Enterprise Add-in On-premises Installation Guide

  • Updated

About

This document is a complete guide how to install LiveTiles Intranet Enterprise for SharePoint Server 2013/2016/2019/SE using the high-trust model. The setup is different using SharePoint Online app model, as the solution is using IIS services to run the LiveTiles Intranet Enterprise web site.

Please note  The code used for online and on-premises is the same, - with some small modifications.

 

Document Version

Owner Date Comments Version
Peter Jensboel - PS 2020-06-30 Initial document 1.0.0
Peter Jensboel - PS 2021-05-19 Release / Re-brand 2.0.0
Peter Jensboel - PS 2023-05-02 Added workspace "Self-service site creation" in Appendix 2.1.0

 

Installation and Deployment

The following guide describes the process installing and configuring SharePoint Server(s) and LiveTiles Intranet Enterprise server(s).

LiveTiles Intranet Enterprise for SharePoint Server 2013/2016/2019 is using the SharePoint add-in model.

When using the add-in model, LiveTiles Intranet Enterprise application have a minimal footprint in SharePoint. Application code is executed outside the SharePoint environment and integrates with SharePoint through iFrames, scripts and web service endpoints.

image1.png

 

Highlight Installation Values

In this guide we have marked sections and text that need to have installation specific values entered accordingly to the setup.

The sections are marked with text highlighted and in “<>” like this example <SharePointURL> and need to be changed to match the current configuration.

There are steps in the installation where you must save installation values and settings and these settings has been highlighted with a “share” sign in this document like this:

image2.png

If values and settings cannot be shared on regular basis, we recommend using OneTimeSecret https://onetimesecret.com or similar solution.

 

Prerequisites

The following prerequisites are required to provision LiveTiles Intranet Enterprise using SharePoint Server(s) and IIS server(s):

  • LiveTiles Enterprise binaries Enterprise releases – Knowledge Base (livetilesglobal.com)
    • Identify the right version and please note that SharePoint 2016/2019/SE are using the same binaries.
  • SharePoint farm administrative access.
  • Administrative permissions to create site collections, app catalog and approve app requests.
  • LiveTiles Intranet Enterprise (IIS) server with local administrative access.

Requirements SharePoint

The following requirements must be in place for SharePoint Server(s):

DNS Requirements

Requirements for DNS entries, please refer to LiveTiles Intranet Enterprise Add-in On-Premises Checklist.docx found on LiveTiles Partner portal https://livetiles.force.com/partners/s/contentdocument/0690o00000GYghaAAD

Service Applications

Requirements for service applications, please refer to LiveTiles Intranet Enterprise Add-in On-Premises Checklist.docx found on LiveTiles Partner portal https://livetiles.force.com/partners/s/contentdocument/0690o00000GYghaAAD

Services

Requirements for services provisioned in SharePoint, please refer to LiveTiles Intranet Enterprise Add-in On-Premises Checklist.docx found on LiveTiles Partner portal https://livetiles.force.com/partners/s/contentdocument/0690o00000GYghaAAD

SharePoint Service Accounts

Service Accounts Description Member of Local Security Policy
SP-<ENV>-FarmAcct Runs the SharePoint Timer and Administration Service

Domain User

Member of the following SQL Roles:

  • DB Creator
Security Admin

Allow log on locally

Adjust memory quotas for a process

Impersonate a client after authentication

Log on as a batch job

Log on as a service

Replace a process level token
SP-<ENV>-InstallAcct This account will be used to Install and configure the SharePoint farm initially. After the initial setup, you can grant the farm administrator rights to your SharePoint Administrators account so they can log in and manage SharePoint with their own account.

Domain User

Local Administrator on the SharePoint Servers

Member of the following SQL Roles

  • DB Creator
Security Admin

Back up files and directories.

Debug Programs.

Manage auditing and Security log.

Restore files and directories.

Take ownership of files or other objects.
SP-<ENV>-SuperReader Object cache account (Super Reader). Must not be an account that will ever be used to log in to the site.

Domain User

Full Read on your Web Applications

 
SP-<ENV>-SuperUser Object cache account (Super User). Must not be an account that will ever be used to log in to the site.

Domain User

Full Control on your Web Applications

 
SP-<ENV>-SPSERVICE Runs the Application Pool for most of your Service Applications. There are some service applications that require more rights, and a dedicated Service Account is recommended. We are converting those a bit lower in this blog post!

Domain User

Adjust memory quotas for a process.

Log on as a batch job.

Log on as a service.

Replace a process level token.

Impersonate a client after authentication.
SP-<ENV>-CRAWL The Default Content Access Account for the Search Service Application. This account is sued to crawl the content of your SharePoint Web Applications.

Domain User

This account needs to have Read Access on all your Web Applications (given automatically)

 
SP_<ENV>_SYNC Used to synchronize profiles between AD and SharePoint Server

Domain User

Needs to have “Replicate Directory Changes” in the Active Directory

 
SP-<ENV>-ServerSearch Account used for SharePoint Search Services

-

SharePoint servers
SP-<ENV>-POOL Runs the Application Pool for your Web Applications.

Domain User

Impersonate a client after authentication.

Log on as a batch job.

Lon as a service.
SP-<ENV>-SQLAdmin This account will be used to Install and configure the SQL Server initially. After the initial setup, you can grant the SQL Admin rights to your SQL Administrators account so they can log in and manage SQL with their own account.

Domain User

Local Administrator on the SQL Server

Back up files and directories

Debug Programs.

Manage auditing and Security log.

Restore files and directories.

Take ownership of files or other objects.
SP-<ENV>-SQLSRV This account will run the Database Engine service

Domain User

Log on as a service.

Replace a process-level token.

Bypass traverse checking.

Adjust memory quotas for a process.

Perform Volume Maintenance Tasks (Only If you want to enable Instant File Initialization).
SVC-<ENV>-SQLAgent This account will run the SQL Server Agent Service

Domain User

Log on as a service.

Replace a process-level token.

Bypass traverse checking.

Adjust memory quotas for a process.
SVC-<ENV>-LIVETILES Runs the Application Pool for LiveTiles Enterprise IIS site

Domain User

Impersonate a client after authentication.

Log on as a batch job.

Lon as a service.

 

Password Restrictions

When using special signs in the password that can functions as injection characters you are not allowed to use these characters directly. When saving strings to XML, it is important to escape invalid characters. The following table shows the invalid XML character and their escaped equivalents.

Invalid XML Character Replaced with
&lt;
&gt;
&quot;
&apos;
& &amp;

 

AntiVirus Exclusions

When using antivirus, it is required to make an exclusion list for SharePoint binaries to avoid locked files when SharePoint crawler indexing files and to gain performance. An exclusion list must also be crated for SharePoint databases on the SQL server.

Exclusions of SharePoint Directories

The following folders are necessary to exclude in the antivirus program in the SharePoint servers, since this has a major impact on performance and stability.

The term Drive is a placeholder that represents the drive letter where SharePoint binaries are installed. This is typically drive letter C.

  • Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions

Recommended is to exclude all files in “Web Server Extensions” from the scanning.

  • Drive:\Program Files\Microsoft Office Servers\15.0\Data\Office Server\Applications

Above folder will exclude antivirus from scanning of files in SharePoint index in SharePoint 2013.

  • Drive:\Program Files\Microsoft Office Servers\16.0\Data\Office Server\Applications

Above folder will exclude antivirus from scanning of files in SharePoint index in SharePoint 2016 and 2019.

Exclusion of IIS webs binary files from scanning, i.e.

  • C:\inetpub\wwwroot\wss\VirtualDirectories
  • C:\inetpub\wwwroot\livetiles website
  • C:\inetpub\wwwroot\livetiles blob

Exclusion of SharePoint log files, ULS and Index, i.e.

  • D:\SharePoint\Index\*
  • D:\SharePoint\Logs\*

Exclusion of Framework files and folders

The following exclusions will exclude .NET Framework v3.5 and v4.x from antivirus:

  • Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET files
  • Drive:\Windows\Microsoft.NET\Framework64\v3.5\Temporary ASP.NET files
  • Drive:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET files
  • Drive:\Users\service account\AppData\Local\Temp\WebTempDir files

Please note: “WebTempDir” folder is a substitute for “FrontPageTempDir” folder.

Exclusion of Database Files and Folders

It is also necessary to create a positive exclusion list that has been created on the database server to gain better performance and avoid “locked” databases.

The following must be configured to be excluded in the antivirus program:

  • Database Engine server components and data files, i.e.:
    • Path:%ProgramFiles%\Microsoft SQL Server\MSSQL13<instance>\*
  • Database database files, i.e.:
    • D:\MSSQL\MSSQL_data\*
  • Database logs files, i.e.:
    • D:\MSSQL\MSSQL_logs\*

Exclusion of LiveTiles Intranet Enterprise Web Sites and Folders

The following LiveTiles IIS web site files and folders must be excluded from antivirus scanning:

  • Drive:\inetpub\wwwroot\<livetiles website>\*
  • Drive:\inetpub\wwwroot\<livetiles blob>\*

Other

Other requirements in SharePoint and LiveTIles IIS server, please refer to LiveTiles Intranet Enterprise Add-in On-Premises Checklist.docx found on LiveTiles Partner portal https://livetiles.force.com/partners/s/contentdocument/0690o00000GYghaAAD

 

Install and Provision SharePoint Server

LiveTiles recommending provisioning a SharePoint farm is done by using AutoSPInstaller or Assist.

AutoSPInstaller and Assist works with SharePoint server 2013, 2016, 2019 and SE and take advantages of some of the cmdlet updates in the newer SharePoint releases, while remaining largely backward-compatible older versions. AutoSPInstaller is open source and can be downloaded from this URL https://github.com/brianlala/AutoSPInstaller.  

For configuring the script, please take advantage of the GUI provided here https://autospinstaller.com.

 

LiveTiles Intranet Enterprise Requirements

If an organization has implemented URL restrictions on their firewall for clients to access the Internet, the following section listing URL’s that need to be whitelisted on the firewall/proxy server.

Please note: We only document URL’s needed for LiveTiles Intranet Enterprise to function in SharePoint.

Type URL Description
CDN https://wizdom-libs-one.azureedge.net/ Content files: Font, CSS, javascript, templates
CDN https://wizdom-libs-two.azureedge.net/ Content files: Font, CSS, javascript, templates
CDN https://wizdom-libs-three.azureedge.net/ Content files: Font, CSS, javascript, templates
CDN https://wizdom.azureedge.net/ Content files: Font, CSS, javascript, templates
CDN https://az416426.vo.msecnd.net Official Microsoft 365 CDN
CDN https://ajax.aspnetcdn.com Microsoft CDN
URL https://wizdomlicenseportal.azurewebsites.net/ License Service API
URL https://success.wizdom-intranet.com/ Documentation URL
URL https://licenseportal.wizdom-intranet.com/ License Service API
URL https://wizdomdocumentation.azurewebsites.net/ Knowledgebase and documentation

 

Access Requirements

LiveTiles has the following requirements for access to the servers:

  • LiveTiles Intranet Enterprise server
    • RDP access
    • Local administrative access
    • File level administrative access
  • SharePoint server
    • RDP access
    • Farm administrative access
    • File level administrative access
  • Database server
    • RDP access
    • DBO rights to the LiveTiles database (server admin or sysadmin)

High-Trust Provider-Hosted Add-in SharePoint

A high-trust add-in is a provider-hosted SharePoint Add-in that is installed to an on-premises SharePoint farm.

In SharePoint, the security token service (STS) provides access tokens for server-to-server authentication. The STS enables temporary access tokens to access other application services such as Exchange, Lync, and SharePoint Add-ins. A farm administrator establishes trust between SharePoint and the other application or add-in by using Windows PowerShell cmdlets and a certificate. Each certificate that is used must be trusted by SharePoint by using the New-SPTrustedRootAuthority cmdlet. Also, each certificate must be registered with SharePoint as a token issuer by using the New-SPTrustedSecurityTokenIssuer cmdlet.

The following illustration show the components used within a high-trust.

image3.png

  1. User sends a request for URL, e.g., https://intranet.company.com (SharePoint web application)
  2. SharePoint authenticates user (App Web)
  3. High-trust requests trusted provider for access (LiveTiles Intranet Enterprise web site)
  4. LiveTiles Intranet Enterprise add-in access database for content and configuration etc. (Database and Web Services)
  5. Content are delivered to user using cross-domain content in high-trust provided add-in

Please note: When a user sends a request to SharePoint, contents within the web application are delivered as cross-domain requests. Contents are delivered from both domains (SharePoint and LiveTiles Intranet Enterprise DNS) in the client browser.

image4.png

High-Trust Requirements

The following are required to create a high-trust provided add-in for use in SharePoint.

A high-trust add-in uses a certificate instead of a context token to establish trust. High-trust add-ins require some configuration on the SharePoint farm and on the IIS server hosting LiveTiles Intranet Enterprise remote web application. The certificate does not use SAN (Subject Alternate Names) for verification but use certificate encryption key.

  • X.509 digital certificate (CER)
  • Corresponding Private Key (PFX) and password
  • Public issued certificate (wildcard certificate or self-signed certificate)
  • 2048-bit encryption key
  • Self-signed certificate

Using Self-Signed Certificate

If using self-signed certificate, we recommend using SelfSSL command line tool found in IIS6 Resource Kit.

Only use self-signed certificates in non-production environments and keep track of validity and approval.

To create a self-signed certificate valid for 10 years, use the following command in an administrative PowerShell:

New-SelfSignedCertificate -Subject "LiveTiles High-Trust" -DnsName "livetiles.company.com" -CertStoreLocation "cert:\LocalMachine\My" -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(5)

Please note: Parameter "DnsName" can be left out, as the certificate is used for the high-trust only. DnsName can be used for easier identification of the high-trust self-signed certificate.

  • Install self-signed certificate on all servers participating in the setup, including LiveTiles Intranet Enterprise IIS server(s)
  • Install (x2) self-signed PFX in MMC > Certificates > Personal and Trusted Root Authorities

IIS Server Requirement

LiveTiles Intranet Enterprise requires an IIS web server to host Provider Hosted App utilized by the remote SharePoint web application.

Minimum hardware requirements:

  • 2 cores
  • 8 GB memory

Recommended hardware requirements:

  • 4 cores
  • 8 GB memory

Software requirements:

  • IIS 7+
  • .NET version 4.6 https://www.microsoft.com/en-us/download/details.aspx?id=48137
  • Roles
    • Web Server (IIS)
  • Feature
    • .NET Framework 4.5 Features
      • .NET Framework 4.5
      • ASP.NET 4.5
  • Web Server Roles
    • Security
      • Windows Authentication
    • Application Development
      • .NET Extensibility 4.5
      • ASP.NET 4.5
  • SSL: Certificate PFX file with password (not self-signed certificate for production)
  • Firewall rules
    • Allow https traffic between the SharePoint Farm and the IIS server
  • Internet Access

Loopback and IP Address

LiveTiles Intranet Enterprise timer job triggers calls by accessing the site and IIS web site on the server. You must ensure that if using a dedicated IP address on the IIS server, the IP address must be reachable and present in the local host file on the server hosting LiveTiles Intranet Enterprise.

If a dedicated IP address has not been configured, please ignore this section and continue the installation as normal.

Example: The LiveTiles Intranet Enterprise web site https://livetiles.company.com has been configured to listen and server calls on a dedicated IP address 192.168.13.29 in the IIS bindings

image5.png

Add the example IP address 192.168.13.29 to local HOSTS file (c:\windows\system32\drivers\etc\hosts) on the server

image6.png

DNS Requirements

Requirements for DNS entries, please refer to LiveTiles Intranet Enterprise Add-in On-Premises Checklist.docx found on LiveTiles Partner portal https://livetiles.force.com/partners/s/contentdocument/0690o00000GYghaAAD

LiveTiles Database and Permissions

The following are required on the SQL server, database, and application pools:

  • Active Directory service account for the LiveTiles Intranet Enterprise web site application pool
    • Service accounts need to be domain accounts, not local accounts.
  • Empty SQL database
    • LiveTiles Intranet Enterprise application pool service account must have DBowner rights.
  • Empty IIS web site for LiveTiles Intranet
    • Binding configured e.g., livetiles.domain.com
    • DNS entry configured for Portal web application e.g., intranet.domain.com
  • LiveTiles Intranet Enterprise deployment package.
  • Account used for the installation of the IIS server, must be a domain account.

Authentication and Requirements

For authentication against SharePoint and LiveTiles Intranet, the requirements are as following:

  • Windows authentication are required (NTLM or Kerberos).
  • Forms-based authentication are not supported.
  • SAML-token based authentication are not supported.
  • User accounts need to be part of the local or a trusted Active Directory (requires a 1-way trust).
  • If LiveTiles Intranet are using ADFS, the claims mapping requires property SAMAccountName (UPN is not supported).

Please note: If planning to use ADFS, the version supported is Windows Server 2019 that has built-in support for CORS headers needed for LiveTiles Enterprise Intranet. One example seen is the font editor used in Noticeboard where Froala editor (icons) are visible and working as expected.

Internet Explorer Security Policies

Internet Explorer native browser cannot be used and LiveTiles does not support this application.

Support for Internet Explorer has ended June 15, 2022 as stated by Microsoft.

You can read more the product line lifecycle here if needed.

 

To support a single sign-on solution between SharePoint and LiveTiles using current username and password, the following changes to Internet Explorer security settings must be considered implemented as a Group Policy template on the corporate domain.

Internet Options

Add sites included in the solution to Internet Options > Security > Trusted sites

image7.png

Change custom settings to allow data access across SharePoint and LiveTiles seamlessly. To configure settings, do the following:

  1. Open Internet Options
  2. Go to Security tab and highlight Trusted sites
  3. Click on Custom level… and in the Miscellaneous section, select Access data sources across domain to be Enable
  4. image8.png
  5. Go to User Authentication section and select Automatic logon with current username and password
  6. image9.png
  7. Press OK twice to save the changes

For more information how to enroll these changes in a new Group Policy settings to help you manage your company’s web browser configuration, please see https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.

 

Windows OS and SQL Server Requirements

LiveTiles Intranet requires a Microsoft SQL Server database for storing application data. Following requirements must be complied:

Software requirements:

  • SharePoint Subscription Edition
    • SQL Server 2019 Standard or Enterprise (database compatibility level 150)
    • SQL Server 2022 Standard or Enterprise (database compatibility level 150)
      • Any future versions version of SQL Server for Windows that supports database compatibility level 150
    • Windows Server 2019 Standard or Datacenter
    • Windows Server 2022 Standard or Datacenter
  • SharePoint Server 2019
    • SQL Server 2016 RTM
    • SQL Server 2017 RTM for Windows
    • SQL Server 2019 RTM for Windows
    • Windows Server 2016 Standard or Datacenter
    • Windows Server 2019 Standard or Datacenter
  • SharePoint Server 2016
    • 64-bit edition of SQL Server 2014 Service Pack 1
    • SQL Server 2016 RTM
    • SQL Server 2017 RTM for Windows
    • Windows Server 2012 R2 Standard or Datacenter
    • Windows Server 2016 Standard or Datacenter
  • SharePoint Server 2013
    • SQL Server 2008 R2 Service Pack 1
    • SQL Server 2012
    • SQL Server 2014, May 2014 Cumulative Update
    • Windows Server 2008 R2 SP1
    • Windows Server 2012 (KB 2765317)
  •  

Recommended configuration:

  • SQL Instance dedicated to SharePoint and related databases
  • Max degree of Parallelism (MAXDOP) set to 1 (required for SharePoint 2016/2019)
  • SharePoint Collation is “Latin1_General_CI_AS_KS_WS”
  • Use full recovery model on all user databases
  • Make sure to do backup of data and log files

 

SharePoint Configurations

Create New Site Collection

Before we install the new LiveTiles Intranet for add-in, first is to create a new site collection holding LiveTiles Intranet Enterprise. This site will be created using the team site template.

  1. Open SharePoint Central Administration
  2. Click Application Management and select Create site collection in the Site Collection section
  3. image10.png
  4. Select the right Web Application and add a Title
  5. In Template Selection, select Team site template
  6. Add Primary Site Collection Administrator
  7. Click OK to save and create the new site collection
  8. image11.png

Activate Features

When the site collection has been created, do the following to enable/disable features for LiveTiles Intranet:

  1. Log in to https://<site collection URL>
  2. Open the Site Settings
  3. In Site Collection Administration, select Site collection features
  4. Click Activate on feature SharePoint Server Publishing Infrastructure
  5. Go back to Site Settings
  6. In Site Actions, select Manage site features
  7. Click Activate on feature SharePoint Server Publishing
  8. Click Deactivate on feature Mobile Browser View

Create Corporate App Catalog

Before we can upload apps, we need to create an app catalog in SharePoint (if not exists).

Please note: The following section assumes that no app catalog exists. Important to know is that the app catalog must be created under the same web application where Enterprise exists.

  1. Open SharePoint Central Administration
  2. Click Apps and select Manage App Catalog in the App Management section
  3. Next select the right web application and click OK to get to the creation site
  4. image12.png
  5. In Title type e.g., Apps and the same for the URL
  6. image13.png
  7. Click OK to save the changes and create the new app catalog

Polyfill Webservice WSP (SharePoint 2013)

Please note: The following is only targeted using SharePoint Server 2013. In newer versions, polyfill webservice is built in. 

LiveTiles Intranet Enterprise requires installation of a single SharePoint solution on the farm that polyfill the API gap between SharePoint Online and SharePoint on-premises. The polyfill solution does not customize SharePoint in any way, it just deploys endpoints on the SharePoint farm that LiveTiles Intranet Enterprise can utilize.

Use PowerShell to install the polyfill web service.

  1. On the SharePoint server, open SharePoint PowerShell with Elevated Rights
  2. At the PowerShell command prompt, update appropriately and run the following commands:
Add-SPSolution "\<path>\Wizdom polyfill\Wizdom.Polyfill.Webservice.wsp"  
Install-SPSolution -Identity Wizdom.Polyfill.Webservice.wsp -GACDeployment  

Import Search Configuration Settings

Go to the SharePoint server and open the web site created previously.

  1. Download SearchConfiguration.xml file from LiveTiles Distribution Repository https://livetilesrepository.blob.core.windows.net/livetilesintranetonprem/installationfiles/SearchConfiguration.zip
  2. Open LiveTiles Intranet Enterprise site collection and select Site Settings
  3. In the Search section, select Configuration Import /_layouts/15/importsearchconfiguration.aspx?level=site
  4. image14.png
  5. Select the SearchConfiguration.xml file and click Import

Enable Global Term Sets

Global term sets are necessary to make sure all functionalities are working as expected, such as Workspaces, Related Content etc. in LiveTiles Intranet Enterprise.

Manual configure term group and sets

The following section describe how global term sets can be added manually.

  1. Log in to https://<Central AdministrationUrl> with a farm administrator account
  2. In Application Management, select Manage Service Applications
  3. Click the Managed Metadata Service application link
  4. image15.png
  5. In Term Store Administrators, add the account that must perform this change
  6. image16.png
  7. Click Save to update Term Store Administrators
  8. In the Taxonomy Term Store click the little arrow on the right side and select New Group
  9. image17.png
  10. Name the new group Wizdom Global and click Save
  11. On the new group, select New Term Set and add the following:

Term Group Name

 Term Set Name
Wizdom Global Wizdom_Department
Wizdom Global Wizdom_Languages
Wizdom Global Wizdom_Location
Wizdom Global Wizdom_ManualArea
Wizdom Global Wizdom_ManualType
Wizdom Global Wizdom_RelatedTopic
      The result should look like this:

 

image18.png

SSL Certificate

Next step is to export the wildcard certificate that we have been provided by the customer and assumed has already been installed on the server with the “Allow this certificate to be exported” setting enabled.

To export the certificate PFX file and CER file, do the following.

  1. On the SharePoint WFE#1 server, open IIS Management
  2. Click on Server Certificates on the Home page
  3. image19.png
  4. Export the certificate to a PFX file
    • Right-click the wildcard certificate that’s been provided and select Export
    • Select an export path and choose a password to the certificate
      • PFX password = <password>
      • Export path i.e. = “D:\LiveTiles\Certificate\export\<cert.pfx>”
    • As the PFX file and password will be used on the LiveTiles IIS server at a later step, the file must be copied to the LiveTiles IIS server(s) in the path “D:\LiveTiles\Certificate\export\<cert.pfx>”.
  5. Export the certificate to a CER file
    • Open the certificate in IIS and select the Details tab
    • Click on Copy to File… (choose default values in the wizard)
    • image20.png
  • Export path = “D:\LiveTiles\Certificate\export\<cert.cer>”
  • CER-file will be used in the SharePoint high-trust configuration at a later step

Add new high-trust for Intranet WA

For SharePoint server and the IIS APP server to be able to communicate together, a high-trust for token validation, need to be created between them.

This is accomplished by using PowerShell – a prerequisite is that the certificate have been created and installed correctly.

  1. Log on to the SharePoint server
  2. On the SharePoint server, open SharePoint PowerShell with Elevated Rights
  3. At the PowerShell command prompt, update appropriately and run the following commands
    • The <issuer ID> can be any GUID generated using [guid]::newguid() or New-Guid
    • Save the script as e.g., CreateHigtTrust.ps1 for future reference

Replace “<>” input values to match the installationimage2.png

$issuerID = "<Issuer ID>"
$publicCertPath = "D:\LiveTiles\Certificate\export\cert.cer"
$siteUrl = "<Site collection URL>"
$web = Get-SPWeb $siteUrl
$certificate = Get-PfxCertificate $publicCertPath
$realm = Get-SPAuthenticationRealm -ServiceContext $web.Site
$fullAppIdentifier = $issuerId + '@' + $realm
New-SPTrustedRootAuthority -Name "LiveTilesApp" -Certificate $certificate
New-SPTrustedSecurityTokenIssuer -Name "LiveTilesApp" -Certificate $certificate -RegisteredIssuerName $fullAppIdentifier –IsTrustBroker
Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier -Site $web -DisplayName "LiveTilesApp"
Iisreset

Register new app

In the following steps we need to register a new SharePoint app which is needed for LiveTiles Intranet.

Do the following to register new app on the root site collection or in a managed path:

  1. Log on to the SharePoint site collection https://<intranet.company.com/> with <Site Collection admin> account
  2. Register new app settings
    • Open https://<intranet.company.com/>/_layouts/15/appregnew.aspx
    • Client ID = Generate
    • Client Secret = Generate
    • Title = LiveTilesApp
    • App Domain = <livetilesIISwebsite.company.com>
    • Redirect URL = https://<livetilesIISwebsite.company.com>
    • image21.png
    • Click on Create to create the app request
    • Save ClientID and ClientSecret values as we need them in the LiveTiles IIS web.configimage2.png

Create app package

SharePoint must be able to communicate with the LiveTiles IIS website and provide access tokens, - next step is to create a new SharePoint app package for the app catalog.

  1. Download GenerateAppPackage.zip here and unpack it to your local computer
  2. Fill in with ClientID and AppUrl (Remember https:// in front of the URL)
  3. AppUrl must be without ”/” at the end
  4. Client ID is the client ID you created earlier when you created the app catalog
  5. New product ID is required and can easily be generated in PowerShell by running this command:
    • PowerShell before version 5.0 -> [guid]::newguid()
    • # PowerShell before version 5.0
      PS Z:\> [guid]::newguid()
      Guid                                
      ----                                
      c6c39e03-1c25-4b9e-a428-6ad9e890a1c5
    • PowerShell version 5.0 or newer -> New-Guid
    • # PowerShell version 5.0 or newer
      PS Z:\> New-Guid
      Guid                                
      ----                                
      c6c39e03-1c25-4b9e-a428-6ad9e890a1c5
  6. Below is an example of how the command will look like in PowerShell
  7. image22.png
  8. New-Guid 
    Guid
    ----
    62b30a60-0ac9-4252-850f-4a4549aa1e58 

    .\generateAppPackage.ps1 
    -clientid ef459460-    480b-43fb-ab37-ac5ae132d05a 
    -appurl https://livetiles.company.com 
    -outfile     "LiveTilesApp.app" 
    -title     "LiveTilesApp" 
    -name     "LiveTilesApp" 
    -productid     62b30a60-0ac9-4252-850f-4a4549aa1e58

Upload the app package

When the new app has been created, the app must be uploaded to the SharePoint app catalog.

Upload app package to SharePoint app catalog

Please follow these steps to accomplish this task.

  1. Log on to the SharePoint server as Administrator
  2. Open the App catalog https://<Site collection URL>/sites/<apps>
  3. Click on the link to the left Apps for SharePoint
  4. Upload the app created above into the App container
  5. Verify that the App has all metadata information filled in and no errors
  6. image24.png

LiveTiles IIS Server Installation

The following section describes the steps involved in configuring the LiveTiles IIS App server for high-trust.

Add roles and features

The following section describes the steps involved in enabling the server that will have the LiveTiles IIS web site provisioned.

  1. On the LiveTiles IIS server, open PowerShell with Elevated Rights
  2. At the PowerShell command prompt, update appropriately and run the following commands:

Change –source to reflect the Windows Server install image.

Install-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Basic-Auth,Web-Digest-Auth,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext,Web-Net-Ext45,Web-Asp-Net,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,Web-Lgcy-Scripting,Web-WMI –source G:\sources\sxs

Add certificate to IIS Manager

In case the customer did not install the certificate on all servers participating in the SharePoint farm, the following procedure can be used to add the certificate exported from the SharePoint server WFE#1 to the IIS server(s).

  1. On the LiveTiles IIS server, open PowerShell with Elevated Rights
  2. At the PowerShell command prompt, update appropriately and run the following commands
    • Make sure the PFX file and password are exported and available.
$mypwd = ConvertTo-SecureString -String "<password>" -Force –AsPlainText
$PfxCertFile = Get-ChildItem -Path <path>\<cert>.pfx
$PfxCertFile | Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\my -Password $mypwd
$PfxCertFile | Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\root -Password $mypwd

LiveTiles IIS website

Installation files

The source installation files can be downloaded from LiveTiles Repository and mandatory version is to start with version 6.48.2.0 as upgrade engine has changed and therefore this version must be installed first:

  1. Extract the provided ZIP file to a temporary location
  2. Copy the following directories to the LiveTiles IIS server in the web site location (<Inetpub>)
    • \LiveTiles blob\
    • \LiveTiles website\
  3. Copy web.config from \LiveTiles website web.config\ to folder \LiveTiles website\
  4. image25.png

Create LiveTiles IIS web site

On the LiveTiles IIS server, we need to create new web site for LiveTiles Enterprise. The following steps describes how to do this manually.

  1. Log on to the LiveTiles IIS server as administrator
  2. Click Start > Run… and type inetmgr to open Internet Information Services (IIS) Manager
  3. Expand <server> and Application Pools 
    1. Right-click and select Add Application Pool... 
    2. Add a name like LiveTiles and click OK to save with default settings
    3. Next right-click the new application pool and select Advanced Settings... 
    4. In section Process Model, click Identity and change to the LiveTiles Application Pool account
    5. Select Custom account: > Set... 
    6. image27.png
    7. Click OK to save the changes 
    8. Restart the application pool
  4. Expand <server> and right-click Sites and select Add Website…
    • Fill in Site name and the application pool created above
    • In Physical path, browse to the website binaries you copied earlier
    • In Bindings, use SSL and provide the host name for the LiveTiles IIS web site
    • Finally, select the certificate to use on the web site
    • image26.png
    • Click OK to create the new web site

Enable authentication in IIS

When the web site has been created Windows Authentication is per default disabled. To change this, do the following:

  1. Log on to the LiveTiles IIS server as Administrator.
  2. Open IIS Manager and highlight the newly created LiveTiles web site.
  3. In the IIS section, click Authentication to open settings.
  4. image28.png
  5. Enable Windows Authentication
  6. Verify that:
    • LiveTiles web site = Anonymous Authentication enabled
    • LiveTiles web site = Windows Authentication enabled
    • LiveTiles Blob site = Anonymous Authentication enabled
    • LiveTiles Blob site = Windows Authentication enabled

Change Anonymous Authentication Credentials 

  1. Log on to the LiveTiles IIS server as Administrator.
  2. Open IIS Manager and highlight Blob virtual directory.
  3. In the Features view, click Authentication.
  4. High-light Anonymous Authentication and select Edit.
  5. image29.png
  6. In the Edit Anonymous Authentication Credentials, change to Application pool identity.
  7. Click OK to save the changes.

Change Application Pool Recycling settings

Per default recycling of application pool is set to 1740 minutes (every 29 hour) and this value does not comply with normal use of IIS sites.

  1. Log on to the LiveTiles IIS server as Administrator.
  2. Open IIS Manager and navigate to Application Pools.
  3. Highlight LiveTiles application pool and change to Specific time(s).
  4. image30.png

Check that the time entered comply with SharePoint maintenance jobs, organization etc. before changing. It is important that this value does not reflect daily use e.g., a worldwide organization could have benefit of not using this setting.

Assign certificate to LiveTiles web site

  1. Log on to the LiveTiles IIS server as Administrator.
  2. Open IIS Manager and highlight the newly created LiveTiles web site.
  3. Click on bindings and assign the relevant SSL certificate.

AppPool account and certificate store

The application pool account that is used for the IIS LiveTiles web site must have permissions to the certificate store.

  1. Log on to the LiveTiles IIS server.
  2. Open MMC and type “Ctrl+M”.
  3. Select Certificates from available snap-ins.
  4. Click on Add and select Computer account and click Next and Finish.
  5. Go to Certificates > Personal > Certificates and select the certificate used for the trust.
  6. Right-click and select All Tasks > Manage Private Keys.
  7. image31.png
  8. Add the LiveTiles IIS web site application pool account with Full control permissions.
  9. image32.png
  10. Save with OK and close the MMC console.

Delegate permissions to web site

When the LiveTiles IIS web site and the blob site has been created on the server, next step is to delegate access to the application pool account.

  1. Log on to the LiveTiles IIS server as Administrator.
  2. Open Explorer and navigate to LiveTiles IIS web site.
  3. image33.png
  4. Right-click <LiveTiles blob> and <LiveTiles website> and select Properties
  5. Select the tab Security and click Edit… and Add…
  6. Add LiveTiles IIS web site application pool account
  7. image34.png
  8. Grant full permission to the folder and subfolders
  9. image35.png
  10. Repeat the steps for the Blob folder
  11. Right-click <LiveTiles website> and select Properties
  12. Select the tab Security and click Edit… and Add…
  13. Add <local server>\IIS_IUSRS 
  14. image36.png
  15. Add Modify permission
  16. Repeat the step for <LiveTiles blob> folder
  17. Click OK to save the changes

Disable loop back check

Decide whether to specify specific URLs to bypass loop-back-check (BackConnectionHostNames) or to bypass loop-back-check for everything (DisableLoopbackCheck). Choose one and use the relevant part from below. This is important for LiveTiles timer jobs to run successfully.

BackConnectionHostNames

  1. On the LiveTiles IIS server, click Start, click Run…, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. Type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the host name <IIS site URL for LiveTiles> that is on the local computer, and then click OK.
  7. Quit Registry Editor, and then perform and IISRESET.

DisableLoopbackCheck

  1. On the LiveTiles IIS server, click Start, click Run…, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click Lsa, point to New, and then click DWORD Value.
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Quit Registry Editor, and then restart the server.

Create new LiveTiles database

This section describes how to create the LiveTiles Intranet Enterprise database.

  1. Log on to the SQL Server with db creator permissions.
  2. Open SSMS.
  3. Right-click Databases and select New database.
  4. Fill in with the information:
    • Database Name = <Name of the LiveTiles database>
    • Autogrowth data = 10 MB
    • Recovery Model = Simple (if point in time recovery is required, then it must be “Full”)
    • Collation = Latin1_General_CI_AS_KS_WS
  5. Create the database by click OK.

Grant permissions to the database

On the newly created LiveTiles database grant access to the LiveTiles Service Account (the application pool account configured previously).

  1. Log on to the SQL server with administrative permissions.
  2. Open SSMS.
  3. Go to Security and grant the “LiveTiles Service Account” db_owner permissions to the database.
  4. image37.png
  5. Press OK to update the permissions for the LiveTiles database.

Update web.config file

The following procedures describe the procedure for configuring web.config files on the LiveTiles IIS server.

  1. Log on to the LiveTiles IIS server as Administrator
  2. Copy the web.config file from the source installation folder on the SharePoint server from “D:\LiveTiles\Install\LiveTiles\LiveTiles website web.config” to the LiveTiles IIS server in “D:\inetpub\LiveTiles website”
  3. Alter the config file to match your environment:
    • Connection stings > Update the two connection strings to reflect your environment
    • AppUrl > URL to your APP (ex. https://livetiles.company.com/)
    • BlobUrl > URL to Blob directory (ex. https://livetiles.company.com/blob/)
    • LocalBlobPath > URL to the local path of your Blob (ex. c:\LiveTiles\LiveTiles blob)
    • ADDomain > Domain, e.g., company.local
    • ClientID > ClientID from appregnew.aspx
    • ClientSecret > ClientSecret from appregnew.aspx
    • ClientSigningCertificatePath > path to the certificate you exported (.pfx file)
    • ClientSigningCertificatePassword > Password for the certificate
    • IssuerID > Issuer ID created earlier (from the high-trust script creation)
    • TenantSiteUrl > URL to the SharePoint site (ex. https://intranet/) Remember “/” at the end
    • SearchUsername > Username for a search account (with read access to site collection)
    • SearchPassword > Password for a search account
    • SearchDomain > Domain for the search account

Please note: You can use the ASP.NET IIS Registration Tool (Aspnet_regiis.exe) to encrypt or decrypt sections of a Web configuration file. ASP.NET will automatically decrypt encrypted configuration elements when the web.config file is processed. For instructions how to encrypt and decrypt, please see appendix how to do this.

 

Add LiveTiles app to site collection

This section describes how to add the LiveTiles App to the site collection.

  1. Open the Intranet site collection where LiveTiles needs to be provisioned.
  2. Click on Site Contents and Add an App.
  3. Select the <LiveTilesApp>
  4. Click Trust it

Activate LiveTiles Enterprise

A license should already have been provided for you with the Enterprise application. If the license is not provided, then please contact the LiveTiles support team.

The process of activating LiveTiles with the license PIN is described here. Please be aware of the PIN is valid for 72 hours only.

  1. Log in to <LiveTiles Intranet>, e.g., https://intranet.company.com 
  2. Open LiveTiles Admin Center and click on Admin > License.
  3. Type in the four-digit license key to activate. The license key is valid in 24 hours.
  4. Click on Pair button.
  5. image38.png
  6. Check that the license is valid by refresh the site.
  7. image39.png

Install LiveTiles Enterprise content types etc.

After the license PIN code has been added to Azure web site and validity confirmed, next step is to start the installation of site content types, schema files etc.

  1. Open the LiveTiles Intranet admin center.
  2. Select Admin and Installation.
  3. Click on Install or Upgrade.
  4. Wait for the installation to complete. Time for this task is approximately 5 minutes. When this is completed, next step is to import the search configuration into SharePoint.

Create new default page for LiveTiles

  1. Log in to Log on to the SharePoint server as Administrator.
  2. Open e.g., https://intranet.company.com with <Site Collection admin> account.
  3. Open the Settings image40.pngmenu and select Site contents.
  4. Click on Pages app and click New > Page to create a new LiveTiles page.
  5. In New page name, name it e.g., LiveTiles in Title – the URL must be “/SitePages/default.aspx”.
  6. Select page layout (Wizdom contentpage) Wizdom 3 columns.
  7. image41.png
  8. Click Create to create the new page.
  9. Next open the checkout page default.
  10. In the ribbon bar, select Page and then Make Homepage.
  11. image42.png
  12. Select Save and publish the page to commit the changes.
  13. Click on Home to go to the newly created start page.

Enable Noticeboard timer sync job

The following section describes how to enable Noticeboard News Synchronization Job to synchronize news items into a SharePoint list.

Create datastore site collection

  1. Open SharePoint Central Administration.
  2. Select Create Site Collection in the Site Collection section.
  3. Point to <SharePoint Intranet> web application.
  4. Add these values:
    • Title = e.g. LiveTilesData
    • URL e.g. https://intranet.company.com/sites/livetilesdata
    • Language = <select language>
    • Primary Site Collection Owner = <PrimaryOwner>
    • Secondary Site Collection Owner = <SecondaryOwner>

Configure datastore timer job

To enable LiveTiles timer job to use the newly created site, do the following:

  1. Open LiveTiles Intranet administration.
  2. Click on Admin and select Sitecollections.
  3. In the Datastore URL add e.g. https://intranet.company.com/sites/livetilesdata
  4. Add Datastore owner <PrimaryOwner>.
  5. Save the configuration by click in the Save Configuration button.
  6. Go back to Admin and click on Webhooks.
  7. Remove the check mark in DatastoreCreating.
  8. image43.png
  9. Test the setting, by open Timer jobs in the Wizdom administration.
  10. Click Run now on Noticeboard News Synchronization Job.
  11. Verify status is Idle afterwards.

 

Appendix

Workspace module self-site creation

If you plan to use Workspaces module to be configured for self-service site creation, - sites are created as dedicated site collections -  extra configuration must be done in order to make this work.

image44.png

To enable self-service site creation on the web application used for the Workspaces module business app, requires a PowerShell script that will set site collection to act as admin site.

Prerequisites for configuring self-service site creation:

Configure Workspaces self-site creation

To configure self-service site creation (act as admin), do the following:

  1. Open Enterprise web.config in your preferred editor (remember to make a backup)
    • Change “AdminSiteUrl” to the new site collection created in prerequisites above
<appSettings>

<add key="AdminSiteUrl" value="https://intranet.contoso/sites/project" />
  • Save the file
  1. Extract the PowerShell script WorkspacesActAsAdmin.ps1 
  2. Change $WebApplicationUrl and $siteColUrl to match the configuration
# SharePoint 2016/2019/SE
# Please provide the web application Url & Cockpit site collection
# Create an empty site based on teamsite template and use this in $siteColUrl
# The SharePoint web application to be used (Get-SPWebApplication)
$WebApplicationUrl = "https://intranet.contoso.com"

# Workspaces site collection (top site collection)
$siteColUrl = "https://intranet.contoso.com/sites/projects"
$webapp=Get-SPWebApplication $WebApplicationUrl
$newProxyLibrary = New-Object "Microsoft.SharePoint.Administration.SPClientCallableProxyLibrary"
$newProxyLibrary.AssemblyName = "Microsoft.Online.SharePoint.Dedicated.TenantAdmin.ServerStub, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
$newProxyLibrary.SupportAppAuthentication = $true
$webapp.ClientCallableSettings.ProxyLibraries.Add($newProxyLibrary)
$webapp.SelfServiceSiteCreationEnabled=$true
$webapp.Update()
Write-Host "Successfully added TenantAdmin ServerStub to ClientCallableProxyLibrary for web application" $WebApplicationUrl

# Reset the memory of the web application
Write-Host "IISReset..."
Restart-Service W3SVC,WAS -force
Write-Host "IISReset complete on this server, remember other servers in farm as well."
$site = get-spsite -Identity $siteColUrl
$site.AdministrationSiteType = [Microsoft.SharePoint.SPAdministrationSiteType]::TenantAdministration
Write-Host "Site $siteColUrl set to AdministrationSiteType" $site.AdministrationSiteType
  1. When completed, open LiveTiles Admin Center and navigate to Modules > Workspaces
  2. Click on workspace instance click the pencil png-transparent-computer-icons-pencil-icon-design-pencil-angle-pencil-pen-thumbnail.pngto edit
  3. In Site repository settings select Sitecollection – Sites are created as sitecollections 
  4. image45.png
  5. Click Save configuration to save the settings

Multi-server environment

In environments where Enterprise is installed on multiple servers (IIS web sites), the following are required in order to synchronize web site and virtual blob between these nodes:

  • Load Balancing between the Enterprise IIS servers
  • Microsoft Distributed File System (DFS) sync of Enterprise web site and blob between the servers
  • Changing IIS caching method from memory to SQL
    • Find this key in the web.config
<add key="IOC:Wizdom365.BLL.Managers.ICacheManager, Wizdom365.BLL" value="Wizdom365.BLL.Managers.MemoryCacheManager, Wizdom365.BLL" />
    • Replace it with this key:
<add key="IOC:Wizdom365.BLL.Managers.ICacheManager, Wizdom365.BLL" value="Wizdom365.BLL.Managers.SqlCacheManager, Wizdom365.BLL" />

 

Brand suitebar

To change the home link in LiveTiles, do the following.

  1. Open a SharePoint Administrative PowerShell as administrator
  2. Change the <http://siteurl> to reflect the environment and run the command
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue 
function Set-SPSuiteBarBrandingElement {
[CmdletBinding()]
Param([Parameter(Mandatory=$true)][System.String]$WebAppUrl)
$webApp = Get-SPWebApplication $WebAppUrl
$html = "<div class='ms-core-brandingText'><a href='/' id='hjem-link-logo'>hjem</a></div>"
Write-Host $webApp.SuiteBarBrandingElementHtml
$webApp.SuiteBarBrandingElementHtml = $html
$webApp.Update()
}
Set-SPSuiteBarBrandingElement <http://siteurl>

Enable SharePoint Blobcache

To configure the cache settings for web applications in SharePoint, do the following:

  1. Log in to SharePoint web front server(s) with administrator rights.
  2. Locate the web application used for LiveTiles Intranet.
  3. Make a copy of the web.config file belonging to the web application.
  4. Open web.config and find the section <BlobCache location>
  5. Change the path where the blob cache files must be stored. It’s recommended to store the files outside the OS system files, - i.e. on the D-partition and set value = true
<BlobCache location="D:\BlobCache\14" path="\.(gif|jpg|jpeg|jpe|jfif|bmp|dib|tif|tiff|themedbmp|themedcss|themedgif|themedjpg|themedpng|ico|png|wdp|hdp|css|js|asf|avi|flv|m4v|mov|mp3|mp4|mpeg|mpg|rm|rmvb|wma|wmv|ogg|ogv|oga|webm|xap)$" maxSize="10" enabled="true" />
  1. Save the file and make sure to update on all SharePoint web frontend servers.

Configure Learning & Event module

The Learning & Event Module is designed to streamline and automate the handling of training courses, events, seminars etc.

The module is flexible and can be configured to manage many different types of activities, e.g., lectures or college.

The following settings are required to use Course Management module to send our mails

  1. Add the following entry in the <appSettings> section:
<appSettings>

<add key="SmtpHost" value="<provide information>"/>
<add key="SmtpPort" value="587"/>
<add key="SmtpUserName" value="<provide information>"/>
<add key="SmtpUserPwd" value="<provide information>"/>
<add key="SenderEmail" value="<provide information>"/>
<add key="SenderName" value="<provide information>"/>
<add key="EnableSSL" value="true"/>
<add key="IOC:Wizdom365.BLL.Managers.IEmailSender, Wizdom365.BLL"  value="Wizdom365.BLL.Managers.SmtpEmailSender, Wizdom365.BLL"/>

Please note: The SmtpUserName most have an Exchange mailbox configured. 

Enable Custom modules

The following section describes how to enable custom modules in LiveTiles Enterprise and prepare the application.

  1. Log in to the LiveTiles IIS server.
  2. Locate the web.config belonging to the LiveTiles IIS web site.
  3. Add the following key in /appSettings:
<appSettings>
<add key="RequireCustomModuleAuthorization" value="true" />
  1. Close the file to save it.

Use SID for name lookup

In some situations, it can be necessary to enable SID for principle name lookup in the domain.

To enable this feature, add the following feature toggle in web.config:

<add key="UseSidForPrincipalNameLookup" value="true" />

 Be careful not to add an “s” in NameLookup.

Error "Blocked by CORS Proxy"

When accessing LiveTiles Intranet you may receive an error Blocked by CORS policy. This error is related to the Angular that translates HTTP/2 request to HTTP/1.1 when requesting LiveTiles templates from the IIS server.

A possible workaround is to add this to “appSettings” in the web.config file belonging to LiveTiles IIS web site.

<add key="UseTemplateBundle" value="true" />

A drawback on this setting is, that LiveTiles now requests all LiveTiles templates per user request and this will have a performance decrease on the web site.

If this setting is enabled in the appSettings and users still receives the CORS error, then it is necessary to look at the infrastructure behind the servers, such as firewall, network load balancer etc.

How to enable logging in LiveTiles Enterprise

Configure web site

To enable extra logging in LiveTiles, please edit your Web.config file.

You need to configure your Web.config / App Settings to support the extended logging with the following parameters:

image46.png

Change: Wizdom365.BLL.Managers.NullLogger, Wizdom365.BLL > no logging (default)

To: Wizdom365.BLL.Managers.NLogLogger, Wizdom365.BLL > enable logging

<add key = "IOC:Wizdom365.BLL.Managers.ILogger, Wizdom365.BLL" value = "Wizdom365.BLL.Managers.NLogLogger, Wizdom365.BLL"/>
Key Value
IOC:Wizdom365.BLL.Managers.ILogger, Wizdom365.BLL Wizdom365.BLL.Managers.NLogLogger, Wizdom365.BLL
GlobalLogLevel trace

 

Set Loglevel

Choose between the following loglevels in GlobalLogLevel:

  • Trace
  • Debug
  • Info
  • Warn
  • Error
  • Fatal
  • Off

After you have worked with your logging and identified the issue, please switch back to Off

Please note: Please note that it is required to restart the web site for the level to change.

 

Read Logs

Logs can either be read from LiveTiles Intranet admin center (Admin -> Log)

image47.png

Or by navigating to App_Data/FileStorage/Logs in Azure

image48.png

 Text is formatted in Json, so find a LogViewer that supports this language.

 

Lost access to LiveTiles Enterprise admin center

Access to who can manage settings in LiveTiles Enterprise admin center are controlled by AD groups. If you somehow have lost access to administrating Wizdom settings, the following guidelines can help you gain access again.

  1. Log in to the LiveTiles IIS server
  2. Locate Blob virtual directory
  3. Right-click and select Explore
  4. image49.png
  5. In the virtual Blob storage, click back and goto path \secure\configuration\
  6. Click Edit on WizdomConfig.xml in a preferred editor
  7. Remove all the sections <Group> to </Group> as listed below
<Config version="6.39.1.0" timestamp="11-11-2019 16:49:24">
  <Wizdom365 expand="true">
    <DataStore>
      <url>https://intranet.wizdomdev.local/sites/WizdomData</url>
      <owner>WIZDOMDEV\SVC-DEV-SPSearch</owner>
    </DataStore>
    <GlobalCache>
      <Timestamp>2019-09-17T12:42:52.3136917Z</Timestamp>
    </GlobalCache>
    <Permissions>
      <Admin_Global_AdminGroups>
        <Group json:Array="true" xmlns:json="http://james.newtonking.com/projects/json">
          <Id>8def8401-abad-4f9b-9cfd-bc95ec9e4e86</Id>
          <Name>WizdomAdmins</Name>
          <Category>AD</Category>
        </Group>
      </Admin_Global_AdminGroups>
      <Modules_Global_AdminGroups>
        <Group json:Array="true" xmlns:json="http://james.newtonking.com/projects/json">
          <Id>03fc7b13-acf5-48ed-ab5f-f7e5740ea3e1</Id>
          <Name>WizdomModuleAdmins</Name>
          <Category>AD</Category>
        </Group>
      </Modules_Global_AdminGroups>
      <Admin_Global_ConfigurationGroups>
        <Group json:Array="true" xmlns:json="http://james.newtonking.com/projects/json">
          <Id>1a2460a5-cb28-4efa-a88c-7b64d08774cb</Id>
          <Name>WizdomConfigurationCenterAdmins</Name>
          <Category>AD</Category>
        </Group>
      </Admin_Global_ConfigurationGroups>
      <Admin_Global_DocumentationGroups>
        <Group json:Array="true" xmlns:json="http://james.newtonking.com/projects/json">
          <Id>a53aed19-6c93-4374-b8ec-f86784193246</Id>
          <Name>WizdomHelpTrainingAdmins</Name>
          <Category>AD</Category>
        </Group>
      </Admin_Global_DocumentationGroups>
      <Modules_LiveTiles_AdminGroups />
      <Modules_Noticeboard_InsightsGroups>
        <Group json:Array="true" xmlns:json="http://james.newtonking.com/projects/json">
          <Id>722cceae-0467-409e-8377-03e5c0547263</Id>
          <Name>WizdomNoticeboardInsightsAdmins</Name>
          <Category>AD</Category>
        </Group>
      </Modules_Noticeboard_InsightsGroups>
    </Permissions
  1. Click Save and open LiveTiles Enterprise admin center again.

Error 405 - HTTP verp used to access this page

If you see errors related to either templates not being saved or you cannot save quick links, the reason is most probably caused by WebDAV has been enabled on the LiveTiles IIS server in the IIS Manager.

LiveTiles does not support WebDAV and WebDAV will produce errors in the F12 developer console like these:

image50.png

To fix the issue, do the following:

  1. Open IIS Manager on the LiveTiles IIS server
  2. In IIS Manager, select the LiveTiles web site and on the right menu click Disable WebDAV
  3. image51.png

How to get the Install button visible

In some situations, it can be necessary to be able to click the Install button. For example, doing a migration where the LiveTiles database has been migrated, we will need to click Install to update and change LiveTiles references to reflect the environment.

Here is a little - unsupported - guide to get the Install button back again:

  1. Log on to the site using Chrome browser.
  2. Go to LiveTiles Intranet admin center.
  3. Click Admin and Installation.
  4. Press F12 on the keyboard to get to developer tools.
  5. Click Select an element in the page to inspect it
  6. image52.png
  7. Click in the Installation section to highlight it.
  8. image53.png
  9. Press Ctrl + F to get to the search box.
  10. Search for Install and about the 7th result should display something like this.
  11. image55.png
  12. Dubble-click in class section and remove ng-hide.
  13. image56.png
  14. Install button is visible again – do not reload the page as this will hide the button again.

How to encrypt/decrypt app settings in web.config

As the LiveTiles IIS web site web.config contains a plain text password of the certificate pfx file, the following can be used to encrypt (and decrypt) the appSettings section of the web.config file. For security, the file encryption is restricted to the specific IIS instance, which means copying the file or encrypted section to a different server for decryption will not work.

As an example, this is standard plain text in the appSettings section in web.config

  <appSettings>
    <add key="AppUrl" value="https://wizdom.wizdomdev.local/" />
    <add key="BlobUrl" value="https://wizdom.wizdomdev.local/blob/" />
    <add key="LocalBlobPath" value="C:\inetpub\wwwroot\Wizdom blob" />
    <add key="ADDomain" value="domain" />
    . . . . .
  </appSettings

When encryption has been enabled, the appSettings section is no longer readable, but will functions as normal.

<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>Ql75Yg0CxJfC... zg==</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>dQSFAL7HcLwFmPalwVCgmx... bSM/</CipherValue>
      </CipherData>
    </EncryptedData>
  </appSettings>

To enable encryption

To encrypt the appSettings do the following:

  1. Log on to the LiveTiles IIS server with local administrative rights.
  2. Open an elevated PowerShell.
  3. Type the following command to encrypt the appSettings section in web.config:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319> .\aspnet_regiis.exe -pef "appSettings" "C:\inetpub\wwwroot\LiveTiles website"

To disable encryption

If you need to make any changes in appSettings in web.config, it is necessary to decrypt this section first before making changes.

To decrypt the appSettings to the following.

  1. Log on to the LiveTiles IIS server with local administrative rights.
  2. Open an elevated PowerShell.
  3. Type the following command to decrypt the appSettings section in web.config:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319> .\aspnet_regiis.exe -pdf "appSettings" "C:\inetpub\wwwroot\Wizdom website"

Please note: If using DFS (Distributed File System) to keep files identical across several Wizdom servers, DFS must be disabled on the website and only used on the blob. If DFS is handling the website, above is not supported, as the other IIS servers are not able to decrypt the web.config file.

Comments

0 comments

Please sign in to leave a comment.

Articles in this section

See more

Related articles

We're here to help!

Contact Us
Privacy Policy Terms and Conditions LSAA EULA © 2025 LiveTiles Limited