SSLv3 POODLE vulnerability and SharePoint site using HTTPS
Hi
Is it safe to run the IIS Crypto tool and choose
'FIPS 140-2' on a SharePoint WFE?
We have one web application accessible to users over HTTPS with a valid SSL certificate from a CA.
FIPS 140-2 is not supported by SharePoint and enforcing it will break SharePoint.
Instead, disable SSLv3 support in IIS.
https://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm
https://support.microsoft.com/kb/187498/
Trevor Seward
Follow or contact me at...
  
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
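The registry-level form of Trevor's advice, as an added example that is not part of his reply or of the linked articles: it switches SSL 2.0 and SSL 3.0 off in SCHANNEL on the WFE (what IIS Crypto does when you untick the protocol), reports the resulting state, and checks that the LSA FIPS policy that breaks SharePoint is not turned on. It assumes an elevated PowerShell session on the WFE; the protocol change only takes effect after a reboot.

```powershell
# Added example, not from the forum post above. Run elevated on the SharePoint WFE.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,     # 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', ...
        [Parameter(Mandatory)][bool]$Enabled,
        [string[]]$Sides = @('Server', 'Client')     # drop 'Client' if the WFE must still reach an SSLv3-only backend
    )
    foreach ($side in $Sides) {
        $key = Join-Path $schannel "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps it off
        # for callers that do not name their protocols explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enabled) -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and side. Enabled = $null means the value is absent
    # and the OS default applies, which for SSL 3.0 means "on" unless an update changed it.
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $schannel "$p\$side"
            $enabled = $null
            if (Test-Path $key) { $enabled = (Get-ItemProperty -Path $key).Enabled }
            [pscustomobject][ordered]@{ Protocol = $p; Side = $side; Enabled = $enabled }
        }
    }
}

function Test-FipsPolicyOff {
    # SharePoint does not support the FIPS 140-2 enforcement policy, so the
    # LSA FipsAlgorithmPolicy\Enabled value must be 0 or absent.
    $fips = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue
    return (-not $fips -or $fips.Enabled -eq 0)
}

# Apply: turn off SSL 2.0 and SSL 3.0, leave every TLS version alone, then report.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
Get-SchannelProtocolState | Format-Table -AutoSize
if (-not (Test-FipsPolicyOff)) {
    Write-Warning 'FIPS policy is enabled on this box; SharePoint will break until it is set back to 0.'
}
Write-Host 'Reboot the server for the SCHANNEL change to take effect, then re-test from outside.'
```

The Client side is switched off as well so the WFE cannot itself be talked down to SSLv3 when it calls other services; if a legacy backend only speaks SSLv3, pass `-Sides 'Server'` and fix that backend separately. Verify from another machine after the reboot rather than trusting the registry alone.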
Similar Messages
-
We have a SharePoint 2013 site configured with SSL and we have developed a provider-hosted app which interacts with a SharePoint list.
If we try accessing the provider-hosted app from the SharePoint site over HTTP [http://mysharepointsite.com/], no errors are thrown.
But whenever the same provider-hosted app is accessed from the same SharePoint site using the https address
[https://mysharepointsite.com/] we get the error below:
The remote certificate is invalid according to the validation procedure.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[AuthenticationException: The remote certificate is invalid according to the validation procedure.]
System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) +2983172
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) +473
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) +86
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) +262
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) +473
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) +86
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) +262
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) +473
System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) +86
System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) +262
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) +473
System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) +8530566
System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) +230
System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) +645
System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) +9
System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) +87
System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result) +1467
System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size) +84
System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size) +22
System.Net.ConnectStream.WriteHeaders(Boolean async) +761
[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
System.Net.HttpWebRequest.GetResponse() +8534156
Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute() +58
Microsoft.SharePoint.Client.ClientRequest.ExecuteQueryToServer(ChunkStringBuilder sb) +975
ProviderHostedHTTPSWeb.Default.Page_Load(Object sender, EventArgs e) +348
System.Web.UI.Control.LoadRecursive() +71
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3178
We have already added the certificate used for the SharePoint site and the provider-hosted app in the SharePoint Central Admin trusts.
Any ideas how I can resolve this issue?
Hi,
According to your post, my understanding is that you failed to access the provider-hosted app using HTTPS.
The reason for this is that SharePoint implements its own certificate validation policy to override .NET certificate validation.
The fix is to set up a trust between SharePoint and the server requiring certificate validation.
For more information, you can refer to:
http://blogs.technet.com/b/sharepointdevelopersupport/archive/2013/06/13/could-not-establish-trust-relationship-for-ssl-tls-secure-channel.aspx
Best Regards,
Linda Li
TechNet Community Support -
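Linda's reply says the fix is a trust between SharePoint and the server whose certificate is being validated. The script below is an added example of what that looks like in the SharePoint Management Shell; it is not code from her reply or from the linked blog. It assumes the app server's certificate and its issuing chain have been exported (without private keys) to .cer files; the file paths and trust names are placeholders.

```powershell
# Added example, not from the forum post above. Run in the SharePoint Management
# Shell on a farm server, as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Add-SPCertificateTrust {
    param(
        [Parameter(Mandatory)][string]$Name,     # shown in Central Admin > Security > Manage trust
        [Parameter(Mandatory)][string]$CerPath   # DER or Base64 .cer, public part only
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    # Idempotent: SharePoint keys trusts by name, so look for the thumbprint instead
    $existing = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
    if ($existing) {
        Write-Host "Already trusted as '$($existing.Name)' ($($cert.Thumbprint))"
        return $existing
    }
    New-SPTrustedRootAuthority -Name $Name -Certificate $cert
}

# SharePoint's own validation does not consult the Windows certificate store, so
# every certificate in the chain the app server presents has to be registered:
# root CA, any intermediate, and (for a self-signed dev certificate) the leaf itself.
# Paths and names below are placeholders.
Add-SPCertificateTrust -Name 'Contoso Root CA'     -CerPath 'C:\certs\contoso-root.cer'
Add-SPCertificateTrust -Name 'Contoso Issuing CA'  -CerPath 'C:\certs\contoso-issuing.cer'
Add-SPCertificateTrust -Name 'apps.contoso.com'    -CerPath 'C:\certs\apps.contoso.com.cer'

# Verify: each entry should show the expected thumbprint and an expiry in the future
Get-SPTrustedRootAuthority |
    Select-Object Name,
        @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } },
        @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } }
```

The trust only fixes the chain-building step of SharePoint's validation. A certificate whose subject or SAN does not match the app host name, or which has expired, still fails with the same "could not establish trust relationship" message, so check those on the app server before adding trusts.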
Not able to open Office documents from SharePoint site using Forms auth on a Mac with Office 2011
I posted the same question on the Mac Office forum (http://answers.microsoft.com/en-us/mac/forum/macoffice2011-macstart/not-able-to-open-office-documents-from-sharepoint/7fba517b-ebd1-4e90-a54a-c70c5f035146?tm=1418836613595) but figured it's probably more of a SharePoint question, so I'm going to try here as well.
We just discovered an issue where a user logs into a SharePoint site using Forms-based authentication. When clicking on an Office file they get a 'Sorry, this site hasn't been shared with you' message:
The user can download the file and can also open the file within the browser (Office Web apps). This SharePoint site is on a Web app that uses mixed authentication (forms for external partners) and Windows/Kerberos for internal employees.
When logging into this same site as an internal user I am able to open the file just fine.
I checked the 'Microsoft Document Connection' settings and selected and deselected 'Enable Basic Authentication' and neither helped.
I also tried to add the site URL under 'Microsoft Document Connection' -> Add connection -> Connect to a SharePoint site. When I put the site URL in and click 'Connect', I get an error saying 'Only connections to SharePoint or OneDrive servers are supported'. If I try the same thing as an internal user using Windows/Kerberos authentication I am able to connect to the site just fine.
Any ideas?
Hi Szamir,
As you are using Forms-based authentication to open the documents from the SharePoint site, I recommend checking the things below:
Make sure that the user has permission to view the documents in the site.
Please select "Sign me in automatically" when you sign in the login page.
More references:
https://social.technet.microsoft.com/Forums/en-US/ae8cc886-c362-4709-8575-07d339144714/not-able-to-open-microsoft-office-documentsdocxxls-etc-from-document-library-in-a-fba-site-in?forum=sharepointgeneralprevious
http://manojvnair.blogspot.com/2011/06/login-prompt-while-opening-office.html
Best regards.
Thanks
Victoria Xia
TechNet Community Support -
Can we customize anything other than SharePoint sites using SharePoint Designer?
Hi All,
Can we customize anything other than SharePoint sites using SharePoint Designer?
Thanks in advance!
As Hemmendra says, the tool is specifically designed for SharePoint. Both this and another tool derive from an older utility called FrontPage, which was an early web authoring product, before the age of standards and the like.
The other product that evolved into a paid development tool but is now free is called Expression Web. This can do more web-specific stuff and may be of use to you. It was made a free product a year ago and can be found here.
http://www.microsoft.com/en-gb/download/details.aspx?id=36179
What else were you looking to achieve?
Steven Andrews
SharePoint Business Analyst: LiveNation Entertainment
Blog: baron72.wordpress.com
Twitter: Follow @backpackerd00d
My Wiki Articles:
CodePlex Corner Series
Please remember to mark your question as "answered" if this solves (or helps) your problem. -
How can I download content of wiki pages from Office 365 online Sharepoint site using c#?
How can I download content of wiki pages from Office 365 online Sharepoint site using c#?
Ratnesh [MSFT]
Hi,
According to your post, my understanding is that you want to download content of wiki pages on SharePoint Online.
If you just need the text of the page, I suggest you convert the page to a PDF file first and then download the PDF file via a Visual Web Part as a sandboxed solution.
A sample about export HTML to PDF:
http://hamang.net/2008/08/14/html-to-pdf-in-net/
Thanks
Patrick Liang
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
TechNet Community Support -
Does anyone have any more info on the SSLv3 POODLE vulnerability: are any of the Cisco switches, in particular the ACE load balancer (if they do SSL offloading), vulnerable to this?
http://www.wired.com/2014/10/poodle-explained/
If so, is there a way to disable SSLv3?
To disable SSLv3, do something like this:
parameter-map type ssl PARAMMAP_SSL
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
  version TLS1
ssl-proxy service SSL_PSERVICE_SERVER
  ssl advanced-options PARAMMAP_SSL
(Omitted all the other stuff in the ssl-proxy config that is important, but not to this exact solution.) -
Error when moving files between Sharepoint sites using 'content and structure' feature
Hi,
I am using SharePoint Online 2013 on a Mac.
I am trying to move files between SharePoint sites/libraries, but because the "Open with Explorer" link does not work on Macs, I need to do so using the 'Content and Structure' feature.
When I select a file to move and then select the destination site/document library, I get the following error:
An error was encountered performing this operation.
Operation to Move '120207_Australia Post_Invoice.pdf' to '/Ops/internal/admin/General Admin' failed
No items were moved. Please remove 120207_Australia Post_Invoice.pdf from the selection and retry operation
Please help!
Thanks,
Kate
Hi Kate,
If you mean only the one file "120207_Australia Post_Invoice.pdf" could not be moved, please compare this file to the other files that moved successfully and check whether there are differences, such as the content types or fields.
Also compare the source library and destination library, and make sure they have the same type of fields.
You could also try moving this single file separately to see if that helps, or as a workaround download this file from the source and upload it to the destination library.
Since this is related to SharePoint Online 2013, we cannot see the ULS log for more information, so I would suggest you post this issue in the Office 365 SharePoint Online dedicated forum via the following link for better assistance.
http://community.office365.com/en-us/forums/default.aspx
Thanks
Daniel Yang
TechNet Community Support -
Hi ,
I have a site that runs in claims mode (NTLM). That site has a web part that needs to show data from any SharePoint farm: SharePoint 2010, 2007 or 2003.
I am getting 401 Unauthorized when I try to get data from a web service running in the SharePoint context.
But when I run the same code in a Windows console application it gives no error.
What I suspect is that this issue is due to the fact that I have set claims mode authentication.
Because the same code runs fine in a different farm, in a site that is configured using Windows authentication.
So generally speaking, you're talking about a VERY long-running topic of authentication methods... and generally speaking, in the world of Windows, the only long-running authentication options have been:
- NTLM (limited to one hop)
- Kerberos (unlimited hops)
- Application level authentication (ex: SQL auth, also, no hops)
Recently, Microsoft has been investing in Claims Based Auth... and I fully expect claims to start working their way into other systems (previously starting to work into Windows via the CardSpace technology, but also in other ways such as Win8's ability to log in with a LiveID)... but building a new authentication method into ALL applications is a VERY long process, and the complexity of claims adds a LOT of consideration (claims from the same AD can look VERY different depending on the STS, so lots of questions around things like bridging claims).
So as far as your SP auth needs go...
IF both applications are CLAIMS AWARE, then you MAY be able to use claims (which support unlimited hops)... but that's just not very likely yet (and will probably take another 5-10 years to be available across the entire enterprise)... otherwise, KERBEROS.
Outside of the Microsoft world... KERBEROS is an open spec, so it is supported by other systems (such as authenticating to Linux)... claims based auth is also an open spec, but again, still new... there are a few other options (LDAP, etc), but none that are native to Windows (so you rely on things like third-party auth modules for Windows, which Novell has done for DECADES with NDS and eDir).
And again, SharePoint can convert claims to Kerberos using the C2WTS... which MS uses internally for things like Excel Services connecting to a backend SQL server... but it DOES require the Kerb and C2WTS configuration.
If you're having issues using Kerb auth... then it sounds like Kerb isn't configured correctly... and Kerb is a PAIN to configure (the whitepaper for SP Kerb is ~100 pages long)... IIS (and SharePoint) also has the added benefit of failing over to NTLM if Kerb fails (and you shouldn't disable this behavior, since it'll break other settings elsewhere).
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Strategic Data Systems - for all your SharePoint needs -
POODLE Vulnerability and AMS configuration in Adaptor.xml
Hi,
I am looking for some recommendation and guidance on how to stop AMS from using SSLv3 with RTMPS clients. I know that there's a configuration in Adaptor.xml called "SSLCipherSuite" which should be able to somehow prevent a specific protocol, but the Adobe documentation recommends contacting Adobe before changing that configuration.
So I was wondering if Adobe has any official recommendation to prevent RTMPS clients from using SSLv3. Could someone please point me in the right direction?
Thanks
-Irtiza
When will it be released?
I can not comment on that...
How will it support older browsers?
Well, most likely it will disable SSLv3 support from within the application, so you will not need to change anything in the AMS configuration.
All browsers which work on TLS 1.0 and higher will continue to work as they were working till now.
Note that even in current release, if your browsers support TLS then TLS would be preferred mode of connection and you will not be exposed to SSLv3 attack.
Even today, POODLE vulnerability exists only if you are working on those browsers which do not support TLS.
That said, you must upgrade your OpenSSL to 1.0.1j, because prior to that a hacker could exploit a hack in OpenSSL so that even if your endpoints support TLS, the connection protocol can be downgraded to SSLv3... OpenSSL 1.0.1j fixes this protocol downgrade attack.
The steps to compile OpenSSL for AMS are available in the public domain; please Google them, compile OpenSSL yourself and drop that OpenSSL into your AMS installation.
OpenSSL consists of two files: libeay32.dll and ssleay32.dll on Windows, and libssl.so.1.0.0 and libcrypto.so.1.0.0 on Linux... -
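Trevor's reply about the SharePoint WFE, the ACE snippet with "version TLS1" and the AMS reply above all leave the same two questions for whoever runs the change: does the endpoint still accept an SSL 3.0 ClientHello, and does it implement the downgrade guard that OpenSSL 1.0.1j shipped (the TLS_FALLBACK_SCSV signalling suite, RFC 7507)? The script below is an added example, not code from any of the posts; it builds the handshake records by hand so it also works from a probing machine whose own SCHANNEL has SSL 3.0 disabled. Host names in the usage lines are placeholders and the sample alert record at the end is constructed.

```powershell
# Added example, not from the forum posts above: raw ClientHello probe for
# SSL 3.0 acceptance and TLS_FALLBACK_SCSV handling. Works against IIS, Cisco ACE,
# AMS (RTMPS on 443) or any other TLS listener.

function ConvertTo-Uint16Bytes([int]$Value) {
    # big-endian two-byte encoding used for TLS lengths and cipher suite ids
    [byte]($Value -shr 8), [byte]($Value -band 0xff)
}

function New-ClientHello {
    param(
        [byte[]]$Version = @(3, 0),                                   # 3,0 = SSL 3.0; 3,1 = TLS 1.0
        [int[]]$CipherSuites = @(0x000a, 0x002f, 0x0035, 0x0005)      # 3DES, AES128, AES256, RC4-SHA
    )
    $suites = @(foreach ($s in $CipherSuites) { ConvertTo-Uint16Bytes $s })
    $random = New-Object byte[] 32
    (New-Object System.Random).NextBytes($random)                    # not security relevant for a probe
    # ClientHello body: version, 32-byte random, empty session id, suite list, one null compression method
    $body = @($Version) + $random + @(0) + (ConvertTo-Uint16Bytes $suites.Count) + $suites + @(1, 0)
    # Handshake header: type 1 = client_hello, 24-bit length (high byte is always 0 for this size)
    $hs = @(1, 0) + (ConvertTo-Uint16Bytes $body.Count) + $body
    # Record header: type 22 = handshake, protocol version, 16-bit length
    return [byte[]](@(22) + $Version + (ConvertTo-Uint16Bytes $hs.Count) + $hs)
}

function Read-ServerAnswer {
    # Classifies the first record the server sends back.
    param([byte[]]$Bytes, [int]$Count)
    if ($Count -le 0) { return 'closed' }                             # server dropped the connection
    switch ($Bytes[0]) {
        22 { return 'handshake' }                                     # ServerHello: the offered version was accepted
        21 { if ($Count -ge 7) { return "alert($($Bytes[6]))" } else { return 'alert(?)' } }   # level at [5], description at [6]
        default { return ('unexpected(0x{0:x2})' -f $Bytes[0]) }
    }
}

function Send-ClientHello {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [byte[]]$Version = @(3, 0),
        [int[]]$CipherSuites = @(0x000a, 0x002f, 0x0035, 0x0005)
    )
    $record = New-ClientHello -Version $Version -CipherSuites $CipherSuites
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $buf = New-Object byte[] 7                                         # an alert record is exactly 7 bytes
    $n = 0
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $stream.Write($record, 0, $record.Length)
        while ($n -lt $buf.Length) {
            $r = $stream.Read($buf, $n, $buf.Length - $n)
            if ($r -le 0) { break }
            $n += $r
        }
    } catch { }                                                        # timeout or reset: keep what was read
    finally { $client.Close() }
    Read-ServerAnswer -Bytes $buf -Count $n
}

function Test-Sslv3Accepted {
    # $true means the listener still negotiates SSL 3.0 and is POODLE-exposed.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 443)
    (Send-ClientHello -ComputerName $ComputerName -Port $Port -Version @(3, 0)) -eq 'handshake'
}

function Test-FallbackScsvHonoured {
    # Offer only TLS 1.0 (what a browser retries with after a failed newer attempt)
    # and append TLS_FALLBACK_SCSV (0x5600). A server that implements RFC 7507 and
    # supports something newer than TLS 1.0 must answer with alert 86
    # (inappropriate_fallback); an unpatched one just proceeds. A server whose
    # maximum really is TLS 1.0 legitimately proceeds too, so know the max first.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 443)
    $answer = Send-ClientHello -ComputerName $ComputerName -Port $Port -Version @(3, 1) -CipherSuites @(0x002f, 0x0035, 0x000a, 0x5600)
    $answer -eq 'alert(86)'
}

# Offline self-check on a constructed fatal inappropriate_fallback alert record
$sample = [byte[]](21, 3, 1, 0, 2, 2, 86)
Read-ServerAnswer -Bytes $sample -Count $sample.Length

# Live usage (placeholder hosts):
# Test-Sslv3Accepted -ComputerName 'sharepoint.example.com'
# Test-FallbackScsvHonoured -ComputerName 'ams.example.com' -Port 443
```

A listener that answers the SSL 3.0 hello with 'closed' or an alert is fixed from the server side; the fallback check is what tells you whether a TLS-capable client can still be pushed down by an active attacker, which is the second half of the AMS reply. The probe only looks at the first record, so it says nothing about certificate validity or cipher strength.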
Problem connecting to hosted SharePoint site using hotspot connection with Telstra 3G
I have problems connecting to a hosted SharePoint website using a hotspot connection: either the page doesn't load (IE) or I get repeated SharePoint authentication prompts (Firefox). The problem is specific to this hosted site; we can successfully load other web pages, and can access another company's SharePoint extranet using the iPhone hotspot connection. I have tried changing the cellular data APN settings on the iPhone from telstra.iph to telstra.internet but this did not solve the problem.
Look at the JSSE examples. You need to setup a key store, add the jsse jars to your classpath, yadda, yadda, yadda....
-
SCCM central site and primary site using the same SQL Server with two instances.
Hi Guys,
I want to deploy an SCCM 2012 central site and primary site in my domain, but I only have one SQL Server. Can anyone tell me how to install the central site server and primary site server on the same SQL Server with two instances?
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Sean Xiao
TechNet Community Support
Although you can install the configuration you describe above, we do not recommend you do it this way. If your SQL box has problems, all the data will go away and you will not have data redundancy.
You need to configure different SQL ports and SQL Broker service ports, e.g.
SQL port 4023, SQL Broker service port 4022 for the CAS instance
SQL port 4024, SQL Broker service port 4021 for the PRI instance
Juke Chou
TechNet Community Support
I agree with Johan and this configuration should not be used. But I want to clarify that the default port for "SQL port" (actually, SQL over TCP) is 1433 and the SQL Broker Service uses 4022. The configuration above should work, but the "correct" one would be to use 1433 and 4022 for the CAS and 10434 and 4023 for the Primary :)
You can read more about Network Ports used by Configuration Manager here
http://technet.microsoft.com/en-us/library/hh427328.aspx#BKMK_CommunicationPorts
/Tim
Tim Nilimaa | Blog: http://infoworks.tv | Twitter: @timnilimaa -
Hi,
I want to fetch the list of users who have full access to a SharePoint list using the client object model with .NET.
Please let me know if there is a property on the user object or any other way to get it.
Thanks in advance.
Here is the complete code I created some years ago; it lists all groups and users. You can just add a check in the permissions loop to see if the level is equal to Full Control.
using System;
using System.Net;
using System.Windows.Forms;
using Microsoft.SharePoint.Client;

// Lists every role assignment on the web: the principal, its type, the members of
// each SharePoint group, and the permission levels bound to the assignment.
// MyArgs and DoUpdate1/2/3 are the poster's own form helpers (URL/credentials in,
// ListViewItems out). To find "full access" holders, test
// roleDefsbindings[i].Name == "Full Control" inside the permissions loop.
private void GetData(object obj)
{
    MyArgs args = obj as MyArgs;
    try
    {
        if (args == null)
            return; // called without parameters or invalid type
        using (ClientContext clientContext = new ClientContext(args.URL))
        {
            // clientContext.AuthenticationMode = ClientAuthenticationMode.Default;
            NetworkCredential credentials = new NetworkCredential(args.UserName, args.Password, args.Domain);
            clientContext.Credentials = credentials;
            RoleAssignmentCollection roles = clientContext.Web.RoleAssignments;
            ListViewItem lvi;
            ListViewItem.ListViewSubItem lvsi;
            ListViewItem lvigroup;
            ListViewItem.ListViewSubItem lvsigroup;
            clientContext.Load(roles);
            clientContext.ExecuteQuery();
            foreach (RoleAssignment orole in roles)
            {
                // one round trip per assignment; acceptable for a small site
                clientContext.Load(orole.Member);
                clientContext.ExecuteQuery();
                // principal name and type
                lvi = new ListViewItem();
                lvi.Text = orole.Member.LoginName;
                lvsi = new ListViewItem.ListViewSubItem();
                lvsi.Text = orole.Member.PrincipalType.ToString();
                lvi.SubItems.Add(lvsi);
                // for a SharePoint group, also list its members
                if (orole.Member.PrincipalType == PrincipalType.SharePointGroup)
                {
                    lvigroup = new ListViewItem();
                    lvigroup.Text = orole.Member.LoginName;
                    DoUpdate1(lvigroup);
                    Group group = clientContext.Web.SiteGroups.GetById(orole.Member.Id);
                    UserCollection collUser = group.Users;
                    clientContext.Load(collUser);
                    clientContext.ExecuteQuery();
                    foreach (User oUser in collUser)
                    {
                        lvigroup = new ListViewItem();
                        lvigroup.Text = "";
                        lvsigroup = new ListViewItem.ListViewSubItem();
                        lvsigroup.Text = oUser.LoginName;
                        lvigroup.SubItems.Add(lvsigroup);
                        DoUpdate1(lvigroup);
                    }
                }
                // permission levels bound to this assignment, comma separated
                RoleDefinitionBindingCollection roleDefsbindings = orole.RoleDefinitionBindings;
                clientContext.Load(roleDefsbindings);
                clientContext.ExecuteQuery();
                lvsi = new ListViewItem.ListViewSubItem();
                string permissionsstr = string.Empty;
                for (int i = 0; i < roleDefsbindings.Count; i++)
                {
                    if (i == roleDefsbindings.Count - 1)
                        permissionsstr += roleDefsbindings[i].Name;
                    else
                        permissionsstr += roleDefsbindings[i].Name + ", ";
                }
                lvsi.Text = permissionsstr;
                lvi.SubItems.Add(lvsi);
                DoUpdate2(lvi);
            }
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
    finally
    {
        DoUpdate3();
    }
}
Kind Regards, John Naguib Technical Consultant/Architect MCITP, MCPD, MCTS, MCT, TOGAF 9 Foundation -
Is it possible to send a file to a sharepoint site using SSIS?
Hi everyone,
I got a request from my customer. She wanted me to develop an SSIS package that produces a CSV file and then sends the file to a SharePoint folder. Is this possible? Please give me some detailed suggestions so I can do a simple test by myself. Thank you very much.
regards,
Oliver
You may also want to check these other posts, too:
http://spmaster.wordpress.com/2011/08/15/uploading-documents-to-sharepoint-via-powershell/
http://www.a2zdotnet.com/View.aspx?Id=138#.U_ziy_ldWSo
http://geekswithblogs.net/bjackett/archive/2010/02/15/programmatically-uploading-files-to-a-sharepoint-2007-document-library.aspx
http://www.cozyroc.com/script/http-upload-download-task
SSIS Tasks Components Scripts Services | http://www.cozyroc.com/ -
Can someone advise, my proxy server blocks any sites using https
I'm not using parental controls; I'm blocking the hosts in the proxy server settings on OS X Server. It all works fine, but as soon as I go to some https:// site like https://auth.apple.com/authenticate?service=DockStatus&realm=primary-me&returnUR L=aHR0cDovL3d3dy5tZS5jb20vd28vV2ViT2JqZWN0cy9Eb2NrU3RhdHVzLndvYS93YS90cmFtcG9saW 5l&destinationUrl=
I get access denied even though I haven't set it in blocked hosts. I was wondering, do I have to have an SSL certificate to be able to access https:// sites? Does anybody know?
If I do, can someone explain the procedure for self-certification?
Turns out after I loaded more modules in the proxy server it sorted this problem out.
Message was edited by: purplemonkey1 -
Achieving Autofailover between Branches and HQ site using OSPF
Hi there,
I have a number of branches and ATMs which connect to the HQ via GRE tunnels through the L2 MPLS of the service provider's network.
Recently I commissioned a DR site that I would like all the branches and ATMs to point to in case of disaster.
Most importantly, I am supposed to achieve an auto-failover solution between branches and ATMs towards HQ; each ATM and branch has dual links from different providers for resiliency.
The standard I am supposed to use is OSPF between branches and HQ, where we have GRE tunnels running in between. Is there anyone who can assist me on how to achieve an auto-failover solution between the branches and HQ using OSPF on the existing GRE tunnels?
A sample configuration would really help.
Thanks.
What you are asking for here is a full-blown network design. It is more than just a few configuration commands.
We can point you in the right direction but we cannot do the entire thing for you.
We would need to know things like is there a direct link between HQ and DR, how many branches, is OSPF already in use, if so what areas do you have, are you proposing to use the same IPs at the DR site etc etc.
But before all that have you thought about how the applications would work ?
Presumably you have applications that run on servers at HQ. How do you sync this information to the DR site servers ?
So a couple of scenarios -
1) the link at HQ fails and all sites automatically switch to DR. Then 10 minutes later the link comes back up so all sites switch back to HQ.
How are you going to make sure that any data written to servers in DR is now replicated to the HQ servers in real time.
2) a branch primary link fails. It switches to DR but all the other branches are still going to HQ.
Again how you are going to ensure the data remains consistent between the HQ and DR servers as you now have two active sites.
Routing protocols are very good at automatically providing failover but they don't understand the applications.
The hard part with DR is not the network, although that in itself can be challenging, but how the applications are going to work.
So if you only want to invoke DR if there is a major outage at your HQ sites which could last for days for example then using a dynamic routing protocol could create more problems than it would solve.
You may not have applications that need to be kept in sync so it may not be an issue for you.
But even then what you are asking for is not trivial, DR never is.
Perhaps you can clarify exactly how it is meant to work otherwise we cannot really point you in the right direction.
Jon