certificate you exported previously.
  • Click OK.

After configuring the trust relationship all login attempts were successful.
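
The same Manage Trust steps from the SharePoint 2010 Management Shell, covering the whole chain mentioned in the update at the top of this post. This is an added example, not the author's procedure. The certificate path and the naming scheme are assumptions, and the expected thumbprint is the one reported in the Event ID 8311 entry above. Refusing to continue when Windows itself cannot validate the chain is a choice made for this example.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010
# Management Shell on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath = 'C:\certs\signin-service.cer'                          # hypothetical path
$expectedThumbprint = '631ABCED0C6972703A5140D80AD784E48B863AEC'   # from Event ID 8311

# Confirm the exported file is the certificate SharePoint rejected.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
if ($leaf.Thumbprint -ne $expectedThumbprint) {
    throw "Exported certificate $($leaf.Thumbprint) is not the one named in the event."
}

# Build the chain from the Windows certificate stores (no revocation check).
# Only certificates Windows can locate on this server appear in the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    throw 'Windows could not build a valid chain; resolve that before adding trust.'
}

# Thumbprints SharePoint already trusts, so reruns do not create duplicates.
$trusted = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })

foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    if ($trusted -contains $cert.Thumbprint) { continue }
    # Naming scheme is an assumption: subject name plus a short thumbprint prefix.
    $name = '{0} ({1})' -f $cert.GetNameInfo('SimpleName', $false),
                           $cert.Thumbprint.Substring(0, 8)
    New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
    "Added trust: $name"
}

# Show the resulting trust list for the change record.
Get-SPTrustedRootAuthority |
    Select-Object Name, @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } }
```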

See you next year,

Amadeu.