Unable to Delete Azure AD Connect Sync’d Groups

Issue

You have Active Directory groups being sync’d to Azure AD via Azure AD Connect.  These sync’d groups are being used for assigning licenses in your tenant.  If you delete one of these groups from your Active Directory, AD Connect throws an error and you get an error alert email.

The error says:

The cause of the error is not clear. This operation will be retried during the next synchronization. If the issue persists, contact Technical Support.

If you open the Azure AD Connect Synchronization Service, you can also see the error there:

AADConnectError

AAD Connect Error

If you try to delete the same group via PowerShell, you get the following error:

 

Remove-AzureADGroup : Error occurred while executing RemoveGroup.
Code: Request_BadRequest
Message: Group deletion is not allowed.

 

Cause

Azure AD blocks group deletion when the group is being used to assign licenses.  This is to help protect you from accidentally removing all of your users’ licenses with a single action.

Resolution

Remove the license assignment from the group and run the sync again.  You can kick off the sync from your AAD Connect Server by running:

Start-ADSyncSyncCycle -PolicyType:Delta

 

References:

Group Based Licensing: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-assignment-azure-portal

Advertisements

Microsoft Teams / SharePoint Online Integration Not Working

Issue

When creating Teams in Office 365, you may notice that the files and wiki features (items that depend on access to the back-end SharePoint site collection for the Office 365 group) do not work correctly.

Here is an example of the error In Teams UI

Error Message:
Hang tight, we’re busy making space for your Wiki. Wait a few minutes then try again.

Even after waiting 24 hours, the connection still does not work. Additionally, if you select the “Open in SharePoint” option from the channel menu:

You are given this error message:

We are setting up your file directory.

Lastly, and this is the cause of the issue, you see this error if you try to browse to the underlying SharePoint site collection from off-premises.

Due to organizational policies, you can’t access these resources from this network location.

Cause

Your organization has IP restrictions setup in the SharePoint Online tenant to restrict which source IP addresses are allowed to connect to your sites.

These restrictions can be configured in the SharePoint online Admin Portal:

  1. Open the Office 365 Admin Portal
  2. Browse to Admin Centers -> SharePoint
  3. Click on Device Access on the left navigation
  4. Check the Control access based on network location section for any IP restrictions. Your organization may have put their public IP ranges in this field to limit access to on-premises only.

Resolution

Microsoft teams requires that it (the teams infrastructure) can access your SharePoint tenant. Check with your organization about removing the IP restrictions from SharePoint Online device access policy.

PowerShell Fails to Connect to Office 365

Issue

You may experience an error when connecting to SharePoint Online (or other Office 365 services) via PowerShell. All you get back is a generic:

Connect-SPOService : Unexpected response from the server. The content type of the response is “text/html;
charset=UTF8”. The status code is “OK”.

Example Error

PS C:\Windows\system32] Connect-SPOService -Url https://tenant-admin.sharepoint.com
Connect-SPOService : Unexpected response from the server. The content type of the response is "text/html;
charset=UTF8". The status code is "OK".
At line:1 char:1
+ Connect-SPOService -Url https://tenant-admin.sharepoint.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-SPOService], ClientRequestException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.ClientRequestException,Microsoft.Online.SharePoint.PowerShel
l.ConnectSPOService

Cause

This can happen when your corporate web filter blocks the traffic to your admin URL, such as https://tenant-admin.sharepoint.com. Check the logs on the web filter / proxy to ensure the traffic is being allowed.

Fuzzy / Phonetic Search Does not Work in SharePoint 2013

Issue / Symptoms

Fuzzy / phonetic name searching is not working in people search in SharePoint 2013. For example, if you search for my name as “myree” (which is how it sounds), you would not get my profile as a result.

Here is a good reference on finding if your farm is having this issue (however the fix suggested is no longer the recommended solution): https://blogs.msdn.microsoft.com/ronalg/2015/02/25/sharepoint-2013-fuzzy-and-phonetic-people-search-dont-appear-to-be-working/

How to Reproduce the Issue

  1. Turn up logging level by running the following command (do this on non-prod or off hours)
Set-SPLogLevel –TraceSeverity:VerboseEx
  1. Open ULS log viewer and create a filter on “EN_EN.mdl” OR “fuzzy”
  2. Browse to the people search page and enter a name
  3. You will see entries similar to the following if your farm has this problem
On Query Server:

10/25/2016 13:07:45.13 NodeRunnerQuery2-936ea3ce-afa6- (0x0C0C) 0x270C Search Fuzzy Name Search ajyfa Unexpected CCANameProjector : Exception:Exception : Access to the path ‘E:\Program Files\Microsoft Office Servers\15.0\Data\Office Server\CanonicalResources\ProjectionModels\EN_EN.mdl’ is denied. encountered while attempting to load the Projection Model Catalog E:\Program Files\Microsoft Office Servers\15.0\Data\Office Server\CanonicalResources\ProjectionModels\EN_EN.mdl for Language : en encountered while attempting to load the projection model. 3af3b09d-aa93-906f-2913-467b8e5e0f93

On Crawl Server:

CCANameProjector : Exception:Exception : Access to the path ‘E:\Program Files\Microsoft Office Servers\15.0\Data\Office Server\CanonicalResources\ProjectionModels\EN_EN.mdl’ is denied. encountered while attempting to load the Projection Model Catalog E:\Program Files\Microsoft Office Servers\15.0\Data\Office Server\CanonicalResources\ProjectionModels\EN_EN.mdl for Language : en encountered while attempting to load the projection model.
CCAMetadataProducer : Fuzzy metadata generation failed to load resource for language: en.
CCAMetadataProducer : Fuzzy metadata generation failed for the current record. Check logs for more details.

  1. Remember to turn log levels back down!
Clear-SPLogLevel

If you watch the search index directory using procmon while running searches or profile crawls, you will see the access denied messages.

Cause

This is a known bug in SharePoint 2013.  It has been there since RTM.  The good news is that it is finally fixed in the July 2016 CU for SharePoint 2013.  This happens in scenarios when you run in the recommended way of having a separate service account (domain account) for the service service.  Under this condition, the service account does not have the permissions that the code requires.  The fix in the July CU changes the code so that read only access is all that is required on the search index directory.

Solution

Upgrade your farm to at least the July 2016 CU.  Once this fix has been applied, you will likely need to wait 1 day for all of the indexing / processing to take place before fuzzy / phonetic searches start working.

Test

After waiting a day, test this out using the SharePoint Search Query Tool.  Make sure you have nicknames and Phonetic enabled as shown below:

searchtool

Workarounds

If you can’t upgrade your farm for whatever reason, a temporary workaround would be to add your search service account to WSS_ADMIN_WPG local security group.  This change would require a reboot (or a service restart).

Visual Studio Load Test – Could not read result repository

Issue

After running a web test, you see an error such as this:

Error message:

Could not read result repository: Unknown transaction id in results: XX.

Will display the runtime result instead of the repository result.

You also get a similar error when you try to load historical results from the “Open and Managed Load Test Results” screen. In my case, I am running Visual Studio 2015 with Update 3. The controller and agents are 2013 with update 5.

Solution / Workaround

In this case, the workaround is to update your load test “Run Settings” to include a “Cool-down Duration”. This can set by:

  1. Open the load test file
  2. Click on the run settings section (the active one)

  1. In the properties window, set the “Cool-down Duration” to at least 1 minute:

SSRS – WebForms Error 12019

Issue

We have some really long running queries in our SSRS SharePoint integrated mode environment. After a few minutes of processing, we would see the following error:

Sys.WebForms.PageRequestManagerServerErrorException: An unknown error occurred while processing the request on the server. The status code returned from the server was: 12019

Interestingly, this issue only occurs when using IE. In Chrome, the report keeps running and works fine.

Solution

In our environment, we have an F5 BigIP as the load balancer in front of SharePoint. All we needed to do was set the Idle Timeout to 3600 (default was 300) on the TCP profile for the virtual server.


In other load balancing solutions, there are likely similar settings.

SSRS Report Parameters Session Timeout

Issue

A bug in the .net framework causes SQL Server Reporting Services (SSRS) reports to “lose” their parameter values when paging through the report when to stay on a page for longer than 1 minute.

When you click the next page button, you will be presented with the parameter prompt again:

Conditions:

  • You have a multi-page report in SSRS in SharePoint that includes required parameters
  • If you sit on a page of the report for more than 1 minute, you are re-prompted for parameter values and must re-run the report

 

Solution

This is a known problem in the .NET framework. Please reference the following KB: https://support.microsoft.com/en-us/kb/2996566

MSFT does not have the download link published, so you will need to contact support to be sent the hotfix. As of this writing, this hotfix has not been included in any public patches or updates.