How should you configure IE 11 to run well with your SharePoint 2013 sites?

I simply can’t resist making the following observation: Internet Explorer 11 was released on 17 October 2013 and Microsoft SharePoint 2013 was released in October 2012. My expectation is that these days (July 2014) SharePoint 2013 and Internet Explorer 11 run without issues. Internet Explorer 11 is in the supported list of browsers for SharePoint 2013, and the SP1 version of SharePoint 2013 (the re-released version of SP1 :-) “improves compatibility with Internet Explorer 11”.
Well … even with the June 2014 Cumulative Update installed on SharePoint 2013 (the latest cumulative update available at the moment I am writing this post), you will still have issues if your company has deployed Internet Explorer 11.

The most noticeable issue (and believe me, it existed even before SP1) is the Calendar Web Part.

[Image IE11_and_SP2013_Calendar_View: SharePoint 2013 Calendar View using Internet Explorer 11]
[Image IE11_and_SP2013_Calendar_Compatibility_View: SharePoint 2013 Calendar View using Internet Explorer 11 (compatibility view enabled)]

Another issue with IE 11 and SharePoint 2013 is the disabled Web Part Properties.

[Image IE11_and_SP2013_Web_Part_Properties: SharePoint 2013 Web Part properties using Internet Explorer 11]
[Image IE11_and_SP2013_Web_Part_Properties_Compatibility_View: SharePoint 2013 Web Part properties using Internet Explorer 11 (compatibility view enabled)]

There are other issues I experienced with native IE 11 on SharePoint 2013 sites.
I mentioned just two of them to give you an idea of what to expect, and also to give you the possibility to verify and reproduce them in your environment.


There are two solutions:
1. Enable compatibility view for your SharePoint sites.
The simplest solution is to define a Group Policy Object that forces IE 11 to run in compatibility view when you access your SharePoint sites.

[Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Compatibility View\Use Policy List of Quirks Mode sites]
or
[User Configuration\Administrative Templates\Windows Components\Internet Explorer\Compatibility View\Use Policy List of Quirks Mode sites]
[Images IE11_and_SP2013_GPO_Compatibility_View_01, IE11_and_SP2013_GPO_Compatibility_View_02]

If you don’t find this setting in your GPO, most likely you are missing the Internet Explorer Administrative Templates. In this case download the Administrative Templates for Internet Explorer 11 and add the template to your GPO.

2. Enable the Internet Explorer 11 Enterprise Mode
Recently I’ve been in a situation where IE 11 with Enterprise Mode On broke a specific custom functionality added to the production SharePoint farms. That happens because the output (HTML response) SharePoint 2013 provides when you use IE 11 with Enterprise Mode On is different from the output SharePoint 2013 provides when you use native IE 11, or IE 11 with compatibility view enabled. OK, honestly not an IE 11 or SharePoint 2013 issue – as I said, it was a custom functionality added on top of SharePoint (something specific to the company I work for). Nothing to blame, but be aware of these HTML output differences in case, for example, you are using CSS overwriting (SharePoint branding).
A little bit outside the topic: IE 11 Enterprise Mode On will make IE 11 use a true IE 8 emulation mode, which can cut specific features for other websites – not a problem in the case of SharePoint 2013, but it can be a problem for other custom sites (so don’t be radical and activate Enterprise Mode everywhere).
Again, GPO simplifies the task. In case you don’t find these settings in your GPO, you need to install the Administrative Templates for Internet Explorer 11 and add the template.

[Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list]
or
[User Configuration\Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list]
[Image IE11_and_SP2013_GPO_Enterprise_Mode_01]

Using the Enterprise Mode Site List Manager you can generate the XML file that “tells” IE 11 to run Enterprise Mode only for specific domains. This XML can be stored on a web server or on a shared folder, or it can be copied regularly to the client machines.
In my case I used a DFS location (\\itech.local\Enterprise_mode\Enterprise_mode_sites.xml).
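The site list that the policy above points to is a small XML file. As an added example (not from the original post, and not generated with the Site List Manager), the PowerShell below builds a version-1 Enterprise Mode site list for two SharePoint host names and writes it to a DFS path, then reads the file back so you can confirm that only the domains you intended are listed. The host names and the output path are assumptions; the version-1 schema (a rules element with a version attribute, an emie element, and one domain element per host) is the format IE 11 reads.

```powershell
# Added example, not part of the original post: build an Enterprise Mode site
# list (version-1 schema) that limits IE 11 Enterprise Mode to specific
# SharePoint domains. Host names and output path below are assumptions.

$SharePointDomains = @('sharepoint.contoso.local', 'intranet.contoso.local')    # assumed host names
$SiteListPath      = '\\contoso.local\Enterprise_mode\Enterprise_mode_sites.xml' # assumed DFS path

# Build the document with the XML API rather than string concatenation so that
# host names are always escaped correctly.
$doc   = New-Object System.Xml.XmlDocument
$null  = $doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'UTF-8', $null))
$rules = $doc.AppendChild($doc.CreateElement('rules'))
$rules.SetAttribute('version', '1')   # increase this number every time the list changes
$emie  = $rules.AppendChild($doc.CreateElement('emie'))

foreach ($name in $SharePointDomains) {
    $domain = $emie.AppendChild($doc.CreateElement('domain'))
    $domain.SetAttribute('exclude', 'false')   # false = render this domain in Enterprise Mode
    $domain.InnerText = $name
}

$doc.Save($SiteListPath)

# Read the file back and list the domains IE 11 will treat as Enterprise Mode
# sites, so the list can be checked against the SharePoint hosts you intended.
[xml]$check = Get-Content -Path $SiteListPath -Raw
$check.rules.emie.domain | ForEach-Object {
    '{0} (exclude={1})' -f $_.'#text', $_.exclude
}
```

Each time you change the file, increase the version attribute: IE 11 compares it with the version it already holds and only picks up the new list when the number is higher. Keeping the list limited to the SharePoint hosts is also what avoids the “Enterprise Mode everywhere” problem described above.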

[Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Let users turn on and use Enterprise Mode from the Tools menu]
or
[User Configuration\Administrative Templates\Windows Components\Internet Explorer\Let users turn on and use Enterprise Mode from the Tools menu]
[Image IE11_and_SP2013_GPO_Enterprise_Mode_02]

Be aware
If you have a domain added to the Compatibility View list and also to the Enterprise Mode list, IE 11 will use Enterprise Mode for that domain.
Compatibility View and Enterprise Mode are two separate things, and even if SharePoint 2013 sites are well rendered in both, the output will not be the same :) .

[Image IE11_and_SP2013_Calendar_Compatibility_View: SharePoint 2013 Calendar View using Internet Explorer 11 (compatibility view enabled)]
[Image IE11_and_SP2013_Calendar_Enterprise_Mode: SharePoint 2013 Calendar View using Internet Explorer 11 (Enterprise Mode On)]

Active Directory Security Groups and SharePoint Claims Based Authentication

It’s not happening only on SharePoint 2013. You will be in the same situation if you are using Claims Based Authentication with SharePoint 2010.

Out of the box behavior
You have a SharePoint Web Application configured to use Claims Based Authentication. You grant access to a SharePoint site through Active Directory Security Groups. You change the membership of that Active Directory Security Group and you notice the changes are not reflected immediately on the SharePoint site.
For example, you remove a user account from the AD security group membership, but the user is still able to access the site; or you add a new user to the membership of that security group, but the user still receives access denied on SharePoint.

The explanation
SharePoint Claims Based Authentication works differently from SharePoint Classic Mode Authentication. When you have Claims Based Authentication, SharePoint uses the Security Token Service (STS) to provide access tokens for server-to-server authentication.

The Wikipedia explanation for STS:
“A Security Token Service (STS) is a software based identity provider responsible for issuing security tokens, especially software tokens, as part of a claims-based identity system.
In a typical usage scenario, a client requests access to a secure software application, often called a relying party. Instead of the application authenticating the client, the client is redirected to an STS. The STS authenticates the client and issues a security token. Finally, the client is redirected back to the relying party and presents the security token. The token is the data record in which claims are packed, and is protected from manipulation with strong cryptography. The software application verifies that the token originated from an STS trusted by it, and then makes authorization decisions accordingly. The token is creating a chain of trust between the STS and the software application consuming the claims. This process is illustrated in the Security Assertion Markup Language (SAML) use case, demonstrating how single sign-on can be used to access web services.”

So, in our case:

  • a claims based SharePoint web application handles requests to issue, manage, and validate security tokens.
  • the security tokens are a collection of identity claims (a user name, a role, an identifier).
  • the security tokens can be protected with an X.509 certificate, which guards the token’s contents in transit and lets the consumer validate trusted issuers.
  • the SharePoint Security Token Service plays an important role for the claims based SharePoint web application.

The problem

The tokens have a lifetime (by default 10 hours). More than that, SharePoint by default caches the AD security group membership details for 24 hours. That means that once SharePoint has obtained the details for a security group, SharePoint will keep using the cached membership even if the AD security group changes.

Solution

When access to SharePoint relies on AD security groups, you have to adjust the caching mechanism for the tokens, and you have to adjust it consistently everywhere (SharePoint and STS).

Add-PSSnapin Microsoft.SharePoint.PowerShell;

# Farm content service: TokenTimeout applies on the web application side
$CS = [Microsoft.SharePoint.Administration.SPWebService]::ContentService;
#TokenTimeout value before
$CS.TokenTimeout;
$CS.TokenTimeout = (New-TimeSpan -Minutes 2);
#TokenTimeout value after
$CS.TokenTimeout;
$CS.Update();

# Security Token Service configuration: the lifetimes below apply on the STS side
$STSC = Get-SPSecurityTokenServiceConfig
#WindowsTokenLifetime value before
$STSC.WindowsTokenLifetime;
$STSC.WindowsTokenLifetime = (New-TimeSpan -Minutes 2);
#WindowsTokenLifetime value after
$STSC.WindowsTokenLifetime;
#FormsTokenLifetime value before
$STSC.FormsTokenLifetime;
$STSC.FormsTokenLifetime = (New-TimeSpan -Minutes 2);
#FormsTokenLifetime value after
$STSC.FormsTokenLifetime;
#LogonTokenCacheExpirationWindow value before
$STSC.LogonTokenCacheExpirationWindow;
#DO NOT SET LogonTokenCacheExpirationWindow LARGER THAN WindowsTokenLifetime
$STSC.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1);
#LogonTokenCacheExpirationWindow value after
$STSC.LogonTokenCacheExpirationWindow;
$STSC.Update();
# Restart IIS so the web applications pick up the new values
IISRESET
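Before and after running the script above it is worth having a read-only check that shows the current values and flags the one combination the script warns about. The following PowerShell is an added example (not from the original post): it reads the same properties without changing anything, reports them as one object, and lists problems such as a LogonTokenCacheExpirationWindow larger than WindowsTokenLifetime. The function name and the one-minute warning threshold are my own choices.

```powershell
# Added example, not part of the original post: report the current token
# lifetimes on a SharePoint server without changing them and flag the
# combination the post warns about (LogonTokenCacheExpirationWindow larger
# than WindowsTokenLifetime). Function name and thresholds are assumptions.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPTokenLifetimeReport {
    $cs   = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
    $stsc = Get-SPSecurityTokenServiceConfig

    $problems = @()

    # Rule from the post: the cache expiration window must not be larger than
    # the Windows token lifetime.
    if ($stsc.LogonTokenCacheExpirationWindow -gt $stsc.WindowsTokenLifetime) {
        $problems += 'LogonTokenCacheExpirationWindow is larger than WindowsTokenLifetime'
    }

    # The post sets the forms and Windows lifetimes to the same value; a
    # mismatch is worth a look if you use both authentication types.
    if ($stsc.FormsTokenLifetime -ne $stsc.WindowsTokenLifetime) {
        $problems += 'FormsTokenLifetime differs from WindowsTokenLifetime'
    }

    # Shorter lifetimes mean every user is re-validated against the STS (and
    # AD) more often; warn below one minute (threshold is my own choice).
    if ($stsc.WindowsTokenLifetime -lt (New-TimeSpan -Minutes 1)) {
        $problems += 'WindowsTokenLifetime is under one minute; expect much more frequent STS/AD traffic'
    }

    [PSCustomObject]@{
        TokenTimeout                    = $cs.TokenTimeout
        WindowsTokenLifetime            = $stsc.WindowsTokenLifetime
        FormsTokenLifetime              = $stsc.FormsTokenLifetime
        LogonTokenCacheExpirationWindow = $stsc.LogonTokenCacheExpirationWindow
        Problems                        = $problems
    }
}

Get-SPTokenLifetimeReport | Format-List
```

Run it on a SharePoint server with farm administrator rights. An empty Problems list after the IISRESET means the values were written on both the content service and the STS side; a non-empty list tells you which of the two Update() calls did not take effect, or that the lifetimes were set so low that the farm will be talking to Active Directory on almost every request.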

More details:
SPWebService.ContentService
SPWebService.TokenTimeout
Get-SPSecurityTokenServiceConfig
SPSecurityTokenServiceManager
SPSecurityTokenServiceManager.WindowsTokenLifetime
SPSecurityTokenServiceManager.FormsTokenLifetime
SPSecurityTokenServiceManager.LogonTokenCacheExpirationWindow

How complicated was it to land the Curiosity rover on Mars?

I prefer simple solutions, but I also like complex setups.
In a complex setup I think the key is to tie all the sub-components together carefully and make sure you cover all the scenarios (especially the exception scenarios).

Result:

Recently NASA announced they will improve the deceleration and landing system. I am curious whether they will simplify the process or improve the existing one.