Magic Kingdom(s)

1… 2… 3…

I closed my eyes and then reopened them. Carefully I counted again.

1… 2… and 3.. Yes definitely 3.

Damn it.

The cast member looked at me expectantly.

“Where did she come from,” I asked.

He shrugged, “No one is sure really. We think she wandered in from D12.”

“She doesn’t exactly fit the profile.”

“Yeah,” he shrugged again, “she must have snuck through a partner park. Regardless, she is your problem now. By the way, her D1 parents are in the lobby. They are starting to freak out.”

Damn it.

Two years ago I sat in a room with the rest of the security team listening intently as the Imagineers described their latest breakthrough. “Dimensional shifting”. It seemed like an overly complicated solution to the simple problem of people just not having any patience. But the more they talked about it, the more it seemed to make sense. As long as you didn’t try to understand the science. Fortunately, the presentation they gave was relatively science free.

“Dimensional shifting will go into effect within the next six months,” they began. “Initially we will just be targeting our largest attractions, but we anticipate that once the technology is proven we will introduce it to minor attractions and restaurants. Express riders will be shifted to another park where there is no wait and then shifted back at the end of the ride.”

“Another park.” Yeah. That was a simple way of putting it. Another park on another world is what they meant. On another earth. One that somehow occupied the same space and time that we did right on the other side of the dimensional gateway. It made my head hurt. I was just the security guy. I shouldn’t have to worry about these types of things. After 18 years at the park you learned to trust the Imagineers though. If they said they could spin you around so fast that you almost threw up but didn’t, then sure. If they told you that they could integrate different types of insects into the park to eliminate mosquitoes then you did it, and if they told you they could send someone to an alternate earth to skip the line then you knew they could do it.

Damn thing worked too. 12 different parks were chosen on 12 different earths. Supposedly there were others out there as well, billions of them, some with empty parks, even empty worlds to cover with rides that had no wait, and restaurants that always had a table ready.

Then about 6 months ago…. We get this kid..

His mother insisted that his hair was a slightly different shade of brown before he went on the ride. We got it figured out though. The security team found the right kid, and legal got everyone paid off to keep quiet. After an extensive internal investigation though we discovered that some of the alternate parks had started scaling. They went out and made deals with other worlds, and they in turn with others. Enough that minor variances were starting to creep in. We tried to tighten things down. But…

..Damn it.

They are going to shut us down for this…

I looked at the little girl in the pink Aurora princess dress standing in front of me. I counted one more time… as slowly and carefully as my patience allowed..

1… 2… 3…

Damn it.

Three giant tears filled three soft blue eyes and she stared back at me, and started sobbing again…

Posted in Stories

Enabling Collaboration with EMS

Hit the link below to view my slides from the 11/2/2015 Reston SharePoint Users Group.

Title – How the Enterprise Mobility Suite can help Enable Collaboration

Synopsis – Microsoft’s Enterprise Mobility Suite is a collection of tools that work together with Office 365 and other cloud services to provide secure access to corporate resources on any device, regardless of where the resources are stored. In this session we will cover what these tools do and how they can enable collaboration for an increasingly mobile and demanding workforce.



Posted in SharePoint

Cloud and Mobile Device Security and Protection

Recently I had the opportunity to collaborate with @TechTrainerDean on a video about Microsoft’s Enterprise Mobility Suite (EMS). I’m pretty excited about this technology and Dean did an awesome job editing and creating the video. We are lucky to have him at Xgility. Thanks again Dean!

On a related note I’ll be presenting at the Reston SharePoint Users Group on November 2nd on EMS and how it can enable enterprise collaboration. Look forward to seeing you there!

Posted in SharePoint

Office 365 Identity Management Options

A snippet on Same Sign On Vs. Single Sign On from the Reston SharePoint Users Group. Covers some of the concepts of using Dirsync in Office 365 and/or ADFS.



Posted in Uncategorized

Reston SharePoint Users Group – SharePoint 2013 Hybrid Slides

Here are my slides from the Reston SharePoint Users Group on 9/15/2014.

Download Slides

Thanks to everyone that attended.

Posted in Uncategorized

SharePoint Saturday DC – Art of Troubleshooting

I just put the finishing touches on my presentation for SharePoint Saturday DC. I’ve presented on troubleshooting before but I’ve revamped my presentation to focus on methods and tools and am really looking forward to sharing it.

You will find out what ADPIE, half-splitting and motorcycles have to do with troubleshooting SharePoint.

The basic agenda is as follows;

  • Why talk about troubleshooting?
  • Troubleshooting methodologies
  • Patterns for troubleshooting SharePoint
  • Tips and Tools

I hope to see everyone out at SharePoint Saturday. See the event site for more details.


You can download my slides for this presentation @ this link.


Posted in SharePoint, Troubleshooting

IPv6 Notation

Just some notes on IPv6 notation –

  • An IPv6 address is eight 16-bit groups written in hex and separated by colons, which gets long, so the text form allows a few abbreviations.
  • Leading zeros within a group can be omitted: :009f: can be shortened to :9f:, and :0000: to :0:.
  • One run of consecutive all-zero groups can be replaced by ::, which stands for “enough zero groups to round the address out to 128 bits”. Because the number of elided groups is inferred, :: can only be used once in an address.
  • So :0000:0000: can be written as ::. RFC 5952 goes further: :: should replace the longest run of zero groups (the first one on a tie), should never replace a single zero group, and hex digits should be lowercase. That gives each address exactly one canonical spelling, which matters whenever addresses are compared as strings in logs, allow lists or firewall rules.

Example address

  • Long format = 2001:0000:0000:6ab8:0097:9f0e:0000:1f58
  • Shortened =   2001::6ab8:97:9f0e:0:1f58

Note that the single zero group near the end stays as :0: and only the two-group run becomes ::, exactly as RFC 5952 requires.
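The rules above are easy to get wrong by hand, and a string comparison against a differently spelled address silently fails. The following is an added example, not part of the original notes: a small RFC 5952 canonicalizer that expands any legal hex-group spelling and re-emits the single canonical form, cross-checked against Python's standard ipaddress module. The function names, the helper for string-free comparison and the sample spellings are all my own construction; embedded IPv4 forms and zone IDs are deliberately rejected rather than guessed at.

```python
from __future__ import annotations

import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> list[int]:
    """Parse a textual IPv6 address into eight 16-bit integers, honouring '::'.

    Plain hex-group form only: embedded IPv4 (::ffff:1.2.3.4) and zone IDs
    (fe80::1%eth0) raise ValueError instead of being mis-parsed.
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    values = []
    for g in groups:
        if not (1 <= len(g) <= 4 and set(g) <= HEX):
            raise ValueError(f"bad group {g!r}")
        values.append(int(g, 16))
    return values


def compress_ipv6(addr: str) -> str:
    """Return the RFC 5952 canonical text form of addr."""
    groups = expand_ipv6(addr)
    # Longest run of zero groups wins, the first run wins ties,
    # and a run of a single zero group is never replaced by '::'.
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexes = [format(g, "x") for g in groups]  # lowercase, no leading zeros
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def canonical_equal(a: str, b: str) -> bool:
    """Compare two addresses by canonical form rather than by raw string."""
    return compress_ipv6(a) == compress_ipv6(b)


def matches_stdlib(addr: str) -> bool:
    """Cross-check our output against the standard library's RFC 5952 form."""
    return compress_ipv6(addr) == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    # Constructed sample spellings, including the example from the notes above.
    samples = [
        "2001:0000:0000:6ab8:0097:9f0e:0000:1f58",
        "2001:DB8:0:0:0:0:0:1",
        "1:0:0:1:0:0:0:1",   # two zero runs: the longer (later) one gets '::'
        "::1",
        "::",
        "1:0:1:0:1:0:1:0",   # only single zero groups, so nothing is compressed
    ]
    for s in samples:
        print(f"{s:40} -> {compress_ipv6(s):28} stdlib agrees: {matches_stdlib(s)}")
```

Use canonical_equal (or the canonical string as a dictionary key) wherever an address from a log line or a request header is matched against a configured address; matching the raw text means 2001:DB8:0:0:0:0:0:1 and 2001:db8::1 look like two different hosts.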
Posted in Uncategorized

Skip the Authentication Selection Page at /_login/default.aspx in a Mixed Authentication Environment

So a few disclaimers prior to this post –

  1. This was a unique set of circumstances and was only ever meant to be temporary. I don’t know what the effects of it would be long term.
  2. I’m not a SharePoint developer and there was probably a better/smarter way of doing this.
  3. I can’t speak to this being a best practice, for all I know this is the way you’re supposed to do things and I’m wasting everyone’s time. That being said the names have been changed to protect the innocent, err.. guilty..

I ran into a situation the other night where a requirement had come up to change the default authentication provider on a SharePoint web application from ADFS to FBA. I won’t go into the details of the requirement but it came down to the customer not wanting to continue supporting ADFS (even though it was working), and wanting some additional features that they felt would be better supported using FBA. Their goal was to implement FBA side by side with ADFS and run both during a transition time while users were converted between authentication types. My job was to provide platform support for the project which included deploying the developer’s solutions to staging and production.

When ADFS was the only authentication mechanism on a web application, after hitting the front page of the site you were automatically redirected to the ADFS sign in page, which was located on a different server (the ADFS proxy) and had a different URL. Once the configuration changes and solutions were implemented to support FBA, when you hit the front page of the site you were presented (as intended) with a page at /_login/default.aspx which allows you to pick the authentication provider you want to use.

Pick Sign in page

Unfortunately this surprised the developers who had been testing both authentication types by just hitting a direct url for each. Now when you implement FBA you can build a custom page and set that page as the custom sign in url in central administration. But let’s say you want to continue having users be directed to the ADFS sign in page without being prompted to choose an authentication type. You can’t set the custom sign url to be a page/site that isn’t part of the web application you’re currently on.

So if your ADFS proxy site is at one URL and your SharePoint site is at another, you won’t be able to set the custom sign in page to the ADFS proxy; SharePoint just won’t let you do it. But!! Before you frantically create some redirect code and edit /_login/default.aspx, dig around a little in IIS and you will discover a set of directories with default pages for each authentication type.


The one we wanted was /_trust/default.aspx, the built-in page that sends the browser straight to the configured trusted identity provider (in the same way that /_forms/default.aspx is the forms-based login and /_windows/default.aspx the Windows one). Setting the custom sign in page in Central Administration to /_trust/default.aspx allowed us to bypass the authentication selection page and send users directly to the ADFS proxy site. Two things worth checking before relying on it: the custom sign in page is configured per zone, so set it on every zone that has both providers enabled, and the FBA login remains reachable by going directly to /_forms/default.aspx, so anyone who should not be able to use forms authentication still needs to be kept out of the FBA membership provider itself rather than just hidden from the selection page.

Now the developers could continue testing in the staging environment on the FBA login and the ADFS login without the pesky prompt to choose an authentication type. Hopefully someone finds this to be useful.


Posted in SharePoint, Troubleshooting

Get-SPSite Error – X.509 Certificate Error

I encountered an issue the other day in a testing environment where I couldn’t run Get-SPSite from PowerShell. I’ve seen stuff like this in the past when trying to call a site collection when a user isn’t a ShellAdmin or otherwise lacks permissions but that wasn’t the case here.

When trying to call a specific site I was getting the error –

“Get-SPSite : Cannot find an SPSite object with the Id or Url:”


But when trying just a generic Get-SPSite I was getting –


“Get-SPSite : ID4257: X.509 certificate ‘CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US’ validation failed by the token handler.”

In the event log I was seeing – Event ID 8311

“An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: 669768FC7C91DF33439823EDDEF4AB64AF37CAF9\n\nErrors:\n\n The root of the certificate chain is not a trusted root authority.”


And these errors were duplicated in the ULS logs. Some research led me to a post which describes a scenario where the root certificate for the Security Token Service is missing or incorrect and needs to be replaced. Truth be told the last time I had been working in this test environment I had been playing with some ADFS certificates and I believe now that I inadvertently overwrote or replaced my default STS certificate.

Sure enough when I ran Get-SPTrustedRootAuthority I could see the certs I had added for ADFS but not the default STS cert.

I was able to use PowerShell to create a new default certificate based on the post above and on a Microsoft KB article covering the same error.

Here are the commands I used, run from the SharePoint Management Shell as a farm administrator. The root certificate is the farm’s own “SharePoint Root Authority” that the event log entry names as the issuer; its thumbprint ($rootCert.Thumbprint) should match the one the farm expects, and it is worth checking that before you register it, since Manage Trusts controls which issuers the farm will accept tokens from.

# The farm's own self-signed root CA, the issuer named in event 8311
$rootCert = (Get-SPCertificateAuthority).RootCertificate
# Re-register it as a trusted root so the STS signing certificate chains to it again
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert

After running this I was able to see a new cert named “localNew” when running Get-SPTrustedRootAuthority, it also showed up in Central Administration under “Security -> Manage Trusts”.

Posted in Uncategorized

Upgrade MySites Host Site Collection in Office 365 – SharePoint 2013

Xgility’s Office 365 account was recently upgraded to 2013 and I noticed that on every other site collection I got a nice little pink notice at the top of the page prompting me to upgrade. On every page except my profile / MySite page.

Clicking on “About Me” in the suite bar sent me to the SharePoint 2010 version of my profile page.
Even after upgrading my “My Content” portion of the MySite I was still being directed to the SharePoint 2010 version of the profile page.
I tried appending “/_layouts/siteupgrade.aspx” to the end of the URL and just got an “Access Denied” error message. Which I thought was strange since I’m a site collection administrator, (or so I thought) and a company administrator. Then I remembered that despite being a site collection administrator for my MySite, the profile URL is generated from a MySite host which is a separate site collection that no one gets access to by default.

So I logged into the company portal and looked at my list of site collections. I found the application that was hosting our MySites and clicked “Owners -> Manage Administrators” and sure enough, only the Company Administrator account had been added.
Once I added my account as a site collection administrator in this area and refreshed the browser I was greeted by the nice pink notice to upgrade the whole MySite host site collection.


Posted in SharePoint