SharePoint 2013: Disable Loopback Check

You may run into a very common problem when you use an FQDN or custom host headers to access a SharePoint site locally, from the server where it is hosted, on IIS 5.1 or later: the browser constantly prompts for credentials in a pop-up window.

Frustrating as this is, it is a necessary evil that was introduced with Microsoft Windows Server 2003 Service Pack 1 (SP1) and is still present. This feature, the loopback check, was designed to help prevent reflection attacks on the computer.

Reflection Attack

“In computer security, a reflection attack is a method of attacking a challenge-response authentication system that uses the same protocol in both directions. That is, the same challenge-response protocol is used by each side to authenticate the other side. The essential idea of the attack is to trick the target into providing the answer to its own challenge.

The general attack outline is as follows:
1. The attacker initiates a connection to a target.
2. The target attempts to authenticate the attacker by sending it a challenge.
3. The attacker opens another connection to the target, and sends the target this challenge as its own.
4. The target responds to the challenge.
5. The attacker sends that response back to the target on the original connection”

Source: https://en.wikipedia.org/wiki/Reflection_attack

Steps to fix this issue on Development & Non-Production Environments

Using Registry Editor

Step 1: Use Windows Icon + R to launch a Run menu

Step 2: Type the command “REGEDIT”

Step 3: Expand node “Computer -> HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control”

Step 4: Locate the key named “Lsa”

Step 5: Add a new DWORD entry

  • Select the “Lsa” key
  • In the right-hand panel, create a new DWORD entry
  • Enter “DisableLoopbackCheck” in the Value name field
  • Enter “1” in the Value data field
  • Select the “Hexadecimal” radio button
  • Click OK to save the DWORD

Using PowerShell Script

We can shorten the above steps by creating the DWORD entry using PowerShell

If we look at the Registry Key “Lsa”, we find that the “DisableLoopbackCheck” DWORD is not present

Run the following PowerShell command

New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -Value "1" -PropertyType dword

Once the command has executed successfully you can see that the “DisableLoopbackCheck” DWORD has been created.
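
An added example (not from the original post) that wraps the same registry change so it can be checked, applied idempotently and reverted on a development machine. The function names are hypothetical and the block assumes an elevated PowerShell prompt; New-ItemProperty without -Force fails when the value already exists, which the block handles.

```powershell
# Added example; function names are hypothetical. Run from an elevated prompt.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name   = 'DisableLoopbackCheck'

function Get-LoopbackCheckState {
    # 'Enforced' when the value is absent or 0, 'Disabled' when it is 1.
    $prop = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $prop -and $prop.$Name -eq 1) { 'Disabled' } else { 'Enforced' }
}

function Disable-LoopbackCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Nothing to do if the check is already off.
    if ((Get-LoopbackCheckState) -eq 'Disabled') { return }
    if ($PSCmdlet.ShouldProcess($LsaKey, "Set $Name = 1")) {
        # -Force overwrites an existing value (for example 0) instead of failing.
        New-ItemProperty -Path $LsaKey -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Restore-LoopbackCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Removing the value returns the machine to the default, enforced behaviour.
    if ($PSCmdlet.ShouldProcess($LsaKey, "Remove $Name")) {
        Remove-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    }
}

# Report the current state without changing anything.
Get-LoopbackCheckState
```

Running Get-LoopbackCheckState on production servers is a quick check that this development-only setting has not been carried over.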


This is a simple fix for a frustrating issue that we encounter frequently during web development.

Hope you find it helpful.


SharePoint Online: How to Install SharePoint Online Management Shell

SharePoint Management Shell is a Windows PowerShell Module that allows managing SharePoint Users, Sites & Content in an efficient manner.

In this article we will see the steps to set up the development machines with “SharePoint Online Management Shell”.

First let’s look for the System Requirements to avoid any frustrating compatibility issues that might arise later on:

System Requirement

Supported Operating System
  • Windows 7 Service Pack 1
  • Windows 8
  • Windows Server 2008 R2 SP1
  • Windows Server 2008 Service Pack 2
  • Windows Server 2012
PowerShell
  • PowerShell 3.0

Steps to Install SharePoint Online Management Shell

Step 1: Visit the Url: https://www.microsoft.com/en-in/download/details.aspx?id=35588

Step 2: Click download button


Step 3: Select “sharepointonlinemanagementshell_4727-1200_x64_en-us.msi” file and click Next


Step 4: Run the “sharepointonlinemanagementshell_4727-1200_x64_en-us.msi” file

Step 5: Accept License Terms & Click Install Button


Step 6: Once the installation is complete, search for “SharePoint Online Management Shell” and launch it


This completes the installation of SharePoint Online Management Shell on our machine.

Now let’s try a few of the operations to verify the installation of SharePoint Online PowerShell Module

How to connect to SharePoint Online Services

Get the current user’s credentials to connect to the SharePoint Online Services (assuming the user has valid SharePoint Online account credentials)

$userCredentials = Get-Credential

Import the “Microsoft.Online.SharePoint.PowerShell” PowerShell module into the Management Shell console

Import-Module Microsoft.Online.SharePoint.PowerShell

Connect to the SharePoint Online Service by supplying the Tenant URL and user credentials to the Connect-SPOService command

Connect-SPOService -Url https://prashantmbansal-admin.sharepoint.com -Credential $userCredentials

If you look carefully at the URL I have supplied to the Url parameter in the above command, you will find that “-admin” is added to it.

The actual URL of the Tenant is https://prashantmbansal.sharepoint.com, but by convention we must add “-admin” to the host name of the URL in order to connect to the SharePoint Online Services.

That is why we have to specify “https://prashantmbansal-admin.sharepoint.com” as the Tenant URL.

If we forget to follow this convention we might encounter an error.

How to get the list of all the SharePoint Sites under the current Tenancy

Once we are able to connect to the SharePoint Online Services we can perform different operations on the sites, such as getting a list of all the SharePoint Sites available within the current tenancy by using the following command.

Get-SPOSite
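
The “-admin” convention and the connect-then-list sequence above, as an added example that is not part of the original post: a helper derives the admin URL from whichever tenant URL is supplied, so the wrong-URL error cannot occur. Get-TenantAdminUrl and Connect-TenantAdmin are hypothetical names, and the host-name pattern assumes alphanumeric tenant names.

```powershell
# Added example; Get-TenantAdminUrl and Connect-TenantAdmin are hypothetical helpers.
function Get-TenantAdminUrl {
    param([Parameter(Mandatory)][string]$TenantUrl)

    $uri = [Uri]$TenantUrl
    if ($uri.Scheme -ne 'https') { throw "Tenant URL must be an https URL: $TenantUrl" }
    # Assumption: tenant names are alphanumeric; "-admin" or "-my" may already be present.
    if ($uri.Host -match '^(?<tenant>[a-z0-9]+)(-admin|-my)?\.sharepoint\.com$') {
        return "https://$($Matches['tenant'])-admin.sharepoint.com"
    }
    throw "Not a SharePoint Online host name: $($uri.Host)"
}

function Connect-TenantAdmin {
    param(
        [Parameter(Mandatory)][string]$TenantUrl,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
    $adminUrl = Get-TenantAdminUrl -TenantUrl $TenantUrl
    Connect-SPOService -Url $adminUrl -Credential $Credential
    $adminUrl   # return the URL that was actually used
}

# Tenant URL from the article; the credential is prompted for, never hard-coded.
$adminUrl = Connect-TenantAdmin -TenantUrl 'https://prashantmbansal.sharepoint.com' -Credential (Get-Credential)
Get-SPOSite | Select-Object Url, Owner, Template
```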


This is just the first step to Start with PowerShell Development for the SharePoint Online Sites, but the possibilities are limitless, especially when we can combine the SharePoint Client Object Model with PowerShell Scripting Environment.

We will explore the details on CSOM based Solutions driven by PowerShell Scripts in future articles.

Hope you find it helpful.

Office 365: Security Groups Management using Powershell

Security Groups are a crucial part of any system, as they define the authorization on the available resources for the users requesting access. They are also important for setting permission boundaries for a set of users at once. So it is really important to streamline the process of managing Security Groups for any system.

The management activities, though, become repetitive and boring when we need to repeat the same steps again and again over time.

Thankfully we can automate these repetitive tasks using PowerShell scripts, which can take their input values from CSV or text files and perform the necessary actions.

In this article we will discuss the automation scripts required for managing Security Groups in Office 365 using PowerShell.

If you want to follow along, the prerequisites for this article are:

  • An O365 account
  • PowerShell for Office 365 configured

If these prerequisites are not met, I would recommend reading one of my earlier articles, “Office 365: How to Configure PowerShell for O365”, for the steps to install them.

Let’s log in to the O365 account and visit the Admin Center

Navigate to the Admin Center by clicking the “Admin” tile on the Application Dashboard

In the upcoming sections we will see the respective PowerShell commands for each of the management tasks

How to Add new Security Groups

Navigate to Admin Center => Groups

In my case there are no security groups present at first, since this is a new O365 account

Run the “New-MsolGroup” command, where “DisplayName” specifies the name of the Security Group and “Description” specifies the description for the group

New-MsolGroup -DisplayName "Test Security Group" -Description "This is created for testing."

Once the command gets executed successfully, navigate to Admin Center => Groups to verify that the new group has been added.

It is worth noting that the “Default Group Type” for any group added using the above command will be “Security”

How to export all Security Groups

We can export all the Security Groups from the O365 account by using the “Get-MsolGroup” command

Get-MsolGroup

Once the command is executed successfully we can see the details of all the available Security Groups in the host window. Alternatively we can export the results to a text file by piping them to the “Out-File” command.

How to export all Security Groups filtered by Group Properties

We can export a filtered set of Security Groups from the O365 account based on any property of the group. In the following example I am using the “DisplayName” property to filter the results

Get-MsolGroup | Where-Object {$_.DisplayName -eq "Test Security Group"}

Once the command is executed successfully we can see the details of the specific Security Groups matching the filter criteria

How to export all Security Groups filtered by Group Type

We can also export Security Groups based on their type by using “GroupType”. In the following example we are going to filter all Security Groups which are of type “Security” from the O365 account.

Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}

Once the command is executed successfully we can see the details of all the Security Groups of type “Security” and with DisplayName = “Test Security Group”

How to Add Users to Security Groups

Run the following commands to check the existing members of the Security Group

$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}

Get-MsolGroupMember -GroupObjectId $securityGroup.ObjectId

Once the commands have executed successfully we will get the list of users already added to the group

We can see the same information by editing the group within the browser.

We can add new members to the Security Group by using the following commands

Create an object for the required Security Group

$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}

Create an object for the member, identified by the “UserPrincipalName” parameter, that needs to be added to the group

$member = Get-MsolUser -UserPrincipalName spdev001@spdevs001.onmicrosoft.com

Then use the following command to add the member to the group by specifying the Group Object ID and the Member Object ID

Add-MsolGroupMember -GroupObjectId $securityGroup.ObjectId -GroupMemberType "User" -GroupMemberObjectId $member.ObjectId

Once the command gets executed successfully we can see that a new member has been added to the group.

We can verify the result of the operation by using PowerShell commands

$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}

Get-MsolGroupMember -GroupObjectId $securityGroup.ObjectId

We can also verify the result of the operation in the browser.

How to remove Users from Security Groups

We can remove users from a specific security group by using the following set of commands

Create an object for the respective group from which the user needs to be removed

$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}

Create an object for the respective member that needs to be deleted from the group

$member = Get-MsolUser -UserPrincipalName spdev001@spdevs001.onmicrosoft.com

Then we can use the “Remove-MsolGroupMember” command to remove the member identified by the “GroupMemberObjectId” parameter from the group identified by the “GroupObjectId” parameter

Remove-MsolGroupMember -GroupObjectId $securityGroup.ObjectId -GroupMemberType User -GroupMemberObjectId $member.ObjectId

Once the command gets executed successfully we can see that the respective member has been deleted from the Security Group in question.

Now we can verify the delete operation by using the following PowerShell commands

$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}

Get-MsolGroupMember -GroupObjectId $securityGroup.ObjectId

Or we can verify the same in the browser by editing the Security Group.

How to Remove Security Groups

We can use the following commands to remove a Security Group

Create an object for the respective group

$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}

Execute the “Remove-MsolGroup” command to remove the group identified by the “ObjectId” parameter

Remove-MsolGroup -ObjectId $securityGroup.ObjectId

On execution this command will ask you for confirmation of the delete action

Enter “Y” to continue or “N” to cancel

Once the command is executed successfully we can go back to the Groups section in the Admin Center to verify the delete action

All of the above tasks can be automated by reading the input from CSV files and performing the respective actions.
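
The CSV-driven automation mentioned above, as an added example that is not the author’s script: it applies add and remove rows idempotently and skips a row when the display name matches zero or several groups, since display names are not unique and $securityGroup.ObjectId would then be empty or a list. Sync-GroupMembership and the CSV column names (Action, GroupName, UserPrincipalName) are assumptions, and an existing Connect-MsolService session is required.

```powershell
# Added example; Sync-GroupMembership and the CSV columns are assumptions.
# Requires an existing Connect-MsolService session.
function Sync-GroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Rows)

    foreach ($row in $Rows) {
        # Display names are not unique: insist on exactly one matching group.
        $groups = @(Get-MsolGroup -GroupType "Security" |
            Where-Object { $_.DisplayName -eq $row.GroupName })
        if ($groups.Count -ne 1) {
            Write-Warning "Skipping '$($row.GroupName)': $($groups.Count) matching groups"
            continue
        }
        $user = Get-MsolUser -UserPrincipalName $row.UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "Skipping unknown user $($row.UserPrincipalName)"
            continue
        }
        $groupId  = $groups[0].ObjectId
        # Check current membership so that repeated runs change nothing.
        $isMember = @(Get-MsolGroupMember -GroupObjectId $groupId -All |
            Where-Object { $_.ObjectId -eq $user.ObjectId }).Count -gt 0
        $target = "$($row.UserPrincipalName) / $($row.GroupName)"

        switch ($row.Action) {
            'Add' {
                if (-not $isMember -and $PSCmdlet.ShouldProcess($target, 'Add member')) {
                    Add-MsolGroupMember -GroupObjectId $groupId -GroupMemberType "User" -GroupMemberObjectId $user.ObjectId
                }
            }
            'Remove' {
                if ($isMember -and $PSCmdlet.ShouldProcess($target, 'Remove member')) {
                    Remove-MsolGroupMember -GroupObjectId $groupId -GroupMemberType "User" -GroupMemberObjectId $user.ObjectId
                }
            }
            default { Write-Warning "Unknown action '$($row.Action)' for $target" }
        }
    }
}

# Constructed sample input; in practice use Import-Csv on a reviewed file.
$rows = @"
Action,GroupName,UserPrincipalName
Add,Test Security Group,spdev001@spdevs001.onmicrosoft.com
"@ | ConvertFrom-Csv

Sync-GroupMembership -Rows $rows -WhatIf   # dry run: reports intended changes only
```

Dropping -WhatIf applies the changes; keeping the CSV under change control gives a record of who was granted or removed from which group.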

Hope you find it helpful.