SharePoint (SP) is a web application platform that runs on IIS and persists its content to a SQL Server database. An SP Farm has 1 or more web applications and a web application can have 1 or more site collections. There are different reasons to have more than 1 SP web application, such as different authentication schemes or tighter control of the site content.
Screenshot - IIS showing 5 websites (2 of them SP web applications).
In the diagram above App1 and App2 are SP Web Applications that have been created by the SP farm administrator. The SharePoint Central Administration website and SharePoint Web Services website are added automatically when SharePoint is installed. The "Default Web Site" is added when IIS is installed; it is not a SP website.
Each SP web application has one or more site collections. A new content database is created in SQL Server for each site collection. SP farm administrators can delegate the management of a site collection to "Site Collection Administrators", who work with SharePoint sites and content but do not interact with the server computers or databases. Basically, the site collection is a way to give the business users the power to control access.
SharePoint 2013 Central Administration Application
"SharePoint 2013 Central Administration" is the web application used to create web applications and site collections.
Screenshot - Shortcut to start the SharePoint 2013 Central Administration
Screenshot - SP 2013 Central Administration
Screenshot - SP2013 showing all site collections for the web application found at "app1.dom1.loc". There is only 1 site collection in this web application; it is named "rnd".
Prerequisite Permissions/ Site Collection Administrator
The documentation says "Assign that user to be the "Site Collection Administrator". Use the web application policy rule to assign these permissions." Do not set the user as the Site Collection Administrator on any of the site collections; instead, assign full control to the service account using the steps outlined below.
Site Collection Administrator
Web Access Policy
Example: Setting Web Application Policy for SecurityIQ in SP2013
1. Open “SharePoint 2013 Central Administration”
2. Click "Security" in the menu along the left-hand side of the page.
3. Click “Specify web application user policy”
4. Click Add Users
5. Change the Web Application as needed. Keep the default setting of “All zones.” Click Next.
6. Add the service account to the users list. Check the Full Control box. Click Finish.
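The same web application user policy can be applied from the SharePoint Management Shell. This is an added example, not part of the SecurityIQ documentation or scripts; the web application URL and the service account name are placeholders for your environment.

```powershell
# Added example: grant the service account Full Control on a web application
# through a user policy, the equivalent of steps 1-6 above in Central Administration.
# Assumptions: $webAppUrl and $serviceAccount are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = "http://app1.dom1.loc"
$serviceAccount = "DOM1\SIQ_SP"

$webApp = Get-SPWebApplication $webAppUrl

# Claims-based web applications store policy users in encoded claims form
# (i:0#.w|DOM1\SIQ_SP); classic-mode web applications use the plain login name.
if ($webApp.UseClaimsAuthentication) {
    $claim = New-SPClaimsPrincipal -Identity $serviceAccount -IdentityType WindowsSamAccountName
    $policyUser = $claim.ToEncodedString()
} else {
    $policyUser = $serviceAccount
}

# $webApp.Policies is the "All zones" policy collection shown in the GUI.
$existing = $webApp.Policies | Where-Object { $_.UserName -eq $policyUser }
if (-not $existing) {
    $policy = $webApp.Policies.Add($policyUser, "SecurityIQ service account")
    $fullControl = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    $policy.PolicyRoleBindings.Add($fullControl)
    $webApp.Update()
}

# Verify: list every policy on the web application with its role names.
$webApp.Policies |
    Select-Object UserName, DisplayName,
        @{ n = "Roles"; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", " } }
```

Run it once per SP web application that SecurityIQ must read; the policy is per web application, not per site collection.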
Running the PowerShell Script
This PowerShell script generates a text file containing the SQL statements that set all the required permissions on the SharePoint database objects. You must run the SQL statements on the database server manually; the PowerShell script does not modify the database permissions itself.
Here is the syntax for running the script:
.\20150514-WBX-CreateSQLScriptForSPPerReq.ps1 DOM1\SIQ_SP
Troubleshooting SharePoint Connections
Check if there are events in SharePoint
You can query the SharePoint database for events to verify that it is in fact generating an audit trail that SecurityIQ can read. If a certain event is missing, you can filter on ItemFullUrl to see if the event you expected to see in SecurityIQ was generated by SP.
The SharePoint connector in SecurityIQ has the option to purge old audit events from the SharePoint server. Be sure to leave the “days to keep” setting long enough for you to troubleshoot certain events.
Sample queries to read the SP audit trail in SP 2013
/* update to use the admin database in your environment */
Use SharePoint_AdminContent_bc056d7f-1c9d-4f39-9b05-82cf5e57bdb1
/* Use the optional where clauses to help you troubleshoot certain events */
select *
from EventCache with (nolock)
where ItemFullUrl like '%someDocThatShoudHaveAuditTrail%'
and EventTime > '2016-05-06 16:37:36.750';
Data Classification Error - Service will not start
Unlike the other data classification services, the SharePoint data classification services do not log on as the local system account. Instead, the installer sets the service to log on as the service account that will connect to SP. This account must have access to the local machine certificate store. If it does not, this error will appear in the logs.
2016-05-10 18:23:37,111,ERROR,WBSearch.Infra.Logger,OnStart,Service OnStart Error:Object reference not set to an instance of an object.
2016-05-10 18:23:39,236,ERROR,WBX.Common.Utilities.RSAHelper,decryptStringPKCS7,Caught Exception:
System.Security.Cryptography.CryptographicException: Keyset does not exist
at System.Security.Cryptography.Pkcs.EnvelopedCms.DecryptContent(RecipientInfoCollection recipientInfos, X509Certificate2Collection extraStore)
at WBX.Common.Utilities.RSAHelper.decryptStringPKCS7(Byte[] pkcs7ToDecrypt)
2016-05-10 18:23:39,845,ERROR,WBX.whiteOPS.DAO.NHibernate.GenericDAO`2,findAll,Caught Exception:
System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'SecurityIQ_User'.
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
To resolve this error, grant the service account permission to the local certificate store, or add the user to the local Administrators group on the server running the SP data classification service.
SP BAM could not turn on auditing
The SP BAM uses the SP API to turn auditing on and off. If the service account does not have rights to turn on auditing, this error will be in the log at the time the agent starts. Expect one of these per site collection.
2016-04-25 18:54:58,708,4,ERROR,WBX.whiteOPS.Agents.WSSBAMAgent.WSSBAMAgent,turnAuditOn,Error while turning audit on.
Url: http://myboardtest
2016-04-25 18:54:58,781,4,ERROR,WBX.whiteOPS.Agents.WSSBAMAgent.WSSBAMAgent,turnAuditOn,Caught Exception:
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.SharePoint.Library.SPRequest.SetAuditFlags(String bstrUrl, Guid gSiteId, String bstrDirName, String bstrLeafName, Int32 itemType, UInt32 AuditFlags)
at Microsoft.SharePoint.SPAudit.Update()
at WBX.whiteOPS.Agents.WSSBAMAgent.WSSBAMAgent.turnAuditOn(WSSBusinessService curBS)
This next event occurs after the events above, as the BAM tries to read the audit log that failed to turn on. Expect one per site collection.
2016-04-25 18:56:09,298,12,ERROR,WBX.whiteOPS.Agents.WSSBAMAgent.WSSBAMAgent,pollSite,Caught Exception:
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at Microsoft.SharePoint.SPAudit.GetEntries(SPAuditQuery query)
at WBX.whiteOPS.Agents.WSSBAMAgent.WSSBAMAgent.pollSite(String siteUrl, Dictionary`2 relevantBRs, DateTime from, DateTime to)
To fix this try one of these options:
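Whichever fix you apply, you can confirm it took effect by reproducing the two API calls from the stack traces above, SPAudit.Update() and SPAudit.GetEntries(), from a SharePoint Management Shell started as the service account. This is an added diagnostic, not SecurityIQ code; the site collection URL is a placeholder.

```powershell
# Added example: run as the service account (e.g. start the shell with runas)
# to check that it can turn auditing on and read entries, as the BAM does.
# Assumption: $siteUrl is a placeholder for one of your site collections.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://myboardtest"
$site = Get-SPSite $siteUrl

try {
    # Show the current audit mask, then enable all event types (what turnAuditOn does).
    Write-Host "Current audit flags: $($site.Audit.AuditFlags)"
    $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::All
    $site.Audit.Update()          # throws E_ACCESSDENIED when the web app policy is missing
    Write-Host "Audit flags now: $($site.Audit.AuditFlags)"

    # Read the last 24 hours of entries, the call that failed in pollSite above.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart((Get-Date).AddDays(-1))
    $query.SetRangeEnd((Get-Date))
    $entries = $site.Audit.GetEntries($query)
    Write-Host "$($entries.Count) audit entries readable for ${siteUrl}"
    $entries | Select-Object -First 5 Occurred, Event, DocLocation, UserId
}
catch [System.UnauthorizedAccessException] {
    Write-Warning "Service account lacks rights on ${siteUrl}: $($_.Exception.Message)"
}
finally {
    $site.Dispose()
}
```

If Update() succeeds but GetEntries() still throws, the account has the policy on the web application but the audit read is being blocked at the site collection; expect one failure per site collection in that case, matching the log pattern above.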
BAM Error – No rights to an IIS log file folder
The SP BAM monitors view events by reading the IIS log files from the one or more servers that front-end SharePoint content. If the service account cannot access the log file, due to a bad path/file name or missing permissions, this error will occur.
2016-05-04 16:25:48,577,12,ERROR,WBX.whiteOPS.Agents.WSSBAMAgent.MonitorView.LogFilesThreadManager,init,Caught Exception:
System.ArgumentException: \\server1\c$\inetpub\logs\LogFiles\W3SVC1990221007 does not exists, please check the UNC and verify the service user has permissions to access it
at WBX.whiteOPS.Agents.WSSBAMAgent.MonitorView.LogFileThread..ctor(String logFilePath, LogParser parser)
at WBX.whiteOPS.Agents.WSSBAMAgent.MonitorView.LogFilesThreadManager.init(Object dummy)
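The folder name in the error (W3SVC followed by a number) is the IIS site id, so the expected UNC can be derived from the IIS configuration on each front-end server rather than guessed. The following added check (not SecurityIQ code; the service account name is a placeholder) prints that path for every website and whether the service account has an explicit grant on it.

```powershell
# Added example: run on each SharePoint front-end server to print the IIS log
# folder the BAM must read for every website, in the \\server\c$\... form used
# in the error above, and to list the service account's ACEs on that folder.
# Assumption: $serviceAccount is a placeholder.
Import-Module WebAdministration

$serviceAccount = "DOM1\SIQ_SP"
$server = $env:COMPUTERNAME
$samName = $serviceAccount.Split('\')[-1]

foreach ($site in Get-Website) {
    # IIS writes each site's logs to <logFile.directory>\W3SVC<site id>;
    # that is where a name like W3SVC1990221007 comes from.
    $localDir = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
    $localDir = Join-Path $localDir ("W3SVC" + $site.id)
    $uncDir   = "\\$server\" + ($localDir -replace '^([A-Za-z]):', '$1$$')

    if (-not (Test-Path $localDir)) {
        Write-Warning "$($site.name): $localDir does not exist yet (IIS creates it on the first logged request)"
        continue
    }

    # Explicit ACEs naming the service account. Access inherited through group
    # membership is not shown here; test from a session running as the account.
    $aces = (Get-Acl $localDir).Access | Where-Object { $_.IdentityReference -like "*$samName*" }
    $rights = if ($aces) { ($aces.FileSystemRights -join ', ') } else { 'NONE - grant Read' }

    [pscustomobject]@{
        Website    = $site.name
        UncPath    = $uncDir
        ServiceAce = $rights
    }
}
```

Compare the UncPath column with the path configured in the SharePoint connector; a mismatch on any front-end produces the ArgumentException above.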
Maintenance Tasks and Audit Cleanup
The activity monitor calls the SharePoint API to purge SharePoint audit data (at 1:00 local time by default). This is not the same as the SharePoint maintenance task that is often configured to run at 1:00 am local time and performs a similar function. Whether started by SecurityIQ or by SharePoint, if SharePoint auditing has been in use for a long time and the audit logs have not been purged, starting the purge may create very large database transaction log files on the SharePoint databases. Contact Microsoft support if this becomes a problem; it is due to the SharePoint API, not SecurityIQ.