Wednesday, 6 June 2018

Geo-replication in SharePoint and SPO to the recue

Geo-Replication on SharePoint (Not covering email or OneDrive)

Problem: Over the past 7 years, I have worked on a few clients that require some form of Geo-Replication of share SharePoint farms.  Geo-replication is normally needed for compliance.  This post assumes you need to geo-replicate and not why you need to geo-replicate

Tip: Geo-replication can be used for performance but the complexity that it brings I feel is an added bonus and should not be undertaken for performance gains, there are easier better pragmatic answers to performance such as Riverbed devices, caching and CDN's to name a few.

Initial Hypothesis:  Large organisations existing in multiple geographic regions and need to abide by country regulations and often other industry standards bring the need to geo-replication capability.  I recently completed several high profile projects for a big four consultancy that needed to ensure SharePoint data does not leave its jurisdiction depending on its metadata.  Building on-prem Sharepoint farms were extremely complex and the 3 big services that needed to be centralised or copied are Search, MMS and the Content Type Hub.  There are more like AAD but for my situation, I needed to be able to have multiple SharePoint farms in specific regions that connected to centralised services.

Thoughts: MS has OneDrive and the email piece working in local geographies.
SharePoint is coming with multi-tenancy and users will get unified search results across geographic regions.
  1. Search each tenant holds their own index, not a central index for search - "good news for data location compliance".  Somehow MS are intermingling all the search results using federation - wow.  
  2. Profile Services (use to be UPS) gets core fields from central AAD and local fields are stored at a tenancy level (good news).  
  3. Taxonomy (MMS) is replicated downwards from the central MMS.
  4. Each tenant has it's own content type hub (I never liked this), the CTH uses a star topology to push the CTHub from the central tenant to the regional tenants so the copies including GUIDs are identical.
SPO to the Geo-Rescue (coming soon, in pre-beta as of 6 June 2018):
  • SPO is implementing multiple tenants across O365 like O365 previously did for OneDrive, you can specify where sites get created i.e. region/country.  Each region as it's data centres specified and the URL of the Sites clearly indicates where the site is hosted.
  • The search index is kept in-country and federated up to the central tenant for a seamless search experience across multiple region tenants.
  • Central taxonomy is automatically replicated to the regional tenant.  MMS us a star topology to distribute and keeps GUIDs in sync.
  • UPA holds only key data centrally and each region holds additional properties (good for GDPR and other DPA regulations).
  • AAD is controlled centrally and I believe AAD's have regional copies.
RoadMap:
OneDrive is multi-geo now.  > Circa Oct-Dec 2018 SharePoint will offer multi-geo (yeah).

http://blog.sharepointsite.co.uk/2013/08/stretched-farms-geo-replication-and.html

SharePoint Online Replacement Patterns in Diagrams

Overview: This Post highlights my default position for achieving Common SharePoint solutions using SharePoint Online, flow and Azure Functions.


Matt Wade has a great resource on the components making up O365.
https://app.jumpto365.com/

Wednesday, 30 May 2018

Azure Information Protection - Protect your companies documents

Azure Information Protection (AIP) can be used to protect documents owned by your organisation to ensure they are retractable, encrypted, visible to the correct people.

WIP:  Record simple AIP to demo protecting a document

Event Driven Protection
Auto classify 
Office document labels (Azure retention labels)
E-Discovery relook
Joanne-cklein.com data 

AIP works doc-centric: pdf and office docs anywhere
O365 DLP is SPO, OD4B, exchange4free level controlled

Sunday, 27 May 2018

SharePoint Framework Notes

As the SPFx is progressing and changing rapidly, I shall try to update this page as time goes by.  I have been dabbling with the SharePoint Framework (SPFx) for a few months and went to a day workshop with Andrew Connell (AC) on SPFX as the SharePoint Conference 2018 North America on 20 May 2018.  I would definitely recommend attending Andrew Connell training (I have gone to a lot of workshops and presentations over the years and he is excellent) I am not an expert but these notes are my summary of items to be aware of.

Last Updated:15 June 2018
  • To use the SPFx on-prem. with SP2016, you need to have feature pack 2.  SP2016 only for SPFx web parts does not do    SP2019 will be behind SP365 but it shall have all the updates circ May 2018 when it is released circa Sept-Oct 2018. 
  • Safer to user SPFx on modern pages rather than classic SP pages.
  • Development can be done on any laptop with any editor.
  • Either build Web Parts in the local or O365 (/_layouts/15/workbench.aspx) Workbench.

  • What you need is 1. Node.js, 2. npm, 3. Yeoman, 4. GULP, 5. Webpack (used to check and load dependency JS modules).  AC suggests for simplicity install and forget about: Node.js, Yeoman, Gulp and webpack.  You'll use them but you don't really need to understand them.
  • Language-wise, use JavaScript or you can use TypeScript which obviously converts down into normal JS but makes it easier to program (e.g. type ahead/intelisense).
  • Use NVM (allows for multiple versions of Node.js; you may have clients of different versions and NVM allows you to have multiple Node.js versions on a machine) and use the LTS (Long-term support) versions: v8.11.2 or v8.9.4
  • Install the following pre-reqs using npm:  yomen, gulp and the MSfx template for yeomen scaffolding namely @microsoft/sharepoint…
  • VS code makes a good editor, I think Mark Rackly has built a VS template that will do all the scaffolding instead of using yeoman.
SPFx Eqivalancy Comparison:

SPFx Tool C# WSP Tool Desc
Node.js .NET Used to run npm and compile the SP package (*.sppkg) using gulp and webpack.  Runs a local server to use the tooling
npm Nuget Download 3rd party packages/frameworks e.g. jQuery or Angular
yeoman Visual Studio Generates basic SPFx web part files, same as a template built using VSIX in VS.  Ensure you have all the basic parts to build a SPFx web part
gulp MSBuild or F5 Builds the package
webpack NA checks dependant files are included in the package.  AC explained it as shaking the tree (removes unnecessary js libraries and ensure libraries are included)


SP2016 on-prem. Dev vs No FTC Sp2016 on-prem. vs SPO SPFx

  • WSP
  • Timer
  • Custom Service Apps
  • Event Handlers


References:
https://www.voitanos.io/

Background:
Node.js - Allows you to create a web server and compile JS on the server-side.  It's 2 main functions to use in SP are: 1) Need it for local development workbench and 2) Node.js has npm (package manager) built in, you need node.js that uses npm and webpack to uses gulp to build packages (like we did with MSBuild for WSP's).
webpack - build tool that manages code.  Manges styles and JS files.


Thursday, 3 May 2018

TLS 1.2 and SharePoint on-prem.

Problem:  By default SharePoint 2016 and SP 2013 use TLS1.0 for its communication protocol (think SSL version number).  A lot of companies and partners are now insisting your internal SharePoint farms support TLS 1.2 and not the earlier versions.  For various compliance frameworks (DSS PCI, HIPPA) you need to ensure you no longer use TLS1.0 or 1.1 and only support TLS 1.2 and soon to be TLS 1.3.  The problem is that earlier versions have potential vulnerabilities and can lead to various attach including being susceptible to man in the middle attacks.

TLS/SSL Basics:

Three Areas of Concern:
  1. SharePoint Farm (upgrade to SSL across the farm, Supports TLS 1.2 on SP2010 & 2013 since +_Oct 2016) - biggest lift
  2. CSOM Client VM (Ensure the client VM can send TLS1.2) - Jump boxes, browser
  3. Ensure the Communicating App support TLS1.2 (Either .NET4.6.2 compiled apps default to TLS1.2 or problematically enforce the TLS order/version. 
Our business needs three parts:
1. SharePoint farm upgrade thru DTAP environments and Test
2. Calling application needs to use TLS 1.2 as the default and can potentially call backwards.  This includes IE/Chrome, calling CSOM code (either fix works: .NET 4.6.2 upgrade or pragmatically enforcing TLS), PowerShell
// C# CSOM programmatic fix to TLS inaccuracies
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;
3. If your tools are on a Server ensure outbound TLS traffic is allowed.  IIS TLS settings affect both inbound and outbound traffic, overwrite the outbound if you need to in the registry.

Validate SSL SharePoint Web Front End:
Use PowerShell to check the WFE or an external tool like HTBridge.
Here is a great tool to look at your HTTPS web server/endpoint setup externally: https://www.htbridge.com/ssl

Tip: Removing TLS1.0 and 1.1 needs to be thoroughly tested as there are numerous dependencies such as OWA, Workflow, CSOM, Internal Comms, SQL Server.

Wednesday, 11 April 2018

HTTP 400 bad request response

Problem:  I have an old SharePoint 2013 custom application that is partially loading, The application has not encountered the error in several years that it has been running).  This is only happening for 1 user out of thousands and occurs on Chrome and IE.  I can see some in the IE developer toolbar that some requests are showing 200 responses, and some are showing 400 responses from the web servers.  The SP WFE's are load balanced, and all WFE's are showing the 400.

Initial Hypothesis:  Only 1 user has the issue.  Some URL requests work, and other are malformed (return 400 errors) on the same WFE.   The user on a different machine still fails.  Using a different browser, the user still fails.  The user is forming a malformed request.  It appears to be a problem with the specific user to a particular site collection and is likely to be the HTTP Header request.
Using the browser settings/Fiddler or Dev toolbars get the error details, i.e.
HTTP 400 – Bad Request - The size of the request headers is too long.
Alternatively, user the IE browser and turn on friendly, to identify if the issue is the HTTP header request is too long.

Possible Resolution: Look at the request header, it may be too long for the WFE to handle.  As making the header smaller is generally not an option, look to increase the size of the requests IIS allows for HTTP requests (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters).  As this is production issue and I can't replicate to a lower environment, I need to use a host entry to get my offending user to only be accessing a single WFE where the fix is applied.  By using the NLB and updating IIS, I can ensure the fix works without disrupting my user base.
See https://www.grouppolicy.biz/2013/06/how-to-configure-iis-to-support-large-ad-token-with-group-policy/



Wednesday, 28 March 2018

TFS Scrum for SharePoint Projects

Great information on TFS for Scrum, Agile & CMMI from Microsoft.  My preference is to use Scrum with a couple of twists from Agile and external tooling.
https://docs.microsoft.com/en-us/vsts/work/work-items/guidance/choose-process

Tip:  I use User Stories extensively in SCRUM and with TFS all the testing and automation fits in brilliantly.  CI/CD is a choice between TFS build and TeamCity.  Also, my acceptance criteria are always written using gherkin language to ensure consistency.

Below are a few posts that are a couple of years old outlining Agile and Scrum for SharePoint projects:
Agile for SharePoint
Scrum for SharePoint - Part 1
Scrum for SharePoint - Part 2