SharePoint 2013: Reduce AppFabric Calls to Active Directory

AppFabric is a key part of any SharePoint 2013 as we all know by now. It’s used for many things indeed all over the product and AppFabric in turn uses Active Directory to make sure only authorised processes get access to the cache data.

Thus when SharePoint uses AppFabric, it opens a new TCP connection to it and AppFabric has to authenticate that connection with Active Directory; the same as when a user/browser connects to a Windows authentication protected website. Just as with the browser/IIS connection, there’s two ways of authenticating to AppFabric – NTLM or Kerberos, with NTLM being picked if Kerberos isn’t setup. Given Kerberos is a more efficient protocol at caching authorisation we want to use that over NTLM to reduce traffic to AD as it’s just better designed in that respect.

If you have Kerberos logging enabled on a web-front-end for example, something you’ll notice is these SPNs being requested and not being found:

 

 

Notice anything about the SPN? Yep, it’s the AppFabric server we’re trying to use – the client (SharePoint) is trying to connect via Kerberos and it’s not working so we have to fail-back silently to NTLM. That works of course as far as SharePoint’s concerned but we have generated more traffic than we wanted due to this security protocol fall-back.

 

Add AppFabric SPNs to Reduce Calls to Active Directory

As with HTTP, we want to use Kerberos for AppFabric authentication to reduce the extra logins to Active Directory. This is just done by adding the right SPNs to the app-fabric account in the form of:

• AppFabricCachingService/server:22233
• AppFabricCachingService/server.domain.fqdn:22233

This you do with either ADSI Edit or setspn; in my example:

• setspn -U -S AppFabricCachingService/sharepointserver01:22233@scshiva.LOCAL scshiva\svc_cache

That should take care of both SPNs but you might want to try adding the NetBIOS one too manually – Win2012 will duplicate-check the SPN first anyway so there’s no risk. Check the security log again after the change with Kerberos logging enabled to double-check it’s worked if you’re unsure. First though, restart AppFabric (and if I remember right IIS might be necessary too) and you should be good to go – AppFabric will make significantly less calls to Active Directory as it’ll use a Kerberos token instead.
If this is of particular interest I can probably expand on this subject, but that’s it for now.

 

With Regards,

சிவசங்கரன் (Shivashankaran)





Configuring a SharePoint farm in single server without domain controller.

Recently I had a requirement of configuring 25 SharePoint development servers.

The beauty of the requirement is "The servers are not joined with Domain".

As usual, I installed the SQL Server 2012 Standard edition.

When installing the prerequisites of SharePoint, The IIS throws the configuration error, had more than 2 cup of coffee, then only released I am having SharePoint 2013 RTM version and trying to install it in Windows server 2012 R2. This is not possible.

Then downloaded the SharePoint 2013 with SP1 and installed the prerequisites and SharePoint too with complete option.

Didn't expect, that I will going to be in office for another 2 hours for configuring the SharePoint. Got the below error and absolutely yes got the help from Mr.Google.

 

 

SharePoint PowerShell is really powerful tool, because it have some backend gate to configure the SharePoint illegally or they missed to check the condition from configuring from PowerShell.

 

Open the SharePoint management Shell with Elevated permission(Run As administrator).

 

Execute the command called New-SPConfigurationDatabase.

 

It will shoot out some question to you like Config Database Name, Database Server Name, Credentials (Enter the local account like below) and provide the passphrase.

 

 

Go and take some sambar vadai(south indian dish), with coffee or some other and open the system the above mentioned command executed successfully. Go to ssms and check the database server you can see SharePoint Config database and admin content database.

 

Now run the SharePoint configuration wizard and choose DO NOT DISCONNECT THE SERVER FROM FARM.

 

Catch you later on next post. Post your queries if you have anything.

 

Desinging the Search Topology in SharePoint 2013.

Earlier in SP2010 we had an option of amending the search topology in the central Administration itself. But in SP2013 you need to amend the topology through SharePoint PowerShell alone.


In My Scenario I have 2 WFE, 1 APP, 1 for Crawl and 1 for Index.

First of all we need to start the Search Service in the necessary server. So I need to start the service in the APP1, Crawl and Index server.

$hostA = Get-SPEnterpriseSearchServiceInstance -Identity "App1"
$hostB = Get-SPEnterpriseSearchServiceInstance -Identity "Crawl"
$hostC = Get-SPEnterpriseSearchServiceInstance -Identity "Index"
Start-SPEnterpriseSearchServiceInstance -Identity $hostA
Start-SPEnterpriseSearchServiceInstance -Identity $hostB
Start-SPEnterpriseSearchServiceInstance -Identity $hostC

Check the status of SSA after started

Get-SPEnterpriseSearchServiceInstance -Identity $hostA
Get-SPEnterpriseSearchServiceInstance -Identity $hostB
Get-SPEnterpriseSearchServiceInstance -Identity $hostC



Creating new topology in the existing service application which we have in the farm

$ssa = Get-SPEnterpriseSearchServiceApplication
$newTopology = New-SPEnterpriseSearchTopology -SearchApplication $ssa

Creating the necessary components in the new topology. Here I am creating the Admin Component, Analytic Component will be in APP Server

Crawl and Content Processing will be in Crawl Server.

Query processing and Index component will be in Index server. 
 
New-SPEnterpriseSearchAdminComponent -SearchTopology $newTopology -SearchServiceInstance $hostA
New-SPEnterpriseSearchCrawlComponent -SearchTopology $newTopology -SearchServiceInstance $hostB
New-SPEnterpriseSearchContentProcessingComponent -SearchTopology $newTopology -SearchServiceInstance $hostB
New-SPEnterpriseSearchAnalyticsProcessingComponent -SearchTopology $newTopology -SearchServiceInstance $hostA
New-SPEnterpriseSearchQueryProcessingComponent -SearchTopology $newTopology -SearchServiceInstance $hostC
New-SPEnterpriseSearchIndexComponent -SearchTopology $newTopology -SearchServiceInstance $hostC -IndexPartition 0

Activating the topology which we created.

Set-SPEnterpriseSearchTopology -Identity $newTopology

Get the list of topologies which are available in the search serviceapplication. In my scenario the existing one will be available and that will be deactivate after executing the above mentioned Set-SpEnterpriseSearchTopology.

Get-SPEnterpriseSearchTopology -SearchApplication $ssa

In the output of above command just make a note of inactive topology id.

Remove-SPEnterpriseSearchTopoly -Identity "InactiveToplogy ID" -SearchServiceApplication $ssa


That's it now you can check the component status in the central adminstration -> Manager Service Application -> Search Service Application.


Thanks.

சிவசங்கரன் (Shivashankaran)

SharePoint 2013 Service Pack 1 had 2 versions

                       Microsoft has re-released Service Pack 1 for SharePoint 2013. Hopefully this time with fewer bugs. I haven’t taken it for a full test drive yet, so this blog post will likely get updated in the next few days.

If you have already installed SP1 on your farm, install this new SP1 on top of it, then run the Config Wizard, like you would with any other patch. If you’re at some lower patch level, use the same steps.

Here are some links.

SharePoint Foundation – KB – Download

SharePoint Server        – KB – Download

Project Server             – KB – Download

Office Web Apps          – KB – Download

Thanks,
சிவசங்கரன் (Shivashankaran)