Disable LoopBack Check

A common problem with SharePoint deployments is that when you browse to the server over loopback using any DNS name that isn't the server's own name, the server refuses the request, and at first it looks like a Kerberos error. Disabling these checks is easy and, in true Ninja fashion, done with PowerShell. Check it out:

The first option is more secure, as you only grant access on the host names you specify; the second option allows loopback access to the server on any host name, so it is less secure.


# Option 1: allow loopback authentication only for the listed host names (MultiString, one entry per name)
New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 -Name BackConnectionHostNames -Value "password.mim.ninja","portal.mim.ninja" -PropertyType MultiString -Force

# Option 2: turn the loopback check off for every host name
New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -Value 1 -PropertyType DWord -Force


You can have as many host names as you like in the first script; Microsoft recommends using the second option only in development environments.
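As an added example (not from the original post), here is how to audit which of the two settings is in effect and add host names without dropping entries already in the list, which `New-ItemProperty -Force` on its own would overwrite. The host names are the ones used above.

```powershell
# Added example: audit the loopback-check settings and merge host names idempotently.
function Get-LoopbackCheckState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = Join-Path $lsa 'MSV1_0'
    $disable = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $hosts   = (Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        # $true means the check is off for ALL host names (the less secure option)
        LoopbackCheckDisabled   = ($disable -eq 1)
        BackConnectionHostNames = @($hosts | Where-Object { $_ })
    }
}

function Add-BackConnectionHostName {
    param([Parameter(Mandatory)][string[]]$HostName)
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $existing = @((Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames)
    # Merge old and new names; Sort-Object -Unique is case-insensitive, so re-running is harmless
    $merged = @($existing + $HostName | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $msv -Name BackConnectionHostNames -Value $merged -PropertyType MultiString -Force | Out-Null
    $merged
}

$state = Get-LoopbackCheckState
if ($state.LoopbackCheckDisabled) {
    Write-Warning 'DisableLoopbackCheck=1: the check is off for every host name; prefer BackConnectionHostNames outside dev.'
}
Add-BackConnectionHostName -HostName 'password.mim.ninja','portal.mim.ninja' | ForEach-Object { "allowed: $_" }
```

Run from an elevated PowerShell; the registry values take effect for new connections without a reboot, but an `iisreset` makes sure cached tokens are refreshed.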

MIM HTTPS redirect and Site Pages redirect

Everyone always needs to do this, right? I used to do this with a SharePoint homepage, but using the URL Rewrite module is a much neater and more portable solution. URL Rewrite is an add-on module that you can get from the Web Platform Installer here. Install that, search for URL Rewrite and install it.

Then use the PowerShell code below to add an HTTPS redirect and a redirect to your MIM site. The script lists all the IIS sites and asks you to enter the index of the site to update…Macho Ninja!

Import-Module WebAdministration

# List the IIS sites with a zero-based index, then ask which one to update.
# The counter starts at 0 and increments after each row so the number shown is the array index.
$webSites = Get-Website
$global:index = 0
$webSites | Format-Table -Property @{name="index";expression={$global:index;$global:index++}},name
$sitenameindex = [int](Read-Host -Prompt "Enter Site index")
$sitename = $webSites[$sitenameindex].name

try
{
    # Rule 1: send any request that arrived over HTTP to the same path over HTTPS
    $RuleName = "HTTPS Redirect"
    $Rule = @{
        Name = $RuleName
        patternSyntax = 'ECMAScript'
        stopProcessing = 'True'
        match = @{
            url = '(.*)'
            ignoreCase = 'True'
            negate = 'False'
        }
        conditions = @{
            logicalGrouping = 'MatchAll'
            trackAllCaptures = 'True'
        }
        action = @{
            type = 'Redirect'
            url = 'https://{HTTP_HOST}/{R:1}'
            appendQueryString = 'False'
            redirectType = 'Permanent'
        }
    }
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$sitename" -Filter "/system.webServer/rewrite/rules" -Name "." -Value $Rule

    # The rule only fires when the {HTTPS} server variable is 'off', i.e. the request was plain HTTP
    $match = @{
        input = '{HTTPS}'
        matchType = 'Pattern'
        pattern = 'off'
        ignoreCase = 'True'
        negate = 'False'
    }
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$sitename" -Filter "/system.webServer/rewrite/rules/rule[@Name='$RuleName']/conditions" -Name "." -Value $match

    # Rule 2: an empty path (the site root) redirects to the MIM portal page
    $RuleName = "Redirect to MIM Site"
    $Rule = @{
        Name = $RuleName
        patternSyntax = 'ECMAScript'
        stopProcessing = 'True'
        match = @{
            url = '^$'
            ignoreCase = 'True'
            negate = 'False'
        }
        action = @{
            type = 'Redirect'
            url = '/IdentityManagement/default.aspx'
            appendQueryString = 'False'
            redirectType = 'Permanent'
        }
    }
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$sitename" -Filter "/system.webServer/rewrite/rules" -Name "." -Value $Rule
}
catch
{
    Write-Host "There was a problem............." -ForegroundColor Red
    Write-Host $_.Exception.Message -ForegroundColor Red
    exit
}
Write-Host "$sitename has been updated successfully...........Enjoy!" -ForegroundColor Green


The reference for the rewrite module is here. Be careful when using Permanent as your redirectType: if you are testing this out it may be worth using Temporary, because with Permanent the browser caches the redirect and the rule sticks even when you restart or hard-refresh the browser. You either have to clear your cache or start in private browsing for the new change to appear, which took me a while to work out when my perfectly corrected rule was still using an old incorrect rule while debugging.
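As an added example (not from the original post), the rules can be read back and the redirects exercised from PowerShell, which has no cached 301s to mislead you the way a browser does. The site name and URLs are assumptions to replace with your own; it targets Windows PowerShell 5.1, where a 3xx with `-MaximumRedirection 0` surfaces as a WebException carrying the response.

```powershell
# Added example: list the rewrite rules on a site and check what the redirects actually return.
Import-Module WebAdministration

function Get-RewriteRuleSummary {
    param([Parameter(Mandatory)][string]$SiteName)
    Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter '/system.webServer/rewrite/rules/rule' |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.name
                Pattern      = $_.match.url
                RedirectTo   = $_.action.url
                RedirectType = $_.action.redirectType   # Permanent = 301 (cached by browsers), Temporary = 307
            }
        }
}

function Test-Redirect {
    param([Parameter(Mandatory)][string]$Url,
          [Parameter(Mandatory)][string]$ExpectedLocation)
    try {
        # -MaximumRedirection 0 returns the 3xx itself instead of following it
        $resp = Invoke-WebRequest -Uri $Url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response   # the HttpWebResponse for the redirect
    }
    $code = [int]$resp.StatusCode
    $loc  = $resp.Headers['Location']
    [pscustomobject]@{
        Url        = $Url
        StatusCode = $code
        Location   = $loc
        Ok         = ($code -in 301,302,307) -and ($loc -eq $ExpectedLocation)
    }
}

# Assumed site name and host; both redirects from the script above are checked
Get-RewriteRuleSummary -SiteName 'Default Web Site' | Format-Table -AutoSize
Test-Redirect -Url 'http://portal.mim.ninja/IdentityManagement/default.aspx' -ExpectedLocation 'https://portal.mim.ninja/IdentityManagement/default.aspx'
Test-Redirect -Url 'https://portal.mim.ninja/' -ExpectedLocation 'https://portal.mim.ninja/IdentityManagement/default.aspx'
```

If the second check reports `Ok = False`, the HTTPS rule probably fired first; `stopProcessing` on the first rule means only one redirect is issued per request, so check with a second request against the Location returned.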

Installing MIM on SharePoint 2016

The online docs don't exactly get it right when it comes to installing MIM on SharePoint 2016: the compatibility level is set for SharePoint 2010, which was the level FIM supported. That level isn't available in SharePoint 2016, and moreover it isn't needed, as MIM supports the newer level out of the box. I also like to specify my databases on the command line so I can make them all uniform. Here is the config I use.

Run the normal SharePoint 2016 install, but don't run the config wizard afterwards; instead, run these commands:

psconfig.exe -cmd configdb -create -server fim-sql -database SharePoint_central_config -user domain\mimsp -password mypassword -passphrase mypassphrase -admincontentdatabase SharePoint_admin_content -localserverrole SingleServerFarm

So I have specified the database, and the server role makes things a little tidier. Also, always use a SQL alias; this is a ninja technique and will make life so much easier in a DR or server-move situation. Note that psconfig takes the farm account password and the passphrase in plain text on the command line, so run it from a console rather than a saved script and clear the PowerShell history (PSReadLine's ConsoleHost_history.txt) afterwards.

Now we create the MIM portal site:

New-SPManagedAccount

You may not need the above command if you are using the same account specified in the initial command, as that already registers it as the farm account.

The online install docs assume you are installing on SP2013, so they don't mention that you have to change the compatibility level to 15; anything less than 15 won't work.


$dbManagedAccount = Get-SPManagedAccount -Identity domain\mimsp
New-SPWebApplication -Name "MIM Portal" -ApplicationPool "MIMAppPool" -ApplicationPoolAccount $dbManagedAccount -AuthenticationMethod "Kerberos" -Port 80 -URL http://mim.mimninja.com -DatabaseName SharePoint_WSS_Content -DatabaseServer fim-sql
# Compatibility level 15 (the SharePoint 2013 UI level) is the one MIM needs on SP2016
$t = Get-SPWebTemplate -CompatibilityLevel 15 -Identity "STS#1"
$w = Get-SPWebApplication http://mim.mimninja.com
New-SPSite -Url $w.Url -Template $t -OwnerAlias domain\fimsp -CompatibilityLevel 15 -Name "MIM Portal" -SecondaryOwnerAlias domain\fimsync

The following commands from the online docs are NOT needed, as we are already using the correct compatibility level:

$s = Get-SPSite $w.Url
$s.AllowSelfServiceUpgrade = $false
$s.CompatibilityLevel

Then continue as normal:

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
$contentService.ViewStateOnServer = $false;
$contentService.Update();
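As an added example (not from the original post), this checks the result of the steps above in the SharePoint Management Shell: the site is at compatibility level 15, the web application offers Kerberos, the template is STS#1 and ViewStateOnServer is off. The URL is the one used in the post; change it for your farm.

```powershell
# Added example: post-install verification of the MIM portal site.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-MimPortalSite {
    param([Parameter(Mandatory)][string]$Url)
    $webApp = Get-SPWebApplication -Identity $Url
    $site   = Get-SPSite -Identity $Url
    $iis    = $webApp.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    $svc    = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $checks = [ordered]@{
        # MIM needs the 2013 (15) level; the 2010 level from the docs does not exist in SP2016
        'CompatibilityLevel is 15'   = ($site.CompatibilityLevel -eq 15)
        # DisableKerberos = $false means Negotiate (Kerberos) is offered, not NTLM only
        'Kerberos enabled'           = (-not $iis.DisableKerberos)
        # STS#1 = template "STS", configuration 1 (Blank Site)
        'Template is STS#1'          = ($site.RootWeb.WebTemplate -eq 'STS' -and $site.RootWeb.Configuration -eq 1)
        # The post's last step; MIM portal pages break when view state lives on the server
        'ViewStateOnServer is false' = (-not $svc.ViewStateOnServer)
    }
    $site.Dispose()
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
    }
}

Test-MimPortalSite -Url 'http://mim.mimninja.com' | Format-Table -AutoSize
```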

That's it for just creating the sites; there are a few more gotchas that I will put up soon…