I had a wonderful weekend in western Michigan, which included two sessions at the GRDevDay conference. (Think SharePoint Saturday, but for all things developer.) My thanks to the organizers for a job very well done!
The slides from my talk on Cloud Identity are posted on ITUnity.
The Office 365 session can be found on Microsoft Virtual Academy, with the slides and code on GitHub.
I had a terrific time at the SharePoint Saturday event in Irving, TX this weekend. The developer track consistently had about 20 attendees in the room, which is way more than I've seen at SPS events in the past. In addition, there was a Q&A room, and attendees had Eric and me going for another full hour.
My presentation was taken directly from the O365 TPM group (thanks Jeremy!) and can be found on Microsoft Virtual Academy, with the slides and code on GitHub.
Also, I want to thank the organizers (Eric, Eric, Rich, Corey, Jen, Miguel, Kyle and others I have likely missed) and sponsors (Amazon Web Services, Slalom, Planet Technologies, K2, Metalogix, RBA) for making the event a smashing success!
Microsoft announced this week, via a blog post by Senior Escalation Engineer Stefan Goßner, that SharePoint CUs will be included in Windows Update. The comments on that post indicated the risk this poses for many SharePoint deployments.
In summary, Stefan acknowledges that, given the number of possible SharePoint configurations, there is no guarantee that a CU will not break existing code (a regression). Stefan also points out that production servers should not take updates directly. While many agree with this position, I find that small business administrators (who deal with everything, not just SharePoint) are not well versed in SharePoint patching and just accept the default values.
So, if this situation applies to you, I suggest you look at your Windows Update settings. I'm off to update my DSC configuration to make these changes to my VMs.
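The change I am describing, as an added example rather than the post's own DSC code: a configuration that pins the Windows Update policy on SharePoint servers to "notify before download" so a CU is never installed unattended. The node names and output path are assumed placeholders, and the module used is the built-in PSDesiredStateConfiguration.

```powershell
# Added example; not the original post's configuration. Node names are placeholders.
Configuration SharePointWindowsUpdate {
    param([string[]]$ComputerName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $ComputerName {
        # The default on a fresh server is the equivalent of AUOptions = 4:
        # download and install automatically. 2 = notify before download, so
        # a SharePoint CU offered through Windows Update is never applied
        # without an administrator deciding to install it.
        Registry AUOptions {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
            ValueName = 'AUOptions'
            ValueType = 'Dword'
            ValueData = '2'
            Ensure    = 'Present'
            Force     = $true
        }
        # Belt and braces: a pending install must not reboot a farm server
        # while someone is logged on running a patch or PSConfig.
        Registry NoAutoRebootWithLoggedOnUsers {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
            ValueName = 'NoAutoRebootWithLoggedOnUsers'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
            Force     = $true
        }
    }
}

# Compile one MOF per farm server, then push and apply it.
# Note: a domain GPO that sets the same policy key wins on the next
# Group Policy refresh, so check the domain policy as well.
SharePointWindowsUpdate -ComputerName 'sp-wfe01', 'sp-app01' -OutputPath .\WUConfig
Start-DscConfiguration -Path .\WUConfig -Wait -Verbose
```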
If you search the internet, you will find many different blog/forum posts that show how to store credentials for later use in PowerShell. Most of these will point you toward one of these approaches:
- Pipe a secure string to a text file
- Read a secure string from the "host" (doesn't really work in unattended scenarios)
- Encrypt using the private key of a certificate
Each of these has its disadvantages, which range from having to remember to delete the file afterward to exposing the password outright.
I've settled on a new approach that balances the ease-of-use that PowerShell brings with the security required for sensitive data. The Office Developer Patterns and Practices (OfficeDevPnP) group has a library of cmdlets that includes Get-SPOStoredCredential. Despite the name, it can be used in *all* PowerShell scenarios.
To use the cmdlet, you first log on to the computer using the appropriate account. Then, run the Credential Manager program that is included in Windows. Create a Generic credential (under Windows Credentials). The cmdlet will read the credentials and return a NetworkCredential (for on-premises), a SharePoint Online Credential (for O365) or a PSCredential (which can be used anywhere).
You can get the code for the cmdlets from the GitHub repo, from which you can create an installer or xcopy-like deployment script.
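An added example of the workflow above (my code, not the OfficeDevPnP library's own samples): a small wrapper that fetches the stored credential and fails fast if it is missing, so an unattended job errors out instead of hanging on a prompt. The module name, the `-Name`/`-Type` parameters of Get-SPOStoredCredential, the credential name and the site URL are assumptions; check them against the version of the library you deploy.

```powershell
# Added example; assumes the OfficeDevPnP cmdlets are installed under this
# (assumed) module name and that the script runs as the same Windows account
# that created the Generic credential. The secret is protected by that user's
# profile, so anyone who can run code as that account can read it back.
Import-Module OfficeDevPnP.PowerShell.V16.Commands

# One-time setup, equivalent to the Credential Manager UI step. With no value
# after /pass, cmdkey prompts for the password, so it does not end up in
# the shell history:
#   cmdkey /generic:SPO-Automation /user:svc-automation@contoso.onmicrosoft.com /pass

function Get-ScriptCredential {
    param(
        # The "Internet or network address" entered for the Generic credential.
        [Parameter(Mandatory)][string]$Name,
        # OnPrem -> NetworkCredential, O365 -> SharePointOnlineCredentials,
        # PSCredential -> PSCredential (usable with any cmdlet). Values assumed.
        [ValidateSet('OnPrem', 'O365', 'PSCredential')][string]$Type = 'PSCredential'
    )
    $cred = Get-SPOStoredCredential -Name $Name -Type $Type
    if (-not $cred) {
        # Fail loudly: a missing entry in Credential Manager is a setup error,
        # and a prompt in a scheduled task would never be answered.
        throw "No Generic credential named '$Name' exists for $env:USERDOMAIN\$env:USERNAME."
    }
    return $cred
}

# Usage (names assumed): the password never appears in the script or its logs.
$cred = Get-ScriptCredential -Name 'SPO-Automation' -Type 'PSCredential'
Connect-SPOnline -Url 'https://contoso.sharepoint.com/sites/ops' -Credentials $cred
```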
I have a confession to make…for the last six months, I have been working as a SharePoint architect in an infrastructure group.
Yes, I had to hear about how bad developers are. Yes, I've had to hear the crazy ideas that developers have for deploying code. Yes, I've had to walk a mile in their shoes. Yes, I am a better developer for it.
But, I left the place better than when I arrived. The group has a service request framework that uses out of the box SharePoint functionality. They have a set of automation tools that make their job easier. They have a better understanding of what we developers are trying to do.
This global organization has embraced the cloud service model of IT. (Most services that the business units consume are from a private cloud, but from the BU perspective, that does not matter.) The resources that comprise these services are hosted in Azure IaaS (Virtual Machines). But instead of just using tried and true manual processes for provisioning virtual machines, we put in place an automated framework comprising SharePoint, PowerShell, Azure and Office 365. The solution provides a flexible, reliable and scalable platform to meet the needs of the business.
I am really excited to be able to tell some of the story in a presentation at the SharePoint Evolutions Conference in London in April 2015. I have a talk that is in the Azure track, with an audience of both IT Pros and Developers. The talk is titled: Microsoft Azure IaaS Governance, Provisioning and Desired State Configuration.
The talk will introduce the high-level goals of the organization. Lots of Visio and PowerPoint, just like an IT Pro. (Yes, this old dog learned a new trick or two.) We will then move into the details around the governance model that leverages SharePoint. Like most large organizations, there are policies to consider, firewalls to configure and chargeback codes to acquire.
It promises to be an information-packed session. But this is just one of many such sessions at the information-packed conference. And, no one puts on a conference like the folks at Combined Knowledge.
I hope to see you there!
I am thrilled to point you to a community/charity event that has been scheduled to leverage the large number of technology professionals in Chicago for Ignite: ChicagosNext Hackathon.
The goal is to build the next app that creatively solves issues within our local neighborhood using Azure and Office 365.
I have signed up to help organize and participate in the event. I cannot wait to see you there!
More information is available in the Sway below.
I was working on a project recently with an interesting issue. The organization has an on-premises SharePoint farm. They are developing Apps for SharePoint that will leverage the server-to-server trust approach (a.k.a. S2S or High-trust) for authenticating the apps. I was engaged to help troubleshoot an "Access Denied" error when testing the app in a QA/Staging environment. So we started the troubleshooting. What follows is a dump of links that help with this troubleshooting process. Bing/Google will include these, but I'm storing them on my blog for my future use. You're welcome.
- More Troubleshooting Tips for High Trust Apps on SharePoint 2013 (S. Peschka)
- Creating High Trust SharePoint Apps with Microsoft Office Developer Tools for Visual Studio 2012 - Preview 2 (K. Evans)
- Configure an environment for apps for SharePoint (TechNet)
- How to: Package and publish high-trust apps for SharePoint 2013 (TechNet)
In case you are interested, what I found in this particular environment was three items:
- While the certificate used to sign the S2S tokens was trusted by SharePoint, the certificate had a signing chain that was not. Every cert in the chain, all the way up to the Root CA, must be trusted by SharePoint.
- The issuer id that was used in the Publish Wizard was entered with both the specific issuer id *and* the realm id. The value entered was two GUIDs with an "@" sign. Only the specific issuer id (the GUID before the "@") is necessary if you are sharing a cert across apps.
- The IIS server was not authenticating the user. The remote web was allowing anonymous access. When the app made a call back to SharePoint, which was facilitated by TokenHelper's CreateUserContextForSPHost() method, the user identifier was an empty string. So of course, SharePoint rejected the call because it could not verify that the user had permission to the site.
As a side note, I was able to verify that the S2S configuration was correct by changing to app-only permissions.
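Two checks for the first two findings above, written here as an added example and not taken from the project: one walks the S2S signing certificate's chain and reports which links SharePoint does not trust, the other splits each registered issuer name at the "@" and compares the GUID before it with what was typed into the Publish Wizard. It assumes the SharePoint 2013 Management Shell on a farm server, a farm-admin account, and a `.cer` path that is a placeholder.

```powershell
# Added example; run in the SharePoint Management Shell as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Finding 1: every certificate in the chain, up to the root CA, must be in
# the farm's trusted root authorities, not just the signing cert itself.
function Test-S2SCertificateChain {
    param([Parameter(Mandatory)][string]$CertPath)   # public .cer of the high-trust app
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'    # we only want the chain shape here
    [void]$chain.Build($cert)
    # Thumbprints SharePoint already trusts (Manage Trust / New-SPTrustedRootAuthority).
    $trusted = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Subject             = $c.Subject
            Thumbprint          = $c.Thumbprint
            TrustedBySharePoint = ($trusted -contains $c.Thumbprint)
        }
    }
    # A chain that stops short of a self-signed root means the intermediate/root
    # is not even in the local machine store, so SharePoint cannot trust it either.
    if ($chain.ChainStatus) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation } }
}

# Finding 2: RegisteredIssuerName is "<issuer id>@<realm>". The Publish Wizard
# wants only the part before the "@" when the cert is shared across apps.
function Test-S2SIssuerId {
    param([Parameter(Mandatory)][string]$PublishedIssuerId)  # value typed into the wizard
    $realm = (Get-SPAuthenticationRealm).ToString()
    foreach ($issuer in Get-SPTrustedSecurityTokenIssuer) {
        $parts = $issuer.RegisteredIssuerName -split '@'
        [pscustomobject]@{
            Name             = $issuer.Name
            IssuerId         = $parts[0]
            RealmMatchesFarm = ($parts.Count -gt 1 -and $parts[1] -eq $realm)
            WizardValueOk    = ($PublishedIssuerId -eq $parts[0])   # -eq ignores GUID case
        }
    }
}

# Usage (paths and GUID are placeholders):
Test-S2SCertificateChain -CertPath 'C:\Certs\HighTrustApp.cer' | Format-Table -AutoSize
Test-S2SIssuerId -PublishedIssuerId '11111111-1111-1111-1111-111111111111' | Format-Table -AutoSize
```

Any row with TrustedBySharePoint = False needs a New-SPTrustedRootAuthority entry, and a WizardValueOk = False row means the wizard value still carries the "@realm" suffix or a different GUID.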
Having fixed the issue, I was on my way out the door when an interesting question was raised. A large portion of the user community will be on mobile devices and not on the corporate network. If we need the remote web to authenticate the user, what will that look like? The answer is two logon prompts: one for SharePoint and one for the remote web. And as you can imagine, that user experience is sub-optimal.
Fixing this identity problem is not trivial, and I'll try to cover some of those points in the future. But the moral of the story – be sure to plan for authentication at the beginning. You should understand how *every* piece of your solution will authenticate and authorize users. And you should be prepared to bridge any gaps that you find in the AuthN/AuthZ story. It is very important, and can be very difficult.
If you need assistance, please reach out to me. Contact information is on the home page.
I am delighted to be speaking at SPS DFW on March 7, 2015. With the timing of the event, just a few months before Microsoft's Ignite and //build/ conferences, Eric and I have chosen a session that can help those new to Office 365 get up to speed. My topic is Getting Started with Office 365 Development, in which I will broadly discuss the capabilities of the Office 365 platform and the technologies from which it can be accessed.
I look forward to seeing my Texas friends again! Please be sure to turn on the heat.