Wednesday, 21 February 2018

Consultant Bingo - A master class

I love a useful term to baffle the room as much as the next fellow but watching a master in a meeting today:
STRIDE Model is Microsoft's Security/Threat classification model.  I had to look it up and found another acronym.
DREAD Model is pretty much the same thing.

Give a 'hear-hear' for: "I evaluated my DTAP environments cross Federation services using the STRIDE model over the DREAD model because it is simpler.  Of course all the cross cutting concerns have been dealt with." 

Friday, 9 February 2018

CORS for SharePoint Requests

Problem:  I wish to create a common header for my client to layover multiple applications to tie together branding and global organisation branding.  Similar to what O365 does as shown below:
Provide a common header that logs the user in and dynamically generates the header within SharePoint.  Use an HTTP Javascript request from multiple children applications to deliver the shared user common header.  As I have multiple application on sub-domains (e.g. and even so I need to ensure allow CORS requests that also allow for user authentication.  

"The CORS mechanism supports secure cross-domain requests and data transfers between browsers and web servers."  Mozilla

Initial Hypothesis:

Option 1 - IIS and SharePoint struggle to handle this requirement using configuration.  For instance by default, only same origin sub domain requests are allowed.  Adding the header Access-Control-Allow-Origin: * allows for any domain but I can't specify to use credentials so i need an anonymous site and then i loose my ability to identify my user and generate a dynamic menu.
Result: Fail.  I receive the following error in the browser: "A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true"

Option 2- Specify a multiple sub-domains i.e. Access-Control-Allow-Origin:,
To do authentication I now need the following 3 HTTP response headers:
Access-Control-Allow-Credentials: true
Vary: Origin
Result: Fail.  I receive the following error in the browser: "The 'Access-Control-Allow-Origin' header contains multiple values '', but only one is allowed".

Option 3 - Specify a single sub-domains i.e. Access-Control-Allow-Origin:
Access-Control-Allow-Credentials: true
Vary: Origin
Result: Fail.  Works for the hr sub-domain but my other sub-domains fail. I have multiple sub-domains that need access.

Key take away: There can only be 1 Access-Control-Allow-Origin response header and the returned Access-Control-Allow-Origin header can only have one URL.

Option 4 - Dynamically inject the Access-Control-Allow-Origin, in SharePoint this is an ISAPI filter or I need to use the Global.asax to dynamically set the HTTP Access-Control-Allow-Origin header to a white-list list of URLs.  Beware of caching pages downstream.  Alternatively, URL Rewrite can be used on the IIS WFE's.

Thanks to Abhieshek Sharma for highlighting my lack of knowledge around CORS requests.

Wednesday, 31 January 2018

Looking for a cheap quick UI testing and monitoring Tool - end test and Ghost Inspector Review

Problem:  My client is looking for a simple tool to monitor a website is up and running and can run a small set of UI tests and asserts to verify it is working as expected. 

Initial Hypothesis:  There are a lot of monitoring sites like uptime that meet this requirement but I reviewed Ghost Inspector and endtest.  I am not looking to do full CI as I would look at Selenium WebDriver for an enterprise solution for UI testing.

Resolution:  Trial endtest and Ghost inspector on my O365 subscription to validate it monitors and alerts, can perform advanced logins and it can validate custom pages after JavaScript injection.  Price and feature wise both tools are pretty similar.

Ghost Inspector Initial Thoughts
Easy to use and their is a recording function for Chrome.  This review has put me off Ghost Inspector to some degree but definitely a good product to evaluate.
Bad review for Ghost Inspector but it does assume enterprise level UI testing more suited to tooling like Selenium.

endtest Initial Thoughts
Easy to use, setup testing in a matter of minutes, recorded actions and assertions.  The trial is limited as I could not check the scheduling mechanism but end test looks like the idea tool for my requirement.  Would need to go for the pro licence at $79 per month.  A simpler smaller option would be more attractive but let's see what the client thinks.

Tuesday, 23 January 2018

Basic Branching Strategy for TFS and GIT

  • The main difference between normal TFS branching strategy is that you branch more often for shorter time periods and check in small code change units into the "Development" branch.
  • Delete the black line once the feature is complete and checked back into the Development branch.  Can easily start a new functional local GIT branch to amend the next feature.
Note: Easy to also grab a GIT local branch from the Main branch (inline with you production code base), make changes and then when checked back in they hotfix goes into both the Main and Development code branches.

Friday, 19 January 2018

Interviewing Developers, Leads and Consultants for SharePoint projects

Overview:  Depending on the project will dictate the skills and experience I look for.  This post lists the skills I generally look for when hiring dev and leads for SharePoint based projects.  Firstly, I compile a list of skills for the project and ensure each developer role covers multiple areas/expertise types.  My general list is shown below.

Skill needed:

  • SharePoint
  • PHA
  • TFS / GIT
  • .NET/C# 
  • WCF / Web API
  • SQL Server 
  • Entity Framework/Code First
  • JQuery, 
  • Angular JS, KnockOut React VueJS, Other JScript Libraries
  • O365
  • Azure
  • Federation/Security
  • Agile/Scrum

I keep a scorecard and Notes that I fill in for each candidate.  If they score too low in the technical section, I don't start the Personal section, and until I think they are a good candidate then I start the problem solving which I find to be the best indicator of if a guy is going to work out.  Looking back at a lot of developers and leads hired, the 2 critical sections are problem-solving and admits limitations (the guys that don't know when to say "I don't know" are generally a problem if hired). 

Candidate Template:  John Doe

Branding, knows SP limits excellent,
8 missed JS injection
SAML, ADFS, passive clainms and SSL
Types, S2S vs ACS, Certs, MVC app pkg
Namespaces, versions ng,
Trimming, CEWS, components, DisplayTemplates, KQL
SSRS, Power BI, SSAS, rdl, understand no depth in knowledge


Super adjusted


Admits limitations


Problem Solving:

SharePoint Problem Solving


Smart, nice guy, super knowledgeable.  Admitted he does not know BI at all and then actually gave a solid explanation of BI on SP. 
Technical: 9
Personal: 9

Problem Solving: 8

Thursday, 18 January 2018

CSOM TLS Issue - The underlying connection was closed

Problem:  I have a console using CSOM that stopped working when the TLS settings were updated firm-wide.  The communication is between the console and a SharePoint farm, using CSOM, and now it no longer works.  The event log generates the following error message on the client machine: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Initial Hypothesis: The outbound HTTPS traffic is the issue as the error is telling me that the error was creating the SSL client credential.  The console runs on a web server and the TLS restriction change has caused the issue.  This issue is that the console running can't create an SSL client credential.  The TLS change was made to the console VM and not the SharePoint farm.

The post below helped me query the windows web servers to check the TLS settings using PowerShell.  I believe the outbound is controlled by the inbound TLS settings.

Resolution:  Change the console to use a know TLS version e.g., TLS1.2 as shown below:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Alternatively, revert the TLS setting in the registery.  Obviously, this means your server is more susceptible to attack.

More Info:

Tuesday, 21 November 2017

Power BI online integrate into SharePoint on-prem. extranet Architecture

Power BI Embedded Online Licencing as of 22 Nov 2017:
Basically, there are 2 parts to licencing PowerBI online.
1.> You licence per the number of pages you render per hour.  You need to have the Power BI Embedded licences on infrastructure to serve up a certain number of requests per hour. So work out your peak number of page request per hour and licence for the appropriate plan.  The table below shows the Power BI Embedded plan you'll need to subscribe to:

PlanVirtual CPUsRAM (GB)Max Request per hour
Note:  I believe the plan's can be scaled up or down instantly without display and pausing a service stops the Power BI embedded costs.  If you run over the Max requests per hour I believe the Power BI PaaS will still serve up page/reports but you will get an extra bill for the additional reports.

2.> You'll also need to purchase at least 1 Power BI Pro licence, that is used for: administration, content publishing, and development..
3.> As of time of writing (Nov 2017) the Microsoft Power BI Gateway does not offer High Availability (HA), but I'm sure it is coming soon.
4.>  A single account is used to connect to each source and RLS security has to be applied at the source (SQL SSAS), user table mapping is required.

Also see: