Data Protection Advisor (DPA) authentication for the web published scheduled reports is disabled

Article Number: 502581 Article Version: 4 Article Type: Break Fix



Data Protection Advisor, Data Protection Advisor Family

Data Protection Advisor (DPA) authentication for the web published scheduled reports has been disabled.

Some customers need to access DPA reports via a web-style interface. In DPA 5, a Web Server acting as a Report Portal was available, and could be accessed without a password.

This functionality has been removed from DPA 6. The Web Server component is a security vulnerability that requires near-constant patching to fix newly developed exploitation approaches. In addition, the strategic role of DPA is not to be the Report Portal, but rather to publish reports to destinations, such as other portals, as required. For these reasons the portal was removed from DPA.

Reports produced by DPA can continue to be accessed via a web server, if a web server is configured correctly. This would be the customer’s responsibility.

In DPA 6, functionality was added to publish to Microsoft SharePoint 2013. The purpose of this was to eliminate the need for a web server. This would be a better option to consider. Details on publishing to MS SharePoint can be found in the DPA internal help and the DPA Installation and Administration Guide.

Please contact Dell EMC Technical Support for further details or information.

Related:

ShareFile Connector SSO to Network Shares and SharePoint using Kerberos (KCD)

Summary of items

  1. Configure SharePoint for KCD
  2. Create an additional “Internal Content Switch” on the NetScaler
  3. Configure SplitDNS to resolve to the new Internal Content Switch
  4. StorageZone Controller IIS changes
  5. AD Delegation
  6. Web Browsers configs

1. Configure SharePoint for KCD

SharePoint config steps:

  1. On the Central Administration page, on the Quick Launch click Security, and in the General Security section click Specify authentication providers.
  2. On the Authentication Providers page, select the zone for which you want to change authentication settings.
  3. On the Edit Authentication page, and in the Authentication Type section ensure this is set to Windows (selected by default).
  4. In the IIS Authentication Settings section, select Negotiate (Kerberos).

    NOTE: If you select Negotiate (Kerberos) you must perform additional steps to configure authentication (below).
  5. Click Save.

Set the SPN to the service account for SharePoint config steps:

NOTE: This is a standard SharePoint requirement (which references the service account used during the installation of SharePoint itself). The service account used below is usually the one that SharePoint has been initially installed with.

  1. From any server, open CMD (elevate with account with the appropriate SharePoint rights)
  2. Type the following:

    SetSPN -S HTTP/SharePoint domain\serviceaccountname

    SetSPN -S HTTP/SharePoint.citrix.lab domain\serviceaccountname

2. Create an additional “Internal Content Switch” on the NetScaler

Before creating this, you should have run the wizard to create an External Content Switch, because External and Internal traffic need to be split. The main reason is to have AAA configured for Connectors externally while not having AAA enabled on the Connectors for internal use, especially if you would like to enable Web Access to Connectors and have seamless SSO in all web browsers.

NOTE: AAA requires a NetScaler Enterprise license to use.

External Content Switch (usually created by the inbuilt ShareFile wizard on the NS).

NOTE: If Web Access to Connectors is required, then additional configuration is needed in addition to the wizard. Please see this article in section “Configure NetScaler for restricted zones or web access to Connectors”.

The External config would typically have:

  • 1 x Content Switch, with Policies, Responders, Callouts.
  • 3 x LBVIP’s
    • ShareFile Data LBVIP.
    • Connectors LBVIP with AAA enabled.
    • OPTIONS LBVIP.

Internal Content Switch (in this scenario, created manually)

The internal config would typically have:

  • 1 x Content Switch, with Policies, Responders, Callouts.
  • 2 x LBVIP’s
    • ShareFile Data LBVIP.
    • Connectors LBVIP (No AAA enabled).
    • No OPTIONS LBVIP required (even if SSO to “Web Access to Connectors” is needed).

Create the Internal Content Switch config steps:

Create the Virtual Servers (one for ShareFile Data and another for Connectors)

  1. Log onto the NetScaler and browse to:

    +Traffic Management

    +Load Balancing

    Virtual Servers
  2. Click Add to create the ShareFile Data LBVIP:

    Name: _SF_SZ_LB_INT

    Protocol: SSL or HTTP

    IP Address Type: Non Addressable
  3. Click OK.
  4. Click on the “No Load Balancing Virtual Server Binding”
  5. On the Select Server option click the arrow next to Click to select field
  6. Select the appropriate StorageZone Controller node(s) and click Bind
  7. Select the Certificate and click Bind, click Continue
  8. Click on the +Method option, change the Load Balancing Method to Token
  9. Add the expression REQ.URL.QUERY.VALUE("uploadid"), click OK
  10. Click on the +Persistence option, and change the Persistence field to SSLSESSION
  11. Click OK
  12. Click Add to create the ShareFile Connector LBVIP:

    Name: _SF_CIF_SP_LB_INT

    Protocol: SSL or HTTP

    IP Address Type: Non Addressable
  13. Click OK
  14. Click on the “No Load Balancing Virtual Server Binding”
  15. On the Select Server option click the arrow next to Click to select field
  16. Select the appropriate StorageZone Controller node(s) and click Bind
  17. Select the Certificate and click Bind, click Continue
  18. Click on the +Method option, change the Load Balancing Method to LEASTCONNECTION
  19. Click on the +Persistence option, and change the Persistence field to COOKIEINSERT
  20. Click OK

Create the HTTP Callouts

  1. Browse to :

    +AppExpert

    HTTP Callouts
  2. Click Add to create the first callout:

    Name: _SF_CALLOUT_INT

    Server to receive callout request:

    Virtual Server and choose _SF_SZ_LB_INT

    Request to send to the server:

    Request Type: Attribute-Based

    Method: GET

    Host Expression: FQDN of the SSL cert internally. Place quotes around it, i.e.: "sz.company.com"

    URL Stem Expression: "/validate.ashx?RequestURI=" + HTTP.REQ.URL.BEFORE_STR("&h").HTTP_URL_SAFE.B64ENCODE + "&h=" + HTTP.REQ.URL.QUERY.VALUE("h")

    Parameter:

    Scheme: HTTP

    Server Response

    Return Type: BOOL

    Expression to extract data from the response: HTTP.RES.STATUS.EQ(200).NOT
  3. Click Create.
  4. Click Add to create the second callout (note: this is the same as the first except for the Name and URL Stem Expression):

    Name: _SF_CALLOUT_INT_Y

    Server to receive callout request:

    Virtual Server and choose _SF_SZ_LB_INT

    Request to send to the server:

    Request Type: Attribute-Based

    Method: GET

    Host Expression: FQDN of the SSL cert internally. Place quotes around it, i.e.: "sz.company.com"

    URL Stem Expression: "/validate.ashx?RequestURI=" + HTTP.REQ.URL.HTTP_URL_SAFE.B64ENCODE + "&h="

    Parameter:

    Scheme: HTTP

    Server Response

    Return Type: BOOL

    Expression to extract data from the response: HTTP.RES.STATUS.EQ(200).NOT
  5. Click Create.

Create the Responder policy

  1. Browse to :

    +AppExpert

    +Responder

    Policies
  2. Click Add to create the responder:

    Name: _SF_RESPONDERPOL_INT

    Action: DROP

    Expression: HTTP.REQ.URL.CONTAINS("&h=") && HTTP.REQ.URL.CONTAINS("/crossdomain.xml").NOT && HTTP.REQ.URL.CONTAINS("/validate.ashx?requri").NOT && SYS.HTTP_CALLOUT(_SF_CALLOUT_INT) || HTTP.REQ.URL.CONTAINS("&h=").NOT && HTTP.REQ.URL.CONTAINS("/crossdomain.xml").NOT && HTTP.REQ.URL.CONTAINS("/validate.ashx?requri").NOT && SYS.HTTP_CALLOUT(_SF_CALLOUT_INT_Y)
  3. Click Create, then bind the Responder policy. Browse to:

    +Traffic Management

    +Load Balancing

    Virtual Servers
  4. Open _SF_SZ_LB_INT
  5. Click on the +Policies option
  6. Click Add Binding, Select the policy _SF_RESPONDERPOL_INT
  7. Click Bind, then Close.
  8. Click Done to complete.

Create the Content Switch policies

+Traffic Management

+Content Switching

Policies

  1. Click Add.

    Name: _SF_SZ_CSPOL_INT

    Expression: HTTP.REQ.HOSTNAME.CONTAINS("sz.company.com") && HTTP.REQ.URL.CONTAINS("/cifs/").NOT && HTTP.REQ.URL.CONTAINS("/sp/").NOT

    NOTE: Don’t forget to change to the correct external FQDN.
  2. Click Create and then Add.

    Name: _SF_CIF_SP_CSPOL_INT

    Expression: HTTP.REQ.HOSTNAME.CONTAINS("sz.company.com") && (HTTP.REQ.URL.CONTAINS("/cifs/") || HTTP.REQ.URL.CONTAINS("/sp/"))

    NOTE: Don’t forget to change to the correct external FQDN.
  3. Click Create.

Create the Content Switch vServer

+Traffic Management

+Content Switching

Virtual Server

  1. Click Add to create the Content Switch vServer:

    Name: _SF_CS_ShareFile_INT

    Protocol: SSL

    IP Address: Internal IP of DNS name

    Port: 443
  2. Click OK
  3. Under Content Switching Policy Binding click on the No Content Switching Bound option:

    Select Policy: _SF_SZ_CSPOL_INT

    Target Load Balancing Virtual Server: _SF_SZ_LB_INT

    Click Bind

    Select Policy: _SF_CIF_SP_CSPOL_INT

    Target Load Balancing Virtual Server: _SF_CIF_SP_LB_INT

    Click Bind
  4. Click OK
  5. Click on the +Certificates option, add a certificate by clicking the No Server Certificate option
  6. Select the Certificate and click Bind, click Continue.

3. Configure SplitDNS to resolve to the new Internal Content Switch

This is important as you need to direct traffic internally to the NetScaler for internal clients. Create a Host A entry for the StorageZone FQDN to point to the IP of the Internal Content Switch created in section 2.

  1. Log into the Domain Controller and open dsa.msc.
  2. Browse to Forward Lookup Zones to find the one which correlates to the StorageZone FQDN (sz.company.com)
  3. Add a New Host (A or AAAA)… and enter the FQDN for the StorageZone.
  4. Enter the IP, this should be the one of the Internal Content Switch created in section 2.
  5. To test, open CMD from another desktop/server, run ipconfig /flushdns and ping the StorageZone FQDN. Does it resolve to the correct IP?

4. StorageZone Controller IIS changes

Config steps:

  1. Log onto the StorageZone Controller(s) and open IIS.
  2. Click on the Default web site then to the SP virtual directory.
  3. Click on Authentication, then ensure Anonymous and Windows Authentication are Enabled.
  4. Right-click on the WindowsAuthentication option and select Providers
  5. Highlight Negotiate and Move Up to the top of the list. Click
  6. Ensure Basic Authentication is set to Disabled.
  7. Click on the CIFS virtual directory, then on Authentication.
  8. Ensure Anonymous and Windows Authentication are Enabled.
  9. Right-click on the WindowsAuthentication option and select Providers.
  10. Highlight Negotiate and Move Up to the top of the list. Click
  11. Ensure Basic Authentication is Disabled.

    NOTE: If Using port 80 on your StorageZone Controller for Load Balancing communication, see section 5 of this article.
  12. Then right-click the Default Web Site and select Edit Bindings.
  13. Add a new binding on port 80, assign the IP address and insert a host header (which is the fqdn of storagezone).

    NOTE: Editing the existing binding on port 80 will upset the NTLM Path configured within the NetScaler IdP article on page 14.
  14. On the StorageZone Controller, run CMD, then type:

    setspn -a http/sz.company.com SZCServer1

    setspn -a http/"fqdn of storagezone" "hostname of storagezone controller"

    (where "fqdn of storagezone" = sz.company.com

    and "hostname of storagezone controller" = SZCServer1)

5. AD Delegation

Changes need to be actioned on the SZC AD object(s), and all the servers used for Network Shares and SharePoint need to be added. Config steps shown in this procedure.

NOTE:

  • Ensure that any File servers hosting any Network Shares, are added to the delegation as CIFS.
  • Ensure any SharePoint servers that need to be accessed, are also entered as HTTP.
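
To audit the outcome of the SPN and delegation steps in sections 1, 4 and 5, the following PowerShell is an added example (not part of the original article or of any Citrix tooling). It compares an account's SPNs and constrained-delegation list with what you expect; `Test-KcdDelegation` is a hypothetical helper name, and the file server name and the `ldap/` entry in the sample object are constructed.

```powershell
# Added example. Checks the three things the article's KCD setup depends on:
#   1. the StorageZone Controller holds the http/ SPN set with setspn,
#   2. it is NOT trusted for unconstrained delegation,
#   3. its delegation list holds only the expected CIFS and HTTP targets.
function Test-KcdDelegation {
    param(
        [Parameter(Mandatory)] $Account,                    # AD object or equivalent
        [Parameter(Mandatory)] [string[]] $ExpectedSpn,     # SPNs the account must hold
        [Parameter(Mandatory)] [string[]] $ExpectedTargets  # SPNs it may delegate to
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Unconstrained delegation lets the host act as the user to any service.
    if ($Account.TrustedForDelegation) {
        $findings.Add('Unconstrained delegation is enabled on the account.')
    }

    # Drop $null so an empty attribute is treated as an empty list.
    $spns    = @($Account.servicePrincipalName | Where-Object { $_ })
    $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # -contains / -match are case-insensitive, as SPN comparison should be.
    foreach ($spn in $ExpectedSpn) {
        if ($spns -notcontains $spn) { $findings.Add("Missing SPN: $spn") }
    }
    foreach ($t in $ExpectedTargets) {
        if ($targets -notcontains $t) { $findings.Add("Missing delegation target: $t") }
    }
    foreach ($t in $targets) {
        if ($t -notmatch '^(cifs|http)/') {
            # Section 5 only calls for CIFS (file servers) and HTTP (SharePoint).
            $findings.Add("Unexpected service class in delegation list: $t")
        } elseif ($ExpectedTargets -notcontains $t) {
            $findings.Add("Delegation target not in the expected list: $t")
        }
    }
    $findings
}

# Constructed sample standing in for the StorageZone Controller computer object.
$sample = [pscustomobject]@{
    Name                       = 'SZCServer1'
    TrustedForDelegation       = $false
    servicePrincipalName       = @('HOST/SZCServer1', 'http/sz.company.com')
    'msDS-AllowedToDelegateTo' = @(
        'cifs/fileserver1.company.com',   # constructed file server name
        'http/SharePoint.citrix.lab',
        'ldap/dc1.company.com'            # constructed entry that should be flagged
    )
}

$check = @{
    Account         = $sample
    ExpectedSpn     = 'http/sz.company.com'
    ExpectedTargets = 'cifs/fileserver1.company.com', 'http/SharePoint.citrix.lab'
}
Test-KcdDelegation @check

# Against a live domain (needs the ActiveDirectory module), replace $sample with:
#   Get-ADComputer SZCServer1 -Properties TrustedForDelegation,
#       servicePrincipalName, 'msDS-AllowedToDelegateTo'
# 'setspn -L SZCServer1' lists the same SPNs; 'setspn -X' reports duplicates.
```

An empty result means the account matches the expected configuration; each returned string is one deviation to review.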

6. Browsers

Config steps:

Internet Explorer

  1. Open Internet Options, Security, Local Intranet, Sites, Advanced then enter the following:

    ShareFile site – subdomain.sharefile.com

    FQDN StorageZone – sz.company.com

    FQDN of AAAVIP – aaavip.company.com

    Note: If this is locked down, configure via GPO which will be actioned on the User Configuration.
  2. Open GPMC and select the GPO controlling the behavior of IE.
  3. Browse to Computer Configuration/Administrative Templates/System/Group Policy, enable the policy Configure user group policy loopback processing mode, and select Replace.
  4. Then browse to User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page and edit the Site to Zone Assignment List as follows:

    NOTE: The number in the Value field denotes the number of the zone. MS breaks them down as follows:

    1 – Intranet zone – sites on your local network.

    2 – Trusted Sites zone – sites that have been added to your trusted sites.

    3 – Internet zone – sites that are on the Internet.

    4 – Restricted Sites zone – sites that have been specifically added to your restricted sites.

  5. For external IE browsers, extra configuration is required as follows:

    Click on the Internet/Custom Level and ensure that:

    Miscellaneous/Access data sources across domains is Enabled.

    User Authentication/Log on/Prompt for Username and Password is selected.
  6. Click OK twice.

Firefox

  1. Launch Firefox. In the Address Bar, instead of typing a URL, enter:

    about:config
  2. This will open the configuration interface. You may need to agree to a security warning in order to proceed.
  3. Double-click the line labeled automatic-ntlm-auth.trusted-uris and enter the following:

    ShareFile site – subdomain.sharefile.com

    FQDN StorageZone – sz.company.com

    FQDN of AAAVIP – aaavip.company.com

    NOTE: Separate individual URLs with commas, but do not put spaces between them, for example:

    subdomain.sharefile.com,sz.company.com
  4. Click OK when you’re finished.
  5. Double-click the line labeled negotiate-auth.trusted-uris. Enter the same information you entered in the previous step, with the URLs separated by commas and with no spaces. Click OK.

Chrome

This should work. CORS should be enabled by default on Chrome but you can add the plugin into Chrome here.

Opera

This should work.

Related:

SourceOne: Random warnings from EMC SourceOne for Storage Management / RBS informing that the required permissions are not required

Article Number: 487941 Article Version: 3 Article Type: Break Fix



SourceOne for Microsoft SharePoint Storage Management 7.2 SP3, SourceOne for Microsoft SharePoint Storage Management 7.2, SourceOne for Microsoft SharePoint Storage Management 7.1 SP3, SourceOne for Microsoft SharePoint Storage Management 7.1 SP2

The following warning may be generated in the Web Frontend servers Application log:

The RBS configured credential is NOT used, please make sure the account: ‘<Account>’ has required permissions to access the RBS storage path: ‘<RBS Storage Location>’

Other than the warning, all other RBS functionality is operational.

This is a warning generated by the EMC SourceOne RBS code, due to a Microsoft bug. Periodically, when Microsoft RBS tries to store the blob into the file share, SharePoint does not use the credential passed in the Store configuration; instead it uses the service account, which is the account that runs the IIS web site.

Verify the account running the web application has the proper credentials (Full Access) to the file share.

No other action is required.

Related:

7023323: Licensing ZENworks during 2017 Upgrade or Migration

This document (7023323) is provided subject to the disclaimer at the end of this document.

Environment

ZENworks Configuration Management 2017

ZENworks Configuration Management 2017 Migration

Situation

Understanding the licensing scenarios when Upgrading or Migrating to ZENworks 2017.
Suite or Product Licenses will be requested during the upgrade wizard process or appliance migration process.

Resolution

Scenario A: If ZENworks 11 SP4 Zone has ZENworks Suite as “Not Licensed” state, and one or more Products are in “Active” state under

ZCC > Configuration | Product Licensing
  • Ensure ZENworks 2017 license keys are available for the same ZENworks Product in the Micro Focus Customer Center prior to ZENworks 2017 upgrade (or appliance migration).

Scenario B: If ZENworks 11 SP4 Zone has ZENworks Suite as “Active” state under

ZCC > Configuration | Suite Licensing

  • Ensure “ZENworks Suite 2017” license is available in Micro Focus Customer Center prior to ZENworks 2017 upgrade (or appliance migration).
  • If “ZENworks Suite 2017” license is not available in the Micro Focus Customer Center and only the Product licenses for ZENworks 2017 are available, then “Deactivate” the ZENworks Suite in ZENworks 11 SP4 zone in ZCC, and “Activate” the same Product Licenses for ZENworks 11 SP4 zone in ZCC, prior to ZENworks 2017 upgrade (or appliance migration).
  • Refer to the ZENworks Documentation for Activating and/or Deactivating products.

Scenario C: If “ZENworks Suite 2017” license is available in the Micro Focus Customer Center but only Product licenses are “Active” in the ZENworks 11 SP4 zone under

ZCC > Configuration | Product Licensing
  • Then Activate “ZENworks Suite” license for ZENworks 11 SP4 version in ZCC, prior to ZENworks 2017 upgrade (or appliance migration).
  • Refer to the ZENworks documentation for Activating Licenses.

Scenario D: If ZENworks 2017 Product license(s) available in the Micro Focus Customer Center are different than ZENworks 11 SP4 Product licenses “Active” in the ZENworks 11 SP4 zone under

ZCC > Configuration | Product Licensing
  • Then “Deactivate” the same Product(s) in ZENworks 11 SP4 ZCC that are not licensed for ZENworks 2017, prior to ZENworks 2017 upgrade (or appliance migration).
  • Refer to ZENworks documentation for deactivating specific product licenses in ZCC.

Cause

When upgrading from ZENworks 11 SP4 to ZENworks 2017, the same licenses that are “Active” in the Zone (ZENworks 11 SP4) must be available for the ZENworks 2017 version in the Micro Focus Customer Center.

Additional Information



Example: To check ZENworks Suite 2017 License in Customer Center

Example: To check ZCM 2017 Product License in Customer Center

NOTE: If any assistance is required in the case where the ZENworks 2017 licenses in the Micro Focus Customer Center are not the same type as the ZENworks Product or Suite licenses enabled for ZENworks 11 SP4, you may contact Micro Focus Customer Support here to chat with a representative regarding licensing.
If there are any questions on Product licenses, refer to the Micro Focus Customer Center FAQ for most answers and all licensing help, or email entitlements@microfocus.com for assistance.
Additional information on ZENworks Suite or Product licensing:

ZENworks Products

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

Related:


Re: Backup Sharepoint 2016 with NMM 9.1.1.7

Hello experts,

we have a question about configuration of a SharePoint backup with NMM.

We tried to configure the backup with the wizard. Picture 1 is our farm. We have 2 WFEs.

We can choose one of the two WFEs for example xxxx076.

The backup works fine. But if we start NMM for recover, we only see the client xxx76 and xxx75 (Picture 2), not the xxxxx77.

The same if we choose the xxx77.

Does someone have the same configuration as us? And how do you configure the backup?

bg

VAn Le


Related:

Re: Publish Dashboard

Once you have made your Dashboard template, you can publish it to the web. To do so, you have two options:

1) you can publish to SharePoint, if you go to the Admin pane and set up a connector/login to a SharePoint server in your environment

2) you can publish the dashboard as an .html file

The first one is pretty easy, as Microsoft provides all the components and you don’t have to do much after it’s all set up. However, this only works in SharePoint, and even then, only certain WebParts can interact with it, so you’ll need to have a competent SharePoint admin to help build anything complex on your pages.

The second one takes a bit more work. When you publish .html to a file, DPA can only write the file to a local filesystem. In most cases, you’ll need to move this file to another server – your webserver – for your users to see/interact with. In our case, we installed a simple FTP client to push the .html file from the DPA to a specific folder on the web server.

Let us know if that helps!

Karl

Related:

Symantec for SharePoint needs to be installed on all SharePoint Servers in the SP2013 Farm?

I need a solution

Dear All,

I have a query regarding the Symantec Protection for SharePoint. Is it mandatory to install Symantec for SharePoint on all the SharePoint Servers?

We have 10 SharePoint Servers – 2 Web, 2 App, 2 Search query, 2 Search Component and 2 Search Crawl Servers. Do we require to install Symantec for SharePoint on all the 10 SharePoint Servers given above or only installation on 2 Web and 2 Apps are enough?

Please suggest. Thanks!


Related:

DLP Solution for SharePoint 2016

I need a solution

Trying to find out if Symantec has a compatible DLP solution for SharePoint 2016. According to this article posted last year it is not compatible with the new min roles features in SharePoint 2016: https://support.symantec.com/en_US/article.TECH246…


Related:

NetIQ Access Manager 4.4 Support Pack 2 4.4.2.0-78

Abstract: NetIQ Access Manager 4.4 Support Pack 2 build (version 4.4.2.0-78). This file contains updates for services contained in the NetIQ Access Manager 4.4 product. NetIQ recommends that all customers running Access Manager 4.4 release code apply this patch.

The purpose of the patch is to provide a bundle of fixes for issues that have surfaced since NetIQ Access Manager 4.4 was released. These fixes include updates to the Access Gateway Appliance, Access Gateway Service, Identity Server, Analytics Server and Admin Console.

Document ID: 5376150
Security Alert: No
Distribution Type: Public
Entitlement Required: Yes
Files:

  • AM_442_AccessGatewayService_Linux64.tar.gz (376.93 MB)
  • AM_442_AccessGatewayService_Win64.exe (387.21 MB)
  • AM_442_AccessGatewayAppliance.iso (1.23 GB)
  • AM_442_AnalyticsServerAppliance.tar.gz (1.64 GB)
  • AM_442_AccessManagerAppliance.tar.gz (1.32 GB)
  • AM_442_AnalyticsServerAppliance.iso (2.04 GB)
  • AM_442_AccessManagerService_Win64.exe (793.15 MB)
  • AM_442_AccessManagerService_Linux64.tar.gz (1.14 GB)
  • AM_442_AccessManagerAppliance.iso (2.17 GB)
  • AM_442_AccessGatewayAppliance.tar.gz (418.75 MB)

Products:

  • Access Manager 4.4
  • Access Manager 4.4.2

Superseded Patches: None
