SharePoint: Common NTLM Authentication Issues, aka: Consider Ditching NTLM

NTLM authentication is not great. It’s not the fastest. In most cases, that honor would go to Kerberos. It’s not the most secure. Again, Kerberos. It’s not all that flexible. For example, it doesn’t work well for extranets or anything cross-firewall. In those scenarios, Trusted Provider auth (SAML / WS-Fed) works well.  See: AD FS….


SharePoint: Quick Troubleshooting Tip: HTTP Response Headers

Often in troubleshooting SharePoint, we’re interested to know on which Web-Front-End (WFE) a certain request landed. When you have multiple WFEs that are load balanced, this is not easily discernible. One trick is to edit your HOSTS file and point the load balanced URL at the IP address of one WFE. That method certainly has…


SharePoint: People Picker shows disabled user accounts in domain migration scenario

This is one that has plagued SharePoint admins since SharePoint 2007 and earlier.  There are a few other posts out there that mention this behavior, but as far as I can tell, none of them offer a complete solution. Consider the following scenario: The SharePoint farm exists in DomainB. You have users in DomainA. You…


SharePoint: Person or Group column does not display expected results when limited to a SharePoint group

Consider the following scenario: You have a SharePoint list with a Person or Group column. This column is limited to choose from a SharePoint group called (for example) Approvers. Within this SharePoint group, you have three users with (for example) first name Jeff, and one user with last name Jefferson. Within the person…


SharePoint: The problem with changing UserQueryMaxTimeout

Consider the following scenario: You have a fairly large and / or complex Active Directory (AD) infrastructure. When using People Picker in a SharePoint 2013 or 2016 site, you are unable to find users from certain domains, and eventually the People Picker control displays an error: “Sorry, we’re having trouble reaching the server”. You do…


SharePoint: Profile Synchronization – some users are missing their manager

Important: This little quirk only occurs with the “SharePoint Profile Synchronization” (aka: FIM Sync) option in SharePoint 2010 and 2013. It does not occur with the “Active Directory Import” (aka: AD Import) option available in SharePoint 2013 and 2016. If possible, I recommend switching to AD Import. You can read through switch considerations in my other…


SharePoint: Importing Manager property with AD Import: A Troubleshooter

Overview: This is a fairly visible problem within SharePoint.  It can cause the organization chart to show old manager info, or not work at all. So what to do if your user profiles show no manager value, or maybe a user has changed managers, and it’s not being updated? This is a complicated topic for…


SharePoint: User profiles are imported with wrong domain name

In certain domain configurations, User Profiles can be imported with the incorrect domain name. For example: account names are supposed to be shown as CORP\User1, but profiles are imported as contoso\user1. Note: This applies to both SharePoint Profile Synchronization (aka: FIM Sync) and Active Directory Import (aka: AD Import). What’s the impact? There are a…


SharePoint: All about non-imported user profiles

I find there is much confusion around this topic, so I’ll try to clear it up here. First off, non-imported profiles are well… not imported.  They were not created by Profile Sync / AD Import / Sync with External Identity Manager.  We also refer to these as “unmanaged”, or “stub” profiles because they typically only…
