Reminders and TakeAways for SharePoint Hybrid

Why write this Post

Last Updated: December 9th 2014

While I do have some resources spread across the ‘Interwebs’ on Hybrid, especially as I deliver sessions and webinars, I found myself with a unique opportunity as I prepare for my latest SharePoint Hybrid session coming up on December 15th 2014. I am building out a SharePoint 2013 Hybrid environment that, at a high level, looks like this:

  • On Premises Environment
    • SharePoint Farm hosted on Azure VMs using the preview site to spin up the Small Farm
      • 1 DC
      • 1 SQL
      • 1 SharePoint 2013
    • Ancillary Servers needed for Hybrid also hosted on Azure VMs
      • 1 ADFS
      • 1 Web Application Proxy (WAP)

I should also qualify that I am running DirSync on the DC to reduce cost on my Azure subscription. Minus the WAP box, my environment currently looks like the below.

Important Note: This post is meant to augment webinars or sessions I give, so it may not have all the context needed to make this flow in one placid stream. It is also NOT meant to poke the Microsoft folks responsible for these services in the proverbial eye; rather, as I come across issues, I want to remind myself and others how to mitigate them.


The Reminders and Gotchas Section

N.B. – As of this initial writing [December 7th 2014], this is still a Work in Progress (WIP) post; in the end I may categorize the list below differently, add items, remove items, or update items as things flesh out.

Using Preview Azure Portal to Create SharePoint Farm Issues/Reminders

  1. The default allotments set for the servers are way too low; I recommend that, at least for the build phase, you bump them up by one level. See below for the defaults, and raise them from what you see there. The example I provide below is specific to the DC; I bump up the SQL and SharePoint servers by one level as well. Notice the gains in CPU, memory and IOPS. My assertion is that by doing this my Hybrid environment, as it depends on my on-premises servers, is more responsive. I have seen instances where connectivity during the authentication handshakes comes into play, and having faster systems mitigates that.


    Above: the Domain Controller is A1 by default; I up it to A2


    Above: what I set my Domain Controller to

  2. By default the SharePoint farm is built on SQL Server 2014 with SharePoint 2013 Enterprise at Service Pack 1; see below for the build numbers.

    Now, you should also know that this makes sense for what is currently provisioned, which is only two service applications: (1) the Application Discovery and Load Balancer SA and (2) the Security Token SA. However, this is not going to be functional for much; in my case, the minute you add the requirements for Hybrid, which means the User Profile Service SA including the Sync Service must be running, you will run into a situation where you need at least the April 2014 Cumulative Update. After you install that you will get what is below.


    Although you can't see the SharePoint version for UPS in the screenshot below, the point to take away is that we move from 15.0.4571.1502 to 15.4659.1001, which is the October 2014 CU. This is GOOD, as it fixes some FIM/MIIS issues.

  3. The SharePoint Search Host Controller in the Services applet will not start, although it is set to Automatic startup. For this one I have to thank the community for the help: I tweeted out this issue when I was preparing for my TechEd NA 2014 session and a few of my fellow speaker buddies pointed me to the right answer. This can prove to be a costly answer as well; in my case, I eventually had to leave my Azure VMs up and running for days on end to make sure it worked properly. Here is the detailed post on how I attempted to fix the issue — 

SharePoint 2013 On Premises Issues/Reminders

  1. It seems, at least for me, some of the time (although it seems every time recently), that when I provision User Profile Services I have an issue where “at least” the Work Email managed property is set to something other than what it should be. As you can see below, it is set to proxyAddress.

    Above: check out the default mapping for Work Email

    The impact of this is that when you do a UPS sync it will not bring over the email address that is in the Active Directory property; in my case it returned nothing, until you modify the default property mapping to pull the right field.
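    The sync symptom above (profiles coming back with no Work Email) is easy to miss until a user complains. The following PowerShell is an added example, not from the original post, that walks the profile store after a sync and lists the accounts whose WorkEmail is empty, then cross-checks a few of them against the directory. It assumes you run it on a farm server with the SharePoint snap-in and the RSAT ActiveDirectory module available; $siteUrl is a placeholder for any site in the farm the User Profile Service Application serves.

```powershell
# Added example (not from the post): detect an empty WorkEmail after a UPS sync,
# which is what a wrong Work Email property mapping (the proxyAddress default) produces.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://intranet.contoso.local"   # placeholder: any site served by the UPA

$site        = Get-SPSite $siteUrl
$context     = Get-SPServiceContext $site
$profileMgr  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

# Collect every profile whose WorkEmail property is blank
$missing = @()
foreach ($userProfile in $profileMgr.GetEnumerator()) {
    $email = $userProfile["WorkEmail"].Value
    if ([string]::IsNullOrWhiteSpace($email)) {
        $missing += $userProfile["AccountName"].Value
    }
}
$site.Dispose()

"{0} of {1} profiles have an empty WorkEmail" -f $missing.Count, $profileMgr.Count
$missing | Sort-Object | Select-Object -First 20

# Cross-check the first few against the AD 'mail' attribute: if AD has a value
# and the profile does not, the property mapping (not the directory) is the problem.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
foreach ($account in ($missing | Select-Object -First 5)) {
    $sam = $account.Split('\')[-1]                     # DOMAIN\user -> user
    $adUser = Get-ADUser -Identity $sam -Properties mail -ErrorAction SilentlyContinue
    if ($adUser) { "{0}: AD mail = {1}" -f $account, $adUser.mail }
}
```

    Run it once before fixing the mapping in Central Admin and once after the next full sync; the count dropping to zero (or to the accounts that genuinely have no mail attribute) confirms the mapping change took.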


Identity Management / Certificates Issues/Reminders

  1. There's guidance out there on how to create a SharePoint Hybrid solution and I've used it; I've helped author some of it; I've even done it a few times. Granted, this is the first time I am taking such meticulous notes on what even “I” do, because it seems some of the things I did before that worked at times don't work another time. I am not entirely sure, but in at least two places where I know I have in the past followed these instructions, I can't remember if I had to use a PowerShell SecureString when calling the System.Security.Cryptography.X509Certificates.X509Certificate2 object constructor (the .ctor). This time, however, I kept getting the dreaded .ctor error saying that I have an invalid parameter when calling the method. But when I went to MSDN here I can see that it does require the password as a SecureString, which is not how the variable is set initially. I refer you to two pieces of guidance on the matter: (1) TechNet – and (2) Bill Baer – . In the end I issued this POSH command [maybe there is a better way of doing this but I'm not a POSH expert]:

       # Prompt for the PFX password as a SecureString instead of a plain string
       $pfxPass = Read-Host "Enter the pfx password" -AsSecureString

     to get mine to work for the call below:

  2.   # Script as given in the TechNet / Bill Baer guidance (line numbers removed)
       $pfxPath = "<path to replacement certificate (.pfx file)>"
       $pfxPass = "<certificate password>"   # plain string in the guidance; see item 1 for the SecureString version
       # 20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16)
       $stsCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pfxPath, $pfxPass, 20
       Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCertificate
       certutil -addstore -enterprise -f -v root $stsCertificate
       iisreset
       net stop SPTimerV4
       net start SPTimerV4

      Bill responded to a tweet I sent out on the topic, here below:


      1. “FYI, you don’t need to use the Start/End Date anymore – that was implemented to work around an Azure bug which has since been resolved. The enddate of the app principal has always been an optional parameter. If the asymmetric key (X509 certificate) expires before the specified date or an invalid date is specified, ACS refuses to issue a token and throws a ‘JWT token is invalid’ error to the calling application.” Credited to William “Bill” Baer in a recent email after discussing the matter above regarding System.Security.Cryptography.X509Certificates.X509Certificate2. Bill also said he will be updating his post listed in (2) to reflect the need for “SecureString” for the password parameter.
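      Pulling items 1 and 2 together, here is how I would write the STS signing-certificate step so the SecureString requirement and Bill's expiry point are both handled up front. This is an added example, not the TechNet script or Bill Baer's; the path is a placeholder, and the flag names simply spell out the literal 20 from the guidance.

```powershell
# Added example (not the TechNet / Bill Baer script): load the replacement STS
# signing certificate with a SecureString password and check it before importing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pfxPath = "C:\certs\sts-replacement.pfx"                         # placeholder path
$pfxPass = Read-Host "Enter the pfx password" -AsSecureString      # SecureString, never a plain string

# The literal 20 in the guidance is X509KeyStorageFlags Exportable (4) + PersistKeySet (16);
# naming the flags makes the intent reviewable.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bor `
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet

$stsCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                  -ArgumentList $pfxPath, $pfxPass, $flags

# Pre-import checks. A PFX without a private key cannot sign tokens, and an expired
# certificate is exactly the case Bill describes where ACS refuses to issue a token.
if (-not $stsCertificate.HasPrivateKey) { throw "No private key loaded from $pfxPath" }
if ($stsCertificate.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($stsCertificate.NotAfter)" }
if ($stsCertificate.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires within 30 days" }

# Show what the farm signs with today next to what is about to replace it
$current = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
"Current : {0}  (valid until {1})" -f $current.Thumbprint, $current.NotAfter
"New     : {0}  (valid until {1})" -f $stsCertificate.Thumbprint, $stsCertificate.NotAfter

# Same import and restart sequence as the guidance
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCertificate
iisreset
net stop SPTimerV4
net start SPTimerV4
```

      Keep the certutil step from the guidance as you run it today; the example only changes how the certificate object is built and adds the checks. Recording the old and new thumbprints also gives you what you need when you register the new certificate with the app principal in Azure AD.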

This is all I have for now; as I said, I expect this to be a WIP document/post, so it will be constantly updated. Always check the RED HIGHLIGHTED Last Updated date above.
