Tuesday, 21 May 2013

AccessDeniedException when deploying Rdl to SP2010 Claims based site

This Post by Adam Saxton saved me hours of time today.


I setup SP2010 with SQL 2012, all appeared to be working until I create a rdl and tried to deploy it into SharePoint from BIDS in VS2010.  Got the error: The permissions granted to user are insufficient for performing this operation. reporting services + AccessDeniedException.

Resolution: This is a permissions issue on the SharePoint site, I opened the url http://<sitecollection>/_layouts/people.aspx?membershipGroupId=0

I had 2 identical accounts: demo\administrator & DEMO\Administrator.  I ran the select statement explained by Adam to check the user table on the content db where the site collection sites:
SELECT tp_login, tp_title, tp_delete from UserInfo

I deleted the NT account (not the claim account) using the SP UI (http://<sitecollection>/_layouts/people.aspx?membershipGroupId=0).  Re-ran the T-SQL query and the offending NT account (DEMO\Administrator) has been virtually deleted by SP.

I can now publish the report.

More Info on setting up SSRS for SharePoint:

Sunday, 19 May 2013

Creating related lists for SP Hosted Apps using VS2012

Problem:  SharePoint Hosted apps need to use their own site collection (app site collection) to hold list data.  In this post I look at setting up 2 lists that are related.  To clarify what I am trying to achieve I have created an Entity Relationship Diagram (ERD) below.

Initial Hypothesis:  Provisioning fields, content types, list definitions, list instances and seed data is fairly similar between SP2010 and SP2013 within an App.  The VS2012 tooling is good OOTB and I am using a few simple xml based tweaks to get them working as I like them.

Open VS2012 ensure you have the SharePoint developer addin and create the Question list as shown below.

Amend the list to show your fields:

Hit F5 to debug the App, edit the url to view the list you created.  My url after I edited it is shown below:

Question list is working

Repeat the list setup process in VS for the "Comments" list.  We will start from the step where you add the related look to the Posts list.

Working Result:

Wednesday, 15 May 2013

Impersonation over elavation in SharePoint code

Tip:  In managed code in SharePoint use Impersonation over elavation.


Tuesday, 14 May 2013

Compare Files Easily

Problem:  Often need to compare files and i recently had such a case where I needed to check PS1 and xml based files on my build server needed to be the same as in TFS.  I had been fairly slack and needed to verify they were the same. 

Resolution: BeyondCompare is a great tool for comparing files but I really like CodeCompare from Devart.  It has VS 2010 integration as well as the console that is shown below.


Thursday, 9 May 2013

SharePoint 2013 Community Book Published

A couple of folks and I decided to write another community book, this time focusing on SharePoint 2013. It is now published and you can see it here:

The SharePoint 2013 Handbook Cover
Our last book was The SharePoint 2010 Handbook.

Sunday, 5 May 2013

Understanding OAuth

Overview:  With the introduction of Apps into the SharePoint 2013 world, OAuth is an essential mechanism to understand.  OAuth is a standard for authorisation of resources, it does not verify a users identity/Authentication.  This post explains in simple terms what OAuth is about.  The goal of OAuth is to allow Consumers (TweetAppFiction/my custom program) to use resources from a Service Provider (Twitter in this case).  For authentication purposes, the web application "TweetAppFiction" will redirect you to sign into Twitter on Twitters site, after you have logged into Twitter successfully, your browser is redirected back to "TweetAppFiction" with a token.  The token verifies who you are.  This allows your users to login to your site by using there large trusted websites credentials(FaceBook/Google/Yahoo), without them having to provide credentials to your new unknown site.

Tip: Replace TweetAppFiction with an app you are happy to consider as your consumer/app.  Examples of apps/consumer apps are TweetDeck and TweetApp

Problem:  So how OAuth shouldn't work: The end users signup with TweetAppFiction, TweetAppFiction asking the user for their Twitter, LinkedIn, Email etc. username and password.  TweetAppFiction now can work on your behalf with Twitter and the other Service Providers you have given.  The problem is you have given TweetAppFiction your full access credentials.  You don't know or trust "TweetAppFiction".  TweetAppFiction can now do any action it wishes against your Twitter account.  Another issue is if TweetAppFiction gets hacked, your Twitter credentials are compromised.

OAuth/OpenId stops the end-users creating another set of credentials by allowing the Service Provider e.g. Twitter for another website.  The end-user is directed to the Service Provider (twitter) where they authenticate themselves and tell the Service Provider (twitter) to allow this new web application to verify who they are (it also can give other permissions; in effect roles/services).

The issues OAuth solves for end-users are:
  1. TweetAppFiction does not have account credentials for your twitter account,
  2. TweetAppFiction will get access to do some actions on your behalf but you won't give it full permissions, and 
  3. The end-user can revoke TweetAppFiction's permissions at any point from the Service Provider (Twitter),
I see it as there being 2 parts to OAuth:
  1. Authorisation (setup TweetAppFiction with limited permissions to Twitter)
  2. Usage (TweetApp will post/use Twitters API's) 
To this point, we have been looking at authorisation.

Authorisation:  This is the setup of allowing the consumer (TweetAppFiction) to use a Service Provider (Twitter) on your behalf to verify end users. 
The end-user on the TweetAppFiction website/mobile app is going to create an account that logs you in using Twitter.  TweetAppFiction will send your browser a URL that allows you to go to Twitter, and give TweetAppFiction permissions.  If you are not already logged into Twitter you are prompted for your Twitter credentials.  Once you grant the permissions, Twitter sends TweetAppFiction a token (this in effect is a set of credentials and roles for TweetAppFiction to use that is not your username and password but has a limited set of functionality it can perform on your behalf).  Note: TweetAppFiction had to do an initial trust setup with Twitter that involves a Consumer Key & Consumer Secret (Think of this as the original trust relationship setup where Twitter is accepting TweetAppFiction to access TwittersOAuth API)/Resouce Server).  OpenId does not need to perform this initial connection step (Google and Yahoo use OpenId).

Trusted Usage:  For example, TweetAppFiction provides the ability to post comments on your behalf on Twitter.  To post a comment on your behalf, assuming you have already logged in, TweetAppFiction will use your Twitter provided "Access Token" to allow you to post Twitter comments from TweetAppFiction.


More Info:
Sahil Malik explains claims http://www.codemag.com/Article/1201021