

PowerShell to Add FBA User to SharePoint Group and EnsureUser

function global:Add-FBAMember([parameter(mandatory=$true)][string]$siteCollUrl, [parameter(mandatory=$true)][string]$fbaUser, [parameter(mandatory=$true)][string]$spGroup)
{
    # Created by Russell Wright 2015-12-21
    # Updated by Russell Wright 2015-12-31 Added AllowUnsafeUpdates
    # Must have machine.config <membership>, <roleManager> and <connectionStrings> sections

    # Load the SharePoint snap-in (ignore the error if it is already loaded)
    Add-PSSnapin microsoft.sharepoint.powershell -ErrorAction SilentlyContinue

    $web = Get-SPWeb -identity $siteCollUrl

    # Save the value of AllowUnsafeUpdates
    $allowUnsafeUpdates = $web.AllowUnsafeUpdates

    try
    {
        $web.AllowUnsafeUpdates = $true

        # EnsureUser initializes the user in SharePoint
        $user = $web.EnsureUser($fbaUser)
        $getuser = Get-SPUser -Identity $user -Web $siteCollUrl

        # Set-SPUser adds the user to the SharePoint group
        Set-SPUser -Identity $user -Web $siteCollUrl -Group $spGroup

        $retMsg = "Added user: " + $fbaUser + " to group " + $spGroup + " in " + $siteCollUrl
        return $retMsg
    }
    finally
    {
        # Restore the saved value and release the SPWeb object
        $web.AllowUnsafeUpdates = $allowUnsafeUpdates
        $web.Dispose()
    }
}



We needed a PowerShell Function to call from Winshuttle Workflow that would ensure the user was in SharePoint after a SQL load to the aspnetdb.  The trick appears to be using "AllowUnsafeUpdates," similar to what many others have posted with their C# code.  There were also some items noted in the config files where the machine.config required the FBA connection string in order for the PowerShell to work.


Winshuttle SharePoint Permissions

There are a fair number of Winshuttle items that require SharePoint security of some sort, so I thought I’d start documenting them in tabular form as I run across them.

Winshuttle Function

SharePoint Security


View Winshuttle History

Override List Behaviors

11/27/15 – Error attempting to view Winshuttle history with only Read access, but form can be displayed.
4/23/18 – To view history or item in process list select Override List Behaviors and allow the three other associated permission levels to be selected.

View Winshuttle History

Process Originator

View Winshuttle History

Assignee of an assignment

Access all workflow items in a site

Users with Manage Lists permission level, given directly or via a group.

A user with Manage Lists permission level has access to all items in the list, regardless of who created them.

Access individual items in form workflow list

Item level security

The default settings for a Form Workflow list are for End Users to have access (read and edit) only to the items they create. The exception is a user who has the Manage Lists permission.  This is controlled by the SharePoint list Item-Level Permissions advanced setting.

Winshuttle Form Library web part

Site Collection Administrators or Site Owners can see all the items.

The Form Library shows all of the forms that you have created, including Running, Completed, Rejected, and Saved. Only forms you have created will be visible to you.

Winshuttle Form Library Task List web part

The Task List shows all of the tasks that are assigned to you and ready for you to complete.

Winshuttle Form Process List web part

The Process List shows all processes that you have created and are Running.

Bulk Reassignments

SP2013 – Group must have permission level that contains Override List Behaviors permission.  SP2010 – Group must have permission level that contains Manage Lists permission.

Configuration key BulkReassignmentPermissionSets must be set to contain the permission level(s) that have the appropriate permission.  For example, Full Control has this permission by default.

Delete Scripts in Central

Site Collection Administrator

Ref. Winshuttle documentation.

Last update 2018-06-18


Reference to the List Permissions permission levels



403 Forbidden Error on Custom FBA Login Page

We wrote a custom FBA login page and had it working in our QA system and were in the process of setting it up in our production system when we encountered a "403 Forbidden" error.  The page was written as a modification to the FBA pack on CodePlex and thus was located in the /15/template/layouts/FBA/OurCustomFolder directory.  After struggling with this for quite some time we finally realized we had set anonymous access on the site permissions in QA to "lists and libraries" (for another reason) and had not made that same change to production.


Making this change fixed our "forbidden" error. 

Interestingly, when using the out-of-the-box FBA login page, there was no issue.
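
A drift check for the anonymous-access mismatch described above, as an added example that is not part of the original post. It assumes the SharePoint Management Shell on a farm server for live use; the placeholder URL and the sample values at the bottom are constructed.

```powershell
# Added example (not from the original post): report the anonymous-access
# settings of a site so QA and production can be compared before go-live.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AnonymousAccessSetting {
    param([Parameter(Mandatory = $true)][string]$Url)
    $web = Get-SPWeb -Identity $Url
    try {
        # Zone-level switch set on the web application's authentication provider
        $iis = $web.Site.WebApplication.IisSettings[$web.Site.Zone]
        [pscustomobject]@{
            Url                 = $Url
            ZoneAllowsAnonymous = $iis.AllowAnonymous
            # Disabled = no access, Enabled = lists and libraries, On = entire web site
            AnonymousState      = $web.AnonymousState.ToString()
        }
    }
    finally { $web.Dispose() }
}

function Compare-AnonymousAccess {
    param($Reference, $Target)
    # Emit one object per setting that differs between the two snapshots
    foreach ($name in 'ZoneAllowsAnonymous', 'AnonymousState') {
        if ($Reference.$name -ne $Target.$name) {
            [pscustomobject]@{
                Setting   = $name
                Reference = $Reference.$name
                Target    = $Target.$name
            }
        }
    }
}

# Constructed sample snapshots mirroring the situation in the post. On a farm:
#   $qa = Get-AnonymousAccessSetting -Url 'http://qa.example.local'   # placeholder URL
# QA and production are separate farms, so save each snapshot with Export-Clixml
# and load both on one machine with Import-Clixml before comparing.
$qa   = [pscustomobject]@{ ZoneAllowsAnonymous = $true; AnonymousState = 'Enabled' }
$prod = [pscustomobject]@{ ZoneAllowsAnonymous = $true; AnonymousState = 'Disabled' }

Compare-AnonymousAccess -Reference $qa -Target $prod | Format-Table -AutoSize
```

Any row in the output is a setting to reconcile deliberately, since each one changes what unauthenticated visitors can reach.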


RSViewerPage.aspx Controls not Rendering

Are you seeing something like this while attempting to render a report in SSRS in SharePoint 2013…or perhaps any version of SharePoint with integrated SSRS?


Try this.

Edit the web.config for the SharePoint site in which SSRS is installed.  C:\inetpub\wwwroot\wss\VirtualDirectories\Portal-80, for example.

In the web.config, find the <handlers> section within the <system.webServer> section and add the following:

<add name="ReportViewerWebPart" verb="*" path="Reserved.ReportViewerWebPart.axd" type="Microsoft.ReportingServices.SharePoint.UI.WebParts.WebPartHttpHandler, Microsoft.ReportingServices.SharePoint.UI.WebParts, Version=, Culture=neutral, PublicKeyToken=89845dcd8080cc91" />


Reload the page and voila’!  You’ll at least get some errors you can deal with.


Now, on to the next problem…


Visio Internal Error #3400 Action 2011

The dreaded “internal error!”  What to do?  What was I trying to do?  Simple.

I was attempting to connect a Visio diagram to a SharePoint list.  I’ve done it before a million times…but not in the last year or so.  Soooo….

I fire up Visio Premium 2010 and attempt to connect to a simple list in SharePoint 2013 and am met with the error:

Visio internal error: #3400 Action 2011:  Link Data to Shape

…or some such nonsense.  And then it proceeds to tell me to restart Visio or some such nonsense.  But I try it anyway, but it doesn’t help.

So I start Google-ing (or Bing-ing) and find others with the issue.  Some dribble about needing Premium vs. Professional, required data missing in SharePoint and other babble.  Nope, not even a restart of the old tried and trusted Windows 7 would change things.  So I tried my Windows 8.1 machine with Visio 2013.  Worked the first time.

I decided to “repair” my 2010 version of Visio, since I tend to have all sorts of mixes of version of stuff on my computer and repair Microsoft Office fairly regularly.  So, off to Programs and Features to find the Visio entry.  Fired up a repair and it asked me, fairly forcefully I may say, to finish by rebooting my computer.  So I did.

Long story short…I fired up Visio, made my connection to the same list I’d been using and BAM!  It worked like it was supposed to.

Now on to bigger and better things.




Updating a SharePoint List with Login Name, Email Address, Display Name and User ID with a 2010 Workflow

Here’s the situation.  You have an email address and you want to display the login name (domain\username), display name (Russell Wright) and perhaps the user ID from the SharePoint user list.  Here are the steps to accomplish with a SharePoint Designer 2010 workflow.

We start by creating a custom list and add the following fields.


The main field is Email PP (email people-picker) that we will populate with an email address.


Using the people-picker for an email address can be problematic if you have multiple user IDs with the same email address.


However, you should be able to select the correct one you want to use.


If you pick an email address that is related to a single AD account, you shouldn’t have this issue.


You’ll notice the workflow named Set Fields executed and populated several other fields.  See the Completed link under the Set Fields column?  This link will take you to the workflow history list.  Let’s see how this is done in the workflow.

We’ll start with a simple list workflow created on our custom list.  The start options are set as shown.


Begin by creating all the variables you’ll need.  We will create string variables for each attribute we are dealing with.


Using the action Set Workflow Variable, we’ll read the Email PP field and set a variable for each variation of the field we want to set in a text field.  In this example we create the variable named LoginName and set its type to string.


We then set its value to Email PP from the Current Item.  The important thing is to return the field as Login Name.


Repeat this process for each variant of the people-picker field you want.


As a matter of good practice, log the fields to the workflow history list so you have a record of what they look like.


This action will give you an entry in the workflow history that will display the values of your variables.


Now, on to the step to set the fields in the list, using Update List Item.


Insert an Update List Item action.


Here you can set each field to your variable values.


Here is an example of setting the LoginName Text field with the LoginName variable.


And the final result should display multiple attributes of the person in the people-picker field.



“The database principal owns a schema in the database, and cannot be dropped” Error Running the SharePoint Configuration Wizard

I was applying some CUs to SharePoint 2013 and running the configuration wizard was failing.  You may or may not know this, but the configuration wizard will write a log file to the SharePoint hive as well as an error log.  This error log is the one you want to look at.




In my case, I was receiving

The database principal owns a schema in the database, and cannot be dropped.  User, group, or role ‘SPDataAccess’ already exists in the current database.

When looking at the error log, it was apparent this had something to do with the SPDataAccess principal within the SP15_UsageAndHealth database. 

01/09/2015 15:39:43.99    OWSTIMER (0x359C)    0x2838    SharePoint Foundation Upgrade    SPUpgradeSession    ajxnm    INFO    SPUsageDatabase Name=SP15_UsageAndHealth    012dde9c-16ee-b0ba-8634-adb34afb8eb1
01/09/2015 15:39:43.99    OWSTIMER (0x359C)    0x2838    SharePoint Foundation Upgrade    SPUpgradeSession    ajxnm    ERROR    Upgrade [SPUsageDatabase Name=SP15_UsageAndHealth] failed.    012dde9c-16ee-b0ba-8634-adb34afb8eb1
01/09/2015 15:39:44.01    OWSTIMER (0x359C)    0x2838    SharePoint Foundation Upgrade    SPUpgradeSession    ajxnm    INFO    SPUsageDatabase Name=SP15_UsageAndHealth    012dde9c-16ee-b0ba-8634-adb34afb8eb1
01/09/2015 15:39:44.01    OWSTIMER (0x359C)    0x2838    SharePoint Foundation Upgrade    SPUpgradeSession    ajxnm    ERROR    Exception: The database principal owns a schema in the database, and cannot be dropped.  User, group, or role ‘SPDataAccess’ already exists in the current database.    012dde9c-16ee-b0ba-8634-adb34afb8eb1

SharePointgotchas gave me the hint I needed and Pinal Dave had some more details about this issue.

If you look at SQL Server Management Studio and navigate to the offending database, you can navigate to the Schemas node and investigate who owns each of the schemas by looking at each schema’s properties.


In my case, the schema owner was set to SPDataAccess.  I’m not sure how it got this way, but upon further inspection, this was also true for SP15Farm and SP15MyAppPool.


For each of them, I set the schema owner to be the same as the schema name.


Now, running the configuration wizard was successful!  All is well in SharePoint land again.
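
The ownership check done above in Management Studio can also be scripted. The following is an added example, not part of the original post: it finds schemas whose owner differs from the schema name and prints the ALTER AUTHORIZATION statement for each, for review rather than execution. The sample rows are constructed, and Invoke-Sqlcmd from the SqlServer module is assumed for live use.

```powershell
# Added example (not from the original post).
# T-SQL listing user-created schemas and their owners. Schema IDs 1-4 are dbo,
# guest, INFORMATION_SCHEMA and sys; 16384 and up belong to the fixed database roles.
$schemaOwnerQuery = @'
SELECT s.name AS SchemaName, p.name AS OwnerName
FROM sys.schemas AS s
JOIN sys.database_principals AS p ON p.principal_id = s.principal_id
WHERE s.schema_id BETWEEN 5 AND 16383;
'@

function Get-SchemaOwnerFix {
    param(
        [Parameter(Mandatory = $true)][object[]]$SchemaRows,   # rows with SchemaName / OwnerName
        [Parameter(Mandatory = $true)][string[]]$Principals    # names from sys.database_principals
    )
    foreach ($row in $SchemaRows) {
        if ($row.OwnerName -eq $row.SchemaName) { continue }   # already owned by its namesake
        if ($Principals -notcontains $row.SchemaName) {
            Write-Warning "No principal named '$($row.SchemaName)'; owner '$($row.OwnerName)' left as is."
            continue
        }
        # Bracket-quote the identifier the same way QUOTENAME() does
        $quoted = '[' + $row.SchemaName.Replace(']', ']]') + ']'
        [pscustomobject]@{
            Schema       = $row.SchemaName
            CurrentOwner = $row.OwnerName
            Statement    = "ALTER AUTHORIZATION ON SCHEMA::$quoted TO $quoted;"
        }
    }
}

# Constructed sample rows using the principal names from the post. For live data:
#   $rows = Invoke-Sqlcmd -ServerInstance 'SP2013SQL' -Database 'SP15_UsageAndHealth' -Query $schemaOwnerQuery
#   $principals = (Invoke-Sqlcmd -ServerInstance 'SP2013SQL' -Database 'SP15_UsageAndHealth' `
#                    -Query 'SELECT name FROM sys.database_principals').name
$rows = @(
    [pscustomobject]@{ SchemaName = 'SPDataAccess';  OwnerName = 'SPDataAccess' }
    [pscustomobject]@{ SchemaName = 'SP15Farm';      OwnerName = 'SPDataAccess' }
    [pscustomobject]@{ SchemaName = 'SP15MyAppPool'; OwnerName = 'SPDataAccess' }
)
$principals = 'dbo', 'SPDataAccess', 'SP15Farm', 'SP15MyAppPool'

Get-SchemaOwnerFix -SchemaRows $rows -Principals $principals | Format-Table -AutoSize
```

Record the current owners before running any of the generated statements so the change can be reversed.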


Enable the App Catalog on SharePoint 2013


Referencing these blog posts, with my own additions:

Alex’s blog:

Mirjam van Olst‘s blog:

For the most part, I followed Alex’s blog post. 

  1. Start the App Management Service (already done)
  2. Provision an App Management Service application (already done)
  3. Create a subdomain in DNS. I created apps.cfgmgt.local
  4. Set the isolated App Domain using PowerShell
    1. Set-SPAppDomain -AppDomain "apps.cfgmgt.local"
  5. Start the SPSubscriptionSettings Service using PowerShell or in SCA (already started)
    1. Get-SPServiceInstance | where{$_.GetType().Name -eq "SPSubscriptionSettingsServiceInstance"} | Start-SPServiceInstance
  6. Ensure the App Management Service and SPSubscriptionSettings Services are online (PowerShell or SCA)
    1. Get-SPServiceInstance | where{$_.GetType().Name -eq "AppManagementServiceInstance" -or $_.GetType().Name -eq "SPSubscriptionSettingsServiceInstance"}
  7. Provision a Subscription Settings Service Application (This was done during the initial setup of SharePoint in my case.  Must use PowerShell, as there is no UI in SCA.)
    1. Get-SPServiceApplicationPool (to see all Service Application app pools)

    2. $appPool = Get-SPServiceApplicationPool "SharePoint Service AppPool"

    3. $appSubSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPool -Name "Subscription Settings Service Application" -DatabaseName Your_database_name

    4. $proxySubSvc = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $appSubSvc

  8. Visit the Manage Service Applications page in Central Admin and verify that both the App Management Service App and Subscriptions Settings Service App are provisioned and started.

  9. Create an app catalog.  From SCA, select Apps|Manage App Catalog.  Be sure and select the correct web application where you want the app catalog created.

  10. You’ll get a page where you can fill in all the app catalog details.

  11. Configure the app URLs.  From SCA, select Apps|Configure App URLs.

  12. You need a web application (no site collection needs to be created in it) on port 80 that has no host header.  Others have stated you need to create a site collection, but I haven’t had to. 

Here are some details, with screen shots, of what I did.

Created a web application on port 80 with no host header. 


Changed the public URL so it wouldn’t conflict with my default site, CMSP2013.


Used an existing app pool.  Each app pool has a lot of overhead, so you don’t want to make too many unless you have a good reason.


Changed the name of the content database to match my naming conventions.  I then initiated the creation of the new web application.


…and there you go.


You might notice your primary site is stopped in IIS.  (Perhaps if you do an IISRESET this will clear up.)


So just start it!


In Central Administration, configure the app URLs.  The app domain was already there due to executing

Set-SPAppDomain -AppDomain "apps.cfgmgt.local"

in PowerShell earlier.


To create an App Catalog use Manage App Catalog.


Select the appropriate web application.  An app catalog is associated with a single web application.


Fill out the details to create the App Catalog site collection.


So then we go to add an app.


Select the SharePoint Store.


Find the Corporate News app.


Pick the free one, because we’re cheap!


Go through the download and trust process.

If we look at our Site Contents, we should see the apps that have been downloaded. 


If you click on one, you should get the app’s administration page.  If you don’t have your port 80 web application with no host header set up, this will return an error (404) due to the way it redirects using a GUID.


Here’s an example URL that uses the subdomain previously set up in DNS.


And adding the App Part (like adding a web part) to the default page for testing it out.




I attempted to look at the details of an app that was downloaded and installed and SharePoint threw an error with a correlation ID.


Insufficient SQL database permissions for user ‘Name: NT AUTHORITY\IUSR SID: S-1-5-17 ImpersonationLevel: Impersonation’ in database ‘SP15_UsageAndHealth’ on SQL Server instance ‘SP2013SQL’. Additional error information from SQL Server is included below.  The EXECUTE permission was denied on the object ‘prc_CountAppInstanceData’, database ‘SP15_UsageAndHealth’, schema ‘dbo’.

This was resolved by identifying the account under which the App Management Service was running (don’t let the NT AUTHORITY\IUSR account throw you off).


Next, SQL was investigated for the SQL Login and it was found only a few stored procedures had been granted access to the login.  Instead of adding the stored procedures either individually or en masse, I decided to put the login into one of the existing SharePoint roles.


It appears that putting it into the SPReadOnly database role provides the required execute permissions for the stored procedures.


And for reference, you can see SPReadOnly provides Execute and Select permissions to the database.



SharePoint 2013: The server was unable to save the form at this time. Please try again.

I got this message, “The server was unable to save the form at this time. Please try again.” when trying to create a folder on a document library.  A quick search found this article where I found that restarting the "Sharepoint Search Hosting Controller" service fixed the problem.  That was weird!



Oops! I Accidentally Uploaded a Document to My Winshuttle Query Scripts Library

In my new job and new role, I’ve entered the world of Winshuttle, a suite of apps that allow you to easily and non-technically integrate SharePoint Workflows (created with Winshuttle Studio) with SAP transactions, to effectively eliminate the “swivel-chair” integration that often occurs between two systems.  However, like any application, there are things that occur that are unplanned…and this is one of them!

If you find you “accidentally” uploaded a document to the Query Scripts library (a system library on Winshuttle Central), you’ll find that trying to delete it will throw the error: 

“An internal error occurred while doing this action. Object reference not set to an instance of an object.”

How can you delete it?



Edit the properties of the offending file and change the Content Type from eShuttleBase to one of the others (I believe I chose BaseQueryDoc, but I believe QueryFileDoc or MetaInfoQueryFileDoc will also work).  You should then be able to delete the file and happily send it on its way to the SharePoint recycle bin!

