Explorer View breaks after IE8 install on Windows 2003

Posted on 31/07/2009 by Alex Angas

Since installing Internet Explorer 8 on my Windows Server 2003 development machine I’ve been unable to use Explorer View, with the error:

Please wait while Explorer View is loaded. If Explorer View does not appear, your browser may not support it.

Searching around, the main reasons seem to be:

  1. SharePoint site behind SSL – no fix at time of writing
  2. IE security level changes – fixable by adjusting security levels or adding SharePoint site to Trusted Sites zone
  3. WebClient service not running – fixable by starting this Windows service and ensure it is set to start automatically

For me the problem was #3, however attempts to start WebClient resulted in “File not found”-type errors. The following error was logged in the Event Viewer:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BA126AD1-2166-11D1-B1D0-00805FC1270E}
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.

This familiar problem usually occursin SharePoint installations with the IIS WAMREG admin Service in Component Services. However this time searching the registry for the GUID in the error I had came up with the “Network Connection Manager Class”. Then searching for the GUID in its AppID key of {27AF75ED-20D9-11D1-B1CE-00805FC1270E} resulted in the netman component.

I then configured the security as described by the error in Component Services:

netman Launch Permission

After stopping and restarting MS DTC I was able to start WebClient successfully and Explorer View worked again.

Posted in SharePoint | Tagged , , | 2 Comments

Debugging file locking in the GAC

Posted on 29/07/2009 by Alex Angas

Do you ever find that your solution files have been “successfully deployed” according to SharePoint, yet the updated code isn’t taking effect? Perhaps you are trying to debug but breakpoints aren’t being hit when normally there’s no problem. Yet for some reason rebooting the server fixes the problem…

If that’s the case, the reason is probably file locking, most likely to occur if you have assemblies that need to be deployed to the Global Assembly Cache (GAC). If you ever find yourself in this situation, download a copy of the excellent Process Explorer tool, and follow these steps to verify:

  1. Start Process Explorer on the server affected.
  2. Press Ctrl+F, or in the menu click Find, Find Handle or DLL…, or just click the binoculars icon on the toolbar:Process Explorer toolbar
  3. Type the name of the assembly DLL and click Search.
  4. Under the Handle or DLL column, look for any assemblies located in the path C:\WINDOWS\assembly\temp. These lines tell you what process is locking the assembly.
OWSTIMER.EXE is the culprit

OWSTIMER.EXE is the culprit!

The C:\WINDOWS\assembly\temp folder is Windows’ equivalent of “assembly purgatory” where the assembly will sit until Windows can deploy it. If the currently deployed assembly cannot be overwritten as it is already locked by a process then the DLL will stay there until the process releases the lock or ends, or until Windows is restarted (also ending the process).

One example where this problem can occur is when a WSP solution containing custom e-mail event receivers is upgraded. The timer service, OWSTIMER.EXE, executes event receivers via the Windows SharePoint Services Incoming E-Mail job. As the OWSTIMER.EXE process isn’t restarted when a solution is deployed, it will always hold onto the lock for the DLL containing the event receivers. The solution is to restart the Windows SharePoint Services Timer service on each web front end server. If you’re finding this problem in development, WSPBuilder v1.06 adds a “Recycle the Windows SharePoint Services Timer” option.

This problem can also occur when using Visual Studio if certain combinations of add-ins are installed. You can again check this by using Process Explorer and verify if DEVENV.EXE is the locking process. If so, take a good look at the add-ins you actually need. Regularly restarting Visual Studio is very frustrating and will severely cut your productivity!

Posted in SharePoint | Tagged , , , | 6 Comments

Gotchas configuring SSO

Posted on 28/07/2009 by Alex Angas

SharePoint 2007 seems to have some real weirdness going on with configuring SSO. I’ve been setting it up in a test environment in a very simple way, using the farm administrator account for everything: Microsoft Single Sign-on Service account, Single Sign-On Administrator Account, Enterprise Application Definition Administrator Account, etc… Note that this is for testing only and is not best practice! Here are the problems I’ve found…

Weirdness #1: Error 0×80630005. Verify this account has sufficient permissions and try again.

Resolution: Log in to the server as the “Microsoft Single Sign-on Service” service account. As described by Frank Grossmann.

Weirdness #2: Error 0x8063064a. Verify this account has sufficient permissions and try again.

Resolution: Remote desktop to the server’s console (i.e. use mstsc /console) or physically log in to the server. As described by Dave Sobel. The Microsoft documentation for configuring SSO implies this but is not explicit:

Note that you must be logged into the SharePoint Central Administration Web site on a farm server to configure single sign-on (SSO) for Office SharePoint Server 2007. If you attempt to configure SSO on a workstation or any computer that is not a farm server, you will see an error message that reads “Single sign-on cannot be configured from this server. To configure single sign-on, go to the computer running the single sign-on service and specify these settings locally.”

I haven’t finished the configuration yet but hopefully there won’t be more problems. The best guide I’ve found is MOSS Single Sign On Setup Step-By-Step and beats what Microsoft provides.

Posted in SharePoint | Tagged , | Leave a comment

“The rows you modified could not be saved to the server due to validation errors”

Posted on 21/07/2009 by Alex Angas

Encountered a strange problem copying and pasting between the datasheet views of two contact lists. Only the Contact and Country fields were showing in the datasheet view.

When doing the paste, the following error appeared:

invalid1

The rows you modified could not be saved to the server due to validation errors. This is usually caused by invalid default values.

The error gives some clue as to the problem. I then attempted to add a single entry manually (without the paste) and received a new error:

Columns that require data are not included in this view. If you want to edit rows that are missing data in these columns, or add new rows, you must first add the required columns to the view.

Columns that require data are not included in this view. If you want to edit rows that are missing data in these columns, or add new rows, you must first add the required columns to the view.

Finally, I added all of the columns to the view and at last found the column causing the problem:

You must specify a non-blank value for Title.

You must specify a non-blank value for Title.

Setting the Title field to not be required fixed the issue!

Posted in SharePoint | Tagged , | 5 Comments

Populate a SharePoint site collection from Excel

Posted on 20/06/2009 by Alex Angas

I’ve needed to populate a site collection with many hundreds of sites in an automated fashion several times over the last couple of years. Every time the business owner gives me an Excel spreadsheet of the sites they want created. So rather than reinvent the wheel – again! – I’ve decided to start developing something reasonably generic and release it to my very first Codeplex project.

This first version is designed for a topology where each segment of the URL has its siblings in common. For example, Industry > Brand > Product or Division > Sector > Department. Depending on feedback I might make this more flexible.

Speaking of feedback, I’d really appreciate any comments from end users or other developers on desired features or comments on code WTFs! Please go to SPExcelator on Codeplex, download and add to the discussion!

Finally, special thanks to Robin Meuré for suggesting use of the excellent Excel Data Reader project.

Posted in SharePoint | Tagged , , , | Leave a comment

Workspace permissions – Part 3: "Workarounds and The Future"

Posted on 27/11/2008 by Alex Angas

A crucial foundation of SharePoint is its powerful permissioning model. This is a series of three posts that discusses SharePoint permission assignment in a Project Server project workspace. Part 1 explained how permissions are assigned and problems with the feature’s design. Part 2 discusses a particular bug (i.e. the feature’s implementation). Finally, Part 3 has some solutions.

We’ve looked at the problems with this feature, so what can we do about it? Well the new Project Server 2007 eventing model isn’t broken, so if you have a developer handy use that!

First, uncheck the Workspace Permissions box in Server Settings / Project Workspace Provisioning Settings. Then, have a look at the WssInterop event WssWorkspaceCreated. This fires whenever, um, a workspace is created. The initial state of a created workspace is with permission inheritance broken and the service account assigned to the workspace with Full Control.

From here, use SPWeb.EnsureUser for each user you’d like to give access to the workspace. This works by adding the user to the SPWeb if they haven’t been already. This does not give the added users any permissions to the workspace. SPWeb.EnsureUser also works with Active Directory groups, so a model where every user needs read access can be simply accomplished. Finally, use SPWeb.RoleAssignments, SPWeb.RoleDefinitions, and SPRoleAssignment.RoleDefinitionBindings to assign users the correct permissions (sorry, hopelessly glossed over but there are examples out there on how to use these).

Something else to note about a custom solution is that despite unchecking the Workspace Permissions box earlier on, Project Server’s behaviour does not change when giving access to the PWA site. It will still handle this for you according to the rules in Part 1, leaving you to configure the permissions for the workspace with custom code.

This works fine and if you are able to make use of Active Directory groups, is fast as well. Plus now that you’ve gone custom, you have all of the freedom (and traps) of flexibility and the ability to create your own permission assignment rules. Don’t forget you’ll need to invest time in creating custom administration pages to manage those as well.

So what about going forward and sticking with the product for a solution? For Project Server 14 or 2009 or 2010 I have no idea if there will be any changes to the workspace permissions functionality. If you agree that this feature needs looking at, please give feedback to the Project Server team as they do read it and listen (I’ve had great responses from Treb Gatte and Brian Smith on other issues). Hopefully bugs will be fixed and the feature improved next release!

Thanks for reading and I hope this helps someone else out there with similar experiences.

Posted in Project Server | Tagged , , , | 2 Comments

Workspace permissions – Part 2: "Access Denied"

Posted on 26/11/2008 by Alex Angas

A crucial foundation of SharePoint is its powerful permissioning model. This is a series of three posts that discusses SharePoint permission assignment in a Project Server project workspace. Part 1 explained how permissions are assigned and problems with the feature’s design. Part 2 discusses a particular bug (i.e. the feature’s implementation). Finally, Part 3 has some solutions.

If you’ve been having some great successes out of your Project Server solution you’ll probably be building up quite a few users and workspaces. One particular customer I’m aware of has over 1000 of each. To try and get around the inflexible rules outlined in Part 1, they’ve decided to give every user at least read access to every workspace. Unfortunately this has uncovered a particularly nasty SQL deadlock bug.

10/06/2008 15:33:59.86 Microsoft.Office.Project.Server (0x1540) 0x12C4 Windows SharePoint Services Database 6f8g Unexpected Unexpected query execution failure, error code 1205. Additional error information from SQL Server is included below. "Transaction (Process ID 151) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction." Query text (if available): "{?=call proc_SecAddPrincipalToRole(?,?,?,?,?,?)}"

The bug happens when one or more of the following operations is occurring at a time:

  1. Creating a new workspace by publishing a project (queue job “WSS Workspace Create”)
  2. Resynchronising workspace permissions from Server Settings / Project Workspaces (queue job “WSS Workspace Membership Synchronisation”)
  3. Changing a user’s Project Server groups which results in changes to SharePoint permissions (queue job “User Synchronization for Project Web Access App Root Site and Project WSS Workspaces”)

When the bug hits, permissions are only partially assigned so as this happens again and again, a user’s consistency of access disappears. The only solution is to try and resynchronise the workspace with fingers crossed that it succeeds without another SQL deadlock. But you’re completely out of luck when running a batch job that affects several workspaces such as number 3 above. The workspace it reached before everything went horribly wrong doesn’t appear to be logged!

Because of the SQL deadlock failures, the SynchronizeMembershipForPwaAppRootSite() method in the WssInterop web service has been looked at. This performs a complete resynchronisation across all workspaces, functionality that is not available through the UI. Unfortunately with testing in UAT (less powerful than production but still a three server farm), this operation was going to run for days. Also, no other sync jobs could occur at the same time or else it would be SQL deadlock again!

Bugs are the worst, but implementation is also a shocker because of the huge length of time these jobs take to run. For example, up to 7 minutes for numbers 1 or 2 above, and 15-45 minutes for number 3 depending on number of users with changed permissions. This is exacerbated as more workspaces are created (the problem seems to be more related to number of workspaces rather than number of users). The server environment where this issue is occurring is very powerful and speed should not be an issue.

We’ve seen from Part 1 the deficiencies in design of this feature, but now also it’s implementation. So things can only get better in Part 3, coming next!

Posted in Project Server | Tagged , , , | Leave a comment

Workspace permissions – Part 1: "By Design"

Posted on 25/11/2008 by Alex Angas

A crucial foundation of SharePoint is its powerful permissioning model. This is a series of three posts that discusses SharePoint permission assignment in a Project Server project workspace. Part 1 explains how permissions are assigned and problems with the feature’s design. Part 2 discusses a particular bug (i.e. the feature’s implementation). Finally, Part 3 has some solutions.

Project Server has its own SharePoint security groups which almost precisely equate to the standard SharePoint groups of Read, Contribute, Design and Full Control. The TechNet article Coordinate Project Server and Windows SharePoint Services security is the official word for exactly how permissions are assigned. Essentially just as SharePoint has its own built-in list of groups for “Read”, “Contribute”, “Design” and “Full Control”, then Project Server comes to the party with “Readers (Microsoft Office Project Server)”, “Team members (Microsoft Office Project Server)”, “Project Managers (Microsoft Office Project Server)” and “Web Administrators (Microsoft Office Project Server)”… blurrgh!

Here is a simplified summary of the rules that explain how users get their permissions. This is without the “(Microsoft Office Project Server)” suffix but with standard SharePoint group names in brackets:

  • User that publishes the project has Project Manager (Design) permissions
  • Users assigned to tasks within the project have Team Member (Contribute) permissions
  • Users on the Resource Sheet of a project have Reader (Read) permissions
  • Users that have Manage Windows SharePoint Services permission have Web Administrator (Full Control) permission over all workspaces
  • Users that have Save Project permission have Project Manager (Design) permission over all workspaces

This looks complicated and it is. Try explaining to a project manager that access to documents in their workspace depends on who is added to the project’s Resource Sheet. It just doesn’t make sense! Then try explaining to an administrator why there is a group called “Readers (Microsoft Office Project Server)” as well as the standard SharePoint group called “Read”. It just doesn’t make sense!!

Then there’s the inflexibility of the rules themselves. There are no options – they are either on or off. And if you don’t go with MS on this one folks and uncheck the box for Workspace Permissions in Server Settings / Project Workspace Provisioning Settings, then only the Project Server service account is given access to new workspaces! This is hardly useful to the humble user needing to assign permissions who will never get their hands on this particular username and password. It just doesn’t make sense!

Don’t worry, there are solutions. However, they don’t come until Part 3! Next we look at how Microsoft’s solution is also slow, and even worse, buggy.

Posted in Project Server | Tagged , , , | 4 Comments

Programmatically retrieving the name of an SSP

Posted on 14/10/2008 by Alex Angas

This was asked on the new Stack Overflow programming questions site recently (which you should really check out and start using if you don’t already!). Getting the SSP name is something that I’ve needed to do to build the SSP URL for impersonating access to the Project Server PSI. I used to think that the URL had to live in a config file. Then after some digging into Project Server’s behaviour with the help of Reflector, I discovered Microsoft use the SharedResourceProvider class in the Microsoft.Office.Server.Administration namespace. Who knows why, but this class is marked internal so reflection is required to access it, and therefore accessing it is not supported. We should be on relatively safe ground if MS products such as Project Server use it however…

The following code retrieves the name of the SSP for the current site collection.
[sourcecode language='csharp']
SPSite site = SPContext.Current.Site;
ServerContext serverContext = ServerContext.GetContext(site);

PropertyInfo srpProp = serverContext.GetType().GetProperty(
“SharedResourceProvider”,
BindingFlags.NonPublic | BindingFlags.Instance);
object sharedResourceProvider = srpProp.GetValue(serverContext, null);
PropertyInfo srpName = sharedResourceProvider.GetType().GetProperty(
“Name”,
BindingFlags.Public | BindingFlags.Instance);

string sspName = (string)srpName.GetValue(sharedResourceProvider, null);
[/sourcecode]

From there the URL to the PSI web services within the SSP directly becomes the following (and the port number is always the following on every server):
http://servername:56737/SSPName/PSI/ or

https://servername:56738/SSPName/PSI/

This does seem overly complex so if someone out there has a better solution please add it as a comment to this blog or update the answer on Stack Overflow.

Posted in Project Server, SharePoint | Tagged , , , , | Leave a comment

SQL querying the queue

Posted on 30/09/2008 by Alex Angas

I recently found myself in the situation where the Project Server queue service was taking up almost all of a server’s CPU. Unfortunately due to the high demands of the queue jobs, the administration page was unavailable with a connection timeout error.

One way to try and access the administration page again might have been to stop or restart the queue service or the entire server itself, but what if unpredictable behaviour had disrupted those jobs? Instead, by carefully looking at the Project Server databases we can see the draft project database stores a lot of information about the queue in tables and views starting with MSP_QUEUE.

The following query gives a summary of jobs in the queue:
[sourcecode language='sql']
SELECT
QPG.GRP_QUEUE_ID,
QPG.CREATED_DATE,
QPG.READY_FOR_PROCESSING_DATE,
QPM.MSG_QUEUE_BODY_TYPE,
QPG.GRP_QUEUE_MESSAGE_TYPE,
QPG.GRP_QUEUE_STATE,
QPG.PROCESSING_DATE,
QPG.PERCENT_COMPLETE,
QPG.COMPLETED_DATE,
QPG.GRP_QUEUE_ERROR_INFO,
QPG.GRP_QUEUE_PRIORITY,
QPG.LAST_MSG_ID,
QPG.LAST_ADMIN_ACTION
FROM dbo.MSP_QUEUE_PROJECT_GROUP_FULL_VIEW QPG (NOLOCK)
INNER JOIN dbo.MSP_QUEUE_PROJECT_MESSAGE QPM (NOLOCK)
ON QPM.GRP_UID = QPG.GRP_UID
ORDER BY GRP_QUEUE_STATE DESC, GRP_QUEUE_PRIORITY, QPG.GRP_QUEUE_ID
[/sourcecode]

This query gives how many jobs are remaining to run:
[sourcecode language='sql']
SELECT COUNT(*)
FROM dbo.MSP_QUEUE_PROJECT_GROUP_FULL_VIEW QPG (NOLOCK)
WHERE QPG.PROCESSING_DATE IS NULL
[/sourcecode]

This query gives how many jobs of each priority are remaining to run:
[sourcecode language='sql']
SELECT QPG.GRP_QUEUE_PRIORITY, COUNT(*) AS [COUNT]
FROM dbo.MSP_QUEUE_PROJECT_GROUP_FULL_VIEW QPG (NOLOCK)
WHERE QPG.PROCESSING_DATE IS NULL
GROUP BY QPG.GRP_QUEUE_PRIORITY
[/sourcecode]

There are also an interesting statistics table, although I haven’t yet found how to get a text value for GRP_QUEUE_MESSAGE_TYPE:
[sourcecode language='sql']
SELECT QPS.*
FROM dbo.MSP_QUEUE_PROJECT_STATS QPS (NOLOCK)
[/sourcecode]

Ideally you would never want to execute raw SQL statements against the database, but as with any computer system, unpredictable things can happen. These queries might help with some troubleshooting.

Posted in Project Server | Tagged , , | Leave a comment