Random ramblings of a System Administrator

February 20, 2014
by ugrin

IIS error 401 Unauthorized access is denied due to invalid credentials

This weekend, while I was creating a publishing rule for an IIS webpage on our TMG server, I noticed a strange behaviour on the IIS server. When you try to open the page through a web browser you get an HTTP authentication window, and after you enter your credentials the same HTTP authentication window pops up again. After the third iteration the server reports 401 Unauthorized: Access is denied due to invalid credentials.

The problem was solved by changing the order for the authentication mechanisms. We had Negotiate above NTLM and the server had trouble authenticating the users.

To change the order you have to do the following:

  • Open IIS and select the website (or directory) that is causing the 401
  • Open the “Authentication” property under the IIS header
  • Click the “Windows Authentication” item and click Providers
  • Change the order and put NTLM on top.

After the change, open Command Prompt and run iisreset /noforce.

The error should be gone and credentials should be working again.
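The same reordering can be scripted with the WebAdministration module, which also records the provider order before and after the change. This is an added example, not part of the original post; the site name is an assumed placeholder.

```powershell
# Added example: the site name below is an assumption, not from the original post.
Import-Module WebAdministration

$Site   = 'Default Web Site'   # assumption: replace with the site returning the 401
$PsPath = 'MACHINE/WEBROOT/APPHOST'
$Filter = 'system.webServer/security/authentication/windowsAuthentication/providers'

function Get-WinAuthProviders {
    param([string]$Location)
    # Returns the Windows Authentication providers in their configured order.
    (Get-WebConfigurationProperty -PSPath $PsPath -Location $Location `
        -Filter $Filter -Name '.').Collection | ForEach-Object { $_.Value }
}

# Audit: list the current order for every site before changing anything.
Get-Website | ForEach-Object {
    New-Object PSObject -Property @{
        Site      = $_.Name
        Providers = (@(Get-WinAuthProviders $_.Name) -join ', ')
    }
}

$before = @(Get-WinAuthProviders $Site)

if ($before.Count -gt 0 -and $before[0] -ne 'NTLM') {
    # Remove NTLM from its current position (if listed), then re-add it at index 0.
    if ($before -contains 'NTLM') {
        Remove-WebConfigurationProperty -PSPath $PsPath -Location $Site `
            -Filter $Filter -Name '.' -AtElement @{ value = 'NTLM' }
    }
    Add-WebConfigurationProperty -PSPath $PsPath -Location $Site `
        -Filter $Filter -Name '.' -AtIndex 0 -Value @{ value = 'NTLM' }
}

# Keep both lines in the change record so the original order can be restored.
"Before: $($before -join ', ')"
"After:  $(@(Get-WinAuthProviders $Site) -join ', ')"

iisreset /noforce
```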


July 17, 2013
by ugrin

SharePoint 404 error while creating a new web application

SharePoint 2010 and SharePoint 2013 both have the same problem when you try to create a new Web Application. There is a timeout limit that occurs during the creation of the Web Application and the web application is provisioned only on the local server. The wwwroot folder for this web application is empty and all you can do is delete the application. You cannot create a site collection using this web application.

Microsoft says that this error occurs because more and more web applications are created on the same server (I have seen this error even when creating the fourth or fifth web application) and during the creation process IIS is reset and by default the application pool allows 90 seconds for the connections to close off before forcibly shutting down. When you have more than one web application apparently 90 seconds is not enough for the provisioning to finish. As a result the w3wp process is killed and the provisioning process is stopped prior to the timer jobs being created.

The solution is to open IIS manager on the server hosting the Central Administration:

1. In the tree view, expand the server name and click on Application Pools.

2. Locate the SharePoint Central Administration v4 application pool. Right click on it and choose Advanced Settings.

3. In the Process model section, set the Shutdown Time Limit to a greater value.


4. You can also set the idle shutdown to False.


5. Restart IIS.



July 17, 2013
by ugrin

SharePoint 2010 incoming e-mail size limit

SharePoint 2010 and SharePoint 2013 use the same IIS 6.0 SMTP server for incoming e-mail configuration. Because of the default configuration the incoming e-mail size limit is set to 2048 KB.

The error that you receive when you try to send an e-mail larger than 2MB or that has attachments larger than 2MB is something like this:

This message is larger than the current system limit or the recipient’s mailbox is full. Create a shorter message body or remove attachments and try sending it again.

You will have to go to the IIS 6.0 administration console, right-click the domain and then go to the Messages tab. In the message size limit you can enter the desired size for the incoming e-mail messages.


After you change the message size you will have to do an IIS reset to apply the changes.

July 17, 2013
by ugrin

System Center Data Protection Manager problem with protected Workgroup Server

If you have a protected workgroup computer in your System Center Data Protection Manager environment and you forget or you don’t want to check the box Password never expires for the synchronization account for DPM, then you will probably get this error approximately 42 days after you configured your Workgroup server for backup with SC DPM.

Description: Unable to contact DPM protection agent.
The protection agent operation failed because it could not access the protection agent on YOURPROTECTEDDPMSERVER. YOURPROTECTEDDPMSERVER may be running DPM, or the DPM protection agent may have been installed by another DPM server

In the Event Viewer on the protected server running the DPM agent I noticed a bunch of event id 85.

Event Type: Error
Event Source: DPMRA
Event Category: None
Event ID: 85
Date:  2011-01-15
Time:  13:30:38
A DPM agent failed to communicate with the DPM service on YOURDPMSERVER because of a communication error. Make sure that YOURDPMSERVER is remotely accessible from the computer running the DPM agent. If a firewall is enabled on YOURDPMSERVER, make sure that it is not blocking requests from the computer running the DPM agent (Error code: 0x800706ba, full name: YOURDPMSERVER).

The problem is that the password for the local account on the protected server has expired and the account has the box next to User must change password at next logon checked. You will have to execute the following commands on the protected server and on the DPM server:

– on the protected server:

SetDpmServer.exe -dpmServerName YOURDPMSERVER -isNonDomainServer -updatePassword

Be careful to use either the FQDN or the name of your DPM server (it has to be the same name that you used when you configured this the first time), otherwise you will get an error stating that this computer is not protected as a workgroup computer.

– on the DPM server




May 30, 2013
by ugrin

Lenovo T430 problem with Wi-Fi adapter when using Hyper-V

This one has been making me crazy ever since I got my Lenovo T430 laptop. This laptop has an Intel Centrino Advanced-N 6205 WiFi card. The minute I got Windows 8 up I installed Lenovo System Update and made sure that every single driver had been updated. The problem started when I enabled the Hyper-V role and created the WiFi Hyper-V switch. The internet connection lasted for about 5 minutes and then it would just show the yellow exclamation mark and the internet would go dead. I had to disable and enable the WiFi adapter or disconnect and reconnect to the network. It would work for 5 or 10 minutes and then it would go down again. I reverted to using a cable connection and didn’t use the WiFi connection for virtual machine traffic for a while, and yesterday I wanted to give it another go.

It was a disaster until I realised that Intel has a newer driver for this card than Lenovo.


I’ve installed the Wireless_15.8.0_De64.exe file and the problems disappeared. I had 4 virtual machines running and downloading updates from the internet and the card just kept on working without a problem.

Lenovo should really integrate these Intel drivers for the WiFi card as soon as they can because I’ve seen a lot of people having troubles with the WiFi connection on certain routers.


May 30, 2013
by ugrin

Managing Exchange Server Distribution Groups using PowerShell

If you happen to have 300+ distribution groups on your Exchange Server, you are bound to end up with the same problem I had a few days ago. The problem was pretty straightforward. I had to first find all the distribution groups that had a specific user as a Manager and then grant manager rights to another user without losing the other Managers. If you try it from the Exchange Management Console, you can bulk edit the Managed By field, but as soon as you start typing the name of the additional manager you are going to lose the previous Managed By entries.

The solution was to use the Exchange Management Shell and PowerShell to bulk edit the distribution groups.

The easiest way to do it is by first selecting all the groups that have the user as their Manager:

Get-DistributionGroup | where {$_.ManagedBy -like "*Ugrin*"}

You can save it in a file just as a backup so you will have something to compare with after you make the changes.

You can then pipe the list of Distribution Groups into a Set-DistributionGroup command that would make the change for every distribution group.

Get-DistributionGroup | where {$_.ManagedBy -like "*Ugrin*"} | Set-DistributionGroup -ManagedBy ugrin@domain.com, vojdan@domain.com

Just make sure that you include the original user as a manager so you wouldn’t have to add it again in the end.

The same syntax can be used for adding members to a distribution group when you know the manager.

Get-DistributionGroup | where {$_.ManagedBy -like "*Ugrin*"} | Add-DistributionGroupMember -Member vojdan@domain.com,lili@domain.com
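Passing a plain list to -ManagedBy replaces whatever was there, so any manager not named on the command line is dropped. The added example below (not from the original post) writes the backup file mentioned above, appends the new manager with the @{Add=...} form for multivalued properties, and then reports any manager that disappeared; the backup path is an assumed placeholder.

```powershell
# Added example; the backup path is an assumed placeholder, addresses reuse the post's.
$OldManagerPattern = '*Ugrin*'
$NewManager        = 'vojdan@domain.com'
$BackupFile        = Join-Path $env:TEMP 'dg-managedby-before.csv'

# Select the groups the same way the post does.
$groups = @(Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.ManagedBy -like $OldManagerPattern })

# Record the current managers per group so the change can be reviewed or undone.
$groups | Select-Object Name, PrimarySmtpAddress,
    @{ Name = 'ManagedBy'
       Expression = { ($_.ManagedBy | ForEach-Object { $_.ToString() }) -join ';' } } |
    Export-Csv -Path $BackupFile -NoTypeInformation -Encoding UTF8

foreach ($g in $groups) {
    # @{Add=...} appends to ManagedBy instead of overwriting it.
    # Review the -WhatIf output, then remove -WhatIf to apply the change.
    Set-DistributionGroup -Identity $g.Identity -ManagedBy @{ Add = $NewManager } -WhatIf
}

# After the real run: flag every group that lost a manager compared with the backup.
foreach ($row in (Import-Csv -Path $BackupFile)) {
    $now = @((Get-DistributionGroup -Identity $row.PrimarySmtpAddress).ManagedBy |
        ForEach-Object { $_.ToString() })
    $lost = @($row.ManagedBy -split ';' |
        Where-Object { $_ -and ($now -notcontains $_) })
    if ($lost.Count -gt 0) {
        '{0}: missing managers: {1}' -f $row.Name, ($lost -join ', ')
    }
}
```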


May 28, 2013
by ugrin

SharePoint 2013 Azure Access Connections error when using Windows Live ID authentication

The problem exists only when you use Windows Live ID as your authentication mechanism for SharePoint authentication. If you click the Windows Live ID icon for authentication nothing happens and you are reverted to the default sign-in page for SharePoint 2013.

If you check the Event Viewer Application Log you will see the following error:




The description doesn’t say much except that the trusted login provider (in this case it is the Azure ACS service) has supplied a token that was not accepted by the SharePoint Server.


When you set up your SharePoint environment you will most probably use the emailaddress for validation. However, the Windows Live ID by default uses the nameidentifier as type for validation.

You will have to log in to your Azure ACS dashboard and connect the nameidentifier type to the emailaddress type.

1. Go to your Azure ACS URL (https://servicenamespace.accesscontrol.windows.net/v2/mgmt/web)

2. Click on the Rule Groups on your right

3. Click the Rule group that is used by your SharePoint environment

4. If you clicked the generate button and Azure ACS generated the rules for your environment you will probably have one entry for the Windows Live ID as Claim Issuer


5. Scroll down to the Then section and change the claim type to: (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)


6. Change the nameidentifier part in the Description field to “emailaddress”

7. Save the changes


You can try to sign in to your web application now using the Windows Live ID option as an authentication provider. The problem that still remains for Microsoft to solve is the way the username is shown when someone logs in using the Windows Live ID option. If you don’t want to share your webpage with every single user that has Windows Live ID then you will probably want to add some users manually to your web application. Every time you want to add a user you will have to get the whole string (which you can obtain when you try to send a request for webpage access) and add the string as a user with read/modify/full control permissions on your web application.