Why Do I Get an Access Denied Error When Managing User Contexts in SharePoint 2010

User Context is a feature of FAST Search for SharePoint 2010 that is analagous to using audiences with search results.  As you start to test this out you may find that within the site collection you can create FAST keywords and document promotions and demotions, but when you try and manage the User Contexts for the site collection, you get an access denied.  This can happen if your site collection administrator, even if you’re a farm administrator.  So what’s the problem?  Well in order to manage user contexts, you need to have some manage rights in the User Profile service application as well.  The thing that can trip you up is that if you are a farm administrator you do have rights to manage the user profile service, but at least for now, that is not enough.  You need to specifically go into Central Admin…Application Management…Manage Service Applications.  Select your user profile service application and click the Administrators button in the ribbon.  Add your account that you want to be able to manage user contexts, and grant them at least the Manage Profiles right.  Once you save you changes there you should be able to access the manage user contexts page in a site collection.

Creating Health Monitor Rules for SharePoint 2010

Hey all, I saw an interesting discussion today about creating new health rules in SharePoint 2010 and thought I would share.  All the credit for this one goes to Chris C. who was good enough to share this information.  The discussion started because of some confusion about how to add a new health rule.  In the public beta you can go into Central Admin, hit up the rule definitions and add a new one.  Unfortunately you will find that doesn’t really work.  By RTM we should / will have the new rule definition button disabled, because that isn’t the right way to get it into the system.  Instead, here in Chris’ words are how you should approach this.

A health rule is basically a class (derived from either SPHealthAnalysisRule or SPRepairableHealthAnalysisRule) which implements a Check() method, some string properties that describe the problem to the administrator, and optionally a Repair() method (if an SPRepairableHealthAnalysisRule).

For adding health rules to your farm:

  • Create your class and compile it into a dll with a strong name
  • GAC the dll on each of the machines in your farm
  • Run the following In OM/PowerShell:
    $loc=”C:\mydlllocation.dll”
    $asm=[System.Reflection.Assembly]::LoadFrom($loc)   <- $asm should be GAC’d
    [Microsoft.SharePoint.Administration.Health.SPHealthAnalyzer]::RegisterRules($asm)

Once these steps are complete, you should see your rule(s) in the Health Rules List (i.e. http://centraladmin:8080/Lists/HealthRules/AllItems.aspx).  This is the full list of rules.  Each of these runs on a different schedule (defined in the class) inside of a timer job.  Once a rule is run, a result list item is stored in the health reports (or “Problems and Solutions”) list.  The reason you are not seeing any generated reports is most likely because your OOB rules have not been run yet.

Thanks again Chris for sharing this valuable information.

Large List Throttling for External Lists in SharePoint 2010

I’ve already done one post with information on the new list throttling features in SharePoint 2010.  This week the question came up about how that applies, or what applies, to throttling lists based on External Content Types (ECT).  These are lists that you’ll also hear called Virtual Lists sometimes or External Lists, and refer to data that’s being retrieved using the new BCS framework in SharePoint 2010.  BCS is the evolution of BDC from SharePoint 2007 for those of you not familiar with it.

 

But getting back to list throttling…Chris C. was good enough to point out that external lists don’t use the same list throttling mechanisms that I described in my first post.  They have their own throttle thresholds and ways in which to change them.  Mohammed N. was kind enough to share these default limits (subject to change by RTM time, by the way) as well as include some PowerShell examples of how you can modify these values yourself.  Thanks for this info Mohammed!

 

So, here are the out of the box throttling limits for external lists.  Note that these limits are applied per instance of the Business Data Catalog service application; if you have multiple instances then each one can have different values:

 

Data Type

Limit Type

Limit

Database

Rows per fetch

2000

Database

Timeout

3 minutes

Web Service / WCF

Size of fetch

30MB

Web Service / WCF

Timeout

3 minutes

 

Now, here’s a few PowerShell examples that Mohammed had to share; note that it assumes you have an instance of the Business Data Catalog service application called “Business Data Catalog”:

 

$bdcAppProxy = Get-SPServiceApplicationProxy | where {$_ -match “Business Data Catalog”}

 

$throttleDb = Get-SPBusinessDataCatalogThrottleConfig -Scope Database -ThrottleType Items -ServiceApplicationProxy $bdcAppProxy

Set-SPBusinessDataCatalogThrottleConfig -Identity $throttleDb -maximum 10000 -default 8000

 

$throttleWCF = Get-SPBusinessDataCatalogThrottleConfig -Scope WCF -ThrottleType Size -ServiceApplicationProxy $bdcAppProxy

Set-SPBusinessDataCatalogThrottleConfig -Identity $throttleWCF -maximum 100000000 -default 50000000

 

$throttleConn = Get-SPBusinessDataCatalogThrottleConfig -Scope Global -ThrottleType Connections -ServiceApplicationProxy $bdcAppProxy

Set-SPBusinessDataCatalogThrottleConfig -Identity $throttleConn -maximum 200 -default 150

Playing with Large List Throttling

If you’ve followed my blog entries by now then you’ve seen quite a bit of information on throttling for large lists in SharePoint 2010.  One of the things you may find is that you will have scenarios where you want to be able to toggle the enforcement of the throttling on a list by list basis.  As I explained in a previous post, an SPList object does have an EnableThrottling property.  With that useful bit of information in hand, I wrote a little web part that allows you to manage list throttling in different site collections pretty easily.  It’s implemented as a web part, as shown here:

 

As you can see, it’s a pretty simple web part, with a fairly easy to use interface.  You can toggle the list throttling on or off for any individual list, or turn it off or on for all lists in a site collection.  I’ve attached the WSP for this web part to this posting.  Feel free to use it and abuse it, there’s really only a couple of important things to remember at this point.  1) This web part MUST BE RUN IN THE CENTRAL ADMIN SITE!  This restriction *might* be lifted by the time we RTM, but we’ll just have to wait and see.  2)  This web part will only work with Windows (classic) auth sites for now.  Hope you find it useful.

You can download the attachment here:

Using the Developer Dashboard in SharePoint 2010

The developer dashboard is a new feature in SharePoint 2010 that is design to provide additional performance and tracing information that can be used to debug and troubleshoot issues with page rendering time.  The dashboard is turned off by default, but can be enabled via the object model or stsadm (and PowerShell too, I just haven’t put together the script for it yet).  When the dashboard is turned on you will find information about the controls, queries and execution time that occur as part of the page rendering process; this information appears at the bottom of the page.  Here’s an example of what the “short” version of the output looks like (NOTE: this screen shot is from a build prior to the public beta so your bits will look a little different):

 

As you can see, it provides information from the perspective of the event pipeline, the web server and database.  On the left side you can see the different events that fired in the page processing pipeline and within that, you can see how long individual web parts took to within those events.  On the top right hand side you see information about the page processing as whole, including the overall execution time, the amount of memory used in the processing of the page request and the correlation ID, which can be of great value when trying to link the page render to entries in the ULS log.  Underneath the server information you will find a list of the different database calls that were made through the object model by various components in the page itself as well as the controls it hosts – all useful information.

You may also notice the database calls are actually a hyperlink.  This is another pretty cool feature in that when you click on it, it shows the call stack from what triggered that particular database call, the SQL that was execute and the IO stats:

 

Enabling the developer dashboard is fairly easy.  If you’re doing it via the object model, the code looks something like this; to turn it on:

SPWebService cs = SPWebService.ContentService;

cs.DeveloperDashboardSettings.DisplayLevel = SPDeveloperDashboardLevel.On;

cs.DeveloperDashboardSettings.Update();

 

NOTE:  This code will not work in a web part if the web part is hosted in any site except the central admin site.  We specifically check for and block that scenario because the developer dashboard is a farm-wide setting.  If you code it up in a web part and try to execute it in a non-central admin site, it will throw a security exception.

To turn it off you set the DisplayLevel to SPDeveloperDashboard.Off; for on demand use of the dashboard you can set the value to SPDeveloperDashboard.OnDemand.   When you set it to OnDemand, it adds a small icon to the upper right hand corner of the page; you click the icon to toggle the dashboard on and off.  The icon looks like this:

 

You can also turn it off and on with stsadm; you just need to make sure you are running the command as a farm administrator:

Stsadm –o setproperty –pn developer-dashboard –pv ondemand (or “on” or “off”)

 

The on demand setting is really the optimal setting in my opinion.  Here’s what it gives you:  once it is set to on demand, site collection admins can turn it on or off.  When they do, it only turns it on or off for that particular site collection.  Equally as good, only the person that turned it on sees the output – your everyday users will not see the output from developer dashboard so this becomes a really valuable troubleshooting tool.  Even more interesting is that if you have multiple site collection admins and one of them toggles it on, the output is displayed only for that person, not for every site collection admin.   Want more flexibility?  Well you can even change the permissions that are required to see the dashboard output.  The DeveloperDashboardSettings has a property called RequiredPermissions.  You can assign a collection of base permissions (like EditLists, CreateGroups, ManageAlerts, or whatever you want) to it; only those people that have those permissions will be able to see the output.  So you have a great deal of flexibility and granularity in deciding when to use it the dashboard output and who will see it.

 

Okay, so this all seems good – all my web parts and code I run within the page will just show up and we’ll have this great troubleshooting info, right?  Well, not exactly unfortunately.  Take a look at the output from the dashboard again – you’ll notice a finite set of events that are reported.  Those are tied to events in the base web part class so they cannot be expanded for any random click event for example.  Any code you have in your override for OnInit or Render will automatically be captured in this pipeline, but code in other places will not.  All is not lost however!  We’ve also introduced a new class to the object model called the SPMonitoredScope.  Among other things, it helps to keep track of useful usage and tracing information just like the developer dashboard uses.

 

In order to get the rest of your code included in the developer dashboard output, you need to wrap it up in a new monitored scope, with something like this:

 

using (SPMonitoredScope GetListsBtnScope = new

     SPMonitoredScope(“GetListsBtn_Click”))

{

//your code goes here

}

The name I used here – “GetListsBtn_Click” – is what will appear in the developer dashboard output.  Here’s an example:

 

 

 

This should be one of your first best practices for developing code for SharePoint 2010 – use SPMonitoredScope!   This can only help you understand and manage the performance of your components as you deploy from development to production.

 

There’s a ton of great out of the box value here, but there is also one piece missing that is worth mentioning.  Even if you use SPMonitoredScope, if your code is a sandbox component (i.e. a User Solution), the output from it will not be captured in Developer Dashboard.  The reason it doesn’t get captured is that sandbox components execute in a completely different process from the page request – that’s why it’s sandboxed.  As a result though, we can’t pipe the tracing information back into the page processing event pipeline.  Sorry about that one folks, but we still have a lot of capabilities here that we should be taking advantage of.

 

I hope after reading this you will see the value in the developer dashboard, understand how to turn it on and off, and know what you have to do to get all of your code to be managed through this pipeline.

 

Working with Large Lists in SharePoint 2010 – List Throttling

List throttling is one of the new options in SharePoint 2010 that enable to set limits on how severely users can put the beat down on your servers.  In a nutshell, what it does is allow you to set a limit for how many rows of data can be retrieved for a list or library at any one time.  The most basic example of this would be if you had a list with thousands of items, and someone created a view that would return all of the items in the list in a single page.  List throttling ensures that such a request would not be allowed to execute.  The hit on the server is alleviated, and the user gets a nice little message that says sorry, we can’t retrieve all of the data you requested because it exceeds the throttle limit for this list. 

The kinds of operations that can trigger hitting this limit though aren’t limited to viewing data – that’s just the easiest example to demonstrate.  There are other actions that can impact a large number of rows whose execution would fall into the list throttle limits.  For example, suppose you had a list with 6000 items and a throttle limit of 5000.  You create a view that only displays 50 items at a time, but it does a sort on a non-indexed column.  Behind the scenes, this means that we need to sort all 6000 items and then fetch the first 50.  If you are going to delete a web with large flat lists you potentially have the same problem.  We need to select all of the items for all of the lists as part of the site deletion, so we could again hit the throttling limit.  These are just a few examples but you can start to imagine some of the others.

So how does this work and how do we manage it?  It all starts in central admin.  List throttling is an attribute that you will generally manage at the web application level.  So if you go into Central Admin, click on Application Management, then click on Manage Web Applications.  Click a single web application to select it, then in the ribbon click on the General Settings drop down and select the Resource Throttling menu item.  It displays a dialog with the several options; I’ll only cover the ones related to list item throttling in this blog:

·        List View Threshold – this is the maximum number of items that can be retrieved in one request.  The default value is 5,000.  Important to note as well, the smallest you make this value is 2,000.

·        Object Model Override – as described above, this option needs to be enabled in order to enable super users to retrieve items through the object model, up to the amount defined in the List query size threshold for auditors and administrators.

·        List View Threshold for Auditors and Administrators – this is a special limit for “super users”.  It is important to understand that this DOES NOT allow these super users to see more items in a list view.  This property is used in conjunction with the Allow object model override property described below.  That means that if the Allow object model override property is set to Yes, then these super users can retrieve up to the number of items set in this property, but only via the object model.  The way you become a “super user” is a farm admin creates a web application policy for you that grants you rights to a permission level that includes either the Site Collection Administrator and/or Site Collection Auditor rights.  By default both the Full Read and Full Control permission levels include these rights, and you can create your own custom policy permission levels that do as well.  Creating this policy is done the same way as it was in SharePoint 2007. 

·        List View Lookup Threshold – again, nothing to do with the maximum number of rows returned from a list but it’s right in the middle of these so I couldn’t leave it out.  This one is self-explanatory I think.

·        Daily Time Window for Large Queries – this option allows you to create a block of time during the day, typically when usage is low, that you will allow queries to run and not enforce the list throttling limits. The one thing to remember here is that if you execute a query during that time period, it will run until complete.  So if it’s still running when the daily window period closes, the query will continue to execute until all results have been returned.

There are a couple of additional exceptions to the information above:

1.       If you are box administrator on the WFE where the data is being requested, and you have at least Read rights to the list data, then you will see ALL the rows.  That means if you have 10,000 rows in a list and you execute a query or view that has no filters, you will get back all 10,000 rows.

2.       In the object model a list (and library) is represented by the SPList class.  It has a new property in SharePoint 2010 called EnableThrottling.  On a list by list basis you can set this property to false.  When you do that, throttling will not be enabled for views or object model queries.  So again, if your list has 10,000 items and you execute a query or view that has no filters, you will get back all 10,000 rows.

In order to retrieve information using the object model in order to retrieve up to the number of items specified in the List query size threshold for auditors and administrators property, there is a property you need to set in your query object.  The property is called QueryThrottleMode and it applies to the SPQuery and SPSiteDataQuery classes.  You simply set this property to Override and then use your class instance to query.  Here’s a simplified example:

using (SPSite theSite = new SPSite(“http://foo&#8221;)) 

{

using (SPWeb theWeb = theSite.RootWeb)

{

SPList theList = theWeb.Lists[“My List Name”];

 

SPQuery qry = new SPQuery();

qry.QueryThrottleMode = SPQueryThrottleOption.Override;

 

//set the Query property as needed to retrieve your data

 

            SPListItemCollection coll = theList.GetItems(qry);

 

            //do something with the data

}

}

Now that you know what the properties are about, let’s talk about the ways in which you use them.  Assume the following scenario:

·         # of items:  3000

·         EnableThrottling property: true

·         Default view:  display items in batches of 3000

·         List View Threshold property:  2500

·         List View Threshold for Auditors and Administrators :  2800

·        Object Model Override :  Yes

·         Method for OM Query:  SPQuery with  QueryThrottleMode = Override, query retrieves all items

Here’s how users would be able to access the data in the list:

User Type

List View

Object Model

Reader

No items shown; over threshold

No items returned; over threshold

Super User

No items shown; over threshold

No items returned; over admin and auditor threshold

Box Admin

3000 items shown per page

3000 items returned

Now let’s change the rules; the differences from the original scenario are highlighted in yellow:

·         # of items:  3000

·         EnableThrottling property: true

·         Default view:  display items in batches of 3000

·         List View Threshold property:  2500

·         List View Threshold for Auditors and Administrators :  3500

·         Object Model Override :  Yes

·         Method for OM Query:  SPQuery with  QueryThrottleMode = Override, query retrieves all items

User Type

List View

Object Model

Reader

No items shown; over threshold

No items returned; over threshold

Super User

No items shown; over threshold

3000 items returned

Box Admin

3000 items shown per page

3000 items returned

Another scenario:

  • # of items:  3000
  • EnableThrottling property: false
  • Default view:  display items in batches of 3000
  • List View Threshold property:  2500
  • List View Threshold for Auditors and Administrators :  3500
  • Object Model Override :  Yes
  • Method for OM Query:  SPQuery with  QueryThrottleMode = Override, query retrieves all items

User Type

List View

Object Model

Reader

3000 items shown per page

3000 items returned

Super User

3000 items shown per page

3000 items returned

Box Admin

3000 items shown per page

3000 items returned

Final scenario:

  • # of items:  3000
  • EnableThrottling property: true
  • Default view:  display items in batches of 2500
  • List View Threshold property:  2500
  • List View Threshold for Auditors and Administrators :  3500
  • Object Model Override :  Yes
  • Method for OM Query:  SPQuery with  QueryThrottleMode = Override, query retrieves all items

User Type

List View

Object Model

Reader

2500 items shown per page

No items returned; over threshold

Super User

2500 items shown per page

3000 items returned

Box Admin

2500 items shown per page

3000 items returned

List throttling is a powerful tool but there are a few rules and roles you need to remember when planning your implementation.  Hopefully this blog will help identify and clarify the functionality for you so that you can implement a design that makes sense for your scenario.

Adding Throttling Counters in SharePoint 2010

Http throttling is a new feature in SharePoint 2010 that allows the server to “back off” of serving requests when it is too busy.  Every 5 seconds a job will run that will check the server resources compared to the levels configured.  By default the Server CPU, Memory, Request in Queue and Request wait time are being monitored.   After 3 unsuccessful checks, the server will enter a throttling period and will remain in this state until a successful check is completed.  Requests generated prior to the server entering into the throttling mode will be completed.  This will, in theory, keep users from losing any current work when the server begins to throttle requests.  Any new HTTP GET and Search Robot request will generate a 503 error message and will be logged in the event viewer.  Also while the server is in a throttling period no new timer jobs will be started.

You can enable or disable throttling in central admin.  It is managed on a per web application basis.  Go into central admin and click on Manage Web Applications under Application Management.  Click on a web app to select it, then click on the General Settings drop down and select the Resource Throttling menu.  About half way down the page is a section titled HTTP Request Monitoring and Throttling, where you will find a radio button option to turn it off or on (it’s on by default).

You have to use PowerShell to actually view and change the counter parameters that determine whether the web app should be throttled.  To view the list of counters and their parameter values use the Get-SPWebApplicationHttpThrottlingMonitor cmdlet; for the Identity parameter pass in the Url to the web application you want to check.  It will display something that looks like this:

PS C:\backups> Get-SPWebApplicationHttpThrottlingMonitor -identity http://o14

Category                    : Processor

Counter                     : % Processor Time

Instance                    : _Total

MinValue                    : 0

MaxValue                    : 99

UpgradedPersistedProperties : {}

 

Category                    : Memory

Counter                     : Available Mbytes

Instance                    :

MinValue                    : 20

MaxValue                    : 3.402823E+38

UpgradedPersistedProperties : {}

 

Category                    : ASP.NET

Counter                     : Requests Queued

Instance                    :

MinValue                    : 0

MaxValue                    : 500

UpgradedPersistedProperties : {}

 

Category                    : ASP.NET

Counter                     : Request Wait Time

Instance                    :

MinValue                    : 0

MaxValue                    : 30000

UpgradedPersistedProperties : {}

 

To change an existing counter, use the Set-SPWebApplicationHttpThrottlingMonitor cmdlet.  For example, here’s how I would change the throttling limit for CPU utilization to 80%:

 

Set-SPWebApplicationHttpThrottlingMonitor -Identity http://o14 -Category “Processor” -Counter “%

Processor Time” -Instance “_Total” -MaxThreshold 80 -MinThreshold 0

 

What if you want to add a new performance counter to monitor?  You can do that as well, but it’s not quite as straightforward.  You can do this through the object model, but fortunately PowerShell makes that quite achievable.  Here’s an example of adding a new counter for interrupts a second to the throttling set:

 

$uri = new-object System.Uri(“http://o14&#8221;)

$webApp=[Microsoft.SharePoint.Administration.SPWebApplication]::Lookup($uri)

$throttle=$webApp.HttpThrottleSettings

$throttle. AddPerformanceMonitor (“Processor”, “Interrupts/sec”, “_Total”, 2300, 0)

$throttle.Update()

 

Now once I’ve completed that, if I run the  Get-SPWebApplicationHttpThrottlingMonitors cmdlet again it reflects the new counter I’ve added:

 

PS C:\backups> Get-SPWebApplicationHttpThrottlingMonitor -identity http://o14

 

Category                    : Processor

Counter                     : % Processor Time

Instance                    : _Total

MinValue                    : 0

MaxValue                    : 99

UpgradedPersistedProperties : {}

 

Category                    : Memory

Counter                     : Available Mbytes

Instance                    :

MinValue                    : 20

MaxValue                    : 3.402823E+38

UpgradedPersistedProperties : {}

 

Category                    : ASP.NET

Counter                     : Requests Queued

Instance                    :

MinValue                    : 0

MaxValue                    : 500

UpgradedPersistedProperties : {}

 

Category                    : ASP.NET

Counter                     : Request Wait Time

Instance                    :

MinValue                    : 0

MaxValue                    : 30000

UpgradedPersistedProperties : {}

 

Category                    : Processor

Counter                     : Interrupts/sec

Instance                    : _Total

MinValue                    : 0

MaxValue                    : 2300

UpgradedPersistedProperties : {}

 

So there you go – a little background about another new feature in SharePoint 2010 that’s designed to make your farm more resilient.  It includes the flexibility to adjust and add to the performance counters that are used to determine when to go into throttle mode based on your business needs and usage characteristics.

 

ONE ADDITIONAL NOTE:  You may find that if you add the throttling counter I demo’d in this post, that your site may start throwing a “server is busy” message every time you hit the site.  So here’s the last tip – how to remove a throttle monitor:

 

PS C:\Users\speschka> $uri = new-object System.Uri(“http://o14&#8221;)

PS C:\Users\speschka> $webApp = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup($uri)

PS C:\Users\speschka> $throttle = $webApp.HttpThrottleSettings

PS C:\Users\speschka> $throttle.RemovePerformanceMonitor(“Processor”,”Interrupts/Sec”)

PS C:\Users\speschka> $throttle.Update()