Wednesday, January 25, 2012

SharePoint 2010 - People Picker displays blank page

Hi,

Last week I came across an issue where the SharePoint 2010 People Picker displayed a blank page instead of the users. It was very strange, as other SharePoint pages were working fine. We have built a lot of SharePoint 2010 farms before and never faced this issue, which gave us a clue to rule out errors in SharePoint 2010 itself. The other two things that needed to be verified were Windows Firewall and the IIS settings.

Windows Firewall - Should not be an issue, as all pages on the server are accessed via the same port and other pages are working fine.

IIS Settings - Interesting to notice that SQL injection settings had been applied on the IIS server. They were applied as part of organization policy to block SQL query attacks on databases via query strings. Something was bothering me before proceeding: I needed to confirm that SharePoint 2010 is foolproof enough for these settings to be removed. After googling around I found an article from MSDN which clarifies this.

http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/6b48e7ac-a393-48b4-ba24-6e56cd8b7ebc/

Once we removed the SQL injection settings from IIS on all the Web Front Ends, People Picker started to return the expected results.

Problem: People Picker returns Blank Page

Cause: SQL Injection Settings applied on the IIS

Resolution: Go to all Web Servers, Start -> Run -> Type inetmgr -> Click OK -> Expand Server_Name -> Expand Sites -> Click Web Application -> Click Request Filtering under IIS on the right -> Double click "Request Filtering" -> Click on Rules -> Click on the rules related to SQL injection (the name can be anything that was defined; most probably the rule denies certain strings containing SQL keywords in query strings) -> Either remove the rule completely or remove the denied strings within the rule, whichever is applicable. Repeat the steps for all the Web Front Ends. This will resolve the issue.

Note: If you require future web applications not to face this issue, then the change has to be applied at the IIS server level as well. Follow these steps to apply it:

Go to all Web Servers, Start -> Run -> Type inetmgr -> Click OK -> Click on Server_Name -> Click Request Filtering under IIS on the right -> Double click "Request Filtering" -> Click on Rules -> Click on the rules related to SQL injection (the name can be anything that was defined; most probably the rule denies certain strings containing SQL keywords in query strings) -> Either remove the rule completely or remove the denied strings within the rule, whichever is applicable. Repeat the steps for all the Web Front Ends. This will make sure future web applications do not face this issue.
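To decide between removing a whole rule and removing only some denied strings, it helps to see exactly which rule and string match a failing request. The following is an added example, not part of the original post: it parses a constructed Request Filtering fragment and reports the matches for a constructed URL. The rule name, deny strings and URL are assumptions, and the matching is a simplified model of IIS behaviour.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed sample of a <filteringRules> section as found in
# applicationHost.config or web.config; rule name and strings are made up.
SAMPLE_CONFIG = """<requestFiltering><filteringRules>
  <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
    <appliesTo><add fileExtension=".aspx" /></appliesTo>
    <denyStrings>
      <add string="--" />
      <add string=";" />
      <add string="select" />
    </denyStrings>
  </filteringRule>
</filteringRules></requestFiltering>"""

def load_rules(xml_text):
    """Read every filteringRule with its scope flags and deny strings."""
    rules = []
    for el in ET.fromstring(xml_text).iter("filteringRule"):
        rules.append({
            "name": el.get("name"),
            "scan_url": el.get("scanUrl", "false").lower() == "true",
            "scan_qs": el.get("scanQueryString", "false").lower() == "true",
            "exts": [a.get("fileExtension").lower()
                     for a in el.findall("appliesTo/add")],
            "deny": [a.get("string") for a in el.findall("denyStrings/add")],
        })
    return rules

def blocking_matches(rules, url):
    """Return (rule name, denied string) pairs that match the given URL."""
    parts = urlsplit(url)
    ext = posixpath.splitext(parts.path)[1].lower()
    hits = []
    for r in rules:
        if r["exts"] and ext not in r["exts"]:
            continue  # rule is limited to other file extensions
        # Assumption: case-insensitive substring match, with the query
        # string checked both raw and URL-decoded.
        scanned = [parts.path] if r["scan_url"] else []
        if r["scan_qs"]:
            scanned += [parts.query, unquote(parts.query)]
        for s in r["deny"]:
            if any(s.lower() in t.lower() for t in scanned):
                hits.append((r["name"], s))
    return hits

# Constructed URL with an ordinary parameter name and an encoded ';'.
SAMPLE_URL = "/_layouts/example.aspx?MultiSelect=True&Filter=User%3B%3B15"
```

Here the benign parameter name `MultiSelect` trips the `select` string and the encoded `;` trips the `;` string, so only those two entries need review rather than the whole rule.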

Other related issues:
The same issue applies when accessing the "View All Site Collections" page in SharePoint 2010 Central Administration: SharePoint Central Admin -> Application Management -> View All Site Collections.

Precaution:
The fix is for SharePoint 2010 out-of-the-box pages, for which it is confirmed from MSDN that the product has no SQL injection vulnerabilities. However, for custom solutions or custom pages deployed in SharePoint 2010, it is the responsibility of the deployment team to review these settings against the custom code and approve it for deployment.

Hope this helps!!!

Happy bug fixing!!!
