SharePoint un-representable Datetime issue with Publishing sites

I recently had a serious issue with a SharePoint 2016 farm. Any site with Publishing enabled would fail to display, giving a correlation error.

UPDATE: This issue is definitely related to Token Timeout settings. It was pretty common to adjust these settings in older SharePoint versions, but SharePoint 2016 doesn’t behave the same. See comments for more details.

Application error when access /Pages/Home.aspx, Error=The added or subtracted value results in an un-representable DateTime.  Parameter name: value
   at System.DateTime.AddTicks(Int64 value)
   at Microsoft.SharePoint.Publishing.CacheManager.HasTimedOut()
   at Microsoft.SharePoint.Publishing.CacheManager.GetManager(SPSite site, Boolean useContextSite, Boolean allowContextSiteOptimization, Boolean refreshIfNoContext)
   at Microsoft.SharePoint.Publishing.TemplateRedirectionPage.ComputeRedirectionVirtualPath(TemplateRedirectionPage basePage)
   at Microsoft.SharePoint.Publishing.Internal.CmsVirtualPathProvider.CombineVirtualPaths(String basePath, String relativePath)
   at System.Web.Hosting.VirtualPathProvider.CombineVirtualPaths(VirtualPath basePath, VirtualPath relativePath)

I tested creating a new web application and site collection using the Team Site template. This worked successfully. I tried again using a Publishing Site template and the error above appeared.

The issue appeared to be timezone related and so we checked the timezone and locale settings on all servers in the farm and the site collections to make sure they matched.

The ULS log also pointed us towards the Security Token Service and then the TokenTimeOut setting. Bingo! The SharePoint 2016 farm was using MinRole, and the server hosting the Security Token Service had failed to pick up the configuration update with the timezone settings, so it didn’t match the rest of the farm.

To resolve the issue we did the following:

Initially we had installed the farm with the United States timezone. When a change was made to use New Zealand time, the configuration didn’t fully update on all servers, and the Security Token Service was responding with the US date format, making things very unhappy.

Publishing pages use the Security Token Service to validate pages. If the validation fails the page doesn’t load. Team sites without Publishing enabled are OK as they don’t do this validation.

SharePoint 2016 Workflow Manager Registration error

I tried to register Workflow Manager with my SharePoint site collection on a new SharePoint 2016 farm. I followed this article and everything was fine until the last step in the process, registering the Workflow Manager in SharePoint using this command:

Register-SPWorkflowService -SPSite http://sharepoint -WorkflowHostUri https://workflow:12291

Unfortunately I struck the following error:

Register-SPWorkflowService : Failed to query the OAuth S2S metadata endpoint at URI ‘http://sharepoint/_layouts/15/metadata/json/1’. Error details: ‘An error occurred while sending the request.’. HTTP headers received from the server….

Quite a few people reported this as being an issue with DNS registrations, e.g. the SharePoint site URL not being accessible. I checked DNS name resolution and everything looked fine, so it must be something else. If you are having name resolution issues, try using a hosts file entry on the SharePoint server to resolve the issue.

The solution was to enable OAuth and Metadata over HTTP. To enable these settings use the following PowerShell on the SharePoint server:

$cfg = Get-SPSecurityTokenServiceConfig
$cfg.AllowOAuthOverHttp = $true
$cfg.AllowMetaDataOverHttp = $true
$cfg.Update()

Now rerun the Register-SPWorkflowService PowerShell command to complete the registration.
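A check for how far these two switches reach, as an added example that is not part of the original post: both settings are farm-wide on the Security Token Service, so this reports their state next to the web application URLs still served over HTTP and turns them back off once none remain. The function names Get-StsHttpExposure and Disable-StsHttp are hypothetical, and the script assumes the switches were enabled only because the site is on http://, as http://sharepoint is above.

```powershell
# Added example; run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-StsHttpExposure {   # hypothetical helper name
    # Farm-wide Security Token Service switches changed by the fix above
    $cfg = Get-SPSecurityTokenServiceConfig

    # Incoming URLs of every content web application zone that still use plain HTTP
    # (Get-SPWebApplication leaves out Central Administration by default)
    $http = @(Get-SPWebApplication |
        ForEach-Object { Get-SPAlternateURL -WebApplication $_ } |
        Where-Object { $_.IncomingUrl -like 'http://*' } |
        Select-Object -ExpandProperty IncomingUrl)

    [pscustomobject]@{
        AllowOAuthOverHttp    = $cfg.AllowOAuthOverHttp
        AllowMetaDataOverHttp = $cfg.AllowMetaDataOverHttp
        HttpUrls              = $http
        # Assumption: the switches are only needed while a zone is served over HTTP
        SwitchesStillNeeded   = ($http.Count -gt 0)
    }
}

function Disable-StsHttp {       # hypothetical helper name
    $state = Get-StsHttpExposure
    if ($state.SwitchesStillNeeded) {
        # Leave the farm as it is and show what still depends on HTTP
        Write-Warning "HTTP zones remain: $($state.HttpUrls -join ', ')"
        return $state
    }
    # Every zone is HTTPS: put both switches back to off
    $cfg = Get-SPSecurityTokenServiceConfig
    $cfg.AllowOAuthOverHttp    = $false
    $cfg.AllowMetaDataOverHttp = $false
    $cfg.Update()
    Get-StsHttpExposure
}

Get-StsHttpExposure | Format-List
```

Run Get-StsHttpExposure before and after the change to keep a record of what was altered; Disable-StsHttp makes no change while any HTTP zone is listed.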

I hope this saves you a bit of time!

SharePoint Managed Account Login Failures KB3177108

SharePoint allows you to configure “managed accounts”, used to run service applications, to change their passwords automatically. I normally turn this on as it is a good way to help ensure those accounts are secure.

Today I worked on an issue where the accounts were failing to log in. In IIS I could see that various App Pools using the managed accounts were stopped. I restarted them but they stopped again immediately.

To make matters worse, I was unable to use Central Admin to reset the passwords.

Here’s what I did to solve the issue:

  • In IIS I noted the name of the Service Account assigned to the stopped App Pool
  • In Active Directory, I reset the password and set the account to never expire
  • On the SharePoint server, I used PowerShell to reset the Service Account password to a known password using this command:

Set-SPManagedAccount -Identity Domain\User -ExistingPassword (ConvertTo-SecureString "P@ssword" -AsPlainText -Force)

  • Back to IIS again, restarted the App Pool
  • Repeat for all Managed Accounts with automatic password refresh
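The steps above as one pass over the server, as an added example that is not part of the original post: it finds the stopped App Pools, matches their identities to managed accounts, and prompts for each password so it never appears on the command line or in the shell history. It assumes the password has already been reset in Active Directory and that the WebAdministration module is available on the SharePoint server.

```powershell
# Added example; run elevated in the SharePoint Management Shell on each affected server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Managed accounts known to the farm, keyed by DOMAIN\user (keys are case-insensitive)
$managed = @{}
Get-SPManagedAccount | ForEach-Object { $managed[$_.Username] = $_ }

# Stopped App Pools that run as a named account, grouped by that account.
# Pools running as built-in identities have no userName and are left alone.
$stopped = Get-ChildItem IIS:\AppPools |
    Where-Object { $_.State -eq 'Stopped' -and $_.processModel.userName } |
    Group-Object { $_.processModel.userName }

foreach ($group in $stopped) {
    $account = $managed[$group.Name]
    if (-not $account) {
        Write-Warning "$($group.Name) is not a managed account; skipped"
        continue
    }

    # The password that was just set in Active Directory, read as a SecureString
    $pw = Read-Host -AsSecureString "Password set in AD for $($group.Name)"

    # Same call as in the steps above: tell SharePoint the account's current password
    Set-SPManagedAccount -Identity $account -ExistingPassword $pw

    foreach ($pool in $group.Group) {
        Start-WebAppPool -Name $pool.Name
        # Report the state after the restart so a pool that stops again is visible
        $state = (Get-WebAppPoolState -Name $pool.Name).Value
        Write-Output "$($pool.Name) [$($group.Name)]: $state"
    }
}
```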

So what caused this?

A Windows update installed onto the Domain Controllers was the issue. KB3177108 has a known issue which prevents the Kerberos negotiate process from falling back to NTLM. The KB article goes into detail on this and some workarounds.

Phew! We’re back online again. Happy days!

Microsoft Teams

Microsoft Teams is a new collaboration tool for Office 365 users. It is available now in “preview” to anyone with Office 365 Small Business, Enterprise and Education plans.

Firstly, what is Teams? If you believe the hype on social media then it is the death of Slack, but I think that is a pretty superficial view. I think it will be more interesting to see what Microsoft does with Yammer next, and let Slack worry about their business.

Teams brings chat based collaboration to Office 365. That’s the key point here, it makes it easy to converse, get links from recently worked on documents and create virtual teams with the people you work with.

Key features

A short (but not complete) list of features:

  • Ability to create teams from other users in Office 365
  • Instant messaging
  • Outlook integration for meetings
  • SharePoint Online and OneDrive for Business integration for files
  • Integration with Trello, GitHub, Wunderlist and Twitter via connectors

Getting Started

Before you can start using Teams, it must be activated on your Office 365 Tenant. This is done via the Admin Portal using these instructions.

Once done, Teams can be accessed via the website https://teams.microsoft.com or using the Apps for Windows, iOS and Android. In the Apple App Store search for “Microsoft Teams”.

Expect updates

I’ve watched Microsoft develop Power BI over the last couple of years, and I think we can probably expect a similar approach for Teams: lots of regular updates bringing incremental improvements very rapidly.

The first update I would like to see is the ability to federate with other Office 365 tenants. The ability to collaborate better with other organisations must surely be high on the feature roadmap!

Recovering SharePoint

As a SharePoint Administrator, it is critically important that you understand the backup process. Don’t just take the word of the person whose job is to look after backups; they aren’t experts in SharePoint. You should also take time to understand the different recovery options available to you and practice restoring each scenario, so when disaster strikes the recovery process is understood and appropriate to the situation.

Over the past two or three months I’ve received a couple of calls from people with serious SharePoint issues wanting to know how to roll back to a previous backup. Before doing that, you really need to ask yourself: do I really need to roll back, and what is the impact?

On one occasion the issue was related to a failed installation of a SharePoint CU. The SharePoint farm was down and had a very large amount of content.

Key Point: The issue was a failed CU install.

In this case the Configuration Database was corrupt but the user content was OK. The solution was to restore the Configuration Database only (take a backup of the current one first, just in case). Once this was done the Cumulative Update was reapplied.

In another case the issue was a user had deleted a site containing several document libraries. The site collection recycle bin had been emptied, so items couldn’t be recovered from here. The site collection contained many other sites and restore from backup would have resulted in a day’s worth of changes being lost.

Key Point: The issue was with one content database

SharePoint allows ‘Unattached Content Database recovery’ via Central Admin. To get the site back, we restored the Content Database from the most recent backup to a different name and then used Central Admin to extract the missing site from the restored database.

In both cases above the recovery was quick because SQL dumps were being used to back up the SQL server hosting SharePoint’s databases. Some backup solutions allow item, library and site level restore and this could have also helped.

One thing to bear in mind when thinking about backup software is that some solutions need sufficient disk space to restore the database before extracting the items you want to recover. I’ve heard of more than one person struggling to recover because they don’t have space available.

Remember that SharePoint has recycle bins at both the user and site collection level. This should always be the first place you look.

My advice to SharePoint Administrators is to make backup and recovery a priority. Own it because if disaster strikes, you are the person people will turn to.

SharePoint Online Provisioning PnP

At this week’s New Zealand Digital Workplace Conference I attended a session introducing the Provisioning PnP (Patterns and Practices) resources. This is a fantastic resource for SharePoint Online administrators and consultants.

It provides a set of PowerShell commands that allow administrators to build a template of a SharePoint Online site (or features within a site, e.g. just a library or list) and then redeploy the template to another site.

Three big features:

  • It isn’t tenant specific, so you can make a template from one tenant and deploy to another. Great for Dev to UAT to Production.
  • The templates can be updated and redeployed to update existing sites built from the template!
  • The templates are XML files that can be manually updated.

The Provisioning PnP also includes commands that can help audit sites, lists and libraries for specific settings. For example, you can find a list of sites with a specific feature enabled or web-part installed.

The Provisioning PnP is free and is part of a larger PnP resource which is receiving monthly updates.

Resources:

This is a fantastic addition to the tool kit, but wait, there’s more. The PnP website is full of useful resources, created by experts for the community.

Thank you to Paul Culmsee for sharing his experiences with us at #DWCNZ.