Tuesday, 24 September 2013

Office Web App WCA - SSL confussion

Overview: Office web Apps (WCA) 2013 defaults to using https, this is a good position to take but SSL offloading may be needed or you may want to do testing without SSL.  In my case we are using KEMP for SSL termination and before the NLB's are in place I made some hard discoveries.

SSL, WCA wants to use SSL and has some confusing switches, they make sense eventually so to summerise: You have 3 options to install WCA with SP2013:
  • Not using SSL (not recommened),
  • SSL Certificates on the WCA servers
  • SSLOffloading (Hardware device such as an F5 or KEMP does the SSL decryption, this saves you distributing certs to the WCA servers but means that the traffic between the NLB and the servers is not encrypted.)
My Scenario and Resolution:
Basically I have 2 WCA servers that make up my Office web App farm.  I want to connect SharePoint 2013 to display/edit document via the web browser and I want the preview cabability that SharePoint search needs.  This post explains the situation "Not Using SSL". 

In my initial attemp at installing the WCA farm I selected the switch -SSLOffLoading, this makes the WCA farm accept http requests.  My issue was that other resources then made http requests that with a load balancer performing SSL termination in place is correct.  And here was the problem, when i open a word document it just waits.  I opened my IE developer toolbar and noticed the https request.  Below is how I rolled out of the issue to allow me to use http throughout (Don't do this in production).

Location of the ULS logs on the WCA VM's: C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS
This part of the post differs in that I explain how to use the "SSLOffloading scenario".
You need a load balancer such as F5 or Kemp with networking configured.
The big differences are:
Ensure the "WopiZone : internal-https"
Tip:  Watch the networking. 
Tip:  You can't use a wild card certificate if you use SSL termination on the load balance (it actually works if you only have 1 WCA VM in your farm).
Scenario: SharePoint 2013 farm (represents any WOPI client/consumer), this can be on http or https.  The WCA farm consists of 2 or more WCA dedicated VM's.
The diagram above shows of the clients browser will interact with the WOPI consumer namely SharePoint 2013 and it accesses the SSL based url for the WCA server.  So the request would go to https://wca.demo.dev.  The load balancer performs SSL termination and load balances to any WCA server on port 80 using session affinity.
Tip: I used a wildcard certificate in UAT that works in a load balanced scenario but rather go for the fully qualified certificate for the WCA https service. 
Problem:  When I create a WCA farm (1VM) and connect SharePoint to use the WCA farm, office documents show correctly.  However when I have WCA multiple servers, I get a the error “[ServerError: Verifying signature failed]. [status:NotFound”.  In my  VM logs on the Office web app server (WCA ULS).

Initial Hypothesis: The error appears to be an issue with SSL, while routing around I found the following information on certificates: http://technet.microsoft.com/en-us/library/jj219435.aspx#certificate

·         The certificate must come from a trusted Certificate Authority and include the fully qualified domain name (FQDN) of your Office Web Apps Server farm in the SAN (Subject Alternative Name) field. (If the FQDN is not in the SAN when you try to use the certificate, the browser will either show security warnings or won’t process the response.)

·         The FQDN in the SAN field can’t begin with an asterisk (*).

Below is a view of our wildcard certificate of the SAN field:
What made this issue tough to track is that when I only have 1 WCA server, WCA displays my word document correctly.  This document is cached when I add the remaining servers however once the cache clears down I loose WCA functionality.
Microsoft troubleshooting for WCA
Tip:  A lot of issues around WCA involve networking.  It is useful to verify networking on the VM's.  I use host entries until I am ready to get the load balancing service working.  Note:  Ensure communication from WCA back to the SP WFE's.

Automate the deployment of an WCA 2013 farm - run the setup.exe silently

Problem:  I have been trying to automate the creation of my Office Web Apps (WCA) 2013 farm and hook it into my SharePoint 2013 farm.  When installing the WCA binaries using PowerShell I get prompted periodially. 

Initial Hypothisis:  Using the setup.exe /? switch I don't see a run silently or accept defaults.  I tried extracting the exe and workingout the switches without joy.  Asked some folks an no answer.  The is a /config switch but I have no idea how to structure it.  Eventually I noticed a folder on the WCA binaries ""

Resolution:  Run the setup.exe and supply the location of the configuration file for a silent install.  If you refer to the config.xml as I have done above, the install will use all the default settings.  Change it if you want a custom Office Web Apps install on each machine in the farm.

I could not find this on the Internet and once I got there is is on the net, see below - recon I need a Google search training day.

More Info:

Thursday, 19 September 2013

WCA and SP2013 not displaying Office document

Problem: I have setup Office Web Apps (OWA/WAC) 2013 on Windows 2008 R2 and connected it to SP2013.  WAC appears to be working and the hookup from SP2013 went without a hitch.  I try open a word document in WAC and receive the error: "Sorry, there was a problem and we can't open this document. If this happens again, try opening the document in Microsoft Word."

Initial Hypothesis:  I can't find any errors in my event logs and in my ULS log on WAC (C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS) I opened the latest log and looked for errors, I found couple of "Unexpected" errors that relate to my problem.  The error looks something like: "HttpRequestAsync, (WOPICheckFile,WACSERVER) no response [WebExceptionStatus:NameResolutionFailure, url:http://web-sp2013-uat.demo.dev/_vti_bin/wopi.ashx/files/ef71ad7d...."
WOPI CheckFile: Catch-All Failure [exception:Microsoft.Office.Web.Common.EnvironmentAdapters.UnexpectedErrorException: HttpRequest failed

I realised that my DNS entry to web-sp2013-uat.demo.dev is missing on my WAC servers, I added local host entries which corrected the error.

Resolution:  Ensure the DNS entry to the SP2013 web servers has permeated down to all WAC servers, I added a host entry to proof the fix however stick to using DNS as if the IP/resolving changes you would need to go to each OWA/WAC machine and correct the issue.

More Info:

Tuesday, 17 September 2013

OWA patch issue - Windows Update KB2592525 must be installed

I followed the Technet instruction to install OWA 2013 on Windows 2012 which are clear but did cause me to have this hiccup.

Problem:  After installing OWA 2013 binaries I try to create my new farm on Windows 2008 R2 using the PS cmd>New-OfficeWebAppsFarm –InternalURL "http://servername" –AllowHttp -EditingEnabled
I receive the following error: "New-OfficeWebAppsFarm : The operation failed. The server did not meet the following prerequisites: - Windows Update KB2592525 must be installed."

Initial Hypothesis: I have already installed the OWA pre-requisites and KB2592525 is part of the "Windows PowerShell 3.0" pre-requisite. 

Resolution: I downloaded the KB for Windows 2008 R2 and try install it.  It fails with the erro saying that the kb is not for this version of Windows (This update is not applicable to your computer).  So this failed now I'm getting rather irratated with Microsoft and the OWA install.  Failed, and I need to define a new problem.

Problem:  I can't install the download KB2592525.

Resolution: I found this post explaining how to fix my error "When you try to install Lync WAC server (Office wen apps server 2013) on Microsoft Windows server 2008 R2 SP1 you may have this error while installing KB2592525 required update (This update is not applicable to your computer)."

While routing arround my OWA Server, I noticed that the Windows Service "Office Web Apps" has not started.  It fails if you try start it.
 My event Viewer show the following error "The Farm settings are invalid...":
This is correct, the service only starts when the new OWA farm is created.
Note: The Windows Service "Office Web Apps" will only start once the New farm is created, not when the OWA binaries are installed. 

Retrieveing Versions

Overview:  I repeatedly need to determine versions of software and patches so this post holds common requests to verify versions that I need.

.NET framework versions installed:
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | Get-ItemProperty -name Version -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}'} | Select PSChildName, Version

Version of Powershell on a machine:

Version of your SharePoint farm:
 PS> (get-spfarm).buildversion

Version of Office Web Apps 2012/WCA:
The easiest way to get the OWA version is to make an http/https request to your WCA server and the version number is returned in the response header.
I use IE and fiddler so I can view the traffic to the url https://wca.demo.dev/m/met/particiapant.svc, you will get a 302, but your can see the version return in the https response header.
15.0.4481.1005 is WCA 2013 with the March 2013 CU.
15.0.4420.1017 is WCA 2013 RTM.

The approach below does not work:
((Get-ChildItem hklm:\software\microsoft\windows\currentversion\uninstall | Where-Object {$_.PSChildName -Like "*WacServer"}) | Get-ItemProperty).DisplayVersion

from http://blogs.technet.com/b/sammykailini/archive/2013/09/20/how-to-find-the-version-or-build-number-for-an-office-web-apps-2013-farm.aspx

It should show version 15.0.4481.1005 for me.  Note: I upgraded an original WCA RTM install.

A good PS approach:

Monday, 16 September 2013

OWA 2013 Installation Notes

Overview:  There are a lot of posts on the InterWeb about installing OWA/WCA 2013.  This post shows my experience while installing OWA/WCA 2013 on a 2 Windows Server farm using Windows 2008 R2.  The process involves 5 ligh level steps shown below:
  1. Install pre-requisites and Windows roles on all VM's to be WCA servers.
  2. Install the WCA binaries, Language packs and updates on all VM's to be WCA servers.
  3. Create the farm on the 1st WCA server.
  4. Join additional servers to the WCA farm.
  5. Join the SP2013 farm to the WCA farm (this step could also be Lync 2013 (pptx sharing) or Exchange 2013 (previews) or any custom WOPI host).
  1. WCA 2013 does not require SQL database.
  2. WCA  2013 are now decoupled from SharePoint 2012.
  3. WCA 2013 farms need NLB server affinity.
  4. WCA 2013 integrates with SharePoint 2013, Lync Server 2013, and Exchange Server 2013.
  5. Install WCA on dedicated VM’s i.e. don’t install OWA on SharePoint, SQL or Domain Controller servers.
  6. Don’t Install Microsoft Office on the WCA VM’s.
  7. WCA 2013 installed in read-only mode is a free product (if you have editing you need licences).  "To enable users to edit (not just read) Office documents in a web browser, verify that you have the necessary editing licenses" from Technet and "Office Web Apps licensing offers two options:
    • View-only. By default, Office Web Apps is view-only. View-only functionality is provided for free.
    • Edit and view. You must purchase an editing license to use the editing features of Office Web Apps with SharePoint 2013. You enable editing when you create the Office Web Apps Server farm"
  8. The install of Office Web Apps 2013 with SP2013 is pretty easy, I have automated most steps.
  9. I have 2 VM's that make up my OWA farm.  It's pretty difficult to find hardware requirements for OWA 2013.  I have gone for 8CPU's, 16GB RAM, c drive is 90GB and D is 72GB on each VM.
  10. Create the WCA farm then on the SP2013 farm bind to the OWA farm.
  11. Location of the ULS logs on the WCA VM's: C:\ProgramData\Microsoft\OfficeWebApps\Data\Logs\ULS
  12. SharePoint's link to OWA/WCA is farm wide.  You can only have 1 OWA per farm.  So you can't use different WCA/OWA per web application and you can't specify to use OWA on 1 Web App but have it excluded from a different web app.  It's farm wide.  You can specify the default behaviour at a library level i.e. tell the browser to use "the default application" will then not use OAW to open the document.
  13. Individual file types can be excluded from opening using WCA.  E.g. PS>Remove-SPWOPIBinding –Application “Excel” at the SP2013 farm level.
  14. SSL, WCA wants to use SSL and has some confusing switches, they make sense eventually so to summerise:  You have 3 options to install WCA with SP2013:
    • No SSL (not recommened),
    • SSL Certificates on the WCA servers
    • SSLOffloading (Hardware device such as an F5 or KEMP does the SSL decryption, this saves you distributing certs to the WCA servers but means that the traffic between the NLB and the servers is not encrypted.)
Test your OWA farm install using IE: http://owa-uat.demo.dev/hosting/discovery.  A Web app Open Platform Interface (WOPI)-discovery XML file will open.

References/More Info:






SSRS - Reporting Library lables for SQL Reporting Services

Problem:  I am building a 14 SP 2013 server farm for my client.  I automate the installation of SSRS onto the SP farm (the SQL installation is also automated).  I use Powershell to create a reports library and add the SP SSRS CT's to the library.  On smaller farm installs it all works on my farm the labelled to the CT look odd e.g. $Resource.....

Environment: 10 Search servers, 2 WFE's and 2 App servers.  I have 3 SQL nodes made up of 6 SQL Servers to hold the databases.  This is an Always on Availability Group per 2 SQL servers.  So a dedicated search database, dedicated SP and a SSRS/SSAS SQL cluster.  This is SP2013 with SQL 2013 SP1 on Windows 2008 R2 on VMware.  The install of SP is based off AutoSPInstaller.

Initial Hypothesis:  I was concerned of adding the SQL roles or the version on the app servers where the SSRS service resides, this is not the issue.  It looks like the labels to the CT's are missing in the UI.  It appears to be working from my initial testing, so it is purely a cosmetic bug.

Resolution: I installed the SQL_RS feature on the 2 WFE's and added the services to each VM (i.e. install SSRS Service app on the web front end servers).  The labels show up correctly.  My next test will be to stop the SSRS services on the WFE's. I believe this will still run correctly. 

Note: This is probably a good idea to do anyway as I can easily add the SSRS service at a later stage to more servers without having to install the SQL_RS feature.

Update 2014-03-03:  On a daily build environment consisting of 2 WFE and 4 App servers, I recently had a issue whereby SSRS installed and the SSA for SSRS is created using Powershell.  I can see the SSA and the service running on 2 of the APP servers in the farm.  CA is running on another app server and SSRS is not showing up in CA.  If I install SSRS on the CA box it all shows up in CA.  I assume the feature is not being activate and if activate would show up correctly.