Thursday, 3 May 2018

TLS 1.2 and SharePoint on-prem.

Problem:  By default SharePoint 2016 and SP 2013 use TLS1.0 for its communication protocol (think SSL version number).  A lot of companies and partners are now insisting your internal SharePoint farms support TLS 1.2 and not the earlier versions.  For various compliance frameworks (DSS PCI, HIPPA) you need ensure you no longer use TLS1.0 or 1.1 and only support TLS 1.2 and soon to be TLS 1.3.  The problem is that earlier versions have potential vulnerabilities and can lead to various attach including being susceptible to man in the middle attacks.

TLS/SSL Basics:

Three Areas of Concern:
  1. SharePoint Farm (upgrade to SSL across the farm, Supports TLS 1.2 on SP2010 & 2013 since +_Oct 2016) - biggest lift
  2. CSOM Client VM (Ensure the client VM can send TLS1.2) - Jump boxes, browser
  3. Ensure the Communicating App support TLS1.2 (Either .NET4.6.2 compiled apps default to TLS1.2 or problematically enforce the TLS order/version. 
Our business needs three parts:
1. SharePoint farm upgrade thru DTAP environments and Test
2. Calling application need to use TLS 1.2 as the default and can potentially call backwards.  This includes IE/Chrome, calling CSOM code (either fix works: .NET 4.6.2 upgrade or pragmatically enforcing TLS), PowerShell
// C# CSOM programatic fix to TLS inacuracies
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;
3. If your tools are on a Server ensure outbound TLS traffic is allowed.  IIS TLS settings affect both inbound and outbound traffic, overwrite the outbound if you need to in the registry.

Validate SSL SharePoint Web Front End:
Use PowerShell to check the WFE or an external tool like HTBridge.
Here is a great tool to look at you HTTPS web server/endpoint setup externally: https://www.htbridge.com/ssl

Tip: Removing TLS1.0 and 1.1 needs to be thoroughly tested as there are numerous depancncies such as OWA, Workflow, CSOM, Internal Comms, SQL Server.

Wednesday, 11 April 2018

HTTP 400 bad request response

Problem:  I have an old SharePoint 2013 custom application that is partially loading, The application has not encountered the error in several years that it has been running).  This is only happening for 1 user out of thousands and occurs on Chrome and IE.  I can see some in the IE developer tool bar that some requests are showing 200 responses and some are showing 400 responses from the web servers.  I am load balanced and all WFE's are showing the 400.

Initial Hypothesis:  Only 1 user has the issue.  Some URL requests work and other are malformed (return 400 errors) on the same WFE.   User on different machine still fails.  Using different browser user still fails.  The user is forming a malformed request.  It appears to be a problem with the specific user to a specific site collection and is likely to be the HTTP Header request.
Using the browser settings/Fiddler or Dev toolbars get the error details, i.e.
HTTP 400 – Bad Request - The size of the request headers is too long.
Alternatively, user the IE browser and turn on friendly, to identify if the issue is the HTTP header request is too long.

Possible Resolution: Look at the request header, it may be too long for the WFE to handle.  As making the header smaller is generally not an option, look to increase the the size of the requests IIS allows for HTTP requests (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters).  As this is production issue and I can't replicate to a lower environment, I need to use a host entry to get my offending user to only be accessing a single WFE where the fix is applied.  By using the NLB and updating IIS, I can ensure the fix works without disrupting my user base.
See https://www.grouppolicy.biz/2013/06/how-to-configure-iis-to-support-large-ad-token-with-group-policy/



Wednesday, 28 March 2018

TFS Scrum for SharePoint Projects

Great information on TFS for Scrum, Agile & CMMI from Microsoft.  My preference is to use Scrum with a couple of twists from Agile and external tooling.
https://docs.microsoft.com/en-us/vsts/work/work-items/guidance/choose-process

Tip:  I use User Stories extensively in scrum and with TFS all the testing and automation fits in brilliantly.  CI/CD is a chouch between TFS build and TeamCity.  Also my acceptance criteria is always written using gherkin language to ensure consistency.

Below are a few posts that are a couple of years old outlining Agile and Scrum for SharePoint projects:
Agile for SharePoint
Scrum for SharePoint - Part 1
Scrum for SharePoint - Part 2

Friday, 23 March 2018

An approach to building transactional systems in SharePoint

Overview:  It is common with modern SharePoint development to store transaction high volume data inside a SQL database and expose the application data using WebAPI or a WCF.  The application, e.g. SPA's, Angular or SharePoint pages itself merely calls the "web service" and viola you have an application that is fast and complex with the SharePoint world.


Problem:  When the WCF/WebAPI goes to the database we use a single account (single account principal).  This is an age-old problem in BI, and web applications.  The solution options are to have the security in the database, or each user needs to have a SQL login. 
Initial Hypothesis:  Generally in the last 20 years the majority of application go for the single principal data access approach.  This means there is no logging in SQL natively and you need to pass in the user's context (usually a username or email address).
My Solution:  I use the single access account principal, so I connect using the same account (either encrypt or use something like Azure Vault, in the old days this was the web.config entry with a username and password.  Each request needs to be unique so I pass in the username with the request, and my queries have users and roles and using these relationships I can validate that my user has rights to perform CRUD operations.  I am a huge fan of SQL 2016, as its performance is miles ahead of SQL 2014 and it supports "TemporalTables".  Now with other older SQL instances, you could build your own database logging (tomb tables is what I use to refer to it as).  Worth noting is that Entity Framework does not support Temporal Tables yet, but surely this will come. 
This solution provides a flexible, fast HA (assuming AOAG) transaction secured system with non-repudiation and full logging.  Overall I find this a great approach to building out complex solutions for my clients. 
This approach also provides a easy re-usable API that can be used to allow other applications and business partners to integrate with the solution.  It also allows for a mobile application UI to be easily added as the API are already in place.

Saturday, 10 March 2018

SharePoint Tooling 2018

On a development machine I have a ton of tools depending on the development approach and technologies used.  This post lists tool I commonly use as of March 2018:
SharePoint Tools:
  1. SharePoint Inspect
  2. SharePoint Designer
  3. Visual Studio 2017
  4. SharePoint Search Query Tool (CodePlex now PnP)
  5. SharePoint Manager
  6. CAML Builder
Design Tools:
  1. Balsamiq (My favourite) - Screens and interaction flow
  2. Microsoft Blend - Screens and interaction flow
  3. Visio - Architecture
  4. Access for ERD design
Other Tools:
  1. SnagIT - Basic video recording with audio and annotate screen shots.
  2. Office & OneNote
  3. NotePad++, add the compare dll plugin
Networking:
  1. Wireshark
  2. Fiddler
  3. DeveloperTool IE & Chrome
  4. Burp
  5. Telnet
Source Control:
  1. TFS
  2. TFS online
  3. GIT

Wednesday, 21 February 2018

Consultant Bingo - A master class

I love a useless term to baffle the room as much as the next fellow but watching a master in a meeting today:
STRIDE Model is Microsoft's Security/Threat classification model.  I had to look it up and found another acronym.
DREAD Model is pretty much the same thing.

'RESPECT' for: "I evaluated my DTAP environments cross Federation services using the STRIDE model over the DREAD model because it is simpler.  Of course all the cross cutting concerns have been dealt with." 

Friday, 9 February 2018

CORS for SharePoint Requests

Problem:  I wish to create a common header for my client to layover multiple applications to tie together branding and global organisation branding.  Similar to what O365 does as shown below:
Provide a common header that logs the user in and dynamically generates the header within SharePoint.  Use an HTTP Javascript request from multiple children applications to deliver the shared user common header.  As I have multiple application on sub-domains (e.g. https://hr.contoso.com https://cash.finance.contoso.com and even https://clients.oldurl.net) so I need to ensure allow CORS requests that also allow for user authentication.  

"The CORS mechanism supports secure cross-domain requests and data transfers between browsers and web servers."  Mozilla

Initial Hypothesis:

Option 1 - IIS and SharePoint struggle to handle this requirement using configuration.  For instance by default, only same origin sub domain requests are allowed.  Adding the header Access-Control-Allow-Origin: * allows for any domain but I can't specify to use credentials so i need an anonymous site and then i loose my ability to identify my user and generate a dynamic menu.
Result: Fail.  I receive the following error in the browser: "A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true"

Option 2- Specify a multiple sub-domains i.e. Access-Control-Allow-Origin: https://hr.contoso.com,other.contoso.com
To do authentication I now need the following 3 HTTP response headers:
Access-Control-Allow-Origin: https://hr.contoso.com, https://other.contoso.com
Access-Control-Allow-Credentials: true
Vary: Origin
Result: Fail.  I receive the following error in the browser: "The 'Access-Control-Allow-Origin' header contains multiple values '', but only one is allowed".

Option 3 - Specify a single sub-domains i.e. Access-Control-Allow-Origin: https://hr.contoso.com
Access-Control-Allow-Origin: https://hr.contoso.com
Access-Control-Allow-Credentials: true
Vary: Origin
Result: Fail.  Works for the hr sub-domain but my other sub-domains fail. I have multiple sub-domains that need access.

Key take away: There can only be 1 Access-Control-Allow-Origin response header and the returned Access-Control-Allow-Origin header can only have one URL.

Option 4 - Dynamically inject the Access-Control-Allow-Origin, in SharePoint this is an ISAPI filter or I need to use the Global.asax to dynamically set the HTTP Access-Control-Allow-Origin header to a white-list list of URLs.  Beware of caching pages downstream.  Alternatively, URL Rewrite can be used on the IIS WFE's.

Thanks to Abhieshek Sharma for highlighting my lack of knowledge around CORS requests.