
Check if Kerberos is working in SharePoint

The purpose of this article is to share output from a fully functional Kerberos setup, as a quick reference when verifying Kerberos after configuration.

I am not covering the steps for configuring Kerberos; there is a lot of information online on how to do this.

Some handy commands:


KLIST Tickets: Lists the currently cached tickets of services that you have authenticated to since logon.

KLIST Sessions: Displays the information for all logon sessions on this computer.

KLIST Purge: Deletes a specific ticket or all tickets.

You can use Network Monitor, the IE developer tools, HttpWatch or Fiddler to confirm.

I used Fiddler to capture traffic for the SharePoint site; below is a comparison of the Headers, Auth and Raw tabs to confirm whether Kerberos is functional vs NTLM.

Kerberos Header Tab

NTLM Header Tab

Kerberos Auth Tab

NTLM Auth Tab

Kerberos Raw Tab

NTLM Raw Tab

Event ID 4624 on WFE

Event ID 4648 on client machine

Event ID 4624 on client machine
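
The Kerberos-versus-NTLM check on the Authorization header described above, as an added example that is not part of the original post: the PowerShell below decodes the header value and looks for the NTLMSSP signature or the Kerberos 5 mechanism OID. The function names and the sample tokens are constructed for illustration.

```powershell
# Added example (not from the original post): classify an Authorization header value.
function Find-Bytes([byte[]]$Haystack, [byte[]]$Needle) {
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $j = 0
        while ($j -lt $Needle.Length -and $Haystack[$i + $j] -eq $Needle[$j]) { $j++ }
        if ($j -eq $Needle.Length) { return $i }
    }
    return -1
}

function Get-HttpAuthPackage([string]$HeaderValue) {   # hypothetical helper name
    $scheme, $b64 = $HeaderValue.Trim() -split '\s+', 2
    if (('Negotiate', 'NTLM') -notcontains $scheme -or -not $b64) { return 'Other' }
    try { $tok = [Convert]::FromBase64String($b64) } catch { return 'Malformed' }

    # "NTLMSSP\0" marks an NTLM message, sent bare or wrapped in SPNEGO.
    $sig = [byte[]](0x4E,0x54,0x4C,0x4D,0x53,0x53,0x50,0x00)
    $pos = Find-Bytes $tok $sig
    if ($pos -ge 0) {
        if ($tok.Length -lt $pos + 12) { return 'NTLM' }
        # Little-endian message type: 1 = negotiate, 2 = challenge, 3 = authenticate.
        return 'NTLM (message type {0})' -f [BitConverter]::ToUInt32($tok, $pos + 8)
    }
    # DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2.
    $krb = [byte[]](0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02)
    # 0x60 opens a GSS-API initial context token.
    if ($tok[0] -eq 0x60 -and (Find-Bytes $tok $krb) -ge 0) { return 'Kerberos' }
    return 'Unknown'
}

# Constructed samples: truncated token prefixes, not captured traffic or real tickets.
$krbBytes  = [byte[]](0x60,0x82,0x05,0x00,0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02,
                      0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02)
$ntlmBytes = [byte[]](0x4E,0x54,0x4C,0x4D,0x53,0x53,0x50,0x00,0x03,0x00,0x00,0x00)
$samples = @(
    'Negotiate ' + [Convert]::ToBase64String($krbBytes)
    'Negotiate ' + [Convert]::ToBase64String($ntlmBytes)   # Negotiate that fell back to NTLM
    'NTLM ' + [Convert]::ToBase64String($ntlmBytes)
)
foreach ($h in $samples) { '{0,-24} {1}' -f (Get-HttpAuthPackage $h), $h }
```

A Negotiate header that classifies as NTLM means the scheme name alone does not confirm Kerberos; the token content does.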

This operation can be performed only on a computer that is joined to a server farm by users ……..

Error Message: This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database. To connect this server to the server farm, use the SharePoint Products Configuration Wizard, located on the Start menu in Microsoft SharePoint 2010 Products.

Issue Description:
In one of my SharePoint environments I started getting this error when browsing a site collection; it was working fine until yesterday. As per the error message, I checked all the permissions for all the accounts on all databases, including the config database, but no luck.

After several reboots, IIS resets and Googling, I went back to Event Viewer and came across the warning below from source ASP.NET. This warning at least has an account name. I made sure that the account specified in this warning has all the permissions needed, but no luck.

Warning in Event Viewer: Event ID: 1309, Source: ASP.NET, Level: Warning
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 6/26/2017 3:11:03 PM
Event time (UTC): 6/26/2017 7:11:03 PM
Event ID: 1f56666ca7d249979903cbb7c1aa15de
Event sequence: 2
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1927342608/ROOT-3-131429778631987995
Trust level: Full
Application Virtual Path: /
Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\Contoso Home-80\
Machine name: ContosoMachine
Process information:
Process ID: 13012
Process name: w3wp.exe
Account name: DOMAIN\\AccountName
Exception information:
Exception type: InvalidOperationException
Exception message: This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database. To connect this server to the server farm, use the SharePoint Products Configuration Wizard, located on the Start menu in Microsoft SharePoint 2016  Products.
at Microsoft.SharePoint.Utilities.SPUtility.AlternateServerUrlFromHttpRequestUrl(Uri url)
at Microsoft.SharePoint.Administration.SPAlternateUrl.GetContextUri(HttpContext ctx)
at Microsoft.SharePoint.SPAppRequestContext.InitCurrent(HttpContext context)
at Microsoft.SharePoint.SPAppRequestContext.get_Current()

If none of the steps mentioned above worked for you, try one more: go to Central Administration > Security > Configure Managed Accounts > edit the account mentioned in the warning (in my case it was the app pool account) > check Change Password Now > select the option Use Existing Password > enter the password and click OK. That’s it.

If your issue is resolved, feel free to leave a comment, or let me know if you have any other solution.




Send email to all users in SharePoint group

Last week I was asked if it’s possible to send email to all SharePoint group members. The quick solution I tried was to select all users and click “Email Users” under the “Actions” menu in the SharePoint user group. It will select only the users that are on the current page, not those on the next page. You will see an arrow (pagination) to go to the next page in case you have more than 30 users.
The item limit for a SharePoint users group is set to 30 by default. You can increase it to whatever you want. But let’s say you have 500 users in a group called “Members”: you can set the view limit to 99, but “Email Users” under the “Actions” menu will not work anymore. You can try. It will throw an error, something like “cannot send email to that number of users”.
Of course there is more than one way to achieve this goal; below is one I came up with quickly and thought I would share.
Copy and paste each line individually after replacing the URL with your site collection URL.

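# Load the SharePoint cmdlets when not running in the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$Site = Get-SPSite http://SiteCollectionURL
# List every group in the root web with its owner
$Site.RootWeb.Groups | Format-Table -Property Name, Owner
# In my case I wanted to send email to all users in the "Approvers" group
$Site.RootWeb.Groups["Approvers"].Users | Format-Table -Property DisplayName, Email
# Write the email addresses of the group members to email.txt
$Site.RootWeb.Groups["Approvers"].Users | Format-Table -Property Email > email.txt
$Site.Dispose()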

You can modify the script and make it shorter by adding more variables, but this gave me what I was looking for. I wonder how this will work if one has thousands of users in a group. I don’t have any group that big, so I can’t test; if you have a group that big, let us know. Might have to use -Limit All in the command.

Another way to do this is to open Excel, click on Data Connections and add a new web data connection. Enter the URL of the SharePoint group; it will ask you to enter your credentials and will open the group view in Excel, where you can export everything from the page into Excel. Some formatting is needed here, but you can easily get the user first name and last name and then, using formulas, convert these 2 columns into an email address. Let me know if you need more info on this option and I will post in detail.


Improve Performance for SharePoint and Project Server – Part 2

I mentioned a few tweaks/changes that can help improve SharePoint/Project Server performance in Part 1.

I will add a few more items here in Part 2 of the same article.

16 – Another important change you can make when installing the OS, before the SQL installation, is to change the NTFS allocation unit size on your disks/drives. By default it’s 4096 bytes on Windows Server 2012, and by changing it to 64 you can easily gain some performance. For more reading:

17 – Make sure the initial size in the “Files” window of the “temp” database properties is set to some higher number. This is in addition to the additional tempDB files. Also, the “Auto Growth” option must be set to some higher number, not a percentage.

18 – One more place to look is the paging file size configuration on the server. Normally it is set to a lower number and can be configured based on the system RAM and other factors. It is recommended to set the paging file size up to 150% of the physical RAM, but I suggest you look into your environment first and then set those numbers. At a minimum, make sure it is set to the “allow system to set the size” option.

19 – Output Cache: one of the things sometimes overlooked; make sure you have output caching enabled on the site, as that will help improve performance.

20 – Blob Cache: in case of significant use of images on a SharePoint site, enabling the blob cache can be helpful. If you are planning to use new features like image renditions, the blob cache is required. It also helps improve performance by delivering those images faster from cache.

I found this article today that has some additional information about improving performance; check it out:

Feel free to add any additional settings in the comments below.

Why HNSCs in a Single Web Application? and Best Practices in SharePoint 2013..

The new recommendation and path suggested by MS is to go with a single web application and multiple Host Named Site Collections (HNSCs) instead of multiple web applications, as we used to do in the previous version of SharePoint.

For Software Boundaries and Limits click here.

You can still go with an additional web application if functionality is needed that cannot be achieved in the web app shared by all the HNSCs, e.g. a different authentication requirement such as SAML or FBA.

I have spent a lot of time building this new site architecture, and during my research I put together some notes (with links) from different articles written by MVPs and other famous authors/TechNet.

I used this during the implementation to share and show the importance of this new architecture and how to implement it, e.g. no manual IIS bindings and other best practices. I thought I would share this online as well, as a quick reference for others too.

If you have been playing with this new model and want to show your client the importance of this new structure, you can use the points mentioned below, and feel free to add any additional ones in the comment section.

  1. From TechNet “The recommended configuration for deploying sites is using host-named site collections with all sites located within a single web application, as illustrated in the following diagram.”

    • From the same TechNet link mentioned above “We recommend host-named site collections  unless requirements dictate that path-based sites with alternate access mapping are necessary”
    • From the link mentioned above “You can use host-named and path based site collections in the same web application. To ensure that both types of site collections are accessible to users, do not put host header bindings on the IIS website of your web application”
  2. Corporate Portal with Host named site collection
  3. Why only one web app is recommended: “The problem is that even the base binaries needed to load a Site into memory (e.g. using separate web apps) has a high performance impact — and given that people generally want vanity URLs, which meant separate Web Apps in the past, HNSC is a great alternative.”
  4. As per MVP Paul Stork: “Yes you can add a host header in the IIS binding after the fact, but it’s not a supported design from Microsoft’s point of view and I really wouldn’t recommend it.”
  5. Brenda (MSFT) talks about a Single Web Application “New features and existing features are optimized to work with host-named site collections like never before. However, it’s not just the feature that is important. It’s how it is configured — all host-named site collections are deployed to a single web application. The App model and Request Management, for example, are optimized for this configuration.”
  6. The maximum number of web applications is 20, but as per the same TechNet article: “We recommended limiting the number of web applications as much as possible. Create additional host named site collections where possible instead of adding web applications.”
  7. As per Trevor, MVP “You should try to limit the number of Web Applications (preferably 1). You can mix HNSC and Path-Based site collections within the same Web Application.”
  8. Logical Architecture Guidance for SharePoint by Steve Peschka. Benefits of one Web Application
  9. MVP, Trevor says regarding single Web App and single AppPool “The Microsoft model provides far better scalability than individual Web Applications would. Each Web Application (or Application Pool) has a significant amount of overhead, just in the base binaries alone. This is why Microsoft is encouraging towards a single Web Application + single Application Pool + host-based site collection model”
  10. Removing IIS binding manually by Russ Maxwell “When you create a web application and specify a host header URL, you stamp the host header URL on the spwebapplication object which is stored in the objects table in the configuration database. When you try to change the host header URL by updating the Alternate Access Mapping and manually update the bindings in IIS, the SPWebApplication object is never updated so it continues to maintain knowledge of the original host header URL and not the new one. When you start the Microsoft SharePoint Foundation Web Application service in Central Admin, the information from the associated SPWebApplication object in the configuration database is used when instantiating IIS Sites. This is why the original host header URL shows up.”
    Also see this, where MS recommends removing the IIS binding manually.
  11. Last but my favorite: one of the best articles, written by Trevor Seward, showing a comparison of resource usage when using multiple web applications vs a single web application with multiple HNSCs.

Feel free to add any comments or share your thoughts …