Multi-tenancy and Project Server and PerformancePoint 2010

Update 21/01/2011: Update below regarding Excel Services and Multi-tenancy!

One of the exciting new features of SharePoint 2010 is multi-tenancy, if you’re working in hosted or shared environments then it is no less than a must-have feature.

Unfortunately in the real world of software nothing is perfect at RTM, and this would have to be one of those cases!

In short neither Project Server or PerformancePoint appear to support multi-tenancy in SharePoint 2010, it would seem that the feature has yet to be fully implemented for either service application, however the situation is not as bad as you might fear.


Project Server in a multi-tenanted environment

Firstly although Project Server does not accept any subscription related parameters when provisioning a new instance using PowerShell or the Central Admin, it does appear to work in a tenanted environment. Basically the fact that any provisioned PWA site is a site collection of its own means that once you have provisioned your PWA instance you can use the following PowerShell command to associate your PWA site collection with your tenant subscription:

Set-SpSite $PWASiteUrl -SiteSubscription $subscription

More good news is that once provisioned a PWA instance is able to communicate with other service applications belonging to the same subscription. Most importantly: Secure Store Service. Without that Excel Services wouldn’t work!

All is not good though, especially if you like to use the full feature set of the 2010 product, read on..


PerformancePoint in a multi-tenanted environment

This is where the news gets bad, it would appear that PerformancePoint in 2010 does not support multi-tenancy at all, it actually doesn’t appear to respect tenant subscriptions and so as a result you might end up with errors like the following when attempting to run Dashboard Designer or configuring the service application unattended account;

w3wp.exe (0x04E4)        0x0ED8        Secure Store Service        Secure Store        7557        Critical        The Secure Store Service application Secure Store Service Proxy is not accessible. The full exception text is: Access is denied.        adfdd2a3-b6e5-4d92-8c5e-5a44fd821969

w3wp.exe (0x04E4)        0x0ED8        Secure Store Service        Secure Store        d9ld        Unexpected        Unexpected exception from endpoint address

w3wp.exe (0x04E4)        0x0ED8        Secure Store Service        Secure Store        d9le        Unexpected        Logging unknown/unexpected client side exception: SecurityAccessDeniedException. This will cause this application server to be removed from the load balancer queue. Exception: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied

Some searching will lead you to a number of sources talking about the lack of a Master Key being created in the Secure Store which is most certainly the cause of the issue, unfortunately it appears that in the case where your Secure Store is created with tenancy enabled PerformancePoint is unable to see the Secure Store service application (and thus unable to retrieve the master key)!

Some deep reading led me to some TechNet articles detailing the requirements for PerformancePoint (sorry can’t find the link ATM), basically PPS requires that a Secure Store Service Application exists in the default proxy group, and as I’ve found that app also cannot be tenanted.

Fortunately this can also be worked around, maintaining a non-tenanted default Secure Store app dedicated to PPS does not as I see it introduce any security implications, in particular as you will have to provision a separate PPS service for each tenant in your farm (thus losing much of the benefits of multi-tenancy).


All I can say on this one is that I can’t wait for SP1 for PPS, maybe then we’ll even be able to name our databases and lose that BETA PowerShell command line syntax? :)


Update 21/01/2011:

See the following blog for information on how Excel Services impacts the above configurations!

Share and Enjoy !


Claims: Exception occurred issuing a security token

With a large customer going live on a fully multi-tenanted claims authenticated platform in the last month I’ve had the chance to really see the limits of these two new features in SharePoint 2010. This issue was one of the big impact problems that I’m hoping that I’ve now found the solution to, so with that in mind it’s definitely worth sharing.


After a few days of working normally claims authentication stops working unexpectedly on any given server in the farm, the below errors are logged.

Event Logs

Log Name: Application

Source: Microsoft-SharePoint Products-SharePoint Foundation

Event ID: 8306

Task Category: Claims Authentication

Level: Error


An exception occurred when trying to issue security token: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs..

Log Name: Application

Source: Microsoft-SharePoint Products-SharePoint Foundation

Event ID: 8306

Task Category: Claims Authentication

Level: Error


An exception occurred when trying to issue security token: The security token username and password could not be validated..

Log Name: Application

Source: Microsoft-Windows-User Profiles Service

Event ID: 1511

Task Category: None

Level: Error


Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

ULS Logs:

01/04/2011 13:38:52.17        w3wp.exe (0x037C)        0x0660        SharePoint Server        Shared Services        olgq        Exception       System.Runtime.InteropServices
.COMException (0x800703FA): Illegal operation attempted on a registry key that has been marked for deletion. at System.DirectoryServices.DirectoryEntry.Bind(…      

01/04/2011 13:38:52.17        w3wp.exe (0x0554)        0x0F30        SharePoint Foundation        Claims Authentication        8306        Critical        An exception occurred when trying to issue security token: The security token username and password could not be validated..       



The third the Event log error above I included as although it is one that you often see, it was the message that eventually led me to the what looks like the source of this issue, with that combined with the “registry key that has been marked for” message in the ULS I was lead to the following DCOM blog:

A COM+ application may stop working on Windows Server 2008 when the identity user logs off


It seems that the Claims provider breaks when for some reason or other the App Pool account logs off unexpectedly, the solution (at least after 2 weeks with no reoccurrence) is as suggested in the above blog;

As a workaround it may be necessary to disable this feature which is the default behavior. The policy setting ‘Do not forcefully unload the user registry at user logoff’ counters the default behavior of Windows 2008. When enabled, Windows 2008 does not forcefully unload the registry and waits until no other processes are using the user registry before it unloads it.

The policy can be found in the group policy editor (gpedit.msc)
Computer Configuration->Administrative Templates->System-> UserProfiles
Do not forcefully unload the user registry at user logoff

Change the setting from “Not Configured” to “Enabled”, which disables the new User Profile Service feature.

‘DisableForceUnload’ is the value added to the registry


I’ll update this blog entry if the problem comes back.

Share and Enjoy !


How to Check the Version of SharePoint / Project Server Installed

It seems SharePoint 2010 gives a nice new way to say exactly what versions of the binaries are installed on any given server in your farm, this is a great enhancement from 2007 which effectively required a Windows Explorer properties check at times to be absolutely sure that all the servers had been updated!

Find it in Central Admin by;

  1. Open Central Admin go to Upgrade and Migration


  1. Select Check product and path installation status

You should see something like the following:


Specifically if you scroll down you will see the project server section under each server in the farm, and in my case you can see the RTM version number plus the KB2394322 (October 2010 CU).




FYI that SQL method still can come in handy (when migrating for instance) so if you’re not familiar with it here it is:

USE ProjectServer_Reporting

SELECT * FROM dbo.Versions

Not exactly as much detail as the above method, but it does confirm what version server your databases should belong to.

Share and Enjoy !


Database Restore from / to Claims Auth App Problem

When restoring SharePoint 2010 databases or sites I have recently come across the following problem:

Access Denied to all Sites for all users, including Site Collection Admins.

This appears similar to old 2007 restore issues which were fixed using the STSADM MigrateUser command, however in this case it seems that the STSADM (or PowerShell move-spuser) commands doesn’t fix the issue. And I have definitely made certain to change the Site Collection admin on the restored site collections using Central Admin.

A little investigation revealed that the reason is the use of Claims (or Forms) Authentication in either the source or destination web application, so in my case where my Test environment used Claims (both NTLM and LDAP) but my Prod was only going to use NTLM authentication the restored sites were inaccessible (including PWA!).

Fortunately in my case I found a workaround; setup my new Web App to use Claims, however only enable NTLM authentication, effectively resulting in a pure NTLM setup. However that won’t always work, in fact I have another case where the source data (from an old 2007 portal) is using NTLM and I want to migrate it to 2010 using Claims, in that case another solution will be required.

I plan to investigate further using the "move-spuser" powershell command as that seems to be the solution, it just seems that something is preventing it from migrating the users as expected. I’ll update this blog with my results.

Share and Enjoy !


Configuring Claims-based Authentication

I just spent some time setting up my first claims based authenticated Project Server 2010 and thought I would post my experiences here, maybe that will help someone avoid the issues I had.

Firstly Bill Baer’s TechNet Blog has a great how-to article on the setup of claims-based authentication, unfortunately there are a few mistakes and omissions in the post that will cause some issues if you follow the steps as provided.

To clarify one mistake I noticed (where Bill asks you to update the Central Admin web.config twice) you must configure the web.config of the following:

  • Central Administration Web Application
  • Security Token Service
  • Your Web Application

Security Token Service Error:

Secondly when updating the Security Token Service, in my default install I found that there was no <system.web> tag, and so placing the config after the </> as instructed by Bill, caused the following error when trying to login:

ProtocolException: The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. T

Once I enclosed my <membership> and <rolemanager> tags in a <system.web> </system.web> all was good. Thanks to this thread for that solution.

Secure Store Error:

Finally once I got it all setup the I was getting errors trying to open my Excel data connections via Excel Services, the ULS log error was the following:

06/04/2010 12:52:42.78    w3wp.exe (0x1AA4)    0x1D94    Secure Store Service    Secure Store    7493    Critical    The Microsoft Secure Store Service application Secure Store Service failed to retrieve credentials. The error returned was ‘Access is denied.’. For more information, see the Microsoft SharePoint Products and Technologies Software Development Kit (SDK).    e994ce5b-fcde-43e8-a32b-c2427a86fc6d

This one turned out to be very simple, I forgot to add my new claims ‘role’ group to the Target Application Members configured and used by my data connections. Editing the Target Application under the Secure Store Service Application and adding to the Members those users logging in using claims fixed that one.

Share and Enjoy !


Database names in SharePoint 2010

With SharePoint 2010 adding a good number of new databases to the default configuration one thing that is sorely missing is the ability to easily name those databases.

Is it just me who has to conform to strict database naming conventions in most installations of Project Server?

I’ve just been working on what I think is a pretty typical Project Server 2010 installation and found that in-order to simply prefix my databases names with something rather than let them be automatically named with a GUID I faced the following:

  • Central Admin and the farm configuration is the same as 2007, the PSCONFIG command line will let you name both of those databases.
  • Session State Service Application – the first hurdle, this one requires a PowerShell command to give the database a name, e.g.:

$serviceApp = New-SPStateServiceApplication -Name "State Service"

New-SPStateServiceDatabase -Name "MyPrefix_State_Service" -ServiceApplication $serviceApp

New-SPStateServiceApplicationProxy -Name "State Service" -ServiceApplication $serviceApp –DefaultProxyGroup

  • Secure Store Application – Central Admin fortunately will let you name the database through the usual creation process.
  • Search Service Application – Next hurdle and this one much bigger, three databases are required now for the Search service; Administration, Crawl and Property databases are created, this blog post has a nice PowerShell script to create the service with named databases but with 50 odd lines for the script I’m not going to repeat it here. Fortunately if you’re happy with not naming just one of those three databases, it is actually possible to create new Crawl and Property databases with specified names after creating the three using Central Admin.
  • PerformancePoint Service – Well for this one I have not found a way to name the database?! I need to revisit this as there must be a way, but looking at the PowerShell command line options and searching TechNet I couldn’t find one!
  • User Profile Service, Excel Services and WSS Usage are all well behaved and through Central Admin you can name the databases.

So it’s about time to get that installation PowerShell script done, as unless your happy with the default wizard configuration then this setup is getting quite long “just” to get Project Server 2010 installed.

Share and Enjoy !